arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-04-19 23:22:16 +03:00
Code

Added some certificate loading tweaks.

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@190 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich 2011-01-04 04:20:21 +00:00
parent 9e082c868e
commit 26e256c758
6 changed files with 2636 additions and 7031 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/Config.in
View File

@ -252,7 +252,7 @@ config CONFIG_SSL_EXPIRY_TIME
config CONFIG_X509_MAX_CA_CERTS config CONFIG_X509_MAX_CA_CERTS
int "Maximum number of certificate authorites" int "Maximum number of certificate authorites"
default 120 if CONFIG_SSL_CERT_VERIFICATION default 150 if CONFIG_SSL_CERT_VERIFICATION
depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
help help
Determines the number of CA's allowed. Determines the number of CA's allowed.

125
ssl/loader.c
View File

@ -290,79 +290,92 @@ error:
static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where, static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
int remain, const char *password) int remain, const char *password)
{ {
int ret = SSL_OK; int ret = SSL_ERROR_BAD_CERTIFICATE;
SSLObjLoader *ssl_obj = NULL; SSLObjLoader *ssl_obj = NULL;
int i, pem_size, obj_type;
char *start = NULL, *end = NULL;
for (i = 0; i < NUM_PEM_TYPES; i++) while (remain > 0)
{ {
if ((start = strstr(where, begins[i])) && int i, pem_size, obj_type;
(end = strstr(where, ends[i]))) char *start = NULL, *end = NULL;
for (i = 0; i < NUM_PEM_TYPES; i++)
{ {
remain -= (int)(end-start); if ((start = strstr(where, begins[i])) &&
start += strlen(begins[i]); (end = strstr(where, ends[i])))
pem_size = (int)(end-start);
ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader));
/* 4/3 bigger than what we need but so what */
ssl_obj->buf = (uint8_t *)calloc(1, pem_size);
if (i == IS_RSA_PRIVATE_KEY &&
strstr(start, "Proc-Type:") &&
strstr(start, "4,ENCRYPTED"))
{ {
/* check for encrypted PEM file */ remain -= (int)(end-start);
if (pem_decrypt(start, end, password, ssl_obj) < 0) start += strlen(begins[i]);
pem_size = (int)(end-start);
ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader));
/* 4/3 bigger than what we need but so what */
ssl_obj->buf = (uint8_t *)calloc(1, pem_size);
if (i == IS_RSA_PRIVATE_KEY &&
strstr(start, "Proc-Type:") &&
strstr(start, "4,ENCRYPTED"))
{
/* check for encrypted PEM file */
if (pem_decrypt(start, end, password, ssl_obj) < 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error; goto error;
} }
else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
goto error;
switch (i) switch (i)
{ {
case IS_RSA_PRIVATE_KEY: case IS_RSA_PRIVATE_KEY:
obj_type = SSL_OBJ_RSA_KEY; obj_type = SSL_OBJ_RSA_KEY;
break; break;
case IS_ENCRYPTED_PRIVATE_KEY: case IS_ENCRYPTED_PRIVATE_KEY:
obj_type = SSL_OBJ_PKCS8; obj_type = SSL_OBJ_PKCS8;
break; break;
case IS_CERTIFICATE: case IS_CERTIFICATE:
obj_type = is_cacert ? obj_type = is_cacert ?
SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT; SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT;
break; break;
default: default:
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
/* In a format we can now understand - so process it */
if ((ret = do_obj(ssl_ctx, obj_type, ssl_obj, password)))
goto error; goto error;
end += strlen(ends[i]);
remain -= strlen(ends[i]);
while (remain > 0 && (*end == '\r' || *end == '\n'))
{
end++;
remain--;
}
break;
} }
}
/* In a format we can now understand - so process it */ ssl_obj_free(ssl_obj);
if ((ret = do_obj(ssl_ctx, obj_type, ssl_obj, password))) ssl_obj = NULL;
goto error;
end += strlen(ends[i]); if (i == NUM_PEM_TYPES)
remain -= strlen(ends[i]); {
while (remain > 0 && (*end == '\r' || *end == '\n')) ret = SSL_ERROR_BAD_CERTIFICATE;
{ goto error;
end++;
remain--;
}
break;
} }
} }
if (i == NUM_PEM_TYPES)
goto error;
/* more PEM stuff to process? */
if (remain)
ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password);
error: error:
ssl_obj_free(ssl_obj); ssl_obj_free(ssl_obj);
return ret; return ret;

9462
ssl/test/ca-bundle.crt
View File

File diff suppressed because it is too large Load Diff

41
ssl/test/ssltest.c
View File

@ -572,17 +572,6 @@ static int cert_tests(void)
SSL_CTX *ssl_ctx; SSL_CTX *ssl_ctx;
uint8_t *buf; uint8_t *buf;
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
exit(0);
/* check a bunch of 3rd party certificates */ /* check a bunch of 3rd party certificates */
ssl_ctx = ssl_ctx_new(0, 0); ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/microsoft.x509_ca", &buf); len = get_file("../ssl/test/microsoft.x509_ca", &buf);
@ -706,7 +695,17 @@ static int cert_tests(void)
x509_free(x509_ctx); x509_free(x509_ctx);
free(buf); free(buf);
res = 0; /* all ok */ ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
res = 0; /* all ok */
printf("All Certificate tests passed\n"); printf("All Certificate tests passed\n");
bad_cert: bad_cert:
@ -795,7 +794,7 @@ typedef struct
static void do_client(client_t *clnt) static void do_client(client_t *clnt)
{ {
char openssl_buf[2048]; char openssl_buf[2048];
usleep(500000); /* allow server to start */ usleep(200000); /* allow server to start */
/* show the session ids in the reconnect test */ /* show the session ids in the reconnect test */
if (strcmp(clnt->testname, "Session Reuse") == 0) if (strcmp(clnt->testname, "Session Reuse") == 0)
@ -1332,7 +1331,7 @@ static int SSL_client_test(
#endif #endif
} }
usleep(500000); /* allow server to start */ usleep(200000); /* allow server to start */
if (*ssl_ctx == NULL) if (*ssl_ctx == NULL)
{ {
@ -1443,7 +1442,7 @@ static int SSL_client_test(
client_test_exit: client_test_exit:
ssl_free(ssl); ssl_free(ssl);
SOCKET_CLOSE(client_fd); SOCKET_CLOSE(client_fd);
usleep(500000); /* allow openssl to say something */ usleep(200000); /* allow openssl to say something */
if (sess_resume) if (sess_resume)
{ {
@ -1451,9 +1450,6 @@ client_test_exit:
{ {
ssl_ctx_free(*ssl_ctx); ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL; *ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(sess_resume->server_thread);
#endif
} }
else if (sess_resume->start_server) else if (sess_resume->start_server)
{ {
@ -1466,9 +1462,6 @@ client_test_exit:
{ {
ssl_ctx_free(*ssl_ctx); ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL; *ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(thread);
#endif
} }
if (ret == 0) if (ret == 0)
@ -1635,7 +1628,7 @@ static void do_basic(void)
SSL *ssl_clnt; SSL *ssl_clnt;
SSL_CTX *ssl_clnt_ctx = ssl_ctx_new( SSL_CTX *ssl_clnt_ctx = ssl_ctx_new(
DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS); DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
usleep(500000); /* allow server to start */ usleep(200000); /* allow server to start */
if ((client_fd = client_socket_init(g_port)) < 0) if ((client_fd = client_socket_init(g_port)) < 0)
goto error; goto error;
@ -1760,7 +1753,7 @@ void do_multi_clnt(multi_t *multi_data)
if ((client_fd = client_socket_init(multi_data->port)) < 0) if ((client_fd = client_socket_init(multi_data->port)) < 0)
goto client_test_exit; goto client_test_exit;
usleep(500000); usleep(200000);
ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0); ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0);
if ((res = ssl_handshake_status(ssl))) if ((res = ssl_handshake_status(ssl)))
@ -1937,7 +1930,7 @@ static int header_issue(void)
size = fread(buf, 1, sizeof(buf), f); size = fread(buf, 1, sizeof(buf), f);
SOCKET_WRITE(client_fd, buf, size); SOCKET_WRITE(client_fd, buf, size);
usleep(500000); usleep(200000);
ret = 0; ret = 0;
error: error:

31
ssl/tls1.c
View File

@ -386,9 +386,8 @@ error:
*/ */
int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len) int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
{ {
int i = 0;
int offset;
int ret = SSL_OK; /* ignore errors for now */ int ret = SSL_OK; /* ignore errors for now */
int i = 0;
CA_CERT_CTX *ca_cert_ctx; CA_CERT_CTX *ca_cert_ctx;
if (ssl_ctx->ca_cert_ctx == NULL) if (ssl_ctx->ca_cert_ctx == NULL)
@ -399,24 +398,26 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
i++; i++;
if (i >= CONFIG_X509_MAX_CA_CERTS) while (len > 0)
{ {
int offset;
if (i >= CONFIG_X509_MAX_CA_CERTS)
{
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
printf("Error: maximum number of CA certs added - change of " printf("Error: maximum number of CA certs added - change of "
"compile-time configuration required\n"); "compile-time configuration required\n");
#endif #endif
goto error; break;
}
/* ignore the return code */
if (x509_new(buf, &offset, &ca_cert_ctx->cert[i]) == X509_OK)
i++;
len -= offset;
} }
ret = x509_new(buf, &offset, &ca_cert_ctx->cert[i]);
len -= offset;
ret = SSL_OK; /* ok so far */
/* recurse? */
if (len > 0)
ret = add_cert_auth(ssl_ctx, &buf[offset], len);
error:
return ret; return ret;
} }

6
ssl/x509.c
View File

@ -209,13 +209,15 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
ret = X509_OK; ret = X509_OK;
end_cert: end_cert:
#ifdef CONFIG_SSL_FULL_MODE
if (ret) if (ret)
{ {
#ifdef CONFIG_SSL_FULL_MODE
printf("Error: Invalid X509 ASN.1 file (%s)\n", printf("Error: Invalid X509 ASN.1 file (%s)\n",
x509_display_error(ret)); x509_display_error(ret));
}
#endif #endif
x509_free(x509_ctx);
*ctx = NULL;
}
return ret; return ret;
} }