From f528f5a7d31531decb646e918923930a9acda159 Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 29 May 2012 12:04:48 -0700 Subject: [PATCH 1/4] add CertManager Verify with Buffer --- cyassl/ssl.h | 2 ++ src/ssl.c | 77 ++++++++++++++++++++++++++++++---------------------- 2 files changed, 47 insertions(+), 32 deletions(-) diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 702486e38..9d37b869a 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -789,6 +789,8 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f, const char* d); CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, int format); +CYASSL_API int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, + const unsigned char* buff, int sz, int format); CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*, int sz); CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); diff --git a/src/ssl.c b/src/ssl.c index 207e55cda..764341949 100644 --- a/src/ssl.c +++ b/src/ssl.c 
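Review bot: The new CyaSSL_CertManagerVerifyBuffer prototype carries no comment in the public header, and its buffer parameter is declared `const unsigned char*` here but `const byte*` in the src/ssl.c definition, which only agrees if byte is a typedef of unsigned char. Add a header comment such as `/* Verify a certificate held in memory against cm's trusted CAs; buff holds sz bytes, format is SSL_FILETYPE_PEM, anything else is treated as DER */` and state the return convention there once it is settled in the definition, since the definition's comment and its code currently disagree.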
@@ -1280,28 +1280,64 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file, } +/* Verify the ceritficate, 1 for success, < 0 for error */ +int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const byte* buff, + int sz, int format) +{ + int ret = 0; + int eccKey = 0; /* not used */ + + DecodedCert cert; + buffer der; + + CYASSL_ENTER("CyaSSL_CertManagerVerifyBuffer"); + + der.buffer = NULL; + + if (format == SSL_FILETYPE_PEM) { + EncryptedInfo info; + + info.set = 0; + info.ctx = NULL; + info.consumed = 0; + ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, &info, &eccKey); + InitDecodedCert(&cert, der.buffer, der.length, cm->heap); + } + else + InitDecodedCert(&cert, buff, sz, cm->heap); + + if (ret == 0) + ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm); +#ifdef HAVE_CRL + if (ret == 0 && cm->crlEnabled) + ret = CheckCertCRL(cm->crl, &cert); +#endif + + FreeDecodedCert(&cert); + XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT); + + return ret; +} + + /* Verify the ceritficate, 1 for success, < 0 for error */ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname, int format) { - int ret = SSL_FATAL_ERROR; - int eccKey = 0; /* not used */ - DecodedCert cert; - + int ret = SSL_FATAL_ERROR; byte staticBuffer[FILE_BUFFER_SIZE]; byte* myBuffer = staticBuffer; int dynamic = 0; long sz = 0; - buffer der; XFILE* file = XFOPEN(fname, "rb"); + CYASSL_ENTER("CyaSSL_CertManagerVerify"); + if (!file) return SSL_BAD_FILE; XFSEEK(file, 0, XSEEK_END); sz = XFTELL(file); XREWIND(file); - der.buffer = NULL; - if (sz > (long)sizeof(staticBuffer)) { CYASSL_MSG("Getting dynamic buffer"); myBuffer = (byte*) XMALLOC(sz, cm->heap, DYNAMIC_TYPE_FILE); 
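Review bot: CyaSSL_CertManagerVerifyBuffer is now an exported entry point but dereferences cm->heap and passes buff and sz straight to PemToDer/InitDecodedCert with no argument check, whereas CyaSSL_SetVersion later in this series rejects a NULL handle; add `if (cm == NULL || buff == NULL || sz <= 0) return BAD_FUNC_ARG;` before the CYASSL_ENTER. In the PEM branch InitDecodedCert runs even when PemToDer failed, and der.length is never initialised, so if PemToDer does not set it on failure an indeterminate length reaches InitDecodedCert; set `der.length = 0;` next to `der.buffer = NULL;` (the cert must still be initialised so the unconditional FreeDecodedCert stays valid). The comment promises 1 for success, but the `if (ret == 0)` chaining implies the helpers return 0 on success, so ret is 0 — not 1 — when verification passes; either correct the comment or add `if (ret == 0) ret = SSL_SUCCESS;` before the return, and fix the typo "ceritficate" while there.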
@@ -1314,32 +1350,9 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname, if ( (ret = XFREAD(myBuffer, sz, 1, file)) < 0) ret = SSL_BAD_FILE; - else { - ret = 0; /* ok */ - if (format == SSL_FILETYPE_PEM) { - EncryptedInfo info; - - info.set = 0; - info.ctx = NULL; - info.consumed = 0; - ret = PemToDer(myBuffer, sz, CERT_TYPE, &der, cm->heap, &info, - &eccKey); - InitDecodedCert(&cert, der.buffer, der.length, cm->heap); + else + ret = CyaSSL_CertManagerVerifyBuffer(cm, myBuffer, sz, format); - } - else - InitDecodedCert(&cert, myBuffer, sz, cm->heap); - - if (ret == 0) - ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm); -#ifdef HAVE_CRL - if (ret == 0 && cm->crlEnabled) - ret = CheckCertCRL(cm->crl, &cert); -#endif - } - - FreeDecodedCert(&cert); - XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT); XFCLOSE(file); if (dynamic) XFREE(myBuffer, cm->heap, DYNAMIC_TYPE_FILE); From 458302f9fec3e30a6969e7be03c8aaaf69e27995 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 30 May 2012 10:03:05 -0700 Subject: [PATCH 2/4] warning cast --- src/ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ssl.c b/src/ssl.c index 764341949..9bc526ab1 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -1304,7 +1304,7 @@ int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const byte* buff, InitDecodedCert(&cert, der.buffer, der.length, cm->heap); } else - InitDecodedCert(&cert, buff, sz, cm->heap); + InitDecodedCert(&cert, (byte*)buff, sz, cm->heap); if (ret == 0) ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm); From a1157da3040318cfb37a00f4d1932ef2da391ce3 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 30 May 2012 14:40:25 -0700 Subject: [PATCH 3/4] move HAVE_OCSP to top of source for different build envs --- src/ocsp.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/ocsp.c b/src/ocsp.c index acba2b3c5..85c5ffeec 100644 --- a/src/ocsp.c +++ b/src/ocsp.c 
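Review bot: The new else branch calls CyaSSL_CertManagerVerifyBuffer on myBuffer whenever the XFREAD result is not negative, but if XFREAD maps to fread its size_t return can never be negative, so a failed or short read is not caught and the verifier parses a buffer that was never fully written; the guard on the context line above should be `if (XFREAD(myBuffer, sz, 1, file) != 1) ret = SSL_BAD_FILE;` so the new call only runs after a complete read. The long sz from XFTELL is also narrowed silently to the int parameter; an explicit `(int)sz` after a range check would make that visible. CyaSSL_CertManagerVerify begins in the previous hunk.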
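Review bot: `(byte*)buff` removes the const that the public prototype promises callers, which hides whether InitDecodedCert writes through the pointer; if it only reads, the cleaner fix is to make InitDecodedCert's source parameter `const byte*` and drop the cast, and if it does write, the buffer cannot be advertised as const in cyassl/ssl.h. If read-only behaviour is confirmed, a comment `/* cast: InitDecodedCert takes a non-const source but does not modify it */` records why the qualifier is dropped.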
@@ -23,6 +23,8 @@ #include #endif +#ifdef HAVE_OCSP + #include #include #include @@ -40,7 +42,6 @@ #include -#ifdef HAVE_OCSP CYASSL_API int ocsp_test(unsigned char* buf, int sz); #define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */ #define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL From fbc5c8d6dc5d90f59618af2f079eb802fc7a082d Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 31 May 2012 15:24:25 -0700 Subject: [PATCH 4/4] add SSL set version, different from ctx version --- cyassl/internal.h | 3 --- cyassl/ssl.h | 5 +++++ src/internal.c | 11 ++++------ src/ssl.c | 55 ++++++++++++++++++++++++++++++++++++++++++----- 4 files changed, 59 insertions(+), 15 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index 99baa3c0d..02046eb18 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -475,9 +475,6 @@ struct CYASSL_BIO { struct CYASSL_METHOD { ProtocolVersion version; byte side; /* connection side, server or client */ - byte verifyPeer; /* request or send certificate */ - byte verifyNone; /* whether to verify certificate */ - byte failNoCert; /* fail if no certificate */ byte downgrade; /* whether to downgrade version, default no */ }; diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 9d37b869a..95d222bf2 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -769,10 +769,15 @@ CYASSL_API void CyaSSL_SetIOWriteCtx(CYASSL* ssl, void *ctx); /* CA cache callbacks */ enum { + CYASSL_SSLV3 = 0, + CYASSL_TLSV1 = 1, + CYASSL_TLSV1_1 = 2, + CYASSL_TLSV1_2 = 3, CYASSL_USER_CA = 1, /* user added as trusted */ CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */ }; +CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version); CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*, int, const char*); diff --git a/src/internal.c b/src/internal.c index 446c069ab..4e807f1bd 100644 --- a/src/internal.c +++ b/src/internal.c 
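Review bot: The four CYASSL_SSLV3..CYASSL_TLSV1_2 constants in the cyassl/ssl.h hunk are added to the enum the preceding comment labels "CA cache callbacks", and CYASSL_TLSV1 and CYASSL_TLSV1_1 take the same values as CYASSL_USER_CA and CYASSL_CHAIN_CA, so passing a CA-cache constant to CyaSSL_SetVersion compiles without complaint and silently selects a protocol; put the version constants in their own enum headed `/* protocol versions accepted by CyaSSL_SetVersion */`. A short comment on the new prototype saying it overrides the version this CYASSL inherited from its CYASSL_CTX method, and presumably must precede CyaSSL_connect/CyaSSL_accept (confirm), would give the header the contract the commit title only hints at.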
@@ -315,9 +315,6 @@ void InitSSL_Method(CYASSL_METHOD* method, ProtocolVersion pv) { method->version = pv; method->side = CLIENT_END; - method->verifyPeer = 0; - method->verifyNone = 0; - method->failNoCert = 0; method->downgrade = 0; } @@ -913,11 +910,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) if (ssl->options.side == SERVER_END) InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); else InitSuites(&ssl->suites, ssl->version, TRUE, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); #ifdef SESSION_CERTS @@ -5850,7 +5847,7 @@ int SetCipherList(Suites* s, const char* list) InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); } /* suite size */ @@ -5981,7 +5978,7 @@ int SetCipherList(Suites* s, const char* list) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); } /* random */ XMEMCPY(ssl->arrays.clientRandom, input + i, RAN_LEN); diff --git a/src/ssl.c b/src/ssl.c index 9bc526ab1..2a5cfefb9 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -228,7 +228,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz, #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); CYASSL_LEAVE("CyaSSL_SetTmpDH", 0); return 0; 
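Review bot: In the InitSSL hunk the two InitSuites calls now read ssl->options.side instead of ssl->ctx->method->side, which is only equivalent if ssl->options.side has already been copied from the method at that point; InitSSL starts outside the hunk, so confirm the assignment precedes these calls, otherwise a server-side CYASSL would build its suite list with the zero-initialised side. The same replacement in the other hunks on this line and in the later src/ssl.c hunks runs on an already initialised CYASSL and does not raise that concern.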
@@ -473,6 +473,51 @@ int CyaSSL_set_group_messages(CYASSL* ssl) } +int CyaSSL_SetVersion(CYASSL* ssl, int version) +{ + byte havePSK = 0; + + CYASSL_ENTER("CyaSSL_SetVersion"); + + if (ssl == NULL) { + CYASSL_MSG("Bad function argument"); + return BAD_FUNC_ARG; + } + + switch (version) { + case CYASSL_SSLV3: + ssl->version = MakeSSLv3(); + break; + + case CYASSL_TLSV1: + ssl->version = MakeTLSv1(); + break; + + case CYASSL_TLSV1_1: + ssl->version = MakeTLSv1_1(); + break; + + case CYASSL_TLSV1_2: + ssl->version = MakeTLSv1_2(); + break; + + default: + CYASSL_MSG("Bad function argument"); + return BAD_FUNC_ARG; + } + + #ifndef NO_PSK + havePSK = ssl->options.havePSK; + #endif + + InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, + ssl->options.haveNTRU, ssl->options.haveECDSA, + ssl->options.haveStaticECC, ssl->options.side); + + return SSL_SUCCESS; +} + + /* does CA already exist on signer list */ int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash) { @@ -2064,7 +2109,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list) InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); return SSL_SUCCESS; } @@ -3088,7 +3133,7 @@ int CyaSSL_set_compression(CYASSL* ssl) InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveStaticECC, - ssl->ctx->method->side); + ssl->options.side); } @@ -3109,7 +3154,7 @@ int CyaSSL_set_compression(CYASSL* ssl) InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); } 
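Review bot: CyaSSL_SetVersion has no comment although the neighbouring functions carry one, and nothing in the new body guards against being called after the handshake has started, when replacing ssl->version and rebuilding ssl->suites would leave the negotiated version and the cipher list out of step; if the CYASSL carries a handshake-state flag, reject the call with BAD_FUNC_ARG once it is set, otherwise document the precondition. A header such as `/* Select the protocol version for this CYASSL, overriding the version inherited from the CYASSL_CTX method; call before CyaSSL_connect/CyaSSL_accept. Returns SSL_SUCCESS or BAD_FUNC_ARG. */` states the contract the commit title only hints at. The interaction with the method's downgrade flag is not visible here; confirm whether a version chosen this way is still allowed to downgrade.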
@@ -3343,7 +3388,7 @@ int CyaSSL_set_compression(CYASSL* ssl) #endif InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, - ssl->options.haveStaticECC, ssl->ctx->method->side); + ssl->options.haveStaticECC, ssl->options.side); }