diff options
Diffstat (limited to 'extra/yassl')
| -rwxr-xr-x | extra/yassl/CMakeLists.txt | 1 | ||||
| -rw-r--r-- | extra/yassl/Makefile.am | 2 | ||||
| -rw-r--r-- | extra/yassl/include/cert_wrapper.hpp | 3 | ||||
| -rw-r--r-- | extra/yassl/include/openssl/prefix_ssl.h | 1 | ||||
| -rw-r--r-- | extra/yassl/include/openssl/ssl.h | 9 | ||||
| -rw-r--r-- | extra/yassl/include/yassl_error.hpp | 2 | ||||
| -rw-r--r-- | extra/yassl/include/yassl_imp.hpp | 4 | ||||
| -rw-r--r-- | extra/yassl/include/yassl_int.hpp | 12 | ||||
| -rw-r--r-- | extra/yassl/include/yassl_types.hpp | 12 | ||||
| -rw-r--r-- | extra/yassl/src/cert_wrapper.cpp | 40 | ||||
| -rw-r--r-- | extra/yassl/src/ssl.cpp | 31 | ||||
| -rw-r--r-- | extra/yassl/src/yassl_error.cpp | 9 | ||||
| -rw-r--r-- | extra/yassl/src/yassl_imp.cpp | 154 | ||||
| -rw-r--r-- | extra/yassl/src/yassl_int.cpp | 100 | ||||
| -rw-r--r-- | extra/yassl/taocrypt/Makefile.am | 2 | ||||
| -rw-r--r-- | extra/yassl/taocrypt/src/random.cpp | 1 |
16 files changed, 281 insertions, 102 deletions
diff --git a/extra/yassl/CMakeLists.txt b/extra/yassl/CMakeLists.txt index 981f679f785..3407aa7d0dc 100755 --- a/extra/yassl/CMakeLists.txt +++ b/extra/yassl/CMakeLists.txt @@ -24,4 +24,5 @@ SET(YASSL_SOURCES src/buffer.cpp src/cert_wrapper.cpp src/crypto_wrapper.cpp sr src/yassl_imp.cpp src/yassl_int.cpp) IF(NOT SOURCE_SUBLIBS) ADD_LIBRARY(yassl ${YASSL_SOURCES}) + ADD_DEPENDENCIES(yassl GenError) ENDIF(NOT SOURCE_SUBLIBS) diff --git a/extra/yassl/Makefile.am b/extra/yassl/Makefile.am index 35946e002c4..ddd57d60a99 100644 --- a/extra/yassl/Makefile.am +++ b/extra/yassl/Makefile.am @@ -1,5 +1,5 @@ SUBDIRS = taocrypt src testsuite -EXTRA_DIST = yassl.dsp yassl.dsw CMakeLists.txt +EXTRA_DIST = CMakeLists.txt # Don't update the files from bitkeeper %::SCCS/s.% diff --git a/extra/yassl/include/cert_wrapper.hpp b/extra/yassl/include/cert_wrapper.hpp index ce8003aa4cf..572b9f87293 100644 --- a/extra/yassl/include/cert_wrapper.hpp +++ b/extra/yassl/include/cert_wrapper.hpp @@ -34,6 +34,7 @@ #include "yassl_types.hpp" // SignatureAlgorithm #include "buffer.hpp" // input_buffer #include "asn.hpp" // SignerList +#include "openssl/ssl.h" // internal and external use #include STL_LIST_FILE #include STL_ALGORITHM_FILE @@ -87,6 +88,7 @@ class CertManager { bool verifyNone_; // no error if verify fails bool failNoCert_; bool sendVerify_; + VerifyCallback verifyCallback_; // user verify callback public: CertManager(); ~CertManager(); @@ -118,6 +120,7 @@ public: void setFailNoCert(); void setSendVerify(); void setPeerX509(X509*); + void setVerifyCallback(VerifyCallback); private: CertManager(const CertManager&); // hide copy CertManager& operator=(const CertManager&); // and assign diff --git a/extra/yassl/include/openssl/prefix_ssl.h b/extra/yassl/include/openssl/prefix_ssl.h index 3a3a8c26c9c..138d9fb8821 100644 --- a/extra/yassl/include/openssl/prefix_ssl.h +++ b/extra/yassl/include/openssl/prefix_ssl.h @@ -52,6 +52,7 @@ #define SSL_load_error_strings yaSSL_load_error_strings #define SSL_set_session yaSSL_set_session #define SSL_get_session yaSSL_get_session +#define SSL_flush_sessions yaSSL_flush_sessions #define SSL_SESSION_set_timeout yaSSL_SESSION_set_timeout #define SSL_CTX_set_session_cache_mode yaSSL_CTX_set_session_cache_mode #define SSL_get_peer_certificate yaSSL_get_peer_certificate diff --git a/extra/yassl/include/openssl/ssl.h b/extra/yassl/include/openssl/ssl.h index c0b87f804ad..05b34a0dc45 100644 --- a/extra/yassl/include/openssl/ssl.h +++ b/extra/yassl/include/openssl/ssl.h @@ -170,8 +170,9 @@ enum { /* X509 Constants */ X509_V_ERR_CRL_SIGNATURE_FAILURE = 10, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 11, X509_V_ERR_CRL_HAS_EXPIRED = 12, - X509_V_ERR_CERT_REVOKED = 13 - + X509_V_ERR_CERT_REVOKED = 13, + X509_V_FLAG_CRL_CHECK = 14, + X509_V_FLAG_CRL_CHECK_ALL = 15 }; @@ -202,7 +203,8 @@ SSL_CTX* SSL_CTX_new(SSL_METHOD*); SSL* SSL_new(SSL_CTX*); int SSL_set_fd (SSL*, YASSL_SOCKET_T); YASSL_SOCKET_T SSL_get_fd(const SSL*); -int SSL_connect(SSL*); +int SSL_connect(SSL*); /* if you get an error from connect + see note at top of REAMDE */ int SSL_write(SSL*, const void*, int); int SSL_read(SSL*, void*, int); int SSL_accept(SSL*); @@ -227,6 +229,7 @@ void SSL_load_error_strings(void); int SSL_set_session(SSL *ssl, SSL_SESSION *session); SSL_SESSION* SSL_get_session(SSL* ssl); +void SSL_flush_sessions(SSL_CTX *ctx, long tm); long SSL_SESSION_set_timeout(SSL_SESSION*, long); long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode); X509* SSL_get_peer_certificate(SSL*); diff --git a/extra/yassl/include/yassl_error.hpp b/extra/yassl/include/yassl_error.hpp index 63fa9a761ba..d2473fb3e2b 100644 --- a/extra/yassl/include/yassl_error.hpp +++ b/extra/yassl/include/yassl_error.hpp @@ -64,7 +64,7 @@ enum YasslError { enum Library { yaSSL_Lib = 0, CryptoLib, SocketLib }; enum { MAX_ERROR_SZ = 80 }; -void SetErrorString(YasslError, char*); +void SetErrorString(unsigned long, char*); /* remove for now, if go back to exceptions use this wrapper // Base class for all yaSSL exceptions diff --git a/extra/yassl/include/yassl_imp.hpp b/extra/yassl/include/yassl_imp.hpp index f6434443cb0..8893ba8a8ba 100644 --- a/extra/yassl/include/yassl_imp.hpp +++ b/extra/yassl/include/yassl_imp.hpp @@ -667,10 +667,12 @@ struct Parameters { Cipher suites_[MAX_SUITE_SZ]; char cipher_name_[MAX_SUITE_NAME]; char cipher_list_[MAX_CIPHERS][MAX_SUITE_NAME]; + bool removeDH_; // for server's later use Parameters(ConnectionEnd, const Ciphers&, ProtocolVersion, bool haveDH); - void SetSuites(ProtocolVersion pv, bool removeDH = false); + void SetSuites(ProtocolVersion pv, bool removeDH = false, + bool removeRSA = false, bool removeDSA = false); void SetCipherNames(); private: Parameters(const Parameters&); // hide copy diff --git a/extra/yassl/include/yassl_int.hpp b/extra/yassl/include/yassl_int.hpp index b207f0bffbd..1e761f559e2 100644 --- a/extra/yassl/include/yassl_int.hpp +++ b/extra/yassl/include/yassl_int.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -268,12 +268,14 @@ class Sessions { STL::list<SSL_SESSION*> list_; RandomPool random_; // for session cleaning Mutex mutex_; // no-op for single threaded + int count_; // flush counter - Sessions() {} // only GetSessions can create + Sessions() : count_(0) {} // only GetSessions can create public: SSL_SESSION* lookup(const opaque*, SSL_SESSION* copy = 0); void add(const SSL&); void remove(const opaque*); + void Flush(); ~Sessions(); @@ -425,8 +427,10 @@ private: pem_password_cb passwordCb_; void* userData_; bool sessionCacheOff_; + bool sessionCacheFlushOff_; Stats stats_; Mutex mutex_; // for Stats + VerifyCallback verifyCallback_; public: explicit SSL_CTX(SSL_METHOD* meth); ~SSL_CTX(); @@ -437,18 +441,22 @@ public: const Ciphers& GetCiphers() const; const DH_Parms& GetDH_Parms() const; const Stats& GetStats() const; + VerifyCallback getVerifyCallback() const; pem_password_cb GetPasswordCb() const; void* GetUserData() const; bool GetSessionCacheOff() const; + bool GetSessionCacheFlushOff() const; void setVerifyPeer(); void setVerifyNone(); void setFailNoCert(); + void setVerifyCallback(VerifyCallback); bool SetCipherList(const char*); bool SetDH(const DH&); void SetPasswordCb(pem_password_cb cb); void SetUserData(void*); void SetSessionCacheOff(); + void SetSessionCacheFlushOff(); void IncrementStats(StatsField); void AddCA(x509* ca); diff --git a/extra/yassl/include/yassl_types.hpp b/extra/yassl/include/yassl_types.hpp index e4b81f98fff..28535792828 100644 --- a/extra/yassl/include/yassl_types.hpp +++ b/extra/yassl/include/yassl_types.hpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -29,6 +29,13 @@ #include "type_traits.hpp" +#ifdef _MSC_VER + // disable conversion warning + // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy + #pragma warning(disable:4244 4996) +#endif + + namespace yaSSL { #define YASSL_LIB @@ -163,7 +170,7 @@ const int RMD_LEN = 20; // RIPEMD-160 digest length const int PREFIX = 3; // up to 3 prefix letters for secret rounds const int KEY_PREFIX = 7; // up to 7 prefix letters for key rounds const int FORTEZZA_MAX = 128; // Maximum Fortezza Key length -const int MAX_SUITE_SZ = 64; // 32 max suites * sizeof(suite) +const int MAX_SUITE_SZ = 128; // 64 max suites * sizeof(suite) const int MAX_SUITE_NAME = 48; // max length of suite name const int MAX_CIPHERS = 32; // max supported ciphers for cipher list const int SIZEOF_ENUM = 1; // SSL considers an enum 1 byte, not 4 @@ -205,6 +212,7 @@ const int SEED_LEN = RAN_LEN * 2; // TLS seed, client + server random const int DEFAULT_TIMEOUT = 500; // Default Session timeout in seconds const int MAX_RECORD_SIZE = 16384; // 2^14, max size by standard const int COMPRESS_EXTRA = 1024; // extra compression possible addition +const int SESSION_FLUSH_COUNT = 256; // when to flush session cache typedef uint8 Cipher; // first byte is always 0x00 for SSLv3 & TLS diff --git a/extra/yassl/src/cert_wrapper.cpp b/extra/yassl/src/cert_wrapper.cpp index 8caca8f9649..ebec0882265 100644 --- a/extra/yassl/src/cert_wrapper.cpp +++ b/extra/yassl/src/cert_wrapper.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -24,6 +24,7 @@ #include "runtime.hpp" #include "cert_wrapper.hpp" #include "yassl_int.hpp" +#include "error.hpp" #if defined(USE_CML_LIB) #include "cmapi_cpp.h" @@ -90,7 +91,7 @@ opaque* x509::use_buffer() //CertManager CertManager::CertManager() : peerX509_(0), verifyPeer_(false), verifyNone_(false), failNoCert_(false), - sendVerify_(false) + sendVerify_(false), verifyCallback_(0) {} @@ -154,6 +155,12 @@ void CertManager::setSendVerify() } +void CertManager::setVerifyCallback(VerifyCallback vc) +{ + verifyCallback_ = vc; +} + + void CertManager::AddPeerCert(x509* x) { peerList_.push_back(x); // take ownership @@ -236,7 +243,7 @@ uint CertManager::get_privateKeyLength() const int CertManager::Validate() { CertList::reverse_iterator last = peerList_.rbegin(); - size_t count= peerList_.size(); + size_t count = peerList_.size(); while ( count > 1 ) { TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); @@ -257,7 +264,8 @@ int CertManager::Validate() TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_); - if (int err = cert.GetError().What()) + int err = cert.GetError().What(); + if ( err ) return err; uint sz = cert.GetPublicKey().size(); @@ -269,13 +277,25 @@ int CertManager::Validate() else peerKeyType_ = dsa_sa_algo; - size_t iSz= strlen(cert.GetIssuer()) + 1; - size_t sSz= strlen(cert.GetCommonName()) + 1; - size_t bSz= strlen(cert.GetBeforeDate()) + 1; - size_t aSz= strlen(cert.GetAfterDate()) + 1; + size_t iSz = strlen(cert.GetIssuer()) + 1; + size_t sSz = strlen(cert.GetCommonName()) + 1; + int bSz = (int)strlen(cert.GetBeforeDate()) + 1; + int aSz = (int)strlen(cert.GetAfterDate()) + 1; peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), - sSz, cert.GetBeforeDate(), (int) bSz, - cert.GetAfterDate(), (int) aSz); + sSz, cert.GetBeforeDate(), bSz, + cert.GetAfterDate(), aSz); + + if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) { + X509_STORE_CTX store; + store.error = err; + store.error_depth = static_cast<int>(count) - 1; + store.current_cert = peerX509_; + + int ok = verifyCallback_(0, &store); + if (ok) return 0; + } + + if (err == TaoCrypt::SIG_OTHER_E) return err; } return 0; } diff --git a/extra/yassl/src/ssl.cpp b/extra/yassl/src/ssl.cpp index 781cfa36a70..4d8b6ac69b8 100644 --- a/extra/yassl/src/ssl.cpp +++ b/extra/yassl/src/ssl.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -245,6 +245,7 @@ YASSL_SOCKET_T SSL_get_fd(const SSL* ssl) } +// if you get an error from connect see note at top of README int SSL_connect(SSL* ssl) { if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ)) @@ -447,6 +448,9 @@ long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode) if (mode == SSL_SESS_CACHE_OFF) ctx->SetSessionCacheOff(); + if (mode == SSL_SESS_CACHE_NO_AUTO_CLEAR) + ctx->SetSessionCacheFlushOff(); + return SSL_SUCCESS; } @@ -493,6 +497,15 @@ long SSL_get_default_timeout(SSL* /*ssl*/) } +void SSL_flush_sessions(SSL_CTX *ctx, long /* tm */) +{ + if (ctx->GetSessionCacheOff()) + return; + + GetSessions().Flush(); +} + + const char* SSL_get_cipher_name(SSL* ssl) { return SSL_get_cipher(ssl); @@ -560,7 +573,7 @@ int SSL_get_error(SSL* ssl, int /*previous*/) only need to turn on for client, becuase server on by default if built in but calling for server will tell you whether it's available or not */ -int SSL_set_compression(SSL* ssl) +int SSL_set_compression(SSL* ssl) /* Chad didn't rename to ya~ because it is prob. bug. */ { return ssl->SetCompression(); } @@ -604,13 +617,13 @@ char* X509_NAME_oneline(X509_NAME* name, char* buffer, int sz) { if (!name->GetName()) return buffer; - size_t len= strlen(name->GetName()) + 1; - int copySz = min((int) len, sz); + int len = (int)strlen(name->GetName()) + 1; + int copySz = min(len, sz); if (!buffer) { buffer = (char*)malloc(len); if (!buffer) return buffer; - copySz = (int) len; + copySz = len; } if (copySz == 0) @@ -693,7 +706,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format) } -void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) +void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc) { if (mode & SSL_VERIFY_PEER) ctx->setVerifyPeer(); @@ -703,6 +716,8 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) ctx->setFailNoCert(); + + ctx->setVerifyCallback(vc); } @@ -976,7 +991,7 @@ char* ERR_error_string(unsigned long errNumber, char* buffer) static char* msg = (char*)"Please supply a buffer for error string"; if (buffer) { - SetErrorString(YasslError(errNumber), buffer); + SetErrorString(errNumber, buffer); return buffer; } @@ -1450,6 +1465,8 @@ unsigned long err_helper(bool peek = false) default : return 0; } + + return 0; // shut up compiler } diff --git a/extra/yassl/src/yassl_error.cpp b/extra/yassl/src/yassl_error.cpp index dc120028e13..dd30348cd93 100644 --- a/extra/yassl/src/yassl_error.cpp +++ b/extra/yassl/src/yassl_error.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -26,6 +26,11 @@ #include "openssl/ssl.h" // SSL_ERROR_WANT_READ #include <string.h> // strncpy +#ifdef _MSC_VER + // 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy + #pragma warning(disable: 4996) +#endif + namespace yaSSL { @@ -50,7 +55,7 @@ Library Error::get_lib() const */ -void SetErrorString(YasslError error, char* buffer) +void SetErrorString(unsigned long error, char* buffer) { using namespace TaoCrypt; const int max = MAX_ERROR_SZ; // shorthand diff --git a/extra/yassl/src/yassl_imp.cpp b/extra/yassl/src/yassl_imp.cpp index 2b2efbbe04f..f079df8c7ce 100644 --- a/extra/yassl/src/yassl_imp.cpp +++ b/extra/yassl/src/yassl_imp.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -136,9 +136,19 @@ void DH_Server::build(SSL& ssl) const CertManager& cert = ssl.getCrypto().get_certManager(); if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo) + { + if (cert.get_keyType() != rsa_sa_algo) { + ssl.SetError(privateKey_error); + return; + } auth.reset(NEW_YS RSA(cert.get_privateKey(), cert.get_privateKeyLength(), false)); + } else { + if (cert.get_keyType() != dsa_sa_algo) { + ssl.SetError(privateKey_error); + return; + } auth.reset(NEW_YS DSS(cert.get_privateKey(), cert.get_privateKeyLength(), false)); sigSz += DSS_ENCODED_EXTRA; @@ -436,18 +446,21 @@ Parameters::Parameters(ConnectionEnd ce, const Ciphers& ciphers, pending_ = true; // suite not set yet strncpy(cipher_name_, "NONE", 5); + removeDH_ = !haveDH; // only use on server side for set suites + if (ciphers.setSuites_) { // use user set list suites_size_ = ciphers.suiteSz_; memcpy(suites_, ciphers.suites_, ciphers.suiteSz_); SetCipherNames(); } else - SetSuites(pv, ce == server_end && !haveDH); // defaults + SetSuites(pv, ce == server_end && removeDH_); // defaults } -void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) +void Parameters::SetSuites(ProtocolVersion pv, bool removeDH, bool removeRSA, + bool removeDSA) { int i = 0; // available suites, best first @@ -456,67 +469,87 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) if (isTLS(pv)) { if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; + } + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; } - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; - if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; + } + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; } - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; - - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; - if (!removeDH) { + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_RMD160; + suites_[i++] = 0x00; + suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; + } + } + } + + if (!removeRSA) { suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_RC4_128_MD5; suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; - suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; suites_[i++] = 0x00; - suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; + suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; } - } - - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_RC4_128_MD5; - - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; - if (!removeDH) { - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; - - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; - suites_[i++] = 0x00; - suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; + } + if (!removeRSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; + } + if (!removeDSA) { + suites_[i++] = 0x00; + suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; + } } suites_size_ = i; @@ -1471,7 +1504,19 @@ void ClientHello::Process(input_buffer&, SSL& ssl) // downgrade to SSLv3 ssl.useSecurity().use_connection().TurnOffTLS(); ProtocolVersion pv = ssl.getSecurity().get_connection().version_; - ssl.useSecurity().use_parms().SetSuites(pv); // reset w/ SSL suites + bool removeDH = ssl.getSecurity().get_parms().removeDH_; + bool removeRSA = false; + bool removeDSA = false; + + const CertManager& cm = ssl.getCrypto().get_certManager(); + if (cm.get_keyType() == rsa_sa_algo) + removeDSA = true; + else + removeRSA = true; + + // reset w/ SSL suites + ssl.useSecurity().use_parms().SetSuites(pv, removeDH, removeRSA, + removeDSA); } else if (ssl.isTLSv1_1() && client_version_.minor_ == 1) // downgrade to TLSv1, but use same suites @@ -1517,6 +1562,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl) return; } ssl.matchSuite(cipher_suites_, suite_len_); + if (ssl.GetError()) return; ssl.set_pending(ssl.getSecurity().get_parms().suite_[1]); if (compression_methods_ == zlib) diff --git a/extra/yassl/src/yassl_int.cpp b/extra/yassl/src/yassl_int.cpp index ba8ee8f66ab..8e4a9aa95ec 100644 --- a/extra/yassl/src/yassl_int.cpp +++ b/extra/yassl/src/yassl_int.cpp @@ -1,5 +1,5 @@ /* - Copyright (C) 2000-2007 MySQL AB + Copyright 2000-2008 MySQL AB, 2008 Sun Microsystems, Inc. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -40,28 +40,28 @@ void* operator new(size_t sz, yaSSL::new_t) { - void* ptr = malloc(sz ? sz : 1); - if (!ptr) abort(); + void* ptr = malloc(sz ? sz : 1); + if (!ptr) abort(); - return ptr; + return ptr; } void operator delete(void* ptr, yaSSL::new_t) { - if (ptr) free(ptr); + if (ptr) free(ptr); } void* operator new[](size_t sz, yaSSL::new_t nt) { - return ::operator new(sz, nt); + return ::operator new(sz, nt); } void operator delete[](void* ptr, yaSSL::new_t nt) { - ::operator delete(ptr, nt); + ::operator delete(ptr, nt); } namespace yaSSL { @@ -308,6 +308,20 @@ SSL::SSL(SSL_CTX* ctx) SetError(YasslError(err)); return; } + else if (serverSide) { + // remove RSA or DSA suites depending on cert key type + ProtocolVersion pv = secure_.get_connection().version_; + + bool removeDH = secure_.use_parms().removeDH_; + bool removeRSA = false; + bool removeDSA = false; + + if (cm.get_keyType() == rsa_sa_algo) + removeDSA = true; + else + removeRSA = true; + secure_.use_parms().SetSuites(pv, removeDH, removeRSA, removeDSA); + } } else if (serverSide) { SetError(no_key_file); @@ -320,6 +334,7 @@ SSL::SSL(SSL_CTX* ctx) cm.setVerifyNone(); if (ctx->getMethod()->failNoCert()) cm.setFailNoCert(); + cm.setVerifyCallback(ctx->getVerifyCallback()); if (serverSide) crypto_.SetDH(ctx->GetDH_Parms()); @@ -1039,7 +1054,7 @@ void SSL::fillData(Data& data) data.set_length(0); // output, actual data filled dataSz = min(dataSz, bufferedData()); - for (uint i = 0; i < elements; i++) { + for (size_t i = 0; i < elements; i++) { input_buffer* front = buffers_.getData().front(); uint frontSz = front->get_remaining(); uint readSz = min(dataSz - data.get_length(), frontSz); @@ -1063,7 +1078,7 @@ void SSL::fillData(Data& data) void SSL::PeekData(Data& data) { if (GetError()) return; - uint dataSz = data.get_length(); // input, data size to fill + uint dataSz = data.get_length(); // input, data size to fill size_t elements = buffers_.getData().size(); data.set_length(0); // output, actual data filled @@ -1100,7 +1115,7 @@ void SSL::flushBuffer() output_buffer out(sz); size_t elements = buffers_.getHandShake().size(); - for (uint i = 0; i < elements; i++) { + for (size_t i = 0; i < elements; i++) { output_buffer* front = buffers_.getHandShake().front(); out.write(front->get_buffer(), front->get_size()); @@ -1276,6 +1291,7 @@ void SSL::matchSuite(const opaque* peer, uint length) if (secure_.use_parms().suites_[i] == peer[j]) { secure_.use_parms().suite_[0] = 0x00; secure_.use_parms().suite_[1] = peer[j]; + return; } @@ -1284,7 +1300,7 @@ void SSL::matchSuite(const opaque* peer, uint length) void SSL::set_session(SSL_SESSION* s) -{ +{ if (getSecurity().GetContext()->GetSessionCacheOff()) return; @@ -1565,13 +1581,19 @@ Errors& GetErrors() typedef Mutex::Lock Lock; + void Sessions::add(const SSL& ssl) { if (ssl.getSecurity().get_connection().sessionID_Set_) { - Lock guard(mutex_); - list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); + Lock guard(mutex_); + list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); + count_++; } + + if (count_ > SESSION_FLUSH_COUNT) + if (!ssl.getSecurity().GetContext()->GetSessionCacheFlushOff()) + Flush(); } @@ -1660,6 +1682,25 @@ void Sessions::remove(const opaque* id) } +// flush expired sessions from cache +void Sessions::Flush() +{ + Lock guard(mutex_); + sess_iterator next = list_.begin(); + uint current = lowResTimer(); + + while (next != list_.end()) { + sess_iterator si = next; + ++next; + if ( ((*si)->GetBornOn() + (*si)->GetTimeOut()) < current) { + del_ptr_zero()(*si); + list_.erase(si); + } + } + count_ = 0; // reset flush counter +} + + // remove a self thread error void Errors::Remove() { @@ -1764,7 +1805,8 @@ bool SSL_METHOD::multipleProtocol() const SSL_CTX::SSL_CTX(SSL_METHOD* meth) : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0), - userData_(0), sessionCacheOff_(false) + userData_(0), sessionCacheOff_(false), sessionCacheFlushOff_(false), + verifyCallback_(0) {} @@ -1791,6 +1833,12 @@ SSL_CTX::GetCA_List() const } +VerifyCallback SSL_CTX::getVerifyCallback() const +{ + return verifyCallback_; +} + + const x509* SSL_CTX::getCert() const { return certificate_; @@ -1851,6 +1899,12 @@ bool SSL_CTX::GetSessionCacheOff() const } +bool SSL_CTX::GetSessionCacheFlushOff() const +{ + return sessionCacheFlushOff_; +} + + void SSL_CTX::SetUserData(void* data) { userData_ = data; @@ -1863,6 +1917,12 @@ void SSL_CTX::SetSessionCacheOff() } +void SSL_CTX::SetSessionCacheFlushOff() +{ + sessionCacheFlushOff_ = true; +} + + void SSL_CTX::setVerifyPeer() { method_->setVerifyPeer(); @@ -1881,6 +1941,12 @@ void SSL_CTX::setFailNoCert() } +void SSL_CTX::setVerifyCallback(VerifyCallback vc) +{ + verifyCallback_ = vc; +} + + bool SSL_CTX::SetDH(const DH& dh) { dhParms_.p_ = dh.p->int_; @@ -2316,7 +2382,7 @@ X509::X509(const char* i, size_t iSz, const char* s, size_t sSz, : issuer_(i, iSz), subject_(s, sSz), beforeDate_(b, bSz), afterDate_(a, aSz) {} - + X509_NAME* X509::GetIssuer() { @@ -2354,10 +2420,10 @@ ASN1_STRING* X509_NAME::GetEntry(int i) memcpy(entry_.data, &name_[i], sz_ - i); if (entry_.data[sz_ -i - 1]) { entry_.data[sz_ - i] = 0; - entry_.length = (int) (sz_ - i); + entry_.length = int(sz_) - i; } else - entry_.length = (int) (sz_ - i - 1); + entry_.length = int(sz_) - i - 1; entry_.type = 0; return &entry_; diff --git a/extra/yassl/taocrypt/Makefile.am b/extra/yassl/taocrypt/Makefile.am index c03c1a2713b..11fea2064f0 100644 --- a/extra/yassl/taocrypt/Makefile.am +++ b/extra/yassl/taocrypt/Makefile.am @@ -1,5 +1,5 @@ SUBDIRS = src test benchmark -EXTRA_DIST = taocrypt.dsw taocrypt.dsp CMakeLists.txt $(wildcard mySTL/*.hpp) +EXTRA_DIST = CMakeLists.txt $(wildcard mySTL/*.hpp) # Don't update the files from bitkeeper %::SCCS/s.% diff --git a/extra/yassl/taocrypt/src/random.cpp b/extra/yassl/taocrypt/src/random.cpp index 89fd5f7c7bc..2bbc0a85e8b 100644 --- a/extra/yassl/taocrypt/src/random.cpp +++ b/extra/yassl/taocrypt/src/random.cpp @@ -27,7 +27,6 @@ #include <time.h> #if defined(_WIN32) - #define _WIN32_WINNT 0x0400 #include <windows.h> #include <wincrypt.h> #else |