wolfSSL/wolfssl
1
0
Fork 1
mirror of https://github.com/wolfSSL/wolfssl.git synced 2025-07-29 18:27:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: wolfSSL:v2.8.5
Branches Tags
wolfSSL:master wolfSSL:nightly-snapshot wolfSSL:devin/1753203298-add-pkcs7-data-oid-support wolfSSL:devin/1747238512-add-ssl-remove-session wolfSSL:pr-8603 wolfSSL:devin/invalid-gentime-crl-test wolfSSL:devin/1742841122-add-dod-pki-oids wolfSSL:rm_arc4 wolfSSL:devin/1742405136-cipherType-to-string wolfSSL:remove-arc4 wolfSSL:devin/1741708186-add-cmake-wolfclu wolfSSL:devin/1742172556-aes-xts-tests wolfSSL:devin/1741319666-remove-qt-guard-add-tests wolfSSL:devin/1740705266-update-mlkemkey-apis wolfSSL:devin/1740757542-null-cipher-evp-update wolfSSL:devin/1740759575-null-cipher-fix wolfSSL:devin-lifeguard/update-rules-d59f9c48 wolfSSL:devin/1739920896-esp32-fixes wolfSSL:devin/1739917420-rename-kyberkey-to-mlkem wolfSSL:devin/1739818351-optimize-test-suite-fix wolfSSL:devin/1739818351-optimize-test-suite wolfSSL:devin/1739784730-fix-tlsext-constants wolfSSL:devin/1739556249-pem-hash-algorithm wolfSSL:devin/1739556249-pem-hash-algorithm-fix2 wolfSSL:devin/1739556249-pem-hash-algorithm-fix wolfSSL:revert-8277-aarch64_no_crypto wolfSSL:revert-5549-fix_sha256_debug wolfSSL:cert-3389
wolfSSL:v5.8.2-stable wolfSSL:WCv5.2.3-RSA-SWITCH wolfSSL:wolfEntropy2 wolfSSL:WCv5.2.3-DHGENPUB-r2 wolfSSL:WCv5.2.3-DHGENPUB wolfSSL:v5.8.0-stable wolfSSL:WCv6.0.0-RC5 wolfSSL:WCv6.0.0-RC4 wolfSSL:WCv5.2.3-STM32-PAA wolfSSL:WCv6.0.0-RC3 wolfSSL:v5.7.6-stable wolfSSL:v5.2.1 wolfSSL:WCv5.2.3-ARMv8-PAA-r2 wolfSSL:WCv6.0.0-RC2 wolfSSL:WCv6.0.0-RC1 wolfSSL:v5.2.1-stable-OS_Seed-HdrOnly wolfSSL:v5.7.4-stable wolfSSL:v5.7.2-stable wolfSSL:wolfEntropy1 wolfSSL:v5.7.0-stable wolfSSL:WCv5.2.3-ARMv8-PAA wolfSSL:v5.6.6-stable wolfSSL:v5.6.4-stable wolfSSL:v5.2.1-stable wolfSSL:WCv5.2.1-PILOT wolfSSL:v5.6.3-stable wolfSSL:v5.6.2-stable wolfSSL:v5.6.0-stable wolfSSL:v5.5.4-stable wolfSSL:v5.5.3-stable wolfSSL:v5.5.2-stable wolfSSL:v5.5.1-stable wolfSSL:v5.5.0-stable wolfSSL:v5.4.0-stable wolfSSL:v5.3.0-stable wolfSSL:v5.2.0-stable wolfSSL:v5.1.1-stable wolfSSL:WCv5.0-RC12 wolfSSL:v5.1.0-stable wolfSSL:WCv5.0-RC11 wolfSSL:WCv5.0-RC10 wolfSSL:v5.0.0-stable wolfSSL:WCv5.0-RC9 wolfSSL:v4.8.1-stable wolfSSL:v4.8.0-stable wolfSSL:WCv5.0-RC8 wolfSSL:WCv5.0-RC7 wolfSSL:WCv5.0-RC6 wolfSSL:WCv5.0-RC5 wolfSSL:v4.7.1r wolfSSL:WCv5.0-RC4 wolfSSL:WCv5.0-RC3 wolfSSL:WCv5.0-RC2 wolfSSL:v4.7.0-stable wolfSSL:v4.6.0-stable wolfSSL:v4.5.0-stable wolfSSL:v4.4.0-stable wolfSSL:v4.3.0-stable wolfSSL:v4.2.0c wolfSSL:v4.2.0-stable wolfSSL:wolfRand-RC2 wolfSSL:v4.1.0-stable wolfSSL:wolfRand-RC1 wolfSSL:v4.0.0-stable wolfSSL:list wolfSSL:WCv4-rng-stable wolfSSL:v3.15.8 wolfSSL:v3.15.7-stable wolfSSL:v3.15.6 wolfSSL:v3.15.5a wolfSSL:v3.15.5-stable wolfSSL:WCv4.0-RC9 wolfSSL:WCv4.0-RC8 wolfSSL:WCv4.0-RC7 wolfSSL:v3.15.3-stable wolfSSL:l wolfSSL:WCv4-stable wolfSSL:v3.15.0-stable wolfSSL:v3.14.5 wolfSSL:WCv4.0-RC6 wolfSSL:WCv4.0-RC5 wolfSSL:WCv4.0-RC4 wolfSSL:v3.14.4 wolfSSL:WCv4.0-RC3 wolfSSL:WCv4.0-RC2 wolfSSL:WCv4.0-RC1 wolfSSL:v3.14.2 wolfSSL:v3.14.0b wolfSSL:v3.14.0a wolfSSL:v3.14.0-stable wolfSSL:v3.13.3 wolfSSL:v3.13.2 wolfSSL:v3.13.0-stable wolfSSL:v3.12.2-stable wolfSSL:v3.12.0-stable wolfSSL:v3.11.1-tls13-beta wolfSSL:v3.11.0-stable wolfSSL:v3.10.4 wolfSSL:v3.10.3 wolfSSL:v3.10.2-stable wolfSSL:v3.10.0a wolfSSL:v3.10.0-stable wolfSSL:v3.9.10b wolfSSL:v3.9.10-stable wolfSSL:v3.9.8 wolfSSL:v3.9.6w wolfSSL:v3.9.6 wolfSSL:v3.9.1 wolfSSL:v3.9.0 wolfSSL:v3.8.0 wolfSSL:v3.7.3 wolfSSL:v3.7.1 wolfSSL:v3.7.0 wolfSSL:v3.6.9d wolfSSL:v3.69.d wolfSSL:v3.6.9c wolfSSL:v3.6.9b wolfSSL:v3.6.9 wolfSSL:v3.6.8 wolfSSL:v3.6.6 wolfSSL:v3.6.2 wolfSSL:v3.6.0b wolfSSL:v3.6.0 wolfSSL:v3.4.8 wolfSSL:v3.4.6 wolfSSL:v3.4.2 wolfSSL:v3.4.0 wolfSSL:v3.3.3 wolfSSL:v3.3.2 wolfSSL:v3.3.0 wolfSSL:v3.2.6 wolfSSL:v3.2.4 wolfSSL:v3.2.0 wolfSSL:v3.1.0 wolfSSL:v3.0.2 wolfSSL:v3.0.0 wolfSSL:v2.9.4 wolfSSL:v2.9.2 wolfSSL:v2.9.1 wolfSSL:v0.5 wolfSSL:v2.9.0 wolfSSL:v2.8.6 wolfSSL:v2.8.5a wolfSSL:v2.8.5 wolfSSL:v2.8.4 wolfSSL:v2.8.3 wolfSSL:v2.8.2 wolfSSL:v2.8.0 wolfSSL:v2.7.2 wolfSSL:v2.7.0 wolfSSL:v2.6.2 wolfSSL:v2.6.0 wolfSSL:v2.5.2b wolfSSL:v2.5.2 wolfSSL:v2.5.0 wolfSSL:v2.4.7 wolfSSL:v2.4.6 wolfSSL:v2.4.2 wolfSSL:v2.4.0 wolfSSL:v2.3.0 wolfSSL:v2.2.2 wolfSSL:v2.2.1 wolfSSL:v2.1.1 wolfSSL:v2.2.0 wolfSSL:v2.1.4 wolfSSL:v2.1.2 wolfSSL:v2.0.8 wolfSSL:v2.0.6 wolfSSL:v2.0.3 wolfSSL:v2.0.2 wolfSSL:v2.0rc3 wolfSSL:v2.0rc2b wolfSSL:v2.0rc2 wolfSSL:v2.0rc1 wolfSSL:v1.9.0 wolfSSL:v1.8.8.0
...
compare: wolfSSL:v2.9.0
Branches Tags
wolfSSL:master wolfSSL:nightly-snapshot wolfSSL:devin/1753203298-add-pkcs7-data-oid-support wolfSSL:devin/1747238512-add-ssl-remove-session wolfSSL:pr-8603 wolfSSL:devin/invalid-gentime-crl-test wolfSSL:devin/1742841122-add-dod-pki-oids wolfSSL:rm_arc4 wolfSSL:devin/1742405136-cipherType-to-string wolfSSL:remove-arc4 wolfSSL:devin/1741708186-add-cmake-wolfclu wolfSSL:devin/1742172556-aes-xts-tests wolfSSL:devin/1741319666-remove-qt-guard-add-tests wolfSSL:devin/1740705266-update-mlkemkey-apis wolfSSL:devin/1740757542-null-cipher-evp-update wolfSSL:devin/1740759575-null-cipher-fix wolfSSL:devin-lifeguard/update-rules-d59f9c48 wolfSSL:devin/1739920896-esp32-fixes wolfSSL:devin/1739917420-rename-kyberkey-to-mlkem wolfSSL:devin/1739818351-optimize-test-suite-fix wolfSSL:devin/1739818351-optimize-test-suite wolfSSL:devin/1739784730-fix-tlsext-constants wolfSSL:devin/1739556249-pem-hash-algorithm wolfSSL:devin/1739556249-pem-hash-algorithm-fix2 wolfSSL:devin/1739556249-pem-hash-algorithm-fix wolfSSL:revert-8277-aarch64_no_crypto wolfSSL:revert-5549-fix_sha256_debug wolfSSL:cert-3389
wolfSSL:v5.8.2-stable wolfSSL:WCv5.2.3-RSA-SWITCH wolfSSL:wolfEntropy2 wolfSSL:WCv5.2.3-DHGENPUB-r2 wolfSSL:WCv5.2.3-DHGENPUB wolfSSL:v5.8.0-stable wolfSSL:WCv6.0.0-RC5 wolfSSL:WCv6.0.0-RC4 wolfSSL:WCv5.2.3-STM32-PAA wolfSSL:WCv6.0.0-RC3 wolfSSL:v5.7.6-stable wolfSSL:v5.2.1 wolfSSL:WCv5.2.3-ARMv8-PAA-r2 wolfSSL:WCv6.0.0-RC2 wolfSSL:WCv6.0.0-RC1 wolfSSL:v5.2.1-stable-OS_Seed-HdrOnly wolfSSL:v5.7.4-stable wolfSSL:v5.7.2-stable wolfSSL:wolfEntropy1 wolfSSL:v5.7.0-stable wolfSSL:WCv5.2.3-ARMv8-PAA wolfSSL:v5.6.6-stable wolfSSL:v5.6.4-stable wolfSSL:v5.2.1-stable wolfSSL:WCv5.2.1-PILOT wolfSSL:v5.6.3-stable wolfSSL:v5.6.2-stable wolfSSL:v5.6.0-stable wolfSSL:v5.5.4-stable wolfSSL:v5.5.3-stable wolfSSL:v5.5.2-stable wolfSSL:v5.5.1-stable wolfSSL:v5.5.0-stable wolfSSL:v5.4.0-stable wolfSSL:v5.3.0-stable wolfSSL:v5.2.0-stable wolfSSL:v5.1.1-stable wolfSSL:WCv5.0-RC12 wolfSSL:v5.1.0-stable wolfSSL:WCv5.0-RC11 wolfSSL:WCv5.0-RC10 wolfSSL:v5.0.0-stable wolfSSL:WCv5.0-RC9 wolfSSL:v4.8.1-stable wolfSSL:v4.8.0-stable wolfSSL:WCv5.0-RC8 wolfSSL:WCv5.0-RC7 wolfSSL:WCv5.0-RC6 wolfSSL:WCv5.0-RC5 wolfSSL:v4.7.1r wolfSSL:WCv5.0-RC4 wolfSSL:WCv5.0-RC3 wolfSSL:WCv5.0-RC2 wolfSSL:v4.7.0-stable wolfSSL:v4.6.0-stable wolfSSL:v4.5.0-stable wolfSSL:v4.4.0-stable wolfSSL:v4.3.0-stable wolfSSL:v4.2.0c wolfSSL:v4.2.0-stable wolfSSL:wolfRand-RC2 wolfSSL:v4.1.0-stable wolfSSL:wolfRand-RC1 wolfSSL:v4.0.0-stable wolfSSL:list wolfSSL:WCv4-rng-stable wolfSSL:v3.15.8 wolfSSL:v3.15.7-stable wolfSSL:v3.15.6 wolfSSL:v3.15.5a wolfSSL:v3.15.5-stable wolfSSL:WCv4.0-RC9 wolfSSL:WCv4.0-RC8 wolfSSL:WCv4.0-RC7 wolfSSL:v3.15.3-stable wolfSSL:l wolfSSL:WCv4-stable wolfSSL:v3.15.0-stable wolfSSL:v3.14.5 wolfSSL:WCv4.0-RC6 wolfSSL:WCv4.0-RC5 wolfSSL:WCv4.0-RC4 wolfSSL:v3.14.4 wolfSSL:WCv4.0-RC3 wolfSSL:WCv4.0-RC2 wolfSSL:WCv4.0-RC1 wolfSSL:v3.14.2 wolfSSL:v3.14.0b wolfSSL:v3.14.0a wolfSSL:v3.14.0-stable wolfSSL:v3.13.3 wolfSSL:v3.13.2 wolfSSL:v3.13.0-stable wolfSSL:v3.12.2-stable wolfSSL:v3.12.0-stable wolfSSL:v3.11.1-tls13-beta wolfSSL:v3.11.0-stable wolfSSL:v3.10.4 wolfSSL:v3.10.3 wolfSSL:v3.10.2-stable wolfSSL:v3.10.0a wolfSSL:v3.10.0-stable wolfSSL:v3.9.10b wolfSSL:v3.9.10-stable wolfSSL:v3.9.8 wolfSSL:v3.9.6w wolfSSL:v3.9.6 wolfSSL:v3.9.1 wolfSSL:v3.9.0 wolfSSL:v3.8.0 wolfSSL:v3.7.3 wolfSSL:v3.7.1 wolfSSL:v3.7.0 wolfSSL:v3.6.9d wolfSSL:v3.69.d wolfSSL:v3.6.9c wolfSSL:v3.6.9b wolfSSL:v3.6.9 wolfSSL:v3.6.8 wolfSSL:v3.6.6 wolfSSL:v3.6.2 wolfSSL:v3.6.0b wolfSSL:v3.6.0 wolfSSL:v3.4.8 wolfSSL:v3.4.6 wolfSSL:v3.4.2 wolfSSL:v3.4.0 wolfSSL:v3.3.3 wolfSSL:v3.3.2 wolfSSL:v3.3.0 wolfSSL:v3.2.6 wolfSSL:v3.2.4 wolfSSL:v3.2.0 wolfSSL:v3.1.0 wolfSSL:v3.0.2 wolfSSL:v3.0.0 wolfSSL:v2.9.4 wolfSSL:v2.9.2 wolfSSL:v2.9.1 wolfSSL:v0.5 wolfSSL:v2.9.0 wolfSSL:v2.8.6 wolfSSL:v2.8.5a wolfSSL:v2.8.5 wolfSSL:v2.8.4 wolfSSL:v2.8.3 wolfSSL:v2.8.2 wolfSSL:v2.8.0 wolfSSL:v2.7.2 wolfSSL:v2.7.0 wolfSSL:v2.6.2 wolfSSL:v2.6.0 wolfSSL:v2.5.2b wolfSSL:v2.5.2 wolfSSL:v2.5.0 wolfSSL:v2.4.7 wolfSSL:v2.4.6 wolfSSL:v2.4.2 wolfSSL:v2.4.0 wolfSSL:v2.3.0 wolfSSL:v2.2.2 wolfSSL:v2.2.1 wolfSSL:v2.1.1 wolfSSL:v2.2.0 wolfSSL:v2.1.4 wolfSSL:v2.1.2 wolfSSL:v2.0.8 wolfSSL:v2.0.6 wolfSSL:v2.0.3 wolfSSL:v2.0.2 wolfSSL:v2.0rc3 wolfSSL:v2.0rc2b wolfSSL:v2.0rc2 wolfSSL:v2.0rc1 wolfSSL:v1.9.0 wolfSSL:v1.8.8.0

120 Commits
v2.8.5 ... v2.9.0

Author SHA1 Message Date
John Safranek
f1c2250652 fix static analysis warning, g++ compile warning 2014-02-07 14:52:44 -08:00
John Safranek
594feec68b v2.9.0 release 2014-02-07 12:28:41 -08:00
John Safranek
9a275fbe8b updated CRLs for a year 2014-02-07 12:17:01 -08:00
John Safranek
4a0afa19bf Reinitialize the index when processing stored DTLS handshake messages. 2014-02-04 07:36:59 -08:00
Moisés Guimarães
468e26a3a2 fixed error catching on TLSX_EllipticCurve_Parse 
fixed unsupported curves handling
 2014-02-03 21:54:31 -03:00
John Safranek
f669e73c8d Merge branch 'master' of github.com:cyassl/cyassl 2014-02-03 14:49:38 -08:00
John Safranek
2758f40a09 For OCSP, when decoding X.509 Auth Info Access record, find the first 
OCSP responder, rather than only looking at the first item.
 2014-02-03 14:39:41 -08:00
Moisés Guimarães
36b5bf0df1 Renaming Elliptic Curves to Supported Curves for better extension representation and avoid confusion. 2014-02-03 16:14:35 -03:00
toddouska
51b3b1cb6c fix pkCurveOID c files, doesn't require openssl extra 2014-02-01 12:14:41 -08:00
toddouska
c14bc1a45c fix ecc w/o openssl extra 2014-02-01 11:37:08 -08:00
John Safranek
909b9258d6 Thread safe OCSP. 2014-01-31 16:59:13 -08:00
Moisés Guimarães
5616450a4b fixed return codes 
added protection for missing HAVE_TLS_EXTENSIONS
 2014-01-31 16:52:15 -03:00
Moisés Guimarães
30e2b4aa11 writing curves in the right order. (reverse) 
improved curve validation.
 2014-01-31 16:52:14 -03:00
Moisés Guimarães
9490c0dbaf validating curves 2014-01-31 16:52:14 -03:00
Moisés Guimarães
de6a537896 exporting pkCurve info to ctx and ssl 2014-01-31 16:52:14 -03:00
Moisés Guimarães
70e3d6ddb0 removing missing extensions 2014-01-31 16:52:13 -03:00
Moisés Guimarães
afd38d11cd removing unused curve names. 2014-01-31 16:52:13 -03:00
Moisés Guimarães
ae6d593096 added curve names extension to all extensions 2014-01-31 16:52:13 -03:00
Moisés Guimarães
7d2a6800f7 added Elliptic Curves Extensions implementation and configuration. 2014-01-31 16:52:13 -03:00
Moisés Guimarães
179836ad43 added api tests for Elliptic Curves Extensions. 2014-01-31 16:52:13 -03:00
Moisés Guimarães
75ae9dc973 added external api for Elliptic Curves Extension. 2014-01-31 16:52:13 -03:00
toddouska
b2ebfe9004 determine if openssl command line tool available for testing with ocsp, if so, HAVE_OPENSSL_CMD define is set 2014-01-31 10:37:11 -08:00
John Safranek
12e9309618 fix Windows function name conflict 2014-01-28 12:30:01 -08:00
John Safranek
2fe8477679 fix make distcheck 2014-01-28 12:22:16 -08:00
John Safranek
631cfbcf27 fix output size check bug 2014-01-28 11:57:49 -08:00
Chris Conlon
42ad70591a prevent XFREE from freeing NULL pointer under Freescale MQX 2014-01-28 10:28:19 -07:00
toddouska
60cddecd9c remove mcheck from --enable-debug, not thread safe 2014-01-27 20:04:14 -08:00
toddouska
2084e9869d fix pkcs7 leaks with normal math 2014-01-27 16:29:15 -08:00
toddouska
e040e0ba7a fix scep 32 2014-01-27 12:50:29 -08:00
John Safranek
cfa9007199 1. Bumped release version in configure.ac. 
2. Added enable option for SCEP. Enables prereqs.
3. Added CyaSSL_wolfSCEP() for ac to test for CyaSSL SCEP.
 2014-01-27 11:35:43 -08:00
toddouska
c0f9780c70 fix challenge pwd init bug 2014-01-24 14:08:14 -08:00
toddouska
21c9eb7b22 fix forgotten leading 0 on SetRsaPublicKey 2014-01-24 13:58:20 -08:00
toddouska
5945723d87 linux pkcs7 build fixes 2014-01-24 13:15:26 -08:00
John Safranek
1dac5d28e3 Allow PKCS7_VerifyDecodedData to have an empty set of SignerInfos. Save first certificate. 2014-01-24 12:14:53 -08:00
John Safranek
595fe0b445 Merge branch 'master' of github.com:cyassl/cyassl 2014-01-23 21:48:37 -08:00
toddouska
18365df209 add non block length test case, including test again, to aes ctr 2014-01-23 15:18:42 -08:00
Chris Conlon
43199cd573 PKCS7_DecodeEnvelopedData, only do ParseCert once in PKCS7_InitWithCert 2014-01-23 14:48:18 -07:00
toddouska
45c05ffd30 add non block size AesCtr support 2014-01-23 12:34:27 -08:00
John Safranek
0972fbbf9d PKCS7_VerifySignedMessage() decodes more of the 
message and performs an RSA verify on it.
 2014-01-23 11:24:50 -08:00
Chris Conlon
9f8dcccc61 PKCS7_DecodeEnvelopedData, RsaPrivateDecryptInline can return 0 upon error 2014-01-22 15:26:43 -07:00
John Safranek
38c2373c4f PKCS7_VerifySignedData() also saves pointer to signed data. 2014-01-21 22:11:21 -08:00
John Safranek
15f94b2f98 1. Resized sample PKCS7 signed data attribute. 
2. Removed unnecessary PKCS7 signed data attribute.
 2014-01-21 11:45:15 -08:00
Moisés Guimarães
8541c2cc97 added renegotiation indication SCSV sending on client hello. 2014-01-21 11:38:59 -03:00
John Safranek
c35a635fd7 Added initial PKCS7_VerifySignedData(). Only saves 
the first included certificate if available.
 2014-01-20 15:52:41 -08:00
John Safranek
2187955fe9 Merge branch 'master' of github.com:cyassl/cyassl 2014-01-20 10:53:14 -08:00
John Safranek
28f3a2dc21 Added deallocator function for PKCS7 initializer data. 2014-01-20 10:51:26 -08:00
Chris Conlon
ce7fe56de5 adjust next PKCS#7 envelopedData recipient check 2014-01-20 11:42:45 -07:00
John Safranek
c4eb5642b1 1. Sign the PKCS#7 with a supplied private key, not 
the single cert's public key.
2. Rename PKCS7 Envelope Data function as
   `PKCS7_EncodeEnvelopedData()`.
3. Encode signed data to check input parameters.
 2014-01-17 14:07:40 -08:00
Chris Conlon
e9b82d8174 place PKCS#7 IV in AlgoID optional params, resolve merge conflicts 2014-01-16 17:46:28 -07:00
Chris Conlon
366f42a91b remove NULL tag from block cipher AlgoId, IV there instead 2014-01-16 17:45:10 -07:00
John Safranek
eb2e987a29 Split two PKCS7 tests into two functions. 2014-01-16 16:29:33 -08:00
John Safranek
cf22e49117 Merge branch 'master' of github.com:cyassl/cyassl 2014-01-16 16:19:34 -08:00
John Safranek
264ce75041 1. Split SetTagged into SetExplicit and SetImplicit. 
2. Updated code using SetTagged to use new functions.
 2014-01-16 16:17:17 -08:00
Chris Conlon
a75b95facc more comments to PKCS#7 files 2014-01-16 13:29:37 -07:00
Chris Conlon
590dde753a only store issuer into issuerRaw 2014-01-16 10:45:52 -07:00
John Safranek
36f78c5e1d 1. Bug fix for taking the size of something. 
(Used wrong variable name.)
2. Renamed PKCS7 signed data test output file.
3. Added PKCS7 data test output files to gitignore.
 2014-01-15 15:42:27 -08:00
John Safranek
cd44227945 Cleaned up warnings when using sizeof() in math. 2014-01-15 14:25:15 -08:00
John Safranek
85c5c29e7a Merge branch 'master' of github.com:cyassl/cyassl 
Conflicts:
	ctaocrypt/test/test.c
	cyassl/ctaocrypt/pkcs7.h
 2014-01-15 13:23:26 -08:00
John Safranek
c33a8a890e Added encoding PKCS#7 signed data messages. 2014-01-15 12:31:51 -08:00
Chris Conlon
46a03daf5f initial PKCS#7 crypto test 2014-01-15 11:05:18 -07:00
Moisés Guimarães
d58add7e97 added protection to test_CyaSSL_client_server 
fixed min macro
 2014-01-15 10:56:49 -03:00
Chris Conlon
9f7e33e7e1 add PKCS7_DecodeEnvelopedData() 2014-01-14 22:57:55 -07:00
Chris Conlon
d63c58864f expose more ASN.1 helper functions with CYASSL_LOCAL 2014-01-14 22:48:55 -07:00
Chris Conlon
80c19aaf33 add PKCS7 error codes 2014-01-14 22:46:54 -07:00
toddouska
8a1971d52b add CyaSSL_CertPemToDer for certs, ca certs, and cert reqs 2014-01-14 15:13:43 -08:00
toddouska
3152c28650 add escape for 64encdoe + and = too 2014-01-14 09:36:21 -08:00
Chris Conlon
f072d92ed8 Merge branch 'master' of github.com:cyassl/cyassl 2014-01-13 13:20:29 -07:00
Chris Conlon
69ffa3a481 add PKCS7_EncodeEnvelopeData() 2014-01-13 13:19:44 -07:00
toddouska
bb6b2e86c6 add base64 encode with esacped line ending, keep existing api intact 2014-01-13 12:17:12 -08:00
John Safranek
ef9cfc2172 Added method to encode PKCS7 data type messages. 2014-01-13 10:58:01 -08:00
Chris Conlon
3a984990c2 update pkcs7.h 2014-01-10 16:17:02 -07:00
Chris Conlon
71e13a3c3a expose ASN.1 helper fns, add blkType 2014-01-10 16:13:56 -07:00
Chris Conlon
0024db221f fix --enable-pkcs7 configure.ac 2014-01-10 16:11:17 -07:00
Chris Conlon
1d67d9217e initial PKCS#7 stubs, tie into ./configure 2014-01-10 15:17:03 -07:00
John Safranek
9e55d71ccc Added enable-certgen to configure.ac. 2014-01-10 11:50:55 -08:00
John Safranek
4a975e8d00 SetRsaPublicKey() to support ASN.1 unsigned intergers correctly. 2014-01-10 11:29:08 -08:00
John Safranek
f9e73a8aeb Added setting the cert req challenge password. 2014-01-09 14:17:55 -08:00
John Safranek
f545a33e77 Cert Req 
1. Added support for the cert req attributes.
2. Added setting the Basic Constraints extenstion request.
3. Added error checking for the cert req attribs.
 2014-01-08 16:26:42 -08:00
John Safranek
7b4cf370d0 In test: Cert req now signed by correct key. Removed loading of CA key. 2014-01-08 11:47:59 -08:00
John Safranek
f0a7d94c48 Cert Request 
1. Added setting the request's version.
2. Added certreq test code to the ctaocrypt test.
3. Added the certreq test outputs to gitignore.
 2014-01-08 10:57:46 -08:00
John Safranek
4de6a6d902 Cert Request 
1. Added function to make simple DER format cert reqs.
2. Added cert req type to DerToPem.
 2014-01-07 17:25:46 -08:00
toddouska
d6ad10f027 add USE_SLOW_SHA2 for sha384 and sha512, over twice as small code but over 50% slower too 2014-01-03 12:32:14 -08:00
toddouska
9d0e991e41 fix 32bit no asm combos 2014-01-02 16:58:54 -08:00
Chris Conlon
99ac08cf3d lower case mp_sqr() parameters, missed in previous commit 2014-01-02 13:37:11 -07:00
Chris Conlon
9f4ea7d059 update TYTO settings, FREESCALE_MMCAU AES check for NULL 2014-01-02 13:13:18 -07:00
Chris Conlon
7cc9ab3d6f use lower case variables, prevent conflict with some toolchain defines 2014-01-02 13:11:27 -07:00
John Safranek
7b04b7ab84 DTLS IO and cookie callbacks are IPv4/IPv6 agnostic. 2013-12-30 10:39:12 -08:00
John Safranek
420ca9e6e3 Merge branch 'ocsp' 2013-12-27 16:14:47 -08:00
John Safranek
896b16a7df Fixed off-by-one error in OCSP 2013-12-27 16:13:52 -08:00
John Safranek
d46c68ba10 Moved OCSP into the CertManager like the CRL. 2013-12-27 12:11:47 -08:00
Moisés Guimarães
3e24a446b9 fixing SNI_GetFromBuffer return code on success. 2013-12-24 15:34:17 -03:00
John Safranek
4ce2e59adf For Atomic user: 
1. Added a getter for the session's IV size.
2. The HMAC size getter should return 0 for AEAD ciphers
   and the hash length for the others.
 2013-12-23 22:32:08 -08:00
John Safranek
14aa114854 Trimmed unused includes and defines from OCSP source. 2013-12-23 14:33:44 -08:00
Chris Conlon
64912b37f6 adjust key buffer length when using ToTraditional() or ToTraditionalEnc() 2013-12-23 14:07:58 -07:00
toddouska
29c41da818 do size check on user password input 2013-12-23 12:24:03 -08:00
toddouska
3c706b4645 only set up tmp ctx if using password 2013-12-23 12:15:55 -08:00
toddouska
db71460bb8 add password functionality to CyaSSL_KeyPemToDer() 2013-12-23 12:07:20 -08:00
toddouska
0ee34c961e make sure passwd_cb called before load private key in server example 2013-12-23 11:19:21 -08:00
toddouska
dff54942a2 xcode5 paths for examples 2013-12-19 15:23:57 -08:00
toddouska
7a19cc377f Merge branch 'master' of github.com:cyassl/cyassl 2013-12-18 16:18:07 -08:00
toddouska
ea5b7ca9d1 allow testsuite to run in xcode 5 if custom build location 2013-12-18 16:16:35 -08:00
John Safranek
4ffc92a4d6 Use OCSP override URL enable in both example client and server. 2013-12-18 12:34:40 -08:00
John Safranek
75e6ac534e Force Cygwin to use function tolower() rather than macro version 2013-12-18 10:58:10 -08:00
John Safranek
fe4f10418f OCSP lookups are IPv4/IPv6 agnostic. 2013-12-17 18:30:42 -08:00
John Safranek
003446a5cd Using OCSP override URL should enable OCSP url overriding. 2013-12-17 18:26:29 -08:00
Chris Conlon
6c43a008ab update README 2013-12-17 16:33:56 -07:00
Chris Conlon
8c8a1b0db8 add Freescale K60 mmCAU AES, DES, 3DES support 2013-12-17 16:29:21 -07:00
Chris Conlon
c466fac597 add Freescale K60 mmCAU MD5, SHA, SHA256 support 2013-12-17 16:28:08 -07:00
toddouska
9db9f52c9c don't install internal.h, not for public consumption 2013-12-16 15:24:02 -08:00
Moisés Guimarães
ffd58e27ef removing deprecated TRUNCATED_HMAC_SIZE 2013-12-12 21:05:31 -03:00
toddouska
5efbf98f31 separate sniffer / snifftest ./configure build 2013-12-12 14:20:56 -08:00
John Safranek
9d6182d279 Merge branch 'master' of github.com:cyassl/cyassl 2013-12-12 11:06:21 -08:00
John Safranek
26a26fa19d 1. Fixed a build warning. 
2. Fixed an initialization bug when decoding old-style client hellos.
 2013-12-12 10:45:19 -08:00
Chris Conlon
5909f5c2c0 Merge branch 'master' of github.com:cyassl/cyassl 2013-12-11 16:20:43 -08:00
Chris Conlon
8c7f5817ac NO_FILESYSTEM fix for CyaSSL_X509_load_certificate_file 2013-12-11 16:19:09 -08:00
toddouska
ba95c33ed4 more clang warnings 2013-12-11 15:47:40 -08:00
toddouska
e5b0000ee4 switch enable-sniffer w/o libpcap to error out again 2013-12-11 14:59:46 -08:00
toddouska
b41d09b1a2 fix newer clang warnings 2013-12-11 12:03:09 -08:00
toddouska
9e56ad262c fix snifftest pcap frees on file mode, close TraceFile on ssl_Free 2013-12-10 16:17:43 -08:00
John Safranek
0d85a85d59 Bumped version for point release. 2013-12-10 12:05:55 -08:00
68 changed files with 4483 additions and 846 deletions
Expand all files Collapse all files

5
.gitignore vendored
View File

@ -52,6 +52,11 @@ othercert.der
othercert.pem
key.der
key.pem
certreq.der
certreq.pem
pkcs7cert.der
pkcs7signedData.der
pkcs7envelopedData.der
diff
sslSniffer/sslSnifferTest/tracefile.txt
*.gz

3
IDE/MDK5-ARM/Projects/CyaSSL-Full/client.c
View File

@ -469,7 +469,8 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args)
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)))
if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))
!= SSL_SUCCESS)
err_sys("UseSNI failed");
#endif

10
IDE/MDK5-ARM/Projects/CyaSSL-Full/server.c
View File

@ -347,6 +347,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
usePsk = 1;
#endif
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
@ -404,10 +408,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
#endif
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
@ -419,7 +419,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_SNI
if (sniHostName) {
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)))
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
else
CyaSSL_CTX_SNI_SetOptions(ctx, CYASSL_SNI_HOST_NAME,

3
IDE/MDK5-ARM/Projects/SimpleClient/client.c
View File

@ -471,7 +471,8 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args)
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)))
if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))
!= SSL_SUCCESS)
err_sys("UseSNI failed");
#endif

2
IDE/MDK5-ARM/Projects/SimpleServer/server.c
View File

@ -418,7 +418,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_SNI
if (sniHostName) {
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)))
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
else
CyaSSL_CTX_SNI_SetOptions(ctx, CYASSL_SNI_HOST_NAME,

33
README
View File

@ -35,12 +35,43 @@ before calling SSL_new(); Though it's not recommended.
*** end Notes ***
CyaSSL Release 2.9.0 (X/XX/XXXX)
CyaSSL Release 2.9.0 (02/07/2014)
Release 2.9.0 CyaSSL has bug fixes and new features including:
- Freescale Kinetis RNGB support
- Freescale Kinetis mmCAU support
- TLS Hello extensions
- ECC
- Secure Renegotiation (null)
- Truncated HMAC
- SCEP support
- PKCS #7 Enveloped data and signed data
- PKCS #10 Certificate Signing Request generation
- DTLS sliding window
- OCSP Improvements
- API change to integrate into Certificate Manager
- IPv4/IPv6 agnostic
- example client/server support for OCSP
- OCSP nonces are optional
- GMAC hashing
- Windows build additions
- Windows CYGWIN build fixes
- Updated test certificates
- Microchip MPLAB Harmony support
- Update autoconf scripts
- Additional X.509 inspection functions
- ECC encrypt/decrypt primitives
- ECC Certificate generation
The Freescale Kinetis K53 RNGB documentation can be found in Chapter 33 of the
K53 Sub-Family Reference Manual:
http://cache.freescale.com/files/32bit/doc/ref_manual/K53P144M100SF2RM.pdf
Freescale Kinetis K60 mmCAU (AES, DES, 3DES, MD5, SHA, SHA256) documentation
can be found in the "ColdFire/ColdFire+ CAU and Kinetis mmCAU Software Library
User Guide":
http://cache.freescale.com/files/32bit/doc/user_guide/CAUAPIUG.pdf
*****************CyaSSL Release 2.8.0 (8/30/2013)

58
certs/crl/cliCrl.pem
View File

@ -2,38 +2,40 @@ Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: Jun 17 21:32:30 2013 GMT
Next Update: Dec 14 21:32:30 2013 GMT
Last Update: Feb 7 20:14:06 2014 GMT
Next Update: Feb 7 20:14:06 2015 GMT
CRL extensions:
X509v3 CRL Number:
87
No Revoked Certificates.
3
Revoked Certificates:
Serial Number: 02
Revocation Date: Feb 7 20:14:06 2014 GMT
Signature Algorithm: sha1WithRSAEncryption
0f:16:d2:d6:62:f8:c0:db:b2:2c:de:9d:0a:10:72:0e:85:6e:
25:1d:38:20:1b:d5:66:d9:d3:9e:0e:a6:9e:e8:60:20:1c:b5:
c9:ab:09:c3:a5:d5:c3:91:a3:9a:ff:44:40:68:da:7b:da:4a:
3c:15:17:89:0a:49:b9:af:b2:ac:f0:e2:b5:0e:4d:c0:22:d7:
5e:c1:02:9e:f3:95:20:62:7c:88:d9:32:97:12:04:1a:6f:8c:
d8:7b:9f:0c:1e:91:fe:98:52:17:de:f2:ee:7c:66:e7:db:91:
99:7a:f7:09:c9:15:16:3d:a2:1c:13:af:ad:e0:70:b8:6b:e5:
dc:8e:f8:b5:ec:ff:f7:88:1b:ce:46:eb:22:ff:10:2f:ea:53:
f0:86:62:1a:ab:6f:4d:05:45:e8:5c:ba:b5:8d:0d:38:72:cd:
df:a1:74:31:bb:ad:68:7d:56:be:d8:7e:7a:f5:ef:52:be:14:
5c:6d:ed:b4:2a:c9:ab:97:ba:e8:93:c5:6b:79:66:c7:52:a8:
0d:62:dc:cb:e2:4c:e6:53:f4:c3:5c:ce:47:0f:39:46:9a:cb:
82:d9:98:7d:69:41:aa:ac:6a:7a:e9:02:c9:9b:77:59:7f:6a:
90:54:10:8a:45:c7:49:5f:ca:be:66:6a:20:e1:cd:e8:10:09:
30:7e:16:44
36:33:8d:75:7a:2c:40:dc:e2:64:71:de:1d:06:b4:0e:d3:98:
63:05:79:84:53:76:9b:aa:51:70:a1:3a:ab:12:f7:da:69:70:
34:5b:4d:08:01:a6:3b:16:25:ac:3d:11:0c:80:94:bc:dc:b5:
51:7c:84:11:65:d7:d2:24:16:f5:ac:11:0b:ea:72:62:4a:cb:
83:c1:6c:96:ec:6b:ce:1f:26:88:89:8a:74:90:fb:d3:67:91:
8c:f7:ef:0e:ca:81:39:22:89:1a:52:75:d0:13:ba:ee:83:0c:
61:e9:b4:d8:f1:3f:80:77:29:d2:bb:7e:81:29:a8:fb:1f:ad:
92:91:bd:e9:b8:29:3f:a3:ec:44:b5:09:e5:03:3c:1b:2d:df:
4c:27:45:94:da:be:50:dd:b9:78:3f:1f:92:92:59:a5:ad:5a:
ef:95:71:ff:ca:ff:db:70:53:17:aa:00:40:9b:4c:ff:fb:be:
73:7a:8e:0f:07:9b:b9:14:fd:a4:b4:d7:79:4b:3e:ff:c6:90:
ef:91:2e:a2:f3:ee:4b:1f:16:47:2a:a3:39:f9:b5:fd:74:fa:
8f:c4:15:8d:77:7f:46:78:6f:ba:a5:4e:bc:63:8f:39:63:c9:
68:3d:8f:02:3a:4a:d0:d5:c4:47:6a:2c:4d:6c:d5:e2:a7:5f:
35:ba:65:e4
-----BEGIN X509 CRL-----
MIIB6DCB0QIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxDzANBgNV
MIIB/jCB5wIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxDzANBgNV
BAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxDjAMBgNVBAoTBXlhU1NMMRQw
EgYDVQQLEwtQcm9ncmFtbWluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsG
CSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20XDTEzMDYxNzIxMzIzMFoXDTEzMTIx
NDIxMzIzMFqgDjAMMAoGA1UdFAQDAgFXMA0GCSqGSIb3DQEBBQUAA4IBAQAPFtLW
YvjA27Is3p0KEHIOhW4lHTggG9Vm2dOeDqae6GAgHLXJqwnDpdXDkaOa/0RAaNp7
2ko8FReJCkm5r7Ks8OK1Dk3AItdewQKe85UgYnyI2TKXEgQab4zYe58MHpH+mFIX
3vLufGbn25GZevcJyRUWPaIcE6+t4HC4a+Xcjvi17P/3iBvORusi/xAv6lPwhmIa
q29NBUXoXLq1jQ04cs3foXQxu61ofVa+2H569e9SvhRcbe20Ksmrl7rok8VreWbH
UqgNYtzL4kzmU/TDXM5HDzlGmsuC2Zh9aUGqrGp66QLJm3dZf2qQVBCKRcdJX8q+
Zmog4c3oEAkwfhZE
CSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20XDTE0MDIwNzIwMTQwNloXDTE1MDIw
NzIwMTQwNlowFDASAgECFw0xNDAyMDcyMDE0MDZaoA4wDDAKBgNVHRQEAwIBAzAN
BgkqhkiG9w0BAQUFAAOCAQEANjONdXosQNziZHHeHQa0DtOYYwV5hFN2m6pRcKE6
qxL32mlwNFtNCAGmOxYlrD0RDICUvNy1UXyEEWXX0iQW9awRC+pyYkrLg8Fsluxr
zh8miImKdJD702eRjPfvDsqBOSKJGlJ10BO67oMMYem02PE/gHcp0rt+gSmo+x+t
kpG96bgpP6PsRLUJ5QM8Gy3fTCdFlNq+UN25eD8fkpJZpa1a75Vx/8r/23BTF6oA
QJtM//u+c3qODwebuRT9pLTXeUs+/8aQ75EuovPuSx8WRyqjOfm1/XT6j8QVjXd/
RnhvuqVOvGOPOWPJaD2PAjpK0NXER2osTWzV4qdfNbpl5A==
-----END X509 CRL-----

52
certs/crl/crl.pem
View File

@ -2,38 +2,38 @@ Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: Jun 17 21:32:30 2013 GMT
Next Update: Dec 14 21:32:30 2013 GMT
Last Update: Feb 7 20:14:06 2014 GMT
Next Update: Feb 7 20:14:06 2015 GMT
CRL extensions:
X509v3 CRL Number:
85
1
No Revoked Certificates.
Signature Algorithm: sha1WithRSAEncryption
4d:9c:63:22:02:91:fe:52:35:93:7c:b6:5b:e8:86:5a:29:a2:
4d:9a:bc:d9:16:e0:8a:04:90:4d:ae:21:00:be:9c:81:5b:68:
6e:90:1a:fd:1a:37:70:85:50:f2:02:87:1c:38:f4:ef:9d:41:
f5:4f:53:66:d4:c0:22:80:00:82:7a:09:42:49:c3:1c:c9:4c:
9f:92:f9:66:f4:21:1f:24:67:4f:83:6a:bd:3a:19:f1:04:99:
ea:30:05:bf:a7:3d:bf:71:ac:3e:3a:ba:2a:c5:05:12:53:eb:
5c:6f:ed:2d:4b:c0:f5:00:e1:95:45:c9:62:b5:89:66:4b:2b:
01:fc:66:29:a3:0a:9a:05:ae:f7:9f:51:2a:9c:3b:18:03:ed:
c4:7c:33:62:93:30:49:ab:c4:d1:07:f4:18:ac:96:24:1e:c2:
fa:37:ed:82:db:06:66:8d:fb:25:93:35:7b:39:88:e8:8e:70:
e9:c8:be:00:c4:f7:a7:67:83:f8:3d:af:8b:71:5b:25:3b:1d:
56:cd:d0:15:86:31:d1:cb:57:3a:00:b5:1c:7c:3e:99:44:ce:
bc:89:a7:78:37:50:ed:a1:b6:16:cd:72:20:c9:1f:60:b2:8a:
c5:62:30:26:f0:aa:b6:73:ca:8e:d6:ba:31:0a:21:a2:6e:40:
4b:66:30:11
4b:c1:68:4f:80:01:0e:ab:ff:c1:8f:5e:e5:3c:01:7a:fd:9c:
bb:21:b3:68:73:7c:e9:dc:c5:70:a8:fd:1b:74:27:c2:9e:7d:
11:9c:95:b9:fb:73:ac:50:bb:b7:4a:5e:f1:f3:44:b4:7c:b5:
21:0f:32:48:2e:b2:03:95:a7:09:6b:25:87:c3:1d:9c:3f:8f:
69:91:30:fb:e5:a1:b2:26:1a:ed:8f:73:06:2d:bd:bc:72:f4:
b8:bd:63:61:90:c7:91:2b:68:52:51:47:0d:d6:a1:79:b8:4b:
bc:30:57:94:fa:b7:49:80:1a:1f:4d:aa:a3:8b:cd:8f:5d:8e:
ad:8b:d6:d1:5b:c1:cf:f2:0c:60:22:19:87:42:db:42:8b:aa:
47:36:4d:20:eb:cb:72:ce:4b:48:1b:f3:4d:0b:e0:f8:58:27:
65:60:e7:97:50:83:a9:80:58:62:a8:02:ac:4e:37:79:42:47:
65:aa:55:ca:7c:9a:9c:bf:6c:36:89:f3:f7:60:d3:30:be:d4:
ce:f1:af:41:7e:02:75:6e:82:86:96:b9:16:07:15:29:c0:65:
4d:2f:13:4f:01:ec:47:f1:af:36:0a:d6:a1:dc:81:57:18:2d:
00:7b:d4:49:88:c0:61:81:0e:cd:a7:39:6a:53:2a:7c:91:3d:
ac:62:8d:49
-----BEGIN X509 CRL-----
MIIB6jCB0wIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMxEDAOBgNV
BAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAPBgNVBAoTCFNhd3Rvb3Ro
MRMwEQYDVQQLEwpDb25zdWx0aW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w
GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTMwNjE3MjEzMjMwWhcNMTMx
MjE0MjEzMjMwWqAOMAwwCgYDVR0UBAMCAVUwDQYJKoZIhvcNAQEFBQADggEBAE2c
YyICkf5SNZN8tlvohlopok2avNkW4IoEkE2uIQC+nIFbaG6QGv0aN3CFUPIChxw4
9O+dQfVPU2bUwCKAAIJ6CUJJwxzJTJ+S+Wb0IR8kZ0+Dar06GfEEmeowBb+nPb9x
rD46uirFBRJT61xv7S1LwPUA4ZVFyWK1iWZLKwH8ZimjCpoFrvefUSqcOxgD7cR8
M2KTMEmrxNEH9BisliQewvo37YLbBmaN+yWTNXs5iOiOcOnIvgDE96dng/g9r4tx
WyU7HVbN0BWGMdHLVzoAtRx8PplEzryJp3g3UO2hthbNciDJH2CyisViMCbwqrZz
yo7WujEKIaJuQEtmMBE=
GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTQwMjA3MjAxNDA2WhcNMTUw
MjA3MjAxNDA2WqAOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADggEBAEvB
aE+AAQ6r/8GPXuU8AXr9nLshs2hzfOncxXCo/Rt0J8KefRGclbn7c6xQu7dKXvHz
RLR8tSEPMkgusgOVpwlrJYfDHZw/j2mRMPvlobImGu2PcwYtvbxy9Li9Y2GQx5Er
aFJRRw3WoXm4S7wwV5T6t0mAGh9NqqOLzY9djq2L1tFbwc/yDGAiGYdC20KLqkc2
TSDry3LOS0gb800L4PhYJ2Vg55dQg6mAWGKoAqxON3lCR2WqVcp8mpy/bDaJ8/dg
0zC+1M7xr0F+AnVugoaWuRYHFSnAZU0vE08B7EfxrzYK1qHcgVcYLQB71EmIwGGB
Ds2nOWpTKnyRPaxijUk=
-----END X509 CRL-----

54
certs/crl/crl.revoked
View File

@ -2,40 +2,40 @@ Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: Jun 17 21:32:30 2013 GMT
Next Update: Dec 14 21:32:30 2013 GMT
Last Update: Feb 7 20:14:06 2014 GMT
Next Update: Feb 7 20:14:06 2015 GMT
CRL extensions:
X509v3 CRL Number:
86
2
Revoked Certificates:
Serial Number: 02
Revocation Date: Jun 17 21:32:30 2013 GMT
Revocation Date: Feb 7 20:14:06 2014 GMT
Signature Algorithm: sha1WithRSAEncryption
87:3b:bb:ac:6b:1a:e8:96:87:6f:a3:8e:39:77:28:01:a7:ea:
76:36:c2:48:e2:41:02:3f:f3:f7:64:09:60:91:87:9e:57:74:
38:a0:c3:20:47:7d:82:4b:2c:34:23:fe:66:dc:2b:3e:8a:a1:
d9:e3:06:ec:75:0f:b1:ef:32:e2:28:ab:7d:40:2c:82:59:74:
c9:95:b5:62:a6:6a:8e:34:e6:f6:f8:91:ff:aa:c1:21:93:79:
cb:6f:dc:be:94:21:b1:c8:dd:9e:b8:fe:ad:e8:50:6e:0d:76:
92:32:54:51:96:cd:c7:be:d2:0f:6f:63:69:5f:b3:28:c1:57:
0e:61:f7:62:81:9f:ea:e7:a5:14:89:41:56:63:46:da:bc:d8:
e0:78:44:c6:c7:1a:ab:1b:f1:0b:59:d5:4e:6d:14:bc:16:c2:
02:43:06:0b:f4:16:6e:26:8c:36:09:61:0c:53:3f:72:85:64:
33:4d:bf:70:44:c8:23:83:c3:51:98:a8:14:f7:b2:03:a1:7b:
72:48:4d:24:d0:a8:a9:22:3d:9b:94:bf:24:24:01:6f:2e:4b:
2b:21:24:8f:64:46:20:79:45:b3:45:1a:4f:93:10:e1:8d:04:
4c:8d:83:63:96:9f:28:c5:37:0f:10:8e:02:9b:4d:96:8b:ea:
a3:31:88:9f
10:5d:b1:d0:79:d2:8a:15:2d:40:0b:44:d6:d9:df:58:73:eb:
55:2c:81:fe:e1:7b:62:48:8f:34:c5:06:51:e5:e8:50:70:8c:
12:ba:e3:6e:fe:7d:0d:ce:44:08:9d:dc:d9:57:43:6c:54:12:
82:d4:ed:6c:71:e5:74:44:bd:d1:a8:98:96:63:8b:68:5f:d2:
87:28:dd:99:4f:aa:ba:8e:18:9e:c4:4f:69:9e:66:13:03:28:
5f:3c:35:01:15:77:22:7c:ed:c5:4a:67:44:af:85:7f:df:8a:
fd:49:8b:e1:be:52:e3:ca:e8:ae:a3:ad:07:91:2c:51:c6:28:
5f:26:17:14:39:5d:4e:21:9f:11:6f:c4:a2:ef:ef:b8:ec:27:
af:45:ad:b9:ed:e0:14:09:60:a0:50:ee:dd:f7:b1:3e:58:c4:
0d:e8:b5:0b:a9:0d:98:ad:7c:74:ab:1c:d6:fa:c8:7d:e7:5a:
3b:91:23:d5:62:ba:d4:e4:be:58:78:fe:09:ba:63:f6:9e:2c:
3f:93:c2:fe:de:c5:00:21:50:39:91:ac:71:e6:fc:4a:37:a4:
e4:e9:5e:e7:ac:8d:95:21:d6:76:aa:10:a8:3c:28:3e:ef:1c:
64:58:e9:1e:f6:7e:54:f3:cb:bb:ed:6f:5d:27:5a:b1:4b:91:
8e:8c:67:7d
-----BEGIN X509 CRL-----
MIICADCB6QIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMxEDAOBgNV
BAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAPBgNVBAoTCFNhd3Rvb3Ro
MRMwEQYDVQQLEwpDb25zdWx0aW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w
GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTMwNjE3MjEzMjMwWhcNMTMx
MjE0MjEzMjMwWjAUMBICAQIXDTEzMDYxNzIxMzIzMFqgDjAMMAoGA1UdFAQDAgFW
MA0GCSqGSIb3DQEBBQUAA4IBAQCHO7usaxrolodvo445dygBp+p2NsJI4kECP/P3
ZAlgkYeeV3Q4oMMgR32CSyw0I/5m3Cs+iqHZ4wbsdQ+x7zLiKKt9QCyCWXTJlbVi
pmqONOb2+JH/qsEhk3nLb9y+lCGxyN2euP6t6FBuDXaSMlRRls3HvtIPb2NpX7Mo
wVcOYfdigZ/q56UUiUFWY0bavNjgeETGxxqrG/ELWdVObRS8FsICQwYL9BZuJow2
CWEMUz9yhWQzTb9wRMgjg8NRmKgU97IDoXtySE0k0KipIj2blL8kJAFvLksrISSP
ZEYgeUWzRRpPkxDhjQRMjYNjlp8oxTcPEI4Cm02Wi+qjMYif
GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTQwMjA3MjAxNDA2WhcNMTUw
MjA3MjAxNDA2WjAUMBICAQIXDTE0MDIwNzIwMTQwNlqgDjAMMAoGA1UdFAQDAgEC
MA0GCSqGSIb3DQEBBQUAA4IBAQAQXbHQedKKFS1AC0TW2d9Yc+tVLIH+4XtiSI80
xQZR5ehQcIwSuuNu/n0NzkQIndzZV0NsVBKC1O1sceV0RL3RqJiWY4toX9KHKN2Z
T6q6jhiexE9pnmYTAyhfPDUBFXcifO3FSmdEr4V/34r9SYvhvlLjyuiuo60HkSxR
xihfJhcUOV1OIZ8Rb8Si7++47CevRa257eAUCWCgUO7d97E+WMQN6LULqQ2YrXx0
qxzW+sh951o7kSPVYrrU5L5YeP4JumP2niw/k8L+3sUAIVA5kaxx5vxKN6Tk6V7n
rI2VIdZ2qhCoPCg+7xxkWOke9n5U88u77W9dJ1qxS5GOjGd9
-----END X509 CRL-----

28
certs/crl/eccCliCRL.pem
View File

@ -2,23 +2,25 @@ Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA1
Issuer: /C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: Jun 17 21:32:30 2013 GMT
Next Update: Dec 14 21:32:30 2013 GMT
Last Update: Feb 7 20:14:06 2014 GMT
Next Update: Feb 7 20:14:06 2015 GMT
CRL extensions:
X509v3 CRL Number:
88
No Revoked Certificates.
4
Revoked Certificates:
Serial Number: 02
Revocation Date: Feb 7 20:14:06 2014 GMT
Signature Algorithm: ecdsa-with-SHA1
30:45:02:21:00:eb:6e:1b:5d:f9:43:f9:67:5b:4e:d1:6d:30:
c7:c1:57:a3:e6:25:af:87:7a:77:8d:d9:89:47:1d:a4:64:0e:
21:02:20:11:20:49:d5:84:47:fa:12:61:46:ec:b6:db:0e:d0:
9d:3d:95:24:4f:a3:43:ab:d0:ad:dd:d9:61:b7:49:e2:5e
30:44:02:20:10:95:f9:c8:20:bc:7d:ce:79:6d:35:23:4c:82:
8c:f5:8b:d1:4f:69:a9:5e:70:97:dd:bb:c2:67:13:46:b0:47:
02:20:4f:1f:43:c2:cc:63:1c:6e:26:89:2d:e7:ce:69:45:6d:
fb:8f:53:cd:1f:84:0f:93:fe:83:91:69:f2:91:c6:f9
-----BEGIN X509 CRL-----
MIIBIDCByAIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG
MIIBNTCB3gIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG
T3JlZ29uMQ4wDAYDVQQHEwVTYWxlbTETMBEGA1UEChMKQ2xpZW50IEVDQzENMAsG
A1UECxMERmFzdDEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsGCSqGSIb3DQEJ
ARYOaW5mb0B5YXNzbC5jb20XDTEzMDYxNzIxMzIzMFoXDTEzMTIxNDIxMzIzMFqg
DjAMMAoGA1UdFAQDAgFYMAkGByqGSM49BAEDSAAwRQIhAOtuG135Q/lnW07RbTDH
wVej5iWvh3p3jdmJRx2kZA4hAiARIEnVhEf6EmFG7LbbDtCdPZUkT6NDq9Ct3dlh
t0niXg==
ARYOaW5mb0B5YXNzbC5jb20XDTE0MDIwNzIwMTQwNloXDTE1MDIwNzIwMTQwNlow
FDASAgECFw0xNDAyMDcyMDE0MDZaoA4wDDAKBgNVHRQEAwIBBDAJBgcqhkjOPQQB
A0cAMEQCIBCV+cggvH3OeW01I0yCjPWL0U9pqV5wl927wmcTRrBHAiBPH0PCzGMc
biaJLefOaUVt+49TzR+ED5P+g5Fp8pHG+Q==
-----END X509 CRL-----

28
certs/crl/eccSrvCRL.pem
View File

@ -2,23 +2,25 @@ Certificate Revocation List (CRL):
Version 2 (0x1)
Signature Algorithm: ecdsa-with-SHA1
Issuer: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.yassl.com/emailAddress=info@yassl.com
Last Update: Jun 17 21:32:30 2013 GMT
Next Update: Dec 14 21:32:30 2013 GMT
Last Update: Feb 7 20:14:06 2014 GMT
Next Update: Feb 7 20:14:06 2015 GMT
CRL extensions:
X509v3 CRL Number:
89
No Revoked Certificates.
5
Revoked Certificates:
Serial Number: 02
Revocation Date: Feb 7 20:14:06 2014 GMT
Signature Algorithm: ecdsa-with-SHA1
30:44:02:20:0c:78:df:c4:4b:8b:e0:70:15:4f:f6:7d:82:d6:
0d:dd:a5:a0:e2:6a:95:4b:2b:6b:29:14:15:ba:51:0d:e3:1f:
02:20:2b:4b:1d:7c:9d:2f:5a:01:3d:9b:c1:94:cd:10:86:fe:
e2:9d:a0:b2:3c:97:10:ba:a6:56:43:78:b3:92:9b:0b
30:44:02:20:2a:2a:2c:ff:8a:0f:6a:74:57:b8:41:a8:5a:5c:
8c:7d:c1:7d:b1:76:a3:db:ff:22:1a:69:cd:80:8d:d5:e4:2a:
02:20:2d:51:3e:01:5b:79:6c:f4:89:89:63:46:0b:65:44:46:
59:2d:42:3e:ba:a8:6d:08:4a:20:1f:9a:06:cc:a9:65
-----BEGIN X509 CRL-----
MIIBITCBygIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
MIIBNzCB4AIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
V2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMHRWxpcHRpYzEM
MAoGA1UECxMDRUNDMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN
AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTMwNjE3MjEzMjMwWhcNMTMxMjE0MjEzMjMw
WqAOMAwwCgYDVR0UBAMCAVkwCQYHKoZIzj0EAQNHADBEAiAMeN/ES4vgcBVP9n2C
1g3dpaDiapVLK2spFBW6UQ3jHwIgK0sdfJ0vWgE9m8GUzRCG/uKdoLI8lxC6plZD
eLOSmws=
AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTQwMjA3MjAxNDA2WhcNMTUwMjA3MjAxNDA2
WjAUMBICAQIXDTE0MDIwNzIwMTQwNlqgDjAMMAoGA1UdFAQDAgEFMAkGByqGSM49
BAEDRwAwRAIgKios/4oPanRXuEGoWlyMfcF9sXaj2/8iGmnNgI3V5CoCIC1RPgFb
eWz0iYljRgtlREZZLUI+uqhtCEogH5oGzKll
-----END X509 CRL-----

10
certs/crl/gencrls.sh
View File

@ -5,7 +5,7 @@
# caCrl
openssl ca -gencrl -crldays 180 -out crl.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
openssl ca -gencrl -crldays 365 -out crl.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
# metadata
openssl crl -in crl.pem -text > tmp
@ -17,7 +17,7 @@ cp crl.pem ~/cyassl/certs/crl/crl.pem
openssl ca -revoke ~/cyassl/certs/server-cert.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
# caCrl server revoked generation
openssl ca -gencrl -crldays 180 -out crl.revoked -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
openssl ca -gencrl -crldays 365 -out crl.revoked -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem
# metadata
openssl crl -in crl.revoked -text > tmp
@ -29,7 +29,7 @@ cp crl.revoked ~/cyassl/certs/crl/crl.revoked
cp blank.index.txt demoCA/index.txt
# cliCrl
openssl ca -gencrl -crldays 180 -out cliCrl.pem -keyfile ~/cyassl/certs/client-key.pem -cert ~/cyassl/certs/client-cert.pem
openssl ca -gencrl -crldays 365 -out cliCrl.pem -keyfile ~/cyassl/certs/client-key.pem -cert ~/cyassl/certs/client-cert.pem
# metadata
openssl crl -in cliCrl.pem -text > tmp
@ -38,7 +38,7 @@ mv tmp cliCrl.pem
cp cliCrl.pem ~/cyassl/certs/crl/cliCrl.pem
# eccCliCRL
openssl ca -gencrl -crldays 180 -out eccCliCRL.pem -keyfile ~/cyassl/certs/ecc-client-key.pem -cert ~/cyassl/certs/client-ecc-cert.pem
openssl ca -gencrl -crldays 365 -out eccCliCRL.pem -keyfile ~/cyassl/certs/ecc-client-key.pem -cert ~/cyassl/certs/client-ecc-cert.pem
# metadata
openssl crl -in eccCliCRL.pem -text > tmp
@ -47,7 +47,7 @@ mv tmp eccCliCRL.pem
cp eccCliCRL.pem ~/cyassl/certs/crl/eccCliCRL.pem
# eccSrvCRL
openssl ca -gencrl -crldays 180 -out eccSrvCRL.pem -keyfile ~/cyassl/certs/ecc-key.pem -cert ~/cyassl/certs/server-ecc.pem
openssl ca -gencrl -crldays 365 -out eccSrvCRL.pem -keyfile ~/cyassl/certs/ecc-key.pem -cert ~/cyassl/certs/server-ecc.pem
# metadata
openssl crl -in eccSrvCRL.pem -text > tmp

139
configure.ac
View File

@ -6,7 +6,7 @@
#
#
AC_INIT([cyassl],[2.8.4],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com])
AC_INIT([cyassl],[2.9.0],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com])
AC_CONFIG_AUX_DIR([build-aux])
@ -33,7 +33,7 @@ AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS.
#shared library versioning
CYASSL_LIBRARY_VERSION=5:2:0
CYASSL_LIBRARY_VERSION=5:3:0
# | | |
# +------+ | +---+
# | | |
@ -310,17 +310,20 @@ fi
# SNIFFER
ENABLED_SNIFFTEST=no
AC_ARG_ENABLE([sniffer],
[AS_HELP_STRING([--enable-sniffer],[ Enable CyaSSL sniffer support (default: disabled) ])],[
AS_IF([ test "x$enableval" = "xyes" ],[ AC_CHECK_HEADERS([pcap/pcap.h],[
ENABLED_SNIFFER=yes
AM_CFLAGS="$AM_CFLAGS -DCYASSL_SNIFFER -DOPENSSL_EXTRA"
],[ ENABLED_SNIFFER=no ]) ])
],[
ENABLED_SNIFFER=no
])
[AS_HELP_STRING([--enable-sniffer],[ Enable CyaSSL sniffer support (default: disabled) ])],[
ENABLED_SNIFFER=yes
AM_CFLAGS="$AM_CFLAGS -DCYASSL_SNIFFER -DOPENSSL_EXTRA"
AS_IF([ test "x$enableval" = "xyes" ],[ AC_CHECK_HEADERS([pcap/pcap.h],[
ENABLED_SNIFFTEST=yes
],[ AC_MSG_WARN([cannot enable sniffer test without having libpcap available.]) ]) ])
],[
ENABLED_SNIFFER=no
])
AM_CONDITIONAL([BUILD_SNIFFER], [ test "x$ENABLED_SNIFFER" = "xyes" ])
AM_CONDITIONAL([BUILD_SNIFFER], [ test "x$ENABLED_SNIFFER" = "xyes" ])
AM_CONDITIONAL([BUILD_SNIFFTEST], [ test "x$ENABLED_SNIFFTEST" = "xyes" ])
# AES-GCM
AC_ARG_ENABLE([aesgcm],
@ -528,6 +531,23 @@ then
fi
# CERT REQUEST GENERATION
AC_ARG_ENABLE([certreq],
[ --enable-certreq Enable cert request generation (default: disabled)],
[ ENABLED_CERTREQ=$enableval ],
[ ENABLED_CERTREQ=no ]
)
if test "$ENABLED_CERTREQ" = "yes"
then
if test "$ENABLED_CERTGEN" = "no"
then
AC_MSG_ERROR([cannot enable certreq without enabling certgen.])
fi
AM_CFLAGS="$AM_CFLAGS -DCYASSL_CERT_REQ"
fi
# SEP
AC_ARG_ENABLE([sep],
[ --enable-sep Enable sep extensions (default: disabled)],
@ -1085,6 +1105,20 @@ fi
AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"])
if test "$ENABLED_OCSP" = "yes"
then
# check openssl command tool for testing ocsp
AC_CHECK_PROG([HAVE_OPENSSL_CMD],[openssl],[yes],[no])
if test "$HAVE_OPENSSL_CMD" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_OPENSSL_CMD"
else
AC_MSG_WARN([openssl command line tool not available for testing ocsp])
fi
fi
# CRL
AC_ARG_ENABLE([crl],
[ --enable-crl Enable CRL (default: disabled)],
@ -1180,6 +1214,30 @@ then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_TRUNCATED_HMAC"
fi
# Renegotiation Indication
AC_ARG_ENABLE([renegotiation-indication],
[ --enable-renegotiation-indication Enable Renegotiation Indication (default: disabled)],
[ ENABLED_RENEGOTIATION_INDICATION=$enableval ],
[ ENABLED_RENEGOTIATION_INDICATION=no ]
)
if test "x$ENABLED_RENEGOTIATION_INDICATION" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_RENEGOTIATION_INDICATION"
fi
# Supported Elliptic Curves Extensions
AC_ARG_ENABLE([supportedcurves],
[ --enable-supportedcurves Enable Supported Elliptic Curves (default: disabled)],
[ ENABLED_SUPPORTED_CURVES=$enableval ],
[ ENABLED_SUPPORTED_CURVES=no ]
)
if test "x$ENABLED_SUPPORTED_CURVES" = "xyes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES"
fi
# TLS Extensions
AC_ARG_ENABLE([tlsx],
[ --enable-tlsx Enable all TLS Extensions (default: disabled)],
@ -1192,9 +1250,60 @@ then
ENABLED_SNI=yes
ENABLED_MAX_FRAGMENT=yes
ENABLED_TRUNCATED_HMAC=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC"
ENABLED_RENEGOTIATION_INDICATION=yes
ENABLED_SUPPORTED_CURVES=yes
AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION -DHAVE_SUPPORTED_CURVES"
fi
# PKCS7
AC_ARG_ENABLE([pkcs7],
[ --enable-pkcs7 Enable PKCS7 (default: disabled)],
[ ENABLED_PKCS7=$enableval ],
[ ENABLED_PKCS7=no ],
)
if test "$ENABLED_PKCS7" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS7"
fi
AM_CONDITIONAL([BUILD_PKCS7], [test "x$ENABLED_PKCS7" = "xyes"])
# Simple Certificate Enrollment Protocol (SCEP)
AC_ARG_ENABLE([scep],
[ --enable-scep Enable wolfSCEP (default: disabled)],
[ ENABLED_WOLFSCEP=$enableval ],
[ ENABLED_WOLFSCEP=no ]
)
if test "$ENABLED_WOLFSCEP" = "yes"
then
# Enable prereqs if not already enabled
if test "x$ENABLED_KEYGEN" = "xno"
then
ENABLED_KEYGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DCYASSL_KEY_GEN"
fi
if test "x$ENABLED_CERTGEN" = "xno"
then
ENABLED_CERTGEN="yes"
AM_CFLAGS="$AM_CFLAGS -DCYASSL_CERT_GEN"
fi
if test "x$ENABLED_CERTREQ" = "xno"
then
ENABLED_CERTREQ="yes"
AM_CFLAGS="$AM_CFLAGS -DCYASSL_CERT_REQ"
fi
if test "x$ENABLED_PKCS7" = "xno"
then
ENABLED_PKCS7="yes"
AM_CFLAGS="$AM_CFLAGS -DHAVE_PKCS7"
AM_CONDITIONAL([BUILD_PKCS7], [test "x$ENABLED_PKCS7" = "xyes"])
fi
AM_CFLAGS="$AM_CFLAGS -DCYASSL_HAVE_WOLFSCEP"
fi
#valgrind
AC_ARG_ENABLE([valgrind],
[ --enable-valgrind Enable valgrind for unit tests (default: disabled)],
@ -1532,6 +1641,7 @@ echo " * Filesystem: $ENABLED_FILESYSTEM"
echo " * OpenSSL Extra API: $ENABLED_OPENSSLEXTRA"
echo " * fastmath: $ENABLED_FASTMATH"
echo " * sniffer: $ENABLED_SNIFFER"
echo " * snifftest: $ENABLED_SNIFFTEST"
echo " * ARC4: $ENABLED_ARC4"
echo " * AES: $ENABLED_AES"
echo " * AES-NI: $ENABLED_AESNI"
@ -1547,6 +1657,7 @@ echo " * SHA-512: $ENABLED_SHA512"
echo " * BLAKE2: $ENABLED_BLAKE2"
echo " * keygen: $ENABLED_KEYGEN"
echo " * certgen: $ENABLED_CERTGEN"
echo " * certreq: $ENABLED_CERTREQ"
echo " * HC-128: $ENABLED_HC128"
echo " * RABBIT: $ENABLED_RABBIT"
echo " * PWDBASED: $ENABLED_PWDBASED"
@ -1577,7 +1688,11 @@ echo " * NTRU: $ENABLED_NTRU"
echo " * SNI: $ENABLED_SNI"
echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT"
echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC"
echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION"
echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES"
echo " * All TLS Extensions: $ENABLED_TLSX"
echo " * PKCS#7 $ENABLED_PKCS7"
echo " * wolfSCEP $ENABLED_WOLFSCEP"
echo " * valgrind unit tests: $ENABLED_VALGRIND"
echo " * LIBZ: $ENABLED_LIBZ"
echo " * Examples: $ENABLED_EXAMPLES"

128
ctaocrypt/src/aes.c
View File

@ -62,8 +62,8 @@
* document (See note in README).
*/
#include "stm32f2xx.h"
#include "stm32f2xx_cryp.h"
#include "stm32f2xx_cryp.h"
int AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
int dir)
{
@ -553,6 +553,96 @@ int AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
return 0;
}
#elif defined FREESCALE_MMCAU
/*
* Freescale mmCAU hardware AES support through the CAU/mmCAU library.
* Documentation located in ColdFire/ColdFire+ CAU and Kinetis mmCAU
* Software Library User Guide (See note in README).
*/
#include "cau_api.h"
int AesSetKey(Aes* aes, const byte* userKey, word32 keylen, const byte* iv,
int dir)
{
byte *rk = (byte*)aes->key;
if (!((keylen == 16) || (keylen == 24) || (keylen == 32)))
return BAD_FUNC_ARG;
if (rk == NULL)
return BAD_FUNC_ARG;
aes->rounds = keylen/4 + 6;
cau_aes_set_key(userKey, keylen*8, rk);
return AesSetIV(aes, iv);
}
int AesCbcEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
int i;
int offset = 0;
int len = sz;
byte *iv, *enc_key;
byte temp_block[AES_BLOCK_SIZE];
iv = (byte*)aes->reg;
enc_key = (byte*)aes->key;
while (len > 0)
{
XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
/* XOR block with IV for CBC */
for (i = 0; i < AES_BLOCK_SIZE; i++)
temp_block[i] ^= iv[i];
cau_aes_encrypt(temp_block, enc_key, aes->rounds, out + offset);
len -= AES_BLOCK_SIZE;
offset += AES_BLOCK_SIZE;
/* store IV for next block */
XMEMCPY(iv, out + offset - AES_BLOCK_SIZE, AES_BLOCK_SIZE);
}
return 0;
}
int AesCbcDecrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
int i;
int offset = 0;
int len = sz;
byte* iv, *dec_key;
byte temp_block[AES_BLOCK_SIZE];
iv = (byte*)aes->reg;
dec_key = (byte*)aes->key;
while (len > 0)
{
XMEMCPY(temp_block, in + offset, AES_BLOCK_SIZE);
cau_aes_decrypt(in + offset, dec_key, aes->rounds, out + offset);
/* XOR block with IV for CBC */
for (i = 0; i < AES_BLOCK_SIZE; i++)
(out + offset)[i] ^= iv[i];
/* store IV for next block */
XMEMCPY(iv, temp_block, AES_BLOCK_SIZE);
len -= AES_BLOCK_SIZE;
offset += AES_BLOCK_SIZE;
}
return 0;
}
#else /* CTaoCrypt software implementation */
static const word32 rcon[] = {
@ -1386,6 +1476,10 @@ static int AesSetKeyLocal(Aes* aes, const byte* userKey, word32 keylen,
#ifdef CYASSL_AESNI
aes->use_aesni = 0;
#endif /* CYASSL_AESNI */
#ifdef CYASSL_AES_COUNTER
aes->left = 0;
#endif /* CYASSL_AES_COUNTER */
aes->rounds = keylen/4 + 6;
XMEMCPY(rk, userKey, keylen);
@ -2039,15 +2133,39 @@ static INLINE void IncrementAesCounter(byte* inOutCtr)
void AesCtrEncrypt(Aes* aes, byte* out, const byte* in, word32 sz)
{
word32 blocks = sz / AES_BLOCK_SIZE;
byte* tmp = (byte*)aes->tmp + AES_BLOCK_SIZE - aes->left;
while (blocks--) {
/* consume any unused bytes left in aes->tmp */
while (aes->left && sz) {
*(out++) = *(in++) ^ *(tmp++);
aes->left--;
sz--;
}
/* do as many block size ops as possible */
while (sz >= AES_BLOCK_SIZE) {
AesEncrypt(aes, (byte*)aes->reg, out);
IncrementAesCounter((byte*)aes->reg);
xorbuf(out, in, AES_BLOCK_SIZE);
out += AES_BLOCK_SIZE;
in += AES_BLOCK_SIZE;
in += AES_BLOCK_SIZE;
sz -= AES_BLOCK_SIZE;
aes->left = 0;
}
/* handle non block size remaining and sotre unused byte count in left */
if (sz) {
AesEncrypt(aes, (byte*)aes->reg, (byte*)aes->tmp);
IncrementAesCounter((byte*)aes->reg);
aes->left = AES_BLOCK_SIZE;
tmp = (byte*)aes->tmp;
while (sz--) {
*(out++) = *(in++) ^ *(tmp++);
aes->left--;
}
}
}

12
ctaocrypt/src/asm.c
View File

@ -1004,15 +1004,17 @@ __asm__( \
#define SQRADDAC(i, j) \
do { fp_word t; \
t = sc0 + ((fp_word)i) * ((fp_word)j); sc0 = t; \
t = sc1 + (t >> DIGIT_BIT); sc1 = t; sc2 += t >> DIGIT_BIT; \
t = sc0 + ((fp_word)i) * ((fp_word)j); sc0 = (fp_digit)t; \
t = sc1 + (t >> DIGIT_BIT); sc1 = (fp_digit)t; \
sc2 += (fp_digit)(t >> DIGIT_BIT); \
} while (0);
#define SQRADDDB \
do { fp_word t; \
t = ((fp_word)sc0) + ((fp_word)sc0) + c0; c0 = t; \
t = ((fp_word)sc1) + ((fp_word)sc1) + c1 + (t >> DIGIT_BIT); c1 = t; \
c2 = c2 + ((fp_word)sc2) + ((fp_word)sc2) + (t >> DIGIT_BIT); \
t = ((fp_word)sc0) + ((fp_word)sc0) + c0; c0 = (fp_digit)t; \
t = ((fp_word)sc1) + ((fp_word)sc1) + c1 + (t >> DIGIT_BIT); \
c1 = (fp_digit)t; \
c2 = c2 + (fp_digit)(((fp_word)sc2) + ((fp_word)sc2) + (t >> DIGIT_BIT)); \
} while (0);
#endif

527
ctaocrypt/src/asn.c
View File

@ -398,8 +398,8 @@ CPU_INT32S NetSecure_ValidateDateHandler(CPU_INT08U *date, CPU_INT08U format,
#endif /* MICRIUM */
static int GetLength(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
CYASSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
int length = 0;
word32 i = *inOutIdx;
@ -439,8 +439,8 @@ static int GetLength(const byte* input, word32* inOutIdx, int* len,
}
static int GetSequence(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
CYASSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
int length = -1;
word32 idx = *inOutIdx;
@ -456,7 +456,8 @@ static int GetSequence(const byte* input, word32* inOutIdx, int* len,
}
static int GetSet(const byte* input, word32* inOutIdx, int* len, word32 maxIdx)
CYASSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx)
{
int length = -1;
word32 idx = *inOutIdx;
@ -473,7 +474,7 @@ static int GetSet(const byte* input, word32* inOutIdx, int* len, word32 maxIdx)
/* winodws header clash for WinCE using GetVersion */
static int GetMyVersion(const byte* input, word32* inOutIdx, int* version)
CYASSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx, int* version)
{
word32 idx = *inOutIdx;
@ -537,7 +538,7 @@ static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
}
static int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
CYASSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
word32 maxIdx)
{
word32 i = *inOutIdx;
@ -593,7 +594,7 @@ static int GetObjectId(const byte* input, word32* inOutIdx, word32* oid,
}
static int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
CYASSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
word32 maxIdx)
{
int length;
@ -764,7 +765,7 @@ int ToTraditional(byte* input, word32 sz)
XMEMMOVE(input, input + inOutIdx, length);
return 0;
return length;
}
@ -1280,6 +1281,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
XMEMSET(cert->extAuthKeyId, 0, SHA_SIZE);
cert->extAuthKeyIdSet = 0;
cert->isCA = 0;
#ifdef HAVE_PKCS7
cert->issuerRaw = NULL;
cert->issuerRawLen = 0;
#endif
#ifdef CYASSL_CERT_GEN
cert->subjectSN = 0;
cert->subjectSNLen = 0;
@ -1318,10 +1323,10 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap)
cert->extAuthKeyIdSz = 0;
cert->extSubjKeyIdSrc = NULL;
cert->extSubjKeyIdSz = 0;
#ifdef HAVE_ECC
cert->pkCurveOID = 0;
#endif /* HAVE_ECC */
#endif /* OPENSSL_EXTRA */
#ifdef HAVE_ECC
cert->pkCurveOID = 0;
#endif /* HAVE_ECC */
#ifdef CYASSL_SEP
cert->deviceTypeSz = 0;
cert->deviceType = NULL;
@ -1517,7 +1522,6 @@ static int GetKey(DecodedCert* cert)
#ifdef HAVE_ECC
case ECDSAk:
{
word32 oid = 0;
int oidSz = 0;
byte b = cert->source[cert->srcIdx++];
@ -1528,12 +1532,10 @@ static int GetKey(DecodedCert* cert)
return ASN_PARSE_E;
while(oidSz--)
oid += cert->source[cert->srcIdx++];
if (CheckCurve(oid) < 0)
cert->pkCurveOID += cert->source[cert->srcIdx++];
if (CheckCurve(cert->pkCurveOID) < 0)
return ECC_CURVE_OID_E;
#ifdef OPENSSL_EXTRA
cert->pkCurveOID = oid;
#endif /* OPENSSL_EXTRA */
/* key header */
b = cert->source[cert->srcIdx++];
@ -1611,6 +1613,14 @@ static int GetName(DecodedCert* cert, int nameType)
length += cert->srcIdx;
idx = 0;
#ifdef HAVE_PKCS7
/* store pointer to raw issuer */
if (nameType == ISSUER) {
cert->issuerRaw = &cert->source[cert->srcIdx];
cert->issuerRawLen = length - cert->srcIdx;
}
#endif
while (cert->srcIdx < (word32)length) {
byte b;
byte joint[2];
@ -2230,7 +2240,7 @@ static word32 BytePrecision(word32 value)
}
static word32 SetLength(word32 length, byte* output)
CYASSL_LOCAL word32 SetLength(word32 length, byte* output)
{
word32 i = 0, j;
@ -2249,12 +2259,39 @@ static word32 SetLength(word32 length, byte* output)
}
static word32 SetSequence(word32 len, byte* output)
CYASSL_LOCAL word32 SetSequence(word32 len, byte* output)
{
output[0] = ASN_SEQUENCE | ASN_CONSTRUCTED;
return SetLength(len, output + 1) + 1;
}
CYASSL_LOCAL word32 SetOctetString(word32 len, byte* output)
{
output[0] = ASN_OCTET_STRING;
return SetLength(len, output + 1) + 1;
}
/* Write a set header to output */
CYASSL_LOCAL word32 SetSet(word32 len, byte* output)
{
output[0] = ASN_SET | ASN_CONSTRUCTED;
return SetLength(len, output + 1) + 1;
}
CYASSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len, byte* output)
{
output[0] = ((tag == ASN_SEQUENCE || tag == ASN_SET) ? ASN_CONSTRUCTED : 0)
| ASN_CONTEXT_SPECIFIC | number;
return SetLength(len, output + 1) + 1;
}
CYASSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output)
{
output[0] = ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | number;
return SetLength(len, output + 1) + 1;
}
#if defined(HAVE_ECC) && defined(CYASSL_CERT_GEN)
@ -2329,7 +2366,7 @@ static word32 SetCurve(ecc_key* key, byte* output)
#endif /* HAVE_ECC && CYASSL_CERT_GEN */
static word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
CYASSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
{
/* adding TAG_NULL and 0 to end */
@ -2347,6 +2384,11 @@ static word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
static const byte md2AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x02, 0x02, 0x05, 0x00};
/* blkTypes, no NULL tags because IV is there instead */
static const byte desCbcAlgoID[] = { 0x2B, 0x0E, 0x03, 0x02, 0x07 };
static const byte des3CbcAlgoID[] = { 0x2A, 0x86, 0x48, 0x86, 0xF7,
0x0D, 0x03, 0x07 };
/* RSA sigTypes */
#ifndef NO_RSA
static const byte md5wRSA_AlgoID[] = { 0x2a, 0x86, 0x48, 0x86, 0xf7,
@ -2430,6 +2472,23 @@ static word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz)
return 0; /* UNKOWN_HASH_E; */
}
}
else if (type == blkType) {
switch (algoOID) {
case DESb:
algoSz = sizeof(desCbcAlgoID);
algoName = desCbcAlgoID;
tagSz = 0;
break;
case DES3b:
algoSz = sizeof(des3CbcAlgoID);
algoName = des3CbcAlgoID;
tagSz = 0;
break;
default:
CYASSL_MSG("Unknown Block Algo");
return 0;
}
}
else if (type == sigType) { /* sigType */
switch (algoOID) {
#ifndef NO_RSA
@ -2646,6 +2705,7 @@ static int ConfirmSignature(const byte* buf, word32 bufSz,
CYASSL_MSG("Verify Signautre has unsupported type");
return 0;
}
(void)typeH; /* some builds won't read */
switch (keyOID) {
#ifndef NO_RSA
@ -3018,6 +3078,7 @@ static void DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int length = 0;
byte b;
word32 oid;
CYASSL_ENTER("DecodeAuthInfo");
@ -3025,35 +3086,26 @@ static void DecodeAuthInfo(byte* input, int sz, DecodedCert* cert)
/* Unwrap the list of AIAs */
if (GetSequence(input, &idx, &length, sz) < 0) return;
/* Unwrap a single AIA */
if (GetSequence(input, &idx, &length, sz) < 0) return;
while (idx < (word32)sz) {
/* Unwrap a single AIA */
if (GetSequence(input, &idx, &length, sz) < 0) return;
oid = 0;
if (GetObjectId(input, &idx, &oid, sz) < 0) return;
oid = 0;
if (GetObjectId(input, &idx, &oid, sz) < 0) return;
/* Only supporting URIs right now. */
if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI))
{
idx++;
/* Only supporting URIs right now. */
b = input[idx++];
if (GetLength(input, &idx, &length, sz) < 0) return;
cert->extAuthInfoSz = length;
cert->extAuthInfo = input + idx;
if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) &&
oid == AIA_OCSP_OID)
{
cert->extAuthInfoSz = length;
cert->extAuthInfo = input + idx;
break;
}
idx += length;
}
else
{
/* Skip anything else. */
idx++;
if (GetLength(input, &idx, &length, sz) < 0) return;
idx += length;
}
if (idx < (word32)sz)
{
CYASSL_MSG("\tThere are more Authority Information Access records, "
"but we only use first one.");
}
return;
}
@ -3339,6 +3391,7 @@ static void DecodeCertExtensions(DecodedCert* cert)
}
idx += length;
}
(void)critical;
CYASSL_LEAVE("DecodeCertExtensions", 0);
return;
@ -3365,7 +3418,8 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
cert->subjectCNStored = 1;
}
if (cert->keyOID == RSAk && cert->pubKeySize > 0) {
if (cert->keyOID == RSAk &&
cert->publicKey != NULL && cert->pubKeySize > 0) {
ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap,
DYNAMIC_TYPE_PUBLIC_KEY);
if (ptr == NULL)
@ -3532,9 +3586,7 @@ void FreeSignerTable(Signer** table, int rows, void* heap)
}
#if defined(CYASSL_KEY_GEN) || defined(CYASSL_CERT_GEN)
static int SetMyVersion(word32 version, byte* output, int header)
CYASSL_LOCAL int SetMyVersion(word32 version, byte* output, int header)
{
int i = 0;
@ -3550,6 +3602,37 @@ static int SetMyVersion(word32 version, byte* output, int header)
}
CYASSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
{
int result = 0;
CYASSL_ENTER("SetSerialNumber");
if (snSz <= EXTERNAL_SERIAL_SIZE) {
output[0] = ASN_INTEGER;
/* The serial number is always positive. When encoding the
* INTEGER, if the MSB is 1, add a padding zero to keep the
* number positive. */
if (sn[0] & 0x80) {
output[1] = (byte)snSz + 1;
output[2] = 0;
XMEMCPY(&output[3], sn, snSz);
result = snSz + 3;
}
else {
output[1] = (byte)snSz;
XMEMCPY(&output[2], sn, snSz);
result = snSz + 2;
}
}
return result;
}
#if defined(CYASSL_KEY_GEN) || defined(CYASSL_CERT_GEN)
/* convert der buffer to pem into output, can't do inplace, der and output
need to be different */
int DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
@ -3581,6 +3664,14 @@ int DerToPem(const byte* der, word32 derSz, byte* output, word32 outSz,
XSTRNCPY(footer, "-----END EC PRIVATE KEY-----\n", sizeof(footer));
}
#endif
#ifdef CYASSL_CERT_REQ
else if (type == CERTREQ_TYPE)
{
XSTRNCPY(header,
"-----BEGIN CERTIFICATE REQUEST-----\n", sizeof(header));
XSTRNCPY(footer, "-----END CERTIFICATE REQUEST-----\n", sizeof(footer));
}
#endif
else
return BAD_FUNC_ARG;
@ -3792,6 +3883,10 @@ void InitCert(Cert* cert)
cert->subject.unit[0] = '\0';
cert->subject.commonName[0] = '\0';
cert->subject.email[0] = '\0';
#ifdef CYASSL_CERT_REQ
cert->challengePw[0] ='\0';
#endif
}
@ -3807,6 +3902,9 @@ typedef struct DerCert {
byte publicKey[MAX_PUBLIC_KEY_SZ]; /* rsa / ntru public key encoded */
byte ca[MAX_CA_SZ]; /* basic constraint CA true size */
byte extensions[MAX_EXTENSIONS_SZ]; /* all extensions */
#ifdef CYASSL_CERT_REQ
byte attrib[MAX_ATTRIB_SZ]; /* Cert req attributes encoded */
#endif
int sizeSz; /* encoded size length */
int versionSz; /* encoded version length */
int serialSz; /* encoded serial length */
@ -3818,16 +3916,23 @@ typedef struct DerCert {
int caSz; /* encoded CA extension length */
int extensionsSz; /* encoded extensions total length */
int total; /* total encoded lengths */
#ifdef CYASSL_CERT_REQ
int attribSz;
#endif
} DerCert;
#ifdef CYASSL_CERT_REQ
/* Write a set header to output */
static word32 SetSet(word32 len, byte* output)
static word32 SetUTF8String(word32 len, byte* output)
{
output[0] = ASN_SET | ASN_CONSTRUCTED;
output[0] = ASN_UTF8STRING;
return SetLength(len, output + 1) + 1;
}
#endif /* CYASSL_CERT_REQ */
/* Write a serial number to output */
static int SetSerial(const byte* serial, byte* output)
@ -3908,14 +4013,19 @@ static int SetRsaPublicKey(byte* output, RsaKey* key)
int lenSz;
int idx;
int rawLen;
int leadingBit;
int err;
/* n */
rawLen = mp_unsigned_bin_size(&key->n);
leadingBit = mp_leading_bit(&key->n);
rawLen = mp_unsigned_bin_size(&key->n) + leadingBit;
n[0] = ASN_INTEGER;
nSz = SetLength(rawLen, n + 1) + 1; /* int tag */
if ( (nSz + rawLen) < (int)sizeof(n)) {
int err = mp_to_unsigned_bin(&key->n, n + nSz);
if (leadingBit)
n[nSz] = 0;
err = mp_to_unsigned_bin(&key->n, n + nSz + leadingBit);
if (err == MP_OKAY)
nSz += rawLen;
else
@ -3925,12 +4035,15 @@ static int SetRsaPublicKey(byte* output, RsaKey* key)
return BUFFER_E;
/* e */
rawLen = mp_unsigned_bin_size(&key->e);
leadingBit = mp_leading_bit(&key->e);
rawLen = mp_unsigned_bin_size(&key->e) + leadingBit;
e[0] = ASN_INTEGER;
eSz = SetLength(rawLen, e + 1) + 1; /* int tag */
if ( (eSz + rawLen) < (int)sizeof(e)) {
int err = mp_to_unsigned_bin(&key->e, e + eSz);
if (leadingBit)
e[eSz] = 0;
err = mp_to_unsigned_bin(&key->e, e + eSz + leadingBit);
if (err == MP_OKAY)
eSz += rawLen;
else
@ -4163,19 +4276,21 @@ static byte GetNameId(int idx)
/* encode all extensions, return total bytes written */
static int SetExtensions(byte* output, const byte* ext, int extSz)
static int SetExtensions(byte* output, const byte* ext, int extSz, int header)
{
byte sequence[MAX_SEQ_SZ];
byte len[MAX_LENGTH_SZ];
int sz = 0;
int seqSz = SetSequence(extSz, sequence);
int lenSz = SetLength(seqSz + extSz, len);
output[0] = ASN_EXTENSIONS; /* extensions id */
sz++;
XMEMCPY(&output[sz], len, lenSz); /* length */
sz += lenSz;
if (header) {
int lenSz = SetLength(seqSz + extSz, len);
output[0] = ASN_EXTENSIONS; /* extensions id */
sz++;
XMEMCPY(&output[sz], len, lenSz); /* length */
sz += lenSz;
}
XMEMCPY(&output[sz], sequence, seqSz); /* sequence */
sz += seqSz;
XMEMCPY(&output[sz], ext, extSz); /* extensions */
@ -4309,7 +4424,7 @@ static int SetName(byte* output, CertName* name)
return totalBytes;
}
/* encode info from cert into DER enocder format */
/* encode info from cert into DER encoded format */
static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
RNG* rng, const byte* ntruKey, word16 ntruSz)
{
@ -4412,7 +4527,8 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
/* extensions, just CA now */
if (cert->isCA) {
der->extensionsSz = SetExtensions(der->extensions, der->ca, der->caSz);
der->extensionsSz = SetExtensions(der->extensions,
der->ca, der->caSz, TRUE);
if (der->extensionsSz == 0)
return EXTENSIONS_E;
}
@ -4422,7 +4538,7 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, ecc_key* eccKey,
#ifdef CYASSL_ALT_NAMES
if (der->extensionsSz == 0 && cert->altNamesSz) {
der->extensionsSz = SetExtensions(der->extensions, cert->altNames,
cert->altNamesSz);
cert->altNamesSz, TRUE);
if (der->extensionsSz == 0)
return EXTENSIONS_E;
}
@ -4603,6 +4719,196 @@ int MakeNtruCert(Cert* cert, byte* derBuffer, word32 derSz,
#endif /* HAVE_NTRU */
#ifdef CYASSL_CERT_REQ
static int SetReqAttrib(byte* output, char* pw, int extSz)
{
static const byte cpOid[] =
{ ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x09, 0x07 };
static const byte erOid[] =
{ ASN_OBJECT_ID, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x09, 0x0e };
int sz = 0; /* overall size */
int cpSz = 0; /* Challenge Password section size */
int cpSeqSz = 0;
int cpSetSz = 0;
int cpStrSz = 0;
int pwSz = 0;
int erSz = 0; /* Extension Request section size */
int erSeqSz = 0;
int erSetSz = 0;
byte cpSeq[MAX_SEQ_SZ];
byte cpSet[MAX_SET_SZ];
byte cpStr[MAX_PRSTR_SZ];
byte erSeq[MAX_SEQ_SZ];
byte erSet[MAX_SET_SZ];
output[0] = 0xa0;
sz++;
if (pw && pw[0]) {
pwSz = (int)XSTRLEN(pw);
cpStrSz = SetUTF8String(pwSz, cpStr);
cpSetSz = SetSet(cpStrSz + pwSz, cpSet);
cpSeqSz = SetSequence(sizeof(cpOid) + cpSetSz + cpStrSz + pwSz, cpSeq);
cpSz = cpSeqSz + sizeof(cpOid) + cpSetSz + cpStrSz + pwSz;
}
if (extSz) {
erSetSz = SetSet(extSz, erSet);
erSeqSz = SetSequence(erSetSz + sizeof(erOid) + extSz, erSeq);
erSz = extSz + erSetSz + erSeqSz + sizeof(erOid);
}
/* Put the pieces together. */
sz += SetLength(cpSz + erSz, &output[sz]);
if (cpSz) {
XMEMCPY(&output[sz], cpSeq, cpSeqSz);
sz += cpSeqSz;
XMEMCPY(&output[sz], cpOid, sizeof(cpOid));
sz += sizeof(cpOid);
XMEMCPY(&output[sz], cpSet, cpSetSz);
sz += cpSetSz;
XMEMCPY(&output[sz], cpStr, cpStrSz);
sz += cpStrSz;
XMEMCPY(&output[sz], pw, pwSz);
sz += pwSz;
}
if (erSz) {
XMEMCPY(&output[sz], erSeq, erSeqSz);
sz += erSeqSz;
XMEMCPY(&output[sz], erOid, sizeof(erOid));
sz += sizeof(erOid);
XMEMCPY(&output[sz], erSet, erSetSz);
sz += erSetSz;
/* The actual extension data will be tacked onto the output later. */
}
return sz;
}
/* encode info from cert into DER encoded format */
static int EncodeCertReq(Cert* cert, DerCert* der,
RsaKey* rsaKey, ecc_key* eccKey)
{
(void)eccKey;
/* init */
XMEMSET(der, 0, sizeof(DerCert));
/* version */
der->versionSz = SetMyVersion(cert->version, der->version, FALSE);
/* subject name */
der->subjectSz = SetName(der->subject, &cert->subject);
if (der->subjectSz == 0)
return SUBJECT_E;
/* public key */
if (cert->keyType == RSA_KEY) {
if (rsaKey == NULL)
return PUBLIC_KEY_E;
der->publicKeySz = SetRsaPublicKey(der->publicKey, rsaKey);
if (der->publicKeySz <= 0)
return PUBLIC_KEY_E;
}
#ifdef HAVE_ECC
if (cert->keyType == ECC_KEY) {
if (eccKey == NULL)
return PUBLIC_KEY_E;
der->publicKeySz = SetEccPublicKey(der->publicKey, eccKey);
if (der->publicKeySz <= 0)
return PUBLIC_KEY_E;
}
#endif /* HAVE_ECC */
/* CA */
if (cert->isCA) {
der->caSz = SetCa(der->ca);
if (der->caSz == 0)
return CA_TRUE_E;
}
else
der->caSz = 0;
/* extensions, just CA now */
if (cert->isCA) {
der->extensionsSz = SetExtensions(der->extensions,
der->ca, der->caSz, FALSE);
if (der->extensionsSz == 0)
return EXTENSIONS_E;
}
else
der->extensionsSz = 0;
der->attribSz = SetReqAttrib(der->attrib,
cert->challengePw, der->extensionsSz);
if (der->attribSz == 0)
return REQ_ATTRIBUTE_E;
der->total = der->versionSz + der->subjectSz + der->publicKeySz +
der->extensionsSz + der->attribSz;
return 0;
}
/* write DER encoded cert req to buffer, size already checked */
static int WriteCertReqBody(DerCert* der, byte* buffer)
{
int idx;
/* signed part header */
idx = SetSequence(der->total, buffer);
/* version */
XMEMCPY(buffer + idx, der->version, der->versionSz);
idx += der->versionSz;
/* subject */
XMEMCPY(buffer + idx, der->subject, der->subjectSz);
idx += der->subjectSz;
/* public key */
XMEMCPY(buffer + idx, der->publicKey, der->publicKeySz);
idx += der->publicKeySz;
/* attributes */
XMEMCPY(buffer + idx, der->attrib, der->attribSz);
idx += der->attribSz;
/* extensions */
if (der->extensionsSz) {
XMEMCPY(buffer + idx, der->extensions, min(der->extensionsSz,
sizeof(der->extensions)));
idx += der->extensionsSz;
}
return idx;
}
int MakeCertReq(Cert* cert, byte* derBuffer, word32 derSz,
RsaKey* rsaKey, ecc_key* eccKey)
{
DerCert der;
int ret;
cert->keyType = (eccKey != NULL) ? ECC_KEY : RSA_KEY;
ret = EncodeCertReq(cert, &der, rsaKey, eccKey);
if (ret != 0)
return ret;
if (der.total + MAX_SEQ_SZ * 2 > (int)derSz)
return BUFFER_E;
return cert->bodySz = WriteCertReqBody(&der, derBuffer);
}
#endif /* CYASSL_CERT_REQ */
int SignCert(int requestSz, int sType, byte* buffer, word32 buffSz,
RsaKey* rsaKey, ecc_key* eccKey, RNG* rng)
{
@ -4957,7 +5263,8 @@ int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r, mp_int* s)
int sLen = mp_unsigned_bin_size(s);
int err;
if (*outLen < (rLen + sLen + headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */
if (*outLen < (rLen + rLeadingZero + sLen + sLeadingZero +
headerSz + 2)) /* SEQ_TAG + LEN(ENUM) */
return BAD_FUNC_ARG;
idx = SetSequence(rLen+rLeadingZero+sLen+sLeadingZero+headerSz, out);
@ -5561,33 +5868,6 @@ int OcspResponseDecode(OcspResponse* resp)
}
static int SetSerialNumber(const byte* sn, word32 snSz, byte* output)
{
int result = 0;
CYASSL_ENTER("SetSerialNumber");
if (snSz <= EXTERNAL_SERIAL_SIZE) {
output[0] = ASN_INTEGER;
/* The serial number is always positive. When encoding the
* INTEGER, if the MSB is 1, add a padding zero to keep the
* number positive. */
if (sn[0] & 0x80) {
output[1] = (byte)snSz + 1;
output[2] = 0;
XMEMCPY(&output[3], sn, snSz);
result = snSz + 3;
}
else {
output[1] = (byte)snSz;
XMEMCPY(&output[2], sn, snSz);
result = snSz + 2;
}
}
return result;
}
static word32 SetOcspReqExtensions(word32 extSz, byte* output,
const byte* nonce, word32 nonceSz)
{
@ -5796,39 +6076,9 @@ int CompareOcspReqResp(OcspRequest* req, OcspResponse* resp)
#endif
#ifdef HAVE_CRL
/* initialize decoded CRL */
void InitDecodedCRL(DecodedCRL* dcrl)
{
CYASSL_MSG("InitDecodedCRL");
dcrl->certBegin = 0;
dcrl->sigIndex = 0;
dcrl->sigLength = 0;
dcrl->signatureOID = 0;
dcrl->certs = NULL;
dcrl->totalCerts = 0;
}
/* free decoded CRL resources */
void FreeDecodedCRL(DecodedCRL* dcrl)
{
RevokedCert* tmp = dcrl->certs;
CYASSL_MSG("FreeDecodedCRL");
while(tmp) {
RevokedCert* next = tmp->next;
XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
tmp = next;
}
}
/* store SHA1 hash of NAME */
static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
CYASSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
int maxIdx)
{
Sha sha;
int length; /* length of all distinguished names */
@ -5863,6 +6113,37 @@ static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
}
#ifdef HAVE_CRL
/* initialize decoded CRL */
void InitDecodedCRL(DecodedCRL* dcrl)
{
CYASSL_MSG("InitDecodedCRL");
dcrl->certBegin = 0;
dcrl->sigIndex = 0;
dcrl->sigLength = 0;
dcrl->signatureOID = 0;
dcrl->certs = NULL;
dcrl->totalCerts = 0;
}
/* free decoded CRL resources */
void FreeDecodedCRL(DecodedCRL* dcrl)
{
RevokedCert* tmp = dcrl->certs;
CYASSL_MSG("FreeDecodedCRL");
while(tmp) {
RevokedCert* next = tmp->next;
XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
tmp = next;
}
}
/* Get Revoked Cert list, 0 on success */
static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
int maxIdx)

154
ctaocrypt/src/coding.c
View File

@ -147,16 +147,101 @@ const byte base64Encode[] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',
};
/* porting assistance from yaSSL by Raphael HUCK */
int Base64_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
/* make sure *i (idx) won't exceed max, store and possibly escape to out,
* raw means use e w/o decode, 0 on success */
static int CEscape(int escaped, byte e, byte* out, word32* i, word32 max,
int raw)
{
int doEscape = 0;
word32 needed = 1;
word32 idx = *i;
byte basic;
byte plus = 0;
byte equals = 0;
byte newline = 0;
if (raw)
basic = e;
else
basic = base64Encode[e];
/* check whether to escape */
if (escaped) {
switch ((char)basic) {
case '+' :
plus = 1;
doEscape = 1;
needed += 2;
break;
case '=' :
equals = 1;
doEscape = 1;
needed += 2;
break;
case '\n' :
newline = 1;
doEscape = 1;
needed += 2;
break;
default:
/* do nothing */
break;
}
}
/* check size */
if ( (idx+needed) > max) {
CYASSL_MSG("Escape buffer max too small");
return BUFFER_E;
}
/* store it */
if (doEscape == 0) {
out[idx++] = basic;
}
else {
out[idx++] = '%'; /* start escape */
if (plus) {
out[idx++] = '2';
out[idx++] = 'B';
}
else if (equals) {
out[idx++] = '3';
out[idx++] = 'D';
}
else if (newline) {
out[idx++] = '0';
out[idx++] = 'A';
}
}
*i = idx;
return 0;
}
/* internal worker, handles both escaped and normal line endings */
static int DoBase64_Encode(const byte* in, word32 inLen, byte* out,
word32* outLen, int escaped)
{
int ret = 0;
word32 i = 0,
j = 0,
n = 0; /* new line counter */
word32 outSz = (inLen + 3 - 1) / 3 * 4;
outSz += (outSz + PEM_LINE_SZ - 1) / PEM_LINE_SZ; /* new lines */
word32 addSz = (outSz + PEM_LINE_SZ - 1) / PEM_LINE_SZ; /* new lines */
if (escaped)
addSz *= 3; /* instead of just \n, we're doing %0A triplet */
outSz += addSz;
/* if escaped we can't predetermine size for one pass encoding, but
* make sure we have enough if no escapes are in input */
if (outSz > *outLen) return BAD_FUNC_ARG;
while (inLen > 2) {
@ -171,19 +256,25 @@ int Base64_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
byte e4 = b3 & 0x3F;
/* store */
out[i++] = base64Encode[e1];
out[i++] = base64Encode[e2];
out[i++] = base64Encode[e3];
out[i++] = base64Encode[e4];
ret = CEscape(escaped, e1, out, &i, *outLen, 0);
if (ret != 0) break;
ret = CEscape(escaped, e2, out, &i, *outLen, 0);
if (ret != 0) break;
ret = CEscape(escaped, e3, out, &i, *outLen, 0);
if (ret != 0) break;
ret = CEscape(escaped, e4, out, &i, *outLen, 0);
if (ret != 0) break;
inLen -= 3;
if ((++n % (PEM_LINE_SZ / 4)) == 0 && inLen)
out[i++] = '\n';
if ((++n % (PEM_LINE_SZ / 4)) == 0 && inLen) {
ret = CEscape(escaped, '\n', out, &i, *outLen, 1);
if (ret != 0) break;
}
}
/* last integral */
if (inLen) {
if (inLen && ret == 0) {
int twoBytes = (inLen == 2);
byte b1 = in[j++];
@ -193,18 +284,43 @@ int Base64_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
byte e2 = ((b1 & 0x3) << 4) | (b2 >> 4);
byte e3 = (b2 & 0xF) << 2;
out[i++] = base64Encode[e1];
out[i++] = base64Encode[e2];
out[i++] = (twoBytes) ? base64Encode[e3] : PAD;
out[i++] = PAD;
ret = CEscape(escaped, e1, out, &i, *outLen, 0);
if (ret == 0)
ret = CEscape(escaped, e2, out, &i, *outLen, 0);
if (ret == 0) {
/* third */
if (twoBytes)
ret = CEscape(escaped, e3, out, &i, *outLen, 0);
else
ret = CEscape(escaped, '=', out, &i, *outLen, 1);
}
/* fourth always pad */
if (ret == 0)
ret = CEscape(escaped, '=', out, &i, *outLen, 1);
}
out[i++] = '\n';
if (i != outSz)
return ASN_INPUT_E;
*outLen = outSz;
if (ret == 0)
ret = CEscape(escaped, '\n', out, &i, *outLen, 1);
return 0;
if (i != outSz && escaped == 0 && ret == 0)
return ASN_INPUT_E;
*outLen = i;
return ret;
}
/* Base64 Encode, PEM style, with \n line endings */
int Base64_Encode(const byte* in, word32 inLen, byte* out, word32* outLen)
{
return DoBase64_Encode(in, inLen, out, outLen, 0);
}
/* Base64 Encode, with %0A esacped line endings instead of \n */
int Base64_EncodeEsc(const byte* in, word32 inLen, byte* out, word32* outLen)
{
return DoBase64_Encode(in, inLen, out, outLen, 1);
}

181
ctaocrypt/src/des3.c
View File

@ -413,6 +413,187 @@ void Des3_SetKey(Des3* des3, const byte* key, const byte* iv, int dir)
}
}
#elif defined FREESCALE_MMCAU
/*
* Freescale mmCAU hardware DES/3DES support through the CAU/mmCAU library.
* Documentation located in ColdFire/ColdFire+ CAU and Kinetis mmCAU
* Software Library User Guide (See note in README).
*/
#include "cau_api.h"
const unsigned char parityLookup[128] =
{
1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,
0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,
0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,
1,0,0,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0
};
void Des_SetKey(Des* des, const byte* key, const byte* iv, int dir)
{
int i = 0;
byte* dkey = (byte*)des->key;
XMEMCPY(dkey, key, 8);
Des_SetIV(des, iv);
/* fix key parity, if needed */
for (i = 0; i < 8; i++) {
dkey[i] = ((dkey[i] & 0xFE) | parityLookup[dkey[i] >> 1]);
}
}
void Des3_SetKey(Des3* des, const byte* key, const byte* iv, int dir)
{
int i = 0;
byte* dkey1 = (byte*)des->key[0];
byte* dkey2 = (byte*)des->key[1];
byte* dkey3 = (byte*)des->key[2];
XMEMCPY(dkey1, key, 8); /* set key 1 */
XMEMCPY(dkey2, key + 8, 8); /* set key 2 */
XMEMCPY(dkey3, key + 16, 8); /* set key 3 */
Des3_SetIV(des, iv);
/* fix key parity if needed */
for (i = 0; i < 8; i++)
dkey1[i] = ((dkey1[i] & 0xFE) | parityLookup[dkey1[i] >> 1]);
for (i = 0; i < 8; i++)
dkey2[i] = ((dkey2[i] & 0xFE) | parityLookup[dkey2[i] >> 1]);
for (i = 0; i < 8; i++)
dkey3[i] = ((dkey3[i] & 0xFE) | parityLookup[dkey3[i] >> 1]);
}
void Des_CbcEncrypt(Des* des, byte* out, const byte* in, word32 sz)
{
int i;
int offset = 0;
int len = sz;
byte *iv;
byte temp_block[DES_BLOCK_SIZE];
iv = (byte*)des->reg;
while (len > 0)
{
XMEMCPY(temp_block, in + offset, DES_BLOCK_SIZE);
/* XOR block with IV for CBC */
for (i = 0; i < DES_BLOCK_SIZE; i++)
temp_block[i] ^= iv[i];
cau_des_encrypt(temp_block, (byte*)des->key, out + offset);
len -= DES_BLOCK_SIZE;
offset += DES_BLOCK_SIZE;
/* store IV for next block */
XMEMCPY(iv, out + offset - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
}
return;
}
void Des_CbcDecrypt(Des* des, byte* out, const byte* in, word32 sz)
{
int i;
int offset = 0;
int len = sz;
byte* iv;
byte temp_block[DES_BLOCK_SIZE];
iv = (byte*)des->reg;
while (len > 0)
{
XMEMCPY(temp_block, in + offset, DES_BLOCK_SIZE);
cau_des_decrypt(in + offset, (byte*)des->key, out + offset);
/* XOR block with IV for CBC */
for (i = 0; i < DES_BLOCK_SIZE; i++)
(out + offset)[i] ^= iv[i];
/* store IV for next block */
XMEMCPY(iv, temp_block, DES_BLOCK_SIZE);
len -= DES_BLOCK_SIZE;
offset += DES_BLOCK_SIZE;
}
return;
}
void Des3_CbcEncrypt(Des3* des, byte* out, const byte* in, word32 sz)
{
int i;
int offset = 0;
int len = sz;
byte *iv;
byte temp_block[DES_BLOCK_SIZE];
iv = (byte*)des->reg;
while (len > 0)
{
XMEMCPY(temp_block, in + offset, DES_BLOCK_SIZE);
/* XOR block with IV for CBC */
for (i = 0; i < DES_BLOCK_SIZE; i++)
temp_block[i] ^= iv[i];
cau_des_encrypt(temp_block , (byte*)des->key[0], out + offset);
cau_des_decrypt(out + offset, (byte*)des->key[1], out + offset);
cau_des_encrypt(out + offset, (byte*)des->key[2], out + offset);
len -= DES_BLOCK_SIZE;
offset += DES_BLOCK_SIZE;
/* store IV for next block */
XMEMCPY(iv, out + offset - DES_BLOCK_SIZE, DES_BLOCK_SIZE);
}
return;
}
void Des3_CbcDecrypt(Des3* des, byte* out, const byte* in, word32 sz)
{
int i;
int offset = 0;
int len = sz;
byte* iv;
byte temp_block[DES_BLOCK_SIZE];
iv = (byte*)des->reg;
while (len > 0)
{
XMEMCPY(temp_block, in + offset, DES_BLOCK_SIZE);
cau_des_decrypt(in + offset , (byte*)des->key[2], out + offset);
cau_des_encrypt(out + offset, (byte*)des->key[1], out + offset);
cau_des_decrypt(out + offset, (byte*)des->key[0], out + offset);
/* XOR block with IV for CBC */
for (i = 0; i < DES_BLOCK_SIZE; i++)
(out + offset)[i] ^= iv[i];
/* store IV for next block */
XMEMCPY(iv, temp_block, DES_BLOCK_SIZE);
len -= DES_BLOCK_SIZE;
offset += DES_BLOCK_SIZE;
}
return;
}
#else /* CTaoCrypt software implementation */
/* permuted choice table (key) */

12
ctaocrypt/src/error.c
View File

@ -331,6 +331,18 @@ void CTaoCryptErrorString(int error, char* buffer)
XSTRNCPY(buffer, "Bad padding, message wrong length", max);
break;
case REQ_ATTRIBUTE_E:
XSTRNCPY(buffer, "Setting cert request attributes error", max);
break;
case PKCS7_OID_E:
XSTRNCPY(buffer, "PKCS#7 error: mismatched OID value", max);
break;
case PKCS7_RECIP_E:
XSTRNCPY(buffer, "PKCS#7 error: no matching recipient found", max);
break;
default:
XSTRNCPY(buffer, "unknown error number", max);

4
ctaocrypt/src/fp_sqr_comba_12.i
View File

@ -24,7 +24,9 @@
void fp_sqr_comba12(fp_int *A, fp_int *B)
{
fp_digit *a, b[24], c0, c1, c2, sc0, sc1, sc2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_17.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba17(fp_int *A, fp_int *B)
{
fp_digit *a, b[34], c0, c1, c2, sc0, sc1, sc2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_3.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba3(fp_int *A, fp_int *B)
{
fp_digit *a, b[6], c0, c1, c2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_4.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba4(fp_int *A, fp_int *B)
{
fp_digit *a, b[8], c0, c1, c2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_6.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba6(fp_int *A, fp_int *B)
{
fp_digit *a, b[12], c0, c1, c2, sc0, sc1, sc2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_7.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba7(fp_int *A, fp_int *B)
{
fp_digit *a, b[14], c0, c1, c2, sc0, sc1, sc2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_8.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba8(fp_int *A, fp_int *B)
{
fp_digit *a, b[16], c0, c1, c2, sc0, sc1, sc2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

3
ctaocrypt/src/fp_sqr_comba_9.i
View File

@ -24,6 +24,9 @@
void fp_sqr_comba9(fp_int *A, fp_int *B)
{
fp_digit *a, b[18], c0, c1, c2, sc0, sc1, sc2;
#ifdef TFM_ISO
fp_word tt;
#endif
a = A->dp;
COMBA_START;

2
ctaocrypt/src/integer.c
View File

@ -3765,7 +3765,7 @@ int mp_sqrmod (mp_int * a, mp_int * b, mp_int * c)
#endif
#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(CYASSL_SNIFFER)
#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(CYASSL_SNIFFER) || defined(CYASSL_HAVE_WOLFSCEP)
/* single digit addition */
int mp_add_d (mp_int* a, mp_digit b, mp_int* c)

24
ctaocrypt/src/md5.c
View File

@ -36,6 +36,13 @@
#include <ctaocrypt/src/misc.c>
#endif
#ifdef FREESCALE_MMCAU
#include "cau_api.h"
#define XTRANSFORM(S,B) cau_md5_hash_n((B), 1, (unsigned char*)(S)->digest)
#else
#define XTRANSFORM(S,B) Transform((S))
#endif
#ifdef STM32F2_HASH
/*
@ -174,6 +181,7 @@ void InitMd5(Md5* md5)
md5->hiLen = 0;
}
#ifndef FREESCALE_MMCAU
static void Transform(Md5* md5)
{
@ -266,6 +274,8 @@ static void Transform(Md5* md5)
md5->digest[3] += d;
}
#endif /* FREESCALE_MMCAU */
static INLINE void AddLength(Md5* md5, word32 len)
{
@ -289,10 +299,10 @@ void Md5Update(Md5* md5, const byte* data, word32 len)
len -= add;
if (md5->buffLen == MD5_BLOCK_SIZE) {
#ifdef BIG_ENDIAN_ORDER
#if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, MD5_BLOCK_SIZE);
#endif
Transform(md5);
XTRANSFORM(md5, local);
AddLength(md5, MD5_BLOCK_SIZE);
md5->buffLen = 0;
}
@ -304,7 +314,7 @@ void Md5Final(Md5* md5, byte* hash)
{
byte* local = (byte*)md5->buffer;
AddLength(md5, md5->buffLen); /* before adding pads */
AddLength(md5, md5->buffLen); /* before adding pads */
local[md5->buffLen++] = 0x80; /* add 1 */
@ -313,10 +323,10 @@ void Md5Final(Md5* md5, byte* hash)
XMEMSET(&local[md5->buffLen], 0, MD5_BLOCK_SIZE - md5->buffLen);
md5->buffLen += MD5_BLOCK_SIZE - md5->buffLen;
#ifdef BIG_ENDIAN_ORDER
#if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, MD5_BLOCK_SIZE);
#endif
Transform(md5);
XTRANSFORM(md5, local);
md5->buffLen = 0;
}
XMEMSET(&local[md5->buffLen], 0, MD5_PAD_SIZE - md5->buffLen);
@ -327,14 +337,14 @@ void Md5Final(Md5* md5, byte* hash)
md5->loLen = md5->loLen << 3;
/* store lengths */
#ifdef BIG_ENDIAN_ORDER
#if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, MD5_BLOCK_SIZE);
#endif
/* ! length ordering dependent on digest endian type ! */
XMEMCPY(&local[MD5_PAD_SIZE], &md5->loLen, sizeof(word32));
XMEMCPY(&local[MD5_PAD_SIZE + sizeof(word32)], &md5->hiLen, sizeof(word32));
Transform(md5);
XTRANSFORM(md5, local);
#ifdef BIG_ENDIAN_ORDER
ByteReverseWords(md5->digest, md5->digest, MD5_DIGEST_SIZE);
#endif

1348
ctaocrypt/src/pkcs7.c Normal file
View File

File diff suppressed because it is too large Load Diff

45
ctaocrypt/src/sha.c
View File

@ -35,6 +35,13 @@
#include <ctaocrypt/src/misc.c>
#endif
#ifdef FREESCALE_MMCAU
#include "cau_api.h"
#define XTRANSFORM(S,B) cau_sha1_hash_n((B), 1, ((S))->digest)
#else
#define XTRANSFORM(S,B) Transform((S))
#endif
#ifdef STM32F2_HASH
/*
@ -164,17 +171,23 @@
void InitSha(Sha* sha)
{
sha->digest[0] = 0x67452301L;
sha->digest[1] = 0xEFCDAB89L;
sha->digest[2] = 0x98BADCFEL;
sha->digest[3] = 0x10325476L;
sha->digest[4] = 0xC3D2E1F0L;
#ifdef FREESCALE_MMCAU
cau_sha1_initialize_output(sha->digest);
#else
sha->digest[0] = 0x67452301L;
sha->digest[1] = 0xEFCDAB89L;
sha->digest[2] = 0x98BADCFEL;
sha->digest[3] = 0x10325476L;
sha->digest[4] = 0xC3D2E1F0L;
#endif
sha->buffLen = 0;
sha->loLen = 0;
sha->hiLen = 0;
}
#ifndef FREESCALE_MMCAU
#define blk0(i) (W[i] = sha->buffer[i])
#define blk1(i) (W[i&15] = \
rotlFixed(W[(i+13)&15]^W[(i+8)&15]^W[(i+2)&15]^W[i&15],1))
@ -272,6 +285,8 @@ static void Transform(Sha* sha)
sha->digest[4] += e;
}
#endif /* FREESCALE_MMCAU */
static INLINE void AddLength(Sha* sha, word32 len)
{
@ -295,10 +310,10 @@ void ShaUpdate(Sha* sha, const byte* data, word32 len)
len -= add;
if (sha->buffLen == SHA_BLOCK_SIZE) {
#ifdef LITTLE_ENDIAN_ORDER
#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, SHA_BLOCK_SIZE);
#endif
Transform(sha);
XTRANSFORM(sha, local);
AddLength(sha, SHA_BLOCK_SIZE);
sha->buffLen = 0;
}
@ -310,7 +325,7 @@ void ShaFinal(Sha* sha, byte* hash)
{
byte* local = (byte*)sha->buffer;
AddLength(sha, sha->buffLen); /* before adding pads */
AddLength(sha, sha->buffLen); /* before adding pads */
local[sha->buffLen++] = 0x80; /* add 1 */
@ -319,10 +334,10 @@ void ShaFinal(Sha* sha, byte* hash)
XMEMSET(&local[sha->buffLen], 0, SHA_BLOCK_SIZE - sha->buffLen);
sha->buffLen += SHA_BLOCK_SIZE - sha->buffLen;
#ifdef LITTLE_ENDIAN_ORDER
#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, SHA_BLOCK_SIZE);
#endif
Transform(sha);
XTRANSFORM(sha, local);
sha->buffLen = 0;
}
XMEMSET(&local[sha->buffLen], 0, SHA_PAD_SIZE - sha->buffLen);
@ -333,14 +348,20 @@ void ShaFinal(Sha* sha, byte* hash)
sha->loLen = sha->loLen << 3;
/* store lengths */
#ifdef LITTLE_ENDIAN_ORDER
#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, SHA_BLOCK_SIZE);
#endif
/* ! length ordering dependent on digest endian type ! */
XMEMCPY(&local[SHA_PAD_SIZE], &sha->hiLen, sizeof(word32));
XMEMCPY(&local[SHA_PAD_SIZE + sizeof(word32)], &sha->loLen, sizeof(word32));
Transform(sha);
#ifdef FREESCALE_MMCAU
/* Kinetis requires only these bytes reversed */
ByteReverseBytes(&local[SHA_PAD_SIZE], &local[SHA_PAD_SIZE],
2 * sizeof(word32));
#endif
XTRANSFORM(sha, local);
#ifdef LITTLE_ENDIAN_ORDER
ByteReverseWords(sha->digest, sha->digest, SHA_DIGEST_SIZE);
#endif

51
ctaocrypt/src/sha256.c
View File

@ -37,6 +37,13 @@
#include <ctaocrypt/src/misc.c>
#endif
#ifdef FREESCALE_MMCAU
#include "cau_api.h"
#define XTRANSFORM(S,B) cau_sha256_hash_n((B), 1, ((S))->digest)
#else
#define XTRANSFORM(S,B) Transform((S))
#endif
#ifndef min
@ -50,20 +57,26 @@
void InitSha256(Sha256* sha256)
{
sha256->digest[0] = 0x6A09E667L;
sha256->digest[1] = 0xBB67AE85L;
sha256->digest[2] = 0x3C6EF372L;
sha256->digest[3] = 0xA54FF53AL;
sha256->digest[4] = 0x510E527FL;
sha256->digest[5] = 0x9B05688CL;
sha256->digest[6] = 0x1F83D9ABL;
sha256->digest[7] = 0x5BE0CD19L;
#ifdef FREESCALE_MMCAU
cau_sha256_initialize_output(sha256->digest);
#else
sha256->digest[0] = 0x6A09E667L;
sha256->digest[1] = 0xBB67AE85L;
sha256->digest[2] = 0x3C6EF372L;
sha256->digest[3] = 0xA54FF53AL;
sha256->digest[4] = 0x510E527FL;
sha256->digest[5] = 0x9B05688CL;
sha256->digest[6] = 0x1F83D9ABL;
sha256->digest[7] = 0x5BE0CD19L;
#endif
sha256->buffLen = 0;
sha256->loLen = 0;
sha256->hiLen = 0;
}
#ifndef FREESCALE_MMCAU
static const word32 K[64] = {
0x428A2F98L, 0x71374491L, 0xB5C0FBCFL, 0xE9B5DBA5L, 0x3956C25BL,
0x59F111F1L, 0x923F82A4L, 0xAB1C5ED5L, 0xD807AA98L, 0x12835B01L,
@ -128,6 +141,8 @@ static void Transform(Sha256* sha256)
}
}
#endif /* FREESCALE_MMCAU */
static INLINE void AddLength(Sha256* sha256, word32 len)
{
@ -151,10 +166,10 @@ void Sha256Update(Sha256* sha256, const byte* data, word32 len)
len -= add;
if (sha256->buffLen == SHA256_BLOCK_SIZE) {
#ifdef LITTLE_ENDIAN_ORDER
#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, SHA256_BLOCK_SIZE);
#endif
Transform(sha256);
XTRANSFORM(sha256, local);
AddLength(sha256, SHA256_BLOCK_SIZE);
sha256->buffLen = 0;
}
@ -168,17 +183,17 @@ void Sha256Final(Sha256* sha256, byte* hash)
AddLength(sha256, sha256->buffLen); /* before adding pads */
local[sha256->buffLen++] = 0x80; /* add 1 */
local[sha256->buffLen++] = 0x80; /* add 1 */
/* pad with zeros */
if (sha256->buffLen > SHA256_PAD_SIZE) {
XMEMSET(&local[sha256->buffLen], 0, SHA256_BLOCK_SIZE - sha256->buffLen);
sha256->buffLen += SHA256_BLOCK_SIZE - sha256->buffLen;
#ifdef LITTLE_ENDIAN_ORDER
#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, SHA256_BLOCK_SIZE);
#endif
Transform(sha256);
XTRANSFORM(sha256, local);
sha256->buffLen = 0;
}
XMEMSET(&local[sha256->buffLen], 0, SHA256_PAD_SIZE - sha256->buffLen);
@ -189,7 +204,7 @@ void Sha256Final(Sha256* sha256, byte* hash)
sha256->loLen = sha256->loLen << 3;
/* store lengths */
#ifdef LITTLE_ENDIAN_ORDER
#if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU)
ByteReverseBytes(local, local, SHA256_BLOCK_SIZE);
#endif
/* ! length ordering dependent on digest endian type ! */
@ -197,7 +212,13 @@ void Sha256Final(Sha256* sha256, byte* hash)
XMEMCPY(&local[SHA256_PAD_SIZE + sizeof(word32)], &sha256->loLen,
sizeof(word32));
Transform(sha256);
#ifdef FREESCALE_MMCAU
/* Kinetis requires only these bytes reversed */
ByteReverseBytes(&local[SHA256_PAD_SIZE], &local[SHA256_PAD_SIZE],
2 * sizeof(word32));
#endif
XTRANSFORM(sha256, local);
#ifdef LITTLE_ENDIAN_ORDER
ByteReverseWords(sha256->digest, sha256->digest, SHA256_DIGEST_SIZE);
#endif

26
ctaocrypt/src/sha512.c
View File

@ -146,13 +146,24 @@ static void Transform(Sha512* sha512)
/* Copy digest to working vars */
XMEMCPY(T, sha512->digest, sizeof(T));
/* 64 operations, partially loop unrolled */
#ifdef USE_SLOW_SHA2
/* over twice as small, but 50% slower */
/* 80 operations, not unrolled */
for (j = 0; j < 80; j += 16) {
int m;
for (m = 0; m < 16; m++) { /* braces needed here for macros {} */
R(m);
}
}
#else
/* 80 operations, partially loop unrolled */
for (j = 0; j < 80; j += 16) {
R( 0); R( 1); R( 2); R( 3);
R( 4); R( 5); R( 6); R( 7);
R( 8); R( 9); R(10); R(11);
R(12); R(13); R(14); R(15);
}
#endif /* USE_SLOW_SHA2 */
/* Add the working vars back into digest */
@ -280,13 +291,24 @@ static void Transform384(Sha384* sha384)
/* Copy digest to working vars */
XMEMCPY(T, sha384->digest, sizeof(T));
/* 64 operations, partially loop unrolled */
#ifdef USE_SLOW_SHA2
/* over twice as small, but 50% slower */
/* 80 operations, not unrolled */
for (j = 0; j < 80; j += 16) {
int m;
for (m = 0; m < 16; m++) { /* braces needed for macros {} */
R2(m);
}
}
#else
/* 80 operations, partially loop unrolled */
for (j = 0; j < 80; j += 16) {
R2( 0); R2( 1); R2( 2); R2( 3);
R2( 4); R2( 5); R2( 6); R2( 7);
R2( 8); R2( 9); R2(10); R2(11);
R2(12); R2(13); R2(14); R2(15);
}
#endif /* USE_SLOW_SHA2 */
/* Add the working vars back into digest */

374
ctaocrypt/test/test.c
View File

@ -61,6 +61,9 @@
#ifdef HAVE_LIBZ
#include <cyassl/ctaocrypt/compress.h>
#endif
#ifdef HAVE_PKCS7
#include <cyassl/ctaocrypt/pkcs7.h>
#endif
#ifdef _MSC_VER
/* 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy */
@ -174,6 +177,10 @@ int pbkdf2_test(void);
#ifdef HAVE_LIBZ
int compress_test(void);
#endif
#ifdef HAVE_PKCS7
int pkcs7enveloped_test(void);
int pkcs7signed_test(void);
#endif
@ -458,6 +465,18 @@ void ctaocrypt_test(void* args)
printf( "COMPRESS test passed!\n");
#endif
#ifdef HAVE_PKCS7
if ( (ret = pkcs7enveloped_test()) != 0)
err_sys("PKCS7enveloped test failed!\n", ret);
else
printf( "PKCS7enveloped test passed!\n");
if ( (ret = pkcs7signed_test()) != 0)
err_sys("PKCS7signed test failed!\n", ret);
else
printf( "PKCS7signed test passed!\n");
#endif
((func_args*)args)->return_code = ret;
}
@ -1897,6 +1916,12 @@ int aes_test(void)
0x79,0x21,0x70,0xa0,0xf3,0x00,0x9c,0xee
};
const byte oddCipher[] =
{
0xb9,0xd7,0xcb,0x08,0xb0,0xe1,0x7b,0xa0,
0xc2
};
AesSetKeyDirect(&enc, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
/* Ctr only uses encrypt, even on key setup */
AesSetKeyDirect(&dec, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
@ -1909,6 +1934,30 @@ int aes_test(void)
if (memcmp(cipher, ctrCipher, AES_BLOCK_SIZE*4))
return -67;
/* let's try with just 9 bytes, non block size test */
AesSetKeyDirect(&enc, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
/* Ctr only uses encrypt, even on key setup */
AesSetKeyDirect(&dec, ctrKey, AES_BLOCK_SIZE, ctrIv, AES_ENCRYPTION);
AesCtrEncrypt(&enc, cipher, ctrPlain, 9);
AesCtrEncrypt(&dec, plain, cipher, 9);
if (memcmp(plain, ctrPlain, 9))
return -68;
if (memcmp(cipher, ctrCipher, 9))
return -69;
/* and an additional 9 bytes to reuse tmp left buffer */
AesCtrEncrypt(&enc, cipher, ctrPlain, 9);
AesCtrEncrypt(&dec, plain, cipher, 9);
if (memcmp(plain, ctrPlain, 9))
return -70;
if (memcmp(cipher, oddCipher, 9))
return -71;
}
#endif /* CYASSL_AES_COUNTER */
@ -3043,6 +3092,66 @@ int rsa_test(void)
FreeRsaKey(&caKey);
}
#endif /* HAVE_NTRU */
#ifdef CYASSL_CERT_REQ
{
Cert req;
byte* der;
byte* pem;
int derSz;
int pemSz;
FILE* reqFile;
der = (byte*)malloc(FOURK_BUF);
if (der == NULL)
return -463;
pem = (byte*)malloc(FOURK_BUF);
if (pem == NULL)
return -464;
InitCert(&req);
req.version = 0;
req.isCA = 1;
strncpy(req.challengePw, "yassl123", CTC_NAME_SIZE);
strncpy(req.subject.country, "US", CTC_NAME_SIZE);
strncpy(req.subject.state, "OR", CTC_NAME_SIZE);
strncpy(req.subject.locality, "Portland", CTC_NAME_SIZE);
strncpy(req.subject.org, "yaSSL", CTC_NAME_SIZE);
strncpy(req.subject.unit, "Development", CTC_NAME_SIZE);
strncpy(req.subject.commonName, "www.yassl.com", CTC_NAME_SIZE);
strncpy(req.subject.email, "info@yassl.com", CTC_NAME_SIZE);
req.sigType = CTC_SHA256wRSA;
derSz = MakeCertReq(&req, der, FOURK_BUF, &key, NULL);
if (derSz < 0)
return -465;
derSz = SignCert(req.bodySz, req.sigType, der, FOURK_BUF,
&key, NULL, &rng);
if (derSz < 0)
return -466;
pemSz = DerToPem(der, derSz, pem, FOURK_BUF, CERTREQ_TYPE);
if (pemSz < 0)
return -467;
reqFile = fopen("./certreq.der", "wb");
if (!reqFile)
return -468;
ret = (int)fwrite(der, derSz, 1, reqFile);
fclose(reqFile);
reqFile = fopen("./certreq.pem", "wb");
if (!reqFile)
return -469;
ret = (int)fwrite(pem, pemSz, 1, reqFile);
fclose(reqFile);
free(pem);
free(der);
}
#endif /* CYASSL_CERT_REQ */
#endif /* CYASSL_CERT_GEN */
FreeRsaKey(&key);
@ -3949,4 +4058,269 @@ int compress_test(void)
#endif /* HAVE_LIBZ */
#ifdef HAVE_PKCS7
int pkcs7enveloped_test(void)
{
int ret = 0;
int cipher = DES3b;
int envelopedSz, decodedSz;
PKCS7 pkcs7;
byte* cert;
byte* privKey;
byte enveloped[2048];
byte decoded[2048];
size_t certSz;
size_t privKeySz;
FILE* certFile;
FILE* keyFile;
FILE* pkcs7File;
const char* pkcs7OutFile = "pkcs7envelopedData.der";
const byte data[] = { /* Hello World */
0x48,0x65,0x6c,0x6c,0x6f,0x20,0x57,0x6f,
0x72,0x6c,0x64
};
/* read client cert and key in DER format */
cert = (byte*)malloc(FOURK_BUF);
if (cert == NULL)
return -201;
privKey = (byte*)malloc(FOURK_BUF);
if (privKey == NULL)
return -202;
certFile = fopen(clientCert, "rb");
if (!certFile)
err_sys("can't open ./certs/client-cert.der, "
"Please run from CyaSSL home dir", -42);
certSz = fread(cert, 1, FOURK_BUF, certFile);
fclose(certFile);
keyFile = fopen(clientKey, "rb");
if (!keyFile)
err_sys("can't open ./certs/client-key.der, "
"Please run from CyaSSL home dir", -43);
privKeySz = fread(privKey, 1, FOURK_BUF, keyFile);
fclose(keyFile);
PKCS7_InitWithCert(&pkcs7, cert, (word32)certSz);
pkcs7.content = (byte*)data;
pkcs7.contentSz = (word32)sizeof(data);
pkcs7.contentOID = DATA;
pkcs7.encryptOID = cipher;
pkcs7.privateKey = privKey;
pkcs7.privateKeySz = (word32)privKeySz;
/* encode envelopedData */
envelopedSz = PKCS7_EncodeEnvelopedData(&pkcs7, enveloped,
sizeof(enveloped));
if (envelopedSz <= 0)
return -203;
/* decode envelopedData */
decodedSz = PKCS7_DecodeEnvelopedData(&pkcs7, enveloped, envelopedSz,
decoded, sizeof(decoded));
if (decodedSz <= 0)
return -204;
/* test decode result */
if (memcmp(decoded, data, sizeof(data)) != 0) {
return -205;
}
/* output pkcs7 envelopedData for external testing */
pkcs7File = fopen(pkcs7OutFile, "wb");
if (!pkcs7File)
return -206;
ret = (int)fwrite(enveloped, envelopedSz, 1, pkcs7File);
fclose(pkcs7File);
free(cert);
free(privKey);
PKCS7_Free(&pkcs7);
if (ret > 0)
return 0;
return ret;
}
int pkcs7signed_test(void)
{
int ret = 0;
FILE* file;
byte* certDer;
byte* keyDer;
byte* out;
char data[] = "Hello World";
word32 dataSz, outSz, certDerSz, keyDerSz;
PKCS7 msg;
RNG rng;
byte transIdOid[] =
{ 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
0x09, 0x07 };
byte messageTypeOid[] =
{ 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
0x09, 0x02 };
byte senderNonceOid[] =
{ 0x06, 0x0a, 0x60, 0x86, 0x48, 0x01, 0x86, 0xF8, 0x45, 0x01,
0x09, 0x05 };
byte transId[(SHA_DIGEST_SIZE + 1) * 2 + 1];
byte messageType[] = { 0x13, 2, '1', '9' };
byte senderNonce[PKCS7_NONCE_SZ + 2];
PKCS7Attrib attribs[] =
{
{ transIdOid, sizeof(transIdOid),
transId, sizeof(transId) - 1 }, /* take off the null */
{ messageTypeOid, sizeof(messageTypeOid),
messageType, sizeof(messageType) },
{ senderNonceOid, sizeof(senderNonceOid),
senderNonce, sizeof(senderNonce) }
};
dataSz = (word32) strlen(data);
outSz = FOURK_BUF;
certDer = (byte*)malloc(FOURK_BUF);
keyDer = (byte*)malloc(FOURK_BUF);
out = (byte*)malloc(FOURK_BUF);
if (certDer == NULL)
return -207;
if (keyDer == NULL)
return -208;
if (out == NULL)
return -209;
/* read in DER cert of recipient, into cert of size certSz */
file = fopen(clientCert, "rb");
if (!file) {
free(certDer);
free(keyDer);
free(out);
err_sys("can't open ./certs/client-cert.der, "
"Please run from CyaSSL home dir", -44);
}
certDerSz = (word32)fread(certDer, 1, FOURK_BUF, file);
fclose(file);
file = fopen(clientKey, "rb");
if (!file) {
free(certDer);
free(keyDer);
free(out);
err_sys("can't open ./certs/client-key.der, "
"Please run from CyaSSL home dir", -45);
}
keyDerSz = (word32)fread(keyDer, 1, FOURK_BUF, file);
fclose(file);
ret = InitRng(&rng);
senderNonce[0] = 0x04;
senderNonce[1] = PKCS7_NONCE_SZ;
RNG_GenerateBlock(&rng, &senderNonce[2], PKCS7_NONCE_SZ);
PKCS7_InitWithCert(&msg, certDer, certDerSz);
msg.privateKey = keyDer;
msg.privateKeySz = keyDerSz;
msg.content = (byte*)data;
msg.contentSz = dataSz;
msg.hashOID = SHAh;
msg.encryptOID = RSAk;
msg.signedAttribs = attribs;
msg.signedAttribsSz = sizeof(attribs)/sizeof(PKCS7Attrib);
msg.rng = &rng;
{
Sha sha;
byte digest[SHA_DIGEST_SIZE];
int i,j;
transId[0] = 0x13;
transId[1] = SHA_DIGEST_SIZE * 2;
InitSha(&sha);
ShaUpdate(&sha, msg.publicKey, msg.publicKeySz);
ShaFinal(&sha, digest);
for (i = 0, j = 2; i < SHA_DIGEST_SIZE; i++, j += 2) {
snprintf((char*)&transId[j], 3, "%02x", digest[i]);
}
}
ret = PKCS7_EncodeSignedData(&msg, out, outSz);
if (ret < 0) {
free(certDer);
free(keyDer);
free(out);
PKCS7_Free(&msg);
return -210;
}
else
outSz = ret;
/* write PKCS#7 to output file for more testing */
file = fopen("./pkcs7signedData.der", "wb");
if (!file) {
free(certDer);
free(keyDer);
free(out);
PKCS7_Free(&msg);
return -211;
}
ret = (int)fwrite(out, 1, outSz, file);
fclose(file);
PKCS7_Free(&msg);
PKCS7_InitWithCert(&msg, NULL, 0);
ret = PKCS7_VerifySignedData(&msg, out, outSz);
if (ret < 0) {
free(certDer);
free(keyDer);
free(out);
PKCS7_Free(&msg);
return -212;
}
if (msg.singleCert == NULL || msg.singleCertSz == 0) {
free(certDer);
free(keyDer);
free(out);
PKCS7_Free(&msg);
return -213;
}
file = fopen("./pkcs7cert.der", "wb");
if (!file) {
free(certDer);
free(keyDer);
free(out);
PKCS7_Free(&msg);
return -214;
}
ret = (int)fwrite(msg.singleCert, 1, msg.singleCertSz, file);
fclose(file);
free(certDer);
free(keyDer);
free(out);
PKCS7_Free(&msg);
if (ret > 0)
return 0;
return ret;
}
#endif /* HAVE_PKCS7 */
#endif /* NO_CRYPT_TEST */

3
cyassl/ctaocrypt/aes.h
View File

@ -92,6 +92,9 @@ typedef struct Aes {
word32 magic; /* using cavium magic */
word64 contextHandle; /* nitrox context memory handle */
#endif
#ifdef CYASSL_AES_COUNTER
word32 left; /* unsued bytes left from last call */
#endif
} Aes;

58
cyassl/ctaocrypt/asn.h
View File

@ -59,6 +59,7 @@ enum ASN_Tags {
ASN_TAG_NULL = 0x05,
ASN_OBJECT_ID = 0x06,
ASN_ENUMERATED = 0x0a,
ASN_UTF8STRING = 0x0c,
ASN_SEQUENCE = 0x10,
ASN_SET = 0x11,
ASN_UTC_TIME = 0x17,
@ -125,6 +126,9 @@ enum Misc_ASN {
MAX_ALGO_SZ = 20,
MAX_SEQ_SZ = 5, /* enum(seq | con) + length(4) */
MAX_SET_SZ = 5, /* enum(set | con) + length(4) */
MAX_OCTET_STR_SZ = 5, /* enum(set | con) + length(4) */
MAX_EXP_SZ = 5, /* enum(contextspec|con|exp) + length(4) */
MAX_PRSTR_SZ = 5, /* enum(prstr) + length(4) */
MAX_VERSION_SZ = 5, /* enum + id + version(byte) + (header(2))*/
MAX_ENCODED_DIG_SZ = 73, /* sha512 + enum(bit or octet) + legnth(4) */
MAX_RSA_INT_SZ = 517, /* RSA raw sz 4096 for bits + tag + len(4) */
@ -135,6 +139,11 @@ enum Misc_ASN {
MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */
MAX_SN_SZ = 35, /* Max encoded serial number (INT) length */
#ifdef CYASSL_CERT_GEN
#ifdef CYASSL_CERT_REQ
/* Max encoded cert req attributes length */
MAX_ATTRIB_SZ = MAX_SEQ_SZ * 3 + (11 + MAX_SEQ_SZ) * 2 +
MAX_PRSTR_SZ + CTC_NAME_SIZE, /* 11 is the OID size */
#endif
#ifdef CYASSL_ALT_NAMES
MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE,
#else
@ -154,7 +163,8 @@ enum Oid_Types {
hashType = 0,
sigType = 1,
keyType = 2,
curveType = 3
curveType = 3,
blkType = 4
};
@ -168,6 +178,12 @@ enum Hash_Sum {
};
enum Block_Sum {
DESb = 69,
DES3b = 652
};
enum Key_Sum {
DSAk = 515,
RSAk = 645,
@ -211,6 +227,11 @@ enum SepHardwareName_Sum {
HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/
};
enum AuthInfo_Sum {
AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */
AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */
};
enum VerifyType {
NO_VERIFY = 0,
@ -327,14 +348,18 @@ struct DecodedCert {
word32 extAuthKeyIdSz;
byte* extSubjKeyIdSrc;
word32 extSubjKeyIdSz;
#ifdef HAVE_ECC
word32 pkCurveOID; /* Public Key's curve OID */
#endif /* HAVE_ECC */
#endif
#ifdef HAVE_ECC
word32 pkCurveOID; /* Public Key's curve OID */
#endif /* HAVE_ECC */
byte* beforeDate;
int beforeDateLen;
byte* afterDate;
int afterDateLen;
#ifdef HAVE_PKCS7
byte* issuerRaw; /* pointer to issuer inside source */
int issuerRawLen;
#endif
#if defined(CYASSL_CERT_GEN)
/* easy access to subject info for other sign */
char* subjectSN;
@ -423,6 +448,31 @@ CYASSL_LOCAL int ToTraditionalEnc(byte* buffer, word32 length,const char*, int);
CYASSL_LOCAL int ValidateDate(const byte* date, byte format, int dateType);
/* ASN.1 helper functions */
CYASSL_LOCAL int GetLength(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
CYASSL_LOCAL int GetSequence(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
CYASSL_LOCAL int GetSet(const byte* input, word32* inOutIdx, int* len,
word32 maxIdx);
CYASSL_LOCAL int GetMyVersion(const byte* input, word32* inOutIdx,
int* version);
CYASSL_LOCAL int GetInt(mp_int* mpi, const byte* input, word32* inOutIdx,
word32 maxIdx);
CYASSL_LOCAL int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
word32 maxIdx);
CYASSL_LOCAL word32 SetLength(word32 length, byte* output);
CYASSL_LOCAL word32 SetSequence(word32 len, byte* output);
CYASSL_LOCAL word32 SetOctetString(word32 len, byte* output);
CYASSL_LOCAL word32 SetImplicit(byte tag, byte number, word32 len,byte* output);
CYASSL_LOCAL word32 SetExplicit(byte number, word32 len, byte* output);
CYASSL_LOCAL word32 SetSet(word32 len, byte* output);
CYASSL_LOCAL word32 SetAlgoID(int algoOID, byte* output, int type, int curveSz);
CYASSL_LOCAL int SetMyVersion(word32 version, byte* output, int header);
CYASSL_LOCAL int SetSerialNumber(const byte* sn, word32 snSz, byte* output);
CYASSL_LOCAL int GetNameHash(const byte* source, word32* idx, byte* hash,
int maxIdx);
#ifdef HAVE_ECC
/* ASN sig helpers */
CYASSL_LOCAL int StoreECC_DSA_Sig(byte* out, word32* outLen, mp_int* r,

10
cyassl/ctaocrypt/asn_public.h
View File

@ -42,7 +42,8 @@ enum CertType {
DH_PARAM_TYPE,
CRL_TYPE,
CA_TYPE,
ECC_PRIVATEKEY_TYPE
ECC_PRIVATEKEY_TYPE,
CERTREQ_TYPE
};
@ -108,6 +109,9 @@ typedef struct Cert {
byte afterDate[CTC_DATE_SIZE]; /* after date copy */
int afterDateSz; /* size of copy */
#endif
#ifdef CYASSL_CERT_REQ
char challengePw[CTC_NAME_SIZE];
#endif
} Cert;
@ -127,6 +131,10 @@ typedef struct Cert {
CYASSL_API void InitCert(Cert*);
CYASSL_API int MakeCert(Cert*, byte* derBuffer, word32 derSz, RsaKey*,
ecc_key*, RNG*);
#ifdef CYASSL_CERT_REQ
CYASSL_API int MakeCertReq(Cert*, byte* derBuffer, word32 derSz, RsaKey*,
ecc_key*);
#endif
CYASSL_API int SignCert(int requestSz, int sigType, byte* derBuffer,
word32 derSz, RsaKey*, ecc_key*, RNG*);
CYASSL_API int MakeSelfCert(Cert*, byte* derBuffer, word32 derSz, RsaKey*,

3
cyassl/ctaocrypt/coding.h
View File

@ -39,6 +39,9 @@ CYASSL_LOCAL int Base64_Decode(const byte* in, word32 inLen, byte* out,
CYASSL_API
int Base64_Encode(const byte* in, word32 inLen, byte* out,
word32* outLen);
CYASSL_API
int Base64_EncodeEsc(const byte* in, word32 inLen, byte* out,
word32* outLen);
CYASSL_LOCAL
int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen);
#endif

5
cyassl/ctaocrypt/error.h
View File

@ -117,6 +117,11 @@ enum {
BAD_ENC_STATE_E = -192, /* Bad ecc enc state operation */
BAD_PADDING_E = -193, /* Bad padding, msg not correct length */
REQ_ATTRIBUTE_E = -194, /* setting cert request attributes error */
PKCS7_OID_E = -195, /* PKCS#7, mismatched OID error */
PKCS7_RECIP_E = -196, /* PKCS#7, recipient error */
MIN_CODE_E = -200 /* errors -101 - -199 */
};

1
cyassl/ctaocrypt/include.am
View File

@ -21,6 +21,7 @@ nobase_include_HEADERS+= \
cyassl/ctaocrypt/md4.h \
cyassl/ctaocrypt/md5.h \
cyassl/ctaocrypt/misc.h \
cyassl/ctaocrypt/pkcs7.h \
cyassl/ctaocrypt/port.h \
cyassl/ctaocrypt/pwdbased.h \
cyassl/ctaocrypt/rabbit.h \

5
cyassl/ctaocrypt/integer.h
View File

@ -286,6 +286,7 @@ int mp_2expt (mp_int * a, int b);
int mp_reduce_2k_setup(mp_int *a, mp_digit *d);
int mp_add_d (mp_int* a, mp_digit b, mp_int* c);
int mp_set_int (mp_int * a, unsigned long b);
int mp_sub_d (mp_int * a, mp_digit b, mp_int * c);
/* end support added functions */
/* added */
@ -305,10 +306,6 @@ int mp_init_multi(mp_int* a, mp_int* b, mp_int* c, mp_int* d, mp_int* e,
int mp_lcm (mp_int * a, mp_int * b, mp_int * c);
#endif
#if defined(HAVE_ECC) || !defined(NO_PWDBASED) || defined(CYASSL_SNIFFER)
int mp_sub_d (mp_int * a, mp_digit b, mp_int * c);
#endif
#ifdef __cplusplus
}
#endif

123
cyassl/ctaocrypt/pkcs7.h Normal file
View File

@ -0,0 +1,123 @@
/* pkcs7.h
*
* Copyright (C) 2006-2013 wolfSSL Inc.
*
* This file is part of CyaSSL.
*
* CyaSSL is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* CyaSSL is distributed in the hope that it will be useful,
* * but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
*/
#ifdef HAVE_PKCS7
#ifndef CTAO_CRYPT_PKCS7_H
#define CTAO_CRYPT_PKCS7_H
#include <cyassl/ctaocrypt/types.h>
#include <cyassl/ctaocrypt/asn.h>
#include <cyassl/ctaocrypt/asn_public.h>
#include <cyassl/ctaocrypt/random.h>
#include <cyassl/ctaocrypt/des3.h>
#ifdef __cplusplus
extern "C" {
#endif
/* PKCS#7 content types, ref RFC 2315 (Section 14) */
enum PKCS7_TYPES {
PKCS7_MSG = 650, /* 1.2.840.113549.1.7 */
DATA = 651, /* 1.2.840.113549.1.7.1 */
SIGNED_DATA = 652, /* 1.2.840.113549.1.7.2 */
ENVELOPED_DATA = 653, /* 1.2.840.113549.1.7.3 */
SIGNED_AND_ENVELOPED_DATA = 654, /* 1.2.840.113549.1.7.4 */
DIGESTED_DATA = 655, /* 1.2.840.113549.1.7.5 */
ENCRYPTED_DATA = 656 /* 1.2.840.113549.1.7.6 */
};
enum Pkcs7_Misc {
PKCS7_NONCE_SZ = 16,
MAX_ENCRYPTED_KEY_SZ = 512, /* max enc. key size, RSA <= 4096 */
MAX_CONTENT_KEY_LEN = DES3_KEYLEN, /* highest current cipher is 3DES */
MAX_RECIP_SZ = MAX_VERSION_SZ +
MAX_SEQ_SZ + ASN_NAME_MAX + MAX_SN_SZ +
MAX_SEQ_SZ + MAX_ALGO_SZ + 1 + MAX_ENCRYPTED_KEY_SZ
};
typedef struct PKCS7Attrib {
byte* oid;
word32 oidSz;
byte* value;
word32 valueSz;
} PKCS7Attrib;
typedef struct PKCS7 {
byte* content; /* inner content, not owner */
word32 contentSz; /* content size */
int contentOID; /* PKCS#7 content type OID sum */
RNG* rng;
int hashOID;
int encryptOID; /* key encryption algorithm OID */
byte* singleCert; /* recipient cert, DER, not owner */
word32 singleCertSz; /* size of recipient cert buffer, bytes */
byte issuerHash[SHA_SIZE]; /* hash of all alt Names */
byte* issuer; /* issuer name of singleCert */
word32 issuerSz; /* length of issuer name */
byte issuerSn[MAX_SN_SZ]; /* singleCert's serial number */
word32 issuerSnSz; /* length of serial number */
byte publicKey[512];
word32 publicKeySz;
byte* privateKey; /* private key, DER, not owner */
word32 privateKeySz; /* size of private key buffer, bytes */
PKCS7Attrib* signedAttribs;
word32 signedAttribsSz;
} PKCS7;
CYASSL_LOCAL int SetContentType(int pkcs7TypeOID, byte* output);
CYASSL_LOCAL int GetContentType(const byte* input, word32* inOutIdx,
word32* oid, word32 maxIdx);
CYASSL_LOCAL int CreateRecipientInfo(const byte* cert, word32 certSz,
int keyEncAlgo, int blockKeySz,
RNG* rng, byte* contentKeyPlain,
byte* contentKeyEnc,
int* keyEncSz, byte* out, word32 outSz);
CYASSL_API int PKCS7_InitWithCert(PKCS7* pkcs7, byte* cert, word32 certSz);
CYASSL_API void PKCS7_Free(PKCS7* pkcs7);
CYASSL_API int PKCS7_EncodeData(PKCS7* pkcs7, byte* output, word32 outputSz);
CYASSL_API int PKCS7_EncodeSignedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
CYASSL_API int PKCS7_VerifySignedData(PKCS7* pkcs7,
byte* pkiMsg, word32 pkiMsgSz);
CYASSL_API int PKCS7_EncodeEnvelopedData(PKCS7* pkcs7,
byte* output, word32 outputSz);
CYASSL_API int PKCS7_DecodeEnvelopedData(PKCS7* pkcs7, byte* pkiMsg,
word32 pkiMsgSz, byte* output,
word32 outputSz);
#ifdef __cplusplus
} /* extern "C" */
#endif
#endif /* CTAO_CRYPT_PKCS7_H */
#endif /* HAVE_PKCS7 */

20
cyassl/ctaocrypt/settings.h
View File

@ -152,10 +152,26 @@
#endif /* MBED */
#ifdef CYASSL_TYTO
#include "rand.h"
#define FREERTOS
#define NO_FILESYSTEM
#define CYASSL_USER_IO
#define NO_DEV_RANDOM
#define HAVE_ECC
#define HAVE_ECC_ENCRYPT
#define ECC_SHAMIR
#define HAVE_HKDF
#define USE_FAST_MATH
#define TFM_TIMING_RESISTANT
#define FP_MAX_BITS 512
#define NO_OLD_TLS
#define NO_MD4
#define NO_RABBIT
#define NO_HC128
#define NO_RSA
#define NO_DSA
#define NO_PWDBASED
#define NO_PSK
#endif
#ifdef FREERTOS_WINSIM
@ -316,8 +332,8 @@
#include "mutex.h"
#endif
#define XMALLOC(s, h, type) (void *)_mem_alloc_system((s))
#define XFREE(p, h, type) _mem_free(p)
#define XMALLOC(s, h, t) (void *)_mem_alloc_system((s))
#define XFREE(p, h, t) {void* xp = (p); if ((xp)) _mem_free((xp));}
/* Note: MQX has no realloc, using fastmath above */
#endif

68
cyassl/ctaocrypt/tfm.h
View File

@ -510,104 +510,104 @@ void s_fp_add(fp_int *a, fp_int *b, fp_int *c);
void s_fp_sub(fp_int *a, fp_int *b, fp_int *c);
void fp_reverse(unsigned char *s, int len);
void fp_mul_comba(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba(fp_int *a, fp_int *b, fp_int *c);
#ifdef TFM_SMALL_SET
void fp_mul_comba_small(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba_small(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL3
void fp_mul_comba3(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba3(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL4
void fp_mul_comba4(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba4(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL6
void fp_mul_comba6(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba6(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL7
void fp_mul_comba7(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba7(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL8
void fp_mul_comba8(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba8(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL9
void fp_mul_comba9(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba9(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL12
void fp_mul_comba12(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba12(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL17
void fp_mul_comba17(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba17(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL20
void fp_mul_comba20(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba20(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL24
void fp_mul_comba24(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba24(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL28
void fp_mul_comba28(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba28(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL32
void fp_mul_comba32(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba32(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL48
void fp_mul_comba48(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba48(fp_int *a, fp_int *b, fp_int *c);
#endif
#ifdef TFM_MUL64
void fp_mul_comba64(fp_int *A, fp_int *B, fp_int *C);
void fp_mul_comba64(fp_int *a, fp_int *b, fp_int *c);
#endif
void fp_sqr_comba(fp_int *A, fp_int *B);
void fp_sqr_comba(fp_int *a, fp_int *b);
#ifdef TFM_SMALL_SET
void fp_sqr_comba_small(fp_int *A, fp_int *B);
void fp_sqr_comba_small(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR3
void fp_sqr_comba3(fp_int *A, fp_int *B);
void fp_sqr_comba3(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR4
void fp_sqr_comba4(fp_int *A, fp_int *B);
void fp_sqr_comba4(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR6
void fp_sqr_comba6(fp_int *A, fp_int *B);
void fp_sqr_comba6(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR7
void fp_sqr_comba7(fp_int *A, fp_int *B);
void fp_sqr_comba7(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR8
void fp_sqr_comba8(fp_int *A, fp_int *B);
void fp_sqr_comba8(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR9
void fp_sqr_comba9(fp_int *A, fp_int *B);
void fp_sqr_comba9(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR12
void fp_sqr_comba12(fp_int *A, fp_int *B);
void fp_sqr_comba12(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR17
void fp_sqr_comba17(fp_int *A, fp_int *B);
void fp_sqr_comba17(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR20
void fp_sqr_comba20(fp_int *A, fp_int *B);
void fp_sqr_comba20(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR24
void fp_sqr_comba24(fp_int *A, fp_int *B);
void fp_sqr_comba24(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR28
void fp_sqr_comba28(fp_int *A, fp_int *B);
void fp_sqr_comba28(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR32
void fp_sqr_comba32(fp_int *A, fp_int *B);
void fp_sqr_comba32(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR48
void fp_sqr_comba48(fp_int *A, fp_int *B);
void fp_sqr_comba48(fp_int *a, fp_int *b);
#endif
#ifdef TFM_SQR64
void fp_sqr_comba64(fp_int *A, fp_int *B);
void fp_sqr_comba64(fp_int *a, fp_int *b);
#endif
/*extern const char *fp_s_rmap;*/
@ -642,7 +642,7 @@ int mp_mul (mp_int * a, mp_int * b, mp_int * c);
int mp_mulmod (mp_int * a, mp_int * b, mp_int * c, mp_int * d);
int mp_mod(mp_int *a, mp_int *b, mp_int *c);
int mp_invmod(mp_int *a, mp_int *b, mp_int *c);
int mp_exptmod (mp_int * G, mp_int * X, mp_int * P, mp_int * Y);
int mp_exptmod (mp_int * g, mp_int * x, mp_int * p, mp_int * y);
int mp_cmp(mp_int *a, mp_int *b);
int mp_cmp_d(mp_int *a, mp_digit b);
@ -663,7 +663,7 @@ void mp_rshb(mp_int *a, int x);
#ifdef HAVE_ECC
int mp_read_radix(mp_int* a, const char* str, int radix);
int mp_set(fp_int *a, fp_digit b);
int mp_sqr(fp_int *A, fp_int *B);
int mp_sqr(fp_int *a, fp_int *b);
int mp_montgomery_reduce(fp_int *a, fp_int *m, fp_digit mp);
int mp_montgomery_setup(fp_int *a, fp_digit *rho);
int mp_div_2(fp_int * a, fp_int * b);

8
cyassl/ctaocrypt/types.h
View File

@ -217,6 +217,11 @@ enum {
#define XISALPHA(c) isalpha((c))
#endif
/* needed by CyaSSL_check_domain_name() */
#ifdef __CYGWIN__
/* Cygwin uses a macro version of tolower() by default, use the
* function version. */
#undef tolower
#endif
#define XTOLOWER(c) tolower((c))
#endif
@ -265,7 +270,8 @@ enum {
DYNAMIC_TYPE_CAVIUM_TMP = 40,
DYNAMIC_TYPE_CAVIUM_RSA = 41,
DYNAMIC_TYPE_X509 = 42,
DYNAMIC_TYPE_TLSX = 43
DYNAMIC_TYPE_TLSX = 43,
DYNAMIC_TYPE_OCSP = 44
};
/* max error buffer string size */

5
cyassl/include.am
View File

@ -9,7 +9,6 @@ EXTRA_DIST+= cyassl/sniffer_error.rc
nobase_include_HEADERS+= \
cyassl/error.h \
cyassl/internal.h \
cyassl/ssl.h \
cyassl/sniffer_error.h \
cyassl/sniffer.h \
@ -20,3 +19,7 @@ nobase_include_HEADERS+= \
cyassl/options.h \
cyassl/ocsp.h \
cyassl/crl.h
noinst_HEADERS+= \
cyassl/internal.h

60
cyassl/internal.h
View File

@ -483,7 +483,6 @@ enum {
TLS_RSA_WITH_AES_256_CBC_B2B256 = 0xF9,
TLS_RSA_WITH_HC_128_B2B256 = 0xFA, /* eSTREAM too */
/* CyaSSL extension - NTRU */
TLS_NTRU_RSA_WITH_RC4_128_SHA = 0xe5,
TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA = 0xe6,
@ -533,8 +532,10 @@ enum {
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA = 0x45,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA = 0x88,
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 = 0xbe,
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0xc4
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 = 0xc4,
/* Renegotiation Indication Extension Special Suite */
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0xff
};
@ -982,24 +983,23 @@ typedef struct OCSP_Entry OCSP_Entry;
#endif
struct OCSP_Entry {
OCSP_Entry* next; /* next entry */
OCSP_Entry* next; /* next entry */
byte issuerHash[OCSP_DIGEST_SIZE]; /* issuer hash */
byte issuerKeyHash[OCSP_DIGEST_SIZE]; /* issuer public key hash */
CertStatus* status; /* OCSP response list */
int totalStatus; /* number on list */
CertStatus* status; /* OCSP response list */
int totalStatus; /* number on list */
};
#ifndef HAVE_OCSP
typedef struct CYASSL_OCSP CYASSL_OCSP;
#endif
/* CyaSSL OCSP controller */
struct CYASSL_OCSP {
byte enabled;
byte useOverrideUrl;
byte useNonce;
char overrideUrl[80];
OCSP_Entry* ocspList;
void* IOCB_OcspCtx;
CallbackIOOcsp CBIOOcsp;
CallbackIOOcspRespFree CBIOOcspRespFree;
CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */
OCSP_Entry* ocspList; /* OCSP response list */
CyaSSL_Mutex ocspLock; /* OCSP list lock */
};
#ifndef MAX_DATE_SIZE
@ -1077,6 +1077,14 @@ struct CYASSL_CERT_MANAGER {
byte crlEnabled; /* is CRL on ? */
byte crlCheckAll; /* always leaf, but all ? */
CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */
CYASSL_OCSP* ocsp; /* OCSP checker */
byte ocspEnabled; /* is OCSP on ? */
byte ocspSendNonce; /* send the OCSP nonce ? */
byte ocspUseOverrideURL; /* ignore cert's responder, override */
char* ocspOverrideURL; /* use this responder */
void* ocspIOCtx; /* I/O callback CTX */
CbOCSPIO ocspIOCb; /* I/O callback for OCSP lookup */
CbOCSPRespFree ocspRespFreeCb; /* Frees OCSP Response from IO Cb */
};
CYASSL_LOCAL int CM_SaveCertCache(CYASSL_CERT_MANAGER*, const char*);
@ -1102,11 +1110,8 @@ typedef struct CYASSL_DTLS_CTX {
typedef enum {
SERVER_NAME_INDICATION = 0,
MAX_FRAGMENT_LENGTH = 1,
/*CLIENT_CERTIFICATE_URL = 2,
TRUSTED_CA_KEYS = 3,*/
TRUNCATED_HMAC = 4,
/*STATUS_REQUEST = 5,
SIGNATURE_ALGORITHMS = 13,*/
ELLIPTIC_CURVES = 10
} TLSX_Type;
typedef struct TLSX {
@ -1169,12 +1174,27 @@ CYASSL_LOCAL int TLSX_UseMaxFragment(TLSX** extensions, byte mfl);
#ifdef HAVE_TRUNCATED_HMAC
#define TRUNCATED_HMAC_SIZE 10
CYASSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions);
#endif /* HAVE_TRUNCATED_HMAC */
#ifdef HAVE_SUPPORTED_CURVES
typedef struct EllipticCurve {
word16 name; /* CurveNames */
struct EllipticCurve* next; /* List Behavior */
} EllipticCurve;
CYASSL_LOCAL int TLSX_UseSupportedCurve(TLSX** extensions, word16 name);
#ifndef NO_CYASSL_SERVER
CYASSL_LOCAL int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first,
byte second);
#endif
#endif /* HAVE_SUPPORTED_CURVES */
#endif /* HAVE_TLS_EXTENSIONS */
/* CyaSSL context type */
@ -1216,6 +1236,7 @@ struct CYASSL_CTX {
word32 timeout; /* session timeout */
#ifdef HAVE_ECC
word16 eccTempKeySz; /* in octets 20 - 66 */
word32 pkCurveOID; /* curve Ecc_Sum */
#endif
#ifndef NO_PSK
byte havePSK; /* psk key set by user */
@ -1835,6 +1856,7 @@ struct CYASSL {
ecc_key* eccTempKey; /* private ECDHE key */
ecc_key* eccDsaKey; /* private ECDSA key */
word16 eccTempKeySz; /* in octets 20 - 66 */
word32 pkCurveOID; /* curve Ecc_Sum */
byte peerEccKeyPresent;
byte peerEccDsaKeyPresent;
byte eccTempKeyPresent;

8
cyassl/ocsp.h
View File

@ -36,12 +36,10 @@
typedef struct CYASSL_OCSP CYASSL_OCSP;
CYASSL_LOCAL int CyaSSL_OCSP_Init(CYASSL_OCSP*);
CYASSL_LOCAL void CyaSSL_OCSP_Cleanup(CYASSL_OCSP*);
CYASSL_LOCAL int CyaSSL_OCSP_set_override_url(CYASSL_OCSP*, const char*);
CYASSL_LOCAL int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP*, DecodedCert*);
CYASSL_LOCAL int InitOCSP(CYASSL_OCSP*, CYASSL_CERT_MANAGER*);
CYASSL_LOCAL void FreeOCSP(CYASSL_OCSP*, int dynamic);
CYASSL_LOCAL int CheckCertOCSP(CYASSL_OCSP*, DecodedCert*);
#ifdef __cplusplus
} /* extern "C" */

71
cyassl/ssl.h
View File

@ -543,6 +543,9 @@ enum {
OCSP_RESPONSE = 8,
OCSP_BASICRESP = 16,
CYASSL_OCSP_URL_OVERRIDE = 1,
CYASSL_OCSP_NO_NONCE = 2,
CYASSL_CRL_CHECKALL = 1,
ASN1_GENERALIZEDTIME = 4,
@ -823,9 +826,9 @@ CYASSL_API CYASSL_X509*
#ifndef NO_FILESYSTEM
CYASSL_API CYASSL_X509*
CyaSSL_X509_d2i_fp(CYASSL_X509** x509, FILE* file);
#endif
CYASSL_API CYASSL_X509*
CyaSSL_X509_load_certificate_file(const char* fname, int format);
#endif
#ifdef CYASSL_SEP
CYASSL_API unsigned char*
@ -943,15 +946,6 @@ CYASSL_API void CyaSSL_CTX_SetGenCookie(CYASSL_CTX*, CallbackGenCookie);
CYASSL_API void CyaSSL_SetCookieCtx(CYASSL* ssl, void *ctx);
CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl);
typedef int (*CallbackIOOcsp)(void*, const char*, int,
unsigned char*, int, unsigned char**);
typedef void (*CallbackIOOcspRespFree)(void*,unsigned char*);
#ifdef HAVE_OCSP
CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX *ocsp, CallbackIOOcsp cb);
CYASSL_API void CyaSSL_SetIOOcspRespFree(CYASSL_CTX *ocsp,
CallbackIOOcspRespFree cb);
CYASSL_API void CyaSSL_SetIOOcspCtx(CYASSL_CTX *ocsp, void *octx);
#endif
/* I/O Callback default errors */
enum IOerrors {
@ -979,9 +973,14 @@ CYASSL_API int CyaSSL_GetObjectSize(void); /* object size based on build */
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
int, const char*);
CYASSL_API int CyaSSL_CertPemToDer(const unsigned char*, int sz, unsigned char*,
int, int);
typedef void (*CallbackCACache)(unsigned char* der, int sz, int type);
typedef void (*CbMissingCRL)(const char* url);
typedef int (*CbOCSPIO)(void*, const char*, int,
unsigned char*, int, unsigned char**);
typedef void (*CbOCSPRespFree)(void*,unsigned char*);
/* User Atomic Record Layer CallBacks */
typedef int (*CallbackMacEncrypt)(CYASSL* ssl, unsigned char* macOut,
@ -1007,6 +1006,7 @@ CYASSL_API const unsigned char* CyaSSL_GetClientWriteIV(CYASSL*);
CYASSL_API const unsigned char* CyaSSL_GetServerWriteKey(CYASSL*);
CYASSL_API const unsigned char* CyaSSL_GetServerWriteIV(CYASSL*);
CYASSL_API int CyaSSL_GetKeySize(CYASSL*);
CYASSL_API int CyaSSL_GetIVSize(CYASSL*);
CYASSL_API int CyaSSL_GetSide(CYASSL*);
CYASSL_API int CyaSSL_IsTLSv1_1(CYASSL*);
CYASSL_API int CyaSSL_GetBulkCipher(CYASSL*);
@ -1126,16 +1126,34 @@ CYASSL_API void* CyaSSL_GetRsaDecCtx(CYASSL* ssl);
int, int);
CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*,
CbMissingCRL);
CYASSL_API int CyaSSL_CertManagerCheckOCSP(CYASSL_CERT_MANAGER*,
unsigned char*, int sz);
CYASSL_API int CyaSSL_CertManagerEnableOCSP(CYASSL_CERT_MANAGER*,
int options);
CYASSL_API int CyaSSL_CertManagerDisableOCSP(CYASSL_CERT_MANAGER*);
CYASSL_API int CyaSSL_CertManagerSetOCSPOverrideURL(CYASSL_CERT_MANAGER*,
const char*);
CYASSL_API int CyaSSL_CertManagerSetOCSP_Cb(CYASSL_CERT_MANAGER*,
CbOCSPIO, CbOCSPRespFree, void*);
CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options);
CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl);
CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int);
CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL);
CYASSL_API int CyaSSL_EnableOCSP(CYASSL*, int options);
CYASSL_API int CyaSSL_DisableOCSP(CYASSL*);
CYASSL_API int CyaSSL_SetOCSP_OverrideURL(CYASSL*, const char*);
CYASSL_API int CyaSSL_SetOCSP_Cb(CYASSL*, CbOCSPIO, CbOCSPRespFree, void*);
CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options);
CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int);
CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL);
CYASSL_API int CyaSSL_CTX_EnableOCSP(CYASSL_CTX*, int options);
CYASSL_API int CyaSSL_CTX_DisableOCSP(CYASSL_CTX*);
CYASSL_API int CyaSSL_CTX_SetOCSP_OverrideURL(CYASSL_CTX*, const char*);
CYASSL_API int CyaSSL_CTX_SetOCSP_Cb(CYASSL_CTX*,
CbOCSPIO, CbOCSPRespFree, void*);
#endif /* !NO_CERTS */
/* end of handshake frees temporary arrays, if user needs for get_keys or
@ -1213,6 +1231,7 @@ CYASSL_API int CyaSSL_CTX_UseMaxFragment(CYASSL_CTX* ctx, unsigned char mfl);
#endif /* NO_CYASSL_CLIENT */
#endif /* HAVE_MAX_FRAGMENT */
/* Truncated HMAC */
#ifdef HAVE_TRUNCATED_HMAC
#ifndef NO_CYASSL_CLIENT
@ -1222,6 +1241,27 @@ CYASSL_API int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx);
#endif /* NO_CYASSL_CLIENT */
#endif /* HAVE_TRUNCATED_HMAC */
/* Elliptic Curves */
#ifdef HAVE_SUPPORTED_CURVES
enum {
CYASSL_ECC_SECP160R1 = 0x10,
CYASSL_ECC_SECP192R1 = 0x13,
CYASSL_ECC_SECP224R1 = 0x15,
CYASSL_ECC_SECP256R1 = 0x17,
CYASSL_ECC_SECP384R1 = 0x18,
CYASSL_ECC_SECP521R1 = 0x19
};
#ifndef NO_CYASSL_CLIENT
CYASSL_API int CyaSSL_UseSupportedCurve(CYASSL* ssl, unsigned short name);
CYASSL_API int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx,
unsigned short name);
#endif /* NO_CYASSL_CLIENT */
#endif /* HAVE_SUPPORTED_CURVES */
#define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */
#define CYASSL_CRL_START_MON 0x02 /* start monitoring flag */
@ -1244,14 +1284,9 @@ CYASSL_API int CyaSSL_accept_ex(CYASSL*, HandShakeCallBack, TimeoutCallBack,
#endif /* CYASSL_CALLBACKS */
CYASSL_API int CyaSSL_CTX_OCSP_set_options(CYASSL_CTX*, int);
CYASSL_API int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX*, const char*);
/* OCSP Options */
#define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */
#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
* in certificate */
#define CYASSL_OCSP_NO_NONCE 0x0004 /* Disables the request nonce. */
#ifdef CYASSL_HAVE_WOLFSCEP
CYASSL_API void CyaSSL_wolfSCEP(void);
#endif /* CYASSL_HAVE_WOLFSCEP */
#ifdef __cplusplus

4
cyassl/version.h
View File

@ -26,8 +26,8 @@
extern "C" {
#endif
#define LIBCYASSL_VERSION_STRING "2.8.4"
#define LIBCYASSL_VERSION_HEX 0x02008004
#define LIBCYASSL_VERSION_STRING "2.9.0"
#define LIBCYASSL_VERSION_HEX 0x02009000
#ifdef __cplusplus
}

22
examples/client/client.c
View File

@ -505,10 +505,13 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args)
#ifdef HAVE_OCSP
if (useOcsp) {
CyaSSL_CTX_OCSP_set_options(ctx,
CYASSL_OCSP_ENABLE | CYASSL_OCSP_NO_NONCE);
if (ocspUrl != NULL)
CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl);
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
@ -547,17 +550,18 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args)
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName)))
if (CyaSSL_CTX_UseSNI(ctx, 0, sniHostName, XSTRLEN(sniHostName))
!= SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
#ifdef HAVE_MAX_FRAGMENT
if (maxFragment)
if (CyaSSL_CTX_UseMaxFragment(ctx, maxFragment))
if (CyaSSL_CTX_UseMaxFragment(ctx, maxFragment) != SSL_SUCCESS)
err_sys("UseMaxFragment failed");
#endif
#ifdef HAVE_TRUNCATED_HMAC
if (truncatedHMAC)
if (CyaSSL_CTX_UseTruncatedHMAC(ctx))
if (CyaSSL_CTX_UseTruncatedHMAC(ctx) != SSL_SUCCESS)
err_sys("UseTruncatedHMAC failed");
#endif
@ -803,8 +807,10 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args)
#if defined(DEBUG_CYASSL) && !defined(CYASSL_MDK_SHELL) && !defined(STACK_TRAP)
CyaSSL_Debugging_ON();
#endif
if (CurrentDir("client") || CurrentDir("build"))
if (CurrentDir("client"))
ChangeDirBack(2);
else if (CurrentDir("Debug") || CurrentDir("Release"))
ChangeDirBack(3);
#ifdef HAVE_STACK_SIZE
StackSizeCheck(&args, client_test);

4
examples/echoclient/echoclient.c
View File

@ -255,8 +255,10 @@ void echoclient_test(void* args)
CyaSSL_Debugging_ON();
#endif
if (CurrentDir("echoclient") || CurrentDir("build"))
if (CurrentDir("echoclient"))
ChangeDirBack(2);
else if (CurrentDir("Debug") || CurrentDir("Release"))
ChangeDirBack(3);
echoclient_test(&args);
CyaSSL_Cleanup();

4
examples/echoserver/echoserver.c
View File

@ -339,8 +339,10 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args)
#if defined(DEBUG_CYASSL) && !defined(CYASSL_MDK_SHELL)
CyaSSL_Debugging_ON();
#endif
if (CurrentDir("echoserver") || CurrentDir("build"))
if (CurrentDir("echoserver"))
ChangeDirBack(2);
else if (CurrentDir("Debug") || CurrentDir("Release"))
ChangeDirBack(3);
echoserver_test(&args);
CyaSSL_Cleanup();

25
examples/server/server.c
View File

@ -374,6 +374,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
if (fewerPackets)
CyaSSL_CTX_set_group_messages(ctx);
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
if (!usePsk) {
if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM)
@ -428,10 +432,6 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
}
#endif
#ifdef OPENSSL_EXTRA
SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack);
#endif
#if defined(CYASSL_SNIFFER) && !defined(HAVE_NTRU) && !defined(HAVE_ECC)
/* don't use EDH, can't sniff tmp keys */
if (cipherList == NULL) {
@ -443,7 +443,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#ifdef HAVE_SNI
if (sniHostName)
if (CyaSSL_CTX_UseSNI(ctx, CYASSL_SNI_HOST_NAME, sniHostName,
XSTRLEN(sniHostName)))
XSTRLEN(sniHostName)) != SSL_SUCCESS)
err_sys("UseSNI failed");
#endif
@ -459,10 +459,13 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#endif
#ifdef HAVE_OCSP
if (useOcsp) {
CyaSSL_CTX_OCSP_set_options(ctx,
CYASSL_OCSP_ENABLE | CYASSL_OCSP_NO_NONCE);
if (ocspUrl != NULL)
CyaSSL_CTX_OCSP_set_override_url(ctx, ocspUrl);
if (ocspUrl != NULL) {
CyaSSL_CTX_SetOCSP_OverrideURL(ctx, ocspUrl);
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE
| CYASSL_OCSP_URL_OVERRIDE);
}
else
CyaSSL_CTX_EnableOCSP(ctx, CYASSL_OCSP_NO_NONCE);
}
#endif
#ifdef HAVE_PK_CALLBACKS
@ -556,8 +559,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args)
#if defined(DEBUG_CYASSL) && !defined(CYASSL_MDK_SHELL)
CyaSSL_Debugging_ON();
#endif
if (CurrentDir("server") || CurrentDir("build"))
if (CurrentDir("server"))
ChangeDirBack(2);
else if (CurrentDir("Debug") || CurrentDir("Release"))
ChangeDirBack(3);
#ifdef HAVE_STACK_SIZE
StackSizeCheck(&args, server_test);

1
m4/ax_debug.m4
View File

@ -52,7 +52,6 @@ AC_DEFUN([AX_DEBUG],
[Add debug code/turns off optimizations (yes|no) @<:@default=no@:>@])],
[ax_enable_debug=yes
AC_DEFINE([DEBUG],[1],[Define to 1 to enable debugging code.])
AX_CHECK_LIBRARY([MCHECK],[mcheck.h],[mcheck],[AX_APPEND_LINK_FLAGS([-lmcheck])])
AX_ADD_AM_MACRO([--debug],[AM_YFLAGS])
AX_ADD_AM_MACRO([-D_GLIBCXX_DEBUG],[AM_CPPFLAGS])],
[ax_enable_debug=no

4
src/include.am
View File

@ -136,3 +136,7 @@ if BUILD_LIBZ
src_libcyassl_la_SOURCES += ctaocrypt/src/compress.c
endif
if BUILD_PKCS7
src_libcyassl_la_SOURCES += ctaocrypt/src/pkcs7.c
endif

57
src/internal.c
View File

@ -89,8 +89,8 @@ CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS
#ifdef CYASSL_DTLS
static int DtlsCheckWindow(DtlsState* state);
static int DtlsUpdateWindow(DtlsState* state);
static INLINE int DtlsCheckWindow(DtlsState* state);
static INLINE int DtlsUpdateWindow(DtlsState* state);
#endif
@ -426,9 +426,6 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method)
ctx->sendVerify = 0;
ctx->quietShutdown = 0;
ctx->groupMessages = 0;
#ifdef HAVE_OCSP
CyaSSL_OCSP_Init(&ctx->ocsp);
#endif
#ifdef HAVE_CAVIUM
ctx->devId = NO_CAVIUM_DEVICE;
#endif
@ -479,9 +476,6 @@ void SSL_CtxResourceFree(CYASSL_CTX* ctx)
XFREE(ctx->certChain.buffer, ctx->heap, DYNAMIC_TYPE_CERT);
CyaSSL_CertManagerFree(ctx->cm);
#endif
#ifdef HAVE_OCSP
CyaSSL_OCSP_Cleanup(&ctx->ocsp);
#endif
#ifdef HAVE_TLS_EXTENSIONS
TLSX_FreeAll(ctx->extensions);
#endif
@ -635,8 +629,10 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
if (suites->setSuites)
return; /* trust user settings, don't override */
if (side == CYASSL_SERVER_END && haveStaticECC)
if (side == CYASSL_SERVER_END && haveStaticECC) {
haveRSA = 0; /* can't do RSA with ECDSA key */
(void)haveRSA; /* some builds won't read */
}
if (side == CYASSL_SERVER_END && haveECDSAsig) {
haveRSAsig = 0; /* can't have RSA sig if signed by ECDSA */
@ -650,6 +646,13 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK,
}
#endif
#ifdef HAVE_RENEGOTIATION_INDICATION
if (side == CYASSL_CLIENT_END) {
suites->suites[idx++] = 0;
suites->suites[idx++] = TLS_EMPTY_RENEGOTIATION_INFO_SCSV;
}
#endif
#ifdef BUILD_TLS_NTRU_RSA_WITH_AES_256_CBC_SHA
if (tls && haveNTRU && haveRSA) {
suites->suites[idx++] = 0;
@ -1279,6 +1282,9 @@ void InitX509(CYASSL_X509* x509, int dynamicFlag)
x509->altNamesNext = NULL;
x509->dynamicMemory = (byte)dynamicFlag;
x509->isCa = 0;
#ifdef HAVE_ECC
x509->pkCurveOID = 0;
#endif /* HAVE_ECC */
#ifdef OPENSSL_EXTRA
x509->pathLength = 0;
x509->basicConstSet = 0;
@ -1297,9 +1303,6 @@ void InitX509(CYASSL_X509* x509, int dynamicFlag)
x509->keyUsageSet = 0;
x509->keyUsageCrit = 0;
x509->keyUsage = 0;
#ifdef HAVE_ECC
x509->pkCurveOID = 0;
#endif /* HAVE_ECC */
#ifdef CYASSL_SEP
x509->certPolicySet = 0;
x509->certPolicyCrit = 0;
@ -1397,6 +1400,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
#ifdef HAVE_ECC
ssl->eccTempKeySz = ctx->eccTempKeySz;
ssl->pkCurveOID = ctx->pkCurveOID;
ssl->peerEccKeyPresent = 0;
ssl->peerEccDsaKeyPresent = 0;
ssl->eccDsaKeyPresent = 0;
@ -3221,14 +3225,14 @@ int CopyDecodedToX509(CYASSL_X509* x509, DecodedCert* dCert)
}
x509->keyUsageSet = dCert->extKeyUsageSet;
x509->keyUsageCrit = dCert->extKeyUsageCrit;
#ifdef HAVE_ECC
x509->pkCurveOID = dCert->pkCurveOID;
#endif /* HAVE_ECC */
#ifdef CYASSL_SEP
x509->certPolicySet = dCert->extCertPolicySet;
x509->certPolicyCrit = dCert->extCertPolicyCrit;
#endif /* CYASSL_SEP */
#endif /* OPENSSL_EXTRA */
#ifdef HAVE_ECC
x509->pkCurveOID = dCert->pkCurveOID;
#endif /* HAVE_ECC */
return ret;
}
@ -3391,8 +3395,8 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
}
#ifdef HAVE_OCSP
if (fatal == 0) {
ret = CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert);
if (fatal == 0 && ssl->ctx->cm->ocspEnabled) {
ret = CheckCertOCSP(ssl->ctx->cm->ocsp, &dCert);
if (ret != 0) {
CYASSL_MSG("\tOCSP Lookup not ok");
fatal = 0;
@ -3405,7 +3409,7 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
int doCrlLookup = 1;
#ifdef HAVE_OCSP
if (ssl->ctx->ocsp.enabled) {
if (ssl->ctx->cm->ocspEnabled) {
doCrlLookup = (ret == OCSP_CERT_UNKNOWN);
}
#endif /* HAVE_OCSP */
@ -3932,7 +3936,6 @@ static int DtlsMsgDrain(CYASSL* ssl)
{
DtlsMsg* item = ssl->dtls_msg_list;
int ret = 0;
word32 idx = 0;
/* While there is an item in the store list, and it is the expected
* message, and it is complete, and there hasn't been an error in the
@ -3941,6 +3944,7 @@ static int DtlsMsgDrain(CYASSL* ssl)
ssl->keys.dtls_expected_peer_handshake_number == item->seq &&
item->fragSz == item->sz &&
ret == 0) {
word32 idx = 0;
ssl->keys.dtls_expected_peer_handshake_number++;
ret = DoHandShakeMsgType(ssl, item->msg,
&idx, item->type, item->sz, item->sz);
@ -4328,7 +4332,7 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input,
static int SanityCheckCipherText(CYASSL* ssl, word32 encryptSz)
{
#ifdef HAVE_TRUNCATED_HMAC
word32 minLength = ssl->truncated_hmac ? TRUNCATED_HMAC_SIZE
word32 minLength = ssl->truncated_hmac ? TRUNCATED_HMAC_SZ
: ssl->specs.hash_size;
#else
word32 minLength = ssl->specs.hash_size; /* covers stream */
@ -8118,7 +8122,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
case ecc_diffie_hellman_kea:
{
ecc_key myKey;
ecc_key* peerKey = &myKey;
ecc_key* peerKey = NULL;
word32 size = sizeof(encSecret);
if (ssl->specs.static_ecdh) {
@ -8133,6 +8137,9 @@ static void PickHashSigAlgo(CYASSL* ssl,
peerKey = ssl->peerEccKey;
}
if (peerKey == NULL)
return NO_PEER_KEY;
ecc_init(&myKey);
ret = ecc_make_key(ssl->rng, peerKey->dp->size, &myKey);
if (ret != 0)
@ -9758,6 +9765,13 @@ static void PickHashSigAlgo(CYASSL* ssl,
}
}
#ifdef HAVE_SUPPORTED_CURVES
if (!TLSX_ValidateEllipticCurves(ssl, first, second)) {
CYASSL_MSG("Don't have matching curves");
return 0;
}
#endif
/* ECCDHE is always supported if ECC on */
return 1;
@ -9887,6 +9901,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
if (clSuites.suiteSz > MAX_SUITE_SZ)
return BUFFER_ERROR;
clSuites.hashSigAlgoSz = 0;
/* session size */
ato16(&input[idx], &sessionSz);

129
src/io.c
View File

@ -352,7 +352,7 @@ int EmbedReceiveFrom(CYASSL *ssl, char *buf, int sz, void *ctx)
int err;
int sd = dtlsCtx->fd;
int dtls_timeout = CyaSSL_dtls_get_current_timeout(ssl);
struct sockaddr_in6 peer;
struct sockaddr_storage peer;
XSOCKLENT peerSz = sizeof(peer);
CYASSL_ENTER("EmbedReceiveFrom()");
@ -471,34 +471,21 @@ int EmbedSendTo(CYASSL* ssl, char *buf, int sz, void *ctx)
int EmbedGenerateCookie(CYASSL* ssl, byte *buf, int sz, void *ctx)
{
int sd = ssl->wfd;
struct sockaddr_in6 peer;
struct sockaddr_storage peer;
XSOCKLENT peerSz = sizeof(peer);
Sha sha;
byte digest[SHA_DIGEST_SIZE];
(void)ctx;
XMEMSET(&peer, 0, sizeof(peer));
if (getpeername(sd, (struct sockaddr*)&peer, &peerSz) != 0) {
CYASSL_MSG("getpeername failed in EmbedGenerateCookie");
return GEN_COOKIE_E;
}
InitSha(&sha);
if (peer.sin6_family == AF_INET6) {
ShaUpdate(&sha, (byte*)&peer.sin6_port, sizeof(peer.sin6_port));
ShaUpdate(&sha, (byte*)&peer.sin6_addr, sizeof(peer.sin6_addr));
}
else if (peer.sin6_family == AF_INET) {
struct sockaddr_in *s = (struct sockaddr_in*)&peer;
ShaUpdate(&sha, (byte*)&s->sin_port, sizeof(s->sin_port));
ShaUpdate(&sha, (byte*)&s->sin_addr, sizeof(s->sin_addr));
}
else {
CYASSL_MSG("peer sin_family unknown type in EmbedGenerateCookie");
return GEN_COOKIE_E;
}
ShaUpdate(&sha, (byte*)&peer, peerSz);
ShaFinal(&sha, digest);
if (sz > SHA_DIGEST_SIZE)
@ -512,52 +499,62 @@ int EmbedGenerateCookie(CYASSL* ssl, byte *buf, int sz, void *ctx)
#ifdef HAVE_OCSP
#ifdef TEST_IPV6
typedef struct sockaddr_in6 SOCKADDR_IN_T;
#define AF_INET_V AF_INET6
#else
typedef struct sockaddr_in SOCKADDR_IN_T;
#define AF_INET_V AF_INET
#endif
static INLINE int tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
static int tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
{
SOCKADDR_IN_T addr;
const char* host = ip;
struct sockaddr_storage addr;
int sockaddr_len = sizeof(struct sockaddr_in);
XMEMSET(&addr, 0, sizeof(addr));
/* peer could be in human readable form */
if (ip != INADDR_ANY && isalpha(ip[0])) {
#ifdef HAVE_GETADDRINFO
{
struct addrinfo hints;
struct addrinfo* answer = NULL;
char strPort[8];
XMEMSET(&hints, 0, sizeof(hints));
hints.ai_family = AF_UNSPEC;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
XSNPRINTF(strPort, sizeof(strPort), "%d", port);
strPort[7] = '\0';
if (getaddrinfo(ip, strPort, &hints, &answer) < 0 || answer == NULL) {
CYASSL_MSG("no addr info for OCSP responder");
return -1;
}
sockaddr_len = answer->ai_addrlen;
XMEMCPY(&addr, answer->ai_addr, sockaddr_len);
freeaddrinfo(answer);
}
#else /* HAVE_GETADDRINFO */
{
struct hostent* entry = gethostbyname(ip);
struct sockaddr_in *sin = (struct sockaddr_in *)&addr;
if (entry) {
struct sockaddr_in tmp;
XMEMSET(&tmp, 0, sizeof(struct sockaddr_in));
XMEMCPY(&tmp.sin_addr.s_addr, entry->h_addr_list[0],
entry->h_length);
host = inet_ntoa(tmp.sin_addr);
sin->sin_family = AF_INET;
sin->sin_port = htons(port);
XMEMCPY(&sin->sin_addr.s_addr, entry->h_addr_list[0],
entry->h_length);
}
else {
CYASSL_MSG("no addr entry for OCSP responder");
CYASSL_MSG("no addr info for OCSP responder");
return -1;
}
}
#endif /* HAVE_GETADDRINFO */
*sockfd = socket(AF_INET_V, SOCK_STREAM, 0);
*sockfd = socket(addr.ss_family, SOCK_STREAM, 0);
if (*sockfd < 0) {
CYASSL_MSG("bad socket fd, out of fds?");
return -1;
}
XMEMSET(&addr, 0, sizeof(SOCKADDR_IN_T));
addr.sin_family = AF_INET_V;
addr.sin_port = htons(port);
if (host == INADDR_ANY)
addr.sin_addr.s_addr = INADDR_ANY;
else
addr.sin_addr.s_addr = inet_addr(host);
if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) {
if (connect(*sockfd, (struct sockaddr *)&addr, sockaddr_len) != 0) {
CYASSL_MSG("OCSP responder tcp connect failed");
return -1;
}
@ -597,15 +594,26 @@ static int decode_url(const char* url, int urlSz,
int i, cur;
/* need to break the url down into scheme, address, and port */
/* "http://example.com:8080/" */
/* "http://example.com:8080/" */
/* "http://[::1]:443/" */
if (XSTRNCMP(url, "http://", 7) == 0) {
cur = 7;
} else cur = 0;
i = 0;
while (url[cur] != 0 && url[cur] != ':' &&
if (url[cur] == '[') {
cur++;
/* copy until ']' */
while (url[cur] != 0 && url[cur] != ']' && cur < urlSz) {
outName[i++] = url[cur++];
}
cur++; /* skip ']' */
}
else {
while (url[cur] != 0 && url[cur] != ':' &&
url[cur] != '/' && cur < urlSz) {
outName[i++] = url[cur++];
outName[i++] = url[cur++];
}
}
outName[i] = 0;
/* Need to pick out the path after the domain name */
@ -670,7 +678,7 @@ static int process_http_response(int sfd, byte** respBuf,
if (result > 0) {
len += result;
start = (char*)httpBuf;
start[len+1] = 0;
start[len] = 0;
}
else {
CYASSL_MSG("process_http_response recv http from peer failed");
@ -929,27 +937,6 @@ CYASSL_API void* CyaSSL_GetCookieCtx(CYASSL* ssl)
#endif /* CYASSL_DTLS */
#ifdef HAVE_OCSP
CYASSL_API void CyaSSL_SetIOOcsp(CYASSL_CTX* ctx, CallbackIOOcsp cb)
{
ctx->ocsp.CBIOOcsp = cb;
}
CYASSL_API void CyaSSL_SetIOOcspRespFree(CYASSL_CTX* ctx,
CallbackIOOcspRespFree cb)
{
ctx->ocsp.CBIOOcspRespFree = cb;
}
CYASSL_API void CyaSSL_SetIOOcspCtx(CYASSL_CTX* ctx, void *octx)
{
ctx->ocsp.IOCB_OcspCtx = octx;
}
#endif
#ifdef HAVE_NETX
/* The NetX receive callback

321
src/ocsp.c
View File

@ -27,55 +27,32 @@
#ifdef HAVE_OCSP
#ifdef EBSNET
#include "rtip.h"
#include "socket.h"
#endif
#include <cyassl/error.h>
#include <cyassl/ocsp.h>
#include <cyassl/internal.h>
#include <ctype.h>
#include <string.h>
#ifndef EBSNET
#include <unistd.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/socket.h>
#endif
CYASSL_API int ocsp_test(unsigned char* buf, int sz);
#define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */
#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
* in certificate */
#define CYASSL_OCSP_NO_NONCE 0x0004 /* Disables the request nonce */
typedef struct sockaddr_in SOCKADDR_IN_T;
#define AF_INET_V AF_INET
#define SOCKET_T unsigned int
int CyaSSL_OCSP_Init(CYASSL_OCSP* ocsp)
int InitOCSP(CYASSL_OCSP* ocsp, CYASSL_CERT_MANAGER* cm)
{
if (ocsp != NULL) {
XMEMSET(ocsp, 0, sizeof(*ocsp));
ocsp->useNonce = 1;
#ifndef CYASSL_USER_IO
ocsp->CBIOOcsp = EmbedOcspLookup;
ocsp->CBIOOcspRespFree = EmbedOcspRespFree;
#endif
return 0;
}
CYASSL_ENTER("InitOCSP");
XMEMSET(ocsp, 0, sizeof(*ocsp));
ocsp->cm = cm;
if (InitMutex(&ocsp->ocspLock) != 0)
return BAD_MUTEX_E;
return -1;
return 0;
}
static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert)
{
CYASSL_ENTER("InitOCSP_Entry");
XMEMSET(ocspe, 0, sizeof(*ocspe));
XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE);
XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE);
return 0;
}
@ -93,118 +70,22 @@ static void FreeOCSP_Entry(OCSP_Entry* ocspe)
}
void CyaSSL_OCSP_Cleanup(CYASSL_OCSP* ocsp)
void FreeOCSP(CYASSL_OCSP* ocsp, int dynamic)
{
OCSP_Entry* tmp = ocsp->ocspList;
ocsp->enabled = 0;
CYASSL_ENTER("FreeOCSP");
while (tmp) {
OCSP_Entry* next = tmp->next;
FreeOCSP_Entry(tmp);
XFREE(tmp, NULL, DYNAMIC_TYPE_OCSP_ENTRY);
tmp = next;
}
}
int CyaSSL_OCSP_set_override_url(CYASSL_OCSP* ocsp, const char* url)
{
if (ocsp != NULL) {
int urlSz = (int)XSTRLEN(url);
if (urlSz < (int)sizeof(ocsp->overrideUrl)) {
XSTRNCPY(ocsp->overrideUrl, url, urlSz);
return 1;
}
}
return 0;
}
static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert)
{
CYASSL_ENTER("InitOCSP_Entry");
ocspe->next = NULL;
XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE);
XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE);
ocspe->status = NULL;
ocspe->totalStatus = 0;
return 0;
}
static OCSP_Entry* find_ocsp_entry(CYASSL_OCSP* ocsp, DecodedCert* cert)
{
OCSP_Entry* entry = ocsp->ocspList;
while (entry)
{
if (XMEMCMP(entry->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0
&& XMEMCMP(entry->issuerKeyHash, cert->issuerKeyHash,
SHA_DIGEST_SIZE) == 0)
{
CYASSL_MSG("Found OCSP responder");
break;
}
else
{
entry = entry->next;
}
}
if (entry == NULL)
{
CYASSL_MSG("Add a new OCSP entry");
entry = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry),
NULL, DYNAMIC_TYPE_OCSP_ENTRY);
if (entry != NULL)
{
InitOCSP_Entry(entry, cert);
entry->next = ocsp->ocspList;
ocsp->ocspList = entry;
}
}
return entry;
}
static CertStatus* find_cert_status(OCSP_Entry* ocspe, DecodedCert* cert)
{
CertStatus* stat = ocspe->status;
while (stat)
{
if(stat->serialSz == cert->serialSz &&
(XMEMCMP(stat->serial, cert->serial, cert->serialSz) == 0))
{
break;
}
else
{
stat = stat->next;
}
}
if (stat == NULL)
{
stat = (CertStatus*)XMALLOC(sizeof(CertStatus),
NULL, DYNAMIC_TYPE_OCSP_STATUS);
if (stat != NULL)
{
XMEMCPY(stat->serial, cert->serial, cert->serialSz);
stat->serialSz = cert->serialSz;
stat->status = -1;
stat->nextDate[0] = 0;
ocspe->totalStatus++;
stat->next = ocspe->status;
ocspe->status = stat;
}
}
return stat;
FreeMutex(&ocsp->ocspLock);
if (dynamic)
XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP);
}
@ -224,62 +105,84 @@ static int xstat2err(int stat)
}
int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
int CheckCertOCSP(CYASSL_OCSP* ocsp, DecodedCert* cert)
{
byte* ocspReqBuf = NULL;
int ocspReqSz = 2048;
byte* ocspRespBuf = NULL;
OcspRequest ocspRequest;
OcspResponse ocspResponse;
int result = 0;
int result = -1;
OCSP_Entry* ocspe;
CertStatus* certStatus;
CertStatus* certStatus = NULL;
CertStatus newStatus;
const char *url;
int urlSz;
/* If OCSP lookups are disabled, return success. */
if (!ocsp->enabled) {
CYASSL_MSG("OCSP lookup disabled, assuming CERT_GOOD");
return 0;
CYASSL_ENTER("CheckCertOCSP");
if (LockMutex(&ocsp->ocspLock) != 0) {
CYASSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E);
return BAD_MUTEX_E;
}
ocspe = ocsp->ocspList;
while (ocspe) {
if (XMEMCMP(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0
&& XMEMCMP(ocspe->issuerKeyHash, cert->issuerKeyHash,
SHA_DIGEST_SIZE) == 0)
break;
else
ocspe = ocspe->next;
}
ocspe = find_ocsp_entry(ocsp, cert);
if (ocspe == NULL) {
CYASSL_MSG("alloc OCSP entry failed");
return MEMORY_ERROR;
ocspe = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry),
NULL, DYNAMIC_TYPE_OCSP_ENTRY);
if (ocspe != NULL) {
InitOCSP_Entry(ocspe, cert);
ocspe->next = ocsp->ocspList;
ocsp->ocspList = ocspe;
}
else {
UnLockMutex(&ocsp->ocspLock);
CYASSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_ERROR;
}
}
else {
certStatus = ocspe->status;
while (certStatus) {
if (certStatus->serialSz == cert->serialSz &&
XMEMCMP(certStatus->serial, cert->serial, cert->serialSz) == 0)
break;
else
certStatus = certStatus->next;
}
}
certStatus = find_cert_status(ocspe, cert);
if (certStatus == NULL)
{
CYASSL_MSG("alloc OCSP cert status failed");
return MEMORY_ERROR;
}
if (certStatus->status != -1)
{
if (certStatus != NULL) {
if (!ValidateDate(certStatus->thisDate,
certStatus->thisDateFormat, BEFORE) ||
(certStatus->nextDate[0] == 0) ||
!ValidateDate(certStatus->nextDate,
certStatus->nextDateFormat, AFTER))
{
certStatus->nextDateFormat, AFTER)) {
CYASSL_MSG("\tinvalid status date, looking up cert");
certStatus->status = -1;
}
else
{
CYASSL_MSG("\tusing cached status");
else {
result = xstat2err(certStatus->status);
UnLockMutex(&ocsp->ocspLock);
CYASSL_LEAVE("CheckCertOCSP", result);
return result;
}
}
if (ocsp->useOverrideUrl) {
if (ocsp->overrideUrl[0] != '\0') {
url = ocsp->overrideUrl;
UnLockMutex(&ocsp->ocspLock);
if (ocsp->cm->ocspUseOverrideURL) {
url = ocsp->cm->ocspOverrideURL;
if (url != NULL && url[0] != '\0')
urlSz = (int)XSTRLEN(url);
}
else
return OCSP_NEED_URL;
}
@ -288,56 +191,82 @@ int CyaSSL_OCSP_Lookup_Cert(CYASSL_OCSP* ocsp, DecodedCert* cert)
urlSz = cert->extAuthInfoSz;
}
else {
CYASSL_MSG("\tcert doesn't have extAuthInfo, assuming CERT_GOOD");
/* cert doesn't have extAuthInfo, assuming CERT_GOOD */
return 0;
}
ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER);
if (ocspReqBuf == NULL) {
CYASSL_MSG("\talloc OCSP request buffer failed");
CYASSL_LEAVE("CheckCertOCSP", MEMORY_ERROR);
return MEMORY_ERROR;
}
InitOcspRequest(&ocspRequest, cert, ocsp->useNonce, ocspReqBuf, ocspReqSz);
InitOcspRequest(&ocspRequest, cert, ocsp->cm->ocspSendNonce,
ocspReqBuf, ocspReqSz);
ocspReqSz = EncodeOcspRequest(&ocspRequest);
if (ocsp->CBIOOcsp) {
result = ocsp->CBIOOcsp(ocsp->IOCB_OcspCtx, url, urlSz,
ocspReqBuf, ocspReqSz, &ocspRespBuf);
}
if (ocsp->cm->ocspIOCb)
result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz,
ocspReqBuf, ocspReqSz, &ocspRespBuf);
if (result >= 0 && ocspRespBuf) {
InitOcspResponse(&ocspResponse, certStatus, ocspRespBuf, result);
XMEMSET(&newStatus, 0, sizeof(CertStatus));
InitOcspResponse(&ocspResponse, &newStatus, ocspRespBuf, result);
OcspResponseDecode(&ocspResponse);
if (ocspResponse.responseStatus != OCSP_SUCCESSFUL) {
CYASSL_MSG("OCSP Responder failure");
if (ocspResponse.responseStatus != OCSP_SUCCESSFUL)
result = OCSP_LOOKUP_FAIL;
} else {
if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0)
{
else {
if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0) {
result = xstat2err(ocspResponse.status->status);
if (LockMutex(&ocsp->ocspLock) != 0)
result = BAD_MUTEX_E;
else {
if (certStatus != NULL)
/* Replace existing certificate entry with updated */
XMEMCPY(certStatus, &newStatus, sizeof(CertStatus));
else {
/* Save new certificate entry */
certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus),
NULL, DYNAMIC_TYPE_OCSP_STATUS);
if (certStatus != NULL) {
XMEMCPY(certStatus, &newStatus, sizeof(CertStatus));
certStatus->next = ocspe->status;
ocspe->status = certStatus;
ocspe->totalStatus++;
}
}
UnLockMutex(&ocsp->ocspLock);
}
}
else
{
CYASSL_MSG("OCSP Response incorrect for Request");
result = OCSP_LOOKUP_FAIL;
}
}
}
else {
else
result = OCSP_LOOKUP_FAIL;
}
if (ocspReqBuf != NULL) {
if (ocspReqBuf != NULL)
XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER);
}
if (ocspRespBuf != NULL && ocsp->CBIOOcspRespFree) {
ocsp->CBIOOcspRespFree(ocsp->IOCB_OcspCtx, ocspRespBuf);
}
if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb)
ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf);
CYASSL_LEAVE("CheckCertOCSP", result);
return result;
}
#else /* HAVE_OCSP */
#ifdef _MSC_VER
/* 4206 warning for blank file */
#pragma warning(disable: 4206)
#endif
#endif /* HAVE_OCSP */

7
src/sniffer.c
View File

@ -417,6 +417,13 @@ void ssl_FreeSniffer(void)
FreeMutex(&SessionMutex);
FreeMutex(&ServerListMutex);
if (TraceFile) {
TraceOn = 0;
fclose(TraceFile);
TraceFile = NULL;
}
CyaSSL_Cleanup();
}

452
src/ssl.c
View File

@ -622,6 +622,56 @@ int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx)
#endif /* NO_CYASSL_CLIENT */
#endif /* HAVE_TRUNCATED_HMAC */
/* Elliptic Curves */
#ifdef HAVE_SUPPORTED_CURVES
#ifndef NO_CYASSL_CLIENT
int CyaSSL_UseSupportedCurve(CYASSL* ssl, word16 name)
{
if (ssl == NULL)
return BAD_FUNC_ARG;
switch (name) {
case CYASSL_ECC_SECP160R1:
case CYASSL_ECC_SECP192R1:
case CYASSL_ECC_SECP224R1:
case CYASSL_ECC_SECP256R1:
case CYASSL_ECC_SECP384R1:
case CYASSL_ECC_SECP521R1:
break;
default:
return BAD_FUNC_ARG;
}
return TLSX_UseSupportedCurve(&ssl->extensions, name);
}
int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx, word16 name)
{
if (ctx == NULL)
return BAD_FUNC_ARG;
switch (name) {
case CYASSL_ECC_SECP160R1:
case CYASSL_ECC_SECP192R1:
case CYASSL_ECC_SECP224R1:
case CYASSL_ECC_SECP256R1:
case CYASSL_ECC_SECP384R1:
case CYASSL_ECC_SECP521R1:
break;
default:
return BAD_FUNC_ARG;
}
return TLSX_UseSupportedCurve(&ctx->extensions, name);
}
#endif /* NO_CYASSL_CLIENT */
#endif /* HAVE_SUPPORTED_CURVES */
#ifndef CYASSL_LEANPSK
int CyaSSL_send(CYASSL* ssl, const void* data, int sz, int flags)
{
@ -910,6 +960,15 @@ int CyaSSL_GetKeySize(CYASSL* ssl)
}
int CyaSSL_GetIVSize(CYASSL* ssl)
{
if (ssl)
return ssl->specs.iv_size;
return BAD_FUNC_ARG;
}
int CyaSSL_GetBulkCipher(CYASSL* ssl)
{
if (ssl)
@ -976,8 +1035,9 @@ int CyaSSL_GetSide(CYASSL* ssl)
int CyaSSL_GetHmacSize(CYASSL* ssl)
{
/* AEAD ciphers don't have HMAC keys */
if (ssl)
return ssl->specs.hash_size;
return (ssl->specs.cipher_type != aead) ? ssl->specs.hash_size : 0;
return BAD_FUNC_ARG;
}
@ -995,16 +1055,7 @@ CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void)
cm = (CYASSL_CERT_MANAGER*) XMALLOC(sizeof(CYASSL_CERT_MANAGER), 0,
DYNAMIC_TYPE_CERT_MANAGER);
if (cm) {
int i;
for (i = 0; i < CA_TABLE_SIZE; i++)
cm->caTable[i] = NULL;
cm->heap = NULL;
cm->caCacheCallback = NULL;
cm->crl = NULL;
cm->crlEnabled = 0;
cm->crlCheckAll = 0;
cm->cbMissingCRL = NULL;
XMEMSET(cm, 0, sizeof(CYASSL_CERT_MANAGER));
if (InitMutex(&cm->caLock) != 0) {
CYASSL_MSG("Bad mutex init");
@ -1026,6 +1077,10 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm)
if (cm->crl)
FreeCRL(cm->crl, 1);
#endif
#ifdef HAVE_OCSP
if (cm->ocsp)
FreeOCSP(cm->ocsp, 1);
#endif
FreeSignerTable(cm->caTable, CA_TABLE_SIZE, NULL);
FreeMutex(&cm->caLock);
XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER);
@ -1054,6 +1109,67 @@ int CyaSSL_CertManagerUnloadCAs(CYASSL_CERT_MANAGER* cm)
}
/* Return bytes written to buff or < 0 for error */
int CyaSSL_CertPemToDer(const unsigned char* pem, int pemSz,
unsigned char* buff, int buffSz,
int type)
{
EncryptedInfo info;
int eccKey = 0;
int ret;
buffer der;
CYASSL_ENTER("CyaSSL_CertPemToDer");
if (pem == NULL || buff == NULL || buffSz <= 0) {
CYASSL_MSG("Bad pem der args");
return BAD_FUNC_ARG;
}
if (type != CERT_TYPE && type != CA_TYPE && type != CERTREQ_TYPE) {
CYASSL_MSG("Bad cert type");
return BAD_FUNC_ARG;
}
info.set = 0;
info.ctx = NULL;
info.consumed = 0;
der.buffer = NULL;
ret = PemToDer(pem, pemSz, type, &der, NULL, &info, &eccKey);
if (ret < 0) {
CYASSL_MSG("Bad Pem To Der");
}
else {
if (der.length <= (word32)buffSz) {
XMEMCPY(buff, der.buffer, der.length);
ret = der.length;
}
else {
CYASSL_MSG("Bad der length");
ret = BAD_FUNC_ARG;
}
}
XFREE(der.buffer, NULL, DYNAMIC_TYPE_KEY);
return ret;
}
/* our KeyPemToDer password callback, password in userData */
static INLINE int OurPasswordCb(char* passwd, int sz, int rw, void* userdata)
{
(void)rw;
if (userdata == NULL)
return 0;
XSTRNCPY(passwd, (char*)userdata, sz);
return min((word32)sz, (word32)XSTRLEN((char*)userdata));
}
/* Return bytes written to buff or < 0 for error */
int CyaSSL_KeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff,
int buffSz, const char* pass)
@ -1077,6 +1193,16 @@ int CyaSSL_KeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff,
info.consumed = 0;
der.buffer = NULL;
#ifdef OPENSSL_EXTRA
if (pass) {
info.ctx = CyaSSL_CTX_new(CyaSSLv23_client_method());
if (info.ctx == NULL)
return MEMORY_E;
CyaSSL_CTX_set_default_passwd_cb(info.ctx, OurPasswordCb);
CyaSSL_CTX_set_default_passwd_cb_userdata(info.ctx, (void*)pass);
}
#endif
ret = PemToDer(pem, pemSz, PRIVATEKEY_TYPE, &der, NULL, &info, &eccKey);
if (ret < 0) {
CYASSL_MSG("Bad Pem To Der");
@ -1094,6 +1220,9 @@ int CyaSSL_KeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff,
XFREE(der.buffer, NULL, DYNAMIC_TYPE_KEY);
if (info.ctx)
CyaSSL_CTX_free(info.ctx);
return ret;
}
@ -1537,6 +1666,7 @@ int CyaSSL_Init(void)
char* consumedEnd;
char* bufferEnd = (char*)(buff + longSz);
long neededSz;
int ret = 0;
int pkcs8 = 0;
int pkcs8Enc = 0;
int dynamicType = 0;
@ -1550,6 +1680,12 @@ int CyaSSL_Init(void)
XSTRNCPY(footer, "-----END CERTIFICATE-----", sizeof(footer));
dynamicType = (type == CA_TYPE) ? DYNAMIC_TYPE_CA :
DYNAMIC_TYPE_CERT;
} else if (type == CERTREQ_TYPE) {
XSTRNCPY(header, "-----BEGIN CERTIFICATE REQUEST-----",
sizeof(header));
XSTRNCPY(footer, "-----END CERTIFICATE REQUEST-----",
sizeof(footer));
dynamicType = DYNAMIC_TYPE_KEY;
} else if (type == DH_PARAM_TYPE) {
XSTRNCPY(header, "-----BEGIN DH PARAMETERS-----", sizeof(header));
XSTRNCPY(footer, "-----END DH PARAMETERS-----", sizeof(footer));
@ -1688,8 +1824,15 @@ int CyaSSL_Init(void)
&der->length) < 0)
return SSL_BAD_FILE;
if (pkcs8)
return ToTraditional(der->buffer, der->length);
if (pkcs8) {
/* convert and adjust length */
if ( (ret = ToTraditional(der->buffer, der->length)) < 0 ) {
return ret;
} else {
der->length = ret;
return 0;
}
}
#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED)
if (pkcs8Enc) {
@ -1700,8 +1843,14 @@ int CyaSSL_Init(void)
return SSL_BAD_FILE; /* no callback error */
passwordSz = info->ctx->passwd_cb(password, sizeof(password), 0,
info->ctx->userdata);
return ToTraditionalEnc(der->buffer, der->length, password,
passwordSz);
/* convert and adjust length */
if ( (ret = ToTraditionalEnc(der->buffer, der->length, password,
passwordSz)) < 0 ) {
return ret;
} else {
der->length = ret;
return 0;
}
}
#endif
@ -1730,6 +1879,7 @@ int CyaSSL_Init(void)
der.buffer = 0;
(void)dynamicType;
(void)rsaKey;
if (used)
*used = sz; /* used bytes default to sz, PEM chain may shorten*/
@ -1980,7 +2130,8 @@ int CyaSSL_Init(void)
}
ecc_free(&key);
eccKey = 1;
ctx->haveStaticECC = 1;
if (ctx)
ctx->haveStaticECC = 1;
if (ssl)
ssl->options.haveStaticECC = 1;
}
@ -2012,6 +2163,13 @@ int CyaSSL_Init(void)
break;
}
#ifdef HAVE_ECC
if (ctx)
ctx->pkCurveOID = cert.pkCurveOID;
if (ssl)
ssl->pkCurveOID = cert.pkCurveOID;
#endif
FreeDecodedCert(&cert);
}
@ -2452,6 +2610,62 @@ int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm)
}
/* turn on OCSP if off and compiled in, set options */
int CyaSSL_CertManagerEnableOCSP(CYASSL_CERT_MANAGER* cm, int options)
{
int ret = SSL_SUCCESS;
(void)options;
CYASSL_ENTER("CyaSSL_CertManagerEnableOCSP");
if (cm == NULL)
return BAD_FUNC_ARG;
#ifdef HAVE_OCSP
if (cm->ocsp == NULL) {
cm->ocsp = (CYASSL_OCSP*)XMALLOC(sizeof(CYASSL_OCSP), cm->heap,
DYNAMIC_TYPE_OCSP);
if (cm->ocsp == NULL)
return MEMORY_E;
if (InitOCSP(cm->ocsp, cm) != 0) {
CYASSL_MSG("Init OCSP failed");
FreeOCSP(cm->ocsp, 1);
cm->ocsp = NULL;
return SSL_FAILURE;
}
}
cm->ocspEnabled = 1;
if (options & CYASSL_OCSP_URL_OVERRIDE)
cm->ocspUseOverrideURL = 1;
if (options & CYASSL_OCSP_NO_NONCE)
cm->ocspSendNonce = 0;
else
cm->ocspSendNonce = 1;
#ifndef CYASSL_USER_IO
cm->ocspIOCb = EmbedOcspLookup;
cm->ocspRespFreeCb = EmbedOcspRespFree;
#endif /* CYASSL_USER_IO */
#else
ret = NOT_COMPILED_IN;
#endif
return ret;
}
int CyaSSL_CertManagerDisableOCSP(CYASSL_CERT_MANAGER* cm)
{
CYASSL_ENTER("CyaSSL_CertManagerDisableOCSP");
if (cm == NULL)
return BAD_FUNC_ARG;
cm->ocspEnabled = 0;
return SSL_SUCCESS;
}
int CyaSSL_CTX_check_private_key(CYASSL_CTX* ctx)
{
/* TODO: check private against public for RSA match */
@ -2614,6 +2828,171 @@ int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX* ctx, CbMissingCRL cb)
#endif /* HAVE_CRL */
#ifdef HAVE_OCSP
/* check CRL if enabled, SSL_SUCCESS */
int CyaSSL_CertManagerCheckOCSP(CYASSL_CERT_MANAGER* cm, byte* der, int sz)
{
int ret;
DecodedCert cert;
CYASSL_ENTER("CyaSSL_CertManagerCheckOCSP");
if (cm == NULL)
return BAD_FUNC_ARG;
if (cm->ocspEnabled == 0)
return SSL_SUCCESS;
InitDecodedCert(&cert, der, sz, NULL);
ret = ParseCertRelative(&cert, CERT_TYPE, NO_VERIFY, cm);
if (ret != 0) {
CYASSL_MSG("ParseCert failed");
return ret;
}
else {
ret = CheckCertOCSP(cm->ocsp, &cert);
if (ret != 0) {
CYASSL_MSG("CheckCertOCSP failed");
}
}
FreeDecodedCert(&cert);
if (ret == 0)
return SSL_SUCCESS; /* convert */
return ret;
}
int CyaSSL_CertManagerSetOCSPOverrideURL(CYASSL_CERT_MANAGER* cm,
const char* url)
{
CYASSL_ENTER("CyaSSL_CertManagerSetOCSPOverrideURL");
if (cm == NULL)
return BAD_FUNC_ARG;
XFREE(cm->ocspOverrideURL, cm->heap, 0);
if (url != NULL) {
int urlSz = (int)XSTRLEN(url) + 1;
cm->ocspOverrideURL = (char*)XMALLOC(urlSz, cm->heap, 0);
if (cm->ocspOverrideURL != NULL) {
XMEMCPY(cm->ocspOverrideURL, url, urlSz);
}
else
return MEMORY_E;
}
else
cm->ocspOverrideURL = NULL;
return SSL_SUCCESS;
}
int CyaSSL_CertManagerSetOCSP_Cb(CYASSL_CERT_MANAGER* cm,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
CYASSL_ENTER("CyaSSL_CertManagerSetOCSP_Cb");
if (cm == NULL)
return BAD_FUNC_ARG;
cm->ocspIOCb = ioCb;
cm->ocspRespFreeCb = respFreeCb;
cm->ocspIOCtx = ioCbCtx;
return SSL_SUCCESS;
}
int CyaSSL_EnableOCSP(CYASSL* ssl, int options)
{
CYASSL_ENTER("CyaSSL_EnableOCSP");
if (ssl)
return CyaSSL_CertManagerEnableOCSP(ssl->ctx->cm, options);
else
return BAD_FUNC_ARG;
}
int CyaSSL_DisableOCSP(CYASSL* ssl)
{
CYASSL_ENTER("CyaSSL_DisableOCSP");
if (ssl)
return CyaSSL_CertManagerDisableOCSP(ssl->ctx->cm);
else
return BAD_FUNC_ARG;
}
int CyaSSL_SetOCSP_OverrideURL(CYASSL* ssl, const char* url)
{
CYASSL_ENTER("CyaSSL_SetOCSP_OverrideURL");
if (ssl)
return CyaSSL_CertManagerSetOCSPOverrideURL(ssl->ctx->cm, url);
else
return BAD_FUNC_ARG;
}
int CyaSSL_SetOCSP_Cb(CYASSL* ssl,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
CYASSL_ENTER("CyaSSL_SetOCSP_Cb");
if (ssl)
return CyaSSL_CertManagerSetOCSP_Cb(ssl->ctx->cm,
ioCb, respFreeCb, ioCbCtx);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_EnableOCSP(CYASSL_CTX* ctx, int options)
{
CYASSL_ENTER("CyaSSL_CTX_EnableOCSP");
if (ctx)
return CyaSSL_CertManagerEnableOCSP(ctx->cm, options);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_DisableOCSP(CYASSL_CTX* ctx)
{
CYASSL_ENTER("CyaSSL_CTX_DisableOCSP");
if (ctx)
return CyaSSL_CertManagerDisableOCSP(ctx->cm);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_SetOCSP_OverrideURL(CYASSL_CTX* ctx, const char* url)
{
CYASSL_ENTER("CyaSSL_SetOCSP_OverrideURL");
if (ctx)
return CyaSSL_CertManagerSetOCSPOverrideURL(ctx->cm, url);
else
return BAD_FUNC_ARG;
}
int CyaSSL_CTX_SetOCSP_Cb(CYASSL_CTX* ctx,
CbOCSPIO ioCb, CbOCSPRespFree respFreeCb, void* ioCbCtx)
{
CYASSL_ENTER("CyaSSL_CTX_SetOCSP_Cb");
if (ctx)
return CyaSSL_CertManagerSetOCSP_Cb(ctx->cm, ioCb, respFreeCb, ioCbCtx);
else
return BAD_FUNC_ARG;
}
#endif /* HAVE_OCSP */
#ifdef CYASSL_DER_LOAD
/* Add format parameter to allow DER load of CA files */
@ -7561,6 +7940,8 @@ CYASSL_X509* CyaSSL_X509_d2i(CYASSL_X509** x509, const byte* in, int len)
}
#ifndef NO_FILESYSTEM
CYASSL_X509* CyaSSL_X509_d2i_fp(CYASSL_X509** x509, XFILE file)
{
CYASSL_X509* newX509 = NULL;
@ -7684,6 +8065,7 @@ CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format)
return x509;
}
#endif /* NO_FILESYSTEM */
#endif /* KEEP_PEER_CERT || SESSION_CERTS */
@ -10866,38 +11248,6 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session)
#endif /* SESSION_CERTS */
int CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, int options)
{
CYASSL_ENTER("CyaSSL_CTX_OCSP_set_options");
#ifdef HAVE_OCSP
if (ctx != NULL) {
ctx->ocsp.enabled = (options & CYASSL_OCSP_ENABLE) != 0;
ctx->ocsp.useOverrideUrl = (options & CYASSL_OCSP_URL_OVERRIDE) != 0;
ctx->ocsp.useNonce = (options & CYASSL_OCSP_NO_NONCE) == 0;
return SSL_SUCCESS;
}
return SSL_FAILURE;
#else
(void)ctx;
(void)options;
return NOT_COMPILED_IN;
#endif
}
int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url)
{
CYASSL_ENTER("CyaSSL_CTX_OCSP_set_override_url");
#ifdef HAVE_OCSP
return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url);
#else
(void)ctx;
(void)url;
return NOT_COMPILED_IN;
#endif
}
#ifndef NO_CERTS
#ifdef HAVE_PK_CALLBACKS
@ -11047,3 +11397,9 @@ void* CyaSSL_GetRsaDecCtx(CYASSL* ssl)
#endif /* HAVE_PK_CALLBACKS */
#endif /* NO_CERTS */
#ifdef CYASSL_HAVE_WOLFSCEP
/* Used by autoconf to see if wolfSCEP is available */
void CyaSSL_wolfSCEP(void) {}
#endif

350
src/tls.c
View File

@ -515,6 +515,12 @@ void TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz,
#ifdef HAVE_TLS_EXTENSIONS
#define IS_OFF(semaphore, light) \
((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8)))
#define TURN_ON(semaphore, light) \
((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
static int TLSX_Append(TLSX** list, TLSX_Type type)
{
TLSX* extension;
@ -536,7 +542,9 @@ static int TLSX_Append(TLSX** list, TLSX_Type type)
#ifndef NO_CYASSL_SERVER
static void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type)
void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type);
void TLSX_SetResponse(CYASSL* ssl, TLSX_Type type)
{
TLSX *ext = TLSX_Find(ssl->extensions, type);
@ -768,7 +776,7 @@ static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length,
int r = TLSX_UseSNI(&ssl->extensions,
type, input + offset, size);
if (r) return r; /* throw error */
if (r != SSL_SUCCESS) return r; /* throw error */
TLSX_SNI_SetStatus(ssl->extensions, type,
matched ? CYASSL_SNI_REAL_MATCH : CYASSL_SNI_FAKE_MATCH);
@ -834,7 +842,7 @@ int TLSX_UseSNI(TLSX** extensions, byte type, const void* data, word16 size)
}
} while ((sni = sni->next));
return 0;
return SSL_SUCCESS;
}
#ifndef NO_CYASSL_SERVER
@ -974,7 +982,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
if (sniType != type) {
offset += sniLen;
listLen -= MIN(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
listLen -= min(ENUM_LEN + OPAQUE16_LEN + sniLen, listLen);
continue;
}
@ -985,10 +993,10 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz,
}
}
len16 -= MIN(2 * OPAQUE16_LEN + extLen, len16);
len16 -= min(2 * OPAQUE16_LEN + extLen, len16);
}
return len16 ? BUFFER_ERROR : 0;
return len16 ? BUFFER_ERROR : SSL_SUCCESS;
}
#endif
@ -1039,7 +1047,7 @@ static int TLSX_MFL_Parse(CYASSL* ssl, byte* input, word16 length,
if (isRequest) {
int r = TLSX_UseMaxFragment(&ssl->extensions, *input);
if (r) return r; /* throw error */
if (r != SSL_SUCCESS) return r; /* throw error */
TLSX_SetResponse(ssl, MAX_FRAGMENT_LENGTH);
}
@ -1089,7 +1097,7 @@ int TLSX_UseMaxFragment(TLSX** extensions, byte mfl)
}
} while ((extension = extension->next));
return 0;
return SSL_SUCCESS;
}
@ -1120,7 +1128,7 @@ int TLSX_UseTruncatedHMAC(TLSX** extensions)
if ((ret = TLSX_Append(extensions, TRUNCATED_HMAC)) != 0)
return ret;
return 0;
return SSL_SUCCESS;
}
static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length,
@ -1133,7 +1141,7 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length,
if (isRequest) {
int r = TLSX_UseTruncatedHMAC(&ssl->extensions);
if (r) return r; /* throw error */
if (r != SSL_SUCCESS) return r; /* throw error */
TLSX_SetResponse(ssl, TRUNCATED_HMAC);
}
@ -1152,6 +1160,292 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length,
#endif /* HAVE_TRUNCATED_HMAC */
#ifdef HAVE_SUPPORTED_CURVES
#ifndef HAVE_ECC
#error "Elliptic Curves Extension requires Elliptic Curve Cryptography. \
Use --enable-ecc in the configure script or define HAVE_ECC."
#endif
static void TLSX_EllipticCurve_FreeAll(EllipticCurve* list)
{
EllipticCurve* curve;
while ((curve = list)) {
list = curve->next;
XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
}
}
static int TLSX_EllipticCurve_Append(EllipticCurve** list, word16 name)
{
EllipticCurve* curve;
if (list == NULL)
return BAD_FUNC_ARG;
if ((curve = XMALLOC(sizeof(EllipticCurve), 0, DYNAMIC_TYPE_TLSX)) == NULL)
return MEMORY_E;
curve->name = name;
curve->next = *list;
*list = curve;
return 0;
}
#ifndef NO_CYASSL_CLIENT
static void TLSX_EllipticCurve_ValidateRequest(CYASSL* ssl, byte* semaphore)
{
int i;
for (i = 0; i < ssl->suites->suiteSz; i+= 2)
if (ssl->suites->suites[i] == ECC_BYTE)
return;
/* No elliptic curve suite found */
TURN_ON(semaphore, ELLIPTIC_CURVES);
}
static word16 TLSX_EllipticCurve_GetSize(EllipticCurve* list)
{
EllipticCurve* curve;
word16 length = OPAQUE16_LEN; /* list length */
while ((curve = list)) {
list = curve->next;
length += OPAQUE16_LEN; /* curve length */
}
return length;
}
static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output);
static word16 TLSX_EllipticCurve_WriteR(EllipticCurve* curve, byte* output)
{
word16 offset = 0;
if (!curve)
return offset;
offset = TLSX_EllipticCurve_WriteR(curve->next, output);
c16toa(curve->name, output + offset);
return OPAQUE16_LEN + offset;
}
static word16 TLSX_EllipticCurve_Write(EllipticCurve* list, byte* output)
{
word16 length = TLSX_EllipticCurve_WriteR(list, output + OPAQUE16_LEN);
c16toa(length, output); /* writing list length */
return OPAQUE16_LEN + length;
}
#endif /* NO_CYASSL_CLIENT */
#ifndef NO_CYASSL_SERVER
static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length,
byte isRequest)
{
word16 offset;
word16 name;
int r;
(void) isRequest; /* shut up compiler! */
if (OPAQUE16_LEN > length || length % OPAQUE16_LEN)
return INCOMPLETE_DATA;
ato16(input, &offset);
/* validating curve list length */
if (length != OPAQUE16_LEN + offset)
return INCOMPLETE_DATA;
while (offset) {
ato16(input + offset, &name);
offset -= OPAQUE16_LEN;
r = TLSX_UseSupportedCurve(&ssl->extensions, name);
if (r != SSL_SUCCESS) return r; /* throw error */
}
return 0;
}
int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) {
TLSX* extension = (first == ECC_BYTE)
? TLSX_Find(ssl->extensions, ELLIPTIC_CURVES)
: NULL;
EllipticCurve* curve = NULL;
word32 oid = 0;
word16 octets = 0; /* acording to 'ecc_set_type ecc_sets[];' */
int sig = 0; /* valitade signature */
int key = 0; /* validate key */
if (!extension)
return 1; /* no suite restriction */
for (curve = extension->data; curve && !(sig && key); curve = curve->next) {
switch (curve->name) {
case CYASSL_ECC_SECP160R1: oid = ECC_160R1; octets = 20; break;
case CYASSL_ECC_SECP192R1: oid = ECC_192R1; octets = 24; break;
case CYASSL_ECC_SECP224R1: oid = ECC_224R1; octets = 28; break;
case CYASSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break;
case CYASSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break;
case CYASSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break;
default: continue; /* unsupported curve */
}
switch (second) {
#ifndef NO_DSA
/* ECDHE_ECDSA */
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA:
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384:
case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:
case TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8:
case TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8:
sig |= ssl->pkCurveOID == oid;
key |= ssl->eccTempKeySz == octets;
break;
/* ECDH_ECDSA */
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA:
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA:
case TLS_ECDH_ECDSA_WITH_RC4_128_SHA:
case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384:
case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384:
sig |= ssl->pkCurveOID == oid;
key |= ssl->pkCurveOID == oid;
break;
#endif
#ifndef NO_RSA
/* ECDHE_RSA */
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDHE_RSA_WITH_RC4_128_SHA:
case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384:
case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:
sig = 1;
key |= ssl->eccTempKeySz == octets;
break;
/* ECDH_RSA */
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA:
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA:
case TLS_ECDH_RSA_WITH_RC4_128_SHA:
case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA:
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256:
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384:
case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256:
case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384:
sig = 1;
key |= ssl->pkCurveOID == oid;
break;
#endif
default:
sig = 1;
key = 1;
break;
}
}
return sig && key;
}
#endif /* NO_CYASSL_SERVER */
int TLSX_UseSupportedCurve(TLSX** extensions, word16 name)
{
TLSX* extension = NULL;
EllipticCurve* curve = NULL;
int ret = 0;
if (extensions == NULL)
return BAD_FUNC_ARG;
if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0)
return ret;
extension = *extensions;
/* find EllipticCurve extension if it already exists. */
while (extension && extension->type != ELLIPTIC_CURVES)
extension = extension->next;
/* push new EllipticCurve extension if it doesn't exists. */
if (!extension) {
if ((ret = TLSX_Append(extensions, ELLIPTIC_CURVES)) != 0) {
XFREE(curve, 0, DYNAMIC_TYPE_TLSX);
return ret;
}
extension = *extensions;
}
/* push new EllipticCurve object to extension data. */
curve->next = (EllipticCurve*) extension->data;
extension->data = (void*) curve;
/* look for another curve of the same name to remove (replacement) */
do {
if (curve->next && curve->next->name == name) {
EllipticCurve *next = curve->next;
curve->next = next->next;
XFREE(next, 0, DYNAMIC_TYPE_TLSX);
break;
}
} while ((curve = curve->next));
return SSL_SUCCESS;
}
#define EC_FREE_ALL TLSX_EllipticCurve_FreeAll
#define EC_VALIDATE_REQUEST TLSX_EllipticCurve_ValidateRequest
#ifndef NO_CYASSL_CLIENT
#define EC_GET_SIZE TLSX_EllipticCurve_GetSize
#define EC_WRITE TLSX_EllipticCurve_Write
#else
#define EC_GET_SIZE(list) 0
#define EC_WRITE(a, b) 0
#endif
#ifndef NO_CYASSL_SERVER
#define EC_PARSE TLSX_EllipticCurve_Parse
#else
#define EC_PARSE(a, b, c, d) 0
#endif
#else
#define EC_FREE_ALL(list)
#define EC_GET_SIZE(list) 0
#define EC_WRITE(a, b) 0
#define EC_PARSE(a, b, c, d) 0
#define EC_VALIDATE_REQUEST(a, b)
#endif /* HAVE_SUPPORTED_CURVES */
TLSX* TLSX_Find(TLSX* list, TLSX_Type type)
{
TLSX* extension = list;
@ -1181,18 +1475,16 @@ void TLSX_FreeAll(TLSX* list)
case TRUNCATED_HMAC:
/* Nothing to do. */
break;
case ELLIPTIC_CURVES:
EC_FREE_ALL(extension->data);
break;
}
XFREE(extension, 0, DYNAMIC_TYPE_TLSX);
}
}
#define IS_OFF(semaphore, light) \
((semaphore)[(light) / 8] ^ (byte) (0x01 << ((light) % 8)))
#define TURN_ON(semaphore, light) \
((semaphore)[(light) / 8] |= (byte) (0x01 << ((light) % 8)))
static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
{
TLSX* extension;
@ -1220,6 +1512,10 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
case TRUNCATED_HMAC:
/* empty extension. */
break;
case ELLIPTIC_CURVES:
length += EC_GET_SIZE((EllipticCurve *) extension->data);
break;
}
TURN_ON(semaphore, extension->type);
@ -1264,6 +1560,11 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
case TRUNCATED_HMAC:
/* empty extension. */
break;
case ELLIPTIC_CURVES:
offset += EC_WRITE((EllipticCurve *) extension->data,
output + offset);
break;
}
/* writing extension data length */
@ -1286,6 +1587,8 @@ word16 TLSX_GetRequestSize(CYASSL* ssl)
if (ssl && IsTLS(ssl)) {
byte semaphore[16] = {0};
EC_VALIDATE_REQUEST(ssl, semaphore);
if (ssl->extensions)
length += TLSX_GetSize(ssl->extensions, semaphore, 1);
@ -1311,6 +1614,8 @@ word16 TLSX_WriteRequest(CYASSL* ssl, byte* output)
offset += OPAQUE16_LEN; /* extensions length */
EC_VALIDATE_REQUEST(ssl, semaphore);
if (ssl->extensions)
offset += TLSX_Write(ssl->extensions, output + offset,
semaphore, 1);
@ -1430,6 +1735,12 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
ret = THM_PARSE(ssl, input + offset, size, isRequest);
break;
case ELLIPTIC_CURVES:
CYASSL_MSG("Elliptic Curves extension received");
ret = EC_PARSE(ssl, input + offset, size, isRequest);
break;
case HELLO_EXT_SIG_ALGO:
if (isRequest) {
/* do not mess with offset inside the switch! */
@ -1462,6 +1773,13 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest,
#undef IS_OFF
#undef TURN_ON
#elif defined(HAVE_SNI) \
|| defined(HAVE_MAX_FRAGMENT) \
|| defined(HAVE_TRUNCATED_HMAC) \
|| defined(HAVE_SUPPORTED_CURVES)
#error "Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined."
#endif /* HAVE_TLS_EXTENSIONS */

2
sslSniffer/sslSnifferTest/include.am
View File

@ -2,7 +2,7 @@
# included from Top Level Makefile.am
# All paths should be given relative to the root
if BUILD_SNIFFER
if BUILD_SNIFFTEST
noinst_PROGRAMS += sslSniffer/sslSnifferTest/snifftest
sslSniffer_sslSnifferTest_snifftest_SOURCES = sslSniffer/sslSnifferTest/snifftest.c
sslSniffer_sslSnifferTest_snifftest_LDADD = src/libcyassl.la -lpcap

24
sslSniffer/sslSnifferTest/snifftest.c
View File

@ -69,18 +69,25 @@ enum {
};
pcap_t* pcap = 0;
pcap_if_t *alldevs;
pcap_t* pcap = NULL;
pcap_if_t* alldevs = NULL;
static void FreeAll(void)
{
if (pcap)
pcap_close(pcap);
if (alldevs)
pcap_freealldevs(alldevs);
#ifndef _WIN32
ssl_FreeSniffer();
#endif
}
static void sig_handler(const int sig)
{
printf("SIGINT handled = %d.\n", sig);
if (pcap)
pcap_close(pcap);
pcap_freealldevs(alldevs);
#ifndef _WIN32
ssl_FreeSniffer();
#endif
FreeAll();
if (sig)
exit(EXIT_SUCCESS);
}
@ -286,6 +293,7 @@ int main(int argc, char** argv)
else if (saveFile)
break; /* we're done reading file */
}
FreeAll();
return EXIT_SUCCESS;
}

108
tests/api.c
View File

@ -56,6 +56,9 @@ static void test_CyaSSL_UseMaxFragment(void);
#ifdef HAVE_TRUNCATED_HMAC
static void test_CyaSSL_UseTruncatedHMAC(void);
#endif /* HAVE_TRUNCATED_HMAC */
#ifdef HAVE_SUPPORTED_CURVES
static void test_CyaSSL_UseSupportedCurve(void);
#endif /* HAVE_SUPPORTED_CURVES */
/* test function helpers */
static int test_method(CYASSL_METHOD *method, const char *name);
@ -116,6 +119,9 @@ int ApiTest(void)
#ifdef HAVE_TRUNCATED_HMAC
test_CyaSSL_UseTruncatedHMAC();
#endif /* HAVE_TRUNCATED_HMAC */
#ifdef HAVE_SUPPORTED_CURVES
test_CyaSSL_UseSupportedCurve();
#endif /* HAVE_SUPPORTED_CURVES */
test_CyaSSL_Cleanup();
printf(" End API Tests\n");
@ -236,14 +242,13 @@ int test_CyaSSL_CTX_new(CYASSL_METHOD *method)
return TEST_SUCCESS;
}
#ifdef HAVE_TLS_EXTENSIONS
#ifdef HAVE_SNI
static void use_SNI_at_ctx(CYASSL_CTX* ctx)
{
byte type = CYASSL_SNI_HOST_NAME;
char name[] = "www.yassl.com";
AssertIntEQ(0, CyaSSL_CTX_UseSNI(ctx, type, (void *) name, XSTRLEN(name)));
AssertIntEQ(1, CyaSSL_CTX_UseSNI(ctx, type, (void *) name, XSTRLEN(name)));
}
static void use_SNI_at_ssl(CYASSL* ssl)
@ -251,7 +256,7 @@ static void use_SNI_at_ssl(CYASSL* ssl)
byte type = CYASSL_SNI_HOST_NAME;
char name[] = "www.yassl.com";
AssertIntEQ(0, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name)));
AssertIntEQ(1, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name)));
}
static void different_SNI_at_ssl(CYASSL* ssl)
@ -259,7 +264,7 @@ static void different_SNI_at_ssl(CYASSL* ssl)
byte type = CYASSL_SNI_HOST_NAME;
char name[] = "ww2.yassl.com";
AssertIntEQ(0, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name)));
AssertIntEQ(1, CyaSSL_UseSNI(ssl, type, (void *) name, XSTRLEN(name)));
}
static void use_SNI_WITH_CONTINUE_at_ssl(CYASSL* ssl)
@ -379,11 +384,11 @@ static void test_CyaSSL_SNI_GetFromBuffer(void)
byte result[32] = {0};
word32 length = 32;
AssertIntEQ(0, CyaSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3), 0,
result, &length));
AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer3, sizeof(buffer3),
0, result, &length));
AssertIntEQ(0, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2), 1,
result, &length));
AssertIntEQ(SSL_SUCCESS, CyaSSL_SNI_GetFromBuffer(buffer2, sizeof(buffer2),
1, result, &length));
AssertIntEQ(-228, CyaSSL_SNI_GetFromBuffer(buffer, sizeof(buffer), 0,
result, &length));
@ -426,20 +431,22 @@ void test_CyaSSL_UseSNI(void)
AssertNotNull(ssl);
/* error cases */
AssertIntNE(0, CyaSSL_CTX_UseSNI(NULL, 0, (void *) "ctx", XSTRLEN("ctx")));
AssertIntNE(0, CyaSSL_UseSNI( NULL, 0, (void *) "ssl", XSTRLEN("ssl")));
AssertIntNE(0, CyaSSL_CTX_UseSNI(ctx, -1, (void *) "ctx", XSTRLEN("ctx")));
AssertIntNE(0, CyaSSL_UseSNI( ssl, -1, (void *) "ssl", XSTRLEN("ssl")));
AssertIntNE(0, CyaSSL_CTX_UseSNI(ctx, 0, (void *) NULL, XSTRLEN("ctx")));
AssertIntNE(0, CyaSSL_UseSNI( ssl, 0, (void *) NULL, XSTRLEN("ssl")));
AssertIntNE(1, CyaSSL_CTX_UseSNI(NULL, 0, (void *) "ctx", XSTRLEN("ctx")));
AssertIntNE(1, CyaSSL_UseSNI( NULL, 0, (void *) "ssl", XSTRLEN("ssl")));
AssertIntNE(1, CyaSSL_CTX_UseSNI(ctx, -1, (void *) "ctx", XSTRLEN("ctx")));
AssertIntNE(1, CyaSSL_UseSNI( ssl, -1, (void *) "ssl", XSTRLEN("ssl")));
AssertIntNE(1, CyaSSL_CTX_UseSNI(ctx, 0, (void *) NULL, XSTRLEN("ctx")));
AssertIntNE(1, CyaSSL_UseSNI( ssl, 0, (void *) NULL, XSTRLEN("ssl")));
/* success case */
AssertIntEQ(0, CyaSSL_CTX_UseSNI(ctx, 0, (void *) "ctx", XSTRLEN("ctx")));
AssertIntEQ(0, CyaSSL_UseSNI( ssl, 0, (void *) "ssl", XSTRLEN("ssl")));
AssertIntEQ(1, CyaSSL_CTX_UseSNI(ctx, 0, (void *) "ctx", XSTRLEN("ctx")));
AssertIntEQ(1, CyaSSL_UseSNI( ssl, 0, (void *) "ssl", XSTRLEN("ssl")));
CyaSSL_free(ssl);
CyaSSL_CTX_free(ctx);
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* Testing success case at ctx */
client_callbacks.ctx_ready = server_callbacks.ctx_ready = use_SNI_at_ctx;
server_callbacks.on_result = verify_SNI_real_matching;
@ -473,6 +480,8 @@ void test_CyaSSL_UseSNI(void)
test_CyaSSL_client_server(&client_callbacks, &server_callbacks);
#endif
test_CyaSSL_SNI_GetFromBuffer();
}
#endif /* HAVE_SNI */
@ -487,24 +496,24 @@ static void test_CyaSSL_UseMaxFragment(void)
AssertNotNull(ssl);
/* error cases */
AssertIntNE(0, CyaSSL_CTX_UseMaxFragment(NULL, CYASSL_MFL_2_9));
AssertIntNE(0, CyaSSL_UseMaxFragment( NULL, CYASSL_MFL_2_9));
AssertIntNE(0, CyaSSL_CTX_UseMaxFragment(ctx, 0));
AssertIntNE(0, CyaSSL_CTX_UseMaxFragment(ctx, 6));
AssertIntNE(0, CyaSSL_UseMaxFragment(ssl, 0));
AssertIntNE(0, CyaSSL_UseMaxFragment(ssl, 6));
AssertIntNE(1, CyaSSL_CTX_UseMaxFragment(NULL, CYASSL_MFL_2_9));
AssertIntNE(1, CyaSSL_UseMaxFragment( NULL, CYASSL_MFL_2_9));
AssertIntNE(1, CyaSSL_CTX_UseMaxFragment(ctx, 0));
AssertIntNE(1, CyaSSL_CTX_UseMaxFragment(ctx, 6));
AssertIntNE(1, CyaSSL_UseMaxFragment(ssl, 0));
AssertIntNE(1, CyaSSL_UseMaxFragment(ssl, 6));
/* success case */
AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_9));
AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_10));
AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_11));
AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_12));
AssertIntEQ(0, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_13));
AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_9));
AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_10));
AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_11));
AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_12));
AssertIntEQ(0, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_13));
AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_9));
AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_10));
AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_11));
AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_12));
AssertIntEQ(1, CyaSSL_CTX_UseMaxFragment(ctx, CYASSL_MFL_2_13));
AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_9));
AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_10));
AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_11));
AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_12));
AssertIntEQ(1, CyaSSL_UseMaxFragment( ssl, CYASSL_MFL_2_13));
CyaSSL_free(ssl);
CyaSSL_CTX_free(ctx);
@ -521,19 +530,44 @@ static void test_CyaSSL_UseTruncatedHMAC(void)
AssertNotNull(ssl);
/* error cases */
AssertIntNE(0, CyaSSL_CTX_UseTruncatedHMAC(NULL));
AssertIntNE(0, CyaSSL_UseTruncatedHMAC(NULL));
AssertIntNE(1, CyaSSL_CTX_UseTruncatedHMAC(NULL));
AssertIntNE(1, CyaSSL_UseTruncatedHMAC(NULL));
/* success case */
AssertIntEQ(0, CyaSSL_CTX_UseTruncatedHMAC(ctx));
AssertIntEQ(0, CyaSSL_UseTruncatedHMAC(ssl));
AssertIntEQ(1, CyaSSL_CTX_UseTruncatedHMAC(ctx));
AssertIntEQ(1, CyaSSL_UseTruncatedHMAC(ssl));
CyaSSL_free(ssl);
CyaSSL_CTX_free(ctx);
}
#endif /* HAVE_TRUNCATED_HMAC */
#endif /* HAVE_TLS_EXTENSIONS */
#ifdef HAVE_SUPPORTED_CURVES
static void test_CyaSSL_UseSupportedCurve(void)
{
CYASSL_CTX *ctx = CyaSSL_CTX_new(CyaSSLv23_client_method());
CYASSL *ssl = CyaSSL_new(ctx);
AssertNotNull(ctx);
AssertNotNull(ssl);
#ifndef NO_CYASSL_CLIENT
/* error cases */
AssertIntNE(1, CyaSSL_CTX_UseSupportedCurve(NULL, CYASSL_ECC_SECP160R1));
AssertIntNE(1, CyaSSL_CTX_UseSupportedCurve(ctx, 0));
AssertIntNE(1, CyaSSL_UseSupportedCurve(NULL, CYASSL_ECC_SECP160R1));
AssertIntNE(1, CyaSSL_UseSupportedCurve(ssl, 0));
/* success case */
AssertIntEQ(1, CyaSSL_CTX_UseSupportedCurve(ctx, CYASSL_ECC_SECP160R1));
AssertIntEQ(1, CyaSSL_UseSupportedCurve(ssl, CYASSL_ECC_SECP160R1));
#endif
CyaSSL_free(ssl);
CyaSSL_CTX_free(ctx);
}
#endif /* HAVE_SUPPORTED_CURVES */
#if !defined(NO_FILESYSTEM) && !defined(NO_CERTS)
/* Helper for testing CyaSSL_CTX_use_certificate_file() */

4
tests/suites.c
View File

@ -80,8 +80,8 @@ static int IsValidCipherSuite(const char* line, char* suite)
int valid = 0;
const char* find = "-l ";
char* begin = strstr(line, find);
char* end;
const char* begin = strstr(line, find);
const char* end;
suite[0] = '\0';

6
tests/unit.c
View File

@ -27,10 +27,10 @@ int main(int argc, char** argv)
err_sys("Cavium OpenNitroxDevice failed");
#endif /* HAVE_CAVIUM */
if (CurrentDir("tests"))
if (CurrentDir("tests") || CurrentDir("_build"))
ChangeDirBack(1);
else if (CurrentDir("build"))
ChangeDirBack(2);
else if (CurrentDir("Debug") || CurrentDir("Release"))
ChangeDirBack(3);
if ( (ret = ApiTest()) != 0) {
printf("api test failed with %d\n", ret);

23
testsuite/testsuite.c
View File

@ -51,11 +51,16 @@ enum {
NUMARGS = 3
};
#ifndef USE_WINDOWS_API
const char outputName[] = "/tmp/output";
#else
const char outputName[] = "output";
#endif
int myoptind = 0;
char* myoptarg = NULL;
int main(int argc, char** argv)
{
func_args server_args;
@ -79,11 +84,13 @@ int main(int argc, char** argv)
CyaSSL_Debugging_ON();
#endif
if (CurrentDir("testsuite"))
if (CurrentDir("testsuite") || CurrentDir("_build"))
ChangeDirBack(1);
else if (CurrentDir("build")) /* Xcode->Preferences->Locations->Build */
ChangeDirBack(2); /* Location "Place build product in locations
specified by targets", uses build/Debug */
else if (CurrentDir("Debug") || CurrentDir("Release"))
ChangeDirBack(3); /* Xcode->Preferences->Locations->Locations*/
/* Derived Data Advanced -> Custom */
/* Relative to Workspace, Build/Products */
/* Debug or Release */
server_args.signal = &ready;
InitTcpReady(&ready);
@ -115,8 +122,8 @@ int main(int argc, char** argv)
strcpy(echo_args.argv[0], "echoclient");
strcpy(echo_args.argv[1], "input");
strcpy(echo_args.argv[2], "output");
remove("output");
strcpy(echo_args.argv[2], outputName);
remove(outputName);
/* Share the signal, it has the new port number in it. */
echo_args.signal = server_args.signal;
@ -144,7 +151,7 @@ int main(int argc, char** argv)
byte output[SHA256_DIGEST_SIZE];
file_test("input", input);
file_test("output", output);
file_test(outputName, output);
if (memcmp(input, output, sizeof(input)) != 0)
return EXIT_FAILURE;
}