mirrors/wolfssl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/wolfSSL/wolfssl into Certs

Browse Source
This commit is contained in:
Jacob Barthelmeh 2016-03-11 23:48:39 -07:00
commit 060e278559
24 changed files with 493 additions and 456 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

86
configure.ac
View File

@ -256,6 +256,21 @@ fi
AM_CONDITIONAL([BUILD_LEANPSK], [test "x$ENABLED_LEANPSK" = "xyes"])
# lean TLS build (TLS 1.2 client only (no client auth), ECC256, AES128 and SHA256 w/o Shamir)
AC_ARG_ENABLE([leantls],
[ --enable-leantls Enable Lean TLS build (default: disabled)],
[ ENABLED_LEANTLS=$enableval ],
[ ENABLED_LEANTLS=no ]
)
if test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DWOLFSSL_LEANTLS -DNO_WRITEV -DHAVE_ECC -DTFM_ECC256 -DECC_USER_CURVES -DNO_WOLFSSL_SERVER -DNO_RABBIT -DNO_RSA -DNO_DSA -DNO_DH -DNO_PWDBASED -DNO_DES3 -DNO_MD5 -DNO_ERROR_STRINGS -DNO_OLD_TLS -DNO_RC4 -DNO_SESSION_CACHE -DNO_SHA -DUSE_SLOW_SHA -DUSE_SLOW_SHA2 -DNO_PSK -DNO_WOLFSSL_MEMORY"
fi
AM_CONDITIONAL([BUILD_LEANTLS], [test "x$ENABLED_LEANTLS" = "xyes"])
# big cache
AC_ARG_ENABLE([bigcache],
[ --enable-bigcache Enable big session cache (default: disabled)],
@ -354,7 +369,7 @@ AC_ARG_ENABLE([sniffer],
[ ENABLED_SNIFFER=no ]
)
# sniffer does't work in maxstrength mode
# sniffer doesn't work in maxstrength mode
if test "$ENABLED_SNIFFER" = "yes" && test "$ENABLED_MAXSTRENGTH" = "yes"
then
AC_MSG_ERROR([cannot enable maxstrength in sniffer mode.])
@ -380,8 +395,8 @@ AC_ARG_ENABLE([aesgcm],
[ ENABLED_AESGCM=yes ]
)
# lean psk does't need gcm
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need gcm
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_AESGCM=no
fi
@ -566,8 +581,8 @@ AC_ARG_ENABLE([sha512],
[ ENABLED_SHA512=$SHA512_DEFAULT ]
)
# lean psk does't need sha512
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need sha512
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_SHA512=no
fi
@ -723,7 +738,7 @@ AC_ARG_ENABLE([ecc],
[ ENABLED_ECC=$ECC_DEFAULT ]
)
# lean psk does't need ecc
# lean psk doesn't need ecc
if test "$ENABLED_LEANPSK" = "yes"
then
ENABLED_ECC=no
@ -742,12 +757,6 @@ fi
AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"])
if test "$ENABLED_ECC" = "yes" && test "$ENABLED_SMALL" = "yes"
then
AC_MSG_ERROR([cannot enable ecc and small, ecc requires TLS which small turns off.])
fi
# for using memory optimization setting on both curve25519 and ed25519
ENABLED_CURVED25519_SMALL=no
@ -874,8 +883,8 @@ if test "$ENABLED_ERROR_STRINGS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
else
# turn off error strings if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off error strings if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_ERROR_STRINGS"
ENABLED_ERROR_STRINGS=no
@ -894,8 +903,8 @@ if test "$ENABLED_OLD_TLS" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
else
# turn off old if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off old if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_OLD_TLS"
ENABLED_OLD_TLS=no
@ -942,8 +951,8 @@ if test "$ENABLED_MEMORY" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_WOLFSSL_MEMORY"
else
# turn off memory cb if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off memory cb if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
# but don't turn on NO_WOLFSSL_MEMORY because using own
ENABLED_MEMORY=no
@ -964,8 +973,8 @@ if test "$ENABLED_RSA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
else
# turn off RSA if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off RSA if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RSA"
ENABLED_RSA=no
@ -991,8 +1000,8 @@ if test "$ENABLED_DH" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DH"
else
# turn off DH if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off DH if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DH"
ENABLED_DH=no
@ -1137,8 +1146,8 @@ if test "$ENABLED_DES3" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
else
# turn off DES3 if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off DES3 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_DES3"
ENABLED_DES3=no
@ -1180,8 +1189,8 @@ if test "$ENABLED_ARC4" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
else
# turn off ARC4 if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off ARC4 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_RC4"
ENABLED_ARC4=no
@ -1202,8 +1211,8 @@ if test "$ENABLED_MD5" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
else
# turn off MD5 if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off MD5 if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_MD5 -DNO_OLD_TLS"
ENABLED_MD5=no
@ -1224,8 +1233,8 @@ if test "$ENABLED_SHA" = "no"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
else
# turn off SHA if leanpsk on
if test "$ENABLED_LEANPSK" = "yes"
# turn off SHA if leanpsk or leantls on
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
AM_CFLAGS="$AM_CFLAGS -DNO_SHA -DNO_OLD_TLS"
ENABLED_SHA=no
@ -1332,8 +1341,8 @@ AC_ARG_ENABLE([poly1305],
[ ENABLED_POLY1305=$POLY1305_DEFAULT]
)
# lean psk does't need poly1305
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need poly1305
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_POLY1305=no
fi
@ -1361,8 +1370,8 @@ AC_ARG_ENABLE([chacha],
[ ENABLED_CHACHA=$CHACHA_DEFAULT]
)
# lean psk does't need chacha
if test "$ENABLED_LEANPSK" = "yes"
# leanpsk and leantls don't need chacha
if test "$ENABLED_LEANPSK" = "yes" || test "$ENABLED_LEANTLS" = "yes"
then
ENABLED_CHACHA=no
fi
@ -1636,10 +1645,6 @@ AC_ARG_WITH([ntru],
AM_CONDITIONAL([BUILD_NTRU], [test "x$ENABLED_NTRU" = "xyes"])
if test "$ENABLED_NTRU" = "yes" && test "$ENABLED_SMALL" = "yes"
then
AC_MSG_ERROR([cannot enable ntru and small, ntru requires TLS which small turns off.])
fi
# SNI
AC_ARG_ENABLE([sni],
@ -2237,7 +2242,9 @@ AC_ARG_ENABLE([examples],
AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"])
AS_IF([test "x$ENABLED_INLINE" = "xno"], [ENABLED_EXAMPLES="no"])
AS_IF([test "x$ENABLED_CRYPTONLY" = "xyes"], [ENABLED_EXAMPLES="no"])
AM_CONDITIONAL([BUILD_EXAMPLES], [test "x$ENABLED_EXAMPLES" = "xyes"])
AM_CONDITIONAL([BUILD_EXAMPLE_SERVERS], [test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
AM_CONDITIONAL([BUILD_EXAMPLE_CLIENTS], [test "x$ENABLED_EXAMPLES" = "xyes"])
AM_CONDITIONAL([BUILD_TESTS], [test "x$ENABLED_EXAMPLES" = "xyes" && test "x$ENABLED_LEANTLS" = "xno"])
# Enable wolfCrypt test and benchmark
AC_ARG_ENABLE([crypttests],
@ -2771,6 +2778,7 @@ echo " * MD4: $ENABLED_MD4"
echo " * PSK: $ENABLED_PSK"
echo " * Poly1305: $ENABLED_POLY1305"
echo " * LEANPSK: $ENABLED_LEANPSK"
echo " * LEANTLS: $ENABLED_LEANTLS"
echo " * RSA: $ENABLED_RSA"
echo " * DSA: $ENABLED_DSA"
echo " * DH: $ENABLED_DH"

13
examples/client/client.c
View File

@ -148,11 +148,16 @@ int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
/* time passed in number of connects give average */
int times = benchmark;
int loops = resumeSession ? 2 : 1;
int i = 0;
int i = 0;
#ifndef NO_SESSION_CACHE
WOLFSSL_SESSION* benchSession = NULL;
#endif
(void)resumeSession;
while (loops--) {
#ifndef NO_SESSION_CACHE
int benchResume = resumeSession && loops == 0;
#endif
double start = current_time(), avg;
for (i = 0; i < times; i++) {
@ -163,25 +168,31 @@ int ClientBenchmarkConnections(WOLFSSL_CTX* ctx, char* host, word16 port,
tcp_connect(&sockfd, host, port, doDTLS, ssl);
#ifndef NO_SESSION_CACHE
if (benchResume)
wolfSSL_set_session(ssl, benchSession);
#endif
wolfSSL_set_fd(ssl, sockfd);
if (wolfSSL_connect(ssl) != SSL_SUCCESS)
err_sys("SSL_connect failed");
wolfSSL_shutdown(ssl);
#ifndef NO_SESSION_CACHE
if (i == (times-1) && resumeSession) {
benchSession = wolfSSL_get_session(ssl);
}
#endif
wolfSSL_free(ssl);
CloseSocket(sockfd);
}
avg = current_time() - start;
avg /= times;
avg *= 1000; /* milliseconds */
#ifndef NO_SESSION_CACHE
if (benchResume)
printf("wolfSSL_resume avg took: %8.3f milliseconds\n", avg);
else
#endif
printf("wolfSSL_connect avg took: %8.3f milliseconds\n", avg);
}

2
examples/client/include.am
View File

@ -1,7 +1,7 @@
# vim:ft=automake
# All paths should be given relative to the root
if BUILD_EXAMPLES
if BUILD_EXAMPLE_CLIENTS
noinst_PROGRAMS += examples/client/client
noinst_HEADERS += examples/client/client.h
examples_client_client_SOURCES = examples/client/client.c

2
examples/echoclient/include.am
View File

@ -3,7 +3,7 @@
# All paths should be given relative to the root
if BUILD_EXAMPLES
if BUILD_EXAMPLE_CLIENTS
noinst_PROGRAMS += examples/echoclient/echoclient
noinst_HEADERS += examples/echoclient/echoclient.h
examples_echoclient_echoclient_SOURCES = examples/echoclient/echoclient.c

2
examples/echoserver/include.am
View File

@ -3,7 +3,7 @@
# All paths should be given relative to the root
if BUILD_EXAMPLES
if BUILD_EXAMPLE_SERVERS
noinst_PROGRAMS += examples/echoserver/echoserver
noinst_HEADERS += examples/echoserver/echoserver.h
examples_echoserver_echoserver_SOURCES = examples/echoserver/echoserver.c

2
examples/server/include.am
View File

@ -3,7 +3,7 @@
# All paths should be given relative to the root
if BUILD_EXAMPLES
if BUILD_EXAMPLE_SERVERS
noinst_PROGRAMS += examples/server/server
noinst_HEADERS += examples/server/server.h
examples_server_server_SOURCES = examples/server/server.c

16
scripts/include.am
View File

@ -8,7 +8,7 @@ if BUILD_SNIFFTEST
dist_noinst_SCRIPTS+= scripts/sniffer-testsuite.test
endif
if BUILD_EXAMPLES
if BUILD_EXAMPLE_SERVERS
dist_noinst_SCRIPTS+= scripts/resume.test
EXTRA_DIST+= scripts/benchmark.test
@ -19,12 +19,6 @@ dist_noinst_SCRIPTS+= scripts/crl-revoked.test
scripts/crl-revoked.log: scripts/resume.log
endif
if !BUILD_IPV6
dist_noinst_SCRIPTS+= scripts/external.test
dist_noinst_SCRIPTS+= scripts/google.test
#dist_noinst_SCRIPTS+= scripts/openssl.test
endif
if BUILD_OCSP
dist_noinst_SCRIPTS+= scripts/ocsp.test
endif
@ -47,6 +41,14 @@ endif
endif
if BUILD_EXAMPLE_CLIENTS
if !BUILD_IPV6
dist_noinst_SCRIPTS+= scripts/external.test
dist_noinst_SCRIPTS+= scripts/google.test
#dist_noinst_SCRIPTS+= scripts/openssl.test
endif
endif
if BUILD_PSK
dist_noinst_SCRIPTS+= scripts/psk.test
endif

11
src/crl.c
View File

@ -263,7 +263,7 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
{
int ret = SSL_SUCCESS;
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
DerBuffer der;
DerBuffer* der = NULL;
#ifdef WOLFSSL_SMALL_STACK
DecodedCRL* dcrl;
#else
@ -275,11 +275,6 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
if (crl == NULL || buff == NULL || sz == 0)
return BAD_FUNC_ARG;
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
if (type == SSL_FILETYPE_PEM) {
int eccKey = 0; /* not used */
EncryptedInfo info;
@ -287,8 +282,8 @@ int BufferLoadCRL(WOLFSSL_CRL* crl, const byte* buff, long sz, int type)
ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
if (ret == 0) {
myBuffer = der.buffer;
sz = der.length;
myBuffer = der->buffer;
sz = der->length;
}
else {
WOLFSSL_MSG("Pem to Der failed");

209
src/internal.c
View File

@ -144,9 +144,6 @@ static int SSL_hmac(WOLFSSL* ssl, byte* digest, const byte* in, word32 sz,
static int BuildCertHashes(WOLFSSL* ssl, Hashes* hashes);
#endif
static void PickHashSigAlgo(WOLFSSL* ssl,
const byte* hashSigAlgo, word32 hashSigAlgoSz);
#ifdef HAVE_QSH
int QSH_Init(WOLFSSL* ssl);
#endif
@ -1643,7 +1640,7 @@ void InitX509(WOLFSSL_X509* x509, int dynamicFlag)
x509->version = 0;
x509->pubKey.buffer = NULL;
x509->sig.buffer = NULL;
InitDer(&x509->derCert);
x509->derCert = NULL;
x509->altNames = NULL;
x509->altNamesNext = NULL;
x509->dynamicMemory = (byte)dynamicFlag;
@ -1695,8 +1692,6 @@ void FreeX509(WOLFSSL_X509* x509)
#endif /* OPENSSL_EXTRA */
if (x509->altNames)
FreeAltNames(x509->altNames, NULL);
if (x509->dynamicMemory)
XFREE(x509, NULL, DYNAMIC_TYPE_X509);
}
@ -1763,13 +1758,15 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
{
byte havePSK = 0;
byte haveAnon = 0;
byte newSSL;
byte haveRSA = 0;
byte newSSL = ssl->ctx == NULL;
(void) haveAnon; /* Squash unused var warnings */
if(!ssl || !ctx || ssl->suites == NULL)
return BAD_FUNC_ARG;
newSSL = ssl->ctx == NULL; /* Assign after null check */
#ifndef NO_PSK
if (ctx->server_hint[0] && ssl->arrays == NULL) {
return BAD_FUNC_ARG; /* needed for copy below */
@ -1859,9 +1856,9 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
#ifndef NO_CERTS
/* ctx still owns certificate, certChain, key, dh, and cm */
XMEMCPY(&ssl->buffers.certificate, &ctx->certificate, sizeof(DerBuffer));
XMEMCPY(&ssl->buffers.certChain, &ctx->certChain, sizeof(DerBuffer));
XMEMCPY(&ssl->buffers.key, &ctx->privateKey, sizeof(DerBuffer));
ssl->buffers.certificate = ctx->certificate;
ssl->buffers.certChain = ctx->certChain;
ssl->buffers.key = ctx->privateKey;
#endif
#ifdef HAVE_CAVIUM
@ -1896,7 +1893,8 @@ int SetSSL_CTX(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
/* make sure server has cert and key unless using PSK or Anon
* This should be true even if just switching ssl ctx */
if (ssl->options.side == WOLFSSL_SERVER_END && !havePSK && !haveAnon)
if (!ssl->buffers.certificate.buffer || !ssl->buffers.key.buffer) {
if (!ssl->buffers.certificate || !ssl->buffers.certificate->buffer ||
!ssl->buffers.key || !ssl->buffers.key->buffer) {
WOLFSSL_MSG("Server missing certificate and/or private key");
return NO_PRIVATE_KEY;
}
@ -1921,7 +1919,7 @@ int InitSSL(WOLFSSL* ssl, WOLFSSL_CTX* ctx)
ssl->buffers.outputBuffer.buffer = ssl->buffers.outputBuffer.staticBuffer;
ssl->buffers.outputBuffer.bufferSize = STATIC_BUFFER_LEN;
#ifdef KEEP_PEER_CERT
#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
InitX509(&ssl->peerCert, 0);
#endif
@ -2202,7 +2200,7 @@ void SSL_ResourceFree(WOLFSSL* ssl)
nx_packet_release(ssl->nxCtx.nxPacket);
#endif
#if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS)
FreeX509(&(ssl->peerCert)); /* clang thinks this frees ssl itslef */
FreeX509(&ssl->peerCert);
#endif
}
@ -4470,7 +4468,7 @@ int CopyDecodedToX509(WOLFSSL_X509* x509, DecodedCert* dCert)
/* store cert for potential retrieval */
if (AllocDer(&x509->derCert, dCert->maxIdx, CERT_TYPE, NULL) == 0) {
XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx);
XMEMCPY(x509->derCert->buffer, dCert->source, dCert->maxIdx);
}
else {
ret = MEMORY_E;
@ -4542,7 +4540,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
int anyError = 0;
int totalCerts = 0; /* number of certs in certs buffer */
int count;
DerBuffer certs[MAX_CHAIN_DEPTH];
buffer certs[MAX_CHAIN_DEPTH];
#ifdef WOLFSSL_SMALL_STACK
char* domain = NULL;
@ -4593,10 +4591,6 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
if ((*inOutIdx - begin) + certSz > size)
return BUFFER_ERROR;
ret = InitDer(&certs[totalCerts]);
if (ret < 0) {
return 0;
}
certs[totalCerts].length = certSz;
certs[totalCerts].buffer = input + *inOutIdx;
@ -4660,7 +4654,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* verify up to peer's first */
while (count > 1) {
DerBuffer myCert = certs[count - 1];
buffer myCert = certs[count - 1];
byte* subjectHash;
InitDecodedCert(dCert, myCert.buffer, myCert.length, ssl->heap);
@ -4679,11 +4673,8 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Chain cert not verified by option, not adding as CA");
}
else if (ret == 0 && !AlreadySigner(ssl->ctx->cm, subjectHash)) {
DerBuffer add;
ret = InitDer(&add);
if (ret == 0) {
ret = AllocDer(&add, myCert.length, CA_TYPE, ssl->heap);
}
DerBuffer* add = NULL;
ret = AllocDer(&add, myCert.length, CA_TYPE, ssl->heap);
if (ret < 0) {
#ifdef WOLFSSL_SMALL_STACK
XFREE(dCert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -4693,7 +4684,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
WOLFSSL_MSG("Adding CA from chain");
XMEMCPY(add.buffer, myCert.buffer, myCert.length);
XMEMCPY(add->buffer, myCert.buffer, myCert.length);
/* already verified above */
ret = AddCA(ssl->ctx->cm, &add, WOLFSSL_CHAIN_CA, 0);
@ -4756,7 +4747,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* peer's, may not have one if blank client cert sent by TLSv1.2 */
if (count) {
DerBuffer myCert = certs[0];
buffer myCert = certs[0];
int fatal = 0;
WOLFSSL_MSG("Verifying Peer's cert");
@ -4860,7 +4851,7 @@ static int DoCertificate(WOLFSSL* ssl, byte* input, word32* inOutIdx,
#endif /* HAVE_OCSP || HAVE_CRL */
#ifdef KEEP_PEER_CERT
if (fatal == 0) {
{
/* set X509 format for peer cert even if fatal */
int copyRet = CopyDecodedToX509(&ssl->peerCert, dCert);
if (copyRet == MEMORY_E)
@ -6135,7 +6126,7 @@ static int DoDtlsHandShakeMsg(WOLFSSL* ssl, byte* input, word32* inOutIdx,
*inOutIdx += fragSz;
if(type == finished )
*inOutIdx += ssl->keys.padSz;
ret = 0;
ret = DtlsPoolSend(ssl);
}
else if (fragSz < size) {
/* Since this branch is in order, but fragmented, dtls_msg_list will be
@ -7646,6 +7637,7 @@ int ProcessReply(WOLFSSL* ssl)
}
#endif
#ifdef WOLFSSL_DTLS
/* Check for duplicate CCS message in DTLS mode.
* DTLS allows for duplicate messages, and it should be
* skipped. */
@ -7653,6 +7645,10 @@ int ProcessReply(WOLFSSL* ssl)
ssl->msgsReceived.got_change_cipher) {
WOLFSSL_MSG("Duplicate ChangeCipher msg");
ret = DtlsPoolSend(ssl);
if (ret != 0)
return ret;
if (ssl->curSize != 1) {
WOLFSSL_MSG("Malicious or corrupted"
" duplicate ChangeCipher msg");
@ -7661,6 +7657,7 @@ int ProcessReply(WOLFSSL* ssl)
ssl->buffers.inputBuffer.idx++;
break;
}
#endif
ret = SanityCheckMsgReceived(ssl, change_cipher_hs);
if (ret != 0)
@ -7723,6 +7720,12 @@ int ProcessReply(WOLFSSL* ssl)
case application_data:
WOLFSSL_MSG("got app DATA");
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls && ssl->options.dtlsHsRetain) {
FreeHandshakeResources(ssl);
ssl->options.dtlsHsRetain = 0;
}
#endif
if ((ret = DoApplicationData(ssl,
ssl->buffers.inputBuffer.buffer,
&ssl->buffers.inputBuffer.idx))
@ -7853,7 +7856,7 @@ int SendChangeCipher(WOLFSSL* ssl)
if (ssl->options.groupMessages)
return 0;
#ifdef WOLFSSL_DTLS
#if defined(WOLFSSL_DTLS) && !defined(WOLFSSL_DEBUG_DTLS)
else if (ssl->options.dtls) {
/* If using DTLS, force the ChangeCipherSpec message to be in the
* same datagram as the finished message. */
@ -8312,15 +8315,19 @@ int SendCertificate(WOLFSSL* ssl)
listSz = 0;
}
else {
certSz = ssl->buffers.certificate.length;
if (!ssl->buffers.certificate) {
WOLFSSL_MSG("Send Cert missing certificate buffer");
return BUFFER_ERROR;
}
certSz = ssl->buffers.certificate->length;
headerSz = 2 * CERT_HEADER_SZ;
/* list + cert size */
length = certSz + headerSz;
listSz = certSz + CERT_HEADER_SZ;
/* may need to send rest of chain, already has leading size(s) */
if (certSz) {
certChainSz = ssl->buffers.certChain.length;
if (certSz && ssl->buffers.certChain) {
certChainSz = ssl->buffers.certChain->length;
length += certChainSz;
listSz += certChainSz;
}
@ -8430,9 +8437,9 @@ int SendCertificate(WOLFSSL* ssl)
fragSz -= CERT_HEADER_SZ;
if (!IsEncryptionOn(ssl, 1)) {
HashOutputRaw(ssl, ssl->buffers.certificate.buffer, certSz);
HashOutputRaw(ssl, ssl->buffers.certificate->buffer, certSz);
if (certChainSz)
HashOutputRaw(ssl, ssl->buffers.certChain.buffer,
HashOutputRaw(ssl, ssl->buffers.certChain->buffer,
certChainSz);
}
}
@ -8454,7 +8461,7 @@ int SendCertificate(WOLFSSL* ssl)
if (certSz && ssl->fragOffset < certSz) {
word32 copySz = min(certSz - ssl->fragOffset, fragSz);
XMEMCPY(output + i,
ssl->buffers.certificate.buffer + ssl->fragOffset, copySz);
ssl->buffers.certificate->buffer + ssl->fragOffset, copySz);
i += copySz;
ssl->fragOffset += copySz;
length -= copySz;
@ -8463,7 +8470,7 @@ int SendCertificate(WOLFSSL* ssl)
if (certChainSz && fragSz) {
word32 copySz = min(certChainSz + certSz - ssl->fragOffset, fragSz);
XMEMCPY(output + i,
ssl->buffers.certChain.buffer + ssl->fragOffset - certSz,
ssl->buffers.certChain->buffer + ssl->fragOffset - certSz,
copySz);
i += copySz;
ssl->fragOffset += copySz;
@ -8738,14 +8745,16 @@ int SendCertificateStatus(WOLFSSL* ssl)
/* case WOLFSSL_CSR_OCSP: */
case WOLFSSL_CSR2_OCSP: {
OcspRequest* request = ssl->ctx->certOcspRequest;
buffer response = {NULL, 0};
buffer response;
XMEMSET(&response, 0, sizeof(response));
/* unable to fetch status. skip. */
if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0)
return 0;
if (!request || ssl->buffers.weOwnCert) {
DerBuffer der = ssl->buffers.certificate;
DerBuffer* der = ssl->buffers.certificate;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* cert = NULL;
#else
@ -8753,7 +8762,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
#endif
/* unable to fetch status. skip. */
if (der.buffer == NULL || der.length == 0)
if (der->buffer == NULL || der->length == 0)
return 0;
#ifdef WOLFSSL_SMALL_STACK
@ -8763,7 +8772,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
return MEMORY_E;
#endif
InitDecodedCert(cert, der.buffer, der.length, NULL);
InitDecodedCert(cert, der->buffer, der->length, NULL);
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
ssl->ctx->cm)) != 0) {
@ -8835,14 +8844,14 @@ int SendCertificateStatus(WOLFSSL* ssl)
buffer responses[1 + MAX_CHAIN_DEPTH];
int i = 0;
ForceZero(responses, sizeof(responses));
XMEMSET(responses, 0, sizeof(responses));
/* unable to fetch status. skip. */
if (ssl->ctx->cm == NULL || ssl->ctx->cm->ocspStaplingEnabled == 0)
return 0;
if (!request || ssl->buffers.weOwnCert) {
DerBuffer der = ssl->buffers.certificate;
DerBuffer* der = ssl->buffers.certificate;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* cert = NULL;
#else
@ -8850,7 +8859,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
#endif
/* unable to fetch status. skip. */
if (der.buffer == NULL || der.length == 0)
if (der->buffer == NULL || der->length == 0)
return 0;
#ifdef WOLFSSL_SMALL_STACK
@ -8860,7 +8869,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
return MEMORY_E;
#endif
InitDecodedCert(cert, der.buffer, der.length, NULL);
InitDecodedCert(cert, der->buffer, der->length, NULL);
if ((ret = ParseCertRelative(cert, CERT_TYPE, VERIFY,
ssl->ctx->cm)) != 0) {
@ -8915,7 +8924,7 @@ int SendCertificateStatus(WOLFSSL* ssl)
if (ret == 0 && (!ssl->ctx->chainOcspRequest[0]
|| ssl->buffers.weOwnCertChain)) {
DerBuffer der;
buffer der;
word32 idx = 0;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* cert = NULL;
@ -8923,26 +8932,23 @@ int SendCertificateStatus(WOLFSSL* ssl)
DecodedCert cert[1];
#endif
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
XMEMSET(&der, 0, sizeof(buffer));
#ifdef WOLFSSL_SMALL_STACK
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (cert == NULL)
return MEMORY_E;
#endif
#ifdef WOLFSSL_SMALL_STACK
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (cert == NULL)
return MEMORY_E;
#endif
while (idx + OPAQUE24_LEN < ssl->buffers.certChain.length) {
c24to32(ssl->buffers.certChain.buffer + idx, &der.length);
while (idx + OPAQUE24_LEN < ssl->buffers.certChain->length) {
c24to32(ssl->buffers.certChain->buffer + idx, &der.length);
idx += OPAQUE24_LEN;
der.buffer = ssl->buffers.certChain.buffer + idx;
der.buffer = ssl->buffers.certChain->buffer + idx;
idx += der.length;
if (idx > ssl->buffers.certChain.length)
if (idx > ssl->buffers.certChain->length)
break;
InitDecodedCert(cert, der.buffer, der.length, NULL);
@ -10625,7 +10631,7 @@ int SetCipherList(Suites* suites, const char* list)
return ret;
}
#if !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS)
static void PickHashSigAlgo(WOLFSSL* ssl,
const byte* hashSigAlgo, word32 hashSigAlgoSz)
{
@ -10661,7 +10667,7 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
}
}
}
#endif /* !defined(NO_WOLFSSL_SERVER) || !defined(NO_CERTS) */
#ifdef WOLFSSL_CALLBACKS
@ -11382,7 +11388,8 @@ static void PickHashSigAlgo(WOLFSSL* ssl,
/* don't send client cert or cert verify if user hasn't provided
cert and private key */
if (ssl->buffers.certificate.buffer && ssl->buffers.key.buffer)
if (ssl->buffers.certificate && ssl->buffers.certificate->buffer &&
ssl->buffers.key && ssl->buffers.key->buffer)
ssl->options.sendVerify = SEND_CERT;
else if (IsTLS(ssl))
ssl->options.sendVerify = SEND_BLANK_CERT;
@ -13464,8 +13471,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
ret = wc_InitRsaKey(&key, ssl->heap);
if (ret == 0) initRsaKey = 1;
if (ret == 0)
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &key,
ssl->buffers.key.length);
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &key,
ssl->buffers.key->length);
if (ret == 0)
sigOutSz = wc_RsaEncryptSize(&key);
else
@ -13474,9 +13481,14 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
#ifdef HAVE_ECC
WOLFSSL_MSG("Trying ECC client cert, RSA didn't work");
if (ssl->buffers.key == NULL) {
WOLFSSL_MSG("ECC Key missing");
return NO_PRIVATE_KEY;
}
idx = 0;
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &idx, &eccKey,
ssl->buffers.key.length);
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &idx, &eccKey,
ssl->buffers.key->length);
if (ret == 0) {
WOLFSSL_MSG("Using ECC client cert");
usingEcc = 1;
@ -13588,8 +13600,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
#ifdef HAVE_ECC
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
encodedSig, &localSz,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->buffers.key->buffer,
ssl->buffers.key->length,
ssl->EccSignCtx);
#endif /* HAVE_ECC */
#endif /*HAVE_PK_CALLBACKS */
@ -13683,8 +13695,8 @@ static word32 QSH_KeyExchangeWrite(WOLFSSL* ssl, byte isServer)
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
verify + extraSz + VERIFY_HEADER,
&ioLen,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->buffers.key->buffer,
ssl->buffers.key->length,
ssl->RsaSignCtx);
#endif /* NO_RSA */
#endif /*HAVE_PK_CALLBACKS */
@ -14013,11 +14025,13 @@ int DoSessionTicket(WOLFSSL* ssl,
int SendServerKeyExchange(WOLFSSL* ssl)
{
int ret = 0;
#ifdef HAVE_QSH
word32 qshSz = 0;
#endif
(void)ssl;
#define ERROR_OUT(err, eLabel) do { ret = err; goto eLabel; } while(0)
#ifdef HAVE_QSH
word32 qshSz = 0;
if (ssl->peerQSHKeyPresent && ssl->options.haveQSH) {
qshSz = QSH_KeyGetSize(ssl);
}
@ -14550,7 +14564,7 @@ int DoSessionTicket(WOLFSSL* ssl,
/* sig length */
length += LENGTH_SZ;
if (!ssl->buffers.key.buffer) {
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
#ifndef NO_RSA
wc_FreeRsaKey(&rsaKey);
#endif
@ -14562,8 +14576,8 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->specs.sig_algo == rsa_sa_algo) {
/* rsa sig size */
word32 i = 0;
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&rsaKey, ssl->buffers.key.length);
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &i,
&rsaKey, ssl->buffers.key->length);
if (ret != 0) {
goto done_a;
}
@ -14574,8 +14588,8 @@ int DoSessionTicket(WOLFSSL* ssl,
if (ssl->specs.sig_algo == ecc_dsa_sa_algo) {
/* ecdsa sig size */
word32 i = 0;
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&dsaKey, ssl->buffers.key.length);
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &i,
&dsaKey, ssl->buffers.key->length);
if (ret != 0) {
goto done_a;
}
@ -14953,8 +14967,8 @@ int DoSessionTicket(WOLFSSL* ssl,
word32 ioLen = sigSz;
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
output + idx, &ioLen,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->buffers.key->buffer,
ssl->buffers.key->length,
ssl->RsaSignCtx);
#endif /*HAVE_PK_CALLBACKS */
}
@ -15030,8 +15044,8 @@ int DoSessionTicket(WOLFSSL* ssl,
ret = ssl->ctx->EccSignCb(ssl, digest, digestSz,
output + LENGTH_SZ + idx,
&sz,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->buffers.key->buffer,
ssl->buffers.key->length,
ssl->EccSignCtx);
#endif
}
@ -15212,12 +15226,12 @@ int DoSessionTicket(WOLFSSL* ssl,
/* sig length */
length += LENGTH_SZ;
if (!ssl->buffers.key.buffer) {
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
return NO_PRIVATE_KEY;
}
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&rsaKey, ssl->buffers.key.length);
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &i,
&rsaKey, ssl->buffers.key->length);
if (ret == 0) {
sigSz = wc_RsaEncryptSize(&rsaKey);
length += sigSz;
@ -15611,8 +15625,8 @@ int DoSessionTicket(WOLFSSL* ssl,
word32 ioLen = sigSz;
ret = ssl->ctx->RsaSignCb(ssl, signBuffer, signSz,
output + idx, &ioLen,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->buffers.key->buffer,
ssl->buffers.key->length,
ssl->RsaSignCtx);
#endif
} else if (ret == 0) {
@ -15828,6 +15842,7 @@ int DoSessionTicket(WOLFSSL* ssl,
return 1;
}
#ifndef NO_WOLFSSL_SERVER
static int MatchSuite(WOLFSSL* ssl, Suites* peerSuites)
{
word16 i, j;
@ -15864,7 +15879,7 @@ int DoSessionTicket(WOLFSSL* ssl,
return MATCH_SUITE_ERROR;
}
#endif
#ifdef OLD_HELLO_ALLOWED
@ -17013,12 +17028,12 @@ int DoSessionTicket(WOLFSSL* ssl,
return ret;
}
if (!ssl->buffers.key.buffer) {
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
return NO_PRIVATE_KEY;
}
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key.buffer, &idx,
&key, ssl->buffers.key.length);
ret = wc_RsaPrivateKeyDecode(ssl->buffers.key->buffer, &idx,
&key, ssl->buffers.key->length);
if (ret == 0) {
length = wc_RsaEncryptSize(&key);
@ -17051,8 +17066,8 @@ int DoSessionTicket(WOLFSSL* ssl,
#ifdef HAVE_PK_CALLBACKS
ret = ssl->ctx->RsaDecCb(ssl,
input + *inOutIdx, length, &out,
ssl->buffers.key.buffer,
ssl->buffers.key.length,
ssl->buffers.key->buffer,
ssl->buffers.key->length,
ssl->RsaDecCtx);
#endif
}
@ -17198,7 +17213,7 @@ int DoSessionTicket(WOLFSSL* ssl,
word16 cipherLen;
word16 plainLen = sizeof(ssl->arrays->preMasterSecret);
if (!ssl->buffers.key.buffer) {
if (!ssl->buffers.key || !ssl->buffers.key->buffer) {
return NO_PRIVATE_KEY;
}
@ -17218,8 +17233,8 @@ int DoSessionTicket(WOLFSSL* ssl,
}
if (NTRU_OK != ntru_crypto_ntru_decrypt(
(word16) ssl->buffers.key.length,
ssl->buffers.key.buffer, cipherLen,
(word16) ssl->buffers.key->length,
ssl->buffers.key->buffer, cipherLen,
input + *inOutIdx, &plainLen,
ssl->arrays->preMasterSecret)) {
return NTRU_DECRYPT_ERROR;
@ -17300,8 +17315,8 @@ int DoSessionTicket(WOLFSSL* ssl,
word32 i = 0;
wc_ecc_init(&staticKey);
ret = wc_EccPrivateKeyDecode(ssl->buffers.key.buffer, &i,
&staticKey, ssl->buffers.key.length);
ret = wc_EccPrivateKeyDecode(ssl->buffers.key->buffer, &i,
&staticKey, ssl->buffers.key->length);
if (ret == 0) {
ret = wc_ecc_shared_secret(&staticKey, ssl->peerEccKey,

5
src/io.c
View File

@ -404,7 +404,10 @@ int EmbedReceiveFrom(WOLFSSL *ssl, char *buf, int sz, void *ctx)
WOLFSSL_ENTER("EmbedReceiveFrom()");
if (!wolfSSL_get_using_nonblock(ssl) && dtls_timeout != 0) {
if (ssl->options.handShakeDone)
dtls_timeout = 0;
if (!wolfSSL_get_using_nonblock(ssl)) {
#ifdef USE_WINDOWS_API
DWORD timeout = dtls_timeout * 1000;
#else

2
src/keys.c
View File

@ -3058,6 +3058,7 @@ int MakeMasterSecret(WOLFSSL* ssl)
/* show secret SerSi and CliSi */
#ifdef SHOW_SECRETS
{
word32 j;
printf("QSH generated secret material\n");
printf("SerSi : ");
@ -3070,6 +3071,7 @@ int MakeMasterSecret(WOLFSSL* ssl)
printf("%02x", ssl->QSH_secret->CliSi->buffer[j]);
}
printf("\n");
}
#endif
}
#endif

7
src/ocsp.c
View File

@ -118,7 +118,7 @@ static int xstat2err(int stat)
}
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, void* encodedResponse)
int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, buffer* responseBuffer)
{
int ret = OCSP_LOOKUP_FAIL;
@ -141,7 +141,7 @@ int CheckCertOCSP(WOLFSSL_OCSP* ocsp, DecodedCert* cert, void* encodedResponse)
#endif
if (InitOcspRequest(ocspRequest, cert, ocsp->cm->ocspSendNonce) == 0) {
ret = CheckOcspRequest(ocsp, ocspRequest, encodedResponse);
ret = CheckOcspRequest(ocsp, ocspRequest, responseBuffer);
FreeOcspRequest(ocspRequest);
}
@ -239,14 +239,13 @@ static int GetOcspStatus(WOLFSSL_OCSP* ocsp, OcspRequest* request,
}
int CheckOcspRequest(WOLFSSL_OCSP* ocsp, OcspRequest* ocspRequest,
void* encodedResponse)
buffer* responseBuffer)
{
OcspEntry* entry = NULL;
CertStatus* status = NULL;
byte* request = NULL;
int requestSz = 2048;
byte* response = NULL;
buffer* responseBuffer = (buffer*) encodedResponse;
const char* url = NULL;
int urlSz = 0;
int ret = -1;

9
src/sniffer.c
View File

@ -1341,16 +1341,17 @@ static int ProcessClientKeyExchange(const byte* input, int* sslBytes,
RsaKey key;
int ret;
if (session->sslServer->buffers.key.buffer == NULL ||
session->sslServer->buffers.key.length == 0) {
if (session->sslServer->buffers.key == NULL ||
session->sslServer->buffers.key->buffer == NULL ||
session->sslServer->buffers.key->length == 0) {
SetError(RSA_KEY_MISSING_STR, error, session, FATAL_ERROR_STATE);
return -1;
}
ret = wc_InitRsaKey(&key, 0);
if (ret == 0)
ret = wc_RsaPrivateKeyDecode(session->sslServer->buffers.key.buffer,
&idx, &key, session->sslServer->buffers.key.length);
ret = wc_RsaPrivateKeyDecode(session->sslServer->buffers.key->buffer,
&idx, &key, session->sslServer->buffers.key->length);
if (ret == 0) {
int length = wc_RsaEncryptSize(&key);

370
src/ssl.c
View File

@ -1635,21 +1635,12 @@ int wolfSSL_GetHmacSize(WOLFSSL* ssl)
#ifndef NO_CERTS
int InitDer(DerBuffer* der)
int AllocDer(DerBuffer** pDer, word32 length, int type, void* heap)
{
int ret = BAD_FUNC_ARG;
if (der) {
XMEMSET(der, 0, sizeof(DerBuffer));
ret = 0;
}
return ret;
}
int AllocDer(DerBuffer* der, word32 length, int type, void* heap)
{
int ret = BAD_FUNC_ARG;
if (der) {
if (pDer) {
int dynType = 0;
DerBuffer* der;
/* Determine dynamic type */
switch (type) {
@ -1663,29 +1654,37 @@ int AllocDer(DerBuffer* der, word32 length, int type, void* heap)
}
/* Setup new buffer */
der->type = type;
der->dynType = dynType;
der->heap = heap;
der->buffer = (byte*)XMALLOC(length, heap, dynType);
if (!der->buffer) {
*pDer = (DerBuffer*)XMALLOC(sizeof(DerBuffer) + length, heap, dynType);
if (*pDer == NULL) {
return MEMORY_ERROR;
}
der = *pDer;
der->type = type;
der->dynType = dynType; /* Cache this for FreeDer */
der->heap = heap;
der->buffer = (byte*)der + sizeof(DerBuffer);
der->length = length;
ret = 0; /* Success */
}
return ret;
}
void FreeDer(DerBuffer* der)
void FreeDer(DerBuffer** pDer)
{
if (der && der->buffer) {
if (pDer && *pDer)
{
DerBuffer* der = (DerBuffer*)*pDer;
/* ForceZero private keys */
if (der->type == PRIVATEKEY_TYPE) {
ForceZero(der->buffer, der->length);
}
XFREE(der->buffer, der->heap, der->dynType);
der->buffer = NULL;
der->length = 0;
XFREE(der, der->heap, der->dynType);
*pDer = NULL;
}
}
@ -1798,7 +1797,7 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
{
int eccKey = 0;
int ret;
DerBuffer der;
DerBuffer* der = NULL;
#ifdef WOLFSSL_SMALL_STACK
EncryptedInfo* info = NULL;
#else
@ -1817,11 +1816,6 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
return BAD_FUNC_ARG;
}
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
#ifdef WOLFSSL_SMALL_STACK
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
@ -1843,9 +1837,9 @@ int wolfSSL_CertPemToDer(const unsigned char* pem, int pemSz,
WOLFSSL_MSG("Bad Pem To Der");
}
else {
if (der.length <= (word32)buffSz) {
XMEMCPY(buff, der.buffer, der.length);
ret = der.length;
if (der->length <= (word32)buffSz) {
XMEMCPY(buff, der->buffer, der->length);
ret = der->length;
}
else {
WOLFSSL_MSG("Bad der length");
@ -1902,7 +1896,7 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz,
{
int eccKey = 0;
int ret;
DerBuffer der;
DerBuffer* der = NULL;
#ifdef WOLFSSL_SMALL_STACK
EncryptedInfo* info = NULL;
#else
@ -1916,11 +1910,6 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz,
return BAD_FUNC_ARG;
}
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
#ifdef WOLFSSL_SMALL_STACK
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
@ -1962,9 +1951,9 @@ int wolfSSL_KeyPemToDer(const unsigned char* pem, int pemSz,
WOLFSSL_MSG("Bad Pem To Der");
}
else {
if (der.length <= (word32)buffSz) {
XMEMCPY(buff, der.buffer, der.length);
ret = der.length;
if (der->length <= (word32)buffSz) {
XMEMCPY(buff, der->buffer, der->length);
ret = der->length;
}
else {
WOLFSSL_MSG("Bad der length");
@ -2495,7 +2484,7 @@ int AddTrustedPeer(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int verify)
/* owns der, internal now uses too */
/* type flag ids from user or from chain received during verify
don't allow chain ones to be added w/o isCA extension */
int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify)
int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify)
{
int ret;
Signer* signer = 0;
@ -2506,6 +2495,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify)
#else
DecodedCert cert[1];
#endif
DerBuffer* der = *pDer;
WOLFSSL_MSG("Adding a CA");
@ -2601,7 +2591,7 @@ int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer* der, int type, int verify)
XFREE(cert, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
WOLFSSL_MSG(" Freeing der CA");
FreeDer(der);
FreeDer(pDer);
WOLFSSL_MSG(" OK Freeing der CA");
WOLFSSL_LEAVE("AddCA", ret);
@ -2877,7 +2867,7 @@ static int wolfssl_encrypt_buffer_key(byte* der, word32 derSz, byte* password,
/* Remove PEM header/footer, convert to ASN1, store any encrypted data
info->consumed tracks of PEM bytes consumed in case multiple parts */
int PemToDer(const unsigned char* buff, long longSz, int type,
DerBuffer* der, void* heap, EncryptedInfo* info, int* eccKey)
DerBuffer** pDer, void* heap, EncryptedInfo* info, int* eccKey)
{
const char* header = NULL;
const char* footer = NULL;
@ -2889,6 +2879,7 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
int ret = 0;
int sz = (int)longSz;
int encrypted_key = 0;
DerBuffer* der;
WOLFSSL_ENTER("PemToDer");
@ -3026,10 +3017,11 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
if (neededSz > sz || neededSz < 0)
return SSL_BAD_FILE;
ret = AllocDer(der, (word32)neededSz, type, heap);
ret = AllocDer(pDer, (word32)neededSz, type, heap);
if (ret < 0) {
return ret;
}
der = *pDer;
if (Base64_Decode((byte*)headerEnd, (word32)neededSz,
der->buffer, &der->length) < 0)
@ -3071,7 +3063,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
XFREE(password, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (ret < 0) {
FreeDer(der);
return ret;
}
@ -3085,7 +3076,6 @@ int PemToDer(const unsigned char* buff, long longSz, int type,
XFREE(password, heap, DYNAMIC_TYPE_TMP_BUFFER);
#endif
if (ret != SSL_SUCCESS) {
FreeDer(der);
return ret;
}
}
@ -3103,7 +3093,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
long sz, int format, int type, WOLFSSL* ssl,
long* used, int userChain)
{
DerBuffer der; /* holds DER or RAW (for NTRU) */
DerBuffer* der = NULL; /* holds DER or RAW (for NTRU) */
int ret;
int eccKey = 0;
int rsaKey = 0;
@ -3126,11 +3116,6 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
if (ctx == NULL && ssl == NULL)
return BAD_FUNC_ARG;
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
#ifdef WOLFSSL_SMALL_STACK
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), heap,
DYNAMIC_TYPE_TMP_BUFFER);
@ -3187,30 +3172,28 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
WOLFSSL_MSG("Processing Cert Chain");
while (consumed < sz) {
DerBuffer part;
DerBuffer* part = NULL;
info->consumed = 0;
ret = InitDer(&part);
ret = PemToDer(buff + consumed, sz - consumed, type, &part,
heap, info, &eccKey);
if (ret == 0) {
ret = PemToDer(buff + consumed, sz - consumed, type, &part,
heap, info, &eccKey);
if (ret == 0) {
gotOne = 1;
if ( (idx + part.length) > bufferSz) {
WOLFSSL_MSG(" Cert Chain bigger than buffer");
ret = BUFFER_E;
}
else {
c32to24(part.length, &chainBuffer[idx]);
idx += CERT_HEADER_SZ;
XMEMCPY(&chainBuffer[idx], part.buffer,part.length);
idx += part.length;
consumed += info->consumed;
if (used)
*used += info->consumed;
}
gotOne = 1;
if ( (idx + part->length) > bufferSz) {
WOLFSSL_MSG(" Cert Chain bigger than buffer");
ret = BUFFER_E;
}
else {
c32to24(part->length, &chainBuffer[idx]);
idx += CERT_HEADER_SZ;
XMEMCPY(&chainBuffer[idx], part->buffer, part->length);
idx += part->length;
consumed += info->consumed;
if (used)
*used += info->consumed;
}
FreeDer(&part);
}
FreeDer(&part);
if (ret == SSL_NO_PEM_HEADER && gotOne) {
WOLFSSL_MSG("We got one good PEM so stuff at end ok");
@ -3240,14 +3223,14 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
}
ret = AllocDer(&ssl->buffers.certChain, idx, type, heap);
if (ret == 0) {
XMEMCPY(ssl->buffers.certChain.buffer, chainBuffer, idx);
XMEMCPY(ssl->buffers.certChain->buffer, chainBuffer, idx);
ssl->buffers.weOwnCertChain = 1;
}
} else if (ctx) {
FreeDer(&ctx->certChain);
ret = AllocDer(&ctx->certChain, idx, type, heap);
if (ret == 0) {
XMEMCPY(ctx->certChain.buffer, chainBuffer, idx);
XMEMCPY(ctx->certChain->buffer, chainBuffer, idx);
}
}
}
@ -3273,7 +3256,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
return ret;
}
XMEMCPY(der.buffer, buff, sz);
XMEMCPY(der->buffer, buff, sz);
}
#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
@ -3301,7 +3284,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
0, ctx->userdata);
/* decrypt the key */
ret = wolfssl_decrypt_buffer_key(&der, (byte*)password,
ret = wolfssl_decrypt_buffer_key(der, (byte*)password,
passwordSz, info);
}
@ -3397,7 +3380,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
ret = wc_InitRsaKey(key, 0);
if (ret == 0) {
if (wc_RsaPrivateKeyDecode(der.buffer, &idx, key, der.length)
if (wc_RsaPrivateKeyDecode(der->buffer, &idx, key, der->length)
!= 0) {
#ifdef HAVE_ECC
/* could have DER ECC (or pkcs8 ecc), no easy way to tell */
@ -3428,7 +3411,8 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
ecc_key key;
wc_ecc_init(&key);
if (wc_EccPrivateKeyDecode(der.buffer,&idx,&key,der.length) != 0) {
if (wc_EccPrivateKeyDecode(der->buffer, &idx, &key,
der->length) != 0) {
wc_ecc_free(&key);
return SSL_BAD_FILE;
}
@ -3456,7 +3440,7 @@ static int ProcessBuffer(WOLFSSL_CTX* ctx, const unsigned char* buff,
#endif
WOLFSSL_MSG("Checking cert signature type");
InitDecodedCert(cert, der.buffer, der.length, heap);
InitDecodedCert(cert, der->buffer, der->length, heap);
if (DecodeToKey(cert, 0) < 0) {
WOLFSSL_MSG("Decode to key failed");
@ -3681,7 +3665,7 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
long sz, int format)
{
int ret = 0;
DerBuffer der;
DerBuffer* der = NULL;
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* cert = NULL;
#else
@ -3690,11 +3674,6 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
WOLFSSL_ENTER("wolfSSL_CertManagerVerifyBuffer");
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
#ifdef WOLFSSL_SMALL_STACK
cert = (DecodedCert*)XMALLOC(sizeof(DecodedCert), cm->heap,
DYNAMIC_TYPE_TMP_BUFFER);
@ -3724,7 +3703,7 @@ int wolfSSL_CertManagerVerifyBuffer(WOLFSSL_CERT_MANAGER* cm, const byte* buff,
info->consumed = 0;
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, info, &eccKey);
InitDecodedCert(cert, der.buffer, der.length, cm->heap);
InitDecodedCert(cert, der->buffer, der->length, cm->heap);
#ifdef WOLFSSL_SMALL_STACK
XFREE(info, cm->heap, DYNAMIC_TYPE_TMP_BUFFER);
@ -4519,7 +4498,7 @@ int wolfSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz)
int ecc = 0;
long sz = 0;
XFILE file = XFOPEN(fileName, "rb");
DerBuffer converted;
DerBuffer* converted = NULL;
WOLFSSL_ENTER("wolfSSL_PemCertToDer");
@ -4543,39 +4522,36 @@ int wolfSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz)
}
if (ret == 0) {
ret = InitDer(&converted);
if (ret == 0) {
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) {
ret = SSL_BAD_FILE;
}
else {
#ifdef WOLFSSL_SMALL_STACK
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (info == NULL)
ret = MEMORY_E;
else
#endif
{
ret = PemToDer(fileBuf, sz, CA_TYPE, &converted,
0, info, &ecc);
#ifdef WOLFSSL_SMALL_STACK
XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
}
}
if (ret == 0) {
if (converted.length < (word32)derSz) {
XMEMCPY(derBuf, converted.buffer, converted.length);
ret = converted.length;
}
else
ret = BUFFER_E;
}
FreeDer(&converted);
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0) {
ret = SSL_BAD_FILE;
}
else {
#ifdef WOLFSSL_SMALL_STACK
info = (EncryptedInfo*)XMALLOC(sizeof(EncryptedInfo), NULL,
DYNAMIC_TYPE_TMP_BUFFER);
if (info == NULL)
ret = MEMORY_E;
else
#endif
{
ret = PemToDer(fileBuf, sz, CA_TYPE, &converted,
0, info, &ecc);
#ifdef WOLFSSL_SMALL_STACK
XFREE(info, NULL, DYNAMIC_TYPE_TMP_BUFFER);
#endif
}
}
if (ret == 0) {
if (converted->length < (word32)derSz) {
XMEMCPY(derBuf, converted->buffer, converted->length);
ret = converted->length;
}
else
ret = BUFFER_E;
}
FreeDer(&converted);
}
XFCLOSE(file);
@ -4604,7 +4580,7 @@ int wolfSSL_PemPubKeyToDer(const char* fileName,
int ret = 0;
long sz = 0;
XFILE file = XFOPEN(fileName, "rb");
DerBuffer converted;
DerBuffer* converted = NULL;
WOLFSSL_ENTER("wolfSSL_PemPubKeyToDer");
@ -4627,25 +4603,22 @@ int wolfSSL_PemPubKeyToDer(const char* fileName,
dynamic = 1;
}
if (ret == 0) {
ret = InitDer(&converted);
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0)
ret = SSL_BAD_FILE;
else
ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted,
0, NULL, NULL);
if (ret == 0) {
if ( (ret = (int)XFREAD(fileBuf, sz, 1, file)) < 0)
ret = SSL_BAD_FILE;
else
ret = PemToDer(fileBuf, sz, PUBLICKEY_TYPE, &converted,
0, NULL, NULL);
if (ret == 0) {
if (converted.length < (word32)derSz) {
XMEMCPY(derBuf, converted.buffer, converted.length);
ret = converted.length;
}
else
ret = BUFFER_E;
if (converted->length < (word32)derSz) {
XMEMCPY(derBuf, converted->buffer, converted->length);
ret = converted->length;
}
FreeDer(&converted);
else
ret = BUFFER_E;
}
FreeDer(&converted);
}
XFCLOSE(file);
@ -4661,8 +4634,8 @@ int wolfSSL_PemPubKeyToDer(const char* fileName,
int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz,
unsigned char* buff, int buffSz)
{
int ret;
DerBuffer der;
int ret;
DerBuffer* der = NULL;
WOLFSSL_ENTER("wolfSSL_PubKeyPemToDer");
@ -4671,19 +4644,14 @@ int wolfSSL_PubKeyPemToDer(const unsigned char* pem, int pemSz,
return BAD_FUNC_ARG;
}
ret = InitDer(&der);
if (ret < 0) {
return ret;
}
ret = PemToDer(pem, pemSz, PUBLICKEY_TYPE, &der, NULL, NULL, NULL);
if (ret < 0) {
WOLFSSL_MSG("Bad Pem To Der");
}
else {
if (der.length <= (word32)buffSz) {
XMEMCPY(buff, der.buffer, der.length);
ret = der.length;
if (der->length <= (word32)buffSz) {
XMEMCPY(buff, der->buffer, der->length);
ret = der->length;
}
else {
WOLFSSL_MSG("Bad der length");
@ -6339,7 +6307,16 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
}
}
#endif /* NO_HANDSHAKE_DONE_CB */
FreeHandshakeResources(ssl);
if (!ssl->options.dtls) {
FreeHandshakeResources(ssl);
}
#ifdef WOLFSSL_DTLS
else {
ssl->options.dtlsHsRetain = 1;
}
#endif /* WOLFSSL_DTLS */
WOLFSSL_LEAVE("SSL_connect()", SSL_SUCCESS);
return SSL_SUCCESS;
@ -6430,9 +6407,11 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
#ifndef NO_CERTS
/* in case used set_accept_state after init */
if (!havePSK && !haveAnon &&
(ssl->buffers.certificate.buffer == NULL ||
ssl->buffers.key.buffer == NULL)) {
if (!havePSK && !haveAnon &&
(!ssl->buffers.certificate ||
!ssl->buffers.certificate->buffer ||
!ssl->buffers.key ||
!ssl->buffers.key->buffer)) {
WOLFSSL_MSG("accept error: don't have server cert and key");
ssl->error = NO_PRIVATE_KEY;
WOLFSSL_ERROR(ssl->error);
@ -6613,7 +6592,16 @@ int wolfSSL_DTLS_SetCookieSecret(WOLFSSL* ssl,
}
}
#endif /* NO_HANDSHAKE_DONE_CB */
FreeHandshakeResources(ssl);
if (!ssl->options.dtls) {
FreeHandshakeResources(ssl);
}
#ifdef WOLFSSL_DTLS
else {
ssl->options.dtlsHsRetain = 1;
}
#endif /* WOLFSSL_DTLS */
WOLFSSL_LEAVE("SSL_accept()", SSL_SUCCESS);
return SSL_SUCCESS;
@ -7697,9 +7685,8 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
const unsigned char* buf,
long sz, int format)
{
DerBuffer der;
DerBuffer* der = NULL;
int ret = 0;
int weOwnDer = 0;
word32 pSz = MAX_DH_SIZE;
word32 gSz = MAX_DH_SIZE;
#ifdef WOLFSSL_SMALL_STACK
@ -7713,8 +7700,12 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
if (ctx == NULL || buf == NULL)
return BAD_FUNC_ARG;
der.buffer = (byte*)buf;
der.length = (word32)sz;
ret = AllocDer(&der, 0, DH_PARAM_TYPE, ctx->heap);
if (ret != 0) {
return ret;
}
der->buffer = (byte*)buf;
der->length = (word32)sz;
#ifdef WOLFSSL_SMALL_STACK
p = (byte*)XMALLOC(pSz, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -7731,16 +7722,13 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
ret = SSL_BAD_FILETYPE;
else {
if (format == SSL_FILETYPE_PEM) {
ret = InitDer(&der);
if (ret == 0) {
ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap,
NULL, NULL);
weOwnDer = 1;
}
FreeDer(&der);
ret = PemToDer(buf, sz, DH_PARAM_TYPE, &der, ctx->heap,
NULL, NULL);
}
if (ret == 0) {
if (wc_DhParamsLoad(der.buffer, der.length, p, &pSz, g, &gSz) < 0)
if (wc_DhParamsLoad(der->buffer, der->length, p, &pSz, g, &gSz) < 0)
ret = SSL_BAD_FILETYPE;
else if (ssl)
ret = wolfSSL_SetTmpDH(ssl, p, pSz, g, gSz);
@ -7749,8 +7737,7 @@ int wolfSSL_set_compression(WOLFSSL* ssl)
}
}
if (weOwnDer)
FreeDer(&der);
FreeDer(&der);
#ifdef WOLFSSL_SMALL_STACK
XFREE(p, NULL, DYNAMIC_TYPE_TMP_BUFFER);
@ -9719,6 +9706,7 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
if (x509) {
if (x509->dynamicMemory) {
FreeX509(x509);
XFREE(x509, NULL, DYNAMIC_TYPE_X509);
} else {
WOLFSSL_MSG("free called on non dynamic object, not freeing");
}
@ -10091,8 +10079,8 @@ static void ExternalFreeX509(WOLFSSL_X509* x509)
if (x509 == NULL || outSz == NULL)
return NULL;
*outSz = (int)x509->derCert.length;
return x509->derCert.buffer;
*outSz = (int)x509->derCert->length;
return x509->derCert->buffer;
}
@ -10306,7 +10294,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
XFILE file;
WOLFSSL_X509* x509 = NULL;
DerBuffer der;
DerBuffer* der = NULL;
WOLFSSL_ENTER("wolfSSL_X509_load_certificate");
@ -10315,11 +10303,6 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
(format != SSL_FILETYPE_ASN1 && format != SSL_FILETYPE_PEM))
return NULL;
ret = InitDer(&der);
if (ret < 0) {
return NULL;
}
file = XFOPEN(fname, "rb");
if (file == XBADFILE)
return NULL;
@ -10385,7 +10368,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
else {
ret = AllocDer(&der, (word32)sz, CERT_TYPE, NULL);
if (ret == 0) {
XMEMCPY(der.buffer, fileBuffer, sz);
XMEMCPY(der->buffer, fileBuffer, sz);
}
}
@ -10394,7 +10377,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
/* At this point we want `der` to have the certificate in DER format */
/* ready to be decoded. */
if (der.buffer != NULL) {
if (der != NULL && der->buffer != NULL) {
#ifdef WOLFSSL_SMALL_STACK
DecodedCert* cert = NULL;
#else
@ -10407,7 +10390,7 @@ WOLFSSL_X509* wolfSSL_X509_load_certificate_file(const char* fname, int format)
if (cert != NULL)
#endif
{
InitDecodedCert(cert, der.buffer, der.length, NULL);
InitDecodedCert(cert, der->buffer, der->length, NULL);
if (ParseCertRelative(cert, CERT_TYPE, 0, NULL) == 0) {
x509 = (WOLFSSL_X509*)XMALLOC(sizeof(WOLFSSL_X509), NULL,
DYNAMIC_TYPE_X509);
@ -11194,19 +11177,17 @@ int wolfSSL_X509_STORE_add_cert(WOLFSSL_X509_STORE* store, WOLFSSL_X509* x509)
int result = SSL_FATAL_ERROR;
WOLFSSL_ENTER("wolfSSL_X509_STORE_add_cert");
if (store != NULL && store->cm != NULL && x509 != NULL) {
DerBuffer derCert;
if (store != NULL && store->cm != NULL && x509 != NULL
&& x509->derCert != NULL) {
DerBuffer* derCert = NULL;
result = InitDer(&derCert);
result = AllocDer(&derCert, x509->derCert->length,
x509->derCert->type, NULL);
if (result == 0) {
result = AllocDer(&derCert, x509->derCert.length,
x509->derCert.type, NULL);
if (result == 0) {
/* AddCA() frees the buffer. */
XMEMCPY(derCert.buffer,
x509->derCert.buffer, x509->derCert.length);
result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, 1);
}
/* AddCA() frees the buffer. */
XMEMCPY(derCert->buffer,
x509->derCert->buffer, x509->derCert->length);
result = AddCA(store->cm, &derCert, WOLFSSL_USER_CA, 1);
}
}
@ -11319,10 +11300,10 @@ void wolfSSL_X509_STORE_CTX_cleanup(WOLFSSL_X509_STORE_CTX* ctx)
int wolfSSL_X509_verify_cert(WOLFSSL_X509_STORE_CTX* ctx)
{
if (ctx != NULL && ctx->store != NULL && ctx->store->cm != NULL
&& ctx->current_cert != NULL) {
&& ctx->current_cert != NULL && ctx->current_cert->derCert != NULL) {
return wolfSSL_CertManagerVerifyBuffer(ctx->store->cm,
ctx->current_cert->derCert.buffer,
ctx->current_cert->derCert.length,
ctx->current_cert->derCert->buffer,
ctx->current_cert->derCert->length,
SSL_FILETYPE_ASN1);
}
return SSL_FATAL_ERROR;
@ -11776,12 +11757,7 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
int eccKey = 0;
WOLFSSL_CTX* ctx = ssl->ctx;
WOLFSSL_X509* peer_cert = &ssl->peerCert;
DerBuffer fileDer;
ret = InitDer(&fileDer);
if (ret < 0) {
return ret;
}
DerBuffer* fileDer = NULL;
file = XFOPEN(fname, "rb");
if (file == XBADFILE)
@ -11814,10 +11790,10 @@ int wolfSSL_cmp_peer_cert_to_file(WOLFSSL* ssl, const char *fname)
(XFREAD(myBuffer, sz, 1, file) > 0) &&
(PemToDer(myBuffer, sz, CERT_TYPE,
&fileDer, ctx->heap, info, &eccKey) == 0) &&
(fileDer.length != 0) &&
(fileDer.length == peer_cert->derCert.length) &&
(XMEMCMP(peer_cert->derCert.buffer, fileDer.buffer,
fileDer.length) == 0))
(fileDer->length != 0) &&
(fileDer->length == peer_cert->derCert->length) &&
(XMEMCMP(peer_cert->derCert->buffer, fileDer->buffer,
fileDer->length) == 0))
{
ret = 0;
}

22
src/tls.c
View File

@ -3400,13 +3400,13 @@ static void TLSX_QSHAgreement(TLSX** extensions)
{
TLSX* extension = TLSX_Find(*extensions, TLSX_QUANTUM_SAFE_HYBRID);
QSHScheme* format = NULL;
QSHScheme* delete = NULL;
QSHScheme* del = NULL;
QSHScheme* prev = NULL;
if (extension == NULL)
return;
format = extension->data;
format = (QSHScheme*)extension->data;
while (format) {
if (format->PKLen == 0) {
/* case of head */
@ -3415,10 +3415,10 @@ static void TLSX_QSHAgreement(TLSX** extensions)
}
if (prev)
prev->next = format->next;
delete = format;
del = format;
format = format->next;
XFREE(delete, 0, DYNAMIC_TYPE_TMP_ARRAY);
delete = NULL;
XFREE(del, 0, DYNAMIC_TYPE_TMP_ARRAY);
del = NULL;
} else {
prev = format;
format = format->next;
@ -3866,7 +3866,7 @@ void TLSX_FreeAll(TLSX* list)
break;
case TLSX_QUANTUM_SAFE_HYBRID:
QSH_FREE_ALL(extension->data);
QSH_FREE_ALL((QSHScheme*)extension->data);
break;
case TLSX_APPLICATION_LAYER_PROTOCOL:
@ -3941,7 +3941,7 @@ static word16 TLSX_GetSize(TLSX* list, byte* semaphore, byte isRequest)
break;
case TLSX_QUANTUM_SAFE_HYBRID:
length += QSH_GET_SIZE(extension->data, isRequest);
length += QSH_GET_SIZE((QSHScheme*)extension->data, isRequest);
break;
case TLSX_APPLICATION_LAYER_PROTOCOL:
@ -4023,9 +4023,9 @@ static word16 TLSX_Write(TLSX* list, byte* output, byte* semaphore,
case TLSX_QUANTUM_SAFE_HYBRID:
if (isRequest) {
offset += QSH_WRITE(extension->data, output + offset);
offset += QSH_WRITE((QSHScheme*)extension->data, output + offset);
}
offset += QSHPK_WRITE(extension->data, output + offset);
offset += QSHPK_WRITE((QSHScheme*)extension->data, output + offset);
offset += QSH_SERREQ(output + offset, isRequest);
break;
@ -4102,6 +4102,8 @@ static int TLSX_CreateQSHKey(WOLFSSL* ssl, int type)
static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key)
{
QSHKey* current;
if (key == NULL)
return BAD_FUNC_ARG;
@ -4110,7 +4112,7 @@ static int TLSX_AddQSHKey(QSHKey** list, QSHKey* key)
return 0;
/* first element to be added to the list */
QSHKey* current = *list;
current = *list;
if (current == NULL) {
*list = key;
return 0;

2
tests/include.am
View File

@ -3,7 +3,7 @@
# All paths should be given relative to the root
if BUILD_EXAMPLES
if BUILD_TESTS
check_PROGRAMS += tests/unit.test
noinst_PROGRAMS += tests/unit.test
tests_unit_test_SOURCES = \

2
testsuite/include.am
View File

@ -3,7 +3,7 @@
# All paths should be given relative to the root
if BUILD_EXAMPLES
if BUILD_TESTS
check_PROGRAMS += testsuite/testsuite.test
noinst_PROGRAMS += testsuite/testsuite.test
testsuite_testsuite_test_SOURCES = \

115
wolfcrypt/src/asn.c
View File

@ -4596,87 +4596,80 @@ static int DecodePolicyOID(char *out, word32 outSz, byte *in, word32 inSz)
#endif /* WOLFSSL_CERT_EXT && !WOLFSSL_SEP */
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
/* Reference: https://tools.ietf.org/html/rfc5280#section-4.2.1.4 */
static int DecodeCertPolicy(byte* input, int sz, DecodedCert* cert)
{
word32 idx = 0;
int total_length = 0, length = 0;
int total_length = 0, policy_length = 0, length = 0;
WOLFSSL_ENTER("DecodeCertPolicy");
/* Unwrap certificatePolicies */
if (GetSequence(input, &idx, &total_length, sz) < 0) {
WOLFSSL_MSG("\tdeviceType isn't OID");
WOLFSSL_MSG("\tGet CertPolicy total seq failed");
return ASN_PARSE_E;
}
if (GetSequence(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tdeviceType isn't OID");
return ASN_PARSE_E;
}
total_length -= (length+1);
if (input[idx++] != ASN_OBJECT_ID) {
WOLFSSL_MSG("\tdeviceType isn't OID");
return ASN_PARSE_E;
}
total_length--;
if (GetLength(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tCouldn't read length of deviceType");
/* Validate total length (2 is the CERT_POLICY_OID+SEQ) */
if ((total_length + 2) != sz) {
WOLFSSL_MSG("\tCertPolicy length mismatch");
return ASN_PARSE_E;
}
if (length > 0) {
#if defined(WOLFSSL_SEP)
cert->deviceType = (byte*)XMALLOC(length, cert->heap,
DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType == NULL) {
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
return MEMORY_E;
}
cert->deviceTypeSz = length;
XMEMCPY(cert->deviceType, input + idx, length);
#elif defined(WOLFSSL_CERT_EXT)
/* decode cert policy */
if (DecodePolicyOID(cert->extCertPolicies[0], MAX_CERTPOL_SZ,
input+idx, length) != 0) {
WOLFSSL_MSG("\tCouldn't read Policy OID 1");
/* Unwrap certificatePolicies */
do {
if (GetSequence(input, &idx, &policy_length, sz) < 0) {
WOLFSSL_MSG("\tGet CertPolicy seq failed");
return ASN_PARSE_E;
}
cert->extCertPoliciesNb++;
/* check if we have a second value */
if (total_length) {
idx += length;
if (input[idx++] != ASN_OBJECT_ID) {
WOLFSSL_MSG("\tCertPolicy isn't OID");
return ASN_PARSE_E;
}
policy_length--;
if (GetSequence(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tdeviceType isn't OID");
if (GetLength(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tGet CertPolicy length failed");
return ASN_PARSE_E;
}
policy_length--;
if (length > 0) {
/* Verify length won't overrun buffer */
if (length > (sz - (int)idx)) {
WOLFSSL_MSG("\tCertPolicy length exceeds input buffer");
return ASN_PARSE_E;
}
if (input[idx++] != ASN_OBJECT_ID) {
WOLFSSL_MSG("\tdeviceType isn't OID");
return ASN_PARSE_E;
#if defined(WOLFSSL_SEP)
cert->deviceType = (byte*)XMALLOC(length, cert->heap,
DYNAMIC_TYPE_X509_EXT);
if (cert->deviceType == NULL) {
WOLFSSL_MSG("\tCouldn't alloc memory for deviceType");
return MEMORY_E;
}
if (GetLength(input, &idx, &length, sz) < 0) {
WOLFSSL_MSG("\tCouldn't read length of deviceType");
return ASN_PARSE_E;
}
cert->deviceTypeSz = length;
XMEMCPY(cert->deviceType, input + idx, length);
break;
#elif defined(WOLFSSL_CERT_EXT)
/* decode cert policy */
if (DecodePolicyOID(cert->extCertPolicies[1], MAX_CERTPOL_SZ,
input+idx, length) != 0) {
WOLFSSL_MSG("\tCouldn't read Policy OID 2");
if (DecodePolicyOID(cert->extCertPolicies[cert->extCertPoliciesNb], MAX_CERTPOL_SZ,
input + idx, length) != 0) {
WOLFSSL_MSG("\tCouldn't decode CertPolicy");
return ASN_PARSE_E;
}
cert->extCertPoliciesNb++;
#else
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
return 0;
#endif
}
#else
WOLFSSL_LEAVE("DecodeCertPolicy : unsupported mode", 0);
return 0;
#endif
}
idx += policy_length;
} while((int)idx < total_length
#if defined(WOLFSSL_CERT_EXT)
&& cert->extCertPoliciesNb < MAX_CERTPOL_NB
#endif
);
WOLFSSL_LEAVE("DecodeCertPolicy", 0);
return 0;
@ -4802,7 +4795,6 @@ static int DecodeCertExtensions(DecodedCert* cert)
break;
case CERT_POLICY_OID:
WOLFSSL_MSG("Certificate Policy extension not supported yet.");
#ifdef WOLFSSL_SEP
#ifdef OPENSSL_EXTRA
cert->extCertPolicySet = 1;
@ -4810,8 +4802,11 @@ static int DecodeCertExtensions(DecodedCert* cert)
#endif
#endif
#if defined(WOLFSSL_SEP) || defined(WOLFSSL_CERT_EXT)
if (DecodeCertPolicy(&input[idx], length, cert) < 0)
return ASN_PARSE_E;
if (DecodeCertPolicy(&input[idx], length, cert) < 0) {
return ASN_PARSE_E;
}
#else
WOLFSSL_MSG("Certificate Policy extension not supported yet.");
#endif
break;
@ -4917,7 +4912,7 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm)
#endif
#ifdef WOLFCRYPT_ONLY
#if defined(WOLFCRYPT_ONLY) || defined(NO_CERTS)
/* dummy functions, not using wolfSSL so don't need actual ones */
Signer* GetCA(void* signers, byte* hash)
@ -4936,7 +4931,7 @@ Signer* GetCAByName(void* signers, byte* hash)
}
#endif /* NO_SKID */
#endif /* WOLFCRYPT_ONLY */
#endif /* WOLFCRYPT_ONLY || NO_CERTS */
#ifndef NO_ASN_TIME
int ParseCertRelative(DecodedCert* cert, int type, int verify, void* cm)

8
wolfcrypt/src/random.c
View File

@ -1160,7 +1160,13 @@ int wc_GenerateSeed(OS_Seed* os, byte* output, word32 sz)
int i;
/* turn on RNGA module */
SIM_SCGC3 |= SIM_SCGC3_RNGA_MASK;
#if defined(SIM_SCGC3_RNGA_MASK)
SIM_SCGC3 |= SIM_SCGC3_RNGA_MASK;
#endif
#if defined(SIM_SCGC6_RNGA_MASK)
/* additionally needed for at least K64F */
SIM_SCGC6 |= SIM_SCGC6_RNGA_MASK;
#endif
/* set SLP bit to 0 - "RNGA is not in sleep mode" */
RNG_CR &= ~RNG_CR_SLP_MASK;

6
wolfcrypt/test/test.c
View File

@ -3832,12 +3832,14 @@ int certext_test(void)
if (cert.isCA)
return -206;
#ifndef WOLFSSL_SEP /* test only if not using SEP policies */
/* check the Certificate Policies Id */
if (cert.extCertPoliciesNb != 1)
return -227;
if (strncmp(cert.extCertPolicies[0], "2.16.840.1.101.3.4.1.42", 23))
return -228;
#endif
FreeDecodedCert(&cert);
@ -3881,6 +3883,7 @@ int certext_test(void)
if (cert.isCA)
return -216;
#ifndef WOLFSSL_SEP /* test only if not using SEP policies */
/* check the Certificate Policies Id */
if (cert.extCertPoliciesNb != 2)
return -217;
@ -3890,6 +3893,7 @@ int certext_test(void)
if (strncmp(cert.extCertPolicies[1], "1.2.13025.489.1.113549", 22))
return -219;
#endif
FreeDecodedCert(&cert);
#endif /* HAVE_ECC */
@ -3933,6 +3937,7 @@ int certext_test(void)
if (!cert.isCA)
return -226;
#ifndef WOLFSSL_SEP /* test only if not using SEP policies */
/* check the Certificate Policies Id */
if (cert.extCertPoliciesNb != 2)
return -227;
@ -3942,6 +3947,7 @@ int certext_test(void)
if (strncmp(cert.extCertPolicies[1], "1.2.840.113549.1.9.16.6.5", 25))
return -229;
#endif
FreeDecodedCert(&cert);
free(tmp);

6
wolfssl-ntru.vcproj
View File

@ -177,6 +177,7 @@
<File
RelativePath=".\wolfcrypt\src\coding.c"
>
</File>
<File
RelativePath=".\wolfcrypt\src\chacha.c"
>
@ -268,6 +269,7 @@
<File
RelativePath=".\wolfcrypt\src\poly1305.c"
>
</File>
<File
RelativePath=".\wolfcrypt\src\wc_port.c"
>
@ -316,6 +318,10 @@
RelativePath=".\src\tls.c"
>
</File>
<File
RelativePath=".\wolfcrypt\src\wc_encrypt.c"
>
</File>
</Filter>
<Filter
Name="Header Files"

26
wolfssl/internal.h
View File

@ -1828,10 +1828,10 @@ struct WOLFSSL_CTX {
buffer serverDH_G;
#endif
#ifndef NO_CERTS
DerBuffer certificate;
DerBuffer certChain;
DerBuffer* certificate;
DerBuffer* certChain;
/* chain after self, in DER, with leading size for each cert */
DerBuffer privateKey;
DerBuffer* privateKey;
WOLFSSL_CERT_MANAGER* cm; /* our cert manager, ctx owns SSL will use */
#endif
Suites* suites; /* make dynamic, user may not need/set */
@ -1941,7 +1941,7 @@ int ProcessOldClientHello(WOLFSSL* ssl, const byte* input, word32* inOutIdx,
word32 inSz, word16 sz);
#ifndef NO_CERTS
WOLFSSL_LOCAL
int AddCA(WOLFSSL_CERT_MANAGER* ctx, DerBuffer* der, int type, int verify);
int AddCA(WOLFSSL_CERT_MANAGER* cm, DerBuffer** pDer, int type, int verify);
WOLFSSL_LOCAL
int AlreadySigner(WOLFSSL_CERT_MANAGER* cm, byte* hash);
#ifdef WOLFSSL_TRUST_PEER_CERT
@ -2209,9 +2209,9 @@ typedef struct Buffers {
buffer serverDH_Priv;
#endif
#ifndef NO_CERTS
DerBuffer certificate; /* WOLFSSL_CTX owns, unless we own */
DerBuffer key; /* WOLFSSL_CTX owns, unless we own */
DerBuffer certChain; /* WOLFSSL_CTX owns, unless we own */
DerBuffer* certificate; /* WOLFSSL_CTX owns, unless we own */
DerBuffer* key; /* WOLFSSL_CTX owns, unless we own */
DerBuffer* certChain; /* WOLFSSL_CTX owns, unless we own */
/* chain after self, in DER, with leading size for each cert */
#endif
#ifdef WOLFSSL_DTLS
@ -2286,6 +2286,9 @@ typedef struct Options {
word16 createTicket:1; /* Server to create new Ticket */
word16 useTicket:1; /* Use Ticket not session cache */
#endif
#ifdef WOLFSSL_DTLS
word16 dtlsHsRetain:1; /* DTLS retaining HS data */
#endif
/* need full byte values for this section */
byte processReply; /* nonblocking resume */
@ -2386,7 +2389,7 @@ struct WOLFSSL_X509 {
word32 pkCurveOID;
#endif /* HAVE_ECC */
#ifndef NO_CERTS
DerBuffer derCert; /* may need */
DerBuffer* derCert; /* may need */
#endif
DNS_entry* altNames; /* alt names list */
DNS_entry* altNamesNext; /* hint for retrieval */
@ -2710,12 +2713,11 @@ typedef struct EncryptedInfo {
#ifndef NO_CERTS
WOLFSSL_LOCAL int InitDer(DerBuffer* der);
WOLFSSL_LOCAL int AllocDer(DerBuffer* der, word32 length, int type, void* heap);
WOLFSSL_LOCAL void FreeDer(DerBuffer* der);
WOLFSSL_LOCAL int AllocDer(DerBuffer** der, word32 length, int type, void* heap);
WOLFSSL_LOCAL void FreeDer(DerBuffer** der);
WOLFSSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
DerBuffer* der, void* heap, EncryptedInfo* info,
DerBuffer** pDer, void* heap, EncryptedInfo* info,
int* eccKey);
WOLFSSL_LOCAL int ProcessFile(WOLFSSL_CTX* ctx, const char* fname, int format,

6
wolfssl/ocsp.h
View File

@ -34,14 +34,16 @@
extern "C" {
#endif
struct buffer;
typedef struct WOLFSSL_OCSP WOLFSSL_OCSP;
WOLFSSL_LOCAL int InitOCSP(WOLFSSL_OCSP*, WOLFSSL_CERT_MANAGER*);
WOLFSSL_LOCAL void FreeOCSP(WOLFSSL_OCSP*, int dynamic);
WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*, void*);
WOLFSSL_LOCAL int CheckCertOCSP(WOLFSSL_OCSP*, DecodedCert*,
struct buffer* responseBuffer);
WOLFSSL_LOCAL int CheckOcspRequest(WOLFSSL_OCSP* ocsp,
OcspRequest* ocspRequest, void*);
OcspRequest* ocspRequest, struct buffer* responseBuffer);
#ifdef __cplusplus
} /* extern "C" */

20
wolfssl/test.h
View File

@ -834,6 +834,9 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
{
SOCKADDR_IN_T client;
socklen_t client_len = sizeof(client);
tcp_ready* ready = NULL;
(void) ready; /* Account for case when "ready" is not used */
if (udp) {
udp_accept(sockfd, clientfd, useAnyAddr, port, args);
@ -845,8 +848,8 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
#if defined(_POSIX_THREADS) && defined(NO_MAIN_DRIVER) && !defined(__MINGW32__)
/* signal ready to tcp_accept */
{
tcp_ready* ready = args->signal;
if (args)
ready = args->signal;
if (ready) {
pthread_mutex_lock(&ready->mutex);
ready->ready = 1;
@ -854,18 +857,21 @@ static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd,
pthread_cond_signal(&ready->cond);
pthread_mutex_unlock(&ready->mutex);
}
}
#elif defined (WOLFSSL_TIRTOS)
/* Need mutex? */
tcp_ready* ready = args->signal;
ready->ready = 1;
ready->port = port;
if (args)
ready = args->signal;
if (ready) {
ready->ready = 1;
ready->port = port;
}
#endif
if (ready_file) {
#ifndef NO_FILESYSTEM
FILE* srf = NULL;
tcp_ready* ready = args ? args->signal : NULL;
if (args)
ready = args->signal;
if (ready) {
srf = fopen(ready->srfName, "w");