diff --git a/.cproject b/.cproject
new file mode 100644
index 000000000..dd29970a5
--- /dev/null
+++ b/.cproject
@@ -0,0 +1,266 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ <?xml version="1.0" encoding="UTF-8"?>
+<TargetConfig>
+<Properties property_0="" property_2="LPC18x7_43x7_2x512_BootA.cfx" property_3="NXP" property_4="LPC18S37" property_count="5" version="70200"/>
+<infoList vendor="NXP"><info chip="LPC18S37" flash_driver="LPC18x7_43x7_2x512_BootA.cfx" match_id="0x0" name="LPC18S37" resetscript="LPC18LPC43InternalFLASHBootResetscript.scp" stub="crt_emu_lpc18_43_nxp"><chip><name>LPC18S37</name>
+<family>LPC18xx</family>
+<vendor>NXP (formerly Philips)</vendor>
+<reset board="None" core="Real" sys="Real"/>
+<clock changeable="TRUE" freq="20MHz" is_accurate="TRUE"/>
+<memory can_program="true" id="Flash" is_ro="true" type="Flash"/>
+<memory id="RAM" type="RAM"/>
+<memory id="Periph" is_volatile="true" type="Peripheral"/>
+<memoryInstance derived_from="Flash" id="MFlashA512" location="0x1a000000" size="0x80000"/>
+<memoryInstance derived_from="Flash" id="MFlashB512" location="0x1b000000" size="0x80000"/>
+<memoryInstance derived_from="RAM" id="RamLoc32" location="0x10000000" size="0x8000"/>
+<memoryInstance derived_from="RAM" id="RamLoc40" location="0x10080000" size="0xa000"/>
+<memoryInstance derived_from="RAM" id="RamAHB32" location="0x20000000" size="0x8000"/>
+<memoryInstance derived_from="RAM" id="RamAHB16" location="0x20008000" size="0x4000"/>
+<memoryInstance derived_from="RAM" id="RamAHB_ETB16" location="0x2000c000" size="0x4000"/>
+<prog_flash blocksz="0x2000" location="0x1a000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/>
+<prog_flash blocksz="0x10000" location="0x1a010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/>
+<prog_flash blocksz="0x2000" location="0x1b000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/>
+<prog_flash blocksz="0x10000" location="0x1b010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/>
+<peripheralInstance derived_from="V7M_MPU" id="MPU" location="0xe000ed90"/>
+<peripheralInstance derived_from="V7M_NVIC" id="NVIC" location="0xe000e000"/>
+<peripheralInstance derived_from="V7M_DCR" id="DCR" location="0xe000edf0"/>
+<peripheralInstance derived_from="V7M_ITM" id="ITM" location="0xe0000000"/>
+<peripheralInstance derived_from="SCT" id="SCT" location="0x40000000"/>
+<peripheralInstance derived_from="GPDMA" id="GPDMA" location="0x40002000"/>
+<peripheralInstance derived_from="SPIFI" id="SPIFI" location="0x40003000"/>
+<peripheralInstance derived_from="SDMMC" id="SDMMC" location="0x40004000"/>
+<peripheralInstance derived_from="EMC" id="EMC" location="0x40005000"/>
+<peripheralInstance derived_from="USB0" id="USB0" location="0x40006000"/>
+<peripheralInstance derived_from="USB1" id="USB1" location="0x40007000"/>
+<peripheralInstance derived_from="EEPROM" id="EEPROM" location="0x4000e000"/>
+<peripheralInstance derived_from="ETHERNET" id="ETHERNET" location="0x40010000"/>
+<peripheralInstance derived_from="ATIMER" id="ATIMER" location="0x40040000"/>
+<peripheralInstance derived_from="REGFILE" id="REGFILE" location="0x40041000"/>
+<peripheralInstance derived_from="PMC" id="PMC" location="0x40042000"/>
+<peripheralInstance derived_from="CREG" id="CREG" location="0x40043000"/>
+<peripheralInstance derived_from="EVENTROUTER" id="EVENTROUTER" location="0x40044000"/>
+<peripheralInstance derived_from="RTC" id="RTC" location="0x40046000"/>
+<peripheralInstance derived_from="CGU" id="CGU" location="0x40050000"/>
+<peripheralInstance derived_from="CCU1" id="CCU1" location="0x40051000"/>
+<peripheralInstance derived_from="CCU2" id="CCU2" location="0x40052000"/>
+<peripheralInstance derived_from="RGU" id="RGU" location="0x40053000"/>
+<peripheralInstance derived_from="WWDT" id="WWDT" location="0x40080000"/>
+<peripheralInstance derived_from="USART0" id="USART0" location="0x40081000"/>
+<peripheralInstance derived_from="USART2" id="USART2" location="0x400c1000"/>
+<peripheralInstance derived_from="USART3" id="USART3" location="0x400c2000"/>
+<peripheralInstance derived_from="UART1" id="UART1" location="0x40082000"/>
+<peripheralInstance derived_from="SSP0" id="SSP0" location="0x40083000"/>
+<peripheralInstance derived_from="SSP1" id="SSP1" location="0x400c5000"/>
+<peripheralInstance derived_from="TIMER0" id="TIMER0" location="0x40084000"/>
+<peripheralInstance derived_from="TIMER1" id="TIMER1" location="0x40085000"/>
+<peripheralInstance derived_from="TIMER2" id="TIMER2" location="0x400c3000"/>
+<peripheralInstance derived_from="TIMER3" id="TIMER3" location="0x400c4000"/>
+<peripheralInstance derived_from="SCU" id="SCU" location="0x40086000"/>
+<peripheralInstance derived_from="GPIO-PIN-INT" id="GPIO-PIN-INT" location="0x40087000"/>
+<peripheralInstance derived_from="GPIO-GROUP-INT0" id="GPIO-GROUP-INT0" location="0x40088000"/>
+<peripheralInstance derived_from="GPIO-GROUP-INT1" id="GPIO-GROUP-INT1" location="0x40089000"/>
+<peripheralInstance derived_from="MCPWM" id="MCPWM" location="0x400a0000"/>
+<peripheralInstance derived_from="I2C0" id="I2C0" location="0x400a1000"/>
+<peripheralInstance derived_from="I2C1" id="I2C1" location="0x400e0000"/>
+<peripheralInstance derived_from="I2S0" id="I2S0" location="0x400a2000"/>
+<peripheralInstance derived_from="I2S1" id="I2S1" location="0x400a3000"/>
+<peripheralInstance derived_from="C-CAN1" id="C-CAN1" location="0x400a4000"/>
+<peripheralInstance derived_from="RITIMER" id="RITIMER" location="0x400c0000"/>
+<peripheralInstance derived_from="QEI" id="QEI" location="0x400c6000"/>
+<peripheralInstance derived_from="GIMA" id="GIMA" location="0x400c7000"/>
+<peripheralInstance derived_from="DAC" id="DAC" location="0x400e1000"/>
+<peripheralInstance derived_from="C-CAN0" id="C-CAN0" location="0x400e2000"/>
+<peripheralInstance derived_from="ADC0" id="ADC0" location="0x400e3000"/>
+<peripheralInstance derived_from="ADC1" id="ADC1" location="0x400e4000"/>
+<peripheralInstance derived_from="GPIO-PORT" id="GPIO-PORT" location="0x400f4000"/>
+</chip>
+<processor><name gcc_name="cortex-m3">Cortex-M3</name>
+<family>Cortex-M</family>
+</processor>
+<link href="nxp_lpc18xx_peripheral.xme" show="embed" type="simple"/>
+</info>
+</infoList>
+</TargetConfig>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/.gitignore b/.gitignore
index d84c77d37..f8ff8a508 100644
--- a/.gitignore
+++ b/.gitignore
@@ -112,11 +112,11 @@ cov-int
cyassl.tgz
*.log
*.trs
-IDE\MDK-ARM\Projects/
-IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/inc
-IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/src
-IDE\MDK-ARM\LPC43xx\Drivers/
-IDE\MDK-ARM\LPC43xx\LPC43xx/
+IDE/MDK-ARM/Projects/
+IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/inc
+IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/src
+IDE/MDK-ARM/LPC43xx/Drivers/
+IDE/MDK-ARM/LPC43xx/LPC43xx/
*.gcno
*.gcda
*.gcov
@@ -168,3 +168,7 @@ wolfcrypt/user-crypto/m4
wolfcrypt/user-crypto/missing
wolfcrypt/user-crypto/Makefile.in
wolfcrypt/user-crypto/lib/libusercrypto.*
+*.hzs
+
+# wolfSSL CSharp wrapper
+wrapper/CSharp/x64/
diff --git a/.project b/.project
new file mode 100644
index 000000000..9c76912ee
--- /dev/null
+++ b/.project
@@ -0,0 +1,28 @@
+
+
+ lib_wolfssl
+
+
+ lpc_board_nxp_lpcxpresso_1837
+ lpc_chip_18xx
+
+
+
+ org.eclipse.cdt.managedbuilder.core.genmakebuilder
+ clean,full,incremental,
+
+
+
+
+ org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder
+ full,incremental,
+
+
+
+
+
+ org.eclipse.cdt.core.cnature
+ org.eclipse.cdt.managedbuilder.core.managedBuildNature
+ org.eclipse.cdt.managedbuilder.core.ScannerConfigNature
+
+
diff --git a/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c b/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c
index d8f559d4c..cdb8efd26 100644
--- a/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c
+++ b/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c
@@ -24,6 +24,7 @@
#endif
#include
+#include
typedef struct func_args {
int argc;
@@ -34,11 +35,8 @@ typedef struct func_args {
func_args args = { 0 } ;
extern double current_time(int reset) ;
-extern int benchmark_test(void *args) ;
main(void) {
benchmark_test(&args) ;
return 0;
}
-
-
diff --git a/IDE/LPCXPRESSO/README.md b/IDE/LPCXPRESSO/README.md
new file mode 100644
index 000000000..9a93c021a
--- /dev/null
+++ b/IDE/LPCXPRESSO/README.md
@@ -0,0 +1,32 @@
+# WolfSSL Example using the OM13076 (LPCXpresso18S37) board
+
+To use, install the NXP LPCXpresso IDE and import the projects in a new workspace.
+
+1. Run LPCXpresso and choose a workspace location.
+2. Right click in the project exporer window and choose Inport.
+3. Under General choose "Existing Projects into Workspace".
+4. Under "Select root directory" click browse and select the wolfSSL root.
+5. Check the "Search for nested projects" box.
+5. Make sure "wolfssl" and "wolfssl_example" are checked under "Projects:".
+6. Click finish.
+7. Download the board and chip LPCOpen package for your platform.
+8. Import the projects. For example "lpc_board_nxp_lpcxpresso_1837" and "lpc_chip_18xx" are the ones for the LPC18S37.
+
+To setup this example to work with different baords/chips you will need to locate the LPCOpen sources for LPCXpresso on the NXP website and import the board and chip projects. Then you will need to update the "wolfssl_example" project properties to reference these projects (C/C++ General -> Paths and Symbols -> References). See the [LPCOpen v2.xx LPCXpresso quickstart guide for all platforms](https://www.lpcware.com/content/project/lpcopen-platform-nxp-lpc-microcontrollers/lpcopen-v200-quickstart-guides/lpcopen-1) for additional information.
+
+
+## WolfSSL example projects:
+
+1. `wolf_example`. It has console options to run the Wolf tests and benchmarks ('t' for the WolfSSL Tests and 'b' for the WolfSSL Benchmarks).
+
+## Static libraries projects:
+
+1. `wolfssl` for WolfSSL. The WolfSSL port for the LPC18XX platform is located in `IDE/LPCXPRESSO/lpc_18xx_port.c`. This has platform specific functions for `current_time` and `rand_gen`. The `WOLF_USER_SETTINGS` define is set which allows all WolfSSL settings to exist in the `user_settings.h` file (see this file for all customizations used).
+
+## Important Files
+
+1. `IDE/LPCXPRESSO/user_settings.h`. This provides a reference for library settings used to optimize for this embedded platform.
+
+2. `IDE/LPCXPRESSO/lpc_18xx_port.c`. This defines the required time and random number functions for the WolfSSL library.
+
+3. `IDE/LPCXPRESSO/wolf_example/wolf_example.c`. This shows use of the WolfSSL tests and benchmarks.
diff --git a/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c b/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c
new file mode 100644
index 000000000..600173913
--- /dev/null
+++ b/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c
@@ -0,0 +1,108 @@
+/* lpc_18xx_port.c
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#include "board.h"
+#include "otp_18xx_43xx.h" /* For RNG */
+#include "timer_18xx_43xx.h"
+
+static uint32_t mTimeInit = 0;
+#define TIMER_SCALER 1000000
+static void init_time(void)
+{
+ if(mTimeInit == 0) {
+ uint32_t timerFreq;
+
+ /* Set current time for RTC 2:00:00PM, 2012-10-05 */
+ RTC_TIME_T FullTime;
+
+ Chip_RTC_Init(LPC_RTC);
+
+ FullTime.time[RTC_TIMETYPE_SECOND] = 0;
+ FullTime.time[RTC_TIMETYPE_MINUTE] = 0;
+ FullTime.time[RTC_TIMETYPE_HOUR] = 14;
+ FullTime.time[RTC_TIMETYPE_DAYOFMONTH] = 5;
+ FullTime.time[RTC_TIMETYPE_DAYOFWEEK] = 5;
+ FullTime.time[RTC_TIMETYPE_DAYOFYEAR] = 279;
+ FullTime.time[RTC_TIMETYPE_MONTH] = 10;
+ FullTime.time[RTC_TIMETYPE_YEAR] = 2012;
+
+ Chip_RTC_SetFullTime(LPC_RTC, &FullTime);
+
+ /* Enable RTC (starts increase the tick counter and second counter register) */
+ Chip_RTC_Enable(LPC_RTC, ENABLE);
+
+ /* Enable timer 1 clock and reset it */
+ Chip_TIMER_Init(LPC_TIMER2);
+ Chip_RGU_TriggerReset(RGU_TIMER2_RST);
+ while (Chip_RGU_InReset(RGU_TIMER2_RST)) {}
+
+ /* Get timer peripheral clock rate */
+ timerFreq = Chip_Clock_GetRate(CLK_MX_TIMER2);
+
+ /* Timer setup */
+ Chip_TIMER_Reset(LPC_TIMER2);
+ Chip_TIMER_PrescaleSet(LPC_TIMER2, timerFreq/TIMER_SCALER);
+ Chip_TIMER_Enable(LPC_TIMER2);
+
+ mTimeInit = 1;
+ }
+}
+
+double current_time()
+{
+ //RTC_TIME_T FullTime;
+ uint32_t timerMs;
+
+ init_time();
+ timerMs = Chip_TIMER_ReadCount(LPC_TIMER2);
+
+ //Chip_RTC_GetFullTime(LPC_RTC, &FullTime);
+ //(double)FullTime.time[RTC_TIMETYPE_SECOND]
+
+ return (double)timerMs/TIMER_SCALER;
+}
+
+/* Memory location of the generated random numbers (for total of 128 bits) */
+static volatile uint32_t* mRandData = (uint32_t*)0x40045050;
+static uint32_t mRandInit = 0;
+static uint32_t mRandIndex = 0;
+uint32_t rand_gen(void)
+{
+ uint32_t rand = 0;
+ uint32_t status = LPC_OK;
+ if(mRandIndex == 0) {
+ if(mRandInit == 0) {
+ Chip_OTP_Init();
+ mRandInit = 1;
+ }
+ status = Chip_OTP_GenRand();
+ }
+ if(status == LPC_OK) {
+ rand = mRandData[mRandIndex];
+ }
+ else {
+ printf("GenRand Failed 0x%x\n", status);
+ }
+ if(++mRandIndex > 4) {
+ mRandIndex = 0;
+ }
+ return rand;
+}
diff --git a/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h
new file mode 100644
index 000000000..1414154ba
--- /dev/null
+++ b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h
@@ -0,0 +1,81 @@
+#include
+
+/* Configuration */
+#define WOLFSSL_USER_IO
+#define WOLFSSL_GENERAL_ALIGNMENT 4
+#define WOLFSSL_SMALL_STACK
+#define WOLFSSL_BASE64_ENCODE
+#define WOLFSSL_SHA512
+
+#define HAVE_ECC
+#define HAVE_AESGCM
+#define HAVE_CURVE25519
+#define HAVE_HKDF
+#define HAVE_HASHDRBG
+#define HAVE_CHACHA
+#define HAVE_POLY1305
+#define HAVE_ONE_TIME_AUTH
+#define HAVE_TLS_EXTENSIONS
+#define HAVE_SUPPORTED_CURVES
+#define HAVE_ERRNO_H
+#define HAVE_LWIP_NATIVE
+
+#define FP_LUT 4
+#define FP_MAX_BITS 2048 /* 4096 */
+#define FP_MAX_BITS_ECC 512
+#define ALT_ECC_SIZE
+#define USE_FAST_MATH
+#define SMALL_SESSION_CACHE
+#define CURVED25519_SMALL
+#define RSA_LOW_MEM
+#define GCM_SMALL
+#define ECC_SHAMIR
+#define USE_SLOW_SHA2
+#define MP_LOW_MEM
+#define TFM_TIMING_RESISTANT
+//#define TFM_ARM
+
+
+/* Remove Features */
+#define NO_DEV_RANDOM
+#define NO_FILESYSTEM
+#define NO_WRITEV
+#define NO_MAIN_DRIVER
+#define NO_WOLFSSL_MEMORY
+#define NO_DEV_RANDOM
+#define NO_MD4
+#define NO_RABBIT
+#define NO_HC128
+#define NO_DSA
+#define NO_PWDBASED
+#define NO_PSK
+#define NO_64BIT
+#define NO_WOLFSSL_SERVER
+#define NO_OLD_TLS
+#define ECC_USER_CURVES /* Disables P-112, P-128, P-160, P-192, P-224, P-384, P-521 but leaves P-256 enabled */
+#define NO_DES3
+#define NO_MD5
+#define NO_RC4
+#define NO_DH
+#define NO_SHA
+
+
+/* Benchmark / Testing */
+#define BENCH_EMBEDDED
+#define USE_CERT_BUFFERS_1024
+
+
+/* Custom functions */
+extern uint32_t rand_gen(void);
+#define CUSTOM_RAND_GENERATE rand_gen
+#define CUSTOM_RAND_TYPE uint32_t
+
+extern double current_time(int reset);
+#define WOLFSSL_USER_CURRTIME
+
+
+/* Debugging - Optional */
+#if 0
+#define fprintf(file, format, ...) printf(format, ##__VA_ARGS__)
+#define DEBUG_WOLFSSL
+#endif
diff --git a/IDE/LPCXPRESSO/wolf_example/.cproject b/IDE/LPCXPRESSO/wolf_example/.cproject
new file mode 100644
index 000000000..a6d5e4962
--- /dev/null
+++ b/IDE/LPCXPRESSO/wolf_example/.cproject
@@ -0,0 +1,314 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ <?xml version="1.0" encoding="UTF-8"?>
+<TargetConfig>
+<Properties property_0="" property_2="LPC18x7_43x7_2x512_BootA.cfx" property_3="NXP" property_4="LPC1837" property_count="5" version="70200"/>
+<infoList vendor="NXP"><info chip="LPC1837" flash_driver="LPC18x7_43x7_2x512_BootA.cfx" match_id="0x0" name="LPC1837" resetscript="LPC18LPC43InternalFLASHBootResetscript.scp" stub="crt_emu_lpc18_43_nxp"><chip><name>LPC1837</name>
+<family>LPC18xx</family>
+<vendor>NXP (formerly Philips)</vendor>
+<reset board="None" core="Real" sys="Real"/>
+<clock changeable="TRUE" freq="20MHz" is_accurate="TRUE"/>
+<memory can_program="true" id="Flash" is_ro="true" type="Flash"/>
+<memory id="RAM" type="RAM"/>
+<memory id="Periph" is_volatile="true" type="Peripheral"/>
+<memoryInstance derived_from="Flash" id="MFlashA512" location="0x1a000000" size="0x80000"/>
+<memoryInstance derived_from="Flash" id="MFlashB512" location="0x1b000000" size="0x80000"/>
+<memoryInstance derived_from="RAM" id="RamLoc32" location="0x10000000" size="0x8000"/>
+<memoryInstance derived_from="RAM" id="RamLoc40" location="0x10080000" size="0xa000"/>
+<memoryInstance derived_from="RAM" id="RamAHB32" location="0x20000000" size="0x8000"/>
+<memoryInstance derived_from="RAM" id="RamAHB16" location="0x20008000" size="0x4000"/>
+<memoryInstance derived_from="RAM" id="RamAHB_ETB16" location="0x2000c000" size="0x4000"/>
+<prog_flash blocksz="0x2000" location="0x1a000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/>
+<prog_flash blocksz="0x10000" location="0x1a010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/>
+<prog_flash blocksz="0x2000" location="0x1b000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/>
+<prog_flash blocksz="0x10000" location="0x1b010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/>
+<peripheralInstance derived_from="V7M_MPU" determined="infoFile" id="MPU" location="0xe000ed90"/>
+<peripheralInstance derived_from="V7M_NVIC" determined="infoFile" id="NVIC" location="0xe000e000"/>
+<peripheralInstance derived_from="V7M_DCR" determined="infoFile" id="DCR" location="0xe000edf0"/>
+<peripheralInstance derived_from="V7M_ITM" determined="infoFile" id="ITM" location="0xe0000000"/>
+<peripheralInstance derived_from="SCT" determined="infoFile" id="SCT" location="0x40000000"/>
+<peripheralInstance derived_from="GPDMA" determined="infoFile" id="GPDMA" location="0x40002000"/>
+<peripheralInstance derived_from="SPIFI" determined="infoFile" id="SPIFI" location="0x40003000"/>
+<peripheralInstance derived_from="SDMMC" determined="infoFile" id="SDMMC" location="0x40004000"/>
+<peripheralInstance derived_from="EMC" determined="infoFile" id="EMC" location="0x40005000"/>
+<peripheralInstance derived_from="USB0" determined="infoFile" id="USB0" location="0x40006000"/>
+<peripheralInstance derived_from="USB1" determined="infoFile" id="USB1" location="0x40007000"/>
+<peripheralInstance derived_from="EEPROM" determined="infoFile" id="EEPROM" location="0x4000e000"/>
+<peripheralInstance derived_from="ETHERNET" determined="infoFile" id="ETHERNET" location="0x40010000"/>
+<peripheralInstance derived_from="ATIMER" determined="infoFile" id="ATIMER" location="0x40040000"/>
+<peripheralInstance derived_from="REGFILE" determined="infoFile" id="REGFILE" location="0x40041000"/>
+<peripheralInstance derived_from="PMC" determined="infoFile" id="PMC" location="0x40042000"/>
+<peripheralInstance derived_from="CREG" determined="infoFile" id="CREG" location="0x40043000"/>
+<peripheralInstance derived_from="EVENTROUTER" determined="infoFile" id="EVENTROUTER" location="0x40044000"/>
+<peripheralInstance derived_from="RTC" determined="infoFile" id="RTC" location="0x40046000"/>
+<peripheralInstance derived_from="CGU" determined="infoFile" id="CGU" location="0x40050000"/>
+<peripheralInstance derived_from="CCU1" determined="infoFile" id="CCU1" location="0x40051000"/>
+<peripheralInstance derived_from="CCU2" determined="infoFile" id="CCU2" location="0x40052000"/>
+<peripheralInstance derived_from="RGU" determined="infoFile" id="RGU" location="0x40053000"/>
+<peripheralInstance derived_from="WWDT" determined="infoFile" id="WWDT" location="0x40080000"/>
+<peripheralInstance derived_from="USART0" determined="infoFile" id="USART0" location="0x40081000"/>
+<peripheralInstance derived_from="USART2" determined="infoFile" id="USART2" location="0x400c1000"/>
+<peripheralInstance derived_from="USART3" determined="infoFile" id="USART3" location="0x400c2000"/>
+<peripheralInstance derived_from="UART1" determined="infoFile" id="UART1" location="0x40082000"/>
+<peripheralInstance derived_from="SSP0" determined="infoFile" id="SSP0" location="0x40083000"/>
+<peripheralInstance derived_from="SSP1" determined="infoFile" id="SSP1" location="0x400c5000"/>
+<peripheralInstance derived_from="TIMER0" determined="infoFile" id="TIMER0" location="0x40084000"/>
+<peripheralInstance derived_from="TIMER1" determined="infoFile" id="TIMER1" location="0x40085000"/>
+<peripheralInstance derived_from="TIMER2" determined="infoFile" id="TIMER2" location="0x400c3000"/>
+<peripheralInstance derived_from="TIMER3" determined="infoFile" id="TIMER3" location="0x400c4000"/>
+<peripheralInstance derived_from="SCU" determined="infoFile" id="SCU" location="0x40086000"/>
+<peripheralInstance derived_from="GPIO-PIN-INT" determined="infoFile" id="GPIO-PIN-INT" location="0x40087000"/>
+<peripheralInstance derived_from="GPIO-GROUP-INT0" determined="infoFile" id="GPIO-GROUP-INT0" location="0x40088000"/>
+<peripheralInstance derived_from="GPIO-GROUP-INT1" determined="infoFile" id="GPIO-GROUP-INT1" location="0x40089000"/>
+<peripheralInstance derived_from="MCPWM" determined="infoFile" id="MCPWM" location="0x400a0000"/>
+<peripheralInstance derived_from="I2C0" determined="infoFile" id="I2C0" location="0x400a1000"/>
+<peripheralInstance derived_from="I2C1" determined="infoFile" id="I2C1" location="0x400e0000"/>
+<peripheralInstance derived_from="I2S0" determined="infoFile" id="I2S0" location="0x400a2000"/>
+<peripheralInstance derived_from="I2S1" determined="infoFile" id="I2S1" location="0x400a3000"/>
+<peripheralInstance derived_from="C-CAN1" determined="infoFile" id="C-CAN1" location="0x400a4000"/>
+<peripheralInstance derived_from="RITIMER" determined="infoFile" id="RITIMER" location="0x400c0000"/>
+<peripheralInstance derived_from="QEI" determined="infoFile" id="QEI" location="0x400c6000"/>
+<peripheralInstance derived_from="GIMA" determined="infoFile" id="GIMA" location="0x400c7000"/>
+<peripheralInstance derived_from="DAC" determined="infoFile" id="DAC" location="0x400e1000"/>
+<peripheralInstance derived_from="C-CAN0" determined="infoFile" id="C-CAN0" location="0x400e2000"/>
+<peripheralInstance derived_from="ADC0" determined="infoFile" id="ADC0" location="0x400e3000"/>
+<peripheralInstance derived_from="ADC1" determined="infoFile" id="ADC1" location="0x400e4000"/>
+<peripheralInstance derived_from="GPIO-PORT" determined="infoFile" id="GPIO-PORT" location="0x400f4000"/>
+</chip>
+<processor><name gcc_name="cortex-m3">Cortex-M3</name>
+<family>Cortex-M</family>
+</processor>
+<link href="nxp_lpc18xx_peripheral.xme" show="embed" type="simple"/>
+</info>
+</infoList>
+</TargetConfig>
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/IDE/LPCXPRESSO/wolf_example/.project b/IDE/LPCXPRESSO/wolf_example/.project
new file mode 100644
index 000000000..32f134304
--- /dev/null
+++ b/IDE/LPCXPRESSO/wolf_example/.project
@@ -0,0 +1,29 @@
+
+
+ wolf_example
+
+
+ lpc_chip_18xx
+ lpc_board_nxp_lpcxpresso_1837
+ wolfssl
+
+
+
+ org.eclipse.cdt.managedbuilder.core.genmakebuilder
+ clean,full,incremental,
+
+
+
+
+ org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder
+ full,incremental,
+
+
+
+
+
+ org.eclipse.cdt.core.cnature
+ org.eclipse.cdt.managedbuilder.core.managedBuildNature
+ org.eclipse.cdt.managedbuilder.core.ScannerConfigNature
+
+
diff --git a/IDE/LPCXPRESSO/wolf_example/readme.txt b/IDE/LPCXPRESSO/wolf_example/readme.txt
new file mode 100644
index 000000000..37686e98f
--- /dev/null
+++ b/IDE/LPCXPRESSO/wolf_example/readme.txt
@@ -0,0 +1,7 @@
+wolfSSL example
+
+Target board LPC43S37 Xpresso board
+The board communicates to the PC terminal through UART0 at 115200.
+This example builds the wolfSSL library, test and benchmark examples.
+Use 't' to launch the WolfSSL Test
+Use 'b' to launch the WolfSSL Benchmark
diff --git a/IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c b/IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c
new file mode 100644
index 000000000..893704285
--- /dev/null
+++ b/IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c
@@ -0,0 +1,352 @@
+/* lpc_18xx_startup.c
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
+ */
+
+#include "board.h"
+#include
+#include
+
+/* Top of stack location */
+extern void _vStackTop(void);
+
+/* Memory locations */
+extern unsigned int __data_section_table;
+extern unsigned int __data_section_table_end;
+extern unsigned int __bss_section_table;
+extern unsigned int __bss_section_table_end;
+
+/* Copy memory: src=Source, dst_beg=Destination Begin, dst_end=Destination End */
+__attribute__ ((section(".after_vectors")))
+void memcpy32(uint32_t* src, uint32_t* dst_beg, uint32_t len)
+{
+ unsigned int i;
+ for (i = 0; i < len; i += sizeof(uint32_t)) {
+ *dst_beg++ = *src++;
+ }
+}
+
+/* Zero address in range */
+__attribute__ ((section(".after_vectors")))
+void meminit32(uint32_t* start, uint32_t len)
+{
+ unsigned int i;
+ for (i = 0; i < len; i += sizeof(uint32_t)) {
+ *start++ = 0;
+ }
+}
+
+/* Reset Entry Point */
+void ResetISR(void)
+{
+ unsigned int irqPendLoop;
+ unsigned int *SectionTableAddr;
+ unsigned int LoadAddr, ExeAddr, SectionLen;
+ unsigned int *RESET_CONTROL = (unsigned int *) 0x40053100;
+ volatile unsigned int *NVIC_ICPR = (unsigned int *) 0xE000E280;
+
+ /* Chip cleanup/reset */
+ __asm volatile ("cpsid i"); /* Disable interrupts */
+
+ /* Write to LPC_RGU->RESET_CTRL0 */
+ *(RESET_CONTROL+0) = 0x10DF0000;
+ /* GPIO_RST|AES_RST|ETHERNET_RST|SDIO_RST|DMA_RST|
+ * USB1_RST|USB0_RST|LCD_RST */
+
+ /* Write to LPC_RGU->RESET_CTRL1 */
+ *(RESET_CONTROL+1) = 0x00DFF7FF;
+ /* CAN0_RST|CAN1_RST|I2S_RST|SSP1_RST|SSP0_RST|
+ * I2C1_RST|I2C0_RST|UART3_RST|UART1_RST|UART1_RST|UART0_RST|
+ * DAC_RST|ADC1_RST|ADC0_RST|QEI_RST|MOTOCONPWM_RST|SCT_RST|
+ * RITIMER_RST|TIMER3_RST|TIMER2_RST|TIMER1_RST|TIMER0_RST */
+
+ /* Clear all pending interrupts in the NVIC */
+ for (irqPendLoop = 0; irqPendLoop < 8; irqPendLoop++) {
+ *(NVIC_ICPR + irqPendLoop) = 0xFFFFFFFF;
+ }
+ __asm volatile ("cpsie i"); /* Re-enable interrupts */
+
+ /* Init sections */
+ SectionTableAddr = &__data_section_table;
+ /* Copy the data sections from flash to SRAM */
+ while (SectionTableAddr < &__data_section_table_end) {
+ LoadAddr = *SectionTableAddr++;
+ ExeAddr = *SectionTableAddr++;
+ SectionLen = *SectionTableAddr++;
+ memcpy32((uint32_t*)LoadAddr, (uint32_t*)ExeAddr, SectionLen);
+ }
+ /* Zero fill the bss segment */
+ while (SectionTableAddr < &__bss_section_table_end) {
+ ExeAddr = *SectionTableAddr++;
+ SectionLen = *SectionTableAddr++;
+ meminit32((uint32_t*)ExeAddr, SectionLen);
+ }
+
+#if defined(__FPU_PRESENT) && __FPU_PRESENT == 1
+ fpuInit();
+#endif
+
+ /* Board specific SystemInit */
+ Board_SystemInit();
+
+ /* Start main */
+#if defined (__REDLIB__)
+ /* Call the Redlib library, which in turn calls main() */
+ extern void __main(void);
+ __main() ;
+#else
+ extern void main(void);
+ main();
+#endif
+
+ /* Application has ended, so busy wait */
+ while(1) {};
+}
+
+/* Vector Exception/Interrupt Handlers */
+__attribute__ ((section(".after_vectors")))
+static void Default_Handler(void)
+{
+ /* Loop forever */
+ while(1);
+}
+
+void HardFault_HandlerC( uint32_t *hardfault_args )
+{
+ /* These are volatile to try and prevent the compiler/linker optimizing them
+ away as the variables never actually get used. If the debugger won't show the
+ values of the variables, make them global my moving their declaration outside
+ of this function. */
+ volatile uint32_t stacked_r0;
+ volatile uint32_t stacked_r1;
+ volatile uint32_t stacked_r2;
+ volatile uint32_t stacked_r3;
+ volatile uint32_t stacked_r12;
+ volatile uint32_t stacked_lr;
+ volatile uint32_t stacked_pc;
+ volatile uint32_t stacked_psr;
+ volatile uint32_t _CFSR;
+ volatile uint32_t _HFSR;
+ volatile uint32_t _DFSR;
+ volatile uint32_t _AFSR;
+ volatile uint32_t _BFAR;
+ volatile uint32_t _MMAR;
+
+ stacked_r0 = ((uint32_t)hardfault_args[0]);
+ stacked_r1 = ((uint32_t)hardfault_args[1]);
+ stacked_r2 = ((uint32_t)hardfault_args[2]);
+ stacked_r3 = ((uint32_t)hardfault_args[3]);
+ stacked_r12 = ((uint32_t)hardfault_args[4]);
+ stacked_lr = ((uint32_t)hardfault_args[5]);
+ stacked_pc = ((uint32_t)hardfault_args[6]);
+ stacked_psr = ((uint32_t)hardfault_args[7]);
+
+ /* Configurable Fault Status Register */
+ /* Consists of MMSR, BFSR and UFSR */
+ _CFSR = (*((volatile uint32_t *)(0xE000ED28)));
+
+ /* Hard Fault Status Register */
+ _HFSR = (*((volatile uint32_t *)(0xE000ED2C)));
+
+ /* Debug Fault Status Register */
+ _DFSR = (*((volatile uint32_t *)(0xE000ED30)));
+
+ /* Auxiliary Fault Status Register */
+ _AFSR = (*((volatile uint32_t *)(0xE000ED3C)));
+
+ /* Read the Fault Address Registers. These may not contain valid values. */
+ /* Check BFARVALID/MMARVALID to see if they are valid values */
+ /* MemManage Fault Address Register */
+ _MMAR = (*((volatile uint32_t *)(0xE000ED34)));
+ /* Bus Fault Address Register */
+ _BFAR = (*((volatile uint32_t *)(0xE000ED38)));
+
+ printf ("\n\nHard fault handler (all numbers in hex):\n");
+ printf ("R0 = %x\n", stacked_r0);
+ printf ("R1 = %x\n", stacked_r1);
+ printf ("R2 = %x\n", stacked_r2);
+ printf ("R3 = %x\n", stacked_r3);
+ printf ("R12 = %x\n", stacked_r12);
+ printf ("LR [R14] = %x subroutine call return address\n", stacked_lr);
+ printf ("PC [R15] = %x program counter\n", stacked_pc);
+ printf ("PSR = %x\n", stacked_psr);
+ printf ("CFSR = %x\n", _CFSR);
+ printf ("HFSR = %x\n", _HFSR);
+ printf ("DFSR = %x\n", _DFSR);
+ printf ("AFSR = %x\n", _AFSR);
+ printf ("MMAR = %x\n", _MMAR);
+ printf ("BFAR = %x\n", _BFAR);
+
+ /* Break into the debugger */
+ __asm("BKPT #0\n");
+}
+
+__attribute__( ( naked, section(".after_vectors") ) )
+void HardFault_Handler(void)
+{
+ __asm volatile
+ (
+ " tst lr, #4 \n"
+ " ite eq \n"
+ " mrseq r0, msp \n"
+ " mrsne r0, psp \n"
+ " ldr r1, [r0, #24] \n"
+ " ldr r2, handler2_address_const \n"
+ " bx r2 \n"
+ " handler2_address_const: .word HardFault_HandlerC \n"
+ );
+}
+
+/* Forward declaration of IRQ handlers */
+#define ALIAS(f) __attribute__ ((weak, alias (#f)))
+
+void NMI_Handler(void) ALIAS(Default_Handler);
+void MemManage_Handler(void) ALIAS(Default_Handler);
+void BusFault_Handler(void) ALIAS(Default_Handler);
+void UsageFault_Handler(void) ALIAS(Default_Handler);
+void SVC_Handler(void) ALIAS(Default_Handler);
+void DebugMon_Handler(void) ALIAS(Default_Handler);
+void PendSV_Handler(void) ALIAS(Default_Handler);
+void SysTick_Handler(void) ALIAS(Default_Handler);
+
+void DAC_IRQHandler(void) ALIAS(Default_Handler);
+void DMA_IRQHandler(void) ALIAS(Default_Handler);
+void FLASHEEPROM_IRQHandler(void) ALIAS(Default_Handler);
+void ETH_IRQHandler(void) ALIAS(Default_Handler);
+void SDIO_IRQHandler(void) ALIAS(Default_Handler);
+void LCD_IRQHandler(void) ALIAS(Default_Handler);
+void USB0_IRQHandler(void) ALIAS(Default_Handler);
+void USB1_IRQHandler(void) ALIAS(Default_Handler);
+void SCT_IRQHandler(void) ALIAS(Default_Handler);
+void RIT_IRQHandler(void) ALIAS(Default_Handler);
+void TIMER0_IRQHandler(void) ALIAS(Default_Handler);
+void TIMER1_IRQHandler(void) ALIAS(Default_Handler);
+void TIMER2_IRQHandler(void) ALIAS(Default_Handler);
+void TIMER3_IRQHandler(void) ALIAS(Default_Handler);
+void MCPWM_IRQHandler(void) ALIAS(Default_Handler);
+void ADC0_IRQHandler(void) ALIAS(Default_Handler);
+void I2C0_IRQHandler(void) ALIAS(Default_Handler);
+void I2C1_IRQHandler(void) ALIAS(Default_Handler);
+void ADC1_IRQHandler(void) ALIAS(Default_Handler);
+void SSP0_IRQHandler(void) ALIAS(Default_Handler);
+void SSP1_IRQHandler(void) ALIAS(Default_Handler);
+void UART0_IRQHandler(void) ALIAS(Default_Handler);
+void UART1_IRQHandler(void) ALIAS(Default_Handler);
+void UART2_IRQHandler(void) ALIAS(Default_Handler);
+void UART3_IRQHandler(void) ALIAS(Default_Handler);
+void I2S0_IRQHandler(void) ALIAS(Default_Handler);
+void I2S1_IRQHandler(void) ALIAS(Default_Handler);
+void SPIFI_IRQHandler(void) ALIAS(Default_Handler);
+void SGPIO_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO0_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO1_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO2_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO3_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO4_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO5_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO6_IRQHandler(void) ALIAS(Default_Handler);
+void GPIO7_IRQHandler(void) ALIAS(Default_Handler);
+void GINT0_IRQHandler(void) ALIAS(Default_Handler);
+void GINT1_IRQHandler(void) ALIAS(Default_Handler);
+void EVRT_IRQHandler(void) ALIAS(Default_Handler);
+void CAN1_IRQHandler(void) ALIAS(Default_Handler);
+void ATIMER_IRQHandler(void) ALIAS(Default_Handler);
+void RTC_IRQHandler(void) ALIAS(Default_Handler);
+void WDT_IRQHandler(void) ALIAS(Default_Handler);
+void CAN0_IRQHandler(void) ALIAS(Default_Handler);
+void QEI_IRQHandler(void) ALIAS(Default_Handler);
+
+/* Vectors */
+extern void (* const g_pfnVectors[])(void);
+__attribute__ ((used,section(".isr_vector")))
+void (* const g_pfnVectors[])(void) =
+{
+ // Core Level - CM3
+ &_vStackTop, // The initial stack pointer
+ ResetISR, // The reset handler
+ NMI_Handler, // The NMI handler
+ HardFault_Handler, // The hard fault handler
+ MemManage_Handler, // The MPU fault handler
+ BusFault_Handler, // The bus fault handler
+ UsageFault_Handler, // The usage fault handler
+ 0, // Reserved
+ 0, // Reserved
+ 0, // Reserved
+ 0, // Reserved
+ SVC_Handler, // SVCall handler
+ DebugMon_Handler, // Debug monitor handler
+ 0, // Reserved
+ PendSV_Handler, // The PendSV handler
+ SysTick_Handler, // The SysTick handler
+
+ // Chip Level - LPC18
+ DAC_IRQHandler, // 16
+ 0, // 17
+ DMA_IRQHandler, // 18
+ 0, // 19
+ FLASHEEPROM_IRQHandler, // 20
+ ETH_IRQHandler, // 21
+ SDIO_IRQHandler, // 22
+ LCD_IRQHandler, // 23
+ USB0_IRQHandler, // 24
+ USB1_IRQHandler, // 25
+ SCT_IRQHandler, // 26
+ RIT_IRQHandler, // 27
+ TIMER0_IRQHandler, // 28
+ TIMER1_IRQHandler, // 29
+ TIMER2_IRQHandler, // 30
+ TIMER3_IRQHandler, // 31
+ MCPWM_IRQHandler, // 32
+ ADC0_IRQHandler, // 33
+ I2C0_IRQHandler, // 34
+ I2C1_IRQHandler, // 35
+ 0, // 36
+ ADC1_IRQHandler, // 37
+ SSP0_IRQHandler, // 38
+ SSP1_IRQHandler, // 39
+ UART0_IRQHandler, // 40
+ UART1_IRQHandler, // 41
+ UART2_IRQHandler, // 42
+ UART3_IRQHandler, // 43
+ I2S0_IRQHandler, // 44
+ I2S1_IRQHandler, // 45
+ SPIFI_IRQHandler, // 46
+ SGPIO_IRQHandler, // 47
+ GPIO0_IRQHandler, // 48
+ GPIO1_IRQHandler, // 49
+ GPIO2_IRQHandler, // 50
+ GPIO3_IRQHandler, // 51
+ GPIO4_IRQHandler, // 52
+ GPIO5_IRQHandler, // 53
+ GPIO6_IRQHandler, // 54
+ GPIO7_IRQHandler, // 55
+ GINT0_IRQHandler, // 56
+ GINT1_IRQHandler, // 57
+ EVRT_IRQHandler, // 58
+ CAN1_IRQHandler, // 59
+ 0, // 60
+ 0, // 61
+ ATIMER_IRQHandler, // 62
+ RTC_IRQHandler, // 63
+ 0, // 64
+ WDT_IRQHandler, // 65
+ 0, // 66
+ CAN0_IRQHandler, // 67
+ QEI_IRQHandler, // 68
+};
diff --git a/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c b/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c
new file mode 100644
index 000000000..3e394d891
--- /dev/null
+++ b/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c
@@ -0,0 +1,95 @@
+#include "board.h"
+#include
+
+
+#ifdef HAVE_CONFIG_H
+ #include
+#endif
+
+#include
+#include
+#include
+#include
+
+
+/*****************************************************************************
+ * Private types/enumerations/variables
+ ****************************************************************************/
+
+/* UART definitions */
+#define LPC_UART LPC_USART0
+#define UARTx_IRQn USART0_IRQn
+
+
+/*****************************************************************************
+ * Public types/enumerations/variables
+ ****************************************************************************/
+typedef struct func_args {
+ int argc;
+ char** argv;
+ int return_code;
+} func_args;
+
+const char menu1[] = "\r\n"
+ "\tt. WolfSSL Test\r\n"
+ "\tb. WolfSSL Benchmark\r\n";
+
+/*****************************************************************************
+ * Private functions
+ ****************************************************************************/
+
+/*****************************************************************************
+ * Public functions
+ ****************************************************************************/
+int main(void)
+{
+ int opt = 0;
+ uint8_t buffer[1];
+ func_args args;
+
+ SystemCoreClockUpdate();
+ Board_Init();
+ Board_UART_Init(LPC_UART);
+ Chip_UART_Init(LPC_UART);
+ Chip_UART_SetBaud(LPC_UART, 115200);
+ Chip_UART_ConfigData(LPC_UART, UART_LCR_WLEN8 | UART_LCR_SBS_1BIT); /* Default 8-N-1 */
+ Chip_UART_TXEnable(LPC_UART);
+ Chip_UART_SetupFIFOS(LPC_UART, (UART_FCR_FIFO_EN | UART_FCR_RX_RS |
+ UART_FCR_TX_RS | UART_FCR_DMAMODE_SEL | UART_FCR_TRG_LEV0));
+ Chip_UART_IntEnable(LPC_UART, (UART_IER_ABEOINT | UART_IER_ABTOINT));
+ NVIC_SetPriority(UARTx_IRQn, 1);
+ NVIC_EnableIRQ(UARTx_IRQn);
+
+ Chip_OTP_Init();
+
+ while (1) {
+ DEBUGOUT("\r\n\t\t\t\tMENU\r\n");
+ DEBUGOUT(menu1);
+ DEBUGOUT("Please select one of the above options: ");
+
+ opt = 0;
+ while (opt == 0) {
+ opt = Chip_UART_Read(LPC_UART, buffer, sizeof(buffer));
+ }
+
+ switch (buffer[0]) {
+
+ case 't':
+ memset(&args, 0, sizeof(args));
+ printf("\nCrypt Test\n");
+ wolfcrypt_test(&args);
+ printf("Crypt Test: Return code %d\n", args.return_code);
+ break;
+
+ case 'b':
+ memset(&args, 0, sizeof(args));
+ printf("\nBenchmark Test\n");
+ benchmark_test(&args);
+ printf("Benchmark Test: Return code %d\n", args.return_code);
+ break;
+
+ // All other cases go here
+ default: DEBUGOUT("\r\nSelection out of range\r\n"); break;
+ }
+ }
+}
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c b/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c
index 99cf1fbc9..9d3891e62 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c
@@ -24,6 +24,7 @@
#endif
#include
+#include
#include
typedef struct func_args {
@@ -34,8 +35,7 @@ typedef struct func_args {
static func_args args = { 0 } ;
-extern double current_time(int reset) ;
-extern int benchmark_test(void *args) ;
+extern double current_time(int reset);
void main(void)
{
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/hw.h b/IDE/ROWLEY-CROSSWORKS-ARM/hw.h
index 3a9bea546..134193ca8 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/hw.h
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/hw.h
@@ -1,4 +1,7 @@
-#pragma once
+
+#ifndef WOLFSSL_ROWLEY_HW_H
+#define WOLFSSL_ROWLEY_HW_H
+
#include <__cross_studio_io.h>
#include <__libc.h>
@@ -10,4 +13,8 @@ uint32_t hw_get_time_sec(void);
uint32_t hw_get_time_msec(void);
void hw_uart_printchar(int c);
void hw_watchdog_disable(void);
-int hw_rand(void);
+uint32_t hw_rand(void);
+
+
+#endif /* WOLFSSL_ROWLEY_HW_H */
+
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/include.am b/IDE/ROWLEY-CROSSWORKS-ARM/include.am
index d7b17a037..e812cc7e6 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/include.am
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/include.am
@@ -10,6 +10,6 @@ EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/Kinetis_MemoryMap.xml
EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/Kinetis_FlashPlacement.xml
EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/README.md
EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/test_main.c
-EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c
+EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/retarget.c
EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c b/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c
index f8fe62441..7dab09433 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c
@@ -167,7 +167,7 @@ void hw_uart_printchar(int c)
UART_PORT->D = (uint8_t)c; /* Send the character */
}
-int hw_rand(void)
+uint32_t hw_rand(void)
{
while((RNG->SR & RNG_SR_OREG_LVL(0xF)) == 0) {}; /* Wait until FIFO has a value available */
return RNG->OR; /* Return next value in FIFO output register */
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c b/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c
similarity index 72%
rename from IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c
rename to IDE/ROWLEY-CROSSWORKS-ARM/retarget.c
index 562f153c6..8f524b841 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c
@@ -1,4 +1,4 @@
-/* user_libc.c
+/* retarget.c
*
* Copyright (C) 2006-2015 wolfSSL Inc.
*
@@ -29,7 +29,7 @@ double current_time(int reset)
return time;
}
-int custom_rand_generate(void)
+uint32_t custom_rand_generate(void)
{
return hw_rand();
}
@@ -40,23 +40,7 @@ int __putchar(int c, __printf_tag_ptr ctx)
hw_uart_printchar(c);
}
-
-// Rowley CrossWorks, runtime support.
-//
-// Copyright (c) 2001-2015 Rowley Associates Limited.
-//
-// This file may be distributed under the terms of the License Agreement
-// provided with this software.
-//
-// THIS FILE IS PROVIDED AS IS WITH NO WARRANTY OF ANY KIND, INCLUDING THE
-// WARRANTY OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
-
-#include <__libc.h>
-
-#if defined(__CROSSWORKS_ARM) || defined(__SES_ARM)
-
extern unsigned char __stack_process_start__[];
-
unsigned char * __aeabi_read_tp(void)
{
// thread-local storage addressing refers to the thread pointer
@@ -64,15 +48,7 @@ unsigned char * __aeabi_read_tp(void)
return (__stack_process_start__);
}
-#elif defined(__CROSSWORKS_AVR) || defined(__CROSSWORKS_MSP430)
-
-unsigned char * __RAL_read_tp(void)
-{
- return 0;
-}
-
-#endif
-
+/* Stubs */
void __heap_lock(void)
{
}
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
index 77ae6dbd4..0f648c1a3 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h
@@ -18,7 +18,8 @@
/* Custom functions */
extern int custom_rand_generate(void);
-#define CUSTOM_RAND_GENERATE custom_rand_generate
+#define CUSTOM_RAND_GENERATE custom_rand_generate
+#define CUSTOM_RAND_TYPE word32
#define WOLFSSL_USER_CURRTIME
/* Debugging - Optional */
diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
index 9d20a1ba5..7468f7e55 100644
--- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
+++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp
@@ -10,12 +10,19 @@
project_type="Library" />
-
+
+
+
+
+
+
+
+
+
@@ -52,7 +65,7 @@
target_script_file="$(TargetsDir)/Kinetis/Kinetis_Target.js" />
-
+
@@ -91,7 +104,7 @@
target_script_file="$(TargetsDir)/Kinetis/Kinetis_Target.js" />
-
+
diff --git a/IDE/include.am b/IDE/include.am
index 0a421feb7..e77c86c35 100644
--- a/IDE/include.am
+++ b/IDE/include.am
@@ -8,4 +8,4 @@ include IDE/WORKBENCH/include.am
include IDE/ROWLEY-CROSSWORKS-ARM/include.am
include IDE/ARDUINO/include.am
-EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL
+EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL IDE/LPCXPRESSO
diff --git a/IPP/.gitkeep b/IPP/.gitkeep
new file mode 100644
index 000000000..e69de29bb
diff --git a/Makefile.am b/Makefile.am
index 687895e34..2b46d5624 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -59,27 +59,22 @@ EXTRA_DIST+= gencertbuf.pl
EXTRA_DIST+= README.md
EXTRA_DIST+= LICENSING
EXTRA_DIST+= INSTALL
-EXTRA_DIST+= IPP/
-
-# user crypto plug in example
-EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac
-EXTRA_DIST+= wolfcrypt/user-crypto/autogen.sh
-EXTRA_DIST+= wolfcrypt/user-crypto/include/user_rsa.h
-EXTRA_DIST+= wolfcrypt/user-crypto/src/rsa.c
-EXTRA_DIST+= wolfcrypt/user-crypto/lib/.gitkeep
-EXTRA_DIST+= wolfcrypt/user-crypto/README.txt
-EXTRA_DIST+= wolfcrypt/user-crypto/Makefile.am
+EXTRA_DIST+= IPP
+include wrapper/include.am
include cyassl/include.am
include wolfssl/include.am
include certs/include.am
include certs/1024/include.am
include certs/crl/include.am
+include certs/external/include.am
+include certs/ocsp/include.am
include doc/include.am
include swig/include.am
include src/include.am
include support/include.am
+include wolfcrypt/user-crypto/include.am
include wolfcrypt/benchmark/include.am
include wolfcrypt/src/include.am
include wolfcrypt/test/include.am
diff --git a/README b/README
index 2c5586532..efcab65e7 100644
--- a/README
+++ b/README
@@ -12,7 +12,9 @@ key cipher suites with
WOLFSSL_STATIC_PSK
though static key cipher suites are deprecated and will be removed from future
-versions of TLS. They also lower your security by removing PFS.
+versions of TLS. They also lower your security by removing PFS. Since current
+NTRU suites available do not use ephemeral keys, WOLFSSL_STATIC_RSA needs to be
+used in order to build with NTRU suites.
When compiling ssl.c wolfSSL will now issue a compiler error if no cipher suites
are available. You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES
@@ -32,13 +34,49 @@ before calling wolfSSL_new(); Though it's not recommended.
*** end Notes ***
-wolfSSL (Formerly CyaSSL) Release 3.6.9 (10/05/2015)
-Release 3.6.9 of wolfSSL has bug fixes and new features including:
+ ********* wolfSSL (Formerly CyaSSL) Release 3.8.0 (12/30/2015)
+Release 3.8.0 of wolfSSL has bug fixes and new features including:
+
+- Example client/server with VxWorks
+- AESNI use with AES-GCM
+- Stunnel compatibility enhancements
+- Single shot hash and signature/verify API added
+- Update cavium nitrox port
+- LPCXpresso IDE support added
+- C# wrapper to support wolfSSL use by a C# program
+- (BETA version)OCSP stapling added
+- Update OpenSSH compatibility
+- Improve DTLS handshake when retransmitting finished message
+- fix idea_mult() for 16 and 32bit systems
+- fix LowResTimer on Microchip ports
+
+- No high level security fixes that requires an update though we always
+recommend updating to the latest
+
+See INSTALL file for build instructions.
+More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
+
+ ********* wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)
+
+Release 3.7.0 of wolfSSL has bug fixes and new features including:
+
+- ALPN extension support added for HTTP2 connections with --enable-alpn
+- Change of example/client/client max fragment flag -L -> -F
+- Throughput benchmarking, added scripts/benchmark.test
+- Sniffer API ssl_FreeDecodeBuffer added
+- Addition of AES_GCM to Sniffer
+- Sniffer change to handle unlimited decrypt buffer size
- New option for the sniffer where it will try to pick up decoding after a
sequence number acknowldgement fault. Also includes some additional stats.
+- JNI API setter and getter function for jobject added
+- User RSA crypto plugin abstraction. An example placed in wolfcrypt/user-crypto
+- fix to asn configuration bug
- AES-GCM/CCM fixes.
+- Port for Rowley added
+- Rowley Crossworks bare metal examples added
+- MDK5-ARM project update
- FreeRTOS support updates.
- VXWorks support updates.
- Added the IDEA cipher and support in wolfSSL.
@@ -46,7 +84,7 @@ Release 3.6.9 of wolfSSL has bug fixes and new features including:
- CFLAGS is usable when configuring source.
- No high level security fixes that requires an update though we always
- recommend updating to the latest
+recommend updating to the latest
See INSTALL file for build instructions.
More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
diff --git a/README.md b/README.md
index eb2437b10..286e65bf2 100644
--- a/README.md
+++ b/README.md
@@ -13,7 +13,10 @@ key cipher suites with
WOLFSSL_STATIC_PSK
though static key cipher suites are deprecated and will be removed from future
-versions of TLS. They also lower your security by removing PFS.
+versions of TLS. They also lower your security by removing PFS. Since current
+NTRU suites available do not use ephemeral keys, WOLFSSL_STATIC_RSA needs to be
+used in order to build with NTRU suites.
+
When compiling ssl.c wolfSSL will now issue a comipler error if no cipher suites
are available. You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES
@@ -35,14 +38,48 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0);
before calling wolfSSL_new(); Though it's not recommended.
```
+# wolfSSL (Formerly CyaSSL) Release 3.8.0 (12/30/2015)
-# wolfSSL (Formerly CyaSSL) Release 3.6.9 (10/05/2015)
+##Release 3.8.0 of wolfSSL has bug fixes and new features including:
-##Release 3.6.9 of wolfSSL has bug fixes and new features including:
+- Example client/server with VxWorks
+- AESNI use with AES-GCM
+- Stunnel compatibility enhancements
+- Single shot hash and signature/verify API added
+- Update cavium nitrox port
+- LPCXpresso IDE support added
+- C# wrapper to support wolfSSL use by a C# program
+- (BETA version)OCSP stapling added
+- Update OpenSSH compatibility
+- Improve DTLS handshake when retransmitting finished message
+- fix idea_mult() for 16 and 32bit systems
+- fix LowResTimer on Microchip ports
+- No high level security fixes that requires an update though we always
+recommend updating to the latest
+
+See INSTALL file for build instructions.
+More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
+
+# wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015)
+
+##Release 3.7.0 of wolfSSL has bug fixes and new features including:
+
+- ALPN extension support added for HTTP2 connections with --enable-alpn
+- Change of example/client/client max fragment flag -L -> -F
+- Throughput benchmarking, added scripts/benchmark.test
+- Sniffer API ssl_FreeDecodeBuffer added
+- Addition of AES_GCM to Sniffer
+- Sniffer change to handle unlimited decrypt buffer size
- New option for the sniffer where it will try to pick up decoding after a
sequence number acknowldgement fault. Also includes some additional stats.
+- JNI API setter and getter function for jobject added
+- User RSA crypto plugin abstraction. An example placed in wolfcrypt/user-crypto
+- fix to asn configuration bug
- AES-GCM/CCM fixes.
+- Port for Rowley added
+- Rowley Crossworks bare metal examples added
+- MDK5-ARM project update
- FreeRTOS support updates.
- VXWorks support updates.
- Added the IDEA cipher and support in wolfSSL.
@@ -50,12 +87,11 @@ before calling wolfSSL_new(); Though it's not recommended.
- CFLAGS is usable when configuring source.
- No high level security fixes that requires an update though we always
- recommend updating to the latest
+recommend updating to the latest
See INSTALL file for build instructions.
More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html
-
#wolfSSL (Formerly CyaSSL) Release 3.6.8 (09/17/2015)
##Release 3.6.8 of wolfSSL fixes two high severity vulnerabilities.
diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST
index 2f2306590..ffea9432f 100644
--- a/SCRIPTS-LIST
+++ b/SCRIPTS-LIST
@@ -19,13 +19,20 @@ certs/
renewcerts.sh - renews test certs and crls
crl/
gencrls.sh - generates crls, used by renewcerts.sh
+ ocsp/
+ renewcerts.sh - renews ocsp certs
+ ocspd0.sh - ocsp responder for root-ca-cert.pem
+ ocspd1.sh - ocsp responder for intermediate1-ca-cert.pem
+ ocspd2.sh - ocsp responder for intermediate2-ca-cert.pem
scripts/
external.test - example client test against our website, part of tests
google.test - example client test against google, part of tests
resume.test - example sessoin resume test, part of tests
- sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
- in sniffer mode
+ ocsp-stapling.test - example client test against globalsign, part of tests
+ ocsp-stapling2.test - example client test against example server, part of tests
+ sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests
+ in sniffer mode
swig/
PythonBuild.sh - builds and runs simple python example
diff --git a/Vagrantfile b/Vagrantfile
index aef42caf7..ddf37ce83 100644
--- a/Vagrantfile
+++ b/Vagrantfile
@@ -17,10 +17,10 @@ cd $LIB.$VER/ && ./autogen.sh && ./configure -q && make -s
sudo make install && cd .. && rm -rf $LIB.$VER*
-SRC=vagrant
DST=wolfssl
-cp -rp /$SRC/ $DST/
+cp -rp /vagrant/ $DST/
+chown -hR vagrant:vagrant $DST/
echo "cd $DST" >> .bashrc
echo "read -p 'Sync $DST? (y/n) ' -n 1 -r" >> .bashrc
@@ -30,20 +30,13 @@ echo " echo -e '\e[0;32mRunning $DST sync\e[0m'" >> .bashrc
echo " ./pull_to_vagrant.sh" >> .bashrc
echo "fi" >> .bashrc
-cd $DST
-./autogen.sh
-./configure
-make check
-
-cd ..
-chown -hR vagrant:vagrant $DST/ /tmp/output
SCRIPT
VAGRANTFILE_API_VERSION = "2"
Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
- config.vm.box = "hashicorp/precise64"
+ config.vm.box = "ubuntu/trusty64"
config.vm.provision "shell", inline: $setup
config.vm.network "forwarded_port", guest: 11111, host: 33333
diff --git a/certs/external/ca-globalsign-root-r2.pem b/certs/external/ca-globalsign-root-r2.pem
new file mode 100644
index 000000000..6f0f8db0d
--- /dev/null
+++ b/certs/external/ca-globalsign-root-r2.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G
+A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp
+Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1
+MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG
+A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI
+hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL
+v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8
+eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq
+tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd
+C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa
+zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB
+mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH
+V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n
+bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG
+3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs
+J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO
+291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS
+ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd
+AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7
+TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg==
+-----END CERTIFICATE-----
diff --git a/certs/external/ca-verisign-g5.pem b/certs/external/ca-verisign-g5.pem
new file mode 100644
index 000000000..707ff085b
--- /dev/null
+++ b/certs/external/ca-verisign-g5.pem
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB
+yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
+ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp
+U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW
+ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0
+aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL
+MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW
+ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln
+biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp
+U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y
+aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1
+nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex
+t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz
+SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG
+BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+
+rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/
+NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E
+BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH
+BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy
+aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv
+MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE
+p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y
+5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK
+WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ
+4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N
+hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq
+-----END CERTIFICATE-----
diff --git a/certs/external/include.am b/certs/external/include.am
new file mode 100644
index 000000000..a6fa17f64
--- /dev/null
+++ b/certs/external/include.am
@@ -0,0 +1,7 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+ certs/external/ca-globalsign-root-r2.pem \
+ certs/external/ca-verisign-g5.pem
diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am
new file mode 100644
index 000000000..cd5457f9e
--- /dev/null
+++ b/certs/ocsp/include.am
@@ -0,0 +1,34 @@
+# vim:ft=automake
+# All paths should be given relative to the root
+#
+
+EXTRA_DIST += \
+ certs/ocsp/index0.txt \
+ certs/ocsp/index1.txt \
+ certs/ocsp/index2.txt \
+ certs/ocsp/index3.txt \
+ certs/ocsp/openssl.cnf \
+ certs/ocsp/ocspd0.sh \
+ certs/ocsp/ocspd1.sh \
+ certs/ocsp/ocspd2.sh \
+ certs/ocsp/ocspd3.sh \
+ certs/ocsp/intermediate1-ca-key.pem \
+ certs/ocsp/intermediate1-ca-cert.pem \
+ certs/ocsp/intermediate2-ca-key.pem \
+ certs/ocsp/intermediate2-ca-cert.pem \
+ certs/ocsp/intermediate3-ca-key.pem \
+ certs/ocsp/intermediate3-ca-cert.pem \
+ certs/ocsp/ocsp-responder-key.pem \
+ certs/ocsp/ocsp-responder-cert.pem \
+ certs/ocsp/server1-key.pem \
+ certs/ocsp/server1-cert.pem \
+ certs/ocsp/server2-key.pem \
+ certs/ocsp/server2-cert.pem \
+ certs/ocsp/server3-key.pem \
+ certs/ocsp/server3-cert.pem \
+ certs/ocsp/server4-key.pem \
+ certs/ocsp/server4-cert.pem \
+ certs/ocsp/server5-key.pem \
+ certs/ocsp/server5-cert.pem \
+ certs/ocsp/root-ca-key.pem \
+ certs/ocsp/root-ca-cert.pem
diff --git a/certs/ocsp/index0.txt b/certs/ocsp/index0.txt
new file mode 100644
index 000000000..256b8ab58
--- /dev/null
+++ b/certs/ocsp/index0.txt
@@ -0,0 +1,4 @@
+V 161213070133Z 63 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+V 161213070133Z 01 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+V 161213070133Z 02 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+R 161213070133Z 151201070133Z 03 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
diff --git a/certs/ocsp/index1.txt b/certs/ocsp/index1.txt
new file mode 100644
index 000000000..a49ec58a3
--- /dev/null
+++ b/certs/ocsp/index1.txt
@@ -0,0 +1,2 @@
+V 161213070133Z 05 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www1.wolfssl.com/emailAddress=info@wolfssl.com
+R 161213070133Z 151201070133Z 06 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www2.wolfssl.com/emailAddress=info@wolfssl.com
diff --git a/certs/ocsp/index2.txt b/certs/ocsp/index2.txt
new file mode 100644
index 000000000..0a163f7b6
--- /dev/null
+++ b/certs/ocsp/index2.txt
@@ -0,0 +1,2 @@
+V 161213070133Z 07 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www3.wolfssl.com/emailAddress=info@wolfssl.com
+R 161213070133Z 151201070133Z 08 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www4.wolfssl.com/emailAddress=info@wolfssl.com
diff --git a/certs/ocsp/index3.txt b/certs/ocsp/index3.txt
new file mode 100644
index 000000000..eb6d3c048
--- /dev/null
+++ b/certs/ocsp/index3.txt
@@ -0,0 +1 @@
+V 161213070133Z 09 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www5.wolfssl.com/emailAddress=info@wolfssl.com
diff --git a/certs/ocsp/intermediate1-ca-cert.pem b/certs/ocsp/intermediate1-ca-cert.pem
new file mode 100644
index 000000000..42f681889
--- /dev/null
+++ b/certs/ocsp/intermediate1-ca-cert.pem
@@ -0,0 +1,186 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
+ a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
+ bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e:
+ 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1:
+ 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90:
+ d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a:
+ e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e:
+ 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64:
+ 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24:
+ 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4:
+ c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b:
+ 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56:
+ f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2:
+ d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4:
+ bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd:
+ 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f:
+ 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc:
+ 97:7f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1:
+ 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7:
+ 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8:
+ 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1:
+ e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17:
+ 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b:
+ 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2:
+ af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6:
+ 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7:
+ 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56:
+ 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7:
+ a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c:
+ 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75:
+ 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8:
+ bb:4b:1f:aa
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl
+xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV
+1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2
+lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt
+ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7
+f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi
+KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9
+jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg
+iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw
+0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC
+LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt
+JMjGmMN/2B1Pxa7gso71qLtLH6o=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/intermediate1-ca-key.pem b/certs/ocsp/intermediate1-ca-key.pem
new file mode 100644
index 000000000..7147c9b0b
--- /dev/null
+++ b/certs/ocsp/intermediate1-ca-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDetMhcd+AtsfW5
+rRZHNaA1ZWXG4UCrHrS5E7fLjLt3pXbabYeH9kpNE+QmPieH7lvHaj9FMGFVXPY1
+0WX6mBGjp1XVvpGCS/y+kNZQU2OaLCLhNRHceAKXiuRGkpxTCHbeH1O2uMp3Pnlu
+vNDjDTBbTPaUDTApZJ8E5dv7iWBnu68mg1F3JC8rC6GUgRCY6OsmqB585MRsZwaV
+VUrdUvTyYG0BKxmRNW2kCEcGcSQA2d7GVvOLUyzimpal82LlxOMj8tL8IeoPYnaN
+1ZlIztxYxLt/2pQsgHSDxeCwFX5B/Q7y9PB4dnutJg2qSJYXLyHjlSsmN/mqgC/+
+3vZevJd/AgMBAAECggEBAJC4sitEyy1mo+QREpUbyAxq5ASlhDyvK4nJwnpH7dsG
+b4HqA1TbO9Vyw6QGZ/HxdzrTVGJF2jp6upSmirqZ73yF1UWdHTmq34eG3347clJR
+tCjdL8oxQp3v5//kbimXKoeVm/T1iLyMoKTRlny1qWLrVKFJIK8FcEDijl2bHEbL
+fdlPSJTN+y0zWoS3urRi/IPrsob23B4ILj0n+yUR4eOK25I3trqgsqcfTyMhX8tH
+eyD4C+ir0j5evnmBhsKL0cUgGxGj8aVdOgab8dlKlDNi7HH5fe/FTMAQ344uege8
+D5dytc1H4wWq3le1PsvCh56lyPx7P4BamNzuJ85OnWECgYEA8xSw544oIe6RzMxh
+51pYLyf1aU8zd9w0ISkXnXQ4RxcNubbFHLu/S/vSlbE5qqSf128H3XkAP6HT6UJe
+JS/WqJbUcdWkzULjj7fLXJ2oer3hrVXq2L9Me1l0XrYoBvRuap15AtQ/cxafxMUZ
+HpEWam0EPxoTkTp4EUWi++U09yMCgYEA6org2l1qdqChHw3ihlfl3rKMY/DT+f1b
+uMnbMKNhqgyV3ItSh7MnVJurvJ56CQVuVay+T11qfyo3cKzxNYLYTGLvAtBeK/aC
+B/hdCvxMBpXd71Vlnz0w6qJi0mkGNNTFGzxwqwPByqP0NyKStPN3W98HwFhiqKmU
+y8wpv5ZeUfUCgYEAx1Ba8bLdc10zzbJ0QIgSsK/aCXx4njo/wET6aQ/HqXrctT+J
+BlNnur0EYduMhkAwFCylTVMPAh4GLUhO+7zrDReHoMNmOywyfUBeDlXztJkHd+Jw
+C0NoSegChDpmPbWk5+SxOcGhORP+8xAN1cNvltpG1hrimn1PwBHSXysEr/MCgYEA
+hLVUCPp2dOzqfcHDfLRbcqigWyQ3LOo4bdR5W4n2httcKFAEwJeUF4GFqNIaxuP1
+zDBT9mArFAz1FaIlUVvZu073YiY4QrPWW2AidUbQVaGS1AsD1xguh3SeaePXCSmi
+5YhLT9huXJRsaI39aLmhva/ymNjp6fkaIj5BGRCiCckCgYEAkZjADCg9gcqJo5oc
+RDMpHT8C6SjE6+W0+00AnH1rSK0ev7uAGb6/rOpsShRiGubo7Ekil1MyMuOFmLPK
+9K5oi4KKmVfTaPMfm2UnVCC2Dv2nMXkmYdQKiGgwbAhYfu/wGQXj682r2YYD4Xsa
+qz7cWosuOKihAVhA52vZ7YacW2c=
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/intermediate2-ca-cert.pem b/certs/ocsp/intermediate2-ca-cert.pem
new file mode 100644
index 000000000..cacb413d2
--- /dev/null
+++ b/certs/ocsp/intermediate2-ca-cert.pem
@@ -0,0 +1,186 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4:
+ 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7:
+ 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6:
+ 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77:
+ 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db:
+ 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb:
+ ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98:
+ 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1:
+ 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a:
+ 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52:
+ 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d:
+ f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35:
+ cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36:
+ a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f:
+ 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55:
+ f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96:
+ aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff:
+ d9:99
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1d:d6:14:6c:f5:cc:f9:c9:0d:c4:27:c1:50:49:ab:d7:39:6e:
+ 86:31:cf:67:99:c0:5d:37:d0:14:ee:d8:e3:da:17:a5:82:c2:
+ 25:86:33:28:0d:f6:ca:6b:7a:c7:72:f1:d8:b9:20:27:ee:0c:
+ 7d:77:e5:8b:03:46:9a:f8:99:6a:8e:57:1a:c9:a2:b1:79:d6:
+ b6:b6:e5:1a:39:80:2e:88:2b:17:c8:b9:36:37:38:58:8a:f0:
+ 62:68:97:25:b5:7a:62:5c:4d:22:2c:30:62:0c:11:f0:4d:70:
+ 95:c7:2d:9e:ab:c5:ef:2e:a4:29:25:8b:e2:e4:d2:9d:2c:5e:
+ 60:79:36:98:13:a8:38:6c:00:0d:6a:f0:11:3c:3f:d8:f9:6b:
+ 16:d1:61:f9:db:53:56:02:43:56:a8:01:3b:88:77:91:a5:6e:
+ a0:ab:2c:6c:e6:ec:cf:ff:5a:07:94:ea:49:92:d4:87:98:f8:
+ 89:f0:f7:4f:77:b0:df:c9:89:03:76:d9:31:30:86:f7:e9:8a:
+ 74:fa:f2:b2:f3:4d:f7:43:41:48:9c:1f:db:ea:23:e3:1e:4c:
+ 15:76:92:e0:f8:ce:71:35:fd:25:f0:97:cd:99:5d:2c:af:33:
+ 64:5e:bd:be:35:e3:53:78:6c:10:c8:0e:cc:83:e5:d9:2e:7a:
+ d9:6d:52:95
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj
+hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj
+K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl
+uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B
+nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S
+4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR
+rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAB3WFGz1zPnJDcQnwVBJq9c5boYxz2eZwF030BTu2OPaF6WCwiWGMygN9spr
+esdy8di5ICfuDH135YsDRpr4mWqOVxrJorF51ra25Ro5gC6IKxfIuTY3OFiK8GJo
+lyW1emJcTSIsMGIMEfBNcJXHLZ6rxe8upCkli+Lk0p0sXmB5NpgTqDhsAA1q8BE8
+P9j5axbRYfnbU1YCQ1aoATuId5GlbqCrLGzm7M//WgeU6kmS1IeY+Inw9093sN/J
+iQN22TEwhvfpinT68rLzTfdDQUicH9vqI+MeTBV2kuD4znE1/SXwl82ZXSyvM2Re
+vb4141N4bBDIDsyD5dkuetltUpU=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/intermediate2-ca-key.pem b/certs/ocsp/intermediate2-ca-key.pem
new file mode 100644
index 000000000..61cec0879
--- /dev/null
+++ b/certs/ocsp/intermediate2-ca-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQIDw1GW8sRLR+
+Qsd1tGorqSOFv4e07srXSx8x1xECoatYPfvcUco6HR+VplaC94//a1C76hDhRx01
+dy5LKMVTRiMrgv1a0/Qh2w7g8nYzR7MAvjqxI5hT6+qg3hvMBU7uY6gskyTWmHh0
+A+TIiUNh8SW4zTuHwTEl/bpM/CmURZ5p12cKio7VUpMwog7dahywlHfbUlK3iSG+
+lnUky+lJ34GdnfhVfQEq63gDEuIgbttjNc2hlvD4jCA1aYcByrRUNqAV4CN9ufu+
+mQVQ8L/sfxLhPXUVTsjCMOaL/uWLVfhEXuXjVuBmLW9CWkVrlqrHXUEIX87X3J8g
+5EZ4/9mZAgMBAAECggEAR2vofWhfCFgDgJi2DiR9ksIWWJ2jmmmf3kX/TIE7ayXD
+wSJ0PeUresnnvtk4MvV1yvcu2221oTlgQqrFjjFNlggppZLsErFNxBiCgJt0CKEA
+Qq8FQSiv64y4FcBi1Z60uYYlfjZ4m9Py8g0sA81m/ENe6I41cZ7QmPL7bdPTCPhE
+cGwPKjkw1xwDn6EeK5x5sscfCrlKXsH4zhXH67r2iwQ7x5+t4pWApdT15rMX+r0E
+HzBoj4wjhR7yo9nZDqhBZiOJF/zQGTCkj6J451Rj47s42fLTYgVyW5D1DO9wBvQQ
+i7AwwDuimVqKNGW7J/oRjhiBAKFr2IOGcAFJJbM3SQKBgQD1JRO9umdNfqj38kw5
+DMeydVITvhYjSfc+F2R1hldX9kSdowttJ3GwArnjsZLSfttj7/gnRVPJC+OWvJGm
+AmegmCXJGl/mtDAlN+MDJw2/KEdcC4CHMqRokrNNF3zafbTDIDq24kAMx1wef46k
+8+9F3IPY+arD50LSkS5+gUUk1wKBgQDZV4R9yCeAE8o+ejks7lBC8kk5CxZKbXPA
+o4vPHGKOknmZGqfKJY9Auk7nk4g56K9GxlotlsjwCwuSBdkqjDkqMypHG9odh6s8
+8iFjVGvJvY6x+PXONW6cjG2K6Lif0o0/bx+C+2Sy05koV1eYY4+EskafqTxbQgSa
+0t85a6u3DwKBgGK4g7KsFl3G3BS9pqRy2Ris1ljM++1KJB8FHJeXeiUaL5eryTYz
+5DyVXHatVAsguwkL4ksuSAd2mjhhx+WqokCyBMVvsZ8egST71Je4anjIp7QRjbjk
+VAEo0rwA8W6roNfTatGrW0/KGPbPN4qGEZ14qEAAixxJTUeu36JiPI4RAoGASK43
+pEh2zSHRFCuTSy82r+yOCAFpJuKLPvRyIISBgOQCvexoB/WffinPkSmI+LSTSLu0
+FGLEN2G6MM673LqfszkA/l6WBiIEZZEjETB+CyzUtzdmG9tKbheX2kgQ1YF3sqra
+gtbGyfZw1UjABjnlGJ71dxcFFA9zssKp223iMokCgYAEBpHy/x90qWR6d9ApXZnC
+PMvcZCa2EgQWBabOkyxF7Ao8mIu0K4rqRM9XBlboRRBQdEP3qL7whJ2voZ7frZYH
+E9hcwnH4F6rBki9PHbEaU80FfTUplKr+qMJavhQ8O1zGhWr7JSF6ByqTQDYWI8BX
+3Q6DAbgdQeeCKFpi4256AA==
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/intermediate3-ca-cert.pem b/certs/ocsp/intermediate3-ca-cert.pem
new file mode 100644
index 000000000..d3fc21682
--- /dev/null
+++ b/certs/ocsp/intermediate3-ca-cert.pem
@@ -0,0 +1,186 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28:
+ fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c:
+ 31:eb:13:70:ea:4a:dd:58:3e:4f:33:14:66:59:69:
+ 7a:aa:90:e0:7c:c4:b2:36:c1:0a:f4:df:3e:34:6c:
+ 1a:e9:2b:f1:a5:92:7e:a9:68:70:ba:a4:68:88:f3:
+ ec:10:40:64:a5:64:7d:d9:1e:51:49:9d:7f:c8:cc:
+ 2b:6d:71:2a:06:ff:e6:1f:84:28:8a:c1:ed:a8:52:
+ f4:89:a5:c0:77:d8:13:66:c2:65:a5:63:03:98:b0:
+ 4b:05:4f:0c:84:a0:f4:2d:72:73:6b:fa:0d:e1:cf:
+ 45:27:ed:a3:8c:02:d7:ee:99:e2:a1:f0:e3:a0:ad:
+ 69:ed:59:e4:27:41:8f:ef:fa:83:73:8f:5f:2b:68:
+ 89:13:46:26:dc:f6:28:6b:3b:b2:b8:9b:52:2a:17:
+ 1b:dc:72:45:73:da:75:24:35:8b:00:5e:23:37:64:
+ 6a:16:74:b8:ee:fe:b7:11:71:be:0a:73:c8:54:c2:
+ d9:04:d2:1b:f5:53:ac:8d:2a:4f:fe:33:79:e6:5e:
+ e7:f3:86:d3:dc:bb:4b:d7:39:7f:5b:3c:67:fe:5e:
+ 88:51:05:96:f2:b4:9a:45:09:4c:51:f0:6a:4d:88:
+ 2a:17
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 9a:47:17:70:ff:92:e7:b5:51:a0:d2:5d:f3:e3:dd:90:ec:c9:
+ 8f:ad:61:74:30:ba:d9:60:ba:5b:cf:da:03:4f:c8:50:5a:f4:
+ 5e:e0:e3:a0:ce:de:43:6c:56:e0:bc:35:e9:0d:bb:53:0e:22:
+ 7f:21:42:6c:2a:0f:67:b2:8a:1a:f5:e8:1f:a9:a1:90:11:d0:
+ ec:18:90:ba:ee:cf:d4:18:28:1b:9c:96:8e:d6:48:bd:6f:66:
+ 79:df:04:0d:04:d3:13:69:b8:24:15:7c:3b:bc:b9:fc:1d:dd:
+ cc:45:a5:c1:04:c9:d3:68:a7:de:cd:1e:aa:cc:bd:3d:f4:12:
+ eb:3d:01:44:11:fd:1d:bd:a0:7a:4c:24:f2:39:78:17:c1:1f:
+ 8c:b8:ab:01:f3:98:88:ff:bd:2c:1b:43:bb:fe:37:94:65:b4:
+ 3c:e6:11:8c:5d:36:de:ab:84:a5:6d:30:23:dc:ad:b1:74:24:
+ 2a:bb:49:f0:37:ef:db:9a:eb:4e:fc:f9:a2:47:06:3a:09:9d:
+ 4f:c3:c6:dc:18:90:47:42:f4:bc:8d:75:be:7c:c8:d5:47:a6:
+ bb:c2:1e:55:16:8f:a4:62:cc:1f:7c:cf:5a:b5:41:6d:98:f4:
+ 15:b9:fc:5a:3e:47:75:a0:f7:b0:df:33:54:a9:7c:f0:da:3c:
+ 65:c2:e6:1a
+-----BEGIN CERTIFICATE-----
+MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L
+RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3sUEEH3CIekSRdrV
+uij9pvQwRKDf+XBeFyaXWVwx6xNw6krdWD5PMxRmWWl6qpDgfMSyNsEK9N8+NGwa
+6SvxpZJ+qWhwuqRoiPPsEEBkpWR92R5RSZ1/yMwrbXEqBv/mH4QoisHtqFL0iaXA
+d9gTZsJlpWMDmLBLBU8MhKD0LXJza/oN4c9FJ+2jjALX7pniofDjoK1p7VnkJ0GP
+7/qDc49fK2iJE0Ym3PYoazuyuJtSKhcb3HJFc9p1JDWLAF4jN2RqFnS47v63EXG+
+CnPIVMLZBNIb9VOsjSpP/jN55l7n84bT3LtL1zl/Wzxn/l6IUQWW8rSaRQlMUfBq
+TYgqFwIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUuxWeMk3g
++KqKsC4MFytaQXRLBkUwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y
+FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw
+DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp
+bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm
+MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcN
+AQELBQADggEBAJpHF3D/kue1UaDSXfPj3ZDsyY+tYXQwutlgulvP2gNPyFBa9F7g
+46DO3kNsVuC8NekNu1MOIn8hQmwqD2eyihr16B+poZAR0OwYkLruz9QYKBuclo7W
+SL1vZnnfBA0E0xNpuCQVfDu8ufwd3cxFpcEEydNop97NHqrMvT30Eus9AUQR/R29
+oHpMJPI5eBfBH4y4qwHzmIj/vSwbQ7v+N5RltDzmEYxdNt6rhKVtMCPcrbF0JCq7
+SfA379ua6078+aJHBjoJnU/DxtwYkEdC9LyNdb58yNVHprvCHlUWj6RizB98z1q1
+QW2Y9BW5/Fo+R3Wg97DfM1SpfPDaPGXC5ho=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/intermediate3-ca-key.pem b/certs/ocsp/intermediate3-ca-key.pem
new file mode 100644
index 000000000..03ebd4154
--- /dev/null
+++ b/certs/ocsp/intermediate3-ca-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDexQQQfcIh6RJF
+2tW6KP2m9DBEoN/5cF4XJpdZXDHrE3DqSt1YPk8zFGZZaXqqkOB8xLI2wQr03z40
+bBrpK/Glkn6paHC6pGiI8+wQQGSlZH3ZHlFJnX/IzCttcSoG/+YfhCiKwe2oUvSJ
+pcB32BNmwmWlYwOYsEsFTwyEoPQtcnNr+g3hz0Un7aOMAtfumeKh8OOgrWntWeQn
+QY/v+oNzj18raIkTRibc9ihrO7K4m1IqFxvcckVz2nUkNYsAXiM3ZGoWdLju/rcR
+cb4Kc8hUwtkE0hv1U6yNKk/+M3nmXufzhtPcu0vXOX9bPGf+XohRBZbytJpFCUxR
+8GpNiCoXAgMBAAECggEAFkESRd96TE7vT2EsJru/kzUjuUdk+JM8Iw3s4rVuGzDG
+//DYqd8XpF+uVdJOucldU7mGoCeqw4mlujDug0qrikHXO28+i7au5rePZpQ4ObmP
+ROhdcIA2asXStM0wSKC5yX43Wp1C86TN3w5a6t4AGizjYKFCk7dQ10ftVTaLDhsI
+I4uuEZAHA7ruKmQp1DbE+/696kY4GUh2SXYQxee1zb/yYDvA6lGhuDW2Jev+4v4l
++1LZq8E2bE4GsmiLEALiHAdGvOrkZ5MUkiHVTnhGz7THK0OMj/4dJlNCwusyO+O5
+4Zr2LJQ2rnAtVGdtKuVsgwHwQBPpV9bJPkDXEzlXUQKBgQD38kxnjJ5nv0plMA+E
+QViItp0qgQeXX18YTlh8yicqVe+t9kKnHm1tqZx/djvvR/51p0SkMfWNvMn8JYXa
+dfT3ZX0djrzR9o6FgR8rL+LmPg6jyIn71wBqmMf7A6WQVYuG7fQk3IJNtx52BKcS
+f8r2tsdPX8d/FBsCn3m/ZxaEyQKBgQDmAV5xxTbJKdea5pfH33BOCp6HTqSYgf4Y
+/5GEO0YLmQoBXAKbX+zcAeiaOt5WvLQgw7LfkznitPlxCkpHr9VcgVarlEjXHa7y
+SeJfik5cIFbMZtXqaQ/DIUvOTgnb/ngLxEdrzX4JUnlv/z1BEhWvEYaHn0asEsc4
+zbbcKoEH3wKBgQDRisobcPGmSDm9TmKuqPMDhyFH/IfH2+foCL4rqER1OO84G7i0
+t7hPR1plNizsyfE4yUXvZfFZ+cTR/Xwj5jBCrFiSlEDrSO2l0jvfKbceUi/ZJu/G
+ECvf6oKHlstjMYibXZpJVLoip7Fsl/4CWlHTMyE56X4V3Y3+J3yiz6JuUQKBgDPS
+byMXGibs5IUkG2KPN1B+GAXIdFFgSI39Vx4B9OA8FQMFZhj33fgb/fpx9RJ55ePT
+9ANnuo0X1XPgq6fHOD1lbs+t01OUfoxclUKNeOZM6wGW0e/EyCZg5CGRd6s3hHiy
+Op1RaWpUSMQxL+3vUy9ktXjtLBEtEfH8d4zXjsblAoGBAMPAdSskbG+upEYcNR2O
+++R9X8BkWhaTDqkAuygsGJDomIgH89wROdlTnsi5LXe/r3uCocRC+M1ChRXm7Zqs
+81QjVdls6HVZu5rG82S8itqdXHOXCajb1ls+lNiu7/9tPJVmpYfjfjD4/QHV0vF/
+FqdfthIOUXePjrAKccJDiJIk
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/ocsp-responder-cert.pem b/certs/ocsp/ocsp-responder-cert.pem
new file mode 100644
index 000000000..9e76a90f8
--- /dev/null
+++ b/certs/ocsp/ocsp-responder-cert.pem
@@ -0,0 +1,182 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 4 (0x4)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL OCSP Responder/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:b8:ba:23:b4:f6:c3:7b:14:c3:a4:f5:1d:61:a1:
+ f5:1e:63:b9:85:23:34:50:6d:f8:7c:a2:8a:04:8b:
+ d5:75:5c:2d:f7:63:88:d1:07:7a:ea:0b:45:35:2b:
+ eb:1f:b1:22:b4:94:41:38:e2:9d:74:d6:8b:30:22:
+ 10:51:c5:db:ca:3f:46:2b:fe:e5:5a:3f:41:74:67:
+ 75:95:a9:94:d5:c3:ee:42:f8:8d:eb:92:95:e1:d9:
+ 65:b7:43:c4:18:de:16:80:90:ce:24:35:21:c4:55:
+ ac:5a:51:e0:2e:2d:b3:0a:5a:4f:4a:73:31:50:ee:
+ 4a:16:bd:39:8b:ad:05:48:87:b1:99:e2:10:a7:06:
+ 72:67:ca:5c:d1:97:bd:c8:f1:76:f8:e0:4a:ec:bc:
+ 93:f4:66:4c:28:71:d1:d8:66:03:b4:90:30:bb:17:
+ b0:fe:97:f5:1e:e8:c7:5d:9b:8b:11:19:12:3c:ab:
+ 82:71:78:ff:ae:3f:32:b2:08:71:b2:1b:8c:27:ac:
+ 11:b8:d8:43:49:cf:b0:70:b1:f0:8c:ae:da:24:87:
+ 17:3b:d8:04:65:6c:00:76:50:ef:15:08:d7:b4:73:
+ 68:26:14:87:95:c3:5f:6e:61:b8:87:84:fa:80:1a:
+ 0a:8b:98:f3:e3:ff:4e:44:1c:65:74:7c:71:54:65:
+ e5:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 32:67:E1:B1:79:D2:81:FC:9F:23:0C:70:40:50:B5:46:56:B8:30:36
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Extended Key Usage:
+ OCSP Signing
+ Signature Algorithm: sha256WithRSAEncryption
+ 0a:4e:f7:89:58:26:5f:35:b7:ee:45:2f:2a:a6:ac:37:93:c8:
+ a8:97:74:6e:64:60:c0:6e:0e:1d:3c:f2:f5:b4:6e:c7:40:c2:
+ a5:3a:e1:f5:de:7e:73:df:f8:e6:a6:58:2b:bf:4b:8e:0c:fa:
+ 6f:08:b6:27:da:ad:21:d1:a5:c1:97:1e:fb:5b:06:c7:d5:dc:
+ 8d:1a:e3:cc:b2:c0:e6:54:f5:dc:b7:58:1a:eb:84:6e:14:c3:
+ 9a:57:f1:16:c6:ea:f0:e5:5f:e7:cb:f8:d0:86:73:c8:87:83:
+ d5:91:9d:6d:16:01:f7:8d:84:5e:f4:8d:17:f5:30:a8:94:36:
+ 4c:2e:33:03:ca:06:17:f0:51:5f:db:ea:65:3f:1f:bb:f6:50:
+ 26:ac:36:78:3a:8d:03:ab:7d:f9:32:d6:38:7e:6b:3c:93:49:
+ df:18:d2:5b:25:b6:70:f7:83:a8:b1:18:b8:85:53:c7:b6:be:
+ fe:30:b8:78:8a:e3:ec:6b:48:ce:41:f5:56:da:52:2a:9f:c9:
+ 40:62:d3:44:f7:2d:aa:94:94:fa:3e:0f:59:3a:2f:06:92:4f:
+ d5:3f:2c:3c:0e:79:b7:7c:9f:34:ca:9c:b5:ce:6b:b1:8e:40:
+ 3a:6f:76:3d:de:18:c9:a5:1a:bb:68:19:2b:7a:58:22:67:8b:
+ 8d:48:b1:f7
+-----BEGIN CERTIFICATE-----
+MIIEvjCCA6agAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBnjELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZ3b2xmU1NMIE9DU1Ag
+UmVzcG9uZGVyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuLojtPbDexTDpPUdYaH1HmO5hSM0
+UG34fKKKBIvVdVwt92OI0Qd66gtFNSvrH7EitJRBOOKddNaLMCIQUcXbyj9GK/7l
+Wj9BdGd1lamU1cPuQviN65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMx
+UO5KFr05i60FSIexmeIQpwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew
+/pf1HujHXZuLERkSPKuCcXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gE
+ZWwAdlDvFQjXtHNoJhSHlcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQAB
+o4IBCjCCAQYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUMmfhsXnSgfyfIwxwQFC1Rla4
+MDYwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2kgZowgZcx
+CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0
+dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG
+A1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz
+c2wuY29tggFjMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB
+AQAKTveJWCZfNbfuRS8qpqw3k8iol3RuZGDAbg4dPPL1tG7HQMKlOuH13n5z3/jm
+plgrv0uODPpvCLYn2q0h0aXBlx77WwbH1dyNGuPMssDmVPXct1ga64RuFMOaV/EW
+xurw5V/ny/jQhnPIh4PVkZ1tFgH3jYRe9I0X9TColDZMLjMDygYX8FFf2+plPx+7
+9lAmrDZ4Oo0Dq335MtY4fms8k0nfGNJbJbZw94OosRi4hVPHtr7+MLh4iuPsa0jO
+QfVW2lIqn8lAYtNE9y2qlJT6Pg9ZOi8Gkk/VPyw8Dnm3fJ80ypy1zmuxjkA6b3Y9
+3hjJpRq7aBkrelgiZ4uNSLH3
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/ocsp-responder-key.pem b/certs/ocsp/ocsp-responder-key.pem
new file mode 100644
index 000000000..61c5616a9
--- /dev/null
+++ b/certs/ocsp/ocsp-responder-key.pem
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAuLojtPbDexTDpPUdYaH1HmO5hSM0UG34fKKKBIvVdVwt92OI
+0Qd66gtFNSvrH7EitJRBOOKddNaLMCIQUcXbyj9GK/7lWj9BdGd1lamU1cPuQviN
+65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMxUO5KFr05i60FSIexmeIQ
+pwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew/pf1HujHXZuLERkSPKuC
+cXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gEZWwAdlDvFQjXtHNoJhSH
+lcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQABAoIBAGI2tR1VxYD+/TYL
+DGAIV+acZtqeaQYKMf8x++eG4SrQo6/QP8HDFFqzO0yV2SC0cRtJZ5PzCHxCRSaG
+Nd8EL2NMWOazUwW0c/yLtTypOPSeg2Mf+3SwLvgxOZ9CbFQ8YAJi+vbNOPLGCijL
+N0HWEkcC1P1kWWgKCWIloR7eEt0IQOb5PPSCu3buq/rForb6qUf+L+ESpWed6bnc
+uhIrHDuQ/PopW05fW1r61zI286wKdLRyatQsljNqPvVdFVhtCKqCqMHdIzMg2cbh
+q9DJMWc/KLjzBk6YPMZKm/4k4RXj+IwS+iITbpUNrhYj2TMevBMPW3AIRobD823D
+ehQv+rECgYEA3CWL+G9zJ5PXRDAdQ69lN+CE/Uf9444CN5idMO+qRQ+QE8hWYT/U
+PFH/aUgd1k3WJZseR/GTWx29VsRPSDWZXzwzLfUNKnqvp0b2oZe/EdYiRSo8OCPp
+kF07HbTKe4Cyma7HdgDkNkS+UW5JujnuLcuee+wTq6xU0289juwFBc8CgYEA1s/d
+VtwXqBf3qMxfi+eMa77fqxptAFGtZNKNkYwX42Ow6Hehj8EnoPqYEF+9MzKn/BFh
+ROnQ76axKBN8mkRUjpv7d2+zMlDnGrWul8q6VrfGiU2P7jd4L6GY/V1MYktnIBsd
+Ld/jW8P0FFfI2RIREPWdrATxBhQpTJfXd/7rLncCgYB1wrvyBCQUSrg/KIGvADbj
+wf1Bw23jeMZk2QVU9Q8e7ClE+8iBMvSj47T9q28SgQaJjUWQdIA/oFP1AwPp+4n0
+cK5r6gbF72Tg1Uv+ur6hmuswFlyqJ0O8TrLdvCUIFZr0LJNT4zwwb2tjAdz8ehqX
+crFvVqRbE884XuwN9ODm7wKBgQDIEnKlI/kkpq4UmcWkGNXAxNauFr7PPUOyVCln
+FoRpVcC/xCzGJ7ExTjWzing950BulgFynhPsIeV+3id/x4S6Dq34YCEXDCMzzWQA
+HOHRQvm3iHY1+ZQHSQulb/Bk3LYAQUC8KXspTSlYiSqYgytCEIH6Zd/XOY/9tq8J
+JHUHoQKBgHYIB2mRCuDK5C3dCspdPVeAUqptK1nnXxWY/MXA6v+M4wFsIxV7Iwg7
+HEjeD5yKH4619syPCFz3jrCxL0oJqVTD2tnrbLf8idEt2eaV/3o2mUGFjvWpTywg
+F8DewhrGh6z7FWHp4cMrxpq1hkdi6k+481T1GKBJ1zBSTzskTHQB
+-----END RSA PRIVATE KEY-----
diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh
new file mode 100755
index 000000000..d0aa0b953
--- /dev/null
+++ b/certs/ocsp/ocspd0.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22220 -nmin 1 \
+ -index certs/ocsp/index0.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/root-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh
new file mode 100755
index 000000000..91448c004
--- /dev/null
+++ b/certs/ocsp/ocspd1.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22221 -nmin 1 \
+ -index certs/ocsp/index1.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate1-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh
new file mode 100755
index 000000000..a7748b337
--- /dev/null
+++ b/certs/ocsp/ocspd2.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22222 -nmin 1 \
+ -index certs/ocsp/index2.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate2-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/ocspd3.sh b/certs/ocsp/ocspd3.sh
new file mode 100755
index 000000000..3e53ceb71
--- /dev/null
+++ b/certs/ocsp/ocspd3.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+openssl ocsp -port 22223 -nmin 1 \
+ -index certs/ocsp/index3.txt \
+ -rsigner certs/ocsp/ocsp-responder-cert.pem \
+ -rkey certs/ocsp/ocsp-responder-key.pem \
+ -CA certs/ocsp/intermediate3-ca-cert.pem \
+ $@
diff --git a/certs/ocsp/openssl.cnf b/certs/ocsp/openssl.cnf
new file mode 100644
index 000000000..c518d33a5
--- /dev/null
+++ b/certs/ocsp/openssl.cnf
@@ -0,0 +1,42 @@
+#
+# openssl configuration file for OCSP certificates
+#
+
+# Extensions to add to a certificate request (intermediate1-ca)
+[ v3_req1 ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+authorityInfoAccess = OCSP;URI:http://127.0.0.1:22221
+
+# Extensions to add to a certificate request (intermediate2-ca)
+[ v3_req2 ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222
+
+# Extensions to add to a certificate request (intermediate3-ca)
+[ v3_req3 ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223
+
+# Extensions for a typical CA
+[ v3_ca ]
+basicConstraints = CA:true
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+keyUsage = keyCertSign, cRLSign
+authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220
+
+# OCSP extensions.
+[ v3_ocsp ]
+basicConstraints = CA:false
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer:always
+extendedKeyUsage = OCSPSigning
diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh
new file mode 100755
index 000000000..cdbabdf81
--- /dev/null
+++ b/certs/ocsp/renewcerts.sh
@@ -0,0 +1,56 @@
+#!/bin/sh
+
+openssl req \
+ -new \
+ -key root-ca-key.pem \
+ -out root-ca-cert.csr \
+ -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com"
+
+openssl x509 \
+ -req -in root-ca-cert.csr \
+ -extfile openssl.cnf \
+ -extensions v3_ca \
+ -days 1000 \
+ -signkey root-ca-key.pem \
+ -set_serial 99 \
+ -out root-ca-cert.pem
+
+rm root-ca-cert.csr
+openssl x509 -in root-ca-cert.pem -text > tmp.pem
+mv tmp.pem root-ca-cert.pem
+
+# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial
+function update_cert() {
+ openssl req \
+ -new \
+ -key $1-key.pem \
+ -out $1-cert.csr \
+ -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com"
+
+ openssl x509 \
+ -req -in $1-cert.csr \
+ -extfile openssl.cnf \
+ -extensions $4 \
+ -days 1000 \
+ -CA $3-cert.pem \
+ -CAkey $3-key.pem \
+ -set_serial $5 \
+ -out $1-cert.pem
+
+ rm $1-cert.csr
+ openssl x509 -in $1-cert.pem -text > $1_tmp.pem
+ mv $1_tmp.pem $1-cert.pem
+ cat $3-cert.pem >> $1-cert.pem
+}
+
+update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01
+update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02
+update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED
+
+update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04
+
+update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05
+update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 # REVOKED
+update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07
+update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED
+update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09
diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem
new file mode 100644
index 000000000..b62a03c7a
--- /dev/null
+++ b/certs/ocsp/root-ca-cert.pem
@@ -0,0 +1,93 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/root-ca-key.pem b/certs/ocsp/root-ca-key.pem
new file mode 100644
index 000000000..a7cbcbb60
--- /dev/null
+++ b/certs/ocsp/root-ca-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrLLQvHQYJ704p
+hoR+zL+meXzwwMFkJYx1txAFykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRx
+kK3MBbmfFccKP19p9ApfjHG1LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4
+hc0BiKzFsrFZuM1a9AkJOJvaWs/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4
+yHDM4WcGsysvk7Vpz4N+iFObD0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tb
+ipKXrf2XuXXKwtRFfRdrzS/zY3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsV
+roxb+ZmBAgMBAAECggEAd0Qjm3wOfBeYD0jhwnOoyTZ2vkyfssaS0mYlrNMfaM12
+iqYBELQo5miReaHZ5ZfYCweNX8guVUAkMCiNX81RYy3KTDKRqYJXQ/HYPFMcXXP2
+7Ja6jMfub1FXJ1xULtJs/5XilVwxad1ZgHbBu2LedrUl6wzfUJMeRKWDuiVyCzpK
+J2+F1iVH+whBI/eN8qopHM4JeR0W9k7rFJayQZ9iAIfrl2In1hTay9S7HCEdmWz/
+BVI818QXsgCuulR9G2erS0gS181P090YcZeuzh5YfvAnzn7m8BTboJojix5pkfQt
+gM5E7YD4nYU1V796P2cfAaMJoQyCW4NSn+kwgLT5rQKBgQDXnHvs/fk+gxFiBt/U
+tRfU+iUoiMofrcAZswMBvOZVy40RbtxuNXwnGo9+Bko7XVKekVO6TGUyPSpv1VXR
+QCjlk+PsXyx0DD2+Hb3r69wXJ3Wfxe0K+p6CHIuspJUmNrHdpJOBTO8GbHNxuaD/
+kDJvBq+ZkXEKUm9a5BeU5WiwMwKBgQDLPUkr+Mm2pJIIEBF8z3Lr3bWIbZsinxhM
+ErQRAQC0J+oBj1kuUoXYoh1hzQK/E90bM2fRUMhgVGIBvwDMv0c+Z2Fb6zK0r3mP
+dOLYGOrfavl/f7zhd4TjzPkAF1fbbYbciFQIWW3//q8PXY68eKvwrhGqT+CCwLef
+tWC3xrpLewKBgQC7Ht7abgxa+UsjxQ2Kv+O//Zw0EotAdP2sEBUC9Br+yJpUT99U
+cmyeT0nLONBBtxtV7JA6tcR5lmX3CrHg2Yrku7XqVSrySBFppsxGLLslCSTnFdJE
+Xf8ksntxyKB8uqkgz40IgWlMLOEACPc19MIgYzAQ2g29xI9J1Xy1x2dUywKBgBFo
+HVU7yKLw82TnY2gKKHCVG5Akuw27DIyvaWavbE0BwiQCEARMoxQLxnJy6ZJN9Dj5
+LSIbRh4h/AbkQgBHPaXVmtwRh9U71jB4NVmGwM8DzXyjBx1UbDhKfOUKGsc7WTqY
+HoJcjnRHbtzlCW2Q9ED316F7l+H6+X8fPLpgteHzAoGARc6B/pWJWkUVM87ObGmr
+hiA5YByyC6Rq8HyFEeXiS2fiQPfQF0UC9Qxq9/CBkezb8v+Yb/UT4ieL26c270s5
+JkyYqMoBLgkOKG6nPDD4hxoR24cFmC090RNQOhwwHskh+KjVmf3c/m9wNBSdHTpt
+URu+xdmbaoKaH9dIJMUKasc=
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem
new file mode 100644
index 000000000..1226f27aa
--- /dev/null
+++ b/certs/ocsp/server1-cert.pem
@@ -0,0 +1,279 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 5 (0x5)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:e6:96:55:75:cf:8a:97:68:8c:b6:38:f6:7a:05:
+ be:33:b6:51:47:37:8a:f7:db:91:be:92:6b:b7:00:
+ 8c:f2:c5:24:6e:18:e9:92:00:81:01:dc:b3:4c:28:
+ a9:b7:80:f1:96:cf:23:7a:2f:ae:f8:e3:0f:2d:d3:
+ 5e:23:e7:db:4c:b2:5d:89:16:17:be:be:81:db:fb:
+ 12:6d:28:4b:10:a0:12:04:27:c1:c9:d0:79:95:ef:
+ e8:8d:8c:59:9b:4e:72:7d:bc:49:2b:22:4e:f8:4f:
+ e2:0c:f1:e9:e9:97:f9:df:8c:5a:0a:aa:38:1d:43:
+ 04:a3:a7:89:a1:e2:83:a4:4b:b5:4e:45:88:a6:22:
+ 5d:ac:a9:58:67:88:c1:d5:61:ef:bd:11:05:27:94:
+ 47:bb:33:a5:8a:ca:ee:1f:8d:c0:6e:24:af:cd:ca:
+ bf:80:47:71:95:ac:a9:f1:5d:23:6c:f5:4b:b4:a9:
+ e1:c4:66:fb:e5:c4:a1:9f:a7:51:d1:78:cd:2e:b4:
+ 3f:2e:e2:82:f3:7f:c4:a7:f4:31:cf:76:27:3f:db:
+ 2e:d2:6e:c3:47:23:82:a3:48:40:8c:a7:c1:13:f0:
+ 63:50:54:43:f6:71:12:e1:6f:a5:7a:58:26:f7:fd:
+ 8b:3b:70:18:a0:43:ba:01:6b:b3:f8:d5:be:05:13:
+ 64:31
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ CC:55:15:00:E2:44:89:92:63:6D:10:5D:B9:9E:73:B6:5D:3A:19:CA
+ X509v3 Authority Key Identifier:
+ keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:01
+
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22221
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 05:65:8d:f5:fa:47:b1:4d:b9:9b:86:b0:18:9d:c8:94:64:7d:
+ 16:5e:69:69:bb:62:06:9d:8c:be:4f:83:22:f1:0a:7d:ae:f5:
+ ca:68:78:63:b2:bc:43:12:4f:d3:eb:ce:30:82:d6:be:81:c0:
+ 68:f4:3b:97:5f:3a:2c:88:62:36:0b:83:1d:ba:56:b1:06:65:
+ cd:4d:ac:1d:92:3f:73:77:10:5b:17:44:1f:66:cf:a8:f2:1f:
+ 18:29:c0:5f:20:b6:cb:15:d4:35:b1:b0:a6:41:a8:6e:f0:29:
+ 83:28:3b:4a:68:e5:b7:42:2f:b4:8a:96:ed:65:84:de:0b:72:
+ 6f:2b:91:10:56:7f:cd:89:5e:22:30:cc:5a:df:39:88:a9:ea:
+ af:1d:ba:9a:8a:3d:61:a6:c7:45:2d:ce:9f:76:f9:b2:45:9d:
+ 19:68:5d:e7:d6:3e:32:0e:65:83:79:63:81:0e:b5:44:51:47:
+ 9c:a7:6a:c1:5a:04:36:f3:b9:be:4d:76:80:55:2a:76:cd:61:
+ 15:c1:1a:5f:1f:62:b5:0f:ad:7f:48:66:81:eb:7a:04:b4:0a:
+ 92:a4:40:ff:bf:59:34:86:5c:1b:79:10:b4:d4:09:fa:45:3d:
+ 4f:bf:4c:30:b3:18:f2:b9:e9:8d:7c:5f:c0:67:ea:94:fb:ac:
+ 2e:90:ef:0d
+-----BEGIN CERTIFICATE-----
+MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
+IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
+MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOaWVXXPipdojLY49noFvjO2
+UUc3ivfbkb6Sa7cAjPLFJG4Y6ZIAgQHcs0woqbeA8ZbPI3ovrvjjDy3TXiPn20yy
+XYkWF76+gdv7Em0oSxCgEgQnwcnQeZXv6I2MWZtOcn28SSsiTvhP4gzx6emX+d+M
+WgqqOB1DBKOniaHig6RLtU5FiKYiXaypWGeIwdVh770RBSeUR7szpYrK7h+NwG4k
+r83Kv4BHcZWsqfFdI2z1S7Sp4cRm++XEoZ+nUdF4zS60Py7igvN/xKf0Mc92Jz/b
+LtJuw0cjgqNIQIynwRPwY1BUQ/ZxEuFvpXpYJvf9iztwGKBDugFrs/jVvgUTZDEC
+AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMxVFQDiRImSY20QXbme
+c7ZdOhnKMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa
+MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
+GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB
+AQAFZY31+kexTbmbhrAYnciUZH0WXmlpu2IGnYy+T4Mi8Qp9rvXKaHhjsrxDEk/T
+684wgta+gcBo9DuXXzosiGI2C4MdulaxBmXNTawdkj9zdxBbF0QfZs+o8h8YKcBf
+ILbLFdQ1sbCmQahu8CmDKDtKaOW3Qi+0ipbtZYTeC3JvK5EQVn/NiV4iMMxa3zmI
+qeqvHbqaij1hpsdFLc6fdvmyRZ0ZaF3n1j4yDmWDeWOBDrVEUUecp2rBWgQ287m+
+TXaAVSp2zWEVwRpfH2K1D61/SGaB63oEtAqSpED/v1k0hlwbeRC01An6RT1Pv0ww
+sxjyuemNfF/AZ+qU+6wukO8N
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
+ a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
+ bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e:
+ 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1:
+ 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90:
+ d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a:
+ e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e:
+ 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64:
+ 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24:
+ 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4:
+ c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b:
+ 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56:
+ f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2:
+ d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4:
+ bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd:
+ 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f:
+ 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc:
+ 97:7f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1:
+ 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7:
+ 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8:
+ 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1:
+ e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17:
+ 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b:
+ 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2:
+ af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6:
+ 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7:
+ 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56:
+ 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7:
+ a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c:
+ 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75:
+ 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8:
+ bb:4b:1f:aa
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl
+xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV
+1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2
+lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt
+ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7
+f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi
+KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9
+jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg
+iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw
+0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC
+LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt
+JMjGmMN/2B1Pxa7gso71qLtLH6o=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/server1-key.pem b/certs/ocsp/server1-key.pem
new file mode 100644
index 000000000..e44f63129
--- /dev/null
+++ b/certs/ocsp/server1-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDmllV1z4qXaIy2
+OPZ6Bb4ztlFHN4r325G+kmu3AIzyxSRuGOmSAIEB3LNMKKm3gPGWzyN6L6744w8t
+014j59tMsl2JFhe+voHb+xJtKEsQoBIEJ8HJ0HmV7+iNjFmbTnJ9vEkrIk74T+IM
+8enpl/nfjFoKqjgdQwSjp4mh4oOkS7VORYimIl2sqVhniMHVYe+9EQUnlEe7M6WK
+yu4fjcBuJK/Nyr+AR3GVrKnxXSNs9Uu0qeHEZvvlxKGfp1HReM0utD8u4oLzf8Sn
+9DHPdic/2y7SbsNHI4KjSECMp8ET8GNQVEP2cRLhb6V6WCb3/Ys7cBigQ7oBa7P4
+1b4FE2QxAgMBAAECggEBAMcAl2DFbOae5FGfd5h3vF8EycCcvuKKLI4775pQb1RV
+r8sU1P+cT7o7rsHblh04u0dcHVImNOu3ijISaPyz7R+UEAVve66y23/uf0iVrbL7
+cpEDfsudkFFGa30901elrEm3Za5EPcMvrfdeEHH5Jz02876giS032ZkjzjRYOSRg
+TuFhiqjRTMfE6AB63KSRWcb6AYEocHV/jF+IEQcz9ctsv6XKKKJtge4+Y3+gQU4N
+ALUE6OjBsD5KpMVuMYBSfTucYi5g2eOK05PoCOR8lTqgvsbof+ALj+84zEpG20aK
+p0KdMVwiMolXaYcvKBOGPxZKt7sQaIMitbs0iuErMQECgYEA+cLVZh4qkRnsjPVc
+/27qC/VLeWo2QAL7TWC7YgkY0MgNtZXRkJZdKOlzYWo/iJmuxHj7eUFLkoHpPNV2
+X6WG+CGHD1qq/BqLQNlJKS/MtI2VNzOjBJ/J3SktOGo3BwL+Q5uSRNHukQip0YnD
+c9GCU4UhfBHr/UNitMBH6N5aPqUCgYEA7FjjTGomVseF5wNbfw2xLjBmRuQ2DDgJ
+/OvCtV6it+OiVU9R+cYcz/hVl1QLIkGBHt5hb8O6np4tW5ehKd5LNTtolIO+/BLL
+2xPZCLY7U+LES5dgUTC/wb5t5igAmPuOMi9qNQ1kYxbKYJVLRUdwfOM8FNE4gjZF
+kj2BIb6OxZ0CgYEAmuXXvWZ2FdmTGHTPwWdDZjkyHtHdZWO0AXA9pnZn2oxH3FdX
+SinHCymFsmPXlVtixV0W8UOqn+lMAruMl5MsGtWIUuBzbLj1pjlcI1wOw+ePJFY1
+AxgqdKwl7HgLOqEDmmBwnZfpMi/CSj77ZegIwM2vT6g5yK+zFtCtiGHmbDUCgYBf
+L2VLbyzFolGBOk7tGnyTF5b5UguaXC9ZlzGxjc2Gtby5Etr29xy/fUorSgO55hu0
+bOdc9b0BCL9HtgeILyim5ag2t+CA8Kj9MD8mTQ4TuK5Jq0t1J2bzBliIau/irN0V
+xRbHCv+1EIas4zOPUTgyc+nMkH5roqPeQ7rv9ijV2QKBgQDJiNmAJv3dlie2x+bj
+rX5RDF1Q/egVVGx41jPyuzh0oFLwEQG2lSHEAKgF+gWt0ZMwNzPB9oue2LBSpNFl
+7ZdpFCpzD+3OcaxnWYEGT+qNhczbf0PvVNBOzOI33Trr7maktWi0Mh9qmXqoNuwG
+uCnrEriJlBk2MV88tIG/ZJ+bvQ==
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem
new file mode 100644
index 000000000..51c56fd40
--- /dev/null
+++ b/certs/ocsp/server2-cert.pem
@@ -0,0 +1,279 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 6 (0x6)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:c6:35:8a:e8:aa:bd:33:c9:5e:84:43:67:42:65:
+ 2a:3c:e3:89:b4:a6:67:a1:3b:ee:6d:85:d1:d3:2b:
+ 6e:b1:62:d4:f1:22:43:a0:d5:b7:a5:7d:b5:f5:6c:
+ 09:06:7c:8c:ef:87:af:4f:34:ce:27:eb:f3:4a:37:
+ 57:c3:d7:d8:ee:e4:a0:77:65:2c:a7:c2:10:65:6b:
+ 7b:48:c4:d8:28:fe:4c:4e:4f:7e:2f:20:c4:49:5b:
+ 71:38:40:0d:36:a3:57:b3:44:da:be:cd:54:14:15:
+ 66:0f:d3:05:08:f2:2e:03:67:2e:5c:5d:e1:b0:e6:
+ c0:25:8f:58:77:5b:d3:d7:a8:22:ea:56:d3:0e:01:
+ 6d:38:34:56:47:aa:12:c4:ba:2a:ef:ec:18:f5:d4:
+ db:b9:fa:6f:dc:50:eb:ee:10:a2:14:b5:9a:12:e1:
+ e3:85:0f:79:14:b8:70:6d:0d:1c:1d:38:57:85:6a:
+ 82:0c:d6:bd:2c:bf:20:f1:28:2e:f6:34:80:a7:0d:
+ 32:82:35:4f:c1:b1:e5:9e:26:d5:f8:b9:39:57:43:
+ ef:ed:f1:10:5c:3e:32:ba:d9:e4:9e:40:cd:28:ea:
+ 26:46:9b:a9:34:8d:9f:b9:fd:45:7d:14:f7:ce:ca:
+ 3b:85:87:a7:64:74:9c:65:29:18:b3:f5:b1:ad:92:
+ 62:39
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 7D:6D:FD:F6:0B:4F:3F:4A:62:91:F5:F3:13:60:51:86:C3:5A:9F:D6
+ X509v3 Authority Key Identifier:
+ keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:01
+
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22221
+
+ Signature Algorithm: sha256WithRSAEncryption
+ dd:b6:17:51:62:83:8d:32:7f:2f:21:2f:0a:ea:6b:3f:f0:c9:
+ 59:9d:1e:4b:82:7d:aa:1d:6d:a8:f5:c0:20:78:a8:fd:a3:ca:
+ cb:1f:2b:99:28:97:d2:ce:71:48:95:82:ee:e4:a4:d9:32:75:
+ 7f:1d:b2:97:8d:5c:3c:96:9a:b9:4c:05:fe:d1:af:81:4a:25:
+ c5:66:a1:f3:c7:0e:f3:76:db:3d:a2:87:7e:5c:c4:0a:d3:d3:
+ 97:a1:7c:46:fc:94:2c:dc:0a:7e:a1:b2:f2:7f:c7:cb:d9:7a:
+ c2:fa:8d:5b:4a:75:c0:e4:dc:57:4b:84:2a:5a:84:35:13:7b:
+ 15:49:a0:e8:9e:d8:1d:90:a4:99:4e:a4:dd:fc:ba:d3:f5:12:
+ aa:36:f2:87:04:b4:09:04:6f:94:a1:18:3e:46:ce:ae:55:f4:
+ 0f:d8:26:ee:11:cf:d4:8e:e5:33:da:17:e2:ad:43:05:50:e2:
+ 38:c7:d2:15:18:23:f0:fa:cd:cc:b3:e9:ea:00:5a:af:29:90:
+ 6a:69:8c:ba:c8:f7:84:84:57:0d:80:b1:10:2c:bd:9d:33:42:
+ 6d:f1:58:d5:b4:6a:79:e4:26:8f:41:ef:a2:b5:84:6b:c2:6d:
+ be:5e:76:8f:29:25:13:e8:ba:dd:aa:64:3e:74:bc:90:2d:aa:
+ bb:1a:cd:c9
+-----BEGIN CERTIFICATE-----
+MIIE7jCCA9agAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
+IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
+Mi53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMY1iuiqvTPJXoRDZ0JlKjzj
+ibSmZ6E77m2F0dMrbrFi1PEiQ6DVt6V9tfVsCQZ8jO+Hr080zifr80o3V8PX2O7k
+oHdlLKfCEGVre0jE2Cj+TE5Pfi8gxElbcThADTajV7NE2r7NVBQVZg/TBQjyLgNn
+Llxd4bDmwCWPWHdb09eoIupW0w4BbTg0VkeqEsS6Ku/sGPXU27n6b9xQ6+4QohS1
+mhLh44UPeRS4cG0NHB04V4VqggzWvSy/IPEoLvY0gKcNMoI1T8Gx5Z4m1fi5OVdD
+7+3xEFw+MrrZ5J5AzSjqJkabqTSNn7n9RX0U987KO4WHp2R0nGUpGLP1sa2SYjkC
+AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFH1t/fYLTz9KYpH18xNg
+UYbDWp/WMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa
+MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
+GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB
+AQDdthdRYoONMn8vIS8K6ms/8MlZnR5Lgn2qHW2o9cAgeKj9o8rLHyuZKJfSznFI
+lYLu5KTZMnV/HbKXjVw8lpq5TAX+0a+BSiXFZqHzxw7zdts9ood+XMQK09OXoXxG
+/JQs3Ap+obLyf8fL2XrC+o1bSnXA5NxXS4QqWoQ1E3sVSaDontgdkKSZTqTd/LrT
+9RKqNvKHBLQJBG+UoRg+Rs6uVfQP2CbuEc/UjuUz2hfirUMFUOI4x9IVGCPw+s3M
+s+nqAFqvKZBqaYy6yPeEhFcNgLEQLL2dM0Jt8VjVtGp55CaPQe+itYRrwm2+XnaP
+KSUT6LrdqmQ+dLyQLaq7Gs3J
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 1 (0x1)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35:
+ a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c:
+ bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e:
+ 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1:
+ 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90:
+ d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a:
+ e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e:
+ 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64:
+ 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24:
+ 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4:
+ c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b:
+ 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56:
+ f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2:
+ d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4:
+ bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd:
+ 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f:
+ 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc:
+ 97:7f
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1:
+ 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7:
+ 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8:
+ 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1:
+ e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17:
+ 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b:
+ 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2:
+ af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6:
+ 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7:
+ 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56:
+ 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7:
+ a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c:
+ 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75:
+ 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8:
+ bb:4b:1f:aa
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl
+xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV
+1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2
+lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt
+ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7
+f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi
+KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9
+jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg
+iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw
+0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC
+LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt
+JMjGmMN/2B1Pxa7gso71qLtLH6o=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/server2-key.pem b/certs/ocsp/server2-key.pem
new file mode 100644
index 000000000..e4b6181e8
--- /dev/null
+++ b/certs/ocsp/server2-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGNYroqr0zyV6E
+Q2dCZSo844m0pmehO+5thdHTK26xYtTxIkOg1belfbX1bAkGfIzvh69PNM4n6/NK
+N1fD19ju5KB3ZSynwhBla3tIxNgo/kxOT34vIMRJW3E4QA02o1ezRNq+zVQUFWYP
+0wUI8i4DZy5cXeGw5sAlj1h3W9PXqCLqVtMOAW04NFZHqhLEuirv7Bj11Nu5+m/c
+UOvuEKIUtZoS4eOFD3kUuHBtDRwdOFeFaoIM1r0svyDxKC72NICnDTKCNU/BseWe
+JtX4uTlXQ+/t8RBcPjK62eSeQM0o6iZGm6k0jZ+5/UV9FPfOyjuFh6dkdJxlKRiz
+9bGtkmI5AgMBAAECggEAL6rWwke1gsvNyD8xiR0tQEF0b5aJW5Q/LeW95WwPjed3
+0Jnt67MaHFmUNfaKYR35Au39si2/2of7FYEjwTyatjETikMxrxKTwOBNYN2+InWt
+wjOJ5CmcKwwruVxmERrNT5aiiLp2mvHefrXAAzvC5xycYKhPS6zizuWfX+0ckEM5
+yJnl8TRTjfqExxHS1ciTY4B1w8nfWdYY/xiQW23sCPZ8toqsqAuHJjREmMcj+oer
+z8Md1tZNa0ujDy0ejSovCnqzWIi4Umg3SndhRDYKNRAFGPNQmYRM+EWEqQufMaXP
+ghD+Heb5RUPSkNW98KdjDGK4WiIeqF45tb+YQ4AvgQKBgQDt2X+FMHG/s7FAEAxA
+x6TzIcDedqwEKtO3JbaC+Q0FKwRTGwP1tGOnyqbVrw4cSlza5EvUnK8CZK9I2HFd
+qfbP3rtFCtHl9/bpVZPNkaVImzqkfmzmGJIREsCDIPu8THFNyxL2TC27VKCNsSmZ
+ui2tuxRJ6/O0DroGdvdnFL89SQKBgQDVVaZjiA5Cr1e5Eo6q3dNNeMSBfTuI90Ja
+W1OmVovp2yWYjfFFTW2B9vb4RDaRvIuykGhHgAnGKGmHtv7f0GlY7n6Qr0czvyn5
+6s+fRVIcPzEaTVnxC1g20+XHc41XdqnIOcaUjUz7oqC6g7+Y56WKdvvKitV0Lb98
+ua7ZOM6tcQKBgGWtRMY7H2VD+9HXCmXm8qy9ESYItSBS7o6soIj8zoQXD5I3SkoP
+A0sHZqqSWwXdBDTOw1vwXyA2ynfpjwzrS4cxP/0T0wbsKbE11ClcybtwIHGRWhxD
+BK4nxgRIZVTpmMYYudJwXlxmoPvxcEc3P6+0+cdgBp5CbWO2F60JQXeBAoGAHxLs
+u46z1Q7JTlHfqg/JmX0/0kS1iUvKxHKNCquMkbG0FjaGsDuI+edJLfxxnmTCTG4w
+YknKIqz8QiJrmZo33hZPJTACxQzRRm/nciGcxjSGKHif4zZt0P6od5bjPZwxOtL/
+k9/JGNYlZ0WNgO4s9LBEGMqEMPoA7F/3kfhuUmECgYEA6WzFZjs31OqTLE0vnCfL
+/b/wPeozaAyjtR/24TNkAFwP/LrBAA5gFOoL8p94ce87yXdm80x3bK6OGbNmor7c
+qT/OJgnXV1wTrKYSkFUu7LTC7DihpYy2MqyGg8xGxB4kK1IR+ROB4v3c5RkIqaGF
+lTSpXFge771NjCimucIOl/Y=
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem
new file mode 100644
index 000000000..7f1873535
--- /dev/null
+++ b/certs/ocsp/server3-cert.pem
@@ -0,0 +1,279 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 7 (0x7)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:be:19:65:1e:17:39:d4:33:fc:97:64:69:80:51:
+ fb:6c:7c:ca:e1:ba:2a:ab:d2:dd:30:61:f3:2e:47:
+ c1:d4:33:c0:ff:53:21:ba:2d:14:a6:b9:7c:66:ca:
+ 45:7b:1c:7d:8f:fc:75:f3:9a:69:f1:6c:25:46:a0:
+ 92:5d:00:93:e3:22:a6:60:b9:97:05:37:7f:a1:aa:
+ cd:22:81:72:b1:22:47:3d:7c:8d:46:55:bc:32:4d:
+ d2:84:43:5c:15:43:07:22:70:36:39:93:1b:e8:a1:
+ 46:bb:02:85:ba:1d:31:ac:b1:3c:84:5b:eb:8f:1f:
+ 62:8a:71:52:9e:0b:63:b6:e6:d6:46:cc:19:06:d6:
+ bb:06:81:e4:0b:25:14:6c:63:94:70:1a:27:37:95:
+ 24:40:07:30:f5:24:73:c3:bd:f9:0e:5f:b6:cd:4f:
+ 18:88:f0:d7:a3:9b:f5:b0:1e:fe:04:03:a5:8d:73:
+ f7:6b:31:74:85:fd:61:fa:9e:53:37:75:90:e6:f8:
+ b5:98:66:e8:52:4d:4a:4c:39:05:65:c1:34:f9:c6:
+ 95:27:b0:07:c1:51:96:a8:82:1b:22:cf:41:df:de:
+ b4:94:b7:0d:ba:61:fb:f4:40:7c:a1:fc:a2:29:a3:
+ 47:4d:b4:94:9d:7b:51:ec:e4:13:fb:cd:e9:26:ca:
+ a7:93
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ C1:CD:C0:2C:34:F4:3B:BB:E3:CA:98:35:7D:6A:15:33:94:5C:11:3A
+ X509v3 Authority Key Identifier:
+ keyid:05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:02
+
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22222
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 3a:2f:11:d6:45:96:cc:68:80:ed:dd:25:1f:1c:b2:b2:c8:42:
+ 71:11:ed:3b:f8:69:73:d3:bc:49:38:0e:5f:f8:bb:a1:69:a0:
+ fe:bd:a0:6f:c2:68:74:4c:c8:c0:cc:00:83:6b:b2:c3:15:3c:
+ bb:08:51:3e:2a:36:2e:f7:48:00:a0:74:11:b7:db:00:56:82:
+ 52:17:94:b1:a6:a8:82:c7:33:ac:20:ef:3d:93:e2:56:01:62:
+ 99:d4:c4:8e:4b:4d:bf:36:1e:f7:bb:83:85:81:6d:46:fb:8d:
+ c2:12:99:87:ae:7a:fd:83:3c:df:7b:51:12:79:44:4f:df:17:
+ 74:d5:d9:ab:19:d3:49:8b:33:4c:82:e4:83:1a:4d:fa:d3:84:
+ ea:37:86:58:77:93:41:2e:f9:30:3a:09:d6:72:3a:aa:d8:e7:
+ 13:f6:2f:80:7a:47:fc:c8:c2:98:34:07:ca:ed:21:c5:3f:21:
+ fb:f2:1a:4c:cb:ff:fb:db:7d:6c:1b:f2:4a:1d:58:43:8f:58:
+ 3c:c8:de:80:c8:79:fa:0a:97:a1:02:a8:5b:b6:96:ed:b7:24:
+ 9e:ac:79:b6:e1:e6:3f:f1:66:8e:4d:22:47:a2:df:90:f2:d1:
+ 0a:3c:be:bb:ce:34:46:e5:c2:13:50:e9:8c:49:e7:31:51:73:
+ c3:b1:b5:03
+-----BEGIN CERTIFICATE-----
+MIIE7jCCA9agAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
+IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
+My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4ZZR4XOdQz/JdkaYBR+2x8
+yuG6KqvS3TBh8y5HwdQzwP9TIbotFKa5fGbKRXscfY/8dfOaafFsJUagkl0Ak+Mi
+pmC5lwU3f6GqzSKBcrEiRz18jUZVvDJN0oRDXBVDByJwNjmTG+ihRrsChbodMayx
+PIRb648fYopxUp4LY7bm1kbMGQbWuwaB5AslFGxjlHAaJzeVJEAHMPUkc8O9+Q5f
+ts1PGIjw16Ob9bAe/gQDpY1z92sxdIX9YfqeUzd1kOb4tZhm6FJNSkw5BWXBNPnG
+lSewB8FRlqiCGyLPQd/etJS3Dbph+/RAfKH8oimjR020lJ17UezkE/vN6SbKp5MC
+AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMHNwCw09Du748qYNX1q
+FTOUXBE6MIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8XoYGdpIGa
+MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
+GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB
+AQA6LxHWRZbMaIDt3SUfHLKyyEJxEe07+Glz07xJOA5f+LuhaaD+vaBvwmh0TMjA
+zACDa7LDFTy7CFE+KjYu90gAoHQRt9sAVoJSF5SxpqiCxzOsIO89k+JWAWKZ1MSO
+S02/Nh73u4OFgW1G+43CEpmHrnr9gzzfe1ESeURP3xd01dmrGdNJizNMguSDGk36
+04TqN4ZYd5NBLvkwOgnWcjqq2OcT9i+Aekf8yMKYNAfK7SHFPyH78hpMy//7231s
+G/JKHVhDj1g8yN6AyHn6CpehAqhbtpbttySerHm24eY/8WaOTSJHot+Q8tEKPL67
+zjRG5cITUOmMSecxUXPDsbUD
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4:
+ 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7:
+ 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6:
+ 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77:
+ 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db:
+ 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb:
+ ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98:
+ 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1:
+ 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a:
+ 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52:
+ 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d:
+ f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35:
+ cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36:
+ a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f:
+ 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55:
+ f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96:
+ aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff:
+ d9:99
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1d:d6:14:6c:f5:cc:f9:c9:0d:c4:27:c1:50:49:ab:d7:39:6e:
+ 86:31:cf:67:99:c0:5d:37:d0:14:ee:d8:e3:da:17:a5:82:c2:
+ 25:86:33:28:0d:f6:ca:6b:7a:c7:72:f1:d8:b9:20:27:ee:0c:
+ 7d:77:e5:8b:03:46:9a:f8:99:6a:8e:57:1a:c9:a2:b1:79:d6:
+ b6:b6:e5:1a:39:80:2e:88:2b:17:c8:b9:36:37:38:58:8a:f0:
+ 62:68:97:25:b5:7a:62:5c:4d:22:2c:30:62:0c:11:f0:4d:70:
+ 95:c7:2d:9e:ab:c5:ef:2e:a4:29:25:8b:e2:e4:d2:9d:2c:5e:
+ 60:79:36:98:13:a8:38:6c:00:0d:6a:f0:11:3c:3f:d8:f9:6b:
+ 16:d1:61:f9:db:53:56:02:43:56:a8:01:3b:88:77:91:a5:6e:
+ a0:ab:2c:6c:e6:ec:cf:ff:5a:07:94:ea:49:92:d4:87:98:f8:
+ 89:f0:f7:4f:77:b0:df:c9:89:03:76:d9:31:30:86:f7:e9:8a:
+ 74:fa:f2:b2:f3:4d:f7:43:41:48:9c:1f:db:ea:23:e3:1e:4c:
+ 15:76:92:e0:f8:ce:71:35:fd:25:f0:97:cd:99:5d:2c:af:33:
+ 64:5e:bd:be:35:e3:53:78:6c:10:c8:0e:cc:83:e5:d9:2e:7a:
+ d9:6d:52:95
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj
+hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj
+K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl
+uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B
+nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S
+4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR
+rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAB3WFGz1zPnJDcQnwVBJq9c5boYxz2eZwF030BTu2OPaF6WCwiWGMygN9spr
+esdy8di5ICfuDH135YsDRpr4mWqOVxrJorF51ra25Ro5gC6IKxfIuTY3OFiK8GJo
+lyW1emJcTSIsMGIMEfBNcJXHLZ6rxe8upCkli+Lk0p0sXmB5NpgTqDhsAA1q8BE8
+P9j5axbRYfnbU1YCQ1aoATuId5GlbqCrLGzm7M//WgeU6kmS1IeY+Inw9093sN/J
+iQN22TEwhvfpinT68rLzTfdDQUicH9vqI+MeTBV2kuD4znE1/SXwl82ZXSyvM2Re
+vb4141N4bBDIDsyD5dkuetltUpU=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/server3-key.pem b/certs/ocsp/server3-key.pem
new file mode 100644
index 000000000..30e108011
--- /dev/null
+++ b/certs/ocsp/server3-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+GWUeFznUM/yX
+ZGmAUftsfMrhuiqr0t0wYfMuR8HUM8D/UyG6LRSmuXxmykV7HH2P/HXzmmnxbCVG
+oJJdAJPjIqZguZcFN3+hqs0igXKxIkc9fI1GVbwyTdKEQ1wVQwcicDY5kxvooUa7
+AoW6HTGssTyEW+uPH2KKcVKeC2O25tZGzBkG1rsGgeQLJRRsY5RwGic3lSRABzD1
+JHPDvfkOX7bNTxiI8Nejm/WwHv4EA6WNc/drMXSF/WH6nlM3dZDm+LWYZuhSTUpM
+OQVlwTT5xpUnsAfBUZaoghsiz0Hf3rSUtw26Yfv0QHyh/KIpo0dNtJSde1Hs5BP7
+zekmyqeTAgMBAAECggEARDViddCJnF1m5X9O548C8qM4PJQK2YoYeVK76cAviQ9k
+0XgnouCoB0aIn202Tv0jBHXmcJjYKJrQKS5WNe6OIbJ+FjihOmr2bbCWWCowV+Rf
+wW0eV71NgJMx1OlCchKRzcaLfk8NdYPgmBtIlkYBW+BgQXGl7L2rIteUeEbH6Yj9
+yCn7ORQeFSbhZJTn2WdXhK3GWjV+1GyHyUyL2SSa2+G2LZ54Ifquq/F6rMGYB9lY
+2K6Q6DB18aVxd/I/OYKeyBZcmJ9COgPUW7/fg0He73aduYdVvWZCRP1ygGdqSZFr
+oqLVe34bEVFANUKylzRplRJdC4oKSUyTSubiOMKZ+QKBgQDf0mk3PolyvsfE2YGb
+9/DsURIxZg14o9Pysp3yD1vvIYNz6WaddtJaj5OM7NzN8spu3wJSoeVgL6KYI6ah
+ZTIYqy4ehOGPKBVL7SvLF+7q/QBMTdfllpdK7GLTtjBnz92TZl9bS/rBc9dCnnBC
+EDkPPrc3nbk5/ADWd+K4RPG3HwKBgQDZbdiQCKY2ulppRcwjcAEIjhrFpShV21P6
+JNKt17HDBqULIAn+G9T/Gg/6yHWeY1DUgVBu1avb4L3jdnMPe2O+1jeaDzNRo6Xj
+9v6PgGsiv4q7gfz7XqVwylUWIY7O52Ox/q+/QJBfwE0qe+E0t4syb44W4QvD9+k7
+fv77R7dFDQKBgQCe0SfVimtvX05TMN9V87YhiVk2ciqm6uDO+s02YI2kfgxPqFMm
+8pRKrExPmBcJj/jyeQ2l4rjm6oYeHFX1ed/1PyoHf9SphxCtgoornzzpw0J94lKK
+17Nc96Ucgs+QKiAYonCRULWKpY8d91zCk85ZMfBB54nySg2yIPlgNZOqkwKBgFO/
+Xqnj2vm7f7WKv91qd8tuyNsWCVpAl7EC2+8/5GVlOs71MUQiPkFgLYWADuXKBUlE
+4dE/FeokP5/McPcmpL3Nzy7U6gRpDy2mZlipsxp4QpyErge4Zery1CEpHdOOBrV5
+jwIQgUuQS2iwvIbMp53uoAEp/5kk9T4IZXguIGZFAoGAMA/j0kHArT7FINf+O6R4
+3EyUTR139emLKHU2OlH/HfHVRZhHo4AmfUYksf+Njb81A6MKFd1XVmNnaumBIfq+
+6Ohoz1VMoO6aUiMMqbmBGaTHc30FVEtAQIRq2C8UDrEN67Sx3O/ngl0Br7lNri29
+LMSCe8fxf8+Kq0k+6tcsht4=
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/server4-cert.pem b/certs/ocsp/server4-cert.pem
new file mode 100644
index 000000000..d9909f676
--- /dev/null
+++ b/certs/ocsp/server4-cert.pem
@@ -0,0 +1,279 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 8 (0x8)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www4.wolfssl.com/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:9c:ef:8a:7e:84:4d:58:7a:b1:91:c8:cb:68:76:
+ df:fe:0a:29:fe:7f:74:35:d5:c3:fd:43:be:d7:89:
+ fc:59:51:5a:30:e9:50:14:84:24:d0:c8:72:7d:d6:
+ 75:42:12:8b:16:ad:5a:e8:d3:84:a7:07:2b:9e:12:
+ ef:6a:cd:3e:83:14:b7:26:a2:53:7b:3d:6c:96:7f:
+ 9c:c5:09:08:0e:55:08:19:b7:5a:1c:46:32:09:da:
+ 44:b2:ca:fd:4a:e4:be:d0:02:c9:c9:48:03:13:a5:
+ ad:3e:7b:21:cf:05:3a:b9:25:f5:c1:b8:4e:4d:eb:
+ 33:99:d1:50:4a:eb:f7:1a:08:6b:d0:5c:9d:48:eb:
+ 98:fd:dc:89:0f:aa:74:d3:7f:03:1b:59:65:f5:86:
+ e1:d9:53:ab:e4:53:ab:85:3c:79:8b:45:39:7b:fd:
+ e9:a2:10:b9:fa:92:71:0e:68:36:66:6e:8c:fb:e2:
+ 8a:5d:5f:72:66:b0:47:2d:c5:b4:93:ce:61:7f:90:
+ 1a:64:02:dd:57:9d:f1:f1:e8:75:21:e2:af:44:e3:
+ 96:f5:1c:e3:73:87:dc:b7:05:12:ad:a5:8f:0c:d8:
+ 2c:b4:90:b3:d9:e7:13:e1:e5:5e:4c:9b:24:89:08:
+ 07:9e:aa:6b:9f:64:01:da:ec:95:05:45:84:d9:a9:
+ db:c7
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 9A:D6:EF:4E:0A:7B:8B:74:E6:14:EC:35:9A:05:2A:94:68:09:61:58
+ X509v3 Authority Key Identifier:
+ keyid:05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:02
+
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22222
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 33:15:a7:22:85:5d:69:97:b2:33:1b:39:8f:0b:0f:57:d6:84:
+ 99:eb:53:e9:35:14:a2:93:9c:11:45:01:6e:45:c7:5b:b7:fc:
+ 7c:2c:a9:e5:34:0f:f2:79:26:a0:4b:99:f8:16:ec:f1:e1:15:
+ 2c:09:d5:f9:7f:c5:8a:ef:16:d7:85:e6:d4:87:35:cd:9d:a2:
+ 6f:c6:f6:39:f6:b7:57:1d:e8:bf:01:71:d5:0b:8d:99:db:84:
+ ab:39:36:24:80:bd:ef:ca:04:2d:f1:fa:fa:a9:4e:e1:e1:28:
+ 58:0c:81:8e:ed:2f:f8:41:91:2d:49:2d:05:55:6d:fd:c1:47:
+ 01:a9:f8:92:13:29:62:7b:a6:7d:f0:04:dd:54:9b:e2:23:95:
+ 63:91:2c:16:10:b1:af:5a:5e:e4:fc:6d:94:76:bb:2a:1f:c2:
+ 12:01:8e:7f:1e:22:d7:71:e0:60:5b:af:a2:25:b8:bd:7e:88:
+ fe:46:17:63:8c:b7:71:db:da:74:17:4e:8e:c6:93:9c:73:77:
+ 4d:6e:9c:75:75:7b:76:fe:6b:ad:00:7a:58:da:c0:f4:2a:be:
+ ef:88:74:5a:80:3f:79:9b:b7:1e:e8:5f:0c:da:b3:27:bb:1f:
+ aa:dd:ad:cb:4f:00:fe:c6:fe:c2:44:06:49:01:4f:a8:ff:24:
+ 64:6b:ae:9a
+-----BEGIN CERTIFICATE-----
+MIIE7jCCA9agAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM
+IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT
+AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD
+VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3
+NC53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzvin6ETVh6sZHIy2h23/4K
+Kf5/dDXVw/1DvteJ/FlRWjDpUBSEJNDIcn3WdUISixatWujThKcHK54S72rNPoMU
+tyaiU3s9bJZ/nMUJCA5VCBm3WhxGMgnaRLLK/UrkvtACyclIAxOlrT57Ic8FOrkl
+9cG4Tk3rM5nRUErr9xoIa9BcnUjrmP3ciQ+qdNN/AxtZZfWG4dlTq+RTq4U8eYtF
+OXv96aIQufqScQ5oNmZujPviil1fcmawRy3FtJPOYX+QGmQC3Ved8fHodSHir0Tj
+lvUc43OH3LcFEq2ljwzYLLSQs9nnE+HlXkybJIkIB56qa59kAdrslQVFhNmp28cC
+AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJrW704Ke4t05hTsNZoF
+KpRoCWFYMIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8XoYGdpIGa
+MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH
+U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx
+GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3
+b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG
+AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB
+AQAzFacihV1pl7IzGzmPCw9X1oSZ61PpNRSik5wRRQFuRcdbt/x8LKnlNA/yeSag
+S5n4Fuzx4RUsCdX5f8WK7xbXhebUhzXNnaJvxvY59rdXHei/AXHVC42Z24SrOTYk
+gL3vygQt8fr6qU7h4ShYDIGO7S/4QZEtSS0FVW39wUcBqfiSEylie6Z98ATdVJvi
+I5VjkSwWELGvWl7k/G2UdrsqH8ISAY5/HiLXceBgW6+iJbi9foj+RhdjjLdx29p0
+F06OxpOcc3dNbpx1dXt2/mutAHpY2sD0Kr7viHRagD95m7ce6F8M2rMnux+q3a3L
+TwD+xv7CRAZJAU+o/yRka66a
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 2 (0x2)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4:
+ 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7:
+ 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6:
+ 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77:
+ 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db:
+ 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb:
+ ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98:
+ 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1:
+ 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a:
+ 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52:
+ 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d:
+ f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35:
+ cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36:
+ a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f:
+ 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55:
+ f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96:
+ aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff:
+ d9:99
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 1d:d6:14:6c:f5:cc:f9:c9:0d:c4:27:c1:50:49:ab:d7:39:6e:
+ 86:31:cf:67:99:c0:5d:37:d0:14:ee:d8:e3:da:17:a5:82:c2:
+ 25:86:33:28:0d:f6:ca:6b:7a:c7:72:f1:d8:b9:20:27:ee:0c:
+ 7d:77:e5:8b:03:46:9a:f8:99:6a:8e:57:1a:c9:a2:b1:79:d6:
+ b6:b6:e5:1a:39:80:2e:88:2b:17:c8:b9:36:37:38:58:8a:f0:
+ 62:68:97:25:b5:7a:62:5c:4d:22:2c:30:62:0c:11:f0:4d:70:
+ 95:c7:2d:9e:ab:c5:ef:2e:a4:29:25:8b:e2:e4:d2:9d:2c:5e:
+ 60:79:36:98:13:a8:38:6c:00:0d:6a:f0:11:3c:3f:d8:f9:6b:
+ 16:d1:61:f9:db:53:56:02:43:56:a8:01:3b:88:77:91:a5:6e:
+ a0:ab:2c:6c:e6:ec:cf:ff:5a:07:94:ea:49:92:d4:87:98:f8:
+ 89:f0:f7:4f:77:b0:df:c9:89:03:76:d9:31:30:86:f7:e9:8a:
+ 74:fa:f2:b2:f3:4d:f7:43:41:48:9c:1f:db:ea:23:e3:1e:4c:
+ 15:76:92:e0:f8:ce:71:35:fd:25:f0:97:cd:99:5d:2c:af:33:
+ 64:5e:bd:be:35:e3:53:78:6c:10:c8:0e:cc:83:e5:d9:2e:7a:
+ d9:6d:52:95
+-----BEGIN CERTIFICATE-----
+MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy
+bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj
+hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj
+K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl
+uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B
+nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S
+4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID
+AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR
+rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k
+gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH
+DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu
+ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv
+QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI
+KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD
+ggEBAB3WFGz1zPnJDcQnwVBJq9c5boYxz2eZwF030BTu2OPaF6WCwiWGMygN9spr
+esdy8di5ICfuDH135YsDRpr4mWqOVxrJorF51ra25Ro5gC6IKxfIuTY3OFiK8GJo
+lyW1emJcTSIsMGIMEfBNcJXHLZ6rxe8upCkli+Lk0p0sXmB5NpgTqDhsAA1q8BE8
+P9j5axbRYfnbU1YCQ1aoATuId5GlbqCrLGzm7M//WgeU6kmS1IeY+Inw9093sN/J
+iQN22TEwhvfpinT68rLzTfdDQUicH9vqI+MeTBV2kuD4znE1/SXwl82ZXSyvM2Re
+vb4141N4bBDIDsyD5dkuetltUpU=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/server4-key.pem b/certs/ocsp/server4-key.pem
new file mode 100644
index 000000000..39a93b209
--- /dev/null
+++ b/certs/ocsp/server4-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCc74p+hE1YerGR
+yMtodt/+Cin+f3Q11cP9Q77XifxZUVow6VAUhCTQyHJ91nVCEosWrVro04SnByue
+Eu9qzT6DFLcmolN7PWyWf5zFCQgOVQgZt1ocRjIJ2kSyyv1K5L7QAsnJSAMTpa0+
+eyHPBTq5JfXBuE5N6zOZ0VBK6/caCGvQXJ1I65j93IkPqnTTfwMbWWX1huHZU6vk
+U6uFPHmLRTl7/emiELn6knEOaDZmboz74opdX3JmsEctxbSTzmF/kBpkAt1XnfHx
+6HUh4q9E45b1HONzh9y3BRKtpY8M2Cy0kLPZ5xPh5V5MmySJCAeeqmufZAHa7JUF
+RYTZqdvHAgMBAAECggEAMmlQF6vwHIftGmNh08C72yLwsmvGrLRqLKTiXOJaSWa0
+jhmkO7LnEJoTDREiwYKrYzF0jm3DotPO0wxKFAiyF/FDlAl4v5HPm9iKR1DLYa82
+1uvq6kIyOLAAeV5zVud7093Ra/LR6jHCINv01EddwbPL6dqGbMks3jA6lpaN3bJt
+85VSy3h6rC2pIZrGddJxDV5jR2gm4N4j8GJoPWpYIGZa/i+GhFmx0OJfUAWTBsGQ
+flt4HxtxoR0OkAQ1MnBbBLqadQQiJ3tt47vD5Ma98GGkuq/l9y2rCuJ/t7sjY7+1
+1dnXrMj4VHKTNYEIkmpNti9lblT55P9v5HAYj4SoIQKBgQDP6/Tf1sf12XKZoQvi
+qwww32brRqMnj7xpiK9PfsPdnBvq1u8aApQ2XRsHLkH/aq7S91DdLKhn+5fX9TZq
+fGtix0V5/JVB11+0Y8hB6YonKtmTxGPScSKQdsSdnvo27yuBfSSp2QuSqYsAqKdV
+dU/F++jAeNJFr5lg+X3zo+7gMwKBgQDBOXB3cO6Xjr1vzkxdtxpbKYTVYK5XGFpy
+lGDJ9QasDMD6iX8EsTzp0/3CRtITnfYFBiBDXSFDwoUm7TqjdlDh9ahFcvkre/33
+6SmXqHshn/RBl+JCAKYolw7cJmuWAFrJNZPbnbfiuqDNg8wkD3P2VTVkKWjsDpxA
+f+99Xm2yHQKBgBBlWvoLxdjtPMxAlt9Y/a0c8NC80UDdZM4tqSVrqaZgGRN7v38d
+lPJ0hR0b2Lh7gS3Bsu6+BsmsXVz6SUA8b3tqm1/zOxHmGfXvqGsKL4rHJkEwy25c
+3Yzm0LpdPv31/khHxgxewTrfg8aZhhiHF7NVGhWTcYFtR3sOMZB07PFhAoGAf9to
+RkDeQD9druwNsD2HHSeeFCvDcTJWN1djrH+MiLBvydjNyecV7YwvcCy4ue5eavig
+xLKNXm8K+LUlhiC2aK7LSBlKM7H6Xd9VfFsqDxfu4rCEMTSIvncmiBqMOlfFuzrO
+uhXlJgxkd1ls7bej/i5oA/06xmjsj+mYKZcgcykCgYAbONjSKF28CILSDKLepNqx
+euRSnKaSgTjcu8B5C6ZWUY8+EsD3Lw6VK2Xn+PPPSS2+Pw7dgLdYybyCgPOLXV+9
+we3d0OyuIPiLiRpfnHVTXdYQBc7qa8khw12LZpodkXwKT85St8jdwJzL1KTZAWqf
+N2KyjDHPGPz8paCzS8LfuQ==
+-----END PRIVATE KEY-----
diff --git a/certs/ocsp/server5-cert.pem b/certs/ocsp/server5-cert.pem
new file mode 100644
index 000000000..43ecf9c83
--- /dev/null
+++ b/certs/ocsp/server5-cert.pem
@@ -0,0 +1,279 @@
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 9 (0x9)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:47 2015 GMT
+ Not After : Sep 25 19:12:47 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www5.wolfssl.com/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ac:73:6d:e9:fa:8c:36:72:3e:89:3b:52:29:bd:
+ 14:70:a2:00:b4:08:58:b6:c6:c0:bf:80:6a:1f:a5:
+ f0:15:fc:f4:19:a2:67:f9:6a:5d:22:69:2e:9c:29:
+ 53:1e:5a:4a:d1:27:d5:b8:3b:65:37:8a:a2:eb:1b:
+ d4:5d:90:11:35:11:af:e3:d1:8c:24:5b:b5:90:c0:
+ bf:de:cb:7a:05:71:1b:ef:76:d7:9d:43:47:85:dc:
+ 24:b8:b8:54:fc:53:bf:c3:fd:e1:12:c6:fc:1b:6f:
+ 95:aa:cf:bb:8e:22:af:83:bd:4e:6b:66:fe:7e:7e:
+ 98:6f:b1:b9:fc:f9:8a:8a:18:92:9a:4c:27:5d:78:
+ 6b:e9:d0:14:1c:ed:69:6d:29:4c:4e:52:e6:92:24:
+ 53:b0:2e:c3:a4:94:8f:20:1c:29:5c:97:70:1a:32:
+ 85:90:71:f7:d7:a5:99:4f:48:c7:3d:fc:3d:a7:e1:
+ f9:96:ea:c1:6b:ea:31:e0:9b:fb:68:3e:4b:ad:a4:
+ 2b:06:90:c2:b4:27:ea:f3:a3:3e:6e:32:75:aa:70:
+ 6a:e3:33:29:fb:42:09:94:79:a5:eb:3c:4e:89:02:
+ 77:08:fd:da:ba:fc:14:c6:8e:c1:5e:db:6d:d0:07:
+ 4f:02:79:60:e7:95:c3:c8:f4:54:83:21:12:79:03:
+ 7f:e1
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:FALSE
+ X509v3 Subject Key Identifier:
+ 2A:48:B6:8B:00:F0:4B:35:73:94:07:87:52:A3:69:5E:E6:D8:42:87
+ X509v3 Authority Key Identifier:
+ keyid:BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:03
+
+ X509v3 Key Usage:
+ Digital Signature, Non Repudiation, Key Encipherment
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22223
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 79:1c:0f:7c:7d:e5:3d:ec:60:00:c9:a4:d6:f1:67:32:66:57:
+ 0a:8a:97:af:a6:53:92:c4:4d:cb:a7:3d:24:24:74:19:fb:9c:
+ d0:25:90:00:ba:32:e2:b2:a8:aa:61:eb:f8:7c:ca:52:5f:8c:
+ ef:e8:9a:d1:9d:73:a7:6e:72:04:0a:6f:d0:b3:88:de:8d:50:
+ c5:da:fc:e7:81:f8:12:b0:12:4a:a2:54:84:50:87:2d:ee:08:
+ 33:dc:2f:ae:2a:ce:57:5e:1d:57:8c:ce:90:4d:9a:a7:4e:cd:
+ 33:4c:f8:47:5d:9f:68:c3:2c:ed:84:b3:b6:ea:dd:1a:f4:ba:
+ 9d:fa:b9:a1:df:82:4a:ed:fc:3f:8c:bf:c5:5a:ab:81:93:6b:
+ a1:65:05:be:00:7b:6c:81:f9:2c:a7:92:60:80:70:de:8d:65:
+ c7:fa:51:e7:b8:02:de:c0:4d:d8:88:6f:41:18:7a:6f:f4:eb:
+ e1:7a:ab:f2:0d:e8:f9:9c:c4:64:fc:e8:d6:e2:c2:79:95:b1:
+ 0a:89:73:e6:4e:bf:35:3f:0b:9f:0c:d5:98:01:15:fe:fb:a3:
+ 0f:1a:75:21:10:0b:32:16:a9:4e:72:d1:de:1e:a6:df:9d:b3:
+ bd:2a:14:67:e0:8d:4e:a2:9d:ae:f4:08:97:a5:f7:df:fa:e1:
+ 00:50:1f:f7
+-----BEGIN CERTIFICATE-----
+MIIE9DCCA9ygAwIBAgIBCTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM
+IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv
+bGZzc2wuY29tMB4XDTE1MTIzMDE5MTI0N1oXDTE4MDkyNTE5MTI0N1owgZgxCzAJ
+BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl
+MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE
+AwwQd3d3NS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxzben6jDZyPok7
+Uim9FHCiALQIWLbGwL+Aah+l8BX89BmiZ/lqXSJpLpwpUx5aStEn1bg7ZTeKousb
+1F2QETURr+PRjCRbtZDAv97LegVxG+92151DR4XcJLi4VPxTv8P94RLG/BtvlarP
+u44ir4O9Tmtm/n5+mG+xufz5iooYkppMJ114a+nQFBztaW0pTE5S5pIkU7Auw6SU
+jyAcKVyXcBoyhZBx99elmU9Ixz38Pafh+ZbqwWvqMeCb+2g+S62kKwaQwrQn6vOj
+Pm4ydapwauMzKftCCZR5pes8TokCdwj92rr8FMaOwV7bbdAHTwJ5YOeVw8j0VIMh
+EnkDf+ECAwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCpItosA8Es1
+c5QHh1KjaV7m2EKHMIHEBgNVHSMEgbwwgbmAFLsVnjJN4PiqirAuDBcrWkF0SwZF
+oYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4G
+A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l
+ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ
+aW5mb0B3b2xmc3NsLmNvbYIBAzALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk
+MCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIzMA0GCSqGSIb3DQEB
+CwUAA4IBAQB5HA98feU97GAAyaTW8WcyZlcKipevplOSxE3Lpz0kJHQZ+5zQJZAA
+ujLisqiqYev4fMpSX4zv6JrRnXOnbnIECm/Qs4jejVDF2vzngfgSsBJKolSEUIct
+7ggz3C+uKs5XXh1XjM6QTZqnTs0zTPhHXZ9owyzthLO26t0a9Lqd+rmh34JK7fw/
+jL/FWquBk2uhZQW+AHtsgfksp5JggHDejWXH+lHnuALewE3YiG9BGHpv9Ovheqvy
+Dej5nMRk/OjW4sJ5lbEKiXPmTr81PwufDNWYARX++6MPGnUhEAsyFqlOctHeHqbf
+nbO9KhRn4I1Oop2u9AiXpfff+uEAUB/3
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 3 (0x3)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28:
+ fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c:
+ 31:eb:13:70:ea:4a:dd:58:3e:4f:33:14:66:59:69:
+ 7a:aa:90:e0:7c:c4:b2:36:c1:0a:f4:df:3e:34:6c:
+ 1a:e9:2b:f1:a5:92:7e:a9:68:70:ba:a4:68:88:f3:
+ ec:10:40:64:a5:64:7d:d9:1e:51:49:9d:7f:c8:cc:
+ 2b:6d:71:2a:06:ff:e6:1f:84:28:8a:c1:ed:a8:52:
+ f4:89:a5:c0:77:d8:13:66:c2:65:a5:63:03:98:b0:
+ 4b:05:4f:0c:84:a0:f4:2d:72:73:6b:fa:0d:e1:cf:
+ 45:27:ed:a3:8c:02:d7:ee:99:e2:a1:f0:e3:a0:ad:
+ 69:ed:59:e4:27:41:8f:ef:fa:83:73:8f:5f:2b:68:
+ 89:13:46:26:dc:f6:28:6b:3b:b2:b8:9b:52:2a:17:
+ 1b:dc:72:45:73:da:75:24:35:8b:00:5e:23:37:64:
+ 6a:16:74:b8:ee:fe:b7:11:71:be:0a:73:c8:54:c2:
+ d9:04:d2:1b:f5:53:ac:8d:2a:4f:fe:33:79:e6:5e:
+ e7:f3:86:d3:dc:bb:4b:d7:39:7f:5b:3c:67:fe:5e:
+ 88:51:05:96:f2:b4:9a:45:09:4c:51:f0:6a:4d:88:
+ 2a:17
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 9a:47:17:70:ff:92:e7:b5:51:a0:d2:5d:f3:e3:dd:90:ec:c9:
+ 8f:ad:61:74:30:ba:d9:60:ba:5b:cf:da:03:4f:c8:50:5a:f4:
+ 5e:e0:e3:a0:ce:de:43:6c:56:e0:bc:35:e9:0d:bb:53:0e:22:
+ 7f:21:42:6c:2a:0f:67:b2:8a:1a:f5:e8:1f:a9:a1:90:11:d0:
+ ec:18:90:ba:ee:cf:d4:18:28:1b:9c:96:8e:d6:48:bd:6f:66:
+ 79:df:04:0d:04:d3:13:69:b8:24:15:7c:3b:bc:b9:fc:1d:dd:
+ cc:45:a5:c1:04:c9:d3:68:a7:de:cd:1e:aa:cc:bd:3d:f4:12:
+ eb:3d:01:44:11:fd:1d:bd:a0:7a:4c:24:f2:39:78:17:c1:1f:
+ 8c:b8:ab:01:f3:98:88:ff:bd:2c:1b:43:bb:fe:37:94:65:b4:
+ 3c:e6:11:8c:5d:36:de:ab:84:a5:6d:30:23:dc:ad:b1:74:24:
+ 2a:bb:49:f0:37:ef:db:9a:eb:4e:fc:f9:a2:47:06:3a:09:9d:
+ 4f:c3:c6:dc:18:90:47:42:f4:bc:8d:75:be:7c:c8:d5:47:a6:
+ bb:c2:1e:55:16:8f:a4:62:cc:1f:7c:cf:5a:b5:41:6d:98:f4:
+ 15:b9:fc:5a:3e:47:75:a0:f7:b0:df:33:54:a9:7c:f0:da:3c:
+ 65:c2:e6:1a
+-----BEGIN CERTIFICATE-----
+MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L
+RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu
+Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3sUEEH3CIekSRdrV
+uij9pvQwRKDf+XBeFyaXWVwx6xNw6krdWD5PMxRmWWl6qpDgfMSyNsEK9N8+NGwa
+6SvxpZJ+qWhwuqRoiPPsEEBkpWR92R5RSZ1/yMwrbXEqBv/mH4QoisHtqFL0iaXA
+d9gTZsJlpWMDmLBLBU8MhKD0LXJza/oN4c9FJ+2jjALX7pniofDjoK1p7VnkJ0GP
+7/qDc49fK2iJE0Ym3PYoazuyuJtSKhcb3HJFc9p1JDWLAF4jN2RqFnS47v63EXG+
+CnPIVMLZBNIb9VOsjSpP/jN55l7n84bT3LtL1zl/Wzxn/l6IUQWW8rSaRQlMUfBq
+TYgqFwIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUuxWeMk3g
++KqKsC4MFytaQXRLBkUwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y
+FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw
+DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp
+bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB
+FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm
+MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcN
+AQELBQADggEBAJpHF3D/kue1UaDSXfPj3ZDsyY+tYXQwutlgulvP2gNPyFBa9F7g
+46DO3kNsVuC8NekNu1MOIn8hQmwqD2eyihr16B+poZAR0OwYkLruz9QYKBuclo7W
+SL1vZnnfBA0E0xNpuCQVfDu8ufwd3cxFpcEEydNop97NHqrMvT30Eus9AUQR/R29
+oHpMJPI5eBfBH4y4qwHzmIj/vSwbQ7v+N5RltDzmEYxdNt6rhKVtMCPcrbF0JCq7
+SfA379ua6078+aJHBjoJnU/DxtwYkEdC9LyNdb58yNVHprvCHlUWj6RizB98z1q1
+QW2Y9BW5/Fo+R3Wg97DfM1SpfPDaPGXC5ho=
+-----END CERTIFICATE-----
+Certificate:
+ Data:
+ Version: 3 (0x2)
+ Serial Number: 99 (0x63)
+ Signature Algorithm: sha256WithRSAEncryption
+ Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Validity
+ Not Before: Dec 30 19:12:46 2015 GMT
+ Not After : Sep 25 19:12:46 2018 GMT
+ Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ Subject Public Key Info:
+ Public Key Algorithm: rsaEncryption
+ Public-Key: (2048 bit)
+ Modulus:
+ 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc:
+ bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca:
+ 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7:
+ 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90:
+ ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c:
+ 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b:
+ f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76:
+ b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4:
+ 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6:
+ 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5:
+ 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93:
+ b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36:
+ 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34:
+ 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9:
+ 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30:
+ b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f:
+ 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9:
+ 99:81
+ Exponent: 65537 (0x10001)
+ X509v3 extensions:
+ X509v3 Basic Constraints:
+ CA:TRUE
+ X509v3 Subject Key Identifier:
+ 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ X509v3 Authority Key Identifier:
+ keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21
+ DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com
+ serial:63
+
+ X509v3 Key Usage:
+ Certificate Sign, CRL Sign
+ Authority Information Access:
+ OCSP - URI:http://127.0.0.1:22220
+
+ Signature Algorithm: sha256WithRSAEncryption
+ 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e:
+ 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45:
+ 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8:
+ 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18:
+ 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44:
+ 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d:
+ 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d:
+ 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25:
+ 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68:
+ 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23:
+ d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1:
+ 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4:
+ 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45:
+ 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e:
+ bf:dd:65:6d
+-----BEGIN CERTIFICATE-----
+MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx
+EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM
+B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM
+IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx
+MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV
+BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT
+U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg
+Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3
+DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF
+ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1
+LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva
+Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb
+D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z
+Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB
+NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB
+xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG
+A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx
+EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD
+DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j
+b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW
+aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3
+wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI
+Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n
++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/
+DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB
+fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe
+rskF4eNev91lbQ==
+-----END CERTIFICATE-----
diff --git a/certs/ocsp/server5-key.pem b/certs/ocsp/server5-key.pem
new file mode 100644
index 000000000..a45a1c6e9
--- /dev/null
+++ b/certs/ocsp/server5-key.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsc23p+ow2cj6J
+O1IpvRRwogC0CFi2xsC/gGofpfAV/PQZomf5al0iaS6cKVMeWkrRJ9W4O2U3iqLr
+G9RdkBE1Ea/j0YwkW7WQwL/ey3oFcRvvdtedQ0eF3CS4uFT8U7/D/eESxvwbb5Wq
+z7uOIq+DvU5rZv5+fphvsbn8+YqKGJKaTCddeGvp0BQc7WltKUxOUuaSJFOwLsOk
+lI8gHClcl3AaMoWQcffXpZlPSMc9/D2n4fmW6sFr6jHgm/toPkutpCsGkMK0J+rz
+oz5uMnWqcGrjMyn7QgmUeaXrPE6JAncI/dq6/BTGjsFe223QB08CeWDnlcPI9FSD
+IRJ5A3/hAgMBAAECggEABz5+EoMc2rin2dntFKXFswmLIATtvRfSRvkc/CFbWYEb
+u+vvlDGcofJrK9IslKzUUb7romaUVOX0/A1aOWfw4RrSGa7WxTw4/1CpfrFreckL
+lF6YphmKapwZysyrfUIDXzdN+hzzwC9KyTcauNjKKK2OGsLj0+p7es2rc24EHNLj
+vFpNj5TC84qsibATY1ny3tcL7SBcNLtiHsm+0JDagGqlW3ptT0oErrzH6jtUAI9j
+LLm87mxwJyp4rBZvnP3s4jnOLLCJH40QyrCPKR6L4bAzSaA9kEnBUu+y1y1PyUP7
+goWIPJmfclDFqgB2U7K/QbbfPFpt8pFB9SmbsoIlMQKBgQDgvgf/pdc6q9jAL9UQ
+sTYa+iJJIFcjQKA95aCRoUeUjWvjA+2ROmYgLcMi7pxfNyFvYkaOXjBTL+aqSEWI
+wQVbnGK4aqG16w2o/P+bWUatpMMWNbwsZGAkXpcgdrg+SbNjrQ2lY35EdmPc025G
+Fqx5ouOk7wDlKWQolIwWDh3WNQKBgQDEb47VbrIo8BNnO/xxVjAsU7uQIYZkr/GR
+6V5oN+kIXrttReZnY/bUVrV84r49E3cNfoZXlfZa7fAEVb9GWbZMk+9M/s78aU5M
+xeFNj7HBfbgG3I+1SZQZaAEK6BZuq8GRCLV2JKOn9iInVQQL57/qz6APjC/a52zJ
+asNmmcdIfQKBgBmEWgIjwUEvG8gOZkGj7UG43sWwv1QIVWlRth5y0l7Cg9pdqs6P
+c+L5byt7LhP9fXVZEiu98/yt9qGk3Qg+6i3Rnr/Tk5LFImLqftcTltvGVkQiS8A6
+kVPvzXbpI9gmpBCQKHl7x21ch9AdzWp1zpVs8i3a2R4ryex1mUYzyh11AoGAWhKZ
+WS7IDNOA4i50Y/fUYQ8IC2AEAvlWeMScoIc6mLbvlHyf2LrSvK0BzUEfYFwjlBF3
+QoQmEa3XB/XVnkmWuOiAqzqP6NfUqol19R21sXaXQrYyQzt46GlzSPABEUA6oulu
+Y70LOgI3yPdHwrnCm8YWq+ppKyRBEt6cuNg8s/UCgYEAl3J4fMTYcDjt4H/OTgba
+IjKLPV0LuBUfx/PTA0oi81x1c11fM8a/ZeD0QkXDjjrjXM33mbkR0lzFEl7ZOCnh
+sRDkkM8MvOsq4KMGnBLQBN0QvKSgsuYDqIEUmFdMHiyckBjuwntMVXnfKYtEJ1Q9
+zYHlJn4e4/2VqGK9PWrgAtA=
+-----END PRIVATE KEY-----
diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh
index ec4e35e47..da7fbe49a 100755
--- a/certs/renewcerts.sh
+++ b/certs/renewcerts.sh
@@ -302,7 +302,7 @@ elif [ ! -z "$1" ]; then
echo ""
echo ""
#else the argument was invalid, tell user to use -h or -help
- else
+ else
echo ""
echo "That is not a valid option."
echo ""
@@ -328,7 +328,7 @@ else
# check options.h a second time, if the user had
# ntru installed on their system and in the default
- # path location, then it will now be defined, if the
+ # path location, then it will now be defined, if the
# user does not have ntru on their system this will fail
# again and we will not update any certs until user installs
# ntru in the default location
diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf
index 7decf9ef9..47ad4ba93 100644
--- a/certs/renewcerts/wolfssl.cnf
+++ b/certs/renewcerts/wolfssl.cnf
@@ -1,5 +1,5 @@
#
-# wolfssl configuration file
+# wolfssl configuration file
#
HOME = .
RANDFILE = $ENV::HOME/.rnd
@@ -20,7 +20,7 @@ default_ca = CA_default # The default ca section
[ CA_default ]
####################################################################
-# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY #
+# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY #
# #
dir = $HOME./.. #
####################################################################
@@ -158,7 +158,7 @@ dir = ./demoCA # directory
serial = $dir/tsaserial # (mandatory)
crypto_device = builtin # engine
signer_cert = $dir/tsacert.pem # certificate
-certs = $dir/cacert.pem # chain
+certs = $dir/cacert.pem # chain
signer_key = $dir/private/tsakey.pem # (optional)
default_policy = tsa_policy1 # Policy
other_policies = tsa_policy2, tsa_policy3 # (optional)
diff --git a/configure.ac b/configure.ac
index e2895eb39..b30e62100 100644
--- a/configure.ac
+++ b/configure.ac
@@ -6,7 +6,7 @@
#
#
-AC_INIT([wolfssl],[3.6.9d],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com])
+AC_INIT([wolfssl],[3.8.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com])
AC_CONFIG_AUX_DIR([build-aux])
@@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS.
#shared library versioning
-WOLFSSL_LIBRARY_VERSION=1:0:0
+WOLFSSL_LIBRARY_VERSION=4:0:1
# | | |
# +------+ | +---+
# | | |
@@ -70,6 +70,7 @@ m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])])
AC_CHECK_FUNCS([gethostbyname])
AC_CHECK_FUNCS([getaddrinfo])
AC_CHECK_FUNCS([gettimeofday])
+AC_CHECK_FUNCS([gmtime_r])
AC_CHECK_FUNCS([inet_ntoa])
AC_CHECK_FUNCS([memset])
AC_CHECK_FUNCS([socket])
@@ -452,6 +453,7 @@ then
AM_CFLAGS="$AM_CFLAGS -maes -msse4"
fi
fi
+ AS_IF([test "x$ENABLED_AESGCM" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"])
fi
if test "$ENABLED_INTELASM" = "yes"
@@ -1467,6 +1469,50 @@ then
fi
+# Certificate Status Request : a.k.a. OCSP Stapling
+AC_ARG_ENABLE([ocspstapling],
+ [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])],
+ [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ],
+ [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ]
+ )
+
+if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"
+then
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST"
+
+ # Requires OCSP make sure on
+ if test "x$ENABLED_OCSP" = "xno"
+ then
+ ENABLED_OCSP="yes"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"
+ AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"])
+ fi
+fi
+
+AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"])
+
+# Certificate Status Request v2 : a.k.a. OCSP stapling v2
+AC_ARG_ENABLE([ocspstapling2],
+ [AS_HELP_STRING([--enable-ocspstapling2],[Enable OCSP Stapling v2 (default: disabled)])],
+ [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ],
+ [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ]
+ )
+
+if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"
+then
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2"
+
+ # Requires OCSP make sure on
+ if test "x$ENABLED_OCSP" = "xno"
+ then
+ ENABLED_OCSP="yes"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP"
+ AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"])
+ fi
+fi
+
+AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"])
+
# CRL
AC_ARG_ENABLE([crl],
[ --enable-crl Enable CRL (default: disabled)],
@@ -1945,7 +1991,8 @@ then
if test "x$ENABLED_ECC" = "xno"
then
ENABLED_ECC="yes"
- AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC"
+ AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR"
+ AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"])
fi
if test "x$ENABLED_PKCALLBACKS" = "xno"
then
@@ -2262,8 +2309,9 @@ AC_ARG_WITH([cavium],
# Fast RSA using Intel IPP
ippdir="${srcdir}/IPP"
-ipplib="lib" # if autoconf guesses 32 changes lib directory
-fastRSA_headers=no
+ipplib="lib" # if autoconf guesses 32bit system changes lib directory
+fastRSA_found=no
+abs_path=`pwd`
# set up variables used
IPPLIBS=
@@ -2278,11 +2326,12 @@ AC_ARG_ENABLE([fast-rsa],
if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then
-if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then
if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
ipplib="lib_32" # 32 bit OS detected
fi
+# Use static IPP Libraries
+if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then
case $host_os in
*darwin*)
ipplib="$ipplib/mac_static"
@@ -2299,92 +2348,100 @@ if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then
AC_CHECK_FILES([$srcdir/IPP/$ipplib/libippcore.a $srcdir/IPP/$ipplib/libippcp.a], [], [ENABLED_FAST_RSA=no])
AC_CHECK_FILES([$srcdir/IPP/include/ipp.h $srcdir/IPP/include/ippcp.h], [AM_CPPFLAGS="-I$srcdir/IPP/include $AM_CPPFLAGS"], [ENABLED_FAST_RSA=no])
- LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a"
+ LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_STATIC_ADD"
if test "$ENABLED_FAST_RSA" = "no"; then
AC_MSG_ERROR([Could not find fast rsa libraries])
fi
else
-# just check link and see if user has already exported paths
-if test "$ENABLED_FAST_RSA" = "yes"
- then
- AC_MSG_NOTICE([Checking if IPP crypto library installed])
- AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [LIBS="$LIBS -lippcore"; fastRSA_headers=yes], [AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]); fastRSA_headers=no])], [fastRSA_headers=no])
- if test "$fastRSA_headers" = "yes"; then
- AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp"
- fi
-fi
-# Don't cache the result so it can be checked again
-AS_UNSET([ac_cv_header_ippcp_h])
-AS_UNSET([ac_cv_header_ipp_h])
-
-if test "$fastRSA_headers" = "no"; then
-dnl set default paths
+# Check for and use bundled IPP libraries
if test "$ENABLED_FAST_RSA" = "yes"; then
AC_MSG_NOTICE([Using local IPP crypto library])
- # build and default locations on linux and mac
- STORE_LDFLAGS=${LDFLAGS}
- STORE_CPPFLAGS=${CPPFLAGS}
- if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
- ipplib="lib_32" # 32 bit OS detected
- fi
- # using LDFLAGS instead of AM_ temporarily to test link to library
- LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore"
- CPPFLAGS="-I$ippdir/include"
- AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [], [ENABLED_FAST_RSA=no])], [ENABLED_FAST_RSA=no])
- if test "$ENABLED_FAST_RSA" = "yes"; then
- # was succesfull so add tested LDFLAGS to AM_ flags
- AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}"
- AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}"
+ AC_CHECK_FILES([$abs_path/IPP/include/ippcp.h],
+ [
+ # build and default locations on linux and mac
+ STORE_LDFLAGS=${LDFLAGS}
+ STORE_CPPFLAGS=${CPPFLAGS}
- case $host_os in
- *darwin*)
+ # using LDFLAGS instead of AM_ temporarily to test link to library
+ LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore"
+ CPPFLAGS="-I$ippdir/include"
+ AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [fastRSA_found=yes], [fastRSA_found=no])], [fastRSA_found=no])
name="$ippdir/$ipplib/libippcp"
- IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib"
- IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib"
- break;;
+ case $host_os in
+ *darwin*)
+ # check file existence and conditionally set variables
+ AC_CHECK_FILES([$abs_path/IPP/$ipplib/libippcp.dylib], [
+ IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib"
+ IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib"
+ ], [fastRSA_found=no])
+ break;;
- *linux*)
- if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
- name="$ippdir/$ipplib/libippcp"
- IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so"
- IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
- else
- name="$ippdir/$ipplib/libippcp"
- IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so"
- IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
+ *linux*)
+ # check file existence and conditionally set variables
+ AC_CHECK_FILES([$abs_path/IPP/$ipplib/libippcp.so.9.0], [
+ if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then
+ IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so IPP/$ipplib/libippcore.so.9.0"
+ IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
+ else
+ IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so IPP/lib/libippcore.so.9.0"
+ IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0"
+ fi
+ ], [fastRSA_found=no])
+ break;;
+ *)
+ fastRSA_found=no
+ esac
+
+ if test "$fastRSA_found" = "yes"; then
+ # was succesfull so add tested LDFLAGS to AM_ flags
+ AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}"
+ AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}"
+ IPPHEADERS="${srcdir}/IPP/include/*.h"
fi
- break;;
- *)
- ENABLED_FAST_RSA=no
- esac
- fi
- # restore LDFLAGS to user set
- LDFLAGS=${STORE_LDFLAGS}
- CPPFLAGS=${STORE_CPPFLAGS}
- IPPHEADERS="${srcdir}/IPP/include/*.h"
+
+ # restore LDFLAGS to user set
+ LDFLAGS=${STORE_LDFLAGS}
+ CPPFLAGS=${STORE_CPPFLAGS}
+ ], [fastRSA_found=no])
+fi
+
+# Don't cache the result so it can be checked
+AS_UNSET([ac_cv_header_ippcp_h])
+AS_UNSET([ac_cv_header_ipp_h])
+AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]);
+
+# Check link and see if user has pre-existing IPP Libraries if not using local
+if test "$ENABLED_FAST_RSA" = "yes" && test "$fastRSA_found" = "no"; then
+ AC_MSG_NOTICE([Checking if IPP crypto library installed])
+ AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15],
+ [
+ fastRSA_found=yes
+ AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp"
+ ], [ fastRSA_found=no])
+ ], [fastRSA_found=no])
# Error out on not finding libraries
- if test "$ENABLED_FAST_RSA" = "no"; then
+ if test "$fastRSA_found" = "no"; then
AC_MSG_ERROR([Could not find fast rsa libraries])
fi
fi
-fi # end of if found exported paths
fi # end of if for shared library
else # if user rsa is set than do not use fast rsa option
if test "$ENABLED_FAST_RSA" = "yes"; then
AC_MSG_ERROR([Could not use fast rsa libraries with user crypto or fips])
fi
-fi # end of if for user rsa crypto
+fi # end of if for user rsa crypto or fips
+# End result of checking for IPP Libraries
AC_MSG_CHECKING([for fast RSA])
if test "$ENABLED_FAST_RSA" = "yes"; then
AM_CFLAGS="$AM_CFLAGS -DHAVE_FAST_RSA -DHAVE_USER_RSA"
# add in user crypto header that uses Intel IPP
AM_CPPFLAGS="$AM_CPPFLAGS -I$srcdir/wolfcrypt/user-crypto/include"
if test "$enable_shared" = "yes"; then
- LIBS="$LIBS -lippcore"
+ LIBS="$LIBS -lippcore -lippcp"
LIB_ADD="-lippcp -lippcore $LIB_ADD"
else
LIB_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_ADD"
@@ -2397,7 +2454,6 @@ fi
AC_SUBST([IPPLIBS])
AC_SUBST([IPPHEADERS])
AC_SUBST([IPPLINK])
-# Found IPP library now build in user crypto to use it
AM_CONDITIONAL([BUILD_FAST_RSA], [test "x$ENABLED_FAST_RSA" = "xyes"])
@@ -2500,6 +2556,7 @@ CREATE_HEX_VERSION
AC_SUBST([AM_CPPFLAGS])
AC_SUBST([AM_CFLAGS])
AC_SUBST([AM_LDFLAGS])
+AC_SUBST([AM_CCASFLAGS])
AC_SUBST([LIB_ADD])
AC_SUBST([LIB_STATIC_ADD])
@@ -2548,7 +2605,9 @@ echo " *" >> $OPTION_FILE
echo " */" >> $OPTION_FILE
echo "" >> $OPTION_FILE
-echo "#pragma once" >> $OPTION_FILE
+echo "#ifndef WOLFSSL_OPTIONS_H" >> $OPTION_FILE
+echo "#define WOLFSSL_OPTIONS_H" >> $OPTION_FILE
+echo "" >> $OPTION_FILE
echo "" >> $OPTION_FILE
echo "#ifdef __cplusplus" >> $OPTION_FILE
echo "extern \"C\" {" >> $OPTION_FILE
@@ -2594,6 +2653,9 @@ echo "#ifdef __cplusplus" >> $OPTION_FILE
echo "}" >> $OPTION_FILE
echo "#endif" >> $OPTION_FILE
echo "" >> $OPTION_FILE
+echo "" >> $OPTION_FILE
+echo "#endif /* WOLFSSL_OPTIONS_H */" >> $OPTION_FILE
+echo "" >> $OPTION_FILE
echo
#backwards compatability for those who have included options or version
@@ -2607,106 +2669,113 @@ do
echo "$line" >> cyassl/options.h
done < $OPTION_FILE
+# switch ifdef protection in cyassl/option.h to CYASSL_OPTONS_H, remove bak
+sed -i.bak 's/WOLFSSL_OPTIONS_H/CYASSL_OPTIONS_H/g' cyassl/options.h
+rm cyassl/options.h.bak
+
# output config summary
echo "---"
echo "Configuration summary for $PACKAGE_NAME version $VERSION"
echo ""
-echo " * Installation prefix: $prefix"
-echo " * System type: $host_vendor-$host_os"
-echo " * Host CPU: $host_cpu"
-echo " * C Compiler: $CC"
-echo " * C Flags: $CFLAGS"
-echo " * C++ Compiler: $CXX"
-echo " * C++ Flags: $CXXFLAGS"
-echo " * CPP Flags: $CPPFLAGS"
-echo " * LIB Flags: $LIB"
-echo " * Debug enabled: $ax_enable_debug"
-echo " * Warnings as failure: $ac_cv_warnings_as_errors"
-echo " * make -j: $enable_jobserver"
-echo " * VCS checkout: $ac_cv_vcs_checkout"
+echo " * Installation prefix: $prefix"
+echo " * System type: $host_vendor-$host_os"
+echo " * Host CPU: $host_cpu"
+echo " * C Compiler: $CC"
+echo " * C Flags: $CFLAGS"
+echo " * C++ Compiler: $CXX"
+echo " * C++ Flags: $CXXFLAGS"
+echo " * CPP Flags: $CPPFLAGS"
+echo " * CCAS Flags: $CCASFLAGS"
+echo " * LIB Flags: $LIB"
+echo " * Debug enabled: $ax_enable_debug"
+echo " * Warnings as failure: $ac_cv_warnings_as_errors"
+echo " * make -j: $enable_jobserver"
+echo " * VCS checkout: $ac_cv_vcs_checkout"
echo
echo " Features "
-echo " * Single threaded: $ENABLED_SINGLETHREADED"
-echo " * Filesystem: $ENABLED_FILESYSTEM"
-echo " * OpenSSH Build: $ENABLED_OPENSSH"
-echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA"
-echo " * Max Strength Build: $ENABLED_MAXSTRENGTH"
-echo " * fastmath: $ENABLED_FASTMATH"
-echo " * sniffer: $ENABLED_SNIFFER"
-echo " * snifftest: $ENABLED_SNIFFTEST"
-echo " * ARC4: $ENABLED_ARC4"
-echo " * AES: $ENABLED_AES"
-echo " * AES-NI: $ENABLED_AESNI"
-echo " * AES-GCM: $ENABLED_AESGCM"
-echo " * AES-CCM: $ENABLED_AESCCM"
-echo " * DES3: $ENABLED_DES3"
-echo " * IDEA: $ENABLED_IDEA"
-echo " * Camellia: $ENABLED_CAMELLIA"
-echo " * NULL Cipher: $ENABLED_NULL_CIPHER"
-echo " * MD5: $ENABLED_MD5"
-echo " * RIPEMD: $ENABLED_RIPEMD"
-echo " * SHA: $ENABLED_SHA"
-echo " * SHA-512: $ENABLED_SHA512"
-echo " * BLAKE2: $ENABLED_BLAKE2"
-echo " * keygen: $ENABLED_KEYGEN"
-echo " * certgen: $ENABLED_CERTGEN"
-echo " * certreq: $ENABLED_CERTREQ"
-echo " * certext: $ENABLED_CERTEXT"
-echo " * HC-128: $ENABLED_HC128"
-echo " * RABBIT: $ENABLED_RABBIT"
-echo " * CHACHA: $ENABLED_CHACHA"
-echo " * Hash DRBG: $ENABLED_HASHDRBG"
-echo " * PWDBASED: $ENABLED_PWDBASED"
-echo " * wolfCrypt Only: $ENABLED_CRYPTONLY"
-echo " * HKDF: $ENABLED_HKDF"
-echo " * MD4: $ENABLED_MD4"
-echo " * PSK: $ENABLED_PSK"
-echo " * Poly1305: $ENABLED_POLY1305"
-echo " * LEANPSK: $ENABLED_LEANPSK"
-echo " * RSA: $ENABLED_RSA"
-echo " * DSA: $ENABLED_DSA"
-echo " * DH: $ENABLED_DH"
-echo " * ECC: $ENABLED_ECC"
-echo " * CURVE25519: $ENABLED_CURVE25519"
-echo " * ED25519: $ENABLED_ED25519"
-echo " * FPECC: $ENABLED_FPECC"
-echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT"
-echo " * ASN: $ENABLED_ASN"
-echo " * Anonymous cipher: $ENABLED_ANON"
-echo " * CODING: $ENABLED_CODING"
-echo " * MEMORY: $ENABLED_MEMORY"
-echo " * I/O POOL: $ENABLED_IOPOOL"
-echo " * LIGHTY: $ENABLED_LIGHTY"
-echo " * STUNNEL: $ENABLED_STUNNEL"
-echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
-echo " * DTLS: $ENABLED_DTLS"
-echo " * Old TLS Versions: $ENABLED_OLD_TLS"
-echo " * SSL version 3.0: $ENABLED_SSLV3"
-echo " * OCSP: $ENABLED_OCSP"
-echo " * CRL: $ENABLED_CRL"
-echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR"
-echo " * Persistent session cache: $ENABLED_SAVESESSION"
-echo " * Persistent cert cache: $ENABLED_SAVECERT"
-echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
-echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
-echo " * NTRU: $ENABLED_NTRU"
-echo " * SNI: $ENABLED_SNI"
-echo " * ALPN: $ENABLED_ALPN"
-echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
-echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
-echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
-echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
-echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES"
-echo " * Session Ticket: $ENABLED_SESSION_TICKET"
-echo " * All TLS Extensions: $ENABLED_TLSX"
-echo " * PKCS#7 $ENABLED_PKCS7"
-echo " * wolfSCEP $ENABLED_WOLFSCEP"
-echo " * Secure Remote Password $ENABLED_SRP"
-echo " * Small Stack: $ENABLED_SMALL_STACK"
-echo " * valgrind unit tests: $ENABLED_VALGRIND"
-echo " * LIBZ: $ENABLED_LIBZ"
-echo " * Examples: $ENABLED_EXAMPLES"
-echo " * User Crypto: $ENABLED_USER_CRYPTO"
-echo " * Fast RSA: $ENABLED_FAST_RSA"
+echo " * Single threaded: $ENABLED_SINGLETHREADED"
+echo " * Filesystem: $ENABLED_FILESYSTEM"
+echo " * OpenSSH Build: $ENABLED_OPENSSH"
+echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA"
+echo " * Max Strength Build: $ENABLED_MAXSTRENGTH"
+echo " * fastmath: $ENABLED_FASTMATH"
+echo " * sniffer: $ENABLED_SNIFFER"
+echo " * snifftest: $ENABLED_SNIFFTEST"
+echo " * ARC4: $ENABLED_ARC4"
+echo " * AES: $ENABLED_AES"
+echo " * AES-NI: $ENABLED_AESNI"
+echo " * AES-GCM: $ENABLED_AESGCM"
+echo " * AES-CCM: $ENABLED_AESCCM"
+echo " * DES3: $ENABLED_DES3"
+echo " * IDEA: $ENABLED_IDEA"
+echo " * Camellia: $ENABLED_CAMELLIA"
+echo " * NULL Cipher: $ENABLED_NULL_CIPHER"
+echo " * MD5: $ENABLED_MD5"
+echo " * RIPEMD: $ENABLED_RIPEMD"
+echo " * SHA: $ENABLED_SHA"
+echo " * SHA-512: $ENABLED_SHA512"
+echo " * BLAKE2: $ENABLED_BLAKE2"
+echo " * keygen: $ENABLED_KEYGEN"
+echo " * certgen: $ENABLED_CERTGEN"
+echo " * certreq: $ENABLED_CERTREQ"
+echo " * certext: $ENABLED_CERTEXT"
+echo " * HC-128: $ENABLED_HC128"
+echo " * RABBIT: $ENABLED_RABBIT"
+echo " * CHACHA: $ENABLED_CHACHA"
+echo " * Hash DRBG: $ENABLED_HASHDRBG"
+echo " * PWDBASED: $ENABLED_PWDBASED"
+echo " * wolfCrypt Only: $ENABLED_CRYPTONLY"
+echo " * HKDF: $ENABLED_HKDF"
+echo " * MD4: $ENABLED_MD4"
+echo " * PSK: $ENABLED_PSK"
+echo " * Poly1305: $ENABLED_POLY1305"
+echo " * LEANPSK: $ENABLED_LEANPSK"
+echo " * RSA: $ENABLED_RSA"
+echo " * DSA: $ENABLED_DSA"
+echo " * DH: $ENABLED_DH"
+echo " * ECC: $ENABLED_ECC"
+echo " * CURVE25519: $ENABLED_CURVE25519"
+echo " * ED25519: $ENABLED_ED25519"
+echo " * FPECC: $ENABLED_FPECC"
+echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT"
+echo " * ASN: $ENABLED_ASN"
+echo " * Anonymous cipher: $ENABLED_ANON"
+echo " * CODING: $ENABLED_CODING"
+echo " * MEMORY: $ENABLED_MEMORY"
+echo " * I/O POOL: $ENABLED_IOPOOL"
+echo " * LIGHTY: $ENABLED_LIGHTY"
+echo " * STUNNEL: $ENABLED_STUNNEL"
+echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS"
+echo " * DTLS: $ENABLED_DTLS"
+echo " * Old TLS Versions: $ENABLED_OLD_TLS"
+echo " * SSL version 3.0: $ENABLED_SSLV3"
+echo " * OCSP: $ENABLED_OCSP"
+echo " * OCSP Stapling: $ENABLED_CERTIFICATE_STATUS_REQUEST"
+echo " * OCSP Stapling v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2"
+echo " * CRL: $ENABLED_CRL"
+echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR"
+echo " * Persistent session cache: $ENABLED_SAVESESSION"
+echo " * Persistent cert cache: $ENABLED_SAVECERT"
+echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER"
+echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS"
+echo " * NTRU: $ENABLED_NTRU"
+echo " * Server Name Indication: $ENABLED_SNI"
+echo " * ALPN: $ENABLED_ALPN"
+echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
+echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
+echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES"
+echo " * Session Ticket: $ENABLED_SESSION_TICKET"
+echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
+echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION"
+echo " * All TLS Extensions: $ENABLED_TLSX"
+echo " * PKCS#7 $ENABLED_PKCS7"
+echo " * wolfSCEP $ENABLED_WOLFSCEP"
+echo " * Secure Remote Password $ENABLED_SRP"
+echo " * Small Stack: $ENABLED_SMALL_STACK"
+echo " * valgrind unit tests: $ENABLED_VALGRIND"
+echo " * LIBZ: $ENABLED_LIBZ"
+echo " * Examples: $ENABLED_EXAMPLES"
+echo " * User Crypto: $ENABLED_USER_CRYPTO"
+echo " * Fast RSA: $ENABLED_FAST_RSA"
echo ""
echo "---"
diff --git a/ctaocrypt/src/wolfcrypt_first.c b/ctaocrypt/src/wolfcrypt_first.c
index c694aa045..00e474457 100644
--- a/ctaocrypt/src/wolfcrypt_first.c
+++ b/ctaocrypt/src/wolfcrypt_first.c
@@ -30,6 +30,12 @@
#ifdef HAVE_FIPS
+#ifdef USE_WINDOWS_API
+ #pragma code_seg(".fipsA$a")
+ #pragma const_seg(".fipsB$a")
+#endif
+
+
/* read only start address */
const unsigned int wolfCrypt_FIPS_ro_start[] =
{ 0x1a2b3c4d, 0x00000001 };
diff --git a/ctaocrypt/src/wolfcrypt_last.c b/ctaocrypt/src/wolfcrypt_last.c
index cdcd741a1..284eb110e 100644
--- a/ctaocrypt/src/wolfcrypt_last.c
+++ b/ctaocrypt/src/wolfcrypt_last.c
@@ -30,6 +30,12 @@
#ifdef HAVE_FIPS
+#ifdef USE_WINDOWS_API
+ #pragma code_seg(".fipsA$l")
+ #pragma const_seg(".fipsB$l")
+#endif
+
+
/* last function of text/code segment */
int wolfCrypt_FIPS_last(void);
int wolfCrypt_FIPS_last(void)
diff --git a/cyassl/options.h.in b/cyassl/options.h.in
index d1e362c20..523be8c57 100644
--- a/cyassl/options.h.in
+++ b/cyassl/options.h.in
@@ -21,7 +21,9 @@
/* default blank options for autoconf */
-#pragma once
+#ifndef CYASSL_OPTIONS_H
+#define CYASSL_OPTIONS_H
+
#ifdef __cplusplus
extern "C" {
@@ -32,3 +34,6 @@ extern "C" {
}
#endif
+
+#endif /* CYASSL_OPTIONS_H */
+
diff --git a/examples/client/client.c b/examples/client/client.c
index fc9e1ec56..bbb9bcb8f 100644
--- a/examples/client/client.c
+++ b/examples/client/client.c
@@ -25,19 +25,18 @@
#include
-#if defined(WOLFSSL_MDK_ARM)
+#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
#include
#include
- #if defined(WOLFSSL_MDK5)
+ #if !defined(WOLFSSL_MDK_ARM)
#include "cmsis_os.h"
#include "rl_fs.h"
#include "rl_net.h"
#else
#include "rtl.h"
+ #include "wolfssl_MDK_ARM.h"
#endif
-
- #include "wolfssl_MDK_ARM.h"
#endif
#include
@@ -53,6 +52,10 @@
#include "examples/client/client.h"
+/* Note on using port 0: the client standalone example doesn't utilize the
+ * port 0 port sharing; that is used by (1) the server in external control
+ * test mode and (2) the testsuite which uses this code and sets up the correct
+ * port numbers when the internal thread using the server code using port 0. */
#ifdef WOLFSSL_CALLBACKS
int handShakeCB(HandShakeInfo*);
@@ -127,6 +130,18 @@ static void ShowCiphers(void)
printf("%s\n", ciphers);
}
+/* Shows which versions are valid */
+static void ShowVersions(void)
+{
+#ifndef NO_OLD_TLS
+#ifdef WOLFSSL_ALLOW_SSLV3
+ printf("0:");
+#endif /* WOLFSSL_ALLOW_SSLV3 */
+ printf("1:2:");
+#endif /* NO_OLD_TLS */
+ printf("3\n");
+}
+
int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
int doDTLS, int benchmark, int resumeSession)
{
@@ -300,6 +315,7 @@ static void Usage(void)
printf("-p Port to connect on, not 0, default %d\n", wolfSSLPort);
printf("-v SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n",
CLIENT_DEFAULT_VERSION);
+ printf("-V Prints valid ssl version numbers, SSLv3(0) - TLS1.2(3)\n");
printf("-l Cipher suite list (: delimited)\n");
printf("-c Certificate file, default %s\n", cliCert);
printf("-k Key file, default %s\n", cliKey);
@@ -310,7 +326,7 @@ static void Usage(void)
#endif
printf("-b Benchmark connections and print stats\n");
#ifdef HAVE_ALPN
- printf("-L Application-Layer Protocole Name ({C,F}:)\n");
+ printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n");
#endif
printf("-B Benchmark throughput using bytes and print stats\n");
printf("-s Use pre Shared keys\n");
@@ -348,6 +364,10 @@ static void Usage(void)
printf("-o Perform OCSP lookup on peer certificate\n");
printf("-O Perform OCSP lookup using as responder\n");
#endif
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ printf("-W Use OCSP Stapling\n");
+#endif
#ifdef ATOMIC_USER
printf("-U Atomic User Record Layer Callbacks\n");
#endif
@@ -372,8 +392,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
WOLFSSL* sslResume = 0;
WOLFSSL_SESSION* session = 0;
- char resumeMsg[] = "resuming wolfssl!";
- int resumeSz = sizeof(resumeMsg);
+ char resumeMsg[32] = "resuming wolfssl!";
+ int resumeSz = (int)strlen(resumeMsg);
char msg[32] = "hello wolfssl!"; /* GET may make bigger */
char reply[80];
@@ -425,7 +445,11 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
byte maxFragment = 0;
#endif
#ifdef HAVE_TRUNCATED_HMAC
- byte truncatedHMAC = 0;
+ byte truncatedHMAC = 0;
+#endif
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ byte statusRequest = 0;
#endif
@@ -466,8 +490,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#ifndef WOLFSSL_VXWORKS
while ((ch = mygetopt(argc, argv,
- "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:"))
- != -1) {
+ "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:")) != -1) {
switch (ch) {
case '?' :
Usage();
@@ -558,6 +581,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
break;
+ case 'V' :
+ ShowVersions();
+ exit(EXIT_SUCCESS);
+
case 'l' :
cipherList = myoptarg;
break;
@@ -654,6 +681,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
break;
+ case 'W' :
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ statusRequest = atoi(myoptarg);
+ #endif
+ break;
+
case 'o' :
#ifdef HAVE_OCSP
useOcsp = 1;
@@ -709,6 +743,24 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
done = 1;
#endif
+ /* www.globalsign.com does not respond to ipv6 ocsp requests */
+ #if defined(TEST_IPV6) && defined(HAVE_OCSP)
+ done = 1;
+ #endif
+
+ /* www.globalsign.com has limited supported cipher suites */
+ #if defined(NO_AES) && defined(HAVE_OCSP)
+ done = 1;
+ #endif
+
+ /* www.globalsign.com only supports static RSA or ECDHE with AES */
+ /* We cannot expect users to have on static RSA so test for ECC only
+ * as some users will most likely be on 32-bit systems where ECC
+ * is not enabled by default */
+ #if defined(HAVE_OCSP) && !defined(HAVE_ECC)
+ done = 1;
+ #endif
+
#ifndef NO_PSK
done = 1;
#endif
@@ -866,7 +918,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(WOLFSSL_SNIFFER)
if (cipherList == NULL) {
/* don't use EDH, can't sniff tmp keys */
- if (wolfSSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) {
+ if (wolfSSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS) {
err_sys("client can't set cipher list 3");
}
}
@@ -880,7 +932,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
| WOLFSSL_OCSP_URL_OVERRIDE);
}
else
- wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE);
+ wolfSSL_CTX_EnableOCSP(ctx, 0);
}
#endif
@@ -976,6 +1028,41 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt);
}
#endif
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ if (statusRequest) {
+ switch (statusRequest) {
+ case WOLFSSL_CSR_OCSP:
+ if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP,
+ WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS)
+ err_sys("UseCertificateStatusRequest failed");
+
+ break;
+ }
+
+ wolfSSL_CTX_EnableOCSP(ctx, 0);
+ }
+#endif
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ if (statusRequest) {
+ switch (statusRequest) {
+ case WOLFSSL_CSR2_OCSP:
+ if (wolfSSL_UseOCSPStaplingV2(ssl,
+ WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE)
+ != SSL_SUCCESS)
+ err_sys("UseCertificateStatusRequest failed");
+ break;
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ if (wolfSSL_UseOCSPStaplingV2(ssl,
+ WOLFSSL_CSR2_OCSP_MULTI, 0)
+ != SSL_SUCCESS)
+ err_sys("UseCertificateStatusRequest failed");
+ break;
+
+ }
+
+ wolfSSL_CTX_EnableOCSP(ctx, 0);
+ }
+#endif
tcp_connect(&sockfd, host, port, doDTLS, ssl);
@@ -1076,6 +1163,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
msgSz = 28;
strncpy(msg, "GET /index.html HTTP/1.0\r\n\r\n", msgSz);
msg[msgSz] = '\0';
+
+ resumeSz = msgSz;
+ strncpy(resumeMsg, "GET /index.html HTTP/1.0\r\n\r\n", resumeSz);
+ resumeMsg[resumeSz] = '\0';
}
if (wolfSSL_write(ssl, msg, msgSz) != msgSz)
err_sys("SSL_write failed");
@@ -1156,7 +1247,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
(void*)"resumed session");
#endif
- showPeer(sslResume);
#ifndef WOLFSSL_CALLBACKS
if (nonBlocking) {
wolfSSL_set_using_nonblock(sslResume, 1);
@@ -1170,6 +1260,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
timeout.tv_usec = 0;
NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */
#endif
+ showPeer(sslResume);
if (wolfSSL_session_reused(sslResume))
printf("reused session id\n");
@@ -1208,11 +1299,28 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#endif
}
- input = wolfSSL_read(sslResume, reply, sizeof(reply)-1);
- if (input > 0) {
- reply[input] = 0;
- printf("Server resume response: %s\n", reply);
+ input = wolfSSL_read(sslResume, reply, sizeof(reply)-1);
+
+ if (input > 0) {
+ reply[input] = 0;
+ printf("Server resume response: %s\n", reply);
+
+ if (sendGET) { /* get html */
+ while (1) {
+ input = wolfSSL_read(sslResume, reply, sizeof(reply)-1);
+ if (input > 0) {
+ reply[input] = 0;
+ printf("%s\n", reply);
+ }
+ else
+ break;
+ }
}
+ } else if (input < 0) {
+ int readErr = wolfSSL_get_error(ssl, 0);
+ if (readErr != SSL_ERROR_WANT_READ)
+ err_sys("wolfSSL_read failed");
+ }
/* try to send session break */
wolfSSL_write(sslResume, msg, msgSz);
@@ -1263,12 +1371,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
#if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_MDK_SHELL) && !defined(STACK_TRAP)
wolfSSL_Debugging_ON();
#endif
- if (CurrentDir("_build"))
- ChangeDirBack(1);
- else if (CurrentDir("client"))
- ChangeDirBack(2);
- else if (CurrentDir("Debug") || CurrentDir("Release"))
- ChangeDirBack(3);
+ ChangeToWolfRoot();
#ifdef HAVE_STACK_SIZE
StackSizeCheck(&args, client_test);
@@ -1322,4 +1425,3 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args)
}
#endif
-
diff --git a/examples/client/client.h b/examples/client/client.h
index 25881aab8..5efefe993 100644
--- a/examples/client/client.h
+++ b/examples/client/client.h
@@ -19,15 +19,21 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-#pragma once
+#ifndef WOLFSSL_CLIENT_H
+#define WOLFSSL_CLIENT_H
+
THREAD_RETURN WOLFSSL_THREAD client_test(void* args);
-/* Measures average time to create, connect and disconnect a connection (TPS).
+/* Measures average time to create, connect and disconnect a connection (TPS).
Benchmark = number of connections. */
-int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
+int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
int doDTLS, int benchmark, int resumeSession);
-/* Measures throughput in kbps. Throughput = number of bytes */
-int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
+/* Measures throughput in kbps. Throughput = number of bytes */
+int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port,
int doDTLS, int throughput);
+
+
+#endif /* WOLFSSL_CLIENT_H */
+
diff --git a/examples/client/client.vcxproj b/examples/client/client.vcxproj
index dec191d7a..a0416781a 100644
--- a/examples/client/client.vcxproj
+++ b/examples/client/client.vcxproj
@@ -193,6 +193,7 @@
true
Console
MachineX86
+ false
diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c
index 8cf05c26c..37670f20e 100644
--- a/examples/echoclient/echoclient.c
+++ b/examples/echoclient/echoclient.c
@@ -33,11 +33,12 @@
#include
#include
- #if defined(WOLFSSL_MDK5) || defined(WOLFSSL_KEIL_TCP_NET)
+ #if !defined(WOLFSSL_MDK_ARM)
#include "cmsis_os.h"
#include "rl_net.h"
#else
#include "rtl.h"
+ #include "wolfssl_MDK_ARM.h"
#endif
#if defined(WOLFSSL_MDK_SHELL)
char * wolfssl_fgets ( char * str, int num, FILE * f ) ;
@@ -261,10 +262,7 @@ void echoclient_test(void* args)
CyaSSL_Debugging_ON();
#endif
#ifndef CYASSL_TIRTOS
- if (CurrentDir("echoclient"))
- ChangeDirBack(2);
- else if (CurrentDir("Debug") || CurrentDir("Release"))
- ChangeDirBack(3);
+ ChangeToWolfRoot();
#endif
echoclient_test(&args);
diff --git a/examples/echoclient/echoclient.h b/examples/echoclient/echoclient.h
index d945edb4a..0498c69ed 100644
--- a/examples/echoclient/echoclient.h
+++ b/examples/echoclient/echoclient.h
@@ -19,5 +19,12 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-#pragma once
+#ifndef WOLFSSL_ECHOCLIENT_H
+#define WOLFSSL_ECHOCLIENT_H
+
+
void echoclient_test(void* args);
+
+
+#endif /* WOLFSSL_ECHOCLIENT_H */
+
diff --git a/examples/echoclient/echoclient.vcxproj b/examples/echoclient/echoclient.vcxproj
index a3a60545a..15e37985e 100644
--- a/examples/echoclient/echoclient.vcxproj
+++ b/examples/echoclient/echoclient.vcxproj
@@ -194,6 +194,7 @@
true
Console
MachineX86
+ false
diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c
index e510e1387..25e6cd5c0 100644
--- a/examples/echoserver/echoserver.c
+++ b/examples/echoserver/echoserver.c
@@ -29,19 +29,18 @@
#include /* ecc_fp_free */
#endif
-#if defined(WOLFSSL_MDK_ARM)
+#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
#include
#include
- #if defined(WOLFSSL_MDK5)
+ #if !defined(WOLFSSL_MDK_ARM)
#include "cmsis_os.h"
#include "rl_fs.h"
#include "rl_net.h"
#else
#include "rtl.h"
+ #include "wolfssl_MDK_ARM.h"
#endif
-
- #include "wolfssl_MDK_ARM.h"
#endif
#include
@@ -153,7 +152,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#ifndef NO_FILESYSTEM
if (doPSK == 0) {
- #ifdef HAVE_NTRU
+ #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA)
/* ntru */
if (CyaSSL_CTX_use_certificate_file(ctx, ntruCert, SSL_FILETYPE_PEM)
!= SSL_SUCCESS)
@@ -393,10 +392,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#if defined(DEBUG_CYASSL) && !defined(CYASSL_MDK_SHELL)
CyaSSL_Debugging_ON();
#endif
- if (CurrentDir("echoserver"))
- ChangeDirBack(2);
- else if (CurrentDir("Debug") || CurrentDir("Release"))
- ChangeDirBack(3);
+ ChangeToWolfRoot();
echoserver_test(&args);
CyaSSL_Cleanup();
diff --git a/examples/echoserver/echoserver.h b/examples/echoserver/echoserver.h
index 2f0d88d3d..6fc153564 100644
--- a/examples/echoserver/echoserver.h
+++ b/examples/echoserver/echoserver.h
@@ -19,6 +19,12 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-#pragma once
+#ifndef WOLFSSL_ECHOSERVER_H
+#define WOLFSSL_ECHOSERVER_H
+
THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args);
+
+
+#endif /* WOLFSSL_ECHOSERVER_H */
+
diff --git a/examples/echoserver/echoserver.vcxproj b/examples/echoserver/echoserver.vcxproj
index 096ba75c6..e25ceaa3c 100644
--- a/examples/echoserver/echoserver.vcxproj
+++ b/examples/echoserver/echoserver.vcxproj
@@ -194,6 +194,7 @@
true
Console
MachineX86
+ false
diff --git a/examples/server/server.c b/examples/server/server.c
index 9b16ec412..d899dacb3 100644
--- a/examples/server/server.c
+++ b/examples/server/server.c
@@ -34,25 +34,30 @@
#define WOLFSSL_TRACK_MEMORY
#endif
-#if defined(WOLFSSL_MDK_ARM)
+#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
#include
#include
- #if defined(WOLFSSL_MDK5)
+ #if !defined(WOLFSSL_MDK_ARM)
#include "cmsis_os.h"
#include "rl_fs.h"
#include "rl_net.h"
#else
#include "rtl.h"
+ #include "wolfssl_MDK_ARM.h"
#endif
- #include "wolfssl_MDK_ARM.h"
+
#endif
#include
#include
#include "examples/server/server.h"
+/* Note on using port 0: if the server uses port 0 to bind an ephemeral port
+ * number and is using the ready file for scripted testing, the code in
+ * test.h will write the actual port number into the ready file for use
+ * by the client. */
#ifdef CYASSL_CALLBACKS
int srvHandShakeCB(HandShakeInfo*);
@@ -194,13 +199,14 @@ static void Usage(void)
printf("-c Certificate file, default %s\n", svrCert);
printf("-k Key file, default %s\n", svrKey);
printf("-A Certificate Authority file, default %s\n", cliCert);
+ printf("-R Create Ready file for external monitor default none\n");
#ifndef NO_DH
printf("-D Diffie-Hellman Params file, default %s\n", dhParam);
printf("-Z Minimum DH key bits, default %d\n",
DEFAULT_MIN_DHKEY_BITS);
#endif
#ifdef HAVE_ALPN
- printf("-L Application-Layer Protocole Name ({C,F}:)\n");
+ printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n");
#endif
printf("-d Disable client cert check\n");
printf("-b Bind to any interface instead of localhost only\n");
@@ -209,7 +215,6 @@ static void Usage(void)
printf("-u Use UDP DTLS,"
" add -v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)\n");
printf("-f Fewer packets/group messages\n");
- printf("-R Create server ready file, for external monitor\n");
printf("-r Allow one client Resumption\n");
printf("-N Use Non-blocking sockets\n");
printf("-S Use Host Name Indication\n");
@@ -229,6 +234,9 @@ static void Usage(void)
#endif
printf("-i Loop indefinitely (allow repeated connections)\n");
printf("-e Echo data mode (return raw bytes received)\n");
+#ifdef HAVE_NTRU
+ printf("-n Use NTRU key (needed for NTRU suites)\n");
+#endif
printf("-B Benchmark throughput using bytes and print stats\n");
}
@@ -257,7 +265,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int trackMemory = 0;
int fewerPackets = 0;
int pkCallbacks = 0;
- int serverReadyFile = 0;
int wc_shutdown = 0;
int resume = 0;
int resumeCount = 0;
@@ -266,7 +273,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int throughput = 0;
int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS;
int doListen = 1;
+ int crlFlags = 0;
int ret;
+ char* serverReadyFile = NULL;
char* alpnList = NULL;
unsigned char alpn_opt = 0;
char* cipherList = NULL;
@@ -274,6 +283,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
const char* ourCert = svrCert;
const char* ourKey = svrKey;
const char* ourDhParam = dhParam;
+ tcp_ready* readySignal = NULL;
int argc = ((func_args*)args)->argc;
char** argv = ((func_args*)args)->argv;
@@ -309,6 +319,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
(void)minDhKeyBits;
(void)alpnList;
(void)alpn_opt;
+ (void)crlFlags;
+ (void)readySignal;
#ifdef CYASSL_TIRTOS
fdOpenSession(Task_self());
@@ -317,7 +329,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef WOLFSSL_VXWORKS
useAnyAddr = 1;
#else
- while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:L:ieB:"))
+ while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:"))
!= -1) {
switch (ch) {
case '?' :
@@ -355,7 +367,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
break;
case 'R' :
- serverReadyFile = 1;
+ serverReadyFile = myoptarg;
break;
case 'r' :
@@ -372,7 +384,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
case 'p' :
port = (word16)atoi(myoptarg);
- #if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API)
+ #if defined(USE_WINDOWS_API)
if (port == 0)
err_sys("port number cannot be 0");
#endif
@@ -598,7 +610,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!usePsk && !useAnon) {
- if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
+ if (SSL_CTX_use_certificate_chain_file(ctx, ourCert)
!= SSL_SUCCESS)
err_sys("can't load server cert file, check file and run from"
" wolfSSL home dir");
@@ -672,7 +684,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#if defined(CYASSL_SNIFFER)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
- if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS)
+ if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS)
err_sys("server can't set cipher list 3");
}
#endif
@@ -709,10 +721,16 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL);
#endif
#ifdef HAVE_CRL
- CyaSSL_EnableCRL(ssl, 0);
- CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR |
- CYASSL_CRL_START_MON);
- CyaSSL_SetCRL_Cb(ssl, CRL_CallBack);
+#ifdef HAVE_CRL_MONITOR
+ crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON;
+#endif
+ if (CyaSSL_EnableCRL(ssl, 0) != SSL_SUCCESS)
+ err_sys("unable to enable CRL");
+ if (CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, crlFlags)
+ != SSL_SUCCESS)
+ err_sys("unable to load CRL");
+ if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS)
+ err_sys("unable to set CRL callback url");
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
@@ -725,14 +743,29 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS)
+ err_sys("can't enable OCSP Stapling Certificate Manager");
+ if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS)
+ err_sys("can't load ca file, Please run from wolfSSL home dir");
+ if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS)
+ err_sys("can't load ca file, Please run from wolfSSL home dir");
+ if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != SSL_SUCCESS)
+ err_sys("can't load ca file, Please run from wolfSSL home dir");
+#endif
#ifdef HAVE_PK_CALLBACKS
if (pkCallbacks)
SetupPkCallbacks(ctx, ssl);
#endif
/* do accept */
+ readySignal = ((func_args*)args)->signal;
+ if (readySignal) {
+ readySignal->srfName = serverReadyFile;
+ }
tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr,
- doDTLS, serverReadyFile, doListen);
+ doDTLS, serverReadyFile ? 1 : 0, doListen);
doListen = 0; /* Don't listen next time */
SSL_set_fd(ssl, clientfd);
@@ -894,6 +927,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
int main(int argc, char** argv)
{
func_args args;
+ tcp_ready ready;
#ifdef HAVE_CAVIUM
int ret = OpenNitroxDevice(CAVIUM_DIRECT, CAVIUM_DEV_ID);
@@ -905,17 +939,14 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
args.argc = argc;
args.argv = argv;
+ args.signal = &ready;
+ InitTcpReady(&ready);
CyaSSL_Init();
#if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL)
CyaSSL_Debugging_ON();
#endif
- if (CurrentDir("_build"))
- ChangeDirBack(1);
- else if (CurrentDir("server"))
- ChangeDirBack(2);
- else if (CurrentDir("Debug") || CurrentDir("Release"))
- ChangeDirBack(3);
+ ChangeToWolfRoot();
#ifdef HAVE_STACK_SIZE
StackSizeCheck(&args, server_test);
@@ -923,6 +954,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
server_test(&args);
#endif
CyaSSL_Cleanup();
+ FreeTcpReady(&ready);
#ifdef HAVE_CAVIUM
CspShutdown(CAVIUM_DEV_ID);
@@ -965,5 +997,3 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
return 0;
}
#endif
-
-
diff --git a/examples/server/server.h b/examples/server/server.h
index 3cba4c004..bfd6a14f1 100644
--- a/examples/server/server.h
+++ b/examples/server/server.h
@@ -19,10 +19,16 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-#pragma once
+#ifndef WOLFSSL_SERVER_H
+#define WOLFSSL_SERVER_H
+
THREAD_RETURN WOLFSSL_THREAD server_test(void* args);
/* Echo bytes using buffer of TEST_BUFFER_SIZE until [echoData] bytes are complete. */
/* If [bechmarkThroughput] set the statistcs will be output at the end */
int ServerEchoData(WOLFSSL* ssl, int clientfd, int echoData, int benchmarkThroughput);
+
+
+#endif /* WOLFSSL_SERVER_H */
+
diff --git a/examples/server/server.vcxproj b/examples/server/server.vcxproj
index f6b53fc57..a2f3251b7 100644
--- a/examples/server/server.vcxproj
+++ b/examples/server/server.vcxproj
@@ -194,6 +194,7 @@
true
Console
MachineX86
+ false
diff --git a/gencertbuf.pl b/gencertbuf.pl
index 9a11a7147..450ff764a 100755
--- a/gencertbuf.pl
+++ b/gencertbuf.pl
@@ -71,9 +71,10 @@ for (my $i = 0; $i < $num_1024; $i++) {
print OUT_FILE "};\n";
print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n";
}
+print OUT_FILE "#endif /* USE_CERT_BUFFERS_1024 */\n\n";
# convert and print 2048-bit certs/keys
-print OUT_FILE "#elif defined(USE_CERT_BUFFERS_2048)\n\n";
+print OUT_FILE "#ifdef USE_CERT_BUFFERS_2048\n\n";
for (my $i = 0; $i < $num_2048; $i++) {
my $fname = $fileList_2048[$i][0];
@@ -87,7 +88,7 @@ for (my $i = 0; $i < $num_2048; $i++) {
print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n";
}
-print OUT_FILE "#endif /* USE_CERT_BUFFERS_1024 */\n\n";
+print OUT_FILE "#endif /* USE_CERT_BUFFERS_2048 */\n\n";
print OUT_FILE "/* dh1024 p */
static const unsigned char dh_p[] =
{
@@ -108,7 +109,7 @@ static const unsigned char dh_p[] =
static const unsigned char dh_g[] =
{
0x02,
-};\n\n\n";
+};\n\n";
print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n";
# close certs_test.h file
diff --git a/pull_to_vagrant.sh b/pull_to_vagrant.sh
index e2d245632..15d88d97d 100755
--- a/pull_to_vagrant.sh
+++ b/pull_to_vagrant.sh
@@ -10,4 +10,5 @@ rsync -rvt /$SRC/.git ~/$DST/
rsync -rvt /$SRC/IDE ~/$DST/
rsync -rvt /$SRC/mcapi ~/$DST/
rsync -rvt /$SRC/mplabx ~/$DST/
+rsync -rvt /$SRC/certs ~/$DST/
rsync -rvt /$SRC/configure.ac ~/$DST/
diff --git a/rpm/spec.in b/rpm/spec.in
index 9a3414f2f..8fde26c02 100644
--- a/rpm/spec.in
+++ b/rpm/spec.in
@@ -68,8 +68,8 @@ mkdir -p $RPM_BUILD_ROOT/
%{_docdir}/wolfssl/README.txt
%{_libdir}/libwolfssl.la
%{_libdir}/libwolfssl.so
-%{_libdir}/libwolfssl.so.1
-%{_libdir}/libwolfssl.so.1.0.0
+%{_libdir}/libwolfssl.so.3
+%{_libdir}/libwolfssl.so.3.1.0
%files devel
%defattr(-,root,root,-)
@@ -134,6 +134,8 @@ mkdir -p $RPM_BUILD_ROOT/
%{_includedir}/cyassl/openssl/dsa.h
%{_includedir}/cyassl/openssl/ec.h
%{_includedir}/cyassl/openssl/ecdsa.h
+%{_includedir}/cyassl/openssl/ec25519.h
+%{_includedir}/cyassl/openssl/ed25519.h
%{_includedir}/cyassl/openssl/ecdh.h
%{_includedir}/cyassl/openssl/engine.h
%{_includedir}/cyassl/openssl/err.h
@@ -192,6 +194,7 @@ mkdir -p $RPM_BUILD_ROOT/
%{_includedir}/wolfssl/wolfcrypt/hc128.h
%{_includedir}/wolfssl/wolfcrypt/hmac.h
%{_includedir}/wolfssl/wolfcrypt/integer.h
+%{_includedir}/wolfssl/wolfcrypt/idea.h
%{_includedir}/wolfssl/wolfcrypt/logging.h
%{_includedir}/wolfssl/wolfcrypt/md2.h
%{_includedir}/wolfssl/wolfcrypt/md4.h
@@ -209,12 +212,15 @@ mkdir -p $RPM_BUILD_ROOT/
%{_includedir}/wolfssl/wolfcrypt/ripemd.h
%{_includedir}/wolfssl/wolfcrypt/rsa.h
%{_includedir}/wolfssl/wolfcrypt/settings.h
+%{_includedir}/wolfssl/wolfcrypt/signature.h
%{_includedir}/wolfssl/wolfcrypt/sha.h
%{_includedir}/wolfssl/wolfcrypt/sha256.h
%{_includedir}/wolfssl/wolfcrypt/sha512.h
+%{_includedir}/wolfssl/wolfcrypt/srp.h
%{_includedir}/wolfssl/wolfcrypt/tfm.h
%{_includedir}/wolfssl/wolfcrypt/types.h
%{_includedir}/wolfssl/wolfcrypt/visibility.h
+%{_includedir}/wolfssl/wolfcrypt/wc_encrypt.h
%{_includedir}/wolfssl/error-ssl.h
%{_includedir}/wolfssl/ocsp.h
%{_includedir}/wolfssl/openssl/asn1.h
@@ -227,6 +233,8 @@ mkdir -p $RPM_BUILD_ROOT/
%{_includedir}/wolfssl/openssl/dsa.h
%{_includedir}/wolfssl/openssl/ec.h
%{_includedir}/wolfssl/openssl/ecdsa.h
+%{_includedir}/wolfssl/openssl/ec25519.h
+%{_includedir}/wolfssl/openssl/ed25519.h
%{_includedir}/wolfssl/openssl/ecdh.h
%{_includedir}/wolfssl/openssl/engine.h
%{_includedir}/wolfssl/openssl/err.h
@@ -259,6 +267,9 @@ mkdir -p $RPM_BUILD_ROOT/
%{_libdir}/pkgconfig/wolfssl.pc
%changelog
+* Wed Dec 30 2015 Jacob Barthelmeh
+- Added headers for curve25519 and ed25519 openssl compatibility
+- Added headers for Idea, srp, signature, and wc_encrypt
* Tue Mar 31 2015 John Safranek
- Added recent new wolfcrypt headers for curve25519
* Fri Jan 09 2015 John Safranek
diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test
index ee9c89447..5588aa5b4 100755
--- a/scripts/crl-revoked.test
+++ b/scripts/crl-revoked.test
@@ -5,16 +5,22 @@
revocation_code="-361"
exit_code=1
counter=0
-crl_port=11113
+# need a unique resume port since may run the same time as testsuite
+# use server port zero hack to get one
+crl_port=0
#no_pid tells us process was never started if -1
no_pid=-1
#server_pid captured on startup, stores the id of the server process
server_pid=$no_pid
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_crl_ready$$
remove_ready_file() {
- if test -e /tmp/wolfssl_server_ready; then
- echo -e "removing exisitng server_ready file"
- rm /tmp/wolfssl_server_ready
+ if test -e $ready_file; then
+ echo -e "removing existing ready file"
+ rm $ready_file
fi
}
@@ -53,16 +59,26 @@ run_test() {
# starts the server on crl_port, -R generates ready file to be used as a
# mutex lock, -c loads the revoked certificate. We capture the processid
# into the variable server_pid
- ./examples/server/server -R -p $crl_port -c certs/server-revoked-cert.pem \
- -k certs/server-revoked-key.pem &
+ ./examples/server/server -R $ready_file -p $crl_port \
+ -c certs/server-revoked-cert.pem -k certs/server-revoked-key.pem &
server_pid=$!
- while [ ! -s /tmp/wolfssl_server_ready -a "$counter" -lt 20 ]; do
- echo -e "waiting for server_ready file..."
+ while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+ echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
+ if test -e $ready_file; then
+ echo -e "found ready file, starting client..."
+ else
+ echo -e "NO ready file ending test..."
+ exit 1
+ fi
+
+ # get created port 0 ephemeral port
+ crl_port=`cat $ready_file`
+
# starts client on crl_port and captures the output from client
capture_out=$(./examples/client/client -p $crl_port 2>&1)
client_result=$?
diff --git a/scripts/include.am b/scripts/include.am
index 4b2c7982a..5b9d38448 100644
--- a/scripts/include.am
+++ b/scripts/include.am
@@ -9,8 +9,9 @@ dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
endif
if BUILD_EXAMPLES
+
dist_noinst_SCRIPTS+= scripts/resume.test
-EXTRA_DIST+= scripts/benchmark.test
+EXTRA_DIST+= scripts/benchmark.test
if BUILD_CRL
# make revoked test rely on completion of resume test
@@ -23,6 +24,27 @@ dist_noinst_SCRIPTS+= scripts/external.test
dist_noinst_SCRIPTS+= scripts/google.test
#dist_noinst_SCRIPTS+= scripts/openssl.test
endif
+
+if BUILD_OCSP
+dist_noinst_SCRIPTS+= scripts/ocsp.test
+endif
+
+if BUILD_OCSP_STAPLING
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test
+scripts/ocsp-stapling.log: scripts/ocsp.log
+endif
+
+if BUILD_OCSP_STAPLING_V2
+dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test
+
+if BUILD_OCSP_STAPLING
+scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log
+else
+scripts/ocsp-stapling2.log: scripts/ocsp.log
+endif
+
+endif
+
endif
diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test
new file mode 100755
index 000000000..7d711d417
--- /dev/null
+++ b/scripts/ocsp-stapling.test
@@ -0,0 +1,41 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+server=login.live.com
+ca=certs/external/ca-verisign-g5.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there? - login.live.com doesn't answers PING
+# ping -c 2 $server
+# RESULT=$?
+# [ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# setup ocsp responder
+./certs/ocsp/ocspd1.sh &
+sleep 1
+[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
+
+# client test against our own server - GOOD CERT
+./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED CERT
+./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
+
+exit 0
diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test
new file mode 100755
index 000000000..75877f210
--- /dev/null
+++ b/scripts/ocsp-stapling2.test
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# setup ocsp responders
+./certs/ocsp/ocspd0.sh &
+./certs/ocsp/ocspd2.sh &
+./certs/ocsp/ocspd3.sh &
+sleep 1
+[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0
+
+# client test against our own server - GOOD CERTS
+./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+# client test against our own server - REVOKED SERVER CERT
+./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
+
+./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
+
+# client test against our own server - REVOKED INTERMEDIATE CERT
+./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1
+
+./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem &
+sleep 1
+./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2
+RESULT=$?
+[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1
+
+exit 0
diff --git a/scripts/ocsp.test b/scripts/ocsp.test
new file mode 100755
index 000000000..66d4488ad
--- /dev/null
+++ b/scripts/ocsp.test
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+# ocsp-stapling.test
+
+server=www.globalsign.com
+ca=certs/external/ca-globalsign-root-r2.pem
+
+[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1
+
+# is our desired server there?
+ping -c 2 $server
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0
+
+# client test against the server
+./examples/client/client -X -C -h $server -p 443 -A $ca -g -o
+RESULT=$?
+[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1
+
+exit 0
diff --git a/scripts/openssl.test b/scripts/openssl.test
index 708186ab2..8f068309c 100755
--- a/scripts/openssl.test
+++ b/scripts/openssl.test
@@ -1,4 +1,4 @@
-#!/bin/bash
+#!/bin/sh
#openssl.test
@@ -9,6 +9,27 @@ server_pid=$no_pid
wolf_suites_tested=0
wolf_suites_total=0
counter=0
+testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#Tested\n"
+versionName="Invalid"
+
+version_name() {
+ case $version in "0")
+ versionName="SSLv3"
+ ;;
+ "1")
+ versionName="TLSv1"
+ ;;
+ "2")
+ versionName="TLSv1.1"
+ ;;
+ "3")
+ versionName="TLSv1.2"
+ ;;
+ "4")
+ versionName="ALL"
+ ;;
+ esac
+}
do_cleanup() {
echo "in cleanup"
@@ -41,7 +62,7 @@ command -v openssl >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but
echo -e "\nTesting for _build directory as part of distcheck, different paths"
currentDir=`pwd`
-if [[ $currentDir == *"_build" ]]
+if [ $currentDir = *"_build" ]
then
echo -e "_build directory detected, moving a directory back"
cd ..
@@ -49,17 +70,13 @@ fi
echo -e "\nStarting openssl server...\n"
-openssl s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem -quiet -www -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem &
+openssl s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem -quiet -CAfile ./certs/client-cert.pem -www -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem -Verify 10 -verify_return_error &
server_pid=$!
-# get openssl ciphers
-open_ciphers=`openssl ciphers`
-IFS=':' read -ra opensslArray <<< "$open_ciphers"
# get wolfssl ciphers
wolf_ciphers=`./examples/client/client -e`
-IFS=':' read -ra wolfsslArray <<< "$wolf_ciphers"
# server should be ready, let's make sure
server_ready=0
@@ -67,7 +84,7 @@ while [ "$counter" -lt 20 ]; do
echo -e "waiting for openssl s_server ready..."
nc -z localhost $openssl_port
nc_result=$?
- if [ $nc_result == 0 ]
+ if [ $nc_result = 0 ]
then
echo -e "openssl s_server ready!"
server_ready=1
@@ -78,50 +95,128 @@ while [ "$counter" -lt 20 ]; do
done
-if [ $server_ready == 0 ]
+if [ $server_ready = 0 ]
then
echo -e "Couldn't verify openssl server is running, timeout error"
do_cleanup
exit -1
fi
-for wolfSuite in "${wolfsslArray[@]}"; do
+OIFS=$IFS # store old seperator to reset
+IFS=$'\:' # set delimiter
+set -f # no globbing
- echo -e "trying wolfSSL cipher suite $wolfSuite"
- matchSuite=0
- wolf_suites_total=$((wolf_suites_total + 1))
+wolf_versions=`./examples/client/client -V`
+wolf_versions="$wolf_versions:4" #:4 will test without -v flag
- for openSuite in "${opensslArray[@]}"; do
- if [ $openSuite == $wolfSuite ]
+wolf_temp_suites_total=0
+wolf_temp_suites_tested=0
+
+for version in $wolf_versions;
+do
+ echo -e "version = $version"
+ # get openssl ciphers depending on version
+ case $version in "0")
+ openssl_ciphers=`openssl ciphers "SSLv3"`
+ sslv3_sup=$?
+ if [ $sslv3_sup != 0 ]
then
- echo -e "Matched to OpenSSL suite support"
- matchSuite=1
+ echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier"
+ testing_summary="$testing_summary SSLv3\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+ continue
fi
+ ;;
+ "1")
+ openssl_ciphers=`openssl ciphers "TLSv1"`
+ tlsv1_sup=$?
+ if [ $tlsv1_sup != 0 ]
+ then
+ echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier"
+ testing_summary="$testing_summary TLSv1\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+ continue
+ fi
+ ;;
+ "2")
+ openssl_ciphers=`openssl ciphers "TLSv1.1"`
+ tlsv1_1_sup=$?
+ if [ $tlsv1_1_sup != 0 ]
+ then
+ echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier"
+ testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+ continue
+ fi
+ ;;
+ "3")
+ openssl_ciphers=`openssl ciphers "TLSv1.2"`
+ tlsv1_2_sup=$?
+ if [ $tlsv1_2_sup != 0 ]
+ then
+ echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier"
+ testing_summary="$testing_summary TLSv1.2\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+ continue
+ fi
+ ;;
+ "4") #test all suites
+ openssl_ciphers=`openssl ciphers "ALL"`
+ all_sup=$?
+ if [ $all_sup != 0 ]
+ then
+ echo -e "Not testing ALL. No OpenSSL support for ALL modifier"
+ testing_summary="$testing_summary ALL\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n"
+ continue
+ fi
+ ;;
+ esac
+
+ for wolfSuite in $wolf_ciphers; do
+ echo -e "trying wolfSSL cipher suite $wolfSuite"
+ wolf_temp_suites_total=$((wolf_temp_suites_total + 1))
+ matchSuite=0;
+
+ case ":$openssl_ciphers:" in *":$wolfSuite:"*) # add extra : for edge cases
+ echo -e "Matched to OpenSSL suite support"
+ matchSuite=1;;
+ esac
+
+ if [ $matchSuite = 0 ]
+ then
+ echo -e "Couldn't match suite, continuing..."
+ continue
+ fi
+
+ if [ $version -lt 4 ]
+ then
+ ./examples/client/client -p $openssl_port -g -r -l $wolfSuite -v $version
+ else
+ # do all versions
+ ./examples/client/client -p $openssl_port -g -r -l $wolfSuite
+ fi
+
+ client_result=$?
+
+ if [ $client_result != 0 ]
+ then
+ echo -e "client failed! Suite = $wolfSuite version = $version"
+ do_cleanup
+ exit 1
+ fi
+ wolf_temp_suites_tested=$((wolf_temp_suites_tested+1))
+
done
-
- if [ $matchSuite == 0 ]
- then
- echo -e "Couldn't match suite, continuing..."
- continue
- fi
-
- ./examples/client/client -p $openssl_port -g -l $wolfSuite
- client_result=$?
-
- if [ $client_result != 0 ]
- then
- echo -e "client failed!"
- do_cleanup
- exit 1
- fi
- wolf_suites_tested=$((wolf_suites_tested+1))
-
+ wolf_suites_tested=$((wolf_temp_suites_tested+wolf_suites_tested))
+ wolf_suites_total=$((wolf_temp_suites_total+wolf_suites_total))
+ echo -e "wolfSSL suites tested with version:$version $wolf_temp_suites_tested"
+ version_name
+ testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_suites_total\t$wolf_temp_suites_tested\n"
+ wolf_temp_suites_total=0
+ wolf_temp_suites_tested=0
done
+IFS=$OIFS #restore separator
kill -9 $server_pid
echo -e "wolfSSL total suites $wolf_suites_total"
echo -e "wolfSSL suites tested $wolf_suites_tested"
-echo -e "\nSuccess!\n"
-
+echo -e "\nSuccess!\n\n\n\n"
+echo -e "$testing_summary"
exit 0
diff --git a/scripts/resume.test b/scripts/resume.test
index b0592af90..40a8613ae 100755
--- a/scripts/resume.test
+++ b/scripts/resume.test
@@ -3,16 +3,22 @@
#reusme.test
# need a unique resume port since may run the same time as testsuite
-resume_port=11112
+# use server port zero hack to get one
+resume_port=0
no_pid=-1
server_pid=$no_pid
counter=0
+# let's use absolute path to a local dir (make distcheck may be in sub dir)
+# also let's add some randomness by adding pid in case multiple 'make check's
+# per source tree
+ready_file=`pwd`/wolfssl_resume_ready$$
+echo "ready file $ready_file"
remove_ready_file() {
- if test -e /tmp/wolfssl_server_ready; then
- echo -e "removing exisitng server_ready file"
- rm /tmp/wolfssl_server_ready
+ if test -e $ready_file; then
+ echo -e "removing existing ready file"
+ rm $ready_file
fi
}
@@ -39,15 +45,26 @@ trap do_trap INT TERM
echo -e "\nStarting example server for resume test...\n"
remove_ready_file
-./examples/server/server -r -R -p $resume_port &
+./examples/server/server -r -R $ready_file -p $resume_port &
server_pid=$!
-while [ ! -s /tmp/wolfssl_server_ready -a "$counter" -lt 20 ]; do
- echo -e "waiting for server_ready file..."
+while [ ! -s $ready_file -a "$counter" -lt 20 ]; do
+ echo -e "waiting for ready file..."
sleep 0.1
counter=$((counter+ 1))
done
+if test -e $ready_file; then
+ echo -e "found ready file, starting client..."
+else
+ echo -e "NO ready file ending test..."
+ do_cleanup
+ exit 1
+fi
+
+# get created port 0 ephemeral port
+resume_port=`cat $ready_file`
+
./examples/client/client -r -p $resume_port
client_result=$?
diff --git a/src/crl.c b/src/crl.c
index 51bff821a..03515bd3d 100644
--- a/src/crl.c
+++ b/src/crl.c
@@ -55,11 +55,18 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm)
crl->monitors[0].path = NULL;
crl->monitors[1].path = NULL;
#ifdef HAVE_CRL_MONITOR
- crl->tid = 0;
- crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */
+ crl->tid = 0;
+ crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */
+ crl->setup = 0; /* thread setup done predicate */
+ if (pthread_cond_init(&crl->cond, 0) != 0) {
+ WOLFSSL_MSG("Pthread condition init failed");
+ return BAD_COND_E;
+ }
#endif
- if (InitMutex(&crl->crlLock) != 0)
- return BAD_MUTEX_E;
+ if (InitMutex(&crl->crlLock) != 0) {
+ WOLFSSL_MSG("Init Mutex failed");
+ return BAD_MUTEX_E;
+ }
return 0;
}
@@ -120,7 +127,7 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
FreeCRL_Entry(tmp);
XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY);
tmp = next;
- }
+ }
#ifdef HAVE_CRL_MONITOR
if (crl->tid != 0) {
@@ -128,10 +135,10 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic)
if (StopMonitor(crl->mfd) == 0)
pthread_join(crl->tid, NULL);
else {
- WOLFSSL_MSG("stop monitor failed, cancel instead");
- pthread_cancel(crl->tid);
+ WOLFSSL_MSG("stop monitor failed");
}
}
+ pthread_cond_destroy(&crl->cond);
#endif
FreeMutex(&crl->crlLock);
if (dynamic) /* free self */
@@ -324,6 +331,29 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
#ifdef HAVE_CRL_MONITOR
+/* Signal Monitor thread is setup, save status to setup flag, 0 on success */
+static int SignalSetup(WOLFSSL_CRL* crl, int status)
+{
+ int ret;
+
+ /* signal to calling thread we're setup */
+ if (LockMutex(&crl->crlLock) != 0) {
+ WOLFSSL_MSG("LockMutex crlLock failed");
+ return BAD_MUTEX_E;
+ }
+
+ crl->setup = status;
+ ret = pthread_cond_signal(&crl->cond);
+
+ UnLockMutex(&crl->crlLock);
+
+ if (ret != 0)
+ return BAD_COND_E;
+
+ return 0;
+}
+
+
/* read in new CRL entries and save new list */
static int SwapLists(WOLFSSL_CRL* crl)
{
@@ -451,6 +481,7 @@ static void* DoMonitor(void* arg)
crl->mfd = kqueue();
if (crl->mfd == -1) {
WOLFSSL_MSG("kqueue failed");
+ SignalSetup(crl, MONITOR_SETUP_E);
return NULL;
}
@@ -458,6 +489,7 @@ static void* DoMonitor(void* arg)
EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL);
if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) {
WOLFSSL_MSG("kevent monitor customer event failed");
+ SignalSetup(crl, MONITOR_SETUP_E);
close(crl->mfd);
return NULL;
}
@@ -469,6 +501,7 @@ static void* DoMonitor(void* arg)
fPEM = open(crl->monitors[0].path, XEVENT_MODE);
if (fPEM == -1) {
WOLFSSL_MSG("PEM event dir open failed");
+ SignalSetup(crl, MONITOR_SETUP_E);
close(crl->mfd);
return NULL;
}
@@ -478,7 +511,10 @@ static void* DoMonitor(void* arg)
fDER = open(crl->monitors[1].path, XEVENT_MODE);
if (fDER == -1) {
WOLFSSL_MSG("DER event dir open failed");
+ if (fPEM != -1)
+ close(fPEM);
close(crl->mfd);
+ SignalSetup(crl, MONITOR_SETUP_E);
return NULL;
}
}
@@ -491,6 +527,16 @@ static void* DoMonitor(void* arg)
EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT,
NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0);
+ /* signal to calling thread we're setup */
+ if (SignalSetup(crl, 1) != 0) {
+ if (fPEM != -1)
+ close(fPEM);
+ if (fDER != -1)
+ close(fDER);
+ close(crl->mfd);
+ return NULL;
+ }
+
for (;;) {
struct kevent event;
int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL);
@@ -571,6 +617,7 @@ static void* DoMonitor(void* arg)
crl->mfd = eventfd(0, 0); /* our custom shutdown event */
if (crl->mfd < 0) {
WOLFSSL_MSG("eventfd failed");
+ SignalSetup(crl, MONITOR_SETUP_E);
return NULL;
}
@@ -578,6 +625,7 @@ static void* DoMonitor(void* arg)
if (notifyFd < 0) {
WOLFSSL_MSG("inotify failed");
close(crl->mfd);
+ SignalSetup(crl, MONITOR_SETUP_E);
return NULL;
}
@@ -588,6 +636,7 @@ static void* DoMonitor(void* arg)
WOLFSSL_MSG("PEM notify add watch failed");
close(crl->mfd);
close(notifyFd);
+ SignalSetup(crl, MONITOR_SETUP_E);
return NULL;
}
}
@@ -599,6 +648,7 @@ static void* DoMonitor(void* arg)
WOLFSSL_MSG("DER notify add watch failed");
close(crl->mfd);
close(notifyFd);
+ SignalSetup(crl, MONITOR_SETUP_E);
return NULL;
}
}
@@ -609,6 +659,19 @@ static void* DoMonitor(void* arg)
return NULL;
#endif
+ /* signal to calling thread we're setup */
+ if (SignalSetup(crl, 1) != 0) {
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+
+ if (wd > 0)
+ inotify_rm_watch(notifyFd, wd);
+ close(crl->mfd);
+ close(notifyFd);
+ return NULL;
+ }
+
for (;;) {
fd_set readfds;
int result;
@@ -666,26 +729,47 @@ static void* DoMonitor(void* arg)
/* Start Monitoring the CRL path(s) in a thread */
static int StartMonitorCRL(WOLFSSL_CRL* crl)
{
- pthread_attr_t attr;
+ int ret = SSL_SUCCESS;
WOLFSSL_ENTER("StartMonitorCRL");
- if (crl == NULL)
+ if (crl == NULL)
return BAD_FUNC_ARG;
if (crl->tid != 0) {
WOLFSSL_MSG("Monitor thread already running");
- return MONITOR_RUNNING_E;
+ return ret; /* that's ok, someone already started */
}
- pthread_attr_init(&attr);
-
- if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) {
+ if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) {
WOLFSSL_MSG("Thread creation error");
return THREAD_CREATE_E;
}
- return SSL_SUCCESS;
+ /* wait for setup to complete */
+ if (LockMutex(&crl->crlLock) != 0) {
+ WOLFSSL_MSG("LockMutex crlLock error");
+ return BAD_MUTEX_E;
+ }
+
+ while (crl->setup == 0) {
+ if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) {
+ ret = BAD_COND_E;
+ break;
+ }
+ }
+
+ if (crl->setup < 0)
+ ret = crl->setup; /* store setup error */
+
+ UnLockMutex(&crl->crlLock);
+
+ if (ret < 0) {
+ WOLFSSL_MSG("DoMonitor setup failure");
+ crl->tid = 0; /* thread already done */
+ }
+
+ return ret;
}
diff --git a/src/include.am b/src/include.am
index a442f4b63..c65e8d263 100644
--- a/src/include.am
+++ b/src/include.am
@@ -95,7 +95,8 @@ src_libwolfssl_la_SOURCES += \
wolfcrypt/src/logging.c \
wolfcrypt/src/wc_encrypt.c \
wolfcrypt/src/wc_port.c \
- wolfcrypt/src/error.c
+ wolfcrypt/src/error.c \
+ wolfcrypt/src/signature.c
if BUILD_MEMORY
src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c
diff --git a/src/internal.c b/src/internal.c
index c20a92f33..440d768fc 100644
--- a/src/internal.c
+++ b/src/internal.c
@@ -84,7 +84,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
#endif
static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
- const byte* input, int inSz, int type);
+ const byte* input, int inSz, int type, int hashOutput);
#ifndef NO_WOLFSSL_CLIENT
static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32*,
@@ -182,6 +182,20 @@ int IsAtLeastTLSv1_2(const WOLFSSL* ssl)
}
+static INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend)
+{
+ (void)isSend;
+
+ #ifdef WOLFSSL_DTLS
+ /* For DTLS, epoch 0 is always not encrypted. */
+ if (ssl->options.dtls && !isSend && ssl->keys.dtls_state.curEpoch == 0)
+ return 0;
+ #endif /* WOLFSSL_DTLS */
+
+ return ssl->keys.encryptionOn;
+}
+
+
#ifdef HAVE_QSH
/* free all structs that where used with QSH */
static int QSH_FreeAll(WOLFSSL* ssl)
@@ -264,13 +278,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes)
int ret = 0;
if (rng == NULL) {
- if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), 0,
+ DYNAMIC_TYPE_TLSX)) == NULL)
return DRBG_OUT_OF_MEMORY;
wc_InitRng(rng);
}
if (rngMutex == NULL) {
- if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0,
+ if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), 0,
DYNAMIC_TYPE_TLSX)) == NULL)
return DRBG_OUT_OF_MEMORY;
InitMutex(rngMutex);
@@ -526,6 +541,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method)
/* In case contexts are held in array and don't want to free actual ctx */
void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
{
+ int i;
+
+ (void)i;
+
XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD);
if (ctx->suites)
XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES);
@@ -534,15 +553,39 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx)
XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH);
XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH);
#endif
+
#ifndef NO_CERTS
XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY);
XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
wolfSSL_CertManagerFree(ctx->cm);
#endif
+
#ifdef HAVE_TLS_EXTENSIONS
TLSX_FreeAll(ctx->extensions);
+
+#ifndef NO_WOLFSSL_SERVER
+
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ if (ctx->certOcspRequest) {
+ FreeOcspRequest(ctx->certOcspRequest);
+ XFREE(ctx->certOcspRequest, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ }
#endif
+
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ for (i = 0; i < MAX_CHAIN_DEPTH; i++) {
+ if (ctx->chainOcspRequest[i]) {
+ FreeOcspRequest(ctx->chainOcspRequest[i]);
+ XFREE(ctx->chainOcspRequest[i], NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ }
+ }
+#endif
+
+#endif /* NO_WOLFSSL_SERVER */
+
+#endif /* HAVE_TLS_EXTENSIONS */
}
@@ -786,6 +829,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
if (pv.major == DTLS_MAJOR) {
dtls = 1;
tls = 1;
+ /* May be dead assignments dependant upon configuration */
+ (void) dtls;
+ (void) tls;
tls1_2 = pv.minor <= DTLSv1_2_MINOR;
}
#endif
@@ -952,14 +998,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA,
#endif
#ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- if (tls && haveRSA) {
+ if (tls1_2 && haveRSA) {
suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
}
#endif
#ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
- if (tls && haveRSA) {
+ if (tls1_2 && haveRSA) {
suites->suites[idx++] = CHACHA_BYTE;
suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256;
}
@@ -1567,8 +1613,8 @@ void FreeX509(WOLFSSL_X509* x509)
XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_SUBJECT_CN);
XFREE(x509->sig.buffer, NULL, DYNAMIC_TYPE_SIGNATURE);
#ifdef OPENSSL_EXTRA
- XFREE(x509->authKeyId, NULL, 0);
- XFREE(x509->subjKeyId, NULL, 0);
+ XFREE(x509->authKeyId, NULL, DYNAMIC_TYPE_X509_EXT);
+ XFREE(x509->subjKeyId, NULL, DYNAMIC_TYPE_X509_EXT);
#endif /* OPENSSL_EXTRA */
if (x509->altNames)
FreeAltNames(x509->altNames, NULL);
@@ -2025,13 +2071,10 @@ void SSL_ResourceFree(WOLFSSL* ssl)
DYNAMIC_TYPE_COOKIE_PWD);
#endif
#endif /* WOLFSSL_DTLS */
-#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
- FreeX509(&ssl->peerCert);
-#endif
#if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS)
- wolfSSL_BIO_free(ssl->biord);
- if (ssl->biord != ssl->biowr) /* in case same as write */
+ if (ssl->biord != ssl->biowr) /* only free write if different */
wolfSSL_BIO_free(ssl->biowr);
+ wolfSSL_BIO_free(ssl->biord); /* always free read bio */
#endif
#ifdef HAVE_LIBZ
FreeStreams(ssl);
@@ -2075,6 +2118,9 @@ void SSL_ResourceFree(WOLFSSL* ssl)
if (ssl->nxCtx.nxPacket)
nx_packet_release(ssl->nxCtx.nxPacket);
#endif
+#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
+ FreeX509(&(ssl->peerCert)); /* clang thinks this frees ssl itslef */
+#endif
}
#ifdef WOLFSSL_TI_HASH
@@ -2267,6 +2313,7 @@ int DtlsPoolSave(WOLFSSL* ssl, const byte *src, int sz)
return MEMORY_ERROR;
}
XMEMCPY(pBuf->buffer, src, sz);
+ pool->epoch[pool->used] = ssl->keys.dtls_epoch;
pBuf->length = (word32)sz;
pool->used++;
}
@@ -2316,40 +2363,53 @@ int DtlsPoolTimeout(WOLFSSL* ssl)
int DtlsPoolSend(WOLFSSL* ssl)
{
- int ret;
- DtlsPool *pool = ssl->dtls_pool;
+ DtlsPool* pool = ssl->dtls_pool;
if (pool != NULL && pool->used > 0) {
- int i;
- for (i = 0; i < pool->used; i++) {
- int sendResult;
- buffer* buf = &pool->buf[i];
+ int ret = 0;
+ int i;
+ buffer* buf;
- DtlsRecordLayerHeader* dtls = (DtlsRecordLayerHeader*)buf->buffer;
+ for (i = 0, buf = pool->buf; i < pool->used; i++, buf++) {
+ if (pool->epoch[i] == 0) {
+ DtlsRecordLayerHeader* dtls;
- word16 message_epoch;
- ato16(dtls->epoch, &message_epoch);
- if (message_epoch == ssl->keys.dtls_epoch) {
- /* Increment record sequence number on retransmitted handshake
- * messages */
- c32to48(ssl->keys.dtls_sequence_number, dtls->sequence_number);
- ssl->keys.dtls_sequence_number++;
+ dtls = (DtlsRecordLayerHeader*)buf->buffer;
+ c32to48(ssl->keys.dtls_prev_sequence_number++,
+ dtls->sequence_number);
+ if ((ret = CheckAvailableSize(ssl, buf->length)) != 0)
+ return ret;
+
+ XMEMCPY(ssl->buffers.outputBuffer.buffer,
+ buf->buffer, buf->length);
+ ssl->buffers.outputBuffer.idx = 0;
+ ssl->buffers.outputBuffer.length = buf->length;
}
- else {
- /* The Finished message is sent with the next epoch, keep its
- * sequence number */
+ else if (pool->epoch[i] == ssl->keys.dtls_epoch) {
+ byte* input;
+ byte* output;
+ int inputSz, sendSz;
+
+ input = buf->buffer;
+ inputSz = buf->length;
+ sendSz = inputSz + MAX_MSG_EXTRA;
+
+ if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
+ return ret;
+
+ output = ssl->buffers.outputBuffer.buffer +
+ ssl->buffers.outputBuffer.length;
+ sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
+ handshake, 0);
+ if (sendSz < 0)
+ return BUILD_MSG_ERROR;
+
+ ssl->buffers.outputBuffer.length += sendSz;
}
- if ((ret = CheckAvailableSize(ssl, buf->length)) != 0)
+ ret = SendBuffered(ssl);
+ if (ret < 0) {
return ret;
-
- XMEMCPY(ssl->buffers.outputBuffer.buffer, buf->buffer, buf->length);
- ssl->buffers.outputBuffer.idx = 0;
- ssl->buffers.outputBuffer.length = buf->length;
-
- sendResult = SendBuffered(ssl);
- if (sendResult < 0) {
- return sendResult;
}
}
}
@@ -2371,13 +2431,12 @@ DtlsMsg* DtlsMsgNew(word32 sz, void* heap)
msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG);
if (msg != NULL) {
+ XMEMSET(msg, 0, sizeof(DtlsMsg));
msg->buf = (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ,
- heap, DYNAMIC_TYPE_NONE);
+ heap, DYNAMIC_TYPE_DTLS_BUFFER);
if (msg->buf != NULL) {
- msg->next = NULL;
- msg->seq = 0;
msg->sz = sz;
- msg->fragSz = 0;
+ msg->type = no_shake;
msg->msg = msg->buf + DTLS_HANDSHAKE_HEADER_SZ;
}
else {
@@ -2394,8 +2453,14 @@ void DtlsMsgDelete(DtlsMsg* item, void* heap)
(void)heap;
if (item != NULL) {
+ DtlsFrag* cur = item->fragList;
+ while (cur != NULL) {
+ DtlsFrag* next = cur->next;
+ XFREE(cur, heap, DYNAMIC_TYPE_DTLS_FRAG);
+ cur = next;
+ }
if (item->buf != NULL)
- XFREE(item->buf, heap, DYNAMIC_TYPE_NONE);
+ XFREE(item->buf, heap, DYNAMIC_TYPE_DTLS_BUFFER);
XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG);
}
}
@@ -2412,32 +2477,127 @@ void DtlsMsgListDelete(DtlsMsg* head, void* heap)
}
-void DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type,
- word32 fragOffset, word32 fragSz)
+/* Create a DTLS Fragment from *begin - end, adjust new *begin and bytesLeft */
+static DtlsFrag* CreateFragment(word32* begin, word32 end, const byte* data,
+ byte* buf, word32* bytesLeft, void* heap)
+{
+ DtlsFrag* newFrag;
+ word32 added = end - *begin + 1;
+
+ newFrag = (DtlsFrag*)XMALLOC(sizeof(DtlsFrag), heap,
+ DYNAMIC_TYPE_DTLS_FRAG);
+ if (newFrag != NULL) {
+ newFrag->next = NULL;
+ newFrag->begin = *begin;
+ newFrag->end = end;
+
+ XMEMCPY(buf + *begin, data, added);
+ *bytesLeft -= added;
+ *begin = newFrag->end + 1;
+ }
+
+ return newFrag;
+}
+
+
+int DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type,
+ word32 fragOffset, word32 fragSz, void* heap)
{
if (msg != NULL && data != NULL && msg->fragSz <= msg->sz &&
(fragOffset + fragSz) <= msg->sz) {
+ DtlsFrag* cur = msg->fragList;
+ DtlsFrag* prev = cur;
+ DtlsFrag* newFrag;
+ word32 bytesLeft = fragSz; /* could be overlapping fragment */
+ word32 startOffset = fragOffset;
+ word32 added;
msg->seq = seq;
msg->type = type;
- msg->fragSz += fragSz;
- /* If fragOffset is zero, this is either a full message that is out
- * of order, or the first fragment of a fragmented message. Copy the
- * handshake message header with the message data. Zero length messages
- * like Server Hello Done should be saved as well. */
- if (fragOffset == 0)
+
+ if (fragOffset == 0) {
XMEMCPY(msg->buf, data - DTLS_HANDSHAKE_HEADER_SZ,
- fragSz + DTLS_HANDSHAKE_HEADER_SZ);
- else {
- /* If fragOffset is non-zero, this is an additional fragment that
- * needs to be copied to its location in the message buffer. Also
- * copy the total size of the message over the fragment size. The
- * hash routines look at a defragmented message if it had actually
- * come across as a single handshake message. */
- XMEMCPY(msg->msg + fragOffset, data, fragSz);
+ DTLS_HANDSHAKE_HEADER_SZ);
+ c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ);
+ }
+
+ /* if no mesage data, just return */
+ if (fragSz == 0)
+ return 0;
+
+ /* if list is empty add full fragment to front */
+ if (cur == NULL) {
+ newFrag = CreateFragment(&fragOffset, fragOffset + fragSz - 1, data,
+ msg->msg, &bytesLeft, heap);
+ if (newFrag == NULL)
+ return MEMORY_E;
+
+ msg->fragSz = fragSz;
+ msg->fragList = newFrag;
+
+ return 0;
+ }
+
+ /* add to front if before current front, up to next->begin */
+ if (fragOffset < cur->begin) {
+ word32 end = fragOffset + fragSz - 1;
+
+ if (end >= cur->begin)
+ end = cur->begin - 1;
+
+ added = end - fragOffset + 1;
+ newFrag = CreateFragment(&fragOffset, end, data, msg->msg,
+ &bytesLeft, heap);
+ if (newFrag == NULL)
+ return MEMORY_E;
+
+ msg->fragSz += added;
+
+ newFrag->next = cur;
+ msg->fragList = newFrag;
+ }
+
+ /* while we have bytes left, try to find a gap to fill */
+ while (bytesLeft > 0) {
+ /* get previous packet in list */
+ while (cur && (fragOffset >= cur->begin)) {
+ prev = cur;
+ cur = cur->next;
+ }
+
+ /* don't add duplicate data */
+ if (prev->end >= fragOffset) {
+ if ( (fragOffset + bytesLeft - 1) <= prev->end)
+ return 0;
+ fragOffset = prev->end + 1;
+ bytesLeft = startOffset + fragSz - fragOffset;
+ }
+
+ if (cur == NULL)
+ /* we're at the end */
+ added = bytesLeft;
+ else
+ /* we're in between two frames */
+ added = min(bytesLeft, cur->begin - fragOffset);
+
+ /* data already there */
+ if (added == 0)
+ continue;
+
+ newFrag = CreateFragment(&fragOffset, fragOffset + added - 1,
+ data + fragOffset - startOffset,
+ msg->msg, &bytesLeft, heap);
+ if (newFrag == NULL)
+ return MEMORY_E;
+
+ msg->fragSz += added;
+
+ newFrag->next = prev->next;
+ prev->next = newFrag;
}
- c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ);
}
+
+ return 0;
}
@@ -2459,14 +2619,16 @@ DtlsMsg* DtlsMsgStore(DtlsMsg* head, word32 seq, const byte* data,
* starting at offset fragOffset, and add fragSz to msg->fragSz. If
* the seq is in the list and it isn't full, copy fragSz bytes from
* data to msg->msg starting at offset fragOffset, and add fragSz to
- * msg->fragSz. The new item should be inserted into the list in its
+ * msg->fragSz. Insertions take into account data already in the list
+ * in case there are overlaps in the handshake message due to retransmit
+ * messages. The new item should be inserted into the list in its
* proper position.
*
* 1. Find seq in list, or where seq should go in list. If seq not in
* list, create new item and insert into list. Either case, keep
* pointer to item.
- * 2. If msg->fragSz + fragSz < sz, copy data to msg->msg at offset
- * fragOffset. Add fragSz to msg->fragSz.
+ * 2. Copy the data from the message to the stored message where it
+ * belongs without overlaps.
*/
if (head != NULL) {
@@ -2474,17 +2636,25 @@ DtlsMsg* DtlsMsgStore(DtlsMsg* head, word32 seq, const byte* data,
if (cur == NULL) {
cur = DtlsMsgNew(dataSz, heap);
if (cur != NULL) {
- DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz);
+ if (DtlsMsgSet(cur, seq, data, type,
+ fragOffset, fragSz, heap) < 0) {
+ DtlsMsgDelete(cur, heap);
+ return head;
+ }
head = DtlsMsgInsert(head, cur);
}
}
else {
- DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz);
+ /* If this fails, the data is just dropped. */
+ DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz, heap);
}
}
else {
head = DtlsMsgNew(dataSz, heap);
- DtlsMsgSet(head, seq, data, type, fragOffset, fragSz);
+ if (DtlsMsgSet(head, seq, data, type, fragOffset, fragSz, heap) < 0) {
+ DtlsMsgDelete(head, heap);
+ return NULL;
+ }
}
return head;
@@ -2607,7 +2777,7 @@ ProtocolVersion MakeDTLSv1_2(void)
word32 LowResTimer(void)
{
- return (word32) TickGet();
+ return (word32) (TickGet() / TICKS_PER_SECOND);
}
@@ -2619,14 +2789,15 @@ ProtocolVersion MakeDTLSv1_2(void)
word32 LowResTimer(void)
{
- return (word32) SYS_TMR_TickCountGet();
+ return (word32) (SYS_TMR_TickCountGet() /
+ SYS_TMR_TickCounterFrequencyGet());
}
#else
word32 LowResTimer(void)
{
- return (word32) SYS_TICK_Get();
+ return (word32) (SYS_TICK_Get() / SYS_TICK_TicksPerSecondGet());
}
#endif
@@ -3250,6 +3421,14 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
#endif
}
+#ifdef WOLFSSL_DTLS
+ if (ssl->options.dtls &&
+ (!DtlsCheckWindow(&ssl->keys.dtls_state) ||
+ (ssl->options.handShakeDone && ssl->keys.dtls_state.curEpoch == 0))) {
+ return SEQUENCE_ERROR;
+ }
+#endif
+
/* catch version mismatch */
if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){
if (ssl->options.side == WOLFSSL_SERVER_END &&
@@ -3271,13 +3450,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
}
}
-#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if (DtlsCheckWindow(&ssl->keys.dtls_state) != 1)
- return SEQUENCE_ERROR;
- }
-#endif
-
/* record layer length check */
#ifdef HAVE_MAX_FRAGMENT
if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) {
@@ -4195,7 +4367,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
x509->authKeyIdSet = dCert->extAuthKeyIdSet;
x509->authKeyIdCrit = dCert->extAuthKeyIdCrit;
if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) {
- x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, NULL, 0);
+ x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, NULL,
+ DYNAMIC_TYPE_X509_EXT);
if (x509->authKeyId != NULL) {
XMEMCPY(x509->authKeyId,
dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz);
@@ -4207,7 +4380,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
x509->subjKeyIdSet = dCert->extSubjKeyIdSet;
x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit;
if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) {
- x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, NULL, 0);
+ x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, NULL,
+ DYNAMIC_TYPE_X509_EXT);
if (x509->subjKeyId != NULL) {
XMEMCPY(x509->subjKeyId,
dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz);
@@ -4365,11 +4539,16 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
if (ret == 0) {
int doCrlLookup = 1;
- (void)doCrlLookup;
+
#ifdef HAVE_OCSP
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ if (ssl->status_request_v2)
+ ret = TLSX_CSR2_InitRequests(ssl->extensions, dCert, 0);
+ else /* skips OCSP and force CRL check */
+ #endif
if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) {
WOLFSSL_MSG("Doing Non Leaf OCSP check");
- ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
+ ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL);
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
doCrlLookup = 0;
@@ -4379,7 +4558,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* HAVE_OCSP */
#ifdef HAVE_CRL
- if (doCrlLookup && ssl->ctx->cm->crlEnabled
+ if (ret == 0 && doCrlLookup && ssl->ctx->cm->crlEnabled
&& ssl->ctx->cm->crlCheckAll) {
WOLFSSL_MSG("Doing Non Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
@@ -4388,6 +4567,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("\tCRL check not ok");
}
}
+#else
+ (void)doCrlLookup;
#endif /* HAVE_CRL */
}
#endif /* HAVE_OCSP || HAVE_CRL */
@@ -4433,7 +4614,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (fatal == 0 && ssl->secure_renegotiation
&& ssl->secure_renegotiation->enabled) {
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
/* compare against previous time */
if (XMEMCMP(dCert->subjectHash,
ssl->secure_renegotiation->subject_hash,
@@ -4454,12 +4635,28 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#if defined(HAVE_OCSP) || defined(HAVE_CRL)
if (fatal == 0) {
- int doCrlLookup = 1;
- (void)doCrlLookup;
+ int doLookup = 1;
+
+ if (ssl->options.side == WOLFSSL_CLIENT_END) {
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ if (ssl->status_request) {
+ fatal = TLSX_CSR_InitRequest(ssl->extensions, dCert);
+ doLookup = 0;
+ }
+#endif
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ if (ssl->status_request_v2) {
+ fatal = TLSX_CSR2_InitRequests(ssl->extensions, dCert, 1);
+ doLookup = 0;
+ }
+#endif
+ }
+
#ifdef HAVE_OCSP
- if (ssl->ctx->cm->ocspEnabled) {
- ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert);
- doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
+ if (doLookup && ssl->ctx->cm->ocspEnabled) {
+ WOLFSSL_MSG("Doing Leaf OCSP check");
+ ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL);
+ doLookup = (ret == OCSP_CERT_UNKNOWN);
if (ret != 0) {
WOLFSSL_MSG("\tOCSP Lookup not ok");
fatal = 0;
@@ -4468,7 +4665,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* HAVE_OCSP */
#ifdef HAVE_CRL
- if (doCrlLookup && ssl->ctx->cm->crlEnabled) {
+ if (doLookup && ssl->ctx->cm->crlEnabled) {
WOLFSSL_MSG("Doing Leaf CRL check");
ret = CheckCertCRL(ssl->ctx->cm->crl, dCert);
if (ret != 0) {
@@ -4477,11 +4674,12 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
}
#endif /* HAVE_CRL */
+ (void)doLookup;
}
#endif /* HAVE_OCSP || HAVE_CRL */
#ifdef KEEP_PEER_CERT
- {
+ if (fatal == 0) {
/* set X509 format for peer cert even if fatal */
int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert);
if (copyRet == MEMORY_E)
@@ -4771,7 +4969,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END)
ssl->options.serverState = SERVER_CERT_COMPLETE;
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
}
@@ -4783,6 +4981,207 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
return ret;
}
+
+static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx,
+ word32 size)
+{
+ int ret = 0;
+ byte status_type;
+ word32 status_length;
+
+ if (size < ENUM_LEN + OPAQUE24_LEN)
+ return BUFFER_ERROR;
+
+ status_type = input[(*inOutIdx)++];
+
+ c24to32(input + *inOutIdx, &status_length);
+ *inOutIdx += OPAQUE24_LEN;
+
+ if (size != ENUM_LEN + OPAQUE24_LEN + status_length)
+ return BUFFER_ERROR;
+
+ switch (status_type) {
+
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+
+ /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */
+ case WOLFSSL_CSR2_OCSP: {
+ OcspRequest* request;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ CertStatus* status;
+ OcspResponse* response;
+ #else
+ CertStatus status[1];
+ OcspResponse response[1];
+ #endif
+
+ do {
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ if (ssl->status_request) {
+ request = TLSX_CSR_GetRequest(ssl->extensions);
+ ssl->status_request = 0;
+ break;
+ }
+ #endif
+
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ if (ssl->status_request_v2) {
+ request = TLSX_CSR2_GetRequest(ssl->extensions,
+ status_type, 0);
+ ssl->status_request_v2 = 0;
+ break;
+ }
+ #endif
+
+ return BUFFER_ERROR;
+ } while(0);
+
+ if (request == NULL)
+ return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */
+
+ #ifdef WOLFSSL_SMALL_STACK
+ status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+
+ if (status == NULL || response == NULL) {
+ if (status)
+ XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ if (response)
+ XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ return MEMORY_ERROR;
+ }
+ #endif
+
+ InitOcspResponse(response, status, input +*inOutIdx, status_length);
+
+ if ((OcspResponseDecode(response, ssl->ctx->cm) != 0)
+ || (response->responseStatus != OCSP_SUCCESSFUL)
+ || (response->status->status != CERT_GOOD)
+ || (CompareOcspReqResp(request, response) != 0))
+ ret = BAD_CERTIFICATE_STATUS_ERROR;
+
+ *inOutIdx += status_length;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+
+ }
+ break;
+
+ #endif
+
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+
+ case WOLFSSL_CSR2_OCSP_MULTI: {
+ OcspRequest* request;
+ word32 list_length = status_length;
+ byte index = 0;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ CertStatus* status;
+ OcspResponse* response;
+ #else
+ CertStatus status[1];
+ OcspResponse response[1];
+ #endif
+
+ do {
+ if (ssl->status_request_v2) {
+ ssl->status_request_v2 = 0;
+ break;
+ }
+
+ return BUFFER_ERROR;
+ } while(0);
+
+ #ifdef WOLFSSL_SMALL_STACK
+ status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+
+ if (status == NULL || response == NULL) {
+ if (status)
+ XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ if (response)
+ XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ return MEMORY_ERROR;
+ }
+ #endif
+
+ while (list_length && ret == 0) {
+ if (OPAQUE24_LEN > list_length) {
+ ret = BUFFER_ERROR;
+ break;
+ }
+
+ c24to32(input + *inOutIdx, &status_length);
+ *inOutIdx += OPAQUE24_LEN;
+ list_length -= OPAQUE24_LEN;
+
+ if (status_length > list_length) {
+ ret = BUFFER_ERROR;
+ break;
+ }
+
+ if (status_length) {
+ InitOcspResponse(response, status, input +*inOutIdx,
+ status_length);
+
+ if ((OcspResponseDecode(response, ssl->ctx->cm) != 0)
+ || (response->responseStatus != OCSP_SUCCESSFUL)
+ || (response->status->status != CERT_GOOD))
+ ret = BAD_CERTIFICATE_STATUS_ERROR;
+
+ while (ret == 0) {
+ request = TLSX_CSR2_GetRequest(ssl->extensions,
+ status_type, index++);
+
+ if (request == NULL)
+ ret = BAD_CERTIFICATE_STATUS_ERROR;
+ else if (CompareOcspReqResp(request, response) == 0)
+ break;
+ else if (index == 1) /* server cert must be OK */
+ ret = BAD_CERTIFICATE_STATUS_ERROR;
+ }
+
+ *inOutIdx += status_length;
+ list_length -= status_length;
+ }
+ }
+
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ ssl->status_request_v2 = 0;
+ #endif
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+
+ }
+ break;
+
+ #endif
+
+ default:
+ ret = BUFFER_ERROR;
+ }
+
+ if (ret != 0)
+ SendAlert(ssl, alert_fatal, bad_certificate_status_response);
+
+ return ret;
+}
+
#endif /* !NO_CERTS */
@@ -4794,7 +5193,7 @@ static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
if (size) /* must be 0 */
return BUFFER_ERROR;
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
/* access beyond input + size should be checked against totalSz */
if (*inOutIdx + ssl->keys.padSz > totalSz)
return BUFFER_E;
@@ -4862,14 +5261,6 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
if (!ssl->options.resuming) {
ssl->options.handShakeState = HANDSHAKE_DONE;
ssl->options.handShakeDone = 1;
-
-#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* Other side has received our Finished, go to next epoch */
- ssl->keys.dtls_epoch++;
- ssl->keys.dtls_sequence_number = 1;
- }
-#endif
}
}
else {
@@ -4877,14 +5268,6 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size,
if (ssl->options.resuming) {
ssl->options.handShakeState = HANDSHAKE_DONE;
ssl->options.handShakeDone = 1;
-
-#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* Other side has received our Finished, go to next epoch */
- ssl->keys.dtls_epoch++;
- ssl->keys.dtls_sequence_number = 1;
- }
-#endif
}
}
@@ -4978,6 +5361,26 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
#endif
break;
+#ifndef NO_WOLFSSL_CLIENT
+ case certificate_status:
+ if (ssl->msgsReceived.got_certificate_status) {
+ WOLFSSL_MSG("Duplicate CertificateSatatus received");
+ return DUPLICATE_MSG_E;
+ }
+ ssl->msgsReceived.got_certificate_status = 1;
+
+ if (ssl->msgsReceived.got_certificate == 0) {
+ WOLFSSL_MSG("No Certificate before CertificateStatus");
+ return OUT_OF_ORDER_E;
+ }
+ if (ssl->msgsReceived.got_server_key_exchange != 0) {
+ WOLFSSL_MSG("CertificateStatus after ServerKeyExchange");
+ return OUT_OF_ORDER_E;
+ }
+
+ break;
+#endif
+
#ifndef NO_WOLFSSL_CLIENT
case server_key_exchange:
if (ssl->msgsReceived.got_server_key_exchange) {
@@ -4986,10 +5389,30 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type)
}
ssl->msgsReceived.got_server_key_exchange = 1;
- if ( ssl->msgsReceived.got_server_hello == 0) {
- WOLFSSL_MSG("No ServerHello before Cert");
+ if (ssl->msgsReceived.got_server_hello == 0) {
+ WOLFSSL_MSG("No ServerHello before ServerKeyExchange");
return OUT_OF_ORDER_E;
}
+ if (ssl->msgsReceived.got_certificate_status == 0) {
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ if (ssl->status_request) {
+ int ret;
+
+ WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
+ if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0)
+ return ret;
+ }
+#endif
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ if (ssl->status_request_v2) {
+ int ret;
+
+ WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange");
+ if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0)
+ return ret;
+ }
+#endif
+ }
break;
#endif
@@ -5231,7 +5654,12 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#ifndef NO_CERTS
case certificate:
WOLFSSL_MSG("processing certificate");
- ret = DoCertificate(ssl, input, inOutIdx, size);
+ ret = DoCertificate(ssl, input, inOutIdx, size);
+ break;
+
+ case certificate_status:
+ WOLFSSL_MSG("processing certificate status");
+ ret = DoCertificateStatus(ssl, input, inOutIdx, size);
break;
#endif
@@ -5244,7 +5672,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
AddLateName("ServerHelloDone", &ssl->timeoutInfo);
#endif
ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
}
if (ssl->options.resuming) {
@@ -6605,7 +7033,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type,
ssl->options.closeNotify = 1;
}
WOLFSSL_ERROR(*type);
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
if (*inOutIdx + ssl->keys.padSz > totalSz)
return BUFFER_E;
*inOutIdx += ssl->keys.padSz;
@@ -6878,6 +7306,7 @@ int ProcessReply(WOLFSSL* ssl)
&ssl->curRL, &ssl->curSize);
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls && ret == SEQUENCE_ERROR) {
+ WOLFSSL_MSG("Silently dropping out of order DTLS message");
ssl->options.processReply = doProcessInit;
ssl->buffers.inputBuffer.length = 0;
ssl->buffers.inputBuffer.idx = 0;
@@ -6913,13 +7342,7 @@ int ProcessReply(WOLFSSL* ssl)
/* the record layer is here */
case runProcessingOneMessage:
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls &&
- ssl->keys.dtls_state.curEpoch < ssl->keys.dtls_state.nextEpoch)
- ssl->keys.decryptedCur = 1;
- #endif
-
- if (ssl->keys.encryptionOn && ssl->keys.decryptedCur == 0)
+ if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0)
{
ret = SanityCheckCipherText(ssl, ssl->curSize);
if (ret < 0)
@@ -7046,7 +7469,7 @@ int ProcessReply(WOLFSSL* ssl)
}
#endif
- if (ssl->keys.encryptionOn && ssl->options.handShakeDone) {
+ if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) {
ssl->buffers.inputBuffer.idx += ssl->keys.padSz;
ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx;
}
@@ -7145,7 +7568,7 @@ int ProcessReply(WOLFSSL* ssl)
#endif
ssl->options.processReply = runProcessingOneMessage;
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
WOLFSSL_MSG("Bundled encrypted messages, remove middle pad");
ssl->buffers.inputBuffer.idx -= ssl->keys.padSz;
}
@@ -7182,7 +7605,7 @@ int SendChangeCipher(WOLFSSL* ssl)
#endif
/* are we in scr */
- if (ssl->keys.encryptionOn && ssl->options.handShakeDone) {
+ if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
sendSz += MAX_MSG_EXTRA;
}
@@ -7198,13 +7621,13 @@ int SendChangeCipher(WOLFSSL* ssl)
output[idx] = 1; /* turn it on */
- if (ssl->keys.encryptionOn && ssl->options.handShakeDone) {
+ if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) {
byte input[ENUM_LEN];
int inputSz = ENUM_LEN;
input[0] = 1; /* turn it on */
sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- change_cipher_spec);
+ change_cipher_spec, 0);
if (sendSz < 0)
return sendSz;
}
@@ -7434,7 +7857,7 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes)
/* Build SSL Message, encrypted */
static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
- const byte* input, int inSz, int type)
+ const byte* input, int inSz, int type, int hashOutput)
{
#ifdef HAVE_TRUNCATED_HMAC
word32 digestSz = min(ssl->specs.hash_size,
@@ -7509,7 +7932,7 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz,
XMEMCPY(output + idx, input, inSz);
idx += inSz;
- if (type == handshake) {
+ if (type == handshake && hashOutput) {
ret = HashOutput(ssl, output, headerSz + inSz, ivSz);
if (ret != 0)
return ret;
@@ -7583,11 +8006,6 @@ int SendFinished(WOLFSSL* ssl)
int headerSz = HANDSHAKE_HEADER_SZ;
int outputSz;
- #ifdef WOLFSSL_DTLS
- word32 sequence_number = ssl->keys.dtls_sequence_number;
- word16 epoch = ssl->keys.dtls_epoch;
- #endif
-
/* setup encrypt keys */
if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0)
return ret;
@@ -7599,11 +8017,11 @@ int SendFinished(WOLFSSL* ssl)
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls) {
- /* Send Finished message with the next epoch, but don't commit that
- * change until the other end confirms its reception. */
headerSz += DTLS_HANDSHAKE_EXTRA;
ssl->keys.dtls_epoch++;
- ssl->keys.dtls_sequence_number = 0; /* reset after epoch change */
+ ssl->keys.dtls_prev_sequence_number =
+ ssl->keys.dtls_sequence_number;
+ ssl->keys.dtls_sequence_number = 0;
}
#endif
@@ -7630,18 +8048,18 @@ int SendFinished(WOLFSSL* ssl)
}
#endif
+ #ifdef WOLFSSL_DTLS
+ if (ssl->options.dtls) {
+ if ((ret = DtlsPoolSave(ssl, input, headerSz + finishedSz)) != 0)
+ return ret;
+ }
+ #endif
+
sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz,
- handshake);
+ handshake, 1);
if (sendSz < 0)
return BUILD_MSG_ERROR;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- ssl->keys.dtls_epoch = epoch;
- ssl->keys.dtls_sequence_number = sequence_number;
- }
- #endif
-
if (!ssl->options.resuming) {
#ifndef NO_SESSION_CACHE
AddSession(ssl); /* just try */
@@ -7649,36 +8067,14 @@ int SendFinished(WOLFSSL* ssl)
if (ssl->options.side == WOLFSSL_SERVER_END) {
ssl->options.handShakeState = HANDSHAKE_DONE;
ssl->options.handShakeDone = 1;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* Other side will soon receive our Finished, go to next
- * epoch. */
- ssl->keys.dtls_epoch++;
- ssl->keys.dtls_sequence_number = 1;
- }
- #endif
}
}
else {
if (ssl->options.side == WOLFSSL_CLIENT_END) {
ssl->options.handShakeState = HANDSHAKE_DONE;
ssl->options.handShakeDone = 1;
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- /* Other side will soon receive our Finished, go to next
- * epoch. */
- ssl->keys.dtls_epoch++;
- ssl->keys.dtls_sequence_number = 1;
- }
- #endif
}
}
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
- return ret;
- }
- #endif
#ifdef WOLFSSL_CALLBACKS
if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo);
@@ -7769,7 +8165,7 @@ int SendCertificate(WOLFSSL* ssl)
sendSz += fragSz;
}
- if (ssl->keys.encryptionOn)
+ if (IsEncryptionOn(ssl, 1))
sendSz += MAX_MSG_EXTRA;
}
else {
@@ -7793,14 +8189,14 @@ int SendCertificate(WOLFSSL* ssl)
if (ssl->fragOffset == 0) {
if (!ssl->options.dtls) {
AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl);
- if (!ssl->keys.encryptionOn)
+ if (!IsEncryptionOn(ssl, 1))
HashOutputRaw(ssl, output + RECORD_HEADER_SZ,
HANDSHAKE_HEADER_SZ);
}
else {
#ifdef WOLFSSL_DTLS
AddHeaders(output, payloadSz, certificate, ssl);
- if (!ssl->keys.encryptionOn)
+ if (!IsEncryptionOn(ssl, 1))
HashOutputRaw(ssl,
output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA,
HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA);
@@ -7815,20 +8211,20 @@ int SendCertificate(WOLFSSL* ssl)
/* list total */
c32to24(listSz, output + i);
- if (!ssl->keys.encryptionOn)
+ if (!IsEncryptionOn(ssl, 1))
HashOutputRaw(ssl, output + i, CERT_HEADER_SZ);
i += CERT_HEADER_SZ;
length -= CERT_HEADER_SZ;
fragSz -= CERT_HEADER_SZ;
if (certSz) {
c32to24(certSz, output + i);
- if (!ssl->keys.encryptionOn)
+ if (!IsEncryptionOn(ssl, 1))
HashOutputRaw(ssl, output + i, CERT_HEADER_SZ);
i += CERT_HEADER_SZ;
length -= CERT_HEADER_SZ;
fragSz -= CERT_HEADER_SZ;
- if (!ssl->keys.encryptionOn) {
+ if (!IsEncryptionOn(ssl, 1)) {
HashOutputRaw(ssl, ssl->buffers.certificate.buffer, certSz);
if (certChainSz)
HashOutputRaw(ssl, ssl->buffers.certChain.buffer,
@@ -7869,16 +8265,24 @@ int SendCertificate(WOLFSSL* ssl)
length -= copySz;
}
- if (ssl->keys.encryptionOn) {
- byte* input;
+ if (IsEncryptionOn(ssl, 1)) {
+ byte* input = NULL;
int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */
- input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
- if (input == NULL)
- return MEMORY_E;
+ if (inputSz < 0) {
+ WOLFSSL_MSG("Send Cert bad inputSz");
+ return BUFFER_E;
+ }
- XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
- sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake);
+ if (inputSz > 0) { /* clang thinks could be zero, let's help */
+ input = (byte*)XMALLOC(inputSz, ssl->heap,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (input == NULL)
+ return MEMORY_E;
+ XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
+ }
+
+ sendSz = BuildMessage(ssl, output,sendSz,input,inputSz,handshake,1);
XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (sendSz < 0)
@@ -8004,6 +8408,421 @@ int SendCertificateRequest(WOLFSSL* ssl)
else
return SendBuffered(ssl);
}
+
+
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status,
+ byte count)
+{
+ byte* output = NULL;
+ word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
+ word32 length = ENUM_LEN;
+ int sendSz = 0;
+ int ret = 0;
+ int i = 0;
+
+ WOLFSSL_ENTER("BuildCertificateStatus");
+
+ switch (type) {
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ length += OPAQUE24_LEN;
+ /* followed by */
+
+ case WOLFSSL_CSR2_OCSP:
+ for (i = 0; i < count; i++)
+ length += OPAQUE24_LEN + status[i].length;
+ break;
+
+ default:
+ return 0;
+ }
+
+ sendSz = idx + length;
+
+ if (ssl->keys.encryptionOn)
+ sendSz += MAX_MSG_EXTRA;
+
+ if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) {
+ output = ssl->buffers.outputBuffer.buffer +
+ ssl->buffers.outputBuffer.length;
+
+ AddHeaders(output, length, certificate_status, ssl);
+
+ output[idx++] = type;
+
+ if (type == WOLFSSL_CSR2_OCSP_MULTI) {
+ c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx);
+ idx += OPAQUE24_LEN;
+ }
+
+ for (i = 0; i < count; i++) {
+ c32to24(status[i].length, output + idx);
+ idx += OPAQUE24_LEN;
+
+ XMEMCPY(output + idx, status[i].buffer, status[i].length);
+ idx += status[i].length;
+ }
+
+ if (IsEncryptionOn(ssl, 1)) {
+ byte* input;
+ int inputSz = idx - RECORD_HEADER_SZ;
+
+ input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+ if (input == NULL)
+ return MEMORY_E;
+
+ XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
+ sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
+ handshake, 1);
+ XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
+
+ if (sendSz < 0)
+ ret = sendSz;
+ }
+ else
+ ret = HashOutput(ssl, output, sendSz, 0);
+
+ #ifdef WOLFSSL_DTLS
+ if (ret == 0 && ssl->options.dtls)
+ ret = DtlsPoolSave(ssl, output, sendSz));
+ #endif
+
+ #ifdef WOLFSSL_CALLBACKS
+ if (ret == 0 && ssl->hsInfoOn)
+ AddPacketName("CertificateStatus", &ssl->handShakeInfo);
+ if (ret == 0 && ssl->toInfoOn)
+ AddPacketInfo("CertificateStatus", &ssl->timeoutInfo, output,
+ sendSz, ssl->heap);
+ #endif
+
+ if (ret == 0) {
+ ssl->buffers.outputBuffer.length += sendSz;
+ if (!ssl->options.groupMessages)
+ ret = SendBuffered(ssl);
+ }
+ }
+
+ WOLFSSL_LEAVE("BuildCertificateStatus", ret);
+ return ret;
+}
+#endif
+
+
+int SendCertificateStatus(WOLFSSL* ssl)
+{
+ int ret = 0;
+ byte status_type = 0;
+
+ WOLFSSL_ENTER("SendCertificateStatus");
+
+ (void) ssl;
+
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ status_type = ssl->status_request;
+ #endif
+
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ status_type = status_type ? status_type : ssl->status_request_v2;
+ #endif
+
+ switch (status_type) {
+
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ /* case WOLFSSL_CSR_OCSP: */
+ case WOLFSSL_CSR2_OCSP: {
+ OcspRequest* request = ssl->ctx->certOcspRequest;
+ buffer response = {NULL, 0};
+
+ /* unable to fetch status. skip. */
+ if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0)
+ return 0;
+
+ if (!request || ssl->buffers.weOwnCert) {
+ buffer der = ssl->buffers.certificate;
+ #ifdef WOLFSSL_SMALL_STACK
+ DecodedCert* cert = NULL;
+ #else
+ DecodedCert cert[1];
+ #endif
+
+ /* unable to fetch status. skip. */
+ if (der.buffer == NULL || der.length == 0)
+ return 0;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (cert == NULL)
+ return MEMORY_E;
+ #endif
+
+ InitDecodedCert(cert, der.buffer, der.length, NULL);
+
+ if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
+ ssl->ctx->cm)) != 0) {
+ WOLFSSL_MSG("ParseCert failed");
+ }
+ else {
+ request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
+ DYNAMIC_TYPE_OCSP_REQUEST);
+ if (request == NULL) {
+ FreeDecodedCert(cert);
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+
+ return MEMORY_E;
+ }
+
+ ret = InitOcspRequest(request, cert, 0);
+ if (ret != 0) {
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ }
+ else if (!ssl->buffers.weOwnCert && 0 == LockMutex(
+ &ssl->ctx->cm->ocsp_stapling->ocspLock)) {
+ if (!ssl->ctx->certOcspRequest)
+ ssl->ctx->certOcspRequest = request;
+ UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock);
+ }
+ }
+
+ FreeDecodedCert(cert);
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+ }
+
+ if (ret == 0) {
+ ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
+ &response);
+
+ /* Suppressing, not critical */
+ if (ret == OCSP_CERT_REVOKED
+ || ret == OCSP_CERT_UNKNOWN
+ || ret == OCSP_LOOKUP_FAIL)
+ ret = 0;
+
+ if (response.buffer) {
+ if (ret == 0)
+ ret = BuildCertificateStatus(ssl, status_type,
+ &response, 1);
+
+ XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ }
+
+ }
+
+ if (request != ssl->ctx->certOcspRequest)
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ }
+ break;
+
+ #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
+ /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
+
+ #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ case WOLFSSL_CSR2_OCSP_MULTI: {
+ OcspRequest* request = ssl->ctx->certOcspRequest;
+ buffer responses[1 + MAX_CHAIN_DEPTH];
+ int i = 0;
+
+ ForceZero(responses, sizeof(responses));
+
+ /* unable to fetch status. skip. */
+ if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0)
+ return 0;
+
+ if (!request || ssl->buffers.weOwnCert) {
+ buffer der = ssl->buffers.certificate;
+ #ifdef WOLFSSL_SMALL_STACK
+ DecodedCert* cert = NULL;
+ #else
+ DecodedCert cert[1];
+ #endif
+
+ /* unable to fetch status. skip. */
+ if (der.buffer == NULL || der.length == 0)
+ return 0;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (cert == NULL)
+ return MEMORY_E;
+ #endif
+
+ InitDecodedCert(cert, der.buffer, der.length, NULL);
+
+ if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
+ ssl->ctx->cm)) != 0) {
+ WOLFSSL_MSG("ParseCert failed");
+ }
+ else {
+ request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
+ DYNAMIC_TYPE_OCSP_REQUEST);
+ if (request == NULL) {
+ FreeDecodedCert(cert);
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+
+ return MEMORY_E;
+ }
+
+ ret = InitOcspRequest(request, cert, 0);
+ if (ret != 0) {
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ }
+ else if (!ssl->buffers.weOwnCert && 0 == LockMutex(
+ &ssl->ctx->cm->ocsp_stapling->ocspLock)) {
+ if (!ssl->ctx->certOcspRequest)
+ ssl->ctx->certOcspRequest = request;
+
+ UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock);
+ }
+ }
+
+ FreeDecodedCert(cert);
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+ }
+
+ if (ret == 0) {
+ ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request,
+ &responses[0]);
+
+ /* Suppressing, not critical */
+ if (ret == OCSP_CERT_REVOKED
+ || ret == OCSP_CERT_UNKNOWN
+ || ret == OCSP_LOOKUP_FAIL)
+ ret = 0;
+ }
+
+ if (request != ssl->ctx->certOcspRequest)
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+
+ if (ret == 0 && (!ssl->ctx->chainOcspRequest[0]
+ || ssl->buffers.weOwnCertChain)) {
+ buffer der = {NULL, 0};
+ word32 idx = 0;
+ #ifdef WOLFSSL_SMALL_STACK
+ DecodedCert* cert = NULL;
+ #else
+ DecodedCert cert[1];
+ #endif
+
+ #ifdef WOLFSSL_SMALL_STACK
+ cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (cert == NULL)
+ return MEMORY_E;
+ #endif
+
+ while (idx + OPAQUE24_LEN < ssl->buffers.certChain.length) {
+ c24to32(ssl->buffers.certChain.buffer + idx, &der.length);
+ idx += OPAQUE24_LEN;
+
+ der.buffer = ssl->buffers.certChain.buffer + idx;
+ idx += der.length;
+
+ if (idx > ssl->buffers.certChain.length)
+ break;
+
+ InitDecodedCert(cert, der.buffer, der.length, NULL);
+
+ if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
+ ssl->ctx->cm)) != 0) {
+ WOLFSSL_MSG("ParseCert failed");
+ break;
+ }
+ else {
+ request = (OcspRequest*)XMALLOC(sizeof(OcspRequest),
+ NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ if (request == NULL) {
+ ret = MEMORY_E;
+ break;
+ }
+
+ ret = InitOcspRequest(request, cert, 0);
+ if (ret != 0) {
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ break;
+ }
+ else if (!ssl->buffers.weOwnCertChain && 0 ==
+ LockMutex(
+ &ssl->ctx->cm->ocsp_stapling->ocspLock)) {
+ if (!ssl->ctx->chainOcspRequest[i])
+ ssl->ctx->chainOcspRequest[i] = request;
+
+ UnLockMutex(
+ &ssl->ctx->cm->ocsp_stapling->ocspLock);
+ }
+
+ ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
+ request, &responses[i + 1]);
+
+ /* Suppressing, not critical */
+ if (ret == OCSP_CERT_REVOKED
+ || ret == OCSP_CERT_UNKNOWN
+ || ret == OCSP_LOOKUP_FAIL)
+ ret = 0;
+
+ if (request != ssl->ctx->chainOcspRequest[i])
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+
+ i++;
+ }
+
+ FreeDecodedCert(cert);
+ }
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+ }
+ else {
+ while (ret == 0 &&
+ NULL != (request = ssl->ctx->chainOcspRequest[i])) {
+ ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling,
+ request, &responses[++i]);
+
+ /* Suppressing, not critical */
+ if (ret == OCSP_CERT_REVOKED
+ || ret == OCSP_CERT_UNKNOWN
+ || ret == OCSP_LOOKUP_FAIL)
+ ret = 0;
+ }
+ }
+
+ if (responses[0].buffer) {
+ if (ret == 0)
+ ret = BuildCertificateStatus(ssl, status_type,
+ responses, i + 1);
+
+ for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++)
+ if (responses[i].buffer)
+ XFREE(responses[i].buffer, NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ }
+ }
+ break;
+
+ #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
+
+ default:
+ break;
+ }
+
+ return ret;
+}
+
#endif /* !NO_CERTS */
@@ -8093,7 +8912,7 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
}
#endif
sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz,
- application_data);
+ application_data, 0);
if (sendSz < 0)
return BUILD_MSG_ERROR;
@@ -8243,8 +9062,8 @@ int SendAlert(WOLFSSL* ssl, int severity, int type)
/* only send encrypted alert if handshake actually complete, otherwise
other side may not be able to handle it */
- if (ssl->keys.encryptionOn && ssl->options.handShakeDone)
- sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert);
+ if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone)
+ sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE,alert,0);
else {
AddRecordHeader(output, ALERT_SIZE, alert, ssl);
@@ -8487,8 +9306,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case CRL_MISSING:
return "CRL missing, not loaded";
- case MONITOR_RUNNING_E:
- return "CRL monitor already running";
+ case MONITOR_SETUP_E:
+ return "CRL monitor setup error";
case THREAD_CREATE_E:
return "Thread creation problem";
@@ -8604,11 +9423,17 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e)
case RSA_SIGN_FAULT:
return "RSA Signature Fault Error";
+ case HANDSHAKE_SIZE_ERROR:
+ return "Handshake message too large Error";
+
case UNKNOWN_ALPN_PROTOCOL_NAME_E:
return "Unrecognized protocol name Error";
- case HANDSHAKE_SIZE_ERROR:
- return "Handshake message too large Error";
+ case BAD_CERTIFICATE_STATUS_ERROR:
+ return "Bad Certificate Status Message Error";
+
+ case OCSP_INVALID_STATUS:
+ return "Invalid OCSP Status Error";
default :
return "unknown error number";
@@ -9760,7 +10585,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
}
#endif
- if (ssl->keys.encryptionOn)
+ if (IsEncryptionOn(ssl, 1))
sendSz += MAX_MSG_EXTRA;
/* check for available size */
@@ -9843,12 +10668,14 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
{
int i;
/* add in the extensions length */
- c16toa(HELLO_EXT_LEN + ssl->suites->hashSigAlgoSz, output + idx);
+ c16toa((word16)(HELLO_EXT_LEN + ssl->suites->hashSigAlgoSz),
+ output + idx);
idx += 2;
c16toa(HELLO_EXT_SIG_ALGO, output + idx);
idx += 2;
- c16toa(HELLO_EXT_SIGALGO_SZ+ssl->suites->hashSigAlgoSz, output+idx);
+ c16toa((word16)(HELLO_EXT_SIGALGO_SZ + ssl->suites->hashSigAlgoSz),
+ output+idx);
idx += 2;
c16toa(ssl->suites->hashSigAlgoSz, output + idx);
idx += 2;
@@ -9858,7 +10685,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
}
#endif
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 1)) {
byte* input;
int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */
@@ -9867,7 +10694,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
return MEMORY_E;
XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
- sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake);
+ sendSz = BuildMessage(ssl, output,sendSz,input,inputSz,handshake,1);
XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (sendSz < 0)
@@ -10121,7 +10948,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ssl->options.serverState = SERVER_HELLO_COMPLETE;
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
}
@@ -10275,7 +11102,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
else if (IsTLS(ssl))
ssl->options.sendVerify = SEND_BLANK_CERT;
- if (ssl->keys.encryptionOn)
+ if (IsEncryptionOn(ssl, 0))
*inOutIdx += ssl->keys.padSz;
return 0;
@@ -10346,17 +11173,21 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
AddLateName("ServerKeyExchange", &ssl->timeoutInfo);
#endif
+ switch (ssl->specs.kea)
+ {
#ifndef NO_PSK
- if (ssl->specs.kea == psk_kea) {
-
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ case psk_kea:
+ {
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &length);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
return BUFFER_ERROR;
+ }
XMEMCPY(ssl->arrays->server_hint, input + *inOutIdx,
min(length, MAX_PSK_ID_LEN));
@@ -10371,12 +11202,13 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of buffer
used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size, 0)) < 0)
+ size, 0)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -10391,155 +11223,182 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
}
#endif
#ifndef NO_DH
- if (ssl->specs.kea == diffie_hellman_kea)
+ case diffie_hellman_kea:
{
- /* p */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
+ /* p */
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
+ return BUFFER_ERROR;
+ }
- ato16(input + *inOutIdx, &length);
- *inOutIdx += OPAQUE16_LEN;
+ ato16(input + *inOutIdx, &length);
+ *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
- return BUFFER_ERROR;
+ if ((*inOutIdx - begin) + length > size) {
+ return BUFFER_ERROR;
+ }
- if (length < ssl->options.minDhKeySz) {
- WOLFSSL_MSG("Server using a DH key that is too small");
- SendAlert(ssl, alert_fatal, handshake_failure);
- return DH_KEY_SIZE_E;
- }
+ if (length < ssl->options.minDhKeySz) {
+ WOLFSSL_MSG("Server using a DH key that is too small");
+ SendAlert(ssl, alert_fatal, handshake_failure);
+ return DH_KEY_SIZE_E;
+ }
- ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
- DYNAMIC_TYPE_DH);
+ ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
+ DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_P.buffer)
- ssl->buffers.serverDH_P.length = length;
- else
- return MEMORY_ERROR;
+ if (ssl->buffers.serverDH_P.buffer) {
+ ssl->buffers.serverDH_P.length = length;
+ }
+ else {
+ return MEMORY_ERROR;
+ }
- XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length);
- *inOutIdx += length;
+ XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length);
+ *inOutIdx += length;
- ssl->options.dhKeySz = length;
+ ssl->options.dhKeySz = length;
- /* g */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
+ /* g */
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
+ return BUFFER_ERROR;
+ }
- ato16(input + *inOutIdx, &length);
- *inOutIdx += OPAQUE16_LEN;
+ ato16(input + *inOutIdx, &length);
+ *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
- return BUFFER_ERROR;
+ if ((*inOutIdx - begin) + length > size) {
+ return BUFFER_ERROR;
+ }
- ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap,
- DYNAMIC_TYPE_DH);
+ ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap,
+ DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_G.buffer)
- ssl->buffers.serverDH_G.length = length;
- else
- return MEMORY_ERROR;
+ if (ssl->buffers.serverDH_G.buffer) {
+ ssl->buffers.serverDH_G.length = length;
+ }
+ else {
+ return MEMORY_ERROR;
+ }
- XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length);
- *inOutIdx += length;
+ XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length);
+ *inOutIdx += length;
- /* pub */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
- return BUFFER_ERROR;
+ /* pub */
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
+ return BUFFER_ERROR;
+ }
- ato16(input + *inOutIdx, &length);
- *inOutIdx += OPAQUE16_LEN;
+ ato16(input + *inOutIdx, &length);
+ *inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
- return BUFFER_ERROR;
+ if ((*inOutIdx - begin) + length > size) {
+ return BUFFER_ERROR;
+ }
- ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap,
- DYNAMIC_TYPE_DH);
+ ssl->buffers.serverDH_Pub.buffer =
+ (byte*) XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_Pub.buffer)
- ssl->buffers.serverDH_Pub.length = length;
- else
- return MEMORY_ERROR;
+ if (ssl->buffers.serverDH_Pub.buffer) {
+ ssl->buffers.serverDH_Pub.length = length;
+ }
+ else {
+ return MEMORY_ERROR;
+ }
- XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
- *inOutIdx += length;
+ XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx,
+ length);
+ *inOutIdx += length;
+ break;
} /* dh_kea */
#endif /* NO_DH */
#ifdef HAVE_ECC
- if (ssl->specs.kea == ecc_diffie_hellman_kea)
+ case ecc_diffie_hellman_kea:
{
- byte b;
+ byte b;
- if ((*inOutIdx - begin) + ENUM_LEN + OPAQUE16_LEN + OPAQUE8_LEN > size)
- return BUFFER_ERROR;
-
- b = input[(*inOutIdx)++];
-
- if (b != named_curve)
- return ECC_CURVETYPE_ERROR;
-
- *inOutIdx += 1; /* curve type, eat leading 0 */
- b = input[(*inOutIdx)++];
-
- if (CheckCurveId(b) != 0) {
- return ECC_CURVE_ERROR;
- }
-
- length = input[(*inOutIdx)++];
-
- if ((*inOutIdx - begin) + length > size)
- return BUFFER_ERROR;
-
- if (ssl->peerEccKey == NULL) {
- /* alloc/init on demand */
- ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
- ssl->ctx->heap, DYNAMIC_TYPE_ECC);
- if (ssl->peerEccKey == NULL) {
- WOLFSSL_MSG("PeerEccKey Memory error");
- return MEMORY_E;
+ if ((*inOutIdx - begin) + ENUM_LEN + OPAQUE16_LEN +
+ OPAQUE8_LEN > size) {
+ return BUFFER_ERROR;
}
- wc_ecc_init(ssl->peerEccKey);
- } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
- wc_ecc_free(ssl->peerEccKey);
- ssl->peerEccKeyPresent = 0;
- wc_ecc_init(ssl->peerEccKey);
- }
- if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey) != 0)
- return ECC_PEERKEY_ERROR;
+ b = input[(*inOutIdx)++];
- *inOutIdx += length;
- ssl->peerEccKeyPresent = 1;
+ if (b != named_curve) {
+ return ECC_CURVETYPE_ERROR;
+ }
+
+ *inOutIdx += 1; /* curve type, eat leading 0 */
+ b = input[(*inOutIdx)++];
+
+ if (CheckCurveId(b) != 0) {
+ return ECC_CURVE_ERROR;
+ }
+
+ length = input[(*inOutIdx)++];
+
+ if ((*inOutIdx - begin) + length > size) {
+ return BUFFER_ERROR;
+ }
+
+ if (ssl->peerEccKey == NULL) {
+ /* alloc/init on demand */
+ ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
+ ssl->ctx->heap, DYNAMIC_TYPE_ECC);
+ if (ssl->peerEccKey == NULL) {
+ WOLFSSL_MSG("PeerEccKey Memory error");
+ return MEMORY_E;
+ }
+ wc_ecc_init(ssl->peerEccKey);
+ } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */
+ wc_ecc_free(ssl->peerEccKey);
+ ssl->peerEccKeyPresent = 0;
+ wc_ecc_init(ssl->peerEccKey);
+ }
+
+ if (wc_ecc_import_x963(input + *inOutIdx, length,
+ ssl->peerEccKey) != 0) {
+ return ECC_PEERKEY_ERROR;
+ }
+
+ *inOutIdx += length;
+ ssl->peerEccKeyPresent = 1;
+
+ break;
}
#endif /* HAVE_ECC */
#if !defined(NO_DH) && !defined(NO_PSK)
- if (ssl->specs.kea == dhe_psk_kea) {
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ case dhe_psk_kea:
+ {
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &length);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
return BUFFER_ERROR;
+ }
XMEMCPY(ssl->arrays->server_hint, input + *inOutIdx,
- min(length, MAX_PSK_ID_LEN));
+ min(length, MAX_PSK_ID_LEN));
ssl->arrays->server_hint[min(length, MAX_PSK_ID_LEN - 1)] = 0;
*inOutIdx += length;
/* p */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &length);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
return BUFFER_ERROR;
+ }
if (length < ssl->options.minDhKeySz) {
WOLFSSL_MSG("Server using a DH key that is too small");
@@ -10547,13 +11406,15 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
return DH_KEY_SIZE_E;
}
- ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
+ ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_P.buffer)
+ if (ssl->buffers.serverDH_P.buffer) {
ssl->buffers.serverDH_P.length = length;
- else
+ }
+ else {
return MEMORY_ERROR;
+ }
XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length);
*inOutIdx += length;
@@ -10561,48 +11422,59 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ssl->options.dhKeySz = length;
/* g */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &length);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
return BUFFER_ERROR;
+ }
ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_G.buffer)
+ if (ssl->buffers.serverDH_G.buffer) {
ssl->buffers.serverDH_G.length = length;
- else
+ }
+ else {
return MEMORY_ERROR;
+ }
XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length);
*inOutIdx += length;
/* pub */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &length);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
return BUFFER_ERROR;
+ }
ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_Pub.buffer)
+ if (ssl->buffers.serverDH_Pub.buffer) {
ssl->buffers.serverDH_Pub.length = length;
- else
+ }
+ else {
return MEMORY_ERROR;
+ }
XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length);
*inOutIdx += length;
+
+ break;
}
#endif /* !NO_DH || !NO_PSK */
+ } /* switch() */
#if !defined(NO_DH) || defined(HAVE_ECC)
if (!ssl->options.usingAnon_cipher &&
@@ -10675,22 +11547,25 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
(void)hashAlgo;
/* save message for hash verify */
- if (verifySz > MAX_DH_SZ)
+ if (verifySz > MAX_DH_SZ) {
ERROR_OUT(BUFFER_ERROR, done);
+ }
#ifdef WOLFSSL_SMALL_STACK
messageVerify = (byte*)XMALLOC(MAX_DH_SZ, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (messageVerify == NULL)
+ if (messageVerify == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
#endif
XMEMCPY(messageVerify, input + begin, verifySz);
if (IsAtLeastTLSv1_2(ssl)) {
byte setHash = 0;
- if ((*inOutIdx - begin) + ENUM_LEN + ENUM_LEN > size)
+ if ((*inOutIdx - begin) + ENUM_LEN + ENUM_LEN > size) {
ERROR_OUT(BUFFER_ERROR, done);
+ }
hashAlgo = input[(*inOutIdx)++];
sigAlgo = input[(*inOutIdx)++];
@@ -10745,22 +11620,25 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
}
/* signature */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
ERROR_OUT(BUFFER_ERROR, done);
+ }
ato16(input + *inOutIdx, &length);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
ERROR_OUT(BUFFER_ERROR, done);
+ }
/* inOutIdx updated at the end of the function */
/* verify signature */
#ifdef WOLFSSL_SMALL_STACK
hash = (byte*)XMALLOC(FINISHED_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (hash == NULL)
+ if (hash == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
#endif
#ifndef NO_OLD_TLS
@@ -10768,8 +11646,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
#ifdef WOLFSSL_SMALL_STACK
if (doMd5) {
md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (md5 == NULL)
+ if (md5 == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
}
#endif
if (doMd5) {
@@ -10783,13 +11662,16 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
#ifdef WOLFSSL_SMALL_STACK
if (doSha) {
sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (sha == NULL)
+ if (sha == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
}
#endif
if (doSha) {
ret = wc_InitSha(sha);
- if (ret != 0) goto done;
+ if (ret != 0) {
+ goto done;
+ }
wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN);
wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN);
wc_ShaUpdate(sha, messageVerify, verifySz);
@@ -10804,8 +11686,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha256 == NULL || hash256 == NULL)
+ if (sha256 == NULL || hash256 == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
}
#endif
if (doSha256) {
@@ -10814,9 +11697,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
RAN_LEN))
&& !(ret = wc_Sha256Update(sha256, ssl->arrays->serverRandom,
RAN_LEN))
- && !(ret = wc_Sha256Update(sha256, messageVerify, verifySz)))
+ && !(ret = wc_Sha256Update(sha256, messageVerify, verifySz))) {
ret = wc_Sha256Final(sha256, hash256);
- if (ret != 0) goto done;
+ }
+ if (ret != 0) {
+ goto done;
+ }
}
#endif
@@ -10827,8 +11713,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha384 == NULL || hash384 == NULL)
+ if (sha384 == NULL || hash384 == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
}
#endif
if (doSha384) {
@@ -10837,9 +11724,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
RAN_LEN))
&& !(ret = wc_Sha384Update(sha384, ssl->arrays->serverRandom,
RAN_LEN))
- && !(ret = wc_Sha384Update(sha384, messageVerify, verifySz)))
+ && !(ret = wc_Sha384Update(sha384, messageVerify, verifySz))) {
ret = wc_Sha384Final(sha384, hash384);
- if (ret != 0) goto done;
+ }
+ if (ret != 0) {
+ goto done;
+ }
}
#endif
@@ -10850,8 +11740,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha512 == NULL || hash512 == NULL)
+ if (sha512 == NULL || hash512 == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
}
#endif
if (doSha512) {
@@ -10860,15 +11751,20 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
RAN_LEN))
&& !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom,
RAN_LEN))
- && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz)))
+ && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz))) {
ret = wc_Sha512Final(sha512, hash512);
- if (ret != 0) goto done;
+ }
+ if (ret != 0) {
+ goto done;
+ }
}
#endif
+ switch (sigAlgo)
+ {
#ifndef NO_RSA
/* rsa */
- if (sigAlgo == rsa_sa_algo)
+ case rsa_sa_algo:
{
byte* out = NULL;
byte doUserRsa = 0;
@@ -10879,8 +11775,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
doUserRsa = 1;
#endif /*HAVE_PK_CALLBACKS */
- if (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent)
+ if (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent) {
ERROR_OUT(NO_PEER_KEY, done);
+ }
if (doUserRsa) {
#ifdef HAVE_PK_CALLBACKS
@@ -10892,9 +11789,10 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ssl->RsaVerifyCtx);
#endif /*HAVE_PK_CALLBACKS */
}
- else
+ else {
verifiedSz = wc_RsaSSL_VerifyInline((byte *)input + *inOutIdx,
length, &out, ssl->peerRsaKey);
+ }
if (IsAtLeastTLSv1_2(ssl)) {
word32 encSigSz;
@@ -10945,31 +11843,38 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
#ifdef WOLFSSL_SMALL_STACK
encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (encodedSig == NULL)
+ if (encodedSig == NULL) {
ERROR_OUT(MEMORY_E, done);
+ }
#endif
- if (digest == NULL)
+ if (digest == NULL) {
ERROR_OUT(ALGO_ID_E, done);
+ }
encSigSz = wc_EncodeSignature(encodedSig, digest, digestSz,
typeH);
if (encSigSz != verifiedSz || !out || XMEMCMP(out, encodedSig,
- min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0)
+ min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) {
ret = VERIFY_SIGN_ERROR;
+ }
#ifdef WOLFSSL_SMALL_STACK
XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
- if (ret != 0)
+ if (ret != 0) {
goto done;
+ }
}
else if (verifiedSz != FINISHED_SZ || !out || XMEMCMP(out,
- hash, FINISHED_SZ) != 0)
+ hash, FINISHED_SZ) != 0) {
ERROR_OUT(VERIFY_SIGN_ERROR, done);
- } else
+ }
+ break;
+ }
#endif
#ifdef HAVE_ECC
/* ecdsa */
- if (sigAlgo == ecc_dsa_sa_algo) {
+ case ecc_dsa_sa_algo:
+ {
int verify = 0;
#ifndef NO_OLD_TLS
byte* digest = &hash[MD5_DIGEST_SIZE];
@@ -10981,8 +11886,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
byte doUserEcc = 0;
#ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->EccVerifyCb)
+ if (ssl->ctx->EccVerifyCb) {
doUserEcc = 1;
+ }
#endif
if (!ssl->peerEccDsaKeyPresent)
@@ -11027,12 +11933,15 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ret = wc_ecc_verify_hash(input + *inOutIdx, length,
digest, digestSz, &verify, ssl->peerEccDsaKey);
}
- if (ret != 0 || verify == 0)
+ if (ret != 0 || verify == 0) {
ERROR_OUT(VERIFY_SIGN_ERROR, done);
+ }
+ break;
}
- else
#endif /* HAVE_ECC */
+ default:
ERROR_OUT(ALGO_ID_E, done);
+ } /* switch (sigAlgo) */
/* signature length */
*inOutIdx += length;
@@ -11060,11 +11969,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(messageVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
- if (ret != 0)
+ if (ret != 0) {
return ret;
+ }
}
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
}
@@ -11076,11 +11986,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size, 0)) < 0)
+ size, 0)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -11203,8 +12114,8 @@ int QSH_Init(WOLFSSL* ssl)
return 0;
/* malloc memory for holding generated secret information */
- if ((ssl->QSH_secret =
- XMALLOC(sizeof(QSHSecret), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
+ if ((ssl->QSH_secret = (QSHSecret*)XMALLOC(sizeof(QSHSecret), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
return MEMORY_E;
ssl->QSH_secret->CliSi = (buffer*)XMALLOC(sizeof(buffer), NULL,
@@ -11366,7 +12277,7 @@ static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer)
buf = ssl->QSH_secret->CliSi;
}
buf->length = sz;
- buf->buffer = XMALLOC(sz, buf->buffer, DYNAMIC_TYPE_TMP_BUFFER);
+ buf->buffer = (byte*)XMALLOC(sz, buf->buffer, DYNAMIC_TYPE_TMP_BUFFER);
if (buf->buffer == NULL) {
WOLFSSL_ERROR(MEMORY_E);
}
@@ -11375,7 +12286,8 @@ static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer)
sz = 0;
current = ssl->peerQSHKey;
while (current) {
- schm = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ schm = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
if (schm == NULL)
return MEMORY_E;
@@ -11394,7 +12306,8 @@ static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer)
tmpSz = QSH_MaxSecret(current);
- if ((schm->PK = XMALLOC(tmpSz, 0, DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
+ if ((schm->PK = (byte*)XMALLOC(tmpSz, 0,
+ DYNAMIC_TYPE_TMP_BUFFER)) == NULL)
return -1;
/* store info for writing extension */
@@ -11882,7 +12795,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
}
#endif
- if (ssl->keys.encryptionOn)
+ if (IsEncryptionOn(ssl, 1))
sendSz += MAX_MSG_EXTRA;
#ifdef HAVE_QSH
@@ -11912,7 +12825,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
return MEMORY_E;
/* extension type */
- c16toa(WOLFSSL_QSH, output + idx);
+ c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
@@ -11938,7 +12851,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
XMEMCPY(output + idx, encSecret, encSz);
idx += encSz;
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 1)) {
byte* input;
int inputSz = idx-RECORD_HEADER_SZ; /* buildmsg adds rechdr */
@@ -11953,7 +12866,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
sendSz = BuildMessage(ssl, output, sendSz, input, inputSz,
- handshake);
+ handshake, 1);
XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (sendSz < 0) {
#ifdef WOLFSSL_SMALL_STACK
@@ -12038,7 +12951,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
if (ssl->options.sendVerify == SEND_BLANK_CERT)
return 0; /* sent blank cert, can't verify */
- if (ssl->keys.encryptionOn)
+ if (IsEncryptionOn(ssl, 1))
sendSz += MAX_MSG_EXTRA;
/* check for available size */
@@ -12314,7 +13227,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
}
#endif
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 1)) {
byte* input;
int inputSz = sendSz - RECORD_HEADER_SZ;
/* build msg adds rec hdr */
@@ -12326,7 +13239,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz);
sendSz = BuildMessage(ssl, output,
MAX_CERT_VERIFY_SZ +MAX_MSG_EXTRA,
- input, inputSz, handshake);
+ input, inputSz, handshake, 1);
XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER);
if (sendSz < 0)
@@ -12428,7 +13341,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ssl->session.ticketLen = 0;
}
- if (ssl->keys.encryptionOn) {
+ if (IsEncryptionOn(ssl, 0)) {
*inOutIdx += ssl->keys.padSz;
}
@@ -12476,29 +13389,44 @@ int DoSessionTicket(WOLFSSL* ssl,
ssl->buffers.outputBuffer.length;
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
+ #ifdef WOLFSSL_DTLS
+ if (ssl->options.dtls) {
+ /* Server Hello should use the same sequence number as the
+ * Client Hello. */
+ ssl->keys.dtls_sequence_number = ssl->keys.dtls_state.curSeq;
+ idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
+ sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
+ }
+ #endif /* WOLFSSL_DTLS */
AddHeaders(output, length, server_hello, ssl);
- #ifdef WOLFSSL_DTLS
- if (ssl->options.dtls) {
- idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
- }
- #endif
/* now write to output */
- /* first version */
+ /* first version */
output[idx++] = ssl->version.major;
output[idx++] = ssl->version.minor;
- /* then random */
+ /* then random and session id */
if (!ssl->options.resuming) {
- ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom,
- RAN_LEN);
+ /* generate random part and session id */
+ ret = wc_RNG_GenerateBlock(ssl->rng, output + idx,
+ RAN_LEN + sizeof(sessIdSz) + sessIdSz);
if (ret != 0)
return ret;
- }
- XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN);
- idx += RAN_LEN;
+ /* store info in SSL for later */
+ XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN);
+ idx += RAN_LEN;
+ output[idx++] = sessIdSz;
+ XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz);
+ }
+ else {
+ /* If resuming, use info from SSL */
+ XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN);
+ idx += RAN_LEN;
+ output[idx++] = sessIdSz;
+ XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz);
+ }
+ idx += sessIdSz;
#ifdef SHOW_SECRETS
{
@@ -12509,31 +13437,18 @@ int DoSessionTicket(WOLFSSL* ssl,
printf("\n");
}
#endif
- /* then session id */
- output[idx++] = sessIdSz;
- if (sessIdSz) {
- if (!ssl->options.resuming) {
- ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->sessionID,
- sessIdSz);
- if (ret != 0) return ret;
- }
-
- XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz);
- idx += sessIdSz;
- }
-
- /* then cipher suite */
+ /* then cipher suite */
output[idx++] = ssl->options.cipherSuite0;
output[idx++] = ssl->options.cipherSuite;
- /* then compression */
+ /* then compression */
if (ssl->options.usingCompression)
output[idx++] = ZLIB_COMPRESSION;
else
output[idx++] = NO_COMPRESSION;
- /* last, extensions */
+ /* last, extensions */
#ifdef HAVE_TLS_EXTENSIONS
TLSX_WriteResponse(ssl, output + idx);
#endif
@@ -12550,13 +13465,13 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret != 0)
return ret;
- #ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
- AddPacketName("ServerHello", &ssl->handShakeInfo);
- if (ssl->toInfoOn)
- AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz,
- ssl->heap);
- #endif
+ #ifdef WOLFSSL_CALLBACKS
+ if (ssl->hsInfoOn)
+ AddPacketName("ServerHello", &ssl->handShakeInfo);
+ if (ssl->toInfoOn)
+ AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz,
+ ssl->heap);
+ #endif
ssl->options.serverState = SERVER_HELLO_COMPLETE;
@@ -12618,8 +13533,10 @@ int DoSessionTicket(WOLFSSL* ssl,
#endif
+ switch(ssl->specs.kea)
+ {
#ifndef NO_PSK
- if (ssl->specs.kea == psk_kea)
+ case psk_kea:
{
byte *output;
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
@@ -12628,8 +13545,9 @@ int DoSessionTicket(WOLFSSL* ssl,
/* include size part */
length = (word32)XSTRLEN(ssl->arrays->server_hint);
- if (length > MAX_PSK_ID_LEN)
+ if (length > MAX_PSK_ID_LEN) {
return SERVER_HINT_ERROR;
+ }
length += HINT_LEN_SZ;
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
@@ -12646,8 +13564,9 @@ int DoSessionTicket(WOLFSSL* ssl,
}
#endif
/* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
+ if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
+ return ret;
+ }
/* get ouput buffer */
output = ssl->buffers.outputBuffer.buffer +
@@ -12668,50 +13587,61 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->peerQSHKeyPresent) {
if (qshSz > 0) {
idx = sendSz - qshSz;
- if (QSH_KeyExchangeWrite(ssl, 1) != 0)
+ if (QSH_KeyExchangeWrite(ssl, 1) != 0) {
return MEMORY_E;
+ }
/* extension type */
- c16toa(WOLFSSL_QSH, output + idx);
+ c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx)
- > qshSz - OPAQUE16_LEN)
+ > qshSz - OPAQUE16_LEN) {
return MEMORY_E;
+ }
}
}
#endif
#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
+ if (ssl->options.dtls) {
+ if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) {
return ret;
+ }
+ }
#endif
ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
+ if (ret != 0) {
return ret;
+ }
#ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
+ if (ssl->hsInfoOn) {
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
- if (ssl->toInfoOn)
+ }
+ if (ssl->toInfoOn) {
AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output,
- sendSz, ssl->heap);
+ sendSz, ssl->heap);
+ }
#endif
ssl->buffers.outputBuffer.length += sendSz;
- if (ssl->options.groupMessages)
+ if (ssl->options.groupMessages) {
ret = 0;
- else
+ }
+ else {
ret = SendBuffered(ssl);
+ }
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
+ break;
}
#endif /*NO_PSK */
#if !defined(NO_DH) && !defined(NO_PSK)
- if (ssl->specs.kea == dhe_psk_kea) {
+ case dhe_psk_kea:
+ {
byte *output;
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
word32 hintLen;
@@ -12719,23 +13649,26 @@ int DoSessionTicket(WOLFSSL* ssl,
DhKey dhKey;
if (ssl->buffers.serverDH_P.buffer == NULL ||
- ssl->buffers.serverDH_G.buffer == NULL)
+ ssl->buffers.serverDH_G.buffer == NULL) {
return NO_DH_PARAMS;
+ }
if (ssl->buffers.serverDH_Pub.buffer == NULL) {
ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_Pub.buffer == NULL)
+ if (ssl->buffers.serverDH_Pub.buffer == NULL) {
return MEMORY_E;
+ }
}
if (ssl->buffers.serverDH_Priv.buffer == NULL) {
ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_Priv.buffer == NULL)
+ if (ssl->buffers.serverDH_Priv.buffer == NULL) {
return MEMORY_E;
+ }
}
wc_InitDhKey(&dhKey);
@@ -12743,15 +13676,17 @@ int DoSessionTicket(WOLFSSL* ssl,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
- if (ret == 0)
+ if (ret == 0) {
ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng,
ssl->buffers.serverDH_Priv.buffer,
&ssl->buffers.serverDH_Priv.length,
ssl->buffers.serverDH_Pub.buffer,
&ssl->buffers.serverDH_Pub.length);
+ }
wc_FreeDhKey(&dhKey);
- if (ret != 0)
+ if (ret != 0) {
return ret;
+ }
length = LENGTH_SZ * 3 + /* p, g, pub */
ssl->buffers.serverDH_P.length +
@@ -12760,8 +13695,9 @@ int DoSessionTicket(WOLFSSL* ssl,
/* include size part */
hintLen = (word32)XSTRLEN(ssl->arrays->server_hint);
- if (hintLen > MAX_PSK_ID_LEN)
+ if (hintLen > MAX_PSK_ID_LEN) {
return SERVER_HINT_ERROR;
+ }
length += hintLen + HINT_LEN_SZ;
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
@@ -12777,8 +13713,9 @@ int DoSessionTicket(WOLFSSL* ssl,
#endif
/* check for available size */
- if ((ret = CheckAvailableSize(ssl, sendSz)) != 0)
- return ret;
+ if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
+ return ret;
+ }
/* get ouput buffer */
output = ssl->buffers.outputBuffer.buffer +
@@ -12821,47 +13758,56 @@ int DoSessionTicket(WOLFSSL* ssl,
QSH_KeyExchangeWrite(ssl, 1);
/* extension type */
- c16toa(WOLFSSL_QSH, output + idx);
+ c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx)
- > qshSz - OPAQUE16_LEN)
+ > qshSz - OPAQUE16_LEN) {
return MEMORY_E;
+ }
}
}
#endif
#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
+ if (ssl->options.dtls) {
+ if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) {
return ret;
+ }
+ }
#endif
ret = HashOutput(ssl, output, sendSz, 0);
- if (ret != 0)
+ if (ret != 0) {
return ret;
+ }
#ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
+ if (ssl->hsInfoOn) {
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
- if (ssl->toInfoOn)
+ }
+ if (ssl->toInfoOn) {
AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output,
- sendSz, ssl->heap);
+ sendSz, ssl->heap);
+ }
#endif
ssl->buffers.outputBuffer.length += sendSz;
- if (ssl->options.groupMessages)
+ if (ssl->options.groupMessages) {
ret = 0;
- else
+ }
+ else {
ret = SendBuffered(ssl);
+ }
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
+ break;
}
#endif /* !NO_DH && !NO_PSK */
#ifdef HAVE_ECC
- if (ssl->specs.kea == ecc_diffie_hellman_kea)
+ case ecc_diffie_hellman_kea:
{
byte *output;
word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
@@ -12894,7 +13840,7 @@ int DoSessionTicket(WOLFSSL* ssl,
#endif
if (ssl->specs.static_ecdh) {
- WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchagne");
+ WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchange");
return 0;
}
@@ -12907,7 +13853,7 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->eccTempKey == NULL) {
/* alloc/init on demand */
ssl->eccTempKey = (ecc_key*)XMALLOC(sizeof(ecc_key),
- ssl->ctx->heap, DYNAMIC_TYPE_ECC);
+ ssl->ctx->heap, DYNAMIC_TYPE_ECC);
if (ssl->eccTempKey == NULL) {
WOLFSSL_MSG("EccTempKey Memory error");
return MEMORY_E;
@@ -12924,13 +13870,15 @@ int DoSessionTicket(WOLFSSL* ssl,
#ifdef WOLFSSL_SMALL_STACK
exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ, NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (exportBuf == NULL)
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (exportBuf == NULL) {
return MEMORY_E;
+ }
#endif
- if (wc_ecc_export_x963(ssl->eccTempKey, exportBuf, &expSz) != 0)
+ if (wc_ecc_export_x963(ssl->eccTempKey, exportBuf, &expSz) != 0) {
ERROR_OUT(ECC_EXPORT_ERROR, done_a);
+ }
length += expSz;
preSigSz = length;
@@ -12938,8 +13886,9 @@ int DoSessionTicket(WOLFSSL* ssl,
#ifndef NO_RSA
ret = wc_InitRsaKey(&rsaKey, ssl->heap);
- if (ret != 0)
+ if (ret != 0) {
goto done_a;
+ }
#endif
wc_ecc_init(&dsaKey);
@@ -12961,8 +13910,9 @@ int DoSessionTicket(WOLFSSL* ssl,
word32 i = 0;
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&rsaKey, ssl->buffers.key.length);
- if (ret != 0)
+ if (ret != 0) {
goto done_a;
+ }
sigSz = wc_RsaEncryptSize(&rsaKey);
} else
#endif
@@ -12972,8 +13922,9 @@ int DoSessionTicket(WOLFSSL* ssl,
word32 i = 0;
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&dsaKey, ssl->buffers.key.length);
- if (ret != 0)
+ if (ret != 0) {
goto done_a;
+ }
sigSz = wc_ecc_sig_size(&dsaKey); /* worst case estimate */
}
else {
@@ -12985,8 +13936,9 @@ int DoSessionTicket(WOLFSSL* ssl,
}
length += sigSz;
- if (IsAtLeastTLSv1_2(ssl))
+ if (IsAtLeastTLSv1_2(ssl)) {
length += HASH_SIG_SIZE;
+ }
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
@@ -13091,9 +14043,10 @@ int DoSessionTicket(WOLFSSL* ssl,
is */
#ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE,
- ssl->fuzzerCtx);
+ if (ssl->fuzzerCb) {
+ ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz,
+ FUZZ_SIGNATURE, ssl->fuzzerCtx);
+ }
#endif
/* do signature */
@@ -13142,9 +14095,10 @@ int DoSessionTicket(WOLFSSL* ssl,
#ifdef WOLFSSL_SMALL_STACK
hash = (byte*)XMALLOC(FINISHED_SZ, NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (hash == NULL)
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (hash == NULL) {
ERROR_OUT(MEMORY_E, done_a);
+ }
#endif
#ifndef NO_OLD_TLS
@@ -13153,8 +14107,9 @@ int DoSessionTicket(WOLFSSL* ssl,
if (doMd5) {
md5 = (Md5*)XMALLOC(sizeof(Md5), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (md5 == NULL)
+ if (md5 == NULL) {
ERROR_OUT(MEMORY_E, done_a2);
+ }
}
#endif
if (doMd5) {
@@ -13169,13 +14124,16 @@ int DoSessionTicket(WOLFSSL* ssl,
if (doSha) {
sha = (Sha*)XMALLOC(sizeof(Sha), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha == NULL)
+ if (sha == NULL) {
ERROR_OUT(MEMORY_E, done_a2);
+ }
}
#endif
if (doSha) {
ret = wc_InitSha(sha);
- if (ret != 0) goto done_a2;
+ if (ret != 0) {
+ goto done_a2;
+ }
wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN);
wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN);
wc_ShaUpdate(sha, output + preSigIdx, preSigSz);
@@ -13190,22 +14148,25 @@ int DoSessionTicket(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha256 == NULL || hash256 == NULL)
+ if (sha256 == NULL || hash256 == NULL) {
ERROR_OUT(MEMORY_E, done_a2);
+ }
}
#endif
if (doSha256) {
if (!(ret = wc_InitSha256(sha256))
&& !(ret = wc_Sha256Update(sha256,
- ssl->arrays->clientRandom, RAN_LEN))
+ ssl->arrays->clientRandom, RAN_LEN))
&& !(ret = wc_Sha256Update(sha256,
- ssl->arrays->serverRandom, RAN_LEN))
+ ssl->arrays->serverRandom, RAN_LEN))
&& !(ret = wc_Sha256Update(sha256,
- output + preSigIdx, preSigSz)))
+ output + preSigIdx, preSigSz))) {
ret = wc_Sha256Final(sha256, hash256);
-
- if (ret != 0) goto done_a2;
+ }
+ if (ret != 0) {
+ goto done_a2;
+ }
}
#endif
@@ -13216,22 +14177,25 @@ int DoSessionTicket(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha384 == NULL || hash384 == NULL)
+ if (sha384 == NULL || hash384 == NULL) {
ERROR_OUT(MEMORY_E, done_a2);
+ }
}
#endif
if (doSha384) {
if (!(ret = wc_InitSha384(sha384))
&& !(ret = wc_Sha384Update(sha384,
- ssl->arrays->clientRandom, RAN_LEN))
+ ssl->arrays->clientRandom, RAN_LEN))
&& !(ret = wc_Sha384Update(sha384,
- ssl->arrays->serverRandom, RAN_LEN))
+ ssl->arrays->serverRandom, RAN_LEN))
&& !(ret = wc_Sha384Update(sha384,
- output + preSigIdx, preSigSz)))
+ output + preSigIdx, preSigSz))) {
ret = wc_Sha384Final(sha384, hash384);
-
- if (ret != 0) goto done_a2;
+ }
+ if (ret != 0) {
+ goto done_a2;
+ }
}
#endif
@@ -13242,22 +14206,25 @@ int DoSessionTicket(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha512 == NULL || hash512 == NULL)
+ if (sha512 == NULL || hash512 == NULL) {
ERROR_OUT(MEMORY_E, done_a2);
+ }
}
#endif
if (doSha512) {
if (!(ret = wc_InitSha512(sha512))
&& !(ret = wc_Sha512Update(sha512,
- ssl->arrays->clientRandom, RAN_LEN))
+ ssl->arrays->clientRandom, RAN_LEN))
&& !(ret = wc_Sha512Update(sha512,
- ssl->arrays->serverRandom, RAN_LEN))
+ ssl->arrays->serverRandom, RAN_LEN))
&& !(ret = wc_Sha512Update(sha512,
- output + preSigIdx, preSigSz)))
+ output + preSigIdx, preSigSz))) {
ret = wc_Sha512Final(sha512, hash512);
-
- if (ret != 0) goto done_a2;
+ }
+ if (ret != 0) {
+ goto done_a2;
+ }
}
#endif
@@ -13279,9 +14246,10 @@ int DoSessionTicket(WOLFSSL* ssl,
#ifdef WOLFSSL_SMALL_STACK
encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (encodedSig == NULL)
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (encodedSig == NULL) {
ERROR_OUT(MEMORY_E, done_a2);
+ }
#endif
if (IsAtLeastTLSv1_2(ssl)) {
@@ -13338,13 +14306,13 @@ int DoSessionTicket(WOLFSSL* ssl,
}
else {
ret = wc_RsaSSL_Sign(signBuffer, signSz, output + idx,
- sigSz, &rsaKey, ssl->rng);
+ sigSz, &rsaKey, ssl->rng);
}
if (ret > 0) {
/* check for signature faults */
ret = VerifyRsaSign(output + idx, ret,
- signBuffer, signSz, &rsaKey);
+ signBuffer, signSz, &rsaKey);
}
wc_FreeRsaKey(&rsaKey);
wc_ecc_free(&dsaKey);
@@ -13353,8 +14321,9 @@ int DoSessionTicket(WOLFSSL* ssl,
XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
- if (ret < 0)
+ if (ret < 0) {
goto done_a2;
+ }
} else
#endif
@@ -13370,8 +14339,9 @@ int DoSessionTicket(WOLFSSL* ssl,
byte doUserEcc = 0;
#if defined(HAVE_PK_CALLBACKS) && defined(HAVE_ECC)
- if (ssl->ctx->EccSignCb)
+ if (ssl->ctx->EccSignCb) {
doUserEcc = 1;
+ }
#endif
if (IsAtLeastTLSv1_2(ssl)) {
@@ -13404,7 +14374,8 @@ int DoSessionTicket(WOLFSSL* ssl,
if (doUserEcc) {
#if defined(HAVE_PK_CALLBACKS) && defined(HAVE_ECC)
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
- output + LENGTH_SZ + idx, &sz,
+ output + LENGTH_SZ + idx,
+ &sz,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->EccSignCtx);
@@ -13412,15 +14383,16 @@ int DoSessionTicket(WOLFSSL* ssl,
}
else {
ret = wc_ecc_sign_hash(digest, digestSz,
- output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey);
+ output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey);
}
#ifndef NO_RSA
wc_FreeRsaKey(&rsaKey);
#endif
wc_ecc_free(&dsaKey);
- if (ret < 0)
+ if (ret < 0) {
goto done_a2;
+ }
/* Now that we know the real sig size, write it. */
c16toa((word16)sz, output + idx);
@@ -13462,13 +14434,14 @@ int DoSessionTicket(WOLFSSL* ssl,
QSH_KeyExchangeWrite(ssl, 1);
/* extension type */
- c16toa(WOLFSSL_QSH, output + idx);
+ c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx)
- > qshSz - OPAQUE16_LEN)
+ > qshSz - OPAQUE16_LEN) {
return MEMORY_E;
+ }
}
}
#endif
@@ -13477,27 +14450,34 @@ int DoSessionTicket(WOLFSSL* ssl,
AddHeaders(output, length, server_key_exchange, ssl);
#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
+ if (ssl->options.dtls) {
+ if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) {
goto done_a;
+ }
+ }
#endif
- if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0)
+ if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) {
goto done_a;
+ }
#ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
+ if (ssl->hsInfoOn) {
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
- if (ssl->toInfoOn)
+ }
+ if (ssl->toInfoOn) {
AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo,
output, sendSz, ssl->heap);
+ }
#endif
ssl->buffers.outputBuffer.length += sendSz;
- if (ssl->options.groupMessages)
+ if (ssl->options.groupMessages) {
ret = 0;
- else
+ }
+ else {
ret = SendBuffered(ssl);
+ }
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
done_a:
@@ -13510,7 +14490,8 @@ int DoSessionTicket(WOLFSSL* ssl,
#endif /* HAVE_ECC */
#if !defined(NO_DH) && !defined(NO_RSA)
- if (ssl->specs.kea == diffie_hellman_kea) {
+ case diffie_hellman_kea:
+ {
byte *output;
word32 length = 0, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ;
int sendSz;
@@ -13520,23 +14501,26 @@ int DoSessionTicket(WOLFSSL* ssl,
DhKey dhKey;
if (ssl->buffers.serverDH_P.buffer == NULL ||
- ssl->buffers.serverDH_G.buffer == NULL)
+ ssl->buffers.serverDH_G.buffer == NULL) {
return NO_DH_PARAMS;
+ }
if (ssl->buffers.serverDH_Pub.buffer == NULL) {
ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC(
ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_Pub.buffer == NULL)
+ if (ssl->buffers.serverDH_Pub.buffer == NULL) {
return MEMORY_E;
+ }
}
if (ssl->buffers.serverDH_Priv.buffer == NULL) {
ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC(
ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap,
DYNAMIC_TYPE_DH);
- if (ssl->buffers.serverDH_Priv.buffer == NULL)
+ if (ssl->buffers.serverDH_Priv.buffer == NULL) {
return MEMORY_E;
+ }
}
wc_InitDhKey(&dhKey);
@@ -13544,15 +14528,18 @@ int DoSessionTicket(WOLFSSL* ssl,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
- if (ret == 0)
+ if (ret == 0) {
ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng,
ssl->buffers.serverDH_Priv.buffer,
&ssl->buffers.serverDH_Priv.length,
ssl->buffers.serverDH_Pub.buffer,
&ssl->buffers.serverDH_Pub.length);
+ }
wc_FreeDhKey(&dhKey);
- if (ret != 0) return ret;
+ if (ret != 0) {
+ return ret;
+ }
length = LENGTH_SZ * 3; /* p, g, pub */
length += ssl->buffers.serverDH_P.length +
@@ -13564,16 +14551,19 @@ int DoSessionTicket(WOLFSSL* ssl,
if (!ssl->options.usingAnon_cipher) {
ret = wc_InitRsaKey(&rsaKey, ssl->heap);
- if (ret != 0) return ret;
+ if (ret != 0) {
+ return ret;
+ }
/* sig length */
length += LENGTH_SZ;
- if (!ssl->buffers.key.buffer)
+ if (!ssl->buffers.key.buffer) {
return NO_PRIVATE_KEY;
+ }
- ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i, &rsaKey,
- ssl->buffers.key.length);
+ ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
+ &rsaKey, ssl->buffers.key.length);
if (ret == 0) {
sigSz = wc_RsaEncryptSize(&rsaKey);
length += sigSz;
@@ -13583,8 +14573,9 @@ int DoSessionTicket(WOLFSSL* ssl,
return ret;
}
- if (IsAtLeastTLSv1_2(ssl))
+ if (IsAtLeastTLSv1_2(ssl)) {
length += HASH_SIG_SIZE;
+ }
}
sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
@@ -13603,8 +14594,9 @@ int DoSessionTicket(WOLFSSL* ssl,
/* check for available size */
if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) {
- if (!ssl->options.usingAnon_cipher)
+ if (!ssl->options.usingAnon_cipher) {
wc_FreeRsaKey(&rsaKey);
+ }
return ret;
}
@@ -13636,9 +14628,10 @@ int DoSessionTicket(WOLFSSL* ssl,
idx += ssl->buffers.serverDH_Pub.length;
#ifdef HAVE_FUZZER
- if (ssl->fuzzerCb)
- ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE,
- ssl->fuzzerCtx);
+ if (ssl->fuzzerCb) {
+ ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz,
+ FUZZ_SIGNATURE, ssl->fuzzerCtx);
+ }
#endif
/* Add signature */
@@ -13764,11 +14757,12 @@ int DoSessionTicket(WOLFSSL* ssl,
/* do signature */
#ifdef WOLFSSL_SMALL_STACK
hash = (byte*)XMALLOC(FINISHED_SZ, NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (hash == NULL)
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (hash == NULL) {
return MEMORY_E; /* No heap commitment before this point,
from now on, the resources are freed
at done_b. */
+ }
#endif
#ifndef NO_OLD_TLS
@@ -13777,8 +14771,9 @@ int DoSessionTicket(WOLFSSL* ssl,
if (doMd5) {
md5 = (Md5*)XMALLOC(sizeof(Md5), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (md5 == NULL)
+ if (md5 == NULL) {
ERROR_OUT(MEMORY_E, done_b);
+ }
}
#endif
if (doMd5) {
@@ -13794,14 +14789,16 @@ int DoSessionTicket(WOLFSSL* ssl,
if (doSha) {
sha = (Sha*)XMALLOC(sizeof(Sha), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha == NULL)
+ if (sha == NULL) {
ERROR_OUT(MEMORY_E, done_b);
+ }
}
#endif
if (doSha) {
- if ((ret = wc_InitSha(sha)) != 0)
+ if ((ret = wc_InitSha(sha)) != 0) {
goto done_b;
+ }
wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN);
wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN);
wc_ShaUpdate(sha, output + preSigIdx, preSigSz);
@@ -13816,22 +14813,25 @@ int DoSessionTicket(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha256 == NULL || hash256 == NULL)
+ if (sha256 == NULL || hash256 == NULL) {
ERROR_OUT(MEMORY_E, done_b);
+ }
}
#endif
if (doSha256) {
if (!(ret = wc_InitSha256(sha256))
&& !(ret = wc_Sha256Update(sha256,
- ssl->arrays->clientRandom, RAN_LEN))
+ ssl->arrays->clientRandom, RAN_LEN))
&& !(ret = wc_Sha256Update(sha256,
- ssl->arrays->serverRandom, RAN_LEN))
+ ssl->arrays->serverRandom, RAN_LEN))
&& !(ret = wc_Sha256Update(sha256,
- output + preSigIdx, preSigSz)))
+ output + preSigIdx, preSigSz))) {
ret = wc_Sha256Final(sha256, hash256);
-
- if (ret != 0) goto done_b;
+ }
+ if (ret != 0) {
+ goto done_b;
+ }
}
#endif
@@ -13841,23 +14841,26 @@ int DoSessionTicket(WOLFSSL* ssl,
sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (sha384 == NULL || hash384 == NULL)
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (sha384 == NULL || hash384 == NULL) {
ERROR_OUT(MEMORY_E, done_b);
+ }
}
#endif
if (doSha384) {
if (!(ret = wc_InitSha384(sha384))
&& !(ret = wc_Sha384Update(sha384,
- ssl->arrays->clientRandom, RAN_LEN))
+ ssl->arrays->clientRandom, RAN_LEN))
&& !(ret = wc_Sha384Update(sha384,
- ssl->arrays->serverRandom, RAN_LEN))
+ ssl->arrays->serverRandom, RAN_LEN))
&& !(ret = wc_Sha384Update(sha384,
- output + preSigIdx, preSigSz)))
+ output + preSigIdx, preSigSz))) {
ret = wc_Sha384Final(sha384, hash384);
-
- if (ret != 0) goto done_b;
+ }
+ if (ret != 0) {
+ goto done_b;
+ }
}
#endif
@@ -13868,22 +14871,25 @@ int DoSessionTicket(WOLFSSL* ssl,
DYNAMIC_TYPE_TMP_BUFFER);
hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (sha512 == NULL || hash512 == NULL)
+ if (sha512 == NULL || hash512 == NULL) {
ERROR_OUT(MEMORY_E, done_b);
+ }
}
#endif
if (doSha512) {
if (!(ret = wc_InitSha512(sha512))
&& !(ret = wc_Sha512Update(sha512,
- ssl->arrays->clientRandom, RAN_LEN))
+ ssl->arrays->clientRandom, RAN_LEN))
&& !(ret = wc_Sha512Update(sha512,
- ssl->arrays->serverRandom, RAN_LEN))
+ ssl->arrays->serverRandom, RAN_LEN))
&& !(ret = wc_Sha512Update(sha512,
- output + preSigIdx, preSigSz)))
+ output + preSigIdx, preSigSz))) {
ret = wc_Sha512Final(sha512, hash512);
-
- if (ret != 0) goto done_b;
+ }
+ if (ret != 0) {
+ goto done_b;
+ }
}
#endif
@@ -13899,21 +14905,22 @@ int DoSessionTicket(WOLFSSL* ssl,
byte doUserRsa = 0;
#ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaSignCb)
+ if (ssl->ctx->RsaSignCb) {
doUserRsa = 1;
- #endif
-
- #ifdef WOLFSSL_SMALL_STACK
- encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
- if (encodedSig == NULL)
- ERROR_OUT(MEMORY_E, done_b);
+ }
#endif
if (IsAtLeastTLSv1_2(ssl)) {
byte* digest = &hash[MD5_DIGEST_SIZE];
int typeH = SHAh;
int digestSz = SHA_DIGEST_SIZE;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (encodedSig == NULL)
+ ERROR_OUT(MEMORY_E, done_b);
+ #endif
if (ssl->suites->hashAlgo == sha256_mac) {
#ifndef NO_SHA256
@@ -13994,7 +15001,9 @@ int DoSessionTicket(WOLFSSL* ssl,
#endif
#endif
- if (ret < 0) return ret;
+ if (ret < 0) {
+ return ret;
+ }
}
#ifdef HAVE_QSH
@@ -14004,42 +15013,54 @@ int DoSessionTicket(WOLFSSL* ssl,
QSH_KeyExchangeWrite(ssl, 1);
/* extension type */
- c16toa(WOLFSSL_QSH, output + idx);
+ c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx);
idx += OPAQUE16_LEN;
/* write to output and check amount written */
if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx)
- > qshSz - OPAQUE16_LEN)
+ > qshSz - OPAQUE16_LEN) {
return MEMORY_E;
+ }
}
}
#endif
#ifdef WOLFSSL_DTLS
- if (ssl->options.dtls)
- if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0)
+ if (ssl->options.dtls) {
+ if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) {
return ret;
+ }
+ }
#endif
- if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0)
+ if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) {
return ret;
+ }
#ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
+ if (ssl->hsInfoOn) {
AddPacketName("ServerKeyExchange", &ssl->handShakeInfo);
- if (ssl->toInfoOn)
+ }
+ if (ssl->toInfoOn) {
AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo,
output, sendSz, ssl->heap);
+ }
#endif
ssl->buffers.outputBuffer.length += sendSz;
- if (ssl->options.groupMessages)
+ if (ssl->options.groupMessages) {
ret = 0;
- else
+ }
+ else {
ret = SendBuffered(ssl);
+ }
ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE;
+ break;
}
#endif /* NO_DH */
+ default:
+ break;
+ } /* switch(ssl->specs.kea) */
return ret;
#undef ERROR_OUT
@@ -14284,7 +15305,7 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(&input[idx], &clSuites.suiteSz);
idx += 2;
- if (clSuites.suiteSz > MAX_SUITE_SZ)
+ if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
return BUFFER_ERROR;
clSuites.hashSigAlgoSz = 0;
@@ -14420,7 +15441,7 @@ int DoSessionTicket(WOLFSSL* ssl,
#error "DTLS needs either SHA or SHA-256"
#endif /* NO_SHA && NO_SHA256 */
- #ifndef NO_SHA
+ #if !defined(NO_SHA) && defined(NO_SHA256)
cookieType = SHA;
cookieSz = SHA_DIGEST_SIZE;
#endif /* NO_SHA */
@@ -14447,8 +15468,8 @@ int DoSessionTicket(WOLFSSL* ssl,
&& ssl->version.minor != DTLSv1_2_MINOR && pv.minor != DTLS_MINOR
&& pv.minor != DTLSv1_2_MINOR)) {
- byte haveRSA = 0;
- byte havePSK = 0;
+ word16 haveRSA = 0;
+ word16 havePSK = 0;
if (!ssl->options.downgrade) {
WOLFSSL_MSG("Client trying to connect with lesser version");
@@ -14566,7 +15587,7 @@ int DoSessionTicket(WOLFSSL* ssl,
if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz)
return BUFFER_ERROR;
- if (clSuites.suiteSz > MAX_SUITE_SZ)
+ if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ)
return BUFFER_ERROR;
XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz);
@@ -15228,6 +16249,9 @@ int DoSessionTicket(WOLFSSL* ssl,
output = ssl->buffers.outputBuffer.buffer +
ssl->buffers.outputBuffer.length;
+ /* Hello Verify Request should use the same sequence number as the
+ * Client Hello. */
+ ssl->keys.dtls_sequence_number = ssl->keys.dtls_state.curSeq;
AddHeaders(output, length, hello_verify_request, ssl);
{
DtlsRecordLayerHeader* rh = (DtlsRecordLayerHeader*)output;
@@ -15289,18 +16313,21 @@ int DoSessionTicket(WOLFSSL* ssl,
}
#ifndef NO_CERTS
- if (ssl->options.verifyPeer && ssl->options.failNoCert)
+ if (ssl->options.verifyPeer && ssl->options.failNoCert) {
if (!ssl->options.havePeerCert) {
WOLFSSL_MSG("client didn't present peer cert");
return NO_PEER_CERT;
}
+ }
#endif
#ifdef WOLFSSL_CALLBACKS
- if (ssl->hsInfoOn)
+ if (ssl->hsInfoOn) {
AddPacketName("ClientKeyExchange", &ssl->handShakeInfo);
- if (ssl->toInfoOn)
+ }
+ if (ssl->toInfoOn) {
AddLateName("ClientKeyExchange", &ssl->timeoutInfo);
+ }
#endif
switch (ssl->specs.kea) {
@@ -15312,18 +16339,22 @@ int DoSessionTicket(WOLFSSL* ssl,
byte doUserRsa = 0;
#ifdef HAVE_PK_CALLBACKS
- if (ssl->ctx->RsaDecCb)
+ if (ssl->ctx->RsaDecCb) {
doUserRsa = 1;
+ }
#endif
ret = wc_InitRsaKey(&key, ssl->heap);
- if (ret != 0) return ret;
+ if (ret != 0) {
+ return ret;
+ }
- if (ssl->buffers.key.buffer)
- ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx,
- &key, ssl->buffers.key.length);
- else
+ if (!ssl->buffers.key.buffer) {
return NO_PRIVATE_KEY;
+ }
+
+ ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx,
+ &key, ssl->buffers.key.length);
if (ret == 0) {
length = wc_RsaEncryptSize(&key);
@@ -15332,8 +16363,9 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->options.tls) {
word16 check;
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &check);
*inOutIdx += OPAQUE16_LEN;
@@ -15372,8 +16404,9 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->arrays->preMasterSecret[0] !=
ssl->chVersion.major
|| ssl->arrays->preMasterSecret[1] !=
- ssl->chVersion.minor)
+ ssl->chVersion.minor) {
ret = PMS_VERSION_ERROR;
+ }
else
{
#ifdef HAVE_QSH
@@ -15382,13 +16415,14 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the
length of buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input
+ *inOutIdx, size - *inOutIdx
- + begin, 1)) < 0)
+ + begin, 1)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -15416,17 +16450,20 @@ int DoSessionTicket(WOLFSSL* ssl,
byte* pms = ssl->arrays->preMasterSecret;
word16 ci_sz;
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &ci_sz);
*inOutIdx += OPAQUE16_LEN;
- if (ci_sz > MAX_PSK_ID_LEN)
+ if (ci_sz > MAX_PSK_ID_LEN) {
return CLIENT_ID_ERROR;
+ }
- if ((*inOutIdx - begin) + ci_sz > size)
+ if ((*inOutIdx - begin) + ci_sz > size) {
return BUFFER_ERROR;
+ }
XMEMCPY(ssl->arrays->client_identity, input + *inOutIdx, ci_sz);
*inOutIdx += ci_sz;
@@ -15437,8 +16474,9 @@ int DoSessionTicket(WOLFSSL* ssl,
MAX_PSK_KEY_LEN);
if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
+ ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
return PSK_KEY_ERROR;
+ }
/* make psk pre master secret */
/* length of key + length 0s + length of key + key */
@@ -15460,12 +16498,13 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size - *inOutIdx + begin, 1)) < 0)
+ size - *inOutIdx + begin, 1)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -15489,30 +16528,36 @@ int DoSessionTicket(WOLFSSL* ssl,
word16 cipherLen;
word16 plainLen = sizeof(ssl->arrays->preMasterSecret);
- if (!ssl->buffers.key.buffer)
+ if (!ssl->buffers.key.buffer) {
return NO_PRIVATE_KEY;
+ }
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &cipherLen);
*inOutIdx += OPAQUE16_LEN;
- if (cipherLen > MAX_NTRU_ENCRYPT_SZ)
+ if (cipherLen > MAX_NTRU_ENCRYPT_SZ) {
return NTRU_KEY_ERROR;
+ }
- if ((*inOutIdx - begin) + cipherLen > size)
+ if ((*inOutIdx - begin) + cipherLen > size) {
return BUFFER_ERROR;
+ }
if (NTRU_OK != ntru_crypto_ntru_decrypt(
(word16) ssl->buffers.key.length,
ssl->buffers.key.buffer, cipherLen,
input + *inOutIdx, &plainLen,
- ssl->arrays->preMasterSecret))
+ ssl->arrays->preMasterSecret)) {
return NTRU_DECRYPT_ERROR;
+ }
- if (plainLen != SECRET_LEN)
+ if (plainLen != SECRET_LEN) {
return NTRU_DECRYPT_ERROR;
+ }
*inOutIdx += cipherLen;
@@ -15522,12 +16567,13 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size - *inOutIdx + begin, 1)) < 0)
+ size - *inOutIdx + begin, 1)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -15545,13 +16591,15 @@ int DoSessionTicket(WOLFSSL* ssl,
#ifdef HAVE_ECC
case ecc_diffie_hellman_kea:
{
- if ((*inOutIdx - begin) + OPAQUE8_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE8_LEN > size) {
return BUFFER_ERROR;
+ }
length = input[(*inOutIdx)++];
- if ((*inOutIdx - begin) + length > size)
+ if ((*inOutIdx - begin) + length > size) {
return BUFFER_ERROR;
+ }
if (ssl->peerEccKey == NULL) {
/* alloc/init on demand */
@@ -15568,8 +16616,9 @@ int DoSessionTicket(WOLFSSL* ssl,
wc_ecc_init(ssl->peerEccKey);
}
- if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey))
+ if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey)) {
return ECC_PEERKEY_ERROR;
+ }
*inOutIdx += length;
ssl->peerEccKeyPresent = 1;
@@ -15584,9 +16633,10 @@ int DoSessionTicket(WOLFSSL* ssl,
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&staticKey, ssl->buffers.key.length);
- if (ret == 0)
+ if (ret == 0) {
ret = wc_ecc_shared_secret(&staticKey, ssl->peerEccKey,
ssl->arrays->preMasterSecret, &length);
+ }
wc_ecc_free(&staticKey);
}
@@ -15600,8 +16650,9 @@ int DoSessionTicket(WOLFSSL* ssl,
}
}
- if (ret != 0)
+ if (ret != 0) {
return ECC_SHARED_ERROR;
+ }
ssl->arrays->preMasterSz = length;
#ifdef HAVE_QSH
@@ -15610,12 +16661,13 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size - *inOutIdx + begin, 1)) < 0)
+ size - *inOutIdx + begin, 1)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -15635,26 +16687,29 @@ int DoSessionTicket(WOLFSSL* ssl,
word16 clientPubSz;
DhKey dhKey;
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &clientPubSz);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + clientPubSz > size)
+ if ((*inOutIdx - begin) + clientPubSz > size) {
return BUFFER_ERROR;
+ }
wc_InitDhKey(&dhKey);
ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
- if (ret == 0)
+ if (ret == 0) {
ret = wc_DhAgree(&dhKey, ssl->arrays->preMasterSecret,
&ssl->arrays->preMasterSz,
ssl->buffers.serverDH_Priv.buffer,
ssl->buffers.serverDH_Priv.length,
input + *inOutIdx, clientPubSz);
+ }
wc_FreeDhKey(&dhKey);
*inOutIdx += clientPubSz;
@@ -15665,12 +16720,13 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size - *inOutIdx + begin, 1)) < 0)
+ size - *inOutIdx + begin, 1)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -15680,8 +16736,9 @@ int DoSessionTicket(WOLFSSL* ssl,
}
}
#endif
- if (ret == 0)
+ if (ret == 0) {
ret = MakeMasterSecret(ssl);
+ }
}
break;
#endif /* NO_DH */
@@ -15693,16 +16750,19 @@ int DoSessionTicket(WOLFSSL* ssl,
DhKey dhKey;
/* Read in the PSK hint */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &clientSz);
*inOutIdx += OPAQUE16_LEN;
- if (clientSz > MAX_PSK_ID_LEN)
+ if (clientSz > MAX_PSK_ID_LEN) {
return CLIENT_ID_ERROR;
+ }
- if ((*inOutIdx - begin) + clientSz > size)
+ if ((*inOutIdx - begin) + clientSz > size) {
return BUFFER_ERROR;
+ }
XMEMCPY(ssl->arrays->client_identity,
input + *inOutIdx, clientSz);
@@ -15711,26 +16771,29 @@ int DoSessionTicket(WOLFSSL* ssl,
0;
/* Read in the DHE business */
- if ((*inOutIdx - begin) + OPAQUE16_LEN > size)
+ if ((*inOutIdx - begin) + OPAQUE16_LEN > size) {
return BUFFER_ERROR;
+ }
ato16(input + *inOutIdx, &clientSz);
*inOutIdx += OPAQUE16_LEN;
- if ((*inOutIdx - begin) + clientSz > size)
+ if ((*inOutIdx - begin) + clientSz > size) {
return BUFFER_ERROR;
+ }
wc_InitDhKey(&dhKey);
ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer,
ssl->buffers.serverDH_P.length,
ssl->buffers.serverDH_G.buffer,
ssl->buffers.serverDH_G.length);
- if (ret == 0)
+ if (ret == 0) {
ret = wc_DhAgree(&dhKey, pms + OPAQUE16_LEN,
&ssl->arrays->preMasterSz,
ssl->buffers.serverDH_Priv.buffer,
ssl->buffers.serverDH_Priv.length,
input + *inOutIdx, clientSz);
+ }
wc_FreeDhKey(&dhKey);
*inOutIdx += clientSz;
@@ -15745,8 +16808,9 @@ int DoSessionTicket(WOLFSSL* ssl,
MAX_PSK_KEY_LEN);
if (ssl->arrays->psk_keySz == 0 ||
- ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN)
+ ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) {
return PSK_KEY_ERROR;
+ }
c16toa((word16) ssl->arrays->psk_keySz, pms);
pms += OPAQUE16_LEN;
@@ -15760,12 +16824,13 @@ int DoSessionTicket(WOLFSSL* ssl,
ato16(input + *inOutIdx, &name);
*inOutIdx += OPAQUE16_LEN;
- if (name == WOLFSSL_QSH) {
+ if (name == TLSX_QUANTUM_SAFE_HYBRID) {
/* if qshSz is larger than 0 it is the length of
buffer used */
if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx,
- size - *inOutIdx + begin, 1)) < 0)
+ size - *inOutIdx + begin, 1)) < 0) {
return qshSz;
+ }
*inOutIdx += qshSz;
}
else {
@@ -15799,8 +16864,9 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ret == 0) {
ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
#ifndef NO_CERTS
- if (ssl->options.verifyPeer)
+ if (ssl->options.verifyPeer) {
ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes);
+ }
#endif
}
diff --git a/src/io.c b/src/io.c
index 3df6570b9..3c54becc3 100644
--- a/src/io.c
+++ b/src/io.c
@@ -62,14 +62,14 @@
#elif defined(FREESCALE_KSDK_MQX)
#include
#elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET)
- #if defined(WOLFSSL_MDK5) || defined(WOLFSSL_KEIL_TCP_NET)
+ #if !defined(WOLFSSL_MDK_ARM)
#include "cmsis_os.h"
+ #include "rl_net.h"
#else
#include
#endif
#include "errno.h"
#define SOCKET_T int
- #include "rl_net.h"
#elif defined(WOLFSSL_TIRTOS)
#include
#elif defined(FREERTOS_TCP)
@@ -153,7 +153,7 @@
#define SOCKET_ECONNABORTED NIO_ECONNABORTED
#endif
#elif defined(WOLFSSL_MDK_ARM)|| defined(WOLFSSL_KEIL_TCP_NET)
- #if defined(WOLFSSL_MDK5)|| defined(WOLFSSL_KEIL_TCP_NET)
+ #if !defined(WOLFSSL_MDK_ARM)
#define SOCKET_EWOULDBLOCK BSD_ERROR_WOULDBLOCK
#define SOCKET_EAGAIN BSD_ERROR_LOCKED
#define SOCKET_ECONNRESET BSD_ERROR_CLOSED
@@ -866,7 +866,7 @@ static int process_http_response(int sfd, byte** respBuf,
}
} while (state != phr_http_end);
- recvBuf = (byte*)XMALLOC(recvBufSz, NULL, DYNAMIC_TYPE_IN_BUFFER);
+ recvBuf = (byte*)XMALLOC(recvBufSz, NULL, DYNAMIC_TYPE_OCSP);
if (recvBuf == NULL) {
WOLFSSL_MSG("process_http_response couldn't create response buffer");
return -1;
@@ -936,7 +936,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
* free this buffer. */
int httpBufSz = SCRATCH_BUFFER_SIZE;
byte* httpBuf = (byte*)XMALLOC(httpBufSz, NULL,
- DYNAMIC_TYPE_IN_BUFFER);
+ DYNAMIC_TYPE_OCSP);
if (httpBuf == NULL) {
WOLFSSL_MSG("Unable to create OCSP response buffer");
@@ -962,7 +962,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz,
}
close(sfd);
- XFREE(httpBuf, NULL, DYNAMIC_TYPE_IN_BUFFER);
+ XFREE(httpBuf, NULL, DYNAMIC_TYPE_OCSP);
}
}
@@ -980,7 +980,7 @@ void EmbedOcspRespFree(void* ctx, byte *resp)
(void)ctx;
if (resp)
- XFREE(resp, NULL, DYNAMIC_TYPE_IN_BUFFER);
+ XFREE(resp, NULL, DYNAMIC_TYPE_OCSP);
}
diff --git a/src/keys.c b/src/keys.c
index 5ca1b72f7..124f70ade 100644
--- a/src/keys.c
+++ b/src/keys.c
@@ -1802,7 +1802,7 @@ int SetCipherSpecs(WOLFSSL* ssl)
enum KeyStuff {
MASTER_ROUNDS = 3,
PREFIX = 3, /* up to three letters for master prefix */
- KEY_PREFIX = 7 /* up to 7 prefix letters for key rounds */
+ KEY_PREFIX = 9 /* up to 9 prefix letters for key rounds */
};
@@ -1833,6 +1833,12 @@ static int SetPrefix(byte* sha_input, int idx)
case 6:
XMEMCPY(sha_input, "GGGGGGG", 7);
break;
+ case 7:
+ XMEMCPY(sha_input, "HHHHHHHH", 8);
+ break;
+ case 8:
+ XMEMCPY(sha_input, "IIIIIIIII", 9);
+ break;
default:
WOLFSSL_MSG("Set Prefix error, bad input");
return 0;
@@ -1859,13 +1865,13 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#ifdef HAVE_CAVIUM
if (devId != NO_CAVIUM_DEVICE) {
if (enc) {
- if (Arc4InitCavium(enc->arc4, devId) != 0) {
+ if (wc_Arc4InitCavium(enc->arc4, devId) != 0) {
WOLFSSL_MSG("Arc4InitCavium failed in SetKeys");
return CAVIUM_INIT_E;
}
}
if (dec) {
- if (Arc4InitCavium(dec->arc4, devId) != 0) {
+ if (wc_Arc4InitCavium(dec->arc4, devId) != 0) {
WOLFSSL_MSG("Arc4InitCavium failed in SetKeys");
return CAVIUM_INIT_E;
}
@@ -2048,13 +2054,13 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs,
#ifdef HAVE_CAVIUM
if (devId != NO_CAVIUM_DEVICE) {
if (enc) {
- if (Des3_InitCavium(enc->des3, devId) != 0) {
+ if (wc_Des3_InitCavium(enc->des3, devId) != 0) {
WOLFSSL_MSG("Des3_InitCavium failed in SetKeys");
return CAVIUM_INIT_E;
}
}
if (dec) {
- if (Des3_InitCavium(dec->des3, devId) != 0) {
+ if (wc_Des3_InitCavium(dec->des3, devId) != 0) {
WOLFSSL_MSG("Des3_InitCavium failed in SetKeys");
return CAVIUM_INIT_E;
}
diff --git a/src/ocsp.c b/src/ocsp.c
index 2b355d988..a1fd6dc25 100644
--- a/src/ocsp.c
+++ b/src/ocsp.c
@@ -34,59 +34,72 @@
#include
#include
+#ifdef NO_INLINE
+ #include
+#else
+ #include
+#endif
+
int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm)
{
WOLFSSL_ENTER("InitOCSP");
- XMEMSET(ocsp, 0, sizeof(*ocsp));
- ocsp->cm = cm;
+
+ ForceZero(ocsp, sizeof(WOLFSSL_OCSP));
+
if (InitMutex(&ocsp->ocspLock) != 0)
return BAD_MUTEX_E;
- return 0;
-}
-
-
-static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert)
-{
- WOLFSSL_ENTER("InitOCSP_Entry");
-
- XMEMSET(ocspe, 0, sizeof(*ocspe));
- XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE);
- XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE);
+ ocsp->cm = cm;
return 0;
}
-static void FreeOCSP_Entry(OCSP_Entry* ocspe)
+static int InitOcspEntry(OcspEntry* entry, OcspRequest* request)
{
- CertStatus* tmp = ocspe->status;
+ WOLFSSL_ENTER("InitOcspEntry");
- WOLFSSL_ENTER("FreeOCSP_Entry");
+ ForceZero(entry, sizeof(OcspEntry));
- while (tmp) {
- CertStatus* next = tmp->next;
- XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_STATUS);
- tmp = next;
+ XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE);
+ XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE);
+
+ return 0;
+}
+
+
+static void FreeOcspEntry(OcspEntry* entry)
+{
+ CertStatus *status, *next;
+
+ WOLFSSL_ENTER("FreeOcspEntry");
+
+ for (status = entry->status; status; status = next) {
+ next = status->next;
+
+ if (status->rawOcspResponse)
+ XFREE(status->rawOcspResponse, NULL, DYNAMIC_TYPE_OCSP_STATUS);
+
+ XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS);
}
}
void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic)
{
- OCSP_Entry* tmp = ocsp->ocspList;
+ OcspEntry *entry, *next;
WOLFSSL_ENTER("FreeOCSP");
- while (tmp) {
- OCSP_Entry* next = tmp->next;
- FreeOCSP_Entry(tmp);
- XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- tmp = next;
+ for (entry = ocsp->ocspList; entry; entry = next) {
+ next = entry->next;
+ FreeOcspEntry(entry);
+ XFREE(entry, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
}
FreeMutex(&ocsp->ocspLock);
+
if (dynamic)
XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP);
}
@@ -105,86 +118,162 @@ static int xstat2err(int stat)
}
-int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert)
+int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, void* encodedResponse)
{
- byte* ocspReqBuf = NULL;
- int ocspReqSz = 2048;
- byte* ocspRespBuf = NULL;
- int result = -1;
- OCSP_Entry* ocspe;
- CertStatus* certStatus = NULL;
- const char *url;
- int urlSz;
+ int ret = OCSP_LOOKUP_FAIL;
+
#ifdef WOLFSSL_SMALL_STACK
- CertStatus* newStatus;
OcspRequest* ocspRequest;
- OcspResponse* ocspResponse;
#else
- CertStatus newStatus[1];
OcspRequest ocspRequest[1];
- OcspResponse ocspResponse[1];
#endif
WOLFSSL_ENTER("CheckCertOCSP");
+
+#ifdef WOLFSSL_SMALL_STACK
+ ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+ if (ocspRequest == NULL) {
+ WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
+ return MEMORY_E;
+ }
+#endif
+
+ if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) {
+ ret = CheckOcspRequest(ocsp, ocspRequest, encodedResponse);
+
+ FreeOcspRequest(ocspRequest);
+ }
+
+#ifdef WOLFSSL_SMALL_STACK
+ XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+#endif
+
+ WOLFSSL_LEAVE("CheckCertOCSP", ret);
+ return ret;
+}
+
+static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request,
+ OcspEntry** entry)
+{
+ WOLFSSL_ENTER("GetOcspEntry");
+
+ *entry = NULL;
+
if (LockMutex(&ocsp->ocspLock) != 0) {
WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E);
return BAD_MUTEX_E;
}
- ocspe = ocsp->ocspList;
- while (ocspe) {
- if (XMEMCMP(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0
- && XMEMCMP(ocspe->issuerKeyHash, cert->issuerKeyHash,
- SHA_DIGEST_SIZE) == 0)
+ for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next)
+ if (XMEMCMP((*entry)->issuerHash, request->issuerHash,
+ OCSP_DIGEST_SIZE) == 0
+ && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash,
+ OCSP_DIGEST_SIZE) == 0)
break;
- else
- ocspe = ocspe->next;
- }
- if (ocspe == NULL) {
- ocspe = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry),
- NULL, DYNAMIC_TYPE_OCSP_ENTRY);
- if (ocspe != NULL) {
- InitOCSP_Entry(ocspe, cert);
- ocspe->next = ocsp->ocspList;
- ocsp->ocspList = ocspe;
- }
- else {
- UnLockMutex(&ocsp->ocspLock);
- WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
- return MEMORY_ERROR;
- }
- }
- else {
- certStatus = ocspe->status;
- while (certStatus) {
- if (certStatus->serialSz == cert->serialSz &&
- XMEMCMP(certStatus->serial, cert->serial, cert->serialSz) == 0)
- break;
- else
- certStatus = certStatus->next;
- }
- }
-
- if (certStatus != NULL) {
- if (!ValidateDate(certStatus->thisDate,
- certStatus->thisDateFormat, BEFORE) ||
- (certStatus->nextDate[0] == 0) ||
- !ValidateDate(certStatus->nextDate,
- certStatus->nextDateFormat, AFTER)) {
- WOLFSSL_MSG("\tinvalid status date, looking up cert");
- }
- else {
- result = xstat2err(certStatus->status);
- UnLockMutex(&ocsp->ocspLock);
- WOLFSSL_LEAVE("CheckCertOCSP", result);
- return result;
+ if (*entry == NULL) {
+ *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry),
+ NULL, DYNAMIC_TYPE_OCSP_ENTRY);
+ if (*entry) {
+ InitOcspEntry(*entry, request);
+ (*entry)->next = ocsp->ocspList;
+ ocsp->ocspList = *entry;
}
}
UnLockMutex(&ocsp->ocspLock);
+ return *entry ? 0 : MEMORY_ERROR;
+}
+
+
+static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
+ OcspEntry* entry, CertStatus** status, buffer* responseBuffer)
+{
+ int ret = OCSP_INVALID_STATUS;
+
+ WOLFSSL_ENTER("GetOcspStatus");
+
+ *status = NULL;
+
+ if (LockMutex(&ocsp->ocspLock) != 0) {
+ WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E);
+ return BAD_MUTEX_E;
+ }
+
+ for (*status = entry->status; *status; *status = (*status)->next)
+ if ((*status)->serialSz == request->serialSz
+ && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz))
+ break;
+
+ if (responseBuffer && *status && !(*status)->rawOcspResponse) {
+ /* force fetching again */
+ ret = OCSP_INVALID_STATUS;
+ }
+ else if (*status) {
+ if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE)
+ && ((*status)->nextDate[0] != 0)
+ && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER))
+ {
+ ret = xstat2err((*status)->status);
+
+ if (responseBuffer) {
+ responseBuffer->buffer = (byte*)XMALLOC(
+ (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ if (responseBuffer->buffer) {
+ responseBuffer->length = (*status)->rawOcspResponseSz;
+ XMEMCPY(responseBuffer->buffer,
+ (*status)->rawOcspResponse,
+ (*status)->rawOcspResponseSz);
+ }
+ }
+ }
+ }
+
+ UnLockMutex(&ocsp->ocspLock);
+
+ return ret;
+}
+
+int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
+ void* encodedResponse)
+{
+ OcspEntry* entry = NULL;
+ CertStatus* status = NULL;
+ byte* request = NULL;
+ int requestSz = 2048;
+ byte* response = NULL;
+ buffer* responseBuffer = (buffer*) encodedResponse;
+ const char* url = NULL;
+ int urlSz = 0;
+ int ret = -1;
+
+#ifdef WOLFSSL_SMALL_STACK
+ CertStatus* newStatus;
+ OcspResponse* ocspResponse;
+#else
+ CertStatus newStatus[1];
+ OcspResponse ocspResponse[1];
+#endif
+
+ WOLFSSL_ENTER("CheckOcspRequest");
+
+ if (responseBuffer) {
+ responseBuffer->buffer = NULL;
+ responseBuffer->length = 0;
+ }
+
+ ret = GetOcspEntry(ocsp, ocspRequest, &entry);
+ if (ret != 0)
+ return ret;
+
+ ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer);
+ if (ret != OCSP_INVALID_STATUS)
+ return ret;
+
if (ocsp->cm->ocspUseOverrideURL) {
url = ocsp->cm->ocspOverrideURL;
if (url != NULL && url[0] != '\0')
@@ -192,17 +281,17 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert)
else
return OCSP_NEED_URL;
}
- else if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
- url = (const char *)cert->extAuthInfo;
- urlSz = cert->extAuthInfoSz;
+ else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) {
+ url = (const char *)ocspRequest->url;
+ urlSz = ocspRequest->urlSz;
}
else {
/* cert doesn't have extAuthInfo, assuming CERT_GOOD */
return 0;
}
- ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER);
- if (ocspReqBuf == NULL) {
+ request = (byte*)XMALLOC(requestSz, NULL, DYNAMIC_TYPE_OCSP);
+ if (request == NULL) {
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_ERROR;
}
@@ -210,58 +299,81 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert)
#ifdef WOLFSSL_SMALL_STACK
newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL,
- DYNAMIC_TYPE_TMP_BUFFER);
ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
- if (newStatus == NULL || ocspRequest == NULL || ocspResponse == NULL) {
+ if (newStatus == NULL || ocspResponse == NULL) {
if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- if (ocspRequest) XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ XFREE(request, NULL, DYNAMIC_TYPE_OCSP);
WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_E;
}
#endif
- InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce,
- ocspReqBuf, ocspReqSz);
- ocspReqSz = EncodeOcspRequest(ocspRequest);
-
- if (ocsp->cm->ocspIOCb)
- result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
- ocspReqBuf, ocspReqSz, &ocspRespBuf);
+ requestSz = EncodeOcspRequest(ocspRequest, request, requestSz);
- if (result >= 0 && ocspRespBuf) {
+ if (ocsp->cm->ocspIOCb)
+ ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
+ request, requestSz, &response);
+
+ if (ret >= 0 && response) {
XMEMSET(newStatus, 0, sizeof(CertStatus));
- InitOcspResponse(ocspResponse, newStatus, ocspRespBuf, result);
- OcspResponseDecode(ocspResponse);
-
+ InitOcspResponse(ocspResponse, newStatus, response, ret);
+ OcspResponseDecode(ocspResponse, ocsp->cm);
+
if (ocspResponse->responseStatus != OCSP_SUCCESSFUL)
- result = OCSP_LOOKUP_FAIL;
+ ret = OCSP_LOOKUP_FAIL;
else {
if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) {
- result = xstat2err(ocspResponse->status->status);
+ if (responseBuffer) {
+ responseBuffer->buffer = (byte*)XMALLOC(ret, NULL,
+ DYNAMIC_TYPE_TMP_BUFFER);
+
+ if (responseBuffer->buffer) {
+ responseBuffer->length = ret;
+ XMEMCPY(responseBuffer->buffer, response, ret);
+ }
+ }
+
+ ret = xstat2err(ocspResponse->status->status);
if (LockMutex(&ocsp->ocspLock) != 0)
- result = BAD_MUTEX_E;
+ ret = BAD_MUTEX_E;
else {
- if (certStatus != NULL)
+ if (status != NULL) {
+ if (status->rawOcspResponse)
+ XFREE(status->rawOcspResponse, NULL,
+ DYNAMIC_TYPE_OCSP_STATUS);
+
/* Replace existing certificate entry with updated */
- XMEMCPY(certStatus, newStatus, sizeof(CertStatus));
+ XMEMCPY(status, newStatus, sizeof(CertStatus));
+ }
else {
/* Save new certificate entry */
- certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus),
+ status = (CertStatus*)XMALLOC(sizeof(CertStatus),
NULL, DYNAMIC_TYPE_OCSP_STATUS);
- if (certStatus != NULL) {
- XMEMCPY(certStatus, newStatus, sizeof(CertStatus));
- certStatus->next = ocspe->status;
- ocspe->status = certStatus;
- ocspe->totalStatus++;
+ if (status != NULL) {
+ XMEMCPY(status, newStatus, sizeof(CertStatus));
+ status->next = entry->status;
+ entry->status = status;
+ entry->totalStatus++;
+ }
+ }
+
+ if (status && responseBuffer && responseBuffer->buffer) {
+ status->rawOcspResponse = (byte*)XMALLOC(
+ responseBuffer->length, NULL,
+ DYNAMIC_TYPE_OCSP_STATUS);
+
+ if (status->rawOcspResponse) {
+ status->rawOcspResponseSz = responseBuffer->length;
+ XMEMCPY(status->rawOcspResponse,
+ responseBuffer->buffer,
+ responseBuffer->length);
}
}
@@ -269,25 +381,22 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert)
}
}
else
- result = OCSP_LOOKUP_FAIL;
+ ret = OCSP_LOOKUP_FAIL;
}
}
else
- result = OCSP_LOOKUP_FAIL;
-
- XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER);
+ ret = OCSP_LOOKUP_FAIL;
#ifdef WOLFSSL_SMALL_STACK
XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
- if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb)
- ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf);
+ if (response != NULL && ocsp->cm->ocspRespFreeCb)
+ ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response);
- WOLFSSL_LEAVE("CheckCertOCSP", result);
- return result;
+ WOLFSSL_LEAVE("CheckOcspRequest", ret);
+ return ret;
}
diff --git a/src/ssl.c b/src/ssl.c
index 575e9a8a7..f1cd2d4c1 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -159,8 +159,15 @@ WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD* method)
WOLFSSL_ENTER("WOLFSSL_CTX_new");
- if (initRefCount == 0)
- wolfSSL_Init(); /* user no longer forced to call Init themselves */
+ if (initRefCount == 0) {
+ /* user no longer forced to call Init themselves */
+ int ret = wolfSSL_Init();
+ if (ret != SSL_SUCCESS) {
+ WOLFSSL_MSG("wolfSSL_Init failed");
+ WOLFSSL_LEAVE("WOLFSSL_CTX_new", 0);
+ return NULL;
+ }
+ }
if (method == NULL)
return ctx;
@@ -461,8 +468,8 @@ int wolfSSL_GetObjectSize(void)
int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz,
const unsigned char* g, int gSz)
{
- byte havePSK = 0;
- byte haveRSA = 1;
+ word16 havePSK = 0;
+ word16 haveRSA = 1;
WOLFSSL_ENTER("wolfSSL_SetTmpDH");
if (ssl == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG;
@@ -690,8 +697,9 @@ int wolfSSL_UseSNI(WOLFSSL* ssl, byte type, const void* data, word16 size)
return TLSX_UseSNI(&ssl->extensions, type, data, size);
}
-int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type,
- const void* data, word16 size)
+
+int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, const void* data,
+ word16 size)
{
if (ctx == NULL)
return BAD_FUNC_ARG;
@@ -707,17 +715,20 @@ void wolfSSL_SNI_SetOptions(WOLFSSL* ssl, byte type, byte options)
TLSX_SNI_SetOptions(ssl->extensions, type, options);
}
+
void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, byte type, byte options)
{
if (ctx && ctx->extensions)
TLSX_SNI_SetOptions(ctx->extensions, type, options);
}
+
byte wolfSSL_SNI_Status(WOLFSSL* ssl, byte type)
{
return TLSX_SNI_Status(ssl ? ssl->extensions : NULL, type);
}
+
word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data)
{
if (data)
@@ -729,6 +740,7 @@ word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data)
return 0;
}
+
int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
byte type, byte* sni, word32* inOutSz)
{
@@ -745,6 +757,7 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
#ifdef HAVE_MAX_FRAGMENT
#ifndef NO_WOLFSSL_CLIENT
+
int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl)
{
if (ssl == NULL)
@@ -753,6 +766,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl)
return TLSX_UseMaxFragment(&ssl->extensions, mfl);
}
+
int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl)
{
if (ctx == NULL)
@@ -760,11 +774,13 @@ int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl)
return TLSX_UseMaxFragment(&ctx->extensions, mfl);
}
+
#endif /* NO_WOLFSSL_CLIENT */
#endif /* HAVE_MAX_FRAGMENT */
#ifdef HAVE_TRUNCATED_HMAC
#ifndef NO_WOLFSSL_CLIENT
+
int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl)
{
if (ssl == NULL)
@@ -773,6 +789,7 @@ int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl)
return TLSX_UseTruncatedHMAC(&ssl->extensions);
}
+
int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
{
if (ctx == NULL)
@@ -780,9 +797,58 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx)
return TLSX_UseTruncatedHMAC(&ctx->extensions);
}
+
#endif /* NO_WOLFSSL_CLIENT */
#endif /* HAVE_TRUNCATED_HMAC */
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+
+int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options)
+{
+ if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END)
+ return BAD_FUNC_ARG;
+
+ return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type,
+ options);
+}
+
+
+int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, byte status_type,
+ byte options)
+{
+ if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END)
+ return BAD_FUNC_ARG;
+
+ return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type,
+ options);
+}
+
+#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
+
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+
+int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl, byte status_type, byte options)
+{
+ if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END)
+ return BAD_FUNC_ARG;
+
+ return TLSX_UseCertificateStatusRequestV2(&ssl->extensions, status_type,
+ options);
+}
+
+
+int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx,
+ byte status_type, byte options)
+{
+ if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END)
+ return BAD_FUNC_ARG;
+
+ return TLSX_UseCertificateStatusRequestV2(&ctx->extensions, status_type,
+ options);
+}
+
+#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
+
/* Elliptic Curves */
#ifdef HAVE_SUPPORTED_CURVES
#ifndef NO_WOLFSSL_CLIENT
@@ -808,6 +874,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name)
return TLSX_UseSupportedCurve(&ssl->extensions, name);
}
+
int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name)
{
if (ctx == NULL)
@@ -885,7 +952,7 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name)
#endif /* HAVE_QSH */
-/* Application-Layer Procotol Name */
+/* Application-Layer Procotol Negotiation */
#ifdef HAVE_ALPN
int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list,
@@ -964,7 +1031,7 @@ int wolfSSL_ALPN_GetPeerProtocol(WOLFSSL* ssl, char **list, word16 *listSz)
if (*listSz == 0)
return BUFFER_ERROR;
- *list = (char *)XMALLOC((*listSz)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ *list = (char *)XMALLOC((*listSz)+1, NULL, DYNAMIC_TYPE_TLSX);
if (*list == NULL)
return MEMORY_ERROR;
@@ -988,7 +1055,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl)
ret = TLSX_UseSecureRenegotiation(&ssl->extensions);
if (ret == SSL_SUCCESS) {
- TLSX* extension = TLSX_Find(ssl->extensions, SECURE_RENEGOTIATION);
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO);
if (extension)
ssl->secure_renegotiation = (SecureRenegotiation*)extension->data;
@@ -1599,6 +1666,11 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm)
#ifdef HAVE_OCSP
if (cm->ocsp)
FreeOCSP(cm->ocsp, 1);
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ if (cm->ocsp_stapling)
+ FreeOCSP(cm->ocsp_stapling, 1);
+ #endif
#endif
FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL);
FreeMutex(&cm->caLock);
@@ -1939,8 +2011,8 @@ int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version)
int wolfSSL_SetVersion(WOLFSSL* ssl, int version)
{
- byte haveRSA = 1;
- byte havePSK = 0;
+ word16 haveRSA = 1;
+ word16 havePSK = 0;
WOLFSSL_ENTER("wolfSSL_SetVersion");
@@ -2300,33 +2372,35 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify)
int wolfSSL_Init(void)
{
- int ret = SSL_SUCCESS;
-
WOLFSSL_ENTER("wolfSSL_Init");
if (initRefCount == 0) {
+ /* Initialize crypto for use with TLS connection */
+ if (wolfCrypt_Init() != 0) {
+ WOLFSSL_MSG("Bad wolfCrypt Init");
+ return WC_INIT_E;
+ }
#ifndef NO_SESSION_CACHE
- if (InitMutex(&session_mutex) != 0)
- ret = BAD_MUTEX_E;
-#endif
- if (InitMutex(&count_mutex) != 0)
- ret = BAD_MUTEX_E;
- }
- if (ret == SSL_SUCCESS) {
- if (LockMutex(&count_mutex) != 0) {
- WOLFSSL_MSG("Bad Lock Mutex count");
+ if (InitMutex(&session_mutex) != 0) {
+ WOLFSSL_MSG("Bad Init Mutex session");
+ return BAD_MUTEX_E;
+ }
+#endif
+ if (InitMutex(&count_mutex) != 0) {
+ WOLFSSL_MSG("Bad Init Mutex count");
return BAD_MUTEX_E;
}
-
- /* Initialize crypto for use with TLS connection */
- if (wolfcrypt_Init() != 0)
- ret = WC_FAILURE_E;
-
- initRefCount++;
- UnLockMutex(&count_mutex);
}
- return ret;
+ if (LockMutex(&count_mutex) != 0) {
+ WOLFSSL_MSG("Bad Lock Mutex count");
+ return BAD_MUTEX_E;
+ }
+
+ initRefCount++;
+ UnLockMutex(&count_mutex);
+
+ return SSL_SUCCESS;
}
@@ -2336,7 +2410,7 @@ int wolfSSL_Init(void)
static int wolfssl_decrypt_buffer_key(buffer* der, byte* password,
int passwordSz, EncryptedInfo* info)
{
- int ret;
+ int ret = SSL_BAD_FILE;
#ifdef WOLFSSL_SMALL_STACK
byte* key = NULL;
@@ -2388,7 +2462,7 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password,
key, info->iv);
#endif /* NO_DES3 */
#ifndef NO_AES
- else if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)
+ if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)
ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length,
key, AES_128_KEY_SIZE, info->iv);
else if (XSTRNCMP(info->name, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)
@@ -2398,8 +2472,6 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password,
ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length,
key, AES_256_KEY_SIZE, info->iv);
#endif /* NO_AES */
- else
- ret = SSL_BAD_FILE;
#ifdef WOLFSSL_SMALL_STACK
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -2419,7 +2491,7 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password,
static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password,
int passwordSz, EncryptedInfo* info)
{
- int ret;
+ int ret = SSL_BAD_FILE;
#ifdef WOLFSSL_SMALL_STACK
byte* key = NULL;
@@ -2463,7 +2535,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password,
ret = wc_Des3_CbcEncryptWithKey(der, der, derSz, key, info->iv);
#endif /* NO_DES3 */
#ifndef NO_AES
- else if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)
+ if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0)
ret = wc_AesCbcEncryptWithKey(der, der, derSz,
key, AES_128_KEY_SIZE, info->iv);
else if (XSTRNCMP(info->name, EVP_AES_192_CBC, EVP_AES_SIZE) == 0)
@@ -2473,13 +2545,11 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password,
ret = wc_AesCbcEncryptWithKey(der, der, derSz,
key, AES_256_KEY_SIZE, info->iv);
#endif /* NO_AES */
- else
- ret = SSL_BAD_FILE;
#ifdef WOLFSSL_SMALL_STACK
XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
-
+
if (ret == MP_OKAY)
return SSL_SUCCESS;
else if (ret == SSL_BAD_FILE)
@@ -2509,6 +2579,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
int sz = (int)longSz;
int encrypted_key = 0;
+ (void)dynamicType;
+ (void)heap;
+
WOLFSSL_ENTER("PemToDer");
switch (type) {
@@ -2868,7 +2941,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
WOLFSSL_MSG("Finished Processing Cert Chain");
/* only retain actual size used */
- shrinked = (byte*)XMALLOC(idx, heap, dynamicType);
+ if (idx > 0) /* clang thinks it can be zero, let's help analysis */
+ shrinked = (byte*)XMALLOC(idx, heap, dynamicType);
if (shrinked) {
if (ssl) {
if (ssl->buffers.certChain.buffer &&
@@ -2891,7 +2965,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
if (dynamicBuffer)
XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE);
- if (shrinked == NULL) {
+ if (idx > 0 && shrinked == NULL) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
@@ -3415,6 +3489,43 @@ int wolfSSL_CertManagerDisableOCSP(WOLFSSL_CERT_MANAGER* cm)
return SSL_SUCCESS;
}
+/* turn on OCSP Stapling if off and compiled in, set options */
+int wolfSSL_CertManagerEnableOCSPStapling(WOLFSSL_CERT_MANAGER* cm)
+{
+ int ret = SSL_SUCCESS;
+
+ WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPStapling");
+ if (cm == NULL)
+ return BAD_FUNC_ARG;
+
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ if (cm->ocsp_stapling == NULL) {
+ cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP),
+ cm->heap, DYNAMIC_TYPE_OCSP);
+ if (cm->ocsp_stapling == NULL)
+ return MEMORY_E;
+
+ if (InitOCSP(cm->ocsp_stapling, cm) != 0) {
+ WOLFSSL_MSG("Init OCSP failed");
+ FreeOCSP(cm->ocsp_stapling, 1);
+ cm->ocsp_stapling = NULL;
+ return SSL_FAILURE;
+ }
+ }
+ cm->ocspStaplingEnabled = 1;
+
+ #ifndef WOLFSSL_USER_IO
+ cm->ocspIOCb = EmbedOcspLookup;
+ cm->ocspRespFreeCb = EmbedOcspRespFree;
+ #endif /* WOLFSSL_USER_IO */
+ #else
+ ret = NOT_COMPILED_IN;
+ #endif
+
+ return ret;
+}
+
#ifdef HAVE_OCSP
@@ -3449,7 +3560,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz)
if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) {
WOLFSSL_MSG("ParseCert failed");
}
- else if ((ret = CheckCertOCSP(cm->ocsp, cert)) != 0) {
+ else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) {
WOLFSSL_MSG("CheckCertOCSP failed");
}
@@ -3469,10 +3580,10 @@ int wolfSSL_CertManagerSetOCSPOverrideURL(WOLFSSL_CERT_MANAGER* cm,
if (cm == NULL)
return BAD_FUNC_ARG;
- XFREE(cm->ocspOverrideURL, cm->heap, 0);
+ XFREE(cm->ocspOverrideURL, cm->heap, DYNAMIC_TYPE_URL);
if (url != NULL) {
int urlSz = (int)XSTRLEN(url) + 1;
- cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, 0);
+ cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, DYNAMIC_TYPE_URL);
if (cm->ocspOverrideURL != NULL) {
XMEMCPY(cm->ocspOverrideURL, url, urlSz);
}
@@ -3584,6 +3695,17 @@ int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX* ctx, CbOCSPIO ioCb,
return BAD_FUNC_ARG;
}
+#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX* ctx)
+{
+ WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSPStapling");
+ if (ctx)
+ return wolfSSL_CertManagerEnableOCSPStapling(ctx->cm);
+ else
+ return BAD_FUNC_ARG;
+}
+#endif
#endif /* HAVE_OCSP */
@@ -4284,85 +4406,6 @@ int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX* ctx, const char* file)
#ifndef NO_DH
-/* server wrapper for ctx or ssl Diffie-Hellman parameters */
-static int wolfSSL_SetTmpDH_buffer_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
- const unsigned char* buf,
- long sz, int format)
-{
- buffer der;
- int ret = 0;
- int weOwnDer = 0;
- word32 pSz = MAX_DH_SIZE;
- word32 gSz = MAX_DH_SIZE;
-#ifdef WOLFSSL_SMALL_STACK
- byte* p = NULL;
- byte* g = NULL;
-#else
- byte p[MAX_DH_SIZE];
- byte g[MAX_DH_SIZE];
-#endif
-
- der.buffer = (byte*)buf;
- der.length = (word32)sz;
-
-#ifdef WOLFSSL_SMALL_STACK
- p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-
- if (p == NULL || g == NULL) {
- XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- return MEMORY_E;
- }
-#endif
-
- if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM)
- ret = SSL_BAD_FILETYPE;
- else {
- if (format == SSL_FILETYPE_PEM) {
- der.buffer = NULL;
- ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, NULL,NULL);
- weOwnDer = 1;
- }
-
- if (ret == 0) {
- if (wc_DhParamsLoad(der.buffer, der.length, p, &pSz, g, &gSz) < 0)
- ret = SSL_BAD_FILETYPE;
- else if (ssl)
- ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz);
- else
- ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz);
- }
- }
-
- if (weOwnDer)
- XFREE(der.buffer, ctx->heap, DYNAMIC_TYPE_KEY);
-
-#ifdef WOLFSSL_SMALL_STACK
- XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER);
-#endif
-
- return ret;
-}
-
-
-/* server Diffie-Hellman parameters, SSL_SUCCESS on ok */
-int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* buf, long sz,
- int format)
-{
- return wolfSSL_SetTmpDH_buffer_wrapper(ssl->ctx, ssl, buf, sz, format);
-}
-
-
-/* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */
-int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
- long sz, int format)
-{
- return wolfSSL_SetTmpDH_buffer_wrapper(ctx, NULL, buf, sz, format);
-}
-
-
/* server Diffie-Hellman parameters */
static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
const char* fname, int format)
@@ -4376,8 +4419,12 @@ static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
int dynamic = 0;
int ret;
long sz = 0;
- XFILE file = XFOPEN(fname, "rb");
+ XFILE file;
+ if (ctx == NULL || fname == NULL)
+ return BAD_FUNC_ARG;
+
+ file = XFOPEN(fname, "rb");
if (file == XBADFILE) return SSL_BAD_FILE;
XFSEEK(file, 0, XSEEK_END);
sz = XFTELL(file);
@@ -4416,6 +4463,9 @@ static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
/* server Diffie-Hellman parameters */
int wolfSSL_SetTmpDH_file(WOLFSSL* ssl, const char* fname, int format)
{
+ if (ssl == NULL)
+ return BAD_FUNC_ARG;
+
return wolfSSL_SetTmpDH_file_wrapper(ssl->ctx, ssl, fname, format);
}
@@ -5722,9 +5772,17 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
if (ssl->buffers.outputBuffer.length > 0) {
if ( (ssl->error = SendBuffered(ssl)) == 0) {
+ /* fragOffset is non-zero when sending fragments. On the last
+ * fragment, fragOffset is zero again, and the state can be
+ * advanced. */
if (ssl->fragOffset == 0) {
ssl->options.connectState++;
- WOLFSSL_MSG("connect state: Advanced from buffered send");
+ WOLFSSL_MSG("connect state: "
+ "Advanced from last buffered fragment send");
+ }
+ else {
+ WOLFSSL_MSG("connect state: "
+ "Not advanced, more fragments to send");
}
}
else {
@@ -5989,8 +6047,8 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
int wolfSSL_accept(WOLFSSL* ssl)
{
- byte havePSK = 0;
- byte haveAnon = 0;
+ word16 havePSK = 0;
+ word16 haveAnon = 0;
WOLFSSL_ENTER("SSL_accept()");
#ifdef HAVE_ERRNO_H
@@ -6040,9 +6098,17 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
if (ssl->buffers.outputBuffer.length > 0) {
if ( (ssl->error = SendBuffered(ssl)) == 0) {
+ /* fragOffset is non-zero when sending fragments. On the last
+ * fragment, fragOffset is zero again, and the state can be
+ * advanced. */
if (ssl->fragOffset == 0) {
ssl->options.acceptState++;
- WOLFSSL_MSG("accept state: Advanced from buffered send");
+ WOLFSSL_MSG("accept state: "
+ "Advanced from last buffered fragment send");
+ }
+ else {
+ WOLFSSL_MSG("accept state: "
+ "Not advanced, more fragments to send");
}
}
else {
@@ -6087,6 +6153,17 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
WOLFSSL_MSG("accept state CERT_SENT");
case CERT_SENT :
+ #ifndef NO_CERTS
+ if (!ssl->options.resuming)
+ if ( (ssl->error = SendCertificateStatus(ssl)) != 0) {
+ WOLFSSL_ERROR(ssl->error);
+ return SSL_FATAL_ERROR;
+ }
+ #endif
+ ssl->options.acceptState = CERT_STATUS_SENT;
+ WOLFSSL_MSG("accept state CERT_STATUS_SENT");
+
+ case CERT_STATUS_SENT :
if (!ssl->options.resuming)
if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) {
WOLFSSL_ERROR(ssl->error);
@@ -7232,6 +7309,96 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
NULL, 1);
}
+
+#ifndef NO_DH
+
+ /* server wrapper for ctx or ssl Diffie-Hellman parameters */
+ static int wolfSSL_SetTmpDH_buffer_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl,
+ const unsigned char* buf,
+ long sz, int format)
+ {
+ buffer der;
+ int ret = 0;
+ int weOwnDer = 0;
+ word32 pSz = MAX_DH_SIZE;
+ word32 gSz = MAX_DH_SIZE;
+ #ifdef WOLFSSL_SMALL_STACK
+ byte* p = NULL;
+ byte* g = NULL;
+ #else
+ byte p[MAX_DH_SIZE];
+ byte g[MAX_DH_SIZE];
+ #endif
+
+ if (ctx == NULL || buf == NULL)
+ return BAD_FUNC_ARG;
+
+ der.buffer = (byte*)buf;
+ der.length = (word32)sz;
+
+ #ifdef WOLFSSL_SMALL_STACK
+ p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+
+ if (p == NULL || g == NULL) {
+ XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ return MEMORY_E;
+ }
+ #endif
+
+ if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM)
+ ret = SSL_BAD_FILETYPE;
+ else {
+ if (format == SSL_FILETYPE_PEM) {
+ der.buffer = NULL;
+ ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, NULL,NULL);
+ weOwnDer = 1;
+ }
+
+ if (ret == 0) {
+ if (wc_DhParamsLoad(der.buffer, der.length, p, &pSz, g, &gSz) < 0)
+ ret = SSL_BAD_FILETYPE;
+ else if (ssl)
+ ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz);
+ else
+ ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz);
+ }
+ }
+
+ if (weOwnDer)
+ XFREE(der.buffer, ctx->heap, DYNAMIC_TYPE_KEY);
+
+ #ifdef WOLFSSL_SMALL_STACK
+ XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ #endif
+
+ return ret;
+ }
+
+
+ /* server Diffie-Hellman parameters, SSL_SUCCESS on ok */
+ int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* buf, long sz,
+ int format)
+ {
+ if (ssl == NULL)
+ return BAD_FUNC_ARG;
+
+ return wolfSSL_SetTmpDH_buffer_wrapper(ssl->ctx, ssl, buf, sz, format);
+ }
+
+
+ /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */
+ int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf,
+ long sz, int format)
+ {
+ return wolfSSL_SetTmpDH_buffer_wrapper(ctx, NULL, buf, sz, format);
+ }
+
+#endif /* NO_DH */
+
+
int wolfSSL_use_certificate_buffer(WOLFSSL* ssl,
const unsigned char* in, long sz, int format)
{
@@ -7315,8 +7482,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
int wolfSSL_add_all_algorithms(void)
{
WOLFSSL_ENTER("wolfSSL_add_all_algorithms");
- wolfSSL_Init();
- return SSL_SUCCESS;
+ if (wolfSSL_Init() == SSL_SUCCESS)
+ return SSL_SUCCESS;
+ else
+ return SSL_FATAL_ERROR;
}
@@ -7412,8 +7581,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
void wolfSSL_set_accept_state(WOLFSSL* ssl)
{
- byte haveRSA = 1;
- byte havePSK = 0;
+ word16 haveRSA = 1;
+ word16 havePSK = 0;
WOLFSSL_ENTER("SSL_set_accept_state");
ssl->options.side = WOLFSSL_SERVER_END;
@@ -8284,17 +8453,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
}
- /* SSL_SUCCESS on ok */
+ /* return SSL_SUCCESS on ok, 0 on failure to match API compatibility */
int wolfSSL_EVP_CipherInit(WOLFSSL_EVP_CIPHER_CTX* ctx,
const WOLFSSL_EVP_CIPHER* type, byte* key,
byte* iv, int enc)
{
-#if defined(NO_AES) && defined(NO_DES3) && !defined(HAVE_IDEA)
+ int ret = -1; /* failure local, during function 0 means success
+ because internal functions work that way */
(void)iv;
(void)enc;
-#else
- int ret = 0;
-#endif
WOLFSSL_ENTER("wolfSSL_EVP_CipherInit");
if (ctx == NULL) {
@@ -8427,7 +8594,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
#endif /* NO_AES */
#ifndef NO_DES3
- else if (ctx->cipherType == DES_CBC_TYPE ||
+ if (ctx->cipherType == DES_CBC_TYPE ||
(type && XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0)) {
WOLFSSL_MSG(EVP_DES_CBC);
ctx->cipherType = DES_CBC_TYPE;
@@ -8467,7 +8634,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
}
#endif /* NO_DES3 */
#ifndef NO_RC4
- else if (ctx->cipherType == ARC4_TYPE || (type &&
+ if (ctx->cipherType == ARC4_TYPE || (type &&
XSTRNCMP(type, "ARC4", 4) == 0)) {
WOLFSSL_MSG("ARC4");
ctx->cipherType = ARC4_TYPE;
@@ -8475,10 +8642,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ctx->keyLen = 16; /* default to 128 */
if (key)
wc_Arc4SetKey(&ctx->cipher.arc4, key, ctx->keyLen);
+ ret = 0; /* success */
}
#endif /* NO_RC4 */
#ifdef HAVE_IDEA
- else if (ctx->cipherType == IDEA_CBC_TYPE ||
+ if (ctx->cipherType == IDEA_CBC_TYPE ||
(type && XSTRNCMP(type, EVP_IDEA_CBC, EVP_IDEA_SIZE) == 0)) {
WOLFSSL_MSG(EVP_IDEA_CBC);
ctx->cipherType = IDEA_CBC_TYPE;
@@ -8486,8 +8654,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
if (enc == 0 || enc == 1)
ctx->enc = enc ? 1 : 0;
if (key) {
- ret = wc_IdeaSetKey(&ctx->cipher.idea, key, ctx->keyLen, iv,
- ctx->enc ? IDEA_ENCRYPTION : IDEA_DECRYPTION);
+ ret = wc_IdeaSetKey(&ctx->cipher.idea, key, (word16)ctx->keyLen,
+ iv, ctx->enc ? IDEA_ENCRYPTION :
+ IDEA_DECRYPTION);
if (ret != 0)
return ret;
}
@@ -8496,17 +8665,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
wc_IdeaSetIV(&ctx->cipher.idea, iv);
}
#endif /* HAVE_IDEA */
- else if (ctx->cipherType == NULL_CIPHER_TYPE || (type &&
+ if (ctx->cipherType == NULL_CIPHER_TYPE || (type &&
XSTRNCMP(type, "NULL", 4) == 0)) {
WOLFSSL_MSG("NULL cipher");
ctx->cipherType = NULL_CIPHER_TYPE;
ctx->keyLen = 0;
+ ret = 0; /* success */
}
+
+ if (ret == 0)
+ return SSL_SUCCESS;
else
- return 0; /* failure */
-
-
- return SSL_SUCCESS;
+ return 0; /* overall failure */
}
@@ -9905,13 +10075,10 @@ void wolfSSL_set_connect_state(WOLFSSL* ssl)
int wolfSSL_get_shutdown(const WOLFSSL* ssl)
{
WOLFSSL_ENTER("wolfSSL_get_shutdown");
-#ifdef HAVE_STUNNEL
- return (ssl->options.sentNotify << 1) | (ssl->options.closeNotify);
-#else
- return (ssl->options.isClosed ||
- ssl->options.connReset ||
- ssl->options.sentNotify);
-#endif
+ /* in OpenSSL, SSL_SENT_SHUTDOWN = 1, when closeNotifySent *
+ * SSL_RECEIVED_SHUTDOWN = 2, from close notify or fatal err */
+ return ((ssl->options.closeNotify||ssl->options.connReset) << 1)
+ | (ssl->options.sentNotify);
}
@@ -9923,6 +10090,7 @@ int wolfSSL_session_reused(WOLFSSL* ssl)
#ifdef OPENSSL_EXTRA
void wolfSSL_SESSION_free(WOLFSSL_SESSION* session)
{
+ /* No need to free since cache is static */
(void)session;
}
#endif
@@ -10365,10 +10533,10 @@ char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER* cipher, char* in, int len)
}
-WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl) /* what's ref count */
+WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl)
{
- (void)ssl;
- return 0;
+ /* sessions are stored statically, no need for reference count */
+ return wolfSSL_get_session(ssl);
}
@@ -10641,11 +10809,12 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void)
{
WOLFSSL_X509_STORE* store = NULL;
- store = (WOLFSSL_X509_STORE*)XMALLOC(sizeof(WOLFSSL_X509_STORE), NULL, 0);
+ store = (WOLFSSL_X509_STORE*)XMALLOC(sizeof(WOLFSSL_X509_STORE), NULL,
+ DYNAMIC_TYPE_X509_STORE);
if (store != NULL) {
store->cm = wolfSSL_CertManagerNew();
if (store->cm == NULL) {
- XFREE(store, NULL, 0);
+ XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE);
store = NULL;
}
}
@@ -10659,7 +10828,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store)
if (store != NULL) {
if (store->cm != NULL)
wolfSSL_CertManagerFree(store->cm);
- XFREE(store, NULL, 0);
+ XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE);
}
}
@@ -10685,8 +10854,8 @@ int wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CTX* ctx, int idx,
WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void)
{
WOLFSSL_X509_STORE_CTX* ctx = (WOLFSSL_X509_STORE_CTX*)XMALLOC(
- sizeof(WOLFSSL_X509_STORE_CTX), NULL, 0);
-
+ sizeof(WOLFSSL_X509_STORE_CTX), NULL,
+ DYNAMIC_TYPE_X509_CTX);
if (ctx != NULL)
wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL);
@@ -10721,7 +10890,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx)
wolfSSL_X509_STORE_free(ctx->store);
if (ctx->current_cert != NULL)
wolfSSL_FreeX509(ctx->current_cert);
- XFREE(ctx, NULL, 0);
+ XFREE(ctx, NULL, DYNAMIC_TYPE_X509_CTX);
}
}
@@ -10812,8 +10981,8 @@ void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key)
{
if (key != NULL) {
if (key->pkey.ptr != NULL)
- XFREE(key->pkey.ptr, NULL, 0);
- XFREE(key, NULL, 0);
+ XFREE(key->pkey.ptr, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
+ XFREE(key, NULL, DYNAMIC_TYPE_PUBLIC_KEY);
}
}
@@ -11686,7 +11855,12 @@ int wolfSSL_BN_is_bit_set(const WOLFSSL_BIGNUM* bn, int n)
return SSL_FAILURE;
}
- return mp_is_bit_set((mp_int*)bn->internal, n);
+ if (n > DIGIT_BIT) {
+ WOLFSSL_MSG("input bit count too large");
+ return SSL_FAILURE;
+ }
+
+ return mp_is_bit_set((mp_int*)bn->internal, (mp_digit)n);
}
/* return code compliant with OpenSSL :
@@ -11853,7 +12027,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn)
XFREE(buf, NULL, DYNAMIC_TYPE_ECC);
return NULL;
}
-
+
return buf;
}
#else
@@ -13228,9 +13402,28 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
return 0;
}
- if (type != NID_md5 && type != NID_sha1) {
- WOLFSSL_MSG("Bad md type");
- return 0;
+ switch (type) {
+ #ifdef WOLFSSL_MD2
+ case NID_md2: type = MD2h; break;
+ #endif
+ #ifndef NO_MD5
+ case NID_md5: type = MD5h; break;
+ #endif
+ #ifndef NO_SHA
+ case NID_sha1: type = SHAh; break;
+ #endif
+ #ifndef NO_SHA256
+ case NID_sha256: type = SHA256h; break;
+ #endif
+ #ifdef WOLFSSL_SHA384
+ case NID_sha384: type = SHA384h; break;
+ #endif
+ #ifdef WOLFSSL_SHA512
+ case NID_sha512: type = SHA512h; break;
+ #endif
+ default:
+ WOLFSSL_MSG("This NID (md type) not configured or not implemented");
+ return 0;
}
if (rsa->inSet == 0)
@@ -13274,7 +13467,6 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m,
}
if (rng) {
- type = (type == NID_md5) ? MD5h : SHAh;
signSz = wc_EncodeSignature(encodedSig, m, mLen, type);
if (signSz == 0) {
@@ -13722,7 +13914,7 @@ void wolfSSL_OPENSSL_free(void* p)
{
WOLFSSL_MSG("wolfSSL_OPENSSL_free");
- XFREE(p, NULL, 0);
+ XFREE(p, NULL, DYNAMIC_TYPE_OPENSSL);
}
#if defined(WOLFSSL_KEY_GEN)
@@ -13918,7 +14110,7 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher,
if (cipherInfo != NULL)
XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY);
if (*pem == NULL) {
WOLFSSL_MSG("malloc failed");
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -13928,7 +14120,7 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher,
if (XMEMCPY(*pem, tmp, *plen) == NULL) {
WOLFSSL_MSG("XMEMCPY failed");
- XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return SSL_FAILURE;
}
@@ -13972,7 +14164,7 @@ int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa,
return SSL_FAILURE;
}
- XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
return SSL_SUCCESS;
}
#endif /* NO_FILESYSTEM */
@@ -14762,6 +14954,7 @@ WOLFSSL_EC_POINT *wolfSSL_EC_POINT_new(const WOLFSSL_EC_GROUP *group)
p->internal = wc_ecc_new_point();
if (p->internal == NULL) {
WOLFSSL_MSG("ecc_new_point failure");
+ XFREE(p, NULL, DYNAMIC_TYPE_ECC);
return NULL;
}
@@ -14878,7 +15071,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group,
int ret;
(void)ctx;
-
+
WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp");
if (group == NULL || a == NULL || a->internal == NULL || b == NULL ||
@@ -14980,6 +15173,7 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_SIG_new(void)
return NULL;
}
+ sig->s = NULL;
sig->r = wolfSSL_BN_new();
if (sig->r == NULL) {
WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA r failure");
@@ -15062,10 +15256,12 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen,
else if (SetIndividualExternal(&(sig->r), &sig_r)!=SSL_SUCCESS){
WOLFSSL_MSG("ecdsa r key error");
wolfSSL_ECDSA_SIG_free(sig);
+ sig = NULL;
}
else if (SetIndividualExternal(&(sig->s), &sig_s)!=SSL_SUCCESS){
WOLFSSL_MSG("ecdsa s key error");
wolfSSL_ECDSA_SIG_free(sig);
+ sig = NULL;
}
mp_clear(&sig_r);
@@ -15296,7 +15492,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc,
if (cipherInfo != NULL)
XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY);
if (*pem == NULL) {
WOLFSSL_MSG("malloc failed");
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -15306,7 +15502,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc,
if (XMEMCPY(*pem, tmp, *plen) == NULL) {
WOLFSSL_MSG("XMEMCPY failed");
- XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return SSL_FAILURE;
}
@@ -15348,8 +15544,8 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc,
WOLFSSL_MSG("ECC private key file write failed");
return SSL_FAILURE;
}
-
- XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+
+ XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
return SSL_SUCCESS;
}
@@ -15471,7 +15667,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
if (cipherInfo != NULL)
XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER);
- *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY);
if (*pem == NULL) {
WOLFSSL_MSG("malloc failed");
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -15481,7 +15677,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa,
if (XMEMCPY(*pem, tmp, *plen) == NULL) {
WOLFSSL_MSG("XMEMCPY failed");
- XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+ XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER);
return SSL_FAILURE;
}
@@ -15523,8 +15719,8 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa,
WOLFSSL_MSG("DSA private key file write failed");
return SSL_FAILURE;
}
-
- XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER);
+
+ XFREE(pem, NULL, DYNAMIC_TYPE_KEY);
return SSL_SUCCESS;
}
@@ -16320,6 +16516,23 @@ void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx)
#if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL)
+char * wolf_OBJ_nid2ln(int n) {
+ (void)n;
+ WOLFSSL_ENTER("wolf_OBJ_nid2ln");
+ WOLFSSL_STUB("wolf_OBJ_nid2ln");
+
+ return NULL;
+}
+
+int wolf_OBJ_txt2nid(const char* s) {
+ (void)s;
+ WOLFSSL_ENTER("wolf_OBJ_txt2nid");
+ WOLFSSL_STUB("wolf_OBJ_txt2nid");
+
+ return 0;
+}
+
+
WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) {
(void)filename;
(void)mode;
@@ -16400,6 +16613,13 @@ long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh)
/* stunnel compatability functions*/
#if defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL)
+void WOLFSSL_ERR_remove_thread_state(void* pid)
+{
+ (void) pid;
+ return;
+}
+
+
int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data)
{
WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data");
@@ -16465,6 +16685,19 @@ WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator,
return NULL;
}
+int wolfSSL_DH_generate_parameters_ex(WOLFSSL_DH* dh, int prime_len, int generator,
+ void (*callback) (int, int, void *))
+{
+ (void)prime_len;
+ (void)generator;
+ (void)callback;
+ (void)dh;
+ WOLFSSL_ENTER("wolfSSL_DH_generate_parameters_ex");
+ WOLFSSL_STUB("wolfSSL_DH_generate_parameters_ex");
+
+ return -1;
+}
+
void wolfSSL_ERR_load_crypto_strings(void)
{
@@ -16688,7 +16921,7 @@ const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen)
return sess->sessionID;
}
-
+#ifdef HAVE_SNI
int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name)
{
int ret;
@@ -16708,6 +16941,7 @@ const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type)
TLSX_SNI_GetRequest(ssl->extensions, type, &serverName);
return (const char *)serverName;
}
+#endif /* HAVE_SNI */
WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
@@ -16729,8 +16963,8 @@ VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx)
int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx)
{
- WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
int mode = 0;
+ WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode");
if(!ctx)
return SSL_FATAL_ERROR;
@@ -16762,6 +16996,52 @@ void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg)
if (ctx)
ctx->sniRecvCbArg = arg;
}
+
+
+long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt)
+{
+ WOLFSSL_ENTER("SSL_CTX_clear_options");
+ WOLFSSL_STUB("SSL_CTX_clear_options");
+ (void)ctx;
+ (void)opt;
+ return opt;
+}
+
+void wolfSSL_THREADID_set_callback(void(*threadid_func)(void*))
+{
+ WOLFSSL_ENTER("wolfSSL_THREADID_set_callback");
+ WOLFSSL_STUB("wolfSSL_THREADID_set_callback");
+ (void)threadid_func;
+ return;
+}
+
+void wolfSSL_THREADID_set_numeric(void* id, unsigned long val)
+{
+ WOLFSSL_ENTER("wolfSSL_THREADID_set_numeric");
+ WOLFSSL_STUB("wolfSSL_THREADID_set_numeric");
+ (void)id;
+ (void)val;
+ return;
+}
+
+
+WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX* ctx,
+ WOLFSSL_X509_NAME* name)
+{
+ WOLFSSL_ENTER("wolfSSL_X509_STORE_get1_certs");
+ WOLFSSL_STUB("wolfSSL_X509_STORE_get1_certs");
+ (void)ctx;
+ (void)name;
+ return NULL;
+}
+
+void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*)){
+ (void) sk;
+ (void) f;
+ WOLFSSL_ENTER("wolfSSL_sk_X509_pop_free");
+ WOLFSSL_STUB("wolfSSL_sk_X509_pop_free");
+}
+
#endif /* OPENSSL_EXTRA and HAVE_STUNNEL */
#if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE25519)
@@ -16773,6 +17053,10 @@ int wolfSSL_EC25519_generate_key(unsigned char *priv, unsigned int *privSz,
{
#ifndef WOLFSSL_KEY_GEN
WOLFSSL_MSG("No Key Gen built in");
+ (void) priv;
+ (void) privSz;
+ (void) pub;
+ (void) pubSz;
return SSL_FAILURE;
#else /* WOLFSSL_KEY_GEN */
int ret = SSL_FAILURE;
@@ -16847,6 +17131,12 @@ int wolfSSL_EC25519_shared_key(unsigned char *shared, unsigned int *sharedSz,
{
#ifndef WOLFSSL_KEY_GEN
WOLFSSL_MSG("No Key Gen built in");
+ (void) shared;
+ (void) sharedSz;
+ (void) priv;
+ (void) privSz;
+ (void) pub;
+ (void) pubSz;
return SSL_FAILURE;
#else /* WOLFSSL_KEY_GEN */
int ret = SSL_FAILURE;
@@ -16911,6 +17201,10 @@ int wolfSSL_ED25519_generate_key(unsigned char *priv, unsigned int *privSz,
{
#ifndef WOLFSSL_KEY_GEN
WOLFSSL_MSG("No Key Gen built in");
+ (void) priv;
+ (void) privSz;
+ (void) pub;
+ (void) pubSz;
return SSL_FAILURE;
#else /* WOLFSSL_KEY_GEN */
int ret = SSL_FAILURE;
@@ -16984,6 +17278,12 @@ int wolfSSL_ED25519_sign(const unsigned char *msg, unsigned int msgSz,
{
#ifndef WOLFSSL_KEY_GEN
WOLFSSL_MSG("No Key Gen built in");
+ (void) msg;
+ (void) msgSz;
+ (void) priv;
+ (void) privSz;
+ (void) sig;
+ (void) sigSz;
return SSL_FAILURE;
#else /* WOLFSSL_KEY_GEN */
ed25519_key key;
@@ -17031,6 +17331,12 @@ int wolfSSL_ED25519_verify(const unsigned char *msg, unsigned int msgSz,
{
#ifndef WOLFSSL_KEY_GEN
WOLFSSL_MSG("No Key Gen built in");
+ (void) msg;
+ (void) msgSz;
+ (void) pub;
+ (void) pubSz;
+ (void) sig;
+ (void) sigSz;
return SSL_FAILURE;
#else /* WOLFSSL_KEY_GEN */
ed25519_key key;
@@ -17058,7 +17364,6 @@ int wolfSSL_ED25519_verify(const unsigned char *msg, unsigned int msgSz,
if ((ret = wc_ed25519_verify_msg((byte*)sig, sigSz, msg, msgSz,
&check, &key)) != MP_OKAY) {
WOLFSSL_MSG("wc_ed25519_verify_msg failed");
- fprintf(stderr, "err code = %d, sigSz=%d, msgSz=%d\n", ret, sigSz, msgSz);
}
else if (!check)
WOLFSSL_MSG("wc_ed25519_verify_msg failed (signature invalid)");
@@ -17097,4 +17402,3 @@ void* wolfSSL_get_jobject(WOLFSSL* ssl)
#endif /* WOLFSSL_JNI */
#endif /* WOLFCRYPT_ONLY */
-
diff --git a/src/tls.c b/src/tls.c
index 97dc09ef5..793b55c33 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -755,7 +755,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type)
{
switch (type) {
- case SECURE_RENEGOTIATION: /* 0xFF01 */
+ case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */
return 63;
default:
@@ -784,7 +784,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type)
/** Creates a new extension. */
static TLSX* TLSX_New(TLSX_Type type, void* data)
{
- TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX);
+ TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), NULL, DYNAMIC_TYPE_TLSX);
if (extension) {
extension->type = type;
@@ -845,6 +845,9 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type)
#endif
+/******************************************************************************/
+/* Application-Layer Protocol Negotiation */
+/******************************************************************************/
#ifdef HAVE_ALPN
/** Creates a new ALPN object, providing protocol name to use. */
@@ -916,7 +919,7 @@ static word16 TLSX_ALPN_GetSize(ALPN *list)
length++; /* protocol name length is on one byte */
length += (word16)XSTRLEN(alpn->protocol_name);
}
-
+
return length;
}
@@ -943,7 +946,7 @@ static word16 TLSX_ALPN_Write(ALPN *list, byte *output)
/* writing list length */
c16toa(offset - OPAQUE16_LEN, output);
-
+
return offset;
}
@@ -981,7 +984,7 @@ static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size)
alpn->negociated = 1;
- ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
+ ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn);
if (ret != 0) {
TLSX_ALPN_Free(alpn);
return ret;
@@ -1001,9 +1004,10 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
TLSX *extension;
ALPN *alpn = NULL, *list;
- extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN);
+ extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL)
- extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN);
+ extension = TLSX_Find(ssl->ctx->extensions,
+ TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL || extension->data == NULL) {
WOLFSSL_MSG("No ALPN extensions not used or bad");
@@ -1088,7 +1092,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length,
/* reply to ALPN extension sent from client */
if (isRequest) {
#ifndef NO_WOLFSSL_SERVER
- TLSX_SetResponse(ssl, WOLFSSL_ALPN);
+ TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL);
#endif
}
@@ -1114,9 +1118,10 @@ int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options)
/* Set Options of ALPN */
alpn->options = options;
- extension = TLSX_Find(*extensions, WOLFSSL_ALPN);
+ extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL) {
- ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn);
+ ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL,
+ (void*)alpn);
if (ret != 0) {
TLSX_ALPN_Free(alpn);
return ret;
@@ -1140,7 +1145,7 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
if (extensions == NULL || data == NULL || dataSz == NULL)
return BAD_FUNC_ARG;
- extension = TLSX_Find(extensions, WOLFSSL_ALPN);
+ extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL);
if (extension == NULL) {
WOLFSSL_MSG("TLS extension not found");
return SSL_ALPN_NOT_FOUND;
@@ -1192,13 +1197,16 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz)
#endif /* HAVE_ALPN */
-/* Server Name Indication */
+/******************************************************************************/
+/* Server Name Indication */
+/******************************************************************************/
+
#ifdef HAVE_SNI
/** Creates a new SNI object. */
static SNI* TLSX_SNI_New(byte type, const void* data, word16 size)
{
- SNI* sni = (SNI*)XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX);
+ SNI* sni = (SNI*)XMALLOC(sizeof(SNI), NULL, DYNAMIC_TYPE_TLSX);
if (sni) {
sni->type = type;
@@ -1211,7 +1219,7 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size)
switch (sni->type) {
case WOLFSSL_SNI_HOST_NAME:
- sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX);
+ sni->data.host_name = XMALLOC(size+1, NULL, DYNAMIC_TYPE_TLSX);
if (sni->data.host_name) {
XSTRNCPY(sni->data.host_name, (const char*)data, size);
@@ -1325,7 +1333,7 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type)
/** Sets the status of a SNI object. */
static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
{
- TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
@@ -1335,7 +1343,7 @@ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status)
/** Gets the status of a SNI object. */
byte TLSX_SNI_Status(TLSX* extensions, byte type)
{
- TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
@@ -1356,10 +1364,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
int cacheOnly = 0;
#endif
- TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
+ TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
if (!extension)
- extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
+ extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
(void)isRequest;
(void)input;
@@ -1438,7 +1446,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length,
TLSX_SNI_SetStatus(ssl->extensions, type, matchStat);
if(!cacheOnly)
- TLSX_SetResponse(ssl, SERVER_NAME_INDICATION);
+ TLSX_SetResponse(ssl, TLSX_SERVER_NAME);
} else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) {
SendAlert(ssl, alert_fatal, unrecognized_name);
@@ -1461,8 +1469,8 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest)
if (isRequest) {
#ifndef NO_WOLFSSL_SERVER
- TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION);
- TLSX* ssl_ext = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION);
+ TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME);
+ TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME);
SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL;
SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL;
SNI* sni = NULL;
@@ -1502,7 +1510,7 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest)
int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
{
- TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION);
+ TLSX* extension = TLSX_Find(*extensions, TLSX_SERVER_NAME);
SNI* sni = NULL;
if (extensions == NULL || data == NULL)
@@ -1512,7 +1520,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
return MEMORY_E;
if (!extension) {
- int ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni);
+ int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni);
if (ret != 0) {
TLSX_SNI_Free(sni);
return ret;
@@ -1546,7 +1554,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
/** Tells the SNI requested by the client. */
word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
{
- TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) {
@@ -1563,7 +1571,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data)
/** Sets the options for a SNI object. */
void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options)
{
- TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION);
+ TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME);
SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type);
if (sni)
@@ -1596,7 +1604,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
return BUFFER_ERROR;
ato16(clientHello + offset, &len16);
- offset += OPAQUE16_LEN;
+ /* Returning SNI_UNSUPPORTED do not increment offset here */
if (len16 != 0) /* session_id_length must be 0 */
return BUFFER_ERROR;
@@ -1681,7 +1689,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
if (helloSz < offset + extLen)
return BUFFER_ERROR;
- if (extType != SERVER_NAME_INDICATION) {
+ if (extType != TLSX_SERVER_NAME) {
offset += extLen; /* skip extension */
} else {
word16 listLen;
@@ -1739,6 +1747,10 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
#endif /* HAVE_SNI */
+/******************************************************************************/
+/* Max Fragment Length Negotiation */
+/******************************************************************************/
+
#ifdef HAVE_MAX_FRAGMENT
static word16 TLSX_MFL_Write(byte* data, byte* output)
@@ -1775,7 +1787,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (r != SSL_SUCCESS) return r; /* throw error */
- TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH);
+ TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH);
}
#endif
@@ -1793,13 +1805,13 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl)
return BAD_FUNC_ARG;
- if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((data = XMALLOC(ENUM_LEN, NULL, DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
data[0] = mfl;
/* push new MFL extension. */
- if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) {
+ if ((ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data)) != 0) {
XFREE(data, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
@@ -1822,6 +1834,10 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
#endif /* HAVE_MAX_FRAGMENT */
+/******************************************************************************/
+/* Truncated HMAC */
+/******************************************************************************/
+
#ifdef HAVE_TRUNCATED_HMAC
static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
@@ -1836,9 +1852,10 @@ static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length,
if (isRequest) {
int r = TLSX_UseTruncatedHMAC(&ssl->extensions);
- if (r != SSL_SUCCESS) return r; /* throw error */
+ if (r != SSL_SUCCESS)
+ return r; /* throw error */
- TLSX_SetResponse(ssl, TRUNCATED_HMAC);
+ TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC);
}
#endif
@@ -1854,7 +1871,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions)
if (extensions == NULL)
return BAD_FUNC_ARG;
- if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0)
+ if ((ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL)) != 0)
return ret;
return SSL_SUCCESS;
@@ -1868,6 +1885,734 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions)
#endif /* HAVE_TRUNCATED_HMAC */
+/******************************************************************************/
+/* Certificate Status Request */
+/******************************************************************************/
+
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+
+static void TLSX_CSR_Free(CertificateStatusRequest* csr)
+{
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ FreeOcspRequest(&csr->request.ocsp);
+ break;
+ }
+
+ XFREE(csr, NULL, DYNAMIC_TYPE_TLSX);
+}
+
+static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest)
+{
+ word16 size = 0;
+
+ /* shut up compiler warnings */
+ (void) csr; (void) isRequest;
+
+#ifndef NO_WOLFSSL_CLIENT
+ if (isRequest) {
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ size += ENUM_LEN + 2 * OPAQUE16_LEN;
+
+ if (csr->request.ocsp.nonceSz)
+ size += OCSP_NONCE_EXT_SZ;
+ break;
+ }
+ }
+#endif
+
+ return size;
+}
+
+static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output,
+ byte isRequest)
+{
+ /* shut up compiler warnings */
+ (void) csr; (void) output; (void) isRequest;
+
+#ifndef NO_WOLFSSL_CLIENT
+ if (isRequest) {
+ word16 offset = 0;
+ word16 length = 0;
+
+ /* type */
+ output[offset++] = csr->status_type;
+
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ /* responder id list */
+ c16toa(0, output + offset);
+ offset += OPAQUE16_LEN;
+
+ /* request extensions */
+ if (csr->request.ocsp.nonceSz)
+ length = EncodeOcspRequestExtensions(
+ &csr->request.ocsp,
+ output + offset + OPAQUE16_LEN,
+ OCSP_NONCE_EXT_SZ);
+
+ c16toa(length, output + offset);
+ offset += OPAQUE16_LEN + length;
+
+ break;
+ }
+
+ return offset;
+ }
+#endif
+
+ return 0;
+}
+
+static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length,
+ byte isRequest)
+{
+ int ret;
+
+ /* shut up compiler warnings */
+ (void) ssl; (void) input;
+
+ if (!isRequest) {
+#ifndef NO_WOLFSSL_CLIENT
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
+ CertificateStatusRequest* csr = extension ? extension->data : NULL;
+
+ if (!csr) {
+ /* look at context level */
+
+ extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST);
+ csr = extension ? extension->data : NULL;
+
+ if (!csr)
+ return BUFFER_ERROR; /* unexpected extension */
+
+ /* enable extension at ssl level */
+ ret = TLSX_UseCertificateStatusRequest(&ssl->extensions,
+ csr->status_type, csr->options);
+ if (ret != SSL_SUCCESS)
+ return ret;
+
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ /* propagate nonce */
+ if (csr->request.ocsp.nonceSz) {
+ OcspRequest* request =
+ TLSX_CSR_GetRequest(ssl->extensions);
+
+ if (request) {
+ XMEMCPY(request->nonce, csr->request.ocsp.nonce,
+ csr->request.ocsp.nonceSz);
+ request->nonceSz = csr->request.ocsp.nonceSz;
+ }
+ }
+ break;
+ }
+ }
+
+ ssl->status_request = 1;
+
+ return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
+#endif
+ }
+ else {
+#ifndef NO_WOLFSSL_SERVER
+ byte status_type;
+ word16 offset = 0;
+ word16 size = 0;
+
+ if (length < ENUM_LEN)
+ return BUFFER_ERROR;
+
+ status_type = input[offset++];
+
+ switch (status_type) {
+ case WOLFSSL_CSR_OCSP: {
+
+ /* skip responder_id_list */
+ if (length - offset < OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(input + offset, &size);
+ offset += OPAQUE16_LEN + size;
+
+ /* skip request_extensions */
+ if (length - offset < OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(input + offset, &size);
+ offset += OPAQUE16_LEN + size;
+
+ if (offset > length)
+ return BUFFER_ERROR;
+
+ /* is able to send OCSP response? */
+ if (ssl->ctx->cm == NULL || !ssl->ctx->cm->ocspStaplingEnabled)
+ return 0;
+ }
+ break;
+ }
+
+ /* if using status_request and already sending it, skip this one */
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ if (ssl->status_request_v2)
+ return 0;
+ #endif
+
+ /* accept the first good status_type and return */
+ ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type,
+ 0);
+ if (ret != SSL_SUCCESS)
+ return ret; /* throw error */
+
+ TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST);
+ ssl->status_request = status_type;
+
+#endif
+ }
+
+ return 0;
+}
+
+int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert)
+{
+ TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
+ CertificateStatusRequest* csr = extension ? extension->data : NULL;
+ int ret = 0;
+
+ if (csr) {
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP: {
+ byte nonce[MAX_OCSP_NONCE_SZ];
+ int nonceSz = csr->request.ocsp.nonceSz;
+
+ /* preserve nonce */
+ XMEMCPY(nonce, csr->request.ocsp.nonce, nonceSz);
+
+ if ((ret = InitOcspRequest(&csr->request.ocsp, cert, 0)) != 0)
+ return ret;
+
+ /* restore nonce */
+ XMEMCPY(csr->request.ocsp.nonce, nonce, nonceSz);
+ csr->request.ocsp.nonceSz = nonceSz;
+ }
+ break;
+ }
+ }
+
+ return ret;
+}
+
+void* TLSX_CSR_GetRequest(TLSX* extensions)
+{
+ TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST);
+ CertificateStatusRequest* csr = extension ? extension->data : NULL;
+
+ if (csr) {
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ return &csr->request.ocsp;
+ break;
+ }
+ }
+
+ return NULL;
+}
+
+int TLSX_CSR_ForceRequest(WOLFSSL* ssl)
+{
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST);
+ CertificateStatusRequest* csr = extension ? extension->data : NULL;
+
+ if (csr) {
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ if (ssl->ctx->cm->ocspEnabled)
+ return CheckOcspRequest(ssl->ctx->cm->ocsp,
+ &csr->request.ocsp, NULL);
+ else
+ return OCSP_LOOKUP_FAIL;
+ }
+ }
+
+ return 0;
+}
+
+int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type,
+ byte options)
+{
+ CertificateStatusRequest* csr = NULL;
+ int ret = 0;
+
+ if (!extensions || status_type != WOLFSSL_CSR_OCSP)
+ return BAD_FUNC_ARG;
+
+ csr = (CertificateStatusRequest*)
+ XMALLOC(sizeof(CertificateStatusRequest), NULL, DYNAMIC_TYPE_TLSX);
+ if (!csr)
+ return MEMORY_E;
+
+ ForceZero(csr, sizeof(CertificateStatusRequest));
+
+ csr->status_type = status_type;
+ csr->options = options;
+
+ switch (csr->status_type) {
+ case WOLFSSL_CSR_OCSP:
+ if (options & WOLFSSL_CSR_OCSP_USE_NONCE) {
+ WC_RNG rng;
+
+ if (wc_InitRng(&rng) == 0) {
+ if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp.nonce,
+ MAX_OCSP_NONCE_SZ) == 0)
+ csr->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ;
+
+ wc_FreeRng(&rng);
+ }
+ }
+ break;
+ }
+
+ if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr)) != 0) {
+ XFREE(csr, NULL, DYNAMIC_TYPE_TLSX);
+ return ret;
+ }
+
+ return SSL_SUCCESS;
+}
+
+#define CSR_FREE_ALL TLSX_CSR_Free
+#define CSR_GET_SIZE TLSX_CSR_GetSize
+#define CSR_WRITE TLSX_CSR_Write
+#define CSR_PARSE TLSX_CSR_Parse
+
+#else
+
+#define CSR_FREE_ALL(data)
+#define CSR_GET_SIZE(a, b) 0
+#define CSR_WRITE(a, b, c) 0
+#define CSR_PARSE(a, b, c, d) 0
+
+#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */
+
+/******************************************************************************/
+/* Certificate Status Request v2 */
+/******************************************************************************/
+
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+
+static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2)
+{
+ CertificateStatusRequestItemV2* next;
+
+ for (; csr2; csr2 = next) {
+ next = csr2->next;
+
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ while(csr2->requests--)
+ FreeOcspRequest(&csr2->request.ocsp[csr2->requests]);
+ break;
+ }
+
+ XFREE(csr2, NULL, DYNAMIC_TYPE_TLSX);
+ }
+}
+
+static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2,
+ byte isRequest)
+{
+ word16 size = 0;
+
+ /* shut up compiler warnings */
+ (void) csr2; (void) isRequest;
+
+#ifndef NO_WOLFSSL_CLIENT
+ if (isRequest) {
+ CertificateStatusRequestItemV2* next;
+
+ for (size = OPAQUE16_LEN; csr2; csr2 = next) {
+ next = csr2->next;
+
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ size += ENUM_LEN + 3 * OPAQUE16_LEN;
+
+ if (csr2->request.ocsp[0].nonceSz)
+ size += OCSP_NONCE_EXT_SZ;
+ break;
+ }
+ }
+ }
+#endif
+
+ return size;
+}
+
+static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2,
+ byte* output, byte isRequest)
+{
+ /* shut up compiler warnings */
+ (void) csr2; (void) output; (void) isRequest;
+
+#ifndef NO_WOLFSSL_CLIENT
+ if (isRequest) {
+ word16 offset;
+ word16 length;
+
+ for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) {
+ /* status_type */
+ output[offset++] = csr2->status_type;
+
+ /* request */
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ /* request_length */
+ length = 2 * OPAQUE16_LEN;
+
+ if (csr2->request.ocsp[0].nonceSz)
+ length += OCSP_NONCE_EXT_SZ;
+
+ c16toa(length, output + offset);
+ offset += OPAQUE16_LEN;
+
+ /* responder id list */
+ c16toa(0, output + offset);
+ offset += OPAQUE16_LEN;
+
+ /* request extensions */
+ length = 0;
+
+ if (csr2->request.ocsp[0].nonceSz)
+ length = EncodeOcspRequestExtensions(
+ &csr2->request.ocsp[0],
+ output + offset + OPAQUE16_LEN,
+ OCSP_NONCE_EXT_SZ);
+
+ c16toa(length, output + offset);
+ offset += OPAQUE16_LEN + length;
+ break;
+ }
+ }
+
+ /* list size */
+ c16toa(offset - OPAQUE16_LEN, output);
+
+ return offset;
+ }
+#endif
+
+ return 0;
+}
+
+static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length,
+ byte isRequest)
+{
+ int ret;
+
+ /* shut up compiler warnings */
+ (void) ssl; (void) input;
+
+ if (!isRequest) {
+#ifndef NO_WOLFSSL_CLIENT
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
+ CertificateStatusRequestItemV2* csr2 = extension ? extension->data
+ : NULL;
+
+ if (!csr2) {
+ /* look at context level */
+
+ extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2);
+ csr2 = extension ? extension->data : NULL;
+
+ if (!csr2)
+ return BUFFER_ERROR; /* unexpected extension */
+
+ /* enable extension at ssl level */
+ for (; csr2; csr2 = csr2->next) {
+ ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
+ csr2->status_type, csr2->options);
+ if (ret != SSL_SUCCESS)
+ return ret;
+
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ /* followed by */
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ /* propagate nonce */
+ if (csr2->request.ocsp[0].nonceSz) {
+ OcspRequest* request =
+ TLSX_CSR2_GetRequest(ssl->extensions,
+ csr2->status_type, 0);
+
+ if (request) {
+ XMEMCPY(request->nonce,
+ csr2->request.ocsp[0].nonce,
+ csr2->request.ocsp[0].nonceSz);
+
+ request->nonceSz =
+ csr2->request.ocsp[0].nonceSz;
+ }
+ }
+ break;
+ }
+ }
+
+ }
+
+ ssl->status_request_v2 = 1;
+
+ return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */
+#endif
+ }
+ else {
+#ifndef NO_WOLFSSL_SERVER
+ byte status_type;
+ word16 request_length;
+ word16 offset = 0;
+ word16 size = 0;
+
+ /* list size */
+ ato16(input + offset, &request_length);
+ offset += OPAQUE16_LEN;
+
+ if (length - OPAQUE16_LEN != request_length)
+ return BUFFER_ERROR;
+
+ while (length > offset) {
+ if (length - offset < ENUM_LEN + OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ status_type = input[offset++];
+
+ ato16(input + offset, &request_length);
+ offset += OPAQUE16_LEN;
+
+ if (length - offset < request_length)
+ return BUFFER_ERROR;
+
+ switch (status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ /* skip responder_id_list */
+ if (length - offset < OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(input + offset, &size);
+ offset += OPAQUE16_LEN + size;
+
+ /* skip request_extensions */
+ if (length - offset < OPAQUE16_LEN)
+ return BUFFER_ERROR;
+
+ ato16(input + offset, &size);
+ offset += OPAQUE16_LEN + size;
+
+ if (offset > length)
+ return BUFFER_ERROR;
+
+ /* is able to send OCSP response? */
+ if (ssl->ctx->cm == NULL
+ || !ssl->ctx->cm->ocspStaplingEnabled)
+ continue;
+ break;
+
+ default:
+ /* unkown status type, skipping! */
+ offset += request_length;
+ continue;
+ }
+
+ /* if using status_request and already sending it, skip this one */
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ if (ssl->status_request)
+ return 0;
+ #endif
+
+ /* accept the first good status_type and return */
+ ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions,
+ status_type, 0);
+ if (ret != SSL_SUCCESS)
+ return ret; /* throw error */
+
+ TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2);
+ ssl->status_request_v2 = status_type;
+
+ return 0;
+ }
+#endif
+ }
+
+ return 0;
+}
+
+int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer)
+{
+ TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
+ CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL;
+ int ret = 0;
+
+ for (; csr2; csr2 = csr2->next) {
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ if (!isPeer || csr2->requests != 0)
+ break;
+
+ /* followed by */
+
+ case WOLFSSL_CSR2_OCSP_MULTI: {
+ if (csr2->requests < 1 + MAX_CHAIN_DEPTH) {
+ byte nonce[MAX_OCSP_NONCE_SZ];
+ int nonceSz = csr2->request.ocsp[0].nonceSz;
+
+ /* preserve nonce, replicating nonce of ocsp[0] */
+ XMEMCPY(nonce, csr2->request.ocsp[0].nonce, nonceSz);
+
+ if ((ret = InitOcspRequest(
+ &csr2->request.ocsp[csr2->requests], cert, 0)) != 0)
+ return ret;
+
+ /* restore nonce */
+ XMEMCPY(csr2->request.ocsp[csr2->requests].nonce,
+ nonce, nonceSz);
+ csr2->request.ocsp[csr2->requests].nonceSz = nonceSz;
+ csr2->requests++;
+ }
+ }
+ break;
+ }
+ }
+
+ return ret;
+}
+
+void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index)
+{
+ TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2);
+ CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL;
+
+ for (; csr2; csr2 = csr2->next) {
+ if (csr2->status_type == status_type) {
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ /* followed by */
+
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ /* requests are initialized in the reverse order */
+ return index < csr2->requests
+ ? &csr2->request.ocsp[csr2->requests - index - 1]
+ : NULL;
+ break;
+ }
+ }
+ }
+
+ return NULL;
+}
+
+int TLSX_CSR2_ForceRequest(WOLFSSL* ssl)
+{
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2);
+ CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL;
+
+ /* forces only the first one */
+ if (csr2) {
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ /* followed by */
+
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ if (ssl->ctx->cm->ocspEnabled)
+ return CheckOcspRequest(ssl->ctx->cm->ocsp,
+ &csr2->request.ocsp[0], NULL);
+ else
+ return OCSP_LOOKUP_FAIL;
+ }
+ }
+
+ return 0;
+}
+
+int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type,
+ byte options)
+{
+ TLSX* extension = NULL;
+ CertificateStatusRequestItemV2* csr2 = NULL;
+ int ret = 0;
+
+ if (!extensions)
+ return BAD_FUNC_ARG;
+
+ if (status_type != WOLFSSL_CSR2_OCSP
+ && status_type != WOLFSSL_CSR2_OCSP_MULTI)
+ return BAD_FUNC_ARG;
+
+ csr2 = (CertificateStatusRequestItemV2*)
+ XMALLOC(sizeof(CertificateStatusRequestItemV2), NULL, DYNAMIC_TYPE_TLSX);
+ if (!csr2)
+ return MEMORY_E;
+
+ ForceZero(csr2, sizeof(CertificateStatusRequestItemV2));
+
+ csr2->status_type = status_type;
+ csr2->options = options;
+ csr2->next = NULL;
+
+ switch (csr2->status_type) {
+ case WOLFSSL_CSR2_OCSP:
+ case WOLFSSL_CSR2_OCSP_MULTI:
+ if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) {
+ WC_RNG rng;
+
+ if (wc_InitRng(&rng) == 0) {
+ if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce,
+ MAX_OCSP_NONCE_SZ) == 0)
+ csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ;
+
+ wc_FreeRng(&rng);
+ }
+ }
+ break;
+ }
+
+ /* append new item */
+ if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) {
+ CertificateStatusRequestItemV2* last =
+ (CertificateStatusRequestItemV2*)extension->data;
+
+ for (; last->next; last = last->next);
+
+ last->next = csr2;
+ }
+ else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2))) {
+ XFREE(csr2, NULL, DYNAMIC_TYPE_TLSX);
+ return ret;
+ }
+
+ return SSL_SUCCESS;
+}
+
+#define CSR2_FREE_ALL TLSX_CSR2_FreeAll
+#define CSR2_GET_SIZE TLSX_CSR2_GetSize
+#define CSR2_WRITE TLSX_CSR2_Write
+#define CSR2_PARSE TLSX_CSR2_Parse
+
+#else
+
+#define CSR2_FREE_ALL(data)
+#define CSR2_GET_SIZE(a, b) 0
+#define CSR2_WRITE(a, b, c) 0
+#define CSR2_PARSE(a, b, c, d) 0
+
+#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */
+
+/******************************************************************************/
+/* Supported Elliptic Curves */
+/******************************************************************************/
+
#ifdef HAVE_SUPPORTED_CURVES
#ifndef HAVE_ECC
@@ -1887,12 +2632,14 @@ static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list)
static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name)
{
- EllipticCurve* curve;
+ EllipticCurve* curve = NULL;
if (list == NULL)
return BAD_FUNC_ARG;
- if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ curve = (EllipticCurve*)XMALLOC(sizeof(EllipticCurve), NULL,
+ DYNAMIC_TYPE_TLSX);
+ if (curve == NULL)
return MEMORY_E;
curve->name = name;
@@ -1914,7 +2661,7 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
return;
/* turns semaphore on to avoid sending this extension. */
- TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES));
+ TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS));
}
static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
@@ -1988,7 +2735,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length,
int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE)
- ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES)
+ ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS)
: NULL;
EllipticCurve* curve = NULL;
word32 oid = 0;
@@ -2097,7 +2844,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) {
int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
{
- TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES);
+ TLSX* extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS);
EllipticCurve* curve = NULL;
int ret = 0;
@@ -2108,7 +2855,7 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
return ret;
if (!extension) {
- if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) {
+ if ((ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve)) != 0) {
XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
@@ -2161,6 +2908,10 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
#endif /* HAVE_SUPPORTED_CURVES */
+/******************************************************************************/
+/* Renegotiation Indication */
+/******************************************************************************/
+
#ifdef HAVE_SECURE_RENEGOTIATION
static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data,
@@ -2259,7 +3010,7 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions)
XMEMSET(data, 0, sizeof(SecureRenegotiation));
- ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data);
+ ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data);
if (ret != 0) {
XFREE(data, 0, DYNAMIC_TYPE_TLSX);
return ret;
@@ -2283,11 +3034,15 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions)
#endif /* HAVE_SECURE_RENEGOTIATION */
+/******************************************************************************/
+/* Session Tickets */
+/******************************************************************************/
+
#ifdef HAVE_SESSION_TICKET
static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl)
{
- TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET);
+ TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET);
SessionTicket* ticket = extension ? extension->data : NULL;
if (ticket) {
@@ -2345,7 +3100,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
if (ret == SSL_SUCCESS) {
ret = 0;
- TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */
+ TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */
ssl->options.createTicket = 1; /* will send ticket msg */
ssl->options.useTicket = 1;
}
@@ -2361,7 +3116,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length,
ret = TLSX_UseSessionTicket(&ssl->extensions, NULL);
if (ret == SSL_SUCCESS) {
ret = 0;
- TLSX_SetResponse(ssl, SESSION_TICKET);
+ TLSX_SetResponse(ssl, TLSX_SESSION_TICKET);
/* send blank ticket */
ssl->options.createTicket = 1; /* will send ticket msg */
ssl->options.useTicket = 1;
@@ -2416,7 +3171,7 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
/* If the ticket is NULL, the client will request a new ticket from the
server. Otherwise, the client will use it in the next client hello. */
- if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0)
+ if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket)) != 0)
return ret;
return SSL_SUCCESS;
@@ -2436,6 +3191,9 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket)
#endif /* HAVE_SESSION_TICKET */
+/******************************************************************************/
+/* Quantum-Safe-Hybrid */
+/******************************************************************************/
#ifdef HAVE_QSH
static WC_RNG* rng;
@@ -2459,7 +3217,8 @@ static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub,
if (list == NULL)
return BAD_FUNC_ARG;
- if ((temp = XMALLOC(sizeof(QSHScheme), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((temp = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL,
+ DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
temp->name = name;
@@ -2499,7 +3258,7 @@ static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore)
return;
/* No QSH suite found */
- TURN_ON(semaphore, TLSX_ToSemaphore(WOLFSSL_QSH));
+ TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID));
}
@@ -2610,7 +3369,7 @@ word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output)
static void TLSX_QSHAgreement(TLSX** extensions)
{
- TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
+ TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
QSHScheme* delete = NULL;
QSHScheme* prev = NULL;
@@ -2735,7 +3494,8 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
while ((offset_len < offset_pk) && numKeys) {
QSHKey * temp;
- if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), NULL,
+ DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
/* initialize */
@@ -2768,7 +3528,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
/* read in public key */
if (PKLen > 0) {
temp->pub.buffer = (byte*)XMALLOC(temp->pub.length,
- 0, DYNAMIC_TYPE_PUBLIC_KEY);
+ NULL, DYNAMIC_TYPE_PUBLIC_KEY);
XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length);
offset_len += PKLen;
}
@@ -2797,7 +3557,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length,
/* reply to a QSH extension sent from client */
if (isRequest) {
- TLSX_SetResponse(ssl, WOLFSSL_QSH);
+ TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID);
/* only use schemes we have key generated for -- free the rest */
TLSX_QSHAgreement(&ssl->extensions);
}
@@ -2903,7 +3663,7 @@ int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length,
/* return 1 on success */
int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) {
- TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
+ TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
/* if no extension is sent then do not use QSH */
@@ -2947,7 +3707,7 @@ static int TLSX_HaveQSHScheme(word16 name)
/* Add a QSHScheme struct to list of usable ones */
int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
{
- TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH);
+ TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
int ret = 0;
@@ -2961,7 +3721,8 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
return ret;
if (!extension) {
- if ((ret = TLSX_Push(extensions, WOLFSSL_QSH, format)) != 0) {
+ if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format))
+ != 0) {
XFREE(format, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
@@ -3018,6 +3779,9 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz)
#endif /* HAVE_QSH */
+/******************************************************************************/
+/* TLS Extensions Framework */
+/******************************************************************************/
/** Finds an extension in the provided list. */
TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
@@ -3040,35 +3804,43 @@ void TLSX_FreeAll(TLSX* list)
switch (extension->type) {
- case SERVER_NAME_INDICATION:
+ case TLSX_SERVER_NAME:
SNI_FREE_ALL((SNI*)extension->data);
break;
- case MAX_FRAGMENT_LENGTH:
+ case TLSX_MAX_FRAGMENT_LENGTH:
MFL_FREE_ALL(extension->data);
break;
- case TRUNCATED_HMAC:
+ case TLSX_TRUNCATED_HMAC:
/* Nothing to do. */
break;
- case ELLIPTIC_CURVES:
+ case TLSX_SUPPORTED_GROUPS:
EC_FREE_ALL(extension->data);
break;
- case SECURE_RENEGOTIATION:
+ case TLSX_STATUS_REQUEST:
+ CSR_FREE_ALL(extension->data);
+ break;
+
+ case TLSX_STATUS_REQUEST_V2:
+ CSR2_FREE_ALL(extension->data);
+ break;
+
+ case TLSX_RENEGOTIATION_INFO:
SCR_FREE_ALL(extension->data);
break;
- case SESSION_TICKET:
+ case TLSX_SESSION_TICKET:
/* Nothing to do. */
break;
- case WOLFSSL_QSH:
+ case TLSX_QUANTUM_SAFE_HYBRID:
QSH_FREE_ALL(extension->data);
break;
- case WOLFSSL_ALPN:
+ case TLSX_APPLICATION_LAYER_PROTOCOL:
ALPN_FREE_ALL((ALPN*)extension->data);
break;
}
@@ -3105,37 +3877,45 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
switch (extension->type) {
- case SERVER_NAME_INDICATION:
+ case TLSX_SERVER_NAME:
/* SNI only sends the name on the request. */
if (isRequest)
length += SNI_GET_SIZE(extension->data);
break;
- case MAX_FRAGMENT_LENGTH:
+ case TLSX_MAX_FRAGMENT_LENGTH:
length += MFL_GET_SIZE(extension->data);
break;
- case TRUNCATED_HMAC:
+ case TLSX_TRUNCATED_HMAC:
/* always empty. */
break;
- case ELLIPTIC_CURVES:
+ case TLSX_SUPPORTED_GROUPS:
length += EC_GET_SIZE(extension->data);
break;
- case SECURE_RENEGOTIATION:
+ case TLSX_STATUS_REQUEST:
+ length += CSR_GET_SIZE(extension->data, isRequest);
+ break;
+
+ case TLSX_STATUS_REQUEST_V2:
+ length += CSR2_GET_SIZE(extension->data, isRequest);
+ break;
+
+ case TLSX_RENEGOTIATION_INFO:
length += SCR_GET_SIZE(extension->data, isRequest);
break;
- case SESSION_TICKET:
+ case TLSX_SESSION_TICKET:
length += STK_GET_SIZE(extension->data, isRequest);
break;
- case WOLFSSL_QSH:
+ case TLSX_QUANTUM_SAFE_HYBRID:
length += QSH_GET_SIZE(extension->data, isRequest);
break;
- case WOLFSSL_ALPN:
+ case TLSX_APPLICATION_LAYER_PROTOCOL:
length += ALPN_GET_SIZE(extension->data);
break;
@@ -3175,34 +3955,44 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
/* extension data should be written internally. */
switch (extension->type) {
- case SERVER_NAME_INDICATION:
+ case TLSX_SERVER_NAME:
if (isRequest)
offset += SNI_WRITE(extension->data, output + offset);
break;
- case MAX_FRAGMENT_LENGTH:
+ case TLSX_MAX_FRAGMENT_LENGTH:
offset += MFL_WRITE(extension->data, output + offset);
break;
- case TRUNCATED_HMAC:
+ case TLSX_TRUNCATED_HMAC:
/* always empty. */
break;
- case ELLIPTIC_CURVES:
+ case TLSX_SUPPORTED_GROUPS:
offset += EC_WRITE(extension->data, output + offset);
break;
- case SECURE_RENEGOTIATION:
+ case TLSX_STATUS_REQUEST:
+ offset += CSR_WRITE(extension->data, output + offset,
+ isRequest);
+ break;
+
+ case TLSX_STATUS_REQUEST_V2:
+ offset += CSR2_WRITE(extension->data, output + offset,
+ isRequest);
+ break;
+
+ case TLSX_RENEGOTIATION_INFO:
offset += SCR_WRITE(extension->data, output + offset,
isRequest);
break;
- case SESSION_TICKET:
+ case TLSX_SESSION_TICKET:
offset += STK_WRITE(extension->data, output + offset,
isRequest);
break;
- case WOLFSSL_QSH:
+ case TLSX_QUANTUM_SAFE_HYBRID:
if (isRequest) {
offset += QSH_WRITE(extension->data, output + offset);
}
@@ -3210,7 +4000,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
offset += QSH_SERREQ(output + offset, isRequest);
break;
- case WOLFSSL_ALPN:
+ case TLSX_APPLICATION_LAYER_PROTOCOL:
offset += ALPN_WRITE(extension->data, output + offset);
break;
}
@@ -3234,14 +4024,15 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes)
int ret = 0;
if (rng == NULL) {
- if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL,
+ DYNAMIC_TYPE_TLSX)) == NULL)
return DRBG_OUT_OF_MEMORY;
wc_InitRng(rng);
}
if (rngMutex == NULL) {
- if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0,
- DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), NULL,
+ DYNAMIC_TYPE_TLSX)) == NULL)
return DRBG_OUT_OF_MEMORY;
InitMutex(rngMutex);
}
@@ -3360,15 +4151,16 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type)
return ret;
}
- if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL)
+ if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), NULL,
+ DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
temp->name = type;
temp->pub.length = public_key_len;
- temp->pub.buffer = XMALLOC(public_key_len, public_key,
+ temp->pub.buffer = (byte*)XMALLOC(public_key_len, public_key,
DYNAMIC_TYPE_PUBLIC_KEY);
XMEMCPY(temp->pub.buffer, public_key, public_key_len);
temp->pri.length = private_key_len;
- temp->pri.buffer = XMALLOC(private_key_len, private_key,
+ temp->pri.buffer = (byte*)XMALLOC(private_key_len, private_key,
DYNAMIC_TYPE_ARRAYS);
XMEMCPY(temp->pri.buffer, private_key, private_key_len);
temp->next = NULL;
@@ -3471,7 +4263,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer)
}
else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) {
/* for each scheme make a client key */
- extension = TLSX_Find(ssl->extensions, WOLFSSL_QSH);
+ extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (extension) {
qsh = (QSHScheme*)extension->data;
@@ -3596,7 +4388,7 @@ word16 TLSX_GetResponseSize(WOLFSSL* ssl)
#ifdef HAVE_QSH
/* change response if not using TLS_QSH */
if (!ssl->options.haveQSH) {
- TLSX* ext = TLSX_Find(ssl->extensions, WOLFSSL_QSH);
+ TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID);
if (ext)
ext->resp = 0;
}
@@ -3661,49 +4453,61 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest,
return BUFFER_ERROR;
switch (type) {
- case SERVER_NAME_INDICATION:
+ case TLSX_SERVER_NAME:
WOLFSSL_MSG("SNI extension received");
ret = SNI_PARSE(ssl, input + offset, size, isRequest);
break;
- case MAX_FRAGMENT_LENGTH:
+ case TLSX_MAX_FRAGMENT_LENGTH:
WOLFSSL_MSG("Max Fragment Length extension received");
ret = MFL_PARSE(ssl, input + offset, size, isRequest);
break;
- case TRUNCATED_HMAC:
+ case TLSX_TRUNCATED_HMAC:
WOLFSSL_MSG("Truncated HMAC extension received");
ret = THM_PARSE(ssl, input + offset, size, isRequest);
break;
- case ELLIPTIC_CURVES:
+ case TLSX_SUPPORTED_GROUPS:
WOLFSSL_MSG("Elliptic Curves extension received");
ret = EC_PARSE(ssl, input + offset, size, isRequest);
break;
- case SECURE_RENEGOTIATION:
+ case TLSX_STATUS_REQUEST:
+ WOLFSSL_MSG("Certificate Status Request extension received");
+
+ ret = CSR_PARSE(ssl, input + offset, size, isRequest);
+ break;
+
+ case TLSX_STATUS_REQUEST_V2:
+ WOLFSSL_MSG("Certificate Status Request v2 extension received");
+
+ ret = CSR2_PARSE(ssl, input + offset, size, isRequest);
+ break;
+
+ case TLSX_RENEGOTIATION_INFO:
WOLFSSL_MSG("Secure Renegotiation extension received");
ret = SCR_PARSE(ssl, input + offset, size, isRequest);
break;
- case SESSION_TICKET:
+ case TLSX_SESSION_TICKET:
WOLFSSL_MSG("Session Ticket extension received");
ret = STK_PARSE(ssl, input + offset, size, isRequest);
break;
- case WOLFSSL_QSH:
+ case TLSX_QUANTUM_SAFE_HYBRID:
WOLFSSL_MSG("Quantum-Safe-Hybrid extension received");
ret = QSH_PARSE(ssl, input + offset, size, isRequest);
break;
- case WOLFSSL_ALPN:
+ case TLSX_APPLICATION_LAYER_PROTOCOL:
WOLFSSL_MSG("ALPN extension received");
ret = ALPN_PARSE(ssl, input + offset, size, isRequest);
diff --git a/support/wolfssl.pc b/support/wolfssl.pc
index 74800588c..80301285d 100644
--- a/support/wolfssl.pc
+++ b/support/wolfssl.pc
@@ -5,6 +5,6 @@ includedir=${prefix}/include
Name: wolfssl
Description: wolfssl C library.
-Version: 3.6.9d
+Version: 3.8.0
Libs: -L${libdir} -lwolfssl
Cflags: -I${includedir}
diff --git a/tests/api.c b/tests/api.c
index ccd03748c..07b5dce6f 100644
--- a/tests/api.c
+++ b/tests/api.c
@@ -38,6 +38,12 @@
#include
#include
+/* enable testing buffer load functions */
+#ifndef USE_CERT_BUFFERS_2048
+ #define USE_CERT_BUFFERS_2048
+#endif
+#include
+
/*----------------------------------------------------------------------------*
| Constants
*----------------------------------------------------------------------------*/
@@ -232,6 +238,56 @@ static void test_wolfSSL_CTX_load_verify_locations(void)
#endif
}
+static void test_wolfSSL_CTX_SetTmpDH_file(void)
+{
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_DH)
+ WOLFSSL_CTX *ctx;
+
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+
+ /* invalid context */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(NULL,
+ dhParam, SSL_FILETYPE_PEM));
+
+ /* invalid dhParam file */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx,
+ NULL, SSL_FILETYPE_PEM));
+ AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx,
+ bogusFile, SSL_FILETYPE_PEM));
+
+ /* success */
+ AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dhParam,
+ SSL_FILETYPE_PEM));
+
+ wolfSSL_CTX_free(ctx);
+#endif
+}
+
+static void test_wolfSSL_CTX_SetTmpDH_buffer(void)
+{
+#if !defined(NO_CERTS) && !defined(NO_DH)
+ WOLFSSL_CTX *ctx;
+
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method()));
+
+ /* invalid context */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, dh_key_der_2048,
+ sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1));
+
+ /* invalid dhParam file */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, NULL,
+ 0, SSL_FILETYPE_ASN1));
+ AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dsa_key_der_2048,
+ sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1));
+
+ /* success */
+ AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048,
+ sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1));
+
+ wolfSSL_CTX_free(ctx);
+#endif
+}
+
/*----------------------------------------------------------------------------*
| SSL
*----------------------------------------------------------------------------*/
@@ -291,6 +347,71 @@ static void test_client_wolfSSL_new(void)
#endif
}
+static void test_wolfSSL_SetTmpDH_file(void)
+{
+#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_DH)
+ WOLFSSL_CTX *ctx;
+ WOLFSSL *ssl;
+
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+ AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCert,
+ SSL_FILETYPE_PEM));
+ AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKey,
+ SSL_FILETYPE_PEM));
+ AssertNotNull(ssl = wolfSSL_new(ctx));
+
+ /* invalid ssl */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(NULL,
+ dhParam, SSL_FILETYPE_PEM));
+
+ /* invalid dhParam file */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl,
+ NULL, SSL_FILETYPE_PEM));
+ AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl,
+ bogusFile, SSL_FILETYPE_PEM));
+
+ /* success */
+ AssertIntEQ(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhParam,
+ SSL_FILETYPE_PEM));
+
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
+#endif
+}
+
+static void test_wolfSSL_SetTmpDH_buffer(void)
+{
+#if !defined(NO_CERTS) && !defined(NO_DH)
+ WOLFSSL_CTX *ctx;
+ WOLFSSL *ssl;
+
+ AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method()));
+ AssertTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048,
+ sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1));
+ AssertTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048,
+ sizeof_server_key_der_2048, SSL_FILETYPE_ASN1));
+ AssertNotNull(ssl = wolfSSL_new(ctx));
+
+ /* invalid ssl */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, dh_key_der_2048,
+ sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1));
+
+ /* invalid dhParam file */
+ AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, NULL,
+ 0, SSL_FILETYPE_ASN1));
+ AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dsa_key_der_2048,
+ sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1));
+
+ /* success */
+ AssertIntEQ(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048,
+ sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1));
+
+ wolfSSL_free(ssl);
+ wolfSSL_CTX_free(ctx);
+ printf("SUCCESS4\n");
+#endif
+}
+
/*----------------------------------------------------------------------------*
| IO
*----------------------------------------------------------------------------*/
@@ -1328,7 +1449,7 @@ static void verify_ALPN_client_list(WOLFSSL* ssl)
AssertIntEQ(1, sizeof(alpn_list) == clistSz);
AssertIntEQ(0, XMEMCMP(alpn_list, clist, clistSz));
- XFREE(clist, 0, DYNAMIC_TYPE_OUT_BUFFER);
+ XFREE(clist, 0, DYNAMIC_TYPE_TLSX);
}
static void test_wolfSSL_UseALPN_connection(void)
@@ -1471,8 +1592,12 @@ void ApiTest(void)
test_wolfSSL_CTX_use_certificate_file();
test_wolfSSL_CTX_use_PrivateKey_file();
test_wolfSSL_CTX_load_verify_locations();
+ test_wolfSSL_CTX_SetTmpDH_file();
+ test_wolfSSL_CTX_SetTmpDH_buffer();
test_server_wolfSSL_new();
test_client_wolfSSL_new();
+ test_wolfSSL_SetTmpDH_file();
+ test_wolfSSL_SetTmpDH_buffer();
test_wolfSSL_read_write();
/* TLS extensions tests */
diff --git a/tests/unit.c b/tests/unit.c
index a05ae3ccd..41ee8a1d4 100644
--- a/tests/unit.c
+++ b/tests/unit.c
@@ -60,10 +60,7 @@ int unit_test(int argc, char** argv)
#endif /* HAVE_CAVIUM */
#ifndef WOLFSSL_TIRTOS
- if (CurrentDir("tests") || CurrentDir("_build"))
- ChangeDirBack(1);
- else if (CurrentDir("Debug") || CurrentDir("Release"))
- ChangeDirBack(3);
+ ChangeToWolfRoot();
#endif
ApiTest();
@@ -158,26 +155,3 @@ void join_thread(THREAD_TYPE thread)
}
-void InitTcpReady(tcp_ready* ready)
-{
- ready->ready = 0;
- ready->port = 0;
-#ifdef SINGLE_THREADED
-#elif defined(_POSIX_THREADS) && !defined(__MINGW32__)
- pthread_mutex_init(&ready->mutex, 0);
- pthread_cond_init(&ready->cond, 0);
-#endif
-}
-
-
-void FreeTcpReady(tcp_ready* ready)
-{
-#ifdef SINGLE_THREADED
- (void)ready;
-#elif defined(_POSIX_THREADS) && !defined(__MINGW32__)
- pthread_mutex_destroy(&ready->mutex);
- pthread_cond_destroy(&ready->cond);
-#else
- (void)ready;
-#endif
-}
diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c
index c0304e324..792cbbbde 100644
--- a/testsuite/testsuite.c
+++ b/testsuite/testsuite.c
@@ -29,24 +29,6 @@
#include
#include "wolfcrypt/test/test.h"
-/* This function changes the current directory to the wolfssl root */
-static void ChangeDirToRoot(void)
-{
- /* Normal Command Line=_build, Visual Studio=testsuite */
- if (CurrentDir("testsuite") || CurrentDir("_build")) {
- ChangeDirBack(1);
- }
-
- /* Xcode: To output application to correct location: */
- /* 1. Xcode->Preferences->Locations->Locations */
- /* 2. Derived Data Advanced -> Custom */
- /* 3. Relative to Workspace, Build/Products */
- /* Build/Products/Debug or Build/Products/Release */
- else if (CurrentDir("Debug") || CurrentDir("Release")) {
- ChangeDirBack(5);
- }
-}
-
#ifndef SINGLE_THREADED
@@ -118,7 +100,7 @@ int testsuite_test(int argc, char** argv)
#endif
#if !defined(WOLFSSL_TIRTOS)
- ChangeDirToRoot();
+ ChangeToWolfRoot();
#endif
#ifdef WOLFSSL_TIRTOS
@@ -351,28 +333,6 @@ void join_thread(THREAD_TYPE thread)
}
-void InitTcpReady(tcp_ready* ready)
-{
- ready->ready = 0;
- ready->port = 0;
-#if defined(_POSIX_THREADS) && !defined(__MINGW32__)
- pthread_mutex_init(&ready->mutex, 0);
- pthread_cond_init(&ready->cond, 0);
-#endif
-}
-
-
-void FreeTcpReady(tcp_ready* ready)
-{
-#if defined(_POSIX_THREADS) && !defined(__MINGW32__)
- pthread_mutex_destroy(&ready->mutex);
- pthread_cond_destroy(&ready->cond);
-#else
- (void)ready;
-#endif
-}
-
-
void file_test(const char* file, byte* check)
{
FILE* f;
@@ -431,7 +391,7 @@ int main(int argc, char** argv)
server_args.argc = argc;
server_args.argv = argv;
- ChangeDirToRoot();
+ ChangeToWolfRoot();
wolfcrypt_test(&server_args);
if (server_args.return_code != 0) return server_args.return_code;
diff --git a/testsuite/testsuite.vcxproj b/testsuite/testsuite.vcxproj
index 484a87584..beaa08322 100644
--- a/testsuite/testsuite.vcxproj
+++ b/testsuite/testsuite.vcxproj
@@ -193,6 +193,7 @@
true
Console
MachineX86
+ false
diff --git a/tirtos/include.am b/tirtos/include.am
index 0e2f7a902..7299c438e 100644
--- a/tirtos/include.am
+++ b/tirtos/include.am
@@ -6,6 +6,7 @@ EXTRA_DIST += \
tirtos/README \
tirtos/wolfssl.bld \
tirtos/wolfssl.mak \
+ tirtos/products.mak \
tirtos/packages/ti/net/wolfssl/package.bld \
tirtos/packages/ti/net/wolfssl/package.xdc \
tirtos/packages/ti/net/wolfssl/package.xs \
diff --git a/tirtos/products.mak b/tirtos/products.mak
new file mode 100644
index 000000000..8bf1823db
--- /dev/null
+++ b/tirtos/products.mak
@@ -0,0 +1,30 @@
+#
+# ======== products.mak ========
+#
+#
+# Read the http://processors.wiki.ti.com/index.php/Using_wolfSSL_with_TI-RTOS
+# for instructions to download the software required.
+
+# XDC_INSTALL_DIR is the path to XDCtools directory.
+XDC_INSTALL_DIR =
+
+# BIOS_INSTALL_DIR is the path to TI-RTOS Kernel (SYS/BIOS) directory. If you
+# have installed TI-RTOS, it is located in the products/bios_* path.
+BIOS_INSTALL_DIR =
+
+# NDK_INSTALL_DIR is the path to TI-RTOS NDK directory. If you have
+# installed TI-RTOS, it is located in the products/ndk_* path.
+NDK_INSTALL_DIR =
+
+# TIVAWARE_INSTALL_DIR is the path to Tivaware driverlib directory. If you have
+# installed TI-RTOS, it is located in the products/TivaWare_* path.
+TIVAWARE_INSTALL_DIR =
+
+# Define the code generation tools path for TI, IAR and GCC ARM compilers.
+# If you have installed Code Composer Studio, the TI and GCC compiler are
+# located in the ccsv*/tools/compiler/* path.
+#
+# Leave assignment empty to disable any toolchain.
+ti.targets.arm.elf.M4F =
+iar.targets.arm.M4F =
+gnu.targets.arm.M4F =
diff --git a/tirtos/wolfssl.bld b/tirtos/wolfssl.bld
index 1c1e55ef5..59e95103b 100644
--- a/tirtos/wolfssl.bld
+++ b/tirtos/wolfssl.bld
@@ -34,7 +34,7 @@
var armOpts = " -ms ";
var gnuOpts = " -D_POSIX_SOURCE ";
var iarOpts = " --diag_suppress=Pa134 ";
-var TivaWareDir = "";
+var ndkDir = "";
/* Uncomment the following lines to build libraries for debug mode: */
// Pkg.attrs.profile = "debug";
@@ -57,7 +57,7 @@ var ccOpts = {
for (arg = 0; arg < arguments.length; arg++) {
/*
* Get the compiler's installation directory.
- * For "ti.targets.arm.elf.M4F=/vendors/arm/6.1.0",
+ * For "ti.targets.arm.elf.M4F=/vendors/arm/6.1.0",
* we get "/vendors/arm/6.1.0"
*/
var targetName = arguments[arg].split("=")[0];
@@ -68,8 +68,8 @@ for (arg = 0; arg < arguments.length; arg++) {
continue;
}
- if (targetName.match(/^TIVAWARE/) ) {
- TivaWareDir = rootDir;
+ if (targetName.match(/^NDK/) ) {
+ ndkDir = rootDir;
continue;
}
@@ -81,9 +81,9 @@ for (arg = 0; arg < arguments.length; arg++) {
}
/* Include Path (needed to find NDK headers) */
-var ndkPath = "$(NDK_INSTALL_DIR)/packages/ti/ndk/";
-var wolfsslPathInclude = " -I" + ndkPath + "/inc/bsd -DWOLFSSL_TIRTOS ";
+var wolfsslPathInclude = " -I" + ndkDir + "/packages/ti/ndk/inc/bsd "
+ + "-DWOLFSSL_TIRTOS ";
/* lib/ is a generated directory that 'xdc clean' should remove */
-var Pkg = xdc.useModule('xdc.bld.PackageContents');
+var Pkg = xdc.useModule('xdc.bld.PackageContents');
Pkg.generatedFiles.$add("lib/");
diff --git a/tirtos/wolfssl.mak b/tirtos/wolfssl.mak
index 5ab82c065..c419e1a38 100644
--- a/tirtos/wolfssl.mak
+++ b/tirtos/wolfssl.mak
@@ -1,27 +1,17 @@
#
# ======== wolfssl.mak ========
#
+include ./products.mak
-# USER OPTIONAL STEP: These variables are set when building wolfssl
-# through the tirtos.mak
-# Set up dependencies
-XDC_INSTALL_DIR ?= C:/ti/xdctools_3_24_02_30
-SYSBIOS_INSTALL_DIR ?= C:/ti/bios_6_34_01_14
-NDK_INSTALL_DIR ?= C:/ti/ndk_2_24_00_02
-TIRTOS_INSTALLATION_DIR ?= C:/ti/tirtos_tivac_2_00_00_22
-TIVAWARE ?= C:/ti/tivaware
-WOLFSSL_INSTALL_DIR ?= C:/wolfssl/wolfssl-2.9.4
+# Enable older TI-RTOS 2.14-based variables
+ifeq ($(BIOS_INSTALL_DIR),)
+ BIOS_INSTALL_DIR=$(SYSBIOS_INSTALL_DIR)
+endif
+ifeq ($(TIVAWARE_INSTALL_DIR),)
+ TIVAWARE_INSTALL_DIR=$(TIVAWARE)
+endif
-#
-# Set location of various cgtools
-# These variables can be set here or on the command line. These
-# variables are set when building wolfssl through tirtos.mak
-# USER OPTIONAL STEP: user can define below paths to compilers
-ti.targets.arm.elf.M4F ?=
-
-gnu.targets.arm.M4F ?=
-
-iar.targets.arm.M4F ?=
+WOLFSSL_INSTALL_DIR=$(CURDIR)/../
#
# Set XDCARGS to some of the variables above. XDCARGS are passed
@@ -40,12 +30,12 @@ XDCARGS= \
ti.targets.arm.elf.M4F=\"$(ti.targets.arm.elf.M4F)\" \
gnu.targets.arm.M4F=\"$(gnu.targets.arm.M4F)\" \
iar.targets.arm.M4F=\"$(iar.targets.arm.M4F)\" \
- TIVAWARE=\"$(TIVAWARE)\"
+ NDK=\"$(NDK_INSTALL_DIR)\"
#
# Set XDCPATH to contain necessary repositories.
#
-XDCPATH = $(SYSBIOS_INSTALL_DIR)/packages;$(NDK_INSTALL_DIR)/packages;$(WOLFSSL_INSTALL_DIR);$(TIRTOS_INSTALLATION_DIR)/packages;$(TIVAWARE);
+XDCPATH = $(BIOS_INSTALL_DIR)/packages;$(NDK_INSTALL_DIR)/packages;$(WOLFSSL_INSTALL_DIR);$(TIVAWARE_INSTALL_DIR)
export XDCPATH
#
diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c
index fbcf360b2..723194418 100644
--- a/wolfcrypt/benchmark/benchmark.c
+++ b/wolfcrypt/benchmark/benchmark.c
@@ -122,6 +122,7 @@
#pragma warning(disable: 4996)
#endif
+#include "wolfcrypt/benchmark/benchmark.h"
void bench_des(void);
void bench_idea(void);
@@ -244,7 +245,7 @@ int benchmark_test(void *args)
{
#endif
- wolfcrypt_Init();
+ wolfCrypt_Init();
#if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND)
wolfSSL_Debugging_ON();
@@ -487,6 +488,29 @@ void bench_aesgcm(void)
blockType, total, persec);
SHOW_INTEL_CYCLES
printf("\n");
+
+#if 0
+ start = current_time(1);
+ BEGIN_INTEL_CYCLES
+
+ for(i = 0; i < numBlocks; i++)
+ wc_AesGcmDecrypt(&enc, plain, cipher, sizeof(cipher), iv, 12,
+ tag, 16, additional, 13);
+
+ END_INTEL_CYCLES
+ total = current_time(0) - start;
+
+ persec = 1 / total * numBlocks;
+#ifdef BENCH_EMBEDDED
+ /* since using kB, convert to MB/s */
+ persec = persec / 1024;
+#endif
+
+ printf("AES-GCM Decrypt %d %s took %5.3f seconds, %8.3f MB/s", numBlocks,
+ blockType, total, persec);
+ SHOW_INTEL_CYCLES
+ printf("\n");
+#endif
}
#endif
diff --git a/wolfcrypt/benchmark/benchmark.h b/wolfcrypt/benchmark/benchmark.h
new file mode 100644
index 000000000..b916229d3
--- /dev/null
+++ b/wolfcrypt/benchmark/benchmark.h
@@ -0,0 +1,38 @@
+/* wolfcrypt/benchmark/benchmark.h
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifndef WOLFCRYPT_BENCHMARK_H
+#define WOLFCRYPT_BENCHMARK_H
+
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+int benchmark_test(void* args);
+
+#ifdef __cplusplus
+ } /* extern "C" */
+#endif
+
+
+#endif /* WOLFCRYPT_BENCHMARK_H */
+
diff --git a/wolfcrypt/benchmark/include.am b/wolfcrypt/benchmark/include.am
index eee26235f..f147883da 100644
--- a/wolfcrypt/benchmark/include.am
+++ b/wolfcrypt/benchmark/include.am
@@ -5,6 +5,7 @@ noinst_PROGRAMS += wolfcrypt/benchmark/benchmark
wolfcrypt_benchmark_benchmark_SOURCES = wolfcrypt/benchmark/benchmark.c
wolfcrypt_benchmark_benchmark_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD)
wolfcrypt_benchmark_benchmark_DEPENDENCIES = src/libwolfssl.la
+noinst_HEADERS += wolfcrypt/benchmark/benchmark.h
EXTRA_DIST += wolfcrypt/benchmark/benchmark.sln
EXTRA_DIST += wolfcrypt/benchmark/benchmark.vcproj
DISTCLEANFILES+= wolfcrypt/benchmark/.libs/benchmark
diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c
index 0550d6118..c27c55425 100644
--- a/wolfcrypt/src/aes.c
+++ b/wolfcrypt/src/aes.c
@@ -2166,7 +2166,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
{
XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
- wc_AesEncrypt(aes, in + offset, out + offset);
+ wc_AesDecrypt(aes, in + offset, out + offset);
/* XOR block with IV for CBC */
for (i = 0; i < AES_BLOCK_SIZE; i++)
@@ -2651,19 +2651,11 @@ int wc_AesSetIV(Aes* aes, const byte* iv)
#endif
enum {
- CTR_SZ = 4
+ NONCE_SZ = 12,
+ CTR_SZ = 4
};
-static INLINE void InitGcmCounter(byte* inOutCtr)
-{
- inOutCtr[AES_BLOCK_SIZE - 4] = 0;
- inOutCtr[AES_BLOCK_SIZE - 3] = 0;
- inOutCtr[AES_BLOCK_SIZE - 2] = 0;
- inOutCtr[AES_BLOCK_SIZE - 1] = 1;
-}
-
-
static INLINE void IncrementGcmCounter(byte* inOutCtr)
{
int i;
@@ -2752,6 +2744,12 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
XMEMSET(iv, 0, AES_BLOCK_SIZE);
ret = wc_AesSetKey(aes, key, len, iv, AES_ENCRYPTION);
+ #ifdef WOLFSSL_AESNI
+ /* AES-NI code generates its own H value. */
+ if (haveAESNI)
+ return ret;
+ #endif /* WOLFSSL_AESNI */
+
if (ret == 0) {
wc_AesEncrypt(aes, iv, aes->H);
#ifdef GCM_TABLE
@@ -2763,6 +2761,432 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len)
}
+#ifdef WOLFSSL_AESNI
+
+void gfmul(__m128i a, __m128i b, __m128i* out) XASM_LINK("gfmul");
+
+
+/* See Intel® Carry-Less Multiplication Instruction
+ * and its Usage for Computing the GCM Mode White Paper
+ * by Shay Gueron, Intel Mobility Group, Israel Development Center;
+ * and Michael E. Kounavis, Intel Labs, Circuits and Systems Research */
+
+
+/* Figure 9. AES-GCM – Encrypt With Single Block Ghash at a Time */
+
+static void AES_GCM_encrypt(const unsigned char *in,
+ unsigned char *out,
+ const unsigned char* addt,
+ const unsigned char* ivec,
+ unsigned char *tag,
+ int nbytes, int abytes, int ibytes,
+ const unsigned char* key, int nr)
+{
+ int i, j ,k;
+ __m128i tmp1, tmp2, tmp3, tmp4;
+ __m128i H, Y, T;
+ __m128i *KEY = (__m128i*)key;
+ __m128i ctr1, ctr2, ctr3, ctr4;
+ __m128i last_block = _mm_setzero_si128();
+ __m128i ONE = _mm_set_epi32(0, 1, 0, 0);
+ __m128i FOUR = _mm_set_epi32(0, 4, 0, 0);
+ __m128i BSWAP_EPI64 = _mm_set_epi8(8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7);
+ __m128i BSWAP_MASK = _mm_set_epi8(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15);
+ __m128i X = _mm_setzero_si128();
+
+ if(ibytes == 96/8) {
+ Y = _mm_loadu_si128((__m128i*)ivec);
+ Y = _mm_insert_epi32(Y, 0x1000000, 3);
+ /* (Compute E[ZERO, KS] and E[Y0, KS] together */
+ tmp1 = _mm_xor_si128(X, KEY[0]);
+ tmp2 = _mm_xor_si128(Y, KEY[0]);
+ for(j=1; j < nr-1; j+=2) {
+ tmp1 = _mm_aesenc_si128(tmp1, KEY[j]);
+ tmp2 = _mm_aesenc_si128(tmp2, KEY[j]);
+ tmp1 = _mm_aesenc_si128(tmp1, KEY[j+1]);
+ tmp2 = _mm_aesenc_si128(tmp2, KEY[j+1]);
+ }
+ tmp1 = _mm_aesenc_si128(tmp1, KEY[nr-1]);
+ tmp2 = _mm_aesenc_si128(tmp2, KEY[nr-1]);
+ H = _mm_aesenclast_si128(tmp1, KEY[nr]);
+ T = _mm_aesenclast_si128(tmp2, KEY[nr]);
+ H = _mm_shuffle_epi8(H, BSWAP_MASK);
+ }
+ else {
+ tmp1 = _mm_xor_si128(X, KEY[0]);
+ for(j=1; j key, aes->rounds);
+ return 0;
+ }
+#endif
+
#ifdef WOLFSSL_PIC32MZ_CRYPT
ctr = (char *)aes->iv_ce ;
#else
ctr = counter ;
#endif
- XMEMSET(ctr, 0, AES_BLOCK_SIZE);
- XMEMCPY(ctr, iv, ivSz);
- InitGcmCounter(ctr);
+ XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
+ if (ivSz == NONCE_SZ) {
+ XMEMCPY(initialCounter, iv, ivSz);
+ initialCounter[AES_BLOCK_SIZE - 1] = 1;
+ }
+ else {
+ GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);
+ }
+ XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE);
#ifdef WOLFSSL_PIC32MZ_CRYPT
if(blocks)
@@ -3316,8 +3755,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz,
}
GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz);
- InitGcmCounter(ctr);
- wc_AesEncrypt(aes, ctr, scratch);
+ wc_AesEncrypt(aes, initialCounter, scratch);
xorbuf(authTag, scratch, authTagSz);
return 0;
@@ -3334,20 +3772,36 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz,
const byte* c = in;
byte* p = out;
byte counter[AES_BLOCK_SIZE];
+ byte initialCounter[AES_BLOCK_SIZE];
byte *ctr ;
byte scratch[AES_BLOCK_SIZE];
WOLFSSL_ENTER("AesGcmDecrypt");
+#ifdef WOLFSSL_AESNI
+ if (haveAESNI) {
+ if (AES_GCM_decrypt(in, out, authIn, iv, authTag,
+ sz, authInSz, ivSz, (byte*)aes->key, aes->rounds) == 0)
+ return AES_GCM_AUTH_E;
+ return 0;
+ }
+#endif
+
#ifdef WOLFSSL_PIC32MZ_CRYPT
ctr = (char *)aes->iv_ce ;
#else
ctr = counter ;
#endif
- XMEMSET(ctr, 0, AES_BLOCK_SIZE);
- XMEMCPY(ctr, iv, ivSz);
- InitGcmCounter(ctr);
+ XMEMSET(initialCounter, 0, AES_BLOCK_SIZE);
+ if (ivSz == NONCE_SZ) {
+ XMEMCPY(initialCounter, iv, ivSz);
+ initialCounter[AES_BLOCK_SIZE - 1] = 1;
+ }
+ else {
+ GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE);
+ }
+ XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE);
/* Calculate the authTag again using the received auth data and the
* cipher text. */
@@ -3668,7 +4122,7 @@ int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz,
#ifdef HAVE_CAVIUM
-#include
+#include
#include "cavium_common.h"
/* Initiliaze Aes for use with Nitrox device */
@@ -3719,7 +4173,7 @@ static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length,
}
-static int AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
+static int wc_AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
word32 length)
{
wolfssl_word offset = 0;
@@ -3752,7 +4206,7 @@ static int AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in,
return 0;
}
-static int AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in,
+static int wc_AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in,
word32 length)
{
word32 requestId;
diff --git a/wolfcrypt/src/aes_asm.asm b/wolfcrypt/src/aes_asm.asm
index 1e3d2d99e..5453d2e45 100644
--- a/wolfcrypt/src/aes_asm.asm
+++ b/wolfcrypt/src/aes_asm.asm
@@ -794,7 +794,7 @@ AES_192_Key_Expansion PROC
movdqa [rsp+0], xmm6
movdqu xmm1,[rdi]
- movdqu xmm3,16[rdi]
+ movq xmm3,qword ptr 16[rdi]
movdqa [rsi],xmm1
movdqa xmm5,xmm3
@@ -969,4 +969,100 @@ MAKE_RK256_b:
pxor xmm3,xmm2
ret
+
+; See Intel® Carry-Less Multiplication Instruction
+; and its Usage for Computing the GCM Mode White Paper
+; by Shay Gueron, Intel Mobility Group, Israel Development Center;
+; and Michael E. Kounavis, Intel Labs, Circuits and Systems Research
+
+; void gfmul(__m128i a, __m128i b, __m128i* out);
+
+; .globl gfmul
+gfmul PROC
+ ; xmm0 holds operand a (128 bits)
+ ; xmm1 holds operand b (128 bits)
+ ; r8 holds the pointer to output (128 bits)
+
+ ; convert to what we had for att&t convention
+ movdqa xmm0, [rcx]
+ movdqa xmm1, [rdx]
+
+ ; on microsoft xmm6-xmm15 are non volaitle, let's save on stack and restore at end
+ sub rsp,8+4*16 ; 8 = align stack , 4 xmm6-9 16 bytes each
+ movdqa [rsp+0], xmm6
+ movdqa [rsp+16], xmm7
+ movdqa [rsp+32], xmm8
+ movdqa [rsp+48], xmm9
+
+ movdqa xmm3, xmm0
+ pclmulqdq xmm3, xmm1, 0 ; xmm3 holds a0*b0
+ movdqa xmm4, xmm0
+ pclmulqdq xmm4, xmm1, 16 ; xmm4 holds a0*b1
+ movdqa xmm5, xmm0
+ pclmulqdq xmm5, xmm1, 1 ; xmm5 holds a1*b0
+ movdqa xmm6, xmm0
+ pclmulqdq xmm6, xmm1, 17 ; xmm6 holds a1*b1
+ pxor xmm4, xmm5 ; xmm4 holds a0*b1 + a1*b0
+ movdqa xmm5, xmm4
+ psrldq xmm4, 8
+ pslldq xmm5, 8
+ pxor xmm3, xmm5
+ pxor xmm6, xmm4 ; holds the result of
+ ; the carry-less multiplication of
+ ; xmm0 by xmm1
+
+; shift the result by one bit position to the left cope for the fact
+; that bits are reversed
+ movdqa xmm7, xmm3
+ movdqa xmm8, xmm6
+ pslld xmm3, 1
+ pslld xmm6, 1
+ psrld xmm7, 31
+ psrld xmm8, 31
+ movdqa xmm9, xmm7
+ pslldq xmm8, 4
+ pslldq xmm7, 4
+ psrldq xmm9, 12
+ por xmm3, xmm7
+ por xmm6, xmm8
+ por xmm6, xmm9
+
+; first phase of the reduction
+ movdqa xmm7, xmm3
+ movdqa xmm8, xmm3
+ movdqa xmm9, xmm3
+ pslld xmm7, 31 ; packed right shifting << 31
+ pslld xmm8, 30 ; packed right shifting shift << 30
+ pslld xmm9, 25 ; packed right shifting shift << 25
+ pxor xmm7, xmm8 ; xor the shifted versions
+ pxor xmm7, xmm9
+
+ movdqa xmm8, xmm7
+ pslldq xmm7, 12
+ psrldq xmm8, 4
+ pxor xmm3, xmm7 ; first phase of the reduction complete
+ movdqa xmm2, xmm3 ; second phase of the reduction
+ movdqa xmm4, xmm3
+ movdqa xmm5, xmm3
+ psrld xmm2, 1 ; packed left shifting >> 1
+ psrld xmm4, 2 ; packed left shifting >> 2
+ psrld xmm5, 7 ; packed left shifting >> 7
+
+ pxor xmm2, xmm4 ; xor the shifted versions
+ pxor xmm2, xmm5
+ pxor xmm2, xmm8
+ pxor xmm3, xmm2
+ pxor xmm6, xmm3 ; the result is in xmm6
+ movdqu [r8],xmm6 ; store the result
+
+ ; restore non volatile xmms from stack
+ movdqa xmm6, [rsp+0]
+ movdqa xmm7, [rsp+16]
+ movdqa xmm8, [rsp+32]
+ movdqa xmm9, [rsp+48]
+ add rsp,8+4*16 ; 8 = align stack , 4 xmm6-9 16 bytes each
+
+ ret
+gfmul ENDP
+
END
diff --git a/wolfcrypt/src/aes_asm.s b/wolfcrypt/src/aes_asm.s
index b50c7ff95..46f7e29e6 100644
--- a/wolfcrypt/src/aes_asm.s
+++ b/wolfcrypt/src/aes_asm.s
@@ -20,12 +20,12 @@
*/
+/* This file is in at&t asm syntax, see .asm for intel syntax */
+
/* See Intel® Advanced Encryption Standard (AES) Instructions Set White Paper
* by Intel Mobility Group, Israel Development Center, Israel Shay Gueron
*/
-/* This file is in at&t asm syntax, see .asm for intel syntax */
-
/*
AES_CBC_encrypt (const unsigned char *in,
@@ -657,7 +657,7 @@ AES_192_Key_Expansion:
# parameter 2: %rsi
movdqu (%rdi), %xmm1
-movdqu 16(%rdi), %xmm3
+movq 16(%rdi), %xmm3
movdqa %xmm1, (%rsi)
movdqa %xmm3, %xmm5
@@ -814,3 +814,87 @@ pxor %xmm4, %xmm3
pxor %xmm2, %xmm3
ret
+
+#ifdef HAVE_AESGCM
+
+/* See Intel® Carry-Less Multiplication Instruction
+ * and its Usage for Computing the GCM Mode White Paper
+ * by Shay Gueron, Intel Mobility Group, Israel Development Center;
+ * and Michael E. Kounavis, Intel Labs, Circuits and Systems Research
+ *
+ * This is for use with the C code.
+ */
+
+/* Figure 6. Code Sample - Performing Ghash Using Algorithms 1 and 5 */
+
+/*
+ * void gfmul(__m128i a, __m128i b, __m128i* out);
+ */
+.globl gfmul
+gfmul:
+ #xmm0 holds operand a (128 bits)
+ #xmm1 holds operand b (128 bits)
+ #rdi holds the pointer to output (128 bits)
+ movdqa %xmm0, %xmm3
+ pclmulqdq $0, %xmm1, %xmm3 # xmm3 holds a0*b0
+ movdqa %xmm0, %xmm4
+ pclmulqdq $16, %xmm1, %xmm4 # xmm4 holds a0*b1
+ movdqa %xmm0, %xmm5
+ pclmulqdq $1, %xmm1, %xmm5 # xmm5 holds a1*b0
+ movdqa %xmm0, %xmm6
+ pclmulqdq $17, %xmm1, %xmm6 # xmm6 holds a1*b1
+ pxor %xmm5, %xmm4 # xmm4 holds a0*b1 + a1*b0
+ movdqa %xmm4, %xmm5
+ psrldq $8, %xmm4
+ pslldq $8, %xmm5
+ pxor %xmm5, %xmm3
+ pxor %xmm4, %xmm6 # holds the result of
+ # the carry-less multiplication of
+ # xmm0 by xmm1
+
+# shift the result by one bit position to the left cope for the fact
+# that bits are reversed
+ movdqa %xmm3, %xmm7
+ movdqa %xmm6, %xmm8
+ pslld $1, %xmm3
+ pslld $1, %xmm6
+ psrld $31, %xmm7
+ psrld $31, %xmm8
+ movdqa %xmm7, %xmm9
+ pslldq $4, %xmm8
+ pslldq $4, %xmm7
+ psrldq $12, %xmm9
+ por %xmm7, %xmm3
+ por %xmm8, %xmm6
+ por %xmm9, %xmm6
+
+# first phase of the reduction
+ movdqa %xmm3, %xmm7
+ movdqa %xmm3, %xmm8
+ movdqa %xmm3, %xmm9
+ pslld $31, %xmm7 # packed right shifting << 31
+ pslld $30, %xmm8 # packed right shifting shift << 30
+ pslld $25, %xmm9 # packed right shifting shift << 25
+ pxor %xmm8, %xmm7 # xor the shifted versions
+ pxor %xmm9, %xmm7
+
+ movdqa %xmm7, %xmm8
+ pslldq $12, %xmm7
+ psrldq $4, %xmm8
+ pxor %xmm7, %xmm3 # first phase of the reduction complete
+ movdqa %xmm3,%xmm2 # second phase of the reduction
+ movdqa %xmm3,%xmm4
+ movdqa %xmm3,%xmm5
+ psrld $1, %xmm2 # packed left shifting >> 1
+ psrld $2, %xmm4 # packed left shifting >> 2
+ psrld $7, %xmm5 # packed left shifting >> 7
+
+ pxor %xmm4, %xmm2 # xor the shifted versions
+ pxor %xmm5, %xmm2
+ pxor %xmm8, %xmm2
+ pxor %xmm2, %xmm3
+ pxor %xmm3, %xmm6 # the result is in xmm6
+ movdqu %xmm6, (%rdi) # store the result
+ ret
+
+#endif /* HAVE_AESGCM */
diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c
index 03353d45a..6488467b7 100644
--- a/wolfcrypt/src/asn.c
+++ b/wolfcrypt/src/asn.c
@@ -43,7 +43,11 @@
#include
#include
-
+#ifdef NO_INLINE
+ #include
+#else
+ #include
+#endif
#ifndef NO_RC4
#include
@@ -196,7 +200,12 @@
/* uses complete facility */
#include
#define XTIME(tl) time((tl))
- #define XGMTIME(c, t) gmtime((c))
+ #ifdef HAVE_GMTIME_R
+ #define XGMTIME(c, t) gmtime_r((c), (t))
+ #define NEED_TMP_TIME
+ #else
+ #define XGMTIME(c, t) gmtime((c))
+ #endif
#define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t))
#endif
@@ -669,12 +678,440 @@ WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
}
-static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
- word32 maxIdx)
+/* hashType */
+static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2};
+static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5};
+static const byte hashSha1hOid[] = {43, 14, 3, 2, 26};
+static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1};
+static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2};
+static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3};
+
+/* sigType */
+#ifndef NO_DSA
+ static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3};
+#endif /* NO_DSA */
+#ifndef NO_RSA
+ static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2};
+ static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4};
+ static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5};
+ static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11};
+ static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12};
+ static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13};
+#endif /* NO_RSA */
+#ifdef HAVE_ECC
+ static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1};
+ static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2};
+ static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3};
+ static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4};
+#endif /* HAVE_ECC */
+
+/* keyType */
+#ifndef NO_DSA
+ static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1};
+#endif /* NO_DSA */
+#ifndef NO_RSA
+ static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1};
+#endif /* NO_RSA */
+#ifdef HAVE_NTRU
+ static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1};
+#endif /* HAVE_NTRU */
+#ifdef HAVE_ECC
+ static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1};
+#endif /* HAVE_ECC */
+
+/* curveType */
+#ifdef HAVE_ECC
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
+ static const byte curve192v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 1};
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */
+ #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
+ static const byte curve256v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 7};
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
+ static const byte curve160r1Oid[] = {43, 129, 4, 0, 2};
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
+ static const byte curve224r1Oid[] = {43, 129, 4, 0, 33};
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
+ static const byte curve384r1Oid[] = {43, 129, 4, 0, 34};
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
+ static const byte curve521r1Oid[] = {43, 129, 4, 0, 35};
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */
+#endif /* HAVE_ECC */
+
+/* blkType */
+static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7};
+static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7};
+
+/* ocspType */
+#ifdef HAVE_OCSP
+ static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1};
+ static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2};
+#endif /* HAVE_OCSP */
+
+/* certExtType */
+static const byte extBasicCaOid[] = {85, 29, 19};
+static const byte extAltNamesOid[] = {85, 29, 17};
+static const byte extCrlDistOid[] = {85, 29, 31};
+static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1};
+static const byte extAuthKeyOid[] = {85, 29, 35};
+static const byte extSubjKeyOid[] = {85, 29, 14};
+static const byte extCertPolicyOid[] = {85, 29, 32};
+static const byte extKeyUsageOid[] = {85, 29, 15};
+static const byte extInhibitAnyOid[] = {85, 29, 54};
+static const byte extExtKeyUsageOid[] = {85, 29, 37};
+static const byte extNameConsOid[] = {85, 29, 30};
+
+/* certAuthInfoType */
+static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1};
+static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2};
+
+/* certPolicyType */
+static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0};
+
+/* certKeyUseType */
+static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4};
+
+/* certKeyUseType */
+static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0};
+static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1};
+static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2};
+static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9};
+
+/* kdfType */
+static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12};
+
+static const byte* OidFromId(word32 id, word32 type, word32* oidSz)
+{
+ const byte* oid = NULL;
+
+ *oidSz = 0;
+
+ switch (type) {
+
+ case hashType:
+ switch (id) {
+ case MD2h:
+ oid = hashMd2hOid;
+ *oidSz = sizeof(hashMd2hOid);
+ break;
+ case MD5h:
+ oid = hashMd5hOid;
+ *oidSz = sizeof(hashMd5hOid);
+ break;
+ case SHAh:
+ oid = hashSha1hOid;
+ *oidSz = sizeof(hashSha1hOid);
+ break;
+ case SHA256h:
+ oid = hashSha256hOid;
+ *oidSz = sizeof(hashSha256hOid);
+ break;
+ case SHA384h:
+ oid = hashSha384hOid;
+ *oidSz = sizeof(hashSha384hOid);
+ break;
+ case SHA512h:
+ oid = hashSha512hOid;
+ *oidSz = sizeof(hashSha512hOid);
+ break;
+ }
+ break;
+
+ case sigType:
+ switch (id) {
+ #ifndef NO_DSA
+ case CTC_SHAwDSA:
+ oid = sigSha1wDsaOid;
+ *oidSz = sizeof(sigSha1wDsaOid);
+ break;
+ #endif /* NO_DSA */
+ #ifndef NO_RSA
+ case CTC_MD2wRSA:
+ oid = sigMd2wRsaOid;
+ *oidSz = sizeof(sigMd2wRsaOid);
+ break;
+ case CTC_MD5wRSA:
+ oid = sigMd5wRsaOid;
+ *oidSz = sizeof(sigMd5wRsaOid);
+ break;
+ case CTC_SHAwRSA:
+ oid = sigSha1wRsaOid;
+ *oidSz = sizeof(sigSha1wRsaOid);
+ break;
+ case CTC_SHA256wRSA:
+ oid = sigSha256wRsaOid;
+ *oidSz = sizeof(sigSha256wRsaOid);
+ break;
+ case CTC_SHA384wRSA:
+ oid = sigSha384wRsaOid;
+ *oidSz = sizeof(sigSha384wRsaOid);
+ break;
+ case CTC_SHA512wRSA:
+ oid = sigSha512wRsaOid;
+ *oidSz = sizeof(sigSha512wRsaOid);
+ break;
+ #endif /* NO_RSA */
+ #ifdef HAVE_ECC
+ case CTC_SHAwECDSA:
+ oid = sigSha1wEcdsaOid;
+ *oidSz = sizeof(sigSha1wEcdsaOid);
+ break;
+ case CTC_SHA256wECDSA:
+ oid = sigSha256wEcdsaOid;
+ *oidSz = sizeof(sigSha256wEcdsaOid);
+ break;
+ case CTC_SHA384wECDSA:
+ oid = sigSha384wEcdsaOid;
+ *oidSz = sizeof(sigSha384wEcdsaOid);
+ break;
+ case CTC_SHA512wECDSA:
+ oid = sigSha512wEcdsaOid;
+ *oidSz = sizeof(sigSha512wEcdsaOid);
+ break;
+ #endif /* HAVE_ECC */
+ default:
+ break;
+ }
+ break;
+
+ case keyType:
+ switch (id) {
+ #ifndef NO_DSA
+ case DSAk:
+ oid = keyDsaOid;
+ *oidSz = sizeof(keyDsaOid);
+ break;
+ #endif /* NO_DSA */
+ #ifndef NO_RSA
+ case RSAk:
+ oid = keyRsaOid;
+ *oidSz = sizeof(keyRsaOid);
+ break;
+ #endif /* NO_RSA */
+ #ifdef HAVE_NTRU
+ case NTRUk:
+ oid = keyNtruOid;
+ *oidSz = sizeof(keyNtruOid);
+ break;
+ #endif /* HAVE_NTRU */
+ #ifdef HAVE_ECC
+ case ECDSAk:
+ oid = keyEcdsaOid;
+ *oidSz = sizeof(keyEcdsaOid);
+ break;
+ #endif /* HAVE_ECC */
+ default:
+ break;
+ }
+ break;
+
+ #ifdef HAVE_ECC
+ case curveType:
+ switch (id) {
+ #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256)
+ case ECC_256R1:
+ oid = curve256v1Oid;
+ *oidSz = sizeof(curve256v1Oid);
+ break;
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384)
+ case ECC_384R1:
+ oid = curve384r1Oid;
+ *oidSz = sizeof(curve384r1Oid);
+ break;
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521)
+ case ECC_521R1:
+ oid = curve521r1Oid;
+ *oidSz = sizeof(curve521r1Oid);
+ break;
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160)
+ case ECC_160R1:
+ oid = curve160r1Oid;
+ *oidSz = sizeof(curve160r1Oid);
+ break;
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192)
+ case ECC_192R1:
+ oid = curve192v1Oid;
+ *oidSz = sizeof(curve192v1Oid);
+ break;
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */
+ #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224)
+ case ECC_224R1:
+ oid = curve224r1Oid;
+ *oidSz = sizeof(curve224r1Oid);
+ break;
+ #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */
+ default:
+ break;
+ }
+ break;
+ #endif /* HAVE_ECC */
+
+ case blkType:
+ switch (id) {
+ case DESb:
+ oid = blkDesCbcOid;
+ *oidSz = sizeof(blkDesCbcOid);
+ break;
+ case DES3b:
+ oid = blkDes3CbcOid;
+ *oidSz = sizeof(blkDes3CbcOid);
+ break;
+ }
+ break;
+
+ #ifdef HAVE_OCSP
+ case ocspType:
+ switch (id) {
+ case OCSP_BASIC_OID:
+ oid = ocspBasicOid;
+ *oidSz = sizeof(ocspBasicOid);
+ break;
+ case OCSP_NONCE_OID:
+ oid = ocspNonceOid;
+ *oidSz = sizeof(ocspNonceOid);
+ break;
+ }
+ break;
+ #endif /* HAVE_OCSP */
+
+ case certExtType:
+ switch (id) {
+ case BASIC_CA_OID:
+ oid = extBasicCaOid;
+ *oidSz = sizeof(extBasicCaOid);
+ break;
+ case ALT_NAMES_OID:
+ oid = extAltNamesOid;
+ *oidSz = sizeof(extAltNamesOid);
+ break;
+ case CRL_DIST_OID:
+ oid = extCrlDistOid;
+ *oidSz = sizeof(extCrlDistOid);
+ break;
+ case AUTH_INFO_OID:
+ oid = extAuthInfoOid;
+ *oidSz = sizeof(extAuthInfoOid);
+ break;
+ case AUTH_KEY_OID:
+ oid = extAuthKeyOid;
+ *oidSz = sizeof(extAuthKeyOid);
+ break;
+ case SUBJ_KEY_OID:
+ oid = extSubjKeyOid;
+ *oidSz = sizeof(extSubjKeyOid);
+ break;
+ case CERT_POLICY_OID:
+ oid = extCertPolicyOid;
+ *oidSz = sizeof(extCertPolicyOid);
+ break;
+ case KEY_USAGE_OID:
+ oid = extKeyUsageOid;
+ *oidSz = sizeof(extKeyUsageOid);
+ break;
+ case INHIBIT_ANY_OID:
+ oid = extInhibitAnyOid;
+ *oidSz = sizeof(extInhibitAnyOid);
+ break;
+ case EXT_KEY_USAGE_OID:
+ oid = extExtKeyUsageOid;
+ *oidSz = sizeof(extExtKeyUsageOid);
+ break;
+ case NAME_CONS_OID:
+ oid = extNameConsOid;
+ *oidSz = sizeof(extNameConsOid);
+ break;
+ }
+ break;
+
+ case certAuthInfoType:
+ switch (id) {
+ case AIA_OCSP_OID:
+ oid = extAuthInfoOcspOid;
+ *oidSz = sizeof(extAuthInfoOcspOid);
+ break;
+ case AIA_CA_ISSUER_OID:
+ oid = extAuthInfoCaIssuerOid;
+ *oidSz = sizeof(extAuthInfoCaIssuerOid);
+ break;
+ }
+ break;
+
+ case certPolicyType:
+ switch (id) {
+ case CP_ANY_OID:
+ oid = extCertPolicyAnyOid;
+ *oidSz = sizeof(extCertPolicyAnyOid);
+ break;
+ }
+ break;
+
+ case certAltNameType:
+ switch (id) {
+ case HW_NAME_OID:
+ oid = extAltNamesHwNameOid;
+ *oidSz = sizeof(extAltNamesHwNameOid);
+ break;
+ }
+ break;
+
+ case certKeyUseType:
+ switch (id) {
+ case EKU_ANY_OID:
+ oid = extExtKeyUsageAnyOid;
+ *oidSz = sizeof(extExtKeyUsageAnyOid);
+ break;
+ case EKU_SERVER_AUTH_OID:
+ oid = extExtKeyUsageServerAuthOid;
+ *oidSz = sizeof(extExtKeyUsageServerAuthOid);
+ break;
+ case EKU_CLIENT_AUTH_OID:
+ oid = extExtKeyUsageClientAuthOid;
+ *oidSz = sizeof(extExtKeyUsageClientAuthOid);
+ break;
+ case EKU_OCSP_SIGN_OID:
+ oid = extExtKeyUsageOcspSignOid;
+ *oidSz = sizeof(extExtKeyUsageOcspSignOid);
+ break;
+ }
+
+ case kdfType:
+ switch (id) {
+ case PBKDF2_OID:
+ oid = pbkdf2Oid;
+ *oidSz = sizeof(pbkdf2Oid);
+ break;
+ }
+ break;
+
+ case ignoreType:
+ default:
+ break;
+ }
+
+ return oid;
+}
+
+
+WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
+ word32 oidType, word32 maxIdx)
{
int length;
word32 i = *inOutIdx;
+#ifndef NO_VERIFY_OID
+ word32 actualOidSz = 0;
+ const byte* actualOid;
+#endif /* NO_VERIFY_OID */
byte b;
+
+ (void)oidType;
+ WOLFSSL_ENTER("GetObjectId()");
*oid = 0;
b = input[i++];
@@ -684,18 +1121,63 @@ static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
if (GetLength(input, &i, &length, maxIdx) < 0)
return ASN_PARSE_E;
- while(length--)
- *oid += input[i++];
+#ifndef NO_VERIFY_OID
+ actualOid = &input[i];
+ if (length > 0)
+ actualOidSz = (word32)length;
+#endif /* NO_VERIFY_OID */
+
+ while(length--) {
+ /* odd HC08 compiler behavior here when input[i++] */
+ *oid += input[i];
+ i++;
+ }
/* just sum it up for now */
*inOutIdx = i;
+#ifndef NO_VERIFY_OID
+ {
+ const byte* checkOid = NULL;
+ word32 checkOidSz;
+
+ if (oidType != ignoreType) {
+ checkOid = OidFromId(*oid, oidType, &checkOidSz);
+
+ if (checkOid != NULL &&
+ (checkOidSz != actualOidSz ||
+ XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) {
+
+ WOLFSSL_MSG("OID Check Failed");
+ return ASN_UNKNOWN_OID_E;
+ }
+ }
+ }
+#endif /* NO_VERIFY_OID */
+
return 0;
}
+#ifndef HAVE_USER_RSA
+static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx)
+{
+ int length;
+
+ if (input[(*inOutIdx)++] != ASN_OBJECT_ID)
+ return ASN_OBJECT_ID_E;
+
+ if (GetLength(input, inOutIdx, &length, maxIdx) < 0)
+ return ASN_PARSE_E;
+
+ *inOutIdx += length;
+
+ return 0;
+}
+#endif
+
WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
- word32 maxIdx)
+ word32 oidType, word32 maxIdx)
{
int length;
word32 i = *inOutIdx;
@@ -707,31 +1189,18 @@ WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
if (GetSequence(input, &i, &length, maxIdx) < 0)
return ASN_PARSE_E;
- b = input[i++];
- if (b != ASN_OBJECT_ID)
+ if (GetObjectId(input, &i, oid, oidType, maxIdx) < 0)
return ASN_OBJECT_ID_E;
- if (GetLength(input, &i, &length, maxIdx) < 0)
- return ASN_PARSE_E;
-
- while(length--) {
- /* odd HC08 compiler behavior here when input[i++] */
- *oid += input[i];
- i++;
- }
- /* just sum it up for now */
-
/* could have NULL tag and 0 terminator, but may not */
- b = input[i++];
+ b = input[i];
if (b == ASN_TAG_NULL) {
+ i++;
b = input[i++];
if (b != 0)
return ASN_EXPECT_0_E;
}
- else
- /* go back, didn't have it */
- i--;
*inOutIdx = i;
@@ -847,7 +1316,7 @@ int ToTraditional(byte* input, word32 sz)
if (GetMyVersion(input, &inOutIdx, &version) < 0)
return ASN_PARSE_E;
- if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
+ if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0)
return ASN_PARSE_E;
if (input[inOutIdx] == ASN_OBJECT_ID) {
@@ -1124,7 +1593,7 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
if (GetSequence(input, &inOutIdx, &length, sz) < 0)
return ASN_PARSE_E;
- if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
+ if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0)
return ASN_PARSE_E;
first = input[inOutIdx - 2]; /* PKCS version alwyas 2nd to last byte */
@@ -1138,7 +1607,7 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
if (GetSequence(input, &inOutIdx, &length, sz) < 0)
return ASN_PARSE_E;
- if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0)
+ if (GetAlgoId(input, &inOutIdx, &oid, kdfType, sz) < 0)
return ASN_PARSE_E;
if (oid != PBKDF2_OID)
@@ -1183,7 +1652,8 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz)
if (version == PKCS5v2) {
/* get encryption algo */
- if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) {
+ /* JOHN: New type. Need a little more research. */
+ if (GetAlgoId(input, &inOutIdx, &oid, blkType, sz) < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER);
XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@@ -1276,15 +1746,9 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
if (GetSequence(input, inOutIdx, &length, inSz) < 0)
return ASN_PARSE_E;
- b = input[(*inOutIdx)++];
- if (b != ASN_OBJECT_ID)
- return ASN_OBJECT_ID_E;
-
- if (GetLength(input, inOutIdx, &length, inSz) < 0)
+ if (SkipObjectId(input, inOutIdx, inSz) < 0)
return ASN_PARSE_E;
- *inOutIdx += length; /* skip past */
-
/* could have NULL tag and 0 terminator, but may not */
b = input[(*inOutIdx)++];
@@ -1516,11 +1980,7 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen)
mp_int* keyInt = GetDsaInt(key, i);
/* leading zero */
- if ((mp_count_bits(keyInt) & 7) == 0 || mp_iszero(keyInt) == MP_YES)
- lbit = 1;
- else
- lbit = 0;
-
+ lbit = mp_leading_bit(keyInt);
rawLen = mp_unsigned_bin_size(keyInt) + lbit;
tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, NULL, DYNAMIC_TYPE_DSA);
@@ -1751,9 +2211,9 @@ void FreeDecodedCert(DecodedCert* cert)
FreeNameSubtrees(cert->excludedNames, cert->heap);
#endif /* IGNORE_NAME_CONSTRAINTS */
#ifdef WOLFSSL_SEP
- XFREE(cert->deviceType, cert->heap, 0);
- XFREE(cert->hwType, cert->heap, 0);
- XFREE(cert->hwSerialNum, cert->heap, 0);
+ XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT);
+ XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT);
+ XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT);
#endif /* WOLFSSL_SEP */
#ifdef OPENSSL_EXTRA
if (cert->issuerName.fullName != NULL)
@@ -1889,7 +2349,8 @@ static int GetKey(DecodedCert* cert)
if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
return ASN_PARSE_E;
- if (GetAlgoId(cert->source, &cert->srcIdx, &cert->keyOID, cert->maxIdx) < 0)
+ if (GetAlgoId(cert->source, &cert->srcIdx,
+ &cert->keyOID, keyType, cert->maxIdx) < 0)
return ASN_PARSE_E;
switch (cert->keyOID) {
@@ -1977,18 +2438,12 @@ static int GetKey(DecodedCert* cert)
#ifdef HAVE_ECC
case ECDSAk:
{
- int oidSz = 0;
- byte b = cert->source[cert->srcIdx++];
+ byte b;
- if (b != ASN_OBJECT_ID)
- return ASN_OBJECT_ID_E;
-
- if (GetLength(cert->source,&cert->srcIdx,&oidSz,cert->maxIdx) < 0)
+ if (GetObjectId(cert->source, &cert->srcIdx,
+ &cert->pkCurveOID, curveType, cert->maxIdx) < 0)
return ASN_PARSE_E;
- while(oidSz--)
- cert->pkCurveOID += cert->source[cert->srcIdx++];
-
if (CheckCurve(cert->pkCurveOID) < 0)
return ECC_CURVE_OID_E;
@@ -2334,6 +2789,7 @@ static int GetName(DecodedCert* cert, int nameType)
cert->heap, DYNAMIC_TYPE_ALTNAME);
if (emailName->name == NULL) {
WOLFSSL_MSG("\tOut of Memory");
+ XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME);
return MEMORY_E;
}
XMEMCPY(emailName->name,
@@ -2550,8 +3006,11 @@ int ValidateDate(const byte* date, byte format, int dateType)
struct tm* localTime;
struct tm* tmpTime = NULL;
int i = 0;
+ int timeDiff = 0 ;
+ int diffHH = 0 ; int diffMM = 0 ;
+ int diffSign = 0 ;
-#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES)
+#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) || defined(NEED_TMP_TIME)
struct tm tmpTimeStorage;
tmpTime = &tmpTimeStorage;
#else
@@ -2580,11 +3039,18 @@ int ValidateDate(const byte* date, byte format, int dateType)
GetTime((int*)&certTime.tm_min, date, &i);
GetTime((int*)&certTime.tm_sec, date, &i);
- if (date[i] != 'Z') { /* only Zulu supported for this profile */
- WOLFSSL_MSG("Only Zulu time supported for this profile");
+ if ((date[i] == '+') || (date[i] == '-')) {
+ WOLFSSL_MSG("Using time differential, not Zulu") ;
+ diffSign = date[i++] == '+' ? 1 : -1 ;
+ GetTime(&diffHH, date, &i);
+ GetTime(&diffMM, date, &i);
+ timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ;
+ } else if (date[i] != 'Z') {
+ WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ;
return 0;
}
+ ltime -= (time_t)timeDiff ;
localTime = XGMTIME(<ime, tmpTime);
if (localTime == NULL) {
@@ -2680,7 +3146,7 @@ int DecodeToKey(DecodedCert* cert, int verify)
WOLFSSL_MSG("Got Cert Header");
if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID,
- cert->maxIdx)) < 0)
+ sigType, cert->maxIdx)) < 0)
return ret;
WOLFSSL_MSG("Got Algo ID");
@@ -2906,216 +3372,35 @@ static int SetCurve(ecc_key* key, byte* output)
WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
{
- /* adding TAG_NULL and 0 to end */
-
- /* hashTypes */
- static const byte shaAlgoID[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a,
- 0x05, 0x00 };
- static const byte sha256AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
- 0x04, 0x02, 0x01, 0x05, 0x00 };
- static const byte sha384AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
- 0x04, 0x02, 0x02, 0x05, 0x00 };
- static const byte sha512AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
- 0x04, 0x02, 0x03, 0x05, 0x00 };
- static const byte md5AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
- 0x02, 0x05, 0x05, 0x00 };
- static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
- 0x02, 0x02, 0x05, 0x00};
-
- /* blkTypes, no NULL tags because IV is there instead */
- static const byte desCbcAlgoID[] = { 0x2B, 0x0E, 0x03, 0x02, 0x07 };
- static const byte des3CbcAlgoID[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
- 0x0D, 0x03, 0x07 };
-
- /* RSA sigTypes */
- #ifndef NO_RSA
- static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
- 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00};
- static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
- 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00};
- static const byte sha256wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
- 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00};
- static const byte sha384wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
- 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00};
- static const byte sha512wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7,
- 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00};
- #endif /* NO_RSA */
-
- /* ECDSA sigTypes */
- #ifdef HAVE_ECC
- static const byte shawECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
- 0x04, 0x01, 0x05, 0x00};
- static const byte sha256wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
- 0x04, 0x03, 0x02, 0x05, 0x00};
- static const byte sha384wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
- 0x04, 0x03, 0x03, 0x05, 0x00};
- static const byte sha512wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d,
- 0x04, 0x03, 0x04, 0x05, 0x00};
- #endif /* HAVE_ECC */
-
- /* RSA keyType */
- #ifndef NO_RSA
- static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
- 0x01, 0x01, 0x01, 0x05, 0x00};
- #endif /* NO_RSA */
-
- #ifdef HAVE_ECC
- /* ECC keyType */
- /* no tags, so set tagSz smaller later */
- static const byte ECC_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d,
- 0x02, 0x01};
- #endif /* HAVE_ECC */
-
- int algoSz = 0;
- int tagSz = 2; /* tag null and terminator */
- word32 idSz, seqSz;
+ word32 tagSz, idSz, seqSz, algoSz = 0;
const byte* algoName = 0;
- byte ID_Length[MAX_LENGTH_SZ];
- byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */
+ byte ID_Length[MAX_LENGTH_SZ];
+ byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */
- if (type == hashType) {
- switch (algoOID) {
- case SHAh:
- algoSz = sizeof(shaAlgoID);
- algoName = shaAlgoID;
- break;
+ tagSz = (type == hashType || type == sigType ||
+ (type == keyType && algoOID == RSAk)) ? 2 : 0;
- case SHA256h:
- algoSz = sizeof(sha256AlgoID);
- algoName = sha256AlgoID;
- break;
+ algoName = OidFromId(algoOID, type, &algoSz);
- case SHA384h:
- algoSz = sizeof(sha384AlgoID);
- algoName = sha384AlgoID;
- break;
-
- case SHA512h:
- algoSz = sizeof(sha512AlgoID);
- algoName = sha512AlgoID;
- break;
-
- case MD2h:
- algoSz = sizeof(md2AlgoID);
- algoName = md2AlgoID;
- break;
-
- case MD5h:
- algoSz = sizeof(md5AlgoID);
- algoName = md5AlgoID;
- break;
-
- default:
- WOLFSSL_MSG("Unknown Hash Algo");
- return 0; /* UNKOWN_HASH_E; */
- }
- }
- else if (type == blkType) {
- switch (algoOID) {
- case DESb:
- algoSz = sizeof(desCbcAlgoID);
- algoName = desCbcAlgoID;
- tagSz = 0;
- break;
- case DES3b:
- algoSz = sizeof(des3CbcAlgoID);
- algoName = des3CbcAlgoID;
- tagSz = 0;
- break;
- default:
- WOLFSSL_MSG("Unknown Block Algo");
- return 0;
- }
- }
- else if (type == sigType) { /* sigType */
- switch (algoOID) {
- #ifndef NO_RSA
- case CTC_MD5wRSA:
- algoSz = sizeof(md5wRSA_AlgoID);
- algoName = md5wRSA_AlgoID;
- break;
-
- case CTC_SHAwRSA:
- algoSz = sizeof(shawRSA_AlgoID);
- algoName = shawRSA_AlgoID;
- break;
-
- case CTC_SHA256wRSA:
- algoSz = sizeof(sha256wRSA_AlgoID);
- algoName = sha256wRSA_AlgoID;
- break;
-
- case CTC_SHA384wRSA:
- algoSz = sizeof(sha384wRSA_AlgoID);
- algoName = sha384wRSA_AlgoID;
- break;
-
- case CTC_SHA512wRSA:
- algoSz = sizeof(sha512wRSA_AlgoID);
- algoName = sha512wRSA_AlgoID;
- break;
- #endif /* NO_RSA */
- #ifdef HAVE_ECC
- case CTC_SHAwECDSA:
- algoSz = sizeof(shawECDSA_AlgoID);
- algoName = shawECDSA_AlgoID;
- break;
-
- case CTC_SHA256wECDSA:
- algoSz = sizeof(sha256wECDSA_AlgoID);
- algoName = sha256wECDSA_AlgoID;
- break;
-
- case CTC_SHA384wECDSA:
- algoSz = sizeof(sha384wECDSA_AlgoID);
- algoName = sha384wECDSA_AlgoID;
- break;
-
- case CTC_SHA512wECDSA:
- algoSz = sizeof(sha512wECDSA_AlgoID);
- algoName = sha512wECDSA_AlgoID;
- break;
- #endif /* HAVE_ECC */
- default:
- WOLFSSL_MSG("Unknown Signature Algo");
- return 0;
- }
- }
- else if (type == keyType) { /* keyType */
- switch (algoOID) {
- #ifndef NO_RSA
- case RSAk:
- algoSz = sizeof(RSA_AlgoID);
- algoName = RSA_AlgoID;
- break;
- #endif /* NO_RSA */
- #ifdef HAVE_ECC
- case ECDSAk:
- algoSz = sizeof(ECC_AlgoID);
- algoName = ECC_AlgoID;
- tagSz = 0;
- break;
- #endif /* HAVE_ECC */
- default:
- WOLFSSL_MSG("Unknown Key Algo");
- return 0;
- }
- }
- else {
- WOLFSSL_MSG("Unknown Algo type");
+ if (algoName == NULL) {
+ WOLFSSL_MSG("Unknown Algorithm");
return 0;
}
- idSz = SetLength(algoSz - tagSz, ID_Length); /* don't include tags */
- seqSz = SetSequence(idSz + algoSz + 1 + curveSz, seqArray);
+ idSz = SetLength(algoSz, ID_Length);
+ seqSz = SetSequence(idSz + algoSz + 1 + tagSz + curveSz, seqArray);
/* +1 for object id, curveID of curveSz follows for ecc */
seqArray[seqSz++] = ASN_OBJECT_ID;
XMEMCPY(output, seqArray, seqSz);
XMEMCPY(output + seqSz, ID_Length, idSz);
XMEMCPY(output + seqSz + idSz, algoName, algoSz);
+ if (tagSz == 2) {
+ output[seqSz + idSz + algoSz] = ASN_TAG_NULL;
+ output[seqSz + idSz + algoSz + 1] = 0;
+ }
- return seqSz + idSz + algoSz;
+ return seqSz + idSz + algoSz + tagSz;
}
@@ -3702,7 +3987,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
/* Consume the rest of this sequence. */
length -= (strLen + idx - lenStartIdx);
- if (GetObjectId(input, &idx, &oid, sz) < 0) {
+ if (GetObjectId(input, &idx, &oid, certAltNameType, sz) < 0) {
WOLFSSL_MSG("\tbad OID");
return ASN_PARSE_E;
}
@@ -3737,7 +4022,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
return ASN_PARSE_E;
}
- cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0);
+ cert->hwType = (byte*)XMALLOC(strLen, cert->heap,
+ DYNAMIC_TYPE_X509_EXT);
if (cert->hwType == NULL) {
WOLFSSL_MSG("\tOut of Memory");
return MEMORY_E;
@@ -3757,7 +4043,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert)
return ASN_PARSE_E;
}
- cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0);
+ cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap,
+ DYNAMIC_TYPE_X509_EXT);
if (cert->hwSerialNum == NULL) {
WOLFSSL_MSG("\tOut of Memory");
return MEMORY_E;
@@ -3951,7 +4238,7 @@ static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
return ASN_PARSE_E;
oid = 0;
- if (GetObjectId(input, &idx, &oid, sz) < 0)
+ if (GetObjectId(input, &idx, &oid, certAuthInfoType, sz) < 0)
return ASN_PARSE_E;
/* Only supporting URIs right now. */
@@ -4097,7 +4384,7 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert)
#endif
while (idx < (word32)sz) {
- if (GetObjectId(input, &idx, &oid, sz) < 0)
+ if (GetObjectId(input, &idx, &oid, certKeyUseType, sz) < 0)
return ASN_PARSE_E;
switch (oid) {
@@ -4163,6 +4450,7 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap)
entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME);
if (entry->name == NULL) {
WOLFSSL_MSG("allocate error");
+ XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME);
return MEMORY_E;
}
@@ -4340,7 +4628,8 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
if (length > 0) {
#if defined(WOLFSSL_SEP)
- cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0);
+ cert->deviceType = (byte*)XMALLOC(length, cert->heap,
+ DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType == NULL) {
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
return MEMORY_E;
@@ -4436,7 +4725,7 @@ static int DecodeCertExtensions(DecodedCert* cert)
}
oid = 0;
- if (GetObjectId(input, &idx, &oid, sz) < 0) {
+ if (GetObjectId(input, &idx, &oid, certExtType, sz) < 0) {
WOLFSSL_MSG("\tfail: OBJECT ID");
return ASN_PARSE_E;
}
@@ -4685,7 +4974,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)
}
if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID,
- cert->maxIdx)) < 0)
+ sigType, cert->maxIdx)) < 0)
return ret;
if ((ret = GetSignature(cert)) < 0)
@@ -5313,11 +5602,7 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
mp_int* keyInt = GetRsaInt(key, i);
/* leading zero */
- if ((mp_count_bits(keyInt) & 7) == 0 || mp_iszero(keyInt) == MP_YES)
- lbit = 1;
- else
- lbit = 0;
-
+ lbit = mp_leading_bit(keyInt);
rawLen = mp_unsigned_bin_size(keyInt) + lbit;
tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
@@ -5740,7 +6025,7 @@ static int SetValidity(byte* output, int daysValid)
struct tm* tmpTime = NULL;
struct tm local;
-#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES)
+#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) || defined(NEED_TMP_TIME)
/* for use with gmtime_r */
struct tm tmpTimeStorage;
tmpTime = &tmpTimeStorage;
@@ -7663,7 +7948,7 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz)
decoded->srcIdx = startIdx;
if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid,
- decoded->maxIdx) < 0) {
+ certExtType, decoded->maxIdx) < 0) {
ret = ASN_PARSE_E;
break;
}
@@ -8422,7 +8707,7 @@ static int DecodeSingleResponse(byte* source,
if (GetSequence(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
/* Skip the hash algorithm */
- if (GetAlgoId(source, &idx, &oid, size) < 0)
+ if (GetAlgoId(source, &idx, &oid, ignoreType, size) < 0)
return ASN_PARSE_E;
/* Save reference to the hash of CN */
if (source[idx++] != ASN_OCTET_STRING)
@@ -8501,6 +8786,8 @@ static int DecodeSingleResponse(byte* source,
if (GetBasicDate(source, &idx, cs->nextDate,
&cs->nextDateFormat, size) < 0)
return ASN_PARSE_E;
+ if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER))
+ return ASN_AFTER_DATE_E;
}
if (((int)(idx - prevIndex) < wrapperSz) &&
(source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1)))
@@ -8542,7 +8829,7 @@ static int DecodeOcspRespExtensions(byte* source,
}
oid = 0;
- if (GetObjectId(source, &idx, &oid, sz) < 0) {
+ if (GetObjectId(source, &idx, &oid, ocspType, sz) < 0) {
WOLFSSL_MSG("\tfail: OBJECT ID");
return ASN_PARSE_E;
}
@@ -8565,6 +8852,17 @@ static int DecodeOcspRespExtensions(byte* source,
}
if (oid == OCSP_NONCE_OID) {
+ /* get data inside extra OCTET_STRING */
+ if (source[idx++] != ASN_OCTET_STRING) {
+ WOLFSSL_MSG("\tfail: should be an OCTET STRING");
+ return ASN_PARSE_E;
+ }
+
+ if (GetLength(source, &idx, &length, sz) < 0) {
+ WOLFSSL_MSG("\tfail: extension data length");
+ return ASN_PARSE_E;
+ }
+
resp->nonce = source + idx;
resp->nonceSz = length;
}
@@ -8624,8 +8922,13 @@ static int DecodeResponseData(byte* source,
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
- if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
- return ASN_PARSE_E;
+ /*
+ * Check the length of the ResponseData against the current index to
+ * see if there are extensions, they are optional.
+ */
+ if (idx - prev_idx < resp->responseSz)
+ if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
+ return ASN_PARSE_E;
*ioIndex = idx;
return 0;
@@ -8658,12 +8961,13 @@ static int DecodeCerts(byte* source,
return 0;
}
-static int DecodeBasicOcspResponse(byte* source,
- word32* ioIndex, OcspResponse* resp, word32 size)
+static int DecodeBasicOcspResponse(byte* source, word32* ioIndex,
+ OcspResponse* resp, word32 size, void* cm)
{
int length;
word32 idx = *ioIndex;
word32 end_index;
+ int ret = -1;
WOLFSSL_ENTER("DecodeBasicOcspResponse");
@@ -8678,7 +8982,7 @@ static int DecodeBasicOcspResponse(byte* source,
return ASN_PARSE_E;
/* Get the signature algorithm */
- if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0)
+ if (GetAlgoId(source, &idx, &resp->sigOID, sigType, size) < 0)
return ASN_PARSE_E;
/* Obtain pointer to the start of the signature, and save the size */
@@ -8699,13 +9003,12 @@ static int DecodeBasicOcspResponse(byte* source,
if (idx < end_index)
{
DecodedCert cert;
- int ret;
if (DecodeCerts(source, &idx, resp, size) < 0)
return ASN_PARSE_E;
InitDecodedCert(&cert, resp->cert, resp->certSz, 0);
- ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0);
+ ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm);
if (ret < 0)
return ret;
@@ -8720,6 +9023,16 @@ static int DecodeBasicOcspResponse(byte* source,
return ASN_OCSP_CONFIRM_E;
}
}
+ else {
+ Signer* ca = GetCA(cm, resp->issuerHash);
+
+ if (!ca || !ConfirmSignature(resp->response, resp->responseSz,
+ ca->publicKey, ca->pubKeySize, ca->keyOID,
+ resp->sig, resp->sigSz, resp->sigOID, NULL)) {
+ WOLFSSL_MSG("\tOCSP Confirm signature failed");
+ return ASN_OCSP_CONFIRM_E;
+ }
+ }
*ioIndex = idx;
return 0;
@@ -8731,24 +9044,17 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status,
{
WOLFSSL_ENTER("InitOcspResponse");
+ XMEMSET(status, 0, sizeof(CertStatus));
+ XMEMSET(resp, 0, sizeof(OcspResponse));
+
resp->responseStatus = -1;
- resp->response = NULL;
- resp->responseSz = 0;
- resp->producedDateFormat = 0;
- resp->issuerHash = NULL;
- resp->issuerKeyHash = NULL;
- resp->sig = NULL;
- resp->sigSz = 0;
- resp->sigOID = 0;
- resp->status = status;
- resp->nonce = NULL;
- resp->nonceSz = 0;
- resp->source = source;
- resp->maxIdx = inSz;
+ resp->status = status;
+ resp->source = source;
+ resp->maxIdx = inSz;
}
-int OcspResponseDecode(OcspResponse* resp)
+int OcspResponseDecode(OcspResponse* resp, void* cm)
{
int length = 0;
word32 idx = 0;
@@ -8782,7 +9088,7 @@ int OcspResponseDecode(OcspResponse* resp)
return ASN_PARSE_E;
/* Check ObjectID for the resposeBytes */
- if (GetObjectId(source, &idx, &oid, size) < 0)
+ if (GetObjectId(source, &idx, &oid, ocspType, size) < 0)
return ASN_PARSE_E;
if (oid != OCSP_BASIC_OID)
return ASN_PARSE_E;
@@ -8792,67 +9098,68 @@ int OcspResponseDecode(OcspResponse* resp)
if (GetLength(source, &idx, &length, size) < 0)
return ASN_PARSE_E;
- if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
+ if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0)
return ASN_PARSE_E;
return 0;
}
-static word32 SetOcspReqExtensions(word32 extSz, byte* output,
- const byte* nonce, word32 nonceSz)
+word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size)
{
static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07,
0x30, 0x01, 0x02 };
- byte seqArray[5][MAX_SEQ_SZ];
- word32 seqSz[5], totalSz;
+ byte seqArray[6][MAX_SEQ_SZ];
+ word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId);
WOLFSSL_ENTER("SetOcspReqExtensions");
- if (nonce == NULL || nonceSz == 0) return 0;
+ if (!req || !output || !req->nonceSz)
+ return 0;
- seqArray[0][0] = ASN_OCTET_STRING;
- seqSz[0] = 1 + SetLength(nonceSz, &seqArray[0][1]);
+ totalSz += req->nonceSz;
+ totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]);
+ totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]);
+ seqArray[2][0] = ASN_OBJECT_ID;
+ totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]);
+ totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]);
+ totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]);
+ totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]);
- seqArray[1][0] = ASN_OBJECT_ID;
- seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]);
+ if (totalSz > size)
+ return 0;
- totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId);
+ totalSz = 0;
- seqSz[2] = SetSequence(totalSz, seqArray[2]);
- totalSz += seqSz[2];
+ XMEMCPY(output + totalSz, seqArray[5], seqSz[5]);
+ totalSz += seqSz[5];
- seqSz[3] = SetSequence(totalSz, seqArray[3]);
- totalSz += seqSz[3];
-
- seqArray[4][0] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2);
- seqSz[4] = 1 + SetLength(totalSz, &seqArray[4][1]);
+ XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
totalSz += seqSz[4];
- if (totalSz < extSz)
- {
- totalSz = 0;
- XMEMCPY(output + totalSz, seqArray[4], seqSz[4]);
- totalSz += seqSz[4];
- XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
- totalSz += seqSz[3];
- XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
- totalSz += seqSz[2];
- XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
- totalSz += seqSz[1];
- XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
- totalSz += (word32)sizeof(NonceObjId);
- XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
- totalSz += seqSz[0];
- XMEMCPY(output + totalSz, nonce, nonceSz);
- totalSz += nonceSz;
- }
+ XMEMCPY(output + totalSz, seqArray[3], seqSz[3]);
+ totalSz += seqSz[3];
+
+ XMEMCPY(output + totalSz, seqArray[2], seqSz[2]);
+ totalSz += seqSz[2];
+
+ XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId));
+ totalSz += (word32)sizeof(NonceObjId);
+
+ XMEMCPY(output + totalSz, seqArray[1], seqSz[1]);
+ totalSz += seqSz[1];
+
+ XMEMCPY(output + totalSz, seqArray[0], seqSz[0]);
+ totalSz += seqSz[0];
+
+ XMEMCPY(output + totalSz, req->nonce, req->nonceSz);
+ totalSz += req->nonceSz;
return totalSz;
}
-int EncodeOcspRequest(OcspRequest* req)
+int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size)
{
byte seqArray[5][MAX_SEQ_SZ];
/* The ASN.1 of the OCSP Request is an onion of sequences */
@@ -8861,7 +9168,6 @@ int EncodeOcspRequest(OcspRequest* req)
byte issuerKeyArray[MAX_ENCODED_DIG_SZ];
byte snArray[MAX_SN_SZ];
byte extArray[MAX_OCSP_EXT_SZ];
- byte* output = req->dest;
word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz;
int i;
@@ -8873,54 +9179,42 @@ int EncodeOcspRequest(OcspRequest* req)
algoSz = SetAlgoID(SHAh, algoArray, hashType, 0);
#endif
- req->issuerHash = req->cert->issuerHash;
- issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray);
+ issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray);
+ issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray);
+ snSz = SetSerialNumber(req->serial, req->serialSz, snArray);
+ extSz = 0;
- req->issuerKeyHash = req->cert->issuerKeyHash;
- issuerKeySz = SetDigest(req->cert->issuerKeyHash,
- KEYID_SIZE, issuerKeyArray);
-
- req->serial = req->cert->serial;
- req->serialSz = req->cert->serialSz;
- snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray);
-
- extSz = 0;
- if (req->useNonce) {
- WC_RNG rng;
- if (wc_InitRng(&rng) != 0) {
- WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
- } else {
- if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
- WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
- else {
- req->nonceSz = MAX_OCSP_NONCE_SZ;
- extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray,
- req->nonce, req->nonceSz);
- }
- wc_FreeRng(&rng);
- }
- }
+ if (req->nonceSz)
+ extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ);
totalSz = algoSz + issuerSz + issuerKeySz + snSz;
-
for (i = 4; i >= 0; i--) {
seqSz[i] = SetSequence(totalSz, seqArray[i]);
totalSz += seqSz[i];
if (i == 2) totalSz += extSz;
}
+
+ if (totalSz > size)
+ return BUFFER_E;
+
totalSz = 0;
for (i = 0; i < 5; i++) {
XMEMCPY(output + totalSz, seqArray[i], seqSz[i]);
totalSz += seqSz[i];
}
+
XMEMCPY(output + totalSz, algoArray, algoSz);
totalSz += algoSz;
+
XMEMCPY(output + totalSz, issuerArray, issuerSz);
totalSz += issuerSz;
+
XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz);
totalSz += issuerKeySz;
+
XMEMCPY(output + totalSz, snArray, snSz);
totalSz += snSz;
+
if (extSz != 0) {
XMEMCPY(output + totalSz, extArray, extSz);
totalSz += extSz;
@@ -8930,19 +9224,70 @@ int EncodeOcspRequest(OcspRequest* req)
}
-void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce,
- byte* dest, word32 destSz)
+int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce)
{
WOLFSSL_ENTER("InitOcspRequest");
- req->cert = cert;
- req->useNonce = useNonce;
- req->nonceSz = 0;
- req->issuerHash = NULL;
- req->issuerKeyHash = NULL;
- req->serial = NULL;
- req->dest = dest;
- req->destSz = destSz;
+ if (req == NULL)
+ return BAD_FUNC_ARG;
+
+ ForceZero(req, sizeof(OcspRequest));
+
+ if (cert) {
+ XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE);
+ XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE);
+
+ req->serial = (byte*)XMALLOC(cert->serialSz, NULL,
+ DYNAMIC_TYPE_OCSP_REQUEST);
+ if (req->serial == NULL)
+ return MEMORY_E;
+
+ XMEMCPY(req->serial, cert->serial, cert->serialSz);
+ req->serialSz = cert->serialSz;
+
+ if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) {
+ req->url = (byte*)XMALLOC(cert->extAuthInfoSz, NULL,
+ DYNAMIC_TYPE_OCSP_REQUEST);
+ if (req->url == NULL) {
+ XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP);
+ return MEMORY_E;
+ }
+
+ XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz);
+ req->urlSz = cert->extAuthInfoSz;
+ }
+
+ }
+
+ if (useNonce) {
+ WC_RNG rng;
+
+ if (wc_InitRng(&rng) != 0) {
+ WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce.");
+ } else {
+ if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0)
+ WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce.");
+ else
+ req->nonceSz = MAX_OCSP_NONCE_SZ;
+
+ wc_FreeRng(&rng);
+ }
+ }
+
+ return 0;
+}
+
+void FreeOcspRequest(OcspRequest* req)
+{
+ WOLFSSL_ENTER("FreeOcspRequest");
+
+ if (req) {
+ if (req->serial)
+ XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+
+ if (req->url)
+ XFREE(req->url, NULL, DYNAMIC_TYPE_OCSP_REQUEST);
+ }
}
@@ -8966,7 +9311,7 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
/* Nonces are not critical. The responder may not necessarily add
* the nonce to the response. */
- if (req->useNonce && resp->nonceSz != 0) {
+ if (req->nonceSz && resp->nonceSz != 0) {
cmp = req->nonceSz - resp->nonceSz;
if (cmp != 0)
{
@@ -9221,7 +9566,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
return ASN_PARSE_E;
}
- if (GetAlgoId(buff, &idx, &oid, sz) < 0)
+ if (GetAlgoId(buff, &idx, &oid, ignoreType, sz) < 0)
return ASN_PARSE_E;
if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
@@ -9265,7 +9610,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
if (idx != dcrl->sigIndex)
idx = dcrl->sigIndex; /* skip extensions */
- if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0)
+ if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sigType, sz) < 0)
return ASN_PARSE_E;
if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
@@ -9316,4 +9661,3 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm)
#endif /* WOLFSSL_SEP */
-
diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index ef92b00ef..a88d765f4 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -3254,7 +3254,7 @@ int wc_ecc_sig_size(ecc_key* key)
if (sz <= 0)
return sz;
- return sz * 2 + SIG_HEADER_SZ + 4; /* (4) worst case estimate */
+ return (sz * 2) + SIG_HEADER_SZ + ECC_MAX_PAD_SZ;
}
@@ -4192,7 +4192,8 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus,
}
if (err == MP_OKAY) {
- z = 0;
+ z = 0; /* mp_to_unsigned_bin != MP_OKAY z will be declared/not set */
+ (void) z; /* Acknowledge the unused assignment */
ForceZero(kb, KB_SIZE);
/* map R back from projective space */
if (map) {
@@ -4450,6 +4451,9 @@ static int accel_fp_mul2add(int idx1, int idx2,
#undef KB_SIZE
+ if (err != MP_OKAY)
+ return err;
+
return ecc_map(R, modulus, mp);
}
diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c
index 2e5f6545e..ef4510f42 100644
--- a/wolfcrypt/src/ed25519.c
+++ b/wolfcrypt/src/ed25519.c
@@ -171,6 +171,7 @@ int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out,
msg the array of bytes containing the message
msglen length of msg array
stat will be 1 on successful verify and 0 on unsuccessful
+ return 0 and stat of 1 on success
*/
int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg,
word32 msglen, int* stat, ed25519_key* key)
@@ -229,7 +230,7 @@ int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg,
/* comparison of R created to R in sig */
ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2);
if (ret != 0)
- return ret;
+ return SIG_VERIFY_E;
/* set the verification status */
*stat = 1;
diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c
index 37b78422a..dd570a31a 100644
--- a/wolfcrypt/src/error.c
+++ b/wolfcrypt/src/error.c
@@ -337,6 +337,36 @@ const char* wc_GetErrorString(int error)
case SRP_BAD_KEY_E:
return "SRP bad key values error";
+ case ASN_NO_SKID:
+ return "ASN no Subject Key Identifier found error";
+
+ case ASN_NO_AKID:
+ return "ASN no Authority Key Identifier found error";
+
+ case ASN_NO_KEYUSAGE:
+ return "ASN no Key Usage found error";
+
+ case SKID_E:
+ return "Setting Subject Key Identifier error";
+
+ case AKID_E:
+ return "Setting Authority Key Identifier error";
+
+ case KEYUSAGE_E:
+ return "Bad Key Usage value error";
+
+ case CERTPOLICIES_E:
+ return "Setting Certificate Policies error";
+
+ case WC_INIT_E:
+ return "wolfCrypt Initialize Failure error";
+
+ case SIG_VERIFY_E:
+ return "Signature verify error";
+
+ case BAD_COND_E:
+ return "Bad condition variable operation error";
+
default:
return "unknown error number";
diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c
index 58fce69f8..3096ec7bd 100644
--- a/wolfcrypt/src/hash.c
+++ b/wolfcrypt/src/hash.c
@@ -27,10 +27,122 @@
#include
#include
-#if !defined(WOLFSSL_TI_HASH)
-
#include
+
+/* Get Hash digest size */
+int wc_HashGetDigestSize(enum wc_HashType hash_type)
+{
+ int dig_size = BAD_FUNC_ARG;
+ switch(hash_type)
+ {
+#ifndef NO_MD5
+ case WC_HASH_TYPE_MD5:
+ dig_size = MD5_DIGEST_SIZE;
+ break;
+#endif
+#ifndef NO_SHA
+ case WC_HASH_TYPE_SHA:
+ dig_size = SHA_DIGEST_SIZE;
+ break;
+#endif
+#ifndef NO_SHA256
+ case WC_HASH_TYPE_SHA256:
+ dig_size = SHA256_DIGEST_SIZE;
+ break;
+#endif
+#ifdef WOLFSSL_SHA512
+#ifdef WOLFSSL_SHA384
+ case WC_HASH_TYPE_SHA384:
+ dig_size = SHA384_DIGEST_SIZE;
+ break;
+#endif /* WOLFSSL_SHA384 */
+ case WC_HASH_TYPE_SHA512:
+ dig_size = SHA512_DIGEST_SIZE;
+ break;
+#endif /* WOLFSSL_SHA512 */
+
+ /* Not Supported */
+#ifdef WOLFSSL_MD2
+ case WC_HASH_TYPE_MD2:
+#endif
+#ifndef NO_MD4
+ case WC_HASH_TYPE_MD4:
+#endif
+ case WC_HASH_TYPE_NONE:
+ default:
+ dig_size = BAD_FUNC_ARG;
+ break;
+ }
+ return dig_size;
+}
+
+/* Generic Hashing Wrapper */
+int wc_Hash(enum wc_HashType hash_type, const byte* data,
+ word32 data_len, byte* hash, word32 hash_len)
+{
+ int ret = BAD_FUNC_ARG;
+ word32 dig_size;
+
+ /* Validate hash buffer size */
+ dig_size = wc_HashGetDigestSize(hash_type);
+ if (hash_len < dig_size) {
+ return BUFFER_E;
+ }
+
+ /* Supress possible unused arg if all hashing is disabled */
+ (void)data;
+ (void)data_len;
+ (void)hash;
+ (void)hash_len;
+
+ switch(hash_type)
+ {
+#ifndef NO_MD5
+ case WC_HASH_TYPE_MD5:
+ ret = wc_Md5Hash(data, data_len, hash);
+ break;
+#endif
+#ifndef NO_SHA
+ case WC_HASH_TYPE_SHA:
+ ret = wc_ShaHash(data, data_len, hash);
+ break;
+#endif
+#ifndef NO_SHA256
+ case WC_HASH_TYPE_SHA256:
+ ret = wc_Sha256Hash(data, data_len, hash);
+ break;
+#endif
+#ifdef WOLFSSL_SHA512
+#ifdef WOLFSSL_SHA384
+ case WC_HASH_TYPE_SHA384:
+ ret = wc_Sha384Hash(data, data_len, hash);
+ break;
+#endif /* WOLFSSL_SHA384 */
+ case WC_HASH_TYPE_SHA512:
+ ret = wc_Sha512Hash(data, data_len, hash);
+ break;
+#endif /* WOLFSSL_SHA512 */
+
+ /* Not Supported */
+#ifdef WOLFSSL_MD2
+ case WC_HASH_TYPE_MD2:
+#endif
+#ifndef NO_MD4
+ case WC_HASH_TYPE_MD4:
+#endif
+ case WC_HASH_TYPE_NONE:
+ default:
+ WOLFSSL_MSG("wc_Hash: Bad hash type");
+ ret = BAD_FUNC_ARG;
+ break;
+ }
+ return ret;
+}
+
+
+#if !defined(WOLFSSL_TI_HASH)
+
#if !defined(NO_MD5)
void wc_Md5GetHash(Md5* md5, byte* hash)
{
@@ -55,7 +167,7 @@ int wc_ShaGetHash(Sha* sha, byte* hash)
return ret ;
}
-WOLFSSL_API void wc_ShaRestorePos(Sha* s1, Sha* s2) {
+void wc_ShaRestorePos(Sha* s1, Sha* s2) {
*s1 = *s2 ;
}
@@ -102,7 +214,7 @@ int wc_Sha256GetHash(Sha256* sha256, byte* hash)
return ret ;
}
-WOLFSSL_API void wc_Sha256RestorePos(Sha256* s1, Sha256* s2) {
+void wc_Sha256RestorePos(Sha256* s1, Sha256* s2) {
*s1 = *s2 ;
}
diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c
index aacbef88a..272f335d8 100644
--- a/wolfcrypt/src/hmac.c
+++ b/wolfcrypt/src/hmac.c
@@ -105,10 +105,10 @@ int wc_HKDF(int type, const byte* inKey, word32 inKeySz,
#ifdef HAVE_CAVIUM
- static void HmacCaviumFinal(Hmac* hmac, byte* hash);
- static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length);
- static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
- word32 length);
+ static int HmacCaviumFinal(Hmac* hmac, byte* hash);
+ static int HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length);
+ static int HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
+ word32 length);
#endif
static int InitHmac(Hmac* hmac, int type)
@@ -642,7 +642,7 @@ void wc_HmacFreeCavium(Hmac* hmac)
}
-static void HmacCaviumFinal(Hmac* hmac, byte* hash)
+static int HmacCaviumFinal(Hmac* hmac, byte* hash)
{
word32 requestId;
@@ -650,12 +650,15 @@ static void HmacCaviumFinal(Hmac* hmac, byte* hash)
(byte*)hmac->ipad, hmac->dataLen, hmac->data, hash, &requestId,
hmac->devId) != 0) {
WOLFSSL_MSG("Cavium Hmac failed");
+ return -1;
}
hmac->innerHashKeyed = 0; /* tell update to start over if used again */
+
+ return 0;
}
-static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
+static int HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
{
word16 add = (word16)length;
word32 total;
@@ -663,7 +666,7 @@ static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
if (length > WOLFSSL_MAX_16BIT) {
WOLFSSL_MSG("Too big msg for cavium hmac");
- return;
+ return -1;
}
if (hmac->innerHashKeyed == 0) { /* starting new */
@@ -674,13 +677,13 @@ static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
total = add + hmac->dataLen;
if (total > WOLFSSL_MAX_16BIT) {
WOLFSSL_MSG("Too big msg for cavium hmac");
- return;
+ return -1;
}
tmp = XMALLOC(hmac->dataLen + add, NULL,DYNAMIC_TYPE_CAVIUM_TMP);
if (tmp == NULL) {
WOLFSSL_MSG("Out of memory for cavium update");
- return;
+ return -1;
}
if (hmac->dataLen)
XMEMCPY(tmp, hmac->data, hmac->dataLen);
@@ -689,11 +692,13 @@ static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length)
hmac->dataLen += add;
XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP);
hmac->data = tmp;
+
+ return 0;
}
-static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
- word32 length)
+static int HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
+ word32 length)
{
hmac->macType = (byte)type;
if (type == MD5)
@@ -711,6 +716,8 @@ static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key,
hmac->keyLen = (word16)length;
/* store key in ipad */
XMEMCPY(hmac->ipad, key, length);
+
+ return 0;
}
#endif /* HAVE_CAVIUM */
diff --git a/wolfcrypt/src/idea.c b/wolfcrypt/src/idea.c
index d7ab766d7..712949698 100644
--- a/wolfcrypt/src/idea.c
+++ b/wolfcrypt/src/idea.c
@@ -48,7 +48,7 @@ static INLINE word16 idea_mult(word16 x, word16 y)
mul = (long)x * (long)y;
if (mul) {
- res = (mul & IDEA_MASK) - (mul >> 16);
+ res = (mul & IDEA_MASK) - ((word32)mul >> 16);
if (res <= 0)
res += IDEA_MODULO;
@@ -211,17 +211,17 @@ void wc_IdeaCipher(Idea *idea, byte* out, const byte* in)
x[3] = idea_mult(x[3], idea->skey[skey_idx++]);
t2 = x[0] ^ x[2];
- t2 = idea_mult(t2, idea->skey[skey_idx++]);
+ t2 = idea_mult((word16)t2, idea->skey[skey_idx++]);
t1 = (t2 + (x[1] ^ x[3])) & IDEA_MASK;
- t1 = idea_mult(t1, idea->skey[skey_idx++]);
+ t1 = idea_mult((word16)t1, idea->skey[skey_idx++]);
t2 = (t1 + t2) & IDEA_MASK;
x[0] ^= t1;
x[3] ^= t2;
t2 ^= x[1];
- x[1] = x[2] ^ t1;
- x[2] = t2;
+ x[1] = x[2] ^ (word16)t1;
+ x[2] = (word16)t2;
}
x[0] = idea_mult(x[0], idea->skey[skey_idx++]);
diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c
index fa967a6ef..a463cbdef 100644
--- a/wolfcrypt/src/integer.c
+++ b/wolfcrypt/src/integer.c
@@ -125,6 +125,10 @@ int mp_init (mp_int * a)
{
int i;
+ /* Safeguard against passing in a null pointer */
+ if (a == NULL)
+ return MP_VAL;
+
/* allocate memory required and clear it */
a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * MP_PREC, 0,
DYNAMIC_TYPE_BIGINT);
@@ -275,6 +279,10 @@ mp_copy (mp_int * a, mp_int * b)
{
int res, n;
+ /* Safeguard against passing in a null pointer */
+ if (a == NULL || b == NULL)
+ return MP_VAL;
+
/* if dst == src do nothing */
if (a == b) {
return MP_OKAY;
@@ -665,7 +673,7 @@ int mp_mul_2d (mp_int * a, int b, mp_int * c)
rr = (*tmpc >> shift) & mask;
/* shift the current word and OR in the carry */
- *tmpc = ((*tmpc << d) | r) & MP_MASK;
+ *tmpc = (mp_digit)(((*tmpc << d) | r) & MP_MASK);
++tmpc;
/* set the carry to the carry bits of the current word */
@@ -1262,7 +1270,7 @@ int mp_cmp_d(mp_int * a, mp_digit b)
void mp_set (mp_int * a, mp_digit b)
{
mp_zero (a);
- a->dp[0] = b & MP_MASK;
+ a->dp[0] = (mp_digit)(b & MP_MASK);
a->used = (a->dp[0] != 0) ? 1 : 0;
}
@@ -2089,7 +2097,7 @@ mp_montgomery_setup (mp_int * n, mp_digit * rho)
/* rho = -1/m mod b */
/* TAO, switched mp_word casts to mp_digit to shut up compiler */
- *rho = (((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK;
+ *rho = (mp_digit)((((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK);
return MP_OKAY;
}
@@ -2719,7 +2727,7 @@ int mp_mul_2(mp_int * a, mp_int * b)
rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1));
/* now shift up this digit, add in the carry [from the previous] */
- *tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK;
+ *tmpb++ = (mp_digit)(((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK);
/* copy the carry that would be from the source
* digit into the next iteration
@@ -2929,7 +2937,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b)
mp_digit *tmpb;
tmpb = b->dp;
for (ix = 0; ix < pa; ix++) {
- *tmpb++ = W[ix] & MP_MASK;
+ *tmpb++ = (mp_digit)(W[ix] & MP_MASK);
}
/* clear unused digits [that existed in the old copy of c] */
@@ -3018,7 +3026,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
}
/* store term */
- W[ix] = ((mp_digit)_W) & MP_MASK;
+ W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK);
/* make next carry */
_W = _W >> ((mp_word)DIGIT_BIT);
@@ -3741,7 +3749,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs)
}
/* store term */
- W[ix] = ((mp_digit)_W) & MP_MASK;
+ W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK);
/* make next carry */
_W = _W >> ((mp_word)DIGIT_BIT);
@@ -3828,7 +3836,8 @@ int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c)
#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(WOLFSSL_SNIFFER) || \
- defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN)
+ defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN) || \
+ defined(OPENSSL_EXTRA)
/* single digit addition */
int mp_add_d (mp_int* a, mp_digit b, mp_int* c)
diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c
index f2d155bb0..2156b1f43 100644
--- a/wolfcrypt/src/logging.c
+++ b/wolfcrypt/src/logging.c
@@ -119,6 +119,8 @@ static void wolfssl_log(const int logLevel, const char *const logMessage)
fflush(stdout) ;
printf("%s\n", logMessage);
fflush(stdout) ;
+#elif defined(WOLFSSL_LOG_PRINTF)
+ printf("%s\n", logMessage);
#else
fprintf(stderr, "%s\n", logMessage);
#endif
@@ -134,6 +136,44 @@ void WOLFSSL_MSG(const char* msg)
}
+void WOLFSSL_BUFFER(byte* buffer, word32 length)
+{
+ #define LINE_LEN 16
+
+ if (loggingEnabled) {
+ word32 i;
+ char line[80];
+
+ if (!buffer) {
+ wolfssl_log(INFO_LOG, "\tNULL");
+
+ return;
+ }
+
+ sprintf(line, "\t");
+
+ for (i = 0; i < LINE_LEN; i++) {
+ if (i < length)
+ sprintf(line + 1 + i * 3,"%02x ", buffer[i]);
+ else
+ sprintf(line + 1 + i * 3, " ");
+ }
+
+ sprintf(line + 1 + LINE_LEN * 3, "| ");
+
+ for (i = 0; i < LINE_LEN; i++)
+ if (i < length)
+ sprintf(line + 3 + LINE_LEN * 3 + i,
+ "%c", 31 < buffer[i] && buffer[i] < 127 ? buffer[i] : '.');
+
+ wolfssl_log(INFO_LOG, line);
+
+ if (length > LINE_LEN)
+ WOLFSSL_BUFFER(buffer + LINE_LEN, length - LINE_LEN);
+ }
+}
+
+
void WOLFSSL_ENTER(const char* msg)
{
if (loggingEnabled) {
diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c
index ed933a7df..314005b69 100644
--- a/wolfcrypt/src/pkcs7.c
+++ b/wolfcrypt/src/pkcs7.c
@@ -129,27 +129,10 @@ WOLFSSL_LOCAL int wc_SetContentType(int pkcs7TypeOID, byte* output)
int wc_GetContentType(const byte* input, word32* inOutIdx, word32* oid,
word32 maxIdx)
{
- int length;
- word32 i = *inOutIdx;
- byte b;
- *oid = 0;
-
WOLFSSL_ENTER("wc_GetContentType");
-
- b = input[i++];
- if (b != ASN_OBJECT_ID)
- return ASN_OBJECT_ID_E;
-
- if (GetLength(input, &i, &length, maxIdx) < 0)
+ if (GetObjectId(input, inOutIdx, oid, ignoreType, maxIdx) < 0)
return ASN_PARSE_E;
- while(length--) {
- *oid += input[i];
- i++;
- }
-
- *inOutIdx = i;
-
return 0;
}
@@ -1609,7 +1592,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
XFREE(serialNum, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
- if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) {
+ if (GetAlgoId(pkiMsg, &idx, &encOID, keyType, pkiMsgSz) < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
@@ -1670,7 +1653,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
return ASN_PARSE_E;
}
- if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) {
+ if (GetAlgoId(pkiMsg, &idx, &encOID, blkType, pkiMsgSz) < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
diff --git a/wolfcrypt/src/port/pic32/pic32mz-hash.c b/wolfcrypt/src/port/pic32/pic32mz-hash.c
index c293afacd..c2dbfcd43 100644
--- a/wolfcrypt/src/port/pic32/pic32mz-hash.c
+++ b/wolfcrypt/src/port/pic32/pic32mz-hash.c
@@ -72,7 +72,7 @@ static void reset_engine(pic32mz_desc *desc, int algo)
uc_desc->bd[i].NXTPTR = KVA_TO_PA(&uc_desc->bd[0]);
XMEMSET((void *)&dataBuffer[i], 0, PIC32_BLOCK_SIZE);
}
- uc_desc->bd[0].BD_CTRL.SA_FETCH_EN = 1; // Fetch the security association on the first BD
+ uc_desc->bd[0].BD_CTRL.SA_FETCH_EN = 1; /* Fetch the security association on the first BD */
desc->dbPtr = 0;
desc->currBd = 0;
desc->msgSize = 0;
@@ -86,49 +86,45 @@ static void reset_engine(pic32mz_desc *desc, int algo)
#define PIC32MZ_IF_RAM(addr) (KVA_TO_PA(addr) < 0x80000)
-static void update_data_size(pic32mz_desc *desc, word32 msgSize)
-{
- desc->msgSize = msgSize;
-}
-
-static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
+static void update_engine(pic32mz_desc *desc, const byte *input, word32 len,
word32 *hash)
{
int total ;
pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc);
uc_desc->bd[desc->currBd].UPDPTR = KVA_TO_PA(hash);
- // Add the data to the current buffer. If the buffer fills, start processing it
- // and fill the next one.
+ /* Add the data to the current buffer. If the buffer fills, start processing it
+ and fill the next one. */
while (len)
{
- // If the engine is processing the current BD, spin.
-// if (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN)
-// continue;
+ /* If the engine is processing the current BD, spin.
+ if (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN)
+ continue; */
if (desc->msgSize)
{
- // If we've been given the message size, we can process along the
- // way.
- // Enable the current buffer descriptor if it is full.
+ /* If we've been given the message size, we can process along the
+ way.
+ Enable the current buffer descriptor if it is full. */
if (desc->dbPtr >= PIC32_BLOCK_SIZE)
{
- // Wrap up the buffer descriptor and enable it so the engine can process
+ /* Wrap up the buffer descriptor and enable it so the engine can process */
uc_desc->bd[desc->currBd].MSGLEN = desc->msgSize;
uc_desc->bd[desc->currBd].BD_CTRL.BUFLEN = desc->dbPtr;
uc_desc->bd[desc->currBd].BD_CTRL.LAST_BD = 0;
uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 0;
- //SYS_DEVCON_DataCacheClean((word32)desc, sizeof(pic32mz_desc));
+ /* SYS_DEVCON_DataCacheClean((word32)desc, sizeof(pic32mz_desc)); */
uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN = 1;
- // Move to the next buffer descriptor, or wrap around.
+ /* Move to the next buffer descriptor, or wrap around. */
desc->currBd++;
if (desc->currBd >= PIC32MZ_MAX_BD)
desc->currBd = 0;
- // Wait until the engine has processed the new BD.
+ /* Wait until the engine has processed the new BD. */
while (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN);
uc_desc->bd[desc->currBd].UPDPTR = KVA_TO_PA(hash);
desc->dbPtr = 0;
}
- if (!PIC32MZ_IF_RAM(input)) // If we're inputting from flash, let the BD have the address and max the buffer size
+ if (!PIC32MZ_IF_RAM(input)) /* If we're inputting from flash, let the BD have
+ the address and max the buffer size */
{
uc_desc->bd[desc->currBd].SRCADDR = KVA_TO_PA(input);
total = (len > PIC32MZ_MAX_BLOCK ? PIC32MZ_MAX_BLOCK : len);
@@ -140,7 +136,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
{
if (len > PIC32_BLOCK_SIZE - desc->dbPtr)
{
- // We have more data than can be put in the buffer. Fill what we can.
+ /* We have more data than can be put in the buffer. Fill what we can.*/
total = PIC32_BLOCK_SIZE - desc->dbPtr;
XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, total);
len -= total;
@@ -149,7 +145,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
}
else
{
- // Fill up what we have, but don't turn on the engine.
+ /* Fill up what we have, but don't turn on the engine.*/
XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, len);
desc->dbPtr += len;
len = 0;
@@ -158,13 +154,13 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
}
else
{
- // We have to buffer everything and keep track of how much has been
- // added in order to get a total size. If the buffer fills, we move
- // to the next one. If we try to add more when the last buffer is
- // full, we error out.
+ /* We have to buffer everything and keep track of how much has been
+ added in order to get a total size. If the buffer fills, we move
+ to the next one. If we try to add more when the last buffer is
+ full, we error out. */
if (desc->dbPtr == PIC32_BLOCK_SIZE)
{
- // We filled the last BD buffer, so move on to the next one
+ /* We filled the last BD buffer, so move on to the next one */
uc_desc->bd[desc->currBd].BD_CTRL.LAST_BD = 0;
uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 0;
uc_desc->bd[desc->currBd].BD_CTRL.BUFLEN = PIC32_BLOCK_SIZE;
@@ -178,7 +174,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
}
if (len > PIC32_BLOCK_SIZE - desc->dbPtr)
{
- // We have more data than can be put in the buffer. Fill what we can.
+ /* We have more data than can be put in the buffer. Fill what we can. */
total = PIC32_BLOCK_SIZE - desc->dbPtr;
XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, total);
len -= total;
@@ -188,7 +184,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
}
else
{
- // Fill up what we have
+ /* Fill up what we have */
XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, len);
desc->dbPtr += len;
desc->processed += len;
@@ -199,7 +195,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len,
}
static void start_engine(pic32mz_desc *desc) {
- // Wrap up the last buffer descriptor and enable it
+ /* Wrap up the last buffer descriptor and enable it */
int i ;
int bufferLen ;
pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc);
@@ -212,8 +208,8 @@ static void start_engine(pic32mz_desc *desc) {
uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 1;
if (desc->msgSize == 0)
{
- // We were not given the size, so now we have to go through every BD
- // and give it what will be processed, and enable them.
+ /* We were not given the size, so now we have to go through every BD
+ and give it what will be processed, and enable them. */
for (i = desc->currBd; i >= 0; i--)
{
uc_desc->bd[i].MSGLEN = desc->processed;
@@ -251,17 +247,6 @@ void wait_engine(pic32mz_desc *desc, char *hash, int hash_sz) {
}
}
-static int fillBuff(char *buff, int *bufflen, const char *data, int len, int blocksz)
-{
- int room, copysz ;
-
- room = blocksz - *bufflen ;
- copysz = (len <= room) ? len : room ;
- XMEMCPY(buff, data, copysz) ;
- *bufflen += copysz ;
- return (*bufflen == blocksz) ? 1 : 0 ;
-}
-
#endif
#ifndef NO_MD5
diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c
index 4e194fef8..3571681db 100644
--- a/wolfcrypt/src/random.c
+++ b/wolfcrypt/src/random.c
@@ -32,6 +32,12 @@
#include
+#if defined(CUSTOM_RAND_GENERATE) && !defined(CUSTOM_RAND_TYPE)
+/* To maintain compatiblity the default return vaule from CUSTOM_RAND_GENERATE is byte */
+#define CUSTOM_RAND_TYPE byte
+#endif
+
+
#ifdef HAVE_FIPS
int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz)
{
@@ -973,8 +979,22 @@ static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz)
#endif /* HAVE_INTEL_RDGEN */
-#if defined(USE_WINDOWS_API)
+/* wc_GenerateSeed Implementations */
+#if defined(CUSTOM_RAND_GENERATE_SEED)
+ /* Implement your own random generation function
+ * Return 0 to indicate success
+ * int rand_gen_seed(byte* output, word32 sz);
+ * #define CUSTOM_RAND_GENERATE_SEED rand_gen_seed */
+
+ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
+ {
+ (void)os;
+ return CUSTOM_RAND_GENERATE_SEED(output, sz);
+ }
+
+
+#elif defined(USE_WINDOWS_API)
int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
{
@@ -1088,7 +1108,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
#elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) || \
defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS)
- #ifdef FREESCALE_K70_RNGA
+ #if defined(FREESCALE_K70_RNGA) || defined(FREESCALE_RNGA)
/*
* wc_Generates a RNG seed using the Random Number Generator Accelerator
* on the Kinetis K70. Documentation located in Chapter 37 of
@@ -1122,7 +1142,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
return 0;
}
- #elif defined(FREESCALE_K53_RNGB)
+ #elif defined(FREESCALE_K53_RNGB) || defined(FREESCALE_RNGB)
/*
* wc_Generates a RNG seed using the Random Number Generator (RNGB)
* on the Kinetis K53. Documentation located in Chapter 33 of
@@ -1165,7 +1185,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
{
TRNG_DRV_GetRandomData(TRNG_INSTANCE, output, sz);
- return(0);
+ return 0;
}
#else
@@ -1298,12 +1318,25 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
{
- word32 i;
+ word32 i = 0;
(void)os;
-
- for (i = 0; i < sz; i++ )
- output[i] = CUSTOM_RAND_GENERATE();
+
+ while (i < sz)
+ {
+ /* If not aligned or there is odd/remainder */
+ if( (i + sizeof(CUSTOM_RAND_TYPE)) > sz ||
+ ((wolfssl_word)&output[i] % sizeof(CUSTOM_RAND_TYPE)) != 0
+ ) {
+ /* Single byte at a time */
+ output[i++] = (byte)CUSTOM_RAND_GENERATE();
+ }
+ else {
+ /* Use native 8, 16, 32 or 64 copy instruction */
+ *((CUSTOM_RAND_TYPE*)&output[i]) = CUSTOM_RAND_GENERATE();
+ i += sizeof(CUSTOM_RAND_TYPE);
+ }
+ }
return 0;
}
diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c
index 6f4c3a595..5ca4a40c6 100644
--- a/wolfcrypt/src/rsa.c
+++ b/wolfcrypt/src/rsa.c
@@ -715,11 +715,11 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
#ifdef HAVE_CAVIUM
-#include
+#include
#include "cavium_common.h"
/* Initiliaze RSA for use with Nitrox device */
-int RsaInitCavium(RsaKey* rsa, int devId)
+int wc_RsaInitCavium(RsaKey* rsa, int devId)
{
if (rsa == NULL)
return -1;
diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c
new file mode 100644
index 000000000..bc1853052
--- /dev/null
+++ b/wolfcrypt/src/signature.c
@@ -0,0 +1,248 @@
+/* signature.c
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifdef HAVE_CONFIG_H
+ #include
+#endif
+
+#include
+#include
+#include
+#include
+
+#ifdef HAVE_ECC
+#include
+#endif
+#ifndef NO_RSA
+#include
+#endif
+
+/* If ECC and RSA are disabled then disable signature wrapper */
+#if !defined(HAVE_ECC) && defined(NO_RSA)
+#undef NO_SIG_WRAPPER
+#define NO_SIG_WRAPPER
+#endif
+
+/* Signature wrapper disabled check */
+#ifndef NO_SIG_WRAPPER
+
+int wc_SignatureGetSize(enum wc_SignatureType sig_type,
+ const void* key, word32 key_len)
+{
+ int sig_len = BAD_FUNC_ARG;
+
+ /* Supress possible unused args if all signature types are disabled */
+ (void)key;
+ (void)key_len;
+
+ switch(sig_type) {
+#ifdef HAVE_ECC
+ case WC_SIGNATURE_TYPE_ECC:
+ {
+ if (key_len >= sizeof(ecc_key)) {
+ sig_len = wc_ecc_sig_size((ecc_key*)key);
+ }
+ else {
+ WOLFSSL_MSG("wc_SignatureGetSize: Invalid ECC key size");
+ }
+ break;
+ }
+#endif
+#ifndef NO_RSA
+ case WC_SIGNATURE_TYPE_RSA:
+ if (key_len >= sizeof(RsaKey)) {
+ sig_len = wc_RsaEncryptSize((RsaKey*)key);
+ }
+ else {
+ WOLFSSL_MSG("wc_SignatureGetSize: Invalid RsaKey key size");
+ }
+ break;
+#endif
+
+ case WC_SIGNATURE_TYPE_NONE:
+ default:
+ break;
+ }
+ return sig_len;
+}
+
+int wc_SignatureVerify(
+ enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+ const byte* data, word32 data_len,
+ const byte* sig, word32 sig_len,
+ const void* key, word32 key_len)
+{
+ int ret, hash_len;
+ byte *hash_data = NULL;
+
+ /* Check arguments */
+ if (data == NULL || data_len <= 0 || sig == NULL || sig_len <= 0 ||
+ key == NULL || key_len <= 0) {
+ return BAD_FUNC_ARG;
+ }
+
+ /* Validate signature len (1 to max is okay) */
+ if ((int)sig_len > wc_SignatureGetSize(sig_type, key, key_len)) {
+ WOLFSSL_MSG("wc_SignatureVerify: Invalid sig type/len");
+ return BAD_FUNC_ARG;
+ }
+
+ /* Validate hash size */
+ hash_len = wc_HashGetDigestSize(hash_type);
+ if (hash_len <= 0) {
+ WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len");
+ return BAD_FUNC_ARG;
+ }
+
+ /* Allocate temporary buffer for hash data */
+ hash_data = (byte*)XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ if (hash_data == NULL) {
+ return MEMORY_E;
+ }
+
+ /* Perform hash of data */
+ ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len);
+ if(ret == 0) {
+
+ /* Verify signature using hash as data */
+ switch(sig_type) {
+#ifdef HAVE_ECC
+ case WC_SIGNATURE_TYPE_ECC:
+ {
+
+ int is_valid_sig = 0;
+
+ /* Perform verification of signature using provided ECC key */
+ ret = wc_ecc_verify_hash(sig, sig_len, hash_data, hash_len, &is_valid_sig, (ecc_key*)key);
+ if (ret != 0 || is_valid_sig != 1) {
+ ret = SIG_VERIFY_E;
+ }
+ break;
+ }
+#endif
+#ifndef NO_RSA
+ case WC_SIGNATURE_TYPE_RSA:
+ {
+ byte *plain_data = (byte*)XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ if (plain_data) {
+ /* Perform verification of signature using provided RSA key */
+ ret = wc_RsaSSL_Verify(sig, sig_len, plain_data, hash_len, (RsaKey*)key);
+ if (ret != hash_len || XMEMCMP(plain_data, hash_data, hash_len) != 0) {
+ ret = SIG_VERIFY_E;
+ }
+ XFREE(plain_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ }
+ else {
+ ret = MEMORY_E;
+ }
+ break;
+ }
+#endif
+
+ case WC_SIGNATURE_TYPE_NONE:
+ default:
+ ret = BAD_FUNC_ARG;
+ break;
+ }
+ }
+
+ if (hash_data) {
+ XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ }
+
+ return ret;
+}
+
+int wc_SignatureGenerate(
+ enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+ const byte* data, word32 data_len,
+ byte* sig, word32 *sig_len,
+ const void* key, word32 key_len, WC_RNG* rng)
+{
+ int ret, hash_len;
+ byte *hash_data = NULL;
+
+ /* Supress possible unused arg if all signature types are disabled */
+ (void)rng;
+
+ /* Check arguments */
+ if (data == NULL || data_len <= 0 || sig == NULL || sig_len == NULL ||
+ *sig_len <= 0 || key == NULL || key_len <= 0) {
+ return BAD_FUNC_ARG;
+ }
+
+ /* Validate signature len (needs to be at least max) */
+ if ((int)*sig_len < wc_SignatureGetSize(sig_type, key, key_len)) {
+ WOLFSSL_MSG("wc_SignatureGenerate: Invalid sig type/len");
+ return BAD_FUNC_ARG;
+ }
+
+ /* Validate hash size */
+ hash_len = wc_HashGetDigestSize(hash_type);
+ if (hash_len <= 0) {
+ WOLFSSL_MSG("wc_SignatureGenerate: Invalid hash type/len");
+ return BAD_FUNC_ARG;
+ }
+
+ /* Allocate temporary buffer for hash data */
+ hash_data = (byte*)XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ if (hash_data == NULL) {
+ return MEMORY_E;
+ }
+
+ /* Perform hash of data */
+ ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len);
+ if (ret == 0) {
+ /* Create signature using hash as data */
+ switch(sig_type) {
+#ifdef HAVE_ECC
+ case WC_SIGNATURE_TYPE_ECC:
+ {
+ /* Create signature using provided ECC key */
+ ret = wc_ecc_sign_hash(hash_data, hash_len, sig, sig_len, rng, (ecc_key*)key);
+ break;
+ }
+#endif
+#ifndef NO_RSA
+ case WC_SIGNATURE_TYPE_RSA:
+ /* Create signature using provided RSA key */
+ ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, (RsaKey*)key, rng);
+ if (ret > 0) {
+ *sig_len = ret;
+ }
+ break;
+#endif
+
+ case WC_SIGNATURE_TYPE_NONE:
+ default:
+ ret = BAD_FUNC_ARG;
+ break;
+ }
+ }
+
+ if (hash_data) {
+ XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER);
+ }
+
+ return ret;
+}
+
+#endif /* NO_SIG_WRAPPER */
diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c
index 6963ed022..21e7a62ae 100644
--- a/wolfcrypt/src/tfm.c
+++ b/wolfcrypt/src/tfm.c
@@ -2716,7 +2716,7 @@ void fp_gcd(fp_int *a, fp_int *b, fp_int *c)
#endif /* WOLFSSL_KEY_GEN */
-#if defined(HAVE_ECC) || !defined(NO_PWDBASED)
+#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(OPENSSL_EXTRA)
/* c = a + b */
void fp_add_d(fp_int *a, fp_digit b, fp_int *c)
{
diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c
index 9956da3c4..ac54c3494 100644
--- a/wolfcrypt/src/wc_port.c
+++ b/wolfcrypt/src/wc_port.c
@@ -43,18 +43,28 @@
/* Used to initialize state for wolfcrypt
return 0 on success
*/
-int wolfcrypt_Init()
+int wolfCrypt_Init()
{
+ int ret = 0;
+ #if WOLFSSL_CRYPT_HW_MUTEX
+ /* If crypto hardware mutex protection is enabled, then initialize it */
+ wolfSSL_CryptHwMutexInit();
+ #endif
+
/* if defined have fast RSA then initialize Intel IPP */
#ifdef HAVE_FAST_RSA
- WOLFSSL_MSG("Setting up IPP Library");
- if (ippInit() != ippStsNoErr) {
- WOLFSSL_MSG("Error setting up optimized Intel library to use!");
- return -1;
+ WOLFSSL_MSG("Attempting to use optimized IPP Library");
+ if ((ret = ippInit()) != ippStsNoErr) {
+ /* possible to get a CPU feature support status on optimized IPP
+ library but still use default library and see competitve speeds */
+ WOLFSSL_MSG("Warning when trying to set up optimization");
+ WOLFSSL_MSG(ippGetStatusString(ret));
+ WOLFSSL_MSG("Using default fast IPP library");
+ ret = 0;
}
#endif
- return 0;
+ return ret;
}
diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c
index f804e6d9f..b2885382f 100644
--- a/wolfcrypt/test/test.c
+++ b/wolfcrypt/test/test.c
@@ -390,7 +390,7 @@ int wolfcrypt_test(void* args)
#ifdef HAVE_AESGCM
if ( (ret = gmac_test()) != 0)
- return err_sys("GMAC test passed!\n", ret);
+ return err_sys("GMAC test failed!\n", ret);
else
printf( "GMAC test passed!\n");
#endif
@@ -2729,20 +2729,6 @@ int aesgcm_test(void)
* Counter Mode of Operation (GCM) by McGrew and
* Viega.
*/
- const byte k[] =
- {
- 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
- 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
- 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
- 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
- };
-
- const byte iv[] =
- {
- 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
- 0xde, 0xca, 0xf8, 0x88
- };
-
const byte p[] =
{
0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5,
@@ -2762,7 +2748,21 @@ int aesgcm_test(void)
0xab, 0xad, 0xda, 0xd2
};
- const byte c[] =
+ const byte k1[] =
+ {
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08
+ };
+
+ const byte iv1[] =
+ {
+ 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad,
+ 0xde, 0xca, 0xf8, 0x88
+ };
+
+ const byte c1[] =
{
0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07,
0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d,
@@ -2774,38 +2774,99 @@ int aesgcm_test(void)
0xbc, 0xc9, 0xf6, 0x62
};
- const byte t[] =
+ const byte t1[] =
{
0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68,
0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b
};
- byte t2[sizeof(t)];
- byte p2[sizeof(c)];
- byte c2[sizeof(p)];
+#ifndef HAVE_FIPS
+ /* Test Case 12, uses same plaintext and AAD data. */
+ const byte k2[] =
+ {
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c,
+ 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08,
+ 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c
+ };
- int result;
+ const byte iv2[] =
+ {
+ 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5,
+ 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa,
+ 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1,
+ 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28,
+ 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39,
+ 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54,
+ 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57,
+ 0xa6, 0x37, 0xb3, 0x9b
+ };
- memset(t2, 0, sizeof(t2));
- memset(c2, 0, sizeof(c2));
- memset(p2, 0, sizeof(p2));
+ const byte c2[] =
+ {
+ 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c,
+ 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff,
+ 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef,
+ 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45,
+ 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9,
+ 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3,
+ 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7,
+ 0xe9, 0xb7, 0x37, 0x3b
+ };
- wc_AesGcmSetKey(&enc, k, sizeof(k));
+ const byte t2[] =
+ {
+ 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb,
+ 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9
+ };
+#endif /* HAVE_FIPS */
+
+ byte resultT[sizeof(t1)];
+ byte resultP[sizeof(p)];
+ byte resultC[sizeof(p)];
+ int result;
+
+ memset(resultT, 0, sizeof(resultT));
+ memset(resultC, 0, sizeof(resultC));
+ memset(resultP, 0, sizeof(resultP));
+
+ wc_AesGcmSetKey(&enc, k1, sizeof(k1));
/* AES-GCM encrypt and decrypt both use AES encrypt internally */
- wc_AesGcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv),
- t2, sizeof(t2), a, sizeof(a));
- if (memcmp(c, c2, sizeof(c2)))
+ wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv1, sizeof(iv1),
+ resultT, sizeof(resultT), a, sizeof(a));
+ if (memcmp(c1, resultC, sizeof(resultC)))
return -68;
- if (memcmp(t, t2, sizeof(t2)))
+ if (memcmp(t1, resultT, sizeof(resultT)))
return -69;
- result = wc_AesGcmDecrypt(&enc, p2, c2, sizeof(p2), iv, sizeof(iv),
- t2, sizeof(t2), a, sizeof(a));
+ result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC),
+ iv1, sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a));
if (result != 0)
return -70;
- if (memcmp(p, p2, sizeof(p2)))
+ if (memcmp(p, resultP, sizeof(resultP)))
return -71;
+#ifndef HAVE_FIPS
+ memset(resultT, 0, sizeof(resultT));
+ memset(resultC, 0, sizeof(resultC));
+ memset(resultP, 0, sizeof(resultP));
+
+ wc_AesGcmSetKey(&enc, k2, sizeof(k2));
+ /* AES-GCM encrypt and decrypt both use AES encrypt internally */
+ wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv2, sizeof(iv2),
+ resultT, sizeof(resultT), a, sizeof(a));
+ if (memcmp(c2, resultC, sizeof(resultC)))
+ return -230;
+ if (memcmp(t2, resultT, sizeof(resultT)))
+ return -231;
+
+ result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC),
+ iv2, sizeof(iv2), resultT, sizeof(resultT), a, sizeof(a));
+ if (result != 0)
+ return -232;
+ if (memcmp(p, resultP, sizeof(resultP)))
+ return -233;
+#endif /* HAVE_FIPS */
+
return 0;
}
@@ -5337,6 +5398,23 @@ int dsa_test(void)
#ifdef WOLFCRYPT_HAVE_SRP
+static int generate_random_salt(byte *buf, word32 size)
+{
+ int ret = -1;
+ WC_RNG rng;
+
+ if(NULL == buf || !size)
+ return -1;
+
+ if (buf && size && wc_InitRng(&rng) == 0) {
+ ret = wc_RNG_GenerateBlock(&rng, (byte *)buf, size);
+
+ wc_FreeRng(&rng);
+ }
+
+ return ret;
+}
+
int srp_test(void)
{
Srp cli, srv;
@@ -5371,26 +5449,29 @@ int srp_test(void)
0x02
};
- byte salt[] = {
- 0xB2, 0xE5, 0x8E, 0xCC, 0xD0, 0xCF, 0x9D, 0x10, 0x3A, 0x56
- };
+ byte salt[10];
- byte verifier[] = {
- 0x7C, 0xAB, 0x17, 0xFE, 0x54, 0x3E, 0x8C, 0x13, 0xF2, 0x3D, 0x21, 0xE7,
- 0xD2, 0xAF, 0xAF, 0xDB, 0xA1, 0x52, 0x69, 0x9D, 0x49, 0x01, 0x79, 0x91,
- 0xCF, 0xD1, 0x3F, 0xE5, 0x28, 0x72, 0xCA, 0xBE, 0x13, 0xD1, 0xC2, 0xDA,
- 0x65, 0x34, 0x55, 0x8F, 0x34, 0x0E, 0x05, 0xB8, 0xB4, 0x0F, 0x7F, 0x6B,
- 0xBB, 0xB0, 0x6B, 0x50, 0xD8, 0xB1, 0xCC, 0xB7, 0x81, 0xFE, 0xD4, 0x42,
- 0xF5, 0x11, 0xBC, 0x8A, 0x28, 0xEB, 0x50, 0xB3, 0x46, 0x08, 0xBA, 0x24,
- 0xA2, 0xFB, 0x7F, 0x2E, 0x0A, 0xA5, 0x33, 0xCC
- };
+ byte verifier[80];
+ word32 v_size = sizeof(verifier);
+
+ /* generating random salt */
+
+ r = generate_random_salt(salt, sizeof(salt));
/* client knows username and password. */
/* server knows N, g, salt and verifier. */
- r = wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE);
+ if (!r) r = wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE);
if (!r) r = wc_SrpSetUsername(&cli, username, usernameSz);
+ /* loading N, g and salt in advance to generate the verifier. */
+
+ if (!r) r = wc_SrpSetParams(&cli, N, sizeof(N),
+ g, sizeof(g),
+ salt, sizeof(salt));
+ if (!r) r = wc_SrpSetPassword(&cli, password, passwordSz);
+ if (!r) r = wc_SrpGetVerifier(&cli, verifier, &v_size);
+
/* client sends username to server */
if (!r) r = wc_SrpInit(&srv, SRP_TYPE_SHA, SRP_SERVER_SIDE);
@@ -5398,15 +5479,11 @@ int srp_test(void)
if (!r) r = wc_SrpSetParams(&srv, N, sizeof(N),
g, sizeof(g),
salt, sizeof(salt));
- if (!r) r = wc_SrpSetVerifier(&srv, verifier, sizeof(verifier));
+ if (!r) r = wc_SrpSetVerifier(&srv, verifier, v_size);
if (!r) r = wc_SrpGetPublic(&srv, serverPubKey, &serverPubKeySz);
/* server sends N, g, salt and B to client */
- if (!r) r = wc_SrpSetParams(&cli, N, sizeof(N),
- g, sizeof(g),
- salt, sizeof(salt));
- if (!r) r = wc_SrpSetPassword(&cli, password, passwordSz);
if (!r) r = wc_SrpGetPublic(&cli, clientPubKey, &clientPubKeySz);
if (!r) r = wc_SrpComputeKey(&cli, clientPubKey, clientPubKeySz,
serverPubKey, serverPubKeySz);
diff --git a/wolfcrypt/test/test.h b/wolfcrypt/test/test.h
index dbe6e25e0..53f299454 100644
--- a/wolfcrypt/test/test.h
+++ b/wolfcrypt/test/test.h
@@ -1,4 +1,4 @@
-/* ctaocrypt/test/test.h
+/* wolfcrypt/test/test.h
*
* Copyright (C) 2006-2015 wolfSSL Inc.
*
@@ -19,7 +19,9 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-#pragma once
+#ifndef WOLFCRYPT_TEST_H
+#define WOLFCRYPT_TEST_H
+
#ifdef __cplusplus
extern "C" {
@@ -31,3 +33,6 @@ int wolfcrypt_test(void* args);
} /* extern "C" */
#endif
+
+#endif /* WOLFCRYPT_TEST_H */
+
diff --git a/wolfcrypt/user-crypto/include.am b/wolfcrypt/user-crypto/include.am
new file mode 100644
index 000000000..6cc8577ab
--- /dev/null
+++ b/wolfcrypt/user-crypto/include.am
@@ -0,0 +1,13 @@
+
+if BUILD_FAST_RSA
+include_HEADERS += wolfcrypt/user-crypto/include/user_rsa.h
+endif
+
+# user crypto plug in example
+EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac
+EXTRA_DIST+= wolfcrypt/user-crypto/autogen.sh
+EXTRA_DIST+= wolfcrypt/user-crypto/include/user_rsa.h
+EXTRA_DIST+= wolfcrypt/user-crypto/src/rsa.c
+EXTRA_DIST+= wolfcrypt/user-crypto/lib/.gitkeep
+EXTRA_DIST+= wolfcrypt/user-crypto/README.txt
+EXTRA_DIST+= wolfcrypt/user-crypto/Makefile.am
diff --git a/wolfcrypt/user-crypto/include/user_rsa.h b/wolfcrypt/user-crypto/include/user_rsa.h
index ab5436203..21b7b7a31 100644
--- a/wolfcrypt/user-crypto/include/user_rsa.h
+++ b/wolfcrypt/user-crypto/include/user_rsa.h
@@ -106,7 +106,7 @@ WOLFSSL_API int wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*,
word32*);
-#ifdef WOLFSSL_CERT_GEN
+#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)
/* abstracted BN operations with RSA key */
WOLFSSL_API int wc_Rsa_leading_bit(void* BN);
WOLFSSL_API int wc_Rsa_unsigned_bin_size(void* BN);
diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c
index faa672cbb..1bd708aff 100644
--- a/wolfcrypt/user-crypto/src/rsa.c
+++ b/wolfcrypt/user-crypto/src/rsa.c
@@ -19,10 +19,6 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
-/*
- Created to use intel's IPP see their license for linking to intel's IPP library
- */
-
#ifdef HAVE_CONFIG_H /* configure options when using autoconf */
#include
#endif
@@ -95,22 +91,56 @@ int wc_InitRsaKey(RsaKey* key, void* heap)
}
-#ifdef WOLFSSL_CERT_GEN /* three functions needed for cert gen */
+/* three functions needed for cert and key gen */
+#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)
/* return 1 if there is a leading bit*/
int wc_Rsa_leading_bit(void* bn)
{
int ret = 0;
- if (ippsExtGet_BN(NULL, &ret, NULL, bn) != ippStsNoErr) {
- USER_DEBUG(("Rsa leading bit error\n"));
+ int dataSz;
+ Ipp32u* data;
+ Ipp32u q;
+ int qSz = sizeof(Ipp32u);
+
+ if (ippsExtGet_BN(NULL, &dataSz, NULL, bn) != ippStsNoErr) {
+ USER_DEBUG(("ippsExtGet_BN Rsa leading bit error\n"));
return USER_CRYPTO_ERROR;
}
- return (ret % 8)? 1 : 0; /* if mod 8 bit then an extra byte is needed */
+
+ /* convert from size in binary to Ipp32u */
+ dataSz = dataSz / 32 + ((dataSz % 32)? 1 : 0);
+ data = (Ipp32u*)XMALLOC(dataSz * sizeof(Ipp32u), NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
+ if (data == NULL) {
+ USER_DEBUG(("Rsa leading bit memory error\n"));
+ return 0;
+ }
+
+ /* extract value from BN */
+ if (ippsExtGet_BN(NULL, NULL, data, bn) != ippStsNoErr) {
+ USER_DEBUG(("Rsa leading bit error\n"));
+ XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ return 0;
+ }
+
+ /* use method like what's used in wolfssl tfm.c */
+ q = data[dataSz - 1];
+
+ ret = 0;
+ while (qSz > 0) {
+ if (q != 0)
+ ret = (q & 0x80) != 0;
+ q >>= 8;
+ qSz--;
+ }
+
+ XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+
+ return ret;
}
-/* get the size in bytes of BN
- cuts off if extra byte is needed so recommended to check wc_Rsa_leading_bit
- and adding it to this return value before mallocing memory needed */
+/* get the size in bytes of BN */
int wc_Rsa_unsigned_bin_size(void* bn)
{
int ret = 0;
@@ -118,7 +148,7 @@ int wc_Rsa_unsigned_bin_size(void* bn)
USER_DEBUG(("Rsa unsigned bin size error\n"));
return USER_CRYPTO_ERROR;
}
- return ret / 8; /* size in bytes */
+ return (ret / 8) + ((ret % 8)? 1: 0); /* size in bytes */
}
#ifndef MP_OKAY
@@ -129,12 +159,12 @@ int wc_Rsa_unsigned_bin_size(void* bn)
int wc_Rsa_to_unsigned_bin(void* bn, byte* in, int inLen)
{
if (ippsGetOctString_BN((Ipp8u*)in, inLen, bn) != ippStsNoErr) {
- USER_DEBUG(("Rsa unsigned bin error\n"));
+ USER_DEBUG(("Rsa to unsigned bin error\n"));
return USER_CRYPTO_ERROR;
}
return MP_OKAY;
}
-#endif /* WOLFSSL_CERT_GEN */
+#endif /* WOLFSSL_CERT_GEN or WOLFSSL_KEY_GEN */
#ifdef OPENSSL_EXTRA /* functions needed for openssl compatibility layer */
@@ -164,7 +194,7 @@ static int SetIndividualExternal(WOLFSSL_BIGNUM** bn, IppsBigNumState* in)
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
- data = XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ data = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
if (data == NULL)
return USER_CRYPTO_ERROR;
@@ -204,13 +234,15 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi)
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
- *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ *mpi = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
if (*mpi == NULL)
return USER_CRYPTO_ERROR;
ret = ippsBigNumInit(length, *mpi);
- if (ret != ippStsNoErr)
+ if (ret != ippStsNoErr) {
+ XFREE(*mpi, NULL, DYNAMIC_TYPE_USER_CRYPTO);
return USER_CRYPTO_ERROR;
+ }
}
@@ -223,7 +255,7 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi)
return USER_CRYPTO_ERROR;
}
- data = XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ data = (Ipp8u*)XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO);
if (data == NULL)
return USER_CRYPTO_ERROR;
@@ -403,7 +435,8 @@ int SetRsaInternal(WOLFSSL_RSA* rsa)
return USER_CRYPTO_ERROR;
}
- key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPub == NULL)
return USER_CRYPTO_ERROR;
@@ -456,7 +489,8 @@ int SetRsaInternal(WOLFSSL_RSA* rsa)
}
key->prvSz = ctxSz;
- key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPrv == NULL)
return USER_CRYPTO_ERROR;
@@ -566,6 +600,103 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen,
}
+/* Set up memory and structure for a Big Number
+ * returns ippStsNoErr on success
+ */
+static IppStatus init_bn(IppsBigNumState** in, int sz)
+{
+ int ctxSz;
+ IppStatus ret;
+
+ ret = ippsBigNumGetSize(sz, &ctxSz);
+ if (ret != ippStsNoErr) {
+ return ret;
+ }
+
+ *in = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ if (*in == NULL) {
+ return ippStsNoMemErr;
+ }
+
+ ret = ippsBigNumInit(sz, *in);
+ if (ret != ippStsNoErr) {
+ XFREE(*in, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ *in = NULL;
+ return ret;
+ }
+
+ return ippStsNoErr;
+}
+
+
+/* Set up memory and structure for a Montgomery struct
+ * returns ippStsNoErr on success
+ */
+static IppStatus init_mont(IppsMontState** mont, int* ctxSz,
+ IppsBigNumState* modul)
+{
+ int mSz;
+ Ipp32u* m;
+ IppStatus ret;
+
+ ret = ippsExtGet_BN(NULL, ctxSz, NULL, modul);
+ if (ret != ippStsNoErr) {
+ return ret;
+ }
+
+ /* convert bits to Ipp32u array size and round up
+ 32 is number of bits in type */
+ mSz = (*ctxSz/32)+((*ctxSz % 32)? 1: 0);
+ m = (Ipp32u*)XMALLOC(mSz * sizeof(Ipp32u), 0, DYNAMIC_TYPE_USER_CRYPTO);
+ if (m == NULL) {
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ return ippStsNoMemErr;
+ }
+
+ ret = ippsExtGet_BN(NULL, NULL, m, modul);
+ if (ret != ippStsNoErr) {
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ return ret;
+ }
+
+ ret = ippsMontGetSize(IppsSlidingWindows, mSz, ctxSz);
+ if (ret != ippStsNoErr) {
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ return ret;
+ }
+
+ /* 2. Allocate working buffer using malloc */
+ *mont = (IppsMontState*)XMALLOC(*ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ if (mont == NULL) {
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ return ippStsNoMemErr;
+ }
+ ret = ippsMontInit(IppsSlidingWindows, mSz, *mont);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsMontInit error of %s\n", ippGetStatusString(ret)));
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(*mont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ *mont = NULL;
+ return ret;
+ }
+
+ /* 3. Call the function MontSet to set big number module */
+ ret = ippsMontSet(m, mSz, *mont);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsMontSet error of %s\n", ippGetStatusString(ret)));
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(*mont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ *mont = NULL;
+ return ret;
+ }
+
+ XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+
+ return ippStsNoErr;
+}
+
+
+
int wc_FreeRsaKey(RsaKey* key)
{
if (key == NULL)
@@ -701,7 +832,7 @@ static int GetInt(IppsBigNumState** mpi, const byte* input, word32* inOutIdx,
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
- *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ *mpi = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
if (*mpi == NULL)
return USER_CRYPTO_ERROR;
@@ -808,7 +939,8 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
return USER_CRYPTO_ERROR;
}
- key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPub == NULL)
return USER_CRYPTO_ERROR;
@@ -860,7 +992,8 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
}
key->prvSz = ctxSz;
- key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPrv == NULL)
return USER_CRYPTO_ERROR;
@@ -978,7 +1111,8 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key,
return USER_CRYPTO_ERROR;
}
- key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPub == NULL)
return USER_CRYPTO_ERROR;
@@ -1015,15 +1149,7 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
return USER_CRYPTO_ERROR;
/* set up IPP key states -- read in n */
- ret = ippsBigNumGetSize(nSz, &ctxSz);
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
-
- key->n = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->n == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(nSz, key->n);
+ ret = init_bn(&key->n, nSz);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
@@ -1032,15 +1158,7 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
return USER_CRYPTO_ERROR;
/* read in e */
- ret = ippsBigNumGetSize(eSz, &ctxSz);
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
-
- key->e = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->e == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(eSz, key->e);
+ ret = init_bn(&key->e, eSz);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
@@ -1061,7 +1179,8 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e,
return USER_CRYPTO_ERROR;
}
- key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPub == NULL)
return USER_CRYPTO_ERROR;
@@ -1106,8 +1225,8 @@ int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
- scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
- DYNAMIC_TYPE_USER_CRYPTO);
+ scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (scratchBuffer == NULL)
return USER_CRYPTO_ERROR;
@@ -1149,8 +1268,8 @@ int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen,
return USER_CRYPTO_ERROR;
}
- scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
- DYNAMIC_TYPE_USER_CRYPTO);
+ scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (scratchBuffer == NULL) {
return USER_CRYPTO_ERROR;
}
@@ -1180,7 +1299,7 @@ int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key)
USER_DEBUG(("Entering wc_RsaPrivateDecryptInline\n"));
/* allocate a buffer for max decrypted text */
- tmp = XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ tmp = (byte*)XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
if (tmp == NULL)
return USER_CRYPTO_ERROR;
@@ -1252,7 +1371,7 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
return USER_CRYPTO_ERROR;
}
- pPub = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ pPub = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
if (pPub == NULL)
return USER_CRYPTO_ERROR;
@@ -1264,7 +1383,6 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
return USER_CRYPTO_ERROR;
}
-
ret = ippsRSA_SetPrivateKeyType1(key->n, key->e, pPub);
if (ret != ippStsNoErr) {
FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
@@ -1280,32 +1398,19 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
return USER_CRYPTO_ERROR;
}
- scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
- DYNAMIC_TYPE_USER_CRYPTO);
+ scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (scratchBuffer == NULL) {
FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
return USER_CRYPTO_ERROR;
}
/* load plain and cipher into big num states */
- ret = ippsBigNumGetSize(key->sz, &ctxSz);
+ ret = init_bn(&pTxt, key->sz);
if (ret != ippStsNoErr) {
FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
return USER_CRYPTO_ERROR;
}
-
- pTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (pTxt == NULL) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
- return USER_CRYPTO_ERROR;
- }
-
- ret = ippsBigNumInit(key->sz, pTxt);
- if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
- return USER_CRYPTO_ERROR;
- }
-
ret = ippsSetOctString_BN((Ipp8u*)in, key->sz, pTxt);
if (ret != ippStsNoErr) {
FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
@@ -1313,24 +1418,11 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key)
}
/* set up cipher to hold signature */
- ret = ippsBigNumGetSize(key->sz, &ctxSz);
+ ret = init_bn(&cTxt, key->sz);
if (ret != ippStsNoErr) {
FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
return USER_CRYPTO_ERROR;
}
-
- cTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (cTxt == NULL) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
- return USER_CRYPTO_ERROR;
- }
-
- ret = ippsBigNumInit(key->sz, cTxt);
- if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
- return USER_CRYPTO_ERROR;
- }
-
ret = ippsSetOctString_BN((Ipp8u*)in, key->sz, cTxt);
if (ret != ippStsNoErr) {
FreeHelper(pTxt, cTxt, scratchBuffer, pPub);
@@ -1397,147 +1489,394 @@ int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen,
}
+/* Check if a > b , if so c = a mod b
+ return ippStsNoErr on success */
+static IppStatus reduce(IppsBigNumState* a, IppsBigNumState* b,
+ IppsBigNumState* c)
+{
+ IppStatus ret;
+
+ if ((ret = ippsMod_BN(a, b, c)) != ippStsNoErr)
+ return ret;
+
+ return ippStsNoErr;
+}
+
+
+static IppStatus exptmod(IppsBigNumState* a, IppsBigNumState* b,
+ IppsMontState* mont, IppsBigNumState* out, IppsBigNumState* one)
+{
+ IppStatus ret;
+
+ ret = ippsMontForm(a, mont, a);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsMontForm error of %s\n", ippGetStatusString(ret)));
+ return ret;
+ }
+
+ /* a = a^b mod mont */
+ ret = ippsMontExp(a, b, mont, out);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsMontExp error of %s\n", ippGetStatusString(ret)));
+ return ret;
+ }
+
+ /* convert back from montgomery */
+ ret = ippsMontMul(out, one, mont, out);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsMontMul error of %s\n", ippGetStatusString(ret)));
+ return ret;
+ }
+
+ return ippStsNoErr;
+}
+
+
+static void Free_BN(IppsBigNumState* bn)
+{
+ int sz, ctxSz;
+ IppStatus ret;
+
+ if (bn != NULL) {
+ ret = ippStsNoErr;
+ ret |= ippsGetSize_BN(bn, &sz);
+ ret |= ippsBigNumGetSize(sz, &ctxSz);
+ if (ret == ippStsNoErr) {
+ ForceZero(bn, ctxSz);
+ }
+ else {
+ USER_DEBUG(("Issue with clearing a struct in RsaSSL_Sign free\n"));
+ }
+ XFREE(bn, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ bn = NULL;
+ }
+}
+
+
+/* free up memory used during CRT sign operation */
+static void FreeSignHelper(IppsBigNumState* one, IppsBigNumState* tmp,
+ IppsBigNumState* tmpP, IppsBigNumState* tmpQ, IppsBigNumState* tmpa,
+ IppsBigNumState* tmpb)
+{
+ Free_BN(one);
+ Free_BN(tmp);
+ Free_BN(tmpP);
+ Free_BN(tmpQ);
+ Free_BN(tmpa);
+ Free_BN(tmpb);
+}
+
+
/* for Rsa Sign */
int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen,
RsaKey* key, WC_RNG* rng)
{
- int sz;
- int scratchSz;
- int ctxSz;
- int prvSz;
+ int sz, pSz, qSz;
IppStatus ret;
- Ipp8u* scratchBuffer = NULL;
- IppsRSAPublicKeyState* pPrv = NULL;
- IppsBigNumState* pTxt = NULL;
- IppsBigNumState* cTxt = NULL;
+ word32 outSz = outLen;
+
+ IppsMontState* pMont = NULL;
+ IppsMontState* qMont = NULL;
+
+ IppsBigNumState* one = NULL;
+ IppsBigNumState* tmp = NULL;
+ IppsBigNumState* tmpP = NULL;
+ IppsBigNumState* tmpQ = NULL;
+ IppsBigNumState* tmpa = NULL;
+ IppsBigNumState* tmpb = NULL;
+
+ IppsBigNumSGN sa, sb;
+
+ Ipp8u o[1];
+ o[0] = 1;
+
+ USER_DEBUG(("Entering wc_RsaSSL_Sign\n"));
sz = key->sz;
- /* set up public key state using private key values */
- ret = ippsRSA_GetSizePublicKey(key->nSz, key->dSz, &ctxSz);
- if (ret != ippStsNoErr) {
- USER_DEBUG(("ippsRSA_GetSizePrivateKey error %s\n",
- ippGetStatusString(ret)));
+ if (in == NULL || out == NULL || key == NULL || rng == NULL) {
+ USER_DEBUG(("Bad argument to wc_RsaSSL_Sign\n"));
return USER_CRYPTO_ERROR;
}
- prvSz = ctxSz; /* used later to overright sensitive memory */
- pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (pPrv == NULL) {
- USER_DEBUG(("memeory error assinging pPrv\n"));
+ /* sanity check on key being used */
+ if (key->pipp == NULL || key->qipp == NULL || key->uipp == NULL ||
+ key->dPipp == NULL || key->dQipp == NULL) {
+ USER_DEBUG(("Bad key argument to wc_RsaSSL_Sign\n"));
return USER_CRYPTO_ERROR;
}
- ret = ippsRSA_InitPublicKey(key->nSz, key->dSz, pPrv, ctxSz);
- if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- USER_DEBUG(("ippsRSA_InitPrivateKey error %s\n",
- ippGetStatusString(ret)));
+ if (sz > (int)outLen) {
+ USER_DEBUG(("Bad argument outLen to wc_RsaSSL_Sign\n"));
return USER_CRYPTO_ERROR;
}
- ret = ippsRSA_SetPublicKey(key->n, key->dipp, pPrv);
- if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- USER_DEBUG(("ippsRSA_SetPrivateKey error %s\n",
- ippGetStatusString(ret)));
- return USER_CRYPTO_ERROR;
- }
-
- /* set size of scratch buffer */
- ret = ippsRSA_GetBufferSizePublicKey(&scratchSz, pPrv);
- if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- USER_DEBUG(("ippsRSA_GetBufferSizePublicKey error %s\n",
- ippGetStatusString(ret)));
- return USER_CRYPTO_ERROR;
- }
-
- scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0,
- DYNAMIC_TYPE_USER_CRYPTO);
- if (scratchBuffer == NULL) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- USER_DEBUG(("memory error assigning scratch buffer\n"));
+ if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) {
+ USER_DEBUG(("Bad argument inLen to wc_RsaSSL_Sign\n"));
return USER_CRYPTO_ERROR;
}
/* Set up needed pkcs v15 padding */
if (wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng) != 0) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("RSA Padding error\n"));
return USER_CRYPTO_ERROR;
}
- /* load plain and cipher into big num states */
- ret = ippsBigNumGetSize(sz, &ctxSz);
+ /* tmp = intput to sign */
+ ret = init_bn(&tmp, sz);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
-
- pTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (pTxt == NULL) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- return USER_CRYPTO_ERROR;
- }
-
- ret = ippsBigNumInit(sz, pTxt);
+ ret = ippsSetOctString_BN(out, sz, tmp);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("ippsSetOctString_BN error of %s\n",
+ ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
- ret = ippsSetOctString_BN((Ipp8u*)out, sz, pTxt);
+ /* tmpP = tmp mod p */
+ ret = init_bn(&tmpP, sz);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
- /* set up cipher to hold signature */
- ret = ippsBigNumGetSize(outLen, &ctxSz);
+ /* tmpQ = tmp mod q */
+ ret = init_bn(&tmpQ, sz);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
- cTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (cTxt == NULL) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- return USER_CRYPTO_ERROR;
- }
-
- ret = ippsBigNumInit(outLen, cTxt);
+ /* tmpa */
+ ret = init_bn(&tmpa, sz);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
- ret = ippsSetOctString_BN((Ipp8u*)out, outLen, cTxt);
+ /* tmpb */
+ ret = init_bn(&tmpb, sz);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
- /* encrypt using private key */
- ret = ippsRSA_Encrypt(pTxt, cTxt, pPrv, scratchBuffer);
+ /* one : used for conversion from Montgomery to classical */
+ ret = init_bn(&one, sz);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- USER_DEBUG(("sign error of %s\n", ippGetStatusString(ret)));
+ USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
-
- /* get output string from big number structure */
- ret = ippsGetOctString_BN((Ipp8u*)out, sz, cTxt);
+ ret = ippsSetOctString_BN(o, 1, one);
if (ret != ippStsNoErr) {
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
- USER_DEBUG(("BN get string error of %s\n", ippGetStatusString(ret)));
+ USER_DEBUG(("ippsSetOctString_BN error of %s\n",
+ ippGetStatusString(ret)));
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
return USER_CRYPTO_ERROR;
}
- /* clean up memory used */
- ForceZero(pPrv, prvSz); /* clear senstive memory */
- FreeHelper(pTxt, cTxt, scratchBuffer, pPrv);
+ /**
+ Set up Montgomery state
+ */
+ ret = init_mont(&pMont, &pSz, key->pipp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret)));
+ if (pMont != NULL) {
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ }
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
- return sz;
+ ret = init_mont(&qMont, &qSz, key->qipp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret)));
+ if (qMont != NULL) {
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ }
+ ForceZero(pMont, pSz);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /**
+ Check and reduce input
+ This is needed for calls to MontExp since required value of a < modulus
+ */
+ ret = reduce(tmp, key->pipp, tmpP);
+ if (ret != ippStsNoErr)
+ {
+ USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ ret = reduce(tmp, key->qipp, tmpQ);
+ if (ret != ippStsNoErr)
+ {
+ USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* tmpa = (tmp mod p)^dP mod p */
+ ret = exptmod(tmpP, key->dPipp, pMont, tmpa, one);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* tmpb = (tmp mod q)^dQ mod q */
+ ret = exptmod(tmpQ, key->dQipp, qMont, tmpb, one);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* tmp = (tmpa - tmpb) * qInv (mod p) */
+ ret = ippsSub_BN(tmpa, tmpb, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ ret = ippsMul_BN(tmp, key->uipp, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsMul_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* mod performed the same was as wolfSSL fp_mod -- tmpa is just scratch */
+ ret = ippsDiv_BN(tmp, key->pipp, tmpa, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsDiv_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* Check sign of values and perform conditional add */
+ ret = ippsExtGet_BN(&sa, NULL, NULL, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+ ret = ippsExtGet_BN(&sb, NULL, NULL, key->pipp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+ if (sa != sb) {
+ ret = ippsAdd_BN(tmp, key->pipp, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsAdd_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+ }
+
+ /* tmp = tmpb + q * tmp */
+ ret = ippsMul_BN(tmp, key->qipp, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+
+ ret = ippsAdd_BN(tmp, tmpb, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* Extract the output */
+ ret = ippsGetOctString_BN(out, sz, tmp);
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsGetOctString_BN error of %s\n",
+ ippGetStatusString(ret)));
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+ return USER_CRYPTO_ERROR;
+ }
+
+ outSz = sz;
+
+ /* clear memory and free */
+ ForceZero(pMont, pSz);
+ ForceZero(qMont, qSz);
+ XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb);
+
+ return outSz;
}
@@ -1599,6 +1938,27 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n,
return 0;
}
+
+IppStatus wolfSSL_rng(Ipp32u* pData, int nBits, void* pEbsParams);
+IppStatus wolfSSL_rng(Ipp32u* pData, int nBits, void* pEbsParams)
+{
+ int nBytes;
+
+ if (pData == NULL) {
+ USER_DEBUG(("error with wolfSSL_rng argument\n"));
+ return ippStsErr;
+ }
+
+ nBytes = (nBits/8) + ((nBits % 8)? 1: 0);
+ if (wc_RNG_GenerateBlock(pEbsParams, (byte*)pData, nBytes) != 0) {
+ USER_DEBUG(("error in generating random wolfSSL block\n"));
+ return ippStsErr;
+ }
+
+ return ippStsNoErr;
+}
+
+
#ifdef WOLFSSL_KEY_GEN
/* Make an RSA key for size bits, with e specified, 65537 is a good e */
int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
@@ -1610,10 +1970,9 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
IppsBigNumState* pSrcPublicExp;
Ipp8u* scratchBuffer;
+ Ipp8u eAry[8];
int trys = 8; /* Miller-Rabin test parameter */
IppsPrimeState* pPrime;
- IppBitSupplier rndFunc;
- IppsPRNGState* rndParam; /* rng context */
int qBitSz; /* size of q factor */
int bytSz; /* size of key in bytes */
@@ -1621,8 +1980,9 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
USER_DEBUG(("Entering wc_MakeRsaKey\n"));
- qBitSz = size / 2;
- bytSz = size / 8;
+ /* get byte size and individual private key size -- round up */
+ qBitSz = (size / 2) + ((size % 2)? 1: 0);
+ bytSz = (size / 8) + ((size % 8)? 1: 0);
if (key == NULL)
return USER_CRYPTO_ERROR;
@@ -1634,24 +1994,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return USER_CRYPTO_ERROR;
key->type = RSA_PRIVATE;
-
- /* set up rng */
- ret = ippsPRNGGetSize(&ctxSz);
- if (ret != ippStsNoErr) {
- USER_DEBUG(("ippsPRNGGetSize error of %s\n", ippGetStatusString(ret)));
- return USER_CRYPTO_ERROR;
- }
-
- rndParam = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
- if (rndParam == NULL)
- return USER_CRYPTO_ERROR;
-
- /*@TODO size of seed bits used hard set at 256 */
- ret = ippsPRNGInit(256, rndParam);
- if (ret != ippStsNoErr) {
- USER_DEBUG(("ippsPRNGInit error of %s\n", ippGetStatusString(ret)));
- return USER_CRYPTO_ERROR;
- }
+ key->sz = bytSz;
/* initialize prime number */
ret = ippsPrimeGetSize(size, &ctxSz); /* size in bits */
@@ -1660,7 +2003,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return USER_CRYPTO_ERROR;
}
- pPrime = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ pPrime = (IppsPrimeState*)XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
if (pPrime == NULL)
return USER_CRYPTO_ERROR;
@@ -1670,12 +2013,6 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return USER_CRYPTO_ERROR;
}
- ret = ippsPrimeGen(size, 100, pPrime, ippsPRNGen, rndParam);
- if (ret != ippStsNoErr) {
- USER_DEBUG(("ippsPrimeGen error of %s\n", ippGetStatusString(ret)));
- return USER_CRYPTO_ERROR;
- }
-
/* define RSA privete key type 2 */
/* length in bits of p and q factors */
ret = ippsRSA_GetSizePrivateKeyType2(qBitSz, qBitSz, &ctxSz);
@@ -1686,7 +2023,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
}
key->prvSz = ctxSz; /* used when freeing private key */
- key->pPrv = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPrv == NULL)
return USER_CRYPTO_ERROR;
@@ -1706,74 +2044,46 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return USER_CRYPTO_ERROR;
}
- scratchBuffer = XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
+ scratchBuffer = (Ipp8u*)XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
if (scratchBuffer == NULL)
return USER_CRYPTO_ERROR;
/* set up initial value of pScrPublicExp */
leng = (int)sizeof(long); /* # of Ipp32u in long */
- ret = ippsBigNumGetSize(leng, &ctxSz);
+
+ /* place the value of e into the array eAry then load into BN */
+ for (i = 0; i < leng; i++) {
+ eAry[i] = (e >> (8 * (leng - 1 - i))) & 0XFF;
+ }
+ ret = init_bn(&pSrcPublicExp, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
- pSrcPublicExp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (pSrcPublicExp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, pSrcPublicExp);
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
- ret = ippsSetOctString_BN((Ipp8u*)&e, leng, pSrcPublicExp);
+ ret = ippsSetOctString_BN(eAry, leng, pSrcPublicExp);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* initializing key->n */
- ret = ippsBigNumGetSize(bytSz, &ctxSz);
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
-
- key->n = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->n == NULL)
- return USER_CRYPTO_ERROR;
-
- key->nSz = size;
- ret = ippsBigNumInit(bytSz, key->n);
+ ret = init_bn(&key->n, bytSz);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* initializing public exponent key->e */
- ret = ippsBigNumGetSize(leng, &ctxSz);
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
-
- key->e = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->e == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, key->e);
+ ret = init_bn(&key->e, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* private exponent key->dipp */
- ret = ippsBigNumGetSize(bytSz, &ctxSz);
+ ret = init_bn(&key->dipp, bytSz);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
- key->dipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->dipp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(bytSz, key->dipp);
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
-
- rndFunc = ippsPRNGen;
/* call IPP to generate keys, if inseficent entropy error call again
using for loop to avoid infinte loop */
for (i = 0; i < 5; i++) {
ret = ippsRSA_GenerateKeys(pSrcPublicExp, key->n, key->e,
key->dipp, key->pPrv, scratchBuffer, trys, pPrime,
- rndFunc, rndParam);
+ wolfSSL_rng, rng);
if (ret == ippStsNoErr) {
break;
}
@@ -1785,6 +2095,12 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return USER_CRYPTO_ERROR;
}
}
+ /* catch if still did not generate a good key */
+ if (ret != ippStsNoErr) {
+ USER_DEBUG(("ippsRSA_GeneratKeys error of %s\n",
+ ippGetStatusString(ret)));
+ return USER_CRYPTO_ERROR;
+ }
/* get bn sizes needed for private key set up */
ret = ippsExtGet_BN(NULL, &key->eSz, NULL, key->e);
@@ -1807,7 +2123,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
return USER_CRYPTO_ERROR;
}
- key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO);
+ key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL,
+ DYNAMIC_TYPE_USER_CRYPTO);
if (key->pPub == NULL)
return USER_CRYPTO_ERROR;
@@ -1827,51 +2144,27 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
/* get private key information for key struct */
leng = size/16; /* size of q, p, u, dP, dQ */
- ret = ippsBigNumGetSize(leng, &ctxSz); /* get needed ctxSz and use */
- if (ret != ippStsNoErr)
- return USER_CRYPTO_ERROR;
-
- key->pipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->pipp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, key->pipp);
+ ret = init_bn(&key->pipp, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* set up q BN for key */
- key->qipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->qipp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, key->qipp);
+ ret = init_bn(&key->qipp, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* set up dP BN for key */
- key->dPipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->dPipp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, key->dPipp);
+ ret = init_bn(&key->dPipp, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* set up dQ BN for key */
- key->dQipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->dQipp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, key->dQipp);
+ ret = init_bn(&key->dQipp, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
/* set up u BN for key */
- key->uipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO);
- if (key->uipp == NULL)
- return USER_CRYPTO_ERROR;
-
- ret = ippsBigNumInit(leng, key->uipp);
+ ret = init_bn(&key->uipp, leng);
if (ret != ippStsNoErr)
return USER_CRYPTO_ERROR;
@@ -1888,9 +2181,6 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng)
XFREE(pSrcPublicExp, NULL, DYNAMIC_TYPE_USER_CRYPTO);
XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO);
XFREE(pPrime, NULL, DYNAMIC_TYPE_USER_CRYPTO);
- XFREE(rndParam, NULL, DYNAMIC_TYPE_USER_CRYPTO);
-
- (void)rng;
return 0;
}
@@ -2050,10 +2340,12 @@ static int SetRsaPublicKey(byte* output, RsaKey* key,
return USER_CRYPTO_ERROR;
#endif
- if (ippsExtGet_BN(NULL, &rawLen, NULL, key->n) != ippStsNoErr)
+ leadingBit = wc_Rsa_leading_bit(key->n);
+ rawLen = wc_Rsa_unsigned_bin_size(key->n);
+ if ((int)rawLen < 0) {
return USER_CRYPTO_ERROR;
- leadingBit = rawLen % 8; /* check for if an extra byte is needed */
- rawLen = rawLen/8; /* convert to byte size */
+ }
+
rawLen = rawLen + leadingBit;
n[0] = ASN_INTEGER;
nSz = SetLength(rawLen, n + 1) + 1; /* int tag */
@@ -2089,10 +2381,12 @@ static int SetRsaPublicKey(byte* output, RsaKey* key,
}
#endif
- if (ippsExtGet_BN(NULL, &rawLen, NULL, key->e) != ippStsNoErr)
+ leadingBit = wc_Rsa_leading_bit(key->e);
+ rawLen = wc_Rsa_unsigned_bin_size(key->e);
+ if ((int)rawLen < 0) {
return USER_CRYPTO_ERROR;
- leadingBit = rawLen % 8;
- rawLen = rawLen/8;
+ }
+
rawLen = rawLen + leadingBit;
e[0] = ASN_INTEGER;
eSz = SetLength(rawLen, e + 1) + 1; /* int tag */
@@ -2260,19 +2554,22 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
Ipp32u isZero;
IppsBigNumState* keyInt = GetRsaInt(key, i);
- /* leading zero */
ippsCmpZero_BN(keyInt, &isZero); /* makes isZero 0 if true */
- ippsExtGet_BN(NULL, (int*)&rawLen, NULL, keyInt); /* bit length */
- if (rawLen % 8 || !isZero)
+ rawLen = wc_Rsa_unsigned_bin_size(keyInt);
+ if ((int)rawLen < 0) {
+ return USER_CRYPTO_ERROR;
+ }
+
+ /* leading zero */
+ if (!isZero || wc_Rsa_leading_bit(keyInt))
lbit = 1;
else
lbit = 0;
- rawLen /= 8; /* convert to bytes */
rawLen += lbit;
tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap,
- DYNAMIC_TYPE_USER_CRYPTO);
+ DYNAMIC_TYPE_USER_CRYPTO);
if (tmps[i] == NULL) {
ret = USER_CRYPTO_ERROR;
break;
@@ -2298,6 +2595,8 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen)
}
else {
ret = USER_CRYPTO_ERROR;
+ USER_DEBUG(("ippsGetOctString_BN error %s\n",
+ ippGetStatusString(err)));
break;
}
}
diff --git a/wolfssl.vcxproj b/wolfssl.vcxproj
index 12bdaa708..d1834c78a 100644
--- a/wolfssl.vcxproj
+++ b/wolfssl.vcxproj
@@ -176,6 +176,7 @@
ws2_32.lib;%(AdditionalDependencies)
false
true
+ false
diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h
index e7ab3c767..c9b0b16a5 100644
--- a/wolfssl/certs_test.h
+++ b/wolfssl/certs_test.h
@@ -98,9 +98,9 @@ static const int sizeof_client_keypub_der_1024 = sizeof(client_keypub_der_1024);
/* ./certs/1024/client-cert.der, 1024-bit */
static const unsigned char client_cert_der_1024[] =
{
- 0x30, 0x82, 0x03, 0xC5, 0x30, 0x82, 0x03, 0x2E, 0xA0, 0x03,
- 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xE3, 0xD7, 0xA0, 0xFA,
- 0x76, 0xDF, 0x2A, 0xFA, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x30, 0x82, 0x03, 0xF9, 0x30, 0x82, 0x03, 0x62, 0xA0, 0x03,
+ 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xD3, 0xDF, 0x98, 0xC4,
+ 0x80, 0x1F, 0x1F, 0x6F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
@@ -118,10 +118,10 @@ static const unsigned char client_cert_der_1024[] =
0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
- 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, 0x30, 0x37,
- 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, 0x0D, 0x31,
- 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, 0x31, 0x30,
- 0x31, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
+ 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31,
+ 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, 0x39, 0x33,
+ 0x37, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
@@ -153,8 +153,8 @@ static const unsigned char client_cert_der_1024[] =
0x4C, 0xE8, 0xC1, 0xFD, 0x4A, 0x6F, 0x2B, 0x1F, 0xEF, 0x8A,
0xAE, 0xF6, 0x90, 0x62, 0xE5, 0x64, 0x1E, 0xEB, 0x2B, 0x3C,
0x67, 0xC8, 0xDC, 0x27, 0x00, 0xF6, 0x91, 0x68, 0x65, 0xA9,
- 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x07, 0x30,
- 0x82, 0x01, 0x03, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
+ 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x3B, 0x30,
+ 0x82, 0x01, 0x37, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
0x04, 0x16, 0x04, 0x14, 0x81, 0x69, 0x0F, 0xF8, 0xDF, 0xDD,
0xCF, 0x34, 0x29, 0xD5, 0x67, 0x75, 0x71, 0x85, 0xC7, 0x75,
0x10, 0x69, 0x59, 0xEC, 0x30, 0x81, 0xD3, 0x06, 0x03, 0x55,
@@ -178,23 +178,29 @@ static const unsigned char client_cert_der_1024[] =
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
- 0xE3, 0xD7, 0xA0, 0xFA, 0x76, 0xDF, 0x2A, 0xFA, 0x30, 0x0C,
+ 0xD3, 0xDF, 0x98, 0xC4, 0x80, 0x1F, 0x1F, 0x6F, 0x30, 0x0C,
0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
- 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
- 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x81, 0x81,
- 0x00, 0x1D, 0xB7, 0xD5, 0x7C, 0xE1, 0xB1, 0xD8, 0xC0, 0x67,
- 0x5D, 0xB5, 0xD3, 0x88, 0xE7, 0x50, 0x29, 0x71, 0x63, 0x8F,
- 0xCC, 0x26, 0x1F, 0x33, 0x09, 0x55, 0x43, 0x9B, 0xAB, 0xC6,
- 0x1B, 0xBC, 0xC7, 0x01, 0x95, 0x1A, 0xFA, 0x65, 0xE0, 0xFD,
- 0x9C, 0xEB, 0x6F, 0x0A, 0x0F, 0x14, 0xEC, 0xB5, 0x2F, 0xDC,
- 0x1C, 0x30, 0xDD, 0x52, 0x97, 0xD4, 0x1C, 0x09, 0x00, 0x33,
- 0x38, 0x5F, 0xCB, 0xA8, 0x16, 0x8F, 0x11, 0xB7, 0xB8, 0xD0,
- 0x66, 0xE1, 0x54, 0x28, 0xF3, 0x3F, 0xBF, 0x6A, 0x6F, 0x76,
- 0x48, 0x2A, 0x5E, 0x56, 0xA7, 0xCE, 0x1C, 0xF0, 0x04, 0xDD,
- 0x17, 0xBD, 0x06, 0x78, 0x21, 0x6D, 0xD6, 0xB1, 0x9B, 0x75,
- 0x31, 0x92, 0xC1, 0xFE, 0xD4, 0x8D, 0xD4, 0x67, 0x2F, 0x03,
- 0x1B, 0x27, 0x8D, 0xAB, 0xFF, 0x30, 0x3B, 0xC3, 0x7F, 0x23,
- 0xE4, 0xAB, 0x5B, 0x91, 0xE1, 0x1B, 0x66, 0xE6, 0xED
+ 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05,
+ 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22,
+ 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
+ 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x6C,
+ 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x3A, 0x32,
+ 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03,
+ 0x81, 0x81, 0x00, 0x71, 0x39, 0xFA, 0x86, 0xC3, 0x54, 0xE5,
+ 0x98, 0xB5, 0xE8, 0xC3, 0xCB, 0x97, 0x2F, 0x86, 0xBF, 0xE8,
+ 0xBC, 0xFB, 0xEB, 0xD8, 0x73, 0x97, 0x34, 0x9A, 0x16, 0xBF,
+ 0xE0, 0xB2, 0xBD, 0xBE, 0x7D, 0xFF, 0xA0, 0xD7, 0xE6, 0xDB,
+ 0xA3, 0x52, 0x43, 0x41, 0x60, 0xF1, 0xD7, 0xC3, 0x63, 0xC0,
+ 0x9B, 0xE2, 0xB2, 0x28, 0x87, 0x70, 0x60, 0x5D, 0x2B, 0x5D,
+ 0x56, 0x15, 0x3C, 0xB1, 0x1E, 0x03, 0x53, 0x72, 0x39, 0x32,
+ 0xE2, 0x47, 0x85, 0xF7, 0x8B, 0xE8, 0x38, 0x50, 0xA9, 0xC9,
+ 0xD3, 0x52, 0x75, 0x0E, 0x16, 0x14, 0xA5, 0xA5, 0xC4, 0x9F,
+ 0x3E, 0x73, 0xD8, 0x38, 0x79, 0xBF, 0xF7, 0x9B, 0x4D, 0x0D,
+ 0xF3, 0xAA, 0xCE, 0xA2, 0x03, 0x84, 0x66, 0x14, 0xC9, 0x01,
+ 0xF5, 0x86, 0xA5, 0x66, 0xA1, 0xCA, 0x6A, 0x71, 0x5F, 0x2D,
+ 0x31, 0x8E, 0x1C, 0xCC, 0x0C, 0xE6, 0x46, 0x99, 0x5D, 0x0A,
+ 0x4C
};
static const int sizeof_client_cert_der_1024 = sizeof(client_cert_der_1024);
@@ -606,7 +612,9 @@ static const unsigned char server_cert_der_1024[] =
};
static const int sizeof_server_cert_der_1024 = sizeof(server_cert_der_1024);
-#elif defined(USE_CERT_BUFFERS_2048)
+#endif /* USE_CERT_BUFFERS_1024 */
+
+#ifdef USE_CERT_BUFFERS_2048
/* ./certs/client-key.der, 2048-bit */
static const unsigned char client_key_der_2048[] =
@@ -773,9 +781,9 @@ static const int sizeof_client_keypub_der_2048 = sizeof(client_keypub_der_2048);
/* ./certs/client-cert.der, 2048-bit */
static const unsigned char client_cert_der_2048[] =
{
- 0x30, 0x82, 0x04, 0xCA, 0x30, 0x82, 0x03, 0xB2, 0xA0, 0x03,
- 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xAA, 0x27, 0xB3, 0xC5,
- 0xA9, 0x72, 0x6E, 0x0D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x30, 0x82, 0x04, 0xFE, 0x30, 0x82, 0x03, 0xE6, 0xA0, 0x03,
+ 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x95, 0x90, 0x12, 0x9B,
+ 0x22, 0xA1, 0x50, 0x40, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
@@ -793,10 +801,10 @@ static const unsigned char client_cert_der_2048[] =
0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
- 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, 0x30, 0x37,
- 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, 0x0D, 0x31,
- 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, 0x31, 0x30,
- 0x31, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
+ 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31,
+ 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, 0x39, 0x33,
+ 0x37, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06,
0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
@@ -842,7 +850,7 @@ static const unsigned char client_cert_der_2048[] =
0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7, 0x15,
0xF7, 0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1,
0xBA, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01,
- 0x07, 0x30, 0x82, 0x01, 0x03, 0x30, 0x1D, 0x06, 0x03, 0x55,
+ 0x3B, 0x30, 0x82, 0x01, 0x37, 0x30, 0x1D, 0x06, 0x03, 0x55,
0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45, 0x66,
0xD7, 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91,
0xC7, 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x81, 0xD3, 0x06,
@@ -866,37 +874,42 @@ static const unsigned char client_cert_der_2048[] =
0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09,
0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82,
- 0x09, 0x00, 0xAA, 0x27, 0xB3, 0xC5, 0xA9, 0x72, 0x6E, 0x0D,
+ 0x09, 0x00, 0x95, 0x90, 0x12, 0x9B, 0x22, 0xA1, 0x50, 0x40,
0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
- 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
- 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03,
- 0x82, 0x01, 0x01, 0x00, 0x51, 0x96, 0xA7, 0x1C, 0x26, 0x5D,
- 0x1C, 0x90, 0xC6, 0x32, 0x9F, 0x96, 0x15, 0xF2, 0x1D, 0xE7,
- 0x93, 0x9C, 0xAC, 0x75, 0x56, 0x95, 0xFD, 0x20, 0x70, 0xAB,
- 0x45, 0x6A, 0x09, 0xB0, 0xF3, 0xF2, 0x03, 0xA8, 0xDB, 0xDC,
- 0x2F, 0xBC, 0x1F, 0x87, 0x7A, 0xA3, 0xD4, 0x8F, 0xD5, 0x49,
- 0x97, 0x7E, 0x3C, 0x54, 0xAC, 0xB1, 0xE3, 0xF0, 0x39, 0x0D,
- 0xFE, 0x09, 0x9A, 0x23, 0xF6, 0x32, 0xA6, 0x41, 0x59, 0xBD,
- 0x60, 0xE8, 0xBD, 0xDE, 0x00, 0x36, 0x6F, 0x3E, 0xE9, 0x41,
- 0x6F, 0xA9, 0x63, 0xC7, 0xAA, 0xD5, 0x7B, 0xF3, 0xE4, 0x39,
- 0x48, 0x9E, 0xF6, 0x60, 0xC6, 0xC6, 0x86, 0xD5, 0x72, 0x86,
- 0x23, 0xCD, 0xF5, 0x6A, 0x63, 0x53, 0xA4, 0xF8, 0xFC, 0x51,
- 0x6A, 0xCD, 0x60, 0x74, 0x8E, 0xA3, 0x86, 0x61, 0x01, 0x34,
- 0x78, 0xF7, 0x29, 0x97, 0xB3, 0xA7, 0x34, 0xB6, 0x0A, 0xDE,
- 0xB5, 0x71, 0x7A, 0x09, 0xA6, 0x3E, 0xD6, 0x82, 0x58, 0x89,
- 0x67, 0x9C, 0xC5, 0x68, 0x62, 0xBA, 0x06, 0xD6, 0x39, 0xBB,
- 0xCB, 0x3A, 0xC0, 0xE0, 0x63, 0x1F, 0xC7, 0x0C, 0x9C, 0x12,
- 0x86, 0xEC, 0xF7, 0x39, 0x6A, 0x61, 0x93, 0xD0, 0x33, 0x14,
- 0xC6, 0x55, 0x3B, 0xB6, 0xCF, 0x80, 0x5B, 0x8C, 0x43, 0xEF,
- 0x43, 0x44, 0x0B, 0x3C, 0x93, 0x39, 0xA3, 0x4E, 0x15, 0xD1,
- 0x0B, 0x5F, 0x84, 0x98, 0x1D, 0xCD, 0x9F, 0xA9, 0x47, 0xEB,
- 0x3B, 0x56, 0x30, 0xB6, 0x76, 0x92, 0xC1, 0x48, 0x5F, 0xBC,
- 0x95, 0xB0, 0x50, 0x1A, 0x55, 0xC8, 0x4E, 0x62, 0x47, 0x87,
- 0x54, 0x64, 0x0C, 0x9B, 0x91, 0xFA, 0x43, 0xB3, 0x29, 0x48,
- 0xBE, 0xE6, 0x12, 0xEB, 0xE3, 0x44, 0xC6, 0x52, 0xE4, 0x40,
- 0xC6, 0x83, 0x95, 0x1B, 0xA7, 0x65, 0x27, 0x69, 0x73, 0x2F,
- 0xC8, 0xA0, 0x4D, 0x7F, 0xBE, 0xEA, 0x9B, 0x67, 0xB2, 0x7B
-
+ 0x03, 0x01, 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06,
+ 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24,
+ 0x30, 0x22, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07,
+ 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
+ 0x2F, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74,
+ 0x3A, 0x32, 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x7B, 0x91, 0x63, 0x8D,
+ 0x39, 0x54, 0x64, 0x3C, 0xB4, 0x3F, 0xD5, 0xC8, 0x4F, 0xBF,
+ 0x0B, 0xBF, 0xAF, 0x5C, 0x9C, 0x41, 0xC7, 0x0B, 0x52, 0x6D,
+ 0xC6, 0xF0, 0xDE, 0x7C, 0xFF, 0x9B, 0x4E, 0xFE, 0xF3, 0x22,
+ 0xA5, 0x00, 0x13, 0x9F, 0x81, 0xE4, 0x6D, 0x70, 0x2C, 0xF9,
+ 0x7A, 0xF4, 0xD8, 0x50, 0xBE, 0x72, 0xE1, 0x04, 0x8B, 0xB0,
+ 0x05, 0xE3, 0x61, 0x82, 0x3F, 0x65, 0xDE, 0xF9, 0xE9, 0xD3,
+ 0x3D, 0x97, 0x7D, 0x88, 0xB7, 0x99, 0x85, 0xC1, 0xE5, 0x5C,
+ 0x57, 0xA7, 0x9C, 0x1F, 0xF2, 0xB8, 0xCE, 0xEC, 0xD7, 0xD1,
+ 0x9B, 0xEC, 0xFB, 0x0E, 0x6F, 0x02, 0xAD, 0x51, 0xC0, 0x76,
+ 0xDD, 0x66, 0x0A, 0xCE, 0x0D, 0x09, 0xE6, 0xA8, 0x42, 0xB0,
+ 0x06, 0xC3, 0x04, 0xE7, 0x1C, 0xC7, 0x10, 0x83, 0x07, 0xF2,
+ 0xE6, 0x11, 0x1A, 0xCD, 0xA7, 0xB9, 0x7E, 0x17, 0xEF, 0xEA,
+ 0x63, 0x9C, 0xF2, 0xA5, 0xBE, 0x6B, 0xB6, 0xDF, 0xEB, 0x5A,
+ 0x75, 0x01, 0x59, 0x05, 0xF7, 0xEC, 0x49, 0x75, 0x10, 0xDD,
+ 0x40, 0x1A, 0x25, 0x25, 0x4F, 0x78, 0x6E, 0xE1, 0x92, 0x21,
+ 0xB5, 0xB8, 0x82, 0x2F, 0x33, 0xB3, 0x5B, 0xB6, 0x81, 0xB8,
+ 0xB1, 0xA4, 0x0C, 0x8D, 0x98, 0x74, 0x74, 0xDA, 0x0D, 0x90,
+ 0x33, 0xC8, 0xA7, 0xAA, 0x0D, 0x06, 0x5A, 0x04, 0xEB, 0x37,
+ 0xD3, 0xE4, 0x55, 0x0C, 0x93, 0xB6, 0xC8, 0x3A, 0xE8, 0xA7,
+ 0x2B, 0x4E, 0xB8, 0x90, 0xBB, 0x36, 0x0B, 0xDB, 0x7F, 0x2E,
+ 0x99, 0x23, 0x76, 0x68, 0x81, 0xA8, 0x73, 0x74, 0xE7, 0x68,
+ 0xFB, 0x1D, 0xFF, 0x5B, 0xEC, 0xB5, 0x6B, 0x30, 0xD1, 0xD0,
+ 0x2B, 0x89, 0xA6, 0xC6, 0xA9, 0xFC, 0x03, 0x66, 0xFE, 0xB5,
+ 0x8C, 0xAF, 0xDE, 0x8E, 0x2A, 0xB4, 0x78, 0x9C, 0xD7, 0x4A,
+ 0xFC, 0x9C, 0xC4, 0x7C, 0x19, 0x20, 0x83, 0x0E, 0xFD, 0x3F,
+ 0x4D, 0xA7
};
static const int sizeof_client_cert_der_2048 = sizeof(client_cert_der_2048);
@@ -1152,9 +1165,9 @@ static const int sizeof_rsa_key_der_2048 = sizeof(rsa_key_der_2048);
/* ./certs/ca-cert.der, 2048-bit */
static const unsigned char ca_cert_der_2048[] =
{
- 0x30, 0x82, 0x04, 0xAA, 0x30, 0x82, 0x03, 0x92, 0xA0, 0x03,
- 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xD9, 0x80, 0x3A, 0xC3,
- 0xD2, 0xF4, 0xDA, 0x37, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x30, 0x82, 0x04, 0xE0, 0x30, 0x82, 0x03, 0xC8, 0xA0, 0x03,
+ 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49,
+ 0x45, 0x9B, 0xDC, 0x81, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30,
0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04,
0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06,
@@ -1171,10 +1184,10 @@ static const unsigned char ca_cert_der_2048[] =
0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01,
0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77,
0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D,
- 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, 0x30, 0x37,
- 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, 0x0D, 0x31,
- 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, 0x31, 0x30,
- 0x31, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06,
+ 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, 0x32, 0x33,
+ 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31,
+ 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, 0x39, 0x33,
+ 0x37, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06,
0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10,
0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D,
0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E,
@@ -1218,60 +1231,66 @@ static const unsigned char ca_cert_der_2048[] =
0x13, 0x49, 0x08, 0x16, 0x0B, 0xA7, 0x4D, 0x67, 0x00, 0x52,
0x31, 0x67, 0x23, 0x4E, 0x98, 0xED, 0x51, 0x45, 0x1D, 0xB9,
0x04, 0xD9, 0x0B, 0xEC, 0xD8, 0x28, 0xB3, 0x4B, 0xBD, 0xED,
- 0x36, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x81, 0xFC,
- 0x30, 0x81, 0xF9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
- 0x04, 0x16, 0x04, 0x14, 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3,
- 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D,
- 0x30, 0xE5, 0xE8, 0xD5, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55,
- 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14,
- 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED,
- 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5,
- 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31,
- 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
- 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
- 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
- 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
- 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11,
- 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53,
- 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30,
- 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F,
- 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18,
- 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
- 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
- 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
- 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
- 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
- 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
- 0xD9, 0x80, 0x3A, 0xC3, 0xD2, 0xF4, 0xDA, 0x37, 0x30, 0x0C,
- 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
- 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
- 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01,
- 0x01, 0x00, 0x7A, 0xAF, 0x44, 0x3B, 0xAA, 0x6F, 0x53, 0x42,
- 0xB2, 0x33, 0xAA, 0x43, 0x5F, 0x56, 0x30, 0xD3, 0xB9, 0x96,
- 0x0B, 0x9A, 0x55, 0x5A, 0x39, 0x2A, 0x0B, 0x4E, 0xE4, 0x2E,
- 0xF1, 0x95, 0x66, 0xC9, 0x86, 0x36, 0x82, 0x8D, 0x63, 0x7C,
- 0x4D, 0xA2, 0xEE, 0x48, 0xBA, 0x03, 0xC7, 0x90, 0xD7, 0xA7,
- 0xC6, 0x74, 0x60, 0x48, 0x5F, 0x31, 0xA2, 0xF9, 0x5E, 0x3E,
- 0xC3, 0x82, 0xE1, 0xE5, 0x2F, 0x41, 0x81, 0x83, 0x29, 0x25,
- 0x79, 0xD1, 0x53, 0x00, 0x69, 0x3C, 0xED, 0x0A, 0x30, 0x3B,
- 0x41, 0x1D, 0x92, 0xA1, 0x2C, 0xA8, 0x9D, 0x2C, 0xE3, 0x23,
- 0x87, 0x79, 0xE0, 0x55, 0x6E, 0x91, 0xA8, 0x50, 0xDA, 0x46,
- 0x2F, 0xC2, 0x20, 0x50, 0x3E, 0x2B, 0x47, 0x97, 0x14, 0xB0,
- 0x7D, 0x04, 0xBA, 0x45, 0x51, 0xD0, 0x6E, 0xE1, 0x5A, 0xA2,
- 0x4B, 0x84, 0x9C, 0x4D, 0xCD, 0x85, 0x04, 0xF9, 0x28, 0x31,
- 0x82, 0x93, 0xBC, 0xC7, 0x59, 0x49, 0x91, 0x03, 0xE8, 0xDF,
- 0x6A, 0xE4, 0x56, 0xAD, 0x6A, 0xCB, 0x1F, 0x0D, 0x37, 0xE4,
- 0x5E, 0xBD, 0xE7, 0x9F, 0xD5, 0xEC, 0x9D, 0x3C, 0x18, 0x25,
- 0x9B, 0xF1, 0x2F, 0x50, 0x7D, 0xEB, 0x31, 0xCB, 0xF1, 0x63,
- 0x22, 0x9D, 0x57, 0xFC, 0xF3, 0x84, 0x20, 0x1A, 0xC6, 0x07,
- 0x87, 0x92, 0x26, 0x9E, 0x15, 0x18, 0x59, 0x33, 0x06, 0xDC,
- 0xFB, 0xB0, 0xB6, 0x76, 0x5D, 0xF1, 0xC1, 0x2F, 0xC8, 0x2F,
- 0x62, 0x9C, 0xC0, 0xD6, 0xDE, 0xEB, 0x65, 0x77, 0xF3, 0x5C,
- 0xA6, 0xC3, 0x88, 0x27, 0x96, 0x75, 0xB4, 0xF4, 0x54, 0xCD,
- 0xFF, 0x2D, 0x21, 0x2E, 0x96, 0xF0, 0x07, 0x73, 0x4B, 0xE9,
- 0x93, 0x92, 0x90, 0xDE, 0x62, 0xD9, 0xA3, 0x3B, 0xAC, 0x6E,
- 0x24, 0x5F, 0x27, 0x4A, 0xB3, 0x94, 0x70, 0xFF, 0x30, 0x17,
- 0xE7, 0x7E, 0x32, 0x8F, 0x65, 0xB7, 0x75, 0x58
+ 0x36, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01,
+ 0x31, 0x30, 0x82, 0x01, 0x2D, 0x30, 0x1D, 0x06, 0x03, 0x55,
+ 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x27, 0x8E, 0x67, 0x11,
+ 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4,
+ 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, 0x30, 0x81, 0xC9, 0x06,
+ 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE,
+ 0x80, 0x14, 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D,
+ 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5,
+ 0xE8, 0xD5, 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81,
+ 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06,
+ 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03,
+ 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61,
+ 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+ 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E,
+ 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C,
+ 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31,
+ 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A,
+ 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67,
+ 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C,
+ 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73,
+ 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D,
+ 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09,
+ 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F,
+ 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82,
+ 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49, 0x45, 0x9B, 0xDC, 0x81,
+ 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30,
+ 0x03, 0x01, 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06,
+ 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24,
+ 0x30, 0x22, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07,
+ 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F,
+ 0x2F, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74,
+ 0x3A, 0x32, 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
+ 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x41, 0x8F, 0xFB, 0x6B,
+ 0x65, 0x6B, 0x36, 0xF2, 0x56, 0x4F, 0x0C, 0x48, 0xB0, 0x4D,
+ 0x8C, 0xC2, 0xCB, 0xD6, 0x58, 0x7A, 0x83, 0x3A, 0x30, 0x7D,
+ 0x62, 0x7B, 0x86, 0xF1, 0x15, 0x26, 0xB3, 0x26, 0x02, 0x77,
+ 0xF2, 0xC8, 0x57, 0xE5, 0x1E, 0x60, 0x68, 0x8B, 0xA4, 0xE8,
+ 0xF3, 0xA8, 0xB2, 0x88, 0xA4, 0x2F, 0xE8, 0x6E, 0x25, 0x8D,
+ 0x6B, 0xDC, 0x53, 0xAB, 0x2F, 0xD3, 0x47, 0x8C, 0xD6, 0x27,
+ 0xAB, 0x39, 0xBC, 0xD3, 0xCA, 0xD8, 0x01, 0x96, 0xA4, 0x44,
+ 0x57, 0x38, 0x93, 0xAB, 0xC3, 0xF3, 0x95, 0x67, 0x7F, 0xCF,
+ 0x25, 0x1D, 0xB7, 0x04, 0xDC, 0x06, 0xC9, 0x5D, 0x24, 0xC1,
+ 0x54, 0x13, 0x71, 0x81, 0x21, 0x31, 0xEE, 0x9F, 0xB4, 0x9D,
+ 0xCE, 0x98, 0x66, 0xA4, 0xA0, 0x77, 0xC1, 0x88, 0x18, 0xA4,
+ 0xD1, 0x36, 0xEE, 0xCD, 0xD8, 0xC1, 0x1B, 0xBC, 0x03, 0xD6,
+ 0x85, 0x9A, 0x2E, 0x21, 0x82, 0x95, 0x4C, 0xB2, 0x2A, 0xFE,
+ 0x69, 0xDB, 0xAC, 0xE4, 0x97, 0xE1, 0xE9, 0x0E, 0xF1, 0xD3,
+ 0xEF, 0x20, 0x86, 0x03, 0x01, 0x66, 0x6B, 0xF0, 0x26, 0x0F,
+ 0x39, 0x04, 0x26, 0xF5, 0x42, 0x98, 0x3F, 0x95, 0x48, 0x5F,
+ 0xB5, 0x5D, 0xBC, 0x49, 0x4C, 0x81, 0x38, 0xD5, 0xE9, 0x72,
+ 0x32, 0x1C, 0x66, 0x1B, 0x12, 0x80, 0x0F, 0xDB, 0x99, 0xF0,
+ 0x97, 0x67, 0x61, 0x79, 0xAD, 0xAB, 0xBE, 0x6A, 0xEA, 0xAA,
+ 0xCC, 0x3D, 0xF9, 0x40, 0x99, 0x00, 0x93, 0xBB, 0xDF, 0x4B,
+ 0x41, 0xD4, 0x7F, 0xF1, 0x93, 0xB2, 0x70, 0x83, 0x3A, 0xE3,
+ 0x6B, 0x44, 0x4B, 0x1F, 0x9F, 0x77, 0x53, 0xEA, 0x5D, 0xE6,
+ 0x59, 0x1E, 0xC0, 0x2D, 0x4B, 0x83, 0xD6, 0xF4, 0xA3, 0xD4,
+ 0xA9, 0xC3, 0x91, 0x12, 0xE7, 0x61, 0x3F, 0x56, 0x9D, 0x8F,
+ 0xB8, 0x19, 0x29, 0x62, 0x1B, 0x58, 0xDF, 0x73, 0x99, 0x1F,
+ 0x49, 0x63
};
static const int sizeof_ca_cert_der_2048 = sizeof(ca_cert_der_2048);
@@ -1404,7 +1423,7 @@ static const int sizeof_server_key_der_2048 = sizeof(server_key_der_2048);
/* ./certs/server-cert.der, 2048-bit */
static const unsigned char server_cert_der_2048[] =
{
- 0x30, 0x82, 0x04, 0x9E, 0x30, 0x82, 0x03, 0x86, 0xA0, 0x03,
+ 0x30, 0x82, 0x04, 0xD4, 0x30, 0x82, 0x03, 0xBC, 0xA0, 0x03,
0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09,
0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05,
0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03,
@@ -1422,10 +1441,10 @@ static const unsigned char server_cert_der_2048[] =
0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7,
0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F,
0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
- 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35,
- 0x30, 0x37, 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17,
- 0x0D, 0x31, 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32,
- 0x31, 0x30, 0x31, 0x5A, 0x30, 0x81, 0x90, 0x31, 0x0B, 0x30,
+ 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31,
+ 0x32, 0x33, 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17,
+ 0x0D, 0x31, 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34,
+ 0x39, 0x33, 0x37, 0x5A, 0x30, 0x81, 0x90, 0x31, 0x0B, 0x30,
0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10,
@@ -1469,64 +1488,70 @@ static const unsigned char server_cert_der_2048[] =
0x69, 0x42, 0x42, 0x09, 0xE9, 0xD8, 0x08, 0xBC, 0x33, 0x20,
0xB3, 0x58, 0x22, 0xA7, 0xAA, 0xEB, 0xC4, 0xE1, 0xE6, 0x61,
0x83, 0xC5, 0xD2, 0x96, 0xDF, 0xD9, 0xD0, 0x4F, 0xAD, 0xD7,
- 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x81, 0xFC, 0x30, 0x81,
- 0xF9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16,
- 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98, 0x84, 0xE2,
- 0xC9, 0xF8, 0xD0, 0x3B, 0x6E, 0x03, 0x42, 0xCA, 0x1F, 0x0E,
- 0x8E, 0x3C, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55, 0x1D, 0x23,
- 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14, 0x27, 0x8E,
- 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63,
- 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, 0xA1, 0x81,
- 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30,
- 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53,
- 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C,
- 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10,
- 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42,
- 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F,
- 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77,
- 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06,
- 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73,
- 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16,
- 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77,
- 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63,
- 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86,
- 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69,
- 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73,
- 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 0xD9, 0x80,
- 0x3A, 0xC3, 0xD2, 0xF4, 0xDA, 0x37, 0x30, 0x0C, 0x06, 0x03,
- 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF,
- 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D,
- 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
- 0x67, 0xC0, 0x2C, 0xA9, 0x43, 0x47, 0xE7, 0x11, 0x14, 0x77,
- 0xAE, 0xCC, 0xD8, 0xE0, 0x6B, 0x23, 0x82, 0x91, 0x63, 0xE8,
- 0xA8, 0x0D, 0x21, 0xC5, 0xC8, 0x47, 0x97, 0x2F, 0xD5, 0xF3,
- 0x86, 0xFB, 0x6C, 0xCE, 0x25, 0xF9, 0x7C, 0x78, 0xC8, 0x3A,
- 0x22, 0x68, 0xF2, 0x16, 0x1E, 0xD2, 0xD2, 0x3F, 0x24, 0x04,
- 0x87, 0xF2, 0xB7, 0xC1, 0x62, 0x63, 0xBA, 0xC5, 0xFA, 0xAE,
- 0xD2, 0x20, 0x81, 0x1A, 0xD2, 0x0C, 0xAE, 0x26, 0x6B, 0x1B,
- 0x2B, 0x10, 0xD3, 0xE1, 0x9A, 0x4E, 0x64, 0x6C, 0x97, 0xDB,
- 0x36, 0xA8, 0x8F, 0xF8, 0x05, 0x63, 0xBF, 0xBA, 0x0D, 0x88,
- 0x0B, 0x87, 0x46, 0xC9, 0xE4, 0x64, 0xE3, 0xD7, 0xBD, 0xB8,
- 0x2D, 0xD5, 0xC1, 0xC3, 0xC4, 0xDB, 0x55, 0x68, 0xDC, 0xA3,
- 0x7A, 0x40, 0xB9, 0xA9, 0xF6, 0x04, 0x4A, 0x22, 0xCF, 0x98,
- 0x76, 0x1C, 0xE4, 0xA3, 0xFF, 0x79, 0x19, 0x96, 0x57, 0x63,
- 0x07, 0x6F, 0xF6, 0x32, 0x77, 0x16, 0x50, 0x9B, 0xE3, 0x34,
- 0x18, 0xD4, 0xEB, 0xBE, 0xFD, 0xB6, 0x6F, 0xE3, 0xC7, 0xF6,
- 0x85, 0xBF, 0xAC, 0x32, 0xAD, 0x98, 0x57, 0xBE, 0x13, 0x92,
- 0x44, 0x10, 0xA5, 0xF3, 0xAE, 0xE2, 0x66, 0xDA, 0x44, 0xA9,
- 0x94, 0x71, 0x3F, 0xD0, 0x2F, 0x20, 0x59, 0x87, 0xE4, 0x5A,
- 0x40, 0xEE, 0xD2, 0xE4, 0x0C, 0xCE, 0x25, 0x94, 0xDC, 0x0F,
- 0xFE, 0x38, 0xE0, 0x41, 0x52, 0x34, 0x5C, 0xBB, 0xC3, 0xDB,
- 0xC1, 0x5F, 0x76, 0xC3, 0x5D, 0x0E, 0x32, 0x69, 0x2B, 0x9D,
- 0x01, 0xED, 0x50, 0x1B, 0x4F, 0x77, 0xA9, 0xA9, 0xD8, 0x71,
- 0x30, 0xCB, 0x2E, 0x2C, 0x70, 0x00, 0xAB, 0x78, 0x4B, 0xD7,
- 0x15, 0xD9, 0x17, 0xF8, 0x64, 0xB2, 0xF7, 0x3A, 0xDA, 0xE1,
- 0x0B, 0x8B, 0x0A, 0xE1, 0x4E, 0xB1, 0x03, 0x46, 0x14, 0xCA,
- 0x94, 0xE3, 0x44, 0x77, 0xD7, 0x59
+ 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x31, 0x30,
+ 0x82, 0x01, 0x2D, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E,
+ 0x04, 0x16, 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98,
+ 0x84, 0xE2, 0xC9, 0xF8, 0xD0, 0x3B, 0x6E, 0x03, 0x42, 0xCA,
+ 0x1F, 0x0E, 0x8E, 0x3C, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55,
+ 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14,
+ 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED,
+ 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5,
+ 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31,
+ 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02,
+ 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04,
+ 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61,
+ 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C,
+ 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11,
+ 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53,
+ 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30,
+ 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F,
+ 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18,
+ 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77,
+ 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C,
+ 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09,
+ 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16,
+ 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66,
+ 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00,
+ 0xA6, 0x66, 0x38, 0x49, 0x45, 0x9B, 0xDC, 0x81, 0x30, 0x0C,
+ 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01,
+ 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05,
+ 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22,
+ 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01,
+ 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x6C,
+ 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x3A, 0x32,
+ 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86,
+ 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03,
+ 0x82, 0x01, 0x01, 0x00, 0x71, 0x17, 0x8F, 0x6F, 0x7D, 0xD6,
+ 0x11, 0x01, 0x79, 0xAC, 0xE9, 0xC2, 0xFB, 0x71, 0x69, 0x6B,
+ 0x0C, 0x64, 0x91, 0xC1, 0x32, 0x8B, 0x9C, 0x62, 0x72, 0xB5,
+ 0x62, 0xBB, 0xF8, 0xCF, 0x6C, 0x27, 0xDF, 0xF0, 0x64, 0xD6,
+ 0x4A, 0x55, 0x4F, 0x7F, 0x4A, 0x8B, 0x7B, 0x80, 0x5B, 0x3C,
+ 0xA0, 0x31, 0xB0, 0x25, 0x92, 0x02, 0x02, 0x9C, 0x99, 0xA5,
+ 0x8E, 0x0C, 0x61, 0xEF, 0xB4, 0x1E, 0x01, 0x2E, 0x1C, 0xE9,
+ 0x9C, 0x59, 0x2D, 0xEF, 0x6E, 0x03, 0x4D, 0xF1, 0x59, 0xE5,
+ 0x5F, 0x69, 0x66, 0x5C, 0x0A, 0xE6, 0xCD, 0xF6, 0x74, 0x20,
+ 0x86, 0x4C, 0xF6, 0x8F, 0x22, 0x86, 0x68, 0x7E, 0xFE, 0x67,
+ 0x3F, 0x3D, 0x19, 0xB8, 0x61, 0xEF, 0xC5, 0xA5, 0x58, 0xA8,
+ 0x2A, 0xCE, 0xD3, 0x2C, 0xA7, 0x1B, 0xDD, 0xC8, 0x59, 0xC7,
+ 0xE7, 0xCF, 0x42, 0x42, 0xDB, 0xAF, 0xFE, 0x15, 0x82, 0xC9,
+ 0xE5, 0x53, 0xFA, 0xB4, 0x37, 0x55, 0x67, 0x47, 0x0F, 0xE7,
+ 0x24, 0x88, 0x14, 0xA3, 0x6C, 0xBE, 0x5F, 0x72, 0x05, 0x5F,
+ 0x56, 0x33, 0xAA, 0x7F, 0xAC, 0x2E, 0x10, 0x92, 0xB7, 0xA2,
+ 0xF9, 0xC1, 0x62, 0x0C, 0x3B, 0x0C, 0x69, 0x9A, 0x71, 0x15,
+ 0x11, 0xBC, 0x37, 0xBF, 0x8E, 0x23, 0x14, 0xC2, 0xB1, 0x0D,
+ 0xDF, 0x89, 0x45, 0x1E, 0xDF, 0x14, 0xE8, 0x95, 0x35, 0x88,
+ 0x27, 0xA8, 0xAB, 0xDD, 0x7C, 0x23, 0x3F, 0xBB, 0xFE, 0x4E,
+ 0x0E, 0xEA, 0xA6, 0xEE, 0xF5, 0x77, 0xFB, 0xAA, 0xB8, 0x28,
+ 0x33, 0xF9, 0x61, 0xB0, 0xD2, 0x79, 0x46, 0xA4, 0xBA, 0xA0,
+ 0x90, 0xC8, 0xE7, 0x96, 0x8F, 0x27, 0xE9, 0x1E, 0xD0, 0x92,
+ 0x43, 0xBB, 0x84, 0xC7, 0xF3, 0x28, 0x0C, 0x41, 0xAA, 0x77,
+ 0x39, 0x65, 0xAA, 0x0D, 0x02, 0xB0, 0xE0, 0x4D, 0xB1, 0x17,
+ 0x41, 0xC9, 0xF0, 0xD4, 0x47, 0x87, 0xFB, 0x0F, 0xF0, 0x40
+
};
static const int sizeof_server_cert_der_2048 = sizeof(server_cert_der_2048);
-#endif /* USE_CERT_BUFFERS_1024 */
+#endif /* USE_CERT_BUFFERS_2048 */
/* dh1024 p */
static const unsigned char dh_p[] =
@@ -1550,6 +1575,5 @@ static const unsigned char dh_g[] =
0x02,
};
-
#endif /* WOLFSSL_CERTS_TEST_H */
diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h
index f07796079..5ebd28cd3 100644
--- a/wolfssl/error-ssl.h
+++ b/wolfssl/error-ssl.h
@@ -30,121 +30,123 @@
#endif
enum wolfSSL_ErrorCodes {
- INPUT_CASE_ERROR = -301, /* process input state error */
- PREFIX_ERROR = -302, /* bad index to key rounds */
- MEMORY_ERROR = -303, /* out of memory */
- VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */
- VERIFY_MAC_ERROR = -305, /* verify mac problem */
- PARSE_ERROR = -306, /* parse error on header */
- UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */
- SOCKET_ERROR_E = -308, /* error state on socket */
- SOCKET_NODATA = -309, /* expected data, not there */
- INCOMPLETE_DATA = -310, /* don't have enough data to
+ INPUT_CASE_ERROR = -301, /* process input state error */
+ PREFIX_ERROR = -302, /* bad index to key rounds */
+ MEMORY_ERROR = -303, /* out of memory */
+ VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */
+ VERIFY_MAC_ERROR = -305, /* verify mac problem */
+ PARSE_ERROR = -306, /* parse error on header */
+ UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */
+ SOCKET_ERROR_E = -308, /* error state on socket */
+ SOCKET_NODATA = -309, /* expected data, not there */
+ INCOMPLETE_DATA = -310, /* don't have enough data to
complete task */
- UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */
- DECRYPT_ERROR = -312, /* error during decryption */
- FATAL_ERROR = -313, /* recvd alert fatal error */
- ENCRYPT_ERROR = -314, /* error during encryption */
- FREAD_ERROR = -315, /* fread problem */
- NO_PEER_KEY = -316, /* need peer's key */
- NO_PRIVATE_KEY = -317, /* need the private key */
- RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */
- NO_DH_PARAMS = -319, /* server missing DH params */
- BUILD_MSG_ERROR = -320, /* build message failure */
+ UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */
+ DECRYPT_ERROR = -312, /* error during decryption */
+ FATAL_ERROR = -313, /* recvd alert fatal error */
+ ENCRYPT_ERROR = -314, /* error during encryption */
+ FREAD_ERROR = -315, /* fread problem */
+ NO_PEER_KEY = -316, /* need peer's key */
+ NO_PRIVATE_KEY = -317, /* need the private key */
+ RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */
+ NO_DH_PARAMS = -319, /* server missing DH params */
+ BUILD_MSG_ERROR = -320, /* build message failure */
- BAD_HELLO = -321, /* client hello malformed */
- DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
- WANT_READ = -323, /* want read, call again */
- NOT_READY_ERROR = -324, /* handshake layer not ready */
- PMS_VERSION_ERROR = -325, /* pre m secret version error */
- VERSION_ERROR = -326, /* record layer version error */
- WANT_WRITE = -327, /* want write, call again */
- BUFFER_ERROR = -328, /* malformed buffer input */
- VERIFY_CERT_ERROR = -329, /* verify cert error */
- VERIFY_SIGN_ERROR = -330, /* verify sign error */
- CLIENT_ID_ERROR = -331, /* psk client identity error */
- SERVER_HINT_ERROR = -332, /* psk server hint error */
- PSK_KEY_ERROR = -333, /* psk key error */
- ZLIB_INIT_ERROR = -334, /* zlib init error */
- ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */
- ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */
+ BAD_HELLO = -321, /* client hello malformed */
+ DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */
+ WANT_READ = -323, /* want read, call again */
+ NOT_READY_ERROR = -324, /* handshake layer not ready */
+ PMS_VERSION_ERROR = -325, /* pre m secret version error */
+ VERSION_ERROR = -326, /* record layer version error */
+ WANT_WRITE = -327, /* want write, call again */
+ BUFFER_ERROR = -328, /* malformed buffer input */
+ VERIFY_CERT_ERROR = -329, /* verify cert error */
+ VERIFY_SIGN_ERROR = -330, /* verify sign error */
+ CLIENT_ID_ERROR = -331, /* psk client identity error */
+ SERVER_HINT_ERROR = -332, /* psk server hint error */
+ PSK_KEY_ERROR = -333, /* psk key error */
+ ZLIB_INIT_ERROR = -334, /* zlib init error */
+ ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */
+ ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */
- GETTIME_ERROR = -337, /* gettimeofday failed ??? */
- GETITIMER_ERROR = -338, /* getitimer failed ??? */
- SIGACT_ERROR = -339, /* sigaction failed ??? */
- SETITIMER_ERROR = -340, /* setitimer failed ??? */
- LENGTH_ERROR = -341, /* record layer length error */
- PEER_KEY_ERROR = -342, /* can't decode peer key */
- ZERO_RETURN = -343, /* peer sent close notify */
- SIDE_ERROR = -344, /* wrong client/server type */
- NO_PEER_CERT = -345, /* peer didn't send key */
- NTRU_KEY_ERROR = -346, /* NTRU key error */
- NTRU_DRBG_ERROR = -347, /* NTRU drbg error */
- NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */
- NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */
- ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */
- ECC_CURVE_ERROR = -351, /* Bad ECC Curve */
- ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */
- ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */
- ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */
- ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */
- NOT_CA_ERROR = -357, /* Not a CA cert error */
- BAD_PATH_ERROR = -358, /* Bad path for opendir */
- BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */
- OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */
- CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */
- CRL_MISSING = -362, /* CRL Not loaded */
- MONITOR_RUNNING_E = -363, /* CRL Monitor already running */
- THREAD_CREATE_E = -364, /* Thread Create Error */
- OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */
- OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */
- OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */
- MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */
- COOKIE_ERROR = -369, /* dtls cookie error */
- SEQUENCE_ERROR = -370, /* dtls sequence error */
- SUITES_ERROR = -371, /* suites pointer error */
- SSL_NO_PEM_HEADER = -372, /* no PEM header found */
- OUT_OF_ORDER_E = -373, /* out of order message */
- BAD_KEA_TYPE_E = -374, /* bad KEA type found */
- SANITY_CIPHER_E = -375, /* sanity check on cipher error */
- RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */
- GEN_COOKIE_E = -377, /* Generate Cookie Error */
- NO_PEER_VERIFY = -378, /* Need peer cert verify Error */
- FWRITE_ERROR = -379, /* fwrite problem */
- CACHE_MATCH_ERROR = -380, /* chache hdr match error */
- UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */
- UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */
- KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */
- KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */
- EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */
- SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */
- SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */
- SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */
- SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */
- SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */
- SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */
- NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */
- SANITY_MSG_E = -394, /* Sanity check on msg order error */
- DUPLICATE_MSG_E = -395, /* Duplicate message error */
- SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */
- SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */
+ GETTIME_ERROR = -337, /* gettimeofday failed ??? */
+ GETITIMER_ERROR = -338, /* getitimer failed ??? */
+ SIGACT_ERROR = -339, /* sigaction failed ??? */
+ SETITIMER_ERROR = -340, /* setitimer failed ??? */
+ LENGTH_ERROR = -341, /* record layer length error */
+ PEER_KEY_ERROR = -342, /* can't decode peer key */
+ ZERO_RETURN = -343, /* peer sent close notify */
+ SIDE_ERROR = -344, /* wrong client/server type */
+ NO_PEER_CERT = -345, /* peer didn't send key */
+ NTRU_KEY_ERROR = -346, /* NTRU key error */
+ NTRU_DRBG_ERROR = -347, /* NTRU drbg error */
+ NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */
+ NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */
+ ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */
+ ECC_CURVE_ERROR = -351, /* Bad ECC Curve */
+ ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */
+ ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */
+ ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */
+ ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */
+ NOT_CA_ERROR = -357, /* Not a CA cert error */
+ BAD_PATH_ERROR = -358, /* Bad path for opendir */
+ BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */
+ OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */
+ CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */
+ CRL_MISSING = -362, /* CRL Not loaded */
+ MONITOR_SETUP_E = -363, /* CRL Monitor setup error */
+ THREAD_CREATE_E = -364, /* Thread Create Error */
+ OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */
+ OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */
+ OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */
+ MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */
+ COOKIE_ERROR = -369, /* dtls cookie error */
+ SEQUENCE_ERROR = -370, /* dtls sequence error */
+ SUITES_ERROR = -371, /* suites pointer error */
+ SSL_NO_PEM_HEADER = -372, /* no PEM header found */
+ OUT_OF_ORDER_E = -373, /* out of order message */
+ BAD_KEA_TYPE_E = -374, /* bad KEA type found */
+ SANITY_CIPHER_E = -375, /* sanity check on cipher error */
+ RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */
+ GEN_COOKIE_E = -377, /* Generate Cookie Error */
+ NO_PEER_VERIFY = -378, /* Need peer cert verify Error */
+ FWRITE_ERROR = -379, /* fwrite problem */
+ CACHE_MATCH_ERROR = -380, /* chache hdr match error */
+ UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */
+ UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */
+ KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */
+ KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */
+ EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */
+ SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */
+ SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */
+ SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */
+ SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */
+ SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */
+ SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */
+ NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */
+ SANITY_MSG_E = -394, /* Sanity check on msg order error */
+ DUPLICATE_MSG_E = -395, /* Duplicate message error */
+ SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */
+ SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */
- BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */
- BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */
- BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */
+ BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */
+ BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */
+ BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */
- DH_KEY_SIZE_E = -401, /* DH Key too small */
- SNI_ABSENT_ERROR = -402, /* No SNI request. */
- RSA_SIGN_FAULT = -403, /* RSA Sign fault */
- HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */
+ DH_KEY_SIZE_E = -401, /* DH Key too small */
+ SNI_ABSENT_ERROR = -402, /* No SNI request. */
+ RSA_SIGN_FAULT = -403, /* RSA Sign fault */
+ HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */
UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/
+ BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */
+ OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */
/* add strings to SetErrorString !!!!! */
/* begin negotiation parameter errors */
- UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */
- MATCH_SUITE_ERROR = -501 /* can't match cipher suite */
+ UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */
+ MATCH_SUITE_ERROR = -501 /* can't match cipher suite */
/* end negotiation parameter errors only 10 for now */
/* add strings to SetErrorString !!!!! */
diff --git a/wolfssl/internal.h b/wolfssl/internal.h
index d65665ec0..e83d194cd 100644
--- a/wolfssl/internal.h
+++ b/wolfssl/internal.h
@@ -229,7 +229,8 @@ typedef byte word24[3];
#define BUILD_SSL_RSA_WITH_RC4_128_MD5
#endif
#endif
- #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA)
+ #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) \
+ && defined(WOLFSSL_STATIC_RSA)
#define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA
#endif
#endif
@@ -239,7 +240,8 @@ typedef byte word24[3];
#if defined(WOLFSSL_STATIC_RSA)
#define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA
#endif
- #if !defined(NO_TLS) && defined(HAVE_NTRU)
+ #if !defined(NO_TLS) && defined(HAVE_NTRU) \
+ && defined(WOLFSSL_STATIC_RSA)
#define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA
#endif
#endif
@@ -257,7 +259,7 @@ typedef byte word24[3];
#define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA
#endif
- #if defined(HAVE_NTRU)
+ #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA)
#define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA
#define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
#endif
@@ -852,7 +854,6 @@ enum Misc {
MAX_DH_SIZE = 513, /* 4096 bit plus possible leading 0 */
SESSION_HINT_SZ = 4, /* session timeout hint */
- MAX_SUITE_SZ = 200, /* 100 suites for now! */
RAN_LEN = 32, /* random length */
SEED_LEN = RAN_LEN * 2, /* tls prf seed length */
ID_LEN = 32, /* session id length */
@@ -868,7 +869,7 @@ enum Misc {
COMP_LEN = 1, /* compression length */
CURVE_LEN = 2, /* ecc named curve length */
SERVER_ID_LEN = 20, /* server session id length */
-
+
HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */
RECORD_HEADER_SZ = 5, /* type + version + len(2) */
CERT_HEADER_SZ = 3, /* always 3 bytes */
@@ -897,7 +898,7 @@ enum Misc {
MAX_PRF_LABSEED = 128, /* Maximum label + seed len */
MAX_PRF_DIG = 224, /* Maximum digest len */
MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */
- SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */
+ SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */
RC4_KEY_SIZE = 16, /* always 128bit */
DES_KEY_SIZE = 8, /* des */
@@ -988,6 +989,12 @@ enum Misc {
};
+#ifndef WOLFSSL_MAX_SUITE_SZ
+ #define WOLFSSL_MAX_SUITE_SZ 300
+ /* 150 suites for now! */
+#endif
+
+
#ifndef WOLFSSL_MIN_DHKEY_BITS
#ifdef WOLFSSL_MAX_STRENGTH
#define WOLFSSL_MIN_DHKEY_BITS 2048
@@ -1156,7 +1163,7 @@ enum {
/* only the sniffer needs space in the buffer for extra MTU record(s) */
#ifdef WOLFSSL_SNIFFER
- #define MTU_EXTRA MAX_MTU * 3
+ #define MTU_EXTRA MAX_MTU * 3
#else
#define MTU_EXTRA 0
#endif
@@ -1174,9 +1181,9 @@ enum {
#define RECORD_SIZE MAX_RECORD_SIZE
#else
#ifdef WOLFSSL_DTLS
- #define RECORD_SIZE MAX_MTU
+ #define RECORD_SIZE MAX_MTU
#else
- #define RECORD_SIZE 128
+ #define RECORD_SIZE 128
#endif
#endif
@@ -1221,7 +1228,7 @@ typedef struct {
typedef struct Suites {
word16 suiteSz; /* suite length in bytes */
word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */
- byte suites[MAX_SUITE_SZ];
+ byte suites[WOLFSSL_MAX_SUITE_SZ];
byte hashSigAlgo[HELLO_EXT_SIGALGO_MAX]; /* sig/algo to offer */
byte setSuites; /* user set suites from default */
byte hashAlgo; /* selected hash algorithm */
@@ -1255,7 +1262,7 @@ struct WOLFSSL_CIPHER {
};
-typedef struct OCSP_Entry OCSP_Entry;
+typedef struct OcspEntry OcspEntry;
#ifdef NO_SHA
#define OCSP_DIGEST_SIZE SHA256_DIGEST_SIZE
@@ -1263,17 +1270,17 @@ typedef struct OCSP_Entry OCSP_Entry;
#define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE
#endif
-#ifdef NO_ASN
+#ifdef NO_ASN
/* no_asn won't have */
typedef struct CertStatus CertStatus;
#endif
-struct OCSP_Entry {
- OCSP_Entry* next; /* next entry */
- byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
- byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
- CertStatus* status; /* OCSP response list */
- int totalStatus; /* number on list */
+struct OcspEntry {
+ OcspEntry* next; /* next entry */
+ byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
+ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
+ CertStatus* status; /* OCSP response list */
+ int totalStatus; /* number on list */
};
@@ -1284,7 +1291,7 @@ struct OCSP_Entry {
/* wolfSSL OCSP controller */
struct WOLFSSL_OCSP {
WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
- OCSP_Entry* ocspList; /* OCSP response list */
+ OcspEntry* ocspList; /* OCSP response list */
wolfSSL_Mutex ocspLock; /* OCSP list lock */
};
@@ -1307,8 +1314,8 @@ typedef struct CRL_Entry CRL_Entry;
/* Complete CRL */
struct CRL_Entry {
CRL_Entry* next; /* next entry */
- byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
- /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
+ byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */
+ /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */
/* restore the hash here if needed for optimized comparisons */
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
byte nextDate[MAX_DATE_SIZE]; /* next update date */
@@ -1339,12 +1346,14 @@ struct CRL_Monitor {
/* wolfSSL CRL controller */
struct WOLFSSL_CRL {
WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */
- CRL_Entry* crlList; /* our CRL list */
+ CRL_Entry* crlList; /* our CRL list */
wolfSSL_Mutex crlLock; /* CRL list lock */
- CRL_Monitor monitors[2]; /* PEM and DER possible */
+ CRL_Monitor monitors[2]; /* PEM and DER possible */
#ifdef HAVE_CRL_MONITOR
- pthread_t tid; /* monitoring thread */
- int mfd; /* monitor fd, -1 if no init yet */
+ pthread_cond_t cond; /* condition to signal setup */
+ pthread_t tid; /* monitoring thread */
+ int mfd; /* monitor fd, -1 if no init yet */
+ int setup; /* thread is setup predicate */
#endif
};
@@ -1361,22 +1370,27 @@ struct WOLFSSL_CRL {
/* wolfSSL Certificate Manager */
struct WOLFSSL_CERT_MANAGER {
Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */
- void* heap; /* heap helper */
- WOLFSSL_CRL* crl; /* CRL checker */
- WOLFSSL_OCSP* ocsp; /* OCSP checker */
- char* ocspOverrideURL; /* use this responder */
- void* ocspIOCtx; /* I/O callback CTX */
- CallbackCACache caCacheCallback; /* CA cache addition callback */
- CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */
- CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
- CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
- wolfSSL_Mutex caLock; /* CA list lock */
- byte crlEnabled; /* is CRL on ? */
- byte crlCheckAll; /* always leaf, but all ? */
- byte ocspEnabled; /* is OCSP on ? */
- byte ocspCheckAll; /* always leaf, but all ? */
- byte ocspSendNonce; /* send the OCSP nonce ? */
- byte ocspUseOverrideURL; /* ignore cert's responder, override */
+ void* heap; /* heap helper */
+ WOLFSSL_CRL* crl; /* CRL checker */
+ WOLFSSL_OCSP* ocsp; /* OCSP checker */
+#if !defined(NO_WOLFSSL_SEVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2))
+ WOLFSSL_OCSP* ocsp_stapling; /* OCSP checker for OCSP stapling */
+#endif
+ char* ocspOverrideURL; /* use this responder */
+ void* ocspIOCtx; /* I/O callback CTX */
+ CallbackCACache caCacheCallback; /* CA cache addition callback */
+ CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */
+ CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
+ CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
+ wolfSSL_Mutex caLock; /* CA list lock */
+ byte crlEnabled; /* is CRL on ? */
+ byte crlCheckAll; /* always leaf, but all ? */
+ byte ocspEnabled; /* is OCSP on ? */
+ byte ocspCheckAll; /* always leaf, but all ? */
+ byte ocspSendNonce; /* send the OCSP nonce ? */
+ byte ocspUseOverrideURL; /* ignore cert's responder, override */
+ byte ocspStaplingEnabled; /* is OCSP Stapling on ? */
};
WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER*, const char*);
@@ -1443,8 +1457,9 @@ typedef struct Keys {
word16 dtls_peer_handshake_number;
word16 dtls_expected_peer_handshake_number;
- word16 dtls_epoch; /* Current tx epoch */
word32 dtls_sequence_number; /* Current tx sequence */
+ word32 dtls_prev_sequence_number; /* Previous epoch's seq number*/
+ word16 dtls_epoch; /* Current tx epoch */
word16 dtls_handshake_number; /* Current tx handshake seq */
#endif
@@ -1456,18 +1471,20 @@ typedef struct Keys {
-/* RFC 6066 TLS Extensions */
+/** TLS Extensions - RFC 6066 */
#ifdef HAVE_TLS_EXTENSIONS
typedef enum {
- SERVER_NAME_INDICATION = 0x0000,
- MAX_FRAGMENT_LENGTH = 0x0001,
- TRUNCATED_HMAC = 0x0004,
- ELLIPTIC_CURVES = 0x000a,
- SESSION_TICKET = 0x0023,
- SECURE_RENEGOTIATION = 0xff01,
- WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */
- WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */
+ TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */
+ TLSX_MAX_FRAGMENT_LENGTH = 0x0001,
+ TLSX_TRUNCATED_HMAC = 0x0004,
+ TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stappling */
+ TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */
+ TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */
+ TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stappling v2 */
+ TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */
+ TLSX_SESSION_TICKET = 0x0023,
+ TLSX_RENEGOTIATION_INFO = 0xff01
} TLSX_Type;
typedef struct TLSX {
@@ -1495,19 +1512,22 @@ WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output);
WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length,
byte isRequest, Suites *suites);
-#elif defined(HAVE_SNI) \
- || defined(HAVE_MAX_FRAGMENT) \
- || defined(HAVE_TRUNCATED_HMAC) \
- || defined(HAVE_SUPPORTED_CURVES) \
- || defined(HAVE_SECURE_RENEGOTIATION) \
- || defined(HAVE_SESSION_TICKET) \
- || defined(HAVE_ALPN)
+#elif defined(HAVE_SNI) \
+ || defined(HAVE_MAX_FRAGMENT) \
+ || defined(HAVE_TRUNCATED_HMAC) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \
+ || defined(HAVE_SUPPORTED_CURVES) \
+ || defined(HAVE_ALPN) \
+ || defined(HAVE_QSH) \
+ || defined(HAVE_SESSION_TICKET) \
+ || defined(HAVE_SECURE_RENEGOTIATION)
#error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined.
#endif /* HAVE_TLS_EXTENSIONS */
-/* Server Name Indication */
+/** Server Name Indication - RFC 6066 (session 3) */
#ifdef HAVE_SNI
typedef struct SNI {
@@ -1535,7 +1555,7 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz,
#endif /* HAVE_SNI */
-/* Application-layer Protocol Name */
+/* Application-Layer Protocol Negotiation - RFC 7301 */
#ifdef HAVE_ALPN
typedef struct ALPN {
char* protocol_name; /* ALPN protocol name */
@@ -1554,19 +1574,62 @@ WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option);
#endif /* HAVE_ALPN */
-/* Maximum Fragment Length */
+/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */
#ifdef HAVE_MAX_FRAGMENT
WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl);
#endif /* HAVE_MAX_FRAGMENT */
+/** Truncated HMAC - RFC 6066 (session 7) */
#ifdef HAVE_TRUNCATED_HMAC
WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions);
#endif /* HAVE_TRUNCATED_HMAC */
+/** Certificate Status Request - RFC 6066 (session 8) */
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+
+typedef struct {
+ byte status_type;
+ byte options;
+ union {
+ OcspRequest ocsp;
+ } request;
+} CertificateStatusRequest;
+
+WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions,
+ byte status_type, byte options);
+WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert);
+WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions);
+WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl);
+
+#endif
+
+/** Certificate Status Request v2 - RFC 6961 */
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+
+typedef struct CSRIv2 {
+ byte status_type;
+ byte options;
+ word16 requests;
+ union {
+ OcspRequest ocsp[1 + MAX_CHAIN_DEPTH];
+ } request;
+ struct CSRIv2* next;
+} CertificateStatusRequestItemV2;
+
+WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions,
+ byte status_type, byte options);
+WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer);
+WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type,
+ byte index);
+WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl);
+
+#endif
+
+/** Supported Elliptic Curves - RFC 4492 (session 4) */
#ifdef HAVE_SUPPORTED_CURVES
typedef struct EllipticCurve {
@@ -1583,6 +1646,7 @@ WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first,
#endif /* HAVE_SUPPORTED_CURVES */
+/** Renegotiation Indication - RFC 5746 */
#ifdef HAVE_SECURE_RENEGOTIATION
enum key_cache_state {
@@ -1593,7 +1657,6 @@ enum key_cache_state {
SCR_CACHE_COMPLETE /* complete restore to real keys */
};
-
/* Additional Conection State according to rfc5746 section 3.1 */
typedef struct SecureRenegotiation {
byte enabled; /* secure_renegotiation flag in rfc */
@@ -1609,6 +1672,7 @@ WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions);
#endif /* HAVE_SECURE_RENEGOTIATION */
+/** Session Ticket - RFC 5077 (session 3.2) */
#ifdef HAVE_SESSION_TICKET
typedef struct SessionTicket {
@@ -1617,13 +1681,15 @@ typedef struct SessionTicket {
word16 size;
} SessionTicket;
-WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions,
+WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions,
SessionTicket* ticket);
WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime,
byte* data, word16 size);
WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket);
+
#endif /* HAVE_SESSION_TICKET */
+/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */
#ifdef HAVE_QSH
typedef struct QSHScheme {
@@ -1738,6 +1804,15 @@ struct WOLFSSL_CTX {
#endif
#ifdef HAVE_TLS_EXTENSIONS
TLSX* extensions; /* RFC 6066 TLS Extensions data */
+ #ifndef NO_WOLFSSL_SERVER
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \
+ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ OcspRequest* certOcspRequest;
+ #endif
+ #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)
+ OcspRequest* chainOcspRequest[MAX_CHAIN_DEPTH];
+ #endif
+ #endif
#if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SEVER)
SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */
void* ticketEncCtx; /* session encrypt context */
@@ -1753,7 +1828,7 @@ struct WOLFSSL_CTX {
CallbackEccSign EccSignCb; /* User EccSign Callback handler */
CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */
#endif /* HAVE_ECC */
- #ifndef NO_RSA
+ #ifndef NO_RSA
CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */
CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */
CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */
@@ -1803,7 +1878,7 @@ void InitCipherSpecs(CipherSpecs* cs);
/* Supported Message Authentication Codes from page 43 */
-enum MACAlgorithm {
+enum MACAlgorithm {
no_mac,
md5_mac,
sha_mac,
@@ -1817,10 +1892,10 @@ enum MACAlgorithm {
/* Supported Key Exchange Protocols */
-enum KeyExchangeAlgorithm {
+enum KeyExchangeAlgorithm {
no_kea,
- rsa_kea,
- diffie_hellman_kea,
+ rsa_kea,
+ diffie_hellman_kea,
fortezza_kea,
psk_kea,
dhe_psk_kea,
@@ -1846,8 +1921,8 @@ enum EccCurves {
/* Valid client certificate request types from page 27 */
-enum ClientCertificateType {
- rsa_sign = 1,
+enum ClientCertificateType {
+ rsa_sign = 1,
dss_sign = 2,
rsa_fixed_dh = 3,
dss_fixed_dh = 4,
@@ -2006,6 +2081,7 @@ enum AcceptState {
ACCEPT_FIRST_REPLY_DONE,
SERVER_HELLO_SENT,
CERT_SENT,
+ CERT_STATUS_SENT,
KEY_EXCHANGE_SENT,
CERT_REQ_SENT,
SERVER_HELLO_DONE,
@@ -2177,7 +2253,7 @@ struct WOLFSSL_X509_NAME {
#define EXTERNAL_SERIAL_SIZE 32
#endif
-#ifdef NO_ASN
+#ifdef NO_ASN
typedef struct DNS_entry DNS_entry;
#endif
@@ -2260,17 +2336,27 @@ typedef struct DtlsRecordLayerHeader {
typedef struct DtlsPool {
buffer buf[DTLS_POOL_SZ];
+ word16 epoch[DTLS_POOL_SZ];
int used;
} DtlsPool;
+
+typedef struct DtlsFrag {
+ word32 begin;
+ word32 end;
+ struct DtlsFrag* next;
+} DtlsFrag;
+
+
typedef struct DtlsMsg {
struct DtlsMsg* next;
- word32 seq; /* Handshake sequence number */
- word32 sz; /* Length of whole mesage */
- word32 fragSz; /* Length of fragments received */
- byte type;
byte* buf;
byte* msg;
+ DtlsFrag* fragList;
+ word32 fragSz; /* Length of fragments received */
+ word32 seq; /* Handshake sequence number */
+ word32 sz; /* Length of whole mesage */
+ byte type;
} DtlsMsg;
@@ -2295,6 +2381,7 @@ typedef struct MsgsReceived {
word16 got_hello_verify_request:1;
word16 got_session_ticket:1;
word16 got_certificate:1;
+ word16 got_certificate_status:1;
word16 got_server_key_exchange:1;
word16 got_certificate_request:1;
word16 got_server_hello_done:1;
@@ -2446,6 +2533,12 @@ struct WOLFSSL {
#ifdef HAVE_TRUNCATED_HMAC
byte truncated_hmac;
#endif
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+ byte status_request;
+ #endif
+ #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+ byte status_request_v2;
+ #endif
#ifdef HAVE_SECURE_RENEGOTIATION
SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */
#endif /* user turned on */
@@ -2529,20 +2622,20 @@ typedef struct EncryptedInfo {
#ifdef WOLFSSL_CALLBACKS
WOLFSSL_LOCAL
void InitHandShakeInfo(HandShakeInfo*);
- WOLFSSL_LOCAL
+ WOLFSSL_LOCAL
void FinishHandShakeInfo(HandShakeInfo*, const WOLFSSL*);
- WOLFSSL_LOCAL
+ WOLFSSL_LOCAL
void AddPacketName(const char*, HandShakeInfo*);
WOLFSSL_LOCAL
void InitTimeoutInfo(TimeoutInfo*);
- WOLFSSL_LOCAL
+ WOLFSSL_LOCAL
void FreeTimeoutInfo(TimeoutInfo*, void*);
- WOLFSSL_LOCAL
+ WOLFSSL_LOCAL
void AddPacketInfo(const char*, TimeoutInfo*, const byte*, int, void*);
- WOLFSSL_LOCAL
+ WOLFSSL_LOCAL
void AddLateName(const char*, TimeoutInfo*);
- WOLFSSL_LOCAL
+ WOLFSSL_LOCAL
void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info);
#endif
@@ -2550,10 +2643,10 @@ typedef struct EncryptedInfo {
/* Record Layer Header identifier from page 12 */
enum ContentType {
no_type = 0,
- change_cipher_spec = 20,
- alert = 21,
- handshake = 22,
- application_data = 23
+ change_cipher_spec = 20,
+ alert = 21,
+ handshake = 22,
+ application_data = 23
};
@@ -2575,23 +2668,23 @@ typedef struct DtlsHandShakeHeader {
enum HandShakeType {
- no_shake = -1,
- hello_request = 0,
- client_hello = 1,
+ hello_request = 0,
+ client_hello = 1,
server_hello = 2,
hello_verify_request = 3, /* DTLS addition */
session_ticket = 4,
- certificate = 11,
+ certificate = 11,
server_key_exchange = 12,
- certificate_request = 13,
+ certificate_request = 13,
server_hello_done = 14,
- certificate_verify = 15,
+ certificate_verify = 15,
client_key_exchange = 16,
finished = 20,
certificate_status = 22,
- change_cipher_hs = 55 /* simulate unique handshake type for sanity
+ change_cipher_hs = 55, /* simulate unique handshake type for sanity
checks. record layer change_cipher
conflicts with handshake finished */
+ no_shake = 255 /* used to initialize the DtlsMsg record */
};
@@ -2609,6 +2702,7 @@ WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32);
WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int);
WOLFSSL_LOCAL int SendCertificate(WOLFSSL*);
WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*);
+WOLFSSL_LOCAL int SendCertificateStatus(WOLFSSL*);
WOLFSSL_LOCAL int SendServerKeyExchange(WOLFSSL*);
WOLFSSL_LOCAL int SendBuffered(WOLFSSL*);
WOLFSSL_LOCAL int ReceiveData(WOLFSSL*, byte*, int, int);
@@ -2676,8 +2770,8 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*);
WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*);
WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*);
- WOLFSSL_LOCAL void DtlsMsgSet(DtlsMsg*, word32, const byte*, byte,
- word32, word32);
+ WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg*, word32, const byte*, byte,
+ word32, word32, void*);
WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32);
WOLFSSL_LOCAL DtlsMsg* DtlsMsgStore(DtlsMsg*, word32, const byte*, word32,
byte, word32, word32, void*);
@@ -2685,7 +2779,7 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength);
#endif /* WOLFSSL_DTLS */
#ifndef NO_TLS
-
+
#endif /* NO_TLS */
@@ -2721,4 +2815,3 @@ WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side);
#endif
#endif /* wolfSSL_INT_H */
-
diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h
index 77a4157ee..8d05c26d0 100644
--- a/wolfssl/ocsp.h
+++ b/wolfssl/ocsp.h
@@ -39,7 +39,9 @@ typedef struct WOLFSSL_OCSP WOLFSSL_OCSP;
WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*);
WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic);
-WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*);
+WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, void*);
+WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp,
+ OcspRequest* ocspRequest, void*);
#ifdef __cplusplus
} /* extern "C" */
diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h
index 034b1cfe1..97a4be17a 100644
--- a/wolfssl/openssl/crypto.h
+++ b/wolfssl/openssl/crypto.h
@@ -14,6 +14,8 @@
WOLFSSL_API const char* wolfSSLeay_version(int type);
WOLFSSL_API unsigned long wolfSSLeay(void);
+#define CRYPTO_THREADID void
+
#define SSLeay_version wolfSSLeay_version
#define SSLeay wolfSSLeay
@@ -28,6 +30,8 @@ WOLFSSL_API unsigned long wolfSSLeay(void);
typedef struct CRYPTO_EX_DATA CRYPTO_EX_DATA;
typedef void (CRYPTO_free_func)(void*parent, void*ptr, CRYPTO_EX_DATA *ad, int idx,
long argl, void* argp);
+#define CRYPTO_THREADID_set_callback wolfSSL_THREADID_set_callback
+#define CRYPTO_THREADID_set_numeric wolfSSL_THREADID_set_numeric
#endif /* HAVE_STUNNEL */
#endif /* header */
diff --git a/wolfssl/openssl/dh.h b/wolfssl/openssl/dh.h
index e38b7f7af..a1535c34e 100644
--- a/wolfssl/openssl/dh.h
+++ b/wolfssl/openssl/dh.h
@@ -49,6 +49,7 @@ typedef WOLFSSL_DH DH;
#endif
#ifdef HAVE_STUNNEL
-#define DH_generate_parameters wolfSSL_DH_generate_parameters
+#define DH_generate_parameters wolfSSL_DH_generate_parameters
+#define DH_generate_parameters_ex wolfSSL_DH_generate_parameters_ex
#endif /* HAVE_STUNNEL */
#endif /* header */
diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h
index 6d3449f07..6ea1443e5 100644
--- a/wolfssl/openssl/evp.h
+++ b/wolfssl/openssl/evp.h
@@ -132,6 +132,7 @@ enum {
EVP_PKEY_EC = 13,
IDEA_CBC_TYPE = 14,
NID_sha1 = 64,
+ NID_md2 = 3,
NID_md5 = 4
};
diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h
index e569ec52a..48955f9ec 100644
--- a/wolfssl/openssl/opensslv.h
+++ b/wolfssl/openssl/opensslv.h
@@ -8,7 +8,7 @@
#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY)
/* version number can be increased for Lighty after compatibility for ECDH
is added */
- #define OPENSSL_VERSION_NUMBER 0x0090700fL
+ #define OPENSSL_VERSION_NUMBER 0x10001000L
#else
#define OPENSSL_VERSION_NUMBER 0x0090810fL
#endif
diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h
index 2db993b65..210a24e4c 100644
--- a/wolfssl/openssl/rsa.h
+++ b/wolfssl/openssl/rsa.h
@@ -17,6 +17,13 @@ enum {
RSA_PKCS1_PADDING = 1
};
+/* rsaTypes */
+enum {
+ NID_sha256 = 672,
+ NID_sha384 = 673,
+ NID_sha512 = 674
+};
+
struct WOLFSSL_RSA {
WOLFSSL_BIGNUM* n;
WOLFSSL_BIGNUM* e;
diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h
index 05b77a7ea..aaf4830c9 100644
--- a/wolfssl/openssl/ssl.h
+++ b/wolfssl/openssl/ssl.h
@@ -431,6 +431,8 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY)
+#define OBJ_nid2ln wolf_OBJ_nid2ln
+#define OBJ_txt2nid wolf_OBJ_txt2nid
#define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams
#define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509
#define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh
@@ -477,6 +479,8 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY;
#define SSL_SESSION_get_id wolfSSL_SESSION_get_id
#define CRYPTO_dynlock_value WOLFSSL_dynlock_value
typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
+#define X509_STORE_get1_certs wolfSSL_X509_STORE_get1_certs
+#define sk_X509_pop_free wolfSSL_sk_X509_pop_free
#define SSL_TLSEXT_ERR_OK 0
#define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal
@@ -492,6 +496,8 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING;
#define PSK_MAX_PSK_LEN 256
#define PSK_MAX_IDENTITY_LEN 128
+#define ERR_remove_thread_state WOLFSSL_ERR_remove_thread_state
+#define SSL_CTX_clear_options wolfSSL_CTX_clear_options
#endif /* HAVE_STUNNEL */
diff --git a/wolfssl/options.h.in b/wolfssl/options.h.in
index d1e362c20..2043cbbf7 100644
--- a/wolfssl/options.h.in
+++ b/wolfssl/options.h.in
@@ -21,7 +21,9 @@
/* default blank options for autoconf */
-#pragma once
+#ifndef WOLFSSL_OPTIONS_H
+#define WOLFSSL_OPTIONS_H
+
#ifdef __cplusplus
extern "C" {
@@ -32,3 +34,6 @@ extern "C" {
}
#endif
+
+#endif /* WOLFSSL_OPTIONS_H */
+
diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h
index 356224fe1..06f35e160 100644
--- a/wolfssl/ssl.h
+++ b/wolfssl/ssl.h
@@ -170,35 +170,36 @@ typedef struct WOLFSSL_X509_STORE_CTX {
/* Valid Alert types from page 16/17 */
enum AlertDescription {
- close_notify = 0,
- unexpected_message = 10,
- bad_record_mac = 20,
- record_overflow = 22,
- decompression_failure = 30,
- handshake_failure = 40,
- no_certificate = 41,
- bad_certificate = 42,
- unsupported_certificate = 43,
- certificate_revoked = 44,
- certificate_expired = 45,
- certificate_unknown = 46,
- illegal_parameter = 47,
- decrypt_error = 51,
+ close_notify = 0,
+ unexpected_message = 10,
+ bad_record_mac = 20,
+ record_overflow = 22,
+ decompression_failure = 30,
+ handshake_failure = 40,
+ no_certificate = 41,
+ bad_certificate = 42,
+ unsupported_certificate = 43,
+ certificate_revoked = 44,
+ certificate_expired = 45,
+ certificate_unknown = 46,
+ illegal_parameter = 47,
+ decrypt_error = 51,
#ifdef WOLFSSL_MYSQL_COMPATIBLE
/* catch name conflict for enum protocol with MYSQL build */
- wc_protocol_version = 70,
+ wc_protocol_version = 70,
#else
- protocol_version = 70,
+ protocol_version = 70,
#endif
- no_renegotiation = 100,
- unrecognized_name = 112,
- no_application_protocol = 120
+ no_renegotiation = 100,
+ unrecognized_name = 112, /**< RFC 6066, section 3 */
+ bad_certificate_status_response = 113, /**< RFC 6066, section 8 */
+ no_application_protocol = 120
};
enum AlertLevel {
alert_warning = 1,
- alert_fatal = 2
+ alert_fatal = 2
};
@@ -1268,6 +1269,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER*,
CbOCSPIO, CbOCSPRespFree, void*);
+ WOLFSSL_API int wolfSSL_CertManagerEnableOCSPStapling(
+ WOLFSSL_CERT_MANAGER* cm);
+
WOLFSSL_API int wolfSSL_EnableCRL(WOLFSSL* ssl, int options);
WOLFSSL_API int wolfSSL_DisableCRL(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_LoadCRL(WOLFSSL*, const char*, int, int);
@@ -1286,6 +1290,8 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl);
WOLFSSL_API int wolfSSL_CTX_SetOCSP_OverrideURL(WOLFSSL_CTX*, const char*);
WOLFSSL_API int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX*,
CbOCSPIO, CbOCSPRespFree, void*);
+
+ WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*);
#endif /* !NO_CERTS */
/* end of handshake frees temporary arrays, if user needs for get_keys or
@@ -1353,7 +1359,7 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer(
#endif
#endif
-/* Application-Layer Protocol Name */
+/* Application-Layer Protocol Negotiation */
#ifdef HAVE_ALPN
/* ALPN status code */
@@ -1410,6 +1416,53 @@ WOLFSSL_API int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx);
#endif
#endif
+/* Certificate Status Request */
+/* Certificate Status Type */
+enum {
+ WOLFSSL_CSR_OCSP = 1
+};
+
+/* Certificate Status Options (flags) */
+enum {
+ WOLFSSL_CSR_OCSP_USE_NONCE = 0x01
+};
+
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST
+#ifndef NO_WOLFSSL_CLIENT
+
+WOLFSSL_API int wolfSSL_UseOCSPStapling(WOLFSSL* ssl,
+ unsigned char status_type, unsigned char options);
+
+WOLFSSL_API int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx,
+ unsigned char status_type, unsigned char options);
+
+#endif
+#endif
+
+/* Certificate Status Request v2 */
+/* Certificate Status Type */
+enum {
+ WOLFSSL_CSR2_OCSP = 1,
+ WOLFSSL_CSR2_OCSP_MULTI = 2
+};
+
+/* Certificate Status v2 Options (flags) */
+enum {
+ WOLFSSL_CSR2_OCSP_USE_NONCE = 0x01
+};
+
+#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2
+#ifndef NO_WOLFSSL_CLIENT
+
+WOLFSSL_API int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl,
+ unsigned char status_type, unsigned char options);
+
+WOLFSSL_API int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx,
+ unsigned char status_type, unsigned char options);
+
+#endif
+#endif
+
/* Elliptic Curves */
enum {
WOLFSSL_ECC_SECP160R1 = 0x10,
@@ -1596,6 +1649,8 @@ WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( STACK_OF(WOLFSSL_X
#if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY)
+WOLFSSL_API char * wolf_OBJ_nid2ln(int n);
+WOLFSSL_API int wolf_OBJ_txt2nid(const char *sn);
WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_file(const char *filename, const char *mode);
WOLFSSL_API long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX*, WOLFSSL_DH*);
WOLFSSL_API WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp,
@@ -1619,6 +1674,9 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const ch
WOLFSSL_API WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator,
void (*callback) (int, int, void *), void *cb_arg);
+WOLFSSL_API int wolfSSL_DH_generate_parameters_ex(WOLFSSL_DH*, int, int,
+ void (*callback) (int, int, void *));
+
WOLFSSL_API void wolfSSL_ERR_load_crypto_strings(void);
WOLFSSL_API unsigned long wolfSSL_ERR_peek_last_error(void);
@@ -1684,6 +1742,19 @@ WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *,
CallbackSniRecv);
WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*);
+
+WOLFSSL_API void WOLFSSL_ERR_remove_thread_state(void*);
+
+WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long);
+
+WOLFSSL_API void wolfSSL_THREADID_set_callback(void (*threadid_func)(void*));
+
+WOLFSSL_API void wolfSSL_THREADID_set_numeric(void* id, unsigned long val);
+
+WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX*,
+ WOLFSSL_X509_NAME*);
+
+WOLFSSL_API void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*));
#endif /* HAVE_STUNNEL */
#ifdef WOLFSSL_JNI
diff --git a/wolfssl/test.h b/wolfssl/test.h
index ef59a6419..a0d1719e1 100644
--- a/wolfssl/test.h
+++ b/wolfssl/test.h
@@ -267,6 +267,7 @@
typedef struct tcp_ready {
word16 ready; /* predicate */
word16 port;
+ char* srfName; /* server ready file name */
#if defined(_POSIX_THREADS) && !defined(__MINGW32__)
pthread_mutex_t mutex;
pthread_cond_t cond;
@@ -274,8 +275,30 @@ typedef struct tcp_ready {
} tcp_ready;
-void InitTcpReady(tcp_ready*);
-void FreeTcpReady(tcp_ready*);
+static INLINE void InitTcpReady(tcp_ready* ready)
+{
+ ready->ready = 0;
+ ready->port = 0;
+ ready->srfName = NULL;
+#ifdef SINGLE_THREADED
+#elif defined(_POSIX_THREADS) && !defined(__MINGW32__)
+ pthread_mutex_init(&ready->mutex, 0);
+ pthread_cond_init(&ready->cond, 0);
+#endif
+}
+
+
+static INLINE void FreeTcpReady(tcp_ready* ready)
+{
+#ifdef SINGLE_THREADED
+ (void)ready;
+#elif defined(_POSIX_THREADS) && !defined(__MINGW32__)
+ pthread_mutex_destroy(&ready->mutex);
+ pthread_cond_destroy(&ready->cond);
+#else
+ (void)ready;
+#endif
+}
typedef WOLFSSL_METHOD* (*method_provider)(void);
typedef void (*ctx_callback)(WOLFSSL_CTX* ctx);
@@ -296,6 +319,9 @@ typedef struct func_args {
callback_functions *callbacks;
} func_args;
+
+
+
void wait_tcp_ready(func_args*);
typedef THREAD_RETURN WOLFSSL_THREAD THREAD_FUNC(void*);
@@ -455,7 +481,12 @@ static INLINE void showPeer(WOLFSSL* ssl)
printf("SSL version is %s\n", wolfSSL_get_version(ssl));
cipher = wolfSSL_get_current_cipher(ssl);
+#ifdef HAVE_QSH
+ printf("SSL cipher suite is %s%s\n", (wolfSSL_isQSH(ssl))? "QSH:": "",
+ wolfSSL_CIPHER_get_name(cipher));
+#else
printf("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher));
+#endif
#if defined(SESSION_CERTS) && defined(SHOW_CERTS)
{
@@ -702,7 +733,7 @@ static INLINE void tcp_listen(SOCKET_T* sockfd, word16* port, int useAnyAddr,
if (listen(*sockfd, 5) != 0)
err_sys("tcp listen failed");
}
- #if (defined(NO_MAIN_DRIVER) && !defined(USE_WINDOWS_API)) && !defined(WOLFSSL_TIRTOS)
+ #if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS)
if (*port == 0) {
socklen_t len = sizeof(addr);
if (getsockname(*sockfd, (struct sockaddr*)&addr, &len) == 0) {
@@ -815,11 +846,13 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
/* signal ready to tcp_accept */
{
tcp_ready* ready = args->signal;
- pthread_mutex_lock(&ready->mutex);
- ready->ready = 1;
- ready->port = port;
- pthread_cond_signal(&ready->cond);
- pthread_mutex_unlock(&ready->mutex);
+ if (ready) {
+ pthread_mutex_lock(&ready->mutex);
+ ready->ready = 1;
+ ready->port = port;
+ pthread_cond_signal(&ready->cond);
+ pthread_mutex_unlock(&ready->mutex);
+ }
}
#elif defined (WOLFSSL_TIRTOS)
/* Need mutex? */
@@ -829,18 +862,24 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
#endif
if (ready_file) {
- #ifndef NO_FILESYSTEM
- #ifndef USE_WINDOWS_API
- FILE* srf = fopen("/tmp/wolfssl_server_ready", "w");
- #else
- FILE* srf = fopen("wolfssl_server_ready", "w");
- #endif
+ #ifndef NO_FILESYSTEM
+ FILE* srf = NULL;
+ tcp_ready* ready = args ? args->signal : NULL;
- if (srf) {
- fputs("ready", srf);
- fclose(srf);
+ if (ready) {
+ srf = fopen(ready->srfName, "w");
+
+ if (srf) {
+ /* let's write port sever is listening on to ready file
+ external monitor can then do ephemeral ports by passing
+ -p 0 to server on supported platforms with -R ready_file
+ client can then wait for exisitence of ready_file and see
+ which port the server is listening on. */
+ fprintf(srf, "%d\n", (int)port);
+ fclose(srf);
+ }
}
- #endif
+ #endif
}
}
@@ -1160,87 +1199,49 @@ static INLINE int OpenNitroxDevice(int dma_mode,int dev_id)
#endif /* HAVE_CAVIUM */
-#ifdef USE_WINDOWS_API
+/* Wolf Root Directory Helper */
+/* KEIL-RL File System does not support relative directry */
+#if !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_KEIL_FS) && !defined(WOLFSSL_TIRTOS)
+ #ifndef MAX_PATH
+ #define MAX_PATH 256
+ #endif
-/* do back x number of directories */
-static INLINE void ChangeDirBack(int x)
-{
- char path[MAX_PATH];
- XMEMSET(path, 0, MAX_PATH);
- XSTRNCAT(path, ".\\", MAX_PATH);
- while (x-- > 0) {
- XSTRNCAT(path, "..\\", MAX_PATH);
+ /* Maximum depth to search for WolfSSL root */
+ #define MAX_WOLF_ROOT_DEPTH 5
+
+ static INLINE int ChangeToWolfRoot(void)
+ {
+ #if !defined(NO_FILESYSTEM)
+ int depth;
+ XFILE file;
+ char path[MAX_PATH];
+ XMEMSET(path, 0, MAX_PATH);
+
+ for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) {
+ file = XFOPEN(ntruKey, "rb");
+ if (file != XBADFILE) {
+ XFCLOSE(file);
+ return depth;
+ }
+ #ifdef USE_WINDOWS_API
+ XSTRNCAT(path, "..\\", MAX_PATH - XSTRLEN(path));
+ SetCurrentDirectoryA(path);
+ #else
+ XSTRNCAT(path, "../", MAX_PATH - XSTRLEN(path));
+ if (chdir(path) < 0) {
+ printf("chdir to %s failed\n", path);
+ break;
+ }
+ #endif
+ }
+
+ err_sys("wolf root not found");
+ return -1;
+ #else
+ return 0;
+ #endif
}
- SetCurrentDirectoryA(path);
-}
-
-/* does current dir contain str */
-static INLINE int CurrentDir(const char* str)
-{
- char path[MAX_PATH];
- char* baseName;
-
- GetCurrentDirectoryA(sizeof(path), path);
-
- baseName = strrchr(path, '\\');
- if (baseName)
- baseName++;
- else
- baseName = path;
-
- if (strstr(baseName, str))
- return 1;
-
- return 0;
-}
-
-#elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_FS)
- /* KEIL-RL File System does not support relative directry */
-#elif defined(WOLFSSL_TIRTOS)
-#else
-
-#ifndef MAX_PATH
- #define MAX_PATH 256
-#endif
-
-/* do back x number of directories */
-static INLINE void ChangeDirBack(int x)
-{
- char path[MAX_PATH];
- XMEMSET(path, 0, MAX_PATH);
- XSTRNCAT(path, "./", MAX_PATH);
- while (x-- > 0) {
- XSTRNCAT(path, "../", MAX_PATH);
- }
- if (chdir(path) < 0) {
- printf("chdir to %s failed\n", path);
- }
-}
-
-/* does current dir contain str */
-static INLINE int CurrentDir(const char* str)
-{
- char path[MAX_PATH];
- char* baseName;
-
- if (getcwd(path, sizeof(path)) == NULL) {
- printf("no current dir?\n");
- return 0;
- }
-
- baseName = strrchr(path, '/');
- if (baseName)
- baseName++;
- else
- baseName = path;
-
- if (strstr(baseName, str))
- return 1;
-
- return 0;
-}
-
-#endif /* USE_WINDOWS_API */
+#endif /* !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_KEIL_FS) && !defined(WOLFSSL_TIRTOS) */
#ifdef USE_WOLFSSL_MEMORY
@@ -1373,7 +1374,7 @@ typedef THREAD_RETURN WOLFSSL_THREAD (*thread_func)(void* args);
static INLINE void StackSizeCheck(func_args* args, thread_func tf)
{
int ret, i, used;
- unsigned char* myStack;
+ unsigned char* myStack = NULL;
int stackSize = 1024*128;
pthread_attr_t myAttr;
pthread_t threadId;
@@ -1384,10 +1385,10 @@ static INLINE void StackSizeCheck(func_args* args, thread_func tf)
#endif
ret = posix_memalign((void**)&myStack, sysconf(_SC_PAGESIZE), stackSize);
- if (ret != 0)
+ if (ret != 0 || myStack == NULL)
err_sys("posix_memalign failed\n");
- memset(myStack, 0x01, stackSize);
+ XMEMSET(myStack, 0x01, stackSize);
ret = pthread_attr_init(&myAttr);
if (ret != 0)
diff --git a/wolfssl/version.h b/wolfssl/version.h
index 58d1fdd5a..ba077958f 100644
--- a/wolfssl/version.h
+++ b/wolfssl/version.h
@@ -19,17 +19,21 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
+#ifndef WOLFSSL_VERSION_H
+#define WOLFSSL_VERSION_H
-#pragma once
#ifdef __cplusplus
extern "C" {
#endif
-#define LIBWOLFSSL_VERSION_STRING "3.6.9d"
-#define LIBWOLFSSL_VERSION_HEX 0x03006009
+#define LIBWOLFSSL_VERSION_STRING "3.8.0"
+#define LIBWOLFSSL_VERSION_HEX 0x03008000
#ifdef __cplusplus
}
#endif
+
+#endif /* WOLFSSL_VERSION_H */
+
diff --git a/wolfssl/version.h.in b/wolfssl/version.h.in
index 966ff5a6f..cc3c5e30f 100644
--- a/wolfssl/version.h.in
+++ b/wolfssl/version.h.in
@@ -19,8 +19,9 @@
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
*/
+#ifndef WOLFSSL_VERSION_H
+#define WOLFSSL_VERSION_H
-#pragma once
#ifdef __cplusplus
extern "C" {
@@ -33,3 +34,6 @@ extern "C" {
}
#endif
+
+#endif /* WOLFSSL_VERSION_H */
+
diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h
index 480412a21..45c972226 100644
--- a/wolfssl/wolfcrypt/aes.h
+++ b/wolfssl/wolfcrypt/aes.h
@@ -39,13 +39,15 @@
#ifndef HAVE_FIPS /* to avoid redefinition of macros */
#ifdef HAVE_CAVIUM
- #include
+ #include
#include "cavium_common.h"
#endif
#ifdef WOLFSSL_AESNI
#include
+#include
+#include
#if !defined (ALIGN16)
#if defined (__GNUC__)
diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h
index b39114fa4..a305d01d9 100644
--- a/wolfssl/wolfcrypt/asn.h
+++ b/wolfssl/wolfcrypt/asn.h
@@ -187,8 +187,9 @@ enum Misc_ASN {
MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */
MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ,
#endif
+ OCSP_NONCE_EXT_SZ = 37, /* OCSP Nonce Extension size */
MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */
- MAX_OCSP_NONCE_SZ = 18, /* OCSP Nonce size */
+ MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */
EIGHTK_BUF = 8192, /* Tmp buffer size */
MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2,
/* use bigger NTRU size */
@@ -197,11 +198,19 @@ enum Misc_ASN {
enum Oid_Types {
- hashType = 0,
- sigType = 1,
- keyType = 2,
- curveType = 3,
- blkType = 4
+ hashType = 0,
+ sigType = 1,
+ keyType = 2,
+ curveType = 3,
+ blkType = 4,
+ ocspType = 5,
+ certExtType = 6,
+ certAuthInfoType = 7,
+ certPolicyType = 8,
+ certAltNameType = 9,
+ certKeyUseType = 10,
+ kdfType = 11,
+ ignoreType
};
@@ -249,7 +258,6 @@ enum Extensions_Sum {
ALT_NAMES_OID = 131,
CRL_DIST_OID = 145,
AUTH_INFO_OID = 69,
- CA_ISSUER_OID = 117,
AUTH_KEY_OID = 149,
SUBJ_KEY_OID = 128,
CERT_POLICY_OID = 146,
@@ -584,8 +592,10 @@ WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
int* version);
WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
word32 maxIdx);
+WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
+ word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
- word32 maxIdx);
+ word32 oidType, word32 maxIdx);
WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output);
WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output);
WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output);
@@ -674,6 +684,9 @@ struct CertStatus {
byte nextDate[MAX_DATE_SIZE];
byte thisDateFormat;
byte nextDateFormat;
+
+ byte* rawOcspResponse;
+ word32 rawOcspResponseSz;
};
@@ -707,28 +720,26 @@ struct OcspResponse {
struct OcspRequest {
- DecodedCert* cert;
+ byte issuerHash[KEYID_SIZE];
+ byte issuerKeyHash[KEYID_SIZE];
+ byte* serial; /* copy of the serial number in source cert */
+ int serialSz;
+ byte* url; /* copy of the extAuthInfo in source cert */
+ int urlSz;
- byte useNonce;
- byte nonce[MAX_OCSP_NONCE_SZ];
- int nonceSz;
-
- byte* issuerHash; /* pointer to issuerHash in source cert */
- byte* issuerKeyHash; /* pointer to issuerKeyHash in source cert */
- byte* serial; /* pointer to serial number in source cert */
- int serialSz; /* length of the serial number */
-
- byte* dest; /* pointer to the destination ASN.1 buffer */
- word32 destSz; /* length of the destination buffer */
+ byte nonce[MAX_OCSP_NONCE_SZ];
+ int nonceSz;
};
WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32);
-WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*);
+WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*);
+
+WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte);
+WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*);
+WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32);
+WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32);
-WOLFSSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*,
- byte, byte*, word32);
-WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*);
WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*);
@@ -779,4 +790,3 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
#endif /* !NO_ASN */
#endif /* WOLF_CRYPT_ASN_H */
-
diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h
index 6abbf38c7..a23fa71f2 100644
--- a/wolfssl/wolfcrypt/ecc.h
+++ b/wolfssl/wolfcrypt/ecc.h
@@ -41,7 +41,8 @@ enum {
ECC_BUFSIZE = 256, /* for exported keys temp buffer */
ECC_MINSIZE = 20, /* MIN Private Key size */
ECC_MAXSIZE = 66, /* MAX Private Key size */
- ECC_MAXSIZE_GEN = 74 /* MAX Buffer size required when generating ECC keys*/
+ ECC_MAXSIZE_GEN = 74, /* MAX Buffer size required when generating ECC keys*/
+ ECC_MAX_PAD_SZ = 4 /* ECC maximum padding size */
};
@@ -84,6 +85,10 @@ typedef struct {
* Do not enable ALT_ECC_SIZE and disable fast math in the configuration.
*/
+#ifndef USE_FAST_MATH
+ #error USE_FAST_MATH must be defined to use ALT_ECC_SIZE
+#endif
+
#ifndef FP_MAX_BITS_ECC
#define FP_MAX_BITS_ECC 528
#endif
diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h
index 7a1100bcf..187ef324a 100644
--- a/wolfssl/wolfcrypt/error-crypt.h
+++ b/wolfssl/wolfcrypt/error-crypt.h
@@ -161,7 +161,9 @@ enum {
KEYUSAGE_E = -226, /* Bad Key Usage value */
CERTPOLICIES_E = -227, /* setting Certificate Policies error */
- WC_FAILURE_E = -228, /* wolfcrypt failed to initialize */
+ WC_INIT_E = -228, /* wolfcrypt failed to initialize */
+ SIG_VERIFY_E = -229, /* wolfcrypt signature verify error */
+ BAD_COND_E = -230, /* Bad condition variable operation */
MIN_CODE_E = -300 /* errors -101 - -299 */
};
diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h
index 4cdd85f11..2a96f4e55 100755
--- a/wolfssl/wolfcrypt/hash.h
+++ b/wolfssl/wolfcrypt/hash.h
@@ -28,10 +28,42 @@
extern "C" {
#endif
+/* Hash types */
+enum wc_HashType {
+ WC_HASH_TYPE_NONE = 0,
+#ifdef WOLFSSL_MD2
+ WC_HASH_TYPE_MD2 = 1,
+#endif
+#ifndef NO_MD4
+ WC_HASH_TYPE_MD4 = 2,
+#endif
+#ifndef NO_MD5
+ WC_HASH_TYPE_MD5 = 3,
+#endif
+#ifndef NO_SHA
+ WC_HASH_TYPE_SHA = 4,
+#endif
+#ifndef NO_SHA256
+ WC_HASH_TYPE_SHA256 = 5,
+#endif
+#ifdef WOLFSSL_SHA512
+#ifdef WOLFSSL_SHA384
+ WC_HASH_TYPE_SHA384 = 6,
+#endif /* WOLFSSL_SHA384 */
+ WC_HASH_TYPE_SHA512 = 7,
+#endif /* WOLFSSL_SHA512 */
+};
+
+WOLFSSL_API int wc_HashGetDigestSize(enum wc_HashType hash_type);
+WOLFSSL_API int wc_Hash(enum wc_HashType hash_type,
+ const byte* data, word32 data_len,
+ byte* hash, word32 hash_len);
+
+
#ifndef NO_MD5
#include
WOLFSSL_API void wc_Md5GetHash(Md5*, byte*);
-WOLFSSL_API void wc_Md5RestorePos(Md5*, Md5*) ;
+WOLFSSL_API void wc_Md5RestorePos(Md5*, Md5*);
#if defined(WOLFSSL_TI_HASH)
WOLFSSL_API void wc_Md5Free(Md5*);
#else
@@ -42,7 +74,7 @@ WOLFSSL_API void wc_Md5RestorePos(Md5*, Md5*) ;
#ifndef NO_SHA
#include
WOLFSSL_API int wc_ShaGetHash(Sha*, byte*);
-WOLFSSL_API void wc_ShaRestorePos(Sha*, Sha*) ;
+WOLFSSL_API void wc_ShaRestorePos(Sha*, Sha*);
WOLFSSL_API int wc_ShaHash(const byte*, word32, byte*);
#if defined(WOLFSSL_TI_HASH)
WOLFSSL_API void wc_ShaFree(Sha*);
@@ -54,7 +86,7 @@ WOLFSSL_API int wc_ShaHash(const byte*, word32, byte*);
#ifndef NO_SHA256
#include
WOLFSSL_API int wc_Sha256GetHash(Sha256*, byte*);
-WOLFSSL_API void wc_Sha256RestorePos(Sha256*, Sha256*) ;
+WOLFSSL_API void wc_Sha256RestorePos(Sha256*, Sha256*);
WOLFSSL_API int wc_Sha256Hash(const byte*, word32, byte*);
#if defined(WOLFSSL_TI_HASH)
WOLFSSL_API void wc_Sha256Free(Sha256*);
diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am
index 452fe8f18..d72d24583 100644
--- a/wolfssl/wolfcrypt/include.am
+++ b/wolfssl/wolfcrypt/include.am
@@ -42,6 +42,7 @@ nobase_include_HEADERS+= \
wolfssl/wolfcrypt/sha256.h \
wolfssl/wolfcrypt/sha512.h \
wolfssl/wolfcrypt/sha.h \
+ wolfssl/wolfcrypt/signature.h \
wolfssl/wolfcrypt/blake2.h \
wolfssl/wolfcrypt/blake2-int.h \
wolfssl/wolfcrypt/blake2-impl.h \
diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h
index 2e604080d..03681412d 100644
--- a/wolfssl/wolfcrypt/logging.h
+++ b/wolfssl/wolfcrypt/logging.h
@@ -56,6 +56,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function);
void WOLFSSL_ERROR(int);
void WOLFSSL_MSG(const char* msg);
+ void WOLFSSL_BUFFER(byte* buffer, word32 length);
#else /* DEBUG_WOLFSSL */
@@ -65,6 +66,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function);
#define WOLFSSL_ERROR(e)
#define WOLFSSL_MSG(m)
+ #define WOLFSSL_BUFFER(b, l)
#endif /* DEBUG_WOLFSSL */
diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h
index b728c8d34..7740a41e8 100644
--- a/wolfssl/wolfcrypt/settings.h
+++ b/wolfssl/wolfcrypt/settings.h
@@ -474,6 +474,7 @@ static char *fgets(char *buff, int sz, FILE *fp)
#define USE_CERT_BUFFERS_2048
#define NO_ERROR_STRINGS
#define USER_TIME
+ #define HAVE_ECC
#ifdef __IAR_SYSTEMS_ICC__
#pragma diag_suppress=Pa089
@@ -1009,8 +1010,9 @@ static char *fgets(char *buff, int sz, FILE *fp)
#endif
#endif
-/* Certificate Request Extensions needs decode extras */
-#ifdef WOLFSSL_CERT_EXT
+/* Decode Public Key extras on by default, user can turn off with
+ * WOLFSSL_NO_DECODE_EXTRA */
+#ifndef WOLFSSL_NO_DECODE_EXTRA
#ifndef RSA_DECODE_EXTRA
#define RSA_DECODE_EXTRA
#endif
@@ -1019,6 +1021,16 @@ static char *fgets(char *buff, int sz, FILE *fp)
#endif
#endif
+/* C Sharp wrapper defines */
+#ifdef HAVE_CSHARP
+ #ifndef WOLFSSL_DTLS
+ #define WOLFSSL_DTLS
+ #endif
+ #undef NO_PSK
+ #undef NO_SHA256
+ #undef NO_DH
+#endif
+
/* Place any other flags or defines here */
diff --git a/wolfssl/wolfcrypt/signature.h b/wolfssl/wolfcrypt/signature.h
new file mode 100644
index 000000000..8ef2a6002
--- /dev/null
+++ b/wolfssl/wolfcrypt/signature.h
@@ -0,0 +1,63 @@
+/* signature.h
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+#ifndef WOLF_CRYPT_SIGNATURE_H
+#define WOLF_CRYPT_SIGNATURE_H
+
+#include
+#include
+#include
+
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+enum wc_SignatureType {
+ WC_SIGNATURE_TYPE_NONE = 0,
+#ifdef HAVE_ECC
+ WC_SIGNATURE_TYPE_ECC = 1,
+#endif
+#ifndef NO_RSA
+ WC_SIGNATURE_TYPE_RSA = 2,
+#endif
+};
+
+WOLFSSL_API int wc_SignatureGetSize(enum wc_SignatureType sig_type,
+ const void* key, word32 key_len);
+
+WOLFSSL_API int wc_SignatureVerify(
+ enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+ const byte* data, word32 data_len,
+ const byte* sig, word32 sig_len,
+ const void* key, word32 key_len);
+
+WOLFSSL_API int wc_SignatureGenerate(
+ enum wc_HashType hash_type, enum wc_SignatureType sig_type,
+ const byte* data, word32 data_len,
+ byte* sig, word32 *sig_len,
+ const void* key, word32 key_len,
+ WC_RNG* rng);
+
+#ifdef __cplusplus
+ } /* extern "C" */
+#endif
+
+#endif /* WOLF_CRYPT_SIGNATURE_H */
diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h
index 4e7952940..d8a228452 100644
--- a/wolfssl/wolfcrypt/types.h
+++ b/wolfssl/wolfcrypt/types.h
@@ -287,7 +287,14 @@
DYNAMIC_TYPE_HASHES = 46,
DYNAMIC_TYPE_SRP = 47,
DYNAMIC_TYPE_COOKIE_PWD = 48,
- DYNAMIC_TYPE_USER_CRYPTO = 49
+ DYNAMIC_TYPE_USER_CRYPTO = 49,
+ DYNAMIC_TYPE_OCSP_REQUEST = 50,
+ DYNAMIC_TYPE_X509_EXT = 51,
+ DYNAMIC_TYPE_X509_STORE = 52,
+ DYNAMIC_TYPE_X509_CTX = 53,
+ DYNAMIC_TYPE_URL = 54,
+ DYNAMIC_TYPE_DTLS_FRAG = 55,
+ DYNAMIC_TYPE_DTLS_BUFFER = 56
};
/* max error buffer string size */
diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h
index 9697f8aa8..78c39ad74 100644
--- a/wolfssl/wolfcrypt/wc_port.h
+++ b/wolfssl/wolfcrypt/wc_port.h
@@ -170,7 +170,7 @@ WOLFSSL_LOCAL int LockMutex(wolfSSL_Mutex*);
WOLFSSL_LOCAL int UnLockMutex(wolfSSL_Mutex*);
/* main crypto initialization function */
-WOLFSSL_API int wolfcrypt_Init(void);
+WOLFSSL_API int wolfCrypt_Init(void);
/* filesystem abstraction layer, used by ssl.c */
#ifndef NO_FILESYSTEM
diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config
new file mode 100755
index 000000000..fad249e40
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs
new file mode 100755
index 000000000..7e22f5faf
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("wolfSSL-DTLS-PSK-Server")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("wolfSSL")]
+[assembly: AssemblyProduct("wolfSSL-DTLS-PSK-Server")]
+[assembly: AssemblyCopyright("Copyright wolfSSL 2015")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("77149dab-52f6-4b83-a9bd-da5beb402621")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs
new file mode 100755
index 000000000..89603ff2f
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs
@@ -0,0 +1,220 @@
+/* wolfSSL-DTLS-PSK-Server.cs
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+using System;
+
+using System.Runtime.InteropServices;
+using System.Text;
+using System.Threading;
+using System.IO;
+using System.Net;
+using System.Net.Sockets;
+using wolfSSL.CSharp;
+
+
+
+public class wolfSSL_DTLS_PSK_Server
+{
+
+
+ ///
+ /// Example of a PSK function call back
+ ///
+ /// pointer to ssl structure
+ /// identity of client connecting
+ /// buffer to hold key
+ /// max key size
+ /// size of key set
+ public static uint my_psk_server_cb(IntPtr ssl, string identity, IntPtr key, uint max_key)
+ {
+ /* perform a check on the identity sent across
+ * log function must be set for print out of logging information
+ */
+ wolfssl.log(wolfssl.INFO_LOG, "PSK Client Identity = " + identity);
+
+ /* Use desired key, note must be a key smaller than max key size parameter
+ Replace this with desired key. Is trivial one for testing */
+ if (max_key < 4)
+ return 0;
+ byte[] tmp = { 26, 43, 60, 77 };
+ Marshal.Copy(tmp, 0, key, 4);
+
+ return (uint)4;
+ }
+
+
+ private static void clean(IntPtr ssl, IntPtr ctx)
+ {
+ wolfssl.free(ssl);
+ wolfssl.CTX_free(ctx);
+ wolfssl.Cleanup();
+ }
+
+
+ public static void Main(string[] args)
+ {
+ IntPtr ctx;
+ IntPtr ssl;
+
+ /* These paths should be changed according to use */
+ string fileCert = @"server-cert.pem";
+ string fileKey = @"server-key.pem";
+ StringBuilder dhparam = new StringBuilder("dh2048.pem");
+
+ wolfssl.psk_delegate psk_cb = new wolfssl.psk_delegate(my_psk_server_cb);
+
+ StringBuilder buff = new StringBuilder(1024);
+ StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper");
+
+ wolfssl.Init();
+
+ Console.WriteLine("Calling ctx Init from wolfSSL");
+ ctx = wolfssl.CTX_dtls_new(wolfssl.useDTLSv1_2_server());
+ if (ctx == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ctx structure");
+ return;
+ }
+
+ Console.WriteLine("Finished init of ctx .... now load in cert and key");
+
+ if (!File.Exists(fileCert) || !File.Exists(fileKey))
+ {
+ Console.WriteLine("Could not find cert or key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting cert file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ /* Test psk use with DHE */
+ StringBuilder hint = new StringBuilder("cyassl server");
+ if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting hint");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+ wolfssl.CTX_set_psk_server_callback(ctx, psk_cb);
+
+ short minDhKey = 128;
+ wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey);
+ Console.Write("Setting cipher suite to ");
+ StringBuilder set_cipher = new StringBuilder("DHE-PSK-AES128-CBC-SHA256");
+ Console.WriteLine(set_cipher);
+ if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Failed to set cipher suite");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ IPAddress ip = IPAddress.Parse("0.0.0.0");
+ UdpClient udp = new UdpClient(11111);
+ IPEndPoint ep = new IPEndPoint(ip, 11111);
+ Console.WriteLine("Started UDP and waiting for a connection");
+
+ ssl = wolfssl.new_ssl(ctx);
+ if (ssl == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ssl object");
+ udp.Close();
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting dhparam");
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ if (wolfssl.set_dtls_fd(ssl, udp, ep) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ if (wolfssl.accept(ssl) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ /* print out results of TLS/SSL accept */
+ Console.WriteLine("SSL version is " + wolfssl.get_version(ssl));
+ Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl));
+
+ /* get connection information and print ip - port */
+ wolfssl.DTLS_con con = wolfssl.get_dtls_fd(ssl);
+ Console.Write("Connected to ip ");
+ Console.Write(con.ep.Address.ToString());
+ Console.Write(" on port ");
+ Console.WriteLine(con.ep.Port.ToString());
+
+ /* read information sent and send a reply */
+ if (wolfssl.read(ssl, buff, 1023) < 0)
+ {
+ Console.WriteLine("Error reading message");
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+ Console.WriteLine(buff);
+
+ if (wolfssl.write(ssl, reply, reply.Length) != reply.Length)
+ {
+ Console.WriteLine("Error writing message");
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ Console.WriteLine("At the end freeing stuff");
+ wolfssl.shutdown(ssl);
+ udp.Close();
+ clean(ssl, ctx);
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj
new file mode 100755
index 000000000..50a590a1a
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj
@@ -0,0 +1,87 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}
+ Exe
+ Properties
+ wolfSSL_DTLS_PSK_Server
+ wolfSSL-DTLS-PSK-Server
+ v4.5
+ 512
+
+
+ AnyCPU
+ true
+ full
+ false
+ ..\DLL Debug\
+ DEBUG;TRACE
+ prompt
+ 4
+
+
+ AnyCPU
+ pdbonly
+ true
+ ..\DLL Release\
+ TRACE
+ prompt
+ 4
+
+
+ true
+ ..\x64\DLL Debug\
+ DEBUG;TRACE
+ full
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+ ..\x64\DLL Release\
+ TRACE
+ true
+ pdbonly
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {52609808-0418-46d3-8e17-141927a1a39a}
+ wolfSSL_CSharp
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/App.config b/wrapper/CSharp/wolfSSL-DTLS-Server/App.config
new file mode 100755
index 000000000..fad249e40
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-Server/App.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs
new file mode 100755
index 000000000..f047e5351
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("wolfSSL-DTLS-Server")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("wolfSSL")]
+[assembly: AssemblyProduct("wolfSSL-DTLS-Server")]
+[assembly: AssemblyCopyright("Copyright wolfSSL 2015")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("9da922fb-8459-479f-ab06-42b5c0378d2f")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs
new file mode 100755
index 000000000..246d73f93
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs
@@ -0,0 +1,180 @@
+/* wolfSSL-DTLS-Server.cs
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+using System.Threading;
+using System.IO;
+using System.Net;
+using System.Net.Sockets;
+using wolfSSL.CSharp;
+
+public class wolfSSL_DTLS_Server
+{
+ ///
+ /// Example of a logging function
+ ///
+ /// level of log
+ /// message to log
+ public static void standard_log(int lvl, StringBuilder msg)
+ {
+ Console.WriteLine(msg);
+ }
+
+
+ private static void clean(IntPtr ssl, IntPtr ctx)
+ {
+ wolfssl.free(ssl);
+ wolfssl.CTX_free(ctx);
+ wolfssl.Cleanup();
+ }
+
+
+ public static void Main(string[] args)
+ {
+ IntPtr ctx;
+ IntPtr ssl;
+
+ /* These paths should be changed for use */
+ string fileCert = @"server-cert.pem";
+ string fileKey = @"server-key.pem";
+ StringBuilder dhparam = new StringBuilder("dh2048.pem");
+
+ StringBuilder buff = new StringBuilder(1024);
+ StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper");
+
+ //example of function used for setting logging
+ wolfssl.SetLogging(standard_log);
+
+ wolfssl.Init();
+
+ Console.WriteLine("Calling ctx Init from wolfSSL");
+ ctx = wolfssl.CTX_dtls_new(wolfssl.useDTLSv1_2_server());
+ if (ctx == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ctx structure");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ Console.WriteLine("Finished init of ctx .... now load in cert and key");
+ if (!File.Exists(fileCert) || !File.Exists(fileKey))
+ {
+ Console.WriteLine("Could not find cert or key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting cert file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ short minDhKey = 128;
+ wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey);
+
+ IPAddress ip = IPAddress.Parse("0.0.0.0");
+ UdpClient udp = new UdpClient(11111);
+ IPEndPoint ep = new IPEndPoint(ip, 11111);
+ Console.WriteLine("Started UDP and waiting for a connection");
+
+ ssl = wolfssl.new_ssl(ctx);
+ if (ssl == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ssl object");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting dhparam");
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ if (wolfssl.set_dtls_fd(ssl, udp, ep) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ if (wolfssl.accept(ssl) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ /* print out results of TLS/SSL accept */
+ Console.WriteLine("SSL version is " + wolfssl.get_version(ssl));
+ Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl));
+
+ /* get connection information and print ip - port */
+ wolfssl.DTLS_con con = wolfssl.get_dtls_fd(ssl);
+ Console.Write("Connected to ip ");
+ Console.Write(con.ep.Address.ToString());
+ Console.Write(" on port ");
+ Console.WriteLine(con.ep.Port.ToString());
+
+ /* read information sent and send a reply */
+ if (wolfssl.read(ssl, buff, 1023) < 0)
+ {
+ Console.WriteLine("Error reading message");
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+ Console.WriteLine(buff);
+
+ if (wolfssl.write(ssl, reply, reply.Length) != reply.Length)
+ {
+ Console.WriteLine("Error writing message");
+ Console.WriteLine(wolfssl.get_error(ssl));
+ udp.Close();
+ clean(ssl, ctx);
+ return;
+ }
+
+ Console.WriteLine("At the end freeing stuff");
+ udp.Close();
+ wolfssl.shutdown(ssl);
+ clean(ssl, ctx);
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj
new file mode 100755
index 000000000..915ed3201
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj
@@ -0,0 +1,88 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {730F047E-37A6-498F-A543-B6C98AA7B338}
+ Exe
+ Properties
+ wolfSSL_DTLS_Server
+ wolfSSL-DTLS-Server
+ v4.5
+ 512
+
+
+ AnyCPU
+ true
+ full
+ false
+ ..\DLL Debug\
+ DEBUG;TRACE
+ prompt
+ 4
+
+
+ AnyCPU
+ pdbonly
+ true
+ ..\DLL Release\
+ TRACE
+ prompt
+ 4
+
+
+ true
+ ..\x64\DLL Debug\
+ DEBUG;TRACE
+ full
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+ 0
+
+
+ ..\x64\DLL Release\
+ TRACE
+ true
+ pdbonly
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {52609808-0418-46d3-8e17-141927a1a39a}
+ wolfSSL_CSharp
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config
new file mode 100755
index 000000000..fad249e40
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs
new file mode 100755
index 000000000..a19cd0ad7
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("wolfSSL-Example-IOCallbacks")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("wolfSSL")]
+[assembly: AssemblyProduct("wolfSSL-Example-IOCallbacks")]
+[assembly: AssemblyCopyright("Copyright wolfSSL 2015")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("c0ac38b1-1984-4659-b36a-20362dc47f99")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs
new file mode 100755
index 000000000..f770a8514
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs
@@ -0,0 +1,258 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using System.Net;
+using System.Net.Sockets;
+using System.Runtime.InteropServices;
+using System.IO;
+using wolfSSL.CSharp;
+
+
+class wolfSSL_Example_IOCallbacks
+{
+ ///
+ /// Example call back to allow recieving TLS information
+ ///
+ /// structure of ssl passed in
+ /// buffer to contain recieved msg
+ /// size of buffer for receiving
+ /// information passed in from set_fd
+ /// size of message recieved
+ private static int wolfSSLCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx)
+ {
+ if (sz <= 0)
+ {
+ wolfssl.log(wolfssl.ERROR_LOG, "wolfssl recieve error, size less than 0");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ int amtRecv = 0;
+
+ try
+ {
+ System.Runtime.InteropServices.GCHandle gch;
+ gch = GCHandle.FromIntPtr(ctx);
+ Socket con = (System.Net.Sockets.Socket)gch.Target;
+
+ Byte[] msg = new Byte[sz];
+ amtRecv = con.Receive(msg, msg.Length, 0);
+ Marshal.Copy(msg, 0, buf, sz);
+ }
+ catch (Exception e)
+ {
+ wolfssl.log(wolfssl.ENTER_LOG, "Error in recive " + e.ToString());
+ return wolfssl.CBIO_ERR_CONN_CLOSE;
+ }
+
+ Console.WriteLine("Example custom receive got {0:D} bytes", amtRecv);
+ return amtRecv;
+ }
+
+
+ ///
+ /// Example call back used for sending TLS information
+ ///
+ /// pointer to ssl struct
+ /// buffer containing information to send
+ /// size of buffer to send
+ /// object that was set as fd
+ /// amount of information sent
+ private static int wolfSSLCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx)
+ {
+ if (sz <= 0)
+ {
+ wolfssl.log(wolfssl.ERROR_LOG, "wolfssl send error, size less than 0");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ try
+ {
+ System.Runtime.InteropServices.GCHandle gch;
+ gch = GCHandle.FromIntPtr(ctx);
+ Socket con = (System.Net.Sockets.Socket)gch.Target;
+
+ Byte[] msg = new Byte[sz];
+ Marshal.Copy(buf, msg, 0, sz);
+
+ con.Send(msg, 0, msg.Length, SocketFlags.None);
+ Console.WriteLine("Example custom send sent {0:D} bytes", sz);
+ return sz;
+ }
+ catch (Exception e)
+ {
+ wolfssl.log(wolfssl.ERROR_LOG, "socket connection issue " + e.ToString());
+ return wolfssl.CBIO_ERR_CONN_CLOSE;
+ }
+ }
+
+
+ ///
+ /// Example of a PSK function call back
+ ///
+ /// pointer to ssl structure
+ /// identity of client connecting
+ /// buffer to hold key
+ /// max key size
+ /// size of key set
+ public static uint my_psk_server_cb(IntPtr ssl, string identity, IntPtr key, uint max_key)
+ {
+ /* perform a check on the identity sent across
+ * log function must be set for print out of logging information
+ */
+ wolfssl.log(wolfssl.INFO_LOG, "PSK Client Identity = " + identity);
+
+ /* Use desired key, note must be a key smaller than max key size parameter
+ Replace this with desired key. Is trivial one for testing */
+ if (max_key < 4)
+ return 0;
+ byte[] tmp = { 26, 43, 60, 77 };
+ Marshal.Copy(tmp, 0, key, 4);
+
+ return (uint)4;
+ }
+
+
+ private static void clean(IntPtr ssl, IntPtr ctx)
+ {
+ wolfssl.free(ssl);
+ wolfssl.CTX_free(ctx);
+ wolfssl.Cleanup();
+ }
+
+
+ static void Main(string[] args)
+ {
+ IntPtr ctx;
+ IntPtr ssl;
+ Socket fd;
+
+ wolfssl.psk_delegate psk_cb = new wolfssl.psk_delegate(my_psk_server_cb);
+
+ /* These paths should be changed according to use */
+ string fileCert = @"server-cert.pem";
+ string fileKey = @"server-key.pem";
+
+ StringBuilder buff = new StringBuilder(1024);
+ StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper");
+
+ wolfssl.Init();
+
+ Console.WriteLine("Calling ctx Init from wolfSSL");
+ ctx = wolfssl.CTX_new(wolfssl.useTLSv1_2_server());
+ if (ctx == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ctx structure");
+ return;
+ }
+ Console.WriteLine("Finished init of ctx .... now load in cert and key");
+
+ if (!File.Exists(fileCert) || !File.Exists(fileKey))
+ {
+ Console.WriteLine("Could not find cert or key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting cert file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ StringBuilder ciphers = new StringBuilder(new String(' ', 4096));
+ wolfssl.get_ciphers(ciphers, 4096);
+ Console.WriteLine("Ciphers : " + ciphers.ToString());
+
+ Console.Write("Setting cipher suite to ");
+ /* To use static PSK build wolfSSL with WOLFSSL_STATIC_PSK preprocessor flag */
+ StringBuilder set_cipher = new StringBuilder("PSK-AES128-CBC-SHA256");
+ Console.WriteLine(set_cipher);
+ if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Failed to set cipher suite");
+ Console.WriteLine("If using static PSK make sure wolfSSL was built with preprocessor flag WOLFSSL_STATIC_PSK");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ /* Test psk use */
+ StringBuilder hint = new StringBuilder("cyassl server");
+ if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting hint");
+ return;
+ }
+ wolfssl.CTX_set_psk_server_callback(ctx, psk_cb);
+
+ /* Set using custom IO callbacks
+ delegate memory is allocated when calling SetIO**** function and freed with ctx free
+ */
+ wolfssl.SetIORecv(ctx, new wolfssl.CallbackIORecv_delegate(wolfSSLCbIORecv));
+ wolfssl.SetIOSend(ctx, new wolfssl.CallbackIOSend_delegate(wolfSSLCbIOSend));
+
+ /* set up TCP socket */
+ IPAddress ip = IPAddress.Parse("0.0.0.0"); //bind to any
+ TcpListener tcp = new TcpListener(ip, 11111);
+ tcp.Start();
+
+ Console.WriteLine("Started TCP and waiting for a connection");
+ fd = tcp.AcceptSocket();
+ ssl = wolfssl.new_ssl(ctx);
+
+ Console.WriteLine("Connection made wolfSSL_accept ");
+ if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS)
+ {
+ /* get and print out the error */
+ Console.Write(wolfssl.get_error(ssl));
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ if (wolfssl.accept(ssl) != wolfssl.SUCCESS)
+ {
+ /* get and print out the error */
+ Console.Write(wolfssl.get_error(ssl));
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ /* print out results of TLS/SSL accept */
+ Console.WriteLine("SSL version is " + wolfssl.get_version(ssl));
+ Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl));
+
+ /* read and print out the message then reply */
+ if (wolfssl.read(ssl, buff, 1023) < 0)
+ {
+ Console.WriteLine("Error in read");
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+ Console.WriteLine(buff);
+
+ if (wolfssl.write(ssl, reply, reply.Length) != reply.Length)
+ {
+ Console.WriteLine("Error in write");
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ wolfssl.shutdown(ssl);
+ fd.Close();
+ tcp.Stop();
+ clean(ssl, ctx);
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj
new file mode 100755
index 000000000..8b9bd133e
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj
@@ -0,0 +1,84 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {E2415718-0A15-48DB-A774-01FB0093B626}
+ Exe
+ Properties
+ wolfSSL_Example_IOCallbacks
+ wolfSSL-Example-IOCallbacks
+ v4.5
+ 512
+
+
+ AnyCPU
+ true
+ full
+ false
+ ..\DLL Debug\
+ DEBUG;TRACE
+ prompt
+ 4
+
+
+ AnyCPU
+ pdbonly
+ true
+ ..\DLL Release\
+ TRACE
+ prompt
+ 4
+
+
+ true
+ ..\x64\DLL Debug\
+ DEBUG;TRACE
+ full
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+ ..\x64\DLL Release\
+ TRACE
+ true
+ pdbonly
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+ 0
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {52609808-0418-46d3-8e17-141927a1a39a}
+ wolfSSL_CSharp
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config
new file mode 100755
index 000000000..fad249e40
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs
new file mode 100755
index 000000000..35acba0e3
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("wolfSSL-TLS-PSK-Server")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("wolfSSL")]
+[assembly: AssemblyProduct("wolfSSL-TLS-PSK-Server")]
+[assembly: AssemblyCopyright("Copyright wolfSSL 2015")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("1de70ade-16d5-4c90-9657-c19c2762bca6")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs
new file mode 100755
index 000000000..4c603b9c7
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs
@@ -0,0 +1,211 @@
+/* wolfSSL-TLS-PSK-Server.cs
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+using System.Threading;
+using System.IO;
+using System.Net;
+using System.Net.Sockets;
+using wolfSSL.CSharp;
+
+
+
+public class wolfSSL_TLS_PSK_Server
+{
+
+
+ ///
+ /// Example of a PSK function call back
+ ///
+ /// pointer to ssl structure
+ /// identity of client connecting
+ /// buffer to hold key
+ /// max key size
+ /// size of key set
+ public static uint my_psk_server_cb(IntPtr ssl, string identity, IntPtr key, uint max_key)
+ {
+ /* perform a check on the identity sent across
+ * log function must be set for print out of logging information
+ */
+ wolfssl.log(wolfssl.INFO_LOG, "PSK Client Identity = " + identity);
+
+ /* Use desired key, note must be a key smaller than max key size parameter
+ Replace this with desired key. Is trivial one for testing */
+ if (max_key < 4)
+ return 0;
+ byte[] tmp = { 26, 43, 60, 77 };
+ Marshal.Copy(tmp, 0, key, 4);
+
+ return (uint)4;
+ }
+
+
+ private static void clean(IntPtr ssl, IntPtr ctx)
+ {
+ wolfssl.free(ssl);
+ wolfssl.CTX_free(ctx);
+ wolfssl.Cleanup();
+ }
+
+
+ public static void Main(string[] args)
+ {
+ IntPtr ctx;
+ IntPtr ssl;
+ Socket fd;
+
+ wolfssl.psk_delegate psk_cb = new wolfssl.psk_delegate(my_psk_server_cb);
+
+ /* These paths should be changed according to use */
+ string fileCert = @"server-cert.pem";
+ string fileKey = @"server-key.pem";
+ StringBuilder dhparam = new StringBuilder("dh2048.pem");
+
+ StringBuilder buff = new StringBuilder(1024);
+ StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper");
+
+ wolfssl.Init();
+
+ Console.WriteLine("Calling ctx Init from wolfSSL");
+ ctx = wolfssl.CTX_new(wolfssl.useTLSv1_2_server());
+ if (ctx == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ctx structure");
+ return;
+ }
+ Console.WriteLine("Finished init of ctx .... now load in cert and key");
+
+ if (!File.Exists(fileCert) || !File.Exists(fileKey))
+ {
+ Console.WriteLine("Could not find cert or key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting cert file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ StringBuilder ciphers = new StringBuilder(new String(' ', 4096));
+ wolfssl.get_ciphers(ciphers, 4096);
+ Console.WriteLine("Ciphers : " + ciphers.ToString());
+
+ short minDhKey = 128;
+ wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey);
+ Console.Write("Setting cipher suite to ");
+
+ /* In order to use static PSK build wolfSSL with the preprocessor flag WOLFSSL_STATIC_PSK */
+ StringBuilder set_cipher = new StringBuilder("DHE-PSK-AES128-CBC-SHA256");
+ Console.WriteLine(set_cipher);
+ if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Failed to set cipher suite");
+ return;
+ }
+
+ /* Test psk use with DHE */
+ StringBuilder hint = new StringBuilder("cyassl server");
+ if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error setting hint");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+ wolfssl.CTX_set_psk_server_callback(ctx, psk_cb);
+
+ /* set up TCP socket */
+ IPAddress ip = IPAddress.Parse("0.0.0.0"); //bind to any
+ TcpListener tcp = new TcpListener(ip, 11111);
+ tcp.Start();
+
+ Console.WriteLine("Started TCP and waiting for a connection");
+ fd = tcp.AcceptSocket();
+ ssl = wolfssl.new_ssl(ctx);
+ if (ssl == IntPtr.Zero)
+ {
+ Console.WriteLine("Error creating ssl object");
+ tcp.Stop();
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ Console.WriteLine("Connection made wolfSSL_accept ");
+ if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS)
+ {
+ /* get and print out the error */
+ Console.Write(wolfssl.get_error(ssl));
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM);
+
+ if (wolfssl.accept(ssl) != wolfssl.SUCCESS)
+ {
+ /* get and print out the error */
+ Console.Write(wolfssl.get_error(ssl));
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ /* print out results of TLS/SSL accept */
+ Console.WriteLine("SSL version is " + wolfssl.get_version(ssl));
+ Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl));
+
+ /* read and print out the message then reply */
+ if (wolfssl.read(ssl, buff, 1023) < 0)
+ {
+ Console.WriteLine("Error in read");
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+ Console.WriteLine(buff);
+
+ if (wolfssl.write(ssl, reply, reply.Length) != reply.Length)
+ {
+ Console.WriteLine("Error in write");
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ wolfssl.shutdown(ssl);
+ fd.Close();
+ tcp.Stop();
+ clean(ssl, ctx);
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj
new file mode 100755
index 000000000..b9bdf26eb
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj
@@ -0,0 +1,87 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}
+ Exe
+ Properties
+ wolfSSL_TLS_PSK_Server
+ wolfSSL-TLS-PSK-Server
+ v4.5
+ 512
+
+
+ AnyCPU
+ true
+ full
+ false
+ ..\DLL Debug\
+ DEBUG;TRACE
+ prompt
+ 4
+
+
+ AnyCPU
+ pdbonly
+ true
+ ..\DLL Release\
+ TRACE
+ prompt
+ 4
+
+
+ true
+ ..\x64\DLL Debug\
+ DEBUG;TRACE
+ full
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+ ..\x64\DLL Release\
+ TRACE
+ true
+ pdbonly
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {52609808-0418-46d3-8e17-141927a1a39a}
+ wolfSSL_CSharp
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/App.config b/wrapper/CSharp/wolfSSL-TLS-Server/App.config
new file mode 100755
index 000000000..fad249e40
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-Server/App.config
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs
new file mode 100755
index 000000000..cab955e7d
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("wolfSSL-TLS-Server")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("wolfSSL")]
+[assembly: AssemblyProduct("wolfSSL-TLS-Server")]
+[assembly: AssemblyCopyright("Copyright wolfSSL 2015")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("716e8f30-1318-4e3b-b788-d0380b397a4c")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs
new file mode 100755
index 000000000..6409d3ec6
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs
@@ -0,0 +1,26 @@
+//------------------------------------------------------------------------------
+//
+// This code was generated by a tool.
+// Runtime Version:4.0.30319.17929
+//
+// Changes to this file may cause incorrect behavior and will be lost if
+// the code is regenerated.
+//
+//------------------------------------------------------------------------------
+
+namespace wolfSSL_TLS_CSharp.Properties {
+
+
+ [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+ [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "11.0.0.0")]
+ internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase {
+
+ private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings())));
+
+ public static Settings Default {
+ get {
+ return defaultInstance;
+ }
+ }
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings
new file mode 100755
index 000000000..15034e76c
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs
new file mode 100755
index 000000000..8a629f3f1
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs
@@ -0,0 +1,172 @@
+/* wolfSSL-TLS-Server.cs
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+using System.IO;
+using System.Net;
+using System.Net.Sockets;
+using wolfSSL.CSharp;
+
+public class wolfSSL_TLS_CSHarp
+{
+ ///
+ /// Example of a logging function
+ ///
+ /// level of log
+ /// message to log
+ public static void standard_log(int lvl, StringBuilder msg)
+ {
+ Console.WriteLine(msg);
+ }
+
+
+ private static void clean(IntPtr ssl, IntPtr ctx)
+ {
+ wolfssl.free(ssl);
+ wolfssl.CTX_free(ctx);
+ wolfssl.Cleanup();
+ }
+
+
+ public static void Main(string[] args)
+ {
+ IntPtr ctx;
+ IntPtr ssl;
+ Socket fd;
+
+ /* These paths should be changed for use */
+ string fileCert = @"server-cert.pem";
+ string fileKey = @"server-key.pem";
+ StringBuilder dhparam = new StringBuilder("dh2048.pem");
+
+ StringBuilder buff = new StringBuilder(1024);
+ StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper");
+
+ //example of function used for setting logging
+ wolfssl.SetLogging(standard_log);
+
+ wolfssl.Init();
+
+
+ Console.WriteLine("Calling ctx Init from wolfSSL");
+ ctx = wolfssl.CTX_new(wolfssl.usev23_server());
+ if (ctx == IntPtr.Zero)
+ {
+ Console.WriteLine("Error in creating ctx structure");
+ return;
+ }
+ Console.WriteLine("Finished init of ctx .... now load in cert and key");
+
+ if (!File.Exists(fileCert) || !File.Exists(fileKey))
+ {
+ Console.WriteLine("Could not find cert or key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting cert file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS)
+ {
+ Console.WriteLine("Error in setting key file");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+
+ StringBuilder ciphers = new StringBuilder(new String(' ', 4096));
+ wolfssl.get_ciphers(ciphers, 4096);
+ Console.WriteLine("Ciphers : " + ciphers.ToString());
+
+ short minDhKey = 128;
+ wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey);
+
+ /* set up TCP socket */
+ IPAddress ip = IPAddress.Parse("0.0.0.0"); //bind to any
+ TcpListener tcp = new TcpListener(ip, 11111);
+ tcp.Start();
+
+ Console.WriteLine("Started TCP and waiting for a connection");
+ fd = tcp.AcceptSocket();
+ ssl = wolfssl.new_ssl(ctx);
+ if (ssl == IntPtr.Zero)
+ {
+ Console.WriteLine("Error in creating ssl object");
+ wolfssl.CTX_free(ctx);
+ return;
+ }
+
+ Console.WriteLine("Connection made wolfSSL_accept ");
+ if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS)
+ {
+ /* get and print out the error */
+ Console.Write(wolfssl.get_error(ssl));
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM);
+
+ if (wolfssl.accept(ssl) != wolfssl.SUCCESS)
+ {
+ /* get and print out the error */
+ Console.Write(wolfssl.get_error(ssl));
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ /* print out results of TLS/SSL accept */
+ Console.WriteLine("SSL version is " + wolfssl.get_version(ssl));
+ Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl));
+
+ /* read and print out the message then reply */
+ if (wolfssl.read(ssl, buff, 1023) < 0)
+ {
+ Console.WriteLine("Error in read");
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+ Console.WriteLine(buff);
+
+ if (wolfssl.write(ssl, reply, reply.Length) != reply.Length)
+ {
+ Console.WriteLine("Error in write");
+ tcp.Stop();
+ clean(ssl, ctx);
+ return;
+ }
+
+ wolfssl.shutdown(ssl);
+ fd.Close();
+ tcp.Stop();
+ clean(ssl, ctx);
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj
new file mode 100755
index 000000000..b5b5006ea
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj
@@ -0,0 +1,132 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}
+ Exe
+ Properties
+ wolfSSL_TLS_CSharp
+ wolfSSL-TLS-Server
+ v4.5
+ 512
+ publish\
+ true
+ Disk
+ false
+ Foreground
+ 7
+ Days
+ false
+ false
+ true
+ 0
+ 1.0.0.%2a
+ false
+ false
+ true
+
+
+ AnyCPU
+ true
+ full
+ false
+ ..\DLL Debug\
+ DEBUG;TRACE
+ prompt
+ 3
+
+
+ AnyCPU
+ pdbonly
+ true
+ ..\DLL Release\
+ TRACE
+ prompt
+ 4
+
+
+
+
+
+ true
+ ..\x64\DLL Debug\
+ DEBUG;TRACE
+ 4
+ full
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+ ..\x64\DLL Release\
+ TRACE
+ true
+ pdbonly
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+ true
+
+
+
+
+
+
+
+
+
+
+
+
+ True
+ True
+ Settings.settings
+
+
+
+
+
+
+ SettingsSingleFileGenerator
+ Settings.Designer.cs
+
+
+
+
+ {52609808-0418-46d3-8e17-141927a1a39a}
+ wolfSSL_CSharp
+
+
+
+
+ False
+ Microsoft .NET Framework 4.5 %28x86 and x64%29
+ true
+
+
+ False
+ .NET Framework 3.5 SP1 Client Profile
+ false
+
+
+ False
+ .NET Framework 3.5 SP1
+ false
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL_CSharp.sln b/wrapper/CSharp/wolfSSL_CSharp.sln
new file mode 100755
index 000000000..f7c63d7c1
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL_CSharp.sln
@@ -0,0 +1,108 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2012
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL_CSharp", "wolfSSL_CSharp\wolfSSL_CSharp.csproj", "{52609808-0418-46D3-8E17-141927A1A39A}"
+ ProjectSection(ProjectDependencies) = postProject
+ {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+ EndProjectSection
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-TLS-Server", "wolfSSL-TLS-Server\wolfSSL-TLS-Server.csproj", "{8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-TLS-PSK-Server", "wolfSSL-TLS-PSK-Server\wolfSSL-TLS-PSK-Server.csproj", "{030431C7-26AB-4447-815B-F27E88BE5D5B}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-DTLS-Server", "wolfSSL-DTLS-Server\wolfSSL-DTLS-Server.csproj", "{730F047E-37A6-498F-A543-B6C98AA7B338}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-DTLS-PSK-Server", "wolfSSL-DTLS-PSK-Server\wolfSSL-DTLS-PSK-Server.csproj", "{77AEF1BE-4BE3-4837-8188-2A06E4D963F5}"
+ ProjectSection(ProjectDependencies) = postProject
+ {52609808-0418-46D3-8E17-141927A1A39A} = {52609808-0418-46D3-8E17-141927A1A39A}
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "wolfSSL", "wolfSSL", "{252D09D0-D007-4AEB-9F7A-A74408039A8A}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfssl", "..\..\wolfssl.vcxproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "..\..\testsuite\testsuite.vcxproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}"
+EndProject
+Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-Example-IOCallbacks", "wolfSSL-Example-IOCallbacks\wolfSSL-Example-IOCallbacks.csproj", "{E2415718-0A15-48DB-A774-01FB0093B626}"
+EndProject
+Global
+ GlobalSection(SolutionConfigurationPlatforms) = preSolution
+ DLL Debug|Win32 = DLL Debug|Win32
+ DLL Debug|x64 = DLL Debug|x64
+ DLL Release|Win32 = DLL Release|Win32
+ DLL Release|x64 = DLL Release|x64
+ EndGlobalSection
+ GlobalSection(ProjectConfigurationPlatforms) = postSolution
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Win32.Build.0 = Debug|Any CPU
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|x64.ActiveCfg = Debug|x64
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|x64.Build.0 = Debug|x64
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Win32.ActiveCfg = Release|Any CPU
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Win32.Build.0 = Release|Any CPU
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|x64.ActiveCfg = Release|x64
+ {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|x64.Build.0 = Release|x64
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Win32.Build.0 = Debug|Any CPU
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|x64.ActiveCfg = Debug|x64
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|x64.Build.0 = Debug|x64
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Win32.ActiveCfg = Release|Any CPU
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Win32.Build.0 = Release|Any CPU
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|x64.ActiveCfg = Release|x64
+ {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|x64.Build.0 = Release|x64
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Win32.Build.0 = Debug|Any CPU
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|x64.ActiveCfg = Debug|x64
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|x64.Build.0 = Debug|x64
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Win32.ActiveCfg = Release|Any CPU
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Win32.Build.0 = Release|Any CPU
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|x64.ActiveCfg = Release|x64
+ {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|x64.Build.0 = Release|x64
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Win32.Build.0 = Debug|Any CPU
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|x64.ActiveCfg = Debug|x64
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|x64.Build.0 = Debug|x64
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Win32.ActiveCfg = Release|Any CPU
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Win32.Build.0 = Release|Any CPU
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|x64.ActiveCfg = Release|x64
+ {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|x64.Build.0 = Release|x64
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Win32.Build.0 = Debug|Any CPU
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|x64.ActiveCfg = Debug|x64
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|x64.Build.0 = Debug|x64
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Win32.ActiveCfg = Release|Any CPU
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Win32.Build.0 = Release|Any CPU
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|x64.ActiveCfg = Release|x64
+ {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|x64.Build.0 = Release|x64
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.Build.0 = DLL Debug|Win32
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.ActiveCfg = DLL Debug|x64
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.Build.0 = DLL Debug|x64
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.ActiveCfg = DLL Release|Win32
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.Build.0 = DLL Release|Win32
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.ActiveCfg = DLL Release|x64
+ {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.Build.0 = DLL Release|x64
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Win32.Build.0 = DLL Debug|Win32
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|x64.ActiveCfg = DLL Debug|x64
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|x64.Build.0 = DLL Debug|x64
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Win32.ActiveCfg = DLL Release|Win32
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Win32.Build.0 = DLL Release|Win32
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|x64.ActiveCfg = DLL Release|x64
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|x64.Build.0 = DLL Release|x64
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|Win32.Build.0 = Debug|Any CPU
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|x64.ActiveCfg = Debug|x64
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|x64.Build.0 = Debug|x64
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|Win32.ActiveCfg = Release|Any CPU
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|Win32.Build.0 = Release|Any CPU
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|x64.ActiveCfg = Release|x64
+ {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|x64.Build.0 = Release|x64
+ EndGlobalSection
+ GlobalSection(SolutionProperties) = preSolution
+ HideSolutionNode = FALSE
+ EndGlobalSection
+ GlobalSection(NestedProjects) = preSolution
+ {73973223-5EE8-41CA-8E88-1D60E89A237B} = {252D09D0-D007-4AEB-9F7A-A74408039A8A}
+ {611E8971-46E0-4D0A-B5A1-632C3B00CB80} = {252D09D0-D007-4AEB-9F7A-A74408039A8A}
+ EndGlobalSection
+EndGlobal
diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs
new file mode 100755
index 000000000..b4df96b9d
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs
@@ -0,0 +1,36 @@
+using System.Reflection;
+using System.Runtime.CompilerServices;
+using System.Runtime.InteropServices;
+
+// General Information about an assembly is controlled through the following
+// set of attributes. Change these attribute values to modify the information
+// associated with an assembly.
+[assembly: AssemblyTitle("wolfSSL.CSharp")]
+[assembly: AssemblyDescription("")]
+[assembly: AssemblyConfiguration("")]
+[assembly: AssemblyCompany("wolfSSL")]
+[assembly: AssemblyProduct("wolfSSL.CSharp")]
+[assembly: AssemblyCopyright("Copyright wolfSSL 2015")]
+[assembly: AssemblyTrademark("")]
+[assembly: AssemblyCulture("")]
+
+// Setting ComVisible to false makes the types in this assembly not visible
+// to COM components. If you need to access a type in this assembly from
+// COM, set the ComVisible attribute to true on that type.
+[assembly: ComVisible(false)]
+
+// The following GUID is for the ID of the typelib if this project is exposed to COM
+[assembly: Guid("b50b8d16-ff19-4ea4-8881-13cf972765db")]
+
+// Version information for an assembly consists of the following four values:
+//
+// Major Version
+// Minor Version
+// Build Number
+// Revision
+//
+// You can specify all the values or you can default the Build and Revision Numbers
+// by using the '*' as shown below:
+// [assembly: AssemblyVersion("1.0.*")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs
new file mode 100755
index 000000000..dd0327fd4
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs
@@ -0,0 +1,63 @@
+//------------------------------------------------------------------------------
+//
+// This code was generated by a tool.
+// Runtime Version:4.0.30319.17929
+//
+// Changes to this file may cause incorrect behavior and will be lost if
+// the code is regenerated.
+//
+//------------------------------------------------------------------------------
+
+namespace wolfssl_wrapper.Properties {
+ using System;
+
+
+ ///
+ /// A strongly-typed resource class, for looking up localized strings, etc.
+ ///
+ // This class was auto-generated by the StronglyTypedResourceBuilder
+ // class via a tool like ResGen or Visual Studio.
+ // To add or remove a member, edit your .ResX file then rerun ResGen
+ // with the /str option, or rebuild your VS project.
+ [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")]
+ [global::System.Diagnostics.DebuggerNonUserCodeAttribute()]
+ [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()]
+ internal class Resources {
+
+ private static global::System.Resources.ResourceManager resourceMan;
+
+ private static global::System.Globalization.CultureInfo resourceCulture;
+
+ [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")]
+ internal Resources() {
+ }
+
+ ///
+ /// Returns the cached ResourceManager instance used by this class.
+ ///
+ [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+ internal static global::System.Resources.ResourceManager ResourceManager {
+ get {
+ if (object.ReferenceEquals(resourceMan, null)) {
+ global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("wolfSSL.CSharp.Properties.Resources", typeof(Resources).Assembly);
+ resourceMan = temp;
+ }
+ return resourceMan;
+ }
+ }
+
+ ///
+ /// Overrides the current thread's CurrentUICulture property for all
+ /// resource lookups using this strongly typed resource class.
+ ///
+ [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)]
+ internal static global::System.Globalization.CultureInfo Culture {
+ get {
+ return resourceCulture;
+ }
+ set {
+ resourceCulture = value;
+ }
+ }
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx
new file mode 100755
index 000000000..85c909092
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx
@@ -0,0 +1,101 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ text/microsoft-resx
+
+
+ 1.3
+
+
+ System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
+
+
+ System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
+
+
\ No newline at end of file
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs
new file mode 100755
index 000000000..37cf76d4a
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs
@@ -0,0 +1,1521 @@
+/* wolfSSL.cs
+ *
+ * Copyright (C) 2006-2015 wolfSSL Inc.
+ *
+ * This file is part of wolfSSL. (formerly known as CyaSSL)
+ *
+ * wolfSSL is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * wolfSSL is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
+ */
+
+using System;
+using System.Runtime.InteropServices;
+using System.Text;
+using System.Threading;
+using System.IO;
+using System.Net;
+using System.Net.Sockets;
+
+namespace wolfSSL.CSharp {
+ public class wolfssl
+ {
+ private const string wolfssl_dll = "wolfssl.dll";
+
+ /********************************
+ * Class for DTLS connections
+ */
+ ///
+ /// Contains information regarding a DTLS conection having UdpClient udp and IPEndPoint ep.
+ /// Used to keep memory alive.
+ ///
+ public class DTLS_con
+ {
+ public UdpClient udp;
+ public IPEndPoint ep;
+ }
+
+
+ /********************************
+ * Class for keeping ctx/ssl handles alive
+ */
+ [StructLayout(LayoutKind.Sequential)]
+ private class ctx_handles
+ {
+ private GCHandle rec_cb;
+ private GCHandle snd_cb;
+ private GCHandle psk_cb;
+ private GCHandle fd_pin;
+ private IntPtr ctx;
+
+ public void set_receive(GCHandle input)
+ {
+ this.rec_cb = input;
+ }
+
+ public GCHandle get_receive()
+ {
+ return this.rec_cb;
+ }
+
+ public void set_send(GCHandle input)
+ {
+ this.snd_cb = input;
+ }
+
+ public GCHandle get_send()
+ {
+ return this.snd_cb;
+ }
+
+ public void set_psk(GCHandle input)
+ {
+ this.psk_cb = input;
+ }
+
+ public GCHandle get_psk()
+ {
+ return this.psk_cb;
+ }
+
+ public void set_fd(GCHandle input)
+ {
+ this.fd_pin = input;
+ }
+
+ public GCHandle get_fd()
+ {
+ return this.fd_pin;
+ }
+
+ public void set_ctx(IntPtr input)
+ {
+ this.ctx = input;
+ }
+
+ public IntPtr get_ctx()
+ {
+ return this.ctx;
+ }
+
+ ///
+ /// Called to free the pointers keeping handles alive
+ ///
+ public void free()
+ {
+ log(INFO_LOG, "freeing handles");
+ if (!Object.Equals(this.rec_cb, default(GCHandle)))
+ {
+ this.rec_cb.Free();
+ }
+ if (!Object.Equals(this.snd_cb, default(GCHandle)))
+ {
+ this.snd_cb.Free();
+ }
+ if (!Object.Equals(this.psk_cb, default(GCHandle)))
+ {
+ this.psk_cb.Free();
+ }
+ if (!Object.Equals(this.fd_pin, default(GCHandle)))
+ {
+ this.fd_pin.Free();
+ }
+ }
+ }
+
+
+ /********************************
+ * Init wolfSSL library
+ */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_Init();
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_Cleanup();
+
+
+ /********************************
+ * Methods of connection
+ */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfTLSv1_2_server_method();
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSLv23_server_method();
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfTLSv1_2_client_method();
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSLv23_client_method();
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfDTLSv1_2_server_method();
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfDTLSv1_2_client_method();
+
+
+ /********************************
+ * Call backs
+ */
+ [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+ public delegate int CallbackIORecv_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_SetIORecv(IntPtr ctx, CallbackIORecv_delegate recv);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_SetIOReadCtx(IntPtr ssl, IntPtr rctx);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_GetIOReadCtx(IntPtr ssl);
+
+ [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+ public delegate int CallbackIOSend_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_SetIOSend(IntPtr ctx, CallbackIOSend_delegate send);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_SetIOWriteCtx(IntPtr ssl, IntPtr wctx);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_GetIOWriteCtx(IntPtr ssl);
+
+
+ /********************************
+ * CTX structure
+ */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_CTX_new(IntPtr method);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static void wolfSSL_CTX_free(IntPtr ctx);
+
+
+ /********************************
+ * PSK
+ */
+ [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+ public delegate uint psk_delegate(IntPtr ssl, string identity, IntPtr key, uint max_sz);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static void wolfSSL_set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static void wolfSSL_CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder identity);
+
+
+ /********************************
+ * SSL Structure
+ */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_new(IntPtr ctx);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_accept(IntPtr ssl);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_connect(IntPtr ssl);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_read(IntPtr ssl, StringBuilder buf, int sz);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_write(IntPtr ssl, StringBuilder buf, int sz);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_shutdown(IntPtr ssl);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static void wolfSSL_free(IntPtr ssl);
+
+
+ /********************************
+ * Cipher lists
+ */
+ /* only supports full name from cipher_name[] delimited by : */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_CTX_set_cipher_list(IntPtr ctx, StringBuilder ciphers);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_set_cipher_list(IntPtr ssl, StringBuilder ciphers);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_get_ciphers(StringBuilder ciphers, int sz);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_get_cipher(IntPtr ssl);
+ [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_CIPHER_get_name(IntPtr cipher);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_get_current_cipher(IntPtr ssl);
+ [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_get_version(IntPtr ssl);
+ [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)]
+ private extern static IntPtr wolfSSL_get_cipher_list(IntPtr ssl);
+
+
+ /********************************
+ * Error logging
+ */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl, CharSet=CharSet.Ansi)]
+ private extern static IntPtr wolfSSL_ERR_error_string(uint err, StringBuilder errOut);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_get_error(IntPtr ssl, int err);
+ [UnmanagedFunctionPointer(CallingConvention.Cdecl)]
+ public delegate void loggingCb(int lvl, StringBuilder msg);
+ private static loggingCb internal_log;
+
+
+ /********************************
+ * DH
+ */
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_CTX_SetMinDhKey_Sz(IntPtr ctx, short size);
+ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)]
+ private extern static int wolfSSL_SetTmpDH_file(IntPtr ssl, StringBuilder dhParam, int type);
+
+
+ /********************************
+ * Enum types from wolfSSL library
+ */
+ public static readonly int SSL_FILETYPE_PEM = 1;
+ public static readonly int SSL_FILETYPE_ASN1= 2;
+ public static readonly int SSL_FILETYPE_RAW = 3;
+ public static readonly int CBIO_ERR_GENERAL = -1;
+ public static readonly int CBIO_ERR_WANT_READ = -2;
+ public static readonly int CBIO_ERR_WANT_WRITE = -2;
+ public static readonly int CBIO_ERR_CONN_RST = -3;
+ public static readonly int CBIO_ERR_ISR = -4;
+ public static readonly int CBIO_ERR_CONN_CLOSE = -5;
+ public static readonly int CBIO_ERR_TIMEOUT = -6;
+
+ public static readonly int ERROR_LOG = 0;
+ public static readonly int INFO_LOG = 1;
+ public static readonly int ENTER_LOG = 2;
+ public static readonly int LEAVE_LOG = 3;
+ public static readonly int OTHER_LOG = 4;
+
+ public static readonly int SUCCESS = 1;
+ public static readonly int FAILURE = 0;
+
+
+ private static IntPtr unwrap(IntPtr ctx)
+ {
+ try {
+ GCHandle gch = GCHandle.FromIntPtr(ctx);
+ ctx_handles handles = (ctx_handles)gch.Target;
+ return handles.get_ctx();
+ } catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl pointer is incorrect " + e);
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Call back to allow recieving TLS information
+ ///
+ /// structure of ssl passed in
+ /// buffer to contain recieved msg
+ /// size of buffer
+ /// optional information passed in
+ /// size of message recieved
+ private static int wolfSSLCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx)
+ {
+ if (sz <= 0)
+ {
+ log(ERROR_LOG, "wolfssl recieve error, size less than 0");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ int amtRecv = 0;
+
+ try
+ {
+ System.Runtime.InteropServices.GCHandle gch;
+ gch = GCHandle.FromIntPtr(ctx);
+ Socket con = (System.Net.Sockets.Socket)gch.Target;
+
+ Byte[] msg = new Byte[sz];
+ amtRecv = con.Receive(msg, msg.Length, 0);
+ Marshal.Copy(msg, 0, buf, sz);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "Error in recive " + e.ToString());
+ return wolfssl.CBIO_ERR_CONN_CLOSE;
+ }
+
+ return amtRecv;
+ }
+
+
+ ///
+ /// Call back used for sending TLS information
+ ///
+ /// pointer to ssl struct
+ /// buffer containing information to send
+ /// size of buffer to send
+ /// optional information
+ /// amount of information sent
+ private static int wolfSSLCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx)
+ {
+ if (sz <= 0)
+ {
+ log(ERROR_LOG, "wolfssl send error, size less than 0");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ try
+ {
+ System.Runtime.InteropServices.GCHandle gch;
+ gch = GCHandle.FromIntPtr(ctx);
+
+ Socket con = (System.Net.Sockets.Socket)gch.Target;
+
+ Byte[] msg = new Byte[sz];
+ Marshal.Copy(buf, msg, 0, sz);
+ con.Send(msg, 0, msg.Length, SocketFlags.None);
+ return sz;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "socket connection issue "+ e.ToString());
+ return wolfssl.CBIO_ERR_CONN_CLOSE;
+ }
+ }
+
+
+ ///
+ /// Call back used for sending DTLS information
+ ///
+ /// pointer to ssl struct
+ /// buffer containing information to send
+ /// size of buffer to send
+ /// optional information
+ /// amount of information sent
+ private static int wolfSSL_dtlsCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx)
+ {
+ if (sz <= 0)
+ {
+ log(ERROR_LOG, "wolfssl dtls send error, size less than 0");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ try
+ {
+ System.Runtime.InteropServices.GCHandle gch;
+ gch = GCHandle.FromIntPtr(ctx);
+
+ DTLS_con con = (DTLS_con)gch.Target;
+
+ Byte[] msg = new Byte[sz];
+ Marshal.Copy(buf, msg, 0, sz);
+ con.udp.Send(msg, msg.Length, con.ep);
+ return msg.Length;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "socket connection issue " + e.ToString());
+ return wolfssl.CBIO_ERR_CONN_CLOSE;
+ }
+ }
+
+
+ ///
+ /// Call back to allow recieving DTLS information
+ ///
+ /// structure of ssl passed in
+ /// buffer to contain recieved msg
+ /// size of buffer
+ /// optional information passed in
+ /// size of message recieved
+ private static int wolfSSL_dtlsCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx)
+ {
+ if (sz <= 0)
+ {
+ log(ERROR_LOG, "wolfssl dtls recieve error, size less than 0");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ try
+ {
+ System.Runtime.InteropServices.GCHandle gch;
+ gch = GCHandle.FromIntPtr(ctx);
+ DTLS_con con = (DTLS_con)gch.Target;
+
+ Byte[] msg = con.udp.Receive(ref con.ep);
+ if (msg.Length > sz)
+ {
+ log(ERROR_LOG, "wolfssl DTLS packet received was larger than buffer");
+ return wolfssl.CBIO_ERR_GENERAL;
+ }
+
+ Marshal.Copy(msg, 0, buf, msg.Length);
+ return msg.Length;
+ }
+ catch (Exception e)
+ {
+ /* issue with receive or size of buffer */
+ log(ERROR_LOG, "socket read issue "+ e.ToString());
+ return wolfssl.CBIO_ERR_CONN_CLOSE;
+ }
+ }
+
+
+ ///
+ /// Create a new ssl structure
+ ///
+ /// structure to create ssl structure from
+ /// pointer to ssl structure
+ public static IntPtr new_ssl(IntPtr ctx)
+ {
+ if (ctx == IntPtr.Zero)
+ return IntPtr.Zero;
+
+ try
+ {
+ ctx_handles io;
+ IntPtr local_ctx = unwrap(ctx);
+ if (local_ctx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "new_ssl error");
+ return IntPtr.Zero;
+ }
+
+ io = new ctx_handles();
+ io.set_ctx(wolfSSL_new(local_ctx));
+
+ /* check if null */
+ if (io.get_ctx() == IntPtr.Zero)
+ {
+ return IntPtr.Zero;
+ }
+
+ /* keep memory pinned to be able to refrence by address */
+ return GCHandle.ToIntPtr(GCHandle.Alloc(io, GCHandleType.Pinned));
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Used for a server to accept a connection
+ ///
+ /// structure containing info for connection
+ /// 1 on success
+ public static int accept(IntPtr ssl)
+ {
+ if (ssl == IntPtr.Zero)
+ return FAILURE;
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "accept error");
+ return FAILURE;
+ }
+
+ return wolfSSL_accept(sslCtx);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "accept error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Used for a client to connect
+ ///
+ /// structure containing connection info
+ /// 1 on success
+ public static int connect(IntPtr ssl)
+ {
+ if (ssl == IntPtr.Zero)
+ return FAILURE;
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "connect error");
+ return FAILURE;
+ }
+
+ return wolfSSL_connect(sslCtx);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "connect error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Read message from secure connection
+ ///
+ /// structure containing info about connection
+ /// object to hold incoming message
+ /// size of available memory in buf
+ /// amount of data read on success
+ public static int read(IntPtr ssl, StringBuilder buf, int sz)
+ {
+ if (ssl == IntPtr.Zero)
+ return FAILURE;
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "connect error");
+ return FAILURE;
+ }
+
+ return wolfSSL_read(sslCtx, buf, sz);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl read error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Write message to secure connection
+ ///
+ /// structure containing connection info
+ /// message to send
+ /// size of the message
+ /// amount sent on success
+ public static int write(IntPtr ssl, StringBuilder buf, int sz)
+ {
+ if (ssl == IntPtr.Zero)
+ return FAILURE;
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "connect error");
+ return FAILURE;
+ }
+
+ return wolfSSL_write(sslCtx, buf, sz);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl write error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Free information stored in ssl struct
+ ///
+ /// pointer to ssl struct to free
+ public static void free(IntPtr ssl)
+ {
+ try
+ {
+ IntPtr sslCtx;
+ GCHandle gch = GCHandle.FromIntPtr(ssl);
+ ctx_handles handles = (ctx_handles)gch.Target;
+
+ sslCtx = handles.get_ctx();
+ wolfSSL_free(sslCtx);
+ handles.free();
+ gch.Free();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl free error " + e.ToString());
+ }
+ }
+
+
+ ///
+ /// Shutdown a connection
+ ///
+ /// pointer to ssl struct to close connection of
+ /// 1 on success
+ public static int shutdown(IntPtr ssl)
+ {
+ if (ssl == IntPtr.Zero)
+ return FAILURE;
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl shutdown error");
+ return FAILURE;
+ }
+
+ return wolfSSL_shutdown(sslCtx);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl shutdwon error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Optional, can be used to set a custom recieve function
+ ///
+ /// structure to set recieve function in
+ /// function to use when reading socket
+ public static void SetIORecv(IntPtr ctx, CallbackIORecv_delegate func)
+ {
+ try
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ctx);
+ ctx_handles handles = (ctx_handles)gch.Target;
+
+ /* check if already stored handle needs freed */
+ gch = handles.get_receive();
+ if (!Object.Equals(gch, default(GCHandle)))
+ {
+ gch.Free();
+ }
+
+ /* keep new function alive */
+ handles.set_receive(GCHandle.Alloc(func));
+
+ wolfSSL_SetIORecv(handles.get_ctx(), func);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl setIORecv error " + e.ToString());
+ }
+ }
+
+
+ ///
+ /// Optional, can be used to set a custom send function
+ ///
+ /// structure to set function in
+ /// function to use when sending data
+ public static void SetIOSend(IntPtr ctx, CallbackIOSend_delegate func)
+ {
+ try
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ctx);
+ ctx_handles handles = (ctx_handles)gch.Target;
+
+ /* check if already stored handle needs freed */
+ gch = handles.get_send();
+ if (!Object.Equals(gch, default(GCHandle)))
+ {
+ gch.Free();
+ }
+
+ /* keep new function alive */
+ handles.set_send(GCHandle.Alloc(func));
+
+ wolfSSL_SetIOSend(handles.get_ctx(), func);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl setIOSend error " + e.ToString());
+ }
+ }
+
+
+ ///
+ /// Create a new CTX structure
+ ///
+ /// method to use such as TLSv1.2
+ /// pointer to CTX structure
+ public static IntPtr CTX_new(IntPtr method)
+ {
+ try
+ {
+ IntPtr ctx = wolfSSL_CTX_new(method);
+ if (ctx == IntPtr.Zero)
+ return ctx;
+
+ ctx_handles io = new ctx_handles();
+ io.set_ctx(ctx);
+
+ CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSLCbIORecv);
+ io.set_receive(GCHandle.Alloc(recv));
+ wolfSSL_SetIORecv(ctx, recv);
+
+ CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSLCbIOSend);
+ io.set_send(GCHandle.Alloc(send));
+ wolfSSL_SetIOSend(ctx, send);
+
+ /* keep memory pinned */
+ return GCHandle.ToIntPtr(GCHandle.Alloc(io, GCHandleType.Pinned));
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "ctx_new error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Create a new CTX structure for a DTLS connection
+ ///
+ /// Method to use in connection ie DTLSv1.2
+ ///
+ public static IntPtr CTX_dtls_new(IntPtr method)
+ {
+ try
+ {
+ IntPtr ctx = wolfSSL_CTX_new(method);
+ if (ctx == IntPtr.Zero)
+ return ctx;
+
+ ctx_handles io = new ctx_handles();
+ io.set_ctx(ctx);
+
+ CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSL_dtlsCbIORecv);
+ io.set_receive(GCHandle.Alloc(recv));
+ wolfSSL_SetIORecv(ctx, recv);
+
+ CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSL_dtlsCbIOSend);
+ io.set_send(GCHandle.Alloc(send));
+ wolfSSL_SetIOSend(ctx, send);
+
+ /* keep memory pinned */
+ return GCHandle.ToIntPtr(GCHandle.Alloc(io, GCHandleType.Pinned));
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "ctx_dtls_new error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Free information used in CTX structure
+ ///
+ /// structure to free
+ public static void CTX_free(IntPtr ctx)
+ {
+ try
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ctx);
+ ctx_handles handles = (ctx_handles)gch.Target;
+ wolfSSL_CTX_free(handles.get_ctx());
+ handles.free();
+ gch.Free();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl ctx free error " + e.ToString());
+ }
+ }
+
+
+ ///
+ /// Set identity hint to use
+ ///
+ /// pointer to structure of ctx to set hint in
+ /// hint to use
+ /// 1 on success
+ public static int CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder hint)
+ {
+ try
+ {
+ IntPtr local_ctx = unwrap(ctx);
+ if (local_ctx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "CTX use psk identity hint error");
+ return FAILURE;
+ }
+
+ return wolfSSL_CTX_use_psk_identity_hint(local_ctx, hint);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl psk identity hint error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Set the function to use for PSK connections
+ ///
+ /// pointer to CTX that the function is set in
+ /// PSK function to use
+ public static void CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb)
+ {
+ try
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ctx);
+ ctx_handles handles = (ctx_handles)gch.Target;
+
+ handles.set_psk(GCHandle.Alloc(psk_cb));
+ wolfSSL_CTX_set_psk_server_callback(handles.get_ctx(), psk_cb);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl psk server callback error " + e.ToString());
+ }
+ }
+
+
+ ///
+ /// Set the function to use for PSK connections on a single TLS/DTLS connection
+ ///
+ /// pointer to SSL that the function is set in
+ /// PSK function to use
+ public static void set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb)
+ {
+ try
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ssl);
+ ctx_handles handles = (ctx_handles)gch.Target;
+
+ handles.set_psk(GCHandle.Alloc(psk_cb));
+ wolfSSL_set_psk_server_callback(handles.get_ctx(), psk_cb);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl psk server callback error " + e.ToString());
+ }
+ }
+
+
+ ///
+ /// Set Socket for TLS connection
+ ///
+ /// structure to set Socket in
+ /// Socket to use
+ /// 1 on success
+ public static int set_fd(IntPtr ssl, Socket fd)
+ {
+ /* sanity check on inputs */
+ if (ssl == IntPtr.Zero)
+ {
+ return FAILURE;
+ }
+
+ try
+ {
+ if (!fd.Equals(null))
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ssl);
+ ctx_handles handles = (ctx_handles)gch.Target;
+ IntPtr sslCtx = handles.get_ctx();
+ IntPtr ptr;
+ GCHandle fd_pin = GCHandle.Alloc(fd);
+
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl error setting up fd!!");
+ return FAILURE;
+ }
+
+ handles.set_fd(fd_pin);
+ ptr = GCHandle.ToIntPtr(fd_pin);
+ wolfSSL_SetIOWriteCtx(sslCtx, ptr); //pass along the socket for writing to
+ wolfSSL_SetIOReadCtx(sslCtx, ptr); //pass along the socket for reading from
+
+ return SUCCESS;
+ }
+
+ return FAILURE;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "Error setting up fd!! " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Get socket of a TLS connection
+ ///
+ /// structure to get socket from
+ /// Socket object used for connection
+ public static Socket get_fd(IntPtr ssl)
+ {
+ try
+ {
+ IntPtr ptr;
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl get_fd error");
+ return null;
+ }
+
+ ptr = wolfSSL_GetIOReadCtx(sslCtx);
+ if (ptr != IntPtr.Zero)
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ptr);
+ return (System.Net.Sockets.Socket)gch.Target;
+ }
+ return null;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl get_fd error " + e.ToString());
+ return null;
+ }
+ }
+
+
+
+ ///
+ /// Set information needed to send and receive a DTLS connection
+ ///
+ /// structure to set information in
+ /// UDP object to send and receive
+ /// End point of connection
+ /// 1 on success
+ public static int set_dtls_fd(IntPtr ssl, UdpClient udp, IPEndPoint ep)
+ {
+ /* sanity check on inputs */
+ if (ssl == IntPtr.Zero)
+ {
+ return FAILURE;
+ }
+
+ try
+ {
+ if (!udp.Equals(null) && !ep.Equals(null))
+ {
+ IntPtr ptr;
+ DTLS_con con;
+ GCHandle gch = GCHandle.FromIntPtr(ssl);
+ ctx_handles handles = (ctx_handles)gch.Target;
+ GCHandle fd_pin;
+
+ con = new DTLS_con();
+ con.udp = udp;
+ con.ep = ep;
+ fd_pin = GCHandle.Alloc(con);
+ handles.set_fd(fd_pin);
+ ptr = GCHandle.ToIntPtr(fd_pin);
+ wolfSSL_SetIOWriteCtx(handles.get_ctx(), ptr); //pass along the socket for writing to
+ wolfSSL_SetIOReadCtx(handles.get_ctx(), ptr); //pass along the socket for reading from
+
+ return SUCCESS;
+ }
+ return FAILURE;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "Error setting up fd!! " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Get the pointer to DTLS_con class used for connection
+ ///
+ /// structure to get connection from
+ /// DTLS_con object
+ public static DTLS_con get_dtls_fd(IntPtr ssl)
+ {
+ try
+ {
+ IntPtr ptr;
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl get_dtls_fd error");
+ return null;
+ }
+
+ ptr = wolfSSL_GetIOReadCtx(sslCtx);
+ if (ptr != IntPtr.Zero)
+ {
+ GCHandle gch = GCHandle.FromIntPtr(ptr);
+ return (DTLS_con)gch.Target;
+ }
+ return null;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl get_dtls_fd error " + e.ToString());
+ return null;
+ }
+ }
+
+
+ ///
+ /// Get available cipher suites
+ ///
+ /// list to fill with cipher suite names
+ /// size of list available to fill
+ /// 1 on success
+ public static int get_ciphers(StringBuilder list, int sz)
+ {
+ try
+ {
+ return wolfSSL_get_ciphers(list, sz);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl get_ciphers error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Initialize wolfSSL library
+ ///
+ /// 1 on success
+ public static int Init()
+ {
+ try
+ {
+ return wolfSSL_Init();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl init error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Clean up wolfSSL library memory
+ ///
+ /// 1 on success
+ public static int Cleanup()
+ {
+ try
+ {
+ return wolfSSL_Cleanup();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl cleanup error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Set up TLS version 1.2 method
+ ///
+ /// pointer to TLSv1.2 method
+ public static IntPtr useTLSv1_2_server()
+ {
+ try
+ {
+ return wolfTLSv1_2_server_method();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Use any TLS version
+ ///
+ /// pointer to method
+ public static IntPtr usev23_server()
+ {
+ try
+ {
+ return wolfSSLv23_server_method();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Set up TLS version 1.2 method
+ ///
+ /// pointer to TLSv1.2 method
+ public static IntPtr useTLSv1_2_client()
+ {
+ try
+ {
+ return wolfTLSv1_2_client_method();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Use any TLS version
+ ///
+ /// pointer to method
+ public static IntPtr usev23_client()
+ {
+ try
+ {
+ return wolfSSLv23_client_method();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Set up DTLS version 1.2
+ ///
+ /// pointer to DTLSv1.2 method
+ public static IntPtr useDTLSv1_2_server()
+ {
+ try
+ {
+ return wolfDTLSv1_2_server_method();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Set up DTLS version 1.2
+ ///
+ /// pointer to DTLSv1.2 method
+ public static IntPtr useDTLSv1_2_client()
+ {
+ try
+ {
+ return wolfDTLSv1_2_client_method();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl error " + e.ToString());
+ return IntPtr.Zero;
+ }
+ }
+
+
+ ///
+ /// Gets the current cipher suite being used in connection
+ ///
+ /// SSL struct to get cipher suite from
+ /// string containing current cipher suite
+ public static string get_current_cipher(IntPtr ssl)
+ {
+ if (ssl == IntPtr.Zero)
+ return null;
+ try
+ {
+ IntPtr ssl_cipher;
+ IntPtr ssl_cipher_ptr;
+ string ssl_cipher_str;
+
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl get_current_cipher error");
+ return null;
+ }
+
+ ssl_cipher = wolfSSL_get_current_cipher(sslCtx);
+ ssl_cipher_ptr = wolfSSL_CIPHER_get_name(ssl_cipher);
+ ssl_cipher_str = Marshal.PtrToStringAnsi(ssl_cipher_ptr);
+
+ return ssl_cipher_str;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl get current cipher error " + e.ToString());
+ return null;
+ }
+ }
+
+
+ ///
+ /// Set avialable cipher suites for all ssl structs created from ctx
+ ///
+ /// CTX structure to set
+ /// List full of ciphers suites
+ /// 1 on success
+ public static int CTX_set_cipher_list(IntPtr ctx, StringBuilder list)
+ {
+ try
+ {
+ IntPtr local_ctx = unwrap(ctx);
+ if (local_ctx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "CTX set cipher list error");
+ return FAILURE;
+ }
+
+ return wolfSSL_CTX_set_cipher_list(local_ctx, list);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl ctx set cipher list error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Set available cipher suite in local connection
+ ///
+ /// Structure to set cipher suite in
+ /// List of cipher suites
+ /// 1 on success
+ public static int set_cipher_list(IntPtr ssl, StringBuilder list)
+ {
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl set_cipher_list error");
+ return FAILURE;
+ }
+
+ return wolfSSL_set_cipher_list(sslCtx, list);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl set cipher error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Gets the version of the connection made ie TLSv1.2
+ ///
+ /// SSL struct to get version of
+ /// string containing version
+ public static string get_version(IntPtr ssl)
+ {
+ if (ssl == IntPtr.Zero)
+ return null;
+
+ try
+ {
+ IntPtr version_ptr;
+ string version;
+
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl get_version error");
+ return null;
+ }
+
+ version_ptr = wolfSSL_get_version(sslCtx);
+ version = Marshal.PtrToStringAnsi(version_ptr);
+
+ return version;
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl get version error " + e.ToString());
+ return null;
+ }
+ }
+
+
+ ///
+ /// Get a string containing error value and reason
+ ///
+ /// SSL struct that had error
+ /// String containing error value and reason
+ public static string get_error(IntPtr ssl)
+ {
+ if (ssl == IntPtr.Zero)
+ return null;
+
+ try
+ {
+ int err;
+ StringBuilder err_name;
+ StringBuilder ret;
+
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl get_error error");
+ return null;
+ }
+
+ /* wolfSSL max error length is 80 */
+ ret = new StringBuilder(' ', 100);
+ err = wolfSSL_get_error(sslCtx, 0);
+ err_name = new StringBuilder(new String(' ', 80));
+ wolfSSL_ERR_error_string((uint)err, err_name);
+ ret.Append("Error " + err + " " + err_name.ToString());
+
+ return ret.ToString();
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl get error, error " + e.ToString());
+ return null;
+ }
+ }
+
+
+ ///
+ /// Used to load in the certificate file
+ ///
+ /// CTX structure for TLS/SSL connections
+ /// Name of the file to load including absolute path
+ /// Type of file ie PEM or DER
+ /// 1 on success
+ public static int CTX_use_certificate_file(IntPtr ctx, string fileCert, int type)
+ {
+ try
+ {
+ IntPtr local_ctx = unwrap(ctx);
+ if (local_ctx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "CTX use certificate file error");
+ return FAILURE;
+ }
+
+ return wolfSSL_CTX_use_certificate_file(local_ctx, fileCert, type);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl ctx use cert file error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Used to load in the private key from a file
+ ///
+ /// CTX structure for TLS/SSL connections
+ /// Name of the file, includeing absolute directory
+ /// Type of file ie PEM or DER
+ /// 1 on succes
+ public static int CTX_use_PrivateKey_file(IntPtr ctx, string fileKey, int type)
+ {
+ try
+ {
+ IntPtr local_ctx = unwrap(ctx);
+ if (local_ctx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "CTX use PrivateKey file error");
+ return FAILURE;
+ }
+
+ return wolfSSL_CTX_use_PrivateKey_file(local_ctx, fileKey, type);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl ctx use key file error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Set temporary DH parameters
+ ///
+ /// Structure to set in
+ /// file name
+ /// type of file ie PEM
+ /// 1 on success
+ public static int SetTmpDH_file(IntPtr ssl, StringBuilder dhparam, int file_type)
+ {
+ try
+ {
+ IntPtr sslCtx = unwrap(ssl);
+ if (sslCtx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "wolfssl SetTmpDH_file error");
+ return FAILURE;
+ }
+
+ return wolfSSL_SetTmpDH_file(sslCtx, dhparam, file_type);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl set tmp dh file error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Used to set the minimum size of DH key
+ ///
+ /// Structure to store key size
+ /// Min key size
+ /// 1 on success
+ public static int CTX_SetMinDhKey_Sz(IntPtr ctx, short minDhKey)
+ {
+ try
+ {
+ IntPtr local_ctx = unwrap(ctx);
+ if (local_ctx == IntPtr.Zero)
+ {
+ log(ERROR_LOG, "CTX SetMinDhKey_Sz error");
+ return FAILURE;
+ }
+
+ return wolfSSL_CTX_SetMinDhKey_Sz(local_ctx, minDhKey);
+ }
+ catch (Exception e)
+ {
+ log(ERROR_LOG, "wolfssl ctx set min dh key error " + e.ToString());
+ return FAILURE;
+ }
+ }
+
+
+ ///
+ /// Set the function to use for logging
+ ///
+ /// Function that conforms as to loggingCb
+ /// 1 on success
+ public static int SetLogging(loggingCb input)
+ {
+ internal_log = input;
+ return SUCCESS;
+ }
+
+
+ ///
+ /// Log a message to set logging function
+ ///
+ /// Level of log message
+ /// Message to log
+ public static void log(int lvl, string msg)
+ {
+ /* if log is not set then pring nothing */
+ if (internal_log == null)
+ return;
+ StringBuilder ptr = new StringBuilder(msg);
+ internal_log(lvl, ptr);
+ }
+ }
+}
diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj
new file mode 100755
index 000000000..d5eabceba
--- /dev/null
+++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj
@@ -0,0 +1,79 @@
+
+
+
+
+ Debug
+ AnyCPU
+ {52609808-0418-46D3-8E17-141927A1A39A}
+ Library
+ Properties
+ wolfSSL.CSharp
+ wolfSSL_CSharp
+ v4.5
+ 512
+
+
+ true
+ full
+ false
+ ..\DLL Debug\
+ DEBUG;TRACE
+ prompt
+ 3
+
+
+ pdbonly
+ true
+ ..\DLL Release\
+ TRACE
+ prompt
+ 4
+
+
+ true
+ ..\x64\DLL Debug\
+ DEBUG;TRACE
+ 3
+ full
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+
+
+ ..\x64\DLL Release\
+ TRACE
+ true
+ pdbonly
+ x64
+ prompt
+ MinimumRecommendedRules.ruleset
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ xcopy "$(ProjectDir)..\..\..\certs\server-key.pem" "$(TargetDir)" /Y /R
+xcopy "$(ProjectDir)..\..\..\certs\server-cert.pem" "$(TargetDir)" /Y /R
+xcopy "$(ProjectDir)..\..\..\certs\dh2048.pem" "$(TargetDir)" /Y /R
+
+
+
\ No newline at end of file
diff --git a/wrapper/include.am b/wrapper/include.am
new file mode 100644
index 000000000..bb61de307
--- /dev/null
+++ b/wrapper/include.am
@@ -0,0 +1,30 @@
+
+# wolfSSL CSharp wrapper files
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/App.config
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/App.config
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj
+EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp.sln
+EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx
+EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs
+EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj