1
0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-10 14:42:08 +03:00

Added some certificate loading tweaks.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@190 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich 2011-01-04 04:20:21 +00:00
parent 9e082c868e
commit 26e256c758
6 changed files with 2636 additions and 7031 deletions

View File

@ -252,7 +252,7 @@ config CONFIG_SSL_EXPIRY_TIME
config CONFIG_X509_MAX_CA_CERTS config CONFIG_X509_MAX_CA_CERTS
int "Maximum number of certificate authorites" int "Maximum number of certificate authorites"
default 120 if CONFIG_SSL_CERT_VERIFICATION default 150 if CONFIG_SSL_CERT_VERIFICATION
depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
help help
Determines the number of CA's allowed. Determines the number of CA's allowed.

View File

@ -290,8 +290,11 @@ error:
static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where, static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
int remain, const char *password) int remain, const char *password)
{ {
int ret = SSL_OK; int ret = SSL_ERROR_BAD_CERTIFICATE;
SSLObjLoader *ssl_obj = NULL; SSLObjLoader *ssl_obj = NULL;
while (remain > 0)
{
int i, pem_size, obj_type; int i, pem_size, obj_type;
char *start = NULL, *end = NULL; char *start = NULL, *end = NULL;
@ -315,11 +318,17 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
{ {
/* check for encrypted PEM file */ /* check for encrypted PEM file */
if (pem_decrypt(start, end, password, ssl_obj) < 0) if (pem_decrypt(start, end, password, ssl_obj) < 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error; goto error;
} }
}
else if (base64_decode(start, pem_size, else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0) ssl_obj->buf, &ssl_obj->len) != 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error; goto error;
}
switch (i) switch (i)
{ {
@ -337,6 +346,7 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
break; break;
default: default:
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error; goto error;
} }
@ -356,12 +366,15 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
} }
} }
if (i == NUM_PEM_TYPES) ssl_obj_free(ssl_obj);
goto error; ssl_obj = NULL;
/* more PEM stuff to process? */ if (i == NUM_PEM_TYPES)
if (remain) {
ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password); ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
error: error:
ssl_obj_free(ssl_obj); ssl_obj_free(ssl_obj);

File diff suppressed because it is too large Load Diff

View File

@ -572,17 +572,6 @@ static int cert_tests(void)
SSL_CTX *ssl_ctx; SSL_CTX *ssl_ctx;
uint8_t *buf; uint8_t *buf;
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
exit(0);
/* check a bunch of 3rd party certificates */ /* check a bunch of 3rd party certificates */
ssl_ctx = ssl_ctx_new(0, 0); ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/microsoft.x509_ca", &buf); len = get_file("../ssl/test/microsoft.x509_ca", &buf);
@ -706,6 +695,16 @@ static int cert_tests(void)
x509_free(x509_ctx); x509_free(x509_ctx);
free(buf); free(buf);
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
res = 0; /* all ok */ res = 0; /* all ok */
printf("All Certificate tests passed\n"); printf("All Certificate tests passed\n");
@ -795,7 +794,7 @@ typedef struct
static void do_client(client_t *clnt) static void do_client(client_t *clnt)
{ {
char openssl_buf[2048]; char openssl_buf[2048];
usleep(500000); /* allow server to start */ usleep(200000); /* allow server to start */
/* show the session ids in the reconnect test */ /* show the session ids in the reconnect test */
if (strcmp(clnt->testname, "Session Reuse") == 0) if (strcmp(clnt->testname, "Session Reuse") == 0)
@ -1332,7 +1331,7 @@ static int SSL_client_test(
#endif #endif
} }
usleep(500000); /* allow server to start */ usleep(200000); /* allow server to start */
if (*ssl_ctx == NULL) if (*ssl_ctx == NULL)
{ {
@ -1443,7 +1442,7 @@ static int SSL_client_test(
client_test_exit: client_test_exit:
ssl_free(ssl); ssl_free(ssl);
SOCKET_CLOSE(client_fd); SOCKET_CLOSE(client_fd);
usleep(500000); /* allow openssl to say something */ usleep(200000); /* allow openssl to say something */
if (sess_resume) if (sess_resume)
{ {
@ -1451,9 +1450,6 @@ client_test_exit:
{ {
ssl_ctx_free(*ssl_ctx); ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL; *ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(sess_resume->server_thread);
#endif
} }
else if (sess_resume->start_server) else if (sess_resume->start_server)
{ {
@ -1466,9 +1462,6 @@ client_test_exit:
{ {
ssl_ctx_free(*ssl_ctx); ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL; *ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(thread);
#endif
} }
if (ret == 0) if (ret == 0)
@ -1635,7 +1628,7 @@ static void do_basic(void)
SSL *ssl_clnt; SSL *ssl_clnt;
SSL_CTX *ssl_clnt_ctx = ssl_ctx_new( SSL_CTX *ssl_clnt_ctx = ssl_ctx_new(
DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS); DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
usleep(500000); /* allow server to start */ usleep(200000); /* allow server to start */
if ((client_fd = client_socket_init(g_port)) < 0) if ((client_fd = client_socket_init(g_port)) < 0)
goto error; goto error;
@ -1760,7 +1753,7 @@ void do_multi_clnt(multi_t *multi_data)
if ((client_fd = client_socket_init(multi_data->port)) < 0) if ((client_fd = client_socket_init(multi_data->port)) < 0)
goto client_test_exit; goto client_test_exit;
usleep(500000); usleep(200000);
ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0); ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0);
if ((res = ssl_handshake_status(ssl))) if ((res = ssl_handshake_status(ssl)))
@ -1937,7 +1930,7 @@ static int header_issue(void)
size = fread(buf, 1, sizeof(buf), f); size = fread(buf, 1, sizeof(buf), f);
SOCKET_WRITE(client_fd, buf, size); SOCKET_WRITE(client_fd, buf, size);
usleep(500000); usleep(200000);
ret = 0; ret = 0;
error: error:

View File

@ -386,9 +386,8 @@ error:
*/ */
int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len) int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
{ {
int i = 0;
int offset;
int ret = SSL_OK; /* ignore errors for now */ int ret = SSL_OK; /* ignore errors for now */
int i = 0;
CA_CERT_CTX *ca_cert_ctx; CA_CERT_CTX *ca_cert_ctx;
if (ssl_ctx->ca_cert_ctx == NULL) if (ssl_ctx->ca_cert_ctx == NULL)
@ -399,24 +398,26 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
i++; i++;
while (len > 0)
{
int offset;
if (i >= CONFIG_X509_MAX_CA_CERTS) if (i >= CONFIG_X509_MAX_CA_CERTS)
{ {
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
printf("Error: maximum number of CA certs added - change of " printf("Error: maximum number of CA certs added - change of "
"compile-time configuration required\n"); "compile-time configuration required\n");
#endif #endif
goto error; break;
} }
ret = x509_new(buf, &offset, &ca_cert_ctx->cert[i]);
/* ignore the return code */
if (x509_new(buf, &offset, &ca_cert_ctx->cert[i]) == X509_OK)
i++;
len -= offset; len -= offset;
ret = SSL_OK; /* ok so far */ }
/* recurse? */
if (len > 0)
ret = add_cert_auth(ssl_ctx, &buf[offset], len);
error:
return ret; return ret;
} }

View File

@ -209,13 +209,15 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
ret = X509_OK; ret = X509_OK;
end_cert: end_cert:
#ifdef CONFIG_SSL_FULL_MODE
if (ret) if (ret)
{ {
#ifdef CONFIG_SSL_FULL_MODE
printf("Error: Invalid X509 ASN.1 file (%s)\n", printf("Error: Invalid X509 ASN.1 file (%s)\n",
x509_display_error(ret)); x509_display_error(ret));
}
#endif #endif
x509_free(x509_ctx);
*ctx = NULL;
}
return ret; return ret;
} }