changes for 1.1.8

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@145 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-06-09 03:41:41 +03:00 · 2007-12-02 22:15:46 +00:00 · 2007-12-02 22:15:46 +00:00 · 31efa00831
commit 31efa00831
parent 785380660e
17 changed files with 82 additions and 83 deletions
--- a/config/Config.in
+++ b/config/Config.in
@ -19,9 +19,6 @@ config CONFIG_PLATFORM_LINUX
 config CONFIG_PLATFORM_CYGWIN
    bool "Cygwin"

-config CONFIG_PLATFORM_SOLARIS
-    bool "Solaris"
-
 config CONFIG_PLATFORM_WIN32
    bool "Win32"

--- a/config/linuxconfig
+++ b/config/linuxconfig
@ -74,7 +74,6 @@ CONFIG_HTTP_LUA_CGI_LAUNCHER="/bin/cgi"
 # CONFIG_HTTP_BUILD_LUA is not set
 CONFIG_HTTP_DIRECTORIES=y
 CONFIG_HTTP_HAS_AUTHORIZATION=y
-# CONFIG_HTTP_CHANGE_UID is not set
 # CONFIG_HTTP_HAS_IPV6 is not set
 # CONFIG_HTTP_VERBOSE is not set
 # CONFIG_HTTP_IS_DAEMON is not set
--- a/config/win32config
+++ b/config/win32config
@ -74,7 +74,6 @@ CONFIG_HTTP_LUA_CGI_LAUNCHER=""
 # CONFIG_HTTP_BUILD_LUA is not set
 CONFIG_HTTP_DIRECTORIES=y
 CONFIG_HTTP_HAS_AUTHORIZATION=y
-# CONFIG_HTTP_CHANGE_UID is not set
 # CONFIG_HTTP_HAS_IPV6 is not set
 CONFIG_HTTP_VERBOSE=y
 # CONFIG_HTTP_IS_DAEMON is not set
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@ -79,11 +79,12 @@ void RSA_pub_key_new(RSA_CTX **ctx,
        const uint8_t *pub_exp, int pub_len)
 {
    RSA_CTX *rsa_ctx;
-    BI_CTX *bi_ctx = bi_initialize();
+    BI_CTX *bi_ctx;

    if (*ctx)   /* if we load multiple certs, dump the old one */
        RSA_free(*ctx);

+    bi_ctx = bi_initialize();
    *ctx = (RSA_CTX *)calloc(1, sizeof(RSA_CTX));
    rsa_ctx = *ctx;
    rsa_ctx->bi_ctx = bi_ctx;
--- a/httpd/Config.in
+++ b/httpd/Config.in
@ -59,6 +59,7 @@ depends on !CONFIG_PLATFORM_WIN32
 config CONFIG_HTTP_HAS_CGI
    bool "Enable CGI"
    default y
+    depends on !CONFIG_PLATFORM_WIN32
    help
        Enable the CGI capability. Not available on Win32 platforms.

@ -119,15 +120,6 @@ config CONFIG_HTTP_HAS_AUTHORIZATION
    help
        Pages/directories can have passwords associated with them.

-config CONFIG_HTTP_CHANGE_UID
-    bool "Change UID"
-    default n
-    depends on !CONFIG_PLATFORM_WIN32
-    help
-        Call setgid()/setuid() to disable access to protected files.
-        
-        This feature is normally disabled.
-
 config CONFIG_HTTP_HAS_IPV6
    bool "Enable IPv6"
    default n
--- a/httpd/axhttp.h
+++ b/httpd/axhttp.h
@ -41,7 +41,7 @@
 #define BLOCKSIZE                           4096

 #define INITIAL_CONNECTION_SLOTS            10
-#define CONFIG_HTTP_DEFAULT_SSL_OPTIONS     0 
+#define CONFIG_HTTP_DEFAULT_SSL_OPTIONS     SSL_DISPLAY_CERTS

 #define STATE_WANT_TO_READ_HEAD             1
 #define STATE_WANT_TO_SEND_HEAD             2
--- a/httpd/axhttpd.c
+++ b/httpd/axhttpd.c
@ -187,10 +187,6 @@ int main(int argc, char *argv[])
    ax_chdir();

 #ifndef WIN32 
-#ifdef CONFIG_HTTP_CHANGE_UID
-    setgid(32767);
-    setuid(32767);
-#endif
 #ifdef CONFIG_HTTP_IS_DAEMON
    if (fork() > 0)  /* parent will die */
        exit(0);
--- a/httpd/proc.c
+++ b/httpd/proc.c
@ -321,7 +321,7 @@ void procreadhead(struct connstruct *cn)
        /* If we have a blank line, advance to next stage */
        if (*next == '\r' || *next == '\n') 
        {
-#ifndef WIN32
+#if defined(CONFIG_HTTP_HAS_CGI)
            if (cn->reqtype == TYPE_POST && cn->content_length > 0)
            {
                if (init_read_post_data(buf,next,cn,rv) == 0)
--- a/ssl/Config.in
+++ b/ssl/Config.in
@ -168,10 +168,11 @@ config CONFIG_SSL_X509_COMMON_NAME
    string "X.509 Common Name"
    depends on CONFIG_SSL_GENERATE_X509_CERT
    help
-        The common name for the X.509 certificate. This should in theory be
-        the URL for server.
+        The common name for the X.509 certificate. This should be the fully 
+        qualified domain name (FQDN), e.g. www.foo.com.

-        If this is blank, then this will be value from gethostname().
+        If this is blank, then this will be value from gethostname() and
+        getdomainname().

 config CONFIG_SSL_X509_ORGANIZATION_NAME
    string "X.509 Organization Name"
--- a/ssl/asn1.c
+++ b/ssl/asn1.c
@ -132,10 +132,10 @@ end_int_array:
 int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx)
 {
    int offset = 7;
-    uint8_t *modulus, *priv_exp, *pub_exp;
+    uint8_t *modulus = NULL, *priv_exp = NULL, *pub_exp = NULL;
    int mod_len, priv_len, pub_len;
 #ifdef CONFIG_BIGINT_CRT
-    uint8_t *p, *q, *dP, *dQ, *qInv;
+    uint8_t *p = NULL, *q = NULL, *dP = NULL, *dQ = NULL, *qInv = NULL;
    int p_len, q_len, dP_len, dQ_len, qInv_len;
 #endif

@ -348,7 +348,7 @@ end_name:
 int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
 {
    int ret = X509_NOT_OK, mod_len, pub_len;
-    uint8_t *modulus, *pub_exp;
+    uint8_t *modulus = NULL, *pub_exp = NULL;

    if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
            asn1_skip_obj(cert, offset, ASN1_SEQUENCE) ||
--- a/ssl/crypto_misc.h
+++ b/ssl/crypto_misc.h
@ -62,7 +62,7 @@ extern "C" {
 #define X509_NUM_DN_TYPES                   3
 #define X509_COMMON_NAME                    0
 #define X509_ORGANIZATION                   1
-#define X509_ORGANIZATIONAL_TYPE            2
+#define X509_ORGANIZATIONAL_UNIT            2

 struct _x509_ctx
 {
--- a/ssl/gen_cert.c
+++ b/ssl/gen_cert.c
@ -182,13 +182,18 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
    int seq_offset;
    int seq_size = pre_adjust_with_size(
                            ASN1_SEQUENCE, &seq_offset, buf, offset);
-    char hostname[128];
+    char fqdn[128]; 

-    /* we need the common name, so if not configured, use the hostname */
+    /* we need the common name, so if not configured, work out the fully
+     * qualified domain name */
    if (dn[X509_COMMON_NAME] == NULL || strlen(dn[X509_COMMON_NAME]) == 0)
    {
-        gethostname(hostname, sizeof(hostname));
-        dn[X509_COMMON_NAME] = hostname;
+        int fqdn_len;
+        gethostname(fqdn, sizeof(fqdn));
+        fqdn_len = strlen(fqdn);
+        fqdn[fqdn_len++] = '.';
+        getdomainname(&fqdn[fqdn_len], sizeof(fqdn)-fqdn_len);
+        dn[X509_COMMON_NAME] = fqdn;
    }

    if ((ret = gen_dn(dn[X509_COMMON_NAME], 3, buf, offset)))
@ -201,10 +206,10 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
            ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset))))
        goto error;

-    if (dn[X509_ORGANIZATIONAL_TYPE] != NULL &&
-                                strlen(dn[X509_ORGANIZATIONAL_TYPE]) > 0)
+    if (dn[X509_ORGANIZATIONAL_UNIT] != NULL &&
+                                strlen(dn[X509_ORGANIZATIONAL_UNIT]) > 0)
    {
-        if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_TYPE], 11, buf, offset)))
+        if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_UNIT], 11, buf, offset)))
            goto error;
    }

--- a/ssl/os_port.c
+++ b/ssl/os_port.c
@ -72,6 +72,22 @@ EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2)
    return *(unsigned char *)s1 - *(unsigned char *)(s2 - 1);
 }

+
+EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size)
+{
+    HKEY hKey;
+    unsigned long datatype;
+    unsigned long bufferlength = buf_size;
+
+    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
+            TEXT("SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"),
+                        0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
+        return -1;
+
+    RegQueryValueEx(hKey, "Domain", NULL, &datatype, buf, &bufferlength);
+    RegCloseKey(hKey);
+    return 0; 
+}
 #endif

 #undef malloc
--- a/ssl/os_port.h
+++ b/ssl/os_port.h
@ -114,10 +114,7 @@ extern "C" {
 * automatically build some library dependencies.
 */
 #pragma comment(lib, "WS2_32.lib")
-
-#ifdef CONFIG_WIN32_USE_CRYPTO_LIB
 #pragma comment(lib, "AdvAPI32.lib")
-#endif

 typedef UINT8 uint8_t;
 typedef INT8 int8_t;
@ -131,6 +128,7 @@ typedef int socklen_t;

 EXP_FUNC void STDCALL gettimeofday(struct timeval* t,void* timezone);
 EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2);
+EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size);

 #else   /* Not Win32 */

--- a/ssl/test/ssltest.c
+++ b/ssl/test/ssltest.c
@ -1248,6 +1248,13 @@ static int SSL_client_test(
                goto client_test_exit;
            }
        }
+
+	if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT, 
+				"../ssl/test/axTLS.ca_x509.cer", NULL))
+        {
+            printf("could not add cert auth\n"); TTY_FLUSH();
+            goto client_test_exit;
+        }
    }
    
    if (sess_resume && !sess_resume->start_server) 
@ -1257,16 +1264,7 @@ static int SSL_client_test(

    if ((client_fd = client_socket_init(g_port)) < 0)
    {
-        printf("could not start socket on %d\n", g_port);
-        TTY_FLUSH();
-        goto client_test_exit;
-    }
-
-    if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT, 
-                                        "../ssl/test/axTLS.ca_x509.cer", NULL))
-    {
-        printf("could not add cert auth\n");
-        TTY_FLUSH();
+        printf("could not start socket on %d\n", g_port); TTY_FLUSH();
        goto client_test_exit;
    }

--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@ -353,6 +353,11 @@ int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
    if ((ret = x509_new(buf, &offset, &cert)))
        goto error;

+#if defined (CONFIG_SSL_FULL_MODE)
+    if (ssl_ctx->options & SSL_DISPLAY_CERTS)
+        x509_print(cert, NULL);
+#endif
+
    ssl_cert = &ssl_ctx->certs[i];
    ssl_cert->size = len;
    ssl_cert->buf = (uint8_t *)malloc(len);
@ -448,7 +453,7 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
            return ssl->x509_ctx->cert_dn[X509_ORGANIZATION];

        case SSL_X509_CERT_ORGANIZATIONAL_NAME:       
-            return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_TYPE];
+            return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT];

        case SSL_X509_CA_CERT_COMMON_NAME:
            return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME];
@ -457,7 +462,7 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
            return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATION];

        case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME:       
-            return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_TYPE];
+            return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT];

        default:
            return NULL;
--- a/ssl/x509.c
+++ b/ssl/x509.c
@ -387,50 +387,42 @@ end_verify:
 /**
 * Used for diagnostics.
 */
+static const char *not_part_of_cert = "<Not Part Of Certificate>";
 void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx) 
 {
    if (cert == NULL)
        return;

-    printf("----------------   CERT DEBUG   ----------------\n");
-    printf("* CA Cert Distinguished Name\n");
-    if (cert->ca_cert_dn[X509_COMMON_NAME])
-    {
-        printf("Common Name (CN):\t%s\n", cert->ca_cert_dn[X509_COMMON_NAME]);
-    }
+    printf("=== CERTIFICATE ISSUED TO ===\n");
+    printf("Common Name (CN):\t\t");
+    printf("%s\n", cert->cert_dn[X509_COMMON_NAME] ?
+                    cert->cert_dn[X509_COMMON_NAME] : not_part_of_cert);

-    if (cert->ca_cert_dn[X509_ORGANIZATION])
-    {
-        printf("Organization (O):\t%s\n", cert->ca_cert_dn[X509_ORGANIZATION]);
-    }
+    printf("Organization (O):\t\t");
+    printf("%s\n", cert->cert_dn[X509_ORGANIZATION] ?
+        cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert);

-    if (cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE])
-    {
-        printf("Organizational Unit (OU): %s\n", 
-                cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE]);
-    }
+    printf("Organizational Unit (OU):\t");
+    printf("%s\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT] ?
+        cert->cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert);

-    printf("* Cert Distinguished Name\n");
-    if (cert->cert_dn[X509_COMMON_NAME])
-    {
-        printf("Common Name (CN):\t%s\n", cert->cert_dn[X509_COMMON_NAME]);
-    }
+    printf("=== CERTIFICATE ISSUED BY ===\n");
+    printf("Common Name (CN):\t\t");
+    printf("%s\n", cert->ca_cert_dn[X509_COMMON_NAME] ?
+                    cert->ca_cert_dn[X509_COMMON_NAME] : not_part_of_cert);

-    if (cert->cert_dn[X509_ORGANIZATION])
-    {
-        printf("Organization (O):\t%s\n", cert->cert_dn[X509_ORGANIZATION]);
-    }
+    printf("Organization (O):\t\t");
+    printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATION] ?
+        cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert);

-    if (cert->cert_dn[X509_ORGANIZATIONAL_TYPE])
-    {
-        printf("Organizational Unit (OU): %s\n", 
-                cert->cert_dn[X509_ORGANIZATIONAL_TYPE]);
-    }
+    printf("Organizational Unit (OU):\t");
+    printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] ?
+        cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert);

-    printf("Not Before:\t\t%s", ctime(&cert->not_before));
-    printf("Not After:\t\t%s", ctime(&cert->not_after));
-    printf("RSA bitsize:\t\t%d\n", cert->rsa_ctx->num_octets*8);
-    printf("Sig Type:\t\t");
+    printf("Not Before:\t\t\t%s", ctime(&cert->not_before));
+    printf("Not After:\t\t\t%s", ctime(&cert->not_after));
+    printf("RSA bitsize:\t\t\t%d\n", cert->rsa_ctx->num_octets*8);
+    printf("Sig Type:\t\t\t");
    switch (cert->sig_type)
    {
        case SIG_TYPE_MD5: