diff --git a/config/Config.in b/config/Config.in
index 4721ac446..dc4075646 100644
--- a/config/Config.in
+++ b/config/Config.in
@@ -19,9 +19,6 @@ config CONFIG_PLATFORM_LINUX
 config CONFIG_PLATFORM_CYGWIN
 bool "Cygwin"
-config CONFIG_PLATFORM_SOLARIS
- bool "Solaris"
-
 config CONFIG_PLATFORM_WIN32
 bool "Win32"
diff --git a/config/linuxconfig b/config/linuxconfig
index 9068c5b0b..614fdd80e 100644
--- a/config/linuxconfig
+++ b/config/linuxconfig
@@ -74,7 +74,6 @@ CONFIG_HTTP_LUA_CGI_LAUNCHER="/bin/cgi"
 # CONFIG_HTTP_BUILD_LUA is not set
 CONFIG_HTTP_DIRECTORIES=y
 CONFIG_HTTP_HAS_AUTHORIZATION=y
-# CONFIG_HTTP_CHANGE_UID is not set
 # CONFIG_HTTP_HAS_IPV6 is not set
 # CONFIG_HTTP_VERBOSE is not set
 # CONFIG_HTTP_IS_DAEMON is not set
diff --git a/config/win32config b/config/win32config
index cfff8094a..6c8d60712 100644
--- a/config/win32config
+++ b/config/win32config
@@ -74,7 +74,6 @@ CONFIG_HTTP_LUA_CGI_LAUNCHER=""
 # CONFIG_HTTP_BUILD_LUA is not set
 CONFIG_HTTP_DIRECTORIES=y
 CONFIG_HTTP_HAS_AUTHORIZATION=y
-# CONFIG_HTTP_CHANGE_UID is not set
 # CONFIG_HTTP_HAS_IPV6 is not set
 CONFIG_HTTP_VERBOSE=y
 # CONFIG_HTTP_IS_DAEMON is not set
diff --git a/crypto/rsa.c b/crypto/rsa.c
index c0dcb0355..31627bb31 100644
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@@ -79,11 +79,12 @@ void RSA_pub_key_new(RSA_CTX **ctx, const uint8_t *pub_exp, int pub_len)
 {
 RSA_CTX *rsa_ctx;
- BI_CTX *bi_ctx = bi_initialize();
+ BI_CTX *bi_ctx;
 if (*ctx) /* if we load multiple certs, dump the old one */
 RSA_free(*ctx);
+ bi_ctx = bi_initialize();
 *ctx = (RSA_CTX *)calloc(1, sizeof(RSA_CTX));
 rsa_ctx = *ctx;
 rsa_ctx->bi_ctx = bi_ctx;
diff --git a/httpd/Config.in b/httpd/Config.in
index ad66e2a16..c43eaa777 100644
--- a/httpd/Config.in
+++ b/httpd/Config.in
@@ -59,6 +59,7 @@ depends on !CONFIG_PLATFORM_WIN32
 config CONFIG_HTTP_HAS_CGI
 bool "Enable CGI"
 default y
+ depends on !CONFIG_PLATFORM_WIN32
 help
 Enable the CGI capability. Not available on Win32 platforms.
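Review bot: In the crypto/rsa.c hunk the `calloc()` result is still unchecked, so on allocation failure `*ctx` is NULL and the very next line `rsa_ctx->bi_ctx = bi_ctx;` dereferences it, while the `bi_initialize()` result that the hunk now creates after `RSA_free()` is never validated either and leaks on that path. Since RSA_pub_key_new returns void, the only way to protect callers is to leave `*ctx` NULL and bail out, e.g. `if (bi_ctx == NULL || (*ctx = calloc(1, sizeof(RSA_CTX))) == NULL) return;` after releasing bi_ctx. The rest of RSA_pub_key_new is outside the hunk, so the callers' handling of a NULL `*ctx` should be confirmed.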
@@ -119,15 +120,6 @@ config CONFIG_HTTP_HAS_AUTHORIZATION
 help
 Pages/directories can have passwords associated with them.
-config CONFIG_HTTP_CHANGE_UID
- bool "Change UID"
- default n
- depends on !CONFIG_PLATFORM_WIN32
- help
- Call setgid()/setuid() to disable access to protected files.
-
- This feature is normally disabled.
-
 config CONFIG_HTTP_HAS_IPV6
 bool "Enable IPv6"
 default n
diff --git a/httpd/axhttp.h b/httpd/axhttp.h
index cc277f1a6..73c299fb1 100644
--- a/httpd/axhttp.h
+++ b/httpd/axhttp.h
@@ -41,7 +41,7 @@
 #define BLOCKSIZE 4096
 #define INITIAL_CONNECTION_SLOTS 10
-#define CONFIG_HTTP_DEFAULT_SSL_OPTIONS 0
+#define CONFIG_HTTP_DEFAULT_SSL_OPTIONS SSL_DISPLAY_CERTS
 #define STATE_WANT_TO_READ_HEAD 1
 #define STATE_WANT_TO_SEND_HEAD 2
diff --git a/httpd/axhttpd.c b/httpd/axhttpd.c
index de408022e..23b7f6d53 100644
--- a/httpd/axhttpd.c
+++ b/httpd/axhttpd.c
@@ -187,10 +187,6 @@ int main(int argc, char *argv[])
 ax_chdir();
 #ifndef WIN32
-#ifdef CONFIG_HTTP_CHANGE_UID
- setgid(32767);
- setuid(32767);
-#endif
 #ifdef CONFIG_HTTP_IS_DAEMON
 if (fork() > 0) /* parent will die */
 exit(0);
diff --git a/httpd/proc.c b/httpd/proc.c
index f27dfabec..30a2ee21c 100644
--- a/httpd/proc.c
+++ b/httpd/proc.c
@@ -321,7 +321,7 @@ void procreadhead(struct connstruct *cn)
 /* If we have a blank line, advance to next stage */
 if (*next == '\r' || *next == '\n')
 {
-#ifndef WIN32
+#if defined(CONFIG_HTTP_HAS_CGI)
 if (cn->reqtype == TYPE_POST && cn->content_length > 0)
 {
 if (init_read_post_data(buf,next,cn,rv) == 0)
diff --git a/ssl/Config.in b/ssl/Config.in
index 25cee495e..825d97d94 100644
--- a/ssl/Config.in
+++ b/ssl/Config.in
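Review bot: Deleting the `CONFIG_HTTP_CHANGE_UID` block in httpd/axhttpd.c (and its option in the httpd/Config.in hunk on this line) leaves main() with no privilege-drop path at all, so the server keeps whatever uid/gid it was started with, which is root whenever it is launched to bind ports 80/443. The removed code was admittedly weak (hard-coded 32767, `setgid()`/`setuid()` return values ignored), but the fix is to make it checked and configurable rather than to remove it: `if (setgid(gid) != 0 || setuid(uid) != 0) { perror("setuid"); exit(1); }` at this spot, after the listening sockets are bound and before the `fork()` below. If the intent is that operators run axhttpd as an unprivileged user themselves, that expectation should be stated in the httpd Config.in help text. main() continues outside the hunk.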
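Review bot: In httpd/proc.c the guard `#if defined(CONFIG_HTTP_HAS_CGI)` now compiles the POST-body handling in procreadhead only when CGI is enabled, so a non-CGI build that receives a POST with a non-zero `Content-Length` depends on whatever the `#else`/fall-through branch outside this hunk does. Unless that branch drains or rejects the body, the unread bytes remain on the socket and are parsed as the start of the next request on a keep-alive connection, so it is worth confirming that the non-CGI path answers such requests with an error status and closes the connection. The enclosing function and the matching `#endif` are outside the hunk.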
@@ -168,10 +168,11 @@ config CONFIG_SSL_X509_COMMON_NAME
 string "X.509 Common Name"
 depends on CONFIG_SSL_GENERATE_X509_CERT
 help
- The common name for the X.509 certificate. This should in theory be
- the URL for server.
+ The common name for the X.509 certificate. This should be the fully
+ qualified domain name (FQDN), e.g. www.foo.com.
- If this is blank, then this will be value from gethostname().
+ If this is blank, then this will be value from gethostname() and
+ getdomainname().
 config CONFIG_SSL_X509_ORGANIZATION_NAME
 string "X.509 Organization Name"
diff --git a/ssl/asn1.c b/ssl/asn1.c
index 1639040d0..7d4d36e17 100644
--- a/ssl/asn1.c
+++ b/ssl/asn1.c
@@ -132,10 +132,10 @@ end_int_array:
 int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx)
 {
 int offset = 7;
- uint8_t *modulus, *priv_exp, *pub_exp;
+ uint8_t *modulus = NULL, *priv_exp = NULL, *pub_exp = NULL;
 int mod_len, priv_len, pub_len;
 #ifdef CONFIG_BIGINT_CRT
- uint8_t *p, *q, *dP, *dQ, *qInv;
+ uint8_t *p = NULL, *q = NULL, *dP = NULL, *dQ = NULL, *qInv = NULL;
 int p_len, q_len, dP_len, dQ_len, qInv_len;
 #endif
@@ -348,7 +348,7 @@ end_name:
 int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
 {
 int ret = X509_NOT_OK, mod_len, pub_len;
- uint8_t *modulus, *pub_exp;
+ uint8_t *modulus = NULL, *pub_exp = NULL;
 if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
 asn1_skip_obj(cert, offset, ASN1_SEQUENCE) ||
diff --git a/ssl/crypto_misc.h b/ssl/crypto_misc.h
index 3ceb9d1fc..dc1f6e145 100644
--- a/ssl/crypto_misc.h
+++ b/ssl/crypto_misc.h
@@ -62,7 +62,7 @@ extern "C" {
 #define X509_NUM_DN_TYPES 3
 #define X509_COMMON_NAME 0
 #define X509_ORGANIZATION 1
-#define X509_ORGANIZATIONAL_TYPE 2
+#define X509_ORGANIZATIONAL_UNIT 2
 struct _x509_ctx
 {
diff --git a/ssl/gen_cert.c b/ssl/gen_cert.c
index faad29b0f..856dc3ac0 100644
--- a/ssl/gen_cert.c
+++ b/ssl/gen_cert.c
@@ -182,13 +182,18 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
 int seq_offset;
 int seq_size = pre_adjust_with_size(
 ASN1_SEQUENCE, &seq_offset, buf, offset);
- char hostname[128];
+ char fqdn[128];
- /* we need the common name, so if not configured, use the hostname */
+ /* we need the common name, so if not configured, work out the fully
+ * qualified domain name */
 if (dn[X509_COMMON_NAME] == NULL || strlen(dn[X509_COMMON_NAME]) == 0)
 {
- gethostname(hostname, sizeof(hostname));
- dn[X509_COMMON_NAME] = hostname;
+ int fqdn_len;
+ gethostname(fqdn, sizeof(fqdn));
+ fqdn_len = strlen(fqdn);
+ fqdn[fqdn_len++] = '.';
+ getdomainname(&fqdn[fqdn_len], sizeof(fqdn)-fqdn_len);
+ dn[X509_COMMON_NAME] = fqdn;
 }
 if ((ret = gen_dn(dn[X509_COMMON_NAME], 3, buf, offset)))
@@ -201,10 +206,10 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
 ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset))))
 goto error;
- if (dn[X509_ORGANIZATIONAL_TYPE] != NULL &&
- strlen(dn[X509_ORGANIZATIONAL_TYPE]) > 0)
+ if (dn[X509_ORGANIZATIONAL_UNIT] != NULL &&
+ strlen(dn[X509_ORGANIZATIONAL_UNIT]) > 0)
 {
- if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_TYPE], 11, buf, offset)))
+ if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_UNIT], 11, buf, offset)))
 goto error;
 }
diff --git a/ssl/os_port.c b/ssl/os_port.c
index cddbea32a..6a71000b4 100644
--- a/ssl/os_port.c
+++ b/ssl/os_port.c
@@ -72,6 +72,22 @@ EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2)
 return *(unsigned char *)s1 - *(unsigned char *)(s2 - 1);
 }
+
+EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size)
+{
+ HKEY hKey;
+ unsigned long datatype;
+ unsigned long bufferlength = buf_size;
+
+ if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
+ TEXT("SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"),
+ 0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
+ return -1;
+
+ RegQueryValueEx(hKey, "Domain", NULL, &datatype, buf, &bufferlength);
+ RegCloseKey(hKey);
+ return 0;
+}
 #endif
 #undef malloc
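Review bot: The FQDN assembly added to gen_issuer can write past `fqdn`: `gethostname()` is not required to NUL-terminate when the host name does not fit, so `strlen(fqdn)` may run off the end of the 128-byte buffer, and when the name fills it exactly `fqdn[fqdn_len++] = '.'` stores at index 128. Both return values are ignored as well, and on Linux `getdomainname()` yields the NIS domain, which is commonly the literal string `(none)` when unset, so the generated CN can become `host.(none)` (on failure the tail of the buffer is simply left uninitialised). The rewrite below forces termination, checks both calls and appends the domain only when it fits and is meaningful; whether the fallback should instead be a bare hostname or a configured value is a policy question for the maintainers. The second hunk in this file is only the X509_ORGANIZATIONAL_UNIT rename.

```c
    if (dn[X509_COMMON_NAME] == NULL || strlen(dn[X509_COMMON_NAME]) == 0)
    {
        size_t fqdn_len;

        if (gethostname(fqdn, sizeof(fqdn)) != 0)
            fqdn[0] = '\0';
        fqdn[sizeof(fqdn) - 1] = '\0';  /* gethostname() need not terminate on truncation */
        fqdn_len = strlen(fqdn);

        /* append ".<domain>" only when '.', at least one character and the NUL all fit */
        if (fqdn_len + 2 < sizeof(fqdn) &&
            getdomainname(&fqdn[fqdn_len + 1], sizeof(fqdn) - fqdn_len - 1) == 0)
        {
            fqdn[sizeof(fqdn) - 1] = '\0';
            if (fqdn[fqdn_len + 1] != '\0' &&
                strcmp(&fqdn[fqdn_len + 1], "(none)") != 0)
                fqdn[fqdn_len] = '.';   /* fqdn[fqdn_len] is still the NUL otherwise */
        }

        dn[X509_COMMON_NAME] = fqdn;
    }
```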
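Review bot: The Win32 `getdomainname()` shim in ssl/os_port.c ignores the `RegQueryValueEx()` result and returns 0 unconditionally, so when the `Domain` value is missing, is not `REG_SZ`, or is longer than `buf_size` (ERROR_MORE_DATA) the caller gets success with an untouched or unterminated buffer; registry `REG_SZ` data is also not guaranteed to carry a NUL, so a later `strlen()` on `buf` can read beyond it. `datatype` and `bufferlength` should be `DWORD`, `buf` needs the `(LPBYTE)` cast the API expects, and the value name should go through `TEXT()` like the key path does. The version below propagates failure and terminates the string within `buf_size`.

```c
EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size)
{
    HKEY hKey;
    DWORD datatype = 0;
    DWORD bufferlength;
    LONG rc;

    if (buf == NULL || buf_size <= 0)
        return -1;
    bufferlength = (DWORD)buf_size;

    /* … unchanged: RegOpenKeyEx() of Tcpip\Parameters, returning -1 on failure … */

    rc = RegQueryValueEx(hKey, TEXT("Domain"), NULL, &datatype,
                         (LPBYTE)buf, &bufferlength);
    RegCloseKey(hKey);
    if (rc != ERROR_SUCCESS || datatype != REG_SZ)
    {
        buf[0] = '\0';
        return -1;
    }

    /* REG_SZ data need not be NUL-terminated; bufferlength is the byte count stored */
    buf[bufferlength < (DWORD)buf_size ? bufferlength : (DWORD)buf_size - 1] = '\0';
    return 0;
}
```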
diff --git a/ssl/os_port.h b/ssl/os_port.h
index 139850468..262c4dd70 100644
--- a/ssl/os_port.h
+++ b/ssl/os_port.h
@@ -114,10 +114,7 @@ extern "C" {
 * automatically build some library dependencies. */
 #pragma comment(lib, "WS2_32.lib")
-
-#ifdef CONFIG_WIN32_USE_CRYPTO_LIB
 #pragma comment(lib, "AdvAPI32.lib")
-#endif
 typedef UINT8 uint8_t;
 typedef INT8 int8_t;
@@ -131,6 +128,7 @@ typedef int socklen_t;
 EXP_FUNC void STDCALL gettimeofday(struct timeval* t,void* timezone);
 EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2);
+EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size);
 #else /* Not Win32 */
diff --git a/ssl/test/ssltest.c b/ssl/test/ssltest.c
index a97a5b578..c4be8966d 100644
--- a/ssl/test/ssltest.c
+++ b/ssl/test/ssltest.c
@@ -1248,6 +1248,13 @@ static int SSL_client_test(
 goto client_test_exit;
 }
 }
+
+ if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT,
+ "../ssl/test/axTLS.ca_x509.cer", NULL))
+ {
+ printf("could not add cert auth\n"); TTY_FLUSH();
+ goto client_test_exit;
+ }
 }
 if (sess_resume && !sess_resume->start_server)
@@ -1257,16 +1264,7 @@ static int SSL_client_test(
 if ((client_fd = client_socket_init(g_port)) < 0)
 {
- printf("could not start socket on %d\n", g_port);
- TTY_FLUSH();
- goto client_test_exit;
- }
-
- if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT,
- "../ssl/test/axTLS.ca_x509.cer", NULL))
- {
- printf("could not add cert auth\n");
- TTY_FLUSH();
+ printf("could not start socket on %d\n", g_port); TTY_FLUSH();
 goto client_test_exit;
 }
diff --git a/ssl/tls1.c b/ssl/tls1.c
index d84df3fb4..c98cd7a5f 100755
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@@ -353,6 +353,11 @@ int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
 if ((ret = x509_new(buf, &offset, &cert)))
 goto error;
+#if defined (CONFIG_SSL_FULL_MODE)
+ if (ssl_ctx->options & SSL_DISPLAY_CERTS)
+ x509_print(cert, NULL);
+#endif
+
 ssl_cert = &ssl_ctx->certs[i];
 ssl_cert->size = len;
 ssl_cert->buf = (uint8_t *)malloc(len);
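Review bot: The new Win32 declaration `EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size);` in ssl/os_port.h takes a signed `int` length while the POSIX function it stands in for takes `size_t`, and the caller in gen_cert.c passes a `sizeof(fqdn)-fqdn_len` expression, so a `size_t` parameter here (and in the os_port.c definition) avoids the signed/unsigned conversion and rules out a negative length reaching the registry call. Since `AdvAPI32.lib` is now linked unconditionally for `RegOpenKeyEx()`, a short comment next to the pragma would stop a later cleanup from re-wrapping it in `#ifdef CONFIG_WIN32_USE_CRYPTO_LIB`, e.g. `/* Registry access in getdomainname() needs AdvAPI32 even without the crypto lib */`.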
@@ -448,7 +453,7 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
 return ssl->x509_ctx->cert_dn[X509_ORGANIZATION];
 case SSL_X509_CERT_ORGANIZATIONAL_NAME:
- return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_TYPE];
+ return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT];
 case SSL_X509_CA_CERT_COMMON_NAME:
 return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME];
@@ -457,7 +462,7 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
 return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATION];
 case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME:
- return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_TYPE];
+ return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT];
 default:
 return NULL;
diff --git a/ssl/x509.c b/ssl/x509.c
index 758f3f0e1..9b41b944e 100644
--- a/ssl/x509.c
+++ b/ssl/x509.c
@@ -387,50 +387,42 @@ end_verify:
 /**
 * Used for diagnostics.
 */
+static const char *not_part_of_cert = "";
 void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
 {
 if (cert == NULL)
 return;
- printf("---------------- CERT DEBUG ----------------\n");
- printf("* CA Cert Distinguished Name\n");
- if (cert->ca_cert_dn[X509_COMMON_NAME])
- {
- printf("Common Name (CN):\t%s\n", cert->ca_cert_dn[X509_COMMON_NAME]);
- }
+ printf("=== CERTIFICATE ISSUED TO ===\n");
+ printf("Common Name (CN):\t\t");
+ printf("%s\n", cert->cert_dn[X509_COMMON_NAME] ?
+ cert->cert_dn[X509_COMMON_NAME] : not_part_of_cert);
- if (cert->ca_cert_dn[X509_ORGANIZATION])
- {
- printf("Organization (O):\t%s\n", cert->ca_cert_dn[X509_ORGANIZATION]);
- }
+ printf("Organization (O):\t\t");
+ printf("%s\n", cert->cert_dn[X509_ORGANIZATION] ?
+ cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert);
- if (cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE])
- {
- printf("Organizational Unit (OU): %s\n",
- cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE]);
- }
+ printf("Organizational Unit (OU):\t");
+ printf("%s\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT] ?
+ cert->cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert);
- printf("* Cert Distinguished Name\n");
- if (cert->cert_dn[X509_COMMON_NAME])
- {
- printf("Common Name (CN):\t%s\n", cert->cert_dn[X509_COMMON_NAME]);
- }
+ printf("=== CERTIFICATE ISSUED BY ===\n");
+ printf("Common Name (CN):\t\t");
+ printf("%s\n", cert->ca_cert_dn[X509_COMMON_NAME] ?
+ cert->ca_cert_dn[X509_COMMON_NAME] : not_part_of_cert);
- if (cert->cert_dn[X509_ORGANIZATION])
- {
- printf("Organization (O):\t%s\n", cert->cert_dn[X509_ORGANIZATION]);
- }
+ printf("Organization (O):\t\t");
+ printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATION] ?
+ cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert);
- if (cert->cert_dn[X509_ORGANIZATIONAL_TYPE])
- {
- printf("Organizational Unit (OU): %s\n",
- cert->cert_dn[X509_ORGANIZATIONAL_TYPE]);
- }
+ printf("Organizational Unit (OU):\t");
+ printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] ?
+ cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert);
- printf("Not Before:\t\t%s", ctime(&cert->not_before));
- printf("Not After:\t\t%s", ctime(&cert->not_after));
- printf("RSA bitsize:\t\t%d\n", cert->rsa_ctx->num_octets*8);
- printf("Sig Type:\t\t");
+ printf("Not Before:\t\t\t%s", ctime(&cert->not_before));
+ printf("Not After:\t\t\t%s", ctime(&cert->not_after));
+ printf("RSA bitsize:\t\t\t%d\n", cert->rsa_ctx->num_octets*8);
+ printf("Sig Type:\t\t\t");
 switch (cert->sig_type)
 {
 case SIG_TYPE_MD5: