From 3ec2b9dbbce4c91c61df79e2ba6186b46e5b4c9e Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 16 May 2012 17:04:56 -0700 Subject: [PATCH] crl stage 2 --- Makefile.am | 1 + certs/crl/crl.pem | 41 +++++ certs/crl/include.am | 9 ++ ctaocrypt/src/asn.c | 276 ++++++++++++++++++++++++++++++++-- cyassl/crl.h | 17 +-- cyassl/ctaocrypt/asn.h | 36 +++++ cyassl/ctaocrypt/asn_public.h | 1 + cyassl/ctaocrypt/types.h | 5 +- cyassl/error.h | 6 +- cyassl/internal.h | 36 +++++ cyassl/ssl.h | 17 +++ cyassl/test.h | 1 + examples/client/client.c | 5 + src/crl.c | 251 ++++++++++++++++++++++++++++++- src/internal.c | 27 +++- src/ssl.c | 202 ++++++++++++++++++++++--- 16 files changed, 881 insertions(+), 50 deletions(-) create mode 100644 certs/crl/crl.pem create mode 100644 certs/crl/include.am diff --git a/Makefile.am b/Makefile.am index a502fe4f1..95d4ead56 100644 --- a/Makefile.am +++ b/Makefile.am @@ -39,6 +39,7 @@ EXTRA_DIST+= cyassl.sln include cyassl/include.am include certs/include.am +include certs/crl/include.am include doc/include.am include swig/include.am diff --git a/certs/crl/crl.pem b/certs/crl/crl.pem new file mode 100644 index 000000000..90af3b8ec --- /dev/null +++ b/certs/crl/crl.pem @@ -0,0 +1,41 @@ +Certificate Revocation List (CRL): + Version 2 (0x1) + Signature Algorithm: sha1WithRSAEncryption + Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.yassl.com/emailAddress=info@yassl.com + Last Update: May 15 23:51:25 2012 GMT + Next Update: Jun 14 23:51:25 2012 GMT + CRL extensions: + X509v3 CRL Number: + 4 +Revoked Certificates: + Serial Number: 02 + Revocation Date: May 4 17:06:05 2012 GMT + Signature Algorithm: sha1WithRSAEncryption + aa:e4:44:9b:6b:c9:0b:d3:6f:ba:09:3d:90:93:ae:96:86:73: + f6:90:28:ba:93:3b:95:0c:91:c9:10:53:f1:15:fd:43:9a:ba: + 4e:dc:8e:e8:10:4d:d8:8b:be:a8:a2:12:4c:19:c1:13:9f:3c: + fe:54:60:32:b7:45:77:17:2a:40:f2:16:52:9e:68:fe:be:03: + 99:9c:b1:d3:4b:be:87:5b:f4:12:3c:9e:3d:59:c8:b9:a2:2c: + 78:94:9c:cd:b0:17:d0:b3:bd:86:99:2b:1d:38:b5:03:d8:d1: + 0d:8f:1a:8c:97:ff:87:01:4f:91:22:30:c2:a5:10:bb:e3:fb: + 31:b7:44:8a:5a:82:e1:e5:30:69:84:d1:4b:c2:d3:07:bf:21: + d5:33:2d:ad:4b:e4:6f:83:c1:66:16:74:31:7d:f9:d6:1e:10: + 66:fd:7d:ad:66:3c:32:cc:a3:98:75:63:16:5c:df:e1:37:3d: + e9:08:d2:7b:05:dd:4c:31:92:53:0c:f1:ea:8e:be:31:d1:eb: + ac:37:a8:cd:c4:30:c5:91:cc:38:a3:55:4a:51:01:39:cf:7d: + 50:57:d2:f2:47:4a:1d:7f:3a:32:16:89:e8:5a:1b:f8:64:33: + 48:e5:b8:ef:ba:2e:f3:52:7e:ba:28:0e:9b:f7:07:b8:b6:38: + f9:d0:dd:78 +-----BEGIN X509 CRL----- +MIICADCB6QIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMxEDAOBgNV +BAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAPBgNVBAoTCFNhd3Rvb3Ro +MRMwEQYDVQQLEwpDb25zdWx0aW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w +GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTIwNTE1MjM1MTI1WhcNMTIw +NjE0MjM1MTI1WjAUMBICAQIXDTEyMDUwNDE3MDYwNVqgDjAMMAoGA1UdFAQDAgEE +MA0GCSqGSIb3DQEBBQUAA4IBAQCq5ESba8kL02+6CT2Qk66WhnP2kCi6kzuVDJHJ +EFPxFf1DmrpO3I7oEE3Yi76oohJMGcETnzz+VGAyt0V3FypA8hZSnmj+vgOZnLHT +S76HW/QSPJ49Wci5oix4lJzNsBfQs72GmSsdOLUD2NENjxqMl/+HAU+RIjDCpRC7 +4/sxt0SKWoLh5TBphNFLwtMHvyHVMy2tS+Rvg8FmFnQxffnWHhBm/X2tZjwyzKOY +dWMWXN/hNz3pCNJ7Bd1MMZJTDPHqjr4x0eusN6jNxDDFkcw4o1VKUQE5z31QV9Ly +R0odfzoyFonoWhv4ZDNI5bjvui7zUn66KA6b9we4tjj50N14 +-----END X509 CRL----- diff --git a/certs/crl/include.am b/certs/crl/include.am new file mode 100644 index 000000000..da58bbb8a --- /dev/null +++ b/certs/crl/include.am @@ -0,0 +1,9 @@ +# vim:ft=automake +# All paths should be given relative to the root +# + +certs_DATA+= \ + certs/crl/crl.pem + +EXTRA_DIST+= ${certs_DATA} + diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 0af015174..a4a8e8c34 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -355,6 +355,8 @@ static int GetMyVersion(const byte* input, word32* inOutIdx, int* version) { word32 idx = *inOutIdx; + CYASSL_ENTER("GetMyVersion"); + if (input[idx++] != ASN_INTEGER) return ASN_PARSE_E; @@ -398,6 +400,7 @@ static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version) { word32 idx = *inOutIdx; + CYASSL_ENTER("GetExplicitVersion"); if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) { *inOutIdx = ++idx; /* eat header */ return GetMyVersion(input, inOutIdx, version); @@ -446,7 +449,9 @@ static int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid, word32 i = *inOutIdx; byte b; *oid = 0; - + + CYASSL_ENTER("GetAlgoId"); + if (GetSequence(input, &i, &length, maxIdx) < 0) return ASN_PARSE_E; @@ -1250,8 +1255,6 @@ static int GetName(DecodedCert* cert, int nameType) char* full = (nameType == ISSUER) ? cert->issuer : cert->subject; word32 idx = 0; - InitSha(&sha); - if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) { CYASSL_MSG("Trying optional prefix..."); @@ -1265,6 +1268,13 @@ static int GetName(DecodedCert* cert, int nameType) if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0) return ASN_PARSE_E; + InitSha(&sha); + ShaUpdate(&sha, &cert->source[cert->srcIdx], length); + if (nameType == ISSUER) + ShaFinal(&sha, cert->issuerHash); + else + ShaFinal(&sha, cert->subjectHash); + length += cert->srcIdx; while (cert->srcIdx < (word32)length) { @@ -1395,7 +1405,6 @@ static int GetName(DecodedCert* cert, int nameType) idx += strLen; } - ShaUpdate(&sha, &cert->source[cert->srcIdx], strLen); cert->srcIdx += strLen; } else { @@ -1450,11 +1459,6 @@ static int GetName(DecodedCert* cert, int nameType) } full[idx++] = 0; - if (nameType == ISSUER) - ShaFinal(&sha, cert->issuerHash); - else - ShaFinal(&sha, cert->subjectHash); - return 0; } @@ -4169,3 +4173,257 @@ int EncodeOcspRequest(DecodedCert* cert, byte* output, word32 outputSz) } #endif + + +#ifdef HAVE_CRL + +/* initialize decoded CRL */ +void InitDecodedCRL(DecodedCRL* dcrl) +{ + CYASSL_MSG("InitDecodedCRL"); + + dcrl->certBegin = 0; + dcrl->sigIndex = 0; + dcrl->sigLength = 0; + dcrl->signatureOID = 0; + dcrl->certs = NULL; + dcrl->totalCerts = 0; +} + + +/* free decoded CRL resources */ +void FreeDecodedCRL(DecodedCRL* dcrl) +{ + RevokedCert* tmp = dcrl->certs; + + CYASSL_MSG("FreeDecodedCRL"); + + while(tmp) { + RevokedCert* next = tmp->next; + XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED); + tmp = next; + } +} + + +/* store SHA1 hash of NAME */ +static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx) +{ + Sha sha; + int length; /* length of all distinguished names */ + + CYASSL_ENTER("GetNameHash"); + + if (source[*idx] == ASN_OBJECT_ID) { + CYASSL_MSG("Trying optional prefix..."); + + if (GetLength(source, idx, &length, maxIdx) < 0) + return ASN_PARSE_E; + + *idx += length; + CYASSL_MSG("Got optional prefix"); + } + + if (GetSequence(source, idx, &length, maxIdx) < 0) + return ASN_PARSE_E; + + InitSha(&sha); + ShaUpdate(&sha, &source[*idx], length); + ShaFinal(&sha, hash); + + *idx += length; + + return 0; +} + + +/* Get raw Date only, no processing, 0 on success */ +static int GetBasicDate(const byte* source, word32* idx, byte* date, int maxIdx) +{ + int length; + byte b = source[*idx]; + + CYASSL_ENTER("GetBasicDate"); + + *idx += 1; + if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) + return ASN_TIME_E; + + if (GetLength(source, idx, &length, maxIdx) < 0) + return ASN_PARSE_E; + + if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE) + return ASN_DATE_SZ_E; + + XMEMCPY(date, &source[*idx], length); + *idx += length; + + return 0; +} + + +/* Get Revoked Cert list, 0 on success */ +static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl, + int maxIdx) +{ + int len; + byte b; + RevokedCert* rc; + + CYASSL_ENTER("GetRevoked"); + + if (GetSequence(buff, idx, &len, maxIdx) < 0) + return ASN_PARSE_E; + + /* get serial number */ + b = buff[*idx]; + *idx += 1; + + if (b != ASN_INTEGER) { + CYASSL_MSG("Expecting Integer"); + return ASN_PARSE_E; + } + + if (GetLength(buff, idx, &len, maxIdx) < 0) + return ASN_PARSE_E; + + if (len > EXTERNAL_SERIAL_SIZE) { + CYASSL_MSG("Serial Size too big"); + return ASN_PARSE_E; + } + + rc = XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL); + if (rc == NULL) { + CYASSL_MSG("Alloc Revoked Cert failed"); + return MEMORY_E; + } + + XMEMCPY(rc->serialNumber, &buff[*idx], len); + rc->serialSz = len; + + /* add to list */ + rc->next = dcrl->certs; + dcrl->certs = rc; + dcrl->totalCerts++; + + *idx += len; + + /* get date */ + b = buff[*idx]; + *idx += 1; + + if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) { + CYASSL_MSG("Expecting Date"); + return ASN_PARSE_E; + } + + if (GetLength(buff, idx, &len, maxIdx) < 0) + return ASN_PARSE_E; + + /* skip for now */ + *idx += len; + + return 0; +} + + +/* Get CRL Signature, 0 on success */ +static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl, + int maxIdx) +{ + int length; + byte b; + + CYASSL_ENTER("GetCRL_Signature"); + + b = source[*idx]; + *idx += 1; + if (b != ASN_BIT_STRING) + return ASN_BITSTR_E; + + if (GetLength(source, idx, &length, maxIdx) < 0) + return ASN_PARSE_E; + + dcrl->sigLength = length; + + b = source[*idx]; + *idx += 1; + if (b != 0x00) + return ASN_EXPECT_0_E; + + dcrl->sigLength--; + dcrl->signature = (byte*)&source[*idx]; + + *idx += dcrl->sigLength; + + return 0; +} + + +/* prase crl buffer into decoded state, 0 on success */ +int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz) +{ + int version, len; + word32 oid, idx = 0; + Md5 md5; + + CYASSL_MSG("ParseCRL"); + + /* raw crl hash */ + InitMd5(&md5); + Md5Update(&md5, buff, sz); + Md5Final(&md5, dcrl->crlHash); + + if (GetSequence(buff, &idx, &len, sz) < 0) + return ASN_PARSE_E; + + dcrl->certBegin = idx; + + if (GetSequence(buff, &idx, &len, sz) < 0) + return ASN_PARSE_E; + dcrl->sigIndex = len + idx; + + /* may have version */ + if (buff[idx] == ASN_INTEGER) { + if (GetMyVersion(buff, &idx, &version) < 0) + return ASN_PARSE_E; + } + + if (GetAlgoId(buff, &idx, &oid, sz) < 0) + return ASN_PARSE_E; + + if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0) + return ASN_PARSE_E; + + if (GetBasicDate(buff, &idx, dcrl->lastDate, sz) < 0) + return ASN_PARSE_E; + + if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0) + return ASN_PARSE_E; + + + if (idx != dcrl->sigIndex) { + if (GetSequence(buff, &idx, &len, sz) < 0) + return ASN_PARSE_E; + + len += idx; + + while (idx < len) { + if (GetRevoked(buff, &idx, dcrl, sz) < 0) + return ASN_PARSE_E; + } + } + + if (idx != dcrl->sigIndex) + idx = dcrl->sigIndex; /* skip extensions */ + + if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0) + return ASN_PARSE_E; + + if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0) + return ASN_PARSE_E; + + return 0; +} + +#endif /* HAVE_CRL */ diff --git a/cyassl/crl.h b/cyassl/crl.h index 66e1d47ee..918927cc2 100644 --- a/cyassl/crl.h +++ b/cyassl/crl.h @@ -19,12 +19,12 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ -#ifdef HAVE_CRL #ifndef CYASSL_CRL_H #define CYASSL_CRL_H -#include +#include +#include #ifdef __cplusplus extern "C" { @@ -32,14 +32,12 @@ typedef struct CYASSL_CRL CYASSL_CRL; +CYASSL_LOCAL int InitCRL(CYASSL_CRL*, CYASSL_CERT_MANAGER*); +CYASSL_LOCAL void FreeCRL(CYASSL_CRL*); -struct CYASSL_CRL { - byte enabled; /* are we on */ - byte watchingPEM; /* are we monitoring PEM dir */ - byte watchingDER; /* are we monitoring DER dir * - byte checkAll; /* always leaf, but all ? */ - -}; +CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type); +CYASSL_LOCAL int BufferLoadCRL(CYASSL_CRL*, const byte*, long, int); +CYASSL_LOCAL int CheckCertCRL(CYASSL_CRL*, DecodedCert*); #ifdef __cplusplus @@ -47,4 +45,3 @@ struct CYASSL_CRL { #endif #endif /* CYASSL_CRL_H */ -#endif /* HAVE_CRL */ diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 3090288f4..243aab252 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -28,6 +28,7 @@ #include #include #include +#include #include /* public interface */ #ifdef HAVE_ECC #include @@ -374,6 +375,41 @@ CYASSL_LOCAL int EncodeOcspRequest(DecodedCert*, byte*, word32); #endif /* HAVE_OCSP */ +#ifdef HAVE_CRL + + +typedef struct RevokedCert RevokedCert; + +struct RevokedCert { + byte serialNumber[EXTERNAL_SERIAL_SIZE]; + int serialSz; + RevokedCert* next; +}; + +typedef struct DecodedCRL DecodedCRL; + +struct DecodedCRL { + word32 certBegin; /* offset to start of cert */ + word32 sigIndex; /* offset to start of signature */ + word32 sigLength; /* length of signature */ + word32 signatureOID; /* sum of algorithm object id */ + byte* signature; /* pointer into raw source, not owned */ + byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ + byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */ + byte lastDate[MAX_DATE_SIZE]; /* last date updated */ + byte nextDate[MAX_DATE_SIZE]; /* next update date */ + RevokedCert* certs; /* revoked cert list */ + int totalCerts; /* number on list */ +}; + +CYASSL_LOCAL void InitDecodedCRL(DecodedCRL*); +CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz); +CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*); + + +#endif /* HAVE_CRL */ + + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/cyassl/ctaocrypt/asn_public.h b/cyassl/ctaocrypt/asn_public.h index 8a16b5ef2..aa4534ac4 100644 --- a/cyassl/ctaocrypt/asn_public.h +++ b/cyassl/ctaocrypt/asn_public.h @@ -39,6 +39,7 @@ enum CertType { CERT_TYPE = 0, PRIVATEKEY_TYPE, DH_PARAM_TYPE, + CRL_TYPE, CA_TYPE }; diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h index 06aeb99d9..7468e73b0 100644 --- a/cyassl/ctaocrypt/types.h +++ b/cyassl/ctaocrypt/types.h @@ -202,7 +202,10 @@ enum { DYNAMIC_TYPE_WRITEV = 19, DYNAMIC_TYPE_OPENSSL = 20, DYNAMIC_TYPE_DSA = 21, - DYNAMIC_TYPE_CERT_MANAGER = 22 + DYNAMIC_TYPE_CRL = 22, + DYNAMIC_TYPE_REVOKED = 23, + DYNAMIC_TYPE_CRL_ENTRY = 24, + DYNAMIC_TYPE_CERT_MANAGER = 25 }; /* stack protection */ diff --git a/cyassl/error.h b/cyassl/error.h index 0d8d8d273..fd6781c19 100644 --- a/cyassl/error.h +++ b/cyassl/error.h @@ -92,14 +92,16 @@ enum CyaSSL_ErrorCodes { NOT_CA_ERROR = -257, /* Not a CA cert error */ BAD_PATH_ERROR = -258, /* Bad path for opendir */ BAD_CERT_MANAGER_ERROR = -259, /* Bad Cert Manager */ + OCSP_CERT_REVOKED = -260, + CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */ + CRL_MISSING = -262, /* CRL Not loaded */ /* add strings to SetErrorString !!!!! */ /* begin negotiation parameter errors */ UNSUPPORTED_SUITE = -270, /* unsupported cipher suite */ - MATCH_SUITE_ERROR = -271, /* can't match cipher suite */ + MATCH_SUITE_ERROR = -271 /* can't match cipher suite */ /* end negotiation parameter errors only 10 for now */ /* add strings to SetErrorString !!!!! */ - OCSP_CERT_REVOKED = -272 }; diff --git a/cyassl/internal.h b/cyassl/internal.h index 76c970aa6..952660f05 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -25,6 +25,7 @@ #include +#include #include #include #include @@ -622,12 +623,39 @@ CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*); CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*); + +typedef struct CRL_Entry CRL_Entry; + +/* Complete CRL */ +struct CRL_Entry { + CRL_Entry* next; /* next entry */ + byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */ + byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */ + byte lastDate[MAX_DATE_SIZE]; /* last date updated */ + byte nextDate[MAX_DATE_SIZE]; /* next update date */ + RevokedCert* certs; /* revoked cert list */ + int totalCerts; /* number on list */ +}; + + +/* CyaSSL CRL controller */ +struct CYASSL_CRL { + CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */ + CRL_Entry* crlList; /* our CRL list */ + CyaSSL_Mutex crlLock; /* CRL list lock */ +}; + + /* CyaSSL Certificate Manager */ struct CYASSL_CERT_MANAGER { Signer* caList; /* the CA signer list */ CyaSSL_Mutex caLock; /* CA list lock */ CallbackCACache caCacheCallback; /* CA cache addition callback */ void* heap; /* heap helper */ + CYASSL_CRL* crl; /* CRL checker */ + byte crlEnabled; /* is CRL on ? */ + byte crlCheckAll; /* always leaf, but all ? */ + CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */ }; @@ -1137,6 +1165,14 @@ typedef struct EncryptedInfo { CYASSL_CTX* ctx; /* CTX owner */ } EncryptedInfo; +CYASSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type, + buffer* der, void* heap, EncryptedInfo* info, + int* eccKey); + +CYASSL_LOCAL int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, + int type, CYASSL* ssl, int userChain, + CYASSL_CRL* crl); + #ifdef CYASSL_CALLBACKS CYASSL_LOCAL diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 97ef23297..3e9f6b270 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -429,6 +429,8 @@ enum { OCSP_RESPONSE = 8, OCSP_BASICRESP = 16, + CYASSL_CRL_CHECKALL = 1, + ASN1_GENERALIZEDTIME = 4, SSL_OP_MICROSOFT_SESS_ID_BUG = 1, @@ -776,6 +778,7 @@ CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*, int, const char*); typedef void (*CallbackCACache)(unsigned char* der, int sz, int type); +typedef void (*CbMissingCRL)(const char* url); CYASSL_API void CyaSSL_CTX_SetCACb(CYASSL_CTX*, CallbackCACache); @@ -787,6 +790,20 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, const char* d); CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format); +CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); +CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*); +CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*,int); +CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL); + +CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); +CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); +CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int); + +CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); +CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); +CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int); + + #ifdef CYASSL_CALLBACKS diff --git a/cyassl/test.h b/cyassl/test.h index 57986f835..fcc3b63cd 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -109,6 +109,7 @@ static const char* ntruKey = "./certs/ntru-key.raw"; static const char* dhParam = "./certs/dh2048.pem"; static const char* cliEccKey = "./certs/ecc-client-key.pem"; static const char* cliEccCert = "./certs/client-ecc-cert.pem"; +static const char* crlPemDir = "./certs/crl"; typedef struct tcp_ready { int ready; /* predicate */ diff --git a/examples/client/client.c b/examples/client/client.c index 0f2b72bbd..42317a2e0 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -136,6 +136,7 @@ void client_test(void* args) CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); #endif + if (argc == 3) { /* ./client server securePort */ CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); /* TODO: add ca cert */ @@ -206,6 +207,10 @@ void client_test(void* args) ssl = CyaSSL_new(ctx); CyaSSL_set_fd(ssl, sockfd); +#ifdef HAVE_CRL + CyaSSL_EnableCRL(ssl, 0); + CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM); +#endif if (argc != 3) CyaSSL_check_domain_name(ssl, "www.yassl.com"); #ifdef NON_BLOCKING diff --git a/src/crl.c b/src/crl.c index 81c0b4578..4c8200911 100644 --- a/src/crl.c +++ b/src/crl.c @@ -26,12 +26,261 @@ #ifdef HAVE_CRL -#include +#include +#include + +#include +#include + + +/* Initialze CRL members */ +int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm) +{ + CYASSL_ENTER("InitCRL"); + + crl->cm = cm; + crl->crlList = NULL; + if (InitMutex(&crl->crlLock) != 0) + return BAD_MUTEX_ERROR; + + return 0; +} + + +/* Initialze CRL Entry */ +static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl) +{ + CYASSL_ENTER("FreeCRL_Entry"); + + XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE); + XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE); + XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE); + XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE); + + crle->certs = dcrl->certs; /* take ownsership */ + dcrl->certs = NULL; + crle->totalCerts = dcrl->totalCerts; + + return 0; +} + + +/* Free all CRL Entry resources */ +static void FreeCRL_Entry(CRL_Entry* crle) +{ + RevokedCert* tmp = crle->certs; + + CYASSL_ENTER("FreeCRL_Entry"); + + while(tmp) { + RevokedCert* next = tmp->next; + XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED); + tmp = next; + } +} +/* Free all CRL resources */ +void FreeCRL(CYASSL_CRL* crl) +{ + CRL_Entry* tmp = crl->crlList; + + CYASSL_ENTER("FreeCRL"); + + while(tmp) { + CRL_Entry* next = tmp->next; + FreeCRL_Entry(tmp); + XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY); + tmp = next; + } + + FreeMutex(&crl->crlLock); +} +/* Is the cert ok with CRL, return 0 on success */ +int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert) +{ + CRL_Entry* crle; + int foundEntry = 0; + int revoked = 0; + int ret = 0; + CYASSL_ENTER("CheckCertCRL"); + + if (LockMutex(&crl->crlLock) != 0) { + CYASSL_MSG("LockMutex failed"); + return BAD_MUTEX_ERROR; + } + + crle = crl->crlList; + + while (crle) { + if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) { + CYASSL_MSG("Found CRL Entry on list"); + foundEntry = 1; + break; + } + crle = crle->next; + } + + if (foundEntry) { + RevokedCert* rc = crle->certs; + + while (rc) { + if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) { + CYASSL_MSG("Cert revoked"); + revoked = 1; + ret = CRL_CERT_REVOKED; + break; + } + rc = rc->next; + } + } + + UnLockMutex(&crl->crlLock); + + if (foundEntry == 0) { + CYASSL_MSG("Couldn't find CRL for status check"); + ret = CRL_MISSING; + if (crl->cm->cbMissingCRL) + crl->cm->cbMissingCRL(NULL); + } + + + return ret; +} + + +/* Add Decoded CRL, 0 on success */ +static int AddCRL(CYASSL_CRL* crl, DecodedCRL* dcrl) +{ + CRL_Entry* crle; + + CYASSL_ENTER("AddCRL"); + + crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY); + if (crle == NULL) { + CYASSL_MSG("alloc CRL Entry failed"); + return -1; + } + + if (InitCRL_Entry(crle, dcrl) < 0) { + CYASSL_MSG("Init CRL Entry failed"); + return -1; + } + + if (LockMutex(&crl->crlLock) != 0) { + CYASSL_MSG("LockMutex failed"); + FreeCRL_Entry(crle); + return BAD_MUTEX_ERROR; + } + crle->next = crl->crlList; + crl->crlList = crle; + UnLockMutex(&crl->crlLock); + + return 0; +} + + +/* Load CRL File of type, SSL_SUCCESS on ok */ +int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type) +{ + int ret = SSL_SUCCESS; + const byte* myBuffer = buff; /* if DER ok, otherwise switch */ + buffer der; + DecodedCRL dcrl; + + der.buffer = NULL; + + CYASSL_ENTER("BufferLoadCRL"); + + if (crl == NULL || buff == NULL || sz == 0) + return BAD_FUNC_ARG; + + if (type == SSL_FILETYPE_PEM) { + int eccKey = 0; /* not used */ + EncryptedInfo info; + info.ctx = NULL; + + ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey); + if (ret == 0) { + myBuffer = der.buffer; + sz = der.length; + } + else { + CYASSL_MSG("Pem to Der failed"); + return -1; + } + } + + InitDecodedCRL(&dcrl); + ret = ParseCRL(&dcrl, myBuffer, sz); + if (ret != 0) { + CYASSL_MSG("ParseCRL error"); + } + else { + ret = AddCRL(crl, &dcrl); + if (ret != 0) + CYASSL_MSG("AddCRL error"); + } + FreeDecodedCRL(&dcrl); + + if (der.buffer) + XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL); + + if (ret == 0) + return SSL_SUCCESS; /* convert */ + return ret; +} + + +/* Load CRL path files of type, SSL_SUCCESS on ok */ +int LoadCRL(CYASSL_CRL* crl, const char* path, int type) +{ + struct dirent* entry; + DIR* dir; + int ret = SSL_SUCCESS; + + CYASSL_ENTER("LoadCRL"); + if (crl == NULL) + return BAD_FUNC_ARG; + + dir = opendir(path); + if (dir == NULL) { + CYASSL_MSG("opendir path crl load failed"); + return BAD_PATH_ERROR; + } + while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) { + if (entry->d_type & DT_REG) { + char name[MAX_FILENAME_SZ]; + + if (type == SSL_FILETYPE_PEM) { + if (strstr(entry->d_name, ".pem") == NULL) { + CYASSL_MSG("not .pem file, skipping"); + continue; + } + } + else { + if (strstr(entry->d_name, ".der") == NULL && + strstr(entry->d_name, ".crl") == NULL) { + + CYASSL_MSG("not .der or .crl file, skipping"); + continue; + } + } + + XMEMSET(name, 0, sizeof(name)); + XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2); + XSTRNCAT(name, "/", 1); + XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); + + ret = ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl); + } + } + + return SSL_SUCCESS; +} #endif /* HAVE_CRL */ diff --git a/src/internal.c b/src/internal.c index bfe2a9ddf..2f1e2e72c 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1696,12 +1696,23 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) #ifdef HAVE_OCSP if (CyaSSL_OCSP_Lookup_Cert(&ssl->ctx->ocsp, &dCert) == CERT_REVOKED) { - CYASSL_MSG("\tOCSP Lookup returned revoked"); - ret = OCSP_CERT_REVOKED; - fatal = 0; - } + CYASSL_MSG("\tOCSP Lookup returned revoked"); + ret = OCSP_CERT_REVOKED; + fatal = 0; + } #endif +#ifdef HAVE_CRL + if (ssl->ctx->cm->crlEnabled) { + ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert); + + if (ret != 0) { + CYASSL_MSG("\tCRL check not ok"); + fatal = 0; + } + } +#endif /* HAVE_CRL */ + #ifdef OPENSSL_EXTRA /* set X509 format for peer cert even if fatal */ XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX); @@ -3509,6 +3520,14 @@ void SetErrorString(int error, char* str) XSTRNCPY(str, "OCSP Cert revoked", max); break; + case CRL_CERT_REVOKED: + XSTRNCPY(str, "CRL Cert revoked", max); + break; + + case CRL_MISSING: + XSTRNCPY(str, "CRL missing, not loaded", max); + break; + default : XSTRNCPY(str, "unknown error number", max); } diff --git a/src/ssl.c b/src/ssl.c index f353ccd03..01b48adbc 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -375,6 +375,10 @@ CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void) cm->caList = NULL; cm->heap = NULL; cm->caCacheCallback = NULL; + cm->crl = NULL; + cm->crlEnabled = 0; + cm->crlCheckAll = 0; + cm->cbMissingCRL = NULL; if (InitMutex(&cm->caLock) != 0) { CYASSL_MSG("Bad mutex init"); @@ -392,6 +396,10 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm) CYASSL_ENTER("CyaSSL_CertManagerFree"); if (cm) { + #ifdef HAVE_CRL + if (cm->crl) + FreeCRL(cm->crl); + #endif FreeSigners(cm->caList, NULL); FreeMutex(&cm->caLock); XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER); @@ -629,7 +637,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) /* Remove PEM header/footer, convert to ASN1, store any encrypted data info->consumed tracks of PEM bytes consumed in case multiple parts */ - static int PemToDer(const unsigned char* buff, long sz, int type, + int PemToDer(const unsigned char* buff, long sz, int type, buffer* der, void* heap, EncryptedInfo* info, int* eccKey) { char header[PEM_LINE_LEN]; @@ -655,6 +663,10 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) XSTRNCPY(header, "-----BEGIN DH PARAMETERS-----", sizeof(header)); XSTRNCPY(footer, "-----END DH PARAMETERS-----", sizeof(footer)); dynamicType = DYNAMIC_TYPE_KEY; + } else if (type == CRL_TYPE) { + XSTRNCPY(header, "-----BEGIN X509 CRL-----", sizeof(header)); + XSTRNCPY(footer, "-----END X509 CRL-----", sizeof(footer)); + dynamicType = DYNAMIC_TYPE_CRL; } else { XSTRNCPY(header, "-----BEGIN RSA PRIVATE KEY-----", sizeof(header)); XSTRNCPY(footer, "-----END RSA PRIVATE KEY-----", sizeof(footer)); @@ -1144,8 +1156,8 @@ static int ProcessChainBuffer(CYASSL_CTX* ctx, const unsigned char* buff, /* process a file with name fname into ctx of format and type userChain specifies a user certificate chain to pass during handshake */ -static int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type, - CYASSL* ssl, int userChain) +int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type, + CYASSL* ssl, int userChain, CYASSL_CRL* crl) { byte staticBuffer[FILE_BUFFER_SIZE]; byte* myBuffer = staticBuffer; @@ -1174,6 +1186,8 @@ static int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type, else { if (type == CA_TYPE && format == SSL_FILETYPE_PEM) ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl); + else if (type == CRL_TYPE) + ret = BufferLoadCRL(crl, myBuffer, sz, format); else ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL, userChain); @@ -1199,7 +1213,7 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file, return SSL_FAILURE; if (file) - ret = ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE, NULL, 0); + ret = ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE, NULL, 0, NULL); if (ret == SSL_SUCCESS && path) { /* try to load each regular file in path */ @@ -1224,7 +1238,8 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file, XSTRNCAT(name, "\\", 2); XSTRNCAT(name, FindFileData.cFileName, MAX_FILENAME_SZ/2); - ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0); + ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0, + NULL); } } while (ret == SSL_SUCCESS && FindNextFileA(hFind, &FindFileData)); @@ -1246,7 +1261,8 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file, XSTRNCAT(name, "/", 1); XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2); - ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0); + ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0, + NULL); } } closedir(dir); @@ -1356,6 +1372,146 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file, } +/* turn on CRL if off and compiled in, set options */ +int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options) +{ + CYASSL_ENTER("CyaSSL_CertManagerEnableCRL"); + if (cm == NULL) + return BAD_FUNC_ARG; + + #ifndef HAVE_CRL + return NOT_COMPILED_IN; + #else + if (cm->crl == NULL) { + cm->crl = (CYASSL_CRL*)XMALLOC(sizeof(CYASSL_CRL), cm->heap, + DYNAMIC_TYPE_CRL); + if (cm->crl == NULL) + return MEMORY_E; + + if (InitCRL(cm->crl, cm) != 0) { + CYASSL_MSG("Init CRL failed"); + FreeCRL(cm->crl); + cm->crl = NULL; + return SSL_FAILURE; + } + } + cm->crlEnabled = 1; + if (options & CYASSL_CRL_CHECKALL) + cm->crlCheckAll = 1; + #endif + + return SSL_SUCCESS; +} + + +int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm) +{ + CYASSL_ENTER("CyaSSL_CertManagerDisableCRL"); + if (cm == NULL) + return BAD_FUNC_ARG; + + cm->crlEnabled = 0; + + return SSL_SUCCESS; +} + + +#ifdef HAVE_CRL + + +int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) +{ + CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); + if (cm == NULL) + return BAD_FUNC_ARG; + + cm->cbMissingCRL = cb; + + return SSL_SUCCESS; +} + + +int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path, + int type) +{ + CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); + if (cm == NULL) + return BAD_FUNC_ARG; + + if (cm->crl == NULL) { + if (CyaSSL_CertManagerEnableCRL(cm, 0) != SSL_SUCCESS) { + CYASSL_MSG("Enable CRL failed"); + return -1; + } + } + + return LoadCRL(cm->crl, path, type); +} + + +int CyaSSL_EnableCRL(CYASSL* ssl, int options) +{ + CYASSL_ENTER("CyaSSL_EnableCRL"); + if (ssl) + return CyaSSL_CertManagerEnableCRL(ssl->ctx->cm, options); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_DisableCRL(CYASSL* ssl) +{ + CYASSL_ENTER("CyaSSL_DisableCRL"); + if (ssl) + return CyaSSL_CertManagerDisableCRL(ssl->ctx->cm); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type) +{ + CYASSL_ENTER("CyaSSL_LoadCRL"); + if (ssl) + return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options) +{ + CYASSL_ENTER("CyaSSL_CTX_EnableCRL"); + if (ctx) + return CyaSSL_CertManagerEnableCRL(ctx->cm, options); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx) +{ + CYASSL_ENTER("CyaSSL_CTX_DisableCRL"); + if (ctx) + return CyaSSL_CertManagerDisableCRL(ctx->cm); + else + return BAD_FUNC_ARG; +} + + +int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type) +{ + CYASSL_ENTER("CyaSSL_CTX_LoadCRL"); + if (ctx) + return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type); + else + return BAD_FUNC_ARG; +} + + +#endif /* HAVE_CRL */ + + #ifdef CYASSL_DER_LOAD /* Add format parameter to allow DER load of CA files */ @@ -1366,7 +1522,7 @@ int CyaSSL_CTX_der_load_verify_locations(CYASSL_CTX* ctx, const char* file, if (ctx == NULL || file == NULL) return SSL_FAILURE; - if (ProcessFile(ctx, file, format, CA_TYPE, NULL, 0) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1436,7 +1592,7 @@ int CyaSSL_CTX_use_certificate_file(CYASSL_CTX* ctx, const char* file, int format) { CYASSL_ENTER("CyaSSL_CTX_use_certificate_file"); - if (ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1446,7 +1602,8 @@ int CyaSSL_CTX_use_certificate_file(CYASSL_CTX* ctx, const char* file, int CyaSSL_CTX_use_PrivateKey_file(CYASSL_CTX* ctx, const char* file,int format) { CYASSL_ENTER("CyaSSL_CTX_use_PrivateKey_file"); - if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0, NULL) + == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1457,7 +1614,8 @@ int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX* ctx, const char* file) { /* procces up to MAX_CHAIN_DEPTH plus subject cert */ CYASSL_ENTER("CyaSSL_CTX_use_certificate_chain_file"); - if (ProcessFile(ctx, file, SSL_FILETYPE_PEM,CERT_TYPE,NULL,1) == SSL_SUCCESS) + if (ProcessFile(ctx, file, SSL_FILETYPE_PEM,CERT_TYPE,NULL,1, NULL) + == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1470,7 +1628,8 @@ int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX* ctx, const char* file) int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format) { CYASSL_ENTER("CyaSSL_use_certificate_file"); - if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0) == SSL_SUCCESS) + if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL) + == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1480,7 +1639,7 @@ int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format) int CyaSSL_use_PrivateKey_file(CYASSL* ssl, const char* file, int format) { CYASSL_ENTER("CyaSSL_use_PrivateKey_file"); - if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0) + if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL) == SSL_SUCCESS) return SSL_SUCCESS; @@ -1492,7 +1651,7 @@ int CyaSSL_use_certificate_chain_file(CYASSL* ssl, const char* file) { /* procces up to MAX_CHAIN_DEPTH plus subject cert */ CYASSL_ENTER("CyaSSL_use_certificate_chain_file"); - if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1) + if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1, NULL) == SSL_SUCCESS) return SSL_SUCCESS; @@ -1652,7 +1811,7 @@ int CyaSSL_CTX_SetTmpDH_file(CYASSL_CTX* ctx, const char* fname, int format) int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file) { CYASSL_ENTER("CyaSSL_CTX_use_NTRUPrivateKey_file"); - if (ProcessFile(ctx, file, SSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL, 0) + if (ProcessFile(ctx, file, SSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL, 0, NULL) == SSL_SUCCESS) { ctx->haveNTRU = 1; return SSL_SUCCESS; @@ -1671,7 +1830,8 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file) int format) { CYASSL_ENTER("SSL_CTX_use_RSAPrivateKey_file"); - if (ProcessFile(ctx, file,format,PRIVATEKEY_TYPE,NULL,0) == SSL_SUCCESS) + if (ProcessFile(ctx, file,format,PRIVATEKEY_TYPE,NULL,0, NULL) + == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1680,7 +1840,7 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file) int CyaSSL_use_RSAPrivateKey_file(CYASSL* ssl, const char* file, int format) { CYASSL_ENTER("CyaSSL_use_RSAPrivateKey_file"); - if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0) + if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL) == SSL_SUCCESS) return SSL_SUCCESS; @@ -2857,7 +3017,7 @@ int CyaSSL_set_compression(CYASSL* ssl) InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->optoins.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->ctx->method->side); } @@ -5868,7 +6028,7 @@ static int initGlobalRNG = 0; if (bn == NULL || bn->internal == NULL) return 0; - if (mp_cmp_d((mp_int*)bn->internal, 1) == 0); + if (mp_cmp_d((mp_int*)bn->internal, 1) == 0) return 1; return 0; @@ -5888,7 +6048,6 @@ static int initGlobalRNG = 0; int CyaSSL_BN_cmp(const CYASSL_BIGNUM* a, const CYASSL_BIGNUM* b) { - int ret; CYASSL_MSG("CyaSSL_BN_cmp"); if (a == NULL || a->internal == NULL || b == NULL || b->internal ==NULL) @@ -5997,7 +6156,6 @@ static int initGlobalRNG = 0; { byte decoded[1024]; word32 decSz = sizeof(decoded); - int ret; CYASSL_MSG("CyaSSL_BN_hex2bn"); @@ -6288,7 +6446,6 @@ static int initGlobalRNG = 0; word32 pubSz = sizeof(pub); word32 privSz = sizeof(priv); word32 keySz; - int ret; CYASSL_MSG("CyaSSL_DH_compute_key"); @@ -6692,7 +6849,6 @@ static int initGlobalRNG = 0; int CyaSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, CYASSL_DSA* dsa) { - word32 signSz; RNG tmpRNG; RNG* rng = &tmpRNG; @@ -6779,7 +6935,7 @@ static int initGlobalRNG = 0; } signSz = EncodeSignature(encodedSig, m, mLen, type); - if (signSz < 0) { + if (signSz == 0) { CYASSL_MSG("Bad Encode Signature"); return 0; }