diff --git a/Makefile b/Makefile index f6948de35..02c33d248 100644 --- a/Makefile +++ b/Makefile @@ -82,6 +82,7 @@ docs: # build the Win32 demo release version win32_demo: + @echo "#define AXTLS_VERSION \"$(VERSION)\"" > ssl/version.h $(MAKE) win32releaseconf install: $(PREFIX) all diff --git a/config/axhttpd.aip b/config/axhttpd.aip index 5d1a2254f..412fe3b4d 100755 --- a/config/axhttpd.aip +++ b/config/axhttpd.aip @@ -1,5 +1,5 @@ - + @@ -8,10 +8,10 @@ - + - + @@ -51,8 +51,8 @@ - - + + @@ -69,7 +69,7 @@ - + @@ -105,15 +105,15 @@ - - + + - + diff --git a/config/linuxconfig b/config/linuxconfig index 949ac051b..9068c5b0b 100644 --- a/config/linuxconfig +++ b/config/linuxconfig @@ -12,6 +12,7 @@ CONFIG_PLATFORM_LINUX=y # PREFIX="/usr/local" # CONFIG_DEBUG is not set +CONFIG_STRIP_UNWANTED_SECTIONS=y # CONFIG_VISUAL_STUDIO_7_0 is not set # CONFIG_VISUAL_STUDIO_8_0 is not set CONFIG_VISUAL_STUDIO_7_0_BASE="" @@ -31,6 +32,13 @@ CONFIG_SSL_FULL_MODE=y CONFIG_SSL_PROT_MEDIUM=y # CONFIG_SSL_PROT_HIGH is not set CONFIG_SSL_USE_DEFAULT_KEY=y +CONFIG_SSL_PRIVATE_KEY_LOCATION="" +CONFIG_SSL_PRIVATE_KEY_PASSWORD="" +CONFIG_SSL_X509_CERT_LOCATION="" +CONFIG_SSL_GENERATE_X509_CERT=y +CONFIG_SSL_X509_COMMON_NAME="" +CONFIG_SSL_X509_ORGANIZATION_NAME="" +CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME="" CONFIG_SSL_ENABLE_V23_HANDSHAKE=y CONFIG_SSL_HAS_PEM=y CONFIG_SSL_USE_PKCS12=y @@ -62,6 +70,7 @@ CONFIG_HTTP_HAS_CGI=y CONFIG_HTTP_CGI_EXTENSIONS=".lua,.lp" CONFIG_HTTP_ENABLE_LUA=y CONFIG_HTTP_LUA_PREFIX="/usr/local" +CONFIG_HTTP_LUA_CGI_LAUNCHER="/bin/cgi" # CONFIG_HTTP_BUILD_LUA is not set CONFIG_HTTP_DIRECTORIES=y CONFIG_HTTP_HAS_AUTHORIZATION=y diff --git a/config/win32config b/config/win32config index 8640ea0f7..cfff8094a 100644 --- a/config/win32config +++ b/config/win32config @@ -1,117 +1,120 @@ -# -# Automatically generated make config: don't edit -# -HAVE_DOT_CONFIG=y -# CONFIG_PLATFORM_LINUX is not set -# CONFIG_PLATFORM_CYGWIN is not set -# CONFIG_PLATFORM_SOLARIS is not set -CONFIG_PLATFORM_WIN32=y - -# -# General Configuration -# -PREFIX="" -# CONFIG_DEBUG is not set -# CONFIG_STRIP_UNWANTED_SECTIONS is not set - -# -# Microsoft Compiler Options -# -# CONFIG_VISUAL_STUDIO_7_0 is not set -CONFIG_VISUAL_STUDIO_8_0=y -CONFIG_VISUAL_STUDIO_7_0_BASE="" -CONFIG_VISUAL_STUDIO_8_0_BASE="c:\\Program Files\\Microsoft Visual Studio 8" -CONFIG_EXTRA_CFLAGS_OPTIONS="" -CONFIG_EXTRA_LDFLAGS_OPTIONS="" - -# -# SSL Library -# -# CONFIG_SSL_SERVER_ONLY is not set -# CONFIG_SSL_CERT_VERIFICATION is not set -# CONFIG_SSL_ENABLE_CLIENT is not set -CONFIG_SSL_FULL_MODE=y -# CONFIG_SSL_SKELETON_MODE is not set -# CONFIG_SSL_PROT_LOW is not set -CONFIG_SSL_PROT_MEDIUM=y -# CONFIG_SSL_PROT_HIGH is not set -CONFIG_SSL_USE_DEFAULT_KEY=y -CONFIG_SSL_ENABLE_V23_HANDSHAKE=y -CONFIG_SSL_HAS_PEM=y -CONFIG_SSL_USE_PKCS12=y -CONFIG_SSL_EXPIRY_TIME=24 -CONFIG_X509_MAX_CA_CERTS=4 -CONFIG_SSL_MAX_CERTS=2 -# CONFIG_SSL_CTX_MUTEXING is not set -# CONFIG_USE_DEV_URANDOM is not set -CONFIG_WIN32_USE_CRYPTO_LIB=y -# CONFIG_OPENSSL_COMPATIBLE is not set -# CONFIG_PERFORMANCE_TESTING is not set -# CONFIG_SSL_TEST is not set -CONFIG_AXHTTPD=y - -# -# Axhttpd Configuration -# -# CONFIG_HTTP_STATIC_BUILD is not set -CONFIG_HTTP_PORT=80 -CONFIG_HTTP_HTTPS_PORT=443 -CONFIG_HTTP_SESSION_CACHE_SIZE=5 -CONFIG_HTTP_WEBROOT="www" -CONFIG_HTTP_TIMEOUT=300 - -# -# CGI -# -# CONFIG_HTTP_HAS_CGI is not set -CONFIG_HTTP_CGI_EXTENSIONS="" -# CONFIG_HTTP_ENABLE_LUA is not set -CONFIG_HTTP_LUA_PREFIX="" -CONFIG_HTTP_LUA_CGI_LAUNCHER="" -# CONFIG_HTTP_BUILD_LUA is not set -CONFIG_HTTP_DIRECTORIES=y -CONFIG_HTTP_HAS_AUTHORIZATION=y -# CONFIG_HTTP_CHANGE_UID is not set -# CONFIG_HTTP_HAS_IPV6 is not set -CONFIG_HTTP_VERBOSE=y -# CONFIG_HTTP_IS_DAEMON is not set - -# -# Language Bindings -# -# CONFIG_BINDINGS is not set -# CONFIG_CSHARP_BINDINGS is not set -# CONFIG_VBNET_BINDINGS is not set -CONFIG_DOT_NET_FRAMEWORK_BASE="" -# CONFIG_JAVA_BINDINGS is not set -CONFIG_JAVA_HOME="" -# CONFIG_PERL_BINDINGS is not set -CONFIG_PERL_CORE="" -CONFIG_PERL_LIB="" -# CONFIG_LUA_BINDINGS is not set -CONFIG_LUA_CORE="" - -# -# Samples -# -CONFIG_SAMPLES=y -CONFIG_C_SAMPLES=y -# CONFIG_CSHARP_SAMPLES is not set -# CONFIG_VBNET_SAMPLES is not set -# CONFIG_JAVA_SAMPLES is not set -# CONFIG_PERL_SAMPLES is not set -# CONFIG_LUA_SAMPLES is not set - -# -# BigInt Options -# -# CONFIG_BIGINT_CLASSICAL is not set -# CONFIG_BIGINT_MONTGOMERY is not set -CONFIG_BIGINT_BARRETT=y -CONFIG_BIGINT_CRT=y -# CONFIG_BIGINT_KARATSUBA is not set -MUL_KARATSUBA_THRESH=0 -SQU_KARATSUBA_THRESH=0 -CONFIG_BIGINT_SLIDING_WINDOW=y -CONFIG_BIGINT_SQUARE=y -# CONFIG_BIGINT_CHECK_ON is not set +# +# Automatically generated make config: don't edit +# +HAVE_DOT_CONFIG=y +# CONFIG_PLATFORM_LINUX is not set +# CONFIG_PLATFORM_CYGWIN is not set +# CONFIG_PLATFORM_SOLARIS is not set +CONFIG_PLATFORM_WIN32=y + +# +# General Configuration +# +PREFIX="" +# CONFIG_DEBUG is not set +# CONFIG_STRIP_UNWANTED_SECTIONS is not set + +# +# Microsoft Compiler Options +# +# CONFIG_VISUAL_STUDIO_7_0 is not set +CONFIG_VISUAL_STUDIO_8_0=y +CONFIG_VISUAL_STUDIO_7_0_BASE="" +CONFIG_VISUAL_STUDIO_8_0_BASE="c:\\Program Files\\Microsoft Visual Studio 8" +CONFIG_EXTRA_CFLAGS_OPTIONS="" +CONFIG_EXTRA_LDFLAGS_OPTIONS="" + +# +# SSL Library +# +# CONFIG_SSL_SERVER_ONLY is not set +# CONFIG_SSL_CERT_VERIFICATION is not set +# CONFIG_SSL_ENABLE_CLIENT is not set +CONFIG_SSL_FULL_MODE=y +# CONFIG_SSL_SKELETON_MODE is not set +# CONFIG_SSL_PROT_LOW is not set +CONFIG_SSL_PROT_MEDIUM=y +# CONFIG_SSL_PROT_HIGH is not set +CONFIG_SSL_USE_DEFAULT_KEY=y +CONFIG_SSL_PRIVATE_KEY_LOCATION="" +CONFIG_SSL_PRIVATE_KEY_PASSWORD="" +CONFIG_SSL_X509_CERT_LOCATION="" +CONFIG_SSL_GENERATE_X509_CERT=y +CONFIG_SSL_X509_COMMON_NAME="" +CONFIG_SSL_X509_ORGANIZATION_NAME="" +CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME="" +CONFIG_SSL_ENABLE_V23_HANDSHAKE=y +CONFIG_SSL_HAS_PEM=y +CONFIG_SSL_USE_PKCS12=y +CONFIG_SSL_EXPIRY_TIME=24 +CONFIG_X509_MAX_CA_CERTS=4 +CONFIG_SSL_MAX_CERTS=2 +# CONFIG_SSL_CTX_MUTEXING is not set +# CONFIG_USE_DEV_URANDOM is not set +CONFIG_WIN32_USE_CRYPTO_LIB=y +# CONFIG_OPENSSL_COMPATIBLE is not set +# CONFIG_PERFORMANCE_TESTING is not set +# CONFIG_SSL_TEST is not set +CONFIG_AXHTTPD=y + +# +# Axhttpd Configuration +# +# CONFIG_HTTP_STATIC_BUILD is not set +CONFIG_HTTP_PORT=80 +CONFIG_HTTP_HTTPS_PORT=443 +CONFIG_HTTP_SESSION_CACHE_SIZE=5 +CONFIG_HTTP_WEBROOT="www" +CONFIG_HTTP_TIMEOUT=300 +# CONFIG_HTTP_HAS_CGI is not set +CONFIG_HTTP_CGI_EXTENSIONS="" +# CONFIG_HTTP_ENABLE_LUA is not set +CONFIG_HTTP_LUA_PREFIX="" +CONFIG_HTTP_LUA_CGI_LAUNCHER="" +# CONFIG_HTTP_BUILD_LUA is not set +CONFIG_HTTP_DIRECTORIES=y +CONFIG_HTTP_HAS_AUTHORIZATION=y +# CONFIG_HTTP_CHANGE_UID is not set +# CONFIG_HTTP_HAS_IPV6 is not set +CONFIG_HTTP_VERBOSE=y +# CONFIG_HTTP_IS_DAEMON is not set + +# +# Language Bindings +# +# CONFIG_BINDINGS is not set +# CONFIG_CSHARP_BINDINGS is not set +# CONFIG_VBNET_BINDINGS is not set +CONFIG_DOT_NET_FRAMEWORK_BASE="" +# CONFIG_JAVA_BINDINGS is not set +CONFIG_JAVA_HOME="" +# CONFIG_PERL_BINDINGS is not set +CONFIG_PERL_CORE="" +CONFIG_PERL_LIB="" +# CONFIG_LUA_BINDINGS is not set +CONFIG_LUA_CORE="" + +# +# Samples +# +CONFIG_SAMPLES=y +CONFIG_C_SAMPLES=y +# CONFIG_CSHARP_SAMPLES is not set +# CONFIG_VBNET_SAMPLES is not set +# CONFIG_JAVA_SAMPLES is not set +# CONFIG_PERL_SAMPLES is not set +# CONFIG_LUA_SAMPLES is not set + +# +# BigInt Options +# +# CONFIG_BIGINT_CLASSICAL is not set +# CONFIG_BIGINT_MONTGOMERY is not set +CONFIG_BIGINT_BARRETT=y +CONFIG_BIGINT_CRT=y +# CONFIG_BIGINT_KARATSUBA is not set +MUL_KARATSUBA_THRESH=0 +SQU_KARATSUBA_THRESH=0 +CONFIG_BIGINT_SLIDING_WINDOW=y +CONFIG_BIGINT_SQUARE=y +# CONFIG_BIGINT_CHECK_ON is not set diff --git a/crypto/crypto.h b/crypto/crypto.h index a4e608658..5c95f2159 100644 --- a/crypto/crypto.h +++ b/crypto/crypto.h @@ -198,7 +198,7 @@ void RSA_free(RSA_CTX *ctx); int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint8_t *out_data, int is_decryption); bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg); -#ifdef CONFIG_SSL_CERT_VERIFICATION +#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT) bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, bigint *modulus, bigint *pub_exp); bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg); diff --git a/httpd/axhttp.h b/httpd/axhttp.h index 62a36fd03..cc277f1a6 100644 --- a/httpd/axhttp.h +++ b/httpd/axhttp.h @@ -28,7 +28,6 @@ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#include "os_port.h" #include "ssl.h" #define BACKLOG 15 diff --git a/ssl/Config.in b/ssl/Config.in index 05d88688c..25cee495e 100644 --- a/ssl/Config.in +++ b/ssl/Config.in @@ -144,7 +144,7 @@ config CONFIG_SSL_PRIVATE_KEY_PASSWORD config CONFIG_SSL_X509_CERT_LOCATION string "X.509 certificate file location" - depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_SKELETON_MODE + depends on !CONFIG_SSL_GENERATE_X509_CERT && !CONFIG_SSL_USE_DEFAULT_KEY && !CONFIG_SSL_SKELETON_MODE help The file location of the X.509 certificate which will be automatically loaded on a ssl_ctx_new(). @@ -156,10 +156,13 @@ config CONFIG_SSL_GENERATE_X509_CERT An X.509 certificate can be automatically generated on a ssl_ctx_new(). A private key still needs to be provided (the private key in ss/private_key.h will be used unless - CONFIG_SSL_PRIVATE_KEY_LOCATION is set. + CONFIG_SSL_PRIVATE_KEY_LOCATION is set). The certificate is generated on the fly, and so a minor start-up time - penalty is to be expected. + penalty is to be expected. This feature adds around 5kB to the + library. + + This feature is disabled by default. config CONFIG_SSL_X509_COMMON_NAME string "X.509 Common Name" @@ -168,7 +171,7 @@ config CONFIG_SSL_X509_COMMON_NAME The common name for the X.509 certificate. This should in theory be the URL for server. - If this is blank, then the hostname is used. + If this is blank, then this will be value from gethostname(). config CONFIG_SSL_X509_ORGANIZATION_NAME string "X.509 Organization Name" @@ -176,14 +179,15 @@ config CONFIG_SSL_X509_ORGANIZATION_NAME help The organization name for the generated X.509 certificate. - If this is blank, then $USERNAME will be used. + If this is blank, then $USERDOMAIN will be used. config CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME string "X.509 Organization Unit Name" depends on CONFIG_SSL_GENERATE_X509_CERT help - The organization unit name for the generated X.509 certificate. This - field is optional. + The organization unit name for the generated X.509 certificate. + + This field is optional. config CONFIG_SSL_ENABLE_V23_HANDSHAKE bool "Enable v23 Handshake" @@ -322,7 +326,7 @@ config CONFIG_PERFORMANCE_TESTING config CONFIG_SSL_TEST bool "Build the SSL testing tool" default n - depends on CONFIG_SSL_FULL_MODE + depends on CONFIG_SSL_FULL_MODE && !CONFIG_SSL_GENERATE_X509_CERT help Used for sanity checking the SSL handshaking. diff --git a/ssl/asn1.c b/ssl/asn1.c index 0fa9820e6..1639040d0 100644 --- a/ssl/asn1.c +++ b/ssl/asn1.c @@ -112,7 +112,7 @@ int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object) if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0) goto end_int_array; - if (buf[*offset] == 0x00) /* ignore the negative byte */ + if (len > 1 && buf[*offset] == 0x00) /* ignore the negative byte */ { len--; (*offset)++; diff --git a/ssl/cert.h b/ssl/cert.h index 972a9e4b5..7a85d2d84 100644 --- a/ssl/cert.h +++ b/ssl/cert.h @@ -1,43 +1,43 @@ -unsigned char default_certificate[] = { - 0x30, 0x82, 0x01, 0xd7, 0x30, 0x82, 0x01, 0x40, 0x02, 0x09, 0x00, 0xf1, - 0xc3, 0x87, 0xc0, 0xd4, 0xf4, 0x57, 0xc3, 0x30, 0x0d, 0x06, 0x09, 0x2a, - 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x34, - 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x29, 0x61, - 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, - 0x20, 0x44, 0x6f, 0x64, 0x67, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, - 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, - 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x30, 0x36, - 0x30, 0x37, 0x31, 0x31, 0x34, 0x34, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x33, - 0x33, 0x31, 0x30, 0x32, 0x33, 0x31, 0x31, 0x34, 0x34, 0x33, 0x32, 0x5a, - 0x30, 0x2c, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, - 0x0d, 0x61, 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, - 0x63, 0x74, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, - 0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, 0x81, - 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, - 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, - 0x81, 0x81, 0x00, 0xd8, 0xe0, 0xbf, 0x15, 0xde, 0xea, 0xaf, 0xe8, 0xd5, - 0xfd, 0x0b, 0xa8, 0xa8, 0xb3, 0xd7, 0x46, 0x5d, 0xa7, 0x26, 0x6c, 0x0c, - 0xb5, 0xd9, 0xbc, 0xc6, 0xf8, 0xc0, 0x78, 0xd0, 0xf6, 0x56, 0x65, 0xf8, - 0x29, 0x48, 0x0e, 0x7b, 0x0b, 0xa6, 0x25, 0x7e, 0xe8, 0x7b, 0x79, 0x6f, - 0x38, 0xe5, 0xb5, 0xb7, 0xf4, 0xe0, 0x9c, 0x91, 0x60, 0xf4, 0x06, 0xf3, - 0x40, 0x1e, 0xf9, 0x91, 0x19, 0xa9, 0x2f, 0x47, 0x43, 0xb5, 0x9b, 0x1e, - 0xdc, 0xf6, 0xaa, 0x1c, 0x49, 0x79, 0x21, 0x28, 0xcb, 0xaa, 0x49, 0x73, - 0xd9, 0x09, 0x05, 0x4c, 0x02, 0xf2, 0x4c, 0x4d, 0x6c, 0x1c, 0x80, 0xa7, - 0x14, 0x91, 0x44, 0xfc, 0x12, 0xb3, 0xe1, 0xe7, 0xe3, 0x4f, 0x44, 0xba, - 0x8c, 0xc3, 0x74, 0x39, 0xe8, 0x4c, 0xd0, 0xd4, 0x4c, 0x24, 0x61, 0xb4, - 0x40, 0x95, 0x8c, 0xc0, 0x0a, 0xb7, 0x02, 0x39, 0x31, 0x85, 0x93, 0x02, - 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, - 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x0b, - 0x47, 0x24, 0x52, 0x7d, 0xb6, 0x63, 0x78, 0xbc, 0x80, 0xdd, 0x87, 0x6c, - 0x90, 0x4c, 0x33, 0xc3, 0x5c, 0xa7, 0x97, 0x09, 0x1c, 0x09, 0x4f, 0x9b, - 0x6e, 0xb3, 0x5a, 0x3e, 0x46, 0x92, 0x1a, 0xc7, 0x87, 0x15, 0x59, 0xe1, - 0x88, 0x5c, 0xce, 0x6a, 0xe2, 0x96, 0xaa, 0x32, 0xec, 0xc2, 0xed, 0x78, - 0x8b, 0xe0, 0x90, 0x66, 0x93, 0x14, 0xc3, 0x98, 0xab, 0x33, 0x35, 0xd3, - 0x7d, 0x5d, 0x51, 0x0a, 0x9c, 0xb9, 0x10, 0x58, 0x47, 0x7a, 0x98, 0x95, - 0x64, 0xff, 0x4c, 0x5d, 0x82, 0x19, 0xf9, 0xea, 0x0f, 0x5e, 0x9a, 0xcb, - 0x32, 0x27, 0x64, 0xca, 0x6f, 0x58, 0x8a, 0xd0, 0xc0, 0x36, 0xf4, 0xb9, - 0x63, 0x34, 0xa5, 0xda, 0x36, 0x50, 0x36, 0x49, 0xd2, 0xb7, 0x3a, 0x21, - 0x33, 0x5b, 0x3e, 0xd6, 0x5f, 0x0c, 0x99, 0x83, 0xb7, 0xb2, 0xf7, 0x8b, - 0x44, 0xc4, 0x5e, 0x73, 0x41, 0xa9, 0x02 -}; -unsigned int default_certificate_len = 475; +unsigned char default_certificate[] = { + 0x30, 0x82, 0x01, 0xd7, 0x30, 0x82, 0x01, 0x40, 0x02, 0x09, 0x00, 0xf1, + 0xc3, 0x87, 0xc0, 0xd4, 0xf4, 0x57, 0xc3, 0x30, 0x0d, 0x06, 0x09, 0x2a, + 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x34, + 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x29, 0x61, + 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, + 0x20, 0x44, 0x6f, 0x64, 0x67, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, + 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, + 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x30, 0x36, 0x30, 0x36, + 0x30, 0x37, 0x31, 0x31, 0x34, 0x34, 0x33, 0x32, 0x5a, 0x17, 0x0d, 0x33, + 0x33, 0x31, 0x30, 0x32, 0x33, 0x31, 0x31, 0x34, 0x34, 0x33, 0x32, 0x5a, + 0x30, 0x2c, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, + 0x0d, 0x61, 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, + 0x63, 0x74, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, + 0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, 0x81, + 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, + 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, + 0x81, 0x81, 0x00, 0xd8, 0xe0, 0xbf, 0x15, 0xde, 0xea, 0xaf, 0xe8, 0xd5, + 0xfd, 0x0b, 0xa8, 0xa8, 0xb3, 0xd7, 0x46, 0x5d, 0xa7, 0x26, 0x6c, 0x0c, + 0xb5, 0xd9, 0xbc, 0xc6, 0xf8, 0xc0, 0x78, 0xd0, 0xf6, 0x56, 0x65, 0xf8, + 0x29, 0x48, 0x0e, 0x7b, 0x0b, 0xa6, 0x25, 0x7e, 0xe8, 0x7b, 0x79, 0x6f, + 0x38, 0xe5, 0xb5, 0xb7, 0xf4, 0xe0, 0x9c, 0x91, 0x60, 0xf4, 0x06, 0xf3, + 0x40, 0x1e, 0xf9, 0x91, 0x19, 0xa9, 0x2f, 0x47, 0x43, 0xb5, 0x9b, 0x1e, + 0xdc, 0xf6, 0xaa, 0x1c, 0x49, 0x79, 0x21, 0x28, 0xcb, 0xaa, 0x49, 0x73, + 0xd9, 0x09, 0x05, 0x4c, 0x02, 0xf2, 0x4c, 0x4d, 0x6c, 0x1c, 0x80, 0xa7, + 0x14, 0x91, 0x44, 0xfc, 0x12, 0xb3, 0xe1, 0xe7, 0xe3, 0x4f, 0x44, 0xba, + 0x8c, 0xc3, 0x74, 0x39, 0xe8, 0x4c, 0xd0, 0xd4, 0x4c, 0x24, 0x61, 0xb4, + 0x40, 0x95, 0x8c, 0xc0, 0x0a, 0xb7, 0x02, 0x39, 0x31, 0x85, 0x93, 0x02, + 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, + 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x0b, + 0x47, 0x24, 0x52, 0x7d, 0xb6, 0x63, 0x78, 0xbc, 0x80, 0xdd, 0x87, 0x6c, + 0x90, 0x4c, 0x33, 0xc3, 0x5c, 0xa7, 0x97, 0x09, 0x1c, 0x09, 0x4f, 0x9b, + 0x6e, 0xb3, 0x5a, 0x3e, 0x46, 0x92, 0x1a, 0xc7, 0x87, 0x15, 0x59, 0xe1, + 0x88, 0x5c, 0xce, 0x6a, 0xe2, 0x96, 0xaa, 0x32, 0xec, 0xc2, 0xed, 0x78, + 0x8b, 0xe0, 0x90, 0x66, 0x93, 0x14, 0xc3, 0x98, 0xab, 0x33, 0x35, 0xd3, + 0x7d, 0x5d, 0x51, 0x0a, 0x9c, 0xb9, 0x10, 0x58, 0x47, 0x7a, 0x98, 0x95, + 0x64, 0xff, 0x4c, 0x5d, 0x82, 0x19, 0xf9, 0xea, 0x0f, 0x5e, 0x9a, 0xcb, + 0x32, 0x27, 0x64, 0xca, 0x6f, 0x58, 0x8a, 0xd0, 0xc0, 0x36, 0xf4, 0xb9, + 0x63, 0x34, 0xa5, 0xda, 0x36, 0x50, 0x36, 0x49, 0xd2, 0xb7, 0x3a, 0x21, + 0x33, 0x5b, 0x3e, 0xd6, 0x5f, 0x0c, 0x99, 0x83, 0xb7, 0xb2, 0xf7, 0x8b, + 0x44, 0xc4, 0x5e, 0x73, 0x41, 0xa9, 0x02 +}; +unsigned int default_certificate_len = 475; diff --git a/ssl/gen_cert.c b/ssl/gen_cert.c index f58463ca0..faad29b0f 100644 --- a/ssl/gen_cert.c +++ b/ssl/gen_cert.c @@ -195,14 +195,14 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset) goto error; if (dn[X509_ORGANIZATION] == NULL || strlen(dn[X509_ORGANIZATION]) == 0) - dn[X509_ORGANIZATION] = getenv("USERNAME"); + dn[X509_ORGANIZATION] = getenv("USERDOMAIN"); if (dn[X509_ORGANIZATION] != NULL && ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset)))) goto error; if (dn[X509_ORGANIZATIONAL_TYPE] != NULL && - strlen(dn[X509_ORGANIZATIONAL_TYPE]) != 0) + strlen(dn[X509_ORGANIZATIONAL_TYPE]) > 0) { if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_TYPE], 11, buf, offset))) goto error; @@ -219,8 +219,8 @@ static const uint8_t time_seq[] = ASN1_SEQUENCE, 30, ASN1_UTC_TIME, 13, '0', '7', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z', - ASN1_UTC_TIME, 13, /* make it good for 40 or so years */ - '4', '9', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z' + ASN1_UTC_TIME, 13, /* make it good for 30 or so years */ + '3', '8', '0', '1', '0', '1', '0', '0', '0', '0', '0', '0', 'Z' }; static void gen_utc_time(uint8_t *buf, int *offset) @@ -342,7 +342,7 @@ error: /** * Create a new certificate. */ -EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, const char * dn[], uint32_t options, uint8_t **cert_data) +EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const char * dn[], uint8_t **cert_data) { int ret = X509_OK, offset = 0, seq_offset; /* allocate enough space to load a new certificate */ diff --git a/ssl/loader.c b/ssl/loader.c index 4909d0628..a6e4d94fb 100644 --- a/ssl/loader.c +++ b/ssl/loader.c @@ -395,6 +395,16 @@ int load_key_certs(SSL_CTX *ssl_ctx) { int ret = SSL_OK; uint32_t options = ssl_ctx->options; +#ifdef CONFIG_SSL_GENERATE_X509_CERT + uint8_t *cert_data = NULL; + int cert_size; + static const char *dn[] = + { + CONFIG_SSL_X509_COMMON_NAME, + CONFIG_SSL_X509_ORGANIZATION_NAME, + CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME + }; +#endif /* do the private key first */ if (strlen(CONFIG_SSL_PRIVATE_KEY_LOCATION) > 0) @@ -417,16 +427,7 @@ int load_key_certs(SSL_CTX *ssl_ctx) /* now load the certificate */ #ifdef CONFIG_SSL_GENERATE_X509_CERT - uint8_t *cert_data; - int cert_size; - static const char *dn[] = - { - CONFIG_SSL_X509_COMMON_NAME, - CONFIG_SSL_X509_ORGANIZATION_NAME, - CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME - }; - - if ((cert_size = ssl_x509_create(ssl_ctx, dn, &cert_data)) < 0) + if ((cert_size = ssl_x509_create(ssl_ctx, 0, dn, &cert_data)) < 0) { ret = cert_size; goto error; diff --git a/ssl/os_port.h b/ssl/os_port.h index 8b47e3664..139850468 100644 --- a/ssl/os_port.h +++ b/ssl/os_port.h @@ -99,7 +99,7 @@ extern "C" { #define strdup(A) _strdup(A) #define chroot(A) _chdir(A) #define chdir(A) _chdir(A) -#define alloca(A) _alloca(A) +#define alloca(A) _alloca(A) #ifndef lseek #define lseek(A,B,C) _lseek(A,B,C) #endif diff --git a/ssl/private_key.h b/ssl/private_key.h index 1ce34d674..96a525331 100644 --- a/ssl/private_key.h +++ b/ssl/private_key.h @@ -1,54 +1,54 @@ -unsigned char default_private_key[] = { - 0x30, 0x82, 0x02, 0x5d, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xd8, - 0xe0, 0xbf, 0x15, 0xde, 0xea, 0xaf, 0xe8, 0xd5, 0xfd, 0x0b, 0xa8, 0xa8, - 0xb3, 0xd7, 0x46, 0x5d, 0xa7, 0x26, 0x6c, 0x0c, 0xb5, 0xd9, 0xbc, 0xc6, - 0xf8, 0xc0, 0x78, 0xd0, 0xf6, 0x56, 0x65, 0xf8, 0x29, 0x48, 0x0e, 0x7b, - 0x0b, 0xa6, 0x25, 0x7e, 0xe8, 0x7b, 0x79, 0x6f, 0x38, 0xe5, 0xb5, 0xb7, - 0xf4, 0xe0, 0x9c, 0x91, 0x60, 0xf4, 0x06, 0xf3, 0x40, 0x1e, 0xf9, 0x91, - 0x19, 0xa9, 0x2f, 0x47, 0x43, 0xb5, 0x9b, 0x1e, 0xdc, 0xf6, 0xaa, 0x1c, - 0x49, 0x79, 0x21, 0x28, 0xcb, 0xaa, 0x49, 0x73, 0xd9, 0x09, 0x05, 0x4c, - 0x02, 0xf2, 0x4c, 0x4d, 0x6c, 0x1c, 0x80, 0xa7, 0x14, 0x91, 0x44, 0xfc, - 0x12, 0xb3, 0xe1, 0xe7, 0xe3, 0x4f, 0x44, 0xba, 0x8c, 0xc3, 0x74, 0x39, - 0xe8, 0x4c, 0xd0, 0xd4, 0x4c, 0x24, 0x61, 0xb4, 0x40, 0x95, 0x8c, 0xc0, - 0x0a, 0xb7, 0x02, 0x39, 0x31, 0x85, 0x93, 0x02, 0x03, 0x01, 0x00, 0x01, - 0x02, 0x81, 0x81, 0x00, 0x94, 0x07, 0x72, 0xe5, 0xbe, 0xad, 0x79, 0x3b, - 0xf7, 0x33, 0x2c, 0x8e, 0x05, 0xf8, 0x1a, 0x6b, 0xd0, 0xe8, 0x91, 0xf5, - 0x16, 0x07, 0xd9, 0x82, 0x5c, 0x5c, 0xd5, 0x22, 0xa1, 0x9e, 0x42, 0x02, - 0x7f, 0x8b, 0xcd, 0xbe, 0xf4, 0x85, 0x52, 0xf6, 0x2c, 0xd5, 0x09, 0xd2, - 0x2c, 0xf4, 0x2c, 0xf6, 0x07, 0x85, 0x80, 0xf9, 0xdc, 0xd0, 0xcc, 0x3f, - 0x22, 0x31, 0x15, 0xf3, 0x49, 0xf2, 0xb5, 0xe2, 0x69, 0x99, 0x04, 0x04, - 0x49, 0x21, 0xdb, 0x9f, 0xa1, 0x54, 0x5a, 0xfa, 0xe4, 0xd9, 0xf9, 0x07, - 0x05, 0xff, 0x9a, 0x65, 0xa4, 0xeb, 0xf2, 0x47, 0xce, 0x56, 0xc7, 0x72, - 0x49, 0x48, 0x5c, 0xe8, 0x14, 0xd7, 0x8f, 0x25, 0xcc, 0x49, 0x29, 0x06, - 0x6a, 0x54, 0x7b, 0x17, 0xdc, 0x9e, 0xd4, 0x53, 0xf0, 0xf5, 0x9e, 0x85, - 0x25, 0xa1, 0xeb, 0x3d, 0xe9, 0x2f, 0xb9, 0x9c, 0xf6, 0xe1, 0x80, 0x81, - 0x02, 0x41, 0x00, 0xee, 0x02, 0x78, 0xc7, 0x78, 0x85, 0x04, 0x97, 0xcc, - 0x36, 0xbd, 0xd6, 0x11, 0xe2, 0xc7, 0x39, 0xd9, 0x34, 0x51, 0x72, 0x6f, - 0x8a, 0x0f, 0xcd, 0x88, 0x32, 0x33, 0x9b, 0xc7, 0xa7, 0x03, 0x77, 0xd9, - 0x82, 0x35, 0xb6, 0xdd, 0x1f, 0xc2, 0xc1, 0x13, 0x40, 0x83, 0x55, 0xeb, - 0x60, 0xeb, 0x81, 0x8e, 0x0c, 0x16, 0x62, 0xb4, 0xb4, 0x3c, 0xeb, 0x08, - 0x80, 0x9c, 0x79, 0xd3, 0x38, 0xca, 0xf1, 0x02, 0x41, 0x00, 0xe9, 0x45, - 0x5f, 0x2e, 0x16, 0xcc, 0x93, 0x50, 0x40, 0xb6, 0x79, 0xbc, 0x38, 0xe0, - 0x56, 0x68, 0x50, 0xd3, 0x2f, 0x73, 0x8c, 0x8c, 0x2a, 0x0e, 0x81, 0x4a, - 0x8a, 0xbb, 0xcc, 0xf0, 0x64, 0x34, 0x46, 0x9f, 0x07, 0x7d, 0x22, 0xb6, - 0xf9, 0x46, 0xac, 0x57, 0x23, 0x8c, 0x1e, 0xeb, 0xd3, 0x05, 0x4d, 0xa8, - 0x83, 0x6a, 0x67, 0xf6, 0xa6, 0xb1, 0xab, 0x8e, 0xc1, 0xef, 0xef, 0x7d, - 0xf0, 0xc3, 0x02, 0x40, 0x2f, 0xc6, 0x59, 0x3e, 0x18, 0xe8, 0x02, 0x73, - 0x01, 0xef, 0xdf, 0x0d, 0x30, 0x4b, 0xe8, 0x17, 0xa9, 0x8c, 0xc1, 0xe8, - 0x89, 0x91, 0x19, 0xf8, 0xf4, 0xa4, 0xb7, 0x0d, 0x46, 0xf7, 0x34, 0x50, - 0x03, 0x5e, 0x0a, 0xb0, 0x29, 0x14, 0xae, 0x00, 0x19, 0x80, 0x32, 0x9c, - 0xb5, 0x81, 0x9f, 0xe4, 0x42, 0x82, 0x14, 0xa0, 0x3d, 0x8b, 0x8c, 0x4a, - 0xd5, 0x4b, 0x13, 0x9d, 0xb4, 0x93, 0x4a, 0xd1, 0x02, 0x40, 0x64, 0x8c, - 0x83, 0x77, 0x61, 0x5a, 0x73, 0x11, 0x3f, 0xa3, 0xa8, 0x1b, 0x8a, 0xc4, - 0xa0, 0x5a, 0x3c, 0xa4, 0x9b, 0x2a, 0x8a, 0x65, 0x8c, 0x67, 0x4e, 0x31, - 0xac, 0x55, 0x41, 0x04, 0x49, 0x9d, 0x02, 0xe7, 0xdf, 0x99, 0x7f, 0xd2, - 0x30, 0xe6, 0xd6, 0xb8, 0x84, 0xd9, 0x0c, 0x27, 0x08, 0x81, 0x9b, 0xb4, - 0xcc, 0x58, 0x9c, 0x51, 0x84, 0x0e, 0xc7, 0x6d, 0x34, 0x89, 0x50, 0xc9, - 0x0f, 0x73, 0x02, 0x41, 0x00, 0xda, 0xde, 0x5e, 0x1a, 0xac, 0x1d, 0x1d, - 0xd7, 0xb9, 0x65, 0x26, 0x00, 0xf5, 0xd4, 0xe4, 0x28, 0x84, 0x86, 0x2f, - 0x00, 0x9c, 0x41, 0x00, 0x52, 0xe1, 0x47, 0x91, 0xc0, 0x52, 0x05, 0x4e, - 0x0f, 0x2f, 0x0d, 0xca, 0x9b, 0x3d, 0x89, 0x41, 0xbf, 0xee, 0x9f, 0xa1, - 0xe6, 0x9d, 0xa4, 0xeb, 0x45, 0x7f, 0xe3, 0xcb, 0xa4, 0x6b, 0x0a, 0xe2, - 0x7e, 0xb0, 0x87, 0x5c, 0x40, 0xb1, 0x51, 0x11, 0x1d -}; -unsigned int default_private_key_len = 609; +unsigned char default_private_key[] = { + 0x30, 0x82, 0x02, 0x5d, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xd8, + 0xe0, 0xbf, 0x15, 0xde, 0xea, 0xaf, 0xe8, 0xd5, 0xfd, 0x0b, 0xa8, 0xa8, + 0xb3, 0xd7, 0x46, 0x5d, 0xa7, 0x26, 0x6c, 0x0c, 0xb5, 0xd9, 0xbc, 0xc6, + 0xf8, 0xc0, 0x78, 0xd0, 0xf6, 0x56, 0x65, 0xf8, 0x29, 0x48, 0x0e, 0x7b, + 0x0b, 0xa6, 0x25, 0x7e, 0xe8, 0x7b, 0x79, 0x6f, 0x38, 0xe5, 0xb5, 0xb7, + 0xf4, 0xe0, 0x9c, 0x91, 0x60, 0xf4, 0x06, 0xf3, 0x40, 0x1e, 0xf9, 0x91, + 0x19, 0xa9, 0x2f, 0x47, 0x43, 0xb5, 0x9b, 0x1e, 0xdc, 0xf6, 0xaa, 0x1c, + 0x49, 0x79, 0x21, 0x28, 0xcb, 0xaa, 0x49, 0x73, 0xd9, 0x09, 0x05, 0x4c, + 0x02, 0xf2, 0x4c, 0x4d, 0x6c, 0x1c, 0x80, 0xa7, 0x14, 0x91, 0x44, 0xfc, + 0x12, 0xb3, 0xe1, 0xe7, 0xe3, 0x4f, 0x44, 0xba, 0x8c, 0xc3, 0x74, 0x39, + 0xe8, 0x4c, 0xd0, 0xd4, 0x4c, 0x24, 0x61, 0xb4, 0x40, 0x95, 0x8c, 0xc0, + 0x0a, 0xb7, 0x02, 0x39, 0x31, 0x85, 0x93, 0x02, 0x03, 0x01, 0x00, 0x01, + 0x02, 0x81, 0x81, 0x00, 0x94, 0x07, 0x72, 0xe5, 0xbe, 0xad, 0x79, 0x3b, + 0xf7, 0x33, 0x2c, 0x8e, 0x05, 0xf8, 0x1a, 0x6b, 0xd0, 0xe8, 0x91, 0xf5, + 0x16, 0x07, 0xd9, 0x82, 0x5c, 0x5c, 0xd5, 0x22, 0xa1, 0x9e, 0x42, 0x02, + 0x7f, 0x8b, 0xcd, 0xbe, 0xf4, 0x85, 0x52, 0xf6, 0x2c, 0xd5, 0x09, 0xd2, + 0x2c, 0xf4, 0x2c, 0xf6, 0x07, 0x85, 0x80, 0xf9, 0xdc, 0xd0, 0xcc, 0x3f, + 0x22, 0x31, 0x15, 0xf3, 0x49, 0xf2, 0xb5, 0xe2, 0x69, 0x99, 0x04, 0x04, + 0x49, 0x21, 0xdb, 0x9f, 0xa1, 0x54, 0x5a, 0xfa, 0xe4, 0xd9, 0xf9, 0x07, + 0x05, 0xff, 0x9a, 0x65, 0xa4, 0xeb, 0xf2, 0x47, 0xce, 0x56, 0xc7, 0x72, + 0x49, 0x48, 0x5c, 0xe8, 0x14, 0xd7, 0x8f, 0x25, 0xcc, 0x49, 0x29, 0x06, + 0x6a, 0x54, 0x7b, 0x17, 0xdc, 0x9e, 0xd4, 0x53, 0xf0, 0xf5, 0x9e, 0x85, + 0x25, 0xa1, 0xeb, 0x3d, 0xe9, 0x2f, 0xb9, 0x9c, 0xf6, 0xe1, 0x80, 0x81, + 0x02, 0x41, 0x00, 0xee, 0x02, 0x78, 0xc7, 0x78, 0x85, 0x04, 0x97, 0xcc, + 0x36, 0xbd, 0xd6, 0x11, 0xe2, 0xc7, 0x39, 0xd9, 0x34, 0x51, 0x72, 0x6f, + 0x8a, 0x0f, 0xcd, 0x88, 0x32, 0x33, 0x9b, 0xc7, 0xa7, 0x03, 0x77, 0xd9, + 0x82, 0x35, 0xb6, 0xdd, 0x1f, 0xc2, 0xc1, 0x13, 0x40, 0x83, 0x55, 0xeb, + 0x60, 0xeb, 0x81, 0x8e, 0x0c, 0x16, 0x62, 0xb4, 0xb4, 0x3c, 0xeb, 0x08, + 0x80, 0x9c, 0x79, 0xd3, 0x38, 0xca, 0xf1, 0x02, 0x41, 0x00, 0xe9, 0x45, + 0x5f, 0x2e, 0x16, 0xcc, 0x93, 0x50, 0x40, 0xb6, 0x79, 0xbc, 0x38, 0xe0, + 0x56, 0x68, 0x50, 0xd3, 0x2f, 0x73, 0x8c, 0x8c, 0x2a, 0x0e, 0x81, 0x4a, + 0x8a, 0xbb, 0xcc, 0xf0, 0x64, 0x34, 0x46, 0x9f, 0x07, 0x7d, 0x22, 0xb6, + 0xf9, 0x46, 0xac, 0x57, 0x23, 0x8c, 0x1e, 0xeb, 0xd3, 0x05, 0x4d, 0xa8, + 0x83, 0x6a, 0x67, 0xf6, 0xa6, 0xb1, 0xab, 0x8e, 0xc1, 0xef, 0xef, 0x7d, + 0xf0, 0xc3, 0x02, 0x40, 0x2f, 0xc6, 0x59, 0x3e, 0x18, 0xe8, 0x02, 0x73, + 0x01, 0xef, 0xdf, 0x0d, 0x30, 0x4b, 0xe8, 0x17, 0xa9, 0x8c, 0xc1, 0xe8, + 0x89, 0x91, 0x19, 0xf8, 0xf4, 0xa4, 0xb7, 0x0d, 0x46, 0xf7, 0x34, 0x50, + 0x03, 0x5e, 0x0a, 0xb0, 0x29, 0x14, 0xae, 0x00, 0x19, 0x80, 0x32, 0x9c, + 0xb5, 0x81, 0x9f, 0xe4, 0x42, 0x82, 0x14, 0xa0, 0x3d, 0x8b, 0x8c, 0x4a, + 0xd5, 0x4b, 0x13, 0x9d, 0xb4, 0x93, 0x4a, 0xd1, 0x02, 0x40, 0x64, 0x8c, + 0x83, 0x77, 0x61, 0x5a, 0x73, 0x11, 0x3f, 0xa3, 0xa8, 0x1b, 0x8a, 0xc4, + 0xa0, 0x5a, 0x3c, 0xa4, 0x9b, 0x2a, 0x8a, 0x65, 0x8c, 0x67, 0x4e, 0x31, + 0xac, 0x55, 0x41, 0x04, 0x49, 0x9d, 0x02, 0xe7, 0xdf, 0x99, 0x7f, 0xd2, + 0x30, 0xe6, 0xd6, 0xb8, 0x84, 0xd9, 0x0c, 0x27, 0x08, 0x81, 0x9b, 0xb4, + 0xcc, 0x58, 0x9c, 0x51, 0x84, 0x0e, 0xc7, 0x6d, 0x34, 0x89, 0x50, 0xc9, + 0x0f, 0x73, 0x02, 0x41, 0x00, 0xda, 0xde, 0x5e, 0x1a, 0xac, 0x1d, 0x1d, + 0xd7, 0xb9, 0x65, 0x26, 0x00, 0xf5, 0xd4, 0xe4, 0x28, 0x84, 0x86, 0x2f, + 0x00, 0x9c, 0x41, 0x00, 0x52, 0xe1, 0x47, 0x91, 0xc0, 0x52, 0x05, 0x4e, + 0x0f, 0x2f, 0x0d, 0xca, 0x9b, 0x3d, 0x89, 0x41, 0xbf, 0xee, 0x9f, 0xa1, + 0xe6, 0x9d, 0xa4, 0xeb, 0x45, 0x7f, 0xe3, 0xcb, 0xa4, 0x6b, 0x0a, 0xe2, + 0x7e, 0xb0, 0x87, 0x5c, 0x40, 0xb1, 0x51, 0x11, 0x1d +}; +unsigned int default_private_key_len = 609; diff --git a/ssl/ssl.h b/ssl/ssl.h index 103c28b87..539d0a305 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -439,9 +439,10 @@ EXP_FUNC int STDCALL ssl_obj_memory_load(SSL_CTX *ssl_ctx, int obj_type, const u * @brief Create an X.509 certificate. * * This certificate is a self-signed v1 cert with a fixed start/stop validity - * times. It is also signed with the private key in ssl_ctx->rsa_ctx. + * times. It is signed with an internal private key in ssl_ctx. * * @param ssl_ctx [in] The client/server context. + * @param options [in] Not used yet. * @param dn [in] An array of distinguished name strings. The array is defined * by: * - SSL_X509_CERT_COMMON_NAME (0) @@ -452,12 +453,11 @@ EXP_FUNC int STDCALL ssl_obj_memory_load(SSL_CTX *ssl_ctx, int obj_type, const u * will be used. * - SSL_X509_CERT_ORGANIZATIONAL_NAME (2) * - SSL_X509_CERT_ORGANIZATIONAL_NAME is optional. - * @param options [in] Not used yet. * @param cert_data [out] The certificate as a sequence of bytes. * @return < 0 if an error, or the size of the certificate in bytes. * @note cert_data must be freed when there is no more need for it. */ -EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, const char * dn[], uint32_t options, uint8_t **cert_data); +EXP_FUNC int STDCALL ssl_x509_create(SSL_CTX *ssl_ctx, uint32_t options, const char * dn[], uint8_t **cert_data); #endif /** diff --git a/ssl/test/Makefile b/ssl/test/Makefile index 42465600f..56c711f19 100644 --- a/ssl/test/Makefile +++ b/ssl/test/Makefile @@ -75,11 +75,12 @@ CRYPTO_OBJ=\ OBJ=\ $(AXTLS_SSL_PATH)asn1.obj \ - $(AXTLS_SSL_PATH)x509.obj \ - $(AXTLS_SSL_PATH)os_port.obj \ + $(AXTLS_SSL_PATH)gen_cert.obj \ $(AXTLS_SSL_PATH)loader.obj \ $(AXTLS_SSL_PATH)openssl.obj \ + $(AXTLS_SSL_PATH)os_port.obj \ $(AXTLS_SSL_PATH)p12.obj \ + $(AXTLS_SSL_PATH)x509.obj \ $(AXTLS_SSL_PATH)tls1.obj \ $(AXTLS_SSL_PATH)tls1_svr.obj \ $(AXTLS_SSL_PATH)tls1_clnt.obj diff --git a/ssl/test/ssltest.c b/ssl/test/ssltest.c index db71fe130..a97a5b578 100644 --- a/ssl/test/ssltest.c +++ b/ssl/test/ssltest.c @@ -58,7 +58,6 @@ static int g_port = 19001; -#if 0 /************************************************************************** * AES tests * @@ -647,7 +646,6 @@ bad_cert: printf("Error: A certificate test failed\n"); return res; } -#endif /** * init a server socket. @@ -781,6 +779,11 @@ static int SSL_server_test( if ((server_fd = server_socket_init(&g_port)) < 0) goto error; + if (private_key) + { + axolotls_option |= SSL_NO_DEFAULT_KEY; + } + if ((ssl_ctx = ssl_ctx_new(axolotls_option, SSL_DEFAULT_SVR_SESS)) == NULL) { ret = SSL_ERROR_INVALID_KEY; @@ -881,7 +884,6 @@ static int SSL_server_test( error: ssl_ctx_free(ssl_ctx); -printf("RES %d\n", ret); TTY_FLUSH(); return ret; } @@ -1126,9 +1128,14 @@ int SSL_server_tests(void) cleanup: if (ret) { - printf("Error: A server test failed\n"); TTY_FLUSH(); + printf("Error: A server test failed\n"); + ssl_display_error(ret); exit(1); } + else + { + printf("All server tests passed\n"); TTY_FLUSH(); + } return ret; } @@ -1203,6 +1210,11 @@ static int SSL_client_test( if (*ssl_ctx == NULL) { + if (private_key) + { + client_options |= SSL_NO_DEFAULT_KEY; + } + if ((*ssl_ctx = ssl_ctx_new( client_options, SSL_DEFAULT_CLNT_SESS)) == NULL) { @@ -1402,7 +1414,7 @@ int SSL_client_tests(void) &ssl_ctx, "-cert ../ssl/test/axTLS.x509_device.pem " "-key ../ssl/test/axTLS.device_key.pem " - "-CAfile ../ssl/test/axTLS.x509_512.pem", NULL, + "-CAfile ../ssl/test/axTLS.x509_512.pem ", NULL, DEFAULT_CLNT_OPTION, NULL, NULL, NULL))) goto cleanup; @@ -1414,7 +1426,8 @@ int SSL_client_tests(void) "-CAfile ../ssl/test/axTLS.ca_x509.pem " "-verify 1 ", NULL, DEFAULT_CLNT_OPTION, "../ssl/test/axTLS.key_1024", NULL, - "../ssl/test/axTLS.x509_1024.cer"))) + "../ssl/test/axTLS.x509_1024.cer")) + != SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED)) goto cleanup; /* Should get an "ERROR" from openssl (as the handshake fails as soon as @@ -1451,7 +1464,15 @@ int SSL_client_tests(void) cleanup: if (ret) + { + ssl_display_error(ret); printf("Error: A client test failed\n"); + exit(1); + } + else + { + printf("All client tests passed\n"); TTY_FLUSH(); + } return ret; } @@ -1460,7 +1481,6 @@ cleanup: * SSL Basic Testing (test a big packet handshake) * **************************************************************************/ -#if 0 static uint8_t basic_buf[256*1024]; static void do_basic(void) @@ -1483,6 +1503,7 @@ static void do_basic(void) /* check the return status */ if (ssl_handshake_status(ssl_clnt) < 0) { + printf("YA YA\n"); ssl_display_error(ssl_handshake_status(ssl_clnt)); goto error; } @@ -1571,7 +1592,6 @@ error: ssl_ctx_free(ssl_svr_ctx); return ret; } -#endif #if !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING) /************************************************************************** @@ -1725,7 +1745,7 @@ error: SOCKET_CLOSE(server_fd); return res; } -#endif +#endif /* !defined(WIN32) && defined(CONFIG_SSL_CTX_MUTEXING) */ /************************************************************************** * Header issue @@ -1792,7 +1812,7 @@ error: int main(int argc, char *argv[]) { int ret = 1; - //BI_CTX *bi_ctx; + BI_CTX *bi_ctx; int fd; #ifdef WIN32 @@ -1807,7 +1827,12 @@ int main(int argc, char *argv[]) dup2(fd, 2); #endif -#if 0 + /* can't do testing in this mode */ +#if defined CONFIG_SSL_GENERATE_X509_CERT + printf("Error: Must compile with default key/certificates\n"); + exit(1); +#endif + bi_ctx = bi_initialize(); if (AES_test(bi_ctx)) @@ -1882,7 +1907,6 @@ int main(int argc, char *argv[]) goto cleanup; system("sh ../ssl/test/killopenssl.sh"); -#endif if (SSL_server_tests()) goto cleanup; @@ -1891,7 +1915,7 @@ int main(int argc, char *argv[]) if (header_issue()) { - printf("Header tests failed\n"); + printf("Header tests failed\n"); TTY_FLUSH(); goto cleanup; } diff --git a/ssl/tls1.c b/ssl/tls1.c index cd01cbdff..d84df3fb4 100755 --- a/ssl/tls1.c +++ b/ssl/tls1.c @@ -414,7 +414,7 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len) x509_free(cert); /* get rid of it */ ca_cert_ctx->cert[i] = NULL; #ifdef CONFIG_SSL_FULL_MODE - printf("Error: %s\n", x509_display_error(ret)); + printf("Error: %s\n", x509_display_error(ret)); TTY_FLUSH(); #endif goto error; } @@ -1477,7 +1477,6 @@ int send_certificate(SSL *ssl) while (i < ssl->ssl_ctx->chain_length) { - X509_CTX *cert_ctx; SSL_CERT *cert = &ssl->ssl_ctx->certs[i]; buf[offset++] = 0; buf[offset++] = cert->size >> 8; /* cert 1 length */ @@ -1485,10 +1484,6 @@ int send_certificate(SSL *ssl) memcpy(&buf[offset], cert->buf, cert->size); offset += cert->size; i++; - // TODO: get rid of these - x509_new(cert->buf, &cert->size, &cert_ctx); - x509_print(cert_ctx, NULL); - x509_free(cert_ctx); } chain_length = offset - 7; diff --git a/ssl/tls1.h b/ssl/tls1.h index af4dc115b..05258ed0d 100755 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -42,6 +42,7 @@ extern "C" { #include "version.h" #include "crypto.h" +#include "os_port.h" #include "crypto_misc.h" #define SSL_RANDOM_SIZE 32 @@ -261,8 +262,8 @@ void DISPLAY_RSA(SSL *ssl, const RSA_CTX *rsa_ctx); void DISPLAY_ALERT(SSL *ssl, int alert); #else #define DISPLAY_STATE(A,B,C,D) -#define DISPLAY_CERT(A,B,C) -#define DISPLAY_RSA(A,B,C) +#define DISPLAY_CERT(A,B) +#define DISPLAY_RSA(A,B) #define DISPLAY_ALERT(A, B) #ifdef WIN32 void DISPLAY_BYTES(SSL *ssl, const char *format,/* win32 has no variadic macros */ diff --git a/ssl/tls1_clnt.c b/ssl/tls1_clnt.c index b1a58ca13..91314333c 100644 --- a/ssl/tls1_clnt.c +++ b/ssl/tls1_clnt.c @@ -305,7 +305,7 @@ static int send_client_key_xchg(SSL *ssl) premaster_secret[0] = 0x03; /* encode the version number */ premaster_secret[1] = 0x01; get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]); - DISPLAY_RSA(ssl, "send_client_key_xchg", ssl->x509_ctx->rsa_ctx); + DISPLAY_RSA(ssl, ssl->x509_ctx->rsa_ctx); /* rsa_ctx->bi_ctx is not thread-safe */ SSL_CTX_LOCK(ssl->ssl_ctx->mutex); @@ -351,7 +351,7 @@ static int send_cert_verify(SSL *ssl) RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx; int n = 0, ret; - DISPLAY_RSA(ssl, "send_cert_verify", rsa_ctx); + DISPLAY_RSA(ssl, rsa_ctx); buf[0] = HS_CERT_VERIFY; buf[1] = 0; diff --git a/ssl/tls1_svr.c b/ssl/tls1_svr.c index 26813692d..3a79c31c9 100644 --- a/ssl/tls1_svr.c +++ b/ssl/tls1_svr.c @@ -378,7 +378,7 @@ static int process_client_key_xchg(SSL *ssl) int offset = 4; int ret = SSL_OK; - DISPLAY_RSA(ssl, "process_client_key_xchg", rsa_ctx); + DISPLAY_RSA(ssl, rsa_ctx); /* is there an extra size field? */ if ((secret_length - 2) == rsa_ctx->num_octets) @@ -444,7 +444,7 @@ static int process_cert_verify(SSL *ssl) PARANOIA_CHECK(pkt_size, x509_ctx->rsa_ctx->num_octets+6); - DISPLAY_RSA(ssl, "process_cert_verify", x509_ctx->rsa_ctx); + DISPLAY_RSA(ssl, x509_ctx->rsa_ctx); /* rsa_ctx->bi_ctx is not thread-safe */ SSL_CTX_LOCK(ssl->ssl_ctx->mutex); diff --git a/ssl/x509.c b/ssl/x509.c index a51ed1bb5..758f3f0e1 100644 --- a/ssl/x509.c +++ b/ssl/x509.c @@ -264,7 +264,7 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) bigint *cert_sig; X509_CTX *next_cert = NULL; BI_CTX *ctx; - bigint *mod, *expn; + bigint *mod = NULL, *expn = NULL; struct timeval tv; int match_ca_cert = 0; uint8_t is_self_signed = 0; @@ -319,14 +319,6 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) goto end_verify; } - /* check the chain integrity */ - if (next_cert && !match_ca_cert && - asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) == 0) - { - ret = X509_VFY_ERROR_INVALID_CHAIN; - goto end_verify; - } - ctx = cert->rsa_ctx->bi_ctx; /* check for self-signing */ @@ -336,30 +328,42 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) mod = cert->rsa_ctx->m; expn = cert->rsa_ctx->e; } - else + else if (next_cert != NULL) { mod = next_cert->rsa_ctx->m; expn = next_cert->rsa_ctx->e; + + /* check the chain integrity */ + if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn) != 0) + { + ret = X509_VFY_ERROR_INVALID_CHAIN; + goto end_verify; + } } /* check the signature */ - cert_sig = sig_verify(ctx, cert->signature, cert->sig_len, - bi_clone(ctx, mod), bi_clone(ctx, expn)); - - if (cert_sig && cert->digest) + if (mod != NULL) { - if (bi_compare(cert_sig, cert->digest)) + cert_sig = sig_verify(ctx, cert->signature, cert->sig_len, + bi_clone(ctx, mod), bi_clone(ctx, expn)); + + if (cert_sig && cert->digest) + { + if (bi_compare(cert_sig, cert->digest)) + { + ret = X509_VFY_ERROR_BAD_SIGNATURE; + } + + bi_free(ctx, cert_sig); + + if (ret) + goto end_verify; + } + else + { ret = X509_VFY_ERROR_BAD_SIGNATURE; - - bi_free(ctx, cert_sig); - - if (ret) goto end_verify; - } - else - { - ret = X509_VFY_ERROR_BAD_SIGNATURE; - goto end_verify; + } } if (is_self_signed) diff --git a/www/index.html b/www/index.html index 707b1af73..9628314f0 100755 --- a/www/index.html +++ b/www/index.html @@ -7086,12 +7086,12 @@ if (useJavaSaver)
changes, notes and errata
-
!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.8@@\n\n!!__SSL Library__\n* Now using a BSD style license.\n* Certificates can now be automatically generated (the keys still need to be provided).\n* Certificate/keys can be loaded automatically given a file location.\n* ~SSL_NO_DEFAULT_KEY has been removed (it is now largely redundant).\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.7@@\n\n!!__SSL Library__\n\n* Variable sized session id's is now better handled for session caching. It has meant a new API call ssl_get_session_id_size() and a change to ssl_client_new() to define the session id size.\n* Muliple records with a single header are now better supported (thanks to Hervé Sibert).\n* ~MD2 added for Verisign root cert verification (thanks to Byron Rakitzis).\n* The ~MD5/~SHA1 digests are calculated incrementally to reduce memory (thanks to Byron Rakitzis).\n* The bigint cache is now cleared regularly to reduce memory.\n\n!!__axhttpd__\n\n* Improved the POST handling (thanks to Christian Melki).\n* CSS files now work properly.\n* Lua's CGI launcher location is configurable.\n* vfork() is now used for CGI for performance reasons.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.6@@\n\n!!__SSL Library__\n\n* ~RC4 speed improvements\n* Lua samples/bindings now work properly\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.5@@\n\n!!__SSL Library__\n\n* Session id's can now be variable lengths in server hello messages.\n* 0 length client certificates are now supported.\n* ssl_version() now returns just the version and not the date.\n* ssl_write() was not sending complete packets under load.\n\n!!__axhttpd__\n\n* Completely updated the CGI code.\n* Lua now integrated - Lua scripts and Lua Pages now run.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.4@@\n\n!!__SSL Library__\n\n* Fixed a Win32 crypto library issue with non-Administrator users\n* Removed compiler warnings that showed up in ~FC6.\n* GNU TLS certificates are now accepted.\n* Separated the send/receive headers for HMAC calculations.\n* Fixed a compilation problem with swig/perl/~FC6.\n* Fixed an issue with loading PEM CA certificates.\n\n!!__axhttpd__\n\n* Made //setuid()/setgid()// call an mconf option.\n* Made //chroot()// an mconf option. Default to //chdir()// instead.\n* Removed optional permissions checking.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.1@@\n\n!!__SSL Library__\n\n* AES should now work on 16bit processors (there was an alignment problem).\n* Various freed objects are cleared before freeing.\n* Header files now installed in ///usr/local/include/axTLS//.\n* -DCYGWIN replaced with -~DCONFIG_PLATFORM_CYGWIN (and the same for Solaris).\n* removed "-noextern" option in Swig. Fixed some other warnings in Win32.\n* SSLCTX changed to ~SSL_CTX (to be consistent with openssl). SSLCTX still exists for backwards compatibility.\n* malloc() and friends call abort() on failure.\n* Fixed a memory leak in directory listings.\n* Added openssl() compatibility functions.\n* Fixed Cygwin 'make install' issue.\n\n!!__axhttpd__\n\n* main.c now becomes axhttpd.c.\n* Header file issue fixed (in mime_types.c).\n* //chroot()// now used for better security.\n* Basic authentication implemented (via .htpasswd).\n* SSL access/denial protection implemented (via .htaccess).\n* Directory access protection implemented (via .htaccess).\n* Can now have more than one CGI file extension in mconf.\n* "~If-Modified-Since" request now handled properly.\n* Performance tweaks to remove //ssl_find()//.
+
!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.8@@\n\n!!__SSL Library__\n* Now using a BSD style license.\n* Self-signed certificates can now be automatically generated (the keys still need to be provided).\n* A new API call //ssl_x509_create()// can be used to programmatically create the certificate.\n* Certificate/keys can be loaded automatically given a file location.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.7@@\n\n!!__SSL Library__\n\n* Variable sized session id's is now better handled for session caching. It has meant a new API call //ssl_get_session_id_size()// and a change to //ssl_client_new()// to define the session id size.\n* Muliple records with a single header are now better supported (thanks to Hervé Sibert).\n* ~MD2 added for Verisign root cert verification (thanks to Byron Rakitzis).\n* The ~MD5/~SHA1 digests are calculated incrementally to reduce memory (thanks to Byron Rakitzis).\n* The bigint cache is now cleared regularly to reduce memory.\n\n!!__axhttpd__\n\n* Improved the POST handling (thanks to Christian Melki).\n* CSS files now work properly.\n* Lua's CGI launcher location is configurable.\n* //vfork()// is now used for CGI for performance reasons.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.6@@\n\n!!__SSL Library__\n\n* ~RC4 speed improvements\n* Lua samples/bindings now work properly\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.5@@\n\n!!__SSL Library__\n\n* Session id's can now be variable lengths in server hello messages.\n* 0 length client certificates are now supported.\n* ssl_version() now returns just the version and not the date.\n* ssl_write() was not sending complete packets under load.\n\n!!__axhttpd__\n\n* Completely updated the CGI code.\n* Lua now integrated - Lua scripts and Lua Pages now run.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.4@@\n\n!!__SSL Library__\n\n* Fixed a Win32 crypto library issue with non-Administrator users\n* Removed compiler warnings that showed up in ~FC6.\n* GNU TLS certificates are now accepted.\n* Separated the send/receive headers for HMAC calculations.\n* Fixed a compilation problem with swig/perl/~FC6.\n* Fixed an issue with loading PEM CA certificates.\n\n!!__axhttpd__\n\n* Made //setuid()/setgid()// call an mconf option.\n* Made //chroot()// an mconf option. Default to //chdir()// instead.\n* Removed optional permissions checking.\n\n!@@bgcolor(#ff0000):color(#ffffff):Changes for 1.1.1@@\n\n!!__SSL Library__\n\n* AES should now work on 16bit processors (there was an alignment problem).\n* Various freed objects are cleared before freeing.\n* Header files now installed in ///usr/local/include/axTLS//.\n* -DCYGWIN replaced with -~DCONFIG_PLATFORM_CYGWIN (and the same for Solaris).\n* removed "-noextern" option in Swig. Fixed some other warnings in Win32.\n* SSLCTX changed to ~SSL_CTX (to be consistent with openssl). SSLCTX still exists for backwards compatibility.\n* malloc() and friends call abort() on failure.\n* Fixed a memory leak in directory listings.\n* Added openssl() compatibility functions.\n* Fixed Cygwin 'make install' issue.\n\n!!__axhttpd__\n\n* main.c now becomes axhttpd.c.\n* Header file issue fixed (in mime_types.c).\n* //chroot()// now used for better security.\n* Basic authentication implemented (via .htpasswd).\n* SSL access/denial protection implemented (via .htaccess).\n* Directory access protection implemented (via .htaccess).\n* Can now have more than one CGI file extension in mconf.\n* "~If-Modified-Since" request now handled properly.\n* Performance tweaks to remove //ssl_find()//.
[[Read Me]]
axTLS uses a BSD style license:\n\nCopyright (c) 2007, Cameron Rich All rights reserved.\n\nRedistribution and use in source and binary forms, with or without\nmodification, are permitted provided that the following conditions are met:\n\nRedistributions of source code must retain the above copyright notice, this\nlist of conditions and the following disclaimer. Redistributions in binary\nform must reproduce the above copyright notice, this list of conditions and\nthe following disclaimer in the documentation and/or other materials\nprovided with the distribution. Neither the name of the axTLS Project nor\nthe names of its contributors may be used to endorse or promote products\nderived from this software without specific prior written permission. \n\nTHIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"\nAND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\nIMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\nARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR\nANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\nDAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR\nSERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER\nCAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\nLIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\nOUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH\nDAMAGE.
[[Read Me]] \n[[Changelog]]\n[[axhttpd]]\n[[License]]
<div class='header' macro='gradient vert #390108 #900'>\n<div class='headerShadow'>\n<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;\n<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>\n</div>\n<div class='headerForeground'>\n<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;\n<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>\n</div>\n</div>\n<div id='mainMenu'>\n<div refresh='content' tiddler='MainMenu'></div>\n</div>\n<div id='sidebar'>\n<div id='sidebarOptions' refresh='content' tiddler='SideBarOptions'></div>\n<div id='sidebarTabs' refresh='content' force='true' tiddler='SideBarTabs'></div>\n</div>\n<div id='displayArea'>\n<div id='messageArea'></div>\n<div id='tiddlerDisplay'></div>\n</div>
-
!@@bgcolor(#ff0000):color(#ffffff):axTLS Quick Start Guide@@\n\nThis is a guide to get a small SSL web-server up and running quickly some stuff.\n\n!!__Introduction__\n\nThe axTLS project is an SSL client/server library using the ~TLSv1 protocol. It is designed to be small and fast, and is suited to embedded projects. A web server is included.\n\nThe basic web server + SSL library is around 60-70kB and is configurable for features or size.\n\n!!__Compilation__\n\nAll platforms require GNU make. This means on Win32 that Cygwin needs to be installed with "make" and various developer options selected.\n\nConfiguration now uses a tool called "mconf" which gives a nice way to configure options (similar to what is used in ~BusyBox and the Linux kernel).\n\nYou should be able to compile axTLS simply by extracting it, change into the extracted directory and typing:\n\n{{indent{{{{> make}}}\n\nSelect your platform type, save the configuration, exit, and then type "make" again.\n\nIf all goes well, you should end up with an executable called "axhttpd" (or axhttpd.exe) in the //_stage// directory.\n\nTo play with all the various axTLS options, type:\n\n{{indent{{{{> make menuconfig}}}\n\nSave the new configuration and rebuild.\n\n!!__Running it__\n\nTo run it, go to the //_stage// directory, and type (as superuser):\n\n{{indent{{{{> axhttpd}}}\n\nNote: you may have to set your ~LD_LIBRARY_PATH - e.g. go to //_stage// and type //export ~LD_LIBRARY_PATH=`pwd`//\n\nAnd then point your browser at https://127.0.0.1 And you should see a this html page with a padlock appearing on your browser. or type http://127.0.0.1 to see the same page unencrypted.\n\n!!__The axssl utilities__\n\nThe axssl suite of tools are the SSL test tools in the various language bindings. They are:\n\n* axssl - C sample\n* axssl.csharp - C# sample\n* axssl.vbnet - VB.NET sample\n* axtls.jar - Java sample\n* axssl.pl - Perl sample\n* axssl.lua - Lua sample\n\nAll the tools have identical command-line parameters. e.g. to run something interesting:\n\n{{indent{{{{> axssl s_server -verify -CAfile ../ssl/test/axTLS.ca_x509}}}\n\nand\n\n{{indent{{{{> axssl s_client -cert ../ssl/test/axTLS.x509_1024 -key ../ssl/test/axTLS.key_1024 -reconnect}}}\n\n!!!!C#\n\nIf building under Linux or other non-Win32 platforms, Mono must be installed and the executable is run as:\n\n{{indent{{{{> mono axssl.csharp.exe ...}}}\n\n!!!!Java\n\nThe java version is run as:\n\n{{indent{{{{> java -jar axtls.jar <options>}}}\n\n!!!!Perl\n\n{{indent{{{{> [perl] ./axssl.pl <options>}}}\n\nIf running under Win32, be sure to use the correct version of Perl (i.e. ~ActiveState's version works ok).\n\n!!!!Lua\n\n{{indent{{{{> [lua] ./axssl.lua <options>}}}\n\n!__Known Issues__\n\n* Firefox doesn't handle legacy ~SSLv2 at all well. Disabling ~SSLv2 still initiates a ~SSLv23 handshake (v1.5). And continuous pressing of the "Reload" page instigates a change to ~SSLv3 for some reason (even though the TLS 1.0 option is selected). This will cause a "Firefox and <server> cannot communicate securely because they have no common encryption algorithms" (v1.5), or "Firefox can't connect to <server> because the site uses a security protocol which isn't enabled" (v2.0). See bugzilla issues 343543 and 359484 (Comment #7). It's all broken (hopefully fixed soon).\n* Perl/Java bindings don't work on 64 bit Linux machines. I can't even compile the latest version of Perl on an ~AMD64 box (using ~FC3).\n* Java 1.4 or better is required for the Java interfaces.\n* Processes that fork can't use session resumption unless some form of IPC is used.\n* Ensure libperl.so and libaxtls.so are in the shared library path when running with the perl bindings. A way to do this is with:\n\n{{indent{{{{> export LD_LIBRARY_PATH=`perl -e 'use Config; print $Config{archlib};'`/CORE:.}}}\n* The lua sample requires the luabit library from http://luaforge.net/projects/bit.\n\n!!!!Win32 issues\n\n* Be careful about doing .NET executions on network drives - .NET complains with security exceptions on the binary. //TODO: Add a manifest file to prevent this.//\n* CGI has been removed from Win32 - it needs a lot more work to get it right.\n* The default Microsoft .NET SDK is v2.0.50727. Download from: http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.\n\n!!!!Solaris issues\n\n* mconf doesn't work well - some manual tweaking is required for string values.\n* GNU make is required and needs to be in $PATH.\n* To get swig's library dependencies to work (and for the C library to be found), I needed to type:\n\n{{indent{{{{> export LD_LIBRARY_PATH=/usr/local/gcc-3.3.1/lib:.}}}\n\n!!!!Cygwin issues\n\n* The bindings all compile but don't run under Cygwin with the exception of Perl. This is due to win32 executables being incompatible with Cygwin libraries.\n\n
+
!@@bgcolor(#ff0000):color(#ffffff):axTLS Quick Start Guide@@\n\nThis is a guide to get a small SSL web-server up and running quickly.\n\n!!__Introduction__\n\nThe axTLS project is an SSL client/server library using the ~TLSv1 protocol. It is designed to be small and fast, and is suited to embedded projects. A web server is included.\n\nThe basic web server + SSL library is around 60-70kB and is configurable for features or size.\n\n!!__Compilation__\n\nAll platforms require GNU make. This means on Win32 that Cygwin needs to be installed with "make" and various developer options selected.\n\nConfiguration now uses a tool called "mconf" which gives a nice way to configure options (similar to what is used in ~BusyBox and the Linux kernel).\n\nYou should be able to compile axTLS simply by extracting it, change into the extracted directory and typing:\n\n{{indent{{{{> make}}}\n\nSelect your platform type, save the configuration, exit, and then type "make" again.\n\nIf all goes well, you should end up with an executable called "axhttpd" (or axhttpd.exe) in the //_stage// directory.\n\nTo play with all the various axTLS options, type:\n\n{{indent{{{{> make menuconfig}}}\n\nSave the new configuration and rebuild.\n\n!!__Running it__\n\nTo run it, go to the //_stage// directory, and type (as superuser):\n\n{{indent{{{{> axhttpd}}}\n\nNote: you may have to set your ~LD_LIBRARY_PATH - e.g. go to //_stage// and type //export ~LD_LIBRARY_PATH=`pwd`//\n\nAnd then point your browser at https://127.0.0.1 And you should see a this html page with a padlock appearing on your browser. or type http://127.0.0.1 to see the same page unencrypted.\n\n!!__The axssl utilities__\n\nThe axssl suite of tools are the SSL test tools in the various language bindings. They are:\n\n* axssl - C sample\n* axssl.csharp - C# sample\n* axssl.vbnet - VB.NET sample\n* axtls.jar - Java sample\n* axssl.pl - Perl sample\n* axssl.lua - Lua sample\n\nAll the tools have identical command-line parameters. e.g. to run something interesting:\n\n{{indent{{{{> axssl s_server -verify -CAfile ../ssl/test/axTLS.ca_x509}}}\n\nand\n\n{{indent{{{{> axssl s_client -cert ../ssl/test/axTLS.x509_1024 -key ../ssl/test/axTLS.key_1024 -reconnect}}}\n\n!!!!C#\n\nIf building under Linux or other non-Win32 platforms, Mono must be installed and the executable is run as:\n\n{{indent{{{{> mono axssl.csharp.exe ...}}}\n\n!!!!Java\n\nThe java version is run as:\n\n{{indent{{{{> java -jar axtls.jar <options>}}}\n\n!!!!Perl\n\n{{indent{{{{> [perl] ./axssl.pl <options>}}}\n\nIf running under Win32, be sure to use the correct version of Perl (i.e. ~ActiveState's version works ok).\n\n!!!!Lua\n\n{{indent{{{{> [lua] ./axssl.lua <options>}}}\n\n!__Known Issues__\n\n* Firefox doesn't handle legacy ~SSLv2 at all well. Disabling ~SSLv2 still initiates a ~SSLv23 handshake (v1.5). And continuous pressing of the "Reload" page instigates a change to ~SSLv3 for some reason (even though the TLS 1.0 option is selected). This will cause a "Firefox and <server> cannot communicate securely because they have no common encryption algorithms" (v1.5), or "Firefox can't connect to <server> because the site uses a security protocol which isn't enabled" (v2.0). See bugzilla issues 343543 and 359484 (Comment #7). It's all broken (hopefully fixed soon).\n* Perl/Java bindings don't work on 64 bit Linux machines. I can't even compile the latest version of Perl on an ~AMD64 box (using ~FC3).\n* Java 1.4 or better is required for the Java interfaces.\n* Processes that fork can't use session resumption unless some form of IPC is used.\n* Ensure libperl.so and libaxtls.so are in the shared library path when running with the perl bindings. A way to do this is with:\n\n{{indent{{{{> export LD_LIBRARY_PATH=`perl -e 'use Config; print $Config{archlib};'`/CORE:.}}}\n* The lua sample requires the luabit library from http://luaforge.net/projects/bit.\n\n!!!!Win32 issues\n\n* Be careful about doing .NET executions on network drives - .NET complains with security exceptions on the binary. //TODO: Add a manifest file to prevent this.//\n* CGI has been removed from Win32 - it needs a lot more work to get it right.\n* The default Microsoft .NET SDK is v2.0.50727. Download from: http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.\n\n!!!!Solaris issues\n\n* mconf doesn't work well - some manual tweaking is required for string values.\n* GNU make is required and needs to be in $PATH.\n* To get swig's library dependencies to work (and for the C library to be found), I needed to type:\n\n{{indent{{{{> export LD_LIBRARY_PATH=/usr/local/gcc-3.3.1/lib:.}}}\n\n!!!!Cygwin issues\n\n* The bindings all compile but don't run under Cygwin with the exception of Perl. This is due to win32 executables being incompatible with Cygwin libraries.\n\n
changes, notes and errata
axTLS Embedded SSL
http://axtls.cerocclub.com.au