From 26153ffad6422b0b168bf87c4609df8e9dcfab75 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 18 May 2012 10:52:32 -0700 Subject: [PATCH 1/7] add crl monitor flag, handle no revoked case --- ctaocrypt/src/asn.c | 3 +-- cyassl/crl.h | 2 +- cyassl/ctaocrypt/asn.h | 1 + cyassl/ssl.h | 7 ++++--- examples/client/client.c | 2 +- src/crl.c | 6 +++++- src/ssl.c | 16 ++++++++++------ 7 files changed, 23 insertions(+), 14 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 160974175..db1e0e1ec 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -4660,8 +4660,7 @@ int ParseCRL(DecodedCRL* dcrl, const byte* buff, long sz) if (GetBasicDate(buff, &idx, dcrl->nextDate, sz) < 0) return ASN_PARSE_E; - - if (idx != dcrl->sigIndex) { + if (idx != dcrl->sigIndex && buff[idx] != CRL_EXTENSIONS) { if (GetSequence(buff, &idx, &len, sz) < 0) return ASN_PARSE_E; diff --git a/cyassl/crl.h b/cyassl/crl.h index 918927cc2..5e2fa62b2 100644 --- a/cyassl/crl.h +++ b/cyassl/crl.h @@ -35,7 +35,7 @@ typedef struct CYASSL_CRL CYASSL_CRL; CYASSL_LOCAL int InitCRL(CYASSL_CRL*, CYASSL_CERT_MANAGER*); CYASSL_LOCAL void FreeCRL(CYASSL_CRL*); -CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type); +CYASSL_LOCAL int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int mon); CYASSL_LOCAL int BufferLoadCRL(CYASSL_CRL*, const byte*, long, int); CYASSL_LOCAL int CheckCertCRL(CYASSL_CRL*, DecodedCert*); diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 5f215b8fc..eaf06a794 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -62,6 +62,7 @@ enum ASN_Tags { ASN_SET = 0x11, ASN_UTC_TIME = 0x17, ASN_GENERALIZED_TIME = 0x18, + CRL_EXTENSIONS = 0xa0, ASN_EXTENSIONS = 0xa3, ASN_LONG_LENGTH = 0x80 }; diff --git a/cyassl/ssl.h b/cyassl/ssl.h index c30a9ac52..f87da7307 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h 
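Review bot: `buff[idx]` is read in the new condition without a check that `idx` is still below `sz`; `idx != dcrl->sigIndex` only rules out the signature position, so if GetBasicDate can leave `idx` equal to `sz` on a truncated CRL the comparison reads one byte past the input. Guard it first, `if (idx >= sz) return ASN_PARSE_E;`, so the bound is explicit rather than relied on from the preceding date parse. A comment naming the case would also help the next reader, e.g. `/* revokedCertificates is OPTIONAL; a CRL with none goes straight to the [0] crlExtensions */`. ParseCRL continues outside the hunk, so what happens once the extensions tag is seen is not visible here.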
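Review bot: The new `mon` parameter is the only LoadCRL parameter whose name differs from the definition in src/crl.c (`monitor`), and nothing in the header says what it selects. Keep the two names aligned and add a one-line comment on the prototype, e.g. `/* monitor: non-zero requests watching path for CRL updates */` — that reading comes from the name and the commit subject, so the definition should confirm it.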
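Review bot: `CRL_EXTENSIONS` is the one member of `ASN_Tags` visible in this hunk without the `ASN_` prefix, and 0xa0 is a context-specific constructed tag [0] rather than a universal tag like its neighbours, so the bare name does not say which structure it belongs to. Consider `ASN_CRL_EXTENSIONS` for consistency with `ASN_EXTENSIONS` on the next line, or at least a trailing comment `/* [0] EXPLICIT crlExtensions in TBSCertList */` at the definition.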
@@ -791,17 +791,18 @@ CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format); CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*); -CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*,int); +CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*, int, + int); CYASSL_API int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER*, CbMissingCRL); CYASSL_API int CyaSSL_EnableCRL(CYASSL* ssl, int options); CYASSL_API int CyaSSL_DisableCRL(CYASSL* ssl); -CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int); +CYASSL_API int CyaSSL_LoadCRL(CYASSL*, const char*, int, int); CYASSL_API int CyaSSL_SetCRL_Cb(CYASSL*, CbMissingCRL); CYASSL_API int CyaSSL_CTX_EnableCRL(CYASSL_CTX* ctx, int options); CYASSL_API int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx); -CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int); +CYASSL_API int CyaSSL_CTX_LoadCRL(CYASSL_CTX*, const char*, int, int); CYASSL_API int CyaSSL_CTX_SetCRL_Cb(CYASSL_CTX*, CbMissingCRL); diff --git a/examples/client/client.c b/examples/client/client.c index d09ec8cd3..7e5abcdb9 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -209,7 +209,7 @@ void client_test(void* args) CyaSSL_set_fd(ssl, sockfd); #ifdef HAVE_CRL CyaSSL_EnableCRL(ssl, 0); - CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM); + CyaSSL_LoadCRL(ssl, crlPemDir, SSL_FILETYPE_PEM, 0); CyaSSL_SetCRL_Cb(ssl, CRL_CallBack); #endif if (argc != 3) diff --git a/src/crl.c b/src/crl.c index b3211d274..561d573bf 100644 --- a/src/crl.c +++ b/src/crl.c @@ -250,7 +250,7 @@ int BufferLoadCRL(CYASSL_CRL* crl, const byte* buff, long sz, int type) /* Load CRL path files of type, SSL_SUCCESS on ok */ -int LoadCRL(CYASSL_CRL* crl, const char* path, int type) +int LoadCRL(CYASSL_CRL* crl, const char* path, int type, int monitor) { struct dirent* entry; DIR* dir; 
@@ -293,6 +293,10 @@ int LoadCRL(CYASSL_CRL* crl, const char* path, int type) } } + if (monitor) { + CYASSL_MSG("monitor path requested"); + } + return SSL_SUCCESS; } diff --git a/src/ssl.c b/src/ssl.c index b478e2d7a..bb7608763 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1332,6 +1332,10 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname, if (ret == 0) ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm); +#ifdef HAVE_CRL + if (ret == 0 && cm->crlEnabled) + ret = CheckCertCRL(cm->crl, &cert); +#endif } FreeDecodedCert(&cert); @@ -1441,7 +1445,7 @@ int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path, - int type) + int type, int monitor) { CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); if (cm == NULL) @@ -1454,7 +1458,7 @@ int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER* cm, const char* path, } } - return LoadCRL(cm->crl, path, type); + return LoadCRL(cm->crl, path, type, monitor); } @@ -1478,11 +1482,11 @@ int CyaSSL_DisableCRL(CYASSL* ssl) } -int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type) +int CyaSSL_LoadCRL(CYASSL* ssl, const char* path, int type, int monitor) { CYASSL_ENTER("CyaSSL_LoadCRL"); if (ssl) - return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type); + return CyaSSL_CertManagerLoadCRL(ssl->ctx->cm, path, type, monitor); else return BAD_FUNC_ARG; } @@ -1518,11 +1522,11 @@ int CyaSSL_CTX_DisableCRL(CYASSL_CTX* ctx) } -int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type) +int CyaSSL_CTX_LoadCRL(CYASSL_CTX* ctx, const char* path, int type, int monitor) { CYASSL_ENTER("CyaSSL_CTX_LoadCRL"); if (ctx) - return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type); + return CyaSSL_CertManagerLoadCRL(ctx->cm, path, type, monitor); else return BAD_FUNC_ARG; } From fd701223782885041224add5b88adaf649fdd438 Mon Sep 17 00:00:00 2001 
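Review bot: `monitor` has no effect beyond the `CYASSL_MSG("monitor path requested")` log, yet the function still returns `SSL_SUCCESS`, so a caller that presumably asked for the CRL directory to be watched for updates gets a success code while nothing watches it — for a revocation mechanism that is a silent no-op the caller cannot detect. Until monitoring is implemented, return a distinct code from that branch, e.g. `if (monitor) { CYASSL_MSG("monitor path requested"); return NOT_COMPILED_IN; }`, or state the limitation in the function comment, `/* monitor: not yet implemented, flag accepted for API compatibility */`. LoadCRL's body starts outside the hunk.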
From: toddouska Date: Fri, 18 May 2012 11:03:44 -0700 Subject: [PATCH 2/7] add external der CRL checker --- cyassl/ssl.h | 2 ++ src/ssl.c | 38 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 40 insertions(+) diff --git a/cyassl/ssl.h b/cyassl/ssl.h index f87da7307..f73b988c9 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -789,6 +789,8 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, const char* d); CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format); +CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*, + int sz); CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); CYASSL_API int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER*); CYASSL_API int CyaSSL_CertManagerLoadCRL(CYASSL_CERT_MANAGER*, const char*, int, diff --git a/src/ssl.c b/src/ssl.c index bb7608763..96225df95 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1383,6 +1383,7 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file, } + /* turn on CRL if off and compiled in, set options */ int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options) { 
@@ -1432,6 +1433,43 @@ int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm) #ifdef HAVE_CRL +/* check CRL if enabled, SSL_SUCCESS */ +int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER* cm, byte* der, int sz) +{ + int ret; + DecodedCert cert; + + CYASSL_ENTER("CyaSSL_CertManagerCheckCRL"); + + if (cm == NULL) + return BAD_FUNC_ARG; + + if (cm->crlEnabled == 0) + return SSL_SUCCESS; + + InitDecodedCert(&cert, der, sz, NULL); + + ret = ParseCertRelative(&cert, CERT_TYPE, NO_VERIFY, cm); + if (ret != 0) { + CYASSL_MSG("ParseCert failed"); + return ret; + } + else { + ret = CheckCertCRL(cm->crl, &cert); + if (ret != 0) { + CYASSL_MSG("CheckCertCRL failed"); + } + } + + FreeDecodedCert(&cert); + + if (ret == 0) + return SSL_SUCCESS; /* convert */ + + return ret; +} + + int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb) { CYASSL_ENTER("CyaSSL_CertManagerLoadCRL"); From 2806c995a848bf8cb1af44bb318407944507af19 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 18 May 2012 11:06:32 -0700 Subject: [PATCH 3/7] pre release 2.2.0 --- README | 13 ++++++++++++- configure.ac | 4 ++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/README b/README index 6ad169e03..2767c3a5f 100644 --- a/README +++ b/README @@ -34,7 +34,18 @@ before calling SSL_new(); Though it's not recommended. *** end Note *** -CyaSSL Release 2.0.8 (2/24/2012) +CyaSSL Release 2.2.0 (5/18/2012) + +Release 2.2.0 CyaSSL has bug fixes and a few new features including: +- + +The CyaSSL manual is available at: +http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions +and comments about the new features please check the manual. + + + +***************CyaSSL Release 2.0.8 (2/24/2012) Release 2.0.8 CyaSSL has bug fixes and a few new features including: - A fix for malicious certificates pointed out by Remi Gacogne (thanks) diff --git a/configure.ac b/configure.ac index 63a47696e..6bb2c4da6 100644 --- a/configure.ac +++ b/configure.ac 
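Review bot: The `return ret;` in the ParseCert failure branch skips `FreeDecodedCert(&cert);`, which the sibling code in CyaSSL_CertManagerVerify calls after ParseCertRelative regardless of the result; drop that `return ret;` so the failure falls through to the free and the final `return ret;`. The function takes DER from an external caller but only validates `cm`; `if (cm == NULL || der == NULL || sz <= 0) return BAD_FUNC_ARG;` keeps a NULL or negative-length buffer out of InitDecodedCert. This function itself never writes through `der`, so it could be `const byte*` here and `const unsigned char*` in the cyassl/ssl.h declaration, provided InitDecodedCert accepts a const pointer. Finally, `cm->crlEnabled == 0` returns `SSL_SUCCESS` without looking at the certificate, so a caller cannot distinguish "not revoked" from "not checked"; the header comment should say so, e.g. `/* check CRL if enabled, SSL_SUCCESS on ok or when CRL checking is disabled */`.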
@@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.1.7],[http://www.yassl.com]) +AC_INIT([cyassl],[2.2.0],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) @@ -25,7 +25,7 @@ AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -CYASSL_LIBRARY_VERSION=3:0:0 +CYASSL_LIBRARY_VERSION=3:1:0 # | | | # +------+ | +---+ # | | | From 6f90cdd4654dc8133b3ba0155b39a971a64ffcc9 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 18 May 2012 12:43:56 -0600 Subject: [PATCH 4/7] update README for 2.2.0 release --- README | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README b/README index 2767c3a5f..43f8896c1 100644 --- a/README +++ b/README @@ -37,7 +37,15 @@ before calling SSL_new(); Though it's not recommended. CyaSSL Release 2.2.0 (5/18/2012) Release 2.2.0 CyaSSL has bug fixes and a few new features including: -- +- Initial CRL support (--enable-crl) +- Initial OCSP support (--enable-ocsp) +- Add static ECDH suites +- SHA-384 support +- Add example ECC client certificate +- Add medium session cache size (1055 sessions) +- Updated unit tests +- Protection against mutex reinitialization + The CyaSSL manual is available at: http://www.yassl.com/documentation/CyaSSL-Manual.pdf. For build instructions From 7e322558ef4fefa7637109442dc0608909647443 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 18 May 2012 11:48:38 -0700 Subject: [PATCH 5/7] windows build fixes --- ctaocrypt/test/test.c | 7 +++++-- cyassl/openssl/ssl.h | 7 +++++++ cyassl/ssl.h | 6 ------ src/ssl.c | 24 +++++++++++++----------- 4 files changed, 25 insertions(+), 19 deletions(-) diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index bed8088ff..065de670e 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c 
@@ -1685,6 +1685,9 @@ int openssl_test() testVector a, b, c, d, e, f; byte hash[SHA_DIGEST_SIZE*4]; /* max size */ + (void)e; + (void)f; + a.input = "1234567890123456789012345678901234567890123456789012345678" "9012345678901234567890"; a.output = "\x57\xed\xf4\xa2\x2b\xe3\xc9\x55\xac\x49\xda\x2e\x21\x07\xb6" @@ -1758,7 +1761,7 @@ int openssl_test() #endif /* CYASSL_SHA384 */ -#ifdef CYASSL_SHA384 +#ifdef CYASSL_SHA512 f.input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhi" "jklmnoijklmnopjklmnopqklmnopqrlmnopqrsmnopqrstnopqrstu"; @@ -1779,7 +1782,7 @@ int openssl_test() if (memcmp(hash, f.output, SHA512_DIGEST_SIZE) != 0) return -80; -#endif /* CYASSL_SHA384 */ +#endif /* CYASSL_SHA512 */ if (RAND_bytes(hash, sizeof(hash)) != 1) diff --git a/cyassl/openssl/ssl.h b/cyassl/openssl/ssl.h index 22dac6700..2440b0d58 100644 --- a/cyassl/openssl/ssl.h +++ b/cyassl/openssl/ssl.h @@ -34,6 +34,13 @@ extern "C" { #endif +#ifdef _WIN32 + /* wincrypt.h clashes */ + #undef X509_NAME + #undef OCSP_REQUEST + #undef OCSP_RESPONSE +#endif + typedef CYASSL SSL; typedef CYASSL_SESSION SSL_SESSION; diff --git a/cyassl/ssl.h b/cyassl/ssl.h index f73b988c9..88f4838ea 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -43,12 +43,6 @@ #define CYASSL_VERSION LIBCYASSL_VERSION_STRING #endif -#ifdef _WIN32 - /* wincrypt.h clashes */ - #undef X509_NAME - #undef OCSP_REQUEST - #undef OCSP_RESPONSE -#endif #ifdef __cplusplus diff --git a/src/ssl.c b/src/ssl.c index 96225df95..c0995a51c 100644 --- a/src/ssl.c +++ b/src/ssl.c 
@@ -1387,15 +1387,15 @@ int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER* cm, const char* file, /* turn on CRL if off and compiled in, set options */ int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options) { + int ret = SSL_SUCCESS; + (void)options; CYASSL_ENTER("CyaSSL_CertManagerEnableCRL"); if (cm == NULL) return BAD_FUNC_ARG; - #ifndef HAVE_CRL - return NOT_COMPILED_IN; - #else + #ifdef HAVE_CRL if (cm->crl == NULL) { cm->crl = (CYASSL_CRL*)XMALLOC(sizeof(CYASSL_CRL), cm->heap, DYNAMIC_TYPE_CRL); @@ -1412,9 +1412,11 @@ int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER* cm, int options) cm->crlEnabled = 1; if (options & CYASSL_CRL_CHECKALL) cm->crlCheckAll = 1; + #else + ret = NOT_COMPILED_IN; #endif - return SSL_SUCCESS; + return ret; } @@ -5989,7 +5991,7 @@ static int initGlobalRNG = 0; { CYASSL_MSG("CyaSSL_BN_clear_free"); - return CyaSSL_BN_free(bn); + CyaSSL_BN_free(bn); } @@ -6866,6 +6868,7 @@ static int initGlobalRNG = 0; (void)cb; (void)bn; + (void)bits; if (InitRng(&rng) < 0) { CYASSL_MSG("RNG init failed"); @@ -6877,10 +6880,6 @@ static int initGlobalRNG = 0; CYASSL_MSG("MakeRsaKey failed"); return -1; } -#else - CYASSL_MSG("No Key Gen built in"); - return -1; -#endif if (SetRsaExternal(rsa) < 0) { CYASSL_MSG("SetRsaExternal failed"); @@ -6890,6 +6889,11 @@ static int initGlobalRNG = 0; rsa->inSet = 1; return 1; /* success */ +#else + CYASSL_MSG("No Key Gen built in"); + return -1; +#endif + } @@ -7218,7 +7222,6 @@ static int initGlobalRNG = 0; default: CYASSL_MSG("Bad digest id value"); - return NULL; } return NULL; @@ -7409,7 +7412,6 @@ static int initGlobalRNG = 0; default: { CYASSL_MSG("bad type"); - return 0; } } return 0; From c3627df01875c4b8ae5a9b262cfd611462a9ee71 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 18 May 2012 11:50:08 -0700 Subject: [PATCH 6/7] README fix --- README | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README b/README index 43f8896c1..20fe9e40f 100644 --- a/README +++ b/README 
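Review bot: `(void)options;` is unconditional, but `options` is read under `#ifdef HAVE_CRL` (`if (options & CYASSL_CRL_CHECKALL)`), so the cast is only needed in the `#else` branch; placing it next to `ret = NOT_COMPILED_IN;` says why it exists instead of looking like the parameter is ignored in every build. The enclosing function spans the -1387 and -1412 hunks.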
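Review bot: After this change `CyaSSL_BN_clear_free` is nothing more than a call to `CyaSSL_BN_free`; in the OpenSSL API the `_clear_` variant promises the number is zeroized before release, which is why callers use it on private scalars and key material. Whether `CyaSSL_BN_free` wipes the value is not visible here; if it does not, wipe the limbs before calling it (with a clearing primitive the compiler cannot elide, not a plain `memset` before free), and in either case add `/* value is zeroized before release: <where it happens> */` so the contract is explicit. The enclosing function begins outside the hunk.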
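Review bot: `(void)bits;` says the requested modulus size is not consumed anywhere in this function, and the only key-generation call is the one behind `CYASSL_MSG("MakeRsaKey failed")`, outside the hunk; if MakeRsaKey is handed a fixed size instead of `bits`, a caller asking for a larger key silently receives a smaller one. Either pass `bits` through, or return -1 when `bits` differs from the size actually generated, and put a comment beside the cast stating which of the two the code does. The reordering in the -6877/-6890 hunks looks right, since the `#else` branch now covers the whole key-generation path including SetRsaExternal. The enclosing function starts outside the hunk.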
@@ -41,7 +41,7 @@ Release 2.2.0 CyaSSL has bug fixes and a few new features including: - Initial OCSP support (--enable-ocsp) - Add static ECDH suites - SHA-384 support -- Add example ECC client certificate +- ECC client certificate support - Add medium session cache size (1055 sessions) - Updated unit tests - Protection against mutex reinitialization From 88b46d58d7a9cb26a782f218300b70d615f58188 Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 18 May 2012 12:10:04 -0700 Subject: [PATCH 7/7] small warning fix --- src/ssl.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index c0995a51c..143c413da 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -6866,9 +6866,10 @@ static int initGlobalRNG = 0; CYASSL_MSG("CyaSSL_RSA_generate_key_ex"); + (void)rsa; + (void)bits; (void)cb; (void)bn; - (void)bits; if (InitRng(&rng) < 0) { CYASSL_MSG("RNG init failed");