* X509 State, country and location are now used for verification and display.

* SNI hostname memory is now managed by the calling application * X509 version number is checked before processing v3 extensions. git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@272 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-10-15 11:26:40 +03:00 · 2016-12-19 20:20:01 +00:00
parent 425067abe6
commit 2213f30449
6 changed files with 107 additions and 41 deletions
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@@ -145,11 +145,7 @@ void DISPLAY_BYTES(SSL *ssl, const char *format,
 */
 EXP_FUNC SSL_EXTENSIONS * STDCALL ssl_ext_new()
 {
-    SSL_EXTENSIONS *ssl_ext = (SSL_EXTENSIONS *)malloc(sizeof(SSL_EXTENSIONS));
-    ssl_ext->max_fragment_size = 0;
-    ssl_ext->host_name = NULL;
-
-    return ssl_ext;
+    return (SSL_EXTENSIONS *)calloc(1, sizeof(SSL_EXTENSIONS));
 }

 /**
@@ -163,10 +159,6 @@ EXP_FUNC void STDCALL ssl_ext_free(SSL_EXTENSIONS *ssl_ext)
        return;
    }

-    if (ssl_ext->host_name != NULL) 
-    {
-        free(ssl_ext->host_name);
-    }
    free(ssl_ext);
 }

@@ -530,6 +522,15 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
        case SSL_X509_CERT_ORGANIZATIONAL_NAME:       
            return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT];

+        case SSL_X509_CERT_LOCATION:       
+            return ssl->x509_ctx->cert_dn[X509_LOCATION];
+
+        case SSL_X509_CERT_COUNTRY:       
+            return ssl->x509_ctx->cert_dn[X509_COUNTRY];
+
+        case SSL_X509_CERT_STATE:       
+            return ssl->x509_ctx->cert_dn[X509_STATE];
+
        case SSL_X509_CA_CERT_COMMON_NAME:
            return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME];

@@ -539,6 +540,15 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
        case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME:       
            return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT];

+        case SSL_X509_CA_CERT_LOCATION:       
+            return ssl->x509_ctx->ca_cert_dn[X509_LOCATION];
+
+        case SSL_X509_CA_CERT_COUNTRY:       
+            return ssl->x509_ctx->ca_cert_dn[X509_COUNTRY];
+
+        case SSL_X509_CA_CERT_STATE:       
+            return ssl->x509_ctx->ca_cert_dn[X509_STATE];
+
        default:
            return NULL;
    }
@@ -1393,7 +1403,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
    if (IS_SET_SSL_FLAG(SSL_NEED_RECORD))
    {
        /* check for sslv2 "client hello" */
-        if (buf[0] & 0x80 && buf[2] == 1)
+        if ((buf[0] & 0x80) && buf[2] == 1)
        {
 #ifdef CONFIG_SSL_FULL_MODE
            printf("Error: no SSLv23 handshaking allowed\n");
@@ -2149,6 +2159,10 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
            goto error;
        }

+#if defined (CONFIG_SSL_FULL_MODE)
+        if (ssl->ssl_ctx->options & SSL_DISPLAY_CERTS)
+            x509_print(certs[num_certs], NULL);
+#endif
        num_certs++;
        offset += cert_size;
    }
@@ -2168,6 +2182,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
        {
            if (certs[i] == chain) 
                continue;
+
            if (cert_used[i]) 
                continue; // don't allow loops