v1.1.9-2 changes

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@150 9a5d90b5-6617-0410-8a86-bb477d3ed2e3

ssl/asn1.c

@@ -40,7 +40,8 @@
 #include "crypto.h"
 #include "crypto_misc.h"
 
-#define SIG_OID_PREFIX_SIZE     8
+#define SIG_OID_PREFIX_SIZE 8
+#define SIG_IIS6_OID_SIZE   5
 
 /* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */
 static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] = 
@@ -48,6 +49,11 @@ static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] =
     0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
 };
 
+static const uint8_t sig_iis6_oid[SIG_IIS6_OID_SIZE] =
+{
+    0x2b, 0x0e, 0x03, 0x02, 0x1d
+};
+
 /* CN, O, OU */
 static const uint8_t g_dn_types[] = { 3, 10, 11 };
 
@@ -277,16 +283,34 @@ static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
     int len = X509_NOT_OK;
 
     /* some certs have this awful crud in them for some reason */
-    if (buf[*offset] != ASN1_PRINTABLE_STR && 
-            buf[*offset] != ASN1_TELETEX_STR && buf[*offset] != ASN1_IA5_STR)
+    if (buf[*offset] != ASN1_PRINTABLE_STR &&  
+            buf[*offset] != ASN1_TELETEX_STR &&  
+            buf[*offset] != ASN1_IA5_STR &&  
+            buf[*offset] != ASN1_UNICODE_STR)
         goto end_pnt_str;
 
-    (*offset)++;
-    len = get_asn1_length(buf, offset);
-    *str = (char *)malloc(len+1);                   /* allow for null */
-    memcpy(*str, &buf[*offset], len);
-    (*str)[len] = 0;                                /* null terminate */
-    *offset += len;
+        (*offset)++;
+        len = get_asn1_length(buf, offset);
+
+        if (buf[*offset - 1] == ASN1_UNICODE_STR)
+        {
+            int i;
+            *str = (char *)malloc(len/2+1);     /* allow for null */
+
+            for (i = 0; i < len; i += 2)
+                (*str)[i/2] = buf[*offset + i + 1];
+
+            (*str)[len/2] = 0;                  /* null terminate */
+        }
+        else
+        {
+            *str = (char *)malloc(len+1);       /* allow for null */
+            memcpy(*str, &buf[*offset], len);
+            (*str)[len] = 0;                    /* null terminate */
+        }
+
+        *offset += len;
+
 end_pnt_str:
     return len;
 }
@@ -424,7 +448,7 @@ void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx)
     while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
     {
         x509_free(ca_cert_ctx->cert[i]);
-        ca_cert_ctx->cert[i] = NULL;
+        ca_cert_ctx->cert[i++] = NULL;
     }
 
     free(ca_cert_ctx);
@@ -463,10 +487,18 @@ int asn1_signature_type(const uint8_t *cert,
 
     len = get_asn1_length(cert, offset);
 
-    if (memcmp(sig_oid_prefix, &cert[*offset], SIG_OID_PREFIX_SIZE))
-        goto end_check_sig;     /* unrecognised cert type */
+    if (len == 5 && memcmp(sig_iis6_oid, &cert[*offset], 
+                                    SIG_IIS6_OID_SIZE) == 0)
+    {
+        x509_ctx->sig_type = SIG_TYPE_SHA1;
+    }
+    else
+    {
+        if (memcmp(sig_oid_prefix, &cert[*offset], SIG_OID_PREFIX_SIZE))
+            goto end_check_sig;     /* unrecognised cert type */
 
-    x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
+        x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
+    }
 
     *offset += len;
     asn1_skip_obj(cert, offset, ASN1_NULL); /* if it's there */

ssl/crypto_misc.h

@@ -109,6 +109,7 @@ const char * x509_display_error(int error);
 #define ASN1_TELETEX_STR        0x14
 #define ASN1_IA5_STR            0x16
 #define ASN1_UTC_TIME           0x17
+#define ASN1_UNICODE_STR        0x1e
 #define ASN1_SEQUENCE           0x30
 #define ASN1_SET                0x31
 #define ASN1_IMPLICIT_TAG       0x80

ssl/gen_cert.c

@@ -178,7 +178,7 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)
 
     if (dn[X509_ORGANIZATION] != NULL && strlen(dn[X509_ORGANIZATION]) > 0)
     {
-        if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_UNIT], 10, buf, offset)))
+        if ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset)))
             goto error;
     }
 

ssl/loader.c

@@ -69,8 +69,7 @@ EXP_FUNC int STDCALL ssl_obj_load(SSL_CTX *ssl_ctx, int obj_type,
     }
 
     ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader));
-    ssl_obj->len = get_file(filename, &ssl_obj->buf);
-
+    ssl_obj->len = get_file(filename, &ssl_obj->buf); 
     if (ssl_obj->len <= 0)
     {
         ret = SSL_ERROR_INVALID_KEY;

ssl/test/ms_iis.cer

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAVOgAwIBAgIQWPe7KyA+U7lLUohulwW2HDAJBgUrDgMCHQUAMCExHzAd
+BgNVBAMTFmF4dGxzLmNlcm9jY2x1Yi5jb20uYXUwHhcNMDgwMzE3MTAyMTA2WhcN
+MDkwMzE3MTAyMTA2WjAhMR8wHQYDVQQDExZheHRscy5jZXJvY2NsdWIuY29tLmF1
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9JqHlQjrQMt3JW8yxcGhFagDa
+D4QiIY8+KItTt13fIBt5g1AG4VXniaylSqKKYNPwVzqSWl7WhxMmoFU73veF8o4M
+G0Zc5qbVB6ukrSV4WaTgHrIO6pWkyiaQ4L/eYfCo/2pByhl0IUKkf/TMN346/rFg
+JgrElx01l6QHNQrzVQIDAQABoycwJTATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNV
+HQ8EBwMFALAAAAAwCQYFKw4DAh0FAAOBgQAbH94H1fryngROJ//Oa0D3vvTO8CJ3
+8VW+3gQEwrPBOWmN6RV8OM0dE6pf8wD3s7PTCcM5+/HI1Qk53nUGrNiOmKM1s0JB
+bvsO9RT+UF8mtdbo/n30M0MHMWPCC76baW3R+ANBp/V/z4l1ytpUTt+MHvz0VlUs
+J4uJA3s3uh23Tg==
+-----END CERTIFICATE-----

ssl/test/ssltest.c

@@ -638,6 +638,16 @@ static int cert_tests(void)
 
     x509_free(x509_ctx);
     free(buf);
+
+    ssl_ctx = ssl_ctx_new(0, 0);
+    if ((res = ssl_obj_load(ssl_ctx, 
+              SSL_OBJ_X509_CERT, "../ssl/test/ms_iis.cer", NULL)) != SSL_OK)
+    {
+        ssl_display_error(res);
+        goto bad_cert;
+    }
+
+    ssl_ctx_free(ssl_ctx);
     res = 0;        /* all ok */
     printf("All Certificate tests passed\n");
 

ssl/x509.c

@@ -292,7 +292,7 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
         }
 
         /* trusted cert not found */
-        if (i >= CONFIG_X509_MAX_CA_CERTS)
+        if (match_ca_cert == 0)
         {
             ret = X509_VFY_ERROR_NO_TRUSTED_CERT;       
             goto end_verify;