arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-13 13:01:55 +03:00
Code Activity

* Added SHA256

Browse Source 
* Return code checked for get_random()
* MD2 code removed.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@238 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich
2014-11-19 03:51:22 +00:00
parent 9ef84f9234
commit 82a7638efa
15 changed files with 531 additions and 288 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ssl/Makefile
View File

@ -69,11 +69,11 @@ CRYPTO_OBJ=\
$(CRYPTO_PATH)bigint.o \
$(CRYPTO_PATH)crypto_misc.o \
$(CRYPTO_PATH)hmac.o \
$(CRYPTO_PATH)md2.o \
$(CRYPTO_PATH)md5.o \
$(CRYPTO_PATH)rc4.o \
$(CRYPTO_PATH)rsa.o \
$(CRYPTO_PATH)sha1.o
$(CRYPTO_PATH)sha1.o \
$(CRYPTO_PATH)sha256.o
OBJ=\
asn1.o \

32
ssl/asn1.c
View File

@ -40,22 +40,23 @@
#include "crypto.h"
#include "crypto_misc.h"
#define SIG_OID_PREFIX_SIZE 8
#define SIG_IIS6_OID_SIZE 5
#define SIG_SUBJECT_ALT_NAME_SIZE 3
/* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */
static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] =
static const uint8_t sig_oid_prefix[] =
{
0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
};
static const uint8_t sig_sha1WithRSAEncrypt[SIG_IIS6_OID_SIZE] =
static const uint8_t sig_sha1WithRSAEncrypt[] =
{
0x2b, 0x0e, 0x03, 0x02, 0x1d
};
static const uint8_t sig_subject_alt_name[SIG_SUBJECT_ALT_NAME_SIZE] =
static const uint8_t sig_sha256WithRSAEncrypt[] =
{
0x60, 0x86, 0x48, 0x01, 0x65, 0x03, 0x04, 0x02, 0x01
};
static const uint8_t sig_subject_alt_name[] =
{
0x55, 0x1d, 0x11
};
@ -553,7 +554,7 @@ int asn1_find_oid(const uint8_t* cert, int* offset,
int asn1_find_subjectaltname(const uint8_t* cert, int offset)
{
if (asn1_find_oid(cert, &offset, sig_subject_alt_name,
SIG_SUBJECT_ALT_NAME_SIZE))
sizeof(sig_subject_alt_name)))
{
return offset;
}
@ -577,17 +578,24 @@ int asn1_signature_type(const uint8_t *cert,
len = get_asn1_length(cert, offset);
if (len == 5 && memcmp(sig_sha1WithRSAEncrypt, &cert[*offset],
SIG_IIS6_OID_SIZE) == 0)
if (len == sizeof(sig_sha1WithRSAEncrypt) &&
memcmp(sig_sha1WithRSAEncrypt, &cert[*offset],
sizeof(sig_sha1WithRSAEncrypt)) == 0)
{
x509_ctx->sig_type = SIG_TYPE_SHA1;
}
else if (len == sizeof(sig_sha256WithRSAEncrypt) &&
memcmp(sig_sha256WithRSAEncrypt, &cert[*offset],
sizeof(sig_sha256WithRSAEncrypt)) == 0)
{
x509_ctx->sig_type = SIG_TYPE_SHA256;
}
else
{
if (memcmp(sig_oid_prefix, &cert[*offset], SIG_OID_PREFIX_SIZE))
if (memcmp(sig_oid_prefix, &cert[*offset], sizeof(sig_oid_prefix)))
goto end_check_sig; /* unrecognised cert type */
x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
x509_ctx->sig_type = cert[*offset + sizeof(sig_oid_prefix)];
}
*offset += len;

1
ssl/crypto_misc.h
View File

@ -126,6 +126,7 @@ const char * x509_display_error(int error);
#define SIG_TYPE_MD2 0x02
#define SIG_TYPE_MD5 0x04
#define SIG_TYPE_SHA1 0x05
#define SIG_TYPE_SHA256 0x0b
int get_asn1_length(const uint8_t *buf, int *offset);
int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx);

31
ssl/test/camster_duckdns_org.crt Normal file
View File

@ -0,0 +1,31 @@
-----BEGIN CERTIFICATE-----
MIIFXTCCBEWgAwIBAgIQRKGXkBbin0Hge3vNu4Z04TANBgkqhkiG9w0BAQsFADCB
kDELMAkGA1UEBhMCR0IxGzAZBgNVBAgTEkdyZWF0ZXIgTWFuY2hlc3RlcjEQMA4G
A1UEBxMHU2FsZm9yZDEaMBgGA1UEChMRQ09NT0RPIENBIExpbWl0ZWQxNjA0BgNV
BAMTLUNPTU9ETyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xNDExMTIwMDAwMDBaFw0xNzExMTEyMzU5NTlaMFcxITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEUMBIGA1UECxMLUG9zaXRpdmVTU0wxHDAa
BgNVBAMTE2NhbXN0ZXIuZHVja2Rucy5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQCvKi9/3GOq1pqgnIQR2hTxr1kv17pUzpQeAVOZVCd/q6KbMrsw
ayPj41hJd+EVtu6DV8Zd/Rxv4P6i2HTRWev9aE2+vFfTmhIZG0HUZqs3Fbq6yONn
ox8d7Dsu/vwIkyaIE9mMAYYr81bX86v8cmvCHatCO/lluwUqjnXUjYpMOpTopHjC
hNzUe63ZtUDVmXfTBHneO5GLZqhQSSX7rd33cJzkojGCoPSFP5TUhN5WGyRi+xa2
bD+Q5xXlC4f/WVXiZxGiGPrWIpQBO5Y5o33S6Vo2ck9Bvg2g1atsR02m+yARtmH3
+IDlvg7DeyLL3AXgUwDNHnRb0t9LVDXcYOJnAgMBAAGjggHpMIIB5TAfBgNVHSME
GDAWgBSQr2o6lFoL2JDqElZz30O0Oija5zAdBgNVHQ4EFgQUGNRX8FYKZUYa1F4+
L7nyHOn3ArcwDgYDVR0PAQH/BAQDAgWgMAwGA1UdEwEB/wQCMAAwHQYDVR0lBBYw
FAYIKwYBBQUHAwEGCCsGAQUFBwMCME8GA1UdIARIMEYwOgYLKwYBBAGyMQECAgcw
KzApBggrBgEFBQcCARYdaHR0cHM6Ly9zZWN1cmUuY29tb2RvLmNvbS9DUFMwCAYG
Z4EMAQIBMFQGA1UdHwRNMEswSaBHoEWGQ2h0dHA6Ly9jcmwuY29tb2RvY2EuY29t
L0NPTU9ET1JTQURvbWFpblZhbGlkYXRpb25TZWN1cmVTZXJ2ZXJDQS5jcmwwgYUG
CCsGAQUFBwEBBHkwdzBPBggrBgEFBQcwAoZDaHR0cDovL2NydC5jb21vZG9jYS5j
b20vQ09NT0RPUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNlcnZlckNBLmNydDAk
BggrBgEFBQcwAYYYaHR0cDovL29jc3AuY29tb2RvY2EuY29tMDcGA1UdEQQwMC6C
E2NhbXN0ZXIuZHVja2Rucy5vcmeCF3d3dy5jYW1zdGVyLmR1Y2tkbnMub3JnMA0G
CSqGSIb3DQEBCwUAA4IBAQBpfJIXHPyoxbXlS1Jy5V4oDpDR+vKRIXXUPDp6GlmK
6w8W7M536W7JamLrT8wbA04hKgtjQkXD8pXZPFHBNJ92Lza5fKB/KiIlObz386lK
Z9AVc10TwWlkZlFYhYVhQ+kpTtcUUdj5QI2org81s9XQoSViVOM8cxIuYk/er20g
jY3Nvdbjg4dtakH1nsITGMYLN+wJglSAq1QGSQ76fLyYhMfF25nNjPYP96SFf1Dd
XinknP2tED6ukzIgfkimlyn2/XIbnz4Xry8ouq4x/cPd8MOcffWt1QWlGIel5B8i
I1vtVHceHSsHjnnNPSkXIn0/lpc5vzVZ+bw9yLt+Lvc6
-----END CERTIFICATE-----

224
ssl/test/ssltest.c
View File

@ -1,5 +1,5 @@
/*
* Copyright (c) 2007, Cameron Rich
* Copyright (c) 2007-2014, Cameron Rich
*
* All rights reserved.
*
@ -302,6 +302,60 @@ end:
return res;
}
/**************************************************************************
* SHA256 tests
*
* Run through a couple of the SHA-2 tests to verify that SHA256 is correct.
**************************************************************************/
static int SHA256_test(BI_CTX *bi_ctx)
{
SHA256_CTX ctx;
uint8_t ct[SHA256_SIZE];
uint8_t digest[SHA256_SIZE];
int res = 1;
{
const char *in_str = "abc";
bigint *ct_bi = bi_str_import(bi_ctx,
"BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD");
bi_export(bi_ctx, ct_bi, ct, SHA256_SIZE);
SHA256_Init(&ctx);
SHA256_Update(&ctx, (const uint8_t *)in_str, strlen(in_str));
SHA256_Final(digest, &ctx);
if (memcmp(digest, ct, sizeof(ct)))
{
printf("Error: SHA256 # failed\n");
goto end;
}
}
{
const char *in_str =
"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq";
bigint *ct_bi = bi_str_import(bi_ctx,
"248D6A61D20638B8E5C026930C3E6039A33CE45964FF2167F6ECEDD419DB06C1");
bi_export(bi_ctx, ct_bi, ct, SHA256_SIZE);
SHA256_Init(&ctx);
SHA256_Update(&ctx, (const uint8_t *)in_str, strlen(in_str));
SHA256_Final(digest, &ctx);
if (memcmp(digest, ct, sizeof(ct)))
{
printf("Error: SHA256 #2 failed\n");
goto end;
}
}
res = 0;
printf("All SHA256 tests passed\n");
end:
return res;
}
/**************************************************************************
* MD5 tests
*
@ -521,6 +575,8 @@ static int RSA_test(void)
int len;
uint8_t *buf;
RNG_initialize();
/* extract the private key elements */
len = get_file("../ssl/test/axTLS.key_1024", &buf);
if (asn1_get_private_key(buf, len, &rsa_ctx) < 0)
@ -547,11 +603,16 @@ static int RSA_test(void)
goto end;
}
RSA_encrypt(rsa_ctx, (const uint8_t *)"abc", 3, enc_data2, 0);
if (RSA_encrypt(rsa_ctx, (const uint8_t *)"abc", 3, enc_data2, 0) < 0)
{
printf("Error: ENCRYPT #2 failed\n");
goto end;
}
RSA_decrypt(rsa_ctx, enc_data2, dec_data2, sizeof(dec_data2), 1);
if (memcmp("abc", dec_data2, 3))
{
printf("Error: ENCRYPT/DECRYPT #2 failed\n");
printf("Error: DECRYPT #2 failed\n");
goto end;
}
@ -560,6 +621,7 @@ static int RSA_test(void)
printf("All RSA tests passed\n");
end:
RNG_terminate();
return res;
}
@ -648,8 +710,8 @@ static int cert_tests(void)
free(buf);
ssl_ctx = ssl_ctx_new(0, 0);
len = get_file("../ssl/test/verisign.x509_ca", &buf);
if ((res = add_cert_auth(ssl_ctx, buf, len)) <0)
if ((res = ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT,
"../ssl/test/camster_duckdns_org.crt", NULL)) != SSL_OK)
{
printf("Cert #7\n");
ssl_display_error(res);
@ -657,23 +719,12 @@ static int cert_tests(void)
}
ssl_ctx_free(ssl_ctx);
free(buf);
if (get_file("../ssl/test/verisign.x509_my_cert", &buf) < 0 ||
x509_new(buf, &len, &x509_ctx))
{
printf("Cert #8\n");
ssl_display_error(res);
goto bad_cert;
}
x509_free(x509_ctx);
free(buf);
ssl_ctx = ssl_ctx_new(0, 0);
if ((res = ssl_obj_load(ssl_ctx,
SSL_OBJ_X509_CERT, "../ssl/test/ms_iis.cer", NULL)) != SSL_OK)
{
printf("Cert #9\n");
ssl_display_error(res);
goto bad_cert;
}
@ -683,14 +734,14 @@ static int cert_tests(void)
if (get_file("../ssl/test/qualityssl.com.der", &buf) < 0 ||
x509_new(buf, &len, &x509_ctx))
{
printf("Cert #9\n");
printf("Cert #10\n");
res = -1;
goto bad_cert;
}
if (strcmp(x509_ctx->subject_alt_dnsnames[1], "qualityssl.com"))
{
printf("Cert #9 (2)\n");
printf("Cert #11\n");
res = -1;
goto bad_cert;
}
@ -701,7 +752,7 @@ static int cert_tests(void)
if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT,
"../ssl/test/ca-bundle.crt", NULL))
{
printf("Cert #10\n");
printf("Cert #12\n");
goto bad_cert;
}
@ -2061,64 +2112,64 @@ error:
* Header issue
*
**************************************************************************/
static void do_header_issue(void)
{
char axtls_buf[2048];
#ifndef WIN32
pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
#endif
sprintf(axtls_buf, "./axssl s_client -connect localhost:%d", g_port);
SYSTEM(axtls_buf);
}
static int header_issue(void)
{
FILE *f = fopen("../ssl/test/header_issue.dat", "r");
int server_fd = -1, client_fd = -1, ret = 1;
uint8_t buf[2048];
int size = 0;
struct sockaddr_in client_addr;
socklen_t clnt_len = sizeof(client_addr);
#ifndef WIN32
pthread_t thread;
#endif
if (f == NULL || (server_fd = server_socket_init(&g_port)) < 0)
goto error;
#ifndef WIN32
pthread_create(&thread, NULL,
(void *(*)(void *))do_header_issue, NULL);
pthread_detach(thread);
#else
CreateThread(NULL, 1024, (LPTHREAD_START_ROUTINE)do_header_issue,
NULL, 0, NULL);
#endif
if ((client_fd = accept(server_fd,
(struct sockaddr *) &client_addr, &clnt_len)) < 0)
{
ret = SSL_ERROR_SOCK_SETUP_FAILURE;
goto error;
}
size = fread(buf, 1, sizeof(buf), f);
if (SOCKET_WRITE(client_fd, buf, size) < 0)
{
ret = SSL_ERROR_SOCK_SETUP_FAILURE;
goto error;
}
usleep(200000);
ret = 0;
error:
fclose(f);
SOCKET_CLOSE(client_fd);
SOCKET_CLOSE(server_fd);
TTY_FLUSH();
SYSTEM("killall axssl");
return ret;
}
//static void do_header_issue(void)
//{
// char axtls_buf[2048];
//#ifndef WIN32
// pthread_setcanceltype(PTHREAD_CANCEL_ASYNCHRONOUS, NULL);
//#endif
// sprintf(axtls_buf, "./axssl s_client -connect localhost:%d", g_port);
// SYSTEM(axtls_buf);
//}
//
//static int header_issue(void)
//{
// FILE *f = fopen("../ssl/test/header_issue.dat", "r");
// int server_fd = -1, client_fd = -1, ret = 1;
// uint8_t buf[2048];
// int size = 0;
// struct sockaddr_in client_addr;
// socklen_t clnt_len = sizeof(client_addr);
//#ifndef WIN32
// pthread_t thread;
//#endif
//
// if (f == NULL || (server_fd = server_socket_init(&g_port)) < 0)
// goto error;
//
//#ifndef WIN32
// pthread_create(&thread, NULL,
// (void *(*)(void *))do_header_issue, NULL);
// pthread_detach(thread);
//#else
// CreateThread(NULL, 1024, (LPTHREAD_START_ROUTINE)do_header_issue,
// NULL, 0, NULL);
//#endif
// if ((client_fd = accept(server_fd,
// (struct sockaddr *) &client_addr, &clnt_len)) < 0)
// {
// ret = SSL_ERROR_SOCK_SETUP_FAILURE;
// goto error;
// }
//
// size = fread(buf, 1, sizeof(buf), f);
// if (SOCKET_WRITE(client_fd, buf, size) < 0)
// {
// ret = SSL_ERROR_SOCK_SETUP_FAILURE;
// goto error;
// }
//
// usleep(200000);
//
// ret = 0;
//error:
// fclose(f);
// SOCKET_CLOSE(client_fd);
// SOCKET_CLOSE(server_fd);
// TTY_FLUSH();
// SYSTEM("killall axssl");
// return ret;
//}
/**************************************************************************
* main()
@ -2178,6 +2229,13 @@ int main(int argc, char *argv[])
}
TTY_FLUSH();
if (SHA256_test(bi_ctx))
{
printf("SHA256 tests failed\n");
goto cleanup;
}
TTY_FLUSH();
if (HMAC_test(bi_ctx))
{
printf("HMAC tests failed\n");
@ -2234,11 +2292,11 @@ int main(int argc, char *argv[])
SYSTEM("sh ../ssl/test/killopenssl.sh");
if (header_issue())
{
printf("Header tests failed\n"); TTY_FLUSH();
goto cleanup;
}
// if (header_issue())
// {
// printf("Header tests failed\n"); TTY_FLUSH();
// goto cleanup;
// }
ret = 0; /* all ok */
printf("**** ALL TESTS PASSED ****\n"); TTY_FLUSH();

BIN
ssl/test/verisign.x509_ca
View File

Binary file not shown.

BIN
ssl/test/verisign.x509_my_cert
View File

Binary file not shown.

4
ssl/tls1.c
View File

@ -1075,7 +1075,9 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
uint8_t iv_size = ssl->cipher_info->iv_size;
uint8_t *t_buf = alloca(msg_length + iv_size);
memcpy(t_buf + iv_size, ssl->bm_data, msg_length);
get_random(iv_size, t_buf);
if (get_random(iv_size, t_buf) < 0)
return SSL_NOT_OK;
msg_length += iv_size;
memcpy(ssl->bm_data, t_buf, msg_length);
}

8
ssl/tls1_clnt.c
View File

@ -187,7 +187,9 @@ static int send_client_hello(SSL *ssl)
*tm_ptr++ = (uint8_t)(((long)tm & 0x00ff0000) >> 16);
*tm_ptr++ = (uint8_t)(((long)tm & 0x0000ff00) >> 8);
*tm_ptr++ = (uint8_t)(((long)tm & 0x000000ff));
get_random(SSL_RANDOM_SIZE-4, &buf[10]);
if (get_random(SSL_RANDOM_SIZE-4, &buf[10]) < 0)
return SSL_NOT_OK;
memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);
offset = 6 + SSL_RANDOM_SIZE;
@ -313,7 +315,9 @@ static int send_client_key_xchg(SSL *ssl)
premaster_secret[0] = 0x03; /* encode the version number */
premaster_secret[1] = SSL_PROTOCOL_MINOR_VERSION; /* must be TLS 1.1 */
get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]);
if (get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]) < 0)
return SSL_NOT_OK;
DISPLAY_RSA(ssl, ssl->x509_ctx->rsa_ctx);
/* rsa_ctx->bi_ctx is not thread-safe */

23
ssl/x509.c
View File

@ -120,7 +120,7 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
bi_ctx = x509_ctx->rsa_ctx->bi_ctx;
#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
/* use the appropriate signature algorithm (SHA1/MD5/MD2) */
/* use the appropriate signature algorithm (SHA1/MD5/SHA256) */
if (x509_ctx->sig_type == SIG_TYPE_MD5)
{
MD5_CTX md5_ctx;
@ -139,14 +139,14 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
SHA1_Final(sha_dgst, &sha_ctx);
x509_ctx->digest = bi_import(bi_ctx, sha_dgst, SHA1_SIZE);
}
else if (x509_ctx->sig_type == SIG_TYPE_MD2)
else if (x509_ctx->sig_type == SIG_TYPE_SHA256)
{
MD2_CTX md2_ctx;
uint8_t md2_dgst[MD2_SIZE];
MD2_Init(&md2_ctx);
MD2_Update(&md2_ctx, &cert[begin_tbs], end_tbs-begin_tbs);
MD2_Final(md2_dgst, &md2_ctx);
x509_ctx->digest = bi_import(bi_ctx, md2_dgst, MD2_SIZE);
SHA256_CTX sha256_ctx;
uint8_t sha256_dgst[SHA256_SIZE];
SHA256_Init(&sha256_ctx);
SHA256_Update(&sha256_ctx, &cert[begin_tbs], end_tbs-begin_tbs);
SHA256_Final(sha256_dgst, &sha256_ctx);
x509_ctx->digest = bi_import(bi_ctx, sha256_dgst, SHA256_SIZE);
}
if (cert[offset] == ASN1_V3_DATA)
@ -483,14 +483,17 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
printf("Sig Type:\t\t\t");
switch (cert->sig_type)
{
case SIG_TYPE_MD2:
printf("MD2\n");
break;
case SIG_TYPE_MD5:
printf("MD5\n");
break;
case SIG_TYPE_SHA1:
printf("SHA1\n");
break;
case SIG_TYPE_MD2:
printf("MD2\n");
case SIG_TYPE_SHA256:
printf("SHA256\n");
break;
default:
printf("Unrecognized: %d\n", cert->sig_type);