From cf978c8189bc6e8535666819c4ee4dc595e55919 Mon Sep 17 00:00:00 2001 From: Todd A Ouska Date: Mon, 4 Apr 2011 17:42:50 -0700 Subject: [PATCH] more porting changes --- .gitignore | 1 + configure.in | 2 +- ctaocrypt/include/config.h | 2 +- ctaocrypt/src/misc.c | 2 +- include/cyassl_int.h | 6 +- include/openssl/evp.h | 2 +- include/openssl/ssl.h | 13 +++-- src/cyassl_int.c | 19 ++++-- src/ssl.c | 116 +++++++++++++++++++++++++++++-------- 9 files changed, 124 insertions(+), 39 deletions(-) diff --git a/.gitignore b/.gitignore index 232120497..77d15ac2c 100644 --- a/.gitignore +++ b/.gitignore @@ -28,6 +28,7 @@ sslSniffer/sslSnifferTest/tracefile.txt *.gz *.zip *.bak +*.dummy NTRU_algorithm/ build-test/ build/ diff --git a/configure.in b/configure.in index ba2f8f38e..fa0212633 100644 --- a/configure.in +++ b/configure.in @@ -1,6 +1,6 @@ AC_INIT AC_CANONICAL_SYSTEM -AM_INIT_AUTOMAKE(cyassl,1.9.0) # !!! also change in ssl.h !!! +AM_INIT_AUTOMAKE(cyassl,1.9.5) # !!! also change in ssl.h !!! AM_CONFIG_HEADER(ctaocrypt/include/config.h) diff --git a/ctaocrypt/include/config.h b/ctaocrypt/include/config.h index 2104ebc9f..4eecc7199 100644 --- a/ctaocrypt/include/config.h +++ b/ctaocrypt/include/config.h @@ -79,7 +79,7 @@ #define STDC_HEADERS 1 /* Version number of package */ -#define VERSION "1.9.0" +#define VERSION "1.9.5" /* Define to 1 if your processor stores words with the most significant byte first (like Motorola and SPARC, unlike Intel and VAX). */ diff --git a/ctaocrypt/src/misc.c b/ctaocrypt/src/misc.c index bd2830642..d823fc621 100644 --- a/ctaocrypt/src/misc.c +++ b/ctaocrypt/src/misc.c @@ -158,7 +158,7 @@ STATIC INLINE void XorWords(word* r, const word* a, word32 n) STATIC INLINE void xorbuf(byte* buf, const byte* mask, word32 count) { - if (((size_t)buf | (size_t)mask | count) % WORD_SIZE == 0) + if (((word)buf | (word)mask | count) % WORD_SIZE == 0) XorWords( (word*)buf, (const word*)mask, count / WORD_SIZE); else { word32 i; diff --git a/include/cyassl_int.h b/include/cyassl_int.h index f7a79289b..ef66af310 100644 --- a/include/cyassl_int.h +++ b/include/cyassl_int.h @@ -835,8 +835,8 @@ enum AcceptState { typedef struct Buffers { - buffer certificate; /* SSL_CTX owns */ - buffer key; /* SSL_CTX owns */ + buffer certificate; /* SSL_CTX owns, unless we own */ + buffer key; /* SSL_CTX owns, unless we own */ buffer domainName; /* for client check */ buffer serverDH_P; buffer serverDH_G; @@ -849,6 +849,8 @@ typedef struct Buffers { when got WANT_WRITE */ int plainSz; /* plain text bytes in buffer to send when got WANT_WRITE */ + byte weOwnCert; /* SSL own cert flag */ + byte weOwnKey; /* SSL own key flag */ } Buffers; diff --git a/include/openssl/evp.h b/include/openssl/evp.h index a795dcab8..b50477f21 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -64,7 +64,7 @@ void EVP_MD_CTX_init(EVP_MD_CTX* ctx); int EVP_MD_CTX_cleanup(EVP_MD_CTX* ctx); int EVP_DigestInit(EVP_MD_CTX* ctx, const EVP_MD* type); -int EVP_DigestUpdate(EVP_MD_CTX* ctx, const void* data, size_t sz); +int EVP_DigestUpdate(EVP_MD_CTX* ctx, const void* data, unsigned long sz); int EVP_DigestFinal(EVP_MD_CTX* ctx, unsigned char* md, unsigned int* s); int EVP_DigestFinal_ex(EVP_MD_CTX* ctx, unsigned char* md, unsigned int* s); diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h index 617ab6699..3f83b8f59 100644 --- a/include/openssl/ssl.h +++ b/include/openssl/ssl.h @@ -39,7 +39,7 @@ #include "prefix_ssl.h" #endif -#define CYASSL_VERSION "1.9.0" +#define CYASSL_VERSION "1.9.5" #undef X509_NAME /* wincrypt.h clash */ @@ -194,7 +194,7 @@ long SSL_CTX_set_session_cache_mode(SSL_CTX*, long); int SSL_CTX_set_cipher_list(SSL_CTX*, const char*); char* ERR_error_string(unsigned long,char*); -void ERR_error_string_n(unsigned long e, char *buf, size_t len); +void ERR_error_string_n(unsigned long e, char *buf, unsigned long len); /* extras */ @@ -228,7 +228,7 @@ SSL_METHOD* SSLv2_client_method(void); SSL_METHOD* SSLv2_server_method(void); void MD4_Init(MD4_CTX*); -void MD4_Update(MD4_CTX*, const void*, size_t); +void MD4_Update(MD4_CTX*, const void*, unsigned long); void MD4_Final(unsigned char*, MD4_CTX*); BIO* BIO_new(BIO_METHOD*); @@ -258,7 +258,7 @@ int SSLeay_add_ssl_algorithms(void); int SSLeay_add_all_algorithms(void); void RAND_screen(void); -const char* RAND_file_name(char*, size_t); +const char* RAND_file_name(char*, unsigned long); int RAND_write_file(const char*); int RAND_load_file(const char*, long); int RAND_egd(const char*); @@ -635,11 +635,16 @@ int CyaSSL_X509_get_serial_number(X509*, unsigned char*); #endif +/* SSL_CTX versions */ int CyaSSL_CTX_load_verify_buffer(SSL_CTX*, const unsigned char*, long, int); int CyaSSL_CTX_use_certificate_buffer(SSL_CTX*, const unsigned char*, long,int); int CyaSSL_CTX_use_PrivateKey_buffer(SSL_CTX*, const unsigned char*, long, int); int CyaSSL_CTX_use_certificate_chain_buffer(SSL_CTX*,const unsigned char*,long); +/* SSL versions */ +int CyaSSL_use_certificate_buffer(SSL*, const unsigned char*, long,int); +int CyaSSL_use_PrivateKey_buffer(SSL*, const unsigned char*, long, int); +int CyaSSL_use_certificate_chain_buffer(SSL*,const unsigned char*,long); /* I/O callbacks */ diff --git a/src/cyassl_int.c b/src/cyassl_int.c index e22edefee..d8f2ba484 100644 --- a/src/cyassl_int.c +++ b/src/cyassl_int.c @@ -698,6 +698,8 @@ int InitSSL(SSL* ssl, SSL_CTX* ctx) /* SSL_CTX still owns certificate, key, and caList buffers */ ssl->buffers.certificate = ctx->certificate; ssl->buffers.key = ctx->privateKey; + ssl->buffers.weOwnCert = 0; + ssl->buffers.weOwnKey = 0; ssl->caList = ctx->caList; #ifdef OPENSSL_EXTRA @@ -782,6 +784,12 @@ void SSL_ResourceFree(SSL* ssl) XFREE(ssl->buffers.serverDH_G.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.serverDH_P.buffer, ssl->heap, DYNAMIC_TYPE_DH); XFREE(ssl->buffers.domainName.buffer, ssl->heap, DYNAMIC_TYPE_DOMAIN); + + if (ssl->buffers.weOwnCert) + XFREE(ssl->buffers.certificate.buffer, ssl->heap, DYNAMIC_TYPE_CERT); + if (ssl->buffers.weOwnKey) + XFREE(ssl->buffers.key.buffer, ssl->heap, DYNAMIC_TYPE_KEY); + FreeRsaKey(&ssl->peerRsaKey); if (ssl->buffers.inputBuffer.dynamicFlag) ShrinkInputBuffer(ssl, FORCED_FREE); @@ -1395,7 +1403,10 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx) c24to32(&input[i], &certSz); i += CERT_HEADER_SZ; - + + if (listSz > MAX_RECORD_SIZE || certSz > MAX_RECORD_SIZE) + return BUFFER_E; + myCert.length = certSz; myCert.buffer = input + i; i += certSz; @@ -1912,7 +1923,7 @@ static int DoAlert(SSL* ssl, byte* input, word32* inOutIdx, int* type) return level; } -static int GetInputData(SSL *ssl, size_t size) +static int GetInputData(SSL *ssl, word32 size) { int in; int inSz; @@ -3314,14 +3325,14 @@ int SetCipherList(SSL_CTX* ctx, const char* list) if (XSTRNCMP(haystack, "ALL", 3) == 0) return 1; /* CyaSSL defualt */ for(;;) { - size_t len; + word32 len; prev = haystack; haystack = XSTRSTR(haystack, needle); if (!haystack) /* last cipher */ len = min(sizeof(name), XSTRLEN(prev)); else - len = min(sizeof(name), (size_t)(haystack - prev)); + len = min(sizeof(name), (word32)(haystack - prev)); XSTRNCPY(name, prev, len); name[(len == sizeof(name)) ? len - 1 : len] = 0; diff --git a/src/ssl.c b/src/ssl.c index 2bf06a098..8e216b368 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -265,7 +265,7 @@ char* ERR_error_string(unsigned long errNumber, char* buffer) } -void ERR_error_string_n(unsigned long e, char* buf, size_t len) +void ERR_error_string_n(unsigned long e, char* buf, unsigned long len) { if (len) ERR_error_string(e, buf); } @@ -508,7 +508,7 @@ static int AddCA(SSL_CTX* ctx, buffer der) static int ProcessBuffer(SSL_CTX* ctx, const unsigned char* buff, - long sz, int format, int type) + long sz, int format, int type, SSL* ssl) { EncryptedInfo info; buffer der; /* holds DER or RAW (for NTRU) */ @@ -598,14 +598,31 @@ static int AddCA(SSL_CTX* ctx, buffer der) if (type == CA_TYPE) return AddCA(ctx, der); /* takes der over */ else if (type == CERT_TYPE) { - if (ctx->certificate.buffer) - XFREE(ctx->certificate.buffer, ctx->heap, dynamicType); - ctx->certificate = der; /* takes der over */ + if (ssl) { + if (ssl->buffers.weOwnCert && ssl->buffers.certificate.buffer) + XFREE(ssl->buffers.certificate.buffer, ctx->heap, + dynamicType); + ssl->buffers.certificate = der; + ssl->buffers.weOwnCert = 1; + } + else { + if (ctx->certificate.buffer) + XFREE(ctx->certificate.buffer, ctx->heap, dynamicType); + ctx->certificate = der; /* takes der over */ + } } else if (type == PRIVATEKEY_TYPE) { - if (ctx->privateKey.buffer) - XFREE(ctx->privateKey.buffer, ctx->heap, dynamicType); - ctx->privateKey = der; /* takes der over */ + if (ssl) { + if (ssl->buffers.weOwnKey && ssl->buffers.key.buffer) + XFREE(ssl->buffers.key.buffer, ctx->heap, dynamicType); + ssl->buffers.key = der; + ssl->buffers.weOwnKey = 1; + } + else { + if (ctx->privateKey.buffer) + XFREE(ctx->privateKey.buffer, ctx->heap, dynamicType); + ctx->privateKey = der; /* takes der over */ + } } else { XFREE(der.buffer, ctx->heap, dynamicType); @@ -676,7 +693,8 @@ static int AddCA(SSL_CTX* ctx, buffer der) #define XSEEK_END FS_SEEK_END #endif -static int ProcessFile(SSL_CTX* ctx, const char* fname, int format, int type) +static int ProcessFile(SSL_CTX* ctx, const char* fname, int format, int type, + SSL* ssl) { byte staticBuffer[FILE_BUFFER_SIZE]; byte* buffer = staticBuffer; @@ -702,7 +720,7 @@ static int ProcessFile(SSL_CTX* ctx, const char* fname, int format, int type) if ( (ret = XFREAD(buffer, sz, 1, file)) < 0) ret = SSL_BAD_FILE; else - ret = ProcessBuffer(ctx, buffer, sz, format, type); + ret = ProcessBuffer(ctx, buffer, sz, format, type, ssl); XFCLOSE(file); if (dynamic) XFREE(buffer, ctx->heap, DYNAMIC_TYPE_FILE); @@ -715,7 +733,7 @@ static int ProcessFile(SSL_CTX* ctx, const char* fname, int format, int type) int SSL_CTX_load_verify_locations(SSL_CTX* ctx, const char* file, const char* path) { - if (ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE) == SSL_SUCCESS) + if (ProcessFile(ctx, file, SSL_FILETYPE_PEM, CA_TYPE, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -727,7 +745,7 @@ int SSL_CTX_load_verify_locations(SSL_CTX* ctx, const char* file, /* Add format parameter to allow DER load of CA files */ int CyaSSL_CTX_load_verify_locations(SSL_CTX* ctx, const char* file, int format) { - if (ProcessFile(ctx, file, format, CA_TYPE) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, CA_TYPE, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -758,7 +776,7 @@ int CyaSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz) sz = XFTELL(file); XREWIND(file); - if (sz > sizeof(staticBuffer)) { + if (sz > (long)sizeof(staticBuffer)) { fileBuf = (byte*) XMALLOC(sz, 0, DYNAMIC_TYPE_FILE); if (fileBuf == NULL) { XFCLOSE(file); @@ -794,7 +812,7 @@ int CyaSSL_PemCertToDer(const char* fileName, unsigned char* derBuf, int derSz) int SSL_CTX_use_certificate_file(SSL_CTX* ctx, const char* file, int format) { - if (ProcessFile(ctx, file, format, CERT_TYPE) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, CERT_TYPE, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -803,7 +821,7 @@ int SSL_CTX_use_certificate_file(SSL_CTX* ctx, const char* file, int format) int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format) { - if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -813,7 +831,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format) int SSL_CTX_use_certificate_chain_file(SSL_CTX* ctx, const char* file) { /* add first to ctx, all tested implementations support this */ - if (ProcessFile(ctx, file, SSL_FILETYPE_PEM, CERT_TYPE) == SSL_SUCCESS) + if (ProcessFile(ctx, file, SSL_FILETYPE_PEM, CERT_TYPE, NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -824,7 +842,7 @@ int SSL_CTX_use_certificate_chain_file(SSL_CTX* ctx, const char* file) int CyaSSL_CTX_use_NTRUPrivateKey_file(SSL_CTX* ctx, const char* file) { - if (ProcessFile(ctx, file, SSL_FILETYPE_RAW, PRIVATEKEY_TYPE) + if (ProcessFile(ctx, file, SSL_FILETYPE_RAW, PRIVATEKEY_TYPE, NULL) == SSL_SUCCESS) { ctx->haveNTRU = 1; return SSL_SUCCESS; @@ -841,7 +859,7 @@ int CyaSSL_CTX_use_NTRUPrivateKey_file(SSL_CTX* ctx, const char* file) int SSL_CTX_use_RSAPrivateKey_file(SSL_CTX* ctx,const char* file,int format) { - if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE) == SSL_SUCCESS) + if (ProcessFile(ctx, file, format, PRIVATEKEY_TYPE,NULL) == SSL_SUCCESS) return SSL_SUCCESS; return SSL_FAILURE; @@ -1172,17 +1190,43 @@ int SSL_CTX_set_cipher_list(SSL_CTX* ctx, const char* list) int SSL_accept(SSL* ssl) { + byte havePSK = 0; CYASSL_ENTER("SSL_accept()"); #ifdef HAVE_ERRNO_H errno = 0; #endif + #ifndef NO_PSK + havePSK = ssl->optoins.havePSK; + #endif + if (ssl->options.side != SERVER_END) { CYASSL_ERROR(ssl->error = SIDE_ERROR); return SSL_FATAL_ERROR; } + /* in case used set_accept_state after init */ + if (!havePSK && (ssl->buffers.certificate.buffer == NULL || + ssl->buffers.key.buffer == NULL)) { + CYASSL_MSG("accept error: don't have server cert and key"); + ssl->error = NO_PRIVATE_KEY; + CYASSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + + #ifdef HAVE_ECC + /* in case used set_accept_state after init */ + if (ssl->eccTempKeyPresent == 0) { + if (ecc_make_key(&ssl->rng, ECDHE_SIZE, &ssl->eccTempKey) != 0){ + ssl->error = ECC_MAKEKEY_ERROR; + CYASSL_ERROR(ssl->error); + return SSL_FATAL_ERROR; + } + ssl->eccTempKeyPresent = 1; + } + #endif + #ifdef CYASSL_DTLS if (ssl->version.major == DTLS_MAJOR && ssl->version.minor == DTLS_MINOR) { @@ -1882,21 +1926,21 @@ int CyaSSL_set_compression(SSL* ssl) int CyaSSL_CTX_load_verify_buffer(SSL_CTX* ctx, const unsigned char* buffer, long sz, int format) { - return ProcessBuffer(ctx, buffer, sz, format, CA_TYPE); + return ProcessBuffer(ctx, buffer, sz, format, CA_TYPE, NULL); } int CyaSSL_CTX_use_certificate_buffer(SSL_CTX* ctx, const unsigned char* buffer,long sz,int format) { - return ProcessBuffer(ctx, buffer, sz, format, CERT_TYPE); + return ProcessBuffer(ctx, buffer, sz, format, CERT_TYPE, NULL); } int CyaSSL_CTX_use_PrivateKey_buffer(SSL_CTX* ctx, const unsigned char* buffer,long sz,int format) { - return ProcessBuffer(ctx, buffer, sz, format, PRIVATEKEY_TYPE); + return ProcessBuffer(ctx, buffer, sz, format, PRIVATEKEY_TYPE, NULL); } @@ -1904,7 +1948,29 @@ int CyaSSL_set_compression(SSL* ssl) const unsigned char* buffer, long sz) { /* add first to ctx, all tested implementations support this */ - return ProcessBuffer(ctx, buffer, sz, SSL_FILETYPE_PEM, CA_TYPE); + return ProcessBuffer(ctx, buffer, sz, SSL_FILETYPE_PEM, CA_TYPE, NULL); + } + + int CyaSSL_use_certificate_buffer(SSL* ssl, + const unsigned char* buffer,long sz,int format) + { + return ProcessBuffer(ssl->ctx, buffer, sz, format, CERT_TYPE, ssl); + } + + + int CyaSSL_use_PrivateKey_buffer(SSL* ssl, + const unsigned char* buffer,long sz,int format) + { + return ProcessBuffer(ssl->ctx, buffer, sz, format, PRIVATEKEY_TYPE,ssl); + } + + + int CyaSSL_use_certificate_chain_buffer(SSL* ssl, + const unsigned char* buffer, long sz) + { + /* add first to ctx, all tested implementations support this */ + return ProcessBuffer(ssl->ctx, buffer, sz, SSL_FILETYPE_PEM, CA_TYPE, + ssl); } /* old NO_FILESYSTEM end */ @@ -2523,7 +2589,7 @@ int CyaSSL_set_compression(SSL* ssl) } - int EVP_DigestUpdate(EVP_MD_CTX* ctx, const void* data, size_t sz) + int EVP_DigestUpdate(EVP_MD_CTX* ctx, const void* data, unsigned long sz) { if (ctx->macType == MD5) MD5_Update((MD5_CTX*)&ctx->hash, data, (unsigned long)sz); @@ -2915,7 +2981,7 @@ int CyaSSL_set_compression(SSL* ssl) } - void MD4_Update(MD4_CTX* md4, const void* data, size_t len) + void MD4_Update(MD4_CTX* md4, const void* data, unsigned long len) { Md4Update((Md4*)md4, (const byte*)data, (word32)len); } @@ -2967,7 +3033,7 @@ int CyaSSL_set_compression(SSL* ssl) } - const char* RAND_file_name(char* fname, size_t len) + const char* RAND_file_name(char* fname, unsigned long len) { return 0; }