arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-04-19 23:22:16 +03:00
Code

Added some certificate loading tweaks.

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@190 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich 2011-01-04 04:20:21 +00:00
parent 9e082c868e
commit 26e256c758
6 changed files with 2636 additions and 7031 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
ssl/Config.in
View File

@ -252,7 +252,7 @@ config CONFIG_SSL_EXPIRY_TIME
config CONFIG_X509_MAX_CA_CERTS
int "Maximum number of certificate authorites"
default 120 if CONFIG_SSL_CERT_VERIFICATION
default 150 if CONFIG_SSL_CERT_VERIFICATION
depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
help
Determines the number of CA's allowed.

125
ssl/loader.c
View File

@ -290,79 +290,92 @@ error:
static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
int remain, const char *password)
{
int ret = SSL_OK;
int ret = SSL_ERROR_BAD_CERTIFICATE;
SSLObjLoader *ssl_obj = NULL;
int i, pem_size, obj_type;
char *start = NULL, *end = NULL;
for (i = 0; i < NUM_PEM_TYPES; i++)
while (remain > 0)
{
if ((start = strstr(where, begins[i])) &&
(end = strstr(where, ends[i])))
int i, pem_size, obj_type;
char *start = NULL, *end = NULL;
for (i = 0; i < NUM_PEM_TYPES; i++)
{
remain -= (int)(end-start);
start += strlen(begins[i]);
pem_size = (int)(end-start);
ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader));
/* 4/3 bigger than what we need but so what */
ssl_obj->buf = (uint8_t *)calloc(1, pem_size);
if (i == IS_RSA_PRIVATE_KEY &&
strstr(start, "Proc-Type:") &&
strstr(start, "4,ENCRYPTED"))
if ((start = strstr(where, begins[i])) &&
(end = strstr(where, ends[i])))
{
/* check for encrypted PEM file */
if (pem_decrypt(start, end, password, ssl_obj) < 0)
remain -= (int)(end-start);
start += strlen(begins[i]);
pem_size = (int)(end-start);
ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader));
/* 4/3 bigger than what we need but so what */
ssl_obj->buf = (uint8_t *)calloc(1, pem_size);
if (i == IS_RSA_PRIVATE_KEY &&
strstr(start, "Proc-Type:") &&
strstr(start, "4,ENCRYPTED"))
{
/* check for encrypted PEM file */
if (pem_decrypt(start, end, password, ssl_obj) < 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
else if (base64_decode(start, pem_size,
ssl_obj->buf, &ssl_obj->len) != 0)
goto error;
}
switch (i)
{
case IS_RSA_PRIVATE_KEY:
obj_type = SSL_OBJ_RSA_KEY;
break;
switch (i)
{
case IS_RSA_PRIVATE_KEY:
obj_type = SSL_OBJ_RSA_KEY;
break;
case IS_ENCRYPTED_PRIVATE_KEY:
obj_type = SSL_OBJ_PKCS8;
break;
case IS_ENCRYPTED_PRIVATE_KEY:
obj_type = SSL_OBJ_PKCS8;
break;
case IS_CERTIFICATE:
obj_type = is_cacert ?
SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT;
break;
case IS_CERTIFICATE:
obj_type = is_cacert ?
SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT;
break;
default:
default:
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
/* In a format we can now understand - so process it */
if ((ret = do_obj(ssl_ctx, obj_type, ssl_obj, password)))
goto error;
end += strlen(ends[i]);
remain -= strlen(ends[i]);
while (remain > 0 && (*end == '\r' || *end == '\n'))
{
end++;
remain--;
}
break;
}
}
/* In a format we can now understand - so process it */
if ((ret = do_obj(ssl_ctx, obj_type, ssl_obj, password)))
goto error;
ssl_obj_free(ssl_obj);
ssl_obj = NULL;
end += strlen(ends[i]);
remain -= strlen(ends[i]);
while (remain > 0 && (*end == '\r' || *end == '\n'))
{
end++;
remain--;
}
break;
if (i == NUM_PEM_TYPES)
{
ret = SSL_ERROR_BAD_CERTIFICATE;
goto error;
}
}
if (i == NUM_PEM_TYPES)
goto error;
/* more PEM stuff to process? */
if (remain)
ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password);
error:
ssl_obj_free(ssl_obj);
return ret;

9462
ssl/test/ca-bundle.crt
View File

File diff suppressed because it is too large Load Diff

41
ssl/test/ssltest.c
View File

@ -572,17 +572,6 @@ static int cert_tests(void)
SSL_CTX *ssl_ctx;
uint8_t *buf;
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
exit(0);
/* check a bunch of 3rd party certificates */
ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/microsoft.x509_ca", &buf);
@ -706,7 +695,17 @@ static int cert_tests(void)
x509_free(x509_ctx);
free(buf);
res = 0; /* all ok */
ssl_ctx = ssl_ctx_new(0, 0);
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
res = 0; /* all ok */
printf("All Certificate tests passed\n");
bad_cert:
@ -795,7 +794,7 @@ typedef struct
static void do_client(client_t *clnt)
{
char openssl_buf[2048];
usleep(500000); /* allow server to start */
usleep(200000); /* allow server to start */
/* show the session ids in the reconnect test */
if (strcmp(clnt->testname, "Session Reuse") == 0)
@ -1332,7 +1331,7 @@ static int SSL_client_test(
#endif
}
usleep(500000); /* allow server to start */
usleep(200000); /* allow server to start */
if (*ssl_ctx == NULL)
{
@ -1443,7 +1442,7 @@ static int SSL_client_test(
client_test_exit:
ssl_free(ssl);
SOCKET_CLOSE(client_fd);
usleep(500000); /* allow openssl to say something */
usleep(200000); /* allow openssl to say something */
if (sess_resume)
{
@ -1451,9 +1450,6 @@ client_test_exit:
{
ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(sess_resume->server_thread);
#endif
}
else if (sess_resume->start_server)
{
@ -1466,9 +1462,6 @@ client_test_exit:
{
ssl_ctx_free(*ssl_ctx);
*ssl_ctx = NULL;
#ifndef WIN32
pthread_cancel(thread);
#endif
}
if (ret == 0)
@ -1635,7 +1628,7 @@ static void do_basic(void)
SSL *ssl_clnt;
SSL_CTX *ssl_clnt_ctx = ssl_ctx_new(
DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
usleep(500000); /* allow server to start */
usleep(200000); /* allow server to start */
if ((client_fd = client_socket_init(g_port)) < 0)
goto error;
@ -1760,7 +1753,7 @@ void do_multi_clnt(multi_t *multi_data)
if ((client_fd = client_socket_init(multi_data->port)) < 0)
goto client_test_exit;
usleep(500000);
usleep(200000);
ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0);
if ((res = ssl_handshake_status(ssl)))
@ -1937,7 +1930,7 @@ static int header_issue(void)
size = fread(buf, 1, sizeof(buf), f);
SOCKET_WRITE(client_fd, buf, size);
usleep(500000);
usleep(200000);
ret = 0;
error:

31
ssl/tls1.c
View File

@ -386,9 +386,8 @@ error:
*/
int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
{
int i = 0;
int offset;
int ret = SSL_OK; /* ignore errors for now */
int i = 0;
CA_CERT_CTX *ca_cert_ctx;
if (ssl_ctx->ca_cert_ctx == NULL)
@ -399,24 +398,26 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
i++;
if (i >= CONFIG_X509_MAX_CA_CERTS)
while (len > 0)
{
int offset;
if (i >= CONFIG_X509_MAX_CA_CERTS)
{
#ifdef CONFIG_SSL_FULL_MODE
printf("Error: maximum number of CA certs added - change of "
"compile-time configuration required\n");
printf("Error: maximum number of CA certs added - change of "
"compile-time configuration required\n");
#endif
goto error;
break;
}
/* ignore the return code */
if (x509_new(buf, &offset, &ca_cert_ctx->cert[i]) == X509_OK)
i++;
len -= offset;
}
ret = x509_new(buf, &offset, &ca_cert_ctx->cert[i]);
len -= offset;
ret = SSL_OK; /* ok so far */
/* recurse? */
if (len > 0)
ret = add_cert_auth(ssl_ctx, &buf[offset], len);
error:
return ret;
}

6
ssl/x509.c
View File

@ -209,13 +209,15 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
ret = X509_OK;
end_cert:
#ifdef CONFIG_SSL_FULL_MODE
if (ret)
{
#ifdef CONFIG_SSL_FULL_MODE
printf("Error: Invalid X509 ASN.1 file (%s)\n",
x509_display_error(ret));
}
#endif
x509_free(x509_ctx);
*ctx = NULL;
}
return ret;
}