arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-04-19 23:22:16 +03:00
Code

Added some certificate loading tweaks.

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@190 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich 2011-01-04 04:20:21 +00:00
parent 9e082c868e
commit 26e256c758
6 changed files with 2636 additions and 7031 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/Config.in
View File

@ -252,7 +252,7 @@ config CONFIG_SSL_EXPIRY_TIME
config CONFIG_X509_MAX_CA_CERTS
int "Maximum number of certificate authorites"
default 120 if CONFIG_SSL_CERT_VERIFICATION
default 150 if CONFIG_SSL_CERT_VERIFICATION
depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
help
Determines the number of CA's allowed.

25
ssl/loader.c
View File

@ -290,8 +290,11 @@ error:
static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
int remain, const char *password)
{
int ret = SSL_OK;
int ret = SSL_ERROR_BAD_CERTIFICATE;
SSLObjLoader *ssl_obj = NULL;
while (remain > 0)
{
int i, pem_size, obj_type;
char *start = NULL, *end = NULL;
@ -315,11 +318,17 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
{
/* check for encrypted PEM file */
if (pem_decrypt(start, end, password, ssl_obj) < 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
switch (i)
{
@ -337,6 +346,7 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
break;
default:
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
@ -356,12 +366,15 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
}
}
if (i == NUM_PEM_TYPES)
goto error;
ssl_obj_free(ssl_obj);
ssl_obj = NULL;
/* more PEM stuff to process? */
if (remain)
ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password);
if (i == NUM_PEM_TYPES)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
error:
ssl_obj_free(ssl_obj);

9462
ssl/test/ca-bundle.crt
View File

File diff suppressed because it is too large Load Diff

39
ssl/test/ssltest.c
View File

@ -572,17 +572,6 @@ static int cert_tests(void)
SSL_CTX *ssl_ctx;
uint8_t *buf;
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
exit(0);
/* check a bunch of 3rd party certificates */
ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/microsoft.x509_ca", &buf);
@ -706,6 +695,16 @@ static int cert_tests(void)
x509_free(x509_ctx);
free(buf);
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
res = 0; /* all ok */
printf("All Certificate tests passed\n");
@ -795,7 +794,7 @@ typedef struct
static void do_client(client_t *clnt)
{
char openssl_buf[2048];
usleep(500000); /* allow server to start */
usleep(200000); /* allow server to start */
/* show the session ids in the reconnect test */
if (strcmp(clnt->testname, "Session Reuse") == 0)
@ -1332,7 +1331,7 @@ static int SSL_client_test(
#endif
}
usleep(500000); /* allow server to start */
usleep(200000); /* allow server to start */
if (*ssl_ctx == NULL)
{
@ -1443,7 +1442,7 @@ static int SSL_client_test(
client_test_exit:
ssl_free(ssl);
SOCKET_CLOSE(client_fd);
usleep(500000); /* allow openssl to say something */
usleep(200000); /* allow openssl to say something */
if (sess_resume)
{
@ -1451,9 +1450,6 @@ client_test_exit:
{
ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(sess_resume->server_thread);
#endif
}
else if (sess_resume->start_server)
{
@ -1466,9 +1462,6 @@ client_test_exit:
{
ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(thread);
#endif
}
if (ret == 0)
@ -1635,7 +1628,7 @@ static void do_basic(void)
SSL *ssl_clnt;
SSL_CTX *ssl_clnt_ctx = ssl_ctx_new(
DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
usleep(500000); /* allow server to start */
usleep(200000); /* allow server to start */
if ((client_fd = client_socket_init(g_port)) < 0)
goto error;
@ -1760,7 +1753,7 @@ void do_multi_clnt(multi_t *multi_data)
if ((client_fd = client_socket_init(multi_data->port)) < 0)
goto client_test_exit;
usleep(500000);
usleep(200000);
ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0);
if ((res = ssl_handshake_status(ssl)))
@ -1937,7 +1930,7 @@ static int header_issue(void)
size = fread(buf, 1, sizeof(buf), f);
SOCKET_WRITE(client_fd, buf, size);
usleep(500000);
usleep(200000);
ret = 0;
error:

21
ssl/tls1.c
View File

@ -386,9 +386,8 @@ error:
*/
int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
{
int i = 0;
int offset;
int ret = SSL_OK; /* ignore errors for now */
int i = 0;
CA_CERT_CTX *ca_cert_ctx;
if (ssl_ctx->ca_cert_ctx == NULL)
@ -399,24 +398,26 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
i++;
while (len > 0)
{
int offset;
if (i >= CONFIG_X509_MAX_CA_CERTS)
{
#ifdef CONFIG_SSL_FULL_MODE
printf("Error: maximum number of CA certs added - change of "
"compile-time configuration required\n");
#endif
goto error;
break;
}
ret = x509_new(buf, &offset, &ca_cert_ctx->cert[i]);
/* ignore the return code */
if (x509_new(buf, &offset, &ca_cert_ctx->cert[i]) == X509_OK)
i++;
len -= offset;
ret = SSL_OK; /* ok so far */
}
/* recurse? */
if (len > 0)
ret = add_cert_auth(ssl_ctx, &buf[offset], len);
error:
return ret;
}

6
ssl/x509.c
View File

@ -209,13 +209,15 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
ret = X509_OK;
end_cert:
#ifdef CONFIG_SSL_FULL_MODE
if (ret)
{
#ifdef CONFIG_SSL_FULL_MODE
printf("Error: Invalid X509 ASN.1 file (%s)\n",
x509_display_error(ret));
}
#endif
x509_free(x509_ctx);
*ctx = NULL;
}
return ret;
}