WolfSSL
/
wolfssl
mirror of https://github.com/wolfSSL/wolfssl.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Merge branch 'master' of github.com:cyassl/cyassl

pull/1/head
John Safranek 2012-05-31 17:29:41 -07:00
parent 6d76b2f247 fbc5c8d6dc
commit ca7bf0d01e
5 changed files with 108 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
cyassl/internal.h
View File

@ -475,9 +475,6 @@ struct CYASSL_BIO {
struct CYASSL_METHOD { struct CYASSL_METHOD {
ProtocolVersion version; ProtocolVersion version;
byte side; /* connection side, server or client */ byte side; /* connection side, server or client */
byte verifyPeer; /* request or send certificate */
byte verifyNone; /* whether to verify certificate */
byte failNoCert; /* fail if no certificate */
byte downgrade; /* whether to downgrade version, default no */ byte downgrade; /* whether to downgrade version, default no */
}; };

7
cyassl/ssl.h
View File

@ -769,10 +769,15 @@ CYASSL_API void CyaSSL_SetIOWriteCtx(CYASSL* ssl, void *ctx);
/* CA cache callbacks */ /* CA cache callbacks */
enum { enum {
CYASSL_SSLV3 = 0,
CYASSL_TLSV1 = 1,
CYASSL_TLSV1_1 = 2,
CYASSL_TLSV1_2 = 3,
CYASSL_USER_CA = 1, /* user added as trusted */ CYASSL_USER_CA = 1, /* user added as trusted */
CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */ CYASSL_CHAIN_CA = 2 /* added to cache from trusted chain */
}; };
CYASSL_API int CyaSSL_SetVersion(CYASSL* ssl, int version);
CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*, CYASSL_API int CyaSSL_KeyPemToDer(const unsigned char*, int sz, unsigned char*,
int, const char*); int, const char*);
@ -789,6 +794,8 @@ CYASSL_API int CyaSSL_CertManagerLoadCA(CYASSL_CERT_MANAGER*, const char* f,
const char* d); const char* d);
CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f, CYASSL_API int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER*, const char* f,
int format); int format);
CYASSL_API int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm,
const unsigned char* buff, int sz, int format);
CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*, CYASSL_API int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER*, unsigned char*,
int sz); int sz);
CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options); CYASSL_API int CyaSSL_CertManagerEnableCRL(CYASSL_CERT_MANAGER*, int options);

11
src/internal.c
View File

@ -315,9 +315,6 @@ void InitSSL_Method(CYASSL_METHOD* method, ProtocolVersion pv)
{ {
method->version = pv; method->version = pv;
method->side = CLIENT_END; method->side = CLIENT_END;
method->verifyPeer = 0;
method->verifyNone = 0;
method->failNoCert = 0;
method->downgrade = 0; method->downgrade = 0;
} }
@ -913,11 +910,11 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx)
if (ssl->options.side == SERVER_END) if (ssl->options.side == SERVER_END)
InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK, InitSuites(&ssl->suites, ssl->version,ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
else else
InitSuites(&ssl->suites, ssl->version, TRUE, havePSK, InitSuites(&ssl->suites, ssl->version, TRUE, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
#ifdef SESSION_CERTS #ifdef SESSION_CERTS
@ -5850,7 +5847,7 @@ int SetCipherList(Suites* s, const char* list)
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
} }
/* suite size */ /* suite size */
@ -5981,7 +5978,7 @@ int SetCipherList(Suites* s, const char* list)
#endif #endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
} }
/* random */ /* random */
XMEMCPY(ssl->arrays.clientRandom, input + i, RAN_LEN); XMEMCPY(ssl->arrays.clientRandom, input + i, RAN_LEN);

3
src/ocsp.c
View File

@ -23,6 +23,8 @@
#include <config.h> #include <config.h>
#endif #endif
#ifdef HAVE_OCSP
#include <cyassl/error.h> #include <cyassl/error.h>
#include <cyassl/ocsp.h> #include <cyassl/ocsp.h>
#include <cyassl/internal.h> #include <cyassl/internal.h>
@ -40,7 +42,6 @@
#include <sys/socket.h> #include <sys/socket.h>
#ifdef HAVE_OCSP
CYASSL_API int ocsp_test(unsigned char* buf, int sz); CYASSL_API int ocsp_test(unsigned char* buf, int sz);
#define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */ #define CYASSL_OCSP_ENABLE 0x0001 /* Enable OCSP lookups */
#define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL #define CYASSL_OCSP_URL_OVERRIDE 0x0002 /* Use the override URL instead of URL

132
src/ssl.c
View File

@ -228,7 +228,7 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
#endif #endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH,
havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA, havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
CYASSL_LEAVE("CyaSSL_SetTmpDH", 0); CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
return 0; return 0;
@ -473,6 +473,51 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
} }
int CyaSSL_SetVersion(CYASSL* ssl, int version)
{
byte havePSK = 0;
CYASSL_ENTER("CyaSSL_SetVersion");
if (ssl == NULL) {
CYASSL_MSG("Bad function argument");
return BAD_FUNC_ARG;
}
switch (version) {
case CYASSL_SSLV3:
ssl->version = MakeSSLv3();
break;
case CYASSL_TLSV1:
ssl->version = MakeTLSv1();
break;
case CYASSL_TLSV1_1:
ssl->version = MakeTLSv1_1();
break;
case CYASSL_TLSV1_2:
ssl->version = MakeTLSv1_2();
break;
default:
CYASSL_MSG("Bad function argument");
return BAD_FUNC_ARG;
}
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->options.side);
return SSL_SUCCESS;
}
/* does CA already exist on signer list */ /* does CA already exist on signer list */
int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash) int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash)
{ {
@ -1280,28 +1325,64 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file,
} }
/* Verify the ceritficate, 1 for success, < 0 for error */
int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const byte* buff,
int sz, int format)
{
int ret = 0;
int eccKey = 0; /* not used */
DecodedCert cert;
buffer der;
CYASSL_ENTER("CyaSSL_CertManagerVerifyBuffer");
der.buffer = NULL;
if (format == SSL_FILETYPE_PEM) {
EncryptedInfo info;
info.set = 0;
info.ctx = NULL;
info.consumed = 0;
ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, &info, &eccKey);
InitDecodedCert(&cert, der.buffer, der.length, cm->heap);
}
else
InitDecodedCert(&cert, (byte*)buff, sz, cm->heap);
if (ret == 0)
ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
#ifdef HAVE_CRL
if (ret == 0 && cm->crlEnabled)
ret = CheckCertCRL(cm->crl, &cert);
#endif
FreeDecodedCert(&cert);
XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT);
return ret;
}
/* Verify the ceritficate, 1 for success, < 0 for error */ /* Verify the ceritficate, 1 for success, < 0 for error */
int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname, int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
int format) int format)
{ {
int ret = SSL_FATAL_ERROR; int ret = SSL_FATAL_ERROR;
int eccKey = 0; /* not used */
DecodedCert cert;
byte staticBuffer[FILE_BUFFER_SIZE]; byte staticBuffer[FILE_BUFFER_SIZE];
byte* myBuffer = staticBuffer; byte* myBuffer = staticBuffer;
int dynamic = 0; int dynamic = 0;
long sz = 0; long sz = 0;
buffer der;
XFILE* file = XFOPEN(fname, "rb"); XFILE* file = XFOPEN(fname, "rb");
CYASSL_ENTER("CyaSSL_CertManagerVerify");
if (!file) return SSL_BAD_FILE; if (!file) return SSL_BAD_FILE;
XFSEEK(file, 0, XSEEK_END); XFSEEK(file, 0, XSEEK_END);
sz = XFTELL(file); sz = XFTELL(file);
XREWIND(file); XREWIND(file);
der.buffer = NULL;
if (sz > (long)sizeof(staticBuffer)) { if (sz > (long)sizeof(staticBuffer)) {
CYASSL_MSG("Getting dynamic buffer"); CYASSL_MSG("Getting dynamic buffer");
myBuffer = (byte*) XMALLOC(sz, cm->heap, DYNAMIC_TYPE_FILE); myBuffer = (byte*) XMALLOC(sz, cm->heap, DYNAMIC_TYPE_FILE);
@ -1314,32 +1395,9 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
if ( (ret = XFREAD(myBuffer, sz, 1, file)) < 0) if ( (ret = XFREAD(myBuffer, sz, 1, file)) < 0)
ret = SSL_BAD_FILE; ret = SSL_BAD_FILE;
else { else
ret = 0; /* ok */ ret = CyaSSL_CertManagerVerifyBuffer(cm, myBuffer, sz, format);
if (format == SSL_FILETYPE_PEM) {
EncryptedInfo info;
info.set = 0;
info.ctx = NULL;
info.consumed = 0;
ret = PemToDer(myBuffer, sz, CERT_TYPE, &der, cm->heap, &info,
&eccKey);
InitDecodedCert(&cert, der.buffer, der.length, cm->heap);
}
else
InitDecodedCert(&cert, myBuffer, sz, cm->heap);
if (ret == 0)
ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
#ifdef HAVE_CRL
if (ret == 0 && cm->crlEnabled)
ret = CheckCertCRL(cm->crl, &cert);
#endif
}
FreeDecodedCert(&cert);
XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT);
XFCLOSE(file); XFCLOSE(file);
if (dynamic) XFREE(myBuffer, cm->heap, DYNAMIC_TYPE_FILE); if (dynamic) XFREE(myBuffer, cm->heap, DYNAMIC_TYPE_FILE);
@ -2051,7 +2109,7 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list)
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
return SSL_SUCCESS; return SSL_SUCCESS;
} }
@ -3075,7 +3133,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU, InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU,
ssl->options.haveECDSA, ssl->options.haveStaticECC, ssl->options.haveECDSA, ssl->options.haveStaticECC,
ssl->ctx->method->side); ssl->options.side);
} }
@ -3096,7 +3154,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE, InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
} }
@ -3330,7 +3388,7 @@ int CyaSSL_set_compression(CYASSL* ssl)
#endif #endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK, InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
ssl->options.haveNTRU, ssl->options.haveECDSA, ssl->options.haveNTRU, ssl->options.haveECDSA,
ssl->options.haveStaticECC, ssl->ctx->method->side); ssl->options.haveStaticECC, ssl->options.side);
} }