1.9.0 release doc

.gitignore

@@ -0,0 +1,32 @@
+*.lo
+*.la
+*.o
+*.m4
+*.deps
+*.libs
+*sh
+*.cache
+config*
+stamp*
+Makefile.in
+Makefile
+depcomp
+missing
+libtool
+tags
+benchmark
+test
+client
+echoclient
+echoserver
+server
+snifftest
+output
+testsuite
+diff
+sslSniffer/sslSnifferTest/tracefile.txt
+*.gz
+*.zip
+*.bak
+NTRU_algorithm/
+build-test/

README

@@ -13,7 +13,19 @@ before calling SSL_new();  Though it's not recommended.
 
 *** end Note ***
 
-CyaSSL Release 1.8.0 (12/23/2010)
+CyaSSL Release 1.9.0 (3/2/2011)
+
+Release 1.9.0 for CyaSSL adds bug fixes, improved TLSv1.2 through testing and
+better hash/sig algo ids, --enable-webServer for the yaSSL embedded web server,
+improper AES key setup detection, user cert verify callback improvements, and
+more.
+
+The CyaSSL manual offering is included in the doc/ directory.  For build
+instructions and comments about the new features please check the manual.
+
+Please send any comments or questions to support@yassl.com.
+
+****************** CyaSSL Release 1.8.0 (12/23/2010)
 
 Release 1.8.0 for CyaSSL adds bug fixes, x509 v3 CA signed certificate
 generation, a C standard library abstraction layer, lower memory use, increased

configure.in

@@ -1,6 +1,6 @@
 AC_INIT
 AC_CANONICAL_SYSTEM
-AM_INIT_AUTOMAKE(cyassl,1.8.8)
+AM_INIT_AUTOMAKE(cyassl,1.9.0) # !!! also change in ssl.h !!!
 AM_CONFIG_HEADER(ctaocrypt/include/config.h)
 
 
@@ -305,6 +305,19 @@ then
 fi
 
 
+# Web Server Build 
+AC_ARG_ENABLE(webServer,
+    [  --enable-webServer      Enable Web Server (default: disabled)],
+    [ ENABLED_WEBSERVER=$enableval ],
+    [ ENABLED_WEBSERVER=no ]
+    )
+
+if test "$ENABLED_WEBSERVER" = "yes"
+then
+    CFLAGS="$CFLAGS -DHAVE_WEBSERVER"
+fi
+
+
 # ECC 
 AC_ARG_ENABLE(ecc,
     [  --enable-ecc            Enable ECC (default: disabled)],

ctaocrypt/include/coding.h

@@ -33,7 +33,7 @@
 /* decode needed by CyaSSL */
 int Base64Decode(const byte* in, word32 inLen, byte* out, word32* outLen);
 
-#if defined(OPENSSL_EXTRA) || defined(SESSION_CERTS) || defined(CYASSL_KEY_GEN)  || defined(CYASSL_CERT_GEN)
+#if defined(OPENSSL_EXTRA) || defined(SESSION_CERTS) || defined(CYASSL_KEY_GEN)  || defined(CYASSL_CERT_GEN) || defined(HAVE_WEBSERVER)
     /* encode isn't */
     int Base64Encode(const byte* in, word32 inLen, byte* out, word32* outLen);
     int Base16Decode(const byte* in, word32 inLen, byte* out, word32* outLen);

ctaocrypt/include/config.h

@@ -79,7 +79,7 @@
 #define STDC_HEADERS 1
 
 /* Version number of package */
-#define VERSION "1.8.8"
+#define VERSION "1.9.0"
 
 /* Define to 1 if your processor stores words with the most significant byte
    first (like Motorola and SPARC, unlike Intel and VAX). */

ctaocrypt/include/os_settings.h

@@ -64,6 +64,7 @@
 
 #ifdef MICRIUM
 
+    #include "stdlib.h"
     #include "net_cfg.h"
     #include "ssl_cfg.h"
     #include "net_secure_os.h"

ctaocrypt/src/aes.c

@@ -973,6 +973,8 @@ void AesEncrypt(Aes* aes, const byte* inBlock, byte* outBlock)
     word32 r = aes->rounds >> 1;
 
     const word32* rk = aes->key;
+    if (r > 7)
+        return;  /* stop instead of segfaulting, set up your keys! */
     /*
      * map byte array block to cipher state
      * and add initial round key:
@@ -1107,6 +1109,8 @@ void AesDecrypt(Aes* aes, const byte* inBlock, byte* outBlock)
     word32 r = aes->rounds >> 1;
 
     const word32* rk = aes->key;
+    if (r > 7)
+        return;  /* stop instead of segfaulting, set up your keys! */
     /*
      * map byte array block to cipher state
      * and add initial round key:

ctaocrypt/src/coding.c

@@ -109,7 +109,7 @@ int Base64Decode(const byte* in, word32 inLen, byte* out, word32* outLen)
 }
 
 
-#if defined(OPENSSL_EXTRA) || defined (SESSION_CERTS) || defined(CYASSL_KEY_GEN) || defined(CYASSL_CERT_GEN)
+#if defined(OPENSSL_EXTRA) || defined (SESSION_CERTS) || defined(CYASSL_KEY_GEN) || defined(CYASSL_CERT_GEN) || defined(HAVE_WEBSERVER)
 
 static
 const byte base64Encode[] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J',

ctaocrypt/src/integer.c

@@ -25,6 +25,8 @@
  */
 
 
+#include "os_settings.h"     /* in case user set USE_FAST_MATH there */
+
 #ifndef USE_FAST_MATH
 
 #include "integer.h"

ctaocrypt/src/tfm.c

@@ -29,6 +29,7 @@
  *  to fit CyaSSL's needs.
  */
 
+#include "os_settings.h"     /* in case user set USE_FAST_MATH there */
 
 #ifdef USE_FAST_MATH
 

cyassl-ntru.sln

@@ -1,65 +1,65 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cyassl", "cyassl-ntru.vcproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "testsuite\testsuite-ntru.vcproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoserver", "examples\echoserver\echoserver-ntru.vcproj", "{07D97C48-E08F-4E34-9F67-3064039FF2CB}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoclient", "examples\echoclient\echoclient-ntru.vcproj", "{8362A816-C5DC-4E22-B5C5-9E6806387073}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "client", "examples\client\client-ntru.vcproj", "{3ADE9549-582D-4D8E-9826-B172197A7959}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "server", "examples\server\server-ntru.vcproj", "{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Win32 = Debug|Win32
-		Release|Win32 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.ActiveCfg = Debug|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.Build.0 = Debug|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.ActiveCfg = Release|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.Build.0 = Release|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.ActiveCfg = Debug|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.Build.0 = Debug|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.ActiveCfg = Release|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.Build.0 = Release|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.ActiveCfg = Debug|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.Build.0 = Debug|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.ActiveCfg = Release|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.Build.0 = Release|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.ActiveCfg = Debug|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.Build.0 = Debug|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.ActiveCfg = Release|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 10.00
+# Visual C++ Express 2008
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cyassl", "cyassl-ntru.vcproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "testsuite\testsuite-ntru.vcproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoserver", "examples\echoserver\echoserver-ntru.vcproj", "{07D97C48-E08F-4E34-9F67-3064039FF2CB}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoclient", "examples\echoclient\echoclient-ntru.vcproj", "{8362A816-C5DC-4E22-B5C5-9E6806387073}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "client", "examples\client\client-ntru.vcproj", "{3ADE9549-582D-4D8E-9826-B172197A7959}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "server", "examples\server\server-ntru.vcproj", "{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.ActiveCfg = Debug|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.Build.0 = Debug|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.ActiveCfg = Release|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.Build.0 = Release|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.ActiveCfg = Debug|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.Build.0 = Debug|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.ActiveCfg = Release|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.Build.0 = Release|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.Build.0 = Debug|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.ActiveCfg = Release|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.Build.0 = Release|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.ActiveCfg = Debug|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.Build.0 = Debug|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.ActiveCfg = Release|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

cyassl.sln

@@ -1,74 +1,74 @@
-
-Microsoft Visual Studio Solution File, Format Version 10.00
-# Visual C++ Express 2008
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cyassl", "cyassl.vcproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "testsuite\testsuite.vcproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sslSniffer", "sslSniffer\sslSniffer.vcproj", "{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoserver", "examples\echoserver\echoserver.vcproj", "{07D97C48-E08F-4E34-9F67-3064039FF2CB}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoclient", "examples\echoclient\echoclient.vcproj", "{8362A816-C5DC-4E22-B5C5-9E6806387073}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "client", "examples\client\client.vcproj", "{3ADE9549-582D-4D8E-9826-B172197A7959}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "server", "examples\server\server.vcproj", "{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}"
-	ProjectSection(ProjectDependencies) = postProject
-		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
-	EndProjectSection
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Win32 = Debug|Win32
-		Release|Win32 = Release|Win32
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32
-		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32
-		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32
-		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Debug|Win32.ActiveCfg = Debug|Win32
-		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Debug|Win32.Build.0 = Debug|Win32
-		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Release|Win32.ActiveCfg = Release|Win32
-		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Release|Win32.Build.0 = Release|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.ActiveCfg = Debug|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.Build.0 = Debug|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.ActiveCfg = Release|Win32
-		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.Build.0 = Release|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.ActiveCfg = Debug|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.Build.0 = Debug|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.ActiveCfg = Release|Win32
-		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.Build.0 = Release|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.ActiveCfg = Debug|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.Build.0 = Debug|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.ActiveCfg = Release|Win32
-		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.Build.0 = Release|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.ActiveCfg = Debug|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.Build.0 = Debug|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.ActiveCfg = Release|Win32
-		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.Build.0 = Release|Win32
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-EndGlobal
+
+Microsoft Visual Studio Solution File, Format Version 10.00
+# Visual C++ Express 2008
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cyassl", "cyassl.vcproj", "{73973223-5EE8-41CA-8E88-1D60E89A237B}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "testsuite", "testsuite\testsuite.vcproj", "{611E8971-46E0-4D0A-B5A1-632C3B00CB80}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "sslSniffer", "sslSniffer\sslSniffer.vcproj", "{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoserver", "examples\echoserver\echoserver.vcproj", "{07D97C48-E08F-4E34-9F67-3064039FF2CB}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "echoclient", "examples\echoclient\echoclient.vcproj", "{8362A816-C5DC-4E22-B5C5-9E6806387073}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "client", "examples\client\client.vcproj", "{3ADE9549-582D-4D8E-9826-B172197A7959}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "server", "examples\server\server.vcproj", "{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}"
+	ProjectSection(ProjectDependencies) = postProject
+		{73973223-5EE8-41CA-8E88-1D60E89A237B} = {73973223-5EE8-41CA-8E88-1D60E89A237B}
+	EndProjectSection
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.ActiveCfg = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Debug|Win32.Build.0 = Debug|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.ActiveCfg = Release|Win32
+		{73973223-5EE8-41CA-8E88-1D60E89A237B}.Release|Win32.Build.0 = Release|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.ActiveCfg = Debug|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Debug|Win32.Build.0 = Debug|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.ActiveCfg = Release|Win32
+		{611E8971-46E0-4D0A-B5A1-632C3B00CB80}.Release|Win32.Build.0 = Release|Win32
+		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Debug|Win32.ActiveCfg = Debug|Win32
+		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Debug|Win32.Build.0 = Debug|Win32
+		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Release|Win32.ActiveCfg = Release|Win32
+		{34FAE5A6-2B0F-4B55-86FE-0C43E4810F4D}.Release|Win32.Build.0 = Release|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.ActiveCfg = Debug|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Debug|Win32.Build.0 = Debug|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.ActiveCfg = Release|Win32
+		{07D97C48-E08F-4E34-9F67-3064039FF2CB}.Release|Win32.Build.0 = Release|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.ActiveCfg = Debug|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Debug|Win32.Build.0 = Debug|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.ActiveCfg = Release|Win32
+		{8362A816-C5DC-4E22-B5C5-9E6806387073}.Release|Win32.Build.0 = Release|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.ActiveCfg = Debug|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Debug|Win32.Build.0 = Debug|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.ActiveCfg = Release|Win32
+		{3ADE9549-582D-4D8E-9826-B172197A7959}.Release|Win32.Build.0 = Release|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.ActiveCfg = Debug|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Debug|Win32.Build.0 = Debug|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.ActiveCfg = Release|Win32
+		{E9FB0BA5-BA46-4A59-A953-39C18CD1DCB1}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

examples/echoclient/input

@@ -1,87 +1,87 @@
-/* echoclient.c  */
-
-#include "openssl/ssl.h"
-#include "../test.h"
-
-
-int main(int argc, char** argv)
-{
-    SOCKET_T sockfd = 0;
-
-    FILE* fin  = stdin;
-    FILE* fout = stdout;
-
-    int inCreated  = 0;
-    int outCreated = 0;
-
-    char send[1024];
-    char reply[1024];
-
-    SSL_METHOD* method = 0;
-    SSL_CTX*    ctx    = 0;
-    SSL*        ssl    = 0;
-
-#ifdef _WIN32
-    WSADATA wsd;
-    WSAStartup(0x0002, &wsd);
-#endif
-
-    if (argc >= 2) {
-        fin  = fopen(argv[1], "r"); 
-        inCreated = 1;
-    }
-    if (argc >= 3) {
-        fout = fopen(argv[2], "w");
-        outCreated = 1;
-    }
-
-    if (!fin)  err_sys("can't open input file");
-    if (!fout) err_sys("can't open output file");
-
-    tcp_connect(&sockfd);
-
-    method = SSLv3_client_method();
-    ctx    = SSL_CTX_new(method);
-
-    if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
-        err_sys("can't load ca file");
-
-    ssl = SSL_new(ctx);
-
-    SSL_set_fd(ssl, sockfd);
-    if (SSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed");
-
-    while (fgets(send, sizeof(send), fin)) {
-
-        int  sendSz = strlen(send) + 1;
-
-        if (SSL_write(ssl, send, sendSz) != sendSz)
-            err_sys("SSL_write failed");
-
-        if (strncmp(send, "quit", 4) == 0) {
-            fputs("sending server shutdown command: quit!\n", fout);
-            break;
-        }
-
-        if (SSL_read(ssl, reply, sizeof(reply)) > 0) 
-            fputs(reply, fout);
-    }
-
-    SSL_shutdown(ssl);
-    SSL_free(ssl);
-    SSL_CTX_free(ctx);
-
-    fflush(fout);
-    if (inCreated)  fclose(fin);
-    if (outCreated) fclose(fout);
-
-#ifdef _WIN32
-    closesocket(sockfd);
-#else
-    close(sockfd);
-#endif
-
-    return 0;
-}
-
-
+/* echoclient.c  */
+
+#include "openssl/ssl.h"
+#include "../test.h"
+
+
+int main(int argc, char** argv)
+{
+    SOCKET_T sockfd = 0;
+
+    FILE* fin  = stdin;
+    FILE* fout = stdout;
+
+    int inCreated  = 0;
+    int outCreated = 0;
+
+    char send[1024];
+    char reply[1024];
+
+    SSL_METHOD* method = 0;
+    SSL_CTX*    ctx    = 0;
+    SSL*        ssl    = 0;
+
+#ifdef _WIN32
+    WSADATA wsd;
+    WSAStartup(0x0002, &wsd);
+#endif
+
+    if (argc >= 2) {
+        fin  = fopen(argv[1], "r"); 
+        inCreated = 1;
+    }
+    if (argc >= 3) {
+        fout = fopen(argv[2], "w");
+        outCreated = 1;
+    }
+
+    if (!fin)  err_sys("can't open input file");
+    if (!fout) err_sys("can't open output file");
+
+    tcp_connect(&sockfd);
+
+    method = SSLv3_client_method();
+    ctx    = SSL_CTX_new(method);
+
+    if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
+        err_sys("can't load ca file");
+
+    ssl = SSL_new(ctx);
+
+    SSL_set_fd(ssl, sockfd);
+    if (SSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed");
+
+    while (fgets(send, sizeof(send), fin)) {
+
+        int  sendSz = strlen(send) + 1;
+
+        if (SSL_write(ssl, send, sendSz) != sendSz)
+            err_sys("SSL_write failed");
+
+        if (strncmp(send, "quit", 4) == 0) {
+            fputs("sending server shutdown command: quit!\n", fout);
+            break;
+        }
+
+        if (SSL_read(ssl, reply, sizeof(reply)) > 0) 
+            fputs(reply, fout);
+    }
+
+    SSL_shutdown(ssl);
+    SSL_free(ssl);
+    SSL_CTX_free(ctx);
+
+    fflush(fout);
+    if (inCreated)  fclose(fin);
+    if (outCreated) fclose(fout);
+
+#ifdef _WIN32
+    closesocket(sockfd);
+#else
+    close(sockfd);
+#endif
+
+    return 0;
+}
+
+

include/cyassl_int.h

@@ -36,6 +36,9 @@
 #ifdef HAVE_ECC
     #include "ctc_ecc.h"
 #endif
+#ifndef NO_SHA256
+    #include "sha256.h"
+#endif
 
 #ifdef CYASSL_CALLBACKS
     #include "cyassl_callbacks.h"
@@ -333,6 +336,8 @@ enum Misc {
     NO_SNIFF           =   0,  /* not sniffing */
     SNIFF              =   1,  /* currently sniffing */
 
+    HASH_SIG_SIZE      =   2,  /* default SHA1 RSA */
+
     NO_COPY            =   0,  /* should we copy static buffer for write */
     COPY               =   1   /* should we copy static buffer for write */
 };
@@ -587,7 +592,7 @@ struct SSL_CTX {
     psk_server_callback server_psk_cb;  /* server callback */
     char        server_hint[MAX_PSK_ID_LEN];
 #endif /* NO_PSK */
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
     pem_password_cb passwd_cb;
     void*            userdata;
 #endif /* OPENSSL_EXTRA */
@@ -635,11 +640,14 @@ enum BulkCipherAlgorithm {
 
 /* Supported Message Authentication Codes from page 43 */
 enum MACAlgorithm { 
-    no_mac,
+    no_mac = 0,
     md5_mac,
     sha_mac,
-    rmd_mac,
-    sha256_mac
+    sha224_mac,
+    sha256_mac,
+    sha384_mac,
+    sha512_mac,
+    rmd_mac
 };
 
 
@@ -949,6 +957,9 @@ struct SSL {
     RNG             rng;
     Md5             hashMd5;            /* md5 hash of handshake msgs */
     Sha             hashSha;            /* sha hash of handshake msgs */
+#ifndef NO_SHA256
+    Sha256          hashSha256;         /* sha256 hash of handshake msgs */
+#endif
     Hashes          verifyHashes;
     Hashes          certHashes;         /* for cert verify */
     Signer*         caList;             /* SSL_CTX owns */

include/openssl/ssl.h

@@ -39,6 +39,8 @@
     #include "prefix_ssl.h"
 #endif
 
+#define CYASSL_VERSION "1.9.0"
+
 #undef X509_NAME   /* wincrypt.h clash */
 
 #ifdef __cplusplus

src/cyassl_int.c

@@ -621,6 +621,9 @@ int InitSSL(SSL* ssl, SSL_CTX* ctx)
 
     InitMd5(&ssl->hashMd5);
     InitSha(&ssl->hashSha);
+#ifndef NO_SHA256
+    InitSha256(&ssl->hashSha256);
+#endif
     InitRsaKey(&ssl->peerRsaKey, ctx->heap);
 
     ssl->peerRsaKeyPresent = 0;
@@ -904,6 +907,10 @@ static void HashOutput(SSL* ssl, const byte* output, int sz, int ivSz)
 
     Md5Update(&ssl->hashMd5, buffer, sz);
     ShaUpdate(&ssl->hashSha, buffer, sz);
+#ifndef NO_SHA256
+    if (IsAtLeastTLSv1_2(ssl))
+        Sha256Update(&ssl->hashSha256, buffer, sz);
+#endif
 }
 
 
@@ -922,6 +929,10 @@ static void HashInput(SSL* ssl, const byte* input, int sz)
 
     Md5Update(&ssl->hashMd5, buffer, sz);
     ShaUpdate(&ssl->hashSha, buffer, sz);
+#ifndef NO_SHA256
+    if (IsAtLeastTLSv1_2(ssl))
+        Sha256Update(&ssl->hashSha256, buffer, sz);
+#endif
 }
 
 
@@ -1322,6 +1333,11 @@ static void BuildFinished(SSL* ssl, Hashes* hashes, const byte* sender)
     /* store current states, building requires get_digest which resets state */
     Md5 md5 = ssl->hashMd5;
     Sha sha = ssl->hashSha;
+#ifndef NO_SHA256
+    Sha256 sha256;
+    if (IsAtLeastTLSv1_2(ssl))
+        sha256 = ssl->hashSha256;
+#endif
 
     if (ssl->options.tls)
         BuildTlsFinished(ssl, hashes, sender);
@@ -1333,6 +1349,10 @@ static void BuildFinished(SSL* ssl, Hashes* hashes, const byte* sender)
     /* restore */
     ssl->hashMd5 = md5;
     ssl->hashSha = sha;
+#ifndef NO_SHA256
+    if (IsAtLeastTLSv1_2(ssl))
+        ssl->hashSha256 = sha256;
+#endif
 }
 
 
@@ -1340,6 +1360,7 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
 {
     word32 listSz, i = *inOutIdx;
     int    ret = 0;
+    int    anyError = 0;
     int    firstTime = 1;  /* peer's is at front */
     char   domain[ASN_NAME_MAX];
 
@@ -1350,7 +1371,7 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
     c24to32(&input[i], &listSz);
     i += CERT_HEADER_SZ;
     
-    while (listSz && ret == 0) {
+    while (listSz) {
         /* cert size */
         buffer      myCert;
         word32      certSz;
@@ -1366,6 +1387,9 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
 
         listSz -= certSz + CERT_HEADER_SZ;
 
+        if (ret != 0 && anyError == 0)
+            anyError = ret;   /* save error from last time */
+
 #ifdef SESSION_CERTS
         if (ssl->session.chain.count < MAX_CHAIN_DEPTH &&
                                        myCert.length < MAX_X509_SIZE) {
@@ -1456,6 +1480,9 @@ static int DoCertificate(SSL* ssl, byte* input, word32* inOutIdx)
         FreeDecodedCert(&dCert);
     }
 
+    if (anyError != 0)
+        ret = anyError;
+
     if (ret == 0 && ssl->options.side == CLIENT_END)
         ssl->options.serverState = SERVER_CERT_COMPLETE;
 
@@ -2311,6 +2338,11 @@ static void BuildCertHashes(SSL* ssl, Hashes* hashes)
     /* store current states, building requires get_digest which resets state */
     Md5 md5 = ssl->hashMd5;
     Sha sha = ssl->hashSha;
+#ifndef NO_SHA256     /* for possible future changes */
+    Sha256 sha256;
+    if (IsAtLeastTLSv1_2(ssl))
+        sha256 = ssl->hashSha256;
+#endif
 
     if (ssl->options.tls) {
         Md5Final(&ssl->hashMd5, hashes->md5);
@@ -2324,6 +2356,10 @@ static void BuildCertHashes(SSL* ssl, Hashes* hashes)
     /* restore */
     ssl->hashMd5 = md5;
     ssl->hashSha = sha;
+#ifndef NO_SHA256
+    if (IsAtLeastTLSv1_2(ssl))
+        ssl->hashSha256 = sha256;
+#endif
 }
 
 
@@ -2528,6 +2564,9 @@ int SendCertificateRequest(SSL* ssl)
     int  typeTotal = 1;  /* only rsa for now */
     int  reqSz = ENUM_LEN + typeTotal + REQ_HEADER_SZ;  /* add auth later */
 
+    if (IsAtLeastTLSv1_2(ssl))
+        reqSz += LENGTH_SZ + HASH_SIG_SIZE;
+
     if (ssl->options.usingPSK_cipher) return 0;  /* not needed */
 
     sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + reqSz;
@@ -2551,6 +2590,15 @@ int SendCertificateRequest(SSL* ssl)
     output[i++] = typeTotal;  /* # of types */
     output[i++] = rsa_sign;
 
+    /* supported hash/sig */
+    if (IsAtLeastTLSv1_2(ssl)) {
+        c16toa(HASH_SIG_SIZE, &output[i]);
+        i += LENGTH_SZ;
+
+        output[i++] = sha_mac;      /* hash */
+        output[i++] = rsa_sa_algo;  /* sig  */
+    }
+
     c16toa(0, &output[i]);  /* auth's */
     i += REQ_HEADER_SZ;
 
@@ -3573,14 +3621,15 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
             if (XMEMCMP(ssl->arrays.sessionID, ssl->session.sessionID, ID_LEN)
                                                                         == 0) {
                 if (SetCipherSpecs(ssl) == 0) {
+                    int ret; 
                     XMEMCPY(ssl->arrays.masterSecret, ssl->session.masterSecret,
                            SECRET_LEN);
                     if (ssl->options.tls)
-                        DeriveTlsKeys(ssl);
+                        ret = DeriveTlsKeys(ssl);
                     else
-                        DeriveKeys(ssl);
+                        ret = DeriveKeys(ssl);
                     ssl->options.serverState = SERVER_HELLODONE_COMPLETE;
-                    return 0;
+                    return ret;
                 }
                 else
                     return UNSUPPORTED_SUITE;
@@ -3612,6 +3661,13 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
         ato16(&input[*inOutIdx], &len);
         *inOutIdx += LENGTH_SZ;
 
+        if (IsAtLeastTLSv1_2(ssl)) {
+            /* hash sig format */
+            *inOutIdx += len;
+            ato16(&input[*inOutIdx], &len);
+            *inOutIdx += LENGTH_SZ;
+        }
+
         /* authorities */
         while (len) {
             word16 dnSz;
@@ -3755,6 +3811,11 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
             return BUFFER_ERROR;
         XMEMCPY(messageVerify, &input[*inOutIdx - verifySz], verifySz);
 
+        if (IsAtLeastTLSv1_2(ssl)) {
+            /* just advance for now TODO: validate hash algo params */
+            *inOutIdx += LENGTH_SZ;
+        }
+
         /* signature */
         ato16(&input[*inOutIdx], &length);
         *inOutIdx += LENGTH_SZ;
@@ -4071,14 +4132,20 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
                                            HANDSHAKE_HEADER_SZ];
             byte*  signBuffer = ssl->certHashes.md5;
             word32 signSz = sizeof(Hashes);
-            byte  encodedSig[MAX_ENCODED_SIG_SZ];
+            byte   encodedSig[MAX_ENCODED_SIG_SZ];
+            word32 extraSz = 0;  /* tls 1.2 hash/sig */
 
             #ifdef CYASSL_DTLS
                 if (ssl->options.dtls)
                     verify += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
             #endif
             length = RsaEncryptSize(&key);
-            c16toa((word16)length, verify);   /* prepend verify header */
+            if (IsAtLeastTLSv1_2(ssl)) {
+                verify[0] = sha_mac;
+                verify[1] = rsa_sa_algo;
+                extraSz = HASH_SIG_SIZE;
+            }
+            c16toa((word16)length, verify + extraSz); /* prepend verify header*/
 
             if (IsAtLeastTLSv1_2(ssl)) {
                 byte* digest;
@@ -4094,17 +4161,17 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
                 signBuffer = encodedSig;
             }
 
-            ret = RsaSSL_Sign(signBuffer, signSz, verify +
+            ret = RsaSSL_Sign(signBuffer, signSz, verify + extraSz +
                   VERIFY_HEADER, ENCRYPT_LEN, &key, &ssl->rng);
 
             if (ret > 0) {
                 ret = 0;  /* reset */
 
-                AddHeaders(output, length + VERIFY_HEADER, certificate_verify,
-                           ssl);
+                AddHeaders(output, length + extraSz + VERIFY_HEADER,
+                           certificate_verify, ssl);
 
                 sendSz = RECORD_HEADER_SZ + HANDSHAKE_HEADER_SZ + length +
-                                            VERIFY_HEADER;
+                         extraSz + VERIFY_HEADER;
                 #ifdef CYASSL_DTLS
                     if (ssl->options.dtls)
                         sendSz += DTLS_RECORD_EXTRA + DTLS_HANDSHAKE_EXTRA;
@@ -4364,6 +4431,9 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
             }
             length += sigSz;
 
+            if (IsAtLeastTLSv1_2(ssl))
+                length += HASH_SIG_SIZE;
+
             sendSz = length + HANDSHAKE_HEADER_SZ + RECORD_HEADER_SZ;
 
             #ifdef CYASSL_DTLS 
@@ -4392,6 +4462,10 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
             output[idx++] = expSz;
             XMEMCPY(output + idx, export, expSz);
             idx += expSz;
+            if (IsAtLeastTLSv1_2(ssl)) {
+                output[idx++] = sha_mac;
+                output[idx++] = ssl->specs.sig_algo;
+            }
             c16toa(sigSz, output + idx);
             idx += LENGTH_SZ;
 
@@ -4514,6 +4588,10 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
         /* manually hash input since different format */
         Md5Update(&ssl->hashMd5, input + idx, sz);
         ShaUpdate(&ssl->hashSha, input + idx, sz);
+#ifndef NO_SHA256
+    if (IsAtLeastTLSv1_2(ssl))
+        Sha256Update(&ssl->hashSha256, input + idx, sz);
+#endif
 
         /* does this value mean client_hello? */
         idx++;
@@ -4589,6 +4667,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
 
         /* DoClientHello uses same resume code */
         while (ssl->options.resuming) {  /* let's try */
+            int ret; 
             SSL_SESSION* session = GetSession(ssl, ssl->arrays.masterSecret);
             if (!session) {
                 ssl->options.resuming = 0;
@@ -4599,12 +4678,12 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
 
             RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN);
             if (ssl->options.tls)
-                DeriveTlsKeys(ssl);
+                ret = DeriveTlsKeys(ssl);
             else
-                DeriveKeys(ssl);
+                ret = DeriveKeys(ssl);
             ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
 
-            return 0;
+            return ret;
         }
 
         return MatchSuite(ssl, &clSuites);
@@ -4719,6 +4798,7 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
         
         /* ProcessOld uses same resume code */
         while (ssl->options.resuming) {  /* let's try */
+            int ret;            
             SSL_SESSION* session = GetSession(ssl, ssl->arrays.masterSecret);
             if (!session) {
                 ssl->options.resuming = 0;
@@ -4729,12 +4809,12 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
 
             RNG_GenerateBlock(&ssl->rng, ssl->arrays.serverRandom, RAN_LEN);
             if (ssl->options.tls)
-                DeriveTlsKeys(ssl);
+                ret = DeriveTlsKeys(ssl);
             else
-                DeriveKeys(ssl);
+                ret = DeriveKeys(ssl);
             ssl->options.clientState = CLIENT_KEYEXCHANGE_COMPLETE;
 
-            return 0;
+            return ret;
         }
         return MatchSuite(ssl, &clSuites);
     }
@@ -4759,6 +4839,8 @@ int SetCipherList(SSL_CTX* ctx, const char* list)
         if ( (i + VERIFY_HEADER) > totalSz)
             return INCOMPLETE_DATA;
 
+        if (IsAtLeastTLSv1_2(ssl))
+           i += HASH_SIG_SIZE; 
         ato16(&input[i], &sz);
         i += VERIFY_HEADER;
 

src/keys.c

@@ -431,7 +431,7 @@ int SetCipherSpecs(SSL* ssl)
 #ifndef NO_TLS
         ssl->options.tls = 1;
         ssl->hmac = TLS_hmac;
-        if (ssl->version.minor == 2)
+        if (ssl->version.minor >= 2)
             ssl->options.tls1_1 = 1;
 #endif
     }
@@ -678,7 +678,7 @@ int MakeMasterSecret(SSL* ssl)
     byte   shaOutput[SHA_DIGEST_SIZE];
     byte   md5Input[ENCRYPT_LEN + SHA_DIGEST_SIZE];
     byte   shaInput[PREFIX + ENCRYPT_LEN + 2 * RAN_LEN];
-    int    i;
+    int    i, ret;
     word32 idx;
     word32 pmsSz = ssl->arrays.preMasterSz;
 
@@ -740,10 +740,10 @@ int MakeMasterSecret(SSL* ssl)
     }
 #endif
 
-    DeriveKeys(ssl);
+    ret = DeriveKeys(ssl);
     CleanPreMaster(ssl);
 
-    return 0;
+    return ret;
 }
 
 

src/sniffer.c

@@ -1905,7 +1905,7 @@ static int CheckPreRecord(IpInfo* ipInfo, TcpInfo* tcpInfo,
     if ( (length = ssl->buffers.inputBuffer.length) ) {
         Trace(PARTIAL_ADD_STR);
         
-        if ( (*sslBytes + length) > sizeof(ssl->buffers.inputBuffer.buffer)) {
+        if ( (*sslBytes + length) > ssl->buffers.inputBuffer.bufferSize) {
             SetError(BUFFER_ERROR_STR, error, session, FATAL_ERROR_STATE);
             return -1;
         }
@@ -2010,7 +2010,7 @@ doMessage:
         
         /* store partial if not there already or we advanced */
         if (ssl->buffers.inputBuffer.length == 0 || sslBegin != sslFrame) {
-            if (sslBytes > sizeof(ssl->buffers.inputBuffer.buffer)) {
+            if (sslBytes > ssl->buffers.inputBuffer.bufferSize) {
                 SetError(BUFFER_ERROR_STR, error, session, FATAL_ERROR_STATE);
                 return -1;
             }

src/ssl.c

@@ -25,9 +25,12 @@
 #include "cyassl_error.h"
 #include "coding.h"
 
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+    #include "evp.h"
+#endif
+
 #ifdef OPENSSL_EXTRA
     /* openssl headers begin */
-    #include "evp.h"
     #include "hmac.h"
     #include "crypto.h"
     #include "des.h"
@@ -405,7 +408,7 @@ static int AddCA(SSL_CTX* ctx, buffer der)
         else
             return SSL_BAD_FILE;
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
     {
         /* remove encrypted header if there */
         char encHeader[] = "Proc-Type";
@@ -447,7 +450,7 @@ static int AddCA(SSL_CTX* ctx, buffer der)
             headerEnd = newline;
         }
     }
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
 
         /* find footer */
         footerEnd = XSTRSTR((char*)buff, footer);
@@ -511,7 +514,7 @@ static int AddCA(SSL_CTX* ctx, buffer der)
             der.length = sz;
         }
 
-#ifdef OPENSSL_EXTRA
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
         if (info.set) {
             /* decrypt */
             char password[80];
@@ -560,7 +563,7 @@ static int AddCA(SSL_CTX* ctx, buffer der)
             else 
                 return SSL_BAD_FILE;
         }
-#endif /* OPENSSL_EXTRA */
+#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
 
         if (type == CA_TYPE)
             return AddCA(ctx, der);     /* takes der over */
@@ -999,6 +1002,10 @@ int SSL_CTX_set_cipher_list(SSL_CTX* ctx, const char* list)
                     /* re-init hashes, exclude first hello and verify request */
                     InitMd5(&ssl->hashMd5);
                     InitSha(&ssl->hashSha);
+                    #ifndef NO_SHA256
+                        if (IsAtLeastTLSv1_2(ssl))
+                            InitSha256(&ssl->hashSha256);
+                    #endif
                     if ( (ssl->error = SendClientHello(ssl)) != 0) {
                         CYASSL_ERROR(ssl->error);
                         return SSL_FATAL_ERROR;
@@ -1196,6 +1203,10 @@ int SSL_CTX_set_cipher_list(SSL_CTX* ctx, const char* list)
                     /* re-init hashes, exclude first hello and verify request */
                     InitMd5(&ssl->hashMd5);
                     InitSha(&ssl->hashSha);
+                    #ifndef NO_SHA256
+                        if (IsAtLeastTLSv1_2(ssl))
+                            InitSha256(&ssl->hashSha256);
+                    #endif
 
                     while (ssl->options.clientState < CLIENT_HELLO_COMPLETE)
                         if ( (ssl->error = ProcessReply(ssl)) < 0) {
@@ -2241,6 +2252,129 @@ int CyaSSL_set_compression(SSL* ssl)
 #endif /* OPENSSL_EXTRA || GOAHEAD_WS */
 
 
+#if defined(OPENSSL_EXTRA) || defined(HAVE_WEBSERVER)
+
+    void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX* ctx, void* userdata)
+    {
+        ctx->userdata = userdata;
+    }
+
+
+    void SSL_CTX_set_default_passwd_cb(SSL_CTX* ctx, pem_password_cb cb)
+    {
+        ctx->passwd_cb = cb;
+    }
+
+    int CRYPTO_num_locks(void)
+    {
+        return 0;
+    }
+
+    void CRYPTO_set_locking_callback(void (*f)(int, int, const char*, int))
+    {
+      
+    }
+
+    void CRYPTO_set_id_callback(unsigned long (*f)(void))
+    {
+    
+    }
+
+    unsigned long ERR_get_error(void)
+    {
+        /* TODO: */
+        return 0;
+    }
+
+    int EVP_BytesToKey(const EVP_CIPHER* type, const EVP_MD* md,
+                       const byte* salt, const byte* data, int sz, int count,
+                       byte* key, byte* iv)
+    {
+        int keyLen = 0;
+        int ivLen  = 0;
+
+        Md5    myMD;
+        byte   digest[MD5_DIGEST_SIZE];
+
+        int j;
+        int keyLeft;
+        int ivLeft;
+        int keyOutput = 0;
+
+        InitMd5(&myMD);
+
+        /* only support MD5 for now */
+        if (XSTRNCMP(md, "MD5", 3)) return 0;
+
+        /* only support CBC DES and AES for now */
+        if (XSTRNCMP(type, "DES-CBC", 7) == 0) {
+            keyLen = DES_KEY_SIZE;
+            ivLen  = DES_IV_SIZE;
+        }
+        else if (XSTRNCMP(type, "DES-EDE3-CBC", 12) == 0) {
+            keyLen = DES3_KEY_SIZE;
+            ivLen  = DES_IV_SIZE;
+        }
+        else if (XSTRNCMP(type, "AES-128-CBC", 11) == 0) {
+            keyLen = AES_128_KEY_SIZE;
+            ivLen  = AES_IV_SIZE;
+        }
+        else if (XSTRNCMP(type, "AES-192-CBC", 11) == 0) {
+            keyLen = AES_192_KEY_SIZE;
+            ivLen  = AES_IV_SIZE;
+        }
+        else if (XSTRNCMP(type, "AES-256-CBC", 11) == 0) {
+            keyLen = AES_256_KEY_SIZE;
+            ivLen  = AES_IV_SIZE;
+        }
+        else
+            return 0;
+
+        keyLeft   = keyLen;
+        ivLeft    = ivLen;
+
+        while (keyOutput < (keyLen + ivLen)) {
+            int digestLeft = MD5_DIGEST_SIZE;
+            /* D_(i - 1) */
+            if (keyOutput)                      /* first time D_0 is empty */
+                Md5Update(&myMD, digest, MD5_DIGEST_SIZE);
+            /* data */
+            Md5Update(&myMD, data, sz);
+            /* salt */
+            if (salt)
+                Md5Update(&myMD, salt, EVP_SALT_SIZE);
+            Md5Final(&myMD, digest);
+            /* count */
+            for (j = 1; j < count; j++) {
+                Md5Update(&myMD, digest, MD5_DIGEST_SIZE);
+                Md5Final(&myMD, digest);
+            }
+
+            if (keyLeft) {
+                int store = min(keyLeft, MD5_DIGEST_SIZE);
+                XMEMCPY(&key[keyLen - keyLeft], digest, store);
+
+                keyOutput  += store;
+                keyLeft    -= store;
+                digestLeft -= store;
+            }
+
+            if (ivLeft && digestLeft) {
+                int store = min(ivLeft, digestLeft);
+                XMEMCPY(&iv[ivLen - ivLeft], &digest[MD5_DIGEST_SIZE -
+                                                    digestLeft], store);
+                keyOutput += store;
+                ivLeft    -= store;
+            }
+        }
+        if (keyOutput != (keyLen + ivLen))
+            return 0;
+        return keyOutput;
+    }
+
+#endif /* OPENSSL_EXTRA || HAVE_WEBSERVER */
+
+
 #ifdef OPENSSL_EXTRA
 
     unsigned long SSLeay(void)
@@ -2401,12 +2535,6 @@ int CyaSSL_set_compression(SSL* ssl)
         return md;
     }
 
-    unsigned long ERR_get_error(void)
-    {
-        /* TODO: */
-        return 0;
-    }
-
     void ERR_clear_error(void)
     {
         /* TODO: */
@@ -2840,24 +2968,6 @@ int CyaSSL_set_compression(SSL* ssl)
     }
 
 
-    int CRYPTO_num_locks(void)
-    {
-        return 0;
-    }
-
-
-    void CRYPTO_set_id_callback(unsigned long (*f)(void))
-    {
-    
-    }
-
-
-    void CRYPTO_set_locking_callback(void (*f)(int, int, const char*, int))
-    {
-      
-    }
-
-
     void CRYPTO_set_dynlock_create_callback(CRYPTO_dynlock_value* (*f)(
                                                               const char*, int))
     {
@@ -3059,18 +3169,6 @@ int CyaSSL_set_compression(SSL* ssl)
     }
 
 
-    void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX* ctx, void* userdata)
-    {
-        ctx->userdata = userdata;
-    }
-
-
-    void SSL_CTX_set_default_passwd_cb(SSL_CTX* ctx, pem_password_cb cb)
-    {
-        ctx->passwd_cb = cb;
-    }
-
-
     long SSL_CTX_set_timeout(SSL_CTX* ctx, long to)
     {
         return 0;
@@ -3237,92 +3335,6 @@ int CyaSSL_set_compression(SSL* ssl)
     }
 
 
-    int EVP_BytesToKey(const EVP_CIPHER* type, const EVP_MD* md,
-                       const byte* salt, const byte* data, int sz, int count,
-                       byte* key, byte* iv)
-    {
-        int keyLen = 0;
-        int ivLen  = 0;
-
-        Md5    myMD;
-        byte   digest[MD5_DIGEST_SIZE];
-
-        int j;
-        int keyLeft;
-        int ivLeft;
-        int keyOutput = 0;
-
-        InitMd5(&myMD);
-
-        /* only support MD5 for now */
-        if (XSTRNCMP(md, "MD5", 3)) return 0;
-
-        /* only support CBC DES and AES for now */
-        if (XSTRNCMP(type, "DES-CBC", 7) == 0) {
-            keyLen = DES_KEY_SIZE;
-            ivLen  = DES_IV_SIZE;
-        }
-        else if (XSTRNCMP(type, "DES-EDE3-CBC", 12) == 0) {
-            keyLen = DES3_KEY_SIZE;
-            ivLen  = DES_IV_SIZE;
-        }
-        else if (XSTRNCMP(type, "AES-128-CBC", 11) == 0) {
-            keyLen = AES_128_KEY_SIZE;
-            ivLen  = AES_IV_SIZE;
-        }
-        else if (XSTRNCMP(type, "AES-192-CBC", 11) == 0) {
-            keyLen = AES_192_KEY_SIZE;
-            ivLen  = AES_IV_SIZE;
-        }
-        else if (XSTRNCMP(type, "AES-256-CBC", 11) == 0) {
-            keyLen = AES_256_KEY_SIZE;
-            ivLen  = AES_IV_SIZE;
-        }
-        else
-            return 0;
-
-        keyLeft   = keyLen;
-        ivLeft    = ivLen;
-
-        while (keyOutput < (keyLen + ivLen)) {
-            int digestLeft = MD5_DIGEST_SIZE;
-            /* D_(i - 1) */
-            if (keyOutput)                      /* first time D_0 is empty */
-                Md5Update(&myMD, digest, MD5_DIGEST_SIZE);
-            /* data */
-            Md5Update(&myMD, data, sz);
-            /* salt */
-            if (salt)
-                Md5Update(&myMD, salt, EVP_SALT_SIZE);
-            Md5Final(&myMD, digest);
-            /* count */
-            for (j = 1; j < count; j++) {
-                Md5Update(&myMD, digest, MD5_DIGEST_SIZE);
-                Md5Final(&myMD, digest);
-            }
-
-            if (keyLeft) {
-                int store = min(keyLeft, MD5_DIGEST_SIZE);
-                XMEMCPY(&key[keyLen - keyLeft], digest, store);
-
-                keyOutput  += store;
-                keyLeft    -= store;
-                digestLeft -= store;
-            }
-
-            if (ivLeft && digestLeft) {
-                int store = min(ivLeft, digestLeft);
-                XMEMCPY(&iv[ivLen - ivLeft], &digest[MD5_DIGEST_SIZE -
-                                                    digestLeft], store);
-                keyOutput += store;
-                ivLeft    -= store;
-            }
-        }
-        if (keyOutput != (keyLen + ivLen))
-            return 0;
-        return keyOutput;
-    }
-
     /* stunnel 4.28 needs */
     void* SSL_CTX_get_ex_data(const SSL_CTX* ctx, int d)
     {

src/tls.c

@@ -136,10 +136,17 @@ static void PRF(byte* digest, word32 digLen, const byte* secret, word32 secLen,
 void BuildTlsFinished(SSL* ssl, Hashes* hashes, const byte* sender)
 {
     const byte* side;
-    byte handshake_hash[FINISHED_SZ];
+    byte        handshake_hash[FINISHED_SZ];
+    word32      hashSz = FINISHED_SZ;
 
     Md5Final(&ssl->hashMd5, handshake_hash);
     ShaFinal(&ssl->hashSha, &handshake_hash[MD5_DIGEST_SIZE]);
+#ifndef NO_SHA256
+    if (IsAtLeastTLSv1_2(ssl)) {
+        Sha256Final(&ssl->hashSha256, handshake_hash);
+        hashSz = SHA256_DIGEST_SIZE;
+    }
+#endif
    
     if ( XSTRNCMP((const char*)sender, (const char*)client, SIZEOF_SENDER) == 0)
         side = tls_client;
@@ -147,8 +154,7 @@ void BuildTlsFinished(SSL* ssl, Hashes* hashes, const byte* sender)
         side = tls_server;
 
     PRF(hashes->md5, TLS_FINISHED_SZ, ssl->arrays.masterSecret, SECRET_LEN,
-        side, FINISHED_LABEL_SZ, handshake_hash, FINISHED_SZ,
-        IsAtLeastTLSv1_2(ssl));
+        side, FINISHED_LABEL_SZ, handshake_hash, hashSz, IsAtLeastTLSv1_2(ssl));
 }
 
 

testsuite/input

@@ -1,87 +1,87 @@
-/* echoclient.c  */
-
-#include "openssl/ssl.h"
-#include "../test.h"
-
-
-int main(int argc, char** argv)
-{
-    SOCKET_T sockfd = 0;
-
-    FILE* fin  = stdin;
-    FILE* fout = stdout;
-
-    int inCreated  = 0;
-    int outCreated = 0;
-
-    char send[1024];
-    char reply[1024];
-
-    SSL_METHOD* method = 0;
-    SSL_CTX*    ctx    = 0;
-    SSL*        ssl    = 0;
-
-#ifdef _WIN32
-    WSADATA wsd;
-    WSAStartup(0x0002, &wsd);
-#endif
-
-    if (argc >= 2) {
-        fin  = fopen(argv[1], "r"); 
-        inCreated = 1;
-    }
-    if (argc >= 3) {
-        fout = fopen(argv[2], "w");
-        outCreated = 1;
-    }
-
-    if (!fin)  err_sys("can't open input file");
-    if (!fout) err_sys("can't open output file");
-
-    tcp_connect(&sockfd);
-
-    method = SSLv3_client_method();
-    ctx    = SSL_CTX_new(method);
-
-    if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
-        err_sys("can't load ca file");
-
-    ssl = SSL_new(ctx);
-
-    SSL_set_fd(ssl, sockfd);
-    if (SSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed");
-
-    while (fgets(send, sizeof(send), fin)) {
-
-        int  sendSz = strlen(send) + 1;
-
-        if (SSL_write(ssl, send, sendSz) != sendSz)
-            err_sys("SSL_write failed");
-
-        if (strncmp(send, "quit", 4) == 0) {
-            fputs("sending server shutdown command: quit!\n", fout);
-            break;
-        }
-
-        if (SSL_read(ssl, reply, sizeof(reply)) > 0) 
-            fputs(reply, fout);
-    }
-
-    SSL_shutdown(ssl);
-    SSL_free(ssl);
-    SSL_CTX_free(ctx);
-
-    fflush(fout);
-    if (inCreated)  fclose(fin);
-    if (outCreated) fclose(fout);
-
-#ifdef _WIN32
-    closesocket(sockfd);
-#else
-    close(sockfd);
-#endif
-
-    return 0;
-}
-
-
+/* echoclient.c  */
+
+#include "openssl/ssl.h"
+#include "../test.h"
+
+
+int main(int argc, char** argv)
+{
+    SOCKET_T sockfd = 0;
+
+    FILE* fin  = stdin;
+    FILE* fout = stdout;
+
+    int inCreated  = 0;
+    int outCreated = 0;
+
+    char send[1024];
+    char reply[1024];
+
+    SSL_METHOD* method = 0;
+    SSL_CTX*    ctx    = 0;
+    SSL*        ssl    = 0;
+
+#ifdef _WIN32
+    WSADATA wsd;
+    WSAStartup(0x0002, &wsd);
+#endif
+
+    if (argc >= 2) {
+        fin  = fopen(argv[1], "r"); 
+        inCreated = 1;
+    }
+    if (argc >= 3) {
+        fout = fopen(argv[2], "w");
+        outCreated = 1;
+    }
+
+    if (!fin)  err_sys("can't open input file");
+    if (!fout) err_sys("can't open output file");
+
+    tcp_connect(&sockfd);
+
+    method = SSLv3_client_method();
+    ctx    = SSL_CTX_new(method);
+
+    if (SSL_CTX_load_verify_locations(ctx, caCert, 0) != SSL_SUCCESS)
+        err_sys("can't load ca file");
+
+    ssl = SSL_new(ctx);
+
+    SSL_set_fd(ssl, sockfd);
+    if (SSL_connect(ssl) != SSL_SUCCESS) err_sys("SSL_connect failed");
+
+    while (fgets(send, sizeof(send), fin)) {
+
+        int  sendSz = strlen(send) + 1;
+
+        if (SSL_write(ssl, send, sendSz) != sendSz)
+            err_sys("SSL_write failed");
+
+        if (strncmp(send, "quit", 4) == 0) {
+            fputs("sending server shutdown command: quit!\n", fout);
+            break;
+        }
+
+        if (SSL_read(ssl, reply, sizeof(reply)) > 0) 
+            fputs(reply, fout);
+    }
+
+    SSL_shutdown(ssl);
+    SSL_free(ssl);
+    SSL_CTX_free(ctx);
+
+    fflush(fout);
+    if (inCreated)  fclose(fin);
+    if (outCreated) fclose(fout);
+
+#ifdef _WIN32
+    closesocket(sockfd);
+#else
+    close(sockfd);
+#endif
+
+    return 0;
+}
+
+