diff --git a/Makefile b/Makefile index c2c2469f5..2f9d349bf 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ OBJ_FILES := \ ssl/tls1_clnt.o \ ssl/tls1_svr.o \ ssl/x509.o \ -# crypto/crypto_misc.o \ + crypto/crypto_misc.o \ CPPFLAGS += -I$(XTENSA_LIBS)/include \ @@ -63,7 +63,7 @@ $(BIN_DIR): mkdir -p $(BIN_DIR) clean: - rm -rf $(OBJ_FILES) $(LWIP_AR) + rm -rf $(OBJ_FILES) $(AXTLS_AR) .PHONY: all clean diff --git a/crypto/crypto_misc.c b/crypto/crypto_misc.c index 62eb6fe70..9a85ee82b 100644 --- a/crypto/crypto_misc.c +++ b/crypto/crypto_misc.c @@ -42,7 +42,11 @@ #include "wincrypt.h" #endif -#ifndef WIN32 +#ifdef ESP8266 +#define CONFIG_SSL_SKELETON_MODE 1 +#endif + +#if defined(CONFIG_USE_DEV_URANDOM) static int rng_fd = -1; #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB) static HCRYPTPROV gCryptProv; @@ -146,7 +150,7 @@ EXP_FUNC void STDCALL RNG_custom_init(const uint8_t *seed_buf, int size) */ EXP_FUNC void STDCALL RNG_terminate(void) { -#ifndef WIN32 +#if defined(CONFIG_USE_DEV_URANDOM) close(rng_fd); #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB) CryptReleaseContext(gCryptProv, 0); diff --git a/crypto/rsa.c b/crypto/rsa.c index 143e66add..9d52c062f 100644 --- a/crypto/rsa.c +++ b/crypto/rsa.c @@ -146,7 +146,7 @@ int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, const int byte_size = ctx->num_octets; int i, size; bigint *decrypted_bi, *dat_bi; - uint8_t *block = (uint8_t *)alloca(byte_size); + uint8_t *block = (uint8_t *)malloc(byte_size); memset(out_data, 0, byte_size); /* initialise */ @@ -182,7 +182,7 @@ int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, /* get only the bit we want */ if (size > 0) memcpy(out_data, &block[i], size); - + free(block); return size ? size : -1; } diff --git a/ssl/config.h b/ssl/config.h index 3404b5be5..1bb1de6df 100644 --- a/ssl/config.h +++ b/ssl/config.h 
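Review bot: No OS-backed random source is left selected for this build: the `rng_fd` guard becomes `#if defined(CONFIG_USE_DEV_URANDOM)` here and again in RNG_terminate, while ssl/config.h in the same commit sets that symbol to `#undef`. Whatever fallback RNG_initialize and get_random contain (outside this hunk) is then the only source for values such as the IV that send_packet draws with `get_random(iv_size, t_buf)`. Confirm that the fallback is seeded from an unpredictable source on ESP8266, and record the choice next to the guard, e.g. `/* ESP8266: no /dev/urandom; entropy comes from <SOURCE-TO-BE-NAMED> */`. Separately, `#define CONFIG_SSL_SKELETON_MODE 1` placed after the includes of one .c file only affects the rest of this translation unit; if the whole library is meant to build in skeleton mode, it belongs in ssl/config.h.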
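Review bot: `block` is used without a NULL check after the switch from `alloca` to `malloc`, and the same pattern repeats in gen_pub_key2, gen_signature and ssl_x509_create (ssl/gen_cert.c), add_hmac_digest and send_packet (ssl/tls1.c) and sig_verify (ssl/x509.c). The `ax_malloc` wrapper this commit deletes from ssl/os_port.c called `exit_now` on failure; `malloc` now expands to `ax_port_malloc(A, __FILE__, __LINE__)`, whose definition is not part of this diff, so it is unclear whether a failed allocation still stops execution. If it can return NULL, each site needs a guard, here `if (block == NULL) return -1;` as the first statement after the declarations. RSA_decrypt's body continues outside the hunk.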
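Review bot: `free(block)` hands the buffer back to the heap with its contents intact, and `block` appears to hold the full decrypted block, of which only `size` bytes are copied to `out_data` (the code that fills it is outside the hunk). On the heap that residue stays readable until the chunk is reused, so it should be cleared first with a wipe the compiler cannot drop, e.g. `volatile uint8_t *p = block; for (i = 0; i < byte_size; i++) p[i] = 0;` ahead of the `free`. The added line also replaces the blank line that separated the copy from the `return`; keeping one would preserve the original layout.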
@@ -48,7 +48,7 @@ #define CONFIG_X509_MAX_CA_CERTS 150 #define CONFIG_SSL_MAX_CERTS 3 #undef CONFIG_SSL_CTX_MUTEXING -//#define CONFIG_USE_DEV_URANDOM 1 +#undef CONFIG_USE_DEV_URANDOM #undef CONFIG_WIN32_USE_CRYPTO_LIB #undef CONFIG_OPENSSL_COMPATIBLE #undef CONFIG_PERFORMANCE_TESTING diff --git a/ssl/gen_cert.c b/ssl/gen_cert.c index c2fe381eb..ef223b27b 100644 --- a/ssl/gen_cert.c +++ b/ssl/gen_cert.c @@ -214,14 +214,14 @@ static void gen_utc_time(uint8_t *buf, int *offset) static void gen_pub_key2(const RSA_CTX *rsa_ctx, uint8_t *buf, int *offset) { - static const uint8_t pub_key_seq[] = + static const uint8_t pub_key_seq[] = { ASN1_INTEGER, 0x03, 0x01, 0x00, 0x01 /* INTEGER 65537 */ }; int seq_offset; int pub_key_size = rsa_ctx->num_octets; - uint8_t *block = (uint8_t *)alloca(pub_key_size); + uint8_t *block = (uint8_t *)malloc(pub_key_size); int seq_size = pre_adjust_with_size( ASN1_SEQUENCE, &seq_offset, buf, offset); buf[(*offset)++] = ASN1_INTEGER; @@ -236,6 +236,7 @@ static void gen_pub_key2(const RSA_CTX *rsa_ctx, uint8_t *buf, int *offset) set_gen_length(pub_key_size, buf, offset); memcpy(&buf[*offset], block, pub_key_size); + free(block); *offset += pub_key_size; memcpy(&buf[*offset], pub_key_seq, sizeof(pub_key_seq)); *offset += sizeof(pub_key_seq); @@ -282,8 +283,8 @@ static void gen_signature(const RSA_CTX *rsa_ctx, const uint8_t *sha_dgst, ASN1_NULL, 0x00, ASN1_OCTET_STRING, 0x14 }; - uint8_t *enc_block = (uint8_t *)alloca(rsa_ctx->num_octets); - uint8_t *block = (uint8_t *)alloca(sizeof(asn1_sig) + SHA1_SIZE); + uint8_t *enc_block = (uint8_t *)malloc(rsa_ctx->num_octets); + uint8_t *block = (uint8_t *)malloc(sizeof(asn1_sig) + SHA1_SIZE); int sig_size; /* add the digest as an embedded asn.1 sequence */ 
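Review bot: The second allocation in gen_signature, `malloc(sizeof(asn1_sig) + SHA1_SIZE)`, has a size fixed at compile time (assuming `asn1_sig` is the array whose initialiser ends just above), so it does not need the heap. `uint8_t block[sizeof(asn1_sig) + SHA1_SIZE];` keeps it as a plain stack array, removes one allocation that can fail on a small-heap target, and makes the matching `free(block)` in the following hunk unnecessary. `enc_block` depends on `rsa_ctx->num_octets` and reasonably stays dynamic. gen_signature starts before and ends after this hunk.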
@@ -297,6 +298,8 @@ static void gen_signature(const RSA_CTX *rsa_ctx, const uint8_t *sha_dgst, set_gen_length(sig_size+1, buf, offset); buf[(*offset)++] = 0; /* bit string is multiple of 8 */ memcpy(&buf[*offset], enc_block, sig_size); + free(enc_block); + free(block); *offset += sig_size; } @@ -342,7 +345,7 @@ EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const c { int ret = X509_OK, offset = 0, seq_offset; /* allocate enough space to load a new certificate */ - uint8_t *buf = (uint8_t *)alloca(ssl_ctx->rsa_ctx->num_octets*2 + 512); + uint8_t *buf = (uint8_t *)malloc(ssl_ctx->rsa_ctx->num_octets*2 + 512); uint8_t sha_dgst[SHA1_SIZE]; int seq_size = pre_adjust_with_size(ASN1_SEQUENCE, &seq_offset, buf, &offset); @@ -357,6 +360,7 @@ EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const c memcpy(*cert_data, buf, offset); error: + free(buf); return ret < 0 ? ret : offset; } diff --git a/ssl/os_port.c b/ssl/os_port.c index 6a71000b4..b8a2b19a8 100644 --- a/ssl/os_port.c +++ b/ssl/os_port.c 
@@ -1,18 +1,18 @@ /* * Copyright (c) 2007, Cameron Rich - * + * * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without + * + * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - * * Redistributions of source code must retain the above copyright notice, + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * * Neither the name of the axTLS project nor the names of its contributors - * may be used to endorse or promote products derived from this software + * * Neither the name of the axTLS project nor the names of its contributors + * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS @@ -37,17 +37,18 @@ #include #include #include +#include #include "os_port.h" #ifdef WIN32 /** - * gettimeofday() not in Win32 + * gettimeofday() not in Win32 */ EXP_FUNC void STDCALL gettimeofday(struct timeval* t, void* timezone) -{ +{ #if defined(_WIN32_WCE) t->tv_sec = time(NULL); - t->tv_usec = 0; /* 1sec precision only */ + t->tv_usec = 0; /* 1sec precision only */ #else struct _timeb timebuffer; _ftime(&timebuffer); @@ -86,7 +87,7 @@ EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size) RegQueryValueEx(hKey, "Domain", NULL, &datatype, buf, &bufferlength); RegCloseKey(hKey); - return 0; + return 0; } #endif 
@@ -96,63 +97,3 @@ EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size) static const char * out_of_mem_str = "out of memory"; static const char * file_open_str = "Could not open file \"%s\""; - -/* - * Some functions that call display some error trace and then call abort(). - * This just makes life much easier on embedded systems, since we're - * suffering major trauma... - */ -EXP_FUNC void * STDCALL ax_malloc(size_t s) -{ - void *x; - - if ((x = malloc(s)) == NULL) - exit_now(out_of_mem_str); - - return x; -} - -EXP_FUNC void * STDCALL ax_realloc(void *y, size_t s) -{ - void *x; - - if ((x = realloc(y, s)) == NULL) - exit_now(out_of_mem_str); - - return x; -} - -EXP_FUNC void * STDCALL ax_calloc(size_t n, size_t s) -{ - void *x; - - if ((x = calloc(n, s)) == NULL) - exit_now(out_of_mem_str); - - return x; -} - -EXP_FUNC int STDCALL ax_open(const char *pathname, int flags) -{ - int x; - - if ((x = open(pathname, flags)) < 0) - exit_now(file_open_str, pathname); - - return x; -} - -/** - * This is a call which will deliberately exit an application, but will - * display some information before dying. - */ -void exit_now(const char *format, ...) -{ - va_list argp; - - va_start(argp, format); - vfprintf(stderr, format, argp); - va_end(argp); - abort(); -} - diff --git a/ssl/os_port.h b/ssl/os_port.h index f2195eed7..73a0e917b 100644 --- a/ssl/os_port.h +++ b/ssl/os_port.h 
@@ -1,18 +1,18 @@ /* * Copyright (c) 2007, Cameron Rich - * + * * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without + * + * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions are met: * - * * Redistributions of source code must retain the above copyright notice, + * * Redistributions of source code must retain the above copyright notice, * this list of conditions and the following disclaimer. - * * Redistributions in binary form must reproduce the above copyright notice, - * this list of conditions and the following disclaimer in the documentation + * * Redistributions in binary form must reproduce the above copyright notice, + * this list of conditions and the following disclaimer in the documentation * and/or other materials provided with the distribution. - * * Neither the name of the axTLS project nor the names of its contributors - * may be used to endorse or promote products derived from this software + * * Neither the name of the axTLS project nor the names of its contributors + * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS @@ -44,9 +44,6 @@ extern "C" { #include "os_int.h" #include - - - #ifdef WIN32 #define STDCALL __stdcall #define EXP_FUNC __declspec(dllexport) @@ -63,7 +60,8 @@ extern "C" { #if defined(ESP8266) #include "util/time.h" -#define alloca(size) __builtin_alloca(size) +#include +// #define alloca(size) __builtin_alloca(size) #define TTY_FLUSH() #ifdef putc #undef putc 
@@ -74,6 +72,15 @@ extern "C" { #endif #define printf(...) ets_printf(__VA_ARGS__) +#define SOCKET_READ(A,B,C) ax_port_read(A,B,C) +#define SOCKET_WRITE(A,B,C) ax_port_write(A,B,C) +#define SOCKET_CLOSE(A) ax_port_close(A) +#define get_file ax_get_file +#define EWOULDBLOCK EAGAIN + +#define hmac_sha1 ax_hmac_sha1 +#define hmac_md5 ax_hmac_md5 + #elif defined(WIN32) /* Windows CE stuff */ @@ -122,7 +129,7 @@ extern "C" { /* This fix gets around a problem where a win32 application on a cygwin xterm doesn't display regular output (until a certain buffer limit) - but it works - fine under a normal DOS window. This is a hack to get around the issue - + fine under a normal DOS window. This is a hack to get around the issue - see http://www.khngai.com/emacs/tty.php */ #define TTY_FLUSH() if (!_isatty(_fileno(stdout))) fflush(stdout); 
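Review bot: `#define EWOULDBLOCK EAGAIN` is unconditional, so a toolchain header that already defines EWOULDBLOCK with a different replacement list will cause a macro-redefinition diagnostic; wrap it as `#ifndef EWOULDBLOCK` / `#define EWOULDBLOCK EAGAIN` / `#endif`. The `get_file`, `hmac_sha1` and `hmac_md5` renames would benefit from a one-line comment stating their purpose, e.g. `/* ax_ prefix avoids clashing with identically named symbols elsewhere in the firmware */`, if that is the intent. These lines sit inside the `#if defined(ESP8266)` branch that opens above the hunk.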
@@ -161,16 +168,27 @@ EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size); #endif /* Not Win32 */ /* some functions to mutate the way these work */ -#define malloc(A) ax_malloc(A) +#define malloc(A) ax_port_malloc(A, __FILE__, __LINE__) #ifndef realloc -#define realloc(A,B) ax_realloc(A,B) +#define realloc(A,B) ax_port_realloc(A,B, __FILE__, __LINE__) #endif -#define calloc(A,B) ax_calloc(A,B) +#define calloc(A,B) ax_port_calloc(A,B, __FILE__, __LINE__) +#define free(x) ax_port_free(x) -EXP_FUNC void * STDCALL ax_malloc(size_t s); -EXP_FUNC void * STDCALL ax_realloc(void *y, size_t s); -EXP_FUNC void * STDCALL ax_calloc(size_t n, size_t s); -EXP_FUNC int STDCALL ax_open(const char *pathname, int flags); +EXP_FUNC void * STDCALL ax_port_malloc(size_t s, const char*, int); +EXP_FUNC void * STDCALL ax_port_realloc(void *y, size_t s, const char*, int); +EXP_FUNC void * STDCALL ax_port_calloc(size_t n, size_t s, const char*, int); +EXP_FUNC void * STDCALL ax_port_free(void*); +EXP_FUNC int STDCALL ax_open(const char *pathname, int flags); + +inline uint32_t htonl(uint32_t n){ + return ((n & 0xff) << 24) | + ((n & 0xff00) << 8) | + ((n & 0xff0000UL) >> 8) | + ((n & 0xff000000UL) >> 24); +} + +#define ntohl htonl #ifdef CONFIG_PLATFORM_LINUX void exit_now(const char *format, ...) __attribute((noreturn)); @@ -186,7 +204,7 @@ void exit_now(const char *format, ...); #define SSL_CTX_MUTEX_DESTROY(A) CloseHandle(A) #define SSL_CTX_LOCK(A) WaitForSingleObject(A, INFINITE) #define SSL_CTX_UNLOCK(A) ReleaseMutex(A) -#else +#else #include #define SSL_CTX_MUTEX_TYPE pthread_mutex_t #define SSL_CTX_MUTEX_INIT(A) pthread_mutex_init(&A, NULL) @@ -205,4 +223,4 @@ void exit_now(const char *format, ...); } #endif -#endif +#endif diff --git a/ssl/tls1.c b/ssl/tls1.c index 2aaeb5b75..a5b9f014f 100644 --- a/ssl/tls1.c +++ b/ssl/tls1.c 
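Review bot: `inline uint32_t htonl(uint32_t n)` is defined in the header without `static` and, as far as the hunk shows, after `#endif /* Not Win32 */` rather than inside the ESP8266 branch. Under C99/C11 inline rules a plain `inline` definition emits no external symbol, so any call the compiler declines to inline fails at link time. On hosts that already provide htonl it collides with the system declaration, and on a big-endian host the unconditional byte swap is wrong. Make it `static inline uint32_t htonl(uint32_t n)` and put it, together with `#define ntohl htonl`, under `#if defined(ESP8266)`. Also in this hunk, `ax_port_free` is declared as returning `void *` although it stands in for `free`, and `ax_open` stays declared while the commit removes its definition from ssl/os_port.c.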
@@ -647,7 +647,7 @@ static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header, const uint8_t *buf, int buf_len, uint8_t *hmac_buf) { int hmac_len = buf_len + 8 + SSL_RECORD_SIZE; - uint8_t *t_buf = (uint8_t *)alloca(hmac_len+10); + uint8_t *t_buf = (uint8_t *)malloc(hmac_len+10); memcpy(t_buf, (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE) ? ssl->write_sequence : ssl->read_sequence, 8); @@ -659,6 +659,7 @@ static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header, ssl->server_mac : ssl->client_mac, ssl->cipher_info->digest_size, hmac_buf); + free(t_buf); #if 0 print_blob("record", hmac_header, SSL_RECORD_SIZE); print_blob("buf", buf, buf_len); @@ -943,7 +944,6 @@ static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt) return NULL; /* its all gone wrong */ } -#ifndef ESP8266 /** * Send a packet over the socket. */ @@ -980,7 +980,7 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol) #endif return SSL_ERROR_CONN_LOST; } - +#ifndef ESP8266 /* keep going until the write buffer has some space */ if (sent != pkt_size) { @@ -992,6 +992,7 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol) if (select(ssl->client_fd + 1, NULL, &wfds, NULL, NULL) < 0) return SSL_ERROR_CONN_LOST; } +#endif } SET_SSL_FLAG(SSL_NEED_RECORD); /* reset for next time */ @@ -1005,7 +1006,6 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol) return ret; } -#endif /** * Send an encrypted packet with padding bytes if necessary. @@ -1075,11 +1075,12 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length) ssl->cipher_info->iv_size) { uint8_t iv_size = ssl->cipher_info->iv_size; - uint8_t *t_buf = alloca(msg_length + iv_size); + uint8_t *t_buf = malloc(msg_length + iv_size); memcpy(t_buf + iv_size, ssl->bm_data, msg_length); get_random(iv_size, t_buf); msg_length += iv_size; memcpy(ssl->bm_data, t_buf, msg_length); + free(t_buf); } /* now encrypt the packet */ 
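Review bot: Compiling out the `select()` wait with `#ifndef ESP8266` leaves the ESP8266 build with nothing between a short or would-block write and the next attempt in send_raw_packet. Assuming the enclosing loop (its header is outside the hunk) repeats until `sent` reaches `pkt_size`, a peer that stops draining its receive window makes the function spin without yielding, which on a single-threaded target is a stall a remote party can cause. Consider returning a retryable status to the caller when `sent != pkt_size`, or bounding the retries and letting the network stack run between attempts. At minimum, add a comment at the `#ifndef` stating what ax_port_write is expected to do on a partial write.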
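Review bot: The temporary in send_packet's IV branch can be dropped rather than moved to the heap, because the code already writes `msg_length + iv_size` bytes back into `ssl->bm_data`, so that buffer has room for an in-place shift. `memmove(ssl->bm_data + iv_size, ssl->bm_data, msg_length); get_random(iv_size, ssl->bm_data); msg_length += iv_size;` produces the same layout without a per-record allocation that can fail, and without leaving a copy of the not-yet-encrypted record in freed heap memory. send_packet starts and ends outside the hunk.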
@@ -1192,7 +1193,6 @@ static int set_key_block(SSL *ssl, int is_write) return 0; } -#ifndef ESP8266 /** * Read the SSL connection. */ @@ -1388,7 +1388,6 @@ error: return ret; } -#endif /** * Do some basic checking of data and then perform the appropriate handshaking. diff --git a/ssl/tls1.h b/ssl/tls1.h index 414a17343..4dcb9b503 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -75,7 +75,7 @@ extern "C" { #define IS_SET_SSL_FLAG(A) (ssl->flag & A) #define MAX_KEY_BYTE_SIZE 512 /* for a 4096 bit key */ -#define RT_MAX_PLAIN_LENGTH 16384 +#define RT_MAX_PLAIN_LENGTH 4096 #define RT_EXTRA 1024 #define BM_RECORD_OFFSET 5 diff --git a/ssl/x509.c b/ssl/x509.c index cb007fbbc..0b092111f 100644 --- a/ssl/x509.c +++ b/ssl/x509.c @@ -270,7 +270,7 @@ static bigint *sig_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, int i, size; bigint *decrypted_bi, *dat_bi; bigint *bir = NULL; - uint8_t *block = (uint8_t *)alloca(sig_len); + uint8_t *block = (uint8_t *)malloc(sig_len); /* decrypt */ dat_bi = bi_import(ctx, sig, sig_len); @@ -297,7 +297,7 @@ static bigint *sig_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, bir = bi_import(ctx, sig_ptr, len); } } - + free(block); /* save a few bytes of memory */ bi_clear_cache(ctx); return bir;
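Review bot: Lowering `RT_MAX_PLAIN_LENGTH` from 16384 to 4096 in ssl/tls1.h puts the receive limit below the 2^14-byte plaintext record size a TLS peer is allowed to send. The change is therefore only safe if the read path rejects any record whose declared length exceeds the smaller buffer before copying into it. That check is not part of this diff; confirm that it is written in terms of `RT_MAX_PLAIN_LENGTH` rather than a literal, and re-check every buffer sized from the old value. A comment on the define, e.g. `/* reduced from the TLS maximum of 16384 to fit ESP8266 RAM */`, would make the interoperability trade-off explicit.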