fixed merge conflicts
This commit is contained in:
John Safranek
commit
4b8bb6cdfe
24
certs/crl/eccCliCRL.pem
Normal file
24
certs/crl/eccCliCRL.pem
Normal file
@ -0,0 +1,24 @@
|
||||
Certificate Revocation List (CRL):
|
||||
Version 2 (0x1)
|
||||
Signature Algorithm: ecdsa-with-SHA1
|
||||
Issuer: /C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.yassl.com/emailAddress=info@yassl.com
|
||||
Last Update: May 25 20:21:43 2012 GMT
|
||||
Next Update: Jun 24 20:21:43 2012 GMT
|
||||
CRL extensions:
|
||||
X509v3 CRL Number:
|
||||
1
|
||||
No Revoked Certificates.
|
||||
Signature Algorithm: ecdsa-with-SHA1
|
||||
30:45:02:21:00:c8:82:17:00:62:02:ae:73:f8:80:57:3d:19:
|
||||
df:f3:36:5a:4c:12:89:d5:d6:b4:aa:29:b6:c8:7d:f2:1d:2f:
|
||||
55:02:20:18:f4:ad:18:1a:c5:df:39:81:ad:0d:3e:45:14:3d:
|
||||
07:44:31:21:bd:ed:13:32:7b:32:03:41:a1:0f:fd:1a:67
|
||||
-----BEGIN X509 CRL-----
|
||||
MIIBIDCByAIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG
|
||||
T3JlZ29uMQ4wDAYDVQQHEwVTYWxlbTETMBEGA1UEChMKQ2xpZW50IEVDQzENMAsG
|
||||
A1UECxMERmFzdDEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsGCSqGSIb3DQEJ
|
||||
ARYOaW5mb0B5YXNzbC5jb20XDTEyMDUyNTIwMjE0M1oXDTEyMDYyNDIwMjE0M1qg
|
||||
DjAMMAoGA1UdFAQDAgEBMAkGByqGSM49BAEDSAAwRQIhAMiCFwBiAq5z+IBXPRnf
|
||||
8zZaTBKJ1da0qim2yH3yHS9VAiAY9K0YGsXfOYGtDT5FFD0HRDEhve0TMnsyA0Gh
|
||||
D/0aZw==
|
||||
-----END X509 CRL-----
|
||||
24
certs/crl/eccSrvCRL.pem
Normal file
24
certs/crl/eccSrvCRL.pem
Normal file
@ -0,0 +1,24 @@
|
||||
Certificate Revocation List (CRL):
|
||||
Version 2 (0x1)
|
||||
Signature Algorithm: ecdsa-with-SHA1
|
||||
Issuer: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.yassl.com/emailAddress=info@yassl.com
|
||||
Last Update: May 25 20:15:31 2012 GMT
|
||||
Next Update: Jun 24 20:15:31 2012 GMT
|
||||
CRL extensions:
|
||||
X509v3 CRL Number:
|
||||
1
|
||||
No Revoked Certificates.
|
||||
Signature Algorithm: ecdsa-with-SHA1
|
||||
30:46:02:21:00:d3:e3:d6:58:f7:92:c6:93:e3:c2:b9:81:dd:
|
||||
b2:3f:e8:c9:4d:61:b1:ed:25:d2:1d:49:da:bd:15:ab:c7:21:
|
||||
9f:02:21:00:e6:8f:20:2a:10:e7:85:26:6b:31:6e:c4:c2:08:
|
||||
b5:c3:fa:d0:fa:ca:34:8c:2a:85:6c:18:94:84:18:46:96:a7
|
||||
-----BEGIN X509 CRL-----
|
||||
MIIBIzCBygIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK
|
||||
V2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMHRWxpcHRpYzEM
|
||||
MAoGA1UECxMDRUNDMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN
|
||||
AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTIwNTI1MjAxNTMxWhcNMTIwNjI0MjAxNTMx
|
||||
WqAOMAwwCgYDVR0UBAMCAQEwCQYHKoZIzj0EAQNJADBGAiEA0+PWWPeSxpPjwrmB
|
||||
3bI/6MlNYbHtJdIdSdq9FavHIZ8CIQDmjyAqEOeFJmsxbsTCCLXD+tD6yjSMKoVs
|
||||
GJSEGEaWpw==
|
||||
-----END X509 CRL-----
|
||||
@ -4,7 +4,9 @@
|
||||
|
||||
EXTRA_DIST += \
|
||||
certs/crl/crl.pem \
|
||||
certs/crl/cliCrl.pem
|
||||
certs/crl/cliCrl.pem \
|
||||
certs/crl/eccSrvCRL.pem \
|
||||
certs/crl/eccCliCRL.pem
|
||||
|
||||
EXTRA_DIST += \
|
||||
certs/crl/crl.revoked
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
#
|
||||
#
|
||||
|
||||
AC_INIT([cyassl],[2.2.1],[http://www.yassl.com])
|
||||
AC_INIT([cyassl],[2.2.3],[http://www.yassl.com])
|
||||
|
||||
AC_CONFIG_AUX_DIR(config)
|
||||
|
||||
|
||||
@ -2083,6 +2083,10 @@ static void DecodeBasicCaConstraint(byte* input, int sz, DecodedCert* cert)
|
||||
CYASSL_ENTER("DecodeBasicCaConstraint");
|
||||
if (GetSequence(input, &idx, &length, sz) < 0) return;
|
||||
|
||||
if (length == 0) return;
|
||||
/* If the basic ca constraint is false, this extension may be named, but
|
||||
* left empty. So, if the length is 0, just return. */
|
||||
|
||||
if (input[idx++] != ASN_BOOLEAN)
|
||||
{
|
||||
CYASSL_MSG("\tfail: constraint not BOOLEAN");
|
||||
@ -4253,60 +4257,60 @@ static int DecodeSingleResponse(byte* source,
|
||||
static int DecodeOcspRespExtensions(byte* source,
|
||||
word32* ioIndex, OcspResponse* resp, word32 sz)
|
||||
{
|
||||
word32 index = *ioIndex;
|
||||
word32 idx = *ioIndex;
|
||||
int length;
|
||||
int ext_bound; /* boundary index for the sequence of extensions */
|
||||
word32 oid;
|
||||
|
||||
CYASSL_ENTER("DecodeOcspRespExtensions");
|
||||
|
||||
if (source[index++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
|
||||
if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC | 1))
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (GetLength(source, &index, &length, sz) < 0) return ASN_PARSE_E;
|
||||
if (GetLength(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
|
||||
|
||||
if (GetSequence(source, &index, &length, sz) < 0) return ASN_PARSE_E;
|
||||
if (GetSequence(source, &idx, &length, sz) < 0) return ASN_PARSE_E;
|
||||
|
||||
ext_bound = index + length;
|
||||
ext_bound = idx + length;
|
||||
|
||||
while (index < ext_bound) {
|
||||
if (GetSequence(source, &index, &length, sz) < 0) {
|
||||
while (idx < (word32)ext_bound) {
|
||||
if (GetSequence(source, &idx, &length, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: should be a SEQUENCE");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
oid = 0;
|
||||
if (GetObjectId(source, &index, &oid, sz) < 0) {
|
||||
if (GetObjectId(source, &idx, &oid, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: OBJECT ID");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
/* check for critical flag */
|
||||
if (source[index] == ASN_BOOLEAN) {
|
||||
if (source[idx] == ASN_BOOLEAN) {
|
||||
CYASSL_MSG("\tfound optional critical flag, moving past");
|
||||
index += (ASN_BOOL_SIZE + 1);
|
||||
idx += (ASN_BOOL_SIZE + 1);
|
||||
}
|
||||
|
||||
/* process the extension based on the OID */
|
||||
if (source[index++] != ASN_OCTET_STRING) {
|
||||
if (source[idx++] != ASN_OCTET_STRING) {
|
||||
CYASSL_MSG("\tfail: should be an OCTET STRING");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (GetLength(source, &index, &length, sz) < 0) {
|
||||
if (GetLength(source, &idx, &length, sz) < 0) {
|
||||
CYASSL_MSG("\tfail: extension data length");
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
if (oid == OCSP_NONCE_OID) {
|
||||
resp->nonce = source + index;
|
||||
resp->nonce = source + idx;
|
||||
resp->nonceSz = length;
|
||||
}
|
||||
|
||||
index += length;
|
||||
idx += length;
|
||||
}
|
||||
|
||||
*ioIndex = index;
|
||||
*ioIndex = idx;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -4314,54 +4318,54 @@ static int DecodeOcspRespExtensions(byte* source,
|
||||
static int DecodeResponseData(byte* source,
|
||||
word32* ioIndex, OcspResponse* resp, word32 size)
|
||||
{
|
||||
word32 index = *ioIndex;
|
||||
int length, result;
|
||||
word32 idx = *ioIndex;
|
||||
int length;
|
||||
int version;
|
||||
word32 responderId = 0;
|
||||
|
||||
if (GetSequence(source, &index, &length, size) < 0)
|
||||
if (GetSequence(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
resp->respBegin = index;
|
||||
resp->respBegin = idx;
|
||||
resp->respLength = length;
|
||||
|
||||
/* Get version. It is an EXPLICIT[0] DEFAULT(0) value. If this
|
||||
* item isn't an EXPLICIT[0], then set version to zero and move
|
||||
* onto the next item.
|
||||
*/
|
||||
if (source[index] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
|
||||
if (source[idx] == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED))
|
||||
{
|
||||
index += 2; /* Eat the value and length */
|
||||
if (GetMyVersion(source, &index, &version) < 0)
|
||||
idx += 2; /* Eat the value and length */
|
||||
if (GetMyVersion(source, &idx, &version) < 0)
|
||||
return ASN_PARSE_E;
|
||||
} else
|
||||
version = 0;
|
||||
|
||||
responderId = source[index++];
|
||||
responderId = source[idx++];
|
||||
if ((responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) ||
|
||||
(responderId == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 2)))
|
||||
{
|
||||
if (GetLength(source, &index, &length, size) < 0)
|
||||
if (GetLength(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
index += length;
|
||||
idx += length;
|
||||
}
|
||||
else
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* save pointer to the producedAt time */
|
||||
if (source[index++] != ASN_GENERALIZED_TIME)
|
||||
if (source[idx++] != ASN_GENERALIZED_TIME)
|
||||
return ASN_PARSE_E;
|
||||
if (GetLength(source, &index, &length, size) < 0)
|
||||
if (GetLength(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
resp->producedAt = source + index;
|
||||
index += length;
|
||||
resp->producedAt = source + idx;
|
||||
idx += length;
|
||||
|
||||
if (DecodeSingleResponse(source, &index, resp, size) < 0)
|
||||
if (DecodeSingleResponse(source, &idx, resp, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (DecodeOcspRespExtensions(source, &index, resp, size) < 0)
|
||||
if (DecodeOcspRespExtensions(source, &idx, resp, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
*ioIndex = index;
|
||||
*ioIndex = idx;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -4369,16 +4373,19 @@ static int DecodeResponseData(byte* source,
|
||||
static int DecodeCerts(byte* source,
|
||||
word32* ioIndex, OcspResponse* resp, word32 size)
|
||||
{
|
||||
word32 index = *ioIndex;
|
||||
if (source[index++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
|
||||
word32 idx = *ioIndex;
|
||||
|
||||
(void)resp;
|
||||
|
||||
if (source[idx++] == (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
|
||||
{
|
||||
int length;
|
||||
|
||||
if (GetLength(source, &index, &length, size) < 0)
|
||||
if (GetLength(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
index += length;
|
||||
idx += length;
|
||||
}
|
||||
*ioIndex = index;
|
||||
*ioIndex = idx;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -4386,42 +4393,42 @@ static int DecodeBasicOcspResponse(byte* source,
|
||||
word32* ioIndex, OcspResponse* resp, word32 size)
|
||||
{
|
||||
int length;
|
||||
word32 index = *ioIndex;
|
||||
word32 idx = *ioIndex;
|
||||
word32 end_index;
|
||||
|
||||
if (GetSequence(source, &index, &length, size) < 0)
|
||||
if (GetSequence(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (index + length > size)
|
||||
if (idx + length > size)
|
||||
return ASN_INPUT_E;
|
||||
end_index = index + length;
|
||||
end_index = idx + length;
|
||||
|
||||
if (DecodeResponseData(source, &index, resp, size) < 0)
|
||||
if (DecodeResponseData(source, &idx, resp, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* Get the signature algorithm */
|
||||
if (GetAlgoId(source, &index, &resp->sigOID, size) < 0)
|
||||
if (GetAlgoId(source, &idx, &resp->sigOID, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* Obtain pointer to the start of the signature, and save the size */
|
||||
if (source[index++] == ASN_BIT_STRING)
|
||||
if (source[idx++] == ASN_BIT_STRING)
|
||||
{
|
||||
int sigLength = 0;
|
||||
if (GetLength(source, &index, &sigLength, size) < 0)
|
||||
if (GetLength(source, &idx, &sigLength, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
resp->sigLength = sigLength;
|
||||
resp->sigIndex = index;
|
||||
index += sigLength;
|
||||
resp->sigIndex = idx;
|
||||
idx += sigLength;
|
||||
}
|
||||
|
||||
/*
|
||||
* Check the length of the BasicOcspResponse against the current index to
|
||||
* see if there are certificates, they are optional.
|
||||
*/
|
||||
if (index < end_index)
|
||||
return DecodeCerts(source, &index, resp, size);
|
||||
if (idx < end_index)
|
||||
return DecodeCerts(source, &idx, resp, size);
|
||||
|
||||
*ioIndex = index;
|
||||
*ioIndex = idx;
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -4435,52 +4442,55 @@ void InitOcspResponse(OcspResponse* resp, byte* source, word32 inSz, void* heap)
|
||||
}
|
||||
|
||||
|
||||
void FreeOcspResponse(OcspResponse* resp) {}
|
||||
void FreeOcspResponse(OcspResponse* resp)
|
||||
{
|
||||
(void)resp;
|
||||
}
|
||||
|
||||
|
||||
int OcspResponseDecode(OcspResponse* resp)
|
||||
{
|
||||
int length = 0;
|
||||
word32 index = 0;
|
||||
word32 idx = 0;
|
||||
byte* source = resp->source;
|
||||
word32 size = resp->maxIdx;
|
||||
word32 oid;
|
||||
|
||||
/* peel the outer SEQUENCE wrapper */
|
||||
if (GetSequence(source, &index, &length, size) < 0)
|
||||
if (GetSequence(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* First get the responseStatus, an ENUMERATED */
|
||||
if (GetEnumerated(source, &index, &resp->responseStatus) < 0)
|
||||
if (GetEnumerated(source, &idx, &resp->responseStatus) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (resp->responseStatus != OCSP_SUCCESSFUL)
|
||||
return 0;
|
||||
|
||||
/* Next is an EXPLICIT record called ResponseBytes, OPTIONAL */
|
||||
if (index >= size)
|
||||
if (idx >= size)
|
||||
return ASN_INPUT_E;
|
||||
if (source[index++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
|
||||
if (source[idx++] != (ASN_CONSTRUCTED | ASN_CONTEXT_SPECIFIC))
|
||||
return ASN_PARSE_E;
|
||||
if (GetLength(source, &index, &length, size) < 0)
|
||||
if (GetLength(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* Get the responseBytes SEQUENCE */
|
||||
if (GetSequence(source, &index, &length, size) < 0)
|
||||
if (GetSequence(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
/* Check ObjectID for the resposeBytes */
|
||||
if (GetObjectId(source, &index, &oid, size) < 0)
|
||||
if (GetObjectId(source, &idx, &oid, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
if (oid != OCSP_BASIC_OID)
|
||||
return ASN_PARSE_E;
|
||||
if (source[index++] != ASN_OCTET_STRING)
|
||||
if (source[idx++] != ASN_OCTET_STRING)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (GetLength(source, &index, &length, size) < 0)
|
||||
if (GetLength(source, &idx, &length, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
if (DecodeBasicOcspResponse(source, &index, resp, size) < 0)
|
||||
if (DecodeBasicOcspResponse(source, &idx, resp, size) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
return 0;
|
||||
@ -4568,6 +4578,8 @@ int EncodeOcspRequest(DecodedCert* cert, byte* output, word32 outputSz)
|
||||
extSz, totalSz;
|
||||
int i;
|
||||
|
||||
(void)outputSz;
|
||||
|
||||
CYASSL_ENTER("EncodeOcspRequest");
|
||||
algoSz = SetAlgoID(SHAh, algoArray, hashType);
|
||||
issuerSz = SetDigest(cert->issuerHash, SHA_SIZE, issuerArray);
|
||||
@ -4742,7 +4754,7 @@ static int GetRevoked(const byte* buff, word32* idx, DecodedCRL* dcrl,
|
||||
return ASN_PARSE_E;
|
||||
}
|
||||
|
||||
rc = XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
|
||||
rc = (RevokedCert*)XMALLOC(sizeof(RevokedCert), NULL, DYNAMIC_TYPE_CRL);
|
||||
if (rc == NULL) {
|
||||
CYASSL_MSG("Alloc Revoked Cert failed");
|
||||
return MEMORY_E;
|
||||
@ -4814,11 +4826,12 @@ static int GetCRL_Signature(const byte* source, word32* idx, DecodedCRL* dcrl,
|
||||
|
||||
|
||||
/* prase crl buffer into decoded state, 0 on success */
|
||||
int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
|
||||
int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz, void* cm)
|
||||
{
|
||||
int version, len;
|
||||
word32 oid, idx = 0;
|
||||
Md5 md5;
|
||||
int version, len;
|
||||
word32 oid, idx = 0;
|
||||
Md5 md5;
|
||||
Signer* ca;
|
||||
|
||||
CYASSL_MSG("ParseCRL");
|
||||
|
||||
@ -4880,6 +4893,25 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz)
|
||||
if (GetCRL_Signature(buff, &idx, dcrl, sz) < 0)
|
||||
return ASN_PARSE_E;
|
||||
|
||||
ca = GetCA(cm, dcrl->issuerHash);
|
||||
CYASSL_MSG("About to verify CRL signature");
|
||||
|
||||
if (ca) {
|
||||
CYASSL_MSG("Found CRL issuer CA");
|
||||
/* try to confirm/verify signature */
|
||||
if (!ConfirmSignature(buff + dcrl->certBegin,
|
||||
dcrl->sigIndex - dcrl->certBegin,
|
||||
ca->publicKey, ca->pubKeySize, ca->keyOID,
|
||||
dcrl->signature, dcrl->sigLength, dcrl->signatureOID, NULL)) {
|
||||
CYASSL_MSG("CRL Confirm signature failed");
|
||||
return ASN_SIG_CONFIRM_E;
|
||||
}
|
||||
}
|
||||
else {
|
||||
CYASSL_MSG("Did NOT find CRL issuer CA");
|
||||
return ASN_SIG_CONFIRM_E;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
@ -457,7 +457,7 @@ struct DecodedCRL {
|
||||
};
|
||||
|
||||
CYASSL_LOCAL void InitDecodedCRL(DecodedCRL*);
|
||||
CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz);
|
||||
CYASSL_LOCAL int ParseCRL(DecodedCRL*, const byte* buff, long sz, void* cm);
|
||||
CYASSL_LOCAL void FreeDecodedCRL(DecodedCRL*);
|
||||
|
||||
|
||||
|
||||
@ -782,7 +782,7 @@ typedef struct CipherSpecs {
|
||||
|
||||
/* Supported Ciphers from page 43 */
|
||||
enum BulkCipherAlgorithm {
|
||||
cipher_null,
|
||||
cipher_null = 0,
|
||||
rc4,
|
||||
rc2,
|
||||
des,
|
||||
@ -797,7 +797,7 @@ enum BulkCipherAlgorithm {
|
||||
|
||||
/* Supported Message Authentication Codes from page 43 */
|
||||
enum MACAlgorithm {
|
||||
no_mac = 0,
|
||||
no_mac = 10,
|
||||
md5_mac,
|
||||
sha_mac,
|
||||
sha224_mac,
|
||||
@ -810,19 +810,20 @@ enum MACAlgorithm {
|
||||
|
||||
/* Supported Key Exchange Protocols */
|
||||
enum KeyExchangeAlgorithm {
|
||||
no_kea = 0,
|
||||
no_kea = 20,
|
||||
rsa_kea,
|
||||
diffie_hellman_kea,
|
||||
fortezza_kea,
|
||||
psk_kea,
|
||||
ntru_kea,
|
||||
ecc_diffie_hellman_kea
|
||||
ecc_diffie_hellman_kea,
|
||||
ecc_static_diffie_hellman_kea /* for verify suite only */
|
||||
};
|
||||
|
||||
|
||||
/* Supported Authentication Schemes */
|
||||
enum SignatureAlgorithm {
|
||||
anonymous_sa_algo = 0,
|
||||
anonymous_sa_algo = 30,
|
||||
rsa_sa_algo,
|
||||
dsa_sa_algo,
|
||||
ecc_dsa_sa_algo
|
||||
|
||||
306
src/crl.c
306
src/crl.c
@ -36,48 +36,48 @@
|
||||
/* Initialze CRL members */
|
||||
int InitCRL(CYASSL_CRL* crl, CYASSL_CERT_MANAGER* cm)
|
||||
{
|
||||
CYASSL_ENTER("InitCRL");
|
||||
CYASSL_ENTER("InitCRL");
|
||||
|
||||
crl->cm = cm;
|
||||
crl->crlList = NULL;
|
||||
crl->cm = cm;
|
||||
crl->crlList = NULL;
|
||||
crl->monitors[0].path = NULL;
|
||||
crl->monitors[1].path = NULL;
|
||||
#ifdef HAVE_CRL_MONITOR
|
||||
crl->tid = 0;
|
||||
#endif
|
||||
if (InitMutex(&crl->crlLock) != 0)
|
||||
return BAD_MUTEX_ERROR;
|
||||
if (InitMutex(&crl->crlLock) != 0)
|
||||
return BAD_MUTEX_ERROR;
|
||||
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Initialze CRL Entry */
|
||||
static int InitCRL_Entry(CRL_Entry* crle, DecodedCRL* dcrl)
|
||||
{
|
||||
CYASSL_ENTER("FreeCRL_Entry");
|
||||
CYASSL_ENTER("FreeCRL_Entry");
|
||||
|
||||
XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE);
|
||||
XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE);
|
||||
XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
|
||||
XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
|
||||
XMEMCPY(crle->issuerHash, dcrl->issuerHash, SHA_DIGEST_SIZE);
|
||||
XMEMCPY(crle->crlHash, dcrl->crlHash, MD5_DIGEST_SIZE);
|
||||
XMEMCPY(crle->lastDate, dcrl->lastDate, MAX_DATE_SIZE);
|
||||
XMEMCPY(crle->nextDate, dcrl->nextDate, MAX_DATE_SIZE);
|
||||
crle->lastDateFormat = dcrl->lastDateFormat;
|
||||
crle->nextDateFormat = dcrl->nextDateFormat;
|
||||
|
||||
crle->certs = dcrl->certs; /* take ownsership */
|
||||
dcrl->certs = NULL;
|
||||
crle->totalCerts = dcrl->totalCerts;
|
||||
crle->certs = dcrl->certs; /* take ownsership */
|
||||
dcrl->certs = NULL;
|
||||
crle->totalCerts = dcrl->totalCerts;
|
||||
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Free all CRL Entry resources */
|
||||
static void FreeCRL_Entry(CRL_Entry* crle)
|
||||
{
|
||||
RevokedCert* tmp = crle->certs;
|
||||
RevokedCert* tmp = crle->certs;
|
||||
|
||||
CYASSL_ENTER("FreeCRL_Entry");
|
||||
CYASSL_ENTER("FreeCRL_Entry");
|
||||
|
||||
while(tmp) {
|
||||
RevokedCert* next = tmp->next;
|
||||
@ -91,9 +91,9 @@ static void FreeCRL_Entry(CRL_Entry* crle)
|
||||
/* Free all CRL resources */
|
||||
void FreeCRL(CYASSL_CRL* crl)
|
||||
{
|
||||
CRL_Entry* tmp = crl->crlList;
|
||||
CRL_Entry* tmp = crl->crlList;
|
||||
|
||||
CYASSL_ENTER("FreeCRL");
|
||||
CYASSL_ENTER("FreeCRL");
|
||||
|
||||
if (crl->monitors[0].path)
|
||||
XFREE(crl->monitors[0].path, NULL, DYNAMIC_TYPE_CRL_MONITOR);
|
||||
@ -135,9 +135,9 @@ int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert)
|
||||
|
||||
crle = crl->crlList;
|
||||
|
||||
while (crle) {
|
||||
if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) {
|
||||
CYASSL_MSG("Found CRL Entry on list");
|
||||
while (crle) {
|
||||
if (XMEMCMP(crle->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0) {
|
||||
CYASSL_MSG("Found CRL Entry on list");
|
||||
CYASSL_MSG("Checking next date validity");
|
||||
|
||||
if (!ValidateDate(crle->nextDate, crle->nextDateFormat, AFTER)) {
|
||||
@ -147,133 +147,133 @@ int CheckCertCRL(CYASSL_CRL* crl, DecodedCert* cert)
|
||||
else
|
||||
foundEntry = 1;
|
||||
break;
|
||||
}
|
||||
}
|
||||
crle = crle->next;
|
||||
}
|
||||
}
|
||||
|
||||
if (foundEntry) {
|
||||
RevokedCert* rc = crle->certs;
|
||||
if (foundEntry) {
|
||||
RevokedCert* rc = crle->certs;
|
||||
|
||||
while (rc) {
|
||||
if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
|
||||
CYASSL_MSG("Cert revoked");
|
||||
revoked = 1;
|
||||
ret = CRL_CERT_REVOKED;
|
||||
break;
|
||||
}
|
||||
rc = rc->next;
|
||||
}
|
||||
}
|
||||
|
||||
UnLockMutex(&crl->crlLock);
|
||||
|
||||
if (foundEntry == 0) {
|
||||
CYASSL_MSG("Couldn't find CRL for status check");
|
||||
ret = CRL_MISSING;
|
||||
if (crl->cm->cbMissingCRL) {
|
||||
char url[256];
|
||||
|
||||
CYASSL_MSG("Issuing missing CRL callback");
|
||||
url[0] = '\0';
|
||||
if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) {
|
||||
XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
|
||||
url[cert->extCrlInfoSz] = '\0';
|
||||
}
|
||||
else {
|
||||
CYASSL_MSG("CRL url too long");
|
||||
while (rc) {
|
||||
if (XMEMCMP(rc->serialNumber, cert->serial, rc->serialSz) == 0) {
|
||||
CYASSL_MSG("Cert revoked");
|
||||
revoked = 1;
|
||||
ret = CRL_CERT_REVOKED;
|
||||
break;
|
||||
}
|
||||
crl->cm->cbMissingCRL(url);
|
||||
}
|
||||
}
|
||||
rc = rc->next;
|
||||
}
|
||||
}
|
||||
|
||||
UnLockMutex(&crl->crlLock);
|
||||
|
||||
if (foundEntry == 0) {
|
||||
CYASSL_MSG("Couldn't find CRL for status check");
|
||||
ret = CRL_MISSING;
|
||||
if (crl->cm->cbMissingCRL) {
|
||||
char url[256];
|
||||
|
||||
CYASSL_MSG("Issuing missing CRL callback");
|
||||
url[0] = '\0';
|
||||
if (cert->extCrlInfoSz < (int)sizeof(url) -1 ) {
|
||||
XMEMCPY(url, cert->extCrlInfo, cert->extCrlInfoSz);
|
||||
url[cert->extCrlInfoSz] = '\0';
|
||||
}
|
||||
else {
|
||||
CYASSL_MSG("CRL url too long");
|
||||
}
|
||||
crl->cm->cbMissingCRL(url);
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
return ret;
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
/* Add Decoded CRL, 0 on success */
|
||||
static int AddCRL(CYASSL_CRL* crl, DecodedCRL* dcrl)
|
||||
{
|
||||
CRL_Entry* crle;
|
||||
CRL_Entry* crle;
|
||||
|
||||
CYASSL_ENTER("AddCRL");
|
||||
CYASSL_ENTER("AddCRL");
|
||||
|
||||
crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
||||
if (crle == NULL) {
|
||||
CYASSL_MSG("alloc CRL Entry failed");
|
||||
return -1;
|
||||
}
|
||||
crle = (CRL_Entry*)XMALLOC(sizeof(CRL_Entry), NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
||||
if (crle == NULL) {
|
||||
CYASSL_MSG("alloc CRL Entry failed");
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (InitCRL_Entry(crle, dcrl) < 0) {
|
||||
CYASSL_MSG("Init CRL Entry failed");
|
||||
if (InitCRL_Entry(crle, dcrl) < 0) {
|
||||
CYASSL_MSG("Init CRL Entry failed");
|
||||
XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
||||
return -1;
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (LockMutex(&crl->crlLock) != 0) {
|
||||
CYASSL_MSG("LockMutex failed");
|
||||
FreeCRL_Entry(crle);
|
||||
if (LockMutex(&crl->crlLock) != 0) {
|
||||
CYASSL_MSG("LockMutex failed");
|
||||
FreeCRL_Entry(crle);
|
||||
XFREE(crle, NULL, DYNAMIC_TYPE_CRL_ENTRY);
|
||||
return BAD_MUTEX_ERROR;
|
||||
}
|
||||
crle->next = crl->crlList;
|
||||
crl->crlList = crle;
|
||||
UnLockMutex(&crl->crlLock);
|
||||
return BAD_MUTEX_ERROR;
|
||||
}
|
||||
crle->next = crl->crlList;
|
||||
crl->crlList = crle;
|
||||
UnLockMutex(&crl->crlLock);
|
||||
|
||||
return 0;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
/* Load CRL File of type, SSL_SUCCESS on ok */
|
||||
int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type)
|
||||
{
|
||||
int ret = SSL_SUCCESS;
|
||||
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
||||
buffer der;
|
||||
DecodedCRL dcrl;
|
||||
int ret = SSL_SUCCESS;
|
||||
const byte* myBuffer = buff; /* if DER ok, otherwise switch */
|
||||
buffer der;
|
||||
DecodedCRL dcrl;
|
||||
|
||||
der.buffer = NULL;
|
||||
der.buffer = NULL;
|
||||
|
||||
CYASSL_ENTER("BufferLoadCRL");
|
||||
CYASSL_ENTER("BufferLoadCRL");
|
||||
|
||||
if (crl == NULL || buff == NULL || sz == 0)
|
||||
return BAD_FUNC_ARG;
|
||||
if (crl == NULL || buff == NULL || sz == 0)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
if (type == SSL_FILETYPE_PEM) {
|
||||
int eccKey = 0; /* not used */
|
||||
EncryptedInfo info;
|
||||
info.ctx = NULL;
|
||||
if (type == SSL_FILETYPE_PEM) {
|
||||
int eccKey = 0; /* not used */
|
||||
EncryptedInfo info;
|
||||
info.ctx = NULL;
|
||||
|
||||
ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
||||
if (ret == 0) {
|
||||
myBuffer = der.buffer;
|
||||
sz = der.length;
|
||||
}
|
||||
else {
|
||||
CYASSL_MSG("Pem to Der failed");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
InitDecodedCRL(&dcrl);
|
||||
ret = ParseCRL(&dcrl, myBuffer, sz);
|
||||
if (ret != 0) {
|
||||
CYASSL_MSG("ParseCRL error");
|
||||
}
|
||||
else {
|
||||
ret = AddCRL(crl, &dcrl);
|
||||
if (ret != 0) {
|
||||
CYASSL_MSG("AddCRL error");
|
||||
ret = PemToDer(buff, sz, CRL_TYPE, &der, NULL, &info, &eccKey);
|
||||
if (ret == 0) {
|
||||
myBuffer = der.buffer;
|
||||
sz = der.length;
|
||||
}
|
||||
}
|
||||
FreeDecodedCRL(&dcrl);
|
||||
else {
|
||||
CYASSL_MSG("Pem to Der failed");
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
|
||||
if (der.buffer)
|
||||
XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
||||
InitDecodedCRL(&dcrl);
|
||||
ret = ParseCRL(&dcrl, myBuffer, sz, crl->cm);
|
||||
if (ret != 0) {
|
||||
CYASSL_MSG("ParseCRL error");
|
||||
}
|
||||
else {
|
||||
ret = AddCRL(crl, &dcrl);
|
||||
if (ret != 0) {
|
||||
CYASSL_MSG("AddCRL error");
|
||||
}
|
||||
}
|
||||
FreeDecodedCRL(&dcrl);
|
||||
|
||||
if (ret == 0)
|
||||
return SSL_SUCCESS; /* convert */
|
||||
return ret;
|
||||
if (der.buffer)
|
||||
XFREE(der.buffer, NULL, DYNAMIC_TYPE_CRL);
|
||||
|
||||
if (ret == 0)
|
||||
return SSL_SUCCESS; /* convert */
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
@ -463,7 +463,7 @@ static void* DoMonitor(void* arg)
|
||||
|
||||
|
||||
/* Start Monitoring the CRL path(s) in a thread */
|
||||
int StartMonitorCRL(CYASSL_CRL* crl)
|
||||
static int StartMonitorCRL(CYASSL_CRL* crl)
|
||||
{
|
||||
pthread_attr_t attr;
|
||||
|
||||
@ -490,7 +490,7 @@ int StartMonitorCRL(CYASSL_CRL* crl)
|
||||
|
||||
#else /* HAVE_CRL_MONITOR */
|
||||
|
||||
int StartMonitorCRL(CYASSL_CRL* crl)
|
||||
static int StartMonitorCRL(CYASSL_CRL* crl)
|
||||
{
|
||||
return NOT_COMPILED_IN;
|
||||
}
|
||||
@ -501,49 +501,49 @@ int StartMonitorCRL(CYASSL_CRL* crl)
|
||||
/* Load CRL path files of type, SSL_SUCCESS on ok */
|
||||
int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
|
||||
{
|
||||
struct dirent* entry;
|
||||
DIR* dir;
|
||||
int ret = SSL_SUCCESS;
|
||||
struct dirent* entry;
|
||||
DIR* dir;
|
||||
int ret = SSL_SUCCESS;
|
||||
|
||||
CYASSL_ENTER("LoadCRL");
|
||||
if (crl == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
CYASSL_ENTER("LoadCRL");
|
||||
if (crl == NULL)
|
||||
return BAD_FUNC_ARG;
|
||||
|
||||
dir = opendir(path);
|
||||
if (dir == NULL) {
|
||||
CYASSL_MSG("opendir path crl load failed");
|
||||
return BAD_PATH_ERROR;
|
||||
}
|
||||
while ( (entry = readdir(dir)) != NULL) {
|
||||
if (entry->d_type & DT_REG) {
|
||||
char name[MAX_FILENAME_SZ];
|
||||
dir = opendir(path);
|
||||
if (dir == NULL) {
|
||||
CYASSL_MSG("opendir path crl load failed");
|
||||
return BAD_PATH_ERROR;
|
||||
}
|
||||
while ( (entry = readdir(dir)) != NULL) {
|
||||
if (entry->d_type & DT_REG) {
|
||||
char name[MAX_FILENAME_SZ];
|
||||
|
||||
if (type == SSL_FILETYPE_PEM) {
|
||||
if (strstr(entry->d_name, ".pem") == NULL) {
|
||||
CYASSL_MSG("not .pem file, skipping");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (strstr(entry->d_name, ".der") == NULL &&
|
||||
strstr(entry->d_name, ".crl") == NULL) {
|
||||
if (type == SSL_FILETYPE_PEM) {
|
||||
if (strstr(entry->d_name, ".pem") == NULL) {
|
||||
CYASSL_MSG("not .pem file, skipping");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
else {
|
||||
if (strstr(entry->d_name, ".der") == NULL &&
|
||||
strstr(entry->d_name, ".crl") == NULL) {
|
||||
|
||||
CYASSL_MSG("not .der or .crl file, skipping");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
CYASSL_MSG("not .der or .crl file, skipping");
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
XMEMSET(name, 0, sizeof(name));
|
||||
XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
|
||||
XSTRNCAT(name, "/", 1);
|
||||
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
|
||||
XMEMSET(name, 0, sizeof(name));
|
||||
XSTRNCPY(name, path, MAX_FILENAME_SZ/2 - 2);
|
||||
XSTRNCAT(name, "/", 1);
|
||||
XSTRNCAT(name, entry->d_name, MAX_FILENAME_SZ/2);
|
||||
|
||||
if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
|
||||
if (ProcessFile(NULL, name, type, CRL_TYPE, NULL, 0, crl)
|
||||
!= SSL_SUCCESS) {
|
||||
CYASSL_MSG("CRL file load failed, continuing");
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (monitor & CYASSL_CRL_MONITOR) {
|
||||
CYASSL_MSG("monitor path requested");
|
||||
@ -567,7 +567,7 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor)
|
||||
}
|
||||
}
|
||||
|
||||
return ret;
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif /* HAVE_CRL */
|
||||
|
||||
311
src/internal.c
311
src/internal.c
@ -5457,10 +5457,309 @@ int SetCipherList(Suites* s, const char* list)
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Does this cipher suite (first, second) have the requirement
|
||||
an ephemeral key exchange will still require the key for signing
|
||||
the key exchange so ECHDE_RSA requires an rsa key thus rsa_kea */
|
||||
static int CipherRequires(byte first, byte second, int requirement)
|
||||
{
|
||||
/* ECC extensions */
|
||||
if (first == ECC_BYTE) {
|
||||
|
||||
switch (second) {
|
||||
|
||||
case TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_RSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_RSA_WITH_RC4_128_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_RSA_WITH_RC4_128_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA :
|
||||
if (requirement == ecc_dsa_sa_algo)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_ECDSA_WITH_RC4_128_SHA :
|
||||
if (requirement == ecc_dsa_sa_algo)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_ECDSA_WITH_RC4_128_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_RSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == ecc_dsa_sa_algo)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == ecc_dsa_sa_algo)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == ecc_static_diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
CYASSL_MSG("Unsupported cipher suite, CipherRequires ECC");
|
||||
return 0;
|
||||
} /* switch */
|
||||
} /* if */
|
||||
if (first != ECC_BYTE) { /* normal suites */
|
||||
switch (second) {
|
||||
|
||||
case SSL_RSA_WITH_RC4_128_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_NTRU_RSA_WITH_RC4_128_SHA :
|
||||
if (requirement == ntru_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case SSL_RSA_WITH_RC4_128_MD5 :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case SSL_RSA_WITH_3DES_EDE_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_NTRU_RSA_WITH_3DES_EDE_CBC_SHA :
|
||||
if (requirement == ntru_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_AES_128_CBC_SHA256 :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_NTRU_RSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == ntru_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_AES_256_CBC_SHA256 :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == ntru_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_PSK_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == psk_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_PSK_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == psk_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
if (requirement == diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
if (requirement == diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_DHE_RSA_WITH_AES_128_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
if (requirement == diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_DHE_RSA_WITH_AES_256_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
if (requirement == diffie_hellman_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_HC_128_CBC_MD5 :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_HC_128_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
case TLS_RSA_WITH_RABBIT_CBC_SHA :
|
||||
if (requirement == rsa_kea)
|
||||
return 1;
|
||||
break;
|
||||
|
||||
default:
|
||||
CYASSL_MSG("Unsupported cipher suite, CipherRequires");
|
||||
return 0;
|
||||
} /* switch */
|
||||
} /* if ECC / Normal suites else */
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
/* Make sure cert/key are valid for this suite, true on success */
|
||||
static int VerifySuite(CYASSL* ssl, word16 idx)
|
||||
{
|
||||
int haveRSA = !ssl->options.haveECDSA;
|
||||
int havePSK = 0;
|
||||
byte first = ssl->suites.suites[idx];
|
||||
byte second = ssl->suites.suites[idx+1];
|
||||
|
||||
CYASSL_ENTER("VerifySuite");
|
||||
|
||||
#ifndef NO_PSK
|
||||
havePSK = ssl->options.havePSK;
|
||||
#endif
|
||||
|
||||
if (ssl->options.haveNTRU)
|
||||
haveRSA = 0;
|
||||
|
||||
if (CipherRequires(first, second, rsa_kea)) {
|
||||
CYASSL_MSG("Requires RSA");
|
||||
if (haveRSA == 0) {
|
||||
CYASSL_MSG("Don't have RSA");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (CipherRequires(first, second, diffie_hellman_kea)) {
|
||||
CYASSL_MSG("Requires DHE");
|
||||
if (ssl->options.haveDH == 0) {
|
||||
CYASSL_MSG("Don't have DHE");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (CipherRequires(first, second, ecc_dsa_sa_algo)) {
|
||||
CYASSL_MSG("Requires ECCDSA");
|
||||
if (ssl->options.haveECDSA == 0) {
|
||||
CYASSL_MSG("Don't have ECCDSA");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (CipherRequires(first, second, ecc_static_diffie_hellman_kea)) {
|
||||
CYASSL_MSG("Requires static ECC");
|
||||
if (ssl->options.haveStaticECC == 0) {
|
||||
CYASSL_MSG("Don't have static ECC");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (CipherRequires(first, second, psk_kea)) {
|
||||
CYASSL_MSG("Requires PSK");
|
||||
if (havePSK == 0) {
|
||||
CYASSL_MSG("Don't have PSK");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
if (CipherRequires(first, second, ntru_kea)) {
|
||||
CYASSL_MSG("Requires NTRU");
|
||||
if (ssl->options.haveNTRU == 0) {
|
||||
CYASSL_MSG("Don't have NTRU");
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
/* ECCDHE is always supported if ECC on */
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
|
||||
static int MatchSuite(CYASSL* ssl, Suites* peerSuites)
|
||||
{
|
||||
word16 i, j;
|
||||
|
||||
CYASSL_ENTER("MatchSuite");
|
||||
|
||||
/* & 0x1 equivalent % 2 */
|
||||
if (peerSuites->suiteSz == 0 || peerSuites->suiteSz & 0x1)
|
||||
return MATCH_SUITE_ERROR;
|
||||
@ -5471,9 +5770,15 @@ int SetCipherList(Suites* s, const char* list)
|
||||
if (ssl->suites.suites[i] == peerSuites->suites[j] &&
|
||||
ssl->suites.suites[i+1] == peerSuites->suites[j+1] ) {
|
||||
|
||||
ssl->options.cipherSuite0 = ssl->suites.suites[i];
|
||||
ssl->options.cipherSuite = ssl->suites.suites[i+1];
|
||||
return SetCipherSpecs(ssl);
|
||||
if (VerifySuite(ssl, i)) {
|
||||
CYASSL_MSG("Verified suite validity");
|
||||
ssl->options.cipherSuite0 = ssl->suites.suites[i];
|
||||
ssl->options.cipherSuite = ssl->suites.suites[i+1];
|
||||
return SetCipherSpecs(ssl);
|
||||
}
|
||||
else {
|
||||
CYASSL_MSG("Coult not verify suite validity, continue");
|
||||
}
|
||||
}
|
||||
|
||||
return MATCH_SUITE_ERROR;
|
||||
|
||||
@ -104,7 +104,7 @@ static int decode_url(const char* url, int urlSz,
|
||||
}
|
||||
else
|
||||
{
|
||||
int i, cur, hostname;
|
||||
int i, cur;
|
||||
|
||||
/* need to break the url down into scheme, address, and port */
|
||||
/* "http://example.com:8080/" */
|
||||
@ -185,8 +185,9 @@ static INLINE void tcp_socket(SOCKET_T* sockfd, SOCKADDR_IN_T* addr,
|
||||
entry->h_length);
|
||||
host = inet_ntoa(tmp.sin_addr);
|
||||
}
|
||||
else
|
||||
else {
|
||||
CYASSL_MSG("no entry for host");
|
||||
}
|
||||
}
|
||||
|
||||
*sockfd = socket(AF_INET_V, SOCK_STREAM, 0);
|
||||
@ -206,8 +207,9 @@ static INLINE void tcp_connect(SOCKET_T* sockfd, const char* ip, word16 port)
|
||||
SOCKADDR_IN_T addr;
|
||||
tcp_socket(sockfd, &addr, ip, port);
|
||||
|
||||
if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0)
|
||||
if (connect(*sockfd, (const struct sockaddr*)&addr, sizeof(addr)) != 0) {
|
||||
CYASSL_MSG("tcp connect failed");
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
@ -230,7 +232,6 @@ static byte* decode_http_response(byte* httpBuf, int httpBufSz, int* ocspRespSz)
|
||||
int stop = 0;
|
||||
byte* contentType = NULL;
|
||||
byte* contentLength = NULL;
|
||||
byte* content = NULL;
|
||||
char* buf = (char*)httpBuf; /* kludge so I'm not constantly casting */
|
||||
|
||||
if (strncasecmp(buf, "HTTP/1", 6) != 0)
|
||||
|
||||
@ -7706,8 +7706,8 @@ long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options)
|
||||
}
|
||||
return 0;
|
||||
#else
|
||||
(void*)ctx;
|
||||
(void*)options;
|
||||
(void)ctx;
|
||||
(void)options;
|
||||
return NOT_COMPILED_IN;
|
||||
#endif
|
||||
}
|
||||
@ -7719,8 +7719,8 @@ int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url)
|
||||
#ifdef HAVE_OCSP
|
||||
return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url);
|
||||
#else
|
||||
(void*)ctx;
|
||||
(void*)url;
|
||||
(void)ctx;
|
||||
(void)url;
|
||||
return NOT_COMPILED_IN;
|
||||
#endif
|
||||
}
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user