/**
* removeNode - Remove data for a USB node from the linked list data structure
*
* result - success 0 or failure -1
*/
int removeNode(struct usb_cypress *dev)
{
int i, serialNum = 0;
serialNum = getSerialNum(dev);
//A device has been disconnected
if( serialNum < 0 )
{
for( i = 0; i < MAX_BOARDS; i++ )
{
//Look for an active node that has dev structure incorrect
if( (USBBoards[i].isActive == TRUE) && (getSerialNum(USBBoards[i].data) < 0) )
{
USBBoards[i].isActive = FALSE;
USBBoards[i].data = NULL;
usb_board_count--;
printk(DRIVER_DESC ": USB board #%d removed from system\n",i);
return 0;
}
}
return -1;
}
//The driver is being powered off
else
{
for (i = 0; i < MAX_BOARDS; i++)
{
//Look for the board and remove it's data structure
if ((USBBoards[i].isActive == TRUE) && (i == serialNum))
{
USBBoards[i].isActive = FALSE;
USBBoards[i].data = NULL;
usb_board_count--;
printk(DRIVER_DESC ": USB board #%d detached from driver\n",i);
return 0;
}
}
return -1;
}
}
/**
* addNode - Add data for a USB node to the linked list data structure
*
* result - success 0 or failure -1
*/
int addNode(struct usb_cypress *dev)
{
int serialNum = getSerialNum(dev);
USBBoards[serialNum].isActive = TRUE; //Set the board as active
USBBoards[serialNum].data = dev; //Set pointer with data to point to dev struct
usb_board_count++; //Update count of number of USB boards attached
printk(DRIVER_DESC ": USB Board #%d Successfully Attached\n",serialNum);
return 0;
}
/*
Parse an X509 ASN.1 certificate stream
http://www.faqs.org/rfcs/rfc2459.html section 4.1
*/
int32 matrixX509ParseCert(psPool_t *pool, unsigned char *pp, int32 size,
sslRsaCert_t **outcert)
{
sslRsaCert_t *cert;
sslMd5Context_t md5Ctx;
sslSha1Context_t sha1Ctx;
unsigned char *p, *end, *certStart, *certEnd;
int32 certLen, len, parsing;
#ifdef USE_MD2
sslMd2Context_t md2Ctx;
#endif /* USE_MD2 */
/*
Allocate the cert structure right away. User MUST always call
matrixX509FreeCert regardless of whether this function succeeds.
memset is important because the test for NULL is what is used
to determine what to free
*/
*outcert = cert = psMalloc(pool, sizeof(sslRsaCert_t));
if (cert == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(cert, '\0', sizeof(sslRsaCert_t));
p = pp;
end = p + size;
/*
Certificate ::= SEQUENCE {
tbsCertificate TBSCertificate,
signatureAlgorithm AlgorithmIdentifier,
signatureValue BIT STRING }
*/
parsing = 1;
while (parsing) {
if (getSequence(&p, (int32)(end - p), &len) < 0) {
matrixStrDebugMsg("Initial cert parse error\n", NULL);
return -1;
}
certStart = p;
/*
TBSCertificate ::= SEQUENCE {
version [0] EXPLICIT Version DEFAULT v1,
serialNumber CertificateSerialNumber,
signature AlgorithmIdentifier,
issuer Name,
validity Validity,
subject Name,
subjectPublicKeyInfo SubjectPublicKeyInfo,
issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
-- If present, version shall be v2 or v3
extensions [3] EXPLICIT Extensions OPTIONAL
-- If present, version shall be v3 }
*/
if (getSequence(&p, (int32)(end - p), &len) < 0) {
matrixStrDebugMsg("ASN sequence parse error\n", NULL);
return -1;
}
certEnd = p + len;
certLen = (int32)(certEnd - certStart);
/*
Version ::= INTEGER { v1(0), v2(1), v3(2) }
*/
if (getExplicitVersion(&p, (int32)(end - p), 0, &cert->version) < 0) {
matrixStrDebugMsg("ASN version parse error\n", NULL);
return -1;
}
if (cert->version != 2) {
matrixIntDebugMsg("Warning: non-v3 certificate version: %d\n",
cert->version);
}
/*
CertificateSerialNumber ::= INTEGER
*/
if (getSerialNum(pool, &p, (int32)(end - p), &cert->serialNumber,
&cert->serialNumberLen) < 0) {
matrixStrDebugMsg("ASN serial number parse error\n", NULL);
return -1;
}
/*
AlgorithmIdentifier ::= SEQUENCE {
algorithm OBJECT IDENTIFIER,
parameters ANY DEFINED BY algorithm OPTIONAL }
*/
if (getAlgorithmIdentifier(&p, (int32)(end - p),
&cert->certAlgorithm, 0) < 0) {
return -1;
}
/*
Name ::= CHOICE {
RDNSequence }
RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
RelativeDistinguishedName ::= SET OF AttributeTypeAndValue
AttributeTypeAndValue ::= SEQUENCE {
type AttributeType,
value AttributeValue }
AttributeType ::= OBJECT IDENTIFIER
AttributeValue ::= ANY DEFINED BY AttributeType
*/
if (getDNAttributes(pool, &p, (int32)(end - p), &cert->issuer) < 0) {
return -1;
}
/*
Validity ::= SEQUENCE {
notBefore Time,
notAfter Time }
*/
if (getValidity(pool, &p, (int32)(end - p), &cert->notBefore,
&cert->notAfter) < 0) {
return -1;
}
/*
Subject DN
*/
if (getDNAttributes(pool, &p, (int32)(end - p), &cert->subject) < 0) {
return -1;
}
/*
SubjectPublicKeyInfo ::= SEQUENCE {
algorithm AlgorithmIdentifier,
subjectPublicKey BIT STRING }
*/
if (getSequence(&p, (int32)(end - p), &len) < 0) {
return -1;
}
if (getAlgorithmIdentifier(&p, (int32)(end - p),
&cert->pubKeyAlgorithm, 1) < 0) {
return -1;
}
if (getPubKey(pool, &p, (int32)(end - p), &cert->publicKey) < 0) {
return -1;
}
/*
As the next three values are optional, we can do a specific test here
*/
if (*p != (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
if (getImplicitBitString(pool, &p, (int32)(end - p), IMPLICIT_ISSUER_ID,
&cert->uniqueUserId, &cert->uniqueUserIdLen) < 0 ||
getImplicitBitString(pool, &p, (int32)(end - p), IMPLICIT_SUBJECT_ID,
&cert->uniqueSubjectId, &cert->uniqueSubjectIdLen) < 0 ||
getExplicitExtensions(pool, &p, (int32)(end - p), EXPLICIT_EXTENSION,
&cert->extensions) < 0) {
matrixStrDebugMsg("There was an error parsing a certificate\n", NULL);
matrixStrDebugMsg("extension. This is likely caused by an\n", NULL);
matrixStrDebugMsg("extension format that is not currently\n", NULL);
matrixStrDebugMsg("recognized. Please email [email protected]\n", NULL);
matrixStrDebugMsg("to add support for the extension.\n\n", NULL);
return -1;
}
}
/*
This is the end of the cert. Do a check here to be certain
*/
if (certEnd != p) {
return -1;
}
/*
Certificate signature info
*/
if (getAlgorithmIdentifier(&p, (int32)(end - p),
&cert->sigAlgorithm, 0) < 0) {
return -1;
}
/*
Signature algorithm must match that specified in TBS cert
*/
if (cert->certAlgorithm != cert->sigAlgorithm) {
matrixStrDebugMsg("Parse error: mismatched signature type\n", NULL);
return -1;
}
/*
Compute the hash of the cert here for CA validation
*/
if (cert->certAlgorithm == OID_RSA_MD5) {
matrixMd5Init(&md5Ctx);
matrixMd5Update(&md5Ctx, certStart, certLen);
matrixMd5Final(&md5Ctx, cert->sigHash);
} else if (cert->certAlgorithm == OID_RSA_SHA1) {
matrixSha1Init(&sha1Ctx);
matrixSha1Update(&sha1Ctx, certStart, certLen);
matrixSha1Final(&sha1Ctx, cert->sigHash);
}
#ifdef USE_MD2
else if (cert->certAlgorithm == OID_RSA_MD2) {
matrixMd2Init(&md2Ctx);
matrixMd2Update(&md2Ctx, certStart, certLen);
matrixMd2Final(&md2Ctx, cert->sigHash);
}
#endif /* USE_MD2 */
if (getSignature(pool, &p, (int32)(end - p), &cert->signature,
&cert->signatureLen) < 0) {
return -1;
}
/*
The ability to parse additional chained certs is a PKI product
feature addition. Chaining in MatrixSSL is handled internally.
*/
if (p != end) {
cert->next = psMalloc(pool, sizeof(sslRsaCert_t));
cert = cert->next;
memset(cert, '\0', sizeof(sslRsaCert_t));
} else {
parsing = 0;
}
}
return (int32)(p - pp);
}
/*
X509v3 extensions
*/
static int32 getExplicitExtensions(psPool_t *pool, unsigned char **pp,
int32 inlen, int32 expVal,
v3extensions_t *extensions)
{
unsigned char *p = *pp, *end;
unsigned char *extEnd, *extStart;
int32 len, noid, tmpLen, critical, fullExtLen;
unsigned char oid[SSL_MD5_HASH_SIZE];
sslMd5Context_t md5ctx;
end = p + inlen;
if (inlen < 1) {
return -1;
}
/*
Not treating this as an error because it is optional.
*/
if (*p != (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | expVal)) {
return 0;
}
p++;
if (asnParseLength(&p, (int32)(end - p), &len) < 0 || (end - p) < len) {
return -1;
}
/*
Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
Extension ::= SEQUENCE {
extnID OBJECT IDENTIFIER,
extnValue OCTET STRING }
*/
if (getSequence(&p, (int32)(end - p), &len) < 0) {
return -1;
}
extEnd = p + len;
while ((p != extEnd) && *p == (ASN_SEQUENCE | ASN_CONSTRUCTED)) {
if (getSequence(&p, (int32)(extEnd - p), &fullExtLen) < 0) {
return -1;
}
extStart = p;
/*
Conforming CAs MUST support key identifiers, basic constraints,
key usage, and certificate policies extensions
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= { id-ce 35 }
id-ce-basicConstraints OBJECT IDENTIFIER ::= { id-ce 19 } 133
id-ce-keyUsage OBJECT IDENTIFIER ::= { id-ce 15 }
id-ce-certificatePolicies OBJECT IDENTIFIER ::= { id-ce 32 }
id-ce-subjectAltName OBJECT IDENTIFIER ::= { id-ce 17 } 131
*/
if (extEnd - p < 1 || *p++ != ASN_OID) {
return -1;
}
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
(extEnd - p) < len) {
return -1;
}
/*
Send the OID through a digest to get the unique id
*/
matrixMd5Init(&md5ctx);
while (len-- > 0) {
matrixMd5Update(&md5ctx, p, sizeof(char));
p++;
}
matrixMd5Final(&md5ctx, oid);
noid = lookupExt(oid);
/*
Possible boolean value here for 'critical' id. It's a failure if a
critical extension is found that is not supported
*/
critical = 0;
if (*p == ASN_BOOLEAN) {
p++;
if (*p++ != 1) {
matrixStrDebugMsg("Error parsing cert extension\n", NULL);
return -1;
}
if (*p++ > 0) {
critical = 1;
}
}
if (extEnd - p < 1 || (*p++ != ASN_OCTET_STRING) ||
asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
extEnd - p < len) {
matrixStrDebugMsg("Expecting OCTET STRING in ext parse\n", NULL);
return -1;
}
switch (noid) {
/*
BasicConstraints ::= SEQUENCE {
cA BOOLEAN DEFAULT FALSE,
pathLenConstraint INTEGER (0..MAX) OPTIONAL }
*/
case EXT_BASIC_CONSTRAINTS:
if (getSequence(&p, (int32)(extEnd - p), &len) < 0) {
return -1;
}
/*
"This goes against PKIX guidelines but some CAs do it and some
software requires this to avoid interpreting an end user
certificate as a CA."
- OpenSSL certificate configuration doc
basicConstraints=CA:FALSE
*/
if (len == 0) {
break;
}
if (extEnd - p < 3) {
return -1;
}
if (*p++ != ASN_BOOLEAN) {
return -1;
}
if (*p++ != 1) {
return -1;
}
extensions->bc.ca = *p++;
/*
Now need to check if there is a path constraint. Only makes
sense if cA is true. If it's missing, there is no limit to
the cert path
*/
if (*p == ASN_INTEGER) {
if (getInteger(&p, (int32)(extEnd - p),
&(extensions->bc.pathLenConstraint)) < 0) {
return -1;
}
} else {
extensions->bc.pathLenConstraint = -1;
}
break;
case EXT_ALT_SUBJECT_NAME:
if (getSequence(&p, (int32)(extEnd - p), &len) < 0) {
return -1;
}
/*
Looking only for DNS, URI, and email here to support
FQDN for Web clients
FUTURE: Support all subject alt name members
GeneralName ::= CHOICE {
otherName [0] OtherName,
rfc822Name [1] IA5String,
dNSName [2] IA5String,
x400Address [3] ORAddress,
directoryName [4] Name,
ediPartyName [5] EDIPartyName,
uniformResourceIdentifier [6] IA5String,
iPAddress [7] OCTET STRING,
registeredID [8] OBJECT IDENTIFIER }
*/
while (len > 0) {
if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 2)) {
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
extensions->san.dns = psMalloc(pool, tmpLen + 1);
if (extensions->san.dns == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(extensions->san.dns, 0x0, tmpLen + 1);
memcpy(extensions->san.dns, p, tmpLen);
} else if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 6)) {
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
extensions->san.uri = psMalloc(pool, tmpLen + 1);
if (extensions->san.uri == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(extensions->san.uri, 0x0, tmpLen + 1);
memcpy(extensions->san.uri, p, tmpLen);
} else if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 1)) {
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
extensions->san.email = psMalloc(pool, tmpLen + 1);
if (extensions->san.email == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memset(extensions->san.email, 0x0, tmpLen + 1);
memcpy(extensions->san.email, p, tmpLen);
} else {
matrixStrDebugMsg("Unsupported subjectAltName type.n",
NULL);
p++;
tmpLen = *p++;
if (extEnd - p < tmpLen) {
return -1;
}
}
p = p + tmpLen;
len -= tmpLen + 2; /* the magic 2 is the type and length */
}
break;
#ifdef USE_FULL_CERT_PARSE
case EXT_AUTH_KEY_ID:
/*
AuthorityKeyIdentifier ::= SEQUENCE {
keyIdentifier [0] KeyIdentifier OPTIONAL,
authorityCertIssuer [1] GeneralNames OPTIONAL,
authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
KeyIdentifier ::= OCTET STRING
*/
if (getSequence(&p, (int32)(extEnd - p), &len) < 0) {
return -1;
}
/*
Have seen a cert that has a zero length ext here. Let it pass.
*/
if (len == 0) {
break;
}
/*
All memebers are optional
*/
if (*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 0)) {
p++;
if (asnParseLength(&p, (int32)(extEnd - p),
&extensions->ak.keyLen) < 0 ||
extEnd - p < extensions->ak.keyLen) {
return -1;
}
extensions->ak.keyId = psMalloc(pool, extensions->ak.keyLen);
if (extensions->ak.keyId == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memcpy(extensions->ak.keyId, p, extensions->ak.keyLen);
p = p + extensions->ak.keyLen;
}
if (*p == (ASN_CONTEXT_SPECIFIC | ASN_CONSTRUCTED | 1)) {
p++;
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
len < 1 || extEnd - p < len) {
return -1;
}
if ((*p ^ ASN_CONTEXT_SPECIFIC ^ ASN_CONSTRUCTED) != 4) {
/*
FUTURE: support other name types
We are just dealing with DN formats here
*/
matrixIntDebugMsg("Error auth key-id name type: %d\n",
*p ^ ASN_CONTEXT_SPECIFIC ^ ASN_CONSTRUCTED);
return -1;
}
p++;
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
extEnd - p < len) {
return -1;
}
if (getDNAttributes(pool, &p, (int32)(extEnd - p),
&(extensions->ak.attribs)) < 0) {
return -1;
}
}
if ((*p == (ASN_CONTEXT_SPECIFIC | ASN_PRIMITIVE | 2)) ||
(*p == ASN_INTEGER)){
/*
Treat as a serial number (not a native INTEGER)
*/
if (getSerialNum(pool, &p, (int32)(extEnd - p),
&(extensions->ak.serialNum), &len) < 0) {
return -1;
}
extensions->ak.serialNumLen = len;
}
break;
case EXT_KEY_USAGE:
/*
KeyUsage ::= BIT STRING {
digitalSignature (0),
nonRepudiation (1),
keyEncipherment (2),
dataEncipherment (3),
keyAgreement (4),
keyCertSign (5),
cRLSign (6),
encipherOnly (7),
decipherOnly (8) }
*/
if (*p++ != ASN_BIT_STRING) {
return -1;
}
if (asnParseLength(&p, (int32)(extEnd - p), &len) < 0 ||
extEnd - p < len) {
return -1;
}
if (len != 2) {
return -1;
}
/*
Assure all unused bits are 0 and store away
*/
extensions->keyUsage = (*(p + 1)) & ~((1 << *p) -1);
p = p + len;
break;
case EXT_SUBJ_KEY_ID:
/*
The value of the subject key identifier MUST be the value
placed in the key identifier field of the Auth Key Identifier
extension of certificates issued by the subject of
this certificate.
*/
if (*p++ != ASN_OCTET_STRING || asnParseLength(&p,
(int32)(extEnd - p), &(extensions->sk.len)) < 0 ||
extEnd - p < extensions->sk.len) {
return -1;
}
extensions->sk.id = psMalloc(pool, extensions->sk.len);
if (extensions->sk.id == NULL) {
return -8; /* SSL_MEM_ERROR */
}
memcpy(extensions->sk.id, p, extensions->sk.len);
p = p + extensions->sk.len;
break;
#endif /* USE_FULL_CERT_PARSE */
/*
Unsupported or skipping because USE_FULL_CERT_PARSE is undefined
*/
default:
if (critical) {
/*
SPEC DIFFERENCE: Ignoring an unrecognized critical
extension. The specification dictates an error should
occur, but real-world experience has shown this is not
a realistic or desirable action. Also, no other SSL
implementations have been found to error in this case.
It is NOT a security risk in an RSA authenticaion sense.
*/
matrixStrDebugMsg("Unknown critical ext encountered\n",
NULL);
}
p++;
/*
Skip over based on the length reported from the ASN_SEQUENCE
surrounding the entire extension. It is not a guarantee that
the value of the extension itself will contain it's own length.
*/
p = p + (fullExtLen - (p - extStart));
break;
}
}
*pp = p;
return 0;
}
