diff --git a/configure.ac b/configure.ac index 037fbf5ba..58d76707d 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.1.0],[http://www.yassl.com]) +AC_INIT([cyassl],[2.1.1],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) @@ -199,7 +199,7 @@ AC_ARG_ENABLE(bump, if test "$ENABLED_BUMP" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DCYASSL_CERT_GEN -DCYASSL_KEY_GEN -DHUGE_SESSION_CACHE -DOPENSSL_EXTRA -DFP_MAX_BITS=8192 -DCYASSL_DER_LOAD" + AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DCYASSL_CERT_GEN -DCYASSL_KEY_GEN -DHUGE_SESSION_CACHE -DOPENSSL_EXTRA -DFP_MAX_BITS=8192 -DCYASSL_DER_LOAD -DCYASSL_ALT_NAMES" fi # fastmath @@ -470,6 +470,21 @@ then fi +# OCSP +AC_ARG_ENABLE(ocsp, + [ --enable-ocsp Enable OCSP (default: disabled)], + [ ENABLED_OCSP=$enableval ], + [ ENABLED_OCSP=no ], + ) + +if test "$ENABLED_OCSP" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" +fi + +AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + + # NTRU ntruHome=`pwd`/NTRU_algorithm ntruInclude=$ntruHome/cryptolib diff --git a/ctaocrypt/src/aes.c b/ctaocrypt/src/aes.c index e58f6c0ca..ca1afb140 100644 --- a/ctaocrypt/src/aes.c +++ b/ctaocrypt/src/aes.c @@ -724,10 +724,25 @@ static const word32 Td[5][256] = { #ifdef CYASSL_AESNI -#define cpuid(func,ax,bx,cx,dx)\ +#ifndef _MSC_VER + + #define cpuid(func,ax,bx,cx,dx)\ __asm__ __volatile__ ("cpuid":\ "=a" (ax), "=b" (bx), "=c" (cx), "=d" (dx) : "a" (func)); +#else + + #define cpuid(func,ax,bx,cx,dx)\ + __asm mov eax, func \ + __asm cpuid \ + __asm mov ax, eax \ + __asm mov bx, ebx \ + __asm mov cx, ecx \ + __asm mov dx, edx + +#endif /* _MSC_VER */ + + static int Check_CPU_support_AES() { unsigned int a,b,c,d; diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index a65e42ef9..6a2362ef6 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c 
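Review bot: The new `AC_ARG_ENABLE(ocsp, ...)` block ends with `[ ENABLED_OCSP=no ], )`, a stray trailing comma that passes a fifth, empty argument to a four-argument macro; dropping the comma after `[ ENABLED_OCSP=no ]` keeps the call well-formed. As committed, `--enable-ocsp` only adds `-DHAVE_OCSP` and compiles the src/ocsp.c stub, so the option enables no OCSP behaviour yet; until the implementation lands the help string should say so, e.g. `[ --enable-ocsp Enable OCSP (experimental stub, default: disabled)]`, so packagers do not read the flag as a working feature.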
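Review bot: The `_MSC_VER` branch of the `cpuid` macro is built from `__asm` blocks, which the 64-bit MSVC compiler rejects outright, so a CYASSL_AESNI build on x64 Windows fails at `__asm mov eax, func`. It also leans on the macro parameters `ax`, `bx`, `cx`, `dx` being substituted before the assembler sees them, since those are also 16-bit register names; that works today but is easy to break. The `__cpuid` intrinsic from `<intrin.h>` (add the include under `#ifdef _MSC_VER`) covers x86 and x64 and removes both issues; `Check_CPU_support_AES` continues outside the hunk, and its `cpuid(1,a,b,c,d);` call shape stays valid with the do/while form below.
```c
#else

  /* MSVC: the __cpuid intrinsic works for both x86 and x64 builds */
  #define cpuid(func,ax,bx,cx,dx) do {                       \
      int cpuInfo_[4];                                       \
      __cpuid(cpuInfo_, (int)(func));                        \
      (ax) = (unsigned int)cpuInfo_[0];                      \
      (bx) = (unsigned int)cpuInfo_[1];                      \
      (cx) = (unsigned int)cpuInfo_[2];                      \
      (dx) = (unsigned int)cpuInfo_[3];                      \
  } while (0)

#endif /* _MSC_VER */
```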
@@ -1016,6 +1016,8 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->signature = 0; cert->subjectCN = 0; cert->subjectCNLen = 0; + cert->issuer[0] = '\0'; + cert->subject[0] = '\0'; cert->source = source; /* don't own */ cert->srcIdx = 0; cert->maxIdx = inSz; /* can't go over this index */ @@ -2412,6 +2414,10 @@ void CTaoCryptErrorString(int error, char* buffer) XSTRNCPY(buffer, "No password provided by user", max); break; + case ALT_NAME_E : + XSTRNCPY(buffer, "Alt Name problem, too big", max); + break; + default: XSTRNCPY(buffer, "unknown error number", max); @@ -2601,7 +2607,9 @@ void InitCert(Cert* cert) cert->selfSigned = 1; cert->isCA = 0; cert->bodySz = 0; +#ifdef CYASSL_ALT_NAMES cert->altNamesSz = 0; +#endif cert->keyType = RSA_KEY; XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE); @@ -3149,12 +3157,14 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, RNG* rng, else der->extensionsSz = 0; +#ifdef CYASSL_ALT_NAMES if (der->extensionsSz == 0 && cert->altNamesSz) { der->extensionsSz = SetExtensions(der->extensions, cert->altNames, cert->altNamesSz); if (der->extensionsSz == 0) return EXTENSIONS_E; } +#endif der->total = der->versionSz + der->serialSz + der->sigAlgoSz + der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz + @@ -3340,6 +3350,8 @@ int MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, RsaKey* key, RNG* rng) } +#ifdef CYASSL_ALT_NAMES + /* Set Alt Names from der cert, return 0 on success */ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) { @@ -3410,6 +3422,8 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) else { cert->altNamesSz = 0; CYASSL_MSG("AltNames extensions too big"); + FreeDecodedCert(&decoded); + return ALT_NAME_E; } } decoded.srcIdx = tmpIdx + length; 
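Review bot: The header comment on SetAltNamesFromCert (`/* Set Alt Names from der cert, return 0 on success */`, shown in the hunk at @@ -3340) no longer describes the contract, because the "too big" branch now frees the DecodedCert and returns ALT_NAME_E instead of continuing with `altNamesSz = 0`. Suggest `/* Set Alt Names from der cert; return 0 on success, ALT_NAME_E (altNamesSz left at 0) when the alt-name extension does not fit in cert->altNames */`. Failing closed here is the right choice — the caller gets an error rather than a certificate silently missing its alt names — and worth stating so the next reader does not "fix" it back. SetAltNamesFromCert starts and ends outside this hunk.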
@@ -3420,6 +3434,8 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) return 0; } +#endif /* CYASSL_ALT_NAMES */ + /* Set cn name from der buffer, return 0 on success */ static int SetNameFromCert(CertName* cn, const byte* der, int derSz) @@ -3518,6 +3534,8 @@ int SetSubject(Cert* cert, const char* subjectFile) } +#ifdef CYASSL_ALT_NAMES + /* Set atl names from file in PEM */ int SetAltNames(Cert* cert, const char* file) { @@ -3527,6 +3545,8 @@ int SetAltNames(Cert* cert, const char* file) return SetAltNamesFromCert(cert, der, derSz); } +#endif /* CYASSL_ALT_NAMES */ + #endif /* NO_FILESYSTEM */ /* Set cert issuer from DER buffer */ @@ -3544,12 +3564,15 @@ int SetSubjectBuffer(Cert* cert, const byte* der, int derSz) } +#ifdef CYASSL_ALT_NAMES + /* Set cert alt names from DER buffer */ int SetAltNamesBuffer(Cert* cert, const byte* der, int derSz) { return SetAltNamesFromCert(cert, der, derSz); } +#endif /* CYASSL_ALT_NAMES */ #endif /* CYASSL_CERT_GEN */ diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index c3a809a32..21020d5cd 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -127,7 +127,11 @@ enum Misc_ASN { MAX_RSA_E_SZ = 16, /* Max RSA public e size */ MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */ #ifdef CYASSL_CERT_GEN - MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE, + #ifdef CYASSL_ALT_NAMES + MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE, + #else + MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ, + #endif /* Max total extensions, id + len + others */ #endif MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2 diff --git a/cyassl/ctaocrypt/asn_public.h b/cyassl/ctaocrypt/asn_public.h index 666606244..200470e21 100644 --- a/cyassl/ctaocrypt/asn_public.h +++ b/cyassl/ctaocrypt/asn_public.h 
@@ -58,9 +58,9 @@ enum Ctc_SigType { #ifdef CYASSL_CERT_GEN enum Ctc_Misc { - CTC_NAME_SIZE = 64, - CTC_MAX_ALT_SIZE = 512, - CTC_SERIAL_SIZE = 8 + CTC_NAME_SIZE = 64, + CTC_MAX_ALT_SIZE = 8192, /* may be huge */ + CTC_SERIAL_SIZE = 8 }; typedef struct CertName { @@ -88,8 +88,10 @@ typedef struct Cert { /* internal use only */ int bodySz; /* pre sign total size */ int keyType; /* public key type of subject */ +#ifdef CYASSL_ALT_NAMES byte altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */ int altNamesSz; /* altNames size in bytes */ +#endif } Cert; @@ -113,7 +115,9 @@ CYASSL_API int MakeSelfCert(Cert*, byte* derBuffer, word32 derSz, RsaKey*, RNG*); CYASSL_API int SetIssuer(Cert*, const char*); CYASSL_API int SetSubject(Cert*, const char*); -CYASSL_API int SetAltNames(Cert*, const char*); +#ifdef CYASSL_ALT_NAMES + CYASSL_API int SetAltNames(Cert*, const char*); +#endif CYASSL_API int SetIssuerBuffer(Cert*, const byte*, int); CYASSL_API int SetSubjectBuffer(Cert*, const byte*, int); CYASSL_API int SetAltNamesBuffer(Cert*, const byte*, int); diff --git a/cyassl/ctaocrypt/error.h b/cyassl/ctaocrypt/error.h index fcc8b48dc..59298bbc6 100644 --- a/cyassl/ctaocrypt/error.h +++ b/cyassl/ctaocrypt/error.h @@ -96,6 +96,7 @@ enum { NOT_COMPILED_IN = -174, /* Feature not compiled in */ UNICODE_SIZE_E = -175, /* Unicode password too big */ NO_PASSWORD = -176, /* no password provided by user */ + ALT_NAME_E = -177, /* alt name size problem, too big */ MIN_CODE_E = -200 /* errors -101 - -199 */ }; diff --git a/src/include.am b/src/include.am index 49f610a8f..e4fab5f52 100644 --- a/src/include.am +++ b/src/include.am @@ -66,3 +66,7 @@ if BUILD_ECC src_libcyassl_la_SOURCES += ctaocrypt/src/ecc.c endif +if BUILD_OCSP +src_libcyassl_la_SOURCES += src/ocsp.c +endif + diff --git a/src/internal.c b/src/internal.c index 30ce12e55..3dc5d592e 100644 --- a/src/internal.c +++ b/src/internal.c 
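Review bot: `SetAltNamesBuffer` is still declared unconditionally at the end of the third asn_public.h hunk while its definition in ctaocrypt/src/asn.c (hunk @@ -3544) is now inside `#ifdef CYASSL_ALT_NAMES`, so a build without that define exports a prototype with no symbol behind it and callers fail at link time instead of compile time; wrap it like `SetAltNames`: `#ifdef CYASSL_ALT_NAMES` / `CYASSL_API int SetAltNamesBuffer(Cert*, const byte*, int);` / `#endif`. Gating the `altNames`/`altNamesSz` members of the public `Cert` struct also makes `sizeof(Cert)` depend on a compile flag, so an application built without `-DCYASSL_ALT_NAMES` against a library built with it (the `--enable-bump` CFLAGS add it) lays `Cert` out differently; a comment at the `#ifdef` stating that the flag must match between library and application would make that visible. Raising `CTC_MAX_ALT_SIZE` to 8192 also grows every `Cert` by 8 KiB, which matters if callers keep one on the stack — the callers are not visible from here.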
@@ -1624,21 +1624,15 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) } } - if (fatal) { - FreeDecodedCert(&dCert); - ssl->error = ret; - return ret; - } - ssl->options.havePeerCert = 1; - /* set X509 format */ #ifdef OPENSSL_EXTRA + /* set X509 format for peer cert even if fatal */ XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX); ssl->peerCert.issuer.name[ASN_NAME_MAX - 1] = '\0'; - ssl->peerCert.issuer.sz = (int)XSTRLEN(dCert.issuer) + 1; + ssl->peerCert.issuer.sz = (int)XSTRLEN(ssl->peerCert.issuer.name) + 1; XSTRNCPY(ssl->peerCert.subject.name, dCert.subject, ASN_NAME_MAX); ssl->peerCert.subject.name[ASN_NAME_MAX - 1] = '\0'; - ssl->peerCert.subject.sz = (int)XSTRLEN(dCert.subject) + 1; + ssl->peerCert.subject.sz = (int)XSTRLEN(ssl->peerCert.subject.name) + 1; XMEMCPY(ssl->peerCert.serial, dCert.serial, EXTERNAL_SERIAL_SIZE); ssl->peerCert.serialSz = dCert.serialSz; @@ -1658,6 +1652,13 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) ssl->peerCert.derCert.length = myCert.length; #endif + if (fatal) { + FreeDecodedCert(&dCert); + ssl->error = ret; + return ret; + } + ssl->options.havePeerCert = 1; + /* store for callback use */ if (dCert.subjectCNLen < ASN_NAME_MAX) { XMEMCPY(domain, dCert.subjectCN, dCert.subjectCNLen); diff --git a/src/ocsp.c b/src/ocsp.c new file mode 100644 index 000000000..a7407efea --- /dev/null +++ b/src/ocsp.c 
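Review bot: With the fatal check moved below the OPENSSL_EXTRA block, `ssl->peerCert` now carries the issuer, subject, serial and (from the lines between the two hunks) the DER copy of a certificate that failed parsing or verification, while `havePeerCert` stays 0; that is the stated intent (`even if fatal`) but it should be spelled out where API users look, e.g. `/* peerCert is filled even when ret is fatal so the error path can report the offending cert; havePeerCert is the only indication that it was accepted */`. If the derCert block between the hunks allocates a buffer, the relocated fatal return must now release or own it, which the old early return never had to — cannot confirm from the hunk. Taking XSTRLEN of the NUL-terminated copy rather than of `dCert.issuer`/`dCert.subject` is the right fix for the ASN_NAME_MAX truncation case. DoCertificate starts and ends outside these hunks.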
@@ -0,0 +1,35 @@ +/* ocsp.c + * + * Copyright (C) 2006-2012 Sawtooth Consulting Ltd. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include +#include + + +#ifdef HAVE_OCSP + +void ocsp_stub(void) {} + +#endif /* HAVE_OCSP */ + diff --git a/src/ssl.c b/src/ssl.c index 8d82a62bd..6ad767c88 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2095,17 +2095,28 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list) #endif /* NO_CYASSL_SERVER */ +/* prevent multiple mutex initializations */ +static volatile int initRefCount = 0; int CyaSSL_Init(void) { int ret = 0; + CYASSL_ENTER("CyaSSL_Init"); + + if (initRefCount == 0) { #ifndef NO_SESSION_CACHE - if (InitMutex(&session_mutex) != 0) - ret = BAD_MUTEX_ERROR; + if (InitMutex(&session_mutex) != 0) + ret = BAD_MUTEX_ERROR; #endif - if (InitMutex(&ca_mutex) != 0) - ret = BAD_MUTEX_ERROR; + if (InitMutex(&ca_mutex) != 0) + ret = BAD_MUTEX_ERROR; + } + if (ret == 0) { + LockMutex(&ca_mutex); + initRefCount++; + UnLockMutex(&ca_mutex); + } return ret; } 
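Review bot: `if (initRefCount == 0)` in CyaSSL_Init is evaluated without any lock held, so two threads making the first call concurrently can both observe 0 and both run InitMutex on session_mutex and ca_mutex; `volatile` does not provide synchronization, and ca_mutex cannot guard its own creation. The workable rule is that the first CyaSSL_Init must complete before any other thread calls into the library, and that belongs at the declaration: `/* read unlocked on first use: the first CyaSSL_Init() must finish before any concurrent call, since ca_mutex does not exist yet */`. A first call whose InitMutex fails also leaves initRefCount at 0, so a retry runs InitMutex again on whichever mutex did succeed; whether that is safe depends on the InitMutex implementation, which is outside the hunk.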
@@ -2114,7 +2125,21 @@ int CyaSSL_Init(void) int CyaSSL_Cleanup(void) { int ret = 0; + int release = 0; + CYASSL_ENTER("CyaSSL_Cleanup"); + + LockMutex(&ca_mutex); + + release = initRefCount-- == 1; + if (initRefCount < 0) + initRefCount = 0; + + UnLockMutex(&ca_mutex); + + if (!release) + return ret; + #ifndef NO_SESSION_CACHE if (FreeMutex(&session_mutex) != 0) ret = BAD_MUTEX_ERROR; diff --git a/tests/api.c b/tests/api.c index 8cb651407..c0067b9f5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32,16 +32,19 @@ static int test_CyaSSL_Init(void); static int test_CyaSSL_Cleanup(void); static int test_CyaSSL_Method_Allocators(void); static int test_CyaSSL_CTX_new(CYASSL_METHOD *method); +#ifndef NO_FILESYSTEM static int test_CyaSSL_CTX_use_certificate_file(void); static int test_CyaSSL_CTX_use_PrivateKey_file(void); static int test_CyaSSL_CTX_load_verify_locations(void); static int test_server_CyaSSL_new(void); static int test_client_CyaSSL_new(void); static int test_CyaSSL_read_write(void); +#endif /* test function helpers */ static int test_method(CYASSL_METHOD *method, const char *name); static int test_method2(CYASSL_METHOD *method, const char *name); +#ifndef NO_FILESYSTEM static int test_ucf(CYASSL_CTX *ctx, const char* file, int type, int cond, const char* name); static int test_upkf(CYASSL_CTX *ctx, const char* file, int type, @@ -52,6 +55,7 @@ static int test_lvl(CYASSL_CTX *ctx, const char* file, const char* path, THREAD_RETURN CYASSL_THREAD test_server_nofail(void*); void test_client_nofail(void*); void wait_tcp_ready(func_args*); +#endif static const char* bogusFile = "/dev/null"; static const char* testingFmt = " %s:"; 
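Review bot: `LockMutex(&ca_mutex)` at the top of CyaSSL_Cleanup runs even when initRefCount is already 0 — a Cleanup without a matching Init, or a second Cleanup after the one that freed ca_mutex — so the clamp `if (initRefCount < 0) initRefCount = 0;` protects the counter but the lock still operates on a mutex that was never initialized or has already been freed. Unless ca_mutex is valid in its zero state (not determinable from the hunk), the pairing requirement should be documented on the function: `/* must be paired 1:1 with a successful CyaSSL_Init(); the final Cleanup frees ca_mutex, so no other call may race with it */`. The last Cleanup also unlocks ca_mutex and then frees it in the lines below, so a thread blocked in CyaSSL_Init on that lock would wake on a destroyed mutex — same caller-serialization rule. CyaSSL_Cleanup continues outside the hunk.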
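Review bot: `static const char* bogusFile = "/dev/null";` stays outside the new `#ifndef NO_FILESYSTEM` guard even though, judging by its name and by which tests were gated, only the file-based tests use it, so a NO_FILESYSTEM build likely gets an unused-variable warning (a failure under -Werror). If that is the case, move the definition inside the guard next to the test_ucf/test_upkf/test_lvl declarations; the same applies to `testingFmt` if its only users are among the gated tests — cannot confirm from the hunk.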
@@ -69,12 +73,14 @@ int ApiTest(void) test_CyaSSL_Init(); test_CyaSSL_Method_Allocators(); test_CyaSSL_CTX_new(CyaSSLv23_server_method()); +#ifndef NO_FILESYSTEM test_CyaSSL_CTX_use_certificate_file(); test_CyaSSL_CTX_use_PrivateKey_file(); test_CyaSSL_CTX_load_verify_locations(); test_server_CyaSSL_new(); test_client_CyaSSL_new(); test_CyaSSL_read_write(); +#endif test_CyaSSL_Cleanup(); printf(" End API Tests\n"); @@ -191,6 +197,7 @@ int test_CyaSSL_CTX_new(CYASSL_METHOD *method) return TEST_SUCCESS; } +#ifndef NO_FILESYSTEM /* Helper for testing CyaSSL_CTX_use_certificate_file() */ int test_ucf(CYASSL_CTX *ctx, const char* file, int type, int cond, const char* name) @@ -771,6 +778,6 @@ void FreeTcpReady(tcp_ready* ready) pthread_cond_destroy(&ready->cond); #endif } - +#endif /* NO_FILESYSTEM */ diff --git a/tests/hash.c b/tests/hash.c index 29d5073cc..cc4dc5fe5 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -19,6 +19,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H + #include +#endif + #include #include