diff --git a/ssl/test/axTLS.ca_x509_sha256.pem b/ssl/test/axTLS.ca_x509_sha256.pem new file mode 100644 index 000000000..f50a47583 --- /dev/null +++ b/ssl/test/axTLS.ca_x509_sha256.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5DCCAcwCCQDGL4Ul/VVK0TANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQKEylh +eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4 +MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMDQxMjAwBgNVBAoTKWF4VExTIFByb2pl +Y3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEF +AAOCAQ8AMIIBCgKCAQEA6d9BDlOJo6fdmSkUdAkMYFnlAK4Q5qwE/vYX8umY0Gz1 +CEIwEyKJq+rCpl2vmlwEETGcphlRsiybOMwVfdRDQv51ZfTJnz1WQZBKdsYb55xy +JWOZFHSpuZa+THW1TOImpvxXoK3OMh/dcuaQG5G7QoWMWRK5aZvpl27rRx033dik +U8lO12oaUtCD3AgNttU7zTLiIQjeIZ9JbES74mx1s4lT22nmXoL5/AdJa3yGjDjG +J1RX8hQ7/pbcC2s4+0XIjGthB2ClJWyvv8bY96POZ+Kc5XLFFjxYoGHtRzQbw2gx +rx7r5/a+d7XgWedMnwf1M1/v9vNA14kgjg2pwuFD4QIDAQABMA0GCSqGSIb3DQEB +CwUAA4IBAQBW9MtGYroXnu8id8rDvjki8Vk8lDBD0AkOq5QYbXB322Wbg2C+cmHP +zQAJ9YZU/NjnRZiEX1QVoZAXdSXXScbUbSlBQweEvGZmailTGPhJ/wtmNtK6P7ZP +YIJ6XaQdALvteULFMhEQKM9UUkrsbqh41wtoTjOsMlWcRvq9FHLujXxyzjvFPdEI +kz26d7F2yqtgzxW4YLAlclZu6vex/MzNmbjhHenMWp6LNWVWofdIv9jRS1tOSyK+ +hg2sV7CL75nzQ/A22ql8X3SZLAZNR/V7DF+MSBrIcHBzgFZ8QEGlNam29WseuC2C +51+ZXtv0DZ1bPmX+Pz1E06wMGlBTpC4z +-----END CERTIFICATE----- diff --git a/ssl/test/axTLS.x509_1024_sha256.pem b/ssl/test/axTLS.x509_1024_sha256.pem new file mode 100644 index 000000000..aba66956e --- /dev/null +++ b/ssl/test/axTLS.x509_1024_sha256.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWDCCAUACCQCMs+C6AhuzaTANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQKEylh +eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4 +MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl +Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAq9P2gjL8e0OgMrA81JoZeqaZMRmSaTH8xIHf7MkbGYW1ZyBWW+n+017itYgH +pu61CiYcyAfuUACTL2VBhrakCb+j53OF0V+9uEH/BkftUUcu+6ppBB4XI5KbYmTH +JjhBW8N1OHadHLCG4dkQLjnaFgekpM8xZzvd4kkbM4mZqtECAwEAATANBgkqhkiG +9w0BAQsFAAOCAQEAG/SBHWYNVf5drxN1aLx9UqTpryjmzDP9/gckKpuNEiDCmp38 +MIKBJYamL9hTwmtf1k4vHB2sxXfv9AVULwMa7+RcgUc3fhTWWoqf1LvYvzMrx9W9 +yU6bfXQh5zb6TOrq/j4fliA2NeDvAzq8tzhBVhiyvy0GhhU1C9eBRVFr4D9l/B2z +odWvCZ4ljLjtmoOhrSSf0OHFuk/eqFJ/SS1jo3ugl7wEmMzphOjmwgK7CLyACBSn +6Bzlh/A16AgqznniMHZ9p99zopMSqPUkCCHPEUiqs8hoy6Pc7O6FrTKfkeiAnY1u +SfKiOf4ODmDcLb5gVtDx+zp59Q/khBX+6IT+BA== +-----END CERTIFICATE----- diff --git a/ssl/test/axTLS.x509_1024_sha384.pem b/ssl/test/axTLS.x509_1024_sha384.pem new file mode 100644 index 000000000..a3adbb044 --- /dev/null +++ b/ssl/test/axTLS.x509_1024_sha384.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWDCCAUACCQCMs+C6AhuzajANBgkqhkiG9w0BAQwFADA0MTIwMAYDVQQKEylh +eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4 +MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl +Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAq9P2gjL8e0OgMrA81JoZeqaZMRmSaTH8xIHf7MkbGYW1ZyBWW+n+017itYgH +pu61CiYcyAfuUACTL2VBhrakCb+j53OF0V+9uEH/BkftUUcu+6ppBB4XI5KbYmTH +JjhBW8N1OHadHLCG4dkQLjnaFgekpM8xZzvd4kkbM4mZqtECAwEAATANBgkqhkiG +9w0BAQwFAAOCAQEA151mqDTC1YPiFq4t7J2UK84jYlGriW0z6KhfmtecLm18Uu07 +vDh+cvWoFRf/fgSlO7c6td0Jb4NGjPBwpV4UmoYND65d1+EkrP+Bl+2DndUi/xka +h4bwfmPrKAjDbUZaNnRi1zQdyPU9tta9b0MamHQVHFOIAyLQXDf1/Tz+wRaFPCIH +PfJEqjD4Nr15O41aMJOaM170rOtbQ9uH4Vlotpt+xJsHufmHFMf1fJtgBXayCzmS +1927ajoKNyDA/QQ+e+60uba6UN6CQnoMzmkMypMxD4JBUt6TEgB46uQ7nkkf3raS +tMAyMnytSc+O7EbhZSWWBSTUkeI+YWjLAtI42Q== +-----END CERTIFICATE----- diff --git a/ssl/test/axTLS.x509_1024_sha512.pem b/ssl/test/axTLS.x509_1024_sha512.pem new file mode 100644 index 000000000..cc369005e --- /dev/null +++ b/ssl/test/axTLS.x509_1024_sha512.pem 
@@ -0,0 +1,15 @@ +-----BEGIN CERTIFICATE----- +MIICWDCCAUACCQCMs+C6AhuzazANBgkqhkiG9w0BAQ0FADA0MTIwMAYDVQQKEylh +eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjA4 +MTUxMDIwNTZaFw0zMDA0MjQxMDIwNTZaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl +Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC +gYEAq9P2gjL8e0OgMrA81JoZeqaZMRmSaTH8xIHf7MkbGYW1ZyBWW+n+017itYgH +pu61CiYcyAfuUACTL2VBhrakCb+j53OF0V+9uEH/BkftUUcu+6ppBB4XI5KbYmTH +JjhBW8N1OHadHLCG4dkQLjnaFgekpM8xZzvd4kkbM4mZqtECAwEAATANBgkqhkiG +9w0BAQ0FAAOCAQEA51hsTX6DlE9WnI0XaNfx0hfWG74maMZK+GG1LQKi6JlaA6U4 +7aLpoluw4G7oZz39ROuNbOvTMrhN4kOXG16Zk2HGufzAQgqoegIsgI2BiaOtmBnn +vOchhiZ16JLmKB6ZMlESFubV1Ynyr6QacTLOipLGICGn3N65BrbwfaXD/nbJQd+a +YOwkJ9OHxbK9zqLMBG3kK/QKXqID3dI21+MDCGSSBAh/tVPhwTMcTzViF5vT4Mpq +81+Z9eg3vI++rOiBppdjRKH4CFcO74rEA6j9fNFHI0PiS142TtT4vXLf+D4PQLkI +tBuSq99ensRy5IvjYXpcx7/jixVd3MmwWrolbg== +-----END CERTIFICATE----- diff --git a/ssl/tls1.c b/ssl/tls1.c index ba84d043d..e3cea2bb9 100644 --- a/ssl/tls1.c +++ b/ssl/tls1.c @@ -765,7 +765,9 @@ void add_packet(SSL *ssl, const uint8_t *pkt, int len) SHA256_Update(&ssl->dc->sha256_ctx, pkt, len); } - if (ssl->version < SSL_PROTOCOL_VERSION_TLS1_2) + if (ssl->version < SSL_PROTOCOL_VERSION_TLS1_2 || + ssl->next_state == HS_SERVER_HELLO || + ssl->next_state == 0) { MD5_Update(&ssl->dc->md5_ctx, pkt, len); SHA1_Update(&ssl->dc->sha1_ctx, pkt, len); @@ -894,7 +896,7 @@ static void prf(SSL *ssl, const uint8_t *sec, int sec_len, void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret) { uint8_t buf[128]; - //print_blob("premaster secret", premaster_secret, 48); +//print_blob("premaster secret", premaster_secret, 48); strcpy((char *)buf, "master secret"); memcpy(&buf[13], ssl->dc->client_random, SSL_RANDOM_SIZE); memcpy(&buf[45], ssl->dc->server_random, SSL_RANDOM_SIZE); @@ -1994,6 +1996,7 @@ static int check_certificate_chain(SSL *ssl) if (!found) { + ret = SSL_ERROR_INVALID_CERT_HASH_ALG; goto error; } 
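Review bot: The new clause `ssl->next_state == 0` in add_packet's condition compares against a bare literal, and nothing in the hunk says which handshake state 0 stands for or why the MD5/SHA-1 transcript contexts must still be fed on a TLS 1.2 connection in these two states. Presumably the legacy hashes have to cover the hello messages because the negotiated version is not final until the ServerHello has been handled; if so, say that in a comment such as `/* version not final until ServerHello is processed: keep the legacy transcript hashes running */` and replace `0` with the named state constant. A transcript that silently misses one message only shows up later as a Finished or CertificateVerify mismatch, so the condition deserves the explanation. add_packet starts and ends outside the hunk.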
@@ -2033,7 +2036,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx) uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index]; int pkt_size = ssl->bm_index; int cert_size, offset = 5, offset_start; - int total_cert_size = (buf[offset]<<8) + buf[offset+1]; + int total_cert_len = (buf[offset]<<8) + buf[offset+1]; int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT); X509_CTX *chain = 0; X509_CTX **certs = 0; @@ -2042,13 +2045,13 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx) int i = 0; offset += 2; - PARANOIA_CHECK(total_cert_size, offset); + PARANOIA_CHECK(pkt_size, total_cert_len + offset); // record the start point for the second pass offset_start = offset; // first pass - count the certificates - while (offset < total_cert_size) + while (offset < total_cert_len) { offset++; /* skip empty char */ cert_size = (buf[offset]<<8) + buf[offset+1]; @@ -2067,7 +2070,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx) offset = offset_start; // second pass - load the certificates - while (offset < total_cert_size) + while (offset < total_cert_len) { offset++; /* skip empty char */ cert_size = (buf[offset]<<8) + buf[offset+1]; diff --git a/ssl/tls1_clnt.c b/ssl/tls1_clnt.c index d0a85384a..7087de2f0 100644 --- a/ssl/tls1_clnt.c +++ b/ssl/tls1_clnt.c @@ -462,7 +462,7 @@ static int send_cert_verify(SSL *ssl) if (rsa_ctx) { SSL_CTX_LOCK(ssl->ssl_ctx->mutex); - n = RSA_encrypt(rsa_ctx, dgst, dgst_len, &buf[offset+2], 1); + n = RSA_encrypt(rsa_ctx, dgst, dgst_len, &buf[offset + 2], 1); SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex); if (n == 0) @@ -478,12 +478,13 @@ static int send_cert_verify(SSL *ssl) if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2 { - n += 2; + n += 2; // sig/alg + offset -= 2; } buf[2] = n >> 8; buf[3] = n & 0xff; - ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n + offset - 2); + ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n + offset); error: return ret; 
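Review bot: Both `while (offset < total_cert_len)` loops in process_certificate compare an absolute buffer offset with a list length: `offset` already stands at `offset_start` (the initial `offset = 5` plus the two length bytes) when the first pass begins, so the loops stop short of the end of the list that the corrected `PARANOIA_CHECK(pkt_size, total_cert_len + offset)` has just validated. The bound should be the end offset, e.g. `while (offset < offset_start + total_cert_len)`, in the first and the second pass alike. Inside the loop the per-certificate `cert_size` is also read from the packet; the hunk does not show whether it is checked against the remaining list before `offset` advances, so that is worth confirming in the lines outside the hunk.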
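Review bot: The length passed to send_packet in send_cert_verify changes for every protocol version, not only TLS 1.2: below 1.2 the call used to send `n + offset - 2` bytes and now sends `n + offset`, while the 1.2 branch compensates with the new `offset -= 2`. If that is an intended fix for the older versions the commit should say so; either way, reusing `offset` (the position the signature was written at) as part of the final length is easy to misread, and a comment such as `/* drop the two sig/alg bytes already counted in n */` beside `offset -= 2;` would help. The context line `if (n == 0)` treats only zero as failure, so it is worth confirming that RSA_encrypt cannot return a negative value that would then reach `buf[2]`/`buf[3]` and the send length. The function starts outside the hunk.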
diff --git a/ssl/tls1_svr.c b/ssl/tls1_svr.c index e9d0269b9..6bc75e518 100644 --- a/ssl/tls1_svr.c +++ b/ssl/tls1_svr.c @@ -185,6 +185,12 @@ do_compression: offset += id_len; PARANOIA_CHECK(pkt_size, offset + id_len); + if (offset == pkt_size) + { + /* no extensions */ + goto error; + } + /* extension size */ id_len = buf[offset++] << 8; id_len += buf[offset++]; @@ -420,13 +426,23 @@ static const uint8_t g_cert_request[] = { HS_CERT_REQ, 0, 0, 0 }; +static const uint8_t g_cert_request_v1[] = { HS_CERT_REQ, 0, 0, 4, 1, 0, 0, 0 }; + /* * Send the certificate request message. */ static int send_certificate_request(SSL *ssl) { - return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, + if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2 + { + return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, g_cert_request, sizeof(g_cert_request)); + } + else + { + return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, + g_cert_request_v1, sizeof(g_cert_request_v1)); + } } /* @@ -442,8 +458,6 @@ static int process_cert_verify(SSL *ssl) X509_CTX *x509_ctx = ssl->x509_ctx; int ret = SSL_OK; int offset = 6; - uint8_t hash_alg; - uint8_t sig_alg; int rsa_len; int n; @@ -451,10 +465,12 @@ static int process_cert_verify(SSL *ssl) if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2 { - hash_alg = buf[4]; - sig_alg = buf[5]; + // TODO: need to be able to handle another hash type here + //uint8_t hash_alg = buf[4]; + //uint8_t sig_alg = buf[5]; offset = 8; rsa_len = (buf[6] << 8) + buf[7]; + //printf("YO, GOT %d %d\n", hash_alg, sig_alg); } else { diff --git a/tools/make_certs.sh b/tools/make_certs.sh index ace400f88..dc577e74e 100644 --- a/tools/make_certs.sh +++ b/tools/make_certs.sh @@ -56,7 +56,7 @@ prompt = no [ req_distinguished_name ] O = $PROJECT_NAME - CN = 127.0.0.1 + CN = localhost EOF cat > device_cert.conf << EOF 
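Review bot: The new `if (offset == pkt_size)` test only covers a hello that ends exactly at the compression list; when a single stray byte remains, the two `buf[offset++]` reads of the extension length that follow take a byte from beyond the end of the received message. A `PARANOIA_CHECK(pkt_size, offset + 2);` placed between the new block and the `/* extension size */` read would close that gap. The context line `PARANOIA_CHECK(pkt_size, offset + id_len)` also runs after `offset += id_len`, so it appears to count `id_len` twice and may reject a hello without extensions before the new branch is ever reached. The no-extensions case leaves through `goto error`; a short comment stating the value `ret` holds at that point would make clear whether this is a success path. The enclosing function starts and ends outside the hunk.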
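Review bot: `g_cert_request_v1` is a bare byte string with no field annotations, and the single certificate type it lists is 0, whereas the TLS RFCs assign `rsa_sign` the value 1 in the ClientCertificateType enum. A comment such as `/* msg type, 3-byte length (4), 1 cert type, type value, empty CA list (2-byte length) */` would let a reader check the layout against the specification, and if type 0 is deliberate the comment should say why. A strict peer may reject a CertificateRequest that offers no known certificate type, so this is worth confirming against a non-axTLS client on a pre-TLS 1.2 connection.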
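Review bot: In the TLS 1.2 branch of process_cert_verify the hash and signature algorithm bytes `buf[4]` and `buf[5]` are now read by nothing (the assignments are commented out behind a TODO), so whatever pair the client declares is accepted and the check below presumably proceeds with a fixed hash. Until other hashes are supported, the two bytes should still be compared with the pair the server advertised in its CertificateRequest and the handshake failed otherwise, for instance with the `SSL_ERROR_INVALID_CERT_HASH_ALG` code this commit starts returning from check_certificate_chain. `rsa_len` is likewise taken from the packet at `buf[6]`/`buf[7]`; the hunk does not show a check against the packet size before it is used, which is worth confirming in the lines outside the hunk. The commented-out `printf("YO, GOT ...")` debug line should be dropped rather than committed.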
@@ -70,20 +70,15 @@ EOF # private key generation openssl genrsa -out axTLS.ca_key.pem 2048 -openssl genrsa -out axTLS.key_512.pem 512 openssl genrsa -out axTLS.key_1024.pem 1024 -openssl genrsa -out axTLS.key_1042.pem 1042 openssl genrsa -out axTLS.key_2048.pem 2048 openssl genrsa -out axTLS.key_4096.pem 4096 openssl genrsa -out axTLS.device_key.pem 1024 -openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 512 -openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 512 - +openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 1024 +openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 1024 # convert private keys into DER format -openssl rsa -in axTLS.key_512.pem -out axTLS.key_512 -outform DER openssl rsa -in axTLS.key_1024.pem -out axTLS.key_1024 -outform DER -openssl rsa -in axTLS.key_1042.pem -out axTLS.key_1042 -outform DER openssl rsa -in axTLS.key_2048.pem -out axTLS.key_2048 -outform DER openssl rsa -in axTLS.key_4096.pem -out axTLS.key_4096 -outform DER openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER @@ -91,12 +86,8 @@ openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER # cert requests openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \ -config ./ca_cert.conf -openssl req -out axTLS.x509_512.req -key axTLS.key_512.pem -new \ - -config ./certs.conf openssl req -out axTLS.x509_1024.req -key axTLS.key_1024.pem -new \ -config ./certs.conf -openssl req -out axTLS.x509_1042.req -key axTLS.key_1042.pem -new \ - -config ./certs.conf openssl req -out axTLS.x509_2048.req -key axTLS.key_2048.pem -new \ -config ./certs.conf openssl req -out axTLS.x509_4096.req -key axTLS.key_4096.pem -new \ 
@@ -110,25 +101,32 @@ openssl req -out axTLS.x509_aes256.req -key axTLS.key_aes256.pem \ # generate the actual certs. openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \ - -sha1 -days 5000 -signkey axTLS.ca_key.pem -openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_512.pem \ - -sha1 -CAcreateserial -days 5000 \ - -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem + -sha1 -days 5000 -signkey axTLS.ca_key.pem \ + -CAkey axTLS.ca_key.pem +openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509_sha256.pem \ + -sha256 -days 5000 -signkey axTLS.ca_key.pem \ + -CAkey axTLS.ca_key.pem openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024.pem \ -sha1 -CAcreateserial -days 5000 \ -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -openssl x509 -req -in axTLS.x509_1042.req -out axTLS.x509_1042.pem \ - -sha1 -CAcreateserial -days 5000 \ - -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem +openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024_sha256.pem \ + -sha256 -CAcreateserial -days 5000 \ + -CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem +openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024_sha384.pem \ + -sha384 -CAcreateserial -days 5000 \ + -CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem +openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024_sha512.pem \ + -sha512 -CAcreateserial -days 5000 \ + -CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem openssl x509 -req -in axTLS.x509_2048.req -out axTLS.x509_2048.pem \ -sha1 -CAcreateserial -days 5000 \ -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem openssl x509 -req -in axTLS.x509_4096.req -out axTLS.x509_4096.pem \ - -sha256 -CAcreateserial -days 5000 \ + -sha1 -CAcreateserial -days 5000 \ -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem openssl x509 -req -in axTLS.x509_device.req -out axTLS.x509_device.pem \ -sha1 -CAcreateserial -days 5000 \ - -CA axTLS.x509_512.pem -CAkey axTLS.key_512.pem + -CA axTLS.x509_1024.pem -CAkey axTLS.key_1024.pem openssl x509 -req -in 
axTLS.x509_aes128.req \ -out axTLS.x509_aes128.pem \ -sha1 -CAcreateserial -days 5000 \ 
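Review bot: `axTLS.ca_x509_sha256.pem` is self-signed from the same request and the same `axTLS.ca_key.pem` as `axTLS.ca_x509.pem`, so the two CA certificates share subject and public key and differ only in their own signature hash. A leaf issued under `-CA axTLS.ca_x509_sha256.pem` therefore also verifies against the SHA-1 CA certificate, and a test that loads the wrong CA file would still pass; a separate key, or at least a distinct subject, for the SHA-256 CA would make the new sha256/sha384/sha512 fixtures prove what they are meant to. The added `-CAkey axTLS.ca_key.pem` on the two `-signkey` commands looks redundant, since `-CAkey` belongs with `-CA`. The same hunk moves `axTLS.x509_4096.pem` from `-sha256` to `-sha1`; a comment such as `# SHA-1 kept deliberately: legacy-chain test fixture` would show that the downgrade is intended.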
@@ -141,35 +139,33 @@ openssl x509 -req -in axTLS.x509_aes256.req \ # note: must be root to do this DATE_NOW=`date` if date -s "Jan 1 2025"; then -openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_before.pem \ +openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_bad_before.pem \ -sha1 -CAcreateserial -days 365 \ -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem date -s "$DATE_NOW" touch axTLS.x509_bad_before.pem fi -openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_after.pem \ +openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_bad_after.pem \ -sha1 -CAcreateserial -days -365 \ -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem # some cleanup rm axTLS*.req -rm axTLS.srl +rm *.srl rm *.conf # need this for the client tests openssl x509 -in axTLS.ca_x509.pem -outform DER -out axTLS.ca_x509.cer -openssl x509 -in axTLS.x509_512.pem -outform DER -out axTLS.x509_512.cer openssl x509 -in axTLS.x509_1024.pem -outform DER -out axTLS.x509_1024.cer -openssl x509 -in axTLS.x509_1042.pem -outform DER -out axTLS.x509_1042.cer openssl x509 -in axTLS.x509_2048.pem -outform DER -out axTLS.x509_2048.cer openssl x509 -in axTLS.x509_4096.pem -outform DER -out axTLS.x509_4096.cer openssl x509 -in axTLS.x509_device.pem -outform DER -out axTLS.x509_device.cer # generate pkcs8 files (use RC4-128 for encryption) -openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8 -openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8 -openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8 -openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8 +openssl pkcs8 -in axTLS.key_1024.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8 +openssl pkcs8 -in axTLS.key_1024.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8 +openssl pkcs8 -in 
axTLS.key_1024.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8 +openssl pkcs8 -in axTLS.key_1024.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8 # generate pkcs12 files (use RC4-128 for encryption) openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_with_CA" -out axTLS.withCA.p12 -password pass:abcd