diff --git a/commit-tests.sh b/commit-tests.sh index dce1a728c..551cffdb9 100755 --- a/commit-tests.sh +++ b/commit-tests.sh @@ -12,7 +12,7 @@ RESULT=$? # make sure basic config is ok echo -e "\n\nTesting basic config too...\n\n" -./configure; +./configure --disable-fastmath; RESULT=$? [ $RESULT -ne 0 ] && echo -e "\n\nBasic config ./configure failed" && exit 1 diff --git a/ctaocrypt/src/integer.c b/ctaocrypt/src/integer.c index 32da4f612..f5f6a91e6 100644 --- a/ctaocrypt/src/integer.c +++ b/ctaocrypt/src/integer.c @@ -3400,7 +3400,7 @@ int mp_reduce (mp_int * x, mp_int * m, mp_int * mu) mp_rshd (&q, um - 1); /* according to HAC this optimization is ok */ - if (((unsigned long) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) { + if (((mp_word) um) > (((mp_digit)1) << (DIGIT_BIT - 1))) { if ((res = mp_mul (&q, mu, &q)) != MP_OKAY) { goto CLEANUP; } diff --git a/cyassl/ctaocrypt/types.h b/cyassl/ctaocrypt/types.h index adf69fdf1..a0a78812d 100644 --- a/cyassl/ctaocrypt/types.h +++ b/cyassl/ctaocrypt/types.h @@ -242,7 +242,8 @@ enum { DYNAMIC_TYPE_TMP_BUFFER = 38, DYNAMIC_TYPE_DTLS_MSG = 39, DYNAMIC_TYPE_CAVIUM_TMP = 40, - DYNAMIC_TYPE_CAVIUM_RSA = 41 + DYNAMIC_TYPE_CAVIUM_RSA = 41, + DYNAMIC_TYPE_X509 = 42 }; /* stack protection */ diff --git a/cyassl/internal.h b/cyassl/internal.h index 30c5588dc..aae92855b 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1536,6 +1536,7 @@ struct CYASSL_X509 { buffer derCert; /* may need */ DNS_entry* altNames; /* alt names list */ DNS_entry* altNamesNext; /* hint for retrieval */ + byte dynamicMemory; /* dynamic memory flag */ }; @@ -1882,11 +1883,12 @@ CYASSL_LOCAL int GrowInputBuffer(CYASSL* ssl, int size, int usedLength); #endif /* NO_TLS */ -typedef double timer_d; -CYASSL_LOCAL timer_d Timer(void); CYASSL_LOCAL word32 LowResTimer(void); +CYASSL_LOCAL void InitX509(CYASSL_X509*, int); +CYASSL_LOCAL void FreeX509(CYASSL_X509*); +CYASSL_LOCAL int CopyDecodedToX509(CYASSL_X509*, DecodedCert*); #ifdef __cplusplus 
diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 1812dfaf1..b50b31c09 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -167,6 +167,7 @@ CYASSL_API int CyaSSL_CTX_use_certificate_file(CYASSL_CTX*, const char*, int); CYASSL_API int CyaSSL_CTX_use_PrivateKey_file(CYASSL_CTX*, const char*, int); CYASSL_API int CyaSSL_CTX_load_verify_locations(CYASSL_CTX*, const char*, const char*); +CYASSL_API int CyaSSL_CTX_UnloadCAs(CYASSL_CTX*); CYASSL_API int CyaSSL_CTX_use_certificate_chain_file(CYASSL_CTX *, const char *file); CYASSL_API int CyaSSL_CTX_use_RSAPrivateKey_file(CYASSL_CTX*, const char*, int); @@ -713,6 +714,10 @@ CYASSL_API int CyaSSL_get_chain_count(CYASSL_X509_CHAIN* chain); CYASSL_API int CyaSSL_get_chain_length(CYASSL_X509_CHAIN*, int idx); /* index cert */ CYASSL_API unsigned char* CyaSSL_get_chain_cert(CYASSL_X509_CHAIN*, int idx); +/* index cert in X509 */ +CYASSL_API CYASSL_X509* CyaSSL_get_chain_X509(CYASSL_X509_CHAIN*, int idx); +/* free X509 */ +CYASSL_API void CyaSSL_FreeX509(CYASSL_X509*); /* get index cert in PEM */ CYASSL_API int CyaSSL_get_chain_cert_pem(CYASSL_X509_CHAIN*, int idx, unsigned char* buffer, int inLen, int* outLen); @@ -869,6 +874,7 @@ typedef void (*CbMissingCRL)(const char* url); CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, const char* d); + CYASSL_API int CyaSSL_CertManagerUnloadCAs(CYASSL_CERT_MANAGER* cm); CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format); CYASSL_API int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, diff --git a/cyassl/test.h b/cyassl/test.h index 0e753c725..910a2b530 100644 --- a/cyassl/test.h +++ b/cyassl/test.h 
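Review bot: The new `CyaSSL_get_chain_X509` declaration carries only `/* index cert in X509 */`, which says nothing about ownership of the returned object or that the call can fail, yet the pairing with `CyaSSL_FreeX509` directly below is exactly that contract. The src/ssl.c hunks in this commit show it returns NULL on parse or allocation failure and that FreeX509 accepts NULL, so the header should say so: `/* decode cert at idx into a newly allocated X509; NULL on parse/alloc failure; caller releases it with CyaSSL_FreeX509 */` and `/* free an X509 returned by CyaSSL_get_chain_X509 (NULL is accepted) */`. The `CyaSSL_CertManagerUnloadCAs` line in the third hunk likewise has no comment on what state it leaves behind.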
@@ -263,49 +263,53 @@ static INLINE int PasswordCallBack(char* passwd, int sz, int rw, void* userdata) #endif +#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) + +static INLINE void ShowX509(CYASSL_X509* x509, const char* hdr) +{ + char* altName; + char* issuer = CyaSSL_X509_NAME_oneline( + CyaSSL_X509_get_issuer_name(x509), 0, 0); + char* subject = CyaSSL_X509_NAME_oneline( + CyaSSL_X509_get_subject_name(x509), 0, 0); + byte serial[32]; + int ret; + int sz = sizeof(serial); + + printf("%s\n issuer : %s\n subject: %s\n", hdr, issuer, subject); + + while ( (altName = CyaSSL_X509_get_next_altname(x509)) ) + printf(" altname = %s\n", altName); + + ret = CyaSSL_X509_get_serial_number(x509, serial, &sz); + if (ret == SSL_SUCCESS) { + int i; + int strLen; + char serialMsg[80]; + + /* testsuite has multiple threads writing to stdout, get output + message ready to write once */ + strLen = sprintf(serialMsg, " serial number"); + for (i = 0; i < sz; i++) + sprintf(serialMsg + strLen + (i*3), ":%02x ", serial[i]); + printf("%s\n", serialMsg); + } + + XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); + XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); +} + +#endif /* KEEP_PEER_CERT || SESSION_CERTS */ + + static INLINE void showPeer(CYASSL* ssl) { CYASSL_CIPHER* cipher; #ifdef KEEP_PEER_CERT - CYASSL_X509* peer = CyaSSL_get_peer_certificate(ssl); - if (peer) { -#ifdef OPENSSL_EXTRA - char* altName; - char* issuer = CyaSSL_X509_NAME_oneline( - CyaSSL_X509_get_issuer_name(peer), 0, 0); - char* subject = CyaSSL_X509_NAME_oneline( - CyaSSL_X509_get_subject_name(peer), 0, 0); - byte serial[32]; - int ret; - int sz = sizeof(serial); - - printf("peer's cert info:\n issuer : %s\n subject: %s\n", issuer, - subject); - - while ( (altName = CyaSSL_X509_get_next_altname(peer)) ) - printf(" altname = %s\n", altName); - - ret = CyaSSL_X509_get_serial_number(peer, serial, &sz); - if (ret == 0) { - int i; - int strLen; - char serialMsg[80]; - - /* testsuite has multiple threads writing to stdout, get 
output - message ready to write once */ - strLen = sprintf(serialMsg, " serial number"); - for (i = 0; i < sz; i++) - sprintf(serialMsg + strLen + (i*3), ":%02x ", serial[i]); - printf("%s\n", serialMsg); - } - - XFREE(subject, 0, DYNAMIC_TYPE_OPENSSL); - XFREE(issuer, 0, DYNAMIC_TYPE_OPENSSL); -#else - printf("peer has a cert!\n"); -#endif - } + CYASSL_X509* peer = CyaSSL_get_peer_certificate(ssl); + if (peer) + ShowX509(peer, "peer's cert info:"); else printf("peer has no cert!\n"); #endif @@ -323,10 +327,18 @@ static INLINE void showPeer(CYASSL* ssl) for (i = 0; i < count; i++) { int length; unsigned char buffer[3072]; + CYASSL_X509* chainX509; CyaSSL_get_chain_cert_pem(chain,i,buffer, sizeof(buffer), &length); buffer[length] = 0; printf("cert %d has length %d data = \n%s\n", i, length, buffer); + + chainX509 = CyaSSL_get_chain_X509(chain, i); + if (chainX509) + ShowX509(chainX509, "session cert info:"); + else + printf("get_chain_X509 failed\n"); + CyaSSL_FreeX509(chainX509); } } #endif diff --git a/examples/client/client.c b/examples/client/client.c index 4b0a0470d..f1a528cfb 100644 --- a/examples/client/client.c +++ b/examples/client/client.c @@ -113,6 +113,8 @@ static void Usage(void) printf("-m Match domain name in cert\n"); printf("-N Use Non-blocking sockets\n"); printf("-r Resume session\n"); + printf("-f Fewer packets/group messages\n"); + printf("-x Disable client cert/key loading\n"); #ifdef SHOW_SIZES printf("-z Print structure sizes\n"); #endif @@ -152,6 +154,8 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) int nonBlocking = 0; int resumeSession = 0; int trackMemory = 0; + int useClientCert = 1; + int fewerPackets = 0; char* cipherList = NULL; char* verifyCert = (char*)caCert; char* ourCert = (char*)cliCert; 
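Review bot: `char serialMsg[80]` in ShowX509 is too small for the serial sizes the call above it allows: `CyaSSL_X509_get_serial_number` may fill all `sizeof(serial)` = 32 bytes, and each loop iteration writes four characters plus a NUL at offset `strLen + i*3` (strLen is 14), so a serial of 22 or more bytes runs past the end of the stack buffer and a 32-byte one ends at offset 112. Size it from the inputs, `char serialMsg[sizeof(" serial number") + 3 * sizeof(serial) + 2];`, or bound the loop. The `issuer` and `subject` strings are also passed to `%s` without a NULL check, although `CyaSSL_X509_NAME_oneline` (see the src/ssl.c hunk in this commit) returns NULL when its malloc fails; guard with `if (issuer == NULL || subject == NULL)` and free what was obtained before returning. showPeer, which begins in this hunk, continues past its end.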
@@ -172,7 +176,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) (void)sslResume; (void)trackMemory; - while ((ch = mygetopt(argc, argv, "?gdusmNrth:p:v:l:A:c:k:b:z")) != -1) { + while ((ch = mygetopt(argc, argv, "?gdusmNrtfxh:p:v:l:A:c:k:b:z")) != -1) { switch (ch) { case '?' : Usage(); @@ -204,6 +208,14 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) matchName = 1; break; + case 'x' : + useClientCert = 0; + break; + + case 'f' : + fewerPackets = 1; + break; + case 'h' : host = myoptarg; domain = myoptarg; @@ -344,6 +356,9 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) usePsk = 1; #endif + if (fewerPackets) + CyaSSL_CTX_set_group_messages(ctx); + if (usePsk) { #ifndef NO_PSK CyaSSL_CTX_set_psk_client_callback(ctx, my_psk_client_cb); @@ -358,6 +373,7 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) err_sys("client can't set cipher list 2"); } #endif + useClientCert = 0; } #ifdef OPENSSL_EXTRA @@ -381,17 +397,18 @@ THREAD_RETURN CYASSL_THREAD client_test(void* args) CyaSSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, myVerify); #endif #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) - if (!usePsk){ - if (CyaSSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) - != SSL_SUCCESS) + if (useClientCert){ + if (CyaSSL_CTX_use_certificate_chain_file(ctx, ourCert) != SSL_SUCCESS) err_sys("can't load client cert file, check file and run from" " CyaSSL home dir"); if (CyaSSL_CTX_use_PrivateKey_file(ctx, ourKey, SSL_FILETYPE_PEM) != SSL_SUCCESS) err_sys("can't load client private key file, check file and run " - "from CyaSSL home dir"); + "from CyaSSL home dir"); + } + if (!usePsk) { if (CyaSSL_CTX_load_verify_locations(ctx, verifyCert, 0) != SSL_SUCCESS) err_sys("can't load ca file, Please run from CyaSSL home dir"); } diff --git a/examples/server/server.c b/examples/server/server.c index 376376a40..0fed1b501 100644 --- a/examples/server/server.c +++ b/examples/server/server.c 
@@ -108,6 +108,7 @@ static void Usage(void) printf("-t Track CyaSSL memory use\n"); printf("-u Use UDP DTLS," " add -v 2 for DTLSv1 (default), -v 3 for DTLSv1.2\n"); + printf("-f Fewer packets/group messages\n"); printf("-N Use Non-blocking sockets\n"); } @@ -131,9 +132,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) int port = yasslPort; int usePsk = 0; int doDTLS = 0; - int useNtruKey = 0; - int nonBlocking = 0; - int trackMemory = 0; + int useNtruKey = 0; + int nonBlocking = 0; + int trackMemory = 0; + int fewerPackets = 0; char* cipherList = NULL; char* verifyCert = (char*)cliCert; char* ourCert = (char*)svrCert; @@ -150,7 +152,7 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) #endif (void)trackMemory; - while ((ch = mygetopt(argc, argv, "?dbstnNup:v:l:A:c:k:")) != -1) { + while ((ch = mygetopt(argc, argv, "?dbstnNufp:v:l:A:c:k:")) != -1) { switch (ch) { case '?' : Usage(); @@ -182,6 +184,10 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) doDTLS = 1; break; + case 'f' : + fewerPackets = 1; + break; + case 'p' : port = atoi(myoptarg); #if !defined(NO_MAIN_DRIVER) || defined(USE_WINDOWS_API) @@ -299,6 +305,9 @@ THREAD_RETURN CYASSL_THREAD server_test(void* args) usePsk = 1; #endif + if (fewerPackets) + CyaSSL_CTX_set_group_messages(ctx); + #if !defined(NO_FILESYSTEM) && !defined(NO_CERTS) if (!usePsk) { if (SSL_CTX_use_certificate_file(ctx, ourCert, SSL_FILETYPE_PEM) diff --git a/src/internal.c b/src/internal.c index 197699ea1..ff5182d3a 100644 --- a/src/internal.c +++ b/src/internal.c 
@@ -1182,6 +1182,30 @@ void InitSuites(Suites* suites, ProtocolVersion pv, byte haveRSA, byte havePSK, } +/* Initialize CyaSSL X509 type */ +void InitX509(CYASSL_X509* x509, int dynamicFlag) +{ + x509->derCert.buffer = NULL; + x509->altNames = NULL; + x509->altNamesNext = NULL; + x509->dynamicMemory = dynamicFlag; +} + + +/* Free CyaSSL X509 type */ +void FreeX509(CYASSL_X509* x509) +{ + if (x509 == NULL) + return; + + XFREE(x509->derCert.buffer, NULL, DYNAMIC_TYPE_CERT); + if (x509->altNames) + FreeAltNames(x509->altNames, NULL); + if (x509->dynamicMemory) + XFREE(x509, NULL, DYNAMIC_TYPE_X509); +} + + /* init everything to 0, NULL, default values before calling anything that may fail so that desctructor has a "good" state to cleanup */ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) @@ -1231,9 +1255,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->buffers.plainSz = 0; #ifdef KEEP_PEER_CERT - ssl->peerCert.derCert.buffer = NULL; - ssl->peerCert.altNames = NULL; - ssl->peerCert.altNamesNext = NULL; + InitX509(&ssl->peerCert, 0); #endif #ifdef HAVE_ECC @@ -1590,9 +1612,7 @@ void SSL_ResourceFree(CYASSL* ssl) ssl->buffers.dtlsCtx.peer.sa = NULL; #endif #if defined(KEEP_PEER_CERT) || defined(GOAHEAD_WS) - XFREE(ssl->peerCert.derCert.buffer, ssl->heap, DYNAMIC_TYPE_CERT); - if (ssl->peerCert.altNames) - FreeAltNames(ssl->peerCert.altNames, ssl->heap); + FreeX509(&ssl->peerCert); #endif #if defined(OPENSSL_EXTRA) || defined(GOAHEAD_WS) CyaSSL_BIO_free(ssl->biord); @@ -2023,7 +2043,7 @@ ProtocolVersion MakeDTLSv1_2(void) #ifdef USE_WINDOWS_API - timer_d Timer(void) + word32 LowResTimer(void) { static int init = 0; static LARGE_INTEGER freq; @@ -2036,16 +2056,9 @@ ProtocolVersion MakeDTLSv1_2(void) QueryPerformanceCounter(&count); - return (double)count.QuadPart / freq.QuadPart; + return (word32)(count.QuadPart / freq.QuadPart); } - - word32 LowResTimer(void) - { - return (word32)Timer(); - } - - #elif defined(THREADX) #include "rtptime.h" 
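Review bot: FreeX509 frees `derCert.buffer` and `altNames` but leaves both pointers in the struct, and the embedded, non-dynamic case is exactly how it is now used (`FreeX509(&ssl->peerCert)` in SSL_ResourceFree), so any later accessor or a second free on the same object hits dangling memory; clear them before the `if (x509->dynamicMemory)` test with `x509->derCert.buffer = NULL; x509->derCert.length = 0; x509->altNames = x509->altNamesNext = NULL;`. A smaller point: InitX509 stores the `int dynamicFlag` into the `byte dynamicMemory` field added in internal.h, so a value such as 256 silently becomes 0; store `(byte)(dynamicFlag != 0)` instead. Whether a second Certificate message can repopulate `ssl->peerCert` without an intervening free is not visible here, so the first point is about the helper's robustness rather than a path I can point to.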
@@ -2805,6 +2818,54 @@ static int CheckAltNames(DecodedCert* dCert, char* domain) } +#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) + +/* Copy parts X509 needs from Decoded cert, 0 on success */ +int CopyDecodedToX509(CYASSL_X509* x509, DecodedCert* dCert) +{ + int ret = 0; + + if (x509 == NULL || dCert == NULL) + return BAD_FUNC_ARG; + + XSTRNCPY(x509->issuer.name, dCert->issuer, ASN_NAME_MAX); + x509->issuer.name[ASN_NAME_MAX - 1] = '\0'; + x509->issuer.sz = (int)XSTRLEN(x509->issuer.name) + 1; + + XSTRNCPY(x509->subject.name, dCert->subject, ASN_NAME_MAX); + x509->subject.name[ASN_NAME_MAX - 1] = '\0'; + x509->subject.sz = (int)XSTRLEN(x509->subject.name) + 1; + + XMEMCPY(x509->serial, dCert->serial, EXTERNAL_SERIAL_SIZE); + x509->serialSz = dCert->serialSz; + if (dCert->subjectCNLen < ASN_NAME_MAX) { + XMEMCPY(x509->subjectCN, dCert->subjectCN, dCert->subjectCNLen); + x509->subjectCN[dCert->subjectCNLen] = '\0'; + } + else + x509->subjectCN[0] = '\0'; + + /* store cert for potential retrieval */ + x509->derCert.buffer = (byte*)XMALLOC(dCert->maxIdx, NULL, + DYNAMIC_TYPE_CERT); + if (x509->derCert.buffer == NULL) { + ret = MEMORY_E; + } + else { + XMEMCPY(x509->derCert.buffer, dCert->source, dCert->maxIdx); + x509->derCert.length = dCert->maxIdx; + } + + x509->altNames = dCert->altNames; + dCert->altNames = NULL; /* takes ownership */ + x509->altNamesNext = x509->altNames; /* index hint */ + + return ret; +} + +#endif /* KEEP_PEER_CERT || SESSION_CERTS */ + + static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) { word32 listSz, i = *inOutIdx; 
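Review bot: On the MEMORY_E branch CopyDecodedToX509 leaves `x509->derCert.length` untouched (InitX509 in the earlier hunk does not initialise it either), so a caller that later reads the pair through `CyaSSL_X509_get_der` from this commit's src/ssl.c hunk gets a NULL buffer with a stale length; add `x509->derCert.length = 0;` in that branch. The function also assigns `derCert.buffer` and `altNames` unconditionally, so an X509 that is reused, as the embedded `ssl->peerCert` passed here from DoCertificate could be, would leak the previous allocations; I cannot tell from the hunk whether that occurs, so at minimum the header comment should state that the target must be freshly InitX509'd or already freed. The DER copy is now `dCert->maxIdx` bytes from `dCert->source` with a NULL heap hint where the removed DoCertificate code used `myCert.length` and `ssl->heap`; a one-line comment saying the two lengths are meant to be equal would save the next reader the check.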
@@ -2981,39 +3042,12 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) #endif /* HAVE_CRL */ #ifdef KEEP_PEER_CERT + { /* set X509 format for peer cert even if fatal */ - XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX); - ssl->peerCert.issuer.name[ASN_NAME_MAX - 1] = '\0'; - ssl->peerCert.issuer.sz = (int)XSTRLEN(ssl->peerCert.issuer.name) + 1; - - XSTRNCPY(ssl->peerCert.subject.name, dCert.subject, ASN_NAME_MAX); - ssl->peerCert.subject.name[ASN_NAME_MAX - 1] = '\0'; - ssl->peerCert.subject.sz = (int)XSTRLEN(ssl->peerCert.subject.name) + 1; - - XMEMCPY(ssl->peerCert.serial, dCert.serial, EXTERNAL_SERIAL_SIZE); - ssl->peerCert.serialSz = dCert.serialSz; - if (dCert.subjectCNLen < ASN_NAME_MAX) { - XMEMCPY(ssl->peerCert.subjectCN,dCert.subjectCN,dCert.subjectCNLen); - ssl->peerCert.subjectCN[dCert.subjectCNLen] = '\0'; - } - else - ssl->peerCert.subjectCN[0] = '\0'; - - /* store cert for potential retrieval */ - ssl->peerCert.derCert.buffer = (byte*)XMALLOC(myCert.length, ssl->heap, - DYNAMIC_TYPE_CERT); - if (ssl->peerCert.derCert.buffer == NULL) { - ret = MEMORY_E; + int copyRet = CopyDecodedToX509(&ssl->peerCert, &dCert); + if (copyRet == MEMORY_E) fatal = 1; } - else { - XMEMCPY(ssl->peerCert.derCert.buffer, myCert.buffer, myCert.length); - ssl->peerCert.derCert.length = myCert.length; - } - - ssl->peerCert.altNames = dCert.altNames; - dCert.altNames = NULL; /* takes ownership */ - ssl->peerCert.altNamesNext = ssl->peerCert.altNames; /* index hint */ #endif if (fatal) { diff --git a/src/ssl.c b/src/ssl.c index c880e9386..8f2588db6 100644 --- a/src/ssl.c +++ b/src/ssl.c 
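Review bot: The replacement code sets `fatal = 1` when CopyDecodedToX509 reports MEMORY_E but no longer assigns the error to `ret`, whereas the removed lines did `ret = MEMORY_E;` alongside `fatal = 1`; if `ret` is still 0 here (the cert verified and only the copy failed) the fatal path below, which starts outside this hunk, presumably propagates `ret` and would report success with no stored peer cert. Restore the code with `if (copyRet == MEMORY_E) { fatal = 1; if (ret == 0) ret = MEMORY_E; }`. Checking only MEMORY_E is otherwise fine, since BAD_FUNC_ARG cannot occur with two address arguments. DoCertificate begins and ends outside this hunk.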
@@ -692,6 +692,31 @@ void CyaSSL_CertManagerFree(CYASSL_CERT_MANAGER* cm) } + +/* Unload the CA signer list */ +int CyaSSL_CertManagerUnloadCAs(CYASSL_CERT_MANAGER* cm) +{ + Signer* signers; + + CYASSL_ENTER("CyaSSL_CertManagerUnloadCAs"); + + if (cm == NULL) + return BAD_FUNC_ARG; + + if (LockMutex(&cm->caLock) != 0) + return BAD_MUTEX_ERROR; + + signers = cm->caList; + cm->caList = NULL; + + UnLockMutex(&cm->caLock); + + FreeSigners(signers, NULL); + + return SSL_SUCCESS; +} + + #endif /* !NO_CERTS */ @@ -986,7 +1011,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify) int CyaSSL_Init(void) { - int ret = 0; + int ret = SSL_SUCCESS; CYASSL_ENTER("CyaSSL_Init"); @@ -2510,7 +2535,7 @@ void CyaSSL_load_error_strings(void) /* compatibility only */ int CyaSSL_library_init(void) { CYASSL_ENTER("SSL_library_init"); - if (CyaSSL_Init() == 0) + if (CyaSSL_Init() == SSL_SUCCESS) return SSL_SUCCESS; else return SSL_FATAL_ERROR; @@ -3131,13 +3156,13 @@ int CyaSSL_dtls_got_timeout(CYASSL* ssl) int CyaSSL_Cleanup(void) { - int ret = 0; + int ret = SSL_SUCCESS; int release = 0; CYASSL_ENTER("CyaSSL_Cleanup"); if (initRefCount == 0) - return 0; /* possibly no init yet */ + return ret; /* possibly no init yet, but not failure either way */ if (LockMutex(&count_mutex) != 0) { CYASSL_MSG("Bad Lock Mutex count"); @@ -3469,7 +3494,7 @@ int CyaSSL_check_domain_name(CYASSL* ssl, const char* dn) /* turn on CyaSSL zlib compression - returns 0 for success, else error (not built in) + returns SSL_SUCCESS for success, else error (not built in) */ int CyaSSL_set_compression(CYASSL* ssl) { @@ -3477,7 +3502,7 @@ int CyaSSL_set_compression(CYASSL* ssl) (void)ssl; #ifdef HAVE_LIBZ ssl->options.usingCompression = 1; - return 0; + return SSL_SUCCESS; #else return NOT_COMPILED_IN; #endif 
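Review bot: CyaSSL_CertManagerUnloadCAs detaches the signer list under `caLock` and frees it after unlocking, which is the right shape, but nothing documents what a concurrent handshake may assume: if a verifying thread keeps a `Signer*` beyond its own critical section (not visible here), freeing outside the lock races with it. Either hold the lock across `FreeSigners` or state the contract above the function, e.g. `/* Drop every loaded CA. Not safe while another thread is mid-verification with this manager. */`. The `FreeSigners(signers, NULL)` heap hint presumably matches CyaSSL_CertManagerFree just above; worth confirming since AddCA's allocation hint is outside the hunk.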
@@ -3882,6 +3907,16 @@ int CyaSSL_set_compression(CYASSL* ssl) ssl, NULL, 1); } + int CyaSSL_CTX_UnloadCAs(CYASSL_CTX* ctx) + { + CYASSL_ENTER("CyaSSL_CTX_UnloadCAs"); + + if (ctx == NULL) + return BAD_FUNC_ARG; + + return CyaSSL_CertManagerUnloadCAs(ctx->cm); + } + /* old NO_FILESYSTEM end */ #endif /* !NO_CERTS */ @@ -4082,65 +4117,6 @@ int CyaSSL_set_compression(CYASSL* ssl) } - /* return the next, if any, altname from the peer cert */ - char* CyaSSL_X509_get_next_altname(CYASSL_X509* cert) - { - char* ret = NULL; - CYASSL_ENTER("CyaSSL_X509_get_next_altname"); - - /* don't have any to work with */ - if (cert == NULL || cert->altNames == NULL) - return NULL; - - /* already went through them */ - if (cert->altNamesNext == NULL) - return NULL; - - ret = cert->altNamesNext->name; - cert->altNamesNext = cert->altNamesNext->next; - - return ret; - } - - - CYASSL_X509_NAME* CyaSSL_X509_get_issuer_name(CYASSL_X509* cert) - { - CYASSL_ENTER("X509_get_issuer_name"); - return &cert->issuer; - } - - - CYASSL_X509_NAME* CyaSSL_X509_get_subject_name(CYASSL_X509* cert) - { - CYASSL_ENTER("X509_get_subject_name"); - return &cert->subject; - } - - - /* copy name into in buffer, at most sz bytes, if buffer is null will - malloc buffer, call responsible for freeing */ - char* CyaSSL_X509_NAME_oneline(CYASSL_X509_NAME* name, char* in, int sz) - { - int copySz = min(sz, name->sz); - - CYASSL_ENTER("CyaSSL_X509_NAME_oneline"); - if (!name->sz) return in; - - if (!in) { - in = (char*)XMALLOC(name->sz, 0, DYNAMIC_TYPE_OPENSSL); - if (!in ) return in; - copySz = name->sz; - } - - if (copySz == 0) - return in; - - XMEMCPY(in, name->name, copySz - 1); - in[copySz - 1] = 0; - - return in; - } - CYASSL_X509* CyaSSL_X509_STORE_CTX_get_current_cert( CYASSL_X509_STORE_CTX* ctx) 
@@ -5112,7 +5088,7 @@ int CyaSSL_set_compression(CYASSL* ssl) } - /* store for external read of iv, 0 on success */ + /* store for external read of iv, SSL_SUCCESS on success */ int CyaSSL_StoreExternalIV(CYASSL_EVP_CIPHER_CTX* ctx) { CYASSL_ENTER("CyaSSL_StoreExternalIV"); @@ -5163,11 +5139,11 @@ int CyaSSL_set_compression(CYASSL* ssl) return -1; /* failure */ } } - return 0; /* success */ + return SSL_SUCCESS; } - /* set internal IV from external, 0 on success */ + /* set internal IV from external, SSL_SUCCESS on success */ int CyaSSL_SetInternalIV(CYASSL_EVP_CIPHER_CTX* ctx) { @@ -5219,7 +5195,7 @@ int CyaSSL_set_compression(CYASSL* ssl) return -1; /* failure */ } } - return 0; /* success */ + return SSL_SUCCESS; } @@ -5505,8 +5481,12 @@ int CyaSSL_set_compression(CYASSL* ssl) (void)flags; return 0; } -#endif -#ifdef KEEP_PEER_CERT + +#endif /* OPENSSL_EXTRA */ + + +#if defined(KEEP_PEER_CERT) + CYASSL_X509* CyaSSL_get_peer_certificate(CYASSL* ssl) { CYASSL_ENTER("SSL_get_peer_certificate"); 
@@ -5515,7 +5495,108 @@ int CyaSSL_set_compression(CYASSL* ssl) else return 0; } -#endif + +#endif /* KEEP_PEER_CERT */ + + +#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) + + void CyaSSL_FreeX509(CYASSL_X509* x509) + { + CYASSL_ENTER("CyaSSL_FreeX509"); + FreeX509(x509); + } + + + /* return the next, if any, altname from the peer cert */ + char* CyaSSL_X509_get_next_altname(CYASSL_X509* cert) + { + char* ret = NULL; + CYASSL_ENTER("CyaSSL_X509_get_next_altname"); + + /* don't have any to work with */ + if (cert == NULL || cert->altNames == NULL) + return NULL; + + /* already went through them */ + if (cert->altNamesNext == NULL) + return NULL; + + ret = cert->altNamesNext->name; + cert->altNamesNext = cert->altNamesNext->next; + + return ret; + } + + + CYASSL_X509_NAME* CyaSSL_X509_get_issuer_name(CYASSL_X509* cert) + { + CYASSL_ENTER("X509_get_issuer_name"); + return &cert->issuer; + } + + + CYASSL_X509_NAME* CyaSSL_X509_get_subject_name(CYASSL_X509* cert) + { + CYASSL_ENTER("X509_get_subject_name"); + return &cert->subject; + } + + + /* copy name into in buffer, at most sz bytes, if buffer is null will + malloc buffer, call responsible for freeing */ + char* CyaSSL_X509_NAME_oneline(CYASSL_X509_NAME* name, char* in, int sz) + { + int copySz = min(sz, name->sz); + + CYASSL_ENTER("CyaSSL_X509_NAME_oneline"); + if (!name->sz) return in; + + if (!in) { + in = (char*)XMALLOC(name->sz, 0, DYNAMIC_TYPE_OPENSSL); + if (!in ) return in; + copySz = name->sz; + } + + if (copySz == 0) + return in; + + XMEMCPY(in, name->name, copySz - 1); + in[copySz - 1] = 0; + + return in; + } + + + /* write X509 serial number in unsigned binary to buffer + buffer needs to be at least EXTERNAL_SERIAL_SIZE (32) for all cases + return SSL_SUCCESS on success */ + int CyaSSL_X509_get_serial_number(CYASSL_X509* x509, byte* in, int* inOutSz) + { + CYASSL_ENTER("CyaSSL_X509_get_serial_number"); + if (x509 == NULL || in == NULL || *inOutSz < x509->serialSz) + return BAD_FUNC_ARG; + + 
XMEMCPY(in, x509->serial, x509->serialSz); + *inOutSz = x509->serialSz; + + return SSL_SUCCESS; + } + + + const byte* CyaSSL_X509_get_der(CYASSL_X509* x509, int* outSz) + { + CYASSL_ENTER("CyaSSL_X509_get_der"); + + if (x509 == NULL || outSz == NULL) + return NULL; + + *outSz = (int)x509->derCert.length; + return x509->derCert.buffer; + } + +#endif /* KEEP_PEER_CERT || SESSION_CERTS */ + #ifdef OPENSSL_EXTRA int CyaSSL_set_ex_data(CYASSL* ssl, int idx, void* data) @@ -6661,32 +6742,6 @@ int CyaSSL_set_compression(CYASSL* ssl) return 0; } - /* write X509 serial number in unsigned binary to buffer - buffer needs to be at least EXTERNAL_SERIAL_SIZE (32) for all cases - return 0 on success */ - int CyaSSL_X509_get_serial_number(CYASSL_X509* x509, byte* in, int* inOutSz) - { - CYASSL_ENTER("CyaSSL_X509_get_serial_number"); - if (x509 == NULL || in == NULL || *inOutSz < x509->serialSz) - return BAD_FUNC_ARG; - - XMEMCPY(in, x509->serial, x509->serialSz); - *inOutSz = x509->serialSz; - - return 0; - } - - - const byte* CyaSSL_X509_get_der(CYASSL_X509* x509, int* outSz) - { - CYASSL_ENTER("CyaSSL_X509_get_der"); - - if (x509 == NULL || outSz == NULL) - return NULL; - - *outSz = (int)x509->derCert.length; - return x509->derCert.buffer; - } #endif /* OPENSSL_EXTRA */ @@ -7857,7 +7912,7 @@ static int initGlobalRNG = 0; #ifndef NO_DSA - /* return 0 on success, < 0 otherwise */ + /* return SSL_SUCCESS on success, < 0 otherwise */ int CyaSSL_DSA_do_sign(const unsigned char* d, unsigned char* sigRet, CYASSL_DSA* dsa) { @@ -7890,7 +7945,7 @@ static int initGlobalRNG = 0; return -1; } - return 0; + return SSL_SUCCESS; } #endif /* NO_DSA */ @@ -8434,7 +8489,7 @@ int CyaSSL_KeyPemToDer(const unsigned char* pem, int pemSz, unsigned char* buff, } -/* Load RSA from Der, 0 on success < 0 on error */ +/* Load RSA from Der, SSL_SUCCESS on success < 0 on error */ int CyaSSL_RSA_LoadDer(CYASSL_RSA* rsa, const unsigned char* der, int derSz) { word32 idx = 0; 
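Review bot: `CyaSSL_X509_NAME_oneline`, now relocated under KEEP_PEER_CERT || SESSION_CERTS, computes `copySz = min(sz, name->sz)` and only bails out on `copySz == 0`; a caller that supplies its own `in` with a negative `sz` gets `copySz - 1` converted to a huge size in the `XMEMCPY` and `in[copySz - 1]` written before the buffer. Change the guard to `if (copySz <= 0) return in;` and, since the function is now reachable from the public `CyaSSL_get_chain_X509` path, reject `name == NULL` before `name->sz` is read; `CyaSSL_X509_get_issuer_name` and `_subject_name` just above also dereference `cert` with no check. These lines are moved rather than new, but the relocation is what makes them available to SESSION_CERTS-only builds.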
@@ -8460,12 +8515,12 @@ int CyaSSL_RSA_LoadDer(CYASSL_RSA* rsa, const unsigned char* der, int derSz) rsa->inSet = 1; - return 0; + return SSL_SUCCESS; } #ifndef NO_DSA -/* Load DSA from Der, 0 on success < 0 on error */ +/* Load DSA from Der, SSL_SUCCESS on success < 0 on error */ int CyaSSL_DSA_LoadDer(CYASSL_DSA* dsa, const unsigned char* der, int derSz) { word32 idx = 0; @@ -8491,7 +8546,7 @@ int CyaSSL_DSA_LoadDer(CYASSL_DSA* dsa, const unsigned char* der, int derSz) dsa->inSet = 1; - return 0; + return SSL_SUCCESS; } #endif /* NO_DSA */ @@ -8548,6 +8603,46 @@ byte* CyaSSL_get_chain_cert(CYASSL_X509_CHAIN* chain, int idx) } +/* Get peer's CyaSSL X509 ceritifcate at index (idx) */ +CYASSL_X509* CyaSSL_get_chain_X509(CYASSL_X509_CHAIN* chain, int idx) +{ + int ret; + CYASSL_X509* x509; + DecodedCert dCert; + + CYASSL_ENTER("CyaSSL_get_chain_X509"); + if (chain == NULL) + return NULL; + + InitDecodedCert(&dCert, chain->certs[idx].buffer, chain->certs[idx].length, + NULL); + ret = ParseCertRelative(&dCert, CERT_TYPE, 0, NULL); + if (ret != 0) { + CYASSL_MSG("Failed to parse cert"); + FreeDecodedCert(&dCert); + return NULL; + } + + x509 = (CYASSL_X509*)XMALLOC(sizeof(CYASSL_X509), NULL, DYNAMIC_TYPE_X509); + if (x509 == NULL) { + CYASSL_MSG("Failed alloc X509"); + FreeDecodedCert(&dCert); + return NULL; + } + InitX509(x509, 1); + + ret = CopyDecodedToX509(x509, &dCert); + if (ret != 0) { + CYASSL_MSG("Failed to copy decoded"); + XFREE(x509, NULL, DYNAMIC_TYPE_X509); + x509 = NULL; + } + FreeDecodedCert(&dCert); + + return x509; +} + + /* Get peer's PEM ceritifcate at index (idx), output to buffer if inLen big enough else return error (-1), output length is in *outLen */ int CyaSSL_get_chain_cert_pem(CYASSL_X509_CHAIN* chain, int idx, diff --git a/tests/api.c b/tests/api.c index fc0540c36..764b0e806 100644 --- a/tests/api.c +++ b/tests/api.c 
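Review bot: `CyaSSL_get_chain_X509` indexes `chain->certs[idx]` straight after the NULL check on `chain`, with no check that `idx` is below the chain's entry count (the value `CyaSSL_get_chain_count` reports), so a caller iterating one past the end feeds a stale or out-of-bounds buffer/length pair to InitDecodedCert; add `idx < 0 || idx >= <count member>` to the early return, using whichever member get_chain_count reads, which is not visible in this hunk. On the CopyDecodedToX509 failure path the function calls `XFREE(x509, NULL, DYNAMIC_TYPE_X509)` directly, but CopyDecodedToX509 has already taken `dCert.altNames` (it NULLs the source), so the alt-name list leaks; `FreeX509(x509)` releases altNames, any derCert buffer and the object itself, since it was InitX509'd with the dynamic flag set. The third argument to `ParseCertRelative` is 0, which looks like "no verification" and is fine for a display helper, but the header comment should say the result is unvalidated.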
@@ -103,7 +103,7 @@ int test_CyaSSL_Init(void) printf(testingFmt, "CyaSSL_Init()"); result = CyaSSL_Init(); - printf(resultFmt, result ? failed : passed); + printf(resultFmt, result == SSL_SUCCESS ? passed : failed); return result; } @@ -114,7 +114,7 @@ static int test_CyaSSL_Cleanup(void) printf(testingFmt, "CyaSSL_Cleanup()"); result = CyaSSL_Cleanup(); - printf(resultFmt, result ? failed : passed); + printf(resultFmt, result == SSL_SUCCESS ? passed : failed); return result; }
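Review bot: Both tests still `return result;` after the printf, so now that `CyaSSL_Init` and `CyaSSL_Cleanup` return SSL_SUCCESS the functions return a non-zero value on success; the removed `result ? failed : passed` suggests the harness treats non-zero as failure, and whether its caller was updated is not visible in this diff. If it was not, normalise before returning, `return result == SSL_SUCCESS ? 0 : result;`, in both functions. Both function bodies begin outside the hunks shown.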