1

(1 replies, posted in wolfSSL)

There is something missing in wolfSSL_Read, there is no MSG_PEEK function, which causes this to be syntactically different than standard socket_read(  , MSG_PEEK) which allows for getting the first bytes of the pending income stream without advancing the internal byte poniter

Here is my new version of wolfSSL_read() -> ReceiveData( ) in internal.c

Set the sz value to a negative < 0 value and it will PEEK without changing the internal
buffer pointer

int ReceiveData(CYASSL* ssl, byte* output, int sz)
{
        int size;
        int peek = 0 ;

        CYASSL_ENTER("ReceiveData()");

        if (ssl->error == WANT_READ)
                ssl->error = 0;

        if (ssl->options.handShakeState != HANDSHAKE_DONE) {
                int err;
                CYASSL_MSG("Handshake not complete, trying to finish");
                if ( (err = CyaSSL_negotiate(ssl)) != 0)
                        return  err;
        }

        while (ssl->buffers.clearOutputBuffer.length == 0)
                if ( (ssl->error = ProcessReply(ssl)) < 0) {
                        CYASSL_ERROR(ssl->error);
                        if (ssl->error == ZERO_RETURN) {
                                CYASSL_MSG("Zero return, no more data coming");
                                ssl->options.isClosed = 1;
                                return 0;         /* no more data coming */
                        }
                        if (ssl->error == SOCKET_ERROR_E) {
                                if (ssl->options.connReset || ssl->options.isClosed) {
                                        CYASSL_MSG("Peer reset or closed, connection done");
                                        return 0;     /* peer reset or closed */
                                }
                        }
                        return ssl->error;
                }

        if (sz < 0)
        {
            //We are peeking at the data
            peek = 1 ;
            //Flip the size back to a positive value
            sz = sz * -1 ;
        }

        if (sz < (int)ssl->buffers.clearOutputBuffer.length)
                size = sz;
        else
                size = ssl->buffers.clearOutputBuffer.length;

        XMEMCPY(output, ssl->buffers.clearOutputBuffer.buffer, size);

        if (peek == 0)
        {
            ssl->buffers.clearOutputBuffer.length -= size;
            ssl->buffers.clearOutputBuffer.buffer += size;
        }

        if (ssl->buffers.clearOutputBuffer.length == 0 &&
                                                                                     ssl->buffers.inputBuffer.dynamicFlag)
             ShrinkInputBuffer(ssl, NO_FORCED_FREE);

        CYASSL_LEAVE("ReceiveData()", size);
        return size;
}

2

(1 replies, posted in wolfSSL)

I have posted topics related to certificate validation and wolfSSL was written to have a callback in VERIFY_PEER function allow for handling certificate errors and allowing the connection to continue.

But I wanted a mechanism that is always going to return GOOD on wolfSSL_connect
and then allow me to analyze the failure and take action

so I patched wolfSSL.2.4.0

internal.h - struct wolfSSL - Added two integer members

        int validcert ;
        int certerr ;


ssl.h - Added 2 functions

WOLFSSL_API int  wolfSSL_validcert(WOLFSSL*);
WOLFSSL_API int  wolfSSL_certerr(WOLFSSL*);

ssl.c - Added 2 functions

int wolfSSL_validcert(WOLFSSL* ssl)
{
    return (ssl->validcert) ;
}
int  wolfSSL_certerr(WOLFSSL* ssl)
{
    return (ssl->certerr) ;
}

internal.c - wherever verifyCallback is called, commented that code out

if (ssl->verifyCallback) {  changed to: fatal = 0 ;


        if (ret == 0 && ssl->options.side == CLIENT_END)
                ssl->options.serverState = SERVER_CERT_COMPLETE;

        //Code addition - we intercept the layer that
        //handles the verify callback
        //and replace it with just setting error flags
        //
        ssl->certerr = ret ;
        ssl->validcert = -22 ;
        if (ret == 0) ssl->validcert = 22 ;
                ret = 0 ;


        /* COMMENT OUT CODE BLOCK

        if (ret != 0)
        {
                if (!ssl->options.verifyNone) {
                        int why = bad_certificate;

COMMENT all of the verifycallback code block

Maybe wolfSSL could add a choice whether you want a callback or some function calls and maybe a #define NO_VERIFY_CALLBACK, #define WANT_CERT_ERRORS or something to that effect to allow for clients to connect to ANY HTTPS server regardless of CA cert validation and
then allow them to continue or stop based on security requirements

I never liked to have a mixture of callbacks and member functions, straight function calls are more readable and more

But some may want callbacks because it may give greater flexibility the the CTX_509_STORE structure, but I will not use it.

3

(1 replies, posted in wolfSSL)

ChrisC - You ROCK!  Thanks for the SUPER FAST reply from my earlier post.

I was able to have the client verify the server using the CA crt files.

This situation is where there are valid signed certificates on HTTPS servers on the internet
and I want to validate them on the client. 

Is there any way to have the clients automatically download CA certs or would this
be inherently non secure?  (Web browsers, SSH, etc, all seem to be able to download a cert as long as you accept the MD5 fingerprint)

wolfSSL_CTX_load_verify_locations( ) is for CA certificate file loading for client validation of server certificates.

Which call is the equivalent to this call for memory buffers instead of file based CA cert?

Thanks for any reply,

md

Continued elsewhere....

Ok.  Based on an earlier post from team wolfSSL, I built the example client and used it against mikestoolbox-DOT-org

Client was built on Visual Studio 2008. wolfSSL 2.4.0 (downloaded today) on Windows XP Sp3.

Google also FAILS.

What wolfSSL cannot do is actually verify a secure web site based on the DEBUG_WOLF
dumps that I included below.  It always throws -155 Error

############mikestoolbox-DOT-org##################

F:\download\wolfssl-2.4.0\Debug>client.exe -h 24.234.114.35 -p 443
wolfSSL Entering WOLF_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering GetMyVersion
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Couldn't find PEM header
We got one good PEM file so stuff at end ok
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
        found optional critical flag, moving past
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Veriying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeAltNames
        Not DNS type
        Extension type not handled, skipping
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override availalbe, fatal
wolfSSL Leaving DoHandShakeMsgType(), return -155
wolfSSL Leaving DoHandShakeMsg(), return -155
wolfSSL error occured, error = -155
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -155
wolfSSL Entering ERR_error_string
err = -155, ASN sig error, confirm failure
wolfssl error: SSL_connect failed

############google-DOT-com##################

F:\download\wolfssl-2.4.0\Debug>ping google-DOT-com

Pinging google-DOT-com [173.194.37.80] with 32 bytes of data:

Reply from 173.194.37.80: bytes=32 time=85ms TTL=53
Reply from 173.194.37.80: bytes=32 time=87ms TTL=53
Reply from 173.194.37.80: bytes=32 time=87ms TTL=53
Reply from 173.194.37.80: bytes=32 time=87ms TTL=53

Ping statistics for 173.194.37.80:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 85ms, Maximum = 87ms, Average = 86ms

F:\download\wolfssl-2.4.0\Debug>client.exe -h 173.194.37.80 -p 443
wolfSSL Entering WOLFSSL_CTX_new
wolfSSL Entering wolfSSL_CertManagerNew
wolfSSL Leaving WOLFSSL_CTX_new, return 0
wolfSSL Entering SSL_CTX_set_default_passwd_cb
wolfSSL Entering wolfSSL_CTX_use_certificate_file
Getting dynamic buffer
Checking cert signature type
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
Not ECDSA cert signature
wolfSSL Entering wolfSSL_CTX_use_PrivateKey_file
Getting dynamic buffer
wolfSSL Entering GetMyVersion
wolfSSL Entering wolfSSL_CTX_load_verify_locations
Getting dynamic buffer
Processing CA PEM file
Adding a CA
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering GetAlgoId
    Parsed new CA
    Freeing Parsed CA
    Freeing der CA
        OK Freeing der CA
wolfSSL Leaving AddCA, return 0
   Processed a CA
Couldn't find PEM header
We got one good PEM file so stuff at end ok
wolfSSL Entering SSL_new
wolfSSL Leaving SSL_new, return 0
wolfSSL Entering SSL_set_fd
wolfSSL Leaving SSL_set_fd, return 1
wolfSSL Entering SSL_connect()
growing output buffer

Shrinking output buffer

connect state: CLIENT_HELLO_SENT
growing input buffer

growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing server hello
wolfSSL Leaving DoHandShakeMsgType(), return 0
wolfSSL Leaving DoHandShakeMsg(), return 0
growing input buffer

received record layer msg
wolfSSL Entering DoHandShakeMsg()
wolfSSL Entering DoHandShakeMsgType
processing certificate
Loading peer's cert chain
    Put another cert into chain
    Put another cert into chain
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
        Extension type not handled, skipping
        Extension type not handled, skipping
wolfSSL Entering DecodeAltNames
        Not DNS type
        Extension type not handled, skipping
wolfSSL Entering DecodeCrlDist
        Extension type not handled, skipping
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify CA from chain
Veriying Peer's cert
wolfSSL Entering GetExplicitVersion
wolfSSL Entering GetMyVersion
wolfSSL Entering GetAlgoId
Getting Cert Name
Getting Cert Name
wolfSSL Entering GetAlgoId
wolfSSL Entering DecodeCertExtensions
        found optional critical flag, moving past
wolfSSL Entering DecodeBasicCaConstraint
wolfSSL Entering DecodeCrlDist
        Extension type not handled, skipping
        There are more Authority Information Access records, but we only use fir
st one.
wolfSSL Entering GetAlgoId
About to verify certificate signature
No CA signer to verify with
Failed to verify Peer's cert
        No callback override availalbe, fatal
wolfSSL Leaving DoHandShakeMsgType(), return -155
wolfSSL Leaving DoHandShakeMsg(), return -155
wolfSSL error occured, error = -155
wolfSSL Entering SSL_get_error
wolfSSL Leaving SSL_get_error, return -155
wolfSSL Entering ERR_error_string
err = -155, ASN sig error, confirm failure
wolfSSL error: SSL_connect failed

Last edited by rpzrpzrpz (2012-11-15 16:35:55)