From 82f86adb8e992714173fe4666d3938900a819778 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Fri, 23 Oct 2015 13:05:29 -0300 Subject: [PATCH 001/177] renames TLS Extension types to follow the TLSX_ + "extension name" pattern; using names listed by IANA: http://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml fixes ocsp response extensions parsing in asn.c; fixes dir slashes in .gitignore: replaces '\' with '/'; removes trailing white spaces; --- .gitignore | 10 +- configure.ac | 6 +- examples/client/client.c | 2 +- examples/server/server.c | 2 +- pull_to_vagrant.sh | 1 + src/internal.c | 27 ++--- src/ssl.c | 31 ++++-- src/tls.c | 214 +++++++++++++++++++++++---------------- wolfcrypt/src/asn.c | 9 +- wolfssl/internal.h | 115 +++++++++++---------- wolfssl/ssl.h | 42 ++++---- wolfssl/wolfcrypt/asn.h | 1 - 12 files changed, 260 insertions(+), 200 deletions(-) diff --git a/.gitignore b/.gitignore index dfedec021..15ee851d8 100644 --- a/.gitignore +++ b/.gitignore @@ -112,11 +112,11 @@ cov-int cyassl.tgz *.log *.trs -IDE\MDK-ARM\Projects/ -IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/inc -IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/src -IDE\MDK-ARM\LPC43xx\Drivers/ -IDE\MDK-ARM\LPC43xx\LPC43xx/ +IDE/MDK-ARM/Projects/ +IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/inc +IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/src +IDE/MDK-ARM/LPC43xx/Drivers/ +IDE/MDK-ARM/LPC43xx/LPC43xx/ *.gcno *.gcda *.gcov diff --git a/configure.ac b/configure.ac index 7e96504e8..fff155a7f 100644 --- a/configure.ac +++ b/configure.ac @@ -2488,14 +2488,14 @@ echo " * Persistent cert cache: $ENABLED_SAVECERT" echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" echo " * NTRU: $ENABLED_NTRU" -echo " * SNI: $ENABLED_SNI" +echo " * Server Name Indication: $ENABLED_SNI" echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" -echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" -echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * Session Ticket: $ENABLED_SESSION_TICKET" +echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" +echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" echo " * All TLS Extensions: $ENABLED_TLSX" echo " * PKCS#7 $ENABLED_PKCS7" echo " * wolfSCEP $ENABLED_WOLFSCEP" diff --git a/examples/client/client.c b/examples/client/client.c index dc4a80f0a..533621d19 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -310,7 +310,7 @@ static void Usage(void) #endif printf("-b Benchmark connections and print stats\n"); #ifdef HAVE_ALPN - printf("-L Application-Layer Protocole Name ({C,F}:)\n"); + printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n"); #endif printf("-B Benchmark throughput using bytes and print stats\n"); printf("-s Use pre Shared keys\n"); diff --git a/examples/server/server.c b/examples/server/server.c index 3805417a9..8b648c622 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -200,7 +200,7 @@ static void Usage(void) DEFAULT_MIN_DHKEY_BITS); #endif #ifdef HAVE_ALPN - printf("-L Application-Layer Protocole Name ({C,F}:)\n"); + printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n"); #endif printf("-d Disable client cert check\n"); printf("-b Bind to any interface instead of localhost only\n"); diff --git a/pull_to_vagrant.sh b/pull_to_vagrant.sh index e2d245632..15d88d97d 100755 --- a/pull_to_vagrant.sh +++ b/pull_to_vagrant.sh @@ -10,4 +10,5 @@ rsync -rvt /$SRC/.git ~/$DST/ rsync -rvt /$SRC/IDE ~/$DST/ rsync -rvt /$SRC/mcapi ~/$DST/ rsync -rvt /$SRC/mplabx ~/$DST/ +rsync -rvt /$SRC/certs ~/$DST/ rsync -rvt /$SRC/configure.ac ~/$DST/ diff --git a/src/internal.c b/src/internal.c index d0c2258fc..a54a76f52 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4450,6 +4450,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, (void)doCrlLookup; #ifdef HAVE_OCSP if (ssl->ctx->cm->ocspEnabled) { + WOLFSSL_MSG("Doing Leaf OCSP check"); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); doCrlLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { @@ -10363,7 +10364,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -11068,7 +11069,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, size, 0)) < 0) @@ -11904,7 +11905,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) return MEMORY_E; /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -12664,7 +12665,7 @@ int DoSessionTicket(WOLFSSL* ssl, return MEMORY_E; /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -12813,7 +12814,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -13454,7 +13455,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -13996,7 +13997,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -15374,7 +15375,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input @@ -15452,7 +15453,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15514,7 +15515,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15602,7 +15603,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15657,7 +15658,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15752,7 +15753,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, diff --git a/src/ssl.c b/src/ssl.c index 292352dc2..c20c2e3aa 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -690,8 +690,9 @@ int wolfSSL_UseSNI(WOLFSSL* ssl, byte type, const void* data, word16 size) return TLSX_UseSNI(&ssl->extensions, type, data, size); } -int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, - const void* data, word16 size) + +int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, const void* data, + word16 size) { if (ctx == NULL) return BAD_FUNC_ARG; @@ -707,17 +708,20 @@ void wolfSSL_SNI_SetOptions(WOLFSSL* ssl, byte type, byte options) TLSX_SNI_SetOptions(ssl->extensions, type, options); } + void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, byte type, byte options) { if (ctx && ctx->extensions) TLSX_SNI_SetOptions(ctx->extensions, type, options); } + byte wolfSSL_SNI_Status(WOLFSSL* ssl, byte type) { return TLSX_SNI_Status(ssl ? ssl->extensions : NULL, type); } + word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) { if (data) @@ -729,6 +733,7 @@ word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) return 0; } + int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, byte type, byte* sni, word32* inOutSz) { @@ -745,6 +750,7 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #ifdef HAVE_MAX_FRAGMENT #ifndef NO_WOLFSSL_CLIENT + int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) { if (ssl == NULL) @@ -753,6 +759,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) return TLSX_UseMaxFragment(&ssl->extensions, mfl); } + int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) { if (ctx == NULL) @@ -760,11 +767,13 @@ int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) return TLSX_UseMaxFragment(&ctx->extensions, mfl); } + #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_MAX_FRAGMENT */ #ifdef HAVE_TRUNCATED_HMAC #ifndef NO_WOLFSSL_CLIENT + int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) { if (ssl == NULL) @@ -773,6 +782,7 @@ int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) return TLSX_UseTruncatedHMAC(&ssl->extensions); } + int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) { if (ctx == NULL) @@ -780,6 +790,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) return TLSX_UseTruncatedHMAC(&ctx->extensions); } + #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_TRUNCATED_HMAC */ @@ -808,6 +819,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name) return TLSX_UseSupportedCurve(&ssl->extensions, name); } + int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) { if (ctx == NULL) @@ -885,7 +897,7 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name) #endif /* HAVE_QSH */ -/* Application-Layer Procotol Name */ +/* Application-Layer Procotol Negotiation */ #ifdef HAVE_ALPN int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, @@ -988,7 +1000,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl) ret = TLSX_UseSecureRenegotiation(&ssl->extensions); if (ret == SSL_SUCCESS) { - TLSX* extension = TLSX_Find(ssl->extensions, SECURE_RENEGOTIATION); + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); if (extension) ssl->secure_renegotiation = (SecureRenegotiation*)extension->data; @@ -2475,7 +2487,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - + if (ret == MP_OKAY) return SSL_SUCCESS; else if (ret == SSL_BAD_FILE) @@ -11849,7 +11861,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn) XFREE(buf, NULL, DYNAMIC_TYPE_ECC); return NULL; } - + return buf; } #else @@ -14872,7 +14884,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group, int ret; (void)ctx; - + WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp"); if (group == NULL || a == NULL || a->internal == NULL || b == NULL || @@ -15342,7 +15354,7 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc, WOLFSSL_MSG("ECC private key file write failed"); return SSL_FAILURE; } - + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); return SSL_SUCCESS; } @@ -15517,7 +15529,7 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, WOLFSSL_MSG("DSA private key file write failed"); return SSL_FAILURE; } - + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); return SSL_SUCCESS; } @@ -17091,4 +17103,3 @@ void* wolfSSL_get_jobject(WOLFSSL* ssl) #endif /* WOLFSSL_JNI */ #endif /* WOLFCRYPT_ONLY */ - diff --git a/src/tls.c b/src/tls.c index 97dc09ef5..ec756a9df 100644 --- a/src/tls.c +++ b/src/tls.c @@ -755,7 +755,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type) { switch (type) { - case SECURE_RENEGOTIATION: /* 0xFF01 */ + case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */ return 63; default: @@ -784,7 +784,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type) /** Creates a new extension. */ static TLSX* TLSX_New(TLSX_Type type, void* data) { - TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX); + TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), NULL, DYNAMIC_TYPE_TLSX); if (extension) { extension->type = type; @@ -845,6 +845,9 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type) #endif +/******************************************************************************/ +/* Application-Layer Protocol Negotiation */ +/******************************************************************************/ #ifdef HAVE_ALPN /** Creates a new ALPN object, providing protocol name to use. */ @@ -981,7 +984,7 @@ static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size) alpn->negociated = 1; - ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn); if (ret != 0) { TLSX_ALPN_Free(alpn); return ret; @@ -1001,9 +1004,10 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, TLSX *extension; ALPN *alpn = NULL, *list; - extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN); + extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) - extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN); + extension = TLSX_Find(ssl->ctx->extensions, + TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL || extension->data == NULL) { WOLFSSL_MSG("No ALPN extensions not used or bad"); @@ -1088,7 +1092,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, /* reply to ALPN extension sent from client */ if (isRequest) { #ifndef NO_WOLFSSL_SERVER - TLSX_SetResponse(ssl, WOLFSSL_ALPN); + TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL); #endif } @@ -1114,9 +1118,10 @@ int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options) /* Set Options of ALPN */ alpn->options = options; - extension = TLSX_Find(*extensions, WOLFSSL_ALPN); + extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) { - ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, + (void*)alpn); if (ret != 0) { TLSX_ALPN_Free(alpn); return ret; @@ -1140,7 +1145,7 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) if (extensions == NULL || data == NULL || dataSz == NULL) return BAD_FUNC_ARG; - extension = TLSX_Find(extensions, WOLFSSL_ALPN); + extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) { WOLFSSL_MSG("TLS extension not found"); return SSL_ALPN_NOT_FOUND; @@ -1192,13 +1197,16 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) #endif /* HAVE_ALPN */ -/* Server Name Indication */ +/******************************************************************************/ +/* Server Name Indication */ +/******************************************************************************/ + #ifdef HAVE_SNI /** Creates a new SNI object. */ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size) { - SNI* sni = (SNI*)XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX); + SNI* sni = (SNI*)XMALLOC(sizeof(SNI), NULL, DYNAMIC_TYPE_TLSX); if (sni) { sni->type = type; @@ -1211,7 +1219,7 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size) switch (sni->type) { case WOLFSSL_SNI_HOST_NAME: - sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX); + sni->data.host_name = XMALLOC(size+1, NULL, DYNAMIC_TYPE_TLSX); if (sni->data.host_name) { XSTRNCPY(sni->data.host_name, (const char*)data, size); @@ -1325,7 +1333,7 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type) /** Sets the status of a SNI object. */ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1335,7 +1343,7 @@ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) /** Gets the status of a SNI object. */ byte TLSX_SNI_Status(TLSX* extensions, byte type) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1356,10 +1364,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, int cacheOnly = 0; #endif - TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); + TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); if (!extension) - extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); + extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); (void)isRequest; (void)input; @@ -1438,7 +1446,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, TLSX_SNI_SetStatus(ssl->extensions, type, matchStat); if(!cacheOnly) - TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); + TLSX_SetResponse(ssl, TLSX_SERVER_NAME); } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { SendAlert(ssl, alert_fatal, unrecognized_name); @@ -1461,8 +1469,8 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) if (isRequest) { #ifndef NO_WOLFSSL_SERVER - TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); - TLSX* ssl_ext = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); + TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); + TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL; SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL; SNI* sni = NULL; @@ -1502,7 +1510,7 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) { - TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(*extensions, TLSX_SERVER_NAME); SNI* sni = NULL; if (extensions == NULL || data == NULL) @@ -1512,7 +1520,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) return MEMORY_E; if (!extension) { - int ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni); + int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni); if (ret != 0) { TLSX_SNI_Free(sni); return ret; @@ -1546,7 +1554,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) /** Tells the SNI requested by the client. */ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) { @@ -1563,7 +1571,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) /** Sets the options for a SNI object. */ void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1681,7 +1689,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, if (helloSz < offset + extLen) return BUFFER_ERROR; - if (extType != SERVER_NAME_INDICATION) { + if (extType != TLSX_SERVER_NAME) { offset += extLen; /* skip extension */ } else { word16 listLen; @@ -1739,6 +1747,10 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #endif /* HAVE_SNI */ +/******************************************************************************/ +/* Max Fragment Length Negotiation */ +/******************************************************************************/ + #ifdef HAVE_MAX_FRAGMENT static word16 TLSX_MFL_Write(byte* data, byte* output) @@ -1775,7 +1787,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length, if (r != SSL_SUCCESS) return r; /* throw error */ - TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH); + TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH); } #endif @@ -1793,13 +1805,13 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl) return BAD_FUNC_ARG; - if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((data = XMALLOC(ENUM_LEN, NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; data[0] = mfl; /* push new MFL extension. */ - if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data)) != 0) { XFREE(data, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -1822,6 +1834,10 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) #endif /* HAVE_MAX_FRAGMENT */ +/******************************************************************************/ +/* Truncated HMAC */ +/******************************************************************************/ + #ifdef HAVE_TRUNCATED_HMAC static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, @@ -1836,9 +1852,10 @@ static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, if (isRequest) { int r = TLSX_UseTruncatedHMAC(&ssl->extensions); - if (r != SSL_SUCCESS) return r; /* throw error */ + if (r != SSL_SUCCESS) + return r; /* throw error */ - TLSX_SetResponse(ssl, TRUNCATED_HMAC); + TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC); } #endif @@ -1854,7 +1871,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) if (extensions == NULL) return BAD_FUNC_ARG; - if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0) + if ((ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL)) != 0) return ret; return SSL_SUCCESS; @@ -1868,6 +1885,10 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) #endif /* HAVE_TRUNCATED_HMAC */ +/******************************************************************************/ +/* Supported Elliptic Curves */ +/******************************************************************************/ + #ifdef HAVE_SUPPORTED_CURVES #ifndef HAVE_ECC @@ -1887,12 +1908,14 @@ static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list) static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name) { - EllipticCurve* curve; + EllipticCurve* curve = NULL; if (list == NULL) return BAD_FUNC_ARG; - if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL) + curve = (EllipticCurve*)XMALLOC(sizeof(EllipticCurve), NULL, + DYNAMIC_TYPE_TLSX); + if (curve == NULL) return MEMORY_E; curve->name = name; @@ -1914,7 +1937,7 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) return; /* turns semaphore on to avoid sending this extension. */ - TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES)); + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); } static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) @@ -1988,7 +2011,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length, int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { TLSX* extension = (first == ECC_BYTE) - ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES) + ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) : NULL; EllipticCurve* curve = NULL; word32 oid = 0; @@ -2097,7 +2120,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) { - TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES); + TLSX* extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); EllipticCurve* curve = NULL; int ret = 0; @@ -2108,7 +2131,7 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) return ret; if (!extension) { - if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve)) != 0) { XFREE(curve, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -2161,6 +2184,10 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) #endif /* HAVE_SUPPORTED_CURVES */ +/******************************************************************************/ +/* Renegotiation Indication */ +/******************************************************************************/ + #ifdef HAVE_SECURE_RENEGOTIATION static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data, @@ -2259,7 +2286,7 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions) XMEMSET(data, 0, sizeof(SecureRenegotiation)); - ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data); + ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data); if (ret != 0) { XFREE(data, 0, DYNAMIC_TYPE_TLSX); return ret; @@ -2283,11 +2310,15 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions) #endif /* HAVE_SECURE_RENEGOTIATION */ +/******************************************************************************/ +/* Session Tickets */ +/******************************************************************************/ + #ifdef HAVE_SESSION_TICKET static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) { - TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET); + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); SessionTicket* ticket = extension ? extension->data : NULL; if (ticket) { @@ -2345,7 +2376,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, ret = TLSX_UseSessionTicket(&ssl->extensions, NULL); if (ret == SSL_SUCCESS) { ret = 0; - TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */ + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ ssl->options.createTicket = 1; /* will send ticket msg */ ssl->options.useTicket = 1; } @@ -2361,7 +2392,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, ret = TLSX_UseSessionTicket(&ssl->extensions, NULL); if (ret == SSL_SUCCESS) { ret = 0; - TLSX_SetResponse(ssl, SESSION_TICKET); + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ ssl->options.createTicket = 1; /* will send ticket msg */ ssl->options.useTicket = 1; @@ -2416,7 +2447,7 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket) /* If the ticket is NULL, the client will request a new ticket from the server. Otherwise, the client will use it in the next client hello. */ - if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0) + if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket)) != 0) return ret; return SSL_SUCCESS; @@ -2436,6 +2467,9 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket) #endif /* HAVE_SESSION_TICKET */ +/******************************************************************************/ +/* Quantum-Safe-Hybrid */ +/******************************************************************************/ #ifdef HAVE_QSH static WC_RNG* rng; @@ -2459,7 +2493,7 @@ static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub, if (list == NULL) return BAD_FUNC_ARG; - if ((temp = XMALLOC(sizeof(QSHScheme), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = name; @@ -2499,7 +2533,7 @@ static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore) return; /* No QSH suite found */ - TURN_ON(semaphore, TLSX_ToSemaphore(WOLFSSL_QSH)); + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID)); } @@ -2610,7 +2644,7 @@ word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output) static void TLSX_QSHAgreement(TLSX** extensions) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; QSHScheme* delete = NULL; QSHScheme* prev = NULL; @@ -2735,7 +2769,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, while ((offset_len < offset_pk) && numKeys) { QSHKey * temp; - if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; /* initialize */ @@ -2768,7 +2802,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, /* read in public key */ if (PKLen > 0) { temp->pub.buffer = (byte*)XMALLOC(temp->pub.length, - 0, DYNAMIC_TYPE_PUBLIC_KEY); + NULL, DYNAMIC_TYPE_PUBLIC_KEY); XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length); offset_len += PKLen; } @@ -2797,7 +2831,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, /* reply to a QSH extension sent from client */ if (isRequest) { - TLSX_SetResponse(ssl, WOLFSSL_QSH); + TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID); /* only use schemes we have key generated for -- free the rest */ TLSX_QSHAgreement(&ssl->extensions); } @@ -2903,7 +2937,7 @@ int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length, /* return 1 on success */ int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; /* if no extension is sent then do not use QSH */ @@ -2947,7 +2981,7 @@ static int TLSX_HaveQSHScheme(word16 name) /* Add a QSHScheme struct to list of usable ones */ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; int ret = 0; @@ -2961,7 +2995,8 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) return ret; if (!extension) { - if ((ret = TLSX_Push(extensions, WOLFSSL_QSH, format)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format)) + != 0) { XFREE(format, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -3018,6 +3053,9 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) #endif /* HAVE_QSH */ +/******************************************************************************/ +/* TLS Extensions Framework */ +/******************************************************************************/ /** Finds an extension in the provided list. */ TLSX* TLSX_Find(TLSX* list, TLSX_Type type) @@ -3040,35 +3078,35 @@ void TLSX_FreeAll(TLSX* list) switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: SNI_FREE_ALL((SNI*)extension->data); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: MFL_FREE_ALL(extension->data); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* Nothing to do. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: EC_FREE_ALL(extension->data); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: SCR_FREE_ALL(extension->data); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: /* Nothing to do. */ break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: QSH_FREE_ALL(extension->data); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: ALPN_FREE_ALL((ALPN*)extension->data); break; } @@ -3105,37 +3143,37 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: /* SNI only sends the name on the request. */ if (isRequest) length += SNI_GET_SIZE(extension->data); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: length += MFL_GET_SIZE(extension->data); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* always empty. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: length += EC_GET_SIZE(extension->data); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: length += SCR_GET_SIZE(extension->data, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: length += STK_GET_SIZE(extension->data, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: length += QSH_GET_SIZE(extension->data, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: length += ALPN_GET_SIZE(extension->data); break; @@ -3175,34 +3213,34 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, /* extension data should be written internally. */ switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: if (isRequest) offset += SNI_WRITE(extension->data, output + offset); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: offset += MFL_WRITE(extension->data, output + offset); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* always empty. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: offset += EC_WRITE(extension->data, output + offset); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: offset += SCR_WRITE(extension->data, output + offset, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: offset += STK_WRITE(extension->data, output + offset, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: if (isRequest) { offset += QSH_WRITE(extension->data, output + offset); } @@ -3210,7 +3248,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, offset += QSH_SERREQ(output + offset, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: offset += ALPN_WRITE(extension->data, output + offset); break; } @@ -3234,14 +3272,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes) int ret = 0; if (rng == NULL) { - if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((rng = XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; wc_InitRng(rng); } if (rngMutex == NULL) { - if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0, - DYNAMIC_TYPE_TLSX)) == NULL) + if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; InitMutex(rngMutex); } @@ -3360,7 +3398,7 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) return ret; } - if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = type; temp->pub.length = public_key_len; @@ -3471,7 +3509,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) } else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { /* for each scheme make a client key */ - extension = TLSX_Find(ssl->extensions, WOLFSSL_QSH); + extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); if (extension) { qsh = (QSHScheme*)extension->data; @@ -3596,7 +3634,7 @@ word16 TLSX_GetResponseSize(WOLFSSL* ssl) #ifdef HAVE_QSH /* change response if not using TLS_QSH */ if (!ssl->options.haveQSH) { - TLSX* ext = TLSX_Find(ssl->extensions, WOLFSSL_QSH); + TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); if (ext) ext->resp = 0; } @@ -3661,49 +3699,49 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, return BUFFER_ERROR; switch (type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: WOLFSSL_MSG("SNI extension received"); ret = SNI_PARSE(ssl, input + offset, size, isRequest); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: WOLFSSL_MSG("Max Fragment Length extension received"); ret = MFL_PARSE(ssl, input + offset, size, isRequest); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: WOLFSSL_MSG("Truncated HMAC extension received"); ret = THM_PARSE(ssl, input + offset, size, isRequest); break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: WOLFSSL_MSG("Elliptic Curves extension received"); ret = EC_PARSE(ssl, input + offset, size, isRequest); break; - case SECURE_RENEGOTIATION: + case TLSX_RENEGOTIATION_INFO: WOLFSSL_MSG("Secure Renegotiation extension received"); ret = SCR_PARSE(ssl, input + offset, size, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: WOLFSSL_MSG("Session Ticket extension received"); ret = STK_PARSE(ssl, input + offset, size, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: WOLFSSL_MSG("Quantum-Safe-Hybrid extension received"); ret = QSH_PARSE(ssl, input + offset, size, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: WOLFSSL_MSG("ALPN extension received"); ret = ALPN_PARSE(ssl, input + offset, size, isRequest); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5eeae21d4..3cc87a979 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8602,8 +8602,13 @@ static int DecodeResponseData(byte* source, if (DecodeSingleResponse(source, &idx, resp, size) < 0) return ASN_PARSE_E; - if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) - return ASN_PARSE_E; + /* + * Check the length of the ResponseData against the current index to + * see if there are extensions, they are optional. + */ + if (idx - prev_idx < resp->responseSz) + if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) + return ASN_PARSE_E; *ioIndex = idx; return 0; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d65665ec0..0540b7df2 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -868,7 +868,7 @@ enum Misc { COMP_LEN = 1, /* compression length */ CURVE_LEN = 2, /* ecc named curve length */ SERVER_ID_LEN = 20, /* server session id length */ - + HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */ RECORD_HEADER_SZ = 5, /* type + version + len(2) */ CERT_HEADER_SZ = 3, /* always 3 bytes */ @@ -897,7 +897,7 @@ enum Misc { MAX_PRF_LABSEED = 128, /* Maximum label + seed len */ MAX_PRF_DIG = 224, /* Maximum digest len */ MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */ - SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ + SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ RC4_KEY_SIZE = 16, /* always 128bit */ DES_KEY_SIZE = 8, /* des */ @@ -1156,7 +1156,7 @@ enum { /* only the sniffer needs space in the buffer for extra MTU record(s) */ #ifdef WOLFSSL_SNIFFER - #define MTU_EXTRA MAX_MTU * 3 + #define MTU_EXTRA MAX_MTU * 3 #else #define MTU_EXTRA 0 #endif @@ -1174,9 +1174,9 @@ enum { #define RECORD_SIZE MAX_RECORD_SIZE #else #ifdef WOLFSSL_DTLS - #define RECORD_SIZE MAX_MTU + #define RECORD_SIZE MAX_MTU #else - #define RECORD_SIZE 128 + #define RECORD_SIZE 128 #endif #endif @@ -1263,14 +1263,14 @@ typedef struct OCSP_Entry OCSP_Entry; #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE #endif -#ifdef NO_ASN +#ifdef NO_ASN /* no_asn won't have */ typedef struct CertStatus CertStatus; #endif struct OCSP_Entry { OCSP_Entry* next; /* next entry */ - byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ + byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ CertStatus* status; /* OCSP response list */ int totalStatus; /* number on list */ @@ -1307,8 +1307,8 @@ typedef struct CRL_Entry CRL_Entry; /* Complete CRL */ struct CRL_Entry { CRL_Entry* next; /* next entry */ - byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ - /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ + byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ + /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte nextDate[MAX_DATE_SIZE]; /* next update date */ @@ -1456,18 +1456,18 @@ typedef struct Keys { -/* RFC 6066 TLS Extensions */ +/** TLS Extensions - RFC 6066 */ #ifdef HAVE_TLS_EXTENSIONS typedef enum { - SERVER_NAME_INDICATION = 0x0000, - MAX_FRAGMENT_LENGTH = 0x0001, - TRUNCATED_HMAC = 0x0004, - ELLIPTIC_CURVES = 0x000a, - SESSION_TICKET = 0x0023, - SECURE_RENEGOTIATION = 0xff01, - WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */ - WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */ + TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ + TLSX_MAX_FRAGMENT_LENGTH = 0x0001, + TLSX_TRUNCATED_HMAC = 0x0004, + TLSX_SUPPORTED_GROUPS = 0x000a, + TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ + TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ + TLSX_SESSION_TICKET = 0x0023, + TLSX_RENEGOTIATION_INFO = 0xff01 } TLSX_Type; typedef struct TLSX { @@ -1495,19 +1495,20 @@ WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output); WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, Suites *suites); -#elif defined(HAVE_SNI) \ - || defined(HAVE_MAX_FRAGMENT) \ - || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_SUPPORTED_CURVES) \ - || defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SESSION_TICKET) \ - || defined(HAVE_ALPN) +#elif defined(HAVE_SNI) \ + || defined(HAVE_MAX_FRAGMENT) \ + || defined(HAVE_TRUNCATED_HMAC) \ + || defined(HAVE_SUPPORTED_CURVES) \ + || defined(HAVE_ALPN) \ + || defined(HAVE_QSH) \ + || defined(HAVE_SESSION_TICKET) \ + || defined(HAVE_SECURE_RENEGOTIATION) #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. #endif /* HAVE_TLS_EXTENSIONS */ -/* Server Name Indication */ +/** Server Name Indication - RFC 6066 (session 3) */ #ifdef HAVE_SNI typedef struct SNI { @@ -1535,7 +1536,7 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz, #endif /* HAVE_SNI */ -/* Application-layer Protocol Name */ +/* Application-Layer Protocol Negotiation - RFC 7301 */ #ifdef HAVE_ALPN typedef struct ALPN { char* protocol_name; /* ALPN protocol name */ @@ -1554,19 +1555,21 @@ WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option); #endif /* HAVE_ALPN */ -/* Maximum Fragment Length */ +/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */ #ifdef HAVE_MAX_FRAGMENT WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl); #endif /* HAVE_MAX_FRAGMENT */ +/** Truncated HMAC - RFC 6066 (session 7) */ #ifdef HAVE_TRUNCATED_HMAC WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ +/** Supported Elliptic Curves - RFC 4492 (session 4) */ #ifdef HAVE_SUPPORTED_CURVES typedef struct EllipticCurve { @@ -1583,6 +1586,7 @@ WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, #endif /* HAVE_SUPPORTED_CURVES */ +/** Renegotiation Indication - RFC 5746 */ #ifdef HAVE_SECURE_RENEGOTIATION enum key_cache_state { @@ -1593,7 +1597,6 @@ enum key_cache_state { SCR_CACHE_COMPLETE /* complete restore to real keys */ }; - /* Additional Conection State according to rfc5746 section 3.1 */ typedef struct SecureRenegotiation { byte enabled; /* secure_renegotiation flag in rfc */ @@ -1609,6 +1612,7 @@ WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions); #endif /* HAVE_SECURE_RENEGOTIATION */ +/** Session Ticket - RFC 5077 (session 3.2) */ #ifdef HAVE_SESSION_TICKET typedef struct SessionTicket { @@ -1617,13 +1621,15 @@ typedef struct SessionTicket { word16 size; } SessionTicket; -WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket); WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, byte* data, word16 size); WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket); + #endif /* HAVE_SESSION_TICKET */ +/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */ #ifdef HAVE_QSH typedef struct QSHScheme { @@ -1753,7 +1759,7 @@ struct WOLFSSL_CTX { CallbackEccSign EccSignCb; /* User EccSign Callback handler */ CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */ #endif /* HAVE_ECC */ - #ifndef NO_RSA + #ifndef NO_RSA CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */ CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */ CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */ @@ -1803,7 +1809,7 @@ void InitCipherSpecs(CipherSpecs* cs); /* Supported Message Authentication Codes from page 43 */ -enum MACAlgorithm { +enum MACAlgorithm { no_mac, md5_mac, sha_mac, @@ -1817,10 +1823,10 @@ enum MACAlgorithm { /* Supported Key Exchange Protocols */ -enum KeyExchangeAlgorithm { +enum KeyExchangeAlgorithm { no_kea, - rsa_kea, - diffie_hellman_kea, + rsa_kea, + diffie_hellman_kea, fortezza_kea, psk_kea, dhe_psk_kea, @@ -1846,8 +1852,8 @@ enum EccCurves { /* Valid client certificate request types from page 27 */ -enum ClientCertificateType { - rsa_sign = 1, +enum ClientCertificateType { + rsa_sign = 1, dss_sign = 2, rsa_fixed_dh = 3, dss_fixed_dh = 4, @@ -2177,7 +2183,7 @@ struct WOLFSSL_X509_NAME { #define EXTERNAL_SERIAL_SIZE 32 #endif -#ifdef NO_ASN +#ifdef NO_ASN typedef struct DNS_entry DNS_entry; #endif @@ -2529,20 +2535,20 @@ typedef struct EncryptedInfo { #ifdef WOLFSSL_CALLBACKS WOLFSSL_LOCAL void InitHandShakeInfo(HandShakeInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void FinishHandShakeInfo(HandShakeInfo*, const WOLFSSL*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddPacketName(const char*, HandShakeInfo*); WOLFSSL_LOCAL void InitTimeoutInfo(TimeoutInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void FreeTimeoutInfo(TimeoutInfo*, void*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddPacketInfo(const char*, TimeoutInfo*, const byte*, int, void*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddLateName(const char*, TimeoutInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info); #endif @@ -2550,10 +2556,10 @@ typedef struct EncryptedInfo { /* Record Layer Header identifier from page 12 */ enum ContentType { no_type = 0, - change_cipher_spec = 20, - alert = 21, - handshake = 22, - application_data = 23 + change_cipher_spec = 20, + alert = 21, + handshake = 22, + application_data = 23 }; @@ -2576,16 +2582,16 @@ typedef struct DtlsHandShakeHeader { enum HandShakeType { no_shake = -1, - hello_request = 0, - client_hello = 1, + hello_request = 0, + client_hello = 1, server_hello = 2, hello_verify_request = 3, /* DTLS addition */ session_ticket = 4, - certificate = 11, + certificate = 11, server_key_exchange = 12, - certificate_request = 13, + certificate_request = 13, server_hello_done = 14, - certificate_verify = 15, + certificate_verify = 15, client_key_exchange = 16, finished = 20, certificate_status = 22, @@ -2685,7 +2691,7 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength); #endif /* WOLFSSL_DTLS */ #ifndef NO_TLS - + #endif /* NO_TLS */ @@ -2721,4 +2727,3 @@ WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side); #endif #endif /* wolfSSL_INT_H */ - diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index d852d2be1..c11d3d5fd 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -166,35 +166,35 @@ typedef struct WOLFSSL_X509_STORE_CTX { /* Valid Alert types from page 16/17 */ enum AlertDescription { - close_notify = 0, - unexpected_message = 10, - bad_record_mac = 20, - record_overflow = 22, - decompression_failure = 30, - handshake_failure = 40, - no_certificate = 41, - bad_certificate = 42, - unsupported_certificate = 43, - certificate_revoked = 44, - certificate_expired = 45, - certificate_unknown = 46, - illegal_parameter = 47, - decrypt_error = 51, + close_notify = 0, + unexpected_message = 10, + bad_record_mac = 20, + record_overflow = 22, + decompression_failure = 30, + handshake_failure = 40, + no_certificate = 41, + bad_certificate = 42, + unsupported_certificate = 43, + certificate_revoked = 44, + certificate_expired = 45, + certificate_unknown = 46, + illegal_parameter = 47, + decrypt_error = 51, #ifdef WOLFSSL_MYSQL_COMPATIBLE /* catch name conflict for enum protocol with MYSQL build */ - wc_protocol_version = 70, + wc_protocol_version = 70, #else - protocol_version = 70, + protocol_version = 70, #endif - no_renegotiation = 100, - unrecognized_name = 112, - no_application_protocol = 120 + no_renegotiation = 100, + unrecognized_name = 112, /**< RFC 6066, section 3 */ + no_application_protocol = 120 }; enum AlertLevel { alert_warning = 1, - alert_fatal = 2 + alert_fatal = 2 }; @@ -1349,7 +1349,7 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer( #endif #endif -/* Application-Layer Protocol Name */ +/* Application-Layer Protocol Negotiation */ #ifdef HAVE_ALPN /* ALPN status code */ diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index b39114fa4..48e0412c2 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -779,4 +779,3 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*); #endif /* !NO_ASN */ #endif /* WOLF_CRYPT_ASN_H */ - From daf3155d3cc877f5cc353118cb83ca595066a973 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Fri, 23 Oct 2015 17:08:15 -0300 Subject: [PATCH 002/177] adds partial client support to TLS Extension Status Request, a.k.a. OCSP stapling; missing: - compare OcspRequest and OcspResponse; - execute contingence plan; - add nonce extension; --- configure.ac | 13 ++++ examples/client/client.c | 21 ++++-- src/internal.c | 140 ++++++++++++++++++++++++++++++++++-- src/ssl.c | 21 ++++++ src/tls.c | 152 +++++++++++++++++++++++++++++++++++++++ wolfcrypt/src/asn.c | 46 ++++++------ wolfssl/internal.h | 20 +++++- wolfssl/ssl.h | 19 +++++ 8 files changed, 401 insertions(+), 31 deletions(-) diff --git a/configure.ac b/configure.ac index fff155a7f..6a7574b7a 100644 --- a/configure.ac +++ b/configure.ac @@ -1595,6 +1595,18 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC" fi +# Certificate Status Request : a.k.a. OCSP stapling +AC_ARG_ENABLE([statusrequest], + [ --enable-statusrequest Enable Certificate Status Request (default: disabled)], + [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ], + [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] + ) + +if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST" +fi + # Renegotiation Indication - (FAKE Secure Renegotiation) AC_ARG_ENABLE([renegotiation-indication], [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])], @@ -2492,6 +2504,7 @@ echo " * Server Name Indication: $ENABLED_SNI" echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" +echo " * Status Request: $ENABLED_CERTIFICATE_STATUS_REQUEST" echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * Session Ticket: $ENABLED_SESSION_TICKET" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" diff --git a/examples/client/client.c b/examples/client/client.c index 533621d19..b3a11e407 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -425,7 +425,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) byte maxFragment = 0; #endif #ifdef HAVE_TRUNCATED_HMAC - byte truncatedHMAC = 0; + byte truncatedHMAC = 0; +#endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + byte statusRequest = 0; #endif @@ -465,8 +468,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) StackTrap(); while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:")) - != -1) { + "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) { switch (ch) { case '?' : Usage(); @@ -653,6 +655,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif break; + case 'W' : + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + statusRequest = 1; + #endif + break; + case 'o' : #ifdef HAVE_OCSP useOcsp = 1; @@ -938,6 +946,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS) err_sys("UseTruncatedHMAC failed"); #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (statusRequest) + if (wolfSSL_CTX_UseCertificateStatusRequest(ctx, WOLFSSL_CSR_OCSP) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); +#endif #ifdef HAVE_SESSION_TICKET if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS) err_sys("UseSessionTicket failed"); @@ -1320,4 +1334,3 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif - diff --git a/src/internal.c b/src/internal.c index a54a76f52..f0b998e14 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4357,7 +4357,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (ret == 0) { int doCrlLookup = 1; - (void)doCrlLookup; #ifdef HAVE_OCSP if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); @@ -4380,6 +4379,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("\tCRL check not ok"); } } +#else + (void)doCrlLookup; #endif /* HAVE_CRL */ } #endif /* HAVE_OCSP || HAVE_CRL */ @@ -4447,7 +4448,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (fatal == 0) { int doCrlLookup = 1; - (void)doCrlLookup; #ifdef HAVE_OCSP if (ssl->ctx->cm->ocspEnabled) { WOLFSSL_MSG("Doing Leaf OCSP check"); @@ -4469,6 +4469,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, fatal = 0; } } +#else + (void)doCrlLookup; #endif /* HAVE_CRL */ } #endif /* HAVE_OCSP || HAVE_CRL */ @@ -4776,6 +4778,101 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, return ret; } + +static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, + word32 size) +{ + int ret = 0; + byte status_type; + word32 status_length; + + if (size < ENUM_LEN + OPAQUE24_LEN) + return BUFFER_ERROR; + + status_type = input[(*inOutIdx)++]; + + c24to32(input + *inOutIdx, &status_length); + *inOutIdx += OPAQUE24_LEN; + + if (size != ENUM_LEN + OPAQUE24_LEN + status_length) + return BUFFER_ERROR; + + switch (status_type) { + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + + case WOLFSSL_CSR_OCSP: { + + #ifdef WOLFSSL_SMALL_STACK + CertStatus* status; + OcspResponse* response; + #else + CertStatus status[1]; + OcspResponse response[1]; + #endif + + do { + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->status_request) { + ssl->status_request = 0; + break; + } + #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + ssl->status_request_v2 = 0; + break; + } + #endif + return BUFFER_ERROR; + } while(0); + + #ifdef WOLFSSL_SMALL_STACK + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (status == NULL || response == NULL) { + if (status) XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response) XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return MEMORY_ERROR; + } + #endif + + InitOcspResponse(response, status, input +*inOutIdx, status_length); + + if ((ret = OcspResponseDecode(response)) == 0) { + if (response->responseStatus != OCSP_SUCCESSFUL) + ret = FATAL_ERROR; + /* TODO CSR */ + /*else if (CompareOcspReqResp(request, response) != 0) + ret = FATAL_ERROR; */ + else if (response->status->status != CERT_GOOD) + ret = FATAL_ERROR; + } + + *inOutIdx += status_length; + + #ifdef WOLFSSL_SMALL_STACK + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + } + break; + #endif + + default: + ret = BUFFER_ERROR; + } + + if (ret != 0) + SendAlert(ssl, alert_fatal, bad_certificate_status_response); + + return ret; +} + #endif /* !NO_CERTS */ @@ -4971,6 +5068,26 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) #endif break; +#ifndef NO_WOLFSSL_CLIENT + case certificate_status: + if (ssl->msgsReceived.got_certificate_status) { + WOLFSSL_MSG("Duplicate CertificateSatatus received"); + return DUPLICATE_MSG_E; + } + ssl->msgsReceived.got_certificate_status = 1; + + if (ssl->msgsReceived.got_certificate == 0) { + WOLFSSL_MSG("No Certificate before CertificateStatus"); + return OUT_OF_ORDER_E; + } + if (ssl->msgsReceived.got_server_key_exchange != 0) { + WOLFSSL_MSG("CertificateStatus after ServerKeyExchange"); + return OUT_OF_ORDER_E; + } + + break; +#endif + #ifndef NO_WOLFSSL_CLIENT case server_key_exchange: if (ssl->msgsReceived.got_server_key_exchange) { @@ -4979,10 +5096,18 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) } ssl->msgsReceived.got_server_key_exchange = 1; - if ( ssl->msgsReceived.got_server_hello == 0) { - WOLFSSL_MSG("No ServerHello before Cert"); + if (ssl->msgsReceived.got_server_hello == 0) { + WOLFSSL_MSG("No ServerHello before ServerKeyExchange"); return OUT_OF_ORDER_E; } + if (ssl->msgsReceived.got_certificate_status == 0) { +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->status_request) { + WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); + return OUT_OF_ORDER_E; + } +#endif + } break; #endif @@ -5224,7 +5349,12 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifndef NO_CERTS case certificate: WOLFSSL_MSG("processing certificate"); - ret = DoCertificate(ssl, input, inOutIdx, size); + ret = DoCertificate(ssl, input, inOutIdx, size); + break; + + case certificate_status: + WOLFSSL_MSG("processing certificate status"); + ret = DoCertificateStatus(ssl, input, inOutIdx, size); break; #endif diff --git a/src/ssl.c b/src/ssl.c index c20c2e3aa..8b5a2efb8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -794,6 +794,27 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_TRUNCATED_HMAC */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type) +{ + if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type); +} + + +int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type) +{ + if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type); +} + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ + /* Elliptic Curves */ #ifdef HAVE_SUPPORTED_CURVES #ifndef NO_WOLFSSL_CLIENT diff --git a/src/tls.c b/src/tls.c index ec756a9df..668951b3a 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1885,6 +1885,139 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) #endif /* HAVE_TRUNCATED_HMAC */ +/******************************************************************************/ +/* Certificate Status Request */ +/******************************************************************************/ + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +#ifndef HAVE_OCSP +#error Status Request Extension requires OCSP. \ + Use --enable-ocsp in the configure script or define HAVE_OCSP. +#endif + +static void TLSX_CSR_Free(CertificateStatusRequest* csr) +{ + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + /* nothing to release for now... */ + break; + } + + XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); +} + +static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) +{ + /* shut up compiler warnings */ + (void) csr; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + return ENUM_LEN + 2 * OPAQUE16_LEN; + } + } +#endif + + return 0; +} + +static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, + byte isRequest) +{ + /* shut up compiler warnings */ + (void) csr; (void) output; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + word16 offset = 0; + + /* type */ + output[offset++] = csr->status_type; + + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + /* responder id list */ + c16toa(0, output + offset); + offset += OPAQUE16_LEN; + + /* request extensions */ + c16toa(0, output + offset); + offset += OPAQUE16_LEN; + break; + } + + return offset; + } +#endif + + return 0; +} + +static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, + byte isRequest) +{ + /* shut up compiler warnings */ + (void) ssl; (void) input; + + if (!isRequest) { + ssl->status_request = 1; + + return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ + } + + return 0; +} + +int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) +{ + CertificateStatusRequest* csr = NULL; + int ret = 0; + + if (!extensions) + return BAD_FUNC_ARG; + + csr = (CertificateStatusRequest*)XMALLOC(sizeof(CertificateStatusRequest), + NULL, DYNAMIC_TYPE_TLSX); + if (!csr) + return MEMORY_E; + + csr->status_type = status_type; + + switch (status_type) { + case WOLFSSL_CSR_OCSP: + /* nothing to handle for now... */ + break; + + default: + XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); + return BAD_FUNC_ARG; + } + + if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr)) != 0) { + XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); + return ret; + } + + return SSL_SUCCESS; +} + +#define CSR_FREE_ALL TLSX_CSR_Free +#define CSR_GET_SIZE TLSX_CSR_GetSize +#define CSR_WRITE TLSX_CSR_Write +#define CSR_PARSE TLSX_CSR_Parse + +#else + +#define CSR_FREE_ALL(data) +#define CSR_GET_SIZE(a, b) 0 +#define CSR_WRITE(a, b, c) 0 +#define CSR_PARSE(a, b, c, d) 0 + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ + /******************************************************************************/ /* Supported Elliptic Curves */ /******************************************************************************/ @@ -3094,6 +3227,10 @@ void TLSX_FreeAll(TLSX* list) EC_FREE_ALL(extension->data); break; + case TLSX_STATUS_REQUEST: + CSR_FREE_ALL(extension->data); + break; + case TLSX_RENEGOTIATION_INFO: SCR_FREE_ALL(extension->data); break; @@ -3161,6 +3298,10 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) length += EC_GET_SIZE(extension->data); break; + case TLSX_STATUS_REQUEST: + length += CSR_GET_SIZE(extension->data, isRequest); + break; + case TLSX_RENEGOTIATION_INFO: length += SCR_GET_SIZE(extension->data, isRequest); break; @@ -3230,6 +3371,11 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, offset += EC_WRITE(extension->data, output + offset); break; + case TLSX_STATUS_REQUEST: + offset += CSR_WRITE(extension->data, output + offset, + isRequest); + break; + case TLSX_RENEGOTIATION_INFO: offset += SCR_WRITE(extension->data, output + offset, isRequest); @@ -3723,6 +3869,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, ret = EC_PARSE(ssl, input + offset, size, isRequest); break; + case TLSX_STATUS_REQUEST: + WOLFSSL_MSG("Certificate Status Request extension received"); + + ret = CSR_PARSE(ssl, input + offset, size, isRequest); + break; + case TLSX_RENEGOTIATION_INFO: WOLFSSL_MSG("Secure Renegotiation extension received"); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 3cc87a979..0ac8a3b67 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -43,7 +43,11 @@ #include #include - +#ifdef NO_INLINE + #include +#else + #include +#endif #ifndef NO_RC4 #include @@ -8856,18 +8860,11 @@ int EncodeOcspRequest(OcspRequest* req) algoSz = SetAlgoID(SHAh, algoArray, hashType, 0); #endif - req->issuerHash = req->cert->issuerHash; - issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray); + issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray); + issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray); + snSz = SetSerialNumber(req->serial, req->serialSz, snArray); + extSz = 0; - req->issuerKeyHash = req->cert->issuerKeyHash; - issuerKeySz = SetDigest(req->cert->issuerKeyHash, - KEYID_SIZE, issuerKeyArray); - - req->serial = req->cert->serial; - req->serialSz = req->cert->serialSz; - snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray); - - extSz = 0; if (req->useNonce) { WC_RNG rng; if (wc_InitRng(&rng) != 0) { @@ -8885,25 +8882,30 @@ int EncodeOcspRequest(OcspRequest* req) } totalSz = algoSz + issuerSz + issuerKeySz + snSz; - for (i = 4; i >= 0; i--) { seqSz[i] = SetSequence(totalSz, seqArray[i]); totalSz += seqSz[i]; if (i == 2) totalSz += extSz; } + totalSz = 0; for (i = 0; i < 5; i++) { XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); totalSz += seqSz[i]; } + XMEMCPY(output + totalSz, algoArray, algoSz); totalSz += algoSz; + XMEMCPY(output + totalSz, issuerArray, issuerSz); totalSz += issuerSz; + XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz); totalSz += issuerKeySz; + XMEMCPY(output + totalSz, snArray, snSz); totalSz += snSz; + if (extSz != 0) { XMEMCPY(output + totalSz, extArray, extSz); totalSz += extSz; @@ -8918,14 +8920,16 @@ void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, { WOLFSSL_ENTER("InitOcspRequest"); - req->cert = cert; - req->useNonce = useNonce; - req->nonceSz = 0; - req->issuerHash = NULL; - req->issuerKeyHash = NULL; - req->serial = NULL; - req->dest = dest; - req->destSz = destSz; + ForceZero(req, sizeof(OcspRequest)); + + req->cert = cert; + req->useNonce = useNonce; + req->issuerHash = cert->issuerHash; + req->issuerKeyHash = cert->issuerKeyHash; + req->serial = cert->serial; + req->serialSz = cert->serialSz; + req->dest = dest; + req->destSz = destSz; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 0540b7df2..63d4d177b 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1463,7 +1463,8 @@ typedef enum { TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ TLSX_MAX_FRAGMENT_LENGTH = 0x0001, TLSX_TRUNCATED_HMAC = 0x0004, - TLSX_SUPPORTED_GROUPS = 0x000a, + TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stappling */ + TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ TLSX_SESSION_TICKET = 0x0023, @@ -1498,6 +1499,7 @@ WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, #elif defined(HAVE_SNI) \ || defined(HAVE_MAX_FRAGMENT) \ || defined(HAVE_TRUNCATED_HMAC) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_SUPPORTED_CURVES) \ || defined(HAVE_ALPN) \ || defined(HAVE_QSH) \ @@ -1569,6 +1571,18 @@ WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ +/** Certificate Status Request - RFC 6066 (session 8) */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +typedef struct { + byte status_type; +} CertificateStatusRequest; + +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, + byte status_type); + +#endif + /** Supported Elliptic Curves - RFC 4492 (session 4) */ #ifdef HAVE_SUPPORTED_CURVES @@ -2301,6 +2315,7 @@ typedef struct MsgsReceived { word16 got_hello_verify_request:1; word16 got_session_ticket:1; word16 got_certificate:1; + word16 got_certificate_status:1; word16 got_server_key_exchange:1; word16 got_certificate_request:1; word16 got_server_hello_done:1; @@ -2452,6 +2467,9 @@ struct WOLFSSL { #ifdef HAVE_TRUNCATED_HMAC byte truncated_hmac; #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + byte status_request; + #endif #ifdef HAVE_SECURE_RENEGOTIATION SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */ #endif /* user turned on */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index c11d3d5fd..b507df897 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -188,6 +188,7 @@ enum AlertDescription { #endif no_renegotiation = 100, unrecognized_name = 112, /**< RFC 6066, section 3 */ + bad_certificate_status_response = 113, /**< RFC 6066, section 8 */ no_application_protocol = 120 }; @@ -1406,6 +1407,24 @@ WOLFSSL_API int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx); #endif #endif +/* Certificate Status Request */ +/* Certificate Status Type */ +enum { + WOLFSSL_CSR_OCSP = 1 +}; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#ifndef NO_WOLFSSL_CLIENT + +WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, + unsigned char status_type); + +WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, + unsigned char status_type); + +#endif +#endif + /* Elliptic Curves */ enum { WOLFSSL_ECC_SECP160R1 = 0x10, From 42380793c943a0d9840fd8e16a66e8281b8479ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Fri, 23 Oct 2015 19:25:41 -0300 Subject: [PATCH 003/177] adds comparison of OcspRequest and OcspResponse; removes TLS Extension Status Request at context level as specific data is always needed for each session; --- examples/client/client.c | 12 +-- src/internal.c | 48 +++++---- src/ocsp.c | 13 ++- src/ssl.c | 9 -- src/tls.c | 30 +++++- wolfcrypt/src/asn.c | 40 ++++++-- wolfssl/error-ssl.h | 209 ++++++++++++++++++++------------------- wolfssl/internal.h | 5 + wolfssl/ssl.h | 3 - wolfssl/wolfcrypt/asn.h | 19 ++-- 10 files changed, 220 insertions(+), 168 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index b3a11e407..1821a0894 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -946,12 +946,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (wolfSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS) err_sys("UseTruncatedHMAC failed"); #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (statusRequest) - if (wolfSSL_CTX_UseCertificateStatusRequest(ctx, WOLFSSL_CSR_OCSP) - != SSL_SUCCESS) - err_sys("UseCertificateStatusRequest failed"); -#endif #ifdef HAVE_SESSION_TICKET if (wolfSSL_CTX_UseSessionTicket(ctx) != SSL_SUCCESS) err_sys("UseSessionTicket failed"); @@ -988,6 +982,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); } #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (statusRequest) + if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); +#endif tcp_connect(&sockfd, host, port, doDTLS, ssl); diff --git a/src/internal.c b/src/internal.c index f0b998e14..b22fef72a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4447,12 +4447,28 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (fatal == 0) { - int doCrlLookup = 1; + int doLookup = 1; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->options.side == WOLFSSL_CLIENT_END) { + switch (ssl->status_request) { + case WOLFSSL_CSR_OCSP: { + OcspRequest* request = + TLSX_CSR_GetRequest(ssl->extensions); + + fatal = InitOcspRequest(request, dCert, 0, NULL, 0); + doLookup = 0; + } + break; + } + } +#endif + #ifdef HAVE_OCSP - if (ssl->ctx->cm->ocspEnabled) { + if (doLookup && ssl->ctx->cm->ocspEnabled) { WOLFSSL_MSG("Doing Leaf OCSP check"); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); - doCrlLookup = (ret == OCSP_CERT_UNKNOWN); + doLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); fatal = 0; @@ -4461,7 +4477,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* HAVE_OCSP */ #ifdef HAVE_CRL - if (doCrlLookup && ssl->ctx->cm->crlEnabled) { + if (doLookup && ssl->ctx->cm->crlEnabled) { WOLFSSL_MSG("Doing Leaf CRL check"); ret = CheckCertCRL(ssl->ctx->cm->crl, dCert); if (ret != 0) { @@ -4469,14 +4485,13 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, fatal = 0; } } -#else - (void)doCrlLookup; #endif /* HAVE_CRL */ + (void)doLookup; } #endif /* HAVE_OCSP || HAVE_CRL */ #ifdef KEEP_PEER_CERT - { + if (fatal == 0) { /* set X509 format for peer cert even if fatal */ int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert); if (copyRet == MEMORY_E) @@ -4801,6 +4816,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) case WOLFSSL_CSR_OCSP: { + OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions); #ifdef WOLFSSL_SMALL_STACK CertStatus* status; @@ -4817,12 +4833,6 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - if (ssl->status_request_v2) { - ssl->status_request_v2 = 0; - break; - } - #endif return BUFFER_ERROR; } while(0); @@ -4844,12 +4854,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, if ((ret = OcspResponseDecode(response)) == 0) { if (response->responseStatus != OCSP_SUCCESSFUL) - ret = FATAL_ERROR; - /* TODO CSR */ - /*else if (CompareOcspReqResp(request, response) != 0) - ret = FATAL_ERROR; */ + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (CompareOcspReqResp(request, response) != 0) + ret = BAD_CERTIFICATE_STATUS_ERROR; else if (response->status->status != CERT_GOOD) - ret = FATAL_ERROR; + ret = BAD_CERTIFICATE_STATUS_ERROR; } *inOutIdx += status_length; @@ -8730,6 +8739,9 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case UNKNOWN_ALPN_PROTOCOL_NAME_E: return "Unrecognized protocol name Error"; + case BAD_CERTIFICATE_STATUS_ERROR: + return "Bad Certificate Status Message Error"; + case HANDSHAKE_SIZE_ERROR: return "Handshake message too large Error"; diff --git a/src/ocsp.c b/src/ocsp.c index 2b355d988..ae8cb8978 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -227,13 +227,15 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) } #endif - InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, + result = InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, ocspReqBuf, ocspReqSz); - ocspReqSz = EncodeOcspRequest(ocspRequest); - - if (ocsp->cm->ocspIOCb) - result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, + if (result == 0) { + ocspReqSz = EncodeOcspRequest(ocspRequest); + + if (ocsp->cm->ocspIOCb) + result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, ocspReqBuf, ocspReqSz, &ocspRespBuf); + } if (result >= 0 && ocspRespBuf) { XMEMSET(newStatus, 0, sizeof(CertStatus)); @@ -275,6 +277,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) else result = OCSP_LOOKUP_FAIL; + FreeOcspRequest(ocspRequest); XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); #ifdef WOLFSSL_SMALL_STACK diff --git a/src/ssl.c b/src/ssl.c index 8b5a2efb8..fedee84f3 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -804,15 +804,6 @@ int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type) return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type); } - -int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type) -{ - if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) - return BAD_FUNC_ARG; - - return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type); -} - #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ /* Elliptic Curves */ diff --git a/src/tls.c b/src/tls.c index 668951b3a..1b20f96e9 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1900,7 +1900,7 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr) { switch (csr->status_type) { case WOLFSSL_CSR_OCSP: - /* nothing to release for now... */ + FreeOcspRequest(&csr->data.ocspRequest); break; } @@ -1963,14 +1963,38 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, (void) ssl; (void) input; if (!isRequest) { - ssl->status_request = 1; +#ifndef NO_WOLFSSL_CLIENT + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr == NULL) + return BUFFER_ERROR; /* unexpected extension */ + + ssl->status_request = csr->status_type; return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ +#endif } return 0; } +void* TLSX_CSR_GetRequest(TLSX* extensions) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + return &csr->data.ocspRequest; + break; + } + } + + return NULL; +} + int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) { CertificateStatusRequest* csr = NULL; @@ -1988,7 +2012,7 @@ int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) switch (status_type) { case WOLFSSL_CSR_OCSP: - /* nothing to handle for now... */ + ForceZero(&csr->data.ocspRequest, sizeof(OcspRequest)); break; default: diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 0ac8a3b67..7a981d8f2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8848,7 +8848,7 @@ int EncodeOcspRequest(OcspRequest* req) byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; byte snArray[MAX_SN_SZ]; byte extArray[MAX_OCSP_EXT_SZ]; - byte* output = req->dest; + byte* output = req->request; word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; int i; @@ -8915,21 +8915,41 @@ int EncodeOcspRequest(OcspRequest* req) } -void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, +int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, byte* dest, word32 destSz) { WOLFSSL_ENTER("InitOcspRequest"); + if (req == NULL) + return BAD_FUNC_ARG; + ForceZero(req, sizeof(OcspRequest)); - req->cert = cert; - req->useNonce = useNonce; - req->issuerHash = cert->issuerHash; - req->issuerKeyHash = cert->issuerKeyHash; - req->serial = cert->serial; - req->serialSz = cert->serialSz; - req->dest = dest; - req->destSz = destSz; + if (cert) { + XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); + XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); + + req->serial = (byte*)XMALLOC(cert->serialSz, NULL, DYNAMIC_TYPE_OCSP); + if (req->serial == NULL) + return MEMORY_E; + + XMEMCPY(req->serial, cert->serial, cert->serialSz); + req->serialSz = cert->serialSz; + } + + req->useNonce = useNonce; + req->request = dest; + req->requestSz = destSz; + + return 0; +} + +void FreeOcspRequest(OcspRequest* req) +{ + WOLFSSL_ENTER("FreeOcspRequest"); + + if (req && req->serial) + XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); } diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index f07796079..37952a318 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -30,121 +30,122 @@ #endif enum wolfSSL_ErrorCodes { - INPUT_CASE_ERROR = -301, /* process input state error */ - PREFIX_ERROR = -302, /* bad index to key rounds */ - MEMORY_ERROR = -303, /* out of memory */ - VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ - VERIFY_MAC_ERROR = -305, /* verify mac problem */ - PARSE_ERROR = -306, /* parse error on header */ - UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ - SOCKET_ERROR_E = -308, /* error state on socket */ - SOCKET_NODATA = -309, /* expected data, not there */ - INCOMPLETE_DATA = -310, /* don't have enough data to + INPUT_CASE_ERROR = -301, /* process input state error */ + PREFIX_ERROR = -302, /* bad index to key rounds */ + MEMORY_ERROR = -303, /* out of memory */ + VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ + VERIFY_MAC_ERROR = -305, /* verify mac problem */ + PARSE_ERROR = -306, /* parse error on header */ + UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ + SOCKET_ERROR_E = -308, /* error state on socket */ + SOCKET_NODATA = -309, /* expected data, not there */ + INCOMPLETE_DATA = -310, /* don't have enough data to complete task */ - UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ - DECRYPT_ERROR = -312, /* error during decryption */ - FATAL_ERROR = -313, /* recvd alert fatal error */ - ENCRYPT_ERROR = -314, /* error during encryption */ - FREAD_ERROR = -315, /* fread problem */ - NO_PEER_KEY = -316, /* need peer's key */ - NO_PRIVATE_KEY = -317, /* need the private key */ - RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ - NO_DH_PARAMS = -319, /* server missing DH params */ - BUILD_MSG_ERROR = -320, /* build message failure */ + UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ + DECRYPT_ERROR = -312, /* error during decryption */ + FATAL_ERROR = -313, /* recvd alert fatal error */ + ENCRYPT_ERROR = -314, /* error during encryption */ + FREAD_ERROR = -315, /* fread problem */ + NO_PEER_KEY = -316, /* need peer's key */ + NO_PRIVATE_KEY = -317, /* need the private key */ + RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ + NO_DH_PARAMS = -319, /* server missing DH params */ + BUILD_MSG_ERROR = -320, /* build message failure */ - BAD_HELLO = -321, /* client hello malformed */ - DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ - WANT_READ = -323, /* want read, call again */ - NOT_READY_ERROR = -324, /* handshake layer not ready */ - PMS_VERSION_ERROR = -325, /* pre m secret version error */ - VERSION_ERROR = -326, /* record layer version error */ - WANT_WRITE = -327, /* want write, call again */ - BUFFER_ERROR = -328, /* malformed buffer input */ - VERIFY_CERT_ERROR = -329, /* verify cert error */ - VERIFY_SIGN_ERROR = -330, /* verify sign error */ - CLIENT_ID_ERROR = -331, /* psk client identity error */ - SERVER_HINT_ERROR = -332, /* psk server hint error */ - PSK_KEY_ERROR = -333, /* psk key error */ - ZLIB_INIT_ERROR = -334, /* zlib init error */ - ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ - ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ + BAD_HELLO = -321, /* client hello malformed */ + DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ + WANT_READ = -323, /* want read, call again */ + NOT_READY_ERROR = -324, /* handshake layer not ready */ + PMS_VERSION_ERROR = -325, /* pre m secret version error */ + VERSION_ERROR = -326, /* record layer version error */ + WANT_WRITE = -327, /* want write, call again */ + BUFFER_ERROR = -328, /* malformed buffer input */ + VERIFY_CERT_ERROR = -329, /* verify cert error */ + VERIFY_SIGN_ERROR = -330, /* verify sign error */ + CLIENT_ID_ERROR = -331, /* psk client identity error */ + SERVER_HINT_ERROR = -332, /* psk server hint error */ + PSK_KEY_ERROR = -333, /* psk key error */ + ZLIB_INIT_ERROR = -334, /* zlib init error */ + ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ + ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ - GETTIME_ERROR = -337, /* gettimeofday failed ??? */ - GETITIMER_ERROR = -338, /* getitimer failed ??? */ - SIGACT_ERROR = -339, /* sigaction failed ??? */ - SETITIMER_ERROR = -340, /* setitimer failed ??? */ - LENGTH_ERROR = -341, /* record layer length error */ - PEER_KEY_ERROR = -342, /* can't decode peer key */ - ZERO_RETURN = -343, /* peer sent close notify */ - SIDE_ERROR = -344, /* wrong client/server type */ - NO_PEER_CERT = -345, /* peer didn't send key */ - NTRU_KEY_ERROR = -346, /* NTRU key error */ - NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ - NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ - NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ - ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ - ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ - ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ - ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ - ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ - ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ - NOT_CA_ERROR = -357, /* Not a CA cert error */ - BAD_PATH_ERROR = -358, /* Bad path for opendir */ - BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ - OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ - CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ - CRL_MISSING = -362, /* CRL Not loaded */ - MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ - THREAD_CREATE_E = -364, /* Thread Create Error */ - OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ - OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ - OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ - MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ - COOKIE_ERROR = -369, /* dtls cookie error */ - SEQUENCE_ERROR = -370, /* dtls sequence error */ - SUITES_ERROR = -371, /* suites pointer error */ - SSL_NO_PEM_HEADER = -372, /* no PEM header found */ - OUT_OF_ORDER_E = -373, /* out of order message */ - BAD_KEA_TYPE_E = -374, /* bad KEA type found */ - SANITY_CIPHER_E = -375, /* sanity check on cipher error */ - RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ - GEN_COOKIE_E = -377, /* Generate Cookie Error */ - NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ - FWRITE_ERROR = -379, /* fwrite problem */ - CACHE_MATCH_ERROR = -380, /* chache hdr match error */ - UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ - UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ - KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ - KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ - EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ - SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ - SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ - SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ - SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ - SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */ - SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ - NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ - SANITY_MSG_E = -394, /* Sanity check on msg order error */ - DUPLICATE_MSG_E = -395, /* Duplicate message error */ - SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ - SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ + GETTIME_ERROR = -337, /* gettimeofday failed ??? */ + GETITIMER_ERROR = -338, /* getitimer failed ??? */ + SIGACT_ERROR = -339, /* sigaction failed ??? */ + SETITIMER_ERROR = -340, /* setitimer failed ??? */ + LENGTH_ERROR = -341, /* record layer length error */ + PEER_KEY_ERROR = -342, /* can't decode peer key */ + ZERO_RETURN = -343, /* peer sent close notify */ + SIDE_ERROR = -344, /* wrong client/server type */ + NO_PEER_CERT = -345, /* peer didn't send key */ + NTRU_KEY_ERROR = -346, /* NTRU key error */ + NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ + NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ + NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ + ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ + ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ + ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ + ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ + ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ + ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ + NOT_CA_ERROR = -357, /* Not a CA cert error */ + BAD_PATH_ERROR = -358, /* Bad path for opendir */ + BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ + OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ + CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ + CRL_MISSING = -362, /* CRL Not loaded */ + MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ + THREAD_CREATE_E = -364, /* Thread Create Error */ + OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ + OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ + OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ + MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ + COOKIE_ERROR = -369, /* dtls cookie error */ + SEQUENCE_ERROR = -370, /* dtls sequence error */ + SUITES_ERROR = -371, /* suites pointer error */ + SSL_NO_PEM_HEADER = -372, /* no PEM header found */ + OUT_OF_ORDER_E = -373, /* out of order message */ + BAD_KEA_TYPE_E = -374, /* bad KEA type found */ + SANITY_CIPHER_E = -375, /* sanity check on cipher error */ + RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ + GEN_COOKIE_E = -377, /* Generate Cookie Error */ + NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ + FWRITE_ERROR = -379, /* fwrite problem */ + CACHE_MATCH_ERROR = -380, /* chache hdr match error */ + UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ + UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ + KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ + KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ + EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ + SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ + SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ + SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ + SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ + SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */ + SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ + NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ + SANITY_MSG_E = -394, /* Sanity check on msg order error */ + DUPLICATE_MSG_E = -395, /* Duplicate message error */ + SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ + SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ - BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ - BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ - BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ + BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ + BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ + BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ - DH_KEY_SIZE_E = -401, /* DH Key too small */ - SNI_ABSENT_ERROR = -402, /* No SNI request. */ - RSA_SIGN_FAULT = -403, /* RSA Sign fault */ - HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ + DH_KEY_SIZE_E = -401, /* DH Key too small */ + SNI_ABSENT_ERROR = -402, /* No SNI request. */ + RSA_SIGN_FAULT = -403, /* RSA Sign fault */ + HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/ + BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ - UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */ - MATCH_SUITE_ERROR = -501 /* can't match cipher suite */ + UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */ + MATCH_SUITE_ERROR = -501 /* can't match cipher suite */ /* end negotiation parameter errors only 10 for now */ /* add strings to SetErrorString !!!!! */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 63d4d177b..dce8acbbd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1576,10 +1576,15 @@ WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); typedef struct { byte status_type; + union { + OcspRequest ocspRequest; + } data; } CertificateStatusRequest; WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type); +WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); + #endif diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b507df897..24bbfb0f3 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1419,9 +1419,6 @@ enum { WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, unsigned char status_type); -WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, - unsigned char status_type); - #endif #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 48e0412c2..290d312f3 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -707,27 +707,26 @@ struct OcspResponse { struct OcspRequest { - DecodedCert* cert; + byte issuerHash[KEYID_SIZE]; + byte issuerKeyHash[KEYID_SIZE]; + byte* serial; /* copy of the serial number in source cert; OWNED */ + int serialSz; - byte useNonce; byte nonce[MAX_OCSP_NONCE_SZ]; int nonceSz; + byte useNonce; - byte* issuerHash; /* pointer to issuerHash in source cert */ - byte* issuerKeyHash; /* pointer to issuerKeyHash in source cert */ - byte* serial; /* pointer to serial number in source cert */ - int serialSz; /* length of the serial number */ - - byte* dest; /* pointer to the destination ASN.1 buffer */ - word32 destSz; /* length of the destination buffer */ + byte* request; /* pointer to the destination ASN.1 buffer; NOT OWNED */ + word32 requestSz; /* length of the destination buffer */ }; WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*); -WOLFSSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*, +WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte, byte*, word32); +WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*); WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*); From 14fa980dad2543d772ecc3946ca3629f46d3173b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Sun, 25 Oct 2015 21:21:41 -0300 Subject: [PATCH 004/177] adds contingence plan (force OCSP check when the server answer the status_request extension but doesn't sends a CertificateStatus message); adds back status_request to context level; --- examples/client/client.c | 5 +- src/internal.c | 24 +-- src/ocsp.c | 301 ++++++++++++++++++++++---------------- src/ssl.c | 9 ++ src/tls.c | 77 +++++++--- wolfcrypt/src/asn.c | 69 +++++---- wolfssl/error-ssl.h | 1 + wolfssl/internal.h | 27 ++-- wolfssl/ocsp.h | 2 + wolfssl/ssl.h | 3 + wolfssl/wolfcrypt/asn.h | 17 +-- wolfssl/wolfcrypt/types.h | 3 +- 12 files changed, 332 insertions(+), 206 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 1821a0894..651bf0819 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -983,10 +983,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (statusRequest) + if (statusRequest) { if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP) != SSL_SUCCESS) err_sys("UseCertificateStatusRequest failed"); + + wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); + } #endif tcp_connect(&sockfd, host, port, doDTLS, ssl); diff --git a/src/internal.c b/src/internal.c index b22fef72a..ce5f1326d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4451,15 +4451,9 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->options.side == WOLFSSL_CLIENT_END) { - switch (ssl->status_request) { - case WOLFSSL_CSR_OCSP: { - OcspRequest* request = - TLSX_CSR_GetRequest(ssl->extensions); - - fatal = InitOcspRequest(request, dCert, 0, NULL, 0); - doLookup = 0; - } - break; + if (ssl->status_request) { + fatal = TLSX_CSR_InitRequest(ssl->extensions, dCert); + doLookup = 0; } } #endif @@ -5112,8 +5106,11 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) if (ssl->msgsReceived.got_certificate_status == 0) { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { + int ret; + WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); - return OUT_OF_ORDER_E; + if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) + return ret; } #endif } @@ -8736,14 +8733,17 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case RSA_SIGN_FAULT: return "RSA Signature Fault Error"; + case HANDSHAKE_SIZE_ERROR: + return "Handshake message too large Error"; + case UNKNOWN_ALPN_PROTOCOL_NAME_E: return "Unrecognized protocol name Error"; case BAD_CERTIFICATE_STATUS_ERROR: return "Bad Certificate Status Message Error"; - case HANDSHAKE_SIZE_ERROR: - return "Handshake message too large Error"; + case OCSP_INVALID_STATUS: + return "Invalid OCSP Status Error"; default : return "unknown error number"; diff --git a/src/ocsp.c b/src/ocsp.c index ae8cb8978..aa1a97252 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -34,59 +34,68 @@ #include #include +#ifdef NO_INLINE + #include +#else + #include +#endif + int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm) { WOLFSSL_ENTER("InitOCSP"); - XMEMSET(ocsp, 0, sizeof(*ocsp)); - ocsp->cm = cm; + + ForceZero(ocsp, sizeof(WOLFSSL_OCSP)); + if (InitMutex(&ocsp->ocspLock) != 0) return BAD_MUTEX_E; - return 0; -} - - -static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert) -{ - WOLFSSL_ENTER("InitOCSP_Entry"); - - XMEMSET(ocspe, 0, sizeof(*ocspe)); - XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE); - XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE); + ocsp->cm = cm; return 0; } -static void FreeOCSP_Entry(OCSP_Entry* ocspe) +static int InitOcspEntry(OcspEntry* entry, OcspRequest* request) { - CertStatus* tmp = ocspe->status; + WOLFSSL_ENTER("InitOcspEntry"); - WOLFSSL_ENTER("FreeOCSP_Entry"); + ForceZero(entry, sizeof(OcspEntry)); - while (tmp) { - CertStatus* next = tmp->next; - XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_STATUS); - tmp = next; + XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE); + XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE); + + return 0; +} + + +static void FreeOcspEntry(OcspEntry* entry) +{ + CertStatus *status, *next; + + WOLFSSL_ENTER("FreeOcspEntry"); + + for (status = entry->status; status; status = next) { + next = status->next; + XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); } } void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic) { - OCSP_Entry* tmp = ocsp->ocspList; + OcspEntry *entry, *next; WOLFSSL_ENTER("FreeOCSP"); - while (tmp) { - OCSP_Entry* next = tmp->next; - FreeOCSP_Entry(tmp); - XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY); - tmp = next; + for (entry = ocsp->ocspList; entry; entry = next) { + next = entry->next; + FreeOcspEntry(entry); + XFREE(entry, NULL, DYNAMIC_TYPE_OCSP_ENTRY); } FreeMutex(&ocsp->ocspLock); + if (dynamic) XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP); } @@ -107,84 +116,135 @@ static int xstat2err(int stat) int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) { - byte* ocspReqBuf = NULL; - int ocspReqSz = 2048; - byte* ocspRespBuf = NULL; - int result = -1; - OCSP_Entry* ocspe; - CertStatus* certStatus = NULL; - const char *url; - int urlSz; + int ret = OCSP_LOOKUP_FAIL; + #ifdef WOLFSSL_SMALL_STACK - CertStatus* newStatus; OcspRequest* ocspRequest; - OcspResponse* ocspResponse; #else - CertStatus newStatus[1]; OcspRequest ocspRequest[1]; - OcspResponse ocspResponse[1]; #endif WOLFSSL_ENTER("CheckCertOCSP"); + +#ifdef WOLFSSL_SMALL_STACK + ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (ocspRequest == NULL) { + WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); + return MEMORY_E; + } +#endif + + if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) { + ret = CheckOcspRequest(ocsp, ocspRequest); + + FreeOcspRequest(ocspRequest); + } + +#ifdef WOLFSSL_SMALL_STACK + XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + WOLFSSL_LEAVE("CheckCertOCSP", ret); + return ret; +} + +static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, + OcspEntry** entry) +{ + WOLFSSL_ENTER("GetOcspEntry"); + + *entry = NULL; + if (LockMutex(&ocsp->ocspLock) != 0) { WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); return BAD_MUTEX_E; } - ocspe = ocsp->ocspList; - while (ocspe) { - if (XMEMCMP(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0 - && XMEMCMP(ocspe->issuerKeyHash, cert->issuerKeyHash, - SHA_DIGEST_SIZE) == 0) + for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next) + if (XMEMCMP((*entry)->issuerHash, request->issuerHash, + OCSP_DIGEST_SIZE) == 0 + && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash, + OCSP_DIGEST_SIZE) == 0) break; - else - ocspe = ocspe->next; - } - if (ocspe == NULL) { - ocspe = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry), - NULL, DYNAMIC_TYPE_OCSP_ENTRY); - if (ocspe != NULL) { - InitOCSP_Entry(ocspe, cert); - ocspe->next = ocsp->ocspList; - ocsp->ocspList = ocspe; - } - else { - UnLockMutex(&ocsp->ocspLock); - WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); - return MEMORY_ERROR; - } - } - else { - certStatus = ocspe->status; - while (certStatus) { - if (certStatus->serialSz == cert->serialSz && - XMEMCMP(certStatus->serial, cert->serial, cert->serialSz) == 0) - break; - else - certStatus = certStatus->next; - } - } - - if (certStatus != NULL) { - if (!ValidateDate(certStatus->thisDate, - certStatus->thisDateFormat, BEFORE) || - (certStatus->nextDate[0] == 0) || - !ValidateDate(certStatus->nextDate, - certStatus->nextDateFormat, AFTER)) { - WOLFSSL_MSG("\tinvalid status date, looking up cert"); - } - else { - result = xstat2err(certStatus->status); - UnLockMutex(&ocsp->ocspLock); - WOLFSSL_LEAVE("CheckCertOCSP", result); - return result; + if (*entry == NULL) { + *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), + NULL, DYNAMIC_TYPE_OCSP_ENTRY); + if (*entry) { + InitOcspEntry(*entry, request); + (*entry)->next = ocsp->ocspList; + ocsp->ocspList = *entry; } } UnLockMutex(&ocsp->ocspLock); + return *entry ? 0 : MEMORY_ERROR; +} + + +static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, + OcspEntry* entry, CertStatus** status) +{ + int ret = OCSP_INVALID_STATUS; + + WOLFSSL_ENTER("GetOcspStatus"); + + *status = NULL; + + if (LockMutex(&ocsp->ocspLock) != 0) { + WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); + return BAD_MUTEX_E; + } + + for (*status = entry->status; *status; *status = (*status)->next) + if ((*status)->serialSz == request->serialSz + && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) + break; + + if (*status) { + if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) + && ((*status)->nextDate[0] != 0) + && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) + ret = xstat2err((*status)->status); + } + + UnLockMutex(&ocsp->ocspLock); + + return ret; +} + +int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) +{ + OcspEntry* entry = NULL; + CertStatus* status = NULL; + byte* request = NULL; + int requestSz = 2048; + byte* response = NULL; + const char* url; + int urlSz; + int ret = -1; + +#ifdef WOLFSSL_SMALL_STACK + CertStatus* newStatus; + OcspResponse* ocspResponse; +#else + CertStatus newStatus[1]; + OcspResponse ocspResponse[1]; +#endif + + WOLFSSL_ENTER("CheckOcspRequest"); + + ret = GetOcspEntry(ocsp, ocspRequest, &entry); + if (ret != 0) + return ret; + + ret = GetOcspStatus(ocsp, ocspRequest, entry, &status); + if (ret != OCSP_INVALID_STATUS) + return ret; + if (ocsp->cm->ocspUseOverrideURL) { url = ocsp->cm->ocspOverrideURL; if (url != NULL && url[0] != '\0') @@ -192,17 +252,17 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) else return OCSP_NEED_URL; } - else if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { - url = (const char *)cert->extAuthInfo; - urlSz = cert->extAuthInfoSz; + else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) { + url = (const char *)ocspRequest->url; + urlSz = ocspRequest->urlSz; } else { /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ return 0; } - ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER); - if (ocspReqBuf == NULL) { + request = (byte*)XMALLOC(requestSz, NULL, DYNAMIC_TYPE_IN_BUFFER); + if (request == NULL) { WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_ERROR; } @@ -210,60 +270,53 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) #ifdef WOLFSSL_SMALL_STACK newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_TMP_BUFFER); - ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, - DYNAMIC_TYPE_TMP_BUFFER); ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (newStatus == NULL || ocspRequest == NULL || ocspResponse == NULL) { + if (newStatus == NULL || ocspResponse == NULL) { if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (ocspRequest) XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(request, NULL, DYNAMIC_TYPE_TMP_BUFFER); WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_E; } #endif - result = InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, - ocspReqBuf, ocspReqSz); - if (result == 0) { - ocspReqSz = EncodeOcspRequest(ocspRequest); + requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); - if (ocsp->cm->ocspIOCb) - result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, - ocspReqBuf, ocspReqSz, &ocspRespBuf); - } + if (ocsp->cm->ocspIOCb) + ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, + request, requestSz, &response); - if (result >= 0 && ocspRespBuf) { + if (ret >= 0 && response) { XMEMSET(newStatus, 0, sizeof(CertStatus)); - InitOcspResponse(ocspResponse, newStatus, ocspRespBuf, result); + InitOcspResponse(ocspResponse, newStatus, response, ret); OcspResponseDecode(ocspResponse); - + if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) - result = OCSP_LOOKUP_FAIL; + ret = OCSP_LOOKUP_FAIL; else { if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { - result = xstat2err(ocspResponse->status->status); + ret = xstat2err(ocspResponse->status->status); if (LockMutex(&ocsp->ocspLock) != 0) - result = BAD_MUTEX_E; + ret = BAD_MUTEX_E; else { - if (certStatus != NULL) + if (status != NULL) /* Replace existing certificate entry with updated */ - XMEMCPY(certStatus, newStatus, sizeof(CertStatus)); + XMEMCPY(status, newStatus, sizeof(CertStatus)); else { /* Save new certificate entry */ - certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_OCSP_STATUS); - if (certStatus != NULL) { - XMEMCPY(certStatus, newStatus, sizeof(CertStatus)); - certStatus->next = ocspe->status; - ocspe->status = certStatus; - ocspe->totalStatus++; + if (status != NULL) { + XMEMCPY(status, newStatus, sizeof(CertStatus)); + status->next = entry->status; + entry->status = status; + entry->totalStatus++; } } @@ -271,26 +324,22 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) } } else - result = OCSP_LOOKUP_FAIL; + ret = OCSP_LOOKUP_FAIL; } } else - result = OCSP_LOOKUP_FAIL; - - FreeOcspRequest(ocspRequest); - XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); + ret = OCSP_LOOKUP_FAIL; #ifdef WOLFSSL_SMALL_STACK XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb) - ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf); + if (response != NULL && ocsp->cm->ocspRespFreeCb) + ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); - WOLFSSL_LEAVE("CheckCertOCSP", result); - return result; + WOLFSSL_LEAVE("CheckOcspRequest", ret); + return ret; } diff --git a/src/ssl.c b/src/ssl.c index fedee84f3..8b5a2efb8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -804,6 +804,15 @@ int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type) return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type); } + +int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type) +{ + if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type); +} + #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ /* Elliptic Curves */ diff --git a/src/tls.c b/src/tls.c index 1b20f96e9..03fe2f409 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1900,7 +1900,7 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr) { switch (csr->status_type) { case WOLFSSL_CSR_OCSP: - FreeOcspRequest(&csr->data.ocspRequest); + FreeOcspRequest(&csr->request.ocsp); break; } @@ -1959,6 +1959,8 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest) { + int ret = 0; + /* shut up compiler warnings */ (void) ssl; (void) input; @@ -1967,15 +1969,43 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); CertificateStatusRequest* csr = extension ? extension->data : NULL; - if (csr == NULL) - return BUFFER_ERROR; /* unexpected extension */ + if (!csr) { + /* look at context level */ - ssl->status_request = csr->status_type; + extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST); + csr = extension ? extension->data : NULL; + + if (!csr) + return BUFFER_ERROR; /* unexpected extension */ + + /* enable extension at ssl level */ + ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, + csr->status_type); + if (ret != SSL_SUCCESS) + return ret; + } + + ssl->status_request = 1; return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ #endif } + return ret; +} + +int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + return InitOcspRequest(&csr->request.ocsp, cert, 0); + } + } + return 0; } @@ -1987,7 +2017,7 @@ void* TLSX_CSR_GetRequest(TLSX* extensions) if (csr) { switch (csr->status_type) { case WOLFSSL_CSR_OCSP: - return &csr->data.ocspRequest; + return &csr->request.ocsp; break; } } @@ -1995,31 +2025,42 @@ void* TLSX_CSR_GetRequest(TLSX* extensions) return NULL; } +int TLSX_CSR_ForceRequest(WOLFSSL* ssl) +{ + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + if (ssl->ctx->cm->ocspEnabled) + return CheckOcspRequest(ssl->ctx->cm->ocsp, + &csr->request.ocsp); + else + return OCSP_LOOKUP_FAIL; + } + } + + return 0; +} + int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) { CertificateStatusRequest* csr = NULL; int ret = 0; - if (!extensions) + if (!extensions || status_type != WOLFSSL_CSR_OCSP) return BAD_FUNC_ARG; - csr = (CertificateStatusRequest*)XMALLOC(sizeof(CertificateStatusRequest), - NULL, DYNAMIC_TYPE_TLSX); + csr = (CertificateStatusRequest*) + XMALLOC(sizeof(CertificateStatusRequest), NULL, DYNAMIC_TYPE_TLSX); if (!csr) return MEMORY_E; + ForceZero(csr, sizeof(CertificateStatusRequest)); + csr->status_type = status_type; - switch (status_type) { - case WOLFSSL_CSR_OCSP: - ForceZero(&csr->data.ocspRequest, sizeof(OcspRequest)); - break; - - default: - XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); - return BAD_FUNC_ARG; - } - if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr)) != 0) { XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); return ret; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 7a981d8f2..1b8ba6504 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8839,7 +8839,7 @@ static word32 SetOcspReqExtensions(word32 extSz, byte* output, } -int EncodeOcspRequest(OcspRequest* req) +int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) { byte seqArray[5][MAX_SEQ_SZ]; /* The ASN.1 of the OCSP Request is an onion of sequences */ @@ -8848,7 +8848,6 @@ int EncodeOcspRequest(OcspRequest* req) byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; byte snArray[MAX_SN_SZ]; byte extArray[MAX_OCSP_EXT_SZ]; - byte* output = req->request; word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; int i; @@ -8865,21 +8864,9 @@ int EncodeOcspRequest(OcspRequest* req) snSz = SetSerialNumber(req->serial, req->serialSz, snArray); extSz = 0; - if (req->useNonce) { - WC_RNG rng; - if (wc_InitRng(&rng) != 0) { - WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); - } else { - if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) - WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); - else { - req->nonceSz = MAX_OCSP_NONCE_SZ; - extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, + if (req->nonceSz) + extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, req->nonce, req->nonceSz); - } - wc_FreeRng(&rng); - } - } totalSz = algoSz + issuerSz + issuerKeySz + snSz; for (i = 4; i >= 0; i--) { @@ -8888,6 +8875,9 @@ int EncodeOcspRequest(OcspRequest* req) if (i == 2) totalSz += extSz; } + if (totalSz > size) + return BUFFER_E; + totalSz = 0; for (i = 0; i < 5; i++) { XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); @@ -8915,8 +8905,7 @@ int EncodeOcspRequest(OcspRequest* req) } -int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, - byte* dest, word32 destSz) +int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce) { WOLFSSL_ENTER("InitOcspRequest"); @@ -8929,17 +8918,42 @@ int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); - req->serial = (byte*)XMALLOC(cert->serialSz, NULL, DYNAMIC_TYPE_OCSP); + req->serial = (byte*)XMALLOC(cert->serialSz, NULL, + DYNAMIC_TYPE_OCSP_REQUEST); if (req->serial == NULL) return MEMORY_E; XMEMCPY(req->serial, cert->serial, cert->serialSz); req->serialSz = cert->serialSz; + + if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { + req->url = (byte*)XMALLOC(cert->extAuthInfoSz, NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (req->url == NULL) { + XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); + return MEMORY_E; + } + + XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); + req->urlSz = cert->extAuthInfoSz; + } + } - req->useNonce = useNonce; - req->request = dest; - req->requestSz = destSz; + if (useNonce) { + WC_RNG rng; + + if (wc_InitRng(&rng) != 0) { + WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); + } else { + if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) + WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); + else + req->nonceSz = MAX_OCSP_NONCE_SZ; + + wc_FreeRng(&rng); + } + } return 0; } @@ -8948,8 +8962,13 @@ void FreeOcspRequest(OcspRequest* req) { WOLFSSL_ENTER("FreeOcspRequest"); - if (req && req->serial) - XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); + if (req) { + if (req->serial) + XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + + if (req->url) + XFREE(req->url, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } } @@ -8973,7 +8992,7 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) /* Nonces are not critical. The responder may not necessarily add * the nonce to the response. */ - if (req->useNonce && resp->nonceSz != 0) { + if (req->nonceSz && resp->nonceSz != 0) { cmp = req->nonceSz - resp->nonceSz; if (cmp != 0) { diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index 37952a318..bfccee9cd 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -140,6 +140,7 @@ enum wolfSSL_ErrorCodes { UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/ BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */ + OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */ /* add strings to SetErrorString !!!!! */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index dce8acbbd..ee961573e 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1255,7 +1255,7 @@ struct WOLFSSL_CIPHER { }; -typedef struct OCSP_Entry OCSP_Entry; +typedef struct OcspEntry OcspEntry; #ifdef NO_SHA #define OCSP_DIGEST_SIZE SHA256_DIGEST_SIZE @@ -1268,12 +1268,12 @@ typedef struct OCSP_Entry OCSP_Entry; typedef struct CertStatus CertStatus; #endif -struct OCSP_Entry { - OCSP_Entry* next; /* next entry */ - byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ - byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ - CertStatus* status; /* OCSP response list */ - int totalStatus; /* number on list */ +struct OcspEntry { + OcspEntry* next; /* next entry */ + byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ + byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ + CertStatus* status; /* OCSP response list */ + int totalStatus; /* number on list */ }; @@ -1284,7 +1284,7 @@ struct OCSP_Entry { /* wolfSSL OCSP controller */ struct WOLFSSL_OCSP { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - OCSP_Entry* ocspList; /* OCSP response list */ + OcspEntry* ocspList; /* OCSP response list */ wolfSSL_Mutex ocspLock; /* OCSP list lock */ }; @@ -1577,14 +1577,15 @@ WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); typedef struct { byte status_type; union { - OcspRequest ocspRequest; - } data; + OcspRequest ocsp; + } request; } CertificateStatusRequest; -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type); -WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); - +WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); +WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); +WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); #endif diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index 77a4157ee..dc76ca16e 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -40,6 +40,8 @@ WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*); +WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, + OcspRequest* ocspRequest); #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 24bbfb0f3..b507df897 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1419,6 +1419,9 @@ enum { WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, unsigned char status_type); +WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, + unsigned char status_type); + #endif #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 290d312f3..f18402e35 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -709,25 +709,22 @@ struct OcspResponse { struct OcspRequest { byte issuerHash[KEYID_SIZE]; byte issuerKeyHash[KEYID_SIZE]; - byte* serial; /* copy of the serial number in source cert; OWNED */ + byte* serial; /* copy of the serial number in source cert */ int serialSz; + byte* url; /* copy of the extAuthInfo in source cert */ + int urlSz; - byte nonce[MAX_OCSP_NONCE_SZ]; - int nonceSz; - byte useNonce; - - byte* request; /* pointer to the destination ASN.1 buffer; NOT OWNED */ - word32 requestSz; /* length of the destination buffer */ + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz; }; WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*); -WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, - byte, byte*, word32); +WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte); WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); -WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*); +WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32); WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*); diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index d97636e0a..9532c26d9 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -286,7 +286,8 @@ DYNAMIC_TYPE_SIGNATURE = 45, DYNAMIC_TYPE_HASHES = 46, DYNAMIC_TYPE_SRP = 47, - DYNAMIC_TYPE_COOKIE_PWD = 48 + DYNAMIC_TYPE_COOKIE_PWD = 48, + DYNAMIC_TYPE_OCSP_REQUEST = 49, }; /* max error buffer string size */ From a47f98ee19d9010e9f6b8d5edb126e3b53b34451 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 26 Oct 2015 18:09:09 -0300 Subject: [PATCH 005/177] adds support to nonce extension in OCSP stapling (status request tls extension); fix nonce encoding, there was a missing ASN.1 OctetString header; --- examples/client/client.c | 4 +- src/ssl.c | 12 ++++-- src/tls.c | 79 +++++++++++++++++++++++++++++++++++----- wolfcrypt/src/asn.c | 60 ++++++++++++------------------ wolfssl/internal.h | 3 +- wolfssl/ssl.h | 9 ++++- wolfssl/wolfcrypt/asn.h | 10 +++-- 7 files changed, 118 insertions(+), 59 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 651bf0819..edfd05b6f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -984,8 +984,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (statusRequest) { - if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP) - != SSL_SUCCESS) + if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP, + WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) err_sys("UseCertificateStatusRequest failed"); wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); diff --git a/src/ssl.c b/src/ssl.c index 8b5a2efb8..344e3c979 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -796,21 +796,25 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) #ifdef HAVE_CERTIFICATE_STATUS_REQUEST -int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type) +int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type, + byte options) { if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; - return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type); + return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, + options); } -int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type) +int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, + byte options) { if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; - return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type); + return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type, + options); } #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ diff --git a/src/tls.c b/src/tls.c index 03fe2f409..77e3694d3 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1909,6 +1909,8 @@ static void TLSX_CSR_Free(CertificateStatusRequest* csr) static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) { + word16 size = 0; + /* shut up compiler warnings */ (void) csr; (void) isRequest; @@ -1916,12 +1918,15 @@ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) if (isRequest) { switch (csr->status_type) { case WOLFSSL_CSR_OCSP: - return ENUM_LEN + 2 * OPAQUE16_LEN; + size += ENUM_LEN + 2 * OPAQUE16_LEN; + + if (csr->request.ocsp.nonceSz) + size += MAX_OCSP_EXT_SZ; } } #endif - return 0; + return size; } static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, @@ -1933,6 +1938,7 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, #ifndef NO_WOLFSSL_CLIENT if (isRequest) { word16 offset = 0; + word16 length = 0; /* type */ output[offset++] = csr->status_type; @@ -1944,8 +1950,15 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, offset += OPAQUE16_LEN; /* request extensions */ - c16toa(0, output + offset); - offset += OPAQUE16_LEN; + if (csr->request.ocsp.nonceSz) + length = EncodeOcspRequestExtensions( + &csr->request.ocsp, + output + offset + OPAQUE16_LEN, + MAX_OCSP_EXT_SZ); + + c16toa(length, output + offset); + offset += OPAQUE16_LEN + length; + break; } @@ -1980,9 +1993,25 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, /* enable extension at ssl level */ ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, - csr->status_type); + csr->status_type, csr->options); if (ret != SSL_SUCCESS) return ret; + + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + /* propagate nonce */ + if (csr->request.ocsp.nonceSz) { + OcspRequest* request = + TLSX_CSR_GetRequest(ssl->extensions); + + if (request) { + XMEMCPY(request->nonce, csr->request.ocsp.nonce, + csr->request.ocsp.nonceSz); + request->nonceSz = csr->request.ocsp.nonceSz; + } + } + break; + } } ssl->status_request = 1; @@ -1998,15 +2027,29 @@ int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); CertificateStatusRequest* csr = extension ? extension->data : NULL; + int ret = 0; if (csr) { switch (csr->status_type) { - case WOLFSSL_CSR_OCSP: - return InitOcspRequest(&csr->request.ocsp, cert, 0); + case WOLFSSL_CSR_OCSP: { + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz = csr->request.ocsp.nonceSz; + + /* preserve nonce */ + XMEMCPY(nonce, csr->request.ocsp.nonce, nonceSz); + + if ((ret = InitOcspRequest(&csr->request.ocsp, cert, 0)) != 0) + return ret; + + /* restore nonce */ + XMEMCPY(csr->request.ocsp.nonce, nonce, nonceSz); + csr->request.ocsp.nonceSz = nonceSz; + } + break; } } - return 0; + return ret; } void* TLSX_CSR_GetRequest(TLSX* extensions) @@ -2044,7 +2087,8 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl) return 0; } -int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) +int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, + byte options) { CertificateStatusRequest* csr = NULL; int ret = 0; @@ -2060,6 +2104,23 @@ int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type) ForceZero(csr, sizeof(CertificateStatusRequest)); csr->status_type = status_type; + csr->options = options; + + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + if (options & WOLFSSL_CSR_OCSP_USE_NONCE) { + WC_RNG rng; + + if (wc_InitRng(&rng) == 0) { + if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp.nonce, + MAX_OCSP_NONCE_SZ) == 0) + csr->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ; + + wc_FreeRng(&rng); + } + } + break; + } if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr)) != 0) { XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 1b8ba6504..57a5c38af 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8786,53 +8786,40 @@ int OcspResponseDecode(OcspResponse* resp) } -static word32 SetOcspReqExtensions(word32 extSz, byte* output, - const byte* nonce, word32 nonceSz) +word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) { static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02 }; - byte seqArray[5][MAX_SEQ_SZ]; - word32 seqSz[5], totalSz; + byte seqArray[6][MAX_SEQ_SZ]; + word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId); WOLFSSL_ENTER("SetOcspReqExtensions"); - if (nonce == NULL || nonceSz == 0) return 0; + if (!req || !output || !req->nonceSz) + return 0; - seqArray[0][0] = ASN_OCTET_STRING; - seqSz[0] = 1 + SetLength(nonceSz, &seqArray[0][1]); + totalSz += req->nonceSz; + totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]); + totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]); + seqArray[2][0] = ASN_OBJECT_ID; + totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]); + totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]); + totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); + totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]); - seqArray[1][0] = ASN_OBJECT_ID; - seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]); - - totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId); - - seqSz[2] = SetSequence(totalSz, seqArray[2]); - totalSz += seqSz[2]; - - seqSz[3] = SetSequence(totalSz, seqArray[3]); - totalSz += seqSz[3]; - - seqArray[4][0] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2); - seqSz[4] = 1 + SetLength(totalSz, &seqArray[4][1]); - totalSz += seqSz[4]; - - if (totalSz < extSz) + if (totalSz < size) { totalSz = 0; - XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); - totalSz += seqSz[4]; - XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); - totalSz += seqSz[3]; - XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); - totalSz += seqSz[2]; - XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); - totalSz += seqSz[1]; + XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); totalSz += seqSz[5]; + XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); totalSz += seqSz[4]; + XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); totalSz += seqSz[3]; + XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); totalSz += seqSz[2]; XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); totalSz += (word32)sizeof(NonceObjId); - XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); - totalSz += seqSz[0]; - XMEMCPY(output + totalSz, nonce, nonceSz); - totalSz += nonceSz; + XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); totalSz += seqSz[1]; + XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); totalSz += seqSz[0]; + XMEMCPY(output + totalSz, req->nonce, req->nonceSz); + totalSz += req->nonceSz; } return totalSz; @@ -8865,8 +8852,7 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) extSz = 0; if (req->nonceSz) - extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, - req->nonce, req->nonceSz); + extSz = EncodeOcspRequestExtensions(req, extArray, MAX_OCSP_EXT_SZ); totalSz = algoSz + issuerSz + issuerKeySz + snSz; for (i = 4; i >= 0; i--) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ee961573e..76f7f108a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1576,13 +1576,14 @@ WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); typedef struct { byte status_type; + byte options; union { OcspRequest ocsp; } request; } CertificateStatusRequest; WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, - byte status_type); + byte status_type, byte options); WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index b507df897..5243dabb2 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1413,14 +1413,19 @@ enum { WOLFSSL_CSR_OCSP = 1 }; +/* Certificate Status Options (flags) */ +enum { + WOLFSSL_CSR_OCSP_USE_NONCE = 0x01 +}; + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST #ifndef NO_WOLFSSL_CLIENT WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, - unsigned char status_type); + unsigned char status_type, unsigned char options); WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, - unsigned char status_type); + unsigned char status_type, unsigned char options); #endif #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index f18402e35..76832d9a6 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -188,7 +188,7 @@ enum Misc_ASN { MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ - MAX_OCSP_NONCE_SZ = 18, /* OCSP Nonce size */ + MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */ EIGHTK_BUF = 8192, /* Tmp buffer size */ MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2, /* use bigger NTRU size */ @@ -722,9 +722,11 @@ struct OcspRequest { WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*); -WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte); -WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); -WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32); +WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte); +WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); +WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32); +WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32); + WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*); From f37ea955ecce42e5f46d668a4afc4a4dd03d9b61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 26 Oct 2015 19:33:35 -0300 Subject: [PATCH 006/177] improves OCSP response signature verification; MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit reference: RFC 2560 - Section 4.2.2.2 Authorized Responders: The key that signs a certificate’s status information need not be the same key that signed the certificate. It is necessary however to ensure that the entity signing this information is authorized to do so. Therefore, a certificate’s issuer MUST either sign the OCSP responses itself or it MUST explicitly designate this authority to another entity. --- src/internal.c | 2 +- src/ocsp.c | 2 +- wolfcrypt/src/asn.c | 26 ++++++++++++++++++++------ wolfssl/wolfcrypt/asn.h | 2 +- 4 files changed, 23 insertions(+), 9 deletions(-) diff --git a/src/internal.c b/src/internal.c index ce5f1326d..7c7ef3774 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4846,7 +4846,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, InitOcspResponse(response, status, input +*inOutIdx, status_length); - if ((ret = OcspResponseDecode(response)) == 0) { + if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) { if (response->responseStatus != OCSP_SUCCESSFUL) ret = BAD_CERTIFICATE_STATUS_ERROR; else if (CompareOcspReqResp(request, response) != 0) diff --git a/src/ocsp.c b/src/ocsp.c index aa1a97252..567a67de8 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -294,7 +294,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) XMEMSET(newStatus, 0, sizeof(CertStatus)); InitOcspResponse(ocspResponse, newStatus, response, ret); - OcspResponseDecode(ocspResponse); + OcspResponseDecode(ocspResponse, ocsp->cm); if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) ret = OCSP_LOOKUP_FAIL; diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 57a5c38af..90e9e19b6 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8645,12 +8645,13 @@ static int DecodeCerts(byte* source, return 0; } -static int DecodeBasicOcspResponse(byte* source, - word32* ioIndex, OcspResponse* resp, word32 size) +static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, + OcspResponse* resp, word32 size, void* cm) { int length; word32 idx = *ioIndex; word32 end_index; + int ret; WOLFSSL_ENTER("DecodeBasicOcspResponse"); @@ -8686,13 +8687,12 @@ static int DecodeBasicOcspResponse(byte* source, if (idx < end_index) { DecodedCert cert; - int ret; if (DecodeCerts(source, &idx, resp, size) < 0) return ASN_PARSE_E; InitDecodedCert(&cert, resp->cert, resp->certSz, 0); - ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0); + ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm); if (ret < 0) return ret; @@ -8707,6 +8707,20 @@ static int DecodeBasicOcspResponse(byte* source, return ASN_OCSP_CONFIRM_E; } } + else { + Signer* ca = GetCA(cm, resp->issuerHash); + + if (ca) + ret = ConfirmSignature(resp->response, resp->responseSz, + ca->publicKey, ca->pubKeySize, ca->keyOID, + resp->sig, resp->sigSz, resp->sigOID, NULL); + + if (!ca || ret == 0) + { + WOLFSSL_MSG("\tOCSP Confirm signature failed"); + return ASN_OCSP_CONFIRM_E; + } + } *ioIndex = idx; return 0; @@ -8735,7 +8749,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status, } -int OcspResponseDecode(OcspResponse* resp) +int OcspResponseDecode(OcspResponse* resp, void* cm) { int length = 0; word32 idx = 0; @@ -8779,7 +8793,7 @@ int OcspResponseDecode(OcspResponse* resp) if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0) + if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0) return ASN_PARSE_E; return 0; diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 76832d9a6..b1a132514 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -720,7 +720,7 @@ struct OcspRequest { WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); -WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*); +WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*); WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte); WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); From cddebfa94173ef9c682d796e9fa13fd959a6a3a6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Tue, 27 Oct 2015 19:17:18 -0300 Subject: [PATCH 007/177] changes --enable-statusrequest to --enable-ocspstapling --- configure.ac | 202 ++++++++++++++++++++------------------- examples/client/client.c | 3 + 2 files changed, 108 insertions(+), 97 deletions(-) diff --git a/configure.ac b/configure.ac index 6a7574b7a..f4a8614ca 100644 --- a/configure.ac +++ b/configure.ac @@ -1595,9 +1595,9 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC" fi -# Certificate Status Request : a.k.a. OCSP stapling -AC_ARG_ENABLE([statusrequest], - [ --enable-statusrequest Enable Certificate Status Request (default: disabled)], +# Certificate Status Request : a.k.a. OCSP Stapling +AC_ARG_ENABLE([ocspstapling], + [AS_HELP_STRING([--enable-ocspstapling],[Enable Certificate Status Request - a.k.a. OCSP Stapling (default: disabled)])], [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ], [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] ) @@ -1605,6 +1605,14 @@ AC_ARG_ENABLE([statusrequest], if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST" + + # Requires OCSP make sure on + if test "x$ENABLED_OCSP" = "xno" + then + ENABLED_OCSP="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" + AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + fi fi # Renegotiation Indication - (FAKE Secure Renegotiation) @@ -2421,101 +2429,101 @@ done < $OPTION_FILE echo "---" echo "Configuration summary for $PACKAGE_NAME version $VERSION" echo "" -echo " * Installation prefix: $prefix" -echo " * System type: $host_vendor-$host_os" -echo " * Host CPU: $host_cpu" -echo " * C Compiler: $CC" -echo " * C Flags: $CFLAGS" -echo " * C++ Compiler: $CXX" -echo " * C++ Flags: $CXXFLAGS" -echo " * CPP Flags: $CPPFLAGS" -echo " * LIB Flags: $LIB" -echo " * Debug enabled: $ax_enable_debug" -echo " * Warnings as failure: $ac_cv_warnings_as_errors" -echo " * make -j: $enable_jobserver" -echo " * VCS checkout: $ac_cv_vcs_checkout" +echo " * Installation prefix: $prefix" +echo " * System type: $host_vendor-$host_os" +echo " * Host CPU: $host_cpu" +echo " * C Compiler: $CC" +echo " * C Flags: $CFLAGS" +echo " * C++ Compiler: $CXX" +echo " * C++ Flags: $CXXFLAGS" +echo " * CPP Flags: $CPPFLAGS" +echo " * LIB Flags: $LIB" +echo " * Debug enabled: $ax_enable_debug" +echo " * Warnings as failure: $ac_cv_warnings_as_errors" +echo " * make -j: $enable_jobserver" +echo " * VCS checkout: $ac_cv_vcs_checkout" echo echo " Features " -echo " * Single threaded: $ENABLED_SINGLETHREADED" -echo " * Filesystem: $ENABLED_FILESYSTEM" -echo " * OpenSSH Build: $ENABLED_OPENSSH" -echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" -echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" -echo " * fastmath: $ENABLED_FASTMATH" -echo " * sniffer: $ENABLED_SNIFFER" -echo " * snifftest: $ENABLED_SNIFFTEST" -echo " * ARC4: $ENABLED_ARC4" -echo " * AES: $ENABLED_AES" -echo " * AES-NI: $ENABLED_AESNI" -echo " * AES-GCM: $ENABLED_AESGCM" -echo " * AES-CCM: $ENABLED_AESCCM" -echo " * DES3: $ENABLED_DES3" -echo " * IDEA: $ENABLED_IDEA" -echo " * Camellia: $ENABLED_CAMELLIA" -echo " * NULL Cipher: $ENABLED_NULL_CIPHER" -echo " * MD5: $ENABLED_MD5" -echo " * RIPEMD: $ENABLED_RIPEMD" -echo " * SHA: $ENABLED_SHA" -echo " * SHA-512: $ENABLED_SHA512" -echo " * BLAKE2: $ENABLED_BLAKE2" -echo " * keygen: $ENABLED_KEYGEN" -echo " * certgen: $ENABLED_CERTGEN" -echo " * certreq: $ENABLED_CERTREQ" -echo " * certext: $ENABLED_CERTEXT" -echo " * HC-128: $ENABLED_HC128" -echo " * RABBIT: $ENABLED_RABBIT" -echo " * CHACHA: $ENABLED_CHACHA" -echo " * Hash DRBG: $ENABLED_HASHDRBG" -echo " * PWDBASED: $ENABLED_PWDBASED" -echo " * wolfCrypt Only: $ENABLED_CRYPTONLY" -echo " * HKDF: $ENABLED_HKDF" -echo " * MD4: $ENABLED_MD4" -echo " * PSK: $ENABLED_PSK" -echo " * Poly1305: $ENABLED_POLY1305" -echo " * LEANPSK: $ENABLED_LEANPSK" -echo " * RSA: $ENABLED_RSA" -echo " * DSA: $ENABLED_DSA" -echo " * DH: $ENABLED_DH" -echo " * ECC: $ENABLED_ECC" -echo " * CURVE25519: $ENABLED_CURVE25519" -echo " * ED25519: $ENABLED_ED25519" -echo " * FPECC: $ENABLED_FPECC" -echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT" -echo " * ASN: $ENABLED_ASN" -echo " * Anonymous cipher: $ENABLED_ANON" -echo " * CODING: $ENABLED_CODING" -echo " * MEMORY: $ENABLED_MEMORY" -echo " * I/O POOL: $ENABLED_IOPOOL" -echo " * LIGHTY: $ENABLED_LIGHTY" -echo " * STUNNEL: $ENABLED_STUNNEL" -echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" -echo " * DTLS: $ENABLED_DTLS" -echo " * Old TLS Versions: $ENABLED_OLD_TLS" -echo " * SSL version 3.0: $ENABLED_SSLV3" -echo " * OCSP: $ENABLED_OCSP" -echo " * CRL: $ENABLED_CRL" -echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" -echo " * Persistent session cache: $ENABLED_SAVESESSION" -echo " * Persistent cert cache: $ENABLED_SAVECERT" -echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" -echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" -echo " * NTRU: $ENABLED_NTRU" -echo " * Server Name Indication: $ENABLED_SNI" -echo " * ALPN: $ENABLED_ALPN" -echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" -echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" -echo " * Status Request: $ENABLED_CERTIFICATE_STATUS_REQUEST" -echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" -echo " * Session Ticket: $ENABLED_SESSION_TICKET" -echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" -echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" -echo " * All TLS Extensions: $ENABLED_TLSX" -echo " * PKCS#7 $ENABLED_PKCS7" -echo " * wolfSCEP $ENABLED_WOLFSCEP" -echo " * Secure Remote Password $ENABLED_SRP" -echo " * Small Stack: $ENABLED_SMALL_STACK" -echo " * valgrind unit tests: $ENABLED_VALGRIND" -echo " * LIBZ: $ENABLED_LIBZ" -echo " * Examples: $ENABLED_EXAMPLES" +echo " * Single threaded: $ENABLED_SINGLETHREADED" +echo " * Filesystem: $ENABLED_FILESYSTEM" +echo " * OpenSSH Build: $ENABLED_OPENSSH" +echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" +echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" +echo " * fastmath: $ENABLED_FASTMATH" +echo " * sniffer: $ENABLED_SNIFFER" +echo " * snifftest: $ENABLED_SNIFFTEST" +echo " * ARC4: $ENABLED_ARC4" +echo " * AES: $ENABLED_AES" +echo " * AES-NI: $ENABLED_AESNI" +echo " * AES-GCM: $ENABLED_AESGCM" +echo " * AES-CCM: $ENABLED_AESCCM" +echo " * DES3: $ENABLED_DES3" +echo " * IDEA: $ENABLED_IDEA" +echo " * Camellia: $ENABLED_CAMELLIA" +echo " * NULL Cipher: $ENABLED_NULL_CIPHER" +echo " * MD5: $ENABLED_MD5" +echo " * RIPEMD: $ENABLED_RIPEMD" +echo " * SHA: $ENABLED_SHA" +echo " * SHA-512: $ENABLED_SHA512" +echo " * BLAKE2: $ENABLED_BLAKE2" +echo " * keygen: $ENABLED_KEYGEN" +echo " * certgen: $ENABLED_CERTGEN" +echo " * certreq: $ENABLED_CERTREQ" +echo " * certext: $ENABLED_CERTEXT" +echo " * HC-128: $ENABLED_HC128" +echo " * RABBIT: $ENABLED_RABBIT" +echo " * CHACHA: $ENABLED_CHACHA" +echo " * Hash DRBG: $ENABLED_HASHDRBG" +echo " * PWDBASED: $ENABLED_PWDBASED" +echo " * wolfCrypt Only: $ENABLED_CRYPTONLY" +echo " * HKDF: $ENABLED_HKDF" +echo " * MD4: $ENABLED_MD4" +echo " * PSK: $ENABLED_PSK" +echo " * Poly1305: $ENABLED_POLY1305" +echo " * LEANPSK: $ENABLED_LEANPSK" +echo " * RSA: $ENABLED_RSA" +echo " * DSA: $ENABLED_DSA" +echo " * DH: $ENABLED_DH" +echo " * ECC: $ENABLED_ECC" +echo " * CURVE25519: $ENABLED_CURVE25519" +echo " * ED25519: $ENABLED_ED25519" +echo " * FPECC: $ENABLED_FPECC" +echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT" +echo " * ASN: $ENABLED_ASN" +echo " * Anonymous cipher: $ENABLED_ANON" +echo " * CODING: $ENABLED_CODING" +echo " * MEMORY: $ENABLED_MEMORY" +echo " * I/O POOL: $ENABLED_IOPOOL" +echo " * LIGHTY: $ENABLED_LIGHTY" +echo " * STUNNEL: $ENABLED_STUNNEL" +echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" +echo " * DTLS: $ENABLED_DTLS" +echo " * Old TLS Versions: $ENABLED_OLD_TLS" +echo " * SSL version 3.0: $ENABLED_SSLV3" +echo " * OCSP: $ENABLED_OCSP" +echo " * CRL: $ENABLED_CRL" +echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" +echo " * Persistent session cache: $ENABLED_SAVESESSION" +echo " * Persistent cert cache: $ENABLED_SAVECERT" +echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" +echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" +echo " * NTRU: $ENABLED_NTRU" +echo " * Server Name Indication: $ENABLED_SNI" +echo " * ALPN: $ENABLED_ALPN" +echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" +echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" +echo " * Certificate Status Request: $ENABLED_CERTIFICATE_STATUS_REQUEST" +echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" +echo " * Session Ticket: $ENABLED_SESSION_TICKET" +echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" +echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" +echo " * All TLS Extensions: $ENABLED_TLSX" +echo " * PKCS#7 $ENABLED_PKCS7" +echo " * wolfSCEP $ENABLED_WOLFSCEP" +echo " * Secure Remote Password $ENABLED_SRP" +echo " * Small Stack: $ENABLED_SMALL_STACK" +echo " * valgrind unit tests: $ENABLED_VALGRIND" +echo " * LIBZ: $ENABLED_LIBZ" +echo " * Examples: $ENABLED_EXAMPLES" echo "" echo "---" diff --git a/examples/client/client.c b/examples/client/client.c index edfd05b6f..4292df34f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -348,6 +348,9 @@ static void Usage(void) printf("-o Perform OCSP lookup on peer certificate\n"); printf("-O Perform OCSP lookup using as responder\n"); #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + printf("-W Use OCSP Stapling\n"); +#endif #ifdef ATOMIC_USER printf("-U Atomic User Record Layer Callbacks\n"); #endif From 071a452bec4b981ce236a0a3243c528ce8149750 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Wed, 28 Oct 2015 12:20:20 -0300 Subject: [PATCH 008/177] fix indentation and enum conflict --- wolfcrypt/src/asn.c | 26 ++++++++++++++++++++------ wolfssl/wolfcrypt/types.h | 2 +- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 90e9e19b6..e6ef3e241 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8824,14 +8824,28 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) if (totalSz < size) { totalSz = 0; - XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); totalSz += seqSz[5]; - XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); totalSz += seqSz[4]; - XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); totalSz += seqSz[3]; - XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); totalSz += seqSz[2]; + + XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); + totalSz += seqSz[5]; + + XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); + totalSz += seqSz[4]; + + XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); + totalSz += seqSz[3]; + + XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); + totalSz += seqSz[2]; + XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); totalSz += (word32)sizeof(NonceObjId); - XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); totalSz += seqSz[1]; - XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); totalSz += seqSz[0]; + + XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); + totalSz += seqSz[1]; + + XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); + totalSz += seqSz[0]; + XMEMCPY(output + totalSz, req->nonce, req->nonceSz); totalSz += req->nonceSz; } diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 9532c26d9..8e49678c0 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -287,7 +287,7 @@ DYNAMIC_TYPE_HASHES = 46, DYNAMIC_TYPE_SRP = 47, DYNAMIC_TYPE_COOKIE_PWD = 48, - DYNAMIC_TYPE_OCSP_REQUEST = 49, + DYNAMIC_TYPE_OCSP_REQUEST = 50 }; /* max error buffer string size */ From 3e9fd1c5428a21579df65afbcf7046956362e5e1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Wed, 28 Oct 2015 14:34:15 -0300 Subject: [PATCH 009/177] Merge branch 'master' into csr Conflicts: configure.ac wolfssl/wolfcrypt/types.h --- .gitignore | 16 + Makefile.am | 11 + configure.ac | 208 +- examples/client/include.am | 2 +- examples/echoclient/include.am | 2 +- examples/echoserver/include.am | 2 +- examples/server/include.am | 2 +- examples/server/server.c | 2 +- src/include.am | 23 +- src/internal.c | 8 + src/ssl.c | 14 +- sslSniffer/sslSnifferTest/include.am | 2 +- tests/include.am | 2 +- testsuite/include.am | 2 +- wolfcrypt/benchmark/benchmark.c | 4 +- wolfcrypt/benchmark/include.am | 2 +- wolfcrypt/src/asn.c | 30 +- wolfcrypt/src/wc_port.c | 24 + wolfcrypt/test/include.am | 2 +- wolfcrypt/user-crypto/Makefile.am | 9 + wolfcrypt/user-crypto/README.txt | 77 + wolfcrypt/user-crypto/autogen.sh | 23 + wolfcrypt/user-crypto/configure.ac | 44 + wolfcrypt/user-crypto/include/user_rsa.h | 129 ++ wolfcrypt/user-crypto/lib/.gitkeep | 0 wolfcrypt/user-crypto/src/rsa.c | 2352 ++++++++++++++++++++++ wolfssl/ssl.h | 4 + wolfssl/wolfcrypt/error-crypt.h | 2 + wolfssl/wolfcrypt/integer.h | 5 + wolfssl/wolfcrypt/rsa.h | 11 +- wolfssl/wolfcrypt/tfm.h | 5 + wolfssl/wolfcrypt/types.h | 1 + wolfssl/wolfcrypt/wc_port.h | 2 + 33 files changed, 2996 insertions(+), 26 deletions(-) create mode 100644 wolfcrypt/user-crypto/Makefile.am create mode 100644 wolfcrypt/user-crypto/README.txt create mode 100755 wolfcrypt/user-crypto/autogen.sh create mode 100644 wolfcrypt/user-crypto/configure.ac create mode 100644 wolfcrypt/user-crypto/include/user_rsa.h create mode 100644 wolfcrypt/user-crypto/lib/.gitkeep create mode 100644 wolfcrypt/user-crypto/src/rsa.c diff --git a/.gitignore b/.gitignore index 15ee851d8..dd3e2058e 100644 --- a/.gitignore +++ b/.gitignore @@ -152,3 +152,19 @@ mqx/wolfcrypt_test/SaAnalysispointsManager.apconfig mqx/wolfcrypt_benchmark/.settings mqx/wolfcrypt_benchmark/.cwGeneratedFileSetLog mqx/wolfcrypt_benchmark/SaAnalysispointsManager.apconfig + +# User Crypto example build +wolfcrypt/user-crypto/aclocal.m4 +wolfcrypt/user-crypto/config.guess +wolfcrypt/user-crypto/autom4te.cache +wolfcrypt/user-crypto/config.log +wolfcrypt/user-crypto/config.status +wolfcrypt/user-crypto/config.sub +wolfcrypt/user-crypto/depcomp +wolfcrypt/user-crypto/install-sh +wolfcrypt/user-crypto/libtool +wolfcrypt/user-crypto/ltmain.sh +wolfcrypt/user-crypto/m4 +wolfcrypt/user-crypto/missing +wolfcrypt/user-crypto/Makefile.in +wolfcrypt/user-crypto/lib/libusercrypto.* diff --git a/Makefile.am b/Makefile.am index 6f0457615..687895e34 100644 --- a/Makefile.am +++ b/Makefile.am @@ -17,6 +17,7 @@ BUILT_SOURCES= EXTRA_DIST= dist_doc_DATA= dist_noinst_SCRIPTS = +noinst_SCRIPTS = check_SCRIPTS = #includes additional rules from aminclude.am @@ -58,6 +59,16 @@ EXTRA_DIST+= gencertbuf.pl EXTRA_DIST+= README.md EXTRA_DIST+= LICENSING EXTRA_DIST+= INSTALL +EXTRA_DIST+= IPP/ + +# user crypto plug in example +EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac +EXTRA_DIST+= wolfcrypt/user-crypto/autogen.sh +EXTRA_DIST+= wolfcrypt/user-crypto/include/user_rsa.h +EXTRA_DIST+= wolfcrypt/user-crypto/src/rsa.c +EXTRA_DIST+= wolfcrypt/user-crypto/lib/.gitkeep +EXTRA_DIST+= wolfcrypt/user-crypto/README.txt +EXTRA_DIST+= wolfcrypt/user-crypto/Makefile.am include cyassl/include.am include wolfssl/include.am diff --git a/configure.ac b/configure.ac index f4a8614ca..0e439de43 100644 --- a/configure.ac +++ b/configure.ac @@ -106,6 +106,8 @@ OPTIMIZE_CFLAGS="-Os -fomit-frame-pointer" OPTIMIZE_FAST_CFLAGS="-O2 -fomit-frame-pointer" OPTIMIZE_HUGE_CFLAGS="-funroll-loops -DTFM_SMALL_SET -DTFM_HUGE_SET" DEBUG_CFLAGS="-g -DDEBUG -DDEBUG_WOLFSSL" +LIB_ADD= +LIB_STATIC_ADD= thread_ls_on=no # Thread local storage @@ -1499,11 +1501,68 @@ fi AM_CONDITIONAL([BUILD_CRL_MONITOR], [test "x$ENABLED_CRL_MONITOR" = "xyes"]) +# USER CRYPTO +ENABLED_USER_CRYPTO="no" +ENABLED_USER_RSA="no" +AC_DEFINE([BUILD_USER_RSA], [], [User RSA is being defined]) +trycryptodir="" +AC_ARG_WITH([user-crypto], + [AS_HELP_STRING([--with-user-crypto=PATH],[Path to USER_CRYPTO install (default /usr/local)])], + [ + CPPFLAGS="$CPPFLAGS -DHAVE_USER_CRYPTO" + LIBS="$LIBS -lusercrypto" + + if test "x$withval" != "xno" ; then + trycryptodir=$withval + fi + if test "x$withval" == "xyes" ; then + trycryptodir="/usr/local" + fi + + LDFLAGS="$LDFLAGS -L$trycryptodir/lib" + CPPFLAGS="$CPPFLAGS -I$trycryptodir/include" + + #Look for RSA Init function in usercrypto lib + AC_CHECK_LIB([usercrypto], [wc_InitRsaKey], [user_rsa_linked=yes], [user_rsa_linked=no]) + + if test "x$user_rsa_linked" == "xyes" ; then + AC_MSG_NOTICE([User user_rsa.h being used]) + AM_CFLAGS="$AM_CFLAGS -DHAVE_USER_RSA" + ENABLED_USER_RSA=yes + ENABLED_USER_CRYPTO=yes + fi + + + #Display check and find result of link attempts + AC_MSG_CHECKING([for USER_CRYPTO]) + if test "x$ENABLED_USER_CRYPTO" == "xno" ; then + AC_MSG_RESULT([no]) + AC_MSG_ERROR([USER_CRYPTO not found. Either move to /usr/include and /usr/lib or + Specify its path using --with-user-crypto=/dir/]) + else + AC_MSG_RESULT([yes]) + # Check if .la is available if not then rely on exported path + AC_CHECK_FILE($trycryptodir/lib/libusercrypto.la, [LIB_ADD="$trycryptodir/lib/libusercrypto.la $LIB_ADD"], [LIB_ADD="-lusercrypto $LIB_ADD"]) + AM_LDFLAGS="$AM_LDFLAGS -L$trycryptodir/lib" + AM_CFLAGS="$AM_CFLAGS -DHAVE_USER_CRYPTO" + fi + ] +) + +AM_CONDITIONAL([BUILD_USER_RSA], [test "x$ENABLED_USER_RSA" == "xyes"] ) +AM_CONDITIONAL([BUILD_USER_CRYPTO], [test "x$ENABLED_USER_CRYPTO" = "xyes"]) + +if test "$ENABLED_USER_CRYPTO" = "yes" && test "$ENABLED_FIPS" = "yes" +then + AC_MSG_ERROR([cannot enable user crypto and fips, user crypto posibility of using code in fips boundary.]) +fi + + # NTRU ENABLED_NTRU="no" tryntrudir="" AC_ARG_WITH([ntru], - [ --with-ntru=PATH Path to NTRU install (default /usr/) ], + [AS_HELP_STRING([--with-ntru=PATH],[Path to NTRU install (default /usr/)])], [ AC_MSG_CHECKING([for NTRU]) CPPFLAGS="$CPPFLAGS -DHAVE_NTRU -DHAVE_QSH -DHAVE_TLS_EXTENSIONS" @@ -1519,7 +1578,7 @@ AC_ARG_WITH([ntru], tryntrudir="/usr" fi - LDFLAGS="$AM_LDFLAGS -L$tryntrudir/lib" + LDFLAGS="$AM_LDFLAGS $LDFLAGS -L$tryntrudir/lib" CPPFLAGS="$CPPFLAGS -I$tryntrudir/include" AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include ]], [[ ntru_crypto_drbg_instantiate(0, 0, 0, 0, 0); ]])], [ ntru_linked=yes ],[ ntru_linked=no ]) @@ -2221,6 +2280,147 @@ AC_ARG_WITH([cavium], ) +# Fast RSA using Intel IPP +ippdir="${srcdir}/IPP" +ipplib="lib" # if autoconf guesses 32 changes lib directory +fastRSA_headers=no + +# set up variables used +IPPLIBS= +IPPHEADERS= +IPPLINK= + +AC_ARG_ENABLE([fast-rsa], + [AS_HELP_STRING([--enable-fast-rsa],[Enable RSA using Intel IPP (default: disabled)])], + [ ENABLED_FAST_RSA=$enableval ], + [ ENABLED_FAST_RSA=no ], + ) + +if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then + +if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then + if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then + ipplib="lib_32" # 32 bit OS detected + fi + + case $host_os in + *darwin*) + ipplib="$ipplib/mac_static" + AC_MSG_ERROR([Issue with static linking to libippcp.a on Mac. + Dynamic IPP libraries supported on Mac]) + break;; + + *linux*) + ipplib="$ipplib/linux_static" + break;; + *) + ENABLED_FAST_RSA=no + esac + + AC_CHECK_FILES([$srcdir/IPP/$ipplib/libippcore.a $srcdir/IPP/$ipplib/libippcp.a], [], [ENABLED_FAST_RSA=no]) + AC_CHECK_FILES([$srcdir/IPP/include/ipp.h $srcdir/IPP/include/ippcp.h], [AM_CPPFLAGS="-I$srcdir/IPP/include $AM_CPPFLAGS"], [ENABLED_FAST_RSA=no]) + LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a" + if test "$ENABLED_FAST_RSA" = "no"; then + AC_MSG_ERROR([Could not find fast rsa libraries]) + fi +else +# just check link and see if user has already exported paths +if test "$ENABLED_FAST_RSA" = "yes" + then + AC_MSG_NOTICE([Checking if IPP crypto library installed]) + AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [LIBS="$LIBS -lippcore"; fastRSA_headers=yes], [AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]); fastRSA_headers=no])], [fastRSA_headers=no]) + if test "$fastRSA_headers" = "yes"; then + AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp" + fi +fi + +# Don't cache the result so it can be checked again +AS_UNSET([ac_cv_header_ippcp_h]) +AS_UNSET([ac_cv_header_ipp_h]) + +if test "$fastRSA_headers" = "no"; then +dnl set default paths +if test "$ENABLED_FAST_RSA" = "yes"; then + AC_MSG_NOTICE([Using local IPP crypto library]) + # build and default locations on linux and mac + STORE_LDFLAGS=${LDFLAGS} + STORE_CPPFLAGS=${CPPFLAGS} + if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then + ipplib="lib_32" # 32 bit OS detected + fi + # using LDFLAGS instead of AM_ temporarily to test link to library + LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore" + CPPFLAGS="-I$ippdir/include" + AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [], [ENABLED_FAST_RSA=no])], [ENABLED_FAST_RSA=no]) + + if test "$ENABLED_FAST_RSA" = "yes"; then + # was succesfull so add tested LDFLAGS to AM_ flags + AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}" + AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}" + + case $host_os in + *darwin*) + name="$ippdir/$ipplib/libippcp" + IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib" + IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib" + break;; + + *linux*) + if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then + name="$ippdir/$ipplib/libippcp" + IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so" + IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0" + else + name="$ippdir/$ipplib/libippcp" + IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so" + IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0" + fi + break;; + *) + ENABLED_FAST_RSA=no + esac + fi + # restore LDFLAGS to user set + LDFLAGS=${STORE_LDFLAGS} + CPPFLAGS=${STORE_CPPFLAGS} + IPPHEADERS="${srcdir}/IPP/include/*.h" + + # Error out on not finding libraries + if test "$ENABLED_FAST_RSA" = "no"; then + AC_MSG_ERROR([Could not find fast rsa libraries]) + fi +fi +fi # end of if found exported paths +fi # end of if for shared library +else # if user rsa is set than do not use fast rsa option + if test "$ENABLED_FAST_RSA" = "yes"; then + AC_MSG_ERROR([Could not use fast rsa libraries with user crypto or fips]) + fi +fi # end of if for user rsa crypto + +AC_MSG_CHECKING([for fast RSA]) +if test "$ENABLED_FAST_RSA" = "yes"; then + AM_CFLAGS="$AM_CFLAGS -DHAVE_FAST_RSA -DHAVE_USER_RSA" + # add in user crypto header that uses Intel IPP + AM_CPPFLAGS="$AM_CPPFLAGS -I$srcdir/wolfcrypt/user-crypto/include" + if test "$enable_shared" = "yes"; then + LIBS="$LIBS -lippcore" + LIB_ADD="-lippcp -lippcore $LIB_ADD" + else + LIB_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_ADD" + fi + AC_MSG_RESULT([yes]) +else + AC_MSG_RESULT([no]) +fi + +AC_SUBST([IPPLIBS]) +AC_SUBST([IPPHEADERS]) +AC_SUBST([IPPLINK]) +# Found IPP library now build in user crypto to use it +AM_CONDITIONAL([BUILD_FAST_RSA], [test "x$ENABLED_FAST_RSA" = "xyes"]) + + # microchip api AC_ARG_ENABLE([mcapi], [ --enable-mcapi Enable Microchip API (default: disabled)], @@ -2320,6 +2520,8 @@ CREATE_HEX_VERSION AC_SUBST([AM_CPPFLAGS]) AC_SUBST([AM_CFLAGS]) AC_SUBST([AM_LDFLAGS]) +AC_SUBST([LIB_ADD]) +AC_SUBST([LIB_STATIC_ADD]) # FINAL AC_CONFIG_FILES([stamp-h], [echo timestamp > stamp-h]) @@ -2525,5 +2727,7 @@ echo " * Small Stack: $ENABLED_SMALL_STACK" echo " * valgrind unit tests: $ENABLED_VALGRIND" echo " * LIBZ: $ENABLED_LIBZ" echo " * Examples: $ENABLED_EXAMPLES" +echo " * User Crypto: $ENABLED_USER_CRYPTO" +echo " * Fast RSA: $ENABLED_FAST_RSA" echo "" echo "---" diff --git a/examples/client/include.am b/examples/client/include.am index d0ddcdfaa..862cdfa08 100644 --- a/examples/client/include.am +++ b/examples/client/include.am @@ -5,7 +5,7 @@ if BUILD_EXAMPLES noinst_PROGRAMS += examples/client/client noinst_HEADERS += examples/client/client.h examples_client_client_SOURCES = examples/client/client.c -examples_client_client_LDADD = src/libwolfssl.la +examples_client_client_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) examples_client_client_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += examples/client/client.sln diff --git a/examples/echoclient/include.am b/examples/echoclient/include.am index 179cf9907..f0d5868c2 100644 --- a/examples/echoclient/include.am +++ b/examples/echoclient/include.am @@ -7,7 +7,7 @@ if BUILD_EXAMPLES noinst_PROGRAMS += examples/echoclient/echoclient noinst_HEADERS += examples/echoclient/echoclient.h examples_echoclient_echoclient_SOURCES = examples/echoclient/echoclient.c -examples_echoclient_echoclient_LDADD = src/libwolfssl.la +examples_echoclient_echoclient_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) examples_echoclient_echoclient_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += examples/echoclient/echoclient.sln diff --git a/examples/echoserver/include.am b/examples/echoserver/include.am index a84312191..767da6c46 100644 --- a/examples/echoserver/include.am +++ b/examples/echoserver/include.am @@ -7,7 +7,7 @@ if BUILD_EXAMPLES noinst_PROGRAMS += examples/echoserver/echoserver noinst_HEADERS += examples/echoserver/echoserver.h examples_echoserver_echoserver_SOURCES = examples/echoserver/echoserver.c -examples_echoserver_echoserver_LDADD = src/libwolfssl.la +examples_echoserver_echoserver_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) examples_echoserver_echoserver_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += examples/echoserver/echoserver.sln diff --git a/examples/server/include.am b/examples/server/include.am index bd7037682..f42490591 100644 --- a/examples/server/include.am +++ b/examples/server/include.am @@ -7,7 +7,7 @@ if BUILD_EXAMPLES noinst_PROGRAMS += examples/server/server noinst_HEADERS += examples/server/server.h examples_server_server_SOURCES = examples/server/server.c -examples_server_server_LDADD = src/libwolfssl.la +examples_server_server_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) examples_server_server_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += examples/server/server.sln diff --git a/examples/server/server.c b/examples/server/server.c index 8b648c622..d3baeb076 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -125,7 +125,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int throughput) int ret = 0; char* buffer = (char*)malloc(TEST_BUFFER_SIZE); if(buffer) { - double start, rx_time = 0, tx_time = 0; + double start = 0, rx_time = 0, tx_time = 0; int xfer_bytes = 0; while((echoData && throughput == 0) || (!echoData && xfer_bytes < throughput)) { int select_ret = tcp_select(clientfd, 1); /* Timeout=1 second */ diff --git a/src/include.am b/src/include.am index d2605a797..a442f4b63 100644 --- a/src/include.am +++ b/src/include.am @@ -4,12 +4,25 @@ lib_LTLIBRARIES+= src/libwolfssl.la src_libwolfssl_la_SOURCES = - src_libwolfssl_la_LDFLAGS = ${AM_LDFLAGS} -no-undefined -version-info ${WOLFSSL_LIBRARY_VERSION} -src_libwolfssl_la_LIBADD = $(LIBM) +src_libwolfssl_la_LIBADD = $(LIBM) $(LIB_ADD) $(LIB_STATIC_ADD) src_libwolfssl_la_CFLAGS = -DBUILDING_WOLFSSL $(AM_CFLAGS) src_libwolfssl_la_CPPFLAGS = -DBUILDING_WOLFSSL $(AM_CPPFLAGS) +# install the packaged IPP libraries +if BUILD_FAST_RSA + +# Link needed IPP libraries +noinst_SCRIPTS+=IPP_links +IPP_links: + @$(IPPLINK) + +ippdir = $(libdir) +ipp_DATA = $(IPPLIBS) + +include_HEADERS+=$(IPPHEADERS) +endif # BUILD_FAST_RSA + # fips first file if BUILD_FIPS src_libwolfssl_la_SOURCES += ctaocrypt/src/wolfcrypt_first.c @@ -52,9 +65,15 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/sha256.c \ wolfcrypt/src/hash.c +if !BUILD_USER_RSA if BUILD_RSA +if BUILD_FAST_RSA +src_libwolfssl_la_SOURCES += wolfcrypt/user-crypto/src/rsa.c +else src_libwolfssl_la_SOURCES += wolfcrypt/src/rsa.c endif +endif +endif if BUILD_AES src_libwolfssl_la_SOURCES += wolfcrypt/src/aes.c diff --git a/src/internal.c b/src/internal.c index 7c7ef3774..1c6a4c6e4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2843,6 +2843,14 @@ static void AddRecordHeader(byte* output, word32 length, byte type, WOLFSSL* ssl rl->pvMajor = ssl->version.major; /* type and version same in each */ rl->pvMinor = ssl->version.minor; +#ifdef WOLFSSL_ALTERNATIVE_DOWNGRADE + if (ssl->options.side == WOLFSSL_CLIENT_END + && ssl->options.connectState == CONNECT_BEGIN + && !ssl->options.resuming) + rl->pvMinor = ssl->options.downgrade ? ssl->options.minDowngrade + : ssl->version.minor; +#endif + if (!ssl->options.dtls) c16toa((word16)length, rl->length); else { diff --git a/src/ssl.c b/src/ssl.c index 344e3c979..e8431550b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2335,7 +2335,6 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) #endif /* NO_SESSION_CACHE */ - int wolfSSL_Init(void) { int ret = SSL_SUCCESS; @@ -2355,6 +2354,11 @@ int wolfSSL_Init(void) WOLFSSL_MSG("Bad Lock Mutex count"); return BAD_MUTEX_E; } + + /* Initialize crypto for use with TLS connection */ + if (wolfcrypt_Init() != 0) + ret = WC_FAILURE_E; + initRefCount++; UnLockMutex(&count_mutex); } @@ -12588,7 +12592,8 @@ void wolfSSL_RSA_free(WOLFSSL_RSA* rsa) #endif /* NO_RSA */ -#if !defined(NO_RSA) || !defined(NO_DSA) +#if (!defined(NO_RSA) && !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA)) \ + || !defined(NO_DSA) || defined(HAVE_ECC) static int SetIndividualExternal(WOLFSSL_BIGNUM** bn, mp_int* mpi) { WOLFSSL_MSG("Entering SetIndividualExternal"); @@ -12740,7 +12745,8 @@ static int SetDsaInternal(WOLFSSL_DSA* dsa) #endif /* NO_DSA */ -#ifndef NO_RSA +#if !defined(NO_RSA) +#if !defined(HAVE_USER_RSA) && !defined(HAVE_FAST_RSA) /* WolfSSL -> OpenSSL */ static int SetRsaExternal(WOLFSSL_RSA* rsa) { @@ -12869,7 +12875,7 @@ static int SetRsaInternal(WOLFSSL_RSA* rsa) return SSL_SUCCESS; } - +#endif /* HAVE_USER_RSA */ /* return compliant with OpenSSL * 1 if success, 0 if error diff --git a/sslSniffer/sslSnifferTest/include.am b/sslSniffer/sslSnifferTest/include.am index 222777c7f..23de07f91 100644 --- a/sslSniffer/sslSnifferTest/include.am +++ b/sslSniffer/sslSnifferTest/include.am @@ -5,7 +5,7 @@ if BUILD_SNIFFTEST noinst_PROGRAMS += sslSniffer/sslSnifferTest/snifftest sslSniffer_sslSnifferTest_snifftest_SOURCES = sslSniffer/sslSnifferTest/snifftest.c -sslSniffer_sslSnifferTest_snifftest_LDADD = src/libwolfssl.la -lpcap +sslSniffer_sslSnifferTest_snifftest_LDADD = src/libwolfssl.la -lpcap $(LIB_STATIC_ADD) sslSniffer_sslSnifferTest_snifftest_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += sslSniffer/sslSniffer.vcproj diff --git a/tests/include.am b/tests/include.am index 802ec5ad1..2a3f9baf0 100644 --- a/tests/include.am +++ b/tests/include.am @@ -15,7 +15,7 @@ tests_unit_test_SOURCES = \ examples/client/client.c \ examples/server/server.c tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -tests_unit_test_LDADD = src/libwolfssl.la +tests_unit_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) tests_unit_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += tests/unit.h diff --git a/testsuite/include.am b/testsuite/include.am index 62edb4a30..86b6f9784 100644 --- a/testsuite/include.am +++ b/testsuite/include.am @@ -14,7 +14,7 @@ testsuite_testsuite_test_SOURCES = \ examples/server/server.c \ testsuite/testsuite.c testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -testsuite_testsuite_test_LDADD = src/libwolfssl.la +testsuite_testsuite_test_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) testsuite_testsuite_test_DEPENDENCIES = src/libwolfssl.la endif EXTRA_DIST += testsuite/testsuite.sln diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 5695a60df..fbcf360b2 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -244,6 +244,8 @@ int benchmark_test(void *args) { #endif + wolfcrypt_Init(); + #if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND) wolfSSL_Debugging_ON(); #endif @@ -259,7 +261,7 @@ int benchmark_test(void *args) printf("Cavium OpenNitroxDevice failed\n"); exit(-1); } -#endif /* HAVE_CAVIUM */ + #endif /* HAVE_CAVIUM */ #if defined(HAVE_LOCAL_RNG) { diff --git a/wolfcrypt/benchmark/include.am b/wolfcrypt/benchmark/include.am index db70ba79c..eee26235f 100644 --- a/wolfcrypt/benchmark/include.am +++ b/wolfcrypt/benchmark/include.am @@ -3,7 +3,7 @@ noinst_PROGRAMS += wolfcrypt/benchmark/benchmark wolfcrypt_benchmark_benchmark_SOURCES = wolfcrypt/benchmark/benchmark.c -wolfcrypt_benchmark_benchmark_LDADD = src/libwolfssl.la +wolfcrypt_benchmark_benchmark_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) wolfcrypt_benchmark_benchmark_DEPENDENCIES = src/libwolfssl.la EXTRA_DIST += wolfcrypt/benchmark/benchmark.sln EXTRA_DIST += wolfcrypt/benchmark/benchmark.vcproj diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index e6ef3e241..eecb57ba7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -806,6 +806,7 @@ static int CaviumRsaPrivateKeyDecode(const byte* input, word32* inOutIdx, #endif /* HAVE_CAVIUM */ +#ifndef HAVE_USER_RSA int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, word32 inSz) { @@ -835,7 +836,7 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, return 0; } - +#endif /* HAVE_USER_RSA */ #endif /* NO_RSA */ /* Remove PKCS8 header, move beginning of traditional to beginning of input */ @@ -1260,6 +1261,7 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) #ifndef NO_RSA +#ifndef HAVE_USER_RSA int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, word32 inSz) { @@ -1354,7 +1356,7 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, return 0; } - +#endif /* HAVE_USER_RSA */ #endif #ifndef NO_DH @@ -5055,7 +5057,9 @@ int wc_DerToPemEx(const byte* der, word32 derSz, byte* output, word32 outSz, #endif /* WOLFSSL_KEY_GEN || WOLFSSL_CERT_GEN */ -#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN)) +#if !defined(NO_RSA) && (defined(WOLFSSL_CERT_GEN) || (defined(WOLFSSL_KEY_GEN) && !defined(HAVE_USER_RSA))) +/* USER RSA ifdef portions used instead of refactor in consideration for + possible fips build */ /* Write a public RSA key to output */ static int SetRsaPublicKey(byte* output, RsaKey* key, int outLen, int with_header) @@ -5088,15 +5092,24 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, return MEMORY_E; #endif +#ifdef HAVE_USER_RSA + leadingBit = wc_Rsa_leading_bit(key->n); + rawLen = wc_Rsa_unsigned_bin_size(key->n) + leadingBit; +#else leadingBit = mp_leading_bit(&key->n); rawLen = mp_unsigned_bin_size(&key->n) + leadingBit; +#endif n[0] = ASN_INTEGER; nSz = SetLength(rawLen, n + 1) + 1; /* int tag */ if ( (nSz + rawLen) < MAX_RSA_INT_SZ) { if (leadingBit) n[nSz] = 0; +#ifdef HAVE_USER_RSA + err = wc_Rsa_to_unsigned_bin(key->n, n + nSz, rawLen); +#else err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit); +#endif if (err == MP_OKAY) nSz += rawLen; else { @@ -5124,15 +5137,24 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, } #endif +#ifdef HAVE_USER_RSA + leadingBit = wc_Rsa_leading_bit(key->e); + rawLen = wc_Rsa_unsigned_bin_size(key->e) + leadingBit; +#else leadingBit = mp_leading_bit(&key->e); rawLen = mp_unsigned_bin_size(&key->e) + leadingBit; +#endif e[0] = ASN_INTEGER; eSz = SetLength(rawLen, e + 1) + 1; /* int tag */ if ( (eSz + rawLen) < MAX_RSA_E_SZ) { if (leadingBit) e[eSz] = 0; +#ifdef HAVE_USER_RSA + err = wc_Rsa_to_unsigned_bin(key->e, e + eSz, rawLen); +#else err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit); +#endif if (err == MP_OKAY) eSz += rawLen; else { @@ -5231,7 +5253,7 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, defined(WOLFSSL_KEY_GEN)) */ -#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) +#if defined(WOLFSSL_KEY_GEN) && !defined(NO_RSA) && !defined(HAVE_USER_RSA) static mp_int* GetRsaInt(RsaKey* key, int idx) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 8a6d7513a..9956da3c4 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -26,7 +26,13 @@ #include #include #include +#include +/* IPP header files for library initialization */ +#ifdef HAVE_FAST_RSA +#include +#include +#endif #ifdef _MSC_VER /* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */ @@ -34,6 +40,24 @@ #endif +/* Used to initialize state for wolfcrypt + return 0 on success + */ +int wolfcrypt_Init() +{ + /* if defined have fast RSA then initialize Intel IPP */ + #ifdef HAVE_FAST_RSA + WOLFSSL_MSG("Setting up IPP Library"); + if (ippInit() != ippStsNoErr) { + WOLFSSL_MSG("Error setting up optimized Intel library to use!"); + return -1; + } + #endif + + return 0; +} + + #if WOLFSSL_CRYPT_HW_MUTEX /* Mutex for protection of cryptograpghy hardware */ static wolfSSL_Mutex wcCryptHwMutex; diff --git a/wolfcrypt/test/include.am b/wolfcrypt/test/include.am index fcb07979f..18805a3e2 100644 --- a/wolfcrypt/test/include.am +++ b/wolfcrypt/test/include.am @@ -7,7 +7,7 @@ check_PROGRAMS+= wolfcrypt/test/testwolfcrypt endif noinst_PROGRAMS+= wolfcrypt/test/testwolfcrypt wolfcrypt_test_testwolfcrypt_SOURCES = wolfcrypt/test/test.c -wolfcrypt_test_testwolfcrypt_LDADD = src/libwolfssl.la +wolfcrypt_test_testwolfcrypt_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) wolfcrypt_test_testwolfcrypt_DEPENDENCIES = src/libwolfssl.la noinst_HEADERS += wolfcrypt/test/test.h EXTRA_DIST += wolfcrypt/test/test.sln diff --git a/wolfcrypt/user-crypto/Makefile.am b/wolfcrypt/user-crypto/Makefile.am new file mode 100644 index 000000000..d9c3ae391 --- /dev/null +++ b/wolfcrypt/user-crypto/Makefile.am @@ -0,0 +1,9 @@ +AM_CFLAGS=-I m4 + +#add in wolfssl directory +AM_CPPFLAGS+=-I$(abs_srcdir)/../../ -I$(srcdir)/include/ +lib_LTLIBRARIES = lib/libusercrypto.la +lib_libusercrypto_la_CPPFLAGS = $(AM_CPPFLAGS) +lib_libusercrypto_la_LDFLAGS = $(AM_LDFLAGS) +lib_libusercrypto_la_SOURCES = src/rsa.c +include_HEADERS = include/user_rsa.h diff --git a/wolfcrypt/user-crypto/README.txt b/wolfcrypt/user-crypto/README.txt new file mode 100644 index 000000000..50bc8b709 --- /dev/null +++ b/wolfcrypt/user-crypto/README.txt @@ -0,0 +1,77 @@ +/* + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* + Created to use intel's IPP see their license for linking to intel's IPP library + */ + + +##BUILDING ON 64BIT MAC OSX +Tested and developed on MAC OSX linking to IPP v9.0 + +for me exporting the IPP library was needed. As an example it was +export DYLD_LIBRARY_PATH="/opt/intel/ipp/lib" + +first go to the root wolfssl dir and run ./autogen.sh && ./configure it with desired settings then make. This is to set up the define options and wolfssl library for the user crypto to link to. + +Then go to the wolfssl/user-crypto directory and run ./autogen.sh && ./configure then make make install this creates a usercrypto library to use + +Finally go back to the root wolfssl directory and follow these build instructions + +building wolfSSL add CPPFLAGS=-I/opt/intel/ipp/include for finding the IPP include files +An example build would be +./configure --with-user-crypto CPPFLAGS=-I/opt/intel/ipp/include --enable-lighty + + +##BUILDING IN 32BIT UBUNTU +Tested on UBUNTU 32 bit linking to IPP v9.0 + +for me exporting the IPP library. As an example it was +export LD_LIBRARY_PATH="/opt/intel/ipp/lib/ia32_lin/:$LD_LIBRARY_PATH" + +first go to the root wolfssl dir and configure it with desired settings and make install. This is to set up the define options and wolfssl library for the user crypto to link to. + +For me on Ubuntu the IPP libraries had been installed into /opt/intel/ipp/lib/ia32_lin/ so the ./configure LDFLAGS=-L/opt/intel/ipp/lib/ia32_lin was needed to be looking at that directory. +Run make && make install from the directory wolfssl_root/wolfssl/user-crypto/ this creates a usercrypto library to use + +Finally go back to the root wolfssl directory and follow these build instructions + +building wolfSSL add CPPFLAGS=-I/opt/intel/ipp/include for finding the IPP include files + +./configure --with-user-crypto=root_wolfssl/wolfssl/user-crypto CPPFLAGS=-I/opt/intel/ipp/include (plus any desired additional flags) + + +##THINGS TO CHECK FOR IF NOT ABLE TO LINK WITH USERCRYPTO LIB +Check that the path has been exported for the IPP library. If usercrypto is unable to use the function to init an RSA key then the link to it will fail in configure. Check for this by $DYLD_LIBRARY_PATH on mac or $LD_LIBRARY_PATH on ubuntu. If the directory for the Intel IPP libraries are not displayed than use "export DYLD_LIBRARY_PATH=path_to_ipp_libraries:$DYLD_LIBRARY_PATH". + + +##CREATING OWN RSA CRYPTO PLUGIN + +It is required to have a header file named user_rsa.h. This is what is looked for by wolfssl/wolfcrypt/rsa.h and should contain the user defined rsa key struct. + +It is required to have a library called usercrypto. This is linked to when configuring wolfSSL with the option --with-user-crypto + +It is required when compiled with RSA cert generation to have key struct elements named n and e containing the corresponding big numbers. And the three helper functions to work with the big numbers. These functions are called by wolfcrypt/src/asn.c when working with certificates. +To view the needed functions look at wolfssl/wolfcrypt/rsa.h they will be extern functions surronded by HAVE_USER_RSA define. +Cert Generation for other sign and verify such as ECC are not yet supported. + +When building with openssl compatibility layer extra developent needs to be done, having the two functions SetRsaExernal and SetRsaInternal + +wolfSSL does not take responsibility for the strength of security of third party cryptography libraries plugged in by the user. diff --git a/wolfcrypt/user-crypto/autogen.sh b/wolfcrypt/user-crypto/autogen.sh new file mode 100755 index 000000000..89e475c0b --- /dev/null +++ b/wolfcrypt/user-crypto/autogen.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# +# Create configure and makefile stuff... +# + +# Git hooks should come before autoreconf. +if test -d .git; then + if ! test -d .git/hooks; then + mkdir .git/hooks + fi + ln -s -f ../../pre-commit.sh .git/hooks/pre-commit + ln -s -f ../../pre-push.sh .git/hooks/pre-push +fi + +# If this is a source checkout then call autoreconf with error as well +if test -d .git; then + WARNINGS="all,error" +else + WARNINGS="all" +fi + +autoreconf --install --force --verbose + diff --git a/wolfcrypt/user-crypto/configure.ac b/wolfcrypt/user-crypto/configure.ac new file mode 100644 index 000000000..561b9ccd9 --- /dev/null +++ b/wolfcrypt/user-crypto/configure.ac @@ -0,0 +1,44 @@ +# -*- Autoconf -*- +# Process this file with autoconf to produce a configure script. + +AC_PREREQ([2.63]) +AC_INIT([usercypto], [0.1], []) +AC_CONFIG_SRCDIR([src/rsa.c]) + +AM_INIT_AUTOMAKE([1.11 -Wall -Werror -Wno-portability foreign tar-ustar subdir-objects no-define color-tests]) + +LT_PREREQ([2.2]) +LT_INIT([disable-static]) +LT_LANG([C++]) +LT_LANG([C]) + +# Checks for programs. +AC_PROG_CC +AC_CONFIG_MACRO_DIR([m4]) + +# Checks for libraries. +AM_LDFLAGS=$LDFLAGS +LDFLAGS="$LDFLAGS -L/opt/intel/ipp/lib -lippcp -lippcore" + +# Path to find wolfssl/options and other includes +AM_CPPFLAGS=$CPPFLAGS +CPPFLAGS="$CPPFLAGS -I../../ -I/opt/intel/ipp/include" +AC_CHECK_LIB([ippcore], [ippGetStatusString], [], [AC_MSG_ERROR([ippcore library needed ./configure LDFLAGS=/path/to/ipp/lib])]) +AC_CHECK_LIB([ippcp], [ippsRSA_InitPublicKey], [], [AC_MSG_ERROR([ippcp library needed ./configure LDFLAGS=/path/to/ipp/lib])]) + +# check headers +AC_CHECK_HEADER([ippcp.h], [], [AC_MSG_ERROR([ippcp.h not found ./configure CPPFLAGS=-I/ipp/headers])]) +AC_CHECK_HEADER([ipp.h], [], [AC_MSG_ERROR([ipp.h not found ./configure CPPFLAGS=-I/ipp/headers])]) + +LDFLAGS=$AM_LDFLAGS +CPPFLAGS=$AM_CPPFLAGS + +AM_LDFLAGS="-L/opt/intel/ipp/lib -lippcp -lippcore" +AM_CPPFLAGS="-I/opt/intel/ipp/include" + +AC_SUBST([AM_CPPFLAGS]) +AC_SUBST([AM_LDFLAGS]) +AC_C_INLINE + +AC_CONFIG_FILES([Makefile]) +AC_OUTPUT diff --git a/wolfcrypt/user-crypto/include/user_rsa.h b/wolfcrypt/user-crypto/include/user_rsa.h new file mode 100644 index 000000000..ab5436203 --- /dev/null +++ b/wolfcrypt/user-crypto/include/user_rsa.h @@ -0,0 +1,129 @@ +/* user_rsa.h + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* + Created to use intel's IPP see their license for linking to intel's IPP library + */ + +#ifndef USER_WOLF_CRYPT_RSA_H +#define USER_WOLF_CRYPT_RSA_H + +#include + +#ifndef NO_RSA + +#include +#include + +/* intels crypto */ +#include +#include + +#ifdef __cplusplus + extern "C" { +#endif + +/* needed for WOLFSSL_RSA type but use macro guard against redefine */ +#if defined(OPENSSL_EXTRA) && !defined(WOLFSSL_TYPES_DEFINED) \ + && !defined(WOLFSSL_RSA_TYPE_DEFINED) + struct WOLFSSL_RSA; + typedef struct WOLFSSL_RSA WOLFSSL_RSA; + #define WOLFSSL_RSA_TYPE_DEFINED +#endif + +enum { + RSA_PUBLIC = 0, + RSA_PRIVATE = 1, +}; + + +/* RSA */ +typedef struct RsaKey { + IppsBigNumState* n; + IppsBigNumState* e; + IppsBigNumState* dipp; + IppsBigNumState* pipp; + IppsBigNumState* qipp; + IppsBigNumState* dPipp; + IppsBigNumState* dQipp; + IppsBigNumState* uipp; + int nSz, eSz, dSz; + IppsRSAPublicKeyState* pPub; + IppsRSAPrivateKeyState* pPrv; + word32 prvSz; /* size of private key */ + word32 sz; /* size of signature */ + int type; /* public or private */ + void* heap; /* for user memory overrides */ +} RsaKey; + +WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void*); +WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); + +WOLFSSL_API int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key, WC_RNG* rng); +WOLFSSL_API int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, + RsaKey* key); +WOLFSSL_API int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key); +WOLFSSL_API int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key, WC_RNG* rng); +WOLFSSL_API int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, + RsaKey* key); +WOLFSSL_API int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, + word32 outLen, RsaKey* key); +WOLFSSL_API int wc_RsaEncryptSize(RsaKey* key); + +WOLFSSL_API int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, + RsaKey*, word32); +WOLFSSL_API int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, + RsaKey*, word32); +WOLFSSL_API int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, + const byte* e, word32 eSz, RsaKey* key); +#ifdef WOLFSSL_KEY_GEN + WOLFSSL_API int wc_RsaKeyToDer(RsaKey*, byte* output, word32 inLen); + WOLFSSL_API int wc_RsaKeyToPublicDer(RsaKey*, byte* output, word32 inLen); + WOLFSSL_API int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng); +#endif +WOLFSSL_API int wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*, + word32*); + + +#ifdef WOLFSSL_CERT_GEN + /* abstracted BN operations with RSA key */ + WOLFSSL_API int wc_Rsa_leading_bit(void* BN); + WOLFSSL_API int wc_Rsa_unsigned_bin_size(void* BN); + + /* return MP_OKAY on success */ + WOLFSSL_API int wc_Rsa_to_unsigned_bin(void* BN, byte* in, int inLen); +#endif + +#ifdef OPENSSL_EXTRA /* abstracted functions to deal with rsa key */ + WOLFSSL_API int SetRsaExternal(WOLFSSL_RSA* rsa); + WOLFSSL_API int SetRsaInternal(WOLFSSL_RSA* rsa); +#endif +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* NO_RSA */ +#endif /* USER_WOLF_CRYPT_RSA_H */ + + diff --git a/wolfcrypt/user-crypto/lib/.gitkeep b/wolfcrypt/user-crypto/lib/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c new file mode 100644 index 000000000..faa672cbb --- /dev/null +++ b/wolfcrypt/user-crypto/src/rsa.c @@ -0,0 +1,2352 @@ +/* rsa.c + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +/* + Created to use intel's IPP see their license for linking to intel's IPP library + */ + +#ifdef HAVE_CONFIG_H /* configure options when using autoconf */ + #include +#endif + +#include +#include + +#ifndef NO_RSA + +#define USER_CRYPTO_ERROR -101 + +#ifdef OPENSSL_EXTRA + #include /* include for openssl compatibility */ + #include +#endif +#include "user_rsa.h" + +#ifdef DEBUG_WOLFSSL /* debug done without variadric to allow older compilers */ + #include + #define USER_DEBUG(x) printf x +#else + #define USER_DEBUG(x) +#endif + +#define ASN_INTEGER 0x02 +#define ASN_BIT_STRING 0x03 +#define ASN_TAG_NULL 0x05 +#define ASN_OBJECT_ID 0x06 + + +/* Make sure compiler doesn't skip -- used from wolfSSL */ +static inline void ForceZero(const void* mem, word32 len) +{ + volatile byte* z = (volatile byte*)mem; + + while (len--) *z++ = 0; +} + +enum { + RSA_PUBLIC_ENCRYPT = 0, + RSA_PUBLIC_DECRYPT = 1, + RSA_PRIVATE_ENCRYPT = 2, + RSA_PRIVATE_DECRYPT = 3, + + RSA_BLOCK_TYPE_1 = 1, + RSA_BLOCK_TYPE_2 = 2, + + RSA_MIN_SIZE = 512, + RSA_MAX_SIZE = 4096, /* max allowed in IPP library */ + + RSA_MIN_PAD_SZ = 11 /* seperator + 0 + pad value + 8 pads */ +}; + + +int wc_InitRsaKey(RsaKey* key, void* heap) +{ + + USER_DEBUG(("Entering wc_InitRsaKey\n")); + + if (key == NULL) + return USER_CRYPTO_ERROR; + + /* set full struct as 0 */ + ForceZero(key, sizeof(RsaKey)); + + USER_DEBUG(("\tExit wc_InitRsaKey\n")); + + (void)heap; + return 0; +} + + +#ifdef WOLFSSL_CERT_GEN /* three functions needed for cert gen */ +/* return 1 if there is a leading bit*/ +int wc_Rsa_leading_bit(void* bn) +{ + int ret = 0; + if (ippsExtGet_BN(NULL, &ret, NULL, bn) != ippStsNoErr) { + USER_DEBUG(("Rsa leading bit error\n")); + return USER_CRYPTO_ERROR; + } + return (ret % 8)? 1 : 0; /* if mod 8 bit then an extra byte is needed */ +} + + +/* get the size in bytes of BN + cuts off if extra byte is needed so recommended to check wc_Rsa_leading_bit + and adding it to this return value before mallocing memory needed */ +int wc_Rsa_unsigned_bin_size(void* bn) +{ + int ret = 0; + if (ippsExtGet_BN(NULL, &ret, NULL, bn) != ippStsNoErr) { + USER_DEBUG(("Rsa unsigned bin size error\n")); + return USER_CRYPTO_ERROR; + } + return ret / 8; /* size in bytes */ +} + +#ifndef MP_OKAY +#define MP_OKAY 0 +#endif + +/* extract the bn value to a unsigned byte array and return MP_OKAY on succes */ +int wc_Rsa_to_unsigned_bin(void* bn, byte* in, int inLen) +{ + if (ippsGetOctString_BN((Ipp8u*)in, inLen, bn) != ippStsNoErr) { + USER_DEBUG(("Rsa unsigned bin error\n")); + return USER_CRYPTO_ERROR; + } + return MP_OKAY; +} +#endif /* WOLFSSL_CERT_GEN */ + + +#ifdef OPENSSL_EXTRA /* functions needed for openssl compatibility layer */ +static int SetIndividualExternal(WOLFSSL_BIGNUM** bn, IppsBigNumState* in) +{ + IppStatus ret; + byte* data; + int sz; + + USER_DEBUG(("Entering SetIndividualExternal\n")); + + if (bn == NULL || in == NULL) { + USER_DEBUG(("inputs NULL error\n")); + return USER_CRYPTO_ERROR; + } + + if (*bn == NULL) { + *bn = wolfSSL_BN_new(); + if (*bn == NULL) { + USER_DEBUG(("SetIndividualExternal alloc failed\n")); + return USER_CRYPTO_ERROR; + } + } + + /* get size of array needed and extract oct array of data */ + ret = ippsGetSize_BN(in, &sz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + data = XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (data == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsGetOctString_BN(data, sz, in); + if (ret != ippStsNoErr) { + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + return USER_CRYPTO_ERROR; + } + + /* store the data into a wolfSSL Big Number */ + *bn = wolfSSL_BN_bin2bn(data, sz, *bn); + + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return 0; +} + + +static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi) +{ + int length, ctxSz, sz; + IppStatus ret; + Ipp8u* data; + + USER_DEBUG(("Entering SetIndividualInternal\n")); + + if (bn == NULL || bn->internal == NULL) { + USER_DEBUG(("bn NULL error\n")); + return USER_CRYPTO_ERROR; + } + + length = wolfSSL_BN_num_bytes(bn); + + /* if not IPP BN then create one */ + if (*mpi == NULL) { + ret = ippsBigNumGetSize(length, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (*mpi == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(length, *mpi); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + } + + /* get the size of array needed and check IPP BigNum */ + if (ippsGetSize_BN(*mpi, &sz) != ippStsNoErr) + return USER_CRYPTO_ERROR; + + if (sz < length) { + USER_DEBUG(("big num size is too small\n")); + return USER_CRYPTO_ERROR; + } + + data = XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (data == NULL) + return USER_CRYPTO_ERROR; + + /* extract the wolfSSL BigNum and store it into IPP BigNum */ + if (wolfSSL_BN_bn2bin(bn, data) < 0) { + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + USER_DEBUG(("error in getting bin from wolfssl bn\n")); + return USER_CRYPTO_ERROR; + } + + ret = ippsSetOctString_BN(data, length, *mpi); + if (ret != ippStsNoErr) { + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + return USER_CRYPTO_ERROR; + } + + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return 0; +} + + +/* WolfSSL -> OpenSSL */ +int SetRsaExternal(WOLFSSL_RSA* rsa) +{ + RsaKey* key; + USER_DEBUG(("Entering SetRsaExternal\n")); + + if (rsa == NULL || rsa->internal == NULL) { + USER_DEBUG(("rsa key NULL error\n")); + return USER_CRYPTO_ERROR; + } + + key = (RsaKey*)rsa->internal; + + if (SetIndividualExternal(&rsa->n, key->n) != 0) { + USER_DEBUG(("rsa n key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->e, key->e) != 0) { + USER_DEBUG(("rsa e key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->d, key->dipp) != 0) { + USER_DEBUG(("rsa d key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->p, key->pipp) != 0) { + USER_DEBUG(("rsa p key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->q, key->qipp) != 0) { + USER_DEBUG(("rsa q key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->dmp1, key->dPipp) != 0) { + USER_DEBUG(("rsa dP key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->dmq1, key->dQipp) != 0) { + USER_DEBUG(("rsa dQ key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualExternal(&rsa->iqmp, key->uipp) != 0) { + USER_DEBUG(("rsa u key error\n")); + return USER_CRYPTO_ERROR; + } + + rsa->exSet = 1; + + /* SSL_SUCCESS */ + return 1; +} + + +/* Openssl -> WolfSSL */ +int SetRsaInternal(WOLFSSL_RSA* rsa) +{ + int ctxSz, pSz, qSz; + IppStatus ret; + RsaKey* key; + USER_DEBUG(("Entering SetRsaInternal\n")); + + if (rsa == NULL || rsa->internal == NULL) { + USER_DEBUG(("rsa key NULL error\n")); + return USER_CRYPTO_ERROR; + } + + key = (RsaKey*)rsa->internal; + + if (SetIndividualInternal(rsa->n, &key->n) != 0) { + USER_DEBUG(("rsa n key error\n")); + return USER_CRYPTO_ERROR; + } + + if (SetIndividualInternal(rsa->e, &key->e) != 0) { + USER_DEBUG(("rsa e key error\n")); + return USER_CRYPTO_ERROR; + } + + /* public key */ + key->type = RSA_PUBLIC; + + if (rsa->d != NULL) { + if (SetIndividualInternal(rsa->d, &key->dipp) != 0) { + USER_DEBUG(("rsa d key error\n")); + return USER_CRYPTO_ERROR; + } + + /* private key */ + key->type = RSA_PRIVATE; + } + + if (rsa->p != NULL && + SetIndividualInternal(rsa->p, &key->pipp) != 0) { + USER_DEBUG(("rsa p key error\n")); + return USER_CRYPTO_ERROR; + } + + if (rsa->q != NULL && + SetIndividualInternal(rsa->q, &key->qipp) != 0) { + USER_DEBUG(("rsa q key error\n")); + return USER_CRYPTO_ERROR; + } + + if (rsa->dmp1 != NULL && + SetIndividualInternal(rsa->dmp1, &key->dPipp) != 0) { + USER_DEBUG(("rsa dP key error\n")); + return USER_CRYPTO_ERROR; + } + + if (rsa->dmq1 != NULL && + SetIndividualInternal(rsa->dmq1, &key->dQipp) != 0) { + USER_DEBUG(("rsa dQ key error\n")); + return USER_CRYPTO_ERROR; + } + + if (rsa->iqmp != NULL && + SetIndividualInternal(rsa->iqmp, &key->uipp) != 0) { + USER_DEBUG(("rsa u key error\n")); + return USER_CRYPTO_ERROR; + } + + rsa->inSet = 1; + + /* get sizes of IPP BN key states created from input */ + ret = ippsGetSize_BN(key->n, &key->nSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsGetSize_BN(key->e, &key->eSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->sz = key->nSz; /* set modulus size */ + + /* convert to size in bits */ + key->nSz = key->nSz * 8; + key->eSz = key->eSz * 8; + + /* set up public key state */ + ret = ippsRSA_GetSizePublicKey(key->nSz, key->eSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPub == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPublicKey(key->nSz, key->eSz, key->pPub, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPublicKey(key->n, key->e, key->pPub); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPublicKey error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + if (key->pipp != NULL && key->qipp != NULL && key->dipp != NULL && + key->dPipp != NULL && key->dQipp != NULL && key->uipp != NULL) { + /* get bn sizes needed for private key set up */ + ret = ippsGetSize_BN(key->pipp, &pSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsGetSize_BN(key->qipp, &qSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* store sizes needed for creating tmp private keys */ + ret = ippsGetSize_BN(key->dipp, &key->dSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* convert to size in bits */ + key->dSz = key->dSz * 8; + pSz = pSz * 8; + qSz = qSz * 8; + + /* set up private key state */ + ret = ippsRSA_GetSizePrivateKeyType2(pSz, qSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->prvSz = ctxSz; + key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPrv == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPrivateKeyType2(pSz, qSz, key->pPrv, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPrivateKeyType2(key->pipp, key->qipp, key->dPipp, + key->dQipp, key->uipp, key->pPrv); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPrivateKey error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + } + + /* SSL_SUCCESS */ + return 1; +} +#endif /* OPENSSLEXTRA */ + + +/* Padding scheme function used in wolfSSL for signing needed for matching + existing API signing scheme + input : the msg to be signed + inputLen : length of input msg + pkcsBlock : the outputed padded msg + pkcsBlockLen : length of outptued padded msg buffer + padValue : the padded value after first 00 , is either 01 or 02 + rng : random number generator structure + */ +static int wc_RsaPad(const byte* input, word32 inputLen, byte* pkcsBlock, + word32 pkcsBlockLen, byte padValue, WC_RNG* rng) +{ + if (inputLen == 0) + return 0; + + pkcsBlock[0] = 0x0; /* set first byte to zero and advance */ + pkcsBlock++; pkcsBlockLen--; + pkcsBlock[0] = padValue; /* insert padValue */ + + if (padValue == RSA_BLOCK_TYPE_1) + /* pad with 0xff bytes */ + XMEMSET(&pkcsBlock[1], 0xFF, pkcsBlockLen - inputLen - 2); + else { + /* pad with non-zero random bytes */ + word32 padLen = pkcsBlockLen - inputLen - 1, i; + int ret = wc_RNG_GenerateBlock(rng, &pkcsBlock[1], padLen); + + if (ret != 0) + return ret; + + /* remove zeros */ + for (i = 1; i < padLen; i++) + if (pkcsBlock[i] == 0) pkcsBlock[i] = 0x01; + } + + pkcsBlock[pkcsBlockLen-inputLen-1] = 0; /* separator */ + XMEMCPY(pkcsBlock+pkcsBlockLen-inputLen, input, inputLen); + + return 0; +} + + +/* UnPad plaintext, set start to *output, return length of plaintext, + * < 0 on error */ +static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, + byte **output, byte padValue) +{ + word32 maxOutputLen = (pkcsBlockLen > 10) ? (pkcsBlockLen - 10) : 0, + invalid = 0, + i = 1, + outputLen; + + if (pkcsBlock[0] != 0x0) /* skip past zero */ + invalid = 1; + pkcsBlock++; pkcsBlockLen--; + + /* Require block type padValue */ + invalid = (pkcsBlock[0] != padValue) || invalid; + + /* verify the padding until we find the separator */ + if (padValue == RSA_BLOCK_TYPE_1) { + while (i maxOutputLen) || invalid; + + if (invalid) { + USER_DEBUG(("RsaUnPad error, bad formatting\n")); + return USER_CRYPTO_ERROR; + } + + *output = (byte *)(pkcsBlock + i); + return outputLen; +} + + +int wc_FreeRsaKey(RsaKey* key) +{ + if (key == NULL) + return 0; + + USER_DEBUG(("Entering wc_FreeRsaKey\n")); + + if (key->pPub != NULL) { + XFREE(key->pPub, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPub = NULL; + } + + if (key->pPrv != NULL) { + /* write over senstive information */ + ForceZero(key->pPrv, key->prvSz); + XFREE(key->pPrv, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPrv = NULL; + } + + if (key->n != NULL) { + XFREE(key->n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->n = NULL; + } + + if (key->e != NULL) { + XFREE(key->e, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->e = NULL; + } + + if (key->dipp != NULL) { + XFREE(key->dipp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->dipp = NULL; + } + + if (key->pipp != NULL) { + XFREE(key->pipp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pipp = NULL; + } + + if (key->qipp != NULL) { + XFREE(key->qipp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->qipp = NULL; + } + + if (key->dPipp != NULL) { + XFREE(key->dPipp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->dPipp = NULL; + } + + if (key->dQipp != NULL) { + XFREE(key->dQipp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->dQipp = NULL; + } + + if (key->uipp != NULL) { + XFREE(key->uipp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->uipp = NULL; + } + + USER_DEBUG(("\tExit wc_FreeRsaKey\n")); + (void)key; + + return 0; +} + + +/* Some parsing functions from wolfSSL code needed to match wolfSSL API used */ +static int GetLength(const byte* input, word32* inOutIdx, int* len, + word32 maxIdx) +{ + int length = 0; + word32 i = *inOutIdx; + byte b; + + *len = 0; /* default length */ + + if ( (i+1) > maxIdx) { /* for first read */ + USER_DEBUG(("GetLength bad index on input\n")); + return USER_CRYPTO_ERROR; + } + + b = input[i++]; + if (b >= 0x80) { + word32 bytes = b & 0x7F; + + if ( (i+bytes) > maxIdx) { /* for reading bytes */ + USER_DEBUG(("GetLength bad long length\n")); + return USER_CRYPTO_ERROR; + } + + while (bytes--) { + b = input[i++]; + length = (length << 8) | b; + } + } + else + length = b; + + if ( (i+length) > maxIdx) { /* for user of length */ + USER_DEBUG(("GetLength value exceeds buffer length\n")); + return USER_CRYPTO_ERROR; + } + + *inOutIdx = i; + if (length > 0) + *len = length; + + return length; +} + + +static int GetInt(IppsBigNumState** mpi, const byte* input, word32* inOutIdx, + word32 maxIdx) +{ + IppStatus ret; + word32 i = *inOutIdx; + byte b = input[i++]; + int length; + int ctxSz; + + if (b != 0x02) + return USER_CRYPTO_ERROR; + + if (GetLength(input, &i, &length, maxIdx) < 0) + return USER_CRYPTO_ERROR; + + if ( (b = input[i++]) == 0x00) + length--; + else + i--; + + ret = ippsBigNumGetSize(length, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (*mpi == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(length, *mpi); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + ret = ippsSetOctString_BN((Ipp8u*)input + i, length, *mpi); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + *inOutIdx = i + length; + return 0; +} + + +static int GetSequence(const byte* input, word32* inOutIdx, int* len, + word32 maxIdx) +{ + int length = -1; + word32 idx = *inOutIdx; + + if (input[idx++] != (0x10 | 0x20) || + GetLength(input, &idx, &length, maxIdx) < 0) + return USER_CRYPTO_ERROR; + + *len = length; + *inOutIdx = idx; + + return length; +} + + +static int GetMyVersion(const byte* input, word32* inOutIdx, + int* version) +{ + word32 idx = *inOutIdx; + + if (input[idx++] != 0x02) + return USER_CRYPTO_ERROR; + + if (input[idx++] != 0x01) + return USER_CRYPTO_ERROR; + + *version = input[idx++]; + *inOutIdx = idx; + + return *version; +} + + +int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, + word32 inSz) +{ + int version, length; + int ctxSz, pSz, qSz; + IppStatus ret; + + USER_DEBUG(("Entering wc_RsaPrivateKeyDecode\n")); + + /* read in key information */ + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return USER_CRYPTO_ERROR; + + if (GetMyVersion(input, inOutIdx, &version) < 0) + return USER_CRYPTO_ERROR; + + key->type = RSA_PRIVATE; + + if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || + GetInt(&key->e, input, inOutIdx, inSz) < 0 || + GetInt(&key->dipp, input, inOutIdx, inSz) < 0 || + GetInt(&key->pipp, input, inOutIdx, inSz) < 0 || + GetInt(&key->qipp, input, inOutIdx, inSz) < 0 || + GetInt(&key->dPipp, input, inOutIdx, inSz) < 0 || + GetInt(&key->dQipp, input, inOutIdx, inSz) < 0 || + GetInt(&key->uipp, input, inOutIdx, inSz) < 0 ) + return USER_CRYPTO_ERROR; + + /* get sizes of IPP BN key states created from input */ + ret = ippsGetSize_BN(key->n, &key->nSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsGetSize_BN(key->e, &key->eSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->sz = key->nSz; /* set modulus size */ + + /* convert to size in bits */ + key->nSz = key->nSz * 8; + key->eSz = key->eSz * 8; + + /* set up public key state */ + ret = ippsRSA_GetSizePublicKey(key->nSz, key->eSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPub == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPublicKey(key->nSz, key->eSz, key->pPub, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPublicKey(key->n, key->e, key->pPub); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* get bn sizes needed for private key set up */ + ret = ippsGetSize_BN(key->pipp, &pSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsGetSize_BN(key->qipp, &qSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* store sizes needed for creating tmp private keys */ + ret = ippsGetSize_BN(key->dipp, &key->dSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* convert to size in bits */ + key->dSz = key->dSz * 8; + pSz = pSz * 8; + qSz = qSz * 8; + + /* set up private key state */ + ret = ippsRSA_GetSizePrivateKeyType2(pSz, qSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->prvSz = ctxSz; + key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPrv == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPrivateKeyType2(pSz, qSz, key->pPrv, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPrivateKeyType2(key->pipp, key->qipp, key->dPipp, + key->dQipp, key->uipp, key->pPrv); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + USER_DEBUG(("\tExit wc_RsaPrivateKeyDecode\n")); + + return 0; +} + + +/* read in a public RSA key */ +int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, + word32 inSz) +{ + int length; + int ctxSz; + IppStatus ret; + + USER_DEBUG(("Entering wc_RsaPublicKeyDecode\n")); + + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return USER_CRYPTO_ERROR; + + key->type = RSA_PUBLIC; + +#if defined(OPENSSL_EXTRA) || defined(RSA_DECODE_EXTRA) + { + byte b = input[*inOutIdx]; + if (b != ASN_INTEGER) { + /* not from decoded cert, will have algo id, skip past */ + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return USER_CRYPTO_ERROR; + + b = input[(*inOutIdx)++]; + if (b != ASN_OBJECT_ID) + return USER_CRYPTO_ERROR; + + if (GetLength(input, inOutIdx, &length, inSz) < 0) + return USER_CRYPTO_ERROR; + + *inOutIdx += length; /* skip past */ + + /* could have NULL tag and 0 terminator, but may not */ + b = input[(*inOutIdx)++]; + + if (b == ASN_TAG_NULL) { + b = input[(*inOutIdx)++]; + if (b != 0) + return USER_CRYPTO_ERROR; + } + else + /* go back, didn't have it */ + (*inOutIdx)--; + + /* should have bit tag length and seq next */ + b = input[(*inOutIdx)++]; + if (b != ASN_BIT_STRING) + return USER_CRYPTO_ERROR; + + if (GetLength(input, inOutIdx, &length, inSz) < 0) + return USER_CRYPTO_ERROR; + + /* could have 0 */ + b = input[(*inOutIdx)++]; + if (b != 0) + (*inOutIdx)--; + + if (GetSequence(input, inOutIdx, &length, inSz) < 0) + return USER_CRYPTO_ERROR; + } /* end if */ + } /* openssl var block */ +#endif /* OPENSSL_EXTRA */ + + if (GetInt(&key->n, input, inOutIdx, inSz) < 0 || + GetInt(&key->e, input, inOutIdx, inSz) < 0 ) return USER_CRYPTO_ERROR; + + /* get sizes set for IPP BN states */ + ret = ippsGetSize_BN(key->n, &key->nSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsGetSize_BN(key->e, &key->eSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->sz = key->nSz; /* set modulus size */ + + /* convert to size in bits */ + key->nSz = key->nSz * 8; + key->eSz = key->eSz * 8; + + /* set up public key state */ + ret = ippsRSA_GetSizePublicKey(key->nSz, key->eSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPub == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPublicKey(key->nSz, key->eSz, key->pPub, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPublicKey(key->n, key->e, key->pPub); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + USER_DEBUG(("\tExit RsaPublicKeyDecode\n")); + + return 0; +} + + +/* import RSA public key elements (n, e) into RsaKey structure (key) */ +int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, + word32 eSz, RsaKey* key) +{ + IppStatus ret; + int ctxSz; + + USER_DEBUG(("Entering wc_RsaPublicKeyDecodeRaw\n")); + + if (n == NULL || e == NULL || key == NULL) + return USER_CRYPTO_ERROR; + + /* set up IPP key states -- read in n */ + ret = ippsBigNumGetSize(nSz, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + key->n = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->n == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(nSz, key->n); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + ret = ippsSetOctString_BN((Ipp8u*)n, nSz, key->n); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* read in e */ + ret = ippsBigNumGetSize(eSz, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + key->e = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->e == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(eSz, key->e); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + ret = ippsSetOctString_BN((Ipp8u*)e, eSz, key->e); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* store size and convert to binary */ + key->sz = nSz; + nSz = nSz * 8; + eSz = eSz * 8; + + /* set up public key state */ + ret = ippsRSA_GetSizePublicKey(nSz, eSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPub == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPublicKey(nSz, eSz, key->pPub, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPublicKey(key->n,key->e, key->pPub); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->nSz = nSz; + key->eSz = eSz; + key->type = RSA_PUBLIC; + + return USER_CRYPTO_ERROR; +} + + +/* encrypt using PKCS v15 */ +int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen, + RsaKey* key, WC_RNG* rng) +{ + IppStatus ret; + Ipp8u* scratchBuffer; + int scratchSz; + + if (key == NULL || in == NULL || out == NULL) + return USER_CRYPTO_ERROR; + + if (key->pPub == NULL || outLen < key->sz) + return USER_CRYPTO_ERROR; + + /* set size of scratch buffer */ + ret = ippsRSA_GetBufferSizePublicKey(&scratchSz, key->pPub); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); + if (scratchBuffer == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSAEncrypt_PKCSv15((Ipp8u*)in, inLen, NULL, (Ipp8u*)out, + key->pPub, scratchBuffer); + if (ret != ippStsNoErr) { + XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); + USER_DEBUG(("encrypt error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + (void)rng; + return key->sz; +} + + +/* decrypt using PLCS v15 */ +int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen, + RsaKey* key) +{ + IppStatus ret; + Ipp8u* scratchBuffer; + int scratchSz; + int outSz; + + if (in == NULL || out == NULL || key == NULL) + return USER_CRYPTO_ERROR; + + if (key->pPrv == NULL || inLen != key->sz) + return USER_CRYPTO_ERROR; + + outSz = outLen; + + /* set size of scratch buffer */ + ret = ippsRSA_GetBufferSizePrivateKey(&scratchSz, key->pPrv); + if (ret != ippStsNoErr) { + return USER_CRYPTO_ERROR; + } + + scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); + if (scratchBuffer == NULL) { + return USER_CRYPTO_ERROR; + } + + /* perform decryption using IPP */ + ret = ippsRSADecrypt_PKCSv15((Ipp8u*)in, (Ipp8u*)out, &outSz, key->pPrv, + scratchBuffer); + if (ret != ippStsNoErr) { + XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); + USER_DEBUG(("decrypt error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return outSz; +} + + +/* out is a pointer that is set to the location in byte array "in" where input + data has been decrypted */ +int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key) +{ + int outSz; + byte* tmp; + + USER_DEBUG(("Entering wc_RsaPrivateDecryptInline\n")); + + /* allocate a buffer for max decrypted text */ + tmp = XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (tmp == NULL) + return USER_CRYPTO_ERROR; + + outSz = wc_RsaPrivateDecrypt(in, inLen, tmp, key->sz, key); + if (outSz >= 0) { + XMEMCPY(in, tmp, outSz); + *out = in; + } + else { + XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + return USER_CRYPTO_ERROR; + } + + XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + USER_DEBUG(("\tExit wc_RsaPrivateDecryptInline\n")); + + return outSz; +} + + +/* Used to clean up memory when exiting, clean up memory used */ +static int FreeHelper(IppsBigNumState* pTxt, IppsBigNumState* cTxt, + Ipp8u* scratchBuffer, void* pPub) +{ + if (pTxt != NULL) + XFREE(pTxt, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (cTxt != NULL) + XFREE(cTxt, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (scratchBuffer != NULL) + XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (pPub != NULL) + XFREE(pPub, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return 0; +} + + +/* for Rsa Verify + in : byte array to be verified + inLen : length of input array + out : pointer to location of in byte array that has been verified + */ +int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) +{ + + int ctxSz; + int scratchSz; + Ipp8u* scratchBuffer = NULL; + IppStatus ret; + IppsRSAPrivateKeyState* pPub = NULL; + IppsBigNumState* pTxt = NULL; + IppsBigNumState* cTxt = NULL; + + USER_DEBUG(("Entering wc_RsaSSL_VerifyInline\n")); + + if (key == NULL || key->n == NULL || key->e == NULL) { + USER_DEBUG(("n or e element was null\n")); + return USER_CRYPTO_ERROR; + } + + if (in == NULL || out == NULL) + return USER_CRYPTO_ERROR; + + /* set up a private key state using public key values */ + ret = ippsRSA_GetSizePrivateKeyType1(key->nSz, key->eSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + pPub = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (pPub == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPrivateKeyType1(key->nSz, key->eSz, pPub, ctxSz); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + USER_DEBUG(("ippsRSA_InitPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + + ret = ippsRSA_SetPrivateKeyType1(key->n, key->e, pPub); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + USER_DEBUG(("ippsRSA_SetPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* set size of scratch buffer */ + ret = ippsRSA_GetBufferSizePrivateKey(&scratchSz, pPub); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); + if (scratchBuffer == NULL) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + /* load plain and cipher into big num states */ + ret = ippsBigNumGetSize(key->sz, &ctxSz); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + pTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (pTxt == NULL) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + ret = ippsBigNumInit(key->sz, pTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + ret = ippsSetOctString_BN((Ipp8u*)in, key->sz, pTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + /* set up cipher to hold signature */ + ret = ippsBigNumGetSize(key->sz, &ctxSz); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + cTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (cTxt == NULL) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + ret = ippsBigNumInit(key->sz, cTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + ret = ippsSetOctString_BN((Ipp8u*)in, key->sz, cTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + return USER_CRYPTO_ERROR; + } + + /* decrypt using public key information */ + ret = ippsRSA_Decrypt(cTxt, pTxt, pPub, scratchBuffer); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + USER_DEBUG(("decrypt error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* extract big num struct to octect string */ + ret = ippsGetOctString_BN((Ipp8u*)in, key->sz, pTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + USER_DEBUG(("BN get string error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + FreeHelper(pTxt, cTxt, scratchBuffer, pPub); + + /* unpad the decrypted information and return size of array */ + return RsaUnPad(in, inLen, out, RSA_BLOCK_TYPE_1); +} + + +/* sets up and call VerifyInline to verify a signature */ +int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen, + RsaKey* key) +{ + int plainLen; + byte* tmp; + byte* pad = 0; + + if (out == NULL || in == NULL || key == NULL) + return USER_CRYPTO_ERROR; + + tmp = (byte*)XMALLOC(inLen, key->heap, DYNAMIC_TYPE_USER_CRYPTO); + if (tmp == NULL) { + return USER_CRYPTO_ERROR; + } + + XMEMCPY(tmp, in, inLen); + + /* verify signature and test if output buffer is large enough */ + plainLen = wc_RsaSSL_VerifyInline(tmp, inLen, &pad, key); + if (plainLen < 0) { + XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + return plainLen; + } + + if (plainLen > (int)outLen) + plainLen = USER_CRYPTO_ERROR; + else + XMEMCPY(out, pad, plainLen); + + ForceZero(tmp, inLen); + XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return plainLen; +} + + +/* for Rsa Sign */ +int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, + RsaKey* key, WC_RNG* rng) +{ + int sz; + int scratchSz; + int ctxSz; + int prvSz; + IppStatus ret; + Ipp8u* scratchBuffer = NULL; + IppsRSAPublicKeyState* pPrv = NULL; + IppsBigNumState* pTxt = NULL; + IppsBigNumState* cTxt = NULL; + + sz = key->sz; + + /* set up public key state using private key values */ + ret = ippsRSA_GetSizePublicKey(key->nSz, key->dSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + prvSz = ctxSz; /* used later to overright sensitive memory */ + pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (pPrv == NULL) { + USER_DEBUG(("memeory error assinging pPrv\n")); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_InitPublicKey(key->nSz, key->dSz, pPrv, ctxSz); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("ippsRSA_InitPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPublicKey(key->n, key->dipp, pPrv); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("ippsRSA_SetPrivateKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* set size of scratch buffer */ + ret = ippsRSA_GetBufferSizePublicKey(&scratchSz, pPrv); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("ippsRSA_GetBufferSizePublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); + if (scratchBuffer == NULL) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("memory error assigning scratch buffer\n")); + return USER_CRYPTO_ERROR; + } + + /* Set up needed pkcs v15 padding */ + if (wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng) != 0) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + /* load plain and cipher into big num states */ + ret = ippsBigNumGetSize(sz, &ctxSz); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + pTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (pTxt == NULL) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + ret = ippsBigNumInit(sz, pTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + ret = ippsSetOctString_BN((Ipp8u*)out, sz, pTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + /* set up cipher to hold signature */ + ret = ippsBigNumGetSize(outLen, &ctxSz); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + cTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (cTxt == NULL) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + ret = ippsBigNumInit(outLen, cTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + ret = ippsSetOctString_BN((Ipp8u*)out, outLen, cTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + return USER_CRYPTO_ERROR; + } + + /* encrypt using private key */ + ret = ippsRSA_Encrypt(pTxt, cTxt, pPrv, scratchBuffer); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("sign error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* get output string from big number structure */ + ret = ippsGetOctString_BN((Ipp8u*)out, sz, cTxt); + if (ret != ippStsNoErr) { + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("BN get string error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* clean up memory used */ + ForceZero(pPrv, prvSz); /* clear senstive memory */ + FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + + return sz; +} + + +int wc_RsaEncryptSize(RsaKey* key) +{ + if (key == NULL) + return 0; + + return key->sz; +} + + +/* flatten RsaKey structure into individual elements (e, n) */ +int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, + word32* nSz) +{ + int sz, bytSz; + IppStatus ret; + + USER_DEBUG(("Entering wc_RsaFlattenPublicKey\n")); + + if (key == NULL || e == NULL || eSz == NULL || n == NULL || nSz == NULL) + return USER_CRYPTO_ERROR; + + bytSz = sizeof(byte); + ret = ippsExtGet_BN(NULL, &sz, NULL, key->e); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* sz is in bits change to bytes */ + sz = (sz / bytSz) + (sz % bytSz); + + if (*eSz < (word32)sz) + return USER_CRYPTO_ERROR; + + ret = ippsGetOctString_BN(e, sz, key->e); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + *eSz = (word32)sz; + + /* flatten n */ + ret = ippsExtGet_BN(NULL, &sz, NULL, key->n); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* sz is in bits change to bytes */ + sz = (sz / bytSz) + (sz % bytSz); + + if (*nSz < (word32)sz) + return USER_CRYPTO_ERROR; + + ret = ippsGetOctString_BN(n, sz, key->n); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + *nSz = (word32)sz; + + return 0; +} + +#ifdef WOLFSSL_KEY_GEN +/* Make an RSA key for size bits, with e specified, 65537 is a good e */ +int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) +{ + IppStatus ret; + int scratchSz; + int i; /* for trys on calling make key */ + int ctxSz; + + IppsBigNumState* pSrcPublicExp; + Ipp8u* scratchBuffer; + int trys = 8; /* Miller-Rabin test parameter */ + IppsPrimeState* pPrime; + IppBitSupplier rndFunc; + IppsPRNGState* rndParam; /* rng context */ + + int qBitSz; /* size of q factor */ + int bytSz; /* size of key in bytes */ + int leng; + + USER_DEBUG(("Entering wc_MakeRsaKey\n")); + + qBitSz = size / 2; + bytSz = size / 8; + + if (key == NULL) + return USER_CRYPTO_ERROR; + + if (e < 3 || (e&1) == 0) + return USER_CRYPTO_ERROR; + + if (size > RSA_MAX_SIZE || size < RSA_MIN_SIZE) + return USER_CRYPTO_ERROR; + + key->type = RSA_PRIVATE; + + /* set up rng */ + ret = ippsPRNGGetSize(&ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsPRNGGetSize error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + rndParam = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (rndParam == NULL) + return USER_CRYPTO_ERROR; + + /*@TODO size of seed bits used hard set at 256 */ + ret = ippsPRNGInit(256, rndParam); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsPRNGInit error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* initialize prime number */ + ret = ippsPrimeGetSize(size, &ctxSz); /* size in bits */ + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsPrimeGetSize error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + pPrime = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (pPrime == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsPrimeInit(size, pPrime); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsPrimeInit error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsPrimeGen(size, 100, pPrime, ippsPRNGen, rndParam); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsPrimeGen error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* define RSA privete key type 2 */ + /* length in bits of p and q factors */ + ret = ippsRSA_GetSizePrivateKeyType2(qBitSz, qBitSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePrivateKeyType2 error of %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + key->prvSz = ctxSz; /* used when freeing private key */ + key->pPrv = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPrv == NULL) + return USER_CRYPTO_ERROR; + + /* length in bits of p and q factors */ + ret = ippsRSA_InitPrivateKeyType2(qBitSz, qBitSz, key->pPrv, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPrivateKeyType2 error of %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* allocate scratch buffer */ + ret = ippsRSA_GetBufferSizePrivateKey(&scratchSz, key->pPrv); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetBufferSizePrivateKey error of %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + scratchBuffer = XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (scratchBuffer == NULL) + return USER_CRYPTO_ERROR; + + /* set up initial value of pScrPublicExp */ + leng = (int)sizeof(long); /* # of Ipp32u in long */ + ret = ippsBigNumGetSize(leng, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + pSrcPublicExp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (pSrcPublicExp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, pSrcPublicExp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + ret = ippsSetOctString_BN((Ipp8u*)&e, leng, pSrcPublicExp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* initializing key->n */ + ret = ippsBigNumGetSize(bytSz, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + key->n = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->n == NULL) + return USER_CRYPTO_ERROR; + + key->nSz = size; + ret = ippsBigNumInit(bytSz, key->n); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* initializing public exponent key->e */ + ret = ippsBigNumGetSize(leng, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + key->e = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->e == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, key->e); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* private exponent key->dipp */ + ret = ippsBigNumGetSize(bytSz, &ctxSz); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + key->dipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->dipp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(bytSz, key->dipp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + rndFunc = ippsPRNGen; + /* call IPP to generate keys, if inseficent entropy error call again + using for loop to avoid infinte loop */ + for (i = 0; i < 5; i++) { + ret = ippsRSA_GenerateKeys(pSrcPublicExp, key->n, key->e, + key->dipp, key->pPrv, scratchBuffer, trys, pPrime, + rndFunc, rndParam); + if (ret == ippStsNoErr) { + break; + } + + /* catch all errors other than entropy error */ + if (ret != ippStsInsufficientEntropy) { + USER_DEBUG(("ippsRSA_GeneratKeys error of %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + } + + /* get bn sizes needed for private key set up */ + ret = ippsExtGet_BN(NULL, &key->eSz, NULL, key->e); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsExtGet_BN(NULL, &key->nSz, NULL, key->n); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetSize_BN error %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* set up public key state */ + ret = ippsRSA_GetSizePublicKey(key->nSz, key->eSz, &ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetSizePublicKey error %s nSz = %d eSz = %d\n", + ippGetStatusString(ret), key->nSz, key->eSz)); + return USER_CRYPTO_ERROR; + } + + key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pPub == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsRSA_InitPublicKey(key->nSz, key->eSz, key->pPub, ctxSz); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_InitPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsRSA_SetPublicKey(key->n, key->e, key->pPub); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_SetPublicKey error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* get private key information for key struct */ + leng = size/16; /* size of q, p, u, dP, dQ */ + ret = ippsBigNumGetSize(leng, &ctxSz); /* get needed ctxSz and use */ + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + key->pipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->pipp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, key->pipp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* set up q BN for key */ + key->qipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->qipp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, key->qipp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* set up dP BN for key */ + key->dPipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->dPipp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, key->dPipp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* set up dQ BN for key */ + key->dQipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->dQipp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, key->dQipp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* set up u BN for key */ + key->uipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (key->uipp == NULL) + return USER_CRYPTO_ERROR; + + ret = ippsBigNumInit(leng, key->uipp); + if (ret != ippStsNoErr) + return USER_CRYPTO_ERROR; + + /* get values from created key */ + ret = ippsRSA_GetPrivateKeyType2(key->pipp, key->qipp, key->dPipp, + key->dQipp, key->uipp, key->pPrv); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GetPrivateKeyType2 error %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* clean up memory used */ + XFREE(pSrcPublicExp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pPrime, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(rndParam, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + (void)rng; + + return 0; +} + +/********** duplicate code needed -- future refactor */ +#define MAX_VERSION_SZ 5 +#define MAX_SEQ_SZ 5 +#define ASN_CONTEXT_SPECIFIC 0x80 +#define ASN_CONSTRUCTED 0x20 +#define ASN_LONG_LENGTH 0x80 +#define ASN_SEQUENCE 0x10 +#define RSA_INTS 8 +#define FALSE 0 +#define TRUE 1 + +#define MAX_LENGTH_SZ 4 +#define RSAk 645 +#define keyType 2 +#define MAX_RSA_INT_SZ 517 +#define MAX_RSA_E_SZ 16 +#define MAX_ALGO_SZ 20 + +static word32 BytePrecision(word32 value) +{ + word32 i; + for (i = sizeof(value); i; --i) + if (value >> ((i - 1) * WOLFSSL_BIT_SIZE)) + break; + + return i; +} + + +static int SetMyVersion(word32 version, byte* output, int header) +{ + int i = 0; + + if (output == NULL) + return USER_CRYPTO_ERROR; + + if (header) { + output[i++] = ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED; + output[i++] = ASN_BIT_STRING; + } + output[i++] = ASN_INTEGER; + output[i++] = 0x01; + output[i++] = (byte)version; + + return i; +} + + +static word32 SetLength(word32 length, byte* output) +{ + word32 i = 0, j; + + if (length < 0x80) + output[i++] = (byte)length; + else { + output[i++] = (byte)(BytePrecision(length) | ASN_LONG_LENGTH); + + for (j = BytePrecision(length); j; --j) { + output[i] = (byte)(length >> ((j - 1) * WOLFSSL_BIT_SIZE)); + i++; + } + } + + return i; +} + + +static word32 SetSequence(word32 len, byte* output) +{ + output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED; + return SetLength(len, output + 1) + 1; +} + + +static word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) +{ + /* adding TAG_NULL and 0 to end */ + + /* RSA keyType */ + #ifndef NO_RSA + static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, + 0x01, 0x01, 0x01, 0x05, 0x00}; + #endif /* NO_RSA */ + + int algoSz = 0; + int tagSz = 2; /* tag null and terminator */ + word32 idSz, seqSz; + const byte* algoName = 0; + byte ID_Length[MAX_LENGTH_SZ]; + byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ + + if (type == keyType) { /* keyType */ + switch (algoOID) { + #ifndef NO_RSA + case RSAk: + algoSz = sizeof(RSA_AlgoID); + algoName = RSA_AlgoID; + break; + #endif /* NO_RSA */ + default: + /* unknown key algo */ + return 0; + } + } + else { + /* unknown algo type */ + return 0; + } + + idSz = SetLength(algoSz - tagSz, ID_Length); /* don't include tags */ + seqSz = SetSequence(idSz + algoSz + 1 + curveSz, seqArray); + /* +1 for object id, curveID of curveSz follows for ecc */ + seqArray[seqSz++] = ASN_OBJECT_ID; + + XMEMCPY(output, seqArray, seqSz); + XMEMCPY(output + seqSz, ID_Length, idSz); + XMEMCPY(output + seqSz + idSz, algoName, algoSz); + + return seqSz + idSz + algoSz; + +} + + +/* Write a public RSA key to output */ +static int SetRsaPublicKey(byte* output, RsaKey* key, + int outLen, int with_header) +{ +#ifdef WOLFSSL_SMALL_STACK + byte* n = NULL; + byte* e = NULL; +#else + byte n[MAX_RSA_INT_SZ]; + byte e[MAX_RSA_E_SZ]; +#endif + byte seq[MAX_SEQ_SZ]; + byte len[MAX_LENGTH_SZ + 1]; /* trailing 0 */ + int nSz; + int eSz; + int seqSz; + int lenSz; + int idx; + int rawLen; + int leadingBit; + int err; + + if (output == NULL || key == NULL || outLen < MAX_SEQ_SZ) + return USER_CRYPTO_ERROR; + + /* n */ +#ifdef WOLFSSL_SMALL_STACK + n = (byte*)XMALLOC(MAX_RSA_INT_SZ, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (n == NULL) + return USER_CRYPTO_ERROR; +#endif + + if (ippsExtGet_BN(NULL, &rawLen, NULL, key->n) != ippStsNoErr) + return USER_CRYPTO_ERROR; + leadingBit = rawLen % 8; /* check for if an extra byte is needed */ + rawLen = rawLen/8; /* convert to byte size */ + rawLen = rawLen + leadingBit; + n[0] = ASN_INTEGER; + nSz = SetLength(rawLen, n + 1) + 1; /* int tag */ + + if ( (nSz + rawLen) < MAX_RSA_INT_SZ) { + if (leadingBit) + n[nSz] = 0; + err = ippsGetOctString_BN((Ipp8u*)n + nSz, rawLen, key->n); + if (err == ippStsNoErr) + nSz += rawLen; + else { +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + return USER_CRYPTO_ERROR; + } + } + else { +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + return USER_CRYPTO_ERROR; + } + + /* e */ +#ifdef WOLFSSL_SMALL_STACK + e = (byte*)XMALLOC(MAX_RSA_E_SZ, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (e == NULL) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + return USER_CRYPTO_ERROR; + } +#endif + + if (ippsExtGet_BN(NULL, &rawLen, NULL, key->e) != ippStsNoErr) + return USER_CRYPTO_ERROR; + leadingBit = rawLen % 8; + rawLen = rawLen/8; + rawLen = rawLen + leadingBit; + e[0] = ASN_INTEGER; + eSz = SetLength(rawLen, e + 1) + 1; /* int tag */ + + if ( (eSz + rawLen) < MAX_RSA_E_SZ) { + if (leadingBit) + e[eSz] = 0; + err = ippsGetOctString_BN((Ipp8u*)e + eSz, rawLen, key->e); + if (err == ippStsNoErr) + eSz += rawLen; + else { +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(e, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + return USER_CRYPTO_ERROR; + } + } + else { +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(e, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + return USER_CRYPTO_ERROR; + } + + seqSz = SetSequence(nSz + eSz, seq); + + /* check output size */ + if ( (seqSz + nSz + eSz) > outLen) { +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(e, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + return USER_CRYPTO_ERROR; + } + + /* headers */ + if (with_header) { + int algoSz; +#ifdef WOLFSSL_SMALL_STACK + byte* algo = NULL; + + algo = (byte*)XMALLOC(MAX_ALGO_SZ, NULL, DYNAMIC_TYPE_USER_CRYPTO); + if (algo == NULL) { + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(e, NULL, DYNAMIC_TYPE_USER_CRYPTO); + return USER_CRYPTO_ERROR; + } +#else + byte algo[MAX_ALGO_SZ]; +#endif + algoSz = SetAlgoID(RSAk, algo, keyType, 0); + lenSz = SetLength(seqSz + nSz + eSz + 1, len); + len[lenSz++] = 0; /* trailing 0 */ + + /* write, 1 is for ASN_BIT_STRING */ + idx = SetSequence(nSz + eSz + seqSz + lenSz + 1 + algoSz, output); + + /* check output size */ + if ( (idx + algoSz + 1 + lenSz + seqSz + nSz + eSz) > outLen) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(e, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(algo, NULL, DYNAMIC_TYPE_USER_CRYPTO); + #endif + + return USER_CRYPTO_ERROR; + } + + /* algo */ + XMEMCPY(output + idx, algo, algoSz); + idx += algoSz; + /* bit string */ + output[idx++] = ASN_BIT_STRING; + /* length */ + XMEMCPY(output + idx, len, lenSz); + idx += lenSz; +#ifdef WOLFSSL_SMALL_STACK + XFREE(algo, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + } + else + idx = 0; + + /* seq */ + XMEMCPY(output + idx, seq, seqSz); + idx += seqSz; + /* n */ + XMEMCPY(output + idx, n, nSz); + idx += nSz; + /* e */ + XMEMCPY(output + idx, e, eSz); + idx += eSz; + +#ifdef WOLFSSL_SMALL_STACK + XFREE(n, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(e, NULL, DYNAMIC_TYPE_USER_CRYPTO); +#endif + + return idx; +} + + +static IppsBigNumState* GetRsaInt(RsaKey* key, int idx) +{ + if (idx == 0) + return key->n; + if (idx == 1) + return key->e; + if (idx == 2) + return key->dipp; + if (idx == 3) + return key->pipp; + if (idx == 4) + return key->qipp; + if (idx == 5) + return key->dPipp; + if (idx == 6) + return key->dQipp; + if (idx == 7) + return key->uipp; + + return NULL; +} + + +/* Release Tmp RSA resources */ +static INLINE void FreeTmpRsas(byte** tmps, void* heap) +{ + int i; + + (void)heap; + + for (i = 0; i < RSA_INTS; i++) + XFREE(tmps[i], heap, DYNAMIC_TYPE_USER_CRYPTO); +} + + +/* Convert RsaKey key to DER format, write to output (inLen), return bytes + written */ +int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) +{ + word32 seqSz, verSz, rawLen, intTotalLen = 0; + word32 sizes[RSA_INTS]; + int i, j, outLen, ret = 0, lbit; + + byte seq[MAX_SEQ_SZ]; + byte ver[MAX_VERSION_SZ]; + byte* tmps[RSA_INTS]; + + USER_DEBUG(("Entering RsaKeyToDer\n")); + + if (!key || !output) + return USER_CRYPTO_ERROR; + + if (key->type != RSA_PRIVATE) + return USER_CRYPTO_ERROR; + + for (i = 0; i < RSA_INTS; i++) + tmps[i] = NULL; + + /* write all big ints from key to DER tmps */ + for (i = 0; i < RSA_INTS; i++) { + Ipp32u isZero; + IppsBigNumState* keyInt = GetRsaInt(key, i); + + /* leading zero */ + ippsCmpZero_BN(keyInt, &isZero); /* makes isZero 0 if true */ + ippsExtGet_BN(NULL, (int*)&rawLen, NULL, keyInt); /* bit length */ + if (rawLen % 8 || !isZero) + lbit = 1; + else + lbit = 0; + + rawLen /= 8; /* convert to bytes */ + rawLen += lbit; + + tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, + DYNAMIC_TYPE_USER_CRYPTO); + if (tmps[i] == NULL) { + ret = USER_CRYPTO_ERROR; + break; + } + + tmps[i][0] = ASN_INTEGER; + sizes[i] = SetLength(rawLen, tmps[i] + 1) + 1 + lbit; /* tag & lbit */ + + if (sizes[i] <= MAX_SEQ_SZ) { + int err; + + /* leading zero */ + if (lbit) + tmps[i][sizes[i]-1] = 0x00; + + /* extract data*/ + err = ippsGetOctString_BN((Ipp8u*)(tmps[i] + sizes[i]), + rawLen, keyInt); + if (err == ippStsOk) { + sizes[i] += (rawLen-lbit); /* lbit included in rawLen */ + intTotalLen += sizes[i]; + ret = 0; + } + else { + ret = USER_CRYPTO_ERROR; + break; + } + } + else { + ret = USER_CRYPTO_ERROR; + break; + } + } + + if (ret != 0) { + FreeTmpRsas(tmps, key->heap); + return ret; + } + + /* make headers */ + verSz = SetMyVersion(0, ver, FALSE); + seqSz = SetSequence(verSz + intTotalLen, seq); + + outLen = seqSz + verSz + intTotalLen; + if (outLen > (int)inLen) { + return USER_CRYPTO_ERROR; + } + + /* write to output */ + XMEMCPY(output, seq, seqSz); + j = seqSz; + XMEMCPY(output + j, ver, verSz); + j += verSz; + + for (i = 0; i < RSA_INTS; i++) { + XMEMCPY(output + j, tmps[i], sizes[i]); + j += sizes[i]; + } + FreeTmpRsas(tmps, key->heap); + + return outLen; +} + + +/* Convert Rsa Public key to DER format, write to output (inLen), return bytes + written +*/ +int wc_RsaKeyToPublicDer(RsaKey* key, byte* output, word32 inLen) +{ + return SetRsaPublicKey(output, key, inLen, 1); +} + + +#endif /* WOLFSSL_KEY_GEN */ + +#endif /* NO_RSA */ + diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5243dabb2..5a30c8c81 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -78,7 +78,11 @@ typedef struct WOLFSSL_SOCKADDR WOLFSSL_SOCKADDR; #define WOLFSSL_TYPES_DEFINED +#ifndef WOLFSSL_RSA_TYPE_DEFINED /* guard on redeclaration */ typedef struct WOLFSSL_RSA WOLFSSL_RSA; +#define WOLFSSL_RSA_TYPE_DEFINED +#endif + typedef struct WOLFSSL_DSA WOLFSSL_DSA; typedef struct WOLFSSL_EC_KEY WOLFSSL_EC_KEY; typedef struct WOLFSSL_EC_POINT WOLFSSL_EC_POINT; diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index f08ecbd98..7a1100bcf 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -161,6 +161,8 @@ enum { KEYUSAGE_E = -226, /* Bad Key Usage value */ CERTPOLICIES_E = -227, /* setting Certificate Policies error */ + WC_FAILURE_E = -228, /* wolfcrypt failed to initialize */ + MIN_CODE_E = -300 /* errors -101 - -299 */ }; diff --git a/wolfssl/wolfcrypt/integer.h b/wolfssl/wolfcrypt/integer.h index 099b9f4e3..c150fd880 100644 --- a/wolfssl/wolfcrypt/integer.h +++ b/wolfssl/wolfcrypt/integer.h @@ -77,6 +77,10 @@ extern "C" { #undef MP_64BIT #endif + +/* allow user to define on mp_digit, mp_word, DIGIT_BIT types */ +#ifndef WOLFSSL_BIGINT_TYPES + /* some default configurations. * * A "mp_digit" must be able to hold DIGIT_BIT + 1 bits @@ -119,6 +123,7 @@ extern "C" { #endif #endif +#endif /* WOLFSSL_BIGINT_TYPES */ /* otherwise the bits per digit is calculated automatically from the size of a mp_digit */ diff --git a/wolfssl/wolfcrypt/rsa.h b/wolfssl/wolfcrypt/rsa.h index 8141367c9..e9e774aed 100644 --- a/wolfssl/wolfcrypt/rsa.h +++ b/wolfssl/wolfcrypt/rsa.h @@ -26,6 +26,11 @@ #ifndef NO_RSA +/* allow for user to plug in own crypto */ +#if !defined(HAVE_FIPS) && (defined(HAVE_USER_RSA) || defined(HAVE_FAST_RSA)) + #include "user_rsa.h" +#else + #ifdef HAVE_FIPS /* for fips @wc_fips */ #include @@ -41,7 +46,8 @@ extern "C" { #endif -#ifndef HAVE_FIPS /* avoid redefinition of structs */ +/* avoid redefinition of structs */ +#if !defined(HAVE_FIPS) #define WOLFSSL_RSA_CAVIUM_MAGIC 0xBEEF0006 enum { @@ -72,7 +78,6 @@ typedef struct RsaKey { } RsaKey; #endif /*HAVE_FIPS */ - WOLFSSL_API int wc_InitRsaKey(RsaKey* key, void*); WOLFSSL_API int wc_FreeRsaKey(RsaKey* key); @@ -113,7 +118,7 @@ WOLFSSL_API int wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*, WOLFSSL_API int wc_RsaInitCavium(RsaKey*, int); WOLFSSL_API void wc_RsaFreeCavium(RsaKey*); #endif - +#endif /* HAVE_USER_RSA */ #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/wolfssl/wolfcrypt/tfm.h b/wolfssl/wolfcrypt/tfm.h index ac24eb93c..4e2804d1a 100644 --- a/wolfssl/wolfcrypt/tfm.h +++ b/wolfssl/wolfcrypt/tfm.h @@ -202,6 +202,9 @@ #endif +/* allow user to define on fp_digit, fp_word types */ +#ifndef WOLFSSL_BIGINT_TYPES + /* some default configurations. */ #if defined(FP_64BIT) @@ -227,6 +230,8 @@ #endif #endif +#endif /* WOLFSSL_BIGINT_TYPES */ + /* # of digits this is */ #define DIGIT_BIT (int)((CHAR_BIT) * sizeof(fp_digit)) diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 8e49678c0..3b9963bb9 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -287,6 +287,7 @@ DYNAMIC_TYPE_HASHES = 46, DYNAMIC_TYPE_SRP = 47, DYNAMIC_TYPE_COOKIE_PWD = 48, + DYNAMIC_TYPE_USER_CRYPTO = 49, DYNAMIC_TYPE_OCSP_REQUEST = 50 }; diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 7e260f923..9697f8aa8 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -169,6 +169,8 @@ WOLFSSL_LOCAL int FreeMutex(wolfSSL_Mutex*); WOLFSSL_LOCAL int LockMutex(wolfSSL_Mutex*); WOLFSSL_LOCAL int UnLockMutex(wolfSSL_Mutex*); +/* main crypto initialization function */ +WOLFSSL_API int wolfcrypt_Init(void); /* filesystem abstraction layer, used by ssl.c */ #ifndef NO_FILESYSTEM From 55a56cac052456862aa7caa19f7d64b9330c2a29 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 28 Oct 2015 15:07:22 -0600 Subject: [PATCH 010/177] Release 3.7.0 --- IPP/.gitkeep | 0 README | 18 +++++++++++++++--- README.md | 20 +++++++++++++++----- configure.ac | 4 ++-- support/wolfssl.pc | 2 +- wolfssl/version.h | 4 ++-- 6 files changed, 35 insertions(+), 13 deletions(-) create mode 100644 IPP/.gitkeep diff --git a/IPP/.gitkeep b/IPP/.gitkeep new file mode 100644 index 000000000..e69de29bb diff --git a/README b/README index 2c5586532..9d15eb7fb 100644 --- a/README +++ b/README @@ -32,13 +32,25 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** -wolfSSL (Formerly CyaSSL) Release 3.6.9 (10/05/2015) + ********* wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015) -Release 3.6.9 of wolfSSL has bug fixes and new features including: +Release 3.7.0 of wolfSSL has bug fixes and new features including: +- ALPN extension support added for HTTP2 connections with --enable-alpn +- Change of example/client/client max fragment flag -L -> -F +- Throughput benchmarking, added scripts/benchmark.test +- Sniffer API ssl_FreeDecodeBuffer added +- Addition of AES_GCM to Sniffer +- Sniffer change to handle unlimited decrypt buffer size - New option for the sniffer where it will try to pick up decoding after a sequence number acknowldgement fault. Also includes some additional stats. +- JNI API setter and getter function for jobject added +- User RSA crypto plugin abstraction. An example placed in wolfcrypt/user-crypto +- fix to asn configuration bug - AES-GCM/CCM fixes. +- Port for Rowley added +- Rowley Crossworks bare metal examples added +- MDK5-ARM project update - FreeRTOS support updates. - VXWorks support updates. - Added the IDEA cipher and support in wolfSSL. @@ -46,7 +58,7 @@ Release 3.6.9 of wolfSSL has bug fixes and new features including: - CFLAGS is usable when configuring source. - No high level security fixes that requires an update though we always - recommend updating to the latest +recommend updating to the latest See INSTALL file for build instructions. More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html diff --git a/README.md b/README.md index eb2437b10..57b658663 100644 --- a/README.md +++ b/README.md @@ -35,14 +35,25 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new(); Though it's not recommended. ``` +# wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015) -# wolfSSL (Formerly CyaSSL) Release 3.6.9 (10/05/2015) - -##Release 3.6.9 of wolfSSL has bug fixes and new features including: +##Release 3.7.0 of wolfSSL has bug fixes and new features including: +- ALPN extension support added for HTTP2 connections with --enable-alpn +- Change of example/client/client max fragment flag -L -> -F +- Throughput benchmarking, added scripts/benchmark.test +- Sniffer API ssl_FreeDecodeBuffer added +- Addition of AES_GCM to Sniffer +- Sniffer change to handle unlimited decrypt buffer size - New option for the sniffer where it will try to pick up decoding after a sequence number acknowldgement fault. Also includes some additional stats. +- JNI API setter and getter function for jobject added +- User RSA crypto plugin abstraction. An example placed in wolfcrypt/user-crypto +- fix to asn configuration bug - AES-GCM/CCM fixes. +- Port for Rowley added +- Rowley Crossworks bare metal examples added +- MDK5-ARM project update - FreeRTOS support updates. - VXWorks support updates. - Added the IDEA cipher and support in wolfSSL. @@ -50,12 +61,11 @@ before calling wolfSSL_new(); Though it's not recommended. - CFLAGS is usable when configuring source. - No high level security fixes that requires an update though we always - recommend updating to the latest +recommend updating to the latest See INSTALL file for build instructions. More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html - #wolfSSL (Formerly CyaSSL) Release 3.6.8 (09/17/2015) ##Release 3.6.8 of wolfSSL fixes two high severity vulnerabilities. diff --git a/configure.ac b/configure.ac index e2895eb39..8d4eba4f1 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.6.9d],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.7.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -WOLFSSL_LIBRARY_VERSION=1:0:0 +WOLFSSL_LIBRARY_VERSION=2:0:1 # | | | # +------+ | +---+ # | | | diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 74800588c..617705cae 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.6.9d +Version: 3.7.0 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfssl/version.h b/wolfssl/version.h index 58d1fdd5a..52f61334f 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.6.9d" -#define LIBWOLFSSL_VERSION_HEX 0x03006009 +#define LIBWOLFSSL_VERSION_STRING "3.7.0" +#define LIBWOLFSSL_VERSION_HEX 0x03007000 #ifdef __cplusplus } From 2c41a5b96102ae7558ec6e7ea667c898a4f1ebd9 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 28 Oct 2015 17:33:31 -0600 Subject: [PATCH 011/177] adjust wolfssl lib value in rpm spec.in --- rpm/spec.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rpm/spec.in b/rpm/spec.in index 9a3414f2f..6efe3bfcf 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -69,7 +69,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/libwolfssl.la %{_libdir}/libwolfssl.so %{_libdir}/libwolfssl.so.1 -%{_libdir}/libwolfssl.so.1.0.0 +%{_libdir}/libwolfssl.so.1.1.0 %files devel %defattr(-,root,root,-) From d31cec0df01cecdda8ddb059bf05fbcecfae0177 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 28 Oct 2015 23:07:52 -0700 Subject: [PATCH 012/177] Fixes initialization of the Crypto HW protection, which could leak a mutex if two calls to "wolfSSL_CryptHwMutexLock()" occurred at the same time prior to calling "wolfSSL_CryptHwMutexInit()". Fixes #164. --- wolfcrypt/src/wc_port.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index 9956da3c4..c769e2dcf 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -45,6 +45,11 @@ */ int wolfcrypt_Init() { + #if WOLFSSL_CRYPT_HW_MUTEX + /* If crypto hardware mutex protection is enabled, then initialize it */ + wolfSSL_CryptHwMutexInit(); + #endif + /* if defined have fast RSA then initialize Intel IPP */ #ifdef HAVE_FAST_RSA WOLFSSL_MSG("Setting up IPP Library"); From f977caa4921300c28fbda9dca3c1719eb4364833 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 28 Oct 2015 23:54:08 -0700 Subject: [PATCH 013/177] Cleanup of the test code that looks for the WolfSSL root directory. Now it tries to open the certs/ntru-cert.pem file in each directory up (limited to 5) until it opens it. --- examples/client/client.c | 7 +- examples/echoclient/echoclient.c | 5 +- examples/echoserver/echoserver.c | 5 +- examples/server/server.c | 7 +- tests/unit.c | 5 +- testsuite/testsuite.c | 22 +----- wolfssl/test.h | 114 ++++++++++--------------------- 7 files changed, 42 insertions(+), 123 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index dc4a80f0a..796e19e6b 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1261,12 +1261,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(DEBUG_WOLFSSL) && !defined(WOLFSSL_MDK_SHELL) && !defined(STACK_TRAP) wolfSSL_Debugging_ON(); #endif - if (CurrentDir("_build")) - ChangeDirBack(1); - else if (CurrentDir("client")) - ChangeDirBack(2); - else if (CurrentDir("Debug") || CurrentDir("Release")) - ChangeDirBack(3); + ChangeToWolfRoot(); #ifdef HAVE_STACK_SIZE StackSizeCheck(&args, client_test); diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 8cf05c26c..6f06dd82c 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -261,10 +261,7 @@ void echoclient_test(void* args) CyaSSL_Debugging_ON(); #endif #ifndef CYASSL_TIRTOS - if (CurrentDir("echoclient")) - ChangeDirBack(2); - else if (CurrentDir("Debug") || CurrentDir("Release")) - ChangeDirBack(3); + ChangeToWolfRoot(); #endif echoclient_test(&args); diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index e510e1387..a01377a7f 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -393,10 +393,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) #if defined(DEBUG_CYASSL) && !defined(CYASSL_MDK_SHELL) CyaSSL_Debugging_ON(); #endif - if (CurrentDir("echoserver")) - ChangeDirBack(2); - else if (CurrentDir("Debug") || CurrentDir("Release")) - ChangeDirBack(3); + ChangeToWolfRoot(); echoserver_test(&args); CyaSSL_Cleanup(); diff --git a/examples/server/server.c b/examples/server/server.c index 455d9b2fa..ed263e67f 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -906,12 +906,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL) CyaSSL_Debugging_ON(); #endif - if (CurrentDir("_build")) - ChangeDirBack(1); - else if (CurrentDir("server")) - ChangeDirBack(2); - else if (CurrentDir("Debug") || CurrentDir("Release")) - ChangeDirBack(3); + ChangeToWolfRoot(); #ifdef HAVE_STACK_SIZE StackSizeCheck(&args, server_test); diff --git a/tests/unit.c b/tests/unit.c index a05ae3ccd..e25c6776e 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -60,10 +60,7 @@ int unit_test(int argc, char** argv) #endif /* HAVE_CAVIUM */ #ifndef WOLFSSL_TIRTOS - if (CurrentDir("tests") || CurrentDir("_build")) - ChangeDirBack(1); - else if (CurrentDir("Debug") || CurrentDir("Release")) - ChangeDirBack(3); + ChangeToWolfRoot(); #endif ApiTest(); diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index c0304e324..1d228d12e 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -29,24 +29,6 @@ #include #include "wolfcrypt/test/test.h" -/* This function changes the current directory to the wolfssl root */ -static void ChangeDirToRoot(void) -{ - /* Normal Command Line=_build, Visual Studio=testsuite */ - if (CurrentDir("testsuite") || CurrentDir("_build")) { - ChangeDirBack(1); - } - - /* Xcode: To output application to correct location: */ - /* 1. Xcode->Preferences->Locations->Locations */ - /* 2. Derived Data Advanced -> Custom */ - /* 3. Relative to Workspace, Build/Products */ - /* Build/Products/Debug or Build/Products/Release */ - else if (CurrentDir("Debug") || CurrentDir("Release")) { - ChangeDirBack(5); - } -} - #ifndef SINGLE_THREADED @@ -118,7 +100,7 @@ int testsuite_test(int argc, char** argv) #endif #if !defined(WOLFSSL_TIRTOS) - ChangeDirToRoot(); + ChangeToWolfRoot(); #endif #ifdef WOLFSSL_TIRTOS @@ -431,7 +413,7 @@ int main(int argc, char** argv) server_args.argc = argc; server_args.argv = argv; - ChangeDirToRoot(); + ChangeToWolfRoot(); wolfcrypt_test(&server_args); if (server_args.return_code != 0) return server_args.return_code; diff --git a/wolfssl/test.h b/wolfssl/test.h index 8549f0f7a..526b98171 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1160,87 +1160,43 @@ static INLINE int OpenNitroxDevice(int dma_mode,int dev_id) #endif /* HAVE_CAVIUM */ -#ifdef USE_WINDOWS_API +/* Wolf Root Directory Helper */ +/* KEIL-RL File System does not support relative directry */ +#if !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_KEIL_FS) && !defined(WOLFSSL_TIRTOS) + #ifndef MAX_PATH + #define MAX_PATH 256 + #endif -/* do back x number of directories */ -static INLINE void ChangeDirBack(int x) -{ - char path[MAX_PATH]; - XMEMSET(path, 0, MAX_PATH); - XSTRNCAT(path, ".\\", MAX_PATH); - while (x-- > 0) { - XSTRNCAT(path, "..\\", MAX_PATH); + /* Maximum depth to search for WolfSSL root */ + #define MAX_WOLF_ROOT_DEPTH 5 + + static INLINE int ChangeToWolfRoot(void) + { + int depth; + XFILE file; + char path[MAX_PATH]; + XMEMSET(path, 0, MAX_PATH); + + for(depth = 0; depth < MAX_WOLF_ROOT_DEPTH; depth++) { + file = XFOPEN(ntruCert, "rb"); + if (file != XBADFILE) { + XFCLOSE(file); + break; + } + #ifdef USE_WINDOWS_API + XSTRNCAT(path, "..\\", MAX_PATH); + SetCurrentDirectoryA(path); + #else + XSTRNCAT(path, "../", MAX_PATH); + if (chdir(path) < 0) { + printf("chdir to %s failed\n", path); + break; + } + #endif + } + return depth; } - SetCurrentDirectoryA(path); -} - -/* does current dir contain str */ -static INLINE int CurrentDir(const char* str) -{ - char path[MAX_PATH]; - char* baseName; - - GetCurrentDirectoryA(sizeof(path), path); - - baseName = strrchr(path, '\\'); - if (baseName) - baseName++; - else - baseName = path; - - if (strstr(baseName, str)) - return 1; - - return 0; -} - -#elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_FS) - /* KEIL-RL File System does not support relative directry */ -#elif defined(WOLFSSL_TIRTOS) -#else - -#ifndef MAX_PATH - #define MAX_PATH 256 -#endif - -/* do back x number of directories */ -static INLINE void ChangeDirBack(int x) -{ - char path[MAX_PATH]; - XMEMSET(path, 0, MAX_PATH); - XSTRNCAT(path, "./", MAX_PATH); - while (x-- > 0) { - XSTRNCAT(path, "../", MAX_PATH); - } - if (chdir(path) < 0) { - printf("chdir to %s failed\n", path); - } -} - -/* does current dir contain str */ -static INLINE int CurrentDir(const char* str) -{ - char path[MAX_PATH]; - char* baseName; - - if (getcwd(path, sizeof(path)) == NULL) { - printf("no current dir?\n"); - return 0; - } - - baseName = strrchr(path, '/'); - if (baseName) - baseName++; - else - baseName = path; - - if (strstr(baseName, str)) - return 1; - - return 0; -} - -#endif /* USE_WINDOWS_API */ +#endif /* !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_KEIL_FS) && !defined(WOLFSSL_TIRTOS) */ #ifdef USE_WOLFSSL_MEMORY From dacfd84beaf4030cca45862b422308c7a09c6fa4 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 29 Oct 2015 10:45:37 -0700 Subject: [PATCH 014/177] Enhanced "ChangeToWolfRoot" to report error if the root was not found. Also fixed the depth limit. --- wolfssl/test.h | 48 +++++++++++++++++++++++++++--------------------- 1 file changed, 27 insertions(+), 21 deletions(-) diff --git a/wolfssl/test.h b/wolfssl/test.h index 526b98171..588ab5270 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1172,29 +1172,35 @@ static INLINE int OpenNitroxDevice(int dma_mode,int dev_id) static INLINE int ChangeToWolfRoot(void) { - int depth; - XFILE file; - char path[MAX_PATH]; - XMEMSET(path, 0, MAX_PATH); + #if !defined(NO_FILESYSTEM) + int depth; + XFILE file; + char path[MAX_PATH]; + XMEMSET(path, 0, MAX_PATH); - for(depth = 0; depth < MAX_WOLF_ROOT_DEPTH; depth++) { - file = XFOPEN(ntruCert, "rb"); - if (file != XBADFILE) { - XFCLOSE(file); - break; - } - #ifdef USE_WINDOWS_API - XSTRNCAT(path, "..\\", MAX_PATH); - SetCurrentDirectoryA(path); - #else - XSTRNCAT(path, "../", MAX_PATH); - if (chdir(path) < 0) { - printf("chdir to %s failed\n", path); - break; + for(depth = 0; depth <= MAX_WOLF_ROOT_DEPTH; depth++) { + file = XFOPEN(ntruKey, "rb"); + if (file != XBADFILE) { + XFCLOSE(file); + return depth; } - #endif - } - return depth; + #ifdef USE_WINDOWS_API + XSTRNCAT(path, "..\\", MAX_PATH); + SetCurrentDirectoryA(path); + #else + XSTRNCAT(path, "../", MAX_PATH); + if (chdir(path) < 0) { + printf("chdir to %s failed\n", path); + break; + } + #endif + } + + err_sys("wolf root not found"); + return -1; + #else + return 0; + #endif } #endif /* !defined(WOLFSSL_MDK_ARM) && !defined(WOLFSSL_KEIL_FS) && !defined(WOLFSSL_TIRTOS) */ From d741d4cddc14b54e4e7883915723d6a351c04574 Mon Sep 17 00:00:00 2001 From: Takashi Kojo Date: Fri, 30 Oct 2015 11:26:54 +0900 Subject: [PATCH 015/177] Adding UTC Time Differential in ValidateDate --- wolfcrypt/src/asn.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 03353d45a..76a565399 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2550,6 +2550,9 @@ int ValidateDate(const byte* date, byte format, int dateType) struct tm* localTime; struct tm* tmpTime = NULL; int i = 0; + int timeDiff = 0 ; + int diffHH = 0 ; int diffMM = 0 ; + int diffSign = 0 ; #if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) struct tm tmpTimeStorage; @@ -2580,11 +2583,17 @@ int ValidateDate(const byte* date, byte format, int dateType) GetTime((int*)&certTime.tm_min, date, &i); GetTime((int*)&certTime.tm_sec, date, &i); - if (date[i] != 'Z') { /* only Zulu supported for this profile */ - WOLFSSL_MSG("Only Zulu time supported for this profile"); - return 0; + if ((date[i] == '+') || (date[i] == '-')) { + diffSign = date[i++]=='+' ? 1 : -1 ; + GetTime((int*)&diffHH, date, &i); + GetTime((int*)&diffMM, date, &i); + timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ; + } else if (date[i] != 'Z') { + WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ; + return 0; } + ltime -= timeDiff ; localTime = XGMTIME(<ime, tmpTime); if (localTime == NULL) { @@ -9316,4 +9325,3 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) #endif /* WOLFSSL_SEP */ - From 5d2d24967372b55f220c395b67c6510047d1f305 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 30 Oct 2015 13:40:05 -0700 Subject: [PATCH 016/177] turn on OpenSSL public key type decodes unless explicitly turned off --- wolfssl/wolfcrypt/settings.h | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 8fd9d629f..546055c86 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -984,8 +984,9 @@ static char *fgets(char *buff, int sz, FILE *fp) #endif #endif -/* Certificate Request Extensions needs decode extras */ -#ifdef WOLFSSL_CERT_EXT +/* Decode Public Key extras on by default, user can turn off with + * WOLFSSL_NO_DECODE_EXTRA */ +#ifndef WOLFSSL_NO_DECODE_EXTRA #ifndef RSA_DECODE_EXTRA #define RSA_DECODE_EXTRA #endif From f8aeac608c2a53e5476b16d11fe937dad6cd1ea8 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 30 Oct 2015 16:03:26 -0700 Subject: [PATCH 017/177] 1. Add C NI-intrinsic AES-GCM encrypt and decrypt. 2. Fix error string for wolfcrypt test of GMAC. 3. Add AES-GCM Decrypt to benchmark. --- configure.ac | 3 + wolfcrypt/benchmark/benchmark.c | 23 +- wolfcrypt/src/aes.c | 437 ++++++++++++++++++++++++++++++++ wolfcrypt/src/aes_asm.asm | 79 ++++++ wolfcrypt/src/aes_asm.s | 88 ++++++- wolfcrypt/test/test.c | 2 +- wolfssl/wolfcrypt/aes.h | 2 + 7 files changed, 630 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 8d4eba4f1..d7fdca0e8 100644 --- a/configure.ac +++ b/configure.ac @@ -452,6 +452,7 @@ then AM_CFLAGS="$AM_CFLAGS -maes -msse4" fi fi + AS_IF([test "x$ENABLED_AESGCM" != "xno"],[AM_CCASFLAGS="$AM_CCASFLAGS -DHAVE_AESGCM"]) fi if test "$ENABLED_INTELASM" = "yes" @@ -2500,6 +2501,7 @@ CREATE_HEX_VERSION AC_SUBST([AM_CPPFLAGS]) AC_SUBST([AM_CFLAGS]) AC_SUBST([AM_LDFLAGS]) +AC_SUBST([AM_CCASFLAGS]) AC_SUBST([LIB_ADD]) AC_SUBST([LIB_STATIC_ADD]) @@ -2619,6 +2621,7 @@ echo " * C Flags: $CFLAGS" echo " * C++ Compiler: $CXX" echo " * C++ Flags: $CXXFLAGS" echo " * CPP Flags: $CPPFLAGS" +echo " * CCAS Flags: $CCASFLAGS" echo " * LIB Flags: $LIB" echo " * Debug enabled: $ax_enable_debug" echo " * Warnings as failure: $ac_cv_warnings_as_errors" diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index fbcf360b2..3f709522c 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -483,7 +483,28 @@ void bench_aesgcm(void) persec = persec / 1024; #endif - printf("AES-GCM %d %s took %5.3f seconds, %8.3f MB/s", numBlocks, + printf("AES-GCM Encrypt %d %s took %5.3f seconds, %8.3f MB/s", numBlocks, + blockType, total, persec); + SHOW_INTEL_CYCLES + printf("\n"); + + start = current_time(1); + BEGIN_INTEL_CYCLES + + for(i = 0; i < numBlocks; i++) + wc_AesGcmDecrypt(&enc, plain, cipher, sizeof(cipher), iv, 12, + tag, 16, additional, 13); + + END_INTEL_CYCLES + total = current_time(0) - start; + + persec = 1 / total * numBlocks; +#ifdef BENCH_EMBEDDED + /* since using kB, convert to MB/s */ + persec = persec / 1024; +#endif + + printf("AES-GCM Decrypt %d %s took %5.3f seconds, %8.3f MB/s", numBlocks, blockType, total, persec); SHOW_INTEL_CYCLES printf("\n"); diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 0550d6118..d7524b66a 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -2763,6 +2763,426 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len) } +#ifdef WOLFSSL_AESNI + +void gfmul(__m128i a, __m128i b, __m128i* out) XASM_LINK("gfmul"); + + +/* See Intel® Carry-Less Multiplication Instruction + * and its Usage for Computing the GCM Mode White Paper + * by Shay Gueron, Intel Mobility Group, Israel Development Center; + * and Michael E. Kounavis, Intel Labs, Circuits and Systems Research */ + + +/* Figure 9. AES-GCM – Encrypt With Single Block Ghash at a Time */ + +static void AES_GCM_encrypt(const unsigned char *in, + unsigned char *out, + const unsigned char* addt, + const unsigned char* ivec, + unsigned char *tag, + int nbytes, int abytes, int ibytes, + const unsigned char* key, int nr) +{ + int i, j ,k; + __m128i tmp1, tmp2, tmp3, tmp4; + __m128i H, Y, T; + __m128i *KEY = (__m128i*)key; + __m128i ctr1, ctr2, ctr3, ctr4; + __m128i last_block = _mm_setzero_si128(); + __m128i ONE = _mm_set_epi32(0, 1, 0, 0); + __m128i FOUR = _mm_set_epi32(0, 4, 0, 0); + __m128i BSWAP_EPI64 = _mm_set_epi8(8,9,10,11,12,13,14,15,0,1,2,3,4,5,6,7); + __m128i BSWAP_MASK = _mm_set_epi8(0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15); + __m128i X = _mm_setzero_si128(); + + if(ibytes == 96/8) { + Y = _mm_loadu_si128((__m128i*)ivec); + Y = _mm_insert_epi32(Y, 0x1000000, 3); + /* (Compute E[ZERO, KS] and E[Y0, KS] together */ + tmp1 = _mm_xor_si128(X, KEY[0]); + tmp2 = _mm_xor_si128(Y, KEY[0]); + for(j=1; j < nr-1; j+=2) { + tmp1 = _mm_aesenc_si128(tmp1, KEY[j]); + tmp2 = _mm_aesenc_si128(tmp2, KEY[j]); + tmp1 = _mm_aesenc_si128(tmp1, KEY[j+1]); + tmp2 = _mm_aesenc_si128(tmp2, KEY[j+1]); + } + tmp1 = _mm_aesenc_si128(tmp1, KEY[nr-1]); + tmp2 = _mm_aesenc_si128(tmp2, KEY[nr-1]); + H = _mm_aesenclast_si128(tmp1, KEY[nr]); + T = _mm_aesenclast_si128(tmp2, KEY[nr]); + H = _mm_shuffle_epi8(H, BSWAP_MASK); + } + else { + tmp1 = _mm_xor_si128(X, KEY[0]); + for(j=1; j key, aes->rounds); + return 0; + } +#endif + #ifdef WOLFSSL_PIC32MZ_CRYPT ctr = (char *)aes->iv_ce ; #else @@ -3339,6 +3767,15 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, WOLFSSL_ENTER("AesGcmDecrypt"); +#ifdef WOLFSSL_AESNI + if (haveAESNI) { + if (AES_GCM_decrypt(in, out, authIn, iv, authTag, + sz, authInSz, ivSz, (byte*)aes->key, aes->rounds) == 0) + return AES_GCM_AUTH_E; + return 0; + } +#endif + #ifdef WOLFSSL_PIC32MZ_CRYPT ctr = (char *)aes->iv_ce ; #else diff --git a/wolfcrypt/src/aes_asm.asm b/wolfcrypt/src/aes_asm.asm index 1e3d2d99e..439dacc51 100644 --- a/wolfcrypt/src/aes_asm.asm +++ b/wolfcrypt/src/aes_asm.asm @@ -969,4 +969,83 @@ MAKE_RK256_b: pxor xmm3,xmm2 ret + +; See Intel® Carry-Less Multiplication Instruction +; and its Usage for Computing the GCM Mode White Paper +; by Shay Gueron, Intel Mobility Group, Israel Development Center; +; and Michael E. Kounavis, Intel Labs, Circuits and Systems Research + +; void gfmul(__m128i a, __m128i b, __m128i* out); + +; .globl gfmul +gfmul PROC + ; xmm0 holds operand a (128 bits) + ; xmm1 holds operand b (128 bits) + ; rdi holds the pointer to output (128 bits) + movdqa %xmm0, %xmm3 + pclmulqdq $0, %xmm1, %xmm3 ; xmm3 holds a0*b0 + movdqa %xmm0, %xmm4 + pclmulqdq $16, %xmm1, %xmm4 ; xmm4 holds a0*b1 + movdqa %xmm0, %xmm5 + pclmulqdq $1, %xmm1, %xmm5 ; xmm5 holds a1*b0 + movdqa %xmm0, %xmm6 + pclmulqdq $17, %xmm1, %xmm6 ; xmm6 holds a1*b1 + pxor %xmm5, %xmm4 ; xmm4 holds a0*b1 + a1*b0 + movdqa %xmm4, %xmm5 + psrldq $8, %xmm4 + pslldq $8, %xmm5 + pxor %xmm5, %xmm3 + pxor %xmm4, %xmm6 ; holds the result of + ; the carry-less multiplication of + ; xmm0 by xmm1 + +; shift the result by one bit position to the left cope for the fact +; that bits are reversed + movdqa %xmm3, %xmm7 + movdqa %xmm6, %xmm8 + pslld $1, %xmm3 + pslld $1, %xmm6 + psrld $31, %xmm7 + psrld $31, %xmm8 + movdqa %xmm7, %xmm9 + pslldq $4, %xmm8 + pslldq $4, %xmm7 + psrldq $12, %xmm9 + por %xmm7, %xmm3 + por %xmm8, %xmm6 + por %xmm9, %xmm6 + +; first phase of the reduction + movdqa %xmm3, %xmm7 + movdqa %xmm3, %xmm8 + movdqa %xmm3, %xmm9 + pslld $31, %xmm7 ; packed right shifting << 31 + pslld $30, %xmm8 ; packed right shifting shift << 30 + pslld $25, %xmm9 ; packed right shifting shift << 25 + pxor %xmm8, %xmm7 ; xor the shifted versions + pxor %xmm9, %xmm7 + + movdqa %xmm7, %xmm8 + pslldq $12, %xmm7 + psrldq $4, %xmm8 + pxor %xmm7, %xmm3 ; first phase of the reduction complete + movdqa %xmm3,%xmm2 ; second phase of the reduction + movdqa %xmm3,%xmm4 + movdqa %xmm3,%xmm5 + psrld $1, %xmm2 ; packed left shifting >> 1 + psrld $2, %xmm4 ; packed left shifting >> 2 + psrld $7, %xmm5 ; packed left shifting >> 7 + + pxor %xmm4, %xmm2 ; xor the shifted versions + pxor %xmm5, %xmm2 + pxor %xmm8, %xmm2 + pxor %xmm2, %xmm3 + pxor %xmm3, %xmm6 ; the result is in xmm6 + movdqu %xmm6, (%rdi) ; store the result + + ; restore xmm6 and xmm7 + + ret +gfmul ENDP + END diff --git a/wolfcrypt/src/aes_asm.s b/wolfcrypt/src/aes_asm.s index b50c7ff95..92d670416 100644 --- a/wolfcrypt/src/aes_asm.s +++ b/wolfcrypt/src/aes_asm.s @@ -20,12 +20,12 @@ */ +/* This file is in at&t asm syntax, see .asm for intel syntax */ + /* See Intel® Advanced Encryption Standard (AES) Instructions Set White Paper * by Intel Mobility Group, Israel Development Center, Israel Shay Gueron */ -/* This file is in at&t asm syntax, see .asm for intel syntax */ - /* AES_CBC_encrypt (const unsigned char *in, @@ -814,3 +814,87 @@ pxor %xmm4, %xmm3 pxor %xmm2, %xmm3 ret + +#ifdef HAVE_AESGCM + +/* See Intel® Carry-Less Multiplication Instruction + * and its Usage for Computing the GCM Mode White Paper + * by Shay Gueron, Intel Mobility Group, Israel Development Center; + * and Michael E. Kounavis, Intel Labs, Circuits and Systems Research + * + * This is for use with the C code. + */ + +/* Figure 6. Code Sample - Performing Ghash Using Algorithms 1 and 5 */ + +/* + * void gfmul(__m128i a, __m128i b, __m128i* out); + */ +.globl gfmul +gfmul: + #xmm0 holds operand a (128 bits) + #xmm1 holds operand b (128 bits) + #rdi holds the pointer to output (128 bits) + movdqa %xmm0, %xmm3 + pclmulqdq $0, %xmm1, %xmm3 # xmm3 holds a0*b0 + movdqa %xmm0, %xmm4 + pclmulqdq $16, %xmm1, %xmm4 # xmm4 holds a0*b1 + movdqa %xmm0, %xmm5 + pclmulqdq $1, %xmm1, %xmm5 # xmm5 holds a1*b0 + movdqa %xmm0, %xmm6 + pclmulqdq $17, %xmm1, %xmm6 # xmm6 holds a1*b1 + pxor %xmm5, %xmm4 # xmm4 holds a0*b1 + a1*b0 + movdqa %xmm4, %xmm5 + psrldq $8, %xmm4 + pslldq $8, %xmm5 + pxor %xmm5, %xmm3 + pxor %xmm4, %xmm6 # holds the result of + # the carry-less multiplication of + # xmm0 by xmm1 + +# shift the result by one bit position to the left cope for the fact +# that bits are reversed + movdqa %xmm3, %xmm7 + movdqa %xmm6, %xmm8 + pslld $1, %xmm3 + pslld $1, %xmm6 + psrld $31, %xmm7 + psrld $31, %xmm8 + movdqa %xmm7, %xmm9 + pslldq $4, %xmm8 + pslldq $4, %xmm7 + psrldq $12, %xmm9 + por %xmm7, %xmm3 + por %xmm8, %xmm6 + por %xmm9, %xmm6 + +# first phase of the reduction + movdqa %xmm3, %xmm7 + movdqa %xmm3, %xmm8 + movdqa %xmm3, %xmm9 + pslld $31, %xmm7 # packed right shifting << 31 + pslld $30, %xmm8 # packed right shifting shift << 30 + pslld $25, %xmm9 # packed right shifting shift << 25 + pxor %xmm8, %xmm7 # xor the shifted versions + pxor %xmm9, %xmm7 + + movdqa %xmm7, %xmm8 + pslldq $12, %xmm7 + psrldq $4, %xmm8 + pxor %xmm7, %xmm3 # first phase of the reduction complete + movdqa %xmm3,%xmm2 # second phase of the reduction + movdqa %xmm3,%xmm4 + movdqa %xmm3,%xmm5 + psrld $1, %xmm2 # packed left shifting >> 1 + psrld $2, %xmm4 # packed left shifting >> 2 + psrld $7, %xmm5 # packed left shifting >> 7 + + pxor %xmm4, %xmm2 # xor the shifted versions + pxor %xmm5, %xmm2 + pxor %xmm8, %xmm2 + pxor %xmm2, %xmm3 + pxor %xmm3, %xmm6 # the result is in xmm6 + movdqu %xmm6, (%rdi) # store the result + ret + +#endif /* HAVE_AESGCM */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index f804e6d9f..fbdc43a63 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -390,7 +390,7 @@ int wolfcrypt_test(void* args) #ifdef HAVE_AESGCM if ( (ret = gmac_test()) != 0) - return err_sys("GMAC test passed!\n", ret); + return err_sys("GMAC test failed!\n", ret); else printf( "GMAC test passed!\n"); #endif diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index 480412a21..f850c3ca8 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -46,6 +46,8 @@ #ifdef WOLFSSL_AESNI #include +#include +#include #if !defined (ALIGN16) #if defined (__GNUC__) From 28dcef2d71d453fbbc012861d58610dadb2ce55a Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 2 Nov 2015 09:39:34 -0800 Subject: [PATCH 018/177] gcm benchmark results format alignment --- wolfcrypt/benchmark/benchmark.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 3f709522c..436c4cf7f 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -483,11 +483,12 @@ void bench_aesgcm(void) persec = persec / 1024; #endif - printf("AES-GCM Encrypt %d %s took %5.3f seconds, %8.3f MB/s", numBlocks, + printf("AES-GCM %d %s took %5.3f seconds, %8.3f MB/s", numBlocks, blockType, total, persec); SHOW_INTEL_CYCLES printf("\n"); +#if 0 start = current_time(1); BEGIN_INTEL_CYCLES @@ -508,6 +509,7 @@ void bench_aesgcm(void) blockType, total, persec); SHOW_INTEL_CYCLES printf("\n"); +#endif } #endif From 21d70636dc977622e7c402f5089e7f6e6d4f799f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 2 Nov 2015 15:51:01 -0300 Subject: [PATCH 019/177] Merge branch csr into 'master' --- .gitignore | 10 +- configure.ac | 213 +++++++++-------- examples/client/client.c | 29 ++- examples/server/server.c | 2 +- pull_to_vagrant.sh | 1 + src/internal.c | 193 +++++++++++++-- src/ocsp.c | 302 +++++++++++++---------- src/ssl.c | 56 ++++- src/tls.c | 492 +++++++++++++++++++++++++++++++------- wolfcrypt/src/asn.c | 214 +++++++++++------ wolfssl/error-ssl.h | 210 ++++++++-------- wolfssl/internal.h | 154 +++++++----- wolfssl/ocsp.h | 2 + wolfssl/ssl.h | 66 +++-- wolfssl/wolfcrypt/asn.h | 33 ++- wolfssl/wolfcrypt/types.h | 3 +- 16 files changed, 1343 insertions(+), 637 deletions(-) diff --git a/.gitignore b/.gitignore index d84c77d37..dd3e2058e 100644 --- a/.gitignore +++ b/.gitignore @@ -112,11 +112,11 @@ cov-int cyassl.tgz *.log *.trs -IDE\MDK-ARM\Projects/ -IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/inc -IDE\MDK-ARM\STM32F2xx_StdPeriph_Lib/src -IDE\MDK-ARM\LPC43xx\Drivers/ -IDE\MDK-ARM\LPC43xx\LPC43xx/ +IDE/MDK-ARM/Projects/ +IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/inc +IDE/MDK-ARM/STM32F2xx_StdPeriph_Lib/src +IDE/MDK-ARM/LPC43xx/Drivers/ +IDE/MDK-ARM/LPC43xx/LPC43xx/ *.gcno *.gcda *.gcov diff --git a/configure.ac b/configure.ac index d7fdca0e8..51178b114 100644 --- a/configure.ac +++ b/configure.ac @@ -1655,6 +1655,26 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC" fi +# Certificate Status Request : a.k.a. OCSP Stapling +AC_ARG_ENABLE([ocspstapling], + [AS_HELP_STRING([--enable-ocspstapling],[Enable Certificate Status Request - a.k.a. OCSP Stapling (default: disabled)])], + [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ], + [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] + ) + +if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST" + + # Requires OCSP make sure on + if test "x$ENABLED_OCSP" = "xno" + then + ENABLED_OCSP="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" + AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + fi +fi + # Renegotiation Indication - (FAKE Secure Renegotiation) AC_ARG_ENABLE([renegotiation-indication], [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])], @@ -2613,103 +2633,104 @@ done < $OPTION_FILE echo "---" echo "Configuration summary for $PACKAGE_NAME version $VERSION" echo "" -echo " * Installation prefix: $prefix" -echo " * System type: $host_vendor-$host_os" -echo " * Host CPU: $host_cpu" -echo " * C Compiler: $CC" -echo " * C Flags: $CFLAGS" -echo " * C++ Compiler: $CXX" -echo " * C++ Flags: $CXXFLAGS" -echo " * CPP Flags: $CPPFLAGS" -echo " * CCAS Flags: $CCASFLAGS" -echo " * LIB Flags: $LIB" -echo " * Debug enabled: $ax_enable_debug" -echo " * Warnings as failure: $ac_cv_warnings_as_errors" -echo " * make -j: $enable_jobserver" -echo " * VCS checkout: $ac_cv_vcs_checkout" +echo " * Installation prefix: $prefix" +echo " * System type: $host_vendor-$host_os" +echo " * Host CPU: $host_cpu" +echo " * C Compiler: $CC" +echo " * C Flags: $CFLAGS" +echo " * C++ Compiler: $CXX" +echo " * C++ Flags: $CXXFLAGS" +echo " * CPP Flags: $CPPFLAGS" +echo " * CCAS Flags: $CCASFLAGS" +echo " * LIB Flags: $LIB" +echo " * Debug enabled: $ax_enable_debug" +echo " * Warnings as failure: $ac_cv_warnings_as_errors" +echo " * make -j: $enable_jobserver" +echo " * VCS checkout: $ac_cv_vcs_checkout" echo echo " Features " -echo " * Single threaded: $ENABLED_SINGLETHREADED" -echo " * Filesystem: $ENABLED_FILESYSTEM" -echo " * OpenSSH Build: $ENABLED_OPENSSH" -echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" -echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" -echo " * fastmath: $ENABLED_FASTMATH" -echo " * sniffer: $ENABLED_SNIFFER" -echo " * snifftest: $ENABLED_SNIFFTEST" -echo " * ARC4: $ENABLED_ARC4" -echo " * AES: $ENABLED_AES" -echo " * AES-NI: $ENABLED_AESNI" -echo " * AES-GCM: $ENABLED_AESGCM" -echo " * AES-CCM: $ENABLED_AESCCM" -echo " * DES3: $ENABLED_DES3" -echo " * IDEA: $ENABLED_IDEA" -echo " * Camellia: $ENABLED_CAMELLIA" -echo " * NULL Cipher: $ENABLED_NULL_CIPHER" -echo " * MD5: $ENABLED_MD5" -echo " * RIPEMD: $ENABLED_RIPEMD" -echo " * SHA: $ENABLED_SHA" -echo " * SHA-512: $ENABLED_SHA512" -echo " * BLAKE2: $ENABLED_BLAKE2" -echo " * keygen: $ENABLED_KEYGEN" -echo " * certgen: $ENABLED_CERTGEN" -echo " * certreq: $ENABLED_CERTREQ" -echo " * certext: $ENABLED_CERTEXT" -echo " * HC-128: $ENABLED_HC128" -echo " * RABBIT: $ENABLED_RABBIT" -echo " * CHACHA: $ENABLED_CHACHA" -echo " * Hash DRBG: $ENABLED_HASHDRBG" -echo " * PWDBASED: $ENABLED_PWDBASED" -echo " * wolfCrypt Only: $ENABLED_CRYPTONLY" -echo " * HKDF: $ENABLED_HKDF" -echo " * MD4: $ENABLED_MD4" -echo " * PSK: $ENABLED_PSK" -echo " * Poly1305: $ENABLED_POLY1305" -echo " * LEANPSK: $ENABLED_LEANPSK" -echo " * RSA: $ENABLED_RSA" -echo " * DSA: $ENABLED_DSA" -echo " * DH: $ENABLED_DH" -echo " * ECC: $ENABLED_ECC" -echo " * CURVE25519: $ENABLED_CURVE25519" -echo " * ED25519: $ENABLED_ED25519" -echo " * FPECC: $ENABLED_FPECC" -echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT" -echo " * ASN: $ENABLED_ASN" -echo " * Anonymous cipher: $ENABLED_ANON" -echo " * CODING: $ENABLED_CODING" -echo " * MEMORY: $ENABLED_MEMORY" -echo " * I/O POOL: $ENABLED_IOPOOL" -echo " * LIGHTY: $ENABLED_LIGHTY" -echo " * STUNNEL: $ENABLED_STUNNEL" -echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" -echo " * DTLS: $ENABLED_DTLS" -echo " * Old TLS Versions: $ENABLED_OLD_TLS" -echo " * SSL version 3.0: $ENABLED_SSLV3" -echo " * OCSP: $ENABLED_OCSP" -echo " * CRL: $ENABLED_CRL" -echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" -echo " * Persistent session cache: $ENABLED_SAVESESSION" -echo " * Persistent cert cache: $ENABLED_SAVECERT" -echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" -echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" -echo " * NTRU: $ENABLED_NTRU" -echo " * SNI: $ENABLED_SNI" -echo " * ALPN: $ENABLED_ALPN" -echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" -echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" -echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" -echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" -echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" -echo " * Session Ticket: $ENABLED_SESSION_TICKET" -echo " * All TLS Extensions: $ENABLED_TLSX" -echo " * PKCS#7 $ENABLED_PKCS7" -echo " * wolfSCEP $ENABLED_WOLFSCEP" -echo " * Secure Remote Password $ENABLED_SRP" -echo " * Small Stack: $ENABLED_SMALL_STACK" -echo " * valgrind unit tests: $ENABLED_VALGRIND" -echo " * LIBZ: $ENABLED_LIBZ" -echo " * Examples: $ENABLED_EXAMPLES" -echo " * User Crypto: $ENABLED_USER_CRYPTO" -echo " * Fast RSA: $ENABLED_FAST_RSA" +echo " * Single threaded: $ENABLED_SINGLETHREADED" +echo " * Filesystem: $ENABLED_FILESYSTEM" +echo " * OpenSSH Build: $ENABLED_OPENSSH" +echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA" +echo " * Max Strength Build: $ENABLED_MAXSTRENGTH" +echo " * fastmath: $ENABLED_FASTMATH" +echo " * sniffer: $ENABLED_SNIFFER" +echo " * snifftest: $ENABLED_SNIFFTEST" +echo " * ARC4: $ENABLED_ARC4" +echo " * AES: $ENABLED_AES" +echo " * AES-NI: $ENABLED_AESNI" +echo " * AES-GCM: $ENABLED_AESGCM" +echo " * AES-CCM: $ENABLED_AESCCM" +echo " * DES3: $ENABLED_DES3" +echo " * IDEA: $ENABLED_IDEA" +echo " * Camellia: $ENABLED_CAMELLIA" +echo " * NULL Cipher: $ENABLED_NULL_CIPHER" +echo " * MD5: $ENABLED_MD5" +echo " * RIPEMD: $ENABLED_RIPEMD" +echo " * SHA: $ENABLED_SHA" +echo " * SHA-512: $ENABLED_SHA512" +echo " * BLAKE2: $ENABLED_BLAKE2" +echo " * keygen: $ENABLED_KEYGEN" +echo " * certgen: $ENABLED_CERTGEN" +echo " * certreq: $ENABLED_CERTREQ" +echo " * certext: $ENABLED_CERTEXT" +echo " * HC-128: $ENABLED_HC128" +echo " * RABBIT: $ENABLED_RABBIT" +echo " * CHACHA: $ENABLED_CHACHA" +echo " * Hash DRBG: $ENABLED_HASHDRBG" +echo " * PWDBASED: $ENABLED_PWDBASED" +echo " * wolfCrypt Only: $ENABLED_CRYPTONLY" +echo " * HKDF: $ENABLED_HKDF" +echo " * MD4: $ENABLED_MD4" +echo " * PSK: $ENABLED_PSK" +echo " * Poly1305: $ENABLED_POLY1305" +echo " * LEANPSK: $ENABLED_LEANPSK" +echo " * RSA: $ENABLED_RSA" +echo " * DSA: $ENABLED_DSA" +echo " * DH: $ENABLED_DH" +echo " * ECC: $ENABLED_ECC" +echo " * CURVE25519: $ENABLED_CURVE25519" +echo " * ED25519: $ENABLED_ED25519" +echo " * FPECC: $ENABLED_FPECC" +echo " * ECC_ENCRYPT: $ENABLED_ECC_ENCRYPT" +echo " * ASN: $ENABLED_ASN" +echo " * Anonymous cipher: $ENABLED_ANON" +echo " * CODING: $ENABLED_CODING" +echo " * MEMORY: $ENABLED_MEMORY" +echo " * I/O POOL: $ENABLED_IOPOOL" +echo " * LIGHTY: $ENABLED_LIGHTY" +echo " * STUNNEL: $ENABLED_STUNNEL" +echo " * ERROR_STRINGS: $ENABLED_ERROR_STRINGS" +echo " * DTLS: $ENABLED_DTLS" +echo " * Old TLS Versions: $ENABLED_OLD_TLS" +echo " * SSL version 3.0: $ENABLED_SSLV3" +echo " * OCSP: $ENABLED_OCSP" +echo " * CRL: $ENABLED_CRL" +echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" +echo " * Persistent session cache: $ENABLED_SAVESESSION" +echo " * Persistent cert cache: $ENABLED_SAVECERT" +echo " * Atomic User Record Layer: $ENABLED_ATOMICUSER" +echo " * Public Key Callbacks: $ENABLED_PKCALLBACKS" +echo " * NTRU: $ENABLED_NTRU" +echo " * Server Name Indication: $ENABLED_SNI" +echo " * ALPN: $ENABLED_ALPN" +echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" +echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" +echo " * Certificate Status Request: $ENABLED_CERTIFICATE_STATUS_REQUEST" +echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" +echo " * Session Ticket: $ENABLED_SESSION_TICKET" +echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" +echo " * Secure Renegotiation: $ENABLED_SECURE_RENEGOTIATION" +echo " * All TLS Extensions: $ENABLED_TLSX" +echo " * PKCS#7 $ENABLED_PKCS7" +echo " * wolfSCEP $ENABLED_WOLFSCEP" +echo " * Secure Remote Password $ENABLED_SRP" +echo " * Small Stack: $ENABLED_SMALL_STACK" +echo " * valgrind unit tests: $ENABLED_VALGRIND" +echo " * LIBZ: $ENABLED_LIBZ" +echo " * Examples: $ENABLED_EXAMPLES" +echo " * User Crypto: $ENABLED_USER_CRYPTO" +echo " * Fast RSA: $ENABLED_FAST_RSA" echo "" echo "---" diff --git a/examples/client/client.c b/examples/client/client.c index c27619c4c..479b4d2d3 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -310,7 +310,7 @@ static void Usage(void) #endif printf("-b Benchmark connections and print stats\n"); #ifdef HAVE_ALPN - printf("-L Application-Layer Protocole Name ({C,F}:)\n"); + printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n"); #endif printf("-B Benchmark throughput using bytes and print stats\n"); printf("-s Use pre Shared keys\n"); @@ -348,6 +348,9 @@ static void Usage(void) printf("-o Perform OCSP lookup on peer certificate\n"); printf("-O Perform OCSP lookup using as responder\n"); #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + printf("-W Use OCSP Stapling\n"); +#endif #ifdef ATOMIC_USER printf("-U Atomic User Record Layer Callbacks\n"); #endif @@ -425,7 +428,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) byte maxFragment = 0; #endif #ifdef HAVE_TRUNCATED_HMAC - byte truncatedHMAC = 0; + byte truncatedHMAC = 0; +#endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + byte statusRequest = 0; #endif @@ -466,8 +472,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:")) - != -1) { + "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) { switch (ch) { case '?' : Usage(); @@ -654,6 +659,12 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif break; + case 'W' : + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + statusRequest = 1; + #endif + break; + case 'o' : #ifdef HAVE_OCSP useOcsp = 1; @@ -976,6 +987,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_UseALPN(ssl, alpnList, (word32)XSTRLEN(alpnList), alpn_opt); } #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (statusRequest) { + if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP, + WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); + + wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); + } +#endif tcp_connect(&sockfd, host, port, doDTLS, ssl); @@ -1317,4 +1337,3 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } #endif - diff --git a/examples/server/server.c b/examples/server/server.c index d432f2d35..d2e97e17b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -200,7 +200,7 @@ static void Usage(void) DEFAULT_MIN_DHKEY_BITS); #endif #ifdef HAVE_ALPN - printf("-L Application-Layer Protocole Name ({C,F}:)\n"); + printf("-L Application-Layer Protocol Negotiation ({C,F}:)\n"); #endif printf("-d Disable client cert check\n"); printf("-b Bind to any interface instead of localhost only\n"); diff --git a/pull_to_vagrant.sh b/pull_to_vagrant.sh index e2d245632..15d88d97d 100755 --- a/pull_to_vagrant.sh +++ b/pull_to_vagrant.sh @@ -10,4 +10,5 @@ rsync -rvt /$SRC/.git ~/$DST/ rsync -rvt /$SRC/IDE ~/$DST/ rsync -rvt /$SRC/mcapi ~/$DST/ rsync -rvt /$SRC/mplabx ~/$DST/ +rsync -rvt /$SRC/certs ~/$DST/ rsync -rvt /$SRC/configure.ac ~/$DST/ diff --git a/src/internal.c b/src/internal.c index c20a92f33..1c6a4c6e4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4365,7 +4365,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (ret == 0) { int doCrlLookup = 1; - (void)doCrlLookup; #ifdef HAVE_OCSP if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); @@ -4388,6 +4387,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, WOLFSSL_MSG("\tCRL check not ok"); } } +#else + (void)doCrlLookup; #endif /* HAVE_CRL */ } #endif /* HAVE_OCSP || HAVE_CRL */ @@ -4454,12 +4455,22 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (fatal == 0) { - int doCrlLookup = 1; - (void)doCrlLookup; + int doLookup = 1; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->options.side == WOLFSSL_CLIENT_END) { + if (ssl->status_request) { + fatal = TLSX_CSR_InitRequest(ssl->extensions, dCert); + doLookup = 0; + } + } +#endif + #ifdef HAVE_OCSP - if (ssl->ctx->cm->ocspEnabled) { + if (doLookup && ssl->ctx->cm->ocspEnabled) { + WOLFSSL_MSG("Doing Leaf OCSP check"); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); - doCrlLookup = (ret == OCSP_CERT_UNKNOWN); + doLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); fatal = 0; @@ -4468,7 +4479,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* HAVE_OCSP */ #ifdef HAVE_CRL - if (doCrlLookup && ssl->ctx->cm->crlEnabled) { + if (doLookup && ssl->ctx->cm->crlEnabled) { WOLFSSL_MSG("Doing Leaf CRL check"); ret = CheckCertCRL(ssl->ctx->cm->crl, dCert); if (ret != 0) { @@ -4477,11 +4488,12 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, } } #endif /* HAVE_CRL */ + (void)doLookup; } #endif /* HAVE_OCSP || HAVE_CRL */ #ifdef KEEP_PEER_CERT - { + if (fatal == 0) { /* set X509 format for peer cert even if fatal */ int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert); if (copyRet == MEMORY_E) @@ -4783,6 +4795,95 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, return ret; } + +static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, + word32 size) +{ + int ret = 0; + byte status_type; + word32 status_length; + + if (size < ENUM_LEN + OPAQUE24_LEN) + return BUFFER_ERROR; + + status_type = input[(*inOutIdx)++]; + + c24to32(input + *inOutIdx, &status_length); + *inOutIdx += OPAQUE24_LEN; + + if (size != ENUM_LEN + OPAQUE24_LEN + status_length) + return BUFFER_ERROR; + + switch (status_type) { + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + + case WOLFSSL_CSR_OCSP: { + OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions); + + #ifdef WOLFSSL_SMALL_STACK + CertStatus* status; + OcspResponse* response; + #else + CertStatus status[1]; + OcspResponse response[1]; + #endif + + do { + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->status_request) { + ssl->status_request = 0; + break; + } + #endif + return BUFFER_ERROR; + } while(0); + + #ifdef WOLFSSL_SMALL_STACK + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (status == NULL || response == NULL) { + if (status) XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response) XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return MEMORY_ERROR; + } + #endif + + InitOcspResponse(response, status, input +*inOutIdx, status_length); + + if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) { + if (response->responseStatus != OCSP_SUCCESSFUL) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (CompareOcspReqResp(request, response) != 0) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (response->status->status != CERT_GOOD) + ret = BAD_CERTIFICATE_STATUS_ERROR; + } + + *inOutIdx += status_length; + + #ifdef WOLFSSL_SMALL_STACK + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + } + break; + #endif + + default: + ret = BUFFER_ERROR; + } + + if (ret != 0) + SendAlert(ssl, alert_fatal, bad_certificate_status_response); + + return ret; +} + #endif /* !NO_CERTS */ @@ -4978,6 +5079,26 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) #endif break; +#ifndef NO_WOLFSSL_CLIENT + case certificate_status: + if (ssl->msgsReceived.got_certificate_status) { + WOLFSSL_MSG("Duplicate CertificateSatatus received"); + return DUPLICATE_MSG_E; + } + ssl->msgsReceived.got_certificate_status = 1; + + if (ssl->msgsReceived.got_certificate == 0) { + WOLFSSL_MSG("No Certificate before CertificateStatus"); + return OUT_OF_ORDER_E; + } + if (ssl->msgsReceived.got_server_key_exchange != 0) { + WOLFSSL_MSG("CertificateStatus after ServerKeyExchange"); + return OUT_OF_ORDER_E; + } + + break; +#endif + #ifndef NO_WOLFSSL_CLIENT case server_key_exchange: if (ssl->msgsReceived.got_server_key_exchange) { @@ -4986,10 +5107,21 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) } ssl->msgsReceived.got_server_key_exchange = 1; - if ( ssl->msgsReceived.got_server_hello == 0) { - WOLFSSL_MSG("No ServerHello before Cert"); + if (ssl->msgsReceived.got_server_hello == 0) { + WOLFSSL_MSG("No ServerHello before ServerKeyExchange"); return OUT_OF_ORDER_E; } + if (ssl->msgsReceived.got_certificate_status == 0) { +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->status_request) { + int ret; + + WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); + if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) + return ret; + } +#endif + } break; #endif @@ -5231,7 +5363,12 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifndef NO_CERTS case certificate: WOLFSSL_MSG("processing certificate"); - ret = DoCertificate(ssl, input, inOutIdx, size); + ret = DoCertificate(ssl, input, inOutIdx, size); + break; + + case certificate_status: + WOLFSSL_MSG("processing certificate status"); + ret = DoCertificateStatus(ssl, input, inOutIdx, size); break; #endif @@ -8604,11 +8741,17 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case RSA_SIGN_FAULT: return "RSA Signature Fault Error"; + case HANDSHAKE_SIZE_ERROR: + return "Handshake message too large Error"; + case UNKNOWN_ALPN_PROTOCOL_NAME_E: return "Unrecognized protocol name Error"; - case HANDSHAKE_SIZE_ERROR: - return "Handshake message too large Error"; + case BAD_CERTIFICATE_STATUS_ERROR: + return "Bad Certificate Status Message Error"; + + case OCSP_INVALID_STATUS: + return "Invalid OCSP Status Error"; default : return "unknown error number"; @@ -10371,7 +10514,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -11076,7 +11219,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, size, 0)) < 0) @@ -11912,7 +12055,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) return MEMORY_E; /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -12672,7 +12815,7 @@ int DoSessionTicket(WOLFSSL* ssl, return MEMORY_E; /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -12821,7 +12964,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -13462,7 +13605,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -14004,7 +14147,7 @@ int DoSessionTicket(WOLFSSL* ssl, QSH_KeyExchangeWrite(ssl, 1); /* extension type */ - c16toa(WOLFSSL_QSH, output + idx); + c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); idx += OPAQUE16_LEN; /* write to output and check amount written */ @@ -15382,7 +15525,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input @@ -15460,7 +15603,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15522,7 +15665,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15610,7 +15753,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15665,7 +15808,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, @@ -15760,7 +15903,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(input + *inOutIdx, &name); *inOutIdx += OPAQUE16_LEN; - if (name == WOLFSSL_QSH) { + if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, diff --git a/src/ocsp.c b/src/ocsp.c index 2b355d988..567a67de8 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -34,59 +34,68 @@ #include #include +#ifdef NO_INLINE + #include +#else + #include +#endif + int InitOCSP(WOLFSSL_OCSP* ocsp, WOLFSSL_CERT_MANAGER* cm) { WOLFSSL_ENTER("InitOCSP"); - XMEMSET(ocsp, 0, sizeof(*ocsp)); - ocsp->cm = cm; + + ForceZero(ocsp, sizeof(WOLFSSL_OCSP)); + if (InitMutex(&ocsp->ocspLock) != 0) return BAD_MUTEX_E; - return 0; -} - - -static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert) -{ - WOLFSSL_ENTER("InitOCSP_Entry"); - - XMEMSET(ocspe, 0, sizeof(*ocspe)); - XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE); - XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE); + ocsp->cm = cm; return 0; } -static void FreeOCSP_Entry(OCSP_Entry* ocspe) +static int InitOcspEntry(OcspEntry* entry, OcspRequest* request) { - CertStatus* tmp = ocspe->status; + WOLFSSL_ENTER("InitOcspEntry"); - WOLFSSL_ENTER("FreeOCSP_Entry"); + ForceZero(entry, sizeof(OcspEntry)); - while (tmp) { - CertStatus* next = tmp->next; - XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_STATUS); - tmp = next; + XMEMCPY(entry->issuerHash, request->issuerHash, OCSP_DIGEST_SIZE); + XMEMCPY(entry->issuerKeyHash, request->issuerKeyHash, OCSP_DIGEST_SIZE); + + return 0; +} + + +static void FreeOcspEntry(OcspEntry* entry) +{ + CertStatus *status, *next; + + WOLFSSL_ENTER("FreeOcspEntry"); + + for (status = entry->status; status; status = next) { + next = status->next; + XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); } } void FreeOCSP(WOLFSSL_OCSP* ocsp, int dynamic) { - OCSP_Entry* tmp = ocsp->ocspList; + OcspEntry *entry, *next; WOLFSSL_ENTER("FreeOCSP"); - while (tmp) { - OCSP_Entry* next = tmp->next; - FreeOCSP_Entry(tmp); - XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY); - tmp = next; + for (entry = ocsp->ocspList; entry; entry = next) { + next = entry->next; + FreeOcspEntry(entry); + XFREE(entry, NULL, DYNAMIC_TYPE_OCSP_ENTRY); } FreeMutex(&ocsp->ocspLock); + if (dynamic) XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP); } @@ -107,84 +116,135 @@ static int xstat2err(int stat) int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) { - byte* ocspReqBuf = NULL; - int ocspReqSz = 2048; - byte* ocspRespBuf = NULL; - int result = -1; - OCSP_Entry* ocspe; - CertStatus* certStatus = NULL; - const char *url; - int urlSz; + int ret = OCSP_LOOKUP_FAIL; + #ifdef WOLFSSL_SMALL_STACK - CertStatus* newStatus; OcspRequest* ocspRequest; - OcspResponse* ocspResponse; #else - CertStatus newStatus[1]; OcspRequest ocspRequest[1]; - OcspResponse ocspResponse[1]; #endif WOLFSSL_ENTER("CheckCertOCSP"); + +#ifdef WOLFSSL_SMALL_STACK + ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (ocspRequest == NULL) { + WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); + return MEMORY_E; + } +#endif + + if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) { + ret = CheckOcspRequest(ocsp, ocspRequest); + + FreeOcspRequest(ocspRequest); + } + +#ifdef WOLFSSL_SMALL_STACK + XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + + WOLFSSL_LEAVE("CheckCertOCSP", ret); + return ret; +} + +static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, + OcspEntry** entry) +{ + WOLFSSL_ENTER("GetOcspEntry"); + + *entry = NULL; + if (LockMutex(&ocsp->ocspLock) != 0) { WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); return BAD_MUTEX_E; } - ocspe = ocsp->ocspList; - while (ocspe) { - if (XMEMCMP(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0 - && XMEMCMP(ocspe->issuerKeyHash, cert->issuerKeyHash, - SHA_DIGEST_SIZE) == 0) + for (*entry = ocsp->ocspList; *entry; *entry = (*entry)->next) + if (XMEMCMP((*entry)->issuerHash, request->issuerHash, + OCSP_DIGEST_SIZE) == 0 + && XMEMCMP((*entry)->issuerKeyHash, request->issuerKeyHash, + OCSP_DIGEST_SIZE) == 0) break; - else - ocspe = ocspe->next; - } - if (ocspe == NULL) { - ocspe = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry), - NULL, DYNAMIC_TYPE_OCSP_ENTRY); - if (ocspe != NULL) { - InitOCSP_Entry(ocspe, cert); - ocspe->next = ocsp->ocspList; - ocsp->ocspList = ocspe; - } - else { - UnLockMutex(&ocsp->ocspLock); - WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); - return MEMORY_ERROR; - } - } - else { - certStatus = ocspe->status; - while (certStatus) { - if (certStatus->serialSz == cert->serialSz && - XMEMCMP(certStatus->serial, cert->serial, cert->serialSz) == 0) - break; - else - certStatus = certStatus->next; - } - } - - if (certStatus != NULL) { - if (!ValidateDate(certStatus->thisDate, - certStatus->thisDateFormat, BEFORE) || - (certStatus->nextDate[0] == 0) || - !ValidateDate(certStatus->nextDate, - certStatus->nextDateFormat, AFTER)) { - WOLFSSL_MSG("\tinvalid status date, looking up cert"); - } - else { - result = xstat2err(certStatus->status); - UnLockMutex(&ocsp->ocspLock); - WOLFSSL_LEAVE("CheckCertOCSP", result); - return result; + if (*entry == NULL) { + *entry = (OcspEntry*)XMALLOC(sizeof(OcspEntry), + NULL, DYNAMIC_TYPE_OCSP_ENTRY); + if (*entry) { + InitOcspEntry(*entry, request); + (*entry)->next = ocsp->ocspList; + ocsp->ocspList = *entry; } } UnLockMutex(&ocsp->ocspLock); + return *entry ? 0 : MEMORY_ERROR; +} + + +static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, + OcspEntry* entry, CertStatus** status) +{ + int ret = OCSP_INVALID_STATUS; + + WOLFSSL_ENTER("GetOcspStatus"); + + *status = NULL; + + if (LockMutex(&ocsp->ocspLock) != 0) { + WOLFSSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); + return BAD_MUTEX_E; + } + + for (*status = entry->status; *status; *status = (*status)->next) + if ((*status)->serialSz == request->serialSz + && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) + break; + + if (*status) { + if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) + && ((*status)->nextDate[0] != 0) + && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) + ret = xstat2err((*status)->status); + } + + UnLockMutex(&ocsp->ocspLock); + + return ret; +} + +int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) +{ + OcspEntry* entry = NULL; + CertStatus* status = NULL; + byte* request = NULL; + int requestSz = 2048; + byte* response = NULL; + const char* url; + int urlSz; + int ret = -1; + +#ifdef WOLFSSL_SMALL_STACK + CertStatus* newStatus; + OcspResponse* ocspResponse; +#else + CertStatus newStatus[1]; + OcspResponse ocspResponse[1]; +#endif + + WOLFSSL_ENTER("CheckOcspRequest"); + + ret = GetOcspEntry(ocsp, ocspRequest, &entry); + if (ret != 0) + return ret; + + ret = GetOcspStatus(ocsp, ocspRequest, entry, &status); + if (ret != OCSP_INVALID_STATUS) + return ret; + if (ocsp->cm->ocspUseOverrideURL) { url = ocsp->cm->ocspOverrideURL; if (url != NULL && url[0] != '\0') @@ -192,17 +252,17 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) else return OCSP_NEED_URL; } - else if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { - url = (const char *)cert->extAuthInfo; - urlSz = cert->extAuthInfoSz; + else if (ocspRequest->urlSz != 0 && ocspRequest->url != NULL) { + url = (const char *)ocspRequest->url; + urlSz = ocspRequest->urlSz; } else { /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ return 0; } - ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER); - if (ocspReqBuf == NULL) { + request = (byte*)XMALLOC(requestSz, NULL, DYNAMIC_TYPE_IN_BUFFER); + if (request == NULL) { WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_ERROR; } @@ -210,58 +270,53 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) #ifdef WOLFSSL_SMALL_STACK newStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_TMP_BUFFER); - ocspRequest = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, - DYNAMIC_TYPE_TMP_BUFFER); ocspResponse = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (newStatus == NULL || ocspRequest == NULL || ocspResponse == NULL) { + if (newStatus == NULL || ocspResponse == NULL) { if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (ocspRequest) XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(request, NULL, DYNAMIC_TYPE_TMP_BUFFER); WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_E; } #endif - InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce, - ocspReqBuf, ocspReqSz); - ocspReqSz = EncodeOcspRequest(ocspRequest); - - if (ocsp->cm->ocspIOCb) - result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, - ocspReqBuf, ocspReqSz, &ocspRespBuf); + requestSz = EncodeOcspRequest(ocspRequest, request, requestSz); - if (result >= 0 && ocspRespBuf) { + if (ocsp->cm->ocspIOCb) + ret = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, + request, requestSz, &response); + + if (ret >= 0 && response) { XMEMSET(newStatus, 0, sizeof(CertStatus)); - InitOcspResponse(ocspResponse, newStatus, ocspRespBuf, result); - OcspResponseDecode(ocspResponse); - + InitOcspResponse(ocspResponse, newStatus, response, ret); + OcspResponseDecode(ocspResponse, ocsp->cm); + if (ocspResponse->responseStatus != OCSP_SUCCESSFUL) - result = OCSP_LOOKUP_FAIL; + ret = OCSP_LOOKUP_FAIL; else { if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { - result = xstat2err(ocspResponse->status->status); + ret = xstat2err(ocspResponse->status->status); if (LockMutex(&ocsp->ocspLock) != 0) - result = BAD_MUTEX_E; + ret = BAD_MUTEX_E; else { - if (certStatus != NULL) + if (status != NULL) /* Replace existing certificate entry with updated */ - XMEMCPY(certStatus, newStatus, sizeof(CertStatus)); + XMEMCPY(status, newStatus, sizeof(CertStatus)); else { /* Save new certificate entry */ - certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_OCSP_STATUS); - if (certStatus != NULL) { - XMEMCPY(certStatus, newStatus, sizeof(CertStatus)); - certStatus->next = ocspe->status; - ocspe->status = certStatus; - ocspe->totalStatus++; + if (status != NULL) { + XMEMCPY(status, newStatus, sizeof(CertStatus)); + status->next = entry->status; + entry->status = status; + entry->totalStatus++; } } @@ -269,25 +324,22 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) } } else - result = OCSP_LOOKUP_FAIL; + ret = OCSP_LOOKUP_FAIL; } } else - result = OCSP_LOOKUP_FAIL; - - XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); + ret = OCSP_LOOKUP_FAIL; #ifdef WOLFSSL_SMALL_STACK XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(ocspRequest, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb) - ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf); + if (response != NULL && ocsp->cm->ocspRespFreeCb) + ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, response); - WOLFSSL_LEAVE("CheckCertOCSP", result); - return result; + WOLFSSL_LEAVE("CheckOcspRequest", ret); + return ret; } diff --git a/src/ssl.c b/src/ssl.c index 575e9a8a7..e8431550b 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -690,8 +690,9 @@ int wolfSSL_UseSNI(WOLFSSL* ssl, byte type, const void* data, word16 size) return TLSX_UseSNI(&ssl->extensions, type, data, size); } -int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, - const void* data, word16 size) + +int wolfSSL_CTX_UseSNI(WOLFSSL_CTX* ctx, byte type, const void* data, + word16 size) { if (ctx == NULL) return BAD_FUNC_ARG; @@ -707,17 +708,20 @@ void wolfSSL_SNI_SetOptions(WOLFSSL* ssl, byte type, byte options) TLSX_SNI_SetOptions(ssl->extensions, type, options); } + void wolfSSL_CTX_SNI_SetOptions(WOLFSSL_CTX* ctx, byte type, byte options) { if (ctx && ctx->extensions) TLSX_SNI_SetOptions(ctx->extensions, type, options); } + byte wolfSSL_SNI_Status(WOLFSSL* ssl, byte type) { return TLSX_SNI_Status(ssl ? ssl->extensions : NULL, type); } + word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) { if (data) @@ -729,6 +733,7 @@ word16 wolfSSL_SNI_GetRequest(WOLFSSL* ssl, byte type, void** data) return 0; } + int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, byte type, byte* sni, word32* inOutSz) { @@ -745,6 +750,7 @@ int wolfSSL_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #ifdef HAVE_MAX_FRAGMENT #ifndef NO_WOLFSSL_CLIENT + int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) { if (ssl == NULL) @@ -753,6 +759,7 @@ int wolfSSL_UseMaxFragment(WOLFSSL* ssl, byte mfl) return TLSX_UseMaxFragment(&ssl->extensions, mfl); } + int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) { if (ctx == NULL) @@ -760,11 +767,13 @@ int wolfSSL_CTX_UseMaxFragment(WOLFSSL_CTX* ctx, byte mfl) return TLSX_UseMaxFragment(&ctx->extensions, mfl); } + #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_MAX_FRAGMENT */ #ifdef HAVE_TRUNCATED_HMAC #ifndef NO_WOLFSSL_CLIENT + int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) { if (ssl == NULL) @@ -773,6 +782,7 @@ int wolfSSL_UseTruncatedHMAC(WOLFSSL* ssl) return TLSX_UseTruncatedHMAC(&ssl->extensions); } + int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) { if (ctx == NULL) @@ -780,9 +790,35 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) return TLSX_UseTruncatedHMAC(&ctx->extensions); } + #endif /* NO_WOLFSSL_CLIENT */ #endif /* HAVE_TRUNCATED_HMAC */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type, + byte options) +{ + if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, + options); +} + + +int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, + byte options) +{ + if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequest(&ctx->extensions, status_type, + options); +} + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ + /* Elliptic Curves */ #ifdef HAVE_SUPPORTED_CURVES #ifndef NO_WOLFSSL_CLIENT @@ -808,6 +844,7 @@ int wolfSSL_UseSupportedCurve(WOLFSSL* ssl, word16 name) return TLSX_UseSupportedCurve(&ssl->extensions, name); } + int wolfSSL_CTX_UseSupportedCurve(WOLFSSL_CTX* ctx, word16 name) { if (ctx == NULL) @@ -885,7 +922,7 @@ int wolfSSL_UseSupportedQSH(WOLFSSL* ssl, word16 name) #endif /* HAVE_QSH */ -/* Application-Layer Procotol Name */ +/* Application-Layer Procotol Negotiation */ #ifdef HAVE_ALPN int wolfSSL_UseALPN(WOLFSSL* ssl, char *protocol_name_list, @@ -988,7 +1025,7 @@ int wolfSSL_UseSecureRenegotiation(WOLFSSL* ssl) ret = TLSX_UseSecureRenegotiation(&ssl->extensions); if (ret == SSL_SUCCESS) { - TLSX* extension = TLSX_Find(ssl->extensions, SECURE_RENEGOTIATION); + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_RENEGOTIATION_INFO); if (extension) ssl->secure_renegotiation = (SecureRenegotiation*)extension->data; @@ -2479,7 +2516,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - + if (ret == MP_OKAY) return SSL_SUCCESS; else if (ret == SSL_BAD_FILE) @@ -11853,7 +11890,7 @@ char *wolfSSL_BN_bn2dec(const WOLFSSL_BIGNUM *bn) XFREE(buf, NULL, DYNAMIC_TYPE_ECC); return NULL; } - + return buf; } #else @@ -14878,7 +14915,7 @@ int wolfSSL_EC_POINT_cmp(const WOLFSSL_EC_GROUP *group, int ret; (void)ctx; - + WOLFSSL_ENTER("wolfSSL_EC_POINT_cmp"); if (group == NULL || a == NULL || a->internal == NULL || b == NULL || @@ -15348,7 +15385,7 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc, WOLFSSL_MSG("ECC private key file write failed"); return SSL_FAILURE; } - + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); return SSL_SUCCESS; } @@ -15523,7 +15560,7 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, WOLFSSL_MSG("DSA private key file write failed"); return SSL_FAILURE; } - + XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); return SSL_SUCCESS; } @@ -17097,4 +17134,3 @@ void* wolfSSL_get_jobject(WOLFSSL* ssl) #endif /* WOLFSSL_JNI */ #endif /* WOLFCRYPT_ONLY */ - diff --git a/src/tls.c b/src/tls.c index 97dc09ef5..77e3694d3 100644 --- a/src/tls.c +++ b/src/tls.c @@ -755,7 +755,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type) { switch (type) { - case SECURE_RENEGOTIATION: /* 0xFF01 */ + case TLSX_RENEGOTIATION_INFO: /* 0xFF01 */ return 63; default: @@ -784,7 +784,7 @@ static INLINE word16 TLSX_ToSemaphore(word16 type) /** Creates a new extension. */ static TLSX* TLSX_New(TLSX_Type type, void* data) { - TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), 0, DYNAMIC_TYPE_TLSX); + TLSX* extension = (TLSX*)XMALLOC(sizeof(TLSX), NULL, DYNAMIC_TYPE_TLSX); if (extension) { extension->type = type; @@ -845,6 +845,9 @@ void TLSX_SetResponse(WOLFSSL* ssl, TLSX_Type type) #endif +/******************************************************************************/ +/* Application-Layer Protocol Negotiation */ +/******************************************************************************/ #ifdef HAVE_ALPN /** Creates a new ALPN object, providing protocol name to use. */ @@ -981,7 +984,7 @@ static int TLSX_SetALPN(TLSX** extensions, const void* data, word16 size) alpn->negociated = 1; - ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, (void*)alpn); if (ret != 0) { TLSX_ALPN_Free(alpn); return ret; @@ -1001,9 +1004,10 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, TLSX *extension; ALPN *alpn = NULL, *list; - extension = TLSX_Find(ssl->extensions, WOLFSSL_ALPN); + extension = TLSX_Find(ssl->extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) - extension = TLSX_Find(ssl->ctx->extensions, WOLFSSL_ALPN); + extension = TLSX_Find(ssl->ctx->extensions, + TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL || extension->data == NULL) { WOLFSSL_MSG("No ALPN extensions not used or bad"); @@ -1088,7 +1092,7 @@ static int TLSX_ALPN_ParseAndSet(WOLFSSL *ssl, byte *input, word16 length, /* reply to ALPN extension sent from client */ if (isRequest) { #ifndef NO_WOLFSSL_SERVER - TLSX_SetResponse(ssl, WOLFSSL_ALPN); + TLSX_SetResponse(ssl, TLSX_APPLICATION_LAYER_PROTOCOL); #endif } @@ -1114,9 +1118,10 @@ int TLSX_UseALPN(TLSX** extensions, const void* data, word16 size, byte options) /* Set Options of ALPN */ alpn->options = options; - extension = TLSX_Find(*extensions, WOLFSSL_ALPN); + extension = TLSX_Find(*extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) { - ret = TLSX_Push(extensions, WOLFSSL_ALPN, (void*)alpn); + ret = TLSX_Push(extensions, TLSX_APPLICATION_LAYER_PROTOCOL, + (void*)alpn); if (ret != 0) { TLSX_ALPN_Free(alpn); return ret; @@ -1140,7 +1145,7 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) if (extensions == NULL || data == NULL || dataSz == NULL) return BAD_FUNC_ARG; - extension = TLSX_Find(extensions, WOLFSSL_ALPN); + extension = TLSX_Find(extensions, TLSX_APPLICATION_LAYER_PROTOCOL); if (extension == NULL) { WOLFSSL_MSG("TLS extension not found"); return SSL_ALPN_NOT_FOUND; @@ -1192,13 +1197,16 @@ int TLSX_ALPN_GetRequest(TLSX* extensions, void** data, word16 *dataSz) #endif /* HAVE_ALPN */ -/* Server Name Indication */ +/******************************************************************************/ +/* Server Name Indication */ +/******************************************************************************/ + #ifdef HAVE_SNI /** Creates a new SNI object. */ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size) { - SNI* sni = (SNI*)XMALLOC(sizeof(SNI), 0, DYNAMIC_TYPE_TLSX); + SNI* sni = (SNI*)XMALLOC(sizeof(SNI), NULL, DYNAMIC_TYPE_TLSX); if (sni) { sni->type = type; @@ -1211,7 +1219,7 @@ static SNI* TLSX_SNI_New(byte type, const void* data, word16 size) switch (sni->type) { case WOLFSSL_SNI_HOST_NAME: - sni->data.host_name = XMALLOC(size + 1, 0, DYNAMIC_TYPE_TLSX); + sni->data.host_name = XMALLOC(size+1, NULL, DYNAMIC_TYPE_TLSX); if (sni->data.host_name) { XSTRNCPY(sni->data.host_name, (const char*)data, size); @@ -1325,7 +1333,7 @@ static SNI* TLSX_SNI_Find(SNI *list, byte type) /** Sets the status of a SNI object. */ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1335,7 +1343,7 @@ static void TLSX_SNI_SetStatus(TLSX* extensions, byte type, byte status) /** Gets the status of a SNI object. */ byte TLSX_SNI_Status(TLSX* extensions, byte type) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1356,10 +1364,10 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, int cacheOnly = 0; #endif - TLSX *extension = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); + TLSX *extension = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); if (!extension) - extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); + extension = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); (void)isRequest; (void)input; @@ -1438,7 +1446,7 @@ static int TLSX_SNI_Parse(WOLFSSL* ssl, byte* input, word16 length, TLSX_SNI_SetStatus(ssl->extensions, type, matchStat); if(!cacheOnly) - TLSX_SetResponse(ssl, SERVER_NAME_INDICATION); + TLSX_SetResponse(ssl, TLSX_SERVER_NAME); } else if (!(sni->options & WOLFSSL_SNI_CONTINUE_ON_MISMATCH)) { SendAlert(ssl, alert_fatal, unrecognized_name); @@ -1461,8 +1469,8 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) if (isRequest) { #ifndef NO_WOLFSSL_SERVER - TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); - TLSX* ssl_ext = TLSX_Find(ssl->extensions, SERVER_NAME_INDICATION); + TLSX* ctx_ext = TLSX_Find(ssl->ctx->extensions, TLSX_SERVER_NAME); + TLSX* ssl_ext = TLSX_Find(ssl->extensions, TLSX_SERVER_NAME); SNI* ctx_sni = ctx_ext ? ctx_ext->data : NULL; SNI* ssl_sni = ssl_ext ? ssl_ext->data : NULL; SNI* sni = NULL; @@ -1502,7 +1510,7 @@ static int TLSX_SNI_VerifyParse(WOLFSSL* ssl, byte isRequest) int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) { - TLSX* extension = TLSX_Find(*extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(*extensions, TLSX_SERVER_NAME); SNI* sni = NULL; if (extensions == NULL || data == NULL) @@ -1512,7 +1520,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) return MEMORY_E; if (!extension) { - int ret = TLSX_Push(extensions, SERVER_NAME_INDICATION, (void*)sni); + int ret = TLSX_Push(extensions, TLSX_SERVER_NAME, (void*)sni); if (ret != 0) { TLSX_SNI_Free(sni); return ret; @@ -1546,7 +1554,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size) /** Tells the SNI requested by the client. */ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni && sni->status != WOLFSSL_SNI_NO_MATCH) { @@ -1563,7 +1571,7 @@ word16 TLSX_SNI_GetRequest(TLSX* extensions, byte type, void** data) /** Sets the options for a SNI object. */ void TLSX_SNI_SetOptions(TLSX* extensions, byte type, byte options) { - TLSX* extension = TLSX_Find(extensions, SERVER_NAME_INDICATION); + TLSX* extension = TLSX_Find(extensions, TLSX_SERVER_NAME); SNI* sni = TLSX_SNI_Find(extension ? extension->data : NULL, type); if (sni) @@ -1681,7 +1689,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, if (helloSz < offset + extLen) return BUFFER_ERROR; - if (extType != SERVER_NAME_INDICATION) { + if (extType != TLSX_SERVER_NAME) { offset += extLen; /* skip extension */ } else { word16 listLen; @@ -1739,6 +1747,10 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, #endif /* HAVE_SNI */ +/******************************************************************************/ +/* Max Fragment Length Negotiation */ +/******************************************************************************/ + #ifdef HAVE_MAX_FRAGMENT static word16 TLSX_MFL_Write(byte* data, byte* output) @@ -1775,7 +1787,7 @@ static int TLSX_MFL_Parse(WOLFSSL* ssl, byte* input, word16 length, if (r != SSL_SUCCESS) return r; /* throw error */ - TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH); + TLSX_SetResponse(ssl, TLSX_MAX_FRAGMENT_LENGTH); } #endif @@ -1793,13 +1805,13 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) if (mfl < WOLFSSL_MFL_2_9 || WOLFSSL_MFL_2_13 < mfl) return BAD_FUNC_ARG; - if ((data = XMALLOC(ENUM_LEN, 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((data = XMALLOC(ENUM_LEN, NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; data[0] = mfl; /* push new MFL extension. */ - if ((ret = TLSX_Push(extensions, MAX_FRAGMENT_LENGTH, data)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_MAX_FRAGMENT_LENGTH, data)) != 0) { XFREE(data, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -1822,6 +1834,10 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl) #endif /* HAVE_MAX_FRAGMENT */ +/******************************************************************************/ +/* Truncated HMAC */ +/******************************************************************************/ + #ifdef HAVE_TRUNCATED_HMAC static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, @@ -1836,9 +1852,10 @@ static int TLSX_THM_Parse(WOLFSSL* ssl, byte* input, word16 length, if (isRequest) { int r = TLSX_UseTruncatedHMAC(&ssl->extensions); - if (r != SSL_SUCCESS) return r; /* throw error */ + if (r != SSL_SUCCESS) + return r; /* throw error */ - TLSX_SetResponse(ssl, TRUNCATED_HMAC); + TLSX_SetResponse(ssl, TLSX_TRUNCATED_HMAC); } #endif @@ -1854,7 +1871,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) if (extensions == NULL) return BAD_FUNC_ARG; - if ((ret = TLSX_Push(extensions, TRUNCATED_HMAC, NULL)) != 0) + if ((ret = TLSX_Push(extensions, TLSX_TRUNCATED_HMAC, NULL)) != 0) return ret; return SSL_SUCCESS; @@ -1868,6 +1885,269 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) #endif /* HAVE_TRUNCATED_HMAC */ +/******************************************************************************/ +/* Certificate Status Request */ +/******************************************************************************/ + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +#ifndef HAVE_OCSP +#error Status Request Extension requires OCSP. \ + Use --enable-ocsp in the configure script or define HAVE_OCSP. +#endif + +static void TLSX_CSR_Free(CertificateStatusRequest* csr) +{ + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + FreeOcspRequest(&csr->request.ocsp); + break; + } + + XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); +} + +static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) +{ + word16 size = 0; + + /* shut up compiler warnings */ + (void) csr; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + size += ENUM_LEN + 2 * OPAQUE16_LEN; + + if (csr->request.ocsp.nonceSz) + size += MAX_OCSP_EXT_SZ; + } + } +#endif + + return size; +} + +static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, + byte isRequest) +{ + /* shut up compiler warnings */ + (void) csr; (void) output; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + word16 offset = 0; + word16 length = 0; + + /* type */ + output[offset++] = csr->status_type; + + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + /* responder id list */ + c16toa(0, output + offset); + offset += OPAQUE16_LEN; + + /* request extensions */ + if (csr->request.ocsp.nonceSz) + length = EncodeOcspRequestExtensions( + &csr->request.ocsp, + output + offset + OPAQUE16_LEN, + MAX_OCSP_EXT_SZ); + + c16toa(length, output + offset); + offset += OPAQUE16_LEN + length; + + break; + } + + return offset; + } +#endif + + return 0; +} + +static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, + byte isRequest) +{ + int ret = 0; + + /* shut up compiler warnings */ + (void) ssl; (void) input; + + if (!isRequest) { +#ifndef NO_WOLFSSL_CLIENT + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (!csr) { + /* look at context level */ + + extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST); + csr = extension ? extension->data : NULL; + + if (!csr) + return BUFFER_ERROR; /* unexpected extension */ + + /* enable extension at ssl level */ + ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, + csr->status_type, csr->options); + if (ret != SSL_SUCCESS) + return ret; + + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + /* propagate nonce */ + if (csr->request.ocsp.nonceSz) { + OcspRequest* request = + TLSX_CSR_GetRequest(ssl->extensions); + + if (request) { + XMEMCPY(request->nonce, csr->request.ocsp.nonce, + csr->request.ocsp.nonceSz); + request->nonceSz = csr->request.ocsp.nonceSz; + } + } + break; + } + } + + ssl->status_request = 1; + + return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ +#endif + } + + return ret; +} + +int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + int ret = 0; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: { + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz = csr->request.ocsp.nonceSz; + + /* preserve nonce */ + XMEMCPY(nonce, csr->request.ocsp.nonce, nonceSz); + + if ((ret = InitOcspRequest(&csr->request.ocsp, cert, 0)) != 0) + return ret; + + /* restore nonce */ + XMEMCPY(csr->request.ocsp.nonce, nonce, nonceSz); + csr->request.ocsp.nonceSz = nonceSz; + } + break; + } + } + + return ret; +} + +void* TLSX_CSR_GetRequest(TLSX* extensions) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + return &csr->request.ocsp; + break; + } + } + + return NULL; +} + +int TLSX_CSR_ForceRequest(WOLFSSL* ssl) +{ + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST); + CertificateStatusRequest* csr = extension ? extension->data : NULL; + + if (csr) { + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + if (ssl->ctx->cm->ocspEnabled) + return CheckOcspRequest(ssl->ctx->cm->ocsp, + &csr->request.ocsp); + else + return OCSP_LOOKUP_FAIL; + } + } + + return 0; +} + +int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, + byte options) +{ + CertificateStatusRequest* csr = NULL; + int ret = 0; + + if (!extensions || status_type != WOLFSSL_CSR_OCSP) + return BAD_FUNC_ARG; + + csr = (CertificateStatusRequest*) + XMALLOC(sizeof(CertificateStatusRequest), NULL, DYNAMIC_TYPE_TLSX); + if (!csr) + return MEMORY_E; + + ForceZero(csr, sizeof(CertificateStatusRequest)); + + csr->status_type = status_type; + csr->options = options; + + switch (csr->status_type) { + case WOLFSSL_CSR_OCSP: + if (options & WOLFSSL_CSR_OCSP_USE_NONCE) { + WC_RNG rng; + + if (wc_InitRng(&rng) == 0) { + if (wc_RNG_GenerateBlock(&rng, csr->request.ocsp.nonce, + MAX_OCSP_NONCE_SZ) == 0) + csr->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ; + + wc_FreeRng(&rng); + } + } + break; + } + + if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST, csr)) != 0) { + XFREE(csr, NULL, DYNAMIC_TYPE_TLSX); + return ret; + } + + return SSL_SUCCESS; +} + +#define CSR_FREE_ALL TLSX_CSR_Free +#define CSR_GET_SIZE TLSX_CSR_GetSize +#define CSR_WRITE TLSX_CSR_Write +#define CSR_PARSE TLSX_CSR_Parse + +#else + +#define CSR_FREE_ALL(data) +#define CSR_GET_SIZE(a, b) 0 +#define CSR_WRITE(a, b, c) 0 +#define CSR_PARSE(a, b, c, d) 0 + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ + +/******************************************************************************/ +/* Supported Elliptic Curves */ +/******************************************************************************/ + #ifdef HAVE_SUPPORTED_CURVES #ifndef HAVE_ECC @@ -1887,12 +2167,14 @@ static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list) static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name) { - EllipticCurve* curve; + EllipticCurve* curve = NULL; if (list == NULL) return BAD_FUNC_ARG; - if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL) + curve = (EllipticCurve*)XMALLOC(sizeof(EllipticCurve), NULL, + DYNAMIC_TYPE_TLSX); + if (curve == NULL) return MEMORY_E; curve->name = name; @@ -1914,7 +2196,7 @@ static void TLSX_EllipticCurve_ValidateRequest(WOLFSSL* ssl, byte* semaphore) return; /* turns semaphore on to avoid sending this extension. */ - TURN_ON(semaphore, TLSX_ToSemaphore(ELLIPTIC_CURVES)); + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_SUPPORTED_GROUPS)); } static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list) @@ -1988,7 +2270,7 @@ static int TLSX_EllipticCurve_Parse(WOLFSSL* ssl, byte* input, word16 length, int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { TLSX* extension = (first == ECC_BYTE) - ? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES) + ? TLSX_Find(ssl->extensions, TLSX_SUPPORTED_GROUPS) : NULL; EllipticCurve* curve = NULL; word32 oid = 0; @@ -2097,7 +2379,7 @@ int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, byte second) { int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) { - TLSX* extension = TLSX_Find(*extensions, ELLIPTIC_CURVES); + TLSX* extension = TLSX_Find(*extensions, TLSX_SUPPORTED_GROUPS); EllipticCurve* curve = NULL; int ret = 0; @@ -2108,7 +2390,7 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) return ret; if (!extension) { - if ((ret = TLSX_Push(extensions, ELLIPTIC_CURVES, curve)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_SUPPORTED_GROUPS, curve)) != 0) { XFREE(curve, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -2161,6 +2443,10 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) #endif /* HAVE_SUPPORTED_CURVES */ +/******************************************************************************/ +/* Renegotiation Indication */ +/******************************************************************************/ + #ifdef HAVE_SECURE_RENEGOTIATION static byte TLSX_SecureRenegotiation_GetSize(SecureRenegotiation* data, @@ -2259,7 +2545,7 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions) XMEMSET(data, 0, sizeof(SecureRenegotiation)); - ret = TLSX_Push(extensions, SECURE_RENEGOTIATION, data); + ret = TLSX_Push(extensions, TLSX_RENEGOTIATION_INFO, data); if (ret != 0) { XFREE(data, 0, DYNAMIC_TYPE_TLSX); return ret; @@ -2283,11 +2569,15 @@ int TLSX_UseSecureRenegotiation(TLSX** extensions) #endif /* HAVE_SECURE_RENEGOTIATION */ +/******************************************************************************/ +/* Session Tickets */ +/******************************************************************************/ + #ifdef HAVE_SESSION_TICKET static void TLSX_SessionTicket_ValidateRequest(WOLFSSL* ssl) { - TLSX* extension = TLSX_Find(ssl->extensions, SESSION_TICKET); + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_SESSION_TICKET); SessionTicket* ticket = extension ? extension->data : NULL; if (ticket) { @@ -2345,7 +2635,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, ret = TLSX_UseSessionTicket(&ssl->extensions, NULL); if (ret == SSL_SUCCESS) { ret = 0; - TLSX_SetResponse(ssl, SESSION_TICKET); /* send blank ticket */ + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ ssl->options.createTicket = 1; /* will send ticket msg */ ssl->options.useTicket = 1; } @@ -2361,7 +2651,7 @@ static int TLSX_SessionTicket_Parse(WOLFSSL* ssl, byte* input, word16 length, ret = TLSX_UseSessionTicket(&ssl->extensions, NULL); if (ret == SSL_SUCCESS) { ret = 0; - TLSX_SetResponse(ssl, SESSION_TICKET); + TLSX_SetResponse(ssl, TLSX_SESSION_TICKET); /* send blank ticket */ ssl->options.createTicket = 1; /* will send ticket msg */ ssl->options.useTicket = 1; @@ -2416,7 +2706,7 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket) /* If the ticket is NULL, the client will request a new ticket from the server. Otherwise, the client will use it in the next client hello. */ - if ((ret = TLSX_Push(extensions, SESSION_TICKET, (void*)ticket)) != 0) + if ((ret = TLSX_Push(extensions, TLSX_SESSION_TICKET, (void*)ticket)) != 0) return ret; return SSL_SUCCESS; @@ -2436,6 +2726,9 @@ int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket) #endif /* HAVE_SESSION_TICKET */ +/******************************************************************************/ +/* Quantum-Safe-Hybrid */ +/******************************************************************************/ #ifdef HAVE_QSH static WC_RNG* rng; @@ -2459,7 +2752,7 @@ static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub, if (list == NULL) return BAD_FUNC_ARG; - if ((temp = XMALLOC(sizeof(QSHScheme), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = name; @@ -2499,7 +2792,7 @@ static void TLSX_QSH_ValidateRequest(WOLFSSL* ssl, byte* semaphore) return; /* No QSH suite found */ - TURN_ON(semaphore, TLSX_ToSemaphore(WOLFSSL_QSH)); + TURN_ON(semaphore, TLSX_ToSemaphore(TLSX_QUANTUM_SAFE_HYBRID)); } @@ -2610,7 +2903,7 @@ word16 TLSX_QSHPK_Write(QSHScheme* list, byte* output) static void TLSX_QSHAgreement(TLSX** extensions) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; QSHScheme* delete = NULL; QSHScheme* prev = NULL; @@ -2735,7 +3028,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, while ((offset_len < offset_pk) && numKeys) { QSHKey * temp; - if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; /* initialize */ @@ -2768,7 +3061,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, /* read in public key */ if (PKLen > 0) { temp->pub.buffer = (byte*)XMALLOC(temp->pub.length, - 0, DYNAMIC_TYPE_PUBLIC_KEY); + NULL, DYNAMIC_TYPE_PUBLIC_KEY); XMEMCPY(temp->pub.buffer, input + offset_len, temp->pub.length); offset_len += PKLen; } @@ -2797,7 +3090,7 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, /* reply to a QSH extension sent from client */ if (isRequest) { - TLSX_SetResponse(ssl, WOLFSSL_QSH); + TLSX_SetResponse(ssl, TLSX_QUANTUM_SAFE_HYBRID); /* only use schemes we have key generated for -- free the rest */ TLSX_QSHAgreement(&ssl->extensions); } @@ -2903,7 +3196,7 @@ int TLSX_QSHCipher_Parse(WOLFSSL* ssl, const byte* input, word16 length, /* return 1 on success */ int TLSX_ValidateQSHScheme(TLSX** extensions, word16 theirs) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; /* if no extension is sent then do not use QSH */ @@ -2947,7 +3240,7 @@ static int TLSX_HaveQSHScheme(word16 name) /* Add a QSHScheme struct to list of usable ones */ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) { - TLSX* extension = TLSX_Find(*extensions, WOLFSSL_QSH); + TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID); QSHScheme* format = NULL; int ret = 0; @@ -2961,7 +3254,8 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) return ret; if (!extension) { - if ((ret = TLSX_Push(extensions, WOLFSSL_QSH, format)) != 0) { + if ((ret = TLSX_Push(extensions, TLSX_QUANTUM_SAFE_HYBRID, format)) + != 0) { XFREE(format, 0, DYNAMIC_TYPE_TLSX); return ret; } @@ -3018,6 +3312,9 @@ int TLSX_UseQSHScheme(TLSX** extensions, word16 name, byte* pKey, word16 pkeySz) #endif /* HAVE_QSH */ +/******************************************************************************/ +/* TLS Extensions Framework */ +/******************************************************************************/ /** Finds an extension in the provided list. */ TLSX* TLSX_Find(TLSX* list, TLSX_Type type) @@ -3040,35 +3337,39 @@ void TLSX_FreeAll(TLSX* list) switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: SNI_FREE_ALL((SNI*)extension->data); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: MFL_FREE_ALL(extension->data); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* Nothing to do. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: EC_FREE_ALL(extension->data); break; - case SECURE_RENEGOTIATION: + case TLSX_STATUS_REQUEST: + CSR_FREE_ALL(extension->data); + break; + + case TLSX_RENEGOTIATION_INFO: SCR_FREE_ALL(extension->data); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: /* Nothing to do. */ break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: QSH_FREE_ALL(extension->data); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: ALPN_FREE_ALL((ALPN*)extension->data); break; } @@ -3105,37 +3406,41 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: /* SNI only sends the name on the request. */ if (isRequest) length += SNI_GET_SIZE(extension->data); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: length += MFL_GET_SIZE(extension->data); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* always empty. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: length += EC_GET_SIZE(extension->data); break; - case SECURE_RENEGOTIATION: + case TLSX_STATUS_REQUEST: + length += CSR_GET_SIZE(extension->data, isRequest); + break; + + case TLSX_RENEGOTIATION_INFO: length += SCR_GET_SIZE(extension->data, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: length += STK_GET_SIZE(extension->data, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: length += QSH_GET_SIZE(extension->data, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: length += ALPN_GET_SIZE(extension->data); break; @@ -3175,34 +3480,39 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, /* extension data should be written internally. */ switch (extension->type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: if (isRequest) offset += SNI_WRITE(extension->data, output + offset); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: offset += MFL_WRITE(extension->data, output + offset); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: /* always empty. */ break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: offset += EC_WRITE(extension->data, output + offset); break; - case SECURE_RENEGOTIATION: + case TLSX_STATUS_REQUEST: + offset += CSR_WRITE(extension->data, output + offset, + isRequest); + break; + + case TLSX_RENEGOTIATION_INFO: offset += SCR_WRITE(extension->data, output + offset, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: offset += STK_WRITE(extension->data, output + offset, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: if (isRequest) { offset += QSH_WRITE(extension->data, output + offset); } @@ -3210,7 +3520,7 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, offset += QSH_SERREQ(output + offset, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: offset += ALPN_WRITE(extension->data, output + offset); break; } @@ -3234,14 +3544,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes) int ret = 0; if (rng == NULL) { - if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((rng = XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; wc_InitRng(rng); } if (rngMutex == NULL) { - if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0, - DYNAMIC_TYPE_TLSX)) == NULL) + if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; InitMutex(rngMutex); } @@ -3360,7 +3670,7 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) return ret; } - if ((temp = XMALLOC(sizeof(QSHKey), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = type; temp->pub.length = public_key_len; @@ -3471,7 +3781,7 @@ int TLSX_PopulateExtensions(WOLFSSL* ssl, byte isServer) } else if (ssl->sendQSHKeys && ssl->QSH_Key == NULL) { /* for each scheme make a client key */ - extension = TLSX_Find(ssl->extensions, WOLFSSL_QSH); + extension = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); if (extension) { qsh = (QSHScheme*)extension->data; @@ -3596,7 +3906,7 @@ word16 TLSX_GetResponseSize(WOLFSSL* ssl) #ifdef HAVE_QSH /* change response if not using TLS_QSH */ if (!ssl->options.haveQSH) { - TLSX* ext = TLSX_Find(ssl->extensions, WOLFSSL_QSH); + TLSX* ext = TLSX_Find(ssl->extensions, TLSX_QUANTUM_SAFE_HYBRID); if (ext) ext->resp = 0; } @@ -3661,49 +3971,55 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, return BUFFER_ERROR; switch (type) { - case SERVER_NAME_INDICATION: + case TLSX_SERVER_NAME: WOLFSSL_MSG("SNI extension received"); ret = SNI_PARSE(ssl, input + offset, size, isRequest); break; - case MAX_FRAGMENT_LENGTH: + case TLSX_MAX_FRAGMENT_LENGTH: WOLFSSL_MSG("Max Fragment Length extension received"); ret = MFL_PARSE(ssl, input + offset, size, isRequest); break; - case TRUNCATED_HMAC: + case TLSX_TRUNCATED_HMAC: WOLFSSL_MSG("Truncated HMAC extension received"); ret = THM_PARSE(ssl, input + offset, size, isRequest); break; - case ELLIPTIC_CURVES: + case TLSX_SUPPORTED_GROUPS: WOLFSSL_MSG("Elliptic Curves extension received"); ret = EC_PARSE(ssl, input + offset, size, isRequest); break; - case SECURE_RENEGOTIATION: + case TLSX_STATUS_REQUEST: + WOLFSSL_MSG("Certificate Status Request extension received"); + + ret = CSR_PARSE(ssl, input + offset, size, isRequest); + break; + + case TLSX_RENEGOTIATION_INFO: WOLFSSL_MSG("Secure Renegotiation extension received"); ret = SCR_PARSE(ssl, input + offset, size, isRequest); break; - case SESSION_TICKET: + case TLSX_SESSION_TICKET: WOLFSSL_MSG("Session Ticket extension received"); ret = STK_PARSE(ssl, input + offset, size, isRequest); break; - case WOLFSSL_QSH: + case TLSX_QUANTUM_SAFE_HYBRID: WOLFSSL_MSG("Quantum-Safe-Hybrid extension received"); ret = QSH_PARSE(ssl, input + offset, size, isRequest); break; - case WOLFSSL_ALPN: + case TLSX_APPLICATION_LAYER_PROTOCOL: WOLFSSL_MSG("ALPN extension received"); ret = ALPN_PARSE(ssl, input + offset, size, isRequest); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 03353d45a..eecb57ba7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -43,7 +43,11 @@ #include #include - +#ifdef NO_INLINE + #include +#else + #include +#endif #ifndef NO_RC4 #include @@ -8624,8 +8628,13 @@ static int DecodeResponseData(byte* source, if (DecodeSingleResponse(source, &idx, resp, size) < 0) return ASN_PARSE_E; - if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) - return ASN_PARSE_E; + /* + * Check the length of the ResponseData against the current index to + * see if there are extensions, they are optional. + */ + if (idx - prev_idx < resp->responseSz) + if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0) + return ASN_PARSE_E; *ioIndex = idx; return 0; @@ -8658,12 +8667,13 @@ static int DecodeCerts(byte* source, return 0; } -static int DecodeBasicOcspResponse(byte* source, - word32* ioIndex, OcspResponse* resp, word32 size) +static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, + OcspResponse* resp, word32 size, void* cm) { int length; word32 idx = *ioIndex; word32 end_index; + int ret; WOLFSSL_ENTER("DecodeBasicOcspResponse"); @@ -8699,13 +8709,12 @@ static int DecodeBasicOcspResponse(byte* source, if (idx < end_index) { DecodedCert cert; - int ret; if (DecodeCerts(source, &idx, resp, size) < 0) return ASN_PARSE_E; InitDecodedCert(&cert, resp->cert, resp->certSz, 0); - ret = ParseCertRelative(&cert, CA_TYPE, NO_VERIFY, 0); + ret = ParseCertRelative(&cert, CERT_TYPE, VERIFY, cm); if (ret < 0) return ret; @@ -8720,6 +8729,20 @@ static int DecodeBasicOcspResponse(byte* source, return ASN_OCSP_CONFIRM_E; } } + else { + Signer* ca = GetCA(cm, resp->issuerHash); + + if (ca) + ret = ConfirmSignature(resp->response, resp->responseSz, + ca->publicKey, ca->pubKeySize, ca->keyOID, + resp->sig, resp->sigSz, resp->sigOID, NULL); + + if (!ca || ret == 0) + { + WOLFSSL_MSG("\tOCSP Confirm signature failed"); + return ASN_OCSP_CONFIRM_E; + } + } *ioIndex = idx; return 0; @@ -8748,7 +8771,7 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status, } -int OcspResponseDecode(OcspResponse* resp) +int OcspResponseDecode(OcspResponse* resp, void* cm) { int length = 0; word32 idx = 0; @@ -8792,67 +8815,68 @@ int OcspResponseDecode(OcspResponse* resp) if (GetLength(source, &idx, &length, size) < 0) return ASN_PARSE_E; - if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0) + if (DecodeBasicOcspResponse(source, &idx, resp, size, cm) < 0) return ASN_PARSE_E; return 0; } -static word32 SetOcspReqExtensions(word32 extSz, byte* output, - const byte* nonce, word32 nonceSz) +word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) { static const byte NonceObjId[] = { 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, 0x02 }; - byte seqArray[5][MAX_SEQ_SZ]; - word32 seqSz[5], totalSz; + byte seqArray[6][MAX_SEQ_SZ]; + word32 seqSz[6], totalSz = (word32)sizeof(NonceObjId); WOLFSSL_ENTER("SetOcspReqExtensions"); - if (nonce == NULL || nonceSz == 0) return 0; + if (!req || !output || !req->nonceSz) + return 0; - seqArray[0][0] = ASN_OCTET_STRING; - seqSz[0] = 1 + SetLength(nonceSz, &seqArray[0][1]); + totalSz += req->nonceSz; + totalSz += seqSz[0] = SetOctetString(req->nonceSz, seqArray[0]); + totalSz += seqSz[1] = SetOctetString(req->nonceSz + seqSz[0], seqArray[1]); + seqArray[2][0] = ASN_OBJECT_ID; + totalSz += seqSz[2] = 1 + SetLength(sizeof(NonceObjId), &seqArray[2][1]); + totalSz += seqSz[3] = SetSequence(totalSz, seqArray[3]); + totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); + totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]); - seqArray[1][0] = ASN_OBJECT_ID; - seqSz[1] = 1 + SetLength(sizeof(NonceObjId), &seqArray[1][1]); - - totalSz = seqSz[0] + seqSz[1] + nonceSz + (word32)sizeof(NonceObjId); - - seqSz[2] = SetSequence(totalSz, seqArray[2]); - totalSz += seqSz[2]; - - seqSz[3] = SetSequence(totalSz, seqArray[3]); - totalSz += seqSz[3]; - - seqArray[4][0] = (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 2); - seqSz[4] = 1 + SetLength(totalSz, &seqArray[4][1]); - totalSz += seqSz[4]; - - if (totalSz < extSz) + if (totalSz < size) { totalSz = 0; + + XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); + totalSz += seqSz[5]; + XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); totalSz += seqSz[4]; + XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); totalSz += seqSz[3]; + XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); totalSz += seqSz[2]; - XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); - totalSz += seqSz[1]; + XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); totalSz += (word32)sizeof(NonceObjId); + + XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); + totalSz += seqSz[1]; + XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); totalSz += seqSz[0]; - XMEMCPY(output + totalSz, nonce, nonceSz); - totalSz += nonceSz; + + XMEMCPY(output + totalSz, req->nonce, req->nonceSz); + totalSz += req->nonceSz; } return totalSz; } -int EncodeOcspRequest(OcspRequest* req) +int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) { byte seqArray[5][MAX_SEQ_SZ]; /* The ASN.1 of the OCSP Request is an onion of sequences */ @@ -8861,7 +8885,6 @@ int EncodeOcspRequest(OcspRequest* req) byte issuerKeyArray[MAX_ENCODED_DIG_SZ]; byte snArray[MAX_SN_SZ]; byte extArray[MAX_OCSP_EXT_SZ]; - byte* output = req->dest; word32 seqSz[5], algoSz, issuerSz, issuerKeySz, snSz, extSz, totalSz; int i; @@ -8873,54 +8896,42 @@ int EncodeOcspRequest(OcspRequest* req) algoSz = SetAlgoID(SHAh, algoArray, hashType, 0); #endif - req->issuerHash = req->cert->issuerHash; - issuerSz = SetDigest(req->cert->issuerHash, KEYID_SIZE, issuerArray); + issuerSz = SetDigest(req->issuerHash, KEYID_SIZE, issuerArray); + issuerKeySz = SetDigest(req->issuerKeyHash, KEYID_SIZE, issuerKeyArray); + snSz = SetSerialNumber(req->serial, req->serialSz, snArray); + extSz = 0; - req->issuerKeyHash = req->cert->issuerKeyHash; - issuerKeySz = SetDigest(req->cert->issuerKeyHash, - KEYID_SIZE, issuerKeyArray); - - req->serial = req->cert->serial; - req->serialSz = req->cert->serialSz; - snSz = SetSerialNumber(req->cert->serial, req->cert->serialSz, snArray); - - extSz = 0; - if (req->useNonce) { - WC_RNG rng; - if (wc_InitRng(&rng) != 0) { - WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); - } else { - if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) - WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); - else { - req->nonceSz = MAX_OCSP_NONCE_SZ; - extSz = SetOcspReqExtensions(MAX_OCSP_EXT_SZ, extArray, - req->nonce, req->nonceSz); - } - wc_FreeRng(&rng); - } - } + if (req->nonceSz) + extSz = EncodeOcspRequestExtensions(req, extArray, MAX_OCSP_EXT_SZ); totalSz = algoSz + issuerSz + issuerKeySz + snSz; - for (i = 4; i >= 0; i--) { seqSz[i] = SetSequence(totalSz, seqArray[i]); totalSz += seqSz[i]; if (i == 2) totalSz += extSz; } + + if (totalSz > size) + return BUFFER_E; + totalSz = 0; for (i = 0; i < 5; i++) { XMEMCPY(output + totalSz, seqArray[i], seqSz[i]); totalSz += seqSz[i]; } + XMEMCPY(output + totalSz, algoArray, algoSz); totalSz += algoSz; + XMEMCPY(output + totalSz, issuerArray, issuerSz); totalSz += issuerSz; + XMEMCPY(output + totalSz, issuerKeyArray, issuerKeySz); totalSz += issuerKeySz; + XMEMCPY(output + totalSz, snArray, snSz); totalSz += snSz; + if (extSz != 0) { XMEMCPY(output + totalSz, extArray, extSz); totalSz += extSz; @@ -8930,19 +8941,70 @@ int EncodeOcspRequest(OcspRequest* req) } -void InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce, - byte* dest, word32 destSz) +int InitOcspRequest(OcspRequest* req, DecodedCert* cert, byte useNonce) { WOLFSSL_ENTER("InitOcspRequest"); - req->cert = cert; - req->useNonce = useNonce; - req->nonceSz = 0; - req->issuerHash = NULL; - req->issuerKeyHash = NULL; - req->serial = NULL; - req->dest = dest; - req->destSz = destSz; + if (req == NULL) + return BAD_FUNC_ARG; + + ForceZero(req, sizeof(OcspRequest)); + + if (cert) { + XMEMCPY(req->issuerHash, cert->issuerHash, KEYID_SIZE); + XMEMCPY(req->issuerKeyHash, cert->issuerKeyHash, KEYID_SIZE); + + req->serial = (byte*)XMALLOC(cert->serialSz, NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (req->serial == NULL) + return MEMORY_E; + + XMEMCPY(req->serial, cert->serial, cert->serialSz); + req->serialSz = cert->serialSz; + + if (cert->extAuthInfoSz != 0 && cert->extAuthInfo != NULL) { + req->url = (byte*)XMALLOC(cert->extAuthInfoSz, NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (req->url == NULL) { + XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP); + return MEMORY_E; + } + + XMEMCPY(req->url, cert->extAuthInfo, cert->extAuthInfoSz); + req->urlSz = cert->extAuthInfoSz; + } + + } + + if (useNonce) { + WC_RNG rng; + + if (wc_InitRng(&rng) != 0) { + WOLFSSL_MSG("\tCannot initialize RNG. Skipping the OSCP Nonce."); + } else { + if (wc_RNG_GenerateBlock(&rng, req->nonce, MAX_OCSP_NONCE_SZ) != 0) + WOLFSSL_MSG("\tCannot run RNG. Skipping the OSCP Nonce."); + else + req->nonceSz = MAX_OCSP_NONCE_SZ; + + wc_FreeRng(&rng); + } + } + + return 0; +} + +void FreeOcspRequest(OcspRequest* req) +{ + WOLFSSL_ENTER("FreeOcspRequest"); + + if (req) { + if (req->serial) + XFREE(req->serial, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + + if (req->url) + XFREE(req->url, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } } @@ -8966,7 +9028,7 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp) /* Nonces are not critical. The responder may not necessarily add * the nonce to the response. */ - if (req->useNonce && resp->nonceSz != 0) { + if (req->nonceSz && resp->nonceSz != 0) { cmp = req->nonceSz - resp->nonceSz; if (cmp != 0) { diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index f07796079..bfccee9cd 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -30,121 +30,123 @@ #endif enum wolfSSL_ErrorCodes { - INPUT_CASE_ERROR = -301, /* process input state error */ - PREFIX_ERROR = -302, /* bad index to key rounds */ - MEMORY_ERROR = -303, /* out of memory */ - VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ - VERIFY_MAC_ERROR = -305, /* verify mac problem */ - PARSE_ERROR = -306, /* parse error on header */ - UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ - SOCKET_ERROR_E = -308, /* error state on socket */ - SOCKET_NODATA = -309, /* expected data, not there */ - INCOMPLETE_DATA = -310, /* don't have enough data to + INPUT_CASE_ERROR = -301, /* process input state error */ + PREFIX_ERROR = -302, /* bad index to key rounds */ + MEMORY_ERROR = -303, /* out of memory */ + VERIFY_FINISHED_ERROR = -304, /* verify problem on finished */ + VERIFY_MAC_ERROR = -305, /* verify mac problem */ + PARSE_ERROR = -306, /* parse error on header */ + UNKNOWN_HANDSHAKE_TYPE = -307, /* weird handshake type */ + SOCKET_ERROR_E = -308, /* error state on socket */ + SOCKET_NODATA = -309, /* expected data, not there */ + INCOMPLETE_DATA = -310, /* don't have enough data to complete task */ - UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ - DECRYPT_ERROR = -312, /* error during decryption */ - FATAL_ERROR = -313, /* recvd alert fatal error */ - ENCRYPT_ERROR = -314, /* error during encryption */ - FREAD_ERROR = -315, /* fread problem */ - NO_PEER_KEY = -316, /* need peer's key */ - NO_PRIVATE_KEY = -317, /* need the private key */ - RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ - NO_DH_PARAMS = -319, /* server missing DH params */ - BUILD_MSG_ERROR = -320, /* build message failure */ + UNKNOWN_RECORD_TYPE = -311, /* unknown type in record hdr */ + DECRYPT_ERROR = -312, /* error during decryption */ + FATAL_ERROR = -313, /* recvd alert fatal error */ + ENCRYPT_ERROR = -314, /* error during encryption */ + FREAD_ERROR = -315, /* fread problem */ + NO_PEER_KEY = -316, /* need peer's key */ + NO_PRIVATE_KEY = -317, /* need the private key */ + RSA_PRIVATE_ERROR = -318, /* error during rsa priv op */ + NO_DH_PARAMS = -319, /* server missing DH params */ + BUILD_MSG_ERROR = -320, /* build message failure */ - BAD_HELLO = -321, /* client hello malformed */ - DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ - WANT_READ = -323, /* want read, call again */ - NOT_READY_ERROR = -324, /* handshake layer not ready */ - PMS_VERSION_ERROR = -325, /* pre m secret version error */ - VERSION_ERROR = -326, /* record layer version error */ - WANT_WRITE = -327, /* want write, call again */ - BUFFER_ERROR = -328, /* malformed buffer input */ - VERIFY_CERT_ERROR = -329, /* verify cert error */ - VERIFY_SIGN_ERROR = -330, /* verify sign error */ - CLIENT_ID_ERROR = -331, /* psk client identity error */ - SERVER_HINT_ERROR = -332, /* psk server hint error */ - PSK_KEY_ERROR = -333, /* psk key error */ - ZLIB_INIT_ERROR = -334, /* zlib init error */ - ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ - ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ + BAD_HELLO = -321, /* client hello malformed */ + DOMAIN_NAME_MISMATCH = -322, /* peer subject name mismatch */ + WANT_READ = -323, /* want read, call again */ + NOT_READY_ERROR = -324, /* handshake layer not ready */ + PMS_VERSION_ERROR = -325, /* pre m secret version error */ + VERSION_ERROR = -326, /* record layer version error */ + WANT_WRITE = -327, /* want write, call again */ + BUFFER_ERROR = -328, /* malformed buffer input */ + VERIFY_CERT_ERROR = -329, /* verify cert error */ + VERIFY_SIGN_ERROR = -330, /* verify sign error */ + CLIENT_ID_ERROR = -331, /* psk client identity error */ + SERVER_HINT_ERROR = -332, /* psk server hint error */ + PSK_KEY_ERROR = -333, /* psk key error */ + ZLIB_INIT_ERROR = -334, /* zlib init error */ + ZLIB_COMPRESS_ERROR = -335, /* zlib compression error */ + ZLIB_DECOMPRESS_ERROR = -336, /* zlib decompression error */ - GETTIME_ERROR = -337, /* gettimeofday failed ??? */ - GETITIMER_ERROR = -338, /* getitimer failed ??? */ - SIGACT_ERROR = -339, /* sigaction failed ??? */ - SETITIMER_ERROR = -340, /* setitimer failed ??? */ - LENGTH_ERROR = -341, /* record layer length error */ - PEER_KEY_ERROR = -342, /* can't decode peer key */ - ZERO_RETURN = -343, /* peer sent close notify */ - SIDE_ERROR = -344, /* wrong client/server type */ - NO_PEER_CERT = -345, /* peer didn't send key */ - NTRU_KEY_ERROR = -346, /* NTRU key error */ - NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ - NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ - NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ - ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ - ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ - ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ - ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ - ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ - ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ - NOT_CA_ERROR = -357, /* Not a CA cert error */ - BAD_PATH_ERROR = -358, /* Bad path for opendir */ - BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ - OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ - CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ - CRL_MISSING = -362, /* CRL Not loaded */ - MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ - THREAD_CREATE_E = -364, /* Thread Create Error */ - OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ - OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ - OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ - MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ - COOKIE_ERROR = -369, /* dtls cookie error */ - SEQUENCE_ERROR = -370, /* dtls sequence error */ - SUITES_ERROR = -371, /* suites pointer error */ - SSL_NO_PEM_HEADER = -372, /* no PEM header found */ - OUT_OF_ORDER_E = -373, /* out of order message */ - BAD_KEA_TYPE_E = -374, /* bad KEA type found */ - SANITY_CIPHER_E = -375, /* sanity check on cipher error */ - RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ - GEN_COOKIE_E = -377, /* Generate Cookie Error */ - NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ - FWRITE_ERROR = -379, /* fwrite problem */ - CACHE_MATCH_ERROR = -380, /* chache hdr match error */ - UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ - UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ - KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ - KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ - EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ - SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ - SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ - SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ - SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ - SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */ - SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ - NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ - SANITY_MSG_E = -394, /* Sanity check on msg order error */ - DUPLICATE_MSG_E = -395, /* Duplicate message error */ - SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ - SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ + GETTIME_ERROR = -337, /* gettimeofday failed ??? */ + GETITIMER_ERROR = -338, /* getitimer failed ??? */ + SIGACT_ERROR = -339, /* sigaction failed ??? */ + SETITIMER_ERROR = -340, /* setitimer failed ??? */ + LENGTH_ERROR = -341, /* record layer length error */ + PEER_KEY_ERROR = -342, /* can't decode peer key */ + ZERO_RETURN = -343, /* peer sent close notify */ + SIDE_ERROR = -344, /* wrong client/server type */ + NO_PEER_CERT = -345, /* peer didn't send key */ + NTRU_KEY_ERROR = -346, /* NTRU key error */ + NTRU_DRBG_ERROR = -347, /* NTRU drbg error */ + NTRU_ENCRYPT_ERROR = -348, /* NTRU encrypt error */ + NTRU_DECRYPT_ERROR = -349, /* NTRU decrypt error */ + ECC_CURVETYPE_ERROR = -350, /* Bad ECC Curve Type */ + ECC_CURVE_ERROR = -351, /* Bad ECC Curve */ + ECC_PEERKEY_ERROR = -352, /* Bad Peer ECC Key */ + ECC_MAKEKEY_ERROR = -353, /* Bad Make ECC Key */ + ECC_EXPORT_ERROR = -354, /* Bad ECC Export Key */ + ECC_SHARED_ERROR = -355, /* Bad ECC Shared Secret */ + NOT_CA_ERROR = -357, /* Not a CA cert error */ + BAD_PATH_ERROR = -358, /* Bad path for opendir */ + BAD_CERT_MANAGER_ERROR = -359, /* Bad Cert Manager */ + OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ + CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ + CRL_MISSING = -362, /* CRL Not loaded */ + MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ + THREAD_CREATE_E = -364, /* Thread Create Error */ + OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ + OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ + OCSP_LOOKUP_FAIL = -367, /* OCSP lookup not successful */ + MAX_CHAIN_ERROR = -368, /* max chain depth exceeded */ + COOKIE_ERROR = -369, /* dtls cookie error */ + SEQUENCE_ERROR = -370, /* dtls sequence error */ + SUITES_ERROR = -371, /* suites pointer error */ + SSL_NO_PEM_HEADER = -372, /* no PEM header found */ + OUT_OF_ORDER_E = -373, /* out of order message */ + BAD_KEA_TYPE_E = -374, /* bad KEA type found */ + SANITY_CIPHER_E = -375, /* sanity check on cipher error */ + RECV_OVERFLOW_E = -376, /* RXCB returned more than rqed */ + GEN_COOKIE_E = -377, /* Generate Cookie Error */ + NO_PEER_VERIFY = -378, /* Need peer cert verify Error */ + FWRITE_ERROR = -379, /* fwrite problem */ + CACHE_MATCH_ERROR = -380, /* chache hdr match error */ + UNKNOWN_SNI_HOST_NAME_E = -381, /* Unrecognized host name Error */ + UNKNOWN_MAX_FRAG_LEN_E = -382, /* Unrecognized max frag len Error */ + KEYUSE_SIGNATURE_E = -383, /* KeyUse digSignature error */ + KEYUSE_ENCIPHER_E = -385, /* KeyUse keyEncipher error */ + EXTKEYUSE_AUTH_E = -386, /* ExtKeyUse server|client_auth */ + SEND_OOB_READ_E = -387, /* Send Cb out of bounds read */ + SECURE_RENEGOTIATION_E = -388, /* Invalid Renegotiation Info */ + SESSION_TICKET_LEN_E = -389, /* Session Ticket too large */ + SESSION_TICKET_EXPECT_E = -390, /* Session Ticket missing */ + SCR_DIFFERENT_CERT_E = -391, /* SCR Different cert error */ + SESSION_SECRET_CB_E = -392, /* Session secret Cb fcn failure */ + NO_CHANGE_CIPHER_E = -393, /* Finished before change cipher */ + SANITY_MSG_E = -394, /* Sanity check on msg order error */ + DUPLICATE_MSG_E = -395, /* Duplicate message error */ + SNI_UNSUPPORTED = -396, /* SSL 3.0 does not support SNI */ + SOCKET_PEER_CLOSED_E = -397, /* Underlying transport closed */ - BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ - BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ - BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ + BAD_TICKET_KEY_CB_SZ = -398, /* Bad session ticket key cb size */ + BAD_TICKET_MSG_SZ = -399, /* Bad session ticket msg size */ + BAD_TICKET_ENCRYPT = -400, /* Bad user ticket encrypt */ - DH_KEY_SIZE_E = -401, /* DH Key too small */ - SNI_ABSENT_ERROR = -402, /* No SNI request. */ - RSA_SIGN_FAULT = -403, /* RSA Sign fault */ - HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ + DH_KEY_SIZE_E = -401, /* DH Key too small */ + SNI_ABSENT_ERROR = -402, /* No SNI request. */ + RSA_SIGN_FAULT = -403, /* RSA Sign fault */ + HANDSHAKE_SIZE_ERROR = -404, /* Handshake message too large */ UNKNOWN_ALPN_PROTOCOL_NAME_E = -405, /* Unrecognized protocol name Error*/ + BAD_CERTIFICATE_STATUS_ERROR = -406, /* Bad certificate status message */ + OCSP_INVALID_STATUS = -407, /* Invalid OCSP Status */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ - UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */ - MATCH_SUITE_ERROR = -501 /* can't match cipher suite */ + UNSUPPORTED_SUITE = -500, /* unsupported cipher suite */ + MATCH_SUITE_ERROR = -501 /* can't match cipher suite */ /* end negotiation parameter errors only 10 for now */ /* add strings to SetErrorString !!!!! */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index d65665ec0..76f7f108a 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -868,7 +868,7 @@ enum Misc { COMP_LEN = 1, /* compression length */ CURVE_LEN = 2, /* ecc named curve length */ SERVER_ID_LEN = 20, /* server session id length */ - + HANDSHAKE_HEADER_SZ = 4, /* type + length(3) */ RECORD_HEADER_SZ = 5, /* type + version + len(2) */ CERT_HEADER_SZ = 3, /* always 3 bytes */ @@ -897,7 +897,7 @@ enum Misc { MAX_PRF_LABSEED = 128, /* Maximum label + seed len */ MAX_PRF_DIG = 224, /* Maximum digest len */ MAX_REQUEST_SZ = 256, /* Maximum cert req len (no auth yet */ - SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ + SESSION_FLUSH_COUNT = 256, /* Flush session cache unless user turns off */ RC4_KEY_SIZE = 16, /* always 128bit */ DES_KEY_SIZE = 8, /* des */ @@ -1156,7 +1156,7 @@ enum { /* only the sniffer needs space in the buffer for extra MTU record(s) */ #ifdef WOLFSSL_SNIFFER - #define MTU_EXTRA MAX_MTU * 3 + #define MTU_EXTRA MAX_MTU * 3 #else #define MTU_EXTRA 0 #endif @@ -1174,9 +1174,9 @@ enum { #define RECORD_SIZE MAX_RECORD_SIZE #else #ifdef WOLFSSL_DTLS - #define RECORD_SIZE MAX_MTU + #define RECORD_SIZE MAX_MTU #else - #define RECORD_SIZE 128 + #define RECORD_SIZE 128 #endif #endif @@ -1255,7 +1255,7 @@ struct WOLFSSL_CIPHER { }; -typedef struct OCSP_Entry OCSP_Entry; +typedef struct OcspEntry OcspEntry; #ifdef NO_SHA #define OCSP_DIGEST_SIZE SHA256_DIGEST_SIZE @@ -1263,17 +1263,17 @@ typedef struct OCSP_Entry OCSP_Entry; #define OCSP_DIGEST_SIZE SHA_DIGEST_SIZE #endif -#ifdef NO_ASN +#ifdef NO_ASN /* no_asn won't have */ typedef struct CertStatus CertStatus; #endif -struct OCSP_Entry { - OCSP_Entry* next; /* next entry */ - byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ - byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ - CertStatus* status; /* OCSP response list */ - int totalStatus; /* number on list */ +struct OcspEntry { + OcspEntry* next; /* next entry */ + byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */ + byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */ + CertStatus* status; /* OCSP response list */ + int totalStatus; /* number on list */ }; @@ -1284,7 +1284,7 @@ struct OCSP_Entry { /* wolfSSL OCSP controller */ struct WOLFSSL_OCSP { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - OCSP_Entry* ocspList; /* OCSP response list */ + OcspEntry* ocspList; /* OCSP response list */ wolfSSL_Mutex ocspLock; /* OCSP list lock */ }; @@ -1307,8 +1307,8 @@ typedef struct CRL_Entry CRL_Entry; /* Complete CRL */ struct CRL_Entry { CRL_Entry* next; /* next entry */ - byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ - /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ + byte issuerHash[CRL_DIGEST_SIZE]; /* issuer hash */ + /* byte crlHash[CRL_DIGEST_SIZE]; raw crl data hash */ /* restore the hash here if needed for optimized comparisons */ byte lastDate[MAX_DATE_SIZE]; /* last date updated */ byte nextDate[MAX_DATE_SIZE]; /* next update date */ @@ -1456,18 +1456,19 @@ typedef struct Keys { -/* RFC 6066 TLS Extensions */ +/** TLS Extensions - RFC 6066 */ #ifdef HAVE_TLS_EXTENSIONS typedef enum { - SERVER_NAME_INDICATION = 0x0000, - MAX_FRAGMENT_LENGTH = 0x0001, - TRUNCATED_HMAC = 0x0004, - ELLIPTIC_CURVES = 0x000a, - SESSION_TICKET = 0x0023, - SECURE_RENEGOTIATION = 0xff01, - WOLFSSL_QSH = 0x0018, /* Quantum-Safe-Hybrid */ - WOLFSSL_ALPN = 0x0010 /* Application-Layer Protocol Name */ + TLSX_SERVER_NAME = 0x0000, /* a.k.a. SNI */ + TLSX_MAX_FRAGMENT_LENGTH = 0x0001, + TLSX_TRUNCATED_HMAC = 0x0004, + TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stappling */ + TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ + TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ + TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ + TLSX_SESSION_TICKET = 0x0023, + TLSX_RENEGOTIATION_INFO = 0xff01 } TLSX_Type; typedef struct TLSX { @@ -1495,19 +1496,21 @@ WOLFSSL_LOCAL word16 TLSX_WriteResponse(WOLFSSL* ssl, byte* output); WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, Suites *suites); -#elif defined(HAVE_SNI) \ - || defined(HAVE_MAX_FRAGMENT) \ - || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_SUPPORTED_CURVES) \ - || defined(HAVE_SECURE_RENEGOTIATION) \ - || defined(HAVE_SESSION_TICKET) \ - || defined(HAVE_ALPN) +#elif defined(HAVE_SNI) \ + || defined(HAVE_MAX_FRAGMENT) \ + || defined(HAVE_TRUNCATED_HMAC) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_SUPPORTED_CURVES) \ + || defined(HAVE_ALPN) \ + || defined(HAVE_QSH) \ + || defined(HAVE_SESSION_TICKET) \ + || defined(HAVE_SECURE_RENEGOTIATION) #error Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined. #endif /* HAVE_TLS_EXTENSIONS */ -/* Server Name Indication */ +/** Server Name Indication - RFC 6066 (session 3) */ #ifdef HAVE_SNI typedef struct SNI { @@ -1535,7 +1538,7 @@ WOLFSSL_LOCAL int TLSX_SNI_GetFromBuffer(const byte* buffer, word32 bufferSz, #endif /* HAVE_SNI */ -/* Application-layer Protocol Name */ +/* Application-Layer Protocol Negotiation - RFC 7301 */ #ifdef HAVE_ALPN typedef struct ALPN { char* protocol_name; /* ALPN protocol name */ @@ -1554,19 +1557,40 @@ WOLFSSL_LOCAL int TLSX_ALPN_SetOptions(TLSX** extensions, const byte option); #endif /* HAVE_ALPN */ -/* Maximum Fragment Length */ +/** Maximum Fragment Length Negotiation - RFC 6066 (session 4) */ #ifdef HAVE_MAX_FRAGMENT WOLFSSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl); #endif /* HAVE_MAX_FRAGMENT */ +/** Truncated HMAC - RFC 6066 (session 7) */ #ifdef HAVE_TRUNCATED_HMAC WOLFSSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ +/** Certificate Status Request - RFC 6066 (session 8) */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + +typedef struct { + byte status_type; + byte options; + union { + OcspRequest ocsp; + } request; +} CertificateStatusRequest; + +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, + byte status_type, byte options); +WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); +WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); +WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); + +#endif + +/** Supported Elliptic Curves - RFC 4492 (session 4) */ #ifdef HAVE_SUPPORTED_CURVES typedef struct EllipticCurve { @@ -1583,6 +1607,7 @@ WOLFSSL_LOCAL int TLSX_ValidateEllipticCurves(WOLFSSL* ssl, byte first, #endif /* HAVE_SUPPORTED_CURVES */ +/** Renegotiation Indication - RFC 5746 */ #ifdef HAVE_SECURE_RENEGOTIATION enum key_cache_state { @@ -1593,7 +1618,6 @@ enum key_cache_state { SCR_CACHE_COMPLETE /* complete restore to real keys */ }; - /* Additional Conection State according to rfc5746 section 3.1 */ typedef struct SecureRenegotiation { byte enabled; /* secure_renegotiation flag in rfc */ @@ -1609,6 +1633,7 @@ WOLFSSL_LOCAL int TLSX_UseSecureRenegotiation(TLSX** extensions); #endif /* HAVE_SECURE_RENEGOTIATION */ +/** Session Ticket - RFC 5077 (session 3.2) */ #ifdef HAVE_SESSION_TICKET typedef struct SessionTicket { @@ -1617,13 +1642,15 @@ typedef struct SessionTicket { word16 size; } SessionTicket; -WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseSessionTicket(TLSX** extensions, SessionTicket* ticket); WOLFSSL_LOCAL SessionTicket* TLSX_SessionTicket_Create(word32 lifetime, byte* data, word16 size); WOLFSSL_LOCAL void TLSX_SessionTicket_Free(SessionTicket* ticket); + #endif /* HAVE_SESSION_TICKET */ +/** Quantum-Safe-Hybrid - draft-whyte-qsh-tls12-00 */ #ifdef HAVE_QSH typedef struct QSHScheme { @@ -1753,7 +1780,7 @@ struct WOLFSSL_CTX { CallbackEccSign EccSignCb; /* User EccSign Callback handler */ CallbackEccVerify EccVerifyCb; /* User EccVerify Callback handler */ #endif /* HAVE_ECC */ - #ifndef NO_RSA + #ifndef NO_RSA CallbackRsaSign RsaSignCb; /* User RsaSign Callback handler */ CallbackRsaVerify RsaVerifyCb; /* User RsaVerify Callback handler */ CallbackRsaEnc RsaEncCb; /* User Rsa Public Encrypt handler */ @@ -1803,7 +1830,7 @@ void InitCipherSpecs(CipherSpecs* cs); /* Supported Message Authentication Codes from page 43 */ -enum MACAlgorithm { +enum MACAlgorithm { no_mac, md5_mac, sha_mac, @@ -1817,10 +1844,10 @@ enum MACAlgorithm { /* Supported Key Exchange Protocols */ -enum KeyExchangeAlgorithm { +enum KeyExchangeAlgorithm { no_kea, - rsa_kea, - diffie_hellman_kea, + rsa_kea, + diffie_hellman_kea, fortezza_kea, psk_kea, dhe_psk_kea, @@ -1846,8 +1873,8 @@ enum EccCurves { /* Valid client certificate request types from page 27 */ -enum ClientCertificateType { - rsa_sign = 1, +enum ClientCertificateType { + rsa_sign = 1, dss_sign = 2, rsa_fixed_dh = 3, dss_fixed_dh = 4, @@ -2177,7 +2204,7 @@ struct WOLFSSL_X509_NAME { #define EXTERNAL_SERIAL_SIZE 32 #endif -#ifdef NO_ASN +#ifdef NO_ASN typedef struct DNS_entry DNS_entry; #endif @@ -2295,6 +2322,7 @@ typedef struct MsgsReceived { word16 got_hello_verify_request:1; word16 got_session_ticket:1; word16 got_certificate:1; + word16 got_certificate_status:1; word16 got_server_key_exchange:1; word16 got_certificate_request:1; word16 got_server_hello_done:1; @@ -2446,6 +2474,9 @@ struct WOLFSSL { #ifdef HAVE_TRUNCATED_HMAC byte truncated_hmac; #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + byte status_request; + #endif #ifdef HAVE_SECURE_RENEGOTIATION SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */ #endif /* user turned on */ @@ -2529,20 +2560,20 @@ typedef struct EncryptedInfo { #ifdef WOLFSSL_CALLBACKS WOLFSSL_LOCAL void InitHandShakeInfo(HandShakeInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void FinishHandShakeInfo(HandShakeInfo*, const WOLFSSL*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddPacketName(const char*, HandShakeInfo*); WOLFSSL_LOCAL void InitTimeoutInfo(TimeoutInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void FreeTimeoutInfo(TimeoutInfo*, void*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddPacketInfo(const char*, TimeoutInfo*, const byte*, int, void*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddLateName(const char*, TimeoutInfo*); - WOLFSSL_LOCAL + WOLFSSL_LOCAL void AddLateRecordHeader(const RecordLayerHeader* rl, TimeoutInfo* info); #endif @@ -2550,10 +2581,10 @@ typedef struct EncryptedInfo { /* Record Layer Header identifier from page 12 */ enum ContentType { no_type = 0, - change_cipher_spec = 20, - alert = 21, - handshake = 22, - application_data = 23 + change_cipher_spec = 20, + alert = 21, + handshake = 22, + application_data = 23 }; @@ -2576,16 +2607,16 @@ typedef struct DtlsHandShakeHeader { enum HandShakeType { no_shake = -1, - hello_request = 0, - client_hello = 1, + hello_request = 0, + client_hello = 1, server_hello = 2, hello_verify_request = 3, /* DTLS addition */ session_ticket = 4, - certificate = 11, + certificate = 11, server_key_exchange = 12, - certificate_request = 13, + certificate_request = 13, server_hello_done = 14, - certificate_verify = 15, + certificate_verify = 15, client_key_exchange = 16, finished = 20, certificate_status = 22, @@ -2685,7 +2716,7 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength); #endif /* WOLFSSL_DTLS */ #ifndef NO_TLS - + #endif /* NO_TLS */ @@ -2721,4 +2752,3 @@ WOLFSSL_LOCAL int SetKeysSide(WOLFSSL*, enum encrypt_side); #endif #endif /* wolfSSL_INT_H */ - diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index 77a4157ee..dc76ca16e 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -40,6 +40,8 @@ WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*); +WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, + OcspRequest* ocspRequest); #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 356224fe1..5a30c8c81 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -170,35 +170,36 @@ typedef struct WOLFSSL_X509_STORE_CTX { /* Valid Alert types from page 16/17 */ enum AlertDescription { - close_notify = 0, - unexpected_message = 10, - bad_record_mac = 20, - record_overflow = 22, - decompression_failure = 30, - handshake_failure = 40, - no_certificate = 41, - bad_certificate = 42, - unsupported_certificate = 43, - certificate_revoked = 44, - certificate_expired = 45, - certificate_unknown = 46, - illegal_parameter = 47, - decrypt_error = 51, + close_notify = 0, + unexpected_message = 10, + bad_record_mac = 20, + record_overflow = 22, + decompression_failure = 30, + handshake_failure = 40, + no_certificate = 41, + bad_certificate = 42, + unsupported_certificate = 43, + certificate_revoked = 44, + certificate_expired = 45, + certificate_unknown = 46, + illegal_parameter = 47, + decrypt_error = 51, #ifdef WOLFSSL_MYSQL_COMPATIBLE /* catch name conflict for enum protocol with MYSQL build */ - wc_protocol_version = 70, + wc_protocol_version = 70, #else - protocol_version = 70, + protocol_version = 70, #endif - no_renegotiation = 100, - unrecognized_name = 112, - no_application_protocol = 120 + no_renegotiation = 100, + unrecognized_name = 112, /**< RFC 6066, section 3 */ + bad_certificate_status_response = 113, /**< RFC 6066, section 8 */ + no_application_protocol = 120 }; enum AlertLevel { alert_warning = 1, - alert_fatal = 2 + alert_fatal = 2 }; @@ -1353,7 +1354,7 @@ WOLFSSL_API int wolfSSL_SNI_GetFromBuffer( #endif #endif -/* Application-Layer Protocol Name */ +/* Application-Layer Protocol Negotiation */ #ifdef HAVE_ALPN /* ALPN status code */ @@ -1410,6 +1411,29 @@ WOLFSSL_API int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx); #endif #endif +/* Certificate Status Request */ +/* Certificate Status Type */ +enum { + WOLFSSL_CSR_OCSP = 1 +}; + +/* Certificate Status Options (flags) */ +enum { + WOLFSSL_CSR_OCSP_USE_NONCE = 0x01 +}; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#ifndef NO_WOLFSSL_CLIENT + +WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, + unsigned char status_type, unsigned char options); + +WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, + unsigned char status_type, unsigned char options); + +#endif +#endif + /* Elliptic Curves */ enum { WOLFSSL_ECC_SECP160R1 = 0x10, diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index b39114fa4..b1a132514 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -188,7 +188,7 @@ enum Misc_ASN { MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ - MAX_OCSP_NONCE_SZ = 18, /* OCSP Nonce size */ + MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */ EIGHTK_BUF = 8192, /* Tmp buffer size */ MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2, /* use bigger NTRU size */ @@ -707,28 +707,26 @@ struct OcspResponse { struct OcspRequest { - DecodedCert* cert; + byte issuerHash[KEYID_SIZE]; + byte issuerKeyHash[KEYID_SIZE]; + byte* serial; /* copy of the serial number in source cert */ + int serialSz; + byte* url; /* copy of the extAuthInfo in source cert */ + int urlSz; - byte useNonce; - byte nonce[MAX_OCSP_NONCE_SZ]; - int nonceSz; - - byte* issuerHash; /* pointer to issuerHash in source cert */ - byte* issuerKeyHash; /* pointer to issuerKeyHash in source cert */ - byte* serial; /* pointer to serial number in source cert */ - int serialSz; /* length of the serial number */ - - byte* dest; /* pointer to the destination ASN.1 buffer */ - word32 destSz; /* length of the destination buffer */ + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz; }; WOLFSSL_LOCAL void InitOcspResponse(OcspResponse*, CertStatus*, byte*, word32); -WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*); +WOLFSSL_LOCAL int OcspResponseDecode(OcspResponse*, void*); + +WOLFSSL_LOCAL int InitOcspRequest(OcspRequest*, DecodedCert*, byte); +WOLFSSL_LOCAL void FreeOcspRequest(OcspRequest*); +WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*, byte*, word32); +WOLFSSL_LOCAL word32 EncodeOcspRequestExtensions(OcspRequest*, byte*, word32); -WOLFSSL_LOCAL void InitOcspRequest(OcspRequest*, DecodedCert*, - byte, byte*, word32); -WOLFSSL_LOCAL int EncodeOcspRequest(OcspRequest*); WOLFSSL_LOCAL int CompareOcspReqResp(OcspRequest*, OcspResponse*); @@ -779,4 +777,3 @@ WOLFSSL_LOCAL void FreeDecodedCRL(DecodedCRL*); #endif /* !NO_ASN */ #endif /* WOLF_CRYPT_ASN_H */ - diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 4e7952940..3b9963bb9 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -287,7 +287,8 @@ DYNAMIC_TYPE_HASHES = 46, DYNAMIC_TYPE_SRP = 47, DYNAMIC_TYPE_COOKIE_PWD = 48, - DYNAMIC_TYPE_USER_CRYPTO = 49 + DYNAMIC_TYPE_USER_CRYPTO = 49, + DYNAMIC_TYPE_OCSP_REQUEST = 50 }; /* max error buffer string size */ From b13ae543ecfde34a59f4d1c73c4050207b66d5b1 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 2 Nov 2015 11:15:21 -0800 Subject: [PATCH 020/177] bump dev version --- configure.ac | 2 +- support/wolfssl.pc | 2 +- wolfssl/version.h | 4 ++-- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 51178b114..dca8dc4ac 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.7.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.7.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 617705cae..8e2be0eab 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.7.0 +Version: 3.7.1 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfssl/version.h b/wolfssl/version.h index 52f61334f..0a963865f 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.7.0" -#define LIBWOLFSSL_VERSION_HEX 0x03007000 +#define LIBWOLFSSL_VERSION_STRING "3.7.1" +#define LIBWOLFSSL_VERSION_HEX 0x03007001 #ifdef __cplusplus } From a1d1155b0c5851353a932eca9ed97096b77270ab Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 2 Nov 2015 12:18:12 -0800 Subject: [PATCH 021/177] add missing error strings --- src/ssl.c | 2 +- wolfcrypt/src/error.c | 24 ++++++++++++++++++++++++ wolfssl/wolfcrypt/error-crypt.h | 2 +- 3 files changed, 26 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index e8431550b..34de9cdd8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2357,7 +2357,7 @@ int wolfSSL_Init(void) /* Initialize crypto for use with TLS connection */ if (wolfcrypt_Init() != 0) - ret = WC_FAILURE_E; + ret = WC_INIT_E; initRefCount++; UnLockMutex(&count_mutex); diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 37b78422a..b8339eec0 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -337,6 +337,30 @@ const char* wc_GetErrorString(int error) case SRP_BAD_KEY_E: return "SRP bad key values error"; + case ASN_NO_SKID: + return "ASN no Subject Key Identifier found error"; + + case ASN_NO_AKID: + return "ASN no Authority Key Identifier found error"; + + case ASN_NO_KEYUSAGE: + return "ASN no Key Usage found error"; + + case SKID_E: + return "Setting Subject Key Identifier error"; + + case AKID_E: + return "Setting Authority Key Identifier error"; + + case KEYUSAGE_E: + return "Bad Key Usage value error"; + + case CERTPOLICIES_E: + return "Setting Certificate Policies error"; + + case WC_INIT_E: + return "wolfCrypt Initialize Failure error"; + default: return "unknown error number"; diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index 7a1100bcf..b26f6c3f7 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -161,7 +161,7 @@ enum { KEYUSAGE_E = -226, /* Bad Key Usage value */ CERTPOLICIES_E = -227, /* setting Certificate Policies error */ - WC_FAILURE_E = -228, /* wolfcrypt failed to initialize */ + WC_INIT_E = -228, /* wolfcrypt failed to initialize */ MIN_CODE_E = -300 /* errors -101 - -299 */ }; From 54a0a3370a72f9a78f233ae4c0d82e52885a5c3c Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 2 Nov 2015 12:35:43 -0800 Subject: [PATCH 022/177] fix wolfSSL_Init to only call new wolfCrypt_Init() once --- src/ssl.c | 57 ++++++++++++++++++++------------- wolfcrypt/benchmark/benchmark.c | 2 +- wolfcrypt/src/wc_port.c | 2 +- wolfssl/wolfcrypt/wc_port.h | 2 +- 4 files changed, 37 insertions(+), 26 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 34de9cdd8..387455cf5 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -159,8 +159,15 @@ WOLFSSL_CTX* wolfSSL_CTX_new(WOLFSSL_METHOD* method) WOLFSSL_ENTER("WOLFSSL_CTX_new"); - if (initRefCount == 0) - wolfSSL_Init(); /* user no longer forced to call Init themselves */ + if (initRefCount == 0) { + /* user no longer forced to call Init themselves */ + int ret = wolfSSL_Init(); + if (ret != SSL_SUCCESS) { + WOLFSSL_MSG("wolfSSL_Init failed"); + WOLFSSL_LEAVE("WOLFSSL_CTX_new", 0); + return NULL; + } + } if (method == NULL) return ctx; @@ -2337,33 +2344,35 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, buffer der, int type, int verify) int wolfSSL_Init(void) { - int ret = SSL_SUCCESS; - WOLFSSL_ENTER("wolfSSL_Init"); if (initRefCount == 0) { + /* Initialize crypto for use with TLS connection */ + if (wolfCrypt_Init() != 0) { + WOLFSSL_MSG("Bad wolfCrypt Init"); + return WC_INIT_E; + } #ifndef NO_SESSION_CACHE - if (InitMutex(&session_mutex) != 0) - ret = BAD_MUTEX_E; -#endif - if (InitMutex(&count_mutex) != 0) - ret = BAD_MUTEX_E; - } - if (ret == SSL_SUCCESS) { - if (LockMutex(&count_mutex) != 0) { - WOLFSSL_MSG("Bad Lock Mutex count"); + if (InitMutex(&session_mutex) != 0) { + WOLFSSL_MSG("Bad Init Mutex session"); + return BAD_MUTEX_E; + } +#endif + if (InitMutex(&count_mutex) != 0) { + WOLFSSL_MSG("Bad Init Mutex count"); return BAD_MUTEX_E; } - - /* Initialize crypto for use with TLS connection */ - if (wolfcrypt_Init() != 0) - ret = WC_INIT_E; - - initRefCount++; - UnLockMutex(&count_mutex); } - return ret; + if (LockMutex(&count_mutex) != 0) { + WOLFSSL_MSG("Bad Lock Mutex count"); + return BAD_MUTEX_E; + } + + initRefCount++; + UnLockMutex(&count_mutex); + + return SSL_SUCCESS; } @@ -7352,8 +7361,10 @@ int wolfSSL_set_compression(WOLFSSL* ssl) int wolfSSL_add_all_algorithms(void) { WOLFSSL_ENTER("wolfSSL_add_all_algorithms"); - wolfSSL_Init(); - return SSL_SUCCESS; + if (wolfSSL_Init() == SSL_SUCCESS) + return SSL_SUCCESS; + else + return SSL_FATAL_ERROR; } diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index 436c4cf7f..f36563d4c 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -244,7 +244,7 @@ int benchmark_test(void *args) { #endif - wolfcrypt_Init(); + wolfCrypt_Init(); #if defined(DEBUG_WOLFSSL) && !defined(HAVE_VALGRIND) wolfSSL_Debugging_ON(); diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index c769e2dcf..b81702bba 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -43,7 +43,7 @@ /* Used to initialize state for wolfcrypt return 0 on success */ -int wolfcrypt_Init() +int wolfCrypt_Init() { #if WOLFSSL_CRYPT_HW_MUTEX /* If crypto hardware mutex protection is enabled, then initialize it */ diff --git a/wolfssl/wolfcrypt/wc_port.h b/wolfssl/wolfcrypt/wc_port.h index 9697f8aa8..78c39ad74 100644 --- a/wolfssl/wolfcrypt/wc_port.h +++ b/wolfssl/wolfcrypt/wc_port.h @@ -170,7 +170,7 @@ WOLFSSL_LOCAL int LockMutex(wolfSSL_Mutex*); WOLFSSL_LOCAL int UnLockMutex(wolfSSL_Mutex*); /* main crypto initialization function */ -WOLFSSL_API int wolfcrypt_Init(void); +WOLFSSL_API int wolfCrypt_Init(void); /* filesystem abstraction layer, used by ssl.c */ #ifndef NO_FILESYSTEM From fbd4f8a6edc53caa09413a791f28fc47e95c5fd6 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 2 Nov 2015 13:26:46 -0800 Subject: [PATCH 023/177] fix merge conflict --- examples/client/client.c | 51 ++++++++++++++++--- scripts/openssl.test | 107 ++++++++++++++++++++++++++------------- 2 files changed, 115 insertions(+), 43 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 479b4d2d3..5c888597d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -127,6 +127,15 @@ static void ShowCiphers(void) printf("%s\n", ciphers); } +/* Shows which versions are valid */ +static void ShowVersions(void) +{ +#ifdef WOLFSSL_ALLOW_SSLV3 + printf("0:"); +#endif + printf("1:2:3\n"); +} + int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, int doDTLS, int benchmark, int resumeSession) { @@ -300,6 +309,7 @@ static void Usage(void) printf("-p Port to connect on, not 0, default %d\n", wolfSSLPort); printf("-v SSL version [0-3], SSLv3(0) - TLS1.2(3)), default %d\n", CLIENT_DEFAULT_VERSION); + printf("-V Prints valid ssl version numbers, SSLv3(0) - TLS1.2(3)\n"); printf("-l Cipher suite list (: delimited)\n"); printf("-c Certificate file, default %s\n", cliCert); printf("-k Key file, default %s\n", cliKey); @@ -375,8 +385,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) WOLFSSL* sslResume = 0; WOLFSSL_SESSION* session = 0; - char resumeMsg[] = "resuming wolfssl!"; - int resumeSz = sizeof(resumeMsg); + char resumeMsg[32] = "resuming wolfssl!"; + int resumeSz = (int)strlen(resumeMsg); char msg[32] = "hello wolfssl!"; /* GET may make bigger */ char reply[80]; @@ -472,7 +482,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) { + "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) { switch (ch) { case '?' : Usage(); @@ -563,6 +573,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) } break; + case 'V' : + ShowVersions(); + exit(EXIT_SUCCESS); + case 'l' : cipherList = myoptarg; break; @@ -1096,6 +1110,10 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) msgSz = 28; strncpy(msg, "GET /index.html HTTP/1.0\r\n\r\n", msgSz); msg[msgSz] = '\0'; + + resumeSz = msgSz; + strncpy(resumeMsg, "GET /index.html HTTP/1.0\r\n\r\n", resumeSz); + resumeMsg[resumeSz] = '\0'; } if (wolfSSL_write(ssl, msg, msgSz) != msgSz) err_sys("SSL_write failed"); @@ -1176,7 +1194,6 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) (void*)"resumed session"); #endif - showPeer(sslResume); #ifndef WOLFSSL_CALLBACKS if (nonBlocking) { wolfSSL_set_using_nonblock(sslResume, 1); @@ -1190,6 +1207,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) timeout.tv_usec = 0; NonBlockingSSL_Connect(ssl); /* will keep retrying on timeout */ #endif + showPeer(sslResume); if (wolfSSL_session_reused(sslResume)) printf("reused session id\n"); @@ -1228,11 +1246,28 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif } - input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); - if (input > 0) { - reply[input] = 0; - printf("Server resume response: %s\n", reply); + input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); + + if (input > 0) { + reply[input] = 0; + printf("Server resume response: %s\n", reply); + + if (sendGET) { /* get html */ + while (1) { + input = wolfSSL_read(sslResume, reply, sizeof(reply)-1); + if (input > 0) { + reply[input] = 0; + printf("%s\n", reply); + } + else + break; + } } + } else if (input < 0) { + int readErr = wolfSSL_get_error(ssl, 0); + if (readErr != SSL_ERROR_WANT_READ) + err_sys("wolfSSL_read failed"); + } /* try to send session break */ wolfSSL_write(sslResume, msg, msgSz); diff --git a/scripts/openssl.test b/scripts/openssl.test index 708186ab2..d44f7d1c1 100755 --- a/scripts/openssl.test +++ b/scripts/openssl.test @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh #openssl.test @@ -41,7 +41,7 @@ command -v openssl >/dev/null 2>&1 || { echo >&2 "Requires openssl command, but echo -e "\nTesting for _build directory as part of distcheck, different paths" currentDir=`pwd` -if [[ $currentDir == *"_build" ]] +if [ $currentDir = *"_build" ] then echo -e "_build directory detected, moving a directory back" cd .. @@ -49,17 +49,13 @@ fi echo -e "\nStarting openssl server...\n" -openssl s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem -quiet -www -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem & +openssl s_server -accept $openssl_port -cert ./certs/server-cert.pem -key ./certs/server-key.pem -quiet -CAfile ./certs/client-cert.pem -www -dhparam ./certs/dh2048.pem -dcert ./certs/server-ecc.pem -dkey ./certs/ecc-key.pem -Verify 10 -verify_return_error & server_pid=$! -# get openssl ciphers -open_ciphers=`openssl ciphers` -IFS=':' read -ra opensslArray <<< "$open_ciphers" # get wolfssl ciphers wolf_ciphers=`./examples/client/client -e` -IFS=':' read -ra wolfsslArray <<< "$wolf_ciphers" # server should be ready, let's make sure server_ready=0 @@ -67,7 +63,7 @@ while [ "$counter" -lt 20 ]; do echo -e "waiting for openssl s_server ready..." nc -z localhost $openssl_port nc_result=$? - if [ $nc_result == 0 ] + if [ $nc_result = 0 ] then echo -e "openssl s_server ready!" server_ready=1 @@ -78,45 +74,86 @@ while [ "$counter" -lt 20 ]; do done -if [ $server_ready == 0 ] +if [ $server_ready = 0 ] then echo -e "Couldn't verify openssl server is running, timeout error" do_cleanup exit -1 fi -for wolfSuite in "${wolfsslArray[@]}"; do +OIFS=$IFS # store old seperator to reset +IFS=$'\:' # set delimiter +set -f # no globbing - echo -e "trying wolfSSL cipher suite $wolfSuite" - matchSuite=0 - wolf_suites_total=$((wolf_suites_total + 1)) +wolf_versions=`./examples/client/client -V` +wolf_versions="$wolf_versions:4" #:4 will test without -v flag - for openSuite in "${opensslArray[@]}"; do - if [ $openSuite == $wolfSuite ] - then +wolf_temp_suites_total=0 +wolf_temp_suites_tested=0 + +for version in $wolf_versions; +do + echo -e "version = $version" + # get openssl ciphers depending on version + case $version in "0") + openssl_ciphers=`openssl ciphers "SSLv3"` + ;; + "1") + openssl_ciphers=`openssl ciphers "TLSv1"` + ;; + "2") + openssl_ciphers=`openssl ciphers "TLSv1.1"` + ;; + "3") + openssl_ciphers=`openssl ciphers "TLSv1.2"` + ;; + "4") #test all suites + openssl_ciphers=`openssl ciphers "ALL"` + ;; + esac + + for wolfSuite in $wolf_ciphers; do + echo -e "trying wolfSSL cipher suite $wolfSuite" + wolf_temp_suites_total=$((wolf_temp_suites_total + 1)) + matchSuite=0; + + case ":$openssl_ciphers:" in *":$wolfSuite:"*) # add extra : for edge cases echo -e "Matched to OpenSSL suite support" - matchSuite=1 + matchSuite=1;; + esac + + if [ $matchSuite = 0 ] + then + echo -e "Couldn't match suite, continuing..." + continue fi + + if [ $version -lt 4 ] + then + ./examples/client/client -p $openssl_port -g -r -l $wolfSuite -v $version + else + # do all versions + ./examples/client/client -p $openssl_port -g -r -l $wolfSuite + fi + + client_result=$? + + if [ $client_result != 0 ] + then + echo -e "client failed! Suite = $wolfSuite version = $version" + do_cleanup + exit 1 + fi + wolf_temp_suites_tested=$((wolf_temp_suites_tested+1)) + done - - if [ $matchSuite == 0 ] - then - echo -e "Couldn't match suite, continuing..." - continue - fi - - ./examples/client/client -p $openssl_port -g -l $wolfSuite - client_result=$? - - if [ $client_result != 0 ] - then - echo -e "client failed!" - do_cleanup - exit 1 - fi - wolf_suites_tested=$((wolf_suites_tested+1)) - + wolf_suites_tested=$((wolf_temp_suites_tested+wolf_suites_tested)) + wolf_suites_total=$((wolf_temp_suites_total+wolf_suites_total)) + echo -e "wolfSSL suites tested with version:$version $wolf_temp_suites_tested" + wolf_temp_suites_total=0 + wolf_temp_suites_tested=0 done +IFS=$OIFS #restore separator kill -9 $server_pid From 8d4d9ebe12367b22f92a2443af86ac03f7367147 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 3 Nov 2015 11:30:56 -0800 Subject: [PATCH 024/177] fix jenkins ec 56 --- wolfcrypt/src/asn.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index eecb57ba7..fa3471cd7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8673,7 +8673,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, int length; word32 idx = *ioIndex; word32 end_index; - int ret; + int ret = -1; WOLFSSL_ENTER("DecodeBasicOcspResponse"); @@ -8733,10 +8733,11 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, Signer* ca = GetCA(cm, resp->issuerHash); if (ca) + { ret = ConfirmSignature(resp->response, resp->responseSz, ca->publicKey, ca->pubKeySize, ca->keyOID, resp->sig, resp->sigSz, resp->sigOID, NULL); - + } if (!ca || ret == 0) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); From 5c9089651ad404d13b5b1a2f69e43306764c536c Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 3 Nov 2015 12:03:35 -0800 Subject: [PATCH 025/177] fix github issue #174 , disable des3 with (else if) logic broken --- src/ssl.c | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 387455cf5..cd2acef55 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2382,7 +2382,7 @@ int wolfSSL_Init(void) static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, int passwordSz, EncryptedInfo* info) { - int ret; + int ret = SSL_BAD_FILE; #ifdef WOLFSSL_SMALL_STACK byte* key = NULL; @@ -2434,7 +2434,7 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, key, info->iv); #endif /* NO_DES3 */ #ifndef NO_AES - else if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) + if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_128_KEY_SIZE, info->iv); else if (XSTRNCMP(info->name, EVP_AES_192_CBC, EVP_AES_SIZE) == 0) @@ -2444,8 +2444,6 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, ret = wc_AesCbcDecryptWithKey(der->buffer, der->buffer, der->length, key, AES_256_KEY_SIZE, info->iv); #endif /* NO_AES */ - else - ret = SSL_BAD_FILE; #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -2465,7 +2463,7 @@ static int wolfssl_decrypt_buffer_key(buffer* der, byte* password, static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, int passwordSz, EncryptedInfo* info) { - int ret; + int ret = SSL_BAD_FILE; #ifdef WOLFSSL_SMALL_STACK byte* key = NULL; @@ -2509,7 +2507,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, ret = wc_Des3_CbcEncryptWithKey(der, der, derSz, key, info->iv); #endif /* NO_DES3 */ #ifndef NO_AES - else if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) + if (XSTRNCMP(info->name, EVP_AES_128_CBC, EVP_AES_SIZE) == 0) ret = wc_AesCbcEncryptWithKey(der, der, derSz, key, AES_128_KEY_SIZE, info->iv); else if (XSTRNCMP(info->name, EVP_AES_192_CBC, EVP_AES_SIZE) == 0) @@ -2519,8 +2517,6 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password, ret = wc_AesCbcEncryptWithKey(der, der, derSz, key, AES_256_KEY_SIZE, info->iv); #endif /* NO_AES */ - else - ret = SSL_BAD_FILE; #ifdef WOLFSSL_SMALL_STACK XFREE(key, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -8332,17 +8328,15 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } - /* SSL_SUCCESS on ok */ + /* return SSL_SUCCESS on ok, 0 on failure to match API compatibility */ int wolfSSL_EVP_CipherInit(WOLFSSL_EVP_CIPHER_CTX* ctx, const WOLFSSL_EVP_CIPHER* type, byte* key, byte* iv, int enc) { -#if defined(NO_AES) && defined(NO_DES3) && !defined(HAVE_IDEA) + int ret = -1; /* failure local, during function 0 means success + because internal functions work that way */ (void)iv; (void)enc; -#else - int ret = 0; -#endif WOLFSSL_ENTER("wolfSSL_EVP_CipherInit"); if (ctx == NULL) { @@ -8475,7 +8469,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) #endif /* NO_AES */ #ifndef NO_DES3 - else if (ctx->cipherType == DES_CBC_TYPE || + if (ctx->cipherType == DES_CBC_TYPE || (type && XSTRNCMP(type, EVP_DES_CBC, EVP_DES_SIZE) == 0)) { WOLFSSL_MSG(EVP_DES_CBC); ctx->cipherType = DES_CBC_TYPE; @@ -8515,7 +8509,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) } #endif /* NO_DES3 */ #ifndef NO_RC4 - else if (ctx->cipherType == ARC4_TYPE || (type && + if (ctx->cipherType == ARC4_TYPE || (type && XSTRNCMP(type, "ARC4", 4) == 0)) { WOLFSSL_MSG("ARC4"); ctx->cipherType = ARC4_TYPE; @@ -8523,10 +8517,11 @@ int wolfSSL_set_compression(WOLFSSL* ssl) ctx->keyLen = 16; /* default to 128 */ if (key) wc_Arc4SetKey(&ctx->cipher.arc4, key, ctx->keyLen); + ret = 0; /* success */ } #endif /* NO_RC4 */ #ifdef HAVE_IDEA - else if (ctx->cipherType == IDEA_CBC_TYPE || + if (ctx->cipherType == IDEA_CBC_TYPE || (type && XSTRNCMP(type, EVP_IDEA_CBC, EVP_IDEA_SIZE) == 0)) { WOLFSSL_MSG(EVP_IDEA_CBC); ctx->cipherType = IDEA_CBC_TYPE; @@ -8544,17 +8539,18 @@ int wolfSSL_set_compression(WOLFSSL* ssl) wc_IdeaSetIV(&ctx->cipher.idea, iv); } #endif /* HAVE_IDEA */ - else if (ctx->cipherType == NULL_CIPHER_TYPE || (type && + if (ctx->cipherType == NULL_CIPHER_TYPE || (type && XSTRNCMP(type, "NULL", 4) == 0)) { WOLFSSL_MSG("NULL cipher"); ctx->cipherType = NULL_CIPHER_TYPE; ctx->keyLen = 0; + ret = 0; /* success */ } + + if (ret == 0) + return SSL_SUCCESS; else - return 0; /* failure */ - - - return SSL_SUCCESS; + return 0; /* overall failure */ } From 44165371bcb5c10622bf6ef6aaac8430eb76625a Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 3 Nov 2015 14:15:15 -0800 Subject: [PATCH 026/177] timediff fixup --- wolfcrypt/src/asn.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 661bec19e..a29ce1527 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2588,16 +2588,17 @@ int ValidateDate(const byte* date, byte format, int dateType) GetTime((int*)&certTime.tm_sec, date, &i); if ((date[i] == '+') || (date[i] == '-')) { - diffSign = date[i++]=='+' ? 1 : -1 ; - GetTime((int*)&diffHH, date, &i); - GetTime((int*)&diffMM, date, &i); + WOLFSSL_MSG("Using time differential, not Zulu") ; + diffSign = date[i++] == '+' ? 1 : -1 ; + GetTime(&diffHH, date, &i); + GetTime(&diffMM, date, &i); timeDiff = diffSign * (diffHH*60 + diffMM) * 60 ; } else if (date[i] != 'Z') { - WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ; - return 0; + WOLFSSL_MSG("UTCtime, niether Zulu or time differential") ; + return 0; } - ltime -= timeDiff ; + ltime -= (time_t)timeDiff ; localTime = XGMTIME(<ime, tmpTime); if (localTime == NULL) { From 23ba31cbdd81a2832beafc357765c98d86271970 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 3 Nov 2015 16:47:42 -0800 Subject: [PATCH 027/177] 1. Fixed bug where AES-GCM IVs had to only be 12 bytes. Now accepts any length. 2. Added test case for AES-GCM using an 60 byte IV. 3. AesGcmSetKey doesn't calculate H value in AES-NI mode. --- wolfcrypt/src/aes.c | 47 ++++++++++------- wolfcrypt/test/test.c | 119 +++++++++++++++++++++++++++++++----------- 2 files changed, 117 insertions(+), 49 deletions(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index d7524b66a..20e6ce874 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -2651,19 +2651,11 @@ int wc_AesSetIV(Aes* aes, const byte* iv) #endif enum { - CTR_SZ = 4 + NONCE_SZ = 12, + CTR_SZ = 4 }; -static INLINE void InitGcmCounter(byte* inOutCtr) -{ - inOutCtr[AES_BLOCK_SIZE - 4] = 0; - inOutCtr[AES_BLOCK_SIZE - 3] = 0; - inOutCtr[AES_BLOCK_SIZE - 2] = 0; - inOutCtr[AES_BLOCK_SIZE - 1] = 1; -} - - static INLINE void IncrementGcmCounter(byte* inOutCtr) { int i; @@ -2752,6 +2744,12 @@ int wc_AesGcmSetKey(Aes* aes, const byte* key, word32 len) XMEMSET(iv, 0, AES_BLOCK_SIZE); ret = wc_AesSetKey(aes, key, len, iv, AES_ENCRYPTION); + #ifdef WOLFSSL_AESNI + /* AES-NI code generates its own H value. */ + if (haveAESNI) + return ret; + #endif /* WOLFSSL_AESNI */ + if (ret == 0) { wc_AesEncrypt(aes, iv, aes->H); #ifdef GCM_TABLE @@ -3696,6 +3694,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, const byte* p = in; byte* c = out; byte counter[AES_BLOCK_SIZE]; + byte initialCounter[AES_BLOCK_SIZE]; byte *ctr ; byte scratch[AES_BLOCK_SIZE]; @@ -3715,9 +3714,15 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, ctr = counter ; #endif - XMEMSET(ctr, 0, AES_BLOCK_SIZE); - XMEMCPY(ctr, iv, ivSz); - InitGcmCounter(ctr); + XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); + if (ivSz == NONCE_SZ) { + XMEMCPY(initialCounter, iv, ivSz); + initialCounter[AES_BLOCK_SIZE - 1] = 1; + } + else { + GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE); + } + XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE); #ifdef WOLFSSL_PIC32MZ_CRYPT if(blocks) @@ -3744,8 +3749,7 @@ int wc_AesGcmEncrypt(Aes* aes, byte* out, const byte* in, word32 sz, } GHASH(aes, authIn, authInSz, out, sz, authTag, authTagSz); - InitGcmCounter(ctr); - wc_AesEncrypt(aes, ctr, scratch); + wc_AesEncrypt(aes, initialCounter, scratch); xorbuf(authTag, scratch, authTagSz); return 0; @@ -3762,6 +3766,7 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, const byte* c = in; byte* p = out; byte counter[AES_BLOCK_SIZE]; + byte initialCounter[AES_BLOCK_SIZE]; byte *ctr ; byte scratch[AES_BLOCK_SIZE]; @@ -3782,9 +3787,15 @@ int wc_AesGcmDecrypt(Aes* aes, byte* out, const byte* in, word32 sz, ctr = counter ; #endif - XMEMSET(ctr, 0, AES_BLOCK_SIZE); - XMEMCPY(ctr, iv, ivSz); - InitGcmCounter(ctr); + XMEMSET(initialCounter, 0, AES_BLOCK_SIZE); + if (ivSz == NONCE_SZ) { + XMEMCPY(initialCounter, iv, ivSz); + initialCounter[AES_BLOCK_SIZE - 1] = 1; + } + else { + GHASH(aes, NULL, 0, iv, ivSz, initialCounter, AES_BLOCK_SIZE); + } + XMEMCPY(ctr, initialCounter, AES_BLOCK_SIZE); /* Calculate the authTag again using the received auth data and the * cipher text. */ diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index fbdc43a63..e22ac3908 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -2729,20 +2729,6 @@ int aesgcm_test(void) * Counter Mode of Operation (GCM) by McGrew and * Viega. */ - const byte k[] = - { - 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, - 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, - 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, - 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 - }; - - const byte iv[] = - { - 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, - 0xde, 0xca, 0xf8, 0x88 - }; - const byte p[] = { 0xd9, 0x31, 0x32, 0x25, 0xf8, 0x84, 0x06, 0xe5, @@ -2762,7 +2748,21 @@ int aesgcm_test(void) 0xab, 0xad, 0xda, 0xd2 }; - const byte c[] = + const byte k1[] = + { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08 + }; + + const byte iv1[] = + { + 0xca, 0xfe, 0xba, 0xbe, 0xfa, 0xce, 0xdb, 0xad, + 0xde, 0xca, 0xf8, 0x88 + }; + + const byte c1[] = { 0x52, 0x2d, 0xc1, 0xf0, 0x99, 0x56, 0x7d, 0x07, 0xf4, 0x7f, 0x37, 0xa3, 0x2a, 0x84, 0x42, 0x7d, @@ -2774,38 +2774,95 @@ int aesgcm_test(void) 0xbc, 0xc9, 0xf6, 0x62 }; - const byte t[] = + const byte t1[] = { 0x76, 0xfc, 0x6e, 0xce, 0x0f, 0x4e, 0x17, 0x68, 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b }; - byte t2[sizeof(t)]; - byte p2[sizeof(c)]; - byte c2[sizeof(p)]; + /* Test Case 12, uses same plaintext and AAD data. */ + const byte k2[] = + { + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c, + 0x6d, 0x6a, 0x8f, 0x94, 0x67, 0x30, 0x83, 0x08, + 0xfe, 0xff, 0xe9, 0x92, 0x86, 0x65, 0x73, 0x1c + }; - int result; + const byte iv2[] = + { + 0x93, 0x13, 0x22, 0x5d, 0xf8, 0x84, 0x06, 0xe5, + 0x55, 0x90, 0x9c, 0x5a, 0xff, 0x52, 0x69, 0xaa, + 0x6a, 0x7a, 0x95, 0x38, 0x53, 0x4f, 0x7d, 0xa1, + 0xe4, 0xc3, 0x03, 0xd2, 0xa3, 0x18, 0xa7, 0x28, + 0xc3, 0xc0, 0xc9, 0x51, 0x56, 0x80, 0x95, 0x39, + 0xfc, 0xf0, 0xe2, 0x42, 0x9a, 0x6b, 0x52, 0x54, + 0x16, 0xae, 0xdb, 0xf5, 0xa0, 0xde, 0x6a, 0x57, + 0xa6, 0x37, 0xb3, 0x9b + }; - memset(t2, 0, sizeof(t2)); - memset(c2, 0, sizeof(c2)); - memset(p2, 0, sizeof(p2)); + const byte c2[] = + { + 0xd2, 0x7e, 0x88, 0x68, 0x1c, 0xe3, 0x24, 0x3c, + 0x48, 0x30, 0x16, 0x5a, 0x8f, 0xdc, 0xf9, 0xff, + 0x1d, 0xe9, 0xa1, 0xd8, 0xe6, 0xb4, 0x47, 0xef, + 0x6e, 0xf7, 0xb7, 0x98, 0x28, 0x66, 0x6e, 0x45, + 0x81, 0xe7, 0x90, 0x12, 0xaf, 0x34, 0xdd, 0xd9, + 0xe2, 0xf0, 0x37, 0x58, 0x9b, 0x29, 0x2d, 0xb3, + 0xe6, 0x7c, 0x03, 0x67, 0x45, 0xfa, 0x22, 0xe7, + 0xe9, 0xb7, 0x37, 0x3b + }; - wc_AesGcmSetKey(&enc, k, sizeof(k)); + const byte t2[] = + { + 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb, + 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 + }; + + byte resultT[sizeof(t1)]; + byte resultP[sizeof(p)]; + byte resultC[sizeof(p)]; + int result; + + memset(resultT, 0, sizeof(resultT)); + memset(resultC, 0, sizeof(resultC)); + memset(resultP, 0, sizeof(resultP)); + + wc_AesGcmSetKey(&enc, k1, sizeof(k1)); /* AES-GCM encrypt and decrypt both use AES encrypt internally */ - wc_AesGcmEncrypt(&enc, c2, p, sizeof(c2), iv, sizeof(iv), - t2, sizeof(t2), a, sizeof(a)); - if (memcmp(c, c2, sizeof(c2))) + wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv1, sizeof(iv1), + resultT, sizeof(resultT), a, sizeof(a)); + if (memcmp(c1, resultC, sizeof(resultC))) return -68; - if (memcmp(t, t2, sizeof(t2))) + if (memcmp(t1, resultT, sizeof(resultT))) return -69; - result = wc_AesGcmDecrypt(&enc, p2, c2, sizeof(p2), iv, sizeof(iv), - t2, sizeof(t2), a, sizeof(a)); + result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC), + iv1, sizeof(iv1), resultT, sizeof(resultT), a, sizeof(a)); if (result != 0) return -70; - if (memcmp(p, p2, sizeof(p2))) + if (memcmp(p, resultP, sizeof(resultP))) return -71; + memset(resultT, 0, sizeof(resultT)); + memset(resultC, 0, sizeof(resultC)); + memset(resultP, 0, sizeof(resultP)); + + wc_AesGcmSetKey(&enc, k2, sizeof(k2)); + /* AES-GCM encrypt and decrypt both use AES encrypt internally */ + wc_AesGcmEncrypt(&enc, resultC, p, sizeof(p), iv2, sizeof(iv2), + resultT, sizeof(resultT), a, sizeof(a)); + if (memcmp(c2, resultC, sizeof(resultC))) + return -230; + if (memcmp(t2, resultT, sizeof(resultT))) + return -231; + + result = wc_AesGcmDecrypt(&enc, resultP, resultC, sizeof(resultC), + iv2, sizeof(iv2), resultT, sizeof(resultT), a, sizeof(a)); + if (result != 0) + return -232; + if (memcmp(p, resultP, sizeof(resultP))) + return -233; + return 0; } From 3b102862b16885cfac236c637388910e0dccdd56 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 3 Nov 2015 16:57:38 -0800 Subject: [PATCH 028/177] exclude new AES-GCM test when in FIPS mode --- wolfcrypt/test/test.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index e22ac3908..991a15639 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -2780,6 +2780,7 @@ int aesgcm_test(void) 0xcd, 0xdf, 0x88, 0x53, 0xbb, 0x2d, 0x55, 0x1b }; +#ifndef HAVE_FIPS /* Test Case 12, uses same plaintext and AAD data. */ const byte k2[] = { @@ -2817,6 +2818,7 @@ int aesgcm_test(void) 0xdc, 0xf5, 0x66, 0xff, 0x29, 0x1c, 0x25, 0xbb, 0xb8, 0x56, 0x8f, 0xc3, 0xd3, 0x76, 0xa6, 0xd9 }; +#endif /* HAVE_FIPS */ byte resultT[sizeof(t1)]; byte resultP[sizeof(p)]; @@ -2843,6 +2845,7 @@ int aesgcm_test(void) if (memcmp(p, resultP, sizeof(resultP))) return -71; +#ifndef HAVE_FIPS memset(resultT, 0, sizeof(resultT)); memset(resultC, 0, sizeof(resultC)); memset(resultP, 0, sizeof(resultP)); @@ -2862,6 +2865,7 @@ int aesgcm_test(void) return -232; if (memcmp(p, resultP, sizeof(resultP))) return -233; +#endif /* HAVE_FIPS */ return 0; } From 124f1f8ce77ea47b89fe9c8fb63475371b9a4558 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 4 Nov 2015 11:55:04 -0800 Subject: [PATCH 029/177] switch gfmul to intel syntax in aes_asm.asm --- wolfcrypt/src/aes_asm.asm | 119 +++++++++++++++++++++----------------- 1 file changed, 66 insertions(+), 53 deletions(-) diff --git a/wolfcrypt/src/aes_asm.asm b/wolfcrypt/src/aes_asm.asm index 439dacc51..b880762d8 100644 --- a/wolfcrypt/src/aes_asm.asm +++ b/wolfcrypt/src/aes_asm.asm @@ -981,69 +981,82 @@ MAKE_RK256_b: gfmul PROC ; xmm0 holds operand a (128 bits) ; xmm1 holds operand b (128 bits) - ; rdi holds the pointer to output (128 bits) - movdqa %xmm0, %xmm3 - pclmulqdq $0, %xmm1, %xmm3 ; xmm3 holds a0*b0 - movdqa %xmm0, %xmm4 - pclmulqdq $16, %xmm1, %xmm4 ; xmm4 holds a0*b1 - movdqa %xmm0, %xmm5 - pclmulqdq $1, %xmm1, %xmm5 ; xmm5 holds a1*b0 - movdqa %xmm0, %xmm6 - pclmulqdq $17, %xmm1, %xmm6 ; xmm6 holds a1*b1 - pxor %xmm5, %xmm4 ; xmm4 holds a0*b1 + a1*b0 - movdqa %xmm4, %xmm5 - psrldq $8, %xmm4 - pslldq $8, %xmm5 - pxor %xmm5, %xmm3 - pxor %xmm4, %xmm6 ; holds the result of + ; r8 holds the pointer to output (128 bits) + + ; on microsoft xmm6-xmm15 are non volaitle, let's save on stack and restore at end + sub rsp,8+4*16 ; 8 = align stack , 4 xmm6-9 16 bytes each + movdqa [rsp+0], xmm6 + movdqa [rsp+16], xmm7 + movdqa [rsp+32], xmm8 + movdqa [rsp+48], xmm9 + + movdqa xmm3, xmm0 + pclmulqdq xmm3, xmm1, 0 ; xmm3 holds a0*b0 + movdqa xmm4, xmm0 + pclmulqdq xmm4, xmm1, 16 ; xmm4 holds a0*b1 + movdqa xmm5, xmm0 + pclmulqdq xmm5, xmm1, 1 ; xmm5 holds a1*b0 + movdqa xmm6, xmm0 + pclmulqdq xmm6, xmm1, 17 ; xmm6 holds a1*b1 + pxor xmm4, xmm5 ; xmm4 holds a0*b1 + a1*b0 + movdqa xmm5, xmm4 + psrldq xmm4, 8 + pslldq xmm5, 8 + pxor xmm3, xmm5 + pxor xmm6, xmm4 ; holds the result of ; the carry-less multiplication of ; xmm0 by xmm1 ; shift the result by one bit position to the left cope for the fact ; that bits are reversed - movdqa %xmm3, %xmm7 - movdqa %xmm6, %xmm8 - pslld $1, %xmm3 - pslld $1, %xmm6 - psrld $31, %xmm7 - psrld $31, %xmm8 - movdqa %xmm7, %xmm9 - pslldq $4, %xmm8 - pslldq $4, %xmm7 - psrldq $12, %xmm9 - por %xmm7, %xmm3 - por %xmm8, %xmm6 - por %xmm9, %xmm6 + movdqa xmm7, xmm3 + movdqa xmm8, xmm6 + pslld xmm3, 1 + pslld xmm6, 1 + psrld xmm7, 31 + psrld xmm8, 31 + movdqa xmm9, xmm7 + pslldq xmm8, 4 + pslldq xmm7, 4 + psrldq xmm9, 12 + por xmm3, xmm7 + por xmm6, xmm8 + por xmm6, xmm9 ; first phase of the reduction - movdqa %xmm3, %xmm7 - movdqa %xmm3, %xmm8 - movdqa %xmm3, %xmm9 - pslld $31, %xmm7 ; packed right shifting << 31 - pslld $30, %xmm8 ; packed right shifting shift << 30 - pslld $25, %xmm9 ; packed right shifting shift << 25 - pxor %xmm8, %xmm7 ; xor the shifted versions - pxor %xmm9, %xmm7 + movdqa xmm7, xmm3 + movdqa xmm8, xmm3 + movdqa xmm9, xmm3 + pslld xmm7, 31 ; packed right shifting << 31 + pslld xmm8, 30 ; packed right shifting shift << 30 + pslld xmm9, 25 ; packed right shifting shift << 25 + pxor xmm7, xmm8 ; xor the shifted versions + pxor xmm7, xmm9 - movdqa %xmm7, %xmm8 - pslldq $12, %xmm7 - psrldq $4, %xmm8 - pxor %xmm7, %xmm3 ; first phase of the reduction complete - movdqa %xmm3,%xmm2 ; second phase of the reduction - movdqa %xmm3,%xmm4 - movdqa %xmm3,%xmm5 - psrld $1, %xmm2 ; packed left shifting >> 1 - psrld $2, %xmm4 ; packed left shifting >> 2 - psrld $7, %xmm5 ; packed left shifting >> 7 + movdqa xmm8, xmm7 + pslldq xmm7, 12 + psrldq xmm8, 4 + pxor xmm3, xmm7 ; first phase of the reduction complete + movdqa xmm2, xmm3 ; second phase of the reduction + movdqa xmm4, xmm3 + movdqa xmm5, xmm3 + psrld xmm2, 1 ; packed left shifting >> 1 + psrld xmm4, 2 ; packed left shifting >> 2 + psrld xmm5, 7 ; packed left shifting >> 7 - pxor %xmm4, %xmm2 ; xor the shifted versions - pxor %xmm5, %xmm2 - pxor %xmm8, %xmm2 - pxor %xmm2, %xmm3 - pxor %xmm3, %xmm6 ; the result is in xmm6 - movdqu %xmm6, (%rdi) ; store the result + pxor xmm2, xmm4 ; xor the shifted versions + pxor xmm2, xmm5 + pxor xmm2, xmm8 + pxor xmm3, xmm2 + pxor xmm6, xmm3 ; the result is in xmm6 + movdqu [r8],xmm6 ; store the result - ; restore xmm6 and xmm7 + ; restore non volatile xmms from stack + movdqa xmm6, [rsp+0] + movdqa xmm7, [rsp+16] + movdqa xmm8, [rsp+32] + movdqa xmm9, [rsp+48] + add rsp,8+4*16 ; 8 = align stack , 4 xmm6-9 16 bytes each ret gfmul ENDP From 17c9494a2df7f697c2656876699b3c5ef5e3d76e Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 4 Nov 2015 13:26:38 -0800 Subject: [PATCH 030/177] fix gfmul intel calling convention --- wolfcrypt/src/aes_asm.asm | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfcrypt/src/aes_asm.asm b/wolfcrypt/src/aes_asm.asm index b880762d8..921d89a73 100644 --- a/wolfcrypt/src/aes_asm.asm +++ b/wolfcrypt/src/aes_asm.asm @@ -983,6 +983,10 @@ gfmul PROC ; xmm1 holds operand b (128 bits) ; r8 holds the pointer to output (128 bits) + ; convert to what we had for att&t convention + movdqa xmm0, [rcx] + movdqa xmm1, [rdx] + ; on microsoft xmm6-xmm15 are non volaitle, let's save on stack and restore at end sub rsp,8+4*16 ; 8 = align stack , 4 xmm6-9 16 bytes each movdqa [rsp+0], xmm6 From 62210186c736481dbbe5d34596d173a01e18ac14 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Wed, 4 Nov 2015 16:05:35 -0300 Subject: [PATCH 031/177] fix code logic to single if --- wolfcrypt/src/asn.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a29ce1527..be1c332b5 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8742,14 +8742,9 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, else { Signer* ca = GetCA(cm, resp->issuerHash); - if (ca) - { - ret = ConfirmSignature(resp->response, resp->responseSz, - ca->publicKey, ca->pubKeySize, ca->keyOID, - resp->sig, resp->sigSz, resp->sigOID, NULL); - } - if (!ca || ret == 0) - { + if (!ca || !ConfirmSignature(resp->response, resp->responseSz, + ca->publicKey, ca->pubKeySize, ca->keyOID, + resp->sig, resp->sigSz, resp->sigOID, NULL)) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); return ASN_OCSP_CONFIRM_E; } From dccbc1cdd453e3143b7f75556436e8248edadc6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Thu, 5 Nov 2015 11:36:11 -0300 Subject: [PATCH 032/177] fixes ocsp nonce extension decoding; enables use of ocsp nonce extension in the client example. --- examples/client/client.c | 4 ++-- wolfcrypt/src/asn.c | 11 +++++++++++ 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 5c888597d..f5d005acd 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -905,7 +905,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) | WOLFSSL_OCSP_URL_OVERRIDE); } else - wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); + wolfSSL_CTX_EnableOCSP(ctx, 0); } #endif @@ -1007,7 +1007,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) err_sys("UseCertificateStatusRequest failed"); - wolfSSL_CTX_EnableOCSP(ctx, WOLFSSL_OCSP_NO_NONCE); + wolfSSL_CTX_EnableOCSP(ctx, 0); } #endif diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index be1c332b5..4dcd65b79 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8579,6 +8579,17 @@ static int DecodeOcspRespExtensions(byte* source, } if (oid == OCSP_NONCE_OID) { + /* get data inside extra OCTET_STRING */ + if (source[idx++] != ASN_OCTET_STRING) { + WOLFSSL_MSG("\tfail: should be an OCTET STRING"); + return ASN_PARSE_E; + } + + if (GetLength(source, &idx, &length, sz) < 0) { + WOLFSSL_MSG("\tfail: extension data length"); + return ASN_PARSE_E; + } + resp->nonce = source + idx; resp->nonceSz = length; } From 05f4c83b980d95a7c92eb61f2f4dded8edcb5e69 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 5 Nov 2015 22:20:11 -0800 Subject: [PATCH 033/177] Optimizations to improve random number generation performance and provide additional ways to implement custom versions of custom random handlers. Added new "CUSTOM_RAND_TYPE" to define the datatype for the "CUSTOM_RAND_GENERATE" function. Added new "CUSTOM_RAND_GENERATE_SEED" option for anyone who wants to implement their own equivalent "wc_GenerateSeed()" function. Added generic FREESCALE_RNGA and FREESCALE_RNGB options. --- IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h | 3 +- wolfcrypt/src/random.c | 49 +++++++++++++++++++---- 2 files changed, 43 insertions(+), 9 deletions(-) diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h index 77ae6dbd4..0f648c1a3 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h +++ b/IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h @@ -18,7 +18,8 @@ /* Custom functions */ extern int custom_rand_generate(void); -#define CUSTOM_RAND_GENERATE custom_rand_generate +#define CUSTOM_RAND_GENERATE custom_rand_generate +#define CUSTOM_RAND_TYPE word32 #define WOLFSSL_USER_CURRTIME /* Debugging - Optional */ diff --git a/wolfcrypt/src/random.c b/wolfcrypt/src/random.c index 044a77021..3793b69b4 100644 --- a/wolfcrypt/src/random.c +++ b/wolfcrypt/src/random.c @@ -32,6 +32,12 @@ #include +#if defined(CUSTOM_RAND_GENERATE) && !defined(CUSTOM_RAND_TYPE) +/* To maintain compatiblity the default return vaule from CUSTOM_RAND_GENERATE is byte */ +#define CUSTOM_RAND_TYPE byte +#endif + + #ifdef HAVE_FIPS int wc_GenerateSeed(OS_Seed* os, byte* seed, word32 sz) { @@ -973,8 +979,22 @@ static int wc_GenerateRand_IntelRD(OS_Seed* os, byte* output, word32 sz) #endif /* HAVE_INTEL_RDGEN */ -#if defined(USE_WINDOWS_API) +/* wc_GenerateSeed Implementations */ +#if defined(CUSTOM_RAND_GENERATE_SEED) + /* Implement your own random generation function + * Return 0 to indicate success + * int rand_gen_seed(byte* output, word32 sz); + * #define CUSTOM_RAND_GENERATE_SEED rand_gen_seed */ + + int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) + { + (void)os; + return CUSTOM_RAND_GENERATE_SEED(output, sz); + } + + +#elif defined(USE_WINDOWS_API) int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) { @@ -1088,7 +1108,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) #elif defined(FREESCALE_MQX) || defined(FREESCALE_KSDK_MQX) || \ defined(FREESCALE_KSDK_BM) || defined(FREESCALE_FREE_RTOS) - #ifdef FREESCALE_K70_RNGA + #if defined(FREESCALE_K70_RNGA) || defined(FREESCALE_RNGA) /* * wc_Generates a RNG seed using the Random Number Generator Accelerator * on the Kinetis K70. Documentation located in Chapter 37 of @@ -1122,7 +1142,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) return 0; } - #elif defined(FREESCALE_K53_RNGB) + #elif defined(FREESCALE_K53_RNGB) || defined(FREESCALE_RNGB) /* * wc_Generates a RNG seed using the Random Number Generator (RNGB) * on the Kinetis K53. Documentation located in Chapter 33 of @@ -1165,7 +1185,7 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) { TRNG_DRV_GetRandomData(TRNG_INSTANCE, output, sz); - return(0); + return 0; } #else @@ -1273,12 +1293,25 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz) { - word32 i; + word32 i = 0; (void)os; - - for (i = 0; i < sz; i++ ) - output[i] = CUSTOM_RAND_GENERATE(); + + while (i < sz) + { + /* If not aligned or there is odd/remainder */ + if( (i + sizeof(CUSTOM_RAND_TYPE)) > sz || + ((wolfssl_word)&output[i] % sizeof(CUSTOM_RAND_TYPE)) != 0 + ) { + /* Single byte at a time */ + output[i++] = (byte)CUSTOM_RAND_GENERATE(); + } + else { + /* Use native 8, 16, 32 or 64 copy instruction */ + *((CUSTOM_RAND_TYPE*)&output[i]) = CUSTOM_RAND_GENERATE(); + i += sizeof(CUSTOM_RAND_TYPE); + } + } return 0; } From 099b6bc3df94b31e30b2de81f3b41cfdaecd288d Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 6 Nov 2015 09:41:16 -0800 Subject: [PATCH 034/177] Updated the Rowley Crossworks example so it builds due to new user-crypto. Tested and verified new "CUSTOM_RAND_TYPE" using 8, 16 and 32 bit values. --- IDE/ROWLEY-CROSSWORKS-ARM/hw.h | 2 +- IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c | 2 +- IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c | 2 +- IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp | 20 ++++++++++++++------ 4 files changed, 17 insertions(+), 9 deletions(-) diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/hw.h b/IDE/ROWLEY-CROSSWORKS-ARM/hw.h index 3a9bea546..1461f59bc 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/hw.h +++ b/IDE/ROWLEY-CROSSWORKS-ARM/hw.h @@ -10,4 +10,4 @@ uint32_t hw_get_time_sec(void); uint32_t hw_get_time_msec(void); void hw_uart_printchar(int c); void hw_watchdog_disable(void); -int hw_rand(void); +uint32_t hw_rand(void); diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c b/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c index f8fe62441..7dab09433 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c +++ b/IDE/ROWLEY-CROSSWORKS-ARM/kinetis_hw.c @@ -167,7 +167,7 @@ void hw_uart_printchar(int c) UART_PORT->D = (uint8_t)c; /* Send the character */ } -int hw_rand(void) +uint32_t hw_rand(void) { while((RNG->SR & RNG_SR_OREG_LVL(0xF)) == 0) {}; /* Wait until FIFO has a value available */ return RNG->OR; /* Return next value in FIFO output register */ diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c b/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c index 562f153c6..1929e868b 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c +++ b/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c @@ -29,7 +29,7 @@ double current_time(int reset) return time; } -int custom_rand_generate(void) +uint32_t custom_rand_generate(void) { return hw_rand(); } diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp index 9d20a1ba5..3221c59c1 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp +++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp @@ -10,12 +10,14 @@ project_type="Library" /> - + + + + + + + + + From e9348635a031b67475a00ee151e7771d46141220 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 9 Nov 2015 15:11:58 -0700 Subject: [PATCH 035/177] SAFESEH:NO in DLL Debug|Win32 --- examples/client/client.vcxproj | 1 + examples/echoclient/echoclient.vcxproj | 1 + examples/echoserver/echoserver.vcxproj | 1 + examples/server/server.vcxproj | 1 + testsuite/testsuite.vcxproj | 1 + wolfssl.vcxproj | 1 + 6 files changed, 6 insertions(+) diff --git a/examples/client/client.vcxproj b/examples/client/client.vcxproj index dec191d7a..a0416781a 100644 --- a/examples/client/client.vcxproj +++ b/examples/client/client.vcxproj @@ -193,6 +193,7 @@ true Console MachineX86 + false diff --git a/examples/echoclient/echoclient.vcxproj b/examples/echoclient/echoclient.vcxproj index a3a60545a..15e37985e 100644 --- a/examples/echoclient/echoclient.vcxproj +++ b/examples/echoclient/echoclient.vcxproj @@ -194,6 +194,7 @@ true Console MachineX86 + false diff --git a/examples/echoserver/echoserver.vcxproj b/examples/echoserver/echoserver.vcxproj index 096ba75c6..e25ceaa3c 100644 --- a/examples/echoserver/echoserver.vcxproj +++ b/examples/echoserver/echoserver.vcxproj @@ -194,6 +194,7 @@ true Console MachineX86 + false diff --git a/examples/server/server.vcxproj b/examples/server/server.vcxproj index f6b53fc57..a2f3251b7 100644 --- a/examples/server/server.vcxproj +++ b/examples/server/server.vcxproj @@ -194,6 +194,7 @@ true Console MachineX86 + false diff --git a/testsuite/testsuite.vcxproj b/testsuite/testsuite.vcxproj index 484a87584..beaa08322 100644 --- a/testsuite/testsuite.vcxproj +++ b/testsuite/testsuite.vcxproj @@ -193,6 +193,7 @@ true Console MachineX86 + false diff --git a/wolfssl.vcxproj b/wolfssl.vcxproj index 12bdaa708..d1834c78a 100644 --- a/wolfssl.vcxproj +++ b/wolfssl.vcxproj @@ -176,6 +176,7 @@ ws2_32.lib;%(AdditionalDependencies) false true + false From 417f85da8640f09c36f4b0cdeb44fa29130dbda5 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 9 Nov 2015 14:48:39 -0800 Subject: [PATCH 036/177] use gmtime_r if there --- configure.ac | 1 + wolfcrypt/src/asn.c | 11 ++++++++--- 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index dca8dc4ac..6c5e5e93e 100644 --- a/configure.ac +++ b/configure.ac @@ -70,6 +70,7 @@ m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])]) AC_CHECK_FUNCS([gethostbyname]) AC_CHECK_FUNCS([getaddrinfo]) AC_CHECK_FUNCS([gettimeofday]) +AC_CHECK_FUNCS([gmtime_r]) AC_CHECK_FUNCS([inet_ntoa]) AC_CHECK_FUNCS([memset]) AC_CHECK_FUNCS([socket]) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 4dcd65b79..88073abd2 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -200,7 +200,12 @@ /* uses complete facility */ #include #define XTIME(tl) time((tl)) - #define XGMTIME(c, t) gmtime((c)) + #ifdef HAVE_GMTIME_R + #define XGMTIME(c, t) gmtime_r((c), (t)) + #define NEED_TMP_TIME + #else + #define XGMTIME(c, t) gmtime((c)) + #endif #define XVALIDATE_DATE(d, f, t) ValidateDate((d), (f), (t)) #endif @@ -2558,7 +2563,7 @@ int ValidateDate(const byte* date, byte format, int dateType) int diffHH = 0 ; int diffMM = 0 ; int diffSign = 0 ; -#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) +#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) || defined(NEED_TMP_TIME) struct tm tmpTimeStorage; tmpTime = &tmpTimeStorage; #else @@ -5754,7 +5759,7 @@ static int SetValidity(byte* output, int daysValid) struct tm* tmpTime = NULL; struct tm local; -#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) +#if defined(FREESCALE_MQX) || defined(TIME_OVERRIDES) || defined(NEED_TMP_TIME) /* for use with gmtime_r */ struct tm tmpTimeStorage; tmpTime = &tmpTimeStorage; From 906be9fb207e82abc84bf640bc265efcfdb0b927 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 9 Nov 2015 14:55:09 -0800 Subject: [PATCH 037/177] add printf to logger w/o callbacks w/ WOLFSSL_LOG_PRINTF --- wolfcrypt/src/logging.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index f2d155bb0..fb90c6dcc 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -119,6 +119,8 @@ static void wolfssl_log(const int logLevel, const char *const logMessage) fflush(stdout) ; printf("%s\n", logMessage); fflush(stdout) ; +#elif defined(WOLFSSL_LOG_PRINTF) + printf("%s\n", logMessage); #else fprintf(stderr, "%s\n", logMessage); #endif From 6efd8e2db03bc608fd05de28f7a486d4bff881cf Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 9 Nov 2015 14:58:20 -0800 Subject: [PATCH 038/177] fix unused PemToDer() vars depending on build options --- src/ssl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index cd2acef55..d3ed8a72c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2551,6 +2551,9 @@ int PemToDer(const unsigned char* buff, long longSz, int type, int sz = (int)longSz; int encrypted_key = 0; + (void)dynamicType; + (void)heap; + WOLFSSL_ENTER("PemToDer"); switch (type) { From 9b8f26329d228129b5e33861848670d53752f91c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Tue, 10 Nov 2015 17:38:42 -0300 Subject: [PATCH 039/177] improves srp unit test to use random salt; --- wolfcrypt/test/test.c | 52 ++++++++++++++++++++++++++++--------------- 1 file changed, 34 insertions(+), 18 deletions(-) diff --git a/wolfcrypt/test/test.c b/wolfcrypt/test/test.c index 991a15639..b2885382f 100644 --- a/wolfcrypt/test/test.c +++ b/wolfcrypt/test/test.c @@ -5398,6 +5398,23 @@ int dsa_test(void) #ifdef WOLFCRYPT_HAVE_SRP +static int generate_random_salt(byte *buf, word32 size) +{ + int ret = -1; + WC_RNG rng; + + if(NULL == buf || !size) + return -1; + + if (buf && size && wc_InitRng(&rng) == 0) { + ret = wc_RNG_GenerateBlock(&rng, (byte *)buf, size); + + wc_FreeRng(&rng); + } + + return ret; +} + int srp_test(void) { Srp cli, srv; @@ -5432,26 +5449,29 @@ int srp_test(void) 0x02 }; - byte salt[] = { - 0xB2, 0xE5, 0x8E, 0xCC, 0xD0, 0xCF, 0x9D, 0x10, 0x3A, 0x56 - }; + byte salt[10]; - byte verifier[] = { - 0x7C, 0xAB, 0x17, 0xFE, 0x54, 0x3E, 0x8C, 0x13, 0xF2, 0x3D, 0x21, 0xE7, - 0xD2, 0xAF, 0xAF, 0xDB, 0xA1, 0x52, 0x69, 0x9D, 0x49, 0x01, 0x79, 0x91, - 0xCF, 0xD1, 0x3F, 0xE5, 0x28, 0x72, 0xCA, 0xBE, 0x13, 0xD1, 0xC2, 0xDA, - 0x65, 0x34, 0x55, 0x8F, 0x34, 0x0E, 0x05, 0xB8, 0xB4, 0x0F, 0x7F, 0x6B, - 0xBB, 0xB0, 0x6B, 0x50, 0xD8, 0xB1, 0xCC, 0xB7, 0x81, 0xFE, 0xD4, 0x42, - 0xF5, 0x11, 0xBC, 0x8A, 0x28, 0xEB, 0x50, 0xB3, 0x46, 0x08, 0xBA, 0x24, - 0xA2, 0xFB, 0x7F, 0x2E, 0x0A, 0xA5, 0x33, 0xCC - }; + byte verifier[80]; + word32 v_size = sizeof(verifier); + + /* generating random salt */ + + r = generate_random_salt(salt, sizeof(salt)); /* client knows username and password. */ /* server knows N, g, salt and verifier. */ - r = wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE); + if (!r) r = wc_SrpInit(&cli, SRP_TYPE_SHA, SRP_CLIENT_SIDE); if (!r) r = wc_SrpSetUsername(&cli, username, usernameSz); + /* loading N, g and salt in advance to generate the verifier. */ + + if (!r) r = wc_SrpSetParams(&cli, N, sizeof(N), + g, sizeof(g), + salt, sizeof(salt)); + if (!r) r = wc_SrpSetPassword(&cli, password, passwordSz); + if (!r) r = wc_SrpGetVerifier(&cli, verifier, &v_size); + /* client sends username to server */ if (!r) r = wc_SrpInit(&srv, SRP_TYPE_SHA, SRP_SERVER_SIDE); @@ -5459,15 +5479,11 @@ int srp_test(void) if (!r) r = wc_SrpSetParams(&srv, N, sizeof(N), g, sizeof(g), salt, sizeof(salt)); - if (!r) r = wc_SrpSetVerifier(&srv, verifier, sizeof(verifier)); + if (!r) r = wc_SrpSetVerifier(&srv, verifier, v_size); if (!r) r = wc_SrpGetPublic(&srv, serverPubKey, &serverPubKeySz); /* server sends N, g, salt and B to client */ - if (!r) r = wc_SrpSetParams(&cli, N, sizeof(N), - g, sizeof(g), - salt, sizeof(salt)); - if (!r) r = wc_SrpSetPassword(&cli, password, passwordSz); if (!r) r = wc_SrpGetPublic(&cli, clientPubKey, &clientPubKeySz); if (!r) r = wc_SrpComputeKey(&cli, clientPubKey, clientPubKeySz, serverPubKey, serverPubKeySz); From c3a249009f02b6694c2c2305b3d0d13b39acb489 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 10 Nov 2015 15:29:05 -0700 Subject: [PATCH 040/177] allow openssl extra tests if configuration supports --- wolfcrypt/src/integer.c | 3 ++- wolfcrypt/src/tfm.c | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index fa967a6ef..933b78d33 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -3828,7 +3828,8 @@ int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c) #if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(WOLFSSL_SNIFFER) || \ - defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN) + defined(WOLFSSL_HAVE_WOLFSCEP) || defined(WOLFSSL_KEY_GEN) || \ + defined(OPENSSL_EXTRA) /* single digit addition */ int mp_add_d (mp_int* a, mp_digit b, mp_int* c) diff --git a/wolfcrypt/src/tfm.c b/wolfcrypt/src/tfm.c index 6963ed022..21e7a62ae 100644 --- a/wolfcrypt/src/tfm.c +++ b/wolfcrypt/src/tfm.c @@ -2716,7 +2716,7 @@ void fp_gcd(fp_int *a, fp_int *b, fp_int *c) #endif /* WOLFSSL_KEY_GEN */ -#if defined(HAVE_ECC) || !defined(NO_PWDBASED) +#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(OPENSSL_EXTRA) /* c = a + b */ void fp_add_d(fp_int *a, fp_digit b, fp_int *c) { From 3211817f5902611feac85a824cea6d0053cdec21 Mon Sep 17 00:00:00 2001 From: Vikram Adiga Date: Wed, 4 Nov 2015 17:49:26 -0800 Subject: [PATCH 041/177] fix TI-RTOS makefiles to build wolfSSL from local dir Signed-off-by: Vikram Adiga --- tirtos/include.am | 1 + tirtos/products.mak | 30 ++++++++++++++++++++++++++++++ tirtos/wolfssl.bld | 14 +++++++------- tirtos/wolfssl.mak | 32 +++++++++++--------------------- 4 files changed, 49 insertions(+), 28 deletions(-) create mode 100644 tirtos/products.mak diff --git a/tirtos/include.am b/tirtos/include.am index 0e2f7a902..7299c438e 100644 --- a/tirtos/include.am +++ b/tirtos/include.am @@ -6,6 +6,7 @@ EXTRA_DIST += \ tirtos/README \ tirtos/wolfssl.bld \ tirtos/wolfssl.mak \ + tirtos/products.mak \ tirtos/packages/ti/net/wolfssl/package.bld \ tirtos/packages/ti/net/wolfssl/package.xdc \ tirtos/packages/ti/net/wolfssl/package.xs \ diff --git a/tirtos/products.mak b/tirtos/products.mak new file mode 100644 index 000000000..8bf1823db --- /dev/null +++ b/tirtos/products.mak @@ -0,0 +1,30 @@ +# +# ======== products.mak ======== +# +# +# Read the http://processors.wiki.ti.com/index.php/Using_wolfSSL_with_TI-RTOS +# for instructions to download the software required. + +# XDC_INSTALL_DIR is the path to XDCtools directory. +XDC_INSTALL_DIR = + +# BIOS_INSTALL_DIR is the path to TI-RTOS Kernel (SYS/BIOS) directory. If you +# have installed TI-RTOS, it is located in the products/bios_* path. +BIOS_INSTALL_DIR = + +# NDK_INSTALL_DIR is the path to TI-RTOS NDK directory. If you have +# installed TI-RTOS, it is located in the products/ndk_* path. +NDK_INSTALL_DIR = + +# TIVAWARE_INSTALL_DIR is the path to Tivaware driverlib directory. If you have +# installed TI-RTOS, it is located in the products/TivaWare_* path. +TIVAWARE_INSTALL_DIR = + +# Define the code generation tools path for TI, IAR and GCC ARM compilers. +# If you have installed Code Composer Studio, the TI and GCC compiler are +# located in the ccsv*/tools/compiler/* path. +# +# Leave assignment empty to disable any toolchain. +ti.targets.arm.elf.M4F = +iar.targets.arm.M4F = +gnu.targets.arm.M4F = diff --git a/tirtos/wolfssl.bld b/tirtos/wolfssl.bld index 1c1e55ef5..59e95103b 100644 --- a/tirtos/wolfssl.bld +++ b/tirtos/wolfssl.bld @@ -34,7 +34,7 @@ var armOpts = " -ms "; var gnuOpts = " -D_POSIX_SOURCE "; var iarOpts = " --diag_suppress=Pa134 "; -var TivaWareDir = ""; +var ndkDir = ""; /* Uncomment the following lines to build libraries for debug mode: */ // Pkg.attrs.profile = "debug"; @@ -57,7 +57,7 @@ var ccOpts = { for (arg = 0; arg < arguments.length; arg++) { /* * Get the compiler's installation directory. - * For "ti.targets.arm.elf.M4F=/vendors/arm/6.1.0", + * For "ti.targets.arm.elf.M4F=/vendors/arm/6.1.0", * we get "/vendors/arm/6.1.0" */ var targetName = arguments[arg].split("=")[0]; @@ -68,8 +68,8 @@ for (arg = 0; arg < arguments.length; arg++) { continue; } - if (targetName.match(/^TIVAWARE/) ) { - TivaWareDir = rootDir; + if (targetName.match(/^NDK/) ) { + ndkDir = rootDir; continue; } @@ -81,9 +81,9 @@ for (arg = 0; arg < arguments.length; arg++) { } /* Include Path (needed to find NDK headers) */ -var ndkPath = "$(NDK_INSTALL_DIR)/packages/ti/ndk/"; -var wolfsslPathInclude = " -I" + ndkPath + "/inc/bsd -DWOLFSSL_TIRTOS "; +var wolfsslPathInclude = " -I" + ndkDir + "/packages/ti/ndk/inc/bsd " + + "-DWOLFSSL_TIRTOS "; /* lib/ is a generated directory that 'xdc clean' should remove */ -var Pkg = xdc.useModule('xdc.bld.PackageContents'); +var Pkg = xdc.useModule('xdc.bld.PackageContents'); Pkg.generatedFiles.$add("lib/"); diff --git a/tirtos/wolfssl.mak b/tirtos/wolfssl.mak index 5ab82c065..c419e1a38 100644 --- a/tirtos/wolfssl.mak +++ b/tirtos/wolfssl.mak @@ -1,27 +1,17 @@ # # ======== wolfssl.mak ======== # +include ./products.mak -# USER OPTIONAL STEP: These variables are set when building wolfssl -# through the tirtos.mak -# Set up dependencies -XDC_INSTALL_DIR ?= C:/ti/xdctools_3_24_02_30 -SYSBIOS_INSTALL_DIR ?= C:/ti/bios_6_34_01_14 -NDK_INSTALL_DIR ?= C:/ti/ndk_2_24_00_02 -TIRTOS_INSTALLATION_DIR ?= C:/ti/tirtos_tivac_2_00_00_22 -TIVAWARE ?= C:/ti/tivaware -WOLFSSL_INSTALL_DIR ?= C:/wolfssl/wolfssl-2.9.4 +# Enable older TI-RTOS 2.14-based variables +ifeq ($(BIOS_INSTALL_DIR),) + BIOS_INSTALL_DIR=$(SYSBIOS_INSTALL_DIR) +endif +ifeq ($(TIVAWARE_INSTALL_DIR),) + TIVAWARE_INSTALL_DIR=$(TIVAWARE) +endif -# -# Set location of various cgtools -# These variables can be set here or on the command line. These -# variables are set when building wolfssl through tirtos.mak -# USER OPTIONAL STEP: user can define below paths to compilers -ti.targets.arm.elf.M4F ?= - -gnu.targets.arm.M4F ?= - -iar.targets.arm.M4F ?= +WOLFSSL_INSTALL_DIR=$(CURDIR)/../ # # Set XDCARGS to some of the variables above. XDCARGS are passed @@ -40,12 +30,12 @@ XDCARGS= \ ti.targets.arm.elf.M4F=\"$(ti.targets.arm.elf.M4F)\" \ gnu.targets.arm.M4F=\"$(gnu.targets.arm.M4F)\" \ iar.targets.arm.M4F=\"$(iar.targets.arm.M4F)\" \ - TIVAWARE=\"$(TIVAWARE)\" + NDK=\"$(NDK_INSTALL_DIR)\" # # Set XDCPATH to contain necessary repositories. # -XDCPATH = $(SYSBIOS_INSTALL_DIR)/packages;$(NDK_INSTALL_DIR)/packages;$(WOLFSSL_INSTALL_DIR);$(TIRTOS_INSTALLATION_DIR)/packages;$(TIVAWARE); +XDCPATH = $(BIOS_INSTALL_DIR)/packages;$(NDK_INSTALL_DIR)/packages;$(WOLFSSL_INSTALL_DIR);$(TIVAWARE_INSTALL_DIR) export XDCPATH # From 196b965be56a4c3bc66af92f856c8c7143866114 Mon Sep 17 00:00:00 2001 From: Vikram Adiga Date: Tue, 10 Nov 2015 17:55:04 -0800 Subject: [PATCH 042/177] add HAVE_ECC to WolfSSL/TI-RTOS settings --- wolfssl/wolfcrypt/settings.h | 1 + 1 file changed, 1 insertion(+) diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index 546055c86..d49be050d 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -449,6 +449,7 @@ static char *fgets(char *buff, int sz, FILE *fp) #define USE_CERT_BUFFERS_2048 #define NO_ERROR_STRINGS #define USER_TIME + #define HAVE_ECC #ifdef __IAR_SYSTEMS_ICC__ #pragma diag_suppress=Pa089 From e49b12c7cc5578d18d46cf578d3d8862a4e91f4d Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Wed, 11 Nov 2015 11:43:38 -0700 Subject: [PATCH 043/177] Make get_shutdown return correct results with stunnel --- src/ssl.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d3ed8a72c..bf94d35a7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -9952,13 +9952,10 @@ void wolfSSL_set_connect_state(WOLFSSL* ssl) int wolfSSL_get_shutdown(const WOLFSSL* ssl) { WOLFSSL_ENTER("wolfSSL_get_shutdown"); -#ifdef HAVE_STUNNEL - return (ssl->options.sentNotify << 1) | (ssl->options.closeNotify); -#else - return (ssl->options.isClosed || - ssl->options.connReset || - ssl->options.sentNotify); -#endif + /* in OpenSSL, SSL_SENT_SHUTDOWN = 1, when closeNotifySent * + * SSL_RECEIVED_SHUTDOWN = 2, from close notify or fatal err */ + return ((ssl->options.closeNotify||ssl->options.connReset) << 1) + | (ssl->options.sentNotify); } From 302fd05edd3180d6dc3b1faa62215c5d40ccdd95 Mon Sep 17 00:00:00 2001 From: Takashi Kojo Date: Thu, 12 Nov 2015 15:31:58 +0900 Subject: [PATCH 044/177] Change "//" to "/* */" comment. Removed unreferred functions. --- wolfcrypt/src/port/pic32/pic32mz-hash.c | 71 ++++++++++--------------- 1 file changed, 28 insertions(+), 43 deletions(-) diff --git a/wolfcrypt/src/port/pic32/pic32mz-hash.c b/wolfcrypt/src/port/pic32/pic32mz-hash.c index c293afacd..c2dbfcd43 100644 --- a/wolfcrypt/src/port/pic32/pic32mz-hash.c +++ b/wolfcrypt/src/port/pic32/pic32mz-hash.c @@ -72,7 +72,7 @@ static void reset_engine(pic32mz_desc *desc, int algo) uc_desc->bd[i].NXTPTR = KVA_TO_PA(&uc_desc->bd[0]); XMEMSET((void *)&dataBuffer[i], 0, PIC32_BLOCK_SIZE); } - uc_desc->bd[0].BD_CTRL.SA_FETCH_EN = 1; // Fetch the security association on the first BD + uc_desc->bd[0].BD_CTRL.SA_FETCH_EN = 1; /* Fetch the security association on the first BD */ desc->dbPtr = 0; desc->currBd = 0; desc->msgSize = 0; @@ -86,49 +86,45 @@ static void reset_engine(pic32mz_desc *desc, int algo) #define PIC32MZ_IF_RAM(addr) (KVA_TO_PA(addr) < 0x80000) -static void update_data_size(pic32mz_desc *desc, word32 msgSize) -{ - desc->msgSize = msgSize; -} - -static void update_engine(pic32mz_desc *desc, const char *input, word32 len, +static void update_engine(pic32mz_desc *desc, const byte *input, word32 len, word32 *hash) { int total ; pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc); uc_desc->bd[desc->currBd].UPDPTR = KVA_TO_PA(hash); - // Add the data to the current buffer. If the buffer fills, start processing it - // and fill the next one. + /* Add the data to the current buffer. If the buffer fills, start processing it + and fill the next one. */ while (len) { - // If the engine is processing the current BD, spin. -// if (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN) -// continue; + /* If the engine is processing the current BD, spin. + if (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN) + continue; */ if (desc->msgSize) { - // If we've been given the message size, we can process along the - // way. - // Enable the current buffer descriptor if it is full. + /* If we've been given the message size, we can process along the + way. + Enable the current buffer descriptor if it is full. */ if (desc->dbPtr >= PIC32_BLOCK_SIZE) { - // Wrap up the buffer descriptor and enable it so the engine can process + /* Wrap up the buffer descriptor and enable it so the engine can process */ uc_desc->bd[desc->currBd].MSGLEN = desc->msgSize; uc_desc->bd[desc->currBd].BD_CTRL.BUFLEN = desc->dbPtr; uc_desc->bd[desc->currBd].BD_CTRL.LAST_BD = 0; uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 0; - //SYS_DEVCON_DataCacheClean((word32)desc, sizeof(pic32mz_desc)); + /* SYS_DEVCON_DataCacheClean((word32)desc, sizeof(pic32mz_desc)); */ uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN = 1; - // Move to the next buffer descriptor, or wrap around. + /* Move to the next buffer descriptor, or wrap around. */ desc->currBd++; if (desc->currBd >= PIC32MZ_MAX_BD) desc->currBd = 0; - // Wait until the engine has processed the new BD. + /* Wait until the engine has processed the new BD. */ while (uc_desc->bd[desc->currBd].BD_CTRL.DESC_EN); uc_desc->bd[desc->currBd].UPDPTR = KVA_TO_PA(hash); desc->dbPtr = 0; } - if (!PIC32MZ_IF_RAM(input)) // If we're inputting from flash, let the BD have the address and max the buffer size + if (!PIC32MZ_IF_RAM(input)) /* If we're inputting from flash, let the BD have + the address and max the buffer size */ { uc_desc->bd[desc->currBd].SRCADDR = KVA_TO_PA(input); total = (len > PIC32MZ_MAX_BLOCK ? PIC32MZ_MAX_BLOCK : len); @@ -140,7 +136,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len, { if (len > PIC32_BLOCK_SIZE - desc->dbPtr) { - // We have more data than can be put in the buffer. Fill what we can. + /* We have more data than can be put in the buffer. Fill what we can.*/ total = PIC32_BLOCK_SIZE - desc->dbPtr; XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, total); len -= total; @@ -149,7 +145,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len, } else { - // Fill up what we have, but don't turn on the engine. + /* Fill up what we have, but don't turn on the engine.*/ XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, len); desc->dbPtr += len; len = 0; @@ -158,13 +154,13 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len, } else { - // We have to buffer everything and keep track of how much has been - // added in order to get a total size. If the buffer fills, we move - // to the next one. If we try to add more when the last buffer is - // full, we error out. + /* We have to buffer everything and keep track of how much has been + added in order to get a total size. If the buffer fills, we move + to the next one. If we try to add more when the last buffer is + full, we error out. */ if (desc->dbPtr == PIC32_BLOCK_SIZE) { - // We filled the last BD buffer, so move on to the next one + /* We filled the last BD buffer, so move on to the next one */ uc_desc->bd[desc->currBd].BD_CTRL.LAST_BD = 0; uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 0; uc_desc->bd[desc->currBd].BD_CTRL.BUFLEN = PIC32_BLOCK_SIZE; @@ -178,7 +174,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len, } if (len > PIC32_BLOCK_SIZE - desc->dbPtr) { - // We have more data than can be put in the buffer. Fill what we can. + /* We have more data than can be put in the buffer. Fill what we can. */ total = PIC32_BLOCK_SIZE - desc->dbPtr; XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, total); len -= total; @@ -188,7 +184,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len, } else { - // Fill up what we have + /* Fill up what we have */ XMEMCPY(&dataBuffer[desc->currBd][desc->dbPtr], input, len); desc->dbPtr += len; desc->processed += len; @@ -199,7 +195,7 @@ static void update_engine(pic32mz_desc *desc, const char *input, word32 len, } static void start_engine(pic32mz_desc *desc) { - // Wrap up the last buffer descriptor and enable it + /* Wrap up the last buffer descriptor and enable it */ int i ; int bufferLen ; pic32mz_desc *uc_desc = KVA0_TO_KVA1(desc); @@ -212,8 +208,8 @@ static void start_engine(pic32mz_desc *desc) { uc_desc->bd[desc->currBd].BD_CTRL.LIFM = 1; if (desc->msgSize == 0) { - // We were not given the size, so now we have to go through every BD - // and give it what will be processed, and enable them. + /* We were not given the size, so now we have to go through every BD + and give it what will be processed, and enable them. */ for (i = desc->currBd; i >= 0; i--) { uc_desc->bd[i].MSGLEN = desc->processed; @@ -251,17 +247,6 @@ void wait_engine(pic32mz_desc *desc, char *hash, int hash_sz) { } } -static int fillBuff(char *buff, int *bufflen, const char *data, int len, int blocksz) -{ - int room, copysz ; - - room = blocksz - *bufflen ; - copysz = (len <= room) ? len : room ; - XMEMCPY(buff, data, copysz) ; - *bufflen += copysz ; - return (*bufflen == blocksz) ? 1 : 0 ; -} - #endif #ifndef NO_MD5 From f692c8cefb850557bb635a891c57d1d878234396 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 12 Nov 2015 09:36:14 -0800 Subject: [PATCH 045/177] New hash and signature wrapper functions: 1. Added new hash wrapper function "wc_Hash". Hash functions support Md# and SHA# using "enum wc_HashType". Added new "wc_HashGetDigestSize" function to get hash size (returns 0 if not supported). 2. Added new signature wrapper functions "wc_SignatureGenerate" and "wc_SignatureVerify" to perform hash then sign/verify of bytes. Signature functions support ECC and RSA using "enum wc_SignatureType". Added new "wc_SignatureGetSize" function to get the signature size using the key (returns 0 if not supported). --- src/include.am | 3 +- wolfcrypt/src/hash.c | 127 ++++++++++++++++++++- wolfcrypt/src/signature.c | 204 ++++++++++++++++++++++++++++++++++ wolfssl/wolfcrypt/hash.h | 38 ++++++- wolfssl/wolfcrypt/include.am | 1 + wolfssl/wolfcrypt/signature.h | 63 +++++++++++ 6 files changed, 428 insertions(+), 8 deletions(-) create mode 100644 wolfcrypt/src/signature.c create mode 100644 wolfssl/wolfcrypt/signature.h diff --git a/src/include.am b/src/include.am index a442f4b63..c65e8d263 100644 --- a/src/include.am +++ b/src/include.am @@ -95,7 +95,8 @@ src_libwolfssl_la_SOURCES += \ wolfcrypt/src/logging.c \ wolfcrypt/src/wc_encrypt.c \ wolfcrypt/src/wc_port.c \ - wolfcrypt/src/error.c + wolfcrypt/src/error.c \ + wolfcrypt/src/signature.c if BUILD_MEMORY src_libwolfssl_la_SOURCES += wolfcrypt/src/memory.c diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index 58fce69f8..95a54f7be 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -27,10 +27,129 @@ #include #include -#if !defined(WOLFSSL_TI_HASH) - #include +#ifdef WOLFSSL_MD2 +#include +#endif +#ifndef NO_MD4 +#include +#endif +#ifndef NO_MD5 +#include +#endif + + +/* Get Hash digest size */ +word32 wc_HashGetDigestSize(enum wc_HashType hash_type) +{ + word32 dig_size = 0; + switch(hash_type) + { +#ifdef WOLFSSL_MD2 + case WC_HASH_TYPE_MD2: + dig_size = MD2_DIGEST_SIZE; + break; +#endif +#ifndef NO_MD4 + case WC_HASH_TYPE_MD4: + dig_size = MD4_DIGEST_SIZE; + break; +#endif +#ifndef NO_MD5 + case WC_HASH_TYPE_MD5: + dig_size = MD5_DIGEST_SIZE; + break; +#endif +#ifndef NO_SHA + case WC_HASH_TYPE_SHA: + dig_size = SHA_DIGEST_SIZE; + break; +#endif +#ifndef NO_SHA256 + case WC_HASH_TYPE_SHA256: + dig_size = SHA256_DIGEST_SIZE; + break; +#endif +#ifdef WOLFSSL_SHA512 +#ifdef WOLFSSL_SHA384 + case WC_HASH_TYPE_SHA384: + dig_size = SHA384_DIGEST_SIZE; + break; +#endif /* WOLFSSL_SHA384 */ + case WC_HASH_TYPE_SHA512: + dig_size = SHA512_DIGEST_SIZE; + break; +#endif /* WOLFSSL_SHA512 */ + + case WC_HASH_TYPE_NONE: + default: + break; + } + return dig_size; +} + +/* Generic Hashing Wrapper */ +int wc_Hash(enum wc_HashType hash_type, const byte* data, + word32 data_len, byte* hash, word32 hash_len) +{ + int ret = 0; + word32 dig_size; + + /* Validate hash buffer size */ + dig_size = wc_HashGetDigestSize(hash_type); + if (hash_len < dig_size) { + return BUFFER_E; + } + + switch(hash_type) + { +#ifdef WOLFSSL_MD2 + case WC_HASH_TYPE_MD2: + ret = wc_Md2Hash(data, data_len, hash); + break; +#endif +#ifndef NO_MD4 + case WC_HASH_TYPE_MD4: + ret = wc_Md4Hash(data, data_len, hash); + break; +#endif +#ifndef NO_MD5 + case WC_HASH_TYPE_MD5: + ret = wc_Md5Hash(data, data_len, hash); + break; +#endif +#ifndef NO_SHA + case WC_HASH_TYPE_SHA: + ret = wc_ShaHash(data, data_len, hash); + break; +#endif +#ifndef NO_SHA256 + case WC_HASH_TYPE_SHA256: + ret = wc_Sha256Hash(data, data_len, hash); + break; +#endif +#ifdef WOLFSSL_SHA512 +#ifdef WOLFSSL_SHA384 + case WC_HASH_TYPE_SHA384: + ret = wc_Sha384Hash(data, data_len, hash); + break; +#endif /* WOLFSSL_SHA384 */ + case WC_HASH_TYPE_SHA512: + ret = wc_Sha512Hash(data, data_len, hash); + break; +#endif /* WOLFSSL_SHA512 */ + + case WC_HASH_TYPE_NONE: + default: + break; + } + return ret; +} + + +#if !defined(WOLFSSL_TI_HASH) + #if !defined(NO_MD5) void wc_Md5GetHash(Md5* md5, byte* hash) { @@ -55,7 +174,7 @@ int wc_ShaGetHash(Sha* sha, byte* hash) return ret ; } -WOLFSSL_API void wc_ShaRestorePos(Sha* s1, Sha* s2) { +void wc_ShaRestorePos(Sha* s1, Sha* s2) { *s1 = *s2 ; } @@ -102,7 +221,7 @@ int wc_Sha256GetHash(Sha256* sha256, byte* hash) return ret ; } -WOLFSSL_API void wc_Sha256RestorePos(Sha256* s1, Sha256* s2) { +void wc_Sha256RestorePos(Sha256* s1, Sha256* s2) { *s1 = *s2 ; } diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c new file mode 100644 index 000000000..d3a5799fa --- /dev/null +++ b/wolfcrypt/src/signature.c @@ -0,0 +1,204 @@ +/* signature.c + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include +#include +#include + +#ifdef HAVE_ECC +#include +#endif +#ifndef NO_RSA +#include +#endif + + +word32 wc_SignatureGetSize(enum wc_SignatureType sig_type, + const void* key, word32 key_len) +{ + word32 sig_len = 0; + + switch(sig_type) { +#ifdef HAVE_ECC + case WC_SIGNATURE_TYPE_ECC: + { + if (key_len < sizeof(ecc_key)) { + return BAD_FUNC_ARG; + } + sig_len = wc_ecc_sig_size((ecc_key*)key); + break; + } +#endif +#ifndef NO_RSA + case WC_SIGNATURE_TYPE_RSA: + if (key_len < sizeof(RsaKey)) { + return BAD_FUNC_ARG; + } + sig_len = wc_RsaEncryptSize((RsaKey*)key); + break; +#endif + + case WC_SIGNATURE_TYPE_NONE: + default: + break; + } + return sig_len; +} + +int wc_SignatureVerify( + enum wc_HashType hash_type, enum wc_SignatureType sig_type, + const byte* data, word32 data_len, + const byte* sig, word32 sig_len, + const void* key, word32 key_len) +{ + int ret, hash_len; + byte *hash_data = NULL; + + /* Validate hash size */ + hash_len = wc_HashGetDigestSize(hash_type); + if (hash_len <= 0) { + return BAD_FUNC_ARG; + } + + /* Allocate temporary buffer for hash data */ + hash_data = XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (hash_data == NULL) { + return MEMORY_E; + } + + /* Perform hash of data */ + ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len); + if(ret != 0) { + goto exit; + } + + /* Verify signature using hash as data */ + switch(sig_type) { +#ifdef HAVE_ECC + case WC_SIGNATURE_TYPE_ECC: + { + int is_valid_sig = -1; + + /* Validate key size */ + if (key_len < sizeof(ecc_key)) { + return BAD_FUNC_ARG; + } + /* Perform verification of signature using provided ECC key */ + ret = wc_ecc_verify_hash(sig, sig_len, hash_data, hash_len, &is_valid_sig, (ecc_key*)key); + if (ret != 0 || is_valid_sig != 1) { + ret = -1; + } + break; + } +#endif +#ifndef NO_RSA + case WC_SIGNATURE_TYPE_RSA: + /* Validate key size */ + if (key_len < sizeof(ecc_key)) { + return BAD_FUNC_ARG; + } + /* Perform verification of signature using provided RSA key */ + ret = wc_RsaSSL_Verify(sig, sig_len, hash_data, hash_len, (RsaKey*)key); + break; +#endif + + case WC_SIGNATURE_TYPE_NONE: + default: + break; + } + +exit: + if (hash_data) { + XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + return ret; +} + +int wc_SignatureGenerate( + enum wc_HashType hash_type, enum wc_SignatureType sig_type, + const byte* data, word32 data_len, + byte* sig, word32 *sig_len, + const void* key, word32 key_len, RNG* rng) +{ + int ret, hash_len; + byte *hash_data = NULL; + + /* Validate hash size */ + hash_len = wc_HashGetDigestSize(hash_type); + if (hash_len <= 0) { + return BAD_FUNC_ARG; + } + + /* Allocate temporary buffer for hash data */ + hash_data = XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (hash_data == NULL) { + return MEMORY_E; + } + + /* Perform hash of data */ + ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len); + if (ret != 0) { + goto exit; + } + + /* Create signature using hash as data */ + switch(sig_type) { +#ifdef HAVE_ECC + case WC_SIGNATURE_TYPE_ECC: + { + /* Validate key size */ + if (key_len < sizeof(ecc_key)) { + return BAD_FUNC_ARG; + } + /* Create signature using provided ECC key */ + ret = wc_ecc_sign_hash(hash_data, hash_len, sig, sig_len, rng, (ecc_key*)key); + break; + } +#endif +#ifndef NO_RSA + case WC_SIGNATURE_TYPE_RSA: + /* Validate key size */ + if (key_len < sizeof(RsaKey)) { + return BAD_FUNC_ARG; + } + /* Create signature using provided RSA key */ + ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, (RsaKey*)key, rng); + if (ret > 0) { + *sig_len = ret; + } + break; +#endif + + case WC_SIGNATURE_TYPE_NONE: + default: + break; + } + +exit: + if (hash_data) { + XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + return ret; +} diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h index 4cdd85f11..c25faf313 100755 --- a/wolfssl/wolfcrypt/hash.h +++ b/wolfssl/wolfcrypt/hash.h @@ -28,10 +28,42 @@ extern "C" { #endif +/* Hash types */ +enum wc_HashType { + WC_HASH_TYPE_NONE = 0, +#ifdef WOLFSSL_MD2 + WC_HASH_TYPE_MD2 = 1, +#endif +#ifndef NO_MD4 + WC_HASH_TYPE_MD4 = 2, +#endif +#ifndef NO_MD5 + WC_HASH_TYPE_MD5 = 3, +#endif +#ifndef NO_SHA + WC_HASH_TYPE_SHA = 4, +#endif +#ifndef NO_SHA256 + WC_HASH_TYPE_SHA256 = 5, +#endif +#ifdef WOLFSSL_SHA512 +#ifdef WOLFSSL_SHA384 + WC_HASH_TYPE_SHA384 = 6, +#endif /* WOLFSSL_SHA384 */ + WC_HASH_TYPE_SHA512 = 7, +#endif /* WOLFSSL_SHA512 */ +}; + +WOLFSSL_API word32 wc_HashGetDigestSize(enum wc_HashType hash_type); +WOLFSSL_API int wc_Hash(enum wc_HashType hash_type, + const byte* data, word32 data_len, + byte* hash, word32 hash_len); + + #ifndef NO_MD5 #include WOLFSSL_API void wc_Md5GetHash(Md5*, byte*); -WOLFSSL_API void wc_Md5RestorePos(Md5*, Md5*) ; +WOLFSSL_API void wc_Md5RestorePos(Md5*, Md5*); #if defined(WOLFSSL_TI_HASH) WOLFSSL_API void wc_Md5Free(Md5*); #else @@ -42,7 +74,7 @@ WOLFSSL_API void wc_Md5RestorePos(Md5*, Md5*) ; #ifndef NO_SHA #include WOLFSSL_API int wc_ShaGetHash(Sha*, byte*); -WOLFSSL_API void wc_ShaRestorePos(Sha*, Sha*) ; +WOLFSSL_API void wc_ShaRestorePos(Sha*, Sha*); WOLFSSL_API int wc_ShaHash(const byte*, word32, byte*); #if defined(WOLFSSL_TI_HASH) WOLFSSL_API void wc_ShaFree(Sha*); @@ -54,7 +86,7 @@ WOLFSSL_API int wc_ShaHash(const byte*, word32, byte*); #ifndef NO_SHA256 #include WOLFSSL_API int wc_Sha256GetHash(Sha256*, byte*); -WOLFSSL_API void wc_Sha256RestorePos(Sha256*, Sha256*) ; +WOLFSSL_API void wc_Sha256RestorePos(Sha256*, Sha256*); WOLFSSL_API int wc_Sha256Hash(const byte*, word32, byte*); #if defined(WOLFSSL_TI_HASH) WOLFSSL_API void wc_Sha256Free(Sha256*); diff --git a/wolfssl/wolfcrypt/include.am b/wolfssl/wolfcrypt/include.am index 452fe8f18..d72d24583 100644 --- a/wolfssl/wolfcrypt/include.am +++ b/wolfssl/wolfcrypt/include.am @@ -42,6 +42,7 @@ nobase_include_HEADERS+= \ wolfssl/wolfcrypt/sha256.h \ wolfssl/wolfcrypt/sha512.h \ wolfssl/wolfcrypt/sha.h \ + wolfssl/wolfcrypt/signature.h \ wolfssl/wolfcrypt/blake2.h \ wolfssl/wolfcrypt/blake2-int.h \ wolfssl/wolfcrypt/blake2-impl.h \ diff --git a/wolfssl/wolfcrypt/signature.h b/wolfssl/wolfcrypt/signature.h new file mode 100644 index 000000000..f3bb30352 --- /dev/null +++ b/wolfssl/wolfcrypt/signature.h @@ -0,0 +1,63 @@ +/* signature.h + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#ifndef WOLF_CRYPT_SIGNATURE_H +#define WOLF_CRYPT_SIGNATURE_H + +#include +#include +#include + +#ifdef __cplusplus + extern "C" { +#endif + +enum wc_SignatureType { + WC_SIGNATURE_TYPE_NONE = 0, +#ifdef HAVE_ECC + WC_SIGNATURE_TYPE_ECC = 1, +#endif +#ifndef NO_RSA + WC_SIGNATURE_TYPE_RSA = 2, +#endif +}; + +WOLFSSL_API word32 wc_SignatureGetSize(enum wc_SignatureType sig_type, + const void* key, word32 key_len); + +WOLFSSL_API int wc_SignatureVerify( + enum wc_HashType hash_type, enum wc_SignatureType sig_type, + const byte* data, word32 data_len, + const byte* sig, word32 sig_len, + const void* key, word32 key_len); + +WOLFSSL_API int wc_SignatureGenerate( + enum wc_HashType hash_type, enum wc_SignatureType sig_type, + const byte* data, word32 data_len, + byte* sig, word32 *sig_len, + const void* key, word32 key_len, + RNG* rng); + +#ifdef __cplusplus + } /* extern "C" */ +#endif + +#endif /* WOLF_CRYPT_SIGNATURE_H */ From d9cb1cfbe16f7741614e860b257c8223f9176459 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 12 Nov 2015 10:22:31 -0800 Subject: [PATCH 046/177] fix idea_mult() for 16 and 32bit systems --- wolfcrypt/src/idea.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/idea.c b/wolfcrypt/src/idea.c index d7ab766d7..534aa1165 100644 --- a/wolfcrypt/src/idea.c +++ b/wolfcrypt/src/idea.c @@ -44,9 +44,10 @@ */ static INLINE word16 idea_mult(word16 x, word16 y) { - long mul, res; + word32 mul; + long res; - mul = (long)x * (long)y; + mul = (word32)x * (word32)y; if (mul) { res = (mul & IDEA_MASK) - (mul >> 16); if (res <= 0) From 261fedd9063b1ab956cfe354c2e4dd50dc7f3283 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 12 Nov 2015 10:32:35 -0800 Subject: [PATCH 047/177] idea_mult() now works on 16,32, AND 64bit systems --- wolfcrypt/src/idea.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/wolfcrypt/src/idea.c b/wolfcrypt/src/idea.c index 534aa1165..37df7d62b 100644 --- a/wolfcrypt/src/idea.c +++ b/wolfcrypt/src/idea.c @@ -44,12 +44,11 @@ */ static INLINE word16 idea_mult(word16 x, word16 y) { - word32 mul; - long res; + long mul, res; - mul = (word32)x * (word32)y; + mul = (long)x * (long)y; if (mul) { - res = (mul & IDEA_MASK) - (mul >> 16); + res = (mul & IDEA_MASK) - ((word32)mul >> 16); if (res <= 0) res += IDEA_MODULO; From 5c96be4d19503d3abe6135a8dd4af1f7e30cbed7 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 12 Nov 2015 15:14:00 -0800 Subject: [PATCH 048/177] fix idea conversion warnings --- src/ssl.c | 5 +++-- wolfcrypt/src/idea.c | 8 ++++---- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index bf94d35a7..85407b815 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -8532,8 +8532,9 @@ int wolfSSL_set_compression(WOLFSSL* ssl) if (enc == 0 || enc == 1) ctx->enc = enc ? 1 : 0; if (key) { - ret = wc_IdeaSetKey(&ctx->cipher.idea, key, ctx->keyLen, iv, - ctx->enc ? IDEA_ENCRYPTION : IDEA_DECRYPTION); + ret = wc_IdeaSetKey(&ctx->cipher.idea, key, (word16)ctx->keyLen, + iv, ctx->enc ? IDEA_ENCRYPTION : + IDEA_DECRYPTION); if (ret != 0) return ret; } diff --git a/wolfcrypt/src/idea.c b/wolfcrypt/src/idea.c index 37df7d62b..712949698 100644 --- a/wolfcrypt/src/idea.c +++ b/wolfcrypt/src/idea.c @@ -211,17 +211,17 @@ void wc_IdeaCipher(Idea *idea, byte* out, const byte* in) x[3] = idea_mult(x[3], idea->skey[skey_idx++]); t2 = x[0] ^ x[2]; - t2 = idea_mult(t2, idea->skey[skey_idx++]); + t2 = idea_mult((word16)t2, idea->skey[skey_idx++]); t1 = (t2 + (x[1] ^ x[3])) & IDEA_MASK; - t1 = idea_mult(t1, idea->skey[skey_idx++]); + t1 = idea_mult((word16)t1, idea->skey[skey_idx++]); t2 = (t1 + t2) & IDEA_MASK; x[0] ^= t1; x[3] ^= t2; t2 ^= x[1]; - x[1] = x[2] ^ t1; - x[2] = t2; + x[1] = x[2] ^ (word16)t1; + x[2] = (word16)t2; } x[0] = idea_mult(x[0], idea->skey[skey_idx++]); From 66965759d50e58ac1c4a8bf2329ab04e8604210b Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 12 Nov 2015 16:52:56 -0700 Subject: [PATCH 049/177] Implement missing openssl API --- src/ssl.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 85407b815..1473748b0 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -9968,6 +9968,7 @@ int wolfSSL_session_reused(WOLFSSL* ssl) #ifdef OPENSSL_EXTRA void wolfSSL_SESSION_free(WOLFSSL_SESSION* session) { + /* No need to free since cache is static */ (void)session; } #endif @@ -10410,10 +10411,10 @@ char* wolfSSL_CIPHER_description(WOLFSSL_CIPHER* cipher, char* in, int len) } -WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl) /* what's ref count */ +WOLFSSL_SESSION* wolfSSL_get1_session(WOLFSSL* ssl) { - (void)ssl; - return 0; + /* sessions are stored statically, no need for reference count */ + return wolfSSL_get_session(ssl); } From b870bad63ea390f024c3cb0eecb60c3c30b5c345 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 13 Nov 2015 12:22:32 -0800 Subject: [PATCH 050/177] Added new "SIG_VERIFY_E" type for "wc_SignatureVerify" failure. Added argument checking on new signature wrapper functions. Added new "NO_SIG_WRAPPER" to optionally disable wrappers to reduce code size. --- wolfcrypt/src/ecc.c | 2 +- wolfcrypt/src/error.c | 3 + wolfcrypt/src/hash.c | 7 +- wolfcrypt/src/signature.c | 165 +++++++++++++++++++------------- wolfssl/wolfcrypt/ecc.h | 3 +- wolfssl/wolfcrypt/error-crypt.h | 1 + wolfssl/wolfcrypt/hash.h | 2 +- wolfssl/wolfcrypt/signature.h | 2 +- 8 files changed, 112 insertions(+), 73 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index ef92b00ef..507f212b0 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -3254,7 +3254,7 @@ int wc_ecc_sig_size(ecc_key* key) if (sz <= 0) return sz; - return sz * 2 + SIG_HEADER_SZ + 4; /* (4) worst case estimate */ + return (sz * 2) + SIG_HEADER_SZ + ECC_MAX_PAD_SZ; } diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index b8339eec0..36271c3cc 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -361,6 +361,9 @@ const char* wc_GetErrorString(int error) case WC_INIT_E: return "wolfCrypt Initialize Failure error"; + case SIG_VERIFY_E: + return "Signature verify error"; + default: return "unknown error number"; diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index 95a54f7be..86dd1953d 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -41,9 +41,9 @@ /* Get Hash digest size */ -word32 wc_HashGetDigestSize(enum wc_HashType hash_type) +int wc_HashGetDigestSize(enum wc_HashType hash_type) { - word32 dig_size = 0; + int dig_size = BAD_FUNC_ARG; switch(hash_type) { #ifdef WOLFSSL_MD2 @@ -93,7 +93,7 @@ word32 wc_HashGetDigestSize(enum wc_HashType hash_type) int wc_Hash(enum wc_HashType hash_type, const byte* data, word32 data_len, byte* hash, word32 hash_len) { - int ret = 0; + int ret = BAD_FUNC_ARG; word32 dig_size; /* Validate hash buffer size */ @@ -142,6 +142,7 @@ int wc_Hash(enum wc_HashType hash_type, const byte* data, case WC_HASH_TYPE_NONE: default: + WOLFSSL_MSG("wc_Hash: Bad hash type"); break; } return ret; diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index d3a5799fa..d069e3491 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -26,6 +26,7 @@ #include #include #include +#include #ifdef HAVE_ECC #include @@ -34,29 +35,34 @@ #include #endif +#ifndef NO_SIG_WRAPPER -word32 wc_SignatureGetSize(enum wc_SignatureType sig_type, +int wc_SignatureGetSize(enum wc_SignatureType sig_type, const void* key, word32 key_len) { - word32 sig_len = 0; + int sig_len = BAD_FUNC_ARG; switch(sig_type) { #ifdef HAVE_ECC case WC_SIGNATURE_TYPE_ECC: { - if (key_len < sizeof(ecc_key)) { - return BAD_FUNC_ARG; + if (key_len >= sizeof(ecc_key)) { + sig_len = wc_ecc_sig_size((ecc_key*)key); + } + else { + WOLFSSL_MSG("wc_SignatureGetSize: Invalid ECC key size"); } - sig_len = wc_ecc_sig_size((ecc_key*)key); break; } #endif #ifndef NO_RSA case WC_SIGNATURE_TYPE_RSA: - if (key_len < sizeof(RsaKey)) { - return BAD_FUNC_ARG; + if (key_len >= sizeof(RsaKey)) { + sig_len = wc_RsaEncryptSize((RsaKey*)key); + } + else { + WOLFSSL_MSG("wc_SignatureGetSize: Invalid RsaKey key size"); } - sig_len = wc_RsaEncryptSize((RsaKey*)key); break; #endif @@ -76,9 +82,22 @@ int wc_SignatureVerify( int ret, hash_len; byte *hash_data = NULL; + /* Check arguments */ + if (data == NULL || data_len <= 0 || sig == NULL || sig_len <= 0 || + key == NULL || key_len <= 0) { + return BAD_FUNC_ARG; + } + + /* Validate signature len (1 to max is okay) */ + if ((int)sig_len > wc_SignatureGetSize(sig_type, key, key_len)) { + WOLFSSL_MSG("wc_SignatureVerify: Invalid sig type/len"); + return BAD_FUNC_ARG; + } + /* Validate hash size */ hash_len = wc_HashGetDigestSize(hash_type); if (hash_len <= 0) { + WOLFSSL_MSG("wc_SignatureVerify: Invalid hash type/len"); return BAD_FUNC_ARG; } @@ -90,49 +109,55 @@ int wc_SignatureVerify( /* Perform hash of data */ ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len); - if(ret != 0) { - goto exit; - } + if(ret == 0) { + /* Default to bad argument */ + ret = BAD_FUNC_ARG; - /* Verify signature using hash as data */ - switch(sig_type) { + /* Verify signature using hash as data */ + switch(sig_type) { #ifdef HAVE_ECC - case WC_SIGNATURE_TYPE_ECC: - { - int is_valid_sig = -1; + case WC_SIGNATURE_TYPE_ECC: + { - /* Validate key size */ - if (key_len < sizeof(ecc_key)) { - return BAD_FUNC_ARG; + int is_valid_sig = 0; + + /* Perform verification of signature using provided ECC key */ + ret = wc_ecc_verify_hash(sig, sig_len, hash_data, hash_len, &is_valid_sig, (ecc_key*)key); + if (ret != 0 || is_valid_sig != 1) { + ret = SIG_VERIFY_E; + } + break; } - /* Perform verification of signature using provided ECC key */ - ret = wc_ecc_verify_hash(sig, sig_len, hash_data, hash_len, &is_valid_sig, (ecc_key*)key); - if (ret != 0 || is_valid_sig != 1) { - ret = -1; - } - break; - } #endif #ifndef NO_RSA - case WC_SIGNATURE_TYPE_RSA: - /* Validate key size */ - if (key_len < sizeof(ecc_key)) { - return BAD_FUNC_ARG; + case WC_SIGNATURE_TYPE_RSA: + { + byte *plain_data = XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (plain_data) { + /* Perform verification of signature using provided RSA key */ + ret = wc_RsaSSL_Verify(sig, sig_len, plain_data, hash_len, (RsaKey*)key); + if (ret != hash_len || XMEMCMP(plain_data, hash_data, hash_len) != 0) { + ret = SIG_VERIFY_E; + } + XFREE(plain_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + else { + ret = MEMORY_E; + } + break; } - /* Perform verification of signature using provided RSA key */ - ret = wc_RsaSSL_Verify(sig, sig_len, hash_data, hash_len, (RsaKey*)key); - break; #endif - case WC_SIGNATURE_TYPE_NONE: - default: - break; + case WC_SIGNATURE_TYPE_NONE: + default: + break; + } } -exit: if (hash_data) { XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); } + return ret; } @@ -145,9 +170,22 @@ int wc_SignatureGenerate( int ret, hash_len; byte *hash_data = NULL; + /* Check arguments */ + if (data == NULL || data_len <= 0 || sig == NULL || sig_len == NULL || + *sig_len <= 0 || key == NULL || key_len <= 0) { + return BAD_FUNC_ARG; + } + + /* Validate signature len (needs to be at least max) */ + if ((int)*sig_len < wc_SignatureGetSize(sig_type, key, key_len)) { + WOLFSSL_MSG("wc_SignatureGenerate: Invalid sig type/len"); + return BAD_FUNC_ARG; + } + /* Validate hash size */ hash_len = wc_HashGetDigestSize(hash_type); if (hash_len <= 0) { + WOLFSSL_MSG("wc_SignatureGenerate: Invalid hash type/len"); return BAD_FUNC_ARG; } @@ -159,46 +197,41 @@ int wc_SignatureGenerate( /* Perform hash of data */ ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len); - if (ret != 0) { - goto exit; - } + if (ret == 0) { + /* Default to bad argument */ + ret = BAD_FUNC_ARG; - /* Create signature using hash as data */ - switch(sig_type) { + /* Create signature using hash as data */ + switch(sig_type) { #ifdef HAVE_ECC - case WC_SIGNATURE_TYPE_ECC: - { - /* Validate key size */ - if (key_len < sizeof(ecc_key)) { - return BAD_FUNC_ARG; + case WC_SIGNATURE_TYPE_ECC: + { + /* Create signature using provided ECC key */ + ret = wc_ecc_sign_hash(hash_data, hash_len, sig, sig_len, rng, (ecc_key*)key); + break; } - /* Create signature using provided ECC key */ - ret = wc_ecc_sign_hash(hash_data, hash_len, sig, sig_len, rng, (ecc_key*)key); - break; - } #endif #ifndef NO_RSA - case WC_SIGNATURE_TYPE_RSA: - /* Validate key size */ - if (key_len < sizeof(RsaKey)) { - return BAD_FUNC_ARG; - } - /* Create signature using provided RSA key */ - ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, (RsaKey*)key, rng); - if (ret > 0) { - *sig_len = ret; - } - break; + case WC_SIGNATURE_TYPE_RSA: + /* Create signature using provided RSA key */ + ret = wc_RsaSSL_Sign(hash_data, hash_len, sig, *sig_len, (RsaKey*)key, rng); + if (ret > 0) { + *sig_len = ret; + } + break; #endif - case WC_SIGNATURE_TYPE_NONE: - default: - break; + case WC_SIGNATURE_TYPE_NONE: + default: + break; + } } -exit: if (hash_data) { XFREE(hash_data, NULL, DYNAMIC_TYPE_TMP_BUFFER); } + return ret; } + +#endif /* NO_SIG_WRAPPER */ diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 6abbf38c7..880b36237 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -41,7 +41,8 @@ enum { ECC_BUFSIZE = 256, /* for exported keys temp buffer */ ECC_MINSIZE = 20, /* MIN Private Key size */ ECC_MAXSIZE = 66, /* MAX Private Key size */ - ECC_MAXSIZE_GEN = 74 /* MAX Buffer size required when generating ECC keys*/ + ECC_MAXSIZE_GEN = 74, /* MAX Buffer size required when generating ECC keys*/ + ECC_MAX_PAD_SZ = 4 /* ECC maximum padding size */ }; diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index b26f6c3f7..adf2d96b3 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -162,6 +162,7 @@ enum { CERTPOLICIES_E = -227, /* setting Certificate Policies error */ WC_INIT_E = -228, /* wolfcrypt failed to initialize */ + SIG_VERIFY_E = -229, /* wolfcrypt signature verify error */ MIN_CODE_E = -300 /* errors -101 - -299 */ }; diff --git a/wolfssl/wolfcrypt/hash.h b/wolfssl/wolfcrypt/hash.h index c25faf313..2a96f4e55 100755 --- a/wolfssl/wolfcrypt/hash.h +++ b/wolfssl/wolfcrypt/hash.h @@ -54,7 +54,7 @@ enum wc_HashType { #endif /* WOLFSSL_SHA512 */ }; -WOLFSSL_API word32 wc_HashGetDigestSize(enum wc_HashType hash_type); +WOLFSSL_API int wc_HashGetDigestSize(enum wc_HashType hash_type); WOLFSSL_API int wc_Hash(enum wc_HashType hash_type, const byte* data, word32 data_len, byte* hash, word32 hash_len); diff --git a/wolfssl/wolfcrypt/signature.h b/wolfssl/wolfcrypt/signature.h index f3bb30352..24d2b3a67 100644 --- a/wolfssl/wolfcrypt/signature.h +++ b/wolfssl/wolfcrypt/signature.h @@ -40,7 +40,7 @@ enum wc_SignatureType { #endif }; -WOLFSSL_API word32 wc_SignatureGetSize(enum wc_SignatureType sig_type, +WOLFSSL_API int wc_SignatureGetSize(enum wc_SignatureType sig_type, const void* key, word32 key_len); WOLFSSL_API int wc_SignatureVerify( From a38f7bb9373fd85a5dec985a3b0799bacb84f08a Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 13 Nov 2015 16:58:05 -0700 Subject: [PATCH 051/177] fix jni build enabling ecc on non 64 bit platforms --- configure.ac | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 6c5e5e93e..11c5bd149 100644 --- a/configure.ac +++ b/configure.ac @@ -1967,7 +1967,8 @@ then if test "x$ENABLED_ECC" = "xno" then ENABLED_ECC="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" + AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) fi if test "x$ENABLED_PKCALLBACKS" = "xno" then From cc684f859317d507d7cd4d9f884ed41bffca555a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Sat, 14 Nov 2015 22:28:52 -0300 Subject: [PATCH 052/177] fixes OCSP nonce extension size estimation at client hello message; --- src/tls.c | 2 +- wolfssl/wolfcrypt/asn.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 77e3694d3..619f96856 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1921,7 +1921,7 @@ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) size += ENUM_LEN + 2 * OPAQUE16_LEN; if (csr->request.ocsp.nonceSz) - size += MAX_OCSP_EXT_SZ; + size += OCSP_NONCE_EXT_SZ; } } #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index b1a132514..339680ca2 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -187,6 +187,7 @@ enum Misc_ASN { MAX_CERTPOL_NB = CTC_MAX_CERTPOL_NB,/* Max number of Cert Policy */ MAX_CERTPOL_SZ = CTC_MAX_CERTPOL_SZ, #endif + OCSP_NONCE_EXT_SZ = 37, /* OCSP Nonce Extension size */ MAX_OCSP_EXT_SZ = 58, /* Max OCSP Extension length */ MAX_OCSP_NONCE_SZ = 16, /* OCSP Nonce size */ EIGHTK_BUF = 8192, /* Tmp buffer size */ From 8ae6bf16416412cdab086188860ef236ec3e91e0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Thu, 12 Nov 2015 23:29:27 -0300 Subject: [PATCH 053/177] adds server side Certificate Status Request extension; missing: Finish SendCertificateStatus(); --- examples/server/server.c | 3 ++ src/internal.c | 84 ++++++++++++++++++++++++++++++++++++++- src/ocsp.c | 85 +++++++++++++++++++++++++++++++++------- src/ssl.c | 61 +++++++++++++++++++++++++++- src/tls.c | 59 ++++++++++++++++++++++++---- wolfcrypt/src/asn.c | 19 +++------ wolfssl/internal.h | 38 ++++++++++-------- wolfssl/ocsp.h | 4 +- wolfssl/ssl.h | 5 +++ wolfssl/wolfcrypt/asn.h | 3 ++ 10 files changed, 304 insertions(+), 57 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index 1808240a8..9e7dd230a 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -725,6 +725,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); } #endif +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + wolfSSL_CTX_EnableOCSPStapling(ctx); +#endif #ifdef HAVE_PK_CALLBACKS if (pkCallbacks) SetupPkCallbacks(ctx, ssl); diff --git a/src/internal.c b/src/internal.c index 1c6a4c6e4..057e4c9f4 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4368,7 +4368,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef HAVE_OCSP if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); + ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL); doCrlLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { doCrlLookup = 0; @@ -4469,7 +4469,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef HAVE_OCSP if (doLookup && ssl->ctx->cm->ocspEnabled) { WOLFSSL_MSG("Doing Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); + ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL); doLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); @@ -8141,6 +8141,86 @@ int SendCertificateRequest(WOLFSSL* ssl) else return SendBuffered(ssl); } + + +int SendCertificateStatus(WOLFSSL* ssl) +{ + int ret = 0; + byte status_type = 0; + + WOLFSSL_ENTER("SendCertificateStatus"); + + (void) ssl; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + status_type = ssl->status_request; +#endif + + switch (status_type) { +#if defined HAVE_CERTIFICATE_STATUS_REQUEST + case WOLFSSL_CSR_OCSP: { + buffer response = {NULL, 0}; + buffer der = ssl->buffers.certificate; +#ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; +#else + DecodedCert cert[1]; +#endif + + /* unable to fetch status. skip. */ + if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) + return 0; + if (der.buffer == NULL || der.length == 0) + return 0; + +#ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; +#endif + + InitDecodedCert(cert, der.buffer, der.length, NULL); + + if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, + ssl->ctx->cm)) != 0) { + WOLFSSL_MSG("ParseCert failed"); + } + else { + ret = CheckCertOCSP(ssl->ctx->cm->ocsp_stapling, cert, + &response); + + if (response.buffer) { + if (ret == OCSP_CERT_REVOKED || ret == OCSP_CERT_UNKNOWN) { + ret = 0; /* Forward status to client */ + } + + if (ret == 0) { + + } + + XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + + if (ret == OCSP_LOOKUP_FAIL) + ret = 0; /* Suppressing, not critical */ + } + + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + } + break; +#endif + + default: + break; + } + + return ret; +} + #endif /* !NO_CERTS */ diff --git a/src/ocsp.c b/src/ocsp.c index 567a67de8..f503d5b9c 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -77,6 +77,10 @@ static void FreeOcspEntry(OcspEntry* entry) for (status = entry->status; status; status = next) { next = status->next; + + if (status->rawOcspResponse) + XFREE(status->rawOcspResponse, NULL, DYNAMIC_TYPE_OCSP_STATUS); + XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); } } @@ -114,7 +118,7 @@ static int xstat2err(int stat) } -int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) +int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, void* encodedResponse) { int ret = OCSP_LOOKUP_FAIL; @@ -137,7 +141,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) #endif if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) { - ret = CheckOcspRequest(ocsp, ocspRequest); + ret = CheckOcspRequest(ocsp, ocspRequest, encodedResponse); FreeOcspRequest(ocspRequest); } @@ -186,7 +190,7 @@ static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, - OcspEntry* entry, CertStatus** status) + OcspEntry* entry, CertStatus** status, buffer* responseBuffer) { int ret = OCSP_INVALID_STATUS; @@ -204,11 +208,27 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) break; - if (*status) { + if (responseBuffer && *status && !(*status)->rawOcspResponse) { + /* force fetching again */ + ret = OCSP_INVALID_STATUS; + } + else if (*status) { if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) && ((*status)->nextDate[0] != 0) && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) ret = xstat2err((*status)->status); + + if (responseBuffer) { + responseBuffer->buffer = (byte*)XMALLOC( + (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + if (responseBuffer->buffer) { + responseBuffer->length = (*status)->rawOcspResponseSz; + XMEMCPY(responseBuffer->buffer, + (*status)->rawOcspResponse, + (*status)->rawOcspResponseSz); + } + } } UnLockMutex(&ocsp->ocspLock); @@ -216,16 +236,18 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, return ret; } -int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) +int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, + void* encodedResponse) { - OcspEntry* entry = NULL; - CertStatus* status = NULL; - byte* request = NULL; - int requestSz = 2048; - byte* response = NULL; - const char* url; - int urlSz; - int ret = -1; + OcspEntry* entry = NULL; + CertStatus* status = NULL; + byte* request = NULL; + int requestSz = 2048; + byte* response = NULL; + buffer* responseBuffer = (buffer*) encodedResponse; + const char* url = NULL; + int urlSz = 0; + int ret = -1; #ifdef WOLFSSL_SMALL_STACK CertStatus* newStatus; @@ -237,11 +259,16 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) WOLFSSL_ENTER("CheckOcspRequest"); + if (responseBuffer) { + responseBuffer->buffer = NULL; + responseBuffer->length = 0; + } + ret = GetOcspEntry(ocsp, ocspRequest, &entry); if (ret != 0) return ret; - ret = GetOcspStatus(ocsp, ocspRequest, entry, &status); + ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer); if (ret != OCSP_INVALID_STATUS) return ret; @@ -300,14 +327,29 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) ret = OCSP_LOOKUP_FAIL; else { if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { + if (responseBuffer) { + responseBuffer->buffer = (byte*)XMALLOC(ret, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (responseBuffer->buffer) { + responseBuffer->length = ret; + XMEMCPY(responseBuffer->buffer, response, ret); + } + } + ret = xstat2err(ocspResponse->status->status); if (LockMutex(&ocsp->ocspLock) != 0) ret = BAD_MUTEX_E; else { - if (status != NULL) + if (status != NULL) { + if (status->rawOcspResponse) + XFREE(status->rawOcspResponse, NULL, + DYNAMIC_TYPE_OCSP_STATUS); + /* Replace existing certificate entry with updated */ XMEMCPY(status, newStatus, sizeof(CertStatus)); + } else { /* Save new certificate entry */ status = (CertStatus*)XMALLOC(sizeof(CertStatus), @@ -320,6 +362,19 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) } } + if (responseBuffer && responseBuffer->buffer) { + status->rawOcspResponse = (byte*)XMALLOC( + responseBuffer->length, NULL, + DYNAMIC_TYPE_OCSP_STATUS); + + if (status->rawOcspResponse) { + status->rawOcspResponseSz = responseBuffer->length; + XMEMCPY(status->rawOcspResponse, + responseBuffer->buffer, + responseBuffer->length); + } + } + UnLockMutex(&ocsp->ocspLock); } } diff --git a/src/ssl.c b/src/ssl.c index 1473748b0..38c7d7ea7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1643,6 +1643,10 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) #ifdef HAVE_OCSP if (cm->ocsp) FreeOCSP(cm->ocsp, 1); + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + if (cm->ocsp_stapling) + FreeOCSP(cm->ocsp_stapling, 1); + #endif #endif FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL); FreeMutex(&cm->caLock); @@ -3460,6 +3464,42 @@ int wolfSSL_CertManagerDisableOCSP(WOLFSSL_CERT_MANAGER* cm) return SSL_SUCCESS; } +/* turn on OCSP Stapling if off and compiled in, set options */ +int wolfSSL_CertManagerEnableOCSPStapling(WOLFSSL_CERT_MANAGER* cm) +{ + int ret = SSL_SUCCESS; + + WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPStapling"); + if (cm == NULL) + return BAD_FUNC_ARG; + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + if (cm->ocsp_stapling == NULL) { + cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP), + cm->heap, DYNAMIC_TYPE_OCSP); + if (cm->ocsp_stapling == NULL) + return MEMORY_E; + + if (InitOCSP(cm->ocsp_stapling, cm) != 0) { + WOLFSSL_MSG("Init OCSP failed"); + FreeOCSP(cm->ocsp_stapling, 1); + cm->ocsp_stapling = NULL; + return SSL_FAILURE; + } + } + cm->ocspStaplingEnabled = 1; + + #ifndef WOLFSSL_USER_IO + cm->ocspIOCb = EmbedOcspLookup; + cm->ocspRespFreeCb = EmbedOcspRespFree; + #endif /* WOLFSSL_USER_IO */ + #else + ret = NOT_COMPILED_IN; + #endif + + return ret; +} + #ifdef HAVE_OCSP @@ -3494,7 +3534,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) { WOLFSSL_MSG("ParseCert failed"); } - else if ((ret = CheckCertOCSP(cm->ocsp, cert)) != 0) { + else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) { WOLFSSL_MSG("CheckCertOCSP failed"); } @@ -3629,6 +3669,16 @@ int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX* ctx, CbOCSPIO ioCb, return BAD_FUNC_ARG; } +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) +int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX* ctx) +{ + WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSPStapling"); + if (ctx) + return wolfSSL_CertManagerEnableOCSPStapling(ctx->cm); + else + return BAD_FUNC_ARG; +} +#endif #endif /* HAVE_OCSP */ @@ -6132,6 +6182,15 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, WOLFSSL_MSG("accept state CERT_SENT"); case CERT_SENT : + if (!ssl->options.resuming) + if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + ssl->options.acceptState = CERT_STATUS_SENT; + WOLFSSL_MSG("accept state CERT_STATUS_SENT"); + + case CERT_STATUS_SENT : if (!ssl->options.resuming) if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { WOLFSSL_ERROR(ssl->error); diff --git a/src/tls.c b/src/tls.c index 619f96856..652c6dabf 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1891,11 +1891,6 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) #ifdef HAVE_CERTIFICATE_STATUS_REQUEST -#ifndef HAVE_OCSP -#error Status Request Extension requires OCSP. \ - Use --enable-ocsp in the configure script or define HAVE_OCSP. -#endif - static void TLSX_CSR_Free(CertificateStatusRequest* csr) { switch (csr->status_type) { @@ -1972,7 +1967,7 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest) { - int ret = 0; + int ret; /* shut up compiler warnings */ (void) ssl; (void) input; @@ -2019,8 +2014,56 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ #endif } + else { +#ifndef NO_WOLFSSL_SERVER + byte status_type; + word16 offset = 0; + word16 size = 0; - return ret; + if (length < ENUM_LEN) + return BUFFER_ERROR; + + status_type = input[offset++]; + + switch (status_type) { + case WOLFSSL_CSR_OCSP: { + + /* skip responder_id_list */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + /* skip request_extensions */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + if (offset > length) + return BUFFER_ERROR; + + /* is able to send OCSP response? */ + if (ssl->ctx->cm == NULL || !ssl->ctx->cm->ocspStaplingEnabled) + return 0; + } + break; + } + + ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, + 0); + if (ret != SSL_SUCCESS) + return ret; /* throw error */ + + TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); + ssl->status_request = status_type; + +#endif + } + + return 0; } int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert) @@ -2078,7 +2121,7 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl) case WOLFSSL_CSR_OCSP: if (ssl->ctx->cm->ocspEnabled) return CheckOcspRequest(ssl->ctx->cm->ocsp, - &csr->request.ocsp); + &csr->request.ocsp, NULL); else return OCSP_LOOKUP_FAIL; } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 88073abd2..935574ac7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8776,20 +8776,13 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status, { WOLFSSL_ENTER("InitOcspResponse"); + XMEMSET(status, 0, sizeof(CertStatus)); + XMEMSET(resp, 0, sizeof(OcspResponse)); + resp->responseStatus = -1; - resp->response = NULL; - resp->responseSz = 0; - resp->producedDateFormat = 0; - resp->issuerHash = NULL; - resp->issuerKeyHash = NULL; - resp->sig = NULL; - resp->sigSz = 0; - resp->sigOID = 0; - resp->status = status; - resp->nonce = NULL; - resp->nonceSz = 0; - resp->source = source; - resp->maxIdx = inSz; + resp->status = status; + resp->source = source; + resp->maxIdx = inSz; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 76f7f108a..ead5aae36 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1361,22 +1361,26 @@ struct WOLFSSL_CRL { /* wolfSSL Certificate Manager */ struct WOLFSSL_CERT_MANAGER { Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */ - void* heap; /* heap helper */ - WOLFSSL_CRL* crl; /* CRL checker */ - WOLFSSL_OCSP* ocsp; /* OCSP checker */ - char* ocspOverrideURL; /* use this responder */ - void* ocspIOCtx; /* I/O callback CTX */ - CallbackCACache caCacheCallback; /* CA cache addition callback */ - CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ - CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ - CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ - wolfSSL_Mutex caLock; /* CA list lock */ - byte crlEnabled; /* is CRL on ? */ - byte crlCheckAll; /* always leaf, but all ? */ - byte ocspEnabled; /* is OCSP on ? */ - byte ocspCheckAll; /* always leaf, but all ? */ - byte ocspSendNonce; /* send the OCSP nonce ? */ - byte ocspUseOverrideURL; /* ignore cert's responder, override */ + void* heap; /* heap helper */ + WOLFSSL_CRL* crl; /* CRL checker */ + WOLFSSL_OCSP* ocsp; /* OCSP checker */ +#if !defined(NO_WOLFSSL_SEVER) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) + WOLFSSL_OCSP* ocsp_stapling; /* OCSP checker for OCSP stapling */ +#endif + char* ocspOverrideURL; /* use this responder */ + void* ocspIOCtx; /* I/O callback CTX */ + CallbackCACache caCacheCallback; /* CA cache addition callback */ + CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ + CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ + CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ + wolfSSL_Mutex caLock; /* CA list lock */ + byte crlEnabled; /* is CRL on ? */ + byte crlCheckAll; /* always leaf, but all ? */ + byte ocspEnabled; /* is OCSP on ? */ + byte ocspCheckAll; /* always leaf, but all ? */ + byte ocspSendNonce; /* send the OCSP nonce ? */ + byte ocspUseOverrideURL; /* ignore cert's responder, override */ + byte ocspStaplingEnabled; /* is OCSP Stapling on ? */ }; WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER*, const char*); @@ -2033,6 +2037,7 @@ enum AcceptState { ACCEPT_FIRST_REPLY_DONE, SERVER_HELLO_SENT, CERT_SENT, + CERT_STATUS_SENT, KEY_EXCHANGE_SENT, CERT_REQ_SENT, SERVER_HELLO_DONE, @@ -2640,6 +2645,7 @@ WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32); WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int); WOLFSSL_LOCAL int SendCertificate(WOLFSSL*); WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*); +WOLFSSL_LOCAL int SendCertificateStatus(WOLFSSL*); WOLFSSL_LOCAL int SendServerKeyExchange(WOLFSSL*); WOLFSSL_LOCAL int SendBuffered(WOLFSSL*); WOLFSSL_LOCAL int ReceiveData(WOLFSSL*, byte*, int, int); diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index dc76ca16e..8d05c26d0 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -39,9 +39,9 @@ typedef struct WOLFSSL_OCSP WOLFSSL_OCSP; WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); -WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*); +WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, void*); WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, - OcspRequest* ocspRequest); + OcspRequest* ocspRequest, void*); #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5a30c8c81..415b4bd60 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1269,6 +1269,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER*, CbOCSPIO, CbOCSPRespFree, void*); + WOLFSSL_API int wolfSSL_CertManagerEnableOCSPStapling( + WOLFSSL_CERT_MANAGER* cm); + WOLFSSL_API int wolfSSL_EnableCRL(WOLFSSL* ssl, int options); WOLFSSL_API int wolfSSL_DisableCRL(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_LoadCRL(WOLFSSL*, const char*, int, int); @@ -1287,6 +1290,8 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_SetOCSP_OverrideURL(WOLFSSL_CTX*, const char*); WOLFSSL_API int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX*, CbOCSPIO, CbOCSPRespFree, void*); + + WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*); #endif /* !NO_CERTS */ /* end of handshake frees temporary arrays, if user needs for get_keys or diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 339680ca2..e3fd7a569 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -675,6 +675,9 @@ struct CertStatus { byte nextDate[MAX_DATE_SIZE]; byte thisDateFormat; byte nextDateFormat; + + byte* rawOcspResponse; + word32 rawOcspResponseSz; }; From 12802f40c5744697eb70fa049f815e1562773662 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Sun, 15 Nov 2015 14:37:24 -0300 Subject: [PATCH 054/177] finishes SendCertificateStatus(); sending the stored status; --- src/internal.c | 92 ++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 81 insertions(+), 11 deletions(-) diff --git a/src/internal.c b/src/internal.c index 057e4c9f4..08debae7e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8143,6 +8143,78 @@ int SendCertificateRequest(WOLFSSL* ssl) } +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer status) +{ + byte* output = NULL; + word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; + word32 length = ENUM_LEN + OPAQUE24_LEN + status.length; + int sendSz = idx + length; + int ret = 0; + + WOLFSSL_ENTER("BuildCertificateStatus"); + + if (ssl->keys.encryptionOn) + sendSz += MAX_MSG_EXTRA; + + if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) { + output = ssl->buffers.outputBuffer.buffer + + ssl->buffers.outputBuffer.length; + + AddHeaders(output, length, certificate_status, ssl); + + output[idx++] = type; + + c32to24(status.length, output + idx); + idx += OPAQUE24_LEN; + + XMEMCPY(output + idx, status.buffer, status.length); + idx += status.length; + + if (ssl->keys.encryptionOn) { + byte* input; + int inputSz = idx - RECORD_HEADER_SZ; + + input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (input == NULL) + return MEMORY_E; + + XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); + sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake); + XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); + + if (sendSz < 0) + ret = sendSz; + } + else + ret = HashOutput(ssl, output, sendSz, 0); + + #ifdef WOLFSSL_DTLS + if (ret == 0 && ssl->options.dtls) + ret = DtlsPoolSave(ssl, output, sendSz)); + #endif + + #ifdef WOLFSSL_CALLBACKS + if (ret == 0 && ssl->hsInfoOn) + AddPacketName("CertificateStatus", &ssl->handShakeInfo); + if (ret == 0 && ssl->toInfoOn) + AddPacketInfo("CertificateStatus", &ssl->timeoutInfo, output, + sendSz, ssl->heap); + #endif + + if (ret == 0) { + ssl->buffers.outputBuffer.length += sendSz; + if (!ssl->options.groupMessages) + ret = SendBuffered(ssl); + } + } + + WOLFSSL_LEAVE("BuildCertificateStatus", ret); + return ret; +} +#endif + + int SendCertificateStatus(WOLFSSL* ssl) { int ret = 0; @@ -8182,7 +8254,7 @@ int SendCertificateStatus(WOLFSSL* ssl) InitDecodedCert(cert, der.buffer, der.length, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, ssl->ctx->cm)) != 0) { WOLFSSL_MSG("ParseCert failed"); } @@ -8190,20 +8262,18 @@ int SendCertificateStatus(WOLFSSL* ssl) ret = CheckCertOCSP(ssl->ctx->cm->ocsp_stapling, cert, &response); + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + if (response.buffer) { - if (ret == OCSP_CERT_REVOKED || ret == OCSP_CERT_UNKNOWN) { - ret = 0; /* Forward status to client */ - } - - if (ret == 0) { - - } + if (ret == 0) + ret = BuildCertificateStatus(ssl,status_type, response); XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); } - - if (ret == OCSP_LOOKUP_FAIL) - ret = 0; /* Suppressing, not critical */ } FreeDecodedCert(cert); From 24907fc818c2ba29a82e18e7c353c68cf88b459b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Sun, 15 Nov 2015 18:43:29 -0300 Subject: [PATCH 055/177] adds buffer logging; --- wolfcrypt/src/logging.c | 38 +++++++++++++++++++++++++++++++++++++ wolfssl/wolfcrypt/logging.h | 2 ++ 2 files changed, 40 insertions(+) diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index fb90c6dcc..2156b1f43 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -136,6 +136,44 @@ void WOLFSSL_MSG(const char* msg) } +void WOLFSSL_BUFFER(byte* buffer, word32 length) +{ + #define LINE_LEN 16 + + if (loggingEnabled) { + word32 i; + char line[80]; + + if (!buffer) { + wolfssl_log(INFO_LOG, "\tNULL"); + + return; + } + + sprintf(line, "\t"); + + for (i = 0; i < LINE_LEN; i++) { + if (i < length) + sprintf(line + 1 + i * 3,"%02x ", buffer[i]); + else + sprintf(line + 1 + i * 3, " "); + } + + sprintf(line + 1 + LINE_LEN * 3, "| "); + + for (i = 0; i < LINE_LEN; i++) + if (i < length) + sprintf(line + 3 + LINE_LEN * 3 + i, + "%c", 31 < buffer[i] && buffer[i] < 127 ? buffer[i] : '.'); + + wolfssl_log(INFO_LOG, line); + + if (length > LINE_LEN) + WOLFSSL_BUFFER(buffer + LINE_LEN, length - LINE_LEN); + } +} + + void WOLFSSL_ENTER(const char* msg) { if (loggingEnabled) { diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index 2e604080d..03681412d 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -56,6 +56,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); void WOLFSSL_ERROR(int); void WOLFSSL_MSG(const char* msg); + void WOLFSSL_BUFFER(byte* buffer, word32 length); #else /* DEBUG_WOLFSSL */ @@ -65,6 +66,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #define WOLFSSL_ERROR(e) #define WOLFSSL_MSG(m) + #define WOLFSSL_BUFFER(b, l) #endif /* DEBUG_WOLFSSL */ From 6d6ca56e4e571ce494cf1b048c84ad0dc25a65a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 16 Nov 2015 15:31:50 -0300 Subject: [PATCH 056/177] fixes SendCertificateStatus() loading the CA in the server side to build the OCSP request properly. --- examples/server/server.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/examples/server/server.c b/examples/server/server.c index 9e7dd230a..56a0c680d 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -726,7 +726,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) } #endif #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) - wolfSSL_CTX_EnableOCSPStapling(ctx); + if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS) + err_sys("can't enable OCSP Stapling Certificate Manager"); + if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); #endif #ifdef HAVE_PK_CALLBACKS if (pkCallbacks) From 5e4955f689198443bd01e743d413302821d9b424 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 16 Nov 2015 16:03:48 -0300 Subject: [PATCH 057/177] reuse OcspRequest data in ocsp stapling; --- src/internal.c | 80 ++++++++++++++++++++++++++++++++++------------ wolfssl/internal.h | 3 ++ 2 files changed, 63 insertions(+), 20 deletions(-) diff --git a/src/internal.c b/src/internal.c index 08debae7e..c7fcd29c7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -542,6 +542,13 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) #endif #ifdef HAVE_TLS_EXTENSIONS TLSX_FreeAll(ctx->extensions); + + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ctx->certOcspRequest) { + FreeOcspRequest(ctx->certOcspRequest); + XFREE(ctx->certOcspRequest, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + #endif #endif } @@ -8231,35 +8238,69 @@ int SendCertificateStatus(WOLFSSL* ssl) switch (status_type) { #if defined HAVE_CERTIFICATE_STATUS_REQUEST case WOLFSSL_CSR_OCSP: { + OcspRequest* request = ssl->ctx->certOcspRequest; buffer response = {NULL, 0}; - buffer der = ssl->buffers.certificate; -#ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; -#else - DecodedCert cert[1]; -#endif /* unable to fetch status. skip. */ if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) return 0; - if (der.buffer == NULL || der.length == 0) - return 0; + + if (!request || ssl->buffers.weOwnCert) { + buffer der = ssl->buffers.certificate; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + /* unable to fetch status. skip. */ + if (der.buffer == NULL || der.length == 0) + return 0; #ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; + if (cert == NULL) + return MEMORY_E; #endif - InitDecodedCert(cert, der.buffer, der.length, NULL); + InitDecodedCert(cert, der.buffer, der.length, NULL); - if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, ssl->ctx->cm)) != 0) { - WOLFSSL_MSG("ParseCert failed"); + WOLFSSL_MSG("ParseCert failed"); + } + else { + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (request == NULL) { + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif + return MEMORY_E; + } + + ret = InitOcspRequest(request, cert, 0); + if (ret != 0) { + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + else if (!ssl->buffers.weOwnCert && 0 == LockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock)) { + if (!ssl->ctx->certOcspRequest) + ssl->ctx->certOcspRequest = request; + UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); + } + } + + FreeDecodedCert(cert); +#ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); +#endif } - else { - ret = CheckCertOCSP(ssl->ctx->cm->ocsp_stapling, cert, + + if (ret == 0) { + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, &response); /* Suppressing, not critical */ @@ -8274,12 +8315,11 @@ int SendCertificateStatus(WOLFSSL* ssl) XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); } + } - FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif + if (request != ssl->ctx->certOcspRequest) + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); } break; #endif diff --git a/wolfssl/internal.h b/wolfssl/internal.h index ead5aae36..a553bddba 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1769,6 +1769,9 @@ struct WOLFSSL_CTX { #endif #ifdef HAVE_TLS_EXTENSIONS TLSX* extensions; /* RFC 6066 TLS Extensions data */ + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER) + OcspRequest* certOcspRequest; + #endif #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SEVER) SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */ void* ticketEncCtx; /* session encrypt context */ From 60b1a0c8be0b4c60a8cd260501bbd836156962dd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 16 Nov 2015 16:16:48 -0300 Subject: [PATCH 058/177] fixes scan-build warnings --- src/ocsp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ocsp.c b/src/ocsp.c index f503d5b9c..7852c2bcb 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -362,7 +362,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, } } - if (responseBuffer && responseBuffer->buffer) { + if (status && responseBuffer && responseBuffer->buffer) { status->rawOcspResponse = (byte*)XMALLOC( responseBuffer->length, NULL, DYNAMIC_TYPE_OCSP_STATUS); From 103f984421afdd7d2cfe134860a1a28cdfaa1c30 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 16 Nov 2015 11:54:23 -0800 Subject: [PATCH 059/177] Cleanup of the signature wrapper error cases to be more explicit. --- wolfcrypt/src/signature.c | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index d069e3491..840dd394a 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -110,8 +110,6 @@ int wc_SignatureVerify( /* Perform hash of data */ ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len); if(ret == 0) { - /* Default to bad argument */ - ret = BAD_FUNC_ARG; /* Verify signature using hash as data */ switch(sig_type) { @@ -150,6 +148,7 @@ int wc_SignatureVerify( case WC_SIGNATURE_TYPE_NONE: default: + ret = BAD_FUNC_ARG; break; } } @@ -198,9 +197,6 @@ int wc_SignatureGenerate( /* Perform hash of data */ ret = wc_Hash(hash_type, data, data_len, hash_data, hash_len); if (ret == 0) { - /* Default to bad argument */ - ret = BAD_FUNC_ARG; - /* Create signature using hash as data */ switch(sig_type) { #ifdef HAVE_ECC @@ -223,6 +219,7 @@ int wc_SignatureGenerate( case WC_SIGNATURE_TYPE_NONE: default: + ret = BAD_FUNC_ARG; break; } } From ca7956b50d5ad8f2b93855056da7b8111d9a08c5 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 16 Nov 2015 13:20:19 -0800 Subject: [PATCH 060/177] update cavium nitrox port to wolfssl --- src/keys.c | 8 ++++---- wolfcrypt/src/aes.c | 6 +++--- wolfcrypt/src/hmac.c | 29 ++++++++++++++++++----------- wolfcrypt/src/rsa.c | 4 ++-- wolfssl/wolfcrypt/aes.h | 2 +- 5 files changed, 28 insertions(+), 21 deletions(-) diff --git a/src/keys.c b/src/keys.c index 5ca1b72f7..3c1ccea5c 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1859,13 +1859,13 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #ifdef HAVE_CAVIUM if (devId != NO_CAVIUM_DEVICE) { if (enc) { - if (Arc4InitCavium(enc->arc4, devId) != 0) { + if (wc_Arc4InitCavium(enc->arc4, devId) != 0) { WOLFSSL_MSG("Arc4InitCavium failed in SetKeys"); return CAVIUM_INIT_E; } } if (dec) { - if (Arc4InitCavium(dec->arc4, devId) != 0) { + if (wc_Arc4InitCavium(dec->arc4, devId) != 0) { WOLFSSL_MSG("Arc4InitCavium failed in SetKeys"); return CAVIUM_INIT_E; } @@ -2048,13 +2048,13 @@ static int SetKeys(Ciphers* enc, Ciphers* dec, Keys* keys, CipherSpecs* specs, #ifdef HAVE_CAVIUM if (devId != NO_CAVIUM_DEVICE) { if (enc) { - if (Des3_InitCavium(enc->des3, devId) != 0) { + if (wc_Des3_InitCavium(enc->des3, devId) != 0) { WOLFSSL_MSG("Des3_InitCavium failed in SetKeys"); return CAVIUM_INIT_E; } } if (dec) { - if (Des3_InitCavium(dec->des3, devId) != 0) { + if (wc_Des3_InitCavium(dec->des3, devId) != 0) { WOLFSSL_MSG("Des3_InitCavium failed in SetKeys"); return CAVIUM_INIT_E; } diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index d7524b66a..52948062a 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -4105,7 +4105,7 @@ int wc_AesCcmDecrypt(Aes* aes, byte* out, const byte* in, word32 inSz, #ifdef HAVE_CAVIUM -#include +#include #include "cavium_common.h" /* Initiliaze Aes for use with Nitrox device */ @@ -4156,7 +4156,7 @@ static int wc_AesCaviumSetKey(Aes* aes, const byte* key, word32 length, } -static int AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in, +static int wc_AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 length) { wolfssl_word offset = 0; @@ -4189,7 +4189,7 @@ static int AesCaviumCbcEncrypt(Aes* aes, byte* out, const byte* in, return 0; } -static int AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in, +static int wc_AesCaviumCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 length) { word32 requestId; diff --git a/wolfcrypt/src/hmac.c b/wolfcrypt/src/hmac.c index aacbef88a..272f335d8 100644 --- a/wolfcrypt/src/hmac.c +++ b/wolfcrypt/src/hmac.c @@ -105,10 +105,10 @@ int wc_HKDF(int type, const byte* inKey, word32 inKeySz, #ifdef HAVE_CAVIUM - static void HmacCaviumFinal(Hmac* hmac, byte* hash); - static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length); - static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, - word32 length); + static int HmacCaviumFinal(Hmac* hmac, byte* hash); + static int HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length); + static int HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, + word32 length); #endif static int InitHmac(Hmac* hmac, int type) @@ -642,7 +642,7 @@ void wc_HmacFreeCavium(Hmac* hmac) } -static void HmacCaviumFinal(Hmac* hmac, byte* hash) +static int HmacCaviumFinal(Hmac* hmac, byte* hash) { word32 requestId; @@ -650,12 +650,15 @@ static void HmacCaviumFinal(Hmac* hmac, byte* hash) (byte*)hmac->ipad, hmac->dataLen, hmac->data, hash, &requestId, hmac->devId) != 0) { WOLFSSL_MSG("Cavium Hmac failed"); + return -1; } hmac->innerHashKeyed = 0; /* tell update to start over if used again */ + + return 0; } -static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length) +static int HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length) { word16 add = (word16)length; word32 total; @@ -663,7 +666,7 @@ static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length) if (length > WOLFSSL_MAX_16BIT) { WOLFSSL_MSG("Too big msg for cavium hmac"); - return; + return -1; } if (hmac->innerHashKeyed == 0) { /* starting new */ @@ -674,13 +677,13 @@ static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length) total = add + hmac->dataLen; if (total > WOLFSSL_MAX_16BIT) { WOLFSSL_MSG("Too big msg for cavium hmac"); - return; + return -1; } tmp = XMALLOC(hmac->dataLen + add, NULL,DYNAMIC_TYPE_CAVIUM_TMP); if (tmp == NULL) { WOLFSSL_MSG("Out of memory for cavium update"); - return; + return -1; } if (hmac->dataLen) XMEMCPY(tmp, hmac->data, hmac->dataLen); @@ -689,11 +692,13 @@ static void HmacCaviumUpdate(Hmac* hmac, const byte* msg, word32 length) hmac->dataLen += add; XFREE(hmac->data, NULL, DYNAMIC_TYPE_CAVIUM_TMP); hmac->data = tmp; + + return 0; } -static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, - word32 length) +static int HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, + word32 length) { hmac->macType = (byte)type; if (type == MD5) @@ -711,6 +716,8 @@ static void HmacCaviumSetKey(Hmac* hmac, int type, const byte* key, hmac->keyLen = (word16)length; /* store key in ipad */ XMEMCPY(hmac->ipad, key, length); + + return 0; } #endif /* HAVE_CAVIUM */ diff --git a/wolfcrypt/src/rsa.c b/wolfcrypt/src/rsa.c index 6f4c3a595..5ca4a40c6 100644 --- a/wolfcrypt/src/rsa.c +++ b/wolfcrypt/src/rsa.c @@ -715,11 +715,11 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) #ifdef HAVE_CAVIUM -#include +#include #include "cavium_common.h" /* Initiliaze RSA for use with Nitrox device */ -int RsaInitCavium(RsaKey* rsa, int devId) +int wc_RsaInitCavium(RsaKey* rsa, int devId) { if (rsa == NULL) return -1; diff --git a/wolfssl/wolfcrypt/aes.h b/wolfssl/wolfcrypt/aes.h index f850c3ca8..45c972226 100644 --- a/wolfssl/wolfcrypt/aes.h +++ b/wolfssl/wolfcrypt/aes.h @@ -39,7 +39,7 @@ #ifndef HAVE_FIPS /* to avoid redefinition of macros */ #ifdef HAVE_CAVIUM - #include + #include #include "cavium_common.h" #endif From 09793e32068ac7a8ad0bd453a12368d692cab5d8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 17 Nov 2015 08:52:12 -0800 Subject: [PATCH 061/177] Added benchmark.h to expose the benchmark_test function. Updated a couple of projects to use the new benchmark header. --- .../Projects/benchmark/benchmark-main.c | 4 +-- IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c | 4 +-- wolfcrypt/benchmark/benchmark.c | 1 + wolfcrypt/benchmark/benchmark.h | 32 +++++++++++++++++++ wolfcrypt/benchmark/include.am | 1 + wolfcrypt/test/test.h | 2 +- 6 files changed, 38 insertions(+), 6 deletions(-) create mode 100644 wolfcrypt/benchmark/benchmark.h diff --git a/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c b/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c index d8f559d4c..cdb8efd26 100644 --- a/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c +++ b/IDE/IAR-EWARM/Projects/benchmark/benchmark-main.c @@ -24,6 +24,7 @@ #endif #include +#include typedef struct func_args { int argc; @@ -34,11 +35,8 @@ typedef struct func_args { func_args args = { 0 } ; extern double current_time(int reset) ; -extern int benchmark_test(void *args) ; main(void) { benchmark_test(&args) ; return 0; } - - diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c b/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c index 99cf1fbc9..9d3891e62 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c +++ b/IDE/ROWLEY-CROSSWORKS-ARM/benchmark_main.c @@ -24,6 +24,7 @@ #endif #include +#include #include typedef struct func_args { @@ -34,8 +35,7 @@ typedef struct func_args { static func_args args = { 0 } ; -extern double current_time(int reset) ; -extern int benchmark_test(void *args) ; +extern double current_time(int reset); void main(void) { diff --git a/wolfcrypt/benchmark/benchmark.c b/wolfcrypt/benchmark/benchmark.c index f36563d4c..723194418 100644 --- a/wolfcrypt/benchmark/benchmark.c +++ b/wolfcrypt/benchmark/benchmark.c @@ -122,6 +122,7 @@ #pragma warning(disable: 4996) #endif +#include "wolfcrypt/benchmark/benchmark.h" void bench_des(void); void bench_idea(void); diff --git a/wolfcrypt/benchmark/benchmark.h b/wolfcrypt/benchmark/benchmark.h new file mode 100644 index 000000000..3905eebf7 --- /dev/null +++ b/wolfcrypt/benchmark/benchmark.h @@ -0,0 +1,32 @@ +/* wolfcrypt/benchmark/benchmark.h + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + +#pragma once + +#ifdef __cplusplus + extern "C" { +#endif + +int benchmark_test(void* args); + +#ifdef __cplusplus + } /* extern "C" */ +#endif diff --git a/wolfcrypt/benchmark/include.am b/wolfcrypt/benchmark/include.am index eee26235f..f147883da 100644 --- a/wolfcrypt/benchmark/include.am +++ b/wolfcrypt/benchmark/include.am @@ -5,6 +5,7 @@ noinst_PROGRAMS += wolfcrypt/benchmark/benchmark wolfcrypt_benchmark_benchmark_SOURCES = wolfcrypt/benchmark/benchmark.c wolfcrypt_benchmark_benchmark_LDADD = src/libwolfssl.la $(LIB_STATIC_ADD) wolfcrypt_benchmark_benchmark_DEPENDENCIES = src/libwolfssl.la +noinst_HEADERS += wolfcrypt/benchmark/benchmark.h EXTRA_DIST += wolfcrypt/benchmark/benchmark.sln EXTRA_DIST += wolfcrypt/benchmark/benchmark.vcproj DISTCLEANFILES+= wolfcrypt/benchmark/.libs/benchmark diff --git a/wolfcrypt/test/test.h b/wolfcrypt/test/test.h index dbe6e25e0..6f9b6bd14 100644 --- a/wolfcrypt/test/test.h +++ b/wolfcrypt/test/test.h @@ -1,4 +1,4 @@ -/* ctaocrypt/test/test.h +/* wolfcrypt/test/test.h * * Copyright (C) 2006-2015 wolfSSL Inc. * From cdc830c1cc7c9202881530295cdbbf69e6a03a98 Mon Sep 17 00:00:00 2001 From: David Garske Date: Tue, 17 Nov 2015 10:15:36 -0800 Subject: [PATCH 062/177] Fixes for build errors with new signature and hash wrapping functions. Disabled MD2/4 hash wrapping. --- wolfcrypt/src/hash.c | 52 +++++++++++++++++---------------------- wolfcrypt/src/signature.c | 14 +++++++++++ 2 files changed, 36 insertions(+), 30 deletions(-) diff --git a/wolfcrypt/src/hash.c b/wolfcrypt/src/hash.c index 86dd1953d..3096ec7bd 100644 --- a/wolfcrypt/src/hash.c +++ b/wolfcrypt/src/hash.c @@ -29,16 +29,6 @@ #include -#ifdef WOLFSSL_MD2 -#include -#endif -#ifndef NO_MD4 -#include -#endif -#ifndef NO_MD5 -#include -#endif - /* Get Hash digest size */ int wc_HashGetDigestSize(enum wc_HashType hash_type) @@ -46,16 +36,6 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type) int dig_size = BAD_FUNC_ARG; switch(hash_type) { -#ifdef WOLFSSL_MD2 - case WC_HASH_TYPE_MD2: - dig_size = MD2_DIGEST_SIZE; - break; -#endif -#ifndef NO_MD4 - case WC_HASH_TYPE_MD4: - dig_size = MD4_DIGEST_SIZE; - break; -#endif #ifndef NO_MD5 case WC_HASH_TYPE_MD5: dig_size = MD5_DIGEST_SIZE; @@ -82,8 +62,16 @@ int wc_HashGetDigestSize(enum wc_HashType hash_type) break; #endif /* WOLFSSL_SHA512 */ + /* Not Supported */ +#ifdef WOLFSSL_MD2 + case WC_HASH_TYPE_MD2: +#endif +#ifndef NO_MD4 + case WC_HASH_TYPE_MD4: +#endif case WC_HASH_TYPE_NONE: default: + dig_size = BAD_FUNC_ARG; break; } return dig_size; @@ -101,19 +89,15 @@ int wc_Hash(enum wc_HashType hash_type, const byte* data, if (hash_len < dig_size) { return BUFFER_E; } + + /* Supress possible unused arg if all hashing is disabled */ + (void)data; + (void)data_len; + (void)hash; + (void)hash_len; switch(hash_type) { -#ifdef WOLFSSL_MD2 - case WC_HASH_TYPE_MD2: - ret = wc_Md2Hash(data, data_len, hash); - break; -#endif -#ifndef NO_MD4 - case WC_HASH_TYPE_MD4: - ret = wc_Md4Hash(data, data_len, hash); - break; -#endif #ifndef NO_MD5 case WC_HASH_TYPE_MD5: ret = wc_Md5Hash(data, data_len, hash); @@ -140,9 +124,17 @@ int wc_Hash(enum wc_HashType hash_type, const byte* data, break; #endif /* WOLFSSL_SHA512 */ + /* Not Supported */ +#ifdef WOLFSSL_MD2 + case WC_HASH_TYPE_MD2: +#endif +#ifndef NO_MD4 + case WC_HASH_TYPE_MD4: +#endif case WC_HASH_TYPE_NONE: default: WOLFSSL_MSG("wc_Hash: Bad hash type"); + ret = BAD_FUNC_ARG; break; } return ret; diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index 840dd394a..10aa9969f 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -35,6 +35,13 @@ #include #endif +/* If ECC and RSA are disabled then disable signature wrapper */ +#if !defined(HAVE_ECC) && defined(NO_RSA) +#undef NO_SIG_WRAPPER +#define NO_SIG_WRAPPER +#endif + +/* Signature wrapper disabled check */ #ifndef NO_SIG_WRAPPER int wc_SignatureGetSize(enum wc_SignatureType sig_type, @@ -42,6 +49,10 @@ int wc_SignatureGetSize(enum wc_SignatureType sig_type, { int sig_len = BAD_FUNC_ARG; + /* Supress possible unused args if all signature types are disabled */ + (void)key; + (void)key_len; + switch(sig_type) { #ifdef HAVE_ECC case WC_SIGNATURE_TYPE_ECC: @@ -169,6 +180,9 @@ int wc_SignatureGenerate( int ret, hash_len; byte *hash_data = NULL; + /* Supress possible unused arg if all signature types are disabled */ + (void)rng; + /* Check arguments */ if (data == NULL || data_len <= 0 || sig == NULL || sig_len == NULL || *sig_len <= 0 || key == NULL || key_len <= 0) { From e51f99a5c34ffc81f59f710a2052d3a2e3f580f4 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 18 Nov 2015 17:16:33 -0800 Subject: [PATCH 063/177] Adds LPCXpresso IDE support. Tested with the OM13076 (LPCXpresso18S37) board. --- .cproject | 266 ++++++++++ .project | 28 + IDE/LPCXPRESSO/README.md | 32 ++ IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c | 93 ++++ IDE/LPCXPRESSO/lib_wolfssl/user_settings.h | 81 +++ IDE/LPCXPRESSO/wolf_example/.cproject | 314 ++++++++++++ IDE/LPCXPRESSO/wolf_example/.project | 29 ++ IDE/LPCXPRESSO/wolf_example/readme.txt | 7 + .../wolf_example/src/cr_startup_lpc18xx.c | 484 ++++++++++++++++++ IDE/LPCXPRESSO/wolf_example/src/sysinit.c | 89 ++++ .../wolf_example/src/wolfssl_example.c | 95 ++++ IDE/include.am | 2 +- 12 files changed, 1519 insertions(+), 1 deletion(-) create mode 100644 .cproject create mode 100644 .project create mode 100644 IDE/LPCXPRESSO/README.md create mode 100644 IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c create mode 100644 IDE/LPCXPRESSO/lib_wolfssl/user_settings.h create mode 100644 IDE/LPCXPRESSO/wolf_example/.cproject create mode 100644 IDE/LPCXPRESSO/wolf_example/.project create mode 100644 IDE/LPCXPRESSO/wolf_example/readme.txt create mode 100644 IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c create mode 100644 IDE/LPCXPRESSO/wolf_example/src/sysinit.c create mode 100644 IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c diff --git a/.cproject b/.cproject new file mode 100644 index 000000000..dd29970a5 --- /dev/null +++ b/.cproject @@ -0,0 +1,266 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + <?xml version="1.0" encoding="UTF-8"?> +<TargetConfig> +<Properties property_0="" property_2="LPC18x7_43x7_2x512_BootA.cfx" property_3="NXP" property_4="LPC18S37" property_count="5" version="70200"/> +<infoList vendor="NXP"><info chip="LPC18S37" flash_driver="LPC18x7_43x7_2x512_BootA.cfx" match_id="0x0" name="LPC18S37" resetscript="LPC18LPC43InternalFLASHBootResetscript.scp" stub="crt_emu_lpc18_43_nxp"><chip><name>LPC18S37</name> +<family>LPC18xx</family> +<vendor>NXP (formerly Philips)</vendor> +<reset board="None" core="Real" sys="Real"/> +<clock changeable="TRUE" freq="20MHz" is_accurate="TRUE"/> +<memory can_program="true" id="Flash" is_ro="true" type="Flash"/> +<memory id="RAM" type="RAM"/> +<memory id="Periph" is_volatile="true" type="Peripheral"/> +<memoryInstance derived_from="Flash" id="MFlashA512" location="0x1a000000" size="0x80000"/> +<memoryInstance derived_from="Flash" id="MFlashB512" location="0x1b000000" size="0x80000"/> +<memoryInstance derived_from="RAM" id="RamLoc32" location="0x10000000" size="0x8000"/> +<memoryInstance derived_from="RAM" id="RamLoc40" location="0x10080000" size="0xa000"/> +<memoryInstance derived_from="RAM" id="RamAHB32" location="0x20000000" size="0x8000"/> +<memoryInstance derived_from="RAM" id="RamAHB16" location="0x20008000" size="0x4000"/> +<memoryInstance derived_from="RAM" id="RamAHB_ETB16" location="0x2000c000" size="0x4000"/> +<prog_flash blocksz="0x2000" location="0x1a000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/> +<prog_flash blocksz="0x10000" location="0x1a010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/> +<prog_flash blocksz="0x2000" location="0x1b000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/> +<prog_flash blocksz="0x10000" location="0x1b010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/> +<peripheralInstance derived_from="V7M_MPU" id="MPU" location="0xe000ed90"/> +<peripheralInstance derived_from="V7M_NVIC" id="NVIC" location="0xe000e000"/> +<peripheralInstance derived_from="V7M_DCR" id="DCR" location="0xe000edf0"/> +<peripheralInstance derived_from="V7M_ITM" id="ITM" location="0xe0000000"/> +<peripheralInstance derived_from="SCT" id="SCT" location="0x40000000"/> +<peripheralInstance derived_from="GPDMA" id="GPDMA" location="0x40002000"/> +<peripheralInstance derived_from="SPIFI" id="SPIFI" location="0x40003000"/> +<peripheralInstance derived_from="SDMMC" id="SDMMC" location="0x40004000"/> +<peripheralInstance derived_from="EMC" id="EMC" location="0x40005000"/> +<peripheralInstance derived_from="USB0" id="USB0" location="0x40006000"/> +<peripheralInstance derived_from="USB1" id="USB1" location="0x40007000"/> +<peripheralInstance derived_from="EEPROM" id="EEPROM" location="0x4000e000"/> +<peripheralInstance derived_from="ETHERNET" id="ETHERNET" location="0x40010000"/> +<peripheralInstance derived_from="ATIMER" id="ATIMER" location="0x40040000"/> +<peripheralInstance derived_from="REGFILE" id="REGFILE" location="0x40041000"/> +<peripheralInstance derived_from="PMC" id="PMC" location="0x40042000"/> +<peripheralInstance derived_from="CREG" id="CREG" location="0x40043000"/> +<peripheralInstance derived_from="EVENTROUTER" id="EVENTROUTER" location="0x40044000"/> +<peripheralInstance derived_from="RTC" id="RTC" location="0x40046000"/> +<peripheralInstance derived_from="CGU" id="CGU" location="0x40050000"/> +<peripheralInstance derived_from="CCU1" id="CCU1" location="0x40051000"/> +<peripheralInstance derived_from="CCU2" id="CCU2" location="0x40052000"/> +<peripheralInstance derived_from="RGU" id="RGU" location="0x40053000"/> +<peripheralInstance derived_from="WWDT" id="WWDT" location="0x40080000"/> +<peripheralInstance derived_from="USART0" id="USART0" location="0x40081000"/> +<peripheralInstance derived_from="USART2" id="USART2" location="0x400c1000"/> +<peripheralInstance derived_from="USART3" id="USART3" location="0x400c2000"/> +<peripheralInstance derived_from="UART1" id="UART1" location="0x40082000"/> +<peripheralInstance derived_from="SSP0" id="SSP0" location="0x40083000"/> +<peripheralInstance derived_from="SSP1" id="SSP1" location="0x400c5000"/> +<peripheralInstance derived_from="TIMER0" id="TIMER0" location="0x40084000"/> +<peripheralInstance derived_from="TIMER1" id="TIMER1" location="0x40085000"/> +<peripheralInstance derived_from="TIMER2" id="TIMER2" location="0x400c3000"/> +<peripheralInstance derived_from="TIMER3" id="TIMER3" location="0x400c4000"/> +<peripheralInstance derived_from="SCU" id="SCU" location="0x40086000"/> +<peripheralInstance derived_from="GPIO-PIN-INT" id="GPIO-PIN-INT" location="0x40087000"/> +<peripheralInstance derived_from="GPIO-GROUP-INT0" id="GPIO-GROUP-INT0" location="0x40088000"/> +<peripheralInstance derived_from="GPIO-GROUP-INT1" id="GPIO-GROUP-INT1" location="0x40089000"/> +<peripheralInstance derived_from="MCPWM" id="MCPWM" location="0x400a0000"/> +<peripheralInstance derived_from="I2C0" id="I2C0" location="0x400a1000"/> +<peripheralInstance derived_from="I2C1" id="I2C1" location="0x400e0000"/> +<peripheralInstance derived_from="I2S0" id="I2S0" location="0x400a2000"/> +<peripheralInstance derived_from="I2S1" id="I2S1" location="0x400a3000"/> +<peripheralInstance derived_from="C-CAN1" id="C-CAN1" location="0x400a4000"/> +<peripheralInstance derived_from="RITIMER" id="RITIMER" location="0x400c0000"/> +<peripheralInstance derived_from="QEI" id="QEI" location="0x400c6000"/> +<peripheralInstance derived_from="GIMA" id="GIMA" location="0x400c7000"/> +<peripheralInstance derived_from="DAC" id="DAC" location="0x400e1000"/> +<peripheralInstance derived_from="C-CAN0" id="C-CAN0" location="0x400e2000"/> +<peripheralInstance derived_from="ADC0" id="ADC0" location="0x400e3000"/> +<peripheralInstance derived_from="ADC1" id="ADC1" location="0x400e4000"/> +<peripheralInstance derived_from="GPIO-PORT" id="GPIO-PORT" location="0x400f4000"/> +</chip> +<processor><name gcc_name="cortex-m3">Cortex-M3</name> +<family>Cortex-M</family> +</processor> +<link href="nxp_lpc18xx_peripheral.xme" show="embed" type="simple"/> +</info> +</infoList> +</TargetConfig> + + + + + + + + + + + + + + + + + + diff --git a/.project b/.project new file mode 100644 index 000000000..9c76912ee --- /dev/null +++ b/.project @@ -0,0 +1,28 @@ + + + lib_wolfssl + + + lpc_board_nxp_lpcxpresso_1837 + lpc_chip_18xx + + + + org.eclipse.cdt.managedbuilder.core.genmakebuilder + clean,full,incremental, + + + + + org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder + full,incremental, + + + + + + org.eclipse.cdt.core.cnature + org.eclipse.cdt.managedbuilder.core.managedBuildNature + org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + + diff --git a/IDE/LPCXPRESSO/README.md b/IDE/LPCXPRESSO/README.md new file mode 100644 index 000000000..9a93c021a --- /dev/null +++ b/IDE/LPCXPRESSO/README.md @@ -0,0 +1,32 @@ +# WolfSSL Example using the OM13076 (LPCXpresso18S37) board + +To use, install the NXP LPCXpresso IDE and import the projects in a new workspace. + +1. Run LPCXpresso and choose a workspace location. +2. Right click in the project exporer window and choose Inport. +3. Under General choose "Existing Projects into Workspace". +4. Under "Select root directory" click browse and select the wolfSSL root. +5. Check the "Search for nested projects" box. +5. Make sure "wolfssl" and "wolfssl_example" are checked under "Projects:". +6. Click finish. +7. Download the board and chip LPCOpen package for your platform. +8. Import the projects. For example "lpc_board_nxp_lpcxpresso_1837" and "lpc_chip_18xx" are the ones for the LPC18S37. + +To setup this example to work with different baords/chips you will need to locate the LPCOpen sources for LPCXpresso on the NXP website and import the board and chip projects. Then you will need to update the "wolfssl_example" project properties to reference these projects (C/C++ General -> Paths and Symbols -> References). See the [LPCOpen v2.xx LPCXpresso quickstart guide for all platforms](https://www.lpcware.com/content/project/lpcopen-platform-nxp-lpc-microcontrollers/lpcopen-v200-quickstart-guides/lpcopen-1) for additional information. + + +## WolfSSL example projects: + +1. `wolf_example`. It has console options to run the Wolf tests and benchmarks ('t' for the WolfSSL Tests and 'b' for the WolfSSL Benchmarks). + +## Static libraries projects: + +1. `wolfssl` for WolfSSL. The WolfSSL port for the LPC18XX platform is located in `IDE/LPCXPRESSO/lpc_18xx_port.c`. This has platform specific functions for `current_time` and `rand_gen`. The `WOLF_USER_SETTINGS` define is set which allows all WolfSSL settings to exist in the `user_settings.h` file (see this file for all customizations used). + +## Important Files + +1. `IDE/LPCXPRESSO/user_settings.h`. This provides a reference for library settings used to optimize for this embedded platform. + +2. `IDE/LPCXPRESSO/lpc_18xx_port.c`. This defines the required time and random number functions for the WolfSSL library. + +3. `IDE/LPCXPRESSO/wolf_example/wolf_example.c`. This shows use of the WolfSSL tests and benchmarks. diff --git a/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c b/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c new file mode 100644 index 000000000..dfdff06c4 --- /dev/null +++ b/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c @@ -0,0 +1,93 @@ +/* + * lpc_18xx_port.c + * + * Created on: Nov 4, 2015 + * Author: davidgarske + */ +#include "board.h" +#include "otp_18xx_43xx.h" /* For RNG */ +#include "timer_18xx_43xx.h" + +static uint32_t mTimeInit = 0; +#define TIMER_SCALER 1000000 +static void init_time(void) +{ + if(mTimeInit == 0) { + uint32_t timerFreq; + + /* Set current time for RTC 2:00:00PM, 2012-10-05 */ + RTC_TIME_T FullTime; + + Chip_RTC_Init(LPC_RTC); + + FullTime.time[RTC_TIMETYPE_SECOND] = 0; + FullTime.time[RTC_TIMETYPE_MINUTE] = 0; + FullTime.time[RTC_TIMETYPE_HOUR] = 14; + FullTime.time[RTC_TIMETYPE_DAYOFMONTH] = 5; + FullTime.time[RTC_TIMETYPE_DAYOFWEEK] = 5; + FullTime.time[RTC_TIMETYPE_DAYOFYEAR] = 279; + FullTime.time[RTC_TIMETYPE_MONTH] = 10; + FullTime.time[RTC_TIMETYPE_YEAR] = 2012; + + Chip_RTC_SetFullTime(LPC_RTC, &FullTime); + + /* Enable RTC (starts increase the tick counter and second counter register) */ + Chip_RTC_Enable(LPC_RTC, ENABLE); + + /* Enable timer 1 clock and reset it */ + Chip_TIMER_Init(LPC_TIMER2); + Chip_RGU_TriggerReset(RGU_TIMER2_RST); + while (Chip_RGU_InReset(RGU_TIMER2_RST)) {} + + /* Get timer peripheral clock rate */ + timerFreq = Chip_Clock_GetRate(CLK_MX_TIMER2); + + /* Timer setup */ + Chip_TIMER_Reset(LPC_TIMER2); + Chip_TIMER_PrescaleSet(LPC_TIMER2, timerFreq/TIMER_SCALER); + Chip_TIMER_Enable(LPC_TIMER2); + + mTimeInit = 1; + } +} + +double current_time() +{ + //RTC_TIME_T FullTime; + uint32_t timerMs; + + init_time(); + timerMs = Chip_TIMER_ReadCount(LPC_TIMER2); + + //Chip_RTC_GetFullTime(LPC_RTC, &FullTime); + //(double)FullTime.time[RTC_TIMETYPE_SECOND] + + return (double)timerMs/TIMER_SCALER; +} + +/* Memory location of the generated random numbers (for total of 128 bits) */ +static volatile uint32_t* mRandData = (uint32_t*)0x40045050; +static uint32_t mRandInit = 0; +static uint32_t mRandIndex = 0; +uint32_t rand_gen(void) +{ + uint32_t rand = 0; + uint32_t status = LPC_OK; + if(mRandIndex == 0) { + if(mRandInit == 0) { + Chip_OTP_Init(); + mRandInit = 1; + } + status = Chip_OTP_GenRand(); + } + if(status == LPC_OK) { + rand = mRandData[mRandIndex]; + } + else { + printf("GenRand Failed 0x%x\n", status); + } + if(++mRandIndex > 4) { + mRandIndex = 0; + } + return rand; +} diff --git a/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h new file mode 100644 index 000000000..1414154ba --- /dev/null +++ b/IDE/LPCXPRESSO/lib_wolfssl/user_settings.h @@ -0,0 +1,81 @@ +#include + +/* Configuration */ +#define WOLFSSL_USER_IO +#define WOLFSSL_GENERAL_ALIGNMENT 4 +#define WOLFSSL_SMALL_STACK +#define WOLFSSL_BASE64_ENCODE +#define WOLFSSL_SHA512 + +#define HAVE_ECC +#define HAVE_AESGCM +#define HAVE_CURVE25519 +#define HAVE_HKDF +#define HAVE_HASHDRBG +#define HAVE_CHACHA +#define HAVE_POLY1305 +#define HAVE_ONE_TIME_AUTH +#define HAVE_TLS_EXTENSIONS +#define HAVE_SUPPORTED_CURVES +#define HAVE_ERRNO_H +#define HAVE_LWIP_NATIVE + +#define FP_LUT 4 +#define FP_MAX_BITS 2048 /* 4096 */ +#define FP_MAX_BITS_ECC 512 +#define ALT_ECC_SIZE +#define USE_FAST_MATH +#define SMALL_SESSION_CACHE +#define CURVED25519_SMALL +#define RSA_LOW_MEM +#define GCM_SMALL +#define ECC_SHAMIR +#define USE_SLOW_SHA2 +#define MP_LOW_MEM +#define TFM_TIMING_RESISTANT +//#define TFM_ARM + + +/* Remove Features */ +#define NO_DEV_RANDOM +#define NO_FILESYSTEM +#define NO_WRITEV +#define NO_MAIN_DRIVER +#define NO_WOLFSSL_MEMORY +#define NO_DEV_RANDOM +#define NO_MD4 +#define NO_RABBIT +#define NO_HC128 +#define NO_DSA +#define NO_PWDBASED +#define NO_PSK +#define NO_64BIT +#define NO_WOLFSSL_SERVER +#define NO_OLD_TLS +#define ECC_USER_CURVES /* Disables P-112, P-128, P-160, P-192, P-224, P-384, P-521 but leaves P-256 enabled */ +#define NO_DES3 +#define NO_MD5 +#define NO_RC4 +#define NO_DH +#define NO_SHA + + +/* Benchmark / Testing */ +#define BENCH_EMBEDDED +#define USE_CERT_BUFFERS_1024 + + +/* Custom functions */ +extern uint32_t rand_gen(void); +#define CUSTOM_RAND_GENERATE rand_gen +#define CUSTOM_RAND_TYPE uint32_t + +extern double current_time(int reset); +#define WOLFSSL_USER_CURRTIME + + +/* Debugging - Optional */ +#if 0 +#define fprintf(file, format, ...) printf(format, ##__VA_ARGS__) +#define DEBUG_WOLFSSL +#endif diff --git a/IDE/LPCXPRESSO/wolf_example/.cproject b/IDE/LPCXPRESSO/wolf_example/.cproject new file mode 100644 index 000000000..a6d5e4962 --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/.cproject @@ -0,0 +1,314 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + <?xml version="1.0" encoding="UTF-8"?> +<TargetConfig> +<Properties property_0="" property_2="LPC18x7_43x7_2x512_BootA.cfx" property_3="NXP" property_4="LPC1837" property_count="5" version="70200"/> +<infoList vendor="NXP"><info chip="LPC1837" flash_driver="LPC18x7_43x7_2x512_BootA.cfx" match_id="0x0" name="LPC1837" resetscript="LPC18LPC43InternalFLASHBootResetscript.scp" stub="crt_emu_lpc18_43_nxp"><chip><name>LPC1837</name> +<family>LPC18xx</family> +<vendor>NXP (formerly Philips)</vendor> +<reset board="None" core="Real" sys="Real"/> +<clock changeable="TRUE" freq="20MHz" is_accurate="TRUE"/> +<memory can_program="true" id="Flash" is_ro="true" type="Flash"/> +<memory id="RAM" type="RAM"/> +<memory id="Periph" is_volatile="true" type="Peripheral"/> +<memoryInstance derived_from="Flash" id="MFlashA512" location="0x1a000000" size="0x80000"/> +<memoryInstance derived_from="Flash" id="MFlashB512" location="0x1b000000" size="0x80000"/> +<memoryInstance derived_from="RAM" id="RamLoc32" location="0x10000000" size="0x8000"/> +<memoryInstance derived_from="RAM" id="RamLoc40" location="0x10080000" size="0xa000"/> +<memoryInstance derived_from="RAM" id="RamAHB32" location="0x20000000" size="0x8000"/> +<memoryInstance derived_from="RAM" id="RamAHB16" location="0x20008000" size="0x4000"/> +<memoryInstance derived_from="RAM" id="RamAHB_ETB16" location="0x2000c000" size="0x4000"/> +<prog_flash blocksz="0x2000" location="0x1a000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/> +<prog_flash blocksz="0x10000" location="0x1a010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/> +<prog_flash blocksz="0x2000" location="0x1b000000" maxprgbuff="0x400" progwithcode="TRUE" size="0x10000"/> +<prog_flash blocksz="0x10000" location="0x1b010000" maxprgbuff="0x400" progwithcode="TRUE" size="0x70000"/> +<peripheralInstance derived_from="V7M_MPU" determined="infoFile" id="MPU" location="0xe000ed90"/> +<peripheralInstance derived_from="V7M_NVIC" determined="infoFile" id="NVIC" location="0xe000e000"/> +<peripheralInstance derived_from="V7M_DCR" determined="infoFile" id="DCR" location="0xe000edf0"/> +<peripheralInstance derived_from="V7M_ITM" determined="infoFile" id="ITM" location="0xe0000000"/> +<peripheralInstance derived_from="SCT" determined="infoFile" id="SCT" location="0x40000000"/> +<peripheralInstance derived_from="GPDMA" determined="infoFile" id="GPDMA" location="0x40002000"/> +<peripheralInstance derived_from="SPIFI" determined="infoFile" id="SPIFI" location="0x40003000"/> +<peripheralInstance derived_from="SDMMC" determined="infoFile" id="SDMMC" location="0x40004000"/> +<peripheralInstance derived_from="EMC" determined="infoFile" id="EMC" location="0x40005000"/> +<peripheralInstance derived_from="USB0" determined="infoFile" id="USB0" location="0x40006000"/> +<peripheralInstance derived_from="USB1" determined="infoFile" id="USB1" location="0x40007000"/> +<peripheralInstance derived_from="EEPROM" determined="infoFile" id="EEPROM" location="0x4000e000"/> +<peripheralInstance derived_from="ETHERNET" determined="infoFile" id="ETHERNET" location="0x40010000"/> +<peripheralInstance derived_from="ATIMER" determined="infoFile" id="ATIMER" location="0x40040000"/> +<peripheralInstance derived_from="REGFILE" determined="infoFile" id="REGFILE" location="0x40041000"/> +<peripheralInstance derived_from="PMC" determined="infoFile" id="PMC" location="0x40042000"/> +<peripheralInstance derived_from="CREG" determined="infoFile" id="CREG" location="0x40043000"/> +<peripheralInstance derived_from="EVENTROUTER" determined="infoFile" id="EVENTROUTER" location="0x40044000"/> +<peripheralInstance derived_from="RTC" determined="infoFile" id="RTC" location="0x40046000"/> +<peripheralInstance derived_from="CGU" determined="infoFile" id="CGU" location="0x40050000"/> +<peripheralInstance derived_from="CCU1" determined="infoFile" id="CCU1" location="0x40051000"/> +<peripheralInstance derived_from="CCU2" determined="infoFile" id="CCU2" location="0x40052000"/> +<peripheralInstance derived_from="RGU" determined="infoFile" id="RGU" location="0x40053000"/> +<peripheralInstance derived_from="WWDT" determined="infoFile" id="WWDT" location="0x40080000"/> +<peripheralInstance derived_from="USART0" determined="infoFile" id="USART0" location="0x40081000"/> +<peripheralInstance derived_from="USART2" determined="infoFile" id="USART2" location="0x400c1000"/> +<peripheralInstance derived_from="USART3" determined="infoFile" id="USART3" location="0x400c2000"/> +<peripheralInstance derived_from="UART1" determined="infoFile" id="UART1" location="0x40082000"/> +<peripheralInstance derived_from="SSP0" determined="infoFile" id="SSP0" location="0x40083000"/> +<peripheralInstance derived_from="SSP1" determined="infoFile" id="SSP1" location="0x400c5000"/> +<peripheralInstance derived_from="TIMER0" determined="infoFile" id="TIMER0" location="0x40084000"/> +<peripheralInstance derived_from="TIMER1" determined="infoFile" id="TIMER1" location="0x40085000"/> +<peripheralInstance derived_from="TIMER2" determined="infoFile" id="TIMER2" location="0x400c3000"/> +<peripheralInstance derived_from="TIMER3" determined="infoFile" id="TIMER3" location="0x400c4000"/> +<peripheralInstance derived_from="SCU" determined="infoFile" id="SCU" location="0x40086000"/> +<peripheralInstance derived_from="GPIO-PIN-INT" determined="infoFile" id="GPIO-PIN-INT" location="0x40087000"/> +<peripheralInstance derived_from="GPIO-GROUP-INT0" determined="infoFile" id="GPIO-GROUP-INT0" location="0x40088000"/> +<peripheralInstance derived_from="GPIO-GROUP-INT1" determined="infoFile" id="GPIO-GROUP-INT1" location="0x40089000"/> +<peripheralInstance derived_from="MCPWM" determined="infoFile" id="MCPWM" location="0x400a0000"/> +<peripheralInstance derived_from="I2C0" determined="infoFile" id="I2C0" location="0x400a1000"/> +<peripheralInstance derived_from="I2C1" determined="infoFile" id="I2C1" location="0x400e0000"/> +<peripheralInstance derived_from="I2S0" determined="infoFile" id="I2S0" location="0x400a2000"/> +<peripheralInstance derived_from="I2S1" determined="infoFile" id="I2S1" location="0x400a3000"/> +<peripheralInstance derived_from="C-CAN1" determined="infoFile" id="C-CAN1" location="0x400a4000"/> +<peripheralInstance derived_from="RITIMER" determined="infoFile" id="RITIMER" location="0x400c0000"/> +<peripheralInstance derived_from="QEI" determined="infoFile" id="QEI" location="0x400c6000"/> +<peripheralInstance derived_from="GIMA" determined="infoFile" id="GIMA" location="0x400c7000"/> +<peripheralInstance derived_from="DAC" determined="infoFile" id="DAC" location="0x400e1000"/> +<peripheralInstance derived_from="C-CAN0" determined="infoFile" id="C-CAN0" location="0x400e2000"/> +<peripheralInstance derived_from="ADC0" determined="infoFile" id="ADC0" location="0x400e3000"/> +<peripheralInstance derived_from="ADC1" determined="infoFile" id="ADC1" location="0x400e4000"/> +<peripheralInstance derived_from="GPIO-PORT" determined="infoFile" id="GPIO-PORT" location="0x400f4000"/> +</chip> +<processor><name gcc_name="cortex-m3">Cortex-M3</name> +<family>Cortex-M</family> +</processor> +<link href="nxp_lpc18xx_peripheral.xme" show="embed" type="simple"/> +</info> +</infoList> +</TargetConfig> + + + + + + + + + + + + + + + + + + diff --git a/IDE/LPCXPRESSO/wolf_example/.project b/IDE/LPCXPRESSO/wolf_example/.project new file mode 100644 index 000000000..32f134304 --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/.project @@ -0,0 +1,29 @@ + + + wolf_example + + + lpc_chip_18xx + lpc_board_nxp_lpcxpresso_1837 + wolfssl + + + + org.eclipse.cdt.managedbuilder.core.genmakebuilder + clean,full,incremental, + + + + + org.eclipse.cdt.managedbuilder.core.ScannerConfigBuilder + full,incremental, + + + + + + org.eclipse.cdt.core.cnature + org.eclipse.cdt.managedbuilder.core.managedBuildNature + org.eclipse.cdt.managedbuilder.core.ScannerConfigNature + + diff --git a/IDE/LPCXPRESSO/wolf_example/readme.txt b/IDE/LPCXPRESSO/wolf_example/readme.txt new file mode 100644 index 000000000..37686e98f --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/readme.txt @@ -0,0 +1,7 @@ +wolfSSL example + +Target board LPC43S37 Xpresso board +The board communicates to the PC terminal through UART0 at 115200. +This example builds the wolfSSL library, test and benchmark examples. +Use 't' to launch the WolfSSL Test +Use 'b' to launch the WolfSSL Benchmark diff --git a/IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c b/IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c new file mode 100644 index 000000000..fe13845e9 --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c @@ -0,0 +1,484 @@ +//***************************************************************************** +// LPC18xx Microcontroller Startup code for use with LPCXpresso IDE +// +// Version : 141204 +//***************************************************************************** +// +// Copyright(C) NXP Semiconductors, 2013-2014 +// All rights reserved. +// +// Software that is described herein is for illustrative purposes only +// which provides customers with programming information regarding the +// LPC products. This software is supplied "AS IS" without any warranties of +// any kind, and NXP Semiconductors and its licensor disclaim any and +// all warranties, express or implied, including all implied warranties of +// merchantability, fitness for a particular purpose and non-infringement of +// intellectual property rights. NXP Semiconductors assumes no responsibility +// or liability for the use of the software, conveys no license or rights under any +// patent, copyright, mask work right, or any other intellectual property rights in +// or to any products. NXP Semiconductors reserves the right to make changes +// in the software without notification. NXP Semiconductors also makes no +// representation or warranty that such application will be suitable for the +// specified use without further testing or modification. +// +// Permission to use, copy, modify, and distribute this software and its +// documentation is hereby granted, under NXP Semiconductors' and its +// licensor's relevant copyrights in the software, without fee, provided that it +// is used in conjunction with NXP Semiconductors microcontrollers. This +// copyright, permission, and disclaimer notice must appear in all copies of +// this code. +//***************************************************************************** + +#if defined (__cplusplus) +#ifdef __REDLIB__ +#error Redlib does not support C++ +#else +//***************************************************************************** +// +// The entry point for the C++ library startup +// +//***************************************************************************** +extern "C" { + extern void __libc_init_array(void); +} +#endif +#endif + +#define WEAK __attribute__ ((weak)) +#define ALIAS(f) __attribute__ ((weak, alias (#f))) + +//***************************************************************************** +#if defined (__cplusplus) +extern "C" { +#endif + +//***************************************************************************** +#if defined (__USE_CMSIS) || defined (__USE_LPCOPEN) +// Declaration of external SystemInit function +extern void SystemInit(void); +#endif + +//***************************************************************************** +// +// Forward declaration of the default handlers. These are aliased. +// When the application defines a handler (with the same name), this will +// automatically take precedence over these weak definitions +// +//***************************************************************************** + void ResetISR(void); +WEAK void NMI_Handler(void); +WEAK void HardFault_Handler(void); +WEAK void MemManage_Handler(void); +WEAK void BusFault_Handler(void); +WEAK void UsageFault_Handler(void); +WEAK void SVC_Handler(void); +WEAK void DebugMon_Handler(void); +WEAK void PendSV_Handler(void); +WEAK void SysTick_Handler(void); +WEAK void IntDefaultHandler(void); + +//***************************************************************************** +// +// Forward declaration of the specific IRQ handlers. These are aliased +// to the IntDefaultHandler, which is a 'forever' loop. When the application +// defines a handler (with the same name), this will automatically take +// precedence over these weak definitions +// +//***************************************************************************** +void DAC_IRQHandler(void) ALIAS(IntDefaultHandler); +void DMA_IRQHandler(void) ALIAS(IntDefaultHandler); +void FLASHEEPROM_IRQHandler(void) ALIAS(IntDefaultHandler); +void ETH_IRQHandler(void) ALIAS(IntDefaultHandler); +void SDIO_IRQHandler(void) ALIAS(IntDefaultHandler); +void LCD_IRQHandler(void) ALIAS(IntDefaultHandler); +void USB0_IRQHandler(void) ALIAS(IntDefaultHandler); +void USB1_IRQHandler(void) ALIAS(IntDefaultHandler); +void SCT_IRQHandler(void) ALIAS(IntDefaultHandler); +void RIT_IRQHandler(void) ALIAS(IntDefaultHandler); +void TIMER0_IRQHandler(void) ALIAS(IntDefaultHandler); +void TIMER1_IRQHandler(void) ALIAS(IntDefaultHandler); +void TIMER2_IRQHandler(void) ALIAS(IntDefaultHandler); +void TIMER3_IRQHandler(void) ALIAS(IntDefaultHandler); +void MCPWM_IRQHandler(void) ALIAS(IntDefaultHandler); +void ADC0_IRQHandler(void) ALIAS(IntDefaultHandler); +void I2C0_IRQHandler(void) ALIAS(IntDefaultHandler); +void I2C1_IRQHandler(void) ALIAS(IntDefaultHandler); +void ADC1_IRQHandler(void) ALIAS(IntDefaultHandler); +void SSP0_IRQHandler(void) ALIAS(IntDefaultHandler); +void SSP1_IRQHandler(void) ALIAS(IntDefaultHandler); +void UART0_IRQHandler(void) ALIAS(IntDefaultHandler); +void UART1_IRQHandler(void) ALIAS(IntDefaultHandler); +void UART2_IRQHandler(void) ALIAS(IntDefaultHandler); +void UART3_IRQHandler(void) ALIAS(IntDefaultHandler); +void I2S0_IRQHandler(void) ALIAS(IntDefaultHandler); +void I2S1_IRQHandler(void) ALIAS(IntDefaultHandler); +void SPIFI_IRQHandler(void) ALIAS(IntDefaultHandler); +void SGPIO_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO0_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO1_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO2_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO3_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO4_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO5_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO6_IRQHandler(void) ALIAS(IntDefaultHandler); +void GPIO7_IRQHandler(void) ALIAS(IntDefaultHandler); +void GINT0_IRQHandler(void) ALIAS(IntDefaultHandler); +void GINT1_IRQHandler(void) ALIAS(IntDefaultHandler); +void EVRT_IRQHandler(void) ALIAS(IntDefaultHandler); +void CAN1_IRQHandler(void) ALIAS(IntDefaultHandler); +void ATIMER_IRQHandler(void) ALIAS(IntDefaultHandler); +void RTC_IRQHandler(void) ALIAS(IntDefaultHandler); +void WDT_IRQHandler(void) ALIAS(IntDefaultHandler); +void CAN0_IRQHandler(void) ALIAS(IntDefaultHandler); +void QEI_IRQHandler(void) ALIAS(IntDefaultHandler); + +//***************************************************************************** +// +// The entry point for the application. +// __main() is the entry point for Redlib based applications +// main() is the entry point for Newlib based applications +// +//***************************************************************************** +#if defined (__REDLIB__) +extern void __main(void); +#endif +extern int main(void); +//***************************************************************************** +// +// External declaration for the pointer to the stack top from the Linker Script +// +//***************************************************************************** +extern void _vStackTop(void); + +//***************************************************************************** +#if defined (__cplusplus) +} // extern "C" +#endif +//***************************************************************************** +// +// The vector table. +// This relies on the linker script to place at correct location in memory. +// +//***************************************************************************** +extern void (* const g_pfnVectors[])(void); +__attribute__ ((used,section(".isr_vector"))) +void (* const g_pfnVectors[])(void) = { + // Core Level - CM3 + &_vStackTop, // The initial stack pointer + ResetISR, // The reset handler + NMI_Handler, // The NMI handler + HardFault_Handler, // The hard fault handler + MemManage_Handler, // The MPU fault handler + BusFault_Handler, // The bus fault handler + UsageFault_Handler, // The usage fault handler + 0, // Reserved + 0, // Reserved + 0, // Reserved + 0, // Reserved + SVC_Handler, // SVCall handler + DebugMon_Handler, // Debug monitor handler + 0, // Reserved + PendSV_Handler, // The PendSV handler + SysTick_Handler, // The SysTick handler + + // Chip Level - LPC18 + DAC_IRQHandler, // 16 + 0, // 17 + DMA_IRQHandler, // 18 + 0, // 19 + FLASHEEPROM_IRQHandler, // 20 ORed flash Bank A, flash Bank B, EEPROM interrupts + ETH_IRQHandler, // 21 + SDIO_IRQHandler, // 22 + LCD_IRQHandler, // 23 + USB0_IRQHandler, // 24 + USB1_IRQHandler, // 25 + SCT_IRQHandler, // 26 + RIT_IRQHandler, // 27 + TIMER0_IRQHandler, // 28 + TIMER1_IRQHandler, // 29 + TIMER2_IRQHandler, // 30 + TIMER3_IRQHandler, // 31 + MCPWM_IRQHandler, // 32 + ADC0_IRQHandler, // 33 + I2C0_IRQHandler, // 34 + I2C1_IRQHandler, // 35 + 0, // 36 + ADC1_IRQHandler, // 37 + SSP0_IRQHandler, // 38 + SSP1_IRQHandler, // 39 + UART0_IRQHandler, // 40 + UART1_IRQHandler, // 41 + UART2_IRQHandler, // 42 + UART3_IRQHandler, // 43 + I2S0_IRQHandler, // 44 + I2S1_IRQHandler, // 45 + SPIFI_IRQHandler, // 46 + SGPIO_IRQHandler, // 47 + GPIO0_IRQHandler, // 48 + GPIO1_IRQHandler, // 49 + GPIO2_IRQHandler, // 50 + GPIO3_IRQHandler, // 51 + GPIO4_IRQHandler, // 52 + GPIO5_IRQHandler, // 53 + GPIO6_IRQHandler, // 54 + GPIO7_IRQHandler, // 55 + GINT0_IRQHandler, // 56 + GINT1_IRQHandler, // 57 + EVRT_IRQHandler, // 58 + CAN1_IRQHandler, // 59 + 0, // 60 + 0, // 61 + ATIMER_IRQHandler, // 62 + RTC_IRQHandler, // 63 + 0, // 64 + WDT_IRQHandler, // 65 + 0, // 66 + CAN0_IRQHandler, // 67 + QEI_IRQHandler, // 68 +}; + +//***************************************************************************** +// Functions to carry out the initialization of RW and BSS data sections. These +// are written as separate functions rather than being inlined within the +// ResetISR() function in order to cope with MCUs with multiple banks of +// memory. +//***************************************************************************** +__attribute__ ((section(".after_vectors"))) +void data_init(unsigned int romstart, unsigned int start, unsigned int len) { + unsigned int *pulDest = (unsigned int*) start; + unsigned int *pulSrc = (unsigned int*) romstart; + unsigned int loop; + for (loop = 0; loop < len; loop = loop + 4) + *pulDest++ = *pulSrc++; +} + +__attribute__ ((section(".after_vectors"))) +void bss_init(unsigned int start, unsigned int len) { + unsigned int *pulDest = (unsigned int*) start; + unsigned int loop; + for (loop = 0; loop < len; loop = loop + 4) + *pulDest++ = 0; +} + +//***************************************************************************** +// The following symbols are constructs generated by the linker, indicating +// the location of various points in the "Global Section Table". This table is +// created by the linker via the Code Red managed linker script mechanism. It +// contains the load address, execution address and length of each RW data +// section and the execution and length of each BSS (zero initialized) section. +//***************************************************************************** +extern unsigned int __data_section_table; +extern unsigned int __data_section_table_end; +extern unsigned int __bss_section_table; +extern unsigned int __bss_section_table_end; + +//***************************************************************************** +// Reset entry point for your code. +// Sets up a simple runtime environment and initializes the C/C++ +// library. +// +//***************************************************************************** +void +ResetISR(void) { + +// ************************************************************* +// The following conditional block of code manually resets as +// much of the peripheral set of the LPC18 as possible. This is +// done because the LPC18 does not provide a means of triggering +// a full system reset under debugger control, which can cause +// problems in certain circumstances when debugging. +// +// You can prevent this code block being included if you require +// (for example when creating a final executable which you will +// not debug) by setting the define 'DONT_RESET_ON_RESTART'. +// +#ifndef DONT_RESET_ON_RESTART + + // Disable interrupts + __asm volatile ("cpsid i"); + // equivalent to CMSIS '__disable_irq()' function + + unsigned int *RESET_CONTROL = (unsigned int *) 0x40053100; + // LPC_RGU->RESET_CTRL0 @ 0x40053100 + // LPC_RGU->RESET_CTRL1 @ 0x40053104 + // Note that we do not use the CMSIS register access mechanism, + // as there is no guarantee that the project has been configured + // to use CMSIS. + + // Write to LPC_RGU->RESET_CTRL0 + *(RESET_CONTROL+0) = 0x10DF0000; + // GPIO_RST|AES_RST|ETHERNET_RST|SDIO_RST|DMA_RST| + // USB1_RST|USB0_RST|LCD_RST + + // Write to LPC_RGU->RESET_CTRL1 + *(RESET_CONTROL+1) = 0x00DFF7FF; + // CAN0_RST|CAN1_RST|I2S_RST|SSP1_RST|SSP0_RST| + // I2C1_RST|I2C0_RST|UART3_RST|UART1_RST|UART1_RST|UART0_RST| + // DAC_RST|ADC1_RST|ADC0_RST|QEI_RST|MOTOCONPWM_RST|SCT_RST| + // RITIMER_RST|TIMER3_RST|TIMER2_RST|TIMER1_RST|TIMER0_RST + + // Clear all pending interrupts in the NVIC + volatile unsigned int *NVIC_ICPR = (unsigned int *) 0xE000E280; + unsigned int irqpendloop; + for (irqpendloop = 0; irqpendloop < 8; irqpendloop++) { + *(NVIC_ICPR+irqpendloop)= 0xFFFFFFFF; + } + + // Reenable interrupts + __asm volatile ("cpsie i"); + // equivalent to CMSIS '__enable_irq()' function + +#endif // ifndef DONT_RESET_ON_RESTART +// ************************************************************* + + +#if defined (__USE_LPCOPEN) + SystemInit(); +#endif + + // + // Copy the data sections from flash to SRAM. + // + unsigned int LoadAddr, ExeAddr, SectionLen; + unsigned int *SectionTableAddr; + + // Load base address of Global Section Table + SectionTableAddr = &__data_section_table; + + // Copy the data sections from flash to SRAM. + while (SectionTableAddr < &__data_section_table_end) { + LoadAddr = *SectionTableAddr++; + ExeAddr = *SectionTableAddr++; + SectionLen = *SectionTableAddr++; + data_init(LoadAddr, ExeAddr, SectionLen); + } + // At this point, SectionTableAddr = &__bss_section_table; + // Zero fill the bss segment + while (SectionTableAddr < &__bss_section_table_end) { + ExeAddr = *SectionTableAddr++; + SectionLen = *SectionTableAddr++; + bss_init(ExeAddr, SectionLen); + } + + // ****************************** + // Check to see if we are running the code from a non-zero + // address (eg RAM, external flash), in which case we need + // to modify the VTOR register to tell the CPU that the + // vector table is located at a non-0x0 address. + + // Note that we do not use the CMSIS register access mechanism, + // as there is no guarantee that the project has been configured + // to use CMSIS. + unsigned int * pSCB_VTOR = (unsigned int *) 0xE000ED08; + if ((unsigned int *)g_pfnVectors!=(unsigned int *) 0x00000000) { + // CMSIS : SCB->VTOR =
+ *pSCB_VTOR = (unsigned int)g_pfnVectors; + } + +#if defined (__USE_CMSIS) + SystemInit(); +#endif + +#if defined (__cplusplus) + // + // Call C++ library initialisation + // + __libc_init_array(); +#endif + +#if defined (__REDLIB__) + // Call the Redlib library, which in turn calls main() + __main() ; +#else + main(); +#endif + + // + // main() shouldn't return, but if it does, we'll just enter an infinite loop + // + while (1) { + ; + } +} + +//***************************************************************************** +// Default exception handlers. Override the ones here by defining your own +// handler routines in your application code. +//***************************************************************************** +__attribute__ ((section(".after_vectors"))) +void NMI_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void HardFault_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void MemManage_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void BusFault_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void UsageFault_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void SVC_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void DebugMon_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void PendSV_Handler(void) +{ + while(1) + { + } +} +__attribute__ ((section(".after_vectors"))) +void SysTick_Handler(void) +{ + while(1) + { + } +} + +//***************************************************************************** +// +// Processor ends up here if an unexpected interrupt occurs or a specific +// handler is not present in the application code. +// +//***************************************************************************** +__attribute__ ((section(".after_vectors"))) +void IntDefaultHandler(void) +{ + while(1) + { + } +} diff --git a/IDE/LPCXPRESSO/wolf_example/src/sysinit.c b/IDE/LPCXPRESSO/wolf_example/src/sysinit.c new file mode 100644 index 000000000..187eebb51 --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/src/sysinit.c @@ -0,0 +1,89 @@ +/* + * @brief Common SystemInit function for LPC18xx/LPC43xx chips + * + * @note + * Copyright(C) NXP Semiconductors, 2013 + * All rights reserved. + * + * @par + * Software that is described herein is for illustrative purposes only + * which provides customers with programming information regarding the + * LPC products. This software is supplied "AS IS" without any warranties of + * any kind, and NXP Semiconductors and its licensor disclaim any and + * all warranties, express or implied, including all implied warranties of + * merchantability, fitness for a particular purpose and non-infringement of + * intellectual property rights. NXP Semiconductors assumes no responsibility + * or liability for the use of the software, conveys no license or rights under any + * patent, copyright, mask work right, or any other intellectual property rights in + * or to any products. NXP Semiconductors reserves the right to make changes + * in the software without notification. NXP Semiconductors also makes no + * representation or warranty that such application will be suitable for the + * specified use without further testing or modification. + * + * @par + * Permission to use, copy, modify, and distribute this software and its + * documentation is hereby granted, under NXP Semiconductors' and its + * licensor's relevant copyrights in the software, without fee, provided that it + * is used in conjunction with NXP Semiconductors microcontrollers. This + * copyright, permission, and disclaimer notice must appear in all copies of + * this code. + */ + +/***************************************************************************** + * Private types/enumerations/variables + ****************************************************************************/ + +/***************************************************************************** + * Public types/enumerations/variables + ****************************************************************************/ + +#if defined(NO_BOARD_LIB) +#include "chip.h" +const uint32_t ExtRateIn = 0; +const uint32_t OscRateIn = 12000000; +#else +#include "board.h" +#endif + +/***************************************************************************** + * Private functions + ****************************************************************************/ + +/***************************************************************************** + * Public functions + ****************************************************************************/ + +/* Set up and initialize hardware prior to call to main */ +void SystemInit(void) +{ +#if defined(CORE_M3) || defined(CORE_M4) + unsigned int *pSCB_VTOR = (unsigned int *) 0xE000ED08; + +#if defined(__IAR_SYSTEMS_ICC__) + extern void *__vector_table; + + *pSCB_VTOR = (unsigned int) &__vector_table; +#elif defined(__CODE_RED) + extern void *g_pfnVectors; + + *pSCB_VTOR = (unsigned int) &g_pfnVectors; +#elif defined(__ARMCC_VERSION) + extern void *__Vectors; + + *pSCB_VTOR = (unsigned int) &__Vectors; +#endif + +#if defined(__FPU_PRESENT) && __FPU_PRESENT == 1 + fpuInit(); +#endif + +#if defined(NO_BOARD_LIB) + /* Chip specific SystemInit */ + Chip_SystemInit(); +#else + /* Board specific SystemInit */ + Board_SystemInit(); +#endif + +#endif /* defined(CORE_M3) || defined(CORE_M4) */ +} diff --git a/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c b/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c new file mode 100644 index 000000000..c60804641 --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c @@ -0,0 +1,95 @@ +#include "board.h" +#include + + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include +#include +#include +#include + + +/***************************************************************************** + * Private types/enumerations/variables + ****************************************************************************/ + +/* UART definitions */ +#define LPC_UART LPC_USART0 +#define UARTx_IRQn USART0_IRQn + + +/***************************************************************************** + * Public types/enumerations/variables + ****************************************************************************/ +typedef struct func_args { + int argc; + char** argv; + int return_code; +} func_args; + +const char menu1[] = "\r\n" + "\tt. WolfSSL Test\r\n" + "\tb. WolfSSL Benchmark\r\n"; + +/***************************************************************************** + * Private functions + ****************************************************************************/ + +/***************************************************************************** + * Public functions + ****************************************************************************/ +int main(void) +{ + int opt = 0; + uint8_t buffer[1]; + func_args args; + + SystemCoreClockUpdate(); + Board_Init(); + Board_UART_Init(LPC_UART); + Chip_UART_Init(LPC_UART); + Chip_UART_SetBaud(LPC_UART, 115200); + Chip_UART_ConfigData(LPC_UART, UART_LCR_WLEN8 | UART_LCR_SBS_1BIT); /* Default 8-N-1 */ + Chip_UART_TXEnable(LPC_UART); + Chip_UART_SetupFIFOS(LPC_UART, (UART_FCR_FIFO_EN | UART_FCR_RX_RS | + UART_FCR_TX_RS | UART_FCR_DMAMODE_SEL | UART_FCR_TRG_LEV0)); + Chip_UART_IntEnable(LPC_UART, (UART_IER_ABEOINT | UART_IER_ABTOINT)); + NVIC_SetPriority(UARTx_IRQn, 1); + NVIC_EnableIRQ(UARTx_IRQn); + + Chip_OTP_Init(); + + while (1) { + DEBUGOUT("\r\n\t\t\t\tMENU\r\n"); + DEBUGOUT(menu1); + DEBUGOUT("Please select one of the above options: "); + + opt = 0; + while (opt == 0) { + opt = Chip_UART_Read(LPC_UART, buffer, sizeof(buffer)); + } + + switch (buffer[0]) { + + case 't': + memset(&args, 0, sizeof(args)); + printf("\nCrypt Test\n"); + wolfcrypt_test(&args); + printf("Crypt Test: Return code %d\n", args.return_code); + break; + + case 'b': + memset(&args, 0, sizeof(args)); + printf("\nBenchmark Test\n"); + benchmark_test(&args); + printf("Benchmark Test: Return code %d\n", args.return_code); + break; + + // All other cases go here + default: DEBUGOUT("\r\nSelection out of range\r\n"); break; + } + } +} diff --git a/IDE/include.am b/IDE/include.am index 008e6ddda..b5d154936 100644 --- a/IDE/include.am +++ b/IDE/include.am @@ -7,4 +7,4 @@ include IDE/WIN/include.am include IDE/WORKBENCH/include.am include IDE/ROWLEY-CROSSWORKS-ARM/include.am -EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL +EXTRA_DIST+= IDE/IAR-EWARM IDE/MDK-ARM IDE/MDK5-ARM IDE/MYSQL IDE/LPCXPRESSO From 2698736aaf492d3790d162e3a302df6a59163685 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 19 Nov 2015 10:20:28 -0800 Subject: [PATCH 064/177] fix missing XMALLOC/FREE types --- src/internal.c | 10 ++++++---- src/ssl.c | 23 ++++++++++++----------- wolfcrypt/src/asn.c | 15 +++++++++------ wolfssl/wolfcrypt/types.h | 6 +++++- 4 files changed, 32 insertions(+), 22 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1c6a4c6e4..31a7d943f 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1567,8 +1567,8 @@ void FreeX509(WOLFSSL_X509* x509) XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_SUBJECT_CN); XFREE(x509->sig.buffer, NULL, DYNAMIC_TYPE_SIGNATURE); #ifdef OPENSSL_EXTRA - XFREE(x509->authKeyId, NULL, 0); - XFREE(x509->subjKeyId, NULL, 0); + XFREE(x509->authKeyId, NULL, DYNAMIC_TYPE_X509_EXT); + XFREE(x509->subjKeyId, NULL, DYNAMIC_TYPE_X509_EXT); #endif /* OPENSSL_EXTRA */ if (x509->altNames) FreeAltNames(x509->altNames, NULL); @@ -4195,7 +4195,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->authKeyIdSet = dCert->extAuthKeyIdSet; x509->authKeyIdCrit = dCert->extAuthKeyIdCrit; if (dCert->extAuthKeyIdSrc != NULL && dCert->extAuthKeyIdSz != 0) { - x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, NULL, 0); + x509->authKeyId = (byte*)XMALLOC(dCert->extAuthKeyIdSz, NULL, + DYNAMIC_TYPE_X509_EXT); if (x509->authKeyId != NULL) { XMEMCPY(x509->authKeyId, dCert->extAuthKeyIdSrc, dCert->extAuthKeyIdSz); @@ -4207,7 +4208,8 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert) x509->subjKeyIdSet = dCert->extSubjKeyIdSet; x509->subjKeyIdCrit = dCert->extSubjKeyIdCrit; if (dCert->extSubjKeyIdSrc != NULL && dCert->extSubjKeyIdSz != 0) { - x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, NULL, 0); + x509->subjKeyId = (byte*)XMALLOC(dCert->extSubjKeyIdSz, NULL, + DYNAMIC_TYPE_X509_EXT); if (x509->subjKeyId != NULL) { XMEMCPY(x509->subjKeyId, dCert->extSubjKeyIdSrc, dCert->extSubjKeyIdSz); diff --git a/src/ssl.c b/src/ssl.c index 1473748b0..02ff5e162 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -3514,10 +3514,10 @@ int wolfSSL_CertManagerSetOCSPOverrideURL(WOLFSSL_CERT_MANAGER* cm, if (cm == NULL) return BAD_FUNC_ARG; - XFREE(cm->ocspOverrideURL, cm->heap, 0); + XFREE(cm->ocspOverrideURL, cm->heap, DYNAMIC_TYPE_URL); if (url != NULL) { int urlSz = (int)XSTRLEN(url) + 1; - cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, 0); + cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, DYNAMIC_TYPE_URL); if (cm->ocspOverrideURL != NULL) { XMEMCPY(cm->ocspOverrideURL, url, urlSz); } @@ -10687,11 +10687,12 @@ WOLFSSL_X509_STORE* wolfSSL_X509_STORE_new(void) { WOLFSSL_X509_STORE* store = NULL; - store = (WOLFSSL_X509_STORE*)XMALLOC(sizeof(WOLFSSL_X509_STORE), NULL, 0); + store = (WOLFSSL_X509_STORE*)XMALLOC(sizeof(WOLFSSL_X509_STORE), NULL, + DYNAMIC_TYPE_X509_STORE); if (store != NULL) { store->cm = wolfSSL_CertManagerNew(); if (store->cm == NULL) { - XFREE(store, NULL, 0); + XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); store = NULL; } } @@ -10705,7 +10706,7 @@ void wolfSSL_X509_STORE_free(WOLFSSL_X509_STORE* store) if (store != NULL) { if (store->cm != NULL) wolfSSL_CertManagerFree(store->cm); - XFREE(store, NULL, 0); + XFREE(store, NULL, DYNAMIC_TYPE_X509_STORE); } } @@ -10731,8 +10732,8 @@ int wolfSSL_X509_STORE_get_by_subject(WOLFSSL_X509_STORE_CTX* ctx, int idx, WOLFSSL_X509_STORE_CTX* wolfSSL_X509_STORE_CTX_new(void) { WOLFSSL_X509_STORE_CTX* ctx = (WOLFSSL_X509_STORE_CTX*)XMALLOC( - sizeof(WOLFSSL_X509_STORE_CTX), NULL, 0); - + sizeof(WOLFSSL_X509_STORE_CTX), NULL, + DYNAMIC_TYPE_X509_CTX); if (ctx != NULL) wolfSSL_X509_STORE_CTX_init(ctx, NULL, NULL, NULL); @@ -10767,7 +10768,7 @@ void wolfSSL_X509_STORE_CTX_free(WOLFSSL_X509_STORE_CTX* ctx) wolfSSL_X509_STORE_free(ctx->store); if (ctx->current_cert != NULL) wolfSSL_FreeX509(ctx->current_cert); - XFREE(ctx, NULL, 0); + XFREE(ctx, NULL, DYNAMIC_TYPE_X509_CTX); } } @@ -10858,8 +10859,8 @@ void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key) { if (key != NULL) { if (key->pkey.ptr != NULL) - XFREE(key->pkey.ptr, NULL, 0); - XFREE(key, NULL, 0); + XFREE(key->pkey.ptr, NULL, DYNAMIC_TYPE_PUBLIC_KEY); + XFREE(key, NULL, DYNAMIC_TYPE_PUBLIC_KEY); } } @@ -13768,7 +13769,7 @@ void wolfSSL_OPENSSL_free(void* p) { WOLFSSL_MSG("wolfSSL_OPENSSL_free"); - XFREE(p, NULL, 0); + XFREE(p, NULL, DYNAMIC_TYPE_OPENSSL); } #if defined(WOLFSSL_KEY_GEN) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 88073abd2..9a221dc99 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1760,9 +1760,9 @@ void FreeDecodedCert(DecodedCert* cert) FreeNameSubtrees(cert->excludedNames, cert->heap); #endif /* IGNORE_NAME_CONSTRAINTS */ #ifdef WOLFSSL_SEP - XFREE(cert->deviceType, cert->heap, 0); - XFREE(cert->hwType, cert->heap, 0); - XFREE(cert->hwSerialNum, cert->heap, 0); + XFREE(cert->deviceType, cert->heap, DYNAMIC_TYPE_X509_EXT); + XFREE(cert->hwType, cert->heap, DYNAMIC_TYPE_X509_EXT); + XFREE(cert->hwSerialNum, cert->heap, DYNAMIC_TYPE_X509_EXT); #endif /* WOLFSSL_SEP */ #ifdef OPENSSL_EXTRA if (cert->issuerName.fullName != NULL) @@ -3756,7 +3756,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) return ASN_PARSE_E; } - cert->hwType = (byte*)XMALLOC(strLen, cert->heap, 0); + cert->hwType = (byte*)XMALLOC(strLen, cert->heap, + DYNAMIC_TYPE_X509_EXT); if (cert->hwType == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; @@ -3776,7 +3777,8 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) return ASN_PARSE_E; } - cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, 0); + cert->hwSerialNum = (byte*)XMALLOC(strLen + 1, cert->heap, + DYNAMIC_TYPE_X509_EXT); if (cert->hwSerialNum == NULL) { WOLFSSL_MSG("\tOut of Memory"); return MEMORY_E; @@ -4359,7 +4361,8 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz) if (length > 0) { #if defined(WOLFSSL_SEP) - cert->deviceType = (byte*)XMALLOC(length, cert->heap, 0); + cert->deviceType = (byte*)XMALLOC(length, cert->heap, + DYNAMIC_TYPE_X509_EXT); if (cert->deviceType == NULL) { WOLFSSL_MSG("\tCouldn't alloc memory for deviceType"); return MEMORY_E; diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index 3b9963bb9..b766a3726 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -288,7 +288,11 @@ DYNAMIC_TYPE_SRP = 47, DYNAMIC_TYPE_COOKIE_PWD = 48, DYNAMIC_TYPE_USER_CRYPTO = 49, - DYNAMIC_TYPE_OCSP_REQUEST = 50 + DYNAMIC_TYPE_OCSP_REQUEST = 50, + DYNAMIC_TYPE_X509_EXT = 51, + DYNAMIC_TYPE_X509_STORE = 52, + DYNAMIC_TYPE_X509_CTX = 53, + DYNAMIC_TYPE_URL = 54 }; /* max error buffer string size */ From c3cdbf31bb4deeda2016098121d6f54a2fdc59c6 Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 19 Nov 2015 13:49:57 -0700 Subject: [PATCH 065/177] Define SNI func condtionally. Declare var at top of func --- src/ssl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 02ff5e162..2140041ab 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16735,7 +16735,7 @@ const byte* wolfSSL_SESSION_get_id(WOLFSSL_SESSION* sess, unsigned int* idLen) return sess->sessionID; } - +#ifdef HAVE_SNI int wolfSSL_set_tlsext_host_name(WOLFSSL* ssl, const char* host_name) { int ret; @@ -16755,6 +16755,7 @@ const char * wolfSSL_get_servername(WOLFSSL* ssl, byte type) TLSX_SNI_GetRequest(ssl->extensions, type, &serverName); return (const char *)serverName; } +#endif /* HAVE_SNI */ WOLFSSL_CTX* wolfSSL_set_SSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx) @@ -16776,8 +16777,8 @@ VerifyCallback wolfSSL_CTX_get_verify_callback(WOLFSSL_CTX* ctx) int wolfSSL_CTX_get_verify_mode(WOLFSSL_CTX* ctx) { - WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode"); int mode = 0; + WOLFSSL_ENTER("wolfSSL_CTX_get_verify_mode"); if(!ctx) return SSL_FATAL_ERROR; From 1894358becdb227fc8d9b9118ce74991b751581c Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 19 Nov 2015 14:32:45 -0800 Subject: [PATCH 066/177] Rowley IDE fix to exclude .asm and .s files. Cleanup to remove Rowley example code, leaving just stubs and Wolf code. --- .gitignore | 1 + .../{user_libc.c => retarget.c} | 26 +------------------ IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp | 11 +++++--- 3 files changed, 10 insertions(+), 28 deletions(-) rename IDE/ROWLEY-CROSSWORKS-ARM/{user_libc.c => retarget.c} (74%) diff --git a/.gitignore b/.gitignore index dd3e2058e..8761d1658 100644 --- a/.gitignore +++ b/.gitignore @@ -168,3 +168,4 @@ wolfcrypt/user-crypto/m4 wolfcrypt/user-crypto/missing wolfcrypt/user-crypto/Makefile.in wolfcrypt/user-crypto/lib/libusercrypto.* +*.hzs diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c b/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c similarity index 74% rename from IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c rename to IDE/ROWLEY-CROSSWORKS-ARM/retarget.c index 1929e868b..3fd50a501 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c +++ b/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c @@ -40,23 +40,7 @@ int __putchar(int c, __printf_tag_ptr ctx) hw_uart_printchar(c); } - -// Rowley CrossWorks, runtime support. -// -// Copyright (c) 2001-2015 Rowley Associates Limited. -// -// This file may be distributed under the terms of the License Agreement -// provided with this software. -// -// THIS FILE IS PROVIDED AS IS WITH NO WARRANTY OF ANY KIND, INCLUDING THE -// WARRANTY OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. - -#include <__libc.h> - -#if defined(__CROSSWORKS_ARM) || defined(__SES_ARM) - extern unsigned char __stack_process_start__[]; - unsigned char * __aeabi_read_tp(void) { // thread-local storage addressing refers to the thread pointer @@ -64,15 +48,7 @@ unsigned char * __aeabi_read_tp(void) return (__stack_process_start__); } -#elif defined(__CROSSWORKS_AVR) || defined(__CROSSWORKS_MSP430) - -unsigned char * __RAL_read_tp(void) -{ - return 0; -} - -#endif - +/* Stubs */ void __heap_lock(void) { } diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp index 3221c59c1..7468f7e55 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp +++ b/IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp @@ -12,7 +12,12 @@ - + @@ -60,7 +65,7 @@ target_script_file="$(TargetsDir)/Kinetis/Kinetis_Target.js" /> - + @@ -99,7 +104,7 @@ target_script_file="$(TargetsDir)/Kinetis/Kinetis_Target.js" /> - + From c898c582f92af8a79485d23c4d25895c70951ec9 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 19 Nov 2015 17:56:49 -0800 Subject: [PATCH 067/177] Corrected filename in include.am and top of file. --- IDE/ROWLEY-CROSSWORKS-ARM/include.am | 2 +- IDE/ROWLEY-CROSSWORKS-ARM/retarget.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/include.am b/IDE/ROWLEY-CROSSWORKS-ARM/include.am index d7b17a037..e812cc7e6 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/include.am +++ b/IDE/ROWLEY-CROSSWORKS-ARM/include.am @@ -10,6 +10,6 @@ EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/Kinetis_MemoryMap.xml EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/Kinetis_FlashPlacement.xml EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/README.md EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/test_main.c -EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/user_libc.c +EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/retarget.c EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/user_settings.h EXTRA_DIST+= IDE/ROWLEY-CROSSWORKS-ARM/wolfssl.hzp diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c b/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c index 3fd50a501..8f524b841 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c +++ b/IDE/ROWLEY-CROSSWORKS-ARM/retarget.c @@ -1,4 +1,4 @@ -/* user_libc.c +/* retarget.c * * Copyright (C) 2006-2015 wolfSSL Inc. * From 6abfaf6df4a7cd48711a6d3700a294d0da3a024a Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 19 Nov 2015 19:06:40 -0800 Subject: [PATCH 068/177] Implemented Wolf version of LPC18XX startup code to eliminate NXP code from our repo. Cleanup of trailing spaces and convert tabs to spaces. --- IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c | 131 ++--- .../wolf_example/src/cr_startup_lpc18xx.c | 484 ------------------ .../wolf_example/src/lpc_18xx_startup.c | 352 +++++++++++++ IDE/LPCXPRESSO/wolf_example/src/sysinit.c | 89 ---- .../wolf_example/src/wolfssl_example.c | 92 ++-- 5 files changed, 471 insertions(+), 677 deletions(-) delete mode 100644 IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c create mode 100644 IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c delete mode 100644 IDE/LPCXPRESSO/wolf_example/src/sysinit.c diff --git a/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c b/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c index dfdff06c4..600173913 100644 --- a/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c +++ b/IDE/LPCXPRESSO/lib_wolfssl/lpc_18xx_port.c @@ -1,66 +1,81 @@ -/* - * lpc_18xx_port.c +/* lpc_18xx_port.c * - * Created on: Nov 4, 2015 - * Author: davidgarske + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ + #include "board.h" #include "otp_18xx_43xx.h" /* For RNG */ #include "timer_18xx_43xx.h" static uint32_t mTimeInit = 0; -#define TIMER_SCALER 1000000 +#define TIMER_SCALER 1000000 static void init_time(void) { - if(mTimeInit == 0) { - uint32_t timerFreq; + if(mTimeInit == 0) { + uint32_t timerFreq; - /* Set current time for RTC 2:00:00PM, 2012-10-05 */ - RTC_TIME_T FullTime; + /* Set current time for RTC 2:00:00PM, 2012-10-05 */ + RTC_TIME_T FullTime; - Chip_RTC_Init(LPC_RTC); + Chip_RTC_Init(LPC_RTC); - FullTime.time[RTC_TIMETYPE_SECOND] = 0; - FullTime.time[RTC_TIMETYPE_MINUTE] = 0; - FullTime.time[RTC_TIMETYPE_HOUR] = 14; - FullTime.time[RTC_TIMETYPE_DAYOFMONTH] = 5; - FullTime.time[RTC_TIMETYPE_DAYOFWEEK] = 5; - FullTime.time[RTC_TIMETYPE_DAYOFYEAR] = 279; - FullTime.time[RTC_TIMETYPE_MONTH] = 10; - FullTime.time[RTC_TIMETYPE_YEAR] = 2012; + FullTime.time[RTC_TIMETYPE_SECOND] = 0; + FullTime.time[RTC_TIMETYPE_MINUTE] = 0; + FullTime.time[RTC_TIMETYPE_HOUR] = 14; + FullTime.time[RTC_TIMETYPE_DAYOFMONTH] = 5; + FullTime.time[RTC_TIMETYPE_DAYOFWEEK] = 5; + FullTime.time[RTC_TIMETYPE_DAYOFYEAR] = 279; + FullTime.time[RTC_TIMETYPE_MONTH] = 10; + FullTime.time[RTC_TIMETYPE_YEAR] = 2012; - Chip_RTC_SetFullTime(LPC_RTC, &FullTime); + Chip_RTC_SetFullTime(LPC_RTC, &FullTime); - /* Enable RTC (starts increase the tick counter and second counter register) */ - Chip_RTC_Enable(LPC_RTC, ENABLE); + /* Enable RTC (starts increase the tick counter and second counter register) */ + Chip_RTC_Enable(LPC_RTC, ENABLE); - /* Enable timer 1 clock and reset it */ - Chip_TIMER_Init(LPC_TIMER2); - Chip_RGU_TriggerReset(RGU_TIMER2_RST); - while (Chip_RGU_InReset(RGU_TIMER2_RST)) {} + /* Enable timer 1 clock and reset it */ + Chip_TIMER_Init(LPC_TIMER2); + Chip_RGU_TriggerReset(RGU_TIMER2_RST); + while (Chip_RGU_InReset(RGU_TIMER2_RST)) {} - /* Get timer peripheral clock rate */ - timerFreq = Chip_Clock_GetRate(CLK_MX_TIMER2); + /* Get timer peripheral clock rate */ + timerFreq = Chip_Clock_GetRate(CLK_MX_TIMER2); - /* Timer setup */ - Chip_TIMER_Reset(LPC_TIMER2); - Chip_TIMER_PrescaleSet(LPC_TIMER2, timerFreq/TIMER_SCALER); - Chip_TIMER_Enable(LPC_TIMER2); + /* Timer setup */ + Chip_TIMER_Reset(LPC_TIMER2); + Chip_TIMER_PrescaleSet(LPC_TIMER2, timerFreq/TIMER_SCALER); + Chip_TIMER_Enable(LPC_TIMER2); - mTimeInit = 1; - } + mTimeInit = 1; + } } double current_time() { - //RTC_TIME_T FullTime; - uint32_t timerMs; + //RTC_TIME_T FullTime; + uint32_t timerMs; - init_time(); - timerMs = Chip_TIMER_ReadCount(LPC_TIMER2); + init_time(); + timerMs = Chip_TIMER_ReadCount(LPC_TIMER2); - //Chip_RTC_GetFullTime(LPC_RTC, &FullTime); - //(double)FullTime.time[RTC_TIMETYPE_SECOND] + //Chip_RTC_GetFullTime(LPC_RTC, &FullTime); + //(double)FullTime.time[RTC_TIMETYPE_SECOND] return (double)timerMs/TIMER_SCALER; } @@ -71,23 +86,23 @@ static uint32_t mRandInit = 0; static uint32_t mRandIndex = 0; uint32_t rand_gen(void) { - uint32_t rand = 0; - uint32_t status = LPC_OK; - if(mRandIndex == 0) { - if(mRandInit == 0) { - Chip_OTP_Init(); - mRandInit = 1; - } - status = Chip_OTP_GenRand(); - } - if(status == LPC_OK) { - rand = mRandData[mRandIndex]; - } - else { - printf("GenRand Failed 0x%x\n", status); - } - if(++mRandIndex > 4) { - mRandIndex = 0; - } - return rand; + uint32_t rand = 0; + uint32_t status = LPC_OK; + if(mRandIndex == 0) { + if(mRandInit == 0) { + Chip_OTP_Init(); + mRandInit = 1; + } + status = Chip_OTP_GenRand(); + } + if(status == LPC_OK) { + rand = mRandData[mRandIndex]; + } + else { + printf("GenRand Failed 0x%x\n", status); + } + if(++mRandIndex > 4) { + mRandIndex = 0; + } + return rand; } diff --git a/IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c b/IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c deleted file mode 100644 index fe13845e9..000000000 --- a/IDE/LPCXPRESSO/wolf_example/src/cr_startup_lpc18xx.c +++ /dev/null @@ -1,484 +0,0 @@ -//***************************************************************************** -// LPC18xx Microcontroller Startup code for use with LPCXpresso IDE -// -// Version : 141204 -//***************************************************************************** -// -// Copyright(C) NXP Semiconductors, 2013-2014 -// All rights reserved. -// -// Software that is described herein is for illustrative purposes only -// which provides customers with programming information regarding the -// LPC products. This software is supplied "AS IS" without any warranties of -// any kind, and NXP Semiconductors and its licensor disclaim any and -// all warranties, express or implied, including all implied warranties of -// merchantability, fitness for a particular purpose and non-infringement of -// intellectual property rights. NXP Semiconductors assumes no responsibility -// or liability for the use of the software, conveys no license or rights under any -// patent, copyright, mask work right, or any other intellectual property rights in -// or to any products. NXP Semiconductors reserves the right to make changes -// in the software without notification. NXP Semiconductors also makes no -// representation or warranty that such application will be suitable for the -// specified use without further testing or modification. -// -// Permission to use, copy, modify, and distribute this software and its -// documentation is hereby granted, under NXP Semiconductors' and its -// licensor's relevant copyrights in the software, without fee, provided that it -// is used in conjunction with NXP Semiconductors microcontrollers. This -// copyright, permission, and disclaimer notice must appear in all copies of -// this code. -//***************************************************************************** - -#if defined (__cplusplus) -#ifdef __REDLIB__ -#error Redlib does not support C++ -#else -//***************************************************************************** -// -// The entry point for the C++ library startup -// -//***************************************************************************** -extern "C" { - extern void __libc_init_array(void); -} -#endif -#endif - -#define WEAK __attribute__ ((weak)) -#define ALIAS(f) __attribute__ ((weak, alias (#f))) - -//***************************************************************************** -#if defined (__cplusplus) -extern "C" { -#endif - -//***************************************************************************** -#if defined (__USE_CMSIS) || defined (__USE_LPCOPEN) -// Declaration of external SystemInit function -extern void SystemInit(void); -#endif - -//***************************************************************************** -// -// Forward declaration of the default handlers. These are aliased. -// When the application defines a handler (with the same name), this will -// automatically take precedence over these weak definitions -// -//***************************************************************************** - void ResetISR(void); -WEAK void NMI_Handler(void); -WEAK void HardFault_Handler(void); -WEAK void MemManage_Handler(void); -WEAK void BusFault_Handler(void); -WEAK void UsageFault_Handler(void); -WEAK void SVC_Handler(void); -WEAK void DebugMon_Handler(void); -WEAK void PendSV_Handler(void); -WEAK void SysTick_Handler(void); -WEAK void IntDefaultHandler(void); - -//***************************************************************************** -// -// Forward declaration of the specific IRQ handlers. These are aliased -// to the IntDefaultHandler, which is a 'forever' loop. When the application -// defines a handler (with the same name), this will automatically take -// precedence over these weak definitions -// -//***************************************************************************** -void DAC_IRQHandler(void) ALIAS(IntDefaultHandler); -void DMA_IRQHandler(void) ALIAS(IntDefaultHandler); -void FLASHEEPROM_IRQHandler(void) ALIAS(IntDefaultHandler); -void ETH_IRQHandler(void) ALIAS(IntDefaultHandler); -void SDIO_IRQHandler(void) ALIAS(IntDefaultHandler); -void LCD_IRQHandler(void) ALIAS(IntDefaultHandler); -void USB0_IRQHandler(void) ALIAS(IntDefaultHandler); -void USB1_IRQHandler(void) ALIAS(IntDefaultHandler); -void SCT_IRQHandler(void) ALIAS(IntDefaultHandler); -void RIT_IRQHandler(void) ALIAS(IntDefaultHandler); -void TIMER0_IRQHandler(void) ALIAS(IntDefaultHandler); -void TIMER1_IRQHandler(void) ALIAS(IntDefaultHandler); -void TIMER2_IRQHandler(void) ALIAS(IntDefaultHandler); -void TIMER3_IRQHandler(void) ALIAS(IntDefaultHandler); -void MCPWM_IRQHandler(void) ALIAS(IntDefaultHandler); -void ADC0_IRQHandler(void) ALIAS(IntDefaultHandler); -void I2C0_IRQHandler(void) ALIAS(IntDefaultHandler); -void I2C1_IRQHandler(void) ALIAS(IntDefaultHandler); -void ADC1_IRQHandler(void) ALIAS(IntDefaultHandler); -void SSP0_IRQHandler(void) ALIAS(IntDefaultHandler); -void SSP1_IRQHandler(void) ALIAS(IntDefaultHandler); -void UART0_IRQHandler(void) ALIAS(IntDefaultHandler); -void UART1_IRQHandler(void) ALIAS(IntDefaultHandler); -void UART2_IRQHandler(void) ALIAS(IntDefaultHandler); -void UART3_IRQHandler(void) ALIAS(IntDefaultHandler); -void I2S0_IRQHandler(void) ALIAS(IntDefaultHandler); -void I2S1_IRQHandler(void) ALIAS(IntDefaultHandler); -void SPIFI_IRQHandler(void) ALIAS(IntDefaultHandler); -void SGPIO_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO0_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO1_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO2_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO3_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO4_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO5_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO6_IRQHandler(void) ALIAS(IntDefaultHandler); -void GPIO7_IRQHandler(void) ALIAS(IntDefaultHandler); -void GINT0_IRQHandler(void) ALIAS(IntDefaultHandler); -void GINT1_IRQHandler(void) ALIAS(IntDefaultHandler); -void EVRT_IRQHandler(void) ALIAS(IntDefaultHandler); -void CAN1_IRQHandler(void) ALIAS(IntDefaultHandler); -void ATIMER_IRQHandler(void) ALIAS(IntDefaultHandler); -void RTC_IRQHandler(void) ALIAS(IntDefaultHandler); -void WDT_IRQHandler(void) ALIAS(IntDefaultHandler); -void CAN0_IRQHandler(void) ALIAS(IntDefaultHandler); -void QEI_IRQHandler(void) ALIAS(IntDefaultHandler); - -//***************************************************************************** -// -// The entry point for the application. -// __main() is the entry point for Redlib based applications -// main() is the entry point for Newlib based applications -// -//***************************************************************************** -#if defined (__REDLIB__) -extern void __main(void); -#endif -extern int main(void); -//***************************************************************************** -// -// External declaration for the pointer to the stack top from the Linker Script -// -//***************************************************************************** -extern void _vStackTop(void); - -//***************************************************************************** -#if defined (__cplusplus) -} // extern "C" -#endif -//***************************************************************************** -// -// The vector table. -// This relies on the linker script to place at correct location in memory. -// -//***************************************************************************** -extern void (* const g_pfnVectors[])(void); -__attribute__ ((used,section(".isr_vector"))) -void (* const g_pfnVectors[])(void) = { - // Core Level - CM3 - &_vStackTop, // The initial stack pointer - ResetISR, // The reset handler - NMI_Handler, // The NMI handler - HardFault_Handler, // The hard fault handler - MemManage_Handler, // The MPU fault handler - BusFault_Handler, // The bus fault handler - UsageFault_Handler, // The usage fault handler - 0, // Reserved - 0, // Reserved - 0, // Reserved - 0, // Reserved - SVC_Handler, // SVCall handler - DebugMon_Handler, // Debug monitor handler - 0, // Reserved - PendSV_Handler, // The PendSV handler - SysTick_Handler, // The SysTick handler - - // Chip Level - LPC18 - DAC_IRQHandler, // 16 - 0, // 17 - DMA_IRQHandler, // 18 - 0, // 19 - FLASHEEPROM_IRQHandler, // 20 ORed flash Bank A, flash Bank B, EEPROM interrupts - ETH_IRQHandler, // 21 - SDIO_IRQHandler, // 22 - LCD_IRQHandler, // 23 - USB0_IRQHandler, // 24 - USB1_IRQHandler, // 25 - SCT_IRQHandler, // 26 - RIT_IRQHandler, // 27 - TIMER0_IRQHandler, // 28 - TIMER1_IRQHandler, // 29 - TIMER2_IRQHandler, // 30 - TIMER3_IRQHandler, // 31 - MCPWM_IRQHandler, // 32 - ADC0_IRQHandler, // 33 - I2C0_IRQHandler, // 34 - I2C1_IRQHandler, // 35 - 0, // 36 - ADC1_IRQHandler, // 37 - SSP0_IRQHandler, // 38 - SSP1_IRQHandler, // 39 - UART0_IRQHandler, // 40 - UART1_IRQHandler, // 41 - UART2_IRQHandler, // 42 - UART3_IRQHandler, // 43 - I2S0_IRQHandler, // 44 - I2S1_IRQHandler, // 45 - SPIFI_IRQHandler, // 46 - SGPIO_IRQHandler, // 47 - GPIO0_IRQHandler, // 48 - GPIO1_IRQHandler, // 49 - GPIO2_IRQHandler, // 50 - GPIO3_IRQHandler, // 51 - GPIO4_IRQHandler, // 52 - GPIO5_IRQHandler, // 53 - GPIO6_IRQHandler, // 54 - GPIO7_IRQHandler, // 55 - GINT0_IRQHandler, // 56 - GINT1_IRQHandler, // 57 - EVRT_IRQHandler, // 58 - CAN1_IRQHandler, // 59 - 0, // 60 - 0, // 61 - ATIMER_IRQHandler, // 62 - RTC_IRQHandler, // 63 - 0, // 64 - WDT_IRQHandler, // 65 - 0, // 66 - CAN0_IRQHandler, // 67 - QEI_IRQHandler, // 68 -}; - -//***************************************************************************** -// Functions to carry out the initialization of RW and BSS data sections. These -// are written as separate functions rather than being inlined within the -// ResetISR() function in order to cope with MCUs with multiple banks of -// memory. -//***************************************************************************** -__attribute__ ((section(".after_vectors"))) -void data_init(unsigned int romstart, unsigned int start, unsigned int len) { - unsigned int *pulDest = (unsigned int*) start; - unsigned int *pulSrc = (unsigned int*) romstart; - unsigned int loop; - for (loop = 0; loop < len; loop = loop + 4) - *pulDest++ = *pulSrc++; -} - -__attribute__ ((section(".after_vectors"))) -void bss_init(unsigned int start, unsigned int len) { - unsigned int *pulDest = (unsigned int*) start; - unsigned int loop; - for (loop = 0; loop < len; loop = loop + 4) - *pulDest++ = 0; -} - -//***************************************************************************** -// The following symbols are constructs generated by the linker, indicating -// the location of various points in the "Global Section Table". This table is -// created by the linker via the Code Red managed linker script mechanism. It -// contains the load address, execution address and length of each RW data -// section and the execution and length of each BSS (zero initialized) section. -//***************************************************************************** -extern unsigned int __data_section_table; -extern unsigned int __data_section_table_end; -extern unsigned int __bss_section_table; -extern unsigned int __bss_section_table_end; - -//***************************************************************************** -// Reset entry point for your code. -// Sets up a simple runtime environment and initializes the C/C++ -// library. -// -//***************************************************************************** -void -ResetISR(void) { - -// ************************************************************* -// The following conditional block of code manually resets as -// much of the peripheral set of the LPC18 as possible. This is -// done because the LPC18 does not provide a means of triggering -// a full system reset under debugger control, which can cause -// problems in certain circumstances when debugging. -// -// You can prevent this code block being included if you require -// (for example when creating a final executable which you will -// not debug) by setting the define 'DONT_RESET_ON_RESTART'. -// -#ifndef DONT_RESET_ON_RESTART - - // Disable interrupts - __asm volatile ("cpsid i"); - // equivalent to CMSIS '__disable_irq()' function - - unsigned int *RESET_CONTROL = (unsigned int *) 0x40053100; - // LPC_RGU->RESET_CTRL0 @ 0x40053100 - // LPC_RGU->RESET_CTRL1 @ 0x40053104 - // Note that we do not use the CMSIS register access mechanism, - // as there is no guarantee that the project has been configured - // to use CMSIS. - - // Write to LPC_RGU->RESET_CTRL0 - *(RESET_CONTROL+0) = 0x10DF0000; - // GPIO_RST|AES_RST|ETHERNET_RST|SDIO_RST|DMA_RST| - // USB1_RST|USB0_RST|LCD_RST - - // Write to LPC_RGU->RESET_CTRL1 - *(RESET_CONTROL+1) = 0x00DFF7FF; - // CAN0_RST|CAN1_RST|I2S_RST|SSP1_RST|SSP0_RST| - // I2C1_RST|I2C0_RST|UART3_RST|UART1_RST|UART1_RST|UART0_RST| - // DAC_RST|ADC1_RST|ADC0_RST|QEI_RST|MOTOCONPWM_RST|SCT_RST| - // RITIMER_RST|TIMER3_RST|TIMER2_RST|TIMER1_RST|TIMER0_RST - - // Clear all pending interrupts in the NVIC - volatile unsigned int *NVIC_ICPR = (unsigned int *) 0xE000E280; - unsigned int irqpendloop; - for (irqpendloop = 0; irqpendloop < 8; irqpendloop++) { - *(NVIC_ICPR+irqpendloop)= 0xFFFFFFFF; - } - - // Reenable interrupts - __asm volatile ("cpsie i"); - // equivalent to CMSIS '__enable_irq()' function - -#endif // ifndef DONT_RESET_ON_RESTART -// ************************************************************* - - -#if defined (__USE_LPCOPEN) - SystemInit(); -#endif - - // - // Copy the data sections from flash to SRAM. - // - unsigned int LoadAddr, ExeAddr, SectionLen; - unsigned int *SectionTableAddr; - - // Load base address of Global Section Table - SectionTableAddr = &__data_section_table; - - // Copy the data sections from flash to SRAM. - while (SectionTableAddr < &__data_section_table_end) { - LoadAddr = *SectionTableAddr++; - ExeAddr = *SectionTableAddr++; - SectionLen = *SectionTableAddr++; - data_init(LoadAddr, ExeAddr, SectionLen); - } - // At this point, SectionTableAddr = &__bss_section_table; - // Zero fill the bss segment - while (SectionTableAddr < &__bss_section_table_end) { - ExeAddr = *SectionTableAddr++; - SectionLen = *SectionTableAddr++; - bss_init(ExeAddr, SectionLen); - } - - // ****************************** - // Check to see if we are running the code from a non-zero - // address (eg RAM, external flash), in which case we need - // to modify the VTOR register to tell the CPU that the - // vector table is located at a non-0x0 address. - - // Note that we do not use the CMSIS register access mechanism, - // as there is no guarantee that the project has been configured - // to use CMSIS. - unsigned int * pSCB_VTOR = (unsigned int *) 0xE000ED08; - if ((unsigned int *)g_pfnVectors!=(unsigned int *) 0x00000000) { - // CMSIS : SCB->VTOR =
- *pSCB_VTOR = (unsigned int)g_pfnVectors; - } - -#if defined (__USE_CMSIS) - SystemInit(); -#endif - -#if defined (__cplusplus) - // - // Call C++ library initialisation - // - __libc_init_array(); -#endif - -#if defined (__REDLIB__) - // Call the Redlib library, which in turn calls main() - __main() ; -#else - main(); -#endif - - // - // main() shouldn't return, but if it does, we'll just enter an infinite loop - // - while (1) { - ; - } -} - -//***************************************************************************** -// Default exception handlers. Override the ones here by defining your own -// handler routines in your application code. -//***************************************************************************** -__attribute__ ((section(".after_vectors"))) -void NMI_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void HardFault_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void MemManage_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void BusFault_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void UsageFault_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void SVC_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void DebugMon_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void PendSV_Handler(void) -{ - while(1) - { - } -} -__attribute__ ((section(".after_vectors"))) -void SysTick_Handler(void) -{ - while(1) - { - } -} - -//***************************************************************************** -// -// Processor ends up here if an unexpected interrupt occurs or a specific -// handler is not present in the application code. -// -//***************************************************************************** -__attribute__ ((section(".after_vectors"))) -void IntDefaultHandler(void) -{ - while(1) - { - } -} diff --git a/IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c b/IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c new file mode 100644 index 000000000..893704285 --- /dev/null +++ b/IDE/LPCXPRESSO/wolf_example/src/lpc_18xx_startup.c @@ -0,0 +1,352 @@ +/* lpc_18xx_startup.c + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#include "board.h" +#include +#include + +/* Top of stack location */ +extern void _vStackTop(void); + +/* Memory locations */ +extern unsigned int __data_section_table; +extern unsigned int __data_section_table_end; +extern unsigned int __bss_section_table; +extern unsigned int __bss_section_table_end; + +/* Copy memory: src=Source, dst_beg=Destination Begin, dst_end=Destination End */ +__attribute__ ((section(".after_vectors"))) +void memcpy32(uint32_t* src, uint32_t* dst_beg, uint32_t len) +{ + unsigned int i; + for (i = 0; i < len; i += sizeof(uint32_t)) { + *dst_beg++ = *src++; + } +} + +/* Zero address in range */ +__attribute__ ((section(".after_vectors"))) +void meminit32(uint32_t* start, uint32_t len) +{ + unsigned int i; + for (i = 0; i < len; i += sizeof(uint32_t)) { + *start++ = 0; + } +} + +/* Reset Entry Point */ +void ResetISR(void) +{ + unsigned int irqPendLoop; + unsigned int *SectionTableAddr; + unsigned int LoadAddr, ExeAddr, SectionLen; + unsigned int *RESET_CONTROL = (unsigned int *) 0x40053100; + volatile unsigned int *NVIC_ICPR = (unsigned int *) 0xE000E280; + + /* Chip cleanup/reset */ + __asm volatile ("cpsid i"); /* Disable interrupts */ + + /* Write to LPC_RGU->RESET_CTRL0 */ + *(RESET_CONTROL+0) = 0x10DF0000; + /* GPIO_RST|AES_RST|ETHERNET_RST|SDIO_RST|DMA_RST| + * USB1_RST|USB0_RST|LCD_RST */ + + /* Write to LPC_RGU->RESET_CTRL1 */ + *(RESET_CONTROL+1) = 0x00DFF7FF; + /* CAN0_RST|CAN1_RST|I2S_RST|SSP1_RST|SSP0_RST| + * I2C1_RST|I2C0_RST|UART3_RST|UART1_RST|UART1_RST|UART0_RST| + * DAC_RST|ADC1_RST|ADC0_RST|QEI_RST|MOTOCONPWM_RST|SCT_RST| + * RITIMER_RST|TIMER3_RST|TIMER2_RST|TIMER1_RST|TIMER0_RST */ + + /* Clear all pending interrupts in the NVIC */ + for (irqPendLoop = 0; irqPendLoop < 8; irqPendLoop++) { + *(NVIC_ICPR + irqPendLoop) = 0xFFFFFFFF; + } + __asm volatile ("cpsie i"); /* Re-enable interrupts */ + + /* Init sections */ + SectionTableAddr = &__data_section_table; + /* Copy the data sections from flash to SRAM */ + while (SectionTableAddr < &__data_section_table_end) { + LoadAddr = *SectionTableAddr++; + ExeAddr = *SectionTableAddr++; + SectionLen = *SectionTableAddr++; + memcpy32((uint32_t*)LoadAddr, (uint32_t*)ExeAddr, SectionLen); + } + /* Zero fill the bss segment */ + while (SectionTableAddr < &__bss_section_table_end) { + ExeAddr = *SectionTableAddr++; + SectionLen = *SectionTableAddr++; + meminit32((uint32_t*)ExeAddr, SectionLen); + } + +#if defined(__FPU_PRESENT) && __FPU_PRESENT == 1 + fpuInit(); +#endif + + /* Board specific SystemInit */ + Board_SystemInit(); + + /* Start main */ +#if defined (__REDLIB__) + /* Call the Redlib library, which in turn calls main() */ + extern void __main(void); + __main() ; +#else + extern void main(void); + main(); +#endif + + /* Application has ended, so busy wait */ + while(1) {}; +} + +/* Vector Exception/Interrupt Handlers */ +__attribute__ ((section(".after_vectors"))) +static void Default_Handler(void) +{ + /* Loop forever */ + while(1); +} + +void HardFault_HandlerC( uint32_t *hardfault_args ) +{ + /* These are volatile to try and prevent the compiler/linker optimizing them + away as the variables never actually get used. If the debugger won't show the + values of the variables, make them global my moving their declaration outside + of this function. */ + volatile uint32_t stacked_r0; + volatile uint32_t stacked_r1; + volatile uint32_t stacked_r2; + volatile uint32_t stacked_r3; + volatile uint32_t stacked_r12; + volatile uint32_t stacked_lr; + volatile uint32_t stacked_pc; + volatile uint32_t stacked_psr; + volatile uint32_t _CFSR; + volatile uint32_t _HFSR; + volatile uint32_t _DFSR; + volatile uint32_t _AFSR; + volatile uint32_t _BFAR; + volatile uint32_t _MMAR; + + stacked_r0 = ((uint32_t)hardfault_args[0]); + stacked_r1 = ((uint32_t)hardfault_args[1]); + stacked_r2 = ((uint32_t)hardfault_args[2]); + stacked_r3 = ((uint32_t)hardfault_args[3]); + stacked_r12 = ((uint32_t)hardfault_args[4]); + stacked_lr = ((uint32_t)hardfault_args[5]); + stacked_pc = ((uint32_t)hardfault_args[6]); + stacked_psr = ((uint32_t)hardfault_args[7]); + + /* Configurable Fault Status Register */ + /* Consists of MMSR, BFSR and UFSR */ + _CFSR = (*((volatile uint32_t *)(0xE000ED28))); + + /* Hard Fault Status Register */ + _HFSR = (*((volatile uint32_t *)(0xE000ED2C))); + + /* Debug Fault Status Register */ + _DFSR = (*((volatile uint32_t *)(0xE000ED30))); + + /* Auxiliary Fault Status Register */ + _AFSR = (*((volatile uint32_t *)(0xE000ED3C))); + + /* Read the Fault Address Registers. These may not contain valid values. */ + /* Check BFARVALID/MMARVALID to see if they are valid values */ + /* MemManage Fault Address Register */ + _MMAR = (*((volatile uint32_t *)(0xE000ED34))); + /* Bus Fault Address Register */ + _BFAR = (*((volatile uint32_t *)(0xE000ED38))); + + printf ("\n\nHard fault handler (all numbers in hex):\n"); + printf ("R0 = %x\n", stacked_r0); + printf ("R1 = %x\n", stacked_r1); + printf ("R2 = %x\n", stacked_r2); + printf ("R3 = %x\n", stacked_r3); + printf ("R12 = %x\n", stacked_r12); + printf ("LR [R14] = %x subroutine call return address\n", stacked_lr); + printf ("PC [R15] = %x program counter\n", stacked_pc); + printf ("PSR = %x\n", stacked_psr); + printf ("CFSR = %x\n", _CFSR); + printf ("HFSR = %x\n", _HFSR); + printf ("DFSR = %x\n", _DFSR); + printf ("AFSR = %x\n", _AFSR); + printf ("MMAR = %x\n", _MMAR); + printf ("BFAR = %x\n", _BFAR); + + /* Break into the debugger */ + __asm("BKPT #0\n"); +} + +__attribute__( ( naked, section(".after_vectors") ) ) +void HardFault_Handler(void) +{ + __asm volatile + ( + " tst lr, #4 \n" + " ite eq \n" + " mrseq r0, msp \n" + " mrsne r0, psp \n" + " ldr r1, [r0, #24] \n" + " ldr r2, handler2_address_const \n" + " bx r2 \n" + " handler2_address_const: .word HardFault_HandlerC \n" + ); +} + +/* Forward declaration of IRQ handlers */ +#define ALIAS(f) __attribute__ ((weak, alias (#f))) + +void NMI_Handler(void) ALIAS(Default_Handler); +void MemManage_Handler(void) ALIAS(Default_Handler); +void BusFault_Handler(void) ALIAS(Default_Handler); +void UsageFault_Handler(void) ALIAS(Default_Handler); +void SVC_Handler(void) ALIAS(Default_Handler); +void DebugMon_Handler(void) ALIAS(Default_Handler); +void PendSV_Handler(void) ALIAS(Default_Handler); +void SysTick_Handler(void) ALIAS(Default_Handler); + +void DAC_IRQHandler(void) ALIAS(Default_Handler); +void DMA_IRQHandler(void) ALIAS(Default_Handler); +void FLASHEEPROM_IRQHandler(void) ALIAS(Default_Handler); +void ETH_IRQHandler(void) ALIAS(Default_Handler); +void SDIO_IRQHandler(void) ALIAS(Default_Handler); +void LCD_IRQHandler(void) ALIAS(Default_Handler); +void USB0_IRQHandler(void) ALIAS(Default_Handler); +void USB1_IRQHandler(void) ALIAS(Default_Handler); +void SCT_IRQHandler(void) ALIAS(Default_Handler); +void RIT_IRQHandler(void) ALIAS(Default_Handler); +void TIMER0_IRQHandler(void) ALIAS(Default_Handler); +void TIMER1_IRQHandler(void) ALIAS(Default_Handler); +void TIMER2_IRQHandler(void) ALIAS(Default_Handler); +void TIMER3_IRQHandler(void) ALIAS(Default_Handler); +void MCPWM_IRQHandler(void) ALIAS(Default_Handler); +void ADC0_IRQHandler(void) ALIAS(Default_Handler); +void I2C0_IRQHandler(void) ALIAS(Default_Handler); +void I2C1_IRQHandler(void) ALIAS(Default_Handler); +void ADC1_IRQHandler(void) ALIAS(Default_Handler); +void SSP0_IRQHandler(void) ALIAS(Default_Handler); +void SSP1_IRQHandler(void) ALIAS(Default_Handler); +void UART0_IRQHandler(void) ALIAS(Default_Handler); +void UART1_IRQHandler(void) ALIAS(Default_Handler); +void UART2_IRQHandler(void) ALIAS(Default_Handler); +void UART3_IRQHandler(void) ALIAS(Default_Handler); +void I2S0_IRQHandler(void) ALIAS(Default_Handler); +void I2S1_IRQHandler(void) ALIAS(Default_Handler); +void SPIFI_IRQHandler(void) ALIAS(Default_Handler); +void SGPIO_IRQHandler(void) ALIAS(Default_Handler); +void GPIO0_IRQHandler(void) ALIAS(Default_Handler); +void GPIO1_IRQHandler(void) ALIAS(Default_Handler); +void GPIO2_IRQHandler(void) ALIAS(Default_Handler); +void GPIO3_IRQHandler(void) ALIAS(Default_Handler); +void GPIO4_IRQHandler(void) ALIAS(Default_Handler); +void GPIO5_IRQHandler(void) ALIAS(Default_Handler); +void GPIO6_IRQHandler(void) ALIAS(Default_Handler); +void GPIO7_IRQHandler(void) ALIAS(Default_Handler); +void GINT0_IRQHandler(void) ALIAS(Default_Handler); +void GINT1_IRQHandler(void) ALIAS(Default_Handler); +void EVRT_IRQHandler(void) ALIAS(Default_Handler); +void CAN1_IRQHandler(void) ALIAS(Default_Handler); +void ATIMER_IRQHandler(void) ALIAS(Default_Handler); +void RTC_IRQHandler(void) ALIAS(Default_Handler); +void WDT_IRQHandler(void) ALIAS(Default_Handler); +void CAN0_IRQHandler(void) ALIAS(Default_Handler); +void QEI_IRQHandler(void) ALIAS(Default_Handler); + +/* Vectors */ +extern void (* const g_pfnVectors[])(void); +__attribute__ ((used,section(".isr_vector"))) +void (* const g_pfnVectors[])(void) = +{ + // Core Level - CM3 + &_vStackTop, // The initial stack pointer + ResetISR, // The reset handler + NMI_Handler, // The NMI handler + HardFault_Handler, // The hard fault handler + MemManage_Handler, // The MPU fault handler + BusFault_Handler, // The bus fault handler + UsageFault_Handler, // The usage fault handler + 0, // Reserved + 0, // Reserved + 0, // Reserved + 0, // Reserved + SVC_Handler, // SVCall handler + DebugMon_Handler, // Debug monitor handler + 0, // Reserved + PendSV_Handler, // The PendSV handler + SysTick_Handler, // The SysTick handler + + // Chip Level - LPC18 + DAC_IRQHandler, // 16 + 0, // 17 + DMA_IRQHandler, // 18 + 0, // 19 + FLASHEEPROM_IRQHandler, // 20 + ETH_IRQHandler, // 21 + SDIO_IRQHandler, // 22 + LCD_IRQHandler, // 23 + USB0_IRQHandler, // 24 + USB1_IRQHandler, // 25 + SCT_IRQHandler, // 26 + RIT_IRQHandler, // 27 + TIMER0_IRQHandler, // 28 + TIMER1_IRQHandler, // 29 + TIMER2_IRQHandler, // 30 + TIMER3_IRQHandler, // 31 + MCPWM_IRQHandler, // 32 + ADC0_IRQHandler, // 33 + I2C0_IRQHandler, // 34 + I2C1_IRQHandler, // 35 + 0, // 36 + ADC1_IRQHandler, // 37 + SSP0_IRQHandler, // 38 + SSP1_IRQHandler, // 39 + UART0_IRQHandler, // 40 + UART1_IRQHandler, // 41 + UART2_IRQHandler, // 42 + UART3_IRQHandler, // 43 + I2S0_IRQHandler, // 44 + I2S1_IRQHandler, // 45 + SPIFI_IRQHandler, // 46 + SGPIO_IRQHandler, // 47 + GPIO0_IRQHandler, // 48 + GPIO1_IRQHandler, // 49 + GPIO2_IRQHandler, // 50 + GPIO3_IRQHandler, // 51 + GPIO4_IRQHandler, // 52 + GPIO5_IRQHandler, // 53 + GPIO6_IRQHandler, // 54 + GPIO7_IRQHandler, // 55 + GINT0_IRQHandler, // 56 + GINT1_IRQHandler, // 57 + EVRT_IRQHandler, // 58 + CAN1_IRQHandler, // 59 + 0, // 60 + 0, // 61 + ATIMER_IRQHandler, // 62 + RTC_IRQHandler, // 63 + 0, // 64 + WDT_IRQHandler, // 65 + 0, // 66 + CAN0_IRQHandler, // 67 + QEI_IRQHandler, // 68 +}; diff --git a/IDE/LPCXPRESSO/wolf_example/src/sysinit.c b/IDE/LPCXPRESSO/wolf_example/src/sysinit.c deleted file mode 100644 index 187eebb51..000000000 --- a/IDE/LPCXPRESSO/wolf_example/src/sysinit.c +++ /dev/null @@ -1,89 +0,0 @@ -/* - * @brief Common SystemInit function for LPC18xx/LPC43xx chips - * - * @note - * Copyright(C) NXP Semiconductors, 2013 - * All rights reserved. - * - * @par - * Software that is described herein is for illustrative purposes only - * which provides customers with programming information regarding the - * LPC products. This software is supplied "AS IS" without any warranties of - * any kind, and NXP Semiconductors and its licensor disclaim any and - * all warranties, express or implied, including all implied warranties of - * merchantability, fitness for a particular purpose and non-infringement of - * intellectual property rights. NXP Semiconductors assumes no responsibility - * or liability for the use of the software, conveys no license or rights under any - * patent, copyright, mask work right, or any other intellectual property rights in - * or to any products. NXP Semiconductors reserves the right to make changes - * in the software without notification. NXP Semiconductors also makes no - * representation or warranty that such application will be suitable for the - * specified use without further testing or modification. - * - * @par - * Permission to use, copy, modify, and distribute this software and its - * documentation is hereby granted, under NXP Semiconductors' and its - * licensor's relevant copyrights in the software, without fee, provided that it - * is used in conjunction with NXP Semiconductors microcontrollers. This - * copyright, permission, and disclaimer notice must appear in all copies of - * this code. - */ - -/***************************************************************************** - * Private types/enumerations/variables - ****************************************************************************/ - -/***************************************************************************** - * Public types/enumerations/variables - ****************************************************************************/ - -#if defined(NO_BOARD_LIB) -#include "chip.h" -const uint32_t ExtRateIn = 0; -const uint32_t OscRateIn = 12000000; -#else -#include "board.h" -#endif - -/***************************************************************************** - * Private functions - ****************************************************************************/ - -/***************************************************************************** - * Public functions - ****************************************************************************/ - -/* Set up and initialize hardware prior to call to main */ -void SystemInit(void) -{ -#if defined(CORE_M3) || defined(CORE_M4) - unsigned int *pSCB_VTOR = (unsigned int *) 0xE000ED08; - -#if defined(__IAR_SYSTEMS_ICC__) - extern void *__vector_table; - - *pSCB_VTOR = (unsigned int) &__vector_table; -#elif defined(__CODE_RED) - extern void *g_pfnVectors; - - *pSCB_VTOR = (unsigned int) &g_pfnVectors; -#elif defined(__ARMCC_VERSION) - extern void *__Vectors; - - *pSCB_VTOR = (unsigned int) &__Vectors; -#endif - -#if defined(__FPU_PRESENT) && __FPU_PRESENT == 1 - fpuInit(); -#endif - -#if defined(NO_BOARD_LIB) - /* Chip specific SystemInit */ - Chip_SystemInit(); -#else - /* Board specific SystemInit */ - Board_SystemInit(); -#endif - -#endif /* defined(CORE_M3) || defined(CORE_M4) */ -} diff --git a/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c b/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c index c60804641..3e394d891 100644 --- a/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c +++ b/IDE/LPCXPRESSO/wolf_example/src/wolfssl_example.c @@ -17,8 +17,8 @@ ****************************************************************************/ /* UART definitions */ -#define LPC_UART LPC_USART0 -#define UARTx_IRQn USART0_IRQn +#define LPC_UART LPC_USART0 +#define UARTx_IRQn USART0_IRQn /***************************************************************************** @@ -31,8 +31,8 @@ typedef struct func_args { } func_args; const char menu1[] = "\r\n" - "\tt. WolfSSL Test\r\n" - "\tb. WolfSSL Benchmark\r\n"; + "\tt. WolfSSL Test\r\n" + "\tb. WolfSSL Benchmark\r\n"; /***************************************************************************** * Private functions @@ -43,53 +43,53 @@ const char menu1[] = "\r\n" ****************************************************************************/ int main(void) { - int opt = 0; - uint8_t buffer[1]; - func_args args; - - SystemCoreClockUpdate(); - Board_Init(); - Board_UART_Init(LPC_UART); - Chip_UART_Init(LPC_UART); - Chip_UART_SetBaud(LPC_UART, 115200); - Chip_UART_ConfigData(LPC_UART, UART_LCR_WLEN8 | UART_LCR_SBS_1BIT); /* Default 8-N-1 */ - Chip_UART_TXEnable(LPC_UART); - Chip_UART_SetupFIFOS(LPC_UART, (UART_FCR_FIFO_EN | UART_FCR_RX_RS | - UART_FCR_TX_RS | UART_FCR_DMAMODE_SEL | UART_FCR_TRG_LEV0)); - Chip_UART_IntEnable(LPC_UART, (UART_IER_ABEOINT | UART_IER_ABTOINT)); - NVIC_SetPriority(UARTx_IRQn, 1); - NVIC_EnableIRQ(UARTx_IRQn); + int opt = 0; + uint8_t buffer[1]; + func_args args; - Chip_OTP_Init(); + SystemCoreClockUpdate(); + Board_Init(); + Board_UART_Init(LPC_UART); + Chip_UART_Init(LPC_UART); + Chip_UART_SetBaud(LPC_UART, 115200); + Chip_UART_ConfigData(LPC_UART, UART_LCR_WLEN8 | UART_LCR_SBS_1BIT); /* Default 8-N-1 */ + Chip_UART_TXEnable(LPC_UART); + Chip_UART_SetupFIFOS(LPC_UART, (UART_FCR_FIFO_EN | UART_FCR_RX_RS | + UART_FCR_TX_RS | UART_FCR_DMAMODE_SEL | UART_FCR_TRG_LEV0)); + Chip_UART_IntEnable(LPC_UART, (UART_IER_ABEOINT | UART_IER_ABTOINT)); + NVIC_SetPriority(UARTx_IRQn, 1); + NVIC_EnableIRQ(UARTx_IRQn); - while (1) { - DEBUGOUT("\r\n\t\t\t\tMENU\r\n"); - DEBUGOUT(menu1); - DEBUGOUT("Please select one of the above options: "); + Chip_OTP_Init(); - opt = 0; - while (opt == 0) { - opt = Chip_UART_Read(LPC_UART, buffer, sizeof(buffer)); - } + while (1) { + DEBUGOUT("\r\n\t\t\t\tMENU\r\n"); + DEBUGOUT(menu1); + DEBUGOUT("Please select one of the above options: "); - switch (buffer[0]) { + opt = 0; + while (opt == 0) { + opt = Chip_UART_Read(LPC_UART, buffer, sizeof(buffer)); + } - case 't': - memset(&args, 0, sizeof(args)); - printf("\nCrypt Test\n"); - wolfcrypt_test(&args); - printf("Crypt Test: Return code %d\n", args.return_code); - break; + switch (buffer[0]) { - case 'b': - memset(&args, 0, sizeof(args)); - printf("\nBenchmark Test\n"); - benchmark_test(&args); - printf("Benchmark Test: Return code %d\n", args.return_code); - break; + case 't': + memset(&args, 0, sizeof(args)); + printf("\nCrypt Test\n"); + wolfcrypt_test(&args); + printf("Crypt Test: Return code %d\n", args.return_code); + break; - // All other cases go here - default: DEBUGOUT("\r\nSelection out of range\r\n"); break; - } - } + case 'b': + memset(&args, 0, sizeof(args)); + printf("\nBenchmark Test\n"); + benchmark_test(&args); + printf("Benchmark Test: Return code %d\n", args.return_code); + break; + + // All other cases go here + default: DEBUGOUT("\r\nSelection out of range\r\n"); break; + } + } } From b9dae51658a300a55e1f54868ba4ccc6f81e9c53 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 19 Nov 2015 20:51:32 -0700 Subject: [PATCH 069/177] C Sharp wrapper --- .gitignore | 3 + Makefile.am | 1 + wolfssl/wolfcrypt/settings.h | 10 + .../CSharp/wolfSSL-DTLS-PSK-Server/App.config | 6 + .../Properties/AssemblyInfo.cs | 36 + .../wolfSSL-DTLS-PSK-Server.cs | 163 +++ .../wolfSSL-DTLS-PSK-Server.csproj | 88 ++ wrapper/CSharp/wolfSSL-DTLS-Server/App.config | 6 + .../Properties/AssemblyInfo.cs | 36 + .../wolfSSL-DTLS-Server.cs | 129 ++ .../wolfSSL-DTLS-Server.csproj | 89 ++ .../CSharp/wolfSSL-TLS-PSK-Server/App.config | 6 + .../Properties/AssemblyInfo.cs | 36 + .../wolfSSL-TLS-PSK-Server.cs | 159 +++ .../wolfSSL-TLS-PSK-Server.csproj | 88 ++ wrapper/CSharp/wolfSSL-TLS-Server/App.config | 6 + .../Properties/AssemblyInfo.cs | 36 + .../Properties/Settings.Designer.cs | 26 + .../Properties/Settings.settings | 6 + .../wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs | 121 ++ .../wolfSSL-TLS-Server.csproj | 133 ++ wrapper/CSharp/wolfSSL_CSharp.sln | 252 ++++ .../wolfSSL_CSharp/Properties/AssemblyInfo.cs | 36 + .../Properties/Resources.Designer.cs | 63 + .../wolfSSL_CSharp/Properties/Resources.resx | 101 ++ wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs | 1181 +++++++++++++++++ .../wolfSSL_CSharp/wolfSSL_CSharp.csproj | 80 ++ wrapper/include.am | 26 + 28 files changed, 2923 insertions(+) create mode 100755 wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config create mode 100755 wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs create mode 100755 wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs create mode 100755 wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj create mode 100755 wrapper/CSharp/wolfSSL-DTLS-Server/App.config create mode 100755 wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs create mode 100755 wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs create mode 100755 wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj create mode 100755 wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config create mode 100755 wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs create mode 100755 wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs create mode 100755 wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj create mode 100755 wrapper/CSharp/wolfSSL-TLS-Server/App.config create mode 100755 wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs create mode 100755 wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs create mode 100755 wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings create mode 100755 wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs create mode 100755 wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj create mode 100755 wrapper/CSharp/wolfSSL_CSharp.sln create mode 100755 wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs create mode 100755 wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs create mode 100755 wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx create mode 100755 wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs create mode 100755 wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj create mode 100644 wrapper/include.am diff --git a/.gitignore b/.gitignore index 8761d1658..f8ff8a508 100644 --- a/.gitignore +++ b/.gitignore @@ -169,3 +169,6 @@ wolfcrypt/user-crypto/missing wolfcrypt/user-crypto/Makefile.in wolfcrypt/user-crypto/lib/libusercrypto.* *.hzs + +# wolfSSL CSharp wrapper +wrapper/CSharp/x64/ diff --git a/Makefile.am b/Makefile.am index 687895e34..e8941e6b5 100644 --- a/Makefile.am +++ b/Makefile.am @@ -70,6 +70,7 @@ EXTRA_DIST+= wolfcrypt/user-crypto/lib/.gitkeep EXTRA_DIST+= wolfcrypt/user-crypto/README.txt EXTRA_DIST+= wolfcrypt/user-crypto/Makefile.am +include wrapper/include.am include cyassl/include.am include wolfssl/include.am include certs/include.am diff --git a/wolfssl/wolfcrypt/settings.h b/wolfssl/wolfcrypt/settings.h index c671df00a..c3a37c610 100644 --- a/wolfssl/wolfcrypt/settings.h +++ b/wolfssl/wolfcrypt/settings.h @@ -1000,6 +1000,16 @@ static char *fgets(char *buff, int sz, FILE *fp) #endif #endif +/* C Sharp wrapper defines */ +#ifdef HAVE_CSHARP + #ifndef WOLFSSL_DTLS + #define WOLFSSL_DTLS + #endif + #undef NO_PSK + #undef NO_SHA256 + #undef NO_DH +#endif + /* Place any other flags or defines here */ diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config new file mode 100755 index 000000000..fad249e40 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs new file mode 100755 index 000000000..dc597de7c --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs @@ -0,0 +1,36 @@ +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("wolfSSL-DTLS-PSK-Server")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyProduct("wolfSSL-DTLS-PSK-Server")] +[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("77149dab-52f6-4b83-a9bd-da5beb402621")] + +// Version information for an assembly consists of the following four values: +// +// Major Version +// Minor Version +// Build Number +// Revision +// +// You can specify all the values or you can default the Build and Revision Numbers +// by using the '*' as shown below: +// [assembly: AssemblyVersion("1.0.*")] +[assembly: AssemblyVersion("1.0.0.0")] +[assembly: AssemblyFileVersion("1.0.0.0")] diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs new file mode 100755 index 000000000..ecac02924 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs @@ -0,0 +1,163 @@ + +using System; + +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; +using System.IO; +using System.Net; +using System.Net.Sockets; +using wolfSSL.CSharp; + + + +public class wolfSSL_DTLS_PSK_Server +{ + + + /// + /// Example of a PSK function call back + /// + /// pointer to ssl structure + /// identity of client connecting + /// buffer to hold key + /// max key size + /// size of key set + public static uint my_psk_server_cb(IntPtr ssl, string identity, IntPtr key, uint max_key) + { + /* perform a check on the identity sent across + * log function must be set for print out of logging information + */ + wolfssl.log(1, "PSK Client Identity = " + identity); + + /* Use desired key, note must be a key smaller than max key size parameter + Replace this with desired key. Is trivial one for testing */ + if (max_key < 4) + return 0; + byte[] tmp = { 26, 43, 60, 77 }; + Marshal.Copy(tmp, 0, key, 4); + + return (uint)4; + } + + + public static void Main(string[] args) + { + IntPtr ctx; + IntPtr ssl; + + /* These paths should be changed according to use */ + string fileCert = @"server-cert.pem"; + string fileKey = @"server-key.pem"; + StringBuilder dhparam = new StringBuilder("dh2048.pem"); + + wolfssl.psk_delegate psk_cb = new wolfssl.psk_delegate(my_psk_server_cb); + + StringBuilder buff = new StringBuilder(1024); + StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper"); + + wolfssl.Init(); + + Console.WriteLine("Calling ctx Init from wolfSSL"); + ctx = wolfssl.CTX_dtls_new(wolfssl.useDTLSv1_2_server()); + Console.WriteLine("Finished init of ctx .... now load in cert and key"); + + if (!File.Exists(fileCert) || !File.Exists(fileKey)) + { + Console.WriteLine("Could not find cert or key file"); + return; + } + + + if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting cert file"); + return; + } + + + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, 1) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting key file"); + return; + } + + + /* Test psk use with DHE */ + StringBuilder hint = new StringBuilder("cyassl server"); + wolfssl.CTX_use_psk_identity_hint(ctx, hint); + wolfssl.CTX_set_psk_server_callback(ctx, psk_cb); + + short minDhKey = 128; + wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey); + Console.Write("Setting cipher suite to "); + StringBuilder set_cipher = new StringBuilder("DHE-PSK-AES128-CBC-SHA256"); + Console.WriteLine(set_cipher); + if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS) + { + Console.WriteLine("Failed to set cipher suite"); + return; + } + + IPAddress ip = IPAddress.Parse("0.0.0.0"); + UdpClient udp = new UdpClient(11111); + IPEndPoint ep = new IPEndPoint(ip, 11111); + Console.WriteLine("Started UDP and waiting for a connection"); + + ssl = wolfssl.new_ssl(ctx); + + if (wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting dhparam"); + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + if (wolfssl.set_dtls_fd(ssl, udp, ep) != wolfssl.SUCCESS) + { + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + if (wolfssl.accept(ssl) != wolfssl.SUCCESS) + { + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + /* print out results of TLS/SSL accept */ + Console.WriteLine("SSL version is " + wolfssl.get_version(ssl)); + Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl)); + + /* get connection information and print ip - port */ + wolfssl.DTLS_con con = wolfssl.get_dtls_fd(ssl); + Console.Write("Connected to ip "); + Console.Write(con.ep.Address.ToString()); + Console.Write(" on port "); + Console.WriteLine(con.ep.Port.ToString()); + + /* read information sent and send a reply */ + if (wolfssl.read(ssl, buff, 1023) < 0) + { + Console.WriteLine("Error reading message"); + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + Console.WriteLine(buff); + + if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) + { + Console.WriteLine("Error writing message"); + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + Console.WriteLine("At the end freeing stuff"); + wolfssl.shutdown(ssl); + wolfssl.free(ssl); + udp.Close(); + + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } +} diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj new file mode 100755 index 000000000..aae0b1f05 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj @@ -0,0 +1,88 @@ + + + + + Debug + AnyCPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5} + Exe + Properties + wolfSSL_DTLS_PSK_Server + wolfSSL-DTLS-PSK-Server + v4.5 + 512 + + + AnyCPU + true + full + false + ..\DLL Debug\ + DEBUG;TRACE + prompt + 4 + + + AnyCPU + pdbonly + true + ..\DLL Release\ + TRACE + prompt + 4 + + + true + ..\x64\DLL Debug\ + DEBUG;TRACE + full + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + ..\x64\DLL Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + + + + + + + + + + + + + + + + + + {52609808-0418-46d3-8e17-141927a1a39a} + wolfSSL_CSharp + + + + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/App.config b/wrapper/CSharp/wolfSSL-DTLS-Server/App.config new file mode 100755 index 000000000..fad249e40 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/App.config @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs new file mode 100755 index 000000000..76d3c655d --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs @@ -0,0 +1,36 @@ +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("wolfSSL-DTLS-Server")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyProduct("wolfSSL-DTLS-Server")] +[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("9da922fb-8459-479f-ab06-42b5c0378d2f")] + +// Version information for an assembly consists of the following four values: +// +// Major Version +// Minor Version +// Build Number +// Revision +// +// You can specify all the values or you can default the Build and Revision Numbers +// by using the '*' as shown below: +// [assembly: AssemblyVersion("1.0.*")] +[assembly: AssemblyVersion("1.0.0.0")] +[assembly: AssemblyFileVersion("1.0.0.0")] diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs new file mode 100755 index 000000000..1fb9d3bf8 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs @@ -0,0 +1,129 @@ +using System; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; +using System.IO; +using System.Net; +using System.Net.Sockets; +using wolfSSL.CSharp; + +public class wolfSSL_DTLS_Server +{ + /// + /// Example of a logging function + /// + /// level of log + /// message to log + public static void standard_log(int lvl, StringBuilder msg) + { + Console.WriteLine(msg); + } + + + public static void Main(string[] args) + { + IntPtr ctx; + IntPtr ssl; + + /* These paths should be changed for use */ + string fileCert = @"server-cert.pem"; + string fileKey = @"server-key.pem"; + StringBuilder dhparam = new StringBuilder("dh2048.pem"); + + StringBuilder buff = new StringBuilder(1024); + StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper"); + + //example of function used for setting logging + wolfssl.SetLogging(standard_log); + + wolfssl.Init(); + + Console.WriteLine("Calling ctx Init from wolfSSL"); + ctx = wolfssl.CTX_dtls_new(wolfssl.useDTLSv1_2_server()); + Console.WriteLine("Finished init of ctx .... now load in cert and key"); + + if (!File.Exists(fileCert) || !File.Exists(fileKey)) + { + Console.WriteLine("Could not find cert or key file"); + return; + } + + + if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting cert file"); + return; + } + + + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, 1) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting key file"); + return; + } + + short minDhKey = 128; + wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey); + + IPAddress ip = IPAddress.Parse("0.0.0.0"); + UdpClient udp = new UdpClient(11111); + IPEndPoint ep = new IPEndPoint(ip, 11111); + Console.WriteLine("Started UDP and waiting for a connection"); + + ssl = wolfssl.new_ssl(ctx); + + if (wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting dhparam"); + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + if (wolfssl.set_dtls_fd(ssl, udp, ep) != wolfssl.SUCCESS) + { + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + if (wolfssl.accept(ssl) != wolfssl.SUCCESS) + { + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + /* print out results of TLS/SSL accept */ + Console.WriteLine("SSL version is " + wolfssl.get_version(ssl)); + Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl)); + + /* get connection information and print ip - port */ + wolfssl.DTLS_con con = wolfssl.get_dtls_fd(ssl); + Console.Write("Connected to ip "); + Console.Write(con.ep.Address.ToString()); + Console.Write(" on port "); + Console.WriteLine(con.ep.Port.ToString()); + + /* read information sent and send a reply */ + if (wolfssl.read(ssl, buff, 1023) < 0) + { + Console.WriteLine("Error reading message"); + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + Console.WriteLine(buff); + + if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) + { + Console.WriteLine("Error writing message"); + Console.WriteLine(wolfssl.get_error(ssl)); + return; + } + + Console.WriteLine("At the end freeing stuff"); + wolfssl.shutdown(ssl); + wolfssl.free(ssl); + udp.Close(); + + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } +} diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj new file mode 100755 index 000000000..2e8e63d8f --- /dev/null +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj @@ -0,0 +1,89 @@ + + + + + Debug + AnyCPU + {730F047E-37A6-498F-A543-B6C98AA7B338} + Exe + Properties + wolfSSL_DTLS_Server + wolfSSL-DTLS-Server + v4.5 + 512 + + + AnyCPU + true + full + false + ..\DLL Debug\ + DEBUG;TRACE + prompt + 4 + + + AnyCPU + pdbonly + true + ..\DLL Release\ + TRACE + prompt + 4 + + + true + ..\x64\DLL Debug\ + DEBUG;TRACE + full + x64 + prompt + MinimumRecommendedRules.ruleset + true + 0 + + + ..\x64\DLL Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + + + + + + + + + + + + + + + + + + {52609808-0418-46d3-8e17-141927a1a39a} + wolfSSL_CSharp + + + + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config new file mode 100755 index 000000000..fad249e40 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs new file mode 100755 index 000000000..6c0c13c43 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs @@ -0,0 +1,36 @@ +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("wolfSSL-TLS-PSK-Server")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyProduct("wolfSSL-TLS-PSK-Server")] +[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("1de70ade-16d5-4c90-9657-c19c2762bca6")] + +// Version information for an assembly consists of the following four values: +// +// Major Version +// Minor Version +// Build Number +// Revision +// +// You can specify all the values or you can default the Build and Revision Numbers +// by using the '*' as shown below: +// [assembly: AssemblyVersion("1.0.*")] +[assembly: AssemblyVersion("1.0.0.0")] +[assembly: AssemblyFileVersion("1.0.0.0")] diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs new file mode 100755 index 000000000..64cc335f0 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs @@ -0,0 +1,159 @@ + +using System; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; +using System.IO; +using System.Net; +using System.Net.Sockets; +using wolfSSL.CSharp; + + + +public class wolfSSL_TLS_PSK_Server +{ + + + /// + /// Example of a PSK function call back + /// + /// pointer to ssl structure + /// identity of client connecting + /// buffer to hold key + /// max key size + /// size of key set + public static uint my_psk_server_cb(IntPtr ssl, string identity, IntPtr key, uint max_key) + { + /* perform a check on the identity sent across + * log function must be set for print out of logging information + */ + wolfssl.log(1, "PSK Client Identity = " + identity); + + /* Use desired key, note must be a key smaller than max key size parameter + Replace this with desired key. Is trivial one for testing */ + if (max_key < 4) + return 0; + byte[] tmp = { 26, 43, 60, 77 }; + Marshal.Copy(tmp, 0, key, 4); + + return (uint)4; + } + + + public static void Main(string[] args) + { + IntPtr ctx; + IntPtr ssl; + Socket fd; + + wolfssl.psk_delegate psk_cb = new wolfssl.psk_delegate(my_psk_server_cb); + + /* These paths should be changed according to use */ + string fileCert = @"server-cert.pem"; + string fileKey = @"server-key.pem"; + StringBuilder dhparam = new StringBuilder("dh2048.pem"); + + StringBuilder buff = new StringBuilder(1024); + StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper"); + + wolfssl.Init(); + + Console.WriteLine("Calling ctx Init from wolfSSL"); + ctx = wolfssl.CTX_new(wolfssl.useTLSv1_2_server()); + Console.WriteLine("Finished init of ctx .... now load in cert and key"); + + if (!File.Exists(fileCert) || !File.Exists(fileKey)) + { + Console.WriteLine("Could not find cert or key file"); + return; + } + + if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting cert file"); + return; + } + + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting key file"); + return; + } + + + StringBuilder ciphers = new StringBuilder(new String(' ', 4096)); + wolfssl.get_ciphers(ciphers, 4096); + Console.WriteLine("Ciphers : " + ciphers.ToString()); + + short minDhKey = 128; + wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey); + Console.Write("Setting cipher suite to "); + StringBuilder set_cipher = new StringBuilder("DHE-PSK-AES128-CBC-SHA256"); + Console.WriteLine(set_cipher); + if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS) + { + Console.WriteLine("Failed to set cipher suite"); + return; + } + + /* Test psk use with DHE */ + StringBuilder hint = new StringBuilder("cyassl server"); + if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting hint"); + return; + } + wolfssl.CTX_set_psk_server_callback(ctx, psk_cb); + + /* set up TCP socket */ + IPAddress ip = IPAddress.Parse("0.0.0.0"); //bind to any + TcpListener tcp = new TcpListener(ip, 11111); + tcp.Start(); + + Console.WriteLine("Started TCP and waiting for a connection"); + fd = tcp.AcceptSocket(); + ssl = wolfssl.new_ssl(ctx); + + Console.WriteLine("Connection made wolfSSL_accept "); + if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS) + { + /* get and print out the error */ + Console.Write(wolfssl.get_error(ssl)); + return; + } + + wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM); + + if (wolfssl.accept(ssl) != wolfssl.SUCCESS) + { + /* get and print out the error */ + Console.Write(wolfssl.get_error(ssl)); + return; + } + + /* print out results of TLS/SSL accept */ + Console.WriteLine("SSL version is " + wolfssl.get_version(ssl)); + Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl)); + + /* read and print out the message then reply */ + if (wolfssl.read(ssl, buff, 1023) < 0) + { + Console.WriteLine("Error in read"); + return; + } + Console.WriteLine(buff); + + if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) + { + Console.WriteLine("Error in write"); + return; + } + + wolfssl.shutdown(ssl); + wolfssl.free(ssl); + fd.Close(); + + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } +} diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj new file mode 100755 index 000000000..3308ae37b --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj @@ -0,0 +1,88 @@ + + + + + Debug + AnyCPU + {030431C7-26AB-4447-815B-F27E88BE5D5B} + Exe + Properties + wolfSSL_TLS_PSK_Server + wolfSSL-TLS-PSK-Server + v4.5 + 512 + + + AnyCPU + true + full + false + ..\DLL Debug\ + DEBUG;TRACE + prompt + 4 + + + AnyCPU + pdbonly + true + ..\DLL Release\ + TRACE + prompt + 4 + + + true + ..\x64\DLL Debug\ + DEBUG;TRACE + full + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + ..\x64\DLL Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + + + + + + + + + + + + + + + + + + {52609808-0418-46d3-8e17-141927a1a39a} + wolfSSL_CSharp + + + + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/App.config b/wrapper/CSharp/wolfSSL-TLS-Server/App.config new file mode 100755 index 000000000..fad249e40 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-Server/App.config @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs new file mode 100755 index 000000000..762bc4d31 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs @@ -0,0 +1,36 @@ +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("wolfSSL-TLS-Server")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyProduct("wolfSSL-TLS-Server")] +[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("716e8f30-1318-4e3b-b788-d0380b397a4c")] + +// Version information for an assembly consists of the following four values: +// +// Major Version +// Minor Version +// Build Number +// Revision +// +// You can specify all the values or you can default the Build and Revision Numbers +// by using the '*' as shown below: +// [assembly: AssemblyVersion("1.0.*")] +[assembly: AssemblyVersion("1.0.0.0")] +[assembly: AssemblyFileVersion("1.0.0.0")] diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs new file mode 100755 index 000000000..6409d3ec6 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs @@ -0,0 +1,26 @@ +//------------------------------------------------------------------------------ +// +// This code was generated by a tool. +// Runtime Version:4.0.30319.17929 +// +// Changes to this file may cause incorrect behavior and will be lost if +// the code is regenerated. +// +//------------------------------------------------------------------------------ + +namespace wolfSSL_TLS_CSharp.Properties { + + + [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] + [global::System.CodeDom.Compiler.GeneratedCodeAttribute("Microsoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator", "11.0.0.0")] + internal sealed partial class Settings : global::System.Configuration.ApplicationSettingsBase { + + private static Settings defaultInstance = ((Settings)(global::System.Configuration.ApplicationSettingsBase.Synchronized(new Settings()))); + + public static Settings Default { + get { + return defaultInstance; + } + } + } +} diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings new file mode 100755 index 000000000..15034e76c --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings @@ -0,0 +1,6 @@ + + + + + + diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs new file mode 100755 index 000000000..190efe8c6 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs @@ -0,0 +1,121 @@ +using System; +using System.Runtime.InteropServices; +using System.Text; +using System.IO; +using System.Net; +using System.Net.Sockets; +using wolfSSL.CSharp; + +public class wolfSSL_TLS_CSHarp +{ + /// + /// Example of a logging function + /// + /// level of log + /// message to log + public static void standard_log(int lvl, StringBuilder msg) + { + Console.WriteLine(msg); + } + + public static void Main(string[] args) + { + IntPtr ctx; + IntPtr ssl; + Socket fd; + + /* These paths should be changed for use */ + string fileCert = @"server-cert.pem"; + string fileKey = @"server-key.pem"; + StringBuilder dhparam = new StringBuilder("dh2048.pem"); + + StringBuilder buff = new StringBuilder(1024); + StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper"); + + //example of function used for setting logging + wolfssl.SetLogging(standard_log); + + wolfssl.Init(); + + Console.WriteLine("Calling ctx Init from wolfSSL"); + ctx = wolfssl.CTX_new(wolfssl.usev23_server()); + Console.WriteLine("Finished init of ctx .... now load in cert and key"); + + if (!File.Exists(fileCert) || !File.Exists(fileKey)) + { + Console.WriteLine("Could not find cert or key file"); + return; + } + + if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting cert file"); + return; + } + + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting key file"); + return; + } + + + StringBuilder ciphers = new StringBuilder(new String(' ', 4096)); + wolfssl.get_ciphers(ciphers, 4096); + Console.WriteLine("Ciphers : " + ciphers.ToString()); + + short minDhKey = 128; + wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey); + + /* set up TCP socket */ + IPAddress ip = IPAddress.Parse("0.0.0.0"); //bind to any + TcpListener tcp = new TcpListener(ip, 11111); + tcp.Start(); + + Console.WriteLine("Started TCP and waiting for a connection"); + fd = tcp.AcceptSocket(); + ssl = wolfssl.new_ssl(ctx); + + Console.WriteLine("Connection made wolfSSL_accept "); + if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS) + { + /* get and print out the error */ + Console.Write(wolfssl.get_error(ssl)); + return; + } + + wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM); + + if (wolfssl.accept(ssl) != 1) + { + /* get and print out the error */ + Console.Write(wolfssl.get_error(ssl)); + return; + } + + /* print out results of TLS/SSL accept */ + Console.WriteLine("SSL version is " + wolfssl.get_version(ssl)); + Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl)); + + /* read and print out the message then reply */ + if (wolfssl.read(ssl, buff, 1023) < 0) + { + Console.WriteLine("Error in read"); + return; + } + Console.WriteLine(buff); + + if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) + { + Console.WriteLine("Error in write"); + return; + } + + wolfssl.shutdown(ssl); + wolfssl.free(ssl); + fd.Close(); + + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } +} diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj new file mode 100755 index 000000000..f1ee88264 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj @@ -0,0 +1,133 @@ + + + + + Debug + AnyCPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2} + Exe + Properties + wolfSSL_TLS_CSharp + wolfSSL-TLS-Server + v4.5 + 512 + publish\ + true + Disk + false + Foreground + 7 + Days + false + false + true + 0 + 1.0.0.%2a + false + false + true + + + AnyCPU + true + full + false + ..\DLL Debug\ + DEBUG;TRACE + prompt + 3 + + + AnyCPU + pdbonly + true + ..\DLL Release\ + TRACE + prompt + 4 + + + + + + true + ..\x64\DLL Debug\ + DEBUG;TRACE + 4 + full + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + ..\x64\DLL Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + + + + + + + + + + + + True + True + Settings.settings + + + + + + + SettingsSingleFileGenerator + Settings.Designer.cs + + + + + {52609808-0418-46d3-8e17-141927a1a39a} + wolfSSL_CSharp + + + + + False + Microsoft .NET Framework 4.5 %28x86 and x64%29 + true + + + False + .NET Framework 3.5 SP1 Client Profile + false + + + False + .NET Framework 3.5 SP1 + false + + + + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL_CSharp.sln b/wrapper/CSharp/wolfSSL_CSharp.sln new file mode 100755 index 000000000..53c74f173 --- /dev/null +++ b/wrapper/CSharp/wolfSSL_CSharp.sln @@ -0,0 +1,252 @@ + +Microsoft Visual Studio Solution File, Format Version 12.00 +# Visual Studio 2012 +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL_CSharp", "wolfSSL_CSharp\wolfSSL_CSharp.csproj", "{52609808-0418-46D3-8E17-141927A1A39A}" + ProjectSection(ProjectDependencies) = postProject + {73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B} + EndProjectSection +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-TLS-Server", "wolfSSL-TLS-Server\wolfSSL-TLS-Server.csproj", "{8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-TLS-PSK-Server", "wolfSSL-TLS-PSK-Server\wolfSSL-TLS-PSK-Server.csproj", "{030431C7-26AB-4447-815B-F27E88BE5D5B}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-DTLS-Server", "wolfSSL-DTLS-Server\wolfSSL-DTLS-Server.csproj", "{730F047E-37A6-498F-A543-B6C98AA7B338}" +EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-DTLS-PSK-Server", "wolfSSL-DTLS-PSK-Server\wolfSSL-DTLS-PSK-Server.csproj", "{77AEF1BE-4BE3-4837-8188-2A06E4D963F5}" + ProjectSection(ProjectDependencies) = postProject + {52609808-0418-46D3-8E17-141927A1A39A} = {52609808-0418-46D3-8E17-141927A1A39A} + EndProjectSection +EndProject +Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "wolfSSL", "wolfSSL", "{252D09D0-D007-4AEB-9F7A-A74408039A8A}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfssl", "..\..\wolfssl.vcxproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "..\..\testsuite\testsuite.vcxproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}" +EndProject +Global + GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|Any CPU = Debug|Any CPU + Debug|Mixed Platforms = Debug|Mixed Platforms + Debug|Win32 = Debug|Win32 + Debug|x64 = Debug|x64 + DLL Debug|Any CPU = DLL Debug|Any CPU + DLL Debug|Mixed Platforms = DLL Debug|Mixed Platforms + DLL Debug|Win32 = DLL Debug|Win32 + DLL Debug|x64 = DLL Debug|x64 + DLL Release|Any CPU = DLL Release|Any CPU + DLL Release|Mixed Platforms = DLL Release|Mixed Platforms + DLL Release|Win32 = DLL Release|Win32 + DLL Release|x64 = DLL Release|x64 + Release|Any CPU = Release|Any CPU + Release|Mixed Platforms = Release|Mixed Platforms + Release|Win32 = Release|Win32 + Release|x64 = Release|x64 + EndGlobalSection + GlobalSection(ProjectConfigurationPlatforms) = postSolution + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Any CPU.Build.0 = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Win32.ActiveCfg = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|x64.ActiveCfg = Debug|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.Debug|x64.Build.0 = Debug|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Win32.Build.0 = Debug|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|x64.ActiveCfg = Debug|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|x64.Build.0 = Debug|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Any CPU.Build.0 = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Win32.ActiveCfg = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Win32.Build.0 = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|x64.ActiveCfg = Release|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|x64.Build.0 = Release|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.Release|Any CPU.ActiveCfg = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Release|Any CPU.Build.0 = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Release|Mixed Platforms.Build.0 = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Release|Win32.ActiveCfg = Release|Any CPU + {52609808-0418-46D3-8E17-141927A1A39A}.Release|x64.ActiveCfg = Release|x64 + {52609808-0418-46D3-8E17-141927A1A39A}.Release|x64.Build.0 = Release|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Any CPU.Build.0 = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Win32.ActiveCfg = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|x64.ActiveCfg = Debug|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|x64.Build.0 = Debug|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Win32.Build.0 = Debug|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|x64.ActiveCfg = Debug|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|x64.Build.0 = Debug|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Any CPU.Build.0 = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Win32.ActiveCfg = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Win32.Build.0 = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|x64.ActiveCfg = Release|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|x64.Build.0 = Release|x64 + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Any CPU.ActiveCfg = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Any CPU.Build.0 = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Mixed Platforms.Build.0 = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Win32.ActiveCfg = Release|Any CPU + {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|x64.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Any CPU.Build.0 = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Win32.ActiveCfg = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|x64.ActiveCfg = Debug|x64 + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|x64.Build.0 = Debug|x64 + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Win32.Build.0 = Debug|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|x64.ActiveCfg = Debug|x64 + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|x64.Build.0 = Debug|x64 + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Any CPU.Build.0 = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Win32.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Win32.Build.0 = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|x64.ActiveCfg = Release|x64 + {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|x64.Build.0 = Release|x64 + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Any CPU.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Any CPU.Build.0 = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Mixed Platforms.Build.0 = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Win32.ActiveCfg = Release|Any CPU + {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|x64.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Any CPU.Build.0 = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Win32.ActiveCfg = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|x64.ActiveCfg = Debug|x64 + {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|x64.Build.0 = Debug|x64 + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Win32.Build.0 = Debug|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|x64.ActiveCfg = Debug|x64 + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|x64.Build.0 = Debug|x64 + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Any CPU.Build.0 = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Win32.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Win32.Build.0 = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|x64.ActiveCfg = Release|x64 + {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|x64.Build.0 = Release|x64 + {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Any CPU.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Any CPU.Build.0 = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Mixed Platforms.Build.0 = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Win32.ActiveCfg = Release|Any CPU + {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|x64.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Any CPU.Build.0 = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Win32.ActiveCfg = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|x64.ActiveCfg = Debug|x64 + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|x64.Build.0 = Debug|x64 + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Win32.Build.0 = Debug|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|x64.ActiveCfg = Debug|x64 + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|x64.Build.0 = Debug|x64 + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Any CPU.Build.0 = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Win32.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Win32.Build.0 = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|x64.ActiveCfg = Release|x64 + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|x64.Build.0 = Release|x64 + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Any CPU.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Any CPU.Build.0 = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Mixed Platforms.Build.0 = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Win32.ActiveCfg = Release|Any CPU + {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|x64.ActiveCfg = Release|Any CPU + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Any CPU.ActiveCfg = Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Mixed Platforms.Build.0 = Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.ActiveCfg = DLL Debug|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.Build.0 = DLL Debug|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Any CPU.ActiveCfg = DLL Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Mixed Platforms.ActiveCfg = DLL Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Mixed Platforms.Build.0 = DLL Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.Build.0 = DLL Debug|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.ActiveCfg = DLL Debug|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.Build.0 = DLL Debug|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Any CPU.ActiveCfg = DLL Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Mixed Platforms.ActiveCfg = DLL Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Mixed Platforms.Build.0 = DLL Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.ActiveCfg = DLL Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.Build.0 = DLL Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.ActiveCfg = DLL Release|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.Build.0 = DLL Release|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Any CPU.ActiveCfg = Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Mixed Platforms.ActiveCfg = Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Mixed Platforms.Build.0 = Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.ActiveCfg = Release|x64 + {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.Build.0 = Release|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Any CPU.ActiveCfg = Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|x64.ActiveCfg = Debug|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Any CPU.ActiveCfg = DLL Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Mixed Platforms.ActiveCfg = DLL Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Mixed Platforms.Build.0 = DLL Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|x64.ActiveCfg = DLL Debug|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|x64.Build.0 = DLL Debug|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Any CPU.ActiveCfg = DLL Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Mixed Platforms.ActiveCfg = DLL Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Mixed Platforms.Build.0 = DLL Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Win32.ActiveCfg = DLL Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|x64.ActiveCfg = DLL Release|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|x64.Build.0 = DLL Release|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Any CPU.ActiveCfg = Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Mixed Platforms.ActiveCfg = Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Mixed Platforms.Build.0 = Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|x64.ActiveCfg = Release|x64 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|x64.Build.0 = Release|x64 + EndGlobalSection + GlobalSection(SolutionProperties) = preSolution + HideSolutionNode = FALSE + EndGlobalSection + GlobalSection(NestedProjects) = preSolution + {73973223-5EE8-41CA-8E88-1D60E89A237B} = {252D09D0-D007-4AEB-9F7A-A74408039A8A} + {611E8971-46E0-4D0A-B5A1-632C3B00CB80} = {252D09D0-D007-4AEB-9F7A-A74408039A8A} + EndGlobalSection +EndGlobal diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs new file mode 100755 index 000000000..2931bee7b --- /dev/null +++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs @@ -0,0 +1,36 @@ +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("wolfSSL.CSharp")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyProduct("wolfSSL.CSharp")] +[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("b50b8d16-ff19-4ea4-8881-13cf972765db")] + +// Version information for an assembly consists of the following four values: +// +// Major Version +// Minor Version +// Build Number +// Revision +// +// You can specify all the values or you can default the Build and Revision Numbers +// by using the '*' as shown below: +// [assembly: AssemblyVersion("1.0.*")] +[assembly: AssemblyVersion("1.0.0.0")] +[assembly: AssemblyFileVersion("1.0.0.0")] diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs new file mode 100755 index 000000000..dd0327fd4 --- /dev/null +++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs @@ -0,0 +1,63 @@ +//------------------------------------------------------------------------------ +// +// This code was generated by a tool. +// Runtime Version:4.0.30319.17929 +// +// Changes to this file may cause incorrect behavior and will be lost if +// the code is regenerated. +// +//------------------------------------------------------------------------------ + +namespace wolfssl_wrapper.Properties { + using System; + + + /// + /// A strongly-typed resource class, for looking up localized strings, etc. + /// + // This class was auto-generated by the StronglyTypedResourceBuilder + // class via a tool like ResGen or Visual Studio. + // To add or remove a member, edit your .ResX file then rerun ResGen + // with the /str option, or rebuild your VS project. + [global::System.CodeDom.Compiler.GeneratedCodeAttribute("System.Resources.Tools.StronglyTypedResourceBuilder", "4.0.0.0")] + [global::System.Diagnostics.DebuggerNonUserCodeAttribute()] + [global::System.Runtime.CompilerServices.CompilerGeneratedAttribute()] + internal class Resources { + + private static global::System.Resources.ResourceManager resourceMan; + + private static global::System.Globalization.CultureInfo resourceCulture; + + [global::System.Diagnostics.CodeAnalysis.SuppressMessageAttribute("Microsoft.Performance", "CA1811:AvoidUncalledPrivateCode")] + internal Resources() { + } + + /// + /// Returns the cached ResourceManager instance used by this class. + /// + [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] + internal static global::System.Resources.ResourceManager ResourceManager { + get { + if (object.ReferenceEquals(resourceMan, null)) { + global::System.Resources.ResourceManager temp = new global::System.Resources.ResourceManager("wolfSSL.CSharp.Properties.Resources", typeof(Resources).Assembly); + resourceMan = temp; + } + return resourceMan; + } + } + + /// + /// Overrides the current thread's CurrentUICulture property for all + /// resource lookups using this strongly typed resource class. + /// + [global::System.ComponentModel.EditorBrowsableAttribute(global::System.ComponentModel.EditorBrowsableState.Advanced)] + internal static global::System.Globalization.CultureInfo Culture { + get { + return resourceCulture; + } + set { + resourceCulture = value; + } + } + } +} diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx new file mode 100755 index 000000000..85c909092 --- /dev/null +++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx @@ -0,0 +1,101 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + text/microsoft-resx + + + 1.3 + + + System.Resources.ResXResourceReader, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + + System.Resources.ResXResourceWriter, System.Windows.Forms, Version=2.0.3500.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs new file mode 100755 index 000000000..c384be2d1 --- /dev/null +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs @@ -0,0 +1,1181 @@ +using System; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; +using System.IO; +using System.Net; +using System.Net.Sockets; + +namespace wolfSSL.CSharp { + public class wolfssl + { + private const string wolfssl_dll = "wolfssl.dll"; + + /******************************** + * Class for DTLS connections + */ + public class DTLS_con + { + public UdpClient udp; + public IPEndPoint ep; + } + + + /******************************** + * Init wolfSSL library + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_Init(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_Cleanup(); + + + /******************************** + * Methods of connection + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfTLSv1_2_server_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSLv23_server_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfTLSv1_2_client_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSLv23_client_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfDTLSv1_2_server_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfDTLSv1_2_client_method(); + + + /******************************** + * Call backs + */ + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate int CallbackIORecv_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIORecv(IntPtr ctx, CallbackIORecv_delegate recv); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIOReadCtx(IntPtr ssl, IntPtr rctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_GetIOReadCtx(IntPtr ssl); + + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate int CallbackIOSend_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIOSend(IntPtr ctx, CallbackIOSend_delegate send); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIOWriteCtx(IntPtr ssl, IntPtr wctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_GetIOWriteCtx(IntPtr ssl); + + + /******************************** + * CTX structure + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_CTX_new(IntPtr method); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_CTX_free(IntPtr ctx); + + + /******************************** + * PSK + */ + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate uint psk_delegate(IntPtr ssl, string identity, IntPtr key, uint max_sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder identity); + + + /******************************** + * SSL Structure + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_new(IntPtr ctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_accept(IntPtr ssl); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_connect(IntPtr ssl); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_read(IntPtr ssl, StringBuilder buf, int sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_write(IntPtr ssl, StringBuilder buf, int sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_shutdown(IntPtr ssl); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_free(IntPtr ssl); + + + /******************************** + * Cipher lists + */ + /* only supports full name from cipher_name[] delimited by : */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_set_cipher_list(IntPtr ctx, StringBuilder ciphers); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_set_cipher_list(IntPtr ssl, StringBuilder ciphers); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_get_ciphers(StringBuilder ciphers, int sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_cipher(IntPtr ssl); + [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_CIPHER_get_name(IntPtr cipher); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_current_cipher(IntPtr ssl); + [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_version(IntPtr ssl); + [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_cipher_list(IntPtr ssl); + + + /******************************** + * Error logging + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_ERR_error_string(int err, StringBuilder errOut); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_get_error(IntPtr ssl, int err); + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate void loggingCb(int lvl, StringBuilder msg); + private static loggingCb internal_log; + + + /******************************** + * DH + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_SetMinDhKey_Sz(IntPtr ctx, short size); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetTmpDH_file(IntPtr ssl, StringBuilder dhParam, int type); + + + /******************************** + * Enum types from wolfSSL library + */ + public static readonly int SSL_FILETYPE_PEM = 1; + public static readonly int SSL_FILETYPE_ASN1= 2; + public static readonly int SSL_FILETYPE_RAW = 3; + public static readonly int CBIO_ERR_GENERAL = -1; + public static readonly int CBIO_ERR_WANT_READ = -2; + public static readonly int CBIO_ERR_WANT_WRITE = -2; + public static readonly int CBIO_ERR_CONN_RST = -3; + public static readonly int CBIO_ERR_ISR = -4; + public static readonly int CBIO_ERR_CONN_CLOSE = -5; + public static readonly int CBIO_ERR_TIMEOUT = -6; + + public static readonly int SUCCESS = 1; + public static readonly int FAILURE = 0; + + + /// + /// Call back to allow recieving TLS information + /// + /// structure of ssl passed in + /// buffer to contain recieved msg + /// size of buffer + /// optional information passed in + /// size of message recieved + private static int wolfSSLCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + log(1, "wolfssl recieve error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + int amtRecv = 0; + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + Socket con = (System.Net.Sockets.Socket)gch.Target; + + try + { + Byte[] msg = new Byte[sz]; + amtRecv = con.Receive(msg, msg.Length, 0); + Marshal.Copy(msg, 0, buf, sz); + } + catch (Exception e) + { + log(1, "Error in recive " + e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + + return amtRecv; + } + + + /// + /// Call back used for sending TLS information + /// + /// pointer to ssl struct + /// buffer containing information to send + /// size of buffer to send + /// optional information + /// amount of information sent + private static int wolfSSLCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + log(1, "wolfssl send error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + + Socket con = (System.Net.Sockets.Socket)gch.Target; + + Byte[] msg = new Byte[sz]; + + Marshal.Copy(buf, msg, 0, sz); + try + { + con.Send(msg, 0, msg.Length, SocketFlags.None); + return sz; + } + catch (Exception e) + { + log(1, "socket connection issue "+ e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + } + + + /// + /// Call back used for sending DTLS information + /// + /// pointer to ssl struct + /// buffer containing information to send + /// size of buffer to send + /// optional information + /// amount of information sent + private static int wolfSSL_dtlsCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + log(1, "wolfssl dtls send error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + + DTLS_con con = (DTLS_con)gch.Target; + + Byte[] msg = new Byte[sz]; + + Marshal.Copy(buf, msg, 0, sz); + try + { + con.udp.Send(msg, msg.Length, con.ep); + return msg.Length; + } + catch (Exception e) + { + log(1, "socket connection issue " + e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + } + + + /// + /// Call back to allow recieving DTLS information + /// + /// structure of ssl passed in + /// buffer to contain recieved msg + /// size of buffer + /// optional information passed in + /// size of message recieved + private static int wolfSSL_dtlsCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + + if (sz <= 0) + { + log(1, "wolfssl dtls recieve error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + DTLS_con con = (DTLS_con)gch.Target; + + Byte[] msg = new Byte[sz]; + try + { + msg = con.udp.Receive(ref con.ep); + } + catch (Exception e) + { + /* issue with receive or size of buffer */ + log(1, "socket read issue "+ e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + + Marshal.Copy(msg, 0, buf, msg.Length); + + return msg.Length; + } + + + /// + /// Create a new ssl structure + /// + /// structure to create ssl structure from + /// pointer to ssl structure + public static IntPtr new_ssl(IntPtr ctx) + { + try + { + return wolfSSL_new(ctx); + } + catch (Exception e) + { + log(1, e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Used for a server to accept a connection + /// + /// structure containing info for connection + /// 1 on success + public static int accept(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_accept(ssl); + } + catch (Exception e) + { + log(1, "accept error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Used for a client to connect + /// + /// structure containing connection info + /// 1 on success + public static int connect(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_connect(ssl); + } + catch (Exception e) + { + log(1, "connect error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Read message from secure connection + /// + /// structure containing info about connection + /// object to hold incoming message + /// size of available memory in buf + /// amount of data read on success + public static int read(IntPtr ssl, StringBuilder buf, int sz) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_read(ssl, buf, sz); + } + catch (Exception e) + { + log(1, "wolfssl read error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Write message to secure connection + /// + /// structure containing connection info + /// message to send + /// size of the message + /// amount sent on success + public static int write(IntPtr ssl, StringBuilder buf, int sz) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_write(ssl, buf, sz); + } + catch (Exception e) + { + log(1, "wolfssl write error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Free information stored in ssl struct + /// + /// pointer to ssl struct to free + public static void free(IntPtr ssl) + { + try + { + /* free the handle for the socket */ + IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + gch.Free(); + } + ptr = wolfSSL_GetIOWriteCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + gch.Free(); + } + wolfSSL_free(ssl); + } + catch (Exception e) + { + log(1, "wolfssl free error " + e.ToString()); + } + } + + + /// + /// Shutdown a connection + /// + /// pointer to ssl struct to close connection of + /// 1 on success + public static int shutdown(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_shutdown(ssl); + } + catch (Exception e) + { + log(1, "wolfssl shutdwon error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Optional, can be used to set a custom recieve function + /// + /// structure to set recieve function in + /// function to use when reading socket + public static void SetIORecv(IntPtr ctx, CallbackIORecv_delegate func) + { + try + { + wolfSSL_SetIORecv(ctx, func); + } + catch (Exception e) + { + log(1, "wolfssl setIORecv error " + e.ToString()); + } + } + + + /// + /// Optional, can be used to set a custom send function + /// + /// structure to set function in + /// function to use when sending data + public static void SetIOSend(IntPtr ctx, CallbackIOSend_delegate func) + { + try + { + wolfSSL_SetIOSend(ctx, func); + } + catch (Exception e) + { + log(1, "wolfssl setIOSend error " + e.ToString()); + } + } + + + /// + /// Create a new CTX structure + /// + /// method to use such as TLSv1.2 + /// pointer to CTX structure + public static IntPtr CTX_new(IntPtr method) + { + try + { + IntPtr ctx = wolfSSL_CTX_new(method); + if (ctx == IntPtr.Zero) + return ctx; + + CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSLCbIORecv); + wolfSSL_SetIORecv(ctx, recv); + + CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSLCbIOSend); + wolfSSL_SetIOSend(ctx, send); + + return ctx; + } + catch (Exception e) + { + log(1, "ctx_new error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Create a new CTX structure for a DTLS connection + /// + /// Method to use in connection ie DTLSv1.2 + /// + public static IntPtr CTX_dtls_new(IntPtr method) + { + try + { + IntPtr ctx = wolfSSL_CTX_new(method); + if (ctx == IntPtr.Zero) + return ctx; + + CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSL_dtlsCbIORecv); + wolfSSL_SetIORecv(ctx, recv); + + CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSL_dtlsCbIOSend); + wolfSSL_SetIOSend(ctx, send); + + return ctx; + } + catch (Exception e) + { + log(1, "ctx_dtls_new error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Free information used in CTX structure + /// + /// structure to free + public static void CTX_free(IntPtr ctx) + { + try + { + wolfSSL_CTX_free(ctx); + } + catch (Exception e) + { + log(1, "wolfssl ctx free error " + e.ToString()); + } + } + + + /// + /// Set identity hint to use + /// + /// pointer to structure of ctx to set hint in + /// hint to use + /// 1 on success + public static int CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder hint) + { + try + { + return wolfSSL_CTX_use_psk_identity_hint(ctx, hint); + } + catch (Exception e) + { + log(1, "wolfssl psk identity hint error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set the function to use for PSK connections + /// + /// pointer to CTX that the function is set in + /// PSK function to use + public static void CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb) + { + try + { + wolfSSL_CTX_set_psk_server_callback(ctx, psk_cb); + } + catch (Exception e) + { + log(1, "wolfssl psk server callback error " + e.ToString()); + } + } + + + /// + /// Set the function to use for PSK connections on a single TLS/DTLS connection + /// + /// pointer to SSL that the function is set in + /// PSK function to use + public static void set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb) + { + try + { + wolfSSL_set_psk_server_callback(ssl, psk_cb); + } + catch (Exception e) + { + log(1, "wolfssl psk server callback error " + e.ToString()); + } + } + + + /// + /// Set Socket for TLS connection + /// + /// structure to set Socket in + /// Socket to use + /// 1 on success + public static int set_fd(IntPtr ssl, Socket fd) + { + /* sanity check on inputs */ + if (ssl == IntPtr.Zero) + { + return FAILURE; + } + + try + { + if (!fd.Equals(null)) + { + IntPtr ptr = GCHandle.ToIntPtr(GCHandle.Alloc(fd)); + wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to + wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from + } + } + catch (Exception e) + { + log(1, "Error setting up fd!! " + e.ToString()); + return FAILURE; + } + + return 1; + } + + + /// + /// Get socket of a TLS connection + /// + /// structure to get socket from + /// Socket object used for connection + public static Socket get_fd(IntPtr ssl) + { + try + { + IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + return (System.Net.Sockets.Socket)gch.Target; + } + return null; + } + catch (Exception e) + { + log(1, "wolfssl get_fd error " + e.ToString()); + return null; + } + } + + + + /// + /// Set information needed to send and receive a DTLS connection + /// + /// structure to set information in + /// UDP object to send and receive + /// End point of connection + /// 1 on success + public static int set_dtls_fd(IntPtr ssl, UdpClient udp, IPEndPoint ep) + { + IntPtr ptr; + DTLS_con con; + + /* sanity check on inputs */ + if (ssl == IntPtr.Zero) + { + return FAILURE; + } + + try + { + if (!udp.Equals(null) && !ep.Equals(null)) + { + con = new DTLS_con(); + con.udp = udp; + con.ep = ep; + ptr = GCHandle.ToIntPtr(GCHandle.Alloc(con)); + wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to + wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from + } + } + catch (Exception e) + { + log(1, "Error setting up fd!! " + e.ToString()); + return FAILURE; + } + + return 1; + } + + + /// + /// Get the pointer to DTLS_con class used for connection + /// + /// structure to get connection from + /// DTLS_con object + public static DTLS_con get_dtls_fd(IntPtr ssl) + { + try + { + IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + return (DTLS_con)gch.Target; + } + return null; + } + catch (Exception e) + { + log(1, "wolfssl get_dtls_fd error " + e.ToString()); + return null; + } + } + + + /// + /// Get available cipher suites + /// + /// list to fill with cipher suite names + /// size of list available to fill + /// 1 on success + public static int get_ciphers(StringBuilder list, int sz) + { + try + { + return wolfSSL_get_ciphers(list, sz); + } + catch (Exception e) + { + log(1, "wolfssl get_ciphers error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Initialize wolfSSL library + /// + /// 1 on success + public static int Init() + { + try + { + return wolfSSL_Init(); + } + catch (Exception e) + { + log(1, "wolfssl init error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Clean up wolfSSL library memory + /// + /// 1 on success + public static int Cleanup() + { + try + { + return wolfSSL_Cleanup(); + } + catch (Exception e) + { + log(1, "wolfssl cleanup error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set up TLS version 1.2 method + /// + /// pointer to TLSv1.2 method + public static IntPtr useTLSv1_2_server() + { + try + { + return wolfTLSv1_2_server_method(); + } + catch (Exception e) + { + log(1, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Use any TLS version + /// + /// pointer to method + public static IntPtr usev23_server() + { + try + { + return wolfSSLv23_server_method(); + } + catch (Exception e) + { + log(1, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Set up TLS version 1.2 method + /// + /// pointer to TLSv1.2 method + public static IntPtr useTLSv1_2_client() + { + try + { + return wolfTLSv1_2_client_method(); + } + catch (Exception e) + { + log(1, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Use any TLS version + /// + /// pointer to method + public static IntPtr usev23_client() + { + try + { + return wolfSSLv23_client_method(); + } + catch (Exception e) + { + log(1, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Set up DTLS version 1.2 + /// + /// pointer to DTLSv1.2 method + public static IntPtr useDTLSv1_2_server() + { + try + { + return wolfDTLSv1_2_server_method(); + } + catch (Exception e) + { + log(1, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Set up DTLS version 1.2 + /// + /// pointer to DTLSv1.2 method + public static IntPtr useDTLSv1_2_client() + { + try + { + return wolfDTLSv1_2_client_method(); + } + catch (Exception e) + { + log(1, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Gets the current cipher suite being used in connection + /// + /// SSL struct to get cipher suite from + /// string containing current cipher suite + public static string get_current_cipher(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return null; + try + { + IntPtr ssl_cipher; + IntPtr ssl_cipher_ptr; + string ssl_cipher_str; + + ssl_cipher = wolfSSL_get_current_cipher(ssl); + ssl_cipher_ptr = wolfSSL_CIPHER_get_name(ssl_cipher); + ssl_cipher_str = Marshal.PtrToStringAnsi(ssl_cipher_ptr); + + return ssl_cipher_str; + } + catch (Exception e) + { + log(1, "wolfssl get current cipher error " + e.ToString()); + return null; + } + } + + + /// + /// Set avialable cipher suites for all ssl structs created from ctx + /// + /// CTX structure to set + /// List full of ciphers suites + /// 1 on success + public static int CTX_set_cipher_list(IntPtr ctx, StringBuilder list) + { + try + { + return wolfSSL_CTX_set_cipher_list(ctx, list); + } + catch (Exception e) + { + log(1, "wolfssl ctx set cipher list error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set available cipher suite in local connection + /// + /// Structure to set cipher suite in + /// List of cipher suites + /// 1 on success + public static int set_cipher_list(IntPtr ssl, StringBuilder list) + { + try + { + return wolfSSL_set_cipher_list(ssl, list); + } + catch (Exception e) + { + log(1, "wolfssl set cipher error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Gets the version of the connection made ie TLSv1.2 + /// + /// SSL struct to get version of + /// string containing version + public static string get_version(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return null; + + try + { + IntPtr version_ptr; + string version; + + version_ptr = wolfSSL_get_version(ssl); + version = Marshal.PtrToStringAnsi(version_ptr); + + return version; + } + catch (Exception e) + { + log(1, "wolfssl get version error " + e.ToString()); + return null; + } + } + + + /// + /// Get a string containing error value and reason + /// + /// SSL struct that had error + /// String containing error value and reason + public static string get_error(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return null; + + try + { + int err; + StringBuilder err_name; + StringBuilder ret; + + /* wolfSSL max error length is 80 */ + ret = new StringBuilder(' ', 100); + err = wolfSSL_get_error(ssl, 0); + err_name = new StringBuilder(' ', 80); + wolfSSL_ERR_error_string(err, err_name); + ret.Append("Error " + err + " " + err_name); + + return ret.ToString(); + } + catch (Exception e) + { + log(1, "wolfssl get error, error " + e.ToString()); + return null; + } + } + + + /// + /// Used to load in the certificate file + /// + /// CTX structure for TLS/SSL connections + /// Name of the file to load including absolute path + /// Type of file ie PEM or DER + /// 1 on success + public static int CTX_use_certificate_file(IntPtr ctx, string fileCert, int type) + { + try + { + return wolfSSL_CTX_use_certificate_file(ctx, fileCert, type); + } + catch (Exception e) + { + log(1, "wolfssl ctx use cert file error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Used to load in the private key from a file + /// + /// CTX structure for TLS/SSL connections + /// Name of the file, includeing absolute directory + /// Type of file ie PEM or DER + /// 1 on succes + public static int CTX_use_PrivateKey_file(IntPtr ctx, string fileKey, int type) + { + try + { + return wolfSSL_CTX_use_PrivateKey_file(ctx, fileKey, type); + } + catch (Exception e) + { + log(1, "wolfssl ctx use key file error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set temporary DH parameters + /// + /// Structure to set in + /// file name + /// type of file ie PEM + /// 1 on success + public static int SetTmpDH_file(IntPtr ssl, StringBuilder dhparam, int file_type) + { + try + { + return wolfSSL_SetTmpDH_file(ssl, dhparam, file_type); + } + catch (Exception e) + { + log(1, "wolfssl set tmp dh file error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Used to set the minimum size of DH key + /// + /// Structure to store key size + /// Min key size + /// 1 on success + public static int CTX_SetMinDhKey_Sz(IntPtr ctx, short minDhKey) + { + try + { + return wolfSSL_CTX_SetMinDhKey_Sz(ctx, minDhKey); + } + catch (Exception e) + { + log(1, "wolfssl ctx set min dh key error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set the function to use for logging + /// + /// Function that conforms as to loggingCb + /// 1 on success + public static int SetLogging(loggingCb input) + { + internal_log = input; + return SUCCESS; + } + + + /// + /// Log a message to set logging function + /// + /// Level of log message + /// Message to log + public static void log(int lvl, string msg) + { + /* if log is not set then pring nothing */ + if (internal_log == null) + return; + StringBuilder ptr = new StringBuilder(msg); + internal_log(lvl, ptr); + } + } +} diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj new file mode 100755 index 000000000..7cc8fc8b3 --- /dev/null +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj @@ -0,0 +1,80 @@ + + + + + Debug + AnyCPU + {52609808-0418-46D3-8E17-141927A1A39A} + Library + Properties + wolfSSL.CSharp + wolfSSL_CSharp + v4.5 + 512 + + + true + full + false + ..\DLL Debug\ + DEBUG;TRACE + prompt + 3 + + + pdbonly + true + ..\DLL Release\ + TRACE + prompt + 4 + + + true + ..\x64\DLL Debug\ + DEBUG;TRACE + 3 + full + x64 + prompt + MinimumRecommendedRules.ruleset + + + ..\x64\DLL Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + + + + + + + + + + + + + + + + + + + + xcopy "$(ProjectDir)..\..\..\certs\server-key.pem" "$(TargetDir)" /Y /R +xcopy "$(ProjectDir)..\..\..\certs\server-cert.pem" "$(TargetDir)" /Y /R +xcopy "$(ProjectDir)..\..\..\certs\dh2048.pem" "$(TargetDir)" /Y /R + + + \ No newline at end of file diff --git a/wrapper/include.am b/wrapper/include.am new file mode 100644 index 000000000..2b3f26e2a --- /dev/null +++ b/wrapper/include.am @@ -0,0 +1,26 @@ + +# wolfSSL CSharp wrapper files +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/App.config +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/App.config +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/App.config +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/App.config +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj +EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp.sln +EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.resx +EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj From 39d6992759628f1273d32b0376d24c64fdd81db0 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 20 Nov 2015 09:59:08 -0700 Subject: [PATCH 070/177] logging levels added --- wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs | 2368 +++++++++++----------- 1 file changed, 1187 insertions(+), 1181 deletions(-) diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs index c384be2d1..98cdef6c9 100755 --- a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs @@ -1,1181 +1,1187 @@ -using System; -using System.Runtime.InteropServices; -using System.Text; -using System.Threading; -using System.IO; -using System.Net; -using System.Net.Sockets; - -namespace wolfSSL.CSharp { - public class wolfssl - { - private const string wolfssl_dll = "wolfssl.dll"; - - /******************************** - * Class for DTLS connections - */ - public class DTLS_con - { - public UdpClient udp; - public IPEndPoint ep; - } - - - /******************************** - * Init wolfSSL library - */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_Init(); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_Cleanup(); - - - /******************************** - * Methods of connection - */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfTLSv1_2_server_method(); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSLv23_server_method(); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfTLSv1_2_client_method(); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSLv23_client_method(); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfDTLSv1_2_server_method(); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfDTLSv1_2_client_method(); - - - /******************************** - * Call backs - */ - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int CallbackIORecv_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIORecv(IntPtr ctx, CallbackIORecv_delegate recv); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIOReadCtx(IntPtr ssl, IntPtr rctx); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_GetIOReadCtx(IntPtr ssl); - - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate int CallbackIOSend_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIOSend(IntPtr ctx, CallbackIOSend_delegate send); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIOWriteCtx(IntPtr ssl, IntPtr wctx); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_GetIOWriteCtx(IntPtr ssl); - - - /******************************** - * CTX structure - */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_CTX_new(IntPtr method); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_CTX_free(IntPtr ctx); - - - /******************************** - * PSK - */ - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate uint psk_delegate(IntPtr ssl, string identity, IntPtr key, uint max_sz); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder identity); - - - /******************************** - * SSL Structure - */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_new(IntPtr ctx); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_accept(IntPtr ssl); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_connect(IntPtr ssl); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_read(IntPtr ssl, StringBuilder buf, int sz); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_write(IntPtr ssl, StringBuilder buf, int sz); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_shutdown(IntPtr ssl); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_free(IntPtr ssl); - - - /******************************** - * Cipher lists - */ - /* only supports full name from cipher_name[] delimited by : */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_set_cipher_list(IntPtr ctx, StringBuilder ciphers); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_set_cipher_list(IntPtr ssl, StringBuilder ciphers); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_get_ciphers(StringBuilder ciphers, int sz); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_cipher(IntPtr ssl); - [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_CIPHER_get_name(IntPtr cipher); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_current_cipher(IntPtr ssl); - [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_version(IntPtr ssl); - [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_cipher_list(IntPtr ssl); - - - /******************************** - * Error logging - */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_ERR_error_string(int err, StringBuilder errOut); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_get_error(IntPtr ssl, int err); - [UnmanagedFunctionPointer(CallingConvention.Cdecl)] - public delegate void loggingCb(int lvl, StringBuilder msg); - private static loggingCb internal_log; - - - /******************************** - * DH - */ - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_SetMinDhKey_Sz(IntPtr ctx, short size); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetTmpDH_file(IntPtr ssl, StringBuilder dhParam, int type); - - - /******************************** - * Enum types from wolfSSL library - */ - public static readonly int SSL_FILETYPE_PEM = 1; - public static readonly int SSL_FILETYPE_ASN1= 2; - public static readonly int SSL_FILETYPE_RAW = 3; - public static readonly int CBIO_ERR_GENERAL = -1; - public static readonly int CBIO_ERR_WANT_READ = -2; - public static readonly int CBIO_ERR_WANT_WRITE = -2; - public static readonly int CBIO_ERR_CONN_RST = -3; - public static readonly int CBIO_ERR_ISR = -4; - public static readonly int CBIO_ERR_CONN_CLOSE = -5; - public static readonly int CBIO_ERR_TIMEOUT = -6; - - public static readonly int SUCCESS = 1; - public static readonly int FAILURE = 0; - - - /// - /// Call back to allow recieving TLS information - /// - /// structure of ssl passed in - /// buffer to contain recieved msg - /// size of buffer - /// optional information passed in - /// size of message recieved - private static int wolfSSLCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) - { - if (sz <= 0) - { - log(1, "wolfssl recieve error, size less than 0"); - return wolfssl.CBIO_ERR_GENERAL; - } - - int amtRecv = 0; - - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - Socket con = (System.Net.Sockets.Socket)gch.Target; - - try - { - Byte[] msg = new Byte[sz]; - amtRecv = con.Receive(msg, msg.Length, 0); - Marshal.Copy(msg, 0, buf, sz); - } - catch (Exception e) - { - log(1, "Error in recive " + e.ToString()); - return wolfssl.CBIO_ERR_CONN_CLOSE; - } - - return amtRecv; - } - - - /// - /// Call back used for sending TLS information - /// - /// pointer to ssl struct - /// buffer containing information to send - /// size of buffer to send - /// optional information - /// amount of information sent - private static int wolfSSLCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) - { - if (sz <= 0) - { - log(1, "wolfssl send error, size less than 0"); - return wolfssl.CBIO_ERR_GENERAL; - } - - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - - Socket con = (System.Net.Sockets.Socket)gch.Target; - - Byte[] msg = new Byte[sz]; - - Marshal.Copy(buf, msg, 0, sz); - try - { - con.Send(msg, 0, msg.Length, SocketFlags.None); - return sz; - } - catch (Exception e) - { - log(1, "socket connection issue "+ e.ToString()); - return wolfssl.CBIO_ERR_CONN_CLOSE; - } - } - - - /// - /// Call back used for sending DTLS information - /// - /// pointer to ssl struct - /// buffer containing information to send - /// size of buffer to send - /// optional information - /// amount of information sent - private static int wolfSSL_dtlsCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) - { - if (sz <= 0) - { - log(1, "wolfssl dtls send error, size less than 0"); - return wolfssl.CBIO_ERR_GENERAL; - } - - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - - DTLS_con con = (DTLS_con)gch.Target; - - Byte[] msg = new Byte[sz]; - - Marshal.Copy(buf, msg, 0, sz); - try - { - con.udp.Send(msg, msg.Length, con.ep); - return msg.Length; - } - catch (Exception e) - { - log(1, "socket connection issue " + e.ToString()); - return wolfssl.CBIO_ERR_CONN_CLOSE; - } - } - - - /// - /// Call back to allow recieving DTLS information - /// - /// structure of ssl passed in - /// buffer to contain recieved msg - /// size of buffer - /// optional information passed in - /// size of message recieved - private static int wolfSSL_dtlsCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) - { - - if (sz <= 0) - { - log(1, "wolfssl dtls recieve error, size less than 0"); - return wolfssl.CBIO_ERR_GENERAL; - } - - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - DTLS_con con = (DTLS_con)gch.Target; - - Byte[] msg = new Byte[sz]; - try - { - msg = con.udp.Receive(ref con.ep); - } - catch (Exception e) - { - /* issue with receive or size of buffer */ - log(1, "socket read issue "+ e.ToString()); - return wolfssl.CBIO_ERR_CONN_CLOSE; - } - - Marshal.Copy(msg, 0, buf, msg.Length); - - return msg.Length; - } - - - /// - /// Create a new ssl structure - /// - /// structure to create ssl structure from - /// pointer to ssl structure - public static IntPtr new_ssl(IntPtr ctx) - { - try - { - return wolfSSL_new(ctx); - } - catch (Exception e) - { - log(1, e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Used for a server to accept a connection - /// - /// structure containing info for connection - /// 1 on success - public static int accept(IntPtr ssl) - { - if (ssl == IntPtr.Zero) - return FAILURE; - try - { - return wolfSSL_accept(ssl); - } - catch (Exception e) - { - log(1, "accept error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Used for a client to connect - /// - /// structure containing connection info - /// 1 on success - public static int connect(IntPtr ssl) - { - if (ssl == IntPtr.Zero) - return FAILURE; - try - { - return wolfSSL_connect(ssl); - } - catch (Exception e) - { - log(1, "connect error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Read message from secure connection - /// - /// structure containing info about connection - /// object to hold incoming message - /// size of available memory in buf - /// amount of data read on success - public static int read(IntPtr ssl, StringBuilder buf, int sz) - { - if (ssl == IntPtr.Zero) - return FAILURE; - try - { - return wolfSSL_read(ssl, buf, sz); - } - catch (Exception e) - { - log(1, "wolfssl read error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Write message to secure connection - /// - /// structure containing connection info - /// message to send - /// size of the message - /// amount sent on success - public static int write(IntPtr ssl, StringBuilder buf, int sz) - { - if (ssl == IntPtr.Zero) - return FAILURE; - try - { - return wolfSSL_write(ssl, buf, sz); - } - catch (Exception e) - { - log(1, "wolfssl write error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Free information stored in ssl struct - /// - /// pointer to ssl struct to free - public static void free(IntPtr ssl) - { - try - { - /* free the handle for the socket */ - IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); - if (ptr != IntPtr.Zero) - { - GCHandle gch = GCHandle.FromIntPtr(ptr); - gch.Free(); - } - ptr = wolfSSL_GetIOWriteCtx(ssl); - if (ptr != IntPtr.Zero) - { - GCHandle gch = GCHandle.FromIntPtr(ptr); - gch.Free(); - } - wolfSSL_free(ssl); - } - catch (Exception e) - { - log(1, "wolfssl free error " + e.ToString()); - } - } - - - /// - /// Shutdown a connection - /// - /// pointer to ssl struct to close connection of - /// 1 on success - public static int shutdown(IntPtr ssl) - { - if (ssl == IntPtr.Zero) - return FAILURE; - try - { - return wolfSSL_shutdown(ssl); - } - catch (Exception e) - { - log(1, "wolfssl shutdwon error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Optional, can be used to set a custom recieve function - /// - /// structure to set recieve function in - /// function to use when reading socket - public static void SetIORecv(IntPtr ctx, CallbackIORecv_delegate func) - { - try - { - wolfSSL_SetIORecv(ctx, func); - } - catch (Exception e) - { - log(1, "wolfssl setIORecv error " + e.ToString()); - } - } - - - /// - /// Optional, can be used to set a custom send function - /// - /// structure to set function in - /// function to use when sending data - public static void SetIOSend(IntPtr ctx, CallbackIOSend_delegate func) - { - try - { - wolfSSL_SetIOSend(ctx, func); - } - catch (Exception e) - { - log(1, "wolfssl setIOSend error " + e.ToString()); - } - } - - - /// - /// Create a new CTX structure - /// - /// method to use such as TLSv1.2 - /// pointer to CTX structure - public static IntPtr CTX_new(IntPtr method) - { - try - { - IntPtr ctx = wolfSSL_CTX_new(method); - if (ctx == IntPtr.Zero) - return ctx; - - CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSLCbIORecv); - wolfSSL_SetIORecv(ctx, recv); - - CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSLCbIOSend); - wolfSSL_SetIOSend(ctx, send); - - return ctx; - } - catch (Exception e) - { - log(1, "ctx_new error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Create a new CTX structure for a DTLS connection - /// - /// Method to use in connection ie DTLSv1.2 - /// - public static IntPtr CTX_dtls_new(IntPtr method) - { - try - { - IntPtr ctx = wolfSSL_CTX_new(method); - if (ctx == IntPtr.Zero) - return ctx; - - CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSL_dtlsCbIORecv); - wolfSSL_SetIORecv(ctx, recv); - - CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSL_dtlsCbIOSend); - wolfSSL_SetIOSend(ctx, send); - - return ctx; - } - catch (Exception e) - { - log(1, "ctx_dtls_new error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Free information used in CTX structure - /// - /// structure to free - public static void CTX_free(IntPtr ctx) - { - try - { - wolfSSL_CTX_free(ctx); - } - catch (Exception e) - { - log(1, "wolfssl ctx free error " + e.ToString()); - } - } - - - /// - /// Set identity hint to use - /// - /// pointer to structure of ctx to set hint in - /// hint to use - /// 1 on success - public static int CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder hint) - { - try - { - return wolfSSL_CTX_use_psk_identity_hint(ctx, hint); - } - catch (Exception e) - { - log(1, "wolfssl psk identity hint error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Set the function to use for PSK connections - /// - /// pointer to CTX that the function is set in - /// PSK function to use - public static void CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb) - { - try - { - wolfSSL_CTX_set_psk_server_callback(ctx, psk_cb); - } - catch (Exception e) - { - log(1, "wolfssl psk server callback error " + e.ToString()); - } - } - - - /// - /// Set the function to use for PSK connections on a single TLS/DTLS connection - /// - /// pointer to SSL that the function is set in - /// PSK function to use - public static void set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb) - { - try - { - wolfSSL_set_psk_server_callback(ssl, psk_cb); - } - catch (Exception e) - { - log(1, "wolfssl psk server callback error " + e.ToString()); - } - } - - - /// - /// Set Socket for TLS connection - /// - /// structure to set Socket in - /// Socket to use - /// 1 on success - public static int set_fd(IntPtr ssl, Socket fd) - { - /* sanity check on inputs */ - if (ssl == IntPtr.Zero) - { - return FAILURE; - } - - try - { - if (!fd.Equals(null)) - { - IntPtr ptr = GCHandle.ToIntPtr(GCHandle.Alloc(fd)); - wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to - wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from - } - } - catch (Exception e) - { - log(1, "Error setting up fd!! " + e.ToString()); - return FAILURE; - } - - return 1; - } - - - /// - /// Get socket of a TLS connection - /// - /// structure to get socket from - /// Socket object used for connection - public static Socket get_fd(IntPtr ssl) - { - try - { - IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); - if (ptr != IntPtr.Zero) - { - GCHandle gch = GCHandle.FromIntPtr(ptr); - return (System.Net.Sockets.Socket)gch.Target; - } - return null; - } - catch (Exception e) - { - log(1, "wolfssl get_fd error " + e.ToString()); - return null; - } - } - - - - /// - /// Set information needed to send and receive a DTLS connection - /// - /// structure to set information in - /// UDP object to send and receive - /// End point of connection - /// 1 on success - public static int set_dtls_fd(IntPtr ssl, UdpClient udp, IPEndPoint ep) - { - IntPtr ptr; - DTLS_con con; - - /* sanity check on inputs */ - if (ssl == IntPtr.Zero) - { - return FAILURE; - } - - try - { - if (!udp.Equals(null) && !ep.Equals(null)) - { - con = new DTLS_con(); - con.udp = udp; - con.ep = ep; - ptr = GCHandle.ToIntPtr(GCHandle.Alloc(con)); - wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to - wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from - } - } - catch (Exception e) - { - log(1, "Error setting up fd!! " + e.ToString()); - return FAILURE; - } - - return 1; - } - - - /// - /// Get the pointer to DTLS_con class used for connection - /// - /// structure to get connection from - /// DTLS_con object - public static DTLS_con get_dtls_fd(IntPtr ssl) - { - try - { - IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); - if (ptr != IntPtr.Zero) - { - GCHandle gch = GCHandle.FromIntPtr(ptr); - return (DTLS_con)gch.Target; - } - return null; - } - catch (Exception e) - { - log(1, "wolfssl get_dtls_fd error " + e.ToString()); - return null; - } - } - - - /// - /// Get available cipher suites - /// - /// list to fill with cipher suite names - /// size of list available to fill - /// 1 on success - public static int get_ciphers(StringBuilder list, int sz) - { - try - { - return wolfSSL_get_ciphers(list, sz); - } - catch (Exception e) - { - log(1, "wolfssl get_ciphers error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Initialize wolfSSL library - /// - /// 1 on success - public static int Init() - { - try - { - return wolfSSL_Init(); - } - catch (Exception e) - { - log(1, "wolfssl init error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Clean up wolfSSL library memory - /// - /// 1 on success - public static int Cleanup() - { - try - { - return wolfSSL_Cleanup(); - } - catch (Exception e) - { - log(1, "wolfssl cleanup error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Set up TLS version 1.2 method - /// - /// pointer to TLSv1.2 method - public static IntPtr useTLSv1_2_server() - { - try - { - return wolfTLSv1_2_server_method(); - } - catch (Exception e) - { - log(1, "wolfssl error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Use any TLS version - /// - /// pointer to method - public static IntPtr usev23_server() - { - try - { - return wolfSSLv23_server_method(); - } - catch (Exception e) - { - log(1, "wolfssl error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Set up TLS version 1.2 method - /// - /// pointer to TLSv1.2 method - public static IntPtr useTLSv1_2_client() - { - try - { - return wolfTLSv1_2_client_method(); - } - catch (Exception e) - { - log(1, "wolfssl error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Use any TLS version - /// - /// pointer to method - public static IntPtr usev23_client() - { - try - { - return wolfSSLv23_client_method(); - } - catch (Exception e) - { - log(1, "wolfssl error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Set up DTLS version 1.2 - /// - /// pointer to DTLSv1.2 method - public static IntPtr useDTLSv1_2_server() - { - try - { - return wolfDTLSv1_2_server_method(); - } - catch (Exception e) - { - log(1, "wolfssl error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Set up DTLS version 1.2 - /// - /// pointer to DTLSv1.2 method - public static IntPtr useDTLSv1_2_client() - { - try - { - return wolfDTLSv1_2_client_method(); - } - catch (Exception e) - { - log(1, "wolfssl error " + e.ToString()); - return IntPtr.Zero; - } - } - - - /// - /// Gets the current cipher suite being used in connection - /// - /// SSL struct to get cipher suite from - /// string containing current cipher suite - public static string get_current_cipher(IntPtr ssl) - { - if (ssl == IntPtr.Zero) - return null; - try - { - IntPtr ssl_cipher; - IntPtr ssl_cipher_ptr; - string ssl_cipher_str; - - ssl_cipher = wolfSSL_get_current_cipher(ssl); - ssl_cipher_ptr = wolfSSL_CIPHER_get_name(ssl_cipher); - ssl_cipher_str = Marshal.PtrToStringAnsi(ssl_cipher_ptr); - - return ssl_cipher_str; - } - catch (Exception e) - { - log(1, "wolfssl get current cipher error " + e.ToString()); - return null; - } - } - - - /// - /// Set avialable cipher suites for all ssl structs created from ctx - /// - /// CTX structure to set - /// List full of ciphers suites - /// 1 on success - public static int CTX_set_cipher_list(IntPtr ctx, StringBuilder list) - { - try - { - return wolfSSL_CTX_set_cipher_list(ctx, list); - } - catch (Exception e) - { - log(1, "wolfssl ctx set cipher list error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Set available cipher suite in local connection - /// - /// Structure to set cipher suite in - /// List of cipher suites - /// 1 on success - public static int set_cipher_list(IntPtr ssl, StringBuilder list) - { - try - { - return wolfSSL_set_cipher_list(ssl, list); - } - catch (Exception e) - { - log(1, "wolfssl set cipher error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Gets the version of the connection made ie TLSv1.2 - /// - /// SSL struct to get version of - /// string containing version - public static string get_version(IntPtr ssl) - { - if (ssl == IntPtr.Zero) - return null; - - try - { - IntPtr version_ptr; - string version; - - version_ptr = wolfSSL_get_version(ssl); - version = Marshal.PtrToStringAnsi(version_ptr); - - return version; - } - catch (Exception e) - { - log(1, "wolfssl get version error " + e.ToString()); - return null; - } - } - - - /// - /// Get a string containing error value and reason - /// - /// SSL struct that had error - /// String containing error value and reason - public static string get_error(IntPtr ssl) - { - if (ssl == IntPtr.Zero) - return null; - - try - { - int err; - StringBuilder err_name; - StringBuilder ret; - - /* wolfSSL max error length is 80 */ - ret = new StringBuilder(' ', 100); - err = wolfSSL_get_error(ssl, 0); - err_name = new StringBuilder(' ', 80); - wolfSSL_ERR_error_string(err, err_name); - ret.Append("Error " + err + " " + err_name); - - return ret.ToString(); - } - catch (Exception e) - { - log(1, "wolfssl get error, error " + e.ToString()); - return null; - } - } - - - /// - /// Used to load in the certificate file - /// - /// CTX structure for TLS/SSL connections - /// Name of the file to load including absolute path - /// Type of file ie PEM or DER - /// 1 on success - public static int CTX_use_certificate_file(IntPtr ctx, string fileCert, int type) - { - try - { - return wolfSSL_CTX_use_certificate_file(ctx, fileCert, type); - } - catch (Exception e) - { - log(1, "wolfssl ctx use cert file error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Used to load in the private key from a file - /// - /// CTX structure for TLS/SSL connections - /// Name of the file, includeing absolute directory - /// Type of file ie PEM or DER - /// 1 on succes - public static int CTX_use_PrivateKey_file(IntPtr ctx, string fileKey, int type) - { - try - { - return wolfSSL_CTX_use_PrivateKey_file(ctx, fileKey, type); - } - catch (Exception e) - { - log(1, "wolfssl ctx use key file error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Set temporary DH parameters - /// - /// Structure to set in - /// file name - /// type of file ie PEM - /// 1 on success - public static int SetTmpDH_file(IntPtr ssl, StringBuilder dhparam, int file_type) - { - try - { - return wolfSSL_SetTmpDH_file(ssl, dhparam, file_type); - } - catch (Exception e) - { - log(1, "wolfssl set tmp dh file error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Used to set the minimum size of DH key - /// - /// Structure to store key size - /// Min key size - /// 1 on success - public static int CTX_SetMinDhKey_Sz(IntPtr ctx, short minDhKey) - { - try - { - return wolfSSL_CTX_SetMinDhKey_Sz(ctx, minDhKey); - } - catch (Exception e) - { - log(1, "wolfssl ctx set min dh key error " + e.ToString()); - return FAILURE; - } - } - - - /// - /// Set the function to use for logging - /// - /// Function that conforms as to loggingCb - /// 1 on success - public static int SetLogging(loggingCb input) - { - internal_log = input; - return SUCCESS; - } - - - /// - /// Log a message to set logging function - /// - /// Level of log message - /// Message to log - public static void log(int lvl, string msg) - { - /* if log is not set then pring nothing */ - if (internal_log == null) - return; - StringBuilder ptr = new StringBuilder(msg); - internal_log(lvl, ptr); - } - } -} +using System; +using System.Runtime.InteropServices; +using System.Text; +using System.Threading; +using System.IO; +using System.Net; +using System.Net.Sockets; + +namespace wolfSSL.CSharp { + public class wolfssl + { + private const string wolfssl_dll = "wolfssl.dll"; + + /******************************** + * Class for DTLS connections + */ + public class DTLS_con + { + public UdpClient udp; + public IPEndPoint ep; + } + + + /******************************** + * Init wolfSSL library + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_Init(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_Cleanup(); + + + /******************************** + * Methods of connection + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfTLSv1_2_server_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSLv23_server_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfTLSv1_2_client_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSLv23_client_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfDTLSv1_2_server_method(); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfDTLSv1_2_client_method(); + + + /******************************** + * Call backs + */ + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate int CallbackIORecv_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIORecv(IntPtr ctx, CallbackIORecv_delegate recv); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIOReadCtx(IntPtr ssl, IntPtr rctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_GetIOReadCtx(IntPtr ssl); + + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate int CallbackIOSend_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIOSend(IntPtr ctx, CallbackIOSend_delegate send); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetIOWriteCtx(IntPtr ssl, IntPtr wctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_GetIOWriteCtx(IntPtr ssl); + + + /******************************** + * CTX structure + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_CTX_new(IntPtr method); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_CTX_free(IntPtr ctx); + + + /******************************** + * PSK + */ + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate uint psk_delegate(IntPtr ssl, string identity, IntPtr key, uint max_sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder identity); + + + /******************************** + * SSL Structure + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_new(IntPtr ctx); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_accept(IntPtr ssl); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_connect(IntPtr ssl); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_read(IntPtr ssl, StringBuilder buf, int sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_write(IntPtr ssl, StringBuilder buf, int sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_shutdown(IntPtr ssl); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static void wolfSSL_free(IntPtr ssl); + + + /******************************** + * Cipher lists + */ + /* only supports full name from cipher_name[] delimited by : */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_set_cipher_list(IntPtr ctx, StringBuilder ciphers); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_set_cipher_list(IntPtr ssl, StringBuilder ciphers); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_get_ciphers(StringBuilder ciphers, int sz); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_cipher(IntPtr ssl); + [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_CIPHER_get_name(IntPtr cipher); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_current_cipher(IntPtr ssl); + [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_version(IntPtr ssl); + [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_get_cipher_list(IntPtr ssl); + + + /******************************** + * Error logging + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static IntPtr wolfSSL_ERR_error_string(int err, StringBuilder errOut); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_get_error(IntPtr ssl, int err); + [UnmanagedFunctionPointer(CallingConvention.Cdecl)] + public delegate void loggingCb(int lvl, StringBuilder msg); + private static loggingCb internal_log; + + + /******************************** + * DH + */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_CTX_SetMinDhKey_Sz(IntPtr ctx, short size); + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] + public extern static int wolfSSL_SetTmpDH_file(IntPtr ssl, StringBuilder dhParam, int type); + + + /******************************** + * Enum types from wolfSSL library + */ + public static readonly int SSL_FILETYPE_PEM = 1; + public static readonly int SSL_FILETYPE_ASN1= 2; + public static readonly int SSL_FILETYPE_RAW = 3; + public static readonly int CBIO_ERR_GENERAL = -1; + public static readonly int CBIO_ERR_WANT_READ = -2; + public static readonly int CBIO_ERR_WANT_WRITE = -2; + public static readonly int CBIO_ERR_CONN_RST = -3; + public static readonly int CBIO_ERR_ISR = -4; + public static readonly int CBIO_ERR_CONN_CLOSE = -5; + public static readonly int CBIO_ERR_TIMEOUT = -6; + + public static readonly int ERROR_LOG = 0; + public static readonly int INFO_LOG = 1; + public static readonly int ENTER_LOG = 2; + public static readonly int LEAVE_LOG = 3; + public static readonly int OTHER_LOG = 4; + + public static readonly int SUCCESS = 1; + public static readonly int FAILURE = 0; + + + /// + /// Call back to allow recieving TLS information + /// + /// structure of ssl passed in + /// buffer to contain recieved msg + /// size of buffer + /// optional information passed in + /// size of message recieved + private static int wolfSSLCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + log(ERROR_LOG, "wolfssl recieve error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + int amtRecv = 0; + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + Socket con = (System.Net.Sockets.Socket)gch.Target; + + try + { + Byte[] msg = new Byte[sz]; + amtRecv = con.Receive(msg, msg.Length, 0); + Marshal.Copy(msg, 0, buf, sz); + } + catch (Exception e) + { + log(1, "Error in recive " + e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + + return amtRecv; + } + + + /// + /// Call back used for sending TLS information + /// + /// pointer to ssl struct + /// buffer containing information to send + /// size of buffer to send + /// optional information + /// amount of information sent + private static int wolfSSLCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + log(ERROR_LOG, "wolfssl send error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + + Socket con = (System.Net.Sockets.Socket)gch.Target; + + Byte[] msg = new Byte[sz]; + + Marshal.Copy(buf, msg, 0, sz); + try + { + con.Send(msg, 0, msg.Length, SocketFlags.None); + return sz; + } + catch (Exception e) + { + log(ERROR_LOG, "socket connection issue "+ e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + } + + + /// + /// Call back used for sending DTLS information + /// + /// pointer to ssl struct + /// buffer containing information to send + /// size of buffer to send + /// optional information + /// amount of information sent + private static int wolfSSL_dtlsCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + log(ERROR_LOG, "wolfssl dtls send error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + + DTLS_con con = (DTLS_con)gch.Target; + + Byte[] msg = new Byte[sz]; + + Marshal.Copy(buf, msg, 0, sz); + try + { + con.udp.Send(msg, msg.Length, con.ep); + return msg.Length; + } + catch (Exception e) + { + log(ERROR_LOG, "socket connection issue " + e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + } + + + /// + /// Call back to allow recieving DTLS information + /// + /// structure of ssl passed in + /// buffer to contain recieved msg + /// size of buffer + /// optional information passed in + /// size of message recieved + private static int wolfSSL_dtlsCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + + if (sz <= 0) + { + log(ERROR_LOG, "wolfssl dtls recieve error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + DTLS_con con = (DTLS_con)gch.Target; + + Byte[] msg = new Byte[sz]; + try + { + msg = con.udp.Receive(ref con.ep); + } + catch (Exception e) + { + /* issue with receive or size of buffer */ + log(ERROR_LOG, "socket read issue "+ e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + + Marshal.Copy(msg, 0, buf, msg.Length); + + return msg.Length; + } + + + /// + /// Create a new ssl structure + /// + /// structure to create ssl structure from + /// pointer to ssl structure + public static IntPtr new_ssl(IntPtr ctx) + { + try + { + return wolfSSL_new(ctx); + } + catch (Exception e) + { + log(ERROR_LOG, e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Used for a server to accept a connection + /// + /// structure containing info for connection + /// 1 on success + public static int accept(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_accept(ssl); + } + catch (Exception e) + { + log(ERROR_LOG, "accept error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Used for a client to connect + /// + /// structure containing connection info + /// 1 on success + public static int connect(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_connect(ssl); + } + catch (Exception e) + { + log(ERROR_LOG, "connect error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Read message from secure connection + /// + /// structure containing info about connection + /// object to hold incoming message + /// size of available memory in buf + /// amount of data read on success + public static int read(IntPtr ssl, StringBuilder buf, int sz) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_read(ssl, buf, sz); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl read error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Write message to secure connection + /// + /// structure containing connection info + /// message to send + /// size of the message + /// amount sent on success + public static int write(IntPtr ssl, StringBuilder buf, int sz) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_write(ssl, buf, sz); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl write error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Free information stored in ssl struct + /// + /// pointer to ssl struct to free + public static void free(IntPtr ssl) + { + try + { + /* free the handle for the socket */ + IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + gch.Free(); + } + ptr = wolfSSL_GetIOWriteCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + gch.Free(); + } + wolfSSL_free(ssl); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl free error " + e.ToString()); + } + } + + + /// + /// Shutdown a connection + /// + /// pointer to ssl struct to close connection of + /// 1 on success + public static int shutdown(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return FAILURE; + try + { + return wolfSSL_shutdown(ssl); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl shutdwon error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Optional, can be used to set a custom recieve function + /// + /// structure to set recieve function in + /// function to use when reading socket + public static void SetIORecv(IntPtr ctx, CallbackIORecv_delegate func) + { + try + { + wolfSSL_SetIORecv(ctx, func); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl setIORecv error " + e.ToString()); + } + } + + + /// + /// Optional, can be used to set a custom send function + /// + /// structure to set function in + /// function to use when sending data + public static void SetIOSend(IntPtr ctx, CallbackIOSend_delegate func) + { + try + { + wolfSSL_SetIOSend(ctx, func); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl setIOSend error " + e.ToString()); + } + } + + + /// + /// Create a new CTX structure + /// + /// method to use such as TLSv1.2 + /// pointer to CTX structure + public static IntPtr CTX_new(IntPtr method) + { + try + { + IntPtr ctx = wolfSSL_CTX_new(method); + if (ctx == IntPtr.Zero) + return ctx; + + CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSLCbIORecv); + wolfSSL_SetIORecv(ctx, recv); + + CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSLCbIOSend); + wolfSSL_SetIOSend(ctx, send); + + return ctx; + } + catch (Exception e) + { + log(ERROR_LOG, "ctx_new error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Create a new CTX structure for a DTLS connection + /// + /// Method to use in connection ie DTLSv1.2 + /// + public static IntPtr CTX_dtls_new(IntPtr method) + { + try + { + IntPtr ctx = wolfSSL_CTX_new(method); + if (ctx == IntPtr.Zero) + return ctx; + + CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSL_dtlsCbIORecv); + wolfSSL_SetIORecv(ctx, recv); + + CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSL_dtlsCbIOSend); + wolfSSL_SetIOSend(ctx, send); + + return ctx; + } + catch (Exception e) + { + log(ERROR_LOG, "ctx_dtls_new error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Free information used in CTX structure + /// + /// structure to free + public static void CTX_free(IntPtr ctx) + { + try + { + wolfSSL_CTX_free(ctx); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl ctx free error " + e.ToString()); + } + } + + + /// + /// Set identity hint to use + /// + /// pointer to structure of ctx to set hint in + /// hint to use + /// 1 on success + public static int CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder hint) + { + try + { + return wolfSSL_CTX_use_psk_identity_hint(ctx, hint); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl psk identity hint error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set the function to use for PSK connections + /// + /// pointer to CTX that the function is set in + /// PSK function to use + public static void CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb) + { + try + { + wolfSSL_CTX_set_psk_server_callback(ctx, psk_cb); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl psk server callback error " + e.ToString()); + } + } + + + /// + /// Set the function to use for PSK connections on a single TLS/DTLS connection + /// + /// pointer to SSL that the function is set in + /// PSK function to use + public static void set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb) + { + try + { + wolfSSL_set_psk_server_callback(ssl, psk_cb); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl psk server callback error " + e.ToString()); + } + } + + + /// + /// Set Socket for TLS connection + /// + /// structure to set Socket in + /// Socket to use + /// 1 on success + public static int set_fd(IntPtr ssl, Socket fd) + { + /* sanity check on inputs */ + if (ssl == IntPtr.Zero) + { + return FAILURE; + } + + try + { + if (!fd.Equals(null)) + { + IntPtr ptr = GCHandle.ToIntPtr(GCHandle.Alloc(fd)); + wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to + wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from + } + } + catch (Exception e) + { + log(ERROR_LOG, "Error setting up fd!! " + e.ToString()); + return FAILURE; + } + + return 1; + } + + + /// + /// Get socket of a TLS connection + /// + /// structure to get socket from + /// Socket object used for connection + public static Socket get_fd(IntPtr ssl) + { + try + { + IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + return (System.Net.Sockets.Socket)gch.Target; + } + return null; + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl get_fd error " + e.ToString()); + return null; + } + } + + + + /// + /// Set information needed to send and receive a DTLS connection + /// + /// structure to set information in + /// UDP object to send and receive + /// End point of connection + /// 1 on success + public static int set_dtls_fd(IntPtr ssl, UdpClient udp, IPEndPoint ep) + { + IntPtr ptr; + DTLS_con con; + + /* sanity check on inputs */ + if (ssl == IntPtr.Zero) + { + return FAILURE; + } + + try + { + if (!udp.Equals(null) && !ep.Equals(null)) + { + con = new DTLS_con(); + con.udp = udp; + con.ep = ep; + ptr = GCHandle.ToIntPtr(GCHandle.Alloc(con)); + wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to + wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from + } + } + catch (Exception e) + { + log(ERROR_LOG, "Error setting up fd!! " + e.ToString()); + return FAILURE; + } + + return 1; + } + + + /// + /// Get the pointer to DTLS_con class used for connection + /// + /// structure to get connection from + /// DTLS_con object + public static DTLS_con get_dtls_fd(IntPtr ssl) + { + try + { + IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + if (ptr != IntPtr.Zero) + { + GCHandle gch = GCHandle.FromIntPtr(ptr); + return (DTLS_con)gch.Target; + } + return null; + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl get_dtls_fd error " + e.ToString()); + return null; + } + } + + + /// + /// Get available cipher suites + /// + /// list to fill with cipher suite names + /// size of list available to fill + /// 1 on success + public static int get_ciphers(StringBuilder list, int sz) + { + try + { + return wolfSSL_get_ciphers(list, sz); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl get_ciphers error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Initialize wolfSSL library + /// + /// 1 on success + public static int Init() + { + try + { + return wolfSSL_Init(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl init error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Clean up wolfSSL library memory + /// + /// 1 on success + public static int Cleanup() + { + try + { + return wolfSSL_Cleanup(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl cleanup error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set up TLS version 1.2 method + /// + /// pointer to TLSv1.2 method + public static IntPtr useTLSv1_2_server() + { + try + { + return wolfTLSv1_2_server_method(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Use any TLS version + /// + /// pointer to method + public static IntPtr usev23_server() + { + try + { + return wolfSSLv23_server_method(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Set up TLS version 1.2 method + /// + /// pointer to TLSv1.2 method + public static IntPtr useTLSv1_2_client() + { + try + { + return wolfTLSv1_2_client_method(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Use any TLS version + /// + /// pointer to method + public static IntPtr usev23_client() + { + try + { + return wolfSSLv23_client_method(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Set up DTLS version 1.2 + /// + /// pointer to DTLSv1.2 method + public static IntPtr useDTLSv1_2_server() + { + try + { + return wolfDTLSv1_2_server_method(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Set up DTLS version 1.2 + /// + /// pointer to DTLSv1.2 method + public static IntPtr useDTLSv1_2_client() + { + try + { + return wolfDTLSv1_2_client_method(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl error " + e.ToString()); + return IntPtr.Zero; + } + } + + + /// + /// Gets the current cipher suite being used in connection + /// + /// SSL struct to get cipher suite from + /// string containing current cipher suite + public static string get_current_cipher(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return null; + try + { + IntPtr ssl_cipher; + IntPtr ssl_cipher_ptr; + string ssl_cipher_str; + + ssl_cipher = wolfSSL_get_current_cipher(ssl); + ssl_cipher_ptr = wolfSSL_CIPHER_get_name(ssl_cipher); + ssl_cipher_str = Marshal.PtrToStringAnsi(ssl_cipher_ptr); + + return ssl_cipher_str; + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl get current cipher error " + e.ToString()); + return null; + } + } + + + /// + /// Set avialable cipher suites for all ssl structs created from ctx + /// + /// CTX structure to set + /// List full of ciphers suites + /// 1 on success + public static int CTX_set_cipher_list(IntPtr ctx, StringBuilder list) + { + try + { + return wolfSSL_CTX_set_cipher_list(ctx, list); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl ctx set cipher list error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set available cipher suite in local connection + /// + /// Structure to set cipher suite in + /// List of cipher suites + /// 1 on success + public static int set_cipher_list(IntPtr ssl, StringBuilder list) + { + try + { + return wolfSSL_set_cipher_list(ssl, list); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl set cipher error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Gets the version of the connection made ie TLSv1.2 + /// + /// SSL struct to get version of + /// string containing version + public static string get_version(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return null; + + try + { + IntPtr version_ptr; + string version; + + version_ptr = wolfSSL_get_version(ssl); + version = Marshal.PtrToStringAnsi(version_ptr); + + return version; + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl get version error " + e.ToString()); + return null; + } + } + + + /// + /// Get a string containing error value and reason + /// + /// SSL struct that had error + /// String containing error value and reason + public static string get_error(IntPtr ssl) + { + if (ssl == IntPtr.Zero) + return null; + + try + { + int err; + StringBuilder err_name; + StringBuilder ret; + + /* wolfSSL max error length is 80 */ + ret = new StringBuilder(' ', 100); + err = wolfSSL_get_error(ssl, 0); + err_name = new StringBuilder(' ', 80); + wolfSSL_ERR_error_string(err, err_name); + ret.Append("Error " + err + " " + err_name); + + return ret.ToString(); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl get error, error " + e.ToString()); + return null; + } + } + + + /// + /// Used to load in the certificate file + /// + /// CTX structure for TLS/SSL connections + /// Name of the file to load including absolute path + /// Type of file ie PEM or DER + /// 1 on success + public static int CTX_use_certificate_file(IntPtr ctx, string fileCert, int type) + { + try + { + return wolfSSL_CTX_use_certificate_file(ctx, fileCert, type); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl ctx use cert file error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Used to load in the private key from a file + /// + /// CTX structure for TLS/SSL connections + /// Name of the file, includeing absolute directory + /// Type of file ie PEM or DER + /// 1 on succes + public static int CTX_use_PrivateKey_file(IntPtr ctx, string fileKey, int type) + { + try + { + return wolfSSL_CTX_use_PrivateKey_file(ctx, fileKey, type); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl ctx use key file error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set temporary DH parameters + /// + /// Structure to set in + /// file name + /// type of file ie PEM + /// 1 on success + public static int SetTmpDH_file(IntPtr ssl, StringBuilder dhparam, int file_type) + { + try + { + return wolfSSL_SetTmpDH_file(ssl, dhparam, file_type); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl set tmp dh file error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Used to set the minimum size of DH key + /// + /// Structure to store key size + /// Min key size + /// 1 on success + public static int CTX_SetMinDhKey_Sz(IntPtr ctx, short minDhKey) + { + try + { + return wolfSSL_CTX_SetMinDhKey_Sz(ctx, minDhKey); + } + catch (Exception e) + { + log(ERROR_LOG, "wolfssl ctx set min dh key error " + e.ToString()); + return FAILURE; + } + } + + + /// + /// Set the function to use for logging + /// + /// Function that conforms as to loggingCb + /// 1 on success + public static int SetLogging(loggingCb input) + { + internal_log = input; + return SUCCESS; + } + + + /// + /// Log a message to set logging function + /// + /// Level of log message + /// Message to log + public static void log(int lvl, string msg) + { + /* if log is not set then pring nothing */ + if (internal_log == null) + return; + StringBuilder ptr = new StringBuilder(msg); + internal_log(lvl, ptr); + } + } +} From 7d13fe90172dbae02694a2845282f62c46396f13 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Fri, 20 Nov 2015 10:19:55 -0700 Subject: [PATCH 071/177] license heading --- .../wolfSSL-DTLS-PSK-Server.cs | 22 ++++++++++++++++++- .../wolfSSL-DTLS-Server.cs | 21 ++++++++++++++++++ .../wolfSSL-TLS-PSK-Server.cs | 20 +++++++++++++++++ .../wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs | 21 ++++++++++++++++++ wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs | 21 ++++++++++++++++++ 5 files changed, 104 insertions(+), 1 deletion(-) diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs index ecac02924..a55435d1a 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs @@ -1,4 +1,24 @@ - +/* wolfSSL-DTLS-PSK-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs index 1fb9d3bf8..c8de0acc9 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs @@ -1,3 +1,24 @@ +/* wolfSSL-DTLS-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; using System.Text; diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs index 64cc335f0..cedf0d457 100755 --- a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs @@ -1,3 +1,23 @@ +/* wolfSSL-TLS-PSK-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ using System; using System.Runtime.InteropServices; diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs index 190efe8c6..ba0ec939f 100755 --- a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs +++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs @@ -1,3 +1,24 @@ +/* wolfSSL-TLS-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; using System.Text; diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs index 98cdef6c9..7085005ec 100755 --- a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs @@ -1,3 +1,24 @@ +/* wolfSSL.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; using System.Text; From 85373f7b6e942fb78e92abea34ecb83eb2fa0b8b Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 20 Nov 2015 13:30:22 -0700 Subject: [PATCH 072/177] move SetTmpDH buffer functions out of NO_FILESYSTEM --- src/ssl.c | 178 ++++++++++++++++++++++++++++++------------------------ 1 file changed, 98 insertions(+), 80 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 2140041ab..2fba69bd6 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4329,85 +4329,6 @@ int wolfSSL_CTX_use_certificate_chain_file(WOLFSSL_CTX* ctx, const char* file) #ifndef NO_DH -/* server wrapper for ctx or ssl Diffie-Hellman parameters */ -static int wolfSSL_SetTmpDH_buffer_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, - const unsigned char* buf, - long sz, int format) -{ - buffer der; - int ret = 0; - int weOwnDer = 0; - word32 pSz = MAX_DH_SIZE; - word32 gSz = MAX_DH_SIZE; -#ifdef WOLFSSL_SMALL_STACK - byte* p = NULL; - byte* g = NULL; -#else - byte p[MAX_DH_SIZE]; - byte g[MAX_DH_SIZE]; -#endif - - der.buffer = (byte*)buf; - der.length = (word32)sz; - -#ifdef WOLFSSL_SMALL_STACK - p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - - if (p == NULL || g == NULL) { - XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return MEMORY_E; - } -#endif - - if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM) - ret = SSL_BAD_FILETYPE; - else { - if (format == SSL_FILETYPE_PEM) { - der.buffer = NULL; - ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, NULL,NULL); - weOwnDer = 1; - } - - if (ret == 0) { - if (wc_DhParamsLoad(der.buffer, der.length, p, &pSz, g, &gSz) < 0) - ret = SSL_BAD_FILETYPE; - else if (ssl) - ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz); - else - ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz); - } - } - - if (weOwnDer) - XFREE(der.buffer, ctx->heap, DYNAMIC_TYPE_KEY); - -#ifdef WOLFSSL_SMALL_STACK - XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif - - return ret; -} - - -/* server Diffie-Hellman parameters, SSL_SUCCESS on ok */ -int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* buf, long sz, - int format) -{ - return wolfSSL_SetTmpDH_buffer_wrapper(ssl->ctx, ssl, buf, sz, format); -} - - -/* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */ -int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf, - long sz, int format) -{ - return wolfSSL_SetTmpDH_buffer_wrapper(ctx, NULL, buf, sz, format); -} - - /* server Diffie-Hellman parameters */ static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, const char* fname, int format) @@ -4421,8 +4342,12 @@ static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, int dynamic = 0; int ret; long sz = 0; - XFILE file = XFOPEN(fname, "rb"); + XFILE file; + if (ctx == NULL || ssl == NULL || fname == NULL) + return BAD_FUNC_ARG; + + file = XFOPEN(fname, "rb"); if (file == XBADFILE) return SSL_BAD_FILE; XFSEEK(file, 0, XSEEK_END); sz = XFTELL(file); @@ -4461,6 +4386,9 @@ static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, /* server Diffie-Hellman parameters */ int wolfSSL_SetTmpDH_file(WOLFSSL* ssl, const char* fname, int format) { + if (ssl == NULL) + return BAD_FUNC_ARG; + return wolfSSL_SetTmpDH_file_wrapper(ssl->ctx, ssl, fname, format); } @@ -7277,6 +7205,96 @@ int wolfSSL_set_compression(WOLFSSL* ssl) NULL, 1); } + +#ifndef NO_DH + + /* server wrapper for ctx or ssl Diffie-Hellman parameters */ + static int wolfSSL_SetTmpDH_buffer_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, + const unsigned char* buf, + long sz, int format) + { + buffer der; + int ret = 0; + int weOwnDer = 0; + word32 pSz = MAX_DH_SIZE; + word32 gSz = MAX_DH_SIZE; + #ifdef WOLFSSL_SMALL_STACK + byte* p = NULL; + byte* g = NULL; + #else + byte p[MAX_DH_SIZE]; + byte g[MAX_DH_SIZE]; + #endif + + if (ctx == NULL || ssl == NULL || buf == NULL) + return BAD_FUNC_ARG; + + der.buffer = (byte*)buf; + der.length = (word32)sz; + + #ifdef WOLFSSL_SMALL_STACK + p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + g = (byte*)XMALLOC(gSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + if (p == NULL || g == NULL) { + XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER); + return MEMORY_E; + } + #endif + + if (format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM) + ret = SSL_BAD_FILETYPE; + else { + if (format == SSL_FILETYPE_PEM) { + der.buffer = NULL; + ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap, NULL,NULL); + weOwnDer = 1; + } + + if (ret == 0) { + if (wc_DhParamsLoad(der.buffer, der.length, p, &pSz, g, &gSz) < 0) + ret = SSL_BAD_FILETYPE; + else if (ssl) + ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz); + else + ret = wolfSSL_CTX_SetTmpDH(ctx, p, pSz, g, gSz); + } + } + + if (weOwnDer) + XFREE(der.buffer, ctx->heap, DYNAMIC_TYPE_KEY); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(g, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + return ret; + } + + + /* server Diffie-Hellman parameters, SSL_SUCCESS on ok */ + int wolfSSL_SetTmpDH_buffer(WOLFSSL* ssl, const unsigned char* buf, long sz, + int format) + { + if (ssl == NULL) + return BAD_FUNC_ARG; + + return wolfSSL_SetTmpDH_buffer_wrapper(ssl->ctx, ssl, buf, sz, format); + } + + + /* server ctx Diffie-Hellman parameters, SSL_SUCCESS on ok */ + int wolfSSL_CTX_SetTmpDH_buffer(WOLFSSL_CTX* ctx, const unsigned char* buf, + long sz, int format) + { + return wolfSSL_SetTmpDH_buffer_wrapper(ctx, NULL, buf, sz, format); + } + +#endif /* NO_DH */ + + int wolfSSL_use_certificate_buffer(WOLFSSL* ssl, const unsigned char* in, long sz, int format) { From 9c6b52876ae0ff05ace403f8360feb3b7653552d Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 20 Nov 2015 13:32:44 -0700 Subject: [PATCH 073/177] add SetTmpDH file/buffer functions to API tests --- tests/api.c | 114 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 114 insertions(+) diff --git a/tests/api.c b/tests/api.c index ccd03748c..4dd15e17e 100644 --- a/tests/api.c +++ b/tests/api.c @@ -38,6 +38,12 @@ #include #include +/* enable testing buffer load functions */ +#ifndef USE_CERT_BUFFERS_2048 + #define USE_CERT_BUFFERS_2048 +#endif +#include + /*----------------------------------------------------------------------------* | Constants *----------------------------------------------------------------------------*/ @@ -232,6 +238,55 @@ static void test_wolfSSL_CTX_load_verify_locations(void) #endif } +static void test_wolfSSL_CTX_SetTmpDH_file(void) +{ +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_DH) + WOLFSSL_CTX *ctx; + + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + + /* invalid context */ + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(NULL, + dhParam, SSL_FILETYPE_PEM)); + + /* invalid dhParam file */ + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, + NULL, SSL_FILETYPE_PEM)); + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, + bogusFile, SSL_FILETYPE_PEM)); + + /* success */ + AssertTrue(wolfSSL_CTX_SetTmpDH_file(ctx, dhParam, SSL_FILETYPE_PEM)); + + wolfSSL_CTX_free(ctx); +#endif +} + +static void test_wolfSSL_CTX_SetTmpDH_buffer(void) +{ +#if !defined(NO_CERTS) && !defined(NO_DH) + WOLFSSL_CTX *ctx; + + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + + /* invalid context */ + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, dh_key_der_2048, + sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); + + /* invalid dhParam file */ + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(NULL, NULL, + 0, SSL_FILETYPE_ASN1)); + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dsa_key_der_2048, + sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1)); + + /* success */ + AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048, + sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); + + wolfSSL_CTX_free(ctx); +#endif +} + /*----------------------------------------------------------------------------* | SSL *----------------------------------------------------------------------------*/ @@ -291,6 +346,61 @@ static void test_client_wolfSSL_new(void) #endif } +static void test_wolfSSL_SetTmpDH_file(void) +{ +#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) && !defined(NO_DH) + WOLFSSL_CTX *ctx; + WOLFSSL *ssl; + + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + AssertNotNull(ssl = wolfSSL_new(ctx)); + + /* invalid ssl */ + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(NULL, + dhParam, SSL_FILETYPE_PEM)); + + /* invalid dhParam file */ + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, + NULL, SSL_FILETYPE_PEM)); + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, + bogusFile, SSL_FILETYPE_PEM)); + + /* success */ + AssertTrue(wolfSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif +} + +static void test_wolfSSL_SetTmpDH_buffer(void) +{ +#if !defined(NO_CERTS) && !defined(NO_DH) + WOLFSSL_CTX *ctx; + WOLFSSL *ssl; + + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + AssertNotNull(ssl = wolfSSL_new(ctx)); + + /* invalid ssl */ + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, dh_key_der_2048, + sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); + + /* invalid dhParam file */ + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(NULL, NULL, + 0, SSL_FILETYPE_ASN1)); + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dsa_key_der_2048, + sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1)); + + /* success */ + AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); + + wolfSSL_free(ssl); + wolfSSL_CTX_free(ctx); +#endif +} + /*----------------------------------------------------------------------------* | IO *----------------------------------------------------------------------------*/ @@ -1471,8 +1581,12 @@ void ApiTest(void) test_wolfSSL_CTX_use_certificate_file(); test_wolfSSL_CTX_use_PrivateKey_file(); test_wolfSSL_CTX_load_verify_locations(); + test_wolfSSL_CTX_SetTmpDH_file(); + test_wolfSSL_CTX_SetTmpDH_buffer(); test_server_wolfSSL_new(); test_client_wolfSSL_new(); + test_wolfSSL_SetTmpDH_file(); + test_wolfSSL_SetTmpDH_buffer(); test_wolfSSL_read_write(); /* TLS extensions tests */ From d248a7660cc441b68dc48728b10256e852928ea3 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Sat, 21 Nov 2015 12:00:34 -0800 Subject: [PATCH 074/177] ASN: when getting OID from stream, check the summed value; added utility to skip OID; setting OID uses same strings as getting, separated NULL tag from the OID --- wolfcrypt/src/asn.c | 770 +++++++++++++++++++++++++++------------- wolfcrypt/src/pkcs7.c | 23 +- wolfssl/wolfcrypt/asn.h | 23 +- 3 files changed, 538 insertions(+), 278 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 9a221dc99..107524198 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -678,12 +678,440 @@ WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, } -static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, - word32 maxIdx) +/* hashType */ +static const byte hashMd2hOid[] = {42, 134, 72, 134, 247, 13, 2, 2}; +static const byte hashMd5hOid[] = {42, 134, 72, 134, 247, 13, 2, 5}; +static const byte hashSha1hOid[] = {43, 14, 3, 2, 26}; +static const byte hashSha256hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 1}; +static const byte hashSha384hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 2}; +static const byte hashSha512hOid[] = {96, 134, 72, 1, 101, 3, 4, 2, 3}; + +/* sigType */ +#ifndef NO_DSA + static const byte sigSha1wDsaOid[] = {42, 134, 72, 206, 56, 4, 3}; +#endif /* NO_DSA */ +#ifndef NO_RSA + static const byte sigMd2wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 2}; + static const byte sigMd5wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 4}; + static const byte sigSha1wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 5}; + static const byte sigSha256wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,11}; + static const byte sigSha384wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,12}; + static const byte sigSha512wRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1,13}; +#endif /* NO_RSA */ +#ifdef HAVE_ECC + static const byte sigSha1wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 1}; + static const byte sigSha256wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 2}; + static const byte sigSha384wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 3}; + static const byte sigSha512wEcdsaOid[] = {42, 134, 72, 206, 61, 4, 3, 4}; +#endif /* HAVE_ECC */ + +/* keyType */ +#ifndef NO_DSA + static const byte keyDsaOid[] = {42, 134, 72, 206, 56, 4, 1}; +#endif /* NO_DSA */ +#ifndef NO_RSA + static const byte keyRsaOid[] = {42, 134, 72, 134, 247, 13, 1, 1, 1}; +#endif /* NO_RSA */ +#ifdef HAVE_NTRU + static const byte keyNtruOid[] = {43, 6, 1, 4, 1, 193, 22, 1, 1, 1, 1}; +#endif /* HAVE_NTRU */ +#ifdef HAVE_ECC + static const byte keyEcdsaOid[] = {42, 134, 72, 206, 61, 2, 1}; +#endif /* HAVE_ECC */ + +/* curveType */ +#ifdef HAVE_ECC + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) + static const byte curve192v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 1}; + #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */ + #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) + static const byte curve256v1Oid[] = {42, 134, 72, 206, 61, 3, 1, 7}; + #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) + static const byte curve160r1Oid[] = {43, 129, 4, 0, 2}; + #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) + static const byte curve224r1Oid[] = {43, 129, 4, 0, 33}; + #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) + static const byte curve384r1Oid[] = {43, 129, 4, 0, 34}; + #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) + static const byte curve521r1Oid[] = {43, 129, 4, 0, 35}; + #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */ +#endif /* HAVE_ECC */ + +/* blkType */ +static const byte blkDesCbcOid[] = {43, 14, 3, 2, 7}; +static const byte blkDes3CbcOid[] = {42, 134, 72, 134, 247, 13, 3, 7}; + +/* ocspType */ +#ifdef HAVE_OCSP + static const byte ocspBasicOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 1}; + static const byte ocspNonceOid[] = {43, 6, 1, 5, 5, 7, 48, 1, 2}; +#endif /* HAVE_OCSP */ + +/* certExtType */ +static const byte extBasicCaOid[] = {85, 29, 19}; +static const byte extAltNamesOid[] = {85, 29, 17}; +static const byte extCrlDistOid[] = {85, 29, 31}; +static const byte extAuthInfoOid[] = {43, 6, 1, 5, 5, 7, 1, 1}; +static const byte extAuthKeyOid[] = {85, 29, 35}; +static const byte extSubjKeyOid[] = {85, 29, 14}; +static const byte extCertPolicyOid[] = {85, 29, 32}; +static const byte extKeyUsageOid[] = {85, 29, 15}; +static const byte extInhibitAnyOid[] = {85, 29, 54}; +static const byte extExtKeyUsageOid[] = {85, 29, 37}; +static const byte extNameConsOid[] = {85, 29, 30}; + +/* certAuthInfoType */ +static const byte extAuthInfoOcspOid[] = {43, 6, 1, 5, 5, 7, 48, 1}; +static const byte extAuthInfoCaIssuerOid[] = {43, 6, 1, 5, 5, 7, 48, 2}; + +/* certPolicyType */ +static const byte extCertPolicyAnyOid[] = {85, 29, 32, 0}; + +/* certKeyUseType */ +static const byte extAltNamesHwNameOid[] = {43, 6, 1, 5, 5, 7, 8, 4}; + +/* certKeyUseType */ +static const byte extExtKeyUsageAnyOid[] = {85, 29, 37, 0}; +static const byte extExtKeyUsageServerAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 1}; +static const byte extExtKeyUsageClientAuthOid[] = {43, 6, 1, 5, 5, 7, 3, 2}; +static const byte extExtKeyUsageOcspSignOid[] = {43, 6, 1, 5, 5, 7, 3, 9}; + +/* kdfType */ +static const byte pbkdf2Oid[] = {42, 134, 72, 134, 247, 13, 1, 5, 12}; + +static const byte* OidFromId(word32 id, word32 type, word32* oidSz) +{ + const byte* oid = NULL; + + *oidSz = 0; + + switch (type) { + + case hashType: + switch (id) { + case MD2h: + oid = hashMd2hOid; + *oidSz = sizeof(hashMd2hOid); + break; + case MD5h: + oid = hashMd5hOid; + *oidSz = sizeof(hashMd5hOid); + break; + case SHAh: + oid = hashSha1hOid; + *oidSz = sizeof(hashSha1hOid); + break; + case SHA256h: + oid = hashSha256hOid; + *oidSz = sizeof(hashSha256hOid); + break; + case SHA384h: + oid = hashSha384hOid; + *oidSz = sizeof(hashSha384hOid); + break; + case SHA512h: + oid = hashSha512hOid; + *oidSz = sizeof(hashSha512hOid); + break; + } + break; + + case sigType: + switch (id) { + #ifndef NO_DSA + case CTC_SHAwDSA: + oid = sigSha1wDsaOid; + *oidSz = sizeof(sigSha1wDsaOid); + break; + #endif /* NO_DSA */ + #ifndef NO_RSA + case CTC_MD2wRSA: + oid = sigMd2wRsaOid; + *oidSz = sizeof(sigMd2wRsaOid); + break; + case CTC_MD5wRSA: + oid = sigMd5wRsaOid; + *oidSz = sizeof(sigMd5wRsaOid); + break; + case CTC_SHAwRSA: + oid = sigSha1wRsaOid; + *oidSz = sizeof(sigSha1wRsaOid); + break; + case CTC_SHA256wRSA: + oid = sigSha256wRsaOid; + *oidSz = sizeof(sigSha256wRsaOid); + break; + case CTC_SHA384wRSA: + oid = sigSha384wRsaOid; + *oidSz = sizeof(sigSha384wRsaOid); + break; + case CTC_SHA512wRSA: + oid = sigSha512wRsaOid; + *oidSz = sizeof(sigSha512wRsaOid); + break; + #endif /* NO_RSA */ + #ifdef HAVE_ECC + case CTC_SHAwECDSA: + oid = sigSha1wEcdsaOid; + *oidSz = sizeof(sigSha1wEcdsaOid); + break; + case CTC_SHA256wECDSA: + oid = sigSha256wEcdsaOid; + *oidSz = sizeof(sigSha256wEcdsaOid); + break; + case CTC_SHA384wECDSA: + oid = sigSha384wEcdsaOid; + *oidSz = sizeof(sigSha384wEcdsaOid); + break; + case CTC_SHA512wECDSA: + oid = sigSha512wEcdsaOid; + *oidSz = sizeof(sigSha512wEcdsaOid); + break; + #endif /* HAVE_ECC */ + default: + break; + } + break; + + case keyType: + switch (id) { + #ifndef NO_DSA + case DSAk: + oid = keyDsaOid; + *oidSz = sizeof(keyDsaOid); + break; + #endif /* NO_DSA */ + #ifndef NO_RSA + case RSAk: + oid = keyRsaOid; + *oidSz = sizeof(keyRsaOid); + break; + #endif /* NO_RSA */ + #ifdef HAVE_NTRU + case NTRUk: + oid = keyNtruOid; + *oidSz = sizeof(keyNtruOid); + break; + #endif /* HAVE_NTRU */ + #ifdef HAVE_ECC + case ECDSAk: + oid = keyEcdsaOid; + *oidSz = sizeof(keyEcdsaOid); + break; + #endif /* HAVE_ECC */ + default: + break; + } + break; + + #ifdef HAVE_ECC + case curveType: + switch (id) { + #if defined(HAVE_ALL_CURVES) || !defined(NO_ECC256) + case ECC_256R1: + oid = curve256v1Oid; + *oidSz = sizeof(curve256v1Oid); + break; + #endif /* HAVE_ALL_CURVES || HAVE_ECC256 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC384) + case ECC_384R1: + oid = curve384r1Oid; + *oidSz = sizeof(curve384r1Oid); + break; + #endif /* HAVE_ALL_CURVES || HAVE_ECC384 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC521) + case ECC_521R1: + oid = curve521r1Oid; + *oidSz = sizeof(curve521r1Oid); + break; + #endif /* HAVE_ALL_CURVES || HAVE_ECC521 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC160) + case ECC_160R1: + oid = curve160r1Oid; + *oidSz = sizeof(curve160r1Oid); + break; + #endif /* HAVE_ALL_CURVES || HAVE_ECC160 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC192) + case ECC_192R1: + oid = curve192v1Oid; + *oidSz = sizeof(curve192v1Oid); + break; + #endif /* HAVE_ALL_CURVES || HAVE_ECC192 */ + #if defined(HAVE_ALL_CURVES) || defined(HAVE_ECC224) + case ECC_224R1: + oid = curve224r1Oid; + *oidSz = sizeof(curve224r1Oid); + break; + #endif /* HAVE_ALL_CURVES || HAVE_ECC224 */ + default: + break; + } + break; + #endif /* HAVE_ECC */ + + case blkType: + switch (id) { + case DESb: + oid = blkDesCbcOid; + *oidSz = sizeof(blkDesCbcOid); + break; + case DES3b: + oid = blkDes3CbcOid; + *oidSz = sizeof(blkDes3CbcOid); + break; + } + break; + + #ifdef HAVE_OCSP + case ocspType: + switch (id) { + case OCSP_BASIC_OID: + oid = ocspBasicOid; + *oidSz = sizeof(ocspBasicOid); + break; + case OCSP_NONCE_OID: + oid = ocspNonceOid; + *oidSz = sizeof(ocspNonceOid); + break; + } + break; + #endif /* HAVE_OCSP */ + + case certExtType: + switch (id) { + case BASIC_CA_OID: + oid = extBasicCaOid; + *oidSz = sizeof(extBasicCaOid); + break; + case ALT_NAMES_OID: + oid = extAltNamesOid; + *oidSz = sizeof(extAltNamesOid); + break; + case CRL_DIST_OID: + oid = extCrlDistOid; + *oidSz = sizeof(extCrlDistOid); + break; + case AUTH_INFO_OID: + oid = extAuthInfoOid; + *oidSz = sizeof(extAuthInfoOid); + break; + case AUTH_KEY_OID: + oid = extAuthKeyOid; + *oidSz = sizeof(extAuthKeyOid); + break; + case SUBJ_KEY_OID: + oid = extSubjKeyOid; + *oidSz = sizeof(extSubjKeyOid); + break; + case CERT_POLICY_OID: + oid = extCertPolicyOid; + *oidSz = sizeof(extCertPolicyOid); + break; + case KEY_USAGE_OID: + oid = extKeyUsageOid; + *oidSz = sizeof(extKeyUsageOid); + break; + case INHIBIT_ANY_OID: + oid = extInhibitAnyOid; + *oidSz = sizeof(extInhibitAnyOid); + break; + case EXT_KEY_USAGE_OID: + oid = extExtKeyUsageOid; + *oidSz = sizeof(extExtKeyUsageOid); + break; + case NAME_CONS_OID: + oid = extNameConsOid; + *oidSz = sizeof(extNameConsOid); + break; + } + break; + + case certAuthInfoType: + switch (id) { + case AIA_OCSP_OID: + oid = extAuthInfoOcspOid; + *oidSz = sizeof(extAuthInfoOcspOid); + break; + case AIA_CA_ISSUER_OID: + oid = extAuthInfoCaIssuerOid; + *oidSz = sizeof(extAuthInfoCaIssuerOid); + break; + } + break; + + case certPolicyType: + switch (id) { + case CP_ANY_OID: + oid = extCertPolicyAnyOid; + *oidSz = sizeof(extCertPolicyAnyOid); + break; + } + break; + + case certAltNameType: + switch (id) { + case HW_NAME_OID: + oid = extAltNamesHwNameOid; + *oidSz = sizeof(extAltNamesHwNameOid); + break; + } + break; + + case certKeyUseType: + switch (id) { + case EKU_ANY_OID: + oid = extExtKeyUsageAnyOid; + *oidSz = sizeof(extExtKeyUsageAnyOid); + break; + case EKU_SERVER_AUTH_OID: + oid = extExtKeyUsageServerAuthOid; + *oidSz = sizeof(extExtKeyUsageServerAuthOid); + break; + case EKU_CLIENT_AUTH_OID: + oid = extExtKeyUsageClientAuthOid; + *oidSz = sizeof(extExtKeyUsageClientAuthOid); + break; + case EKU_OCSP_SIGN_OID: + oid = extExtKeyUsageOcspSignOid; + *oidSz = sizeof(extExtKeyUsageOcspSignOid); + break; + } + + case kdfType: + switch (id) { + case PBKDF2_OID: + oid = pbkdf2Oid; + *oidSz = sizeof(pbkdf2Oid); + break; + } + break; + + case ignoreType: + default: + break; + } + + return oid; +} + + +WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, + word32 oidType, word32 maxIdx) { int length; word32 i = *inOutIdx; +#ifndef NO_VERIFY_OID + word32 actualOidSz = 0; + const byte* actualOid; +#endif /* NO_VERIFY_OID */ byte b; + + (void)oidType; + WOLFSSL_ENTER("GetObjectId()"); *oid = 0; b = input[i++]; @@ -693,18 +1121,62 @@ static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, if (GetLength(input, &i, &length, maxIdx) < 0) return ASN_PARSE_E; - while(length--) - *oid += input[i++]; +#ifndef NO_VERIFY_OID + actualOid = &input[i]; + if (length > 0) + actualOidSz = (word32)length; +#endif /* NO_VERIFY_OID */ + + while(length--) { + /* odd HC08 compiler behavior here when input[i++] */ + *oid += input[i]; + i++; + } /* just sum it up for now */ *inOutIdx = i; +#ifndef NO_VERIFY_OID + { + const byte* checkOid = NULL; + word32 checkOidSz; + + if (oidType != ignoreType) { + checkOid = OidFromId(*oid, oidType, &checkOidSz); + + if (checkOid == NULL || + checkOidSz != actualOidSz || + XMEMCMP(actualOid, checkOid, checkOidSz) != 0) { + + WOLFSSL_MSG("OID Check Failed"); + return ASN_UNKNOWN_OID_E; + } + } + } +#endif /* NO_VERIFY_OID */ + + return 0; +} + + +static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx) +{ + int length; + + if (input[(*inOutIdx)++] != ASN_OBJECT_ID) + return ASN_OBJECT_ID_E; + + if (GetLength(input, inOutIdx, &length, maxIdx) < 0) + return ASN_PARSE_E; + + *inOutIdx += length; + return 0; } WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, - word32 maxIdx) + word32 oidType, word32 maxIdx) { int length; word32 i = *inOutIdx; @@ -716,31 +1188,18 @@ WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, if (GetSequence(input, &i, &length, maxIdx) < 0) return ASN_PARSE_E; - b = input[i++]; - if (b != ASN_OBJECT_ID) + if (GetObjectId(input, &i, oid, oidType, maxIdx) < 0) return ASN_OBJECT_ID_E; - if (GetLength(input, &i, &length, maxIdx) < 0) - return ASN_PARSE_E; - - while(length--) { - /* odd HC08 compiler behavior here when input[i++] */ - *oid += input[i]; - i++; - } - /* just sum it up for now */ - /* could have NULL tag and 0 terminator, but may not */ - b = input[i++]; + b = input[i]; if (b == ASN_TAG_NULL) { + i++; b = input[i++]; if (b != 0) return ASN_EXPECT_0_E; } - else - /* go back, didn't have it */ - i--; *inOutIdx = i; @@ -856,7 +1315,7 @@ int ToTraditional(byte* input, word32 sz) if (GetMyVersion(input, &inOutIdx, &version) < 0) return ASN_PARSE_E; - if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) + if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0) return ASN_PARSE_E; if (input[inOutIdx] == ASN_OBJECT_ID) { @@ -1133,7 +1592,7 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) if (GetSequence(input, &inOutIdx, &length, sz) < 0) return ASN_PARSE_E; - if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) + if (GetAlgoId(input, &inOutIdx, &oid, sigType, sz) < 0) return ASN_PARSE_E; first = input[inOutIdx - 2]; /* PKCS version alwyas 2nd to last byte */ @@ -1147,7 +1606,7 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) if (GetSequence(input, &inOutIdx, &length, sz) < 0) return ASN_PARSE_E; - if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) + if (GetAlgoId(input, &inOutIdx, &oid, kdfType, sz) < 0) return ASN_PARSE_E; if (oid != PBKDF2_OID) @@ -1192,7 +1651,8 @@ int ToTraditionalEnc(byte* input, word32 sz,const char* password,int passwordSz) if (version == PKCS5v2) { /* get encryption algo */ - if (GetAlgoId(input, &inOutIdx, &oid, sz) < 0) { + /* JOHN: New type. Need a little more research. */ + if (GetAlgoId(input, &inOutIdx, &oid, blkType, sz) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(salt, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(cbcIv, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -1285,15 +1745,9 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, if (GetSequence(input, inOutIdx, &length, inSz) < 0) return ASN_PARSE_E; - b = input[(*inOutIdx)++]; - if (b != ASN_OBJECT_ID) - return ASN_OBJECT_ID_E; - - if (GetLength(input, inOutIdx, &length, inSz) < 0) + if (SkipObjectId(input, inOutIdx, inSz) < 0) return ASN_PARSE_E; - *inOutIdx += length; /* skip past */ - /* could have NULL tag and 0 terminator, but may not */ b = input[(*inOutIdx)++]; @@ -1898,7 +2352,8 @@ static int GetKey(DecodedCert* cert) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) return ASN_PARSE_E; - if (GetAlgoId(cert->source, &cert->srcIdx, &cert->keyOID, cert->maxIdx) < 0) + if (GetAlgoId(cert->source, &cert->srcIdx, + &cert->keyOID, keyType, cert->maxIdx) < 0) return ASN_PARSE_E; switch (cert->keyOID) { @@ -1986,18 +2441,12 @@ static int GetKey(DecodedCert* cert) #ifdef HAVE_ECC case ECDSAk: { - int oidSz = 0; - byte b = cert->source[cert->srcIdx++]; + byte b; - if (b != ASN_OBJECT_ID) - return ASN_OBJECT_ID_E; - - if (GetLength(cert->source,&cert->srcIdx,&oidSz,cert->maxIdx) < 0) + if (GetObjectId(cert->source, &cert->srcIdx, + &cert->pkCurveOID, curveType, cert->maxIdx) < 0) return ASN_PARSE_E; - while(oidSz--) - cert->pkCurveOID += cert->source[cert->srcIdx++]; - if (CheckCurve(cert->pkCurveOID) < 0) return ECC_CURVE_OID_E; @@ -2699,7 +3148,7 @@ int DecodeToKey(DecodedCert* cert, int verify) WOLFSSL_MSG("Got Cert Header"); if ( (ret = GetAlgoId(cert->source, &cert->srcIdx, &cert->signatureOID, - cert->maxIdx)) < 0) + sigType, cert->maxIdx)) < 0) return ret; WOLFSSL_MSG("Got Algo ID"); @@ -2925,216 +3374,35 @@ static int SetCurve(ecc_key* key, byte* output) WOLFSSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz) { - /* adding TAG_NULL and 0 to end */ - - /* hashTypes */ - static const byte shaAlgoID[] = { 0x2b, 0x0e, 0x03, 0x02, 0x1a, - 0x05, 0x00 }; - static const byte sha256AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x01, 0x05, 0x00 }; - static const byte sha384AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x02, 0x05, 0x00 }; - static const byte sha512AlgoID[] = { 0x60, 0x86, 0x48, 0x01, 0x65, 0x03, - 0x04, 0x02, 0x03, 0x05, 0x00 }; - static const byte md5AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x02, 0x05, 0x05, 0x00 }; - static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x02, 0x02, 0x05, 0x00}; - - /* blkTypes, no NULL tags because IV is there instead */ - static const byte desCbcAlgoID[] = { 0x2B, 0x0E, 0x03, 0x02, 0x07 }; - static const byte des3CbcAlgoID[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7, - 0x0D, 0x03, 0x07 }; - - /* RSA sigTypes */ - #ifndef NO_RSA - static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x04, 0x05, 0x00}; - static const byte shawRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00}; - static const byte sha256wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00}; - static const byte sha384wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0c, 0x05, 0x00}; - static const byte sha512wRSA_AlgoID[] = {0x2a, 0x86, 0x48, 0x86, 0xf7, - 0x0d, 0x01, 0x01, 0x0d, 0x05, 0x00}; - #endif /* NO_RSA */ - - /* ECDSA sigTypes */ - #ifdef HAVE_ECC - static const byte shawECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, - 0x04, 0x01, 0x05, 0x00}; - static const byte sha256wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d, - 0x04, 0x03, 0x02, 0x05, 0x00}; - static const byte sha384wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d, - 0x04, 0x03, 0x03, 0x05, 0x00}; - static const byte sha512wECDSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE,0x3d, - 0x04, 0x03, 0x04, 0x05, 0x00}; - #endif /* HAVE_ECC */ - - /* RSA keyType */ - #ifndef NO_RSA - static const byte RSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, - 0x01, 0x01, 0x01, 0x05, 0x00}; - #endif /* NO_RSA */ - - #ifdef HAVE_ECC - /* ECC keyType */ - /* no tags, so set tagSz smaller later */ - static const byte ECC_AlgoID[] = { 0x2a, 0x86, 0x48, 0xCE, 0x3d, - 0x02, 0x01}; - #endif /* HAVE_ECC */ - - int algoSz = 0; - int tagSz = 2; /* tag null and terminator */ - word32 idSz, seqSz; + word32 tagSz, idSz, seqSz, algoSz = 0; const byte* algoName = 0; - byte ID_Length[MAX_LENGTH_SZ]; - byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ + byte ID_Length[MAX_LENGTH_SZ]; + byte seqArray[MAX_SEQ_SZ + 1]; /* add object_id to end */ - if (type == hashType) { - switch (algoOID) { - case SHAh: - algoSz = sizeof(shaAlgoID); - algoName = shaAlgoID; - break; + tagSz = (type == hashType || type == sigType || + (type == keyType && algoOID == RSAk)) ? 2 : 0; - case SHA256h: - algoSz = sizeof(sha256AlgoID); - algoName = sha256AlgoID; - break; + algoName = OidFromId(algoOID, type, &algoSz); - case SHA384h: - algoSz = sizeof(sha384AlgoID); - algoName = sha384AlgoID; - break; - - case SHA512h: - algoSz = sizeof(sha512AlgoID); - algoName = sha512AlgoID; - break; - - case MD2h: - algoSz = sizeof(md2AlgoID); - algoName = md2AlgoID; - break; - - case MD5h: - algoSz = sizeof(md5AlgoID); - algoName = md5AlgoID; - break; - - default: - WOLFSSL_MSG("Unknown Hash Algo"); - return 0; /* UNKOWN_HASH_E; */ - } - } - else if (type == blkType) { - switch (algoOID) { - case DESb: - algoSz = sizeof(desCbcAlgoID); - algoName = desCbcAlgoID; - tagSz = 0; - break; - case DES3b: - algoSz = sizeof(des3CbcAlgoID); - algoName = des3CbcAlgoID; - tagSz = 0; - break; - default: - WOLFSSL_MSG("Unknown Block Algo"); - return 0; - } - } - else if (type == sigType) { /* sigType */ - switch (algoOID) { - #ifndef NO_RSA - case CTC_MD5wRSA: - algoSz = sizeof(md5wRSA_AlgoID); - algoName = md5wRSA_AlgoID; - break; - - case CTC_SHAwRSA: - algoSz = sizeof(shawRSA_AlgoID); - algoName = shawRSA_AlgoID; - break; - - case CTC_SHA256wRSA: - algoSz = sizeof(sha256wRSA_AlgoID); - algoName = sha256wRSA_AlgoID; - break; - - case CTC_SHA384wRSA: - algoSz = sizeof(sha384wRSA_AlgoID); - algoName = sha384wRSA_AlgoID; - break; - - case CTC_SHA512wRSA: - algoSz = sizeof(sha512wRSA_AlgoID); - algoName = sha512wRSA_AlgoID; - break; - #endif /* NO_RSA */ - #ifdef HAVE_ECC - case CTC_SHAwECDSA: - algoSz = sizeof(shawECDSA_AlgoID); - algoName = shawECDSA_AlgoID; - break; - - case CTC_SHA256wECDSA: - algoSz = sizeof(sha256wECDSA_AlgoID); - algoName = sha256wECDSA_AlgoID; - break; - - case CTC_SHA384wECDSA: - algoSz = sizeof(sha384wECDSA_AlgoID); - algoName = sha384wECDSA_AlgoID; - break; - - case CTC_SHA512wECDSA: - algoSz = sizeof(sha512wECDSA_AlgoID); - algoName = sha512wECDSA_AlgoID; - break; - #endif /* HAVE_ECC */ - default: - WOLFSSL_MSG("Unknown Signature Algo"); - return 0; - } - } - else if (type == keyType) { /* keyType */ - switch (algoOID) { - #ifndef NO_RSA - case RSAk: - algoSz = sizeof(RSA_AlgoID); - algoName = RSA_AlgoID; - break; - #endif /* NO_RSA */ - #ifdef HAVE_ECC - case ECDSAk: - algoSz = sizeof(ECC_AlgoID); - algoName = ECC_AlgoID; - tagSz = 0; - break; - #endif /* HAVE_ECC */ - default: - WOLFSSL_MSG("Unknown Key Algo"); - return 0; - } - } - else { - WOLFSSL_MSG("Unknown Algo type"); + if (algoName == NULL) { + WOLFSSL_MSG("Unknown Algorithm"); return 0; } - idSz = SetLength(algoSz - tagSz, ID_Length); /* don't include tags */ - seqSz = SetSequence(idSz + algoSz + 1 + curveSz, seqArray); + idSz = SetLength(algoSz, ID_Length); + seqSz = SetSequence(idSz + algoSz + 1 + tagSz + curveSz, seqArray); /* +1 for object id, curveID of curveSz follows for ecc */ seqArray[seqSz++] = ASN_OBJECT_ID; XMEMCPY(output, seqArray, seqSz); XMEMCPY(output + seqSz, ID_Length, idSz); XMEMCPY(output + seqSz + idSz, algoName, algoSz); + if (tagSz == 2) { + output[seqSz + idSz + algoSz] = ASN_TAG_NULL; + output[seqSz + idSz + algoSz + 1] = 0; + } - return seqSz + idSz + algoSz; + return seqSz + idSz + algoSz + tagSz; } @@ -3721,7 +3989,7 @@ static int DecodeAltNames(byte* input, int sz, DecodedCert* cert) /* Consume the rest of this sequence. */ length -= (strLen + idx - lenStartIdx); - if (GetObjectId(input, &idx, &oid, sz) < 0) { + if (GetObjectId(input, &idx, &oid, certAltNameType, sz) < 0) { WOLFSSL_MSG("\tbad OID"); return ASN_PARSE_E; } @@ -3972,7 +4240,7 @@ static int DecodeAuthInfo(byte* input, int sz, DecodedCert* cert) return ASN_PARSE_E; oid = 0; - if (GetObjectId(input, &idx, &oid, sz) < 0) + if (GetObjectId(input, &idx, &oid, certAuthInfoType, sz) < 0) return ASN_PARSE_E; /* Only supporting URIs right now. */ @@ -4118,7 +4386,7 @@ static int DecodeExtKeyUsage(byte* input, int sz, DecodedCert* cert) #endif while (idx < (word32)sz) { - if (GetObjectId(input, &idx, &oid, sz) < 0) + if (GetObjectId(input, &idx, &oid, certKeyUseType, sz) < 0) return ASN_PARSE_E; switch (oid) { @@ -4458,7 +4726,7 @@ static int DecodeCertExtensions(DecodedCert* cert) } oid = 0; - if (GetObjectId(input, &idx, &oid, sz) < 0) { + if (GetObjectId(input, &idx, &oid, certExtType, sz) < 0) { WOLFSSL_MSG("\tfail: OBJECT ID"); return ASN_PARSE_E; } @@ -4707,7 +4975,7 @@ int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm) } if ((ret = GetAlgoId(cert->source, &cert->srcIdx, &confirmOID, - cert->maxIdx)) < 0) + sigType, cert->maxIdx)) < 0) return ret; if ((ret = GetSignature(cert)) < 0) @@ -7685,7 +7953,7 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) decoded->srcIdx = startIdx; if (GetAlgoId(decoded->source, &decoded->srcIdx, &oid, - decoded->maxIdx) < 0) { + certExtType, decoded->maxIdx) < 0) { ret = ASN_PARSE_E; break; } @@ -8444,7 +8712,7 @@ static int DecodeSingleResponse(byte* source, if (GetSequence(source, &idx, &length, size) < 0) return ASN_PARSE_E; /* Skip the hash algorithm */ - if (GetAlgoId(source, &idx, &oid, size) < 0) + if (GetAlgoId(source, &idx, &oid, ignoreType, size) < 0) return ASN_PARSE_E; /* Save reference to the hash of CN */ if (source[idx++] != ASN_OCTET_STRING) @@ -8564,7 +8832,7 @@ static int DecodeOcspRespExtensions(byte* source, } oid = 0; - if (GetObjectId(source, &idx, &oid, sz) < 0) { + if (GetObjectId(source, &idx, &oid, ocspType, sz) < 0) { WOLFSSL_MSG("\tfail: OBJECT ID"); return ASN_PARSE_E; } @@ -8717,7 +8985,7 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, return ASN_PARSE_E; /* Get the signature algorithm */ - if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0) + if (GetAlgoId(source, &idx, &resp->sigOID, sigType, size) < 0) return ASN_PARSE_E; /* Obtain pointer to the start of the signature, and save the size */ @@ -8830,7 +9098,7 @@ int OcspResponseDecode(OcspResponse* resp, void* cm) return ASN_PARSE_E; /* Check ObjectID for the resposeBytes */ - if (GetObjectId(source, &idx, &oid, size) < 0) + if (GetObjectId(source, &idx, &oid, ocspType, size) < 0) return ASN_PARSE_E; if (oid != OCSP_BASIC_OID) return ASN_PARSE_E; @@ -9308,7 +9576,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) return ASN_PARSE_E; } - if (GetAlgoId(buff, &idx, &oid, sz) < 0) + if (GetAlgoId(buff, &idx, &oid, ignoreType, sz) < 0) return ASN_PARSE_E; if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) @@ -9352,7 +9620,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, word32 sz, void* cm) if (idx != dcrl->sigIndex) idx = dcrl->sigIndex; /* skip extensions */ - if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0) + if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sigType, sz) < 0) return ASN_PARSE_E; if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) diff --git a/wolfcrypt/src/pkcs7.c b/wolfcrypt/src/pkcs7.c index ed933a7df..314005b69 100644 --- a/wolfcrypt/src/pkcs7.c +++ b/wolfcrypt/src/pkcs7.c @@ -129,27 +129,10 @@ WOLFSSL_LOCAL int wc_SetContentType(int pkcs7TypeOID, byte* output) int wc_GetContentType(const byte* input, word32* inOutIdx, word32* oid, word32 maxIdx) { - int length; - word32 i = *inOutIdx; - byte b; - *oid = 0; - WOLFSSL_ENTER("wc_GetContentType"); - - b = input[i++]; - if (b != ASN_OBJECT_ID) - return ASN_OBJECT_ID_E; - - if (GetLength(input, &i, &length, maxIdx) < 0) + if (GetObjectId(input, inOutIdx, oid, ignoreType, maxIdx) < 0) return ASN_PARSE_E; - while(length--) { - *oid += input[i]; - i++; - } - - *inOutIdx = i; - return 0; } @@ -1609,7 +1592,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, XFREE(serialNum, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) { + if (GetAlgoId(pkiMsg, &idx, &encOID, keyType, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -1670,7 +1653,7 @@ WOLFSSL_API int wc_PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg, return ASN_PARSE_E; } - if (GetAlgoId(pkiMsg, &idx, &encOID, pkiMsgSz) < 0) { + if (GetAlgoId(pkiMsg, &idx, &encOID, blkType, pkiMsgSz) < 0) { #ifdef WOLFSSL_SMALL_STACK XFREE(encryptedKey, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index 339680ca2..e77487bd7 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -198,11 +198,19 @@ enum Misc_ASN { enum Oid_Types { - hashType = 0, - sigType = 1, - keyType = 2, - curveType = 3, - blkType = 4 + hashType = 0, + sigType = 1, + keyType = 2, + curveType = 3, + blkType = 4, + ocspType = 5, + certExtType = 6, + certAuthInfoType = 7, + certPolicyType = 8, + certAltNameType = 9, + certKeyUseType = 10, + kdfType = 11, + ignoreType }; @@ -250,7 +258,6 @@ enum Extensions_Sum { ALT_NAMES_OID = 131, CRL_DIST_OID = 145, AUTH_INFO_OID = 69, - CA_ISSUER_OID = 117, AUTH_KEY_OID = 149, SUBJ_KEY_OID = 128, CERT_POLICY_OID = 146, @@ -585,8 +592,10 @@ WOLFSSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, int* version); WOLFSSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx, word32 maxIdx); +WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, + word32 oidType, word32 maxIdx); WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, - word32 maxIdx); + word32 oidType, word32 maxIdx); WOLFSSL_LOCAL word32 SetLength(word32 length, byte* output); WOLFSSL_LOCAL word32 SetSequence(word32 len, byte* output); WOLFSSL_LOCAL word32 SetOctetString(word32 len, byte* output); From aaad9787db214216242de3cfcd62f1217e3642c8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 23 Nov 2015 09:19:33 -0300 Subject: [PATCH 075/177] updates box version to trusty64; fixes provisioning errors; --- Vagrantfile | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/Vagrantfile b/Vagrantfile index aef42caf7..ddf37ce83 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -17,10 +17,10 @@ cd $LIB.$VER/ && ./autogen.sh && ./configure -q && make -s sudo make install && cd .. && rm -rf $LIB.$VER* -SRC=vagrant DST=wolfssl -cp -rp /$SRC/ $DST/ +cp -rp /vagrant/ $DST/ +chown -hR vagrant:vagrant $DST/ echo "cd $DST" >> .bashrc echo "read -p 'Sync $DST? (y/n) ' -n 1 -r" >> .bashrc @@ -30,20 +30,13 @@ echo " echo -e '\e[0;32mRunning $DST sync\e[0m'" >> .bashrc echo " ./pull_to_vagrant.sh" >> .bashrc echo "fi" >> .bashrc -cd $DST -./autogen.sh -./configure -make check - -cd .. -chown -hR vagrant:vagrant $DST/ /tmp/output SCRIPT VAGRANTFILE_API_VERSION = "2" Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| - config.vm.box = "hashicorp/precise64" + config.vm.box = "ubuntu/trusty64" config.vm.provision "shell", inline: $setup config.vm.network "forwarded_port", guest: 11111, host: 33333 From 51f5ded392c3cd59a16055b623da0f0ed9f942ae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 23 Nov 2015 09:33:49 -0300 Subject: [PATCH 076/177] adds config to generate ocsp certs --- certs/ocsp/ocsp-key.pem | 27 +++++++++++++++++++++++++++ certs/renewcerts.sh | 21 +++++++++++++++++++-- certs/renewcerts/wolfssl.cnf | 15 ++++++++++++--- 3 files changed, 58 insertions(+), 5 deletions(-) create mode 100644 certs/ocsp/ocsp-key.pem diff --git a/certs/ocsp/ocsp-key.pem b/certs/ocsp/ocsp-key.pem new file mode 100644 index 000000000..61c5616a9 --- /dev/null +++ b/certs/ocsp/ocsp-key.pem @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEowIBAAKCAQEAuLojtPbDexTDpPUdYaH1HmO5hSM0UG34fKKKBIvVdVwt92OI +0Qd66gtFNSvrH7EitJRBOOKddNaLMCIQUcXbyj9GK/7lWj9BdGd1lamU1cPuQviN +65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMxUO5KFr05i60FSIexmeIQ +pwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew/pf1HujHXZuLERkSPKuC +cXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gEZWwAdlDvFQjXtHNoJhSH +lcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQABAoIBAGI2tR1VxYD+/TYL +DGAIV+acZtqeaQYKMf8x++eG4SrQo6/QP8HDFFqzO0yV2SC0cRtJZ5PzCHxCRSaG +Nd8EL2NMWOazUwW0c/yLtTypOPSeg2Mf+3SwLvgxOZ9CbFQ8YAJi+vbNOPLGCijL +N0HWEkcC1P1kWWgKCWIloR7eEt0IQOb5PPSCu3buq/rForb6qUf+L+ESpWed6bnc +uhIrHDuQ/PopW05fW1r61zI286wKdLRyatQsljNqPvVdFVhtCKqCqMHdIzMg2cbh +q9DJMWc/KLjzBk6YPMZKm/4k4RXj+IwS+iITbpUNrhYj2TMevBMPW3AIRobD823D +ehQv+rECgYEA3CWL+G9zJ5PXRDAdQ69lN+CE/Uf9444CN5idMO+qRQ+QE8hWYT/U +PFH/aUgd1k3WJZseR/GTWx29VsRPSDWZXzwzLfUNKnqvp0b2oZe/EdYiRSo8OCPp +kF07HbTKe4Cyma7HdgDkNkS+UW5JujnuLcuee+wTq6xU0289juwFBc8CgYEA1s/d +VtwXqBf3qMxfi+eMa77fqxptAFGtZNKNkYwX42Ow6Hehj8EnoPqYEF+9MzKn/BFh +ROnQ76axKBN8mkRUjpv7d2+zMlDnGrWul8q6VrfGiU2P7jd4L6GY/V1MYktnIBsd +Ld/jW8P0FFfI2RIREPWdrATxBhQpTJfXd/7rLncCgYB1wrvyBCQUSrg/KIGvADbj +wf1Bw23jeMZk2QVU9Q8e7ClE+8iBMvSj47T9q28SgQaJjUWQdIA/oFP1AwPp+4n0 +cK5r6gbF72Tg1Uv+ur6hmuswFlyqJ0O8TrLdvCUIFZr0LJNT4zwwb2tjAdz8ehqX +crFvVqRbE884XuwN9ODm7wKBgQDIEnKlI/kkpq4UmcWkGNXAxNauFr7PPUOyVCln +FoRpVcC/xCzGJ7ExTjWzing950BulgFynhPsIeV+3id/x4S6Dq34YCEXDCMzzWQA +HOHRQvm3iHY1+ZQHSQulb/Bk3LYAQUC8KXspTSlYiSqYgytCEIH6Zd/XOY/9tq8J +JHUHoQKBgHYIB2mRCuDK5C3dCspdPVeAUqptK1nnXxWY/MXA6v+M4wFsIxV7Iwg7 +HEjeD5yKH4619syPCFz3jrCxL0oJqVTD2tnrbLf8idEt2eaV/3o2mUGFjvWpTywg +F8DewhrGh6z7FWHp4cMrxpq1hkdi6k+481T1GKBJ1zBSTzskTHQB +-----END RSA PRIVATE KEY----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index ec4e35e47..de8d8e791 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -202,6 +202,23 @@ function run_renewcerts(){ openssl x509 -in server-ecc-comp.pem -text > tmp.pem mv tmp.pem server-ecc-comp.pem + ########################################################### + ########## update and sign ocsp-cert.pem ################## + ########################################################### + echo "Updating ocsp-cert.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\ocsp.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ocsp/ocsp-key.pem -nodes > ocsp-req.pem + + openssl x509 -req -in ocsp-req.pem -extfile wolfssl.cnf -extensions v3_ocsp -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 03 > ocsp/ocsp-cert.pem + + rm ocsp-req.pem + + openssl x509 -in ca-cert.pem -text > ca_tmp.pem + openssl x509 -in ocsp/ocsp-cert.pem -text > ocsp_tmp.pem + mv ocsp_tmp.pem ocsp/ocsp-cert.pem + cat ca_tmp.pem >> ocsp/ocsp-cert.pem + rm ca_tmp.pem ############################################################ ########## make .der files from .pem files ################# ############################################################ @@ -302,7 +319,7 @@ elif [ ! -z "$1" ]; then echo "" echo "" #else the argument was invalid, tell user to use -h or -help - else + else echo "" echo "That is not a valid option." echo "" @@ -328,7 +345,7 @@ else # check options.h a second time, if the user had # ntru installed on their system and in the default - # path location, then it will now be defined, if the + # path location, then it will now be defined, if the # user does not have ntru on their system this will fail # again and we will not update any certs until user installs # ntru in the default location diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index 7decf9ef9..3da804b44 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -1,5 +1,5 @@ # -# wolfssl configuration file +# wolfssl configuration file # HOME = . RANDFILE = $ENV::HOME/.rnd @@ -20,7 +20,7 @@ default_ca = CA_default # The default ca section [ CA_default ] #################################################################### -# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY # +# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY # # # dir = $HOME./.. # #################################################################### @@ -124,6 +124,7 @@ authorityKeyIdentifier=keyid,issuer subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints=CA:true +authorityInfoAccess = OCSP;URI:http://localhost:22222 # Extensions to add to a certificate request [ v3_req ] @@ -140,6 +141,14 @@ basicConstraints = CA:true [ crl_ext ] authorityKeyIdentifier=keyid:always +# OCSP extensions. +[ v3_ocsp ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = OCSPSigning +basicConstraints = CA:false + # These extensions should be added when creating a proxy certificate [ proxy_cert_ext ] basicConstraints=CA:FALSE @@ -158,7 +167,7 @@ dir = ./demoCA # directory serial = $dir/tsaserial # (mandatory) crypto_device = builtin # engine signer_cert = $dir/tsacert.pem # certificate -certs = $dir/cacert.pem # chain +certs = $dir/cacert.pem # chain signer_key = $dir/private/tsakey.pem # (optional) default_policy = tsa_policy1 # Policy other_policies = tsa_policy2, tsa_policy3 # (optional) From b820619e6c46ceb0e7e9c3f40389ae04d06b9dae Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 23 Nov 2015 09:56:45 -0300 Subject: [PATCH 077/177] updates certs; adds ocsp certs; --- certs/1024/ca-cert.pem | 54 ++--- certs/1024/client-cert.der | Bin 969 -> 1021 bytes certs/1024/client-cert.pem | 44 ++-- certs/1024/server-cert.pem | 106 ++++----- certs/ca-cert.der | Bin 1198 -> 1252 bytes certs/ca-cert.pem | 71 ++++--- certs/client-cert.der | Bin 1230 -> 1282 bytes certs/client-cert.pem | 62 +++--- certs/client-ecc-cert.der | Bin 780 -> 835 bytes certs/client-ecc-cert.pem | 42 ++-- certs/crl/cliCrl.pem | 50 ++--- certs/crl/crl.pem | 52 ++--- certs/crl/crl.revoked | 58 ++--- certs/crl/eccCliCRL.pem | 22 +- certs/crl/eccSrvCRL.pem | 20 +- certs/ocsp/index.txt | 1 + certs/ocsp/ocsp-cert.pem | 182 ++++++++++++++++ certs/ocsp/ocspd.sh | 8 + certs/server-cert.der | Bin 1186 -> 1240 bytes certs/server-cert.pem | 141 ++++++------ certs/server-ecc-comp.pem | 32 +-- certs/server-ecc-rsa.pem | 70 +++--- certs/server-ecc.pem | 42 ++-- certs/server-revoked-cert.pem | 141 ++++++------ wolfssl/certs_test.h | 389 ++++++++++++++++++---------------- 25 files changed, 930 insertions(+), 657 deletions(-) create mode 100644 certs/ocsp/index.txt create mode 100644 certs/ocsp/ocsp-cert.pem create mode 100755 certs/ocsp/ocspd.sh diff --git a/certs/1024/ca-cert.pem b/certs/1024/ca-cert.pem index 3deb3628c..41136c2c2 100644 --- a/certs/1024/ca-cert.pem +++ b/certs/1024/ca-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 10323419125573214618 (0x8f4426ffb743e19a) - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 16629652120256878762 (0xe6c8647ee63b98aa) + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Sep 23 19:23:38 2015 GMT - Not After : Jun 19 19:23:38 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,38 +28,42 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:8F:44:26:FF:B7:43:E1:9A + serial:E6:C8:64:7E:E6:3B:98:AA X509v3 Basic Constraints: CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0e:46:ac:d8:29:1d:12:12:06:0c:d3:3f:7d:58:2e:0d:11:5e: - 5d:0d:dd:17:c0:0f:aa:01:4d:a4:c4:84:81:6e:64:ae:d1:5d: - 58:cd:19:6a:74:a4:46:2f:c8:43:79:39:c0:91:4b:7c:71:ea: - 4e:63:44:66:15:41:15:de:50:82:e3:e9:d1:55:55:cc:5a:38: - 1e:3a:59:b3:0e:ee:0e:54:4d:93:e7:e0:8e:27:a5:6e:08:b8: - 6a:39:da:2d:47:62:c4:5b:89:c0:48:48:2a:d5:f0:55:74:fd: - a6:b1:68:3c:70:a4:52:24:81:ec:4c:57:e0:e8:18:73:9d:0a: - 4d:d8 + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 82:53:ec:89:0a:6a:1b:ae:c3:69:fc:22:b5:d7:d2:f4:0b:6d: + 18:72:f5:64:7f:bb:80:57:e3:f3:b2:af:e1:89:47:03:19:dd: + 6f:62:ed:2b:24:d3:a2:77:c0:83:6a:fb:0f:55:93:78:15:4a: + c1:e0:13:f2:65:9c:7a:8c:6c:98:57:f0:44:9d:3a:9e:6a:30: + 08:9f:33:ce:0d:7e:86:6f:ef:0e:34:41:b9:c6:1d:34:c6:28: + 1e:f9:81:be:68:3d:77:92:50:c5:f8:2f:4c:aa:db:5f:72:93: + 42:eb:8a:cf:24:a0:d9:25:44:46:8b:ed:de:46:d5:1a:90:e9: + d6:d8 -----BEGIN CERTIFICATE----- -MIIDtTCCAx6gAwIBAgIJAI9EJv+3Q+GaMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD +MIID6jCCA1OgAwIBAgIJAObIZH7mO5iqMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MDkyMzE5MjMzOFoXDTE4MDYxOTE5MjMzOFowgZkxCzAJBgNVBAYT +Y29tMB4XDTE1MTEyMzEyNDkzN1oXDTE4MDgxOTEyNDkzN1owgZkxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq -1OWIGLMRL3PA1ikJAgMBAAGjggEBMIH+MB0GA1UdDgQWBBTTIo8oLOAF7tPtw3E9 -ybI2Oh2/qDCBzgYDVR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SB -nDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv -emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEw -MjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m -b0B3b2xmc3NsLmNvbYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN -AQEFBQADgYEADkas2CkdEhIGDNM/fVguDRFeXQ3dF8APqgFNpMSEgW5krtFdWM0Z -anSkRi/IQ3k5wJFLfHHqTmNEZhVBFd5QguPp0VVVzFo4HjpZsw7uDlRNk+fgjiel -bgi4ajnaLUdixFuJwEhIKtXwVXT9prFoPHCkUiSB7ExX4OgYc50KTdg= +1OWIGLMRL3PA1ikJAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx +PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k +gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x +MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu +Zm9Ad29sZnNzbC5jb22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUF +BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkq +hkiG9w0BAQsFAAOBgQCCU+yJCmobrsNp/CK119L0C20YcvVkf7uAV+Pzsq/hiUcD +Gd1vYu0rJNOid8CDavsPVZN4FUrB4BPyZZx6jGyYV/BEnTqeajAInzPODX6Gb+8O +NEG5xh00xige+YG+aD13klDF+C9MqttfcpNC64rPJKDZJURGi+3eRtUakOnW2A== -----END CERTIFICATE----- diff --git a/certs/1024/client-cert.der b/certs/1024/client-cert.der index c2bd6df8fe58e67cfaf20cb20bce0bd93a31726b..4d4d69ba88f5d813ee46baaddda891ec90644b00 100644 GIT binary patch delta 314 zcmX@f{+C_Cpo#gXK@)S*0%j&gCMHgX%lBs-X^@xCpD3|S%Fxir*wDzt(%3vooY&C8 zz{1cH%AH)pv~Y4K<5GTWgC<6E16elaP+2|}F_y`ROrn#6n9kM1j4|K=NeQ#C8Za|5 z{x>jU)FR z?K>|cBR4Apb7Lbzq2;f(!y!*+Y<+R~^mP5U{V(?Xetn~Oy2&iD{SP+n-B_?k4+6xk5wPV9XZ8pj=2NziyJ#ugT-u=QNVCBinL8W|RB1@MZ xnQvEo!=iHk_u0O@pI4n*#N3i5a+2|D+tRd!r?Lv;bq)Ju&hR{Qn;FaH0{}DKaTfpp delta 262 zcmey%ev)0npo#gYK@+py0%j&gCMHgX$JZD9D!Z@sYof$9DFagjb3+RwLj%Joab80U z14Cm&D0gxV)56J}j7$014VoC44P@DvLuL6`#8@ULGKo$OVmen3Gsb`iBqhwkYQW6M z_}_q+jZ>@5qwPB{BO^B}19M{|gY5RJH4iu5IFKH@^>WAa0L{YW{xfRw#+;$fvsWLJ z-gBIBs?@L42Y=_h&gbG6d9zjjj*P+Gpy^j+I2nvB;!m#->lfU<<3ifQ5RK3F`?K=P zJhbA%mYi-7ThwGJ}td5@eP&)0| FTL53mWPJbt diff --git a/certs/1024/client-cert.pem b/certs/1024/client-cert.pem index 2f13e8e25..f99471e9d 100644 --- a/certs/1024/client-cert.pem +++ b/certs/1024/client-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 16417767964199037690 (0xe3d7a0fa76df2afa) + Serial Number: 15267089231539806063 (0xd3df98c4801f1f6f) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: May 7 18:21:01 2015 GMT - Not After : Jan 31 18:21:01 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,39 +28,43 @@ Certificate: X509v3 Authority Key Identifier: keyid:81:69:0F:F8:DF:DD:CF:34:29:D5:67:75:71:85:C7:75:10:69:59:EC DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_1024/OU=Programming-1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:E3:D7:A0:FA:76:DF:2A:FA + serial:D3:DF:98:C4:80:1F:1F:6F X509v3 Basic Constraints: CA:TRUE + Authority Information Access: + OCSP - URI:http://localhost:22222 + Signature Algorithm: sha256WithRSAEncryption - 1d:b7:d5:7c:e1:b1:d8:c0:67:5d:b5:d3:88:e7:50:29:71:63: - 8f:cc:26:1f:33:09:55:43:9b:ab:c6:1b:bc:c7:01:95:1a:fa: - 65:e0:fd:9c:eb:6f:0a:0f:14:ec:b5:2f:dc:1c:30:dd:52:97: - d4:1c:09:00:33:38:5f:cb:a8:16:8f:11:b7:b8:d0:66:e1:54: - 28:f3:3f:bf:6a:6f:76:48:2a:5e:56:a7:ce:1c:f0:04:dd:17: - bd:06:78:21:6d:d6:b1:9b:75:31:92:c1:fe:d4:8d:d4:67:2f: - 03:1b:27:8d:ab:ff:30:3b:c3:7f:23:e4:ab:5b:91:e1:1b:66: - e6:ed + 71:39:fa:86:c3:54:e5:98:b5:e8:c3:cb:97:2f:86:bf:e8:bc: + fb:eb:d8:73:97:34:9a:16:bf:e0:b2:bd:be:7d:ff:a0:d7:e6: + db:a3:52:43:41:60:f1:d7:c3:63:c0:9b:e2:b2:28:87:70:60: + 5d:2b:5d:56:15:3c:b1:1e:03:53:72:39:32:e2:47:85:f7:8b: + e8:38:50:a9:c9:d3:52:75:0e:16:14:a5:a5:c4:9f:3e:73:d8: + 38:79:bf:f7:9b:4d:0d:f3:aa:ce:a2:03:84:66:14:c9:01:f5: + 86:a5:66:a1:ca:6a:71:5f:2d:31:8e:1c:cc:0c:e6:46:99:5d: + 0a:4c -----BEGIN CERTIFICATE----- -MIIDxTCCAy6gAwIBAgIJAOPXoPp23yr6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +MIID+TCCA2KgAwIBAgIJANPfmMSAHx9vMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG A1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0xMDI0MRgw FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb20wHhcNMTUwNTA3MTgyMTAxWhcNMTgwMTMxMTgyMTAxWjCBnjELMAkG +ZnNzbC5jb20wHhcNMTUxMTIzMTI0OTM3WhcNMTgwODE5MTI0OTM3WjCBnjELMAkG A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT BgNVBAoMDHdvbGZTU0xfMTAyNDEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMTAyNDEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv bGZzc2wuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8cw6oSfN0oqnv GKXaVZkh+cjss21I5TU1dXc37NFhkF8+2eTV35TKwanXGdqGyehNxGE2gv6rrX53 JbuNEaW8YjqoOMw5ogRmtPf386raTQIOu16NaUjcd8koDiLpa6Qmukzowf1Kbysf -74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFIFp +74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBOzCCATcwHQYDVR0OBBYEFIFp D/jf3c80KdVndXGFx3UQaVnsMIHTBgNVHSMEgcswgciAFIFpD/jf3c80KdVndXGF x3UQaVnsoYGkpIGhMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ MA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQL DBBQcm9ncmFtbWluZy0xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAd -BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDj16D6dt8q+jAMBgNVHRME -BTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAB231XzhsdjAZ12104jnUClxY4/MJh8z -CVVDm6vGG7zHAZUa+mXg/ZzrbwoPFOy1L9wcMN1Sl9QcCQAzOF/LqBaPEbe40Gbh -VCjzP79qb3ZIKl5Wp84c8ATdF70GeCFt1rGbdTGSwf7UjdRnLwMbJ42r/zA7w38j -5KtbkeEbZubt +BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDT35jEgB8fbzAMBgNVHRME +BTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs +aG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOBgQBxOfqGw1TlmLXow8uXL4a/6Lz7 +69hzlzSaFr/gsr2+ff+g1+bbo1JDQWDx18NjwJvisiiHcGBdK11WFTyxHgNTcjky +4keF94voOFCpydNSdQ4WFKWlxJ8+c9g4eb/3m00N86rOogOEZhTJAfWGpWahympx +Xy0xjhzMDOZGmV0KTA== -----END CERTIFICATE----- diff --git a/certs/1024/server-cert.pem b/certs/1024/server-cert.pem index f278d2c0f..739d80ed5 100644 --- a/certs/1024/server-cert.pem +++ b/certs/1024/server-cert.pem @@ -2,11 +2,11 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Sep 23 19:23:38 2015 GMT - Not After : Jun 19 19:23:38 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,50 +28,54 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:8F:44:26:FF:B7:43:E1:9A + serial:E6:C8:64:7E:E6:3B:98:AA X509v3 Basic Constraints: CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0a:04:c7:9a:c4:f6:46:db:e4:85:d4:22:02:12:3e:53:27:25: - 24:8a:9b:2f:93:7f:de:70:94:c5:6c:4c:26:25:25:7a:d7:0f: - 33:b9:9c:d2:5a:94:7f:8d:30:75:ad:82:c9:bf:4b:6c:91:58: - 7c:45:1a:89:df:8e:ca:31:9f:ab:38:b3:ae:c2:8f:14:87:e6: - 1c:ab:12:4e:df:82:36:c9:41:46:c4:05:95:88:62:09:72:57: - 66:31:80:b8:9c:55:a8:fb:74:01:32:e7:5a:40:df:9b:e4:98: - d7:5b:ea:69:5c:14:1b:9b:8b:08:2d:d9:58:28:be:c9:01:e0: - e1:a9 + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + cb:33:02:ab:da:33:24:83:8f:e8:2b:29:13:94:58:f2:df:69: + 69:0c:2f:79:79:4f:fc:35:fd:a5:75:59:a5:18:74:02:79:50: + 49:2e:3b:16:28:4b:b5:0f:2a:a4:e7:b9:2a:33:50:eb:c4:7c: + b4:a2:af:8d:24:f3:27:48:58:01:ac:c0:5d:7a:90:6a:5b:f7: + 4f:d3:a5:96:24:24:96:47:2c:81:97:3c:03:1c:ad:90:c7:22: + 90:91:67:03:7f:81:51:c7:97:d7:76:85:82:66:1b:f8:03:d9: + ae:1d:b0:a1:20:05:55:68:2b:d7:eb:92:dc:ec:cd:be:c6:c8: + 53:df -----BEGIN CERTIFICATE----- -MIIDqTCCAxKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx +MIID3jCCA0egAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh d3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMMD3d3dy53 b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0x -NTA5MjMxOTIzMzhaFw0xODA2MTkxOTIzMzhaMIGVMQswCQYDVQQGEwJVUzEQMA4G +NTExMjMxMjQ5MzdaFw0xODA4MTkxMjQ5MzdaMIGVMQswCQYDVQQGEwJVUzEQMA4G A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4GA1UECgwHd29sZlNT TDEVMBMGA1UECwwMU3VwcG9ydF8xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5j b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBAKo+pZzTF0llQ97Q80sc20kM/HplBW3easTkcyyKloKP I6UGcRwGPi+SjQspNEVZ6am8YdckN121xDeNumey7wMn+sG0zWsAZrTWc3AfCDrM d63p+TTU86AtqedYqcBhhLbsPQqt/VyGc6prR9iLLlhLaRKCJlXmFL9VcIj++XXh -AgMBAAGjggEBMIH+MB0GA1UdDgQWBBTZPDXqdA4jvpz8+imQCcHnhBaffDCBzgYD -VR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SBnDCBmTELMAkGA1UE -BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV -BAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMM -D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACgTH -msT2RtvkhdQiAhI+UyclJIqbL5N/3nCUxWxMJiUletcPM7mc0lqUf40wda2Cyb9L -bJFYfEUaid+OyjGfqzizrsKPFIfmHKsSTt+CNslBRsQFlYhiCXJXZjGAuJxVqPt0 -ATLnWkDfm+SY11vqaVwUG5uLCC3ZWCi+yQHg4ak= +AgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU2Tw16nQOI76c/PopkAnB54QWn3wwgc4G +A1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+kgZwwgZkxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYD +VQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQD +DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggr +BgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOB +gQDLMwKr2jMkg4/oKykTlFjy32lpDC95eU/8Nf2ldVmlGHQCeVBJLjsWKEu1Dyqk +57kqM1DrxHy0oq+NJPMnSFgBrMBdepBqW/dP06WWJCSWRyyBlzwDHK2QxyKQkWcD +f4FRx5fXdoWCZhv4A9muHbChIAVVaCvX65Lc7M2+xshT3w== -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) - Serial Number: 10323419125573214618 (0x8f4426ffb743e19a) - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 16629652120256878762 (0xe6c8647ee63b98aa) + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Sep 23 19:23:38 2015 GMT - Not After : Jun 19 19:23:38 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -93,38 +97,42 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:8F:44:26:FF:B7:43:E1:9A + serial:E6:C8:64:7E:E6:3B:98:AA X509v3 Basic Constraints: CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0e:46:ac:d8:29:1d:12:12:06:0c:d3:3f:7d:58:2e:0d:11:5e: - 5d:0d:dd:17:c0:0f:aa:01:4d:a4:c4:84:81:6e:64:ae:d1:5d: - 58:cd:19:6a:74:a4:46:2f:c8:43:79:39:c0:91:4b:7c:71:ea: - 4e:63:44:66:15:41:15:de:50:82:e3:e9:d1:55:55:cc:5a:38: - 1e:3a:59:b3:0e:ee:0e:54:4d:93:e7:e0:8e:27:a5:6e:08:b8: - 6a:39:da:2d:47:62:c4:5b:89:c0:48:48:2a:d5:f0:55:74:fd: - a6:b1:68:3c:70:a4:52:24:81:ec:4c:57:e0:e8:18:73:9d:0a: - 4d:d8 + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 82:53:ec:89:0a:6a:1b:ae:c3:69:fc:22:b5:d7:d2:f4:0b:6d: + 18:72:f5:64:7f:bb:80:57:e3:f3:b2:af:e1:89:47:03:19:dd: + 6f:62:ed:2b:24:d3:a2:77:c0:83:6a:fb:0f:55:93:78:15:4a: + c1:e0:13:f2:65:9c:7a:8c:6c:98:57:f0:44:9d:3a:9e:6a:30: + 08:9f:33:ce:0d:7e:86:6f:ef:0e:34:41:b9:c6:1d:34:c6:28: + 1e:f9:81:be:68:3d:77:92:50:c5:f8:2f:4c:aa:db:5f:72:93: + 42:eb:8a:cf:24:a0:d9:25:44:46:8b:ed:de:46:d5:1a:90:e9: + d6:d8 -----BEGIN CERTIFICATE----- -MIIDtTCCAx6gAwIBAgIJAI9EJv+3Q+GaMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD +MIID6jCCA1OgAwIBAgIJAObIZH7mO5iqMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MDkyMzE5MjMzOFoXDTE4MDYxOTE5MjMzOFowgZkxCzAJBgNVBAYT +Y29tMB4XDTE1MTEyMzEyNDkzN1oXDTE4MDgxOTEyNDkzN1owgZkxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq -1OWIGLMRL3PA1ikJAgMBAAGjggEBMIH+MB0GA1UdDgQWBBTTIo8oLOAF7tPtw3E9 -ybI2Oh2/qDCBzgYDVR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SB -nDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv -emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEw -MjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m -b0B3b2xmc3NsLmNvbYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN -AQEFBQADgYEADkas2CkdEhIGDNM/fVguDRFeXQ3dF8APqgFNpMSEgW5krtFdWM0Z -anSkRi/IQ3k5wJFLfHHqTmNEZhVBFd5QguPp0VVVzFo4HjpZsw7uDlRNk+fgjiel -bgi4ajnaLUdixFuJwEhIKtXwVXT9prFoPHCkUiSB7ExX4OgYc50KTdg= +1OWIGLMRL3PA1ikJAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx +PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k +gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x +MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu +Zm9Ad29sZnNzbC5jb22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUF +BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkq +hkiG9w0BAQsFAAOBgQCCU+yJCmobrsNp/CK119L0C20YcvVkf7uAV+Pzsq/hiUcD +Gd1vYu0rJNOid8CDavsPVZN4FUrB4BPyZZx6jGyYV/BEnTqeajAInzPODX6Gb+8O +NEG5xh00xige+YG+aD13klDF+C9MqttfcpNC64rPJKDZJURGi+3eRtUakOnW2A== -----END CERTIFICATE----- diff --git a/certs/ca-cert.der b/certs/ca-cert.der index d0eab7a3ce08847c4bc6c9160c266eaa3289778b..b61188892a7dd9a237caaa5a29e55d4c226cf4d5 100644 GIT binary patch delta 427 zcmZ3-`Gix#po!&yK@;UVL7$sbh)$ zi#*ld>^s4$^)I{kTvK0dx##k!8;sMIxP)6wUVZrU)b#rEs+|1xi{c{2UsOTLen-z&5+ zGp1#KP~*2`QTysNBf);ENBq{@b3+RwLj%Joab80U z14Cm&2zTS%{fzvLe+(Lb8pyIShsyG?h_Ot*$Rs-X5YrJcme3-%Iozu8yg+^Iwar-^d`#3f2WSd!2Z*qN&$7|f7q^OnoN+EI4WLY)YKSX5~{O5>Ic-mHaz_?S!r(gpU*7{QpecaC#lU7m54NEyYqX)wzAld z2lY?rC(SutPxVc-WXjWrbN-4VW1j{~H*wacHwKva+%> zGP0-{s2C{0_y&w^Vi_eR1y=g{Ir+(nIT`uIC00ftV8F}9snzDu_MMlJk(-r)xrvdH zp?YF+uVqMz%@+HsC;azw?_VD?$MHCKQ0}o0_iFyn_WSp_UTG%pfn;mha9f7)^G&Gn13-~8swXIdM0pzLlM z*EwF!XDggGupMT3E^}O6+khxZK;@Z T-RsYsBQ=r=&3u3DeU}3Odz7!9 delta 378 zcmZqTI>#wt(8O}epow|Y0%j&gCMHgXRqC6Mt}M#qohY$Q%D~jX+|a_v(7-TCoY&C8 zz|hzb%ALf#aC0Z4CL=4mK@%hMtPxVc-WXjWrbN-4VW1j{~PeKacZ@Bw0-Ag zWaMULU~Xb$WC)zLTt+QcX2LO}`O`!{$v&SvXH99?)V~S^t6j4=H+=rYyyEs9{XO#S zRg16mU-g_`XA`n!G^zNmIeqhTlWko0wiZ@#F0;GV6w#SJ z=V(UKF1BlyyH8skc#tfAoM(gVWwcd8VA-c!;y|W9q&1B2Pexet- z<6CCPo}Ita{k3(N!M3tV2R-8VOx+M56?#I)FUh?1-P&TD94 zU}0zp3#yj;etp+@7%%QTvEUX61jEw&cjMzA|*%(<_ z*%=vG)C^P%lwf=V#x}8xl9B=|ef^yLm)V&l+i^EhYA!py|%!C>IZ zq{uK|<&gEWr&_ufXQrR}`u5_r36f%BKjww4d@C(EDTHtNBPK(N zW@2_{FmPc~D5+joH|Ip=)GqF|^(W13ZR)qb|9orqs|(A^xR#U)eP6+(P&l={bNhp)SWz)>2dwCGz(AH*>@TZc-WXjWrbN-4VW1j{~H*wacHwKva+%>GP0-{ zs2C{0_y&w^Vi_eR1y=g{Ir+(nIT`uIC00ftV8F}9snzDu_MMlJk(-r)xrvdHp-{X( zzxJ9SW96Echkh4kX7i*>JZRKCC#h&_((WJUbJXwGe@MCJ73yE_)m_~XZL`2|gX$zE zra3d0_VFaX-y+ATC-ZVnr0)AXX5WvIPvbMwVz{22{Z^vT=JTyzsV$@KU%I`m!h&4XUcvbxx zJ%LHv7yUe##FJpnlR2wURB(^^{yt@qLmPSTce={m7kM$&v_pNx>bo_{_PhW2@x5C1 z?rZt)RXa3{etFrc_B-dC>d%^r6IMzYpTy)YU9wkUY5%nS zU{dm~qrcW&QfQRA#IsHW~ z*8OXY*3JmuCp^hTVCm;|kJ4_rtejG4e?ea%vi(Vv!@EmQc+RO#xx@d@;(=q3NzCrU zw-3gb9ggKQ%G93A_*N%C+P{3|${U3Sr}cCS7* Date: Mon, 23 Nov 2015 13:34:27 -0300 Subject: [PATCH 078/177] adds next update time to ocspd.sh --- certs/ocsp/ocspd.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/certs/ocsp/ocspd.sh b/certs/ocsp/ocspd.sh index 98e1a10d0..6f7ce20fe 100755 --- a/certs/ocsp/ocspd.sh +++ b/certs/ocsp/ocspd.sh @@ -5,4 +5,5 @@ openssl ocsp -index index.txt \ -rsigner ocsp-cert.pem \ -rkey ocsp-key.pem \ -CA ../ca-cert.pem \ + -nmin 1 \ -text From 96e18a8c685d298f5c3f787dd2a9c9f153be2a49 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 23 Nov 2015 15:08:25 -0300 Subject: [PATCH 079/177] adds next update verification when decoding the OcspResponse; fixes memleak in GetOcspStatus(); If the status was outdated, the responseBuffer was allocated twice; consider error in OcspResponseDecode() also a BAD_CERTIFICATE_STATUS_ERROR; --- src/internal.c | 13 +++++-------- src/ocsp.c | 16 +++++++++------- wolfcrypt/src/asn.c | 24 +++++++++++++----------- 3 files changed, 27 insertions(+), 26 deletions(-) diff --git a/src/internal.c b/src/internal.c index c7fcd29c7..905e88a95 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4861,14 +4861,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, InitOcspResponse(response, status, input +*inOutIdx, status_length); - if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) { - if (response->responseStatus != OCSP_SUCCESSFUL) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (CompareOcspReqResp(request, response) != 0) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (response->status->status != CERT_GOOD) - ret = BAD_CERTIFICATE_STATUS_ERROR; - } + if ((OcspResponseDecode(response, ssl->ctx->cm) != 0) + || (response->responseStatus != OCSP_SUCCESSFUL) + || (response->status->status != CERT_GOOD) + || (CompareOcspReqResp(request, response) != 0)) + ret = BAD_CERTIFICATE_STATUS_ERROR; *inOutIdx += status_length; diff --git a/src/ocsp.c b/src/ocsp.c index 7852c2bcb..7283e66ad 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -216,17 +216,19 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) && ((*status)->nextDate[0] != 0) && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) + { ret = xstat2err((*status)->status); - if (responseBuffer) { - responseBuffer->buffer = (byte*)XMALLOC( + if (responseBuffer) { + responseBuffer->buffer = (byte*)XMALLOC( (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (responseBuffer->buffer) { - responseBuffer->length = (*status)->rawOcspResponseSz; - XMEMCPY(responseBuffer->buffer, - (*status)->rawOcspResponse, - (*status)->rawOcspResponseSz); + if (responseBuffer->buffer) { + responseBuffer->length = (*status)->rawOcspResponseSz; + XMEMCPY(responseBuffer->buffer, + (*status)->rawOcspResponse, + (*status)->rawOcspResponseSz); + } } } } diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 935574ac7..728a8f737 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8520,6 +8520,8 @@ static int DecodeSingleResponse(byte* source, if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0) return ASN_PARSE_E; + if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) + return ASN_AFTER_DATE_E; } if (((int)(idx - prevIndex) < wrapperSz) && (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) @@ -8594,7 +8596,7 @@ static int DecodeOcspRespExtensions(byte* source, WOLFSSL_MSG("\tfail: extension data length"); return ASN_PARSE_E; } - + resp->nonce = source + idx; resp->nonceSz = length; } @@ -8758,8 +8760,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, else { Signer* ca = GetCA(cm, resp->issuerHash); - if (!ca || !ConfirmSignature(resp->response, resp->responseSz, - ca->publicKey, ca->pubKeySize, ca->keyOID, + if (!ca || !ConfirmSignature(resp->response, resp->responseSz, + ca->publicKey, ca->pubKeySize, ca->keyOID, resp->sig, resp->sigSz, resp->sigOID, NULL)) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); return ASN_OCSP_CONFIRM_E; @@ -8861,28 +8863,28 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) if (totalSz < size) { totalSz = 0; - + XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); totalSz += seqSz[5]; - + XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); totalSz += seqSz[4]; - + XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); totalSz += seqSz[3]; - + XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); totalSz += seqSz[2]; - + XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); totalSz += (word32)sizeof(NonceObjId); - + XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); totalSz += seqSz[1]; - + XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); totalSz += seqSz[0]; - + XMEMCPY(output + totalSz, req->nonce, req->nonceSz); totalSz += req->nonceSz; } From 32b2d7f9e425f729330035265dbcd924a1b783a2 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 23 Nov 2015 14:15:12 -0800 Subject: [PATCH 080/177] have calling thread wait for crl monitor thread to setup for simpler cleanup --- configure.ac | 2 +- examples/server/server.c | 16 ++++++--- src/crl.c | 77 +++++++++++++++++++++++++++++++++------- src/internal.c | 4 +-- support/wolfssl.pc | 2 +- wolfssl/error-ssl.h | 2 +- wolfssl/internal.h | 10 +++--- wolfssl/version.h | 4 +-- 8 files changed, 90 insertions(+), 27 deletions(-) diff --git a/configure.ac b/configure.ac index 11c5bd149..a4ccb5ce0 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.7.1],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.7.2],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) diff --git a/examples/server/server.c b/examples/server/server.c index 1808240a8..20c53ab45 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -266,6 +266,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int throughput = 0; int minDhKeyBits = DEFAULT_MIN_DHKEY_BITS; int doListen = 1; + int crlFlags = 0; int ret; char* alpnList = NULL; unsigned char alpn_opt = 0; @@ -309,6 +310,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) (void)minDhKeyBits; (void)alpnList; (void)alpn_opt; + (void)crlFlags; #ifdef CYASSL_TIRTOS fdOpenSession(Task_self()); @@ -709,10 +711,16 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) wolfSSL_SetHsDoneCb(ssl, myHsDoneCb, NULL); #endif #ifdef HAVE_CRL - CyaSSL_EnableCRL(ssl, 0); - CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, CYASSL_CRL_MONITOR | - CYASSL_CRL_START_MON); - CyaSSL_SetCRL_Cb(ssl, CRL_CallBack); +#ifdef HAVE_CRL_MONITOR + crlFlags = CYASSL_CRL_MONITOR | CYASSL_CRL_START_MON; +#endif + if (CyaSSL_EnableCRL(ssl, 0) != SSL_SUCCESS) + err_sys("unable to enable CRL"); + if (CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, crlFlags) + != SSL_SUCCESS) + err_sys("unable to load CRL"); + if (CyaSSL_SetCRL_Cb(ssl, CRL_CallBack) != SSL_SUCCESS) + err_sys("unable to set CRL callback url"); #endif #ifdef HAVE_OCSP if (useOcsp) { diff --git a/src/crl.c b/src/crl.c index 51bff821a..244a686f7 100644 --- a/src/crl.c +++ b/src/crl.c @@ -55,8 +55,10 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm) crl->monitors[0].path = NULL; crl->monitors[1].path = NULL; #ifdef HAVE_CRL_MONITOR - crl->tid = 0; - crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */ + crl->tid = 0; + crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */ + crl->setup = 0; /* thread setup done predicate */ + pthread_cond_init(&crl->cond, 0); #endif if (InitMutex(&crl->crlLock) != 0) return BAD_MUTEX_E; @@ -120,7 +122,7 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) FreeCRL_Entry(tmp); XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY); tmp = next; - } + } #ifdef HAVE_CRL_MONITOR if (crl->tid != 0) { @@ -128,10 +130,10 @@ void FreeCRL(WOLFSSL_CRL* crl, int dynamic) if (StopMonitor(crl->mfd) == 0) pthread_join(crl->tid, NULL); else { - WOLFSSL_MSG("stop monitor failed, cancel instead"); - pthread_cancel(crl->tid); + WOLFSSL_MSG("stop monitor failed"); } } + pthread_cond_destroy(&crl->cond); #endif FreeMutex(&crl->crlLock); if (dynamic) /* free self */ @@ -324,6 +326,24 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) #ifdef HAVE_CRL_MONITOR +/* Signal Monitor thread is setup, save status to setup flag, 0 on success */ +static int SignalSetup(WOLFSSL_CRL* crl, int status) +{ + /* signal to calling thread we're setup */ + if (LockMutex(&crl->crlLock) != 0) { + WOLFSSL_MSG("LockMutex crlLock failed"); + return BAD_MUTEX_E; + } + + crl->setup = status; + pthread_cond_signal(&crl->cond); + + UnLockMutex(&crl->crlLock); + + return 0; +} + + /* read in new CRL entries and save new list */ static int SwapLists(WOLFSSL_CRL* crl) { @@ -451,6 +471,7 @@ static void* DoMonitor(void* arg) crl->mfd = kqueue(); if (crl->mfd == -1) { WOLFSSL_MSG("kqueue failed"); + SignalSetup(crl, MONITOR_SETUP_E); return NULL; } @@ -458,6 +479,7 @@ static void* DoMonitor(void* arg) EV_SET(&change, CRL_CUSTOM_FD, EVFILT_USER, EV_ADD, 0, 0, NULL); if (kevent(crl->mfd, &change, 1, NULL, 0, NULL) < 0) { WOLFSSL_MSG("kevent monitor customer event failed"); + SignalSetup(crl, MONITOR_SETUP_E); close(crl->mfd); return NULL; } @@ -469,6 +491,7 @@ static void* DoMonitor(void* arg) fPEM = open(crl->monitors[0].path, XEVENT_MODE); if (fPEM == -1) { WOLFSSL_MSG("PEM event dir open failed"); + SignalSetup(crl, MONITOR_SETUP_E); close(crl->mfd); return NULL; } @@ -479,6 +502,7 @@ static void* DoMonitor(void* arg) if (fDER == -1) { WOLFSSL_MSG("DER event dir open failed"); close(crl->mfd); + SignalSetup(crl, MONITOR_SETUP_E); return NULL; } } @@ -491,6 +515,10 @@ static void* DoMonitor(void* arg) EV_SET(&change, fDER, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); + /* signal to calling thread we're setup */ + if (SignalSetup(crl, 1) != 0) + return NULL; + for (;;) { struct kevent event; int numEvents = kevent(crl->mfd, &change, 1, &event, 1, NULL); @@ -571,6 +599,7 @@ static void* DoMonitor(void* arg) crl->mfd = eventfd(0, 0); /* our custom shutdown event */ if (crl->mfd < 0) { WOLFSSL_MSG("eventfd failed"); + SignalSetup(crl, MONITOR_SETUP_E); return NULL; } @@ -578,6 +607,7 @@ static void* DoMonitor(void* arg) if (notifyFd < 0) { WOLFSSL_MSG("inotify failed"); close(crl->mfd); + SignalSetup(crl, MONITOR_SETUP_E); return NULL; } @@ -588,6 +618,7 @@ static void* DoMonitor(void* arg) WOLFSSL_MSG("PEM notify add watch failed"); close(crl->mfd); close(notifyFd); + SignalSetup(crl, MONITOR_SETUP_E); return NULL; } } @@ -599,6 +630,7 @@ static void* DoMonitor(void* arg) WOLFSSL_MSG("DER notify add watch failed"); close(crl->mfd); close(notifyFd); + SignalSetup(crl, MONITOR_SETUP_E); return NULL; } } @@ -609,6 +641,10 @@ static void* DoMonitor(void* arg) return NULL; #endif + /* signal to calling thread we're setup */ + if (SignalSetup(crl, 1) != 0) + return NULL; + for (;;) { fd_set readfds; int result; @@ -666,26 +702,43 @@ static void* DoMonitor(void* arg) /* Start Monitoring the CRL path(s) in a thread */ static int StartMonitorCRL(WOLFSSL_CRL* crl) { - pthread_attr_t attr; + int ret = SSL_SUCCESS; WOLFSSL_ENTER("StartMonitorCRL"); - if (crl == NULL) + if (crl == NULL) return BAD_FUNC_ARG; if (crl->tid != 0) { WOLFSSL_MSG("Monitor thread already running"); - return MONITOR_RUNNING_E; + return ret; /* that's ok, someone already started */ } - pthread_attr_init(&attr); - - if (pthread_create(&crl->tid, &attr, DoMonitor, crl) != 0) { + if (pthread_create(&crl->tid, NULL, DoMonitor, crl) != 0) { WOLFSSL_MSG("Thread creation error"); return THREAD_CREATE_E; } - return SSL_SUCCESS; + /* wait for setup to complete */ + if (LockMutex(&crl->crlLock) != 0) { + WOLFSSL_MSG("LockMutex crlLock error"); + return BAD_MUTEX_E; + } + + while (crl->setup == 0) + pthread_cond_wait(&crl->cond, &crl->crlLock); + + if (crl->setup < 0) + ret = crl->setup; /* store setup error */ + + UnLockMutex(&crl->crlLock); + + if (ret < 0) { + WOLFSSL_MSG("DoMonitor setup failure"); + crl->tid = 0; /* thread already done */ + } + + return ret; } diff --git a/src/internal.c b/src/internal.c index 31a7d943f..2487af3b7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8626,8 +8626,8 @@ const char* wolfSSL_ERR_reason_error_string(unsigned long e) case CRL_MISSING: return "CRL missing, not loaded"; - case MONITOR_RUNNING_E: - return "CRL monitor already running"; + case MONITOR_SETUP_E: + return "CRL monitor setup error"; case THREAD_CREATE_E: return "Thread creation problem"; diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 8e2be0eab..ac202dc30 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.7.1 +Version: 3.7.2 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfssl/error-ssl.h b/wolfssl/error-ssl.h index bfccee9cd..5ebd28cd3 100644 --- a/wolfssl/error-ssl.h +++ b/wolfssl/error-ssl.h @@ -94,7 +94,7 @@ enum wolfSSL_ErrorCodes { OCSP_CERT_REVOKED = -360, /* OCSP Certificate revoked */ CRL_CERT_REVOKED = -361, /* CRL Certificate revoked */ CRL_MISSING = -362, /* CRL Not loaded */ - MONITOR_RUNNING_E = -363, /* CRL Monitor already running */ + MONITOR_SETUP_E = -363, /* CRL Monitor setup error */ THREAD_CREATE_E = -364, /* Thread Create Error */ OCSP_NEED_URL = -365, /* OCSP need an URL for lookup */ OCSP_CERT_UNKNOWN = -366, /* OCSP responder doesn't know */ diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 76f7f108a..c688843cb 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1339,12 +1339,14 @@ struct CRL_Monitor { /* wolfSSL CRL controller */ struct WOLFSSL_CRL { WOLFSSL_CERT_MANAGER* cm; /* pointer back to cert manager */ - CRL_Entry* crlList; /* our CRL list */ + CRL_Entry* crlList; /* our CRL list */ wolfSSL_Mutex crlLock; /* CRL list lock */ - CRL_Monitor monitors[2]; /* PEM and DER possible */ + CRL_Monitor monitors[2]; /* PEM and DER possible */ #ifdef HAVE_CRL_MONITOR - pthread_t tid; /* monitoring thread */ - int mfd; /* monitor fd, -1 if no init yet */ + pthread_cond_t cond; /* condition to signal setup */ + pthread_t tid; /* monitoring thread */ + int mfd; /* monitor fd, -1 if no init yet */ + int setup; /* thread is setup predicate */ #endif }; diff --git a/wolfssl/version.h b/wolfssl/version.h index 0a963865f..cd01ec856 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.7.1" -#define LIBWOLFSSL_VERSION_HEX 0x03007001 +#define LIBWOLFSSL_VERSION_STRING "3.7.2" +#define LIBWOLFSSL_VERSION_HEX 0x03007002 #ifdef __cplusplus } From c3b3ba4a2a3b288bd194d94c073a5ff7fa679632 Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 23 Nov 2015 14:41:24 -0800 Subject: [PATCH 081/177] Fixes "warning: Size argument is greater than the free space in the destination buffer" with XSTRNCAT(). --- wolfssl/test.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfssl/test.h b/wolfssl/test.h index ead682173..f2c7b3dfd 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1185,10 +1185,10 @@ static INLINE int OpenNitroxDevice(int dma_mode,int dev_id) return depth; } #ifdef USE_WINDOWS_API - XSTRNCAT(path, "..\\", MAX_PATH); + XSTRNCAT(path, "..\\", MAX_PATH - XSTRLEN(path)); SetCurrentDirectoryA(path); #else - XSTRNCAT(path, "../", MAX_PATH); + XSTRNCAT(path, "../", MAX_PATH - XSTRLEN(path)); if (chdir(path) < 0) { printf("chdir to %s failed\n", path); break; From 91b7cddb7c619c719ecd746e48d6fa77fbd77e2c Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 23 Nov 2015 15:13:36 -0800 Subject: [PATCH 082/177] better error checking on condition variable operations, cleanup --- src/crl.c | 47 +++++++++++++++++++++++++++------ wolfcrypt/src/error.c | 3 +++ wolfssl/wolfcrypt/error-crypt.h | 1 + 3 files changed, 43 insertions(+), 8 deletions(-) diff --git a/src/crl.c b/src/crl.c index 244a686f7..03515bd3d 100644 --- a/src/crl.c +++ b/src/crl.c @@ -58,10 +58,15 @@ int InitCRL(WOLFSSL_CRL* crl, WOLFSSL_CERT_MANAGER* cm) crl->tid = 0; crl->mfd = -1; /* mfd for bsd is kqueue fd, eventfd for linux */ crl->setup = 0; /* thread setup done predicate */ - pthread_cond_init(&crl->cond, 0); + if (pthread_cond_init(&crl->cond, 0) != 0) { + WOLFSSL_MSG("Pthread condition init failed"); + return BAD_COND_E; + } #endif - if (InitMutex(&crl->crlLock) != 0) - return BAD_MUTEX_E; + if (InitMutex(&crl->crlLock) != 0) { + WOLFSSL_MSG("Init Mutex failed"); + return BAD_MUTEX_E; + } return 0; } @@ -329,6 +334,8 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type) /* Signal Monitor thread is setup, save status to setup flag, 0 on success */ static int SignalSetup(WOLFSSL_CRL* crl, int status) { + int ret; + /* signal to calling thread we're setup */ if (LockMutex(&crl->crlLock) != 0) { WOLFSSL_MSG("LockMutex crlLock failed"); @@ -336,10 +343,13 @@ static int SignalSetup(WOLFSSL_CRL* crl, int status) } crl->setup = status; - pthread_cond_signal(&crl->cond); + ret = pthread_cond_signal(&crl->cond); UnLockMutex(&crl->crlLock); + if (ret != 0) + return BAD_COND_E; + return 0; } @@ -501,6 +511,8 @@ static void* DoMonitor(void* arg) fDER = open(crl->monitors[1].path, XEVENT_MODE); if (fDER == -1) { WOLFSSL_MSG("DER event dir open failed"); + if (fPEM != -1) + close(fPEM); close(crl->mfd); SignalSetup(crl, MONITOR_SETUP_E); return NULL; @@ -516,8 +528,14 @@ static void* DoMonitor(void* arg) NOTE_DELETE | NOTE_EXTEND | NOTE_WRITE | NOTE_ATTRIB, 0, 0); /* signal to calling thread we're setup */ - if (SignalSetup(crl, 1) != 0) + if (SignalSetup(crl, 1) != 0) { + if (fPEM != -1) + close(fPEM); + if (fDER != -1) + close(fDER); + close(crl->mfd); return NULL; + } for (;;) { struct kevent event; @@ -642,8 +660,17 @@ static void* DoMonitor(void* arg) #endif /* signal to calling thread we're setup */ - if (SignalSetup(crl, 1) != 0) + if (SignalSetup(crl, 1) != 0) { + #ifdef WOLFSSL_SMALL_STACK + XFREE(buff, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + if (wd > 0) + inotify_rm_watch(notifyFd, wd); + close(crl->mfd); + close(notifyFd); return NULL; + } for (;;) { fd_set readfds; @@ -725,8 +752,12 @@ static int StartMonitorCRL(WOLFSSL_CRL* crl) return BAD_MUTEX_E; } - while (crl->setup == 0) - pthread_cond_wait(&crl->cond, &crl->crlLock); + while (crl->setup == 0) { + if (pthread_cond_wait(&crl->cond, &crl->crlLock) != 0) { + ret = BAD_COND_E; + break; + } + } if (crl->setup < 0) ret = crl->setup; /* store setup error */ diff --git a/wolfcrypt/src/error.c b/wolfcrypt/src/error.c index 36271c3cc..dd570a31a 100644 --- a/wolfcrypt/src/error.c +++ b/wolfcrypt/src/error.c @@ -364,6 +364,9 @@ const char* wc_GetErrorString(int error) case SIG_VERIFY_E: return "Signature verify error"; + case BAD_COND_E: + return "Bad condition variable operation error"; + default: return "unknown error number"; diff --git a/wolfssl/wolfcrypt/error-crypt.h b/wolfssl/wolfcrypt/error-crypt.h index adf2d96b3..187ef324a 100644 --- a/wolfssl/wolfcrypt/error-crypt.h +++ b/wolfssl/wolfcrypt/error-crypt.h @@ -163,6 +163,7 @@ enum { WC_INIT_E = -228, /* wolfcrypt failed to initialize */ SIG_VERIFY_E = -229, /* wolfcrypt signature verify error */ + BAD_COND_E = -230, /* Bad condition variable operation */ MIN_CODE_E = -300 /* errors -101 - -299 */ }; From e4bed957b3b0ff1d7a56d57c4b57a390c3426be2 Mon Sep 17 00:00:00 2001 From: Takashi Kojo Date: Tue, 24 Nov 2015 11:26:08 +0900 Subject: [PATCH 083/177] #1591: fixed macro control for MDK4 --- src/io.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/io.c b/src/io.c index 3df6570b9..6e40639b2 100644 --- a/src/io.c +++ b/src/io.c @@ -62,14 +62,14 @@ #elif defined(FREESCALE_KSDK_MQX) #include #elif defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) - #if defined(WOLFSSL_MDK5) || defined(WOLFSSL_KEIL_TCP_NET) + #if !defined(WOLFSSL_MDK_ARM) #include "cmsis_os.h" + #include "rl_net.h" #else #include #endif #include "errno.h" #define SOCKET_T int - #include "rl_net.h" #elif defined(WOLFSSL_TIRTOS) #include #elif defined(FREERTOS_TCP) @@ -153,7 +153,7 @@ #define SOCKET_ECONNABORTED NIO_ECONNABORTED #endif #elif defined(WOLFSSL_MDK_ARM)|| defined(WOLFSSL_KEIL_TCP_NET) - #if defined(WOLFSSL_MDK5)|| defined(WOLFSSL_KEIL_TCP_NET) + #if !defined(WOLFSSL_MDK_ARM) #define SOCKET_EWOULDBLOCK BSD_ERROR_WOULDBLOCK #define SOCKET_EAGAIN BSD_ERROR_LOCKED #define SOCKET_ECONNRESET BSD_ERROR_CLOSED From f9d6464793530d5b780380e40923e418e8457100 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 23 Nov 2015 18:05:55 -0300 Subject: [PATCH 084/177] adds basic extension code for CERTIFICATE_STATUS_REQUEST_V2; fixes EncodeOcspRequestExtensions() length check; --- configure.ac | 21 +++ examples/client/client.c | 18 ++- examples/server/server.c | 3 +- src/internal.c | 30 +++- src/ssl.c | 34 +++- src/tls.c | 328 ++++++++++++++++++++++++++++++++++++++- wolfcrypt/src/asn.c | 42 ++--- wolfssl/internal.h | 26 +++- wolfssl/ssl.h | 24 +++ 9 files changed, 489 insertions(+), 37 deletions(-) diff --git a/configure.ac b/configure.ac index 11c5bd149..e7bd09bad 100644 --- a/configure.ac +++ b/configure.ac @@ -1676,6 +1676,26 @@ then fi fi +# Certificate Status Request v2 : a.k.a. OCSP stapling v2 +AC_ARG_ENABLE([ocspstapling2], + [AS_HELP_STRING([--enable-ocspstapling2],[Enable Certificate Status Request v2 - a.k.a. OCSP Stapling v2 (default: disabled)])], + [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ], + [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ] + ) + +if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2" + + # Requires OCSP make sure on + if test "x$ENABLED_OCSP" = "xno" + then + ENABLED_OCSP="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" + AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + fi +fi + # Renegotiation Indication - (FAKE Secure Renegotiation) AC_ARG_ENABLE([renegotiation-indication], [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])], @@ -2720,6 +2740,7 @@ echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" echo " * Certificate Status Request: $ENABLED_CERTIFICATE_STATUS_REQUEST" +echo " * Certificate Status Request v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2" echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * Session Ticket: $ENABLED_SESSION_TICKET" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" diff --git a/examples/client/client.c b/examples/client/client.c index f5d005acd..79d735b44 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -358,7 +358,8 @@ static void Usage(void) printf("-o Perform OCSP lookup on peer certificate\n"); printf("-O Perform OCSP lookup using as responder\n"); #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) printf("-W Use OCSP Stapling\n"); #endif #ifdef ATOMIC_USER @@ -440,7 +441,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_TRUNCATED_HMAC byte truncatedHMAC = 0; #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) byte statusRequest = 0; #endif @@ -674,7 +676,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) break; case 'W' : - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) statusRequest = 1; #endif break; @@ -1010,6 +1013,15 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) wolfSSL_CTX_EnableOCSP(ctx, 0); } #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (statusRequest) { + if (wolfSSL_UseCertificateStatusRequestV2(ssl, WOLFSSL_CSR2_OCSP, + WOLFSSL_CSR2_OCSP_USE_NONCE) != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); + + wolfSSL_CTX_EnableOCSP(ctx, 0); + } +#endif tcp_connect(&sockfd, host, port, doDTLS, ssl); diff --git a/examples/server/server.c b/examples/server/server.c index 56a0c680d..000d35a1c 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -725,7 +725,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); } #endif -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS) err_sys("can't enable OCSP Stapling Certificate Manager"); if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS) diff --git a/src/internal.c b/src/internal.c index 905e88a95..163c34d5e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4822,9 +4822,11 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, return BUFFER_ERROR; switch (status_type) { - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - case WOLFSSL_CSR_OCSP: { + /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ + case WOLFSSL_CSR2_OCSP: { OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions); #ifdef WOLFSSL_SMALL_STACK @@ -4842,6 +4844,12 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + ssl->status_request_v2 = 0; + break; + } + #endif return BUFFER_ERROR; } while(0); @@ -8147,7 +8155,8 @@ int SendCertificateRequest(WOLFSSL* ssl) } -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer status) { byte* output = NULL; @@ -8232,9 +8241,15 @@ int SendCertificateStatus(WOLFSSL* ssl) status_type = ssl->status_request; #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + status_type = status_type ? status_type : ssl->status_request_v2; +#endif + switch (status_type) { -#if defined HAVE_CERTIFICATE_STATUS_REQUEST - case WOLFSSL_CSR_OCSP: { +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + /* case WOLFSSL_CSR_OCSP: */ + case WOLFSSL_CSR2_OCSP: { OcspRequest* request = ssl->ctx->certOcspRequest; buffer response = {NULL, 0}; @@ -8321,6 +8336,11 @@ int SendCertificateStatus(WOLFSSL* ssl) break; #endif +#if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 + case WOLFSSL_CSR2_OCSP_MULTI: + break; +#endif + default: break; } diff --git a/src/ssl.c b/src/ssl.c index 38c7d7ea7..e7cecf9f3 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -826,6 +826,31 @@ int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +int wolfSSL_UseCertificateStatusRequestV2(WOLFSSL* ssl, byte status_type, + byte options) +{ + if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequestV2(&ssl->extensions, status_type, + options); +} + + +int wolfSSL_CTX_UseCertificateStatusRequestV2(WOLFSSL_CTX* ctx, + byte status_type, byte options) +{ + if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequestV2(&ctx->extensions, status_type, + options); +} + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + /* Elliptic Curves */ #ifdef HAVE_SUPPORTED_CURVES #ifndef NO_WOLFSSL_CLIENT @@ -1643,7 +1668,8 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) #ifdef HAVE_OCSP if (cm->ocsp) FreeOCSP(cm->ocsp, 1); - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (cm->ocsp_stapling) FreeOCSP(cm->ocsp_stapling, 1); #endif @@ -3473,7 +3499,8 @@ int wolfSSL_CertManagerEnableOCSPStapling(WOLFSSL_CERT_MANAGER* cm) if (cm == NULL) return BAD_FUNC_ARG; - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (cm->ocsp_stapling == NULL) { cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP), cm->heap, DYNAMIC_TYPE_OCSP); @@ -3669,7 +3696,8 @@ int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX* ctx, CbOCSPIO ioCb, return BAD_FUNC_ARG; } -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX* ctx) { WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSPStapling"); diff --git a/src/tls.c b/src/tls.c index 652c6dabf..ba8bd1a7d 100644 --- a/src/tls.c +++ b/src/tls.c @@ -919,7 +919,7 @@ static word16 TLSX_ALPN_GetSize(ALPN *list) length++; /* protocol name length is on one byte */ length += (word16)XSTRLEN(alpn->protocol_name); } - + return length; } @@ -946,7 +946,7 @@ static word16 TLSX_ALPN_Write(ALPN *list, byte *output) /* writing list length */ c16toa(offset - OPAQUE16_LEN, output); - + return offset; } @@ -1917,6 +1917,7 @@ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) if (csr->request.ocsp.nonceSz) size += OCSP_NONCE_EXT_SZ; + break; } } #endif @@ -1949,7 +1950,7 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, length = EncodeOcspRequestExtensions( &csr->request.ocsp, output + offset + OPAQUE16_LEN, - MAX_OCSP_EXT_SZ); + OCSP_NONCE_EXT_SZ); c16toa(length, output + offset); offset += OPAQUE16_LEN + length; @@ -2052,6 +2053,13 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, break; } + /* if using status_request and already sending it, skip this one */ + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) + return 0; + #endif + + /* accept the first good status_type and return */ ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, 0); if (ret != SSL_SUCCESS) @@ -2187,6 +2195,301 @@ int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ +/******************************************************************************/ +/* Certificate Status Request v2 */ +/******************************************************************************/ + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2) +{ + CertificateStatusRequestItemV2* next; + + for (; csr2; csr2 = next) { + next = csr2->next; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + FreeOcspRequest(&csr2->request.ocsp); + break; + } + + XFREE(csr2, NULL, DYNAMIC_TYPE_TLSX); + } +} + +static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2, + byte isRequest) +{ + word16 size = 0; + + /* shut up compiler warnings */ + (void) csr2; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + CertificateStatusRequestItemV2* next; + + for (size = OPAQUE16_LEN; csr2; csr2 = next) { + next = csr2->next; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + size += ENUM_LEN + 3 * OPAQUE16_LEN; + + if (csr2->request.ocsp.nonceSz) + size += OCSP_NONCE_EXT_SZ; + break; + } + } + } +#endif + + return size; +} + +static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, + byte* output, byte isRequest) +{ + /* shut up compiler warnings */ + (void) csr2; (void) output; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + word16 offset; + word16 length; + + for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) { + /* status_type */ + output[offset++] = csr2->status_type; + + /* request */ + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + /* request_length */ + length = 2 * OPAQUE16_LEN; + + if (csr2->request.ocsp.nonceSz) + length += OCSP_NONCE_EXT_SZ; + + c16toa(length, output + offset); + offset += OPAQUE16_LEN; + + /* responder id list */ + c16toa(0, output + offset); + offset += OPAQUE16_LEN; + + /* request extensions */ + length = 0; + + if (csr2->request.ocsp.nonceSz) + length = EncodeOcspRequestExtensions( + &csr2->request.ocsp, + output + offset + OPAQUE16_LEN, + OCSP_NONCE_EXT_SZ); + + c16toa(length, output + offset); + offset += OPAQUE16_LEN + length; + break; + } + } + + /* list size */ + c16toa(offset - OPAQUE16_LEN, output); + + return offset; + } +#endif + + return 0; +} + +static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, + byte isRequest) +{ + int ret; + + /* shut up compiler warnings */ + (void) ssl; (void) input; + + if (!isRequest) { +#ifndef NO_WOLFSSL_CLIENT + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data + : NULL; + + if (!csr2) { + /* look at context level */ + + extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2); + csr2 = extension ? extension->data : NULL; + + if (!csr2) + return BUFFER_ERROR; /* unexpected extension */ + } + + ssl->status_request_v2 = 1; + + return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ +#endif + } + else { +#ifndef NO_WOLFSSL_SERVER + byte status_type; + word16 request_length; + word16 offset = 0; + word16 size = 0; + + /* list size */ + ato16(input + offset, &request_length); + offset += OPAQUE16_LEN; + + if (length - OPAQUE16_LEN != request_length) + return BUFFER_ERROR; + + while (length > offset) { + if (length - offset < ENUM_LEN + OPAQUE16_LEN) + return BUFFER_ERROR; + + status_type = input[offset++]; + + ato16(input + offset, &request_length); + offset += OPAQUE16_LEN; + + if (length - offset < request_length) + return BUFFER_ERROR; + + switch (status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + /* skip responder_id_list */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + /* skip request_extensions */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + if (offset > length) + return BUFFER_ERROR; + + /* is able to send OCSP response? */ + if (ssl->ctx->cm == NULL + || !ssl->ctx->cm->ocspStaplingEnabled) + continue; + break; + + default: + /* unkown status type, skipping! */ + offset += request_length; + continue; + } + + /* if using status_request and already sending it, skip this one */ + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->status_request) + return 0; + #endif + + /* accept the first good status_type and return */ + ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, + status_type, 0); + if (ret != SSL_SUCCESS) + return ret; /* throw error */ + + TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2); + ssl->status_request_v2 = status_type; + + return 0; + } +#endif + } + + return 0; +} + +int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, + byte options) +{ + TLSX* extension = NULL; + CertificateStatusRequestItemV2* csr2 = NULL; + int ret = 0; + + if (!extensions) + return BAD_FUNC_ARG; + + if (status_type != WOLFSSL_CSR2_OCSP + && status_type != WOLFSSL_CSR2_OCSP_MULTI) + return BAD_FUNC_ARG; + + csr2 = (CertificateStatusRequestItemV2*) + XMALLOC(sizeof(CertificateStatusRequestItemV2), NULL, DYNAMIC_TYPE_TLSX); + if (!csr2) + return MEMORY_E; + + ForceZero(csr2, sizeof(CertificateStatusRequestItemV2)); + + csr2->status_type = status_type; + csr2->options = options; + csr2->next = NULL; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) { + WC_RNG rng; + + if (wc_InitRng(&rng) == 0) { + if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp.nonce, + MAX_OCSP_NONCE_SZ) == 0) + csr2->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ; + + wc_FreeRng(&rng); + } + } + break; + } + + /* append new item */ + if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) { + CertificateStatusRequestItemV2* last = + (CertificateStatusRequestItemV2*)extension->data; + + for (; last->next; last = last->next); + + last->next = csr2; + } + else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2))) { + XFREE(csr2, NULL, DYNAMIC_TYPE_TLSX); + return ret; + } + + return SSL_SUCCESS; +} + +#define CSR2_FREE_ALL TLSX_CSR2_FreeAll +#define CSR2_GET_SIZE TLSX_CSR2_GetSize +#define CSR2_WRITE TLSX_CSR2_Write +#define CSR2_PARSE TLSX_CSR2_Parse + +#else + +#define CSR2_FREE_ALL(data) +#define CSR2_GET_SIZE(a, b) 0 +#define CSR2_WRITE(a, b, c) 0 +#define CSR2_PARSE(a, b, c, d) 0 + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + /******************************************************************************/ /* Supported Elliptic Curves */ /******************************************************************************/ @@ -3400,6 +3703,10 @@ void TLSX_FreeAll(TLSX* list) CSR_FREE_ALL(extension->data); break; + case TLSX_STATUS_REQUEST_V2: + CSR2_FREE_ALL(extension->data); + break; + case TLSX_RENEGOTIATION_INFO: SCR_FREE_ALL(extension->data); break; @@ -3471,6 +3778,10 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) length += CSR_GET_SIZE(extension->data, isRequest); break; + case TLSX_STATUS_REQUEST_V2: + length += CSR2_GET_SIZE(extension->data, isRequest); + break; + case TLSX_RENEGOTIATION_INFO: length += SCR_GET_SIZE(extension->data, isRequest); break; @@ -3545,6 +3856,11 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, isRequest); break; + case TLSX_STATUS_REQUEST_V2: + offset += CSR2_WRITE(extension->data, output + offset, + isRequest); + break; + case TLSX_RENEGOTIATION_INFO: offset += SCR_WRITE(extension->data, output + offset, isRequest); @@ -4044,6 +4360,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, ret = CSR_PARSE(ssl, input + offset, size, isRequest); break; + case TLSX_STATUS_REQUEST_V2: + WOLFSSL_MSG("Certificate Status Request v2 extension received"); + + ret = CSR2_PARSE(ssl, input + offset, size, isRequest); + break; + case TLSX_RENEGOTIATION_INFO: WOLFSSL_MSG("Secure Renegotiation extension received"); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 728a8f737..a633dfe50 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8860,34 +8860,34 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]); - if (totalSz < size) - { - totalSz = 0; + if (totalSz > size) + return 0; - XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); - totalSz += seqSz[5]; + totalSz = 0; - XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); - totalSz += seqSz[4]; + XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); + totalSz += seqSz[5]; - XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); - totalSz += seqSz[3]; + XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); + totalSz += seqSz[4]; - XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); - totalSz += seqSz[2]; + XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); + totalSz += seqSz[3]; - XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); - totalSz += (word32)sizeof(NonceObjId); + XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); + totalSz += seqSz[2]; - XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); - totalSz += seqSz[1]; + XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); + totalSz += (word32)sizeof(NonceObjId); - XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); - totalSz += seqSz[0]; + XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); + totalSz += seqSz[1]; - XMEMCPY(output + totalSz, req->nonce, req->nonceSz); - totalSz += req->nonceSz; - } + XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); + totalSz += seqSz[0]; + + XMEMCPY(output + totalSz, req->nonce, req->nonceSz); + totalSz += req->nonceSz; return totalSz; } @@ -8919,7 +8919,7 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) extSz = 0; if (req->nonceSz) - extSz = EncodeOcspRequestExtensions(req, extArray, MAX_OCSP_EXT_SZ); + extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ); totalSz = algoSz + issuerSz + issuerKeySz + snSz; for (i = 4; i >= 0; i--) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index a553bddba..67a535060 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1364,7 +1364,8 @@ struct WOLFSSL_CERT_MANAGER { void* heap; /* heap helper */ WOLFSSL_CRL* crl; /* CRL checker */ WOLFSSL_OCSP* ocsp; /* OCSP checker */ -#if !defined(NO_WOLFSSL_SEVER) && defined(HAVE_CERTIFICATE_STATUS_REQUEST) +#if !defined(NO_WOLFSSL_SEVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) WOLFSSL_OCSP* ocsp_stapling; /* OCSP checker for OCSP stapling */ #endif char* ocspOverrideURL; /* use this responder */ @@ -1470,6 +1471,7 @@ typedef enum { TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stappling */ TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ + TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stappling v2 */ TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ TLSX_SESSION_TICKET = 0x0023, TLSX_RENEGOTIATION_INFO = 0xff01 @@ -1504,6 +1506,7 @@ WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, || defined(HAVE_MAX_FRAGMENT) \ || defined(HAVE_TRUNCATED_HMAC) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \ || defined(HAVE_SUPPORTED_CURVES) \ || defined(HAVE_ALPN) \ || defined(HAVE_QSH) \ @@ -1594,6 +1597,24 @@ WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); #endif +/** Certificate Status Request v2 - RFC 6961 */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +typedef struct CSRIv2 { + byte status_type; + byte options; + word16 request_length; + union { + OcspRequest ocsp; + } request; + struct CSRIv2* next; +} CertificateStatusRequestItemV2; + +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, + byte status_type, byte options); + +#endif + /** Supported Elliptic Curves - RFC 4492 (session 4) */ #ifdef HAVE_SUPPORTED_CURVES @@ -2485,6 +2506,9 @@ struct WOLFSSL { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST byte status_request; #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + byte status_request_v2; + #endif #ifdef HAVE_SECURE_RENEGOTIATION SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */ #endif /* user turned on */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 415b4bd60..9da9c4360 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1439,6 +1439,30 @@ WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, #endif #endif +/* Certificate Status Request v2 */ +/* Certificate Status Type */ +enum { + WOLFSSL_CSR2_OCSP = 1, + WOLFSSL_CSR2_OCSP_MULTI = 2 +}; + +/* Certificate Status v2 Options (flags) */ +enum { + WOLFSSL_CSR2_OCSP_USE_NONCE = 0x01 +}; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#ifndef NO_WOLFSSL_CLIENT + +WOLFSSL_API int wolfSSL_UseCertificateStatusRequestV2(WOLFSSL* ssl, + unsigned char status_type, unsigned char options); + +WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequestV2(WOLFSSL_CTX* ctx, + unsigned char status_type, unsigned char options); + +#endif +#endif + /* Elliptic Curves */ enum { WOLFSSL_ECC_SECP160R1 = 0x10, From 1fbaf089aea2832ee656979c691e90ee90bfc3cb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Tue, 24 Nov 2015 00:47:27 -0300 Subject: [PATCH 085/177] adds support to WOLFSSL_CSR2_OCSP in both DoCertificateStatus() and SendCertificateStatus(); adds contingence plan for status_request_v2; --- src/internal.c | 61 ++++++++++++++++++++++---- src/tls.c | 106 +++++++++++++++++++++++++++++++++++++++++++++ wolfssl/internal.h | 23 +++++++--- 3 files changed, 174 insertions(+), 16 deletions(-) diff --git a/src/internal.c b/src/internal.c index 163c34d5e..0503ae722 100644 --- a/src/internal.c +++ b/src/internal.c @@ -526,6 +526,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method) /* In case contexts are held in array and don't want to free actual ctx */ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) { + int i; + + (void)i; + XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD); if (ctx->suites) XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES); @@ -534,22 +538,39 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); #endif + #ifndef NO_CERTS XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY); XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); wolfSSL_CertManagerFree(ctx->cm); #endif + #ifdef HAVE_TLS_EXTENSIONS TLSX_FreeAll(ctx->extensions); - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - if (ctx->certOcspRequest) { - FreeOcspRequest(ctx->certOcspRequest); - XFREE(ctx->certOcspRequest, NULL, DYNAMIC_TYPE_OCSP_REQUEST); - } - #endif +#ifndef NO_WOLFSSL_SERVER + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + if (ctx->certOcspRequest) { + FreeOcspRequest(ctx->certOcspRequest); + XFREE(ctx->certOcspRequest, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } #endif + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + for (i = 0; i < MAX_CHAIN_DEPTH; i++) { + if (ctx->chainOcspRequest[i]) { + FreeOcspRequest(ctx->chainOcspRequest[i]); + XFREE(ctx->chainOcspRequest[i], NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + } +#endif + +#endif /* NO_WOLFSSL_SERVER */ + +#endif /* HAVE_TLS_EXTENSIONS */ } @@ -4464,14 +4485,21 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (fatal == 0) { int doLookup = 1; -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST + /* TODO CSR2 */ if (ssl->options.side == WOLFSSL_CLIENT_END) { +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { fatal = TLSX_CSR_InitRequest(ssl->extensions, dCert); doLookup = 0; } - } #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + fatal = TLSX_CSR2_InitRequests(ssl->extensions, dCert); + doLookup = 0; + } +#endif + } #ifdef HAVE_OCSP if (doLookup && ssl->ctx->cm->ocspEnabled) { @@ -4827,7 +4855,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ case WOLFSSL_CSR2_OCSP: { - OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions); + OcspRequest* request; #ifdef WOLFSSL_SMALL_STACK CertStatus* status; @@ -4840,12 +4868,15 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, do { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { + request = TLSX_CSR_GetRequest(ssl->extensions); ssl->status_request = 0; break; } #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (ssl->status_request_v2) { + request = TLSX_CSR2_GetRequest(ssl->extensions, + WOLFSSL_CSR2_OCSP); ssl->status_request_v2 = 0; break; } @@ -4853,6 +4884,9 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, return BUFFER_ERROR; } while(0); + if (request == NULL) + return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */ + #ifdef WOLFSSL_SMALL_STACK status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -5132,6 +5166,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) return ret; } +#endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + int ret; + + WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); + if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0) + return ret; + } #endif } diff --git a/src/tls.c b/src/tls.c index ba8bd1a7d..177cb73f5 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2329,6 +2329,36 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, if (!csr2) return BUFFER_ERROR; /* unexpected extension */ + + /* enable extension at ssl level */ + for (; csr2; csr2 = csr2->next) { + ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, + csr2->status_type, csr2->options); + if (ret != SSL_SUCCESS) + return ret; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + case WOLFSSL_CSR2_OCSP_MULTI: + /* propagate nonce */ + if (csr2->request.ocsp.nonceSz) { + OcspRequest* request = + TLSX_CSR2_GetRequest(ssl->extensions, + csr2->status_type); + + if (request) { + XMEMCPY(request->nonce, + csr2->request.ocsp.nonce, + csr2->request.ocsp.nonceSz); + + request->nonceSz = csr2->request.ocsp.nonceSz; + } + } + break; + } + } + } ssl->status_request_v2 = 1; @@ -2417,6 +2447,82 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, return 0; } +int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + int ret = 0; + + for (; csr2; csr2 = csr2->next) { + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + + case WOLFSSL_CSR2_OCSP_MULTI: { + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz = csr2->request.ocsp.nonceSz; + + /* preserve nonce */ + XMEMCPY(nonce, csr2->request.ocsp.nonce, nonceSz); + + if ((ret = InitOcspRequest(&csr2->request.ocsp, cert, 0)) != 0) + return ret; + + /* restore nonce */ + XMEMCPY(csr2->request.ocsp.nonce, nonce, nonceSz); + csr2->request.ocsp.nonceSz = nonceSz; + } + break; + } + } + + return ret; +} + +void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + + for (; csr2; csr2 = csr2->next) { + if (csr2->status_type == status_type) { + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + + case WOLFSSL_CSR2_OCSP_MULTI: + return &csr2->request.ocsp; + break; + } + } + } + + return NULL; +} + +int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) +{ + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + + /* forces only the first one */ + if (csr2) { + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + + case WOLFSSL_CSR2_OCSP_MULTI: + if (ssl->ctx->cm->ocspEnabled) + return CheckOcspRequest(ssl->ctx->cm->ocsp, + &csr2->request.ocsp, NULL); + else + return OCSP_LOOKUP_FAIL; + } + } + + return 0; +} + int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, byte options) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 67a535060..9e592fb26 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1589,11 +1589,11 @@ typedef struct { } request; } CertificateStatusRequest; -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, byte options); -WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); -WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); -WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); +WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); +WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); +WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); #endif @@ -1610,8 +1610,11 @@ typedef struct CSRIv2 { struct CSRIv2* next; } CertificateStatusRequestItemV2; -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, byte options); +WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert); +WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type); +WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl); #endif @@ -1790,8 +1793,14 @@ struct WOLFSSL_CTX { #endif #ifdef HAVE_TLS_EXTENSIONS TLSX* extensions; /* RFC 6066 TLS Extensions data */ - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) && !defined(NO_WOLFSSL_SERVER) - OcspRequest* certOcspRequest; + #ifndef NO_WOLFSSL_SERVER + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + OcspRequest* certOcspRequest; + #endif + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + OcspRequest* chainOcspRequest[MAX_CHAIN_DEPTH]; + #endif #endif #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SEVER) SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */ From da127dfb17282ebc8d04caa3b44a62b862abbf5e Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 24 Nov 2015 13:18:39 -0700 Subject: [PATCH 086/177] warrning for unused function in user-crypto / fast-rsa mode --- wolfcrypt/src/asn.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 107524198..5c9179283 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1159,6 +1159,7 @@ WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, } +#ifndef HAVE_USER_RSA static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx) { int length; @@ -1173,7 +1174,7 @@ static int SkipObjectId(const byte* input, word32* inOutIdx, word32 maxIdx) return 0; } - +#endif WOLFSSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, word32 oidType, word32 maxIdx) From c5c9991d11f4e2bc9bf47c9240ab908ddd0ee6b4 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 24 Nov 2015 13:41:04 -0700 Subject: [PATCH 087/177] modification to fast-rsa sign operation and make key --- wolfcrypt/user-crypto/src/rsa.c | 581 +++++++++++++++++++------------- 1 file changed, 345 insertions(+), 236 deletions(-) diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c index faa672cbb..05d7388e6 100644 --- a/wolfcrypt/user-crypto/src/rsa.c +++ b/wolfcrypt/user-crypto/src/rsa.c @@ -19,10 +19,6 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -/* - Created to use intel's IPP see their license for linking to intel's IPP library - */ - #ifdef HAVE_CONFIG_H /* configure options when using autoconf */ #include #endif @@ -566,6 +562,88 @@ static int RsaUnPad(const byte *pkcsBlock, unsigned int pkcsBlockLen, } +/* Set up memory and structure for a Big Number + * returns ippStsNoErr on success + */ +static IppStatus init_bn(IppsBigNumState** in, int sz) +{ + int ctxSz; + IppStatus ret; + + ret = ippsBigNumGetSize(sz, &ctxSz); + if (ret != ippStsNoErr) { + return ret; + } + + *in = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (*in == NULL) { + return ippStsNoMemErr; + } + + ret = ippsBigNumInit(sz, *in); + if (ret != ippStsNoErr) { + return ret; + } + + return ippStsNoErr; +} + + +/* Set up memory and structure for a Montgomery struct + * returns ippStsNoErr on success + */ +static IppStatus init_mont(IppsMontState** mont, IppsBigNumState* modul) +{ + int ctxSz, mSz; + Ipp32u* m; + IppStatus ret; + + ret = ippsExtGet_BN(NULL, &ctxSz, NULL, modul); + if (ret != ippStsNoErr) { + return ret; + } + + mSz = (ctxSz/32)+((ctxSz % 32)? 1: 0); + m = XMALLOC(mSz * sizeof(Ipp32u), 0, DYNAMIC_TYPE_USER_CRYPTO); + if (m == NULL) { + return ippStsNoMemErr; + } + + ret = ippsExtGet_BN(NULL, NULL, m, modul); + if (ret != ippStsNoErr) { + return ret; + } + + ret = ippsMontGetSize(IppsBinaryMethod, mSz, &ctxSz); + if (ret != ippStsNoErr) { + return ret; + } + + /* 2. Allocate working buffer using malloc */ + *mont = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + if (mont == NULL) { + return ippStsNoMemErr; + } + ret = ippsMontInit(IppsBinaryMethod, mSz, *mont); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsMontInit error of %s\n", ippGetStatusString(ret))); + return ret; + } + + /* 3. Call the function MontSet to set big number module */ + ret = ippsMontSet(m, mSz, *mont); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsMontSet error of %s\n", ippGetStatusString(ret))); + return ret; + } + + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return ippStsNoErr; +} + + + int wc_FreeRsaKey(RsaKey* key) { if (key == NULL) @@ -1015,15 +1093,7 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, return USER_CRYPTO_ERROR; /* set up IPP key states -- read in n */ - ret = ippsBigNumGetSize(nSz, &ctxSz); - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; - - key->n = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->n == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(nSz, key->n); + ret = init_bn(&key->n, nSz); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; @@ -1032,15 +1102,7 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, return USER_CRYPTO_ERROR; /* read in e */ - ret = ippsBigNumGetSize(eSz, &ctxSz); - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; - - key->e = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->e == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(eSz, key->e); + ret = init_bn(&key->e, eSz); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; @@ -1264,7 +1326,6 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) return USER_CRYPTO_ERROR; } - ret = ippsRSA_SetPrivateKeyType1(key->n, key->e, pPub); if (ret != ippStsNoErr) { FreeHelper(pTxt, cTxt, scratchBuffer, pPub); @@ -1288,24 +1349,11 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) } /* load plain and cipher into big num states */ - ret = ippsBigNumGetSize(key->sz, &ctxSz); + ret = init_bn(&pTxt, key->sz); if (ret != ippStsNoErr) { FreeHelper(pTxt, cTxt, scratchBuffer, pPub); return USER_CRYPTO_ERROR; } - - pTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (pTxt == NULL) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPub); - return USER_CRYPTO_ERROR; - } - - ret = ippsBigNumInit(key->sz, pTxt); - if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPub); - return USER_CRYPTO_ERROR; - } - ret = ippsSetOctString_BN((Ipp8u*)in, key->sz, pTxt); if (ret != ippStsNoErr) { FreeHelper(pTxt, cTxt, scratchBuffer, pPub); @@ -1313,24 +1361,11 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) } /* set up cipher to hold signature */ - ret = ippsBigNumGetSize(key->sz, &ctxSz); + ret = init_bn(&cTxt, key->sz); if (ret != ippStsNoErr) { FreeHelper(pTxt, cTxt, scratchBuffer, pPub); return USER_CRYPTO_ERROR; } - - cTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (cTxt == NULL) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPub); - return USER_CRYPTO_ERROR; - } - - ret = ippsBigNumInit(key->sz, cTxt); - if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPub); - return USER_CRYPTO_ERROR; - } - ret = ippsSetOctString_BN((Ipp8u*)in, key->sz, cTxt); if (ret != ippStsNoErr) { FreeHelper(pTxt, cTxt, scratchBuffer, pPub); @@ -1397,147 +1432,278 @@ int wc_RsaSSL_Verify(const byte* in, word32 inLen, byte* out, word32 outLen, } +/* Check if a > b , if so c = a mod b + return ippStsNoErr on success */ +static IppStatus reduce(IppsBigNumState* a, IppsBigNumState* b, + IppsBigNumState* c) +{ + IppStatus ret; + + if ((ret = ippsMod_BN(a, b, c)) != ippStsNoErr) + return ret; + + return ippStsNoErr; +} + + +static IppStatus exptmod(IppsBigNumState* a, IppsBigNumState* b, + IppsMontState* mont, IppsBigNumState* out, IppsBigNumState* one) +{ + IppStatus ret; + + ret = ippsMontForm(a, mont, a); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsMontForm error of %s\n", ippGetStatusString(ret))); + return ret; + } + + /* a = a^b mod mont */ + ret = ippsMontExp(a, b, mont, out); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsMontExp error of %s\n", ippGetStatusString(ret))); + return ret; + } + + /* convert back from montgomery */ + ret = ippsMontMul(out, one, mont, out); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsMontMul error of %s\n", ippGetStatusString(ret))); + return ret; + } + + return ippStsNoErr; +} + + /* for Rsa Sign */ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, RsaKey* key, WC_RNG* rng) { int sz; - int scratchSz; - int ctxSz; - int prvSz; IppStatus ret; - Ipp8u* scratchBuffer = NULL; - IppsRSAPublicKeyState* pPrv = NULL; - IppsBigNumState* pTxt = NULL; - IppsBigNumState* cTxt = NULL; + word32 outSz = outLen; + + IppsMontState* pMont; + IppsMontState* qMont; + + IppsBigNumState* one; + IppsBigNumState* tmp; + IppsBigNumState* tmpP; + IppsBigNumState* tmpQ; + IppsBigNumState* tmpa; + IppsBigNumState* tmpb; + + IppsBigNumSGN sa, sb; + + Ipp8u o[1]; + o[0] = 1; + + USER_DEBUG(("Entering wc_RsaSSL_Sign\n")); sz = key->sz; - /* set up public key state using private key values */ - ret = ippsRSA_GetSizePublicKey(key->nSz, key->dSz, &ctxSz); - if (ret != ippStsNoErr) { - USER_DEBUG(("ippsRSA_GetSizePrivateKey error %s\n", - ippGetStatusString(ret))); + if (in == NULL || out == NULL || key == NULL || rng == NULL) { + USER_DEBUG(("Bad argument to wc_RsaSSL_Sign\n")); return USER_CRYPTO_ERROR; } - prvSz = ctxSz; /* used later to overright sensitive memory */ - pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (pPrv == NULL) { - USER_DEBUG(("memeory error assinging pPrv\n")); + if (sz > (int)outLen) { + USER_DEBUG(("Bad argument outLen to wc_RsaSSL_Sign\n")); return USER_CRYPTO_ERROR; } - ret = ippsRSA_InitPublicKey(key->nSz, key->dSz, pPrv, ctxSz); - if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - USER_DEBUG(("ippsRSA_InitPrivateKey error %s\n", - ippGetStatusString(ret))); - return USER_CRYPTO_ERROR; - } - - ret = ippsRSA_SetPublicKey(key->n, key->dipp, pPrv); - if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - USER_DEBUG(("ippsRSA_SetPrivateKey error %s\n", - ippGetStatusString(ret))); - return USER_CRYPTO_ERROR; - } - - /* set size of scratch buffer */ - ret = ippsRSA_GetBufferSizePublicKey(&scratchSz, pPrv); - if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - USER_DEBUG(("ippsRSA_GetBufferSizePublicKey error %s\n", - ippGetStatusString(ret))); - return USER_CRYPTO_ERROR; - } - - scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, - DYNAMIC_TYPE_USER_CRYPTO); - if (scratchBuffer == NULL) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - USER_DEBUG(("memory error assigning scratch buffer\n")); + if (inLen > (word32)(sz - RSA_MIN_PAD_SZ)) { + USER_DEBUG(("Bad argument inLen to wc_RsaSSL_Sign\n")); return USER_CRYPTO_ERROR; } /* Set up needed pkcs v15 padding */ if (wc_RsaPad(in, inLen, out, sz, RSA_BLOCK_TYPE_1, rng) != 0) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("RSA Padding error\n")); return USER_CRYPTO_ERROR; } - /* load plain and cipher into big num states */ - ret = ippsBigNumGetSize(sz, &ctxSz); + /* tmp = intput to sign */ + ret = init_bn(&tmp, sz); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - - pTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (pTxt == NULL) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - return USER_CRYPTO_ERROR; - } - - ret = ippsBigNumInit(sz, pTxt); + ret = ippsSetOctString_BN(out, sz, tmp); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("ippsSetOctString_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - ret = ippsSetOctString_BN((Ipp8u*)out, sz, pTxt); + /* tmpP = tmp mod p */ + ret = init_bn(&tmpP, sz); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - /* set up cipher to hold signature */ - ret = ippsBigNumGetSize(outLen, &ctxSz); + /* tmpQ = tmp mod q */ + ret = init_bn(&tmpQ, sz); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - cTxt = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (cTxt == NULL) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - return USER_CRYPTO_ERROR; - } - - ret = ippsBigNumInit(outLen, cTxt); + /* tmpa */ + ret = init_bn(&tmpa, sz); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - ret = ippsSetOctString_BN((Ipp8u*)out, outLen, cTxt); + /* tmpb */ + ret = init_bn(&tmpb, sz); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - /* encrypt using private key */ - ret = ippsRSA_Encrypt(pTxt, cTxt, pPrv, scratchBuffer); + /* one : used for conversion from Montgomery to classical */ + ret = init_bn(&one, sz); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - USER_DEBUG(("sign error of %s\n", ippGetStatusString(ret))); + USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - - /* get output string from big number structure */ - ret = ippsGetOctString_BN((Ipp8u*)out, sz, cTxt); + ret = ippsSetOctString_BN(o, 1, one); if (ret != ippStsNoErr) { - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); - USER_DEBUG(("BN get string error of %s\n", ippGetStatusString(ret))); + USER_DEBUG(("ippsSetOctString_BN error of %s\n", + ippGetStatusString(ret))); return USER_CRYPTO_ERROR; } - /* clean up memory used */ - ForceZero(pPrv, prvSz); /* clear senstive memory */ - FreeHelper(pTxt, cTxt, scratchBuffer, pPrv); + /** + Set up Montgomery state + */ + ret = init_mont(&pMont, key->pipp); + if (ret != ippStsNoErr) { + USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } - return sz; + ret = init_mont(&qMont, key->qipp); + if (ret != ippStsNoErr) { + USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /** + Check and reduce input + This is needed for calls to MontExp since required value of a < modulus + */ + ret = reduce(tmp, key->pipp, tmpP); + if (ret != ippStsNoErr) + { + USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = reduce(tmp, key->qipp, tmpQ); + if (ret != ippStsNoErr) + { + USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* tmpa = (tmp mod p)^dP mod p */ + ret = exptmod(tmpP, key->dPipp, pMont, tmpa, one); + if (ret != ippStsNoErr) { + USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* tmpb = (tmp mod q)^dQ mod q */ + ret = exptmod(tmpQ, key->dQipp, qMont, tmpb, one); + if (ret != ippStsNoErr) { + USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* tmp = (tmpa - tmpb) * qInv (mod p) */ + ret = ippsSub_BN(tmpa, tmpb, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + ret = ippsMul_BN(tmp, key->uipp, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsMul_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* mod performed the same was as wolfSSL fp_mod -- tmpa is just scratch */ + ret = ippsDiv_BN(tmp, key->pipp, tmpa, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsDiv_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* Check sign of values and perform conditional add */ + ret = ippsExtGet_BN(&sa, NULL, NULL, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + ret = ippsExtGet_BN(&sb, NULL, NULL, key->pipp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + if (sa != sb) { + ret = ippsAdd_BN(tmp, key->pipp, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsAdd_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + } + + /* tmp = tmpb + q * tmp */ + ret = ippsMul_BN(tmp, key->qipp, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + + ret = ippsAdd_BN(tmp, tmpb, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + /* Extract the output */ + ret = ippsGetOctString_BN(out, sz, tmp); + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsGetOctString_BN error of %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } + + outSz = sz; + + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + XFREE(one, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + /* clear memory by setting BN to one and then free */ + ippsSetOctString_BN(o, 1, tmp); + XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO); + ippsSetOctString_BN(o, 1, tmpP); + XFREE(tmpP, NULL, DYNAMIC_TYPE_USER_CRYPTO); + ippsSetOctString_BN(o, 1, tmpQ); + XFREE(tmpQ, NULL, DYNAMIC_TYPE_USER_CRYPTO); + ippsSetOctString_BN(o, 1, tmpa); + XFREE(tmpa, NULL, DYNAMIC_TYPE_USER_CRYPTO); + ippsSetOctString_BN(o, 1, tmpb); + XFREE(tmpb, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return outSz; } @@ -1599,6 +1765,27 @@ int wc_RsaFlattenPublicKey(RsaKey* key, byte* e, word32* eSz, byte* n, return 0; } + +IppStatus wolfSSL_rng(Ipp32u* pData, int nBits, void* pEbsParams); +IppStatus wolfSSL_rng(Ipp32u* pData, int nBits, void* pEbsParams) +{ + int nBytes; + + if (pData == NULL) { + USER_DEBUG(("error with wolfSSL_rng argument\n")); + return ippStsErr; + } + + nBytes = (nBits/8) + ((nBits % 8)? 1: 0); + if (wc_RNG_GenerateBlock(pEbsParams, (byte*)pData, nBytes) != 0) { + USER_DEBUG(("error in generating random wolfSSL block\n")); + return ippStsErr; + } + + return ippStsNoErr; +} + + #ifdef WOLFSSL_KEY_GEN /* Make an RSA key for size bits, with e specified, 65537 is a good e */ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) @@ -1612,8 +1799,6 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) Ipp8u* scratchBuffer; int trys = 8; /* Miller-Rabin test parameter */ IppsPrimeState* pPrime; - IppBitSupplier rndFunc; - IppsPRNGState* rndParam; /* rng context */ int qBitSz; /* size of q factor */ int bytSz; /* size of key in bytes */ @@ -1621,8 +1806,9 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) USER_DEBUG(("Entering wc_MakeRsaKey\n")); - qBitSz = size / 2; - bytSz = size / 8; + /* get byte size and individual private key size -- round up */ + qBitSz = (size / 2) + ((size % 2)? 1: 0); + bytSz = (size / 8) + ((size % 8)? 1: 0); if (key == NULL) return USER_CRYPTO_ERROR; @@ -1634,24 +1820,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return USER_CRYPTO_ERROR; key->type = RSA_PRIVATE; - - /* set up rng */ - ret = ippsPRNGGetSize(&ctxSz); - if (ret != ippStsNoErr) { - USER_DEBUG(("ippsPRNGGetSize error of %s\n", ippGetStatusString(ret))); - return USER_CRYPTO_ERROR; - } - - rndParam = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); - if (rndParam == NULL) - return USER_CRYPTO_ERROR; - - /*@TODO size of seed bits used hard set at 256 */ - ret = ippsPRNGInit(256, rndParam); - if (ret != ippStsNoErr) { - USER_DEBUG(("ippsPRNGInit error of %s\n", ippGetStatusString(ret))); - return USER_CRYPTO_ERROR; - } + key->sz = bytSz; /* initialize prime number */ ret = ippsPrimeGetSize(size, &ctxSz); /* size in bits */ @@ -1670,12 +1839,6 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return USER_CRYPTO_ERROR; } - ret = ippsPrimeGen(size, 100, pPrime, ippsPRNGen, rndParam); - if (ret != ippStsNoErr) { - USER_DEBUG(("ippsPrimeGen error of %s\n", ippGetStatusString(ret))); - return USER_CRYPTO_ERROR; - } - /* define RSA privete key type 2 */ /* length in bits of p and q factors */ ret = ippsRSA_GetSizePrivateKeyType2(qBitSz, qBitSz, &ctxSz); @@ -1712,68 +1875,35 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) /* set up initial value of pScrPublicExp */ leng = (int)sizeof(long); /* # of Ipp32u in long */ - ret = ippsBigNumGetSize(leng, &ctxSz); + ret = init_bn(&pSrcPublicExp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - pSrcPublicExp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (pSrcPublicExp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, pSrcPublicExp); - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; ret = ippsSetOctString_BN((Ipp8u*)&e, leng, pSrcPublicExp); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* initializing key->n */ - ret = ippsBigNumGetSize(bytSz, &ctxSz); - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; - - key->n = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->n == NULL) - return USER_CRYPTO_ERROR; - - key->nSz = size; - ret = ippsBigNumInit(bytSz, key->n); + ret = init_bn(&key->n, bytSz); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* initializing public exponent key->e */ - ret = ippsBigNumGetSize(leng, &ctxSz); - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; - - key->e = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->e == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, key->e); + ret = init_bn(&key->e, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* private exponent key->dipp */ - ret = ippsBigNumGetSize(bytSz, &ctxSz); + ret = init_bn(&key->dipp, bytSz); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - key->dipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->dipp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(bytSz, key->dipp); - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; - - rndFunc = ippsPRNGen; /* call IPP to generate keys, if inseficent entropy error call again using for loop to avoid infinte loop */ for (i = 0; i < 5; i++) { ret = ippsRSA_GenerateKeys(pSrcPublicExp, key->n, key->e, key->dipp, key->pPrv, scratchBuffer, trys, pPrime, - rndFunc, rndParam); + wolfSSL_rng, rng); if (ret == ippStsNoErr) { break; } @@ -1785,6 +1915,12 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return USER_CRYPTO_ERROR; } } + /* catch if still did not generate a good key */ + if (ret != ippStsNoErr) { + USER_DEBUG(("ippsRSA_GeneratKeys error of %s\n", + ippGetStatusString(ret))); + return USER_CRYPTO_ERROR; + } /* get bn sizes needed for private key set up */ ret = ippsExtGet_BN(NULL, &key->eSz, NULL, key->e); @@ -1827,51 +1963,27 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) /* get private key information for key struct */ leng = size/16; /* size of q, p, u, dP, dQ */ - ret = ippsBigNumGetSize(leng, &ctxSz); /* get needed ctxSz and use */ - if (ret != ippStsNoErr) - return USER_CRYPTO_ERROR; - - key->pipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->pipp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, key->pipp); + ret = init_bn(&key->pipp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* set up q BN for key */ - key->qipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->qipp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, key->qipp); + ret = init_bn(&key->qipp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* set up dP BN for key */ - key->dPipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->dPipp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, key->dPipp); + ret = init_bn(&key->dPipp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* set up dQ BN for key */ - key->dQipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->dQipp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, key->dQipp); + ret = init_bn(&key->dQipp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; /* set up u BN for key */ - key->uipp = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); - if (key->uipp == NULL) - return USER_CRYPTO_ERROR; - - ret = ippsBigNumInit(leng, key->uipp); + ret = init_bn(&key->uipp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; @@ -1888,9 +2000,6 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) XFREE(pSrcPublicExp, NULL, DYNAMIC_TYPE_USER_CRYPTO); XFREE(scratchBuffer, NULL, DYNAMIC_TYPE_USER_CRYPTO); XFREE(pPrime, NULL, DYNAMIC_TYPE_USER_CRYPTO); - XFREE(rndParam, NULL, DYNAMIC_TYPE_USER_CRYPTO); - - (void)rng; return 0; } From 33eb4b98d33f239ca53052985731883e389e4970 Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Tue, 24 Nov 2015 15:16:26 -0700 Subject: [PATCH 088/177] Clarify Openssl.test results messaging --- scripts/openssl.test | 62 ++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-) diff --git a/scripts/openssl.test b/scripts/openssl.test index d44f7d1c1..8f068309c 100755 --- a/scripts/openssl.test +++ b/scripts/openssl.test @@ -9,6 +9,27 @@ server_pid=$no_pid wolf_suites_tested=0 wolf_suites_total=0 counter=0 +testing_summary="OpenSSL Interop Testing Summary:\nVersion\tTested\t#Found\t#Tested\n" +versionName="Invalid" + +version_name() { + case $version in "0") + versionName="SSLv3" + ;; + "1") + versionName="TLSv1" + ;; + "2") + versionName="TLSv1.1" + ;; + "3") + versionName="TLSv1.2" + ;; + "4") + versionName="ALL" + ;; + esac +} do_cleanup() { echo "in cleanup" @@ -97,18 +118,53 @@ do # get openssl ciphers depending on version case $version in "0") openssl_ciphers=`openssl ciphers "SSLv3"` + sslv3_sup=$? + if [ $sslv3_sup != 0 ] + then + echo -e "Not testing SSLv3. No OpenSSL support for 'SSLv3' modifier" + testing_summary="$testing_summary SSLv3\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n" + continue + fi ;; "1") openssl_ciphers=`openssl ciphers "TLSv1"` + tlsv1_sup=$? + if [ $tlsv1_sup != 0 ] + then + echo -e "Not testing TLSv1. No OpenSSL support for 'TLSv1' modifier" + testing_summary="$testing_summary TLSv1\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n" + continue + fi ;; "2") openssl_ciphers=`openssl ciphers "TLSv1.1"` + tlsv1_1_sup=$? + if [ $tlsv1_1_sup != 0 ] + then + echo -e "Not testing TLSv1.1. No OpenSSL support for 'TLSv1.1' modifier" + testing_summary="${testing_summary}TLSv1.1\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n" + continue + fi ;; "3") openssl_ciphers=`openssl ciphers "TLSv1.2"` + tlsv1_2_sup=$? + if [ $tlsv1_2_sup != 0 ] + then + echo -e "Not testing TLSv1.2. No OpenSSL support for 'TLSv1.2' modifier" + testing_summary="$testing_summary TLSv1.2\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n" + continue + fi ;; "4") #test all suites openssl_ciphers=`openssl ciphers "ALL"` + all_sup=$? + if [ $all_sup != 0 ] + then + echo -e "Not testing ALL. No OpenSSL support for ALL modifier" + testing_summary="$testing_summary ALL\tNo\tN/A\tN/A\t (No OpenSSL Support for cipherstring)\n" + continue + fi ;; esac @@ -150,6 +206,8 @@ do wolf_suites_tested=$((wolf_temp_suites_tested+wolf_suites_tested)) wolf_suites_total=$((wolf_temp_suites_total+wolf_suites_total)) echo -e "wolfSSL suites tested with version:$version $wolf_temp_suites_tested" + version_name + testing_summary="$testing_summary$versionName\tYes\t$wolf_temp_suites_total\t$wolf_temp_suites_tested\n" wolf_temp_suites_total=0 wolf_temp_suites_tested=0 done @@ -159,6 +217,6 @@ kill -9 $server_pid echo -e "wolfSSL total suites $wolf_suites_total" echo -e "wolfSSL suites tested $wolf_suites_tested" -echo -e "\nSuccess!\n" - +echo -e "\nSuccess!\n\n\n\n" +echo -e "$testing_summary" exit 0 From f7fac88e8b4aea7a77e203d78d11fa90300a873d Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 24 Nov 2015 17:28:43 -0700 Subject: [PATCH 089/177] Don't error out when calling ippInit to find optimized IPP library, just fall back to use standard --- wolfcrypt/src/wc_port.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/wolfcrypt/src/wc_port.c b/wolfcrypt/src/wc_port.c index b81702bba..ac54c3494 100644 --- a/wolfcrypt/src/wc_port.c +++ b/wolfcrypt/src/wc_port.c @@ -45,6 +45,7 @@ */ int wolfCrypt_Init() { + int ret = 0; #if WOLFSSL_CRYPT_HW_MUTEX /* If crypto hardware mutex protection is enabled, then initialize it */ wolfSSL_CryptHwMutexInit(); @@ -52,14 +53,18 @@ int wolfCrypt_Init() /* if defined have fast RSA then initialize Intel IPP */ #ifdef HAVE_FAST_RSA - WOLFSSL_MSG("Setting up IPP Library"); - if (ippInit() != ippStsNoErr) { - WOLFSSL_MSG("Error setting up optimized Intel library to use!"); - return -1; + WOLFSSL_MSG("Attempting to use optimized IPP Library"); + if ((ret = ippInit()) != ippStsNoErr) { + /* possible to get a CPU feature support status on optimized IPP + library but still use default library and see competitve speeds */ + WOLFSSL_MSG("Warning when trying to set up optimization"); + WOLFSSL_MSG(ippGetStatusString(ret)); + WOLFSSL_MSG("Using default fast IPP library"); + ret = 0; } #endif - return 0; + return ret; } From 02411ccced57bf27a7fe40704692ccf2797c3142 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 25 Nov 2015 10:36:51 -0800 Subject: [PATCH 090/177] add F back into the client command line options scanning --- examples/client/client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/client/client.c b/examples/client/client.c index f5d005acd..55874e49e 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -482,7 +482,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) { + "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W")) != -1) { switch (ch) { case '?' : Usage(); From e4894bfd0b8abf1eedae839413d81b84ea470903 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 25 Nov 2015 11:10:42 -0800 Subject: [PATCH 091/177] add comments to clarify accept and connect state advancement due to sending fragments --- src/ssl.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 2fba69bd6..e895a3f90 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -5695,9 +5695,17 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl->buffers.outputBuffer.length > 0) { if ( (ssl->error = SendBuffered(ssl)) == 0) { + /* fragOffset is non-zero when sending fragments. On the last + * fragment, fragOffset is zero again, and the state can be + * advanced. */ if (ssl->fragOffset == 0) { ssl->options.connectState++; - WOLFSSL_MSG("connect state: Advanced from buffered send"); + WOLFSSL_MSG("connect state: " + "Advanced from last buffered fragment send"); + } + else { + WOLFSSL_MSG("connect state: " + "Not advanced, more fragments to send"); } } else { @@ -6013,9 +6021,17 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, if (ssl->buffers.outputBuffer.length > 0) { if ( (ssl->error = SendBuffered(ssl)) == 0) { + /* fragOffset is non-zero when sending fragments. On the last + * fragment, fragOffset is zero again, and the state can be + * advanced. */ if (ssl->fragOffset == 0) { ssl->options.acceptState++; - WOLFSSL_MSG("accept state: Advanced from buffered send"); + WOLFSSL_MSG("accept state: " + "Advanced from last buffered fragment send"); + } + else { + WOLFSSL_MSG("accept state: " + "Not advanced, more fragments to send"); } } else { From 7f1b9a1e13a2b80bc57216f65aa56e094cd45272 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 25 Nov 2015 20:25:57 -0800 Subject: [PATCH 092/177] storing DTLS handshake messages takes into account overlapping data --- src/internal.c | 166 +++++++++++++++++++++++++++++++------- wolfssl/internal.h | 21 +++-- wolfssl/wolfcrypt/types.h | 4 +- 3 files changed, 156 insertions(+), 35 deletions(-) diff --git a/src/internal.c b/src/internal.c index 2487af3b7..1d19e9b36 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2371,13 +2371,12 @@ DtlsMsg* DtlsMsgNew(word32 sz, void* heap) msg = (DtlsMsg*)XMALLOC(sizeof(DtlsMsg), heap, DYNAMIC_TYPE_DTLS_MSG); if (msg != NULL) { + XMEMSET(msg, 0, sizeof(DtlsMsg)); msg->buf = (byte*)XMALLOC(sz + DTLS_HANDSHAKE_HEADER_SZ, - heap, DYNAMIC_TYPE_NONE); + heap, DYNAMIC_TYPE_DTLS_BUFFER); if (msg->buf != NULL) { - msg->next = NULL; - msg->seq = 0; msg->sz = sz; - msg->fragSz = 0; + msg->type = no_shake; msg->msg = msg->buf + DTLS_HANDSHAKE_HEADER_SZ; } else { @@ -2394,8 +2393,14 @@ void DtlsMsgDelete(DtlsMsg* item, void* heap) (void)heap; if (item != NULL) { + DtlsFrag* cur = item->fragList; + while (cur != NULL) { + DtlsFrag* next = cur->next; + XFREE(cur, heap, DYNAMIC_TYPE_DTLS_FRAG); + cur = next; + } if (item->buf != NULL) - XFREE(item->buf, heap, DYNAMIC_TYPE_NONE); + XFREE(item->buf, heap, DYNAMIC_TYPE_DTLS_BUFFER); XFREE(item, heap, DYNAMIC_TYPE_DTLS_MSG); } } @@ -2412,32 +2417,127 @@ void DtlsMsgListDelete(DtlsMsg* head, void* heap) } -void DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type, - word32 fragOffset, word32 fragSz) +/* Create a DTLS Fragment from *begin - end, adjust new *begin and bytesLeft */ +static DtlsFrag* CreateFragment(word32* begin, word32 end, const byte* data, + byte* buf, word32* bytesLeft, void* heap) +{ + DtlsFrag* newFrag; + word32 added = end - *begin + 1; + + newFrag = (DtlsFrag*)XMALLOC(sizeof(DtlsFrag), heap, + DYNAMIC_TYPE_DTLS_FRAG); + if (newFrag != NULL) { + newFrag->next = NULL; + newFrag->begin = *begin; + newFrag->end = end; + + XMEMCPY(buf + *begin, data, added); + *bytesLeft -= added; + *begin = newFrag->end + 1; + } + + return newFrag; +} + + +int DtlsMsgSet(DtlsMsg* msg, word32 seq, const byte* data, byte type, + word32 fragOffset, word32 fragSz, void* heap) { if (msg != NULL && data != NULL && msg->fragSz <= msg->sz && (fragOffset + fragSz) <= msg->sz) { + DtlsFrag* cur = msg->fragList; + DtlsFrag* prev = cur; + DtlsFrag* newFrag; + word32 bytesLeft = fragSz; /* could be overlapping fragment */ + word32 startOffset = fragOffset; + word32 added; msg->seq = seq; msg->type = type; - msg->fragSz += fragSz; - /* If fragOffset is zero, this is either a full message that is out - * of order, or the first fragment of a fragmented message. Copy the - * handshake message header with the message data. Zero length messages - * like Server Hello Done should be saved as well. */ - if (fragOffset == 0) + + if (fragOffset == 0) { XMEMCPY(msg->buf, data - DTLS_HANDSHAKE_HEADER_SZ, - fragSz + DTLS_HANDSHAKE_HEADER_SZ); - else { - /* If fragOffset is non-zero, this is an additional fragment that - * needs to be copied to its location in the message buffer. Also - * copy the total size of the message over the fragment size. The - * hash routines look at a defragmented message if it had actually - * come across as a single handshake message. */ - XMEMCPY(msg->msg + fragOffset, data, fragSz); + DTLS_HANDSHAKE_HEADER_SZ); + c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ); + } + + /* if no mesage data, just return */ + if (fragSz == 0) + return 0; + + /* if list is empty add full fragment to front */ + if (cur == NULL) { + newFrag = CreateFragment(&fragOffset, fragOffset + fragSz - 1, data, + msg->msg, &bytesLeft, heap); + if (newFrag == NULL) + return MEMORY_E; + + msg->fragSz = fragSz; + msg->fragList = newFrag; + + return 0; + } + + /* add to front if before current front, up to next->begin */ + if (fragOffset < cur->begin) { + word32 end = fragOffset + fragSz - 1; + + if (end >= cur->begin) + end = cur->begin - 1; + + added = end - fragOffset + 1; + newFrag = CreateFragment(&fragOffset, end, data, msg->msg, + &bytesLeft, heap); + if (newFrag == NULL) + return MEMORY_E; + + msg->fragSz += added; + + newFrag->next = cur; + msg->fragList = newFrag; + } + + /* while we have bytes left, try to find a gap to fill */ + while (bytesLeft > 0) { + /* get previous packet in list */ + while (cur && (fragOffset >= cur->begin)) { + prev = cur; + cur = cur->next; + } + + /* don't add duplicate data */ + if (prev->end >= fragOffset) { + if ( (fragOffset + bytesLeft - 1) <= prev->end) + return 0; + fragOffset = prev->end + 1; + bytesLeft = startOffset + fragSz - fragOffset; + } + + if (cur == NULL) + /* we're at the end */ + added = bytesLeft; + else + /* we're in between two frames */ + added = min(bytesLeft, cur->begin - fragOffset); + + /* data already there */ + if (added == 0) + continue; + + newFrag = CreateFragment(&fragOffset, fragOffset + added - 1, + data + fragOffset - startOffset, + msg->msg, &bytesLeft, heap); + if (newFrag == NULL) + return MEMORY_E; + + msg->fragSz += added; + + newFrag->next = prev->next; + prev->next = newFrag; } - c32to24(msg->sz, msg->msg - DTLS_HANDSHAKE_FRAG_SZ); } + + return 0; } @@ -2459,14 +2559,16 @@ DtlsMsg* DtlsMsgStore(DtlsMsg* head, word32 seq, const byte* data, * starting at offset fragOffset, and add fragSz to msg->fragSz. If * the seq is in the list and it isn't full, copy fragSz bytes from * data to msg->msg starting at offset fragOffset, and add fragSz to - * msg->fragSz. The new item should be inserted into the list in its + * msg->fragSz. Insertions take into account data already in the list + * in case there are overlaps in the handshake message due to retransmit + * messages. The new item should be inserted into the list in its * proper position. * * 1. Find seq in list, or where seq should go in list. If seq not in * list, create new item and insert into list. Either case, keep * pointer to item. - * 2. If msg->fragSz + fragSz < sz, copy data to msg->msg at offset - * fragOffset. Add fragSz to msg->fragSz. + * 2. Copy the data from the message to the stored message where it + * belongs without overlaps. */ if (head != NULL) { @@ -2474,17 +2576,25 @@ DtlsMsg* DtlsMsgStore(DtlsMsg* head, word32 seq, const byte* data, if (cur == NULL) { cur = DtlsMsgNew(dataSz, heap); if (cur != NULL) { - DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz); + if (DtlsMsgSet(cur, seq, data, type, + fragOffset, fragSz, heap) < 0) { + DtlsMsgDelete(cur, heap); + return head; + } head = DtlsMsgInsert(head, cur); } } else { - DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz); + /* If this fails, the data is just dropped. */ + DtlsMsgSet(cur, seq, data, type, fragOffset, fragSz, heap); } } else { head = DtlsMsgNew(dataSz, heap); - DtlsMsgSet(head, seq, data, type, fragOffset, fragSz); + if (DtlsMsgSet(head, seq, data, type, fragOffset, fragSz, heap) < 0) { + DtlsMsgDelete(head, heap); + return NULL; + } } return head; diff --git a/wolfssl/internal.h b/wolfssl/internal.h index c688843cb..7acd2a064 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2292,14 +2292,23 @@ typedef struct DtlsPool { int used; } DtlsPool; + +typedef struct DtlsFrag { + word32 begin; + word32 end; + struct DtlsFrag* next; +} DtlsFrag; + + typedef struct DtlsMsg { struct DtlsMsg* next; - word32 seq; /* Handshake sequence number */ - word32 sz; /* Length of whole mesage */ - word32 fragSz; /* Length of fragments received */ - byte type; byte* buf; byte* msg; + DtlsFrag* fragList; + word32 fragSz; /* Length of fragments received */ + word32 seq; /* Handshake sequence number */ + word32 sz; /* Length of whole mesage */ + word16 type; } DtlsMsg; @@ -2709,8 +2718,8 @@ WOLFSSL_LOCAL int GrowInputBuffer(WOLFSSL* ssl, int size, int usedLength); WOLFSSL_LOCAL DtlsMsg* DtlsMsgNew(word32, void*); WOLFSSL_LOCAL void DtlsMsgDelete(DtlsMsg*, void*); WOLFSSL_LOCAL void DtlsMsgListDelete(DtlsMsg*, void*); - WOLFSSL_LOCAL void DtlsMsgSet(DtlsMsg*, word32, const byte*, byte, - word32, word32); + WOLFSSL_LOCAL int DtlsMsgSet(DtlsMsg*, word32, const byte*, byte, + word32, word32, void*); WOLFSSL_LOCAL DtlsMsg* DtlsMsgFind(DtlsMsg*, word32); WOLFSSL_LOCAL DtlsMsg* DtlsMsgStore(DtlsMsg*, word32, const byte*, word32, byte, word32, word32, void*); diff --git a/wolfssl/wolfcrypt/types.h b/wolfssl/wolfcrypt/types.h index b766a3726..d8a228452 100644 --- a/wolfssl/wolfcrypt/types.h +++ b/wolfssl/wolfcrypt/types.h @@ -292,7 +292,9 @@ DYNAMIC_TYPE_X509_EXT = 51, DYNAMIC_TYPE_X509_STORE = 52, DYNAMIC_TYPE_X509_CTX = 53, - DYNAMIC_TYPE_URL = 54 + DYNAMIC_TYPE_URL = 54, + DYNAMIC_TYPE_DTLS_FRAG = 55, + DYNAMIC_TYPE_DTLS_BUFFER = 56 }; /* max error buffer string size */ From 4217ef54753fcf2fe88ce6ded030b25e49244386 Mon Sep 17 00:00:00 2001 From: Takashi Kojo Date: Fri, 27 Nov 2015 11:31:12 +0900 Subject: [PATCH 093/177] fixed mdk4 macro control in example server/client, echoserver/client --- examples/client/client.c | 7 +++---- examples/echoclient/echoclient.c | 3 ++- examples/echoserver/echoserver.c | 7 +++---- examples/server/server.c | 7 ++++--- 4 files changed, 12 insertions(+), 12 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 55874e49e..0dda6a076 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -25,19 +25,18 @@ #include -#if defined(WOLFSSL_MDK_ARM) +#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #include #include - #if defined(WOLFSSL_MDK5) + #if !defined(WOLFSSL_MDK_ARM) #include "cmsis_os.h" #include "rl_fs.h" #include "rl_net.h" #else #include "rtl.h" + #include "wolfssl_MDK_ARM.h" #endif - - #include "wolfssl_MDK_ARM.h" #endif #include diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 6f06dd82c..37670f20e 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -33,11 +33,12 @@ #include #include - #if defined(WOLFSSL_MDK5) || defined(WOLFSSL_KEIL_TCP_NET) + #if !defined(WOLFSSL_MDK_ARM) #include "cmsis_os.h" #include "rl_net.h" #else #include "rtl.h" + #include "wolfssl_MDK_ARM.h" #endif #if defined(WOLFSSL_MDK_SHELL) char * wolfssl_fgets ( char * str, int num, FILE * f ) ; diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index a01377a7f..a0ecae3ff 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -29,19 +29,18 @@ #include /* ecc_fp_free */ #endif -#if defined(WOLFSSL_MDK_ARM) +#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #include #include - #if defined(WOLFSSL_MDK5) + #if !defined(WOLFSSL_MDK_ARM) #include "cmsis_os.h" #include "rl_fs.h" #include "rl_net.h" #else #include "rtl.h" + #include "wolfssl_MDK_ARM.h" #endif - - #include "wolfssl_MDK_ARM.h" #endif #include diff --git a/examples/server/server.c b/examples/server/server.c index 20c53ab45..a488c8901 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -34,19 +34,20 @@ #define WOLFSSL_TRACK_MEMORY #endif -#if defined(WOLFSSL_MDK_ARM) +#if defined(WOLFSSL_MDK_ARM) || defined(WOLFSSL_KEIL_TCP_NET) #include #include - #if defined(WOLFSSL_MDK5) + #if !defined(WOLFSSL_MDK_ARM) #include "cmsis_os.h" #include "rl_fs.h" #include "rl_net.h" #else #include "rtl.h" + #include "wolfssl_MDK_ARM.h" #endif - #include "wolfssl_MDK_ARM.h" + #endif #include #include From 6030970026b4033f2ee6d69b8fb4ae3b05d5bcb0 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Sun, 29 Nov 2015 23:34:58 -0700 Subject: [PATCH 094/177] perfer local IPP libraries, memory usage and casting --- Makefile.am | 2 +- configure.ac | 131 ++++++++-------- wolfcrypt/user-crypto/src/rsa.c | 265 ++++++++++++++++++++++++-------- 3 files changed, 274 insertions(+), 124 deletions(-) diff --git a/Makefile.am b/Makefile.am index e8941e6b5..043b9328d 100644 --- a/Makefile.am +++ b/Makefile.am @@ -59,7 +59,7 @@ EXTRA_DIST+= gencertbuf.pl EXTRA_DIST+= README.md EXTRA_DIST+= LICENSING EXTRA_DIST+= INSTALL -EXTRA_DIST+= IPP/ +EXTRA_DIST+= IPP # user crypto plug in example EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac diff --git a/configure.ac b/configure.ac index a4ccb5ce0..9dcb798db 100644 --- a/configure.ac +++ b/configure.ac @@ -2285,8 +2285,9 @@ AC_ARG_WITH([cavium], # Fast RSA using Intel IPP ippdir="${srcdir}/IPP" -ipplib="lib" # if autoconf guesses 32 changes lib directory -fastRSA_headers=no +ipplib="lib" # if autoconf guesses 32bit system changes lib directory +fastRSA_found=no +abs_path=`pwd` # set up variables used IPPLIBS= @@ -2301,11 +2302,12 @@ AC_ARG_ENABLE([fast-rsa], if test "$ENABLED_USER_RSA" = "no" && test "$ENABLED_FIPS" = "no"; then -if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then ipplib="lib_32" # 32 bit OS detected fi +# Use static IPP Libraries +if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then case $host_os in *darwin*) ipplib="$ipplib/mac_static" @@ -2322,92 +2324,100 @@ if test "$enable_shared" = "no" && test "$ENABLED_FAST_RSA" = "yes"; then AC_CHECK_FILES([$srcdir/IPP/$ipplib/libippcore.a $srcdir/IPP/$ipplib/libippcp.a], [], [ENABLED_FAST_RSA=no]) AC_CHECK_FILES([$srcdir/IPP/include/ipp.h $srcdir/IPP/include/ippcp.h], [AM_CPPFLAGS="-I$srcdir/IPP/include $AM_CPPFLAGS"], [ENABLED_FAST_RSA=no]) - LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a" + LIB_STATIC_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_STATIC_ADD" if test "$ENABLED_FAST_RSA" = "no"; then AC_MSG_ERROR([Could not find fast rsa libraries]) fi else -# just check link and see if user has already exported paths -if test "$ENABLED_FAST_RSA" = "yes" - then - AC_MSG_NOTICE([Checking if IPP crypto library installed]) - AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [LIBS="$LIBS -lippcore"; fastRSA_headers=yes], [AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]); fastRSA_headers=no])], [fastRSA_headers=no]) - if test "$fastRSA_headers" = "yes"; then - AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp" - fi -fi -# Don't cache the result so it can be checked again -AS_UNSET([ac_cv_header_ippcp_h]) -AS_UNSET([ac_cv_header_ipp_h]) - -if test "$fastRSA_headers" = "no"; then -dnl set default paths +# Check for and use bundled IPP libraries if test "$ENABLED_FAST_RSA" = "yes"; then AC_MSG_NOTICE([Using local IPP crypto library]) - # build and default locations on linux and mac - STORE_LDFLAGS=${LDFLAGS} - STORE_CPPFLAGS=${CPPFLAGS} - if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then - ipplib="lib_32" # 32 bit OS detected - fi - # using LDFLAGS instead of AM_ temporarily to test link to library - LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore" - CPPFLAGS="-I$ippdir/include" - AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [], [ENABLED_FAST_RSA=no])], [ENABLED_FAST_RSA=no]) - if test "$ENABLED_FAST_RSA" = "yes"; then - # was succesfull so add tested LDFLAGS to AM_ flags - AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}" - AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}" + AC_CHECK_FILES([$abs_path/IPP/include/ippcp.h], + [ + # build and default locations on linux and mac + STORE_LDFLAGS=${LDFLAGS} + STORE_CPPFLAGS=${CPPFLAGS} - case $host_os in - *darwin*) + # using LDFLAGS instead of AM_ temporarily to test link to library + LDFLAGS="-L$ippdir/$ipplib -lippcp -lippcore" + CPPFLAGS="-I$ippdir/include" + AC_CHECK_HEADERS([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], [fastRSA_found=yes], [fastRSA_found=no])], [fastRSA_found=no]) name="$ippdir/$ipplib/libippcp" - IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib" - IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib" - break;; + case $host_os in + *darwin*) + # check file existence and conditionally set variables + AC_CHECK_FILES([$abs_path/IPP/$ipplib/libippcp.dylib], [ + IPPLIBS="${name}.dylib ${name}-9.0.dylib ${name}e9-9.0.dylib ${name}g9-9.0.dylib ${name}h9-9.0.dylib ${name}k0-9.0.dylib ${name}l9-9.0.dylib ${name}n8-9.0.dylib ${name}p8-9.0.dylib ${name}s8-9.0.dylib ${name}y8-9.0.dylib IPP/lib/libippcore.dylib IPP/lib/libippcore-9.0.dylib" + IPPLINK="mkdir -p src/.libs && ln -f ${name}.dylib src/.libs/libippcp.dylib && ln -f ${srcdir}/${name}-9.0.dylib src/.libs/libippcp-9.0.dylib && ln -f ${srcdir}/${name}e9-9.0.dylib src/.libs/libippcpe9-9.0.dylib && ln -f ${srcdir}/${name}g9-9.0.dylib src/.libs/libippcpg9-9.0.dylib && ln -f ${srcdir}/${name}h9-9.0.dylib src/.libs/libippcph9-9.0.dylib && ln -f ${srcdir}/${name}k0-9.0.dylib src/.libs/libippcpk0-9.0.dylib && ln -f ${srcdir}/${name}l9-9.0.dylib src/.libs/libippcpl9-9.0.dylib && ln -f ${srcdir}/${name}n8-9.0.dylib src/.libs/libippcpn8-9.0.dylib && ln -f ${srcdir}/${name}p8-9.0.dylib src/.libs/libippcpp8-9.0.dylib && ln -f ${srcdir}/${name}s8-9.0.dylib src/.libs/libippcps8-9.0.dylib && ln -f ${srcdir}/${name}y8-9.0.dylib src/.libs/libippcpy8-9.0.dylib && ln -f ${srcdir}/IPP/lib/libippcore.dylib src/.libs/libippcore.dylib && ln -f ${srcdir}/IPP/lib/libippcore-9.0.dylib src/.libs/libippcore-9.0.dylib" + ], [fastRSA_found=no]) + break;; - *linux*) - if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then - name="$ippdir/$ipplib/libippcp" - IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so" - IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0" - else - name="$ippdir/$ipplib/libippcp" - IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so" - IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0" + *linux*) + # check file existence and conditionally set variables + AC_CHECK_FILES([$abs_path/IPP/$ipplib/libippcp.so.9.0], [ + if test "$ac_cv_sizeof_long" = "4" && test "$ac_cv_sizeof_long_long" = "8"; then + IPPLIBS="${name}.so.9.0 ${name}g9.so.9.0 ${name}h9.so.9.0 ${name}p8.so.9.0 ${name}px.so.9.0 ${name}s8.so.9.0 ${name}.so ${name}w7.so.9.0 IPP/$ipplib/libippcore.so IPP/$ipplib/libippcore.so.9.0" + IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}g9.so.9.0 src/.libs/libippcpg9.so.9.0 && ln -f ${name}h9.so.9.0 src/.libs/libippcph9.so.9.0 && ln -f ${name}p8.so.9.0 src/.libs/libippcpp8.so.9.0 && ln -f ${name}px.so.9.0 src/.libs/libippcppx.so.9.0 && ln -f ${name}s8.so.9.0 src/.libs/libippcps8.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}w7.so.9.0 src/.libs/libippcpw7.so.9.0 && ln -f IPP/$ipplib/libippcore.so src/.libs/libippcore.so && ln -f IPP/$ipplib/libippcore.so.9.0 src/.libs/libippcore.so.9.0" + else + IPPLIBS="${name}.so.9.0 ${name}e9.so.9.0 ${name}k0.so.9.0 ${name}l9.so.9.0 ${name}m7.so.9.0 ${name}mx.so.9.0 ${name}.so ${name}n8.so.9.0 ${name}y8.so.9.0 IPP/lib/libippcore.so IPP/lib/libippcore.so.9.0" + IPPLINK="mkdir -p src/.libs && ln -f ${name}.so.9.0 src/.libs/libippcp.so.9.0 && ln -f ${name}e9.so.9.0 src/.libs/libippcpe9.so.9.0 && ln -f ${name}k0.so.9.0 src/.libs/libippcpk0.so.9.0 && ln -f ${name}l9.so.9.0 src/.libs/libippcpl9.so.9.0 && ln -f ${name}m7.so.9.0 src/.libs/libippcpm7.so.9.0 && ln -f ${name}mx.so.9.0 src/.libs/libippcpmx.so.9.0 && ln -f ${name}.so src/.libs/libippcp.so && ln -f ${name}n8.so.9.0 src/.libs/libippcpn8.so.9.0 && ln -f ${name}y8.so.9.0 src/.libs/libippcpy8.so.9.0 && ln -f IPP/lib/libippcore.so src/.libs/libippcore.so && ln -f IPP/lib/libippcore.so.9.0 src/.libs/libippcore.so.9.0" + fi + ], [fastRSA_found=no]) + break;; + *) + fastRSA_found=no + esac + + if test "$fastRSA_found" = "yes"; then + # was succesfull so add tested LDFLAGS to AM_ flags + AM_LDFLAGS="${AM_LDFLAGS} ${LDFLAGS}" + AM_CPPFLAGS="${AM_CPPFLAGS} ${CPPFLAGS}" + IPPHEADERS="${srcdir}/IPP/include/*.h" fi - break;; - *) - ENABLED_FAST_RSA=no - esac - fi - # restore LDFLAGS to user set - LDFLAGS=${STORE_LDFLAGS} - CPPFLAGS=${STORE_CPPFLAGS} - IPPHEADERS="${srcdir}/IPP/include/*.h" + + # restore LDFLAGS to user set + LDFLAGS=${STORE_LDFLAGS} + CPPFLAGS=${STORE_CPPFLAGS} + ], [fastRSA_found=no]) +fi + +# Don't cache the result so it can be checked +AS_UNSET([ac_cv_header_ippcp_h]) +AS_UNSET([ac_cv_header_ipp_h]) +AS_UNSET([ac_cv_lib_ippcp_ippsRSAEncrypt_PKCSv15]); + +# Check link and see if user has pre-existing IPP Libraries if not using local +if test "$ENABLED_FAST_RSA" = "yes" && test "$fastRSA_found" = "no"; then + AC_MSG_NOTICE([Checking if IPP crypto library installed]) + AC_CHECK_HEADER([ippcp.h], [AC_CHECK_LIB([ippcp], [ippsRSAEncrypt_PKCSv15], + [ + fastRSA_found=yes + AM_LDFLAGS="${AM_LDFLAGS} -lippcore -lippcp" + ], [ fastRSA_found=no]) + ], [fastRSA_found=no]) # Error out on not finding libraries - if test "$ENABLED_FAST_RSA" = "no"; then + if test "$fastRSA_found" = "no"; then AC_MSG_ERROR([Could not find fast rsa libraries]) fi fi -fi # end of if found exported paths fi # end of if for shared library else # if user rsa is set than do not use fast rsa option if test "$ENABLED_FAST_RSA" = "yes"; then AC_MSG_ERROR([Could not use fast rsa libraries with user crypto or fips]) fi -fi # end of if for user rsa crypto +fi # end of if for user rsa crypto or fips +# End result of checking for IPP Libraries AC_MSG_CHECKING([for fast RSA]) if test "$ENABLED_FAST_RSA" = "yes"; then AM_CFLAGS="$AM_CFLAGS -DHAVE_FAST_RSA -DHAVE_USER_RSA" # add in user crypto header that uses Intel IPP AM_CPPFLAGS="$AM_CPPFLAGS -I$srcdir/wolfcrypt/user-crypto/include" if test "$enable_shared" = "yes"; then - LIBS="$LIBS -lippcore" + LIBS="$LIBS -lippcore -lippcp" LIB_ADD="-lippcp -lippcore $LIB_ADD" else LIB_ADD="$srcdir/IPP/$ipplib/libippcp.a $srcdir/IPP/$ipplib/libippcore.a $LIB_ADD" @@ -2420,7 +2430,6 @@ fi AC_SUBST([IPPLIBS]) AC_SUBST([IPPHEADERS]) AC_SUBST([IPPLINK]) -# Found IPP library now build in user crypto to use it AM_CONDITIONAL([BUILD_FAST_RSA], [test "x$ENABLED_FAST_RSA" = "xyes"]) diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c index 05d7388e6..a61d61781 100644 --- a/wolfcrypt/user-crypto/src/rsa.c +++ b/wolfcrypt/user-crypto/src/rsa.c @@ -160,7 +160,7 @@ static int SetIndividualExternal(WOLFSSL_BIGNUM** bn, IppsBigNumState* in) if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - data = XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + data = (byte*)XMALLOC(sz, NULL, DYNAMIC_TYPE_USER_CRYPTO); if (data == NULL) return USER_CRYPTO_ERROR; @@ -200,13 +200,15 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi) if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + *mpi = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); if (*mpi == NULL) return USER_CRYPTO_ERROR; ret = ippsBigNumInit(length, *mpi); - if (ret != ippStsNoErr) + if (ret != ippStsNoErr) { + XFREE(*mpi, NULL, DYNAMIC_TYPE_USER_CRYPTO); return USER_CRYPTO_ERROR; + } } @@ -219,7 +221,7 @@ static int SetIndividualInternal(WOLFSSL_BIGNUM* bn, IppsBigNumState** mpi) return USER_CRYPTO_ERROR; } - data = XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO); + data = (Ipp8u*)XMALLOC(length, NULL, DYNAMIC_TYPE_USER_CRYPTO); if (data == NULL) return USER_CRYPTO_ERROR; @@ -399,7 +401,8 @@ int SetRsaInternal(WOLFSSL_RSA* rsa) return USER_CRYPTO_ERROR; } - key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPub == NULL) return USER_CRYPTO_ERROR; @@ -452,7 +455,8 @@ int SetRsaInternal(WOLFSSL_RSA* rsa) } key->prvSz = ctxSz; - key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPrv == NULL) return USER_CRYPTO_ERROR; @@ -575,13 +579,15 @@ static IppStatus init_bn(IppsBigNumState** in, int sz) return ret; } - *in = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + *in = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); if (*in == NULL) { return ippStsNoMemErr; } ret = ippsBigNumInit(sz, *in); if (ret != ippStsNoErr) { + XFREE(*in, NULL, DYNAMIC_TYPE_USER_CRYPTO); + *in = NULL; return ret; } @@ -592,41 +598,51 @@ static IppStatus init_bn(IppsBigNumState** in, int sz) /* Set up memory and structure for a Montgomery struct * returns ippStsNoErr on success */ -static IppStatus init_mont(IppsMontState** mont, IppsBigNumState* modul) +static IppStatus init_mont(IppsMontState** mont, int* ctxSz, + IppsBigNumState* modul) { - int ctxSz, mSz; - Ipp32u* m; - IppStatus ret; + int mSz; + Ipp32u* m; + IppStatus ret; - ret = ippsExtGet_BN(NULL, &ctxSz, NULL, modul); + ret = ippsExtGet_BN(NULL, ctxSz, NULL, modul); if (ret != ippStsNoErr) { return ret; } - mSz = (ctxSz/32)+((ctxSz % 32)? 1: 0); - m = XMALLOC(mSz * sizeof(Ipp32u), 0, DYNAMIC_TYPE_USER_CRYPTO); + /* convert bits to Ipp32u array size and round up + 32 is number of bits in type */ + mSz = (*ctxSz/32)+((*ctxSz % 32)? 1: 0); + m = (Ipp32u*)XMALLOC(mSz * sizeof(Ipp32u), 0, DYNAMIC_TYPE_USER_CRYPTO); if (m == NULL) { + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); return ippStsNoMemErr; } ret = ippsExtGet_BN(NULL, NULL, m, modul); if (ret != ippStsNoErr) { + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); return ret; } - ret = ippsMontGetSize(IppsBinaryMethod, mSz, &ctxSz); + ret = ippsMontGetSize(IppsSlidingWindows, mSz, ctxSz); if (ret != ippStsNoErr) { + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); return ret; } /* 2. Allocate working buffer using malloc */ - *mont = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + *mont = (IppsMontState*)XMALLOC(*ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); if (mont == NULL) { + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); return ippStsNoMemErr; } - ret = ippsMontInit(IppsBinaryMethod, mSz, *mont); + ret = ippsMontInit(IppsSlidingWindows, mSz, *mont); if (ret != ippStsNoErr) { USER_DEBUG(("ippsMontInit error of %s\n", ippGetStatusString(ret))); + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(*mont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + *mont = NULL; return ret; } @@ -634,6 +650,9 @@ static IppStatus init_mont(IppsMontState** mont, IppsBigNumState* modul) ret = ippsMontSet(m, mSz, *mont); if (ret != ippStsNoErr) { USER_DEBUG(("ippsMontSet error of %s\n", ippGetStatusString(ret))); + XFREE(m, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(*mont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + *mont = NULL; return ret; } @@ -779,7 +798,7 @@ static int GetInt(IppsBigNumState** mpi, const byte* input, word32* inOutIdx, if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - *mpi = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + *mpi = (IppsBigNumState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); if (*mpi == NULL) return USER_CRYPTO_ERROR; @@ -886,7 +905,8 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, return USER_CRYPTO_ERROR; } - key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPub == NULL) return USER_CRYPTO_ERROR; @@ -938,7 +958,8 @@ int wc_RsaPrivateKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, } key->prvSz = ctxSz; - key->pPrv = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPrv == NULL) return USER_CRYPTO_ERROR; @@ -1056,7 +1077,8 @@ int wc_RsaPublicKeyDecode(const byte* input, word32* inOutIdx, RsaKey* key, return USER_CRYPTO_ERROR; } - key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPub == NULL) return USER_CRYPTO_ERROR; @@ -1123,7 +1145,8 @@ int wc_RsaPublicKeyDecodeRaw(const byte* n, word32 nSz, const byte* e, return USER_CRYPTO_ERROR; } - key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPub == NULL) return USER_CRYPTO_ERROR; @@ -1168,8 +1191,8 @@ int wc_RsaPublicEncrypt(const byte* in, word32 inLen, byte* out, word32 outLen, if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, - DYNAMIC_TYPE_USER_CRYPTO); + scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); if (scratchBuffer == NULL) return USER_CRYPTO_ERROR; @@ -1211,8 +1234,8 @@ int wc_RsaPrivateDecrypt(const byte* in, word32 inLen, byte* out, word32 outLen, return USER_CRYPTO_ERROR; } - scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, - DYNAMIC_TYPE_USER_CRYPTO); + scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); if (scratchBuffer == NULL) { return USER_CRYPTO_ERROR; } @@ -1242,7 +1265,7 @@ int wc_RsaPrivateDecryptInline(byte* in, word32 inLen, byte** out, RsaKey* key) USER_DEBUG(("Entering wc_RsaPrivateDecryptInline\n")); /* allocate a buffer for max decrypted text */ - tmp = XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + tmp = (byte*)XMALLOC(key->sz, NULL, DYNAMIC_TYPE_USER_CRYPTO); if (tmp == NULL) return USER_CRYPTO_ERROR; @@ -1314,7 +1337,7 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) return USER_CRYPTO_ERROR; } - pPub = XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + pPub = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, 0, DYNAMIC_TYPE_USER_CRYPTO); if (pPub == NULL) return USER_CRYPTO_ERROR; @@ -1341,8 +1364,8 @@ int wc_RsaSSL_VerifyInline(byte* in, word32 inLen, byte** out, RsaKey* key) return USER_CRYPTO_ERROR; } - scratchBuffer = XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, - DYNAMIC_TYPE_USER_CRYPTO); + scratchBuffer = (Ipp8u*)XMALLOC(scratchSz*(sizeof(Ipp8u)), 0, + DYNAMIC_TYPE_USER_CRYPTO); if (scratchBuffer == NULL) { FreeHelper(pTxt, cTxt, scratchBuffer, pPub); return USER_CRYPTO_ERROR; @@ -1475,23 +1498,58 @@ static IppStatus exptmod(IppsBigNumState* a, IppsBigNumState* b, } +static void Free_BN(IppsBigNumState* bn) +{ + int sz, ctxSz; + IppStatus ret; + + if (bn != NULL) { + ret = ippStsNoErr; + ret |= ippsGetSize_BN(bn, &sz); + ret |= ippsBigNumGetSize(sz, &ctxSz); + if (ret == ippStsNoErr) { + ForceZero(bn, ctxSz); + } + else { + USER_DEBUG(("Issue with clearing a struct in RsaSSL_Sign free\n")); + } + XFREE(bn, NULL, DYNAMIC_TYPE_USER_CRYPTO); + bn = NULL; + } +} + + +/* free up memory used during CRT sign operation */ +static void FreeSignHelper(IppsBigNumState* one, IppsBigNumState* tmp, + IppsBigNumState* tmpP, IppsBigNumState* tmpQ, IppsBigNumState* tmpa, + IppsBigNumState* tmpb) +{ + Free_BN(one); + Free_BN(tmp); + Free_BN(tmpP); + Free_BN(tmpQ); + Free_BN(tmpa); + Free_BN(tmpb); +} + + /* for Rsa Sign */ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, RsaKey* key, WC_RNG* rng) { - int sz; + int sz, pSz, qSz; IppStatus ret; word32 outSz = outLen; - IppsMontState* pMont; - IppsMontState* qMont; + IppsMontState* pMont = NULL; + IppsMontState* qMont = NULL; - IppsBigNumState* one; - IppsBigNumState* tmp; - IppsBigNumState* tmpP; - IppsBigNumState* tmpQ; - IppsBigNumState* tmpa; - IppsBigNumState* tmpb; + IppsBigNumState* one = NULL; + IppsBigNumState* tmp = NULL; + IppsBigNumState* tmpP = NULL; + IppsBigNumState* tmpQ = NULL; + IppsBigNumState* tmpa = NULL; + IppsBigNumState* tmpb = NULL; IppsBigNumSGN sa, sb; @@ -1507,6 +1565,13 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, return USER_CRYPTO_ERROR; } + /* sanity check on key being used */ + if (key->pipp == NULL || key->qipp == NULL || key->uipp == NULL || + key->dPipp == NULL || key->dQipp == NULL) { + USER_DEBUG(("Bad key argument to wc_RsaSSL_Sign\n")); + return USER_CRYPTO_ERROR; + } + if (sz > (int)outLen) { USER_DEBUG(("Bad argument outLen to wc_RsaSSL_Sign\n")); return USER_CRYPTO_ERROR; @@ -1527,11 +1592,14 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = init_bn(&tmp, sz); if (ret != ippStsNoErr) { USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } ret = ippsSetOctString_BN(out, sz, tmp); if (ret != ippStsNoErr) { - USER_DEBUG(("ippsSetOctString_BN error of %s\n", ippGetStatusString(ret))); + USER_DEBUG(("ippsSetOctString_BN error of %s\n", + ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1539,6 +1607,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = init_bn(&tmpP, sz); if (ret != ippStsNoErr) { USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1546,6 +1615,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = init_bn(&tmpQ, sz); if (ret != ippStsNoErr) { USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1553,6 +1623,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = init_bn(&tmpa, sz); if (ret != ippStsNoErr) { USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1560,6 +1631,7 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = init_bn(&tmpb, sz); if (ret != ippStsNoErr) { USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1567,27 +1639,39 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = init_bn(&one, sz); if (ret != ippStsNoErr) { USER_DEBUG(("init_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } ret = ippsSetOctString_BN(o, 1, one); if (ret != ippStsNoErr) { USER_DEBUG(("ippsSetOctString_BN error of %s\n", ippGetStatusString(ret))); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } /** Set up Montgomery state */ - ret = init_mont(&pMont, key->pipp); + ret = init_mont(&pMont, &pSz, key->pipp); if (ret != ippStsNoErr) { USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret))); + if (pMont != NULL) { + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + } + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } - ret = init_mont(&qMont, key->qipp); + ret = init_mont(&qMont, &qSz, key->qipp); if (ret != ippStsNoErr) { USER_DEBUG(("init_mont error of %s\n", ippGetStatusString(ret))); + if (qMont != NULL) { + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + } + ForceZero(pMont, pSz); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1599,6 +1683,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, if (ret != ippStsNoErr) { USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1606,6 +1695,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, if (ret != ippStsNoErr) { USER_DEBUG(("reduce error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1613,6 +1707,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = exptmod(tmpP, key->dPipp, pMont, tmpa, one); if (ret != ippStsNoErr) { USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1620,6 +1719,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = exptmod(tmpQ, key->dQipp, qMont, tmpb, one); if (ret != ippStsNoErr) { USER_DEBUG(("exptmod error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1627,12 +1731,22 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = ippsSub_BN(tmpa, tmpb, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } ret = ippsMul_BN(tmp, key->uipp, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsMul_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1640,6 +1754,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = ippsDiv_BN(tmp, key->pipp, tmpa, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsDiv_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1647,17 +1766,32 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = ippsExtGet_BN(&sa, NULL, NULL, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } ret = ippsExtGet_BN(&sb, NULL, NULL, key->pipp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsExtGet_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } if (sa != sb) { ret = ippsAdd_BN(tmp, key->pipp, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsAdd_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } } @@ -1666,6 +1800,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = ippsMul_BN(tmp, key->qipp, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1673,6 +1812,11 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, ret = ippsAdd_BN(tmp, tmpb, tmp); if (ret != ippStsNoErr) { USER_DEBUG(("ippsSub_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } @@ -1681,27 +1825,22 @@ int wc_RsaSSL_Sign(const byte* in, word32 inLen, byte* out, word32 outLen, if (ret != ippStsNoErr) { USER_DEBUG(("ippsGetOctString_BN error of %s\n", ippGetStatusString(ret))); + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); + XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return USER_CRYPTO_ERROR; } outSz = sz; - XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + /* clear memory and free */ + ForceZero(pMont, pSz); + ForceZero(qMont, qSz); XFREE(qMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); - - XFREE(one, NULL, DYNAMIC_TYPE_USER_CRYPTO); - - /* clear memory by setting BN to one and then free */ - ippsSetOctString_BN(o, 1, tmp); - XFREE(tmp, NULL, DYNAMIC_TYPE_USER_CRYPTO); - ippsSetOctString_BN(o, 1, tmpP); - XFREE(tmpP, NULL, DYNAMIC_TYPE_USER_CRYPTO); - ippsSetOctString_BN(o, 1, tmpQ); - XFREE(tmpQ, NULL, DYNAMIC_TYPE_USER_CRYPTO); - ippsSetOctString_BN(o, 1, tmpa); - XFREE(tmpa, NULL, DYNAMIC_TYPE_USER_CRYPTO); - ippsSetOctString_BN(o, 1, tmpb); - XFREE(tmpb, NULL, DYNAMIC_TYPE_USER_CRYPTO); + XFREE(pMont, NULL, DYNAMIC_TYPE_USER_CRYPTO); + FreeSignHelper(one, tmp, tmpP, tmpQ, tmpa, tmpb); return outSz; } @@ -1829,7 +1968,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return USER_CRYPTO_ERROR; } - pPrime = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + pPrime = (IppsPrimeState*)XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); if (pPrime == NULL) return USER_CRYPTO_ERROR; @@ -1849,7 +1988,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) } key->prvSz = ctxSz; /* used when freeing private key */ - key->pPrv = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPrv = (IppsRSAPrivateKeyState*)XMALLOC(ctxSz, NULL, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPrv == NULL) return USER_CRYPTO_ERROR; @@ -1869,7 +2009,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return USER_CRYPTO_ERROR; } - scratchBuffer = XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO); + scratchBuffer = (Ipp8u*)XMALLOC(scratchSz, 0, DYNAMIC_TYPE_USER_CRYPTO); if (scratchBuffer == NULL) return USER_CRYPTO_ERROR; @@ -1943,7 +2083,8 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) return USER_CRYPTO_ERROR; } - key->pPub = XMALLOC(ctxSz, NULL, DYNAMIC_TYPE_USER_CRYPTO); + key->pPub = (IppsRSAPublicKeyState*)XMALLOC(ctxSz, NULL, + DYNAMIC_TYPE_USER_CRYPTO); if (key->pPub == NULL) return USER_CRYPTO_ERROR; @@ -2381,7 +2522,7 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) rawLen += lbit; tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, - DYNAMIC_TYPE_USER_CRYPTO); + DYNAMIC_TYPE_USER_CRYPTO); if (tmps[i] == NULL) { ret = USER_CRYPTO_ERROR; break; From d2a80ba1bc014b58a0a951cd82be11a9cbf4a423 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 30 Nov 2015 10:25:55 -0700 Subject: [PATCH 095/177] remove extra NULL check in SetTmpDH_buffer/file_wrapper, fix API tests --- src/ssl.c | 4 ++-- tests/api.c | 23 +++++++++++++++++------ 2 files changed, 19 insertions(+), 8 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index e895a3f90..d748ff048 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -4344,7 +4344,7 @@ static int wolfSSL_SetTmpDH_file_wrapper(WOLFSSL_CTX* ctx, WOLFSSL* ssl, long sz = 0; XFILE file; - if (ctx == NULL || ssl == NULL || fname == NULL) + if (ctx == NULL || fname == NULL) return BAD_FUNC_ARG; file = XFOPEN(fname, "rb"); @@ -7242,7 +7242,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl) byte g[MAX_DH_SIZE]; #endif - if (ctx == NULL || ssl == NULL || buf == NULL) + if (ctx == NULL || buf == NULL) return BAD_FUNC_ARG; der.buffer = (byte*)buf; diff --git a/tests/api.c b/tests/api.c index 4dd15e17e..745557cf2 100644 --- a/tests/api.c +++ b/tests/api.c @@ -256,7 +256,8 @@ static void test_wolfSSL_CTX_SetTmpDH_file(void) bogusFile, SSL_FILETYPE_PEM)); /* success */ - AssertTrue(wolfSSL_CTX_SetTmpDH_file(ctx, dhParam, SSL_FILETYPE_PEM)); + AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_file(ctx, dhParam, + SSL_FILETYPE_PEM)); wolfSSL_CTX_free(ctx); #endif @@ -280,7 +281,7 @@ static void test_wolfSSL_CTX_SetTmpDH_buffer(void) sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1)); /* success */ - AssertIntNE(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048, + AssertIntEQ(SSL_SUCCESS, wolfSSL_CTX_SetTmpDH_buffer(ctx, dh_key_der_2048, sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); wolfSSL_CTX_free(ctx); @@ -352,7 +353,11 @@ static void test_wolfSSL_SetTmpDH_file(void) WOLFSSL_CTX *ctx; WOLFSSL *ssl; - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(wolfSSL_CTX_use_certificate_file(ctx, svrCert, + SSL_FILETYPE_PEM)); + AssertTrue(wolfSSL_CTX_use_PrivateKey_file(ctx, svrKey, + SSL_FILETYPE_PEM)); AssertNotNull(ssl = wolfSSL_new(ctx)); /* invalid ssl */ @@ -366,7 +371,8 @@ static void test_wolfSSL_SetTmpDH_file(void) bogusFile, SSL_FILETYPE_PEM)); /* success */ - AssertTrue(wolfSSL_SetTmpDH_file(ssl, dhParam, SSL_FILETYPE_PEM)); + AssertIntEQ(SSL_SUCCESS, wolfSSL_SetTmpDH_file(ssl, dhParam, + SSL_FILETYPE_PEM)); wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); @@ -379,7 +385,11 @@ static void test_wolfSSL_SetTmpDH_buffer(void) WOLFSSL_CTX *ctx; WOLFSSL *ssl; - AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_client_method())); + AssertNotNull(ctx = wolfSSL_CTX_new(wolfSSLv23_server_method())); + AssertTrue(wolfSSL_CTX_use_certificate_buffer(ctx, server_cert_der_2048, + sizeof_server_cert_der_2048, SSL_FILETYPE_ASN1)); + AssertTrue(wolfSSL_CTX_use_PrivateKey_buffer(ctx, server_key_der_2048, + sizeof_server_key_der_2048, SSL_FILETYPE_ASN1)); AssertNotNull(ssl = wolfSSL_new(ctx)); /* invalid ssl */ @@ -393,11 +403,12 @@ static void test_wolfSSL_SetTmpDH_buffer(void) sizeof_dsa_key_der_2048, SSL_FILETYPE_ASN1)); /* success */ - AssertIntNE(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, + AssertIntEQ(SSL_SUCCESS, wolfSSL_SetTmpDH_buffer(ssl, dh_key_der_2048, sizeof_dh_key_der_2048, SSL_FILETYPE_ASN1)); wolfSSL_free(ssl); wolfSSL_CTX_free(ctx); + printf("SUCCESS4\n"); #endif } From 767da41b168b20812dd1f9c6f069c261a327e086 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 30 Nov 2015 14:18:17 -0700 Subject: [PATCH 096/177] allow 1024 and 2048 example cert buffers to be enabled at same time, gencertbuf.pl --- gencertbuf.pl | 7 ++++--- wolfssl/certs_test.h | 7 ++++--- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/gencertbuf.pl b/gencertbuf.pl index 9a11a7147..450ff764a 100755 --- a/gencertbuf.pl +++ b/gencertbuf.pl @@ -71,9 +71,10 @@ for (my $i = 0; $i < $num_1024; $i++) { print OUT_FILE "};\n"; print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n"; } +print OUT_FILE "#endif /* USE_CERT_BUFFERS_1024 */\n\n"; # convert and print 2048-bit certs/keys -print OUT_FILE "#elif defined(USE_CERT_BUFFERS_2048)\n\n"; +print OUT_FILE "#ifdef USE_CERT_BUFFERS_2048\n\n"; for (my $i = 0; $i < $num_2048; $i++) { my $fname = $fileList_2048[$i][0]; @@ -87,7 +88,7 @@ for (my $i = 0; $i < $num_2048; $i++) { print OUT_FILE "static const int sizeof_$sname = sizeof($sname);\n\n"; } -print OUT_FILE "#endif /* USE_CERT_BUFFERS_1024 */\n\n"; +print OUT_FILE "#endif /* USE_CERT_BUFFERS_2048 */\n\n"; print OUT_FILE "/* dh1024 p */ static const unsigned char dh_p[] = { @@ -108,7 +109,7 @@ static const unsigned char dh_p[] = static const unsigned char dh_g[] = { 0x02, -};\n\n\n"; +};\n\n"; print OUT_FILE "#endif /* WOLFSSL_CERTS_TEST_H */\n\n"; # close certs_test.h file diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index e7ab3c767..6a3fb4799 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h @@ -606,7 +606,9 @@ static const unsigned char server_cert_der_1024[] = }; static const int sizeof_server_cert_der_1024 = sizeof(server_cert_der_1024); -#elif defined(USE_CERT_BUFFERS_2048) +#endif /* USE_CERT_BUFFERS_1024 */ + +#ifdef USE_CERT_BUFFERS_2048 /* ./certs/client-key.der, 2048-bit */ static const unsigned char client_key_der_2048[] = @@ -1526,7 +1528,7 @@ static const unsigned char server_cert_der_2048[] = }; static const int sizeof_server_cert_der_2048 = sizeof(server_cert_der_2048); -#endif /* USE_CERT_BUFFERS_1024 */ +#endif /* USE_CERT_BUFFERS_2048 */ /* dh1024 p */ static const unsigned char dh_p[] = @@ -1550,6 +1552,5 @@ static const unsigned char dh_g[] = 0x02, }; - #endif /* WOLFSSL_CERTS_TEST_H */ From 07356af78ea8097ae5086df854228ddc96601346 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 30 Nov 2015 18:34:00 -0300 Subject: [PATCH 097/177] prepares BuildCertificateStatus() to send more than one certificate status; --- src/internal.c | 196 ++++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 160 insertions(+), 36 deletions(-) diff --git a/src/internal.c b/src/internal.c index 0503ae722..b7fc15bdc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4850,6 +4850,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, return BUFFER_ERROR; switch (status_type) { + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) @@ -4873,6 +4874,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (ssl->status_request_v2) { request = TLSX_CSR2_GetRequest(ssl->extensions, @@ -4881,6 +4883,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, break; } #endif + return BUFFER_ERROR; } while(0); @@ -8200,16 +8203,34 @@ int SendCertificateRequest(WOLFSSL* ssl) #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) -static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer status) +static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, + byte count) { byte* output = NULL; word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; - word32 length = ENUM_LEN + OPAQUE24_LEN + status.length; - int sendSz = idx + length; + word32 length = ENUM_LEN; + int sendSz = 0; int ret = 0; + int i = 0; WOLFSSL_ENTER("BuildCertificateStatus"); + switch (type) { + case WOLFSSL_CSR2_OCSP_MULTI: + length += OPAQUE24_LEN; + /* followed by */ + + case WOLFSSL_CSR2_OCSP: + for (i = 0; i < count; i++) + length += OPAQUE24_LEN + status[i].length; + break; + + default: + return 0; + } + + sendSz = idx + length; + if (ssl->keys.encryptionOn) sendSz += MAX_MSG_EXTRA; @@ -8221,11 +8242,18 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer status) output[idx++] = type; - c32to24(status.length, output + idx); - idx += OPAQUE24_LEN; + if (type == WOLFSSL_CSR2_OCSP_MULTI) { + c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx); + idx += OPAQUE24_LEN; + } - XMEMCPY(output + idx, status.buffer, status.length); - idx += status.length; + for (i = 0; i < count; i++) { + c32to24(status[i].length, output + idx); + idx += OPAQUE24_LEN; + + XMEMCPY(output + idx, status[i].buffer, status[i].length); + idx += status[i].length; + } if (ssl->keys.encryptionOn) { byte* input; @@ -8280,17 +8308,18 @@ int SendCertificateStatus(WOLFSSL* ssl) (void) ssl; -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST - status_type = ssl->status_request; -#endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + status_type = ssl->status_request; + #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 - status_type = status_type ? status_type : ssl->status_request_v2; -#endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + status_type = status_type ? status_type : ssl->status_request_v2; + #endif switch (status_type) { -#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ - || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) /* case WOLFSSL_CSR_OCSP: */ case WOLFSSL_CSR2_OCSP: { OcspRequest* request = ssl->ctx->certOcspRequest; @@ -8302,22 +8331,22 @@ int SendCertificateStatus(WOLFSSL* ssl) if (!request || ssl->buffers.weOwnCert) { buffer der = ssl->buffers.certificate; - #ifdef WOLFSSL_SMALL_STACK - DecodedCert* cert = NULL; - #else - DecodedCert cert[1]; - #endif + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif /* unable to fetch status. skip. */ if (der.buffer == NULL || der.length == 0) return 0; -#ifdef WOLFSSL_SMALL_STACK - cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (cert == NULL) - return MEMORY_E; -#endif + if (cert == NULL) + return MEMORY_E; + #endif InitDecodedCert(cert, der.buffer, der.length, NULL); @@ -8330,9 +8359,11 @@ int SendCertificateStatus(WOLFSSL* ssl) DYNAMIC_TYPE_OCSP_REQUEST); if (request == NULL) { FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + return MEMORY_E; } @@ -8349,9 +8380,10 @@ int SendCertificateStatus(WOLFSSL* ssl) } FreeDecodedCert(cert); -#ifdef WOLFSSL_SMALL_STACK - XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); -#endif + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif } if (ret == 0) { @@ -8366,7 +8398,8 @@ int SendCertificateStatus(WOLFSSL* ssl) if (response.buffer) { if (ret == 0) - ret = BuildCertificateStatus(ssl,status_type, response); + ret = BuildCertificateStatus(ssl, status_type, + &response, 1); XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); } @@ -8377,12 +8410,103 @@ int SendCertificateStatus(WOLFSSL* ssl) XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); } break; -#endif -#if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 - case WOLFSSL_CSR2_OCSP_MULTI: + #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ + /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + + #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 + case WOLFSSL_CSR2_OCSP_MULTI: { + OcspRequest* request = ssl->ctx->certOcspRequest; + buffer response = {NULL, 0}; + + /* unable to fetch status. skip. */ + if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) + return 0; + + if (!request || ssl->buffers.weOwnCert) { + buffer der = ssl->buffers.certificate; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + /* unable to fetch status. skip. */ + if (der.buffer == NULL || der.length == 0) + return 0; + + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; + #endif + + InitDecodedCert(cert, der.buffer, der.length, NULL); + + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, + ssl->ctx->cm)) != 0) { + WOLFSSL_MSG("ParseCert failed"); + } + else { + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (request == NULL) { + FreeDecodedCert(cert); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + return MEMORY_E; + } + + ret = InitOcspRequest(request, cert, 0); + if (ret != 0) { + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + else if (!ssl->buffers.weOwnCert && 0 == LockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock)) { + if (!ssl->ctx->certOcspRequest) + ssl->ctx->certOcspRequest = request; + + UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); + } + } + + FreeDecodedCert(cert); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + } + + if (ret == 0) { + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, + &response); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + + if (response.buffer) { + if (ret == 0) + ret = BuildCertificateStatus(ssl, status_type, + &response, 1); + + XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + + } + + if (request != ssl->ctx->certOcspRequest) + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } break; -#endif + + #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ default: break; From 514aa331f8e91f7a6ad54927a1c73777830b60e3 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 30 Nov 2015 14:43:03 -0800 Subject: [PATCH 098/177] wrapped checks for encryptionOn with a function to allow more complicated checks like for epoch 0 being unencrypted --- src/internal.c | 80 ++++++++++++++++++++++++---------------------- wolfssl/internal.h | 1 - 2 files changed, 42 insertions(+), 39 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1d19e9b36..a51ba9528 100644 --- a/src/internal.c +++ b/src/internal.c @@ -182,6 +182,20 @@ int IsAtLeastTLSv1_2(const WOLFSSL* ssl) } +static INLINE int IsEncryptionOn(WOLFSSL* ssl, int isSend) +{ + (void)isSend; + + #ifdef WOLFSSL_DTLS + /* For DTLS, epoch 0 is always not encrypted. */ + if (ssl->options.dtls && !isSend && ssl->keys.dtls_state.curEpoch == 0) + return 0; + #endif /* WOLFSSL_DTLS */ + + return ssl->keys.encryptionOn; +} + + #ifdef HAVE_QSH /* free all structs that where used with QSH */ static int QSH_FreeAll(WOLFSSL* ssl) @@ -3412,9 +3426,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return UNKNOWN_RECORD_TYPE; } - /* haven't decrypted this record yet */ - ssl->keys.decryptedCur = 0; - return 0; } @@ -4546,7 +4557,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (fatal == 0 && ssl->secure_renegotiation && ssl->secure_renegotiation->enabled) { - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { /* compare against previous time */ if (XMEMCMP(dCert->subjectHash, ssl->secure_renegotiation->subject_hash, @@ -4895,7 +4906,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (ret == 0 && ssl->options.side == WOLFSSL_CLIENT_END) ssl->options.serverState = SERVER_CERT_COMPLETE; - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { *inOutIdx += ssl->keys.padSz; } @@ -5007,7 +5018,7 @@ static int DoHelloRequest(WOLFSSL* ssl, const byte* input, word32* inOutIdx, if (size) /* must be 0 */ return BUFFER_ERROR; - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { /* access beyond input + size should be checked against totalSz */ if (*inOutIdx + ssl->keys.padSz > totalSz) return BUFFER_E; @@ -5493,7 +5504,7 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx, AddLateName("ServerHelloDone", &ssl->timeoutInfo); #endif ssl->options.serverState = SERVER_HELLODONE_COMPLETE; - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { *inOutIdx += ssl->keys.padSz; } if (ssl->options.resuming) { @@ -6854,7 +6865,7 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type, ssl->options.closeNotify = 1; } WOLFSSL_ERROR(*type); - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { if (*inOutIdx + ssl->keys.padSz > totalSz) return BUFFER_E; *inOutIdx += ssl->keys.padSz; @@ -7162,13 +7173,7 @@ int ProcessReply(WOLFSSL* ssl) /* the record layer is here */ case runProcessingOneMessage: - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls && - ssl->keys.dtls_state.curEpoch < ssl->keys.dtls_state.nextEpoch) - ssl->keys.decryptedCur = 1; - #endif - - if (ssl->keys.encryptionOn && ssl->keys.decryptedCur == 0) + if (IsEncryptionOn(ssl, 0)) { ret = SanityCheckCipherText(ssl, ssl->curSize); if (ret < 0) @@ -7220,7 +7225,6 @@ int ProcessReply(WOLFSSL* ssl) return DECRYPT_ERROR; } ssl->keys.encryptSz = ssl->curSize; - ssl->keys.decryptedCur = 1; } if (ssl->options.dtls) { @@ -7295,7 +7299,7 @@ int ProcessReply(WOLFSSL* ssl) } #endif - if (ssl->keys.encryptionOn && ssl->options.handShakeDone) { + if (IsEncryptionOn(ssl, 0) && ssl->options.handShakeDone) { ssl->buffers.inputBuffer.idx += ssl->keys.padSz; ssl->curSize -= (word16) ssl->buffers.inputBuffer.idx; } @@ -7394,7 +7398,7 @@ int ProcessReply(WOLFSSL* ssl) #endif ssl->options.processReply = runProcessingOneMessage; - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { WOLFSSL_MSG("Bundled encrypted messages, remove middle pad"); ssl->buffers.inputBuffer.idx -= ssl->keys.padSz; } @@ -7431,7 +7435,7 @@ int SendChangeCipher(WOLFSSL* ssl) #endif /* are we in scr */ - if (ssl->keys.encryptionOn && ssl->options.handShakeDone) { + if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { sendSz += MAX_MSG_EXTRA; } @@ -7447,7 +7451,7 @@ int SendChangeCipher(WOLFSSL* ssl) output[idx] = 1; /* turn it on */ - if (ssl->keys.encryptionOn && ssl->options.handShakeDone) { + if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) { byte input[ENUM_LEN]; int inputSz = ENUM_LEN; @@ -8018,7 +8022,7 @@ int SendCertificate(WOLFSSL* ssl) sendSz += fragSz; } - if (ssl->keys.encryptionOn) + if (IsEncryptionOn(ssl, 1)) sendSz += MAX_MSG_EXTRA; } else { @@ -8042,14 +8046,14 @@ int SendCertificate(WOLFSSL* ssl) if (ssl->fragOffset == 0) { if (!ssl->options.dtls) { AddFragHeaders(output, fragSz, 0, payloadSz, certificate, ssl); - if (!ssl->keys.encryptionOn) + if (!IsEncryptionOn(ssl, 1)) HashOutputRaw(ssl, output + RECORD_HEADER_SZ, HANDSHAKE_HEADER_SZ); } else { #ifdef WOLFSSL_DTLS AddHeaders(output, payloadSz, certificate, ssl); - if (!ssl->keys.encryptionOn) + if (!IsEncryptionOn(ssl, 1)) HashOutputRaw(ssl, output + RECORD_HEADER_SZ + DTLS_RECORD_EXTRA, HANDSHAKE_HEADER_SZ + DTLS_HANDSHAKE_EXTRA); @@ -8064,20 +8068,20 @@ int SendCertificate(WOLFSSL* ssl) /* list total */ c32to24(listSz, output + i); - if (!ssl->keys.encryptionOn) + if (!IsEncryptionOn(ssl, 1)) HashOutputRaw(ssl, output + i, CERT_HEADER_SZ); i += CERT_HEADER_SZ; length -= CERT_HEADER_SZ; fragSz -= CERT_HEADER_SZ; if (certSz) { c32to24(certSz, output + i); - if (!ssl->keys.encryptionOn) + if (!IsEncryptionOn(ssl, 1)) HashOutputRaw(ssl, output + i, CERT_HEADER_SZ); i += CERT_HEADER_SZ; length -= CERT_HEADER_SZ; fragSz -= CERT_HEADER_SZ; - if (!ssl->keys.encryptionOn) { + if (!IsEncryptionOn(ssl, 1)) { HashOutputRaw(ssl, ssl->buffers.certificate.buffer, certSz); if (certChainSz) HashOutputRaw(ssl, ssl->buffers.certChain.buffer, @@ -8118,7 +8122,7 @@ int SendCertificate(WOLFSSL* ssl) length -= copySz; } - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 1)) { byte* input; int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */ @@ -8492,7 +8496,7 @@ int SendAlert(WOLFSSL* ssl, int severity, int type) /* only send encrypted alert if handshake actually complete, otherwise other side may not be able to handle it */ - if (ssl->keys.encryptionOn && ssl->options.handShakeDone) + if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert); else { @@ -10015,7 +10019,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, } #endif - if (ssl->keys.encryptionOn) + if (IsEncryptionOn(ssl, 1)) sendSz += MAX_MSG_EXTRA; /* check for available size */ @@ -10113,7 +10117,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, } #endif - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 1)) { byte* input; int inputSz = idx - RECORD_HEADER_SZ; /* build msg adds rec hdr */ @@ -10376,7 +10380,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ssl->options.serverState = SERVER_HELLO_COMPLETE; - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { *inOutIdx += ssl->keys.padSz; } @@ -10530,7 +10534,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, else if (IsTLS(ssl)) ssl->options.sendVerify = SEND_BLANK_CERT; - if (ssl->keys.encryptionOn) + if (IsEncryptionOn(ssl, 0)) *inOutIdx += ssl->keys.padSz; return 0; @@ -11319,7 +11323,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, return ret; } - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 0)) { *inOutIdx += ssl->keys.padSz; } @@ -12137,7 +12141,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) } #endif - if (ssl->keys.encryptionOn) + if (IsEncryptionOn(ssl, 1)) sendSz += MAX_MSG_EXTRA; #ifdef HAVE_QSH @@ -12193,7 +12197,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) XMEMCPY(output + idx, encSecret, encSz); idx += encSz; - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 1)) { byte* input; int inputSz = idx-RECORD_HEADER_SZ; /* buildmsg adds rechdr */ @@ -12293,7 +12297,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) if (ssl->options.sendVerify == SEND_BLANK_CERT) return 0; /* sent blank cert, can't verify */ - if (ssl->keys.encryptionOn) + if (IsEncryptionOn(ssl, 1)) sendSz += MAX_MSG_EXTRA; /* check for available size */ @@ -12569,7 +12573,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) } #endif - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 1)) { byte* input; int inputSz = sendSz - RECORD_HEADER_SZ; /* build msg adds rec hdr */ @@ -12683,7 +12687,7 @@ int DoSessionTicket(WOLFSSL* ssl, ssl->session.ticketLen = 0; } - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl)) { *inOutIdx += ssl->keys.padSz; } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7acd2a064..de8ef669f 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1453,7 +1453,6 @@ typedef struct Keys { word32 encryptSz; /* last size of encrypted data */ word32 padSz; /* how much to advance after decrypt part */ byte encryptionOn; /* true after change cipher spec */ - byte decryptedCur; /* only decrypt current record once */ } Keys; From 346dcb0fd9af585bb055e9b8a315b0beb838269a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 30 Nov 2015 21:26:00 -0300 Subject: [PATCH 099/177] adds WOLFSSL_CSR2_OCSP_MULTI support; --- src/internal.c | 268 +++++++++++++++++++++++++++++++++++++++------ src/tls.c | 59 ++++++---- wolfssl/internal.h | 7 +- 3 files changed, 274 insertions(+), 60 deletions(-) diff --git a/src/internal.c b/src/internal.c index b7fc15bdc..6b2d44459 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4393,7 +4393,13 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (ret == 0) { int doCrlLookup = 1; + #ifdef HAVE_OCSP + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) + ret = TLSX_CSR2_InitRequests(ssl->extensions, dCert); + else /* skips OCSP and force CRL check */ + #endif if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL); @@ -4406,7 +4412,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* HAVE_OCSP */ #ifdef HAVE_CRL - if (doCrlLookup && ssl->ctx->cm->crlEnabled + if (ret == 0 && doCrlLookup && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) { WOLFSSL_MSG("Doing Non Leaf CRL check"); ret = CheckCertCRL(ssl->ctx->cm->crl, dCert); @@ -4858,13 +4864,13 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, case WOLFSSL_CSR2_OCSP: { OcspRequest* request; - #ifdef WOLFSSL_SMALL_STACK - CertStatus* status; - OcspResponse* response; - #else - CertStatus status[1]; - OcspResponse response[1]; - #endif + #ifdef WOLFSSL_SMALL_STACK + CertStatus* status; + OcspResponse* response; + #else + CertStatus status[1]; + OcspResponse response[1]; + #endif do { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST @@ -4878,7 +4884,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (ssl->status_request_v2) { request = TLSX_CSR2_GetRequest(ssl->extensions, - WOLFSSL_CSR2_OCSP); + status_type, 0); ssl->status_request_v2 = 0; break; } @@ -4890,19 +4896,21 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (request == NULL) return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */ - #ifdef WOLFSSL_SMALL_STACK - status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + #ifdef WOLFSSL_SMALL_STACK + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_TMP_BUFFER); - response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (status == NULL || response == NULL) { - if (status) XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (response) XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (status == NULL || response == NULL) { + if (status) + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response) + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return MEMORY_ERROR; - } - #endif + return MEMORY_ERROR; + } + #endif InitOcspResponse(response, status, input +*inOutIdx, status_length); @@ -4914,13 +4922,109 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, *inOutIdx += status_length; - #ifdef WOLFSSL_SMALL_STACK - XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif + #ifdef WOLFSSL_SMALL_STACK + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif } break; + + #endif + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + + case WOLFSSL_CSR2_OCSP_MULTI: { + OcspRequest* request; + word32 list_length = status_length; + byte index = 0; + + #ifdef WOLFSSL_SMALL_STACK + CertStatus* status; + OcspResponse* response; + #else + CertStatus status[1]; + OcspResponse response[1]; + #endif + + do { + if (ssl->status_request_v2) { + ssl->status_request_v2 = 0; + break; + } + + return BUFFER_ERROR; + } while(0); + + #ifdef WOLFSSL_SMALL_STACK + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (status == NULL || response == NULL) { + if (status) + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response) + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return MEMORY_ERROR; + } + #endif + + while (list_length && ret == 0) { + if (OPAQUE24_LEN > list_length) { + ret = BUFFER_ERROR; + break; + } + + c24to32(input + *inOutIdx, &status_length); + *inOutIdx += OPAQUE24_LEN; + list_length -= OPAQUE24_LEN; + + if (status_length > list_length) { + ret = BUFFER_ERROR; + break; + } + + if (status_length) { + InitOcspResponse(response, status, input +*inOutIdx, + status_length); + + if ((OcspResponseDecode(response, ssl->ctx->cm) != 0) + || (response->responseStatus != OCSP_SUCCESSFUL) + || (response->status->status != CERT_GOOD)) + ret = BAD_CERTIFICATE_STATUS_ERROR; + + while (ret == 0) { + request = TLSX_CSR2_GetRequest(ssl->extensions, + status_type, index++); + + if (request == NULL) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (CompareOcspReqResp(request, response) == 0) + break; + else if (index == 1) + ret = BAD_CERTIFICATE_STATUS_ERROR; + } + + *inOutIdx += status_length; + list_length -= status_length; + } + } + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ssl->status_request_v2 = 0; + #endif + + #ifdef WOLFSSL_SMALL_STACK + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + } + break; + #endif default: @@ -8417,7 +8521,10 @@ int SendCertificateStatus(WOLFSSL* ssl) #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 case WOLFSSL_CSR2_OCSP_MULTI: { OcspRequest* request = ssl->ctx->certOcspRequest; - buffer response = {NULL, 0}; + buffer responses[1 + MAX_CHAIN_DEPTH]; + int i = 0; + + ForceZero(responses, sizeof(responses)); /* unable to fetch status. skip. */ if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) @@ -8483,26 +8590,121 @@ int SendCertificateStatus(WOLFSSL* ssl) if (ret == 0) { ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, - &response); + &responses[0]); /* Suppressing, not critical */ if (ret == OCSP_CERT_REVOKED || ret == OCSP_CERT_UNKNOWN || ret == OCSP_LOOKUP_FAIL) ret = 0; - - if (response.buffer) { - if (ret == 0) - ret = BuildCertificateStatus(ssl, status_type, - &response, 1); - - XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); - } - } if (request != ssl->ctx->certOcspRequest) XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + + if (ret == 0 && (!ssl->ctx->chainOcspRequest[0] + || ssl->buffers.weOwnCertChain)) { + buffer der = {NULL, 0}; + word32 idx = 0; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; + #endif + + while (idx + OPAQUE24_LEN < ssl->buffers.certChain.length) { + c24to32(ssl->buffers.certChain.buffer + idx, &der.length); + idx += OPAQUE24_LEN; + + der.buffer = ssl->buffers.certChain.buffer + idx; + idx += der.length; + + if (idx > ssl->buffers.certChain.length) + break; + + InitDecodedCert(cert, der.buffer, der.length, NULL); + + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, + ssl->ctx->cm)) != 0) { + WOLFSSL_MSG("ParseCert failed"); + break; + } + else { + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), + NULL, DYNAMIC_TYPE_OCSP_REQUEST); + if (request == NULL) { + ret = MEMORY_E; + break; + } + + ret = InitOcspRequest(request, cert, 0); + if (ret != 0) { + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + break; + } + else if (!ssl->buffers.weOwnCertChain && 0 == + LockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock)) { + if (!ssl->ctx->chainOcspRequest[i]) + ssl->ctx->chainOcspRequest[i] = request; + + UnLockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock); + } + + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, + request, &responses[i + 1]); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + + if (request != ssl->ctx->chainOcspRequest[i]) + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + + i++; + } + + FreeDecodedCert(cert); + } + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + } + else { + while (ret == 0 && + NULL != (request = ssl->ctx->chainOcspRequest[i])) { + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, + request, &responses[++i]); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + } + } + + if (responses[0].buffer) { + if (ret == 0) + ret = BuildCertificateStatus(ssl, status_type, + responses, i + 1); + + for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) + if (responses[i].buffer) + XFREE(responses[i].buffer, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + } } break; diff --git a/src/tls.c b/src/tls.c index 177cb73f5..49bb8c4f9 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2211,7 +2211,8 @@ static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2) switch (csr2->status_type) { case WOLFSSL_CSR2_OCSP: case WOLFSSL_CSR2_OCSP_MULTI: - FreeOcspRequest(&csr2->request.ocsp); + while(csr2->requests--) + FreeOcspRequest(&csr2->request.ocsp[csr2->requests]); break; } @@ -2239,7 +2240,7 @@ static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2, case WOLFSSL_CSR2_OCSP_MULTI: size += ENUM_LEN + 3 * OPAQUE16_LEN; - if (csr2->request.ocsp.nonceSz) + if (csr2->request.ocsp[0].nonceSz) size += OCSP_NONCE_EXT_SZ; break; } @@ -2272,7 +2273,7 @@ static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, /* request_length */ length = 2 * OPAQUE16_LEN; - if (csr2->request.ocsp.nonceSz) + if (csr2->request.ocsp[0].nonceSz) length += OCSP_NONCE_EXT_SZ; c16toa(length, output + offset); @@ -2285,9 +2286,9 @@ static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, /* request extensions */ length = 0; - if (csr2->request.ocsp.nonceSz) + if (csr2->request.ocsp[0].nonceSz) length = EncodeOcspRequestExtensions( - &csr2->request.ocsp, + &csr2->request.ocsp[0], output + offset + OPAQUE16_LEN, OCSP_NONCE_EXT_SZ); @@ -2342,17 +2343,18 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, /* followed by */ case WOLFSSL_CSR2_OCSP_MULTI: /* propagate nonce */ - if (csr2->request.ocsp.nonceSz) { + if (csr2->request.ocsp[0].nonceSz) { OcspRequest* request = TLSX_CSR2_GetRequest(ssl->extensions, - csr2->status_type); + csr2->status_type, 0); if (request) { XMEMCPY(request->nonce, - csr2->request.ocsp.nonce, - csr2->request.ocsp.nonceSz); + csr2->request.ocsp[0].nonce, + csr2->request.ocsp[0].nonceSz); - request->nonceSz = csr2->request.ocsp.nonceSz; + request->nonceSz = + csr2->request.ocsp[0].nonceSz; } } break; @@ -2456,21 +2458,29 @@ int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert) for (; csr2; csr2 = csr2->next) { switch (csr2->status_type) { case WOLFSSL_CSR2_OCSP: + if (csr2->requests != 0) + break; + /* followed by */ case WOLFSSL_CSR2_OCSP_MULTI: { - byte nonce[MAX_OCSP_NONCE_SZ]; - int nonceSz = csr2->request.ocsp.nonceSz; + if (csr2->requests < 1 + MAX_CHAIN_DEPTH) { + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz = csr2->request.ocsp[0].nonceSz; - /* preserve nonce */ - XMEMCPY(nonce, csr2->request.ocsp.nonce, nonceSz); + /* preserve nonce, replicating nonce of ocsp[0] */ + XMEMCPY(nonce, csr2->request.ocsp[0].nonce, nonceSz); - if ((ret = InitOcspRequest(&csr2->request.ocsp, cert, 0)) != 0) - return ret; + if ((ret = InitOcspRequest( + &csr2->request.ocsp[csr2->requests], cert, 0)) != 0) + return ret; - /* restore nonce */ - XMEMCPY(csr2->request.ocsp.nonce, nonce, nonceSz); - csr2->request.ocsp.nonceSz = nonceSz; + /* restore nonce */ + XMEMCPY(csr2->request.ocsp[csr2->requests].nonce, + nonce, nonceSz); + csr2->request.ocsp[csr2->requests].nonceSz = nonceSz; + csr2->requests++; + } } break; } @@ -2479,7 +2489,7 @@ int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert) return ret; } -void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type) +void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; @@ -2491,7 +2501,8 @@ void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type) /* followed by */ case WOLFSSL_CSR2_OCSP_MULTI: - return &csr2->request.ocsp; + return index < csr2->requests ? &csr2->request.ocsp[index] + : NULL; break; } } @@ -2514,7 +2525,7 @@ int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) case WOLFSSL_CSR2_OCSP_MULTI: if (ssl->ctx->cm->ocspEnabled) return CheckOcspRequest(ssl->ctx->cm->ocsp, - &csr2->request.ocsp, NULL); + &csr2->request.ocsp[0], NULL); else return OCSP_LOOKUP_FAIL; } @@ -2555,9 +2566,9 @@ int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, WC_RNG rng; if (wc_InitRng(&rng) == 0) { - if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp.nonce, + if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce, MAX_OCSP_NONCE_SZ) == 0) - csr2->request.ocsp.nonceSz = MAX_OCSP_NONCE_SZ; + csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ; wc_FreeRng(&rng); } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 9e592fb26..87d5247bc 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1603,9 +1603,9 @@ WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); typedef struct CSRIv2 { byte status_type; byte options; - word16 request_length; + word16 requests; union { - OcspRequest ocsp; + OcspRequest ocsp[1 + MAX_CHAIN_DEPTH]; } request; struct CSRIv2* next; } CertificateStatusRequestItemV2; @@ -1613,7 +1613,8 @@ typedef struct CSRIv2 { WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, byte options); WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert); -WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type); +WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, + byte index); WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl); #endif From 251d0364f8154ef8e5e5cd3c14a22be96fa24261 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 30 Nov 2015 17:16:47 -0800 Subject: [PATCH 100/177] check DTLS sequence number against window a little earlier --- src/internal.c | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/src/internal.c b/src/internal.c index a51ba9528..a9b98507c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3374,6 +3374,11 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, #endif } +#ifdef WOLFSSL_DTLS + if (ssl->options.dtls && !DtlsCheckWindow(&ssl->keys.dtls_state)) + return SEQUENCE_ERROR; +#endif + /* catch version mismatch */ if (rh->pvMajor != ssl->version.major || rh->pvMinor != ssl->version.minor){ if (ssl->options.side == WOLFSSL_SERVER_END && @@ -3395,13 +3400,6 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } } -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - if (DtlsCheckWindow(&ssl->keys.dtls_state) != 1) - return SEQUENCE_ERROR; - } -#endif - /* record layer length check */ #ifdef HAVE_MAX_FRAGMENT if (*size > (ssl->max_fragment + MAX_COMP_EXTRA + MAX_MSG_EXTRA)) { From 654e17379e3928d8e88a8940e105813097e7b52b Mon Sep 17 00:00:00 2001 From: David Garske Date: Mon, 30 Nov 2015 19:29:20 -0800 Subject: [PATCH 101/177] Combined "wc_RNG_GenerateBlock" calls in "SendServerHello". --- src/internal.c | 59 +++++++++++++++++++++++++------------------------- 1 file changed, 29 insertions(+), 30 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1d19e9b36..e997f7ce0 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12740,20 +12740,32 @@ int DoSessionTicket(WOLFSSL* ssl, } #endif /* now write to output */ - /* first version */ + /* first version */ output[idx++] = ssl->version.major; output[idx++] = ssl->version.minor; - /* then random */ + /* then random and session id */ if (!ssl->options.resuming) { - ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->serverRandom, - RAN_LEN); + /* generate random part and session id */ + ret = wc_RNG_GenerateBlock(ssl->rng, output + idx, + RAN_LEN + sizeof(sessIdSz) + sessIdSz); if (ret != 0) return ret; - } - XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN); - idx += RAN_LEN; + /* store info in SSL context for later */ + XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); + idx += RAN_LEN; + output[idx++] = sessIdSz; + XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz); + } + else { + /* If resuming, use info from SSL context */ + XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN); + idx += RAN_LEN; + output[idx++] = sessIdSz; + XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz); + } + idx += sessIdSz; #ifdef SHOW_SECRETS { @@ -12764,31 +12776,18 @@ int DoSessionTicket(WOLFSSL* ssl, printf("\n"); } #endif - /* then session id */ - output[idx++] = sessIdSz; - if (sessIdSz) { - if (!ssl->options.resuming) { - ret = wc_RNG_GenerateBlock(ssl->rng, ssl->arrays->sessionID, - sessIdSz); - if (ret != 0) return ret; - } - - XMEMCPY(output + idx, ssl->arrays->sessionID, sessIdSz); - idx += sessIdSz; - } - - /* then cipher suite */ + /* then cipher suite */ output[idx++] = ssl->options.cipherSuite0; output[idx++] = ssl->options.cipherSuite; - /* then compression */ + /* then compression */ if (ssl->options.usingCompression) output[idx++] = ZLIB_COMPRESSION; else output[idx++] = NO_COMPRESSION; - /* last, extensions */ + /* last, extensions */ #ifdef HAVE_TLS_EXTENSIONS TLSX_WriteResponse(ssl, output + idx); #endif @@ -12805,13 +12804,13 @@ int DoSessionTicket(WOLFSSL* ssl, if (ret != 0) return ret; - #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) - AddPacketName("ServerHello", &ssl->handShakeInfo); - if (ssl->toInfoOn) - AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz, - ssl->heap); - #endif + #ifdef WOLFSSL_CALLBACKS + if (ssl->hsInfoOn) + AddPacketName("ServerHello", &ssl->handShakeInfo); + if (ssl->toInfoOn) + AddPacketInfo("ServerHello", &ssl->timeoutInfo, output, sendSz, + ssl->heap); + #endif ssl->options.serverState = SERVER_HELLO_COMPLETE; From bb5de34e5c087807ceba3c6610493b80d2947e2e Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 1 Dec 2015 09:24:44 -0700 Subject: [PATCH 102/177] cast type on XMALLOC with ntru --- src/internal.c | 17 ++++++++++------- src/tls.c | 18 +++++++++++------- 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/src/internal.c b/src/internal.c index a9b98507c..1e3cd3aba 100644 --- a/src/internal.c +++ b/src/internal.c @@ -278,13 +278,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes) int ret = 0; if (rng == NULL) { - if ((rng = XMALLOC(sizeof(WC_RNG), 0, DYNAMIC_TYPE_TLSX)) == NULL) + if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), 0, + DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; wc_InitRng(rng); } if (rngMutex == NULL) { - if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), 0, + if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), 0, DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; InitMutex(rngMutex); @@ -11460,8 +11461,8 @@ int QSH_Init(WOLFSSL* ssl) return 0; /* malloc memory for holding generated secret information */ - if ((ssl->QSH_secret = - XMALLOC(sizeof(QSHSecret), NULL, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) + if ((ssl->QSH_secret = (QSHSecret*)XMALLOC(sizeof(QSHSecret), NULL, + DYNAMIC_TYPE_TMP_BUFFER)) == NULL) return MEMORY_E; ssl->QSH_secret->CliSi = (buffer*)XMALLOC(sizeof(buffer), NULL, @@ -11623,7 +11624,7 @@ static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer) buf = ssl->QSH_secret->CliSi; } buf->length = sz; - buf->buffer = XMALLOC(sz, buf->buffer, DYNAMIC_TYPE_TMP_BUFFER); + buf->buffer = (byte*)XMALLOC(sz, buf->buffer, DYNAMIC_TYPE_TMP_BUFFER); if (buf->buffer == NULL) { WOLFSSL_ERROR(MEMORY_E); } @@ -11632,7 +11633,8 @@ static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer) sz = 0; current = ssl->peerQSHKey; while (current) { - schm = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TMP_BUFFER); + schm = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL, + DYNAMIC_TYPE_TMP_BUFFER); if (schm == NULL) return MEMORY_E; @@ -11651,7 +11653,8 @@ static int QSH_GenerateSerCliSecret(WOLFSSL* ssl, byte isServer) tmpSz = QSH_MaxSecret(current); - if ((schm->PK = XMALLOC(tmpSz, 0, DYNAMIC_TYPE_TMP_BUFFER)) == NULL) + if ((schm->PK = (byte*)XMALLOC(tmpSz, 0, + DYNAMIC_TYPE_TMP_BUFFER)) == NULL) return -1; /* store info for writing extension */ diff --git a/src/tls.c b/src/tls.c index 619f96856..8cef8597b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2752,7 +2752,8 @@ static int TLSX_QSH_Append(QSHScheme** list, word16 name, byte* pub, if (list == NULL) return BAD_FUNC_ARG; - if ((temp = XMALLOC(sizeof(QSHScheme), NULL, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = (QSHScheme*)XMALLOC(sizeof(QSHScheme), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = name; @@ -3028,7 +3029,8 @@ static int TLSX_QSH_Parse(WOLFSSL* ssl, byte* input, word16 length, while ((offset_len < offset_pk) && numKeys) { QSHKey * temp; - if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; /* initialize */ @@ -3544,13 +3546,14 @@ static word32 GetEntropy(unsigned char* out, word32 num_bytes) int ret = 0; if (rng == NULL) { - if ((rng = XMALLOC(sizeof(WC_RNG), NULL, DYNAMIC_TYPE_TLSX)) == NULL) + if ((rng = (WC_RNG*)XMALLOC(sizeof(WC_RNG), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; wc_InitRng(rng); } if (rngMutex == NULL) { - if ((rngMutex = XMALLOC(sizeof(wolfSSL_Mutex), NULL, + if ((rngMutex = (wolfSSL_Mutex*)XMALLOC(sizeof(wolfSSL_Mutex), NULL, DYNAMIC_TYPE_TLSX)) == NULL) return DRBG_OUT_OF_MEMORY; InitMutex(rngMutex); @@ -3670,15 +3673,16 @@ int TLSX_CreateNtruKey(WOLFSSL* ssl, int type) return ret; } - if ((temp = XMALLOC(sizeof(QSHKey), NULL, DYNAMIC_TYPE_TLSX)) == NULL) + if ((temp = (QSHKey*)XMALLOC(sizeof(QSHKey), NULL, + DYNAMIC_TYPE_TLSX)) == NULL) return MEMORY_E; temp->name = type; temp->pub.length = public_key_len; - temp->pub.buffer = XMALLOC(public_key_len, public_key, + temp->pub.buffer = (byte*)XMALLOC(public_key_len, public_key, DYNAMIC_TYPE_PUBLIC_KEY); XMEMCPY(temp->pub.buffer, public_key, public_key_len); temp->pri.length = private_key_len; - temp->pri.buffer = XMALLOC(private_key_len, private_key, + temp->pri.buffer = (byte*)XMALLOC(private_key_len, private_key, DYNAMIC_TYPE_ARRAYS); XMEMCPY(temp->pri.buffer, private_key, private_key_len); temp->next = NULL; From a5f689168ecba027bfa3ec954eb6f0db004f80d5 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 1 Dec 2015 09:18:21 -0800 Subject: [PATCH 103/177] fix call to IsEncryptionOn for session tickets --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 1e3cd3aba..1d076cd49 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12688,7 +12688,7 @@ int DoSessionTicket(WOLFSSL* ssl, ssl->session.ticketLen = 0; } - if (IsEncryptionOn(ssl)) { + if (IsEncryptionOn(ssl, 0)) { *inOutIdx += ssl->keys.padSz; } From 5687562e7b213e20aadd0fbe7154c5432b916666 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 1 Dec 2015 13:32:00 -0800 Subject: [PATCH 104/177] back out change to decryptedCur flag --- src/internal.c | 6 +++++- wolfssl/internal.h | 1 + 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 1d076cd49..c6d13d8b8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3425,6 +3425,9 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, return UNKNOWN_RECORD_TYPE; } + /* haven't decrypted this record yet */ + ssl->keys.decryptedCur = 0; + return 0; } @@ -7172,7 +7175,7 @@ int ProcessReply(WOLFSSL* ssl) /* the record layer is here */ case runProcessingOneMessage: - if (IsEncryptionOn(ssl, 0)) + if (IsEncryptionOn(ssl, 0) && ssl->keys.decryptedCur == 0) { ret = SanityCheckCipherText(ssl, ssl->curSize); if (ret < 0) @@ -7224,6 +7227,7 @@ int ProcessReply(WOLFSSL* ssl) return DECRYPT_ERROR; } ssl->keys.encryptSz = ssl->curSize; + ssl->keys.decryptedCur = 1; } if (ssl->options.dtls) { diff --git a/wolfssl/internal.h b/wolfssl/internal.h index de8ef669f..7acd2a064 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1453,6 +1453,7 @@ typedef struct Keys { word32 encryptSz; /* last size of encrypted data */ word32 padSz; /* how much to advance after decrypt part */ byte encryptionOn; /* true after change cipher spec */ + byte decryptedCur; /* only decrypt current record once */ } Keys; From d673a56c8310f37af44d24d91ce43de14f61d0be Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 1 Dec 2015 14:49:16 -0700 Subject: [PATCH 105/177] change line ending of license to match Windows CR LF --- .../wolfSSL-DTLS-PSK-Server.cs | 42 +++++++++---------- .../wolfSSL-DTLS-Server.cs | 42 +++++++++---------- .../wolfSSL-TLS-PSK-Server.cs | 40 +++++++++--------- .../wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs | 42 +++++++++---------- 4 files changed, 83 insertions(+), 83 deletions(-) diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs index a55435d1a..9240ae849 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs @@ -1,24 +1,24 @@ -/* wolfSSL-DTLS-PSK-Server.cs - * - * Copyright (C) 2006-2015 wolfSSL Inc. - * - * This file is part of wolfSSL. (formerly known as CyaSSL) - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - +/* wolfSSL-DTLS-PSK-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs index c8de0acc9..916b951fe 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs @@ -1,24 +1,24 @@ -/* wolfSSL-DTLS-Server.cs - * - * Copyright (C) 2006-2015 wolfSSL Inc. - * - * This file is part of wolfSSL. (formerly known as CyaSSL) - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - +/* wolfSSL-DTLS-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; using System.Text; diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs index cedf0d457..7c157b3d8 100755 --- a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs @@ -1,23 +1,23 @@ -/* wolfSSL-TLS-PSK-Server.cs - * - * Copyright (C) 2006-2015 wolfSSL Inc. - * - * This file is part of wolfSSL. (formerly known as CyaSSL) - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ +/* wolfSSL-TLS-PSK-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ using System; using System.Runtime.InteropServices; diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs index ba0ec939f..08b9105b8 100755 --- a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs +++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs @@ -1,24 +1,24 @@ -/* wolfSSL-TLS-Server.cs - * - * Copyright (C) 2006-2015 wolfSSL Inc. - * - * This file is part of wolfSSL. (formerly known as CyaSSL) - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA - */ - +/* wolfSSL-TLS-Server.cs + * + * Copyright (C) 2006-2015 wolfSSL Inc. + * + * This file is part of wolfSSL. (formerly known as CyaSSL) + * + * wolfSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * wolfSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA + */ + using System; using System.Runtime.InteropServices; using System.Text; From 5cf94166b28b9259e93e9e235050477a075afdc0 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 1 Dec 2015 14:59:32 -0800 Subject: [PATCH 106/177] silently drop epoch 0 messages when handshake completed --- src/internal.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index c6d13d8b8..b56f20299 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3376,8 +3376,11 @@ static int GetRecordHeader(WOLFSSL* ssl, const byte* input, word32* inOutIdx, } #ifdef WOLFSSL_DTLS - if (ssl->options.dtls && !DtlsCheckWindow(&ssl->keys.dtls_state)) - return SEQUENCE_ERROR; + if (ssl->options.dtls && + (!DtlsCheckWindow(&ssl->keys.dtls_state) || + (ssl->options.handShakeDone && ssl->keys.dtls_state.curEpoch == 0))) { + return SEQUENCE_ERROR; + } #endif /* catch version mismatch */ @@ -7140,6 +7143,7 @@ int ProcessReply(WOLFSSL* ssl) &ssl->curRL, &ssl->curSize); #ifdef WOLFSSL_DTLS if (ssl->options.dtls && ret == SEQUENCE_ERROR) { + WOLFSSL_MSG("Silently dropping out of order DTLS message"); ssl->options.processReply = doProcessInit; ssl->buffers.inputBuffer.length = 0; ssl->buffers.inputBuffer.idx = 0; From e08fa67a3274604c35b2ea343069d6bf531162dd Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 2 Dec 2015 14:40:32 -0800 Subject: [PATCH 107/177] fix clang --disable-memory issues --- src/internal.c | 28 ++++++++++++++++++---------- src/ssl.c | 9 +++++++-- wolfcrypt/src/asn.c | 2 ++ 3 files changed, 27 insertions(+), 12 deletions(-) diff --git a/src/internal.c b/src/internal.c index b56f20299..caff84c25 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2040,13 +2040,10 @@ void SSL_ResourceFree(WOLFSSL* ssl) DYNAMIC_TYPE_COOKIE_PWD); #endif #endif /* WOLFSSL_DTLS */ -#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) - FreeX509(&ssl->peerCert); -#endif #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) - wolfSSL_BIO_free(ssl->biord); - if (ssl->biord != ssl->biowr) /* in case same as write */ + if (ssl->biord != ssl->biowr) /* only free write if different */ wolfSSL_BIO_free(ssl->biowr); + wolfSSL_BIO_free(ssl->biord); /* always free read bio */ #endif #ifdef HAVE_LIBZ FreeStreams(ssl); @@ -2090,6 +2087,9 @@ void SSL_ResourceFree(WOLFSSL* ssl) if (ssl->nxCtx.nxPacket) nx_packet_release(ssl->nxCtx.nxPacket); #endif +#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) + FreeX509(&(ssl->peerCert)); /* clang thinks this frees ssl itslef */ +#endif } #ifdef WOLFSSL_TI_HASH @@ -8130,14 +8130,22 @@ int SendCertificate(WOLFSSL* ssl) } if (IsEncryptionOn(ssl, 1)) { - byte* input; + byte* input = NULL; int inputSz = i - RECORD_HEADER_SZ; /* build msg adds rec hdr */ - input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); - if (input == NULL) - return MEMORY_E; + if (inputSz < 0) { + WOLFSSL_MSG("Send Cert bad inputSz"); + return BUFFER_E; + } + + if (inputSz > 0) { /* clang thinks could be zero, let's help */ + input = (byte*)XMALLOC(inputSz, ssl->heap, + DYNAMIC_TYPE_TMP_BUFFER); + if (input == NULL) + return MEMORY_E; + XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); + } - XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake); XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); diff --git a/src/ssl.c b/src/ssl.c index d748ff048..9dbd97fe7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2913,7 +2913,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, WOLFSSL_MSG("Finished Processing Cert Chain"); /* only retain actual size used */ - shrinked = (byte*)XMALLOC(idx, heap, dynamicType); + if (idx > 0) /* clang thinks it can be zero, let's help analysis */ + shrinked = (byte*)XMALLOC(idx, heap, dynamicType); if (shrinked) { if (ssl) { if (ssl->buffers.certChain.buffer && @@ -2936,7 +2937,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff, if (dynamicBuffer) XFREE(chainBuffer, heap, DYNAMIC_TYPE_FILE); - if (shrinked == NULL) { + if (idx > 0 && shrinked == NULL) { #ifdef WOLFSSL_SMALL_STACK XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif @@ -14843,6 +14844,7 @@ WOLFSSL_EC_POINT *wolfSSL_EC_POINT_new(const WOLFSSL_EC_GROUP *group) p->internal = wc_ecc_new_point(); if (p->internal == NULL) { WOLFSSL_MSG("ecc_new_point failure"); + XFREE(p, NULL, DYNAMIC_TYPE_ECC); return NULL; } @@ -15061,6 +15063,7 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_SIG_new(void) return NULL; } + sig->s = NULL; sig->r = wolfSSL_BN_new(); if (sig->r == NULL) { WOLFSSL_MSG("wolfSSL_ECDSA_SIG_new malloc ECDSA r failure"); @@ -15143,10 +15146,12 @@ WOLFSSL_ECDSA_SIG *wolfSSL_ECDSA_do_sign(const unsigned char *d, int dlen, else if (SetIndividualExternal(&(sig->r), &sig_r)!=SSL_SUCCESS){ WOLFSSL_MSG("ecdsa r key error"); wolfSSL_ECDSA_SIG_free(sig); + sig = NULL; } else if (SetIndividualExternal(&(sig->s), &sig_s)!=SSL_SUCCESS){ WOLFSSL_MSG("ecdsa s key error"); wolfSSL_ECDSA_SIG_free(sig); + sig = NULL; } mp_clear(&sig_r); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 5c9179283..ff73f69dd 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -2793,6 +2793,7 @@ static int GetName(DecodedCert* cert, int nameType) cert->heap, DYNAMIC_TYPE_ALTNAME); if (emailName->name == NULL) { WOLFSSL_MSG("\tOut of Memory"); + XFREE(emailName, cert->heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } XMEMCPY(emailName->name, @@ -4453,6 +4454,7 @@ static int DecodeSubtree(byte* input, int sz, Base_entry** head, void* heap) entry->name = (char*)XMALLOC(strLength, heap, DYNAMIC_TYPE_ALTNAME); if (entry->name == NULL) { WOLFSSL_MSG("allocate error"); + XFREE(entry, heap, DYNAMIC_TYPE_ALTNAME); return MEMORY_E; } From fea769816cc4b43c0d86fa6fb02cfda5093e0810 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 2 Dec 2015 15:55:40 -0700 Subject: [PATCH 108/177] ed25519 verify function return descriptive error value --- wolfcrypt/src/ed25519.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/ed25519.c b/wolfcrypt/src/ed25519.c index 2e5f6545e..ef4510f42 100644 --- a/wolfcrypt/src/ed25519.c +++ b/wolfcrypt/src/ed25519.c @@ -171,6 +171,7 @@ int wc_ed25519_sign_msg(const byte* in, word32 inlen, byte* out, msg the array of bytes containing the message msglen length of msg array stat will be 1 on successful verify and 0 on unsuccessful + return 0 and stat of 1 on success */ int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg, word32 msglen, int* stat, ed25519_key* key) @@ -229,7 +230,7 @@ int wc_ed25519_verify_msg(byte* sig, word32 siglen, const byte* msg, /* comparison of R created to R in sig */ ret = ConstantCompare(rcheck, sig, ED25519_SIG_SIZE/2); if (ret != 0) - return ret; + return SIG_VERIFY_E; /* set the verification status */ *stat = 1; From b1d18d8455204f6fc026bfe030a679f3574ae70d Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 2 Dec 2015 19:43:05 -0800 Subject: [PATCH 109/177] Fixed issue with "WOLFSSL_SMALL_STACK" and pre TLS 1.2 in "SendServerKeyExchange" where "encodedSig" is allocated and not used. --- src/internal.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1d19e9b36..14f5337a2 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14158,17 +14158,17 @@ int DoSessionTicket(WOLFSSL* ssl, doUserRsa = 1; #endif - #ifdef WOLFSSL_SMALL_STACK - encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) - ERROR_OUT(MEMORY_E, done_b); - #endif - if (IsAtLeastTLSv1_2(ssl)) { byte* digest = &hash[MD5_DIGEST_SIZE]; int typeH = SHAh; int digestSz = SHA_DIGEST_SIZE; + + #ifdef WOLFSSL_SMALL_STACK + encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (encodedSig == NULL) + ERROR_OUT(MEMORY_E, done_b); + #endif if (ssl->suites->hashAlgo == sha256_mac) { #ifndef NO_SHA256 From 37bc497f219d23763d09330fec2e4e9cb0b8ca1c Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 3 Dec 2015 12:37:49 -0800 Subject: [PATCH 110/177] fix merge conflict --- src/internal.c | 880 +++++++++++++++++++++++++++++++------------------ 1 file changed, 556 insertions(+), 324 deletions(-) diff --git a/src/internal.c b/src/internal.c index e7f52953f..5e0eae51e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10620,17 +10620,21 @@ static void PickHashSigAlgo(WOLFSSL* ssl, AddLateName("ServerKeyExchange", &ssl->timeoutInfo); #endif + switch (ssl->specs.kea) + { #ifndef NO_PSK - if (ssl->specs.kea == psk_kea) { - - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + case psk_kea: + { + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &length); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { return BUFFER_ERROR; + } XMEMCPY(ssl->arrays->server_hint, input + *inOutIdx, min(length, MAX_PSK_ID_LEN)); @@ -10649,8 +10653,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size, 0)) < 0) + size, 0)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -10665,155 +10670,182 @@ static void PickHashSigAlgo(WOLFSSL* ssl, } #endif #ifndef NO_DH - if (ssl->specs.kea == diffie_hellman_kea) + case diffie_hellman_kea: { - /* p */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; + /* p */ + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { + return BUFFER_ERROR; + } - ato16(input + *inOutIdx, &length); - *inOutIdx += OPAQUE16_LEN; + ato16(input + *inOutIdx, &length); + *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) - return BUFFER_ERROR; + if ((*inOutIdx - begin) + length > size) { + return BUFFER_ERROR; + } - if (length < ssl->options.minDhKeySz) { - WOLFSSL_MSG("Server using a DH key that is too small"); - SendAlert(ssl, alert_fatal, handshake_failure); - return DH_KEY_SIZE_E; - } + if (length < ssl->options.minDhKeySz) { + WOLFSSL_MSG("Server using a DH key that is too small"); + SendAlert(ssl, alert_fatal, handshake_failure); + return DH_KEY_SIZE_E; + } - ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap, - DYNAMIC_TYPE_DH); + ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap, + DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_P.buffer) - ssl->buffers.serverDH_P.length = length; - else - return MEMORY_ERROR; + if (ssl->buffers.serverDH_P.buffer) { + ssl->buffers.serverDH_P.length = length; + } + else { + return MEMORY_ERROR; + } - XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length); - *inOutIdx += length; + XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length); + *inOutIdx += length; - ssl->options.dhKeySz = length; + ssl->options.dhKeySz = length; - /* g */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; + /* g */ + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { + return BUFFER_ERROR; + } - ato16(input + *inOutIdx, &length); - *inOutIdx += OPAQUE16_LEN; + ato16(input + *inOutIdx, &length); + *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) - return BUFFER_ERROR; + if ((*inOutIdx - begin) + length > size) { + return BUFFER_ERROR; + } - ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap, - DYNAMIC_TYPE_DH); + ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap, + DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_G.buffer) - ssl->buffers.serverDH_G.length = length; - else - return MEMORY_ERROR; + if (ssl->buffers.serverDH_G.buffer) { + ssl->buffers.serverDH_G.length = length; + } + else { + return MEMORY_ERROR; + } - XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length); - *inOutIdx += length; + XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length); + *inOutIdx += length; - /* pub */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) - return BUFFER_ERROR; + /* pub */ + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { + return BUFFER_ERROR; + } - ato16(input + *inOutIdx, &length); - *inOutIdx += OPAQUE16_LEN; + ato16(input + *inOutIdx, &length); + *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) - return BUFFER_ERROR; + if ((*inOutIdx - begin) + length > size) { + return BUFFER_ERROR; + } - ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap, - DYNAMIC_TYPE_DH); + ssl->buffers.serverDH_Pub.buffer = + (byte*) XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_Pub.buffer) - ssl->buffers.serverDH_Pub.length = length; - else - return MEMORY_ERROR; + if (ssl->buffers.serverDH_Pub.buffer) { + ssl->buffers.serverDH_Pub.length = length; + } + else { + return MEMORY_ERROR; + } - XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length); - *inOutIdx += length; + XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, + length); + *inOutIdx += length; + break; } /* dh_kea */ #endif /* NO_DH */ #ifdef HAVE_ECC - if (ssl->specs.kea == ecc_diffie_hellman_kea) + case ecc_diffie_hellman_kea: { - byte b; + byte b; - if ((*inOutIdx - begin) + ENUM_LEN + OPAQUE16_LEN + OPAQUE8_LEN > size) - return BUFFER_ERROR; - - b = input[(*inOutIdx)++]; - - if (b != named_curve) - return ECC_CURVETYPE_ERROR; - - *inOutIdx += 1; /* curve type, eat leading 0 */ - b = input[(*inOutIdx)++]; - - if (CheckCurveId(b) != 0) { - return ECC_CURVE_ERROR; - } - - length = input[(*inOutIdx)++]; - - if ((*inOutIdx - begin) + length > size) - return BUFFER_ERROR; - - if (ssl->peerEccKey == NULL) { - /* alloc/init on demand */ - ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), - ssl->ctx->heap, DYNAMIC_TYPE_ECC); - if (ssl->peerEccKey == NULL) { - WOLFSSL_MSG("PeerEccKey Memory error"); - return MEMORY_E; + if ((*inOutIdx - begin) + ENUM_LEN + OPAQUE16_LEN + + OPAQUE8_LEN > size) { + return BUFFER_ERROR; } - wc_ecc_init(ssl->peerEccKey); - } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */ - wc_ecc_free(ssl->peerEccKey); - ssl->peerEccKeyPresent = 0; - wc_ecc_init(ssl->peerEccKey); - } - if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey) != 0) - return ECC_PEERKEY_ERROR; + b = input[(*inOutIdx)++]; - *inOutIdx += length; - ssl->peerEccKeyPresent = 1; + if (b != named_curve) { + return ECC_CURVETYPE_ERROR; + } + + *inOutIdx += 1; /* curve type, eat leading 0 */ + b = input[(*inOutIdx)++]; + + if (CheckCurveId(b) != 0) { + return ECC_CURVE_ERROR; + } + + length = input[(*inOutIdx)++]; + + if ((*inOutIdx - begin) + length > size) { + return BUFFER_ERROR; + } + + if (ssl->peerEccKey == NULL) { + /* alloc/init on demand */ + ssl->peerEccKey = (ecc_key*)XMALLOC(sizeof(ecc_key), + ssl->ctx->heap, DYNAMIC_TYPE_ECC); + if (ssl->peerEccKey == NULL) { + WOLFSSL_MSG("PeerEccKey Memory error"); + return MEMORY_E; + } + wc_ecc_init(ssl->peerEccKey); + } else if (ssl->peerEccKeyPresent) { /* don't leak on reuse */ + wc_ecc_free(ssl->peerEccKey); + ssl->peerEccKeyPresent = 0; + wc_ecc_init(ssl->peerEccKey); + } + + if (wc_ecc_import_x963(input + *inOutIdx, length, + ssl->peerEccKey) != 0) { + return ECC_PEERKEY_ERROR; + } + + *inOutIdx += length; + ssl->peerEccKeyPresent = 1; + + break; } #endif /* HAVE_ECC */ #if !defined(NO_DH) && !defined(NO_PSK) - if (ssl->specs.kea == dhe_psk_kea) { - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + case dhe_psk_kea: + { + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &length); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { return BUFFER_ERROR; + } XMEMCPY(ssl->arrays->server_hint, input + *inOutIdx, - min(length, MAX_PSK_ID_LEN)); + min(length, MAX_PSK_ID_LEN)); ssl->arrays->server_hint[min(length, MAX_PSK_ID_LEN - 1)] = 0; *inOutIdx += length; /* p */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &length); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { return BUFFER_ERROR; + } if (length < ssl->options.minDhKeySz) { WOLFSSL_MSG("Server using a DH key that is too small"); @@ -10821,13 +10853,15 @@ static void PickHashSigAlgo(WOLFSSL* ssl, return DH_KEY_SIZE_E; } - ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap, + ssl->buffers.serverDH_P.buffer = (byte*) XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_P.buffer) + if (ssl->buffers.serverDH_P.buffer) { ssl->buffers.serverDH_P.length = length; - else + } + else { return MEMORY_ERROR; + } XMEMCPY(ssl->buffers.serverDH_P.buffer, input + *inOutIdx, length); *inOutIdx += length; @@ -10835,48 +10869,59 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ssl->options.dhKeySz = length; /* g */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &length); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { return BUFFER_ERROR; + } ssl->buffers.serverDH_G.buffer = (byte*) XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_G.buffer) + if (ssl->buffers.serverDH_G.buffer) { ssl->buffers.serverDH_G.length = length; - else + } + else { return MEMORY_ERROR; + } XMEMCPY(ssl->buffers.serverDH_G.buffer, input + *inOutIdx, length); *inOutIdx += length; /* pub */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &length); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { return BUFFER_ERROR; + } ssl->buffers.serverDH_Pub.buffer = (byte*) XMALLOC(length, ssl->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_Pub.buffer) + if (ssl->buffers.serverDH_Pub.buffer) { ssl->buffers.serverDH_Pub.length = length; - else + } + else { return MEMORY_ERROR; + } XMEMCPY(ssl->buffers.serverDH_Pub.buffer, input + *inOutIdx, length); *inOutIdx += length; + + break; } #endif /* !NO_DH || !NO_PSK */ + } /* switch() */ #if !defined(NO_DH) || defined(HAVE_ECC) if (!ssl->options.usingAnon_cipher && @@ -10949,22 +10994,25 @@ static void PickHashSigAlgo(WOLFSSL* ssl, (void)hashAlgo; /* save message for hash verify */ - if (verifySz > MAX_DH_SZ) + if (verifySz > MAX_DH_SZ) { ERROR_OUT(BUFFER_ERROR, done); + } #ifdef WOLFSSL_SMALL_STACK messageVerify = (byte*)XMALLOC(MAX_DH_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (messageVerify == NULL) + if (messageVerify == NULL) { ERROR_OUT(MEMORY_E, done); + } #endif XMEMCPY(messageVerify, input + begin, verifySz); if (IsAtLeastTLSv1_2(ssl)) { byte setHash = 0; - if ((*inOutIdx - begin) + ENUM_LEN + ENUM_LEN > size) + if ((*inOutIdx - begin) + ENUM_LEN + ENUM_LEN > size) { ERROR_OUT(BUFFER_ERROR, done); + } hashAlgo = input[(*inOutIdx)++]; sigAlgo = input[(*inOutIdx)++]; @@ -11019,22 +11067,25 @@ static void PickHashSigAlgo(WOLFSSL* ssl, } /* signature */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { ERROR_OUT(BUFFER_ERROR, done); + } ato16(input + *inOutIdx, &length); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { ERROR_OUT(BUFFER_ERROR, done); + } /* inOutIdx updated at the end of the function */ /* verify signature */ #ifdef WOLFSSL_SMALL_STACK hash = (byte*)XMALLOC(FINISHED_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (hash == NULL) + if (hash == NULL) { ERROR_OUT(MEMORY_E, done); + } #endif #ifndef NO_OLD_TLS @@ -11042,8 +11093,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, #ifdef WOLFSSL_SMALL_STACK if (doMd5) { md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (md5 == NULL) + if (md5 == NULL) { ERROR_OUT(MEMORY_E, done); + } } #endif if (doMd5) { @@ -11057,13 +11109,16 @@ static void PickHashSigAlgo(WOLFSSL* ssl, #ifdef WOLFSSL_SMALL_STACK if (doSha) { sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha == NULL) + if (sha == NULL) { ERROR_OUT(MEMORY_E, done); + } } #endif if (doSha) { ret = wc_InitSha(sha); - if (ret != 0) goto done; + if (ret != 0) { + goto done; + } wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN); wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN); wc_ShaUpdate(sha, messageVerify, verifySz); @@ -11078,8 +11133,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha256 == NULL || hash256 == NULL) + if (sha256 == NULL || hash256 == NULL) { ERROR_OUT(MEMORY_E, done); + } } #endif if (doSha256) { @@ -11088,9 +11144,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, RAN_LEN)) && !(ret = wc_Sha256Update(sha256, ssl->arrays->serverRandom, RAN_LEN)) - && !(ret = wc_Sha256Update(sha256, messageVerify, verifySz))) + && !(ret = wc_Sha256Update(sha256, messageVerify, verifySz))) { ret = wc_Sha256Final(sha256, hash256); - if (ret != 0) goto done; + } + if (ret != 0) { + goto done; + } } #endif @@ -11101,8 +11160,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha384 == NULL || hash384 == NULL) + if (sha384 == NULL || hash384 == NULL) { ERROR_OUT(MEMORY_E, done); + } } #endif if (doSha384) { @@ -11111,9 +11171,12 @@ static void PickHashSigAlgo(WOLFSSL* ssl, RAN_LEN)) && !(ret = wc_Sha384Update(sha384, ssl->arrays->serverRandom, RAN_LEN)) - && !(ret = wc_Sha384Update(sha384, messageVerify, verifySz))) + && !(ret = wc_Sha384Update(sha384, messageVerify, verifySz))) { ret = wc_Sha384Final(sha384, hash384); - if (ret != 0) goto done; + } + if (ret != 0) { + goto done; + } } #endif @@ -11124,8 +11187,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha512 == NULL || hash512 == NULL) + if (sha512 == NULL || hash512 == NULL) { ERROR_OUT(MEMORY_E, done); + } } #endif if (doSha512) { @@ -11134,15 +11198,20 @@ static void PickHashSigAlgo(WOLFSSL* ssl, RAN_LEN)) && !(ret = wc_Sha512Update(sha512, ssl->arrays->serverRandom, RAN_LEN)) - && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz))) + && !(ret = wc_Sha512Update(sha512, messageVerify, verifySz))) { ret = wc_Sha512Final(sha512, hash512); - if (ret != 0) goto done; + } + if (ret != 0) { + goto done; + } } #endif + switch (sigAlgo) + { #ifndef NO_RSA /* rsa */ - if (sigAlgo == rsa_sa_algo) + case rsa_sa_algo: { byte* out = NULL; byte doUserRsa = 0; @@ -11153,8 +11222,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, doUserRsa = 1; #endif /*HAVE_PK_CALLBACKS */ - if (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent) + if (ssl->peerRsaKey == NULL || !ssl->peerRsaKeyPresent) { ERROR_OUT(NO_PEER_KEY, done); + } if (doUserRsa) { #ifdef HAVE_PK_CALLBACKS @@ -11166,9 +11236,10 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ssl->RsaVerifyCtx); #endif /*HAVE_PK_CALLBACKS */ } - else + else { verifiedSz = wc_RsaSSL_VerifyInline((byte *)input + *inOutIdx, length, &out, ssl->peerRsaKey); + } if (IsAtLeastTLSv1_2(ssl)) { word32 encSigSz; @@ -11219,31 +11290,38 @@ static void PickHashSigAlgo(WOLFSSL* ssl, #ifdef WOLFSSL_SMALL_STACK encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) + if (encodedSig == NULL) { ERROR_OUT(MEMORY_E, done); + } #endif - if (digest == NULL) + if (digest == NULL) { ERROR_OUT(ALGO_ID_E, done); + } encSigSz = wc_EncodeSignature(encodedSig, digest, digestSz, typeH); if (encSigSz != verifiedSz || !out || XMEMCMP(out, encodedSig, - min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) + min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) { ret = VERIFY_SIGN_ERROR; + } #ifdef WOLFSSL_SMALL_STACK XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ret != 0) + if (ret != 0) { goto done; + } } else if (verifiedSz != FINISHED_SZ || !out || XMEMCMP(out, - hash, FINISHED_SZ) != 0) + hash, FINISHED_SZ) != 0) { ERROR_OUT(VERIFY_SIGN_ERROR, done); - } else + } + break; + } #endif #ifdef HAVE_ECC /* ecdsa */ - if (sigAlgo == ecc_dsa_sa_algo) { + case ecc_dsa_sa_algo: + { int verify = 0; #ifndef NO_OLD_TLS byte* digest = &hash[MD5_DIGEST_SIZE]; @@ -11255,8 +11333,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, byte doUserEcc = 0; #ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->EccVerifyCb) + if (ssl->ctx->EccVerifyCb) { doUserEcc = 1; + } #endif if (!ssl->peerEccDsaKeyPresent) @@ -11301,12 +11380,15 @@ static void PickHashSigAlgo(WOLFSSL* ssl, ret = wc_ecc_verify_hash(input + *inOutIdx, length, digest, digestSz, &verify, ssl->peerEccDsaKey); } - if (ret != 0 || verify == 0) + if (ret != 0 || verify == 0) { ERROR_OUT(VERIFY_SIGN_ERROR, done); + } + break; } - else #endif /* HAVE_ECC */ + default: ERROR_OUT(ALGO_ID_E, done); + } /* switch (sigAlgo) */ /* signature length */ *inOutIdx += length; @@ -11334,8 +11416,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, XFREE(hash, NULL, DYNAMIC_TYPE_TMP_BUFFER); XFREE(messageVerify, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ret != 0) + if (ret != 0) { return ret; + } } if (IsEncryptionOn(ssl, 0)) { @@ -11353,8 +11436,9 @@ static void PickHashSigAlgo(WOLFSSL* ssl, if (name == TLSX_QUANTUM_SAFE_HYBRID) { /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size, 0)) < 0) + size, 0)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -12893,8 +12977,10 @@ int DoSessionTicket(WOLFSSL* ssl, #endif + switch(ssl->specs.kea) + { #ifndef NO_PSK - if (ssl->specs.kea == psk_kea) + case psk_kea: { byte *output; word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; @@ -12903,8 +12989,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* include size part */ length = (word32)XSTRLEN(ssl->arrays->server_hint); - if (length > MAX_PSK_ID_LEN) + if (length > MAX_PSK_ID_LEN) { return SERVER_HINT_ERROR; + } length += HINT_LEN_SZ; sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; @@ -12921,8 +13008,9 @@ int DoSessionTicket(WOLFSSL* ssl, } #endif /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; + if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) { + return ret; + } /* get ouput buffer */ output = ssl->buffers.outputBuffer.buffer + @@ -12943,8 +13031,9 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->peerQSHKeyPresent) { if (qshSz > 0) { idx = sendSz - qshSz; - if (QSH_KeyExchangeWrite(ssl, 1) != 0) + if (QSH_KeyExchangeWrite(ssl, 1) != 0) { return MEMORY_E; + } /* extension type */ c16toa(TLSX_QUANTUM_SAFE_HYBRID, output + idx); @@ -12952,41 +13041,51 @@ int DoSessionTicket(WOLFSSL* ssl, /* write to output and check amount written */ if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx) - > qshSz - OPAQUE16_LEN) + > qshSz - OPAQUE16_LEN) { return MEMORY_E; + } } } #endif #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) + if (ssl->options.dtls) { + if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) { return ret; + } + } #endif ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) + if (ret != 0) { return ret; + } #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) + if (ssl->hsInfoOn) { AddPacketName("ServerKeyExchange", &ssl->handShakeInfo); - if (ssl->toInfoOn) + } + if (ssl->toInfoOn) { AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output, - sendSz, ssl->heap); + sendSz, ssl->heap); + } #endif ssl->buffers.outputBuffer.length += sendSz; - if (ssl->options.groupMessages) + if (ssl->options.groupMessages) { ret = 0; - else + } + else { ret = SendBuffered(ssl); + } ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; + break; } #endif /*NO_PSK */ #if !defined(NO_DH) && !defined(NO_PSK) - if (ssl->specs.kea == dhe_psk_kea) { + case dhe_psk_kea: + { byte *output; word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; word32 hintLen; @@ -12994,23 +13093,26 @@ int DoSessionTicket(WOLFSSL* ssl, DhKey dhKey; if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL) + ssl->buffers.serverDH_G.buffer == NULL) { return NO_DH_PARAMS; + } if (ssl->buffers.serverDH_Pub.buffer == NULL) { ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC( ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_Pub.buffer == NULL) + if (ssl->buffers.serverDH_Pub.buffer == NULL) { return MEMORY_E; + } } if (ssl->buffers.serverDH_Priv.buffer == NULL) { ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC( ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_Priv.buffer == NULL) + if (ssl->buffers.serverDH_Priv.buffer == NULL) { return MEMORY_E; + } } wc_InitDhKey(&dhKey); @@ -13018,15 +13120,17 @@ int DoSessionTicket(WOLFSSL* ssl, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length); - if (ret == 0) + if (ret == 0) { ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng, ssl->buffers.serverDH_Priv.buffer, &ssl->buffers.serverDH_Priv.length, ssl->buffers.serverDH_Pub.buffer, &ssl->buffers.serverDH_Pub.length); + } wc_FreeDhKey(&dhKey); - if (ret != 0) + if (ret != 0) { return ret; + } length = LENGTH_SZ * 3 + /* p, g, pub */ ssl->buffers.serverDH_P.length + @@ -13035,8 +13139,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* include size part */ hintLen = (word32)XSTRLEN(ssl->arrays->server_hint); - if (hintLen > MAX_PSK_ID_LEN) + if (hintLen > MAX_PSK_ID_LEN) { return SERVER_HINT_ERROR; + } length += hintLen + HINT_LEN_SZ; sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; @@ -13052,8 +13157,9 @@ int DoSessionTicket(WOLFSSL* ssl, #endif /* check for available size */ - if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) - return ret; + if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) { + return ret; + } /* get ouput buffer */ output = ssl->buffers.outputBuffer.buffer + @@ -13101,42 +13207,51 @@ int DoSessionTicket(WOLFSSL* ssl, /* write to output and check amount written */ if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx) - > qshSz - OPAQUE16_LEN) + > qshSz - OPAQUE16_LEN) { return MEMORY_E; + } } } #endif #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) + if (ssl->options.dtls) { + if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) { return ret; + } + } #endif ret = HashOutput(ssl, output, sendSz, 0); - if (ret != 0) + if (ret != 0) { return ret; + } #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) + if (ssl->hsInfoOn) { AddPacketName("ServerKeyExchange", &ssl->handShakeInfo); - if (ssl->toInfoOn) + } + if (ssl->toInfoOn) { AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output, - sendSz, ssl->heap); + sendSz, ssl->heap); + } #endif ssl->buffers.outputBuffer.length += sendSz; - if (ssl->options.groupMessages) + if (ssl->options.groupMessages) { ret = 0; - else + } + else { ret = SendBuffered(ssl); + } ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; + break; } #endif /* !NO_DH && !NO_PSK */ #ifdef HAVE_ECC - if (ssl->specs.kea == ecc_diffie_hellman_kea) + case ecc_diffie_hellman_kea: { byte *output; word32 length, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; @@ -13169,7 +13284,7 @@ int DoSessionTicket(WOLFSSL* ssl, #endif if (ssl->specs.static_ecdh) { - WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchagne"); + WOLFSSL_MSG("Using Static ECDH, not sending ServerKeyExchange"); return 0; } @@ -13182,7 +13297,7 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->eccTempKey == NULL) { /* alloc/init on demand */ ssl->eccTempKey = (ecc_key*)XMALLOC(sizeof(ecc_key), - ssl->ctx->heap, DYNAMIC_TYPE_ECC); + ssl->ctx->heap, DYNAMIC_TYPE_ECC); if (ssl->eccTempKey == NULL) { WOLFSSL_MSG("EccTempKey Memory error"); return MEMORY_E; @@ -13199,13 +13314,15 @@ int DoSessionTicket(WOLFSSL* ssl, #ifdef WOLFSSL_SMALL_STACK exportBuf = (byte*)XMALLOC(MAX_EXPORT_ECC_SZ, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (exportBuf == NULL) + DYNAMIC_TYPE_TMP_BUFFER); + if (exportBuf == NULL) { return MEMORY_E; + } #endif - if (wc_ecc_export_x963(ssl->eccTempKey, exportBuf, &expSz) != 0) + if (wc_ecc_export_x963(ssl->eccTempKey, exportBuf, &expSz) != 0) { ERROR_OUT(ECC_EXPORT_ERROR, done_a); + } length += expSz; preSigSz = length; @@ -13213,8 +13330,9 @@ int DoSessionTicket(WOLFSSL* ssl, #ifndef NO_RSA ret = wc_InitRsaKey(&rsaKey, ssl->heap); - if (ret != 0) + if (ret != 0) { goto done_a; + } #endif wc_ecc_init(&dsaKey); @@ -13236,8 +13354,9 @@ int DoSessionTicket(WOLFSSL* ssl, word32 i = 0; ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i, &rsaKey, ssl->buffers.key.length); - if (ret != 0) + if (ret != 0) { goto done_a; + } sigSz = wc_RsaEncryptSize(&rsaKey); } else #endif @@ -13247,8 +13366,9 @@ int DoSessionTicket(WOLFSSL* ssl, word32 i = 0; ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i, &dsaKey, ssl->buffers.key.length); - if (ret != 0) + if (ret != 0) { goto done_a; + } sigSz = wc_ecc_sig_size(&dsaKey); /* worst case estimate */ } else { @@ -13260,8 +13380,9 @@ int DoSessionTicket(WOLFSSL* ssl, } length += sigSz; - if (IsAtLeastTLSv1_2(ssl)) + if (IsAtLeastTLSv1_2(ssl)) { length += HASH_SIG_SIZE; + } sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; @@ -13366,9 +13487,10 @@ int DoSessionTicket(WOLFSSL* ssl, is */ #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE, - ssl->fuzzerCtx); + if (ssl->fuzzerCb) { + ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, + FUZZ_SIGNATURE, ssl->fuzzerCtx); + } #endif /* do signature */ @@ -13417,9 +13539,10 @@ int DoSessionTicket(WOLFSSL* ssl, #ifdef WOLFSSL_SMALL_STACK hash = (byte*)XMALLOC(FINISHED_SZ, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (hash == NULL) + DYNAMIC_TYPE_TMP_BUFFER); + if (hash == NULL) { ERROR_OUT(MEMORY_E, done_a); + } #endif #ifndef NO_OLD_TLS @@ -13428,8 +13551,9 @@ int DoSessionTicket(WOLFSSL* ssl, if (doMd5) { md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (md5 == NULL) + if (md5 == NULL) { ERROR_OUT(MEMORY_E, done_a2); + } } #endif if (doMd5) { @@ -13444,13 +13568,16 @@ int DoSessionTicket(WOLFSSL* ssl, if (doSha) { sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha == NULL) + if (sha == NULL) { ERROR_OUT(MEMORY_E, done_a2); + } } #endif if (doSha) { ret = wc_InitSha(sha); - if (ret != 0) goto done_a2; + if (ret != 0) { + goto done_a2; + } wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN); wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN); wc_ShaUpdate(sha, output + preSigIdx, preSigSz); @@ -13465,22 +13592,25 @@ int DoSessionTicket(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha256 == NULL || hash256 == NULL) + if (sha256 == NULL || hash256 == NULL) { ERROR_OUT(MEMORY_E, done_a2); + } } #endif if (doSha256) { if (!(ret = wc_InitSha256(sha256)) && !(ret = wc_Sha256Update(sha256, - ssl->arrays->clientRandom, RAN_LEN)) + ssl->arrays->clientRandom, RAN_LEN)) && !(ret = wc_Sha256Update(sha256, - ssl->arrays->serverRandom, RAN_LEN)) + ssl->arrays->serverRandom, RAN_LEN)) && !(ret = wc_Sha256Update(sha256, - output + preSigIdx, preSigSz))) + output + preSigIdx, preSigSz))) { ret = wc_Sha256Final(sha256, hash256); - - if (ret != 0) goto done_a2; + } + if (ret != 0) { + goto done_a2; + } } #endif @@ -13491,22 +13621,25 @@ int DoSessionTicket(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha384 == NULL || hash384 == NULL) + if (sha384 == NULL || hash384 == NULL) { ERROR_OUT(MEMORY_E, done_a2); + } } #endif if (doSha384) { if (!(ret = wc_InitSha384(sha384)) && !(ret = wc_Sha384Update(sha384, - ssl->arrays->clientRandom, RAN_LEN)) + ssl->arrays->clientRandom, RAN_LEN)) && !(ret = wc_Sha384Update(sha384, - ssl->arrays->serverRandom, RAN_LEN)) + ssl->arrays->serverRandom, RAN_LEN)) && !(ret = wc_Sha384Update(sha384, - output + preSigIdx, preSigSz))) + output + preSigIdx, preSigSz))) { ret = wc_Sha384Final(sha384, hash384); - - if (ret != 0) goto done_a2; + } + if (ret != 0) { + goto done_a2; + } } #endif @@ -13517,22 +13650,25 @@ int DoSessionTicket(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha512 == NULL || hash512 == NULL) + if (sha512 == NULL || hash512 == NULL) { ERROR_OUT(MEMORY_E, done_a2); + } } #endif if (doSha512) { if (!(ret = wc_InitSha512(sha512)) && !(ret = wc_Sha512Update(sha512, - ssl->arrays->clientRandom, RAN_LEN)) + ssl->arrays->clientRandom, RAN_LEN)) && !(ret = wc_Sha512Update(sha512, - ssl->arrays->serverRandom, RAN_LEN)) + ssl->arrays->serverRandom, RAN_LEN)) && !(ret = wc_Sha512Update(sha512, - output + preSigIdx, preSigSz))) + output + preSigIdx, preSigSz))) { ret = wc_Sha512Final(sha512, hash512); - - if (ret != 0) goto done_a2; + } + if (ret != 0) { + goto done_a2; + } } #endif @@ -13554,9 +13690,10 @@ int DoSessionTicket(WOLFSSL* ssl, #ifdef WOLFSSL_SMALL_STACK encodedSig = (byte*)XMALLOC(MAX_ENCODED_SIG_SZ, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (encodedSig == NULL) + DYNAMIC_TYPE_TMP_BUFFER); + if (encodedSig == NULL) { ERROR_OUT(MEMORY_E, done_a2); + } #endif if (IsAtLeastTLSv1_2(ssl)) { @@ -13613,13 +13750,13 @@ int DoSessionTicket(WOLFSSL* ssl, } else { ret = wc_RsaSSL_Sign(signBuffer, signSz, output + idx, - sigSz, &rsaKey, ssl->rng); + sigSz, &rsaKey, ssl->rng); } if (ret > 0) { /* check for signature faults */ ret = VerifyRsaSign(output + idx, ret, - signBuffer, signSz, &rsaKey); + signBuffer, signSz, &rsaKey); } wc_FreeRsaKey(&rsaKey); wc_ecc_free(&dsaKey); @@ -13628,8 +13765,9 @@ int DoSessionTicket(WOLFSSL* ssl, XFREE(encodedSig, NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - if (ret < 0) + if (ret < 0) { goto done_a2; + } } else #endif @@ -13645,8 +13783,9 @@ int DoSessionTicket(WOLFSSL* ssl, byte doUserEcc = 0; #if defined(HAVE_PK_CALLBACKS) && defined(HAVE_ECC) - if (ssl->ctx->EccSignCb) + if (ssl->ctx->EccSignCb) { doUserEcc = 1; + } #endif if (IsAtLeastTLSv1_2(ssl)) { @@ -13679,7 +13818,8 @@ int DoSessionTicket(WOLFSSL* ssl, if (doUserEcc) { #if defined(HAVE_PK_CALLBACKS) && defined(HAVE_ECC) ret = ssl->ctx->EccSignCb(ssl, digest, digestSz, - output + LENGTH_SZ + idx, &sz, + output + LENGTH_SZ + idx, + &sz, ssl->buffers.key.buffer, ssl->buffers.key.length, ssl->EccSignCtx); @@ -13687,15 +13827,16 @@ int DoSessionTicket(WOLFSSL* ssl, } else { ret = wc_ecc_sign_hash(digest, digestSz, - output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey); + output + LENGTH_SZ + idx, &sz, ssl->rng, &dsaKey); } #ifndef NO_RSA wc_FreeRsaKey(&rsaKey); #endif wc_ecc_free(&dsaKey); - if (ret < 0) + if (ret < 0) { goto done_a2; + } /* Now that we know the real sig size, write it. */ c16toa((word16)sz, output + idx); @@ -13742,8 +13883,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* write to output and check amount written */ if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx) - > qshSz - OPAQUE16_LEN) + > qshSz - OPAQUE16_LEN) { return MEMORY_E; + } } } #endif @@ -13752,27 +13894,34 @@ int DoSessionTicket(WOLFSSL* ssl, AddHeaders(output, length, server_key_exchange, ssl); #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) + if (ssl->options.dtls) { + if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) { goto done_a; + } + } #endif - if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) + if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) { goto done_a; + } #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) + if (ssl->hsInfoOn) { AddPacketName("ServerKeyExchange", &ssl->handShakeInfo); - if (ssl->toInfoOn) + } + if (ssl->toInfoOn) { AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output, sendSz, ssl->heap); + } #endif ssl->buffers.outputBuffer.length += sendSz; - if (ssl->options.groupMessages) + if (ssl->options.groupMessages) { ret = 0; - else + } + else { ret = SendBuffered(ssl); + } ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; done_a: @@ -13785,7 +13934,8 @@ int DoSessionTicket(WOLFSSL* ssl, #endif /* HAVE_ECC */ #if !defined(NO_DH) && !defined(NO_RSA) - if (ssl->specs.kea == diffie_hellman_kea) { + case diffie_hellman_kea: + { byte *output; word32 length = 0, idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; int sendSz; @@ -13795,23 +13945,26 @@ int DoSessionTicket(WOLFSSL* ssl, DhKey dhKey; if (ssl->buffers.serverDH_P.buffer == NULL || - ssl->buffers.serverDH_G.buffer == NULL) + ssl->buffers.serverDH_G.buffer == NULL) { return NO_DH_PARAMS; + } if (ssl->buffers.serverDH_Pub.buffer == NULL) { ssl->buffers.serverDH_Pub.buffer = (byte*)XMALLOC( ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_Pub.buffer == NULL) + if (ssl->buffers.serverDH_Pub.buffer == NULL) { return MEMORY_E; + } } if (ssl->buffers.serverDH_Priv.buffer == NULL) { ssl->buffers.serverDH_Priv.buffer = (byte*)XMALLOC( ssl->buffers.serverDH_P.length + 2, ssl->ctx->heap, DYNAMIC_TYPE_DH); - if (ssl->buffers.serverDH_Priv.buffer == NULL) + if (ssl->buffers.serverDH_Priv.buffer == NULL) { return MEMORY_E; + } } wc_InitDhKey(&dhKey); @@ -13819,15 +13972,18 @@ int DoSessionTicket(WOLFSSL* ssl, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length); - if (ret == 0) + if (ret == 0) { ret = wc_DhGenerateKeyPair(&dhKey, ssl->rng, ssl->buffers.serverDH_Priv.buffer, &ssl->buffers.serverDH_Priv.length, ssl->buffers.serverDH_Pub.buffer, &ssl->buffers.serverDH_Pub.length); + } wc_FreeDhKey(&dhKey); - if (ret != 0) return ret; + if (ret != 0) { + return ret; + } length = LENGTH_SZ * 3; /* p, g, pub */ length += ssl->buffers.serverDH_P.length + @@ -13839,16 +13995,19 @@ int DoSessionTicket(WOLFSSL* ssl, if (!ssl->options.usingAnon_cipher) { ret = wc_InitRsaKey(&rsaKey, ssl->heap); - if (ret != 0) return ret; + if (ret != 0) { + return ret; + } /* sig length */ length += LENGTH_SZ; - if (!ssl->buffers.key.buffer) + if (!ssl->buffers.key.buffer) { return NO_PRIVATE_KEY; + } - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i, &rsaKey, - ssl->buffers.key.length); + ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i, + &rsaKey, ssl->buffers.key.length); if (ret == 0) { sigSz = wc_RsaEncryptSize(&rsaKey); length += sigSz; @@ -13858,8 +14017,9 @@ int DoSessionTicket(WOLFSSL* ssl, return ret; } - if (IsAtLeastTLSv1_2(ssl)) + if (IsAtLeastTLSv1_2(ssl)) { length += HASH_SIG_SIZE; + } } sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; @@ -13878,8 +14038,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* check for available size */ if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) { - if (!ssl->options.usingAnon_cipher) + if (!ssl->options.usingAnon_cipher) { wc_FreeRsaKey(&rsaKey); + } return ret; } @@ -13911,9 +14072,10 @@ int DoSessionTicket(WOLFSSL* ssl, idx += ssl->buffers.serverDH_Pub.length; #ifdef HAVE_FUZZER - if (ssl->fuzzerCb) - ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE, - ssl->fuzzerCtx); + if (ssl->fuzzerCb) { + ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, + FUZZ_SIGNATURE, ssl->fuzzerCtx); + } #endif /* Add signature */ @@ -14039,11 +14201,12 @@ int DoSessionTicket(WOLFSSL* ssl, /* do signature */ #ifdef WOLFSSL_SMALL_STACK hash = (byte*)XMALLOC(FINISHED_SZ, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (hash == NULL) + DYNAMIC_TYPE_TMP_BUFFER); + if (hash == NULL) { return MEMORY_E; /* No heap commitment before this point, from now on, the resources are freed at done_b. */ + } #endif #ifndef NO_OLD_TLS @@ -14052,8 +14215,9 @@ int DoSessionTicket(WOLFSSL* ssl, if (doMd5) { md5 = (Md5*)XMALLOC(sizeof(Md5), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (md5 == NULL) + if (md5 == NULL) { ERROR_OUT(MEMORY_E, done_b); + } } #endif if (doMd5) { @@ -14069,14 +14233,16 @@ int DoSessionTicket(WOLFSSL* ssl, if (doSha) { sha = (Sha*)XMALLOC(sizeof(Sha), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha == NULL) + if (sha == NULL) { ERROR_OUT(MEMORY_E, done_b); + } } #endif if (doSha) { - if ((ret = wc_InitSha(sha)) != 0) + if ((ret = wc_InitSha(sha)) != 0) { goto done_b; + } wc_ShaUpdate(sha, ssl->arrays->clientRandom, RAN_LEN); wc_ShaUpdate(sha, ssl->arrays->serverRandom, RAN_LEN); wc_ShaUpdate(sha, output + preSigIdx, preSigSz); @@ -14091,22 +14257,25 @@ int DoSessionTicket(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash256 = (byte*)XMALLOC(SHA256_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha256 == NULL || hash256 == NULL) + if (sha256 == NULL || hash256 == NULL) { ERROR_OUT(MEMORY_E, done_b); + } } #endif if (doSha256) { if (!(ret = wc_InitSha256(sha256)) && !(ret = wc_Sha256Update(sha256, - ssl->arrays->clientRandom, RAN_LEN)) + ssl->arrays->clientRandom, RAN_LEN)) && !(ret = wc_Sha256Update(sha256, - ssl->arrays->serverRandom, RAN_LEN)) + ssl->arrays->serverRandom, RAN_LEN)) && !(ret = wc_Sha256Update(sha256, - output + preSigIdx, preSigSz))) + output + preSigIdx, preSigSz))) { ret = wc_Sha256Final(sha256, hash256); - - if (ret != 0) goto done_b; + } + if (ret != 0) { + goto done_b; + } } #endif @@ -14116,23 +14285,26 @@ int DoSessionTicket(WOLFSSL* ssl, sha384 = (Sha384*)XMALLOC(sizeof(Sha384), NULL, DYNAMIC_TYPE_TMP_BUFFER); hash384 = (byte*)XMALLOC(SHA384_DIGEST_SIZE, NULL, - DYNAMIC_TYPE_TMP_BUFFER); - if (sha384 == NULL || hash384 == NULL) + DYNAMIC_TYPE_TMP_BUFFER); + if (sha384 == NULL || hash384 == NULL) { ERROR_OUT(MEMORY_E, done_b); + } } #endif if (doSha384) { if (!(ret = wc_InitSha384(sha384)) && !(ret = wc_Sha384Update(sha384, - ssl->arrays->clientRandom, RAN_LEN)) + ssl->arrays->clientRandom, RAN_LEN)) && !(ret = wc_Sha384Update(sha384, - ssl->arrays->serverRandom, RAN_LEN)) + ssl->arrays->serverRandom, RAN_LEN)) && !(ret = wc_Sha384Update(sha384, - output + preSigIdx, preSigSz))) + output + preSigIdx, preSigSz))) { ret = wc_Sha384Final(sha384, hash384); - - if (ret != 0) goto done_b; + } + if (ret != 0) { + goto done_b; + } } #endif @@ -14143,22 +14315,25 @@ int DoSessionTicket(WOLFSSL* ssl, DYNAMIC_TYPE_TMP_BUFFER); hash512 = (byte*)XMALLOC(SHA512_DIGEST_SIZE, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (sha512 == NULL || hash512 == NULL) + if (sha512 == NULL || hash512 == NULL) { ERROR_OUT(MEMORY_E, done_b); + } } #endif if (doSha512) { if (!(ret = wc_InitSha512(sha512)) && !(ret = wc_Sha512Update(sha512, - ssl->arrays->clientRandom, RAN_LEN)) + ssl->arrays->clientRandom, RAN_LEN)) && !(ret = wc_Sha512Update(sha512, - ssl->arrays->serverRandom, RAN_LEN)) + ssl->arrays->serverRandom, RAN_LEN)) && !(ret = wc_Sha512Update(sha512, - output + preSigIdx, preSigSz))) + output + preSigIdx, preSigSz))) { ret = wc_Sha512Final(sha512, hash512); - - if (ret != 0) goto done_b; + } + if (ret != 0) { + goto done_b; + } } #endif @@ -14174,8 +14349,9 @@ int DoSessionTicket(WOLFSSL* ssl, byte doUserRsa = 0; #ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaSignCb) + if (ssl->ctx->RsaSignCb) { doUserRsa = 1; + } #endif if (IsAtLeastTLSv1_2(ssl)) { @@ -14269,7 +14445,9 @@ int DoSessionTicket(WOLFSSL* ssl, #endif #endif - if (ret < 0) return ret; + if (ret < 0) { + return ret; + } } #ifdef HAVE_QSH @@ -14284,37 +14462,49 @@ int DoSessionTicket(WOLFSSL* ssl, /* write to output and check amount written */ if (TLSX_QSHPK_Write(ssl->QSH_secret->list, output + idx) - > qshSz - OPAQUE16_LEN) + > qshSz - OPAQUE16_LEN) { return MEMORY_E; + } } } #endif #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) - if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) + if (ssl->options.dtls) { + if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) { return ret; + } + } #endif - if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) + if ((ret = HashOutput(ssl, output, sendSz, 0)) != 0) { return ret; + } #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) + if (ssl->hsInfoOn) { AddPacketName("ServerKeyExchange", &ssl->handShakeInfo); - if (ssl->toInfoOn) + } + if (ssl->toInfoOn) { AddPacketInfo("ServerKeyExchange", &ssl->timeoutInfo, output, sendSz, ssl->heap); + } #endif ssl->buffers.outputBuffer.length += sendSz; - if (ssl->options.groupMessages) + if (ssl->options.groupMessages) { ret = 0; - else + } + else { ret = SendBuffered(ssl); + } ssl->options.serverState = SERVER_KEYEXCHANGE_COMPLETE; + break; } #endif /* NO_DH */ + default: + break; + } /* switch(ssl->specs.kea) */ return ret; #undef ERROR_OUT @@ -15564,18 +15754,21 @@ int DoSessionTicket(WOLFSSL* ssl, } #ifndef NO_CERTS - if (ssl->options.verifyPeer && ssl->options.failNoCert) + if (ssl->options.verifyPeer && ssl->options.failNoCert) { if (!ssl->options.havePeerCert) { WOLFSSL_MSG("client didn't present peer cert"); return NO_PEER_CERT; } + } #endif #ifdef WOLFSSL_CALLBACKS - if (ssl->hsInfoOn) + if (ssl->hsInfoOn) { AddPacketName("ClientKeyExchange", &ssl->handShakeInfo); - if (ssl->toInfoOn) + } + if (ssl->toInfoOn) { AddLateName("ClientKeyExchange", &ssl->timeoutInfo); + } #endif switch (ssl->specs.kea) { @@ -15587,18 +15780,22 @@ int DoSessionTicket(WOLFSSL* ssl, byte doUserRsa = 0; #ifdef HAVE_PK_CALLBACKS - if (ssl->ctx->RsaDecCb) + if (ssl->ctx->RsaDecCb) { doUserRsa = 1; + } #endif ret = wc_InitRsaKey(&key, ssl->heap); - if (ret != 0) return ret; + if (ret != 0) { + return ret; + } - if (ssl->buffers.key.buffer) - ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, - &key, ssl->buffers.key.length); - else + if (!ssl->buffers.key.buffer) { return NO_PRIVATE_KEY; + } + + ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, + &key, ssl->buffers.key.length); if (ret == 0) { length = wc_RsaEncryptSize(&key); @@ -15607,8 +15804,9 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->options.tls) { word16 check; - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &check); *inOutIdx += OPAQUE16_LEN; @@ -15647,8 +15845,9 @@ int DoSessionTicket(WOLFSSL* ssl, if (ssl->arrays->preMasterSecret[0] != ssl->chVersion.major || ssl->arrays->preMasterSecret[1] != - ssl->chVersion.minor) + ssl->chVersion.minor) { ret = PMS_VERSION_ERROR; + } else { #ifdef HAVE_QSH @@ -15662,8 +15861,9 @@ int DoSessionTicket(WOLFSSL* ssl, length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, size - *inOutIdx - + begin, 1)) < 0) + + begin, 1)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -15691,17 +15891,20 @@ int DoSessionTicket(WOLFSSL* ssl, byte* pms = ssl->arrays->preMasterSecret; word16 ci_sz; - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &ci_sz); *inOutIdx += OPAQUE16_LEN; - if (ci_sz > MAX_PSK_ID_LEN) + if (ci_sz > MAX_PSK_ID_LEN) { return CLIENT_ID_ERROR; + } - if ((*inOutIdx - begin) + ci_sz > size) + if ((*inOutIdx - begin) + ci_sz > size) { return BUFFER_ERROR; + } XMEMCPY(ssl->arrays->client_identity, input + *inOutIdx, ci_sz); *inOutIdx += ci_sz; @@ -15712,8 +15915,9 @@ int DoSessionTicket(WOLFSSL* ssl, MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) + ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { return PSK_KEY_ERROR; + } /* make psk pre master secret */ /* length of key + length 0s + length of key + key */ @@ -15739,8 +15943,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size - *inOutIdx + begin, 1)) < 0) + size - *inOutIdx + begin, 1)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -15764,30 +15969,36 @@ int DoSessionTicket(WOLFSSL* ssl, word16 cipherLen; word16 plainLen = sizeof(ssl->arrays->preMasterSecret); - if (!ssl->buffers.key.buffer) + if (!ssl->buffers.key.buffer) { return NO_PRIVATE_KEY; + } - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &cipherLen); *inOutIdx += OPAQUE16_LEN; - if (cipherLen > MAX_NTRU_ENCRYPT_SZ) + if (cipherLen > MAX_NTRU_ENCRYPT_SZ) { return NTRU_KEY_ERROR; + } - if ((*inOutIdx - begin) + cipherLen > size) + if ((*inOutIdx - begin) + cipherLen > size) { return BUFFER_ERROR; + } if (NTRU_OK != ntru_crypto_ntru_decrypt( (word16) ssl->buffers.key.length, ssl->buffers.key.buffer, cipherLen, input + *inOutIdx, &plainLen, - ssl->arrays->preMasterSecret)) + ssl->arrays->preMasterSecret)) { return NTRU_DECRYPT_ERROR; + } - if (plainLen != SECRET_LEN) + if (plainLen != SECRET_LEN) { return NTRU_DECRYPT_ERROR; + } *inOutIdx += cipherLen; @@ -15801,8 +16012,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size - *inOutIdx + begin, 1)) < 0) + size - *inOutIdx + begin, 1)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -15820,13 +16032,15 @@ int DoSessionTicket(WOLFSSL* ssl, #ifdef HAVE_ECC case ecc_diffie_hellman_kea: { - if ((*inOutIdx - begin) + OPAQUE8_LEN > size) + if ((*inOutIdx - begin) + OPAQUE8_LEN > size) { return BUFFER_ERROR; + } length = input[(*inOutIdx)++]; - if ((*inOutIdx - begin) + length > size) + if ((*inOutIdx - begin) + length > size) { return BUFFER_ERROR; + } if (ssl->peerEccKey == NULL) { /* alloc/init on demand */ @@ -15843,8 +16057,9 @@ int DoSessionTicket(WOLFSSL* ssl, wc_ecc_init(ssl->peerEccKey); } - if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey)) + if (wc_ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey)) { return ECC_PEERKEY_ERROR; + } *inOutIdx += length; ssl->peerEccKeyPresent = 1; @@ -15859,9 +16074,10 @@ int DoSessionTicket(WOLFSSL* ssl, ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i, &staticKey, ssl->buffers.key.length); - if (ret == 0) + if (ret == 0) { ret = wc_ecc_shared_secret(&staticKey, ssl->peerEccKey, ssl->arrays->preMasterSecret, &length); + } wc_ecc_free(&staticKey); } @@ -15875,8 +16091,9 @@ int DoSessionTicket(WOLFSSL* ssl, } } - if (ret != 0) + if (ret != 0) { return ECC_SHARED_ERROR; + } ssl->arrays->preMasterSz = length; #ifdef HAVE_QSH @@ -15889,8 +16106,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size - *inOutIdx + begin, 1)) < 0) + size - *inOutIdx + begin, 1)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -15910,26 +16128,29 @@ int DoSessionTicket(WOLFSSL* ssl, word16 clientPubSz; DhKey dhKey; - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &clientPubSz); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + clientPubSz > size) + if ((*inOutIdx - begin) + clientPubSz > size) { return BUFFER_ERROR; + } wc_InitDhKey(&dhKey); ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length); - if (ret == 0) + if (ret == 0) { ret = wc_DhAgree(&dhKey, ssl->arrays->preMasterSecret, &ssl->arrays->preMasterSz, ssl->buffers.serverDH_Priv.buffer, ssl->buffers.serverDH_Priv.length, input + *inOutIdx, clientPubSz); + } wc_FreeDhKey(&dhKey); *inOutIdx += clientPubSz; @@ -15944,8 +16165,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size - *inOutIdx + begin, 1)) < 0) + size - *inOutIdx + begin, 1)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -15955,8 +16177,9 @@ int DoSessionTicket(WOLFSSL* ssl, } } #endif - if (ret == 0) + if (ret == 0) { ret = MakeMasterSecret(ssl); + } } break; #endif /* NO_DH */ @@ -15968,16 +16191,19 @@ int DoSessionTicket(WOLFSSL* ssl, DhKey dhKey; /* Read in the PSK hint */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &clientSz); *inOutIdx += OPAQUE16_LEN; - if (clientSz > MAX_PSK_ID_LEN) + if (clientSz > MAX_PSK_ID_LEN) { return CLIENT_ID_ERROR; + } - if ((*inOutIdx - begin) + clientSz > size) + if ((*inOutIdx - begin) + clientSz > size) { return BUFFER_ERROR; + } XMEMCPY(ssl->arrays->client_identity, input + *inOutIdx, clientSz); @@ -15986,26 +16212,29 @@ int DoSessionTicket(WOLFSSL* ssl, 0; /* Read in the DHE business */ - if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) { return BUFFER_ERROR; + } ato16(input + *inOutIdx, &clientSz); *inOutIdx += OPAQUE16_LEN; - if ((*inOutIdx - begin) + clientSz > size) + if ((*inOutIdx - begin) + clientSz > size) { return BUFFER_ERROR; + } wc_InitDhKey(&dhKey); ret = wc_DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer, ssl->buffers.serverDH_P.length, ssl->buffers.serverDH_G.buffer, ssl->buffers.serverDH_G.length); - if (ret == 0) + if (ret == 0) { ret = wc_DhAgree(&dhKey, pms + OPAQUE16_LEN, &ssl->arrays->preMasterSz, ssl->buffers.serverDH_Priv.buffer, ssl->buffers.serverDH_Priv.length, input + *inOutIdx, clientSz); + } wc_FreeDhKey(&dhKey); *inOutIdx += clientSz; @@ -16020,8 +16249,9 @@ int DoSessionTicket(WOLFSSL* ssl, MAX_PSK_KEY_LEN); if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) + ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) { return PSK_KEY_ERROR; + } c16toa((word16) ssl->arrays->psk_keySz, pms); pms += OPAQUE16_LEN; @@ -16039,8 +16269,9 @@ int DoSessionTicket(WOLFSSL* ssl, /* if qshSz is larger than 0 it is the length of buffer used */ if ((qshSz = TLSX_QSHCipher_Parse(ssl, input + *inOutIdx, - size - *inOutIdx + begin, 1)) < 0) + size - *inOutIdx + begin, 1)) < 0) { return qshSz; + } *inOutIdx += qshSz; } else { @@ -16074,8 +16305,9 @@ int DoSessionTicket(WOLFSSL* ssl, if (ret == 0) { ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE; #ifndef NO_CERTS - if (ssl->options.verifyPeer) + if (ssl->options.verifyPeer) { ret = BuildCertHashes(ssl, &ssl->hsHashes->certHashes); + } #endif } From 89a65b0aa0331de4bc3a63ff21f9ea4e5de59b15 Mon Sep 17 00:00:00 2001 From: David Garske Date: Fri, 4 Dec 2015 15:22:06 -0800 Subject: [PATCH 111/177] Fixed compile error in signature.c with g++. Corrected comment. --- src/internal.c | 4 ++-- wolfcrypt/src/signature.c | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index 5e0eae51e..308a594c2 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12857,14 +12857,14 @@ int DoSessionTicket(WOLFSSL* ssl, if (ret != 0) return ret; - /* store info in SSL context for later */ + /* store info in SSL for later */ XMEMCPY(ssl->arrays->serverRandom, output + idx, RAN_LEN); idx += RAN_LEN; output[idx++] = sessIdSz; XMEMCPY(ssl->arrays->sessionID, output + idx, sessIdSz); } else { - /* If resuming, use info from SSL context */ + /* If resuming, use info from SSL */ XMEMCPY(output + idx, ssl->arrays->serverRandom, RAN_LEN); idx += RAN_LEN; output[idx++] = sessIdSz; diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index 10aa9969f..618632a43 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -113,7 +113,7 @@ int wc_SignatureVerify( } /* Allocate temporary buffer for hash data */ - hash_data = XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + hash_data = (byte*)XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (hash_data == NULL) { return MEMORY_E; } @@ -141,7 +141,7 @@ int wc_SignatureVerify( #ifndef NO_RSA case WC_SIGNATURE_TYPE_RSA: { - byte *plain_data = XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + byte *plain_data = (byte*)XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (plain_data) { /* Perform verification of signature using provided RSA key */ ret = wc_RsaSSL_Verify(sig, sig_len, plain_data, hash_len, (RsaKey*)key); @@ -203,7 +203,7 @@ int wc_SignatureGenerate( } /* Allocate temporary buffer for hash data */ - hash_data = XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); + hash_data = (byte*)XMALLOC(hash_len, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (hash_data == NULL) { return MEMORY_E; } From 6c70e3233d92314031d5d54c990d8588efb0fd78 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Sat, 5 Dec 2015 13:14:29 -0800 Subject: [PATCH 112/177] fix bug where unknown OIDs were treated as parsing errors rather than ignored --- wolfcrypt/src/asn.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index ff73f69dd..a23190005 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1144,9 +1144,9 @@ WOLFSSL_LOCAL int GetObjectId(const byte* input, word32* inOutIdx, word32* oid, if (oidType != ignoreType) { checkOid = OidFromId(*oid, oidType, &checkOidSz); - if (checkOid == NULL || - checkOidSz != actualOidSz || - XMEMCMP(actualOid, checkOid, checkOidSz) != 0) { + if (checkOid != NULL && + (checkOidSz != actualOidSz || + XMEMCMP(actualOid, checkOid, checkOidSz) != 0)) { WOLFSSL_MSG("OID Check Failed"); return ASN_UNKNOWN_OID_E; From 1600ba7f3d1c885d4188b77be848f534f721b127 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Sun, 6 Dec 2015 14:30:00 -0700 Subject: [PATCH 113/177] example IO callback and keep memory alive when needed --- .../Properties/AssemblyInfo.cs | 8 +- .../wolfSSL-DTLS-PSK-Server.cs | 51 +- .../wolfSSL-DTLS-PSK-Server.csproj | 1 - .../Properties/AssemblyInfo.cs | 8 +- .../wolfSSL-DTLS-Server.cs | 48 +- .../wolfSSL-DTLS-Server.csproj | 1 - .../wolfSSL-Example-IOCallbacks/App.config | 6 + .../Properties/AssemblyInfo.cs | 36 ++ .../wolfSSL-Example-IOCallbacks.cs | 258 ++++++++ .../wolfSSL-Example-IOCallbacks.csproj | 84 +++ .../Properties/AssemblyInfo.cs | 8 +- .../wolfSSL-TLS-PSK-Server.cs | 42 +- .../wolfSSL-TLS-PSK-Server.csproj | 1 - .../Properties/AssemblyInfo.cs | 8 +- .../wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs | 40 +- .../wolfSSL-TLS-Server.csproj | 1 - wrapper/CSharp/wolfSSL_CSharp.sln | 168 +----- .../wolfSSL_CSharp/Properties/AssemblyInfo.cs | 8 +- wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs | 571 ++++++++++++++---- .../wolfSSL_CSharp/wolfSSL_CSharp.csproj | 1 - wrapper/include.am | 4 + 21 files changed, 1017 insertions(+), 336 deletions(-) create mode 100755 wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config create mode 100755 wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs create mode 100755 wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs create mode 100755 wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs index dc597de7c..7e22f5faf 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/Properties/AssemblyInfo.cs @@ -8,9 +8,9 @@ using System.Runtime.InteropServices; [assembly: AssemblyTitle("wolfSSL-DTLS-PSK-Server")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] -[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyCompany("wolfSSL")] [assembly: AssemblyProduct("wolfSSL-DTLS-PSK-Server")] -[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyCopyright("Copyright wolfSSL 2015")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] @@ -32,5 +32,5 @@ using System.Runtime.InteropServices; // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] -[assembly: AssemblyVersion("1.0.0.0")] -[assembly: AssemblyFileVersion("1.0.0.0")] +[assembly: AssemblyVersion("1.1.0.0")] +[assembly: AssemblyFileVersion("1.1.0.0")] diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs index 9240ae849..89603ff2f 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.cs @@ -48,7 +48,7 @@ public class wolfSSL_DTLS_PSK_Server /* perform a check on the identity sent across * log function must be set for print out of logging information */ - wolfssl.log(1, "PSK Client Identity = " + identity); + wolfssl.log(wolfssl.INFO_LOG, "PSK Client Identity = " + identity); /* Use desired key, note must be a key smaller than max key size parameter Replace this with desired key. Is trivial one for testing */ @@ -61,6 +61,14 @@ public class wolfSSL_DTLS_PSK_Server } + private static void clean(IntPtr ssl, IntPtr ctx) + { + wolfssl.free(ssl); + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } + + public static void Main(string[] args) { IntPtr ctx; @@ -80,11 +88,18 @@ public class wolfSSL_DTLS_PSK_Server Console.WriteLine("Calling ctx Init from wolfSSL"); ctx = wolfssl.CTX_dtls_new(wolfssl.useDTLSv1_2_server()); + if (ctx == IntPtr.Zero) + { + Console.WriteLine("Error creating ctx structure"); + return; + } + Console.WriteLine("Finished init of ctx .... now load in cert and key"); if (!File.Exists(fileCert) || !File.Exists(fileKey)) { Console.WriteLine("Could not find cert or key file"); + wolfssl.CTX_free(ctx); return; } @@ -92,20 +107,27 @@ public class wolfSSL_DTLS_PSK_Server if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error setting cert file"); + wolfssl.CTX_free(ctx); return; } - if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, 1) != wolfssl.SUCCESS) + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error setting key file"); + wolfssl.CTX_free(ctx); return; } /* Test psk use with DHE */ StringBuilder hint = new StringBuilder("cyassl server"); - wolfssl.CTX_use_psk_identity_hint(ctx, hint); + if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting hint"); + wolfssl.CTX_free(ctx); + return; + } wolfssl.CTX_set_psk_server_callback(ctx, psk_cb); short minDhKey = 128; @@ -116,6 +138,7 @@ public class wolfSSL_DTLS_PSK_Server if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS) { Console.WriteLine("Failed to set cipher suite"); + wolfssl.CTX_free(ctx); return; } @@ -125,23 +148,36 @@ public class wolfSSL_DTLS_PSK_Server Console.WriteLine("Started UDP and waiting for a connection"); ssl = wolfssl.new_ssl(ctx); + if (ssl == IntPtr.Zero) + { + Console.WriteLine("Error creating ssl object"); + udp.Close(); + wolfssl.CTX_free(ctx); + return; + } if (wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error in setting dhparam"); Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } if (wolfssl.set_dtls_fd(ssl, udp, ep) != wolfssl.SUCCESS) { Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } if (wolfssl.accept(ssl) != wolfssl.SUCCESS) { Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } @@ -161,6 +197,8 @@ public class wolfSSL_DTLS_PSK_Server { Console.WriteLine("Error reading message"); Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } Console.WriteLine(buff); @@ -169,15 +207,14 @@ public class wolfSSL_DTLS_PSK_Server { Console.WriteLine("Error writing message"); Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } Console.WriteLine("At the end freeing stuff"); wolfssl.shutdown(ssl); - wolfssl.free(ssl); udp.Close(); - - wolfssl.CTX_free(ctx); - wolfssl.Cleanup(); + clean(ssl, ctx); } } diff --git a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj index aae0b1f05..50a590a1a 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj +++ b/wrapper/CSharp/wolfSSL-DTLS-PSK-Server/wolfSSL-DTLS-PSK-Server.csproj @@ -56,7 +56,6 @@ - diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs index 76d3c655d..f047e5351 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/Properties/AssemblyInfo.cs @@ -8,9 +8,9 @@ using System.Runtime.InteropServices; [assembly: AssemblyTitle("wolfSSL-DTLS-Server")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] -[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyCompany("wolfSSL")] [assembly: AssemblyProduct("wolfSSL-DTLS-Server")] -[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyCopyright("Copyright wolfSSL 2015")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] @@ -32,5 +32,5 @@ using System.Runtime.InteropServices; // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] -[assembly: AssemblyVersion("1.0.0.0")] -[assembly: AssemblyFileVersion("1.0.0.0")] +[assembly: AssemblyVersion("1.1.0.0")] +[assembly: AssemblyFileVersion("1.1.0.0")] diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs index 916b951fe..246d73f93 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.cs @@ -41,6 +41,14 @@ public class wolfSSL_DTLS_Server } + private static void clean(IntPtr ssl, IntPtr ctx) + { + wolfssl.free(ssl); + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } + + public static void Main(string[] args) { IntPtr ctx; @@ -61,11 +69,18 @@ public class wolfSSL_DTLS_Server Console.WriteLine("Calling ctx Init from wolfSSL"); ctx = wolfssl.CTX_dtls_new(wolfssl.useDTLSv1_2_server()); - Console.WriteLine("Finished init of ctx .... now load in cert and key"); + if (ctx == IntPtr.Zero) + { + Console.WriteLine("Error creating ctx structure"); + wolfssl.CTX_free(ctx); + return; + } + Console.WriteLine("Finished init of ctx .... now load in cert and key"); if (!File.Exists(fileCert) || !File.Exists(fileKey)) { Console.WriteLine("Could not find cert or key file"); + wolfssl.CTX_free(ctx); return; } @@ -73,13 +88,15 @@ public class wolfSSL_DTLS_Server if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error setting cert file"); + wolfssl.CTX_free(ctx); return; } - if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, 1) != wolfssl.SUCCESS) + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error setting key file"); + wolfssl.CTX_free(ctx); return; } @@ -92,24 +109,36 @@ public class wolfSSL_DTLS_Server Console.WriteLine("Started UDP and waiting for a connection"); ssl = wolfssl.new_ssl(ctx); + if (ssl == IntPtr.Zero) + { + Console.WriteLine("Error creating ssl object"); + wolfssl.CTX_free(ctx); + return; + } if (wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error in setting dhparam"); Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } if (wolfssl.set_dtls_fd(ssl, udp, ep) != wolfssl.SUCCESS) { Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } if (wolfssl.accept(ssl) != wolfssl.SUCCESS) { - Console.WriteLine(wolfssl.get_error(ssl)); - return; + Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); + return; } /* print out results of TLS/SSL accept */ @@ -128,6 +157,8 @@ public class wolfSSL_DTLS_Server { Console.WriteLine("Error reading message"); Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } Console.WriteLine(buff); @@ -136,15 +167,14 @@ public class wolfSSL_DTLS_Server { Console.WriteLine("Error writing message"); Console.WriteLine(wolfssl.get_error(ssl)); + udp.Close(); + clean(ssl, ctx); return; } Console.WriteLine("At the end freeing stuff"); - wolfssl.shutdown(ssl); - wolfssl.free(ssl); udp.Close(); - - wolfssl.CTX_free(ctx); - wolfssl.Cleanup(); + wolfssl.shutdown(ssl); + clean(ssl, ctx); } } diff --git a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj index 2e8e63d8f..915ed3201 100755 --- a/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj +++ b/wrapper/CSharp/wolfSSL-DTLS-Server/wolfSSL-DTLS-Server.csproj @@ -57,7 +57,6 @@ - diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config new file mode 100755 index 000000000..fad249e40 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config @@ -0,0 +1,6 @@ + + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs new file mode 100755 index 000000000..a19cd0ad7 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs @@ -0,0 +1,36 @@ +using System.Reflection; +using System.Runtime.CompilerServices; +using System.Runtime.InteropServices; + +// General Information about an assembly is controlled through the following +// set of attributes. Change these attribute values to modify the information +// associated with an assembly. +[assembly: AssemblyTitle("wolfSSL-Example-IOCallbacks")] +[assembly: AssemblyDescription("")] +[assembly: AssemblyConfiguration("")] +[assembly: AssemblyCompany("wolfSSL")] +[assembly: AssemblyProduct("wolfSSL-Example-IOCallbacks")] +[assembly: AssemblyCopyright("Copyright wolfSSL 2015")] +[assembly: AssemblyTrademark("")] +[assembly: AssemblyCulture("")] + +// Setting ComVisible to false makes the types in this assembly not visible +// to COM components. If you need to access a type in this assembly from +// COM, set the ComVisible attribute to true on that type. +[assembly: ComVisible(false)] + +// The following GUID is for the ID of the typelib if this project is exposed to COM +[assembly: Guid("c0ac38b1-1984-4659-b36a-20362dc47f99")] + +// Version information for an assembly consists of the following four values: +// +// Major Version +// Minor Version +// Build Number +// Revision +// +// You can specify all the values or you can default the Build and Revision Numbers +// by using the '*' as shown below: +// [assembly: AssemblyVersion("1.0.*")] +[assembly: AssemblyVersion("1.1.0.0")] +[assembly: AssemblyFileVersion("1.1.0.0")] diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs new file mode 100755 index 000000000..f770a8514 --- /dev/null +++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs @@ -0,0 +1,258 @@ +using System; +using System.Collections.Generic; +using System.Linq; +using System.Text; +using System.Threading.Tasks; +using System.Net; +using System.Net.Sockets; +using System.Runtime.InteropServices; +using System.IO; +using wolfSSL.CSharp; + + +class wolfSSL_Example_IOCallbacks +{ + /// + /// Example call back to allow recieving TLS information + /// + /// structure of ssl passed in + /// buffer to contain recieved msg + /// size of buffer for receiving + /// information passed in from set_fd + /// size of message recieved + private static int wolfSSLCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + wolfssl.log(wolfssl.ERROR_LOG, "wolfssl recieve error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + int amtRecv = 0; + + try + { + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + Socket con = (System.Net.Sockets.Socket)gch.Target; + + Byte[] msg = new Byte[sz]; + amtRecv = con.Receive(msg, msg.Length, 0); + Marshal.Copy(msg, 0, buf, sz); + } + catch (Exception e) + { + wolfssl.log(wolfssl.ENTER_LOG, "Error in recive " + e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + + Console.WriteLine("Example custom receive got {0:D} bytes", amtRecv); + return amtRecv; + } + + + /// + /// Example call back used for sending TLS information + /// + /// pointer to ssl struct + /// buffer containing information to send + /// size of buffer to send + /// object that was set as fd + /// amount of information sent + private static int wolfSSLCbIOSend(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) + { + if (sz <= 0) + { + wolfssl.log(wolfssl.ERROR_LOG, "wolfssl send error, size less than 0"); + return wolfssl.CBIO_ERR_GENERAL; + } + + try + { + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + Socket con = (System.Net.Sockets.Socket)gch.Target; + + Byte[] msg = new Byte[sz]; + Marshal.Copy(buf, msg, 0, sz); + + con.Send(msg, 0, msg.Length, SocketFlags.None); + Console.WriteLine("Example custom send sent {0:D} bytes", sz); + return sz; + } + catch (Exception e) + { + wolfssl.log(wolfssl.ERROR_LOG, "socket connection issue " + e.ToString()); + return wolfssl.CBIO_ERR_CONN_CLOSE; + } + } + + + /// + /// Example of a PSK function call back + /// + /// pointer to ssl structure + /// identity of client connecting + /// buffer to hold key + /// max key size + /// size of key set + public static uint my_psk_server_cb(IntPtr ssl, string identity, IntPtr key, uint max_key) + { + /* perform a check on the identity sent across + * log function must be set for print out of logging information + */ + wolfssl.log(wolfssl.INFO_LOG, "PSK Client Identity = " + identity); + + /* Use desired key, note must be a key smaller than max key size parameter + Replace this with desired key. Is trivial one for testing */ + if (max_key < 4) + return 0; + byte[] tmp = { 26, 43, 60, 77 }; + Marshal.Copy(tmp, 0, key, 4); + + return (uint)4; + } + + + private static void clean(IntPtr ssl, IntPtr ctx) + { + wolfssl.free(ssl); + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } + + + static void Main(string[] args) + { + IntPtr ctx; + IntPtr ssl; + Socket fd; + + wolfssl.psk_delegate psk_cb = new wolfssl.psk_delegate(my_psk_server_cb); + + /* These paths should be changed according to use */ + string fileCert = @"server-cert.pem"; + string fileKey = @"server-key.pem"; + + StringBuilder buff = new StringBuilder(1024); + StringBuilder reply = new StringBuilder("Hello, this is the wolfSSL C# wrapper"); + + wolfssl.Init(); + + Console.WriteLine("Calling ctx Init from wolfSSL"); + ctx = wolfssl.CTX_new(wolfssl.useTLSv1_2_server()); + if (ctx == IntPtr.Zero) + { + Console.WriteLine("Error creating ctx structure"); + return; + } + Console.WriteLine("Finished init of ctx .... now load in cert and key"); + + if (!File.Exists(fileCert) || !File.Exists(fileKey)) + { + Console.WriteLine("Could not find cert or key file"); + wolfssl.CTX_free(ctx); + return; + } + + if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting cert file"); + wolfssl.CTX_free(ctx); + return; + } + + if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) + { + Console.WriteLine("Error in setting key file"); + wolfssl.CTX_free(ctx); + return; + } + + StringBuilder ciphers = new StringBuilder(new String(' ', 4096)); + wolfssl.get_ciphers(ciphers, 4096); + Console.WriteLine("Ciphers : " + ciphers.ToString()); + + Console.Write("Setting cipher suite to "); + /* To use static PSK build wolfSSL with WOLFSSL_STATIC_PSK preprocessor flag */ + StringBuilder set_cipher = new StringBuilder("PSK-AES128-CBC-SHA256"); + Console.WriteLine(set_cipher); + if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS) + { + Console.WriteLine("Failed to set cipher suite"); + Console.WriteLine("If using static PSK make sure wolfSSL was built with preprocessor flag WOLFSSL_STATIC_PSK"); + wolfssl.CTX_free(ctx); + return; + } + + /* Test psk use */ + StringBuilder hint = new StringBuilder("cyassl server"); + if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS) + { + Console.WriteLine("Error setting hint"); + return; + } + wolfssl.CTX_set_psk_server_callback(ctx, psk_cb); + + /* Set using custom IO callbacks + delegate memory is allocated when calling SetIO**** function and freed with ctx free + */ + wolfssl.SetIORecv(ctx, new wolfssl.CallbackIORecv_delegate(wolfSSLCbIORecv)); + wolfssl.SetIOSend(ctx, new wolfssl.CallbackIOSend_delegate(wolfSSLCbIOSend)); + + /* set up TCP socket */ + IPAddress ip = IPAddress.Parse("0.0.0.0"); //bind to any + TcpListener tcp = new TcpListener(ip, 11111); + tcp.Start(); + + Console.WriteLine("Started TCP and waiting for a connection"); + fd = tcp.AcceptSocket(); + ssl = wolfssl.new_ssl(ctx); + + Console.WriteLine("Connection made wolfSSL_accept "); + if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS) + { + /* get and print out the error */ + Console.Write(wolfssl.get_error(ssl)); + tcp.Stop(); + clean(ssl, ctx); + return; + } + + if (wolfssl.accept(ssl) != wolfssl.SUCCESS) + { + /* get and print out the error */ + Console.Write(wolfssl.get_error(ssl)); + tcp.Stop(); + clean(ssl, ctx); + return; + } + + /* print out results of TLS/SSL accept */ + Console.WriteLine("SSL version is " + wolfssl.get_version(ssl)); + Console.WriteLine("SSL cipher suite is " + wolfssl.get_current_cipher(ssl)); + + /* read and print out the message then reply */ + if (wolfssl.read(ssl, buff, 1023) < 0) + { + Console.WriteLine("Error in read"); + tcp.Stop(); + clean(ssl, ctx); + return; + } + Console.WriteLine(buff); + + if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) + { + Console.WriteLine("Error in write"); + tcp.Stop(); + clean(ssl, ctx); + return; + } + + wolfssl.shutdown(ssl); + fd.Close(); + tcp.Stop(); + clean(ssl, ctx); + } +} diff --git a/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj new file mode 100755 index 000000000..8b9bd133e --- /dev/null +++ b/wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj @@ -0,0 +1,84 @@ + + + + + Debug + AnyCPU + {E2415718-0A15-48DB-A774-01FB0093B626} + Exe + Properties + wolfSSL_Example_IOCallbacks + wolfSSL-Example-IOCallbacks + v4.5 + 512 + + + AnyCPU + true + full + false + ..\DLL Debug\ + DEBUG;TRACE + prompt + 4 + + + AnyCPU + pdbonly + true + ..\DLL Release\ + TRACE + prompt + 4 + + + true + ..\x64\DLL Debug\ + DEBUG;TRACE + full + x64 + prompt + MinimumRecommendedRules.ruleset + true + + + ..\x64\DLL Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + true + 0 + + + + + + + + + + + + + + + + + + + {52609808-0418-46d3-8e17-141927a1a39a} + wolfSSL_CSharp + + + + + \ No newline at end of file diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs index 6c0c13c43..35acba0e3 100755 --- a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/Properties/AssemblyInfo.cs @@ -8,9 +8,9 @@ using System.Runtime.InteropServices; [assembly: AssemblyTitle("wolfSSL-TLS-PSK-Server")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] -[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyCompany("wolfSSL")] [assembly: AssemblyProduct("wolfSSL-TLS-PSK-Server")] -[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyCopyright("Copyright wolfSSL 2015")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] @@ -32,5 +32,5 @@ using System.Runtime.InteropServices; // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] -[assembly: AssemblyVersion("1.0.0.0")] -[assembly: AssemblyFileVersion("1.0.0.0")] +[assembly: AssemblyVersion("1.1.0.0")] +[assembly: AssemblyFileVersion("1.1.0.0")] diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs index 7c157b3d8..4c603b9c7 100755 --- a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.cs @@ -47,7 +47,7 @@ public class wolfSSL_TLS_PSK_Server /* perform a check on the identity sent across * log function must be set for print out of logging information */ - wolfssl.log(1, "PSK Client Identity = " + identity); + wolfssl.log(wolfssl.INFO_LOG, "PSK Client Identity = " + identity); /* Use desired key, note must be a key smaller than max key size parameter Replace this with desired key. Is trivial one for testing */ @@ -60,6 +60,14 @@ public class wolfSSL_TLS_PSK_Server } + private static void clean(IntPtr ssl, IntPtr ctx) + { + wolfssl.free(ssl); + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } + + public static void Main(string[] args) { IntPtr ctx; @@ -80,23 +88,31 @@ public class wolfSSL_TLS_PSK_Server Console.WriteLine("Calling ctx Init from wolfSSL"); ctx = wolfssl.CTX_new(wolfssl.useTLSv1_2_server()); + if (ctx == IntPtr.Zero) + { + Console.WriteLine("Error creating ctx structure"); + return; + } Console.WriteLine("Finished init of ctx .... now load in cert and key"); if (!File.Exists(fileCert) || !File.Exists(fileKey)) { Console.WriteLine("Could not find cert or key file"); + wolfssl.CTX_free(ctx); return; } if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error in setting cert file"); + wolfssl.CTX_free(ctx); return; } if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error in setting key file"); + wolfssl.CTX_free(ctx); return; } @@ -108,6 +124,8 @@ public class wolfSSL_TLS_PSK_Server short minDhKey = 128; wolfssl.CTX_SetMinDhKey_Sz(ctx, minDhKey); Console.Write("Setting cipher suite to "); + + /* In order to use static PSK build wolfSSL with the preprocessor flag WOLFSSL_STATIC_PSK */ StringBuilder set_cipher = new StringBuilder("DHE-PSK-AES128-CBC-SHA256"); Console.WriteLine(set_cipher); if (wolfssl.CTX_set_cipher_list(ctx, set_cipher) != wolfssl.SUCCESS) @@ -121,6 +139,7 @@ public class wolfSSL_TLS_PSK_Server if (wolfssl.CTX_use_psk_identity_hint(ctx, hint) != wolfssl.SUCCESS) { Console.WriteLine("Error setting hint"); + wolfssl.CTX_free(ctx); return; } wolfssl.CTX_set_psk_server_callback(ctx, psk_cb); @@ -133,12 +152,21 @@ public class wolfSSL_TLS_PSK_Server Console.WriteLine("Started TCP and waiting for a connection"); fd = tcp.AcceptSocket(); ssl = wolfssl.new_ssl(ctx); + if (ssl == IntPtr.Zero) + { + Console.WriteLine("Error creating ssl object"); + tcp.Stop(); + wolfssl.CTX_free(ctx); + return; + } Console.WriteLine("Connection made wolfSSL_accept "); if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS) { /* get and print out the error */ Console.Write(wolfssl.get_error(ssl)); + tcp.Stop(); + clean(ssl, ctx); return; } @@ -148,6 +176,8 @@ public class wolfSSL_TLS_PSK_Server { /* get and print out the error */ Console.Write(wolfssl.get_error(ssl)); + tcp.Stop(); + clean(ssl, ctx); return; } @@ -159,6 +189,8 @@ public class wolfSSL_TLS_PSK_Server if (wolfssl.read(ssl, buff, 1023) < 0) { Console.WriteLine("Error in read"); + tcp.Stop(); + clean(ssl, ctx); return; } Console.WriteLine(buff); @@ -166,14 +198,14 @@ public class wolfSSL_TLS_PSK_Server if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) { Console.WriteLine("Error in write"); + tcp.Stop(); + clean(ssl, ctx); return; } wolfssl.shutdown(ssl); - wolfssl.free(ssl); fd.Close(); - - wolfssl.CTX_free(ctx); - wolfssl.Cleanup(); + tcp.Stop(); + clean(ssl, ctx); } } diff --git a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj index 3308ae37b..b9bdf26eb 100755 --- a/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj +++ b/wrapper/CSharp/wolfSSL-TLS-PSK-Server/wolfSSL-TLS-PSK-Server.csproj @@ -56,7 +56,6 @@ - diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs index 762bc4d31..cab955e7d 100755 --- a/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs +++ b/wrapper/CSharp/wolfSSL-TLS-Server/Properties/AssemblyInfo.cs @@ -8,9 +8,9 @@ using System.Runtime.InteropServices; [assembly: AssemblyTitle("wolfSSL-TLS-Server")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] -[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyCompany("wolfSSL")] [assembly: AssemblyProduct("wolfSSL-TLS-Server")] -[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyCopyright("Copyright wolfSSL 2015")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] @@ -32,5 +32,5 @@ using System.Runtime.InteropServices; // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] -[assembly: AssemblyVersion("1.0.0.0")] -[assembly: AssemblyFileVersion("1.0.0.0")] +[assembly: AssemblyVersion("1.1.0.0")] +[assembly: AssemblyFileVersion("1.1.0.0")] diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs index 08b9105b8..8a629f3f1 100755 --- a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs +++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs @@ -39,6 +39,15 @@ public class wolfSSL_TLS_CSHarp Console.WriteLine(msg); } + + private static void clean(IntPtr ssl, IntPtr ctx) + { + wolfssl.free(ssl); + wolfssl.CTX_free(ctx); + wolfssl.Cleanup(); + } + + public static void Main(string[] args) { IntPtr ctx; @@ -58,25 +67,34 @@ public class wolfSSL_TLS_CSHarp wolfssl.Init(); + Console.WriteLine("Calling ctx Init from wolfSSL"); ctx = wolfssl.CTX_new(wolfssl.usev23_server()); + if (ctx == IntPtr.Zero) + { + Console.WriteLine("Error in creating ctx structure"); + return; + } Console.WriteLine("Finished init of ctx .... now load in cert and key"); if (!File.Exists(fileCert) || !File.Exists(fileKey)) { Console.WriteLine("Could not find cert or key file"); + wolfssl.CTX_free(ctx); return; } if (wolfssl.CTX_use_certificate_file(ctx, fileCert, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error in setting cert file"); + wolfssl.CTX_free(ctx); return; } if (wolfssl.CTX_use_PrivateKey_file(ctx, fileKey, wolfssl.SSL_FILETYPE_PEM) != wolfssl.SUCCESS) { Console.WriteLine("Error in setting key file"); + wolfssl.CTX_free(ctx); return; } @@ -96,21 +114,31 @@ public class wolfSSL_TLS_CSHarp Console.WriteLine("Started TCP and waiting for a connection"); fd = tcp.AcceptSocket(); ssl = wolfssl.new_ssl(ctx); + if (ssl == IntPtr.Zero) + { + Console.WriteLine("Error in creating ssl object"); + wolfssl.CTX_free(ctx); + return; + } Console.WriteLine("Connection made wolfSSL_accept "); if (wolfssl.set_fd(ssl, fd) != wolfssl.SUCCESS) { /* get and print out the error */ Console.Write(wolfssl.get_error(ssl)); + tcp.Stop(); + clean(ssl, ctx); return; } wolfssl.SetTmpDH_file(ssl, dhparam, wolfssl.SSL_FILETYPE_PEM); - if (wolfssl.accept(ssl) != 1) + if (wolfssl.accept(ssl) != wolfssl.SUCCESS) { /* get and print out the error */ Console.Write(wolfssl.get_error(ssl)); + tcp.Stop(); + clean(ssl, ctx); return; } @@ -122,6 +150,8 @@ public class wolfSSL_TLS_CSHarp if (wolfssl.read(ssl, buff, 1023) < 0) { Console.WriteLine("Error in read"); + tcp.Stop(); + clean(ssl, ctx); return; } Console.WriteLine(buff); @@ -129,14 +159,14 @@ public class wolfSSL_TLS_CSHarp if (wolfssl.write(ssl, reply, reply.Length) != reply.Length) { Console.WriteLine("Error in write"); + tcp.Stop(); + clean(ssl, ctx); return; } wolfssl.shutdown(ssl); - wolfssl.free(ssl); fd.Close(); - - wolfssl.CTX_free(ctx); - wolfssl.Cleanup(); + tcp.Stop(); + clean(ssl, ctx); } } diff --git a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj index f1ee88264..b5b5006ea 100755 --- a/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj +++ b/wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj @@ -75,7 +75,6 @@ - diff --git a/wrapper/CSharp/wolfSSL_CSharp.sln b/wrapper/CSharp/wolfSSL_CSharp.sln index 53c74f173..f7c63d7c1 100755 --- a/wrapper/CSharp/wolfSSL_CSharp.sln +++ b/wrapper/CSharp/wolfSSL_CSharp.sln @@ -23,224 +23,80 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "wolfssl", "..\..\wolfssl.vc EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "..\..\testsuite\testsuite.vcxproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "wolfSSL-Example-IOCallbacks", "wolfSSL-Example-IOCallbacks\wolfSSL-Example-IOCallbacks.csproj", "{E2415718-0A15-48DB-A774-01FB0093B626}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution - Debug|Any CPU = Debug|Any CPU - Debug|Mixed Platforms = Debug|Mixed Platforms - Debug|Win32 = Debug|Win32 - Debug|x64 = Debug|x64 - DLL Debug|Any CPU = DLL Debug|Any CPU - DLL Debug|Mixed Platforms = DLL Debug|Mixed Platforms DLL Debug|Win32 = DLL Debug|Win32 DLL Debug|x64 = DLL Debug|x64 - DLL Release|Any CPU = DLL Release|Any CPU - DLL Release|Mixed Platforms = DLL Release|Mixed Platforms DLL Release|Win32 = DLL Release|Win32 DLL Release|x64 = DLL Release|x64 - Release|Any CPU = Release|Any CPU - Release|Mixed Platforms = Release|Mixed Platforms - Release|Win32 = Release|Win32 - Release|x64 = Release|x64 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Any CPU.Build.0 = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|Win32.ActiveCfg = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|x64.ActiveCfg = Debug|x64 - {52609808-0418-46D3-8E17-141927A1A39A}.Debug|x64.Build.0 = Debug|x64 - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|Win32.Build.0 = Debug|Any CPU {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|x64.ActiveCfg = Debug|x64 {52609808-0418-46D3-8E17-141927A1A39A}.DLL Debug|x64.Build.0 = Debug|x64 - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Any CPU.Build.0 = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Win32.ActiveCfg = Release|Any CPU {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|Win32.Build.0 = Release|Any CPU {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|x64.ActiveCfg = Release|x64 {52609808-0418-46D3-8E17-141927A1A39A}.DLL Release|x64.Build.0 = Release|x64 - {52609808-0418-46D3-8E17-141927A1A39A}.Release|Any CPU.ActiveCfg = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Release|Any CPU.Build.0 = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Release|Mixed Platforms.Build.0 = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Release|Win32.ActiveCfg = Release|Any CPU - {52609808-0418-46D3-8E17-141927A1A39A}.Release|x64.ActiveCfg = Release|x64 - {52609808-0418-46D3-8E17-141927A1A39A}.Release|x64.Build.0 = Release|x64 - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Any CPU.Build.0 = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|Win32.ActiveCfg = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|x64.ActiveCfg = Debug|x64 - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Debug|x64.Build.0 = Debug|x64 - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|Win32.Build.0 = Debug|Any CPU {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|x64.ActiveCfg = Debug|x64 {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Debug|x64.Build.0 = Debug|x64 - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Any CPU.Build.0 = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Win32.ActiveCfg = Release|Any CPU {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|Win32.Build.0 = Release|Any CPU {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|x64.ActiveCfg = Release|x64 {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.DLL Release|x64.Build.0 = Release|x64 - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Any CPU.ActiveCfg = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Any CPU.Build.0 = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Mixed Platforms.Build.0 = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|Win32.ActiveCfg = Release|Any CPU - {8921AD35-4E62-4DAC-8FEE-8C9F8E57DDD2}.Release|x64.ActiveCfg = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Any CPU.Build.0 = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|Win32.ActiveCfg = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|x64.ActiveCfg = Debug|x64 - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Debug|x64.Build.0 = Debug|x64 - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|Win32.Build.0 = Debug|Any CPU {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|x64.ActiveCfg = Debug|x64 {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Debug|x64.Build.0 = Debug|x64 - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Any CPU.Build.0 = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Win32.ActiveCfg = Release|Any CPU {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|Win32.Build.0 = Release|Any CPU {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|x64.ActiveCfg = Release|x64 {030431C7-26AB-4447-815B-F27E88BE5D5B}.DLL Release|x64.Build.0 = Release|x64 - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Any CPU.ActiveCfg = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Any CPU.Build.0 = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Mixed Platforms.Build.0 = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|Win32.ActiveCfg = Release|Any CPU - {030431C7-26AB-4447-815B-F27E88BE5D5B}.Release|x64.ActiveCfg = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Any CPU.Build.0 = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|Win32.ActiveCfg = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|x64.ActiveCfg = Debug|x64 - {730F047E-37A6-498F-A543-B6C98AA7B338}.Debug|x64.Build.0 = Debug|x64 - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|Win32.Build.0 = Debug|Any CPU {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|x64.ActiveCfg = Debug|x64 {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Debug|x64.Build.0 = Debug|x64 - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Any CPU.Build.0 = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Win32.ActiveCfg = Release|Any CPU {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|Win32.Build.0 = Release|Any CPU {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|x64.ActiveCfg = Release|x64 {730F047E-37A6-498F-A543-B6C98AA7B338}.DLL Release|x64.Build.0 = Release|x64 - {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Any CPU.ActiveCfg = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Any CPU.Build.0 = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Mixed Platforms.Build.0 = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|Win32.ActiveCfg = Release|Any CPU - {730F047E-37A6-498F-A543-B6C98AA7B338}.Release|x64.ActiveCfg = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Any CPU.ActiveCfg = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Any CPU.Build.0 = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Mixed Platforms.Build.0 = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|Win32.ActiveCfg = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|x64.ActiveCfg = Debug|x64 - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Debug|x64.Build.0 = Debug|x64 - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Any CPU.ActiveCfg = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Any CPU.Build.0 = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Mixed Platforms.ActiveCfg = Debug|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Mixed Platforms.Build.0 = Debug|Any CPU {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|Win32.Build.0 = Debug|Any CPU {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|x64.ActiveCfg = Debug|x64 {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Debug|x64.Build.0 = Debug|x64 - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Any CPU.ActiveCfg = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Any CPU.Build.0 = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Mixed Platforms.Build.0 = Release|Any CPU {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Win32.ActiveCfg = Release|Any CPU {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|Win32.Build.0 = Release|Any CPU {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|x64.ActiveCfg = Release|x64 {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.DLL Release|x64.Build.0 = Release|x64 - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Any CPU.ActiveCfg = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Any CPU.Build.0 = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Mixed Platforms.ActiveCfg = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Mixed Platforms.Build.0 = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|Win32.ActiveCfg = Release|Any CPU - {77AEF1BE-4BE3-4837-8188-2A06E4D963F5}.Release|x64.ActiveCfg = Release|Any CPU - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Any CPU.ActiveCfg = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Mixed Platforms.Build.0 = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.ActiveCfg = DLL Debug|x64 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|x64.Build.0 = DLL Debug|x64 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Any CPU.ActiveCfg = DLL Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Mixed Platforms.ActiveCfg = DLL Debug|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Mixed Platforms.Build.0 = DLL Debug|Win32 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|Win32.Build.0 = DLL Debug|Win32 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.ActiveCfg = DLL Debug|x64 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Debug|x64.Build.0 = DLL Debug|x64 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Any CPU.ActiveCfg = DLL Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Mixed Platforms.ActiveCfg = DLL Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Mixed Platforms.Build.0 = DLL Release|Win32 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.ActiveCfg = DLL Release|Win32 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|Win32.Build.0 = DLL Release|Win32 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.ActiveCfg = DLL Release|x64 {73973223-5EE8-41CA-8E88-1D60E89A237B}.DLL Release|x64.Build.0 = DLL Release|x64 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Any CPU.ActiveCfg = Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Mixed Platforms.ActiveCfg = Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Mixed Platforms.Build.0 = Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.ActiveCfg = Release|x64 - {73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|x64.Build.0 = Release|x64 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Any CPU.ActiveCfg = Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Mixed Platforms.ActiveCfg = Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|x64.ActiveCfg = Debug|x64 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Any CPU.ActiveCfg = DLL Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Mixed Platforms.ActiveCfg = DLL Debug|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Mixed Platforms.Build.0 = DLL Debug|Win32 {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Win32.ActiveCfg = DLL Debug|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|Win32.Build.0 = DLL Debug|Win32 {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|x64.ActiveCfg = DLL Debug|x64 {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Debug|x64.Build.0 = DLL Debug|x64 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Any CPU.ActiveCfg = DLL Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Mixed Platforms.ActiveCfg = DLL Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Mixed Platforms.Build.0 = DLL Release|Win32 {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Win32.ActiveCfg = DLL Release|Win32 + {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|Win32.Build.0 = DLL Release|Win32 {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|x64.ActiveCfg = DLL Release|x64 {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.DLL Release|x64.Build.0 = DLL Release|x64 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Any CPU.ActiveCfg = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Mixed Platforms.ActiveCfg = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Mixed Platforms.Build.0 = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|x64.ActiveCfg = Release|x64 - {611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|x64.Build.0 = Release|x64 + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|Win32.ActiveCfg = Debug|Any CPU + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|Win32.Build.0 = Debug|Any CPU + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|x64.ActiveCfg = Debug|x64 + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Debug|x64.Build.0 = Debug|x64 + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|Win32.ActiveCfg = Release|Any CPU + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|Win32.Build.0 = Release|Any CPU + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|x64.ActiveCfg = Release|x64 + {E2415718-0A15-48DB-A774-01FB0093B626}.DLL Release|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs b/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs index 2931bee7b..b4df96b9d 100755 --- a/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs +++ b/wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs @@ -8,9 +8,9 @@ using System.Runtime.InteropServices; [assembly: AssemblyTitle("wolfSSL.CSharp")] [assembly: AssemblyDescription("")] [assembly: AssemblyConfiguration("")] -[assembly: AssemblyCompany("Microsoft")] +[assembly: AssemblyCompany("wolfSSL")] [assembly: AssemblyProduct("wolfSSL.CSharp")] -[assembly: AssemblyCopyright("Copyright © Microsoft 2015")] +[assembly: AssemblyCopyright("Copyright wolfSSL 2015")] [assembly: AssemblyTrademark("")] [assembly: AssemblyCulture("")] @@ -32,5 +32,5 @@ using System.Runtime.InteropServices; // You can specify all the values or you can default the Build and Revision Numbers // by using the '*' as shown below: // [assembly: AssemblyVersion("1.0.*")] -[assembly: AssemblyVersion("1.0.0.0")] -[assembly: AssemblyFileVersion("1.0.0.0")] +[assembly: AssemblyVersion("1.1.0.0")] +[assembly: AssemblyFileVersion("1.1.0.0")] diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs index 7085005ec..37cf76d4a 100755 --- a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL.cs @@ -35,6 +35,10 @@ namespace wolfSSL.CSharp { /******************************** * Class for DTLS connections */ + /// + /// Contains information regarding a DTLS conection having UdpClient udp and IPEndPoint ep. + /// Used to keep memory alive. + /// public class DTLS_con { public UdpClient udp; @@ -42,30 +46,118 @@ namespace wolfSSL.CSharp { } + /******************************** + * Class for keeping ctx/ssl handles alive + */ + [StructLayout(LayoutKind.Sequential)] + private class ctx_handles + { + private GCHandle rec_cb; + private GCHandle snd_cb; + private GCHandle psk_cb; + private GCHandle fd_pin; + private IntPtr ctx; + + public void set_receive(GCHandle input) + { + this.rec_cb = input; + } + + public GCHandle get_receive() + { + return this.rec_cb; + } + + public void set_send(GCHandle input) + { + this.snd_cb = input; + } + + public GCHandle get_send() + { + return this.snd_cb; + } + + public void set_psk(GCHandle input) + { + this.psk_cb = input; + } + + public GCHandle get_psk() + { + return this.psk_cb; + } + + public void set_fd(GCHandle input) + { + this.fd_pin = input; + } + + public GCHandle get_fd() + { + return this.fd_pin; + } + + public void set_ctx(IntPtr input) + { + this.ctx = input; + } + + public IntPtr get_ctx() + { + return this.ctx; + } + + /// + /// Called to free the pointers keeping handles alive + /// + public void free() + { + log(INFO_LOG, "freeing handles"); + if (!Object.Equals(this.rec_cb, default(GCHandle))) + { + this.rec_cb.Free(); + } + if (!Object.Equals(this.snd_cb, default(GCHandle))) + { + this.snd_cb.Free(); + } + if (!Object.Equals(this.psk_cb, default(GCHandle))) + { + this.psk_cb.Free(); + } + if (!Object.Equals(this.fd_pin, default(GCHandle))) + { + this.fd_pin.Free(); + } + } + } + + /******************************** * Init wolfSSL library */ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_Init(); + private extern static int wolfSSL_Init(); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_Cleanup(); + private extern static int wolfSSL_Cleanup(); /******************************** * Methods of connection */ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfTLSv1_2_server_method(); + private extern static IntPtr wolfTLSv1_2_server_method(); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSLv23_server_method(); + private extern static IntPtr wolfSSLv23_server_method(); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfTLSv1_2_client_method(); + private extern static IntPtr wolfTLSv1_2_client_method(); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSLv23_client_method(); + private extern static IntPtr wolfSSLv23_client_method(); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfDTLSv1_2_server_method(); + private extern static IntPtr wolfDTLSv1_2_server_method(); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfDTLSv1_2_client_method(); + private extern static IntPtr wolfDTLSv1_2_client_method(); /******************************** @@ -74,33 +166,33 @@ namespace wolfSSL.CSharp { [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate int CallbackIORecv_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIORecv(IntPtr ctx, CallbackIORecv_delegate recv); + private extern static int wolfSSL_SetIORecv(IntPtr ctx, CallbackIORecv_delegate recv); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIOReadCtx(IntPtr ssl, IntPtr rctx); + private extern static int wolfSSL_SetIOReadCtx(IntPtr ssl, IntPtr rctx); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_GetIOReadCtx(IntPtr ssl); + private extern static IntPtr wolfSSL_GetIOReadCtx(IntPtr ssl); [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate int CallbackIOSend_delegate(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIOSend(IntPtr ctx, CallbackIOSend_delegate send); + private extern static int wolfSSL_SetIOSend(IntPtr ctx, CallbackIOSend_delegate send); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetIOWriteCtx(IntPtr ssl, IntPtr wctx); + private extern static int wolfSSL_SetIOWriteCtx(IntPtr ssl, IntPtr wctx); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_GetIOWriteCtx(IntPtr ssl); + private extern static IntPtr wolfSSL_GetIOWriteCtx(IntPtr ssl); /******************************** * CTX structure */ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_CTX_new(IntPtr method); + private extern static IntPtr wolfSSL_CTX_new(IntPtr method); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type); + private extern static int wolfSSL_CTX_use_certificate_file(IntPtr ctx, string file, int type); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type); + private extern static int wolfSSL_CTX_use_PrivateKey_file(IntPtr ctx, string file, int type); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_CTX_free(IntPtr ctx); + private extern static void wolfSSL_CTX_free(IntPtr ctx); /******************************** @@ -109,30 +201,30 @@ namespace wolfSSL.CSharp { [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate uint psk_delegate(IntPtr ssl, string identity, IntPtr key, uint max_sz); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb); + private extern static void wolfSSL_set_psk_server_callback(IntPtr ssl, psk_delegate psk_cb); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb); + private extern static void wolfSSL_CTX_set_psk_server_callback(IntPtr ctx, psk_delegate psk_cb); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder identity); + private extern static int wolfSSL_CTX_use_psk_identity_hint(IntPtr ctx, StringBuilder identity); /******************************** * SSL Structure */ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_new(IntPtr ctx); + private extern static IntPtr wolfSSL_new(IntPtr ctx); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_accept(IntPtr ssl); + private extern static int wolfSSL_accept(IntPtr ssl); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_connect(IntPtr ssl); + private extern static int wolfSSL_connect(IntPtr ssl); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_read(IntPtr ssl, StringBuilder buf, int sz); + private extern static int wolfSSL_read(IntPtr ssl, StringBuilder buf, int sz); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_write(IntPtr ssl, StringBuilder buf, int sz); + private extern static int wolfSSL_write(IntPtr ssl, StringBuilder buf, int sz); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_shutdown(IntPtr ssl); + private extern static int wolfSSL_shutdown(IntPtr ssl); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static void wolfSSL_free(IntPtr ssl); + private extern static void wolfSSL_free(IntPtr ssl); /******************************** @@ -140,30 +232,30 @@ namespace wolfSSL.CSharp { */ /* only supports full name from cipher_name[] delimited by : */ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_set_cipher_list(IntPtr ctx, StringBuilder ciphers); + private extern static int wolfSSL_CTX_set_cipher_list(IntPtr ctx, StringBuilder ciphers); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_set_cipher_list(IntPtr ssl, StringBuilder ciphers); + private extern static int wolfSSL_set_cipher_list(IntPtr ssl, StringBuilder ciphers); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_get_ciphers(StringBuilder ciphers, int sz); + private extern static int wolfSSL_get_ciphers(StringBuilder ciphers, int sz); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_cipher(IntPtr ssl); + private extern static IntPtr wolfSSL_get_cipher(IntPtr ssl); [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_CIPHER_get_name(IntPtr cipher); + private extern static IntPtr wolfSSL_CIPHER_get_name(IntPtr cipher); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_current_cipher(IntPtr ssl); + private extern static IntPtr wolfSSL_get_current_cipher(IntPtr ssl); [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_version(IntPtr ssl); + private extern static IntPtr wolfSSL_get_version(IntPtr ssl); [DllImport(wolfssl_dll, CharSet = CharSet.Ansi, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_get_cipher_list(IntPtr ssl); + private extern static IntPtr wolfSSL_get_cipher_list(IntPtr ssl); /******************************** * Error logging */ + [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl, CharSet=CharSet.Ansi)] + private extern static IntPtr wolfSSL_ERR_error_string(uint err, StringBuilder errOut); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static IntPtr wolfSSL_ERR_error_string(int err, StringBuilder errOut); - [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_get_error(IntPtr ssl, int err); + private extern static int wolfSSL_get_error(IntPtr ssl, int err); [UnmanagedFunctionPointer(CallingConvention.Cdecl)] public delegate void loggingCb(int lvl, StringBuilder msg); private static loggingCb internal_log; @@ -173,9 +265,9 @@ namespace wolfSSL.CSharp { * DH */ [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_CTX_SetMinDhKey_Sz(IntPtr ctx, short size); + private extern static int wolfSSL_CTX_SetMinDhKey_Sz(IntPtr ctx, short size); [DllImport(wolfssl_dll, CallingConvention = CallingConvention.Cdecl)] - public extern static int wolfSSL_SetTmpDH_file(IntPtr ssl, StringBuilder dhParam, int type); + private extern static int wolfSSL_SetTmpDH_file(IntPtr ssl, StringBuilder dhParam, int type); /******************************** @@ -202,6 +294,20 @@ namespace wolfSSL.CSharp { public static readonly int FAILURE = 0; + private static IntPtr unwrap(IntPtr ctx) + { + try { + GCHandle gch = GCHandle.FromIntPtr(ctx); + ctx_handles handles = (ctx_handles)gch.Target; + return handles.get_ctx(); + } catch (Exception e) + { + log(ERROR_LOG, "wolfssl pointer is incorrect " + e); + return IntPtr.Zero; + } + } + + /// /// Call back to allow recieving TLS information /// @@ -220,19 +326,19 @@ namespace wolfSSL.CSharp { int amtRecv = 0; - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - Socket con = (System.Net.Sockets.Socket)gch.Target; - try { + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + Socket con = (System.Net.Sockets.Socket)gch.Target; + Byte[] msg = new Byte[sz]; amtRecv = con.Receive(msg, msg.Length, 0); Marshal.Copy(msg, 0, buf, sz); } catch (Exception e) { - log(1, "Error in recive " + e.ToString()); + log(ERROR_LOG, "Error in recive " + e.ToString()); return wolfssl.CBIO_ERR_CONN_CLOSE; } @@ -256,16 +362,15 @@ namespace wolfSSL.CSharp { return wolfssl.CBIO_ERR_GENERAL; } - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - - Socket con = (System.Net.Sockets.Socket)gch.Target; - - Byte[] msg = new Byte[sz]; - - Marshal.Copy(buf, msg, 0, sz); try { + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + + Socket con = (System.Net.Sockets.Socket)gch.Target; + + Byte[] msg = new Byte[sz]; + Marshal.Copy(buf, msg, 0, sz); con.Send(msg, 0, msg.Length, SocketFlags.None); return sz; } @@ -293,16 +398,15 @@ namespace wolfSSL.CSharp { return wolfssl.CBIO_ERR_GENERAL; } - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - - DTLS_con con = (DTLS_con)gch.Target; - - Byte[] msg = new Byte[sz]; - - Marshal.Copy(buf, msg, 0, sz); try { + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + + DTLS_con con = (DTLS_con)gch.Target; + + Byte[] msg = new Byte[sz]; + Marshal.Copy(buf, msg, 0, sz); con.udp.Send(msg, msg.Length, con.ep); return msg.Length; } @@ -324,21 +428,27 @@ namespace wolfSSL.CSharp { /// size of message recieved private static int wolfSSL_dtlsCbIORecv(IntPtr ssl, IntPtr buf, int sz, IntPtr ctx) { - if (sz <= 0) { log(ERROR_LOG, "wolfssl dtls recieve error, size less than 0"); return wolfssl.CBIO_ERR_GENERAL; } - System.Runtime.InteropServices.GCHandle gch; - gch = GCHandle.FromIntPtr(ctx); - DTLS_con con = (DTLS_con)gch.Target; - - Byte[] msg = new Byte[sz]; try { - msg = con.udp.Receive(ref con.ep); + System.Runtime.InteropServices.GCHandle gch; + gch = GCHandle.FromIntPtr(ctx); + DTLS_con con = (DTLS_con)gch.Target; + + Byte[] msg = con.udp.Receive(ref con.ep); + if (msg.Length > sz) + { + log(ERROR_LOG, "wolfssl DTLS packet received was larger than buffer"); + return wolfssl.CBIO_ERR_GENERAL; + } + + Marshal.Copy(msg, 0, buf, msg.Length); + return msg.Length; } catch (Exception e) { @@ -346,10 +456,6 @@ namespace wolfSSL.CSharp { log(ERROR_LOG, "socket read issue "+ e.ToString()); return wolfssl.CBIO_ERR_CONN_CLOSE; } - - Marshal.Copy(msg, 0, buf, msg.Length); - - return msg.Length; } @@ -360,9 +466,30 @@ namespace wolfSSL.CSharp { /// pointer to ssl structure public static IntPtr new_ssl(IntPtr ctx) { + if (ctx == IntPtr.Zero) + return IntPtr.Zero; + try { - return wolfSSL_new(ctx); + ctx_handles io; + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "new_ssl error"); + return IntPtr.Zero; + } + + io = new ctx_handles(); + io.set_ctx(wolfSSL_new(local_ctx)); + + /* check if null */ + if (io.get_ctx() == IntPtr.Zero) + { + return IntPtr.Zero; + } + + /* keep memory pinned to be able to refrence by address */ + return GCHandle.ToIntPtr(GCHandle.Alloc(io, GCHandleType.Pinned)); } catch (Exception e) { @@ -383,7 +510,14 @@ namespace wolfSSL.CSharp { return FAILURE; try { - return wolfSSL_accept(ssl); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "accept error"); + return FAILURE; + } + + return wolfSSL_accept(sslCtx); } catch (Exception e) { @@ -404,7 +538,14 @@ namespace wolfSSL.CSharp { return FAILURE; try { - return wolfSSL_connect(ssl); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "connect error"); + return FAILURE; + } + + return wolfSSL_connect(sslCtx); } catch (Exception e) { @@ -427,7 +568,14 @@ namespace wolfSSL.CSharp { return FAILURE; try { - return wolfSSL_read(ssl, buf, sz); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "connect error"); + return FAILURE; + } + + return wolfSSL_read(sslCtx, buf, sz); } catch (Exception e) { @@ -450,7 +598,14 @@ namespace wolfSSL.CSharp { return FAILURE; try { - return wolfSSL_write(ssl, buf, sz); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "connect error"); + return FAILURE; + } + + return wolfSSL_write(sslCtx, buf, sz); } catch (Exception e) { @@ -468,20 +623,14 @@ namespace wolfSSL.CSharp { { try { - /* free the handle for the socket */ - IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); - if (ptr != IntPtr.Zero) - { - GCHandle gch = GCHandle.FromIntPtr(ptr); - gch.Free(); - } - ptr = wolfSSL_GetIOWriteCtx(ssl); - if (ptr != IntPtr.Zero) - { - GCHandle gch = GCHandle.FromIntPtr(ptr); - gch.Free(); - } - wolfSSL_free(ssl); + IntPtr sslCtx; + GCHandle gch = GCHandle.FromIntPtr(ssl); + ctx_handles handles = (ctx_handles)gch.Target; + + sslCtx = handles.get_ctx(); + wolfSSL_free(sslCtx); + handles.free(); + gch.Free(); } catch (Exception e) { @@ -501,7 +650,14 @@ namespace wolfSSL.CSharp { return FAILURE; try { - return wolfSSL_shutdown(ssl); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl shutdown error"); + return FAILURE; + } + + return wolfSSL_shutdown(sslCtx); } catch (Exception e) { @@ -520,7 +676,20 @@ namespace wolfSSL.CSharp { { try { - wolfSSL_SetIORecv(ctx, func); + GCHandle gch = GCHandle.FromIntPtr(ctx); + ctx_handles handles = (ctx_handles)gch.Target; + + /* check if already stored handle needs freed */ + gch = handles.get_receive(); + if (!Object.Equals(gch, default(GCHandle))) + { + gch.Free(); + } + + /* keep new function alive */ + handles.set_receive(GCHandle.Alloc(func)); + + wolfSSL_SetIORecv(handles.get_ctx(), func); } catch (Exception e) { @@ -538,7 +707,20 @@ namespace wolfSSL.CSharp { { try { - wolfSSL_SetIOSend(ctx, func); + GCHandle gch = GCHandle.FromIntPtr(ctx); + ctx_handles handles = (ctx_handles)gch.Target; + + /* check if already stored handle needs freed */ + gch = handles.get_send(); + if (!Object.Equals(gch, default(GCHandle))) + { + gch.Free(); + } + + /* keep new function alive */ + handles.set_send(GCHandle.Alloc(func)); + + wolfSSL_SetIOSend(handles.get_ctx(), func); } catch (Exception e) { @@ -560,13 +742,19 @@ namespace wolfSSL.CSharp { if (ctx == IntPtr.Zero) return ctx; + ctx_handles io = new ctx_handles(); + io.set_ctx(ctx); + CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSLCbIORecv); + io.set_receive(GCHandle.Alloc(recv)); wolfSSL_SetIORecv(ctx, recv); CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSLCbIOSend); + io.set_send(GCHandle.Alloc(send)); wolfSSL_SetIOSend(ctx, send); - return ctx; + /* keep memory pinned */ + return GCHandle.ToIntPtr(GCHandle.Alloc(io, GCHandleType.Pinned)); } catch (Exception e) { @@ -589,13 +777,19 @@ namespace wolfSSL.CSharp { if (ctx == IntPtr.Zero) return ctx; + ctx_handles io = new ctx_handles(); + io.set_ctx(ctx); + CallbackIORecv_delegate recv = new CallbackIORecv_delegate(wolfssl.wolfSSL_dtlsCbIORecv); + io.set_receive(GCHandle.Alloc(recv)); wolfSSL_SetIORecv(ctx, recv); CallbackIOSend_delegate send = new CallbackIOSend_delegate(wolfssl.wolfSSL_dtlsCbIOSend); + io.set_send(GCHandle.Alloc(send)); wolfSSL_SetIOSend(ctx, send); - return ctx; + /* keep memory pinned */ + return GCHandle.ToIntPtr(GCHandle.Alloc(io, GCHandleType.Pinned)); } catch (Exception e) { @@ -613,7 +807,11 @@ namespace wolfSSL.CSharp { { try { - wolfSSL_CTX_free(ctx); + GCHandle gch = GCHandle.FromIntPtr(ctx); + ctx_handles handles = (ctx_handles)gch.Target; + wolfSSL_CTX_free(handles.get_ctx()); + handles.free(); + gch.Free(); } catch (Exception e) { @@ -632,7 +830,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_CTX_use_psk_identity_hint(ctx, hint); + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "CTX use psk identity hint error"); + return FAILURE; + } + + return wolfSSL_CTX_use_psk_identity_hint(local_ctx, hint); } catch (Exception e) { @@ -651,7 +856,11 @@ namespace wolfSSL.CSharp { { try { - wolfSSL_CTX_set_psk_server_callback(ctx, psk_cb); + GCHandle gch = GCHandle.FromIntPtr(ctx); + ctx_handles handles = (ctx_handles)gch.Target; + + handles.set_psk(GCHandle.Alloc(psk_cb)); + wolfSSL_CTX_set_psk_server_callback(handles.get_ctx(), psk_cb); } catch (Exception e) { @@ -669,7 +878,11 @@ namespace wolfSSL.CSharp { { try { - wolfSSL_set_psk_server_callback(ssl, psk_cb); + GCHandle gch = GCHandle.FromIntPtr(ssl); + ctx_handles handles = (ctx_handles)gch.Target; + + handles.set_psk(GCHandle.Alloc(psk_cb)); + wolfSSL_set_psk_server_callback(handles.get_ctx(), psk_cb); } catch (Exception e) { @@ -696,18 +909,33 @@ namespace wolfSSL.CSharp { { if (!fd.Equals(null)) { - IntPtr ptr = GCHandle.ToIntPtr(GCHandle.Alloc(fd)); - wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to - wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from + GCHandle gch = GCHandle.FromIntPtr(ssl); + ctx_handles handles = (ctx_handles)gch.Target; + IntPtr sslCtx = handles.get_ctx(); + IntPtr ptr; + GCHandle fd_pin = GCHandle.Alloc(fd); + + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl error setting up fd!!"); + return FAILURE; + } + + handles.set_fd(fd_pin); + ptr = GCHandle.ToIntPtr(fd_pin); + wolfSSL_SetIOWriteCtx(sslCtx, ptr); //pass along the socket for writing to + wolfSSL_SetIOReadCtx(sslCtx, ptr); //pass along the socket for reading from + + return SUCCESS; } + + return FAILURE; } catch (Exception e) { log(ERROR_LOG, "Error setting up fd!! " + e.ToString()); return FAILURE; } - - return 1; } @@ -720,7 +948,15 @@ namespace wolfSSL.CSharp { { try { - IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + IntPtr ptr; + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl get_fd error"); + return null; + } + + ptr = wolfSSL_GetIOReadCtx(sslCtx); if (ptr != IntPtr.Zero) { GCHandle gch = GCHandle.FromIntPtr(ptr); @@ -746,9 +982,6 @@ namespace wolfSSL.CSharp { /// 1 on success public static int set_dtls_fd(IntPtr ssl, UdpClient udp, IPEndPoint ep) { - IntPtr ptr; - DTLS_con con; - /* sanity check on inputs */ if (ssl == IntPtr.Zero) { @@ -759,21 +992,30 @@ namespace wolfSSL.CSharp { { if (!udp.Equals(null) && !ep.Equals(null)) { + IntPtr ptr; + DTLS_con con; + GCHandle gch = GCHandle.FromIntPtr(ssl); + ctx_handles handles = (ctx_handles)gch.Target; + GCHandle fd_pin; + con = new DTLS_con(); con.udp = udp; - con.ep = ep; - ptr = GCHandle.ToIntPtr(GCHandle.Alloc(con)); - wolfSSL_SetIOWriteCtx(ssl, ptr); //pass along the socket for writing to - wolfSSL_SetIOReadCtx(ssl, ptr); //pass along the socket for reading from + con.ep = ep; + fd_pin = GCHandle.Alloc(con); + handles.set_fd(fd_pin); + ptr = GCHandle.ToIntPtr(fd_pin); + wolfSSL_SetIOWriteCtx(handles.get_ctx(), ptr); //pass along the socket for writing to + wolfSSL_SetIOReadCtx(handles.get_ctx(), ptr); //pass along the socket for reading from + + return SUCCESS; } + return FAILURE; } catch (Exception e) { log(ERROR_LOG, "Error setting up fd!! " + e.ToString()); return FAILURE; } - - return 1; } @@ -786,7 +1028,15 @@ namespace wolfSSL.CSharp { { try { - IntPtr ptr = wolfSSL_GetIOReadCtx(ssl); + IntPtr ptr; + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl get_dtls_fd error"); + return null; + } + + ptr = wolfSSL_GetIOReadCtx(sslCtx); if (ptr != IntPtr.Zero) { GCHandle gch = GCHandle.FromIntPtr(ptr); @@ -981,7 +1231,14 @@ namespace wolfSSL.CSharp { IntPtr ssl_cipher_ptr; string ssl_cipher_str; - ssl_cipher = wolfSSL_get_current_cipher(ssl); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl get_current_cipher error"); + return null; + } + + ssl_cipher = wolfSSL_get_current_cipher(sslCtx); ssl_cipher_ptr = wolfSSL_CIPHER_get_name(ssl_cipher); ssl_cipher_str = Marshal.PtrToStringAnsi(ssl_cipher_ptr); @@ -1005,7 +1262,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_CTX_set_cipher_list(ctx, list); + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "CTX set cipher list error"); + return FAILURE; + } + + return wolfSSL_CTX_set_cipher_list(local_ctx, list); } catch (Exception e) { @@ -1025,7 +1289,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_set_cipher_list(ssl, list); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl set_cipher_list error"); + return FAILURE; + } + + return wolfSSL_set_cipher_list(sslCtx, list); } catch (Exception e) { @@ -1050,7 +1321,14 @@ namespace wolfSSL.CSharp { IntPtr version_ptr; string version; - version_ptr = wolfSSL_get_version(ssl); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl get_version error"); + return null; + } + + version_ptr = wolfSSL_get_version(sslCtx); version = Marshal.PtrToStringAnsi(version_ptr); return version; @@ -1079,12 +1357,19 @@ namespace wolfSSL.CSharp { StringBuilder err_name; StringBuilder ret; + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl get_error error"); + return null; + } + /* wolfSSL max error length is 80 */ ret = new StringBuilder(' ', 100); - err = wolfSSL_get_error(ssl, 0); - err_name = new StringBuilder(' ', 80); - wolfSSL_ERR_error_string(err, err_name); - ret.Append("Error " + err + " " + err_name); + err = wolfSSL_get_error(sslCtx, 0); + err_name = new StringBuilder(new String(' ', 80)); + wolfSSL_ERR_error_string((uint)err, err_name); + ret.Append("Error " + err + " " + err_name.ToString()); return ret.ToString(); } @@ -1107,7 +1392,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_CTX_use_certificate_file(ctx, fileCert, type); + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "CTX use certificate file error"); + return FAILURE; + } + + return wolfSSL_CTX_use_certificate_file(local_ctx, fileCert, type); } catch (Exception e) { @@ -1128,7 +1420,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_CTX_use_PrivateKey_file(ctx, fileKey, type); + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "CTX use PrivateKey file error"); + return FAILURE; + } + + return wolfSSL_CTX_use_PrivateKey_file(local_ctx, fileKey, type); } catch (Exception e) { @@ -1149,7 +1448,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_SetTmpDH_file(ssl, dhparam, file_type); + IntPtr sslCtx = unwrap(ssl); + if (sslCtx == IntPtr.Zero) + { + log(ERROR_LOG, "wolfssl SetTmpDH_file error"); + return FAILURE; + } + + return wolfSSL_SetTmpDH_file(sslCtx, dhparam, file_type); } catch (Exception e) { @@ -1169,7 +1475,14 @@ namespace wolfSSL.CSharp { { try { - return wolfSSL_CTX_SetMinDhKey_Sz(ctx, minDhKey); + IntPtr local_ctx = unwrap(ctx); + if (local_ctx == IntPtr.Zero) + { + log(ERROR_LOG, "CTX SetMinDhKey_Sz error"); + return FAILURE; + } + + return wolfSSL_CTX_SetMinDhKey_Sz(local_ctx, minDhKey); } catch (Exception e) { diff --git a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj index 7cc8fc8b3..d5eabceba 100755 --- a/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj +++ b/wrapper/CSharp/wolfSSL_CSharp/wolfSSL_CSharp.csproj @@ -53,7 +53,6 @@ - diff --git a/wrapper/include.am b/wrapper/include.am index 2b3f26e2a..bb61de307 100644 --- a/wrapper/include.am +++ b/wrapper/include.am @@ -18,6 +18,10 @@ EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.Designer.cs EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/Properties/Settings.settings EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.cs EXTRA_DIST+= wrapper/CSharp/wolfSSL-TLS-Server/wolfSSL-TLS-Server.csproj +EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/App.config +EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/Properties/AssemblyInfo.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.cs +EXTRA_DIST+= wrapper/CSharp/wolfSSL-Example-IOCallbacks/wolfSSL-Example-IOCallbacks.csproj EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp.sln EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/AssemblyInfo.cs EXTRA_DIST+= wrapper/CSharp/wolfSSL_CSharp/Properties/Resources.Designer.cs From 4a0c4fbf3fdc3ae014b2ec830de923c36dbaf3b3 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 7 Dec 2015 09:25:19 -0800 Subject: [PATCH 114/177] remove fprintf from ecdsa verify fail wrapper --- src/ssl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 9dbd97fe7..4362f95f1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17145,7 +17145,6 @@ int wolfSSL_ED25519_verify(const unsigned char *msg, unsigned int msgSz, if ((ret = wc_ed25519_verify_msg((byte*)sig, sigSz, msg, msgSz, &check, &key)) != MP_OKAY) { WOLFSSL_MSG("wc_ed25519_verify_msg failed"); - fprintf(stderr, "err code = %d, sigSz=%d, msgSz=%d\n", ret, sigSz, msgSz); } else if (!check) WOLFSSL_MSG("wc_ed25519_verify_msg failed (signature invalid)"); From c7fdc9ba9e683b148880a22ffcf258c988f9e78f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 7 Dec 2015 11:24:14 -0800 Subject: [PATCH 115/177] DTLS Hello Verify and Server Hello should use the sequence number of the Client Hello --- src/internal.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/internal.c b/src/internal.c index 308a594c2..a15a63016 100644 --- a/src/internal.c +++ b/src/internal.c @@ -12836,14 +12836,17 @@ int DoSessionTicket(WOLFSSL* ssl, ssl->buffers.outputBuffer.length; sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ; + #ifdef WOLFSSL_DTLS + if (ssl->options.dtls) { + /* Server Hello should use the same sequence number as the + * Client Hello. */ + ssl->keys.dtls_sequence_number = ssl->keys.dtls_state.curSeq; + idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; + sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; + } + #endif /* WOLFSSL_DTLS */ AddHeaders(output, length, server_hello, ssl); - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - idx += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA; - } - #endif /* now write to output */ /* first version */ output[idx++] = ssl->version.major; @@ -15693,6 +15696,9 @@ int DoSessionTicket(WOLFSSL* ssl, output = ssl->buffers.outputBuffer.buffer + ssl->buffers.outputBuffer.length; + /* Hello Verify Request should use the same sequence number as the + * Client Hello. */ + ssl->keys.dtls_sequence_number = ssl->keys.dtls_state.curSeq; AddHeaders(output, length, hello_verify_request, ssl); { DtlsRecordLayerHeader* rh = (DtlsRecordLayerHeader*)output; From d30a1be572e888b3ee3e6ee12d8f040d409a6739 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 7 Dec 2015 18:19:09 -0300 Subject: [PATCH 116/177] adds new certificates for OCSP tests --- certs/ocsp/index.txt | 1 - certs/ocsp/index0.txt | 2 + certs/ocsp/index1.txt | 2 + certs/ocsp/index2.txt | 1 + certs/ocsp/intermediate1-ca-cert.pem | 182 +++++++++++++++++ certs/ocsp/intermediate1-ca-key.pem | 28 +++ certs/ocsp/intermediate2-ca-cert.pem | 182 +++++++++++++++++ certs/ocsp/intermediate2-ca-key.pem | 28 +++ certs/ocsp/ocsp-cert.pem | 182 ----------------- certs/ocsp/ocsp-responder-cert.pem | 180 +++++++++++++++++ .../{ocsp-key.pem => ocsp-responder-key.pem} | 0 certs/ocsp/ocspd.sh | 9 - certs/ocsp/ocspd0.sh | 10 + certs/ocsp/ocspd1.sh | 10 + certs/ocsp/ocspd2.sh | 10 + certs/ocsp/openssl.cnf | 33 ++++ certs/ocsp/renewcerts.sh | 50 +++++ certs/ocsp/root-ca-cert.pem | 91 +++++++++ certs/ocsp/root-ca-key.pem | 28 +++ certs/ocsp/server1-cert.pem | 184 ++++++++++++++++++ certs/ocsp/server1-key.pem | 28 +++ certs/ocsp/server2-cert.pem | 184 ++++++++++++++++++ certs/ocsp/server2-key.pem | 28 +++ certs/ocsp/server3-cert.pem | 184 ++++++++++++++++++ certs/ocsp/server3-key.pem | 28 +++ 25 files changed, 1473 insertions(+), 192 deletions(-) delete mode 100644 certs/ocsp/index.txt create mode 100644 certs/ocsp/index0.txt create mode 100644 certs/ocsp/index1.txt create mode 100644 certs/ocsp/index2.txt create mode 100644 certs/ocsp/intermediate1-ca-cert.pem create mode 100644 certs/ocsp/intermediate1-ca-key.pem create mode 100644 certs/ocsp/intermediate2-ca-cert.pem create mode 100644 certs/ocsp/intermediate2-ca-key.pem delete mode 100644 certs/ocsp/ocsp-cert.pem create mode 100644 certs/ocsp/ocsp-responder-cert.pem rename certs/ocsp/{ocsp-key.pem => ocsp-responder-key.pem} (100%) delete mode 100755 certs/ocsp/ocspd.sh create mode 100755 certs/ocsp/ocspd0.sh create mode 100755 certs/ocsp/ocspd1.sh create mode 100755 certs/ocsp/ocspd2.sh create mode 100644 certs/ocsp/openssl.cnf create mode 100755 certs/ocsp/renewcerts.sh create mode 100644 certs/ocsp/root-ca-cert.pem create mode 100644 certs/ocsp/root-ca-key.pem create mode 100644 certs/ocsp/server1-cert.pem create mode 100644 certs/ocsp/server1-key.pem create mode 100644 certs/ocsp/server2-cert.pem create mode 100644 certs/ocsp/server2-key.pem create mode 100644 certs/ocsp/server3-cert.pem create mode 100644 certs/ocsp/server3-key.pem diff --git a/certs/ocsp/index.txt b/certs/ocsp/index.txt deleted file mode 100644 index 91b85cff4..000000000 --- a/certs/ocsp/index.txt +++ /dev/null @@ -1 +0,0 @@ -V 051213070133Z 01 unknown /C=US/ST=Montana/L=Bozeman/O=wolfSSL/OU=Support/CN=www.wolfssl.com/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/index0.txt b/certs/ocsp/index0.txt new file mode 100644 index 000000000..3b7524369 --- /dev/null +++ b/certs/ocsp/index0.txt @@ -0,0 +1,2 @@ +V 161213070133Z 01 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com +R 161213070133Z 151201070133Z 02 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/index1.txt b/certs/ocsp/index1.txt new file mode 100644 index 000000000..fc223eedc --- /dev/null +++ b/certs/ocsp/index1.txt @@ -0,0 +1,2 @@ +V 161213070133Z 04 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www1.wolfssl.com/emailAddress=info@wolfssl.com +R 161213070133Z 151201070133Z 05 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www2.wolfssl.com/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/index2.txt b/certs/ocsp/index2.txt new file mode 100644 index 000000000..3edb677b5 --- /dev/null +++ b/certs/ocsp/index2.txt @@ -0,0 +1 @@ +V 161213070133Z 06 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www3.wolfssl.com/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/intermediate1-ca-cert.pem b/certs/ocsp/intermediate1-ca-cert.pem new file mode 100644 index 000000000..a4a1cb222 --- /dev/null +++ b/certs/ocsp/intermediate1-ca-cert.pem @@ -0,0 +1,182 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 3d:92:fc:b0:73:95:d8:5a:18:e3:27:fc:55:05:14:54:2e:af: + 37:1e:37:11:25:e8:c9:7a:b0:9b:68:fb:a0:69:91:fd:bb:dd: + 00:55:fb:30:b3:4a:59:a6:58:bb:e4:03:3e:f2:98:a2:07:71: + c7:de:3a:a0:0b:eb:43:44:77:2b:fc:5d:96:a7:89:c8:1a:6a: + 6e:b6:34:00:bb:e0:8a:5b:2b:ad:3a:f4:ab:b9:d4:54:f9:85: + 9a:f7:3b:23:00:dc:17:8f:55:1f:b9:e1:17:10:61:91:50:77: + b6:57:be:75:61:6e:cc:9c:27:76:32:c2:de:b4:ee:11:ff:10: + f7:99:49:38:8e:af:af:fa:73:1e:34:20:6c:3e:9f:cb:56:70: + 20:47:21:d3:2c:db:9b:ad:3b:32:96:72:be:d3:1b:d2:33:21: + 9b:4b:86:3a:64:45:37:8b:60:80:3b:3e:08:7a:06:f2:aa:20: + 7b:63:2c:df:03:c0:2a:74:07:61:db:f3:ec:8a:17:a4:36:a1: + 6c:b6:c0:64:f7:8a:5b:d0:43:64:bb:3e:ed:5d:e8:06:9c:b0: + ef:c2:f3:d1:ff:e2:05:5e:1f:e1:bd:ef:2a:32:a3:44:9f:44: + 99:c0:a3:27:8b:af:24:c4:5f:2b:d5:05:a2:18:70:32:a4:d2: + 75:16:1b:b1 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN60yFx34C2x9bmtFkc1oDVlZcbh +QKsetLkTt8uMu3eldtpth4f2Sk0T5CY+J4fuW8dqP0UwYVVc9jXRZfqYEaOnVdW+ +kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN +MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr +GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a +lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA +cYJkRNoOMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPZL8 +sHOV2FoY4yf8VQUUVC6vNx43ESXoyXqwm2j7oGmR/bvdAFX7MLNKWaZYu+QDPvKY +ogdxx946oAvrQ0R3K/xdlqeJyBpqbrY0ALvgilsrrTr0q7nUVPmFmvc7IwDcF49V +H7nhFxBhkVB3tle+dWFuzJwndjLC3rTuEf8Q95lJOI6vr/pzHjQgbD6fy1ZwIEch +0yzbm607MpZyvtMb0jMhm0uGOmRFN4tggDs+CHoG8qoge2Ms3wPAKnQHYdvz7IoX +pDahbLbAZPeKW9BDZLs+7V3oBpyw78Lz0f/iBV4f4b3vKjKjRJ9EmcCjJ4uvJMRf +K9UFohhwMqTSdRYbsQ== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 17246491846582506789 (0xef57d8f569389525) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: + c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: + b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: + c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: + 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: + 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: + 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: + 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: + 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: + 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: + 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: + c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: + 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: + 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: + f9:fe:bc:01 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ +MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM +D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE +CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT +U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA +wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ +X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 +zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T +tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC +1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE +gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe +vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym +9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn +YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 +MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc +UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM +H8bKHeSMPjGB+f68AQ== +-----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate1-ca-key.pem b/certs/ocsp/intermediate1-ca-key.pem new file mode 100644 index 000000000..7147c9b0b --- /dev/null +++ b/certs/ocsp/intermediate1-ca-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDetMhcd+AtsfW5 +rRZHNaA1ZWXG4UCrHrS5E7fLjLt3pXbabYeH9kpNE+QmPieH7lvHaj9FMGFVXPY1 +0WX6mBGjp1XVvpGCS/y+kNZQU2OaLCLhNRHceAKXiuRGkpxTCHbeH1O2uMp3Pnlu +vNDjDTBbTPaUDTApZJ8E5dv7iWBnu68mg1F3JC8rC6GUgRCY6OsmqB585MRsZwaV +VUrdUvTyYG0BKxmRNW2kCEcGcSQA2d7GVvOLUyzimpal82LlxOMj8tL8IeoPYnaN +1ZlIztxYxLt/2pQsgHSDxeCwFX5B/Q7y9PB4dnutJg2qSJYXLyHjlSsmN/mqgC/+ +3vZevJd/AgMBAAECggEBAJC4sitEyy1mo+QREpUbyAxq5ASlhDyvK4nJwnpH7dsG +b4HqA1TbO9Vyw6QGZ/HxdzrTVGJF2jp6upSmirqZ73yF1UWdHTmq34eG3347clJR +tCjdL8oxQp3v5//kbimXKoeVm/T1iLyMoKTRlny1qWLrVKFJIK8FcEDijl2bHEbL +fdlPSJTN+y0zWoS3urRi/IPrsob23B4ILj0n+yUR4eOK25I3trqgsqcfTyMhX8tH +eyD4C+ir0j5evnmBhsKL0cUgGxGj8aVdOgab8dlKlDNi7HH5fe/FTMAQ344uege8 +D5dytc1H4wWq3le1PsvCh56lyPx7P4BamNzuJ85OnWECgYEA8xSw544oIe6RzMxh +51pYLyf1aU8zd9w0ISkXnXQ4RxcNubbFHLu/S/vSlbE5qqSf128H3XkAP6HT6UJe +JS/WqJbUcdWkzULjj7fLXJ2oer3hrVXq2L9Me1l0XrYoBvRuap15AtQ/cxafxMUZ +HpEWam0EPxoTkTp4EUWi++U09yMCgYEA6org2l1qdqChHw3ihlfl3rKMY/DT+f1b +uMnbMKNhqgyV3ItSh7MnVJurvJ56CQVuVay+T11qfyo3cKzxNYLYTGLvAtBeK/aC +B/hdCvxMBpXd71Vlnz0w6qJi0mkGNNTFGzxwqwPByqP0NyKStPN3W98HwFhiqKmU +y8wpv5ZeUfUCgYEAx1Ba8bLdc10zzbJ0QIgSsK/aCXx4njo/wET6aQ/HqXrctT+J +BlNnur0EYduMhkAwFCylTVMPAh4GLUhO+7zrDReHoMNmOywyfUBeDlXztJkHd+Jw +C0NoSegChDpmPbWk5+SxOcGhORP+8xAN1cNvltpG1hrimn1PwBHSXysEr/MCgYEA +hLVUCPp2dOzqfcHDfLRbcqigWyQ3LOo4bdR5W4n2httcKFAEwJeUF4GFqNIaxuP1 +zDBT9mArFAz1FaIlUVvZu073YiY4QrPWW2AidUbQVaGS1AsD1xguh3SeaePXCSmi +5YhLT9huXJRsaI39aLmhva/ymNjp6fkaIj5BGRCiCckCgYEAkZjADCg9gcqJo5oc +RDMpHT8C6SjE6+W0+00AnH1rSK0ev7uAGb6/rOpsShRiGubo7Ekil1MyMuOFmLPK +9K5oi4KKmVfTaPMfm2UnVCC2Dv2nMXkmYdQKiGgwbAhYfu/wGQXj682r2YYD4Xsa +qz7cWosuOKihAVhA52vZ7YacW2c= +-----END PRIVATE KEY----- diff --git a/certs/ocsp/intermediate2-ca-cert.pem b/certs/ocsp/intermediate2-ca-cert.pem new file mode 100644 index 000000000..34f0c52b8 --- /dev/null +++ b/certs/ocsp/intermediate2-ca-cert.pem @@ -0,0 +1,182 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4: + 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7: + 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6: + 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77: + 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db: + 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb: + ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98: + 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1: + 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a: + 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52: + 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d: + f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35: + cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36: + a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f: + 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55: + f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96: + aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff: + d9:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 00:5e:fe:87:51:fc:e7:de:5c:e5:97:17:d2:af:6d:3b:65:29: + 27:3b:06:d7:55:5a:93:56:12:0f:8b:e7:57:69:dc:ae:ec:ec: + 2b:cd:cd:d0:15:c0:63:a3:5c:d9:6e:59:d2:88:b6:da:1c:ac: + b7:fe:46:2a:37:7b:5f:0b:30:80:7e:a5:46:8f:38:58:7e:df: + 8e:d0:f9:27:e6:e7:26:01:f8:04:5f:21:0d:7a:27:85:af:f8: + 41:15:aa:1d:73:3d:32:2a:a1:6b:f7:9e:36:3a:a3:26:dc:b8: + be:f2:61:ea:11:49:1c:43:68:5f:8c:a5:87:7b:71:a6:78:d0: + 1a:f1:f7:45:6c:59:eb:88:b5:ef:00:59:4f:71:48:00:73:11: + 2c:74:af:8d:1e:67:ee:cf:b3:9d:a4:64:ee:90:a7:f8:69:0a: + 8f:9b:74:89:68:c7:e4:1b:22:73:f1:23:94:c2:dd:4a:11:ee: + 9c:99:20:f7:e1:06:2a:ef:1b:1a:1c:10:f9:0b:0b:49:82:af: + 5f:38:75:0c:c3:a5:b8:9f:21:c5:61:eb:6d:6e:2d:d5:b5:89: + 19:28:ff:94:c1:55:eb:77:79:b5:57:e1:44:05:54:28:ca:66: + c5:4e:75:63:1b:b7:c4:57:fa:35:94:f7:82:3d:06:cc:f0:13: + bf:0e:23:70 +-----BEGIN CERTIFICATE----- +MIIE8TCCA9mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L +RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLH +dbRqK6kjhb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcu +SyjFU0YjK4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPk +yIlDYfEluM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1 +JMvpSd+BnZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkF +UPC/7H8S4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORG +eP/ZmQIDAQABo4IBNDCCATAwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi +7ioFJLcRrS1g8ZAUjxcwgcwGA1UdIwSBxDCBwYAUc7AcpC+Cy89HpTjXsASCOn5y +FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw +DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp +bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tggkA71fY9Wk4lSUwMgYIKwYBBQUHAQEEJjAkMCIG +CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUA +A4IBAQAAXv6HUfzn3lzllxfSr207ZSknOwbXVVqTVhIPi+dXadyu7Owrzc3QFcBj +o1zZblnSiLbaHKy3/kYqN3tfCzCAfqVGjzhYft+O0Pkn5ucmAfgEXyENeieFr/hB +Faodcz0yKqFr9542OqMm3Li+8mHqEUkcQ2hfjKWHe3GmeNAa8fdFbFnriLXvAFlP +cUgAcxEsdK+NHmfuz7OdpGTukKf4aQqPm3SJaMfkGyJz8SOUwt1KEe6cmSD34QYq +7xsaHBD5CwtJgq9fOHUMw6W4nyHFYettbi3VtYkZKP+UwVXrd3m1V+FEBVQoymbF +TnVjG7fEV/o1lPeCPQbM8BO/DiNw +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 17246491846582506789 (0xef57d8f569389525) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: + c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: + b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: + c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: + 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: + 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: + 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: + 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: + 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: + 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: + 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: + c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: + 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: + 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: + f9:fe:bc:01 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ +MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM +D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE +CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT +U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA +wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ +X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 +zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T +tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC +1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE +gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe +vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym +9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn +YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 +MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc +UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM +H8bKHeSMPjGB+f68AQ== +-----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate2-ca-key.pem b/certs/ocsp/intermediate2-ca-key.pem new file mode 100644 index 000000000..61cec0879 --- /dev/null +++ b/certs/ocsp/intermediate2-ca-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDQIDw1GW8sRLR+ +Qsd1tGorqSOFv4e07srXSx8x1xECoatYPfvcUco6HR+VplaC94//a1C76hDhRx01 +dy5LKMVTRiMrgv1a0/Qh2w7g8nYzR7MAvjqxI5hT6+qg3hvMBU7uY6gskyTWmHh0 +A+TIiUNh8SW4zTuHwTEl/bpM/CmURZ5p12cKio7VUpMwog7dahywlHfbUlK3iSG+ +lnUky+lJ34GdnfhVfQEq63gDEuIgbttjNc2hlvD4jCA1aYcByrRUNqAV4CN9ufu+ +mQVQ8L/sfxLhPXUVTsjCMOaL/uWLVfhEXuXjVuBmLW9CWkVrlqrHXUEIX87X3J8g +5EZ4/9mZAgMBAAECggEAR2vofWhfCFgDgJi2DiR9ksIWWJ2jmmmf3kX/TIE7ayXD +wSJ0PeUresnnvtk4MvV1yvcu2221oTlgQqrFjjFNlggppZLsErFNxBiCgJt0CKEA +Qq8FQSiv64y4FcBi1Z60uYYlfjZ4m9Py8g0sA81m/ENe6I41cZ7QmPL7bdPTCPhE +cGwPKjkw1xwDn6EeK5x5sscfCrlKXsH4zhXH67r2iwQ7x5+t4pWApdT15rMX+r0E +HzBoj4wjhR7yo9nZDqhBZiOJF/zQGTCkj6J451Rj47s42fLTYgVyW5D1DO9wBvQQ +i7AwwDuimVqKNGW7J/oRjhiBAKFr2IOGcAFJJbM3SQKBgQD1JRO9umdNfqj38kw5 +DMeydVITvhYjSfc+F2R1hldX9kSdowttJ3GwArnjsZLSfttj7/gnRVPJC+OWvJGm +AmegmCXJGl/mtDAlN+MDJw2/KEdcC4CHMqRokrNNF3zafbTDIDq24kAMx1wef46k +8+9F3IPY+arD50LSkS5+gUUk1wKBgQDZV4R9yCeAE8o+ejks7lBC8kk5CxZKbXPA +o4vPHGKOknmZGqfKJY9Auk7nk4g56K9GxlotlsjwCwuSBdkqjDkqMypHG9odh6s8 +8iFjVGvJvY6x+PXONW6cjG2K6Lif0o0/bx+C+2Sy05koV1eYY4+EskafqTxbQgSa +0t85a6u3DwKBgGK4g7KsFl3G3BS9pqRy2Ris1ljM++1KJB8FHJeXeiUaL5eryTYz +5DyVXHatVAsguwkL4ksuSAd2mjhhx+WqokCyBMVvsZ8egST71Je4anjIp7QRjbjk +VAEo0rwA8W6roNfTatGrW0/KGPbPN4qGEZ14qEAAixxJTUeu36JiPI4RAoGASK43 +pEh2zSHRFCuTSy82r+yOCAFpJuKLPvRyIISBgOQCvexoB/WffinPkSmI+LSTSLu0 +FGLEN2G6MM673LqfszkA/l6WBiIEZZEjETB+CyzUtzdmG9tKbheX2kgQ1YF3sqra +gtbGyfZw1UjABjnlGJ71dxcFFA9zssKp223iMokCgYAEBpHy/x90qWR6d9ApXZnC +PMvcZCa2EgQWBabOkyxF7Ao8mIu0K4rqRM9XBlboRRBQdEP3qL7whJ2voZ7frZYH +E9hcwnH4F6rBki9PHbEaU80FfTUplKr+qMJavhQ8O1zGhWr7JSF6ByqTQDYWI8BX +3Q6DAbgdQeeCKFpi4256AA== +-----END PRIVATE KEY----- diff --git a/certs/ocsp/ocsp-cert.pem b/certs/ocsp/ocsp-cert.pem deleted file mode 100644 index 3867817a5..000000000 --- a/certs/ocsp/ocsp-cert.pem +++ /dev/null @@ -1,182 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 3 (0x3) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com - Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT - Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support\ocsp.wolfssl.com, CN=info@wolfssl.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:b8:ba:23:b4:f6:c3:7b:14:c3:a4:f5:1d:61:a1: - f5:1e:63:b9:85:23:34:50:6d:f8:7c:a2:8a:04:8b: - d5:75:5c:2d:f7:63:88:d1:07:7a:ea:0b:45:35:2b: - eb:1f:b1:22:b4:94:41:38:e2:9d:74:d6:8b:30:22: - 10:51:c5:db:ca:3f:46:2b:fe:e5:5a:3f:41:74:67: - 75:95:a9:94:d5:c3:ee:42:f8:8d:eb:92:95:e1:d9: - 65:b7:43:c4:18:de:16:80:90:ce:24:35:21:c4:55: - ac:5a:51:e0:2e:2d:b3:0a:5a:4f:4a:73:31:50:ee: - 4a:16:bd:39:8b:ad:05:48:87:b1:99:e2:10:a7:06: - 72:67:ca:5c:d1:97:bd:c8:f1:76:f8:e0:4a:ec:bc: - 93:f4:66:4c:28:71:d1:d8:66:03:b4:90:30:bb:17: - b0:fe:97:f5:1e:e8:c7:5d:9b:8b:11:19:12:3c:ab: - 82:71:78:ff:ae:3f:32:b2:08:71:b2:1b:8c:27:ac: - 11:b8:d8:43:49:cf:b0:70:b1:f0:8c:ae:da:24:87: - 17:3b:d8:04:65:6c:00:76:50:ef:15:08:d7:b4:73: - 68:26:14:87:95:c3:5f:6e:61:b8:87:84:fa:80:1a: - 0a:8b:98:f3:e3:ff:4e:44:1c:65:74:7c:71:54:65: - e5:39 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 32:67:E1:B1:79:D2:81:FC:9F:23:0C:70:40:50:B5:46:56:B8:30:36 - X509v3 Authority Key Identifier: - keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 - DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:A6:66:38:49:45:9B:DC:81 - - X509v3 Key Usage: - Digital Signature, Non Repudiation, Key Encipherment - X509v3 Extended Key Usage: - OCSP Signing - X509v3 Basic Constraints: - CA:FALSE - Signature Algorithm: sha256WithRSAEncryption - 66:26:ec:73:2a:08:3b:22:c5:56:35:f7:77:c8:e5:96:88:3d: - 11:78:ac:84:22:25:26:9d:c8:cf:32:ed:fb:bc:38:9f:ae:8d: - 99:13:3a:b3:59:e7:50:a4:b5:56:a8:05:e1:21:6c:26:5c:ee: - f7:55:b7:ea:b2:72:80:4f:4e:70:1d:fb:a7:5e:02:d6:d9:37: - d6:80:71:42:98:63:ef:f4:4a:a1:9a:95:1d:fd:99:13:de:3b: - 10:d6:ed:1b:0d:ff:9e:14:2e:e0:8f:5f:ef:8d:b4:0d:5e:60: - 4b:b9:d4:d1:58:6e:eb:bb:ad:4a:ac:44:13:62:f7:d1:b4:00: - f3:8f:35:bb:b1:76:8f:d9:1a:87:14:66:4b:de:04:91:42:f1: - b7:d2:8b:e1:14:6c:31:30:03:8f:62:f2:b3:ee:f1:67:81:67: - 5f:a1:56:9b:93:54:e8:c7:05:b5:fa:64:c8:b3:a8:b4:1f:49: - 9b:e0:d4:74:01:19:53:07:b1:0a:47:bb:37:37:58:e4:ce:18: - 87:08:a0:8b:69:d3:d5:f3:b6:28:07:2d:56:e7:3e:0e:5f:07: - c5:e0:d8:57:bc:55:96:fc:ec:18:4e:7a:ed:23:7b:53:53:b7: - ee:36:fb:a3:89:65:ce:6e:f1:8f:8a:05:e4:d9:f3:3a:05:8a: - d7:00:95:a0 ------BEGIN CERTIFICATE----- -MIIEsDCCA5igAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlDELMAkGA1UEBhMCVVMx -EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh -d3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNz -bC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUxMTIz -MTI0OTM3WhcNMTgwODE5MTI0OTM3WjCBgTELMAkGA1UEBhMCVVMxEDAOBgNVBAgM -B01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xEDAOBgNVBAoMB3dvbGZTU0wxITAf -BgNVBAsMGFN1cHBvcnRcb2NzcC53b2xmc3NsLmNvbTEZMBcGA1UEAwwQaW5mb0B3 -b2xmc3NsLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALi6I7T2 -w3sUw6T1HWGh9R5juYUjNFBt+HyiigSL1XVcLfdjiNEHeuoLRTUr6x+xIrSUQTji -nXTWizAiEFHF28o/Riv+5Vo/QXRndZWplNXD7kL4jeuSleHZZbdDxBjeFoCQziQ1 -IcRVrFpR4C4tswpaT0pzMVDuSha9OYutBUiHsZniEKcGcmfKXNGXvcjxdvjgSuy8 -k/RmTChx0dhmA7SQMLsXsP6X9R7ox12bixEZEjyrgnF4/64/MrIIcbIbjCesEbjY -Q0nPsHCx8Iyu2iSHFzvYBGVsAHZQ7xUI17RzaCYUh5XDX25huIeE+oAaCouY8+P/ -TkQcZXR8cVRl5TkCAwEAAaOCARwwggEYMB0GA1UdDgQWBBQyZ+GxedKB/J8jDHBA -ULVGVrgwNjCByQYDVR0jBIHBMIG+gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSB -lzCBlDELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv -emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgw -FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb22CCQCmZjhJRZvcgTALBgNVHQ8EBAMCBeAwEwYDVR0lBAwwCgYIKwYB -BQUHAwkwCQYDVR0TBAIwADANBgkqhkiG9w0BAQsFAAOCAQEAZibscyoIOyLFVjX3 -d8jllog9EXishCIlJp3IzzLt+7w4n66NmRM6s1nnUKS1VqgF4SFsJlzu91W36rJy -gE9OcB37p14C1tk31oBxQphj7/RKoZqVHf2ZE947ENbtGw3/nhQu4I9f7420DV5g -S7nU0Vhu67utSqxEE2L30bQA8481u7F2j9kahxRmS94EkULxt9KL4RRsMTADj2Ly -s+7xZ4FnX6FWm5NU6McFtfpkyLOotB9Jm+DUdAEZUwexCke7NzdY5M4Yhwigi2nT -1fO2KActVuc+Dl8HxeDYV7xVlvzsGE567SN7U1O37jb7o4llzm7xj4oF5NnzOgWK -1wCVoA== ------END CERTIFICATE----- -Certificate: - Data: - Version: 3 (0x2) - Serial Number: 11990332945272134785 (0xa6663849459bdc81) - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com - Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT - Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting, CN=www.wolfssl.com/emailAddress=info@wolfssl.com - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit) - Modulus: - 00:bf:0c:ca:2d:14:b2:1e:84:42:5b:cd:38:1f:4a: - f2:4d:75:10:f1:b6:35:9f:df:ca:7d:03:98:d3:ac: - de:03:66:ee:2a:f1:d8:b0:7d:6e:07:54:0b:10:98: - 21:4d:80:cb:12:20:e7:cc:4f:de:45:7d:c9:72:77: - 32:ea:ca:90:bb:69:52:10:03:2f:a8:f3:95:c5:f1: - 8b:62:56:1b:ef:67:6f:a4:10:41:95:ad:0a:9b:e3: - a5:c0:b0:d2:70:76:50:30:5b:a8:e8:08:2c:7c:ed: - a7:a2:7a:8d:38:29:1c:ac:c7:ed:f2:7c:95:b0:95: - 82:7d:49:5c:38:cd:77:25:ef:bd:80:75:53:94:3c: - 3d:ca:63:5b:9f:15:b5:d3:1d:13:2f:19:d1:3c:db: - 76:3a:cc:b8:7d:c9:e5:c2:d7:da:40:6f:d8:21:dc: - 73:1b:42:2d:53:9c:fe:1a:fc:7d:ab:7a:36:3f:98: - de:84:7c:05:67:ce:6a:14:38:87:a9:f1:8c:b5:68: - cb:68:7f:71:20:2b:f5:a0:63:f5:56:2f:a3:26:d2: - b7:6f:b1:5a:17:d7:38:99:08:fe:93:58:6f:fe:c3: - 13:49:08:16:0b:a7:4d:67:00:52:31:67:23:4e:98: - ed:51:45:1d:b9:04:d9:0b:ec:d8:28:b3:4b:bd:ed: - 36:79 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Subject Key Identifier: - 27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 - X509v3 Authority Key Identifier: - keyid:27:8E:67:11:74:C3:26:1D:3F:ED:33:63:B3:A4:D8:1D:30:E5:E8:D5 - DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:A6:66:38:49:45:9B:DC:81 - - X509v3 Basic Constraints: - CA:TRUE - Authority Information Access: - OCSP - URI:http://localhost:22222 - - Signature Algorithm: sha256WithRSAEncryption - 41:8f:fb:6b:65:6b:36:f2:56:4f:0c:48:b0:4d:8c:c2:cb:d6: - 58:7a:83:3a:30:7d:62:7b:86:f1:15:26:b3:26:02:77:f2:c8: - 57:e5:1e:60:68:8b:a4:e8:f3:a8:b2:88:a4:2f:e8:6e:25:8d: - 6b:dc:53:ab:2f:d3:47:8c:d6:27:ab:39:bc:d3:ca:d8:01:96: - a4:44:57:38:93:ab:c3:f3:95:67:7f:cf:25:1d:b7:04:dc:06: - c9:5d:24:c1:54:13:71:81:21:31:ee:9f:b4:9d:ce:98:66:a4: - a0:77:c1:88:18:a4:d1:36:ee:cd:d8:c1:1b:bc:03:d6:85:9a: - 2e:21:82:95:4c:b2:2a:fe:69:db:ac:e4:97:e1:e9:0e:f1:d3: - ef:20:86:03:01:66:6b:f0:26:0f:39:04:26:f5:42:98:3f:95: - 48:5f:b5:5d:bc:49:4c:81:38:d5:e9:72:32:1c:66:1b:12:80: - 0f:db:99:f0:97:67:61:79:ad:ab:be:6a:ea:aa:cc:3d:f9:40: - 99:00:93:bb:df:4b:41:d4:7f:f1:93:b2:70:83:3a:e3:6b:44: - 4b:1f:9f:77:53:ea:5d:e6:59:1e:c0:2d:4b:83:d6:f4:a3:d4: - a9:c3:91:12:e7:61:3f:56:9d:8f:b8:19:29:62:1b:58:df:73: - 99:1f:49:63 ------BEGIN CERTIFICATE----- -MIIE4DCCA8igAwIBAgIJAKZmOElFm9yBMA0GCSqGSIb3DQEBCwUAMIGUMQswCQYD -VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G -A1UECgwIU2F3dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3 -dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAe -Fw0xNTExMjMxMjQ5MzdaFw0xODA4MTkxMjQ5MzdaMIGUMQswCQYDVQQGEwJVUzEQ -MA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8GA1UECgwIU2F3 -dG9vdGgxEzARBgNVBAsMCkNvbnN1bHRpbmcxGDAWBgNVBAMMD3d3dy53b2xmc3Ns -LmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIwDQYJKoZI -hvcNAQEBBQADggEPADCCAQoCggEBAL8Myi0Ush6EQlvNOB9K8k11EPG2NZ/fyn0D -mNOs3gNm7irx2LB9bgdUCxCYIU2AyxIg58xP3kV9yXJ3MurKkLtpUhADL6jzlcXx -i2JWG+9nb6QQQZWtCpvjpcCw0nB2UDBbqOgILHztp6J6jTgpHKzH7fJ8lbCVgn1J -XDjNdyXvvYB1U5Q8PcpjW58VtdMdEy8Z0TzbdjrMuH3J5cLX2kBv2CHccxtCLVOc -/hr8fat6Nj+Y3oR8BWfOahQ4h6nxjLVoy2h/cSAr9aBj9VYvoybSt2+xWhfXOJkI -/pNYb/7DE0kIFgunTWcAUjFnI06Y7VFFHbkE2Qvs2CizS73tNnkCAwEAAaOCATEw -ggEtMB0GA1UdDgQWBBQnjmcRdMMmHT/tM2OzpNgdMOXo1TCByQYDVR0jBIHBMIG+ -gBQnjmcRdMMmHT/tM2OzpNgdMOXo1aGBmqSBlzCBlDELMAkGA1UEBhMCVVMxEDAO -BgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNhd3Rv -b3RoMRMwEQYDVQQLDApDb25zdWx0aW5nMRgwFgYDVQQDDA93d3cud29sZnNzbC5j -b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQCmZjhJRZvcgTAM -BgNVHRMEBTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDov -L2xvY2FsaG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOCAQEAQY/7a2VrNvJWTwxI -sE2MwsvWWHqDOjB9YnuG8RUmsyYCd/LIV+UeYGiLpOjzqLKIpC/obiWNa9xTqy/T -R4zWJ6s5vNPK2AGWpERXOJOrw/OVZ3/PJR23BNwGyV0kwVQTcYEhMe6ftJ3OmGak -oHfBiBik0TbuzdjBG7wD1oWaLiGClUyyKv5p26zkl+HpDvHT7yCGAwFma/AmDzkE -JvVCmD+VSF+1XbxJTIE41elyMhxmGxKAD9uZ8JdnYXmtq75q6qrMPflAmQCTu99L -QdR/8ZOycIM642tESx+fd1PqXeZZHsAtS4PW9KPUqcOREudhP1adj7gZKWIbWN9z -mR9JYw== ------END CERTIFICATE----- diff --git a/certs/ocsp/ocsp-responder-cert.pem b/certs/ocsp/ocsp-responder-cert.pem new file mode 100644 index 000000000..55a81ac9d --- /dev/null +++ b/certs/ocsp/ocsp-responder-cert.pem @@ -0,0 +1,180 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL OCSP Responder/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:b8:ba:23:b4:f6:c3:7b:14:c3:a4:f5:1d:61:a1: + f5:1e:63:b9:85:23:34:50:6d:f8:7c:a2:8a:04:8b: + d5:75:5c:2d:f7:63:88:d1:07:7a:ea:0b:45:35:2b: + eb:1f:b1:22:b4:94:41:38:e2:9d:74:d6:8b:30:22: + 10:51:c5:db:ca:3f:46:2b:fe:e5:5a:3f:41:74:67: + 75:95:a9:94:d5:c3:ee:42:f8:8d:eb:92:95:e1:d9: + 65:b7:43:c4:18:de:16:80:90:ce:24:35:21:c4:55: + ac:5a:51:e0:2e:2d:b3:0a:5a:4f:4a:73:31:50:ee: + 4a:16:bd:39:8b:ad:05:48:87:b1:99:e2:10:a7:06: + 72:67:ca:5c:d1:97:bd:c8:f1:76:f8:e0:4a:ec:bc: + 93:f4:66:4c:28:71:d1:d8:66:03:b4:90:30:bb:17: + b0:fe:97:f5:1e:e8:c7:5d:9b:8b:11:19:12:3c:ab: + 82:71:78:ff:ae:3f:32:b2:08:71:b2:1b:8c:27:ac: + 11:b8:d8:43:49:cf:b0:70:b1:f0:8c:ae:da:24:87: + 17:3b:d8:04:65:6c:00:76:50:ef:15:08:d7:b4:73: + 68:26:14:87:95:c3:5f:6e:61:b8:87:84:fa:80:1a: + 0a:8b:98:f3:e3:ff:4e:44:1c:65:74:7c:71:54:65: + e5:39 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 32:67:E1:B1:79:D2:81:FC:9F:23:0C:70:40:50:B5:46:56:B8:30:36 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + X509v3 Extended Key Usage: + OCSP Signing + Signature Algorithm: sha256WithRSAEncryption + 1a:b0:0c:d3:5d:8d:fe:f0:4f:76:8d:cb:47:51:c3:64:0b:8e: + 94:9b:82:eb:2e:53:13:1d:28:31:55:c7:2a:7c:be:4e:32:9f: + 52:fd:2a:9c:a0:e2:9f:7b:23:9d:bf:93:e2:37:ac:40:47:f2: + 2d:ac:e6:8d:23:a2:18:c5:3f:c0:8d:60:4b:c5:2f:55:ae:f3: + 63:ea:e4:2f:20:56:fa:13:7c:d1:af:4f:ef:cb:ad:81:d1:26: + 0d:86:4b:0d:bb:67:8d:b6:a0:51:ac:a5:e5:f1:75:30:77:cc: + a6:57:d6:11:3c:76:7f:a7:b2:85:5e:c2:52:ec:8e:d8:7a:25: + b6:a9:ef:6e:6d:d8:a8:2d:e2:91:6d:fe:2d:11:df:8e:cc:c6: + 96:45:d9:f7:82:8a:58:ec:f7:7a:74:62:17:16:db:e9:8e:dc: + 40:ed:3d:de:1a:2b:af:e7:8e:39:be:91:50:f8:2c:70:bd:1b: + 64:01:db:bb:7a:1c:64:77:fb:ed:55:4c:3f:de:5c:cf:22:01: + 1f:7e:34:84:93:a2:37:06:7e:b2:6c:d1:58:ee:d8:1d:fb:8b: + b2:32:5b:6d:ef:9d:5a:b5:31:9b:f0:74:0b:c6:41:9a:fa:4a: + a5:a2:91:39:a3:a8:d0:69:a6:93:1a:7f:55:e9:04:58:b0:16: + 58:0c:27:92 +-----BEGIN CERTIFICATE----- +MIIExjCCA66gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnjELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZ3b2xmU1NMIE9DU1Ag +UmVzcG9uZGVyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN +BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuLojtPbDexTDpPUdYaH1HmO5hSM0 +UG34fKKKBIvVdVwt92OI0Qd66gtFNSvrH7EitJRBOOKddNaLMCIQUcXbyj9GK/7l +Wj9BdGd1lamU1cPuQviN65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMx +UO5KFr05i60FSIexmeIQpwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew +/pf1HujHXZuLERkSPKuCcXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gE +ZWwAdlDvFQjXtHNoJhSHlcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQAB +o4IBEjCCAQ4wCQYDVR0TBAIwADAdBgNVHQ4EFgQUMmfhsXnSgfyfIwxwQFC1Rla4 +MDYwgcwGA1UdIwSBxDCBwYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2kgZowgZcx +CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0 +dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG +A1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz +c2wuY29tggkA71fY9Wk4lSUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN +AQELBQADggEBABqwDNNdjf7wT3aNy0dRw2QLjpSbgusuUxMdKDFVxyp8vk4yn1L9 +Kpyg4p97I52/k+I3rEBH8i2s5o0johjFP8CNYEvFL1Wu82Pq5C8gVvoTfNGvT+/L +rYHRJg2GSw27Z422oFGspeXxdTB3zKZX1hE8dn+nsoVewlLsjth6Jbap725t2Kgt +4pFt/i0R347MxpZF2feCiljs93p0YhcW2+mO3EDtPd4aK6/njjm+kVD4LHC9G2QB +27t6HGR3++1VTD/eXM8iAR9+NISTojcGfrJs0Vju2B37i7IyW23vnVq1MZvwdAvG +QZr6SqWikTmjqNBpppMaf1XpBFiwFlgMJ5I= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 17246491846582506789 (0xef57d8f569389525) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: + c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: + b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: + c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: + 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: + 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: + 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: + 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: + 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: + 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: + 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: + c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: + 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: + 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: + f9:fe:bc:01 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ +MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM +D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE +CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT +U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA +wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ +X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 +zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T +tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC +1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE +gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe +vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym +9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn +YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 +MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc +UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM +H8bKHeSMPjGB+f68AQ== +-----END CERTIFICATE----- diff --git a/certs/ocsp/ocsp-key.pem b/certs/ocsp/ocsp-responder-key.pem similarity index 100% rename from certs/ocsp/ocsp-key.pem rename to certs/ocsp/ocsp-responder-key.pem diff --git a/certs/ocsp/ocspd.sh b/certs/ocsp/ocspd.sh deleted file mode 100755 index 6f7ce20fe..000000000 --- a/certs/ocsp/ocspd.sh +++ /dev/null @@ -1,9 +0,0 @@ -#!/bin/bash - -openssl ocsp -index index.txt \ - -port 22222 \ - -rsigner ocsp-cert.pem \ - -rkey ocsp-key.pem \ - -CA ../ca-cert.pem \ - -nmin 1 \ - -text diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh new file mode 100755 index 000000000..ea15a1c7a --- /dev/null +++ b/certs/ocsp/ocspd0.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +openssl ocsp \ + -index index0.txt \ + -port 22220 \ + -rsigner ocsp-responder-cert.pem \ + -rkey ocsp-responder-key.pem \ + -CA root-ca-cert.pem \ + -nmin 1 \ + -text diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh new file mode 100755 index 000000000..60390216d --- /dev/null +++ b/certs/ocsp/ocspd1.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +openssl ocsp \ + -index index1.txt \ + -port 22221 \ + -rsigner ocsp-responder-cert.pem \ + -rkey ocsp-responder-key.pem \ + -CA intermediate1-ca-cert.pem \ + -nmin 1 \ + -text diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh new file mode 100755 index 000000000..f827bbcb6 --- /dev/null +++ b/certs/ocsp/ocspd2.sh @@ -0,0 +1,10 @@ +#!/bin/bash + +openssl ocsp \ + -index index2.txt \ + -port 22222 \ + -rsigner ocsp-responder-cert.pem \ + -rkey ocsp-responder-key.pem \ + -CA intermediate2-ca-cert.pem \ + -nmin 1 \ + -text diff --git a/certs/ocsp/openssl.cnf b/certs/ocsp/openssl.cnf new file mode 100644 index 000000000..20d2f6df7 --- /dev/null +++ b/certs/ocsp/openssl.cnf @@ -0,0 +1,33 @@ +# +# openssl configuration file for OCSP certificates +# + +# Extensions to add to a certificate request (intermediate1-ca) +[ v3_req1 ] +basicConstraints = CA:false +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +authorityInfoAccess = OCSP;URI:http://localhost:22221 + +# Extensions to add to a certificate request (intermediate2-ca) +[ v3_req2 ] +basicConstraints = CA:false +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +authorityInfoAccess = OCSP;URI:http://localhost:22222 + +# Extensions for a typical CA +[ v3_ca ] +basicConstraints = CA:true +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +authorityInfoAccess = OCSP;URI:http://localhost:22220 + +# OCSP extensions. +[ v3_ocsp ] +basicConstraints = CA:false +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +extendedKeyUsage = OCSPSigning diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh new file mode 100755 index 000000000..30e90cb6a --- /dev/null +++ b/certs/ocsp/renewcerts.sh @@ -0,0 +1,50 @@ +openssl req \ + -new \ + -key root-ca-key.pem \ + -out root-ca-cert.csr \ + -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com" + +openssl x509 \ + -req -in root-ca-cert.csr \ + -extfile openssl.cnf \ + -extensions v3_ca \ + -days 1000 \ + -signkey root-ca-key.pem \ + -out root-ca-cert.pem + +rm root-ca-cert.csr +openssl x509 -in root-ca-cert.pem -text > tmp.pem +mv tmp.pem root-ca-cert.pem + +# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial +function update_cert() { + openssl req \ + -new \ + -key $1-key.pem \ + -out $1-cert.csr \ + -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com" + + openssl x509 \ + -req -in $1-cert.csr \ + -extfile openssl.cnf \ + -extensions $4 \ + -days 1000 \ + -CA $3-cert.pem \ + -CAkey $3-key.pem \ + -set_serial $5 \ + -out $1-cert.pem + + rm $1-cert.csr + openssl x509 -in $3-cert.pem -text > $3_tmp.pem + openssl x509 -in $1-cert.pem -text > $1_tmp.pem + mv $1_tmp.pem $1-cert.pem + cat $3_tmp.pem >> $1-cert.pem + rm $3_tmp.pem +} + +update_cert intermediate1-ca "wolfSSL intermediate CA" root-ca v3_ca 01 +update_cert intermediate2-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 02 # REVOKED +update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 03 +update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 04 +update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 05 # REVOKED +update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 06 diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem new file mode 100644 index 000000000..f63c2d9e7 --- /dev/null +++ b/certs/ocsp/root-ca-cert.pem @@ -0,0 +1,91 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 17246491846582506789 (0xef57d8f569389525) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: + c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: + b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: + c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: + 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: + 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: + 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: + 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: + 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: + 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: + 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: + c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: + 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: + 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: + f9:fe:bc:01 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD +VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ +MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM +D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE +CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT +U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA +wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ +X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 +zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T +tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC +1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE +gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe +vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym +9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn +YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 +MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc +UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM +H8bKHeSMPjGB+f68AQ== +-----END CERTIFICATE----- diff --git a/certs/ocsp/root-ca-key.pem b/certs/ocsp/root-ca-key.pem new file mode 100644 index 000000000..a7cbcbb60 --- /dev/null +++ b/certs/ocsp/root-ca-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrLLQvHQYJ704p +hoR+zL+meXzwwMFkJYx1txAFykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRx +kK3MBbmfFccKP19p9ApfjHG1LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4 +hc0BiKzFsrFZuM1a9AkJOJvaWs/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4 +yHDM4WcGsysvk7Vpz4N+iFObD0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tb +ipKXrf2XuXXKwtRFfRdrzS/zY3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsV +roxb+ZmBAgMBAAECggEAd0Qjm3wOfBeYD0jhwnOoyTZ2vkyfssaS0mYlrNMfaM12 +iqYBELQo5miReaHZ5ZfYCweNX8guVUAkMCiNX81RYy3KTDKRqYJXQ/HYPFMcXXP2 +7Ja6jMfub1FXJ1xULtJs/5XilVwxad1ZgHbBu2LedrUl6wzfUJMeRKWDuiVyCzpK +J2+F1iVH+whBI/eN8qopHM4JeR0W9k7rFJayQZ9iAIfrl2In1hTay9S7HCEdmWz/ +BVI818QXsgCuulR9G2erS0gS181P090YcZeuzh5YfvAnzn7m8BTboJojix5pkfQt +gM5E7YD4nYU1V796P2cfAaMJoQyCW4NSn+kwgLT5rQKBgQDXnHvs/fk+gxFiBt/U +tRfU+iUoiMofrcAZswMBvOZVy40RbtxuNXwnGo9+Bko7XVKekVO6TGUyPSpv1VXR +QCjlk+PsXyx0DD2+Hb3r69wXJ3Wfxe0K+p6CHIuspJUmNrHdpJOBTO8GbHNxuaD/ +kDJvBq+ZkXEKUm9a5BeU5WiwMwKBgQDLPUkr+Mm2pJIIEBF8z3Lr3bWIbZsinxhM +ErQRAQC0J+oBj1kuUoXYoh1hzQK/E90bM2fRUMhgVGIBvwDMv0c+Z2Fb6zK0r3mP +dOLYGOrfavl/f7zhd4TjzPkAF1fbbYbciFQIWW3//q8PXY68eKvwrhGqT+CCwLef +tWC3xrpLewKBgQC7Ht7abgxa+UsjxQ2Kv+O//Zw0EotAdP2sEBUC9Br+yJpUT99U +cmyeT0nLONBBtxtV7JA6tcR5lmX3CrHg2Yrku7XqVSrySBFppsxGLLslCSTnFdJE +Xf8ksntxyKB8uqkgz40IgWlMLOEACPc19MIgYzAQ2g29xI9J1Xy1x2dUywKBgBFo +HVU7yKLw82TnY2gKKHCVG5Akuw27DIyvaWavbE0BwiQCEARMoxQLxnJy6ZJN9Dj5 +LSIbRh4h/AbkQgBHPaXVmtwRh9U71jB4NVmGwM8DzXyjBx1UbDhKfOUKGsc7WTqY +HoJcjnRHbtzlCW2Q9ED316F7l+H6+X8fPLpgteHzAoGARc6B/pWJWkUVM87ObGmr +hiA5YByyC6Rq8HyFEeXiS2fiQPfQF0UC9Qxq9/CBkezb8v+Yb/UT4ieL26c270s5 +JkyYqMoBLgkOKG6nPDD4hxoR24cFmC090RNQOhwwHskh+KjVmf3c/m9wNBSdHTpt +URu+xdmbaoKaH9dIJMUKasc= +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem new file mode 100644 index 000000000..b4f1426d3 --- /dev/null +++ b/certs/ocsp/server1-cert.pem @@ -0,0 +1,184 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 4 (0x4) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:e6:96:55:75:cf:8a:97:68:8c:b6:38:f6:7a:05: + be:33:b6:51:47:37:8a:f7:db:91:be:92:6b:b7:00: + 8c:f2:c5:24:6e:18:e9:92:00:81:01:dc:b3:4c:28: + a9:b7:80:f1:96:cf:23:7a:2f:ae:f8:e3:0f:2d:d3: + 5e:23:e7:db:4c:b2:5d:89:16:17:be:be:81:db:fb: + 12:6d:28:4b:10:a0:12:04:27:c1:c9:d0:79:95:ef: + e8:8d:8c:59:9b:4e:72:7d:bc:49:2b:22:4e:f8:4f: + e2:0c:f1:e9:e9:97:f9:df:8c:5a:0a:aa:38:1d:43: + 04:a3:a7:89:a1:e2:83:a4:4b:b5:4e:45:88:a6:22: + 5d:ac:a9:58:67:88:c1:d5:61:ef:bd:11:05:27:94: + 47:bb:33:a5:8a:ca:ee:1f:8d:c0:6e:24:af:cd:ca: + bf:80:47:71:95:ac:a9:f1:5d:23:6c:f5:4b:b4:a9: + e1:c4:66:fb:e5:c4:a1:9f:a7:51:d1:78:cd:2e:b4: + 3f:2e:e2:82:f3:7f:c4:a7:f4:31:cf:76:27:3f:db: + 2e:d2:6e:c3:47:23:82:a3:48:40:8c:a7:c1:13:f0: + 63:50:54:43:f6:71:12:e1:6f:a5:7a:58:26:f7:fd: + 8b:3b:70:18:a0:43:ba:01:6b:b3:f8:d5:be:05:13: + 64:31 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + CC:55:15:00:E2:44:89:92:63:6D:10:5D:B9:9E:73:B6:5D:3A:19:CA + X509v3 Authority Key Identifier: + keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:01 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22221 + + Signature Algorithm: sha256WithRSAEncryption + d2:c0:12:20:fd:e1:b6:ad:89:ae:6f:60:af:3c:ad:5a:09:04: + 31:99:7a:94:00:56:80:26:5a:13:53:60:f3:81:7c:ac:01:e8: + 7a:87:e9:3c:7a:0f:78:14:fa:3f:f1:54:0f:f9:8d:0e:f9:02: + 66:bd:81:c6:e9:12:1c:b6:db:7b:b0:71:dd:62:06:fd:39:5f: + b3:1f:43:ff:af:91:0f:58:3a:ae:e7:07:a5:da:a1:46:e4:67: + 0a:a4:0d:7e:37:b7:59:92:6c:7b:95:94:2b:33:5c:19:c2:35: + c5:fc:92:10:9e:87:13:8a:82:0f:f7:68:97:e1:b8:94:d3:d4: + d5:89:14:f3:1e:9e:29:1c:af:40:14:4b:80:7a:1e:dd:99:23: + dc:82:79:4b:3c:ac:09:6c:bf:84:97:ba:28:d2:ed:b7:d3:19: + 51:49:c1:1f:37:4d:44:fd:e9:2e:ff:b7:71:f7:35:5b:97:82: + 69:12:75:17:44:b3:a8:57:b8:88:ae:b9:1a:80:31:1f:c9:10: + 91:73:97:98:0b:9a:27:9e:ac:47:99:c6:66:64:f3:b2:36:1f: + 60:ef:fd:43:1e:f5:81:d4:21:89:d1:2e:27:69:9b:39:cb:84: + e4:fc:24:1b:f7:18:ff:78:36:0d:9e:37:59:ff:1d:ec:9b:c4: + 50:7d:42:ea +-----BEGIN CERTIFICATE----- +MIIE7DCCA9SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NM +IGludGVybWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGYMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE +CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEHd3dzEu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmllV1z4qXaIy2OPZ6Bb4ztlFH +N4r325G+kmu3AIzyxSRuGOmSAIEB3LNMKKm3gPGWzyN6L6744w8t014j59tMsl2J +Fhe+voHb+xJtKEsQoBIEJ8HJ0HmV7+iNjFmbTnJ9vEkrIk74T+IM8enpl/nfjFoK +qjgdQwSjp4mh4oOkS7VORYimIl2sqVhniMHVYe+9EQUnlEe7M6WKyu4fjcBuJK/N +yr+AR3GVrKnxXSNs9Uu0qeHEZvvlxKGfp1HReM0utD8u4oLzf8Sn9DHPdic/2y7S +bsNHI4KjSECMp8ET8GNQVEP2cRLhb6V6WCb3/Ys7cBigQ7oBa7P41b4FE2QxAgMB +AAGjggE2MIIBMjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTMVRUA4kSJkmNtEF25nnO2 +XToZyjCBxAYDVR0jBIG8MIG5gBSDxjqJLIH0AtedTOIqwHGCZETaDqGBnaSBmjCB +lzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl +YXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgw +FgYDVQQDDA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb22CAQEwCwYDVR0PBAQDAgXgMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF +BQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMTANBgkqhkiG9w0BAQsFAAOCAQEA +0sASIP3htq2Jrm9grzytWgkEMZl6lABWgCZaE1Ng84F8rAHoeofpPHoPeBT6P/FU +D/mNDvkCZr2BxukSHLbbe7Bx3WIG/Tlfsx9D/6+RD1g6rucHpdqhRuRnCqQNfje3 +WZJse5WUKzNcGcI1xfySEJ6HE4qCD/dol+G4lNPU1YkU8x6eKRyvQBRLgHoe3Zkj +3IJ5SzysCWy/hJe6KNLtt9MZUUnBHzdNRP3pLv+3cfc1W5eCaRJ1F0SzqFe4iK65 +GoAxH8kQkXOXmAuaJ56sR5nGZmTzsjYfYO/9Qx71gdQhidEuJ2mbOcuE5PwkG/cY +/3g2DZ43Wf8d7JvEUH1C6g== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 3d:92:fc:b0:73:95:d8:5a:18:e3:27:fc:55:05:14:54:2e:af: + 37:1e:37:11:25:e8:c9:7a:b0:9b:68:fb:a0:69:91:fd:bb:dd: + 00:55:fb:30:b3:4a:59:a6:58:bb:e4:03:3e:f2:98:a2:07:71: + c7:de:3a:a0:0b:eb:43:44:77:2b:fc:5d:96:a7:89:c8:1a:6a: + 6e:b6:34:00:bb:e0:8a:5b:2b:ad:3a:f4:ab:b9:d4:54:f9:85: + 9a:f7:3b:23:00:dc:17:8f:55:1f:b9:e1:17:10:61:91:50:77: + b6:57:be:75:61:6e:cc:9c:27:76:32:c2:de:b4:ee:11:ff:10: + f7:99:49:38:8e:af:af:fa:73:1e:34:20:6c:3e:9f:cb:56:70: + 20:47:21:d3:2c:db:9b:ad:3b:32:96:72:be:d3:1b:d2:33:21: + 9b:4b:86:3a:64:45:37:8b:60:80:3b:3e:08:7a:06:f2:aa:20: + 7b:63:2c:df:03:c0:2a:74:07:61:db:f3:ec:8a:17:a4:36:a1: + 6c:b6:c0:64:f7:8a:5b:d0:43:64:bb:3e:ed:5d:e8:06:9c:b0: + ef:c2:f3:d1:ff:e2:05:5e:1f:e1:bd:ef:2a:32:a3:44:9f:44: + 99:c0:a3:27:8b:af:24:c4:5f:2b:d5:05:a2:18:70:32:a4:d2: + 75:16:1b:b1 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN60yFx34C2x9bmtFkc1oDVlZcbh +QKsetLkTt8uMu3eldtpth4f2Sk0T5CY+J4fuW8dqP0UwYVVc9jXRZfqYEaOnVdW+ +kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN +MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr +GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a +lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA +cYJkRNoOMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPZL8 +sHOV2FoY4yf8VQUUVC6vNx43ESXoyXqwm2j7oGmR/bvdAFX7MLNKWaZYu+QDPvKY +ogdxx946oAvrQ0R3K/xdlqeJyBpqbrY0ALvgilsrrTr0q7nUVPmFmvc7IwDcF49V +H7nhFxBhkVB3tle+dWFuzJwndjLC3rTuEf8Q95lJOI6vr/pzHjQgbD6fy1ZwIEch +0yzbm607MpZyvtMb0jMhm0uGOmRFN4tggDs+CHoG8qoge2Ms3wPAKnQHYdvz7IoX +pDahbLbAZPeKW9BDZLs+7V3oBpyw78Lz0f/iBV4f4b3vKjKjRJ9EmcCjJ4uvJMRf +K9UFohhwMqTSdRYbsQ== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server1-key.pem b/certs/ocsp/server1-key.pem new file mode 100644 index 000000000..e44f63129 --- /dev/null +++ b/certs/ocsp/server1-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDmllV1z4qXaIy2 +OPZ6Bb4ztlFHN4r325G+kmu3AIzyxSRuGOmSAIEB3LNMKKm3gPGWzyN6L6744w8t +014j59tMsl2JFhe+voHb+xJtKEsQoBIEJ8HJ0HmV7+iNjFmbTnJ9vEkrIk74T+IM +8enpl/nfjFoKqjgdQwSjp4mh4oOkS7VORYimIl2sqVhniMHVYe+9EQUnlEe7M6WK +yu4fjcBuJK/Nyr+AR3GVrKnxXSNs9Uu0qeHEZvvlxKGfp1HReM0utD8u4oLzf8Sn +9DHPdic/2y7SbsNHI4KjSECMp8ET8GNQVEP2cRLhb6V6WCb3/Ys7cBigQ7oBa7P4 +1b4FE2QxAgMBAAECggEBAMcAl2DFbOae5FGfd5h3vF8EycCcvuKKLI4775pQb1RV +r8sU1P+cT7o7rsHblh04u0dcHVImNOu3ijISaPyz7R+UEAVve66y23/uf0iVrbL7 +cpEDfsudkFFGa30901elrEm3Za5EPcMvrfdeEHH5Jz02876giS032ZkjzjRYOSRg +TuFhiqjRTMfE6AB63KSRWcb6AYEocHV/jF+IEQcz9ctsv6XKKKJtge4+Y3+gQU4N +ALUE6OjBsD5KpMVuMYBSfTucYi5g2eOK05PoCOR8lTqgvsbof+ALj+84zEpG20aK +p0KdMVwiMolXaYcvKBOGPxZKt7sQaIMitbs0iuErMQECgYEA+cLVZh4qkRnsjPVc +/27qC/VLeWo2QAL7TWC7YgkY0MgNtZXRkJZdKOlzYWo/iJmuxHj7eUFLkoHpPNV2 +X6WG+CGHD1qq/BqLQNlJKS/MtI2VNzOjBJ/J3SktOGo3BwL+Q5uSRNHukQip0YnD +c9GCU4UhfBHr/UNitMBH6N5aPqUCgYEA7FjjTGomVseF5wNbfw2xLjBmRuQ2DDgJ +/OvCtV6it+OiVU9R+cYcz/hVl1QLIkGBHt5hb8O6np4tW5ehKd5LNTtolIO+/BLL +2xPZCLY7U+LES5dgUTC/wb5t5igAmPuOMi9qNQ1kYxbKYJVLRUdwfOM8FNE4gjZF +kj2BIb6OxZ0CgYEAmuXXvWZ2FdmTGHTPwWdDZjkyHtHdZWO0AXA9pnZn2oxH3FdX +SinHCymFsmPXlVtixV0W8UOqn+lMAruMl5MsGtWIUuBzbLj1pjlcI1wOw+ePJFY1 +AxgqdKwl7HgLOqEDmmBwnZfpMi/CSj77ZegIwM2vT6g5yK+zFtCtiGHmbDUCgYBf +L2VLbyzFolGBOk7tGnyTF5b5UguaXC9ZlzGxjc2Gtby5Etr29xy/fUorSgO55hu0 +bOdc9b0BCL9HtgeILyim5ag2t+CA8Kj9MD8mTQ4TuK5Jq0t1J2bzBliIau/irN0V +xRbHCv+1EIas4zOPUTgyc+nMkH5roqPeQ7rv9ijV2QKBgQDJiNmAJv3dlie2x+bj +rX5RDF1Q/egVVGx41jPyuzh0oFLwEQG2lSHEAKgF+gWt0ZMwNzPB9oue2LBSpNFl +7ZdpFCpzD+3OcaxnWYEGT+qNhczbf0PvVNBOzOI33Trr7maktWi0Mh9qmXqoNuwG +uCnrEriJlBk2MV88tIG/ZJ+bvQ== +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem new file mode 100644 index 000000000..de79496e1 --- /dev/null +++ b/certs/ocsp/server2-cert.pem @@ -0,0 +1,184 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:30 2015 GMT + Not After : Sep 2 22:42:30 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c6:35:8a:e8:aa:bd:33:c9:5e:84:43:67:42:65: + 2a:3c:e3:89:b4:a6:67:a1:3b:ee:6d:85:d1:d3:2b: + 6e:b1:62:d4:f1:22:43:a0:d5:b7:a5:7d:b5:f5:6c: + 09:06:7c:8c:ef:87:af:4f:34:ce:27:eb:f3:4a:37: + 57:c3:d7:d8:ee:e4:a0:77:65:2c:a7:c2:10:65:6b: + 7b:48:c4:d8:28:fe:4c:4e:4f:7e:2f:20:c4:49:5b: + 71:38:40:0d:36:a3:57:b3:44:da:be:cd:54:14:15: + 66:0f:d3:05:08:f2:2e:03:67:2e:5c:5d:e1:b0:e6: + c0:25:8f:58:77:5b:d3:d7:a8:22:ea:56:d3:0e:01: + 6d:38:34:56:47:aa:12:c4:ba:2a:ef:ec:18:f5:d4: + db:b9:fa:6f:dc:50:eb:ee:10:a2:14:b5:9a:12:e1: + e3:85:0f:79:14:b8:70:6d:0d:1c:1d:38:57:85:6a: + 82:0c:d6:bd:2c:bf:20:f1:28:2e:f6:34:80:a7:0d: + 32:82:35:4f:c1:b1:e5:9e:26:d5:f8:b9:39:57:43: + ef:ed:f1:10:5c:3e:32:ba:d9:e4:9e:40:cd:28:ea: + 26:46:9b:a9:34:8d:9f:b9:fd:45:7d:14:f7:ce:ca: + 3b:85:87:a7:64:74:9c:65:29:18:b3:f5:b1:ad:92: + 62:39 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 7D:6D:FD:F6:0B:4F:3F:4A:62:91:F5:F3:13:60:51:86:C3:5A:9F:D6 + X509v3 Authority Key Identifier: + keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:01 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22221 + + Signature Algorithm: sha256WithRSAEncryption + 72:91:43:1a:4f:fb:87:32:dc:12:b0:60:ed:d8:05:f9:ac:62: + 51:1d:21:40:f4:36:86:6c:24:82:33:a5:1e:c9:bd:bb:2a:2f: + 14:76:ef:63:ba:fe:79:c5:14:ac:0b:d7:3d:7d:cd:db:50:98: + 93:05:0e:f2:0f:00:fa:f2:11:dc:10:25:c0:e7:ae:0e:b2:fc: + 86:2a:a1:d9:ee:1c:ad:31:ad:be:69:3f:58:5d:73:cd:bb:df: + 64:3d:bd:aa:e0:30:9e:4b:f5:e5:48:0e:81:c5:81:2e:90:d5: + 73:62:a6:80:9a:71:24:54:95:3a:aa:a0:df:aa:2a:95:9e:90: + 1f:f4:94:cb:ad:9d:47:7f:52:d6:52:16:a4:db:1e:71:71:c9: + a4:4a:02:1c:e5:5d:4d:23:6c:6a:db:60:b4:0e:58:83:1a:86: + af:f0:ec:25:44:63:c6:05:f2:26:f8:34:98:11:93:cd:4d:4d: + 7a:cb:53:e5:86:40:91:fb:6d:16:14:de:c8:d1:5d:65:9d:45: + 92:1c:c0:4f:4f:33:8a:8b:23:93:30:f4:fe:08:92:27:bf:3d: + 11:4e:0b:42:59:69:88:b3:df:45:0f:a0:05:63:03:bd:1c:8c: + 3c:76:1f:20:65:25:8b:3c:34:1e:74:a0:79:05:6e:dd:b6:ae: + 8f:77:b5:0d +-----BEGIN CERTIFICATE----- +MIIE7DCCA9SgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NM +IGludGVybWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bTAeFw0xNTEyMDcyMjQyMzBaFw0xODA5MDIyMjQyMzBaMIGYMQswCQYDVQQGEwJV +UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE +CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEHd3dzIu +d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi +MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGNYroqr0zyV6EQ2dCZSo844m0 +pmehO+5thdHTK26xYtTxIkOg1belfbX1bAkGfIzvh69PNM4n6/NKN1fD19ju5KB3 +ZSynwhBla3tIxNgo/kxOT34vIMRJW3E4QA02o1ezRNq+zVQUFWYP0wUI8i4DZy5c +XeGw5sAlj1h3W9PXqCLqVtMOAW04NFZHqhLEuirv7Bj11Nu5+m/cUOvuEKIUtZoS +4eOFD3kUuHBtDRwdOFeFaoIM1r0svyDxKC72NICnDTKCNU/BseWeJtX4uTlXQ+/t +8RBcPjK62eSeQM0o6iZGm6k0jZ+5/UV9FPfOyjuFh6dkdJxlKRiz9bGtkmI5AgMB +AAGjggE2MIIBMjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR9bf32C08/SmKR9fMTYFGG +w1qf1jCBxAYDVR0jBIG8MIG5gBSDxjqJLIH0AtedTOIqwHGCZETaDqGBnaSBmjCB +lzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl +YXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgw +FgYDVQQDDA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s +ZnNzbC5jb22CAQEwCwYDVR0PBAQDAgXgMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF +BQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMTANBgkqhkiG9w0BAQsFAAOCAQEA +cpFDGk/7hzLcErBg7dgF+axiUR0hQPQ2hmwkgjOlHsm9uyovFHbvY7r+ecUUrAvX +PX3N21CYkwUO8g8A+vIR3BAlwOeuDrL8hiqh2e4crTGtvmk/WF1zzbvfZD29quAw +nkv15UgOgcWBLpDVc2KmgJpxJFSVOqqg36oqlZ6QH/SUy62dR39S1lIWpNsecXHJ +pEoCHOVdTSNsattgtA5YgxqGr/DsJURjxgXyJvg0mBGTzU1NestT5YZAkfttFhTe +yNFdZZ1FkhzAT08ziosjkzD0/giSJ789EU4LQllpiLPfRQ+gBWMDvRyMPHYfIGUl +izw0HnSgeQVu3bauj3e1DQ== +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 3d:92:fc:b0:73:95:d8:5a:18:e3:27:fc:55:05:14:54:2e:af: + 37:1e:37:11:25:e8:c9:7a:b0:9b:68:fb:a0:69:91:fd:bb:dd: + 00:55:fb:30:b3:4a:59:a6:58:bb:e4:03:3e:f2:98:a2:07:71: + c7:de:3a:a0:0b:eb:43:44:77:2b:fc:5d:96:a7:89:c8:1a:6a: + 6e:b6:34:00:bb:e0:8a:5b:2b:ad:3a:f4:ab:b9:d4:54:f9:85: + 9a:f7:3b:23:00:dc:17:8f:55:1f:b9:e1:17:10:61:91:50:77: + b6:57:be:75:61:6e:cc:9c:27:76:32:c2:de:b4:ee:11:ff:10: + f7:99:49:38:8e:af:af:fa:73:1e:34:20:6c:3e:9f:cb:56:70: + 20:47:21:d3:2c:db:9b:ad:3b:32:96:72:be:d3:1b:d2:33:21: + 9b:4b:86:3a:64:45:37:8b:60:80:3b:3e:08:7a:06:f2:aa:20: + 7b:63:2c:df:03:c0:2a:74:07:61:db:f3:ec:8a:17:a4:36:a1: + 6c:b6:c0:64:f7:8a:5b:d0:43:64:bb:3e:ed:5d:e8:06:9c:b0: + ef:c2:f3:d1:ff:e2:05:5e:1f:e1:bd:ef:2a:32:a3:44:9f:44: + 99:c0:a3:27:8b:af:24:c4:5f:2b:d5:05:a2:18:70:32:a4:d2: + 75:16:1b:b1 +-----BEGIN CERTIFICATE----- +MIIE6TCCA9GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw +DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN60yFx34C2x9bmtFkc1oDVlZcbh +QKsetLkTt8uMu3eldtpth4f2Sk0T5CY+J4fuW8dqP0UwYVVc9jXRZfqYEaOnVdW+ +kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN +MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr +GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a +lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA +AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA +cYJkRNoOMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw +AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPZL8 +sHOV2FoY4yf8VQUUVC6vNx43ESXoyXqwm2j7oGmR/bvdAFX7MLNKWaZYu+QDPvKY +ogdxx946oAvrQ0R3K/xdlqeJyBpqbrY0ALvgilsrrTr0q7nUVPmFmvc7IwDcF49V +H7nhFxBhkVB3tle+dWFuzJwndjLC3rTuEf8Q95lJOI6vr/pzHjQgbD6fy1ZwIEch +0yzbm607MpZyvtMb0jMhm0uGOmRFN4tggDs+CHoG8qoge2Ms3wPAKnQHYdvz7IoX +pDahbLbAZPeKW9BDZLs+7V3oBpyw78Lz0f/iBV4f4b3vKjKjRJ9EmcCjJ4uvJMRf +K9UFohhwMqTSdRYbsQ== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server2-key.pem b/certs/ocsp/server2-key.pem new file mode 100644 index 000000000..e4b6181e8 --- /dev/null +++ b/certs/ocsp/server2-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGNYroqr0zyV6E +Q2dCZSo844m0pmehO+5thdHTK26xYtTxIkOg1belfbX1bAkGfIzvh69PNM4n6/NK +N1fD19ju5KB3ZSynwhBla3tIxNgo/kxOT34vIMRJW3E4QA02o1ezRNq+zVQUFWYP +0wUI8i4DZy5cXeGw5sAlj1h3W9PXqCLqVtMOAW04NFZHqhLEuirv7Bj11Nu5+m/c +UOvuEKIUtZoS4eOFD3kUuHBtDRwdOFeFaoIM1r0svyDxKC72NICnDTKCNU/BseWe +JtX4uTlXQ+/t8RBcPjK62eSeQM0o6iZGm6k0jZ+5/UV9FPfOyjuFh6dkdJxlKRiz +9bGtkmI5AgMBAAECggEAL6rWwke1gsvNyD8xiR0tQEF0b5aJW5Q/LeW95WwPjed3 +0Jnt67MaHFmUNfaKYR35Au39si2/2of7FYEjwTyatjETikMxrxKTwOBNYN2+InWt +wjOJ5CmcKwwruVxmERrNT5aiiLp2mvHefrXAAzvC5xycYKhPS6zizuWfX+0ckEM5 +yJnl8TRTjfqExxHS1ciTY4B1w8nfWdYY/xiQW23sCPZ8toqsqAuHJjREmMcj+oer +z8Md1tZNa0ujDy0ejSovCnqzWIi4Umg3SndhRDYKNRAFGPNQmYRM+EWEqQufMaXP +ghD+Heb5RUPSkNW98KdjDGK4WiIeqF45tb+YQ4AvgQKBgQDt2X+FMHG/s7FAEAxA +x6TzIcDedqwEKtO3JbaC+Q0FKwRTGwP1tGOnyqbVrw4cSlza5EvUnK8CZK9I2HFd +qfbP3rtFCtHl9/bpVZPNkaVImzqkfmzmGJIREsCDIPu8THFNyxL2TC27VKCNsSmZ +ui2tuxRJ6/O0DroGdvdnFL89SQKBgQDVVaZjiA5Cr1e5Eo6q3dNNeMSBfTuI90Ja +W1OmVovp2yWYjfFFTW2B9vb4RDaRvIuykGhHgAnGKGmHtv7f0GlY7n6Qr0czvyn5 +6s+fRVIcPzEaTVnxC1g20+XHc41XdqnIOcaUjUz7oqC6g7+Y56WKdvvKitV0Lb98 +ua7ZOM6tcQKBgGWtRMY7H2VD+9HXCmXm8qy9ESYItSBS7o6soIj8zoQXD5I3SkoP +A0sHZqqSWwXdBDTOw1vwXyA2ynfpjwzrS4cxP/0T0wbsKbE11ClcybtwIHGRWhxD +BK4nxgRIZVTpmMYYudJwXlxmoPvxcEc3P6+0+cdgBp5CbWO2F60JQXeBAoGAHxLs +u46z1Q7JTlHfqg/JmX0/0kS1iUvKxHKNCquMkbG0FjaGsDuI+edJLfxxnmTCTG4w +YknKIqz8QiJrmZo33hZPJTACxQzRRm/nciGcxjSGKHif4zZt0P6od5bjPZwxOtL/ +k9/JGNYlZ0WNgO4s9LBEGMqEMPoA7F/3kfhuUmECgYEA6WzFZjs31OqTLE0vnCfL +/b/wPeozaAyjtR/24TNkAFwP/LrBAA5gFOoL8p94ce87yXdm80x3bK6OGbNmor7c +qT/OJgnXV1wTrKYSkFUu7LTC7DihpYy2MqyGg8xGxB4kK1IR+ROB4v3c5RkIqaGF +lTSpXFge771NjCimucIOl/Y= +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem new file mode 100644 index 000000000..b06624053 --- /dev/null +++ b/certs/ocsp/server3-cert.pem @@ -0,0 +1,184 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:30 2015 GMT + Not After : Sep 2 22:42:30 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:be:19:65:1e:17:39:d4:33:fc:97:64:69:80:51: + fb:6c:7c:ca:e1:ba:2a:ab:d2:dd:30:61:f3:2e:47: + c1:d4:33:c0:ff:53:21:ba:2d:14:a6:b9:7c:66:ca: + 45:7b:1c:7d:8f:fc:75:f3:9a:69:f1:6c:25:46:a0: + 92:5d:00:93:e3:22:a6:60:b9:97:05:37:7f:a1:aa: + cd:22:81:72:b1:22:47:3d:7c:8d:46:55:bc:32:4d: + d2:84:43:5c:15:43:07:22:70:36:39:93:1b:e8:a1: + 46:bb:02:85:ba:1d:31:ac:b1:3c:84:5b:eb:8f:1f: + 62:8a:71:52:9e:0b:63:b6:e6:d6:46:cc:19:06:d6: + bb:06:81:e4:0b:25:14:6c:63:94:70:1a:27:37:95: + 24:40:07:30:f5:24:73:c3:bd:f9:0e:5f:b6:cd:4f: + 18:88:f0:d7:a3:9b:f5:b0:1e:fe:04:03:a5:8d:73: + f7:6b:31:74:85:fd:61:fa:9e:53:37:75:90:e6:f8: + b5:98:66:e8:52:4d:4a:4c:39:05:65:c1:34:f9:c6: + 95:27:b0:07:c1:51:96:a8:82:1b:22:cf:41:df:de: + b4:94:b7:0d:ba:61:fb:f4:40:7c:a1:fc:a2:29:a3: + 47:4d:b4:94:9d:7b:51:ec:e4:13:fb:cd:e9:26:ca: + a7:93 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + C1:CD:C0:2C:34:F4:3B:BB:E3:CA:98:35:7D:6A:15:33:94:5C:11:3A + X509v3 Authority Key Identifier: + keyid:05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:02 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 65:ef:ab:69:45:9f:a9:92:4d:2c:3c:83:11:ec:03:35:9f:f2: + 8d:53:b8:b0:19:7d:93:66:ca:c6:9b:a1:16:ac:9c:29:39:14: + 9f:1e:08:bd:c7:80:31:e0:f5:cc:a5:ff:0e:dc:82:bd:64:fa: + 45:eb:c3:b8:86:20:5e:e5:ab:9a:04:25:4e:57:d0:13:93:3d: + 8b:cd:77:d3:f3:26:29:e9:6a:84:30:27:e3:20:88:3c:dd:91: + b6:37:42:10:d1:70:49:2f:28:33:12:36:06:df:3a:41:22:d3: + a8:f1:91:08:7a:fd:f7:85:1e:0a:2f:70:90:14:d6:8f:95:d2: + 53:4f:cc:f6:ec:91:eb:3b:46:db:12:e3:21:e5:f2:b8:64:90: + cd:d0:54:35:49:d1:1d:07:24:1b:dc:03:d4:27:6e:11:2f:1a: + 60:ac:df:63:ea:90:cd:c0:f0:92:e3:90:49:13:8c:aa:2f:af: + a1:4d:e2:0c:10:26:2f:80:1e:99:2b:d8:b2:30:d2:e8:10:a6: + 8c:01:9b:10:df:b9:4b:25:23:ce:8e:e6:14:eb:dd:ed:8e:6a: + cf:3a:1b:7e:8c:f3:98:d7:7c:e6:d1:b3:b8:20:86:82:c8:b6: + cf:86:91:71:d0:88:24:2d:9a:c0:60:69:0b:8a:58:4a:d3:93: + 41:99:7a:77 +-----BEGIN CERTIFICATE----- +MIIE9DCCA9ygAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM +IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMB4XDTE1MTIwNzIyNDIzMFoXDTE4MDkwMjIyNDIzMFowgZgxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl +MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE +AwwQd3d3My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4ZZR4XOdQz/Jdk +aYBR+2x8yuG6KqvS3TBh8y5HwdQzwP9TIbotFKa5fGbKRXscfY/8dfOaafFsJUag +kl0Ak+MipmC5lwU3f6GqzSKBcrEiRz18jUZVvDJN0oRDXBVDByJwNjmTG+ihRrsC +hbodMayxPIRb648fYopxUp4LY7bm1kbMGQbWuwaB5AslFGxjlHAaJzeVJEAHMPUk +c8O9+Q5fts1PGIjw16Ob9bAe/gQDpY1z92sxdIX9YfqeUzd1kOb4tZhm6FJNSkw5 +BWXBNPnGlSewB8FRlqiCGyLPQd/etJS3Dbph+/RAfKH8oimjR020lJ17UezkE/vN +6SbKp5MCAwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMHNwCw09Du7 +48qYNX1qFTOUXBE6MIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8X +oYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4G +A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l +ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ +aW5mb0B3b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk +MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEB +CwUAA4IBAQBl76tpRZ+pkk0sPIMR7AM1n/KNU7iwGX2TZsrGm6EWrJwpORSfHgi9 +x4Ax4PXMpf8O3IK9ZPpF68O4hiBe5auaBCVOV9ATkz2LzXfT8yYp6WqEMCfjIIg8 +3ZG2N0IQ0XBJLygzEjYG3zpBItOo8ZEIev33hR4KL3CQFNaPldJTT8z27JHrO0bb +EuMh5fK4ZJDN0FQ1SdEdByQb3APUJ24RLxpgrN9j6pDNwPCS45BJE4yqL6+hTeIM +ECYvgB6ZK9iyMNLoEKaMAZsQ37lLJSPOjuYU693tjmrPOht+jPOY13zm0bO4IIaC +yLbPhpFx0IgkLZrAYGkLilhK05NBmXp3 +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 7 22:42:29 2015 GMT + Not After : Sep 2 22:42:29 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4: + 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7: + 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6: + 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77: + 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db: + 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb: + ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98: + 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1: + 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a: + 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52: + 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d: + f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35: + cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36: + a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f: + 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55: + f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96: + aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff: + d9:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:EF:57:D8:F5:69:38:95:25 + + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 00:5e:fe:87:51:fc:e7:de:5c:e5:97:17:d2:af:6d:3b:65:29: + 27:3b:06:d7:55:5a:93:56:12:0f:8b:e7:57:69:dc:ae:ec:ec: + 2b:cd:cd:d0:15:c0:63:a3:5c:d9:6e:59:d2:88:b6:da:1c:ac: + b7:fe:46:2a:37:7b:5f:0b:30:80:7e:a5:46:8f:38:58:7e:df: + 8e:d0:f9:27:e6:e7:26:01:f8:04:5f:21:0d:7a:27:85:af:f8: + 41:15:aa:1d:73:3d:32:2a:a1:6b:f7:9e:36:3a:a3:26:dc:b8: + be:f2:61:ea:11:49:1c:43:68:5f:8c:a5:87:7b:71:a6:78:d0: + 1a:f1:f7:45:6c:59:eb:88:b5:ef:00:59:4f:71:48:00:73:11: + 2c:74:af:8d:1e:67:ee:cf:b3:9d:a4:64:ee:90:a7:f8:69:0a: + 8f:9b:74:89:68:c7:e4:1b:22:73:f1:23:94:c2:dd:4a:11:ee: + 9c:99:20:f7:e1:06:2a:ef:1b:1a:1c:10:f9:0b:0b:49:82:af: + 5f:38:75:0c:c3:a5:b8:9f:21:c5:61:eb:6d:6e:2d:d5:b5:89: + 19:28:ff:94:c1:55:eb:77:79:b5:57:e1:44:05:54:28:ca:66: + c5:4e:75:63:1b:b7:c4:57:fa:35:94:f7:82:3d:06:cc:f0:13: + bf:0e:23:70 +-----BEGIN CERTIFICATE----- +MIIE8TCCA9mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L +RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLH +dbRqK6kjhb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcu +SyjFU0YjK4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPk +yIlDYfEluM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1 +JMvpSd+BnZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkF +UPC/7H8S4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORG +eP/ZmQIDAQABo4IBNDCCATAwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi +7ioFJLcRrS1g8ZAUjxcwgcwGA1UdIwSBxDCBwYAUc7AcpC+Cy89HpTjXsASCOn5y +FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw +DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp +bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tggkA71fY9Wk4lSUwMgYIKwYBBQUHAQEEJjAkMCIG +CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUA +A4IBAQAAXv6HUfzn3lzllxfSr207ZSknOwbXVVqTVhIPi+dXadyu7Owrzc3QFcBj +o1zZblnSiLbaHKy3/kYqN3tfCzCAfqVGjzhYft+O0Pkn5ucmAfgEXyENeieFr/hB +Faodcz0yKqFr9542OqMm3Li+8mHqEUkcQ2hfjKWHe3GmeNAa8fdFbFnriLXvAFlP +cUgAcxEsdK+NHmfuz7OdpGTukKf4aQqPm3SJaMfkGyJz8SOUwt1KEe6cmSD34QYq +7xsaHBD5CwtJgq9fOHUMw6W4nyHFYettbi3VtYkZKP+UwVXrd3m1V+FEBVQoymbF +TnVjG7fEV/o1lPeCPQbM8BO/DiNw +-----END CERTIFICATE----- diff --git a/certs/ocsp/server3-key.pem b/certs/ocsp/server3-key.pem new file mode 100644 index 000000000..30e108011 --- /dev/null +++ b/certs/ocsp/server3-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+GWUeFznUM/yX +ZGmAUftsfMrhuiqr0t0wYfMuR8HUM8D/UyG6LRSmuXxmykV7HH2P/HXzmmnxbCVG +oJJdAJPjIqZguZcFN3+hqs0igXKxIkc9fI1GVbwyTdKEQ1wVQwcicDY5kxvooUa7 +AoW6HTGssTyEW+uPH2KKcVKeC2O25tZGzBkG1rsGgeQLJRRsY5RwGic3lSRABzD1 +JHPDvfkOX7bNTxiI8Nejm/WwHv4EA6WNc/drMXSF/WH6nlM3dZDm+LWYZuhSTUpM +OQVlwTT5xpUnsAfBUZaoghsiz0Hf3rSUtw26Yfv0QHyh/KIpo0dNtJSde1Hs5BP7 +zekmyqeTAgMBAAECggEARDViddCJnF1m5X9O548C8qM4PJQK2YoYeVK76cAviQ9k +0XgnouCoB0aIn202Tv0jBHXmcJjYKJrQKS5WNe6OIbJ+FjihOmr2bbCWWCowV+Rf +wW0eV71NgJMx1OlCchKRzcaLfk8NdYPgmBtIlkYBW+BgQXGl7L2rIteUeEbH6Yj9 +yCn7ORQeFSbhZJTn2WdXhK3GWjV+1GyHyUyL2SSa2+G2LZ54Ifquq/F6rMGYB9lY +2K6Q6DB18aVxd/I/OYKeyBZcmJ9COgPUW7/fg0He73aduYdVvWZCRP1ygGdqSZFr +oqLVe34bEVFANUKylzRplRJdC4oKSUyTSubiOMKZ+QKBgQDf0mk3PolyvsfE2YGb +9/DsURIxZg14o9Pysp3yD1vvIYNz6WaddtJaj5OM7NzN8spu3wJSoeVgL6KYI6ah +ZTIYqy4ehOGPKBVL7SvLF+7q/QBMTdfllpdK7GLTtjBnz92TZl9bS/rBc9dCnnBC +EDkPPrc3nbk5/ADWd+K4RPG3HwKBgQDZbdiQCKY2ulppRcwjcAEIjhrFpShV21P6 +JNKt17HDBqULIAn+G9T/Gg/6yHWeY1DUgVBu1avb4L3jdnMPe2O+1jeaDzNRo6Xj +9v6PgGsiv4q7gfz7XqVwylUWIY7O52Ox/q+/QJBfwE0qe+E0t4syb44W4QvD9+k7 +fv77R7dFDQKBgQCe0SfVimtvX05TMN9V87YhiVk2ciqm6uDO+s02YI2kfgxPqFMm +8pRKrExPmBcJj/jyeQ2l4rjm6oYeHFX1ed/1PyoHf9SphxCtgoornzzpw0J94lKK +17Nc96Ucgs+QKiAYonCRULWKpY8d91zCk85ZMfBB54nySg2yIPlgNZOqkwKBgFO/ +Xqnj2vm7f7WKv91qd8tuyNsWCVpAl7EC2+8/5GVlOs71MUQiPkFgLYWADuXKBUlE +4dE/FeokP5/McPcmpL3Nzy7U6gRpDy2mZlipsxp4QpyErge4Zery1CEpHdOOBrV5 +jwIQgUuQS2iwvIbMp53uoAEp/5kk9T4IZXguIGZFAoGAMA/j0kHArT7FINf+O6R4 +3EyUTR139emLKHU2OlH/HfHVRZhHo4AmfUYksf+Njb81A6MKFd1XVmNnaumBIfq+ +6Ohoz1VMoO6aUiMMqbmBGaTHc30FVEtAQIRq2C8UDrEN67Sx3O/ngl0Br7lNri29 +LMSCe8fxf8+Kq0k+6tcsht4= +-----END PRIVATE KEY----- From 1d1af6410d0c4ee38c0860bd94272d6660531426 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 8 Dec 2015 07:27:43 -0800 Subject: [PATCH 117/177] OpenSSH added support for additional NID types. Update our compatibility layer --- src/ssl.c | 24 ++++++++++++++++++++---- wolfssl/openssl/evp.h | 1 + wolfssl/openssl/rsa.h | 7 +++++++ 3 files changed, 28 insertions(+), 4 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4362f95f1..90626cac4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13310,9 +13310,16 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m, return 0; } - if (type != NID_md5 && type != NID_sha1) { - WOLFSSL_MSG("Bad md type"); - return 0; + switch (type) { + case NID_md2: break; + case NID_md5: break; + case NID_sha1: break; + case NID_sha256: break; + case NID_sha384: break; + case NID_sha512: break; + default: + WOLFSSL_MSG("This NID_ is not yet implemented"); + return 0; } if (rsa->inSet == 0) @@ -13356,7 +13363,16 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m, } if (rng) { - type = (type == NID_md5) ? MD5h : SHAh; + + switch (type) { + case NID_md2: type = MD2h; break; + case NID_md5: type = MD5h; break; + case NID_sha1: type = SHAh; break; + case NID_sha256: type = SHA256h; break; + case NID_sha384: type = SHA384h; break; + case NID_sha512: type = SHA512h; break; + /* no default, already checked if NID is supported */ + } signSz = wc_EncodeSignature(encodedSig, m, mLen, type); if (signSz == 0) { diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index 6d3449f07..6ea1443e5 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -132,6 +132,7 @@ enum { EVP_PKEY_EC = 13, IDEA_CBC_TYPE = 14, NID_sha1 = 64, + NID_md2 = 3, NID_md5 = 4 }; diff --git a/wolfssl/openssl/rsa.h b/wolfssl/openssl/rsa.h index 2db993b65..210a24e4c 100644 --- a/wolfssl/openssl/rsa.h +++ b/wolfssl/openssl/rsa.h @@ -17,6 +17,13 @@ enum { RSA_PKCS1_PADDING = 1 }; +/* rsaTypes */ +enum { + NID_sha256 = 672, + NID_sha384 = 673, + NID_sha512 = 674 +}; + struct WOLFSSL_RSA { WOLFSSL_BIGNUM* n; WOLFSSL_BIGNUM* e; From 5fd4903fde243e85bbe14b798f99e465ac4b327a Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Tue, 8 Dec 2015 09:32:00 -0800 Subject: [PATCH 118/177] bump version to 3.7.3 --- configure.ac | 4 ++-- support/wolfssl.pc | 2 +- wolfssl/version.h | 4 ++-- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index 9dcb798db..a495b2234 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.7.2],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.7.3],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -WOLFSSL_LIBRARY_VERSION=2:0:1 +WOLFSSL_LIBRARY_VERSION=3:0:0 # | | | # +------+ | +---+ # | | | diff --git a/support/wolfssl.pc b/support/wolfssl.pc index ac202dc30..554fcdb4c 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.7.2 +Version: 3.7.3 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfssl/version.h b/wolfssl/version.h index cd01ec856..831ac42c3 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.7.2" -#define LIBWOLFSSL_VERSION_HEX 0x03007002 +#define LIBWOLFSSL_VERSION_STRING "3.7.3" +#define LIBWOLFSSL_VERSION_HEX 0x03007003 #ifdef __cplusplus } From 1153c31bbbbc6aa8ad90b7d7941d9c2f9572d8b8 Mon Sep 17 00:00:00 2001 From: David Garske Date: Wed, 9 Dec 2015 09:53:59 -0800 Subject: [PATCH 119/177] Added compile time check for ALT_ECC_SIZE requiring USE_FAST_MATH. --- wolfssl/wolfcrypt/ecc.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfssl/wolfcrypt/ecc.h b/wolfssl/wolfcrypt/ecc.h index 880b36237..a23fa71f2 100644 --- a/wolfssl/wolfcrypt/ecc.h +++ b/wolfssl/wolfcrypt/ecc.h @@ -85,6 +85,10 @@ typedef struct { * Do not enable ALT_ECC_SIZE and disable fast math in the configuration. */ +#ifndef USE_FAST_MATH + #error USE_FAST_MATH must be defined to use ALT_ECC_SIZE +#endif + #ifndef FP_MAX_BITS_ECC #define FP_MAX_BITS_ECC 528 #endif From 1c4b3016e6b1309c96637b04e43c073b8efe033c Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Thu, 10 Dec 2015 11:45:27 -0700 Subject: [PATCH 120/177] set required tls1_2 for when using ChaCha20-Poly1305 suite --- src/internal.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index a15a63016..bdddaa072 100644 --- a/src/internal.c +++ b/src/internal.c @@ -967,14 +967,14 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, #endif #ifdef BUILD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls && haveRSA) { + if (tls1_2 && haveRSA) { suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256; } #endif #ifdef BUILD_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 - if (tls && haveRSA) { + if (tls1_2 && haveRSA) { suites->suites[idx++] = CHACHA_BYTE; suites->suites[idx++] = TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256; } From 89518ad44560888c0ec4bbcf4fb4a4ba0ccd3060 Mon Sep 17 00:00:00 2001 From: David Garske Date: Thu, 10 Dec 2015 10:48:50 -0800 Subject: [PATCH 121/177] Cleanup of the leading zero detection in wc_RsaKeyToDer and wc_DsaKeyToDer to use existing mp_leading_bit function. --- wolfcrypt/src/asn.c | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index a23190005..479c5d3c8 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -1980,11 +1980,7 @@ int wc_DsaKeyToDer(DsaKey* key, byte* output, word32 inLen) mp_int* keyInt = GetDsaInt(key, i); /* leading zero */ - if ((mp_count_bits(keyInt) & 7) == 0 || mp_iszero(keyInt) == MP_YES) - lbit = 1; - else - lbit = 0; - + lbit = mp_leading_bit(keyInt); rawLen = mp_unsigned_bin_size(keyInt) + lbit; tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, NULL, DYNAMIC_TYPE_DSA); @@ -5606,11 +5602,7 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) mp_int* keyInt = GetRsaInt(key, i); /* leading zero */ - if ((mp_count_bits(keyInt) & 7) == 0 || mp_iszero(keyInt) == MP_YES) - lbit = 1; - else - lbit = 0; - + lbit = mp_leading_bit(keyInt); rawLen = mp_unsigned_bin_size(keyInt) + lbit; tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, From bc54b18caddafe1f721dd3bab19a596664e7899a Mon Sep 17 00:00:00 2001 From: Andrew Burks Date: Thu, 10 Dec 2015 16:55:49 -0800 Subject: [PATCH 122/177] Issue #213: AES fails with Freescale (mm)CAU. --- wolfcrypt/src/aes.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index 9188db33f..efefd0c62 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -2166,7 +2166,7 @@ int wc_AesSetIV(Aes* aes, const byte* iv) { XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE); - wc_AesEncrypt(aes, in + offset, out + offset); + wc_AesDecrypt(aes, in + offset, out + offset); /* XOR block with IV for CBC */ for (i = 0; i < AES_BLOCK_SIZE; i++) From 03a643cc35f161d48472664626c380117403d1bf Mon Sep 17 00:00:00 2001 From: Andrew Burks Date: Thu, 10 Dec 2015 17:04:48 -0800 Subject: [PATCH 123/177] Issue #215: Signature module uses old RNG. Use the new WC_RNG construct instead in order to prevent conflicts with board support packages. --- wolfcrypt/src/signature.c | 2 +- wolfssl/wolfcrypt/signature.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/signature.c b/wolfcrypt/src/signature.c index 618632a43..bc1853052 100644 --- a/wolfcrypt/src/signature.c +++ b/wolfcrypt/src/signature.c @@ -175,7 +175,7 @@ int wc_SignatureGenerate( enum wc_HashType hash_type, enum wc_SignatureType sig_type, const byte* data, word32 data_len, byte* sig, word32 *sig_len, - const void* key, word32 key_len, RNG* rng) + const void* key, word32 key_len, WC_RNG* rng) { int ret, hash_len; byte *hash_data = NULL; diff --git a/wolfssl/wolfcrypt/signature.h b/wolfssl/wolfcrypt/signature.h index 24d2b3a67..8ef2a6002 100644 --- a/wolfssl/wolfcrypt/signature.h +++ b/wolfssl/wolfcrypt/signature.h @@ -54,7 +54,7 @@ WOLFSSL_API int wc_SignatureGenerate( const byte* data, word32 data_len, byte* sig, word32 *sig_len, const void* key, word32 key_len, - RNG* rng); + WC_RNG* rng); #ifdef __cplusplus } /* extern "C" */ From a834c2acf6030c1c1e0b68fe788649bb03cd20c6 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 11 Dec 2015 18:41:09 -0800 Subject: [PATCH 124/177] improved DTLS handshake sequence numbering when retransmitting finished message --- src/internal.c | 151 ++++++++++++++++++--------------------------- wolfssl/internal.h | 4 +- 2 files changed, 64 insertions(+), 91 deletions(-) diff --git a/src/internal.c b/src/internal.c index bdddaa072..3dfbfbdf8 100644 --- a/src/internal.c +++ b/src/internal.c @@ -84,7 +84,7 @@ WOLFSSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS #endif static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, - const byte* input, int inSz, int type); + const byte* input, int inSz, int type, int hashOutput); #ifndef NO_WOLFSSL_CLIENT static int DoHelloVerifyRequest(WOLFSSL* ssl, const byte* input, word32*, @@ -2282,6 +2282,7 @@ int DtlsPoolSave(WOLFSSL* ssl, const byte *src, int sz) return MEMORY_ERROR; } XMEMCPY(pBuf->buffer, src, sz); + pool->epoch[pool->used] = ssl->keys.dtls_epoch; pBuf->length = (word32)sz; pool->used++; } @@ -2331,40 +2332,53 @@ int DtlsPoolTimeout(WOLFSSL* ssl) int DtlsPoolSend(WOLFSSL* ssl) { - int ret; - DtlsPool *pool = ssl->dtls_pool; + DtlsPool* pool = ssl->dtls_pool; if (pool != NULL && pool->used > 0) { - int i; - for (i = 0; i < pool->used; i++) { - int sendResult; - buffer* buf = &pool->buf[i]; + int ret = 0; + int i; + buffer* buf; - DtlsRecordLayerHeader* dtls = (DtlsRecordLayerHeader*)buf->buffer; + for (i = 0, buf = pool->buf; i < pool->used; i++, buf++) { + if (pool->epoch[i] == 0) { + DtlsRecordLayerHeader* dtls; - word16 message_epoch; - ato16(dtls->epoch, &message_epoch); - if (message_epoch == ssl->keys.dtls_epoch) { - /* Increment record sequence number on retransmitted handshake - * messages */ - c32to48(ssl->keys.dtls_sequence_number, dtls->sequence_number); - ssl->keys.dtls_sequence_number++; + dtls = (DtlsRecordLayerHeader*)buf->buffer; + c32to48(ssl->keys.dtls_prev_sequence_number++, + dtls->sequence_number); + if ((ret = CheckAvailableSize(ssl, buf->length)) != 0) + return ret; + + XMEMCPY(ssl->buffers.outputBuffer.buffer, + buf->buffer, buf->length); + ssl->buffers.outputBuffer.idx = 0; + ssl->buffers.outputBuffer.length = buf->length; } - else { - /* The Finished message is sent with the next epoch, keep its - * sequence number */ + else if (pool->epoch[i] == ssl->keys.dtls_epoch) { + byte* input; + byte* output; + int inputSz, sendSz; + + input = buf->buffer; + inputSz = buf->length; + sendSz = inputSz + MAX_MSG_EXTRA; + + if ((ret = CheckAvailableSize(ssl, sendSz)) != 0) + return ret; + + output = ssl->buffers.outputBuffer.buffer + + ssl->buffers.outputBuffer.length; + sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, + handshake, 0); + if (sendSz < 0) + return BUILD_MSG_ERROR; + + ssl->buffers.outputBuffer.length += sendSz; } - if ((ret = CheckAvailableSize(ssl, buf->length)) != 0) + ret = SendBuffered(ssl); + if (ret < 0) { return ret; - - XMEMCPY(ssl->buffers.outputBuffer.buffer, buf->buffer, buf->length); - ssl->buffers.outputBuffer.idx = 0; - ssl->buffers.outputBuffer.length = buf->length; - - sendResult = SendBuffered(ssl); - if (sendResult < 0) { - return sendResult; } } } @@ -5091,14 +5105,6 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, if (!ssl->options.resuming) { ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* Other side has received our Finished, go to next epoch */ - ssl->keys.dtls_epoch++; - ssl->keys.dtls_sequence_number = 1; - } -#endif } } else { @@ -5106,14 +5112,6 @@ int DoFinished(WOLFSSL* ssl, const byte* input, word32* inOutIdx, word32 size, if (ssl->options.resuming) { ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; - -#ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* Other side has received our Finished, go to next epoch */ - ssl->keys.dtls_epoch++; - ssl->keys.dtls_sequence_number = 1; - } -#endif } } @@ -7464,7 +7462,7 @@ int SendChangeCipher(WOLFSSL* ssl) input[0] = 1; /* turn it on */ sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - change_cipher_spec); + change_cipher_spec, 0); if (sendSz < 0) return sendSz; } @@ -7694,7 +7692,7 @@ static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes) /* Build SSL Message, encrypted */ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, - const byte* input, int inSz, int type) + const byte* input, int inSz, int type, int hashOutput) { #ifdef HAVE_TRUNCATED_HMAC word32 digestSz = min(ssl->specs.hash_size, @@ -7769,7 +7767,7 @@ static int BuildMessage(WOLFSSL* ssl, byte* output, int outSz, XMEMCPY(output + idx, input, inSz); idx += inSz; - if (type == handshake) { + if (type == handshake && hashOutput) { ret = HashOutput(ssl, output, headerSz + inSz, ivSz); if (ret != 0) return ret; @@ -7843,11 +7841,6 @@ int SendFinished(WOLFSSL* ssl) int headerSz = HANDSHAKE_HEADER_SZ; int outputSz; - #ifdef WOLFSSL_DTLS - word32 sequence_number = ssl->keys.dtls_sequence_number; - word16 epoch = ssl->keys.dtls_epoch; - #endif - /* setup encrypt keys */ if ((ret = SetKeysSide(ssl, ENCRYPT_SIDE_ONLY)) != 0) return ret; @@ -7859,11 +7852,11 @@ int SendFinished(WOLFSSL* ssl) #ifdef WOLFSSL_DTLS if (ssl->options.dtls) { - /* Send Finished message with the next epoch, but don't commit that - * change until the other end confirms its reception. */ headerSz += DTLS_HANDSHAKE_EXTRA; ssl->keys.dtls_epoch++; - ssl->keys.dtls_sequence_number = 0; /* reset after epoch change */ + ssl->keys.dtls_prev_sequence_number = + ssl->keys.dtls_sequence_number; + ssl->keys.dtls_sequence_number = 0; } #endif @@ -7890,18 +7883,18 @@ int SendFinished(WOLFSSL* ssl) } #endif + #ifdef WOLFSSL_DTLS + if (ssl->options.dtls) { + if ((ret = DtlsPoolSave(ssl, input, headerSz + finishedSz)) != 0) + return ret; + } + #endif + sendSz = BuildMessage(ssl, output, outputSz, input, headerSz + finishedSz, - handshake); + handshake, 1); if (sendSz < 0) return BUILD_MSG_ERROR; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - ssl->keys.dtls_epoch = epoch; - ssl->keys.dtls_sequence_number = sequence_number; - } - #endif - if (!ssl->options.resuming) { #ifndef NO_SESSION_CACHE AddSession(ssl); /* just try */ @@ -7909,36 +7902,14 @@ int SendFinished(WOLFSSL* ssl) if (ssl->options.side == WOLFSSL_SERVER_END) { ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* Other side will soon receive our Finished, go to next - * epoch. */ - ssl->keys.dtls_epoch++; - ssl->keys.dtls_sequence_number = 1; - } - #endif } } else { if (ssl->options.side == WOLFSSL_CLIENT_END) { ssl->options.handShakeState = HANDSHAKE_DONE; ssl->options.handShakeDone = 1; - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - /* Other side will soon receive our Finished, go to next - * epoch. */ - ssl->keys.dtls_epoch++; - ssl->keys.dtls_sequence_number = 1; - } - #endif } } - #ifdef WOLFSSL_DTLS - if (ssl->options.dtls) { - if ((ret = DtlsPoolSave(ssl, output, sendSz)) != 0) - return ret; - } - #endif #ifdef WOLFSSL_CALLBACKS if (ssl->hsInfoOn) AddPacketName("Finished", &ssl->handShakeInfo); @@ -8146,7 +8117,7 @@ int SendCertificate(WOLFSSL* ssl) XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); } - sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake); + sendSz = BuildMessage(ssl, output,sendSz,input,inputSz,handshake,1); XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sendSz < 0) @@ -8361,7 +8332,7 @@ int SendData(WOLFSSL* ssl, const void* data, int sz) } #endif sendSz = BuildMessage(ssl, out, outputSz, sendBuffer, buffSz, - application_data); + application_data, 0); if (sendSz < 0) return BUILD_MSG_ERROR; @@ -8512,7 +8483,7 @@ int SendAlert(WOLFSSL* ssl, int severity, int type) /* only send encrypted alert if handshake actually complete, otherwise other side may not be able to handle it */ if (IsEncryptionOn(ssl, 1) && ssl->options.handShakeDone) - sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE, alert); + sendSz = BuildMessage(ssl, output, outputSz, input, ALERT_SIZE,alert,0); else { AddRecordHeader(output, ALERT_SIZE, alert, ssl); @@ -10141,7 +10112,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl, return MEMORY_E; XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake); + sendSz = BuildMessage(ssl, output,sendSz,input,inputSz,handshake,1); XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sendSz < 0) @@ -12313,7 +12284,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, - handshake); + handshake, 1); XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sendSz < 0) { #ifdef WOLFSSL_SMALL_STACK @@ -12686,7 +12657,7 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer) XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); sendSz = BuildMessage(ssl, output, MAX_CERT_VERIFY_SZ +MAX_MSG_EXTRA, - input, inputSz, handshake); + input, inputSz, handshake, 1); XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sendSz < 0) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 7acd2a064..2f5d329ee 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1445,8 +1445,9 @@ typedef struct Keys { word16 dtls_peer_handshake_number; word16 dtls_expected_peer_handshake_number; - word16 dtls_epoch; /* Current tx epoch */ word32 dtls_sequence_number; /* Current tx sequence */ + word32 dtls_prev_sequence_number; /* Previous epoch's seq number*/ + word16 dtls_epoch; /* Current tx epoch */ word16 dtls_handshake_number; /* Current tx handshake seq */ #endif @@ -2289,6 +2290,7 @@ typedef struct DtlsRecordLayerHeader { typedef struct DtlsPool { buffer buf[DTLS_POOL_SZ]; + word16 epoch[DTLS_POOL_SZ]; int used; } DtlsPool; From 196b983b7b67cc0e398cd9c9b6337baa8ddfaa61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Sun, 13 Dec 2015 18:02:19 -0300 Subject: [PATCH 125/177] adds ocsp test scripts; --- SCRIPTS-LIST | 11 +++++-- certs/external/ca-globalsign-root-r2.pem | 22 +++++++++++++ certs/external/ca-verisign-g5.pem | 28 +++++++++++++++++ certs/ocsp/ocspd0.sh | 14 ++++----- certs/ocsp/ocspd1.sh | 14 ++++----- certs/ocsp/ocspd2.sh | 14 ++++----- configure.ac | 4 +++ examples/client/client.c | 31 ++++++++++++++----- examples/server/server.c | 6 ++-- scripts/include.am | 18 ++++++++++- scripts/ocsp-stapling.test | 39 ++++++++++++++++++++++++ scripts/ocsp-stapling2.test | 35 +++++++++++++++++++++ scripts/ocsp.test | 20 ++++++++++++ src/internal.c | 1 - 14 files changed, 219 insertions(+), 38 deletions(-) create mode 100644 certs/external/ca-globalsign-root-r2.pem create mode 100644 certs/external/ca-verisign-g5.pem create mode 100755 scripts/ocsp-stapling.test create mode 100755 scripts/ocsp-stapling2.test create mode 100755 scripts/ocsp.test diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST index 2f2306590..ffea9432f 100644 --- a/SCRIPTS-LIST +++ b/SCRIPTS-LIST @@ -19,13 +19,20 @@ certs/ renewcerts.sh - renews test certs and crls crl/ gencrls.sh - generates crls, used by renewcerts.sh + ocsp/ + renewcerts.sh - renews ocsp certs + ocspd0.sh - ocsp responder for root-ca-cert.pem + ocspd1.sh - ocsp responder for intermediate1-ca-cert.pem + ocspd2.sh - ocsp responder for intermediate2-ca-cert.pem scripts/ external.test - example client test against our website, part of tests google.test - example client test against google, part of tests resume.test - example sessoin resume test, part of tests - sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests - in sniffer mode + ocsp-stapling.test - example client test against globalsign, part of tests + ocsp-stapling2.test - example client test against example server, part of tests + sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests + in sniffer mode swig/ PythonBuild.sh - builds and runs simple python example diff --git a/certs/external/ca-globalsign-root-r2.pem b/certs/external/ca-globalsign-root-r2.pem new file mode 100644 index 000000000..6f0f8db0d --- /dev/null +++ b/certs/external/ca-globalsign-root-r2.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDujCCAqKgAwIBAgILBAAAAAABD4Ym5g0wDQYJKoZIhvcNAQEFBQAwTDEgMB4G +A1UECxMXR2xvYmFsU2lnbiBSb290IENBIC0gUjIxEzARBgNVBAoTCkdsb2JhbFNp +Z24xEzARBgNVBAMTCkdsb2JhbFNpZ24wHhcNMDYxMjE1MDgwMDAwWhcNMjExMjE1 +MDgwMDAwWjBMMSAwHgYDVQQLExdHbG9iYWxTaWduIFJvb3QgQ0EgLSBSMjETMBEG +A1UEChMKR2xvYmFsU2lnbjETMBEGA1UEAxMKR2xvYmFsU2lnbjCCASIwDQYJKoZI +hvcNAQEBBQADggEPADCCAQoCggEBAKbPJA6+Lm8omUVCxKs+IVSbC9N/hHD6ErPL +v4dfxn+G07IwXNb9rfF73OX4YJYJkhD10FPe+3t+c4isUoh7SqbKSaZeqKeMWhG8 +eoLrvozps6yWJQeXSpkqBy+0Hne/ig+1AnwblrjFuTosvNYSuetZfeLQBoZfXklq +tTleiDTsvHgMCJiEbKjNS7SgfQx5TfC4LcshytVsW33hoCmEofnTlEnLJGKRILzd +C9XZzPnqJworc5HGnRusyMvo4KD0L5CLTfuwNhv2GXqF4G3yYROIXJ/gkwpRl4pa +zq+r1feqCapgvdzZX99yqWATXgAByUr6P6TqBwMhAo6CygPCm48CAwEAAaOBnDCB +mTAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUm+IH +V2ccHsBqBt5ZtJot39wZhi4wNgYDVR0fBC8wLTAroCmgJ4YlaHR0cDovL2NybC5n +bG9iYWxzaWduLm5ldC9yb290LXIyLmNybDAfBgNVHSMEGDAWgBSb4gdXZxwewGoG +3lm0mi3f3BmGLjANBgkqhkiG9w0BAQUFAAOCAQEAmYFThxxol4aR7OBKuEQLq4Gs +J0/WwbgcQ3izDJr86iw8bmEbTUsp9Z8FHSbBuOmDAGJFtqkIk7mpM0sYmsL4h4hO +291xNBrBVNpGP+DTKqttVCL1OmLNIG+6KYnX3ZHu01yiPqFbQfXf5WRDLenVOavS +ot+3i9DAgBkcRcAtjOj4LaR0VknFBbVPFd5uRHg5h6h+u/N5GJG79G+dwfCMNYxd +AfvDbbnvRG15RjF+Cv6pgsH/76tuIMRQyV+dTZsXjAzlAcmgQWpzU/qlULRuJQ/7 +TBj0/VLZjmmx6BEP3ojY+x1J96relc8geMJgEtslQIxq/H5COEBkEveegeGTLg== +-----END CERTIFICATE----- diff --git a/certs/external/ca-verisign-g5.pem b/certs/external/ca-verisign-g5.pem new file mode 100644 index 000000000..707ff085b --- /dev/null +++ b/certs/external/ca-verisign-g5.pem @@ -0,0 +1,28 @@ +-----BEGIN CERTIFICATE----- +MIIE0zCCA7ugAwIBAgIQGNrRniZ96LtKIVjNzGs7SjANBgkqhkiG9w0BAQUFADCB +yjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL +ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJp +U2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxW +ZXJpU2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0 +aG9yaXR5IC0gRzUwHhcNMDYxMTA4MDAwMDAwWhcNMzYwNzE2MjM1OTU5WjCByjEL +MAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZW +ZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTowOAYDVQQLEzEoYykgMjAwNiBWZXJpU2ln +biwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5MUUwQwYDVQQDEzxWZXJp +U2lnbiBDbGFzcyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9y +aXR5IC0gRzUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCvJAgIKXo1 +nmAMqudLO07cfLw8RRy7K+D+KQL5VwijZIUVJ/XxrcgxiV0i6CqqpkKzj/i5Vbex +t0uz/o9+B1fs70PbZmIVYc9gDaTY3vjgw2IIPVQT60nKWVSFJuUrjxuf6/WhkcIz +SdhDY2pSS9KP6HBRTdGJaXvHcPaz3BJ023tdS1bTlr8Vd6Gw9KIl8q8ckmcY5fQG +BO+QueQA5N06tRn/Arr0PO7gi+s3i+z016zy9vA9r911kTMZHRxAy3QkGSGT2RT+ +rCpSx4/VBEnkjWNHiDxpg8v+R70rfk/Fla4OndTRQ8Bnc+MUCH7lP59zuDMKz10/ +NIeWiu5T6CUVAgMBAAGjgbIwga8wDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8E +BAMCAQYwbQYIKwYBBQUHAQwEYTBfoV2gWzBZMFcwVRYJaW1hZ2UvZ2lmMCEwHzAH +BgUrDgMCGgQUj+XTGoasjY5rw8+AatRIGCx7GS4wJRYjaHR0cDovL2xvZ28udmVy +aXNpZ24uY29tL3ZzbG9nby5naWYwHQYDVR0OBBYEFH/TZafC3ey78DAJ80M5+gKv +MzEzMA0GCSqGSIb3DQEBBQUAA4IBAQCTJEowX2LP2BqYLz3q3JktvXf2pXkiOOzE +p6B4Eq1iDkVwZMXnl2YtmAl+X6/WzChl8gGqCBpH3vn5fJJaCGkgDdk+bW48DW7Y +5gaRQBi5+MHt39tBquCWIMnNZBU4gcmU7qKEKQsTb47bDN0lAtukixlE0kF6BWlK +WE9gyn6CagsCqiUXObXbf+eEZSqVir2G3l6BFoMtEMze/aiCKm0oHw0LxOXnGiYZ +4fQRbxC1lfznQgUy286dUV4otp6F01vvpX1FQHKOtw5rDgb7MzVIcbidJ4vEZV8N +hnacRHr2lVz2XTIIM6RUthg/aFzyQkqFOFSDX9HoLPKsEdao7WNq +-----END CERTIFICATE----- diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh index ea15a1c7a..33baeee14 100755 --- a/certs/ocsp/ocspd0.sh +++ b/certs/ocsp/ocspd0.sh @@ -1,10 +1,8 @@ #!/bin/bash -openssl ocsp \ - -index index0.txt \ - -port 22220 \ - -rsigner ocsp-responder-cert.pem \ - -rkey ocsp-responder-key.pem \ - -CA root-ca-cert.pem \ - -nmin 1 \ - -text +openssl ocsp -port 22220 -nmin 1 -text \ + -index certs/ocsp/index0.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/root-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh index 60390216d..1a6f2dc2a 100755 --- a/certs/ocsp/ocspd1.sh +++ b/certs/ocsp/ocspd1.sh @@ -1,10 +1,8 @@ #!/bin/bash -openssl ocsp \ - -index index1.txt \ - -port 22221 \ - -rsigner ocsp-responder-cert.pem \ - -rkey ocsp-responder-key.pem \ - -CA intermediate1-ca-cert.pem \ - -nmin 1 \ - -text +openssl ocsp -port 22221 -nmin 1 -text \ + -index certs/ocsp/index1.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate1-ca-cert.pem \ + $@ diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh index f827bbcb6..04f3ae2bf 100755 --- a/certs/ocsp/ocspd2.sh +++ b/certs/ocsp/ocspd2.sh @@ -1,10 +1,8 @@ #!/bin/bash -openssl ocsp \ - -index index2.txt \ - -port 22222 \ - -rsigner ocsp-responder-cert.pem \ - -rkey ocsp-responder-key.pem \ - -CA intermediate2-ca-cert.pem \ - -nmin 1 \ - -text +openssl ocsp -port 22222 -nmin 1 -text \ + -index certs/ocsp/index2.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate2-ca-cert.pem \ + $@ diff --git a/configure.ac b/configure.ac index e7bd09bad..35497b851 100644 --- a/configure.ac +++ b/configure.ac @@ -1676,6 +1676,8 @@ then fi fi +AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"]) + # Certificate Status Request v2 : a.k.a. OCSP stapling v2 AC_ARG_ENABLE([ocspstapling2], [AS_HELP_STRING([--enable-ocspstapling2],[Enable Certificate Status Request v2 - a.k.a. OCSP Stapling v2 (default: disabled)])], @@ -1696,6 +1698,8 @@ then fi fi +AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"]) + # Renegotiation Indication - (FAKE Secure Renegotiation) AC_ARG_ENABLE([renegotiation-indication], [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])], diff --git a/examples/client/client.c b/examples/client/client.c index 79d735b44..f96258664 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -484,7 +484,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W")) != -1) { + "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W:")) != -1) { switch (ch) { case '?' : Usage(); @@ -678,7 +678,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) case 'W' : #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - statusRequest = 1; + statusRequest = atoi(myoptarg); #endif break; @@ -1006,18 +1006,35 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (statusRequest) { - if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP, + switch (statusRequest) { + case WOLFSSL_CSR_OCSP: + if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) - err_sys("UseCertificateStatusRequest failed"); + err_sys("UseCertificateStatusRequest failed"); + + break; + } wolfSSL_CTX_EnableOCSP(ctx, 0); } #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (statusRequest) { - if (wolfSSL_UseCertificateStatusRequestV2(ssl, WOLFSSL_CSR2_OCSP, - WOLFSSL_CSR2_OCSP_USE_NONCE) != SSL_SUCCESS) - err_sys("UseCertificateStatusRequest failed"); + switch (statusRequest) { + case WOLFSSL_CSR2_OCSP: + if (wolfSSL_UseCertificateStatusRequestV2(ssl, + WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); + break; + case WOLFSSL_CSR2_OCSP_MULTI: + if (wolfSSL_UseCertificateStatusRequestV2(ssl, + WOLFSSL_CSR2_OCSP_MULTI, 0) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); + break; + + } wolfSSL_CTX_EnableOCSP(ctx, 0); } diff --git a/examples/server/server.c b/examples/server/server.c index 000d35a1c..b413b81b0 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -729,7 +729,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS) err_sys("can't enable OCSP Stapling Certificate Manager"); - if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS) + if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); + if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from wolfSSL home dir"); #endif #ifdef HAVE_PK_CALLBACKS @@ -967,5 +969,3 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) return 0; } #endif - - diff --git a/scripts/include.am b/scripts/include.am index 4b2c7982a..b4c66554c 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -9,8 +9,9 @@ dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test endif if BUILD_EXAMPLES + dist_noinst_SCRIPTS+= scripts/resume.test -EXTRA_DIST+= scripts/benchmark.test +EXTRA_DIST+= scripts/benchmark.test if BUILD_CRL # make revoked test rely on completion of resume test @@ -23,6 +24,21 @@ dist_noinst_SCRIPTS+= scripts/external.test dist_noinst_SCRIPTS+= scripts/google.test #dist_noinst_SCRIPTS+= scripts/openssl.test endif + +if BUILD_OCSP +dist_noinst_SCRIPTS+= scripts/ocsp.test +endif + +if BUILD_OCSP_STAPLING +dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test +scripts/ocsp-stapling.log: scripts/ocsp.log +endif + +if BUILD_OCSP_STAPLING_V2 +dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test +scripts/ocsp-stapling2.log: scripts/ocsp.log +endif + endif diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test new file mode 100755 index 000000000..7b4ac9cda --- /dev/null +++ b/scripts/ocsp-stapling.test @@ -0,0 +1,39 @@ +#!/bin/sh + +# ocsp-stapling.test + +trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT + +server=login.live.com +ca=certs/external/ca-verisign-g5.pem + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# is our desired server there? - login.live.com doesn't answers PING +# ping -c 2 $server +# RESULT=$? +# [ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0 + +# client test against the server +./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# setup ocsp responder +./certs/ocsp/ocspd1.sh & + +# client test against our own server - GOOD CERT +./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# client test against our own server - REVOKED CERT +./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 + +exit 0 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test new file mode 100755 index 000000000..eb300a625 --- /dev/null +++ b/scripts/ocsp-stapling2.test @@ -0,0 +1,35 @@ +#!/bin/sh + +# ocsp-stapling.test + +trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# setup ocsp responders +./certs/ocsp/ocspd0.sh & +./certs/ocsp/ocspd1.sh & +./certs/ocsp/ocspd2.sh & + +# client test against our own server - GOOD CERTS +./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# client test against our own server - REVOKED SERVER CERT +./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 + +# client test against our own server - REVOKED INTERMEDIATE CERT +./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 + +exit 0 diff --git a/scripts/ocsp.test b/scripts/ocsp.test new file mode 100755 index 000000000..66d4488ad --- /dev/null +++ b/scripts/ocsp.test @@ -0,0 +1,20 @@ +#!/bin/sh + +# ocsp-stapling.test + +server=www.globalsign.com +ca=certs/external/ca-globalsign-root-r2.pem + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# is our desired server there? +ping -c 2 $server +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0 + +# client test against the server +./examples/client/client -X -C -h $server -p 443 -A $ca -g -o +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +exit 0 diff --git a/src/internal.c b/src/internal.c index 6b2d44459..6d10a972b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4491,7 +4491,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (fatal == 0) { int doLookup = 1; - /* TODO CSR2 */ if (ssl->options.side == WOLFSSL_CLIENT_END) { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { From bf621f1832f5e9cfc090fd01e276bcd2e9e73076 Mon Sep 17 00:00:00 2001 From: Nickolas Lapp Date: Thu, 19 Nov 2015 17:05:52 -0700 Subject: [PATCH 126/177] Add in stub functions for opensslv1.0.1 w/ stunnel and lighttpd --- src/ssl.c | 83 ++++++++++++++++++++++++++++++++++++++ wolfssl/openssl/crypto.h | 4 ++ wolfssl/openssl/dh.h | 3 +- wolfssl/openssl/opensslv.h | 2 +- wolfssl/openssl/ssl.h | 6 +++ wolfssl/ssl.h | 18 +++++++++ 6 files changed, 114 insertions(+), 2 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 4362f95f1..323b71dd8 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -16406,6 +16406,23 @@ void* wolfSSL_get_ex_data(const WOLFSSL* ssl, int idx) #if defined(HAVE_LIGHTY) || defined(HAVE_STUNNEL) +char * wolf_OBJ_nid2ln(int n) { + (void)n; + WOLFSSL_ENTER("wolf_OBJ_nid2ln"); + WOLFSSL_STUB("wolf_OBJ_nid2ln"); + + return NULL; +} + +int wolf_OBJ_txt2nid(const char* s) { + (void)s; + WOLFSSL_ENTER("wolf_OBJ_txt2nid"); + WOLFSSL_STUB("wolf_OBJ_txt2nid"); + + return 0; +} + + WOLFSSL_BIO *wolfSSL_BIO_new_file(const char *filename, const char *mode) { (void)filename; (void)mode; @@ -16486,6 +16503,13 @@ long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX* ctx, WOLFSSL_DH* dh) /* stunnel compatability functions*/ #if defined(OPENSSL_EXTRA) && defined(HAVE_STUNNEL) +void WOLFSSL_ERR_remove_thread_state(void* pid) +{ + (void) pid; + return; +} + + int wolfSSL_SESSION_set_ex_data(WOLFSSL_SESSION* session, int idx, void* data) { WOLFSSL_ENTER("wolfSSL_SESSION_set_ex_data"); @@ -16551,6 +16575,19 @@ WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator, return NULL; } +int wolfSSL_DH_generate_parameters_ex(WOLFSSL_DH* dh, int prime_len, int generator, + void (*callback) (int, int, void *)) +{ + (void)prime_len; + (void)generator; + (void)callback; + (void)dh; + WOLFSSL_ENTER("wolfSSL_DH_generate_parameters_ex"); + WOLFSSL_STUB("wolfSSL_DH_generate_parameters_ex"); + + return -1; +} + void wolfSSL_ERR_load_crypto_strings(void) { @@ -16849,6 +16886,52 @@ void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX* ctx, void* arg) if (ctx) ctx->sniRecvCbArg = arg; } + + +long wolfSSL_CTX_clear_options(WOLFSSL_CTX* ctx, long opt) +{ + WOLFSSL_ENTER("SSL_CTX_clear_options"); + WOLFSSL_STUB("SSL_CTX_clear_options"); + (void)ctx; + (void)opt; + return opt; +} + +void wolfSSL_THREADID_set_callback(void(*threadid_func)(void*)) +{ + WOLFSSL_ENTER("wolfSSL_THREADID_set_callback"); + WOLFSSL_STUB("wolfSSL_THREADID_set_callback"); + (void)threadid_func; + return; +} + +void wolfSSL_THREADID_set_numeric(void* id, unsigned long val) +{ + WOLFSSL_ENTER("wolfSSL_THREADID_set_numeric"); + WOLFSSL_STUB("wolfSSL_THREADID_set_numeric"); + (void)id; + (void)val; + return; +} + + +WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX* ctx, + WOLFSSL_X509_NAME* name) +{ + WOLFSSL_ENTER("wolfSSL_X509_STORE_get1_certs"); + WOLFSSL_STUB("wolfSSL_X509_STORE_get1_certs"); + (void)ctx; + (void)name; + return NULL; +} + +void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*)){ + (void) sk; + (void) f; + WOLFSSL_ENTER("wolfSSL_sk_X509_pop_free"); + WOLFSSL_STUB("wolfSSL_sk_X509_pop_free"); +} + #endif /* OPENSSL_EXTRA and HAVE_STUNNEL */ #if defined(OPENSSL_EXTRA) && defined(HAVE_CURVE25519) diff --git a/wolfssl/openssl/crypto.h b/wolfssl/openssl/crypto.h index 034b1cfe1..97a4be17a 100644 --- a/wolfssl/openssl/crypto.h +++ b/wolfssl/openssl/crypto.h @@ -14,6 +14,8 @@ WOLFSSL_API const char* wolfSSLeay_version(int type); WOLFSSL_API unsigned long wolfSSLeay(void); +#define CRYPTO_THREADID void + #define SSLeay_version wolfSSLeay_version #define SSLeay wolfSSLeay @@ -28,6 +30,8 @@ WOLFSSL_API unsigned long wolfSSLeay(void); typedef struct CRYPTO_EX_DATA CRYPTO_EX_DATA; typedef void (CRYPTO_free_func)(void*parent, void*ptr, CRYPTO_EX_DATA *ad, int idx, long argl, void* argp); +#define CRYPTO_THREADID_set_callback wolfSSL_THREADID_set_callback +#define CRYPTO_THREADID_set_numeric wolfSSL_THREADID_set_numeric #endif /* HAVE_STUNNEL */ #endif /* header */ diff --git a/wolfssl/openssl/dh.h b/wolfssl/openssl/dh.h index e38b7f7af..a1535c34e 100644 --- a/wolfssl/openssl/dh.h +++ b/wolfssl/openssl/dh.h @@ -49,6 +49,7 @@ typedef WOLFSSL_DH DH; #endif #ifdef HAVE_STUNNEL -#define DH_generate_parameters wolfSSL_DH_generate_parameters +#define DH_generate_parameters wolfSSL_DH_generate_parameters +#define DH_generate_parameters_ex wolfSSL_DH_generate_parameters_ex #endif /* HAVE_STUNNEL */ #endif /* header */ diff --git a/wolfssl/openssl/opensslv.h b/wolfssl/openssl/opensslv.h index e569ec52a..48955f9ec 100644 --- a/wolfssl/openssl/opensslv.h +++ b/wolfssl/openssl/opensslv.h @@ -8,7 +8,7 @@ #if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) /* version number can be increased for Lighty after compatibility for ECDH is added */ - #define OPENSSL_VERSION_NUMBER 0x0090700fL + #define OPENSSL_VERSION_NUMBER 0x10001000L #else #define OPENSSL_VERSION_NUMBER 0x0090810fL #endif diff --git a/wolfssl/openssl/ssl.h b/wolfssl/openssl/ssl.h index 05b77a7ea..aaf4830c9 100644 --- a/wolfssl/openssl/ssl.h +++ b/wolfssl/openssl/ssl.h @@ -431,6 +431,8 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) +#define OBJ_nid2ln wolf_OBJ_nid2ln +#define OBJ_txt2nid wolf_OBJ_txt2nid #define PEM_read_bio_DHparams wolfSSL_PEM_read_bio_DHparams #define PEM_write_bio_X509 PEM_write_bio_WOLFSSL_X509 #define SSL_CTX_set_tmp_dh wolfSSL_CTX_set_tmp_dh @@ -477,6 +479,8 @@ typedef WOLFSSL_X509_NAME_ENTRY X509_NAME_ENTRY; #define SSL_SESSION_get_id wolfSSL_SESSION_get_id #define CRYPTO_dynlock_value WOLFSSL_dynlock_value typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; +#define X509_STORE_get1_certs wolfSSL_X509_STORE_get1_certs +#define sk_X509_pop_free wolfSSL_sk_X509_pop_free #define SSL_TLSEXT_ERR_OK 0 #define SSL_TLSEXT_ERR_ALERT_FATAL alert_fatal @@ -492,6 +496,8 @@ typedef WOLFSSL_ASN1_BIT_STRING ASN1_BIT_STRING; #define PSK_MAX_PSK_LEN 256 #define PSK_MAX_IDENTITY_LEN 128 +#define ERR_remove_thread_state WOLFSSL_ERR_remove_thread_state +#define SSL_CTX_clear_options wolfSSL_CTX_clear_options #endif /* HAVE_STUNNEL */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 5a30c8c81..136c6bbd9 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1620,6 +1620,8 @@ WOLFSSL_API STACK_OF(WOLFSSL_X509_NAME) *wolfSSL_dup_CA_list( STACK_OF(WOLFSSL_X #if defined(HAVE_STUNNEL) || defined(HAVE_LIGHTY) +WOLFSSL_API char * wolf_OBJ_nid2ln(int n); +WOLFSSL_API int wolf_OBJ_txt2nid(const char *sn); WOLFSSL_API WOLFSSL_BIO* wolfSSL_BIO_new_file(const char *filename, const char *mode); WOLFSSL_API long wolfSSL_CTX_set_tmp_dh(WOLFSSL_CTX*, WOLFSSL_DH*); WOLFSSL_API WOLFSSL_DH *wolfSSL_PEM_read_bio_DHparams(WOLFSSL_BIO *bp, @@ -1643,6 +1645,9 @@ WOLFSSL_API int wolfSSL_CRYPTO_set_mem_ex_functions(void *(*m) (size_t, const ch WOLFSSL_API WOLFSSL_DH *wolfSSL_DH_generate_parameters(int prime_len, int generator, void (*callback) (int, int, void *), void *cb_arg); +WOLFSSL_API int wolfSSL_DH_generate_parameters_ex(WOLFSSL_DH*, int, int, + void (*callback) (int, int, void *)); + WOLFSSL_API void wolfSSL_ERR_load_crypto_strings(void); WOLFSSL_API unsigned long wolfSSL_ERR_peek_last_error(void); @@ -1708,6 +1713,19 @@ WOLFSSL_API void wolfSSL_CTX_set_servername_callback(WOLFSSL_CTX *, CallbackSniRecv); WOLFSSL_API void wolfSSL_CTX_set_servername_arg(WOLFSSL_CTX *, void*); + +WOLFSSL_API void WOLFSSL_ERR_remove_thread_state(void*); + +WOLFSSL_API long wolfSSL_CTX_clear_options(WOLFSSL_CTX*, long); + +WOLFSSL_API void wolfSSL_THREADID_set_callback(void (*threadid_func)(void*)); + +WOLFSSL_API void wolfSSL_THREADID_set_numeric(void* id, unsigned long val); + +WOLFSSL_API WOLFSSL_X509* wolfSSL_X509_STORE_get1_certs(WOLFSSL_X509_STORE_CTX*, + WOLFSSL_X509_NAME*); + +WOLFSSL_API void wolfSSL_sk_X509_pop_free(STACK_OF(WOLFSSL_X509)* sk, void f (WOLFSSL_X509*)); #endif /* HAVE_STUNNEL */ #ifdef WOLFSSL_JNI From 0ca6a5601eaeb5cf0911648c54badc55cfe20bbb Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 14 Dec 2015 20:22:48 -0300 Subject: [PATCH 127/177] fixes OCSP_MULTI check; adds root-ca-cert to index0.txt; adds keyUsage to CA certs; sets fixed serial to root-ca-cert; --- certs/ocsp/index0.txt | 1 + certs/ocsp/intermediate1-ca-cert.pem | 156 ++++++++++---------- certs/ocsp/intermediate2-ca-cert.pem | 156 ++++++++++---------- certs/ocsp/ocsp-responder-cert.pem | 152 ++++++++++---------- certs/ocsp/openssl.cnf | 1 + certs/ocsp/renewcerts.sh | 5 +- certs/ocsp/root-ca-cert.pem | 94 +++++++------ certs/ocsp/server1-cert.pem | 203 ++++++++++++++++++++------- certs/ocsp/server2-cert.pem | 203 ++++++++++++++++++++------- certs/ocsp/server3-cert.pem | 203 ++++++++++++++++++++------- examples/server/server.c | 2 +- scripts/ocsp-stapling2.test | 20 ++- src/internal.c | 6 +- src/tls.c | 10 +- wolfssl/internal.h | 2 +- 15 files changed, 766 insertions(+), 448 deletions(-) diff --git a/certs/ocsp/index0.txt b/certs/ocsp/index0.txt index 3b7524369..ba666d9db 100644 --- a/certs/ocsp/index0.txt +++ b/certs/ocsp/index0.txt @@ -1,2 +1,3 @@ +V 161213070133Z 63 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com V 161213070133Z 01 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com R 161213070133Z 151201070133Z 02 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/intermediate1-ca-cert.pem b/certs/ocsp/intermediate1-ca-cert.pem index a4a1cb222..d3a498adf 100644 --- a/certs/ocsp/intermediate1-ca-cert.pem +++ b/certs/ocsp/intermediate1-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -39,33 +39,35 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 3d:92:fc:b0:73:95:d8:5a:18:e3:27:fc:55:05:14:54:2e:af: - 37:1e:37:11:25:e8:c9:7a:b0:9b:68:fb:a0:69:91:fd:bb:dd: - 00:55:fb:30:b3:4a:59:a6:58:bb:e4:03:3e:f2:98:a2:07:71: - c7:de:3a:a0:0b:eb:43:44:77:2b:fc:5d:96:a7:89:c8:1a:6a: - 6e:b6:34:00:bb:e0:8a:5b:2b:ad:3a:f4:ab:b9:d4:54:f9:85: - 9a:f7:3b:23:00:dc:17:8f:55:1f:b9:e1:17:10:61:91:50:77: - b6:57:be:75:61:6e:cc:9c:27:76:32:c2:de:b4:ee:11:ff:10: - f7:99:49:38:8e:af:af:fa:73:1e:34:20:6c:3e:9f:cb:56:70: - 20:47:21:d3:2c:db:9b:ad:3b:32:96:72:be:d3:1b:d2:33:21: - 9b:4b:86:3a:64:45:37:8b:60:80:3b:3e:08:7a:06:f2:aa:20: - 7b:63:2c:df:03:c0:2a:74:07:61:db:f3:ec:8a:17:a4:36:a1: - 6c:b6:c0:64:f7:8a:5b:d0:43:64:bb:3e:ed:5d:e8:06:9c:b0: - ef:c2:f3:d1:ff:e2:05:5e:1f:e1:bd:ef:2a:32:a3:44:9f:44: - 99:c0:a3:27:8b:af:24:c4:5f:2b:d5:05:a2:18:70:32:a4:d2: - 75:16:1b:b1 + 1b:83:ce:ad:1e:50:0f:3c:f0:26:17:23:c1:d5:98:88:c8:bc: + 30:5b:bb:01:bd:9b:cc:b3:45:0b:a3:7b:30:0a:54:3f:c7:36: + 16:4b:8b:cb:dd:d1:b3:7b:00:40:48:24:cb:46:3b:e7:e0:5c: + 7b:ec:ca:f8:e0:e5:34:5d:ae:e7:ac:87:15:cd:6c:7e:13:52: + 28:84:55:2b:2a:14:d9:fa:34:ce:fb:15:6c:10:47:c9:e6:ed: + 35:5b:4c:97:9c:dd:51:46:ac:2c:60:b7:2e:9d:2f:cb:0d:83: + 86:f0:a6:1b:6d:26:cb:7f:c4:97:51:6c:a1:a3:8d:6e:be:41: + 4a:ec:b0:cf:b4:ae:ad:e4:65:57:12:5d:bf:a0:78:ce:bf:4b: + 35:fe:bb:94:7a:f1:43:7d:0f:01:45:eb:d1:53:8b:19:db:bf: + 3e:4a:26:77:a1:b5:06:2a:64:ec:53:ca:ec:93:23:a2:4e:6a: + 82:8f:11:f4:cd:5f:6c:6e:22:cd:e1:1c:76:ce:49:f7:ca:43: + 65:aa:f5:9e:e7:ad:eb:99:4f:ff:db:fe:b8:91:ef:2c:ea:92: + 5f:bf:08:78:c1:90:22:37:f3:7e:c3:5b:fc:31:f0:5b:83:65: + 00:d6:5a:55:3a:a2:a8:3f:02:e5:ae:7a:37:7b:3c:39:e7:91: + 4a:2e:53:04 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE7jCCA9agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw @@ -75,29 +77,29 @@ kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA -cYJkRNoOMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +AaOCATkwggE1MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA +cYJkRNoOMIHEBgNVHSMEgbwwgbmAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPZL8 -sHOV2FoY4yf8VQUUVC6vNx43ESXoyXqwm2j7oGmR/bvdAFX7MLNKWaZYu+QDPvKY -ogdxx946oAvrQ0R3K/xdlqeJyBpqbrY0ALvgilsrrTr0q7nUVPmFmvc7IwDcF49V -H7nhFxBhkVB3tle+dWFuzJwndjLC3rTuEf8Q95lJOI6vr/pzHjQgbD6fy1ZwIEch -0yzbm607MpZyvtMb0jMhm0uGOmRFN4tggDs+CHoG8qoge2Ms3wPAKnQHYdvz7IoX -pDahbLbAZPeKW9BDZLs+7V3oBpyw78Lz0f/iBV4f4b3vKjKjRJ9EmcCjJ4uvJMRf -K9UFohhwMqTSdRYbsQ== +b2xmc3NsLmNvbYIBYzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IB +AQAbg86tHlAPPPAmFyPB1ZiIyLwwW7sBvZvMs0ULo3swClQ/xzYWS4vL3dGzewBA +SCTLRjvn4Fx77Mr44OU0Xa7nrIcVzWx+E1IohFUrKhTZ+jTO+xVsEEfJ5u01W0yX +nN1RRqwsYLcunS/LDYOG8KYbbSbLf8SXUWyho41uvkFK7LDPtK6t5GVXEl2/oHjO +v0s1/ruUevFDfQ8BRevRU4sZ278+SiZ3obUGKmTsU8rskyOiTmqCjxH0zV9sbiLN +4Rx2zkn3ykNlqvWe563rmU//2/64ke8s6pJfvwh4wZAiN/N+w1v8MfBbg2UA1lpV +OqKoPwLlrno3ezw555FKLlME -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) - Serial Number: 17246491846582506789 (0xef57d8f569389525) + Serial Number: 99 (0x63) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -130,53 +132,55 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: - c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: - b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: - c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: - 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: - 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: - 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: - 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: - 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: - 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: - 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: - c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: - 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: - 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: - f9:fe:bc:01 + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ -MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM -D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE -CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT -U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA -wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ -X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 -zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T -tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC -1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE -gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe -vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym -9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn -YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 -MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc -UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM -H8bKHeSMPjGB+f68AQ== +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate2-ca-cert.pem b/certs/ocsp/intermediate2-ca-cert.pem index 34f0c52b8..886f251e5 100644 --- a/certs/ocsp/intermediate2-ca-cert.pem +++ b/certs/ocsp/intermediate2-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -39,33 +39,35 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 00:5e:fe:87:51:fc:e7:de:5c:e5:97:17:d2:af:6d:3b:65:29: - 27:3b:06:d7:55:5a:93:56:12:0f:8b:e7:57:69:dc:ae:ec:ec: - 2b:cd:cd:d0:15:c0:63:a3:5c:d9:6e:59:d2:88:b6:da:1c:ac: - b7:fe:46:2a:37:7b:5f:0b:30:80:7e:a5:46:8f:38:58:7e:df: - 8e:d0:f9:27:e6:e7:26:01:f8:04:5f:21:0d:7a:27:85:af:f8: - 41:15:aa:1d:73:3d:32:2a:a1:6b:f7:9e:36:3a:a3:26:dc:b8: - be:f2:61:ea:11:49:1c:43:68:5f:8c:a5:87:7b:71:a6:78:d0: - 1a:f1:f7:45:6c:59:eb:88:b5:ef:00:59:4f:71:48:00:73:11: - 2c:74:af:8d:1e:67:ee:cf:b3:9d:a4:64:ee:90:a7:f8:69:0a: - 8f:9b:74:89:68:c7:e4:1b:22:73:f1:23:94:c2:dd:4a:11:ee: - 9c:99:20:f7:e1:06:2a:ef:1b:1a:1c:10:f9:0b:0b:49:82:af: - 5f:38:75:0c:c3:a5:b8:9f:21:c5:61:eb:6d:6e:2d:d5:b5:89: - 19:28:ff:94:c1:55:eb:77:79:b5:57:e1:44:05:54:28:ca:66: - c5:4e:75:63:1b:b7:c4:57:fa:35:94:f7:82:3d:06:cc:f0:13: - bf:0e:23:70 + 85:95:3d:99:83:f5:4b:6f:b5:87:88:7a:2f:fe:02:c6:a5:2d: + 55:ff:e6:f3:72:c2:ed:2b:3f:cd:b5:59:5b:30:19:6e:5f:7b: + 2d:48:1e:d1:8e:65:04:86:0e:ef:01:50:ed:d7:ff:23:7e:2c: + 40:37:48:9d:aa:82:cb:82:c9:d7:f4:07:8b:73:6a:3a:fb:1b: + 2f:9d:e7:af:14:5f:2b:49:b2:87:3a:eb:c3:0f:f2:13:d7:49: + 6c:9a:d2:26:39:fa:f8:48:f4:9b:19:30:95:39:67:d8:63:37: + d6:b9:bf:fd:32:e1:fc:a9:2a:97:99:cb:cf:f6:fa:42:4b:ee: + 0e:87:92:16:dc:7e:70:dc:46:ee:8d:52:14:74:b5:6c:4b:9e: + e4:e7:b6:46:1c:82:2b:c5:4c:7d:84:f0:65:15:78:8c:2c:c7: + 7e:6d:db:8d:fc:64:4c:61:a0:b4:87:83:f6:04:59:71:43:8b: + 40:03:ad:e0:18:b9:94:0e:b9:05:22:6a:52:92:fe:48:04:cf: + a4:8c:ca:f6:f6:1c:29:c8:b0:83:a1:79:1a:9a:49:5a:73:c4: + 3d:16:4a:f7:c9:b5:dd:67:2b:bd:7c:11:ac:7f:74:8f:4b:dd: + ed:d3:ea:b8:6d:3a:3e:e7:ff:fc:d8:05:7b:47:49:c0:cc:6e: + 9a:71:23:96 -----BEGIN CERTIFICATE----- -MIIE8TCCA9mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE9jCCA96gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu @@ -75,29 +77,29 @@ SyjFU0YjK4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPk yIlDYfEluM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1 JMvpSd+BnZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkF UPC/7H8S4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORG -eP/ZmQIDAQABo4IBNDCCATAwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi -7ioFJLcRrS1g8ZAUjxcwgcwGA1UdIwSBxDCBwYAUc7AcpC+Cy89HpTjXsASCOn5y +eP/ZmQIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi +7ioFJLcRrS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB -FhBpbmZvQHdvbGZzc2wuY29tggkA71fY9Wk4lSUwMgYIKwYBBQUHAQEEJjAkMCIG -CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUA -A4IBAQAAXv6HUfzn3lzllxfSr207ZSknOwbXVVqTVhIPi+dXadyu7Owrzc3QFcBj -o1zZblnSiLbaHKy3/kYqN3tfCzCAfqVGjzhYft+O0Pkn5ucmAfgEXyENeieFr/hB -Faodcz0yKqFr9542OqMm3Li+8mHqEUkcQ2hfjKWHe3GmeNAa8fdFbFnriLXvAFlP -cUgAcxEsdK+NHmfuz7OdpGTukKf4aQqPm3SJaMfkGyJz8SOUwt1KEe6cmSD34QYq -7xsaHBD5CwtJgq9fOHUMw6W4nyHFYettbi3VtYkZKP+UwVXrd3m1V+FEBVQoymbF -TnVjG7fEV/o1lPeCPQbM8BO/DiNw +FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAIWVPZmD9UtvtYeIei/+AsalLVX/5vNywu0rP821WVswGW5fey1I +HtGOZQSGDu8BUO3X/yN+LEA3SJ2qgsuCydf0B4tzajr7Gy+d568UXytJsoc668MP +8hPXSWya0iY5+vhI9JsZMJU5Z9hjN9a5v/0y4fypKpeZy8/2+kJL7g6HkhbcfnDc +Ru6NUhR0tWxLnuTntkYcgivFTH2E8GUVeIwsx35t2438ZExhoLSHg/YEWXFDi0AD +reAYuZQOuQUialKS/kgEz6SMyvb2HCnIsIOheRqaSVpzxD0WSvfJtd1nK718Eax/ +dI9L3e3T6rhtOj7n//zYBXtHScDMbppxI5Y= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) - Serial Number: 17246491846582506789 (0xef57d8f569389525) + Serial Number: 99 (0x63) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -130,53 +132,55 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: - c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: - b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: - c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: - 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: - 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: - 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: - 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: - 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: - 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: - 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: - c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: - 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: - 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: - f9:fe:bc:01 + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ -MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM -D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE -CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT -U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA -wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ -X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 -zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T -tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC -1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE -gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe -vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym -9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn -YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 -MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc -UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM -H8bKHeSMPjGB+f68AQ== +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/certs/ocsp/ocsp-responder-cert.pem b/certs/ocsp/ocsp-responder-cert.pem index 55a81ac9d..616752f2e 100644 --- a/certs/ocsp/ocsp-responder-cert.pem +++ b/certs/ocsp/ocsp-responder-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL OCSP Responder/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -39,32 +39,32 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 X509v3 Extended Key Usage: OCSP Signing Signature Algorithm: sha256WithRSAEncryption - 1a:b0:0c:d3:5d:8d:fe:f0:4f:76:8d:cb:47:51:c3:64:0b:8e: - 94:9b:82:eb:2e:53:13:1d:28:31:55:c7:2a:7c:be:4e:32:9f: - 52:fd:2a:9c:a0:e2:9f:7b:23:9d:bf:93:e2:37:ac:40:47:f2: - 2d:ac:e6:8d:23:a2:18:c5:3f:c0:8d:60:4b:c5:2f:55:ae:f3: - 63:ea:e4:2f:20:56:fa:13:7c:d1:af:4f:ef:cb:ad:81:d1:26: - 0d:86:4b:0d:bb:67:8d:b6:a0:51:ac:a5:e5:f1:75:30:77:cc: - a6:57:d6:11:3c:76:7f:a7:b2:85:5e:c2:52:ec:8e:d8:7a:25: - b6:a9:ef:6e:6d:d8:a8:2d:e2:91:6d:fe:2d:11:df:8e:cc:c6: - 96:45:d9:f7:82:8a:58:ec:f7:7a:74:62:17:16:db:e9:8e:dc: - 40:ed:3d:de:1a:2b:af:e7:8e:39:be:91:50:f8:2c:70:bd:1b: - 64:01:db:bb:7a:1c:64:77:fb:ed:55:4c:3f:de:5c:cf:22:01: - 1f:7e:34:84:93:a2:37:06:7e:b2:6c:d1:58:ee:d8:1d:fb:8b: - b2:32:5b:6d:ef:9d:5a:b5:31:9b:f0:74:0b:c6:41:9a:fa:4a: - a5:a2:91:39:a3:a8:d0:69:a6:93:1a:7f:55:e9:04:58:b0:16: - 58:0c:27:92 + 73:47:ce:37:60:b0:51:a2:91:81:1c:1f:b6:b8:ca:4f:c8:95: + 68:cc:d3:4f:62:df:ff:c0:29:55:16:b2:df:2c:bf:73:b3:7c: + 95:a1:94:cc:a2:9f:30:60:92:fb:ec:31:21:14:09:60:ab:67: + f5:66:e4:bd:fd:18:a9:0b:d7:5e:61:39:37:cb:da:51:84:aa: + 06:38:68:27:eb:16:d7:60:91:23:5e:87:40:7f:e3:ce:40:f1: + 1f:99:50:2b:ba:69:b5:4b:ca:15:d7:9a:0d:9d:8f:ae:83:82: + fb:fc:0a:37:a8:2b:fb:0f:8d:c0:f4:59:3e:7b:81:78:a0:b2: + a2:64:55:41:bc:19:02:8b:de:db:8b:6c:43:fd:f5:23:e2:25: + 63:33:71:53:e7:eb:05:75:3a:56:4b:53:e1:5f:d1:82:c7:fd: + 80:64:27:93:a6:81:38:51:09:25:fc:de:9f:84:f1:b2:07:44: + 5a:f9:b1:70:d6:1b:1e:4f:7c:c9:ca:bd:d7:df:28:86:ce:8d: + 96:f5:54:94:0a:bb:97:5a:04:a4:05:9d:8d:b8:06:0e:ba:fb: + 5a:e1:3f:f2:90:59:1b:dd:e2:23:22:e2:7f:6a:f7:b7:d7:54: + 2b:ca:20:78:2a:6e:65:de:05:50:7d:40:4d:4b:3c:42:38:f5: + 98:e0:23:c9 -----BEGIN CERTIFICATE----- -MIIExjCCA66gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIEvjCCA6agAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnjELMAkGA1UEBhMCVVMxEzARBgNV +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnjELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZ3b2xmU1NMIE9DU1Ag UmVzcG9uZGVyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN @@ -74,28 +74,28 @@ Wj9BdGd1lamU1cPuQviN65KV4dllt0PEGN4WgJDOJDUhxFWsWlHgLi2zClpPSnMx UO5KFr05i60FSIexmeIQpwZyZ8pc0Ze9yPF2+OBK7LyT9GZMKHHR2GYDtJAwuxew /pf1HujHXZuLERkSPKuCcXj/rj8ysghxshuMJ6wRuNhDSc+wcLHwjK7aJIcXO9gE ZWwAdlDvFQjXtHNoJhSHlcNfbmG4h4T6gBoKi5jz4/9ORBxldHxxVGXlOQIDAQAB -o4IBEjCCAQ4wCQYDVR0TBAIwADAdBgNVHQ4EFgQUMmfhsXnSgfyfIwxwQFC1Rla4 -MDYwgcwGA1UdIwSBxDCBwYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2kgZowgZcx +o4IBCjCCAQYwCQYDVR0TBAIwADAdBgNVHQ4EFgQUMmfhsXnSgfyfIwxwQFC1Rla4 +MDYwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2kgZowgZcx CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0 dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG A1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz -c2wuY29tggkA71fY9Wk4lSUwEwYDVR0lBAwwCgYIKwYBBQUHAwkwDQYJKoZIhvcN -AQELBQADggEBABqwDNNdjf7wT3aNy0dRw2QLjpSbgusuUxMdKDFVxyp8vk4yn1L9 -Kpyg4p97I52/k+I3rEBH8i2s5o0johjFP8CNYEvFL1Wu82Pq5C8gVvoTfNGvT+/L -rYHRJg2GSw27Z422oFGspeXxdTB3zKZX1hE8dn+nsoVewlLsjth6Jbap725t2Kgt -4pFt/i0R347MxpZF2feCiljs93p0YhcW2+mO3EDtPd4aK6/njjm+kVD4LHC9G2QB -27t6HGR3++1VTD/eXM8iAR9+NISTojcGfrJs0Vju2B37i7IyW23vnVq1MZvwdAvG -QZr6SqWikTmjqNBpppMaf1XpBFiwFlgMJ5I= +c2wuY29tggFjMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB +AQBzR843YLBRopGBHB+2uMpPyJVozNNPYt//wClVFrLfLL9zs3yVoZTMop8wYJL7 +7DEhFAlgq2f1ZuS9/RipC9deYTk3y9pRhKoGOGgn6xbXYJEjXodAf+POQPEfmVAr +umm1S8oV15oNnY+ug4L7/Ao3qCv7D43A9Fk+e4F4oLKiZFVBvBkCi97bi2xD/fUj +4iVjM3FT5+sFdTpWS1PhX9GCx/2AZCeTpoE4UQkl/N6fhPGyB0Ra+bFw1hseT3zJ +yr3X3yiGzo2W9VSUCruXWgSkBZ2NuAYOuvta4T/ykFkb3eIjIuJ/ave311QryiB4 +Km5l3gVQfUBNSzxCOPWY4CPJ -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) - Serial Number: 17246491846582506789 (0xef57d8f569389525) + Serial Number: 99 (0x63) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -128,53 +128,55 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: - c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: - b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: - c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: - 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: - 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: - 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: - 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: - 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: - 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: - 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: - c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: - 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: - 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: - f9:fe:bc:01 + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ -MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM -D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE -CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT -U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA -wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ -X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 -zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T -tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC -1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE -gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe -vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym -9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn -YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 -MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc -UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM -H8bKHeSMPjGB+f68AQ== +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/certs/ocsp/openssl.cnf b/certs/ocsp/openssl.cnf index 20d2f6df7..2c4234a90 100644 --- a/certs/ocsp/openssl.cnf +++ b/certs/ocsp/openssl.cnf @@ -23,6 +23,7 @@ authorityInfoAccess = OCSP;URI:http://localhost:22222 basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = keyCertSign, cRLSign authorityInfoAccess = OCSP;URI:http://localhost:22220 # OCSP extensions. diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 30e90cb6a..2fa007a49 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -10,6 +10,7 @@ openssl x509 \ -extensions v3_ca \ -days 1000 \ -signkey root-ca-key.pem \ + -set_serial 99 \ -out root-ca-cert.pem rm root-ca-cert.csr @@ -35,11 +36,9 @@ function update_cert() { -out $1-cert.pem rm $1-cert.csr - openssl x509 -in $3-cert.pem -text > $3_tmp.pem openssl x509 -in $1-cert.pem -text > $1_tmp.pem mv $1_tmp.pem $1-cert.pem - cat $3_tmp.pem >> $1-cert.pem - rm $3_tmp.pem + cat $3-cert.pem >> $1-cert.pem } update_cert intermediate1-ca "wolfSSL intermediate CA" root-ca v3_ca 01 diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem index f63c2d9e7..34bcd48c6 100644 --- a/certs/ocsp/root-ca-cert.pem +++ b/certs/ocsp/root-ca-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 17246491846582506789 (0xef57d8f569389525) + Serial Number: 99 (0x63) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -39,53 +39,55 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 55:f6:de:bd:4f:ac:95:3a:cc:86:88:c3:4c:fc:0b:91:86:91: - c5:95:ca:5c:f8:c3:bb:d7:c1:bd:6e:c3:2f:94:18:c1:d8:e2: - b5:dd:8b:97:13:3f:5e:76:9c:13:89:14:d4:fc:a6:f7:01:a1: - c5:cf:0e:4d:00:ae:85:09:54:ce:cf:f8:d5:a7:40:60:ac:38: - 72:75:3b:cb:42:e0:4f:a2:60:34:74:ed:be:65:70:b1:4a:d9: - 99:af:17:0f:6f:f4:b7:f3:67:60:57:17:20:ac:88:65:53:0f: - 8c:bc:0b:51:79:a2:af:12:11:26:5e:55:06:1e:5c:8c:58:18: - 4a:4a:d8:e5:f9:fc:69:98:e6:e5:e6:94:5c:82:ee:bf:07:47: - 18:8c:b4:31:b3:d2:c3:02:dc:53:86:c1:1f:fa:31:3f:8f:d2: - 3c:8a:2b:4d:37:1f:0b:26:78:9b:3b:fd:eb:89:a4:d2:47:5e: - 99:82:d1:63:96:5f:46:a6:18:ab:8c:d8:d2:ec:dc:50:dc:67: - c1:63:d0:1e:57:04:10:a9:d5:1d:c0:73:e4:ce:b0:79:62:be: - 11:6e:30:53:3b:df:e7:5d:e4:06:b1:80:c8:1a:33:cc:31:84: - 42:0f:55:ac:d8:5a:e5:d0:0c:1f:c6:ca:1d:e4:8c:3e:31:81: - f9:fe:bc:01 + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIJAO9X2PVpOJUlMA0GCSqGSIb3DQEBCwUAMIGXMQswCQYD -VQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQ -MA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMM -D3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGXMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE -CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGDAWBgNVBAMMD3dvbGZT -U0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKsstC8dBgnvTimGhH7Mv6Z5fPDA -wWQljHW3EAXKSCcMDjIcsP6ZhTm2uaL3J/9tPIwWcykhf4umVHGQrcwFuZ8Vxwo/ -X2n0Cl+McbUsv2biA5oy9NLsKolL+TWIFDNHTi4FeQHtZDZ2ufiFzQGIrMWysVm4 -zVr0CQk4m9paz854mR9JPUHWBnxSmciX0bOAOqJPNsTFljB3MTjIcMzhZwazKy+T -tWnPg36IU5sPRiFM1gU2RJlgaEflMgES1BBzrpo0lPpuuFhPe1uKkpet/Ze5dcrC -1EV9F2vNL/Njeg4wtQup2aZ8dGCdzAkDQ/EPkNO3/myf2c14SxWujFv5mYECAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFHOwHKQvgsvPR6U417AE -gjp+chUhMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAVfbe -vU+slTrMhojDTPwLkYaRxZXKXPjDu9fBvW7DL5QYwdjitd2LlxM/XnacE4kU1Pym -9wGhxc8OTQCuhQlUzs/41adAYKw4cnU7y0LgT6JgNHTtvmVwsUrZma8XD2/0t/Nn -YFcXIKyIZVMPjLwLUXmirxIRJl5VBh5cjFgYSkrY5fn8aZjm5eaUXILuvwdHGIy0 -MbPSwwLcU4bBH/oxP4/SPIorTTcfCyZ4mzv964mk0kdemYLRY5ZfRqYYq4zY0uzc -UNxnwWPQHlcEEKnVHcBz5M6weWK+EW4wUzvf513kBrGAyBozzDGEQg9VrNha5dAM -H8bKHeSMPjGB+f68AQ== +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem index b4f1426d3..794bb7a31 100644 --- a/certs/ocsp/server1-cert.pem +++ b/certs/ocsp/server1-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,27 +47,27 @@ Certificate: OCSP - URI:http://localhost:22221 Signature Algorithm: sha256WithRSAEncryption - d2:c0:12:20:fd:e1:b6:ad:89:ae:6f:60:af:3c:ad:5a:09:04: - 31:99:7a:94:00:56:80:26:5a:13:53:60:f3:81:7c:ac:01:e8: - 7a:87:e9:3c:7a:0f:78:14:fa:3f:f1:54:0f:f9:8d:0e:f9:02: - 66:bd:81:c6:e9:12:1c:b6:db:7b:b0:71:dd:62:06:fd:39:5f: - b3:1f:43:ff:af:91:0f:58:3a:ae:e7:07:a5:da:a1:46:e4:67: - 0a:a4:0d:7e:37:b7:59:92:6c:7b:95:94:2b:33:5c:19:c2:35: - c5:fc:92:10:9e:87:13:8a:82:0f:f7:68:97:e1:b8:94:d3:d4: - d5:89:14:f3:1e:9e:29:1c:af:40:14:4b:80:7a:1e:dd:99:23: - dc:82:79:4b:3c:ac:09:6c:bf:84:97:ba:28:d2:ed:b7:d3:19: - 51:49:c1:1f:37:4d:44:fd:e9:2e:ff:b7:71:f7:35:5b:97:82: - 69:12:75:17:44:b3:a8:57:b8:88:ae:b9:1a:80:31:1f:c9:10: - 91:73:97:98:0b:9a:27:9e:ac:47:99:c6:66:64:f3:b2:36:1f: - 60:ef:fd:43:1e:f5:81:d4:21:89:d1:2e:27:69:9b:39:cb:84: - e4:fc:24:1b:f7:18:ff:78:36:0d:9e:37:59:ff:1d:ec:9b:c4: - 50:7d:42:ea + 81:77:93:7b:35:9c:af:00:ca:7a:eb:53:d0:56:f9:11:7b:eb: + 6b:d1:ac:f2:bb:1a:f2:b7:d1:02:59:04:3c:43:09:5a:66:9b: + 05:c9:9b:3c:98:d4:3b:30:dd:8a:8a:97:fb:77:06:22:89:b3: + c6:14:3d:00:ef:48:95:69:6f:74:92:4e:f0:70:fb:7a:d4:84: + f9:26:00:b7:f9:59:14:fb:56:ed:b3:ea:14:de:d6:76:aa:c4: + dd:16:74:f7:5a:32:18:1e:ab:eb:80:3d:2f:5c:fc:29:96:fa: + 62:44:09:bf:3e:f9:ac:2b:6e:36:68:f1:d7:53:eb:a1:47:53: + 99:65:29:3f:21:e2:ce:64:55:37:e0:41:d2:0a:ac:1b:6a:a3: + 62:db:96:46:2e:67:9f:4a:8f:7d:5e:f9:1f:2a:36:e6:c0:2b: + 07:f9:63:d9:54:e7:5b:09:86:7a:dc:75:96:bc:60:28:00:99: + a7:8b:17:7a:bd:8b:06:bc:9f:c4:bc:d7:c8:d5:eb:a6:60:cf: + 0c:07:b3:8c:bd:87:8c:15:12:d2:26:ea:56:ed:d4:c0:87:10: + 50:7f:f6:70:d0:72:fb:f0:75:cf:c7:c2:c9:01:6a:05:68:5e: + 7a:2f:e0:ef:c1:45:e0:31:52:05:d7:12:7a:06:53:81:f7:e8: + cb:14:42:bd -----BEGIN CERTIFICATE----- MIIE7DCCA9SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NM IGludGVybWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMDcyMjQyMjlaFw0xODA5MDIyMjQyMjlaMIGYMQswCQYDVQQGEwJV +bTAeFw0xNTEyMTQyMjI1MjNaFw0xODA5MDkyMjI1MjNaMIGYMQswCQYDVQQGEwJV UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEHd3dzEu d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi @@ -84,12 +84,12 @@ YXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgw FgYDVQQDDA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s ZnNzbC5jb22CAQEwCwYDVR0PBAQDAgXgMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF BQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMTANBgkqhkiG9w0BAQsFAAOCAQEA -0sASIP3htq2Jrm9grzytWgkEMZl6lABWgCZaE1Ng84F8rAHoeofpPHoPeBT6P/FU -D/mNDvkCZr2BxukSHLbbe7Bx3WIG/Tlfsx9D/6+RD1g6rucHpdqhRuRnCqQNfje3 -WZJse5WUKzNcGcI1xfySEJ6HE4qCD/dol+G4lNPU1YkU8x6eKRyvQBRLgHoe3Zkj -3IJ5SzysCWy/hJe6KNLtt9MZUUnBHzdNRP3pLv+3cfc1W5eCaRJ1F0SzqFe4iK65 -GoAxH8kQkXOXmAuaJ56sR5nGZmTzsjYfYO/9Qx71gdQhidEuJ2mbOcuE5PwkG/cY -/3g2DZ43Wf8d7JvEUH1C6g== +gXeTezWcrwDKeutT0Fb5EXvra9Gs8rsa8rfRAlkEPEMJWmabBcmbPJjUOzDdioqX ++3cGIomzxhQ9AO9IlWlvdJJO8HD7etSE+SYAt/lZFPtW7bPqFN7WdqrE3RZ091oy +GB6r64A9L1z8KZb6YkQJvz75rCtuNmjx11ProUdTmWUpPyHizmRVN+BB0gqsG2qj +YtuWRi5nn0qPfV75Hyo25sArB/lj2VTnWwmGetx1lrxgKACZp4sXer2LBryfxLzX +yNXrpmDPDAezjL2HjBUS0ibqVu3UwIcQUH/2cNBy+/B1z8fCyQFqBWheei/g78FF +4DFSBdcSegZTgffoyxRCvQ== -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -132,33 +132,35 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 3d:92:fc:b0:73:95:d8:5a:18:e3:27:fc:55:05:14:54:2e:af: - 37:1e:37:11:25:e8:c9:7a:b0:9b:68:fb:a0:69:91:fd:bb:dd: - 00:55:fb:30:b3:4a:59:a6:58:bb:e4:03:3e:f2:98:a2:07:71: - c7:de:3a:a0:0b:eb:43:44:77:2b:fc:5d:96:a7:89:c8:1a:6a: - 6e:b6:34:00:bb:e0:8a:5b:2b:ad:3a:f4:ab:b9:d4:54:f9:85: - 9a:f7:3b:23:00:dc:17:8f:55:1f:b9:e1:17:10:61:91:50:77: - b6:57:be:75:61:6e:cc:9c:27:76:32:c2:de:b4:ee:11:ff:10: - f7:99:49:38:8e:af:af:fa:73:1e:34:20:6c:3e:9f:cb:56:70: - 20:47:21:d3:2c:db:9b:ad:3b:32:96:72:be:d3:1b:d2:33:21: - 9b:4b:86:3a:64:45:37:8b:60:80:3b:3e:08:7a:06:f2:aa:20: - 7b:63:2c:df:03:c0:2a:74:07:61:db:f3:ec:8a:17:a4:36:a1: - 6c:b6:c0:64:f7:8a:5b:d0:43:64:bb:3e:ed:5d:e8:06:9c:b0: - ef:c2:f3:d1:ff:e2:05:5e:1f:e1:bd:ef:2a:32:a3:44:9f:44: - 99:c0:a3:27:8b:af:24:c4:5f:2b:d5:05:a2:18:70:32:a4:d2: - 75:16:1b:b1 + 1b:83:ce:ad:1e:50:0f:3c:f0:26:17:23:c1:d5:98:88:c8:bc: + 30:5b:bb:01:bd:9b:cc:b3:45:0b:a3:7b:30:0a:54:3f:c7:36: + 16:4b:8b:cb:dd:d1:b3:7b:00:40:48:24:cb:46:3b:e7:e0:5c: + 7b:ec:ca:f8:e0:e5:34:5d:ae:e7:ac:87:15:cd:6c:7e:13:52: + 28:84:55:2b:2a:14:d9:fa:34:ce:fb:15:6c:10:47:c9:e6:ed: + 35:5b:4c:97:9c:dd:51:46:ac:2c:60:b7:2e:9d:2f:cb:0d:83: + 86:f0:a6:1b:6d:26:cb:7f:c4:97:51:6c:a1:a3:8d:6e:be:41: + 4a:ec:b0:cf:b4:ae:ad:e4:65:57:12:5d:bf:a0:78:ce:bf:4b: + 35:fe:bb:94:7a:f1:43:7d:0f:01:45:eb:d1:53:8b:19:db:bf: + 3e:4a:26:77:a1:b5:06:2a:64:ec:53:ca:ec:93:23:a2:4e:6a: + 82:8f:11:f4:cd:5f:6c:6e:22:cd:e1:1c:76:ce:49:f7:ca:43: + 65:aa:f5:9e:e7:ad:eb:99:4f:ff:db:fe:b8:91:ef:2c:ea:92: + 5f:bf:08:78:c1:90:22:37:f3:7e:c3:5b:fc:31:f0:5b:83:65: + 00:d6:5a:55:3a:a2:a8:3f:02:e5:ae:7a:37:7b:3c:39:e7:91: + 4a:2e:53:04 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE7jCCA9agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw @@ -168,17 +170,110 @@ kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA -cYJkRNoOMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +AaOCATkwggE1MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA +cYJkRNoOMIHEBgNVHSMEgbwwgbmAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPZL8 -sHOV2FoY4yf8VQUUVC6vNx43ESXoyXqwm2j7oGmR/bvdAFX7MLNKWaZYu+QDPvKY -ogdxx946oAvrQ0R3K/xdlqeJyBpqbrY0ALvgilsrrTr0q7nUVPmFmvc7IwDcF49V -H7nhFxBhkVB3tle+dWFuzJwndjLC3rTuEf8Q95lJOI6vr/pzHjQgbD6fy1ZwIEch -0yzbm607MpZyvtMb0jMhm0uGOmRFN4tggDs+CHoG8qoge2Ms3wPAKnQHYdvz7IoX -pDahbLbAZPeKW9BDZLs+7V3oBpyw78Lz0f/iBV4f4b3vKjKjRJ9EmcCjJ4uvJMRf -K9UFohhwMqTSdRYbsQ== +b2xmc3NsLmNvbYIBYzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IB +AQAbg86tHlAPPPAmFyPB1ZiIyLwwW7sBvZvMs0ULo3swClQ/xzYWS4vL3dGzewBA +SCTLRjvn4Fx77Mr44OU0Xa7nrIcVzWx+E1IohFUrKhTZ+jTO+xVsEEfJ5u01W0yX +nN1RRqwsYLcunS/LDYOG8KYbbSbLf8SXUWyho41uvkFK7LDPtK6t5GVXEl2/oHjO +v0s1/ruUevFDfQ8BRevRU4sZ278+SiZ3obUGKmTsU8rskyOiTmqCjxH0zV9sbiLN +4Rx2zkn3ykNlqvWe563rmU//2/64ke8s6pJfvwh4wZAiN/N+w1v8MfBbg2UA1lpV +OqKoPwLlrno3ezw555FKLlME +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem index de79496e1..9025271b2 100644 --- a/certs/ocsp/server2-cert.pem +++ b/certs/ocsp/server2-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:30 2015 GMT - Not After : Sep 2 22:42:30 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,27 +47,27 @@ Certificate: OCSP - URI:http://localhost:22221 Signature Algorithm: sha256WithRSAEncryption - 72:91:43:1a:4f:fb:87:32:dc:12:b0:60:ed:d8:05:f9:ac:62: - 51:1d:21:40:f4:36:86:6c:24:82:33:a5:1e:c9:bd:bb:2a:2f: - 14:76:ef:63:ba:fe:79:c5:14:ac:0b:d7:3d:7d:cd:db:50:98: - 93:05:0e:f2:0f:00:fa:f2:11:dc:10:25:c0:e7:ae:0e:b2:fc: - 86:2a:a1:d9:ee:1c:ad:31:ad:be:69:3f:58:5d:73:cd:bb:df: - 64:3d:bd:aa:e0:30:9e:4b:f5:e5:48:0e:81:c5:81:2e:90:d5: - 73:62:a6:80:9a:71:24:54:95:3a:aa:a0:df:aa:2a:95:9e:90: - 1f:f4:94:cb:ad:9d:47:7f:52:d6:52:16:a4:db:1e:71:71:c9: - a4:4a:02:1c:e5:5d:4d:23:6c:6a:db:60:b4:0e:58:83:1a:86: - af:f0:ec:25:44:63:c6:05:f2:26:f8:34:98:11:93:cd:4d:4d: - 7a:cb:53:e5:86:40:91:fb:6d:16:14:de:c8:d1:5d:65:9d:45: - 92:1c:c0:4f:4f:33:8a:8b:23:93:30:f4:fe:08:92:27:bf:3d: - 11:4e:0b:42:59:69:88:b3:df:45:0f:a0:05:63:03:bd:1c:8c: - 3c:76:1f:20:65:25:8b:3c:34:1e:74:a0:79:05:6e:dd:b6:ae: - 8f:77:b5:0d + a3:33:6d:91:c3:bd:b5:42:e6:6a:b8:1f:01:d8:ef:8c:ab:f9: + f7:e2:ac:23:72:a1:77:41:67:fc:b4:c9:dd:72:d8:25:3c:40: + 17:db:87:c0:6c:55:2c:26:d2:53:d5:e7:81:8e:b3:3f:e1:fd: + fd:73:4b:ee:75:44:04:a6:f1:56:aa:57:94:a3:5e:4d:45:49: + 4b:70:e2:bf:36:e9:8c:68:cf:37:f3:0f:ee:74:4a:ef:f8:8a: + 39:89:9f:3d:26:91:c8:cf:03:45:5a:13:8d:5f:ac:7c:c3:d9: + 34:1c:80:e5:33:40:fc:02:8a:04:36:93:ba:47:c5:bc:34:8b: + dc:30:4c:f5:b0:42:60:3b:59:2e:d6:c6:44:bb:44:dc:2a:05: + bd:f0:37:cc:16:27:a9:b5:f7:7d:fa:3a:7f:3c:64:62:cf:3a: + 2b:2d:85:82:bd:29:96:47:6f:a9:85:5c:4f:ae:72:eb:25:05: + e1:c8:f2:95:9e:02:03:2c:fe:06:1c:83:3a:d2:84:d4:84:17: + d8:49:84:3e:c6:3d:16:10:e5:65:25:68:a5:71:18:8c:2e:40: + a0:1c:43:ba:0f:bc:6c:07:25:29:1f:ab:1e:ff:d0:45:51:3f: + 3f:f5:a1:71:c8:35:87:47:14:c5:8e:1c:e2:94:ff:27:2c:ce: + aa:55:1c:c9 -----BEGIN CERTIFICATE----- MIIE7DCCA9SgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NM IGludGVybWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMDcyMjQyMzBaFw0xODA5MDIyMjQyMzBaMIGYMQswCQYDVQQGEwJV +bTAeFw0xNTEyMTQyMjI1MjNaFw0xODA5MDkyMjI1MjNaMIGYMQswCQYDVQQGEwJV UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEHd3dzIu d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi @@ -84,12 +84,12 @@ YXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgw FgYDVQQDDA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s ZnNzbC5jb22CAQEwCwYDVR0PBAQDAgXgMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF BQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMTANBgkqhkiG9w0BAQsFAAOCAQEA -cpFDGk/7hzLcErBg7dgF+axiUR0hQPQ2hmwkgjOlHsm9uyovFHbvY7r+ecUUrAvX -PX3N21CYkwUO8g8A+vIR3BAlwOeuDrL8hiqh2e4crTGtvmk/WF1zzbvfZD29quAw -nkv15UgOgcWBLpDVc2KmgJpxJFSVOqqg36oqlZ6QH/SUy62dR39S1lIWpNsecXHJ -pEoCHOVdTSNsattgtA5YgxqGr/DsJURjxgXyJvg0mBGTzU1NestT5YZAkfttFhTe -yNFdZZ1FkhzAT08ziosjkzD0/giSJ789EU4LQllpiLPfRQ+gBWMDvRyMPHYfIGUl -izw0HnSgeQVu3bauj3e1DQ== +ozNtkcO9tULmargfAdjvjKv59+KsI3Khd0Fn/LTJ3XLYJTxAF9uHwGxVLCbSU9Xn +gY6zP+H9/XNL7nVEBKbxVqpXlKNeTUVJS3DivzbpjGjPN/MP7nRK7/iKOYmfPSaR +yM8DRVoTjV+sfMPZNByA5TNA/AKKBDaTukfFvDSL3DBM9bBCYDtZLtbGRLtE3CoF +vfA3zBYnqbX3ffo6fzxkYs86Ky2Fgr0plkdvqYVcT65y6yUF4cjylZ4CAyz+BhyD +OtKE1IQX2EmEPsY9FhDlZSVopXEYjC5AoBxDug+8bAclKR+rHv/QRVE/P/Whccg1 +h0cUxY4c4pT/JyzOqlUcyQ== -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -132,33 +132,35 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 3d:92:fc:b0:73:95:d8:5a:18:e3:27:fc:55:05:14:54:2e:af: - 37:1e:37:11:25:e8:c9:7a:b0:9b:68:fb:a0:69:91:fd:bb:dd: - 00:55:fb:30:b3:4a:59:a6:58:bb:e4:03:3e:f2:98:a2:07:71: - c7:de:3a:a0:0b:eb:43:44:77:2b:fc:5d:96:a7:89:c8:1a:6a: - 6e:b6:34:00:bb:e0:8a:5b:2b:ad:3a:f4:ab:b9:d4:54:f9:85: - 9a:f7:3b:23:00:dc:17:8f:55:1f:b9:e1:17:10:61:91:50:77: - b6:57:be:75:61:6e:cc:9c:27:76:32:c2:de:b4:ee:11:ff:10: - f7:99:49:38:8e:af:af:fa:73:1e:34:20:6c:3e:9f:cb:56:70: - 20:47:21:d3:2c:db:9b:ad:3b:32:96:72:be:d3:1b:d2:33:21: - 9b:4b:86:3a:64:45:37:8b:60:80:3b:3e:08:7a:06:f2:aa:20: - 7b:63:2c:df:03:c0:2a:74:07:61:db:f3:ec:8a:17:a4:36:a1: - 6c:b6:c0:64:f7:8a:5b:d0:43:64:bb:3e:ed:5d:e8:06:9c:b0: - ef:c2:f3:d1:ff:e2:05:5e:1f:e1:bd:ef:2a:32:a3:44:9f:44: - 99:c0:a3:27:8b:af:24:c4:5f:2b:d5:05:a2:18:70:32:a4:d2: - 75:16:1b:b1 + 1b:83:ce:ad:1e:50:0f:3c:f0:26:17:23:c1:d5:98:88:c8:bc: + 30:5b:bb:01:bd:9b:cc:b3:45:0b:a3:7b:30:0a:54:3f:c7:36: + 16:4b:8b:cb:dd:d1:b3:7b:00:40:48:24:cb:46:3b:e7:e0:5c: + 7b:ec:ca:f8:e0:e5:34:5d:ae:e7:ac:87:15:cd:6c:7e:13:52: + 28:84:55:2b:2a:14:d9:fa:34:ce:fb:15:6c:10:47:c9:e6:ed: + 35:5b:4c:97:9c:dd:51:46:ac:2c:60:b7:2e:9d:2f:cb:0d:83: + 86:f0:a6:1b:6d:26:cb:7f:c4:97:51:6c:a1:a3:8d:6e:be:41: + 4a:ec:b0:cf:b4:ae:ad:e4:65:57:12:5d:bf:a0:78:ce:bf:4b: + 35:fe:bb:94:7a:f1:43:7d:0f:01:45:eb:d1:53:8b:19:db:bf: + 3e:4a:26:77:a1:b5:06:2a:64:ec:53:ca:ec:93:23:a2:4e:6a: + 82:8f:11:f4:cd:5f:6c:6e:22:cd:e1:1c:76:ce:49:f7:ca:43: + 65:aa:f5:9e:e7:ad:eb:99:4f:ff:db:fe:b8:91:ef:2c:ea:92: + 5f:bf:08:78:c1:90:22:37:f3:7e:c3:5b:fc:31:f0:5b:83:65: + 00:d6:5a:55:3a:a2:a8:3f:02:e5:ae:7a:37:7b:3c:39:e7:91: + 4a:2e:53:04 -----BEGIN CERTIFICATE----- -MIIE6TCCA9GgAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE7jCCA9agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw @@ -168,17 +170,110 @@ kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA -AaOCATQwggEwMAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA -cYJkRNoOMIHMBgNVHSMEgcQwgcGAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa +AaOCATkwggE1MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA +cYJkRNoOMIHEBgNVHSMEgbwwgbmAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIJAO9X2PVpOJUlMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw -AYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAPZL8 -sHOV2FoY4yf8VQUUVC6vNx43ESXoyXqwm2j7oGmR/bvdAFX7MLNKWaZYu+QDPvKY -ogdxx946oAvrQ0R3K/xdlqeJyBpqbrY0ALvgilsrrTr0q7nUVPmFmvc7IwDcF49V -H7nhFxBhkVB3tle+dWFuzJwndjLC3rTuEf8Q95lJOI6vr/pzHjQgbD6fy1ZwIEch -0yzbm607MpZyvtMb0jMhm0uGOmRFN4tggDs+CHoG8qoge2Ms3wPAKnQHYdvz7IoX -pDahbLbAZPeKW9BDZLs+7V3oBpyw78Lz0f/iBV4f4b3vKjKjRJ9EmcCjJ4uvJMRf -K9UFohhwMqTSdRYbsQ== +b2xmc3NsLmNvbYIBYzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IB +AQAbg86tHlAPPPAmFyPB1ZiIyLwwW7sBvZvMs0ULo3swClQ/xzYWS4vL3dGzewBA +SCTLRjvn4Fx77Mr44OU0Xa7nrIcVzWx+E1IohFUrKhTZ+jTO+xVsEEfJ5u01W0yX +nN1RRqwsYLcunS/LDYOG8KYbbSbLf8SXUWyho41uvkFK7LDPtK6t5GVXEl2/oHjO +v0s1/ruUevFDfQ8BRevRU4sZ278+SiZ3obUGKmTsU8rskyOiTmqCjxH0zV9sbiLN +4Rx2zkn3ykNlqvWe563rmU//2/64ke8s6pJfvwh4wZAiN/N+w1v8MfBbg2UA1lpV +OqKoPwLlrno3ezw555FKLlME +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem index b06624053..fe24c1698 100644 --- a/certs/ocsp/server3-cert.pem +++ b/certs/ocsp/server3-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:30 2015 GMT - Not After : Sep 2 22:42:30 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,27 +47,27 @@ Certificate: OCSP - URI:http://localhost:22222 Signature Algorithm: sha256WithRSAEncryption - 65:ef:ab:69:45:9f:a9:92:4d:2c:3c:83:11:ec:03:35:9f:f2: - 8d:53:b8:b0:19:7d:93:66:ca:c6:9b:a1:16:ac:9c:29:39:14: - 9f:1e:08:bd:c7:80:31:e0:f5:cc:a5:ff:0e:dc:82:bd:64:fa: - 45:eb:c3:b8:86:20:5e:e5:ab:9a:04:25:4e:57:d0:13:93:3d: - 8b:cd:77:d3:f3:26:29:e9:6a:84:30:27:e3:20:88:3c:dd:91: - b6:37:42:10:d1:70:49:2f:28:33:12:36:06:df:3a:41:22:d3: - a8:f1:91:08:7a:fd:f7:85:1e:0a:2f:70:90:14:d6:8f:95:d2: - 53:4f:cc:f6:ec:91:eb:3b:46:db:12:e3:21:e5:f2:b8:64:90: - cd:d0:54:35:49:d1:1d:07:24:1b:dc:03:d4:27:6e:11:2f:1a: - 60:ac:df:63:ea:90:cd:c0:f0:92:e3:90:49:13:8c:aa:2f:af: - a1:4d:e2:0c:10:26:2f:80:1e:99:2b:d8:b2:30:d2:e8:10:a6: - 8c:01:9b:10:df:b9:4b:25:23:ce:8e:e6:14:eb:dd:ed:8e:6a: - cf:3a:1b:7e:8c:f3:98:d7:7c:e6:d1:b3:b8:20:86:82:c8:b6: - cf:86:91:71:d0:88:24:2d:9a:c0:60:69:0b:8a:58:4a:d3:93: - 41:99:7a:77 + c6:3a:40:31:ac:3c:32:72:03:a9:35:86:b5:04:db:d9:39:e0: + 9a:96:54:d4:7f:b8:fe:49:2a:86:37:d8:30:a7:df:1f:08:c6: + 34:77:e3:95:6e:b8:5f:7a:2f:cd:71:04:55:e7:c1:a3:d5:14: + 93:13:b2:69:7c:6a:36:bc:09:15:f8:5a:ab:af:c8:d2:f6:ba: + ee:2b:6b:30:d4:a6:4a:48:08:f8:58:39:1b:6b:67:dd:4c:f9: + ee:9f:c7:cc:e7:19:68:b1:cb:d1:9d:7c:42:12:c5:25:ff:6d: + 81:24:cf:76:06:9c:a6:39:53:60:08:fe:d6:5b:ef:9e:2c:3d: + bf:23:1e:8b:db:0f:57:ae:c4:ee:af:b3:0a:54:86:ad:65:a4: + 6b:a2:c3:ec:34:0a:c3:75:a5:06:2e:67:1c:61:52:61:61:6c: + c4:86:15:71:ea:ac:e2:9f:b7:ae:65:59:89:ab:41:ec:4a:a1: + d8:17:d6:15:cc:98:d7:67:a2:0b:2f:2e:85:ce:e5:32:5a:e1: + c6:54:aa:37:31:ba:f8:31:16:bb:de:3a:d7:9d:9e:63:5d:69: + 25:9f:0e:5a:f3:9d:7f:86:0a:15:3e:64:04:8a:0c:f7:b7:e8: + ec:4f:9f:4e:25:ef:1e:44:a0:73:ca:2e:5b:c0:f1:38:c5:15: + 29:45:04:11 -----BEGIN CERTIFICATE----- MIIE9DCCA9ygAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv -bGZzc2wuY29tMB4XDTE1MTIwNzIyNDIzMFoXDTE4MDkwMjIyNDIzMFowgZgxCzAJ +bGZzc2wuY29tMB4XDTE1MTIxNDIyMjUyM1oXDTE4MDkwOTIyMjUyM1owgZgxCzAJ BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE AwwQd3d3My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns @@ -84,12 +84,12 @@ A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ aW5mb0B3b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEB -CwUAA4IBAQBl76tpRZ+pkk0sPIMR7AM1n/KNU7iwGX2TZsrGm6EWrJwpORSfHgi9 -x4Ax4PXMpf8O3IK9ZPpF68O4hiBe5auaBCVOV9ATkz2LzXfT8yYp6WqEMCfjIIg8 -3ZG2N0IQ0XBJLygzEjYG3zpBItOo8ZEIev33hR4KL3CQFNaPldJTT8z27JHrO0bb -EuMh5fK4ZJDN0FQ1SdEdByQb3APUJ24RLxpgrN9j6pDNwPCS45BJE4yqL6+hTeIM -ECYvgB6ZK9iyMNLoEKaMAZsQ37lLJSPOjuYU693tjmrPOht+jPOY13zm0bO4IIaC -yLbPhpFx0IgkLZrAYGkLilhK05NBmXp3 +CwUAA4IBAQDGOkAxrDwycgOpNYa1BNvZOeCallTUf7j+SSqGN9gwp98fCMY0d+OV +brhfei/NcQRV58Gj1RSTE7JpfGo2vAkV+Fqrr8jS9rruK2sw1KZKSAj4WDkba2fd +TPnun8fM5xloscvRnXxCEsUl/22BJM92BpymOVNgCP7WW++eLD2/Ix6L2w9XrsTu +r7MKVIatZaRrosPsNArDdaUGLmccYVJhYWzEhhVx6qzin7euZVmJq0HsSqHYF9YV +zJjXZ6ILLy6FzuUyWuHGVKo3Mbr4MRa73jrXnZ5jXWklnw5a851/hgoVPmQEigz3 +t+jsT59OJe8eRKBzyi5bwPE4xRUpRQQR -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 7 22:42:29 2015 GMT - Not After : Sep 2 22:42:29 2018 GMT + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -132,33 +132,35 @@ Certificate: X509v3 Authority Key Identifier: keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com - serial:EF:57:D8:F5:69:38:95:25 + serial:63 + X509v3 Key Usage: + Certificate Sign, CRL Sign Authority Information Access: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 00:5e:fe:87:51:fc:e7:de:5c:e5:97:17:d2:af:6d:3b:65:29: - 27:3b:06:d7:55:5a:93:56:12:0f:8b:e7:57:69:dc:ae:ec:ec: - 2b:cd:cd:d0:15:c0:63:a3:5c:d9:6e:59:d2:88:b6:da:1c:ac: - b7:fe:46:2a:37:7b:5f:0b:30:80:7e:a5:46:8f:38:58:7e:df: - 8e:d0:f9:27:e6:e7:26:01:f8:04:5f:21:0d:7a:27:85:af:f8: - 41:15:aa:1d:73:3d:32:2a:a1:6b:f7:9e:36:3a:a3:26:dc:b8: - be:f2:61:ea:11:49:1c:43:68:5f:8c:a5:87:7b:71:a6:78:d0: - 1a:f1:f7:45:6c:59:eb:88:b5:ef:00:59:4f:71:48:00:73:11: - 2c:74:af:8d:1e:67:ee:cf:b3:9d:a4:64:ee:90:a7:f8:69:0a: - 8f:9b:74:89:68:c7:e4:1b:22:73:f1:23:94:c2:dd:4a:11:ee: - 9c:99:20:f7:e1:06:2a:ef:1b:1a:1c:10:f9:0b:0b:49:82:af: - 5f:38:75:0c:c3:a5:b8:9f:21:c5:61:eb:6d:6e:2d:d5:b5:89: - 19:28:ff:94:c1:55:eb:77:79:b5:57:e1:44:05:54:28:ca:66: - c5:4e:75:63:1b:b7:c4:57:fa:35:94:f7:82:3d:06:cc:f0:13: - bf:0e:23:70 + 85:95:3d:99:83:f5:4b:6f:b5:87:88:7a:2f:fe:02:c6:a5:2d: + 55:ff:e6:f3:72:c2:ed:2b:3f:cd:b5:59:5b:30:19:6e:5f:7b: + 2d:48:1e:d1:8e:65:04:86:0e:ef:01:50:ed:d7:ff:23:7e:2c: + 40:37:48:9d:aa:82:cb:82:c9:d7:f4:07:8b:73:6a:3a:fb:1b: + 2f:9d:e7:af:14:5f:2b:49:b2:87:3a:eb:c3:0f:f2:13:d7:49: + 6c:9a:d2:26:39:fa:f8:48:f4:9b:19:30:95:39:67:d8:63:37: + d6:b9:bf:fd:32:e1:fc:a9:2a:97:99:cb:cf:f6:fa:42:4b:ee: + 0e:87:92:16:dc:7e:70:dc:46:ee:8d:52:14:74:b5:6c:4b:9e: + e4:e7:b6:46:1c:82:2b:c5:4c:7d:84:f0:65:15:78:8c:2c:c7: + 7e:6d:db:8d:fc:64:4c:61:a0:b4:87:83:f6:04:59:71:43:8b: + 40:03:ad:e0:18:b9:94:0e:b9:05:22:6a:52:92:fe:48:04:cf: + a4:8c:ca:f6:f6:1c:29:c8:b0:83:a1:79:1a:9a:49:5a:73:c4: + 3d:16:4a:f7:c9:b5:dd:67:2b:bd:7c:11:ac:7f:74:8f:4b:dd: + ed:d3:ea:b8:6d:3a:3e:e7:ff:fc:d8:05:7b:47:49:c0:cc:6e: + 9a:71:23:96 -----BEGIN CERTIFICATE----- -MIIE8TCCA9mgAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE9jCCA96gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjA3MjI0MjI5WhcNMTgwOTAyMjI0MjI5WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu @@ -168,17 +170,110 @@ SyjFU0YjK4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPk yIlDYfEluM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1 JMvpSd+BnZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkF UPC/7H8S4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORG -eP/ZmQIDAQABo4IBNDCCATAwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi -7ioFJLcRrS1g8ZAUjxcwgcwGA1UdIwSBxDCBwYAUc7AcpC+Cy89HpTjXsASCOn5y +eP/ZmQIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi +7ioFJLcRrS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB -FhBpbmZvQHdvbGZzc2wuY29tggkA71fY9Wk4lSUwMgYIKwYBBQUHAQEEJjAkMCIG -CCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUA -A4IBAQAAXv6HUfzn3lzllxfSr207ZSknOwbXVVqTVhIPi+dXadyu7Owrzc3QFcBj -o1zZblnSiLbaHKy3/kYqN3tfCzCAfqVGjzhYft+O0Pkn5ucmAfgEXyENeieFr/hB -Faodcz0yKqFr9542OqMm3Li+8mHqEUkcQ2hfjKWHe3GmeNAa8fdFbFnriLXvAFlP -cUgAcxEsdK+NHmfuz7OdpGTukKf4aQqPm3SJaMfkGyJz8SOUwt1KEe6cmSD34QYq -7xsaHBD5CwtJgq9fOHUMw6W4nyHFYettbi3VtYkZKP+UwVXrd3m1V+FEBVQoymbF -TnVjG7fEV/o1lPeCPQbM8BO/DiNw +FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAIWVPZmD9UtvtYeIei/+AsalLVX/5vNywu0rP821WVswGW5fey1I +HtGOZQSGDu8BUO3X/yN+LEA3SJ2qgsuCydf0B4tzajr7Gy+d568UXytJsoc668MP +8hPXSWya0iY5+vhI9JsZMJU5Z9hjN9a5v/0y4fypKpeZy8/2+kJL7g6HkhbcfnDc +Ru6NUhR0tWxLnuTntkYcgivFTH2E8GUVeIwsx35t2438ZExhoLSHg/YEWXFDi0AD +reAYuZQOuQUialKS/kgEz6SMyvb2HCnIsIOheRqaSVpzxD0WSvfJtd1nK718Eax/ +dI9L3e3T6rhtOj7n//zYBXtHScDMbppxI5Y= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 14 22:25:23 2015 GMT + Not After : Sep 9 22:25:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: + ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: + 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: + f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: + 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: + e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: + 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: + 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: + 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: + 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: + c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: + 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: + d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: + f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: + d5:08:52:a3 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI +MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m +892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 +e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 +dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf +lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY +FUwF8FPn1QhSow== -----END CERTIFICATE----- diff --git a/examples/server/server.c b/examples/server/server.c index b413b81b0..5949da937 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -598,7 +598,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) if (!usePsk && !useAnon) { - if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) + if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) err_sys("can't load server cert file, check file and run from" " wolfSSL home dir"); diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index eb300a625..d4ce3ec7e 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -12,6 +12,12 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT ./certs/ocsp/ocspd2.sh & # client test against our own server - GOOD CERTS +./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + ./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & sleep 1 ./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2 @@ -19,6 +25,12 @@ RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # client test against our own server - REVOKED SERVER CERT +./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 + ./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & sleep 1 ./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2 @@ -28,8 +40,14 @@ RESULT=$? # client test against our own server - REVOKED INTERMEDIATE CERT ./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2 +./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 +./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 + exit 0 diff --git a/src/internal.c b/src/internal.c index 6d10a972b..d2fc96ef6 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4397,7 +4397,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #ifdef HAVE_OCSP #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (ssl->status_request_v2) - ret = TLSX_CSR2_InitRequests(ssl->extensions, dCert); + ret = TLSX_CSR2_InitRequests(ssl->extensions, dCert, 0); else /* skips OCSP and force CRL check */ #endif if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) { @@ -4500,7 +4500,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 if (ssl->status_request_v2) { - fatal = TLSX_CSR2_InitRequests(ssl->extensions, dCert); + fatal = TLSX_CSR2_InitRequests(ssl->extensions, dCert, 1); doLookup = 0; } #endif @@ -5003,7 +5003,7 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, ret = BAD_CERTIFICATE_STATUS_ERROR; else if (CompareOcspReqResp(request, response) == 0) break; - else if (index == 1) + else if (index == 1) /* server cert must be OK */ ret = BAD_CERTIFICATE_STATUS_ERROR; } diff --git a/src/tls.c b/src/tls.c index 49bb8c4f9..86c364e46 100644 --- a/src/tls.c +++ b/src/tls.c @@ -2449,7 +2449,7 @@ static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, return 0; } -int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert) +int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer) { TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; @@ -2458,7 +2458,7 @@ int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert) for (; csr2; csr2 = csr2->next) { switch (csr2->status_type) { case WOLFSSL_CSR2_OCSP: - if (csr2->requests != 0) + if (!isPeer || csr2->requests != 0) break; /* followed by */ @@ -2501,8 +2501,10 @@ void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index) /* followed by */ case WOLFSSL_CSR2_OCSP_MULTI: - return index < csr2->requests ? &csr2->request.ocsp[index] - : NULL; + /* requests are initialized in the reverse order */ + return index < csr2->requests + ? &csr2->request.ocsp[csr2->requests - index - 1] + : NULL; break; } } diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 87d5247bc..c75b1af3c 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1612,7 +1612,7 @@ typedef struct CSRIv2 { WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, byte options); -WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert); +WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer); WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index); WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl); From a15c00321141bd9a79a14b0c633a1dca1e2aecf9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 14 Dec 2015 22:53:04 -0300 Subject: [PATCH 128/177] adds extra certs for ocspstapling tests; --- certs/ocsp/index0.txt | 5 +- certs/ocsp/index1.txt | 4 +- certs/ocsp/index2.txt | 3 +- certs/ocsp/index3.txt | 1 + certs/ocsp/intermediate1-ca-cert.pem | 132 ++++++------- certs/ocsp/intermediate2-ca-cert.pem | 132 ++++++------- certs/ocsp/intermediate3-ca-cert.pem | 186 ++++++++++++++++++ certs/ocsp/intermediate3-ca-key.pem | 28 +++ certs/ocsp/ocsp-responder-cert.pem | 102 +++++----- certs/ocsp/ocspd0.sh | 2 +- certs/ocsp/ocspd1.sh | 2 +- certs/ocsp/ocspd2.sh | 2 +- certs/ocsp/ocspd3.sh | 8 + certs/ocsp/openssl.cnf | 8 + certs/ocsp/renewcerts.sh | 17 +- certs/ocsp/root-ca-cert.pem | 50 ++--- certs/ocsp/server1-cert.pem | 222 ++++++++++----------- certs/ocsp/server2-cert.pem | 222 ++++++++++----------- certs/ocsp/server3-cert.pem | 222 ++++++++++----------- certs/ocsp/server4-cert.pem | 279 +++++++++++++++++++++++++++ certs/ocsp/server4-key.pem | 28 +++ certs/ocsp/server5-cert.pem | 279 +++++++++++++++++++++++++++ certs/ocsp/server5-key.pem | 28 +++ examples/server/server.c | 2 + scripts/include.am | 6 + scripts/ocsp-stapling.test | 8 +- scripts/ocsp-stapling2.test | 34 ++-- 27 files changed, 1438 insertions(+), 574 deletions(-) create mode 100644 certs/ocsp/index3.txt create mode 100644 certs/ocsp/intermediate3-ca-cert.pem create mode 100644 certs/ocsp/intermediate3-ca-key.pem create mode 100755 certs/ocsp/ocspd3.sh create mode 100644 certs/ocsp/server4-cert.pem create mode 100644 certs/ocsp/server4-key.pem create mode 100644 certs/ocsp/server5-cert.pem create mode 100644 certs/ocsp/server5-key.pem diff --git a/certs/ocsp/index0.txt b/certs/ocsp/index0.txt index ba666d9db..256b8ab58 100644 --- a/certs/ocsp/index0.txt +++ b/certs/ocsp/index0.txt @@ -1,3 +1,4 @@ V 161213070133Z 63 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com -V 161213070133Z 01 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com -R 161213070133Z 151201070133Z 02 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com +V 161213070133Z 01 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com +V 161213070133Z 02 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com +R 161213070133Z 151201070133Z 03 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/index1.txt b/certs/ocsp/index1.txt index fc223eedc..a49ec58a3 100644 --- a/certs/ocsp/index1.txt +++ b/certs/ocsp/index1.txt @@ -1,2 +1,2 @@ -V 161213070133Z 04 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www1.wolfssl.com/emailAddress=info@wolfssl.com -R 161213070133Z 151201070133Z 05 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www2.wolfssl.com/emailAddress=info@wolfssl.com +V 161213070133Z 05 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www1.wolfssl.com/emailAddress=info@wolfssl.com +R 161213070133Z 151201070133Z 06 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www2.wolfssl.com/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/index2.txt b/certs/ocsp/index2.txt index 3edb677b5..0a163f7b6 100644 --- a/certs/ocsp/index2.txt +++ b/certs/ocsp/index2.txt @@ -1 +1,2 @@ -V 161213070133Z 06 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www3.wolfssl.com/emailAddress=info@wolfssl.com +V 161213070133Z 07 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www3.wolfssl.com/emailAddress=info@wolfssl.com +R 161213070133Z 151201070133Z 08 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www4.wolfssl.com/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/index3.txt b/certs/ocsp/index3.txt new file mode 100644 index 000000000..eb6d3c048 --- /dev/null +++ b/certs/ocsp/index3.txt @@ -0,0 +1 @@ +V 161213070133Z 09 unknown /C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=www5.wolfssl.com/emailAddress=info@wolfssl.com diff --git a/certs/ocsp/intermediate1-ca-cert.pem b/certs/ocsp/intermediate1-ca-cert.pem index d3a498adf..05e15e413 100644 --- a/certs/ocsp/intermediate1-ca-cert.pem +++ b/certs/ocsp/intermediate1-ca-cert.pem @@ -5,9 +5,9 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT - Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) @@ -47,49 +47,49 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 1b:83:ce:ad:1e:50:0f:3c:f0:26:17:23:c1:d5:98:88:c8:bc: - 30:5b:bb:01:bd:9b:cc:b3:45:0b:a3:7b:30:0a:54:3f:c7:36: - 16:4b:8b:cb:dd:d1:b3:7b:00:40:48:24:cb:46:3b:e7:e0:5c: - 7b:ec:ca:f8:e0:e5:34:5d:ae:e7:ac:87:15:cd:6c:7e:13:52: - 28:84:55:2b:2a:14:d9:fa:34:ce:fb:15:6c:10:47:c9:e6:ed: - 35:5b:4c:97:9c:dd:51:46:ac:2c:60:b7:2e:9d:2f:cb:0d:83: - 86:f0:a6:1b:6d:26:cb:7f:c4:97:51:6c:a1:a3:8d:6e:be:41: - 4a:ec:b0:cf:b4:ae:ad:e4:65:57:12:5d:bf:a0:78:ce:bf:4b: - 35:fe:bb:94:7a:f1:43:7d:0f:01:45:eb:d1:53:8b:19:db:bf: - 3e:4a:26:77:a1:b5:06:2a:64:ec:53:ca:ec:93:23:a2:4e:6a: - 82:8f:11:f4:cd:5f:6c:6e:22:cd:e1:1c:76:ce:49:f7:ca:43: - 65:aa:f5:9e:e7:ad:eb:99:4f:ff:db:fe:b8:91:ef:2c:ea:92: - 5f:bf:08:78:c1:90:22:37:f3:7e:c3:5b:fc:31:f0:5b:83:65: - 00:d6:5a:55:3a:a2:a8:3f:02:e5:ae:7a:37:7b:3c:39:e7:91: - 4a:2e:53:04 + 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: + c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: + 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: + fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: + 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: + 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: + 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: + 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: + f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: + ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: + 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: + 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: + 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: + e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: + 49:be:30:c1 -----BEGIN CERTIFICATE----- -MIIE7jCCA9agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT -U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy -bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN60yFx34C2x9bmtFkc1oDVlZcbh -QKsetLkTt8uMu3eldtpth4f2Sk0T5CY+J4fuW8dqP0UwYVVc9jXRZfqYEaOnVdW+ -kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN -MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr -GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a -lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA -AaOCATkwggE1MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA -cYJkRNoOMIHEBgNVHSMEgbwwgbmAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIBYzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IB -AQAbg86tHlAPPPAmFyPB1ZiIyLwwW7sBvZvMs0ULo3swClQ/xzYWS4vL3dGzewBA -SCTLRjvn4Fx77Mr44OU0Xa7nrIcVzWx+E1IohFUrKhTZ+jTO+xVsEEfJ5u01W0yX -nN1RRqwsYLcunS/LDYOG8KYbbSbLf8SXUWyho41uvkFK7LDPtK6t5GVXEl2/oHjO -v0s1/ruUevFDfQ8BRevRU4sZ278+SiZ3obUGKmTsU8rskyOiTmqCjxH0zV9sbiLN -4Rx2zkn3ykNlqvWe563rmU//2/64ke8s6pJfvwh4wZAiN/N+w1v8MfBbg2UA1lpV -OqKoPwLlrno3ezw555FKLlME +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ +KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt +OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO +DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe +2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR +0iqUR3W1gPLogzTMfyKKnkm+MME= -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -140,27 +140,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate2-ca-cert.pem b/certs/ocsp/intermediate2-ca-cert.pem index 886f251e5..a045d6776 100644 --- a/certs/ocsp/intermediate2-ca-cert.pem +++ b/certs/ocsp/intermediate2-ca-cert.pem @@ -5,9 +5,9 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT - Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) @@ -47,49 +47,49 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 85:95:3d:99:83:f5:4b:6f:b5:87:88:7a:2f:fe:02:c6:a5:2d: - 55:ff:e6:f3:72:c2:ed:2b:3f:cd:b5:59:5b:30:19:6e:5f:7b: - 2d:48:1e:d1:8e:65:04:86:0e:ef:01:50:ed:d7:ff:23:7e:2c: - 40:37:48:9d:aa:82:cb:82:c9:d7:f4:07:8b:73:6a:3a:fb:1b: - 2f:9d:e7:af:14:5f:2b:49:b2:87:3a:eb:c3:0f:f2:13:d7:49: - 6c:9a:d2:26:39:fa:f8:48:f4:9b:19:30:95:39:67:d8:63:37: - d6:b9:bf:fd:32:e1:fc:a9:2a:97:99:cb:cf:f6:fa:42:4b:ee: - 0e:87:92:16:dc:7e:70:dc:46:ee:8d:52:14:74:b5:6c:4b:9e: - e4:e7:b6:46:1c:82:2b:c5:4c:7d:84:f0:65:15:78:8c:2c:c7: - 7e:6d:db:8d:fc:64:4c:61:a0:b4:87:83:f6:04:59:71:43:8b: - 40:03:ad:e0:18:b9:94:0e:b9:05:22:6a:52:92:fe:48:04:cf: - a4:8c:ca:f6:f6:1c:29:c8:b0:83:a1:79:1a:9a:49:5a:73:c4: - 3d:16:4a:f7:c9:b5:dd:67:2b:bd:7c:11:ac:7f:74:8f:4b:dd: - ed:d3:ea:b8:6d:3a:3e:e7:ff:fc:d8:05:7b:47:49:c0:cc:6e: - 9a:71:23:96 + 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: + c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: + d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: + ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: + 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: + b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: + 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: + 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: + 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: + 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: + 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: + 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: + e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: + 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: + 53:95:72:29 -----BEGIN CERTIFICATE----- -MIIE9jCCA96gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT -U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L -RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLH -dbRqK6kjhb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcu -SyjFU0YjK4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPk -yIlDYfEluM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1 -JMvpSd+BnZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkF -UPC/7H8S4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORG -eP/ZmQIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi -7ioFJLcRrS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y -FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw -DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp -bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB -FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm -MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN -AQELBQADggEBAIWVPZmD9UtvtYeIei/+AsalLVX/5vNywu0rP821WVswGW5fey1I -HtGOZQSGDu8BUO3X/yN+LEA3SJ2qgsuCydf0B4tzajr7Gy+d568UXytJsoc668MP -8hPXSWya0iY5+vhI9JsZMJU5Z9hjN9a5v/0y4fypKpeZy8/2+kJL7g6HkhbcfnDc -Ru6NUhR0tWxLnuTntkYcgivFTH2E8GUVeIwsx35t2438ZExhoLSHg/YEWXFDi0AD -reAYuZQOuQUialKS/kgEz6SMyvb2HCnIsIOheRqaSVpzxD0WSvfJtd1nK718Eax/ -dI9L3e3T6rhtOj7n//zYBXtHScDMbppxI5Y= +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj +hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj +K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl +uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B +nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S +4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR +rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 +oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch +wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ +2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk +xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN +K2lpzYEnY+gtVSoA3gsVLFOVcik= -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -140,27 +140,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate3-ca-cert.pem b/certs/ocsp/intermediate3-ca-cert.pem new file mode 100644 index 000000000..b7629bdc1 --- /dev/null +++ b/certs/ocsp/intermediate3-ca-cert.pem @@ -0,0 +1,186 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28: + fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c: + 31:eb:13:70:ea:4a:dd:58:3e:4f:33:14:66:59:69: + 7a:aa:90:e0:7c:c4:b2:36:c1:0a:f4:df:3e:34:6c: + 1a:e9:2b:f1:a5:92:7e:a9:68:70:ba:a4:68:88:f3: + ec:10:40:64:a5:64:7d:d9:1e:51:49:9d:7f:c8:cc: + 2b:6d:71:2a:06:ff:e6:1f:84:28:8a:c1:ed:a8:52: + f4:89:a5:c0:77:d8:13:66:c2:65:a5:63:03:98:b0: + 4b:05:4f:0c:84:a0:f4:2d:72:73:6b:fa:0d:e1:cf: + 45:27:ed:a3:8c:02:d7:ee:99:e2:a1:f0:e3:a0:ad: + 69:ed:59:e4:27:41:8f:ef:fa:83:73:8f:5f:2b:68: + 89:13:46:26:dc:f6:28:6b:3b:b2:b8:9b:52:2a:17: + 1b:dc:72:45:73:da:75:24:35:8b:00:5e:23:37:64: + 6a:16:74:b8:ee:fe:b7:11:71:be:0a:73:c8:54:c2: + d9:04:d2:1b:f5:53:ac:8d:2a:4f:fe:33:79:e6:5e: + e7:f3:86:d3:dc:bb:4b:d7:39:7f:5b:3c:67:fe:5e: + 88:51:05:96:f2:b4:9a:45:09:4c:51:f0:6a:4d:88: + 2a:17 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 0c:5e:0d:55:3c:e7:fb:5e:c2:09:19:c8:0b:f4:c2:b2:2b:14: + 79:dc:e8:63:f6:8a:0c:03:57:9e:15:47:7e:b6:15:a3:71:90: + 01:11:39:4b:ff:3d:13:34:e4:f3:5b:a3:6c:58:4f:00:d5:c4: + b0:63:6c:90:c9:89:a8:5d:16:87:0a:da:08:40:12:b4:94:00: + 3e:44:00:13:de:34:75:90:38:79:d4:c2:39:6d:ed:17:cb:7e: + 50:ff:da:0b:eb:49:1a:66:e6:dd:eb:66:a5:92:ef:68:d5:c9: + 93:8f:aa:c7:2a:92:6b:95:af:3d:74:de:aa:29:fd:c9:53:56: + ad:9f:e0:05:d1:97:0c:01:3b:f1:c6:a6:90:7e:5c:08:11:5e: + c1:77:5d:64:09:56:ea:78:29:15:a3:ea:44:2a:4c:d6:09:a7: + a0:5f:05:54:2a:61:ca:7a:09:07:14:34:c2:0d:c5:93:cd:28: + 8b:62:26:af:30:25:8a:f1:da:65:fa:db:da:84:ab:d5:0c:37: + ae:5d:95:bd:55:2a:4b:09:e0:d3:3d:8b:3c:ea:f2:b9:68:5e: + e6:21:53:8b:28:78:39:f4:bf:9b:dc:92:bc:4b:14:06:fe:17: + 21:64:be:af:20:e8:e7:fb:67:c8:5e:ec:59:bf:27:a4:cb:e3: + 8a:6d:c3:ac +-----BEGIN CERTIFICATE----- +MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L +RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3sUEEH3CIekSRdrV +uij9pvQwRKDf+XBeFyaXWVwx6xNw6krdWD5PMxRmWWl6qpDgfMSyNsEK9N8+NGwa +6SvxpZJ+qWhwuqRoiPPsEEBkpWR92R5RSZ1/yMwrbXEqBv/mH4QoisHtqFL0iaXA +d9gTZsJlpWMDmLBLBU8MhKD0LXJza/oN4c9FJ+2jjALX7pniofDjoK1p7VnkJ0GP +7/qDc49fK2iJE0Ym3PYoazuyuJtSKhcb3HJFc9p1JDWLAF4jN2RqFnS47v63EXG+ +CnPIVMLZBNIb9VOsjSpP/jN55l7n84bT3LtL1zl/Wzxn/l6IUQWW8rSaRQlMUfBq +TYgqFwIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUuxWeMk3g ++KqKsC4MFytaQXRLBkUwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y +FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw +DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp +bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAAxeDVU85/tewgkZyAv0wrIrFHnc6GP2igwDV54VR362FaNxkAER +OUv/PRM05PNbo2xYTwDVxLBjbJDJiahdFocK2ghAErSUAD5EABPeNHWQOHnUwjlt +7RfLflD/2gvrSRpm5t3rZqWS72jVyZOPqscqkmuVrz103qop/clTVq2f4AXRlwwB +O/HGppB+XAgRXsF3XWQJVup4KRWj6kQqTNYJp6BfBVQqYcp6CQcUNMINxZPNKIti +Jq8wJYrx2mX629qEq9UMN65dlb1VKksJ4NM9izzq8rloXuYhU4soeDn0v5vckrxL +FAb+FyFkvq8g6Of7Z8he7Fm/J6TL44ptw6w= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate3-ca-key.pem b/certs/ocsp/intermediate3-ca-key.pem new file mode 100644 index 000000000..03ebd4154 --- /dev/null +++ b/certs/ocsp/intermediate3-ca-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDexQQQfcIh6RJF +2tW6KP2m9DBEoN/5cF4XJpdZXDHrE3DqSt1YPk8zFGZZaXqqkOB8xLI2wQr03z40 +bBrpK/Glkn6paHC6pGiI8+wQQGSlZH3ZHlFJnX/IzCttcSoG/+YfhCiKwe2oUvSJ +pcB32BNmwmWlYwOYsEsFTwyEoPQtcnNr+g3hz0Un7aOMAtfumeKh8OOgrWntWeQn +QY/v+oNzj18raIkTRibc9ihrO7K4m1IqFxvcckVz2nUkNYsAXiM3ZGoWdLju/rcR +cb4Kc8hUwtkE0hv1U6yNKk/+M3nmXufzhtPcu0vXOX9bPGf+XohRBZbytJpFCUxR +8GpNiCoXAgMBAAECggEAFkESRd96TE7vT2EsJru/kzUjuUdk+JM8Iw3s4rVuGzDG +//DYqd8XpF+uVdJOucldU7mGoCeqw4mlujDug0qrikHXO28+i7au5rePZpQ4ObmP +ROhdcIA2asXStM0wSKC5yX43Wp1C86TN3w5a6t4AGizjYKFCk7dQ10ftVTaLDhsI +I4uuEZAHA7ruKmQp1DbE+/696kY4GUh2SXYQxee1zb/yYDvA6lGhuDW2Jev+4v4l ++1LZq8E2bE4GsmiLEALiHAdGvOrkZ5MUkiHVTnhGz7THK0OMj/4dJlNCwusyO+O5 +4Zr2LJQ2rnAtVGdtKuVsgwHwQBPpV9bJPkDXEzlXUQKBgQD38kxnjJ5nv0plMA+E +QViItp0qgQeXX18YTlh8yicqVe+t9kKnHm1tqZx/djvvR/51p0SkMfWNvMn8JYXa +dfT3ZX0djrzR9o6FgR8rL+LmPg6jyIn71wBqmMf7A6WQVYuG7fQk3IJNtx52BKcS +f8r2tsdPX8d/FBsCn3m/ZxaEyQKBgQDmAV5xxTbJKdea5pfH33BOCp6HTqSYgf4Y +/5GEO0YLmQoBXAKbX+zcAeiaOt5WvLQgw7LfkznitPlxCkpHr9VcgVarlEjXHa7y +SeJfik5cIFbMZtXqaQ/DIUvOTgnb/ngLxEdrzX4JUnlv/z1BEhWvEYaHn0asEsc4 +zbbcKoEH3wKBgQDRisobcPGmSDm9TmKuqPMDhyFH/IfH2+foCL4rqER1OO84G7i0 +t7hPR1plNizsyfE4yUXvZfFZ+cTR/Xwj5jBCrFiSlEDrSO2l0jvfKbceUi/ZJu/G +ECvf6oKHlstjMYibXZpJVLoip7Fsl/4CWlHTMyE56X4V3Y3+J3yiz6JuUQKBgDPS +byMXGibs5IUkG2KPN1B+GAXIdFFgSI39Vx4B9OA8FQMFZhj33fgb/fpx9RJ55ePT +9ANnuo0X1XPgq6fHOD1lbs+t01OUfoxclUKNeOZM6wGW0e/EyCZg5CGRd6s3hHiy +Op1RaWpUSMQxL+3vUy9ktXjtLBEtEfH8d4zXjsblAoGBAMPAdSskbG+upEYcNR2O +++R9X8BkWhaTDqkAuygsGJDomIgH89wROdlTnsi5LXe/r3uCocRC+M1ChRXm7Zqs +81QjVdls6HVZu5rG82S8itqdXHOXCajb1ls+lNiu7/9tPJVmpYfjfjD4/QHV0vF/ +FqdfthIOUXePjrAKccJDiJIk +-----END PRIVATE KEY----- diff --git a/certs/ocsp/ocsp-responder-cert.pem b/certs/ocsp/ocsp-responder-cert.pem index 616752f2e..90446b51c 100644 --- a/certs/ocsp/ocsp-responder-cert.pem +++ b/certs/ocsp/ocsp-responder-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 3 (0x3) + Serial Number: 4 (0x4) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL OCSP Responder/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,27 +44,27 @@ Certificate: X509v3 Extended Key Usage: OCSP Signing Signature Algorithm: sha256WithRSAEncryption - 73:47:ce:37:60:b0:51:a2:91:81:1c:1f:b6:b8:ca:4f:c8:95: - 68:cc:d3:4f:62:df:ff:c0:29:55:16:b2:df:2c:bf:73:b3:7c: - 95:a1:94:cc:a2:9f:30:60:92:fb:ec:31:21:14:09:60:ab:67: - f5:66:e4:bd:fd:18:a9:0b:d7:5e:61:39:37:cb:da:51:84:aa: - 06:38:68:27:eb:16:d7:60:91:23:5e:87:40:7f:e3:ce:40:f1: - 1f:99:50:2b:ba:69:b5:4b:ca:15:d7:9a:0d:9d:8f:ae:83:82: - fb:fc:0a:37:a8:2b:fb:0f:8d:c0:f4:59:3e:7b:81:78:a0:b2: - a2:64:55:41:bc:19:02:8b:de:db:8b:6c:43:fd:f5:23:e2:25: - 63:33:71:53:e7:eb:05:75:3a:56:4b:53:e1:5f:d1:82:c7:fd: - 80:64:27:93:a6:81:38:51:09:25:fc:de:9f:84:f1:b2:07:44: - 5a:f9:b1:70:d6:1b:1e:4f:7c:c9:ca:bd:d7:df:28:86:ce:8d: - 96:f5:54:94:0a:bb:97:5a:04:a4:05:9d:8d:b8:06:0e:ba:fb: - 5a:e1:3f:f2:90:59:1b:dd:e2:23:22:e2:7f:6a:f7:b7:d7:54: - 2b:ca:20:78:2a:6e:65:de:05:50:7d:40:4d:4b:3c:42:38:f5: - 98:e0:23:c9 + 47:86:d8:ff:a5:6e:18:e4:28:b7:8a:74:f6:81:97:89:be:c7: + cf:8d:1e:15:c2:d3:e1:ff:3e:82:b8:6d:8f:92:c8:a2:55:ff: + df:7a:ed:2b:ee:d5:6f:d3:9e:8e:30:d0:08:d3:6a:39:8f:23: + 45:a3:2d:e6:99:d4:18:49:a3:f9:17:88:b5:68:86:c8:8c:17: + a7:ac:6a:a6:46:6f:b1:a4:6b:f8:8d:e5:d8:68:75:ca:a6:2d: + 36:72:12:0d:1f:12:af:c2:90:e7:bf:4a:3a:f2:02:a0:89:dd: + 6b:f8:92:4b:9b:9c:69:5a:24:a7:3f:9b:b9:8e:60:ef:33:54: + cf:aa:53:01:c2:f9:0d:9d:75:bc:c9:09:0f:40:06:6f:ab:f9: + f2:e7:0d:26:84:24:0c:b0:b2:bb:f0:13:e1:bc:82:e7:48:ce: + 46:d2:36:e6:d9:7a:4e:b3:d3:55:6c:93:a0:6c:1a:83:d5:22: + a1:2c:84:e7:cc:9e:a5:ef:d5:e1:85:36:38:c5:35:a6:87:49: + 74:2c:b0:7c:3d:e7:68:47:5d:46:35:cb:d3:9c:bb:8c:8a:3e: + fd:f9:42:ad:7d:c4:bf:0a:d9:e2:49:04:14:24:11:c1:a4:3d: + 86:93:6e:0c:55:49:ed:3f:f9:82:ec:f8:26:3e:bf:9f:33:21: + 41:55:23:8c -----BEGIN CERTIFICATE----- -MIIEvjCCA6agAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIEvjCCA6agAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnjELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBnjELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZ3b2xmU1NMIE9DU1Ag UmVzcG9uZGVyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN @@ -80,12 +80,12 @@ CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0 dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG A1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz c2wuY29tggFjMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB -AQBzR843YLBRopGBHB+2uMpPyJVozNNPYt//wClVFrLfLL9zs3yVoZTMop8wYJL7 -7DEhFAlgq2f1ZuS9/RipC9deYTk3y9pRhKoGOGgn6xbXYJEjXodAf+POQPEfmVAr -umm1S8oV15oNnY+ug4L7/Ao3qCv7D43A9Fk+e4F4oLKiZFVBvBkCi97bi2xD/fUj -4iVjM3FT5+sFdTpWS1PhX9GCx/2AZCeTpoE4UQkl/N6fhPGyB0Ra+bFw1hseT3zJ -yr3X3yiGzo2W9VSUCruXWgSkBZ2NuAYOuvta4T/ykFkb3eIjIuJ/ave311QryiB4 -Km5l3gVQfUBNSzxCOPWY4CPJ +AQBHhtj/pW4Y5Ci3inT2gZeJvsfPjR4VwtPh/z6CuG2PksiiVf/feu0r7tVv056O +MNAI02o5jyNFoy3mmdQYSaP5F4i1aIbIjBenrGqmRm+xpGv4jeXYaHXKpi02chIN +HxKvwpDnv0o68gKgid1r+JJLm5xpWiSnP5u5jmDvM1TPqlMBwvkNnXW8yQkPQAZv +q/ny5w0mhCQMsLK78BPhvILnSM5G0jbm2XpOs9NVbJOgbBqD1SKhLITnzJ6l79Xh +hTY4xTWmh0l0LLB8PedoR11GNcvTnLuMij79+UKtfcS/CtniSQQUJBHBpD2Gk24M +VUntP/mC7PgmPr+fMyFBVSOM -----END CERTIFICATE----- Certificate: Data: @@ -94,8 +94,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -136,27 +136,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -172,11 +172,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh index 33baeee14..e0f978773 100755 --- a/certs/ocsp/ocspd0.sh +++ b/certs/ocsp/ocspd0.sh @@ -1,6 +1,6 @@ #!/bin/bash -openssl ocsp -port 22220 -nmin 1 -text \ +openssl ocsp -port 22220 -nmin 1 \ -index certs/ocsp/index0.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh index 1a6f2dc2a..da6babcaa 100755 --- a/certs/ocsp/ocspd1.sh +++ b/certs/ocsp/ocspd1.sh @@ -1,6 +1,6 @@ #!/bin/bash -openssl ocsp -port 22221 -nmin 1 -text \ +openssl ocsp -port 22221 -nmin 1 \ -index certs/ocsp/index1.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh index 04f3ae2bf..3539f38fd 100755 --- a/certs/ocsp/ocspd2.sh +++ b/certs/ocsp/ocspd2.sh @@ -1,6 +1,6 @@ #!/bin/bash -openssl ocsp -port 22222 -nmin 1 -text \ +openssl ocsp -port 22222 -nmin 1 \ -index certs/ocsp/index2.txt \ -rsigner certs/ocsp/ocsp-responder-cert.pem \ -rkey certs/ocsp/ocsp-responder-key.pem \ diff --git a/certs/ocsp/ocspd3.sh b/certs/ocsp/ocspd3.sh new file mode 100755 index 000000000..35130c253 --- /dev/null +++ b/certs/ocsp/ocspd3.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +openssl ocsp -port 22223 -nmin 1 \ + -index certs/ocsp/index3.txt \ + -rsigner certs/ocsp/ocsp-responder-cert.pem \ + -rkey certs/ocsp/ocsp-responder-key.pem \ + -CA certs/ocsp/intermediate3-ca-cert.pem \ + $@ diff --git a/certs/ocsp/openssl.cnf b/certs/ocsp/openssl.cnf index 2c4234a90..71eee9a86 100644 --- a/certs/ocsp/openssl.cnf +++ b/certs/ocsp/openssl.cnf @@ -18,6 +18,14 @@ authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment authorityInfoAccess = OCSP;URI:http://localhost:22222 +# Extensions to add to a certificate request (intermediate3-ca) +[ v3_req3 ] +basicConstraints = CA:false +subjectKeyIdentifier = hash +authorityKeyIdentifier = keyid:always,issuer:always +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +authorityInfoAccess = OCSP;URI:http://localhost:22223 + # Extensions for a typical CA [ v3_ca ] basicConstraints = CA:true diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 2fa007a49..4eb552b42 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -41,9 +41,14 @@ function update_cert() { cat $3-cert.pem >> $1-cert.pem } -update_cert intermediate1-ca "wolfSSL intermediate CA" root-ca v3_ca 01 -update_cert intermediate2-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 02 # REVOKED -update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 03 -update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 04 -update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 05 # REVOKED -update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 06 +update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 +update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 +update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED + +update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04 + +update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05 +update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 # REVOKED +update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07 +update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED +update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem index 34bcd48c6..9d68f8197 100644 --- a/certs/ocsp/root-ca-cert.pem +++ b/certs/ocsp/root-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,27 +47,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -83,11 +83,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem index 794bb7a31..eab440bdf 100644 --- a/certs/ocsp/server1-cert.pem +++ b/certs/ocsp/server1-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 4 (0x4) + Serial Number: 5 (0x5) Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,49 +47,49 @@ Certificate: OCSP - URI:http://localhost:22221 Signature Algorithm: sha256WithRSAEncryption - 81:77:93:7b:35:9c:af:00:ca:7a:eb:53:d0:56:f9:11:7b:eb: - 6b:d1:ac:f2:bb:1a:f2:b7:d1:02:59:04:3c:43:09:5a:66:9b: - 05:c9:9b:3c:98:d4:3b:30:dd:8a:8a:97:fb:77:06:22:89:b3: - c6:14:3d:00:ef:48:95:69:6f:74:92:4e:f0:70:fb:7a:d4:84: - f9:26:00:b7:f9:59:14:fb:56:ed:b3:ea:14:de:d6:76:aa:c4: - dd:16:74:f7:5a:32:18:1e:ab:eb:80:3d:2f:5c:fc:29:96:fa: - 62:44:09:bf:3e:f9:ac:2b:6e:36:68:f1:d7:53:eb:a1:47:53: - 99:65:29:3f:21:e2:ce:64:55:37:e0:41:d2:0a:ac:1b:6a:a3: - 62:db:96:46:2e:67:9f:4a:8f:7d:5e:f9:1f:2a:36:e6:c0:2b: - 07:f9:63:d9:54:e7:5b:09:86:7a:dc:75:96:bc:60:28:00:99: - a7:8b:17:7a:bd:8b:06:bc:9f:c4:bc:d7:c8:d5:eb:a6:60:cf: - 0c:07:b3:8c:bd:87:8c:15:12:d2:26:ea:56:ed:d4:c0:87:10: - 50:7f:f6:70:d0:72:fb:f0:75:cf:c7:c2:c9:01:6a:05:68:5e: - 7a:2f:e0:ef:c1:45:e0:31:52:05:d7:12:7a:06:53:81:f7:e8: - cb:14:42:bd + cc:2e:e2:e4:a8:f6:e8:73:e4:e8:d9:ee:05:e6:2c:a9:0f:54: + d5:b0:be:ce:20:a6:12:38:63:b8:19:32:c1:12:2f:d4:ee:a5: + 73:2b:72:5c:ad:c7:ed:d7:a4:5e:97:d2:a4:fd:9e:db:3d:e0: + df:a2:96:a9:36:c8:e3:f9:93:d6:84:dc:ad:a4:5f:1e:d4:af: + de:b4:05:9a:e5:ac:c6:b4:f4:9b:69:a0:e8:81:28:32:d7:a0: + 83:1b:2d:18:92:87:33:3f:23:11:11:f5:c9:01:11:35:de:44: + 8d:1d:6b:c4:3a:20:72:64:5d:c1:59:60:cb:5c:3b:ca:a0:27: + ab:e6:6c:ac:31:ec:a9:3a:a0:ec:10:e5:48:34:9b:d3:1c:9e: + 1e:93:2a:ba:47:40:b6:5d:45:c4:b9:cb:d6:63:5b:1a:70:26: + 23:f6:0a:41:53:de:ba:02:db:df:ce:df:6d:7a:9c:85:55:a4: + 01:3e:f5:d1:9c:4a:59:bf:1f:f5:83:fa:92:9a:3d:80:4d:49: + aa:f6:92:5f:94:ee:ef:38:b3:71:9f:96:30:7d:b2:d2:8d:bb: + 16:ed:e1:6f:cd:8e:4e:d2:e0:5b:59:5c:dd:95:de:9f:69:63: + d4:b2:54:52:51:40:e5:50:5c:4b:1c:5e:51:5b:10:b7:19:1f: + 31:08:70:cb -----BEGIN CERTIFICATE----- -MIIE7DCCA9SgAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMCVVMx +MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM -B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NM -IGludGVybWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMTQyMjI1MjNaFw0xODA5MDkyMjI1MjNaMIGYMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE -CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEHd3dzEu -d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDmllV1z4qXaIy2OPZ6Bb4ztlFH -N4r325G+kmu3AIzyxSRuGOmSAIEB3LNMKKm3gPGWzyN6L6744w8t014j59tMsl2J -Fhe+voHb+xJtKEsQoBIEJ8HJ0HmV7+iNjFmbTnJ9vEkrIk74T+IM8enpl/nfjFoK -qjgdQwSjp4mh4oOkS7VORYimIl2sqVhniMHVYe+9EQUnlEe7M6WKyu4fjcBuJK/N -yr+AR3GVrKnxXSNs9Uu0qeHEZvvlxKGfp1HReM0utD8u4oLzf8Sn9DHPdic/2y7S -bsNHI4KjSECMp8ET8GNQVEP2cRLhb6V6WCb3/Ys7cBigQ7oBa7P41b4FE2QxAgMB -AAGjggE2MIIBMjAJBgNVHRMEAjAAMB0GA1UdDgQWBBTMVRUA4kSJkmNtEF25nnO2 -XToZyjCBxAYDVR0jBIG8MIG5gBSDxjqJLIH0AtedTOIqwHGCZETaDqGBnaSBmjCB -lzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl -YXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgw -FgYDVQQDDA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb22CAQEwCwYDVR0PBAQDAgXgMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF -BQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMTANBgkqhkiG9w0BAQsFAAOCAQEA -gXeTezWcrwDKeutT0Fb5EXvra9Gs8rsa8rfRAlkEPEMJWmabBcmbPJjUOzDdioqX -+3cGIomzxhQ9AO9IlWlvdJJO8HD7etSE+SYAt/lZFPtW7bPqFN7WdqrE3RZ091oy -GB6r64A9L1z8KZb6YkQJvz75rCtuNmjx11ProUdTmWUpPyHizmRVN+BB0gqsG2qj -YtuWRi5nn0qPfV75Hyo25sArB/lj2VTnWwmGetx1lrxgKACZp4sXer2LBryfxLzX -yNXrpmDPDAezjL2HjBUS0ibqVu3UwIcQUH/2cNBy+/B1z8fCyQFqBWheei/g78FF -4DFSBdcSegZTgffoyxRCvQ== +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOaWVXXPipdojLY49noFvjO2 +UUc3ivfbkb6Sa7cAjPLFJG4Y6ZIAgQHcs0woqbeA8ZbPI3ovrvjjDy3TXiPn20yy +XYkWF76+gdv7Em0oSxCgEgQnwcnQeZXv6I2MWZtOcn28SSsiTvhP4gzx6emX+d+M +WgqqOB1DBKOniaHig6RLtU5FiKYiXaypWGeIwdVh770RBSeUR7szpYrK7h+NwG4k +r83Kv4BHcZWsqfFdI2z1S7Sp4cRm++XEoZ+nUdF4zS60Py7igvN/xKf0Mc92Jz/b +LtJuw0cjgqNIQIynwRPwY1BUQ/ZxEuFvpXpYJvf9iztwGKBDugFrs/jVvgUTZDEC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMxVFQDiRImSY20QXbme +c7ZdOhnKMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQDMLuLkqPboc+To2e4F5iypD1TVsL7OIKYSOGO4GTLBEi/U7qVzK3Jcrcft16Re +l9Kk/Z7bPeDfopapNsjj+ZPWhNytpF8e1K/etAWa5azGtPSbaaDogSgy16CDGy0Y +koczPyMREfXJARE13kSNHWvEOiByZF3BWWDLXDvKoCer5mysMeypOqDsEOVINJvT +HJ4ekyq6R0C2XUXEucvWY1sacCYj9gpBU966Atvfzt9tepyFVaQBPvXRnEpZvx/1 +g/qSmj2ATUmq9pJflO7vOLNxn5YwfbLSjbsW7eFvzY5O0uBbWVzdld6faWPUslRS +UUDlUFxLHF5RWxC3GR8xCHDL -----END CERTIFICATE----- Certificate: Data: @@ -98,9 +98,9 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT - Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) @@ -140,49 +140,49 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 1b:83:ce:ad:1e:50:0f:3c:f0:26:17:23:c1:d5:98:88:c8:bc: - 30:5b:bb:01:bd:9b:cc:b3:45:0b:a3:7b:30:0a:54:3f:c7:36: - 16:4b:8b:cb:dd:d1:b3:7b:00:40:48:24:cb:46:3b:e7:e0:5c: - 7b:ec:ca:f8:e0:e5:34:5d:ae:e7:ac:87:15:cd:6c:7e:13:52: - 28:84:55:2b:2a:14:d9:fa:34:ce:fb:15:6c:10:47:c9:e6:ed: - 35:5b:4c:97:9c:dd:51:46:ac:2c:60:b7:2e:9d:2f:cb:0d:83: - 86:f0:a6:1b:6d:26:cb:7f:c4:97:51:6c:a1:a3:8d:6e:be:41: - 4a:ec:b0:cf:b4:ae:ad:e4:65:57:12:5d:bf:a0:78:ce:bf:4b: - 35:fe:bb:94:7a:f1:43:7d:0f:01:45:eb:d1:53:8b:19:db:bf: - 3e:4a:26:77:a1:b5:06:2a:64:ec:53:ca:ec:93:23:a2:4e:6a: - 82:8f:11:f4:cd:5f:6c:6e:22:cd:e1:1c:76:ce:49:f7:ca:43: - 65:aa:f5:9e:e7:ad:eb:99:4f:ff:db:fe:b8:91:ef:2c:ea:92: - 5f:bf:08:78:c1:90:22:37:f3:7e:c3:5b:fc:31:f0:5b:83:65: - 00:d6:5a:55:3a:a2:a8:3f:02:e5:ae:7a:37:7b:3c:39:e7:91: - 4a:2e:53:04 + 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: + c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: + 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: + fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: + 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: + 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: + 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: + 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: + f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: + ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: + 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: + 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: + 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: + e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: + 49:be:30:c1 -----BEGIN CERTIFICATE----- -MIIE7jCCA9agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT -U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy -bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN60yFx34C2x9bmtFkc1oDVlZcbh -QKsetLkTt8uMu3eldtpth4f2Sk0T5CY+J4fuW8dqP0UwYVVc9jXRZfqYEaOnVdW+ -kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN -MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr -GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a -lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA -AaOCATkwggE1MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA -cYJkRNoOMIHEBgNVHSMEgbwwgbmAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIBYzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IB -AQAbg86tHlAPPPAmFyPB1ZiIyLwwW7sBvZvMs0ULo3swClQ/xzYWS4vL3dGzewBA -SCTLRjvn4Fx77Mr44OU0Xa7nrIcVzWx+E1IohFUrKhTZ+jTO+xVsEEfJ5u01W0yX -nN1RRqwsYLcunS/LDYOG8KYbbSbLf8SXUWyho41uvkFK7LDPtK6t5GVXEl2/oHjO -v0s1/ruUevFDfQ8BRevRU4sZ278+SiZ3obUGKmTsU8rskyOiTmqCjxH0zV9sbiLN -4Rx2zkn3ykNlqvWe563rmU//2/64ke8s6pJfvwh4wZAiN/N+w1v8MfBbg2UA1lpV -OqKoPwLlrno3ezw555FKLlME +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ +KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt +OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO +DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe +2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR +0iqUR3W1gPLogzTMfyKKnkm+MME= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -233,27 +233,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem index 9025271b2..8aa20085f 100644 --- a/certs/ocsp/server2-cert.pem +++ b/certs/ocsp/server2-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 5 (0x5) + Serial Number: 6 (0x6) Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,49 +47,49 @@ Certificate: OCSP - URI:http://localhost:22221 Signature Algorithm: sha256WithRSAEncryption - a3:33:6d:91:c3:bd:b5:42:e6:6a:b8:1f:01:d8:ef:8c:ab:f9: - f7:e2:ac:23:72:a1:77:41:67:fc:b4:c9:dd:72:d8:25:3c:40: - 17:db:87:c0:6c:55:2c:26:d2:53:d5:e7:81:8e:b3:3f:e1:fd: - fd:73:4b:ee:75:44:04:a6:f1:56:aa:57:94:a3:5e:4d:45:49: - 4b:70:e2:bf:36:e9:8c:68:cf:37:f3:0f:ee:74:4a:ef:f8:8a: - 39:89:9f:3d:26:91:c8:cf:03:45:5a:13:8d:5f:ac:7c:c3:d9: - 34:1c:80:e5:33:40:fc:02:8a:04:36:93:ba:47:c5:bc:34:8b: - dc:30:4c:f5:b0:42:60:3b:59:2e:d6:c6:44:bb:44:dc:2a:05: - bd:f0:37:cc:16:27:a9:b5:f7:7d:fa:3a:7f:3c:64:62:cf:3a: - 2b:2d:85:82:bd:29:96:47:6f:a9:85:5c:4f:ae:72:eb:25:05: - e1:c8:f2:95:9e:02:03:2c:fe:06:1c:83:3a:d2:84:d4:84:17: - d8:49:84:3e:c6:3d:16:10:e5:65:25:68:a5:71:18:8c:2e:40: - a0:1c:43:ba:0f:bc:6c:07:25:29:1f:ab:1e:ff:d0:45:51:3f: - 3f:f5:a1:71:c8:35:87:47:14:c5:8e:1c:e2:94:ff:27:2c:ce: - aa:55:1c:c9 + 84:39:12:8b:3b:47:c1:57:60:70:5d:21:e4:1f:60:33:20:94: + ab:7d:50:62:55:bf:cc:78:13:40:9d:40:75:14:55:d5:71:e8: + 8a:26:3d:4a:85:94:02:6f:be:1c:84:69:6b:03:9d:74:a7:8c: + f1:0e:e4:4e:79:e3:fc:bd:1f:c7:fb:d6:bb:6e:aa:55:7f:ac: + 6f:da:84:08:b0:97:ef:24:d5:a3:d9:c1:67:78:08:7d:05:18: + c0:58:50:e8:fc:20:65:c6:0a:4e:3a:81:7a:64:0b:81:be:12: + 87:33:18:85:d3:e3:c3:ba:b5:b0:03:9a:16:e3:01:ae:a9:9a: + 9a:ea:84:5f:0e:5c:dd:d4:16:b8:38:e2:63:0a:4f:75:5f:44: + 0b:60:08:f3:d4:df:32:cf:5b:f9:7b:a0:b1:ba:ae:ed:0f:a1: + c5:71:6b:1a:19:13:b7:5f:18:e8:97:51:a2:d3:66:52:b9:8b: + 0e:47:22:c9:61:17:94:80:7c:3d:39:6f:5a:58:18:7b:2e:42: + ea:20:fa:67:58:bf:4c:58:7e:e8:c0:3d:15:08:96:84:57:a8: + 6c:66:58:9d:93:30:64:93:28:7e:cc:1b:a2:e4:f7:d8:69:9c: + 19:07:9f:90:7f:53:a8:4f:59:86:a2:0a:87:c7:35:3d:b7:9d: + 51:61:51:69 -----BEGIN CERTIFICATE----- -MIIE7DCCA9SgAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBnzELMAkGA1UEBhMCVVMx +MIIE7jCCA9agAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM -B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NM -IGludGVybWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bTAeFw0xNTEyMTQyMjI1MjNaFw0xODA5MDkyMjI1MjNaMIGYMQswCQYDVQQGEwJV -UzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwHU2VhdHRsZTEQMA4GA1UE -CgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcxGTAXBgNVBAMMEHd3dzIu -d29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEi -MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDGNYroqr0zyV6EQ2dCZSo844m0 -pmehO+5thdHTK26xYtTxIkOg1belfbX1bAkGfIzvh69PNM4n6/NKN1fD19ju5KB3 -ZSynwhBla3tIxNgo/kxOT34vIMRJW3E4QA02o1ezRNq+zVQUFWYP0wUI8i4DZy5c -XeGw5sAlj1h3W9PXqCLqVtMOAW04NFZHqhLEuirv7Bj11Nu5+m/cUOvuEKIUtZoS -4eOFD3kUuHBtDRwdOFeFaoIM1r0svyDxKC72NICnDTKCNU/BseWeJtX4uTlXQ+/t -8RBcPjK62eSeQM0o6iZGm6k0jZ+5/UV9FPfOyjuFh6dkdJxlKRiz9bGtkmI5AgMB -AAGjggE2MIIBMjAJBgNVHRMEAjAAMB0GA1UdDgQWBBR9bf32C08/SmKR9fMTYFGG -w1qf1jCBxAYDVR0jBIG8MIG5gBSDxjqJLIH0AtedTOIqwHGCZETaDqGBnaSBmjCB -lzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1Nl -YXR0bGUxEDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgw -FgYDVQQDDA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb22CAQEwCwYDVR0PBAQDAgXgMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEF -BQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMTANBgkqhkiG9w0BAQsFAAOCAQEA -ozNtkcO9tULmargfAdjvjKv59+KsI3Khd0Fn/LTJ3XLYJTxAF9uHwGxVLCbSU9Xn -gY6zP+H9/XNL7nVEBKbxVqpXlKNeTUVJS3DivzbpjGjPN/MP7nRK7/iKOYmfPSaR -yM8DRVoTjV+sfMPZNByA5TNA/AKKBDaTukfFvDSL3DBM9bBCYDtZLtbGRLtE3CoF -vfA3zBYnqbX3ffo6fzxkYs86Ky2Fgr0plkdvqYVcT65y6yUF4cjylZ4CAyz+BhyD -OtKE1IQX2EmEPsY9FhDlZSVopXEYjC5AoBxDug+8bAclKR+rHv/QRVE/P/Whccg1 -h0cUxY4c4pT/JyzOqlUcyQ== +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +Mi53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMY1iuiqvTPJXoRDZ0JlKjzj +ibSmZ6E77m2F0dMrbrFi1PEiQ6DVt6V9tfVsCQZ8jO+Hr080zifr80o3V8PX2O7k +oHdlLKfCEGVre0jE2Cj+TE5Pfi8gxElbcThADTajV7NE2r7NVBQVZg/TBQjyLgNn +Llxd4bDmwCWPWHdb09eoIupW0w4BbTg0VkeqEsS6Ku/sGPXU27n6b9xQ6+4QohS1 +mhLh44UPeRS4cG0NHB04V4VqggzWvSy/IPEoLvY0gKcNMoI1T8Gx5Z4m1fi5OVdD +7+3xEFw+MrrZ5J5AzSjqJkabqTSNn7n9RX0U987KO4WHp2R0nGUpGLP1sa2SYjkC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFH1t/fYLTz9KYpH18xNg +UYbDWp/WMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQCEORKLO0fBV2BwXSHkH2AzIJSrfVBiVb/MeBNAnUB1FFXVceiKJj1KhZQCb74c +hGlrA510p4zxDuROeeP8vR/H+9a7bqpVf6xv2oQIsJfvJNWj2cFneAh9BRjAWFDo +/CBlxgpOOoF6ZAuBvhKHMxiF0+PDurWwA5oW4wGuqZqa6oRfDlzd1Ba4OOJjCk91 +X0QLYAjz1N8yz1v5e6Cxuq7tD6HFcWsaGRO3Xxjol1Gi02ZSuYsORyLJYReUgHw9 +OW9aWBh7LkLqIPpnWL9MWH7owD0VCJaEV6hsZlidkzBkkyh+zBui5PfYaZwZB5+Q +f1OoT1mGogqHxzU9t51RYVFp -----END CERTIFICATE----- Certificate: Data: @@ -98,9 +98,9 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT - Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA/emailAddress=info@wolfssl.com + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) @@ -140,49 +140,49 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 1b:83:ce:ad:1e:50:0f:3c:f0:26:17:23:c1:d5:98:88:c8:bc: - 30:5b:bb:01:bd:9b:cc:b3:45:0b:a3:7b:30:0a:54:3f:c7:36: - 16:4b:8b:cb:dd:d1:b3:7b:00:40:48:24:cb:46:3b:e7:e0:5c: - 7b:ec:ca:f8:e0:e5:34:5d:ae:e7:ac:87:15:cd:6c:7e:13:52: - 28:84:55:2b:2a:14:d9:fa:34:ce:fb:15:6c:10:47:c9:e6:ed: - 35:5b:4c:97:9c:dd:51:46:ac:2c:60:b7:2e:9d:2f:cb:0d:83: - 86:f0:a6:1b:6d:26:cb:7f:c4:97:51:6c:a1:a3:8d:6e:be:41: - 4a:ec:b0:cf:b4:ae:ad:e4:65:57:12:5d:bf:a0:78:ce:bf:4b: - 35:fe:bb:94:7a:f1:43:7d:0f:01:45:eb:d1:53:8b:19:db:bf: - 3e:4a:26:77:a1:b5:06:2a:64:ec:53:ca:ec:93:23:a2:4e:6a: - 82:8f:11:f4:cd:5f:6c:6e:22:cd:e1:1c:76:ce:49:f7:ca:43: - 65:aa:f5:9e:e7:ad:eb:99:4f:ff:db:fe:b8:91:ef:2c:ea:92: - 5f:bf:08:78:c1:90:22:37:f3:7e:c3:5b:fc:31:f0:5b:83:65: - 00:d6:5a:55:3a:a2:a8:3f:02:e5:ae:7a:37:7b:3c:39:e7:91: - 4a:2e:53:04 + 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: + c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: + 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: + fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: + 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: + 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: + 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: + 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: + f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: + ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: + 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: + 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: + 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: + e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: + 49:be:30:c1 -----BEGIN CERTIFICATE----- -MIIE7jCCA9agAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBnzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT -U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSAwHgYDVQQDDBd3b2xmU1NMIGludGVy -bWVkaWF0ZSBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCCASIw -DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAN60yFx34C2x9bmtFkc1oDVlZcbh -QKsetLkTt8uMu3eldtpth4f2Sk0T5CY+J4fuW8dqP0UwYVVc9jXRZfqYEaOnVdW+ -kYJL/L6Q1lBTY5osIuE1Edx4ApeK5EaSnFMIdt4fU7a4ync+eW680OMNMFtM9pQN -MClknwTl2/uJYGe7ryaDUXckLysLoZSBEJjo6yaoHnzkxGxnBpVVSt1S9PJgbQEr -GZE1baQIRwZxJADZ3sZW84tTLOKalqXzYuXE4yPy0vwh6g9ido3VmUjO3FjEu3/a -lCyAdIPF4LAVfkH9DvL08Hh2e60mDapIlhcvIeOVKyY3+aqAL/7e9l68l38CAwEA -AaOCATkwggE1MAwGA1UdEwQFMAMBAf8wHQYDVR0OBBYEFIPGOoksgfQC151M4irA -cYJkRNoOMIHEBgNVHSMEgbwwgbmAFHOwHKQvgsvPR6U417AEgjp+chUhoYGdpIGa -MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH -U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx -GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 -b2xmc3NsLmNvbYIBYzALBgNVHQ8EBAMCAQYwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIwMA0GCSqGSIb3DQEBCwUAA4IB -AQAbg86tHlAPPPAmFyPB1ZiIyLwwW7sBvZvMs0ULo3swClQ/xzYWS4vL3dGzewBA -SCTLRjvn4Fx77Mr44OU0Xa7nrIcVzWx+E1IohFUrKhTZ+jTO+xVsEEfJ5u01W0yX -nN1RRqwsYLcunS/LDYOG8KYbbSbLf8SXUWyho41uvkFK7LDPtK6t5GVXEl2/oHjO -v0s1/ruUevFDfQ8BRevRU4sZ278+SiZ3obUGKmTsU8rskyOiTmqCjxH0zV9sbiLN -4Rx2zkn3ykNlqvWe563rmU//2/64ke8s6pJfvwh4wZAiN/N+w1v8MfBbg2UA1lpV -OqKoPwLlrno3ezw555FKLlME +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ +KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt +OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO +DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe +2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR +0iqUR3W1gPLogzTMfyKKnkm+MME= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -233,27 +233,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem index fe24c1698..f707abecf 100644 --- a/certs/ocsp/server3-cert.pem +++ b/certs/ocsp/server3-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 6 (0x6) + Serial Number: 7 (0x7) Signature Algorithm: sha256WithRSAEncryption - Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -47,49 +47,49 @@ Certificate: OCSP - URI:http://localhost:22222 Signature Algorithm: sha256WithRSAEncryption - c6:3a:40:31:ac:3c:32:72:03:a9:35:86:b5:04:db:d9:39:e0: - 9a:96:54:d4:7f:b8:fe:49:2a:86:37:d8:30:a7:df:1f:08:c6: - 34:77:e3:95:6e:b8:5f:7a:2f:cd:71:04:55:e7:c1:a3:d5:14: - 93:13:b2:69:7c:6a:36:bc:09:15:f8:5a:ab:af:c8:d2:f6:ba: - ee:2b:6b:30:d4:a6:4a:48:08:f8:58:39:1b:6b:67:dd:4c:f9: - ee:9f:c7:cc:e7:19:68:b1:cb:d1:9d:7c:42:12:c5:25:ff:6d: - 81:24:cf:76:06:9c:a6:39:53:60:08:fe:d6:5b:ef:9e:2c:3d: - bf:23:1e:8b:db:0f:57:ae:c4:ee:af:b3:0a:54:86:ad:65:a4: - 6b:a2:c3:ec:34:0a:c3:75:a5:06:2e:67:1c:61:52:61:61:6c: - c4:86:15:71:ea:ac:e2:9f:b7:ae:65:59:89:ab:41:ec:4a:a1: - d8:17:d6:15:cc:98:d7:67:a2:0b:2f:2e:85:ce:e5:32:5a:e1: - c6:54:aa:37:31:ba:f8:31:16:bb:de:3a:d7:9d:9e:63:5d:69: - 25:9f:0e:5a:f3:9d:7f:86:0a:15:3e:64:04:8a:0c:f7:b7:e8: - ec:4f:9f:4e:25:ef:1e:44:a0:73:ca:2e:5b:c0:f1:38:c5:15: - 29:45:04:11 + 12:62:57:58:a4:74:c0:b3:f1:d7:63:8b:1d:ba:79:99:88:76: + 5f:88:3b:e3:53:8d:d3:88:d0:98:91:3b:72:31:e9:03:5d:d5: + 1d:fe:6a:59:e8:a0:46:5b:4a:5a:3c:ce:60:27:00:36:68:49: + 35:22:cd:16:01:5f:94:67:5e:80:1a:2f:a6:21:4b:1a:d2:f8: + 70:ba:39:0f:d4:54:44:c8:6d:f4:1c:bc:fa:b3:72:32:e5:56: + 18:b8:c0:4c:98:21:56:36:a3:83:94:60:a9:a1:de:8c:7d:22: + 46:40:ac:92:7c:4a:44:6c:24:36:78:ab:f6:93:4f:44:f6:82: + 2e:ba:bc:7f:45:c2:51:be:fa:05:bb:d1:8a:95:84:38:f0:1d: + c7:66:8d:5e:44:05:26:48:b2:bd:4e:56:7a:17:28:b2:fa:3a: + 25:ce:7e:83:9a:ee:76:b0:02:54:a3:65:78:7c:7b:1e:49:ad: + 7f:65:5e:a8:cc:59:1e:fb:61:27:b6:3f:df:31:11:49:06:01: + 58:55:84:35:3e:f6:db:5a:e9:fd:2f:0a:b0:f7:c7:fb:d9:59: + 86:c6:cd:0c:f2:a6:f9:0a:ef:4b:ab:ca:a6:16:b4:df:0f:0d: + c6:d1:32:4f:0d:f9:a8:2a:28:a1:be:e2:c3:62:7e:74:90:58: + bc:67:89:20 -----BEGIN CERTIFICATE----- -MIIE9DCCA9ygAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +MIIE7jCCA9agAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM -B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM -IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv -bGZzc2wuY29tMB4XDTE1MTIxNDIyMjUyM1oXDTE4MDkwOTIyMjUyM1owgZgxCzAJ -BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl -MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE -AwwQd3d3My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns -LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4ZZR4XOdQz/Jdk -aYBR+2x8yuG6KqvS3TBh8y5HwdQzwP9TIbotFKa5fGbKRXscfY/8dfOaafFsJUag -kl0Ak+MipmC5lwU3f6GqzSKBcrEiRz18jUZVvDJN0oRDXBVDByJwNjmTG+ihRrsC -hbodMayxPIRb648fYopxUp4LY7bm1kbMGQbWuwaB5AslFGxjlHAaJzeVJEAHMPUk -c8O9+Q5fts1PGIjw16Ob9bAe/gQDpY1z92sxdIX9YfqeUzd1kOb4tZhm6FJNSkw5 -BWXBNPnGlSewB8FRlqiCGyLPQd/etJS3Dbph+/RAfKH8oimjR020lJ17UezkE/vN -6SbKp5MCAwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMHNwCw09Du7 -48qYNX1qFTOUXBE6MIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8X -oYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4G -A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l -ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ -aW5mb0B3b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk -MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEB -CwUAA4IBAQDGOkAxrDwycgOpNYa1BNvZOeCallTUf7j+SSqGN9gwp98fCMY0d+OV -brhfei/NcQRV58Gj1RSTE7JpfGo2vAkV+Fqrr8jS9rruK2sw1KZKSAj4WDkba2fd -TPnun8fM5xloscvRnXxCEsUl/22BJM92BpymOVNgCP7WW++eLD2/Ix6L2w9XrsTu -r7MKVIatZaRrosPsNArDdaUGLmccYVJhYWzEhhVx6qzin7euZVmJq0HsSqHYF9YV -zJjXZ6ILLy6FzuUyWuHGVKo3Mbr4MRa73jrXnZ5jXWklnw5a851/hgoVPmQEigz3 -t+jsT59OJe8eRKBzyi5bwPE4xRUpRQQR +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4ZZR4XOdQz/JdkaYBR+2x8 +yuG6KqvS3TBh8y5HwdQzwP9TIbotFKa5fGbKRXscfY/8dfOaafFsJUagkl0Ak+Mi +pmC5lwU3f6GqzSKBcrEiRz18jUZVvDJN0oRDXBVDByJwNjmTG+ihRrsChbodMayx +PIRb648fYopxUp4LY7bm1kbMGQbWuwaB5AslFGxjlHAaJzeVJEAHMPUkc8O9+Q5f +ts1PGIjw16Ob9bAe/gQDpY1z92sxdIX9YfqeUzd1kOb4tZhm6FJNSkw5BWXBNPnG +lSewB8FRlqiCGyLPQd/etJS3Dbph+/RAfKH8oimjR020lJ17UezkE/vN6SbKp5MC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMHNwCw09Du748qYNX1q +FTOUXBE6MIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8XoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB +AQASYldYpHTAs/HXY4sdunmZiHZfiDvjU43TiNCYkTtyMekDXdUd/mpZ6KBGW0pa +PM5gJwA2aEk1Is0WAV+UZ16AGi+mIUsa0vhwujkP1FREyG30HLz6s3Iy5VYYuMBM +mCFWNqODlGCpod6MfSJGQKySfEpEbCQ2eKv2k09E9oIuurx/RcJRvvoFu9GKlYQ4 +8B3HZo1eRAUmSLK9TlZ6Fyiy+jolzn6Dmu52sAJUo2V4fHseSa1/ZV6ozFke+2En +tj/fMRFJBgFYVYQ1PvbbWun9Lwqw98f72VmGxs0M8qb5Cu9Lq8qmFrTfDw3G0TJP +DfmoKiihvuLDYn50kFi8Z4kg -----END CERTIFICATE----- Certificate: Data: @@ -98,9 +98,9 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT - Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) @@ -140,49 +140,49 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 85:95:3d:99:83:f5:4b:6f:b5:87:88:7a:2f:fe:02:c6:a5:2d: - 55:ff:e6:f3:72:c2:ed:2b:3f:cd:b5:59:5b:30:19:6e:5f:7b: - 2d:48:1e:d1:8e:65:04:86:0e:ef:01:50:ed:d7:ff:23:7e:2c: - 40:37:48:9d:aa:82:cb:82:c9:d7:f4:07:8b:73:6a:3a:fb:1b: - 2f:9d:e7:af:14:5f:2b:49:b2:87:3a:eb:c3:0f:f2:13:d7:49: - 6c:9a:d2:26:39:fa:f8:48:f4:9b:19:30:95:39:67:d8:63:37: - d6:b9:bf:fd:32:e1:fc:a9:2a:97:99:cb:cf:f6:fa:42:4b:ee: - 0e:87:92:16:dc:7e:70:dc:46:ee:8d:52:14:74:b5:6c:4b:9e: - e4:e7:b6:46:1c:82:2b:c5:4c:7d:84:f0:65:15:78:8c:2c:c7: - 7e:6d:db:8d:fc:64:4c:61:a0:b4:87:83:f6:04:59:71:43:8b: - 40:03:ad:e0:18:b9:94:0e:b9:05:22:6a:52:92:fe:48:04:cf: - a4:8c:ca:f6:f6:1c:29:c8:b0:83:a1:79:1a:9a:49:5a:73:c4: - 3d:16:4a:f7:c9:b5:dd:67:2b:bd:7c:11:ac:7f:74:8f:4b:dd: - ed:d3:ea:b8:6d:3a:3e:e7:ff:fc:d8:05:7b:47:49:c0:cc:6e: - 9a:71:23:96 + 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: + c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: + d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: + ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: + 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: + b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: + 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: + 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: + 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: + 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: + 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: + 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: + e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: + 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: + 53:95:72:29 -----BEGIN CERTIFICATE----- -MIIE9jCCA96gAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT -U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L -RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLH -dbRqK6kjhb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcu -SyjFU0YjK4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPk -yIlDYfEluM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1 -JMvpSd+BnZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkF -UPC/7H8S4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORG -eP/ZmQIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi -7ioFJLcRrS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y -FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw -DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp -bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB -FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm -MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN -AQELBQADggEBAIWVPZmD9UtvtYeIei/+AsalLVX/5vNywu0rP821WVswGW5fey1I -HtGOZQSGDu8BUO3X/yN+LEA3SJ2qgsuCydf0B4tzajr7Gy+d568UXytJsoc668MP -8hPXSWya0iY5+vhI9JsZMJU5Z9hjN9a5v/0y4fypKpeZy8/2+kJL7g6HkhbcfnDc -Ru6NUhR0tWxLnuTntkYcgivFTH2E8GUVeIwsx35t2438ZExhoLSHg/YEWXFDi0AD -reAYuZQOuQUialKS/kgEz6SMyvb2HCnIsIOheRqaSVpzxD0WSvfJtd1nK718Eax/ -dI9L3e3T6rhtOj7n//zYBXtHScDMbppxI5Y= +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj +hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj +K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl +uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B +nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S +4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR +rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 +oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch +wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ +2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk +xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN +K2lpzYEnY+gtVSoA3gsVLFOVcik= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 14 22:25:23 2015 GMT - Not After : Sep 9 22:25:23 2018 GMT + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -233,27 +233,27 @@ Certificate: OCSP - URI:http://localhost:22220 Signature Algorithm: sha256WithRSAEncryption - 99:fc:b4:e2:1b:08:32:4b:8e:b3:fa:b4:08:53:f6:55:36:01: - ec:25:89:80:64:60:31:3b:0c:a3:6f:be:73:f7:1a:12:d1:7e: - 3d:db:80:30:72:a8:26:63:35:80:81:b6:61:16:34:c0:fd:e6: - f3:dd:a5:4a:dc:7e:85:87:57:5d:48:8e:09:46:89:89:f8:66: - 56:b5:7d:57:8e:d2:b7:77:3a:b7:51:15:97:fa:e9:d7:72:a5: - e0:e6:51:9a:f3:d8:89:7d:2c:a5:bf:34:7b:d8:f4:2f:b5:4e: - 63:97:a7:5b:69:1a:e2:1c:d8:5f:ca:a8:61:79:dc:01:40:b7: - 43:09:a7:31:a2:dd:b2:c2:0d:98:06:41:c6:60:a7:25:21:cd: - 45:84:fb:34:c7:3b:74:ed:92:c9:d9:34:8e:dc:d5:43:9e:e4: - 60:ff:b1:d8:a0:5a:5d:7d:53:8e:62:e7:b3:8c:64:cf:42:0d: - c6:e5:13:20:20:be:4b:60:5f:6f:f3:15:5b:9c:82:62:03:9f: - 94:d4:b2:8b:86:af:ed:3b:8f:20:68:4d:14:78:23:37:d7:aa: - d9:5e:89:e5:80:7a:6b:a4:b8:63:6f:df:32:ad:cd:5e:5f:60: - f8:e4:fc:3a:ce:67:e7:7a:3b:68:36:98:15:4c:05:f0:53:e7: - d5:08:52:a3 + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE0MjIyNTIzWhcNMTgwOTA5MjIyNTIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmfy04hsI -MkuOs/q0CFP2VTYB7CWJgGRgMTsMo2++c/caEtF+PduAMHKoJmM1gIG2YRY0wP3m -892lStx+hYdXXUiOCUaJifhmVrV9V47St3c6t1EVl/rp13Kl4OZRmvPYiX0spb80 -e9j0L7VOY5enW2ka4hzYX8qoYXncAUC3QwmnMaLdssINmAZBxmCnJSHNRYT7NMc7 -dO2Sydk0jtzVQ57kYP+x2KBaXX1TjmLns4xkz0INxuUTICC+S2Bfb/MVW5yCYgOf -lNSyi4av7TuPIGhNFHgjN9eq2V6J5YB6a6S4Y2/fMq3NXl9g+OT8Os5n53o7aDaY -FUwF8FPn1QhSow== +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== -----END CERTIFICATE----- diff --git a/certs/ocsp/server4-cert.pem b/certs/ocsp/server4-cert.pem new file mode 100644 index 000000000..a73be3fea --- /dev/null +++ b/certs/ocsp/server4-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8 (0x8) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www4.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9c:ef:8a:7e:84:4d:58:7a:b1:91:c8:cb:68:76: + df:fe:0a:29:fe:7f:74:35:d5:c3:fd:43:be:d7:89: + fc:59:51:5a:30:e9:50:14:84:24:d0:c8:72:7d:d6: + 75:42:12:8b:16:ad:5a:e8:d3:84:a7:07:2b:9e:12: + ef:6a:cd:3e:83:14:b7:26:a2:53:7b:3d:6c:96:7f: + 9c:c5:09:08:0e:55:08:19:b7:5a:1c:46:32:09:da: + 44:b2:ca:fd:4a:e4:be:d0:02:c9:c9:48:03:13:a5: + ad:3e:7b:21:cf:05:3a:b9:25:f5:c1:b8:4e:4d:eb: + 33:99:d1:50:4a:eb:f7:1a:08:6b:d0:5c:9d:48:eb: + 98:fd:dc:89:0f:aa:74:d3:7f:03:1b:59:65:f5:86: + e1:d9:53:ab:e4:53:ab:85:3c:79:8b:45:39:7b:fd: + e9:a2:10:b9:fa:92:71:0e:68:36:66:6e:8c:fb:e2: + 8a:5d:5f:72:66:b0:47:2d:c5:b4:93:ce:61:7f:90: + 1a:64:02:dd:57:9d:f1:f1:e8:75:21:e2:af:44:e3: + 96:f5:1c:e3:73:87:dc:b7:05:12:ad:a5:8f:0c:d8: + 2c:b4:90:b3:d9:e7:13:e1:e5:5e:4c:9b:24:89:08: + 07:9e:aa:6b:9f:64:01:da:ec:95:05:45:84:d9:a9: + db:c7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 9A:D6:EF:4E:0A:7B:8B:74:E6:14:EC:35:9A:05:2A:94:68:09:61:58 + X509v3 Authority Key Identifier: + keyid:05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:02 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 4e:d7:ac:3b:e2:2a:7c:2d:17:95:15:60:7d:d9:59:5f:53:9d: + d7:e4:8d:cf:9d:34:db:ea:e9:6b:1d:8c:d4:6e:4b:df:53:30: + 3f:8e:5b:65:2e:e6:bb:7b:96:b1:2e:9b:65:fa:72:a8:eb:97: + af:47:33:f5:ae:0b:9b:6f:d6:25:9e:60:e4:b2:e5:88:3b:64: + 26:8c:d4:8b:d5:4b:6b:85:23:c3:08:06:ca:b5:d3:88:f3:6b: + 19:be:16:c0:a6:a3:68:25:4b:68:a2:be:a0:38:51:7b:6f:7d: + a7:74:5f:1a:57:cd:29:01:4c:33:e4:52:bf:b9:f9:52:4e:c5: + a1:85:16:90:e3:c4:26:d7:b2:db:07:75:78:1f:90:99:db:cc: + 18:da:7d:58:af:52:e3:67:6a:8f:d2:33:f3:07:7f:da:09:24: + 54:03:cd:9a:ef:8f:15:f2:11:a9:42:71:d6:0b:6b:c8:76:f4: + 62:65:8c:d8:d3:10:19:af:34:9d:01:86:05:02:59:e8:4b:03: + 6d:06:0d:c4:98:38:b5:f2:85:65:29:74:2a:c2:c6:47:8b:e1: + 0e:d4:ee:9b:5d:a6:a5:55:8d:b0:e7:61:55:de:2e:30:50:cf: + 51:ba:c1:64:c0:3a:d0:55:73:fe:3c:79:e8:d7:33:0c:7e:a2: + dc:df:45:ad +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +NC53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzvin6ETVh6sZHIy2h23/4K +Kf5/dDXVw/1DvteJ/FlRWjDpUBSEJNDIcn3WdUISixatWujThKcHK54S72rNPoMU +tyaiU3s9bJZ/nMUJCA5VCBm3WhxGMgnaRLLK/UrkvtACyclIAxOlrT57Ic8FOrkl +9cG4Tk3rM5nRUErr9xoIa9BcnUjrmP3ciQ+qdNN/AxtZZfWG4dlTq+RTq4U8eYtF +OXv96aIQufqScQ5oNmZujPviil1fcmawRy3FtJPOYX+QGmQC3Ved8fHodSHir0Tj +lvUc43OH3LcFEq2ljwzYLLSQs9nnE+HlXkybJIkIB56qa59kAdrslQVFhNmp28cC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJrW704Ke4t05hTsNZoF +KpRoCWFYMIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8XoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB +AQBO16w74ip8LReVFWB92VlfU53X5I3PnTTb6ulrHYzUbkvfUzA/jltlLua7e5ax +Lptl+nKo65evRzP1rgubb9YlnmDksuWIO2QmjNSL1UtrhSPDCAbKtdOI82sZvhbA +pqNoJUtoor6gOFF7b32ndF8aV80pAUwz5FK/uflSTsWhhRaQ48Qm17LbB3V4H5CZ +28wY2n1Yr1LjZ2qP0jPzB3/aCSRUA82a748V8hGpQnHWC2vIdvRiZYzY0xAZrzSd +AYYFAlnoSwNtBg3EmDi18oVlKXQqwsZHi+EO1O6bXaalVY2w52FV3i4wUM9RusFk +wDrQVXP+PHno1zMMfqLc30Wt +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4: + 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7: + 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6: + 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77: + 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db: + 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb: + ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98: + 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1: + 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a: + 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52: + 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d: + f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35: + cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36: + a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f: + 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55: + f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96: + aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff: + d9:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: + c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: + d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: + ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: + 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: + b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: + 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: + 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: + 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: + 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: + 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: + 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: + e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: + 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: + 53:95:72:29 +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj +hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj +K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl +uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B +nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S +4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR +rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 +oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch +wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ +2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk +xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN +K2lpzYEnY+gtVSoA3gsVLFOVcik= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server4-key.pem b/certs/ocsp/server4-key.pem new file mode 100644 index 000000000..39a93b209 --- /dev/null +++ b/certs/ocsp/server4-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCc74p+hE1YerGR +yMtodt/+Cin+f3Q11cP9Q77XifxZUVow6VAUhCTQyHJ91nVCEosWrVro04SnByue +Eu9qzT6DFLcmolN7PWyWf5zFCQgOVQgZt1ocRjIJ2kSyyv1K5L7QAsnJSAMTpa0+ +eyHPBTq5JfXBuE5N6zOZ0VBK6/caCGvQXJ1I65j93IkPqnTTfwMbWWX1huHZU6vk +U6uFPHmLRTl7/emiELn6knEOaDZmboz74opdX3JmsEctxbSTzmF/kBpkAt1XnfHx +6HUh4q9E45b1HONzh9y3BRKtpY8M2Cy0kLPZ5xPh5V5MmySJCAeeqmufZAHa7JUF +RYTZqdvHAgMBAAECggEAMmlQF6vwHIftGmNh08C72yLwsmvGrLRqLKTiXOJaSWa0 +jhmkO7LnEJoTDREiwYKrYzF0jm3DotPO0wxKFAiyF/FDlAl4v5HPm9iKR1DLYa82 +1uvq6kIyOLAAeV5zVud7093Ra/LR6jHCINv01EddwbPL6dqGbMks3jA6lpaN3bJt +85VSy3h6rC2pIZrGddJxDV5jR2gm4N4j8GJoPWpYIGZa/i+GhFmx0OJfUAWTBsGQ +flt4HxtxoR0OkAQ1MnBbBLqadQQiJ3tt47vD5Ma98GGkuq/l9y2rCuJ/t7sjY7+1 +1dnXrMj4VHKTNYEIkmpNti9lblT55P9v5HAYj4SoIQKBgQDP6/Tf1sf12XKZoQvi +qwww32brRqMnj7xpiK9PfsPdnBvq1u8aApQ2XRsHLkH/aq7S91DdLKhn+5fX9TZq +fGtix0V5/JVB11+0Y8hB6YonKtmTxGPScSKQdsSdnvo27yuBfSSp2QuSqYsAqKdV +dU/F++jAeNJFr5lg+X3zo+7gMwKBgQDBOXB3cO6Xjr1vzkxdtxpbKYTVYK5XGFpy +lGDJ9QasDMD6iX8EsTzp0/3CRtITnfYFBiBDXSFDwoUm7TqjdlDh9ahFcvkre/33 +6SmXqHshn/RBl+JCAKYolw7cJmuWAFrJNZPbnbfiuqDNg8wkD3P2VTVkKWjsDpxA +f+99Xm2yHQKBgBBlWvoLxdjtPMxAlt9Y/a0c8NC80UDdZM4tqSVrqaZgGRN7v38d +lPJ0hR0b2Lh7gS3Bsu6+BsmsXVz6SUA8b3tqm1/zOxHmGfXvqGsKL4rHJkEwy25c +3Yzm0LpdPv31/khHxgxewTrfg8aZhhiHF7NVGhWTcYFtR3sOMZB07PFhAoGAf9to +RkDeQD9druwNsD2HHSeeFCvDcTJWN1djrH+MiLBvydjNyecV7YwvcCy4ue5eavig +xLKNXm8K+LUlhiC2aK7LSBlKM7H6Xd9VfFsqDxfu4rCEMTSIvncmiBqMOlfFuzrO +uhXlJgxkd1ls7bej/i5oA/06xmjsj+mYKZcgcykCgYAbONjSKF28CILSDKLepNqx +euRSnKaSgTjcu8B5C6ZWUY8+EsD3Lw6VK2Xn+PPPSS2+Pw7dgLdYybyCgPOLXV+9 +we3d0OyuIPiLiRpfnHVTXdYQBc7qa8khw12LZpodkXwKT85St8jdwJzL1KTZAWqf +N2KyjDHPGPz8paCzS8LfuQ== +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server5-cert.pem b/certs/ocsp/server5-cert.pem new file mode 100644 index 000000000..066f659fd --- /dev/null +++ b/certs/ocsp/server5-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9 (0x9) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www5.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ac:73:6d:e9:fa:8c:36:72:3e:89:3b:52:29:bd: + 14:70:a2:00:b4:08:58:b6:c6:c0:bf:80:6a:1f:a5: + f0:15:fc:f4:19:a2:67:f9:6a:5d:22:69:2e:9c:29: + 53:1e:5a:4a:d1:27:d5:b8:3b:65:37:8a:a2:eb:1b: + d4:5d:90:11:35:11:af:e3:d1:8c:24:5b:b5:90:c0: + bf:de:cb:7a:05:71:1b:ef:76:d7:9d:43:47:85:dc: + 24:b8:b8:54:fc:53:bf:c3:fd:e1:12:c6:fc:1b:6f: + 95:aa:cf:bb:8e:22:af:83:bd:4e:6b:66:fe:7e:7e: + 98:6f:b1:b9:fc:f9:8a:8a:18:92:9a:4c:27:5d:78: + 6b:e9:d0:14:1c:ed:69:6d:29:4c:4e:52:e6:92:24: + 53:b0:2e:c3:a4:94:8f:20:1c:29:5c:97:70:1a:32: + 85:90:71:f7:d7:a5:99:4f:48:c7:3d:fc:3d:a7:e1: + f9:96:ea:c1:6b:ea:31:e0:9b:fb:68:3e:4b:ad:a4: + 2b:06:90:c2:b4:27:ea:f3:a3:3e:6e:32:75:aa:70: + 6a:e3:33:29:fb:42:09:94:79:a5:eb:3c:4e:89:02: + 77:08:fd:da:ba:fc:14:c6:8e:c1:5e:db:6d:d0:07: + 4f:02:79:60:e7:95:c3:c8:f4:54:83:21:12:79:03: + 7f:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 2A:48:B6:8B:00:F0:4B:35:73:94:07:87:52:A3:69:5E:E6:D8:42:87 + X509v3 Authority Key Identifier: + keyid:BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:03 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22223 + + Signature Algorithm: sha256WithRSAEncryption + 65:c1:7f:66:88:19:db:04:76:f3:ec:eb:c8:9c:38:3f:3f:83: + 4c:6c:c9:3a:67:2f:cf:45:8d:72:28:d1:85:64:fd:53:0a:4a: + 4a:22:9d:2f:2f:76:19:f5:97:04:cb:a7:1e:83:43:42:58:01: + ca:9b:25:42:bb:d1:5c:05:4f:c1:94:22:40:df:30:42:c1:be: + b9:f2:c0:a4:64:37:9b:9b:ed:20:44:e8:f0:5c:c6:2f:b6:24: + 7f:13:b8:52:02:61:ac:69:4e:f4:bd:72:9d:e9:31:13:5f:12: + d2:cc:e7:eb:16:b3:84:cc:86:40:ee:f9:e1:4c:d8:ea:73:a1: + 32:2a:2c:c7:f6:ba:4f:bf:ba:35:49:71:4c:d1:83:86:7a:44: + 14:f3:b3:12:02:99:33:01:46:50:e0:0c:74:34:03:45:9d:d2: + 2c:e1:83:31:59:d6:e7:69:8f:26:0a:12:5d:90:97:c4:ae:93: + 67:c6:9b:a9:5b:a0:8f:22:ad:e9:e2:17:74:19:93:92:cb:9c: + cc:30:8e:7e:57:8f:37:44:82:04:f0:29:9e:79:37:0a:d6:55: + 56:8e:b6:eb:d8:0f:a5:c4:ec:65:88:98:15:2f:2a:cd:9f:d8: + 11:26:c6:d7:0e:12:4e:62:c5:5c:92:b2:99:db:c2:72:71:6f: + c1:94:24:06 +-----BEGIN CERTIFICATE----- +MIIE9DCCA9ygAwIBAgIBCTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM +IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl +MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE +AwwQd3d3NS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxzben6jDZyPok7 +Uim9FHCiALQIWLbGwL+Aah+l8BX89BmiZ/lqXSJpLpwpUx5aStEn1bg7ZTeKousb +1F2QETURr+PRjCRbtZDAv97LegVxG+92151DR4XcJLi4VPxTv8P94RLG/BtvlarP +u44ir4O9Tmtm/n5+mG+xufz5iooYkppMJ114a+nQFBztaW0pTE5S5pIkU7Auw6SU +jyAcKVyXcBoyhZBx99elmU9Ixz38Pafh+ZbqwWvqMeCb+2g+S62kKwaQwrQn6vOj +Pm4ydapwauMzKftCCZR5pes8TokCdwj92rr8FMaOwV7bbdAHTwJ5YOeVw8j0VIMh +EnkDf+ECAwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCpItosA8Es1 +c5QHh1KjaV7m2EKHMIHEBgNVHSMEgbwwgbmAFLsVnjJN4PiqirAuDBcrWkF0SwZF +oYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4G +A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l +ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ +aW5mb0B3b2xmc3NsLmNvbYIBAzALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk +MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIzMA0GCSqGSIb3DQEB +CwUAA4IBAQBlwX9miBnbBHbz7OvInDg/P4NMbMk6Zy/PRY1yKNGFZP1TCkpKIp0v +L3YZ9ZcEy6ceg0NCWAHKmyVCu9FcBU/BlCJA3zBCwb658sCkZDebm+0gROjwXMYv +tiR/E7hSAmGsaU70vXKd6TETXxLSzOfrFrOEzIZA7vnhTNjqc6EyKizH9rpPv7o1 +SXFM0YOGekQU87MSApkzAUZQ4Ax0NANFndIs4YMxWdbnaY8mChJdkJfErpNnxpup +W6CPIq3p4hd0GZOSy5zMMI5+V483RIIE8CmeeTcK1lVWjrbr2A+lxOxliJgVLyrN +n9gRJsbXDhJOYsVckrKZ28JycW/BlCQG +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28: + fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c: + 31:eb:13:70:ea:4a:dd:58:3e:4f:33:14:66:59:69: + 7a:aa:90:e0:7c:c4:b2:36:c1:0a:f4:df:3e:34:6c: + 1a:e9:2b:f1:a5:92:7e:a9:68:70:ba:a4:68:88:f3: + ec:10:40:64:a5:64:7d:d9:1e:51:49:9d:7f:c8:cc: + 2b:6d:71:2a:06:ff:e6:1f:84:28:8a:c1:ed:a8:52: + f4:89:a5:c0:77:d8:13:66:c2:65:a5:63:03:98:b0: + 4b:05:4f:0c:84:a0:f4:2d:72:73:6b:fa:0d:e1:cf: + 45:27:ed:a3:8c:02:d7:ee:99:e2:a1:f0:e3:a0:ad: + 69:ed:59:e4:27:41:8f:ef:fa:83:73:8f:5f:2b:68: + 89:13:46:26:dc:f6:28:6b:3b:b2:b8:9b:52:2a:17: + 1b:dc:72:45:73:da:75:24:35:8b:00:5e:23:37:64: + 6a:16:74:b8:ee:fe:b7:11:71:be:0a:73:c8:54:c2: + d9:04:d2:1b:f5:53:ac:8d:2a:4f:fe:33:79:e6:5e: + e7:f3:86:d3:dc:bb:4b:d7:39:7f:5b:3c:67:fe:5e: + 88:51:05:96:f2:b4:9a:45:09:4c:51:f0:6a:4d:88: + 2a:17 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 0c:5e:0d:55:3c:e7:fb:5e:c2:09:19:c8:0b:f4:c2:b2:2b:14: + 79:dc:e8:63:f6:8a:0c:03:57:9e:15:47:7e:b6:15:a3:71:90: + 01:11:39:4b:ff:3d:13:34:e4:f3:5b:a3:6c:58:4f:00:d5:c4: + b0:63:6c:90:c9:89:a8:5d:16:87:0a:da:08:40:12:b4:94:00: + 3e:44:00:13:de:34:75:90:38:79:d4:c2:39:6d:ed:17:cb:7e: + 50:ff:da:0b:eb:49:1a:66:e6:dd:eb:66:a5:92:ef:68:d5:c9: + 93:8f:aa:c7:2a:92:6b:95:af:3d:74:de:aa:29:fd:c9:53:56: + ad:9f:e0:05:d1:97:0c:01:3b:f1:c6:a6:90:7e:5c:08:11:5e: + c1:77:5d:64:09:56:ea:78:29:15:a3:ea:44:2a:4c:d6:09:a7: + a0:5f:05:54:2a:61:ca:7a:09:07:14:34:c2:0d:c5:93:cd:28: + 8b:62:26:af:30:25:8a:f1:da:65:fa:db:da:84:ab:d5:0c:37: + ae:5d:95:bd:55:2a:4b:09:e0:d3:3d:8b:3c:ea:f2:b9:68:5e: + e6:21:53:8b:28:78:39:f4:bf:9b:dc:92:bc:4b:14:06:fe:17: + 21:64:be:af:20:e8:e7:fb:67:c8:5e:ec:59:bf:27:a4:cb:e3: + 8a:6d:c3:ac +-----BEGIN CERTIFICATE----- +MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L +RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3sUEEH3CIekSRdrV +uij9pvQwRKDf+XBeFyaXWVwx6xNw6krdWD5PMxRmWWl6qpDgfMSyNsEK9N8+NGwa +6SvxpZJ+qWhwuqRoiPPsEEBkpWR92R5RSZ1/yMwrbXEqBv/mH4QoisHtqFL0iaXA +d9gTZsJlpWMDmLBLBU8MhKD0LXJza/oN4c9FJ+2jjALX7pniofDjoK1p7VnkJ0GP +7/qDc49fK2iJE0Ym3PYoazuyuJtSKhcb3HJFc9p1JDWLAF4jN2RqFnS47v63EXG+ +CnPIVMLZBNIb9VOsjSpP/jN55l7n84bT3LtL1zl/Wzxn/l6IUQWW8rSaRQlMUfBq +TYgqFwIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUuxWeMk3g ++KqKsC4MFytaQXRLBkUwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y +FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw +DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp +bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAAxeDVU85/tewgkZyAv0wrIrFHnc6GP2igwDV54VR362FaNxkAER +OUv/PRM05PNbo2xYTwDVxLBjbJDJiahdFocK2ghAErSUAD5EABPeNHWQOHnUwjlt +7RfLflD/2gvrSRpm5t3rZqWS72jVyZOPqscqkmuVrz103qop/clTVq2f4AXRlwwB +O/HGppB+XAgRXsF3XWQJVup4KRWj6kQqTNYJp6BfBVQqYcp6CQcUNMINxZPNKIti +Jq8wJYrx2mX629qEq9UMN65dlb1VKksJ4NM9izzq8rloXuYhU4soeDn0v5vckrxL +FAb+FyFkvq8g6Of7Z8he7Fm/J6TL44ptw6w= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server5-key.pem b/certs/ocsp/server5-key.pem new file mode 100644 index 000000000..a45a1c6e9 --- /dev/null +++ b/certs/ocsp/server5-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsc23p+ow2cj6J +O1IpvRRwogC0CFi2xsC/gGofpfAV/PQZomf5al0iaS6cKVMeWkrRJ9W4O2U3iqLr +G9RdkBE1Ea/j0YwkW7WQwL/ey3oFcRvvdtedQ0eF3CS4uFT8U7/D/eESxvwbb5Wq +z7uOIq+DvU5rZv5+fphvsbn8+YqKGJKaTCddeGvp0BQc7WltKUxOUuaSJFOwLsOk +lI8gHClcl3AaMoWQcffXpZlPSMc9/D2n4fmW6sFr6jHgm/toPkutpCsGkMK0J+rz +oz5uMnWqcGrjMyn7QgmUeaXrPE6JAncI/dq6/BTGjsFe223QB08CeWDnlcPI9FSD +IRJ5A3/hAgMBAAECggEABz5+EoMc2rin2dntFKXFswmLIATtvRfSRvkc/CFbWYEb +u+vvlDGcofJrK9IslKzUUb7romaUVOX0/A1aOWfw4RrSGa7WxTw4/1CpfrFreckL +lF6YphmKapwZysyrfUIDXzdN+hzzwC9KyTcauNjKKK2OGsLj0+p7es2rc24EHNLj +vFpNj5TC84qsibATY1ny3tcL7SBcNLtiHsm+0JDagGqlW3ptT0oErrzH6jtUAI9j +LLm87mxwJyp4rBZvnP3s4jnOLLCJH40QyrCPKR6L4bAzSaA9kEnBUu+y1y1PyUP7 +goWIPJmfclDFqgB2U7K/QbbfPFpt8pFB9SmbsoIlMQKBgQDgvgf/pdc6q9jAL9UQ +sTYa+iJJIFcjQKA95aCRoUeUjWvjA+2ROmYgLcMi7pxfNyFvYkaOXjBTL+aqSEWI +wQVbnGK4aqG16w2o/P+bWUatpMMWNbwsZGAkXpcgdrg+SbNjrQ2lY35EdmPc025G +Fqx5ouOk7wDlKWQolIwWDh3WNQKBgQDEb47VbrIo8BNnO/xxVjAsU7uQIYZkr/GR +6V5oN+kIXrttReZnY/bUVrV84r49E3cNfoZXlfZa7fAEVb9GWbZMk+9M/s78aU5M +xeFNj7HBfbgG3I+1SZQZaAEK6BZuq8GRCLV2JKOn9iInVQQL57/qz6APjC/a52zJ +asNmmcdIfQKBgBmEWgIjwUEvG8gOZkGj7UG43sWwv1QIVWlRth5y0l7Cg9pdqs6P +c+L5byt7LhP9fXVZEiu98/yt9qGk3Qg+6i3Rnr/Tk5LFImLqftcTltvGVkQiS8A6 +kVPvzXbpI9gmpBCQKHl7x21ch9AdzWp1zpVs8i3a2R4ryex1mUYzyh11AoGAWhKZ +WS7IDNOA4i50Y/fUYQ8IC2AEAvlWeMScoIc6mLbvlHyf2LrSvK0BzUEfYFwjlBF3 +QoQmEa3XB/XVnkmWuOiAqzqP6NfUqol19R21sXaXQrYyQzt46GlzSPABEUA6oulu +Y70LOgI3yPdHwrnCm8YWq+ppKyRBEt6cuNg8s/UCgYEAl3J4fMTYcDjt4H/OTgba +IjKLPV0LuBUfx/PTA0oi81x1c11fM8a/ZeD0QkXDjjrjXM33mbkR0lzFEl7ZOCnh +sRDkkM8MvOsq4KMGnBLQBN0QvKSgsuYDqIEUmFdMHiyckBjuwntMVXnfKYtEJ1Q9 +zYHlJn4e4/2VqGK9PWrgAtA= +-----END PRIVATE KEY----- diff --git a/examples/server/server.c b/examples/server/server.c index 5949da937..c539a18e3 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -733,6 +733,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) err_sys("can't load ca file, Please run from wolfSSL home dir"); if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from wolfSSL home dir"); + if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); #endif #ifdef HAVE_PK_CALLBACKS if (pkCallbacks) diff --git a/scripts/include.am b/scripts/include.am index b4c66554c..5b9d38448 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -36,11 +36,17 @@ endif if BUILD_OCSP_STAPLING_V2 dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test + +if BUILD_OCSP_STAPLING +scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log +else scripts/ocsp-stapling2.log: scripts/ocsp.log endif endif +endif + EXTRA_DIST += scripts/testsuite.pcap # leave openssl.test as extra until non bash works diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test index 7b4ac9cda..7d711d417 100755 --- a/scripts/ocsp-stapling.test +++ b/scripts/ocsp-stapling.test @@ -21,19 +21,21 @@ RESULT=$? # setup ocsp responder ./certs/ocsp/ocspd1.sh & +sleep 1 +[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERT ./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # client test against our own server - REVOKED CERT ./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 exit 0 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test index d4ce3ec7e..75877f210 100755 --- a/scripts/ocsp-stapling2.test +++ b/scripts/ocsp-stapling2.test @@ -8,46 +8,48 @@ trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT # setup ocsp responders ./certs/ocsp/ocspd0.sh & -./certs/ocsp/ocspd1.sh & ./certs/ocsp/ocspd2.sh & +./certs/ocsp/ocspd3.sh & +sleep 1 +[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 # client test against our own server - GOOD CERTS -./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 -./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 # client test against our own server - REVOKED SERVER CERT -./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 -./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate1-ca-cert.pem -W 2 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2 RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 # client test against our own server - REVOKED INTERMEDIATE CERT -./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & +./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 -./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & +./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & sleep 1 -./examples/client/client -A certs/ocsp/intermediate2-ca-cert.pem -W 2 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2 RESULT=$? -[ $RESULT -ne 1 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 exit 0 From 9688a0f0db467631ad566d51e37fe0f09584a103 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 14 Dec 2015 23:12:08 -0300 Subject: [PATCH 129/177] fixes API names (marketing wise); --- examples/client/client.c | 6 +++--- src/ssl.c | 10 ++++------ wolfssl/ssl.h | 8 ++++---- 3 files changed, 11 insertions(+), 13 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index f96258664..db4eef7d6 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -1008,7 +1008,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (statusRequest) { switch (statusRequest) { case WOLFSSL_CSR_OCSP: - if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP, + if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) err_sys("UseCertificateStatusRequest failed"); @@ -1022,13 +1022,13 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) if (statusRequest) { switch (statusRequest) { case WOLFSSL_CSR2_OCSP: - if (wolfSSL_UseCertificateStatusRequestV2(ssl, + if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE) != SSL_SUCCESS) err_sys("UseCertificateStatusRequest failed"); break; case WOLFSSL_CSR2_OCSP_MULTI: - if (wolfSSL_UseCertificateStatusRequestV2(ssl, + if (wolfSSL_UseOCSPStaplingV2(ssl, WOLFSSL_CSR2_OCSP_MULTI, 0) != SSL_SUCCESS) err_sys("UseCertificateStatusRequest failed"); diff --git a/src/ssl.c b/src/ssl.c index e7cecf9f3..4ed86a84e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -803,8 +803,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) #ifdef HAVE_CERTIFICATE_STATUS_REQUEST -int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type, - byte options) +int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options) { if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; @@ -814,7 +813,7 @@ int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type, } -int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, +int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, byte status_type, byte options) { if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) @@ -828,8 +827,7 @@ int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 -int wolfSSL_UseCertificateStatusRequestV2(WOLFSSL* ssl, byte status_type, - byte options) +int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl, byte status_type, byte options) { if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; @@ -839,7 +837,7 @@ int wolfSSL_UseCertificateStatusRequestV2(WOLFSSL* ssl, byte status_type, } -int wolfSSL_CTX_UseCertificateStatusRequestV2(WOLFSSL_CTX* ctx, +int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, byte status_type, byte options) { if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 9da9c4360..728ec05e8 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1430,10 +1430,10 @@ enum { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST #ifndef NO_WOLFSSL_CLIENT -WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, +WOLFSSL_API int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, unsigned char status_type, unsigned char options); -WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, +WOLFSSL_API int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, unsigned char status_type, unsigned char options); #endif @@ -1454,10 +1454,10 @@ enum { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 #ifndef NO_WOLFSSL_CLIENT -WOLFSSL_API int wolfSSL_UseCertificateStatusRequestV2(WOLFSSL* ssl, +WOLFSSL_API int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl, unsigned char status_type, unsigned char options); -WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequestV2(WOLFSSL_CTX* ctx, +WOLFSSL_API int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, unsigned char status_type, unsigned char options); #endif From eed40eb690d68573a09d249fca3c32cc16cc2fc9 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 15 Dec 2015 11:54:03 -0800 Subject: [PATCH 130/177] add aes256 key derivation to ssl3 --- src/keys.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/src/keys.c b/src/keys.c index 3c1ccea5c..124f70ade 100644 --- a/src/keys.c +++ b/src/keys.c @@ -1802,7 +1802,7 @@ int SetCipherSpecs(WOLFSSL* ssl) enum KeyStuff { MASTER_ROUNDS = 3, PREFIX = 3, /* up to three letters for master prefix */ - KEY_PREFIX = 7 /* up to 7 prefix letters for key rounds */ + KEY_PREFIX = 9 /* up to 9 prefix letters for key rounds */ }; @@ -1833,6 +1833,12 @@ static int SetPrefix(byte* sha_input, int idx) case 6: XMEMCPY(sha_input, "GGGGGGG", 7); break; + case 7: + XMEMCPY(sha_input, "HHHHHHHH", 8); + break; + case 8: + XMEMCPY(sha_input, "IIIIIIIII", 9); + break; default: WOLFSSL_MSG("Set Prefix error, bad input"); return 0; From b87c7fb4609506ad9c304880efd8f8ad51a5e158 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 15 Dec 2015 13:50:01 -0700 Subject: [PATCH 131/177] install user_rsa.h and fix leading bit function --- Makefile.am | 4 ++ wolfcrypt/user-crypto/include/user_rsa.h | 2 +- wolfcrypt/user-crypto/src/rsa.c | 91 ++++++++++++++++++------ 3 files changed, 75 insertions(+), 22 deletions(-) diff --git a/Makefile.am b/Makefile.am index 043b9328d..d44fc3413 100644 --- a/Makefile.am +++ b/Makefile.am @@ -61,6 +61,10 @@ EXTRA_DIST+= LICENSING EXTRA_DIST+= INSTALL EXTRA_DIST+= IPP +if BUILD_FAST_RSA +include_HEADERS += wolfcrypt/user-crypto/include/user_rsa.h +endif + # user crypto plug in example EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac EXTRA_DIST+= wolfcrypt/user-crypto/autogen.sh diff --git a/wolfcrypt/user-crypto/include/user_rsa.h b/wolfcrypt/user-crypto/include/user_rsa.h index ab5436203..21b7b7a31 100644 --- a/wolfcrypt/user-crypto/include/user_rsa.h +++ b/wolfcrypt/user-crypto/include/user_rsa.h @@ -106,7 +106,7 @@ WOLFSSL_API int wc_RsaFlattenPublicKey(RsaKey*, byte*, word32*, byte*, word32*); -#ifdef WOLFSSL_CERT_GEN +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) /* abstracted BN operations with RSA key */ WOLFSSL_API int wc_Rsa_leading_bit(void* BN); WOLFSSL_API int wc_Rsa_unsigned_bin_size(void* BN); diff --git a/wolfcrypt/user-crypto/src/rsa.c b/wolfcrypt/user-crypto/src/rsa.c index a61d61781..1bd708aff 100644 --- a/wolfcrypt/user-crypto/src/rsa.c +++ b/wolfcrypt/user-crypto/src/rsa.c @@ -91,22 +91,56 @@ int wc_InitRsaKey(RsaKey* key, void* heap) } -#ifdef WOLFSSL_CERT_GEN /* three functions needed for cert gen */ +/* three functions needed for cert and key gen */ +#if defined(WOLFSSL_CERT_GEN) || defined(WOLFSSL_KEY_GEN) /* return 1 if there is a leading bit*/ int wc_Rsa_leading_bit(void* bn) { int ret = 0; - if (ippsExtGet_BN(NULL, &ret, NULL, bn) != ippStsNoErr) { - USER_DEBUG(("Rsa leading bit error\n")); + int dataSz; + Ipp32u* data; + Ipp32u q; + int qSz = sizeof(Ipp32u); + + if (ippsExtGet_BN(NULL, &dataSz, NULL, bn) != ippStsNoErr) { + USER_DEBUG(("ippsExtGet_BN Rsa leading bit error\n")); return USER_CRYPTO_ERROR; } - return (ret % 8)? 1 : 0; /* if mod 8 bit then an extra byte is needed */ + + /* convert from size in binary to Ipp32u */ + dataSz = dataSz / 32 + ((dataSz % 32)? 1 : 0); + data = (Ipp32u*)XMALLOC(dataSz * sizeof(Ipp32u), NULL, + DYNAMIC_TYPE_USER_CRYPTO); + if (data == NULL) { + USER_DEBUG(("Rsa leading bit memory error\n")); + return 0; + } + + /* extract value from BN */ + if (ippsExtGet_BN(NULL, NULL, data, bn) != ippStsNoErr) { + USER_DEBUG(("Rsa leading bit error\n")); + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + return 0; + } + + /* use method like what's used in wolfssl tfm.c */ + q = data[dataSz - 1]; + + ret = 0; + while (qSz > 0) { + if (q != 0) + ret = (q & 0x80) != 0; + q >>= 8; + qSz--; + } + + XFREE(data, NULL, DYNAMIC_TYPE_USER_CRYPTO); + + return ret; } -/* get the size in bytes of BN - cuts off if extra byte is needed so recommended to check wc_Rsa_leading_bit - and adding it to this return value before mallocing memory needed */ +/* get the size in bytes of BN */ int wc_Rsa_unsigned_bin_size(void* bn) { int ret = 0; @@ -114,7 +148,7 @@ int wc_Rsa_unsigned_bin_size(void* bn) USER_DEBUG(("Rsa unsigned bin size error\n")); return USER_CRYPTO_ERROR; } - return ret / 8; /* size in bytes */ + return (ret / 8) + ((ret % 8)? 1: 0); /* size in bytes */ } #ifndef MP_OKAY @@ -125,12 +159,12 @@ int wc_Rsa_unsigned_bin_size(void* bn) int wc_Rsa_to_unsigned_bin(void* bn, byte* in, int inLen) { if (ippsGetOctString_BN((Ipp8u*)in, inLen, bn) != ippStsNoErr) { - USER_DEBUG(("Rsa unsigned bin error\n")); + USER_DEBUG(("Rsa to unsigned bin error\n")); return USER_CRYPTO_ERROR; } return MP_OKAY; } -#endif /* WOLFSSL_CERT_GEN */ +#endif /* WOLFSSL_CERT_GEN or WOLFSSL_KEY_GEN */ #ifdef OPENSSL_EXTRA /* functions needed for openssl compatibility layer */ @@ -1936,6 +1970,7 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) IppsBigNumState* pSrcPublicExp; Ipp8u* scratchBuffer; + Ipp8u eAry[8]; int trys = 8; /* Miller-Rabin test parameter */ IppsPrimeState* pPrime; @@ -2015,11 +2050,16 @@ int wc_MakeRsaKey(RsaKey* key, int size, long e, WC_RNG* rng) /* set up initial value of pScrPublicExp */ leng = (int)sizeof(long); /* # of Ipp32u in long */ + + /* place the value of e into the array eAry then load into BN */ + for (i = 0; i < leng; i++) { + eAry[i] = (e >> (8 * (leng - 1 - i))) & 0XFF; + } ret = init_bn(&pSrcPublicExp, leng); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; - ret = ippsSetOctString_BN((Ipp8u*)&e, leng, pSrcPublicExp); + ret = ippsSetOctString_BN(eAry, leng, pSrcPublicExp); if (ret != ippStsNoErr) return USER_CRYPTO_ERROR; @@ -2300,10 +2340,12 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, return USER_CRYPTO_ERROR; #endif - if (ippsExtGet_BN(NULL, &rawLen, NULL, key->n) != ippStsNoErr) + leadingBit = wc_Rsa_leading_bit(key->n); + rawLen = wc_Rsa_unsigned_bin_size(key->n); + if ((int)rawLen < 0) { return USER_CRYPTO_ERROR; - leadingBit = rawLen % 8; /* check for if an extra byte is needed */ - rawLen = rawLen/8; /* convert to byte size */ + } + rawLen = rawLen + leadingBit; n[0] = ASN_INTEGER; nSz = SetLength(rawLen, n + 1) + 1; /* int tag */ @@ -2339,10 +2381,12 @@ static int SetRsaPublicKey(byte* output, RsaKey* key, } #endif - if (ippsExtGet_BN(NULL, &rawLen, NULL, key->e) != ippStsNoErr) + leadingBit = wc_Rsa_leading_bit(key->e); + rawLen = wc_Rsa_unsigned_bin_size(key->e); + if ((int)rawLen < 0) { return USER_CRYPTO_ERROR; - leadingBit = rawLen % 8; - rawLen = rawLen/8; + } + rawLen = rawLen + leadingBit; e[0] = ASN_INTEGER; eSz = SetLength(rawLen, e + 1) + 1; /* int tag */ @@ -2510,15 +2554,18 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) Ipp32u isZero; IppsBigNumState* keyInt = GetRsaInt(key, i); - /* leading zero */ ippsCmpZero_BN(keyInt, &isZero); /* makes isZero 0 if true */ - ippsExtGet_BN(NULL, (int*)&rawLen, NULL, keyInt); /* bit length */ - if (rawLen % 8 || !isZero) + rawLen = wc_Rsa_unsigned_bin_size(keyInt); + if ((int)rawLen < 0) { + return USER_CRYPTO_ERROR; + } + + /* leading zero */ + if (!isZero || wc_Rsa_leading_bit(keyInt)) lbit = 1; else lbit = 0; - rawLen /= 8; /* convert to bytes */ rawLen += lbit; tmps[i] = (byte*)XMALLOC(rawLen + MAX_SEQ_SZ, key->heap, @@ -2548,6 +2595,8 @@ int wc_RsaKeyToDer(RsaKey* key, byte* output, word32 inLen) } else { ret = USER_CRYPTO_ERROR; + USER_DEBUG(("ippsGetOctString_BN error %s\n", + ippGetStatusString(err))); break; } } From 1cdc6d5edb93c3538b91cbc12151d7ee28969f5a Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 15 Dec 2015 16:09:49 -0700 Subject: [PATCH 132/177] refactoring dist and install of user/fast-rsa --- Makefile.am | 14 +------------- wolfcrypt/user-crypto/include.am | 13 +++++++++++++ 2 files changed, 14 insertions(+), 13 deletions(-) create mode 100644 wolfcrypt/user-crypto/include.am diff --git a/Makefile.am b/Makefile.am index d44fc3413..2180ecc37 100644 --- a/Makefile.am +++ b/Makefile.am @@ -61,19 +61,6 @@ EXTRA_DIST+= LICENSING EXTRA_DIST+= INSTALL EXTRA_DIST+= IPP -if BUILD_FAST_RSA -include_HEADERS += wolfcrypt/user-crypto/include/user_rsa.h -endif - -# user crypto plug in example -EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac -EXTRA_DIST+= wolfcrypt/user-crypto/autogen.sh -EXTRA_DIST+= wolfcrypt/user-crypto/include/user_rsa.h -EXTRA_DIST+= wolfcrypt/user-crypto/src/rsa.c -EXTRA_DIST+= wolfcrypt/user-crypto/lib/.gitkeep -EXTRA_DIST+= wolfcrypt/user-crypto/README.txt -EXTRA_DIST+= wolfcrypt/user-crypto/Makefile.am - include wrapper/include.am include cyassl/include.am include wolfssl/include.am @@ -85,6 +72,7 @@ include swig/include.am include src/include.am include support/include.am +include wolfcrypt/user-crypto/include.am include wolfcrypt/benchmark/include.am include wolfcrypt/src/include.am include wolfcrypt/test/include.am diff --git a/wolfcrypt/user-crypto/include.am b/wolfcrypt/user-crypto/include.am new file mode 100644 index 000000000..6cc8577ab --- /dev/null +++ b/wolfcrypt/user-crypto/include.am @@ -0,0 +1,13 @@ + +if BUILD_FAST_RSA +include_HEADERS += wolfcrypt/user-crypto/include/user_rsa.h +endif + +# user crypto plug in example +EXTRA_DIST+= wolfcrypt/user-crypto/configure.ac +EXTRA_DIST+= wolfcrypt/user-crypto/autogen.sh +EXTRA_DIST+= wolfcrypt/user-crypto/include/user_rsa.h +EXTRA_DIST+= wolfcrypt/user-crypto/src/rsa.c +EXTRA_DIST+= wolfcrypt/user-crypto/lib/.gitkeep +EXTRA_DIST+= wolfcrypt/user-crypto/README.txt +EXTRA_DIST+= wolfcrypt/user-crypto/Makefile.am From d395c5aba3a94bdff23143e1371e1ad962bacd04 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Wed, 16 Dec 2015 11:40:58 -0700 Subject: [PATCH 133/177] condense to one switch statement for testing of message digests --- src/ssl.c | 24 +++++++----------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index a5b0f7580..582e9660c 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13311,14 +13311,14 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m, } switch (type) { - case NID_md2: break; - case NID_md5: break; - case NID_sha1: break; - case NID_sha256: break; - case NID_sha384: break; - case NID_sha512: break; + case NID_md2: type = MD2h; break; + case NID_md5: type = MD5h; break; + case NID_sha1: type = SHAh; break; + case NID_sha256: type = SHA256h; break; + case NID_sha384: type = SHA384h; break; + case NID_sha512: type = SHA512h; break; default: - WOLFSSL_MSG("This NID_ is not yet implemented"); + WOLFSSL_MSG("This NID (md type) is not yet implemented"); return 0; } @@ -13364,16 +13364,6 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m, if (rng) { - switch (type) { - case NID_md2: type = MD2h; break; - case NID_md5: type = MD5h; break; - case NID_sha1: type = SHAh; break; - case NID_sha256: type = SHA256h; break; - case NID_sha384: type = SHA384h; break; - case NID_sha512: type = SHA512h; break; - /* no default, already checked if NID is supported */ - } - signSz = wc_EncodeSignature(encodedSig, m, mLen, type); if (signSz == 0) { WOLFSSL_MSG("Bad Encode Signature"); From 6c69b7f1098367fc39c1e4d131ad964288cad797 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 17 Dec 2015 09:57:44 -0800 Subject: [PATCH 134/177] make hello suite size user settable, increase default --- src/internal.c | 4 ++-- wolfssl/internal.h | 9 +++++++-- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/src/internal.c b/src/internal.c index 3dfbfbdf8..fdd0e0f65 100644 --- a/src/internal.c +++ b/src/internal.c @@ -14723,7 +14723,7 @@ int DoSessionTicket(WOLFSSL* ssl, ato16(&input[idx], &clSuites.suiteSz); idx += 2; - if (clSuites.suiteSz > MAX_SUITE_SZ) + if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) return BUFFER_ERROR; clSuites.hashSigAlgoSz = 0; @@ -15005,7 +15005,7 @@ int DoSessionTicket(WOLFSSL* ssl, if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) return BUFFER_ERROR; - if (clSuites.suiteSz > MAX_SUITE_SZ) + if (clSuites.suiteSz > WOLFSSL_MAX_SUITE_SZ) return BUFFER_ERROR; XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index 2f5d329ee..dea006f80 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -852,7 +852,6 @@ enum Misc { MAX_DH_SIZE = 513, /* 4096 bit plus possible leading 0 */ SESSION_HINT_SZ = 4, /* session timeout hint */ - MAX_SUITE_SZ = 200, /* 100 suites for now! */ RAN_LEN = 32, /* random length */ SEED_LEN = RAN_LEN * 2, /* tls prf seed length */ ID_LEN = 32, /* session id length */ @@ -988,6 +987,12 @@ enum Misc { }; +#ifndef WOLFSSL_MAX_SUITE_SZ + #define WOLFSSL_MAX_SUITE_SZ 300 + /* 150 suites for now! */ +#endif + + #ifndef WOLFSSL_MIN_DHKEY_BITS #ifdef WOLFSSL_MAX_STRENGTH #define WOLFSSL_MIN_DHKEY_BITS 2048 @@ -1221,7 +1226,7 @@ typedef struct { typedef struct Suites { word16 suiteSz; /* suite length in bytes */ word16 hashSigAlgoSz; /* SigAlgo extension length in bytes */ - byte suites[MAX_SUITE_SZ]; + byte suites[WOLFSSL_MAX_SUITE_SZ]; byte hashSigAlgo[HELLO_EXT_SIGALGO_MAX]; /* sig/algo to offer */ byte setSuites; /* user set suites from default */ byte hashAlgo; /* selected hash algorithm */ From e503b89ca1a5d3644f073b5b0fe6b4c1ea165284 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 17 Dec 2015 12:10:22 -0800 Subject: [PATCH 135/177] allow sniffer build with -v 0 examples to work --- examples/client/client.c | 2 +- examples/server/server.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index 0dda6a076..f1be58e94 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -890,7 +890,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #if defined(WOLFSSL_SNIFFER) if (cipherList == NULL) { /* don't use EDH, can't sniff tmp keys */ - if (wolfSSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) { + if (wolfSSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS) { err_sys("client can't set cipher list 3"); } } diff --git a/examples/server/server.c b/examples/server/server.c index a488c8901..f96b04b7c 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -675,7 +675,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #if defined(CYASSL_SNIFFER) /* don't use EDH, can't sniff tmp keys */ if (cipherList == NULL) { - if (SSL_CTX_set_cipher_list(ctx, "AES256-SHA256") != SSL_SUCCESS) + if (SSL_CTX_set_cipher_list(ctx, "AES128-SHA") != SSL_SUCCESS) err_sys("server can't set cipher list 3"); } #endif From b89354880f9a6df4a80e0ca3d379e1f51a13b804 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Thu, 17 Dec 2015 13:19:17 -0700 Subject: [PATCH 136/177] switch pragma once uses, causes warnings on some compilers --- IDE/ROWLEY-CROSSWORKS-ARM/hw.h | 9 ++++++++- configure.ac | 11 ++++++++++- cyassl/options.h.in | 7 ++++++- examples/client/client.h | 16 +++++++++++----- examples/echoclient/echoclient.h | 9 ++++++++- examples/echoserver/echoserver.h | 8 +++++++- examples/server/server.h | 8 +++++++- wolfcrypt/benchmark/benchmark.h | 8 +++++++- wolfcrypt/test/test.h | 7 ++++++- wolfssl/options.h.in | 7 ++++++- wolfssl/version.h | 6 +++++- wolfssl/version.h.in | 6 +++++- 12 files changed, 86 insertions(+), 16 deletions(-) diff --git a/IDE/ROWLEY-CROSSWORKS-ARM/hw.h b/IDE/ROWLEY-CROSSWORKS-ARM/hw.h index 1461f59bc..134193ca8 100644 --- a/IDE/ROWLEY-CROSSWORKS-ARM/hw.h +++ b/IDE/ROWLEY-CROSSWORKS-ARM/hw.h @@ -1,4 +1,7 @@ -#pragma once + +#ifndef WOLFSSL_ROWLEY_HW_H +#define WOLFSSL_ROWLEY_HW_H + #include <__cross_studio_io.h> #include <__libc.h> @@ -11,3 +14,7 @@ uint32_t hw_get_time_msec(void); void hw_uart_printchar(int c); void hw_watchdog_disable(void); uint32_t hw_rand(void); + + +#endif /* WOLFSSL_ROWLEY_HW_H */ + diff --git a/configure.ac b/configure.ac index a495b2234..949852207 100644 --- a/configure.ac +++ b/configure.ac @@ -2581,7 +2581,9 @@ echo " *" >> $OPTION_FILE echo " */" >> $OPTION_FILE echo "" >> $OPTION_FILE -echo "#pragma once" >> $OPTION_FILE +echo "#ifndef WOLFSSL_OPTIONS_H" >> $OPTION_FILE +echo "#define WOLFSSL_OPTIONS_H" >> $OPTION_FILE +echo "" >> $OPTION_FILE echo "" >> $OPTION_FILE echo "#ifdef __cplusplus" >> $OPTION_FILE echo "extern \"C\" {" >> $OPTION_FILE @@ -2627,6 +2629,9 @@ echo "#ifdef __cplusplus" >> $OPTION_FILE echo "}" >> $OPTION_FILE echo "#endif" >> $OPTION_FILE echo "" >> $OPTION_FILE +echo "" >> $OPTION_FILE +echo "#endif /* WOLFSSL_OPTIONS_H */" >> $OPTION_FILE +echo "" >> $OPTION_FILE echo #backwards compatability for those who have included options or version @@ -2640,6 +2645,10 @@ do echo "$line" >> cyassl/options.h done < $OPTION_FILE +# switch ifdef protection in cyassl/option.h to CYASSL_OPTONS_H, remove bak +sed -i.bak 's/WOLFSSL_OPTIONS_H/CYASSL_OPTIONS_H/g' cyassl/options.h +rm cyassl/options.h.bak + # output config summary echo "---" echo "Configuration summary for $PACKAGE_NAME version $VERSION" diff --git a/cyassl/options.h.in b/cyassl/options.h.in index d1e362c20..523be8c57 100644 --- a/cyassl/options.h.in +++ b/cyassl/options.h.in @@ -21,7 +21,9 @@ /* default blank options for autoconf */ -#pragma once +#ifndef CYASSL_OPTIONS_H +#define CYASSL_OPTIONS_H + #ifdef __cplusplus extern "C" { @@ -32,3 +34,6 @@ extern "C" { } #endif + +#endif /* CYASSL_OPTIONS_H */ + diff --git a/examples/client/client.h b/examples/client/client.h index 25881aab8..5efefe993 100644 --- a/examples/client/client.h +++ b/examples/client/client.h @@ -19,15 +19,21 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#pragma once +#ifndef WOLFSSL_CLIENT_H +#define WOLFSSL_CLIENT_H + THREAD_RETURN WOLFSSL_THREAD client_test(void* args); -/* Measures average time to create, connect and disconnect a connection (TPS). +/* Measures average time to create, connect and disconnect a connection (TPS). Benchmark = number of connections. */ -int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, +int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, int doDTLS, int benchmark, int resumeSession); -/* Measures throughput in kbps. Throughput = number of bytes */ -int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, +/* Measures throughput in kbps. Throughput = number of bytes */ +int ClientBenchmarkThroughput(WOLFSSL_CTX* ctx, char* host, word16 port, int doDTLS, int throughput); + + +#endif /* WOLFSSL_CLIENT_H */ + diff --git a/examples/echoclient/echoclient.h b/examples/echoclient/echoclient.h index d945edb4a..0498c69ed 100644 --- a/examples/echoclient/echoclient.h +++ b/examples/echoclient/echoclient.h @@ -19,5 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#pragma once +#ifndef WOLFSSL_ECHOCLIENT_H +#define WOLFSSL_ECHOCLIENT_H + + void echoclient_test(void* args); + + +#endif /* WOLFSSL_ECHOCLIENT_H */ + diff --git a/examples/echoserver/echoserver.h b/examples/echoserver/echoserver.h index 2f0d88d3d..6fc153564 100644 --- a/examples/echoserver/echoserver.h +++ b/examples/echoserver/echoserver.h @@ -19,6 +19,12 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#pragma once +#ifndef WOLFSSL_ECHOSERVER_H +#define WOLFSSL_ECHOSERVER_H + THREAD_RETURN WOLFSSL_THREAD echoserver_test(void* args); + + +#endif /* WOLFSSL_ECHOSERVER_H */ + diff --git a/examples/server/server.h b/examples/server/server.h index 3cba4c004..bfd6a14f1 100644 --- a/examples/server/server.h +++ b/examples/server/server.h @@ -19,10 +19,16 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#pragma once +#ifndef WOLFSSL_SERVER_H +#define WOLFSSL_SERVER_H + THREAD_RETURN WOLFSSL_THREAD server_test(void* args); /* Echo bytes using buffer of TEST_BUFFER_SIZE until [echoData] bytes are complete. */ /* If [bechmarkThroughput] set the statistcs will be output at the end */ int ServerEchoData(WOLFSSL* ssl, int clientfd, int echoData, int benchmarkThroughput); + + +#endif /* WOLFSSL_SERVER_H */ + diff --git a/wolfcrypt/benchmark/benchmark.h b/wolfcrypt/benchmark/benchmark.h index 3905eebf7..b916229d3 100644 --- a/wolfcrypt/benchmark/benchmark.h +++ b/wolfcrypt/benchmark/benchmark.h @@ -19,7 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#pragma once +#ifndef WOLFCRYPT_BENCHMARK_H +#define WOLFCRYPT_BENCHMARK_H + #ifdef __cplusplus extern "C" { @@ -30,3 +32,7 @@ int benchmark_test(void* args); #ifdef __cplusplus } /* extern "C" */ #endif + + +#endif /* WOLFCRYPT_BENCHMARK_H */ + diff --git a/wolfcrypt/test/test.h b/wolfcrypt/test/test.h index 6f9b6bd14..53f299454 100644 --- a/wolfcrypt/test/test.h +++ b/wolfcrypt/test/test.h @@ -19,7 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ -#pragma once +#ifndef WOLFCRYPT_TEST_H +#define WOLFCRYPT_TEST_H + #ifdef __cplusplus extern "C" { @@ -31,3 +33,6 @@ int wolfcrypt_test(void* args); } /* extern "C" */ #endif + +#endif /* WOLFCRYPT_TEST_H */ + diff --git a/wolfssl/options.h.in b/wolfssl/options.h.in index d1e362c20..2043cbbf7 100644 --- a/wolfssl/options.h.in +++ b/wolfssl/options.h.in @@ -21,7 +21,9 @@ /* default blank options for autoconf */ -#pragma once +#ifndef WOLFSSL_OPTIONS_H +#define WOLFSSL_OPTIONS_H + #ifdef __cplusplus extern "C" { @@ -32,3 +34,6 @@ extern "C" { } #endif + +#endif /* WOLFSSL_OPTIONS_H */ + diff --git a/wolfssl/version.h b/wolfssl/version.h index 831ac42c3..48bc23d52 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -19,8 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ +#ifndef WOLFSSL_VERSION_H +#define WOLFSSL_VERSION_H -#pragma once #ifdef __cplusplus extern "C" { @@ -33,3 +34,6 @@ extern "C" { } #endif + +#endif /* WOLFSSL_VERSION_H */ + diff --git a/wolfssl/version.h.in b/wolfssl/version.h.in index 966ff5a6f..cc3c5e30f 100644 --- a/wolfssl/version.h.in +++ b/wolfssl/version.h.in @@ -19,8 +19,9 @@ * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA */ +#ifndef WOLFSSL_VERSION_H +#define WOLFSSL_VERSION_H -#pragma once #ifdef __cplusplus extern "C" { @@ -33,3 +34,6 @@ extern "C" { } #endif + +#endif /* WOLFSSL_VERSION_H */ + From d5295edbd18c5eb1e152f08081fa545ce0e9ac6d Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 21 Dec 2015 11:01:09 -0800 Subject: [PATCH 137/177] add the Windows object ordering tags to wolfCrypt first and last sources --- ctaocrypt/src/wolfcrypt_first.c | 6 ++++++ ctaocrypt/src/wolfcrypt_last.c | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/ctaocrypt/src/wolfcrypt_first.c b/ctaocrypt/src/wolfcrypt_first.c index c694aa045..00e474457 100644 --- a/ctaocrypt/src/wolfcrypt_first.c +++ b/ctaocrypt/src/wolfcrypt_first.c @@ -30,6 +30,12 @@ #ifdef HAVE_FIPS +#ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$a") + #pragma const_seg(".fipsB$a") +#endif + + /* read only start address */ const unsigned int wolfCrypt_FIPS_ro_start[] = { 0x1a2b3c4d, 0x00000001 }; diff --git a/ctaocrypt/src/wolfcrypt_last.c b/ctaocrypt/src/wolfcrypt_last.c index cdcd741a1..284eb110e 100644 --- a/ctaocrypt/src/wolfcrypt_last.c +++ b/ctaocrypt/src/wolfcrypt_last.c @@ -30,6 +30,12 @@ #ifdef HAVE_FIPS +#ifdef USE_WINDOWS_API + #pragma code_seg(".fipsA$l") + #pragma const_seg(".fipsB$l") +#endif + + /* last function of text/code segment */ int wolfCrypt_FIPS_last(void); int wolfCrypt_FIPS_last(void) From b153ac002c13ecf0c411c540caf802ca4e54bd4f Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 21 Dec 2015 16:11:02 -0700 Subject: [PATCH 138/177] fix Visual Studio warnings --- src/internal.c | 10 ++++++---- src/ssl.c | 23 ++++++++++++++--------- wolfcrypt/src/integer.c | 14 +++++++------- 3 files changed, 27 insertions(+), 20 deletions(-) diff --git a/src/internal.c b/src/internal.c index fdd0e0f65..db7f9f65c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10088,12 +10088,14 @@ static void PickHashSigAlgo(WOLFSSL* ssl, { int i; /* add in the extensions length */ - c16toa(HELLO_EXT_LEN + ssl->suites->hashSigAlgoSz, output + idx); + c16toa((word16)(HELLO_EXT_LEN + ssl->suites->hashSigAlgoSz), + output + idx); idx += 2; c16toa(HELLO_EXT_SIG_ALGO, output + idx); idx += 2; - c16toa(HELLO_EXT_SIGALGO_SZ+ssl->suites->hashSigAlgoSz, output+idx); + c16toa((word16)(HELLO_EXT_SIGALGO_SZ + ssl->suites->hashSigAlgoSz), + output+idx); idx += 2; c16toa(ssl->suites->hashSigAlgoSz, output + idx); idx += 2; @@ -14886,8 +14888,8 @@ int DoSessionTicket(WOLFSSL* ssl, && ssl->version.minor != DTLSv1_2_MINOR && pv.minor != DTLS_MINOR && pv.minor != DTLSv1_2_MINOR)) { - byte haveRSA = 0; - byte havePSK = 0; + word16 haveRSA = 0; + word16 havePSK = 0; if (!ssl->options.downgrade) { WOLFSSL_MSG("Client trying to connect with lesser version"); diff --git a/src/ssl.c b/src/ssl.c index 323b71dd8..246dbe5ff 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -468,8 +468,8 @@ int wolfSSL_GetObjectSize(void) int wolfSSL_SetTmpDH(WOLFSSL* ssl, const unsigned char* p, int pSz, const unsigned char* g, int gSz) { - byte havePSK = 0; - byte haveRSA = 1; + word16 havePSK = 0; + word16 haveRSA = 1; WOLFSSL_ENTER("wolfSSL_SetTmpDH"); if (ssl == NULL || p == NULL || g == NULL) return BAD_FUNC_ARG; @@ -1983,8 +1983,8 @@ int wolfSSL_SetMinVersion(WOLFSSL* ssl, int version) int wolfSSL_SetVersion(WOLFSSL* ssl, int version) { - byte haveRSA = 1; - byte havePSK = 0; + word16 haveRSA = 1; + word16 havePSK = 0; WOLFSSL_ENTER("wolfSSL_SetVersion"); @@ -5971,8 +5971,8 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, int wolfSSL_accept(WOLFSSL* ssl) { - byte havePSK = 0; - byte haveAnon = 0; + word16 havePSK = 0; + word16 haveAnon = 0; WOLFSSL_ENTER("SSL_accept()"); #ifdef HAVE_ERRNO_H @@ -7494,8 +7494,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl) void wolfSSL_set_accept_state(WOLFSSL* ssl) { - byte haveRSA = 1; - byte havePSK = 0; + word16 haveRSA = 1; + word16 havePSK = 0; WOLFSSL_ENTER("SSL_set_accept_state"); ssl->options.side = WOLFSSL_SERVER_END; @@ -11768,7 +11768,12 @@ int wolfSSL_BN_is_bit_set(const WOLFSSL_BIGNUM* bn, int n) return SSL_FAILURE; } - return mp_is_bit_set((mp_int*)bn->internal, n); + if (n > DIGIT_BIT) { + WOLFSSL_MSG("input bit count too large"); + return SSL_FAILURE; + } + + return mp_is_bit_set((mp_int*)bn->internal, (mp_digit)n); } /* return code compliant with OpenSSL : diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index 933b78d33..a185ee295 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -665,7 +665,7 @@ int mp_mul_2d (mp_int * a, int b, mp_int * c) rr = (*tmpc >> shift) & mask; /* shift the current word and OR in the carry */ - *tmpc = ((*tmpc << d) | r) & MP_MASK; + *tmpc = (mp_digit)(((*tmpc << d) | r) & MP_MASK); ++tmpc; /* set the carry to the carry bits of the current word */ @@ -1262,7 +1262,7 @@ int mp_cmp_d(mp_int * a, mp_digit b) void mp_set (mp_int * a, mp_digit b) { mp_zero (a); - a->dp[0] = b & MP_MASK; + a->dp[0] = (mp_digit)(b & MP_MASK); a->used = (a->dp[0] != 0) ? 1 : 0; } @@ -2089,7 +2089,7 @@ mp_montgomery_setup (mp_int * n, mp_digit * rho) /* rho = -1/m mod b */ /* TAO, switched mp_word casts to mp_digit to shut up compiler */ - *rho = (((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK; + *rho = (mp_digit)((((mp_digit)1 << ((mp_digit) DIGIT_BIT)) - x) & MP_MASK); return MP_OKAY; } @@ -2719,7 +2719,7 @@ int mp_mul_2(mp_int * a, mp_int * b) rr = *tmpa >> ((mp_digit)(DIGIT_BIT - 1)); /* now shift up this digit, add in the carry [from the previous] */ - *tmpb++ = ((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK; + *tmpb++ = (mp_digit)(((*tmpa++ << ((mp_digit)1)) | r) & MP_MASK); /* copy the carry that would be from the source * digit into the next iteration @@ -2929,7 +2929,7 @@ int fast_s_mp_sqr (mp_int * a, mp_int * b) mp_digit *tmpb; tmpb = b->dp; for (ix = 0; ix < pa; ix++) { - *tmpb++ = W[ix] & MP_MASK; + *tmpb++ = (mp_digit)(W[ix] & MP_MASK); } /* clear unused digits [that existed in the old copy of c] */ @@ -3018,7 +3018,7 @@ int fast_s_mp_mul_digs (mp_int * a, mp_int * b, mp_int * c, int digs) } /* store term */ - W[ix] = ((mp_digit)_W) & MP_MASK; + W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK); /* make next carry */ _W = _W >> ((mp_word)DIGIT_BIT); @@ -3741,7 +3741,7 @@ int fast_s_mp_mul_high_digs (mp_int * a, mp_int * b, mp_int * c, int digs) } /* store term */ - W[ix] = ((mp_digit)_W) & MP_MASK; + W[ix] = (mp_digit)(((mp_digit)_W) & MP_MASK); /* make next carry */ _W = _W >> ((mp_word)DIGIT_BIT); From 0cb2374c6923d9d05e634abc7c2738d687c0099a Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 21 Dec 2015 23:03:45 -0700 Subject: [PATCH 139/177] Ensure configured before assuming message digest is supported --- src/ssl.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 582e9660c..c250f0efc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13311,14 +13311,26 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m, } switch (type) { + #ifndef WOLFSSL_MD2 case NID_md2: type = MD2h; break; + #endif + #ifndef NO_MD5 case NID_md5: type = MD5h; break; + #endif + #ifndef NO_SHA case NID_sha1: type = SHAh; break; + #endif + #ifndef NO_SHA256 case NID_sha256: type = SHA256h; break; + #endif + #ifdef WOLFSSL_SHA384 case NID_sha384: type = SHA384h; break; + #endif + #ifdef WOLFSSL_SHA512 case NID_sha512: type = SHA512h; break; + #endif default: - WOLFSSL_MSG("This NID (md type) is not yet implemented"); + WOLFSSL_MSG("This NID (md type) not configured or not implemented"); return 0; } From cbf3213c4ff1f7600714ea18fb4bda29f3314495 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 21 Dec 2015 23:33:33 -0700 Subject: [PATCH 140/177] correct logic on pre-processor macro --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index c250f0efc..ead593a5a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -13311,7 +13311,7 @@ int wolfSSL_RSA_sign(int type, const unsigned char* m, } switch (type) { - #ifndef WOLFSSL_MD2 + #ifdef WOLFSSL_MD2 case NID_md2: type = MD2h; break; #endif #ifndef NO_MD5 From 44c4f18d3e5ff0ddf7eeecc387b9ba396cd7505d Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 22 Dec 2015 09:45:54 -0800 Subject: [PATCH 141/177] fix DTLS warnings for Windows --- wolfssl/internal.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index dea006f80..098282a2c 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -2315,7 +2315,7 @@ typedef struct DtlsMsg { word32 fragSz; /* Length of fragments received */ word32 seq; /* Handshake sequence number */ word32 sz; /* Length of whole mesage */ - word16 type; + byte type; } DtlsMsg; @@ -2624,7 +2624,6 @@ typedef struct DtlsHandShakeHeader { enum HandShakeType { - no_shake = -1, hello_request = 0, client_hello = 1, server_hello = 2, @@ -2638,9 +2637,10 @@ enum HandShakeType { client_key_exchange = 16, finished = 20, certificate_status = 22, - change_cipher_hs = 55 /* simulate unique handshake type for sanity + change_cipher_hs = 55, /* simulate unique handshake type for sanity checks. record layer change_cipher conflicts with handshake finished */ + no_shake = 255 /* used to initialize the DtlsMsg record */ }; From 0721b79282722c69f4927cdbf3d609ada9b2ae96 Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 22 Dec 2015 11:51:26 -0700 Subject: [PATCH 142/177] help message to use NTRU key in example server --- examples/server/server.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/examples/server/server.c b/examples/server/server.c index f96b04b7c..9bd5cc4c5 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -230,6 +230,9 @@ static void Usage(void) #endif printf("-i Loop indefinitely (allow repeated connections)\n"); printf("-e Echo data mode (return raw bytes received)\n"); +#ifdef HAVE_NTRU + printf("-n Use NTRU key (needed for NTRU suites)\n"); +#endif printf("-B Benchmark throughput using bytes and print stats\n"); } From 41f50b7a734e2185b33026110333f3abb4e21c1f Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Tue, 22 Dec 2015 15:19:11 -0700 Subject: [PATCH 143/177] NTRU suites considered part of static RSA suites group --- README | 4 +++- examples/echoserver/echoserver.c | 2 +- wolfssl/internal.h | 8 +++++--- wolfssl/test.h | 5 +++++ 4 files changed, 14 insertions(+), 5 deletions(-) diff --git a/README b/README index 9d15eb7fb..d4e952102 100644 --- a/README +++ b/README @@ -12,7 +12,9 @@ key cipher suites with WOLFSSL_STATIC_PSK though static key cipher suites are deprecated and will be removed from future -versions of TLS. They also lower your security by removing PFS. +versions of TLS. They also lower your security by removing PFS. Since current +NTRU suites available do not use ephemeral keys, WOLFSSL_STATIC_RSA needs to be +used in order to build with NTRU suites. When compiling ssl.c wolfSSL will now issue a compiler error if no cipher suites are available. You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index a0ecae3ff..25e6cd5c0 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -152,7 +152,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) #ifndef NO_FILESYSTEM if (doPSK == 0) { - #ifdef HAVE_NTRU + #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA) /* ntru */ if (CyaSSL_CTX_use_certificate_file(ctx, ntruCert, SSL_FILETYPE_PEM) != SSL_SUCCESS) diff --git a/wolfssl/internal.h b/wolfssl/internal.h index dea006f80..9c2de60c7 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -229,7 +229,8 @@ typedef byte word24[3]; #define BUILD_SSL_RSA_WITH_RC4_128_MD5 #endif #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) + #if !defined(NO_TLS) && defined(HAVE_NTRU) && !defined(NO_SHA) \ + && defined(WOLFSSL_STATIC_RSA) #define BUILD_TLS_NTRU_RSA_WITH_RC4_128_SHA #endif #endif @@ -239,7 +240,8 @@ typedef byte word24[3]; #if defined(WOLFSSL_STATIC_RSA) #define BUILD_SSL_RSA_WITH_3DES_EDE_CBC_SHA #endif - #if !defined(NO_TLS) && defined(HAVE_NTRU) + #if !defined(NO_TLS) && defined(HAVE_NTRU) \ + && defined(WOLFSSL_STATIC_RSA) #define BUILD_TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA #endif #endif @@ -257,7 +259,7 @@ typedef byte word24[3]; #define BUILD_TLS_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_RSA_WITH_AES_256_CBC_SHA #endif - #if defined(HAVE_NTRU) + #if defined(HAVE_NTRU) && defined(WOLFSSL_STATIC_RSA) #define BUILD_TLS_NTRU_RSA_WITH_AES_128_CBC_SHA #define BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA #endif diff --git a/wolfssl/test.h b/wolfssl/test.h index f2c7b3dfd..ffd2e88f3 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -455,7 +455,12 @@ static INLINE void showPeer(WOLFSSL* ssl) printf("SSL version is %s\n", wolfSSL_get_version(ssl)); cipher = wolfSSL_get_current_cipher(ssl); +#ifdef HAVE_QSH + printf("SSL cipher suite is %s%s\n", (wolfSSL_isQSH(ssl))? "QSH:": "", + wolfSSL_CIPHER_get_name(cipher)); +#else printf("SSL cipher suite is %s\n", wolfSSL_CIPHER_get_name(cipher)); +#endif #if defined(SESSION_CERTS) && defined(SHOW_CERTS) { From 22385f2b39e93803969e7d7d4f52423bce7949ed Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 22 Dec 2015 14:35:34 -0800 Subject: [PATCH 144/177] add random ports for all make check scripts, unique ready file --- examples/server/server.c | 22 +++++++++---- scripts/crl-revoked.test | 32 +++++++++++++----- scripts/resume.test | 31 ++++++++++++++---- tests/unit.c | 23 ------------- testsuite/testsuite.c | 22 ------------- wolfssl/test.h | 70 +++++++++++++++++++++++++++++----------- 6 files changed, 116 insertions(+), 84 deletions(-) diff --git a/examples/server/server.c b/examples/server/server.c index f96b04b7c..3e10c8f81 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -195,6 +195,7 @@ static void Usage(void) printf("-c Certificate file, default %s\n", svrCert); printf("-k Key file, default %s\n", svrKey); printf("-A Certificate Authority file, default %s\n", cliCert); + printf("-R Create Ready file for external monitor default none\n"); #ifndef NO_DH printf("-D Diffie-Hellman Params file, default %s\n", dhParam); printf("-Z Minimum DH key bits, default %d\n", @@ -210,7 +211,6 @@ static void Usage(void) printf("-u Use UDP DTLS," " add -v 2 for DTLSv1, -v 3 for DTLSv1.2 (default)\n"); printf("-f Fewer packets/group messages\n"); - printf("-R Create server ready file, for external monitor\n"); printf("-r Allow one client Resumption\n"); printf("-N Use Non-blocking sockets\n"); printf("-S Use Host Name Indication\n"); @@ -258,7 +258,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int trackMemory = 0; int fewerPackets = 0; int pkCallbacks = 0; - int serverReadyFile = 0; int wc_shutdown = 0; int resume = 0; int resumeCount = 0; @@ -269,6 +268,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int doListen = 1; int crlFlags = 0; int ret; + char* serverReadyFile = NULL; char* alpnList = NULL; unsigned char alpn_opt = 0; char* cipherList = NULL; @@ -276,6 +276,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) const char* ourCert = svrCert; const char* ourKey = svrKey; const char* ourDhParam = dhParam; + tcp_ready* readySignal = NULL; int argc = ((func_args*)args)->argc; char** argv = ((func_args*)args)->argv; @@ -312,6 +313,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) (void)alpnList; (void)alpn_opt; (void)crlFlags; + (void)readySignal; #ifdef CYASSL_TIRTOS fdOpenSession(Task_self()); @@ -320,7 +322,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #ifdef WOLFSSL_VXWORKS useAnyAddr = 1; #else - while ((ch = mygetopt(argc, argv, "?dbstnNufrRawPIp:v:l:A:c:k:Z:S:oO:D:L:ieB:")) + while ((ch = mygetopt(argc, argv, "?dbstnNufrawPIR:p:v:l:A:c:k:Z:S:oO:D:L:ieB:")) != -1) { switch (ch) { case '?' : @@ -358,7 +360,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) break; case 'R' : - serverReadyFile = 1; + serverReadyFile = myoptarg; break; case 'r' : @@ -375,7 +377,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) case 'p' : port = (word16)atoi(myoptarg); - #if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API) + #if defined(USE_WINDOWS_API) if (port == 0) err_sys("port number cannot be 0"); #endif @@ -740,8 +742,12 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif /* do accept */ + readySignal = ((func_args*)args)->signal; + if (readySignal) { + readySignal->srfName = serverReadyFile; + } tcp_accept(&sockfd, &clientfd, (func_args*)args, port, useAnyAddr, - doDTLS, serverReadyFile, doListen); + doDTLS, serverReadyFile ? 1 : 0, doListen); doListen = 0; /* Don't listen next time */ SSL_set_fd(ssl, clientfd); @@ -903,6 +909,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int main(int argc, char** argv) { func_args args; + tcp_ready ready; #ifdef HAVE_CAVIUM int ret = OpenNitroxDevice(CAVIUM_DIRECT, CAVIUM_DEV_ID); @@ -914,6 +921,8 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) args.argc = argc; args.argv = argv; + args.signal = &ready; + InitTcpReady(&ready); CyaSSL_Init(); #if defined(DEBUG_CYASSL) && !defined(WOLFSSL_MDK_SHELL) @@ -927,6 +936,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) server_test(&args); #endif CyaSSL_Cleanup(); + FreeTcpReady(&ready); #ifdef HAVE_CAVIUM CspShutdown(CAVIUM_DEV_ID); diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test index ee9c89447..8f48a3a8e 100755 --- a/scripts/crl-revoked.test +++ b/scripts/crl-revoked.test @@ -5,16 +5,22 @@ revocation_code="-361" exit_code=1 counter=0 -crl_port=11113 +# need a unique resume port since may run the same time as testsuite +# use server port zero hack to get one +crl_port=0 #no_pid tells us process was never started if -1 no_pid=-1 #server_pid captured on startup, stores the id of the server process server_pid=$no_pid +# let's use absolute path to a local dir (make distcheck may be in sub dir) +# also let's add some randomness by adding pid in case multiple 'make check's +# per source tree +ready_file=`pwd`/wolfssl_crl_ready$$ remove_ready_file() { - if test -e /tmp/wolfssl_server_ready; then - echo -e "removing exisitng server_ready file" - rm /tmp/wolfssl_server_ready + if test -e $ready_file; then + echo -e "removing exisitng ready file" + rm $ready_file fi } @@ -53,16 +59,26 @@ run_test() { # starts the server on crl_port, -R generates ready file to be used as a # mutex lock, -c loads the revoked certificate. We capture the processid # into the variable server_pid - ./examples/server/server -R -p $crl_port -c certs/server-revoked-cert.pem \ - -k certs/server-revoked-key.pem & + ./examples/server/server -R $ready_file -p $crl_port \ + -c certs/server-revoked-cert.pem -k certs/server-revoked-key.pem & server_pid=$! - while [ ! -s /tmp/wolfssl_server_ready -a "$counter" -lt 20 ]; do - echo -e "waiting for server_ready file..." + while [ ! -s $ready_file -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." sleep 0.1 counter=$((counter+ 1)) done + if test -e $ready_file; then + echo -e "found ready file, starting client..." + else + echo -e "NO ready file ending test..." + exit 1 + fi + + # get created port 0 ephemeral port + crl_port=`cat $ready_file` + # starts client on crl_port and captures the output from client capture_out=$(./examples/client/client -p $crl_port 2>&1) client_result=$? diff --git a/scripts/resume.test b/scripts/resume.test index b0592af90..caa59b362 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -3,16 +3,22 @@ #reusme.test # need a unique resume port since may run the same time as testsuite -resume_port=11112 +# use server port zero hack to get one +resume_port=0 no_pid=-1 server_pid=$no_pid counter=0 +# let's use absolute path to a local dir (make distcheck may be in sub dir) +# also let's add some randomness by adding pid in case multiple 'make check's +# per source tree +ready_file=`pwd`/wolfssl_resume_ready$$ +echo "ready file $ready_file" remove_ready_file() { - if test -e /tmp/wolfssl_server_ready; then - echo -e "removing exisitng server_ready file" - rm /tmp/wolfssl_server_ready + if test -e $ready_file; then + echo -e "removing exisitng ready file" + rm $ready_file fi } @@ -39,15 +45,26 @@ trap do_trap INT TERM echo -e "\nStarting example server for resume test...\n" remove_ready_file -./examples/server/server -r -R -p $resume_port & +./examples/server/server -r -R $ready_file -p $resume_port & server_pid=$! -while [ ! -s /tmp/wolfssl_server_ready -a "$counter" -lt 20 ]; do - echo -e "waiting for server_ready file..." +while [ ! -s $ready_file -a "$counter" -lt 20 ]; do + echo -e "waiting for ready file..." sleep 0.1 counter=$((counter+ 1)) done +if test -e $ready_file; then + echo -e "found ready file, starting client..." +else + echo -e "NO ready file ending test..." + do_cleanup + exit 1 +fi + +# get created port 0 ephemeral port +resume_port=`cat $ready_file` + ./examples/client/client -r -p $resume_port client_result=$? diff --git a/tests/unit.c b/tests/unit.c index e25c6776e..41ee8a1d4 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -155,26 +155,3 @@ void join_thread(THREAD_TYPE thread) } -void InitTcpReady(tcp_ready* ready) -{ - ready->ready = 0; - ready->port = 0; -#ifdef SINGLE_THREADED -#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) - pthread_mutex_init(&ready->mutex, 0); - pthread_cond_init(&ready->cond, 0); -#endif -} - - -void FreeTcpReady(tcp_ready* ready) -{ -#ifdef SINGLE_THREADED - (void)ready; -#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) - pthread_mutex_destroy(&ready->mutex); - pthread_cond_destroy(&ready->cond); -#else - (void)ready; -#endif -} diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 1d228d12e..792cbbbde 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -333,28 +333,6 @@ void join_thread(THREAD_TYPE thread) } -void InitTcpReady(tcp_ready* ready) -{ - ready->ready = 0; - ready->port = 0; -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) - pthread_mutex_init(&ready->mutex, 0); - pthread_cond_init(&ready->cond, 0); -#endif -} - - -void FreeTcpReady(tcp_ready* ready) -{ -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) - pthread_mutex_destroy(&ready->mutex); - pthread_cond_destroy(&ready->cond); -#else - (void)ready; -#endif -} - - void file_test(const char* file, byte* check) { FILE* f; diff --git a/wolfssl/test.h b/wolfssl/test.h index f2c7b3dfd..6f695eb61 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -267,6 +267,7 @@ typedef struct tcp_ready { word16 ready; /* predicate */ word16 port; + char* srfName; /* server ready file name */ #if defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_mutex_t mutex; pthread_cond_t cond; @@ -274,8 +275,30 @@ typedef struct tcp_ready { } tcp_ready; -void InitTcpReady(tcp_ready*); -void FreeTcpReady(tcp_ready*); +static INLINE void InitTcpReady(tcp_ready* ready) +{ + ready->ready = 0; + ready->port = 0; + ready->srfName = NULL; +#ifdef SINGLE_THREADED +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) + pthread_mutex_init(&ready->mutex, 0); + pthread_cond_init(&ready->cond, 0); +#endif +} + + +static INLINE void FreeTcpReady(tcp_ready* ready) +{ +#ifdef SINGLE_THREADED + (void)ready; +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) + pthread_mutex_destroy(&ready->mutex); + pthread_cond_destroy(&ready->cond); +#else + (void)ready; +#endif +} typedef WOLFSSL_METHOD* (*method_provider)(void); typedef void (*ctx_callback)(WOLFSSL_CTX* ctx); @@ -296,6 +319,9 @@ typedef struct func_args { callback_functions *callbacks; } func_args; + + + void wait_tcp_ready(func_args*); typedef THREAD_RETURN WOLFSSL_THREAD THREAD_FUNC(void*); @@ -702,7 +728,7 @@ static INLINE void tcp_listen(SOCKET_T* sockfd, word16* port, int useAnyAddr, if (listen(*sockfd, 5) != 0) err_sys("tcp listen failed"); } - #if (defined(NO_MAIN_DRIVER) && !defined(USE_WINDOWS_API)) && !defined(WOLFSSL_TIRTOS) + #if !defined(USE_WINDOWS_API) && !defined(WOLFSSL_TIRTOS) if (*port == 0) { socklen_t len = sizeof(addr); if (getsockname(*sockfd, (struct sockaddr*)&addr, &len) == 0) { @@ -815,11 +841,13 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, /* signal ready to tcp_accept */ { tcp_ready* ready = args->signal; - pthread_mutex_lock(&ready->mutex); - ready->ready = 1; - ready->port = port; - pthread_cond_signal(&ready->cond); - pthread_mutex_unlock(&ready->mutex); + if (ready) { + pthread_mutex_lock(&ready->mutex); + ready->ready = 1; + ready->port = port; + pthread_cond_signal(&ready->cond); + pthread_mutex_unlock(&ready->mutex); + } } #elif defined (WOLFSSL_TIRTOS) /* Need mutex? */ @@ -829,18 +857,24 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, #endif if (ready_file) { - #ifndef NO_FILESYSTEM - #ifndef USE_WINDOWS_API - FILE* srf = fopen("/tmp/wolfssl_server_ready", "w"); - #else - FILE* srf = fopen("wolfssl_server_ready", "w"); - #endif + #ifndef NO_FILESYSTEM + FILE* srf = NULL; + tcp_ready* ready = args ? args->signal : NULL; - if (srf) { - fputs("ready", srf); - fclose(srf); + if (ready) { + srf = fopen(ready->srfName, "w"); + + if (srf) { + /* let's write port sever is listening on to ready file + external monitor can then do ephemeral ports by passing + -p 0 to server on supported platforms with -R ready_file + client can then wait for exisitence of ready_file and see + which port the server is listening on. */ + fprintf(srf, "%d\n", (int)port); + fclose(srf); + } } - #endif + #endif } } From d17549f8485f67f31b65faed4f7131c52fffeb54 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 23 Dec 2015 12:12:41 -0800 Subject: [PATCH 145/177] update example client ShowVersions() to not show disabled old-tls versions --- examples/client/client.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index f1be58e94..932aed198 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -129,10 +129,13 @@ static void ShowCiphers(void) /* Shows which versions are valid */ static void ShowVersions(void) { +#ifndef NO_OLD_TLS #ifdef WOLFSSL_ALLOW_SSLV3 printf("0:"); -#endif - printf("1:2:3\n"); +#endif /* WOLFSSL_ALLOW_SSLV3 */ + printf("1:2:"); +#endif /* NO_OLD_TLS */ + printf("3\n"); } int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port, From 4b836f8476ce4874d07939b587d5647dbadd45a5 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Wed, 23 Dec 2015 12:20:53 -0800 Subject: [PATCH 146/177] added note to client and server regarding port 0 --- examples/client/client.c | 4 ++++ examples/server/server.c | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/examples/client/client.c b/examples/client/client.c index 932aed198..ef651fbe7 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -52,6 +52,10 @@ #include "examples/client/client.h" +/* Note on using port 0: the client and server standalone examples don't + * utilize the port 0 port sharing; that is used by the testsuite which uses + * this code and sets up the correct port numbers when the internal thread, + * using the server code, uses port 0. */ #ifdef WOLFSSL_CALLBACKS int handShakeCB(HandShakeInfo*); diff --git a/examples/server/server.c b/examples/server/server.c index 3e10c8f81..a97bcc93b 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -54,6 +54,10 @@ #include "examples/server/server.h" +/* Note on using port 0: the client and server standalone examples don't + * utilize the port 0 port sharing; that is used by the testsuite which uses + * this code and sets up the correct port numbers when the internal thread, + * using the server code, uses port 0. */ #ifdef CYASSL_CALLBACKS int srvHandShakeCB(HandShakeInfo*); From cc8633fe7f37943779fd3c0ee7fd7a666dfb3544 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Wed, 23 Dec 2015 13:28:45 -0700 Subject: [PATCH 147/177] minor typo corrections --- scripts/crl-revoked.test | 2 +- scripts/resume.test | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/crl-revoked.test b/scripts/crl-revoked.test index 8f48a3a8e..5588aa5b4 100755 --- a/scripts/crl-revoked.test +++ b/scripts/crl-revoked.test @@ -19,7 +19,7 @@ ready_file=`pwd`/wolfssl_crl_ready$$ remove_ready_file() { if test -e $ready_file; then - echo -e "removing exisitng ready file" + echo -e "removing existing ready file" rm $ready_file fi } diff --git a/scripts/resume.test b/scripts/resume.test index caa59b362..40a8613ae 100755 --- a/scripts/resume.test +++ b/scripts/resume.test @@ -17,7 +17,7 @@ echo "ready file $ready_file" remove_ready_file() { if test -e $ready_file; then - echo -e "removing exisitng ready file" + echo -e "removing existing ready file" rm $ready_file fi } From 92cb8eee61dd7879867177e5dc99625f3f24ea1c Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 24 Dec 2015 15:42:52 -0800 Subject: [PATCH 148/177] revise the comments about port 0 use in the example client and server --- examples/client/client.c | 8 ++++---- examples/server/server.c | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index ef651fbe7..6b9221142 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -52,10 +52,10 @@ #include "examples/client/client.h" -/* Note on using port 0: the client and server standalone examples don't - * utilize the port 0 port sharing; that is used by the testsuite which uses - * this code and sets up the correct port numbers when the internal thread, - * using the server code, uses port 0. */ +/* Note on using port 0: the client standalone example doesn't utilize the + * port 0 port sharing; that is used by (1) the server in external control + * test mode and (2) the testsuite which uses this code and sets up the correct + * port numbers when the internal thread using the server code using port 0. */ #ifdef WOLFSSL_CALLBACKS int handShakeCB(HandShakeInfo*); diff --git a/examples/server/server.c b/examples/server/server.c index a97bcc93b..7fa6e76ee 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -54,10 +54,10 @@ #include "examples/server/server.h" -/* Note on using port 0: the client and server standalone examples don't - * utilize the port 0 port sharing; that is used by the testsuite which uses - * this code and sets up the correct port numbers when the internal thread, - * using the server code, uses port 0. */ +/* Note on using port 0: if the server uses port 0 to bind an ephemeral port + * number and is using the ready file for scripted testing, the code in + * test.h will write the actual port number into the ready file for use + * by the client. */ #ifdef CYASSL_CALLBACKS int srvHandShakeCB(HandShakeInfo*); From 2e00b12b692ca65c1c71df0b1fabe3300f6f16f9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 28 Dec 2015 17:55:41 -0300 Subject: [PATCH 149/177] updates configure.ac with better option naming. --- configure.ac | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/configure.ac b/configure.ac index 35497b851..055dd78a5 100644 --- a/configure.ac +++ b/configure.ac @@ -1658,7 +1658,7 @@ fi # Certificate Status Request : a.k.a. OCSP Stapling AC_ARG_ENABLE([ocspstapling], - [AS_HELP_STRING([--enable-ocspstapling],[Enable Certificate Status Request - a.k.a. OCSP Stapling (default: disabled)])], + [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])], [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ], [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] ) @@ -1680,7 +1680,7 @@ AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUES # Certificate Status Request v2 : a.k.a. OCSP stapling v2 AC_ARG_ENABLE([ocspstapling2], - [AS_HELP_STRING([--enable-ocspstapling2],[Enable Certificate Status Request v2 - a.k.a. OCSP Stapling v2 (default: disabled)])], + [AS_HELP_STRING([--enable-ocspstapling2],[Enable OCSP Stapling v2 (default: disabled)])], [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ], [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ] ) @@ -2743,8 +2743,8 @@ echo " * Server Name Indication: $ENABLED_SNI" echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" -echo " * Certificate Status Request: $ENABLED_CERTIFICATE_STATUS_REQUEST" -echo " * Certificate Status Request v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2" +echo " * OCSP Stapling: $ENABLED_CERTIFICATE_STATUS_REQUEST" +echo " * OCSP Stapling v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2" echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * Session Ticket: $ENABLED_SESSION_TICKET" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" From 47426b1f8d1f0a26eb794daf3a78321356cff988 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Mon, 28 Dec 2015 13:58:01 -0700 Subject: [PATCH 150/177] fix LowResTimer on Microchip ports --- src/internal.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index db7f9f65c..31ed766ca 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2746,7 +2746,7 @@ ProtocolVersion MakeDTLSv1_2(void) word32 LowResTimer(void) { - return (word32) TickGet(); + return (word32) (TickGet() / TICKS_PER_SECOND); } @@ -2758,14 +2758,15 @@ ProtocolVersion MakeDTLSv1_2(void) word32 LowResTimer(void) { - return (word32) SYS_TMR_TickCountGet(); + return (word32) (SYS_TMR_TickCountGet() / + SYS_TMR_TickCounterFrequencyGet()); } #else word32 LowResTimer(void) { - return (word32) SYS_TICK_Get(); + return (word32) (SYS_TICK_Get() / SYS_TICK_TicksPerSecondGet()); } #endif From 487bb4eb5e92a852ca3b055ebad333c0c5f81448 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 28 Dec 2015 19:33:06 -0300 Subject: [PATCH 151/177] fixes before merge --- examples/client/client.c | 2 +- src/internal.c | 5 +++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/examples/client/client.c b/examples/client/client.c index db4eef7d6..fa84beb0d 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -484,7 +484,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:L:ToO:aB:W:")) != -1) { + "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:")) != -1) { switch (ch) { case '?' : Usage(); diff --git a/src/internal.c b/src/internal.c index d2fc96ef6..41708b9f7 100644 --- a/src/internal.c +++ b/src/internal.c @@ -8358,7 +8358,7 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, idx += status[i].length; } - if (ssl->keys.encryptionOn) { + if (IsEncryptionOn(ssl, 1)) { byte* input; int inputSz = idx - RECORD_HEADER_SZ; @@ -8367,7 +8367,8 @@ static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, return MEMORY_E; XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); - sendSz = BuildMessage(ssl, output, sendSz, input,inputSz,handshake); + sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, + handshake, 1); XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); if (sendSz < 0) From ec9d23a9c32bebb6f7f95a3c913bd3dfa465d4f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 28 Dec 2015 19:38:04 -0300 Subject: [PATCH 152/177] Merge branch 'csr' --- SCRIPTS-LIST | 11 +- Vagrantfile | 13 +- certs/1024/ca-cert.pem | 54 +- certs/1024/client-cert.der | Bin 969 -> 1021 bytes certs/1024/client-cert.pem | 44 +- certs/1024/server-cert.pem | 106 ++-- certs/ca-cert.der | Bin 1198 -> 1252 bytes certs/ca-cert.pem | 71 +-- certs/client-cert.der | Bin 1230 -> 1282 bytes certs/client-cert.pem | 62 ++- certs/client-ecc-cert.der | Bin 780 -> 835 bytes certs/client-ecc-cert.pem | 42 +- certs/crl/cliCrl.pem | 50 +- certs/crl/crl.pem | 52 +- certs/crl/crl.revoked | 58 +- certs/crl/eccCliCRL.pem | 22 +- certs/crl/eccSrvCRL.pem | 20 +- certs/external/ca-globalsign-root-r2.pem | 22 + certs/external/ca-verisign-g5.pem | 28 + certs/ocsp/index0.txt | 4 + certs/ocsp/index1.txt | 2 + certs/ocsp/index2.txt | 2 + certs/ocsp/index3.txt | 1 + certs/ocsp/intermediate1-ca-cert.pem | 186 +++++++ certs/ocsp/intermediate1-ca-key.pem | 28 + certs/ocsp/intermediate2-ca-cert.pem | 186 +++++++ certs/ocsp/intermediate2-ca-key.pem | 28 + certs/ocsp/intermediate3-ca-cert.pem | 186 +++++++ certs/ocsp/intermediate3-ca-key.pem | 28 + certs/ocsp/ocsp-responder-cert.pem | 182 +++++++ certs/ocsp/ocsp-responder-key.pem | 27 + certs/ocsp/ocspd0.sh | 8 + certs/ocsp/ocspd1.sh | 8 + certs/ocsp/ocspd2.sh | 8 + certs/ocsp/ocspd3.sh | 8 + certs/ocsp/openssl.cnf | 42 ++ certs/ocsp/renewcerts.sh | 54 ++ certs/ocsp/root-ca-cert.pem | 93 ++++ certs/ocsp/root-ca-key.pem | 28 + certs/ocsp/server1-cert.pem | 279 ++++++++++ certs/ocsp/server1-key.pem | 28 + certs/ocsp/server2-cert.pem | 279 ++++++++++ certs/ocsp/server2-key.pem | 28 + certs/ocsp/server3-cert.pem | 279 ++++++++++ certs/ocsp/server3-key.pem | 28 + certs/ocsp/server4-cert.pem | 279 ++++++++++ certs/ocsp/server4-key.pem | 28 + certs/ocsp/server5-cert.pem | 279 ++++++++++ certs/ocsp/server5-key.pem | 28 + certs/renewcerts.sh | 21 +- certs/renewcerts/wolfssl.cnf | 15 +- certs/server-cert.der | Bin 1186 -> 1240 bytes certs/server-cert.pem | 141 ++--- certs/server-ecc-comp.pem | 32 +- certs/server-ecc-rsa.pem | 70 +-- certs/server-ecc.pem | 42 +- certs/server-revoked-cert.pem | 141 ++--- configure.ac | 29 +- examples/client/client.c | 43 +- examples/server/server.c | 15 +- scripts/include.am | 24 +- scripts/ocsp-stapling.test | 41 ++ scripts/ocsp-stapling2.test | 55 ++ scripts/ocsp.test | 20 + src/internal.c | 648 +++++++++++++++++++++-- src/ocsp.c | 87 ++- src/ssl.c | 93 +++- src/tls.c | 506 +++++++++++++++++- wolfcrypt/src/asn.c | 85 ++- wolfcrypt/src/logging.c | 38 ++ wolfssl/certs_test.h | 389 +++++++------- wolfssl/internal.h | 83 ++- wolfssl/ocsp.h | 4 +- wolfssl/ssl.h | 33 +- wolfssl/wolfcrypt/asn.h | 3 + wolfssl/wolfcrypt/logging.h | 2 + 76 files changed, 5137 insertions(+), 822 deletions(-) create mode 100644 certs/external/ca-globalsign-root-r2.pem create mode 100644 certs/external/ca-verisign-g5.pem create mode 100644 certs/ocsp/index0.txt create mode 100644 certs/ocsp/index1.txt create mode 100644 certs/ocsp/index2.txt create mode 100644 certs/ocsp/index3.txt create mode 100644 certs/ocsp/intermediate1-ca-cert.pem create mode 100644 certs/ocsp/intermediate1-ca-key.pem create mode 100644 certs/ocsp/intermediate2-ca-cert.pem create mode 100644 certs/ocsp/intermediate2-ca-key.pem create mode 100644 certs/ocsp/intermediate3-ca-cert.pem create mode 100644 certs/ocsp/intermediate3-ca-key.pem create mode 100644 certs/ocsp/ocsp-responder-cert.pem create mode 100644 certs/ocsp/ocsp-responder-key.pem create mode 100755 certs/ocsp/ocspd0.sh create mode 100755 certs/ocsp/ocspd1.sh create mode 100755 certs/ocsp/ocspd2.sh create mode 100755 certs/ocsp/ocspd3.sh create mode 100644 certs/ocsp/openssl.cnf create mode 100755 certs/ocsp/renewcerts.sh create mode 100644 certs/ocsp/root-ca-cert.pem create mode 100644 certs/ocsp/root-ca-key.pem create mode 100644 certs/ocsp/server1-cert.pem create mode 100644 certs/ocsp/server1-key.pem create mode 100644 certs/ocsp/server2-cert.pem create mode 100644 certs/ocsp/server2-key.pem create mode 100644 certs/ocsp/server3-cert.pem create mode 100644 certs/ocsp/server3-key.pem create mode 100644 certs/ocsp/server4-cert.pem create mode 100644 certs/ocsp/server4-key.pem create mode 100644 certs/ocsp/server5-cert.pem create mode 100644 certs/ocsp/server5-key.pem create mode 100755 scripts/ocsp-stapling.test create mode 100755 scripts/ocsp-stapling2.test create mode 100755 scripts/ocsp.test diff --git a/SCRIPTS-LIST b/SCRIPTS-LIST index 2f2306590..ffea9432f 100644 --- a/SCRIPTS-LIST +++ b/SCRIPTS-LIST @@ -19,13 +19,20 @@ certs/ renewcerts.sh - renews test certs and crls crl/ gencrls.sh - generates crls, used by renewcerts.sh + ocsp/ + renewcerts.sh - renews ocsp certs + ocspd0.sh - ocsp responder for root-ca-cert.pem + ocspd1.sh - ocsp responder for intermediate1-ca-cert.pem + ocspd2.sh - ocsp responder for intermediate2-ca-cert.pem scripts/ external.test - example client test against our website, part of tests google.test - example client test against google, part of tests resume.test - example sessoin resume test, part of tests - sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests - in sniffer mode + ocsp-stapling.test - example client test against globalsign, part of tests + ocsp-stapling2.test - example client test against example server, part of tests + sniffer-testsuite.test - runs snifftest on a pcap of testsuite, part of tests + in sniffer mode swig/ PythonBuild.sh - builds and runs simple python example diff --git a/Vagrantfile b/Vagrantfile index aef42caf7..ddf37ce83 100644 --- a/Vagrantfile +++ b/Vagrantfile @@ -17,10 +17,10 @@ cd $LIB.$VER/ && ./autogen.sh && ./configure -q && make -s sudo make install && cd .. && rm -rf $LIB.$VER* -SRC=vagrant DST=wolfssl -cp -rp /$SRC/ $DST/ +cp -rp /vagrant/ $DST/ +chown -hR vagrant:vagrant $DST/ echo "cd $DST" >> .bashrc echo "read -p 'Sync $DST? (y/n) ' -n 1 -r" >> .bashrc @@ -30,20 +30,13 @@ echo " echo -e '\e[0;32mRunning $DST sync\e[0m'" >> .bashrc echo " ./pull_to_vagrant.sh" >> .bashrc echo "fi" >> .bashrc -cd $DST -./autogen.sh -./configure -make check - -cd .. -chown -hR vagrant:vagrant $DST/ /tmp/output SCRIPT VAGRANTFILE_API_VERSION = "2" Vagrant.configure(VAGRANTFILE_API_VERSION) do |config| - config.vm.box = "hashicorp/precise64" + config.vm.box = "ubuntu/trusty64" config.vm.provision "shell", inline: $setup config.vm.network "forwarded_port", guest: 11111, host: 33333 diff --git a/certs/1024/ca-cert.pem b/certs/1024/ca-cert.pem index 3deb3628c..41136c2c2 100644 --- a/certs/1024/ca-cert.pem +++ b/certs/1024/ca-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 10323419125573214618 (0x8f4426ffb743e19a) - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 16629652120256878762 (0xe6c8647ee63b98aa) + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Sep 23 19:23:38 2015 GMT - Not After : Jun 19 19:23:38 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,38 +28,42 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:8F:44:26:FF:B7:43:E1:9A + serial:E6:C8:64:7E:E6:3B:98:AA X509v3 Basic Constraints: CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0e:46:ac:d8:29:1d:12:12:06:0c:d3:3f:7d:58:2e:0d:11:5e: - 5d:0d:dd:17:c0:0f:aa:01:4d:a4:c4:84:81:6e:64:ae:d1:5d: - 58:cd:19:6a:74:a4:46:2f:c8:43:79:39:c0:91:4b:7c:71:ea: - 4e:63:44:66:15:41:15:de:50:82:e3:e9:d1:55:55:cc:5a:38: - 1e:3a:59:b3:0e:ee:0e:54:4d:93:e7:e0:8e:27:a5:6e:08:b8: - 6a:39:da:2d:47:62:c4:5b:89:c0:48:48:2a:d5:f0:55:74:fd: - a6:b1:68:3c:70:a4:52:24:81:ec:4c:57:e0:e8:18:73:9d:0a: - 4d:d8 + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 82:53:ec:89:0a:6a:1b:ae:c3:69:fc:22:b5:d7:d2:f4:0b:6d: + 18:72:f5:64:7f:bb:80:57:e3:f3:b2:af:e1:89:47:03:19:dd: + 6f:62:ed:2b:24:d3:a2:77:c0:83:6a:fb:0f:55:93:78:15:4a: + c1:e0:13:f2:65:9c:7a:8c:6c:98:57:f0:44:9d:3a:9e:6a:30: + 08:9f:33:ce:0d:7e:86:6f:ef:0e:34:41:b9:c6:1d:34:c6:28: + 1e:f9:81:be:68:3d:77:92:50:c5:f8:2f:4c:aa:db:5f:72:93: + 42:eb:8a:cf:24:a0:d9:25:44:46:8b:ed:de:46:d5:1a:90:e9: + d6:d8 -----BEGIN CERTIFICATE----- -MIIDtTCCAx6gAwIBAgIJAI9EJv+3Q+GaMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD +MIID6jCCA1OgAwIBAgIJAObIZH7mO5iqMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MDkyMzE5MjMzOFoXDTE4MDYxOTE5MjMzOFowgZkxCzAJBgNVBAYT +Y29tMB4XDTE1MTEyMzEyNDkzN1oXDTE4MDgxOTEyNDkzN1owgZkxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq -1OWIGLMRL3PA1ikJAgMBAAGjggEBMIH+MB0GA1UdDgQWBBTTIo8oLOAF7tPtw3E9 -ybI2Oh2/qDCBzgYDVR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SB -nDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv -emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEw -MjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m -b0B3b2xmc3NsLmNvbYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN -AQEFBQADgYEADkas2CkdEhIGDNM/fVguDRFeXQ3dF8APqgFNpMSEgW5krtFdWM0Z -anSkRi/IQ3k5wJFLfHHqTmNEZhVBFd5QguPp0VVVzFo4HjpZsw7uDlRNk+fgjiel -bgi4ajnaLUdixFuJwEhIKtXwVXT9prFoPHCkUiSB7ExX4OgYc50KTdg= +1OWIGLMRL3PA1ikJAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx +PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k +gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x +MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu +Zm9Ad29sZnNzbC5jb22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUF +BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkq +hkiG9w0BAQsFAAOBgQCCU+yJCmobrsNp/CK119L0C20YcvVkf7uAV+Pzsq/hiUcD +Gd1vYu0rJNOid8CDavsPVZN4FUrB4BPyZZx6jGyYV/BEnTqeajAInzPODX6Gb+8O +NEG5xh00xige+YG+aD13klDF+C9MqttfcpNC64rPJKDZJURGi+3eRtUakOnW2A== -----END CERTIFICATE----- diff --git a/certs/1024/client-cert.der b/certs/1024/client-cert.der index c2bd6df8fe58e67cfaf20cb20bce0bd93a31726b..4d4d69ba88f5d813ee46baaddda891ec90644b00 100644 GIT binary patch delta 314 zcmX@f{+C_Cpo#gXK@)S*0%j&gCMHgX%lBs-X^@xCpD3|S%Fxir*wDzt(%3vooY&C8 zz{1cH%AH)pv~Y4K<5GTWgC<6E16elaP+2|}F_y`ROrn#6n9kM1j4|K=NeQ#C8Za|5 z{x>jU)FR z?K>|cBR4Apb7Lbzq2;f(!y!*+Y<+R~^mP5U{V(?Xetn~Oy2&iD{SP+n-B_?k4+6xk5wPV9XZ8pj=2NziyJ#ugT-u=QNVCBinL8W|RB1@MZ xnQvEo!=iHk_u0O@pI4n*#N3i5a+2|D+tRd!r?Lv;bq)Ju&hR{Qn;FaH0{}DKaTfpp delta 262 zcmey%ev)0npo#gYK@+py0%j&gCMHgX$JZD9D!Z@sYof$9DFagjb3+RwLj%Joab80U z14Cm&D0gxV)56J}j7$014VoC44P@DvLuL6`#8@ULGKo$OVmen3Gsb`iBqhwkYQW6M z_}_q+jZ>@5qwPB{BO^B}19M{|gY5RJH4iu5IFKH@^>WAa0L{YW{xfRw#+;$fvsWLJ z-gBIBs?@L42Y=_h&gbG6d9zjjj*P+Gpy^j+I2nvB;!m#->lfU<<3ifQ5RK3F`?K=P zJhbA%mYi-7ThwGJ}td5@eP&)0| FTL53mWPJbt diff --git a/certs/1024/client-cert.pem b/certs/1024/client-cert.pem index 2f13e8e25..f99471e9d 100644 --- a/certs/1024/client-cert.pem +++ b/certs/1024/client-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 16417767964199037690 (0xe3d7a0fa76df2afa) + Serial Number: 15267089231539806063 (0xd3df98c4801f1f6f) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: May 7 18:21:01 2015 GMT - Not After : Jan 31 18:21:01 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,39 +28,43 @@ Certificate: X509v3 Authority Key Identifier: keyid:81:69:0F:F8:DF:DD:CF:34:29:D5:67:75:71:85:C7:75:10:69:59:EC DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_1024/OU=Programming-1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:E3:D7:A0:FA:76:DF:2A:FA + serial:D3:DF:98:C4:80:1F:1F:6F X509v3 Basic Constraints: CA:TRUE + Authority Information Access: + OCSP - URI:http://localhost:22222 + Signature Algorithm: sha256WithRSAEncryption - 1d:b7:d5:7c:e1:b1:d8:c0:67:5d:b5:d3:88:e7:50:29:71:63: - 8f:cc:26:1f:33:09:55:43:9b:ab:c6:1b:bc:c7:01:95:1a:fa: - 65:e0:fd:9c:eb:6f:0a:0f:14:ec:b5:2f:dc:1c:30:dd:52:97: - d4:1c:09:00:33:38:5f:cb:a8:16:8f:11:b7:b8:d0:66:e1:54: - 28:f3:3f:bf:6a:6f:76:48:2a:5e:56:a7:ce:1c:f0:04:dd:17: - bd:06:78:21:6d:d6:b1:9b:75:31:92:c1:fe:d4:8d:d4:67:2f: - 03:1b:27:8d:ab:ff:30:3b:c3:7f:23:e4:ab:5b:91:e1:1b:66: - e6:ed + 71:39:fa:86:c3:54:e5:98:b5:e8:c3:cb:97:2f:86:bf:e8:bc: + fb:eb:d8:73:97:34:9a:16:bf:e0:b2:bd:be:7d:ff:a0:d7:e6: + db:a3:52:43:41:60:f1:d7:c3:63:c0:9b:e2:b2:28:87:70:60: + 5d:2b:5d:56:15:3c:b1:1e:03:53:72:39:32:e2:47:85:f7:8b: + e8:38:50:a9:c9:d3:52:75:0e:16:14:a5:a5:c4:9f:3e:73:d8: + 38:79:bf:f7:9b:4d:0d:f3:aa:ce:a2:03:84:66:14:c9:01:f5: + 86:a5:66:a1:ca:6a:71:5f:2d:31:8e:1c:cc:0c:e6:46:99:5d: + 0a:4c -----BEGIN CERTIFICATE----- -MIIDxTCCAy6gAwIBAgIJAOPXoPp23yr6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +MIID+TCCA2KgAwIBAgIJANPfmMSAHx9vMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG A1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0xMDI0MRgw FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb20wHhcNMTUwNTA3MTgyMTAxWhcNMTgwMTMxMTgyMTAxWjCBnjELMAkG +ZnNzbC5jb20wHhcNMTUxMTIzMTI0OTM3WhcNMTgwODE5MTI0OTM3WjCBnjELMAkG A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT BgNVBAoMDHdvbGZTU0xfMTAyNDEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMTAyNDEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv bGZzc2wuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8cw6oSfN0oqnv GKXaVZkh+cjss21I5TU1dXc37NFhkF8+2eTV35TKwanXGdqGyehNxGE2gv6rrX53 JbuNEaW8YjqoOMw5ogRmtPf386raTQIOu16NaUjcd8koDiLpa6Qmukzowf1Kbysf -74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFIFp +74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBOzCCATcwHQYDVR0OBBYEFIFp D/jf3c80KdVndXGFx3UQaVnsMIHTBgNVHSMEgcswgciAFIFpD/jf3c80KdVndXGF x3UQaVnsoYGkpIGhMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ MA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQL DBBQcm9ncmFtbWluZy0xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAd -BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDj16D6dt8q+jAMBgNVHRME -BTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAB231XzhsdjAZ12104jnUClxY4/MJh8z -CVVDm6vGG7zHAZUa+mXg/ZzrbwoPFOy1L9wcMN1Sl9QcCQAzOF/LqBaPEbe40Gbh -VCjzP79qb3ZIKl5Wp84c8ATdF70GeCFt1rGbdTGSwf7UjdRnLwMbJ42r/zA7w38j -5KtbkeEbZubt +BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDT35jEgB8fbzAMBgNVHRME +BTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs +aG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOBgQBxOfqGw1TlmLXow8uXL4a/6Lz7 +69hzlzSaFr/gsr2+ff+g1+bbo1JDQWDx18NjwJvisiiHcGBdK11WFTyxHgNTcjky +4keF94voOFCpydNSdQ4WFKWlxJ8+c9g4eb/3m00N86rOogOEZhTJAfWGpWahympx +Xy0xjhzMDOZGmV0KTA== -----END CERTIFICATE----- diff --git a/certs/1024/server-cert.pem b/certs/1024/server-cert.pem index f278d2c0f..739d80ed5 100644 --- a/certs/1024/server-cert.pem +++ b/certs/1024/server-cert.pem @@ -2,11 +2,11 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) - Signature Algorithm: sha1WithRSAEncryption + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Sep 23 19:23:38 2015 GMT - Not After : Jun 19 19:23:38 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,50 +28,54 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:8F:44:26:FF:B7:43:E1:9A + serial:E6:C8:64:7E:E6:3B:98:AA X509v3 Basic Constraints: CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0a:04:c7:9a:c4:f6:46:db:e4:85:d4:22:02:12:3e:53:27:25: - 24:8a:9b:2f:93:7f:de:70:94:c5:6c:4c:26:25:25:7a:d7:0f: - 33:b9:9c:d2:5a:94:7f:8d:30:75:ad:82:c9:bf:4b:6c:91:58: - 7c:45:1a:89:df:8e:ca:31:9f:ab:38:b3:ae:c2:8f:14:87:e6: - 1c:ab:12:4e:df:82:36:c9:41:46:c4:05:95:88:62:09:72:57: - 66:31:80:b8:9c:55:a8:fb:74:01:32:e7:5a:40:df:9b:e4:98: - d7:5b:ea:69:5c:14:1b:9b:8b:08:2d:d9:58:28:be:c9:01:e0: - e1:a9 + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + cb:33:02:ab:da:33:24:83:8f:e8:2b:29:13:94:58:f2:df:69: + 69:0c:2f:79:79:4f:fc:35:fd:a5:75:59:a5:18:74:02:79:50: + 49:2e:3b:16:28:4b:b5:0f:2a:a4:e7:b9:2a:33:50:eb:c4:7c: + b4:a2:af:8d:24:f3:27:48:58:01:ac:c0:5d:7a:90:6a:5b:f7: + 4f:d3:a5:96:24:24:96:47:2c:81:97:3c:03:1c:ad:90:c7:22: + 90:91:67:03:7f:81:51:c7:97:d7:76:85:82:66:1b:f8:03:d9: + ae:1d:b0:a1:20:05:55:68:2b:d7:eb:92:dc:ec:cd:be:c6:c8: + 53:df -----BEGIN CERTIFICATE----- -MIIDqTCCAxKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx +MIID3jCCA0egAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh d3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMMD3d3dy53 b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0x -NTA5MjMxOTIzMzhaFw0xODA2MTkxOTIzMzhaMIGVMQswCQYDVQQGEwJVUzEQMA4G +NTExMjMxMjQ5MzdaFw0xODA4MTkxMjQ5MzdaMIGVMQswCQYDVQQGEwJVUzEQMA4G A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4GA1UECgwHd29sZlNT TDEVMBMGA1UECwwMU3VwcG9ydF8xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5j b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBAKo+pZzTF0llQ97Q80sc20kM/HplBW3easTkcyyKloKP I6UGcRwGPi+SjQspNEVZ6am8YdckN121xDeNumey7wMn+sG0zWsAZrTWc3AfCDrM d63p+TTU86AtqedYqcBhhLbsPQqt/VyGc6prR9iLLlhLaRKCJlXmFL9VcIj++XXh -AgMBAAGjggEBMIH+MB0GA1UdDgQWBBTZPDXqdA4jvpz8+imQCcHnhBaffDCBzgYD -VR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SBnDCBmTELMAkGA1UE -BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV -BAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMM -D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv -bYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACgTH -msT2RtvkhdQiAhI+UyclJIqbL5N/3nCUxWxMJiUletcPM7mc0lqUf40wda2Cyb9L -bJFYfEUaid+OyjGfqzizrsKPFIfmHKsSTt+CNslBRsQFlYhiCXJXZjGAuJxVqPt0 -ATLnWkDfm+SY11vqaVwUG5uLCC3ZWCi+yQHg4ak= +AgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU2Tw16nQOI76c/PopkAnB54QWn3wwgc4G +A1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+kgZwwgZkxCzAJBgNV +BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYD +VQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQD +DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggr +BgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOB +gQDLMwKr2jMkg4/oKykTlFjy32lpDC95eU/8Nf2ldVmlGHQCeVBJLjsWKEu1Dyqk +57kqM1DrxHy0oq+NJPMnSFgBrMBdepBqW/dP06WWJCSWRyyBlzwDHK2QxyKQkWcD +f4FRx5fXdoWCZhv4A9muHbChIAVVaCvX65Lc7M2+xshT3w== -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) - Serial Number: 10323419125573214618 (0x8f4426ffb743e19a) - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 16629652120256878762 (0xe6c8647ee63b98aa) + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Sep 23 19:23:38 2015 GMT - Not After : Jun 19 19:23:38 2018 GMT + Not Before: Nov 23 12:49:37 2015 GMT + Not After : Aug 19 12:49:37 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -93,38 +97,42 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:8F:44:26:FF:B7:43:E1:9A + serial:E6:C8:64:7E:E6:3B:98:AA X509v3 Basic Constraints: CA:TRUE - Signature Algorithm: sha1WithRSAEncryption - 0e:46:ac:d8:29:1d:12:12:06:0c:d3:3f:7d:58:2e:0d:11:5e: - 5d:0d:dd:17:c0:0f:aa:01:4d:a4:c4:84:81:6e:64:ae:d1:5d: - 58:cd:19:6a:74:a4:46:2f:c8:43:79:39:c0:91:4b:7c:71:ea: - 4e:63:44:66:15:41:15:de:50:82:e3:e9:d1:55:55:cc:5a:38: - 1e:3a:59:b3:0e:ee:0e:54:4d:93:e7:e0:8e:27:a5:6e:08:b8: - 6a:39:da:2d:47:62:c4:5b:89:c0:48:48:2a:d5:f0:55:74:fd: - a6:b1:68:3c:70:a4:52:24:81:ec:4c:57:e0:e8:18:73:9d:0a: - 4d:d8 + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 82:53:ec:89:0a:6a:1b:ae:c3:69:fc:22:b5:d7:d2:f4:0b:6d: + 18:72:f5:64:7f:bb:80:57:e3:f3:b2:af:e1:89:47:03:19:dd: + 6f:62:ed:2b:24:d3:a2:77:c0:83:6a:fb:0f:55:93:78:15:4a: + c1:e0:13:f2:65:9c:7a:8c:6c:98:57:f0:44:9d:3a:9e:6a:30: + 08:9f:33:ce:0d:7e:86:6f:ef:0e:34:41:b9:c6:1d:34:c6:28: + 1e:f9:81:be:68:3d:77:92:50:c5:f8:2f:4c:aa:db:5f:72:93: + 42:eb:8a:cf:24:a0:d9:25:44:46:8b:ed:de:46:d5:1a:90:e9: + d6:d8 -----BEGIN CERTIFICATE----- -MIIDtTCCAx6gAwIBAgIJAI9EJv+3Q+GaMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD +MIID6jCCA1OgAwIBAgIJAObIZH7mO5iqMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MDkyMzE5MjMzOFoXDTE4MDYxOTE5MjMzOFowgZkxCzAJBgNVBAYT +Y29tMB4XDTE1MTEyMzEyNDkzN1oXDTE4MDgxOTEyNDkzN1owgZkxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq -1OWIGLMRL3PA1ikJAgMBAAGjggEBMIH+MB0GA1UdDgQWBBTTIo8oLOAF7tPtw3E9 -ybI2Oh2/qDCBzgYDVR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SB -nDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv -emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEw -MjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m -b0B3b2xmc3NsLmNvbYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN -AQEFBQADgYEADkas2CkdEhIGDNM/fVguDRFeXQ3dF8APqgFNpMSEgW5krtFdWM0Z -anSkRi/IQ3k5wJFLfHHqTmNEZhVBFd5QguPp0VVVzFo4HjpZsw7uDlRNk+fgjiel -bgi4ajnaLUdixFuJwEhIKtXwVXT9prFoPHCkUiSB7ExX4OgYc50KTdg= +1OWIGLMRL3PA1ikJAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx +PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k +gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC +b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x +MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu +Zm9Ad29sZnNzbC5jb22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUF +BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkq +hkiG9w0BAQsFAAOBgQCCU+yJCmobrsNp/CK119L0C20YcvVkf7uAV+Pzsq/hiUcD +Gd1vYu0rJNOid8CDavsPVZN4FUrB4BPyZZx6jGyYV/BEnTqeajAInzPODX6Gb+8O +NEG5xh00xige+YG+aD13klDF+C9MqttfcpNC64rPJKDZJURGi+3eRtUakOnW2A== -----END CERTIFICATE----- diff --git a/certs/ca-cert.der b/certs/ca-cert.der index d0eab7a3ce08847c4bc6c9160c266eaa3289778b..b61188892a7dd9a237caaa5a29e55d4c226cf4d5 100644 GIT binary patch delta 427 zcmZ3-`Gix#po!&yK@;UVL7$sbh)$ zi#*ld>^s4$^)I{kTvK0dx##k!8;sMIxP)6wUVZrU)b#rEs+|1xi{c{2UsOTLen-z&5+ zGp1#KP~*2`QTysNBf);ENBq{@b3+RwLj%Joab80U z14Cm&2zTS%{fzvLe+(Lb8pyIShsyG?h_Ot*$Rs-X5YrJcme3-%Iozu8yg+^Iwar-^d`#3f2WSd!2Z*qN&$7|f7q^OnoN+EI4WLY)YKSX5~{O5>Ic-mHaz_?S!r(gpU*7{QpecaC#lU7m54NEyYqX)wzAld z2lY?rC(SutPxVc-WXjWrbN-4VW1j{~H*wacHwKva+%> zGP0-{s2C{0_y&w^Vi_eR1y=g{Ir+(nIT`uIC00ftV8F}9snzDu_MMlJk(-r)xrvdH zp?YF+uVqMz%@+HsC;azw?_VD?$MHCKQ0}o0_iFyn_WSp_UTG%pfn;mha9f7)^G&Gn13-~8swXIdM0pzLlM z*EwF!XDggGupMT3E^}O6+khxZK;@Z T-RsYsBQ=r=&3u3DeU}3Odz7!9 delta 378 zcmZqTI>#wt(8O}epow|Y0%j&gCMHgXRqC6Mt}M#qohY$Q%D~jX+|a_v(7-TCoY&C8 zz|hzb%ALf#aC0Z4CL=4mK@%hMtPxVc-WXjWrbN-4VW1j{~PeKacZ@Bw0-Ag zWaMULU~Xb$WC)zLTt+QcX2LO}`O`!{$v&SvXH99?)V~S^t6j4=H+=rYyyEs9{XO#S zRg16mU-g_`XA`n!G^zNmIeqhTlWko0wiZ@#F0;GV6w#SJ z=V(UKF1BlyyH8skc#tfAoM(gVWwcd8VA-c!;y|W9q&1B2Pexet- z<6CCPo}Ita{k3(N!M3tV2R-8VOx+M56?#I)FUh?1-P&TD94 zU}0zp3#yj;etp+@7%%QTvEUX61jEw&cjMzA|*%(<_ z*%=vG)C^P%lwf=V#x}8xl9B=|ef^yLm)V&l+i^EhYA!py|%!C>IZ zq{uK|<&gEWr&_ufXQrR}`u5_r36f%BKjww4d@C(EDTHtNBPK(N zW@2_{FmPc~D5+joH|Ip=)GqF|^(W13ZR)qb|9orqs|(A^xR#U)eP6+(P&l={bNh tmp.pem +mv tmp.pem root-ca-cert.pem + +# $1 cert, $2 name, $3 ca, $4 extensions, $5 serial +function update_cert() { + openssl req \ + -new \ + -key $1-key.pem \ + -out $1-cert.csr \ + -subj "/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=$2/emailAddress=info@wolfssl.com" + + openssl x509 \ + -req -in $1-cert.csr \ + -extfile openssl.cnf \ + -extensions $4 \ + -days 1000 \ + -CA $3-cert.pem \ + -CAkey $3-key.pem \ + -set_serial $5 \ + -out $1-cert.pem + + rm $1-cert.csr + openssl x509 -in $1-cert.pem -text > $1_tmp.pem + mv $1_tmp.pem $1-cert.pem + cat $3-cert.pem >> $1-cert.pem +} + +update_cert intermediate1-ca "wolfSSL intermediate CA 1" root-ca v3_ca 01 +update_cert intermediate2-ca "wolfSSL intermediate CA 2" root-ca v3_ca 02 +update_cert intermediate3-ca "wolfSSL REVOKED intermediate CA" root-ca v3_ca 03 # REVOKED + +update_cert ocsp-responder "wolfSSL OCSP Responder" root-ca v3_ocsp 04 + +update_cert server1 "www1.wolfssl.com" intermediate1-ca v3_req1 05 +update_cert server2 "www2.wolfssl.com" intermediate1-ca v3_req1 06 # REVOKED +update_cert server3 "www3.wolfssl.com" intermediate2-ca v3_req2 07 +update_cert server4 "www4.wolfssl.com" intermediate2-ca v3_req2 08 # REVOKED +update_cert server5 "www5.wolfssl.com" intermediate3-ca v3_req3 09 diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem new file mode 100644 index 000000000..9d68f8197 --- /dev/null +++ b/certs/ocsp/root-ca-cert.pem @@ -0,0 +1,93 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/root-ca-key.pem b/certs/ocsp/root-ca-key.pem new file mode 100644 index 000000000..a7cbcbb60 --- /dev/null +++ b/certs/ocsp/root-ca-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCrLLQvHQYJ704p +hoR+zL+meXzwwMFkJYx1txAFykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRx +kK3MBbmfFccKP19p9ApfjHG1LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4 +hc0BiKzFsrFZuM1a9AkJOJvaWs/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4 +yHDM4WcGsysvk7Vpz4N+iFObD0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tb +ipKXrf2XuXXKwtRFfRdrzS/zY3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsV +roxb+ZmBAgMBAAECggEAd0Qjm3wOfBeYD0jhwnOoyTZ2vkyfssaS0mYlrNMfaM12 +iqYBELQo5miReaHZ5ZfYCweNX8guVUAkMCiNX81RYy3KTDKRqYJXQ/HYPFMcXXP2 +7Ja6jMfub1FXJ1xULtJs/5XilVwxad1ZgHbBu2LedrUl6wzfUJMeRKWDuiVyCzpK +J2+F1iVH+whBI/eN8qopHM4JeR0W9k7rFJayQZ9iAIfrl2In1hTay9S7HCEdmWz/ +BVI818QXsgCuulR9G2erS0gS181P090YcZeuzh5YfvAnzn7m8BTboJojix5pkfQt +gM5E7YD4nYU1V796P2cfAaMJoQyCW4NSn+kwgLT5rQKBgQDXnHvs/fk+gxFiBt/U +tRfU+iUoiMofrcAZswMBvOZVy40RbtxuNXwnGo9+Bko7XVKekVO6TGUyPSpv1VXR +QCjlk+PsXyx0DD2+Hb3r69wXJ3Wfxe0K+p6CHIuspJUmNrHdpJOBTO8GbHNxuaD/ +kDJvBq+ZkXEKUm9a5BeU5WiwMwKBgQDLPUkr+Mm2pJIIEBF8z3Lr3bWIbZsinxhM +ErQRAQC0J+oBj1kuUoXYoh1hzQK/E90bM2fRUMhgVGIBvwDMv0c+Z2Fb6zK0r3mP +dOLYGOrfavl/f7zhd4TjzPkAF1fbbYbciFQIWW3//q8PXY68eKvwrhGqT+CCwLef +tWC3xrpLewKBgQC7Ht7abgxa+UsjxQ2Kv+O//Zw0EotAdP2sEBUC9Br+yJpUT99U +cmyeT0nLONBBtxtV7JA6tcR5lmX3CrHg2Yrku7XqVSrySBFppsxGLLslCSTnFdJE +Xf8ksntxyKB8uqkgz40IgWlMLOEACPc19MIgYzAQ2g29xI9J1Xy1x2dUywKBgBFo +HVU7yKLw82TnY2gKKHCVG5Akuw27DIyvaWavbE0BwiQCEARMoxQLxnJy6ZJN9Dj5 +LSIbRh4h/AbkQgBHPaXVmtwRh9U71jB4NVmGwM8DzXyjBx1UbDhKfOUKGsc7WTqY +HoJcjnRHbtzlCW2Q9ED316F7l+H6+X8fPLpgteHzAoGARc6B/pWJWkUVM87ObGmr +hiA5YByyC6Rq8HyFEeXiS2fiQPfQF0UC9Qxq9/CBkezb8v+Yb/UT4ieL26c270s5 +JkyYqMoBLgkOKG6nPDD4hxoR24cFmC090RNQOhwwHskh+KjVmf3c/m9wNBSdHTpt +URu+xdmbaoKaH9dIJMUKasc= +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem new file mode 100644 index 000000000..eab440bdf --- /dev/null +++ b/certs/ocsp/server1-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 5 (0x5) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:e6:96:55:75:cf:8a:97:68:8c:b6:38:f6:7a:05: + be:33:b6:51:47:37:8a:f7:db:91:be:92:6b:b7:00: + 8c:f2:c5:24:6e:18:e9:92:00:81:01:dc:b3:4c:28: + a9:b7:80:f1:96:cf:23:7a:2f:ae:f8:e3:0f:2d:d3: + 5e:23:e7:db:4c:b2:5d:89:16:17:be:be:81:db:fb: + 12:6d:28:4b:10:a0:12:04:27:c1:c9:d0:79:95:ef: + e8:8d:8c:59:9b:4e:72:7d:bc:49:2b:22:4e:f8:4f: + e2:0c:f1:e9:e9:97:f9:df:8c:5a:0a:aa:38:1d:43: + 04:a3:a7:89:a1:e2:83:a4:4b:b5:4e:45:88:a6:22: + 5d:ac:a9:58:67:88:c1:d5:61:ef:bd:11:05:27:94: + 47:bb:33:a5:8a:ca:ee:1f:8d:c0:6e:24:af:cd:ca: + bf:80:47:71:95:ac:a9:f1:5d:23:6c:f5:4b:b4:a9: + e1:c4:66:fb:e5:c4:a1:9f:a7:51:d1:78:cd:2e:b4: + 3f:2e:e2:82:f3:7f:c4:a7:f4:31:cf:76:27:3f:db: + 2e:d2:6e:c3:47:23:82:a3:48:40:8c:a7:c1:13:f0: + 63:50:54:43:f6:71:12:e1:6f:a5:7a:58:26:f7:fd: + 8b:3b:70:18:a0:43:ba:01:6b:b3:f8:d5:be:05:13: + 64:31 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + CC:55:15:00:E2:44:89:92:63:6D:10:5D:B9:9E:73:B6:5D:3A:19:CA + X509v3 Authority Key Identifier: + keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:01 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22221 + + Signature Algorithm: sha256WithRSAEncryption + cc:2e:e2:e4:a8:f6:e8:73:e4:e8:d9:ee:05:e6:2c:a9:0f:54: + d5:b0:be:ce:20:a6:12:38:63:b8:19:32:c1:12:2f:d4:ee:a5: + 73:2b:72:5c:ad:c7:ed:d7:a4:5e:97:d2:a4:fd:9e:db:3d:e0: + df:a2:96:a9:36:c8:e3:f9:93:d6:84:dc:ad:a4:5f:1e:d4:af: + de:b4:05:9a:e5:ac:c6:b4:f4:9b:69:a0:e8:81:28:32:d7:a0: + 83:1b:2d:18:92:87:33:3f:23:11:11:f5:c9:01:11:35:de:44: + 8d:1d:6b:c4:3a:20:72:64:5d:c1:59:60:cb:5c:3b:ca:a0:27: + ab:e6:6c:ac:31:ec:a9:3a:a0:ec:10:e5:48:34:9b:d3:1c:9e: + 1e:93:2a:ba:47:40:b6:5d:45:c4:b9:cb:d6:63:5b:1a:70:26: + 23:f6:0a:41:53:de:ba:02:db:df:ce:df:6d:7a:9c:85:55:a4: + 01:3e:f5:d1:9c:4a:59:bf:1f:f5:83:fa:92:9a:3d:80:4d:49: + aa:f6:92:5f:94:ee:ef:38:b3:71:9f:96:30:7d:b2:d2:8d:bb: + 16:ed:e1:6f:cd:8e:4e:d2:e0:5b:59:5c:dd:95:de:9f:69:63: + d4:b2:54:52:51:40:e5:50:5c:4b:1c:5e:51:5b:10:b7:19:1f: + 31:08:70:cb +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOaWVXXPipdojLY49noFvjO2 +UUc3ivfbkb6Sa7cAjPLFJG4Y6ZIAgQHcs0woqbeA8ZbPI3ovrvjjDy3TXiPn20yy +XYkWF76+gdv7Em0oSxCgEgQnwcnQeZXv6I2MWZtOcn28SSsiTvhP4gzx6emX+d+M +WgqqOB1DBKOniaHig6RLtU5FiKYiXaypWGeIwdVh770RBSeUR7szpYrK7h+NwG4k +r83Kv4BHcZWsqfFdI2z1S7Sp4cRm++XEoZ+nUdF4zS60Py7igvN/xKf0Mc92Jz/b +LtJuw0cjgqNIQIynwRPwY1BUQ/ZxEuFvpXpYJvf9iztwGKBDugFrs/jVvgUTZDEC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMxVFQDiRImSY20QXbme +c7ZdOhnKMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQDMLuLkqPboc+To2e4F5iypD1TVsL7OIKYSOGO4GTLBEi/U7qVzK3Jcrcft16Re +l9Kk/Z7bPeDfopapNsjj+ZPWhNytpF8e1K/etAWa5azGtPSbaaDogSgy16CDGy0Y +koczPyMREfXJARE13kSNHWvEOiByZF3BWWDLXDvKoCer5mysMeypOqDsEOVINJvT +HJ4ekyq6R0C2XUXEucvWY1sacCYj9gpBU966Atvfzt9tepyFVaQBPvXRnEpZvx/1 +g/qSmj2ATUmq9pJflO7vOLNxn5YwfbLSjbsW7eFvzY5O0uBbWVzdld6faWPUslRS +UUDlUFxLHF5RWxC3GR8xCHDL +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: + c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: + 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: + fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: + 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: + 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: + 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: + 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: + f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: + ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: + 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: + 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: + 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: + e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: + 49:be:30:c1 +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ +KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt +OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO +DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe +2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR +0iqUR3W1gPLogzTMfyKKnkm+MME= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server1-key.pem b/certs/ocsp/server1-key.pem new file mode 100644 index 000000000..e44f63129 --- /dev/null +++ b/certs/ocsp/server1-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDmllV1z4qXaIy2 +OPZ6Bb4ztlFHN4r325G+kmu3AIzyxSRuGOmSAIEB3LNMKKm3gPGWzyN6L6744w8t +014j59tMsl2JFhe+voHb+xJtKEsQoBIEJ8HJ0HmV7+iNjFmbTnJ9vEkrIk74T+IM +8enpl/nfjFoKqjgdQwSjp4mh4oOkS7VORYimIl2sqVhniMHVYe+9EQUnlEe7M6WK +yu4fjcBuJK/Nyr+AR3GVrKnxXSNs9Uu0qeHEZvvlxKGfp1HReM0utD8u4oLzf8Sn +9DHPdic/2y7SbsNHI4KjSECMp8ET8GNQVEP2cRLhb6V6WCb3/Ys7cBigQ7oBa7P4 +1b4FE2QxAgMBAAECggEBAMcAl2DFbOae5FGfd5h3vF8EycCcvuKKLI4775pQb1RV +r8sU1P+cT7o7rsHblh04u0dcHVImNOu3ijISaPyz7R+UEAVve66y23/uf0iVrbL7 +cpEDfsudkFFGa30901elrEm3Za5EPcMvrfdeEHH5Jz02876giS032ZkjzjRYOSRg +TuFhiqjRTMfE6AB63KSRWcb6AYEocHV/jF+IEQcz9ctsv6XKKKJtge4+Y3+gQU4N +ALUE6OjBsD5KpMVuMYBSfTucYi5g2eOK05PoCOR8lTqgvsbof+ALj+84zEpG20aK +p0KdMVwiMolXaYcvKBOGPxZKt7sQaIMitbs0iuErMQECgYEA+cLVZh4qkRnsjPVc +/27qC/VLeWo2QAL7TWC7YgkY0MgNtZXRkJZdKOlzYWo/iJmuxHj7eUFLkoHpPNV2 +X6WG+CGHD1qq/BqLQNlJKS/MtI2VNzOjBJ/J3SktOGo3BwL+Q5uSRNHukQip0YnD +c9GCU4UhfBHr/UNitMBH6N5aPqUCgYEA7FjjTGomVseF5wNbfw2xLjBmRuQ2DDgJ +/OvCtV6it+OiVU9R+cYcz/hVl1QLIkGBHt5hb8O6np4tW5ehKd5LNTtolIO+/BLL +2xPZCLY7U+LES5dgUTC/wb5t5igAmPuOMi9qNQ1kYxbKYJVLRUdwfOM8FNE4gjZF +kj2BIb6OxZ0CgYEAmuXXvWZ2FdmTGHTPwWdDZjkyHtHdZWO0AXA9pnZn2oxH3FdX +SinHCymFsmPXlVtixV0W8UOqn+lMAruMl5MsGtWIUuBzbLj1pjlcI1wOw+ePJFY1 +AxgqdKwl7HgLOqEDmmBwnZfpMi/CSj77ZegIwM2vT6g5yK+zFtCtiGHmbDUCgYBf +L2VLbyzFolGBOk7tGnyTF5b5UguaXC9ZlzGxjc2Gtby5Etr29xy/fUorSgO55hu0 +bOdc9b0BCL9HtgeILyim5ag2t+CA8Kj9MD8mTQ4TuK5Jq0t1J2bzBliIau/irN0V +xRbHCv+1EIas4zOPUTgyc+nMkH5roqPeQ7rv9ijV2QKBgQDJiNmAJv3dlie2x+bj +rX5RDF1Q/egVVGx41jPyuzh0oFLwEQG2lSHEAKgF+gWt0ZMwNzPB9oue2LBSpNFl +7ZdpFCpzD+3OcaxnWYEGT+qNhczbf0PvVNBOzOI33Trr7maktWi0Mh9qmXqoNuwG +uCnrEriJlBk2MV88tIG/ZJ+bvQ== +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem new file mode 100644 index 000000000..8aa20085f --- /dev/null +++ b/certs/ocsp/server2-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 6 (0x6) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:c6:35:8a:e8:aa:bd:33:c9:5e:84:43:67:42:65: + 2a:3c:e3:89:b4:a6:67:a1:3b:ee:6d:85:d1:d3:2b: + 6e:b1:62:d4:f1:22:43:a0:d5:b7:a5:7d:b5:f5:6c: + 09:06:7c:8c:ef:87:af:4f:34:ce:27:eb:f3:4a:37: + 57:c3:d7:d8:ee:e4:a0:77:65:2c:a7:c2:10:65:6b: + 7b:48:c4:d8:28:fe:4c:4e:4f:7e:2f:20:c4:49:5b: + 71:38:40:0d:36:a3:57:b3:44:da:be:cd:54:14:15: + 66:0f:d3:05:08:f2:2e:03:67:2e:5c:5d:e1:b0:e6: + c0:25:8f:58:77:5b:d3:d7:a8:22:ea:56:d3:0e:01: + 6d:38:34:56:47:aa:12:c4:ba:2a:ef:ec:18:f5:d4: + db:b9:fa:6f:dc:50:eb:ee:10:a2:14:b5:9a:12:e1: + e3:85:0f:79:14:b8:70:6d:0d:1c:1d:38:57:85:6a: + 82:0c:d6:bd:2c:bf:20:f1:28:2e:f6:34:80:a7:0d: + 32:82:35:4f:c1:b1:e5:9e:26:d5:f8:b9:39:57:43: + ef:ed:f1:10:5c:3e:32:ba:d9:e4:9e:40:cd:28:ea: + 26:46:9b:a9:34:8d:9f:b9:fd:45:7d:14:f7:ce:ca: + 3b:85:87:a7:64:74:9c:65:29:18:b3:f5:b1:ad:92: + 62:39 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 7D:6D:FD:F6:0B:4F:3F:4A:62:91:F5:F3:13:60:51:86:C3:5A:9F:D6 + X509v3 Authority Key Identifier: + keyid:83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:01 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22221 + + Signature Algorithm: sha256WithRSAEncryption + 84:39:12:8b:3b:47:c1:57:60:70:5d:21:e4:1f:60:33:20:94: + ab:7d:50:62:55:bf:cc:78:13:40:9d:40:75:14:55:d5:71:e8: + 8a:26:3d:4a:85:94:02:6f:be:1c:84:69:6b:03:9d:74:a7:8c: + f1:0e:e4:4e:79:e3:fc:bd:1f:c7:fb:d6:bb:6e:aa:55:7f:ac: + 6f:da:84:08:b0:97:ef:24:d5:a3:d9:c1:67:78:08:7d:05:18: + c0:58:50:e8:fc:20:65:c6:0a:4e:3a:81:7a:64:0b:81:be:12: + 87:33:18:85:d3:e3:c3:ba:b5:b0:03:9a:16:e3:01:ae:a9:9a: + 9a:ea:84:5f:0e:5c:dd:d4:16:b8:38:e2:63:0a:4f:75:5f:44: + 0b:60:08:f3:d4:df:32:cf:5b:f9:7b:a0:b1:ba:ae:ed:0f:a1: + c5:71:6b:1a:19:13:b7:5f:18:e8:97:51:a2:d3:66:52:b9:8b: + 0e:47:22:c9:61:17:94:80:7c:3d:39:6f:5a:58:18:7b:2e:42: + ea:20:fa:67:58:bf:4c:58:7e:e8:c0:3d:15:08:96:84:57:a8: + 6c:66:58:9d:93:30:64:93:28:7e:cc:1b:a2:e4:f7:d8:69:9c: + 19:07:9f:90:7f:53:a8:4f:59:86:a2:0a:87:c7:35:3d:b7:9d: + 51:61:51:69 +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +Mi53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMY1iuiqvTPJXoRDZ0JlKjzj +ibSmZ6E77m2F0dMrbrFi1PEiQ6DVt6V9tfVsCQZ8jO+Hr080zifr80o3V8PX2O7k +oHdlLKfCEGVre0jE2Cj+TE5Pfi8gxElbcThADTajV7NE2r7NVBQVZg/TBQjyLgNn +Llxd4bDmwCWPWHdb09eoIupW0w4BbTg0VkeqEsS6Ku/sGPXU27n6b9xQ6+4QohS1 +mhLh44UPeRS4cG0NHB04V4VqggzWvSy/IPEoLvY0gKcNMoI1T8Gx5Z4m1fi5OVdD +7+3xEFw+MrrZ5J5AzSjqJkabqTSNn7n9RX0U987KO4WHp2R0nGUpGLP1sa2SYjkC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFH1t/fYLTz9KYpH18xNg +UYbDWp/WMIHEBgNVHSMEgbwwgbmAFIPGOoksgfQC151M4irAcYJkRNoOoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQCEORKLO0fBV2BwXSHkH2AzIJSrfVBiVb/MeBNAnUB1FFXVceiKJj1KhZQCb74c +hGlrA510p4zxDuROeeP8vR/H+9a7bqpVf6xv2oQIsJfvJNWj2cFneAh9BRjAWFDo +/CBlxgpOOoF6ZAuBvhKHMxiF0+PDurWwA5oW4wGuqZqa6oRfDlzd1Ba4OOJjCk91 +X0QLYAjz1N8yz1v5e6Cxuq7tD6HFcWsaGRO3Xxjol1Gi02ZSuYsORyLJYReUgHw9 +OW9aWBh7LkLqIPpnWL9MWH7owD0VCJaEV6hsZlidkzBkkyh+zBui5PfYaZwZB5+Q +f1OoT1mGogqHxzU9t51RYVFp +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:b4:c8:5c:77:e0:2d:b1:f5:b9:ad:16:47:35: + a0:35:65:65:c6:e1:40:ab:1e:b4:b9:13:b7:cb:8c: + bb:77:a5:76:da:6d:87:87:f6:4a:4d:13:e4:26:3e: + 27:87:ee:5b:c7:6a:3f:45:30:61:55:5c:f6:35:d1: + 65:fa:98:11:a3:a7:55:d5:be:91:82:4b:fc:be:90: + d6:50:53:63:9a:2c:22:e1:35:11:dc:78:02:97:8a: + e4:46:92:9c:53:08:76:de:1f:53:b6:b8:ca:77:3e: + 79:6e:bc:d0:e3:0d:30:5b:4c:f6:94:0d:30:29:64: + 9f:04:e5:db:fb:89:60:67:bb:af:26:83:51:77:24: + 2f:2b:0b:a1:94:81:10:98:e8:eb:26:a8:1e:7c:e4: + c4:6c:67:06:95:55:4a:dd:52:f4:f2:60:6d:01:2b: + 19:91:35:6d:a4:08:47:06:71:24:00:d9:de:c6:56: + f3:8b:53:2c:e2:9a:96:a5:f3:62:e5:c4:e3:23:f2: + d2:fc:21:ea:0f:62:76:8d:d5:99:48:ce:dc:58:c4: + bb:7f:da:94:2c:80:74:83:c5:e0:b0:15:7e:41:fd: + 0e:f2:f4:f0:78:76:7b:ad:26:0d:aa:48:96:17:2f: + 21:e3:95:2b:26:37:f9:aa:80:2f:fe:de:f6:5e:bc: + 97:7f + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 83:C6:3A:89:2C:81:F4:02:D7:9D:4C:E2:2A:C0:71:82:64:44:DA:0E + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: + c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: + 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: + fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: + 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: + 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: + 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: + 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: + f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: + ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: + 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: + 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: + 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: + e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: + 49:be:30:c1 +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3rTIXHfgLbH1ua0WRzWgNWVl +xuFAqx60uRO3y4y7d6V22m2Hh/ZKTRPkJj4nh+5bx2o/RTBhVVz2NdFl+pgRo6dV +1b6Rgkv8vpDWUFNjmiwi4TUR3HgCl4rkRpKcUwh23h9TtrjKdz55brzQ4w0wW0z2 +lA0wKWSfBOXb+4lgZ7uvJoNRdyQvKwuhlIEQmOjrJqgefOTEbGcGlVVK3VL08mBt +ASsZkTVtpAhHBnEkANnexlbzi1Ms4pqWpfNi5cTjI/LS/CHqD2J2jdWZSM7cWMS7 +f9qULIB0g8XgsBV+Qf0O8vTweHZ7rSYNqkiWFy8h45UrJjf5qoAv/t72XryXfwID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUg8Y6iSyB9ALXnUzi +KsBxgmRE2g4wgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ +KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt +OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO +DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe +2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR +0iqUR3W1gPLogzTMfyKKnkm+MME= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server2-key.pem b/certs/ocsp/server2-key.pem new file mode 100644 index 000000000..e4b6181e8 --- /dev/null +++ b/certs/ocsp/server2-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDGNYroqr0zyV6E +Q2dCZSo844m0pmehO+5thdHTK26xYtTxIkOg1belfbX1bAkGfIzvh69PNM4n6/NK +N1fD19ju5KB3ZSynwhBla3tIxNgo/kxOT34vIMRJW3E4QA02o1ezRNq+zVQUFWYP +0wUI8i4DZy5cXeGw5sAlj1h3W9PXqCLqVtMOAW04NFZHqhLEuirv7Bj11Nu5+m/c +UOvuEKIUtZoS4eOFD3kUuHBtDRwdOFeFaoIM1r0svyDxKC72NICnDTKCNU/BseWe +JtX4uTlXQ+/t8RBcPjK62eSeQM0o6iZGm6k0jZ+5/UV9FPfOyjuFh6dkdJxlKRiz +9bGtkmI5AgMBAAECggEAL6rWwke1gsvNyD8xiR0tQEF0b5aJW5Q/LeW95WwPjed3 +0Jnt67MaHFmUNfaKYR35Au39si2/2of7FYEjwTyatjETikMxrxKTwOBNYN2+InWt +wjOJ5CmcKwwruVxmERrNT5aiiLp2mvHefrXAAzvC5xycYKhPS6zizuWfX+0ckEM5 +yJnl8TRTjfqExxHS1ciTY4B1w8nfWdYY/xiQW23sCPZ8toqsqAuHJjREmMcj+oer +z8Md1tZNa0ujDy0ejSovCnqzWIi4Umg3SndhRDYKNRAFGPNQmYRM+EWEqQufMaXP +ghD+Heb5RUPSkNW98KdjDGK4WiIeqF45tb+YQ4AvgQKBgQDt2X+FMHG/s7FAEAxA +x6TzIcDedqwEKtO3JbaC+Q0FKwRTGwP1tGOnyqbVrw4cSlza5EvUnK8CZK9I2HFd +qfbP3rtFCtHl9/bpVZPNkaVImzqkfmzmGJIREsCDIPu8THFNyxL2TC27VKCNsSmZ +ui2tuxRJ6/O0DroGdvdnFL89SQKBgQDVVaZjiA5Cr1e5Eo6q3dNNeMSBfTuI90Ja +W1OmVovp2yWYjfFFTW2B9vb4RDaRvIuykGhHgAnGKGmHtv7f0GlY7n6Qr0czvyn5 +6s+fRVIcPzEaTVnxC1g20+XHc41XdqnIOcaUjUz7oqC6g7+Y56WKdvvKitV0Lb98 +ua7ZOM6tcQKBgGWtRMY7H2VD+9HXCmXm8qy9ESYItSBS7o6soIj8zoQXD5I3SkoP +A0sHZqqSWwXdBDTOw1vwXyA2ynfpjwzrS4cxP/0T0wbsKbE11ClcybtwIHGRWhxD +BK4nxgRIZVTpmMYYudJwXlxmoPvxcEc3P6+0+cdgBp5CbWO2F60JQXeBAoGAHxLs +u46z1Q7JTlHfqg/JmX0/0kS1iUvKxHKNCquMkbG0FjaGsDuI+edJLfxxnmTCTG4w +YknKIqz8QiJrmZo33hZPJTACxQzRRm/nciGcxjSGKHif4zZt0P6od5bjPZwxOtL/ +k9/JGNYlZ0WNgO4s9LBEGMqEMPoA7F/3kfhuUmECgYEA6WzFZjs31OqTLE0vnCfL +/b/wPeozaAyjtR/24TNkAFwP/LrBAA5gFOoL8p94ce87yXdm80x3bK6OGbNmor7c +qT/OJgnXV1wTrKYSkFUu7LTC7DihpYy2MqyGg8xGxB4kK1IR+ROB4v3c5RkIqaGF +lTSpXFge771NjCimucIOl/Y= +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem new file mode 100644 index 000000000..f707abecf --- /dev/null +++ b/certs/ocsp/server3-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 7 (0x7) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:be:19:65:1e:17:39:d4:33:fc:97:64:69:80:51: + fb:6c:7c:ca:e1:ba:2a:ab:d2:dd:30:61:f3:2e:47: + c1:d4:33:c0:ff:53:21:ba:2d:14:a6:b9:7c:66:ca: + 45:7b:1c:7d:8f:fc:75:f3:9a:69:f1:6c:25:46:a0: + 92:5d:00:93:e3:22:a6:60:b9:97:05:37:7f:a1:aa: + cd:22:81:72:b1:22:47:3d:7c:8d:46:55:bc:32:4d: + d2:84:43:5c:15:43:07:22:70:36:39:93:1b:e8:a1: + 46:bb:02:85:ba:1d:31:ac:b1:3c:84:5b:eb:8f:1f: + 62:8a:71:52:9e:0b:63:b6:e6:d6:46:cc:19:06:d6: + bb:06:81:e4:0b:25:14:6c:63:94:70:1a:27:37:95: + 24:40:07:30:f5:24:73:c3:bd:f9:0e:5f:b6:cd:4f: + 18:88:f0:d7:a3:9b:f5:b0:1e:fe:04:03:a5:8d:73: + f7:6b:31:74:85:fd:61:fa:9e:53:37:75:90:e6:f8: + b5:98:66:e8:52:4d:4a:4c:39:05:65:c1:34:f9:c6: + 95:27:b0:07:c1:51:96:a8:82:1b:22:cf:41:df:de: + b4:94:b7:0d:ba:61:fb:f4:40:7c:a1:fc:a2:29:a3: + 47:4d:b4:94:9d:7b:51:ec:e4:13:fb:cd:e9:26:ca: + a7:93 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + C1:CD:C0:2C:34:F4:3B:BB:E3:CA:98:35:7D:6A:15:33:94:5C:11:3A + X509v3 Authority Key Identifier: + keyid:05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:02 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 12:62:57:58:a4:74:c0:b3:f1:d7:63:8b:1d:ba:79:99:88:76: + 5f:88:3b:e3:53:8d:d3:88:d0:98:91:3b:72:31:e9:03:5d:d5: + 1d:fe:6a:59:e8:a0:46:5b:4a:5a:3c:ce:60:27:00:36:68:49: + 35:22:cd:16:01:5f:94:67:5e:80:1a:2f:a6:21:4b:1a:d2:f8: + 70:ba:39:0f:d4:54:44:c8:6d:f4:1c:bc:fa:b3:72:32:e5:56: + 18:b8:c0:4c:98:21:56:36:a3:83:94:60:a9:a1:de:8c:7d:22: + 46:40:ac:92:7c:4a:44:6c:24:36:78:ab:f6:93:4f:44:f6:82: + 2e:ba:bc:7f:45:c2:51:be:fa:05:bb:d1:8a:95:84:38:f0:1d: + c7:66:8d:5e:44:05:26:48:b2:bd:4e:56:7a:17:28:b2:fa:3a: + 25:ce:7e:83:9a:ee:76:b0:02:54:a3:65:78:7c:7b:1e:49:ad: + 7f:65:5e:a8:cc:59:1e:fb:61:27:b6:3f:df:31:11:49:06:01: + 58:55:84:35:3e:f6:db:5a:e9:fd:2f:0a:b0:f7:c7:fb:d9:59: + 86:c6:cd:0c:f2:a6:f9:0a:ef:4b:ab:ca:a6:16:b4:df:0f:0d: + c6:d1:32:4f:0d:f9:a8:2a:28:a1:be:e2:c3:62:7e:74:90:58: + bc:67:89:20 +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL4ZZR4XOdQz/JdkaYBR+2x8 +yuG6KqvS3TBh8y5HwdQzwP9TIbotFKa5fGbKRXscfY/8dfOaafFsJUagkl0Ak+Mi +pmC5lwU3f6GqzSKBcrEiRz18jUZVvDJN0oRDXBVDByJwNjmTG+ihRrsChbodMayx +PIRb648fYopxUp4LY7bm1kbMGQbWuwaB5AslFGxjlHAaJzeVJEAHMPUkc8O9+Q5f +ts1PGIjw16Ob9bAe/gQDpY1z92sxdIX9YfqeUzd1kOb4tZhm6FJNSkw5BWXBNPnG +lSewB8FRlqiCGyLPQd/etJS3Dbph+/RAfKH8oimjR020lJ17UezkE/vN6SbKp5MC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFMHNwCw09Du748qYNX1q +FTOUXBE6MIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8XoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB +AQASYldYpHTAs/HXY4sdunmZiHZfiDvjU43TiNCYkTtyMekDXdUd/mpZ6KBGW0pa +PM5gJwA2aEk1Is0WAV+UZ16AGi+mIUsa0vhwujkP1FREyG30HLz6s3Iy5VYYuMBM +mCFWNqODlGCpod6MfSJGQKySfEpEbCQ2eKv2k09E9oIuurx/RcJRvvoFu9GKlYQ4 +8B3HZo1eRAUmSLK9TlZ6Fyiy+jolzn6Dmu52sAJUo2V4fHseSa1/ZV6ozFke+2En +tj/fMRFJBgFYVYQ1PvbbWun9Lwqw98f72VmGxs0M8qb5Cu9Lq8qmFrTfDw3G0TJP +DfmoKiihvuLDYn50kFi8Z4kg +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4: + 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7: + 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6: + 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77: + 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db: + 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb: + ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98: + 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1: + 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a: + 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52: + 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d: + f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35: + cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36: + a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f: + 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55: + f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96: + aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff: + d9:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: + c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: + d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: + ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: + 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: + b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: + 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: + 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: + 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: + 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: + 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: + 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: + e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: + 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: + 53:95:72:29 +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj +hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj +K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl +uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B +nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S +4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR +rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 +oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch +wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ +2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk +xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN +K2lpzYEnY+gtVSoA3gsVLFOVcik= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server3-key.pem b/certs/ocsp/server3-key.pem new file mode 100644 index 000000000..30e108011 --- /dev/null +++ b/certs/ocsp/server3-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC+GWUeFznUM/yX +ZGmAUftsfMrhuiqr0t0wYfMuR8HUM8D/UyG6LRSmuXxmykV7HH2P/HXzmmnxbCVG +oJJdAJPjIqZguZcFN3+hqs0igXKxIkc9fI1GVbwyTdKEQ1wVQwcicDY5kxvooUa7 +AoW6HTGssTyEW+uPH2KKcVKeC2O25tZGzBkG1rsGgeQLJRRsY5RwGic3lSRABzD1 +JHPDvfkOX7bNTxiI8Nejm/WwHv4EA6WNc/drMXSF/WH6nlM3dZDm+LWYZuhSTUpM +OQVlwTT5xpUnsAfBUZaoghsiz0Hf3rSUtw26Yfv0QHyh/KIpo0dNtJSde1Hs5BP7 +zekmyqeTAgMBAAECggEARDViddCJnF1m5X9O548C8qM4PJQK2YoYeVK76cAviQ9k +0XgnouCoB0aIn202Tv0jBHXmcJjYKJrQKS5WNe6OIbJ+FjihOmr2bbCWWCowV+Rf +wW0eV71NgJMx1OlCchKRzcaLfk8NdYPgmBtIlkYBW+BgQXGl7L2rIteUeEbH6Yj9 +yCn7ORQeFSbhZJTn2WdXhK3GWjV+1GyHyUyL2SSa2+G2LZ54Ifquq/F6rMGYB9lY +2K6Q6DB18aVxd/I/OYKeyBZcmJ9COgPUW7/fg0He73aduYdVvWZCRP1ygGdqSZFr +oqLVe34bEVFANUKylzRplRJdC4oKSUyTSubiOMKZ+QKBgQDf0mk3PolyvsfE2YGb +9/DsURIxZg14o9Pysp3yD1vvIYNz6WaddtJaj5OM7NzN8spu3wJSoeVgL6KYI6ah +ZTIYqy4ehOGPKBVL7SvLF+7q/QBMTdfllpdK7GLTtjBnz92TZl9bS/rBc9dCnnBC +EDkPPrc3nbk5/ADWd+K4RPG3HwKBgQDZbdiQCKY2ulppRcwjcAEIjhrFpShV21P6 +JNKt17HDBqULIAn+G9T/Gg/6yHWeY1DUgVBu1avb4L3jdnMPe2O+1jeaDzNRo6Xj +9v6PgGsiv4q7gfz7XqVwylUWIY7O52Ox/q+/QJBfwE0qe+E0t4syb44W4QvD9+k7 +fv77R7dFDQKBgQCe0SfVimtvX05TMN9V87YhiVk2ciqm6uDO+s02YI2kfgxPqFMm +8pRKrExPmBcJj/jyeQ2l4rjm6oYeHFX1ed/1PyoHf9SphxCtgoornzzpw0J94lKK +17Nc96Ucgs+QKiAYonCRULWKpY8d91zCk85ZMfBB54nySg2yIPlgNZOqkwKBgFO/ +Xqnj2vm7f7WKv91qd8tuyNsWCVpAl7EC2+8/5GVlOs71MUQiPkFgLYWADuXKBUlE +4dE/FeokP5/McPcmpL3Nzy7U6gRpDy2mZlipsxp4QpyErge4Zery1CEpHdOOBrV5 +jwIQgUuQS2iwvIbMp53uoAEp/5kk9T4IZXguIGZFAoGAMA/j0kHArT7FINf+O6R4 +3EyUTR139emLKHU2OlH/HfHVRZhHo4AmfUYksf+Njb81A6MKFd1XVmNnaumBIfq+ +6Ohoz1VMoO6aUiMMqbmBGaTHc30FVEtAQIRq2C8UDrEN67Sx3O/ngl0Br7lNri29 +LMSCe8fxf8+Kq0k+6tcsht4= +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server4-cert.pem b/certs/ocsp/server4-cert.pem new file mode 100644 index 000000000..a73be3fea --- /dev/null +++ b/certs/ocsp/server4-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 8 (0x8) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www4.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:9c:ef:8a:7e:84:4d:58:7a:b1:91:c8:cb:68:76: + df:fe:0a:29:fe:7f:74:35:d5:c3:fd:43:be:d7:89: + fc:59:51:5a:30:e9:50:14:84:24:d0:c8:72:7d:d6: + 75:42:12:8b:16:ad:5a:e8:d3:84:a7:07:2b:9e:12: + ef:6a:cd:3e:83:14:b7:26:a2:53:7b:3d:6c:96:7f: + 9c:c5:09:08:0e:55:08:19:b7:5a:1c:46:32:09:da: + 44:b2:ca:fd:4a:e4:be:d0:02:c9:c9:48:03:13:a5: + ad:3e:7b:21:cf:05:3a:b9:25:f5:c1:b8:4e:4d:eb: + 33:99:d1:50:4a:eb:f7:1a:08:6b:d0:5c:9d:48:eb: + 98:fd:dc:89:0f:aa:74:d3:7f:03:1b:59:65:f5:86: + e1:d9:53:ab:e4:53:ab:85:3c:79:8b:45:39:7b:fd: + e9:a2:10:b9:fa:92:71:0e:68:36:66:6e:8c:fb:e2: + 8a:5d:5f:72:66:b0:47:2d:c5:b4:93:ce:61:7f:90: + 1a:64:02:dd:57:9d:f1:f1:e8:75:21:e2:af:44:e3: + 96:f5:1c:e3:73:87:dc:b7:05:12:ad:a5:8f:0c:d8: + 2c:b4:90:b3:d9:e7:13:e1:e5:5e:4c:9b:24:89:08: + 07:9e:aa:6b:9f:64:01:da:ec:95:05:45:84:d9:a9: + db:c7 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 9A:D6:EF:4E:0A:7B:8B:74:E6:14:EC:35:9A:05:2A:94:68:09:61:58 + X509v3 Authority Key Identifier: + keyid:05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:02 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22222 + + Signature Algorithm: sha256WithRSAEncryption + 4e:d7:ac:3b:e2:2a:7c:2d:17:95:15:60:7d:d9:59:5f:53:9d: + d7:e4:8d:cf:9d:34:db:ea:e9:6b:1d:8c:d4:6e:4b:df:53:30: + 3f:8e:5b:65:2e:e6:bb:7b:96:b1:2e:9b:65:fa:72:a8:eb:97: + af:47:33:f5:ae:0b:9b:6f:d6:25:9e:60:e4:b2:e5:88:3b:64: + 26:8c:d4:8b:d5:4b:6b:85:23:c3:08:06:ca:b5:d3:88:f3:6b: + 19:be:16:c0:a6:a3:68:25:4b:68:a2:be:a0:38:51:7b:6f:7d: + a7:74:5f:1a:57:cd:29:01:4c:33:e4:52:bf:b9:f9:52:4e:c5: + a1:85:16:90:e3:c4:26:d7:b2:db:07:75:78:1f:90:99:db:cc: + 18:da:7d:58:af:52:e3:67:6a:8f:d2:33:f3:07:7f:da:09:24: + 54:03:cd:9a:ef:8f:15:f2:11:a9:42:71:d6:0b:6b:c8:76:f4: + 62:65:8c:d8:d3:10:19:af:34:9d:01:86:05:02:59:e8:4b:03: + 6d:06:0d:c4:98:38:b5:f2:85:65:29:74:2a:c2:c6:47:8b:e1: + 0e:d4:ee:9b:5d:a6:a5:55:8d:b0:e7:61:55:de:2e:30:50:cf: + 51:ba:c1:64:c0:3a:d0:55:73:fe:3c:79:e8:d7:33:0c:7e:a2: + dc:df:45:ad +-----BEGIN CERTIFICATE----- +MIIE7jCCA9agAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM +IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD +VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 +NC53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC +ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJzvin6ETVh6sZHIy2h23/4K +Kf5/dDXVw/1DvteJ/FlRWjDpUBSEJNDIcn3WdUISixatWujThKcHK54S72rNPoMU +tyaiU3s9bJZ/nMUJCA5VCBm3WhxGMgnaRLLK/UrkvtACyclIAxOlrT57Ic8FOrkl +9cG4Tk3rM5nRUErr9xoIa9BcnUjrmP3ciQ+qdNN/AxtZZfWG4dlTq+RTq4U8eYtF +OXv96aIQufqScQ5oNmZujPviil1fcmawRy3FtJPOYX+QGmQC3Ved8fHodSHir0Tj +lvUc43OH3LcFEq2ljwzYLLSQs9nnE+HlXkybJIkIB56qa59kAdrslQVFhNmp28cC +AwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFJrW704Ke4t05hTsNZoF +KpRoCWFYMIHEBgNVHSMEgbwwgbmAFAXRuoYAou4qBSS3Ea0tYPGQFI8XoYGdpIGa +MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH +U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx +GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 +b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG +AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB +AQBO16w74ip8LReVFWB92VlfU53X5I3PnTTb6ulrHYzUbkvfUzA/jltlLua7e5ax +Lptl+nKo65evRzP1rgubb9YlnmDksuWIO2QmjNSL1UtrhSPDCAbKtdOI82sZvhbA +pqNoJUtoor6gOFF7b32ndF8aV80pAUwz5FK/uflSTsWhhRaQ48Qm17LbB3V4H5CZ +28wY2n1Yr1LjZ2qP0jPzB3/aCSRUA82a748V8hGpQnHWC2vIdvRiZYzY0xAZrzSd +AYYFAlnoSwNtBg3EmDi18oVlKXQqwsZHi+EO1O6bXaalVY2w52FV3i4wUM9RusFk +wDrQVXP+PHno1zMMfqLc30Wt +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 2 (0x2) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:d0:20:3c:35:19:6f:2c:44:b4:7e:42:c7:75:b4: + 6a:2b:a9:23:85:bf:87:b4:ee:ca:d7:4b:1f:31:d7: + 11:02:a1:ab:58:3d:fb:dc:51:ca:3a:1d:1f:95:a6: + 56:82:f7:8f:ff:6b:50:bb:ea:10:e1:47:1d:35:77: + 2e:4b:28:c5:53:46:23:2b:82:fd:5a:d3:f4:21:db: + 0e:e0:f2:76:33:47:b3:00:be:3a:b1:23:98:53:eb: + ea:a0:de:1b:cc:05:4e:ee:63:a8:2c:93:24:d6:98: + 78:74:03:e4:c8:89:43:61:f1:25:b8:cd:3b:87:c1: + 31:25:fd:ba:4c:fc:29:94:45:9e:69:d7:67:0a:8a: + 8e:d5:52:93:30:a2:0e:dd:6a:1c:b0:94:77:db:52: + 52:b7:89:21:be:96:75:24:cb:e9:49:df:81:9d:9d: + f8:55:7d:01:2a:eb:78:03:12:e2:20:6e:db:63:35: + cd:a1:96:f0:f8:8c:20:35:69:87:01:ca:b4:54:36: + a0:15:e0:23:7d:b9:fb:be:99:05:50:f0:bf:ec:7f: + 12:e1:3d:75:15:4e:c8:c2:30:e6:8b:fe:e5:8b:55: + f8:44:5e:e5:e3:56:e0:66:2d:6f:42:5a:45:6b:96: + aa:c7:5d:41:08:5f:ce:d7:dc:9f:20:e4:46:78:ff: + d9:99 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 05:D1:BA:86:00:A2:EE:2A:05:24:B7:11:AD:2D:60:F1:90:14:8F:17 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: + c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: + d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: + ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: + 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: + b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: + 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: + 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: + 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: + 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: + 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: + 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: + e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: + 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: + 53:95:72:29 +-----BEGIN CERTIFICATE----- +MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy +bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB +IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0CA8NRlvLES0fkLHdbRqK6kj +hb+HtO7K10sfMdcRAqGrWD373FHKOh0flaZWgveP/2tQu+oQ4UcdNXcuSyjFU0Yj +K4L9WtP0IdsO4PJ2M0ezAL46sSOYU+vqoN4bzAVO7mOoLJMk1ph4dAPkyIlDYfEl +uM07h8ExJf26TPwplEWeaddnCoqO1VKTMKIO3WocsJR321JSt4khvpZ1JMvpSd+B +nZ34VX0BKut4AxLiIG7bYzXNoZbw+IwgNWmHAcq0VDagFeAjfbn7vpkFUPC/7H8S +4T11FU7IwjDmi/7li1X4RF7l41bgZi1vQlpFa5aqx11BCF/O19yfIORGeP/ZmQID +AQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUBdG6hgCi7ioFJLcR +rS1g8ZAUjxcwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5yFSGhgZ2k +gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH +DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu +ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv +QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI +KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 +oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch +wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ +2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk +xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN +K2lpzYEnY+gtVSoA3gsVLFOVcik= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server4-key.pem b/certs/ocsp/server4-key.pem new file mode 100644 index 000000000..39a93b209 --- /dev/null +++ b/certs/ocsp/server4-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCc74p+hE1YerGR +yMtodt/+Cin+f3Q11cP9Q77XifxZUVow6VAUhCTQyHJ91nVCEosWrVro04SnByue +Eu9qzT6DFLcmolN7PWyWf5zFCQgOVQgZt1ocRjIJ2kSyyv1K5L7QAsnJSAMTpa0+ +eyHPBTq5JfXBuE5N6zOZ0VBK6/caCGvQXJ1I65j93IkPqnTTfwMbWWX1huHZU6vk +U6uFPHmLRTl7/emiELn6knEOaDZmboz74opdX3JmsEctxbSTzmF/kBpkAt1XnfHx +6HUh4q9E45b1HONzh9y3BRKtpY8M2Cy0kLPZ5xPh5V5MmySJCAeeqmufZAHa7JUF +RYTZqdvHAgMBAAECggEAMmlQF6vwHIftGmNh08C72yLwsmvGrLRqLKTiXOJaSWa0 +jhmkO7LnEJoTDREiwYKrYzF0jm3DotPO0wxKFAiyF/FDlAl4v5HPm9iKR1DLYa82 +1uvq6kIyOLAAeV5zVud7093Ra/LR6jHCINv01EddwbPL6dqGbMks3jA6lpaN3bJt +85VSy3h6rC2pIZrGddJxDV5jR2gm4N4j8GJoPWpYIGZa/i+GhFmx0OJfUAWTBsGQ +flt4HxtxoR0OkAQ1MnBbBLqadQQiJ3tt47vD5Ma98GGkuq/l9y2rCuJ/t7sjY7+1 +1dnXrMj4VHKTNYEIkmpNti9lblT55P9v5HAYj4SoIQKBgQDP6/Tf1sf12XKZoQvi +qwww32brRqMnj7xpiK9PfsPdnBvq1u8aApQ2XRsHLkH/aq7S91DdLKhn+5fX9TZq +fGtix0V5/JVB11+0Y8hB6YonKtmTxGPScSKQdsSdnvo27yuBfSSp2QuSqYsAqKdV +dU/F++jAeNJFr5lg+X3zo+7gMwKBgQDBOXB3cO6Xjr1vzkxdtxpbKYTVYK5XGFpy +lGDJ9QasDMD6iX8EsTzp0/3CRtITnfYFBiBDXSFDwoUm7TqjdlDh9ahFcvkre/33 +6SmXqHshn/RBl+JCAKYolw7cJmuWAFrJNZPbnbfiuqDNg8wkD3P2VTVkKWjsDpxA +f+99Xm2yHQKBgBBlWvoLxdjtPMxAlt9Y/a0c8NC80UDdZM4tqSVrqaZgGRN7v38d +lPJ0hR0b2Lh7gS3Bsu6+BsmsXVz6SUA8b3tqm1/zOxHmGfXvqGsKL4rHJkEwy25c +3Yzm0LpdPv31/khHxgxewTrfg8aZhhiHF7NVGhWTcYFtR3sOMZB07PFhAoGAf9to +RkDeQD9druwNsD2HHSeeFCvDcTJWN1djrH+MiLBvydjNyecV7YwvcCy4ue5eavig +xLKNXm8K+LUlhiC2aK7LSBlKM7H6Xd9VfFsqDxfu4rCEMTSIvncmiBqMOlfFuzrO +uhXlJgxkd1ls7bej/i5oA/06xmjsj+mYKZcgcykCgYAbONjSKF28CILSDKLepNqx +euRSnKaSgTjcu8B5C6ZWUY8+EsD3Lw6VK2Xn+PPPSS2+Pw7dgLdYybyCgPOLXV+9 +we3d0OyuIPiLiRpfnHVTXdYQBc7qa8khw12LZpodkXwKT85St8jdwJzL1KTZAWqf +N2KyjDHPGPz8paCzS8LfuQ== +-----END PRIVATE KEY----- diff --git a/certs/ocsp/server5-cert.pem b/certs/ocsp/server5-cert.pem new file mode 100644 index 000000000..066f659fd --- /dev/null +++ b/certs/ocsp/server5-cert.pem @@ -0,0 +1,279 @@ +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 9 (0x9) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www5.wolfssl.com/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ac:73:6d:e9:fa:8c:36:72:3e:89:3b:52:29:bd: + 14:70:a2:00:b4:08:58:b6:c6:c0:bf:80:6a:1f:a5: + f0:15:fc:f4:19:a2:67:f9:6a:5d:22:69:2e:9c:29: + 53:1e:5a:4a:d1:27:d5:b8:3b:65:37:8a:a2:eb:1b: + d4:5d:90:11:35:11:af:e3:d1:8c:24:5b:b5:90:c0: + bf:de:cb:7a:05:71:1b:ef:76:d7:9d:43:47:85:dc: + 24:b8:b8:54:fc:53:bf:c3:fd:e1:12:c6:fc:1b:6f: + 95:aa:cf:bb:8e:22:af:83:bd:4e:6b:66:fe:7e:7e: + 98:6f:b1:b9:fc:f9:8a:8a:18:92:9a:4c:27:5d:78: + 6b:e9:d0:14:1c:ed:69:6d:29:4c:4e:52:e6:92:24: + 53:b0:2e:c3:a4:94:8f:20:1c:29:5c:97:70:1a:32: + 85:90:71:f7:d7:a5:99:4f:48:c7:3d:fc:3d:a7:e1: + f9:96:ea:c1:6b:ea:31:e0:9b:fb:68:3e:4b:ad:a4: + 2b:06:90:c2:b4:27:ea:f3:a3:3e:6e:32:75:aa:70: + 6a:e3:33:29:fb:42:09:94:79:a5:eb:3c:4e:89:02: + 77:08:fd:da:ba:fc:14:c6:8e:c1:5e:db:6d:d0:07: + 4f:02:79:60:e7:95:c3:c8:f4:54:83:21:12:79:03: + 7f:e1 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:FALSE + X509v3 Subject Key Identifier: + 2A:48:B6:8B:00:F0:4B:35:73:94:07:87:52:A3:69:5E:E6:D8:42:87 + X509v3 Authority Key Identifier: + keyid:BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:03 + + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment + Authority Information Access: + OCSP - URI:http://localhost:22223 + + Signature Algorithm: sha256WithRSAEncryption + 65:c1:7f:66:88:19:db:04:76:f3:ec:eb:c8:9c:38:3f:3f:83: + 4c:6c:c9:3a:67:2f:cf:45:8d:72:28:d1:85:64:fd:53:0a:4a: + 4a:22:9d:2f:2f:76:19:f5:97:04:cb:a7:1e:83:43:42:58:01: + ca:9b:25:42:bb:d1:5c:05:4f:c1:94:22:40:df:30:42:c1:be: + b9:f2:c0:a4:64:37:9b:9b:ed:20:44:e8:f0:5c:c6:2f:b6:24: + 7f:13:b8:52:02:61:ac:69:4e:f4:bd:72:9d:e9:31:13:5f:12: + d2:cc:e7:eb:16:b3:84:cc:86:40:ee:f9:e1:4c:d8:ea:73:a1: + 32:2a:2c:c7:f6:ba:4f:bf:ba:35:49:71:4c:d1:83:86:7a:44: + 14:f3:b3:12:02:99:33:01:46:50:e0:0c:74:34:03:45:9d:d2: + 2c:e1:83:31:59:d6:e7:69:8f:26:0a:12:5d:90:97:c4:ae:93: + 67:c6:9b:a9:5b:a0:8f:22:ad:e9:e2:17:74:19:93:92:cb:9c: + cc:30:8e:7e:57:8f:37:44:82:04:f0:29:9e:79:37:0a:d6:55: + 56:8e:b6:eb:d8:0f:a5:c4:ec:65:88:98:15:2f:2a:cd:9f:d8: + 11:26:c6:d7:0e:12:4e:62:c5:5c:92:b2:99:db:c2:72:71:6f: + c1:94:24:06 +-----BEGIN CERTIFICATE----- +MIIE9DCCA9ygAwIBAgIBCTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM +IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv +bGZzc2wuY29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJ +BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl +MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE +AwwQd3d3NS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxzben6jDZyPok7 +Uim9FHCiALQIWLbGwL+Aah+l8BX89BmiZ/lqXSJpLpwpUx5aStEn1bg7ZTeKousb +1F2QETURr+PRjCRbtZDAv97LegVxG+92151DR4XcJLi4VPxTv8P94RLG/BtvlarP +u44ir4O9Tmtm/n5+mG+xufz5iooYkppMJ114a+nQFBztaW0pTE5S5pIkU7Auw6SU +jyAcKVyXcBoyhZBx99elmU9Ixz38Pafh+ZbqwWvqMeCb+2g+S62kKwaQwrQn6vOj +Pm4ydapwauMzKftCCZR5pes8TokCdwj92rr8FMaOwV7bbdAHTwJ5YOeVw8j0VIMh +EnkDf+ECAwEAAaOCATYwggEyMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCpItosA8Es1 +c5QHh1KjaV7m2EKHMIHEBgNVHSMEgbwwgbmAFLsVnjJN4PiqirAuDBcrWkF0SwZF +oYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4G +A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l +ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ +aW5mb0B3b2xmc3NsLmNvbYIBAzALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk +MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIzMA0GCSqGSIb3DQEB +CwUAA4IBAQBlwX9miBnbBHbz7OvInDg/P4NMbMk6Zy/PRY1yKNGFZP1TCkpKIp0v +L3YZ9ZcEy6ceg0NCWAHKmyVCu9FcBU/BlCJA3zBCwb658sCkZDebm+0gROjwXMYv +tiR/E7hSAmGsaU70vXKd6TETXxLSzOfrFrOEzIZA7vnhTNjqc6EyKizH9rpPv7o1 +SXFM0YOGekQU87MSApkzAUZQ4Ax0NANFndIs4YMxWdbnaY8mChJdkJfErpNnxpup +W6CPIq3p4hd0GZOSy5zMMI5+V483RIIE8CmeeTcK1lVWjrbr2A+lxOxliJgVLyrN +n9gRJsbXDhJOYsVckrKZ28JycW/BlCQG +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 3 (0x3) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:de:c5:04:10:7d:c2:21:e9:12:45:da:d5:ba:28: + fd:a6:f4:30:44:a0:df:f9:70:5e:17:26:97:59:5c: + 31:eb:13:70:ea:4a:dd:58:3e:4f:33:14:66:59:69: + 7a:aa:90:e0:7c:c4:b2:36:c1:0a:f4:df:3e:34:6c: + 1a:e9:2b:f1:a5:92:7e:a9:68:70:ba:a4:68:88:f3: + ec:10:40:64:a5:64:7d:d9:1e:51:49:9d:7f:c8:cc: + 2b:6d:71:2a:06:ff:e6:1f:84:28:8a:c1:ed:a8:52: + f4:89:a5:c0:77:d8:13:66:c2:65:a5:63:03:98:b0: + 4b:05:4f:0c:84:a0:f4:2d:72:73:6b:fa:0d:e1:cf: + 45:27:ed:a3:8c:02:d7:ee:99:e2:a1:f0:e3:a0:ad: + 69:ed:59:e4:27:41:8f:ef:fa:83:73:8f:5f:2b:68: + 89:13:46:26:dc:f6:28:6b:3b:b2:b8:9b:52:2a:17: + 1b:dc:72:45:73:da:75:24:35:8b:00:5e:23:37:64: + 6a:16:74:b8:ee:fe:b7:11:71:be:0a:73:c8:54:c2: + d9:04:d2:1b:f5:53:ac:8d:2a:4f:fe:33:79:e6:5e: + e7:f3:86:d3:dc:bb:4b:d7:39:7f:5b:3c:67:fe:5e: + 88:51:05:96:f2:b4:9a:45:09:4c:51:f0:6a:4d:88: + 2a:17 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + BB:15:9E:32:4D:E0:F8:AA:8A:B0:2E:0C:17:2B:5A:41:74:4B:06:45 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 0c:5e:0d:55:3c:e7:fb:5e:c2:09:19:c8:0b:f4:c2:b2:2b:14: + 79:dc:e8:63:f6:8a:0c:03:57:9e:15:47:7e:b6:15:a3:71:90: + 01:11:39:4b:ff:3d:13:34:e4:f3:5b:a3:6c:58:4f:00:d5:c4: + b0:63:6c:90:c9:89:a8:5d:16:87:0a:da:08:40:12:b4:94:00: + 3e:44:00:13:de:34:75:90:38:79:d4:c2:39:6d:ed:17:cb:7e: + 50:ff:da:0b:eb:49:1a:66:e6:dd:eb:66:a5:92:ef:68:d5:c9: + 93:8f:aa:c7:2a:92:6b:95:af:3d:74:de:aa:29:fd:c9:53:56: + ad:9f:e0:05:d1:97:0c:01:3b:f1:c6:a6:90:7e:5c:08:11:5e: + c1:77:5d:64:09:56:ea:78:29:15:a3:ea:44:2a:4c:d6:09:a7: + a0:5f:05:54:2a:61:ca:7a:09:07:14:34:c2:0d:c5:93:cd:28: + 8b:62:26:af:30:25:8a:f1:da:65:fa:db:da:84:ab:d5:0c:37: + ae:5d:95:bd:55:2a:4b:09:e0:d3:3d:8b:3c:ea:f2:b9:68:5e: + e6:21:53:8b:28:78:39:f4:bf:9b:dc:92:bc:4b:14:06:fe:17: + 21:64:be:af:20:e8:e7:fb:67:c8:5e:ec:59:bf:27:a4:cb:e3: + 8a:6d:c3:ac +-----BEGIN CERTIFICATE----- +MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L +RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu +Y29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3sUEEH3CIekSRdrV +uij9pvQwRKDf+XBeFyaXWVwx6xNw6krdWD5PMxRmWWl6qpDgfMSyNsEK9N8+NGwa +6SvxpZJ+qWhwuqRoiPPsEEBkpWR92R5RSZ1/yMwrbXEqBv/mH4QoisHtqFL0iaXA +d9gTZsJlpWMDmLBLBU8MhKD0LXJza/oN4c9FJ+2jjALX7pniofDjoK1p7VnkJ0GP +7/qDc49fK2iJE0Ym3PYoazuyuJtSKhcb3HJFc9p1JDWLAF4jN2RqFnS47v63EXG+ +CnPIVMLZBNIb9VOsjSpP/jN55l7n84bT3LtL1zl/Wzxn/l6IUQWW8rSaRQlMUfBq +TYgqFwIDAQABo4IBOTCCATUwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUuxWeMk3g ++KqKsC4MFytaQXRLBkUwgcQGA1UdIwSBvDCBuYAUc7AcpC+Cy89HpTjXsASCOn5y +FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw +DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp +bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB +FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAAxeDVU85/tewgkZyAv0wrIrFHnc6GP2igwDV54VR362FaNxkAER +OUv/PRM05PNbo2xYTwDVxLBjbJDJiahdFocK2ghAErSUAD5EABPeNHWQOHnUwjlt +7RfLflD/2gvrSRpm5t3rZqWS72jVyZOPqscqkmuVrz103qop/clTVq2f4AXRlwwB +O/HGppB+XAgRXsF3XWQJVup4KRWj6kQqTNYJp6BfBVQqYcp6CQcUNMINxZPNKIti +Jq8wJYrx2mX629qEq9UMN65dlb1VKksJ4NM9izzq8rloXuYhU4soeDn0v5vckrxL +FAb+FyFkvq8g6Of7Z8he7Fm/J6TL44ptw6w= +-----END CERTIFICATE----- +Certificate: + Data: + Version: 3 (0x2) + Serial Number: 99 (0x63) + Signature Algorithm: sha256WithRSAEncryption + Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Validity + Not Before: Dec 15 01:27:23 2015 GMT + Not After : Sep 10 01:27:23 2018 GMT + Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com + Subject Public Key Info: + Public Key Algorithm: rsaEncryption + Public-Key: (2048 bit) + Modulus: + 00:ab:2c:b4:2f:1d:06:09:ef:4e:29:86:84:7e:cc: + bf:a6:79:7c:f0:c0:c1:64:25:8c:75:b7:10:05:ca: + 48:27:0c:0e:32:1c:b0:fe:99:85:39:b6:b9:a2:f7: + 27:ff:6d:3c:8c:16:73:29:21:7f:8b:a6:54:71:90: + ad:cc:05:b9:9f:15:c7:0a:3f:5f:69:f4:0a:5f:8c: + 71:b5:2c:bf:66:e2:03:9a:32:f4:d2:ec:2a:89:4b: + f9:35:88:14:33:47:4e:2e:05:79:01:ed:64:36:76: + b9:f8:85:cd:01:88:ac:c5:b2:b1:59:b8:cd:5a:f4: + 09:09:38:9b:da:5a:cf:ce:78:99:1f:49:3d:41:d6: + 06:7c:52:99:c8:97:d1:b3:80:3a:a2:4f:36:c4:c5: + 96:30:77:31:38:c8:70:cc:e1:67:06:b3:2b:2f:93: + b5:69:cf:83:7e:88:53:9b:0f:46:21:4c:d6:05:36: + 44:99:60:68:47:e5:32:01:12:d4:10:73:ae:9a:34: + 94:fa:6e:b8:58:4f:7b:5b:8a:92:97:ad:fd:97:b9: + 75:ca:c2:d4:45:7d:17:6b:cd:2f:f3:63:7a:0e:30: + b5:0b:a9:d9:a6:7c:74:60:9d:cc:09:03:43:f1:0f: + 90:d3:b7:fe:6c:9f:d9:cd:78:4b:15:ae:8c:5b:f9: + 99:81 + Exponent: 65537 (0x10001) + X509v3 extensions: + X509v3 Basic Constraints: + CA:TRUE + X509v3 Subject Key Identifier: + 73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + X509v3 Authority Key Identifier: + keyid:73:B0:1C:A4:2F:82:CB:CF:47:A5:38:D7:B0:04:82:3A:7E:72:15:21 + DirName:/C=US/ST=Washington/L=Seattle/O=wolfSSL/OU=Engineering/CN=wolfSSL root CA/emailAddress=info@wolfssl.com + serial:63 + + X509v3 Key Usage: + Certificate Sign, CRL Sign + Authority Information Access: + OCSP - URI:http://localhost:22220 + + Signature Algorithm: sha256WithRSAEncryption + 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: + d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: + 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: + 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: + 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: + b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: + 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: + d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: + 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: + 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: + e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: + c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: + 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: + 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: + 87:f5:98:78 +-----BEGIN CERTIFICATE----- +MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx +EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM +B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM +IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx +MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT +U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg +Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 +DQEBAQUAA4IBDwAwggEKAoIBAQCrLLQvHQYJ704phoR+zL+meXzwwMFkJYx1txAF +ykgnDA4yHLD+mYU5trmi9yf/bTyMFnMpIX+LplRxkK3MBbmfFccKP19p9ApfjHG1 +LL9m4gOaMvTS7CqJS/k1iBQzR04uBXkB7WQ2drn4hc0BiKzFsrFZuM1a9AkJOJva +Ws/OeJkfST1B1gZ8UpnIl9GzgDqiTzbExZYwdzE4yHDM4WcGsysvk7Vpz4N+iFOb +D0YhTNYFNkSZYGhH5TIBEtQQc66aNJT6brhYT3tbipKXrf2XuXXKwtRFfRdrzS/z +Y3oOMLULqdmmfHRgncwJA0PxD5DTt/5sn9nNeEsVroxb+ZmBAgMBAAGjggE5MIIB +NTAMBgNVHRMEBTADAQH/MB0GA1UdDgQWBBRzsBykL4LLz0elONewBII6fnIVITCB +xAYDVR0jBIG8MIG5gBRzsBykL4LLz0elONewBII6fnIVIaGBnaSBmjCBlzELMAkG +A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx +EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD +DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j +b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW +aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ +UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE +nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM +gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 +Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG +xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE +pxWweEFIh/WYeA== +-----END CERTIFICATE----- diff --git a/certs/ocsp/server5-key.pem b/certs/ocsp/server5-key.pem new file mode 100644 index 000000000..a45a1c6e9 --- /dev/null +++ b/certs/ocsp/server5-key.pem @@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCsc23p+ow2cj6J +O1IpvRRwogC0CFi2xsC/gGofpfAV/PQZomf5al0iaS6cKVMeWkrRJ9W4O2U3iqLr +G9RdkBE1Ea/j0YwkW7WQwL/ey3oFcRvvdtedQ0eF3CS4uFT8U7/D/eESxvwbb5Wq +z7uOIq+DvU5rZv5+fphvsbn8+YqKGJKaTCddeGvp0BQc7WltKUxOUuaSJFOwLsOk +lI8gHClcl3AaMoWQcffXpZlPSMc9/D2n4fmW6sFr6jHgm/toPkutpCsGkMK0J+rz +oz5uMnWqcGrjMyn7QgmUeaXrPE6JAncI/dq6/BTGjsFe223QB08CeWDnlcPI9FSD +IRJ5A3/hAgMBAAECggEABz5+EoMc2rin2dntFKXFswmLIATtvRfSRvkc/CFbWYEb +u+vvlDGcofJrK9IslKzUUb7romaUVOX0/A1aOWfw4RrSGa7WxTw4/1CpfrFreckL +lF6YphmKapwZysyrfUIDXzdN+hzzwC9KyTcauNjKKK2OGsLj0+p7es2rc24EHNLj +vFpNj5TC84qsibATY1ny3tcL7SBcNLtiHsm+0JDagGqlW3ptT0oErrzH6jtUAI9j +LLm87mxwJyp4rBZvnP3s4jnOLLCJH40QyrCPKR6L4bAzSaA9kEnBUu+y1y1PyUP7 +goWIPJmfclDFqgB2U7K/QbbfPFpt8pFB9SmbsoIlMQKBgQDgvgf/pdc6q9jAL9UQ +sTYa+iJJIFcjQKA95aCRoUeUjWvjA+2ROmYgLcMi7pxfNyFvYkaOXjBTL+aqSEWI +wQVbnGK4aqG16w2o/P+bWUatpMMWNbwsZGAkXpcgdrg+SbNjrQ2lY35EdmPc025G +Fqx5ouOk7wDlKWQolIwWDh3WNQKBgQDEb47VbrIo8BNnO/xxVjAsU7uQIYZkr/GR +6V5oN+kIXrttReZnY/bUVrV84r49E3cNfoZXlfZa7fAEVb9GWbZMk+9M/s78aU5M +xeFNj7HBfbgG3I+1SZQZaAEK6BZuq8GRCLV2JKOn9iInVQQL57/qz6APjC/a52zJ +asNmmcdIfQKBgBmEWgIjwUEvG8gOZkGj7UG43sWwv1QIVWlRth5y0l7Cg9pdqs6P +c+L5byt7LhP9fXVZEiu98/yt9qGk3Qg+6i3Rnr/Tk5LFImLqftcTltvGVkQiS8A6 +kVPvzXbpI9gmpBCQKHl7x21ch9AdzWp1zpVs8i3a2R4ryex1mUYzyh11AoGAWhKZ +WS7IDNOA4i50Y/fUYQ8IC2AEAvlWeMScoIc6mLbvlHyf2LrSvK0BzUEfYFwjlBF3 +QoQmEa3XB/XVnkmWuOiAqzqP6NfUqol19R21sXaXQrYyQzt46GlzSPABEUA6oulu +Y70LOgI3yPdHwrnCm8YWq+ppKyRBEt6cuNg8s/UCgYEAl3J4fMTYcDjt4H/OTgba +IjKLPV0LuBUfx/PTA0oi81x1c11fM8a/ZeD0QkXDjjrjXM33mbkR0lzFEl7ZOCnh +sRDkkM8MvOsq4KMGnBLQBN0QvKSgsuYDqIEUmFdMHiyckBjuwntMVXnfKYtEJ1Q9 +zYHlJn4e4/2VqGK9PWrgAtA= +-----END PRIVATE KEY----- diff --git a/certs/renewcerts.sh b/certs/renewcerts.sh index ec4e35e47..de8d8e791 100755 --- a/certs/renewcerts.sh +++ b/certs/renewcerts.sh @@ -202,6 +202,23 @@ function run_renewcerts(){ openssl x509 -in server-ecc-comp.pem -text > tmp.pem mv tmp.pem server-ecc-comp.pem + ########################################################### + ########## update and sign ocsp-cert.pem ################## + ########################################################### + echo "Updating ocsp-cert.pem" + echo "" + #pipe the following arguments to openssl req... + echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\ocsp.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ocsp/ocsp-key.pem -nodes > ocsp-req.pem + + openssl x509 -req -in ocsp-req.pem -extfile wolfssl.cnf -extensions v3_ocsp -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 03 > ocsp/ocsp-cert.pem + + rm ocsp-req.pem + + openssl x509 -in ca-cert.pem -text > ca_tmp.pem + openssl x509 -in ocsp/ocsp-cert.pem -text > ocsp_tmp.pem + mv ocsp_tmp.pem ocsp/ocsp-cert.pem + cat ca_tmp.pem >> ocsp/ocsp-cert.pem + rm ca_tmp.pem ############################################################ ########## make .der files from .pem files ################# ############################################################ @@ -302,7 +319,7 @@ elif [ ! -z "$1" ]; then echo "" echo "" #else the argument was invalid, tell user to use -h or -help - else + else echo "" echo "That is not a valid option." echo "" @@ -328,7 +345,7 @@ else # check options.h a second time, if the user had # ntru installed on their system and in the default - # path location, then it will now be defined, if the + # path location, then it will now be defined, if the # user does not have ntru on their system this will fail # again and we will not update any certs until user installs # ntru in the default location diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index 7decf9ef9..3da804b44 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -1,5 +1,5 @@ # -# wolfssl configuration file +# wolfssl configuration file # HOME = . RANDFILE = $ENV::HOME/.rnd @@ -20,7 +20,7 @@ default_ca = CA_default # The default ca section [ CA_default ] #################################################################### -# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY # +# CHANGE THIS LINE TO BE YOUR WOLFSSL_ROOT DIRECTORY # # # dir = $HOME./.. # #################################################################### @@ -124,6 +124,7 @@ authorityKeyIdentifier=keyid,issuer subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints=CA:true +authorityInfoAccess = OCSP;URI:http://localhost:22222 # Extensions to add to a certificate request [ v3_req ] @@ -140,6 +141,14 @@ basicConstraints = CA:true [ crl_ext ] authorityKeyIdentifier=keyid:always +# OCSP extensions. +[ v3_ocsp ] +subjectKeyIdentifier=hash +authorityKeyIdentifier=keyid:always,issuer:always +keyUsage = nonRepudiation, digitalSignature, keyEncipherment +extendedKeyUsage = OCSPSigning +basicConstraints = CA:false + # These extensions should be added when creating a proxy certificate [ proxy_cert_ext ] basicConstraints=CA:FALSE @@ -158,7 +167,7 @@ dir = ./demoCA # directory serial = $dir/tsaserial # (mandatory) crypto_device = builtin # engine signer_cert = $dir/tsacert.pem # certificate -certs = $dir/cacert.pem # chain +certs = $dir/cacert.pem # chain signer_key = $dir/private/tsakey.pem # (optional) default_policy = tsa_policy1 # Policy other_policies = tsa_policy2, tsa_policy3 # (optional) diff --git a/certs/server-cert.der b/certs/server-cert.der index 0c936a241e174dc782f39758850bd3e80c0e7e1e..1b61be8e96a54702bf033c908d939f26040d108e 100644 GIT binary patch delta 420 zcmZ3)d4rR~po!&*K@;p)SWz)>2dwCGz(AH*>@TZc-WXjWrbN-4VW1j{~H*wacHwKva+%>GP0-{ zs2C{0_y&w^Vi_eR1y=g{Ir+(nIT`uIC00ftV8F}9snzDu_MMlJk(-r)xrvdHp-{X( zzxJ9SW96Echkh4kX7i*>JZRKCC#h&_((WJUbJXwGe@MCJ73yE_)m_~XZL`2|gX$zE zra3d0_VFaX-y+ATC-ZVnr0)AXX5WvIPvbMwVz{22{Z^vT=JTyzsV$@KU%I`m!h&4XUcvbxx zJ%LHv7yUe##FJpnlR2wURB(^^{yt@qLmPSTce={m7kM$&v_pNx>bo_{_PhW2@x5C1 z?rZt)RXa3{etFrc_B-dC>d%^r6IMzYpTy)YU9wkUY5%nS zU{dm~qrcW&QfQRA#IsHW~ z*8OXY*3JmuCp^hTVCm;|kJ4_rtejG4e?ea%vi(Vv!@EmQc+RO#xx@d@;(=q3NzCrU zw-3gb9ggKQ%G93A_*N%C+P{3|${U3Sr}cCS7* Perform OCSP lookup using as responder\n"); #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) printf("-W Use OCSP Stapling\n"); #endif #ifdef ATOMIC_USER @@ -446,7 +447,8 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifdef HAVE_TRUNCATED_HMAC byte truncatedHMAC = 0; #endif -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) byte statusRequest = 0; #endif @@ -488,7 +490,7 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #ifndef WOLFSSL_VXWORKS while ((ch = mygetopt(argc, argv, - "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W")) != -1) { + "?gdeDusmNrwRitfxXUPCVh:p:v:l:A:c:k:Z:b:zS:F:L:ToO:aB:W:")) != -1) { switch (ch) { case '?' : Usage(); @@ -680,8 +682,9 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) break; case 'W' : - #ifdef HAVE_CERTIFICATE_STATUS_REQUEST - statusRequest = 1; + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + statusRequest = atoi(myoptarg); #endif break; @@ -1009,9 +1012,35 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) #endif #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (statusRequest) { - if (wolfSSL_UseCertificateStatusRequest(ssl, WOLFSSL_CSR_OCSP, + switch (statusRequest) { + case WOLFSSL_CSR_OCSP: + if (wolfSSL_UseOCSPStapling(ssl, WOLFSSL_CSR_OCSP, WOLFSSL_CSR_OCSP_USE_NONCE) != SSL_SUCCESS) - err_sys("UseCertificateStatusRequest failed"); + err_sys("UseCertificateStatusRequest failed"); + + break; + } + + wolfSSL_CTX_EnableOCSP(ctx, 0); + } +#endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (statusRequest) { + switch (statusRequest) { + case WOLFSSL_CSR2_OCSP: + if (wolfSSL_UseOCSPStaplingV2(ssl, + WOLFSSL_CSR2_OCSP, WOLFSSL_CSR2_OCSP_USE_NONCE) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); + break; + case WOLFSSL_CSR2_OCSP_MULTI: + if (wolfSSL_UseOCSPStaplingV2(ssl, + WOLFSSL_CSR2_OCSP_MULTI, 0) + != SSL_SUCCESS) + err_sys("UseCertificateStatusRequest failed"); + break; + + } wolfSSL_CTX_EnableOCSP(ctx, 0); } diff --git a/examples/server/server.c b/examples/server/server.c index f2da9f7d1..d899dacb3 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -610,7 +610,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) if (!usePsk && !useAnon) { - if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) + if (SSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) err_sys("can't load server cert file, check file and run from" " wolfSSL home dir"); @@ -743,6 +743,17 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE); } #endif +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + if (wolfSSL_CTX_EnableOCSPStapling(ctx) != SSL_SUCCESS) + err_sys("can't enable OCSP Stapling Certificate Manager"); + if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate1-ca-cert.pem", 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); + if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate2-ca-cert.pem", 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); + if (SSL_CTX_load_verify_locations(ctx, "certs/ocsp/intermediate3-ca-cert.pem", 0) != SSL_SUCCESS) + err_sys("can't load ca file, Please run from wolfSSL home dir"); +#endif #ifdef HAVE_PK_CALLBACKS if (pkCallbacks) SetupPkCallbacks(ctx, ssl); @@ -986,5 +997,3 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) return 0; } #endif - - diff --git a/scripts/include.am b/scripts/include.am index 4b2c7982a..5b9d38448 100644 --- a/scripts/include.am +++ b/scripts/include.am @@ -9,8 +9,9 @@ dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test endif if BUILD_EXAMPLES + dist_noinst_SCRIPTS+= scripts/resume.test -EXTRA_DIST+= scripts/benchmark.test +EXTRA_DIST+= scripts/benchmark.test if BUILD_CRL # make revoked test rely on completion of resume test @@ -23,6 +24,27 @@ dist_noinst_SCRIPTS+= scripts/external.test dist_noinst_SCRIPTS+= scripts/google.test #dist_noinst_SCRIPTS+= scripts/openssl.test endif + +if BUILD_OCSP +dist_noinst_SCRIPTS+= scripts/ocsp.test +endif + +if BUILD_OCSP_STAPLING +dist_noinst_SCRIPTS+= scripts/ocsp-stapling.test +scripts/ocsp-stapling.log: scripts/ocsp.log +endif + +if BUILD_OCSP_STAPLING_V2 +dist_noinst_SCRIPTS+= scripts/ocsp-stapling2.test + +if BUILD_OCSP_STAPLING +scripts/ocsp-stapling2.log: scripts/ocsp-stapling.log +else +scripts/ocsp-stapling2.log: scripts/ocsp.log +endif + +endif + endif diff --git a/scripts/ocsp-stapling.test b/scripts/ocsp-stapling.test new file mode 100755 index 000000000..7d711d417 --- /dev/null +++ b/scripts/ocsp-stapling.test @@ -0,0 +1,41 @@ +#!/bin/sh + +# ocsp-stapling.test + +trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT + +server=login.live.com +ca=certs/external/ca-verisign-g5.pem + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# is our desired server there? - login.live.com doesn't answers PING +# ping -c 2 $server +# RESULT=$? +# [ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0 + +# client test against the server +./examples/client/client -X -C -h $server -p 443 -A $ca -g -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# setup ocsp responder +./certs/ocsp/ocspd1.sh & +sleep 1 +[ $(jobs -r | wc -l) -ne 1 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 + +# client test against our own server - GOOD CERT +./examples/server/server -c certs/ocsp/server1-cert.pem -k certs/ocsp/server1-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# client test against our own server - REVOKED CERT +./examples/server/server -c certs/ocsp/server2-cert.pem -k certs/ocsp/server2-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 + +exit 0 diff --git a/scripts/ocsp-stapling2.test b/scripts/ocsp-stapling2.test new file mode 100755 index 000000000..75877f210 --- /dev/null +++ b/scripts/ocsp-stapling2.test @@ -0,0 +1,55 @@ +#!/bin/sh + +# ocsp-stapling.test + +trap 'for i in `jobs -p`; do pkill -TERM -P $i; kill $i; done' EXIT + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# setup ocsp responders +./certs/ocsp/ocspd0.sh & +./certs/ocsp/ocspd2.sh & +./certs/ocsp/ocspd3.sh & +sleep 1 +[ $(jobs -r | wc -l) -ne 3 ] && echo -e "\n\nSetup ocsp responder failed, skipping" && exit 0 + +# client test against our own server - GOOD CERTS +./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +./examples/server/server -c certs/ocsp/server3-cert.pem -k certs/ocsp/server3-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +# client test against our own server - REVOKED SERVER CERT +./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 + +./examples/server/server -c certs/ocsp/server4-cert.pem -k certs/ocsp/server4-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 + +# client test against our own server - REVOKED INTERMEDIATE CERT +./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 1 +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed $RESULT" && exit 1 + +./examples/server/server -c certs/ocsp/server5-cert.pem -k certs/ocsp/server5-key.pem & +sleep 1 +./examples/client/client -A certs/ocsp/root-ca-cert.pem -W 2 +RESULT=$? +[ $RESULT -ne 1 ] && echo -e "\n\nClient connection suceeded $RESULT" && exit 1 + +exit 0 diff --git a/scripts/ocsp.test b/scripts/ocsp.test new file mode 100755 index 000000000..66d4488ad --- /dev/null +++ b/scripts/ocsp.test @@ -0,0 +1,20 @@ +#!/bin/sh + +# ocsp-stapling.test + +server=www.globalsign.com +ca=certs/external/ca-globalsign-root-r2.pem + +[ ! -x ./examples/client/client ] && echo -e "\n\nClient doesn't exist" && exit 1 + +# is our desired server there? +ping -c 2 $server +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nCouldn't find $server, skipping" && exit 0 + +# client test against the server +./examples/client/client -X -C -h $server -p 443 -A $ca -g -o +RESULT=$? +[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 + +exit 0 diff --git a/src/internal.c b/src/internal.c index db7f9f65c..31e0a8f94 100644 --- a/src/internal.c +++ b/src/internal.c @@ -541,6 +541,10 @@ int InitSSL_Ctx(WOLFSSL_CTX* ctx, WOLFSSL_METHOD* method) /* In case contexts are held in array and don't want to free actual ctx */ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) { + int i; + + (void)i; + XFREE(ctx->method, ctx->heap, DYNAMIC_TYPE_METHOD); if (ctx->suites) XFREE(ctx->suites, ctx->heap, DYNAMIC_TYPE_SUITES); @@ -549,15 +553,39 @@ void SSL_CtxResourceFree(WOLFSSL_CTX* ctx) XFREE(ctx->serverDH_G.buffer, ctx->heap, DYNAMIC_TYPE_DH); XFREE(ctx->serverDH_P.buffer, ctx->heap, DYNAMIC_TYPE_DH); #endif + #ifndef NO_CERTS XFREE(ctx->privateKey.buffer, ctx->heap, DYNAMIC_TYPE_KEY); XFREE(ctx->certificate.buffer, ctx->heap, DYNAMIC_TYPE_CERT); XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT); wolfSSL_CertManagerFree(ctx->cm); #endif + #ifdef HAVE_TLS_EXTENSIONS TLSX_FreeAll(ctx->extensions); + +#ifndef NO_WOLFSSL_SERVER + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + if (ctx->certOcspRequest) { + FreeOcspRequest(ctx->certOcspRequest); + XFREE(ctx->certOcspRequest, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } #endif + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + for (i = 0; i < MAX_CHAIN_DEPTH; i++) { + if (ctx->chainOcspRequest[i]) { + FreeOcspRequest(ctx->chainOcspRequest[i]); + XFREE(ctx->chainOcspRequest[i], NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + } +#endif + +#endif /* NO_WOLFSSL_SERVER */ + +#endif /* HAVE_TLS_EXTENSIONS */ } @@ -4507,10 +4535,16 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #if defined(HAVE_OCSP) || defined(HAVE_CRL) if (ret == 0) { int doCrlLookup = 1; + #ifdef HAVE_OCSP + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) + ret = TLSX_CSR2_InitRequests(ssl->extensions, dCert, 0); + else /* skips OCSP and force CRL check */ + #endif if (ssl->ctx->cm->ocspEnabled && ssl->ctx->cm->ocspCheckAll) { WOLFSSL_MSG("Doing Non Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); + ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL); doCrlLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { doCrlLookup = 0; @@ -4520,7 +4554,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, #endif /* HAVE_OCSP */ #ifdef HAVE_CRL - if (doCrlLookup && ssl->ctx->cm->crlEnabled + if (ret == 0 && doCrlLookup && ssl->ctx->cm->crlEnabled && ssl->ctx->cm->crlCheckAll) { WOLFSSL_MSG("Doing Non Leaf CRL check"); ret = CheckCertCRL(ssl->ctx->cm->crl, dCert); @@ -4599,19 +4633,25 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx, if (fatal == 0) { int doLookup = 1; -#ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->options.side == WOLFSSL_CLIENT_END) { +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { fatal = TLSX_CSR_InitRequest(ssl->extensions, dCert); doLookup = 0; } - } #endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + fatal = TLSX_CSR2_InitRequests(ssl->extensions, dCert, 1); + doLookup = 0; + } +#endif + } #ifdef HAVE_OCSP if (doLookup && ssl->ctx->cm->ocspEnabled) { WOLFSSL_MSG("Doing Leaf OCSP check"); - ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert); + ret = CheckCertOCSP(ssl->ctx->cm->ocsp, dCert, NULL); doLookup = (ret == OCSP_CERT_UNKNOWN); if (ret != 0) { WOLFSSL_MSG("\tOCSP Lookup not ok"); @@ -4957,63 +4997,175 @@ static int DoCertificateStatus(WOLFSSL* ssl, byte* input, word32* inOutIdx, return BUFFER_ERROR; switch (status_type) { - #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) - case WOLFSSL_CSR_OCSP: { - OcspRequest* request = TLSX_CSR_GetRequest(ssl->extensions); + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) - #ifdef WOLFSSL_SMALL_STACK - CertStatus* status; - OcspResponse* response; - #else - CertStatus status[1]; - OcspResponse response[1]; - #endif + /* WOLFSSL_CSR_OCSP overlaps with WOLFSSL_CSR2_OCSP */ + case WOLFSSL_CSR2_OCSP: { + OcspRequest* request; + + #ifdef WOLFSSL_SMALL_STACK + CertStatus* status; + OcspResponse* response; + #else + CertStatus status[1]; + OcspResponse response[1]; + #endif do { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST if (ssl->status_request) { + request = TLSX_CSR_GetRequest(ssl->extensions); ssl->status_request = 0; break; } #endif + + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + request = TLSX_CSR2_GetRequest(ssl->extensions, + status_type, 0); + ssl->status_request_v2 = 0; + break; + } + #endif + return BUFFER_ERROR; } while(0); - #ifdef WOLFSSL_SMALL_STACK - status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + if (request == NULL) + return BAD_CERTIFICATE_STATUS_ERROR; /* not expected */ + + #ifdef WOLFSSL_SMALL_STACK + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, DYNAMIC_TYPE_TMP_BUFFER); - response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (status == NULL || response == NULL) { - if (status) XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - if (response) XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (status == NULL || response == NULL) { + if (status) + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response) + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - return MEMORY_ERROR; - } - #endif + return MEMORY_ERROR; + } + #endif InitOcspResponse(response, status, input +*inOutIdx, status_length); - if ((ret = OcspResponseDecode(response, ssl->ctx->cm)) == 0) { - if (response->responseStatus != OCSP_SUCCESSFUL) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (CompareOcspReqResp(request, response) != 0) - ret = BAD_CERTIFICATE_STATUS_ERROR; - else if (response->status->status != CERT_GOOD) - ret = BAD_CERTIFICATE_STATUS_ERROR; - } + if ((OcspResponseDecode(response, ssl->ctx->cm) != 0) + || (response->responseStatus != OCSP_SUCCESSFUL) + || (response->status->status != CERT_GOOD) + || (CompareOcspReqResp(request, response) != 0)) + ret = BAD_CERTIFICATE_STATUS_ERROR; *inOutIdx += status_length; - #ifdef WOLFSSL_SMALL_STACK - XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); - #endif + #ifdef WOLFSSL_SMALL_STACK + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif } break; + + #endif + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + + case WOLFSSL_CSR2_OCSP_MULTI: { + OcspRequest* request; + word32 list_length = status_length; + byte index = 0; + + #ifdef WOLFSSL_SMALL_STACK + CertStatus* status; + OcspResponse* response; + #else + CertStatus status[1]; + OcspResponse response[1]; + #endif + + do { + if (ssl->status_request_v2) { + ssl->status_request_v2 = 0; + break; + } + + return BUFFER_ERROR; + } while(0); + + #ifdef WOLFSSL_SMALL_STACK + status = (CertStatus*)XMALLOC(sizeof(CertStatus), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + response = (OcspResponse*)XMALLOC(sizeof(OcspResponse), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (status == NULL || response == NULL) { + if (status) + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + if (response) + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + return MEMORY_ERROR; + } + #endif + + while (list_length && ret == 0) { + if (OPAQUE24_LEN > list_length) { + ret = BUFFER_ERROR; + break; + } + + c24to32(input + *inOutIdx, &status_length); + *inOutIdx += OPAQUE24_LEN; + list_length -= OPAQUE24_LEN; + + if (status_length > list_length) { + ret = BUFFER_ERROR; + break; + } + + if (status_length) { + InitOcspResponse(response, status, input +*inOutIdx, + status_length); + + if ((OcspResponseDecode(response, ssl->ctx->cm) != 0) + || (response->responseStatus != OCSP_SUCCESSFUL) + || (response->status->status != CERT_GOOD)) + ret = BAD_CERTIFICATE_STATUS_ERROR; + + while (ret == 0) { + request = TLSX_CSR2_GetRequest(ssl->extensions, + status_type, index++); + + if (request == NULL) + ret = BAD_CERTIFICATE_STATUS_ERROR; + else if (CompareOcspReqResp(request, response) == 0) + break; + else if (index == 1) /* server cert must be OK */ + ret = BAD_CERTIFICATE_STATUS_ERROR; + } + + *inOutIdx += status_length; + list_length -= status_length; + } + } + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + ssl->status_request_v2 = 0; + #endif + + #ifdef WOLFSSL_SMALL_STACK + XFREE(status, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(response, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + } + break; + #endif default: @@ -5246,6 +5398,15 @@ static int SanityCheckMsgReceived(WOLFSSL* ssl, byte type) if ((ret = TLSX_CSR_ForceRequest(ssl)) != 0) return ret; } +#endif +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) { + int ret; + + WOLFSSL_MSG("No CertificateStatus before ServerKeyExchange"); + if ((ret = TLSX_CSR2_ForceRequest(ssl)) != 0) + return ret; + } #endif } @@ -8243,6 +8404,421 @@ int SendCertificateRequest(WOLFSSL* ssl) else return SendBuffered(ssl); } + + +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) +static int BuildCertificateStatus(WOLFSSL* ssl, byte type, buffer* status, + byte count) +{ + byte* output = NULL; + word32 idx = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ; + word32 length = ENUM_LEN; + int sendSz = 0; + int ret = 0; + int i = 0; + + WOLFSSL_ENTER("BuildCertificateStatus"); + + switch (type) { + case WOLFSSL_CSR2_OCSP_MULTI: + length += OPAQUE24_LEN; + /* followed by */ + + case WOLFSSL_CSR2_OCSP: + for (i = 0; i < count; i++) + length += OPAQUE24_LEN + status[i].length; + break; + + default: + return 0; + } + + sendSz = idx + length; + + if (ssl->keys.encryptionOn) + sendSz += MAX_MSG_EXTRA; + + if ((ret = CheckAvailableSize(ssl, sendSz)) == 0) { + output = ssl->buffers.outputBuffer.buffer + + ssl->buffers.outputBuffer.length; + + AddHeaders(output, length, certificate_status, ssl); + + output[idx++] = type; + + if (type == WOLFSSL_CSR2_OCSP_MULTI) { + c32to24(length - (ENUM_LEN + OPAQUE24_LEN), output + idx); + idx += OPAQUE24_LEN; + } + + for (i = 0; i < count; i++) { + c32to24(status[i].length, output + idx); + idx += OPAQUE24_LEN; + + XMEMCPY(output + idx, status[i].buffer, status[i].length); + idx += status[i].length; + } + + if (IsEncryptionOn(ssl, 1)) { + byte* input; + int inputSz = idx - RECORD_HEADER_SZ; + + input = (byte*)XMALLOC(inputSz, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); + if (input == NULL) + return MEMORY_E; + + XMEMCPY(input, output + RECORD_HEADER_SZ, inputSz); + sendSz = BuildMessage(ssl, output, sendSz, input, inputSz, + handshake, 1); + XFREE(input, ssl->heap, DYNAMIC_TYPE_TMP_BUFFER); + + if (sendSz < 0) + ret = sendSz; + } + else + ret = HashOutput(ssl, output, sendSz, 0); + + #ifdef WOLFSSL_DTLS + if (ret == 0 && ssl->options.dtls) + ret = DtlsPoolSave(ssl, output, sendSz)); + #endif + + #ifdef WOLFSSL_CALLBACKS + if (ret == 0 && ssl->hsInfoOn) + AddPacketName("CertificateStatus", &ssl->handShakeInfo); + if (ret == 0 && ssl->toInfoOn) + AddPacketInfo("CertificateStatus", &ssl->timeoutInfo, output, + sendSz, ssl->heap); + #endif + + if (ret == 0) { + ssl->buffers.outputBuffer.length += sendSz; + if (!ssl->options.groupMessages) + ret = SendBuffered(ssl); + } + } + + WOLFSSL_LEAVE("BuildCertificateStatus", ret); + return ret; +} +#endif + + +int SendCertificateStatus(WOLFSSL* ssl) +{ + int ret = 0; + byte status_type = 0; + + WOLFSSL_ENTER("SendCertificateStatus"); + + (void) ssl; + + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + status_type = ssl->status_request; + #endif + + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + status_type = status_type ? status_type : ssl->status_request_v2; + #endif + + switch (status_type) { + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + /* case WOLFSSL_CSR_OCSP: */ + case WOLFSSL_CSR2_OCSP: { + OcspRequest* request = ssl->ctx->certOcspRequest; + buffer response = {NULL, 0}; + + /* unable to fetch status. skip. */ + if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) + return 0; + + if (!request || ssl->buffers.weOwnCert) { + buffer der = ssl->buffers.certificate; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + /* unable to fetch status. skip. */ + if (der.buffer == NULL || der.length == 0) + return 0; + + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; + #endif + + InitDecodedCert(cert, der.buffer, der.length, NULL); + + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, + ssl->ctx->cm)) != 0) { + WOLFSSL_MSG("ParseCert failed"); + } + else { + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (request == NULL) { + FreeDecodedCert(cert); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + return MEMORY_E; + } + + ret = InitOcspRequest(request, cert, 0); + if (ret != 0) { + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + else if (!ssl->buffers.weOwnCert && 0 == LockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock)) { + if (!ssl->ctx->certOcspRequest) + ssl->ctx->certOcspRequest = request; + UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); + } + } + + FreeDecodedCert(cert); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + } + + if (ret == 0) { + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, + &response); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + + if (response.buffer) { + if (ret == 0) + ret = BuildCertificateStatus(ssl, status_type, + &response, 1); + + XFREE(response.buffer, NULL, DYNAMIC_TYPE_TMP_BUFFER); + } + + } + + if (request != ssl->ctx->certOcspRequest) + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + break; + + #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ + /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + + #if defined HAVE_CERTIFICATE_STATUS_REQUEST_V2 + case WOLFSSL_CSR2_OCSP_MULTI: { + OcspRequest* request = ssl->ctx->certOcspRequest; + buffer responses[1 + MAX_CHAIN_DEPTH]; + int i = 0; + + ForceZero(responses, sizeof(responses)); + + /* unable to fetch status. skip. */ + if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0) + return 0; + + if (!request || ssl->buffers.weOwnCert) { + buffer der = ssl->buffers.certificate; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + /* unable to fetch status. skip. */ + if (der.buffer == NULL || der.length == 0) + return 0; + + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; + #endif + + InitDecodedCert(cert, der.buffer, der.length, NULL); + + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, + ssl->ctx->cm)) != 0) { + WOLFSSL_MSG("ParseCert failed"); + } + else { + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), NULL, + DYNAMIC_TYPE_OCSP_REQUEST); + if (request == NULL) { + FreeDecodedCert(cert); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + + return MEMORY_E; + } + + ret = InitOcspRequest(request, cert, 0); + if (ret != 0) { + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + } + else if (!ssl->buffers.weOwnCert && 0 == LockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock)) { + if (!ssl->ctx->certOcspRequest) + ssl->ctx->certOcspRequest = request; + + UnLockMutex(&ssl->ctx->cm->ocsp_stapling->ocspLock); + } + } + + FreeDecodedCert(cert); + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + } + + if (ret == 0) { + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, request, + &responses[0]); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + } + + if (request != ssl->ctx->certOcspRequest) + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + + if (ret == 0 && (!ssl->ctx->chainOcspRequest[0] + || ssl->buffers.weOwnCertChain)) { + buffer der = {NULL, 0}; + word32 idx = 0; + #ifdef WOLFSSL_SMALL_STACK + DecodedCert* cert = NULL; + #else + DecodedCert cert[1]; + #endif + + #ifdef WOLFSSL_SMALL_STACK + cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL, + DYNAMIC_TYPE_TMP_BUFFER); + if (cert == NULL) + return MEMORY_E; + #endif + + while (idx + OPAQUE24_LEN < ssl->buffers.certChain.length) { + c24to32(ssl->buffers.certChain.buffer + idx, &der.length); + idx += OPAQUE24_LEN; + + der.buffer = ssl->buffers.certChain.buffer + idx; + idx += der.length; + + if (idx > ssl->buffers.certChain.length) + break; + + InitDecodedCert(cert, der.buffer, der.length, NULL); + + if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY, + ssl->ctx->cm)) != 0) { + WOLFSSL_MSG("ParseCert failed"); + break; + } + else { + request = (OcspRequest*)XMALLOC(sizeof(OcspRequest), + NULL, DYNAMIC_TYPE_OCSP_REQUEST); + if (request == NULL) { + ret = MEMORY_E; + break; + } + + ret = InitOcspRequest(request, cert, 0); + if (ret != 0) { + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + break; + } + else if (!ssl->buffers.weOwnCertChain && 0 == + LockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock)) { + if (!ssl->ctx->chainOcspRequest[i]) + ssl->ctx->chainOcspRequest[i] = request; + + UnLockMutex( + &ssl->ctx->cm->ocsp_stapling->ocspLock); + } + + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, + request, &responses[i + 1]); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + + if (request != ssl->ctx->chainOcspRequest[i]) + XFREE(request, NULL, DYNAMIC_TYPE_OCSP_REQUEST); + + i++; + } + + FreeDecodedCert(cert); + } + + #ifdef WOLFSSL_SMALL_STACK + XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER); + #endif + } + else { + while (ret == 0 && + NULL != (request = ssl->ctx->chainOcspRequest[i])) { + ret = CheckOcspRequest(ssl->ctx->cm->ocsp_stapling, + request, &responses[++i]); + + /* Suppressing, not critical */ + if (ret == OCSP_CERT_REVOKED + || ret == OCSP_CERT_UNKNOWN + || ret == OCSP_LOOKUP_FAIL) + ret = 0; + } + } + + if (responses[0].buffer) { + if (ret == 0) + ret = BuildCertificateStatus(ssl, status_type, + responses, i + 1); + + for (i = 0; i < 1 + MAX_CHAIN_DEPTH; i++) + if (responses[i].buffer) + XFREE(responses[i].buffer, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + } + } + break; + + #endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + + default: + break; + } + + return ret; +} + #endif /* !NO_CERTS */ diff --git a/src/ocsp.c b/src/ocsp.c index 567a67de8..7283e66ad 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -77,6 +77,10 @@ static void FreeOcspEntry(OcspEntry* entry) for (status = entry->status; status; status = next) { next = status->next; + + if (status->rawOcspResponse) + XFREE(status->rawOcspResponse, NULL, DYNAMIC_TYPE_OCSP_STATUS); + XFREE(status, NULL, DYNAMIC_TYPE_OCSP_STATUS); } } @@ -114,7 +118,7 @@ static int xstat2err(int stat) } -int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) +int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, void* encodedResponse) { int ret = OCSP_LOOKUP_FAIL; @@ -137,7 +141,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert) #endif if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) { - ret = CheckOcspRequest(ocsp, ocspRequest); + ret = CheckOcspRequest(ocsp, ocspRequest, encodedResponse); FreeOcspRequest(ocspRequest); } @@ -186,7 +190,7 @@ static int GetOcspEntry(WOLFSSL_OCSP* ocsp, OcspRequest* request, static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, - OcspEntry* entry, CertStatus** status) + OcspEntry* entry, CertStatus** status, buffer* responseBuffer) { int ret = OCSP_INVALID_STATUS; @@ -204,11 +208,29 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, && !XMEMCMP((*status)->serial, request->serial, (*status)->serialSz)) break; - if (*status) { + if (responseBuffer && *status && !(*status)->rawOcspResponse) { + /* force fetching again */ + ret = OCSP_INVALID_STATUS; + } + else if (*status) { if (ValidateDate((*status)->thisDate, (*status)->thisDateFormat, BEFORE) && ((*status)->nextDate[0] != 0) && ValidateDate((*status)->nextDate, (*status)->nextDateFormat, AFTER)) + { ret = xstat2err((*status)->status); + + if (responseBuffer) { + responseBuffer->buffer = (byte*)XMALLOC( + (*status)->rawOcspResponseSz, NULL, DYNAMIC_TYPE_TMP_BUFFER); + + if (responseBuffer->buffer) { + responseBuffer->length = (*status)->rawOcspResponseSz; + XMEMCPY(responseBuffer->buffer, + (*status)->rawOcspResponse, + (*status)->rawOcspResponseSz); + } + } + } } UnLockMutex(&ocsp->ocspLock); @@ -216,16 +238,18 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request, return ret; } -int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) +int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, + void* encodedResponse) { - OcspEntry* entry = NULL; - CertStatus* status = NULL; - byte* request = NULL; - int requestSz = 2048; - byte* response = NULL; - const char* url; - int urlSz; - int ret = -1; + OcspEntry* entry = NULL; + CertStatus* status = NULL; + byte* request = NULL; + int requestSz = 2048; + byte* response = NULL; + buffer* responseBuffer = (buffer*) encodedResponse; + const char* url = NULL; + int urlSz = 0; + int ret = -1; #ifdef WOLFSSL_SMALL_STACK CertStatus* newStatus; @@ -237,11 +261,16 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) WOLFSSL_ENTER("CheckOcspRequest"); + if (responseBuffer) { + responseBuffer->buffer = NULL; + responseBuffer->length = 0; + } + ret = GetOcspEntry(ocsp, ocspRequest, &entry); if (ret != 0) return ret; - ret = GetOcspStatus(ocsp, ocspRequest, entry, &status); + ret = GetOcspStatus(ocsp, ocspRequest, entry, &status, responseBuffer); if (ret != OCSP_INVALID_STATUS) return ret; @@ -300,14 +329,29 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) ret = OCSP_LOOKUP_FAIL; else { if (CompareOcspReqResp(ocspRequest, ocspResponse) == 0) { + if (responseBuffer) { + responseBuffer->buffer = (byte*)XMALLOC(ret, NULL, + DYNAMIC_TYPE_TMP_BUFFER); + + if (responseBuffer->buffer) { + responseBuffer->length = ret; + XMEMCPY(responseBuffer->buffer, response, ret); + } + } + ret = xstat2err(ocspResponse->status->status); if (LockMutex(&ocsp->ocspLock) != 0) ret = BAD_MUTEX_E; else { - if (status != NULL) + if (status != NULL) { + if (status->rawOcspResponse) + XFREE(status->rawOcspResponse, NULL, + DYNAMIC_TYPE_OCSP_STATUS); + /* Replace existing certificate entry with updated */ XMEMCPY(status, newStatus, sizeof(CertStatus)); + } else { /* Save new certificate entry */ status = (CertStatus*)XMALLOC(sizeof(CertStatus), @@ -320,6 +364,19 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest) } } + if (status && responseBuffer && responseBuffer->buffer) { + status->rawOcspResponse = (byte*)XMALLOC( + responseBuffer->length, NULL, + DYNAMIC_TYPE_OCSP_STATUS); + + if (status->rawOcspResponse) { + status->rawOcspResponseSz = responseBuffer->length; + XMEMCPY(status->rawOcspResponse, + responseBuffer->buffer, + responseBuffer->length); + } + } + UnLockMutex(&ocsp->ocspLock); } } diff --git a/src/ssl.c b/src/ssl.c index 4a76e40b0..a6d4c2937 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -803,8 +803,7 @@ int wolfSSL_CTX_UseTruncatedHMAC(WOLFSSL_CTX* ctx) #ifdef HAVE_CERTIFICATE_STATUS_REQUEST -int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type, - byte options) +int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, byte status_type, byte options) { if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) return BAD_FUNC_ARG; @@ -814,7 +813,7 @@ int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, byte status_type, } -int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, +int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, byte status_type, byte options) { if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) @@ -826,6 +825,30 @@ int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, byte status_type, #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl, byte status_type, byte options) +{ + if (ssl == NULL || ssl->options.side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequestV2(&ssl->extensions, status_type, + options); +} + + +int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, + byte status_type, byte options) +{ + if (ctx == NULL || ctx->method->side != WOLFSSL_CLIENT_END) + return BAD_FUNC_ARG; + + return TLSX_UseCertificateStatusRequestV2(&ctx->extensions, status_type, + options); +} + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + /* Elliptic Curves */ #ifdef HAVE_SUPPORTED_CURVES #ifndef NO_WOLFSSL_CLIENT @@ -1643,6 +1666,11 @@ void wolfSSL_CertManagerFree(WOLFSSL_CERT_MANAGER* cm) #ifdef HAVE_OCSP if (cm->ocsp) FreeOCSP(cm->ocsp, 1); + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + if (cm->ocsp_stapling) + FreeOCSP(cm->ocsp_stapling, 1); + #endif #endif FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL); FreeMutex(&cm->caLock); @@ -3461,6 +3489,43 @@ int wolfSSL_CertManagerDisableOCSP(WOLFSSL_CERT_MANAGER* cm) return SSL_SUCCESS; } +/* turn on OCSP Stapling if off and compiled in, set options */ +int wolfSSL_CertManagerEnableOCSPStapling(WOLFSSL_CERT_MANAGER* cm) +{ + int ret = SSL_SUCCESS; + + WOLFSSL_ENTER("wolfSSL_CertManagerEnableOCSPStapling"); + if (cm == NULL) + return BAD_FUNC_ARG; + + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + if (cm->ocsp_stapling == NULL) { + cm->ocsp_stapling = (WOLFSSL_OCSP*)XMALLOC(sizeof(WOLFSSL_OCSP), + cm->heap, DYNAMIC_TYPE_OCSP); + if (cm->ocsp_stapling == NULL) + return MEMORY_E; + + if (InitOCSP(cm->ocsp_stapling, cm) != 0) { + WOLFSSL_MSG("Init OCSP failed"); + FreeOCSP(cm->ocsp_stapling, 1); + cm->ocsp_stapling = NULL; + return SSL_FAILURE; + } + } + cm->ocspStaplingEnabled = 1; + + #ifndef WOLFSSL_USER_IO + cm->ocspIOCb = EmbedOcspLookup; + cm->ocspRespFreeCb = EmbedOcspRespFree; + #endif /* WOLFSSL_USER_IO */ + #else + ret = NOT_COMPILED_IN; + #endif + + return ret; +} + #ifdef HAVE_OCSP @@ -3495,7 +3560,7 @@ int wolfSSL_CertManagerCheckOCSP(WOLFSSL_CERT_MANAGER* cm, byte* der, int sz) if ((ret = ParseCertRelative(cert, CERT_TYPE, NO_VERIFY, cm)) != 0) { WOLFSSL_MSG("ParseCert failed"); } - else if ((ret = CheckCertOCSP(cm->ocsp, cert)) != 0) { + else if ((ret = CheckCertOCSP(cm->ocsp, cert, NULL)) != 0) { WOLFSSL_MSG("CheckCertOCSP failed"); } @@ -3630,6 +3695,17 @@ int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX* ctx, CbOCSPIO ioCb, return BAD_FUNC_ARG; } +#if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) +int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX* ctx) +{ + WOLFSSL_ENTER("wolfSSL_CTX_EnableOCSPStapling"); + if (ctx) + return wolfSSL_CertManagerEnableOCSPStapling(ctx->cm); + else + return BAD_FUNC_ARG; +} +#endif #endif /* HAVE_OCSP */ @@ -6077,6 +6153,15 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, WOLFSSL_MSG("accept state CERT_SENT"); case CERT_SENT : + if (!ssl->options.resuming) + if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { + WOLFSSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + ssl->options.acceptState = CERT_STATUS_SENT; + WOLFSSL_MSG("accept state CERT_STATUS_SENT"); + + case CERT_STATUS_SENT : if (!ssl->options.resuming) if ( (ssl->error = SendServerKeyExchange(ssl)) != 0) { WOLFSSL_ERROR(ssl->error); diff --git a/src/tls.c b/src/tls.c index 8cef8597b..744b81828 100644 --- a/src/tls.c +++ b/src/tls.c @@ -919,7 +919,7 @@ static word16 TLSX_ALPN_GetSize(ALPN *list) length++; /* protocol name length is on one byte */ length += (word16)XSTRLEN(alpn->protocol_name); } - + return length; } @@ -946,7 +946,7 @@ static word16 TLSX_ALPN_Write(ALPN *list, byte *output) /* writing list length */ c16toa(offset - OPAQUE16_LEN, output); - + return offset; } @@ -1891,11 +1891,6 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions) #ifdef HAVE_CERTIFICATE_STATUS_REQUEST -#ifndef HAVE_OCSP -#error Status Request Extension requires OCSP. \ - Use --enable-ocsp in the configure script or define HAVE_OCSP. -#endif - static void TLSX_CSR_Free(CertificateStatusRequest* csr) { switch (csr->status_type) { @@ -1922,6 +1917,7 @@ static word16 TLSX_CSR_GetSize(CertificateStatusRequest* csr, byte isRequest) if (csr->request.ocsp.nonceSz) size += OCSP_NONCE_EXT_SZ; + break; } } #endif @@ -1954,7 +1950,7 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, length = EncodeOcspRequestExtensions( &csr->request.ocsp, output + offset + OPAQUE16_LEN, - MAX_OCSP_EXT_SZ); + OCSP_NONCE_EXT_SZ); c16toa(length, output + offset); offset += OPAQUE16_LEN + length; @@ -1972,7 +1968,7 @@ static word16 TLSX_CSR_Write(CertificateStatusRequest* csr, byte* output, static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest) { - int ret = 0; + int ret; /* shut up compiler warnings */ (void) ssl; (void) input; @@ -2019,8 +2015,63 @@ static int TLSX_CSR_Parse(WOLFSSL* ssl, byte* input, word16 length, return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ #endif } + else { +#ifndef NO_WOLFSSL_SERVER + byte status_type; + word16 offset = 0; + word16 size = 0; - return ret; + if (length < ENUM_LEN) + return BUFFER_ERROR; + + status_type = input[offset++]; + + switch (status_type) { + case WOLFSSL_CSR_OCSP: { + + /* skip responder_id_list */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + /* skip request_extensions */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + if (offset > length) + return BUFFER_ERROR; + + /* is able to send OCSP response? */ + if (ssl->ctx->cm == NULL || !ssl->ctx->cm->ocspStaplingEnabled) + return 0; + } + break; + } + + /* if using status_request and already sending it, skip this one */ + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + if (ssl->status_request_v2) + return 0; + #endif + + /* accept the first good status_type and return */ + ret = TLSX_UseCertificateStatusRequest(&ssl->extensions, status_type, + 0); + if (ret != SSL_SUCCESS) + return ret; /* throw error */ + + TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST); + ssl->status_request = status_type; + +#endif + } + + return 0; } int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert) @@ -2078,7 +2129,7 @@ int TLSX_CSR_ForceRequest(WOLFSSL* ssl) case WOLFSSL_CSR_OCSP: if (ssl->ctx->cm->ocspEnabled) return CheckOcspRequest(ssl->ctx->cm->ocsp, - &csr->request.ocsp); + &csr->request.ocsp, NULL); else return OCSP_LOOKUP_FAIL; } @@ -2144,6 +2195,420 @@ int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, #endif /* HAVE_CERTIFICATE_STATUS_REQUEST */ +/******************************************************************************/ +/* Certificate Status Request v2 */ +/******************************************************************************/ + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +static void TLSX_CSR2_FreeAll(CertificateStatusRequestItemV2* csr2) +{ + CertificateStatusRequestItemV2* next; + + for (; csr2; csr2 = next) { + next = csr2->next; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + while(csr2->requests--) + FreeOcspRequest(&csr2->request.ocsp[csr2->requests]); + break; + } + + XFREE(csr2, NULL, DYNAMIC_TYPE_TLSX); + } +} + +static word16 TLSX_CSR2_GetSize(CertificateStatusRequestItemV2* csr2, + byte isRequest) +{ + word16 size = 0; + + /* shut up compiler warnings */ + (void) csr2; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + CertificateStatusRequestItemV2* next; + + for (size = OPAQUE16_LEN; csr2; csr2 = next) { + next = csr2->next; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + size += ENUM_LEN + 3 * OPAQUE16_LEN; + + if (csr2->request.ocsp[0].nonceSz) + size += OCSP_NONCE_EXT_SZ; + break; + } + } + } +#endif + + return size; +} + +static word16 TLSX_CSR2_Write(CertificateStatusRequestItemV2* csr2, + byte* output, byte isRequest) +{ + /* shut up compiler warnings */ + (void) csr2; (void) output; (void) isRequest; + +#ifndef NO_WOLFSSL_CLIENT + if (isRequest) { + word16 offset; + word16 length; + + for (offset = OPAQUE16_LEN; csr2 != NULL; csr2 = csr2->next) { + /* status_type */ + output[offset++] = csr2->status_type; + + /* request */ + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + /* request_length */ + length = 2 * OPAQUE16_LEN; + + if (csr2->request.ocsp[0].nonceSz) + length += OCSP_NONCE_EXT_SZ; + + c16toa(length, output + offset); + offset += OPAQUE16_LEN; + + /* responder id list */ + c16toa(0, output + offset); + offset += OPAQUE16_LEN; + + /* request extensions */ + length = 0; + + if (csr2->request.ocsp[0].nonceSz) + length = EncodeOcspRequestExtensions( + &csr2->request.ocsp[0], + output + offset + OPAQUE16_LEN, + OCSP_NONCE_EXT_SZ); + + c16toa(length, output + offset); + offset += OPAQUE16_LEN + length; + break; + } + } + + /* list size */ + c16toa(offset - OPAQUE16_LEN, output); + + return offset; + } +#endif + + return 0; +} + +static int TLSX_CSR2_Parse(WOLFSSL* ssl, byte* input, word16 length, + byte isRequest) +{ + int ret; + + /* shut up compiler warnings */ + (void) ssl; (void) input; + + if (!isRequest) { +#ifndef NO_WOLFSSL_CLIENT + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data + : NULL; + + if (!csr2) { + /* look at context level */ + + extension = TLSX_Find(ssl->ctx->extensions, TLSX_STATUS_REQUEST_V2); + csr2 = extension ? extension->data : NULL; + + if (!csr2) + return BUFFER_ERROR; /* unexpected extension */ + + /* enable extension at ssl level */ + for (; csr2; csr2 = csr2->next) { + ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, + csr2->status_type, csr2->options); + if (ret != SSL_SUCCESS) + return ret; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + case WOLFSSL_CSR2_OCSP_MULTI: + /* propagate nonce */ + if (csr2->request.ocsp[0].nonceSz) { + OcspRequest* request = + TLSX_CSR2_GetRequest(ssl->extensions, + csr2->status_type, 0); + + if (request) { + XMEMCPY(request->nonce, + csr2->request.ocsp[0].nonce, + csr2->request.ocsp[0].nonceSz); + + request->nonceSz = + csr2->request.ocsp[0].nonceSz; + } + } + break; + } + } + + } + + ssl->status_request_v2 = 1; + + return length ? BUFFER_ERROR : 0; /* extension_data MUST be empty. */ +#endif + } + else { +#ifndef NO_WOLFSSL_SERVER + byte status_type; + word16 request_length; + word16 offset = 0; + word16 size = 0; + + /* list size */ + ato16(input + offset, &request_length); + offset += OPAQUE16_LEN; + + if (length - OPAQUE16_LEN != request_length) + return BUFFER_ERROR; + + while (length > offset) { + if (length - offset < ENUM_LEN + OPAQUE16_LEN) + return BUFFER_ERROR; + + status_type = input[offset++]; + + ato16(input + offset, &request_length); + offset += OPAQUE16_LEN; + + if (length - offset < request_length) + return BUFFER_ERROR; + + switch (status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + /* skip responder_id_list */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + /* skip request_extensions */ + if (length - offset < OPAQUE16_LEN) + return BUFFER_ERROR; + + ato16(input + offset, &size); + offset += OPAQUE16_LEN + size; + + if (offset > length) + return BUFFER_ERROR; + + /* is able to send OCSP response? */ + if (ssl->ctx->cm == NULL + || !ssl->ctx->cm->ocspStaplingEnabled) + continue; + break; + + default: + /* unkown status type, skipping! */ + offset += request_length; + continue; + } + + /* if using status_request and already sending it, skip this one */ + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST + if (ssl->status_request) + return 0; + #endif + + /* accept the first good status_type and return */ + ret = TLSX_UseCertificateStatusRequestV2(&ssl->extensions, + status_type, 0); + if (ret != SSL_SUCCESS) + return ret; /* throw error */ + + TLSX_SetResponse(ssl, TLSX_STATUS_REQUEST_V2); + ssl->status_request_v2 = status_type; + + return 0; + } +#endif + } + + return 0; +} + +int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + int ret = 0; + + for (; csr2; csr2 = csr2->next) { + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + if (!isPeer || csr2->requests != 0) + break; + + /* followed by */ + + case WOLFSSL_CSR2_OCSP_MULTI: { + if (csr2->requests < 1 + MAX_CHAIN_DEPTH) { + byte nonce[MAX_OCSP_NONCE_SZ]; + int nonceSz = csr2->request.ocsp[0].nonceSz; + + /* preserve nonce, replicating nonce of ocsp[0] */ + XMEMCPY(nonce, csr2->request.ocsp[0].nonce, nonceSz); + + if ((ret = InitOcspRequest( + &csr2->request.ocsp[csr2->requests], cert, 0)) != 0) + return ret; + + /* restore nonce */ + XMEMCPY(csr2->request.ocsp[csr2->requests].nonce, + nonce, nonceSz); + csr2->request.ocsp[csr2->requests].nonceSz = nonceSz; + csr2->requests++; + } + } + break; + } + } + + return ret; +} + +void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, byte index) +{ + TLSX* extension = TLSX_Find(extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + + for (; csr2; csr2 = csr2->next) { + if (csr2->status_type == status_type) { + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + + case WOLFSSL_CSR2_OCSP_MULTI: + /* requests are initialized in the reverse order */ + return index < csr2->requests + ? &csr2->request.ocsp[csr2->requests - index - 1] + : NULL; + break; + } + } + } + + return NULL; +} + +int TLSX_CSR2_ForceRequest(WOLFSSL* ssl) +{ + TLSX* extension = TLSX_Find(ssl->extensions, TLSX_STATUS_REQUEST_V2); + CertificateStatusRequestItemV2* csr2 = extension ? extension->data : NULL; + + /* forces only the first one */ + if (csr2) { + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + /* followed by */ + + case WOLFSSL_CSR2_OCSP_MULTI: + if (ssl->ctx->cm->ocspEnabled) + return CheckOcspRequest(ssl->ctx->cm->ocsp, + &csr2->request.ocsp[0], NULL); + else + return OCSP_LOOKUP_FAIL; + } + } + + return 0; +} + +int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, byte status_type, + byte options) +{ + TLSX* extension = NULL; + CertificateStatusRequestItemV2* csr2 = NULL; + int ret = 0; + + if (!extensions) + return BAD_FUNC_ARG; + + if (status_type != WOLFSSL_CSR2_OCSP + && status_type != WOLFSSL_CSR2_OCSP_MULTI) + return BAD_FUNC_ARG; + + csr2 = (CertificateStatusRequestItemV2*) + XMALLOC(sizeof(CertificateStatusRequestItemV2), NULL, DYNAMIC_TYPE_TLSX); + if (!csr2) + return MEMORY_E; + + ForceZero(csr2, sizeof(CertificateStatusRequestItemV2)); + + csr2->status_type = status_type; + csr2->options = options; + csr2->next = NULL; + + switch (csr2->status_type) { + case WOLFSSL_CSR2_OCSP: + case WOLFSSL_CSR2_OCSP_MULTI: + if (options & WOLFSSL_CSR2_OCSP_USE_NONCE) { + WC_RNG rng; + + if (wc_InitRng(&rng) == 0) { + if (wc_RNG_GenerateBlock(&rng, csr2->request.ocsp[0].nonce, + MAX_OCSP_NONCE_SZ) == 0) + csr2->request.ocsp[0].nonceSz = MAX_OCSP_NONCE_SZ; + + wc_FreeRng(&rng); + } + } + break; + } + + /* append new item */ + if ((extension = TLSX_Find(*extensions, TLSX_STATUS_REQUEST_V2))) { + CertificateStatusRequestItemV2* last = + (CertificateStatusRequestItemV2*)extension->data; + + for (; last->next; last = last->next); + + last->next = csr2; + } + else if ((ret = TLSX_Push(extensions, TLSX_STATUS_REQUEST_V2, csr2))) { + XFREE(csr2, NULL, DYNAMIC_TYPE_TLSX); + return ret; + } + + return SSL_SUCCESS; +} + +#define CSR2_FREE_ALL TLSX_CSR2_FreeAll +#define CSR2_GET_SIZE TLSX_CSR2_GetSize +#define CSR2_WRITE TLSX_CSR2_Write +#define CSR2_PARSE TLSX_CSR2_Parse + +#else + +#define CSR2_FREE_ALL(data) +#define CSR2_GET_SIZE(a, b) 0 +#define CSR2_WRITE(a, b, c) 0 +#define CSR2_PARSE(a, b, c, d) 0 + +#endif /* HAVE_CERTIFICATE_STATUS_REQUEST_V2 */ + /******************************************************************************/ /* Supported Elliptic Curves */ /******************************************************************************/ @@ -3359,6 +3824,10 @@ void TLSX_FreeAll(TLSX* list) CSR_FREE_ALL(extension->data); break; + case TLSX_STATUS_REQUEST_V2: + CSR2_FREE_ALL(extension->data); + break; + case TLSX_RENEGOTIATION_INFO: SCR_FREE_ALL(extension->data); break; @@ -3430,6 +3899,10 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest) length += CSR_GET_SIZE(extension->data, isRequest); break; + case TLSX_STATUS_REQUEST_V2: + length += CSR2_GET_SIZE(extension->data, isRequest); + break; + case TLSX_RENEGOTIATION_INFO: length += SCR_GET_SIZE(extension->data, isRequest); break; @@ -3504,6 +3977,11 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore, isRequest); break; + case TLSX_STATUS_REQUEST_V2: + offset += CSR2_WRITE(extension->data, output + offset, + isRequest); + break; + case TLSX_RENEGOTIATION_INFO: offset += SCR_WRITE(extension->data, output + offset, isRequest); @@ -4005,6 +4483,12 @@ int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, byte isRequest, ret = CSR_PARSE(ssl, input + offset, size, isRequest); break; + case TLSX_STATUS_REQUEST_V2: + WOLFSSL_MSG("Certificate Status Request v2 extension received"); + + ret = CSR2_PARSE(ssl, input + offset, size, isRequest); + break; + case TLSX_RENEGOTIATION_INFO: WOLFSSL_MSG("Secure Renegotiation extension received"); diff --git a/wolfcrypt/src/asn.c b/wolfcrypt/src/asn.c index 479c5d3c8..6488467b7 100644 --- a/wolfcrypt/src/asn.c +++ b/wolfcrypt/src/asn.c @@ -8786,6 +8786,8 @@ static int DecodeSingleResponse(byte* source, if (GetBasicDate(source, &idx, cs->nextDate, &cs->nextDateFormat, size) < 0) return ASN_PARSE_E; + if (!XVALIDATE_DATE(cs->nextDate, cs->nextDateFormat, AFTER)) + return ASN_AFTER_DATE_E; } if (((int)(idx - prevIndex) < wrapperSz) && (source[idx] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))) @@ -8860,7 +8862,7 @@ static int DecodeOcspRespExtensions(byte* source, WOLFSSL_MSG("\tfail: extension data length"); return ASN_PARSE_E; } - + resp->nonce = source + idx; resp->nonceSz = length; } @@ -9024,8 +9026,8 @@ static int DecodeBasicOcspResponse(byte* source, word32* ioIndex, else { Signer* ca = GetCA(cm, resp->issuerHash); - if (!ca || !ConfirmSignature(resp->response, resp->responseSz, - ca->publicKey, ca->pubKeySize, ca->keyOID, + if (!ca || !ConfirmSignature(resp->response, resp->responseSz, + ca->publicKey, ca->pubKeySize, ca->keyOID, resp->sig, resp->sigSz, resp->sigOID, NULL)) { WOLFSSL_MSG("\tOCSP Confirm signature failed"); return ASN_OCSP_CONFIRM_E; @@ -9042,20 +9044,13 @@ void InitOcspResponse(OcspResponse* resp, CertStatus* status, { WOLFSSL_ENTER("InitOcspResponse"); + XMEMSET(status, 0, sizeof(CertStatus)); + XMEMSET(resp, 0, sizeof(OcspResponse)); + resp->responseStatus = -1; - resp->response = NULL; - resp->responseSz = 0; - resp->producedDateFormat = 0; - resp->issuerHash = NULL; - resp->issuerKeyHash = NULL; - resp->sig = NULL; - resp->sigSz = 0; - resp->sigOID = 0; - resp->status = status; - resp->nonce = NULL; - resp->nonceSz = 0; - resp->source = source; - resp->maxIdx = inSz; + resp->status = status; + resp->source = source; + resp->maxIdx = inSz; } @@ -9131,34 +9126,34 @@ word32 EncodeOcspRequestExtensions(OcspRequest* req, byte* output, word32 size) totalSz += seqSz[4] = SetSequence(totalSz, seqArray[4]); totalSz += seqSz[5] = SetExplicit(2, totalSz, seqArray[5]); - if (totalSz < size) - { - totalSz = 0; - - XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); - totalSz += seqSz[5]; - - XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); - totalSz += seqSz[4]; - - XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); - totalSz += seqSz[3]; - - XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); - totalSz += seqSz[2]; - - XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); - totalSz += (word32)sizeof(NonceObjId); - - XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); - totalSz += seqSz[1]; - - XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); - totalSz += seqSz[0]; - - XMEMCPY(output + totalSz, req->nonce, req->nonceSz); - totalSz += req->nonceSz; - } + if (totalSz > size) + return 0; + + totalSz = 0; + + XMEMCPY(output + totalSz, seqArray[5], seqSz[5]); + totalSz += seqSz[5]; + + XMEMCPY(output + totalSz, seqArray[4], seqSz[4]); + totalSz += seqSz[4]; + + XMEMCPY(output + totalSz, seqArray[3], seqSz[3]); + totalSz += seqSz[3]; + + XMEMCPY(output + totalSz, seqArray[2], seqSz[2]); + totalSz += seqSz[2]; + + XMEMCPY(output + totalSz, NonceObjId, sizeof(NonceObjId)); + totalSz += (word32)sizeof(NonceObjId); + + XMEMCPY(output + totalSz, seqArray[1], seqSz[1]); + totalSz += seqSz[1]; + + XMEMCPY(output + totalSz, seqArray[0], seqSz[0]); + totalSz += seqSz[0]; + + XMEMCPY(output + totalSz, req->nonce, req->nonceSz); + totalSz += req->nonceSz; return totalSz; } @@ -9190,7 +9185,7 @@ int EncodeOcspRequest(OcspRequest* req, byte* output, word32 size) extSz = 0; if (req->nonceSz) - extSz = EncodeOcspRequestExtensions(req, extArray, MAX_OCSP_EXT_SZ); + extSz = EncodeOcspRequestExtensions(req, extArray, OCSP_NONCE_EXT_SZ); totalSz = algoSz + issuerSz + issuerKeySz + snSz; for (i = 4; i >= 0; i--) { diff --git a/wolfcrypt/src/logging.c b/wolfcrypt/src/logging.c index fb90c6dcc..2156b1f43 100644 --- a/wolfcrypt/src/logging.c +++ b/wolfcrypt/src/logging.c @@ -136,6 +136,44 @@ void WOLFSSL_MSG(const char* msg) } +void WOLFSSL_BUFFER(byte* buffer, word32 length) +{ + #define LINE_LEN 16 + + if (loggingEnabled) { + word32 i; + char line[80]; + + if (!buffer) { + wolfssl_log(INFO_LOG, "\tNULL"); + + return; + } + + sprintf(line, "\t"); + + for (i = 0; i < LINE_LEN; i++) { + if (i < length) + sprintf(line + 1 + i * 3,"%02x ", buffer[i]); + else + sprintf(line + 1 + i * 3, " "); + } + + sprintf(line + 1 + LINE_LEN * 3, "| "); + + for (i = 0; i < LINE_LEN; i++) + if (i < length) + sprintf(line + 3 + LINE_LEN * 3 + i, + "%c", 31 < buffer[i] && buffer[i] < 127 ? buffer[i] : '.'); + + wolfssl_log(INFO_LOG, line); + + if (length > LINE_LEN) + WOLFSSL_BUFFER(buffer + LINE_LEN, length - LINE_LEN); + } +} + + void WOLFSSL_ENTER(const char* msg) { if (loggingEnabled) { diff --git a/wolfssl/certs_test.h b/wolfssl/certs_test.h index 6a3fb4799..c9b0b16a5 100644 --- a/wolfssl/certs_test.h +++ b/wolfssl/certs_test.h @@ -98,9 +98,9 @@ static const int sizeof_client_keypub_der_1024 = sizeof(client_keypub_der_1024); /* ./certs/1024/client-cert.der, 1024-bit */ static const unsigned char client_cert_der_1024[] = { - 0x30, 0x82, 0x03, 0xC5, 0x30, 0x82, 0x03, 0x2E, 0xA0, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xE3, 0xD7, 0xA0, 0xFA, - 0x76, 0xDF, 0x2A, 0xFA, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x30, 0x82, 0x03, 0xF9, 0x30, 0x82, 0x03, 0x62, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xD3, 0xDF, 0x98, 0xC4, + 0x80, 0x1F, 0x1F, 0x6F, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, @@ -118,10 +118,10 @@ static const unsigned char client_cert_der_1024[] = 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, 0x30, 0x37, - 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, 0x0D, 0x31, - 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, 0x31, 0x30, - 0x31, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31, + 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, 0x39, 0x33, + 0x37, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, @@ -153,8 +153,8 @@ static const unsigned char client_cert_der_1024[] = 0x4C, 0xE8, 0xC1, 0xFD, 0x4A, 0x6F, 0x2B, 0x1F, 0xEF, 0x8A, 0xAE, 0xF6, 0x90, 0x62, 0xE5, 0x64, 0x1E, 0xEB, 0x2B, 0x3C, 0x67, 0xC8, 0xDC, 0x27, 0x00, 0xF6, 0x91, 0x68, 0x65, 0xA9, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x07, 0x30, - 0x82, 0x01, 0x03, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, + 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x3B, 0x30, + 0x82, 0x01, 0x37, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x81, 0x69, 0x0F, 0xF8, 0xDF, 0xDD, 0xCF, 0x34, 0x29, 0xD5, 0x67, 0x75, 0x71, 0x85, 0xC7, 0x75, 0x10, 0x69, 0x59, 0xEC, 0x30, 0x81, 0xD3, 0x06, 0x03, 0x55, @@ -178,23 +178,29 @@ static const unsigned char client_cert_der_1024[] = 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, - 0xE3, 0xD7, 0xA0, 0xFA, 0x76, 0xDF, 0x2A, 0xFA, 0x30, 0x0C, + 0xD3, 0xDF, 0x98, 0xC4, 0x80, 0x1F, 0x1F, 0x6F, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, - 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x81, 0x81, - 0x00, 0x1D, 0xB7, 0xD5, 0x7C, 0xE1, 0xB1, 0xD8, 0xC0, 0x67, - 0x5D, 0xB5, 0xD3, 0x88, 0xE7, 0x50, 0x29, 0x71, 0x63, 0x8F, - 0xCC, 0x26, 0x1F, 0x33, 0x09, 0x55, 0x43, 0x9B, 0xAB, 0xC6, - 0x1B, 0xBC, 0xC7, 0x01, 0x95, 0x1A, 0xFA, 0x65, 0xE0, 0xFD, - 0x9C, 0xEB, 0x6F, 0x0A, 0x0F, 0x14, 0xEC, 0xB5, 0x2F, 0xDC, - 0x1C, 0x30, 0xDD, 0x52, 0x97, 0xD4, 0x1C, 0x09, 0x00, 0x33, - 0x38, 0x5F, 0xCB, 0xA8, 0x16, 0x8F, 0x11, 0xB7, 0xB8, 0xD0, - 0x66, 0xE1, 0x54, 0x28, 0xF3, 0x3F, 0xBF, 0x6A, 0x6F, 0x76, - 0x48, 0x2A, 0x5E, 0x56, 0xA7, 0xCE, 0x1C, 0xF0, 0x04, 0xDD, - 0x17, 0xBD, 0x06, 0x78, 0x21, 0x6D, 0xD6, 0xB1, 0x9B, 0x75, - 0x31, 0x92, 0xC1, 0xFE, 0xD4, 0x8D, 0xD4, 0x67, 0x2F, 0x03, - 0x1B, 0x27, 0x8D, 0xAB, 0xFF, 0x30, 0x3B, 0xC3, 0x7F, 0x23, - 0xE4, 0xAB, 0x5B, 0x91, 0xE1, 0x1B, 0x66, 0xE6, 0xED + 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, + 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22, + 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, + 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x6C, + 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x3A, 0x32, + 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, + 0x81, 0x81, 0x00, 0x71, 0x39, 0xFA, 0x86, 0xC3, 0x54, 0xE5, + 0x98, 0xB5, 0xE8, 0xC3, 0xCB, 0x97, 0x2F, 0x86, 0xBF, 0xE8, + 0xBC, 0xFB, 0xEB, 0xD8, 0x73, 0x97, 0x34, 0x9A, 0x16, 0xBF, + 0xE0, 0xB2, 0xBD, 0xBE, 0x7D, 0xFF, 0xA0, 0xD7, 0xE6, 0xDB, + 0xA3, 0x52, 0x43, 0x41, 0x60, 0xF1, 0xD7, 0xC3, 0x63, 0xC0, + 0x9B, 0xE2, 0xB2, 0x28, 0x87, 0x70, 0x60, 0x5D, 0x2B, 0x5D, + 0x56, 0x15, 0x3C, 0xB1, 0x1E, 0x03, 0x53, 0x72, 0x39, 0x32, + 0xE2, 0x47, 0x85, 0xF7, 0x8B, 0xE8, 0x38, 0x50, 0xA9, 0xC9, + 0xD3, 0x52, 0x75, 0x0E, 0x16, 0x14, 0xA5, 0xA5, 0xC4, 0x9F, + 0x3E, 0x73, 0xD8, 0x38, 0x79, 0xBF, 0xF7, 0x9B, 0x4D, 0x0D, + 0xF3, 0xAA, 0xCE, 0xA2, 0x03, 0x84, 0x66, 0x14, 0xC9, 0x01, + 0xF5, 0x86, 0xA5, 0x66, 0xA1, 0xCA, 0x6A, 0x71, 0x5F, 0x2D, + 0x31, 0x8E, 0x1C, 0xCC, 0x0C, 0xE6, 0x46, 0x99, 0x5D, 0x0A, + 0x4C }; static const int sizeof_client_cert_der_1024 = sizeof(client_cert_der_1024); @@ -775,9 +781,9 @@ static const int sizeof_client_keypub_der_2048 = sizeof(client_keypub_der_2048); /* ./certs/client-cert.der, 2048-bit */ static const unsigned char client_cert_der_2048[] = { - 0x30, 0x82, 0x04, 0xCA, 0x30, 0x82, 0x03, 0xB2, 0xA0, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xAA, 0x27, 0xB3, 0xC5, - 0xA9, 0x72, 0x6E, 0x0D, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x30, 0x82, 0x04, 0xFE, 0x30, 0x82, 0x03, 0xE6, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0x95, 0x90, 0x12, 0x9B, + 0x22, 0xA1, 0x50, 0x40, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, @@ -795,10 +801,10 @@ static const unsigned char client_cert_der_2048[] = 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, 0x30, 0x37, - 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, 0x0D, 0x31, - 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, 0x31, 0x30, - 0x31, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31, + 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, 0x39, 0x33, + 0x37, 0x5A, 0x30, 0x81, 0x9E, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, @@ -844,7 +850,7 @@ static const unsigned char client_cert_der_2048[] = 0x30, 0xC4, 0x97, 0x84, 0x86, 0x2D, 0x56, 0x2F, 0xD7, 0x15, 0xF7, 0x7F, 0xC0, 0xAE, 0xF5, 0xFC, 0x5B, 0xE5, 0xFB, 0xA1, 0xBA, 0xD3, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, - 0x07, 0x30, 0x82, 0x01, 0x03, 0x30, 0x1D, 0x06, 0x03, 0x55, + 0x3B, 0x30, 0x82, 0x01, 0x37, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x33, 0xD8, 0x45, 0x66, 0xD7, 0x68, 0x87, 0x18, 0x7E, 0x54, 0x0D, 0x70, 0x27, 0x91, 0xC7, 0x26, 0xD7, 0x85, 0x65, 0xC0, 0x30, 0x81, 0xD3, 0x06, @@ -868,37 +874,42 @@ static const unsigned char client_cert_der_2048[] = 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, - 0x09, 0x00, 0xAA, 0x27, 0xB3, 0xC5, 0xA9, 0x72, 0x6E, 0x0D, + 0x09, 0x00, 0x95, 0x90, 0x12, 0x9B, 0x22, 0xA1, 0x50, 0x40, 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, - 0x03, 0x01, 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, - 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, - 0x82, 0x01, 0x01, 0x00, 0x51, 0x96, 0xA7, 0x1C, 0x26, 0x5D, - 0x1C, 0x90, 0xC6, 0x32, 0x9F, 0x96, 0x15, 0xF2, 0x1D, 0xE7, - 0x93, 0x9C, 0xAC, 0x75, 0x56, 0x95, 0xFD, 0x20, 0x70, 0xAB, - 0x45, 0x6A, 0x09, 0xB0, 0xF3, 0xF2, 0x03, 0xA8, 0xDB, 0xDC, - 0x2F, 0xBC, 0x1F, 0x87, 0x7A, 0xA3, 0xD4, 0x8F, 0xD5, 0x49, - 0x97, 0x7E, 0x3C, 0x54, 0xAC, 0xB1, 0xE3, 0xF0, 0x39, 0x0D, - 0xFE, 0x09, 0x9A, 0x23, 0xF6, 0x32, 0xA6, 0x41, 0x59, 0xBD, - 0x60, 0xE8, 0xBD, 0xDE, 0x00, 0x36, 0x6F, 0x3E, 0xE9, 0x41, - 0x6F, 0xA9, 0x63, 0xC7, 0xAA, 0xD5, 0x7B, 0xF3, 0xE4, 0x39, - 0x48, 0x9E, 0xF6, 0x60, 0xC6, 0xC6, 0x86, 0xD5, 0x72, 0x86, - 0x23, 0xCD, 0xF5, 0x6A, 0x63, 0x53, 0xA4, 0xF8, 0xFC, 0x51, - 0x6A, 0xCD, 0x60, 0x74, 0x8E, 0xA3, 0x86, 0x61, 0x01, 0x34, - 0x78, 0xF7, 0x29, 0x97, 0xB3, 0xA7, 0x34, 0xB6, 0x0A, 0xDE, - 0xB5, 0x71, 0x7A, 0x09, 0xA6, 0x3E, 0xD6, 0x82, 0x58, 0x89, - 0x67, 0x9C, 0xC5, 0x68, 0x62, 0xBA, 0x06, 0xD6, 0x39, 0xBB, - 0xCB, 0x3A, 0xC0, 0xE0, 0x63, 0x1F, 0xC7, 0x0C, 0x9C, 0x12, - 0x86, 0xEC, 0xF7, 0x39, 0x6A, 0x61, 0x93, 0xD0, 0x33, 0x14, - 0xC6, 0x55, 0x3B, 0xB6, 0xCF, 0x80, 0x5B, 0x8C, 0x43, 0xEF, - 0x43, 0x44, 0x0B, 0x3C, 0x93, 0x39, 0xA3, 0x4E, 0x15, 0xD1, - 0x0B, 0x5F, 0x84, 0x98, 0x1D, 0xCD, 0x9F, 0xA9, 0x47, 0xEB, - 0x3B, 0x56, 0x30, 0xB6, 0x76, 0x92, 0xC1, 0x48, 0x5F, 0xBC, - 0x95, 0xB0, 0x50, 0x1A, 0x55, 0xC8, 0x4E, 0x62, 0x47, 0x87, - 0x54, 0x64, 0x0C, 0x9B, 0x91, 0xFA, 0x43, 0xB3, 0x29, 0x48, - 0xBE, 0xE6, 0x12, 0xEB, 0xE3, 0x44, 0xC6, 0x52, 0xE4, 0x40, - 0xC6, 0x83, 0x95, 0x1B, 0xA7, 0x65, 0x27, 0x69, 0x73, 0x2F, - 0xC8, 0xA0, 0x4D, 0x7F, 0xBE, 0xEA, 0x9B, 0x67, 0xB2, 0x7B - + 0x03, 0x01, 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, + 0x30, 0x22, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, + 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, + 0x2F, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, + 0x3A, 0x32, 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x7B, 0x91, 0x63, 0x8D, + 0x39, 0x54, 0x64, 0x3C, 0xB4, 0x3F, 0xD5, 0xC8, 0x4F, 0xBF, + 0x0B, 0xBF, 0xAF, 0x5C, 0x9C, 0x41, 0xC7, 0x0B, 0x52, 0x6D, + 0xC6, 0xF0, 0xDE, 0x7C, 0xFF, 0x9B, 0x4E, 0xFE, 0xF3, 0x22, + 0xA5, 0x00, 0x13, 0x9F, 0x81, 0xE4, 0x6D, 0x70, 0x2C, 0xF9, + 0x7A, 0xF4, 0xD8, 0x50, 0xBE, 0x72, 0xE1, 0x04, 0x8B, 0xB0, + 0x05, 0xE3, 0x61, 0x82, 0x3F, 0x65, 0xDE, 0xF9, 0xE9, 0xD3, + 0x3D, 0x97, 0x7D, 0x88, 0xB7, 0x99, 0x85, 0xC1, 0xE5, 0x5C, + 0x57, 0xA7, 0x9C, 0x1F, 0xF2, 0xB8, 0xCE, 0xEC, 0xD7, 0xD1, + 0x9B, 0xEC, 0xFB, 0x0E, 0x6F, 0x02, 0xAD, 0x51, 0xC0, 0x76, + 0xDD, 0x66, 0x0A, 0xCE, 0x0D, 0x09, 0xE6, 0xA8, 0x42, 0xB0, + 0x06, 0xC3, 0x04, 0xE7, 0x1C, 0xC7, 0x10, 0x83, 0x07, 0xF2, + 0xE6, 0x11, 0x1A, 0xCD, 0xA7, 0xB9, 0x7E, 0x17, 0xEF, 0xEA, + 0x63, 0x9C, 0xF2, 0xA5, 0xBE, 0x6B, 0xB6, 0xDF, 0xEB, 0x5A, + 0x75, 0x01, 0x59, 0x05, 0xF7, 0xEC, 0x49, 0x75, 0x10, 0xDD, + 0x40, 0x1A, 0x25, 0x25, 0x4F, 0x78, 0x6E, 0xE1, 0x92, 0x21, + 0xB5, 0xB8, 0x82, 0x2F, 0x33, 0xB3, 0x5B, 0xB6, 0x81, 0xB8, + 0xB1, 0xA4, 0x0C, 0x8D, 0x98, 0x74, 0x74, 0xDA, 0x0D, 0x90, + 0x33, 0xC8, 0xA7, 0xAA, 0x0D, 0x06, 0x5A, 0x04, 0xEB, 0x37, + 0xD3, 0xE4, 0x55, 0x0C, 0x93, 0xB6, 0xC8, 0x3A, 0xE8, 0xA7, + 0x2B, 0x4E, 0xB8, 0x90, 0xBB, 0x36, 0x0B, 0xDB, 0x7F, 0x2E, + 0x99, 0x23, 0x76, 0x68, 0x81, 0xA8, 0x73, 0x74, 0xE7, 0x68, + 0xFB, 0x1D, 0xFF, 0x5B, 0xEC, 0xB5, 0x6B, 0x30, 0xD1, 0xD0, + 0x2B, 0x89, 0xA6, 0xC6, 0xA9, 0xFC, 0x03, 0x66, 0xFE, 0xB5, + 0x8C, 0xAF, 0xDE, 0x8E, 0x2A, 0xB4, 0x78, 0x9C, 0xD7, 0x4A, + 0xFC, 0x9C, 0xC4, 0x7C, 0x19, 0x20, 0x83, 0x0E, 0xFD, 0x3F, + 0x4D, 0xA7 }; static const int sizeof_client_cert_der_2048 = sizeof(client_cert_der_2048); @@ -1154,9 +1165,9 @@ static const int sizeof_rsa_key_der_2048 = sizeof(rsa_key_der_2048); /* ./certs/ca-cert.der, 2048-bit */ static const unsigned char ca_cert_der_2048[] = { - 0x30, 0x82, 0x04, 0xAA, 0x30, 0x82, 0x03, 0x92, 0xA0, 0x03, - 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xD9, 0x80, 0x3A, 0xC3, - 0xD2, 0xF4, 0xDA, 0x37, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x30, 0x82, 0x04, 0xE0, 0x30, 0x82, 0x03, 0xC8, 0xA0, 0x03, + 0x02, 0x01, 0x02, 0x02, 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49, + 0x45, 0x9B, 0xDC, 0x81, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, @@ -1173,10 +1184,10 @@ static const unsigned char ca_cert_der_2048[] = 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, - 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, 0x30, 0x37, - 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, 0x0D, 0x31, - 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, 0x31, 0x30, - 0x31, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, + 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, 0x32, 0x33, + 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, 0x0D, 0x31, + 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, 0x39, 0x33, + 0x37, 0x5A, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, @@ -1220,60 +1231,66 @@ static const unsigned char ca_cert_der_2048[] = 0x13, 0x49, 0x08, 0x16, 0x0B, 0xA7, 0x4D, 0x67, 0x00, 0x52, 0x31, 0x67, 0x23, 0x4E, 0x98, 0xED, 0x51, 0x45, 0x1D, 0xB9, 0x04, 0xD9, 0x0B, 0xEC, 0xD8, 0x28, 0xB3, 0x4B, 0xBD, 0xED, - 0x36, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x81, 0xFC, - 0x30, 0x81, 0xF9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, - 0x04, 0x16, 0x04, 0x14, 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, - 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, - 0x30, 0xE5, 0xE8, 0xD5, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55, - 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14, - 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, - 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, - 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, - 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, - 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, - 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, - 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, - 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, - 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, - 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, - 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, - 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, - 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, - 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, - 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, - 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, - 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, - 0xD9, 0x80, 0x3A, 0xC3, 0xD2, 0xF4, 0xDA, 0x37, 0x30, 0x0C, - 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, - 0x01, 0xFF, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, - 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, - 0x01, 0x00, 0x7A, 0xAF, 0x44, 0x3B, 0xAA, 0x6F, 0x53, 0x42, - 0xB2, 0x33, 0xAA, 0x43, 0x5F, 0x56, 0x30, 0xD3, 0xB9, 0x96, - 0x0B, 0x9A, 0x55, 0x5A, 0x39, 0x2A, 0x0B, 0x4E, 0xE4, 0x2E, - 0xF1, 0x95, 0x66, 0xC9, 0x86, 0x36, 0x82, 0x8D, 0x63, 0x7C, - 0x4D, 0xA2, 0xEE, 0x48, 0xBA, 0x03, 0xC7, 0x90, 0xD7, 0xA7, - 0xC6, 0x74, 0x60, 0x48, 0x5F, 0x31, 0xA2, 0xF9, 0x5E, 0x3E, - 0xC3, 0x82, 0xE1, 0xE5, 0x2F, 0x41, 0x81, 0x83, 0x29, 0x25, - 0x79, 0xD1, 0x53, 0x00, 0x69, 0x3C, 0xED, 0x0A, 0x30, 0x3B, - 0x41, 0x1D, 0x92, 0xA1, 0x2C, 0xA8, 0x9D, 0x2C, 0xE3, 0x23, - 0x87, 0x79, 0xE0, 0x55, 0x6E, 0x91, 0xA8, 0x50, 0xDA, 0x46, - 0x2F, 0xC2, 0x20, 0x50, 0x3E, 0x2B, 0x47, 0x97, 0x14, 0xB0, - 0x7D, 0x04, 0xBA, 0x45, 0x51, 0xD0, 0x6E, 0xE1, 0x5A, 0xA2, - 0x4B, 0x84, 0x9C, 0x4D, 0xCD, 0x85, 0x04, 0xF9, 0x28, 0x31, - 0x82, 0x93, 0xBC, 0xC7, 0x59, 0x49, 0x91, 0x03, 0xE8, 0xDF, - 0x6A, 0xE4, 0x56, 0xAD, 0x6A, 0xCB, 0x1F, 0x0D, 0x37, 0xE4, - 0x5E, 0xBD, 0xE7, 0x9F, 0xD5, 0xEC, 0x9D, 0x3C, 0x18, 0x25, - 0x9B, 0xF1, 0x2F, 0x50, 0x7D, 0xEB, 0x31, 0xCB, 0xF1, 0x63, - 0x22, 0x9D, 0x57, 0xFC, 0xF3, 0x84, 0x20, 0x1A, 0xC6, 0x07, - 0x87, 0x92, 0x26, 0x9E, 0x15, 0x18, 0x59, 0x33, 0x06, 0xDC, - 0xFB, 0xB0, 0xB6, 0x76, 0x5D, 0xF1, 0xC1, 0x2F, 0xC8, 0x2F, - 0x62, 0x9C, 0xC0, 0xD6, 0xDE, 0xEB, 0x65, 0x77, 0xF3, 0x5C, - 0xA6, 0xC3, 0x88, 0x27, 0x96, 0x75, 0xB4, 0xF4, 0x54, 0xCD, - 0xFF, 0x2D, 0x21, 0x2E, 0x96, 0xF0, 0x07, 0x73, 0x4B, 0xE9, - 0x93, 0x92, 0x90, 0xDE, 0x62, 0xD9, 0xA3, 0x3B, 0xAC, 0x6E, - 0x24, 0x5F, 0x27, 0x4A, 0xB3, 0x94, 0x70, 0xFF, 0x30, 0x17, - 0xE7, 0x7E, 0x32, 0x8F, 0x65, 0xB7, 0x75, 0x58 + 0x36, 0x79, 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, + 0x31, 0x30, 0x82, 0x01, 0x2D, 0x30, 0x1D, 0x06, 0x03, 0x55, + 0x1D, 0x0E, 0x04, 0x16, 0x04, 0x14, 0x27, 0x8E, 0x67, 0x11, + 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, + 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, 0x30, 0x81, 0xC9, 0x06, + 0x03, 0x55, 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, + 0x80, 0x14, 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, + 0x3F, 0xED, 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, + 0xE8, 0xD5, 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, + 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, + 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, + 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, + 0x6E, 0x61, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, + 0x07, 0x0C, 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, + 0x31, 0x11, 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, + 0x08, 0x53, 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, + 0x13, 0x30, 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, + 0x43, 0x6F, 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, + 0x31, 0x18, 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, + 0x0F, 0x77, 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, + 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, + 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, + 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, + 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, + 0x09, 0x00, 0xA6, 0x66, 0x38, 0x49, 0x45, 0x9B, 0xDC, 0x81, + 0x30, 0x0C, 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, + 0x03, 0x01, 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06, + 0x01, 0x05, 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, + 0x30, 0x22, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, + 0x30, 0x01, 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, + 0x2F, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, + 0x3A, 0x32, 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, + 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x41, 0x8F, 0xFB, 0x6B, + 0x65, 0x6B, 0x36, 0xF2, 0x56, 0x4F, 0x0C, 0x48, 0xB0, 0x4D, + 0x8C, 0xC2, 0xCB, 0xD6, 0x58, 0x7A, 0x83, 0x3A, 0x30, 0x7D, + 0x62, 0x7B, 0x86, 0xF1, 0x15, 0x26, 0xB3, 0x26, 0x02, 0x77, + 0xF2, 0xC8, 0x57, 0xE5, 0x1E, 0x60, 0x68, 0x8B, 0xA4, 0xE8, + 0xF3, 0xA8, 0xB2, 0x88, 0xA4, 0x2F, 0xE8, 0x6E, 0x25, 0x8D, + 0x6B, 0xDC, 0x53, 0xAB, 0x2F, 0xD3, 0x47, 0x8C, 0xD6, 0x27, + 0xAB, 0x39, 0xBC, 0xD3, 0xCA, 0xD8, 0x01, 0x96, 0xA4, 0x44, + 0x57, 0x38, 0x93, 0xAB, 0xC3, 0xF3, 0x95, 0x67, 0x7F, 0xCF, + 0x25, 0x1D, 0xB7, 0x04, 0xDC, 0x06, 0xC9, 0x5D, 0x24, 0xC1, + 0x54, 0x13, 0x71, 0x81, 0x21, 0x31, 0xEE, 0x9F, 0xB4, 0x9D, + 0xCE, 0x98, 0x66, 0xA4, 0xA0, 0x77, 0xC1, 0x88, 0x18, 0xA4, + 0xD1, 0x36, 0xEE, 0xCD, 0xD8, 0xC1, 0x1B, 0xBC, 0x03, 0xD6, + 0x85, 0x9A, 0x2E, 0x21, 0x82, 0x95, 0x4C, 0xB2, 0x2A, 0xFE, + 0x69, 0xDB, 0xAC, 0xE4, 0x97, 0xE1, 0xE9, 0x0E, 0xF1, 0xD3, + 0xEF, 0x20, 0x86, 0x03, 0x01, 0x66, 0x6B, 0xF0, 0x26, 0x0F, + 0x39, 0x04, 0x26, 0xF5, 0x42, 0x98, 0x3F, 0x95, 0x48, 0x5F, + 0xB5, 0x5D, 0xBC, 0x49, 0x4C, 0x81, 0x38, 0xD5, 0xE9, 0x72, + 0x32, 0x1C, 0x66, 0x1B, 0x12, 0x80, 0x0F, 0xDB, 0x99, 0xF0, + 0x97, 0x67, 0x61, 0x79, 0xAD, 0xAB, 0xBE, 0x6A, 0xEA, 0xAA, + 0xCC, 0x3D, 0xF9, 0x40, 0x99, 0x00, 0x93, 0xBB, 0xDF, 0x4B, + 0x41, 0xD4, 0x7F, 0xF1, 0x93, 0xB2, 0x70, 0x83, 0x3A, 0xE3, + 0x6B, 0x44, 0x4B, 0x1F, 0x9F, 0x77, 0x53, 0xEA, 0x5D, 0xE6, + 0x59, 0x1E, 0xC0, 0x2D, 0x4B, 0x83, 0xD6, 0xF4, 0xA3, 0xD4, + 0xA9, 0xC3, 0x91, 0x12, 0xE7, 0x61, 0x3F, 0x56, 0x9D, 0x8F, + 0xB8, 0x19, 0x29, 0x62, 0x1B, 0x58, 0xDF, 0x73, 0x99, 0x1F, + 0x49, 0x63 }; static const int sizeof_ca_cert_der_2048 = sizeof(ca_cert_der_2048); @@ -1406,7 +1423,7 @@ static const int sizeof_server_key_der_2048 = sizeof(server_key_der_2048); /* ./certs/server-cert.der, 2048-bit */ static const unsigned char server_cert_der_2048[] = { - 0x30, 0x82, 0x04, 0x9E, 0x30, 0x82, 0x03, 0x86, 0xA0, 0x03, + 0x30, 0x82, 0x04, 0xD4, 0x30, 0x82, 0x03, 0xBC, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x01, 0x01, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, @@ -1424,10 +1441,10 @@ static const unsigned char server_cert_der_2048[] = 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, - 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x30, 0x35, - 0x30, 0x37, 0x31, 0x38, 0x32, 0x31, 0x30, 0x31, 0x5A, 0x17, - 0x0D, 0x31, 0x38, 0x30, 0x31, 0x33, 0x31, 0x31, 0x38, 0x32, - 0x31, 0x30, 0x31, 0x5A, 0x30, 0x81, 0x90, 0x31, 0x0B, 0x30, + 0x6F, 0x6D, 0x30, 0x1E, 0x17, 0x0D, 0x31, 0x35, 0x31, 0x31, + 0x32, 0x33, 0x31, 0x32, 0x34, 0x39, 0x33, 0x37, 0x5A, 0x17, + 0x0D, 0x31, 0x38, 0x30, 0x38, 0x31, 0x39, 0x31, 0x32, 0x34, + 0x39, 0x33, 0x37, 0x5A, 0x30, 0x81, 0x90, 0x31, 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, @@ -1471,60 +1488,66 @@ static const unsigned char server_cert_der_2048[] = 0x69, 0x42, 0x42, 0x09, 0xE9, 0xD8, 0x08, 0xBC, 0x33, 0x20, 0xB3, 0x58, 0x22, 0xA7, 0xAA, 0xEB, 0xC4, 0xE1, 0xE6, 0x61, 0x83, 0xC5, 0xD2, 0x96, 0xDF, 0xD9, 0xD0, 0x4F, 0xAD, 0xD7, - 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x81, 0xFC, 0x30, 0x81, - 0xF9, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, 0x04, 0x16, - 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98, 0x84, 0xE2, - 0xC9, 0xF8, 0xD0, 0x3B, 0x6E, 0x03, 0x42, 0xCA, 0x1F, 0x0E, - 0x8E, 0x3C, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55, 0x1D, 0x23, - 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14, 0x27, 0x8E, - 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, 0x33, 0x63, - 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, 0xA1, 0x81, - 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, 0x0B, 0x30, - 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x55, 0x53, - 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x08, 0x0C, - 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, 0x31, 0x10, - 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, 0x07, 0x42, - 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, 0x30, 0x0F, - 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, 0x61, 0x77, - 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, 0x11, 0x06, - 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, 0x6E, 0x73, - 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, 0x30, 0x16, - 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, 0x77, 0x77, - 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, 0x2E, 0x63, - 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, 0x2A, 0x86, - 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, 0x10, 0x69, - 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, - 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, 0xD9, 0x80, - 0x3A, 0xC3, 0xD2, 0xF4, 0xDA, 0x37, 0x30, 0x0C, 0x06, 0x03, - 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, 0x01, 0xFF, - 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, - 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, - 0x67, 0xC0, 0x2C, 0xA9, 0x43, 0x47, 0xE7, 0x11, 0x14, 0x77, - 0xAE, 0xCC, 0xD8, 0xE0, 0x6B, 0x23, 0x82, 0x91, 0x63, 0xE8, - 0xA8, 0x0D, 0x21, 0xC5, 0xC8, 0x47, 0x97, 0x2F, 0xD5, 0xF3, - 0x86, 0xFB, 0x6C, 0xCE, 0x25, 0xF9, 0x7C, 0x78, 0xC8, 0x3A, - 0x22, 0x68, 0xF2, 0x16, 0x1E, 0xD2, 0xD2, 0x3F, 0x24, 0x04, - 0x87, 0xF2, 0xB7, 0xC1, 0x62, 0x63, 0xBA, 0xC5, 0xFA, 0xAE, - 0xD2, 0x20, 0x81, 0x1A, 0xD2, 0x0C, 0xAE, 0x26, 0x6B, 0x1B, - 0x2B, 0x10, 0xD3, 0xE1, 0x9A, 0x4E, 0x64, 0x6C, 0x97, 0xDB, - 0x36, 0xA8, 0x8F, 0xF8, 0x05, 0x63, 0xBF, 0xBA, 0x0D, 0x88, - 0x0B, 0x87, 0x46, 0xC9, 0xE4, 0x64, 0xE3, 0xD7, 0xBD, 0xB8, - 0x2D, 0xD5, 0xC1, 0xC3, 0xC4, 0xDB, 0x55, 0x68, 0xDC, 0xA3, - 0x7A, 0x40, 0xB9, 0xA9, 0xF6, 0x04, 0x4A, 0x22, 0xCF, 0x98, - 0x76, 0x1C, 0xE4, 0xA3, 0xFF, 0x79, 0x19, 0x96, 0x57, 0x63, - 0x07, 0x6F, 0xF6, 0x32, 0x77, 0x16, 0x50, 0x9B, 0xE3, 0x34, - 0x18, 0xD4, 0xEB, 0xBE, 0xFD, 0xB6, 0x6F, 0xE3, 0xC7, 0xF6, - 0x85, 0xBF, 0xAC, 0x32, 0xAD, 0x98, 0x57, 0xBE, 0x13, 0x92, - 0x44, 0x10, 0xA5, 0xF3, 0xAE, 0xE2, 0x66, 0xDA, 0x44, 0xA9, - 0x94, 0x71, 0x3F, 0xD0, 0x2F, 0x20, 0x59, 0x87, 0xE4, 0x5A, - 0x40, 0xEE, 0xD2, 0xE4, 0x0C, 0xCE, 0x25, 0x94, 0xDC, 0x0F, - 0xFE, 0x38, 0xE0, 0x41, 0x52, 0x34, 0x5C, 0xBB, 0xC3, 0xDB, - 0xC1, 0x5F, 0x76, 0xC3, 0x5D, 0x0E, 0x32, 0x69, 0x2B, 0x9D, - 0x01, 0xED, 0x50, 0x1B, 0x4F, 0x77, 0xA9, 0xA9, 0xD8, 0x71, - 0x30, 0xCB, 0x2E, 0x2C, 0x70, 0x00, 0xAB, 0x78, 0x4B, 0xD7, - 0x15, 0xD9, 0x17, 0xF8, 0x64, 0xB2, 0xF7, 0x3A, 0xDA, 0xE1, - 0x0B, 0x8B, 0x0A, 0xE1, 0x4E, 0xB1, 0x03, 0x46, 0x14, 0xCA, - 0x94, 0xE3, 0x44, 0x77, 0xD7, 0x59 + 0x02, 0x03, 0x01, 0x00, 0x01, 0xA3, 0x82, 0x01, 0x31, 0x30, + 0x82, 0x01, 0x2D, 0x30, 0x1D, 0x06, 0x03, 0x55, 0x1D, 0x0E, + 0x04, 0x16, 0x04, 0x14, 0xB3, 0x11, 0x32, 0xC9, 0x92, 0x98, + 0x84, 0xE2, 0xC9, 0xF8, 0xD0, 0x3B, 0x6E, 0x03, 0x42, 0xCA, + 0x1F, 0x0E, 0x8E, 0x3C, 0x30, 0x81, 0xC9, 0x06, 0x03, 0x55, + 0x1D, 0x23, 0x04, 0x81, 0xC1, 0x30, 0x81, 0xBE, 0x80, 0x14, + 0x27, 0x8E, 0x67, 0x11, 0x74, 0xC3, 0x26, 0x1D, 0x3F, 0xED, + 0x33, 0x63, 0xB3, 0xA4, 0xD8, 0x1D, 0x30, 0xE5, 0xE8, 0xD5, + 0xA1, 0x81, 0x9A, 0xA4, 0x81, 0x97, 0x30, 0x81, 0x94, 0x31, + 0x0B, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, + 0x55, 0x53, 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, + 0x08, 0x0C, 0x07, 0x4D, 0x6F, 0x6E, 0x74, 0x61, 0x6E, 0x61, + 0x31, 0x10, 0x30, 0x0E, 0x06, 0x03, 0x55, 0x04, 0x07, 0x0C, + 0x07, 0x42, 0x6F, 0x7A, 0x65, 0x6D, 0x61, 0x6E, 0x31, 0x11, + 0x30, 0x0F, 0x06, 0x03, 0x55, 0x04, 0x0A, 0x0C, 0x08, 0x53, + 0x61, 0x77, 0x74, 0x6F, 0x6F, 0x74, 0x68, 0x31, 0x13, 0x30, + 0x11, 0x06, 0x03, 0x55, 0x04, 0x0B, 0x0C, 0x0A, 0x43, 0x6F, + 0x6E, 0x73, 0x75, 0x6C, 0x74, 0x69, 0x6E, 0x67, 0x31, 0x18, + 0x30, 0x16, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0C, 0x0F, 0x77, + 0x77, 0x77, 0x2E, 0x77, 0x6F, 0x6C, 0x66, 0x73, 0x73, 0x6C, + 0x2E, 0x63, 0x6F, 0x6D, 0x31, 0x1F, 0x30, 0x1D, 0x06, 0x09, + 0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x09, 0x01, 0x16, + 0x10, 0x69, 0x6E, 0x66, 0x6F, 0x40, 0x77, 0x6F, 0x6C, 0x66, + 0x73, 0x73, 0x6C, 0x2E, 0x63, 0x6F, 0x6D, 0x82, 0x09, 0x00, + 0xA6, 0x66, 0x38, 0x49, 0x45, 0x9B, 0xDC, 0x81, 0x30, 0x0C, + 0x06, 0x03, 0x55, 0x1D, 0x13, 0x04, 0x05, 0x30, 0x03, 0x01, + 0x01, 0xFF, 0x30, 0x32, 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, + 0x05, 0x07, 0x01, 0x01, 0x04, 0x26, 0x30, 0x24, 0x30, 0x22, + 0x06, 0x08, 0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x30, 0x01, + 0x86, 0x16, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x6C, + 0x6F, 0x63, 0x61, 0x6C, 0x68, 0x6F, 0x73, 0x74, 0x3A, 0x32, + 0x32, 0x32, 0x32, 0x32, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, + 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B, 0x05, 0x00, 0x03, + 0x82, 0x01, 0x01, 0x00, 0x71, 0x17, 0x8F, 0x6F, 0x7D, 0xD6, + 0x11, 0x01, 0x79, 0xAC, 0xE9, 0xC2, 0xFB, 0x71, 0x69, 0x6B, + 0x0C, 0x64, 0x91, 0xC1, 0x32, 0x8B, 0x9C, 0x62, 0x72, 0xB5, + 0x62, 0xBB, 0xF8, 0xCF, 0x6C, 0x27, 0xDF, 0xF0, 0x64, 0xD6, + 0x4A, 0x55, 0x4F, 0x7F, 0x4A, 0x8B, 0x7B, 0x80, 0x5B, 0x3C, + 0xA0, 0x31, 0xB0, 0x25, 0x92, 0x02, 0x02, 0x9C, 0x99, 0xA5, + 0x8E, 0x0C, 0x61, 0xEF, 0xB4, 0x1E, 0x01, 0x2E, 0x1C, 0xE9, + 0x9C, 0x59, 0x2D, 0xEF, 0x6E, 0x03, 0x4D, 0xF1, 0x59, 0xE5, + 0x5F, 0x69, 0x66, 0x5C, 0x0A, 0xE6, 0xCD, 0xF6, 0x74, 0x20, + 0x86, 0x4C, 0xF6, 0x8F, 0x22, 0x86, 0x68, 0x7E, 0xFE, 0x67, + 0x3F, 0x3D, 0x19, 0xB8, 0x61, 0xEF, 0xC5, 0xA5, 0x58, 0xA8, + 0x2A, 0xCE, 0xD3, 0x2C, 0xA7, 0x1B, 0xDD, 0xC8, 0x59, 0xC7, + 0xE7, 0xCF, 0x42, 0x42, 0xDB, 0xAF, 0xFE, 0x15, 0x82, 0xC9, + 0xE5, 0x53, 0xFA, 0xB4, 0x37, 0x55, 0x67, 0x47, 0x0F, 0xE7, + 0x24, 0x88, 0x14, 0xA3, 0x6C, 0xBE, 0x5F, 0x72, 0x05, 0x5F, + 0x56, 0x33, 0xAA, 0x7F, 0xAC, 0x2E, 0x10, 0x92, 0xB7, 0xA2, + 0xF9, 0xC1, 0x62, 0x0C, 0x3B, 0x0C, 0x69, 0x9A, 0x71, 0x15, + 0x11, 0xBC, 0x37, 0xBF, 0x8E, 0x23, 0x14, 0xC2, 0xB1, 0x0D, + 0xDF, 0x89, 0x45, 0x1E, 0xDF, 0x14, 0xE8, 0x95, 0x35, 0x88, + 0x27, 0xA8, 0xAB, 0xDD, 0x7C, 0x23, 0x3F, 0xBB, 0xFE, 0x4E, + 0x0E, 0xEA, 0xA6, 0xEE, 0xF5, 0x77, 0xFB, 0xAA, 0xB8, 0x28, + 0x33, 0xF9, 0x61, 0xB0, 0xD2, 0x79, 0x46, 0xA4, 0xBA, 0xA0, + 0x90, 0xC8, 0xE7, 0x96, 0x8F, 0x27, 0xE9, 0x1E, 0xD0, 0x92, + 0x43, 0xBB, 0x84, 0xC7, 0xF3, 0x28, 0x0C, 0x41, 0xAA, 0x77, + 0x39, 0x65, 0xAA, 0x0D, 0x02, 0xB0, 0xE0, 0x4D, 0xB1, 0x17, + 0x41, 0xC9, 0xF0, 0xD4, 0x47, 0x87, 0xFB, 0x0F, 0xF0, 0x40 + }; static const int sizeof_server_cert_der_2048 = sizeof(server_cert_der_2048); diff --git a/wolfssl/internal.h b/wolfssl/internal.h index aa6bd5846..e83d194cd 100644 --- a/wolfssl/internal.h +++ b/wolfssl/internal.h @@ -1370,22 +1370,27 @@ struct WOLFSSL_CRL { /* wolfSSL Certificate Manager */ struct WOLFSSL_CERT_MANAGER { Signer* caTable[CA_TABLE_SIZE]; /* the CA signer table */ - void* heap; /* heap helper */ - WOLFSSL_CRL* crl; /* CRL checker */ - WOLFSSL_OCSP* ocsp; /* OCSP checker */ - char* ocspOverrideURL; /* use this responder */ - void* ocspIOCtx; /* I/O callback CTX */ - CallbackCACache caCacheCallback; /* CA cache addition callback */ - CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ - CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ - CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ - wolfSSL_Mutex caLock; /* CA list lock */ - byte crlEnabled; /* is CRL on ? */ - byte crlCheckAll; /* always leaf, but all ? */ - byte ocspEnabled; /* is OCSP on ? */ - byte ocspCheckAll; /* always leaf, but all ? */ - byte ocspSendNonce; /* send the OCSP nonce ? */ - byte ocspUseOverrideURL; /* ignore cert's responder, override */ + void* heap; /* heap helper */ + WOLFSSL_CRL* crl; /* CRL checker */ + WOLFSSL_OCSP* ocsp; /* OCSP checker */ +#if !defined(NO_WOLFSSL_SEVER) && (defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2)) + WOLFSSL_OCSP* ocsp_stapling; /* OCSP checker for OCSP stapling */ +#endif + char* ocspOverrideURL; /* use this responder */ + void* ocspIOCtx; /* I/O callback CTX */ + CallbackCACache caCacheCallback; /* CA cache addition callback */ + CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ + CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */ + CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */ + wolfSSL_Mutex caLock; /* CA list lock */ + byte crlEnabled; /* is CRL on ? */ + byte crlCheckAll; /* always leaf, but all ? */ + byte ocspEnabled; /* is OCSP on ? */ + byte ocspCheckAll; /* always leaf, but all ? */ + byte ocspSendNonce; /* send the OCSP nonce ? */ + byte ocspUseOverrideURL; /* ignore cert's responder, override */ + byte ocspStaplingEnabled; /* is OCSP Stapling on ? */ }; WOLFSSL_LOCAL int CM_SaveCertCache(WOLFSSL_CERT_MANAGER*, const char*); @@ -1476,6 +1481,7 @@ typedef enum { TLSX_STATUS_REQUEST = 0x0005, /* a.k.a. OCSP stappling */ TLSX_SUPPORTED_GROUPS = 0x000a, /* a.k.a. Supported Curves */ TLSX_APPLICATION_LAYER_PROTOCOL = 0x0010, /* a.k.a. ALPN */ + TLSX_STATUS_REQUEST_V2 = 0x0011, /* a.k.a. OCSP stappling v2 */ TLSX_QUANTUM_SAFE_HYBRID = 0x0018, /* a.k.a. QSH */ TLSX_SESSION_TICKET = 0x0023, TLSX_RENEGOTIATION_INFO = 0xff01 @@ -1510,6 +1516,7 @@ WOLFSSL_LOCAL int TLSX_Parse(WOLFSSL* ssl, byte* input, word16 length, || defined(HAVE_MAX_FRAGMENT) \ || defined(HAVE_TRUNCATED_HMAC) \ || defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) \ || defined(HAVE_SUPPORTED_CURVES) \ || defined(HAVE_ALPN) \ || defined(HAVE_QSH) \ @@ -1592,11 +1599,33 @@ typedef struct { } request; } CertificateStatusRequest; -WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequest(TLSX** extensions, byte status_type, byte options); -WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); -WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); -WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); +WOLFSSL_LOCAL int TLSX_CSR_InitRequest(TLSX* extensions, DecodedCert* cert); +WOLFSSL_LOCAL void* TLSX_CSR_GetRequest(TLSX* extensions); +WOLFSSL_LOCAL int TLSX_CSR_ForceRequest(WOLFSSL* ssl); + +#endif + +/** Certificate Status Request v2 - RFC 6961 */ +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + +typedef struct CSRIv2 { + byte status_type; + byte options; + word16 requests; + union { + OcspRequest ocsp[1 + MAX_CHAIN_DEPTH]; + } request; + struct CSRIv2* next; +} CertificateStatusRequestItemV2; + +WOLFSSL_LOCAL int TLSX_UseCertificateStatusRequestV2(TLSX** extensions, + byte status_type, byte options); +WOLFSSL_LOCAL int TLSX_CSR2_InitRequests(TLSX* extensions, DecodedCert* cert, byte isPeer); +WOLFSSL_LOCAL void* TLSX_CSR2_GetRequest(TLSX* extensions, byte status_type, + byte index); +WOLFSSL_LOCAL int TLSX_CSR2_ForceRequest(WOLFSSL* ssl); #endif @@ -1775,6 +1804,15 @@ struct WOLFSSL_CTX { #endif #ifdef HAVE_TLS_EXTENSIONS TLSX* extensions; /* RFC 6066 TLS Extensions data */ + #ifndef NO_WOLFSSL_SERVER + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST) \ + || defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + OcspRequest* certOcspRequest; + #endif + #if defined(HAVE_CERTIFICATE_STATUS_REQUEST_V2) + OcspRequest* chainOcspRequest[MAX_CHAIN_DEPTH]; + #endif + #endif #if defined(HAVE_SESSION_TICKET) && !defined(NO_WOLFSSL_SEVER) SessionTicketEncCb ticketEncCb; /* enc/dec session ticket Cb */ void* ticketEncCtx; /* session encrypt context */ @@ -2043,6 +2081,7 @@ enum AcceptState { ACCEPT_FIRST_REPLY_DONE, SERVER_HELLO_SENT, CERT_SENT, + CERT_STATUS_SENT, KEY_EXCHANGE_SENT, CERT_REQ_SENT, SERVER_HELLO_DONE, @@ -2497,6 +2536,9 @@ struct WOLFSSL { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST byte status_request; #endif + #ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 + byte status_request_v2; + #endif #ifdef HAVE_SECURE_RENEGOTIATION SecureRenegotiation* secure_renegotiation; /* valid pointer indicates */ #endif /* user turned on */ @@ -2660,6 +2702,7 @@ WOLFSSL_LOCAL int DoClientTicket(WOLFSSL*, const byte*, word32); WOLFSSL_LOCAL int SendData(WOLFSSL*, const void*, int); WOLFSSL_LOCAL int SendCertificate(WOLFSSL*); WOLFSSL_LOCAL int SendCertificateRequest(WOLFSSL*); +WOLFSSL_LOCAL int SendCertificateStatus(WOLFSSL*); WOLFSSL_LOCAL int SendServerKeyExchange(WOLFSSL*); WOLFSSL_LOCAL int SendBuffered(WOLFSSL*); WOLFSSL_LOCAL int ReceiveData(WOLFSSL*, byte*, int, int); diff --git a/wolfssl/ocsp.h b/wolfssl/ocsp.h index dc76ca16e..8d05c26d0 100644 --- a/wolfssl/ocsp.h +++ b/wolfssl/ocsp.h @@ -39,9 +39,9 @@ typedef struct WOLFSSL_OCSP WOLFSSL_OCSP; WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*); WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic); -WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*); +WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, void*); WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp, - OcspRequest* ocspRequest); + OcspRequest* ocspRequest, void*); #ifdef __cplusplus } /* extern "C" */ diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 136c6bbd9..06f35e160 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -1269,6 +1269,9 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CertManagerSetOCSP_Cb(WOLFSSL_CERT_MANAGER*, CbOCSPIO, CbOCSPRespFree, void*); + WOLFSSL_API int wolfSSL_CertManagerEnableOCSPStapling( + WOLFSSL_CERT_MANAGER* cm); + WOLFSSL_API int wolfSSL_EnableCRL(WOLFSSL* ssl, int options); WOLFSSL_API int wolfSSL_DisableCRL(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_LoadCRL(WOLFSSL*, const char*, int, int); @@ -1287,6 +1290,8 @@ WOLFSSL_API void* wolfSSL_GetRsaDecCtx(WOLFSSL* ssl); WOLFSSL_API int wolfSSL_CTX_SetOCSP_OverrideURL(WOLFSSL_CTX*, const char*); WOLFSSL_API int wolfSSL_CTX_SetOCSP_Cb(WOLFSSL_CTX*, CbOCSPIO, CbOCSPRespFree, void*); + + WOLFSSL_API int wolfSSL_CTX_EnableOCSPStapling(WOLFSSL_CTX*); #endif /* !NO_CERTS */ /* end of handshake frees temporary arrays, if user needs for get_keys or @@ -1425,10 +1430,34 @@ enum { #ifdef HAVE_CERTIFICATE_STATUS_REQUEST #ifndef NO_WOLFSSL_CLIENT -WOLFSSL_API int wolfSSL_UseCertificateStatusRequest(WOLFSSL* ssl, +WOLFSSL_API int wolfSSL_UseOCSPStapling(WOLFSSL* ssl, unsigned char status_type, unsigned char options); -WOLFSSL_API int wolfSSL_CTX_UseCertificateStatusRequest(WOLFSSL_CTX* ctx, +WOLFSSL_API int wolfSSL_CTX_UseOCSPStapling(WOLFSSL_CTX* ctx, + unsigned char status_type, unsigned char options); + +#endif +#endif + +/* Certificate Status Request v2 */ +/* Certificate Status Type */ +enum { + WOLFSSL_CSR2_OCSP = 1, + WOLFSSL_CSR2_OCSP_MULTI = 2 +}; + +/* Certificate Status v2 Options (flags) */ +enum { + WOLFSSL_CSR2_OCSP_USE_NONCE = 0x01 +}; + +#ifdef HAVE_CERTIFICATE_STATUS_REQUEST_V2 +#ifndef NO_WOLFSSL_CLIENT + +WOLFSSL_API int wolfSSL_UseOCSPStaplingV2(WOLFSSL* ssl, + unsigned char status_type, unsigned char options); + +WOLFSSL_API int wolfSSL_CTX_UseOCSPStaplingV2(WOLFSSL_CTX* ctx, unsigned char status_type, unsigned char options); #endif diff --git a/wolfssl/wolfcrypt/asn.h b/wolfssl/wolfcrypt/asn.h index e77487bd7..a305d01d9 100644 --- a/wolfssl/wolfcrypt/asn.h +++ b/wolfssl/wolfcrypt/asn.h @@ -684,6 +684,9 @@ struct CertStatus { byte nextDate[MAX_DATE_SIZE]; byte thisDateFormat; byte nextDateFormat; + + byte* rawOcspResponse; + word32 rawOcspResponseSz; }; diff --git a/wolfssl/wolfcrypt/logging.h b/wolfssl/wolfcrypt/logging.h index 2e604080d..03681412d 100644 --- a/wolfssl/wolfcrypt/logging.h +++ b/wolfssl/wolfcrypt/logging.h @@ -56,6 +56,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); void WOLFSSL_ERROR(int); void WOLFSSL_MSG(const char* msg); + void WOLFSSL_BUFFER(byte* buffer, word32 length); #else /* DEBUG_WOLFSSL */ @@ -65,6 +66,7 @@ WOLFSSL_API int wolfSSL_SetLoggingCb(wolfSSL_Logging_cb log_function); #define WOLFSSL_ERROR(e) #define WOLFSSL_MSG(m) + #define WOLFSSL_BUFFER(b, l) #endif /* DEBUG_WOLFSSL */ From 6ba14fa241e8474e133588767b08638ede021c59 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Tue, 29 Dec 2015 10:19:27 -0300 Subject: [PATCH 153/177] fixes some errors from Jenkins Expected Configurations Build # 111 --- src/ssl.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index a6d4c2937..bc4c97368 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6153,11 +6153,13 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl, WOLFSSL_MSG("accept state CERT_SENT"); case CERT_SENT : + #ifndef NO_CERTS if (!ssl->options.resuming) if ( (ssl->error = SendCertificateStatus(ssl)) != 0) { WOLFSSL_ERROR(ssl->error); return SSL_FATAL_ERROR; } + #endif ssl->options.acceptState = CERT_STATUS_SENT; WOLFSSL_MSG("accept state CERT_STATUS_SENT"); From a973eca4b82f0d31b45fd5ede48cf5dfce2e0798 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 29 Dec 2015 17:05:51 -0700 Subject: [PATCH 154/177] accounts for assumptions with external ocsp stapling test --- examples/client/client.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/examples/client/client.c b/examples/client/client.c index ec7ee6652..d225da2ea 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -743,6 +743,16 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) done = 1; #endif + /* www.globalsign.com does not respond to ipv6 ocsp requests */ + #if defined(TEST_IPV6) && defined(HAVE_OCSP) + done = 1; + #endif + + /* www.globalsign.com has limited supported cipher suites */ + #if defined(NO_AES) && defined(HAVE_OCSP) + done = 1; + #endif + #ifndef NO_PSK done = 1; #endif From 157486ce0dd4fa5c08c896f6188b0ba0a4f3fa8b Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 29 Dec 2015 16:13:09 -0800 Subject: [PATCH 155/177] fix hint types for misuse of in_buffer and out_buffer --- src/io.c | 8 ++++---- src/ocsp.c | 4 ++-- src/ssl.c | 20 ++++++++++---------- tests/api.c | 2 +- 4 files changed, 17 insertions(+), 17 deletions(-) diff --git a/src/io.c b/src/io.c index 6e40639b2..3c54becc3 100644 --- a/src/io.c +++ b/src/io.c @@ -866,7 +866,7 @@ static int process_http_response(int sfd, byte** respBuf, } } while (state != phr_http_end); - recvBuf = (byte*)XMALLOC(recvBufSz, NULL, DYNAMIC_TYPE_IN_BUFFER); + recvBuf = (byte*)XMALLOC(recvBufSz, NULL, DYNAMIC_TYPE_OCSP); if (recvBuf == NULL) { WOLFSSL_MSG("process_http_response couldn't create response buffer"); return -1; @@ -936,7 +936,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz, * free this buffer. */ int httpBufSz = SCRATCH_BUFFER_SIZE; byte* httpBuf = (byte*)XMALLOC(httpBufSz, NULL, - DYNAMIC_TYPE_IN_BUFFER); + DYNAMIC_TYPE_OCSP); if (httpBuf == NULL) { WOLFSSL_MSG("Unable to create OCSP response buffer"); @@ -962,7 +962,7 @@ int EmbedOcspLookup(void* ctx, const char* url, int urlSz, } close(sfd); - XFREE(httpBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); + XFREE(httpBuf, NULL, DYNAMIC_TYPE_OCSP); } } @@ -980,7 +980,7 @@ void EmbedOcspRespFree(void* ctx, byte *resp) (void)ctx; if (resp) - XFREE(resp, NULL, DYNAMIC_TYPE_IN_BUFFER); + XFREE(resp, NULL, DYNAMIC_TYPE_OCSP); } diff --git a/src/ocsp.c b/src/ocsp.c index 7283e66ad..a1fd6dc25 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -290,7 +290,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, return 0; } - request = (byte*)XMALLOC(requestSz, NULL, DYNAMIC_TYPE_IN_BUFFER); + request = (byte*)XMALLOC(requestSz, NULL, DYNAMIC_TYPE_OCSP); if (request == NULL) { WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_ERROR; @@ -306,7 +306,7 @@ int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest, if (newStatus) XFREE(newStatus, NULL, DYNAMIC_TYPE_TMP_BUFFER); if (ocspResponse) XFREE(ocspResponse, NULL, DYNAMIC_TYPE_TMP_BUFFER); - XFREE(request, NULL, DYNAMIC_TYPE_TMP_BUFFER); + XFREE(request, NULL, DYNAMIC_TYPE_OCSP); WOLFSSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_E; diff --git a/src/ssl.c b/src/ssl.c index bc4c97368..db8027e53 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1031,7 +1031,7 @@ int wolfSSL_ALPN_GetPeerProtocol(WOLFSSL* ssl, char **list, word16 *listSz) if (*listSz == 0) return BUFFER_ERROR; - *list = (char *)XMALLOC((*listSz)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); + *list = (char *)XMALLOC((*listSz)+1, NULL, DYNAMIC_TYPE_TLSX); if (*list == NULL) return MEMORY_ERROR; @@ -14110,7 +14110,7 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); - *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); + *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY); if (*pem == NULL) { WOLFSSL_MSG("malloc failed"); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -14120,7 +14120,7 @@ int wolfSSL_PEM_write_mem_RSAPrivateKey(RSA* rsa, const EVP_CIPHER* cipher, if (XMEMCPY(*pem, tmp, *plen) == NULL) { WOLFSSL_MSG("XMEMCPY failed"); - XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(pem, NULL, DYNAMIC_TYPE_KEY); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -14164,7 +14164,7 @@ int wolfSSL_PEM_write_RSAPrivateKey(FILE *fp, WOLFSSL_RSA *rsa, return SSL_FAILURE; } - XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(pem, NULL, DYNAMIC_TYPE_KEY); return SSL_SUCCESS; } #endif /* NO_FILESYSTEM */ @@ -15492,7 +15492,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); - *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); + *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY); if (*pem == NULL) { WOLFSSL_MSG("malloc failed"); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -15502,7 +15502,7 @@ int wolfSSL_PEM_write_mem_ECPrivateKey(WOLFSSL_EC_KEY* ecc, if (XMEMCPY(*pem, tmp, *plen) == NULL) { WOLFSSL_MSG("XMEMCPY failed"); - XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(pem, NULL, DYNAMIC_TYPE_KEY); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -15545,7 +15545,7 @@ int wolfSSL_PEM_write_ECPrivateKey(FILE *fp, WOLFSSL_EC_KEY *ecc, return SSL_FAILURE; } - XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(pem, NULL, DYNAMIC_TYPE_KEY); return SSL_SUCCESS; } @@ -15667,7 +15667,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, if (cipherInfo != NULL) XFREE(cipherInfo, NULL, DYNAMIC_TYPE_TMP_BUFFER); - *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_OUT_BUFFER); + *pem = (byte*)XMALLOC((*plen)+1, NULL, DYNAMIC_TYPE_KEY); if (*pem == NULL) { WOLFSSL_MSG("malloc failed"); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); @@ -15677,7 +15677,7 @@ int wolfSSL_PEM_write_mem_DSAPrivateKey(WOLFSSL_DSA* dsa, if (XMEMCPY(*pem, tmp, *plen) == NULL) { WOLFSSL_MSG("XMEMCPY failed"); - XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(pem, NULL, DYNAMIC_TYPE_KEY); XFREE(tmp, NULL, DYNAMIC_TYPE_TMP_BUFFER); return SSL_FAILURE; } @@ -15720,7 +15720,7 @@ int wolfSSL_PEM_write_DSAPrivateKey(FILE *fp, WOLFSSL_DSA *dsa, return SSL_FAILURE; } - XFREE(pem, NULL, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(pem, NULL, DYNAMIC_TYPE_KEY); return SSL_SUCCESS; } diff --git a/tests/api.c b/tests/api.c index 745557cf2..07b5dce6f 100644 --- a/tests/api.c +++ b/tests/api.c @@ -1449,7 +1449,7 @@ static void verify_ALPN_client_list(WOLFSSL* ssl) AssertIntEQ(1, sizeof(alpn_list) == clistSz); AssertIntEQ(0, XMEMCMP(alpn_list, clist, clistSz)); - XFREE(clist, 0, DYNAMIC_TYPE_OUT_BUFFER); + XFREE(clist, 0, DYNAMIC_TYPE_TLSX); } static void test_wolfSSL_UseALPN_connection(void) From 0c21b67bb62623a40900138c81a92a88c2a3646f Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 30 Dec 2015 10:19:20 -0700 Subject: [PATCH 156/177] add ocsp needed certs to dist --- Makefile.am | 2 ++ certs/external/include.am | 7 +++++++ certs/ocsp/include.am | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 43 insertions(+) create mode 100644 certs/external/include.am create mode 100644 certs/ocsp/include.am diff --git a/Makefile.am b/Makefile.am index 2180ecc37..2b46d5624 100644 --- a/Makefile.am +++ b/Makefile.am @@ -67,6 +67,8 @@ include wolfssl/include.am include certs/include.am include certs/1024/include.am include certs/crl/include.am +include certs/external/include.am +include certs/ocsp/include.am include doc/include.am include swig/include.am diff --git a/certs/external/include.am b/certs/external/include.am new file mode 100644 index 000000000..a6fa17f64 --- /dev/null +++ b/certs/external/include.am @@ -0,0 +1,7 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/external/ca-globalsign-root-r2.pem \ + certs/external/ca-verisign-g5.pem diff --git a/certs/ocsp/include.am b/certs/ocsp/include.am new file mode 100644 index 000000000..cd5457f9e --- /dev/null +++ b/certs/ocsp/include.am @@ -0,0 +1,34 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +EXTRA_DIST += \ + certs/ocsp/index0.txt \ + certs/ocsp/index1.txt \ + certs/ocsp/index2.txt \ + certs/ocsp/index3.txt \ + certs/ocsp/openssl.cnf \ + certs/ocsp/ocspd0.sh \ + certs/ocsp/ocspd1.sh \ + certs/ocsp/ocspd2.sh \ + certs/ocsp/ocspd3.sh \ + certs/ocsp/intermediate1-ca-key.pem \ + certs/ocsp/intermediate1-ca-cert.pem \ + certs/ocsp/intermediate2-ca-key.pem \ + certs/ocsp/intermediate2-ca-cert.pem \ + certs/ocsp/intermediate3-ca-key.pem \ + certs/ocsp/intermediate3-ca-cert.pem \ + certs/ocsp/ocsp-responder-key.pem \ + certs/ocsp/ocsp-responder-cert.pem \ + certs/ocsp/server1-key.pem \ + certs/ocsp/server1-cert.pem \ + certs/ocsp/server2-key.pem \ + certs/ocsp/server2-cert.pem \ + certs/ocsp/server3-key.pem \ + certs/ocsp/server3-cert.pem \ + certs/ocsp/server4-key.pem \ + certs/ocsp/server4-cert.pem \ + certs/ocsp/server5-key.pem \ + certs/ocsp/server5-cert.pem \ + certs/ocsp/root-ca-key.pem \ + certs/ocsp/root-ca-cert.pem From 5040820f9807fb59830e3d34b71563b1313b610e Mon Sep 17 00:00:00 2001 From: Jacob Barthelmeh Date: Wed, 30 Dec 2015 12:09:31 -0700 Subject: [PATCH 157/177] prepare for 3.8.0 release --- README | 24 ++++++++++++++++++++++++ README.md | 28 +++++++++++++++++++++++++++- configure.ac | 4 ++-- rpm/spec.in | 15 +++++++++++++-- support/wolfssl.pc | 2 +- wolfssl/version.h | 4 ++-- 6 files changed, 69 insertions(+), 8 deletions(-) diff --git a/README b/README index d4e952102..efcab65e7 100644 --- a/README +++ b/README @@ -34,6 +34,30 @@ before calling wolfSSL_new(); Though it's not recommended. *** end Notes *** + + ********* wolfSSL (Formerly CyaSSL) Release 3.8.0 (12/30/2015) + +Release 3.8.0 of wolfSSL has bug fixes and new features including: + +- Example client/server with VxWorks +- AESNI use with AES-GCM +- Stunnel compatibility enhancements +- Single shot hash and signature/verify API added +- Update cavium nitrox port +- LPCXpresso IDE support added +- C# wrapper to support wolfSSL use by a C# program +- (BETA version)OCSP stapling added +- Update OpenSSH compatibility +- Improve DTLS handshake when retransmitting finished message +- fix idea_mult() for 16 and 32bit systems +- fix LowResTimer on Microchip ports + +- No high level security fixes that requires an update though we always +recommend updating to the latest + +See INSTALL file for build instructions. +More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html + ********* wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015) Release 3.7.0 of wolfSSL has bug fixes and new features including: diff --git a/README.md b/README.md index 57b658663..286e65bf2 100644 --- a/README.md +++ b/README.md @@ -13,7 +13,10 @@ key cipher suites with WOLFSSL_STATIC_PSK though static key cipher suites are deprecated and will be removed from future -versions of TLS. They also lower your security by removing PFS. +versions of TLS. They also lower your security by removing PFS. Since current +NTRU suites available do not use ephemeral keys, WOLFSSL_STATIC_RSA needs to be +used in order to build with NTRU suites. + When compiling ssl.c wolfSSL will now issue a comipler error if no cipher suites are available. You can remove this error by defining WOLFSSL_ALLOW_NO_SUITES @@ -35,6 +38,29 @@ wolfSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); before calling wolfSSL_new(); Though it's not recommended. ``` +# wolfSSL (Formerly CyaSSL) Release 3.8.0 (12/30/2015) + +##Release 3.8.0 of wolfSSL has bug fixes and new features including: + +- Example client/server with VxWorks +- AESNI use with AES-GCM +- Stunnel compatibility enhancements +- Single shot hash and signature/verify API added +- Update cavium nitrox port +- LPCXpresso IDE support added +- C# wrapper to support wolfSSL use by a C# program +- (BETA version)OCSP stapling added +- Update OpenSSH compatibility +- Improve DTLS handshake when retransmitting finished message +- fix idea_mult() for 16 and 32bit systems +- fix LowResTimer on Microchip ports + +- No high level security fixes that requires an update though we always +recommend updating to the latest + +See INSTALL file for build instructions. +More info can be found on-line at //http://wolfssl.com/yaSSL/Docs.html + # wolfSSL (Formerly CyaSSL) Release 3.7.0 (10/26/2015) ##Release 3.7.0 of wolfSSL has bug fixes and new features including: diff --git a/configure.ac b/configure.ac index d8e839889..d07b03ae4 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([wolfssl],[3.7.3],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) +AC_INIT([wolfssl],[3.8.0],[https://github.com/wolfssl/wolfssl/issues],[wolfssl],[http://www.wolfssl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -35,7 +35,7 @@ AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -WOLFSSL_LIBRARY_VERSION=3:0:0 +WOLFSSL_LIBRARY_VERSION=4:0:1 # | | | # +------+ | +---+ # | | | diff --git a/rpm/spec.in b/rpm/spec.in index 6efe3bfcf..8fde26c02 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -68,8 +68,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_docdir}/wolfssl/README.txt %{_libdir}/libwolfssl.la %{_libdir}/libwolfssl.so -%{_libdir}/libwolfssl.so.1 -%{_libdir}/libwolfssl.so.1.1.0 +%{_libdir}/libwolfssl.so.3 +%{_libdir}/libwolfssl.so.3.1.0 %files devel %defattr(-,root,root,-) @@ -134,6 +134,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/cyassl/openssl/dsa.h %{_includedir}/cyassl/openssl/ec.h %{_includedir}/cyassl/openssl/ecdsa.h +%{_includedir}/cyassl/openssl/ec25519.h +%{_includedir}/cyassl/openssl/ed25519.h %{_includedir}/cyassl/openssl/ecdh.h %{_includedir}/cyassl/openssl/engine.h %{_includedir}/cyassl/openssl/err.h @@ -192,6 +194,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/hc128.h %{_includedir}/wolfssl/wolfcrypt/hmac.h %{_includedir}/wolfssl/wolfcrypt/integer.h +%{_includedir}/wolfssl/wolfcrypt/idea.h %{_includedir}/wolfssl/wolfcrypt/logging.h %{_includedir}/wolfssl/wolfcrypt/md2.h %{_includedir}/wolfssl/wolfcrypt/md4.h @@ -209,12 +212,15 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/wolfcrypt/ripemd.h %{_includedir}/wolfssl/wolfcrypt/rsa.h %{_includedir}/wolfssl/wolfcrypt/settings.h +%{_includedir}/wolfssl/wolfcrypt/signature.h %{_includedir}/wolfssl/wolfcrypt/sha.h %{_includedir}/wolfssl/wolfcrypt/sha256.h %{_includedir}/wolfssl/wolfcrypt/sha512.h +%{_includedir}/wolfssl/wolfcrypt/srp.h %{_includedir}/wolfssl/wolfcrypt/tfm.h %{_includedir}/wolfssl/wolfcrypt/types.h %{_includedir}/wolfssl/wolfcrypt/visibility.h +%{_includedir}/wolfssl/wolfcrypt/wc_encrypt.h %{_includedir}/wolfssl/error-ssl.h %{_includedir}/wolfssl/ocsp.h %{_includedir}/wolfssl/openssl/asn1.h @@ -227,6 +233,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/wolfssl/openssl/dsa.h %{_includedir}/wolfssl/openssl/ec.h %{_includedir}/wolfssl/openssl/ecdsa.h +%{_includedir}/wolfssl/openssl/ec25519.h +%{_includedir}/wolfssl/openssl/ed25519.h %{_includedir}/wolfssl/openssl/ecdh.h %{_includedir}/wolfssl/openssl/engine.h %{_includedir}/wolfssl/openssl/err.h @@ -259,6 +267,9 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/wolfssl.pc %changelog +* Wed Dec 30 2015 Jacob Barthelmeh +- Added headers for curve25519 and ed25519 openssl compatibility +- Added headers for Idea, srp, signature, and wc_encrypt * Tue Mar 31 2015 John Safranek - Added recent new wolfcrypt headers for curve25519 * Fri Jan 09 2015 John Safranek diff --git a/support/wolfssl.pc b/support/wolfssl.pc index 554fcdb4c..80301285d 100644 --- a/support/wolfssl.pc +++ b/support/wolfssl.pc @@ -5,6 +5,6 @@ includedir=${prefix}/include Name: wolfssl Description: wolfssl C library. -Version: 3.7.3 +Version: 3.8.0 Libs: -L${libdir} -lwolfssl Cflags: -I${includedir} diff --git a/wolfssl/version.h b/wolfssl/version.h index 48bc23d52..ba077958f 100644 --- a/wolfssl/version.h +++ b/wolfssl/version.h @@ -27,8 +27,8 @@ extern "C" { #endif -#define LIBWOLFSSL_VERSION_STRING "3.7.3" -#define LIBWOLFSSL_VERSION_HEX 0x03007003 +#define LIBWOLFSSL_VERSION_STRING "3.8.0" +#define LIBWOLFSSL_VERSION_HEX 0x03008000 #ifdef __cplusplus } From 5fb8ea691a409371f839fc1c9176006474c46c1d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Wed, 30 Dec 2015 16:29:27 -0300 Subject: [PATCH 158/177] updates ocsp certs with better OCSP Responder URI. --- certs/ocsp/intermediate1-ca-cert.pem | 104 +++++++++--------- certs/ocsp/intermediate2-ca-cert.pem | 104 +++++++++--------- certs/ocsp/intermediate3-ca-cert.pem | 104 +++++++++--------- certs/ocsp/ocsp-responder-cert.pem | 100 ++++++++--------- certs/ocsp/openssl.cnf | 8 +- certs/ocsp/root-ca-cert.pem | 52 ++++----- certs/ocsp/server1-cert.pem | 156 +++++++++++++-------------- certs/ocsp/server2-cert.pem | 156 +++++++++++++-------------- certs/ocsp/server3-cert.pem | 156 +++++++++++++-------------- certs/ocsp/server4-cert.pem | 156 +++++++++++++-------------- certs/ocsp/server5-cert.pem | 156 +++++++++++++-------------- 11 files changed, 626 insertions(+), 626 deletions(-) diff --git a/certs/ocsp/intermediate1-ca-cert.pem b/certs/ocsp/intermediate1-ca-cert.pem index 05e15e413..42f681889 100644 --- a/certs/ocsp/intermediate1-ca-cert.pem +++ b/certs/ocsp/intermediate1-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: - c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: - 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: - fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: - 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: - 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: - 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: - 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: - f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: - ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: - 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: - 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: - 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: - e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: - 49:be:30:c1 + 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1: + 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7: + 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8: + 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1: + e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17: + 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b: + 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2: + af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6: + 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7: + 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56: + 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7: + a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c: + 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75: + 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8: + bb:4b:1f:aa -----BEGIN CERTIFICATE----- MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB @@ -83,13 +83,13 @@ gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI -KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD -ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ -KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt -OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO -DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe -2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR -0iqUR3W1gPLogzTMfyKKnkm+MME= +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9 +jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg +iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw +0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC +LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt +JMjGmMN/2B1Pxa7gso71qLtLH6o= -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate2-ca-cert.pem b/certs/ocsp/intermediate2-ca-cert.pem index a045d6776..cacb413d2 100644 --- a/certs/ocsp/intermediate2-ca-cert.pem +++ b/certs/ocsp/intermediate2-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: - c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: - d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: - ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: - 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: - b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: - 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: - 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: - 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: - 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: - 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: - 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: - e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: - 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: - 53:95:72:29 + 1d:d6:14:6c:f5:cc:f9:c9:0d:c4:27:c1:50:49:ab:d7:39:6e: + 86:31:cf:67:99:c0:5d:37:d0:14:ee:d8:e3:da:17:a5:82:c2: + 25:86:33:28:0d:f6:ca:6b:7a:c7:72:f1:d8:b9:20:27:ee:0c: + 7d:77:e5:8b:03:46:9a:f8:99:6a:8e:57:1a:c9:a2:b1:79:d6: + b6:b6:e5:1a:39:80:2e:88:2b:17:c8:b9:36:37:38:58:8a:f0: + 62:68:97:25:b5:7a:62:5c:4d:22:2c:30:62:0c:11:f0:4d:70: + 95:c7:2d:9e:ab:c5:ef:2e:a4:29:25:8b:e2:e4:d2:9d:2c:5e: + 60:79:36:98:13:a8:38:6c:00:0d:6a:f0:11:3c:3f:d8:f9:6b: + 16:d1:61:f9:db:53:56:02:43:56:a8:01:3b:88:77:91:a5:6e: + a0:ab:2c:6c:e6:ec:cf:ff:5a:07:94:ea:49:92:d4:87:98:f8: + 89:f0:f7:4f:77:b0:df:c9:89:03:76:d9:31:30:86:f7:e9:8a: + 74:fa:f2:b2:f3:4d:f7:43:41:48:9c:1f:db:ea:23:e3:1e:4c: + 15:76:92:e0:f8:ce:71:35:fd:25:f0:97:cd:99:5d:2c:af:33: + 64:5e:bd:be:35:e3:53:78:6c:10:c8:0e:cc:83:e5:d9:2e:7a: + d9:6d:52:95 -----BEGIN CERTIFICATE----- MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB @@ -83,13 +83,13 @@ gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI -KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD -ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 -oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch -wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ -2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk -xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN -K2lpzYEnY+gtVSoA3gsVLFOVcik= +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB3WFGz1zPnJDcQnwVBJq9c5boYxz2eZwF030BTu2OPaF6WCwiWGMygN9spr +esdy8di5ICfuDH135YsDRpr4mWqOVxrJorF51ra25Ro5gC6IKxfIuTY3OFiK8GJo +lyW1emJcTSIsMGIMEfBNcJXHLZ6rxe8upCkli+Lk0p0sXmB5NpgTqDhsAA1q8BE8 +P9j5axbRYfnbU1YCQ1aoATuId5GlbqCrLGzm7M//WgeU6kmS1IeY+Inw9093sN/J +iQN22TEwhvfpinT68rLzTfdDQUicH9vqI+MeTBV2kuD4znE1/SXwl82ZXSyvM2Re +vb4141N4bBDIDsyD5dkuetltUpU= -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/intermediate3-ca-cert.pem b/certs/ocsp/intermediate3-ca-cert.pem index b7629bdc1..d3fc21682 100644 --- a/certs/ocsp/intermediate3-ca-cert.pem +++ b/certs/ocsp/intermediate3-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 0c:5e:0d:55:3c:e7:fb:5e:c2:09:19:c8:0b:f4:c2:b2:2b:14: - 79:dc:e8:63:f6:8a:0c:03:57:9e:15:47:7e:b6:15:a3:71:90: - 01:11:39:4b:ff:3d:13:34:e4:f3:5b:a3:6c:58:4f:00:d5:c4: - b0:63:6c:90:c9:89:a8:5d:16:87:0a:da:08:40:12:b4:94:00: - 3e:44:00:13:de:34:75:90:38:79:d4:c2:39:6d:ed:17:cb:7e: - 50:ff:da:0b:eb:49:1a:66:e6:dd:eb:66:a5:92:ef:68:d5:c9: - 93:8f:aa:c7:2a:92:6b:95:af:3d:74:de:aa:29:fd:c9:53:56: - ad:9f:e0:05:d1:97:0c:01:3b:f1:c6:a6:90:7e:5c:08:11:5e: - c1:77:5d:64:09:56:ea:78:29:15:a3:ea:44:2a:4c:d6:09:a7: - a0:5f:05:54:2a:61:ca:7a:09:07:14:34:c2:0d:c5:93:cd:28: - 8b:62:26:af:30:25:8a:f1:da:65:fa:db:da:84:ab:d5:0c:37: - ae:5d:95:bd:55:2a:4b:09:e0:d3:3d:8b:3c:ea:f2:b9:68:5e: - e6:21:53:8b:28:78:39:f4:bf:9b:dc:92:bc:4b:14:06:fe:17: - 21:64:be:af:20:e8:e7:fb:67:c8:5e:ec:59:bf:27:a4:cb:e3: - 8a:6d:c3:ac + 9a:47:17:70:ff:92:e7:b5:51:a0:d2:5d:f3:e3:dd:90:ec:c9: + 8f:ad:61:74:30:ba:d9:60:ba:5b:cf:da:03:4f:c8:50:5a:f4: + 5e:e0:e3:a0:ce:de:43:6c:56:e0:bc:35:e9:0d:bb:53:0e:22: + 7f:21:42:6c:2a:0f:67:b2:8a:1a:f5:e8:1f:a9:a1:90:11:d0: + ec:18:90:ba:ee:cf:d4:18:28:1b:9c:96:8e:d6:48:bd:6f:66: + 79:df:04:0d:04:d3:13:69:b8:24:15:7c:3b:bc:b9:fc:1d:dd: + cc:45:a5:c1:04:c9:d3:68:a7:de:cd:1e:aa:cc:bd:3d:f4:12: + eb:3d:01:44:11:fd:1d:bd:a0:7a:4c:24:f2:39:78:17:c1:1f: + 8c:b8:ab:01:f3:98:88:ff:bd:2c:1b:43:bb:fe:37:94:65:b4: + 3c:e6:11:8c:5d:36:de:ab:84:a5:6d:30:23:dc:ad:b1:74:24: + 2a:bb:49:f0:37:ef:db:9a:eb:4e:fc:f9:a2:47:06:3a:09:9d: + 4f:c3:c6:dc:18:90:47:42:f4:bc:8d:75:be:7c:c8:d5:47:a6: + bb:c2:1e:55:16:8f:a4:62:cc:1f:7c:cf:5a:b5:41:6d:98:f4: + 15:b9:fc:5a:3e:47:75:a0:f7:b0:df:33:54:a9:7c:f0:da:3c: + 65:c2:e6:1a -----BEGIN CERTIFICATE----- MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu @@ -83,13 +83,13 @@ FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm -MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN -AQELBQADggEBAAxeDVU85/tewgkZyAv0wrIrFHnc6GP2igwDV54VR362FaNxkAER -OUv/PRM05PNbo2xYTwDVxLBjbJDJiahdFocK2ghAErSUAD5EABPeNHWQOHnUwjlt -7RfLflD/2gvrSRpm5t3rZqWS72jVyZOPqscqkmuVrz103qop/clTVq2f4AXRlwwB -O/HGppB+XAgRXsF3XWQJVup4KRWj6kQqTNYJp6BfBVQqYcp6CQcUNMINxZPNKIti -Jq8wJYrx2mX629qEq9UMN65dlb1VKksJ4NM9izzq8rloXuYhU4soeDn0v5vckrxL -FAb+FyFkvq8g6Of7Z8he7Fm/J6TL44ptw6w= +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAJpHF3D/kue1UaDSXfPj3ZDsyY+tYXQwutlgulvP2gNPyFBa9F7g +46DO3kNsVuC8NekNu1MOIn8hQmwqD2eyihr16B+poZAR0OwYkLruz9QYKBuclo7W +SL1vZnnfBA0E0xNpuCQVfDu8ufwd3cxFpcEEydNop97NHqrMvT30Eus9AUQR/R29 +oHpMJPI5eBfBH4y4qwHzmIj/vSwbQ7v+N5RltDzmEYxdNt6rhKVtMCPcrbF0JCq7 +SfA379ua6078+aJHBjoJnU/DxtwYkEdC9LyNdb58yNVHprvCHlUWj6RizB98z1q1 +QW2Y9BW5/Fo+R3Wg97DfM1SpfPDaPGXC5ho= -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -176,11 +176,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/ocsp-responder-cert.pem b/certs/ocsp/ocsp-responder-cert.pem index 90446b51c..9e76a90f8 100644 --- a/certs/ocsp/ocsp-responder-cert.pem +++ b/certs/ocsp/ocsp-responder-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL OCSP Responder/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,27 +44,27 @@ Certificate: X509v3 Extended Key Usage: OCSP Signing Signature Algorithm: sha256WithRSAEncryption - 47:86:d8:ff:a5:6e:18:e4:28:b7:8a:74:f6:81:97:89:be:c7: - cf:8d:1e:15:c2:d3:e1:ff:3e:82:b8:6d:8f:92:c8:a2:55:ff: - df:7a:ed:2b:ee:d5:6f:d3:9e:8e:30:d0:08:d3:6a:39:8f:23: - 45:a3:2d:e6:99:d4:18:49:a3:f9:17:88:b5:68:86:c8:8c:17: - a7:ac:6a:a6:46:6f:b1:a4:6b:f8:8d:e5:d8:68:75:ca:a6:2d: - 36:72:12:0d:1f:12:af:c2:90:e7:bf:4a:3a:f2:02:a0:89:dd: - 6b:f8:92:4b:9b:9c:69:5a:24:a7:3f:9b:b9:8e:60:ef:33:54: - cf:aa:53:01:c2:f9:0d:9d:75:bc:c9:09:0f:40:06:6f:ab:f9: - f2:e7:0d:26:84:24:0c:b0:b2:bb:f0:13:e1:bc:82:e7:48:ce: - 46:d2:36:e6:d9:7a:4e:b3:d3:55:6c:93:a0:6c:1a:83:d5:22: - a1:2c:84:e7:cc:9e:a5:ef:d5:e1:85:36:38:c5:35:a6:87:49: - 74:2c:b0:7c:3d:e7:68:47:5d:46:35:cb:d3:9c:bb:8c:8a:3e: - fd:f9:42:ad:7d:c4:bf:0a:d9:e2:49:04:14:24:11:c1:a4:3d: - 86:93:6e:0c:55:49:ed:3f:f9:82:ec:f8:26:3e:bf:9f:33:21: - 41:55:23:8c + 0a:4e:f7:89:58:26:5f:35:b7:ee:45:2f:2a:a6:ac:37:93:c8: + a8:97:74:6e:64:60:c0:6e:0e:1d:3c:f2:f5:b4:6e:c7:40:c2: + a5:3a:e1:f5:de:7e:73:df:f8:e6:a6:58:2b:bf:4b:8e:0c:fa: + 6f:08:b6:27:da:ad:21:d1:a5:c1:97:1e:fb:5b:06:c7:d5:dc: + 8d:1a:e3:cc:b2:c0:e6:54:f5:dc:b7:58:1a:eb:84:6e:14:c3: + 9a:57:f1:16:c6:ea:f0:e5:5f:e7:cb:f8:d0:86:73:c8:87:83: + d5:91:9d:6d:16:01:f7:8d:84:5e:f4:8d:17:f5:30:a8:94:36: + 4c:2e:33:03:ca:06:17:f0:51:5f:db:ea:65:3f:1f:bb:f6:50: + 26:ac:36:78:3a:8d:03:ab:7d:f9:32:d6:38:7e:6b:3c:93:49: + df:18:d2:5b:25:b6:70:f7:83:a8:b1:18:b8:85:53:c7:b6:be: + fe:30:b8:78:8a:e3:ec:6b:48:ce:41:f5:56:da:52:2a:9f:c9: + 40:62:d3:44:f7:2d:aa:94:94:fa:3e:0f:59:3a:2f:06:92:4f: + d5:3f:2c:3c:0e:79:b7:7c:9f:34:ca:9c:b5:ce:6b:b1:8e:40: + 3a:6f:76:3d:de:18:c9:a5:1a:bb:68:19:2b:7a:58:22:67:8b: + 8d:48:b1:f7 -----BEGIN CERTIFICATE----- MIIEvjCCA6agAwIBAgIBBDANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBnjELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBnjELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMR8wHQYDVQQDDBZ3b2xmU1NMIE9DU1Ag UmVzcG9uZGVyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIBIjAN @@ -80,12 +80,12 @@ CzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0 dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEYMBYG A1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZz c2wuY29tggFjMBMGA1UdJQQMMAoGCCsGAQUFBwMJMA0GCSqGSIb3DQEBCwUAA4IB -AQBHhtj/pW4Y5Ci3inT2gZeJvsfPjR4VwtPh/z6CuG2PksiiVf/feu0r7tVv056O -MNAI02o5jyNFoy3mmdQYSaP5F4i1aIbIjBenrGqmRm+xpGv4jeXYaHXKpi02chIN -HxKvwpDnv0o68gKgid1r+JJLm5xpWiSnP5u5jmDvM1TPqlMBwvkNnXW8yQkPQAZv -q/ny5w0mhCQMsLK78BPhvILnSM5G0jbm2XpOs9NVbJOgbBqD1SKhLITnzJ6l79Xh -hTY4xTWmh0l0LLB8PedoR11GNcvTnLuMij79+UKtfcS/CtniSQQUJBHBpD2Gk24M -VUntP/mC7PgmPr+fMyFBVSOM +AQAKTveJWCZfNbfuRS8qpqw3k8iol3RuZGDAbg4dPPL1tG7HQMKlOuH13n5z3/jm +plgrv0uODPpvCLYn2q0h0aXBlx77WwbH1dyNGuPMssDmVPXct1ga64RuFMOaV/EW +xurw5V/ny/jQhnPIh4PVkZ1tFgH3jYRe9I0X9TColDZMLjMDygYX8FFf2+plPx+7 +9lAmrDZ4Oo0Dq335MtY4fms8k0nfGNJbJbZw94OosRi4hVPHtr7+MLh4iuPsa0jO +QfVW2lIqn8lAYtNE9y2qlJT6Pg9ZOi8Gkk/VPyw8Dnm3fJ80ypy1zmuxjkA6b3Y9 +3hjJpRq7aBkrelgiZ4uNSLH3 -----END CERTIFICATE----- Certificate: Data: @@ -94,8 +94,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -133,30 +133,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -172,11 +172,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/openssl.cnf b/certs/ocsp/openssl.cnf index 71eee9a86..c518d33a5 100644 --- a/certs/ocsp/openssl.cnf +++ b/certs/ocsp/openssl.cnf @@ -8,7 +8,7 @@ basicConstraints = CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://localhost:22221 +authorityInfoAccess = OCSP;URI:http://127.0.0.1:22221 # Extensions to add to a certificate request (intermediate2-ca) [ v3_req2 ] @@ -16,7 +16,7 @@ basicConstraints = CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://localhost:22222 +authorityInfoAccess = OCSP;URI:http://127.0.0.1:22222 # Extensions to add to a certificate request (intermediate3-ca) [ v3_req3 ] @@ -24,7 +24,7 @@ basicConstraints = CA:false subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = nonRepudiation, digitalSignature, keyEncipherment -authorityInfoAccess = OCSP;URI:http://localhost:22223 +authorityInfoAccess = OCSP;URI:http://127.0.0.1:22223 # Extensions for a typical CA [ v3_ca ] @@ -32,7 +32,7 @@ basicConstraints = CA:true subjectKeyIdentifier = hash authorityKeyIdentifier = keyid:always,issuer:always keyUsage = keyCertSign, cRLSign -authorityInfoAccess = OCSP;URI:http://localhost:22220 +authorityInfoAccess = OCSP;URI:http://127.0.0.1:22220 # OCSP extensions. [ v3_ocsp ] diff --git a/certs/ocsp/root-ca-cert.pem b/certs/ocsp/root-ca-cert.pem index 9d68f8197..b62a03c7a 100644 --- a/certs/ocsp/root-ca-cert.pem +++ b/certs/ocsp/root-ca-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -83,11 +83,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/server1-cert.pem b/certs/ocsp/server1-cert.pem index eab440bdf..1226f27aa 100644 --- a/certs/ocsp/server1-cert.pem +++ b/certs/ocsp/server1-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www1.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Authority Information Access: - OCSP - URI:http://localhost:22221 + OCSP - URI:http://127.0.0.1:22221 Signature Algorithm: sha256WithRSAEncryption - cc:2e:e2:e4:a8:f6:e8:73:e4:e8:d9:ee:05:e6:2c:a9:0f:54: - d5:b0:be:ce:20:a6:12:38:63:b8:19:32:c1:12:2f:d4:ee:a5: - 73:2b:72:5c:ad:c7:ed:d7:a4:5e:97:d2:a4:fd:9e:db:3d:e0: - df:a2:96:a9:36:c8:e3:f9:93:d6:84:dc:ad:a4:5f:1e:d4:af: - de:b4:05:9a:e5:ac:c6:b4:f4:9b:69:a0:e8:81:28:32:d7:a0: - 83:1b:2d:18:92:87:33:3f:23:11:11:f5:c9:01:11:35:de:44: - 8d:1d:6b:c4:3a:20:72:64:5d:c1:59:60:cb:5c:3b:ca:a0:27: - ab:e6:6c:ac:31:ec:a9:3a:a0:ec:10:e5:48:34:9b:d3:1c:9e: - 1e:93:2a:ba:47:40:b6:5d:45:c4:b9:cb:d6:63:5b:1a:70:26: - 23:f6:0a:41:53:de:ba:02:db:df:ce:df:6d:7a:9c:85:55:a4: - 01:3e:f5:d1:9c:4a:59:bf:1f:f5:83:fa:92:9a:3d:80:4d:49: - aa:f6:92:5f:94:ee:ef:38:b3:71:9f:96:30:7d:b2:d2:8d:bb: - 16:ed:e1:6f:cd:8e:4e:d2:e0:5b:59:5c:dd:95:de:9f:69:63: - d4:b2:54:52:51:40:e5:50:5c:4b:1c:5e:51:5b:10:b7:19:1f: - 31:08:70:cb + 05:65:8d:f5:fa:47:b1:4d:b9:9b:86:b0:18:9d:c8:94:64:7d: + 16:5e:69:69:bb:62:06:9d:8c:be:4f:83:22:f1:0a:7d:ae:f5: + ca:68:78:63:b2:bc:43:12:4f:d3:eb:ce:30:82:d6:be:81:c0: + 68:f4:3b:97:5f:3a:2c:88:62:36:0b:83:1d:ba:56:b1:06:65: + cd:4d:ac:1d:92:3f:73:77:10:5b:17:44:1f:66:cf:a8:f2:1f: + 18:29:c0:5f:20:b6:cb:15:d4:35:b1:b0:a6:41:a8:6e:f0:29: + 83:28:3b:4a:68:e5:b7:42:2f:b4:8a:96:ed:65:84:de:0b:72: + 6f:2b:91:10:56:7f:cd:89:5e:22:30:cc:5a:df:39:88:a9:ea: + af:1d:ba:9a:8a:3d:61:a6:c7:45:2d:ce:9f:76:f9:b2:45:9d: + 19:68:5d:e7:d6:3e:32:0e:65:83:79:63:81:0e:b5:44:51:47: + 9c:a7:6a:c1:5a:04:36:f3:b9:be:4d:76:80:55:2a:76:cd:61: + 15:c1:1a:5f:1f:62:b5:0f:ad:7f:48:66:81:eb:7a:04:b4:0a: + 92:a4:40:ff:bf:59:34:86:5c:1b:79:10:b4:d4:09:fa:45:3d: + 4f:bf:4c:30:b3:18:f2:b9:e9:8d:7c:5f:c0:67:ea:94:fb:ac: + 2e:90:ef:0d -----BEGIN CERTIFICATE----- MIIE7jCCA9agAwIBAgIBBTANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 MS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC @@ -83,13 +83,13 @@ MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB -AQDMLuLkqPboc+To2e4F5iypD1TVsL7OIKYSOGO4GTLBEi/U7qVzK3Jcrcft16Re -l9Kk/Z7bPeDfopapNsjj+ZPWhNytpF8e1K/etAWa5azGtPSbaaDogSgy16CDGy0Y -koczPyMREfXJARE13kSNHWvEOiByZF3BWWDLXDvKoCer5mysMeypOqDsEOVINJvT -HJ4ekyq6R0C2XUXEucvWY1sacCYj9gpBU966Atvfzt9tepyFVaQBPvXRnEpZvx/1 -g/qSmj2ATUmq9pJflO7vOLNxn5YwfbLSjbsW7eFvzY5O0uBbWVzdld6faWPUslRS -UUDlUFxLHF5RWxC3GR8xCHDL +AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQAFZY31+kexTbmbhrAYnciUZH0WXmlpu2IGnYy+T4Mi8Qp9rvXKaHhjsrxDEk/T +684wgta+gcBo9DuXXzosiGI2C4MdulaxBmXNTawdkj9zdxBbF0QfZs+o8h8YKcBf +ILbLFdQ1sbCmQahu8CmDKDtKaOW3Qi+0ipbtZYTeC3JvK5EQVn/NiV4iMMxa3zmI +qeqvHbqaij1hpsdFLc6fdvmyRZ0ZaF3n1j4yDmWDeWOBDrVEUUecp2rBWgQ287m+ +TXaAVSp2zWEVwRpfH2K1D61/SGaB63oEtAqSpED/v1k0hlwbeRC01An6RT1Pv0ww +sxjyuemNfF/AZ+qU+6wukO8N -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: - c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: - 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: - fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: - 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: - 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: - 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: - 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: - f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: - ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: - 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: - 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: - 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: - e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: - 49:be:30:c1 + 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1: + 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7: + 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8: + 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1: + e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17: + 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b: + 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2: + af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6: + 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7: + 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56: + 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7: + a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c: + 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75: + 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8: + bb:4b:1f:aa -----BEGIN CERTIFICATE----- MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB @@ -176,13 +176,13 @@ gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI -KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD -ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ -KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt -OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO -DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe -2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR -0iqUR3W1gPLogzTMfyKKnkm+MME= +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9 +jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg +iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw +0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC +LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt +JMjGmMN/2B1Pxa7gso71qLtLH6o= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -230,30 +230,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/server2-cert.pem b/certs/ocsp/server2-cert.pem index 8aa20085f..51c56fd40 100644 --- a/certs/ocsp/server2-cert.pem +++ b/certs/ocsp/server2-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www2.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Authority Information Access: - OCSP - URI:http://localhost:22221 + OCSP - URI:http://127.0.0.1:22221 Signature Algorithm: sha256WithRSAEncryption - 84:39:12:8b:3b:47:c1:57:60:70:5d:21:e4:1f:60:33:20:94: - ab:7d:50:62:55:bf:cc:78:13:40:9d:40:75:14:55:d5:71:e8: - 8a:26:3d:4a:85:94:02:6f:be:1c:84:69:6b:03:9d:74:a7:8c: - f1:0e:e4:4e:79:e3:fc:bd:1f:c7:fb:d6:bb:6e:aa:55:7f:ac: - 6f:da:84:08:b0:97:ef:24:d5:a3:d9:c1:67:78:08:7d:05:18: - c0:58:50:e8:fc:20:65:c6:0a:4e:3a:81:7a:64:0b:81:be:12: - 87:33:18:85:d3:e3:c3:ba:b5:b0:03:9a:16:e3:01:ae:a9:9a: - 9a:ea:84:5f:0e:5c:dd:d4:16:b8:38:e2:63:0a:4f:75:5f:44: - 0b:60:08:f3:d4:df:32:cf:5b:f9:7b:a0:b1:ba:ae:ed:0f:a1: - c5:71:6b:1a:19:13:b7:5f:18:e8:97:51:a2:d3:66:52:b9:8b: - 0e:47:22:c9:61:17:94:80:7c:3d:39:6f:5a:58:18:7b:2e:42: - ea:20:fa:67:58:bf:4c:58:7e:e8:c0:3d:15:08:96:84:57:a8: - 6c:66:58:9d:93:30:64:93:28:7e:cc:1b:a2:e4:f7:d8:69:9c: - 19:07:9f:90:7f:53:a8:4f:59:86:a2:0a:87:c7:35:3d:b7:9d: - 51:61:51:69 + dd:b6:17:51:62:83:8d:32:7f:2f:21:2f:0a:ea:6b:3f:f0:c9: + 59:9d:1e:4b:82:7d:aa:1d:6d:a8:f5:c0:20:78:a8:fd:a3:ca: + cb:1f:2b:99:28:97:d2:ce:71:48:95:82:ee:e4:a4:d9:32:75: + 7f:1d:b2:97:8d:5c:3c:96:9a:b9:4c:05:fe:d1:af:81:4a:25: + c5:66:a1:f3:c7:0e:f3:76:db:3d:a2:87:7e:5c:c4:0a:d3:d3: + 97:a1:7c:46:fc:94:2c:dc:0a:7e:a1:b2:f2:7f:c7:cb:d9:7a: + c2:fa:8d:5b:4a:75:c0:e4:dc:57:4b:84:2a:5a:84:35:13:7b: + 15:49:a0:e8:9e:d8:1d:90:a4:99:4e:a4:dd:fc:ba:d3:f5:12: + aa:36:f2:87:04:b4:09:04:6f:94:a1:18:3e:46:ce:ae:55:f4: + 0f:d8:26:ee:11:cf:d4:8e:e5:33:da:17:e2:ad:43:05:50:e2: + 38:c7:d2:15:18:23:f0:fa:cd:cc:b3:e9:ea:00:5a:af:29:90: + 6a:69:8c:ba:c8:f7:84:84:57:0d:80:b1:10:2c:bd:9d:33:42: + 6d:f1:58:d5:b4:6a:79:e4:26:8f:41:ef:a2:b5:84:6b:c2:6d: + be:5e:76:8f:29:25:13:e8:ba:dd:aa:64:3e:74:bc:90:2d:aa: + bb:1a:cd:c9 -----BEGIN CERTIFICATE----- MIIE7jCCA9agAwIBAgIBBjANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM IGludGVybWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 Mi53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC @@ -83,13 +83,13 @@ MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 b2xmc3NsLmNvbYIBATALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB -AQCEORKLO0fBV2BwXSHkH2AzIJSrfVBiVb/MeBNAnUB1FFXVceiKJj1KhZQCb74c -hGlrA510p4zxDuROeeP8vR/H+9a7bqpVf6xv2oQIsJfvJNWj2cFneAh9BRjAWFDo -/CBlxgpOOoF6ZAuBvhKHMxiF0+PDurWwA5oW4wGuqZqa6oRfDlzd1Ba4OOJjCk91 -X0QLYAjz1N8yz1v5e6Cxuq7tD6HFcWsaGRO3Xxjol1Gi02ZSuYsORyLJYReUgHw9 -OW9aWBh7LkLqIPpnWL9MWH7owD0VCJaEV6hsZlidkzBkkyh+zBui5PfYaZwZB5+Q -f1OoT1mGogqHxzU9t51RYVFp +AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIxMA0GCSqGSIb3DQEBCwUAA4IB +AQDdthdRYoONMn8vIS8K6ms/8MlZnR5Lgn2qHW2o9cAgeKj9o8rLHyuZKJfSznFI +lYLu5KTZMnV/HbKXjVw8lpq5TAX+0a+BSiXFZqHzxw7zdts9ood+XMQK09OXoXxG +/JQs3Ap+obLyf8fL2XrC+o1bSnXA5NxXS4QqWoQ1E3sVSaDontgdkKSZTqTd/LrT +9RKqNvKHBLQJBG+UoRg+Rs6uVfQP2CbuEc/UjuUz2hfirUMFUOI4x9IVGCPw+s3M +s+nqAFqvKZBqaYy6yPeEhFcNgLEQLL2dM0Jt8VjVtGp55CaPQe+itYRrwm2+XnaP +KSUT6LrdqmQ+dLyQLaq7Gs3J -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 1/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 1e:07:eb:03:66:a7:54:e8:c5:e1:fe:c9:08:58:91:d8:1b:d6: - c8:69:a5:65:03:a3:1a:f4:eb:9d:cd:4a:c1:9d:cd:ac:39:0b: - 49:09:e7:9c:0f:12:cb:3f:29:e1:9c:d1:f4:68:14:02:2e:d3: - fe:3d:63:3c:26:80:38:91:03:c3:52:52:9e:66:4d:59:d1:80: - 97:eb:91:99:5f:e7:d5:8e:e7:c4:c0:d3:f3:12:2e:c9:05:3a: - 54:ed:38:f3:6f:f3:ae:74:18:47:b5:25:c6:e3:44:8c:27:bd: - 3f:bc:e3:f1:0e:e4:50:ff:4c:ec:30:d6:0d:9f:8f:d0:f6:be: - 43:73:94:8f:48:97:38:7c:e8:8a:53:fd:02:4e:0f:2c:14:53: - f4:4c:80:8a:09:b2:b8:a8:0e:11:75:a6:15:6a:5f:c8:06:7b: - ff:a3:76:d0:e8:70:0a:e0:b1:6d:88:54:06:c2:04:f9:81:b0: - 77:af:a4:80:1b:88:64:5e:db:ff:36:dc:e8:d2:7b:4e:55:40: - 3c:f7:cd:33:f9:66:59:2e:9c:18:c7:50:e6:b5:b9:c1:94:3b: - 78:46:05:a6:24:41:2a:28:b5:e8:92:d0:0d:47:18:e8:cc:6e: - e8:11:d2:2a:94:47:75:b5:80:f2:e8:83:34:cc:7f:22:8a:9e: - 49:be:30:c1 + 0f:a2:19:93:09:2f:c8:c5:91:62:2b:1e:9c:69:93:ea:5f:f1: + 5e:b8:15:8e:0f:c9:82:08:3a:6b:60:3f:ad:1b:fa:47:94:a7: + 31:33:34:6c:cf:09:63:fd:8c:de:62:c4:2e:5f:71:19:2e:a8: + 96:63:37:16:e7:bf:37:67:2d:46:36:72:d0:e4:03:a7:89:a1: + e4:4c:2f:76:31:79:0d:84:ae:c8:61:cf:98:03:2f:12:fc:17: + 60:60:88:b0:96:a0:a8:59:f5:96:1d:3d:1e:e0:c0:26:fd:1b: + 3e:42:73:ad:1d:39:0f:ff:d9:f0:71:52:e3:9a:9b:7a:b4:a2: + af:50:e7:33:7f:66:40:65:bd:31:0c:c9:21:b0:d1:3f:df:b6: + 77:e5:05:ca:24:b9:72:c9:82:c6:9f:be:12:f6:5d:39:34:b7: + 20:df:e1:24:c3:b2:fe:98:b6:d3:6c:3e:43:62:6b:e2:6d:56: + 65:99:3e:aa:2e:a8:cb:82:2d:9b:11:da:8a:b6:63:20:12:c7: + a0:5b:5d:5b:09:29:47:50:ad:4e:1f:68:29:d2:d9:0e:5f:5c: + 83:e8:e6:fd:c7:e5:f9:14:0d:14:8e:6e:34:dd:4f:ec:01:75: + 54:2d:24:c8:c6:98:c3:7f:d8:1d:4f:c5:ae:e0:b2:8e:f5:a8: + bb:4b:1f:aa -----BEGIN CERTIFICATE----- MIIE8DCCA9igAwIBAgIBATANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy bWVkaWF0ZSBDQSAxMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB @@ -176,13 +176,13 @@ gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI -KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD -ggEBAB4H6wNmp1ToxeH+yQhYkdgb1shppWUDoxr0653NSsGdzaw5C0kJ55wPEss/ -KeGc0fRoFAIu0/49YzwmgDiRA8NSUp5mTVnRgJfrkZlf59WO58TA0/MSLskFOlTt -OPNv8650GEe1JcbjRIwnvT+84/EO5FD/TOww1g2fj9D2vkNzlI9Ilzh86IpT/QJO -DywUU/RMgIoJsrioDhF1phVqX8gGe/+jdtDocArgsW2IVAbCBPmBsHevpIAbiGRe -2/823OjSe05VQDz3zTP5ZlkunBjHUOa1ucGUO3hGBaYkQSooteiS0A1HGOjMbugR -0iqUR3W1gPLogzTMfyKKnkm+MME= +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAA+iGZMJL8jFkWIrHpxpk+pf8V64FY4PyYIIOmtgP60b+keUpzEzNGzPCWP9 +jN5ixC5fcRkuqJZjNxbnvzdnLUY2ctDkA6eJoeRML3YxeQ2Ershhz5gDLxL8F2Bg +iLCWoKhZ9ZYdPR7gwCb9Gz5Cc60dOQ//2fBxUuOam3q0oq9Q5zN/ZkBlvTEMySGw +0T/ftnflBcokuXLJgsafvhL2XTk0tyDf4STDsv6YttNsPkNia+JtVmWZPqouqMuC +LZsR2oq2YyASx6BbXVsJKUdQrU4faCnS2Q5fXIPo5v3H5fkUDRSObjTdT+wBdVQt +JMjGmMN/2B1Pxa7gso71qLtLH6o= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -230,30 +230,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/server3-cert.pem b/certs/ocsp/server3-cert.pem index f707abecf..7f1873535 100644 --- a/certs/ocsp/server3-cert.pem +++ b/certs/ocsp/server3-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www3.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Authority Information Access: - OCSP - URI:http://localhost:22222 + OCSP - URI:http://127.0.0.1:22222 Signature Algorithm: sha256WithRSAEncryption - 12:62:57:58:a4:74:c0:b3:f1:d7:63:8b:1d:ba:79:99:88:76: - 5f:88:3b:e3:53:8d:d3:88:d0:98:91:3b:72:31:e9:03:5d:d5: - 1d:fe:6a:59:e8:a0:46:5b:4a:5a:3c:ce:60:27:00:36:68:49: - 35:22:cd:16:01:5f:94:67:5e:80:1a:2f:a6:21:4b:1a:d2:f8: - 70:ba:39:0f:d4:54:44:c8:6d:f4:1c:bc:fa:b3:72:32:e5:56: - 18:b8:c0:4c:98:21:56:36:a3:83:94:60:a9:a1:de:8c:7d:22: - 46:40:ac:92:7c:4a:44:6c:24:36:78:ab:f6:93:4f:44:f6:82: - 2e:ba:bc:7f:45:c2:51:be:fa:05:bb:d1:8a:95:84:38:f0:1d: - c7:66:8d:5e:44:05:26:48:b2:bd:4e:56:7a:17:28:b2:fa:3a: - 25:ce:7e:83:9a:ee:76:b0:02:54:a3:65:78:7c:7b:1e:49:ad: - 7f:65:5e:a8:cc:59:1e:fb:61:27:b6:3f:df:31:11:49:06:01: - 58:55:84:35:3e:f6:db:5a:e9:fd:2f:0a:b0:f7:c7:fb:d9:59: - 86:c6:cd:0c:f2:a6:f9:0a:ef:4b:ab:ca:a6:16:b4:df:0f:0d: - c6:d1:32:4f:0d:f9:a8:2a:28:a1:be:e2:c3:62:7e:74:90:58: - bc:67:89:20 + 3a:2f:11:d6:45:96:cc:68:80:ed:dd:25:1f:1c:b2:b2:c8:42: + 71:11:ed:3b:f8:69:73:d3:bc:49:38:0e:5f:f8:bb:a1:69:a0: + fe:bd:a0:6f:c2:68:74:4c:c8:c0:cc:00:83:6b:b2:c3:15:3c: + bb:08:51:3e:2a:36:2e:f7:48:00:a0:74:11:b7:db:00:56:82: + 52:17:94:b1:a6:a8:82:c7:33:ac:20:ef:3d:93:e2:56:01:62: + 99:d4:c4:8e:4b:4d:bf:36:1e:f7:bb:83:85:81:6d:46:fb:8d: + c2:12:99:87:ae:7a:fd:83:3c:df:7b:51:12:79:44:4f:df:17: + 74:d5:d9:ab:19:d3:49:8b:33:4c:82:e4:83:1a:4d:fa:d3:84: + ea:37:86:58:77:93:41:2e:f9:30:3a:09:d6:72:3a:aa:d8:e7: + 13:f6:2f:80:7a:47:fc:c8:c2:98:34:07:ca:ed:21:c5:3f:21: + fb:f2:1a:4c:cb:ff:fb:db:7d:6c:1b:f2:4a:1d:58:43:8f:58: + 3c:c8:de:80:c8:79:fa:0a:97:a1:02:a8:5b:b6:96:ed:b7:24: + 9e:ac:79:b6:e1:e6:3f:f1:66:8e:4d:22:47:a2:df:90:f2:d1: + 0a:3c:be:bb:ce:34:46:e5:c2:13:50:e9:8c:49:e7:31:51:73: + c3:b1:b5:03 -----BEGIN CERTIFICATE----- MIIE7jCCA9agAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 My53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC @@ -83,13 +83,13 @@ MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB -AQASYldYpHTAs/HXY4sdunmZiHZfiDvjU43TiNCYkTtyMekDXdUd/mpZ6KBGW0pa -PM5gJwA2aEk1Is0WAV+UZ16AGi+mIUsa0vhwujkP1FREyG30HLz6s3Iy5VYYuMBM -mCFWNqODlGCpod6MfSJGQKySfEpEbCQ2eKv2k09E9oIuurx/RcJRvvoFu9GKlYQ4 -8B3HZo1eRAUmSLK9TlZ6Fyiy+jolzn6Dmu52sAJUo2V4fHseSa1/ZV6ozFke+2En -tj/fMRFJBgFYVYQ1PvbbWun9Lwqw98f72VmGxs0M8qb5Cu9Lq8qmFrTfDw3G0TJP -DfmoKiihvuLDYn50kFi8Z4kg +AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB +AQA6LxHWRZbMaIDt3SUfHLKyyEJxEe07+Glz07xJOA5f+LuhaaD+vaBvwmh0TMjA +zACDa7LDFTy7CFE+KjYu90gAoHQRt9sAVoJSF5SxpqiCxzOsIO89k+JWAWKZ1MSO +S02/Nh73u4OFgW1G+43CEpmHrnr9gzzfe1ESeURP3xd01dmrGdNJizNMguSDGk36 +04TqN4ZYd5NBLvkwOgnWcjqq2OcT9i+Aekf8yMKYNAfK7SHFPyH78hpMy//7231s +G/JKHVhDj1g8yN6AyHn6CpehAqhbtpbttySerHm24eY/8WaOTSJHot+Q8tEKPL67 +zjRG5cITUOmMSecxUXPDsbUD -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: - c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: - d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: - ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: - 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: - b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: - 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: - 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: - 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: - 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: - 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: - 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: - e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: - 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: - 53:95:72:29 + 1d:d6:14:6c:f5:cc:f9:c9:0d:c4:27:c1:50:49:ab:d7:39:6e: + 86:31:cf:67:99:c0:5d:37:d0:14:ee:d8:e3:da:17:a5:82:c2: + 25:86:33:28:0d:f6:ca:6b:7a:c7:72:f1:d8:b9:20:27:ee:0c: + 7d:77:e5:8b:03:46:9a:f8:99:6a:8e:57:1a:c9:a2:b1:79:d6: + b6:b6:e5:1a:39:80:2e:88:2b:17:c8:b9:36:37:38:58:8a:f0: + 62:68:97:25:b5:7a:62:5c:4d:22:2c:30:62:0c:11:f0:4d:70: + 95:c7:2d:9e:ab:c5:ef:2e:a4:29:25:8b:e2:e4:d2:9d:2c:5e: + 60:79:36:98:13:a8:38:6c:00:0d:6a:f0:11:3c:3f:d8:f9:6b: + 16:d1:61:f9:db:53:56:02:43:56:a8:01:3b:88:77:91:a5:6e: + a0:ab:2c:6c:e6:ec:cf:ff:5a:07:94:ea:49:92:d4:87:98:f8: + 89:f0:f7:4f:77:b0:df:c9:89:03:76:d9:31:30:86:f7:e9:8a: + 74:fa:f2:b2:f3:4d:f7:43:41:48:9c:1f:db:ea:23:e3:1e:4c: + 15:76:92:e0:f8:ce:71:35:fd:25:f0:97:cd:99:5d:2c:af:33: + 64:5e:bd:be:35:e3:53:78:6c:10:c8:0e:cc:83:e5:d9:2e:7a: + d9:6d:52:95 -----BEGIN CERTIFICATE----- MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB @@ -176,13 +176,13 @@ gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI -KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD -ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 -oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch -wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ -2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk -xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN -K2lpzYEnY+gtVSoA3gsVLFOVcik= +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB3WFGz1zPnJDcQnwVBJq9c5boYxz2eZwF030BTu2OPaF6WCwiWGMygN9spr +esdy8di5ICfuDH135YsDRpr4mWqOVxrJorF51ra25Ro5gC6IKxfIuTY3OFiK8GJo +lyW1emJcTSIsMGIMEfBNcJXHLZ6rxe8upCkli+Lk0p0sXmB5NpgTqDhsAA1q8BE8 +P9j5axbRYfnbU1YCQ1aoATuId5GlbqCrLGzm7M//WgeU6kmS1IeY+Inw9093sN/J +iQN22TEwhvfpinT68rLzTfdDQUicH9vqI+MeTBV2kuD4znE1/SXwl82ZXSyvM2Re +vb4141N4bBDIDsyD5dkuetltUpU= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -230,30 +230,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/server4-cert.pem b/certs/ocsp/server4-cert.pem index a73be3fea..d9909f676 100644 --- a/certs/ocsp/server4-cert.pem +++ b/certs/ocsp/server4-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www4.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Authority Information Access: - OCSP - URI:http://localhost:22222 + OCSP - URI:http://127.0.0.1:22222 Signature Algorithm: sha256WithRSAEncryption - 4e:d7:ac:3b:e2:2a:7c:2d:17:95:15:60:7d:d9:59:5f:53:9d: - d7:e4:8d:cf:9d:34:db:ea:e9:6b:1d:8c:d4:6e:4b:df:53:30: - 3f:8e:5b:65:2e:e6:bb:7b:96:b1:2e:9b:65:fa:72:a8:eb:97: - af:47:33:f5:ae:0b:9b:6f:d6:25:9e:60:e4:b2:e5:88:3b:64: - 26:8c:d4:8b:d5:4b:6b:85:23:c3:08:06:ca:b5:d3:88:f3:6b: - 19:be:16:c0:a6:a3:68:25:4b:68:a2:be:a0:38:51:7b:6f:7d: - a7:74:5f:1a:57:cd:29:01:4c:33:e4:52:bf:b9:f9:52:4e:c5: - a1:85:16:90:e3:c4:26:d7:b2:db:07:75:78:1f:90:99:db:cc: - 18:da:7d:58:af:52:e3:67:6a:8f:d2:33:f3:07:7f:da:09:24: - 54:03:cd:9a:ef:8f:15:f2:11:a9:42:71:d6:0b:6b:c8:76:f4: - 62:65:8c:d8:d3:10:19:af:34:9d:01:86:05:02:59:e8:4b:03: - 6d:06:0d:c4:98:38:b5:f2:85:65:29:74:2a:c2:c6:47:8b:e1: - 0e:d4:ee:9b:5d:a6:a5:55:8d:b0:e7:61:55:de:2e:30:50:cf: - 51:ba:c1:64:c0:3a:d0:55:73:fe:3c:79:e8:d7:33:0c:7e:a2: - dc:df:45:ad + 33:15:a7:22:85:5d:69:97:b2:33:1b:39:8f:0b:0f:57:d6:84: + 99:eb:53:e9:35:14:a2:93:9c:11:45:01:6e:45:c7:5b:b7:fc: + 7c:2c:a9:e5:34:0f:f2:79:26:a0:4b:99:f8:16:ec:f1:e1:15: + 2c:09:d5:f9:7f:c5:8a:ef:16:d7:85:e6:d4:87:35:cd:9d:a2: + 6f:c6:f6:39:f6:b7:57:1d:e8:bf:01:71:d5:0b:8d:99:db:84: + ab:39:36:24:80:bd:ef:ca:04:2d:f1:fa:fa:a9:4e:e1:e1:28: + 58:0c:81:8e:ed:2f:f8:41:91:2d:49:2d:05:55:6d:fd:c1:47: + 01:a9:f8:92:13:29:62:7b:a6:7d:f0:04:dd:54:9b:e2:23:95: + 63:91:2c:16:10:b1:af:5a:5e:e4:fc:6d:94:76:bb:2a:1f:c2: + 12:01:8e:7f:1e:22:d7:71:e0:60:5b:af:a2:25:b8:bd:7e:88: + fe:46:17:63:8c:b7:71:db:da:74:17:4e:8e:c6:93:9c:73:77: + 4d:6e:9c:75:75:7b:76:fe:6b:ad:00:7a:58:da:c0:f4:2a:be: + ef:88:74:5a:80:3f:79:9b:b7:1e:e8:5f:0c:da:b3:27:bb:1f: + aa:dd:ad:cb:4f:00:fe:c6:fe:c2:44:06:49:01:4f:a8:ff:24: + 64:6b:ae:9a -----BEGIN CERTIFICATE----- MIIE7jCCA9agAwIBAgIBCDANBgkqhkiG9w0BAQsFADCBoTELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NM IGludGVybWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJBgNVBAYT +Y29tMB4XDTE1MTIzMDE5MTI0NloXDTE4MDkyNTE5MTI0NlowgZgxCzAJBgNVBAYT AlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxlMRAwDgYD VQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UEAwwQd3d3 NC53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTCC @@ -83,13 +83,13 @@ MIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4GA1UEBwwH U2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5lZXJpbmcx GDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3 b2xmc3NsLmNvbYIBAjALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAkMCIGCCsG -AQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB -AQBO16w74ip8LReVFWB92VlfU53X5I3PnTTb6ulrHYzUbkvfUzA/jltlLua7e5ax -Lptl+nKo65evRzP1rgubb9YlnmDksuWIO2QmjNSL1UtrhSPDCAbKtdOI82sZvhbA -pqNoJUtoor6gOFF7b32ndF8aV80pAUwz5FK/uflSTsWhhRaQ48Qm17LbB3V4H5CZ -28wY2n1Yr1LjZ2qP0jPzB3/aCSRUA82a748V8hGpQnHWC2vIdvRiZYzY0xAZrzSd -AYYFAlnoSwNtBg3EmDi18oVlKXQqwsZHi+EO1O6bXaalVY2w52FV3i4wUM9RusFk -wDrQVXP+PHno1zMMfqLc30Wt +AQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIyMA0GCSqGSIb3DQEBCwUAA4IB +AQAzFacihV1pl7IzGzmPCw9X1oSZ61PpNRSik5wRRQFuRcdbt/x8LKnlNA/yeSag +S5n4Fuzx4RUsCdX5f8WK7xbXhebUhzXNnaJvxvY59rdXHei/AXHVC42Z24SrOTYk +gL3vygQt8fr6qU7h4ShYDIGO7S/4QZEtSS0FVW39wUcBqfiSEylie6Z98ATdVJvi +I5VjkSwWELGvWl7k/G2UdrsqH8ISAY5/HiLXceBgW6+iJbi9foj+RhdjjLdx29p0 +F06OxpOcc3dNbpx1dXt2/mutAHpY2sD0Kr7viHRagD95m7ce6F8M2rMnux+q3a3L +TwD+xv7CRAZJAU+o/yRka66a -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL intermediate CA 2/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 6a:f5:af:1f:f7:43:ef:10:74:6d:1f:e5:2e:72:5f:d1:84:40: - c8:60:79:b7:66:2e:46:39:bf:95:ca:fe:83:0a:8a:f4:52:6e: - d2:d3:a5:54:7b:0c:29:35:a0:75:7a:e5:35:5d:99:0a:d9:13: - ca:80:46:a0:a2:6d:d5:c4:ff:0c:d5:da:ec:54:86:df:ce:a7: - 92:1a:c7:f6:12:74:04:74:9f:06:39:82:b1:1e:af:47:de:b5: - b7:21:c1:3b:22:27:e3:d0:3f:70:d3:27:1c:63:e0:01:12:80: - 20:e7:ac:6c:f0:8f:7a:72:54:8a:21:2d:0e:17:6c:9d:01:fd: - 42:96:e1:7a:d5:43:d5:65:9b:0b:7c:dd:b6:90:da:cc:3c:d7: - 7a:d3:e2:63:07:e3:96:a7:96:84:d6:0c:9e:31:e0:72:cd:91: - 54:cf:16:38:af:c8:23:04:ce:98:2c:61:11:28:70:d7:34:69: - 55:b7:e0:5b:87:a6:c4:a4:c5:bf:8f:e0:04:5d:e4:14:22:04: - 21:a1:9b:01:19:50:29:03:9d:81:be:e4:ba:4d:68:1c:2f:e4: - e6:05:02:c2:e7:b4:ef:45:be:80:dc:a3:86:58:cf:02:cf:6a: - 69:8d:2b:69:69:cd:81:27:63:e8:2d:55:2a:00:de:0b:15:2c: - 53:95:72:29 + 1d:d6:14:6c:f5:cc:f9:c9:0d:c4:27:c1:50:49:ab:d7:39:6e: + 86:31:cf:67:99:c0:5d:37:d0:14:ee:d8:e3:da:17:a5:82:c2: + 25:86:33:28:0d:f6:ca:6b:7a:c7:72:f1:d8:b9:20:27:ee:0c: + 7d:77:e5:8b:03:46:9a:f8:99:6a:8e:57:1a:c9:a2:b1:79:d6: + b6:b6:e5:1a:39:80:2e:88:2b:17:c8:b9:36:37:38:58:8a:f0: + 62:68:97:25:b5:7a:62:5c:4d:22:2c:30:62:0c:11:f0:4d:70: + 95:c7:2d:9e:ab:c5:ef:2e:a4:29:25:8b:e2:e4:d2:9d:2c:5e: + 60:79:36:98:13:a8:38:6c:00:0d:6a:f0:11:3c:3f:d8:f9:6b: + 16:d1:61:f9:db:53:56:02:43:56:a8:01:3b:88:77:91:a5:6e: + a0:ab:2c:6c:e6:ec:cf:ff:5a:07:94:ea:49:92:d4:87:98:f8: + 89:f0:f7:4f:77:b0:df:c9:89:03:76:d9:31:30:86:f7:e9:8a: + 74:fa:f2:b2:f3:4d:f7:43:41:48:9c:1f:db:ea:23:e3:1e:4c: + 15:76:92:e0:f8:ce:71:35:fd:25:f0:97:cd:99:5d:2c:af:33: + 64:5e:bd:be:35:e3:53:78:6c:10:c8:0e:cc:83:e5:d9:2e:7a: + d9:6d:52:95 -----BEGIN CERTIFICATE----- MIIE8DCCA9igAwIBAgIBAjANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBoTELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBoTELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSIwIAYDVQQDDBl3b2xmU1NMIGludGVy bWVkaWF0ZSBDQSAyMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wuY29tMIIB @@ -176,13 +176,13 @@ gZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQH DAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmlu ZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkBFhBpbmZv QHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQmMCQwIgYI -KwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcNAQELBQAD -ggEBAGr1rx/3Q+8QdG0f5S5yX9GEQMhgebdmLkY5v5XK/oMKivRSbtLTpVR7DCk1 -oHV65TVdmQrZE8qARqCibdXE/wzV2uxUht/Op5Iax/YSdAR0nwY5grEer0fetbch -wTsiJ+PQP3DTJxxj4AESgCDnrGzwj3pyVIohLQ4XbJ0B/UKW4XrVQ9Vlmwt83baQ -2sw813rT4mMH45anloTWDJ4x4HLNkVTPFjivyCMEzpgsYREocNc0aVW34FuHpsSk -xb+P4ARd5BQiBCGhmwEZUCkDnYG+5LpNaBwv5OYFAsLntO9FvoDco4ZYzwLPammN -K2lpzYEnY+gtVSoA3gsVLFOVcik= +KwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcNAQELBQAD +ggEBAB3WFGz1zPnJDcQnwVBJq9c5boYxz2eZwF030BTu2OPaF6WCwiWGMygN9spr +esdy8di5ICfuDH135YsDRpr4mWqOVxrJorF51ra25Ro5gC6IKxfIuTY3OFiK8GJo +lyW1emJcTSIsMGIMEfBNcJXHLZ6rxe8upCkli+Lk0p0sXmB5NpgTqDhsAA1q8BE8 +P9j5axbRYfnbU1YCQ1aoATuId5GlbqCrLGzm7M//WgeU6kmS1IeY+Inw9093sN/J +iQN22TEwhvfpinT68rLzTfdDQUicH9vqI+MeTBV2kuD4znE1/SXwl82ZXSyvM2Re +vb4141N4bBDIDsyD5dkuetltUpU= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -230,30 +230,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- diff --git a/certs/ocsp/server5-cert.pem b/certs/ocsp/server5-cert.pem index 066f659fd..43ecf9c83 100644 --- a/certs/ocsp/server5-cert.pem +++ b/certs/ocsp/server5-cert.pem @@ -5,8 +5,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:47 2015 GMT + Not After : Sep 25 19:12:47 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=www5.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -44,30 +44,30 @@ Certificate: X509v3 Key Usage: Digital Signature, Non Repudiation, Key Encipherment Authority Information Access: - OCSP - URI:http://localhost:22223 + OCSP - URI:http://127.0.0.1:22223 Signature Algorithm: sha256WithRSAEncryption - 65:c1:7f:66:88:19:db:04:76:f3:ec:eb:c8:9c:38:3f:3f:83: - 4c:6c:c9:3a:67:2f:cf:45:8d:72:28:d1:85:64:fd:53:0a:4a: - 4a:22:9d:2f:2f:76:19:f5:97:04:cb:a7:1e:83:43:42:58:01: - ca:9b:25:42:bb:d1:5c:05:4f:c1:94:22:40:df:30:42:c1:be: - b9:f2:c0:a4:64:37:9b:9b:ed:20:44:e8:f0:5c:c6:2f:b6:24: - 7f:13:b8:52:02:61:ac:69:4e:f4:bd:72:9d:e9:31:13:5f:12: - d2:cc:e7:eb:16:b3:84:cc:86:40:ee:f9:e1:4c:d8:ea:73:a1: - 32:2a:2c:c7:f6:ba:4f:bf:ba:35:49:71:4c:d1:83:86:7a:44: - 14:f3:b3:12:02:99:33:01:46:50:e0:0c:74:34:03:45:9d:d2: - 2c:e1:83:31:59:d6:e7:69:8f:26:0a:12:5d:90:97:c4:ae:93: - 67:c6:9b:a9:5b:a0:8f:22:ad:e9:e2:17:74:19:93:92:cb:9c: - cc:30:8e:7e:57:8f:37:44:82:04:f0:29:9e:79:37:0a:d6:55: - 56:8e:b6:eb:d8:0f:a5:c4:ec:65:88:98:15:2f:2a:cd:9f:d8: - 11:26:c6:d7:0e:12:4e:62:c5:5c:92:b2:99:db:c2:72:71:6f: - c1:94:24:06 + 79:1c:0f:7c:7d:e5:3d:ec:60:00:c9:a4:d6:f1:67:32:66:57: + 0a:8a:97:af:a6:53:92:c4:4d:cb:a7:3d:24:24:74:19:fb:9c: + d0:25:90:00:ba:32:e2:b2:a8:aa:61:eb:f8:7c:ca:52:5f:8c: + ef:e8:9a:d1:9d:73:a7:6e:72:04:0a:6f:d0:b3:88:de:8d:50: + c5:da:fc:e7:81:f8:12:b0:12:4a:a2:54:84:50:87:2d:ee:08: + 33:dc:2f:ae:2a:ce:57:5e:1d:57:8c:ce:90:4d:9a:a7:4e:cd: + 33:4c:f8:47:5d:9f:68:c3:2c:ed:84:b3:b6:ea:dd:1a:f4:ba: + 9d:fa:b9:a1:df:82:4a:ed:fc:3f:8c:bf:c5:5a:ab:81:93:6b: + a1:65:05:be:00:7b:6c:81:f9:2c:a7:92:60:80:70:de:8d:65: + c7:fa:51:e7:b8:02:de:c0:4d:d8:88:6f:41:18:7a:6f:f4:eb: + e1:7a:ab:f2:0d:e8:f9:9c:c4:64:fc:e8:d6:e2:c2:79:95:b1: + 0a:89:73:e6:4e:bf:35:3f:0b:9f:0c:d5:98:01:15:fe:fb:a3: + 0f:1a:75:21:10:0b:32:16:a9:4e:72:d1:de:1e:a6:df:9d:b3: + bd:2a:14:67:e0:8d:4e:a2:9d:ae:f4:08:97:a5:f7:df:fa:e1: + 00:50:1f:f7 -----BEGIN CERTIFICATE----- MIIE9DCCA9ygAwIBAgIBCTANBgkqhkiG9w0BAQsFADCBpzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NM IFJFVk9LRUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv -bGZzc2wuY29tMB4XDTE1MTIxNTAxMjcyM1oXDTE4MDkxMDAxMjcyM1owgZgxCzAJ +bGZzc2wuY29tMB4XDTE1MTIzMDE5MTI0N1oXDTE4MDkyNTE5MTI0N1owgZgxCzAJ BgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAwDgYDVQQHDAdTZWF0dGxl MRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdpbmVlcmluZzEZMBcGA1UE AwwQd3d3NS53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3Ns @@ -83,13 +83,13 @@ oYGdpIGaMIGXMQswCQYDVQQGEwJVUzETMBEGA1UECAwKV2FzaGluZ3RvbjEQMA4G A1UEBwwHU2VhdHRsZTEQMA4GA1UECgwHd29sZlNTTDEUMBIGA1UECwwLRW5naW5l ZXJpbmcxGDAWBgNVBAMMD3dvbGZTU0wgcm9vdCBDQTEfMB0GCSqGSIb3DQEJARYQ aW5mb0B3b2xmc3NsLmNvbYIBAzALBgNVHQ8EBAMCBeAwMgYIKwYBBQUHAQEEJjAk -MCIGCCsGAQUFBzABhhZodHRwOi8vbG9jYWxob3N0OjIyMjIzMA0GCSqGSIb3DQEB -CwUAA4IBAQBlwX9miBnbBHbz7OvInDg/P4NMbMk6Zy/PRY1yKNGFZP1TCkpKIp0v -L3YZ9ZcEy6ceg0NCWAHKmyVCu9FcBU/BlCJA3zBCwb658sCkZDebm+0gROjwXMYv -tiR/E7hSAmGsaU70vXKd6TETXxLSzOfrFrOEzIZA7vnhTNjqc6EyKizH9rpPv7o1 -SXFM0YOGekQU87MSApkzAUZQ4Ax0NANFndIs4YMxWdbnaY8mChJdkJfErpNnxpup -W6CPIq3p4hd0GZOSy5zMMI5+V483RIIE8CmeeTcK1lVWjrbr2A+lxOxliJgVLyrN -n9gRJsbXDhJOYsVckrKZ28JycW/BlCQG +MCIGCCsGAQUFBzABhhZodHRwOi8vMTI3LjAuMC4xOjIyMjIzMA0GCSqGSIb3DQEB +CwUAA4IBAQB5HA98feU97GAAyaTW8WcyZlcKipevplOSxE3Lpz0kJHQZ+5zQJZAA +ujLisqiqYev4fMpSX4zv6JrRnXOnbnIECm/Qs4jejVDF2vzngfgSsBJKolSEUIct +7ggz3C+uKs5XXh1XjM6QTZqnTs0zTPhHXZ9owyzthLO26t0a9Lqd+rmh34JK7fw/ +jL/FWquBk2uhZQW+AHtsgfksp5JggHDejWXH+lHnuALewE3YiG9BGHpv9Ovheqvy +Dej5nMRk/OjW4sJ5lbEKiXPmTr81PwufDNWYARX++6MPGnUhEAsyFqlOctHeHqbf +nbO9KhRn4I1Oop2u9AiXpfff+uEAUB/3 -----END CERTIFICATE----- Certificate: Data: @@ -98,8 +98,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL REVOKED intermediate CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -137,30 +137,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 0c:5e:0d:55:3c:e7:fb:5e:c2:09:19:c8:0b:f4:c2:b2:2b:14: - 79:dc:e8:63:f6:8a:0c:03:57:9e:15:47:7e:b6:15:a3:71:90: - 01:11:39:4b:ff:3d:13:34:e4:f3:5b:a3:6c:58:4f:00:d5:c4: - b0:63:6c:90:c9:89:a8:5d:16:87:0a:da:08:40:12:b4:94:00: - 3e:44:00:13:de:34:75:90:38:79:d4:c2:39:6d:ed:17:cb:7e: - 50:ff:da:0b:eb:49:1a:66:e6:dd:eb:66:a5:92:ef:68:d5:c9: - 93:8f:aa:c7:2a:92:6b:95:af:3d:74:de:aa:29:fd:c9:53:56: - ad:9f:e0:05:d1:97:0c:01:3b:f1:c6:a6:90:7e:5c:08:11:5e: - c1:77:5d:64:09:56:ea:78:29:15:a3:ea:44:2a:4c:d6:09:a7: - a0:5f:05:54:2a:61:ca:7a:09:07:14:34:c2:0d:c5:93:cd:28: - 8b:62:26:af:30:25:8a:f1:da:65:fa:db:da:84:ab:d5:0c:37: - ae:5d:95:bd:55:2a:4b:09:e0:d3:3d:8b:3c:ea:f2:b9:68:5e: - e6:21:53:8b:28:78:39:f4:bf:9b:dc:92:bc:4b:14:06:fe:17: - 21:64:be:af:20:e8:e7:fb:67:c8:5e:ec:59:bf:27:a4:cb:e3: - 8a:6d:c3:ac + 9a:47:17:70:ff:92:e7:b5:51:a0:d2:5d:f3:e3:dd:90:ec:c9: + 8f:ad:61:74:30:ba:d9:60:ba:5b:cf:da:03:4f:c8:50:5a:f4: + 5e:e0:e3:a0:ce:de:43:6c:56:e0:bc:35:e9:0d:bb:53:0e:22: + 7f:21:42:6c:2a:0f:67:b2:8a:1a:f5:e8:1f:a9:a1:90:11:d0: + ec:18:90:ba:ee:cf:d4:18:28:1b:9c:96:8e:d6:48:bd:6f:66: + 79:df:04:0d:04:d3:13:69:b8:24:15:7c:3b:bc:b9:fc:1d:dd: + cc:45:a5:c1:04:c9:d3:68:a7:de:cd:1e:aa:cc:bd:3d:f4:12: + eb:3d:01:44:11:fd:1d:bd:a0:7a:4c:24:f2:39:78:17:c1:1f: + 8c:b8:ab:01:f3:98:88:ff:bd:2c:1b:43:bb:fe:37:94:65:b4: + 3c:e6:11:8c:5d:36:de:ab:84:a5:6d:30:23:dc:ad:b1:74:24: + 2a:bb:49:f0:37:ef:db:9a:eb:4e:fc:f9:a2:47:06:3a:09:9d: + 4f:c3:c6:dc:18:90:47:42:f4:bc:8d:75:be:7c:c8:d5:47:a6: + bb:c2:1e:55:16:8f:a4:62:cc:1f:7c:cf:5a:b5:41:6d:98:f4: + 15:b9:fc:5a:3e:47:75:a0:f7:b0:df:33:54:a9:7c:f0:da:3c: + 65:c2:e6:1a -----BEGIN CERTIFICATE----- MIIE9jCCA96gAwIBAgIBAzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBpzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBpzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMSgwJgYDVQQDDB93b2xmU1NMIFJFVk9L RUQgaW50ZXJtZWRpYXRlIENBMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu @@ -176,13 +176,13 @@ FSGhgZ2kgZowgZcxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApXYXNoaW5ndG9uMRAw DgYDVQQHDAdTZWF0dGxlMRAwDgYDVQQKDAd3b2xmU1NMMRQwEgYDVQQLDAtFbmdp bmVlcmluZzEYMBYGA1UEAwwPd29sZlNTTCByb290IENBMR8wHQYJKoZIhvcNAQkB FhBpbmZvQHdvbGZzc2wuY29tggFjMAsGA1UdDwQEAwIBBjAyBggrBgEFBQcBAQQm -MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9sb2NhbGhvc3Q6MjIyMjAwDQYJKoZIhvcN -AQELBQADggEBAAxeDVU85/tewgkZyAv0wrIrFHnc6GP2igwDV54VR362FaNxkAER -OUv/PRM05PNbo2xYTwDVxLBjbJDJiahdFocK2ghAErSUAD5EABPeNHWQOHnUwjlt -7RfLflD/2gvrSRpm5t3rZqWS72jVyZOPqscqkmuVrz103qop/clTVq2f4AXRlwwB -O/HGppB+XAgRXsF3XWQJVup4KRWj6kQqTNYJp6BfBVQqYcp6CQcUNMINxZPNKIti -Jq8wJYrx2mX629qEq9UMN65dlb1VKksJ4NM9izzq8rloXuYhU4soeDn0v5vckrxL -FAb+FyFkvq8g6Of7Z8he7Fm/J6TL44ptw6w= +MCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly8xMjcuMC4wLjE6MjIyMjAwDQYJKoZIhvcN +AQELBQADggEBAJpHF3D/kue1UaDSXfPj3ZDsyY+tYXQwutlgulvP2gNPyFBa9F7g +46DO3kNsVuC8NekNu1MOIn8hQmwqD2eyihr16B+poZAR0OwYkLruz9QYKBuclo7W +SL1vZnnfBA0E0xNpuCQVfDu8ufwd3cxFpcEEydNop97NHqrMvT30Eus9AUQR/R29 +oHpMJPI5eBfBH4y4qwHzmIj/vSwbQ7v+N5RltDzmEYxdNt6rhKVtMCPcrbF0JCq7 +SfA379ua6078+aJHBjoJnU/DxtwYkEdC9LyNdb58yNVHprvCHlUWj6RizB98z1q1 +QW2Y9BW5/Fo+R3Wg97DfM1SpfPDaPGXC5ho= -----END CERTIFICATE----- Certificate: Data: @@ -191,8 +191,8 @@ Certificate: Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Validity - Not Before: Dec 15 01:27:23 2015 GMT - Not After : Sep 10 01:27:23 2018 GMT + Not Before: Dec 30 19:12:46 2015 GMT + Not After : Sep 25 19:12:46 2018 GMT Subject: C=US, ST=Washington, L=Seattle, O=wolfSSL, OU=Engineering, CN=wolfSSL root CA/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -230,30 +230,30 @@ Certificate: X509v3 Key Usage: Certificate Sign, CRL Sign Authority Information Access: - OCSP - URI:http://localhost:22220 + OCSP - URI:http://127.0.0.1:22220 Signature Algorithm: sha256WithRSAEncryption - 5a:9d:7f:40:a7:10:51:e5:d7:b3:23:dd:e7:25:c2:bc:00:5a: - d0:6e:cf:26:bb:c1:1d:38:89:ac:3c:0c:37:60:6c:aa:8a:54: - 6b:a4:44:79:d5:49:f5:13:ed:bc:00:4c:dd:ed:eb:2e:64:44: - 9c:4c:96:8a:6a:e6:f6:4d:0a:63:f0:f5:18:e3:5e:72:fc:5a: - 3f:1b:4c:27:eb:6e:57:9d:d5:8e:3d:ee:28:3f:1b:7b:e0:25: - b9:0c:95:21:cd:bd:12:8f:4a:c4:b2:cc:80:da:b5:59:49:4d: - 32:d5:96:90:a0:ec:47:8c:15:0b:de:2a:22:be:d6:d4:d7:09: - d1:85:48:4f:33:92:04:30:d1:d5:14:cb:bd:ab:96:06:93:18: - 62:ed:8f:29:f8:b6:66:06:a7:f1:3a:ae:15:62:36:90:89:de: - 41:41:f2:44:35:ea:4c:7b:fc:0b:6f:08:46:09:de:35:5f:e3: - e6:f3:5a:08:70:a4:28:df:a6:c7:17:d1:c3:ec:70:09:c2:06: - c7:12:29:b9:d6:d6:26:7d:2c:df:86:c7:4d:0a:c6:98:2b:61: - 14:b3:b3:29:8e:c1:85:18:db:fd:54:9d:fe:99:a9:90:d1:c6: - 08:2b:4f:6c:16:47:d9:16:fc:7b:0c:84:a7:15:b0:78:41:48: - 87:f5:98:78 + 99:a3:7d:72:17:b7:c0:cd:98:bb:55:fa:f2:ea:9f:17:81:6e: + 8e:02:25:c6:4d:42:cd:32:64:13:f4:bf:42:0c:a6:4e:39:45: + 52:92:40:ed:16:78:17:a2:45:5e:d9:19:ac:1d:d4:56:68:c8: + 55:de:65:ae:ba:72:b0:c0:57:52:5e:5b:08:d9:dd:72:ca:18: + 6e:16:61:32:9a:8b:c0:7d:3e:5a:27:bc:2d:81:aa:36:d4:44: + 26:52:07:f2:41:3b:d1:0f:2e:64:2e:a7:f8:0f:c3:0e:d3:9d: + 73:b9:24:12:e8:ca:28:db:4f:48:c2:43:bb:b7:a8:14:be:8d: + 3a:2f:d3:3a:1a:eb:5f:15:61:e3:e8:03:65:88:d5:03:7e:25: + 7a:35:8d:45:17:3f:0d:10:fd:8e:27:31:65:ee:de:9d:5c:68: + 7f:68:95:bc:85:5a:fa:2a:10:37:82:ca:11:84:9b:90:1e:23: + d6:2b:a6:c5:af:89:ef:31:37:56:0a:91:9e:0f:5b:3e:6c:c1: + 7d:29:cd:bb:38:3f:0e:cb:fb:05:04:e6:4f:5c:6a:c5:b6:a4: + 0f:0b:6a:25:bf:e9:ed:82:19:bb:6b:9a:2e:7d:40:58:0b:45: + 0e:ff:c2:73:39:9c:c2:ef:f4:7c:d0:9e:ae:c9:05:e1:e3:5e: + bf:dd:65:6d -----BEGIN CERTIFICATE----- MIIE5jCCA86gAwIBAgIBYzANBgkqhkiG9w0BAQsFADCBlzELMAkGA1UEBhMCVVMx EzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoM B3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NM IHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wHhcNMTUx -MjE1MDEyNzIzWhcNMTgwOTEwMDEyNzIzWjCBlzELMAkGA1UEBhMCVVMxEzARBgNV +MjMwMTkxMjQ2WhcNMTgwOTI1MTkxMjQ2WjCBlzELMAkGA1UEBhMCVVMxEzARBgNV BAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUxEDAOBgNVBAoMB3dvbGZT U0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQDDA93b2xmU1NMIHJvb3Qg Q0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wggEiMA0GCSqGSIb3 @@ -269,11 +269,11 @@ A1UEBhMCVVMxEzARBgNVBAgMCldhc2hpbmd0b24xEDAOBgNVBAcMB1NlYXR0bGUx EDAOBgNVBAoMB3dvbGZTU0wxFDASBgNVBAsMC0VuZ2luZWVyaW5nMRgwFgYDVQQD DA93b2xmU1NMIHJvb3QgQ0ExHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j b22CAWMwCwYDVR0PBAQDAgEGMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYW -aHR0cDovL2xvY2FsaG9zdDoyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAWp1/QKcQ -UeXXsyPd5yXCvABa0G7PJrvBHTiJrDwMN2BsqopUa6REedVJ9RPtvABM3e3rLmRE -nEyWimrm9k0KY/D1GONecvxaPxtMJ+tuV53Vjj3uKD8be+AluQyVIc29Eo9KxLLM -gNq1WUlNMtWWkKDsR4wVC94qIr7W1NcJ0YVITzOSBDDR1RTLvauWBpMYYu2PKfi2 -Zgan8TquFWI2kIneQUHyRDXqTHv8C28IRgneNV/j5vNaCHCkKN+mxxfRw+xwCcIG -xxIpudbWJn0s34bHTQrGmCthFLOzKY7BhRjb/VSd/pmpkNHGCCtPbBZH2Rb8ewyE -pxWweEFIh/WYeA== +aHR0cDovLzEyNy4wLjAuMToyMjIyMDANBgkqhkiG9w0BAQsFAAOCAQEAmaN9che3 +wM2Yu1X68uqfF4FujgIlxk1CzTJkE/S/QgymTjlFUpJA7RZ4F6JFXtkZrB3UVmjI +Vd5lrrpysMBXUl5bCNndcsoYbhZhMpqLwH0+Wie8LYGqNtREJlIH8kE70Q8uZC6n ++A/DDtOdc7kkEujKKNtPSMJDu7eoFL6NOi/TOhrrXxVh4+gDZYjVA34lejWNRRc/ +DRD9jicxZe7enVxof2iVvIVa+ioQN4LKEYSbkB4j1iumxa+J7zE3VgqRng9bPmzB +fSnNuzg/Dsv7BQTmT1xqxbakDwtqJb/p7YIZu2uaLn1AWAtFDv/Cczmcwu/0fNCe +rskF4eNev91lbQ== -----END CERTIFICATE----- From 1bef0ba45513d5793ba1d8ba7a757f389d8bae2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Wed, 30 Dec 2015 17:10:25 -0300 Subject: [PATCH 159/177] cosmetic changes to OCSP Stapling options. --- configure.ac | 92 ++++++++++++++++++++++++++-------------------------- 1 file changed, 46 insertions(+), 46 deletions(-) diff --git a/configure.ac b/configure.ac index d07b03ae4..b30e62100 100644 --- a/configure.ac +++ b/configure.ac @@ -1469,6 +1469,50 @@ then fi +# Certificate Status Request : a.k.a. OCSP Stapling +AC_ARG_ENABLE([ocspstapling], + [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])], + [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ], + [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] + ) + +if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST" + + # Requires OCSP make sure on + if test "x$ENABLED_OCSP" = "xno" + then + ENABLED_OCSP="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" + AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + fi +fi + +AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"]) + +# Certificate Status Request v2 : a.k.a. OCSP stapling v2 +AC_ARG_ENABLE([ocspstapling2], + [AS_HELP_STRING([--enable-ocspstapling2],[Enable OCSP Stapling v2 (default: disabled)])], + [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ], + [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ] + ) + +if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2" + + # Requires OCSP make sure on + if test "x$ENABLED_OCSP" = "xno" + then + ENABLED_OCSP="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" + AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + fi +fi + +AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"]) + # CRL AC_ARG_ENABLE([crl], [ --enable-crl Enable CRL (default: disabled)], @@ -1656,50 +1700,6 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC" fi -# Certificate Status Request : a.k.a. OCSP Stapling -AC_ARG_ENABLE([ocspstapling], - [AS_HELP_STRING([--enable-ocspstapling],[Enable OCSP Stapling (default: disabled)])], - [ ENABLED_CERTIFICATE_STATUS_REQUEST=$enableval ], - [ ENABLED_CERTIFICATE_STATUS_REQUEST=no ] - ) - -if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes" -then - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST" - - # Requires OCSP make sure on - if test "x$ENABLED_OCSP" = "xno" - then - ENABLED_OCSP="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" - AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) - fi -fi - -AM_CONDITIONAL([BUILD_OCSP_STAPLING], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST" = "xyes"]) - -# Certificate Status Request v2 : a.k.a. OCSP stapling v2 -AC_ARG_ENABLE([ocspstapling2], - [AS_HELP_STRING([--enable-ocspstapling2],[Enable OCSP Stapling v2 (default: disabled)])], - [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=$enableval ], - [ ENABLED_CERTIFICATE_STATUS_REQUEST_V2=no ] - ) - -if test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes" -then - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_CERTIFICATE_STATUS_REQUEST_V2" - - # Requires OCSP make sure on - if test "x$ENABLED_OCSP" = "xno" - then - ENABLED_OCSP="yes" - AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" - AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) - fi -fi - -AM_CONDITIONAL([BUILD_OCSP_STAPLING_V2], [test "x$ENABLED_CERTIFICATE_STATUS_REQUEST_V2" = "xyes"]) - # Renegotiation Indication - (FAKE Secure Renegotiation) AC_ARG_ENABLE([renegotiation-indication], [AS_HELP_STRING([--enable-renegotiation-indication],[Enable Renegotiation Indication (default: disabled)])], @@ -2750,6 +2750,8 @@ echo " * DTLS: $ENABLED_DTLS" echo " * Old TLS Versions: $ENABLED_OLD_TLS" echo " * SSL version 3.0: $ENABLED_SSLV3" echo " * OCSP: $ENABLED_OCSP" +echo " * OCSP Stapling: $ENABLED_CERTIFICATE_STATUS_REQUEST" +echo " * OCSP Stapling v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2" echo " * CRL: $ENABLED_CRL" echo " * CRL-MONITOR: $ENABLED_CRL_MONITOR" echo " * Persistent session cache: $ENABLED_SAVESESSION" @@ -2761,8 +2763,6 @@ echo " * Server Name Indication: $ENABLED_SNI" echo " * ALPN: $ENABLED_ALPN" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" -echo " * OCSP Stapling: $ENABLED_CERTIFICATE_STATUS_REQUEST" -echo " * OCSP Stapling v2: $ENABLED_CERTIFICATE_STATUS_REQUEST_V2" echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * Session Ticket: $ENABLED_SESSION_TICKET" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" From 6a56a53545eec545092830641d3129be6c2035b5 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Thu, 31 Dec 2015 09:33:01 -0700 Subject: [PATCH 160/177] catching up on old jenkins issues --- src/ssl.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index db8027e53..b00daae7f 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17191,6 +17191,10 @@ int wolfSSL_ED25519_generate_key(unsigned char *priv, unsigned int *privSz, { #ifndef WOLFSSL_KEY_GEN WOLFSSL_MSG("No Key Gen built in"); + (void) priv; + (void) privSz; + (void) pub; + (void) pubSz; return SSL_FAILURE; #else /* WOLFSSL_KEY_GEN */ int ret = SSL_FAILURE; @@ -17264,6 +17268,12 @@ int wolfSSL_ED25519_sign(const unsigned char *msg, unsigned int msgSz, { #ifndef WOLFSSL_KEY_GEN WOLFSSL_MSG("No Key Gen built in"); + (void) msg; + (void) msgSz; + (void) priv; + (void) privSz; + (void) sig; + (void) sigSz; return SSL_FAILURE; #else /* WOLFSSL_KEY_GEN */ ed25519_key key; @@ -17311,6 +17321,12 @@ int wolfSSL_ED25519_verify(const unsigned char *msg, unsigned int msgSz, { #ifndef WOLFSSL_KEY_GEN WOLFSSL_MSG("No Key Gen built in"); + (void) msg; + (void) msgSz; + (void) pub; + (void) pubSz; + (void) sig; + (void) sigSz; return SSL_FAILURE; #else /* WOLFSSL_KEY_GEN */ ed25519_key key; From 84ae9a9ae57ee06a4d25345bfdf1977ab9214655 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Thu, 31 Dec 2015 12:05:45 -0700 Subject: [PATCH 161/177] Also account for 32-bit users --- examples/client/client.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/examples/client/client.c b/examples/client/client.c index d225da2ea..bbb9bcb8f 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -753,6 +753,14 @@ THREAD_RETURN WOLFSSL_THREAD client_test(void* args) done = 1; #endif + /* www.globalsign.com only supports static RSA or ECDHE with AES */ + /* We cannot expect users to have on static RSA so test for ECC only + * as some users will most likely be on 32-bit systems where ECC + * is not enabled by default */ + #if defined(HAVE_OCSP) && !defined(HAVE_ECC) + done = 1; + #endif + #ifndef NO_PSK done = 1; #endif From 99539b88757e3895f22ffe8abed4a8dfb9159e85 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 31 Dec 2015 11:19:47 -0800 Subject: [PATCH 162/177] fix aesni 192bit key expansion over read of 64bits --- wolfcrypt/src/aes_asm.asm | 2 +- wolfcrypt/src/aes_asm.s | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/aes_asm.asm b/wolfcrypt/src/aes_asm.asm index 921d89a73..5453d2e45 100644 --- a/wolfcrypt/src/aes_asm.asm +++ b/wolfcrypt/src/aes_asm.asm @@ -794,7 +794,7 @@ AES_192_Key_Expansion PROC movdqa [rsp+0], xmm6 movdqu xmm1,[rdi] - movdqu xmm3,16[rdi] + movq xmm3,qword ptr 16[rdi] movdqa [rsi],xmm1 movdqa xmm5,xmm3 diff --git a/wolfcrypt/src/aes_asm.s b/wolfcrypt/src/aes_asm.s index 92d670416..46f7e29e6 100644 --- a/wolfcrypt/src/aes_asm.s +++ b/wolfcrypt/src/aes_asm.s @@ -657,7 +657,7 @@ AES_192_Key_Expansion: # parameter 2: %rsi movdqu (%rdi), %xmm1 -movdqu 16(%rdi), %xmm3 +movq 16(%rdi), %xmm3 movdqa %xmm1, (%rsi) movdqa %xmm3, %xmm5 From b78fb311bb0bd6a199a7cf1823287a5c32994533 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Thu, 31 Dec 2015 13:18:37 -0700 Subject: [PATCH 163/177] Fix cases that were not detected in Jenkins --- src/ssl.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/ssl.c b/src/ssl.c index b00daae7f..f1cd2d4c1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -17053,6 +17053,10 @@ int wolfSSL_EC25519_generate_key(unsigned char *priv, unsigned int *privSz, { #ifndef WOLFSSL_KEY_GEN WOLFSSL_MSG("No Key Gen built in"); + (void) priv; + (void) privSz; + (void) pub; + (void) pubSz; return SSL_FAILURE; #else /* WOLFSSL_KEY_GEN */ int ret = SSL_FAILURE; @@ -17127,6 +17131,12 @@ int wolfSSL_EC25519_shared_key(unsigned char *shared, unsigned int *sharedSz, { #ifndef WOLFSSL_KEY_GEN WOLFSSL_MSG("No Key Gen built in"); + (void) shared; + (void) sharedSz; + (void) priv; + (void) privSz; + (void) pub; + (void) pubSz; return SSL_FAILURE; #else /* WOLFSSL_KEY_GEN */ int ret = SSL_FAILURE; From fa3f0660b6f7264e266cd24fad3ca387e7da335f Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Thu, 31 Dec 2015 13:59:11 -0700 Subject: [PATCH 164/177] compiler warning about myStack use --- wolfssl/test.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/wolfssl/test.h b/wolfssl/test.h index b09c632d8..ebe722432 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1374,7 +1374,7 @@ typedef THREAD_RETURN WOLFSSL_THREAD (*thread_func)(void* args); static INLINE void StackSizeCheck(func_args* args, thread_func tf) { int ret, i, used; - unsigned char* myStack; + unsigned char* myStack = NULL; int stackSize = 1024*128; pthread_attr_t myAttr; pthread_t threadId; @@ -1388,7 +1388,10 @@ static INLINE void StackSizeCheck(func_args* args, thread_func tf) if (ret != 0) err_sys("posix_memalign failed\n"); - memset(myStack, 0x01, stackSize); + XMEMSET(myStack, 0x01, stackSize); + + if (myStack == NULL) + err_sys("Failed to initialize myStack"); ret = pthread_attr_init(&myAttr); if (ret != 0) From d817f0fbc81a0ca374d940d2f1dea82b526c02c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 4 Jan 2016 09:27:58 -0300 Subject: [PATCH 165/177] fixes test scripts to avoid bash-isms --- certs/ocsp/ocspd0.sh | 2 +- certs/ocsp/ocspd1.sh | 2 +- certs/ocsp/ocspd2.sh | 2 +- certs/ocsp/ocspd3.sh | 2 +- certs/ocsp/renewcerts.sh | 2 ++ 5 files changed, 6 insertions(+), 4 deletions(-) diff --git a/certs/ocsp/ocspd0.sh b/certs/ocsp/ocspd0.sh index e0f978773..d0aa0b953 100755 --- a/certs/ocsp/ocspd0.sh +++ b/certs/ocsp/ocspd0.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh openssl ocsp -port 22220 -nmin 1 \ -index certs/ocsp/index0.txt \ diff --git a/certs/ocsp/ocspd1.sh b/certs/ocsp/ocspd1.sh index da6babcaa..91448c004 100755 --- a/certs/ocsp/ocspd1.sh +++ b/certs/ocsp/ocspd1.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh openssl ocsp -port 22221 -nmin 1 \ -index certs/ocsp/index1.txt \ diff --git a/certs/ocsp/ocspd2.sh b/certs/ocsp/ocspd2.sh index 3539f38fd..a7748b337 100755 --- a/certs/ocsp/ocspd2.sh +++ b/certs/ocsp/ocspd2.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh openssl ocsp -port 22222 -nmin 1 \ -index certs/ocsp/index2.txt \ diff --git a/certs/ocsp/ocspd3.sh b/certs/ocsp/ocspd3.sh index 35130c253..3e53ceb71 100755 --- a/certs/ocsp/ocspd3.sh +++ b/certs/ocsp/ocspd3.sh @@ -1,4 +1,4 @@ -#!/bin/bash +#!/bin/sh openssl ocsp -port 22223 -nmin 1 \ -index certs/ocsp/index3.txt \ diff --git a/certs/ocsp/renewcerts.sh b/certs/ocsp/renewcerts.sh index 4eb552b42..cdbabdf81 100755 --- a/certs/ocsp/renewcerts.sh +++ b/certs/ocsp/renewcerts.sh @@ -1,3 +1,5 @@ +#!/bin/sh + openssl req \ -new \ -key root-ca-key.pem \ From e6398998b1863f69b7cd5665a4ed6e515fbb0eb5 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 4 Jan 2016 12:55:35 -0700 Subject: [PATCH 166/177] check for NULL after malloc in posix_memalign --- wolfssl/test.h | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/wolfssl/test.h b/wolfssl/test.h index ebe722432..1e4fa1373 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1374,7 +1374,7 @@ typedef THREAD_RETURN WOLFSSL_THREAD (*thread_func)(void* args); static INLINE void StackSizeCheck(func_args* args, thread_func tf) { int ret, i, used; - unsigned char* myStack = NULL; + unsigned char* myStack; int stackSize = 1024*128; pthread_attr_t myAttr; pthread_t threadId; @@ -1385,14 +1385,11 @@ static INLINE void StackSizeCheck(func_args* args, thread_func tf) #endif ret = posix_memalign((void**)&myStack, sysconf(_SC_PAGESIZE), stackSize); - if (ret != 0) + if (ret != 0 || myStack == NULL) err_sys("posix_memalign failed\n"); XMEMSET(myStack, 0x01, stackSize); - if (myStack == NULL) - err_sys("Failed to initialize myStack"); - ret = pthread_attr_init(&myAttr); if (ret != 0) err_sys("attr_init failed"); From 858da86c05395e2ee0e22a5190162ef0e4f0359c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Moise=CC=81s=20Guimara=CC=83es?= Date: Mon, 4 Jan 2016 17:15:29 -0300 Subject: [PATCH 167/177] restore original certs, without OCSP Authority Information Access; --- certs/1024/ca-cert.pem | 54 ++++++------- certs/1024/client-cert.der | Bin 1021 -> 969 bytes certs/1024/client-cert.pem | 44 +++++------ certs/1024/server-cert.pem | 106 ++++++++++++------------- certs/ca-cert.der | Bin 1252 -> 1198 bytes certs/ca-cert.pem | 71 ++++++++--------- certs/client-cert.der | Bin 1282 -> 1230 bytes certs/client-cert.pem | 62 +++++++-------- certs/client-ecc-cert.der | Bin 835 -> 780 bytes certs/client-ecc-cert.pem | 42 +++++----- certs/crl/cliCrl.pem | 50 ++++++------ certs/crl/crl.pem | 52 ++++++------- certs/crl/crl.revoked | 58 +++++++------- certs/crl/eccCliCRL.pem | 22 +++--- certs/crl/eccSrvCRL.pem | 20 ++--- certs/renewcerts.sh | 17 ---- certs/renewcerts/wolfssl.cnf | 9 --- certs/server-cert.der | Bin 1240 -> 1186 bytes certs/server-cert.pem | 141 ++++++++++++++++------------------ certs/server-ecc-comp.pem | 32 ++++---- certs/server-ecc-rsa.pem | 70 ++++++++--------- certs/server-ecc.pem | 42 +++++----- certs/server-revoked-cert.pem | 141 ++++++++++++++++------------------ 23 files changed, 474 insertions(+), 559 deletions(-) diff --git a/certs/1024/ca-cert.pem b/certs/1024/ca-cert.pem index 41136c2c2..3deb3628c 100644 --- a/certs/1024/ca-cert.pem +++ b/certs/1024/ca-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 16629652120256878762 (0xe6c8647ee63b98aa) - Signature Algorithm: sha256WithRSAEncryption + Serial Number: 10323419125573214618 (0x8f4426ffb743e19a) + Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT + Not Before: Sep 23 19:23:38 2015 GMT + Not After : Jun 19 19:23:38 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,42 +28,38 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:E6:C8:64:7E:E6:3B:98:AA + serial:8F:44:26:FF:B7:43:E1:9A X509v3 Basic Constraints: CA:TRUE - Authority Information Access: - OCSP - URI:http://localhost:22222 - - Signature Algorithm: sha256WithRSAEncryption - 82:53:ec:89:0a:6a:1b:ae:c3:69:fc:22:b5:d7:d2:f4:0b:6d: - 18:72:f5:64:7f:bb:80:57:e3:f3:b2:af:e1:89:47:03:19:dd: - 6f:62:ed:2b:24:d3:a2:77:c0:83:6a:fb:0f:55:93:78:15:4a: - c1:e0:13:f2:65:9c:7a:8c:6c:98:57:f0:44:9d:3a:9e:6a:30: - 08:9f:33:ce:0d:7e:86:6f:ef:0e:34:41:b9:c6:1d:34:c6:28: - 1e:f9:81:be:68:3d:77:92:50:c5:f8:2f:4c:aa:db:5f:72:93: - 42:eb:8a:cf:24:a0:d9:25:44:46:8b:ed:de:46:d5:1a:90:e9: - d6:d8 + Signature Algorithm: sha1WithRSAEncryption + 0e:46:ac:d8:29:1d:12:12:06:0c:d3:3f:7d:58:2e:0d:11:5e: + 5d:0d:dd:17:c0:0f:aa:01:4d:a4:c4:84:81:6e:64:ae:d1:5d: + 58:cd:19:6a:74:a4:46:2f:c8:43:79:39:c0:91:4b:7c:71:ea: + 4e:63:44:66:15:41:15:de:50:82:e3:e9:d1:55:55:cc:5a:38: + 1e:3a:59:b3:0e:ee:0e:54:4d:93:e7:e0:8e:27:a5:6e:08:b8: + 6a:39:da:2d:47:62:c4:5b:89:c0:48:48:2a:d5:f0:55:74:fd: + a6:b1:68:3c:70:a4:52:24:81:ec:4c:57:e0:e8:18:73:9d:0a: + 4d:d8 -----BEGIN CERTIFICATE----- -MIID6jCCA1OgAwIBAgIJAObIZH7mO5iqMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD +MIIDtTCCAx6gAwIBAgIJAI9EJv+3Q+GaMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MTEyMzEyNDkzN1oXDTE4MDgxOTEyNDkzN1owgZkxCzAJBgNVBAYT +Y29tMB4XDTE1MDkyMzE5MjMzOFoXDTE4MDYxOTE5MjMzOFowgZkxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq -1OWIGLMRL3PA1ikJAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx -PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k -gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC -b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x -MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu -Zm9Ad29sZnNzbC5jb22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUF -BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkq -hkiG9w0BAQsFAAOBgQCCU+yJCmobrsNp/CK119L0C20YcvVkf7uAV+Pzsq/hiUcD -Gd1vYu0rJNOid8CDavsPVZN4FUrB4BPyZZx6jGyYV/BEnTqeajAInzPODX6Gb+8O -NEG5xh00xige+YG+aD13klDF+C9MqttfcpNC64rPJKDZJURGi+3eRtUakOnW2A== +1OWIGLMRL3PA1ikJAgMBAAGjggEBMIH+MB0GA1UdDgQWBBTTIo8oLOAF7tPtw3E9 +ybI2Oh2/qDCBzgYDVR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SB +nDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv +emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEw +MjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m +b0B3b2xmc3NsLmNvbYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN +AQEFBQADgYEADkas2CkdEhIGDNM/fVguDRFeXQ3dF8APqgFNpMSEgW5krtFdWM0Z +anSkRi/IQ3k5wJFLfHHqTmNEZhVBFd5QguPp0VVVzFo4HjpZsw7uDlRNk+fgjiel +bgi4ajnaLUdixFuJwEhIKtXwVXT9prFoPHCkUiSB7ExX4OgYc50KTdg= -----END CERTIFICATE----- diff --git a/certs/1024/client-cert.der b/certs/1024/client-cert.der index 4d4d69ba88f5d813ee46baaddda891ec90644b00..c2bd6df8fe58e67cfaf20cb20bce0bd93a31726b 100644 GIT binary patch delta 262 zcmey%ev)0npo#gYK@+py0%j&gCMHgX$JZD9D!Z@sYof$9DFagjb3+RwLj%Joab80U z14Cm&D0gxV)56J}j7$014VoC44P@DvLuL6`#8@ULGKo$OVmen3Gsb`iBqhwkYQW6M z_}_q+jZ>@5qwPB{BO^B}19M{|gY5RJH4iu5IFKH@^>WAa0L{YW{xfRw#+;$fvsWLJ z-gBIBs?@L42Y=_h&gbG6d9zjjj*P+Gpy^j+I2nvB;!m#->lfU<<3ifQ5RK3F`?K=P zJhbA%mYi-7ThwGJ}td5@eP&)0| FTL53mWPJbt delta 314 zcmX@f{+C_Cpo#gXK@)S*0%j&gCMHgX%lBs-X^@xCpD3|S%Fxir*wDzt(%3vooY&C8 zz{1cH%AH)pv~Y4K<5GTWgC<6E16elaP+2|}F_y`ROrn#6n9kM1j4|K=NeQ#C8Za|5 z{x>jU)FR z?K>|cBR4Apb7Lbzq2;f(!y!*+Y<+R~^mP5U{V(?Xetn~Oy2&iD{SP+n-B_?k4+6xk5wPV9XZ8pj=2NziyJ#ugT-u=QNVCBinL8W|RB1@MZ xnQvEo!=iHk_u0O@pI4n*#N3i5a+2|D+tRd!r?Lv;bq)Ju&hR{Qn;FaH0{}DKaTfpp diff --git a/certs/1024/client-cert.pem b/certs/1024/client-cert.pem index f99471e9d..2f13e8e25 100644 --- a/certs/1024/client-cert.pem +++ b/certs/1024/client-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 15267089231539806063 (0xd3df98c4801f1f6f) + Serial Number: 16417767964199037690 (0xe3d7a0fa76df2afa) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT + Not Before: May 7 18:21:01 2015 GMT + Not After : Jan 31 18:21:01 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_1024, OU=Programming-1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,43 +28,39 @@ Certificate: X509v3 Authority Key Identifier: keyid:81:69:0F:F8:DF:DD:CF:34:29:D5:67:75:71:85:C7:75:10:69:59:EC DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_1024/OU=Programming-1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:D3:DF:98:C4:80:1F:1F:6F + serial:E3:D7:A0:FA:76:DF:2A:FA X509v3 Basic Constraints: CA:TRUE - Authority Information Access: - OCSP - URI:http://localhost:22222 - Signature Algorithm: sha256WithRSAEncryption - 71:39:fa:86:c3:54:e5:98:b5:e8:c3:cb:97:2f:86:bf:e8:bc: - fb:eb:d8:73:97:34:9a:16:bf:e0:b2:bd:be:7d:ff:a0:d7:e6: - db:a3:52:43:41:60:f1:d7:c3:63:c0:9b:e2:b2:28:87:70:60: - 5d:2b:5d:56:15:3c:b1:1e:03:53:72:39:32:e2:47:85:f7:8b: - e8:38:50:a9:c9:d3:52:75:0e:16:14:a5:a5:c4:9f:3e:73:d8: - 38:79:bf:f7:9b:4d:0d:f3:aa:ce:a2:03:84:66:14:c9:01:f5: - 86:a5:66:a1:ca:6a:71:5f:2d:31:8e:1c:cc:0c:e6:46:99:5d: - 0a:4c + 1d:b7:d5:7c:e1:b1:d8:c0:67:5d:b5:d3:88:e7:50:29:71:63: + 8f:cc:26:1f:33:09:55:43:9b:ab:c6:1b:bc:c7:01:95:1a:fa: + 65:e0:fd:9c:eb:6f:0a:0f:14:ec:b5:2f:dc:1c:30:dd:52:97: + d4:1c:09:00:33:38:5f:cb:a8:16:8f:11:b7:b8:d0:66:e1:54: + 28:f3:3f:bf:6a:6f:76:48:2a:5e:56:a7:ce:1c:f0:04:dd:17: + bd:06:78:21:6d:d6:b1:9b:75:31:92:c1:fe:d4:8d:d4:67:2f: + 03:1b:27:8d:ab:ff:30:3b:c3:7f:23:e4:ab:5b:91:e1:1b:66: + e6:ed -----BEGIN CERTIFICATE----- -MIID+TCCA2KgAwIBAgIJANPfmMSAHx9vMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +MIIDxTCCAy6gAwIBAgIJAOPXoPp23yr6MA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG A1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0xMDI0MRgw FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb20wHhcNMTUxMTIzMTI0OTM3WhcNMTgwODE5MTI0OTM3WjCBnjELMAkG +ZnNzbC5jb20wHhcNMTUwNTA3MTgyMTAxWhcNMTgwMTMxMTgyMTAxWjCBnjELMAkG A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT BgNVBAoMDHdvbGZTU0xfMTAyNDEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMTAyNDEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv bGZzc2wuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8cw6oSfN0oqnv GKXaVZkh+cjss21I5TU1dXc37NFhkF8+2eTV35TKwanXGdqGyehNxGE2gv6rrX53 JbuNEaW8YjqoOMw5ogRmtPf386raTQIOu16NaUjcd8koDiLpa6Qmukzowf1Kbysf -74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBOzCCATcwHQYDVR0OBBYEFIFp +74qu9pBi5WQe6ys8Z8jcJwD2kWhlqQIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFIFp D/jf3c80KdVndXGFx3UQaVnsMIHTBgNVHSMEgcswgciAFIFpD/jf3c80KdVndXGF x3UQaVnsoYGkpIGhMIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQ MA4GA1UEBwwHQm96ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8xMDI0MRkwFwYDVQQL DBBQcm9ncmFtbWluZy0xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAd -BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDT35jEgB8fbzAMBgNVHRME -BTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2Fs -aG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOBgQBxOfqGw1TlmLXow8uXL4a/6Lz7 -69hzlzSaFr/gsr2+ff+g1+bbo1JDQWDx18NjwJvisiiHcGBdK11WFTyxHgNTcjky -4keF94voOFCpydNSdQ4WFKWlxJ8+c9g4eb/3m00N86rOogOEZhTJAfWGpWahympx -Xy0xjhzMDOZGmV0KTA== +BgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb22CCQDj16D6dt8q+jAMBgNVHRME +BTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBAB231XzhsdjAZ12104jnUClxY4/MJh8z +CVVDm6vGG7zHAZUa+mXg/ZzrbwoPFOy1L9wcMN1Sl9QcCQAzOF/LqBaPEbe40Gbh +VCjzP79qb3ZIKl5Wp84c8ATdF70GeCFt1rGbdTGSwf7UjdRnLwMbJ42r/zA7w38j +5KtbkeEbZubt -----END CERTIFICATE----- diff --git a/certs/1024/server-cert.pem b/certs/1024/server-cert.pem index 739d80ed5..f278d2c0f 100644 --- a/certs/1024/server-cert.pem +++ b/certs/1024/server-cert.pem @@ -2,11 +2,11 @@ Certificate: Data: Version: 3 (0x2) Serial Number: 1 (0x1) - Signature Algorithm: sha256WithRSAEncryption + Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT + Not Before: Sep 23 19:23:38 2015 GMT + Not After : Jun 19 19:23:38 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL, OU=Support_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -28,54 +28,50 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:E6:C8:64:7E:E6:3B:98:AA + serial:8F:44:26:FF:B7:43:E1:9A X509v3 Basic Constraints: CA:TRUE - Authority Information Access: - OCSP - URI:http://localhost:22222 - - Signature Algorithm: sha256WithRSAEncryption - cb:33:02:ab:da:33:24:83:8f:e8:2b:29:13:94:58:f2:df:69: - 69:0c:2f:79:79:4f:fc:35:fd:a5:75:59:a5:18:74:02:79:50: - 49:2e:3b:16:28:4b:b5:0f:2a:a4:e7:b9:2a:33:50:eb:c4:7c: - b4:a2:af:8d:24:f3:27:48:58:01:ac:c0:5d:7a:90:6a:5b:f7: - 4f:d3:a5:96:24:24:96:47:2c:81:97:3c:03:1c:ad:90:c7:22: - 90:91:67:03:7f:81:51:c7:97:d7:76:85:82:66:1b:f8:03:d9: - ae:1d:b0:a1:20:05:55:68:2b:d7:eb:92:dc:ec:cd:be:c6:c8: - 53:df + Signature Algorithm: sha1WithRSAEncryption + 0a:04:c7:9a:c4:f6:46:db:e4:85:d4:22:02:12:3e:53:27:25: + 24:8a:9b:2f:93:7f:de:70:94:c5:6c:4c:26:25:25:7a:d7:0f: + 33:b9:9c:d2:5a:94:7f:8d:30:75:ad:82:c9:bf:4b:6c:91:58: + 7c:45:1a:89:df:8e:ca:31:9f:ab:38:b3:ae:c2:8f:14:87:e6: + 1c:ab:12:4e:df:82:36:c9:41:46:c4:05:95:88:62:09:72:57: + 66:31:80:b8:9c:55:a8:fb:74:01:32:e7:5a:40:df:9b:e4:98: + d7:5b:ea:69:5c:14:1b:9b:8b:08:2d:d9:58:28:be:c9:01:e0: + e1:a9 -----BEGIN CERTIFICATE----- -MIID3jCCA0egAwIBAgIBATANBgkqhkiG9w0BAQsFADCBmTELMAkGA1UEBhMCVVMx +MIIDqTCCAxKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBmTELMAkGA1UEBhMCVVMx EDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNVBAoMCFNh d3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMMD3d3dy53 b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNvbTAeFw0x -NTExMjMxMjQ5MzdaFw0xODA4MTkxMjQ5MzdaMIGVMQswCQYDVQQGEwJVUzEQMA4G +NTA5MjMxOTIzMzhaFw0xODA2MTkxOTIzMzhaMIGVMQswCQYDVQQGEwJVUzEQMA4G A1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEQMA4GA1UECgwHd29sZlNT TDEVMBMGA1UECwwMU3VwcG9ydF8xMDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5j b20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20wgZ8wDQYJKoZIhvcN AQEBBQADgY0AMIGJAoGBAKo+pZzTF0llQ97Q80sc20kM/HplBW3easTkcyyKloKP I6UGcRwGPi+SjQspNEVZ6am8YdckN121xDeNumey7wMn+sG0zWsAZrTWc3AfCDrM d63p+TTU86AtqedYqcBhhLbsPQqt/VyGc6prR9iLLlhLaRKCJlXmFL9VcIj++XXh -AgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU2Tw16nQOI76c/PopkAnB54QWn3wwgc4G -A1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+kgZwwgZkxCzAJBgNV -BAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYD -VQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQD -DA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5j -b22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUFBwEBBCYwJDAiBggr -BgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkqhkiG9w0BAQsFAAOB -gQDLMwKr2jMkg4/oKykTlFjy32lpDC95eU/8Nf2ldVmlGHQCeVBJLjsWKEu1Dyqk -57kqM1DrxHy0oq+NJPMnSFgBrMBdepBqW/dP06WWJCSWRyyBlzwDHK2QxyKQkWcD -f4FRx5fXdoWCZhv4A9muHbChIAVVaCvX65Lc7M2+xshT3w== +AgMBAAGjggEBMIH+MB0GA1UdDgQWBBTZPDXqdA4jvpz8+imQCcHnhBaffDCBzgYD +VR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SBnDCBmTELMAkGA1UE +BhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xETAPBgNV +BAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEwMjQxGDAWBgNVBAMM +D3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5mb0B3b2xmc3NsLmNv +bYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEACgTH +msT2RtvkhdQiAhI+UyclJIqbL5N/3nCUxWxMJiUletcPM7mc0lqUf40wda2Cyb9L +bJFYfEUaid+OyjGfqzizrsKPFIfmHKsSTt+CNslBRsQFlYhiCXJXZjGAuJxVqPt0 +ATLnWkDfm+SY11vqaVwUG5uLCC3ZWCi+yQHg4ak= -----END CERTIFICATE----- Certificate: Data: Version: 3 (0x2) - Serial Number: 16629652120256878762 (0xe6c8647ee63b98aa) - Signature Algorithm: sha256WithRSAEncryption + Serial Number: 10323419125573214618 (0x8f4426ffb743e19a) + Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT + Not Before: Sep 23 19:23:38 2015 GMT + Not After : Jun 19 19:23:38 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=Sawtooth, OU=Consulting_1024, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -97,42 +93,38 @@ Certificate: X509v3 Authority Key Identifier: keyid:D3:22:8F:28:2C:E0:05:EE:D3:ED:C3:71:3D:C9:B2:36:3A:1D:BF:A8 DirName:/C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting_1024/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:E6:C8:64:7E:E6:3B:98:AA + serial:8F:44:26:FF:B7:43:E1:9A X509v3 Basic Constraints: CA:TRUE - Authority Information Access: - OCSP - URI:http://localhost:22222 - - Signature Algorithm: sha256WithRSAEncryption - 82:53:ec:89:0a:6a:1b:ae:c3:69:fc:22:b5:d7:d2:f4:0b:6d: - 18:72:f5:64:7f:bb:80:57:e3:f3:b2:af:e1:89:47:03:19:dd: - 6f:62:ed:2b:24:d3:a2:77:c0:83:6a:fb:0f:55:93:78:15:4a: - c1:e0:13:f2:65:9c:7a:8c:6c:98:57:f0:44:9d:3a:9e:6a:30: - 08:9f:33:ce:0d:7e:86:6f:ef:0e:34:41:b9:c6:1d:34:c6:28: - 1e:f9:81:be:68:3d:77:92:50:c5:f8:2f:4c:aa:db:5f:72:93: - 42:eb:8a:cf:24:a0:d9:25:44:46:8b:ed:de:46:d5:1a:90:e9: - d6:d8 + Signature Algorithm: sha1WithRSAEncryption + 0e:46:ac:d8:29:1d:12:12:06:0c:d3:3f:7d:58:2e:0d:11:5e: + 5d:0d:dd:17:c0:0f:aa:01:4d:a4:c4:84:81:6e:64:ae:d1:5d: + 58:cd:19:6a:74:a4:46:2f:c8:43:79:39:c0:91:4b:7c:71:ea: + 4e:63:44:66:15:41:15:de:50:82:e3:e9:d1:55:55:cc:5a:38: + 1e:3a:59:b3:0e:ee:0e:54:4d:93:e7:e0:8e:27:a5:6e:08:b8: + 6a:39:da:2d:47:62:c4:5b:89:c0:48:48:2a:d5:f0:55:74:fd: + a6:b1:68:3c:70:a4:52:24:81:ec:4c:57:e0:e8:18:73:9d:0a: + 4d:d8 -----BEGIN CERTIFICATE----- -MIID6jCCA1OgAwIBAgIJAObIZH7mO5iqMA0GCSqGSIb3DQEBCwUAMIGZMQswCQYD +MIIDtTCCAx6gAwIBAgIJAI9EJv+3Q+GaMA0GCSqGSIb3DQEBBQUAMIGZMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjERMA8G A1UECgwIU2F3dG9vdGgxGDAWBgNVBAsMD0NvbnN1bHRpbmdfMTAyNDEYMBYGA1UE AwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdvbGZzc2wu -Y29tMB4XDTE1MTEyMzEyNDkzN1oXDTE4MDgxOTEyNDkzN1owgZkxCzAJBgNVBAYT +Y29tMB4XDTE1MDkyMzE5MjMzOFoXDTE4MDYxOTE5MjMzOFowgZkxCzAJBgNVBAYT AlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdCb3plbWFuMREwDwYDVQQK DAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18xMDI0MRgwFgYDVQQDDA93 d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29sZnNzbC5jb20w gZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAM2s3Ufsvrckw2MbVJh54ccxFlnW nXedjeKL7QQXssbr5JuRvjFQYpdYtX8p3rNxJAu/lwl/Jtwt7KgusmQreis1GS2i gMuZ/ZRxGyONVNsuYo2BCC30JHInbPnJjttMdbqbAfg/GPTmf/tXlJLMiMS0AMKq -1OWIGLMRL3PA1ikJAgMBAAGjggE2MIIBMjAdBgNVHQ4EFgQU0yKPKCzgBe7T7cNx -PcmyNjodv6gwgc4GA1UdIwSBxjCBw4AU0yKPKCzgBe7T7cNxPcmyNjodv6ihgZ+k -gZwwgZkxCzAJBgNVBAYTAlVTMRAwDgYDVQQIDAdNb250YW5hMRAwDgYDVQQHDAdC -b3plbWFuMREwDwYDVQQKDAhTYXd0b290aDEYMBYGA1UECwwPQ29uc3VsdGluZ18x -MDI0MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGlu -Zm9Ad29sZnNzbC5jb22CCQDmyGR+5juYqjAMBgNVHRMEBTADAQH/MDIGCCsGAQUF -BwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjANBgkq -hkiG9w0BAQsFAAOBgQCCU+yJCmobrsNp/CK119L0C20YcvVkf7uAV+Pzsq/hiUcD -Gd1vYu0rJNOid8CDavsPVZN4FUrB4BPyZZx6jGyYV/BEnTqeajAInzPODX6Gb+8O -NEG5xh00xige+YG+aD13klDF+C9MqttfcpNC64rPJKDZJURGi+3eRtUakOnW2A== +1OWIGLMRL3PA1ikJAgMBAAGjggEBMIH+MB0GA1UdDgQWBBTTIo8oLOAF7tPtw3E9 +ybI2Oh2/qDCBzgYDVR0jBIHGMIHDgBTTIo8oLOAF7tPtw3E9ybI2Oh2/qKGBn6SB +nDCBmTELMAkGA1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0Jv +emVtYW4xETAPBgNVBAoMCFNhd3Rvb3RoMRgwFgYDVQQLDA9Db25zdWx0aW5nXzEw +MjQxGDAWBgNVBAMMD3d3dy53b2xmc3NsLmNvbTEfMB0GCSqGSIb3DQEJARYQaW5m +b0B3b2xmc3NsLmNvbYIJAI9EJv+3Q+GaMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcN +AQEFBQADgYEADkas2CkdEhIGDNM/fVguDRFeXQ3dF8APqgFNpMSEgW5krtFdWM0Z +anSkRi/IQ3k5wJFLfHHqTmNEZhVBFd5QguPp0VVVzFo4HjpZsw7uDlRNk+fgjiel +bgi4ajnaLUdixFuJwEhIKtXwVXT9prFoPHCkUiSB7ExX4OgYc50KTdg= -----END CERTIFICATE----- diff --git a/certs/ca-cert.der b/certs/ca-cert.der index b61188892a7dd9a237caaa5a29e55d4c226cf4d5..d0eab7a3ce08847c4bc6c9160c266eaa3289778b 100644 GIT binary patch delta 372 zcmaFDxsFr9powLbK@;<&1@b3+RwLj%Joab80U z14Cm&2zTS%{fzvLe+(Lb8pyIShsyG?h_Ot*$Rs-X5YrJcme3-%Iozu8yg+^Iwar-^d`#3f2WSd!2Z*qN&$7|f7q^OnoN+EI4WLY)YKSX5~{O5>Ic-mHaz_?S!r(gpU*7{QpecaC#lU7m54NEyYqX)wzAld z2lY?rC(SuUVL7$sbh)$ zi#*ld>^s4$^)I{kTvK0dx##k!8;sMIxP)6wUVZrU)b#rEs+|1xi{c{2UsOTLen-z&5+ zGp1#KP~*2`QTysNBf);ENBq{#wt(8O}epow|Y0%j&gCMHgXRqC6Mt}M#qohY$Q%D~jX+|a_v(7-TCoY&C8 zz|hzb%ALf#aC0Z4CL=4mK@%hMtPxVc-WXjWrbN-4VW1j{~PeKacZ@Bw0-Ag zWaMULU~Xb$WC)zLTt+QcX2LO}`O`!{$v&SvXH99?)V~S^t6j4=H+=rYyyEs9{XO#S zRg16mU-g_`XA`n!G^zNmIeqhTlWko0wiZ@#F0;GV6w#SJ z=V(UKF1BlyyH8skc#tfAoM(gVWwcd8VA-c!;y|W9q&1B2Pexet- z<6CCPo}Ita{k3(N!M3tV2R-8VOx+M56?#I)FUh?tPxVc-WXjWrbN-4VW1j{~H*wacHwKva+%> zGP0-{s2C{0_y&w^Vi_eR1y=g{Ir+(nIT`uIC00ftV8F}9snzDu_MMlJk(-r)xrvdH zp?YF+uVqMz%@+HsC;azw?_VD?$MHCKQ0}o0_iFyn_WSp_UTG%pfn;mha9f7)^G&Gn13-~8swXIdM0pzLlM z*EwF!XDggGupMT3E^}O6+khxZK;@Z T-RsYsBQ=r=&3u3DeU}3Odz7!9 diff --git a/certs/client-cert.pem b/certs/client-cert.pem index 296581003..569cdddac 100644 --- a/certs/client-cert.pem +++ b/certs/client-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 10777134365807824960 (0x9590129b22a15040) + Serial Number: 12260966172072242701 (0xaa27b3c5a9726e0d) Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Validity - Not Before: Nov 23 12:49:37 2015 GMT - Not After : Aug 19 12:49:37 2018 GMT + Not Before: May 7 18:21:01 2015 GMT + Not After : Jan 31 18:21:01 2018 GMT Subject: C=US, ST=Montana, L=Bozeman, O=wolfSSL_2048, OU=Programming-2048, CN=www.wolfssl.com/emailAddress=info@wolfssl.com Subject Public Key Info: Public Key Algorithm: rsaEncryption @@ -37,35 +37,32 @@ Certificate: X509v3 Authority Key Identifier: keyid:33:D8:45:66:D7:68:87:18:7E:54:0D:70:27:91:C7:26:D7:85:65:C0 DirName:/C=US/ST=Montana/L=Bozeman/O=wolfSSL_2048/OU=Programming-2048/CN=www.wolfssl.com/emailAddress=info@wolfssl.com - serial:95:90:12:9B:22:A1:50:40 + serial:AA:27:B3:C5:A9:72:6E:0D X509v3 Basic Constraints: CA:TRUE - Authority Information Access: - OCSP - URI:http://localhost:22222 - Signature Algorithm: sha256WithRSAEncryption - 7b:91:63:8d:39:54:64:3c:b4:3f:d5:c8:4f:bf:0b:bf:af:5c: - 9c:41:c7:0b:52:6d:c6:f0:de:7c:ff:9b:4e:fe:f3:22:a5:00: - 13:9f:81:e4:6d:70:2c:f9:7a:f4:d8:50:be:72:e1:04:8b:b0: - 05:e3:61:82:3f:65:de:f9:e9:d3:3d:97:7d:88:b7:99:85:c1: - e5:5c:57:a7:9c:1f:f2:b8:ce:ec:d7:d1:9b:ec:fb:0e:6f:02: - ad:51:c0:76:dd:66:0a:ce:0d:09:e6:a8:42:b0:06:c3:04:e7: - 1c:c7:10:83:07:f2:e6:11:1a:cd:a7:b9:7e:17:ef:ea:63:9c: - f2:a5:be:6b:b6:df:eb:5a:75:01:59:05:f7:ec:49:75:10:dd: - 40:1a:25:25:4f:78:6e:e1:92:21:b5:b8:82:2f:33:b3:5b:b6: - 81:b8:b1:a4:0c:8d:98:74:74:da:0d:90:33:c8:a7:aa:0d:06: - 5a:04:eb:37:d3:e4:55:0c:93:b6:c8:3a:e8:a7:2b:4e:b8:90: - bb:36:0b:db:7f:2e:99:23:76:68:81:a8:73:74:e7:68:fb:1d: - ff:5b:ec:b5:6b:30:d1:d0:2b:89:a6:c6:a9:fc:03:66:fe:b5: - 8c:af:de:8e:2a:b4:78:9c:d7:4a:fc:9c:c4:7c:19:20:83:0e: - fd:3f:4d:a7 + 51:96:a7:1c:26:5d:1c:90:c6:32:9f:96:15:f2:1d:e7:93:9c: + ac:75:56:95:fd:20:70:ab:45:6a:09:b0:f3:f2:03:a8:db:dc: + 2f:bc:1f:87:7a:a3:d4:8f:d5:49:97:7e:3c:54:ac:b1:e3:f0: + 39:0d:fe:09:9a:23:f6:32:a6:41:59:bd:60:e8:bd:de:00:36: + 6f:3e:e9:41:6f:a9:63:c7:aa:d5:7b:f3:e4:39:48:9e:f6:60: + c6:c6:86:d5:72:86:23:cd:f5:6a:63:53:a4:f8:fc:51:6a:cd: + 60:74:8e:a3:86:61:01:34:78:f7:29:97:b3:a7:34:b6:0a:de: + b5:71:7a:09:a6:3e:d6:82:58:89:67:9c:c5:68:62:ba:06:d6: + 39:bb:cb:3a:c0:e0:63:1f:c7:0c:9c:12:86:ec:f7:39:6a:61: + 93:d0:33:14:c6:55:3b:b6:cf:80:5b:8c:43:ef:43:44:0b:3c: + 93:39:a3:4e:15:d1:0b:5f:84:98:1d:cd:9f:a9:47:eb:3b:56: + 30:b6:76:92:c1:48:5f:bc:95:b0:50:1a:55:c8:4e:62:47:87: + 54:64:0c:9b:91:fa:43:b3:29:48:be:e6:12:eb:e3:44:c6:52: + e4:40:c6:83:95:1b:a7:65:27:69:73:2f:c8:a0:4d:7f:be:ea: + 9b:67:b2:7b -----BEGIN CERTIFICATE----- -MIIE/jCCA+agAwIBAgIJAJWQEpsioVBAMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD +MIIEyjCCA7KgAwIBAgIJAKons8Wpcm4NMA0GCSqGSIb3DQEBCwUAMIGeMQswCQYD VQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96ZW1hbjEVMBMG A1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWluZy0yMDQ4MRgw FgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEWEGluZm9Ad29s -ZnNzbC5jb20wHhcNMTUxMTIzMTI0OTM3WhcNMTgwODE5MTI0OTM3WjCBnjELMAkG +ZnNzbC5jb20wHhcNMTUwNTA3MTgyMTAxWhcNMTgwMTMxMTgyMTAxWjCBnjELMAkG A1UEBhMCVVMxEDAOBgNVBAgMB01vbnRhbmExEDAOBgNVBAcMB0JvemVtYW4xFTAT BgNVBAoMDHdvbGZTU0xfMjA0ODEZMBcGA1UECwwQUHJvZ3JhbW1pbmctMjA0ODEY MBYGA1UEAwwPd3d3LndvbGZzc2wuY29tMR8wHQYJKoZIhvcNAQkBFhBpbmZvQHdv @@ -75,17 +72,16 @@ StIb94u6zw357+zxgR57mwNHmr9lzH9lJGmm6BSJW+Q098WwFJP1Z3s6enjhAVZW kaYTQo3SPECcTO/Rht83URsMoTv18aNKNeThzpbfG36/TpfQEOioCDCBryALQxTF dGe0MoJvjYbCiECZNoO6HkByIhfXUmUkc7DO7xnNrv94bHvAEgPUTnINUG07ozuj mV6dyNkMhbPZitlUJttt+qy7/yVMxNF59HHThkAYE7BjtXJOMMSXhIYtVi/XFfd/ -wK71/Fvl+6G60wIDAQABo4IBOzCCATcwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR +wK71/Fvl+6G60wIDAQABo4IBBzCCAQMwHQYDVR0OBBYEFDPYRWbXaIcYflQNcCeR xybXhWXAMIHTBgNVHSMEgcswgciAFDPYRWbXaIcYflQNcCeRxybXhWXAoYGkpIGh MIGeMQswCQYDVQQGEwJVUzEQMA4GA1UECAwHTW9udGFuYTEQMA4GA1UEBwwHQm96 ZW1hbjEVMBMGA1UECgwMd29sZlNTTF8yMDQ4MRkwFwYDVQQLDBBQcm9ncmFtbWlu Zy0yMDQ4MRgwFgYDVQQDDA93d3cud29sZnNzbC5jb20xHzAdBgkqhkiG9w0BCQEW -EGluZm9Ad29sZnNzbC5jb22CCQCVkBKbIqFQQDAMBgNVHRMEBTADAQH/MDIGCCsG -AQUFBwEBBCYwJDAiBggrBgEFBQcwAYYWaHR0cDovL2xvY2FsaG9zdDoyMjIyMjAN -BgkqhkiG9w0BAQsFAAOCAQEAe5FjjTlUZDy0P9XIT78Lv69cnEHHC1JtxvDefP+b -Tv7zIqUAE5+B5G1wLPl69NhQvnLhBIuwBeNhgj9l3vnp0z2XfYi3mYXB5VxXp5wf -8rjO7NfRm+z7Dm8CrVHAdt1mCs4NCeaoQrAGwwTnHMcQgwfy5hEazae5fhfv6mOc -8qW+a7bf61p1AVkF9+xJdRDdQBolJU94buGSIbW4gi8zs1u2gbixpAyNmHR02g2Q -M8inqg0GWgTrN9PkVQyTtsg66KcrTriQuzYL238umSN2aIGoc3TnaPsd/1vstWsw -0dAriabGqfwDZv61jK/ejiq0eJzXSvycxHwZIIMO/T9Npw== +EGluZm9Ad29sZnNzbC5jb22CCQCqJ7PFqXJuDTAMBgNVHRMEBTADAQH/MA0GCSqG +SIb3DQEBCwUAA4IBAQBRlqccJl0ckMYyn5YV8h3nk5ysdVaV/SBwq0VqCbDz8gOo +29wvvB+HeqPUj9VJl348VKyx4/A5Df4JmiP2MqZBWb1g6L3eADZvPulBb6ljx6rV +e/PkOUie9mDGxobVcoYjzfVqY1Ok+PxRas1gdI6jhmEBNHj3KZezpzS2Ct61cXoJ +pj7WgliJZ5zFaGK6BtY5u8s6wOBjH8cMnBKG7Pc5amGT0DMUxlU7ts+AW4xD70NE +CzyTOaNOFdELX4SYHc2fqUfrO1YwtnaSwUhfvJWwUBpVyE5iR4dUZAybkfpDsylI +vuYS6+NExlLkQMaDlRunZSdpcy/IoE1/vuqbZ7J7 -----END CERTIFICATE----- diff --git a/certs/client-ecc-cert.der b/certs/client-ecc-cert.der index 5b6226714d91653ece79b12b0dfc9a7222742135..fa9a2483963e2c798bf6ac0a46e6168afb87b66e 100644 GIT binary patch delta 185 zcmX@i*25-Y(8SDP(8RQU0W%XL6B8%H{a&lW2TGIqCQ2-lGB7nTH?%M^G%$=3=QXr2 zFf=xVawiKgO_-d*7{l85)u8dy(N zW@2_{FmPc~D5+joH|Ip=)GqF|^(W13ZR)qb|9orqs|(A^xR#U)eP6+(P&l={bNh1-P&TD94 zU}0zp3#yj;etp+@7%%QTvEUX61jEw&cjMzA|*%(<_ z*%=vG)C^P%lwf=V#x}8xl9B=|ef^yLm)V&l+i^EhYA!py|%!C>IZ zq{uK|<&gEWr&_ufXQrR}`u5_r36f%BKjww4d@C(EDTHtNBPK tmp.pem mv tmp.pem server-ecc-comp.pem - ########################################################### - ########## update and sign ocsp-cert.pem ################## - ########################################################### - echo "Updating ocsp-cert.pem" - echo "" - #pipe the following arguments to openssl req... - echo -e "US\nMontana\nBozeman\nwolfSSL\nSupport\ocsp.wolfssl.com\ninfo@wolfssl.com\n.\n.\n" | openssl req -new -key ocsp/ocsp-key.pem -nodes > ocsp-req.pem - - openssl x509 -req -in ocsp-req.pem -extfile wolfssl.cnf -extensions v3_ocsp -days 1000 -CA ca-cert.pem -CAkey ca-key.pem -set_serial 03 > ocsp/ocsp-cert.pem - - rm ocsp-req.pem - - openssl x509 -in ca-cert.pem -text > ca_tmp.pem - openssl x509 -in ocsp/ocsp-cert.pem -text > ocsp_tmp.pem - mv ocsp_tmp.pem ocsp/ocsp-cert.pem - cat ca_tmp.pem >> ocsp/ocsp-cert.pem - rm ca_tmp.pem ############################################################ ########## make .der files from .pem files ################# ############################################################ diff --git a/certs/renewcerts/wolfssl.cnf b/certs/renewcerts/wolfssl.cnf index 3da804b44..47ad4ba93 100644 --- a/certs/renewcerts/wolfssl.cnf +++ b/certs/renewcerts/wolfssl.cnf @@ -124,7 +124,6 @@ authorityKeyIdentifier=keyid,issuer subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer:always basicConstraints=CA:true -authorityInfoAccess = OCSP;URI:http://localhost:22222 # Extensions to add to a certificate request [ v3_req ] @@ -141,14 +140,6 @@ basicConstraints = CA:true [ crl_ext ] authorityKeyIdentifier=keyid:always -# OCSP extensions. -[ v3_ocsp ] -subjectKeyIdentifier=hash -authorityKeyIdentifier=keyid:always,issuer:always -keyUsage = nonRepudiation, digitalSignature, keyEncipherment -extendedKeyUsage = OCSPSigning -basicConstraints = CA:false - # These extensions should be added when creating a proxy certificate [ proxy_cert_ext ] basicConstraints=CA:FALSE diff --git a/certs/server-cert.der b/certs/server-cert.der index 1b61be8e96a54702bf033c908d939f26040d108e..0c936a241e174dc782f39758850bd3e80c0e7e1e 100644 GIT binary patch delta 357 zcmcb?xrmd)powLkK@)S^M2;tFrc_B-dC>d%^r6IMzYpTy)YU9wkUY5%nS zU{dm~qrcW&QfQRA#IsHW~ z*8OXY*3JmuCp^hTVCm;|kJ4_rtejG4e?ea%vi(Vv!@EmQc+RO#xx@d@;(=q3NzCrU zw-3gb9ggKQ%G93A_*N%C+P{3|${U3Sr}cCS7*p)SWz)>2dwCGz(AH*>@TZc-WXjWrbN-4VW1j{~H*wacHwKva+%>GP0-{ zs2C{0_y&w^Vi_eR1y=g{Ir+(nIT`uIC00ftV8F}9snzDu_MMlJk(-r)xrvdHp-{X( zzxJ9SW96Echkh4kX7i*>JZRKCC#h&_((WJUbJXwGe@MCJ73yE_)m_~XZL`2|gX$zE zra3d0_VFaX-y+ATC-ZVnr0)AXX5WvIPvbMwVz{22{Z^vT=JTyzsV$@KU%I`m!h&4XUcvbxx zJ%LHv7yUe##FJpnlR2wURB(^^{yt@qLmPSTce={m7kM$&v_pNx>bo_{_PhW2@x5C1 z?rZt)RXa3{e Date: Mon, 4 Jan 2016 13:18:43 -0700 Subject: [PATCH 168/177] initialize myStack to NULL for the later check against NULL --- wolfssl/test.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfssl/test.h b/wolfssl/test.h index 1e4fa1373..a0d1719e1 100644 --- a/wolfssl/test.h +++ b/wolfssl/test.h @@ -1374,7 +1374,7 @@ typedef THREAD_RETURN WOLFSSL_THREAD (*thread_func)(void* args); static INLINE void StackSizeCheck(func_args* args, thread_func tf) { int ret, i, used; - unsigned char* myStack; + unsigned char* myStack = NULL; int stackSize = 1024*128; pthread_attr_t myAttr; pthread_t threadId; From dd469bb67d4b8a0c9b415fc14fa9381edefd1621 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 4 Jan 2016 15:03:39 -0700 Subject: [PATCH 169/177] avoid unused variable warnings --- src/internal.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index 2a8c6b7da..008a45f1c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1519,6 +1519,11 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, } #endif + /* account for unused variable warnings ifdef WOLFSSL_DTLS */ +#ifdef WOLFSSL_DTLS + (void) dtls; + (void) tls; +#endif suites->suiteSz = idx; InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, 0); @@ -15438,7 +15443,7 @@ int DoSessionTicket(WOLFSSL* ssl, #error "DTLS needs either SHA or SHA-256" #endif /* NO_SHA && NO_SHA256 */ - #ifndef NO_SHA + #if !defined(NO_SHA) && defined(NO_SHA256) cookieType = SHA; cookieSz = SHA_DIGEST_SIZE; #endif /* NO_SHA */ From 023052eaf10f3c7f21ef72342266dff89d2cda31 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 4 Jan 2016 15:40:10 -0700 Subject: [PATCH 170/177] Avoid unused variable warnings with dead store in AES_GCM_decrypt --- wolfcrypt/src/aes.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/wolfcrypt/src/aes.c b/wolfcrypt/src/aes.c index efefd0c62..c27c55425 100644 --- a/wolfcrypt/src/aes.c +++ b/wolfcrypt/src/aes.c @@ -3145,6 +3145,12 @@ static int AES_GCM_decrypt(const unsigned char *in, tmp4 = _mm_shuffle_epi8(tmp4, BSWAP_MASK); } + /* Acknowledge the dead store and continue */ + (void) tmp1; + (void) tmp2; + (void) tmp3; + (void) tmp4; + for (k = i*4; k < nbytes/16; k++) { tmp1 = _mm_shuffle_epi8(ctr1, BSWAP_EPI64); ctr1 = _mm_add_epi32(ctr1, ONE); From 21c972f805272e225b335413bee4eaed40ba5bb9 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 4 Jan 2016 16:08:04 -0700 Subject: [PATCH 171/177] Remove unnecessary assignment prior to return --- src/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/tls.c b/src/tls.c index 744b81828..793b55c33 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1604,7 +1604,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, return BUFFER_ERROR; ato16(clientHello + offset, &len16); - offset += OPAQUE16_LEN; + /* Returning SNI_UNSUPPORTED do not increment offset here */ if (len16 != 0) /* session_id_length must be 0 */ return BUFFER_ERROR; From fcfef59c434324f8bc6daafa56e34208f82a5bfd Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Mon, 4 Jan 2016 17:04:10 -0700 Subject: [PATCH 172/177] check err after set --- wolfcrypt/src/ecc.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 507f212b0..653f16ed4 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -4192,7 +4192,8 @@ static int accel_fp_mul(int idx, mp_int* k, ecc_point *R, mp_int* modulus, } if (err == MP_OKAY) { - z = 0; + z = 0; /* mp_to_unsigned_bin != MP_OKAY z will be declared/not set */ + (void) z; /* Acknowledge the unused assignment */ ForceZero(kb, KB_SIZE); /* map R back from projective space */ if (map) { @@ -4448,6 +4449,9 @@ static int accel_fp_mul2add(int idx1, int idx2, XFREE(kb[1], NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + if (err != MP_OKAY) + return err; + #undef KB_SIZE return ecc_map(R, modulus, mp); From 699597bb21aaf7e2f9bfc05b78db4dde9bf0285b Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 5 Jan 2016 07:35:28 -0700 Subject: [PATCH 173/177] execute undef before checking and return --- wolfcrypt/src/ecc.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 653f16ed4..175c436bd 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -4449,11 +4449,11 @@ static int accel_fp_mul2add(int idx1, int idx2, XFREE(kb[1], NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif + #undef KB_SIZE + if (err != MP_OKAY) return err; -#undef KB_SIZE - return ecc_map(R, modulus, mp); } From e4c4c5a73a69f016d01c9ae52b82a9790fa8840d Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 5 Jan 2016 07:37:31 -0700 Subject: [PATCH 174/177] white space change removed --- wolfcrypt/src/ecc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c index 175c436bd..a88d765f4 100644 --- a/wolfcrypt/src/ecc.c +++ b/wolfcrypt/src/ecc.c @@ -4449,7 +4449,7 @@ static int accel_fp_mul2add(int idx1, int idx2, XFREE(kb[1], NULL, DYNAMIC_TYPE_TMP_BUFFER); #endif - #undef KB_SIZE +#undef KB_SIZE if (err != MP_OKAY) return err; From 29e6f283cff6e5a28a34cef611538bac316bca6a Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 5 Jan 2016 14:19:46 -0700 Subject: [PATCH 175/177] Implement peer suggestion --- src/internal.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/src/internal.c b/src/internal.c index 008a45f1c..cc35f158d 100644 --- a/src/internal.c +++ b/src/internal.c @@ -832,6 +832,9 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, tls1_2 = pv.minor <= DTLSv1_2_MINOR; } #endif + /* May be dead assignments dependant upon configuration */ + (void) dtls; + (void) tls; #ifdef HAVE_RENEGOTIATION_INDICATION if (side == WOLFSSL_CLIENT_END) { @@ -1519,11 +1522,6 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, } #endif - /* account for unused variable warnings ifdef WOLFSSL_DTLS */ -#ifdef WOLFSSL_DTLS - (void) dtls; - (void) tls; -#endif suites->suiteSz = idx; InitSuitesHashSigAlgo(suites, haveECDSAsig, haveRSAsig, 0); From a6ca2c3bdd7fbc039eb0fa7f24247a13df870bea Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Tue, 5 Jan 2016 14:32:45 -0700 Subject: [PATCH 176/177] Avoid un-necessary cast --- src/internal.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/internal.c b/src/internal.c index cc35f158d..440d768fc 100644 --- a/src/internal.c +++ b/src/internal.c @@ -829,12 +829,12 @@ void InitSuites(Suites* suites, ProtocolVersion pv, word16 haveRSA, if (pv.major == DTLS_MAJOR) { dtls = 1; tls = 1; - tls1_2 = pv.minor <= DTLSv1_2_MINOR; - } -#endif /* May be dead assignments dependant upon configuration */ (void) dtls; (void) tls; + tls1_2 = pv.minor <= DTLSv1_2_MINOR; + } +#endif #ifdef HAVE_RENEGOTIATION_INDICATION if (side == WOLFSSL_CLIENT_END) { From 38392ce56a7356bd2bc97e1368045321ea963496 Mon Sep 17 00:00:00 2001 From: kaleb-himes Date: Wed, 6 Jan 2016 10:12:52 -0700 Subject: [PATCH 177/177] safeguards to avoid de-referencing a null pointer --- wolfcrypt/src/integer.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/wolfcrypt/src/integer.c b/wolfcrypt/src/integer.c index a185ee295..a463cbdef 100644 --- a/wolfcrypt/src/integer.c +++ b/wolfcrypt/src/integer.c @@ -125,6 +125,10 @@ int mp_init (mp_int * a) { int i; + /* Safeguard against passing in a null pointer */ + if (a == NULL) + return MP_VAL; + /* allocate memory required and clear it */ a->dp = OPT_CAST(mp_digit) XMALLOC (sizeof (mp_digit) * MP_PREC, 0, DYNAMIC_TYPE_BIGINT); @@ -275,6 +279,10 @@ mp_copy (mp_int * a, mp_int * b) { int res, n; + /* Safeguard against passing in a null pointer */ + if (a == NULL || b == NULL) + return MP_VAL; + /* if dst == src do nothing */ if (a == b) { return MP_OKAY;