From b9e6d44bf712f7e8f334b66aa162f49176455626 Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 4 Apr 2012 16:19:42 -0700 Subject: [PATCH 1/8] don't reinit mutexes --- src/ssl.c | 33 +++++++++++++++++++++++++++++---- 1 file changed, 29 insertions(+), 4 deletions(-) diff --git a/src/ssl.c b/src/ssl.c index d91e924f0..0c862562e 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -2090,17 +2090,28 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list) #endif /* NO_CYASSL_SERVER */ +/* prevent multiple mutex initializations */ +static volatile int initRefCount = 0; int CyaSSL_Init(void) { int ret = 0; + CYASSL_ENTER("CyaSSL_Init"); + + if (initRefCount == 0) { #ifndef NO_SESSION_CACHE - if (InitMutex(&session_mutex) != 0) - ret = BAD_MUTEX_ERROR; + if (InitMutex(&session_mutex) != 0) + ret = BAD_MUTEX_ERROR; #endif - if (InitMutex(&ca_mutex) != 0) - ret = BAD_MUTEX_ERROR; + if (InitMutex(&ca_mutex) != 0) + ret = BAD_MUTEX_ERROR; + } + if (ret == 0) { + LockMutex(&ca_mutex); + initRefCount++; + UnLockMutex(&ca_mutex); + } return ret; } @@ -2109,7 +2120,21 @@ int CyaSSL_Init(void) int CyaSSL_Cleanup(void) { int ret = 0; + int release = 0; + CYASSL_ENTER("CyaSSL_Cleanup"); + + LockMutex(&ca_mutex); + + release = initRefCount-- == 1; + if (initRefCount < 0) + initRefCount = 0; + + UnLockMutex(&ca_mutex); + + if (!release) + return ret; + #ifndef NO_SESSION_CACHE if (FreeMutex(&session_mutex) != 0) ret = BAD_MUTEX_ERROR; From 3001804c519492dd27bb05a9821640a14fc0a6fb Mon Sep 17 00:00:00 2001 From: toddouska Date: Thu, 5 Apr 2012 12:48:28 -0700 Subject: [PATCH 2/8] make SetAltNames optional since need bigger buffer with -DCYASSL_ALT_NAMES --- configure.ac | 4 ++-- ctaocrypt/src/asn.c | 21 +++++++++++++++++++++ cyassl/ctaocrypt/asn.h | 6 +++++- cyassl/ctaocrypt/asn_public.h | 12 ++++++++---- cyassl/ctaocrypt/error.h | 1 + 5 files changed, 37 insertions(+), 7 deletions(-) diff --git a/configure.ac b/configure.ac index 202b3e6e5..cc9cad36a 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.0.9],[http://www.yassl.com]) +AC_INIT([cyassl],[2.1.0],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) @@ -199,7 +199,7 @@ AC_ARG_ENABLE(bump, if test "$ENABLED_BUMP" = "yes" then - AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DCYASSL_CERT_GEN -DCYASSL_KEY_GEN -DHUGE_SESSION_CACHE -DOPENSSL_EXTRA -DFP_MAX_BITS=8192 -DCYASSL_DER_LOAD" + AM_CFLAGS="$AM_CFLAGS -DLARGE_STATIC_BUFFERS -DCYASSL_CERT_GEN -DCYASSL_KEY_GEN -DHUGE_SESSION_CACHE -DOPENSSL_EXTRA -DFP_MAX_BITS=8192 -DCYASSL_DER_LOAD -DCYASSL_ALT_NAMES" fi # fastmath diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index a65e42ef9..b8c455113 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -2412,6 +2412,10 @@ void CTaoCryptErrorString(int error, char* buffer) XSTRNCPY(buffer, "No password provided by user", max); break; + case ALT_NAME_E : + XSTRNCPY(buffer, "Alt Name problem, too big", max); + break; + default: XSTRNCPY(buffer, "unknown error number", max); @@ -2601,7 +2605,9 @@ void InitCert(Cert* cert) cert->selfSigned = 1; cert->isCA = 0; cert->bodySz = 0; +#ifdef CYASSL_ALT_NAMES cert->altNamesSz = 0; +#endif cert->keyType = RSA_KEY; XMEMSET(cert->serial, 0, CTC_SERIAL_SIZE); @@ -3149,12 +3155,14 @@ static int EncodeCert(Cert* cert, DerCert* der, RsaKey* rsaKey, RNG* rng, else der->extensionsSz = 0; +#ifdef CYASSL_ALT_NAMES if (der->extensionsSz == 0 && cert->altNamesSz) { der->extensionsSz = SetExtensions(der->extensions, cert->altNames, cert->altNamesSz); if (der->extensionsSz == 0) return EXTENSIONS_E; } +#endif der->total = der->versionSz + der->serialSz + der->sigAlgoSz + der->publicKeySz + der->validitySz + der->subjectSz + der->issuerSz + @@ -3340,6 +3348,8 @@ int MakeSelfCert(Cert* cert, byte* buffer, word32 buffSz, RsaKey* key, RNG* rng) } +#ifdef CYASSL_ALT_NAMES + /* Set Alt Names from der cert, return 0 on success */ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) { @@ -3410,6 +3420,8 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) else { cert->altNamesSz = 0; CYASSL_MSG("AltNames extensions too big"); + FreeDecodedCert(&decoded); + return ALT_NAME_E; } } decoded.srcIdx = tmpIdx + length; @@ -3420,6 +3432,8 @@ static int SetAltNamesFromCert(Cert* cert, const byte* der, int derSz) return 0; } +#endif /* CYASSL_ALT_NAMES */ + /* Set cn name from der buffer, return 0 on success */ static int SetNameFromCert(CertName* cn, const byte* der, int derSz) @@ -3518,6 +3532,8 @@ int SetSubject(Cert* cert, const char* subjectFile) } +#ifdef CYASSL_ALT_NAMES + /* Set atl names from file in PEM */ int SetAltNames(Cert* cert, const char* file) { @@ -3527,6 +3543,8 @@ int SetAltNames(Cert* cert, const char* file) return SetAltNamesFromCert(cert, der, derSz); } +#endif /* CYASSL_ALT_NAMES */ + #endif /* NO_FILESYSTEM */ /* Set cert issuer from DER buffer */ @@ -3544,12 +3562,15 @@ int SetSubjectBuffer(Cert* cert, const byte* der, int derSz) } +#ifdef CYASSL_ALT_NAMES + /* Set cert alt names from DER buffer */ int SetAltNamesBuffer(Cert* cert, const byte* der, int derSz) { return SetAltNamesFromCert(cert, der, derSz); } +#endif /* CYASSL_ALT_NAMES */ #endif /* CYASSL_CERT_GEN */ diff --git a/cyassl/ctaocrypt/asn.h b/cyassl/ctaocrypt/asn.h index c3a809a32..21020d5cd 100644 --- a/cyassl/ctaocrypt/asn.h +++ b/cyassl/ctaocrypt/asn.h @@ -127,7 +127,11 @@ enum Misc_ASN { MAX_RSA_E_SZ = 16, /* Max RSA public e size */ MAX_CA_SZ = 32, /* Max encoded CA basic constraint length */ #ifdef CYASSL_CERT_GEN - MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE, + #ifdef CYASSL_ALT_NAMES + MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + CTC_MAX_ALT_SIZE, + #else + MAX_EXTENSIONS_SZ = 1 + MAX_LENGTH_SZ + MAX_CA_SZ, + #endif /* Max total extensions, id + len + others */ #endif MAX_PUBLIC_KEY_SZ = MAX_NTRU_ENC_SZ + MAX_ALGO_SZ + MAX_SEQ_SZ * 2 diff --git a/cyassl/ctaocrypt/asn_public.h b/cyassl/ctaocrypt/asn_public.h index 666606244..200470e21 100644 --- a/cyassl/ctaocrypt/asn_public.h +++ b/cyassl/ctaocrypt/asn_public.h @@ -58,9 +58,9 @@ enum Ctc_SigType { #ifdef CYASSL_CERT_GEN enum Ctc_Misc { - CTC_NAME_SIZE = 64, - CTC_MAX_ALT_SIZE = 512, - CTC_SERIAL_SIZE = 8 + CTC_NAME_SIZE = 64, + CTC_MAX_ALT_SIZE = 8192, /* may be huge */ + CTC_SERIAL_SIZE = 8 }; typedef struct CertName { @@ -88,8 +88,10 @@ typedef struct Cert { /* internal use only */ int bodySz; /* pre sign total size */ int keyType; /* public key type of subject */ +#ifdef CYASSL_ALT_NAMES byte altNames[CTC_MAX_ALT_SIZE]; /* altNames copy */ int altNamesSz; /* altNames size in bytes */ +#endif } Cert; @@ -113,7 +115,9 @@ CYASSL_API int MakeSelfCert(Cert*, byte* derBuffer, word32 derSz, RsaKey*, RNG*); CYASSL_API int SetIssuer(Cert*, const char*); CYASSL_API int SetSubject(Cert*, const char*); -CYASSL_API int SetAltNames(Cert*, const char*); +#ifdef CYASSL_ALT_NAMES + CYASSL_API int SetAltNames(Cert*, const char*); +#endif CYASSL_API int SetIssuerBuffer(Cert*, const byte*, int); CYASSL_API int SetSubjectBuffer(Cert*, const byte*, int); CYASSL_API int SetAltNamesBuffer(Cert*, const byte*, int); diff --git a/cyassl/ctaocrypt/error.h b/cyassl/ctaocrypt/error.h index fcc8b48dc..59298bbc6 100644 --- a/cyassl/ctaocrypt/error.h +++ b/cyassl/ctaocrypt/error.h @@ -96,6 +96,7 @@ enum { NOT_COMPILED_IN = -174, /* Feature not compiled in */ UNICODE_SIZE_E = -175, /* Unicode password too big */ NO_PASSWORD = -176, /* no password provided by user */ + ALT_NAME_E = -177, /* alt name size problem, too big */ MIN_CODE_E = -200 /* errors -101 - -199 */ }; From 607fcb2f3d60d8dd8136781c3e54fd69cc49b133 Mon Sep 17 00:00:00 2001 From: toddouska Date: Mon, 9 Apr 2012 11:56:28 -0700 Subject: [PATCH 3/8] allow peer cert get even on fatal verify --- ctaocrypt/src/asn.c | 2 ++ src/internal.c | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 9 deletions(-) diff --git a/ctaocrypt/src/asn.c b/ctaocrypt/src/asn.c index b8c455113..6a2362ef6 100644 --- a/ctaocrypt/src/asn.c +++ b/ctaocrypt/src/asn.c @@ -1016,6 +1016,8 @@ void InitDecodedCert(DecodedCert* cert, byte* source, word32 inSz, void* heap) cert->signature = 0; cert->subjectCN = 0; cert->subjectCNLen = 0; + cert->issuer[0] = '\0'; + cert->subject[0] = '\0'; cert->source = source; /* don't own */ cert->srcIdx = 0; cert->maxIdx = inSz; /* can't go over this index */ diff --git a/src/internal.c b/src/internal.c index 30ce12e55..3dc5d592e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1624,21 +1624,15 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) } } - if (fatal) { - FreeDecodedCert(&dCert); - ssl->error = ret; - return ret; - } - ssl->options.havePeerCert = 1; - /* set X509 format */ #ifdef OPENSSL_EXTRA + /* set X509 format for peer cert even if fatal */ XSTRNCPY(ssl->peerCert.issuer.name, dCert.issuer, ASN_NAME_MAX); ssl->peerCert.issuer.name[ASN_NAME_MAX - 1] = '\0'; - ssl->peerCert.issuer.sz = (int)XSTRLEN(dCert.issuer) + 1; + ssl->peerCert.issuer.sz = (int)XSTRLEN(ssl->peerCert.issuer.name) + 1; XSTRNCPY(ssl->peerCert.subject.name, dCert.subject, ASN_NAME_MAX); ssl->peerCert.subject.name[ASN_NAME_MAX - 1] = '\0'; - ssl->peerCert.subject.sz = (int)XSTRLEN(dCert.subject) + 1; + ssl->peerCert.subject.sz = (int)XSTRLEN(ssl->peerCert.subject.name) + 1; XMEMCPY(ssl->peerCert.serial, dCert.serial, EXTERNAL_SERIAL_SIZE); ssl->peerCert.serialSz = dCert.serialSz; @@ -1658,6 +1652,13 @@ static int DoCertificate(CYASSL* ssl, byte* input, word32* inOutIdx) ssl->peerCert.derCert.length = myCert.length; #endif + if (fatal) { + FreeDecodedCert(&dCert); + ssl->error = ret; + return ret; + } + ssl->options.havePeerCert = 1; + /* store for callback use */ if (dCert.subjectCNLen < ASN_NAME_MAX) { XMEMCPY(domain, dCert.subjectCN, dCert.subjectCNLen); From c0783e4ec404657f97f173a488b583e3cc477e17 Mon Sep 17 00:00:00 2001 From: John Safranek Date: Fri, 13 Apr 2012 09:39:19 -0700 Subject: [PATCH 4/8] added configure option and a stub source file for OCSP --- configure.ac | 15 +++++++++++++++ src/include.am | 4 ++++ src/ocsp.c | 35 +++++++++++++++++++++++++++++++++++ 3 files changed, 54 insertions(+) create mode 100644 src/ocsp.c diff --git a/configure.ac b/configure.ac index cc9cad36a..045eefb4f 100644 --- a/configure.ac +++ b/configure.ac @@ -470,6 +470,21 @@ then fi +# OCSP +AC_ARG_ENABLE(ocsp, + [ --enable-ocsp Enable OCSP (default: disabled)], + [ ENABLED_OCSP=$enableval ], + [ ENABLED_OCSP=no ], + ) + +if test "$ENABLED_OCSP" = "yes" +then + AM_CFLAGS="$AM_CFLAGS -DHAVE_OCSP" +fi + +AM_CONDITIONAL([BUILD_OCSP], [test "x$ENABLED_OCSP" = "xyes"]) + + # NTRU ntruHome=`pwd`/NTRU_algorithm ntruInclude=$ntruHome/cryptolib diff --git a/src/include.am b/src/include.am index 49f610a8f..e4fab5f52 100644 --- a/src/include.am +++ b/src/include.am @@ -66,3 +66,7 @@ if BUILD_ECC src_libcyassl_la_SOURCES += ctaocrypt/src/ecc.c endif +if BUILD_OCSP +src_libcyassl_la_SOURCES += src/ocsp.c +endif + diff --git a/src/ocsp.c b/src/ocsp.c new file mode 100644 index 000000000..a7407efea --- /dev/null +++ b/src/ocsp.c @@ -0,0 +1,35 @@ +/* ocsp.c + * + * Copyright (C) 2006-2012 Sawtooth Consulting Ltd. + * + * This file is part of CyaSSL. + * + * CyaSSL is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * CyaSSL is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA + */ + +#ifdef HAVE_CONFIG_H + #include +#endif + +#include +#include + + +#ifdef HAVE_OCSP + +void ocsp_stub(void) {} + +#endif /* HAVE_OCSP */ + From 6b1644c6b92e5856c6b020e30b98e9f1561d917b Mon Sep 17 00:00:00 2001 From: John Safranek Date: Tue, 17 Apr 2012 11:03:39 -0700 Subject: [PATCH 5/8] added checks to the api test for NO_FILESYSTEM and exclude tests that load files --- tests/api.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/tests/api.c b/tests/api.c index 8cb651407..c0067b9f5 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32,16 +32,19 @@ static int test_CyaSSL_Init(void); static int test_CyaSSL_Cleanup(void); static int test_CyaSSL_Method_Allocators(void); static int test_CyaSSL_CTX_new(CYASSL_METHOD *method); +#ifndef NO_FILESYSTEM static int test_CyaSSL_CTX_use_certificate_file(void); static int test_CyaSSL_CTX_use_PrivateKey_file(void); static int test_CyaSSL_CTX_load_verify_locations(void); static int test_server_CyaSSL_new(void); static int test_client_CyaSSL_new(void); static int test_CyaSSL_read_write(void); +#endif /* test function helpers */ static int test_method(CYASSL_METHOD *method, const char *name); static int test_method2(CYASSL_METHOD *method, const char *name); +#ifndef NO_FILESYSTEM static int test_ucf(CYASSL_CTX *ctx, const char* file, int type, int cond, const char* name); static int test_upkf(CYASSL_CTX *ctx, const char* file, int type, @@ -52,6 +55,7 @@ static int test_lvl(CYASSL_CTX *ctx, const char* file, const char* path, THREAD_RETURN CYASSL_THREAD test_server_nofail(void*); void test_client_nofail(void*); void wait_tcp_ready(func_args*); +#endif static const char* bogusFile = "/dev/null"; static const char* testingFmt = " %s:"; @@ -69,12 +73,14 @@ int ApiTest(void) test_CyaSSL_Init(); test_CyaSSL_Method_Allocators(); test_CyaSSL_CTX_new(CyaSSLv23_server_method()); +#ifndef NO_FILESYSTEM test_CyaSSL_CTX_use_certificate_file(); test_CyaSSL_CTX_use_PrivateKey_file(); test_CyaSSL_CTX_load_verify_locations(); test_server_CyaSSL_new(); test_client_CyaSSL_new(); test_CyaSSL_read_write(); +#endif test_CyaSSL_Cleanup(); printf(" End API Tests\n"); @@ -191,6 +197,7 @@ int test_CyaSSL_CTX_new(CYASSL_METHOD *method) return TEST_SUCCESS; } +#ifndef NO_FILESYSTEM /* Helper for testing CyaSSL_CTX_use_certificate_file() */ int test_ucf(CYASSL_CTX *ctx, const char* file, int type, int cond, const char* name) @@ -771,6 +778,6 @@ void FreeTcpReady(tcp_ready* ready) pthread_cond_destroy(&ready->cond); #endif } - +#endif /* NO_FILESYSTEM */ From d858e9e7b6d95148f8f6192318eb544768c467ce Mon Sep 17 00:00:00 2001 From: toddouska Date: Tue, 17 Apr 2012 11:24:41 -0700 Subject: [PATCH 6/8] 2.1.1 for bloxx --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index cc9cad36a..04979a294 100644 --- a/configure.ac +++ b/configure.ac @@ -6,7 +6,7 @@ # # -AC_INIT([cyassl],[2.1.0],[http://www.yassl.com]) +AC_INIT([cyassl],[2.1.1],[http://www.yassl.com]) AC_CONFIG_AUX_DIR(config) From b13a9e1b4e4f3066a4224e5c3de9307aaef7aebc Mon Sep 17 00:00:00 2001 From: Chris Conlon Date: Tue, 17 Apr 2012 13:59:02 -0600 Subject: [PATCH 7/8] add config.h to hash test --- tests/hash.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/tests/hash.c b/tests/hash.c index 29d5073cc..cc4dc5fe5 100644 --- a/tests/hash.c +++ b/tests/hash.c @@ -19,6 +19,10 @@ * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA */ +#ifdef HAVE_CONFIG_H + #include +#endif + #include #include From 8fe36b417f012c9e07dbc04e81c1d815eea180af Mon Sep 17 00:00:00 2001 From: toddouska Date: Wed, 25 Apr 2012 15:17:25 -0700 Subject: [PATCH 8/8] add cpuid asm for Windows, aes-ni .s still needs work --- ctaocrypt/src/aes.c | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/ctaocrypt/src/aes.c b/ctaocrypt/src/aes.c index 48879a6e1..22c5e47b4 100644 --- a/ctaocrypt/src/aes.c +++ b/ctaocrypt/src/aes.c @@ -724,10 +724,25 @@ static const word32 Td[5][256] = { #ifdef CYASSL_AESNI -#define cpuid(func,ax,bx,cx,dx)\ +#ifndef _MSC_VER + + #define cpuid(func,ax,bx,cx,dx)\ __asm__ __volatile__ ("cpuid":\ "=a" (ax), "=b" (bx), "=c" (cx), "=d" (dx) : "a" (func)); +#else + + #define cpuid(func,ax,bx,cx,dx)\ + __asm mov eax, func \ + __asm cpuid \ + __asm mov ax, eax \ + __asm mov bx, ebx \ + __asm mov cx, ecx \ + __asm mov dx, edx + +#endif /* _MSC_VER */ + + static int Check_CPU_support_AES() { unsigned int a,b,c,d;