arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-10-15 11:26:40 +03:00
Code Activity

* X509 State, country and location are now used for verification and display.

Browse Source 
* SNI hostname memory is now managed by the calling application
* X509 version number is checked before processing v3 extensions.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@272 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich
2016-12-19 20:20:01 +00:00
committed by Ivan Grokhotkov
parent 425067abe6
commit 2213f30449
6 changed files with 107 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
samples/c/axssl.c
View File

@@ -650,7 +650,6 @@ static void do_client(int argc, char *argv[])
} }
ssl_free(ssl); ssl_free(ssl);
ssl_ext_free(extensions);
exit(1); exit(1);
} }
@@ -660,7 +659,6 @@ static void do_client(int argc, char *argv[])
if (reconnect) if (reconnect)
{ {
ssl_free(ssl); ssl_free(ssl);
ssl_ext_free(extensions);
SOCKET_CLOSE(client_fd); SOCKET_CLOSE(client_fd);
client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP); client_fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
@@ -687,13 +685,6 @@ static void do_client(int argc, char *argv[])
if (!quiet) if (!quiet)
{ {
const char *common_name = ssl_get_cert_dn(ssl,
SSL_X509_CERT_COMMON_NAME);
if (common_name)
{
printf("Common Name:\t\t\t%s\n", common_name);
}
display_session_id(ssl); display_session_id(ssl);
display_cipher(ssl); display_cipher(ssl);
} }
@@ -766,7 +757,6 @@ static void do_client(int argc, char *argv[])
} }
ssl_ctx_free(ssl_ctx); ssl_ctx_free(ssl_ctx);
ssl_ext_free(extensions);
SOCKET_CLOSE(client_fd); SOCKET_CLOSE(client_fd);
#else #else
print_client_options(argv[1]); print_client_options(argv[1]);

20
ssl/asn1.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007-2015, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@@ -80,8 +80,8 @@ static const uint8_t sig_subject_alt_name[] =
0x55, 0x1d, 0x11 0x55, 0x1d, 0x11
}; };
/* CN, O, OU */ /* CN, O, OU, L, C, ST */
static const uint8_t g_dn_types[] = { 3, 10, 11 }; static const uint8_t g_dn_types[] = { 3, 10, 11, 7, 6, 8 };
uint32_t get_asn1_length(const uint8_t *buf, int *offset) uint32_t get_asn1_length(const uint8_t *buf, int *offset)
{ {
@@ -300,13 +300,19 @@ static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
{ {
int ret = X509_NOT_OK; int ret = X509_NOT_OK;
int len;
(*offset) += 2; /* get past explicit tag */ (*offset) += 2; /* get past explicit tag */
if (asn1_skip_obj(cert, offset, ASN1_INTEGER)) if (cert[(*offset)++] != ASN1_INTEGER)
goto end_version; return X509_NOT_OK;
ret = X509_OK; len = get_asn1_length(cert, offset);
end_version: if (len == 1)
{
ret = cert[*offset];
}
*offset += len;
return ret; return ret;
} }

5
ssl/crypto_misc.h
View File

@@ -60,10 +60,13 @@ extern "C" {
/* /*
* The Distinguished Name * The Distinguished Name
*/ */
#define X509_NUM_DN_TYPES 3 #define X509_NUM_DN_TYPES 6
#define X509_COMMON_NAME 0 #define X509_COMMON_NAME 0
#define X509_ORGANIZATION 1 #define X509_ORGANIZATION 1
#define X509_ORGANIZATIONAL_UNIT 2 #define X509_ORGANIZATIONAL_UNIT 2
#define X509_LOCATION 3
#define X509_COUNTRY 4
#define X509_STATE 5
struct _x509_ctx struct _x509_ctx
{ {

18
ssl/ssl.h
View File

@@ -159,9 +159,15 @@ extern "C" {
#define SSL_X509_CERT_COMMON_NAME 0 #define SSL_X509_CERT_COMMON_NAME 0
#define SSL_X509_CERT_ORGANIZATION 1 #define SSL_X509_CERT_ORGANIZATION 1
#define SSL_X509_CERT_ORGANIZATIONAL_NAME 2 #define SSL_X509_CERT_ORGANIZATIONAL_NAME 2
#define SSL_X509_CA_CERT_COMMON_NAME 3 #define SSL_X509_CERT_LOCATION 3
#define SSL_X509_CA_CERT_ORGANIZATION 4 #define SSL_X509_CERT_COUNTRY 4
#define SSL_X509_CA_CERT_ORGANIZATIONAL_NAME 5 #define SSL_X509_CERT_STATE 5
#define SSL_X509_CA_CERT_COMMON_NAME 6
#define SSL_X509_CA_CERT_ORGANIZATION 7
#define SSL_X509_CA_CERT_ORGANIZATIONAL_NAME 8
#define SSL_X509_CA_CERT_LOCATION 9
#define SSL_X509_CA_CERT_COUNTRY 10
#define SSL_X509_CA_CERT_STATE 11
/* SSL object loader types */ /* SSL object loader types */
#define SSL_OBJ_X509_CERT 1 #define SSL_OBJ_X509_CERT 1
@@ -454,9 +460,15 @@ EXP_FUNC int STDCALL ssl_match_spki_sha256(const SSL *ssl, const uint8_t* hash);
* - SSL_X509_CERT_COMMON_NAME * - SSL_X509_CERT_COMMON_NAME
* - SSL_X509_CERT_ORGANIZATION * - SSL_X509_CERT_ORGANIZATION
* - SSL_X509_CERT_ORGANIZATIONAL_NAME * - SSL_X509_CERT_ORGANIZATIONAL_NAME
* - SSL_X509_CERT_LOCATION
* - SSL_X509_CERT_COUNTRY
* - SSL_X509_CERT_STATE
* - SSL_X509_CA_CERT_COMMON_NAME * - SSL_X509_CA_CERT_COMMON_NAME
* - SSL_X509_CA_CERT_ORGANIZATION * - SSL_X509_CA_CERT_ORGANIZATION
* - SSL_X509_CA_CERT_ORGANIZATIONAL_NAME * - SSL_X509_CA_CERT_ORGANIZATIONAL_NAME
* - SSL_X509_CA_CERT_LOCATION
* - SSL_X509_CA_CERT_COUNTRY
* - SSL_X509_CA_CERT_STATE
* @return The appropriate string (or null if not defined) * @return The appropriate string (or null if not defined)
* @note Verification build mode must be enabled. * @note Verification build mode must be enabled.
*/ */

35
ssl/tls1.c
View File

@@ -145,11 +145,7 @@ void DISPLAY_BYTES(SSL *ssl, const char *format,
*/ */
EXP_FUNC SSL_EXTENSIONS * STDCALL ssl_ext_new() EXP_FUNC SSL_EXTENSIONS * STDCALL ssl_ext_new()
{ {
SSL_EXTENSIONS *ssl_ext = (SSL_EXTENSIONS *)malloc(sizeof(SSL_EXTENSIONS)); return (SSL_EXTENSIONS *)calloc(1, sizeof(SSL_EXTENSIONS));
ssl_ext->max_fragment_size = 0;
ssl_ext->host_name = NULL;
return ssl_ext;
} }
/** /**
@@ -163,10 +159,6 @@ EXP_FUNC void STDCALL ssl_ext_free(SSL_EXTENSIONS *ssl_ext)
return; return;
} }
if (ssl_ext->host_name != NULL)
{
free(ssl_ext->host_name);
}
free(ssl_ext); free(ssl_ext);
} }
@@ -530,6 +522,15 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
case SSL_X509_CERT_ORGANIZATIONAL_NAME: case SSL_X509_CERT_ORGANIZATIONAL_NAME:
return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT]; return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT];
case SSL_X509_CERT_LOCATION:
return ssl->x509_ctx->cert_dn[X509_LOCATION];
case SSL_X509_CERT_COUNTRY:
return ssl->x509_ctx->cert_dn[X509_COUNTRY];
case SSL_X509_CERT_STATE:
return ssl->x509_ctx->cert_dn[X509_STATE];
case SSL_X509_CA_CERT_COMMON_NAME: case SSL_X509_CA_CERT_COMMON_NAME:
return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME]; return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME];
@@ -539,6 +540,15 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME: case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME:
return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT]; return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT];
case SSL_X509_CA_CERT_LOCATION:
return ssl->x509_ctx->ca_cert_dn[X509_LOCATION];
case SSL_X509_CA_CERT_COUNTRY:
return ssl->x509_ctx->ca_cert_dn[X509_COUNTRY];
case SSL_X509_CA_CERT_STATE:
return ssl->x509_ctx->ca_cert_dn[X509_STATE];
default: default:
return NULL; return NULL;
} }
@@ -1393,7 +1403,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
if (IS_SET_SSL_FLAG(SSL_NEED_RECORD)) if (IS_SET_SSL_FLAG(SSL_NEED_RECORD))
{ {
/* check for sslv2 "client hello" */ /* check for sslv2 "client hello" */
if (buf[0] & 0x80 && buf[2] == 1) if ((buf[0] & 0x80) && buf[2] == 1)
{ {
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
printf("Error: no SSLv23 handshaking allowed\n"); printf("Error: no SSLv23 handshaking allowed\n");
@@ -2149,6 +2159,10 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
goto error; goto error;
} }
#if defined (CONFIG_SSL_FULL_MODE)
if (ssl->ssl_ctx->options & SSL_DISPLAY_CERTS)
x509_print(certs[num_certs], NULL);
#endif
num_certs++; num_certs++;
offset += cert_size; offset += cert_size;
} }
@@ -2168,6 +2182,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
{ {
if (certs[i] == chain) if (certs[i] == chain)
continue; continue;
if (cert_used[i]) if (cert_used[i])
continue; // don't allow loops continue; // don't allow loops

60
ssl/x509.c
View File

@@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007-2015, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@@ -73,6 +73,7 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
{ {
int begin_tbs, end_tbs, begin_spki, end_spki; int begin_tbs, end_tbs, begin_spki, end_spki;
int ret = X509_NOT_OK, offset = 0, cert_size = 0; int ret = X509_NOT_OK, offset = 0, cert_size = 0;
int version = 0;
X509_CTX *x509_ctx; X509_CTX *x509_ctx;
#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */ #ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
BI_CTX *bi_ctx; BI_CTX *bi_ctx;
@@ -96,7 +97,7 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */ if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */
{ {
if (asn1_version(cert, &offset, x509_ctx)) if ((version = asn1_version(cert, &offset, x509_ctx)) == X509_NOT_OK)
goto end_cert; goto end_cert;
} }
@@ -122,7 +123,6 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
goto end_cert; goto end_cert;
end_spki = offset; end_spki = offset;
x509_ctx->fingerprint = malloc(SHA1_SIZE); x509_ctx->fingerprint = malloc(SHA1_SIZE);
SHA1_CTX sha_fp_ctx; SHA1_CTX sha_fp_ctx;
SHA1_Init(&sha_fp_ctx); SHA1_Init(&sha_fp_ctx);
@@ -197,7 +197,7 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
break; break;
} }
if (cert[offset] == ASN1_V3_DATA) if (version == 2 && cert[offset] == ASN1_V3_DATA)
{ {
int suboffset; int suboffset;
@@ -518,9 +518,29 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
printf("%s\n", cert->cert_dn[X509_ORGANIZATION] ? printf("%s\n", cert->cert_dn[X509_ORGANIZATION] ?
cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert); cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert);
printf("Organizational Unit (OU):\t"); if (cert->cert_dn[X509_ORGANIZATIONAL_UNIT])
printf("%s\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT] ? {
cert->cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert); printf("Organizational Unit (OU):\t");
printf("%s\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT]);
}
if (cert->cert_dn[X509_LOCATION])
{
printf("Location (L):\t\t\t");
printf("%s\n", cert->cert_dn[X509_LOCATION]);
}
if (cert->cert_dn[X509_COUNTRY])
{
printf("Country (C):\t\t\t");
printf("%s\n", cert->cert_dn[X509_COUNTRY]);
}
if (cert->cert_dn[X509_STATE])
{
printf("State (ST):\t\t\t");
printf("%s\n", cert->cert_dn[X509_STATE]);
}
printf("=== CERTIFICATE ISSUED BY ===\n"); printf("=== CERTIFICATE ISSUED BY ===\n");
printf("Common Name (CN):\t\t"); printf("Common Name (CN):\t\t");
@@ -531,9 +551,29 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATION] ? printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATION] ?
cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert); cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert);
printf("Organizational Unit (OU):\t"); if (cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT])
printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] ? {
cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert); printf("Organizational Unit (OU):\t");
printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT]);
}
if (cert->ca_cert_dn[X509_LOCATION])
{
printf("Location (L):\t\t\t");
printf("%s\n", cert->ca_cert_dn[X509_LOCATION]);
}
if (cert->ca_cert_dn[X509_COUNTRY])
{
printf("Country (C):\t\t\t");
printf("%s\n", cert->ca_cert_dn[X509_COUNTRY]);
}
if (cert->ca_cert_dn[X509_STATE])
{
printf("State (ST):\t\t\t");
printf("%s\n", cert->ca_cert_dn[X509_STATE]);
}
printf("Not Before:\t\t\t%s", ctime(&cert->not_before)); printf("Not Before:\t\t\t%s", ctime(&cert->not_before));
printf("Not After:\t\t\t%s", ctime(&cert->not_after)); printf("Not After:\t\t\t%s", ctime(&cert->not_after));