summaryrefslogtreecommitdiff
path: root/FreeRTOS-Plus/CyaSSL/src/ssl.c
diff options
context:
space:
mode:
Diffstat (limited to 'FreeRTOS-Plus/CyaSSL/src/ssl.c')
-rw-r--r--FreeRTOS-Plus/CyaSSL/src/ssl.c275
1 files changed, 204 insertions, 71 deletions
diff --git a/FreeRTOS-Plus/CyaSSL/src/ssl.c b/FreeRTOS-Plus/CyaSSL/src/ssl.c
index 143c413da..8456c5839 100644
--- a/FreeRTOS-Plus/CyaSSL/src/ssl.c
+++ b/FreeRTOS-Plus/CyaSSL/src/ssl.c
@@ -77,6 +77,24 @@
#endif /* min */
+char* mystrnstr(const char* s1, const char* s2, unsigned int n)
+{
+ unsigned int s2_len = XSTRLEN(s2);
+
+ if (s2_len == 0)
+ return (char*)s1;
+
+ while (n >= s2_len && s1[0]) {
+ if (s1[0] == s2[0])
+ if (XMEMCMP(s1, s2, s2_len) == 0)
+ return (char*)s1;
+ s1++;
+ n--;
+ }
+
+ return NULL;
+}
+
CYASSL_CTX* CyaSSL_CTX_new(CYASSL_METHOD* method)
{
@@ -227,8 +245,8 @@ int CyaSSL_SetTmpDH(CYASSL* ssl, const unsigned char* p, int pSz,
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH,
- havePSK, ssl->options.haveNTRU, ssl->options.haveECDSA,
- ssl->options.haveStaticECC, ssl->ctx->method->side);
+ havePSK, ssl->options.haveNTRU, ssl->options.haveECDSAsig,
+ ssl->options.haveStaticECC, ssl->options.side);
CYASSL_LEAVE("CyaSSL_SetTmpDH", 0);
return 0;
@@ -473,6 +491,53 @@ int CyaSSL_set_group_messages(CYASSL* ssl)
}
+int CyaSSL_SetVersion(CYASSL* ssl, int version)
+{
+ byte havePSK = 0;
+
+ CYASSL_ENTER("CyaSSL_SetVersion");
+
+ if (ssl == NULL) {
+ CYASSL_MSG("Bad function argument");
+ return BAD_FUNC_ARG;
+ }
+
+ switch (version) {
+ case CYASSL_SSLV3:
+ ssl->version = MakeSSLv3();
+ break;
+
+#ifndef NO_TLS
+ case CYASSL_TLSV1:
+ ssl->version = MakeTLSv1();
+ break;
+
+ case CYASSL_TLSV1_1:
+ ssl->version = MakeTLSv1_1();
+ break;
+
+ case CYASSL_TLSV1_2:
+ ssl->version = MakeTLSv1_2();
+ break;
+#endif
+
+ default:
+ CYASSL_MSG("Bad function argument");
+ return BAD_FUNC_ARG;
+ }
+
+ #ifndef NO_PSK
+ havePSK = ssl->options.havePSK;
+ #endif
+
+ InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
+ ssl->options.haveNTRU, ssl->options.haveECDSAsig,
+ ssl->options.haveStaticECC, ssl->options.side);
+
+ return SSL_SUCCESS;
+}
+
+
/* does CA already exist on signer list */
int AlreadySigner(CYASSL_CERT_MANAGER* cm, byte* hash)
{
@@ -674,12 +739,12 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
}
/* find header */
- headerEnd = XSTRSTR((char*)buff, header);
+ headerEnd = XSTRNSTR((char*)buff, header, sz);
if (!headerEnd && type == PRIVATEKEY_TYPE) { /* may be pkcs8 */
XSTRNCPY(header, "-----BEGIN PRIVATE KEY-----", sizeof(header));
XSTRNCPY(footer, "-----END PRIVATE KEY-----", sizeof(footer));
- headerEnd = XSTRSTR((char*)buff, header);
+ headerEnd = XSTRNSTR((char*)buff, header, sz);
if (headerEnd)
pkcs8 = 1;
else {
@@ -688,7 +753,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
XSTRNCPY(footer, "-----END ENCRYPTED PRIVATE KEY-----",
sizeof(footer));
- headerEnd = XSTRSTR((char*)buff, header);
+ headerEnd = XSTRNSTR((char*)buff, header, sz);
if (headerEnd)
pkcs8Enc = 1;
}
@@ -697,7 +762,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
XSTRNCPY(header, "-----BEGIN EC PRIVATE KEY-----", sizeof(header));
XSTRNCPY(footer, "-----END EC PRIVATE KEY-----", sizeof(footer));
- headerEnd = XSTRSTR((char*)buff, header);
+ headerEnd = XSTRNSTR((char*)buff, header, sz);
if (headerEnd)
*eccKey = 1;
}
@@ -705,7 +770,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
XSTRNCPY(header, "-----BEGIN DSA PRIVATE KEY-----", sizeof(header));
XSTRNCPY(footer, "-----END DSA PRIVATE KEY-----", sizeof(footer));
- headerEnd = XSTRSTR((char*)buff, header);
+ headerEnd = XSTRNSTR((char*)buff, header, sz);
}
if (!headerEnd)
return SSL_BAD_FILE;
@@ -723,28 +788,28 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
{
/* remove encrypted header if there */
char encHeader[] = "Proc-Type";
- char* line = XSTRSTR((char*)buff, encHeader);
+ char* line = XSTRNSTR((char*)buff, encHeader, PEM_LINE_LEN);
if (line) {
char* newline;
char* finish;
- char* start = XSTRSTR(line, "DES");
+ char* start = XSTRNSTR(line, "DES", PEM_LINE_LEN);
if (!start)
- start = XSTRSTR(line, "AES");
+ start = XSTRNSTR(line, "AES", PEM_LINE_LEN);
if (!start) return SSL_BAD_FILE;
if (!info) return SSL_BAD_FILE;
- finish = XSTRSTR(start, ",");
+ finish = XSTRNSTR(start, ",", PEM_LINE_LEN);
if (start && finish && (start < finish)) {
- newline = XSTRSTR(finish, "\r");
+ newline = XSTRNSTR(finish, "\r", PEM_LINE_LEN);
XMEMCPY(info->name, start, finish - start);
info->name[finish - start] = 0;
XMEMCPY(info->iv, finish + 1, sizeof(info->iv));
- if (!newline) newline = XSTRSTR(finish, "\n");
+ if (!newline) newline = XSTRNSTR(finish, "\n", PEM_LINE_LEN);
if (newline && (newline > finish)) {
info->ivSz = (word32)(newline - (finish + 1));
info->set = 1;
@@ -764,7 +829,7 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
/* find footer */
- footerEnd = XSTRSTR((char*)buff, footer);
+ footerEnd = XSTRNSTR((char*)buff, footer, sz);
if (!footerEnd) return SSL_BAD_FILE;
consumedEnd = footerEnd + XSTRLEN(footer);
@@ -1085,9 +1150,9 @@ int AddCA(CYASSL_CERT_MANAGER* cm, buffer der, int type, int verify)
case CTC_SHA384wECDSA:
case CTC_SHA512wECDSA:
CYASSL_MSG("ECDSA cert signature");
- ctx->haveECDSA = 1;
+ ctx->haveECDSAsig = 1;
if (ssl)
- ssl->options.haveECDSA = 1;
+ ssl->options.haveECDSAsig = 1;
break;
default:
CYASSL_MSG("Not ECDSA cert signature");
@@ -1281,27 +1346,63 @@ int CyaSSL_CTX_load_verify_locations(CYASSL_CTX* ctx, const char* file,
/* Verify the ceritficate, 1 for success, < 0 for error */
+int CyaSSL_CertManagerVerifyBuffer(CYASSL_CERT_MANAGER* cm, const byte* buff,
+ int sz, int format)
+{
+ int ret = 0;
+ int eccKey = 0; /* not used */
+
+ DecodedCert cert;
+ buffer der;
+
+ CYASSL_ENTER("CyaSSL_CertManagerVerifyBuffer");
+
+ der.buffer = NULL;
+
+ if (format == SSL_FILETYPE_PEM) {
+ EncryptedInfo info;
+
+ info.set = 0;
+ info.ctx = NULL;
+ info.consumed = 0;
+ ret = PemToDer(buff, sz, CERT_TYPE, &der, cm->heap, &info, &eccKey);
+ InitDecodedCert(&cert, der.buffer, der.length, cm->heap);
+ }
+ else
+ InitDecodedCert(&cert, (byte*)buff, sz, cm->heap);
+
+ if (ret == 0)
+ ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
+#ifdef HAVE_CRL
+ if (ret == 0 && cm->crlEnabled)
+ ret = CheckCertCRL(cm->crl, &cert);
+#endif
+
+ FreeDecodedCert(&cert);
+ XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT);
+
+ return ret;
+}
+
+
+/* Verify the ceritficate, 1 for success, < 0 for error */
int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
int format)
{
- int ret = SSL_FATAL_ERROR;
- int eccKey = 0; /* not used */
- DecodedCert cert;
-
+ int ret = SSL_FATAL_ERROR;
byte staticBuffer[FILE_BUFFER_SIZE];
byte* myBuffer = staticBuffer;
int dynamic = 0;
long sz = 0;
- buffer der;
XFILE* file = XFOPEN(fname, "rb");
+ CYASSL_ENTER("CyaSSL_CertManagerVerify");
+
if (!file) return SSL_BAD_FILE;
XFSEEK(file, 0, XSEEK_END);
sz = XFTELL(file);
XREWIND(file);
- der.buffer = NULL;
-
if (sz > (long)sizeof(staticBuffer)) {
CYASSL_MSG("Getting dynamic buffer");
myBuffer = (byte*) XMALLOC(sz, cm->heap, DYNAMIC_TYPE_FILE);
@@ -1314,32 +1415,9 @@ int CyaSSL_CertManagerVerify(CYASSL_CERT_MANAGER* cm, const char* fname,
if ( (ret = XFREAD(myBuffer, sz, 1, file)) < 0)
ret = SSL_BAD_FILE;
- else {
- ret = 0; /* ok */
- if (format == SSL_FILETYPE_PEM) {
- EncryptedInfo info;
-
- info.set = 0;
- info.ctx = NULL;
- info.consumed = 0;
- ret = PemToDer(myBuffer, sz, CERT_TYPE, &der, cm->heap, &info,
- &eccKey);
- InitDecodedCert(&cert, der.buffer, der.length, cm->heap);
-
- }
- else
- InitDecodedCert(&cert, myBuffer, sz, cm->heap);
+ else
+ ret = CyaSSL_CertManagerVerifyBuffer(cm, myBuffer, sz, format);
- if (ret == 0)
- ret = ParseCertRelative(&cert, CERT_TYPE, 1, cm);
-#ifdef HAVE_CRL
- if (ret == 0 && cm->crlEnabled)
- ret = CheckCertCRL(cm->crl, &cert);
-#endif
- }
-
- FreeDecodedCert(&cert);
- XFREE(der.buffer, cm->heap, DYNAMIC_TYPE_CERT);
XFCLOSE(file);
if (dynamic) XFREE(myBuffer, cm->heap, DYNAMIC_TYPE_FILE);
@@ -1432,6 +1510,15 @@ int CyaSSL_CertManagerDisableCRL(CYASSL_CERT_MANAGER* cm)
}
+int CyaSSL_CTX_check_private_key(CYASSL_CTX* ctx)
+{
+ /* TODO: check private against public for RSA match */
+ (void)ctx;
+ CYASSL_ENTER("SSL_CTX_check_private_key");
+ return SSL_SUCCESS;
+}
+
+
#ifdef HAVE_CRL
@@ -1474,7 +1561,7 @@ int CyaSSL_CertManagerCheckCRL(CYASSL_CERT_MANAGER* cm, byte* der, int sz)
int CyaSSL_CertManagerSetCRL_Cb(CYASSL_CERT_MANAGER* cm, CbMissingCRL cb)
{
- CYASSL_ENTER("CyaSSL_CertManagerLoadCRL");
+ CYASSL_ENTER("CyaSSL_CertManagerSetCRL_Cb");
if (cm == NULL)
return BAD_FUNC_ARG;
@@ -2050,8 +2137,8 @@ int CyaSSL_set_cipher_list(CYASSL* ssl, const char* list)
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
- ssl->options.haveNTRU, ssl->options.haveECDSA,
- ssl->options.haveStaticECC, ssl->ctx->method->side);
+ ssl->options.haveNTRU, ssl->options.haveECDSAsig,
+ ssl->options.haveStaticECC, ssl->options.side);
return SSL_SUCCESS;
}
@@ -3074,8 +3161,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
ssl->options.client_psk_cb = cb;
InitSuites(&ssl->suites, ssl->version,TRUE,TRUE, ssl->options.haveNTRU,
- ssl->options.haveECDSA, ssl->options.haveStaticECC,
- ssl->ctx->method->side);
+ ssl->options.haveECDSAsig, ssl->options.haveStaticECC,
+ ssl->options.side);
}
@@ -3095,8 +3182,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
ssl->options.server_psk_cb = cb;
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, TRUE,
- ssl->options.haveNTRU, ssl->options.haveECDSA,
- ssl->options.haveStaticECC, ssl->ctx->method->side);
+ ssl->options.haveNTRU, ssl->options.haveECDSAsig,
+ ssl->options.haveStaticECC, ssl->options.side);
}
@@ -3244,15 +3331,6 @@ int CyaSSL_set_compression(CYASSL* ssl)
}
- int CyaSSL_CTX_check_private_key(CYASSL_CTX* ctx)
- {
- /* TODO: check private against public for RSA match */
- (void)ctx;
- CYASSL_ENTER("SSL_CTX_check_private_key");
- return SSL_SUCCESS;
- }
-
-
void CyaSSL_set_bio(CYASSL* ssl, CYASSL_BIO* rd, CYASSL_BIO* wr)
{
CYASSL_ENTER("SSL_set_bio");
@@ -3329,8 +3407,8 @@ int CyaSSL_set_compression(CYASSL* ssl)
havePSK = ssl->options.havePSK;
#endif
InitSuites(&ssl->suites, ssl->version, ssl->options.haveDH, havePSK,
- ssl->options.haveNTRU, ssl->options.haveECDSA,
- ssl->options.haveStaticECC, ssl->ctx->method->side);
+ ssl->options.haveNTRU, ssl->options.haveECDSAsig,
+ ssl->options.haveStaticECC, ssl->options.side);
}
@@ -3407,6 +3485,27 @@ int CyaSSL_set_compression(CYASSL* ssl)
}
+ /* return the next, if any, altname from the peer cert */
+ char* CyaSSL_X509_get_next_altname(CYASSL_X509* cert)
+ {
+ char* ret = NULL;
+ CYASSL_ENTER("CyaSSL_X509_get_next_altname");
+
+ /* don't have any to work with */
+ if (cert == NULL || cert->altNames == NULL)
+ return NULL;
+
+ /* already went through them */
+ if (cert->altNamesNext == NULL)
+ return NULL;
+
+ ret = cert->altNamesNext->name;
+ cert->altNamesNext = cert->altNamesNext->next;
+
+ return ret;
+ }
+
+
CYASSL_X509_NAME* CyaSSL_X509_get_issuer_name(CYASSL_X509* cert)
{
CYASSL_ENTER("X509_get_issuer_name");
@@ -4942,6 +5041,23 @@ int CyaSSL_set_compression(CYASSL* ssl)
case TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA :
return "TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA";
+ case TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 :
+ return "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256";
+ case TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 :
+ return "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
+ case TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 :
+ return "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256";
+ case TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 :
+ return "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384";
+ case TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 :
+ return "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256";
+ case TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 :
+ return "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384";
+ case TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 :
+ return "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256";
+ case TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 :
+ return "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384";
+
default:
return "NONE";
}
@@ -4990,6 +5106,14 @@ int CyaSSL_set_compression(CYASSL* ssl)
return "TLS_NTRU_RSA_WITH_AES_128_CBC_SHA";
case TLS_NTRU_RSA_WITH_AES_256_CBC_SHA :
return "TLS_NTRU_RSA_WITH_AES_256_CBC_SHA";
+ case TLS_RSA_WITH_AES_128_GCM_SHA256 :
+ return "TLS_RSA_WITH_AES_128_GCM_SHA256";
+ case TLS_RSA_WITH_AES_256_GCM_SHA384 :
+ return "TLS_RSA_WITH_AES_256_GCM_SHA384";
+ case TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 :
+ return "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256";
+ case TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 :
+ return "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384";
default:
return "NONE";
} /* switch */
@@ -7695,25 +7819,34 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session)
#endif /* SESSION_CERTS */
-#ifdef HAVE_OCSP
-
long CyaSSL_CTX_OCSP_set_options(CYASSL_CTX* ctx, long options)
{
CYASSL_ENTER("CyaSSL_CTX_OCSP_set_options");
+#ifdef HAVE_OCSP
if (ctx != NULL) {
- ctx->ocsp.enabled = (options && CYASSL_OCSP_ENABLE) != 0;
- ctx->ocsp.useOverrideUrl = (options && CYASSL_OCSP_URL_OVERRIDE) != 0;
+ ctx->ocsp.enabled = (options & CYASSL_OCSP_ENABLE) != 0;
+ ctx->ocsp.useOverrideUrl = (options & CYASSL_OCSP_URL_OVERRIDE) != 0;
return 1;
}
return 0;
+#else
+ (void)ctx;
+ (void)options;
+ return NOT_COMPILED_IN;
+#endif
}
int CyaSSL_CTX_OCSP_set_override_url(CYASSL_CTX* ctx, const char* url)
{
CYASSL_ENTER("CyaSSL_CTX_OCSP_set_override_url");
+#ifdef HAVE_OCSP
return CyaSSL_OCSP_set_override_url(&ctx->ocsp, url);
+#else
+ (void)ctx;
+ (void)url;
+ return NOT_COMPILED_IN;
+#endif
}
-#endif
View Lorry Controller Status