Commit a25adb1c authored by Georgi Kodinov's avatar Georgi Kodinov

Bug#13706621 : UNIFY THE YASSL VERSIONS THAT WE USE BY BACKPORTING 5.1

AND 5.5 YASSL FIXES.

Took the 5.5 yassl code and applied it to the 5.0 codebase, keeping the
compilation files.
parent 12376c17
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -34,6 +35,7 @@ ...@@ -34,6 +35,7 @@
#include "yassl_types.hpp" // SignatureAlgorithm #include "yassl_types.hpp" // SignatureAlgorithm
#include "buffer.hpp" // input_buffer #include "buffer.hpp" // input_buffer
#include "asn.hpp" // SignerList #include "asn.hpp" // SignerList
#include "openssl/ssl.h" // internal and external use
#include STL_LIST_FILE #include STL_LIST_FILE
#include STL_ALGORITHM_FILE #include STL_ALGORITHM_FILE
...@@ -87,6 +89,7 @@ class CertManager { ...@@ -87,6 +89,7 @@ class CertManager {
bool verifyNone_; // no error if verify fails bool verifyNone_; // no error if verify fails
bool failNoCert_; bool failNoCert_;
bool sendVerify_; bool sendVerify_;
VerifyCallback verifyCallback_; // user verify callback
public: public:
CertManager(); CertManager();
~CertManager(); ~CertManager();
...@@ -118,6 +121,7 @@ public: ...@@ -118,6 +121,7 @@ public:
void setFailNoCert(); void setFailNoCert();
void setSendVerify(); void setSendVerify();
void setPeerX509(X509*); void setPeerX509(X509*);
void setVerifyCallback(VerifyCallback);
private: private:
CertManager(const CertManager&); // hide copy CertManager(const CertManager&); // hide copy
CertManager& operator=(const CertManager&); // and assign CertManager& operator=(const CertManager&); // and assign
......
/* /*
Copyright (C) 2006, 2007 MySQL AB Copyright (c) 2006, 2007 MySQL AB, 2008 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -70,6 +71,7 @@ ...@@ -70,6 +71,7 @@
#define SSL_load_error_strings yaSSL_load_error_strings #define SSL_load_error_strings yaSSL_load_error_strings
#define SSL_set_session yaSSL_set_session #define SSL_set_session yaSSL_set_session
#define SSL_get_session yaSSL_get_session #define SSL_get_session yaSSL_get_session
#define SSL_flush_sessions yaSSL_flush_sessions
#define SSL_SESSION_set_timeout yaSSL_SESSION_set_timeout #define SSL_SESSION_set_timeout yaSSL_SESSION_set_timeout
#define SSL_CTX_set_session_cache_mode yaSSL_CTX_set_session_cache_mode #define SSL_CTX_set_session_cache_mode yaSSL_CTX_set_session_cache_mode
#define SSL_get_peer_certificate yaSSL_get_peer_certificate #define SSL_get_peer_certificate yaSSL_get_peer_certificate
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -170,8 +171,9 @@ enum { /* X509 Constants */ ...@@ -170,8 +171,9 @@ enum { /* X509 Constants */
X509_V_ERR_CRL_SIGNATURE_FAILURE = 10, X509_V_ERR_CRL_SIGNATURE_FAILURE = 10,
X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 11, X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD = 11,
X509_V_ERR_CRL_HAS_EXPIRED = 12, X509_V_ERR_CRL_HAS_EXPIRED = 12,
X509_V_ERR_CERT_REVOKED = 13 X509_V_ERR_CERT_REVOKED = 13,
X509_V_FLAG_CRL_CHECK = 14,
X509_V_FLAG_CRL_CHECK_ALL = 15
}; };
...@@ -202,7 +204,8 @@ SSL_CTX* SSL_CTX_new(SSL_METHOD*); ...@@ -202,7 +204,8 @@ SSL_CTX* SSL_CTX_new(SSL_METHOD*);
SSL* SSL_new(SSL_CTX*); SSL* SSL_new(SSL_CTX*);
int SSL_set_fd (SSL*, YASSL_SOCKET_T); int SSL_set_fd (SSL*, YASSL_SOCKET_T);
YASSL_SOCKET_T SSL_get_fd(const SSL*); YASSL_SOCKET_T SSL_get_fd(const SSL*);
int SSL_connect(SSL*); int SSL_connect(SSL*); /* if you get an error from connect
see note at top of REAMDE */
int SSL_write(SSL*, const void*, int); int SSL_write(SSL*, const void*, int);
int SSL_read(SSL*, void*, int); int SSL_read(SSL*, void*, int);
int SSL_accept(SSL*); int SSL_accept(SSL*);
...@@ -227,6 +230,7 @@ void SSL_load_error_strings(void); ...@@ -227,6 +230,7 @@ void SSL_load_error_strings(void);
int SSL_set_session(SSL *ssl, SSL_SESSION *session); int SSL_set_session(SSL *ssl, SSL_SESSION *session);
SSL_SESSION* SSL_get_session(SSL* ssl); SSL_SESSION* SSL_get_session(SSL* ssl);
void SSL_flush_sessions(SSL_CTX *ctx, long tm);
long SSL_SESSION_set_timeout(SSL_SESSION*, long); long SSL_SESSION_set_timeout(SSL_SESSION*, long);
long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode); long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode);
X509* SSL_get_peer_certificate(SSL*); X509* SSL_get_peer_certificate(SSL*);
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005-2007 MySQL AB, 2010 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -64,7 +65,7 @@ enum YasslError { ...@@ -64,7 +65,7 @@ enum YasslError {
enum Library { yaSSL_Lib = 0, CryptoLib, SocketLib }; enum Library { yaSSL_Lib = 0, CryptoLib, SocketLib };
enum { MAX_ERROR_SZ = 80 }; enum { MAX_ERROR_SZ = 80 };
void SetErrorString(YasslError, char*); void SetErrorString(unsigned long, char*);
/* remove for now, if go back to exceptions use this wrapper /* remove for now, if go back to exceptions use this wrapper
// Base class for all yaSSL exceptions // Base class for all yaSSL exceptions
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -667,10 +668,12 @@ struct Parameters { ...@@ -667,10 +668,12 @@ struct Parameters {
Cipher suites_[MAX_SUITE_SZ]; Cipher suites_[MAX_SUITE_SZ];
char cipher_name_[MAX_SUITE_NAME]; char cipher_name_[MAX_SUITE_NAME];
char cipher_list_[MAX_CIPHERS][MAX_SUITE_NAME]; char cipher_list_[MAX_CIPHERS][MAX_SUITE_NAME];
bool removeDH_; // for server's later use
Parameters(ConnectionEnd, const Ciphers&, ProtocolVersion, bool haveDH); Parameters(ConnectionEnd, const Ciphers&, ProtocolVersion, bool haveDH);
void SetSuites(ProtocolVersion pv, bool removeDH = false); void SetSuites(ProtocolVersion pv, bool removeDH = false,
bool removeRSA = false, bool removeDSA = false);
void SetCipherNames(); void SetCipherNames();
private: private:
Parameters(const Parameters&); // hide copy Parameters(const Parameters&); // hide copy
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -34,9 +34,8 @@ ...@@ -34,9 +34,8 @@
#include "openssl/ssl.h" // ASN1_STRING and DH #include "openssl/ssl.h" // ASN1_STRING and DH
// Check if _POSIX_THREADS should be forced // Check if _POSIX_THREADS should be forced
#if !defined(_POSIX_THREADS) && (defined(__NETWARE__) || defined(__hpux)) #if !defined(_POSIX_THREADS) && defined(__hpux)
// HPUX does not define _POSIX_THREADS as it's not _fully_ implemented // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented
// Netware supports pthreads but does not announce it
#define _POSIX_THREADS #define _POSIX_THREADS
#endif #endif
...@@ -268,12 +267,14 @@ class Sessions { ...@@ -268,12 +267,14 @@ class Sessions {
STL::list<SSL_SESSION*> list_; STL::list<SSL_SESSION*> list_;
RandomPool random_; // for session cleaning RandomPool random_; // for session cleaning
Mutex mutex_; // no-op for single threaded Mutex mutex_; // no-op for single threaded
int count_; // flush counter
Sessions() {} // only GetSessions can create Sessions() : count_(0) {} // only GetSessions can create
public: public:
SSL_SESSION* lookup(const opaque*, SSL_SESSION* copy = 0); SSL_SESSION* lookup(const opaque*, SSL_SESSION* copy = 0);
void add(const SSL&); void add(const SSL&);
void remove(const opaque*); void remove(const opaque*);
void Flush();
~Sessions(); ~Sessions();
...@@ -425,8 +426,10 @@ private: ...@@ -425,8 +426,10 @@ private:
pem_password_cb passwordCb_; pem_password_cb passwordCb_;
void* userData_; void* userData_;
bool sessionCacheOff_; bool sessionCacheOff_;
bool sessionCacheFlushOff_;
Stats stats_; Stats stats_;
Mutex mutex_; // for Stats Mutex mutex_; // for Stats
VerifyCallback verifyCallback_;
public: public:
explicit SSL_CTX(SSL_METHOD* meth); explicit SSL_CTX(SSL_METHOD* meth);
~SSL_CTX(); ~SSL_CTX();
...@@ -437,18 +440,22 @@ public: ...@@ -437,18 +440,22 @@ public:
const Ciphers& GetCiphers() const; const Ciphers& GetCiphers() const;
const DH_Parms& GetDH_Parms() const; const DH_Parms& GetDH_Parms() const;
const Stats& GetStats() const; const Stats& GetStats() const;
VerifyCallback getVerifyCallback() const;
pem_password_cb GetPasswordCb() const; pem_password_cb GetPasswordCb() const;
void* GetUserData() const; void* GetUserData() const;
bool GetSessionCacheOff() const; bool GetSessionCacheOff() const;
bool GetSessionCacheFlushOff() const;
void setVerifyPeer(); void setVerifyPeer();
void setVerifyNone(); void setVerifyNone();
void setFailNoCert(); void setFailNoCert();
void setVerifyCallback(VerifyCallback);
bool SetCipherList(const char*); bool SetCipherList(const char*);
bool SetDH(const DH&); bool SetDH(const DH&);
void SetPasswordCb(pem_password_cb cb); void SetPasswordCb(pem_password_cb cb);
void SetUserData(void*); void SetUserData(void*);
void SetSessionCacheOff(); void SetSessionCacheOff();
void SetSessionCacheFlushOff();
void IncrementStats(StatsField); void IncrementStats(StatsField);
void AddCA(x509* ca); void AddCA(x509* ca);
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005-2007 MySQL AB, 2008 Sun Microsystems, Inc.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -29,6 +30,13 @@ ...@@ -29,6 +30,13 @@
#include "type_traits.hpp" #include "type_traits.hpp"
#ifdef _MSC_VER
// disable conversion warning
// 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy
#pragma warning(disable:4244 4996)
#endif
namespace yaSSL { namespace yaSSL {
#define YASSL_LIB #define YASSL_LIB
...@@ -163,7 +171,7 @@ const int RMD_LEN = 20; // RIPEMD-160 digest length ...@@ -163,7 +171,7 @@ const int RMD_LEN = 20; // RIPEMD-160 digest length
const int PREFIX = 3; // up to 3 prefix letters for secret rounds const int PREFIX = 3; // up to 3 prefix letters for secret rounds
const int KEY_PREFIX = 7; // up to 7 prefix letters for key rounds const int KEY_PREFIX = 7; // up to 7 prefix letters for key rounds
const int FORTEZZA_MAX = 128; // Maximum Fortezza Key length const int FORTEZZA_MAX = 128; // Maximum Fortezza Key length
const int MAX_SUITE_SZ = 64; // 32 max suites * sizeof(suite) const int MAX_SUITE_SZ = 128; // 64 max suites * sizeof(suite)
const int MAX_SUITE_NAME = 48; // max length of suite name const int MAX_SUITE_NAME = 48; // max length of suite name
const int MAX_CIPHERS = 32; // max supported ciphers for cipher list const int MAX_CIPHERS = 32; // max supported ciphers for cipher list
const int SIZEOF_ENUM = 1; // SSL considers an enum 1 byte, not 4 const int SIZEOF_ENUM = 1; // SSL considers an enum 1 byte, not 4
...@@ -205,6 +213,7 @@ const int SEED_LEN = RAN_LEN * 2; // TLS seed, client + server random ...@@ -205,6 +213,7 @@ const int SEED_LEN = RAN_LEN * 2; // TLS seed, client + server random
const int DEFAULT_TIMEOUT = 500; // Default Session timeout in seconds const int DEFAULT_TIMEOUT = 500; // Default Session timeout in seconds
const int MAX_RECORD_SIZE = 16384; // 2^14, max size by standard const int MAX_RECORD_SIZE = 16384; // 2^14, max size by standard
const int COMPRESS_EXTRA = 1024; // extra compression possible addition const int COMPRESS_EXTRA = 1024; // extra compression possible addition
const int SESSION_FLUSH_COUNT = 256; // when to flush session cache
typedef uint8 Cipher; // first byte is always 0x00 for SSLv3 & TLS typedef uint8 Cipher; // first byte is always 0x00 for SSLv3 & TLS
......
/* /*
Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. Copyright (c) 2005-2007 MySQL AB, 2008, 2009 Sun Microsystems, Inc.
Use is subject to license terms. Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
...@@ -25,6 +25,7 @@ ...@@ -25,6 +25,7 @@
#include "runtime.hpp" #include "runtime.hpp"
#include "cert_wrapper.hpp" #include "cert_wrapper.hpp"
#include "yassl_int.hpp" #include "yassl_int.hpp"
#include "error.hpp"
#if defined(USE_CML_LIB) #if defined(USE_CML_LIB)
#include "cmapi_cpp.h" #include "cmapi_cpp.h"
...@@ -91,7 +92,7 @@ opaque* x509::use_buffer() ...@@ -91,7 +92,7 @@ opaque* x509::use_buffer()
//CertManager //CertManager
CertManager::CertManager() CertManager::CertManager()
: peerX509_(0), verifyPeer_(false), verifyNone_(false), failNoCert_(false), : peerX509_(0), verifyPeer_(false), verifyNone_(false), failNoCert_(false),
sendVerify_(false) sendVerify_(false), verifyCallback_(0)
{} {}
...@@ -155,6 +156,12 @@ void CertManager::setSendVerify() ...@@ -155,6 +156,12 @@ void CertManager::setSendVerify()
} }
void CertManager::setVerifyCallback(VerifyCallback vc)
{
verifyCallback_ = vc;
}
void CertManager::AddPeerCert(x509* x) void CertManager::AddPeerCert(x509* x)
{ {
peerList_.push_back(x); // take ownership peerList_.push_back(x); // take ownership
...@@ -237,7 +244,7 @@ uint CertManager::get_privateKeyLength() const ...@@ -237,7 +244,7 @@ uint CertManager::get_privateKeyLength() const
int CertManager::Validate() int CertManager::Validate()
{ {
CertList::reverse_iterator last = peerList_.rbegin(); CertList::reverse_iterator last = peerList_.rbegin();
size_t count= peerList_.size(); size_t count = peerList_.size();
while ( count > 1 ) { while ( count > 1 ) {
TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length());
...@@ -258,7 +265,8 @@ int CertManager::Validate() ...@@ -258,7 +265,8 @@ int CertManager::Validate()
TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length()); TaoCrypt::Source source((*last)->get_buffer(), (*last)->get_length());
TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_); TaoCrypt::CertDecoder cert(source, true, &signers_, verifyNone_);
if (int err = cert.GetError().What()) int err = cert.GetError().What();
if ( err )
return err; return err;
uint sz = cert.GetPublicKey().size(); uint sz = cert.GetPublicKey().size();
...@@ -270,13 +278,25 @@ int CertManager::Validate() ...@@ -270,13 +278,25 @@ int CertManager::Validate()
else else
peerKeyType_ = dsa_sa_algo; peerKeyType_ = dsa_sa_algo;
size_t iSz= strlen(cert.GetIssuer()) + 1; size_t iSz = strlen(cert.GetIssuer()) + 1;
size_t sSz= strlen(cert.GetCommonName()) + 1; size_t sSz = strlen(cert.GetCommonName()) + 1;
size_t bSz= strlen(cert.GetBeforeDate()) + 1; int bSz = (int)strlen(cert.GetBeforeDate()) + 1;
size_t aSz= strlen(cert.GetAfterDate()) + 1; int aSz = (int)strlen(cert.GetAfterDate()) + 1;
peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(), peerX509_ = NEW_YS X509(cert.GetIssuer(), iSz, cert.GetCommonName(),
sSz, cert.GetBeforeDate(), (int) bSz, sSz, cert.GetBeforeDate(), bSz,
cert.GetAfterDate(), (int) aSz); cert.GetAfterDate(), aSz);
if (err == TaoCrypt::SIG_OTHER_E && verifyCallback_) {
X509_STORE_CTX store;
store.error = err;
store.error_depth = static_cast<int>(count) - 1;
store.current_cert = peerX509_;
int ok = verifyCallback_(0, &store);
if (ok) return 0;
}
if (err == TaoCrypt::SIG_OTHER_E) return err;
} }
return 0; return 0;
} }
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -953,7 +953,8 @@ x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info) ...@@ -953,7 +953,8 @@ x509* PemToDer(FILE* file, CertType type, EncryptedInfo* info)
info->set = true; info->set = true;
} }
} }
fgets(line,sizeof(line), file); // get blank line // get blank line
if (fgets(line, sizeof(line), file))
begin = ftell(file); begin = ftell(file);
} }
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -37,7 +37,7 @@ ...@@ -37,7 +37,7 @@
#include <fcntl.h> #include <fcntl.h>
#endif // _WIN32 #endif // _WIN32
#if defined(__sun) || defined(__SCO_VERSION__) || defined(__NETWARE__) #if defined(__sun) || defined(__SCO_VERSION__)
#include <sys/filio.h> #include <sys/filio.h>
#endif #endif
......
/* /*
Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. Copyright (c) 2005-2007 MySQL AB, 2008-2010 Sun Microsystems, Inc.
Use is subject to license terms. Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
...@@ -246,6 +246,7 @@ YASSL_SOCKET_T SSL_get_fd(const SSL* ssl) ...@@ -246,6 +246,7 @@ YASSL_SOCKET_T SSL_get_fd(const SSL* ssl)
} }
// if you get an error from connect see note at top of README
int SSL_connect(SSL* ssl) int SSL_connect(SSL* ssl)
{ {
if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ)) if (ssl->GetError() == YasslError(SSL_ERROR_WANT_READ))
...@@ -448,6 +449,9 @@ long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode) ...@@ -448,6 +449,9 @@ long SSL_CTX_set_session_cache_mode(SSL_CTX* ctx, long mode)
if (mode == SSL_SESS_CACHE_OFF) if (mode == SSL_SESS_CACHE_OFF)
ctx->SetSessionCacheOff(); ctx->SetSessionCacheOff();
if (mode == SSL_SESS_CACHE_NO_AUTO_CLEAR)
ctx->SetSessionCacheFlushOff();
return SSL_SUCCESS; return SSL_SUCCESS;
} }
...@@ -494,6 +498,15 @@ long SSL_get_default_timeout(SSL* /*ssl*/) ...@@ -494,6 +498,15 @@ long SSL_get_default_timeout(SSL* /*ssl*/)
} }
void SSL_flush_sessions(SSL_CTX *ctx, long /* tm */)
{
if (ctx->GetSessionCacheOff())
return;
GetSessions().Flush();
}
const char* SSL_get_cipher_name(SSL* ssl) const char* SSL_get_cipher_name(SSL* ssl)
{ {
return SSL_get_cipher(ssl); return SSL_get_cipher(ssl);
...@@ -561,7 +574,7 @@ int SSL_get_error(SSL* ssl, int /*previous*/) ...@@ -561,7 +574,7 @@ int SSL_get_error(SSL* ssl, int /*previous*/)
only need to turn on for client, becuase server on by default if built in only need to turn on for client, becuase server on by default if built in
but calling for server will tell you whether it's available or not but calling for server will tell you whether it's available or not
*/ */
int SSL_set_compression(SSL* ssl) int SSL_set_compression(SSL* ssl) /* Chad didn't rename to ya~ because it is prob. bug. */
{ {
return ssl->SetCompression(); return ssl->SetCompression();
} }
...@@ -605,13 +618,13 @@ char* X509_NAME_oneline(X509_NAME* name, char* buffer, int sz) ...@@ -605,13 +618,13 @@ char* X509_NAME_oneline(X509_NAME* name, char* buffer, int sz)
{ {
if (!name->GetName()) return buffer; if (!name->GetName()) return buffer;
size_t len= strlen(name->GetName()) + 1; int len = (int)strlen(name->GetName()) + 1;
int copySz = min((int) len, sz); int copySz = min(len, sz);
if (!buffer) { if (!buffer) {
buffer = (char*)malloc(len); buffer = (char*)malloc(len);
if (!buffer) return buffer; if (!buffer) return buffer;
copySz = (int) len; copySz = len;
} }
if (copySz == 0) if (copySz == 0)
...@@ -694,7 +707,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format) ...@@ -694,7 +707,7 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX* ctx, const char* file, int format)
} }
void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback vc)
{ {
if (mode & SSL_VERIFY_PEER) if (mode & SSL_VERIFY_PEER)
ctx->setVerifyPeer(); ctx->setVerifyPeer();
...@@ -704,6 +717,8 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/) ...@@ -704,6 +717,8 @@ void SSL_CTX_set_verify(SSL_CTX* ctx, int mode, VerifyCallback /*vc*/)
if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) if (mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
ctx->setFailNoCert(); ctx->setFailNoCert();
ctx->setVerifyCallback(vc);
} }
...@@ -977,7 +992,7 @@ char* ERR_error_string(unsigned long errNumber, char* buffer) ...@@ -977,7 +992,7 @@ char* ERR_error_string(unsigned long errNumber, char* buffer)
static char* msg = (char*)"Please supply a buffer for error string"; static char* msg = (char*)"Please supply a buffer for error string";
if (buffer) { if (buffer) {
SetErrorString(YasslError(errNumber), buffer); SetErrorString(errNumber, buffer);
return buffer; return buffer;
} }
...@@ -1451,6 +1466,8 @@ unsigned long err_helper(bool peek = false) ...@@ -1451,6 +1466,8 @@ unsigned long err_helper(bool peek = false)
default : default :
return 0; return 0;
} }
return 0; // shut up compiler
} }
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -26,6 +26,11 @@ ...@@ -26,6 +26,11 @@
#include "openssl/ssl.h" // SSL_ERROR_WANT_READ #include "openssl/ssl.h" // SSL_ERROR_WANT_READ
#include <string.h> // strncpy #include <string.h> // strncpy
#ifdef _MSC_VER
// 4996 warning to use MS extensions e.g., strcpy_s instead of strncpy
#pragma warning(disable: 4996)
#endif
namespace yaSSL { namespace yaSSL {
...@@ -50,7 +55,7 @@ Library Error::get_lib() const ...@@ -50,7 +55,7 @@ Library Error::get_lib() const
*/ */
void SetErrorString(YasslError error, char* buffer) void SetErrorString(unsigned long error, char* buffer)
{ {
using namespace TaoCrypt; using namespace TaoCrypt;
const int max = MAX_ERROR_SZ; // shorthand const int max = MAX_ERROR_SZ; // shorthand
...@@ -123,7 +128,7 @@ void SetErrorString(YasslError error, char* buffer) ...@@ -123,7 +128,7 @@ void SetErrorString(YasslError error, char* buffer)
break; break;
case badVersion_error : case badVersion_error :
strncpy(buffer, "protocl version mismatch", max); strncpy(buffer, "protocol version mismatch", max);
break; break;
case compress_error : case compress_error :
......
/* /*
Copyright (c) 2005-2008 MySQL AB, 2009 Sun Microsystems, Inc. Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -137,9 +136,19 @@ void DH_Server::build(SSL& ssl) ...@@ -137,9 +136,19 @@ void DH_Server::build(SSL& ssl)
const CertManager& cert = ssl.getCrypto().get_certManager(); const CertManager& cert = ssl.getCrypto().get_certManager();
if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo) if (ssl.getSecurity().get_parms().sig_algo_ == rsa_sa_algo)
{
if (cert.get_keyType() != rsa_sa_algo) {
ssl.SetError(privateKey_error);
return;
}
auth.reset(NEW_YS RSA(cert.get_privateKey(), auth.reset(NEW_YS RSA(cert.get_privateKey(),
cert.get_privateKeyLength(), false)); cert.get_privateKeyLength(), false));
}
else { else {
if (cert.get_keyType() != dsa_sa_algo) {
ssl.SetError(privateKey_error);
return;
}
auth.reset(NEW_YS DSS(cert.get_privateKey(), auth.reset(NEW_YS DSS(cert.get_privateKey(),
cert.get_privateKeyLength(), false)); cert.get_privateKeyLength(), false));
sigSz += DSS_ENCODED_EXTRA; sigSz += DSS_ENCODED_EXTRA;
...@@ -437,18 +446,21 @@ Parameters::Parameters(ConnectionEnd ce, const Ciphers& ciphers, ...@@ -437,18 +446,21 @@ Parameters::Parameters(ConnectionEnd ce, const Ciphers& ciphers,
pending_ = true; // suite not set yet pending_ = true; // suite not set yet
strncpy(cipher_name_, "NONE", 5); strncpy(cipher_name_, "NONE", 5);
removeDH_ = !haveDH; // only use on server side for set suites
if (ciphers.setSuites_) { // use user set list if (ciphers.setSuites_) { // use user set list
suites_size_ = ciphers.suiteSz_; suites_size_ = ciphers.suiteSz_;
memcpy(suites_, ciphers.suites_, ciphers.suiteSz_); memcpy(suites_, ciphers.suites_, ciphers.suiteSz_);
SetCipherNames(); SetCipherNames();
} }
else else
SetSuites(pv, ce == server_end && !haveDH); // defaults SetSuites(pv, ce == server_end && removeDH_); // defaults
} }
void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) void Parameters::SetSuites(ProtocolVersion pv, bool removeDH, bool removeRSA,
bool removeDSA)
{ {
int i = 0; int i = 0;
// available suites, best first // available suites, best first
...@@ -457,38 +469,49 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) ...@@ -457,38 +469,49 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH)
if (isTLS(pv)) { if (isTLS(pv)) {
if (!removeDH) { if (!removeDH) {
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA; suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_SHA;
}
if (!removeDSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA; suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_SHA;
} }
}
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA; suites_[i++] = TLS_RSA_WITH_AES_256_CBC_SHA;
}
if (!removeDH) { if (!removeDH) {
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA; suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_SHA;
}
if (!removeDSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA; suites_[i++] = TLS_DHE_DSS_WITH_AES_128_CBC_SHA;
} }
}
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA; suites_[i++] = TLS_RSA_WITH_AES_128_CBC_SHA;
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160; suites_[i++] = TLS_RSA_WITH_AES_256_CBC_RMD160;
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160; suites_[i++] = TLS_RSA_WITH_AES_128_CBC_RMD160;
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160; suites_[i++] = TLS_RSA_WITH_3DES_EDE_CBC_RMD160;
}
if (!removeDH) { if (!removeDH) {
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160; suites_[i++] = TLS_DHE_RSA_WITH_AES_256_CBC_RMD160;
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160; suites_[i++] = TLS_DHE_RSA_WITH_AES_128_CBC_RMD160;
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160; suites_[i++] = TLS_DHE_RSA_WITH_3DES_EDE_CBC_RMD160;
}
if (!removeDSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160; suites_[i++] = TLS_DHE_DSS_WITH_AES_256_CBC_RMD160;
suites_[i++] = 0x00; suites_[i++] = 0x00;
...@@ -497,7 +520,9 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) ...@@ -497,7 +520,9 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH)
suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160; suites_[i++] = TLS_DHE_DSS_WITH_3DES_EDE_CBC_RMD160;
} }
} }
}
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = SSL_RSA_WITH_RC4_128_SHA; suites_[i++] = SSL_RSA_WITH_RC4_128_SHA;
suites_[i++] = 0x00; suites_[i++] = 0x00;
...@@ -507,18 +532,25 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH) ...@@ -507,18 +532,25 @@ void Parameters::SetSuites(ProtocolVersion pv, bool removeDH)
suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA; suites_[i++] = SSL_RSA_WITH_3DES_EDE_CBC_SHA;
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA; suites_[i++] = SSL_RSA_WITH_DES_CBC_SHA;
}
if (!removeDH) { if (!removeDH) {
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA; suites_[i++] = SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA;
}
if (!removeDSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA; suites_[i++] = SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA;
}
if (!removeRSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA; suites_[i++] = SSL_DHE_RSA_WITH_DES_CBC_SHA;
}
if (!removeDSA) {
suites_[i++] = 0x00; suites_[i++] = 0x00;
suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA; suites_[i++] = SSL_DHE_DSS_WITH_DES_CBC_SHA;
} }
}
suites_size_ = i; suites_size_ = i;
...@@ -852,21 +884,19 @@ void Alert::Process(input_buffer& input, SSL& ssl) ...@@ -852,21 +884,19 @@ void Alert::Process(input_buffer& input, SSL& ssl)
else else
hmac(ssl, verify, data, aSz, alert, true); hmac(ssl, verify, data, aSz, alert, true);
// read mac and fill // read mac and skip fill
int digestSz = ssl.getCrypto().get_digest().get_digestSize(); int digestSz = ssl.getCrypto().get_digest().get_digestSize();
opaque mac[SHA_LEN]; opaque mac[SHA_LEN];
input.read(mac, digestSz); input.read(mac, digestSz);
if (ssl.getSecurity().get_parms().cipher_type_ == block) { if (ssl.getSecurity().get_parms().cipher_type_ == block) {
int ivExtra = 0; int ivExtra = 0;
opaque fill;
if (ssl.isTLSv1_1()) if (ssl.isTLSv1_1())
ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); ivExtra = ssl.getCrypto().get_cipher().get_blockSize();
int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra - int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra -
aSz - digestSz; aSz - digestSz;
for (int i = 0; i < padSz; i++) input.set_current(input.get_current() + padSz);
fill = input[AUTO];
} }
// verify // verify
...@@ -949,17 +979,17 @@ output_buffer& operator<<(output_buffer& output, const Data& data) ...@@ -949,17 +979,17 @@ output_buffer& operator<<(output_buffer& output, const Data& data)
void Data::Process(input_buffer& input, SSL& ssl) void Data::Process(input_buffer& input, SSL& ssl)
{ {
int msgSz = ssl.getSecurity().get_parms().encrypt_size_; int msgSz = ssl.getSecurity().get_parms().encrypt_size_;
int pad = 0, padByte = 0; int pad = 0, padSz = 0;
int ivExtra = 0; int ivExtra = 0;
if (ssl.getSecurity().get_parms().cipher_type_ == block) { if (ssl.getSecurity().get_parms().cipher_type_ == block) {
if (ssl.isTLSv1_1()) // IV if (ssl.isTLSv1_1()) // IV
ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); ivExtra = ssl.getCrypto().get_cipher().get_blockSize();
pad = *(input.get_buffer() + input.get_current() + msgSz -ivExtra - 1); pad = *(input.get_buffer() + input.get_current() + msgSz -ivExtra - 1);
padByte = 1; padSz = 1;
} }
int digestSz = ssl.getCrypto().get_digest().get_digestSize(); int digestSz = ssl.getCrypto().get_digest().get_digestSize();
int dataSz = msgSz - ivExtra - digestSz - pad - padByte; int dataSz = msgSz - ivExtra - digestSz - pad - padSz;
opaque verify[SHA_LEN]; opaque verify[SHA_LEN];
const byte* rawData = input.get_buffer() + input.get_current(); const byte* rawData = input.get_buffer() + input.get_current();
...@@ -988,14 +1018,10 @@ void Data::Process(input_buffer& input, SSL& ssl) ...@@ -988,14 +1018,10 @@ void Data::Process(input_buffer& input, SSL& ssl)
hmac(ssl, verify, rawData, dataSz, application_data, true); hmac(ssl, verify, rawData, dataSz, application_data, true);
} }
// read mac and fill // read mac and skip fill
opaque mac[SHA_LEN]; opaque mac[SHA_LEN];
opaque fill;
input.read(mac, digestSz); input.read(mac, digestSz);
for (int i = 0; i < pad; i++) input.set_current(input.get_current() + pad + padSz);
fill = input[AUTO];
if (padByte)
fill = input[AUTO];
// verify // verify
if (dataSz) { if (dataSz) {
...@@ -1472,7 +1498,19 @@ void ClientHello::Process(input_buffer&, SSL& ssl) ...@@ -1472,7 +1498,19 @@ void ClientHello::Process(input_buffer&, SSL& ssl)
// downgrade to SSLv3 // downgrade to SSLv3
ssl.useSecurity().use_connection().TurnOffTLS(); ssl.useSecurity().use_connection().TurnOffTLS();
ProtocolVersion pv = ssl.getSecurity().get_connection().version_; ProtocolVersion pv = ssl.getSecurity().get_connection().version_;
ssl.useSecurity().use_parms().SetSuites(pv); // reset w/ SSL suites bool removeDH = ssl.getSecurity().get_parms().removeDH_;
bool removeRSA = false;
bool removeDSA = false;
const CertManager& cm = ssl.getCrypto().get_certManager();
if (cm.get_keyType() == rsa_sa_algo)
removeDSA = true;
else
removeRSA = true;
// reset w/ SSL suites
ssl.useSecurity().use_parms().SetSuites(pv, removeDH, removeRSA,
removeDSA);
} }
else if (ssl.isTLSv1_1() && client_version_.minor_ == 1) else if (ssl.isTLSv1_1() && client_version_.minor_ == 1)
// downgrade to TLSv1, but use same suites // downgrade to TLSv1, but use same suites
...@@ -1518,6 +1556,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl) ...@@ -1518,6 +1556,7 @@ void ClientHello::Process(input_buffer&, SSL& ssl)
return; return;
} }
ssl.matchSuite(cipher_suites_, suite_len_); ssl.matchSuite(cipher_suites_, suite_len_);
if (ssl.GetError()) return;
ssl.set_pending(ssl.getSecurity().get_parms().suite_[1]); ssl.set_pending(ssl.getSecurity().get_parms().suite_[1]);
if (compression_methods_ == zlib) if (compression_methods_ == zlib)
...@@ -2028,11 +2067,9 @@ void Finished::Process(input_buffer& input, SSL& ssl) ...@@ -2028,11 +2067,9 @@ void Finished::Process(input_buffer& input, SSL& ssl)
if (ssl.isTLSv1_1()) if (ssl.isTLSv1_1())
ivExtra = ssl.getCrypto().get_cipher().get_blockSize(); ivExtra = ssl.getCrypto().get_cipher().get_blockSize();
opaque fill;
int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra - int padSz = ssl.getSecurity().get_parms().encrypt_size_ - ivExtra -
HANDSHAKE_HEADER - finishedSz - digestSz; HANDSHAKE_HEADER - finishedSz - digestSz;
for (int i = 0; i < padSz; i++) input.set_current(input.get_current() + padSz);
fill = input[AUTO];
// verify mac // verify mac
if (memcmp(mac, verifyMAC, digestSz)) { if (memcmp(mac, verifyMAC, digestSz)) {
......
/* /*
Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. Copyright (c) 2005, 2011, Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -309,6 +308,20 @@ SSL::SSL(SSL_CTX* ctx) ...@@ -309,6 +308,20 @@ SSL::SSL(SSL_CTX* ctx)
SetError(YasslError(err)); SetError(YasslError(err));
return; return;
} }
else if (serverSide && !(ctx->GetCiphers().setSuites_)) {
// remove RSA or DSA suites depending on cert key type
ProtocolVersion pv = secure_.get_connection().version_;
bool removeDH = secure_.use_parms().removeDH_;
bool removeRSA = false;
bool removeDSA = false;
if (cm.get_keyType() == rsa_sa_algo)
removeDSA = true;
else
removeRSA = true;
secure_.use_parms().SetSuites(pv, removeDH, removeRSA, removeDSA);
}
} }
else if (serverSide) { else if (serverSide) {
SetError(no_key_file); SetError(no_key_file);
...@@ -321,6 +334,7 @@ SSL::SSL(SSL_CTX* ctx) ...@@ -321,6 +334,7 @@ SSL::SSL(SSL_CTX* ctx)
cm.setVerifyNone(); cm.setVerifyNone();
if (ctx->getMethod()->failNoCert()) if (ctx->getMethod()->failNoCert())
cm.setFailNoCert(); cm.setFailNoCert();
cm.setVerifyCallback(ctx->getVerifyCallback());
if (serverSide) if (serverSide)
crypto_.SetDH(ctx->GetDH_Parms()); crypto_.SetDH(ctx->GetDH_Parms());
...@@ -1040,7 +1054,7 @@ void SSL::fillData(Data& data) ...@@ -1040,7 +1054,7 @@ void SSL::fillData(Data& data)
data.set_length(0); // output, actual data filled data.set_length(0); // output, actual data filled
dataSz = min(dataSz, bufferedData()); dataSz = min(dataSz, bufferedData());
for (uint i = 0; i < elements; i++) { for (size_t i = 0; i < elements; i++) {
input_buffer* front = buffers_.getData().front(); input_buffer* front = buffers_.getData().front();
uint frontSz = front->get_remaining(); uint frontSz = front->get_remaining();
uint readSz = min(dataSz - data.get_length(), frontSz); uint readSz = min(dataSz - data.get_length(), frontSz);
...@@ -1101,7 +1115,7 @@ void SSL::flushBuffer() ...@@ -1101,7 +1115,7 @@ void SSL::flushBuffer()
output_buffer out(sz); output_buffer out(sz);
size_t elements = buffers_.getHandShake().size(); size_t elements = buffers_.getHandShake().size();
for (uint i = 0; i < elements; i++) { for (size_t i = 0; i < elements; i++) {
output_buffer* front = buffers_.getHandShake().front(); output_buffer* front = buffers_.getHandShake().front();
out.write(front->get_buffer(), front->get_size()); out.write(front->get_buffer(), front->get_size());
...@@ -1277,6 +1291,7 @@ void SSL::matchSuite(const opaque* peer, uint length) ...@@ -1277,6 +1291,7 @@ void SSL::matchSuite(const opaque* peer, uint length)
if (secure_.use_parms().suites_[i] == peer[j]) { if (secure_.use_parms().suites_[i] == peer[j]) {
secure_.use_parms().suite_[0] = 0x00; secure_.use_parms().suite_[0] = 0x00;
secure_.use_parms().suite_[1] = peer[j]; secure_.use_parms().suite_[1] = peer[j];
return; return;
} }
...@@ -1567,12 +1582,18 @@ Errors& GetErrors() ...@@ -1567,12 +1582,18 @@ Errors& GetErrors()
typedef Mutex::Lock Lock; typedef Mutex::Lock Lock;
void Sessions::add(const SSL& ssl) void Sessions::add(const SSL& ssl)
{ {
if (ssl.getSecurity().get_connection().sessionID_Set_) { if (ssl.getSecurity().get_connection().sessionID_Set_) {
Lock guard(mutex_); Lock guard(mutex_);
list_.push_back(NEW_YS SSL_SESSION(ssl, random_)); list_.push_back(NEW_YS SSL_SESSION(ssl, random_));
count_++;
} }
if (count_ > SESSION_FLUSH_COUNT)
if (!ssl.getSecurity().GetContext()->GetSessionCacheFlushOff())
Flush();
} }
...@@ -1661,6 +1682,25 @@ void Sessions::remove(const opaque* id) ...@@ -1661,6 +1682,25 @@ void Sessions::remove(const opaque* id)
} }
// flush expired sessions from cache
void Sessions::Flush()
{
Lock guard(mutex_);
sess_iterator next = list_.begin();
uint current = lowResTimer();
while (next != list_.end()) {
sess_iterator si = next;
++next;
if ( ((*si)->GetBornOn() + (*si)->GetTimeOut()) < current) {
del_ptr_zero()(*si);
list_.erase(si);
}
}
count_ = 0; // reset flush counter
}
// remove a self thread error // remove a self thread error
void Errors::Remove() void Errors::Remove()
{ {
...@@ -1765,7 +1805,8 @@ bool SSL_METHOD::multipleProtocol() const ...@@ -1765,7 +1805,8 @@ bool SSL_METHOD::multipleProtocol() const
SSL_CTX::SSL_CTX(SSL_METHOD* meth) SSL_CTX::SSL_CTX(SSL_METHOD* meth)
: method_(meth), certificate_(0), privateKey_(0), passwordCb_(0), : method_(meth), certificate_(0), privateKey_(0), passwordCb_(0),
userData_(0), sessionCacheOff_(false) userData_(0), sessionCacheOff_(false), sessionCacheFlushOff_(false),
verifyCallback_(0)
{} {}
...@@ -1792,6 +1833,12 @@ SSL_CTX::GetCA_List() const ...@@ -1792,6 +1833,12 @@ SSL_CTX::GetCA_List() const
} }
VerifyCallback SSL_CTX::getVerifyCallback() const
{
return verifyCallback_;
}
const x509* SSL_CTX::getCert() const const x509* SSL_CTX::getCert() const
{ {
return certificate_; return certificate_;
...@@ -1852,6 +1899,12 @@ bool SSL_CTX::GetSessionCacheOff() const ...@@ -1852,6 +1899,12 @@ bool SSL_CTX::GetSessionCacheOff() const
} }
bool SSL_CTX::GetSessionCacheFlushOff() const
{
return sessionCacheFlushOff_;
}
void SSL_CTX::SetUserData(void* data) void SSL_CTX::SetUserData(void* data)
{ {
userData_ = data; userData_ = data;
...@@ -1864,6 +1917,12 @@ void SSL_CTX::SetSessionCacheOff() ...@@ -1864,6 +1917,12 @@ void SSL_CTX::SetSessionCacheOff()
} }
void SSL_CTX::SetSessionCacheFlushOff()
{
sessionCacheFlushOff_ = true;
}
void SSL_CTX::setVerifyPeer() void SSL_CTX::setVerifyPeer()
{ {
method_->setVerifyPeer(); method_->setVerifyPeer();
...@@ -1882,6 +1941,12 @@ void SSL_CTX::setFailNoCert() ...@@ -1882,6 +1941,12 @@ void SSL_CTX::setFailNoCert()
} }
void SSL_CTX::setVerifyCallback(VerifyCallback vc)
{
verifyCallback_ = vc;
}
bool SSL_CTX::SetDH(const DH& dh) bool SSL_CTX::SetDH(const DH& dh)
{ {
dhParms_.p_ = dh.p->int_; dhParms_.p_ = dh.p->int_;
...@@ -2355,10 +2420,10 @@ ASN1_STRING* X509_NAME::GetEntry(int i) ...@@ -2355,10 +2420,10 @@ ASN1_STRING* X509_NAME::GetEntry(int i)
memcpy(entry_.data, &name_[i], sz_ - i); memcpy(entry_.data, &name_[i], sz_ - i);
if (entry_.data[sz_ -i - 1]) { if (entry_.data[sz_ -i - 1]) {
entry_.data[sz_ - i] = 0; entry_.data[sz_ - i] = 0;
entry_.length = (int) (sz_ - i); entry_.length = int(sz_) - i;
} }
else else
entry_.length = (int) (sz_ - i - 1); entry_.length = int(sz_) - i - 1;
entry_.type = 0; entry_.type = 0;
return &entry_; return &entry_;
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -51,7 +51,7 @@ public: ...@@ -51,7 +51,7 @@ public:
enum { BLOCK_SIZE = BLOWFISH_BLOCK_SIZE, ROUNDS = 16 }; enum { BLOCK_SIZE = BLOWFISH_BLOCK_SIZE, ROUNDS = 16 };
Blowfish(CipherDir DIR, Mode MODE) Blowfish(CipherDir DIR, Mode MODE)
: Mode_BASE(BLOCK_SIZE, DIR, MODE) {} : Mode_BASE(BLOCK_SIZE, DIR, MODE), sbox_(pbox_ + ROUNDS + 2) {}
#ifdef DO_BLOWFISH_ASM #ifdef DO_BLOWFISH_ASM
void Process(byte*, const byte*, word32); void Process(byte*, const byte*, word32);
...@@ -62,8 +62,8 @@ private: ...@@ -62,8 +62,8 @@ private:
static const word32 p_init_[ROUNDS + 2]; static const word32 p_init_[ROUNDS + 2];
static const word32 s_init_[4 * 256]; static const word32 s_init_[4 * 256];
word32 pbox_[ROUNDS + 2]; word32 pbox_[ROUNDS + 2 + 4 * 256];
word32 sbox_[4 * 256]; word32* sbox_;
void crypt_block(const word32 in[2], word32 out[2]) const; void crypt_block(const word32 in[2], word32 out[2]) const;
void AsmProcess(const byte* in, byte* out) const; void AsmProcess(const byte* in, byte* out) const;
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -125,7 +125,7 @@ void CleanUp(); ...@@ -125,7 +125,7 @@ void CleanUp();
// no gas on these systems ?, disable for now // no gas on these systems ?, disable for now
#if defined(__sun__) || defined (__QNX__) || defined (__APPLE__) #if defined(__sun__) || defined (__APPLE__)
#define TAOCRYPT_DISABLE_X86ASM #define TAOCRYPT_DISABLE_X86ASM
#endif #endif
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -35,10 +35,7 @@ ...@@ -35,10 +35,7 @@
// Handler for pure virtual functions // Handler for pure virtual functions
namespace __Crun { namespace __Crun {
static void pure_error(void) void pure_error(void);
{
assert("Pure virtual method called." == "Aborted");
}
} // namespace __Crun } // namespace __Crun
#endif // __sun #endif // __sun
...@@ -54,16 +51,7 @@ extern "C" { ...@@ -54,16 +51,7 @@ extern "C" {
#else #else
#include "kernelc.hpp" #include "kernelc.hpp"
#endif #endif
int __cxa_pure_virtual () __attribute__ ((weak));
/* Disallow inline __cxa_pure_virtual() */
static int __cxa_pure_virtual() __attribute__((noinline, used));
static int __cxa_pure_virtual()
{
// oops, pure virtual called!
assert("Pure virtual method called." == "Aborted");
return 0;
}
} // extern "C" } // extern "C"
#endif // __GNUC__ > 2 #endif // __GNUC__ > 2
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -51,7 +51,7 @@ void AES::Process(byte* out, const byte* in, word32 sz) ...@@ -51,7 +51,7 @@ void AES::Process(byte* out, const byte* in, word32 sz)
out += BLOCK_SIZE; out += BLOCK_SIZE;
in += BLOCK_SIZE; in += BLOCK_SIZE;
} }
else if (mode_ == CBC) else if (mode_ == CBC) {
if (dir_ == ENCRYPTION) if (dir_ == ENCRYPTION)
while (blocks--) { while (blocks--) {
r_[0] ^= *(word32*)in; r_[0] ^= *(word32*)in;
...@@ -78,6 +78,7 @@ void AES::Process(byte* out, const byte* in, word32 sz) ...@@ -78,6 +78,7 @@ void AES::Process(byte* out, const byte* in, word32 sz)
out += BLOCK_SIZE; out += BLOCK_SIZE;
in += BLOCK_SIZE; in += BLOCK_SIZE;
} }
}
} }
#endif // DO_AES_ASM #endif // DO_AES_ASM
......
/* /*
Copyright (c) 2005-2007 MySQL AB, 2009 Sun Microsystems, Inc. Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
Use is subject to license terms.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -187,10 +186,10 @@ Integer AbstractGroup::CascadeScalarMultiply(const Element &x, ...@@ -187,10 +186,10 @@ Integer AbstractGroup::CascadeScalarMultiply(const Element &x,
struct WindowSlider struct WindowSlider
{ {
WindowSlider(const Integer &exp, bool fastNegate, WindowSlider(const Integer &expIn, bool fastNegateIn,
unsigned int windowSizeIn=0) unsigned int windowSizeIn=0)
: exp(exp), windowModulus(Integer::One()), windowSize(windowSizeIn), : exp(expIn), windowModulus(Integer::One()), windowSize(windowSizeIn),
windowBegin(0), fastNegate(fastNegate), firstTime(true), windowBegin(0), fastNegate(fastNegateIn), firstTime(true),
finished(false) finished(false)
{ {
if (windowSize == 0) if (windowSize == 0)
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -53,7 +53,7 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz) ...@@ -53,7 +53,7 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz)
out += BLOCK_SIZE; out += BLOCK_SIZE;
in += BLOCK_SIZE; in += BLOCK_SIZE;
} }
else if (mode_ == CBC) else if (mode_ == CBC) {
if (dir_ == ENCRYPTION) if (dir_ == ENCRYPTION)
while (blocks--) { while (blocks--) {
r_[0] ^= *(word32*)in; r_[0] ^= *(word32*)in;
...@@ -78,6 +78,7 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz) ...@@ -78,6 +78,7 @@ void Blowfish::Process(byte* out, const byte* in, word32 sz)
out += BLOCK_SIZE; out += BLOCK_SIZE;
in += BLOCK_SIZE; in += BLOCK_SIZE;
} }
}
} }
#endif // DO_BLOWFISH_ASM #endif // DO_BLOWFISH_ASM
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -185,7 +185,7 @@ void Base64Decoder::Decode() ...@@ -185,7 +185,7 @@ void Base64Decoder::Decode()
{ {
word32 bytes = coded_.size(); word32 bytes = coded_.size();
word32 plainSz = bytes - ((bytes + (pemLineSz - 1)) / pemLineSz); word32 plainSz = bytes - ((bytes + (pemLineSz - 1)) / pemLineSz);
plainSz = (plainSz * 3 + 3) / 4; plainSz = ((plainSz * 3) / 4) + 3;
decoded_.New(plainSz); decoded_.New(plainSz);
word32 i = 0; word32 i = 0;
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -283,12 +283,7 @@ DWord() {} ...@@ -283,12 +283,7 @@ DWord() {}
word GetHighHalfAsBorrow() const {return 0-halfs_.high;} word GetHighHalfAsBorrow() const {return 0-halfs_.high;}
private: private:
union struct dword_struct
{
#ifdef TAOCRYPT_NATIVE_DWORD_AVAILABLE
dword whole_;
#endif
struct
{ {
#ifdef LITTLE_ENDIAN_ORDER #ifdef LITTLE_ENDIAN_ORDER
word low; word low;
...@@ -297,7 +292,14 @@ private: ...@@ -297,7 +292,14 @@ private:
word high; word high;
word low; word low;
#endif #endif
} halfs_; };
union
{
#ifdef TAOCRYPT_NATIVE_DWORD_AVAILABLE
dword whole_;
#endif
struct dword_struct halfs_;
}; };
}; };
...@@ -1214,20 +1216,24 @@ public: ...@@ -1214,20 +1216,24 @@ public:
#define AS1(x) #x ";" #define AS1(x) #x ";"
#define AS2(x, y) #x ", " #y ";" #define AS2(x, y) #x ", " #y ";"
#define AddPrologue \ #define AddPrologue \
word res; \
__asm__ __volatile__ \ __asm__ __volatile__ \
( \ ( \
"push %%ebx;" /* save this manually, in case of -fPIC */ \ "push %%ebx;" /* save this manually, in case of -fPIC */ \
"mov %2, %%ebx;" \ "mov %3, %%ebx;" \
".intel_syntax noprefix;" \ ".intel_syntax noprefix;" \
"push ebp;" "push ebp;"
#define AddEpilogue \ #define AddEpilogue \
"pop ebp;" \ "pop ebp;" \
".att_syntax prefix;" \ ".att_syntax prefix;" \
"pop %%ebx;" \ "pop %%ebx;" \
: \ "mov %%eax, %0;" \
: "=g" (res) \
: "c" (C), "d" (A), "m" (B), "S" (N) \ : "c" (C), "d" (A), "m" (B), "S" (N) \
: "%edi", "memory", "cc" \ : "%edi", "memory", "cc" \
); ); \
return res;
#define MulPrologue \ #define MulPrologue \
__asm__ __volatile__ \ __asm__ __volatile__ \
( \ ( \
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -84,12 +84,23 @@ namespace STL = STL_NAMESPACE; ...@@ -84,12 +84,23 @@ namespace STL = STL_NAMESPACE;
} }
#if defined(__ICC) || defined(__INTEL_COMPILER) #ifdef __sun
// Handler for pure virtual functions
namespace __Crun {
void pure_error() {
assert(!"Aborted: pure virtual method called.");
}
}
#endif
#if defined(__ICC) || defined(__INTEL_COMPILER) || (__GNUC__ > 2)
extern "C" { extern "C" {
int __cxa_pure_virtual() { int __cxa_pure_virtual() {
assert("Pure virtual method called." == "Aborted"); assert(!"Aborted: pure virtual method called.");
return 0; return 0;
} }
...@@ -166,14 +177,6 @@ word Crop(word value, unsigned int size) ...@@ -166,14 +177,6 @@ word Crop(word value, unsigned int size)
#ifdef TAOCRYPT_X86ASM_AVAILABLE #ifdef TAOCRYPT_X86ASM_AVAILABLE
#ifndef _MSC_VER
static jmp_buf s_env;
static void SigIllHandler(int)
{
longjmp(s_env, 1);
}
#endif
bool HaveCpuId() bool HaveCpuId()
{ {
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2005, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -27,7 +27,6 @@ ...@@ -27,7 +27,6 @@
#include <time.h> #include <time.h>
#if defined(_WIN32) #if defined(_WIN32)
#define _WIN32_WINNT 0x0400
#include <windows.h> #include <windows.h>
#include <wincrypt.h> #include <wincrypt.h>
#else #else
...@@ -93,67 +92,6 @@ void OS_Seed::GenerateSeed(byte* output, word32 sz) ...@@ -93,67 +92,6 @@ void OS_Seed::GenerateSeed(byte* output, word32 sz)
} }
#elif defined(__NETWARE__)
/* The OS_Seed implementation for Netware */
#include <nks/thread.h>
#include <nks/plat.h>
// Loop on high resulution Read Time Stamp Counter
static void NetwareSeed(byte* output, word32 sz)
{
word32 tscResult;
for (word32 i = 0; i < sz; i += sizeof(tscResult)) {
#if defined(__GNUC__)
asm volatile("rdtsc" : "=A" (tscResult));
#else
#ifdef __MWERKS__
asm {
#else
__asm {
#endif
rdtsc
mov tscResult, eax
}
#endif
memcpy(output, &tscResult, sizeof(tscResult));
output += sizeof(tscResult);
NXThreadYield(); // induce more variance
}
}
OS_Seed::OS_Seed()
{
}
OS_Seed::~OS_Seed()
{
}
void OS_Seed::GenerateSeed(byte* output, word32 sz)
{
/*
Try to use NXSeedRandom as it will generate a strong
seed using the onboard 82802 chip
As it's not always supported, fallback to default
implementation if an error is returned
*/
if (NXSeedRandom(sz, output) != 0)
{
NetwareSeed(output, sz);
}
}
#else #else
/* The default OS_Seed implementation */ /* The default OS_Seed implementation */
......
/* /*
Copyright (C) 2000-2007 MySQL AB Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -54,7 +54,7 @@ void Twofish::Process(byte* out, const byte* in, word32 sz) ...@@ -54,7 +54,7 @@ void Twofish::Process(byte* out, const byte* in, word32 sz)
out += BLOCK_SIZE; out += BLOCK_SIZE;
in += BLOCK_SIZE; in += BLOCK_SIZE;
} }
else if (mode_ == CBC) else if (mode_ == CBC) {
if (dir_ == ENCRYPTION) if (dir_ == ENCRYPTION)
while (blocks--) { while (blocks--) {
r_[0] ^= *(word32*)in; r_[0] ^= *(word32*)in;
...@@ -82,6 +82,7 @@ void Twofish::Process(byte* out, const byte* in, word32 sz) ...@@ -82,6 +82,7 @@ void Twofish::Process(byte* out, const byte* in, word32 sz)
out += BLOCK_SIZE; out += BLOCK_SIZE;
in += BLOCK_SIZE; in += BLOCK_SIZE;
} }
}
} }
#endif // DO_TWOFISH_ASM #endif // DO_TWOFISH_ASM
......
/* /*
Copyright (C) 2006, 2007 MySQL AB Copyright (c) 2006, 2010, Oracle and/or its affiliates. All rights reserved.
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
...@@ -50,8 +50,7 @@ ...@@ -50,8 +50,7 @@
#endif /* _WIN32 */ #endif /* _WIN32 */
#if !defined(_SOCKLEN_T) && \ #if !defined(_SOCKLEN_T) && (defined(_WIN32) || defined(__APPLE__))
(defined(_WIN32) || defined(__NETWARE__) || defined(__APPLE__))
typedef int socklen_t; typedef int socklen_t;
#endif #endif
...@@ -60,18 +59,14 @@ ...@@ -60,18 +59,14 @@
#if defined(__hpux) #if defined(__hpux)
// HPUX uses int* for third parameter to accept // HPUX uses int* for third parameter to accept
typedef int* ACCEPT_THIRD_T; typedef int* ACCEPT_THIRD_T;
#elif defined(__NETWARE__)
// NetWare uses size_t* for third parameter to accept
typedef size_t* ACCEPT_THIRD_T;
#else #else
typedef socklen_t* ACCEPT_THIRD_T; typedef socklen_t* ACCEPT_THIRD_T;
#endif #endif
// Check if _POSIX_THREADS should be forced // Check if _POSIX_THREADS should be forced
#if !defined(_POSIX_THREADS) && (defined(__NETWARE__) || defined(__hpux)) #if !defined(_POSIX_THREADS) && defined(__hpux)
// HPUX does not define _POSIX_THREADS as it's not _fully_ implemented // HPUX does not define _POSIX_THREADS as it's not _fully_ implemented
// Netware supports pthreads but does not announce it
#define _POSIX_THREADS #define _POSIX_THREADS
#endif #endif
...@@ -178,6 +173,11 @@ inline void err_sys(const char* msg) ...@@ -178,6 +173,11 @@ inline void err_sys(const char* msg)
} }
extern "C" {
static int PasswordCallBack(char*, int, int, void*);
}
static int PasswordCallBack(char* passwd, int sz, int rw, void* userdata) static int PasswordCallBack(char* passwd, int sz, int rw, void* userdata)
{ {
strncpy(passwd, "12345678", sz); strncpy(passwd, "12345678", sz);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment