mirror of https://github.com/esp8266/Arduino.git synced 2025-06-07 16:23:38 +03:00

tx/rx hmac records separated. fixed gnu tls issue

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@80 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
cameronrich 2007-03-30 23:57:28 +00:00
parent efdf49ba76
commit 55d6b77f70
14 changed files with 117 additions and 202 deletions


@ -66,7 +66,7 @@ ifdef CONFIG_PLATFORM_CYGWIN
endif
@install axtlsp.pm ../../$(STAGE)
CFLAGS += -D__USE_GNU -I$(CONFIG_HOME) -I$(SSL_HOME) -I$(PERL5_CORE)
CFLAGS += -D_GNU_SOURCE -I$(CONFIG_HOME) -I$(SSL_HOME) -I$(PERL5_CORE)
else
CFLAGS += /I"`cygpath -w $(CONFIG_HOME)`" /I"`cygpath -w $(SSL_HOME)`"
CFLAGS += /I"$(PERL5_CORE)"


@ -1,106 +0,0 @@
/*
* Automatically generated header file: don't edit
*/
#define HAVE_DOT_CONFIG 1
#undef CONFIG_PLATFORM_LINUX
#define CONFIG_PLATFORM_CYGWIN 1
#undef CONFIG_PLATFORM_SOLARIS
#undef CONFIG_PLATFORM_WIN32
/*
* General Configuration
*/
#define PREFIX "/usr/local"
#undef CONFIG_DEBUG
#undef CONFIG_VISUAL_STUDIO_6_0
#undef CONFIG_VISUAL_STUDIO_7_0
#undef CONFIG_VISUAL_STUDIO_8_0
#define CONFIG_VISUAL_STUDIO_6_0_BASE ""
#define CONFIG_VISUAL_STUDIO_7_0_BASE ""
#define CONFIG_VISUAL_STUDIO_8_0_BASE ""
#define CONFIG_EXTRA_CFLAGS_OPTIONS ""
#define CONFIG_EXTRA_LDFLAGS_OPTIONS ""
/*
* SSL Library
*/
#undef CONFIG_SSL_SERVER_ONLY
#undef CONFIG_SSL_CERT_VERIFICATION
#undef CONFIG_SSL_ENABLE_CLIENT
#define CONFIG_SSL_FULL_MODE 1
#undef CONFIG_SSL_SKELETON_MODE
#undef CONFIG_SSL_PROT_LOW
#define CONFIG_SSL_PROT_MEDIUM 1
#undef CONFIG_SSL_PROT_HIGH
#define CONFIG_SSL_USE_DEFAULT_KEY 1
#define CONFIG_SSL_ENABLE_V23_HANDSHAKE 1
#define CONFIG_SSL_HAS_PEM 1
#define CONFIG_SSL_USE_PKCS12 1
#define CONFIG_SSL_EXPIRY_TIME 24
#define CONFIG_X509_MAX_CA_CERTS 4
#define CONFIG_SSL_MAX_CERTS 2
#undef CONFIG_SSL_CTX_MUTEXING
#define CONFIG_USE_DEV_URANDOM 1
#undef CONFIG_WIN32_USE_CRYPTO_LIB
#undef CONFIG_OPENSSL_COMPATIBLE
#undef CONFIG_PERFORMANCE_TESTING
#undef CONFIG_SSL_TEST
#define CONFIG_AXHTTPD 1
/*
* Axhttpd Configuration
*/
#undef CONFIG_HTTP_STATIC_BUILD
#define CONFIG_HTTP_PORT 80
#define CONFIG_HTTP_HTTPS_PORT 443
#define CONFIG_HTTP_SESSION_CACHE_SIZE 5
#define CONFIG_HTTP_WEBROOT "../www"
#define CONFIG_HTTP_TIMEOUT 300
#undef CONFIG_HTTP_HAS_CGI
#define CONFIG_HTTP_CGI_EXTENSIONS ""
#undef CONFIG_HTTP_DIRECTORIES
#undef CONFIG_HTTP_HAS_AUTHORIZATION
#undef CONFIG_HTTP_USE_CHROOT
#undef CONFIG_HTTP_CHANGE_UID
#undef CONFIG_HTTP_HAS_IPV6
#undef CONFIG_HTTP_ALL_MIME_TYPES
#define CONFIG_HTTP_VERBOSE 1
#undef CONFIG_HTTP_IS_DAEMON
/*
* Language Bindings
*/
#undef CONFIG_BINDINGS
#undef CONFIG_CSHARP_BINDINGS
#undef CONFIG_VBNET_BINDINGS
#define CONFIG_DOT_NET_FRAMEWORK_BASE ""
#undef CONFIG_JAVA_BINDINGS
#define CONFIG_JAVA_HOME ""
#undef CONFIG_PERL_BINDINGS
#define CONFIG_PERL_CORE ""
#define CONFIG_PERL_LIB ""
/*
* Samples
*/
#define CONFIG_SAMPLES 1
#define CONFIG_C_SAMPLES 1
#undef CONFIG_CSHARP_SAMPLES
#undef CONFIG_VBNET_SAMPLES
#undef CONFIG_JAVA_SAMPLES
#undef CONFIG_PERL_SAMPLES
/*
* BigInt Options
*/
#undef CONFIG_BIGINT_CLASSICAL
#undef CONFIG_BIGINT_MONTGOMERY
#define CONFIG_BIGINT_BARRETT 1
#define CONFIG_BIGINT_CRT 1
#undef CONFIG_BIGINT_KARATSUBA
#define MUL_KARATSUBA_THRESH
#define SQU_KARATSUBA_THRESH
#define CONFIG_BIGINT_SLIDING_WINDOW 1
#define CONFIG_BIGINT_SQUARE 1
#undef CONFIG_BIGINT_CHECK_ON


@ -475,8 +475,7 @@ static int asn1_signature_type(const uint8_t *cert,
x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
*offset += len;
if (asn1_skip_obj(cert, offset, ASN1_NULL))
goto end_check_sig;
asn1_skip_obj(cert, offset, ASN1_NULL); /* if it's there */
ret = X509_OK;
end_check_sig:
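Review bot: The return value of `asn1_skip_obj(cert, offset, ASN1_NULL)` is now discarded, so a present-but-malformed NULL parameter is treated the same as an absent one. The code also depends on asn1_skip_obj leaving `*offset` untouched when it fails; its body is not in this hunk, so that is an assumption to confirm. Because `cert` is untrusted input, I would make the optional case explicit and keep the failure path: `if (cert[*offset] == ASN1_NULL && asn1_skip_obj(cert, offset, ASN1_NULL)) goto end_check_sig;`. asn1_signature_type starts above the hunk and continues below it.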


@ -35,8 +35,8 @@
static int do_obj(SSL_CTX *ssl_ctx, int obj_type,
SSLObjLoader *ssl_obj, const char *password);
#ifdef CONFIG_SSL_HAS_PEM
static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj,
const char *password);
static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type,
SSLObjLoader *ssl_obj, const char *password);
#endif
/*
@ -70,7 +70,7 @@ EXP_FUNC int STDCALL ssl_obj_load(SSL_CTX *ssl_ctx, int obj_type,
if (strncmp((char *)ssl_obj->buf, begin, strlen(begin)) == 0)
{
#ifdef CONFIG_SSL_HAS_PEM
ret = ssl_obj_PEM_load(ssl_ctx, ssl_obj, password);
ret = ssl_obj_PEM_load(ssl_ctx, obj_type, ssl_obj, password);
#else
printf(unsupported_str);
ret = SSL_ERROR_NOT_SUPPORTED;
@ -277,7 +277,7 @@ error:
/**
* Take a base64 blob of data and turn it into its proper ASN.1 form.
*/
static int new_pem_obj(SSL_CTX *ssl_ctx, char *where,
static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where,
int remain, const char *password)
{
int ret = SSL_OK;
@ -322,7 +322,8 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, char *where,
break;
case IS_CERTIFICATE:
obj_type = SSL_OBJ_X509_CERT;
obj_type = is_cacert ?
SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT;
break;
default:
@ -350,7 +351,7 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, char *where,
/* more PEM stuff to process? */
if (remain)
ret = new_pem_obj(ssl_ctx, end, remain, password);
ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password);
error:
ssl_obj_free(ssl_obj);
@ -360,8 +361,8 @@ error:
/*
* Load a file into memory that is in ASCII PEM format.
*/
static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj,
const char *password)
static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type,
SSLObjLoader *ssl_obj, const char *password)
{
char *start;
@ -370,6 +371,7 @@ static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj,
ssl_obj->buf = (uint8_t *)realloc(ssl_obj->buf, ssl_obj->len);
ssl_obj->buf[ssl_obj->len-1] = 0;
start = (char *)ssl_obj->buf;
return new_pem_obj(ssl_ctx, start, ssl_obj->len, password);
return new_pem_obj(ssl_ctx, obj_type == SSL_OBJ_X509_CACERT,
start, ssl_obj->len, password);
}
#endif /* CONFIG_SSL_HAS_PEM */
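Review bot: `is_cacert` is passed unchanged into the recursive `new_pem_obj` call, so when the caller asks for SSL_OBJ_X509_CACERT every certificate block in the PEM buffer is loaded as a CA certificate. The flag only affects the `IS_CERTIFICATE` case, so any other block type in the same buffer appears to be loaded as before (the other cases are outside the hunk). That is a trust decision worth stating where it is made; I would extend the header comment of new_pem_obj with `is_cacert: non-zero when the buffer was loaded as SSL_OBJ_X509_CACERT; every certificate found is then added as a CA certificate`. If a CA bundle should never install a key, rejecting non-certificate blocks when `is_cacert` is set would be the stricter option.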


@ -145,7 +145,9 @@ EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2);
/* some functions to mutate the way these work */
#define malloc(A) ax_malloc(A)
#ifndef realloc
#define realloc(A,B) ax_realloc(A,B)
#endif
#define calloc(A,B) ax_calloc(A,B)
EXP_FUNC void * STDCALL ax_malloc(size_t s);
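Review bot: Guarding only `realloc` with `#ifndef` means that in any translation unit where `realloc` is already a macro, calls silently bypass `ax_realloc`, while `malloc` and `calloc` are still redirected. If callers rely on the ax_ wrappers for allocation-failure handling (their bodies are not shown here), those units get different behaviour without any diagnostic. I would add a comment naming the header that defines `realloc` and why it must win, e.g. `/* <which header> defines realloc as a macro; do not override it */`, or `#undef realloc` first if the wrapper is meant to apply everywhere.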

BIN
ssl/test/gnutls.cer Executable file

Binary file not shown.

BIN
ssl/test/socgen.cer Executable file

Binary file not shown.


@ -580,13 +580,37 @@ static int cert_tests(void)
ssl_ctx_free(ssl_ctx);
free(buf);
ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/gnutls.cer", &buf);
if ((res = add_cert(ssl_ctx, buf, len)) < 0)
{
printf("Cert #5\n");
ssl_display_error(res);
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
free(buf);
ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/socgen.cer", &buf);
if ((res = add_cert(ssl_ctx, buf, len)) < 0)
{
printf("Cert #6\n");
ssl_display_error(res);
goto bad_cert;
}
ssl_ctx_free(ssl_ctx);
free(buf);
/* Verisign use MD2 which is not supported */
ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/verisign.x509_ca", &buf);
if ((res = add_cert_auth(ssl_ctx, buf, len)) !=
X509_VFY_ERROR_UNSUPPORTED_DIGEST)
{
printf("Cert #5\n");
printf("Cert #7\n");
ssl_display_error(res);
goto bad_cert;
}
@ -597,7 +621,7 @@ static int cert_tests(void)
if (get_file("../ssl/test/verisign.x509_my_cert", &buf) < 0 ||
x509_new(buf, &len, &x509_ctx))
{
printf("Cert #6\n");
printf("Cert #8\n");
ssl_display_error(res);
goto bad_cert;
}
@ -1023,7 +1047,7 @@ int SSL_server_tests(void)
"-cipher RC4-SHA",
"../ssl/test/axTLS.x509_device.pem",
NULL, "../ssl/test/axTLS.device_key.pem",
NULL, NULL, DEFAULT_SVR_OPTION)))
"../ssl/test/axTLS.ca_x509.pem", NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
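Review bot: In the two new cert_tests cases the result of `get_file()` is not checked before `buf` and `len` are handed to `add_cert()`, although the later verisign.x509_my_cert case does test `get_file(...) < 0`. If gnutls.cer or socgen.cer cannot be read, the test passes whatever `buf` holds to the parser and then to `free()`. I would fail early in both places, for example `if ((len = get_file("../ssl/test/gnutls.cer", &buf)) < 0) { printf("Cert #5\n"); goto bad_cert; }`. cert_tests starts and ends outside these hunks, so the bad_cert cleanup is not visible.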
/*


@ -37,7 +37,7 @@ else
KILL_AXSSL="killall axssl"
KILL_PERL="killall /usr/bin/perl"
else # Linux
JAVA_BIN=/usr/lib/java/bin
JAVA_BIN=/usr/java/default/bin
PERL_BIN=/usr/bin/perl
KILL_AXSSL="killall axssl"
KILL_CSHARP="killall mono"
@ -81,7 +81,7 @@ sleep 1
"$JAVA_BIN/java" -jar ./axtls.jar $SERVER_PEM_ARGS &
echo "Java Test passed" | "$JAVA_BIN/java" -jar ./axtls.jar $CLIENT_PEM_ARGS
$KILL_JAVA
sleep 1
sleep 2
echo "### Java tests complete"
fi


@ -145,7 +145,7 @@ static void prf(const uint8_t *sec, int sec_len, uint8_t *seed, int seed_len,
static const cipher_info_t *get_cipher_info(uint8_t cipher);
static void increment_read_sequence(SSL *ssl);
static void increment_write_sequence(SSL *ssl);
static void add_hmac_digest(SSL *ssl, int snd,
static void add_hmac_digest(SSL *ssl, int snd, uint8_t *hmac_header,
const uint8_t *buf, int buf_len, uint8_t *hmac_buf);
/* win32 VC6.0 doesn't have variadic macros */
@ -619,29 +619,24 @@ static void increment_write_sequence(SSL *ssl)
/**
* Work out the HMAC digest in a packet.
*/
static void add_hmac_digest(SSL *ssl, int mode,
static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header,
const uint8_t *buf, int buf_len, uint8_t *hmac_buf)
{
int hmac_len = buf_len + 8 + SSL_RECORD_SIZE;
uint8_t *t_buf = (uint8_t *)malloc(hmac_len);
uint8_t *t_ptr = t_buf;
uint8_t *t_buf = (uint8_t *)malloc(hmac_len+10);
memcpy(t_buf, (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE) ?
ssl->write_sequence : ssl->read_sequence, 8);
t_buf += 8;
ssl->write_sequence : ssl->read_sequence, 8);
memcpy(&t_buf[8], hmac_header, SSL_RECORD_SIZE);
memcpy(&t_buf[8+SSL_RECORD_SIZE], buf, buf_len);
memcpy(t_buf, ssl->record_buf, SSL_RECORD_SIZE);
t_buf += SSL_RECORD_SIZE;
memcpy(t_buf, buf, buf_len);
ssl->cipher_info->hmac(t_ptr, hmac_len,
ssl->cipher_info->hmac(t_buf, hmac_len,
(mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_READ) ?
ssl->server_mac : ssl->client_mac,
ssl->cipher_info->digest_size, hmac_buf);
#if 0
print_blob("record", ssl->record_buf, SSL_RECORD_SIZE);
print_blob("record", ssl->hmac_tx, SSL_RECORD_SIZE);
print_blob("buf", buf, buf_len);
if (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE)
{
@ -665,7 +660,7 @@ static void add_hmac_digest(SSL *ssl, int mode,
print_blob("hmac", hmac_buf, SHA1_SIZE);
#endif
free(t_ptr);
free(t_buf);
}
/**
@ -691,9 +686,9 @@ static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len)
return SSL_ERROR_INVALID_HMAC;
}
ssl->record_buf[3] = hmac_offset >> 8; /* insert size */
ssl->record_buf[4] = hmac_offset & 0xff;
add_hmac_digest(ssl, mode, buf, hmac_offset, hmac_buf);
ssl->hmac_header[3] = hmac_offset >> 8; /* insert size */
ssl->hmac_header[4] = hmac_offset & 0xff;
add_hmac_digest(ssl, mode, ssl->hmac_header, buf, hmac_offset, hmac_buf);
if (memcmp(hmac_buf, &buf[hmac_offset], ssl->cipher_info->digest_size))
{
@ -972,9 +967,13 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
{
int mode = IS_SET_SSL_FLAG(SSL_IS_CLIENT) ?
SSL_CLIENT_WRITE : SSL_SERVER_WRITE;
ssl->record_buf[0] = protocol;
ssl->record_buf[3] = length >> 8;
ssl->record_buf[4] = length & 0xff;
uint8_t hmac_header[SSL_RECORD_SIZE];
hmac_header[0] = protocol;
hmac_header[1] = 0x03;
hmac_header[2] = 0x01;
hmac_header[3] = length >> 8;
hmac_header[4] = length & 0xff;
if (protocol == PT_HANDSHAKE_PROTOCOL)
{
@ -989,7 +988,7 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
/* add the packet digest */
msg_length += ssl->cipher_info->digest_size;
ssl->bm_index = msg_length;
add_hmac_digest(ssl, mode, ssl->bm_data, length,
add_hmac_digest(ssl, mode, hmac_header, ssl->bm_data, length,
&ssl->bm_data[length]);
/* add padding? */
@ -1135,12 +1134,10 @@ static void set_key_block(SSL *ssl, int is_write)
int basic_read(SSL *ssl, uint8_t **in_data)
{
int ret = SSL_OK;
int read_len, is_record;
int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
uint8_t *buf;
int read_len, is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
uint8_t *buf = ssl->bm_data;
buf = ssl->bm_data;
read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_index],
read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_read_index],
ssl->need_bytes-ssl->got_bytes);
/* connection has gone, so die */
@ -1152,10 +1149,10 @@ int basic_read(SSL *ssl, uint8_t **in_data)
}
DISPLAY_BYTES(ssl, "received %d bytes",
&ssl->bm_data[ssl->bm_index], read_len, read_len);
&ssl->bm_data[ssl->bm_read_index], read_len, read_len);
ssl->got_bytes += read_len;
ssl->bm_index += read_len;
ssl->bm_read_index += read_len;
/* haven't quite got what we want, so try again later */
if (ssl->got_bytes < ssl->need_bytes)
@ -1190,19 +1187,17 @@ int basic_read(SSL *ssl, uint8_t **in_data)
}
CLR_SSL_FLAG(SSL_NEED_RECORD);
memcpy(ssl->record_buf, buf, 3); /* store for hmac */
is_record = 1;
}
else
{
SET_SSL_FLAG(SSL_NEED_RECORD);
ssl->need_bytes = SSL_RECORD_SIZE;
is_record = 0;
memcpy(ssl->hmac_header, buf, 3); /* store for hmac */
ssl->record_type = buf[0];
goto error; /* no error, we're done */
}
if (is_record)
ssl->record_type = buf[0];
else if (IS_SET_SSL_FLAG(SSL_RX_ENCRYPTED))
/* for next time - just do it now in case of an error */
SET_SSL_FLAG(SSL_NEED_RECORD);
ssl->need_bytes = SSL_RECORD_SIZE;
/* decrypt if we need to */
if (IS_SET_SSL_FLAG(SSL_RX_ENCRYPTED))
{
ssl->cipher_info->decrypt(ssl->decrypt_ctx, buf, buf, read_len);
read_len = verify_digest(ssl,
@ -1220,52 +1215,50 @@ int basic_read(SSL *ssl, uint8_t **in_data)
}
/* The main part of the SSL packet */
if (!is_record)
switch (ssl->record_type)
{
switch (ssl->record_type)
{
case PT_HANDSHAKE_PROTOCOL:
ret = do_handshake(ssl, buf, read_len);
break;
case PT_HANDSHAKE_PROTOCOL:
ret = do_handshake(ssl, buf, read_len);
break;
case PT_CHANGE_CIPHER_SPEC:
if (ssl->next_state != HS_FINISHED)
{
ret = SSL_ERROR_INVALID_HANDSHAKE;
goto error;
}
case PT_CHANGE_CIPHER_SPEC:
if (ssl->next_state != HS_FINISHED)
{
ret = SSL_ERROR_INVALID_HANDSHAKE;
goto error;
}
SET_SSL_FLAG(SSL_RX_ENCRYPTED);
set_key_block(ssl, 0);
memset(ssl->read_sequence, 0, 8);
break;
/* all encrypted from now on */
SET_SSL_FLAG(SSL_RX_ENCRYPTED);
set_key_block(ssl, 0);
memset(ssl->read_sequence, 0, 8);
break;
case PT_APP_PROTOCOL_DATA:
if (in_data)
{
*in_data = ssl->bm_data; /* point to the work buffer */
(*in_data)[read_len] = 0; /* null terminate just in case */
}
case PT_APP_PROTOCOL_DATA:
if (in_data)
{
*in_data = ssl->bm_data; /* point to the work buffer */
(*in_data)[read_len] = 0; /* null terminate just in case */
}
ret = read_len;
break;
ret = read_len;
break;
case PT_ALERT_PROTOCOL:
/* return the alert # with alert bit set */
ret = -buf[1];
DISPLAY_ALERT(ssl, buf[1]);
break;
case PT_ALERT_PROTOCOL:
/* return the alert # with alert bit set */
ret = -buf[1];
DISPLAY_ALERT(ssl, buf[1]);
break;
default:
ret = SSL_ERROR_INVALID_PROT_MSG;
break;
}
default:
ret = SSL_ERROR_INVALID_PROT_MSG;
break;
}
error:
ssl->bm_index = 0; /* reset to go again */
ssl->bm_read_index = 0; /* reset to go again */
if (ret < SSL_OK && in_data) /* if all wrong, then clear this buffer ptr */
if (ret < SSL_OK && in_data)/* if all wrong, then clear this buffer ptr */
*in_data = NULL;
return ret;
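Review bot: In add_hmac_digest the buffer is now allocated as `malloc(hmac_len+10)`, but the three memcpy calls write exactly 8 + SSL_RECORD_SIZE + buf_len bytes, which is `hmac_len`. The extra 10 bytes are unexplained and read like slack for an overrun somewhere else. I would return to `malloc(hmac_len)`, or keep the padding with a comment saying which callee needs it. The disabled `#if 0` debug block also refers to `ssl->hmac_tx`, and no such member appears in the struct _SSL hunk of this commit; `print_blob("record", hmac_header, SSL_RECORD_SIZE);` would match the new parameter. Both add_hmac_digest and its callers run past the visible hunks.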


@ -168,7 +168,8 @@ struct _SSL
void *decrypt_ctx;
uint8_t bm_all_data[RT_MAX_PLAIN_LENGTH+RT_EXTRA];
uint8_t *bm_data;
int bm_index;
uint16_t bm_index;
uint16_t bm_read_index;
struct _SSL *next; /* doubly linked list */
struct _SSL *prev;
SSL_CERT *certs;
@ -189,7 +190,7 @@ struct _SSL
uint8_t *master_secret;
uint8_t read_sequence[8]; /* 64 bit sequence number */
uint8_t write_sequence[8]; /* 64 bit sequence number */
uint8_t record_buf[SSL_RECORD_SIZE]; /* storage for hmac calls later */
uint8_t hmac_header[SSL_RECORD_SIZE]; /* rx hmac */
};
typedef struct _SSL SSL;
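Review bot: `bm_index` changes from `int` to `uint16_t` and `bm_read_index` is added with the same type, yet both are updated from `int` values (`ssl->bm_index = msg_length;` in send_packet, `ssl->bm_read_index += read_len;` in basic_read). An out-of-range value would therefore wrap modulo 65536 and point back inside `bm_all_data` instead of failing a bounds check. This is safe only if RT_MAX_PLAIN_LENGTH+RT_EXTRA fits in 16 bits and every length is validated before the add; neither is visible in this hunk. I would state the invariant on the fields, e.g. `uint16_t bm_read_index; /* rx offset into bm_data, always < RT_MAX_PLAIN_LENGTH+RT_EXTRA */`.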


@ -117,7 +117,7 @@ int do_client_connect(SSL *ssl)
int ret = SSL_OK;
send_client_hello(ssl); /* send the client hello */
ssl->bm_index = 0;
ssl->bm_read_index = 0;
ssl->next_state = HS_SERVER_HELLO;
ssl->hs_status = SSL_NOT_OK; /* not connected */


@ -102,7 +102,7 @@ int do_svr_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
static int process_client_hello(SSL *ssl)
{
uint8_t *buf = ssl->bm_data;
uint8_t *record_buf = ssl->record_buf;
uint8_t *record_buf = ssl->hmac_header;
int pkt_size = ssl->bm_index;
int i, j, cs_len, id_len, offset = 6 + SSL_RANDOM_SIZE;
int version = (record_buf[1] << 4) + record_buf[2];
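Review bot: `pkt_size` is still read from `ssl->bm_index`, but after this commit basic_read advances `bm_read_index`. The only write to `bm_index` visible on the new side is in send_packet, where it is the length of an outgoing message. If `pkt_size` bounds the parsing of the ClientHello (the body of process_client_hello is outside this hunk), it needs to hold the received handshake length. Please confirm where `bm_index` is set on the receive path and record that next to the declaration, e.g. `int pkt_size = ssl->bm_index; /* handshake length stored by <caller> */`.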

File diff suppressed because one or more lines are too long