From 909b9258d6187aba3265cddfc9e598ef18ed71e6 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 31 Jan 2014 16:59:13 -0800 Subject: [PATCH 01/49] Thread safe OCSP. --- cyassl/internal.h | 1 + src/ocsp.c | 214 +++++++++++++++++++++------------------------- 2 files changed, 98 insertions(+), 117 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index 085d2a393..2154087cd 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -999,6 +999,7 @@ struct OCSP_Entry { struct CYASSL_OCSP { CYASSL_CERT_MANAGER* cm; /* pointer back to cert manager */ OCSP_Entry* ocspList; /* OCSP response list */ + CyaSSL_Mutex ocspLock; /* OCSP list lock */ }; #ifndef MAX_DATE_SIZE diff --git a/src/ocsp.c b/src/ocsp.c index f24fc48b5..d03f66d88 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -37,6 +37,8 @@ int InitOCSP(CYASSL_OCSP* ocsp, CYASSL_CERT_MANAGER* cm) CYASSL_ENTER("InitOCSP"); XMEMSET(ocsp, 0, sizeof(*ocsp)); ocsp->cm = cm; + if (InitMutex(&ocsp->ocspLock) != 0) + return BAD_MUTEX_E; return 0; } @@ -46,11 +48,9 @@ static int InitOCSP_Entry(OCSP_Entry* ocspe, DecodedCert* cert) { CYASSL_ENTER("InitOCSP_Entry"); - ocspe->next = NULL; + XMEMSET(ocspe, 0, sizeof(*ocspe)); XMEMCPY(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE); XMEMCPY(ocspe->issuerKeyHash, cert->issuerKeyHash, SHA_DIGEST_SIZE); - ocspe->status = NULL; - ocspe->totalStatus = 0; return 0; } @@ -83,84 +83,12 @@ void FreeOCSP(CYASSL_OCSP* ocsp, int dynamic) tmp = next; } + FreeMutex(&ocsp->ocspLock); if (dynamic) XFREE(ocsp, NULL, DYNAMIC_TYPE_OCSP); } -static OCSP_Entry* find_ocsp_entry(CYASSL_OCSP* ocsp, DecodedCert* cert) -{ - OCSP_Entry* entry = ocsp->ocspList; - - while (entry) - { - if (XMEMCMP(entry->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0 - && XMEMCMP(entry->issuerKeyHash, cert->issuerKeyHash, - SHA_DIGEST_SIZE) == 0) - { - CYASSL_MSG("Found OCSP responder"); - break; - } - else - { - entry = entry->next; - } - } - - if (entry == NULL) - { - CYASSL_MSG("Add a new OCSP entry"); - entry = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry), - NULL, DYNAMIC_TYPE_OCSP_ENTRY); - if (entry != NULL) - { - InitOCSP_Entry(entry, cert); - entry->next = ocsp->ocspList; - ocsp->ocspList = entry; - } - } - - return entry; -} - - -static CertStatus* find_cert_status(OCSP_Entry* ocspe, DecodedCert* cert) -{ - CertStatus* stat = ocspe->status; - - while (stat) - { - if(stat->serialSz == cert->serialSz && - (XMEMCMP(stat->serial, cert->serial, cert->serialSz) == 0)) - { - break; - } - else - { - stat = stat->next; - } - } - if (stat == NULL) - { - stat = (CertStatus*)XMALLOC(sizeof(CertStatus), - NULL, DYNAMIC_TYPE_OCSP_STATUS); - if (stat != NULL) - { - XMEMCPY(stat->serial, cert->serial, cert->serialSz); - stat->serialSz = cert->serialSz; - stat->status = -1; - stat->nextDate[0] = 0; - ocspe->totalStatus++; - - stat->next = ocspe->status; - ocspe->status = stat; - } - } - - return stat; -} - - static int xstat2err(int stat) { switch (stat) { @@ -184,46 +112,73 @@ int CheckCertOCSP(CYASSL_OCSP* ocsp, DecodedCert* cert) byte* ocspRespBuf = NULL; OcspRequest ocspRequest; OcspResponse ocspResponse; - int result = 0; + int result = -1; OCSP_Entry* ocspe; - CertStatus* certStatus; + CertStatus* certStatus = NULL; + CertStatus newStatus; const char *url; int urlSz; CYASSL_ENTER("CheckCertOCSP"); - ocspe = find_ocsp_entry(ocsp, cert); + if (LockMutex(&ocsp->ocspLock) != 0) { + CYASSL_LEAVE("CheckCertOCSP", BAD_MUTEX_E); + return BAD_MUTEX_E; + } + + ocspe = ocsp->ocspList; + while (ocspe) { + if (XMEMCMP(ocspe->issuerHash, cert->issuerHash, SHA_DIGEST_SIZE) == 0 + && XMEMCMP(ocspe->issuerKeyHash, cert->issuerKeyHash, + SHA_DIGEST_SIZE) == 0) + break; + else + ocspe = ocspe->next; + } + if (ocspe == NULL) { - CYASSL_MSG("alloc OCSP entry failed"); - return MEMORY_ERROR; + ocspe = (OCSP_Entry*)XMALLOC(sizeof(OCSP_Entry), + NULL, DYNAMIC_TYPE_OCSP_ENTRY); + if (ocspe != NULL) { + InitOCSP_Entry(ocspe, cert); + ocspe->next = ocsp->ocspList; + ocsp->ocspList = ocspe; + } + else { + UnLockMutex(&ocsp->ocspLock); + CYASSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); + return MEMORY_ERROR; + } + } + else { + certStatus = ocspe->status; + while (certStatus) { + if (certStatus->serialSz == cert->serialSz && + XMEMCMP(certStatus->serial, cert->serial, cert->serialSz) == 0) + break; + else + certStatus = certStatus->next; + } } - certStatus = find_cert_status(ocspe, cert); - if (certStatus == NULL) - { - CYASSL_MSG("alloc OCSP cert status failed"); - return MEMORY_ERROR; - } - - if (certStatus->status != -1) - { + if (certStatus != NULL) { if (!ValidateDate(certStatus->thisDate, certStatus->thisDateFormat, BEFORE) || (certStatus->nextDate[0] == 0) || !ValidateDate(certStatus->nextDate, - certStatus->nextDateFormat, AFTER)) - { + certStatus->nextDateFormat, AFTER)) { CYASSL_MSG("\tinvalid status date, looking up cert"); - certStatus->status = -1; } - else - { - CYASSL_MSG("\tusing cached status"); + else { result = xstat2err(certStatus->status); + UnLockMutex(&ocsp->ocspLock); + CYASSL_LEAVE("CheckCertOCSP", result); return result; } } + UnLockMutex(&ocsp->ocspLock); + if (ocsp->cm->ocspUseOverrideURL) { url = ocsp->cm->ocspOverrideURL; if (url != NULL && url[0] != '\0') @@ -236,57 +191,82 @@ int CheckCertOCSP(CYASSL_OCSP* ocsp, DecodedCert* cert) urlSz = cert->extAuthInfoSz; } else { - CYASSL_MSG("\tcert doesn't have extAuthInfo, assuming CERT_GOOD"); + /* cert doesn't have extAuthInfo, assuming CERT_GOOD */ return 0; } ocspReqBuf = (byte*)XMALLOC(ocspReqSz, NULL, DYNAMIC_TYPE_IN_BUFFER); if (ocspReqBuf == NULL) { - CYASSL_MSG("\talloc OCSP request buffer failed"); + CYASSL_LEAVE("CheckCertOCSP", MEMORY_ERROR); return MEMORY_ERROR; } InitOcspRequest(&ocspRequest, cert, ocsp->cm->ocspSendNonce, ocspReqBuf, ocspReqSz); ocspReqSz = EncodeOcspRequest(&ocspRequest); - if (ocsp->cm->ocspIOCb) { + if (ocsp->cm->ocspIOCb) result = ocsp->cm->ocspIOCb(ocsp->cm->ocspIOCtx, url, urlSz, - ocspReqBuf, ocspReqSz, &ocspRespBuf); - } + ocspReqBuf, ocspReqSz, &ocspRespBuf); if (result >= 0 && ocspRespBuf) { - InitOcspResponse(&ocspResponse, certStatus, ocspRespBuf, result); + XMEMSET(&newStatus, 0, sizeof(CertStatus)); + + InitOcspResponse(&ocspResponse, &newStatus, ocspRespBuf, result); OcspResponseDecode(&ocspResponse); - if (ocspResponse.responseStatus != OCSP_SUCCESSFUL) { - CYASSL_MSG("OCSP Responder failure"); + if (ocspResponse.responseStatus != OCSP_SUCCESSFUL) result = OCSP_LOOKUP_FAIL; - } else { - if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0) - { + else { + if (CompareOcspReqResp(&ocspRequest, &ocspResponse) == 0) { result = xstat2err(ocspResponse.status->status); + + if (LockMutex(&ocsp->ocspLock) != 0) + result = BAD_MUTEX_E; + else { + if (certStatus != NULL) + /* Replace existing certificate entry with updated */ + XMEMCPY(certStatus, &newStatus, sizeof(CertStatus)); + else { + /* Save new certificate entry */ + certStatus = (CertStatus*)XMALLOC(sizeof(CertStatus), + NULL, DYNAMIC_TYPE_OCSP_STATUS); + if (certStatus != NULL) { + XMEMCPY(certStatus, &newStatus, sizeof(CertStatus)); + certStatus->next = ocspe->status; + ocspe->status = certStatus; + ocspe->totalStatus++; + } + } + + UnLockMutex(&ocsp->ocspLock); + } } else - { - CYASSL_MSG("OCSP Response incorrect for Request"); result = OCSP_LOOKUP_FAIL; - } } } - else { + else result = OCSP_LOOKUP_FAIL; - } - if (ocspReqBuf != NULL) { + if (ocspReqBuf != NULL) XFREE(ocspReqBuf, NULL, DYNAMIC_TYPE_IN_BUFFER); - } - if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb) { - ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf); - } + if (ocspRespBuf != NULL && ocsp->cm->ocspRespFreeCb) + ocsp->cm->ocspRespFreeCb(ocsp->cm->ocspIOCtx, ocspRespBuf); + + CYASSL_LEAVE("CheckCertOCSP", result); return result; } +#else /* HAVE_OCSP */ + + +#ifdef _MSC_VER + /* 4206 warning for blank file */ + #pragma warning(disable: 4206) +#endif + + #endif /* HAVE_OCSP */ From 36b5bf0df1096b1c6c29530616026cccfcf92d15 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 3 Feb 2014 16:11:57 -0300 Subject: [PATCH 02/49] Renaming Elliptic Curves to Supported Curves for better extension representation and avoid confusion. --- configure.ac | 20 ++++++++++---------- cyassl/internal.h | 6 +++--- cyassl/ssl.h | 8 ++++---- src/internal.c | 2 +- src/ssl.c | 12 ++++++------ src/tls.c | 10 +++++----- tests/api.c | 30 +++++++++++++++--------------- 7 files changed, 44 insertions(+), 44 deletions(-) diff --git a/configure.ac b/configure.ac index 36c82960d..a558b69f9 100644 --- a/configure.ac +++ b/configure.ac @@ -1226,16 +1226,16 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_RENEGOTIATION_INDICATION" fi -# Elliptic Curves Extensions -AC_ARG_ENABLE([ellipticcurves], - [ --enable-ellipticcurves Enable Elliptic Curves (default: disabled)], - [ ENABLED_ELLIPTIC_CURVES=$enableval ], - [ ENABLED_ELLIPTIC_CURVES=no ] +# Supported Elliptic Curves Extensions +AC_ARG_ENABLE([supportedcurves], + [ --enable-supportedcurves Enable Supported Elliptic Curves (default: disabled)], + [ ENABLED_SUPPORTED_CURVES=$enableval ], + [ ENABLED_SUPPORTED_CURVES=no ] ) -if test "x$ENABLED_ELLIPTIC_CURVES" = "xyes" +if test "x$ENABLED_SUPPORTED_CURVES" = "xyes" then - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_ELLIPTIC_CURVES" + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SUPPORTED_CURVES" fi # TLS Extensions @@ -1251,8 +1251,8 @@ then ENABLED_MAX_FRAGMENT=yes ENABLED_TRUNCATED_HMAC=yes ENABLED_RENEGOTIATION_INDICATION=yes - ENABLED_ELLIPTIC_CURVES=yes - AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION -DHAVE_ELLIPTIC_CURVES" + ENABLED_SUPPORTED_CURVES=yes + AM_CFLAGS="$AM_CFLAGS -DHAVE_TLS_EXTENSIONS -DHAVE_SNI -DHAVE_MAX_FRAGMENT -DHAVE_TRUNCATED_HMAC -DHAVE_RENEGOTIATION_INDICATION -DHAVE_SUPPORTED_CURVES" fi # PKCS7 @@ -1689,7 +1689,7 @@ echo " * SNI: $ENABLED_SNI" echo " * Maximum Fragment Length: $ENABLED_MAX_FRAGMENT" echo " * Truncated HMAC: $ENABLED_TRUNCATED_HMAC" echo " * Renegotiation Indication: $ENABLED_RENEGOTIATION_INDICATION" -echo " * Elliptic Curves: $ENABLED_ELLIPTIC_CURVES" +echo " * Supported Elliptic Curves: $ENABLED_SUPPORTED_CURVES" echo " * All TLS Extensions: $ENABLED_TLSX" echo " * PKCS#7 $ENABLED_PKCS7" echo " * wolfSCEP $ENABLED_WOLFSCEP" diff --git a/cyassl/internal.h b/cyassl/internal.h index 104a9c1cd..f31591853 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1177,7 +1177,7 @@ CYASSL_LOCAL int TLSX_UseTruncatedHMAC(TLSX** extensions); #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES typedef struct EllipticCurve { word16 name; /* CurveNames */ @@ -1185,14 +1185,14 @@ typedef struct EllipticCurve { } EllipticCurve; -CYASSL_LOCAL int TLSX_UseEllipticCurve(TLSX** extensions, word16 name); +CYASSL_LOCAL int TLSX_UseSupportedCurve(TLSX** extensions, word16 name); #ifndef NO_CYASSL_SERVER CYASSL_LOCAL int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second); #endif -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #endif /* HAVE_TLS_EXTENSIONS */ diff --git a/cyassl/ssl.h b/cyassl/ssl.h index aa7056246..9013e5345 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -1242,7 +1242,7 @@ CYASSL_API int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx); #endif /* HAVE_TRUNCATED_HMAC */ /* Elliptic Curves */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES enum { CYASSL_ECC_SECP160R1 = 0x10, @@ -1255,12 +1255,12 @@ enum { #ifndef NO_CYASSL_CLIENT -CYASSL_API int CyaSSL_UseEllipticCurve(CYASSL* ssl, unsigned short name); -CYASSL_API int CyaSSL_CTX_UseEllipticCurve(CYASSL_CTX* ctx, +CYASSL_API int CyaSSL_UseSupportedCurve(CYASSL* ssl, unsigned short name); +CYASSL_API int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx, unsigned short name); #endif /* NO_CYASSL_CLIENT */ -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #define CYASSL_CRL_MONITOR 0x01 /* monitor this dir flag */ diff --git a/src/internal.c b/src/internal.c index d797d75cc..e56d49d37 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9765,7 +9765,7 @@ static void PickHashSigAlgo(CYASSL* ssl, } } -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES if (!TLSX_ValidateEllipticCurves(ssl, first, second)) { CYASSL_MSG("Don't have matching curves"); return 0; diff --git a/src/ssl.c b/src/ssl.c index 902ebd042..55a3488a7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -623,27 +623,27 @@ int CyaSSL_CTX_UseTruncatedHMAC(CYASSL_CTX* ctx) #endif /* HAVE_TRUNCATED_HMAC */ /* Elliptic Curves */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES #ifndef NO_CYASSL_CLIENT -int CyaSSL_UseEllipticCurve(CYASSL* ssl, word16 name) +int CyaSSL_UseSupportedCurve(CYASSL* ssl, word16 name) { if (ssl == NULL) return BAD_FUNC_ARG; - return TLSX_UseEllipticCurve(&ssl->extensions, name); + return TLSX_UseSupportedCurve(&ssl->extensions, name); } -int CyaSSL_CTX_UseEllipticCurve(CYASSL_CTX* ctx, word16 name) +int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx, word16 name) { if (ctx == NULL) return BAD_FUNC_ARG; - return TLSX_UseEllipticCurve(&ctx->extensions, name); + return TLSX_UseSupportedCurve(&ctx->extensions, name); } #endif /* NO_CYASSL_CLIENT */ -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #ifndef CYASSL_LEANPSK diff --git a/src/tls.c b/src/tls.c index 872016460..f4445fb7b 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1160,7 +1160,7 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length, #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES +#ifdef HAVE_SUPPORTED_CURVES #ifndef HAVE_ECC #error "Elliptic Curves Extension requires Elliptic Curve Cryptography. \ @@ -1270,7 +1270,7 @@ static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length, ato16(input + offset, &name); offset -= OPAQUE16_LEN; - r = TLSX_UseEllipticCurve(&ssl->extensions, name); + r = TLSX_UseSupportedCurve(&ssl->extensions, name); if (r) return r; /* throw error */ } @@ -1371,7 +1371,7 @@ int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) { #endif /* NO_CYASSL_SERVER */ -int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) +int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) { TLSX* extension = NULL; EllipticCurve* curve = NULL; @@ -1456,7 +1456,7 @@ int TLSX_UseEllipticCurve(TLSX** extensions, word16 name) #define EC_PARSE(a, b, c, d) 0 #define EC_VALIDATE_REQUEST(a, b) -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ TLSX* TLSX_Find(TLSX* list, TLSX_Type type) { @@ -1788,7 +1788,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, #elif defined(HAVE_SNI) \ || defined(HAVE_MAX_FRAGMENT) \ || defined(HAVE_TRUNCATED_HMAC) \ - || defined(HAVE_ELLIPTIC_CURVES) + || defined(HAVE_SUPPORTED_CURVES) #error "Using TLS extensions requires HAVE_TLS_EXTENSIONS to be defined." diff --git a/tests/api.c b/tests/api.c index 9de246eb0..94a232f06 100644 --- a/tests/api.c +++ b/tests/api.c @@ -56,9 +56,9 @@ static void test_CyaSSL_UseMaxFragment(void); #ifdef HAVE_TRUNCATED_HMAC static void test_CyaSSL_UseTruncatedHMAC(void); #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES -static void test_CyaSSL_UseEllipticCurve(void); -#endif /* HAVE_ELLIPTIC_CURVES */ +#ifdef HAVE_SUPPORTED_CURVES +static void test_CyaSSL_UseSupportedCurve(void); +#endif /* HAVE_SUPPORTED_CURVES */ /* test function helpers */ static int test_method(CYASSL_METHOD *method, const char *name); @@ -119,9 +119,9 @@ int ApiTest(void) #ifdef HAVE_TRUNCATED_HMAC test_CyaSSL_UseTruncatedHMAC(); #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES - test_CyaSSL_UseEllipticCurve(); -#endif /* HAVE_ELLIPTIC_CURVES */ +#ifdef HAVE_SUPPORTED_CURVES + test_CyaSSL_UseSupportedCurve(); +#endif /* HAVE_SUPPORTED_CURVES */ test_CyaSSL_Cleanup(); printf(" End API Tests\n"); @@ -542,8 +542,8 @@ static void test_CyaSSL_UseTruncatedHMAC(void) } #endif /* HAVE_TRUNCATED_HMAC */ -#ifdef HAVE_ELLIPTIC_CURVES -static void test_CyaSSL_UseEllipticCurve(void) +#ifdef HAVE_SUPPORTED_CURVES +static void test_CyaSSL_UseSupportedCurve(void) { CYASSL_CTX *ctx = CyaSSL_CTX_new(CyaSSLv23_client_method()); CYASSL *ssl = CyaSSL_new(ctx); @@ -553,21 +553,21 @@ static void test_CyaSSL_UseEllipticCurve(void) #ifndef NO_CYASSL_CLIENT /* error cases */ - AssertIntNE(1, CyaSSL_CTX_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); - AssertIntNE(1, CyaSSL_CTX_UseEllipticCurve(ctx, 0)); + AssertIntNE(1, CyaSSL_CTX_UseSupportedCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(1, CyaSSL_CTX_UseSupportedCurve(ctx, 0)); - AssertIntNE(1, CyaSSL_UseEllipticCurve(NULL, CYASSL_ECC_SECP160R1)); - AssertIntNE(1, CyaSSL_UseEllipticCurve(ssl, 0)); + AssertIntNE(1, CyaSSL_UseSupportedCurve(NULL, CYASSL_ECC_SECP160R1)); + AssertIntNE(1, CyaSSL_UseSupportedCurve(ssl, 0)); /* success case */ - AssertIntEQ(1, CyaSSL_CTX_UseEllipticCurve(ctx, CYASSL_ECC_SECP160R1)); - AssertIntEQ(1, CyaSSL_UseEllipticCurve(ssl, CYASSL_ECC_SECP160R1)); + AssertIntEQ(1, CyaSSL_CTX_UseSupportedCurve(ctx, CYASSL_ECC_SECP160R1)); + AssertIntEQ(1, CyaSSL_UseSupportedCurve(ssl, CYASSL_ECC_SECP160R1)); #endif CyaSSL_free(ssl); CyaSSL_CTX_free(ctx); } -#endif /* HAVE_ELLIPTIC_CURVES */ +#endif /* HAVE_SUPPORTED_CURVES */ #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) /* Helper for testing CyaSSL_CTX_use_certificate_file() */ From 2758f40a09f3b3953a4103e80fe3c5ad89bb4021 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 3 Feb 2014 14:39:41 -0800 Subject: [PATCH 03/49] For OCSP, when decoding X.509 Auth Info Access record, find the first OCSP responder, rather than only looking at the first item. --- ctaocrypt/src/asn.c | 38 +++++++++++++++----------------------- cyassl/ctaocrypt/asn.h | 5 +++++ 2 files changed, 20 insertions(+), 23 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index d1c82f8e1..1dc9eef9d 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -3081,6 +3081,7 @@ static void DecodeAuthInfo(byte* input, int sz, DecodedCert* cert) { word32 idx = 0; int length = 0; + byte b; word32 oid; CYASSL_ENTER("DecodeAuthInfo"); @@ -3088,35 +3089,26 @@ static void DecodeAuthInfo(byte* input, int sz, DecodedCert* cert) /* Unwrap the list of AIAs */ if (GetSequence(input, &idx, &length, sz) < 0) return; - /* Unwrap a single AIA */ - if (GetSequence(input, &idx, &length, sz) < 0) return; + while (idx < (word32)sz) { + /* Unwrap a single AIA */ + if (GetSequence(input, &idx, &length, sz) < 0) return; - oid = 0; - if (GetObjectId(input, &idx, &oid, sz) < 0) return; + oid = 0; + if (GetObjectId(input, &idx, &oid, sz) < 0) return; - /* Only supporting URIs right now. */ - if (input[idx] == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI)) - { - idx++; + /* Only supporting URIs right now. */ + b = input[idx++]; if (GetLength(input, &idx, &length, sz) < 0) return; - cert->extAuthInfoSz = length; - cert->extAuthInfo = input + idx; + if (b == (ASN_CONTEXT_SPECIFIC | GENERALNAME_URI) && + oid == AIA_OCSP_OID) + { + cert->extAuthInfoSz = length; + cert->extAuthInfo = input + idx; + break; + } idx += length; } - else - { - /* Skip anything else. */ - idx++; - if (GetLength(input, &idx, &length, sz) < 0) return; - idx += length; - } - - if (idx < (word32)sz) - { - CYASSL_MSG("\tThere are more Authority Information Access records, " - "but we only use first one."); - } return; } diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index 90ba8c7a1..da5c5e0ab 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -227,6 +227,11 @@ enum SepHardwareName_Sum { HW_NAME_OID = 79 /* 1.3.6.1.5.5.7.8.4 from RFC 4108*/ }; +enum AuthInfo_Sum { + AIA_OCSP_OID = 116, /* 1.3.6.1.5.5.7.48.1 */ + AIA_CA_ISSUER_OID = 117 /* 1.3.6.1.5.5.7.48.2 */ +}; + enum VerifyType { NO_VERIFY = 0, From 468e26a3a2476993ec2836143473874d7f044053 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 3 Feb 2014 21:54:31 -0300 Subject: [PATCH 04/49] fixed error catching on TLSX_EllipticCurve_Parse fixed unsupported curves handling --- src/ssl.c | 26 ++++++++++++++++++++++++++ src/tls.c | 16 ++-------------- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 55a3488a7..c77ec56c1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -631,6 +631,19 @@ int CyaSSL_UseSupportedCurve(CYASSL* ssl, word16 name) if (ssl == NULL) return BAD_FUNC_ARG; + switch (name) { + case CYASSL_ECC_SECP160R1: + case CYASSL_ECC_SECP192R1: + case CYASSL_ECC_SECP224R1: + case CYASSL_ECC_SECP256R1: + case CYASSL_ECC_SECP384R1: + case CYASSL_ECC_SECP521R1: + break; + + default: + return BAD_FUNC_ARG; + } + return TLSX_UseSupportedCurve(&ssl->extensions, name); } @@ -639,6 +652,19 @@ int CyaSSL_CTX_UseSupportedCurve(CYASSL_CTX* ctx, word16 name) if (ctx == NULL) return BAD_FUNC_ARG; + switch (name) { + case CYASSL_ECC_SECP160R1: + case CYASSL_ECC_SECP192R1: + case CYASSL_ECC_SECP224R1: + case CYASSL_ECC_SECP256R1: + case CYASSL_ECC_SECP384R1: + case CYASSL_ECC_SECP521R1: + break; + + default: + return BAD_FUNC_ARG; + } + return TLSX_UseSupportedCurve(&ctx->extensions, name); } diff --git a/src/tls.c b/src/tls.c index f4445fb7b..6f4d4e6cb 100644 --- a/src/tls.c +++ b/src/tls.c @@ -1272,7 +1272,7 @@ static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length, r = TLSX_UseSupportedCurve(&ssl->extensions, name); - if (r) return r; /* throw error */ + if (r != SSL_SUCCESS) return r; /* throw error */ } return 0; @@ -1300,6 +1300,7 @@ int TLSX_ValidateEllipticCurves(CYASSL* ssl, byte first, byte second) { case CYASSL_ECC_SECP256R1: oid = ECC_256R1; octets = 32; break; case CYASSL_ECC_SECP384R1: oid = ECC_384R1; octets = 48; break; case CYASSL_ECC_SECP521R1: oid = ECC_521R1; octets = 66; break; + default: continue; /* unsupported curve */ } switch (second) { @@ -1380,19 +1381,6 @@ int TLSX_UseSupportedCurve(TLSX** extensions, word16 name) if (extensions == NULL) return BAD_FUNC_ARG; - switch (name) { - case CYASSL_ECC_SECP160R1: - case CYASSL_ECC_SECP192R1: - case CYASSL_ECC_SECP224R1: - case CYASSL_ECC_SECP256R1: - case CYASSL_ECC_SECP384R1: - case CYASSL_ECC_SECP521R1: - break; - - default: - return BAD_FUNC_ARG; - } - if ((ret = TLSX_EllipticCurve_Append(&curve, name)) != 0) return ret; From 4a0afa19bfb127c5d0e84549f2011938c4f2e519 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 4 Feb 2014 07:36:59 -0800 Subject: [PATCH 05/49] Reinitialize the index when processing stored DTLS handshake messages. --- src/internal.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/internal.c b/src/internal.c index e56d49d37..04c516389 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3936,7 +3936,6 @@ static int DtlsMsgDrain(CYASSL* ssl) { DtlsMsg* item = ssl->dtls_msg_list; int ret = 0; - word32 idx = 0; /* While there is an item in the store list, and it is the expected * message, and it is complete, and there hasn't been an error in the @@ -3945,6 +3944,7 @@ static int DtlsMsgDrain(CYASSL* ssl) ssl->keys.dtls_expected_peer_handshake_number == item->seq && item->fragSz == item->sz && ret == 0) { + word32 idx = 0; ssl->keys.dtls_expected_peer_handshake_number++; ret = DoHandShakeMsgType(ssl, item->msg, &idx, item->type, item->sz, item->sz); From 9a275fbe8b305624bc4d87e4818189dfd93773d9 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 7 Feb 2014 12:17:01 -0800 Subject: [PATCH 06/49] updated CRLs for a year --- certs/crl/cliCrl.pem | 58 +++++++++++++++++++++-------------------- certs/crl/crl.pem | 52 ++++++++++++++++++------------------ certs/crl/crl.revoked | 54 +++++++++++++++++++------------------- certs/crl/eccCliCRL.pem | 28 +++++++++++--------- certs/crl/eccSrvCRL.pem | 28 +++++++++++--------- certs/crl/gencrls.sh | 10 +++---- 6 files changed, 118 insertions(+), 112 deletions(-) diff --git a/certs/crl/cliCrl.pem b/certs/crl/cliCrl.pem index d94d778e7..e623562a9 100644 --- a/certs/crl/cliCrl.pem +++ b/certs/crl/cliCrl.pem @@ -2,38 +2,40 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/ST=Oregon/L=Portland/O=yaSSL/OU=Programming/CN=www.yassl.com/emailAddress=info@yassl.com - Last Update: Jun 17 21:32:30 2013 GMT - Next Update: Dec 14 21:32:30 2013 GMT + Last Update: Feb 7 20:14:06 2014 GMT + Next Update: Feb 7 20:14:06 2015 GMT CRL extensions: X509v3 CRL Number: - 87 -No Revoked Certificates. + 3 +Revoked Certificates: + Serial Number: 02 + Revocation Date: Feb 7 20:14:06 2014 GMT Signature Algorithm: sha1WithRSAEncryption - 0f:16:d2:d6:62:f8:c0:db:b2:2c:de:9d:0a:10:72:0e:85:6e: - 25:1d:38:20:1b:d5:66:d9:d3:9e:0e:a6:9e:e8:60:20:1c:b5: - c9:ab:09:c3:a5:d5:c3:91:a3:9a:ff:44:40:68:da:7b:da:4a: - 3c:15:17:89:0a:49:b9:af:b2:ac:f0:e2:b5:0e:4d:c0:22:d7: - 5e:c1:02:9e:f3:95:20:62:7c:88:d9:32:97:12:04:1a:6f:8c: - d8:7b:9f:0c:1e:91:fe:98:52:17:de:f2:ee:7c:66:e7:db:91: - 99:7a:f7:09:c9:15:16:3d:a2:1c:13:af:ad:e0:70:b8:6b:e5: - dc:8e:f8:b5:ec:ff:f7:88:1b:ce:46:eb:22:ff:10:2f:ea:53: - f0:86:62:1a:ab:6f:4d:05:45:e8:5c:ba:b5:8d:0d:38:72:cd: - df:a1:74:31:bb:ad:68:7d:56:be:d8:7e:7a:f5:ef:52:be:14: - 5c:6d:ed:b4:2a:c9:ab:97:ba:e8:93:c5:6b:79:66:c7:52:a8: - 0d:62:dc:cb:e2:4c:e6:53:f4:c3:5c:ce:47:0f:39:46:9a:cb: - 82:d9:98:7d:69:41:aa:ac:6a:7a:e9:02:c9:9b:77:59:7f:6a: - 90:54:10:8a:45:c7:49:5f:ca:be:66:6a:20:e1:cd:e8:10:09: - 30:7e:16:44 + 36:33:8d:75:7a:2c:40:dc:e2:64:71:de:1d:06:b4:0e:d3:98: + 63:05:79:84:53:76:9b:aa:51:70:a1:3a:ab:12:f7:da:69:70: + 34:5b:4d:08:01:a6:3b:16:25:ac:3d:11:0c:80:94:bc:dc:b5: + 51:7c:84:11:65:d7:d2:24:16:f5:ac:11:0b:ea:72:62:4a:cb: + 83:c1:6c:96:ec:6b:ce:1f:26:88:89:8a:74:90:fb:d3:67:91: + 8c:f7:ef:0e:ca:81:39:22:89:1a:52:75:d0:13:ba:ee:83:0c: + 61:e9:b4:d8:f1:3f:80:77:29:d2:bb:7e:81:29:a8:fb:1f:ad: + 92:91:bd:e9:b8:29:3f:a3:ec:44:b5:09:e5:03:3c:1b:2d:df: + 4c:27:45:94:da:be:50:dd:b9:78:3f:1f:92:92:59:a5:ad:5a: + ef:95:71:ff:ca:ff:db:70:53:17:aa:00:40:9b:4c:ff:fb:be: + 73:7a:8e:0f:07:9b:b9:14:fd:a4:b4:d7:79:4b:3e:ff:c6:90: + ef:91:2e:a2:f3:ee:4b:1f:16:47:2a:a3:39:f9:b5:fd:74:fa: + 8f:c4:15:8d:77:7f:46:78:6f:ba:a5:4e:bc:63:8f:39:63:c9: + 68:3d:8f:02:3a:4a:d0:d5:c4:47:6a:2c:4d:6c:d5:e2:a7:5f: + 35:ba:65:e4 -----BEGIN X509 CRL----- -MIIB6DCB0QIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxDzANBgNV +MIIB/jCB5wIBATANBgkqhkiG9w0BAQUFADCBjjELMAkGA1UEBhMCVVMxDzANBgNV BAgTBk9yZWdvbjERMA8GA1UEBxMIUG9ydGxhbmQxDjAMBgNVBAoTBXlhU1NMMRQw EgYDVQQLEwtQcm9ncmFtbWluZzEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsG -CSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20XDTEzMDYxNzIxMzIzMFoXDTEzMTIx -NDIxMzIzMFqgDjAMMAoGA1UdFAQDAgFXMA0GCSqGSIb3DQEBBQUAA4IBAQAPFtLW -YvjA27Is3p0KEHIOhW4lHTggG9Vm2dOeDqae6GAgHLXJqwnDpdXDkaOa/0RAaNp7 -2ko8FReJCkm5r7Ks8OK1Dk3AItdewQKe85UgYnyI2TKXEgQab4zYe58MHpH+mFIX -3vLufGbn25GZevcJyRUWPaIcE6+t4HC4a+Xcjvi17P/3iBvORusi/xAv6lPwhmIa -q29NBUXoXLq1jQ04cs3foXQxu61ofVa+2H569e9SvhRcbe20Ksmrl7rok8VreWbH -UqgNYtzL4kzmU/TDXM5HDzlGmsuC2Zh9aUGqrGp66QLJm3dZf2qQVBCKRcdJX8q+ -Zmog4c3oEAkwfhZE +CSqGSIb3DQEJARYOaW5mb0B5YXNzbC5jb20XDTE0MDIwNzIwMTQwNloXDTE1MDIw +NzIwMTQwNlowFDASAgECFw0xNDAyMDcyMDE0MDZaoA4wDDAKBgNVHRQEAwIBAzAN +BgkqhkiG9w0BAQUFAAOCAQEANjONdXosQNziZHHeHQa0DtOYYwV5hFN2m6pRcKE6 +qxL32mlwNFtNCAGmOxYlrD0RDICUvNy1UXyEEWXX0iQW9awRC+pyYkrLg8Fsluxr +zh8miImKdJD702eRjPfvDsqBOSKJGlJ10BO67oMMYem02PE/gHcp0rt+gSmo+x+t +kpG96bgpP6PsRLUJ5QM8Gy3fTCdFlNq+UN25eD8fkpJZpa1a75Vx/8r/23BTF6oA +QJtM//u+c3qODwebuRT9pLTXeUs+/8aQ75EuovPuSx8WRyqjOfm1/XT6j8QVjXd/ +RnhvuqVOvGOPOWPJaD2PAjpK0NXER2osTWzV4qdfNbpl5A== -----END X509 CRL----- diff --git a/certs/crl/crl.pem b/certs/crl/crl.pem index 06ebdebe2..d93a4707e 100644 --- a/certs/crl/crl.pem +++ b/certs/crl/crl.pem @@ -2,38 +2,38 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.yassl.com/emailAddress=info@yassl.com - Last Update: Jun 17 21:32:30 2013 GMT - Next Update: Dec 14 21:32:30 2013 GMT + Last Update: Feb 7 20:14:06 2014 GMT + Next Update: Feb 7 20:14:06 2015 GMT CRL extensions: X509v3 CRL Number: - 85 + 1 No Revoked Certificates. Signature Algorithm: sha1WithRSAEncryption - 4d:9c:63:22:02:91:fe:52:35:93:7c:b6:5b:e8:86:5a:29:a2: - 4d:9a:bc:d9:16:e0:8a:04:90:4d:ae:21:00:be:9c:81:5b:68: - 6e:90:1a:fd:1a:37:70:85:50:f2:02:87:1c:38:f4:ef:9d:41: - f5:4f:53:66:d4:c0:22:80:00:82:7a:09:42:49:c3:1c:c9:4c: - 9f:92:f9:66:f4:21:1f:24:67:4f:83:6a:bd:3a:19:f1:04:99: - ea:30:05:bf:a7:3d:bf:71:ac:3e:3a:ba:2a:c5:05:12:53:eb: - 5c:6f:ed:2d:4b:c0:f5:00:e1:95:45:c9:62:b5:89:66:4b:2b: - 01:fc:66:29:a3:0a:9a:05:ae:f7:9f:51:2a:9c:3b:18:03:ed: - c4:7c:33:62:93:30:49:ab:c4:d1:07:f4:18:ac:96:24:1e:c2: - fa:37:ed:82:db:06:66:8d:fb:25:93:35:7b:39:88:e8:8e:70: - e9:c8:be:00:c4:f7:a7:67:83:f8:3d:af:8b:71:5b:25:3b:1d: - 56:cd:d0:15:86:31:d1:cb:57:3a:00:b5:1c:7c:3e:99:44:ce: - bc:89:a7:78:37:50:ed:a1:b6:16:cd:72:20:c9:1f:60:b2:8a: - c5:62:30:26:f0:aa:b6:73:ca:8e:d6:ba:31:0a:21:a2:6e:40: - 4b:66:30:11 + 4b:c1:68:4f:80:01:0e:ab:ff:c1:8f:5e:e5:3c:01:7a:fd:9c: + bb:21:b3:68:73:7c:e9:dc:c5:70:a8:fd:1b:74:27:c2:9e:7d: + 11:9c:95:b9:fb:73:ac:50:bb:b7:4a:5e:f1:f3:44:b4:7c:b5: + 21:0f:32:48:2e:b2:03:95:a7:09:6b:25:87:c3:1d:9c:3f:8f: + 69:91:30:fb:e5:a1:b2:26:1a:ed:8f:73:06:2d:bd:bc:72:f4: + b8:bd:63:61:90:c7:91:2b:68:52:51:47:0d:d6:a1:79:b8:4b: + bc:30:57:94:fa:b7:49:80:1a:1f:4d:aa:a3:8b:cd:8f:5d:8e: + ad:8b:d6:d1:5b:c1:cf:f2:0c:60:22:19:87:42:db:42:8b:aa: + 47:36:4d:20:eb:cb:72:ce:4b:48:1b:f3:4d:0b:e0:f8:58:27: + 65:60:e7:97:50:83:a9:80:58:62:a8:02:ac:4e:37:79:42:47: + 65:aa:55:ca:7c:9a:9c:bf:6c:36:89:f3:f7:60:d3:30:be:d4: + ce:f1:af:41:7e:02:75:6e:82:86:96:b9:16:07:15:29:c0:65: + 4d:2f:13:4f:01:ec:47:f1:af:36:0a:d6:a1:dc:81:57:18:2d: + 00:7b:d4:49:88:c0:61:81:0e:cd:a7:39:6a:53:2a:7c:91:3d: + ac:62:8d:49 -----BEGIN X509 CRL----- MIIB6jCB0wIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMxEDAOBgNV BAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAPBgNVBAoTCFNhd3Rvb3Ro MRMwEQYDVQQLEwpDb25zdWx0aW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w -GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTMwNjE3MjEzMjMwWhcNMTMx -MjE0MjEzMjMwWqAOMAwwCgYDVR0UBAMCAVUwDQYJKoZIhvcNAQEFBQADggEBAE2c -YyICkf5SNZN8tlvohlopok2avNkW4IoEkE2uIQC+nIFbaG6QGv0aN3CFUPIChxw4 -9O+dQfVPU2bUwCKAAIJ6CUJJwxzJTJ+S+Wb0IR8kZ0+Dar06GfEEmeowBb+nPb9x -rD46uirFBRJT61xv7S1LwPUA4ZVFyWK1iWZLKwH8ZimjCpoFrvefUSqcOxgD7cR8 -M2KTMEmrxNEH9BisliQewvo37YLbBmaN+yWTNXs5iOiOcOnIvgDE96dng/g9r4tx -WyU7HVbN0BWGMdHLVzoAtRx8PplEzryJp3g3UO2hthbNciDJH2CyisViMCbwqrZz -yo7WujEKIaJuQEtmMBE= +GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTQwMjA3MjAxNDA2WhcNMTUw +MjA3MjAxNDA2WqAOMAwwCgYDVR0UBAMCAQEwDQYJKoZIhvcNAQEFBQADggEBAEvB +aE+AAQ6r/8GPXuU8AXr9nLshs2hzfOncxXCo/Rt0J8KefRGclbn7c6xQu7dKXvHz +RLR8tSEPMkgusgOVpwlrJYfDHZw/j2mRMPvlobImGu2PcwYtvbxy9Li9Y2GQx5Er +aFJRRw3WoXm4S7wwV5T6t0mAGh9NqqOLzY9djq2L1tFbwc/yDGAiGYdC20KLqkc2 +TSDry3LOS0gb800L4PhYJ2Vg55dQg6mAWGKoAqxON3lCR2WqVcp8mpy/bDaJ8/dg +0zC+1M7xr0F+AnVugoaWuRYHFSnAZU0vE08B7EfxrzYK1qHcgVcYLQB71EmIwGGB +Ds2nOWpTKnyRPaxijUk= -----END X509 CRL----- diff --git a/certs/crl/crl.revoked b/certs/crl/crl.revoked index 734593600..b67ee676d 100644 --- a/certs/crl/crl.revoked +++ b/certs/crl/crl.revoked @@ -2,40 +2,40 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption Issuer: /C=US/ST=Montana/L=Bozeman/O=Sawtooth/OU=Consulting/CN=www.yassl.com/emailAddress=info@yassl.com - Last Update: Jun 17 21:32:30 2013 GMT - Next Update: Dec 14 21:32:30 2013 GMT + Last Update: Feb 7 20:14:06 2014 GMT + Next Update: Feb 7 20:14:06 2015 GMT CRL extensions: X509v3 CRL Number: - 86 + 2 Revoked Certificates: Serial Number: 02 - Revocation Date: Jun 17 21:32:30 2013 GMT + Revocation Date: Feb 7 20:14:06 2014 GMT Signature Algorithm: sha1WithRSAEncryption - 87:3b:bb:ac:6b:1a:e8:96:87:6f:a3:8e:39:77:28:01:a7:ea: - 76:36:c2:48:e2:41:02:3f:f3:f7:64:09:60:91:87:9e:57:74: - 38:a0:c3:20:47:7d:82:4b:2c:34:23:fe:66:dc:2b:3e:8a:a1: - d9:e3:06:ec:75:0f:b1:ef:32:e2:28:ab:7d:40:2c:82:59:74: - c9:95:b5:62:a6:6a:8e:34:e6:f6:f8:91:ff:aa:c1:21:93:79: - cb:6f:dc:be:94:21:b1:c8:dd:9e:b8:fe:ad:e8:50:6e:0d:76: - 92:32:54:51:96:cd:c7:be:d2:0f:6f:63:69:5f:b3:28:c1:57: - 0e:61:f7:62:81:9f:ea:e7:a5:14:89:41:56:63:46:da:bc:d8: - e0:78:44:c6:c7:1a:ab:1b:f1:0b:59:d5:4e:6d:14:bc:16:c2: - 02:43:06:0b:f4:16:6e:26:8c:36:09:61:0c:53:3f:72:85:64: - 33:4d:bf:70:44:c8:23:83:c3:51:98:a8:14:f7:b2:03:a1:7b: - 72:48:4d:24:d0:a8:a9:22:3d:9b:94:bf:24:24:01:6f:2e:4b: - 2b:21:24:8f:64:46:20:79:45:b3:45:1a:4f:93:10:e1:8d:04: - 4c:8d:83:63:96:9f:28:c5:37:0f:10:8e:02:9b:4d:96:8b:ea: - a3:31:88:9f + 10:5d:b1:d0:79:d2:8a:15:2d:40:0b:44:d6:d9:df:58:73:eb: + 55:2c:81:fe:e1:7b:62:48:8f:34:c5:06:51:e5:e8:50:70:8c: + 12:ba:e3:6e:fe:7d:0d:ce:44:08:9d:dc:d9:57:43:6c:54:12: + 82:d4:ed:6c:71:e5:74:44:bd:d1:a8:98:96:63:8b:68:5f:d2: + 87:28:dd:99:4f:aa:ba:8e:18:9e:c4:4f:69:9e:66:13:03:28: + 5f:3c:35:01:15:77:22:7c:ed:c5:4a:67:44:af:85:7f:df:8a: + fd:49:8b:e1:be:52:e3:ca:e8:ae:a3:ad:07:91:2c:51:c6:28: + 5f:26:17:14:39:5d:4e:21:9f:11:6f:c4:a2:ef:ef:b8:ec:27: + af:45:ad:b9:ed:e0:14:09:60:a0:50:ee:dd:f7:b1:3e:58:c4: + 0d:e8:b5:0b:a9:0d:98:ad:7c:74:ab:1c:d6:fa:c8:7d:e7:5a: + 3b:91:23:d5:62:ba:d4:e4:be:58:78:fe:09:ba:63:f6:9e:2c: + 3f:93:c2:fe:de:c5:00:21:50:39:91:ac:71:e6:fc:4a:37:a4: + e4:e9:5e:e7:ac:8d:95:21:d6:76:aa:10:a8:3c:28:3e:ef:1c: + 64:58:e9:1e:f6:7e:54:f3:cb:bb:ed:6f:5d:27:5a:b1:4b:91: + 8e:8c:67:7d -----BEGIN X509 CRL----- MIICADCB6QIBATANBgkqhkiG9w0BAQUFADCBkDELMAkGA1UEBhMCVVMxEDAOBgNV BAgTB01vbnRhbmExEDAOBgNVBAcTB0JvemVtYW4xETAPBgNVBAoTCFNhd3Rvb3Ro MRMwEQYDVQQLEwpDb25zdWx0aW5nMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0w -GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTMwNjE3MjEzMjMwWhcNMTMx -MjE0MjEzMjMwWjAUMBICAQIXDTEzMDYxNzIxMzIzMFqgDjAMMAoGA1UdFAQDAgFW -MA0GCSqGSIb3DQEBBQUAA4IBAQCHO7usaxrolodvo445dygBp+p2NsJI4kECP/P3 -ZAlgkYeeV3Q4oMMgR32CSyw0I/5m3Cs+iqHZ4wbsdQ+x7zLiKKt9QCyCWXTJlbVi -pmqONOb2+JH/qsEhk3nLb9y+lCGxyN2euP6t6FBuDXaSMlRRls3HvtIPb2NpX7Mo -wVcOYfdigZ/q56UUiUFWY0bavNjgeETGxxqrG/ELWdVObRS8FsICQwYL9BZuJow2 -CWEMUz9yhWQzTb9wRMgjg8NRmKgU97IDoXtySE0k0KipIj2blL8kJAFvLksrISSP -ZEYgeUWzRRpPkxDhjQRMjYNjlp8oxTcPEI4Cm02Wi+qjMYif +GwYJKoZIhvcNAQkBFg5pbmZvQHlhc3NsLmNvbRcNMTQwMjA3MjAxNDA2WhcNMTUw +MjA3MjAxNDA2WjAUMBICAQIXDTE0MDIwNzIwMTQwNlqgDjAMMAoGA1UdFAQDAgEC +MA0GCSqGSIb3DQEBBQUAA4IBAQAQXbHQedKKFS1AC0TW2d9Yc+tVLIH+4XtiSI80 +xQZR5ehQcIwSuuNu/n0NzkQIndzZV0NsVBKC1O1sceV0RL3RqJiWY4toX9KHKN2Z +T6q6jhiexE9pnmYTAyhfPDUBFXcifO3FSmdEr4V/34r9SYvhvlLjyuiuo60HkSxR +xihfJhcUOV1OIZ8Rb8Si7++47CevRa257eAUCWCgUO7d97E+WMQN6LULqQ2YrXx0 +qxzW+sh951o7kSPVYrrU5L5YeP4JumP2niw/k8L+3sUAIVA5kaxx5vxKN6Tk6V7n +rI2VIdZ2qhCoPCg+7xxkWOke9n5U88u77W9dJ1qxS5GOjGd9 -----END X509 CRL----- diff --git a/certs/crl/eccCliCRL.pem b/certs/crl/eccCliCRL.pem index d83afecd7..5cfe2d566 100644 --- a/certs/crl/eccCliCRL.pem +++ b/certs/crl/eccCliCRL.pem @@ -2,23 +2,25 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: ecdsa-with-SHA1 Issuer: /C=US/ST=Oregon/L=Salem/O=Client ECC/OU=Fast/CN=www.yassl.com/emailAddress=info@yassl.com - Last Update: Jun 17 21:32:30 2013 GMT - Next Update: Dec 14 21:32:30 2013 GMT + Last Update: Feb 7 20:14:06 2014 GMT + Next Update: Feb 7 20:14:06 2015 GMT CRL extensions: X509v3 CRL Number: - 88 -No Revoked Certificates. + 4 +Revoked Certificates: + Serial Number: 02 + Revocation Date: Feb 7 20:14:06 2014 GMT Signature Algorithm: ecdsa-with-SHA1 - 30:45:02:21:00:eb:6e:1b:5d:f9:43:f9:67:5b:4e:d1:6d:30: - c7:c1:57:a3:e6:25:af:87:7a:77:8d:d9:89:47:1d:a4:64:0e: - 21:02:20:11:20:49:d5:84:47:fa:12:61:46:ec:b6:db:0e:d0: - 9d:3d:95:24:4f:a3:43:ab:d0:ad:dd:d9:61:b7:49:e2:5e + 30:44:02:20:10:95:f9:c8:20:bc:7d:ce:79:6d:35:23:4c:82: + 8c:f5:8b:d1:4f:69:a9:5e:70:97:dd:bb:c2:67:13:46:b0:47: + 02:20:4f:1f:43:c2:cc:63:1c:6e:26:89:2d:e7:ce:69:45:6d: + fb:8f:53:cd:1f:84:0f:93:fe:83:91:69:f2:91:c6:f9 -----BEGIN X509 CRL----- -MIIBIDCByAIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG +MIIBNTCB3gIBATAJBgcqhkjOPQQBMIGJMQswCQYDVQQGEwJVUzEPMA0GA1UECBMG T3JlZ29uMQ4wDAYDVQQHEwVTYWxlbTETMBEGA1UEChMKQ2xpZW50IEVDQzENMAsG A1UECxMERmFzdDEWMBQGA1UEAxMNd3d3Lnlhc3NsLmNvbTEdMBsGCSqGSIb3DQEJ -ARYOaW5mb0B5YXNzbC5jb20XDTEzMDYxNzIxMzIzMFoXDTEzMTIxNDIxMzIzMFqg -DjAMMAoGA1UdFAQDAgFYMAkGByqGSM49BAEDSAAwRQIhAOtuG135Q/lnW07RbTDH -wVej5iWvh3p3jdmJRx2kZA4hAiARIEnVhEf6EmFG7LbbDtCdPZUkT6NDq9Ct3dlh -t0niXg== +ARYOaW5mb0B5YXNzbC5jb20XDTE0MDIwNzIwMTQwNloXDTE1MDIwNzIwMTQwNlow +FDASAgECFw0xNDAyMDcyMDE0MDZaoA4wDDAKBgNVHRQEAwIBBDAJBgcqhkjOPQQB +A0cAMEQCIBCV+cggvH3OeW01I0yCjPWL0U9pqV5wl927wmcTRrBHAiBPH0PCzGMc +biaJLefOaUVt+49TzR+ED5P+g5Fp8pHG+Q== -----END X509 CRL----- diff --git a/certs/crl/eccSrvCRL.pem b/certs/crl/eccSrvCRL.pem index c62ce585a..48fae36f3 100644 --- a/certs/crl/eccSrvCRL.pem +++ b/certs/crl/eccSrvCRL.pem @@ -2,23 +2,25 @@ Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: ecdsa-with-SHA1 Issuer: /C=US/ST=Washington/L=Seattle/O=Eliptic/OU=ECC/CN=www.yassl.com/emailAddress=info@yassl.com - Last Update: Jun 17 21:32:30 2013 GMT - Next Update: Dec 14 21:32:30 2013 GMT + Last Update: Feb 7 20:14:06 2014 GMT + Next Update: Feb 7 20:14:06 2015 GMT CRL extensions: X509v3 CRL Number: - 89 -No Revoked Certificates. + 5 +Revoked Certificates: + Serial Number: 02 + Revocation Date: Feb 7 20:14:06 2014 GMT Signature Algorithm: ecdsa-with-SHA1 - 30:44:02:20:0c:78:df:c4:4b:8b:e0:70:15:4f:f6:7d:82:d6: - 0d:dd:a5:a0:e2:6a:95:4b:2b:6b:29:14:15:ba:51:0d:e3:1f: - 02:20:2b:4b:1d:7c:9d:2f:5a:01:3d:9b:c1:94:cd:10:86:fe: - e2:9d:a0:b2:3c:97:10:ba:a6:56:43:78:b3:92:9b:0b + 30:44:02:20:2a:2a:2c:ff:8a:0f:6a:74:57:b8:41:a8:5a:5c: + 8c:7d:c1:7d:b1:76:a3:db:ff:22:1a:69:cd:80:8d:d5:e4:2a: + 02:20:2d:51:3e:01:5b:79:6c:f4:89:89:63:46:0b:65:44:46: + 59:2d:42:3e:ba:a8:6d:08:4a:20:1f:9a:06:cc:a9:65 -----BEGIN X509 CRL----- -MIIBITCBygIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK +MIIBNzCB4AIBATAJBgcqhkjOPQQBMIGLMQswCQYDVQQGEwJVUzETMBEGA1UECBMK V2FzaGluZ3RvbjEQMA4GA1UEBxMHU2VhdHRsZTEQMA4GA1UEChMHRWxpcHRpYzEM MAoGA1UECxMDRUNDMRYwFAYDVQQDEw13d3cueWFzc2wuY29tMR0wGwYJKoZIhvcN -AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTMwNjE3MjEzMjMwWhcNMTMxMjE0MjEzMjMw -WqAOMAwwCgYDVR0UBAMCAVkwCQYHKoZIzj0EAQNHADBEAiAMeN/ES4vgcBVP9n2C -1g3dpaDiapVLK2spFBW6UQ3jHwIgK0sdfJ0vWgE9m8GUzRCG/uKdoLI8lxC6plZD -eLOSmws= +AQkBFg5pbmZvQHlhc3NsLmNvbRcNMTQwMjA3MjAxNDA2WhcNMTUwMjA3MjAxNDA2 +WjAUMBICAQIXDTE0MDIwNzIwMTQwNlqgDjAMMAoGA1UdFAQDAgEFMAkGByqGSM49 +BAEDRwAwRAIgKios/4oPanRXuEGoWlyMfcF9sXaj2/8iGmnNgI3V5CoCIC1RPgFb +eWz0iYljRgtlREZZLUI+uqhtCEogH5oGzKll -----END X509 CRL----- diff --git a/certs/crl/gencrls.sh b/certs/crl/gencrls.sh index a2ae48ff5..df7d27143 100755 --- a/certs/crl/gencrls.sh +++ b/certs/crl/gencrls.sh @@ -5,7 +5,7 @@ # caCrl -openssl ca -gencrl -crldays 180 -out crl.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem +openssl ca -gencrl -crldays 365 -out crl.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem # metadata openssl crl -in crl.pem -text > tmp @@ -17,7 +17,7 @@ cp crl.pem ~/cyassl/certs/crl/crl.pem openssl ca -revoke ~/cyassl/certs/server-cert.pem -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem # caCrl server revoked generation -openssl ca -gencrl -crldays 180 -out crl.revoked -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem +openssl ca -gencrl -crldays 365 -out crl.revoked -keyfile ~/cyassl/certs/ca-key.pem -cert ~/cyassl/certs/ca-cert.pem # metadata openssl crl -in crl.revoked -text > tmp @@ -29,7 +29,7 @@ cp crl.revoked ~/cyassl/certs/crl/crl.revoked cp blank.index.txt demoCA/index.txt # cliCrl -openssl ca -gencrl -crldays 180 -out cliCrl.pem -keyfile ~/cyassl/certs/client-key.pem -cert ~/cyassl/certs/client-cert.pem +openssl ca -gencrl -crldays 365 -out cliCrl.pem -keyfile ~/cyassl/certs/client-key.pem -cert ~/cyassl/certs/client-cert.pem # metadata openssl crl -in cliCrl.pem -text > tmp @@ -38,7 +38,7 @@ mv tmp cliCrl.pem cp cliCrl.pem ~/cyassl/certs/crl/cliCrl.pem # eccCliCRL -openssl ca -gencrl -crldays 180 -out eccCliCRL.pem -keyfile ~/cyassl/certs/ecc-client-key.pem -cert ~/cyassl/certs/client-ecc-cert.pem +openssl ca -gencrl -crldays 365 -out eccCliCRL.pem -keyfile ~/cyassl/certs/ecc-client-key.pem -cert ~/cyassl/certs/client-ecc-cert.pem # metadata openssl crl -in eccCliCRL.pem -text > tmp @@ -47,7 +47,7 @@ mv tmp eccCliCRL.pem cp eccCliCRL.pem ~/cyassl/certs/crl/eccCliCRL.pem # eccSrvCRL -openssl ca -gencrl -crldays 180 -out eccSrvCRL.pem -keyfile ~/cyassl/certs/ecc-key.pem -cert ~/cyassl/certs/server-ecc.pem +openssl ca -gencrl -crldays 365 -out eccSrvCRL.pem -keyfile ~/cyassl/certs/ecc-key.pem -cert ~/cyassl/certs/server-ecc.pem # metadata openssl crl -in eccSrvCRL.pem -text > tmp From 594feec68b9d87a40942001ffbbf22b09bf731d5 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 7 Feb 2014 12:28:41 -0800 Subject: [PATCH 07/49] v2.9.0 release --- README | 24 +++++++++++++++++++++++- configure.ac | 4 ++-- cyassl/version.h | 4 ++-- 3 files changed, 27 insertions(+), 5 deletions(-) diff --git a/README b/README index f0c02b584..e8c6c4965 100644 --- a/README +++ b/README @@ -35,11 +35,33 @@ before calling SSL_new(); Though it's not recommended. *** end Notes *** -CyaSSL Release 2.9.0 (X/XX/XXXX) +CyaSSL Release 2.9.0 (02/07/2014) Release 2.9.0 CyaSSL has bug fixes and new features including: - Freescale Kinetis RNGB support - Freescale Kinetis mmCAU support +- TLS Hello extensions + - ECC + - Secure Renegotiation (null) + - Truncated HMAC +- SCEP support + - PKCS #7 Enveloped data and signed data + - PKCS #10 Certificate Signing Request generation +- DTLS sliding window +- OCSP Improvements + - API change to integrate into Certificate Manager + - IPv4/IPv6 agnostic + - example client/server support for OCSP + - OCSP nonces are optional +- GMAC hashing +- Windows build additions +- Windows CYGWIN build fixes +- Updated test certificates +- Microchip MPLAB Harmony support +- Update autoconf scripts +- Additional X.509 inspection functions +- ECC encrypt/decrypt primitives +- ECC Certificate generation The Freescale Kinetis K53 RNGB documentation can be found in Chapter 33 of the K53 Sub-Family Reference Manual: diff --git a/configure.ac b/configure.ac index a558b69f9..6ba48ab95 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.8.6],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com]) +AC_INIT([cyassl],[2.9.0],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com]) AC_CONFIG_AUX_DIR([build-aux]) @@ -33,7 +33,7 @@ AC_CONFIG_MACRO_DIR([m4]) AC_CONFIG_HEADERS([config.h:config.in])dnl Keep filename to 8.3 for MS-DOS. #shared library versioning -CYASSL_LIBRARY_VERSION=5:2:0 +CYASSL_LIBRARY_VERSION=5:3:0 # | | | # +------+ | +---+ # | | | diff --git a/cyassl/version.h b/cyassl/version.h index 192ff9874..30bf70457 100644 --- a/cyassl/version.h +++ b/cyassl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBCYASSL_VERSION_STRING "2.8.6" -#define LIBCYASSL_VERSION_HEX 0x02008006 +#define LIBCYASSL_VERSION_STRING "2.9.0" +#define LIBCYASSL_VERSION_HEX 0x02009000 #ifdef __cplusplus } From f1c225065215c933138b08bca5971c2550608c35 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 7 Feb 2014 14:52:44 -0800 Subject: [PATCH 08/49] fix static analysis warning, g++ compile warning --- ctaocrypt/src/asn.c | 3 ++- tests/suites.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 1e7d0e5a0..bf6811375 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -3418,7 +3418,8 @@ int ParseCert(DecodedCert* cert, int type, int verify, void* cm) cert->subjectCNStored = 1; } - if (cert->keyOID == RSAk && cert->pubKeySize > 0) { + if (cert->keyOID == RSAk && + cert->publicKey != NULL && cert->pubKeySize > 0) { ptr = (char*) XMALLOC(cert->pubKeySize, cert->heap, DYNAMIC_TYPE_PUBLIC_KEY); if (ptr == NULL) diff --git a/tests/suites.c b/tests/suites.c index 72e23e1ba..4df5a469b 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -80,8 +80,8 @@ static int IsValidCipherSuite(const char* line, char* suite) int valid = 0; const char* find = "-l "; - char* begin = strstr(line, find); - char* end; + const char* begin = strstr(line, find); + const char* end; suite[0] = '\0'; From fd44cb056fbf19a69cea34830e6d7ba2145cd7ac Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 10 Feb 2014 16:27:44 -0800 Subject: [PATCH 09/49] allow badly reassembled sniffer packets to try on full length vs zero length --- src/sniffer.c | 20 ++++++++++++++++---- 1 file changed, 16 insertions(+), 4 deletions(-) diff --git a/src/sniffer.c b/src/sniffer.c index 8e0bff995..b94eb503c 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -962,12 +962,13 @@ int ssl_SetPrivateKey(const char* serverAddress, int port, const char* keyFile, /* Check IP Header for IPV4, TCP, and a registered server address */ /* returns 0 on success, -1 on error */ -static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, char* error) +static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, int length, char* error) { int version = IP_V(iphdr); TraceIP(iphdr); Trace(IP_CHECK_STR); + if (version != IPV4) { SetError(BAD_IPVER_STR, error, NULL, 0); return -1; @@ -988,6 +989,9 @@ static int CheckIpHdr(IpHdr* iphdr, IpInfo* info, char* error) info->src = iphdr->src; info->dst = iphdr->dst; + if (info->total == 0) + info->total = length; /* reassembled may be off */ + return 0; } @@ -1856,20 +1860,24 @@ static int CheckHeaders(IpInfo* ipInfo, TcpInfo* tcpInfo, const byte* packet, { TraceHeader(); TracePacket(); + + /* ip header */ if (length < IP_HDR_SZ) { SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return -1; } - if (CheckIpHdr((IpHdr*)packet, ipInfo, error) != 0) + if (CheckIpHdr((IpHdr*)packet, ipInfo, length, error) != 0) return -1; - + + /* tcp header */ if (length < (ipInfo->length + TCP_HDR_SZ)) { SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); return -1; } if (CheckTcpHdr((TcpHdr*)(packet + ipInfo->length), tcpInfo, error) != 0) return -1; - + + /* setup */ *sslFrame = packet + ipInfo->length + tcpInfo->length; if (*sslFrame > packet + length) { SetError(PACKET_HDR_SHORT_STR, error, NULL, 0); @@ -2314,6 +2322,10 @@ static int ProcessMessage(const byte* sslFrame, SnifferSession* session, session->sslServer : session->sslClient; doMessage: notEnough = 0; + if (sslBytes < 0) { + SetError(PACKET_HDR_SHORT_STR, error, session, FATAL_ERROR_STATE); + return -1; + } if (sslBytes >= RECORD_HEADER_SZ) { if (GetRecordHeader(sslFrame, &rh, &rhSize) != 0) { SetError(BAD_RECORD_HDR_STR, error, session, FATAL_ERROR_STATE); From 8178acfe13c8e58741243a888276da57363a8c69 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 11 Feb 2014 10:21:16 -0800 Subject: [PATCH 10/49] fix minor configure error for debug builds --- m4/ax_append_to_file.m4 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/m4/ax_append_to_file.m4 b/m4/ax_append_to_file.m4 index f9f54e088..15395178c 100644 --- a/m4/ax_append_to_file.m4 +++ b/m4/ax_append_to_file.m4 @@ -23,5 +23,5 @@ AC_DEFUN([AX_APPEND_TO_FILE],[ AC_REQUIRE([AX_FILE_ESCAPES]) -printf "$2\n" >> "$1" +printf -- "$2\n" >> "$1" ]) From 1cf884dcccbd439b6ec13e1165b04f937e020025 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 11 Feb 2014 13:08:12 -0800 Subject: [PATCH 11/49] add enable-certservice, ease of use --- configure.ac | 24 ++++++++++++++++++++++++ cyassl/ssl.h | 6 +++++- src/ssl.c | 6 ++++++ 3 files changed, 35 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 6ba48ab95..d59587eaf 100644 --- a/configure.ac +++ b/configure.ac @@ -1340,6 +1340,30 @@ then fi +# Certificate Service Support +AC_ARG_ENABLE([certservice], + [ --enable-certservice Enable cert service (default: disabled)], + [ ENABLED_CERT_SERVICE=$enableval ], + [ ENABLED_CERT_SERVICE=no ] + ) +if test "$ENABLED_CERT_SERVICE" = "yes" +then + # Requires ecc and certgen, make sure on + if test "x$ENABLED_CERTGEN" = "xno" + then + ENABLED_CERTGEN="yes" + AM_CFLAGS="$AM_CFLAGS -DCYASSL_CERT_GEN" + fi + if test "x$ENABLED_ECC" = "xno" + then + ENABLED_ECC="yes" + AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" + AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) + fi + AM_CFLAGS="$AM_CFLAGS -DCYASSL_HAVE_CERT_SERVICE" +fi + + # set fastmath default FASTMATH_DEFAULT=no diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 9013e5345..b1f56bc77 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -1285,9 +1285,13 @@ CYASSL_API int CyaSSL_accept_ex(CYASSL*, HandShakeCallBack, TimeoutCallBack, #ifdef CYASSL_HAVE_WOLFSCEP -CYASSL_API void CyaSSL_wolfSCEP(void); + CYASSL_API void CyaSSL_wolfSCEP(void); #endif /* CYASSL_HAVE_WOLFSCEP */ +#ifdef CYASSL_HAVE_CERT_SERVICE + CYASSL_API void CyaSSL_cert_service(void); +#endif + #ifdef __cplusplus } /* extern "C" */ diff --git a/src/ssl.c b/src/ssl.c index c77ec56c1..6ab70d1c4 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11403,3 +11403,9 @@ void* CyaSSL_GetRsaDecCtx(CYASSL* ssl) void CyaSSL_wolfSCEP(void) {} #endif + +#ifdef CYASSL_HAVE_CERT_SERVICE + /* Used by autoconf to see if cert service is available */ + void CyaSSL_cert_service(void) {} +#endif + From 2ff78b7fdaa31440928bf3ec0348ac98705f47d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Tue, 11 Feb 2014 11:24:11 -0300 Subject: [PATCH 12/49] Boundaries check for client hello parsing. -- INCOMPLETE DATA checked only once with hello size against buffer size -- BUFFER_ERROR returned in case of message overflow (piece larger than the hello size) -- OPAQUE16_LEN used whenever 2 bytes are needed. -- Session id checking improved. TLS extensions return codes fixed. --- src/internal.c | 129 +++++++++++++++++++++++++++++++++---------------- src/tls.c | 62 +++++++++++------------- 2 files changed, 114 insertions(+), 77 deletions(-) diff --git a/src/internal.c b/src/internal.c index 04c516389..e15249829 100644 --- a/src/internal.c +++ b/src/internal.c @@ -9988,30 +9988,39 @@ static void PickHashSigAlgo(CYASSL* ssl, static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, word32 totalSz, word32 helloSz) { - byte b; + byte b; ProtocolVersion pv; Suites clSuites; - word32 i = *inOutIdx; - word32 begin = i; + word32 i = *inOutIdx; + word32 begin = i; #ifdef CYASSL_CALLBACKS if (ssl->hsInfoOn) AddPacketName("ClientHello", &ssl->handShakeInfo); if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); #endif - /* make sure can read up to session */ - if (i + sizeof(pv) + RAN_LEN + ENUM_LEN > totalSz) + + /* make sure can read the client hello */ + if (begin + helloSz > totalSz) return INCOMPLETE_DATA; - XMEMCPY(&pv, input + i, sizeof(pv)); + /* protocol version, random and session id length check */ + if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz) + return BUFFER_ERROR; + + /* protocol version */ + XMEMCPY(&pv, input + i, OPAQUE16_LEN); ssl->chVersion = pv; /* store */ - i += (word32)sizeof(pv); + i += OPAQUE16_LEN; + if (ssl->version.minor > pv.minor) { byte haveRSA = 0; byte havePSK = 0; + if (!ssl->options.downgrade) { CYASSL_MSG("Client trying to connect with lesser version"); return VERSION_ERROR; } + if (pv.minor == SSLv3_MINOR) { /* turn off tls */ CYASSL_MSG(" downgrading to SSLv3"); @@ -10040,6 +10049,7 @@ static void PickHashSigAlgo(CYASSL* ssl, ssl->options.haveECDSAsig, ssl->options.haveStaticECC, ssl->options.side); } + /* random */ XMEMCPY(ssl->arrays->clientRandom, input + i, RAN_LEN); i += RAN_LEN; @@ -10053,79 +10063,103 @@ static void PickHashSigAlgo(CYASSL* ssl, printf("\n"); } #endif + /* session id */ b = input[i++]; - if (b) { - if (i + ID_LEN > totalSz) - return INCOMPLETE_DATA; + + if (b == ID_LEN) { + if ((i - begin) + ID_LEN > helloSz) + return BUFFER_ERROR; + XMEMCPY(ssl->arrays->sessionID, input + i, ID_LEN); - i += b; - ssl->options.resuming= 1; /* client wants to resume */ + i += ID_LEN; + ssl->options.resuming = 1; /* client wants to resume */ CYASSL_MSG("Client wants to resume session"); } + else if (b) + return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ #ifdef CYASSL_DTLS /* cookie */ if (ssl->options.dtls) { + + if ((i - begin) + ENUM_LEN > helloSz) + return BUFFER_ERROR; + b = input[i++]; + if (b) { byte cookie[MAX_COOKIE_LEN]; if (b > MAX_COOKIE_LEN) return BUFFER_ERROR; - if (i + b > totalSz) - return INCOMPLETE_DATA; + + if ((i - begin) + b > helloSz) + return BUFFER_ERROR; + if (ssl->ctx->CBIOCookie == NULL) { CYASSL_MSG("Your Cookie callback is null, please set"); return COOKIE_ERROR; } + if ((ssl->ctx->CBIOCookie(ssl, cookie, COOKIE_SZ, ssl->IOCB_CookieCtx) != COOKIE_SZ) || (b != COOKIE_SZ) || (XMEMCMP(cookie, input + i, b) != 0)) { return COOKIE_ERROR; } + i += b; } } #endif - if (i + LENGTH_SZ > totalSz) - return INCOMPLETE_DATA; /* suites */ - ato16(&input[i], &clSuites.suiteSz); - i += 2; + if ((i - begin) + OPAQUE16_LEN > helloSz) + return BUFFER_ERROR; + + ato16(&input[i], &clSuites.suiteSz); + i += OPAQUE16_LEN; + + /* suites and compression length check */ + if ((i - begin) + clSuites.suiteSz + ENUM_LEN > helloSz) + return BUFFER_ERROR; - /* suites and comp len */ - if (i + clSuites.suiteSz + ENUM_LEN > totalSz) - return INCOMPLETE_DATA; if (clSuites.suiteSz > MAX_SUITE_SZ) return BUFFER_ERROR; + XMEMCPY(clSuites.suites, input + i, clSuites.suiteSz); i += clSuites.suiteSz; clSuites.hashSigAlgoSz = 0; - b = input[i++]; /* comp len */ - if (i + b > totalSz) - return INCOMPLETE_DATA; + /* compression length */ + b = input[i++]; + + if ((i - begin) + b > helloSz) + return BUFFER_ERROR; if (ssl->options.usingCompression) { int match = 0; + while (b--) { byte comp = input[i++]; + if (comp == ZLIB_COMPRESSION) match = 1; } + if (!match) { CYASSL_MSG("Not matching compression, turning off"); ssl->options.usingCompression = 0; /* turn off */ } } else - i += b; /* ignore, since we're not on */ + i += b; /* ignore, since we're not on */ *inOutIdx = i; - if ( (i - begin) < helloSz) { + + /* tls extensions */ + if ((i - begin) < helloSz) { #ifdef HAVE_TLS_EXTENSIONS if (IsTLS(ssl)) { int ret = 0; @@ -10135,10 +10169,14 @@ static void PickHashSigAlgo(CYASSL* ssl, /* Process the hello extension. Skip unsupported. */ word16 totalExtSz; + if ((i - begin) + OPAQUE16_LEN > helloSz) + return BUFFER_ERROR; + ato16(&input[i], &totalExtSz); - i += LENGTH_SZ; - if (totalExtSz > helloSz + begin - i) - return INCOMPLETE_DATA; + i += OPAQUE16_LEN; + + if ((i - begin) + totalExtSz > helloSz) + return BUFFER_ERROR; #ifdef HAVE_TLS_EXTENSIONS if ((ret = TLSX_Parse(ssl, (byte *) input + i, @@ -10149,19 +10187,24 @@ static void PickHashSigAlgo(CYASSL* ssl, #else while (totalExtSz) { word16 extId, extSz; + + if (OPAQUE16_LEN + OPAQUE16_LEN > totalExtSz) + return BUFFER_ERROR; ato16(&input[i], &extId); - i += LENGTH_SZ; + i += OPAQUE16_LEN; ato16(&input[i], &extSz); - i += EXT_ID_SZ; - if (extSz > totalExtSz - LENGTH_SZ - EXT_ID_SZ) - return INCOMPLETE_DATA; + i += OPAQUE16_LEN; + + if (OPAQUE16_LEN + OPAQUE16_LEN + extSz > totalExtSz) + return BUFFER_ERROR; if (extId == HELLO_EXT_SIG_ALGO) { ato16(&input[i], &clSuites.hashSigAlgoSz); - i += LENGTH_SZ; - if (clSuites.hashSigAlgoSz > extSz - LENGTH_SZ) - return INCOMPLETE_DATA; + i += OPAQUE16_LEN; + + if (OPAQUE16_LEN + clSuites.hashSigAlgoSz > extSz) + return BUFFER_ERROR; XMEMCPY(clSuites.hashSigAlgo, &input[i], min(clSuites.hashSigAlgoSz, HELLO_EXT_SIGALGO_MAX)); @@ -10170,27 +10213,29 @@ static void PickHashSigAlgo(CYASSL* ssl, else i += extSz; - totalExtSz -= LENGTH_SZ + EXT_ID_SZ + extSz; + totalExtSz -= OPAQUE16_LEN + OPAQUE16_LEN + extSz; } #endif *inOutIdx = i; } else - *inOutIdx = begin + helloSz; /* skip extensions */ + *inOutIdx = begin + helloSz; /* skip extensions */ } - ssl->options.clientState = CLIENT_HELLO_COMPLETE; - + ssl->options.clientState = CLIENT_HELLO_COMPLETE; ssl->options.haveSessionId = 1; + /* ProcessOld uses same resume code */ if (ssl->options.resuming && (!ssl->options.dtls || - ssl->options.acceptState == HELLO_VERIFY_SENT)) { /* let's try */ + ssl->options.acceptState == HELLO_VERIFY_SENT)) { /* let's try */ int ret = -1; CYASSL_SESSION* session = GetSession(ssl,ssl->arrays->masterSecret); + if (!session) { CYASSL_MSG("Session lookup for resume failed"); ssl->options.resuming = 0; - } else { + } + else { if (MatchSuite(ssl, &clSuites) < 0) { CYASSL_MSG("Unsupported cipher suite, ClientHello"); return UNSUPPORTED_SUITE; diff --git a/src/tls.c b/src/tls.c index 6f4d4e6cb..02d69a57d 100644 --- a/src/tls.c +++ b/src/tls.c @@ -721,46 +721,38 @@ static int TLSX_SNI_Parse(CYASSL* ssl, byte* input, word16 length, if (!extension) extension = TLSX_Find(ssl->ctx->extensions, SERVER_NAME_INDICATION); - if (!extension || !extension->data) { - if (!isRequest) { - CYASSL_MSG("Unexpected SNI response from server"); - } + if (!extension || !extension->data) + return isRequest ? 0 : BUFFER_ERROR; /* not using SNI OR unexpected + SNI response from server. */ - return 0; /* not using SNI */ - } - - if (!isRequest) { - if (length) { - CYASSL_MSG("SNI response should be empty!"); - } - - return 0; /* nothing to do */ - } + if (!isRequest) + return length ? BUFFER_ERROR : 0; /* SNI response must be empty! + Nothing else to do. */ #ifndef NO_CYASSL_SERVER if (OPAQUE16_LEN > length) - return INCOMPLETE_DATA; + return BUFFER_ERROR; ato16(input, &size); offset += OPAQUE16_LEN; /* validating sni list length */ if (length != OPAQUE16_LEN + size) - return INCOMPLETE_DATA; + return BUFFER_ERROR; for (size = 0; offset < length; offset += size) { SNI *sni; byte type = input[offset++]; if (offset + OPAQUE16_LEN > length) - return INCOMPLETE_DATA; + return BUFFER_ERROR; ato16(input + offset, &size); offset += OPAQUE16_LEN; if (offset + size > length) - return INCOMPLETE_DATA; + return BUFFER_ERROR; if (!(sni = TLSX_SNI_Find((SNI *) extension->data, type))) { continue; /* not using this SNI type */ @@ -905,34 +897,34 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, offset += HANDSHAKE_HEADER_SZ; if (offset + len32 > helloSz) - return INCOMPLETE_DATA; + return BUFFER_ERROR; /* client hello */ offset += VERSION_SZ + RAN_LEN; /* version, random */ if (helloSz < offset + clientHello[offset]) - return INCOMPLETE_DATA; + return BUFFER_ERROR; offset += ENUM_LEN + clientHello[offset]; /* skip session id */ /* cypher suites */ if (helloSz < offset + OPAQUE16_LEN) - return INCOMPLETE_DATA; + return BUFFER_ERROR; ato16(clientHello + offset, &len16); offset += OPAQUE16_LEN; if (helloSz < offset + len16) - return INCOMPLETE_DATA; + return BUFFER_ERROR; offset += len16; /* skip cypher suites */ /* compression methods */ if (helloSz < offset + 1) - return INCOMPLETE_DATA; + return BUFFER_ERROR; if (helloSz < offset + clientHello[offset]) - return INCOMPLETE_DATA; + return BUFFER_ERROR; offset += ENUM_LEN + clientHello[offset]; /* skip compression methods */ @@ -944,7 +936,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, offset += OPAQUE16_LEN; if (helloSz < offset + len16) - return INCOMPLETE_DATA; + return BUFFER_ERROR; while (len16 > OPAQUE16_LEN + OPAQUE16_LEN) { word16 extType; @@ -957,7 +949,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, offset += OPAQUE16_LEN; if (helloSz < offset + extLen) - return INCOMPLETE_DATA; + return BUFFER_ERROR; if (extType != SERVER_NAME_INDICATION) { offset += extLen; /* skip extension */ @@ -968,7 +960,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, offset += OPAQUE16_LEN; if (helloSz < offset + listLen) - return INCOMPLETE_DATA; + return BUFFER_ERROR; while (listLen > ENUM_LEN + OPAQUE16_LEN) { byte sniType = clientHello[offset++]; @@ -978,7 +970,7 @@ int TLSX_SNI_GetFromBuffer(const byte* clientHello, word32 helloSz, offset += OPAQUE16_LEN; if (helloSz < offset + sniLen) - return INCOMPLETE_DATA; + return BUFFER_ERROR; if (sniType != type) { offset += sniLen; @@ -1028,7 +1020,7 @@ static int TLSX_MFL_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest) { if (length != ENUM_LEN) - return INCOMPLETE_DATA; + return BUFFER_ERROR; switch (*input) { case CYASSL_MFL_2_9 : ssl->max_fragment = 512; break; @@ -1135,7 +1127,7 @@ static int TLSX_THM_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest) { if (length != 0 || input == NULL) - return INCOMPLETE_DATA; + return BUFFER_ERROR; #ifndef NO_CYASSL_SERVER if (isRequest) { @@ -1258,13 +1250,13 @@ static int TLSX_EllipticCurve_Parse(CYASSL* ssl, byte* input, word16 length, (void) isRequest; /* shut up compiler! */ if (OPAQUE16_LEN > length || length % OPAQUE16_LEN) - return INCOMPLETE_DATA; + return BUFFER_ERROR; ato16(input, &offset); /* validating curve list length */ if (length != OPAQUE16_LEN + offset) - return INCOMPLETE_DATA; + return BUFFER_ERROR; while (offset) { ato16(input + offset, &name); @@ -1705,7 +1697,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, word16 size; if (length - offset < HELLO_EXT_TYPE_SZ + OPAQUE16_LEN) - return INCOMPLETE_DATA; + return BUFFER_ERROR; ato16(input + offset, &type); offset += HELLO_EXT_TYPE_SZ; @@ -1714,7 +1706,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, offset += OPAQUE16_LEN; if (offset + size > length) - return INCOMPLETE_DATA; + return BUFFER_ERROR; switch (type) { case SERVER_NAME_INDICATION: @@ -1748,7 +1740,7 @@ int TLSX_Parse(CYASSL* ssl, byte* input, word16 length, byte isRequest, ato16(input + offset, &suites->hashSigAlgoSz); if (suites->hashSigAlgoSz > size - OPAQUE16_LEN) - return INCOMPLETE_DATA; + return BUFFER_ERROR; XMEMCPY(suites->hashSigAlgo, input + offset + OPAQUE16_LEN, From 6bc30095442918b4f76fb4ccca58bb140f52c818 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 11 Feb 2014 17:49:19 -0800 Subject: [PATCH 13/49] fix minor configure error for debug builds redux 1. Backed out change from commit 8178acfe. 2. AX_DEBUG calling AX_ADD_AM_MACRO incorrectly. Syntax should be AX_ADD_AM_MACRO( VAR += value ), not AX_ADD_AM_MACRO( value, VAR ). --- m4/ax_append_to_file.m4 | 2 +- m4/ax_debug.m4 | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/m4/ax_append_to_file.m4 b/m4/ax_append_to_file.m4 index 15395178c..f9f54e088 100644 --- a/m4/ax_append_to_file.m4 +++ b/m4/ax_append_to_file.m4 @@ -23,5 +23,5 @@ AC_DEFUN([AX_APPEND_TO_FILE],[ AC_REQUIRE([AX_FILE_ESCAPES]) -printf -- "$2\n" >> "$1" +printf "$2\n" >> "$1" ]) diff --git a/m4/ax_debug.m4 b/m4/ax_debug.m4 index 5ea3c3594..7696a1147 100644 --- a/m4/ax_debug.m4 +++ b/m4/ax_debug.m4 @@ -52,8 +52,8 @@ AC_DEFUN([AX_DEBUG], [Add debug code/turns off optimizations (yes|no) @<:@default=no@:>@])], [ax_enable_debug=yes AC_DEFINE([DEBUG],[1],[Define to 1 to enable debugging code.]) - AX_ADD_AM_MACRO([--debug],[AM_YFLAGS]) - AX_ADD_AM_MACRO([-D_GLIBCXX_DEBUG],[AM_CPPFLAGS])], + AX_ADD_AM_MACRO([AM_YFLAGS += --debug]) + AX_ADD_AM_MACRO([AM_CPPFLAGS += -D_GLIBCXX_DEBUG])], [ax_enable_debug=no AC_SUBST([MCHECK]) AC_DEFINE([DEBUG],[0],[Define to 1 to enable debugging code.])]) From ba1cbdd8bcf744a87dc9c9ede49f2778711ac158 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 11 Feb 2014 17:56:59 -0800 Subject: [PATCH 14/49] When NTRU enabled, testsuite should use NTRU cipher suites for testing. --- testsuite/testsuite.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 6d6cc8921..8629f0b10 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -117,7 +117,7 @@ int main(int argc, char** argv) myArgv[1] = argc1; myArgv[2] = argc2; - echo_args.argc = NUMARGS; + echo_args.argc = 3; echo_args.argv = myArgv; strcpy(echo_args.argv[0], "echoclient"); @@ -171,10 +171,16 @@ void simple_test(func_args* args) THREAD_TYPE serverThread; func_args svrArgs; - char *svrArgv[NUMARGS]; + char *svrArgv[9]; char argc0s[32]; char argc1s[32]; char argc2s[32]; + char argc3s[32]; + char argc4s[32]; + char argc5s[32]; + char argc6s[32]; + char argc7s[32]; + char argc8s[32]; func_args cliArgs; char *cliArgv[NUMARGS]; @@ -185,6 +191,12 @@ void simple_test(func_args* args) svrArgv[0] = argc0s; svrArgv[1] = argc1s; svrArgv[2] = argc2s; + svrArgv[3] = argc3s; + svrArgv[4] = argc4s; + svrArgv[5] = argc5s; + svrArgv[6] = argc6s; + svrArgv[7] = argc7s; + svrArgv[8] = argc8s; cliArgv[0] = argc0c; cliArgv[1] = argc1c; cliArgv[2] = argc2c; @@ -198,9 +210,16 @@ void simple_test(func_args* args) strcpy(svrArgs.argv[0], "SimpleServer"); #if !defined(USE_WINDOWS_API) && !defined(CYASSL_SNIFFER) - svrArgs.argc = NUMARGS; - strcpy(svrArgs.argv[1], "-p"); - strcpy(svrArgs.argv[2], "0"); + strcpy(svrArgs.argv[svrArgs.argc++], "-p"); + strcpy(svrArgs.argv[svrArgs.argc++], "0"); + #endif + #ifdef HAVE_NTRU + strcpy(svrArgs.argv[svrArgs.argc++], "-d"); + strcpy(svrArgs.argv[svrArgs.argc++], "-n"); + strcpy(svrArgs.argv[svrArgs.argc++], "-c"); + strcpy(svrArgs.argv[svrArgs.argc++], "./certs/ntru-cert.pem"); + strcpy(svrArgs.argv[svrArgs.argc++], "-k"); + strcpy(svrArgs.argv[svrArgs.argc++], "./certs/ntru-key.raw"); #endif /* Set the last arg later, when it is known. */ From b6d4f10222ae454f8ff2993fc5d6d6df48cee9a3 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 11 Feb 2014 18:59:20 -0800 Subject: [PATCH 15/49] Reenabled examples when building single-threaded. Changed testsuite and unit tests to leave out tests cases that require threading. --- configure.ac | 1 - tests/api.c | 8 ++++++++ tests/unit.c | 25 +++++++++++++++++++----- testsuite/testsuite.c | 44 +++++++++++++++++++++++++++++++++++-------- 4 files changed, 64 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index d59587eaf..ff4b5a687 100644 --- a/configure.ac +++ b/configure.ac @@ -1422,7 +1422,6 @@ AC_ARG_ENABLE([examples], [ ENABLED_EXAMPLES=yes ] ) -AS_IF([test "x$ENABLED_SINGLETHREADED" = "xyes"], [ENABLED_EXAMPLES="no"]) AS_IF([test "x$ENABLED_FILESYSTEM" = "xno"], [ENABLED_EXAMPLES="no"]) AS_IF([test "x$ENABLED_INLINE" = "xno"], [ENABLED_EXAMPLES="no"]) # certs still have sha signatures for now diff --git a/tests/api.c b/tests/api.c index 94a232f06..efbce2d33 100644 --- a/tests/api.c +++ b/tests/api.c @@ -44,7 +44,9 @@ static int test_CyaSSL_CTX_load_verify_locations(void); #ifndef NO_RSA static int test_server_CyaSSL_new(void); static int test_client_CyaSSL_new(void); +#ifndef SINGLE_THREADED static int test_CyaSSL_read_write(void); +#endif /* SINGLE_THREADED */ #endif /* NO_RSA */ #endif /* NO_FILESYSTEM */ #ifdef HAVE_SNI @@ -107,7 +109,9 @@ int ApiTest(void) #ifndef NO_RSA test_server_CyaSSL_new(); test_client_CyaSSL_new(); +#ifndef SINGLE_THREADED test_CyaSSL_read_write(); +#endif /* SINGLE_THREADED */ #endif /* NO_RSA */ #endif /* NO_FILESYSTEM */ #ifdef HAVE_SNI @@ -892,6 +896,8 @@ int test_client_CyaSSL_new(void) } +#ifndef SINGLE_THREADED + static int test_CyaSSL_read_write(void) { /* The unit testing for read and write shall happen simutaneously, since @@ -1278,4 +1284,6 @@ void test_CyaSSL_client_server(callback_functions* client_callbacks, FreeTcpReady(&ready); } +#endif /* SINGLE_THREADED*/ + #endif /* NO_FILESYSTEM */ diff --git a/tests/unit.c b/tests/unit.c index f1926f2e9..287ad3cf7 100644 --- a/tests/unit.c +++ b/tests/unit.c @@ -42,10 +42,12 @@ int main(int argc, char** argv) return ret; } +#ifndef SINGLE_THREADED if ( (ret = SuiteTest()) != 0){ printf("suite test failed with %d\n", ret); return ret; } +#endif #ifdef HAVE_CAVIUM CspShutdown(CAVIUM_DEV_ID); @@ -55,9 +57,12 @@ int main(int argc, char** argv) } + void wait_tcp_ready(func_args* args) { -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) +#ifdef SINGLE_THREADED + (void)args; +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_mutex_lock(&args->signal->mutex); if (!args->signal->ready) @@ -73,7 +78,11 @@ void wait_tcp_ready(func_args* args) void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread) { -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) +#ifdef SINGLE_THREADED + (void)fun; + (void)args; + (void)thread; +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_create(thread, 0, fun, args); return; #else @@ -84,7 +93,9 @@ void start_thread(THREAD_FUNC fun, func_args* args, THREAD_TYPE* thread) void join_thread(THREAD_TYPE thread) { -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) +#ifdef SINGLE_THREADED + (void)thread; +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_join(thread, 0); #else int res = WaitForSingleObject((HANDLE)thread, INFINITE); @@ -99,7 +110,8 @@ void InitTcpReady(tcp_ready* ready) { ready->ready = 0; ready->port = 0; -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) +#ifdef SINGLE_THREADED +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_mutex_init(&ready->mutex, 0); pthread_cond_init(&ready->cond, 0); #endif @@ -108,10 +120,13 @@ void InitTcpReady(tcp_ready* ready) void FreeTcpReady(tcp_ready* ready) { -#if defined(_POSIX_THREADS) && !defined(__MINGW32__) +#ifdef SINGLE_THREADED + (void)ready; +#elif defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_mutex_destroy(&ready->mutex); pthread_cond_destroy(&ready->cond); #else (void)ready; #endif } + diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 8629f0b10..2a5ba498f 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -25,22 +25,18 @@ #include -#include #include -#include - #include "ctaocrypt/test/test.h" -#ifdef SINGLE_THREADED - #error testsuite needs threads to run, please run ctaocrypt/test, \ - and the examples/ individually -#endif +#ifndef SINGLE_THREADED + +#include +#include #include "examples/echoclient/echoclient.h" #include "examples/echoserver/echoserver.h" #include "examples/server/server.h" #include "examples/client/client.h" -#include "ctaocrypt/test/test.h" void file_test(const char* file, byte* hash); @@ -336,3 +332,35 @@ void file_test(const char* file, byte* check) } +#else /* SINGLE_THREADED */ + + +int myoptind = 0; +char* myoptarg = NULL; + + +int main(int argc, char** argv) +{ + func_args server_args; + + server_args.argc = argc; + server_args.argv = argv; + + if (CurrentDir("testsuite") || CurrentDir("_build")) + ChangeDirBack(1); + else if (CurrentDir("Debug") || CurrentDir("Release")) + ChangeDirBack(3); /* Xcode->Preferences->Locations->Locations*/ + /* Derived Data Advanced -> Custom */ + /* Relative to Workspace, Build/Products */ + /* Debug or Release */ + + ctaocrypt_test(&server_args); + if (server_args.return_code != 0) return server_args.return_code; + + printf("\nAll tests passed!\n"); + return EXIT_SUCCESS; +} + + +#endif /* SINGLE_THREADED */ + From cf6eaf219a0af58da93b7ef952d2bb7352068408 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 12 Feb 2014 13:39:38 -0700 Subject: [PATCH 16/49] tyto build - add GenerateSeed, exclude ctype.h, test.h --- ctaocrypt/src/random.c | 12 ++++++++++++ ctaocrypt/test/test.c | 4 +++- cyassl/ctaocrypt/types.h | 4 +++- 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/ctaocrypt/src/random.c b/ctaocrypt/src/random.c index 03dd75553..0b84af3e5 100644 --- a/ctaocrypt/src/random.c +++ b/ctaocrypt/src/random.c @@ -629,6 +629,18 @@ int GenerateSeed(OS_Seed* os, byte* output, word32 sz) return 0; } +#elif defined(CYASSL_TYTO) + + int GenerateSeed(OS_Seed* os, byte* output, word32 sz) + { + int i; + + for (i = 0; i < sz; i++ ) + output[i] = rand_gen(); + + return 0; + } + #elif defined(NO_DEV_RANDOM) #error "you need to write an os specific GenerateSeed() here" diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index 293879c03..a0e72d83a 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -121,7 +121,9 @@ #define printf dc_log_printf #endif -#include "ctaocrypt/test/test.h" +#ifndef CYASSL_TYTO + #include "ctaocrypt/test/test.h" +#endif typedef struct testVector { diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h index ea9cf8c11..4d101275e 100644 --- a/cyassl/ctaocrypt/types.h +++ b/cyassl/ctaocrypt/types.h @@ -211,7 +211,9 @@ enum { #endif #ifndef CTYPE_USER - #include + #ifndef CYASSL_TYTO + #include + #endif #if defined(HAVE_ECC) || defined(HAVE_OCSP) #define XTOUPPER(c) toupper((c)) #define XISALPHA(c) isalpha((c)) From e3f8b74181d2317135c6394173b4d501cfa16692 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Wed, 12 Feb 2014 14:18:23 -0700 Subject: [PATCH 17/49] update tyto settings.h --- cyassl/ctaocrypt/settings.h | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h index 22dea06d0..517c14d46 100644 --- a/cyassl/ctaocrypt/settings.h +++ b/cyassl/ctaocrypt/settings.h @@ -157,13 +157,21 @@ #define NO_FILESYSTEM #define CYASSL_USER_IO #define NO_DEV_RANDOM + #define HAVE_HKDF + + /* ECC and optimizations */ #define HAVE_ECC #define HAVE_ECC_ENCRYPT - #define ECC_SHAMIR - #define HAVE_HKDF #define USE_FAST_MATH #define TFM_TIMING_RESISTANT + #define TFM_ECC256 + #define ECC_SHAMIR + #define FP_ECC + #define FP_ENTRIES 2 + #define FP_LUT 4 #define FP_MAX_BITS 512 + + /* remove features */ #define NO_OLD_TLS #define NO_MD4 #define NO_RABBIT From cfdb76215b847c290c283a585b2b55b2250870ff Mon Sep 17 00:00:00 2001 From: Brian Aker Date: Wed, 12 Feb 2014 13:47:39 -0800 Subject: [PATCH 18/49] Updates for building rpm. --- rpm/spec.in | 17 +++++++++++++---- 1 file changed, 13 insertions(+), 4 deletions(-) diff --git a/rpm/spec.in b/rpm/spec.in index c18eedf57..4ea152a32 100644 --- a/rpm/spec.in +++ b/rpm/spec.in @@ -4,7 +4,15 @@ Version: @VERSION@ Release: 1 License: GPLv2 Group: System Environment/Libraries -BuildRequires: bison +BuildRequires: gcc +BuildRequires: glibc +BuildRequires: glibc-common +BuildRequires: glibc-devel +BuildRequires: glibc-headers +BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: sed +BuildRequires: tar URL: http://www.yassl.com/yaSSL/Home.html Packager: Brian Aker @@ -61,7 +69,7 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/libcyassl.la %{_libdir}/libcyassl.so %{_libdir}/libcyassl.so.5 -%{_libdir}/libcyassl.so.5.0.2 +%{_libdir}/libcyassl.so.5.0.3 %files devel %defattr(-,root,root,-) @@ -96,6 +104,8 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/cyassl/ctaocrypt/misc.h %{_includedir}/cyassl/ctaocrypt/mpi_class.h %{_includedir}/cyassl/ctaocrypt/mpi_superclass.h +%{_includedir}/cyassl/ctaocrypt/pkcs7.h +%{_includedir}/cyassl/ctaocrypt/port.h %{_includedir}/cyassl/ctaocrypt/pwdbased.h %{_includedir}/cyassl/ctaocrypt/rabbit.h %{_includedir}/cyassl/ctaocrypt/random.h @@ -109,7 +119,6 @@ mkdir -p $RPM_BUILD_ROOT/ %{_includedir}/cyassl/ctaocrypt/types.h %{_includedir}/cyassl/ctaocrypt/visibility.h %{_includedir}/cyassl/error.h -%{_includedir}/cyassl/internal.h %{_includedir}/cyassl/ocsp.h %{_includedir}/cyassl/openssl/asn1.h %{_includedir}/cyassl/openssl/bio.h @@ -152,5 +161,5 @@ mkdir -p $RPM_BUILD_ROOT/ %{_libdir}/pkgconfig/cyassl.pc %changelog -* Fri Oct 20 2012 Brian Aker - 0.1-1 +* Fri Oct 20 2012 Brian Aker - Initial package From 757db12917d6696f1090a113b070d3c28a60b619 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 13 Feb 2014 08:53:12 -0800 Subject: [PATCH 19/49] add to certservice requirements --- configure.ac | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index d59587eaf..6f35ea22e 100644 --- a/configure.ac +++ b/configure.ac @@ -1348,7 +1348,7 @@ AC_ARG_ENABLE([certservice], ) if test "$ENABLED_CERT_SERVICE" = "yes" then - # Requires ecc and certgen, make sure on + # Requires ecc,certgen, and opensslextra make sure on if test "x$ENABLED_CERTGEN" = "xno" then ENABLED_CERTGEN="yes" @@ -1360,6 +1360,11 @@ then AM_CFLAGS="$AM_CFLAGS -DHAVE_ECC -DTFM_ECC256 -DECC_SHAMIR" AM_CONDITIONAL([BUILD_ECC], [test "x$ENABLED_ECC" = "xyes"]) fi + if test "x$ENABLED_OPENSSLEXTRA" = "xno" + then + ENABLED_OPENSSLEXTRA="yes" + AM_CFLAGS="-DOPENSSL_EXTRA $AM_CFLAGS" + fi AM_CFLAGS="$AM_CFLAGS -DCYASSL_HAVE_CERT_SERVICE" fi From 1a075e36293585b74ffa29fad01fbe8b808b598c Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 13 Feb 2014 09:33:30 -0800 Subject: [PATCH 20/49] use host_cpu instead of target_cpu to determine cpu to run on, target is now only for cross compilation tools --- configure.ac | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index e9f71f9b3..3d94bc68b 100644 --- a/configure.ac +++ b/configure.ac @@ -10,8 +10,6 @@ AC_INIT([cyassl],[2.9.0],[https://github.com/cyassl/cyassl/issues],[cyassl],[htt AC_CONFIG_AUX_DIR([build-aux]) -# using $targget_cpu to only turn on fastmath by default on x86_64 -AC_CANONICAL_TARGET AC_CANONICAL_HOST AC_CANONICAL_BUILD @@ -1372,7 +1370,7 @@ fi # set fastmath default FASTMATH_DEFAULT=no -if test "$target_cpu" = "x86_64" +if test "$host_cpu" = "x86_64" then FASTMATH_DEFAULT=yes fi From 7959239fb09572e0fb6b0af2b8a84e1d83c28158 Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 13 Feb 2014 15:15:49 -0800 Subject: [PATCH 21/49] bump dev version --- configure.ac | 2 +- cyassl/version.h | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 3d94bc68b..eded5ddef 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.9.0],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com]) +AC_INIT([cyassl],[2.9.1],[https://github.com/cyassl/cyassl/issues],[cyassl],[http://www.yassl.com]) AC_CONFIG_AUX_DIR([build-aux]) diff --git a/cyassl/version.h b/cyassl/version.h index 30bf70457..dbd2a819c 100644 --- a/cyassl/version.h +++ b/cyassl/version.h @@ -26,8 +26,8 @@ extern "C" { #endif -#define LIBCYASSL_VERSION_STRING "2.9.0" -#define LIBCYASSL_VERSION_HEX 0x02009000 +#define LIBCYASSL_VERSION_STRING "2.9.1" +#define LIBCYASSL_VERSION_HEX 0x02009001 #ifdef __cplusplus } From bc3fc658bb140669abafdeaf7e0f2b44b5dd9f21 Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 14 Feb 2014 14:46:49 -0700 Subject: [PATCH 22/49] move filesystem abstraction to port.h --- cyassl/ctaocrypt/port.h | 70 +++++++++++++++++++++++++++++++++++++++++ src/ssl.c | 65 -------------------------------------- 2 files changed, 70 insertions(+), 65 deletions(-) diff --git a/cyassl/ctaocrypt/port.h b/cyassl/ctaocrypt/port.h index 1591d4c8b..945e30a47 100644 --- a/cyassl/ctaocrypt/port.h +++ b/cyassl/ctaocrypt/port.h @@ -111,6 +111,76 @@ CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*); CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*); +#ifndef NO_FILESYSTEM + +#if defined(EBSNET) + #define XFILE int + #define XFOPEN(NAME, MODE) vf_open((const char *)NAME, VO_RDONLY, 0); + #define XFSEEK vf_lseek + #define XFTELL vf_tell + #define XREWIND vf_rewind + #define XFREAD(BUF, SZ, AMT, FD) vf_read(FD, BUF, SZ*AMT) + #define XFWRITE(BUF, SZ, AMT, FD) vf_write(FD, BUF, SZ*AMT) + #define XFCLOSE vf_close + #define XSEEK_END VSEEK_END + #define XBADFILE -1 +#elif defined(LSR_FS) + #include + #define XFILE struct fs_file* + #define XFOPEN(NAME, MODE) fs_open((char*)NAME); + #define XFSEEK(F, O, W) (void)F + #define XFTELL(F) (F)->len + #define XREWIND(F) (void)F + #define XFREAD(BUF, SZ, AMT, F) fs_read(F, (char*)BUF, SZ*AMT) + #define XFWRITE(BUF, SZ, AMT, F) fs_write(F, (char*)BUF, SZ*AMT) + #define XFCLOSE fs_close + #define XSEEK_END 0 + #define XBADFILE NULL +#elif defined(FREESCALE_MQX) + #define XFILE MQX_FILE_PTR + #define XFOPEN fopen + #define XFSEEK fseek + #define XFTELL ftell + #define XREWIND(F) fseek(F, 0, IO_SEEK_SET) + #define XFREAD fread + #define XFWRITE fwrite + #define XFCLOSE fclose + #define XSEEK_END IO_SEEK_END + #define XBADFILE NULL +#elif defined(MICRIUM) + #include + #define XFILE FS_FILE* + #define XFOPEN fs_fopen + #define XFSEEK fs_fseek + #define XFTELL fs_ftell + #define XREWIND fs_rewind + #define XFREAD fs_fread + #define XFWRITE fs_fwrite + #define XFCLOSE fs_fclose + #define XSEEK_END FS_SEEK_END + #define XBADFILE NULL +#else + /* stdio, default case */ + #define XFILE FILE* + #if defined(CYASSL_MDK_ARM) + extern FILE * CyaSSL_fopen(const char *name, const char *mode) ; + #define XFOPEN CyaSSL_fopen + #else + #define XFOPEN fopen + #endif + #define XFSEEK fseek + #define XFTELL ftell + #define XREWIND rewind + #define XFREAD fread + #define XFWRITE fwrite + #define XFCLOSE fclose + #define XSEEK_END SEEK_END + #define XBADFILE NULL +#endif + +#endif /* NO_FILESYSTEM */ + + #ifdef __cplusplus } /* extern "C" */ #endif diff --git a/src/ssl.c b/src/ssl.c index 6ab70d1c4..07e79a161 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2257,71 +2257,6 @@ int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const byte* buff, #ifndef NO_FILESYSTEM -#if defined(EBSNET) - #define XFILE int - #define XFOPEN(NAME, MODE) vf_open((const char *)NAME, VO_RDONLY, 0); - #define XFSEEK vf_lseek - #define XFTELL vf_tell - #define XREWIND vf_rewind - #define XFREAD(BUF, SZ, AMT, FD) vf_read(FD, BUF, SZ*AMT) - #define XFWRITE(BUF, SZ, AMT, FD) vf_write(FD, BUF, SZ*AMT) - #define XFCLOSE vf_close - #define XSEEK_END VSEEK_END - #define XBADFILE -1 -#elif defined(LSR_FS) - #include - #define XFILE struct fs_file* - #define XFOPEN(NAME, MODE) fs_open((char*)NAME); - #define XFSEEK(F, O, W) (void)F - #define XFTELL(F) (F)->len - #define XREWIND(F) (void)F - #define XFREAD(BUF, SZ, AMT, F) fs_read(F, (char*)BUF, SZ*AMT) - #define XFWRITE(BUF, SZ, AMT, F) fs_write(F, (char*)BUF, SZ*AMT) - #define XFCLOSE fs_close - #define XSEEK_END 0 - #define XBADFILE NULL -#elif defined(FREESCALE_MQX) - #define XFILE MQX_FILE_PTR - #define XFOPEN fopen - #define XFSEEK fseek - #define XFTELL ftell - #define XREWIND(F) fseek(F, 0, IO_SEEK_SET) - #define XFREAD fread - #define XFWRITE fwrite - #define XFCLOSE fclose - #define XSEEK_END IO_SEEK_END - #define XBADFILE NULL -#elif defined(MICRIUM) - #include - #define XFILE FS_FILE* - #define XFOPEN fs_fopen - #define XFSEEK fs_fseek - #define XFTELL fs_ftell - #define XREWIND fs_rewind - #define XFREAD fs_fread - #define XFWRITE fs_fwrite - #define XFCLOSE fs_fclose - #define XSEEK_END FS_SEEK_END - #define XBADFILE NULL -#else - /* stdio, default case */ - #define XFILE FILE* - #if defined(CYASSL_MDK_ARM) - extern FILE * CyaSSL_fopen(const char *name, const char *mode) ; - #define XFOPEN CyaSSL_fopen - #else - #define XFOPEN fopen - #endif - #define XFSEEK fseek - #define XFTELL ftell - #define XREWIND rewind - #define XFREAD fread - #define XFWRITE fwrite - #define XFCLOSE fclose - #define XSEEK_END SEEK_END - #define XBADFILE NULL -#endif - /* process a file with name fname into ctx of format and type userChain specifies a user certificate chain to pass during handshake */ From 85a47b45963a1d6c430de630f709579de3fcbbdf Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Fri, 14 Feb 2014 14:57:43 -0700 Subject: [PATCH 23/49] add NO_STDIO_FILESYSTEM to exclude FILE usage from non standard filesystems --- cyassl/ctaocrypt/port.h | 1 + cyassl/ssl.h | 8 +++++--- src/ssl.c | 6 +++++- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/cyassl/ctaocrypt/port.h b/cyassl/ctaocrypt/port.h index 945e30a47..5741c255e 100644 --- a/cyassl/ctaocrypt/port.h +++ b/cyassl/ctaocrypt/port.h @@ -111,6 +111,7 @@ CYASSL_LOCAL int LockMutex(CyaSSL_Mutex*); CYASSL_LOCAL int UnLockMutex(CyaSSL_Mutex*); +/* filesystem abstraction layer, used by ssl.c */ #ifndef NO_FILESYSTEM #if defined(EBSNET) diff --git a/cyassl/ssl.h b/cyassl/ssl.h index b1f56bc77..7821cefd2 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -619,7 +619,7 @@ enum { /* extras end */ -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) /* CyaSSL extension, provide last error from SSL_get_error since not using thread storage error queue */ CYASSL_API void CyaSSL_ERR_print_errors_fp(FILE*, int err); @@ -824,8 +824,10 @@ CYASSL_API char* CyaSSL_X509_get_next_altname(CYASSL_X509*); CYASSL_API CYASSL_X509* CyaSSL_X509_d2i(CYASSL_X509** x509, const unsigned char* in, int len); #ifndef NO_FILESYSTEM -CYASSL_API CYASSL_X509* - CyaSSL_X509_d2i_fp(CYASSL_X509** x509, FILE* file); + #ifndef NO_STDIO_FILESYSTEM + CYASSL_API CYASSL_X509* + CyaSSL_X509_d2i_fp(CYASSL_X509** x509, FILE* file); + #endif CYASSL_API CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format); #endif diff --git a/src/ssl.c b/src/ssl.c index 07e79a161..3bbeeff37 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1231,7 +1231,7 @@ int CyaSSL_KeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff, -#ifndef NO_FILESYSTEM +#if !defined(NO_FILESYSTEM) && !defined(NO_STDIO_FILESYSTEM) void CyaSSL_ERR_print_errors_fp(FILE* fp, int err) { @@ -7877,6 +7877,8 @@ CYASSL_X509* CyaSSL_X509_d2i(CYASSL_X509** x509, const byte* in, int len) #ifndef NO_FILESYSTEM +#ifndef NO_STDIO_FILESYSTEM + CYASSL_X509* CyaSSL_X509_d2i_fp(CYASSL_X509** x509, XFILE file) { CYASSL_X509* newX509 = NULL; @@ -7906,6 +7908,8 @@ CYASSL_X509* CyaSSL_X509_d2i_fp(CYASSL_X509** x509, XFILE file) return newX509; } +#endif /* NO_STDIO_FILESYSTEM */ + CYASSL_X509* CyaSSL_X509_load_certificate_file(const char* fname, int format) { byte staticBuffer[FILE_BUFFER_SIZE]; From 260c37acecc99aacd0ebcbd74537d0008f6888ef Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 14 Feb 2014 15:59:59 -0800 Subject: [PATCH 24/49] Update autoconf scripts 1. Since AX_HARDEN is called always, moved the few items set in configure for gcc-hardening to AX_HARDEN. 2. Dropped the macros that AX_DEBUG was setting that we haven't been using and aren't using now. --- configure.ac | 12 +----------- m4/ax_debug.m4 | 4 +--- m4/ax_harden_compiler_flags.m4 | 1 + 3 files changed, 3 insertions(+), 14 deletions(-) diff --git a/configure.ac b/configure.ac index eded5ddef..e1ed459fb 100644 --- a/configure.ac +++ b/configure.ac @@ -95,6 +95,7 @@ AC_TYPE_UINT8_T AM_PROG_AS AM_PROG_CC_C_O LT_LIB_M +AX_HARDEN_CC_COMPILER_FLAGS OPTIMIZE_CFLAGS="-Os -fomit-frame-pointer" OPTIMIZE_FAST_CFLAGS="-O2 -fomit-frame-pointer" @@ -1554,17 +1555,6 @@ fi LIB_SOCKET_NSL -AC_ARG_ENABLE([gcc-hardening], -AS_HELP_STRING(--enable-gcc-hardening, Enable compiler security checks (default: disabled)), -[if test x$enableval = xyes; then - AM_CFLAGS="$AM_CFLAGS -D_FORTIFY_SOURCE=2 -fstack-protector-all" - AM_CFLAGS="$AM_CFLAGS -fwrapv -fPIE -Wstack-protector" - AM_CFLAGS="$AM_CFLAGS --param ssp-buffer-size=1" - LDFLAGS="$LDFLAGS -pie" -fi]) - -AX_HARDEN_CC_COMPILER_FLAGS - # link to ws2_32 if on mingw case $host_os in *mingw32) diff --git a/m4/ax_debug.m4 b/m4/ax_debug.m4 index 7696a1147..63c883c34 100644 --- a/m4/ax_debug.m4 +++ b/m4/ax_debug.m4 @@ -51,9 +51,7 @@ AC_DEFUN([AX_DEBUG], [AS_HELP_STRING([--enable-debug], [Add debug code/turns off optimizations (yes|no) @<:@default=no@:>@])], [ax_enable_debug=yes - AC_DEFINE([DEBUG],[1],[Define to 1 to enable debugging code.]) - AX_ADD_AM_MACRO([AM_YFLAGS += --debug]) - AX_ADD_AM_MACRO([AM_CPPFLAGS += -D_GLIBCXX_DEBUG])], + AC_DEFINE([DEBUG],[1],[Define to 1 to enable debugging code.])], [ax_enable_debug=no AC_SUBST([MCHECK]) AC_DEFINE([DEBUG],[0],[Define to 1 to enable debugging code.])]) diff --git a/m4/ax_harden_compiler_flags.m4 b/m4/ax_harden_compiler_flags.m4 index 6f01c1aca..c02af319d 100644 --- a/m4/ax_harden_compiler_flags.m4 +++ b/m4/ax_harden_compiler_flags.m4 @@ -156,6 +156,7 @@ AX_APPEND_COMPILE_FLAGS([-Wunused-variable],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wwrite-strings],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-fwrapv],,[$ax_append_compile_cflags_extra]) + AX_APPEND_COMPILE_FLAGS([-fPIE],,[$ax_append_compile_cflags_extra]) AC_LANG_POP ]) From 24dcddb216f309d1b93dad108995295f9ededf55 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 17 Feb 2014 15:33:07 -0800 Subject: [PATCH 25/49] Update autoconf scripts 1. Add patch to AX_TLS to let it work with AC v2.63. 2. AX_TLS() call needs a no-op in the false case. 3. Move AX_HARDEN call back to its original position. 4. Print CC rather than CC_VERSION in configuration summary. --- configure.ac | 8 ++++---- m4/ax_tls.m4 | 18 +++++++++++++++++- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/configure.ac b/configure.ac index e1ed459fb..32da5f401 100644 --- a/configure.ac +++ b/configure.ac @@ -95,7 +95,6 @@ AC_TYPE_UINT8_T AM_PROG_AS AM_PROG_CC_C_O LT_LIB_M -AX_HARDEN_CC_COMPILER_FLAGS OPTIMIZE_CFLAGS="-Os -fomit-frame-pointer" OPTIMIZE_FAST_CFLAGS="-O2 -fomit-frame-pointer" @@ -103,7 +102,7 @@ OPTIMIZE_HUGE_CFLAGS="-funroll-loops -DTFM_SMALL_SET -DTFM_HUGE_SET" DEBUG_CFLAGS="-g -DDEBUG -DDEBUG_CYASSL" # Thread local storage -AX_TLS([AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"]) +AX_TLS([AM_CFLAGS="$AM_CFLAGS -DHAVE_THREAD_LS"], [:]) # DEBUG AX_DEBUG @@ -1554,6 +1553,7 @@ then fi LIB_SOCKET_NSL +AX_HARDEN_CC_COMPILER_FLAGS # link to ws2_32 if on mingw case $host_os in @@ -1640,9 +1640,9 @@ echo "" echo " * Installation prefix: $prefix" echo " * System type: $host_vendor-$host_os" echo " * Host CPU: $host_cpu" -echo " * C Compiler: $CC_VERSION" +echo " * C Compiler: $CC" echo " * C Flags: $CFLAGS" -echo " * C++ Compiler: $CXX_VERSION" +echo " * C++ Compiler: $CXX" echo " * C++ Flags: $CXXFLAGS" echo " * CPP Flags: $CPPFLAGS" echo " * LIB Flags: $LIB" diff --git a/m4/ax_tls.m4 b/m4/ax_tls.m4 index 033e3b135..3f6b5e10b 100644 --- a/m4/ax_tls.m4 +++ b/m4/ax_tls.m4 @@ -44,7 +44,23 @@ # modified version of the Autoconf Macro, you may extend this special # exception to the GPL to apply to your modified version as well. -#serial 10 +#serial 11 + +# Define m4_ifblank and m4_ifnblank macros from introduced in +# autotools 2.64 m4sugar.m4 if using an earlier autotools. + +ifdef([m4_ifblank], [], [ + m4_define([m4_ifblank], + [m4_if(m4_translit([[$1]], [ ][ ][ +]), [], [$2], [$3])]) + ]) + + +ifdef([m4_ifnblank], [], [ + m4_define([m4_ifnblank], + [m4_if(m4_translit([[$1]], [ ][ ][ +]), [], [$3], [$2])]) + ]) AC_DEFUN([AX_TLS], [ AC_MSG_CHECKING(for thread local storage (TLS) class) From 45859e97bf2b9ed8873d620a584c48aa7e6131fd Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 18 Feb 2014 16:45:43 -0800 Subject: [PATCH 26/49] fix arm thumb mode assembly --- ctaocrypt/src/asm.c | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/ctaocrypt/src/asm.c b/ctaocrypt/src/asm.c index 941478a42..8b588aa4d 100644 --- a/ctaocrypt/src/asm.c +++ b/ctaocrypt/src/asm.c @@ -318,6 +318,36 @@ __asm__( \ #define LOOP_START \ mu = c[x] * mp + +#ifdef __thumb__ + +#define INNERMUL \ +__asm__( \ + " LDR r0,%1 \n\t" \ + " ADDS r0,r0,%0 \n\t" \ + " ITE CS \n\t" \ + " MOVCS %0,#1 \n\t" \ + " MOVCC %0,#0 \n\t" \ + " UMLAL r0,%0,%3,%4 \n\t" \ + " STR r0,%1 \n\t" \ +:"=r"(cy),"=m"(_c[0]):"0"(cy),"r"(mu),"r"(*tmpm++),"m"(_c[0]):"r0","cc"); + +#define PROPCARRY \ +__asm__( \ + " LDR r0,%1 \n\t" \ + " ADDS r0,r0,%0 \n\t" \ + " STR r0,%1 \n\t" \ + " ITE CS \n\t" \ + " MOVCS %0,#1 \n\t" \ + " MOVCC %0,#0 \n\t" \ +:"=r"(cy),"=m"(_c[0]):"0"(cy),"m"(_c[0]):"r0","cc"); + + +/* TAO thumb mode uses ite (if then else) to detect carry directly + * fixed unmatched constraint warning by changing 1 to m */ + +#else /* __thumb__ */ + #define INNERMUL \ __asm__( \ " LDR r0,%1 \n\t" \ @@ -337,6 +367,8 @@ __asm__( \ " MOVCC %0,#0 \n\t" \ :"=r"(cy),"=m"(_c[0]):"0"(cy),"1"(_c[0]):"r0","cc"); +#endif /* __thumb__ */ + #elif defined(TFM_PPC32) /* PPC32 */ @@ -725,9 +757,11 @@ __asm__( \ #define SQRADDSC(i, j) \ __asm__( \ -" UMULL %0,%1,%6,%7 \n\t" \ +" UMULL %0,%1,%3,%4 \n\t" \ " SUB %2,%2,%2 \n\t" \ -:"=r"(sc0), "=r"(sc1), "=r"(sc2) : "0"(sc0), "1"(sc1), "2"(sc2), "r"(i), "r"(j) : "cc"); +:"=r"(sc0), "=r"(sc1), "=r"(sc2) : "r"(i), "r"(j) : "cc"); + +/* TAO removed sc0,1,2 as input to remove warning so %6,%7 become %3,%4 */ #define SQRADDAC(i, j) \ __asm__( \ From 5421990c8078894147abf628ea03f0a711a7c055 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 18 Feb 2014 17:01:27 -0800 Subject: [PATCH 27/49] add ARM to settings --- cyassl/ctaocrypt/settings.h | 1 + 1 file changed, 1 insertion(+) diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h index 517c14d46..d01deba82 100644 --- a/cyassl/ctaocrypt/settings.h +++ b/cyassl/ctaocrypt/settings.h @@ -165,6 +165,7 @@ #define USE_FAST_MATH #define TFM_TIMING_RESISTANT #define TFM_ECC256 + #define TFM_ARM #define ECC_SHAMIR #define FP_ECC #define FP_ENTRIES 2 From 12a1b2faed87d61a6f7b4243dbf314ff2980359b Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 18 Feb 2014 17:46:08 -0800 Subject: [PATCH 28/49] more settings --- cyassl/ctaocrypt/settings.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/cyassl/ctaocrypt/settings.h b/cyassl/ctaocrypt/settings.h index d01deba82..7be8ed79a 100644 --- a/cyassl/ctaocrypt/settings.h +++ b/cyassl/ctaocrypt/settings.h @@ -158,8 +158,11 @@ #define CYASSL_USER_IO #define NO_DEV_RANDOM #define HAVE_HKDF + #define NO_MAIN_DRIVER + #define CYASSL_LWIP /* ECC and optimizations */ + #define FREESCALE_MMCAU 1 #define HAVE_ECC #define HAVE_ECC_ENCRYPT #define USE_FAST_MATH From 77403c7ee22a307c8306ac28fdffe1d04c585b48 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 21 Feb 2014 16:33:47 -0800 Subject: [PATCH 29/49] Sniffer should ignore MATCH_SUITE_ERRORs when processing old client hello messages. --- src/sniffer.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/sniffer.c b/src/sniffer.c index b94eb503c..6779b4d8e 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1782,7 +1782,7 @@ static int DoOldHello(SnifferSession* session, const byte* sslFrame, ret = ProcessOldClientHello(session->sslServer, input, &idx, *sslBytes, *rhSize); - if (ret < 0) { + if (ret < 0 && ret != MATCH_SUITE_ERROR) { SetError(BAD_OLD_CLIENT_STR, error, session, FATAL_ERROR_STATE); return -1; } From cf2f657036cd3b5ccf7dcbbce015a62494967484 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 21 Feb 2014 22:26:10 -0800 Subject: [PATCH 30/49] In AX_HARDEN, delete extra comma when appending no-strict-aliasing. --- m4/ax_harden_compiler_flags.m4 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/m4/ax_harden_compiler_flags.m4 b/m4/ax_harden_compiler_flags.m4 index c02af319d..adcbebfb4 100644 --- a/m4/ax_harden_compiler_flags.m4 +++ b/m4/ax_harden_compiler_flags.m4 @@ -117,7 +117,7 @@ AX_APPEND_COMPILE_FLAGS([-Wno-pragmas],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wall],,[$ax_append_compile_cflags_extra]) - AX_APPEND_COMPILE_FLAGS([-Wno-strict-aliasing],,,[$ax_append_compile_cflags_extra]) + AX_APPEND_COMPILE_FLAGS([-Wno-strict-aliasing],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wextra],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wunknown-pragmas],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wthis-test-should-fail],,[$ax_append_compile_cflags_extra]) @@ -186,7 +186,7 @@ ]) AX_APPEND_COMPILE_FLAGS([-Wall],,[$ax_append_compile_cxxflags_extra]) - AX_APPEND_COMPILE_FLAGS([-Wno-strict-aliasing],,,[$ax_append_compile_cxxflags_extra]) + AX_APPEND_COMPILE_FLAGS([-Wno-strict-aliasing],,[$ax_append_compile_cxxflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wextra],,[$ax_append_compile_cxxflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wunknown-pragmas],,[$ax_append_compile_cxxflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wthis-test-should-fail],,[$ax_append_compile_cxxflags_extra]) From c03263ae70ca26ef3486fd199e457e25c1c0cf75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Sun, 16 Feb 2014 10:19:40 -0300 Subject: [PATCH 31/49] fixing HAVE_MAX_FRAGMENT ifdef --- examples/client/client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/client/client.c b/examples/client/client.c index ac6f935a8..807d7e91e 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -133,7 +133,7 @@ static void Usage(void) #ifdef HAVE_SNI printf("-S Use Host Name Indication\n"); #endif -#ifdef HAVE_MAXFRAGMENT +#ifdef HAVE_MAX_FRAGMENT printf("-L Use Maximum Fragment Length [1-5]\n"); #endif #ifdef HAVE_TRUNCATED_HMAC From 95bc9542735ed93f694278870825777a7bfe9298 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Sun, 16 Feb 2014 12:15:10 -0300 Subject: [PATCH 32/49] Boundaries check for server hello parsing. -- added totalSz to the function parameters -- INCOMPLETE DATA checked only once with hello size against buffer size -- BUFFER_ERROR returned in case of message overflow (piece larger than the hello size) -- OPAQUE16_LEN used whenever 2 bytes are needed. -- Session id checking improved. --- src/internal.c | 80 ++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 61 insertions(+), 19 deletions(-) diff --git a/src/internal.c b/src/internal.c index e15249829..02512906b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -70,7 +70,8 @@ CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS #ifndef NO_CYASSL_CLIENT static int DoHelloVerifyRequest(CYASSL* ssl, const byte* input, word32*); - static int DoServerHello(CYASSL* ssl, const byte* input, word32*, word32); + static int DoServerHello(CYASSL* ssl, const byte* input, word32*, word32, + word32); static int DoServerKeyExchange(CYASSL* ssl, const byte* input, word32*); #ifndef NO_CERTS static int DoCertificateRequest(CYASSL* ssl, const byte* input,word32*); @@ -3778,7 +3779,7 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, case server_hello: CYASSL_MSG("processing server hello"); - ret = DoServerHello(ssl, input, inOutIdx, size); + ret = DoServerHello(ssl, input, inOutIdx, totalSz, size); break; #ifndef NO_CERTS @@ -7459,31 +7460,44 @@ static void PickHashSigAlgo(CYASSL* ssl, static int DoServerHello(CYASSL* ssl, const byte* input, word32* inOutIdx, - word32 helloSz) + word32 totalSz, word32 helloSz) { - byte b; - byte compression; + byte b; ProtocolVersion pv; - word32 i = *inOutIdx; - word32 begin = i; + byte compression; + word32 i = *inOutIdx; + word32 begin = i; #ifdef CYASSL_CALLBACKS if (ssl->hsInfoOn) AddPacketName("ServerHello", &ssl->handShakeInfo); if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); #endif - XMEMCPY(&pv, input + i, sizeof(pv)); - i += (word32)sizeof(pv); + + /* make sure can read the server hello */ + if (begin + helloSz > totalSz) + return INCOMPLETE_DATA; + + /* protocol version, random and session id length check */ + if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz) + return BUFFER_ERROR; + + /* protocol version */ + XMEMCPY(&pv, input + i, OPAQUE16_LEN); + i += OPAQUE16_LEN; + if (pv.minor > ssl->version.minor) { CYASSL_MSG("Server using higher version, fatal error"); return VERSION_ERROR; } else if (pv.minor < ssl->version.minor) { CYASSL_MSG("server using lower version"); + if (!ssl->options.downgrade) { CYASSL_MSG(" no downgrade allowed, fatal error"); return VERSION_ERROR; } - else if (pv.minor == SSLv3_MINOR) { + + if (pv.minor == SSLv3_MINOR) { /* turn off tls */ CYASSL_MSG(" downgrading to SSLv3"); ssl->options.tls = 0; @@ -7501,14 +7515,31 @@ static void PickHashSigAlgo(CYASSL* ssl, ssl->version.minor = TLSv1_1_MINOR; } } + + /* random */ XMEMCPY(ssl->arrays->serverRandom, input + i, RAN_LEN); i += RAN_LEN; + + /* session id */ b = input[i++]; - if (b) { + + if (b == ID_LEN) { + if ((i - begin) + ID_LEN > helloSz) + return BUFFER_ERROR; + XMEMCPY(ssl->arrays->sessionID, input + i, min(b, ID_LEN)); - i += b; + i += ID_LEN; ssl->options.haveSessionId = 1; } + else if (b) { + CYASSL_MSG("Invalid session ID size"); + return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ + } + + /* suite and compression */ + if ((i - begin) + OPAQUE16_LEN + ENUM_LEN > helloSz) + return BUFFER_ERROR; + ssl->options.cipherSuite0 = input[i++]; ssl->options.cipherSuite = input[i++]; compression = input[i++]; @@ -7519,17 +7550,23 @@ static void PickHashSigAlgo(CYASSL* ssl, } *inOutIdx = i; + + /* tls extensions */ if ( (i - begin) < helloSz) { #ifdef HAVE_TLS_EXTENSIONS if (IsTLS(ssl)) { - int ret = 0; + int ret = 0; word16 totalExtSz; Suites clSuites; /* just for compatibility right now */ + if ((i - begin) + OPAQUE16_LEN > helloSz) + return BUFFER_ERROR; + ato16(&input[i], &totalExtSz); - i += LENGTH_SZ; - if (totalExtSz > helloSz + begin - i) - return INCOMPLETE_DATA; + i += OPAQUE16_LEN; + + if ((i - begin) + totalExtSz > helloSz) + return BUFFER_ERROR; if ((ret = TLSX_Parse(ssl, (byte *) input + i, totalExtSz, 0, &clSuites))) @@ -7540,7 +7577,7 @@ static void PickHashSigAlgo(CYASSL* ssl, } else #endif - *inOutIdx = begin + helloSz; /* skip extensions */ + *inOutIdx = begin + helloSz; /* skip extensions */ } ssl->options.serverState = SERVER_HELLO_COMPLETE; @@ -7549,7 +7586,8 @@ static void PickHashSigAlgo(CYASSL* ssl, if (ssl->options.haveSessionId && XMEMCMP(ssl->arrays->sessionID, ssl->session.sessionID, ID_LEN) == 0) { if (SetCipherSpecs(ssl) == 0) { - int ret = -1; + int ret = -1; + XMEMCPY(ssl->arrays->masterSecret, ssl->session.masterSecret, SECRET_LEN); #ifdef NO_OLD_TLS @@ -7563,6 +7601,7 @@ static void PickHashSigAlgo(CYASSL* ssl, ret = DeriveKeys(ssl); #endif ssl->options.serverState = SERVER_HELLODONE_COMPLETE; + return ret; } else { @@ -7580,6 +7619,7 @@ static void PickHashSigAlgo(CYASSL* ssl, DtlsPoolReset(ssl); } #endif + return SetCipherSpecs(ssl); } @@ -10076,8 +10116,10 @@ static void PickHashSigAlgo(CYASSL* ssl, ssl->options.resuming = 1; /* client wants to resume */ CYASSL_MSG("Client wants to resume session"); } - else if (b) + else if (b) { + CYASSL_MSG("Invalid session ID size"); return BUFFER_ERROR; /* session ID nor 0 neither 32 bytes long */ + } #ifdef CYASSL_DTLS /* cookie */ From 76c8146bf160d251345cd492b376acbfd9be77b1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 17 Feb 2014 11:33:51 -0300 Subject: [PATCH 33/49] moving available data length check to DoHandShakeMsgType --- src/internal.c | 28 ++++++++++++---------------- 1 file changed, 12 insertions(+), 16 deletions(-) diff --git a/src/internal.c b/src/internal.c index 02512906b..55ec5078a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -70,8 +70,7 @@ CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS #ifndef NO_CYASSL_CLIENT static int DoHelloVerifyRequest(CYASSL* ssl, const byte* input, word32*); - static int DoServerHello(CYASSL* ssl, const byte* input, word32*, word32, - word32); + static int DoServerHello(CYASSL* ssl, const byte* input, word32*, word32); static int DoServerKeyExchange(CYASSL* ssl, const byte* input, word32*); #ifndef NO_CERTS static int DoCertificateRequest(CYASSL* ssl, const byte* input,word32*); @@ -80,8 +79,7 @@ CYASSL_CALLBACKS needs LARGE_STATIC_BUFFERS, please add LARGE_STATIC_BUFFERS #ifndef NO_CYASSL_SERVER - static int DoClientHello(CYASSL* ssl, const byte* input, word32*, word32, - word32); + static int DoClientHello(CYASSL* ssl, const byte* input, word32*, word32); static int DoClientKeyExchange(CYASSL* ssl, byte* input, word32*, word32); #if !defined(NO_RSA) || defined(HAVE_ECC) static int DoCertificateVerify(CYASSL* ssl, byte*, word32*, word32); @@ -3724,7 +3722,12 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, CYASSL_ENTER("DoHandShakeMsgType"); + /* make sure can read the message */ + if (*inOutIdx + size > totalSz) + return INCOMPLETE_DATA; + HashInput(ssl, input + *inOutIdx, size); + #ifdef CYASSL_CALLBACKS /* add name later, add on record and handshake header part back on */ if (ssl->toInfoOn) { @@ -3779,7 +3782,7 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, case server_hello: CYASSL_MSG("processing server hello"); - ret = DoServerHello(ssl, input, inOutIdx, totalSz, size); + ret = DoServerHello(ssl, input, inOutIdx, size); break; #ifndef NO_CERTS @@ -3821,7 +3824,7 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, #ifndef NO_CYASSL_SERVER case client_hello: CYASSL_MSG("processing client hello"); - ret = DoClientHello(ssl, input, inOutIdx, totalSz, size); + ret = DoClientHello(ssl, input, inOutIdx, size); break; case client_key_exchange: @@ -3841,6 +3844,7 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, default: CYASSL_MSG("Unknown handshake message type"); ret = UNKNOWN_HANDSHAKE_TYPE; + break; } CYASSL_LEAVE("DoHandShakeMsgType()", ret); @@ -7460,7 +7464,7 @@ static void PickHashSigAlgo(CYASSL* ssl, static int DoServerHello(CYASSL* ssl, const byte* input, word32* inOutIdx, - word32 totalSz, word32 helloSz) + word32 helloSz) { byte b; ProtocolVersion pv; @@ -7473,10 +7477,6 @@ static void PickHashSigAlgo(CYASSL* ssl, if (ssl->toInfoOn) AddLateName("ServerHello", &ssl->timeoutInfo); #endif - /* make sure can read the server hello */ - if (begin + helloSz > totalSz) - return INCOMPLETE_DATA; - /* protocol version, random and session id length check */ if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz) return BUFFER_ERROR; @@ -10026,7 +10026,7 @@ static void PickHashSigAlgo(CYASSL* ssl, static int DoClientHello(CYASSL* ssl, const byte* input, word32* inOutIdx, - word32 totalSz, word32 helloSz) + word32 helloSz) { byte b; ProtocolVersion pv; @@ -10039,10 +10039,6 @@ static void PickHashSigAlgo(CYASSL* ssl, if (ssl->toInfoOn) AddLateName("ClientHello", &ssl->timeoutInfo); #endif - /* make sure can read the client hello */ - if (begin + helloSz > totalSz) - return INCOMPLETE_DATA; - /* protocol version, random and session id length check */ if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz) return BUFFER_ERROR; From 78bab9161583c9abd225900e40406b0d6d9bf211 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 24 Feb 2014 11:26:55 -0300 Subject: [PATCH 34/49] removed duplicated check for INCOMPLETE_DATA added new size enums --- cyassl/internal.h | 4 +++- src/internal.c | 17 +++++++---------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index 989947acd..146019236 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -599,7 +599,9 @@ enum Misc { COOKIE_SZ = 20, /* use a 20 byte cookie */ SUITE_LEN = 2, /* cipher suite sz length */ ENUM_LEN = 1, /* always a byte */ - OPAQUE16_LEN = 2, /* always 2 bytes */ + OPAQUE8_LEN = 1, /* 1 byte */ + OPAQUE16_LEN = 2, /* 2 bytes */ + OPAQUE24_LEN = 3, /* 3 bytes */ COMP_LEN = 1, /* compression length */ CURVE_LEN = 2, /* ecc named curve length */ SERVER_ID_LEN = 20, /* server session id length */ diff --git a/src/internal.c b/src/internal.c index 55ec5078a..c1dd03c0b 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3855,18 +3855,15 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, static int DoHandShakeMsg(CYASSL* ssl, byte* input, word32* inOutIdx, word32 totalSz) { - byte type; + byte type; word32 size; - int ret = 0; + int ret = 0; CYASSL_ENTER("DoHandShakeMsg()"); if (GetHandShakeHeader(ssl, input, inOutIdx, &type, &size) != 0) return PARSE_ERROR; - if (*inOutIdx + size > totalSz) - return INCOMPLETE_DATA; - ret = DoHandShakeMsgType(ssl, input, inOutIdx, type, size, totalSz); CYASSL_LEAVE("DoHandShakeMsg()", ret); @@ -7478,7 +7475,7 @@ static void PickHashSigAlgo(CYASSL* ssl, #endif /* protocol version, random and session id length check */ - if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz) + if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) return BUFFER_ERROR; /* protocol version */ @@ -7537,7 +7534,7 @@ static void PickHashSigAlgo(CYASSL* ssl, } /* suite and compression */ - if ((i - begin) + OPAQUE16_LEN + ENUM_LEN > helloSz) + if ((i - begin) + OPAQUE16_LEN + OPAQUE8_LEN > helloSz) return BUFFER_ERROR; ssl->options.cipherSuite0 = input[i++]; @@ -10040,7 +10037,7 @@ static void PickHashSigAlgo(CYASSL* ssl, #endif /* protocol version, random and session id length check */ - if ((i - begin) + OPAQUE16_LEN + RAN_LEN + ENUM_LEN > helloSz) + if ((i - begin) + OPAQUE16_LEN + RAN_LEN + OPAQUE8_LEN > helloSz) return BUFFER_ERROR; /* protocol version */ @@ -10121,7 +10118,7 @@ static void PickHashSigAlgo(CYASSL* ssl, /* cookie */ if (ssl->options.dtls) { - if ((i - begin) + ENUM_LEN > helloSz) + if ((i - begin) + OPAQUE8_LEN > helloSz) return BUFFER_ERROR; b = input[i++]; @@ -10160,7 +10157,7 @@ static void PickHashSigAlgo(CYASSL* ssl, i += OPAQUE16_LEN; /* suites and compression length check */ - if ((i - begin) + clSuites.suiteSz + ENUM_LEN > helloSz) + if ((i - begin) + clSuites.suiteSz + OPAQUE8_LEN > helloSz) return BUFFER_ERROR; if (clSuites.suiteSz > MAX_SUITE_SZ) From d26b3bb44593865a7de87a87f484d8adfd7673d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Mois=C3=A9s=20Guimar=C3=A3es?= Date: Mon, 24 Feb 2014 12:41:50 -0300 Subject: [PATCH 35/49] Boundaries check for DoClientKeyExchange. -- switched from totalSz to size in the function parameters -- BUFFER_ERROR returned in case of message overflow (piece larger than the hello size) -- OPAQUE16_LEN used whenever 2 bytes are needed. --- src/internal.c | 155 ++++++++++++++++++++++++++++++------------------- 1 file changed, 95 insertions(+), 60 deletions(-) diff --git a/src/internal.c b/src/internal.c index c1dd03c0b..121d5d9de 100644 --- a/src/internal.c +++ b/src/internal.c @@ -3829,7 +3829,7 @@ static int DoHandShakeMsgType(CYASSL* ssl, byte* input, word32* inOutIdx, case client_key_exchange: CYASSL_MSG("processing client key exchange"); - ret = DoClientKeyExchange(ssl, input, inOutIdx, totalSz); + ret = DoClientKeyExchange(ssl, input, inOutIdx, size); break; #if !defined(NO_RSA) || defined(HAVE_ECC) @@ -10547,18 +10547,19 @@ static void PickHashSigAlgo(CYASSL* ssl, } #endif - static int DoClientKeyExchange(CYASSL* ssl, byte* input, - word32* inOutIdx, word32 totalSz) + static int DoClientKeyExchange(CYASSL* ssl, byte* input, word32* inOutIdx, + word32 size) { int ret = 0; word32 length = 0; byte* out = NULL; + word32 begin = *inOutIdx; (void)length; /* shut up compiler warnings */ (void)out; (void)input; (void)inOutIdx; - (void)totalSz; + (void)size; if (ssl->options.clientState < CLIENT_HELLO_COMPLETE) { CYASSL_MSG("Client sending keyexchange at wrong time"); @@ -10587,15 +10588,12 @@ static void PickHashSigAlgo(CYASSL* ssl, { word32 idx = 0; RsaKey key; - byte* tmp = 0; byte doUserRsa = 0; #ifdef HAVE_PK_CALLBACKS - #ifndef NO_RSA - if (ssl->ctx->RsaDecCb) - doUserRsa = 1; - #endif /* NO_RSA */ - #endif /*HAVE_PK_CALLBACKS */ + if (ssl->ctx->RsaDecCb) + doUserRsa = 1; + #endif InitRsaKey(&key, ssl->heap); @@ -10611,28 +10609,31 @@ static void PickHashSigAlgo(CYASSL* ssl, if (ssl->options.tls) { word16 check; + + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + return BUFFER_ERROR; + ato16(input + *inOutIdx, &check); - if ((word32)check != length) { + *inOutIdx += OPAQUE16_LEN; + + if ((word32) check != length) { CYASSL_MSG("RSA explicit size doesn't match"); FreeRsaKey(&key); return RSA_PRIVATE_ERROR; } - (*inOutIdx) += 2; } - tmp = input + *inOutIdx; - *inOutIdx += length; - if (*inOutIdx > totalSz) { + if ((*inOutIdx - begin) + length > size) { CYASSL_MSG("RSA message too big"); FreeRsaKey(&key); - return INCOMPLETE_DATA; + return BUFFER_ERROR; } if (doUserRsa) { #ifdef HAVE_PK_CALLBACKS #ifndef NO_RSA ret = ssl->ctx->RsaDecCb(ssl, - tmp, length, &out, + input + *inOutIdx, length, &out, ssl->buffers.key.buffer, ssl->buffers.key.length, ssl->RsaDecCtx); @@ -10640,9 +10641,12 @@ static void PickHashSigAlgo(CYASSL* ssl, #endif /*HAVE_PK_CALLBACKS */ } else { - ret = RsaPrivateDecryptInline(tmp, length, &out, &key); + ret = RsaPrivateDecryptInline(input + *inOutIdx, length, + &out, &key); } + *inOutIdx += length; + if (ret == SECRET_LEN) { XMEMCPY(ssl->arrays->preMasterSecret, out, SECRET_LEN); if (ssl->arrays->preMasterSecret[0] != @@ -10668,36 +10672,46 @@ static void PickHashSigAlgo(CYASSL* ssl, byte* pms = ssl->arrays->preMasterSecret; word16 ci_sz; - ato16(&input[*inOutIdx], &ci_sz); - *inOutIdx += LENGTH_SZ; - if (ci_sz > MAX_PSK_ID_LEN) return CLIENT_ID_ERROR; + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + return BUFFER_ERROR; - XMEMCPY(ssl->arrays->client_identity, &input[*inOutIdx], ci_sz); + ato16(input + *inOutIdx, &ci_sz); + *inOutIdx += OPAQUE16_LEN; + + if (ci_sz > MAX_PSK_ID_LEN) + return CLIENT_ID_ERROR; + + if ((*inOutIdx - begin) + ci_sz > size) + return BUFFER_ERROR; + + XMEMCPY(ssl->arrays->client_identity, input + *inOutIdx, ci_sz); *inOutIdx += ci_sz; - if (ci_sz < MAX_PSK_ID_LEN) - ssl->arrays->client_identity[ci_sz] = 0; - else - ssl->arrays->client_identity[MAX_PSK_ID_LEN-1] = 0; + ssl->arrays->client_identity[min(ci_sz, MAX_PSK_ID_LEN-1)] = 0; ssl->arrays->psk_keySz = ssl->options.server_psk_cb(ssl, ssl->arrays->client_identity, ssl->arrays->psk_key, MAX_PSK_KEY_LEN); + if (ssl->arrays->psk_keySz == 0 || - ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) + ssl->arrays->psk_keySz > MAX_PSK_KEY_LEN) return PSK_KEY_ERROR; /* make psk pre master secret */ /* length of key + length 0s + length of key + key */ - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += 2; + c16toa((word16) ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; + XMEMSET(pms, 0, ssl->arrays->psk_keySz); pms += ssl->arrays->psk_keySz; - c16toa((word16)ssl->arrays->psk_keySz, pms); - pms += 2; + + c16toa((word16) ssl->arrays->psk_keySz, pms); + pms += OPAQUE16_LEN; + XMEMCPY(pms, ssl->arrays->psk_key, ssl->arrays->psk_keySz); ssl->arrays->preMasterSz = ssl->arrays->psk_keySz * 2 + 4; ret = MakeMasterSecret(ssl); + /* No further need for PSK */ XMEMSET(ssl->arrays->psk_key, 0, ssl->arrays->psk_keySz); ssl->arrays->psk_keySz = 0; @@ -10707,26 +10721,34 @@ static void PickHashSigAlgo(CYASSL* ssl, #ifdef HAVE_NTRU case ntru_kea: { - word32 rc; word16 cipherLen; word16 plainLen = sizeof(ssl->arrays->preMasterSecret); - byte* tmp; if (!ssl->buffers.key.buffer) return NO_PRIVATE_KEY; - ato16(&input[*inOutIdx], &cipherLen); - *inOutIdx += LENGTH_SZ; + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + return BUFFER_ERROR; + + ato16(input + *inOutIdx, &cipherLen); + *inOutIdx += OPAQUE16_LEN; + if (cipherLen > MAX_NTRU_ENCRYPT_SZ) return NTRU_KEY_ERROR; - tmp = input + *inOutIdx; - rc = crypto_ntru_decrypt((word16)ssl->buffers.key.length, - ssl->buffers.key.buffer, cipherLen, tmp, &plainLen, - ssl->arrays->preMasterSecret); + if ((*inOutIdx - begin) + cipherLen > size) + return BUFFER_ERROR; - if (rc != NTRU_OK || plainLen != SECRET_LEN) + if (NTRU_OK != crypto_ntru_decrypt( + (word16) ssl->buffers.key.length, + ssl->buffers.key.buffer, cipherLen, + input + *inOutIdx, &plainLen, + ssl->arrays->preMasterSecret)) return NTRU_DECRYPT_ERROR; + + if (plainLen != SECRET_LEN) + return NTRU_DECRYPT_ERROR; + *inOutIdx += cipherLen; ssl->arrays->preMasterSz = plainLen; @@ -10737,18 +10759,23 @@ static void PickHashSigAlgo(CYASSL* ssl, #ifdef HAVE_ECC case ecc_diffie_hellman_kea: { - word32 size; - word32 bLength = input[*inOutIdx]; /* one byte length */ - *inOutIdx += 1; + if ((*inOutIdx - begin) + OPAQUE8_LEN > size) + return BUFFER_ERROR; - ret = ecc_import_x963(&input[*inOutIdx], - bLength, ssl->peerEccKey); - if (ret != 0) + length = input[*inOutIdx]; + *inOutIdx += OPAQUE8_LEN; + + if ((*inOutIdx - begin) + length > size) + return BUFFER_ERROR; + + if (ecc_import_x963(input + *inOutIdx, length, ssl->peerEccKey)) return ECC_PEERKEY_ERROR; - *inOutIdx += bLength; + + *inOutIdx += length; ssl->peerEccKeyPresent = 1; - size = sizeof(ssl->arrays->preMasterSecret); + length = sizeof(ssl->arrays->preMasterSecret); + if (ssl->specs.static_ecdh) { ecc_key staticKey; word32 i = 0; @@ -10756,17 +10783,21 @@ static void PickHashSigAlgo(CYASSL* ssl, ecc_init(&staticKey); ret = EccPrivateKeyDecode(ssl->buffers.key.buffer, &i, &staticKey, ssl->buffers.key.length); + if (ret == 0) ret = ecc_shared_secret(&staticKey, ssl->peerEccKey, - ssl->arrays->preMasterSecret, &size); + ssl->arrays->preMasterSecret, &length); + ecc_free(&staticKey); } - else + else ret = ecc_shared_secret(ssl->eccTempKey, ssl->peerEccKey, - ssl->arrays->preMasterSecret, &size); + ssl->arrays->preMasterSecret, &length); + if (ret != 0) return ECC_SHARED_ERROR; - ssl->arrays->preMasterSz = size; + + ssl->arrays->preMasterSz = length; ret = MakeMasterSecret(ssl); } break; @@ -10774,15 +10805,17 @@ static void PickHashSigAlgo(CYASSL* ssl, #ifdef OPENSSL_EXTRA case diffie_hellman_kea: { - byte* clientPub; word16 clientPubSz; DhKey dhKey; - ato16(&input[*inOutIdx], &clientPubSz); - *inOutIdx += LENGTH_SZ; + if ((*inOutIdx - begin) + OPAQUE16_LEN > size) + return BUFFER_ERROR; - clientPub = &input[*inOutIdx]; - *inOutIdx += clientPubSz; + ato16(input + *inOutIdx, &clientPubSz); + *inOutIdx += OPAQUE16_LEN; + + if ((*inOutIdx - begin) + clientPubSz > size) + return BUFFER_ERROR; InitDhKey(&dhKey); ret = DhSetKey(&dhKey, ssl->buffers.serverDH_P.buffer, @@ -10794,8 +10827,11 @@ static void PickHashSigAlgo(CYASSL* ssl, &ssl->arrays->preMasterSz, ssl->buffers.serverDH_Priv.buffer, ssl->buffers.serverDH_Priv.length, - clientPub, clientPubSz); + input + *inOutIdx, clientPubSz); FreeDhKey(&dhKey); + + *inOutIdx += clientPubSz; + if (ret == 0) ret = MakeMasterSecret(ssl); } @@ -10808,6 +10844,7 @@ static void PickHashSigAlgo(CYASSL* ssl, } break; } + /* No further need for PMS */ XMEMSET(ssl->arrays->preMasterSecret, 0, ssl->arrays->preMasterSz); ssl->arrays->preMasterSz = 0; @@ -10824,5 +10861,3 @@ static void PickHashSigAlgo(CYASSL* ssl, } #endif /* NO_CYASSL_SERVER */ - - From ac7cb3c8aadc633581bc3bac98bb090b8401fd36 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 24 Feb 2014 11:15:22 -0800 Subject: [PATCH 36/49] add -Wunreachable-code --- ctaocrypt/src/asn.c | 8 ++++---- ctaocrypt/src/hmac.c | 1 - ctaocrypt/test/test.c | 4 ---- m4/ax_harden_compiler_flags.m4 | 2 ++ src/internal.c | 8 ++++---- src/tls.c | 1 - 6 files changed, 10 insertions(+), 14 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index bf6811375..276029f47 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1516,8 +1516,9 @@ static int GetKey(DecodedCert* cert) XMEMCPY(cert->publicKey, keyBlob, keyLen); cert->pubKeyStored = 1; cert->pubKeySize = keyLen; + + return 0; } - break; #endif /* HAVE_NTRU */ #ifdef HAVE_ECC case ECDSAk: @@ -1560,14 +1561,13 @@ static int GetKey(DecodedCert* cert) cert->pubKeySize = length; cert->srcIdx += length; + + return 0; } - break; #endif /* HAVE_ECC */ default: return ASN_UNKNOWN_OID_E; } - - return 0; } diff --git a/ctaocrypt/src/hmac.c b/ctaocrypt/src/hmac.c index 003eb6317..71fd0cad4 100644 --- a/ctaocrypt/src/hmac.c +++ b/ctaocrypt/src/hmac.c @@ -86,7 +86,6 @@ static int InitHmac(Hmac* hmac, int type) default: return BAD_FUNC_ARG; - break; } return 0; diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index a0e72d83a..f55452aee 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -2412,10 +2412,6 @@ int camellia_test(void) {CAM_CBC_DEC, ptc, ivc, c6, k6, sizeof(k6), -125} }; - if ((sizeof(pte) != CAMELLIA_BLOCK_SIZE) || - (sizeof(ptc) != CAMELLIA_BLOCK_SIZE)) - return -113; - testsSz = sizeof(testVectors)/sizeof(test_vector_t); for (i = 0; i < testsSz; i++) { CamelliaSetKey(&cam, testVectors[i].key, testVectors[i].keySz, diff --git a/m4/ax_harden_compiler_flags.m4 b/m4/ax_harden_compiler_flags.m4 index c02af319d..903bb9382 100644 --- a/m4/ax_harden_compiler_flags.m4 +++ b/m4/ax_harden_compiler_flags.m4 @@ -121,6 +121,7 @@ AX_APPEND_COMPILE_FLAGS([-Wextra],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wunknown-pragmas],,[$ax_append_compile_cflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wthis-test-should-fail],,[$ax_append_compile_cflags_extra]) + AX_APPEND_COMPILE_FLAGS([-Wunreachable-code],,[$ax_append_compile_cflags_extra]) dnl Anything below this comment please keep sorted. AS_IF([test "$CC" = "clang"],[],[ AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1],,[$ax_append_compile_cflags_extra]) @@ -190,6 +191,7 @@ AX_APPEND_COMPILE_FLAGS([-Wextra],,[$ax_append_compile_cxxflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wunknown-pragmas],,[$ax_append_compile_cxxflags_extra]) AX_APPEND_COMPILE_FLAGS([-Wthis-test-should-fail],,[$ax_append_compile_cxxflags_extra]) + AX_APPEND_COMPILE_FLAGS([-Wunreachable-code],,[$ax_append_compile_cxxflags_extra]) dnl Anything below this comment please keep sorted. AX_APPEND_COMPILE_FLAGS([--param=ssp-buffer-size=1],,[$ax_append_compile_cxxflags_extra]) AX_APPEND_COMPILE_FLAGS([-Waddress],,[$ax_append_compile_cxxflags_extra]) diff --git a/src/internal.c b/src/internal.c index e15249829..0e78e6a62 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4154,8 +4154,9 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word16 sz) additional, AEAD_AUTH_DATA_SZ); AeadIncrementExpIV(ssl); XMEMSET(nonce, 0, AEAD_NONCE_SZ); + + break; } - break; #endif #ifdef HAVE_CAMELLIA @@ -4172,7 +4173,6 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word16 sz) #ifdef BUILD_RABBIT case cyassl_rabbit: return RabbitProcess(ssl->encrypt.rabbit, out, input, sz); - break; #endif #ifdef HAVE_NULL_CIPHER @@ -4309,7 +4309,6 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input, #ifdef BUILD_RABBIT case cyassl_rabbit: return RabbitProcess(ssl->decrypt.rabbit, plain, input, sz); - break; #endif #ifdef HAVE_NULL_CIPHER @@ -4861,7 +4860,7 @@ int ProcessReply(CYASSL* ssl) #endif for (;;) { - switch ((processReply)ssl->options.processReply) { + switch (ssl->options.processReply) { /* in the CYASSL_SERVER case, get the first byte for detecting * old client hello */ @@ -5184,6 +5183,7 @@ int ProcessReply(CYASSL* ssl) ssl->options.processReply = doProcessInit; continue; } + default: CYASSL_MSG("Bad process input state, programming error"); return INPUT_CASE_ERROR; diff --git a/src/tls.c b/src/tls.c index 02d69a57d..cd6f96edd 100644 --- a/src/tls.c +++ b/src/tls.c @@ -608,7 +608,6 @@ static int TLSX_SNI_Append(SNI** list, byte type, const void* data, word16 size) default: /* invalid type */ XFREE(sni, 0, DYNAMIC_TYPE_TLSX); return BAD_FUNC_ARG; - break; } sni->type = type; From 9c5ee66c8cf401f9f6c04a468c6a3738ee0c19ad Mon Sep 17 00:00:00 2001 From: toddouska Date: Sun, 2 Mar 2014 10:59:03 -0800 Subject: [PATCH 37/49] fix -Wunused-macros --- src/ssl.c | 9 ++++----- tests/suites.c | 4 +++- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index 3bbeeff37..c34878541 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1615,13 +1615,8 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) static ClientRow ClientCache[SESSION_ROWS]; /* Client Cache */ /* uses session mutex */ - #endif /* NO_CLIENT_CACHE */ - /* for persistance, if changes to layout need to increment and modify - save_session_cache() and restore_session_cache and memory versions too */ - #define CYASSL_CACHE_VERSION 2 - #endif /* NO_SESSION_CACHE */ @@ -3455,6 +3450,10 @@ int CyaSSL_SetServerID(CYASSL* ssl, const byte* id, int len, int newSession) #if defined(PERSIST_SESSION_CACHE) +/* for persistance, if changes to layout need to increment and modify + save_session_cache() and restore_session_cache and memory versions too */ +#define CYASSL_CACHE_VERSION 2 + /* Session Cache Header information */ typedef struct { int version; /* cache layout version id */ diff --git a/tests/suites.c b/tests/suites.c index 4df5a469b..f3cd7ff05 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -36,7 +36,9 @@ #define MAX_COMMAND_SZ 240 #define MAX_SUITE_SZ 80 #define NOT_BUILT_IN -123 -#define VERSION_TOO_OLD -124 +#ifdef NO_OLD_TLS + #define VERSION_TOO_OLD -124 +#endif #include "examples/client/client.h" #include "examples/server/server.h" From 7b00374930565416699e3467198936bb34044ec6 Mon Sep 17 00:00:00 2001 From: toddouska Date: Sun, 2 Mar 2014 11:06:41 -0800 Subject: [PATCH 38/49] fix -Wmissing-variable-declarations --- ctaocrypt/benchmark/benchmark.c | 42 +++++++++++++++++---------------- ctaocrypt/src/des3.c | 2 +- src/internal.c | 4 ++-- tests/suites.c | 12 +++++----- testsuite/testsuite.c | 4 ++-- 5 files changed, 33 insertions(+), 31 deletions(-) diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index 2086aaf10..e495521ca 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -219,27 +219,27 @@ int benchmark_test(void *args) #ifdef BENCH_EMBEDDED -const int numBlocks = 25; /* how many kB/megs to test (en/de)cryption */ -const char blockType[] = "kB"; /* used in printf output */ -const int ntimes = 1; /* public key iterations */ -const int genTimes = 5; -const int agreeTimes = 5; +static const int numBlocks = 25; /* how many kB/megs to test (en/de)cryption */ +static const char blockType[] = "kB"; /* used in printf output */ +static const int ntimes = 1; /* public key iterations */ +static const int genTimes = 5; +static const int agreeTimes = 5; #else -const int numBlocks = 5; -const char blockType[] = "megs"; -const int ntimes = 100; -const int genTimes = 100; -const int agreeTimes = 100; +static const int numBlocks = 5; +static const char blockType[] = "megs"; +static const int ntimes = 100; +static const int genTimes = 100; +static const int agreeTimes = 100; #endif -const byte key[] = +static const byte key[] = { 0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef, 0xfe,0xde,0xba,0x98,0x76,0x54,0x32,0x10, 0x89,0xab,0xcd,0xef,0x01,0x23,0x45,0x67 }; -const byte iv[] = +static const byte iv[] = { 0x12,0x34,0x56,0x78,0x90,0xab,0xcd,0xef, 0x01,0x01,0x01,0x01,0x01,0x01,0x01,0x01, @@ -250,11 +250,11 @@ const byte iv[] = /* use kB instead of mB for embedded benchmarking */ #ifdef BENCH_EMBEDDED -byte plain [1024]; -byte cipher[1024]; +static byte plain [1024]; +static byte cipher[1024]; #else -byte plain [1024*1024]; -byte cipher[1024*1024]; +static byte plain [1024*1024]; +static byte cipher[1024*1024]; #endif @@ -294,8 +294,10 @@ void bench_aes(int show) #endif -byte additional[13]; -byte tag[16]; +#if defined(HAVE_AESGCM) || defined(HAVE_AESCCM) + static byte additional[13]; + static byte tag[16]; +#endif #ifdef HAVE_AESGCM @@ -675,7 +677,7 @@ void bench_blake2(void) #if !defined(NO_RSA) || !defined(NO_DH) \ || defined(CYASSL_KEYGEN) || defined(HAVE_ECC) -RNG rng; +static RNG rng; #endif #ifndef NO_RSA @@ -684,7 +686,7 @@ RNG rng; #if !defined(USE_CERT_BUFFERS_1024) && !defined(USE_CERT_BUFFERS_2048) && \ defined(CYASSL_MDK_SHELL) static char *certRSAname = "certs/rsa2048.der" ; -void set_Bench_RSA_File(char * cert) { certRSAname = cert ; } +static void set_Bench_RSA_File(char * cert) { certRSAname = cert ; } /* set by shell command */ #elif defined(CYASSL_MDK_SHELL) /* nothing */ diff --git a/ctaocrypt/src/des3.c b/ctaocrypt/src/des3.c index cdccaaaea..15016b2b3 100644 --- a/ctaocrypt/src/des3.c +++ b/ctaocrypt/src/des3.c @@ -633,7 +633,7 @@ static const int bytebit[] = { 0200,0100,040,020,010,04,02,01 }; -const word32 Spbox[8][64] = { +static const word32 Spbox[8][64] = { { 0x01010400,0x00000000,0x00010000,0x01010404, 0x01010004,0x00010404,0x00000004,0x00010000, diff --git a/src/internal.c b/src/internal.c index 1fd2b6801..d6752f823 100644 --- a/src/internal.c +++ b/src/internal.c @@ -6363,7 +6363,7 @@ void SetErrorString(int error, char* str) /* be sure to add to cipher_name_idx too !!!! */ -const char* const cipher_names[] = +static const char* const cipher_names[] = { #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA "RC4-SHA", @@ -6682,7 +6682,7 @@ const char* const cipher_names[] = /* cipher suite number that matches above name table */ -int cipher_name_idx[] = +static int cipher_name_idx[] = { #ifdef BUILD_SSL_RSA_WITH_RC4_128_SHA diff --git a/tests/suites.c b/tests/suites.c index f3cd7ff05..a695476b3 100644 --- a/tests/suites.c +++ b/tests/suites.c @@ -44,12 +44,12 @@ #include "examples/server/server.h" -CYASSL_CTX* cipherSuiteCtx = NULL; -char nonblockFlag[] = "-N"; -char noVerifyFlag[] = "-d"; -char portFlag[] = "-p"; -char flagSep[] = " "; -char svrPort[] = "0"; +static CYASSL_CTX* cipherSuiteCtx = NULL; +static char nonblockFlag[] = "-N"; +static char noVerifyFlag[] = "-d"; +static char portFlag[] = "-p"; +static char flagSep[] = " "; +static char svrPort[] = "0"; #ifdef NO_OLD_TLS diff --git a/testsuite/testsuite.c b/testsuite/testsuite.c index 2a5ba498f..909090718 100644 --- a/testsuite/testsuite.c +++ b/testsuite/testsuite.c @@ -48,9 +48,9 @@ enum { }; #ifndef USE_WINDOWS_API - const char outputName[] = "/tmp/output"; + static const char outputName[] = "/tmp/output"; #else - const char outputName[] = "output"; + static const char outputName[] = "output"; #endif From f0f6497526ce02ef31c948780247964b139d3e23 Mon Sep 17 00:00:00 2001 From: toddouska Date: Sun, 2 Mar 2014 11:11:39 -0800 Subject: [PATCH 39/49] fix -Wconditional-uninitialized --- ctaocrypt/benchmark/benchmark.c | 2 +- src/internal.c | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index e495521ca..8fa17e725 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -800,7 +800,7 @@ void bench_dh(void) int i, ret; byte tmp[1024]; size_t bytes; - word32 idx = 0, pubSz, privSz, pubSz2, privSz2, agreeSz; + word32 idx = 0, pubSz, privSz = 0, pubSz2, privSz2, agreeSz; byte pub[256]; /* for 2048 bit */ byte priv[256]; /* for 2048 bit */ diff --git a/src/internal.c b/src/internal.c index d6752f823..29e2724e0 100644 --- a/src/internal.c +++ b/src/internal.c @@ -10336,8 +10336,8 @@ static void PickHashSigAlgo(CYASSL* ssl, /* RSA */ #ifndef NO_RSA if (ssl->peerRsaKeyPresent != 0) { - byte* out; - int outLen; + byte* out = NULL; + int outLen = 0; byte doUserRsa = 0; #ifdef HAVE_PK_CALLBACKS @@ -10388,12 +10388,12 @@ static void PickHashSigAlgo(CYASSL* ssl, sigSz = EncodeSignature(encodedSig, digest, digestSz, typeH); - if (outLen == (int)sigSz && XMEMCMP(out, encodedSig, + if (outLen == (int)sigSz && out && XMEMCMP(out, encodedSig, min(sigSz, MAX_ENCODED_SIG_SZ)) == 0) ret = 0; /* verified */ } else { - if (outLen == FINISHED_SZ && XMEMCMP(out, + if (outLen == FINISHED_SZ && out && XMEMCMP(out, &ssl->certHashes, FINISHED_SZ) == 0) ret = 0; /* verified */ } From a50d2e1e218dcb35f1a8230523ba2294e9a0d057 Mon Sep 17 00:00:00 2001 From: toddouska Date: Sun, 2 Mar 2014 11:47:43 -0800 Subject: [PATCH 40/49] fix -Wcast-align --- ctaocrypt/src/md4.c | 6 +++--- ctaocrypt/src/md5.c | 6 +++--- ctaocrypt/src/misc.c | 16 +++++----------- ctaocrypt/src/ripemd.c | 7 ++++--- ctaocrypt/src/sha.c | 11 ++++++----- ctaocrypt/src/sha256.c | 12 +++++++----- cyassl/ctaocrypt/misc.h | 4 +--- cyassl/test.h | 6 ++++-- 8 files changed, 33 insertions(+), 35 deletions(-) diff --git a/ctaocrypt/src/md4.c b/ctaocrypt/src/md4.c index 0126428a7..15961a007 100644 --- a/ctaocrypt/src/md4.c +++ b/ctaocrypt/src/md4.c @@ -161,7 +161,7 @@ void Md4Update(Md4* md4, const byte* data, word32 len) if (md4->buffLen == MD4_BLOCK_SIZE) { #ifdef BIG_ENDIAN_ORDER - ByteReverseBytes(local, local, MD4_BLOCK_SIZE); + ByteReverseWords(md4->buffer, md4->buffer, MD4_BLOCK_SIZE); #endif Transform(md4); AddLength(md4, MD4_BLOCK_SIZE); @@ -185,7 +185,7 @@ void Md4Final(Md4* md4, byte* hash) md4->buffLen += MD4_BLOCK_SIZE - md4->buffLen; #ifdef BIG_ENDIAN_ORDER - ByteReverseBytes(local, local, MD4_BLOCK_SIZE); + ByteReverseWords(md4->buffer, md4->buffer, MD4_BLOCK_SIZE); #endif Transform(md4); md4->buffLen = 0; @@ -199,7 +199,7 @@ void Md4Final(Md4* md4, byte* hash) /* store lengths */ #ifdef BIG_ENDIAN_ORDER - ByteReverseBytes(local, local, MD4_BLOCK_SIZE); + ByteReverseWords(md4->buffer, md4->buffer, MD4_BLOCK_SIZE); #endif /* ! length ordering dependent on digest endian type ! */ XMEMCPY(&local[MD4_PAD_SIZE], &md4->loLen, sizeof(word32)); diff --git a/ctaocrypt/src/md5.c b/ctaocrypt/src/md5.c index 7d2fe1429..96bcc359d 100644 --- a/ctaocrypt/src/md5.c +++ b/ctaocrypt/src/md5.c @@ -300,7 +300,7 @@ void Md5Update(Md5* md5, const byte* data, word32 len) if (md5->buffLen == MD5_BLOCK_SIZE) { #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, MD5_BLOCK_SIZE); + ByteReverseWords(md5->buffer, md5->buffer, MD5_BLOCK_SIZE); #endif XTRANSFORM(md5, local); AddLength(md5, MD5_BLOCK_SIZE); @@ -324,7 +324,7 @@ void Md5Final(Md5* md5, byte* hash) md5->buffLen += MD5_BLOCK_SIZE - md5->buffLen; #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, MD5_BLOCK_SIZE); + ByteReverseWords(md5->buffer, md5->buffer, MD5_BLOCK_SIZE); #endif XTRANSFORM(md5, local); md5->buffLen = 0; @@ -338,7 +338,7 @@ void Md5Final(Md5* md5, byte* hash) /* store lengths */ #if defined(BIG_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, MD5_BLOCK_SIZE); + ByteReverseWords(md5->buffer, md5->buffer, MD5_BLOCK_SIZE); #endif /* ! length ordering dependent on digest endian type ! */ XMEMCPY(&local[MD5_PAD_SIZE], &md5->loLen, sizeof(word32)); diff --git a/ctaocrypt/src/misc.c b/ctaocrypt/src/misc.c index 453608957..971af0aa5 100644 --- a/ctaocrypt/src/misc.c +++ b/ctaocrypt/src/misc.c @@ -146,15 +146,6 @@ STATIC INLINE void ByteReverseWords64(word64* out, const word64* in, #endif /* WORD64_AVAILABLE */ -STATIC INLINE void ByteReverseBytes(byte* out, const byte* in, word32 byteCount) -{ - word32* op = (word32*)out; - const word32* ip = (const word32*)in; - - ByteReverseWords(op, ip, byteCount); -} - - STATIC INLINE void XorWords(word* r, const word* a, word32 n) { word32 i; @@ -163,13 +154,16 @@ STATIC INLINE void XorWords(word* r, const word* a, word32 n) } -STATIC INLINE void xorbuf(byte* buf, const byte* mask, word32 count) +STATIC INLINE void xorbuf(void* buf, const void* mask, word32 count) { if (((word)buf | (word)mask | count) % CYASSL_WORD_SIZE == 0) XorWords( (word*)buf, (const word*)mask, count / CYASSL_WORD_SIZE); else { word32 i; - for (i = 0; i < count; i++) buf[i] ^= mask[i]; + byte* b = (byte*)buf; + const byte* m = (const byte*)mask; + + for (i = 0; i < count; i++) b[i] ^= m[i]; } } #undef STATIC diff --git a/ctaocrypt/src/ripemd.c b/ctaocrypt/src/ripemd.c index f32351d5c..f885a6f30 100644 --- a/ctaocrypt/src/ripemd.c +++ b/ctaocrypt/src/ripemd.c @@ -295,7 +295,8 @@ void RipeMdUpdate(RipeMd* ripemd, const byte* data, word32 len) if (ripemd->buffLen == RIPEMD_BLOCK_SIZE) { #ifdef BIG_ENDIAN_ORDER - ByteReverseBytes(local, local, RIPEMD_BLOCK_SIZE); + ByteReverseWords(ripemd->buffer, ripemd->buffer, + RIPEMD_BLOCK_SIZE); #endif Transform(ripemd); AddLength(ripemd, RIPEMD_BLOCK_SIZE); @@ -319,7 +320,7 @@ void RipeMdFinal(RipeMd* ripemd, byte* hash) ripemd->buffLen += RIPEMD_BLOCK_SIZE - ripemd->buffLen; #ifdef BIG_ENDIAN_ORDER - ByteReverseBytes(local, local, RIPEMD_BLOCK_SIZE); + ByteReverseWords(ripemd->buffer, ripemd->buffer, RIPEMD_BLOCK_SIZE); #endif Transform(ripemd); ripemd->buffLen = 0; @@ -333,7 +334,7 @@ void RipeMdFinal(RipeMd* ripemd, byte* hash) /* store lengths */ #ifdef BIG_ENDIAN_ORDER - ByteReverseBytes(local, local, RIPEMD_BLOCK_SIZE); + ByteReverseWords(ripemd->buffer, ripemd->buffer, RIPEMD_BLOCK_SIZE); #endif /* ! length ordering dependent on digest endian type ! */ XMEMCPY(&local[RIPEMD_PAD_SIZE], &ripemd->loLen, sizeof(word32)); diff --git a/ctaocrypt/src/sha.c b/ctaocrypt/src/sha.c index 30b669341..93683ee95 100644 --- a/ctaocrypt/src/sha.c +++ b/ctaocrypt/src/sha.c @@ -311,7 +311,7 @@ void ShaUpdate(Sha* sha, const byte* data, word32 len) if (sha->buffLen == SHA_BLOCK_SIZE) { #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, SHA_BLOCK_SIZE); + ByteReverseWords(sha->buffer, sha->buffer, SHA_BLOCK_SIZE); #endif XTRANSFORM(sha, local); AddLength(sha, SHA_BLOCK_SIZE); @@ -335,7 +335,7 @@ void ShaFinal(Sha* sha, byte* hash) sha->buffLen += SHA_BLOCK_SIZE - sha->buffLen; #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, SHA_BLOCK_SIZE); + ByteReverseWords(sha->buffer, sha->buffer, SHA_BLOCK_SIZE); #endif XTRANSFORM(sha, local); sha->buffLen = 0; @@ -349,7 +349,7 @@ void ShaFinal(Sha* sha, byte* hash) /* store lengths */ #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, SHA_BLOCK_SIZE); + ByteReverseWords(sha->buffer, sha->buffer, SHA_BLOCK_SIZE); #endif /* ! length ordering dependent on digest endian type ! */ XMEMCPY(&local[SHA_PAD_SIZE], &sha->hiLen, sizeof(word32)); @@ -357,8 +357,9 @@ void ShaFinal(Sha* sha, byte* hash) #ifdef FREESCALE_MMCAU /* Kinetis requires only these bytes reversed */ - ByteReverseBytes(&local[SHA_PAD_SIZE], &local[SHA_PAD_SIZE], - 2 * sizeof(word32)); + ByteReverseWords(&sha->buffer[SHA_PAD_SIZE/sizeof(word32)], + &sha->buffer[SHA_PAD_SIZE/sizeof(word32)], + 2 * sizeof(word32)); #endif XTRANSFORM(sha, local); diff --git a/ctaocrypt/src/sha256.c b/ctaocrypt/src/sha256.c index 97f64a3ca..769edf9e2 100644 --- a/ctaocrypt/src/sha256.c +++ b/ctaocrypt/src/sha256.c @@ -167,7 +167,8 @@ void Sha256Update(Sha256* sha256, const byte* data, word32 len) if (sha256->buffLen == SHA256_BLOCK_SIZE) { #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, SHA256_BLOCK_SIZE); + ByteReverseWords(sha256->buffer, sha256->buffer, + SHA256_BLOCK_SIZE); #endif XTRANSFORM(sha256, local); AddLength(sha256, SHA256_BLOCK_SIZE); @@ -191,7 +192,7 @@ void Sha256Final(Sha256* sha256, byte* hash) sha256->buffLen += SHA256_BLOCK_SIZE - sha256->buffLen; #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, SHA256_BLOCK_SIZE); + ByteReverseWords(sha256->buffer, sha256->buffer, SHA256_BLOCK_SIZE); #endif XTRANSFORM(sha256, local); sha256->buffLen = 0; @@ -205,7 +206,7 @@ void Sha256Final(Sha256* sha256, byte* hash) /* store lengths */ #if defined(LITTLE_ENDIAN_ORDER) && !defined(FREESCALE_MMCAU) - ByteReverseBytes(local, local, SHA256_BLOCK_SIZE); + ByteReverseWords(sha256->buffer, sha256->buffer, SHA256_BLOCK_SIZE); #endif /* ! length ordering dependent on digest endian type ! */ XMEMCPY(&local[SHA256_PAD_SIZE], &sha256->hiLen, sizeof(word32)); @@ -214,8 +215,9 @@ void Sha256Final(Sha256* sha256, byte* hash) #ifdef FREESCALE_MMCAU /* Kinetis requires only these bytes reversed */ - ByteReverseBytes(&local[SHA256_PAD_SIZE], &local[SHA256_PAD_SIZE], - 2 * sizeof(word32)); + ByteReverseWords(&sha256->buffer[SHA256_PAD_SIZE/sizeof(word32)], + &sha256->buffer[SHA256_PAD_SIZE/sizeof(word32)], + 2 * sizeof(word32)); #endif XTRANSFORM(sha256, local); diff --git a/cyassl/ctaocrypt/misc.h b/cyassl/ctaocrypt/misc.h index 49c9fa179..1740e1ab7 100644 --- a/cyassl/ctaocrypt/misc.h +++ b/cyassl/ctaocrypt/misc.h @@ -42,13 +42,11 @@ CYASSL_LOCAL word32 ByteReverseWord32(word32); CYASSL_LOCAL void ByteReverseWords(word32*, const word32*, word32); -CYASSL_LOCAL -void ByteReverseBytes(byte*, const byte*, word32); CYASSL_LOCAL void XorWords(word*, const word*, word32); CYASSL_LOCAL -void xorbuf(byte*, const byte*, word32); +void xorbuf(void*, const void*, word32); #ifdef WORD64_AVAILABLE CYASSL_LOCAL diff --git a/cyassl/test.h b/cyassl/test.h index c5e2799d0..91ef89692 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -1146,7 +1146,8 @@ static INLINE int CurrentDir(const char* str) if (ptr == NULL) return; - mt = (memoryTrack*)((byte*)ptr - sizeof(memoryTrack)); + mt = (memoryTrack*)ptr; + --mt; /* same as minus sizeof(memoryTrack), removes header */ #ifdef DO_MEM_STATS ourMemStats.currentBytes -= mt->u.hint.thisSize; @@ -1162,7 +1163,8 @@ static INLINE int CurrentDir(const char* str) if (ptr) { /* if realloc is bigger, don't overread old ptr */ - memoryTrack* mt = (memoryTrack*)((byte*)ptr - sizeof(memoryTrack)); + memoryTrack* mt = (memoryTrack*)ptr; + --mt; /* same as minus sizeof(memoryTrack), removes header */ if (mt->u.hint.thisSize < sz) sz = mt->u.hint.thisSize; From ec7c79c12edc12f9e1c238deab1c18fed916702f Mon Sep 17 00:00:00 2001 From: John Safranek Date: Sun, 2 Mar 2014 18:38:12 -0800 Subject: [PATCH 41/49] fix a couple more uninitialized variables --- ctaocrypt/src/asn.c | 5 +---- src/internal.c | 9 +++++---- 2 files changed, 6 insertions(+), 8 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index 276029f47..e5c23f15d 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -3276,9 +3276,7 @@ static void DecodeCertExtensions(DecodedCert* cert) byte* input = cert->extensions; int length; word32 oid; - byte critical; - - (void)critical; + byte critical = 0; CYASSL_ENTER("DecodeCertExtensions"); @@ -3391,7 +3389,6 @@ static void DecodeCertExtensions(DecodedCert* cert) } idx += length; } - (void)critical; CYASSL_LEAVE("DecodeCertExtensions", 0); return; diff --git a/src/internal.c b/src/internal.c index 29e2724e0..1adabdd4a 100644 --- a/src/internal.c +++ b/src/internal.c @@ -7856,8 +7856,8 @@ static void PickHashSigAlgo(CYASSL* ssl, /* rsa */ if (sigAlgo == rsa_sa_algo) { - int ret; - byte* out; + int ret = 0; + byte* out = NULL; byte doUserRsa = 0; #ifdef HAVE_PK_CALLBACKS @@ -7919,12 +7919,13 @@ static void PickHashSigAlgo(CYASSL* ssl, encSigSz = EncodeSignature(encodedSig, digest, digestSz, typeH); - if (encSigSz != (word32)ret || XMEMCMP(out, encodedSig, + if (encSigSz != (word32)ret || !out || XMEMCMP(out, encodedSig, min(encSigSz, MAX_ENCODED_SIG_SZ)) != 0) return VERIFY_SIGN_ERROR; } else { - if (ret != sizeof(hash) || XMEMCMP(out, hash,sizeof(hash)) != 0) + if (ret != sizeof(hash) || !out || XMEMCMP(out, + hash, sizeof(hash)) != 0) return VERIFY_SIGN_ERROR; } } else From c39cdbea549547de3f01d60bdda81dff2c264f29 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 3 Mar 2014 12:18:26 -0800 Subject: [PATCH 42/49] make sure enable-webserver (HAVE_WEBSERVER) can handle password callbacks as well as opensslextra unless NO_PWDBASED defined --- configure.ac | 30 +++++++++++++++--------------- cyassl/test.h | 2 +- examples/client/client.c | 2 +- examples/echoclient/echoclient.c | 2 +- examples/echoserver/echoserver.c | 2 +- examples/server/server.c | 2 +- src/internal.c | 2 +- src/ssl.c | 4 ++-- 8 files changed, 23 insertions(+), 23 deletions(-) diff --git a/configure.ac b/configure.ac index 32da5f401..d10f6c9f7 100644 --- a/configure.ac +++ b/configure.ac @@ -985,6 +985,19 @@ fi AM_CONDITIONAL([BUILD_MD4], [test "x$ENABLED_MD4" = "xyes"]) +# Web Server Build +AC_ARG_ENABLE([webserver], + [ --enable-webserver Enable Web Server (default: disabled)], + [ ENABLED_WEBSERVER=$enableval ], + [ ENABLED_WEBSERVER=no ] + ) + +if test "$ENABLED_WEBSERVER" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_WEBSERVER" +fi + + # PWDBASED AC_ARG_ENABLE([pwdbased], [ --enable-pwdbased Enable PWDBASED (default: disabled)], @@ -994,9 +1007,9 @@ AC_ARG_ENABLE([pwdbased], if test "$ENABLED_PWDBASED" = "no" then - if test "$ENABLED_OPENSSLEXTRA" = "yes" + if test "$ENABLED_OPENSSLEXTRA" = "yes" || test "$ENABLED_WEBSERVER" = "yes" then - # opensslextra needs pwdbased + # opensslextra and webserver needs pwdbased ENABLED_PWDBASED=yes else AM_CFLAGS="$AM_CFLAGS -DNO_PWDBASED" @@ -1040,19 +1053,6 @@ fi AM_CONDITIONAL([BUILD_RABBIT], [test "x$ENABLED_RABBIT" = "xyes"]) -# Web Server Build -AC_ARG_ENABLE([webserver], - [ --enable-webserver Enable Web Server (default: disabled)], - [ ENABLED_WEBSERVER=$enableval ], - [ ENABLED_WEBSERVER=no ] - ) - -if test "$ENABLED_WEBSERVER" = "yes" -then - AM_CFLAGS="$AM_CFLAGS -DHAVE_WEBSERVER" -fi - - # Filesystem Build AC_ARG_ENABLE([filesystem], [ --enable-filesystem Enable Filesystem support (default: enabled)], diff --git a/cyassl/test.h b/cyassl/test.h index 91ef89692..a59924823 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -282,7 +282,7 @@ static INLINE int mygetopt(int argc, char** argv, const char* optstring) } -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) static INLINE int PasswordCallBack(char* passwd, int sz, int rw, void* userdata) { diff --git a/examples/client/client.c b/examples/client/client.c index 807d7e91e..edc601e48 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -490,7 +490,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) useClientCert = 0; } -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) CyaSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index ee654d481..903af3563 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -139,7 +139,7 @@ void echoclient_test(void* args) #endif } -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 1eac9b5a9..10bd3bab4 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -125,7 +125,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) ctx = CyaSSL_CTX_new(method); /* CyaSSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); */ -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) CyaSSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif diff --git a/examples/server/server.c b/examples/server/server.c index f99be0aa2..5c6920a00 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -374,7 +374,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) if (fewerPackets) CyaSSL_CTX_set_group_messages(ctx); -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) SSL_CTX_set_default_passwd_cb(ctx, PasswordCallBack); #endif diff --git a/src/internal.c b/src/internal.c index 1adabdd4a..5a4dfd564 100644 --- a/src/internal.c +++ b/src/internal.c @@ -367,7 +367,7 @@ int InitSSL_Ctx(CYASSL_CTX* ctx, CYASSL_METHOD* method) ctx->eccTempKeySz = ECDHE_SIZE; #endif -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) ctx->passwd_cb = 0; ctx->userdata = 0; #endif /* OPENSSL_EXTRA */ diff --git a/src/ssl.c b/src/ssl.c index c34878541..8bd06a7e7 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1193,7 +1193,7 @@ int CyaSSL_KeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff, info.consumed = 0; der.buffer = NULL; -#ifdef OPENSSL_EXTRA +#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER) if (pass) { info.ctx = CyaSSL_CTX_new(CyaSSLv23_client_method()); if (info.ctx == NULL) @@ -1829,7 +1829,7 @@ int CyaSSL_Init(void) } } -#if defined(OPENSSL_EXTRA) && !defined(NO_PWDBASED) +#if (defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)) && !defined(NO_PWDBASED) if (pkcs8Enc) { int passwordSz; char password[80]; From 1fd62456007159265de2605b83a3560ced8411a5 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 3 Mar 2014 13:27:52 -0800 Subject: [PATCH 43/49] fix all clang warnings except Wpadded (diagnostic), Wconversion which inludes Wsign-conversion (implicit conversions part of standard) --- ctaocrypt/benchmark/benchmark.c | 2 +- ctaocrypt/src/ecc.c | 3 ++- ctaocrypt/src/tfm.c | 2 +- src/internal.c | 2 +- src/ocsp.c | 3 --- tests/api.c | 2 +- 6 files changed, 6 insertions(+), 8 deletions(-) diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index 8fa17e725..4b4a3fa6d 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -956,7 +956,7 @@ void bench_eccKeyAgree(void) byte shared[1024]; byte sig[1024]; byte digest[32]; - word32 x; + word32 x = 0; ecc_init(&genKey); ecc_init(&genKey2); diff --git a/ctaocrypt/src/ecc.c b/ctaocrypt/src/ecc.c index 609a386f8..bf21125f3 100644 --- a/ctaocrypt/src/ecc.c +++ b/ctaocrypt/src/ecc.c @@ -971,7 +971,8 @@ static int ecc_mulmod(mp_int* k, ecc_point *G, ecc_point *R, mp_int* modulus, mp_int mu; mp_digit mp; unsigned long buf; - int first, bitbuf, bitcpy, bitcnt, mode, digidx; + int first = 1, bitbuf = 0, bitcpy = 0, bitcnt = 0, mode = 0, + digidx = 0; if (k == NULL || G == NULL || R == NULL || modulus == NULL) return ECC_BAD_ARG_E; diff --git a/ctaocrypt/src/tfm.c b/ctaocrypt/src/tfm.c index 9f71484d6..2fa280e9c 100644 --- a/ctaocrypt/src/tfm.c +++ b/ctaocrypt/src/tfm.c @@ -2402,7 +2402,7 @@ int mp_add_d(fp_int *a, fp_digit b, fp_int *c) #ifdef HAVE_ECC /* chars used in radix conversions */ -const char *fp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"; +static const char *fp_s_rmap = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz+/"; static int fp_read_radix(fp_int *a, const char *str, int radix) { diff --git a/src/internal.c b/src/internal.c index 5a4dfd564..bba554558 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2817,7 +2817,7 @@ static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx, #endif /* verify record type here as well */ - switch ((enum ContentType)rh->type) { + switch (rh->type) { case handshake: case change_cipher_spec: case application_data: diff --git a/src/ocsp.c b/src/ocsp.c index d03f66d88..cb55c4e04 100644 --- a/src/ocsp.c +++ b/src/ocsp.c @@ -94,13 +94,10 @@ static int xstat2err(int stat) switch (stat) { case CERT_GOOD: return 0; - break; case CERT_REVOKED: return OCSP_CERT_REVOKED; - break; default: return OCSP_CERT_UNKNOWN; - break; } } diff --git a/tests/api.c b/tests/api.c index efbce2d33..1342f251a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -948,7 +948,7 @@ static int test_CyaSSL_read_write(void) FreeTcpReady(&ready); return test_result; -}; +} #endif From 1bb09fb97a4b47c98ec756bf1e73ea5a7d41fda2 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Mon, 3 Mar 2014 14:51:57 -0800 Subject: [PATCH 44/49] Added epoch to sequence number for AES-CCM with DTLS encrypt/decrypt. --- src/internal.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/internal.c b/src/internal.c index 1adabdd4a..5fd9b96ff 100644 --- a/src/internal.c +++ b/src/internal.c @@ -4134,8 +4134,10 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word16 sz) /* Store the type, version. Unfortunately, they are in * the input buffer ahead of the plaintext. */ #ifdef CYASSL_DTLS - if (ssl->options.dtls) + if (ssl->options.dtls) { + c16toa(ssl->keys.dtls_epoch, additional); additionalSrc -= DTLS_HANDSHAKE_EXTRA; + } #endif XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3); @@ -4271,7 +4273,12 @@ static INLINE int Decrypt(CYASSL* ssl, byte* plain, const byte* input, /* sequence number field is 64-bits, we only use 32-bits */ c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET); - + + #ifdef CYASSL_DTLS + if (ssl->options.dtls) + c16toa(ssl->keys.dtls_state.curEpoch, additional); + #endif + additional[AEAD_TYPE_OFFSET] = ssl->curRL.type; additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor; additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor; From f1597c86b1c435ed279d2fd325c7dfb4619960a2 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 3 Mar 2014 16:46:48 -0800 Subject: [PATCH 45/49] fix clang -Wconversion except -Wsign-conversion --- ctaocrypt/benchmark/benchmark.c | 2 +- ctaocrypt/src/asn.c | 4 ++-- ctaocrypt/src/coding.c | 16 ++++++++-------- ctaocrypt/test/test.c | 2 +- cyassl/test.h | 10 +++++----- examples/client/client.c | 4 ++-- examples/echoclient/echoclient.c | 2 +- examples/echoserver/echoserver.c | 4 ++-- examples/server/server.c | 4 ++-- src/internal.c | 6 +++--- src/sniffer.c | 14 +++++++------- 11 files changed, 34 insertions(+), 34 deletions(-) diff --git a/ctaocrypt/benchmark/benchmark.c b/ctaocrypt/benchmark/benchmark.c index 4b4a3fa6d..72503131b 100644 --- a/ctaocrypt/benchmark/benchmark.c +++ b/ctaocrypt/benchmark/benchmark.c @@ -998,7 +998,7 @@ void bench_eccKeyAgree(void) /* make dummy digest */ for (i = 0; i < (int)sizeof(digest); i++) - digest[i] = i; + digest[i] = (byte)i; start = current_time(1); diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index e5c23f15d..f0e93b949 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -3210,11 +3210,11 @@ static void DecodeSubjKeyId(byte* input, int sz, DecodedCert* cert) length--; if (length == 2) { - cert->extKeyUsage = (input[idx] << 8) | input[idx+1]; + cert->extKeyUsage = (word16)((input[idx] << 8) | input[idx+1]); cert->extKeyUsage >>= unusedBits; } else if (length == 1) - cert->extKeyUsage = (input[idx] << 1); + cert->extKeyUsage = (word16)(input[idx] << 1); return; } diff --git a/ctaocrypt/src/coding.c b/ctaocrypt/src/coding.c index 8add2d59a..c18c7ee05 100644 --- a/ctaocrypt/src/coding.c +++ b/ctaocrypt/src/coding.c @@ -95,9 +95,9 @@ int Base64_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) e3 = (e3 == PAD) ? 0 : base64Decode[e3 - 0x2B]; e4 = (e4 == PAD) ? 0 : base64Decode[e4 - 0x2B]; - b1 = (e1 << 2) | (e2 >> 4); - b2 = ((e2 & 0xF) << 4) | (e3 >> 2); - b3 = ((e3 & 0x3) << 6) | e4; + b1 = (byte)((e1 << 2) | (e2 >> 4)); + b2 = (byte)(((e2 & 0xF) << 4) | (e3 >> 2)); + b3 = (byte)(((e3 & 0x3) << 6) | e4); out[i++] = b1; if (!pad3) @@ -251,8 +251,8 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out, /* encoded idx */ byte e1 = b1 >> 2; - byte e2 = ((b1 & 0x3) << 4) | (b2 >> 4); - byte e3 = ((b2 & 0xF) << 2) | (b3 >> 6); + byte e2 = (byte)(((b1 & 0x3) << 4) | (b2 >> 4)); + byte e3 = (byte)(((b2 & 0xF) << 2) | (b3 >> 6)); byte e4 = b3 & 0x3F; /* store */ @@ -281,8 +281,8 @@ static int DoBase64_Encode(const byte* in, word32 inLen, byte* out, byte b2 = (twoBytes) ? in[j++] : 0; byte e1 = b1 >> 2; - byte e2 = ((b1 & 0x3) << 4) | (b2 >> 4); - byte e3 = (b2 & 0xF) << 2; + byte e2 = (byte)(((b1 & 0x3) << 4) | (b2 >> 4)); + byte e3 = (byte)((b2 & 0xF) << 2); ret = CEscape(escaped, e1, out, &i, *outLen, 0); if (ret == 0) @@ -375,7 +375,7 @@ int Base16_Decode(const byte* in, word32 inLen, byte* out, word32* outLen) if (b == BAD || b2 == BAD) return ASN_INPUT_E; - out[outIdx++] = (b << 4) | b2; + out[outIdx++] = (byte)((b << 4) | b2); inLen -= 2; } diff --git a/ctaocrypt/test/test.c b/ctaocrypt/test/test.c index f55452aee..a21d1b8c8 100644 --- a/ctaocrypt/test/test.c +++ b/ctaocrypt/test/test.c @@ -3784,7 +3784,7 @@ int ecc_test(void) /* test DSA sign hash */ for (i = 0; i < (int)sizeof(digest); i++) - digest[i] = i; + digest[i] = (byte)i; x = sizeof(sig); ret = ecc_sign_hash(digest, sizeof(digest), sig, &x, &rng, &userA); diff --git a/cyassl/test.h b/cyassl/test.h index a59924823..e176e3b28 100644 --- a/cyassl/test.h +++ b/cyassl/test.h @@ -159,8 +159,8 @@ #define crlPemDir "./certs/crl" typedef struct tcp_ready { - int ready; /* predicate */ - int port; + word16 ready; /* predicate */ + word16 port; #if defined(_POSIX_THREADS) && !defined(__MINGW32__) pthread_mutex_t mutex; pthread_cond_t cond; @@ -558,7 +558,7 @@ static INLINE int tcp_select(SOCKET_T socketfd, int to_sec) #endif /* !CYASSL_MDK_ARM */ -static INLINE void tcp_listen(SOCKET_T* sockfd, int* port, int useAnyAddr, +static INLINE void tcp_listen(SOCKET_T* sockfd, word16* port, int useAnyAddr, int udp) { SOCKADDR_IN_T addr; @@ -620,7 +620,7 @@ static INLINE int udp_read_connect(SOCKET_T sockfd) } static INLINE void udp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, - int useAnyAddr, int port, func_args* args) + int useAnyAddr, word16 port, func_args* args) { SOCKADDR_IN_T addr; @@ -671,7 +671,7 @@ static INLINE void udp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, } static INLINE void tcp_accept(SOCKET_T* sockfd, SOCKET_T* clientfd, - func_args* args, int port, int useAnyAddr, + func_args* args, word16 port, int useAnyAddr, int udp) { SOCKADDR_IN_T client; diff --git a/examples/client/client.c b/examples/client/client.c index edc601e48..b2564d102 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -175,7 +175,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) int input; int msgSz = (int)strlen(msg); - int port = yasslPort; + word16 port = yasslPort; char* host = (char*)yasslIP; char* domain = (char*)"www.yassl.com"; @@ -293,7 +293,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) break; case 'p' : - port = atoi(myoptarg); + port = (word16)atoi(myoptarg); #if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API) if (port == 0) err_sys("port number cannot be 0"); diff --git a/examples/echoclient/echoclient.c b/examples/echoclient/echoclient.c index 903af3563..787d104ef 100644 --- a/examples/echoclient/echoclient.c +++ b/examples/echoclient/echoclient.c @@ -60,7 +60,7 @@ void echoclient_test(void* args) int sendSz; int argc = 0; char** argv = 0; - int port = yasslPort; + word16 port = yasslPort; ((func_args*)args)->return_code = -1; /* error state */ diff --git a/examples/echoserver/echoserver.c b/examples/echoserver/echoserver.c index 10bd3bab4..d612bfb76 100644 --- a/examples/echoserver/echoserver.c +++ b/examples/echoserver/echoserver.c @@ -48,7 +48,7 @@ #define SVR_COMMAND_SIZE 256 -static void SignalReady(void* args, int port) +static void SignalReady(void* args, word16 port) { #if defined(_POSIX_THREADS) && defined(NO_MAIN_DRIVER) && !defined(__MINGW32__) /* signal ready to tcp_accept */ @@ -76,7 +76,7 @@ THREAD_RETURN CYASSL_THREAD echoserver_test(void* args) int outCreated = 0; int shutDown = 0; int useAnyAddr = 0; - int port = yasslPort; + word16 port = yasslPort; int argc = ((func_args*)args)->argc; char** argv = ((func_args*)args)->argv; diff --git a/examples/server/server.c b/examples/server/server.c index 5c6920a00..435db8a23 100644 --- a/examples/server/server.c +++ b/examples/server/server.c @@ -153,7 +153,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int version = SERVER_DEFAULT_VERSION; int doCliCertCheck = 1; int useAnyAddr = 0; - int port = yasslPort; + word16 port = yasslPort; int usePsk = 0; int doDTLS = 0; int useNtruKey = 0; @@ -230,7 +230,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) break; case 'p' : - port = atoi(myoptarg); + port = (word16)atoi(myoptarg); #if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API) if (port == 0) err_sys("port number cannot be 0"); diff --git a/src/internal.c b/src/internal.c index bba554558..0568337e3 100644 --- a/src/internal.c +++ b/src/internal.c @@ -231,7 +231,7 @@ static INLINE void c24to32(const word24 u24, word32* u32) /* convert opaque to 16 bit integer */ static INLINE void ato16(const byte* c, word16* u16) { - *u16 = (c[0] << 8) | (c[1]); + *u16 = (word16) ((c[0] << 8) | (c[1])); } @@ -4703,7 +4703,7 @@ static int DoAlert(CYASSL* ssl, byte* input, word32* inOutIdx, int* type) RECORD_HEADER_SZ, 2 + RECORD_HEADER_SZ, ssl->heap); #endif level = input[(*inOutIdx)++]; - code = (int)input[(*inOutIdx)++]; + code = input[(*inOutIdx)++]; ssl->alert_history.last_rx.code = code; ssl->alert_history.last_rx.level = level; *type = code; @@ -4904,7 +4904,7 @@ int ProcessReply(CYASSL* ssl) ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; b1 = ssl->buffers.inputBuffer.buffer[ssl->buffers.inputBuffer.idx++]; - ssl->curSize = ((b0 & 0x7f) << 8) | b1; + ssl->curSize = (word16)(((b0 & 0x7f) << 8) | b1); } else { ssl->options.processReply = getRecordLayerHeader; diff --git a/src/sniffer.c b/src/sniffer.c index 6779b4d8e..67a40a16c 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1142,7 +1142,7 @@ static int ProcessSessionTicket(const byte* input, int* sslBytes, input += TICKET_HINT_LEN; /* skip over hint */ *sslBytes -= TICKET_HINT_LEN; - len = (input[0] << 8) | input[1]; + len = (word16)((input[0] << 8) | input[1]); input += LENGTH_SZ; *sslBytes -= LENGTH_SZ; @@ -1349,7 +1349,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return -1; } - len = (input[0] << 8) | input[1]; + len = (word16)((input[0] << 8) | input[1]); input += SUITE_LEN; *sslBytes -= SUITE_LEN; /* make sure can read suites + comp len */ @@ -1382,7 +1382,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, SetError(CLIENT_HELLO_INPUT_STR, error, session, FATAL_ERROR_STATE); return -1; } - len = (input[0] << 8) | input[1]; + len = (word16)((input[0] << 8) | input[1]); input += SUITE_LEN; *sslBytes -= SUITE_LEN; /* make sure can read through all extensions */ @@ -1400,7 +1400,7 @@ static int ProcessClientHello(const byte* input, int* sslBytes, input += EXT_TYPE_SZ; *sslBytes -= EXT_TYPE_SZ; - extLen = (input[0] << 8) | input[1]; + extLen = (word16)((input[0] << 8) | input[1]); input += LENGTH_SZ; *sslBytes -= LENGTH_SZ; @@ -1700,8 +1700,8 @@ static SnifferSession* CreateSession(IpInfo* ipInfo, TcpInfo* tcpInfo, InitSession(session); session->server = ipInfo->dst; session->client = ipInfo->src; - session->srvPort = tcpInfo->dstPort; - session->cliPort = tcpInfo->srcPort; + session->srvPort = (word16)tcpInfo->dstPort; + session->cliPort = (word16)tcpInfo->srcPort; session->cliSeqStart = tcpInfo->sequence; session->cliExpected = 1; /* relative */ session->lastUsed= time(NULL); @@ -1781,7 +1781,7 @@ static int DoOldHello(SnifferSession* session, const byte* sslFrame, } ret = ProcessOldClientHello(session->sslServer, input, &idx, *sslBytes, - *rhSize); + (word16)*rhSize); if (ret < 0 && ret != MATCH_SUITE_ERROR) { SetError(BAD_OLD_CLIENT_STR, error, session, FATAL_ERROR_STATE); return -1; From b0d255ed40154053e74ff98ce88b9b739067e0e0 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 5 Mar 2014 13:12:42 -0800 Subject: [PATCH 46/49] fix IE session tickets, they don't have sessionIDs like Chrome, Safari, and Firefox do --- src/sniffer.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/sniffer.c b/src/sniffer.c index 67a40a16c..53d4b9948 100644 --- a/src/sniffer.c +++ b/src/sniffer.c @@ -1236,8 +1236,10 @@ static int ProcessServerHello(const byte* input, int* sslBytes, doResume = 1; if (session->ticketID && doResume) { - /* use ticketID to retrieve from session */ + /* use ticketID to retrieve from session, prefer over sessionID */ XMEMCPY(session->sslServer->arrays->sessionID,session->ticketID,ID_LEN); + session->sslServer->options.haveSessionId = 1; /* may not have + actual sessionID */ } if (doResume ) { From 18f60966f4584103847f9425e73d42e64a54690b Mon Sep 17 00:00:00 2001 From: John Safranek Date: Thu, 6 Mar 2014 21:34:33 -0800 Subject: [PATCH 47/49] force make tests to run serially --- .gitignore | 2 ++ Makefile.am | 2 ++ tests/include.am | 14 +++++++------- testsuite/include.am | 14 +++++++------- 4 files changed, 18 insertions(+), 14 deletions(-) diff --git a/.gitignore b/.gitignore index ee2053048..44ff8d102 100644 --- a/.gitignore +++ b/.gitignore @@ -41,6 +41,8 @@ output mcapi/test testsuite/testsuite tests/unit +testsuite/testsuite.test +tests/unit.test testsuite/*.der testsuite/*.pem testsuite/*.raw diff --git a/Makefile.am b/Makefile.am index 02fea25cc..1c03717ca 100644 --- a/Makefile.am +++ b/Makefile.am @@ -76,8 +76,10 @@ if USE_VALGRIND TESTS_ENVIRONMENT=./valgrind-error.sh endif +TEST_EXTENSIONS=.test TESTS += $(check_PROGRAMS) test: check +testsuite/testsuite.log: tests/unit.log DISTCLEANFILES+= cyassl-config diff --git a/tests/include.am b/tests/include.am index 239a169be..8fcc542cf 100644 --- a/tests/include.am +++ b/tests/include.am @@ -4,20 +4,20 @@ if BUILD_EXAMPLES -check_PROGRAMS += tests/unit -noinst_PROGRAMS += tests/unit -tests_unit_SOURCES = \ +check_PROGRAMS += tests/unit.test +noinst_PROGRAMS += tests/unit.test +tests_unit_test_SOURCES = \ tests/unit.c \ tests/api.c \ tests/suites.c \ tests/hash.c \ examples/client/client.c \ examples/server/server.c -tests_unit_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -tests_unit_LDADD = src/libcyassl.la -tests_unit_DEPENDENCIES = src/libcyassl.la +tests_unit_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) +tests_unit_test_LDADD = src/libcyassl.la +tests_unit_test_DEPENDENCIES = src/libcyassl.la endif EXTRA_DIST += tests/unit.h EXTRA_DIST += tests/test.conf \ tests/test-dtls.conf -DISTCLEANFILES+= tests/.libs/unit +DISTCLEANFILES+= tests/.libs/unit.test diff --git a/testsuite/include.am b/testsuite/include.am index 6f4bac772..900ee8d9a 100644 --- a/testsuite/include.am +++ b/testsuite/include.am @@ -4,22 +4,22 @@ if BUILD_EXAMPLES -check_PROGRAMS += testsuite/testsuite -noinst_PROGRAMS += testsuite/testsuite -testsuite_testsuite_SOURCES = \ +check_PROGRAMS += testsuite/testsuite.test +noinst_PROGRAMS += testsuite/testsuite.test +testsuite_testsuite_test_SOURCES = \ ctaocrypt/test/test.c \ examples/client/client.c \ examples/echoclient/echoclient.c \ examples/echoserver/echoserver.c \ examples/server/server.c \ testsuite/testsuite.c -testsuite_testsuite_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) -testsuite_testsuite_LDADD = src/libcyassl.la -testsuite_testsuite_DEPENDENCIES = src/libcyassl.la +testsuite_testsuite_test_CFLAGS = -DNO_MAIN_DRIVER $(AM_CFLAGS) +testsuite_testsuite_test_LDADD = src/libcyassl.la +testsuite_testsuite_test_DEPENDENCIES = src/libcyassl.la endif EXTRA_DIST += testsuite/testsuite.sln EXTRA_DIST += testsuite/testsuite-ntru.vcproj EXTRA_DIST += testsuite/testsuite.vcproj EXTRA_DIST += input EXTRA_DIST += quit -DISTCLEANFILES+= testsuite/.libs/testsuite +DISTCLEANFILES+= testsuite/.libs/testsuite.test From c671f1c66358b144c8918be4b5ac684b3a621a0c Mon Sep 17 00:00:00 2001 From: toddouska Date: Fri, 7 Mar 2014 14:29:37 -0800 Subject: [PATCH 48/49] reverse suite test dependency --- Makefile.am | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 1c03717ca..72cf64cb9 100644 --- a/Makefile.am +++ b/Makefile.am @@ -79,7 +79,7 @@ endif TEST_EXTENSIONS=.test TESTS += $(check_PROGRAMS) test: check -testsuite/testsuite.log: tests/unit.log +tests/unit.log: testsuite/testsuite.log DISTCLEANFILES+= cyassl-config From ceb4a8f5688d0b07199a4b272afe004298747c26 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Sun, 9 Mar 2014 15:08:18 -0700 Subject: [PATCH 49/49] port 0 hack for the API unit test --- tests/api.c | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/tests/api.c b/tests/api.c index 1342f251a..23346a10d 100644 --- a/tests/api.c +++ b/tests/api.c @@ -929,6 +929,7 @@ static int test_CyaSSL_read_write(void) InitTcpReady(&ready); server_args.signal = &ready; + client_args.signal = &ready; start_thread(test_server_nofail, &server_args, &serverThread); wait_tcp_ready(&server_args); test_client_nofail(&client_args); @@ -956,6 +957,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) { SOCKET_T sockfd = 0; SOCKET_T clientfd = 0; + word16 port = yasslPort; CYASSL_METHOD* method = 0; CYASSL_CTX* ctx = 0; @@ -969,6 +971,11 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) method = CyaSSLv23_server_method(); ctx = CyaSSL_CTX_new(method); +#if defined(NO_MAIN_DRIVER) && !defined(USE_WINDOWS_API) && \ + !defined(CYASSL_SNIFFER) && !defined(CYASSL_MDK_SHELL) + port = 0; +#endif + CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); @@ -996,7 +1003,7 @@ THREAD_RETURN CYASSL_THREAD test_server_nofail(void* args) goto done; } ssl = CyaSSL_new(ctx); - tcp_accept(&sockfd, &clientfd, (func_args*)args, yasslPort, 0, 0); + tcp_accept(&sockfd, &clientfd, (func_args*)args, port, 0, 0); CloseSocket(sockfd); CyaSSL_set_fd(ssl, clientfd); @@ -1080,7 +1087,7 @@ void test_client_nofail(void* args) goto done2; } - tcp_connect(&sockfd, yasslIP, yasslPort, 0); + tcp_connect(&sockfd, yasslIP, ((func_args*)args)->signal->port, 0); ssl = CyaSSL_new(ctx); CyaSSL_set_fd(ssl, sockfd); @@ -1145,7 +1152,7 @@ void run_cyassl_client(void* args) if (callbacks->ctx_ready) callbacks->ctx_ready(ctx); - tcp_connect(&sfd, yasslIP, yasslPort, 0); + tcp_connect(&sfd, yasslIP, ((func_args*)args)->signal->port, 0); ssl = CyaSSL_new(ctx); CyaSSL_set_fd(ssl, sfd); @@ -1184,6 +1191,7 @@ THREAD_RETURN CYASSL_THREAD run_cyassl_server(void* args) CYASSL* ssl = NULL; SOCKET_T sfd = 0; SOCKET_T cfd = 0; + word16 port = yasslPort; char msg[] = "I hear you fa shizzle!"; int len = (int) XSTRLEN(msg); @@ -1192,6 +1200,11 @@ THREAD_RETURN CYASSL_THREAD run_cyassl_server(void* args) ((func_args*)args)->return_code = TEST_FAIL; +#if defined(NO_MAIN_DRIVER) && !defined(USE_WINDOWS_API) && \ + !defined(CYASSL_SNIFFER) && !defined(CYASSL_MDK_SHELL) + port = 0; +#endif + CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0); @@ -1213,7 +1226,7 @@ THREAD_RETURN CYASSL_THREAD run_cyassl_server(void* args) ssl = CyaSSL_new(ctx); - tcp_accept(&sfd, &cfd, (func_args*)args, yasslPort, 0, 0); + tcp_accept(&sfd, &cfd, (func_args*)args, port, 0, 0); CloseSocket(sfd); CyaSSL_set_fd(ssl, cfd); @@ -1274,6 +1287,7 @@ void test_CyaSSL_client_server(callback_functions* client_callbacks, /* RUN Server side */ InitTcpReady(&ready); server_args.signal = &ready; + client_args.signal = &ready; start_thread(run_cyassl_server, &server_args, &serverThread); wait_tcp_ready(&server_args);