result_t X509Cert::load(const x509_crt *crt) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); int ret; ret = x509_crt_parse_der(&m_crt, crt->raw.p, crt->raw.len); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; }
result_t X509Cert::load(Buffer_base *derCert) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); int ret; std::string crt; derCert->toString(crt); ret = x509_crt_parse_der(&m_crt, (const unsigned char *)crt.c_str(), crt.length()); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; }
result_t X509Cert::loadFile(const char *filename) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); result_t hr; std::string data; int ret; hr = fs_base::ac_readFile(filename, data); if (hr < 0) return hr; if (qstrstr(data.c_str(), "BEGIN CERTIFICATE") || qstrstr(data.c_str(), "CKO_CERTIFICATE")) return load(data.c_str()); ret = x509_crt_parse_der(&m_crt, (const unsigned char *)data.c_str(), data.length()); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; }
static CURLcode polarssl_connect_step2(struct connectdata *conn, int sockindex) { int ret; struct Curl_easy *data = conn->data; struct ssl_connect_data* connssl = &conn->ssl[sockindex]; char buffer[1024]; const char * const pinnedpubkey = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] : data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]; char errorbuf[128]; errorbuf[0] = 0; conn->recv[sockindex] = polarssl_recv; conn->send[sockindex] = polarssl_send; ret = ssl_handshake(&BACKEND->ssl); switch(ret) { case 0: break; case POLARSSL_ERR_NET_WANT_READ: connssl->connecting_state = ssl_connect_2_reading; return CURLE_OK; case POLARSSL_ERR_NET_WANT_WRITE: connssl->connecting_state = ssl_connect_2_writing; return CURLE_OK; default: error_strerror(ret, errorbuf, sizeof(errorbuf)); failf(data, "ssl_handshake returned - PolarSSL: (-0x%04X) %s", -ret, errorbuf); return CURLE_SSL_CONNECT_ERROR; } infof(data, "PolarSSL: Handshake complete, cipher is %s\n", ssl_get_ciphersuite(&BACKEND->ssl) ); ret = ssl_get_verify_result(&BACKEND->ssl); if(ret && SSL_CONN_CONFIG(verifypeer)) { if(ret & BADCERT_EXPIRED) failf(data, "Cert verify failed: BADCERT_EXPIRED"); if(ret & BADCERT_REVOKED) { failf(data, "Cert verify failed: BADCERT_REVOKED"); return CURLE_SSL_CACERT; } if(ret & BADCERT_CN_MISMATCH) failf(data, "Cert verify failed: BADCERT_CN_MISMATCH"); if(ret & BADCERT_NOT_TRUSTED) failf(data, "Cert verify failed: BADCERT_NOT_TRUSTED"); return CURLE_PEER_FAILED_VERIFICATION; } if(ssl_get_peer_cert(&(BACKEND->ssl))) { /* If the session was resumed, there will be no peer certs */ memset(buffer, 0, sizeof(buffer)); if(x509_crt_info(buffer, sizeof(buffer), (char *)"* ", ssl_get_peer_cert(&(BACKEND->ssl))) != -1) infof(data, "Dumping cert info:\n%s\n", buffer); } /* adapted from mbedtls.c */ if(pinnedpubkey) { int size; CURLcode result; x509_crt *p; unsigned char pubkey[PUB_DER_MAX_BYTES]; const x509_crt *peercert; peercert = ssl_get_peer_cert(&BACKEND->ssl); if(!peercert || !peercert->raw.p || !peercert->raw.len) { failf(data, "Failed due to missing peer certificate"); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; } p = calloc(1, sizeof(*p)); if(!p) return CURLE_OUT_OF_MEMORY; x509_crt_init(p); /* Make a copy of our const peercert because pk_write_pubkey_der needs a non-const key, for now. https://github.com/ARMmbed/mbedtls/issues/396 */ if(x509_crt_parse_der(p, peercert->raw.p, peercert->raw.len)) { failf(data, "Failed copying peer certificate"); x509_crt_free(p); free(p); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; } size = pk_write_pubkey_der(&p->pk, pubkey, PUB_DER_MAX_BYTES); if(size <= 0) { failf(data, "Failed copying public key from peer certificate"); x509_crt_free(p); free(p); return CURLE_SSL_PINNEDPUBKEYNOTMATCH; } /* pk_write_pubkey_der writes data at the end of the buffer. */ result = Curl_pin_peer_pubkey(data, pinnedpubkey, &pubkey[PUB_DER_MAX_BYTES - size], size); if(result) { x509_crt_free(p); free(p); return result; } x509_crt_free(p); free(p); } #ifdef HAS_ALPN if(conn->bits.tls_enable_alpn) { const char *next_protocol = ssl_get_alpn_protocol(&BACKEND->ssl); if(next_protocol != NULL) { infof(data, "ALPN, server accepted to use %s\n", next_protocol); #ifdef USE_NGHTTP2 if(!strncmp(next_protocol, NGHTTP2_PROTO_VERSION_ID, NGHTTP2_PROTO_VERSION_ID_LEN)) { conn->negnpn = CURL_HTTP_VERSION_2; } else #endif if(!strncmp(next_protocol, ALPN_HTTP_1_1, ALPN_HTTP_1_1_LENGTH)) { conn->negnpn = CURL_HTTP_VERSION_1_1; } } else infof(data, "ALPN, server did not agree to a protocol\n"); } #endif connssl->connecting_state = ssl_connect_3; infof(data, "SSL connected\n"); return CURLE_OK; }
IPCCommandResult CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) { SIOCtlVBuffer CommandBuffer(_CommandAddress); u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0; u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0; u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0; u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0; if (CommandBuffer.InBuffer.size() > 0) { _BufferIn = CommandBuffer.InBuffer.at(0).m_Address; BufferInSize = CommandBuffer.InBuffer.at(0).m_Size; } if (CommandBuffer.InBuffer.size() > 1) { _BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address; BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size; } if (CommandBuffer.InBuffer.size() > 2) { _BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address; BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 0) { BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address; BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 1) { BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address; BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 2) { BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address; BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size; } // I don't trust SSL to be deterministic, and this is never going to sync // as such (as opposed to forwarding IPC results or whatever), so - if (Core::g_want_determinism) { Memory::Write_U32(-1, _CommandAddress + 0x4); return IPC_DEFAULT_REPLY; } switch (CommandBuffer.Parameter) { case IOCTLV_NET_SSL_NEW: { int verifyOption = Memory::Read_U32(BufferOut); std::string hostname = Memory::GetString(BufferOut2, BufferOutSize2); int freeSSL = GetSSLFreeID(); if (freeSSL) { int sslID = freeSSL - 1; WII_SSL* ssl = &_SSL[sslID]; int ret = ssl_init(&ssl->ctx); if (ret) { goto _SSL_NEW_ERROR; } entropy_init(&ssl->entropy); const char* pers = "dolphin-emu"; ret = ctr_drbg_init(&ssl->ctr_drbg, entropy_func, &ssl->entropy, (const unsigned char*)pers, strlen(pers)); if (ret) { ssl_free(&ssl->ctx); entropy_free(&ssl->entropy); goto _SSL_NEW_ERROR; } ssl_set_rng(&ssl->ctx, ctr_drbg_random, &ssl->ctr_drbg); // For some reason we can't use TLSv1.2, v1.1 and below are fine! ssl_set_max_version(&ssl->ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2); ssl_set_session(&ssl->ctx, &ssl->session); ssl_set_endpoint(&ssl->ctx, SSL_IS_CLIENT); ssl_set_authmode(&ssl->ctx, SSL_VERIFY_NONE); ssl_set_renegotiation(&ssl->ctx, SSL_RENEGOTIATION_ENABLED); ssl->hostname = hostname; ssl_set_hostname(&ssl->ctx, ssl->hostname.c_str()); ssl->active = true; Memory::Write_U32(freeSSL, _BufferIn); } else { _SSL_NEW_ERROR: Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", verifyOption, hostname.c_str(), _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SHUTDOWN: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; ssl_close_notify(&ssl->ctx); ssl_session_free(&ssl->session); ssl_free(&ssl->ctx); entropy_free(&ssl->entropy); x509_crt_free(&ssl->cacert); x509_crt_free(&ssl->clicert); ssl->hostname.clear(); ssl->active = false; Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCA: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; int ret = x509_crt_parse_der( &ssl->cacert, Memory::GetPointer(BufferOut2), BufferOutSize2); if (ret) { Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str()); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; std::string cert_base_path = File::GetUserPath(D_SESSION_WIIROOT_IDX); int ret = x509_crt_parse_file(&ssl->clicert, (cert_base_path + "clientca.pem").c_str()); int pk_ret = pk_parse_keyfile(&ssl->pk, (cert_base_path + "clientcakey.pem").c_str(), nullptr); if (ret || pk_ret) { x509_crt_free(&ssl->clicert); pk_free(&ssl->pk); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_own_cert(&ssl->ctx, &ssl->clicert, &ssl->pk); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_REMOVECLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; x509_crt_free(&ssl->clicert); pk_free(&ssl->pk); ssl_set_own_cert(&ssl->ctx, nullptr, nullptr); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_SETBUILTINROOTCA: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; int ret = x509_crt_parse_file(&ssl->cacert, (File::GetUserPath(D_SESSION_WIIROOT_IDX) + "/rootca.pem").c_str()); if (ret) { x509_crt_free(&ssl->clicert); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str()); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_CONNECT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WII_SSL* ssl = &_SSL[sslID]; ssl->sockfd = Memory::Read_U32(BufferOut2); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", ssl->sockfd); ssl_set_bio(&ssl->ctx, net_recv, &ssl->sockfd, net_send, &ssl->sockfd); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_DOHANDSHAKE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::GetInstance(); sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE); return IPC_NO_REPLY; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_WRITE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::GetInstance(); sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE); return IPC_NO_REPLY; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); INFO_LOG(WII_IPC_SSL, "%s", Memory::GetString(BufferOut2).c_str()); break; } case IOCTLV_NET_SSL_READ: { int ret = 0; int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::GetInstance(); sm.DoSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ); return IPC_NO_REPLY; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)" "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", ret, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCADEFAULT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } default: ERROR_LOG(WII_IPC_SSL, "%i " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", CommandBuffer.Parameter, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } // SSL return codes are written to BufferIn Memory::Write_U32(0, _CommandAddress+4); return IPC_DEFAULT_REPLY; }
result_t X509Cert::load(const char *txtCert) { if (m_root) return CHECK_ERROR(CALL_E_INVALID_CALL); int ret; if (qstrstr(txtCert, "BEGIN CERTIFICATE")) { ret = x509_crt_parse(&m_crt, (const unsigned char *)txtCert, qstrlen(txtCert)); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); return 0; } _parser p(txtCert, (int)qstrlen(txtCert)); bool is_loaded = false; while (!p.end()) { std::string cka_value; bool in_multiline = false, in_obj = false; bool is_cert = false; bool is_value = false; while (!p.end()) { std::string line; std::string cmd, type, value; p.getLine(line); _parser p1(line); p1.skipSpace(); if (p1.get() == '#') continue; if (in_multiline) { if (p1.get() == '\\') { if (is_value) { while (p1.get() == '\\') { char ch1, ch2, ch3; p1.skip(); ch1 = p1.getChar(); if (ch1 < '0' || ch1 > '7') break; ch2 = p1.getChar(); if (ch2 < '0' || ch2 > '7') break; ch3 = p1.getChar(); if (ch3 < '0' || ch3 > '7') break; ch1 = (ch1 - '0') * 64 + (ch2 - '0') * 8 + (ch3 - '0'); cka_value.append(&ch1, 1); } } continue; } p1.getWord(cmd); if (!qstrcmp(cmd.c_str(), "END")) in_multiline = false; continue; } p1.getWord(cmd); p1.skipSpace(); p1.getWord(type); if (!qstrcmp(type.c_str(), "MULTILINE_OCTAL")) { is_value = is_cert && !qstrcmp(cmd.c_str(), "CKA_VALUE"); if (is_value) cka_value.resize(0); in_multiline = true; continue; } p1.skipSpace(); p1.getLeft(value); if (!in_obj) { if (!qstrcmp(cmd.c_str(), "CKA_CLASS")) { in_obj = true; is_cert = !qstrcmp(value.c_str(), "CKO_CERTIFICATE"); } continue; } if (cmd.empty()) break; } if (!cka_value.empty()) { ret = x509_crt_parse_der(&m_crt, (const unsigned char *)cka_value.c_str(), cka_value.length()); if (ret != 0) return CHECK_ERROR(_ssl::setError(ret)); is_loaded = true; } } if (!is_loaded) return CHECK_ERROR(_ssl::setError(POLARSSL_ERR_X509_INVALID_FORMAT)); return 0; }
bool CWII_IPC_HLE_Device_net_ssl::IOCtlV(u32 _CommandAddress) { SIOCtlVBuffer CommandBuffer(_CommandAddress); u32 _BufferIn = 0, _BufferIn2 = 0, _BufferIn3 = 0; u32 BufferInSize = 0, BufferInSize2 = 0, BufferInSize3 = 0; u32 BufferOut = 0, BufferOut2 = 0, BufferOut3 = 0; u32 BufferOutSize = 0, BufferOutSize2 = 0, BufferOutSize3 = 0; if (CommandBuffer.InBuffer.size() > 0) { _BufferIn = CommandBuffer.InBuffer.at(0).m_Address; BufferInSize = CommandBuffer.InBuffer.at(0).m_Size; } if (CommandBuffer.InBuffer.size() > 1) { _BufferIn2 = CommandBuffer.InBuffer.at(1).m_Address; BufferInSize2 = CommandBuffer.InBuffer.at(1).m_Size; } if (CommandBuffer.InBuffer.size() > 2) { _BufferIn3 = CommandBuffer.InBuffer.at(2).m_Address; BufferInSize3 = CommandBuffer.InBuffer.at(2).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 0) { BufferOut = CommandBuffer.PayloadBuffer.at(0).m_Address; BufferOutSize = CommandBuffer.PayloadBuffer.at(0).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 1) { BufferOut2 = CommandBuffer.PayloadBuffer.at(1).m_Address; BufferOutSize2 = CommandBuffer.PayloadBuffer.at(1).m_Size; } if (CommandBuffer.PayloadBuffer.size() > 2) { BufferOut3 = CommandBuffer.PayloadBuffer.at(2).m_Address; BufferOutSize3 = CommandBuffer.PayloadBuffer.at(2).m_Size; } switch (CommandBuffer.Parameter) { case IOCTLV_NET_SSL_NEW: { int verifyOption = Memory::Read_U32(BufferOut); const char * hostname = (const char*) Memory::GetPointer(BufferOut2); int freeSSL = this->getSSLFreeID(); if (freeSSL) { int sslID = freeSSL - 1; int ret = ssl_init(&_SSL[sslID].ctx); if (ret) { // Cleanup possibly dirty ctx memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context)); goto _SSL_NEW_ERROR; } entropy_init(&_SSL[sslID].entropy); const char* pers = "dolphin-emu"; ret = ctr_drbg_init(&_SSL[sslID].ctr_drbg, entropy_func, &_SSL[sslID].entropy, (const unsigned char*)pers, strlen(pers)); if (ret) { ssl_free(&_SSL[sslID].ctx); // Cleanup possibly dirty ctx memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context)); entropy_free(&_SSL[sslID].entropy); goto _SSL_NEW_ERROR; } ssl_set_rng(&_SSL[sslID].ctx, ctr_drbg_random, &_SSL[sslID].ctr_drbg); // For some reason we can't use TLSv1.2, v1.1 and below are fine! ssl_set_max_version(&_SSL[sslID].ctx, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2); ssl_set_session(&_SSL[sslID].ctx, &_SSL[sslID].session); ssl_set_endpoint(&_SSL[sslID].ctx, SSL_IS_CLIENT); ssl_set_authmode(&_SSL[sslID].ctx, SSL_VERIFY_NONE); ssl_set_renegotiation(&_SSL[sslID].ctx, SSL_RENEGOTIATION_ENABLED); memcpy(_SSL[sslID].hostname, hostname, min((int)BufferOutSize2, NET_SSL_MAX_HOSTNAME_LEN)); _SSL[sslID].hostname[NET_SSL_MAX_HOSTNAME_LEN-1] = '\0'; ssl_set_hostname(&_SSL[sslID].ctx, _SSL[sslID].hostname); _SSL[sslID].active = true; Memory::Write_U32(freeSSL, _BufferIn); } else { _SSL_NEW_ERROR: Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_NEW (%d, %s) " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", verifyOption, hostname, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SHUTDOWN: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { ssl_close_notify(&_SSL[sslID].ctx); ssl_session_free(&_SSL[sslID].session); ssl_free(&_SSL[sslID].ctx); entropy_free(&_SSL[sslID].entropy); x509_crt_free(&_SSL[sslID].cacert); x509_crt_free(&_SSL[sslID].clicert); memset(&_SSL[sslID].ctx, 0, sizeof(ssl_context)); memset(&_SSL[sslID].session, 0, sizeof(ssl_session)); memset(&_SSL[sslID].entropy, 0, sizeof(entropy_context)); memset(_SSL[sslID].hostname, 0, NET_SSL_MAX_HOSTNAME_LEN); _SSL[sslID].active = false; Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SHUTDOWN " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCA: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { int ret = x509_crt_parse_der( &_SSL[sslID].cacert, Memory::GetPointer(BufferOut2), BufferOutSize2); if (ret) { Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&_SSL[sslID].ctx, &_SSL[sslID].cacert, NULL, _SSL[sslID].hostname); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { std::string cert_base_path(File::GetUserPath(D_WIIUSER_IDX)); int ret = x509_crt_parse_file(&_SSL[sslID].clicert, (cert_base_path + "clientca.pem").c_str()); int pk_ret = pk_parse_keyfile(&_SSL[sslID].pk, (cert_base_path + "clientcakey.pem").c_str(), NULL); if (ret || pk_ret) { x509_crt_free(&_SSL[sslID].clicert); pk_free(&_SSL[sslID].pk); memset(&_SSL[sslID].clicert, 0, sizeof(x509_crt)); memset(&_SSL[sslID].pk, 0, sizeof(pk_context)); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_own_cert(&_SSL[sslID].ctx, &_SSL[sslID].clicert, &_SSL[sslID].pk); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT = (%d, %d)", ret, pk_ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_REMOVECLIENTCERT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_REMOVECLIENTCERT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { x509_crt_free(&_SSL[sslID].clicert); pk_free(&_SSL[sslID].pk); memset(&_SSL[sslID].clicert, 0, sizeof(x509_crt)); memset(&_SSL[sslID].pk, 0, sizeof(pk_context)); ssl_set_own_cert(&_SSL[sslID].ctx, NULL, NULL); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT invalid sslID = %d", sslID); } break; } case IOCTLV_NET_SSL_SETBUILTINROOTCA: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { std::string cert_base_path(File::GetUserPath(D_WIIUSER_IDX)); int ret = x509_crt_parse_file(&_SSL[sslID].cacert, (cert_base_path + "rootca.pem").c_str()); if (ret) { x509_crt_free(&_SSL[sslID].clicert); Memory::Write_U32(SSL_ERR_FAILED, _BufferIn); } else { ssl_set_ca_chain(&_SSL[sslID].ctx, &_SSL[sslID].cacert, NULL, _SSL[sslID].hostname); Memory::Write_U32(SSL_OK, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA = %d", ret); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINROOTCA " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_CONNECT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { _SSL[sslID].sockfd = Memory::Read_U32(BufferOut2); INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT socket = %d", _SSL[sslID].sockfd); ssl_set_bio(&_SSL[sslID].ctx, net_recv, &_SSL[sslID].sockfd, net_send, &_SSL[sslID].sockfd); Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_CONNECT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_DOHANDSHAKE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::getInstance(); sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_DOHANDSHAKE); return false; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } case IOCTLV_NET_SSL_WRITE: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::getInstance(); sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_WRITE); return false; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_WRITE " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); INFO_LOG(WII_IPC_SSL, "%s", Memory::GetPointer(BufferOut2)); break; } case IOCTLV_NET_SSL_READ: { int ret = 0; int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { WiiSockMan &sm = WiiSockMan::getInstance(); sm.doSock(_SSL[sslID].sockfd, _CommandAddress, IOCTLV_NET_SSL_READ); return false; } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_READ(%d)" "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", ret, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETROOTCADEFAULT: { int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCADEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } case IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT: { INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETCLIENTCERTDEFAULT " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); int sslID = Memory::Read_U32(BufferOut) - 1; if (SSLID_VALID(sslID)) { Memory::Write_U32(SSL_OK, _BufferIn); } else { Memory::Write_U32(SSL_ERR_ID, _BufferIn); } break; } default: ERROR_LOG(WII_IPC_SSL, "%i " "BufferIn: (%08x, %i), BufferIn2: (%08x, %i), " "BufferIn3: (%08x, %i), BufferOut: (%08x, %i), " "BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)", CommandBuffer.Parameter, _BufferIn, BufferInSize, _BufferIn2, BufferInSize2, _BufferIn3, BufferInSize3, BufferOut, BufferOutSize, BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3); break; } // SSL return codes are written to BufferIn Memory::Write_U32(0, _CommandAddress+4); return true; }
int main( void ) { int ret = exit_ok; int server_fd = -1; struct sockaddr_in addr; #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt ca; #endif entropy_context entropy; ctr_drbg_context ctr_drbg; ssl_context ssl; /* * 0. Initialize and setup stuff */ memset( &ssl, 0, sizeof( ssl_context ) ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_init( &ca ); #endif entropy_init( &entropy ); if( ctr_drbg_init( &ctr_drbg, entropy_func, &entropy, (const unsigned char *) pers, strlen( pers ) ) != 0 ) { ret = ssl_init_failed; goto exit; } if( ssl_init( &ssl ) != 0 ) { ret = ssl_init_failed; goto exit; } ssl_set_endpoint( &ssl, SSL_IS_CLIENT ); ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg ); #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) ssl_set_psk( &ssl, psk, sizeof( psk ), (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); #endif #if defined(POLARSSL_X509_CRT_PARSE_C) if( x509_crt_parse_der( &ca, ca_cert, sizeof( ca_cert ) ) != 0 ) { ret = x509_crt_parse_failed; goto exit; } ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME ); ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED ); #endif /* * 1. Start the connection */ memset( &addr, 0, sizeof( addr ) ); addr.sin_family = AF_INET; ret = 1; /* for endianness detection */ addr.sin_port = *((char *) &ret) == ret ? PORT_LE : PORT_BE; addr.sin_addr.s_addr = *((char *) &ret) == ret ? ADDR_LE : ADDR_BE; ret = 0; if( ( server_fd = socket( AF_INET, SOCK_STREAM, 0 ) ) < 0 ) { ret = socket_failed; goto exit; } if( connect( server_fd, (const struct sockaddr *) &addr, sizeof( addr ) ) < 0 ) { ret = connect_failed; goto exit; } ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd ); if( ssl_handshake( &ssl ) != 0 ) { ret = ssl_handshake_failed; goto exit; } /* * 2. Write the GET request and close the connection */ if( ssl_write( &ssl, (const unsigned char *) GET_REQUEST, sizeof( GET_REQUEST ) - 1 ) <= 0 ) { ret = ssl_write_failed; goto exit; } ssl_close_notify( &ssl ); exit: if( server_fd != -1 ) net_close( server_fd ); ssl_free( &ssl ); ctr_drbg_free( &ctr_drbg ); entropy_free( &entropy ); #if defined(POLARSSL_X509_CRT_PARSE_C) x509_crt_free( &ca ); #endif return( ret ); }
/* * Parse one or more PEM certificates from a buffer and add them to the chained list */ int x509_crt_parse( x509_crt *chain, const unsigned char *buf, size_t buflen ) { int success = 0, first_error = 0, total_failed = 0; int buf_format = X509_FORMAT_DER; /* * Check for valid input */ if( chain == NULL || buf == NULL ) return( POLARSSL_ERR_X509_BAD_INPUT_DATA ); /* * Determine buffer content. Buffer contains either one DER certificate or * one or more PEM certificates. */ #if defined(POLARSSL_PEM_PARSE_C) if( strstr( (const char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL ) buf_format = X509_FORMAT_PEM; #endif if( buf_format == X509_FORMAT_DER ) return x509_crt_parse_der( chain, buf, buflen ); #if defined(POLARSSL_PEM_PARSE_C) if( buf_format == X509_FORMAT_PEM ) { int ret; pem_context pem; while( buflen > 0 ) { size_t use_len; pem_init( &pem ); ret = pem_read_buffer( &pem, "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----", buf, NULL, 0, &use_len ); if( ret == 0 ) { /* * Was PEM encoded */ buflen -= use_len; buf += use_len; } else if( ret == POLARSSL_ERR_PEM_BAD_INPUT_DATA ) { return( ret ); } else if( ret != POLARSSL_ERR_PEM_NO_HEADER_FOOTER_PRESENT ) { pem_free( &pem ); /* * PEM header and footer were found */ buflen -= use_len; buf += use_len; if( first_error == 0 ) first_error = ret; continue; } else break; ret = x509_crt_parse_der( chain, pem.buf, pem.buflen ); pem_free( &pem ); if( ret != 0 ) { /* * Quit parsing on a memory error */ if( ret == POLARSSL_ERR_X509_MALLOC_FAILED ) return( ret ); if( first_error == 0 ) first_error = ret; total_failed++; continue; } success = 1; } } #endif if( success ) return( total_failed ); else if( first_error ) return( first_error ); else return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT ); }