Merge branch 'master' of github.com:cyassl/cyassl
This commit is contained in:
John Safranek
commit
ca7bf0d01e
@ -475,9 +475,6 @@ struct CYASSL_BIO {
|
||||
struct CYASSL_METHOD {
|
||||
ProtocolVersion version;
|
||||
byte side; /* connection side, server or client */
|
||||
byte verifyPeer; /* request or send certificate */
|
||||
byte verifyNone; /* whether to verify certificate */
|
||||
byte failNoCert; /* fail if no certificate */
|
||||
byte downgrade; /* whether to downgrade version, default no */
|
||||
};
|
||||
|
||||
|
||||
@ -769,10 +769,15 @@ CYASSL_API void CyaSSL_SetIOWriteCtx(CYASSL* ssl, void *ctx);
|
||||
|
||||
/* CA cache callbacks */
|
||||
enum {
|
||||
CYASSL_SSLV3 = 0,
|
||||
CYASSL_TLSV1 = 1,
|
||||
CYASSL_TLSV1_1 = 2,
|
||||
CYASSL_TLSV1_2 = 3,
|
||||
CYASSL_USER_CA = 1, /* user added as trusted */
|
||||
CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */
|
||||
};
|
||||
|
||||
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
|
||||
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
|
||||
int, const char*);
|
||||
|
||||
@ -789,6 +794,8 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f,
|
||||
const char* d);
|
||||
CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f,
|
||||
int format);
|
||||
CYASSL_API int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm,
|
||||
const unsigned char* buff, int sz, int format);
|
||||
CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*,
|
||||
int sz);
|
||||
CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options);
|
||||
|
||||
@ -315,9 +315,6 @@ void InitSSL_Method(CYASSL_METHOD* method, ProtocolVersion pv)
|
||||
{
|
||||
method->version = pv;
|
||||
method->side = CLIENT_END;
|
||||
method->verifyPeer = 0;
|
||||
method->verifyNone = 0;
|
||||
method->failNoCert = 0;
|
||||
method->downgrade = 0;
|
||||
}
|
||||
|
||||
@ -913,11 +910,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
|
||||
if (ssl->options.side == SERVER_END)
|
||||
InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
else
|
||||
InitSuites(&ssl->suites, ssl->version, TRUE, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
|
||||
|
||||
#ifdef SESSION_CERTS
|
||||
@ -5850,7 +5847,7 @@ int SetCipherList(Suites* s, const char* list)
|
||||
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
}
|
||||
|
||||
/* suite size */
|
||||
@ -5981,7 +5978,7 @@ int SetCipherList(Suites* s, const char* list)
|
||||
#endif
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
}
|
||||
/* random */
|
||||
XMEMCPY(ssl->arrays.clientRandom, input + i, RAN_LEN);
|
||||
|
||||
@ -23,6 +23,8 @@
|
||||
#include <config.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_OCSP
|
||||
|
||||
#include <cyassl/error.h>
|
||||
#include <cyassl/ocsp.h>
|
||||
#include <cyassl/internal.h>
|
||||
@ -40,7 +42,6 @@
|
||||
#include <sys/socket.h>
|
||||
|
||||
|
||||
#ifdef HAVE_OCSP
|
||||
CYASSL_API int ocsp_test(unsigned char* buf, int sz);
|
||||
#define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */
|
||||
#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL
|
||||
|
||||
132
src/ssl.c
132
src/ssl.c
@ -228,7 +228,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
|
||||
#endif
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH,
|
||||
havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
|
||||
CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
|
||||
return 0;
|
||||
@ -473,6 +473,51 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
|
||||
}
|
||||
|
||||
|
||||
int CyaSSL_SetVersion(CYASSL* ssl, int version)
|
||||
{
|
||||
byte havePSK = 0;
|
||||
|
||||
CYASSL_ENTER("CyaSSL_SetVersion");
|
||||
|
||||
if (ssl == NULL) {
|
||||
CYASSL_MSG("Bad function argument");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
switch (version) {
|
||||
case CYASSL_SSLV3:
|
||||
ssl->version = MakeSSLv3();
|
||||
break;
|
||||
|
||||
case CYASSL_TLSV1:
|
||||
ssl->version = MakeTLSv1();
|
||||
break;
|
||||
|
||||
case CYASSL_TLSV1_1:
|
||||
ssl->version = MakeTLSv1_1();
|
||||
break;
|
||||
|
||||
case CYASSL_TLSV1_2:
|
||||
ssl->version = MakeTLSv1_2();
|
||||
break;
|
||||
|
||||
default:
|
||||
CYASSL_MSG("Bad function argument");
|
||||
return BAD_FUNC_ARG;
|
||||
}
|
||||
|
||||
#ifndef NO_PSK
|
||||
havePSK = ssl->options.havePSK;
|
||||
#endif
|
||||
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
|
||||
|
||||
/* does CA already exist on signer list */
|
||||
int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash)
|
||||
{
|
||||
@ -1280,28 +1325,64 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file,
|
||||
}
|
||||
|
||||
|
||||
/* Verify the ceritficate, 1 for success, < 0 for error */
|
||||
int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const byte* buff,
|
||||
int sz, int format)
|
||||
{
|
||||
int ret = 0;
|
||||
int eccKey = 0; /* not used */
|
||||
|
||||
DecodedCert cert;
|
||||
buffer der;
|
||||
|
||||
CYASSL_ENTER("CyaSSL_CertManagerVerifyBuffer");
|
||||
|
||||
der.buffer = NULL;
|
||||
|
||||
if (format == SSL_FILETYPE_PEM) {
|
||||
EncryptedInfo info;
|
||||
|
||||
info.set = 0;
|
||||
info.ctx = NULL;
|
||||
info.consumed = 0;
|
||||
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, &info, &eccKey);
|
||||
InitDecodedCert(&cert, der.buffer, der.length, cm->heap);
|
||||
}
|
||||
else
|
||||
InitDecodedCert(&cert, (byte*)buff, sz, cm->heap);
|
||||
|
||||
if (ret == 0)
|
||||
ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
|
||||
#ifdef HAVE_CRL
|
||||
if (ret == 0 && cm->crlEnabled)
|
||||
ret = CheckCertCRL(cm->crl, &cert);
|
||||
#endif
|
||||
|
||||
FreeDecodedCert(&cert);
|
||||
XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
|
||||
/* Verify the ceritficate, 1 for success, < 0 for error */
|
||||
int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
|
||||
int format)
|
||||
{
|
||||
int ret = SSL_FATAL_ERROR;
|
||||
int eccKey = 0; /* not used */
|
||||
DecodedCert cert;
|
||||
|
||||
int ret = SSL_FATAL_ERROR;
|
||||
byte staticBuffer[FILE_BUFFER_SIZE];
|
||||
byte* myBuffer = staticBuffer;
|
||||
int dynamic = 0;
|
||||
long sz = 0;
|
||||
buffer der;
|
||||
XFILE* file = XFOPEN(fname, "rb");
|
||||
|
||||
CYASSL_ENTER("CyaSSL_CertManagerVerify");
|
||||
|
||||
if (!file) return SSL_BAD_FILE;
|
||||
XFSEEK(file, 0, XSEEK_END);
|
||||
sz = XFTELL(file);
|
||||
XREWIND(file);
|
||||
|
||||
der.buffer = NULL;
|
||||
|
||||
if (sz > (long)sizeof(staticBuffer)) {
|
||||
CYASSL_MSG("Getting dynamic buffer");
|
||||
myBuffer = (byte*) XMALLOC(sz, cm->heap, DYNAMIC_TYPE_FILE);
|
||||
@ -1314,32 +1395,9 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
|
||||
|
||||
if ( (ret = XFREAD(myBuffer, sz, 1, file)) < 0)
|
||||
ret = SSL_BAD_FILE;
|
||||
else {
|
||||
ret = 0; /* ok */
|
||||
if (format == SSL_FILETYPE_PEM) {
|
||||
EncryptedInfo info;
|
||||
|
||||
info.set = 0;
|
||||
info.ctx = NULL;
|
||||
info.consumed = 0;
|
||||
ret = PemToDer(myBuffer, sz, CERT_TYPE, &der, cm->heap, &info,
|
||||
&eccKey);
|
||||
InitDecodedCert(&cert, der.buffer, der.length, cm->heap);
|
||||
else
|
||||
ret = CyaSSL_CertManagerVerifyBuffer(cm, myBuffer, sz, format);
|
||||
|
||||
}
|
||||
else
|
||||
InitDecodedCert(&cert, myBuffer, sz, cm->heap);
|
||||
|
||||
if (ret == 0)
|
||||
ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
|
||||
#ifdef HAVE_CRL
|
||||
if (ret == 0 && cm->crlEnabled)
|
||||
ret = CheckCertCRL(cm->crl, &cert);
|
||||
#endif
|
||||
}
|
||||
|
||||
FreeDecodedCert(&cert);
|
||||
XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT);
|
||||
XFCLOSE(file);
|
||||
if (dynamic) XFREE(myBuffer, cm->heap, DYNAMIC_TYPE_FILE);
|
||||
|
||||
@ -2051,7 +2109,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list)
|
||||
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
|
||||
return SSL_SUCCESS;
|
||||
}
|
||||
@ -3075,7 +3133,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
|
||||
|
||||
InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU,
|
||||
ssl->options.haveECDSA, ssl->options.haveStaticECC,
|
||||
ssl->ctx->method->side);
|
||||
ssl->options.side);
|
||||
}
|
||||
|
||||
|
||||
@ -3096,7 +3154,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
|
||||
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
}
|
||||
|
||||
|
||||
@ -3330,7 +3388,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
|
||||
#endif
|
||||
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
|
||||
ssl->options.haveNTRU, ssl->options.haveECDSA,
|
||||
ssl->options.haveStaticECC, ssl->ctx->method->side);
|
||||
ssl->options.haveStaticECC, ssl->options.side);
|
||||
}
|
||||
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user