MatrixSSL 3.9.3

Janne Johansson
2017-06-22 16:11:29 +03:00
parent e05dfbf650
commit 0790908cb0
80 changed files with 4908 additions and 1096 deletions


@@ -2818,6 +2818,12 @@ const sslCipherSpec_t *sslGetCipherSpec(const ssl_t *ssl, uint16_t id)
#ifdef VALIDATE_KEY_MATERIAL
if (ssl->keys != NULL)
{
if ((ssl->flags & SSL_FLAGS_SERVER) == 0)
{
/* Client: Just accept the cipher suite, because we do not
know of server public key yet. */
return &supportedCiphers[i];
}
if (haveKeyMaterial(ssl, supportedCiphers[i].type, 0)
== PS_SUCCESS)
{
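Review bot: The new client branch returns `&supportedCiphers[i]` before haveKeyMaterial() is reached, so under VALIDATE_KEY_MATERIAL a client with keys loaded has no suite checked against its local material at all, while the comment gives only the unknown server public key as the reason. Whether that call also covered client-side material (CA certificates, PSK or client-auth keys) is not visible here. If it did, the comment should say where that check now happens, along the lines of `/* Client: accept here; local key material is checked later at <place> */`. sslGetCipherSpec begins and ends outside the hunk.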


@@ -1599,6 +1599,15 @@ int32 parseServerHello(ssl_t *ssl, int32 hsLen, unsigned char **cp,
/* See if the protocol is being downgraded */
if (ssl->reqMinVer != ssl->minVer)
{
if (ssl->clientRejectVersionDowngrade)
{
ssl->err = SSL_ALERT_PROTOCOL_VERSION;
psTraceInfo("Error: version downgrade attempt by server ");
psTraceInfo(" rejected: ServerHello.server_version <");
psTraceInfo(" ClientHello.client_version\n");
return MATRIXSSL_ERROR;
}
if (ssl->reqMinVer == SSL3_MIN_VER && ssl->minVer >= TLS_MIN_VER)
{
# ifdef DISABLE_SSLV3
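Review bot: The rejection message is assembled from three psTraceInfo calls and claims `server_version < client_version`, while the enclosing test visible in the hunk is `ssl->reqMinVer != ssl->minVer`, which compares minor versions only and is not a less-than. A single call keeps the message intact when log output is interleaved, e.g. `psTraceInfo("Error: version downgrade by server rejected\n");`. A one-line comment above the new `if` should state that the branch runs only when the application set clientRejectVersionDowngrade, and that otherwise the existing fallback handling below still applies. parseServerHello starts and continues outside the hunk.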


@@ -531,6 +531,97 @@ int32 matrixSslLoadEcKeys(sslKeys_t *keys, const char *certFile,
# endif /* USE_ECC */
# if defined(USE_RSA) || defined(USE_ECC)
int32_t matrixSslLoadKeysMem(sslKeys_t *keys,
const unsigned char *certBuf, int32 certLen,
const unsigned char *privBuf, int32 privLen,
const unsigned char *CAbuf, int32 CAlen,
matrixSslLoadKeysOpts_t *opts)
{
psPubKey_t tmp_privkey;
int32_t keytype = 0;
if (opts)
keytype = opts->key_type;
if (privBuf == NULL)
keytype = 1;
if (privBuf != NULL && keytype == 0)
{
/*
Caller did not tell us the type of privkey to expect, so try
to find it out.*/
memset(&tmp_privkey, 0, sizeof(psPubKey_t));
keytype = psParseUnknownPrivKeyMem(NULL,
(unsigned char*)privBuf, privLen,
NULL, &tmp_privkey);
if (keytype < 0)
{
psTraceInfo("Could not load private key from file\n");
return keytype;
}
psClearPubKey(&tmp_privkey);
}
switch (keytype)
{
case 1: /* RSA */
return matrixSslLoadKeyMaterialMem(keys, certBuf, certLen,
privBuf, privLen, CAbuf, CAlen, PS_RSA);
break;
case 2: /* ECC */
return matrixSslLoadKeyMaterialMem(keys, certBuf, certLen,
privBuf, privLen, CAbuf, CAlen, PS_ECC);
break;
}
return PS_FAILURE;
}
int32_t matrixSslLoadKeys(sslKeys_t *keys, const char *certFile,
const char *privFile, const char *privPass, const char *CAfile,
matrixSslLoadKeysOpts_t *opts)
{
psPubKey_t tmp_privkey;
int32_t keytype = 0;
if (opts)
keytype = opts->key_type;
if (privFile == NULL)
keytype = 1;
if (keytype == 0)
{
/*
Caller did not tell us the type of privkey to expect, so try
to find it out.*/
memset(&tmp_privkey, 0, sizeof(psPubKey_t));
keytype = psParseUnknownPrivKey(NULL, 1, privFile, privPass,
&tmp_privkey);
if (keytype < 0)
{
psTraceInfo("Could not load private key from file\n");
return keytype;
}
psClearPubKey(&tmp_privkey);
}
switch (keytype)
{
case 1: /* RSA */
return matrixSslLoadKeyMaterial(keys, certFile, privFile, privPass,
CAfile, PS_RSA);
break;
case 2: /* ECC */
return matrixSslLoadKeyMaterial(keys, certFile, privFile, privPass,
CAfile, PS_ECC);
break;
}
return PS_FAILURE;
}
static int32 matrixSslLoadKeyMaterial(sslKeys_t *keys, const char *certFile,
const char *privFile, const char *privPass, const char *CAfile,
int32 privKeyType)
@@ -662,9 +753,24 @@ static int32 matrixSslLoadKeyMaterial(sslKeys_t *keys, const char *certFile,
{
return PS_UNSUPPORTED_FAIL;
}
#ifdef ALLOW_CA_BUNDLE_PARTIAL_PARSE
flags |= CERT_ALLOW_BUNDLE_PARTIAL_PARSE;
#endif /* ALLOW_CA_BUNDLE_PARTIAL_PARSE */
err = psX509ParseCertFile(pool, (char *) CAfile, &keys->CAcerts, flags);
if (err >= 0)
{
#ifdef ALLOW_CA_BUNDLE_PARTIAL_PARSE
if (err == 0)
{
psTraceInfo("Failed to load any CA certs.\n");
err = PS_PARSE_FAIL;
goto ca_load_failed;
}
else
{
psTraceIntInfo("Loaded %d CA certs\n", err);
}
#endif /* ALLOW_CA_BUNDLE_PARTIAL_PARSE */
if (keys->CAcerts->authFailFlags)
{
/* This should be the only no err, FailFlags case currently */
@@ -677,6 +783,11 @@ static int32 matrixSslLoadKeyMaterial(sslKeys_t *keys, const char *certFile,
# endif
}
}
#ifdef ALLOW_CA_BUNDLE_PARTIAL_PARSE
ca_load_failed:
#endif /* ALLOW_CA_BUNDLE_PARTIAL_PARSE */
if (err < 0)
{
# if defined(USE_SERVER_SIDE_SSL) || defined(USE_CLIENT_AUTH)
@@ -819,6 +930,11 @@ static int32 matrixSslLoadKeyMaterialMem(sslKeys_t *keys,
psPool_t *pool;
int32 err, flags = 0;
if (certBuf == NULL && privBuf == NULL && CAbuf == NULL)
{
return PS_ARG_FAIL;
}
if (keys == NULL)
{
return PS_ARG_FAIL;
@@ -933,22 +1049,46 @@ static int32 matrixSslLoadKeyMaterialMem(sslKeys_t *keys,
{
return PS_UNSUPPORTED_FAIL;
}
if ((err = psX509ParseCert(pool, (unsigned char *) CAbuf, (uint32) CAlen,
&keys->CAcerts, flags)) < 0)
#ifdef ALLOW_CA_BUNDLE_PARTIAL_PARSE
flags |= CERT_ALLOW_BUNDLE_PARTIAL_PARSE;
#endif /* ALLOW_CA_BUNDLE_PARTIAL_PARSE */
err = psX509ParseCert(pool, (unsigned char *) CAbuf, (uint32) CAlen,
&keys->CAcerts, flags);
if (err < 0)
{
# if defined(USE_SERVER_SIDE_SSL) || defined(USE_CLIENT_AUTH)
psClearPubKey(&keys->privKey);
psX509FreeCert(keys->cert);
psX509FreeCert(keys->CAcerts);
keys->cert = keys->CAcerts = NULL;
# endif
return err;
#ifdef ALLOW_CA_BUNDLE_PARTIAL_PARSE
if (err == 0)
{
psTraceInfo("Failed to load any CA certs.\n");
err = PS_PARSE_FAIL;
goto ca_load_failed;
}
else
{
psTraceIntInfo("Loaded %d CA certs\n", err);
}
#endif /* ALLOW_CA_BUNDLE_PARTIAL_PARSE */
}
# else
psTraceInfo("Ignoring CAbuf in matrixSslReadKeysMem\n");
# endif /* USE_CLIENT_SIDE_SSL || USE_CLIENT_AUTH */
}
#ifdef ALLOW_CA_BUNDLE_PARTIAL_PARSE
ca_load_failed:
#endif /* ALLOW_CA_BUNDLE_PARTIAL_PARSE */
# if defined(USE_SERVER_SIDE_SSL) || defined(USE_CLIENT_AUTH)
if (err < 0)
{
psClearPubKey(&keys->privKey);
psX509FreeCert(keys->cert);
psX509FreeCert(keys->CAcerts);
keys->cert = keys->CAcerts = NULL;
return err;
}
# endif
return PS_SUCCESS;
}
#endif /* USE_RSA || USE_ECC */
@@ -1295,6 +1435,9 @@ int32 matrixSslNewSession(ssl_t **ssl, const sslKeys_t *keys,
options->validateCertsOpts.max_verify_depth;
}
if (options->userDataPtr != NULL)
lssl->userDataPtr = options->userDataPtr;
#ifdef USE_ECC
/* If user specified EC curves they support, let's check that against
the key material they provided so there are no conflicts. Don't
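Review bot: In the matrixSslLoadKeyMaterialMem hunk (`@@ -933,22 +1049,46`) the new partial-parse block is nested under `if (err < 0)`, whereas the same block in matrixSslLoadKeyMaterial sits under `if (err >= 0)`. As shown, the `err == 0` test ("Failed to load any CA certs.") can never be true on the memory path, and the else arm would print a negative error code as a certificate count. The guard should read `if (err >= 0)` so that a bundle yielding no CA certificates becomes PS_PARSE_FAIL here as well. The page has lost its +/- markers, so it is unclear whether the old `return err;` inside that block survives. If it was removed, the only failure return left is the `if (err < 0)` after `ca_load_failed:`, which is compiled only under `USE_SERVER_SIDE_SSL || USE_CLIENT_AUTH`, so a client-only build would return PS_SUCCESS after a failed CA parse; that `return err;` belongs outside the `# if`. Separately, matrixSslLoadKeysMem logs "Could not load private key from file" although it parses a memory buffer.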


@@ -140,6 +140,11 @@ int32_t matrixSslNewClientSession(ssl_t **ssl, const sslKeys_t *keys,
}
lssl->userPtr = options->userPtr;
if (options->clientRejectVersionDowngrade)
{
lssl->clientRejectVersionDowngrade = 1;
}
# ifndef USE_ONLY_PSK_CIPHER_SUITE
if (expectedName)
{


@@ -99,6 +99,20 @@ PSPUBLIC void matrixSslClose(void);
*/
PSPUBLIC int32 matrixSslNewKeys(sslKeys_t **keys, void *poolUserPtr);
PSPUBLIC void matrixSslDeleteKeys(sslKeys_t *keys);
# if defined(USE_RSA) || defined(USE_ECC)
typedef struct {
uint32_t flags;
int32_t key_type;
} matrixSslLoadKeysOpts_t;
int32_t matrixSslLoadKeys(sslKeys_t *keys, const char *certFile,
const char *privFile, const char *privPass, const char *CAfile,
matrixSslLoadKeysOpts_t *opts);
int32_t matrixSslLoadKeysMem(sslKeys_t *keys,
const unsigned char *certBuf, int32 certLen,
const unsigned char *privBuf, int32 privLen,
const unsigned char *CAbuf, int32 CAlen,
matrixSslLoadKeysOpts_t *opts);
# endif /* USE_RSA || USE_ECC */
# ifdef USE_RSA
PSPUBLIC int32 matrixSslLoadRsaKeys(sslKeys_t *keys, const char *certFile,
const char *privFile, const char *privPass,
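Review bot: `key_type` in matrixSslLoadKeysOpts_t is undocumented, yet the loaders added in this commit switch on the bare values 1 (RSA) and 2 (ECC) and treat 0 as "detect from the private key". A comment on the field such as `/* 0 = detect from private key, 1 = RSA, 2 = ECC */`, or named constants, would stop callers from guessing and make the PS_FAILURE result for any other value explicit. `flags` is not read by either loader shown on this page, so it should be documented as reserved or given a stated meaning. The two new prototypes also lack the `PSPUBLIC` marker carried by the neighbouring declarations, which may matter where symbol visibility is controlled.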


@@ -955,6 +955,12 @@ typedef struct
CertificateVerify externally. */
# endif /* USE_EXT_CERTIFICATE_VERIFY_SIGNING */
int32 versionFlag; /* The SSL_FLAGS_TLS_ version (+ DTLS flag here) */
#ifdef USE_CLIENT_SIDE_SSL
uint8_t clientRejectVersionDowngrade; /* Send SSL_ALERT_PROTOCOL_VERSION if server proposes
a lower version than what the client sent in the
ClientHello. Effectively, this ensures that only
the version in versionFlag can be negotiated. */
#endif /* USE_CLIENT_SIDE_SSL */
void *userPtr; /* Initial value of ssl->userPtr during NewSession */
void *memAllocPtr; /* Will be passed to psOpenPool for each call
related to this session */
@@ -964,6 +970,7 @@ typedef struct
is deleted */
matrixValidateCertsOptions_t validateCertsOpts; /* Certificate validation
options. */
void *userDataPtr; /* Initial value of ssl->userDataPtr during NewSession. */
} sslSessOpts_t;
typedef struct
@@ -1343,6 +1350,9 @@ struct ssl
uint8_t reqMinVer;
uint8_t majVer;
uint8_t minVer;
#ifdef USE_CLIENT_SIDE_SSL
uint8_t clientRejectVersionDowngrade;
#endif /* USE_CLIENT_SIDE_SSL */
uint8_t outRecType;
# ifdef ENABLE_SECURE_REHANDSHAKES
@@ -1483,6 +1493,7 @@ struct ssl
void *memAllocPtr; /* Will be passed to psOpenPool for each call
related to this session */
void *userPtr;
void *userDataPtr;
};
typedef struct ssl ssl_t;
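Review bot: The comment on `clientRejectVersionDowngrade` in sslSessOpts_t does not say that the protection is opt-in. The session code on this page copies the flag only when it is non-zero, so an application that leaves its options zeroed keeps accepting a ServerHello with a lower version. I would extend the comment with `Default 0: a lower server version is still accepted.` and give the matching field in struct ssl a one-line comment pointing at the option, since it currently has none. The new `userDataPtr` members would also benefit from a note on how they differ from the existing `userPtr`.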


@@ -8,10 +8,10 @@
extern "C" {
#endif
#define MATRIXSSL_VERSION "3.9.1-OPEN"
#define MATRIXSSL_VERSION "3.9.3-OPEN"
#define MATRIXSSL_VERSION_MAJOR 3
#define MATRIXSSL_VERSION_MINOR 9
#define MATRIXSSL_VERSION_PATCH 1
#define MATRIXSSL_VERSION_PATCH 3
#define MATRIXSSL_VERSION_CODE "OPEN"
#ifdef __cplusplus