crl stage 2
This commit is contained in:
parent
32095795f2
commit
3ec2b9dbbc
@ -39,6 +39,7 @@ EXTRA_DIST+= cyassl.sln
|
||||
|
||||
include cyassl/include.am
|
||||
include certs/include.am
|
||||
include certs/crl/include.am
|
||||
include doc/include.am
|
||||
include swig/include.am
|
||||
|
||||
|
41
certs/crl/crl.pem
Normal file
41
certs/crl/crl.pem
Normal file
@ -0,0 +1,41 @@
|
||||
Certificate Revocation List (CRL):
|
||||
Version 2 (0x1)
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.yassl.com/emailAddress=info@yassl.com
|
||||
Last Update: May 15 23:51:25 2012 GMT
|
||||
Next Update: Jun 14 23:51:25 2012 GMT
|
||||
CRL extensions:
|
||||
X509v3 CRL Number:
|
||||
4
|
||||
Revoked Certificates:
|
||||
Serial Number: 02
|
||||
Revocation Date: May 4 17:06:05 2012 GMT
|
||||
Signature Algorithm: sha1WithRSAEncryption
|
||||
aa:e4:44:9b:6b:c9:0b:d3:6f:ba:09:3d:90:93:ae:96:86:73:
|
||||
f6:90:28:ba:93:3b:95:0c:91:c9:10:53:f1:15:fd:43:9a:ba:
|
||||
4e:dc:8e:e8:10:4d:d8:8b:be:a8:a2:12:4c:19:c1:13:9f:3c:
|
||||
fe:54:60:32:b7:45:77:17:2a:40:f2:16:52:9e:68:fe:be:03:
|
||||
99:9c:b1:d3:4b:be:87:5b:f4:12:3c:9e:3d:59:c8:b9:a2:2c:
|
||||
78:94:9c:cd:b0:17:d0:b3:bd:86:99:2b:1d:38:b5:03:d8:d1:
|
||||
0d:8f:1a:8c:97:ff:87:01:4f:91:22:30:c2:a5:10:bb:e3:fb:
|
||||
31:b7:44:8a:5a:82:e1:e5:30:69:84:d1:4b:c2:d3:07:bf:21:
|
||||
d5:33:2d:ad:4b:e4:6f:83:c1:66:16:74:31:7d:f9:d6:1e:10:
|
||||
66:fd:7d:ad:66:3c:32:cc:a3:98:75:63:16:5c:df:e1:37:3d:
|
||||
e9:08:d2:7b:05:dd:4c:31:92:53:0c:f1:ea:8e:be:31:d1:eb:
|
||||
ac:37:a8:cd:c4:30:c5:91:cc:38:a3:55:4a:51:01:39:cf:7d:
|
||||
50:57:d2:f2:47:4a:1d:7f:3a:32:16:89:e8:5a:1b:f8:64:33:
|
||||
48:e5:b8:ef:ba:2e:f3:52:7e:ba:28:0e:9b:f7:07:b8:b6:38:
|
||||
f9:d0:dd:78
|
||||
-----BEGIN X509 CRL-----
|
||||
MIICADCB6QIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMxEDAOBgNV
|
||||
BAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAPBgNVBAoTCFNhd3Rvb3Ro
|
||||
MRMwEQYDVQQLEwpDb25zdWx0aW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w
|
||||
GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTIwNTE1MjM1MTI1WhcNMTIw
|
||||
NjE0MjM1MTI1WjAUMBICAQIXDTEyMDUwNDE3MDYwNVqgDjAMMAoGA1UdFAQDAgEE
|
||||
MA0GCSqGSIb3DQEBBQUAA4IBAQCq5ESba8kL02+6CT2Qk66WhnP2kCi6kzuVDJHJ
|
||||
EFPxFf1DmrpO3I7oEE3Yi76oohJMGcETnzz+VGAyt0V3FypA8hZSnmj+vgOZnLHT
|
||||
S76HW/QSPJ49Wci5oix4lJzNsBfQs72GmSsdOLUD2NENjxqMl/+HAU+RIjDCpRC7
|
||||
4/sxt0SKWoLh5TBphNFLwtMHvyHVMy2tS+Rvg8FmFnQxffnWHhBm/X2tZjwyzKOY
|
||||
dWMWXN/hNz3pCNJ7Bd1MMZJTDPHqjr4x0eusN6jNxDDFkcw4o1VKUQE5z31QV9Ly
|
||||
R0odfzoyFonoWhv4ZDNI5bjvui7zUn66KA6b9we4tjj50N14
|
||||
-----END X509 CRL-----
|
9
certs/crl/include.am
Normal file
9
certs/crl/include.am
Normal file
@ -0,0 +1,9 @@
|
||||
# vim:ft=automake
|
||||
# All paths should be given relative to the root
|
||||
#
|
||||
|
||||
certs_DATA+= \
|
||||
certs/crl/crl.pem
|
||||
|
||||
EXTRA_DIST+= ${certs_DATA}
|
||||
|
@ -355,6 +355,8 @@ static int GetMyVersion(const byte* input, word32* inOutIdx, int* version)
|
||||
{
|
||||
word32 idx = *inOutIdx;
|
||||
|
||||
CYASSL_ENTER("GetMyVersion");
|
||||
|
||||
if (input[idx++] != ASN_INTEGER)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
@ -398,6 +400,7 @@ static int GetExplicitVersion(const byte* input, word32* inOutIdx, int* version)
|
||||
{
|
||||
word32 idx = *inOutIdx;
|
||||
|
||||
CYASSL_ENTER("GetExplicitVersion");
|
||||
if (input[idx++] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED)) {
|
||||
*inOutIdx = ++idx; /* eat header */
|
||||
return GetMyVersion(input, inOutIdx, version);
|
||||
@ -447,6 +450,8 @@ static int GetAlgoId(const byte* input, word32* inOutIdx, word32* oid,
|
||||
byte b;
|
||||
*oid = 0;
|
||||
|
||||
CYASSL_ENTER("GetAlgoId");
|
||||
|
||||
if (GetSequence(input, &i, &length, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
@ -1250,8 +1255,6 @@ static int GetName(DecodedCert* cert, int nameType)
|
||||
char* full = (nameType == ISSUER) ? cert->issuer : cert->subject;
|
||||
word32 idx = 0;
|
||||
|
||||
InitSha(&sha);
|
||||
|
||||
if (cert->source[cert->srcIdx] == ASN_OBJECT_ID) {
|
||||
CYASSL_MSG("Trying optional prefix...");
|
||||
|
||||
@ -1265,6 +1268,13 @@ static int GetName(DecodedCert* cert, int nameType)
|
||||
if (GetSequence(cert->source, &cert->srcIdx, &length, cert->maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
InitSha(&sha);
|
||||
ShaUpdate(&sha, &cert->source[cert->srcIdx], length);
|
||||
if (nameType == ISSUER)
|
||||
ShaFinal(&sha, cert->issuerHash);
|
||||
else
|
||||
ShaFinal(&sha, cert->subjectHash);
|
||||
|
||||
length += cert->srcIdx;
|
||||
|
||||
while (cert->srcIdx < (word32)length) {
|
||||
@ -1395,7 +1405,6 @@ static int GetName(DecodedCert* cert, int nameType)
|
||||
idx += strLen;
|
||||
}
|
||||
|
||||
ShaUpdate(&sha, &cert->source[cert->srcIdx], strLen);
|
||||
cert->srcIdx += strLen;
|
||||
}
|
||||
else {
|
||||
@ -1450,11 +1459,6 @@ static int GetName(DecodedCert* cert, int nameType)
|
||||
}
|
||||
full[idx++] = 0;
|
||||
|
||||
if (nameType == ISSUER)
|
||||
ShaFinal(&sha, cert->issuerHash);
|
||||
else
|
||||
ShaFinal(&sha, cert->subjectHash);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -4169,3 +4173,257 @@ int EncodeOcspRequest(DecodedCert* cert, byte* output, word32 outputSz)
|
||||
}
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
|
||||
/* initialize decoded CRL */
|
||||
void InitDecodedCRL(DecodedCRL* dcrl)
|
||||
{
|
||||
CYASSL_MSG("InitDecodedCRL");
|
||||
|
||||
dcrl->certBegin = 0;
|
||||
dcrl->sigIndex = 0;
|
||||
dcrl->sigLength = 0;
|
||||
dcrl->signatureOID = 0;
|
||||
dcrl->certs = NULL;
|
||||
dcrl->totalCerts = 0;
|
||||
}
|
||||
|
||||
|
||||
/* free decoded CRL resources */
|
||||
void FreeDecodedCRL(DecodedCRL* dcrl)
|
||||
{
|
||||
RevokedCert* tmp = dcrl->certs;
|
||||
|
||||
CYASSL_MSG("FreeDecodedCRL");
|
||||
|
||||
while(tmp) {
|
||||
RevokedCert* next = tmp->next;
|
||||
XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
|
||||
tmp = next;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
/* store SHA1 hash of NAME */
|
||||
static int GetNameHash(const byte* source, word32* idx, byte* hash, int maxIdx)
|
||||
{
|
||||
Sha sha;
|
||||
int length; /* length of all distinguished names */
|
||||
|
||||
CYASSL_ENTER("GetNameHash");
|
||||
|
||||
if (source[*idx] == ASN_OBJECT_ID) {
|
||||
CYASSL_MSG("Trying optional prefix...");
|
||||
|
||||
if (GetLength(source, idx, &length, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
*idx += length;
|
||||
CYASSL_MSG("Got optional prefix");
|
||||
}
|
||||
|
||||
if (GetSequence(source, idx, &length, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
InitSha(&sha);
|
||||
ShaUpdate(&sha, &source[*idx], length);
|
||||
ShaFinal(&sha, hash);
|
||||
|
||||
*idx += length;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Get raw Date only, no processing, 0 on success */
|
||||
static int GetBasicDate(const byte* source, word32* idx, byte* date, int maxIdx)
|
||||
{
|
||||
int length;
|
||||
byte b = source[*idx];
|
||||
|
||||
CYASSL_ENTER("GetBasicDate");
|
||||
|
||||
*idx += 1;
|
||||
if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME)
|
||||
return ASN_TIME_E;
|
||||
|
||||
if (GetLength(source, idx, &length, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (length > MAX_DATE_SIZE || length < MIN_DATE_SIZE)
|
||||
return ASN_DATE_SZ_E;
|
||||
|
||||
XMEMCPY(date, &source[*idx], length);
|
||||
*idx += length;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Get Revoked Cert list, 0 on success */
|
||||
static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
|
||||
int maxIdx)
|
||||
{
|
||||
int len;
|
||||
byte b;
|
||||
RevokedCert* rc;
|
||||
|
||||
CYASSL_ENTER("GetRevoked");
|
||||
|
||||
if (GetSequence(buff, idx, &len, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* get serial number */
|
||||
b = buff[*idx];
|
||||
*idx += 1;
|
||||
|
||||
if (b != ASN_INTEGER) {
|
||||
CYASSL_MSG("Expecting Integer");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetLength(buff, idx, &len, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (len > EXTERNAL_SERIAL_SIZE) {
|
||||
CYASSL_MSG("Serial Size too big");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
rc = XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
|
||||
if (rc == NULL) {
|
||||
CYASSL_MSG("Alloc Revoked Cert failed");
|
||||
return MEMORY_E;
|
||||
}
|
||||
|
||||
XMEMCPY(rc->serialNumber, &buff[*idx], len);
|
||||
rc->serialSz = len;
|
||||
|
||||
/* add to list */
|
||||
rc->next = dcrl->certs;
|
||||
dcrl->certs = rc;
|
||||
dcrl->totalCerts++;
|
||||
|
||||
*idx += len;
|
||||
|
||||
/* get date */
|
||||
b = buff[*idx];
|
||||
*idx += 1;
|
||||
|
||||
if (b != ASN_UTC_TIME && b != ASN_GENERALIZED_TIME) {
|
||||
CYASSL_MSG("Expecting Date");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetLength(buff, idx, &len, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* skip for now */
|
||||
*idx += len;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Get CRL Signature, 0 on success */
|
||||
static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
|
||||
int maxIdx)
|
||||
{
|
||||
int length;
|
||||
byte b;
|
||||
|
||||
CYASSL_ENTER("GetCRL_Signature");
|
||||
|
||||
b = source[*idx];
|
||||
*idx += 1;
|
||||
if (b != ASN_BIT_STRING)
|
||||
return ASN_BITSTR_E;
|
||||
|
||||
if (GetLength(source, idx, &length, maxIdx) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
dcrl->sigLength = length;
|
||||
|
||||
b = source[*idx];
|
||||
*idx += 1;
|
||||
if (b != 0x00)
|
||||
return ASN_EXPECT_0_E;
|
||||
|
||||
dcrl->sigLength--;
|
||||
dcrl->signature = (byte*)&source[*idx];
|
||||
|
||||
*idx += dcrl->sigLength;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* prase crl buffer into decoded state, 0 on success */
|
||||
int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
|
||||
{
|
||||
int version, len;
|
||||
word32 oid, idx = 0;
|
||||
Md5 md5;
|
||||
|
||||
CYASSL_MSG("ParseCRL");
|
||||
|
||||
/* raw crl hash */
|
||||
InitMd5(&md5);
|
||||
Md5Update(&md5, buff, sz);
|
||||
Md5Final(&md5, dcrl->crlHash);
|
||||
|
||||
if (GetSequence(buff, &idx, &len, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
dcrl->certBegin = idx;
|
||||
|
||||
if (GetSequence(buff, &idx, &len, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
dcrl->sigIndex = len + idx;
|
||||
|
||||
/* may have version */
|
||||
if (buff[idx] == ASN_INTEGER) {
|
||||
if (GetMyVersion(buff, &idx, &version) < 0)
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetAlgoId(buff, &idx, &oid, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (GetNameHash(buff, &idx, dcrl->issuerHash, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (GetBasicDate(buff, &idx, dcrl->lastDate, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
|
||||
if (idx != dcrl->sigIndex) {
|
||||
if (GetSequence(buff, &idx, &len, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
len += idx;
|
||||
|
||||
while (idx < len) {
|
||||
if (GetRevoked(buff, &idx, dcrl, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
}
|
||||
|
||||
if (idx != dcrl->sigIndex)
|
||||
idx = dcrl->sigIndex; /* skip extensions */
|
||||
|
||||
if (GetAlgoId(buff, &idx, &dcrl->signatureOID, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
#endif /* HAVE_CRL */
|
||||
|
17
cyassl/crl.h
17
cyassl/crl.h
@ -19,12 +19,12 @@
|
||||
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
|
||||
*/
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
|
||||
#ifndef CYASSL_CRL_H
|
||||
#define CYASSL_CRL_H
|
||||
|
||||
#include <cyassl/ctaocrypt/types.h>
|
||||
#include <cyassl/ssl.h>
|
||||
#include <cyassl/ctaocrypt/asn.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
@ -32,14 +32,12 @@
|
||||
|
||||
typedef struct CYASSL_CRL CYASSL_CRL;
|
||||
|
||||
CYASSL_LOCAL int InitCRL(CYASSL_CRL*, CYASSL_CERT_MANAGER*);
|
||||
CYASSL_LOCAL void FreeCRL(CYASSL_CRL*);
|
||||
|
||||
struct CYASSL_CRL {
|
||||
byte enabled; /* are we on */
|
||||
byte watchingPEM; /* are we monitoring PEM dir */
|
||||
byte watchingDER; /* are we monitoring DER dir *
|
||||
byte checkAll; /* always leaf, but all ? */
|
||||
|
||||
};
|
||||
CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type);
|
||||
CYASSL_LOCAL int BufferLoadCRL(CYASSL_CRL*, const byte*, long, int);
|
||||
CYASSL_LOCAL int CheckCertCRL(CYASSL_CRL*, DecodedCert*);
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
@ -47,4 +45,3 @@ struct CYASSL_CRL {
|
||||
#endif
|
||||
|
||||
#endif /* CYASSL_CRL_H */
|
||||
#endif /* HAVE_CRL */
|
||||
|
@ -28,6 +28,7 @@
|
||||
#include <cyassl/ctaocrypt/dh.h>
|
||||
#include <cyassl/ctaocrypt/dsa.h>
|
||||
#include <cyassl/ctaocrypt/sha.h>
|
||||
#include <cyassl/ctaocrypt/md5.h>
|
||||
#include <cyassl/ctaocrypt/asn_public.h> /* public interface */
|
||||
#ifdef HAVE_ECC
|
||||
#include <cyassl/ctaocrypt/ecc.h>
|
||||
@ -374,6 +375,41 @@ CYASSL_LOCAL int EncodeOcspRequest(DecodedCert*, byte*, word32);
|
||||
#endif /* HAVE_OCSP */
|
||||
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
|
||||
|
||||
typedef struct RevokedCert RevokedCert;
|
||||
|
||||
struct RevokedCert {
|
||||
byte serialNumber[EXTERNAL_SERIAL_SIZE];
|
||||
int serialSz;
|
||||
RevokedCert* next;
|
||||
};
|
||||
|
||||
typedef struct DecodedCRL DecodedCRL;
|
||||
|
||||
struct DecodedCRL {
|
||||
word32 certBegin; /* offset to start of cert */
|
||||
word32 sigIndex; /* offset to start of signature */
|
||||
word32 sigLength; /* length of signature */
|
||||
word32 signatureOID; /* sum of algorithm object id */
|
||||
byte* signature; /* pointer into raw source, not owned */
|
||||
byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */
|
||||
byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
|
||||
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
|
||||
byte nextDate[MAX_DATE_SIZE]; /* next update date */
|
||||
RevokedCert* certs; /* revoked cert list */
|
||||
int totalCerts; /* number on list */
|
||||
};
|
||||
|
||||
CYASSL_LOCAL void InitDecodedCRL(DecodedCRL*);
|
||||
CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz);
|
||||
CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
|
||||
|
||||
|
||||
#endif /* HAVE_CRL */
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
} /* extern "C" */
|
||||
#endif
|
||||
|
@ -39,6 +39,7 @@ enum CertType {
|
||||
CERT_TYPE = 0,
|
||||
PRIVATEKEY_TYPE,
|
||||
DH_PARAM_TYPE,
|
||||
CRL_TYPE,
|
||||
CA_TYPE
|
||||
};
|
||||
|
||||
|
@ -202,7 +202,10 @@ enum {
|
||||
DYNAMIC_TYPE_WRITEV = 19,
|
||||
DYNAMIC_TYPE_OPENSSL = 20,
|
||||
DYNAMIC_TYPE_DSA = 21,
|
||||
DYNAMIC_TYPE_CERT_MANAGER = 22
|
||||
DYNAMIC_TYPE_CRL = 22,
|
||||
DYNAMIC_TYPE_REVOKED = 23,
|
||||
DYNAMIC_TYPE_CRL_ENTRY = 24,
|
||||
DYNAMIC_TYPE_CERT_MANAGER = 25
|
||||
};
|
||||
|
||||
/* stack protection */
|
||||
|
@ -92,14 +92,16 @@ enum CyaSSL_ErrorCodes {
|
||||
NOT_CA_ERROR = -257, /* Not a CA cert error */
|
||||
BAD_PATH_ERROR = -258, /* Bad path for opendir */
|
||||
BAD_CERT_MANAGER_ERROR = -259, /* Bad Cert Manager */
|
||||
OCSP_CERT_REVOKED = -260,
|
||||
CRL_CERT_REVOKED = -261, /* CRL Certificate revoked */
|
||||
CRL_MISSING = -262, /* CRL Not loaded */
|
||||
/* add strings to SetErrorString !!!!! */
|
||||
|
||||
/* begin negotiation parameter errors */
|
||||
UNSUPPORTED_SUITE = -270, /* unsupported cipher suite */
|
||||
MATCH_SUITE_ERROR = -271, /* can't match cipher suite */
|
||||
MATCH_SUITE_ERROR = -271 /* can't match cipher suite */
|
||||
/* end negotiation parameter errors only 10 for now */
|
||||
/* add strings to SetErrorString !!!!! */
|
||||
OCSP_CERT_REVOKED = -272
|
||||
};
|
||||
|
||||
|
||||
|
@ -25,6 +25,7 @@
|
||||
|
||||
|
||||
#include <cyassl/ssl.h>
|
||||
#include <cyassl/crl.h>
|
||||
#include <cyassl/ctaocrypt/types.h>
|
||||
#include <cyassl/ctaocrypt/random.h>
|
||||
#include <cyassl/ctaocrypt/des3.h>
|
||||
@ -622,12 +623,39 @@ CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*);
|
||||
CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*);
|
||||
|
||||
|
||||
|
||||
typedef struct CRL_Entry CRL_Entry;
|
||||
|
||||
/* Complete CRL */
|
||||
struct CRL_Entry {
|
||||
CRL_Entry* next; /* next entry */
|
||||
byte issuerHash[SHA_DIGEST_SIZE]; /* issuer hash */
|
||||
byte crlHash[MD5_DIGEST_SIZE]; /* raw crl data hash */
|
||||
byte lastDate[MAX_DATE_SIZE]; /* last date updated */
|
||||
byte nextDate[MAX_DATE_SIZE]; /* next update date */
|
||||
RevokedCert* certs; /* revoked cert list */
|
||||
int totalCerts; /* number on list */
|
||||
};
|
||||
|
||||
|
||||
/* CyaSSL CRL controller */
|
||||
struct CYASSL_CRL {
|
||||
CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */
|
||||
CRL_Entry* crlList; /* our CRL list */
|
||||
CyaSSL_Mutex crlLock; /* CRL list lock */
|
||||
};
|
||||
|
||||
|
||||
/* CyaSSL Certificate Manager */
|
||||
struct CYASSL_CERT_MANAGER {
|
||||
Signer* caList; /* the CA signer list */
|
||||
CyaSSL_Mutex caLock; /* CA list lock */
|
||||
CallbackCACache caCacheCallback; /* CA cache addition callback */
|
||||
void* heap; /* heap helper */
|
||||
CYASSL_CRL* crl; /* CRL checker */
|
||||
byte crlEnabled; /* is CRL on ? */
|
||||
byte crlCheckAll; /* always leaf, but all ? */
|
||||
CbMissingCRL cbMissingCRL; /* notify through cb of missing crl */
|
||||
};
|
||||
|
||||
|
||||
@ -1137,6 +1165,14 @@ typedef struct EncryptedInfo {
|
||||
CYASSL_CTX* ctx; /* CTX owner */
|
||||
} EncryptedInfo;
|
||||
|
||||
CYASSL_LOCAL int PemToDer(const unsigned char* buff, long sz, int type,
|
||||
buffer* der, void* heap, EncryptedInfo* info,
|
||||
int* eccKey);
|
||||
|
||||
CYASSL_LOCAL int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format,
|
||||
int type, CYASSL* ssl, int userChain,
|
||||
CYASSL_CRL* crl);
|
||||
|
||||
|
||||
#ifdef CYASSL_CALLBACKS
|
||||
CYASSL_LOCAL
|
||||
|
17
cyassl/ssl.h
17
cyassl/ssl.h
@ -429,6 +429,8 @@ enum {
|
||||
OCSP_RESPONSE = 8,
|
||||
OCSP_BASICRESP = 16,
|
||||
|
||||
CYASSL_CRL_CHECKALL = 1,
|
||||
|
||||
ASN1_GENERALIZEDTIME = 4,
|
||||
|
||||
SSL_OP_MICROSOFT_SESS_ID_BUG = 1,
|
||||
@ -776,6 +778,7 @@ CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
|
||||
int, const char*);
|
||||
|
||||
typedef void (*CallbackCACache)(unsigned char* der, int sz, int type);
|
||||
typedef void (*CbMissingCRL)(const char* url);
|
||||
|
||||
CYASSL_API void CyaSSL_CTX_SetCACb(CYASSL_CTX*, CallbackCACache);
|
||||
|
||||
@ -787,6 +790,20 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f,
|
||||
const char* d);
|
||||
CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f,
|
||||
int format);
|
||||
CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options);
|
||||
CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*);
|
||||
CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*,int);
|
||||
CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL);
|
||||
|
||||
CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options);
|
||||
CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl);
|
||||
CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int);
|
||||
|
||||
CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options);
|
||||
CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx);
|
||||
CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int);
|
||||
|
||||
|
||||
|
||||
#ifdef CYASSL_CALLBACKS
|
||||
|
||||
|
@ -109,6 +109,7 @@ static const char* ntruKey = "./certs/ntru-key.raw";
|
||||
static const char* dhParam = "./certs/dh2048.pem";
|
||||
static const char* cliEccKey = "./certs/ecc-client-key.pem";
|
||||
static const char* cliEccCert = "./certs/client-ecc-cert.pem";
|
||||
static const char* crlPemDir = "./certs/crl";
|
||||
|
||||
typedef struct tcp_ready {
|
||||
int ready; /* predicate */
|
||||
|
@ -136,6 +136,7 @@ void client_test(void* args)
|
||||
CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify);
|
||||
#endif
|
||||
|
||||
|
||||
if (argc == 3) {
|
||||
/* ./client server securePort */
|
||||
CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, 0); /* TODO: add ca cert */
|
||||
@ -206,6 +207,10 @@ void client_test(void* args)
|
||||
|
||||
ssl = CyaSSL_new(ctx);
|
||||
CyaSSL_set_fd(ssl, sockfd);
|
||||
#ifdef HAVE_CRL
|
||||
CyaSSL_EnableCRL(ssl, 0);
|
||||
CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM);
|
||||
#endif
|
||||
if (argc != 3)
|
||||
CyaSSL_check_domain_name(ssl, "www.yassl.com");
|
||||
#ifdef NON_BLOCKING
|
||||
|
251
src/crl.c
251
src/crl.c
@ -26,12 +26,261 @@
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
|
||||
#include <cyassl/crl.h>
|
||||
#include <cyassl/internal.h>
|
||||
#include <cyassl/error.h>
|
||||
|
||||
#include <dirent.h>
|
||||
#include <string.h>
|
||||
|
||||
|
||||
/* Initialze CRL members */
|
||||
int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm)
|
||||
{
|
||||
CYASSL_ENTER("InitCRL");
|
||||
|
||||
crl->cm = cm;
|
||||
crl->crlList = NULL;
|
||||
if (InitMutex(&crl->crlLock) != 0)
|
||||
return BAD_MUTEX_ERROR;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Initialze CRL Entry */
|
||||
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
|
||||
{
|
||||
CYASSL_ENTER("FreeCRL_Entry");
|
||||
|
||||
XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE);
|
||||
XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE);
|
||||
XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
|
||||
XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
|
||||
|
||||
crle->certs = dcrl->certs; /* take ownsership */
|
||||
dcrl->certs = NULL;
|
||||
crle->totalCerts = dcrl->totalCerts;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Free all CRL Entry resources */
|
||||
static void FreeCRL_Entry(CRL_Entry* crle)
|
||||
{
|
||||
RevokedCert* tmp = crle->certs;
|
||||
|
||||
CYASSL_ENTER("FreeCRL_Entry");
|
||||
|
||||
while(tmp) {
|
||||
RevokedCert* next = tmp->next;
|
||||
XFREE(tmp, NULL, DYNAMIC_TYPE_REVOKED);
|
||||
tmp = next;
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Free all CRL resources */
|
||||
void FreeCRL(CYASSL_CRL* crl)
|
||||
{
|
||||
CRL_Entry* tmp = crl->crlList;
|
||||
|
||||
CYASSL_ENTER("FreeCRL");
|
||||
|
||||
while(tmp) {
|
||||
CRL_Entry* next = tmp->next;
|
||||
FreeCRL_Entry(tmp);
|
||||
XFREE(tmp, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
||||
tmp = next;
|
||||
}
|
||||
|
||||
FreeMutex(&crl->crlLock);
|
||||
}
|
||||
|
||||
|
||||
/* Is the cert ok with CRL, return 0 on success */
|
||||
int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert)
|
||||
{
|
||||
CRL_Entry* crle;
|
||||
int foundEntry = 0;
|
||||
int revoked = 0;
|
||||
int ret = 0;
|
||||
|
||||
CYASSL_ENTER("CheckCertCRL");
|
||||
|
||||
if (LockMutex(&crl->crlLock) != 0) {
|
||||
CYASSL_MSG("LockMutex failed");
|
||||
return BAD_MUTEX_ERROR;
|
||||
}
|
||||
|
||||
crle = crl->crlList;
|
||||
|
||||
while (crle) {
|
||||
if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) {
|
||||
CYASSL_MSG("Found CRL Entry on list");
|
||||
foundEntry = 1;
|
||||
break;
|
||||
}
|
||||
crle = crle->next;
|
||||
}
|
||||
|
||||
if (foundEntry) {
|
||||
RevokedCert* rc = crle->certs;
|
||||
|
||||
while (rc) {
|
||||
if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
|
||||
CYASSL_MSG("Cert revoked");
|
||||
revoked = 1;
|
||||
ret = CRL_CERT_REVOKED;
|
||||
break;
|
||||
}
|
||||
rc = rc->next;
|
||||
}
|
||||
}
|
||||
|
||||
UnLockMutex(&crl->crlLock);
|
||||
|
||||
if (foundEntry == 0) {
|
||||
CYASSL_MSG("Couldn't find CRL for status check");
|
||||
ret = CRL_MISSING;
|
||||
if (crl->cm->cbMissingCRL)
|
||||
crl->cm->cbMissingCRL(NULL);
|
||||
}
|
||||
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
/* Add Decoded CRL, 0 on success */
|
||||
static int AddCRL(CYASSL_CRL* crl, DecodedCRL* dcrl)
|
||||
{
|
||||
CRL_Entry* crle;
|
||||
|
||||
CYASSL_ENTER("AddCRL");
|
||||
|
||||
crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
||||
if (crle == NULL) {
|
||||
CYASSL_MSG("alloc CRL Entry failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (InitCRL_Entry(crle, dcrl) < 0) {
|
||||
CYASSL_MSG("Init CRL Entry failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (LockMutex(&crl->crlLock) != 0) {
|
||||
CYASSL_MSG("LockMutex failed");
|
||||
FreeCRL_Entry(crle);
|
||||
return BAD_MUTEX_ERROR;
|
||||
}
|
||||
crle->next = crl->crlList;
|
||||
crl->crlList = crle;
|
||||
UnLockMutex(&crl->crlLock);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Load CRL File of type, SSL_SUCCESS on ok */
|
||||
int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type)
|
||||
{
|
||||
int ret = SSL_SUCCESS;
|
||||
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
||||
buffer der;
|
||||
DecodedCRL dcrl;
|
||||
|
||||
der.buffer = NULL;
|
||||
|
||||
CYASSL_ENTER("BufferLoadCRL");
|
||||
|
||||
if (crl == NULL || buff == NULL || sz == 0)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (type == SSL_FILETYPE_PEM) {
|
||||
int eccKey = 0; /* not used */
|
||||
EncryptedInfo info;
|
||||
info.ctx = NULL;
|
||||
|
||||
ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
||||
if (ret == 0) {
|
||||
myBuffer = der.buffer;
|
||||
sz = der.length;
|
||||
}
|
||||
else {
|
||||
CYASSL_MSG("Pem to Der failed");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
InitDecodedCRL(&dcrl);
|
||||
ret = ParseCRL(&dcrl, myBuffer, sz);
|
||||
if (ret != 0) {
|
||||
CYASSL_MSG("ParseCRL error");
|
||||
}
|
||||
else {
|
||||
ret = AddCRL(crl, &dcrl);
|
||||
if (ret != 0)
|
||||
CYASSL_MSG("AddCRL error");
|
||||
}
|
||||
FreeDecodedCRL(&dcrl);
|
||||
|
||||
if (der.buffer)
|
||||
XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
||||
|
||||
if (ret == 0)
|
||||
return SSL_SUCCESS; /* convert */
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
/* Load CRL path files of type, SSL_SUCCESS on ok */
|
||||
int LoadCRL(CYASSL_CRL* crl, const char* path, int type)
|
||||
{
|
||||
struct dirent* entry;
|
||||
DIR* dir;
|
||||
int ret = SSL_SUCCESS;
|
||||
|
||||
CYASSL_ENTER("LoadCRL");
|
||||
if (crl == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
dir = opendir(path);
|
||||
if (dir == NULL) {
|
||||
CYASSL_MSG("opendir path crl load failed");
|
||||
return BAD_PATH_ERROR;
|
||||
}
|
||||
while ( ret == SSL_SUCCESS && (entry = readdir(dir)) != NULL) {
|
||||
if (entry->d_type & DT_REG) {
|
||||
char name[MAX_FILENAME_SZ];
|
||||
|
||||
if (type == SSL_FILETYPE_PEM) {
|
||||
if (strstr(entry->d_name, ".pem") == NULL) {
|
||||
CYASSL_MSG("not .pem file, skipping");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (strstr(entry->d_name, ".der") == NULL &&
|
||||
strstr(entry->d_name, ".crl") == NULL) {
|
||||
|
||||
CYASSL_MSG("not .der or .crl file, skipping");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
XMEMSET(name, 0, sizeof(name));
|
||||
XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
|
||||
XSTRNCAT(name, "/", 1);
|
||||
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
|
||||
|
||||
ret = ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl);
|
||||
}
|
||||
}
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
#endif /* HAVE_CRL */
|
||||
|
@ -1702,6 +1702,17 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx)
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
if (ssl->ctx->cm->crlEnabled) {
|
||||
ret = CheckCertCRL(ssl->ctx->cm->crl, &dCert);
|
||||
|
||||
if (ret != 0) {
|
||||
CYASSL_MSG("\tCRL check not ok");
|
||||
fatal = 0;
|
||||
}
|
||||
}
|
||||
#endif /* HAVE_CRL */
|
||||
|
||||
#ifdef OPENSSL_EXTRA
|
||||
/* set X509 format for peer cert even if fatal */
|
||||
XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX);
|
||||
@ -3509,6 +3520,14 @@ void SetErrorString(int error, char* str)
|
||||
XSTRNCPY(str, "OCSP Cert revoked", max);
|
||||
break;
|
||||
|
||||
case CRL_CERT_REVOKED:
|
||||
XSTRNCPY(str, "CRL Cert revoked", max);
|
||||
break;
|
||||
|
||||
case CRL_MISSING:
|
||||
XSTRNCPY(str, "CRL missing, not loaded", max);
|
||||
break;
|
||||
|
||||
default :
|
||||
XSTRNCPY(str, "unknown error number", max);
|
||||
}
|
||||
|
202
src/ssl.c
202
src/ssl.c
@ -375,6 +375,10 @@ CYASSL_CERT_MANAGER* CyaSSL_CertManagerNew(void)
|
||||
cm->caList = NULL;
|
||||
cm->heap = NULL;
|
||||
cm->caCacheCallback = NULL;
|
||||
cm->crl = NULL;
|
||||
cm->crlEnabled = 0;
|
||||
cm->crlCheckAll = 0;
|
||||
cm->cbMissingCRL = NULL;
|
||||
|
||||
if (InitMutex(&cm->caLock) != 0) {
|
||||
CYASSL_MSG("Bad mutex init");
|
||||
@ -392,6 +396,10 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm)
|
||||
CYASSL_ENTER("CyaSSL_CertManagerFree");
|
||||
|
||||
if (cm) {
|
||||
#ifdef HAVE_CRL
|
||||
if (cm->crl)
|
||||
FreeCRL(cm->crl);
|
||||
#endif
|
||||
FreeSigners(cm->caList, NULL);
|
||||
FreeMutex(&cm->caLock);
|
||||
XFREE(cm, NULL, DYNAMIC_TYPE_CERT_MANAGER);
|
||||
@ -629,7 +637,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
|
||||
|
||||
/* Remove PEM header/footer, convert to ASN1, store any encrypted data
|
||||
info->consumed tracks of PEM bytes consumed in case multiple parts */
|
||||
static int PemToDer(const unsigned char* buff, long sz, int type,
|
||||
int PemToDer(const unsigned char* buff, long sz, int type,
|
||||
buffer* der, void* heap, EncryptedInfo* info, int* eccKey)
|
||||
{
|
||||
char header[PEM_LINE_LEN];
|
||||
@ -655,6 +663,10 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
|
||||
XSTRNCPY(header, "-----BEGIN DH PARAMETERS-----", sizeof(header));
|
||||
XSTRNCPY(footer, "-----END DH PARAMETERS-----", sizeof(footer));
|
||||
dynamicType = DYNAMIC_TYPE_KEY;
|
||||
} else if (type == CRL_TYPE) {
|
||||
XSTRNCPY(header, "-----BEGIN X509 CRL-----", sizeof(header));
|
||||
XSTRNCPY(footer, "-----END X509 CRL-----", sizeof(footer));
|
||||
dynamicType = DYNAMIC_TYPE_CRL;
|
||||
} else {
|
||||
XSTRNCPY(header, "-----BEGIN RSA PRIVATE KEY-----", sizeof(header));
|
||||
XSTRNCPY(footer, "-----END RSA PRIVATE KEY-----", sizeof(footer));
|
||||
@ -1144,8 +1156,8 @@ static int ProcessChainBuffer(CYASSL_CTX* ctx, const unsigned char* buff,
|
||||
|
||||
/* process a file with name fname into ctx of format and type
|
||||
userChain specifies a user certificate chain to pass during handshake */
|
||||
static int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type,
|
||||
CYASSL* ssl, int userChain)
|
||||
int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type,
|
||||
CYASSL* ssl, int userChain, CYASSL_CRL* crl)
|
||||
{
|
||||
byte staticBuffer[FILE_BUFFER_SIZE];
|
||||
byte* myBuffer = staticBuffer;
|
||||
@ -1174,6 +1186,8 @@ static int ProcessFile(CYASSL_CTX* ctx, const char* fname, int format, int type,
|
||||
else {
|
||||
if (type == CA_TYPE && format == SSL_FILETYPE_PEM)
|
||||
ret = ProcessChainBuffer(ctx, myBuffer, sz, format, type, ssl);
|
||||
else if (type == CRL_TYPE)
|
||||
ret = BufferLoadCRL(crl, myBuffer, sz, format);
|
||||
else
|
||||
ret = ProcessBuffer(ctx, myBuffer, sz, format, type, ssl, NULL,
|
||||
userChain);
|
||||
@ -1199,7 +1213,7 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file,
|
||||
return SSL_FAILURE;
|
||||
|
||||
if (file)
|
||||
ret = ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE, NULL, 0);
|
||||
ret = ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE, NULL, 0, NULL);
|
||||
|
||||
if (ret == SSL_SUCCESS && path) {
|
||||
/* try to load each regular file in path */
|
||||
@ -1224,7 +1238,8 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file,
|
||||
XSTRNCAT(name, "\\", 2);
|
||||
XSTRNCAT(name, FindFileData.cFileName, MAX_FILENAME_SZ/2);
|
||||
|
||||
ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0);
|
||||
ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0,
|
||||
NULL);
|
||||
}
|
||||
} while (ret == SSL_SUCCESS && FindNextFileA(hFind, &FindFileData));
|
||||
|
||||
@ -1246,7 +1261,8 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file,
|
||||
XSTRNCAT(name, "/", 1);
|
||||
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
|
||||
|
||||
ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0);
|
||||
ret = ProcessFile(ctx, name, SSL_FILETYPE_PEM, CA_TYPE, NULL,0,
|
||||
NULL);
|
||||
}
|
||||
}
|
||||
closedir(dir);
|
||||
@ -1356,6 +1372,146 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file,
|
||||
}
|
||||
|
||||
|
||||
/* turn on CRL if off and compiled in, set options */
|
||||
int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CertManagerEnableCRL");
|
||||
if (cm == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
#ifndef HAVE_CRL
|
||||
return NOT_COMPILED_IN;
|
||||
#else
|
||||
if (cm->crl == NULL) {
|
||||
cm->crl = (CYASSL_CRL*)XMALLOC(sizeof(CYASSL_CRL), cm->heap,
|
||||
DYNAMIC_TYPE_CRL);
|
||||
if (cm->crl == NULL)
|
||||
return MEMORY_E;
|
||||
|
||||
if (InitCRL(cm->crl, cm) != 0) {
|
||||
CYASSL_MSG("Init CRL failed");
|
||||
FreeCRL(cm->crl);
|
||||
cm->crl = NULL;
|
||||
return SSL_FAILURE;
|
||||
}
|
||||
}
|
||||
cm->crlEnabled = 1;
|
||||
if (options & CYASSL_CRL_CHECKALL)
|
||||
cm->crlCheckAll = 1;
|
||||
#endif
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CertManagerDisableCRL");
|
||||
if (cm == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
cm->crlEnabled = 0;
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
#ifdef HAVE_CRL
|
||||
|
||||
|
||||
int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CertManagerLoadCRL");
|
||||
if (cm == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
cm->cbMissingCRL = cb;
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path,
|
||||
int type)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CertManagerLoadCRL");
|
||||
if (cm == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (cm->crl == NULL) {
|
||||
if (CyaSSL_CertManagerEnableCRL(cm, 0) != SSL_SUCCESS) {
|
||||
CYASSL_MSG("Enable CRL failed");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
return LoadCRL(cm->crl, path, type);
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_EnableCRL(CYASSL* ssl, int options)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_EnableCRL");
|
||||
if (ssl)
|
||||
return CyaSSL_CertManagerEnableCRL(ssl->ctx->cm, options);
|
||||
else
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_DisableCRL(CYASSL* ssl)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_DisableCRL");
|
||||
if (ssl)
|
||||
return CyaSSL_CertManagerDisableCRL(ssl->ctx->cm);
|
||||
else
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_LoadCRL");
|
||||
if (ssl)
|
||||
return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type);
|
||||
else
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CTX_EnableCRL");
|
||||
if (ctx)
|
||||
return CyaSSL_CertManagerEnableCRL(ctx->cm, options);
|
||||
else
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CTX_DisableCRL");
|
||||
if (ctx)
|
||||
return CyaSSL_CertManagerDisableCRL(ctx->cm);
|
||||
else
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CTX_LoadCRL");
|
||||
if (ctx)
|
||||
return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type);
|
||||
else
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
|
||||
#endif /* HAVE_CRL */
|
||||
|
||||
|
||||
#ifdef CYASSL_DER_LOAD
|
||||
|
||||
/* Add format parameter to allow DER load of CA files */
|
||||
@ -1366,7 +1522,7 @@ int CyaSSL_CTX_der_load_verify_locations(CYASSL_CTX* ctx, const char* file,
|
||||
if (ctx == NULL || file == NULL)
|
||||
return SSL_FAILURE;
|
||||
|
||||
if (ProcessFile(ctx, file, format, CA_TYPE, NULL, 0) == SSL_SUCCESS)
|
||||
if (ProcessFile(ctx, file, format, CA_TYPE, NULL, 0, NULL) == SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
return SSL_FAILURE;
|
||||
@ -1436,7 +1592,7 @@ int CyaSSL_CTX_use_certificate_file(CYASSL_CTX* ctx, const char* file,
|
||||
int format)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CTX_use_certificate_file");
|
||||
if (ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0) == SSL_SUCCESS)
|
||||
if (ProcessFile(ctx, file, format, CERT_TYPE, NULL, 0, NULL) == SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
return SSL_FAILURE;
|
||||
@ -1446,7 +1602,8 @@ int CyaSSL_CTX_use_certificate_file(CYASSL_CTX* ctx, const char* file,
|
||||
int CyaSSL_CTX_use_PrivateKey_file(CYASSL_CTX* ctx, const char* file,int format)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CTX_use_PrivateKey_file");
|
||||
if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0) == SSL_SUCCESS)
|
||||
if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL, 0, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
return SSL_FAILURE;
|
||||
@ -1457,7 +1614,8 @@ int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX* ctx, const char* file)
|
||||
{
|
||||
/* procces up to MAX_CHAIN_DEPTH plus subject cert */
|
||||
CYASSL_ENTER("CyaSSL_CTX_use_certificate_chain_file");
|
||||
if (ProcessFile(ctx, file, SSL_FILETYPE_PEM,CERT_TYPE,NULL,1) == SSL_SUCCESS)
|
||||
if (ProcessFile(ctx, file, SSL_FILETYPE_PEM,CERT_TYPE,NULL,1, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
return SSL_FAILURE;
|
||||
@ -1470,7 +1628,8 @@ int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX* ctx, const char* file)
|
||||
int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_use_certificate_file");
|
||||
if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0) == SSL_SUCCESS)
|
||||
if (ProcessFile(ssl->ctx, file, format, CERT_TYPE, ssl, 0, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
return SSL_FAILURE;
|
||||
@ -1480,7 +1639,7 @@ int CyaSSL_use_certificate_file(CYASSL* ssl, const char* file, int format)
|
||||
int CyaSSL_use_PrivateKey_file(CYASSL* ssl, const char* file, int format)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_use_PrivateKey_file");
|
||||
if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0)
|
||||
if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
@ -1492,7 +1651,7 @@ int CyaSSL_use_certificate_chain_file(CYASSL* ssl, const char* file)
|
||||
{
|
||||
/* procces up to MAX_CHAIN_DEPTH plus subject cert */
|
||||
CYASSL_ENTER("CyaSSL_use_certificate_chain_file");
|
||||
if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1)
|
||||
if (ProcessFile(ssl->ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, ssl, 1, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
@ -1652,7 +1811,7 @@ int CyaSSL_CTX_SetTmpDH_file(CYASSL_CTX* ctx, const char* fname, int format)
|
||||
int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_CTX_use_NTRUPrivateKey_file");
|
||||
if (ProcessFile(ctx, file, SSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL, 0)
|
||||
if (ProcessFile(ctx, file, SSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL, 0, NULL)
|
||||
== SSL_SUCCESS) {
|
||||
ctx->haveNTRU = 1;
|
||||
return SSL_SUCCESS;
|
||||
@ -1671,7 +1830,8 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file)
|
||||
int format)
|
||||
{
|
||||
CYASSL_ENTER("SSL_CTX_use_RSAPrivateKey_file");
|
||||
if (ProcessFile(ctx, file,format,PRIVATEKEY_TYPE,NULL,0) == SSL_SUCCESS)
|
||||
if (ProcessFile(ctx, file,format,PRIVATEKEY_TYPE,NULL,0, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
return SSL_FAILURE;
|
||||
@ -1680,7 +1840,7 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(CYASSL_CTX* ctx, const char* file)
|
||||
int CyaSSL_use_RSAPrivateKey_file(CYASSL* ssl, const char* file, int format)
|
||||
{
|
||||
CYASSL_ENTER("CyaSSL_use_RSAPrivateKey_file");
|
||||
if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0)
|
||||
if (ProcessFile(ssl->ctx, file, format, PRIVATEKEY_TYPE, ssl, 0, NULL)
|
||||
== SSL_SUCCESS)
|
||||
return SSL_SUCCESS;
|
||||
|
||||
@ -2857,7 +3017,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
|
||||
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->optoins.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
}
|
||||
|
||||
|
||||
@ -5868,7 +6028,7 @@ static int initGlobalRNG = 0;
|
||||
if (bn == NULL || bn->internal == NULL)
|
||||
return 0;
|
||||
|
||||
if (mp_cmp_d((mp_int*)bn->internal, 1) == 0);
|
||||
if (mp_cmp_d((mp_int*)bn->internal, 1) == 0)
|
||||
return 1;
|
||||
|
||||
return 0;
|
||||
@ -5888,7 +6048,6 @@ static int initGlobalRNG = 0;
|
||||
|
||||
int CyaSSL_BN_cmp(const CYASSL_BIGNUM* a, const CYASSL_BIGNUM* b)
|
||||
{
|
||||
int ret;
|
||||
CYASSL_MSG("CyaSSL_BN_cmp");
|
||||
|
||||
if (a == NULL || a->internal == NULL || b == NULL || b->internal ==NULL)
|
||||
@ -5997,7 +6156,6 @@ static int initGlobalRNG = 0;
|
||||
{
|
||||
byte decoded[1024];
|
||||
word32 decSz = sizeof(decoded);
|
||||
int ret;
|
||||
|
||||
CYASSL_MSG("CyaSSL_BN_hex2bn");
|
||||
|
||||
@ -6288,7 +6446,6 @@ static int initGlobalRNG = 0;
|
||||
word32 pubSz = sizeof(pub);
|
||||
word32 privSz = sizeof(priv);
|
||||
word32 keySz;
|
||||
int ret;
|
||||
|
||||
CYASSL_MSG("CyaSSL_DH_compute_key");
|
||||
|
||||
@ -6692,7 +6849,6 @@ static int initGlobalRNG = 0;
|
||||
int CyaSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet,
|
||||
CYASSL_DSA* dsa)
|
||||
{
|
||||
word32 signSz;
|
||||
RNG tmpRNG;
|
||||
RNG* rng = &tmpRNG;
|
||||
|
||||
@ -6779,7 +6935,7 @@ static int initGlobalRNG = 0;
|
||||
}
|
||||
|
||||
signSz = EncodeSignature(encodedSig, m, mLen, type);
|
||||
if (signSz < 0) {
|
||||
if (signSz == 0) {
|
||||
CYASSL_MSG("Bad Encode Signature");
|
||||
return 0;
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user