From 0d2e75b9c7ea3a83e866cba83ac379b955ac97ff Mon Sep 17 00:00:00 2001 From: cameronrich Date: Wed, 29 Dec 2010 11:49:30 +0000 Subject: [PATCH] fixed regular_square. Some scan-build tweaks. Made os_port.h "private". git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@181 9a5d90b5-6617-0410-8a86-bb477d3ed2e3 --- config/Config.in | 12 ++++++------ crypto/aes.c | 2 +- crypto/bigint.c | 15 +++++++-------- samples/c/axssl.c | 2 -- ssl/BigIntConfig.in | 2 +- ssl/gen_cert.c | 1 + ssl/loader.c | 4 ++-- ssl/openssl.c | 1 + ssl/p12.c | 15 ++++++--------- ssl/test/killopenssl.sh | 1 - ssl/test/ssltest.c | 35 +++++++++-------------------------- ssl/tls1.c | 11 ++++++++--- ssl/tls1.h | 1 - ssl/tls1_clnt.c | 4 ++-- ssl/tls1_svr.c | 5 +++-- www/index.html | 2 +- 16 files changed, 48 insertions(+), 65 deletions(-) diff --git a/config/Config.in b/config/Config.in index bebbb0330..bc11f69d2 100644 --- a/config/Config.in +++ b/config/Config.in @@ -101,12 +101,6 @@ config CONFIG_EXTRA_LDFLAGS_OPTIONS endmenu source ssl/Config.in -config CONFIG_AXHTTPD - bool "Enable HTTP/HTTPS Web Server" - default y - help - Build the AXHTTPD web server - config CONFIG_AXTLSWRAP depends on !CONFIG_PLATFORM_WIN32 bool "Enable axtlswrap" @@ -115,6 +109,12 @@ config CONFIG_AXTLSWRAP axtlswrap is similar to sslwrap - http://www.rickk.com/sslwrap. It enables SSL for processes that don't have native SSL support. +config CONFIG_AXHTTPD + bool "Enable HTTP/HTTPS Web Server" + default y + help + Build the AXHTTPD web server + source httpd/Config.in source bindings/Config.in source samples/Config.in diff --git a/crypto/aes.c b/crypto/aes.c index 038a45bd8..9082a4069 100644 --- a/crypto/aes.c +++ b/crypto/aes.c @@ -168,7 +168,7 @@ static void AES_decrypt(const AES_CTX *ctx, uint32_t *data); x^8+x^4+x^3+x+1 */ static unsigned char AES_xtime(uint32_t x) { - return x = (x&0x80) ? (x<<1)^0x1b : x<<1; + return (x&0x80) ? (x<<1)^0x1b : x<<1; } /** 
diff --git a/crypto/bigint.c b/crypto/bigint.c index 28b3c0ca0..6a07a98d3 100644 --- a/crypto/bigint.c +++ b/crypto/bigint.c @@ -926,7 +926,7 @@ bigint *bi_multiply(BI_CTX *ctx, bigint *bia, bigint *bib) /* * Perform the actual square operion. It takes into account overflow. */ -bigint *regular_square(BI_CTX *ctx, bigint *bi) +static bigint *regular_square(BI_CTX *ctx, bigint *bi) { int t = bi->size; int i = 0, j; @@ -939,13 +939,13 @@ bigint *regular_square(BI_CTX *ctx, bigint *bi) do { long_comp tmp = w[2*i] + (long_comp)x[i]*x[i]; - uint8_t c = 0, q = 0; + uint8_t c = 0; w[2*i] = (comp)tmp; carry = (comp)(tmp >> COMP_BIT_SIZE); for (j = i+1; j < t; j++) { - c = q = 0; + c = 0; long_comp xx = (long_comp)x[i]*x[j]; if (COMP_MAX-xx < xx) c = 1; @@ -958,7 +958,7 @@ bigint *regular_square(BI_CTX *ctx, bigint *bi) tmp += w[i+j]; if (COMP_MAX-tmp < carry) - c = q = 1; + c = 1; tmp += carry; w[i+j] = (comp)tmp; @@ -968,10 +968,9 @@ bigint *regular_square(BI_CTX *ctx, bigint *bi) carry += COMP_RADIX; } - w[i+t] += carry; - - if (c && !q) - w[i+t+1] = 1; /* add carry */ + tmp = carry + w[i+t]; + w[i+t] = (comp)tmp; + w[i+t+1] = tmp >> COMP_BIT_SIZE; } while (++i < t); bi_free(ctx, bi); diff --git a/samples/c/axssl.c b/samples/c/axssl.c index d9d9a6071..20da957ec 100644 --- a/samples/c/axssl.c +++ b/samples/c/axssl.c @@ -310,7 +310,6 @@ static void do_server(int argc, char *argv[]) if ((client_fd = accept(server_fd, (struct sockaddr *)&client_addr, &client_len)) < 0) { - res = 1; break; } @@ -683,7 +682,6 @@ static void do_client(int argc, char *argv[]) for (;;) { uint8_t buf[1024]; - res = SSL_OK; /* allow parallel reading of server and standard input */ FD_SET(client_fd, &read_set); diff --git a/ssl/BigIntConfig.in b/ssl/BigIntConfig.in index cace9c568..944d2971b 100644 --- a/ssl/BigIntConfig.in +++ b/ssl/BigIntConfig.in 
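Review bot: The carry fold-up added at the end of the outer loop, `tmp = carry + w[i+t];`, is only overflow-safe if `carry` is a `long_comp`; its declaration is above the hunk so I cannot confirm it here, and the earlier `carry = (comp)(tmp >> COMP_BIT_SIZE);` leaves the type ambiguous to a reader. If `carry` is a `comp`, the addition is performed in `comp` width and the bit that `w[i+t+1] = tmp >> COMP_BIT_SIZE;` is meant to capture is silently lost for 32-bit components (8/16-bit components are rescued by integer promotion, which is why the 8-bit test in ssltest.c would not show it). Writing it as `tmp = (long_comp)carry + w[i+t];` mirrors the cast already used on the first line of the loop body and is correct whatever carry's type is. regular_square's head and tail lie outside the hunk.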
@@ -8,7 +8,7 @@ menu "BigInt Options" choice prompt "Reduction Algorithm" - default CONFIG_BIGINT_MONTGOMERY + default CONFIG_BIGINT_CLASSICAL config CONFIG_BIGINT_CLASSICAL bool "Classical" diff --git a/ssl/gen_cert.c b/ssl/gen_cert.c index 94b74903c..c2fe381eb 100644 --- a/ssl/gen_cert.c +++ b/ssl/gen_cert.c @@ -33,6 +33,7 @@ #ifdef CONFIG_SSL_GENERATE_X509_CERT #include #include +#include "os_port.h" #include "ssl.h" /** diff --git a/ssl/loader.c b/ssl/loader.c index 4232f7eec..ab3c26651 100644 --- a/ssl/loader.c +++ b/ssl/loader.c @@ -41,7 +41,7 @@ #include #include #include - +#include "os_port.h" #include "ssl.h" static int do_obj(SSL_CTX *ssl_ctx, int obj_type, @@ -77,7 +77,7 @@ EXP_FUNC int STDCALL ssl_obj_load(SSL_CTX *ssl_ctx, int obj_type, } /* is the file a PEM file? */ - if (strncmp((char *)ssl_obj->buf, begin, strlen(begin)) == 0) + if (strstr((char *)ssl_obj->buf, begin) != NULL) { #ifdef CONFIG_SSL_HAS_PEM ret = ssl_obj_PEM_load(ssl_ctx, obj_type, ssl_obj, password); diff --git a/ssl/openssl.c b/ssl/openssl.c index b6b955008..6b5c4d8ee 100644 --- a/ssl/openssl.c +++ b/ssl/openssl.c @@ -42,6 +42,7 @@ #include #include #include +#include "os_port.h" #include "ssl.h" #define OPENSSL_CTX_ATTR ((OPENSSL_CTX *)ssl_ctx->bonus_attr) diff --git a/ssl/p12.c b/ssl/p12.c index 6ed92e431..2bafaf7ea 100644 --- a/ssl/p12.c +++ b/ssl/p12.c @@ -62,7 +62,7 @@ #include #include #include - +#include "os_port.h" #include "ssl.h" /* all commented out if not used */ 
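Review bot: `strstr((char *)ssl_obj->buf, begin)` requires the object buffer to be NUL-terminated, a property the previous `strncmp(..., strlen(begin))` did not need; `ssl_obj->buf` holds raw file contents that may be DER, and unless the loader appends a terminating zero when it reads the file (not visible in this hunk) `strstr` scans past the end of the allocation. Embedded zero bytes in a DER file also stop the scan early, which happens to be harmless here but shows a text function being run over binary data. A bounded search over the object length (the loader struct's length field, `ssl_obj->len` as far as I recall it) avoids both problems; a sketch follows. ssl_obj_load's body continues on both sides of the hunk.
```c
/* Bounded search for marker in buf. buf is raw file data and need not be
 * NUL-terminated, so strstr()/strlen() must not be used over it. */
static int buf_contains(const uint8_t *buf, int buf_len, const char *marker)
{
    int i;
    int mlen = (int)strlen(marker);

    for (i = 0; i + mlen <= buf_len; i++)
    {
        if (memcmp(buf + i, marker, mlen) == 0)
            return 1;
    }

    return 0;
}

/* … unchanged: ssl_obj_load prologue … */
    /* is the file a PEM file? */
    if (buf_contains(ssl_obj->buf, ssl_obj->len, begin))
```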
@@ -233,15 +233,14 @@ static int p8_decrypt(const char *uni_pass, int uni_pass_len, int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password) { uint8_t *buf = ssl_obj->buf; - int all_ok = 0, len, iterations, auth_safes_start, + int len, iterations, auth_safes_start, auth_safes_end, auth_safes_len, key_offset, offset = 0; int all_certs = 0; uint8_t *version = NULL, *auth_safes = NULL, *cert, *orig_mac; uint8_t key[SHA1_SIZE]; uint8_t mac[SHA1_SIZE]; const uint8_t *salt; - int uni_pass_len, ret; - int error_code = SSL_ERROR_NOT_SUPPORTED; + int uni_pass_len, ret = SSL_OK; char *uni_pass = make_uni_pass(password, &uni_pass_len); static const uint8_t pkcs_data[] = /* pkc7 data */ { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 }; @@ -260,7 +259,7 @@ int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password) if (asn1_get_int(buf, &offset, &version) < 0 || *version != 3) { - error_code = SSL_ERROR_INVALID_VERSION; + ret = SSL_ERROR_INVALID_VERSION; goto error; } @@ -414,17 +413,15 @@ int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password) if (memcmp(mac, orig_mac, SHA1_SIZE)) { - error_code = SSL_ERROR_INVALID_HMAC; + ret = SSL_ERROR_INVALID_HMAC; goto error; } - all_ok = 1; - error: free(version); free(uni_pass); free(auth_safes); - return all_ok ? SSL_OK : error_code; + return ret; } /* diff --git a/ssl/test/killopenssl.sh b/ssl/test/killopenssl.sh index f5adf2db5..17950fbae 100755 --- a/ssl/test/killopenssl.sh +++ b/ssl/test/killopenssl.sh @@ -1,3 +1,2 @@ #!/bin/sh ps -ef|grep openssl | /usr/bin/awk '{print $2}' |xargs kill -9 -sleep 1 diff --git a/ssl/test/ssltest.c b/ssl/test/ssltest.c index 86997d785..68fc2b673 100644 --- a/ssl/test/ssltest.c +++ b/ssl/test/ssltest.c @@ -66,7 +66,6 @@ static int g_port = 19001; #define TEST1_SIZE 16 #define TEST2_SIZE 32 -#if 0 static int AES_test(BI_CTX *bi_ctx) { AES_CTX aes_key; 
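Review bot: Initialising `ret = SSL_OK` and returning it unconditionally inverts the function's failure default: previously any `goto error` that did not set `error_code` still returned `SSL_ERROR_NOT_SUPPORTED` because `all_ok` stayed 0, whereas now such a path returns `SSL_OK` with nothing loaded. Only the version and HMAC exits in these hunks assign `ret`; every early exit in the body between them (outside the hunks) would need auditing, and any future one that forgets the assignment fails open. The safer shape keeps the old invariant: `int uni_pass_len, ret = SSL_ERROR_NOT_SUPPORTED;` at the declaration and `ret = SSL_OK;` where `all_ok = 1;` used to be, immediately before the `error:` label. pkcs12_decode's body continues between and beyond these hunks.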
@@ -420,7 +419,6 @@ static int HMAC_test(BI_CTX *bi_ctx) end: return res; } -#endif /************************************************************************** * BIGINT tests @@ -472,35 +470,20 @@ static int BIGINT_test(BI_CTX *ctx) * Multiply with psssible carry issue (8 bit) */ { - int i; - bigint *bi_x = bi_str_import( - ctx, - "AFD5060E224B70DA99EFB385BA5C0D2BEA0AD1DAAA52686E1A02D677BC65C1DA7A496BBDCC02999E8814F10AFC4B8E0DD4E6687E0762CE717A5EA1E452B5C56065C8431F0FB9D23CFF3A4B4149798C0670AF7F9565A0EAE5CF1AB16A1F0C3DD5E485DC5ABB96EBE0B6778A15B7302CBCE358E4BF2E2E30932758AC6EFA9F5828"); - uint8_t exp_sqr_result[bi_x->size*2]; - uint8_t exp_mlt_result[bi_x->size*2]; + bigint *bi_x = bi_str_import(ctx, + "AFD5060E224B70DA99EFB385BA5C0D2BEA0AD1DAAA52686E1A02D677BC65C1DA7A496BBDCC02999E8814F10AFC4B8E0DD4E6687E0762CE717A5EA1E452B5C56065C8431F0FB9D23CFF3A4B4149798C0670AF7F9565A0EAE5CF1AB16A1F0C3DD5E485DC5ABB96EBE0B6778A15B7302CBCE358E4BF2E2E30932758AC6EFA9F5828"); bigint *arg2 = bi_clone(ctx, bi_x); bigint *arg3 = bi_clone(ctx, bi_x); bigint *sqr_result = bi_square(ctx, bi_x); bigint *mlt_result = bi_multiply(ctx, arg2, arg3); - //bi_print("SQR_RESULT", sqr_result); - //bi_print("MLT_RESULT", mlt_result); if (bi_compare(sqr_result, mlt_result) != 0) { - bi_export(ctx, sqr_result, exp_sqr_result, sizeof(exp_sqr_result)); - bi_export(ctx, mlt_result, exp_mlt_result, sizeof(exp_mlt_result)); + bi_print("SQR_RESULT", sqr_result); + bi_print("MLT_RESULT", mlt_result); bi_free(ctx, sqr_result); bi_free(ctx, mlt_result); - - for (i = 0; i < sizeof(exp_sqr_result); i++) - { - if (exp_sqr_result[i] != exp_mlt_result[i]) - { - printf("Error: SQUARE failed %d %02x %02x\n", i, - exp_sqr_result[i], exp_mlt_result[i]); - goto end; - } - } + goto end; } bi_free(ctx, sqr_result); @@ -1203,6 +1186,7 @@ int SSL_server_tests(void) NULL, "abcd", DEFAULT_SVR_OPTION))) goto cleanup; +//#if 0 /* * AES128 Encrypted invalid key */ 
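Review bot: The `//#if 0` added before the "AES128 Encrypted invalid key" test (and the matching `//#endif` in the next hunk, on the following line of this patch) is commented-out preprocessor scaffolding that does nothing. Either drop both lines or, if the test is meant to be skippable, gate it on a real configuration macro so the intent is visible to the preprocessor and to the reader; disabled-looking markers around a live test invite the assumption that it is not running.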
@@ -1215,6 +1199,7 @@ int SSL_server_tests(void) printf("SSL server test \"%s\" passed\n", "AES128 encrypted invalid key"); TTY_FLUSH(); +//#endif /* * PKCS#8 key (encrypted) @@ -1328,7 +1313,7 @@ static int SSL_client_test( #endif } - usleep(500000); /* allow server to start */ + sleep(5); /* allow server to start */ if (*ssl_ctx == NULL) { @@ -1590,6 +1575,7 @@ cleanup: { ssl_display_error(ret); printf("Error: A client test failed\n"); + system("sh ../ssl/test/killopenssl.sh"); exit(1); } else @@ -1685,7 +1671,6 @@ static int SSL_basic_test(void) if (size < SSL_OK) /* got some alert or something nasty */ { - printf("Server "); ssl_display_error(size); ret = size; break; @@ -1958,7 +1943,6 @@ int main(int argc, char *argv[]) bi_ctx = bi_initialize(); -#if 0 if (AES_test(bi_ctx)) { printf("AES tests failed\n"); @@ -1993,7 +1977,6 @@ int main(int argc, char *argv[]) goto cleanup; } TTY_FLUSH(); -#endif if (BIGINT_test(bi_ctx)) { diff --git a/ssl/tls1.c b/ssl/tls1.c index 809d45cb0..9d1be3782 100755 --- a/ssl/tls1.c +++ b/ssl/tls1.c @@ -36,6 +36,7 @@ #include #include #include +#include "os_port.h" #include "ssl.h" /* The session expiry time */ @@ -1635,9 +1636,13 @@ SSL_SESSION *ssl_session_update(int max_sessions, SSL_SESSION *ssl_sessions[], } /* ok, we've used up all of our sessions. So blow the oldest session away */ - oldest_sess->conn_time = tm; - memset(oldest_sess->session_id, 0, sizeof(SSL_SESSION_ID_SIZE)); - memset(oldest_sess->master_secret, 0, sizeof(SSL_SECRET_SIZE)); + if (oldest_sess != NULL) + { + oldest_sess->conn_time = tm; + memset(oldest_sess->session_id, 0, sizeof(SSL_SESSION_ID_SIZE)); + memset(oldest_sess->master_secret, 0, sizeof(SSL_SECRET_SIZE)); + } + SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex); return oldest_sess; } diff --git a/ssl/tls1.h b/ssl/tls1.h index cead605de..a1e1bd982 100755 --- a/ssl/tls1.h +++ b/ssl/tls1.h 
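Review bot: Replacing `usleep(500000)` with `sleep(5)` adds ten times the fixed wait to every client test and still races the server start, because a fixed delay is not a readiness check. If the longer wait was needed because the external server sometimes takes more than half a second to listen, a bounded retry of the connect (loop a limited number of times with a short sleep until connect() succeeds, then fail) keeps the suite fast on machines where it is already up and is more robust on slow ones. SSL_client_test continues outside the hunk.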
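Review bot: `system("sh ../ssl/test/killopenssl.sh")` on the failure path depends on the current working directory, and through the script's `ps -ef | grep openssl | xargs kill -9` (edited in this same commit) it sends SIGKILL to every process on the host whose command line contains "openssl", not only the server this suite started. If the suite launches the server itself, as the "allow server to start" wait suggests, recording its pid at launch and calling `kill()` on that pid directly removes both the shell invocation and the collateral damage on a shared machine. The enclosing cleanup block starts outside the hunk.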
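Review bot: The two memset calls now nested under the `oldest_sess != NULL` guard clear `sizeof(SSL_SESSION_ID_SIZE)` and `sizeof(SSL_SECRET_SIZE)` bytes, which is the size of an integer constant (typically 4) rather than the size of the arrays, if those macros are the plain size constants their names suggest. That leaves most of the evicted session's master secret in memory while the slot is handed to a new connection, and only part of the old session id zeroed. The intended calls are `memset(oldest_sess->session_id, 0, SSL_SESSION_ID_SIZE);` and `memset(oldest_sess->master_secret, 0, SSL_SECRET_SIZE);` (or `sizeof oldest_sess->master_secret`, which cannot be misapplied). With the guard in place the function can also return NULL after unlocking, so every caller must tolerate that; ssl_session_update's head is outside the hunk.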
@@ -42,7 +42,6 @@ extern "C" { #include "version.h" #include "crypto.h" -#include "os_port.h" #include "crypto_misc.h" #define SSL_RANDOM_SIZE 32 diff --git a/ssl/tls1_clnt.c b/ssl/tls1_clnt.c index 0e9c10af4..3fb7f627d 100644 --- a/ssl/tls1_clnt.c +++ b/ssl/tls1_clnt.c @@ -32,7 +32,7 @@ #include #include #include - +#include "os_port.h" #include "ssl.h" #ifdef CONFIG_SSL_ENABLE_CLIENT /* all commented out if no client */ @@ -79,7 +79,7 @@ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const */ int do_clnt_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len) { - int ret = SSL_OK; + int ret; /* To get here the state must be valid */ switch (handshake_type) diff --git a/ssl/tls1_svr.c b/ssl/tls1_svr.c index 45b9bec6a..742ffd593 100644 --- a/ssl/tls1_svr.c +++ b/ssl/tls1_svr.c @@ -31,7 +31,7 @@ #include #include #include - +#include "os_port.h" #include "ssl.h" static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 }; @@ -416,8 +416,9 @@ static int process_client_key_xchg(SSL *ssl) #else ssl->next_state = HS_FINISHED; #endif -error: + ssl->dc->bm_proc_index += rsa_ctx->num_octets+offset; +error: return ret; } diff --git a/www/index.html b/www/index.html index e7e080e44..6411f28ba 100755 --- a/www/index.html +++ b/www/index.html @@ -7087,7 +7087,7 @@ if (useJavaSaver)
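Review bot: Dropping the `= SSL_OK` initialiser on `ret` in do_clnt_handshake silences a dead-store warning at the cost of a possible uninitialised read: if any case of the `switch (handshake_type)` that follows, its `default:` in particular, reaches the function's return without assigning `ret`, the returned value is indeterminate, which is undefined behaviour rather than a benign stale store. The switch body is outside the hunk, so I cannot confirm that every path assigns; if they all do, a one-line comment such as `/* every case below assigns ret before falling out */` above the switch documents the invariant, otherwise keep an initialiser, preferably to an error code rather than SSL_OK so a missed path fails closed.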
changes, notes and errata
Type the text for 'YourName'
-
@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.7@@\n\n!!__SSL Library__\n* A fix to find_max_exp_index() (thanks to Hardy Griech).\n* Check is made to get_cipher_info() if the appropriate cipher is not found (thanks to Hardy Griech).\n* Extra x509_free() removed from do_client_connect().\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.5@@\n\n!!__SSL Library__\n* The custom RNG updated to use an entropy pool (with better hooks to use counters).\n\n!!__axhttpd__\n* Headers are case insensitive (thanks to Joe Pruett for this and the following).\n* Child zombie issue fixed.\n* EOF on ~POSTs fixed.\n* Expect is ignored.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.4@@\n\n!!__SSL Library__\n* Client renegotiation now results in an error. This is the result of a security flaw described in this paper http://extendedsubset.com/Renegotiating_TLS.pdf, and also is explained in detail here http://www.cupfighter.net/index.php/2009/11/tls-renegotiation-attack/.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.3@@\n\n!!__SSL Library__\n* v3 certificates with ~SANs now supports (thanks to Carsten Sørensen).\n* axtlswrap added - a port of sslwrap (thanks to Steve Bennett)\n\n!!__axhttpd__\n* shutdown() called before socket close in CGI (thanks to Tom Brown)\n* command-line parameters to specify the http/https port.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.2@@\n\n!!__axhttpd__\n* File uploads over 1kB (but under MAXPOSTDATASIZE) are now supported.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.1@@\n\n!!__SSL Library__\n* Certificate verification now works for Firefox.\n* Extended the openssl API.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.0@@\n\n!!__SSL Library__\n* A self-signed certificate will be verified as ok provided that that it is on the certificate authority list.\n* Certificates are not verified when added as certificate authorities (since self-signed and expired certificates can be added to browsers 
etc)\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.9@@\n\n!!__SSL Library__\n* Now support MS IIS resource kit certificates (thanks to Carsten Sørensen).\n* Fixed a memory leak when freeing more than one CA certificate.\n* The bigint library had a problem with squaring which affected classical reduction (thanks to Manuel Klimek).\n\n!!__axhttpd__\n* Brought back setuid()/setgid() as an option.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.8@@\n\n!!__SSL Library__\n* Now using a BSD style license.\n* Self-signed certificates can now be automatically generated (the keys still need to be provided).\n* A new API call //ssl_x509_create()// can be used to programatically create the certificate.\n* Certificate/keys can be loaded automatically given a file location.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.7@@\n\n!!__SSL Library__\n\n* Variable sized session id's is now better handled for session caching. It has meant a new API call //ssl_get_session_id_size()// and a change to //ssl_client_new()// to define the session id size.\n* Muliple records with a single header are now better supported (thanks to Hervé Sibert).\n* ~MD2 added for Verisign root cert verification (thanks to Byron Rakitzis).\n* The ~MD5/~SHA1 digests are calculated incrementally to reduce memory (thanks to Byron Rakitzis).\n* The bigint cache is now cleared regularly to reduce memory.\n\n!!__axhttpd__\n\n* Improved the POST handling (thanks to Christian Melki).\n* CSS files now work properly.\n* Lua's CGI launcher location is configurable.\n* //vfork()// is now used for CGI for performance reasons.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.6@@\n\n!!__SSL Library__\n\n* ~RC4 speed improvements\n* Lua samples/bindings now work properly\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.5@@\n\n!!__SSL Library__\n\n* Session id's can now be variable lengths in server hello messages.\n* 0 length client certificates are now supported.\n* ssl_version() now returns 
just the version and not the date.\n* ssl_write() was not sending complete packets under load.\n\n!!__axhttpd__\n\n* Completely updated the CGI code.\n* Lua now integrated - Lua scripts and Lua Pages now run.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.4@@\n\n!!__SSL Library__\n\n* Fixed a Win32 crypto library issue with non-Administrator users\n* Removed compiler warnings that showed up in ~FC6.\n* GNU TLS certificates are now accepted.\n* Separated the send/receive headers for HMAC calculations.\n* Fixed a compilation problem with swig/perl/~FC6.\n* Fixed an issue with loading PEM CA certificates.\n\n!!__axhttpd__\n\n* Made //setuid()/setgid()// call an mconf option.\n* Made //chroot()// an mconf option. Default to //chdir()// instead.\n* Removed optional permissions checking.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.1@@\n\n!!__SSL Library__\n\n* AES should now work on 16bit processors (there was an alignment problem).\n* Various freed objects are cleared before freeing.\n* Header files now installed in ///usr/local/include/axTLS//.\n* -DCYGWIN replaced with -~DCONFIG_PLATFORM_CYGWIN (and the same for Solaris).\n* removed "-noextern" option in Swig. Fixed some other warnings in Win32.\n* SSLCTX changed to ~SSL_CTX (to be consistent with openssl). SSLCTX still exists for backwards compatibility.\n* malloc() and friends call abort() on failure.\n* Fixed a memory leak in directory listings.\n* Added openssl() compatibility functions.\n* Fixed Cygwin 'make install' issue.\n\n!!__axhttpd__\n\n* main.c now becomes axhttpd.c.\n* Header file issue fixed (in mime_types.c).\n* //chroot()// now used for better security.\n* Basic authentication implemented (via .htpasswd).\n* SSL access/denial protection implemented (via .htaccess).\n* Directory access protection implemented (via .htaccess).\n* Can now have more than one CGI file extension in mconf.\n* "~If-Modified-Since" request now handled properly.\n* Performance tweaks to remove //ssl_find()//.
+
@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.8@@\n\n!!__SSL Library__\n* Close notify is now sent as an error code from ssl_read(). Server code should be modified to check for ~SSL_CLOSE_NOTIFY (thanks to ehuman - 3132700).\n* regular_square issue fixed (thanks to Hardy Griech - 3078672)\n* Invalid session id size now returns ~SSL_ERROR_INVALID_SESSION (thanks to Hardy Griech - 3072881)\n* PEM file detection now looks for "-BEGIN" in any part of the file rather than at the start.\n* \n* 8/16/32 bit native int sizes can be selected in bigint_impl.h\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.7@@\n\n!!__SSL Library__\n* A fix to find_max_exp_index() (thanks to Hardy Griech).\n* Check is made to get_cipher_info() if the appropriate cipher is not found (thanks to Hardy Griech).\n* Extra x509_free() removed from do_client_connect().\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.5@@\n\n!!__SSL Library__\n* The custom RNG updated to use an entropy pool (with better hooks to use counters).\n\n!!__axhttpd__\n* Headers are case insensitive (thanks to Joe Pruett for this and the following).\n* Child zombie issue fixed.\n* EOF on ~POSTs fixed.\n* Expect is ignored.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.4@@\n\n!!__SSL Library__\n* Client renegotiation now results in an error. 
This is the result of a security flaw described in this paper http://extendedsubset.com/Renegotiating_TLS.pdf, and also is explained in detail here http://www.cupfighter.net/index.php/2009/11/tls-renegotiation-attack/.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.3@@\n\n!!__SSL Library__\n* v3 certificates with ~SANs now supports (thanks to Carsten Sørensen).\n* axtlswrap added - a port of sslwrap (thanks to Steve Bennett)\n\n!!__axhttpd__\n* shutdown() called before socket close in CGI (thanks to Tom Brown)\n* command-line parameters to specify the http/https port.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.2@@\n\n!!__axhttpd__\n* File uploads over 1kB (but under MAXPOSTDATASIZE) are now supported.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.1@@\n\n!!__SSL Library__\n* Certificate verification now works for Firefox.\n* Extended the openssl API.\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.2.0@@\n\n!!__SSL Library__\n* A self-signed certificate will be verified as ok provided that that it is on the certificate authority list.\n* Certificates are not verified when added as certificate authorities (since self-signed and expired certificates can be added to browsers etc)\n\n@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.9@@\n\n!!__SSL Library__\n* Now support MS IIS resource kit certificates (thanks to Carsten Sørensen).\n* Fixed a memory leak when freeing more than one CA certificate.\n* The bigint library had a problem with squaring which affected classical reduction (thanks to Manuel Klimek).\n\n!!__axhttpd__\n* Brought back setuid()/setgid() as an option.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.8@@\n\n!!__SSL Library__\n* Now using a BSD style license.\n* Self-signed certificates can now be automatically generated (the keys still need to be provided).\n* A new API call //ssl_x509_create()// can be used to programatically create the certificate.\n* Certificate/keys can be loaded automatically given a file 
location.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.7@@\n\n!!__SSL Library__\n\n* Variable sized session id's is now better handled for session caching. It has meant a new API call //ssl_get_session_id_size()// and a change to //ssl_client_new()// to define the session id size.\n* Muliple records with a single header are now better supported (thanks to Hervé Sibert).\n* ~MD2 added for Verisign root cert verification (thanks to Byron Rakitzis).\n* The ~MD5/~SHA1 digests are calculated incrementally to reduce memory (thanks to Byron Rakitzis).\n* The bigint cache is now cleared regularly to reduce memory.\n\n!!__axhttpd__\n\n* Improved the POST handling (thanks to Christian Melki).\n* CSS files now work properly.\n* Lua's CGI launcher location is configurable.\n* //vfork()// is now used for CGI for performance reasons.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.6@@\n\n!!__SSL Library__\n\n* ~RC4 speed improvements\n* Lua samples/bindings now work properly\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.5@@\n\n!!__SSL Library__\n\n* Session id's can now be variable lengths in server hello messages.\n* 0 length client certificates are now supported.\n* ssl_version() now returns just the version and not the date.\n* ssl_write() was not sending complete packets under load.\n\n!!__axhttpd__\n\n* Completely updated the CGI code.\n* Lua now integrated - Lua scripts and Lua Pages now run.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.4@@\n\n!!__SSL Library__\n\n* Fixed a Win32 crypto library issue with non-Administrator users\n* Removed compiler warnings that showed up in ~FC6.\n* GNU TLS certificates are now accepted.\n* Separated the send/receive headers for HMAC calculations.\n* Fixed a compilation problem with swig/perl/~FC6.\n* Fixed an issue with loading PEM CA certificates.\n\n!!__axhttpd__\n\n* Made //setuid()/setgid()// call an mconf option.\n* Made //chroot()// an mconf option. 
Default to //chdir()// instead.\n* Removed optional permissions checking.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.1@@\n\n!!__SSL Library__\n\n* AES should now work on 16bit processors (there was an alignment problem).\n* Various freed objects are cleared before freeing.\n* Header files now installed in ///usr/local/include/axTLS//.\n* -DCYGWIN replaced with -~DCONFIG_PLATFORM_CYGWIN (and the same for Solaris).\n* removed "-noextern" option in Swig. Fixed some other warnings in Win32.\n* SSLCTX changed to ~SSL_CTX (to be consistent with openssl). SSLCTX still exists for backwards compatibility.\n* malloc() and friends call abort() on failure.\n* Fixed a memory leak in directory listings.\n* Added openssl() compatibility functions.\n* Fixed Cygwin 'make install' issue.\n\n!!__axhttpd__\n\n* main.c now becomes axhttpd.c.\n* Header file issue fixed (in mime_types.c).\n* //chroot()// now used for better security.\n* Basic authentication implemented (via .htpasswd).\n* SSL access/denial protection implemented (via .htaccess).\n* Directory access protection implemented (via .htaccess).\n* Can now have more than one CGI file extension in mconf.\n* "~If-Modified-Since" request now handled properly.\n* Performance tweaks to remove //ssl_find()//.
[[Read Me]]
axTLS uses a BSD style license:\n\nCopyright (c) 2008, Cameron Rich All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this\nlist of conditions and the following disclaimer. Redistributions in binary\nform must reproduce the above copyright notice, this list of conditions and\nthe following disclaimer in the documentation and/or other materials\nprovided with the distribution. Neither the name of the axTLS Project nor\nthe names of its contributors may be used to endorse or promote products\nderived from this software without specific prior written permission. \n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\nARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\nLIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\nOUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH\nDAMAGE.
[[Read Me]] \n[[Changelog]]\n[[axhttpd]]\n[[License]]