From 6843c20d38e43f0f944dd16de56c32d2d2aba4cd Mon Sep 17 00:00:00 2001 From: cameronrich Date: Wed, 21 Feb 2007 13:22:36 +0000 Subject: [PATCH] Added openssl compatibility functions git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@64 9a5d90b5-6617-0410-8a86-bb477d3ed2e3 --- CHANGELOG | 3 + Makefile | 15 +-- bindings/generate_interface.pl | 4 + config/linuxconfig | 2 +- config/win32config | 2 +- httpd/axhttp.h | 3 +- httpd/axhttpd.c | 17 +++- httpd/proc.c | 15 +-- ssl/Config.in | 10 ++ ssl/Makefile | 1 + ssl/crypto_misc.c | 10 +- ssl/loader.c | 25 ++--- ssl/openssl.c | 180 +++++++++++++++++++++++++++++++++ ssl/os_port.c | 8 +- ssl/os_port.h | 2 +- ssl/ssl.h | 13 +-- ssl/tls1.c | 21 ++-- ssl/tls1.h | 3 + ssl/tls1_svr.c | 1 - 19 files changed, 278 insertions(+), 57 deletions(-) create mode 100644 ssl/openssl.c diff --git a/CHANGELOG b/CHANGELOG index fed344cdb..80ba19027 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -8,6 +8,8 @@ Changes since 1.0.0 * SSLCTX changed to SSL_CTX (to be consistent with openssl). * malloc()/open() etc call abort() on failure. * Fixed a memory leak in directory listings. +* Added openssl() compatibility functions. +* Fixed cygwin 'make install' issue. axhttpd Changes * main.c now becomes axhttpd.c. @@ -18,4 +20,5 @@ axhttpd Changes * Directory access protection implemented (via .htaccess). * Can now have more than one CGI file extension in mconf. * "If-Modified-Since" request now handled properly. +* Performance tweaks to remove ssl_find() diff --git a/Makefile b/Makefile index e78798ba0..568770c1e 100644 --- a/Makefile +++ b/Makefile 
@@ -73,18 +73,21 @@ win32_demo: install: $(PREFIX) all cp --no-dereference $(STAGE)/libax* $(PREFIX)/lib chmod 755 $(PREFIX)/lib/libax* - -install -m 755 $(STAGE)/ax* $(PREFIX)/bin -ifdef CONFIG_AXHTTPD - -install -m 755 $(STAGE)/htpasswd $(PREFIX)/bin + install -m 755 $(STAGE)/ax* $(PREFIX)/bin +ifdef CONFIG_HTTP_HAS_AUTHORIZATION + install -m 755 $(STAGE)/htpasswd $(PREFIX)/bin +endif +ifdef CONFIG_PLATFORM_CYGWIN + install -m 755 $(STAGE)/cygaxtls.dll $(PREFIX)/bin endif ifdef CONFIG_PERL_BINDINGS - -install -m 755 $(STAGE)/axtlsp.pm `perl -e 'use Config; print $$Config{installarchlib};'` + install -m 755 $(STAGE)/axtlsp.pm `perl -e 'use Config; print $$Config{installarchlib};'` endif @mkdir -p -m 755 $(PREFIX)/include/axTLS - -install -m 644 ssl/*.h $(PREFIX)/include/axTLS + install -m 644 ssl/*.h $(PREFIX)/include/axTLS -rm $(PREFIX)/include/axTLS/cert.h -rm $(PREFIX)/include/axTLS/private_key.h - -install -m 644 config/config.h $(PREFIX)/include/axTLS + install -m 644 config/config.h $(PREFIX)/include/axTLS installclean: -@rm $(PREFIX)/lib/libax* > /dev/null 2>&1 diff --git a/bindings/generate_interface.pl b/bindings/generate_interface.pl index 8110d80d0..816dd4775 100755 --- a/bindings/generate_interface.pl +++ b/bindings/generate_interface.pl @@ -56,8 +56,10 @@ sub transformSignature $line =~ s/uint8_t \* ?/byte[] /g; $line =~ s/uint8_t ?/byte /g; $line =~ s/const char \* ?/string /g; + $line =~ s/const SSL_CTX \* ?/IntPtr /g; $line =~ s/SSL_CTX \* ?/IntPtr /g; $line =~ s/SSLObjLoader \* ?/IntPtr /g; + $line =~ s/const SSL \* ?/IntPtr /g; $line =~ s/SSL \* ?/IntPtr /g; $line =~ s/\(void\)/()/g; } 
@@ -89,8 +91,10 @@ sub transformSignature $line =~ s/const uint8_t \* ?(\w+)/ByVal $1() As Byte/g; $line =~ s/uint8_t \* ?(\w+)/ByVal $1() As Byte/g; $line =~ s/const char \* ?(\w+)/ByVal $1 As String/g; + $line =~ s/const SSL_CTX \* ?(\w+)/ByVal $1 As IntPtr/g; $line =~ s/SSL_CTX \* ?(\w+)/ByVal $1 As IntPtr/g; $line =~ s/SSLObjLoader \* ?(\w+)/ByVal $1 As IntPtr/g; + $line =~ s/const SSL \* ?(\w+)/ByVal $1 As IntPtr/g; $line =~ s/SSL \* ?(\w+)/ByVal $1 As IntPtr/g; $line =~ s/void \* ?(\w+)/Byval $1 As IntPtr/g; $line =~ s/\(void\)/()/g; diff --git a/config/linuxconfig b/config/linuxconfig index 988e05dd6..8d021f7f1 100644 --- a/config/linuxconfig +++ b/config/linuxconfig @@ -39,7 +39,7 @@ CONFIG_SSL_USE_PKCS12=y CONFIG_SSL_EXPIRY_TIME=24 CONFIG_X509_MAX_CA_CERTS=4 CONFIG_SSL_MAX_CERTS=2 -# CONFIG_SSLCTX_MUTEXING is not set +# CONFIG_SSL_CTX_MUTEXING is not set CONFIG_USE_DEV_URANDOM=y # CONFIG_WIN32_USE_CRYPTO_LIB is not set # CONFIG_PERFORMANCE_TESTING is not set diff --git a/config/win32config b/config/win32config index 6687e9070..9155617c0 100644 --- a/config/win32config +++ b/config/win32config @@ -43,7 +43,7 @@ CONFIG_SSL_USE_PKCS12=y CONFIG_SSL_EXPIRY_TIME=24 CONFIG_X509_MAX_CA_CERTS=4 CONFIG_SSL_MAX_CERTS=2 -# CONFIG_SSLCTX_MUTEXING is not set +# CONFIG_SSL_CTX_MUTEXING is not set # CONFIG_USE_DEV_URANDOM is not set CONFIG_WIN32_USE_CRYPTO_LIB=y # CONFIG_PERFORMANCE_TESTING is not set diff --git a/httpd/axhttp.h b/httpd/axhttp.h index 4804d5654..d1d8bd76a 100644 --- a/httpd/axhttp.h +++ b/httpd/axhttp.h @@ -30,7 +30,7 @@ #define BLOCKSIZE 4096 #define INITIAL_CONNECTION_SLOTS 10 -#define CONFIG_HTTP_DEFAULT_SSL_OPTIONS 0 +#define CONFIG_HTTP_DEFAULT_SSL_OPTIONS 0 #define STATE_WANT_TO_READ_HEAD 1 #define STATE_WANT_TO_SEND_HEAD 2 @@ -52,6 +52,7 @@ struct connstruct int reqtype; int networkdesc; int filedesc; + SSL *ssl; #if defined(CONFIG_HTTP_DIRECTORIES) #ifdef WIN32 diff --git a/httpd/axhttpd.c b/httpd/axhttpd.c index 3f6eaba9f..0f4514482 100644 
--- a/httpd/axhttpd.c +++ b/httpd/axhttpd.c @@ -48,6 +48,7 @@ static void reaper(int sigtype) #endif #endif +#ifdef CONFIG_HTTP_VERBOSE /* should really be in debug mode or something */ /* clean up memory for valgrind */ static void sigint_cleanup(int sig) { @@ -96,6 +97,7 @@ static void die(int sigtype) { exit(0); } +#endif int main(int argc, char *argv[]) { @@ -112,15 +114,19 @@ int main(int argc, char *argv[]) WSADATA wsaData; WSAStartup(wVersionRequested,&wsaData); #else - signal(SIGQUIT, die); signal(SIGPIPE, SIG_IGN); #if defined(CONFIG_HTTP_HAS_CGI) signal(SIGCHLD, reaper); #endif +#ifdef CONFIG_HTTP_VERBOSE + signal(SIGQUIT, die); +#endif #endif - signal(SIGINT, sigint_cleanup); +#ifdef CONFIG_HTTP_VERBOSE signal(SIGTERM, die); + signal(SIGINT, sigint_cleanup); +#endif mime_init(); tdate_init(); @@ -576,7 +582,7 @@ static void addconnection(int sd, char *ip, int is_ssl) tp->networkdesc = sd; if (is_ssl) - ssl_server_new(servers->ssl_ctx, sd); + tp->ssl = ssl_server_new(servers->ssl_ctx, sd); tp->is_ssl = is_ssl; tp->filedesc = -1; @@ -632,7 +638,10 @@ void removeconnection(struct connstruct *cn) if (cn->networkdesc != -1) { if (cn->is_ssl) - ssl_free(ssl_find(servers->ssl_ctx, cn->networkdesc)); + { + ssl_free(cn->ssl); + cn->ssl = NULL; + } SOCKET_CLOSE(cn->networkdesc); } diff --git a/httpd/proc.c b/httpd/proc.c index 753304f76..ae2663e7e 100644 --- a/httpd/proc.c +++ b/httpd/proc.c @@ -375,6 +375,7 @@ void procsendhead(struct connstruct *cn) { char tbuf[MAXREQUESTLENGTH]; sprintf(tbuf, "%s%s", cn->actualfile, index_file); + if (stat(tbuf, &stbuf) != -1) strcat(cn->actualfile, index_file); else @@ -429,9 +430,9 @@ void procsendhead(struct connstruct *cn) #if defined(WIN32) || defined(CONFIG_PLATFORM_CYGWIN) flags |= O_BINARY; #endif + cn->filedesc = open(cn->actualfile, flags); - cn->filedesc = ax_open(cn->actualfile, flags); - if (cn->filedesc == -1) + if (cn->filedesc < 0) { send_error(cn, 404); return; 
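Review bot: In addconnection the new `tp->ssl` field is assigned only inside `if (is_ssl)`, so on the plain-HTTP path it keeps whatever the allocator of connstruct left there unless that allocation is zeroed somewhere outside this hunk; `tp->ssl = is_ssl ? ssl_server_new(servers->ssl_ctx, sd) : NULL;` makes the pointer well-defined on both paths and lets the `ssl_free(cn->ssl)` in the removeconnection hunk rely on the value itself rather than on `cn->is_ssl`. The return value of ssl_server_new is also stored unchecked; that is fine only if ssl_new really aborts on allocation failure as the CHANGELOG entry suggests. addconnection begins before this hunk and its return is outside it.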
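Review bot: At the new `cn->filedesc < 0` check every open() failure is reported as 404, so a file the client is not permitted to read is described as missing and descriptor exhaustion (EMFILE/ENFILE) is hidden behind a client-side status; branch on errno, e.g. `send_error(cn, errno == EACCES ? 403 : 404);` if send_error knows 403, and report exhaustion as a server error so operators can see it. Replacing ax_open is the right direction, since a request for a missing file previously aborted the whole server. procsendhead begins and ends outside this hunk.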
@@ -472,7 +473,7 @@ void procreadfile(struct connstruct *cn) { int rv = read(cn->filedesc, cn->databuf, BLOCKSIZE); - if (rv == 0 || rv == -1) + if (rv <= 0) { close(cn->filedesc); cn->filedesc = -1; @@ -516,7 +517,7 @@ static int special_write(struct connstruct *cn, { if (cn->is_ssl) { - SSL *ssl = ssl_find(servers->ssl_ctx, cn->networkdesc); + SSL *ssl = cn->ssl; return ssl ? ssl_write(ssl, (uint8_t *)buf, count) : -1; } else @@ -530,10 +531,10 @@ static int special_read(struct connstruct *cn, void *buf, size_t count) if (cn->is_ssl) { uint8_t *read_buf; - SSL *ssl = ssl_find(servers->ssl_ctx, cn->networkdesc); - - if ((res = ssl_read(ssl, &read_buf)) > SSL_OK) + if ((res = ssl_read(cn->ssl, &read_buf)) > SSL_OK) + { memcpy(buf, read_buf, res > (int)count ? count : res); + } } else res = SOCKET_READ(cn->networkdesc, buf, count); diff --git a/ssl/Config.in b/ssl/Config.in index f79d71be8..189aa0a11 100644 --- a/ssl/Config.in +++ b/ssl/Config.in @@ -244,6 +244,16 @@ config CONFIG_WIN32_USE_CRYPTO_LIB This will be the default on most Win32 systems. If using Visual Studio 6.0, then the SDK containing the crypto libraries must be used. +config CONFIG_OPENSSL_COMPATIBLE + bool "Enable openssl API compatibility" + default n + help + To ease the porting of openssl applications, a subset of the openssl + API is wrapped around the axTLS API. + + Note: not all the API is implemented, so parts may still break. And + it's definitely not 100% compatible. + config CONFIG_PERFORMANCE_TESTING bool "Build the bigint performance test tool" default n diff --git a/ssl/Makefile b/ssl/Makefile index 873d19f7f..139011d3d 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -57,6 +57,7 @@ OBJ=\ os_port.o \ loader.o \ md5.o \ + openssl.o \ p12.o \ rsa.o \ rc4.o \ diff --git a/ssl/crypto_misc.c b/ssl/crypto_misc.c index 4f4ffa698..8bbbfbcb5 100644 --- a/ssl/crypto_misc.c +++ b/ssl/crypto_misc.c 
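Review bot: The rewritten special_read passes `cn->ssl` straight into ssl_read, while special_write in the hunk above still guards a NULL object with `ssl ? ... : -1`; the two should agree, and `if (cn->ssl == NULL) return -1;` before the read keeps the function from dereferencing a connection whose SSL object was never created or has already been released. The copy is clamped to `count`, but if `res` is what the function returns after the hunk the caller is told the full record length and may read past what was actually written into `buf`; clamping `res` to `count` at the memcpy closes that gap. special_read's return is outside the hunk.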
@@ -52,7 +52,15 @@ int get_file(const char *filename, uint8_t **buf) int total_bytes = 0; int bytes_read = 0; int filesize; - FILE *stream = ax_fopen(filename, "rb"); + FILE *stream = fopen(filename, "rb"); + + if (stream == NULL) + { +#ifdef CONFIG_SSL_FULL_MODE + printf("file '%s' does not exist\n", filename); TTY_FLUSH(); +#endif + return -1; + } /* Win CE doesn't support stat() */ fseek(stream, 0, SEEK_END); diff --git a/ssl/loader.c b/ssl/loader.c index b33299897..4c8c738c2 100644 --- a/ssl/loader.c +++ b/ssl/loader.c @@ -35,8 +35,8 @@ static int do_obj(SSL_CTX *ssl_ctx, int obj_type, SSLObjLoader *ssl_obj, const char *password); #ifdef CONFIG_SSL_HAS_PEM -static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type, - SSLObjLoader *ssl_obj, const char *password); +static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, + const char *password); #endif /* @@ -70,7 +70,7 @@ EXP_FUNC int STDCALL ssl_obj_load(SSL_CTX *ssl_ctx, int obj_type, if (strncmp(ssl_obj->buf, begin, strlen(begin)) == 0) { #ifdef CONFIG_SSL_HAS_PEM - ret = ssl_obj_PEM_load(ssl_ctx, obj_type, ssl_obj, password); + ret = ssl_obj_PEM_load(ssl_ctx, ssl_obj, password); #else printf(unsupported_str); ret = SSL_ERROR_NOT_SUPPORTED; @@ -279,8 +279,8 @@ error: /** * Take a base64 blob of data and turn it into its proper ASN.1 form. */ -static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, uint8_t *where, - int remain, const char *password) +static int new_pem_obj(SSL_CTX *ssl_ctx, uint8_t *where, + int remain, const char *password) { int ret = SSL_OK; SSLObjLoader *ssl_obj = NULL; @@ -324,9 +324,11 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, uint8_t *where, break; case IS_CERTIFICATE: - obj_type = is_cacert ? - SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT; + obj_type = SSL_OBJ_X509_CERT; break; + + default: + goto error; } /* In a format we can now understand - so process it */ 
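Review bot: The diagnostic at the new NULL check says the file does not exist, but fopen also fails for permission, path-length and descriptor-limit errors, so it will misreport those; `printf("file '%s' could not be opened: %s\n", filename, strerror(errno));` names the actual cause (read errno before any other call). Because ax_fopen previously aborted on failure, every caller of get_file now has to handle the -1 return; those callers are outside this hunk and worth checking, since one that ignores it would go on to use an unset `*buf`. get_file continues past the hunk.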
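Review bot: With `is_cacert` dropped, the `IS_CERTIFICATE` case now assigns `SSL_OBJ_X509_CERT` unconditionally, so a PEM file passed to ssl_obj_load with `SSL_OBJ_X509_CACERT` appears to end up in the server certificate chain instead of the CA store, unless a case above the visible one handles CA certificates. A CA certificate and an end-entity certificate share the same BEGIN CERTIFICATE marker, so nothing in the PEM text can tell them apart, which is at odds with the ssl.h comment in this commit saying the object type is detected. Keeping the requested type threaded through, `obj_type = is_cacert ? SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT;`, or documenting that PEM CA certificates must be loaded another way, would close that gap; the same simplification appears in the new_pem_obj and ssl_obj_PEM_load signature hunks. new_pem_obj begins and ends outside this hunk.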
@@ -350,7 +352,7 @@ static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, uint8_t *where, /* more PEM stuff to process? */ if (remain) - ret = new_pem_obj(ssl_ctx, is_cacert, end, remain, password); + ret = new_pem_obj(ssl_ctx, end, remain, password); error: ssl_obj_free(ssl_obj); @@ -360,8 +362,8 @@ error: /* * Load a file into memory that is in ASCII PEM format. */ -static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type, - SSLObjLoader *ssl_obj, const char *password) +static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, + const char *password) { uint8_t *start; @@ -370,7 +372,6 @@ static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type, ssl_obj->buf = (uint8_t *)realloc(ssl_obj->buf, ssl_obj->len); ssl_obj->buf[ssl_obj->len-1] = 0; start = ssl_obj->buf; - return new_pem_obj(ssl_ctx, obj_type == SSL_OBJ_X509_CACERT, - start, ssl_obj->len, password); + return new_pem_obj(ssl_ctx, start, ssl_obj->len, password); } #endif /* CONFIG_SSL_HAS_PEM */ diff --git a/ssl/openssl.c b/ssl/openssl.c new file mode 100644 index 000000000..61e5b0f21 --- /dev/null +++ b/ssl/openssl.c 
@@ -0,0 +1,180 @@
+/*
+ * Copyright(C) 2007 Cameron Rich
+ *
+ * This library is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as published by
+ * the Free Software Foundation; either version 2.1 of the License, or
+ * (at your option) any later version.
+ *
+ * This library is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Lesser License
+ * along with this library; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+ */
+
+/*
+ * Enable some openssl compatible functions. We don't aim to be 100%
+ * compatible - just to be able to do basic ports etc.
+ */
+
+#include "config.h"
+
+#ifdef CONFIG_OPENSSL_COMPATIBLE
+#include
+#include
+#include "ssl.h"
+
+#define OPENSSL_CTX_ATTR ((OPENSSL_CTX *)ssl_ctx->bonus_attr)
+void *SSLv23_server_method(void) { return NULL; }
+void *SSLv3_server_method(void) { return NULL; }
+void *TLSv1_server_method(void) { return NULL; }
+void *SSLv23_client_method(void) { return NULL; }
+void *SSLv3_client_method(void) { return NULL; }
+void *TLSv1_client_method(void) { return NULL; }
+
+typedef void * (*ssl_func_type_t)(void);
+
+typedef struct
+{
+ ssl_func_type_t ssl_func_type;
+} OPENSSL_CTX;
+
+SSL_CTX * SSL_CTX_new(ssl_func_type_t meth)
+{
+ SSL_CTX *ssl_ctx = ssl_ctx_new(0, 5);
+ ssl_ctx->bonus_attr = malloc(sizeof(OPENSSL_CTX));
+ OPENSSL_CTX_ATTR->ssl_func_type = meth;
+ return ssl_ctx;
+}
+
+void SSL_CTX_free(SSL_CTX * ssl_ctx)
+{
+ free(ssl_ctx->bonus_attr);
+ ssl_ctx_free(ssl_ctx);
+}
+
+SSL * SSL_new(SSL_CTX *ssl_ctx)
+{
+ SSL *ssl;
+ ssl_func_type_t ssl_func_type;
+
+ ssl = ssl_new(ssl_ctx, -1); /* fd is set later */
+ ssl_func_type = 
OPENSSL_CTX_ATTR->ssl_func_type;
+
+#ifdef CONFIG_SSL_ENABLE_CLIENT
+ if (ssl_func_type == SSLv23_client_method ||
+ ssl_func_type == SSLv3_client_method ||
+ ssl_func_type == TLSv1_client_method)
+ {
+ SET_SSL_FLAG(SSL_IS_CLIENT);
+ }
+ else
+#endif
+ {
+ ssl->next_state = HS_CLIENT_HELLO;
+ }
+
+ return ssl;
+}
+
+int SSL_set_fd(SSL *s, int fd)
+{
+ s->client_fd = fd;
+ return 1; /* always succeeds */
+}
+
+int SSL_accept(SSL *ssl)
+{
+ while (ssl_read(ssl, NULL) == SSL_OK)
+ {
+ if (ssl->next_state == HS_CLIENT_HELLO)
+ return 1; /* we're done */
+ }
+
+ return -1;
+}
+
+#ifdef CONFIG_SSL_ENABLE_CLIENT
+int SSL_connect(SSL *ssl)
+{
+ return do_client_connect(ssl) == SSL_OK ? 1 : -1;
+}
+#endif
+
+void SSL_free(SSL *ssl)
+{
+ ssl_free(ssl);
+}
+
+int SSL_read(SSL *ssl, void *buf, int num)
+{
+ uint8_t *read_buf;
+ int ret;
+
+ while ((ret = ssl_read(ssl, &read_buf)) == SSL_OK);
+
+ if (ret > SSL_OK)
+ {
+ memcpy(buf, read_buf, ret > num ? num : ret);
+ }
+
+ return ret;
+}
+
+int SSL_write(SSL *ssl, const void *buf, int num)
+{
+ return ssl_write(ssl, buf, num);
+}
+
+int SSL_CTX_use_certificate_file(SSL_CTX *ssl_ctx, const char *file, int type)
+{
+ return (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, file, NULL) == SSL_OK);
+}
+
+int SSL_CTX_use_PrivateKey_file(SSL_CTX *ssl_ctx, const char *file, int type)
+{
+ return (ssl_obj_load(ssl_ctx, SSL_OBJ_RSA_KEY, file, NULL) == SSL_OK);
+}
+
+int SSL_CTX_use_certificate_ASN1(SSL_CTX *ssl_ctx, int len, const uint8_t *d)
+{
+ return (ssl_obj_memory_load(ssl_ctx,
+ SSL_OBJ_X509_CERT, d, len, NULL) == SSL_OK);
+}
+
+#if 0
+const uint8_t *SSL_get_session(const SSL *ssl)
+{
+ /* TODO: return SSL_SESSION type */
+ return ssl_get_session_id(ssl);
+}
+#endif
+
+int SSL_CTX_check_private_key(const SSL_CTX *ctx)
+{
+ return 1;
+}
+
+int SSL_CTX_set_cipher_list(SSL *s, const char *str)
+{
+ return 1;
+}
+
+int SSL_get_error(const SSL *ssl, int ret)
+{
+ ssl_display_error(ret);
+ return 0; /* TODO: return proper return code */
+}
+
+int SSL_library_init(void ) { return 1; } +void SSL_load_error_strings(void ) {} +void ERR_print_errors_fp(FILE *fp) {} +long SSL_CTX_get_timeout(const SSL_CTX *ssl_ctx) { + return CONFIG_SSL_EXPIRY_TIME*3600; } +long SSL_CTX_set_timeout(SSL_CTX *ssl_ctx, long t) { + return SSL_CTX_get_timeout(ssl_ctx); } +#endif diff --git a/ssl/os_port.c b/ssl/os_port.c index e49498907..9b2547389 100644 --- a/ssl/os_port.c +++ b/ssl/os_port.c @@ -111,10 +111,7 @@ EXP_FUNC FILE * STDCALL ax_fopen(const char *pathname, const char *type) FILE *f; if ((f = fopen(pathname, type)) == NULL) - { - perror("open: "); exit_now(file_open_str, pathname); - } return f; } @@ -124,10 +121,7 @@ EXP_FUNC int STDCALL ax_open(const char *pathname, int flags) int x; if ((x = open(pathname, flags)) < 0) - { - perror("open: "); exit_now(file_open_str, pathname); - } return x; } @@ -141,7 +135,7 @@ void exit_now(const char *format, ...) va_list argp; va_start(argp, format); - vsprintf(stderr, format, argp); + vfprintf(stderr, format, argp); va_end(argp); abort(); } diff --git a/ssl/os_port.h b/ssl/os_port.h index 00f4ceb29..54a7370db 100644 --- a/ssl/os_port.h +++ b/ssl/os_port.h @@ -31,7 +31,7 @@ extern "C" { #include -#if defined(WIN32) || defined(CONFIG_PLATFORM_CYGWIN) +#if defined(WIN32) #define STDCALL __stdcall #define EXP_FUNC __declspec(dllexport) #else diff --git a/ssl/ssl.h b/ssl/ssl.h index 3e366c44d..1ea8a8069 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -283,7 +283,7 @@ EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd); * @return The session id as a 32 byte sequence. * @note A SSLv23 handshake may have only 16 valid bytes. */ -EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(SSL *ssl); +EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(const SSL *ssl); /** * @brief Return the cipher id (in the SSL form). 
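Review bot: SSL_read hands back `ret`, the full record length, even when the copy into `buf` was clamped to `num`, so a caller that trusts the return value reads past what was actually written and the tail of the record is silently lost; clamp before returning, `if (ret > num) ret = num;` ahead of the memcpy, and reject `num < 0`. SSL_CTX_set_cipher_list is declared on `SSL *s` rather than `SSL_CTX *`, so a port that calls it with its context will not compile, and because it ignores `str` an application that restricts its cipher suites silently keeps the defaults, which deserves at least a comment. SSL_get_error always returns 0 (SSL_ERROR_NONE) whatever `ret` is and SSL_CTX_check_private_key always returns 1, so callers' retry logic and key/certificate mismatch handling are bypassed; both stubs should say so in a comment rather than present as success. SSL_CTX_new stores the `malloc` result in `bonus_attr` unchecked and dereferences it on the next line through OPENSSL_CTX_ATTR, which is only safe if malloc here is the aborting wrapper the CHANGELOG mentions. None of these definitions has a prototype in a header within this commit, so a port gets no argument checking on calls to them.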
@@ -294,7 +294,7 @@ EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(SSL *ssl); * - SSL_RC4_128_SHA (0x05) * - SSL_RC4_128_MD5 (0x04) */ -EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(SSL *ssl); +EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(const SSL *ssl); /** * @brief Return the status of the handshake. @@ -302,7 +302,7 @@ EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(SSL *ssl); * @return SSL_OK if the handshake is complete and ok. * @see ssl.h for the error code list. */ -EXP_FUNC int STDCALL ssl_handshake_status(SSL *ssl); +EXP_FUNC int STDCALL ssl_handshake_status(const SSL *ssl); /** * @brief Retrieve various parameters about the axTLS engine. @@ -337,7 +337,7 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code); * @param ssl [in] An SSL object reference. * @return SSL_OK if the certificate is verified. */ -EXP_FUNC int STDCALL ssl_verify_cert(SSL *ssl); +EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl); /** * @brief Retrieve an X.509 distinguished name component. @@ -361,7 +361,7 @@ EXP_FUNC int STDCALL ssl_verify_cert(SSL *ssl); * @return The appropriate string (or null if not defined) * @note Verification build mode must be enabled. */ -EXP_FUNC const char * STDCALL ssl_get_cert_dn(SSL *ssl, int component); +EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component); /** * @brief Force the client to perform its handshake again. @@ -389,7 +389,8 @@ EXP_FUNC int STDCALL ssl_renegotiate(SSL *ssl); * - SSL_OBJ_PKCS8 (RC4-128 encrypted data supported) * - SSL_OBJ_PKCS12 (RC4-128 encrypted data supported) * - * PEM files are automatically detected (if supported). + * PEM files are automatically detected (if supported). The object type is + * also detected, and so is not relevant for these types of files. * @param filename [in] The location of a file in DER/PEM format. * @param password [in] The password used. Can be null if not required. * @return SSL_OK if all ok diff --git a/ssl/tls1.c b/ssl/tls1.c index 6a9294fea..47b76dc31 100644 
--- a/ssl/tls1.c +++ b/ssl/tls1.c @@ -429,7 +429,7 @@ error: /* * Retrieve an X.509 distinguished name component */ -EXP_FUNC const char * STDCALL ssl_get_cert_dn(SSL *ssl, int component) +EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component) { if (ssl->x509_ctx == NULL) return NULL; @@ -545,6 +545,7 @@ SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd) ssl->certs = ssl_ctx->certs; ssl->chain_length = ssl_ctx->chain_length; ssl->bm_data = ssl->bm_all_data+BM_RECORD_OFFSET; /* space at the start */ + ssl->hs_status = SSL_NOT_OK; /* not connected */ #ifdef CONFIG_ENABLE_VERIFICATION ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx; #endif @@ -566,7 +567,6 @@ SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd) } SSL_CTX_UNLOCK(ssl_ctx->mutex); - return ssl; } @@ -1241,8 +1241,11 @@ int basic_read(SSL *ssl, uint8_t **in_data) break; case PT_APP_PROTOCOL_DATA: - *in_data = ssl->bm_data; /* point to the work buffer */ - (*in_data)[read_len] = 0; /* null terminate just in case */ + if (in_data) + { + *in_data = ssl->bm_data; /* point to the work buffer */ + (*in_data)[read_len] = 0; /* null terminate just in case */ + } ret = read_len; break; @@ -1616,7 +1619,7 @@ void kill_ssl_session(SSL_SESS **ssl_sessions, SSL *ssl) /* * Get the session id for a handshake. This will be a 32 byte sequence. */ -EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(SSL *ssl) +EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(const SSL *ssl) { return ssl->session_id; } @@ -1624,7 +1627,7 @@ EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(SSL *ssl) /* * Return the cipher id (in the SSL form). */ -EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(SSL *ssl) +EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(const SSL *ssl) { return ssl->cipher; } 
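Review bot: The new `if (in_data)` guard in the PT_APP_PROTOCOL_DATA case consumes the record and still returns `read_len` while the payload is dropped, so a caller doing a handshake-only read with NULL (SSL_accept in the new ssl/openssl.c does this) silently loses any application data the peer sends in the same read loop, and the positive return also ends that caller's `== SSL_OK` loop as a failure even though the handshake may have completed. Worth stating at the guard, `/* no output buffer: record is consumed and its payload discarded */`, and having NULL-buffer callers treat a positive return as handshake done rather than as an error. basic_read begins and ends outside this hunk.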
@@ -1632,7 +1635,7 @@ EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(SSL *ssl) /* * Return the status of the handshake. */ -EXP_FUNC int STDCALL ssl_handshake_status(SSL *ssl) +EXP_FUNC int STDCALL ssl_handshake_status(const SSL *ssl) { return ssl->hs_status; } @@ -1678,7 +1681,7 @@ EXP_FUNC int STDCALL ssl_get_config(int offset) /** * Authenticate a received certificate. */ -EXP_FUNC int STDCALL ssl_verify_cert(SSL *ssl) +EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl) { int ret = x509_verify(ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx); @@ -2029,7 +2032,7 @@ EXP_FUNC int STDCALL ssl_verify_cert(SSL *ssl) return -1; } -EXP_FUNC const char * STDCALL ssl_get_cert_dn(SSL *ssl, int component) +EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component) { printf(unsupported_str); return NULL; diff --git a/ssl/tls1.h b/ssl/tls1.h index bb2b4d4b3..d2ebeefe0 100644 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -212,6 +212,9 @@ struct _SSL_CTX #ifdef CONFIG_SSL_CTX_MUTEXING SSL_CTX_MUTEX_TYPE mutex; #endif +#ifdef CONFIG_OPENSSL_COMPATIBLE + void *bonus_attr; +#endif }; typedef struct _SSL_CTX SSL_CTX; diff --git a/ssl/tls1_svr.c b/ssl/tls1_svr.c index d5593e0f8..133f9db69 100644 --- a/ssl/tls1_svr.c +++ b/ssl/tls1_svr.c @@ -41,7 +41,6 @@ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd) { SSL *ssl = ssl_new(ssl_ctx, client_fd); ssl->next_state = HS_CLIENT_HELLO; - ssl->hs_status = SSL_NOT_OK; /* not connected */ #ifdef CONFIG_SSL_FULL_MODE if (ssl_ctx->chain_length == 0)