Added some certificate loading tweaks.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@190 9a5d90b5-6617-0410-8a86-bb477d3ed2e3

ssl/Config.in

@@ -252,7 +252,7 @@ config CONFIG_SSL_EXPIRY_TIME
 
 config CONFIG_X509_MAX_CA_CERTS
     int "Maximum number of certificate authorites"
-    default 120 if CONFIG_SSL_CERT_VERIFICATION
+    default 150 if CONFIG_SSL_CERT_VERIFICATION
     depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
     help
         Determines the number of CA's allowed. 

ssl/loader.c

@@ -290,8 +290,11 @@ error:
 static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where, 
                     int remain, const char *password)
 {
-    int ret = SSL_OK;
+    int ret = SSL_ERROR_BAD_CERTIFICATE;
     SSLObjLoader *ssl_obj = NULL;
+
+    while (remain > 0)
+    {
         int i, pem_size, obj_type;
         char *start = NULL, *end = NULL;
 
@@ -315,11 +318,17 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
                 {
                     /* check for encrypted PEM file */
                     if (pem_decrypt(start, end, password, ssl_obj) < 0)
+                    {
+                        ret = SSL_ERROR_BAD_CERTIFICATE;
                         goto error;
                     }
+                }
                 else if (base64_decode(start, pem_size, 
                             ssl_obj->buf, &ssl_obj->len) != 0)
+                {
+                    ret = SSL_ERROR_BAD_CERTIFICATE;
                     goto error;
+                }
 
                 switch (i)
                 {
@@ -337,6 +346,7 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
                         break;
 
                     default:
+                        ret = SSL_ERROR_BAD_CERTIFICATE;
                         goto error;
                 }
 
@@ -356,12 +366,15 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
             }
         }
 
-    if (i == NUM_PEM_TYPES)
+        ssl_obj_free(ssl_obj);
-        goto error;
+        ssl_obj = NULL;
 
-    /* more PEM stuff to process? */
+        if (i == NUM_PEM_TYPES)
-    if (remain)
+        {
-        ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password);
+            ret = SSL_ERROR_BAD_CERTIFICATE;
+            goto error;
+        }
+    }
 
 error:
     ssl_obj_free(ssl_obj);

ssl/test/ssltest.c

@@ -572,17 +572,6 @@ static int cert_tests(void)
     SSL_CTX *ssl_ctx;
     uint8_t *buf;
 
-    ssl_ctx = ssl_ctx_new(0, 0);
-    if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, 
-            "../ssl/test/ca-bundle.crt", NULL))
-    {
-        printf("Cert #10\n");
-        goto bad_cert;
-    }
-
-    ssl_ctx_free(ssl_ctx);
-    exit(0);
-
     /* check a bunch of 3rd party certificates */
     ssl_ctx = ssl_ctx_new(0, 0);
     len = get_file("../ssl/test/microsoft.x509_ca", &buf);
@@ -706,6 +695,16 @@ static int cert_tests(void)
     x509_free(x509_ctx);
     free(buf);
 
+    ssl_ctx = ssl_ctx_new(0, 0);
+    if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, 
+            "../ssl/test/ca-bundle.crt", NULL))
+    {
+        printf("Cert #10\n");
+        goto bad_cert;
+    }
+
+    ssl_ctx_free(ssl_ctx);
+
 res = 0;        /* all ok */
     printf("All Certificate tests passed\n");
 
@@ -795,7 +794,7 @@ typedef struct
 static void do_client(client_t *clnt)
 {
     char openssl_buf[2048];
-    usleep(500000);           /* allow server to start */
+    usleep(200000);           /* allow server to start */
 
     /* show the session ids in the reconnect test */
     if (strcmp(clnt->testname, "Session Reuse") == 0)
@@ -1332,7 +1331,7 @@ static int SSL_client_test(
 #endif
     }
     
-    usleep(500000);           /* allow server to start */
+    usleep(200000);           /* allow server to start */
 
     if (*ssl_ctx == NULL)
     {
@@ -1443,7 +1442,7 @@ static int SSL_client_test(
 client_test_exit:
     ssl_free(ssl);
     SOCKET_CLOSE(client_fd);
-    usleep(500000);           /* allow openssl to say something */
+    usleep(200000);           /* allow openssl to say something */
 
     if (sess_resume)
     {
@@ -1451,9 +1450,6 @@ client_test_exit:
         {
             ssl_ctx_free(*ssl_ctx);
             *ssl_ctx = NULL;
-#ifndef WIN32
-            pthread_cancel(sess_resume->server_thread);
-#endif
         }
         else if (sess_resume->start_server)
         {
@@ -1466,9 +1462,6 @@ client_test_exit:
     {
         ssl_ctx_free(*ssl_ctx);
         *ssl_ctx = NULL;
-#ifndef WIN32
-        pthread_cancel(thread);
-#endif
     }
 
     if (ret == 0)
@@ -1635,7 +1628,7 @@ static void do_basic(void)
     SSL *ssl_clnt;
     SSL_CTX *ssl_clnt_ctx = ssl_ctx_new(
                             DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
-    usleep(500000);           /* allow server to start */
+    usleep(200000);           /* allow server to start */
 
     if ((client_fd = client_socket_init(g_port)) < 0)
         goto error;
@@ -1760,7 +1753,7 @@ void do_multi_clnt(multi_t *multi_data)
     if ((client_fd = client_socket_init(multi_data->port)) < 0)
         goto client_test_exit;
 
-    usleep(500000);
+    usleep(200000);
     ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0);
 
     if ((res = ssl_handshake_status(ssl)))
@@ -1937,7 +1930,7 @@ static int header_issue(void)
 
     size = fread(buf, 1, sizeof(buf), f);
     SOCKET_WRITE(client_fd, buf, size);
-    usleep(500000);
+    usleep(200000);
 
     ret = 0;
 error:

ssl/tls1.c

@@ -386,9 +386,8 @@ error:
  */
 int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
 {
-    int i = 0;
-    int offset;
     int ret = SSL_OK; /* ignore errors for now */
+    int i = 0;
     CA_CERT_CTX *ca_cert_ctx;
 
     if (ssl_ctx->ca_cert_ctx == NULL)
@@ -399,24 +398,26 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
     while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) 
         i++;
 
+    while (len > 0)
+    {
+        int offset;
         if (i >= CONFIG_X509_MAX_CA_CERTS)
         {
 #ifdef CONFIG_SSL_FULL_MODE
             printf("Error: maximum number of CA certs added - change of "
                     "compile-time configuration required\n");
 #endif
-        goto error;
+            break;
         }
 
-    ret = x509_new(buf, &offset, &ca_cert_ctx->cert[i]);
+
+        /* ignore the return code */
+        if (x509_new(buf, &offset, &ca_cert_ctx->cert[i]) == X509_OK)
+            i++;
+
         len -= offset;
-    ret = SSL_OK;           /* ok so far */
+    }
 
-    /* recurse? */
-    if (len > 0)
-        ret = add_cert_auth(ssl_ctx, &buf[offset], len);
-
-error:
     return ret;
 }
 

ssl/x509.c

@@ -209,13 +209,15 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
     ret = X509_OK;
 end_cert:
 
-#ifdef CONFIG_SSL_FULL_MODE
     if (ret)
     {
+#ifdef CONFIG_SSL_FULL_MODE
         printf("Error: Invalid X509 ASN.1 file (%s)\n",
                         x509_display_error(ret));
-    }
 #endif
+        x509_free(x509_ctx);
+        *ctx = NULL;
+    }
 
     return ret;
 }