v1.1.9-2 changes

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@150 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-04-21 10:26:06 +03:00 · 2008-05-13 11:32:33 +00:00 · 2008-05-13 11:32:33 +00:00 · bc1e70c101
commit bc1e70c101
parent d02abde904
12 changed files with 116 additions and 23 deletions
--- a/crypto/bigint_impl.h
+++ b/crypto/bigint_impl.h
@ -44,7 +44,7 @@
 /* Architecture specific functions for big ints */
 #ifdef WIN32
 #define COMP_RADIX          4294967296i64         
-#define COMP_MAX            0xFFFFFFFFFFFFFFFFi64
+#define COMP_MAX            0xFFFFFFFFFFFFFFFFui64
 #else
 #define COMP_RADIX          4294967296ULL         /**< Max component + 1 */
 #define COMP_MAX            0xFFFFFFFFFFFFFFFFULL/**< (Max dbl comp -1) */
--- a/crypto/crypto_misc.c
+++ b/crypto/crypto_misc.c
@ -127,7 +127,7 @@ EXP_FUNC void STDCALL RNG_initialize(const uint8_t *seed_buf, int size)
        for (i = 0; i < size/(int)sizeof(uint64_t); i++)
            rng_num ^= *((uint64_t *)&seed_buf[i*sizeof(uint64_t)]);

-        srand((long)seed_buf);  /* use the stack ptr as another rnd seed */
+        srand((long)&seed_buf);  /* use the stack ptr as another rnd seed */
 #endif
    }

--- a/httpd/Config.in
+++ b/httpd/Config.in
@ -129,6 +129,20 @@ config CONFIG_HTTP_HAS_IPV6
    
        Does not work under Win32

+config CONFIG_HTTP_ENABLE_DIFFERENT_USER
+    bool "Enable different user"
+    default n
+    depends on !CONFIG_PLATFORM_WIN32
+    help
+        Allow the web server to be run as a different user
+    
+config CONFIG_HTTP_USER
+    string "As User"
+    default "nobody"
+    depends on CONFIG_HTTP_ENABLE_DIFFERENT_USER
+    help
+        The user name that will be used to run axhttpd.
+
 config CONFIG_HTTP_VERBOSE
    bool "Verbose Mode"
    default y if CONFIG_SSL_FULL_MODE
--- a/httpd/axhttpd.c
+++ b/httpd/axhttpd.c
@ -34,6 +34,7 @@
 #include <signal.h>
 #include <stdlib.h>
 #include <sys/stat.h>
+#include <pwd.h>
 #include "axhttp.h"

 struct serverstruct *servers;
@ -186,6 +187,28 @@ int main(int argc, char *argv[])

    ax_chdir();

+#ifdef CONFIG_HTTP_ENABLE_DIFFERENT_USER
+    {
+        struct passwd *pd = getpwnam(CONFIG_HTTP_USER);
+
+        if (pd != NULL)
+        {
+            int res = setuid(pd->pw_uid);
+            res |= setgid(pd->pw_gid);
+
+#if defined(CONFIG_HTTP_VERBOSE)
+            if (res == 0)
+            {
+                printf("change to '%s' successful\n", CONFIG_HTTP_USER); 
+                TTY_FLUSH();
+            }
+#endif
+        }
+
+    }
+#endif
+
+
 #ifndef WIN32 
 #ifdef CONFIG_HTTP_IS_DAEMON
    if (fork() > 0)  /* parent will die */
--- a/ssl/asn1.c
+++ b/ssl/asn1.c
@ -41,6 +41,7 @@
 #include "crypto_misc.h"

 #define SIG_OID_PREFIX_SIZE 8
+#define SIG_IIS6_OID_SIZE   5

 /* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */
 static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] = 
@ -48,6 +49,11 @@ static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] =
    0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01
 };

+static const uint8_t sig_iis6_oid[SIG_IIS6_OID_SIZE] =
+{
+    0x2b, 0x0e, 0x03, 0x02, 0x1d
+};
+
 /* CN, O, OU */
 static const uint8_t g_dn_types[] = { 3, 10, 11 };

@ -278,15 +284,33 @@ static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)

    /* some certs have this awful crud in them for some reason */
    if (buf[*offset] != ASN1_PRINTABLE_STR &&  
-            buf[*offset] != ASN1_TELETEX_STR && buf[*offset] != ASN1_IA5_STR)
+            buf[*offset] != ASN1_TELETEX_STR &&  
+            buf[*offset] != ASN1_IA5_STR &&  
+            buf[*offset] != ASN1_UNICODE_STR)
        goto end_pnt_str;

        (*offset)++;
        len = get_asn1_length(buf, offset);
+
+        if (buf[*offset - 1] == ASN1_UNICODE_STR)
+        {
+            int i;
+            *str = (char *)malloc(len/2+1);     /* allow for null */
+
+            for (i = 0; i < len; i += 2)
+                (*str)[i/2] = buf[*offset + i + 1];
+
+            (*str)[len/2] = 0;                  /* null terminate */
+        }
+        else
+        {
            *str = (char *)malloc(len+1);       /* allow for null */
            memcpy(*str, &buf[*offset], len);
            (*str)[len] = 0;                    /* null terminate */
+        }
+
        *offset += len;
+
 end_pnt_str:
    return len;
 }
@ -424,7 +448,7 @@ void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx)
    while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
    {
        x509_free(ca_cert_ctx->cert[i]);
-        ca_cert_ctx->cert[i] = NULL;
+        ca_cert_ctx->cert[i++] = NULL;
    }

    free(ca_cert_ctx);
@ -463,10 +487,18 @@ int asn1_signature_type(const uint8_t *cert,

    len = get_asn1_length(cert, offset);

+    if (len == 5 && memcmp(sig_iis6_oid, &cert[*offset], 
+                                    SIG_IIS6_OID_SIZE) == 0)
+    {
+        x509_ctx->sig_type = SIG_TYPE_SHA1;
+    }
+    else
+    {
        if (memcmp(sig_oid_prefix, &cert[*offset], SIG_OID_PREFIX_SIZE))
            goto end_check_sig;     /* unrecognised cert type */

        x509_ctx->sig_type = cert[*offset + SIG_OID_PREFIX_SIZE];
+    }

    *offset += len;
    asn1_skip_obj(cert, offset, ASN1_NULL); /* if it's there */
--- a/ssl/crypto_misc.h
+++ b/ssl/crypto_misc.h
@ -109,6 +109,7 @@ const char * x509_display_error(int error);
 #define ASN1_TELETEX_STR        0x14
 #define ASN1_IA5_STR            0x16
 #define ASN1_UTC_TIME           0x17
+#define ASN1_UNICODE_STR        0x1e
 #define ASN1_SEQUENCE           0x30
 #define ASN1_SET                0x31
 #define ASN1_IMPLICIT_TAG       0x80
--- a/ssl/gen_cert.c
+++ b/ssl/gen_cert.c
@ -178,7 +178,7 @@ static int gen_issuer(const char * dn[], uint8_t *buf, int *offset)

    if (dn[X509_ORGANIZATION] != NULL && strlen(dn[X509_ORGANIZATION]) > 0)
    {
-        if ((ret = gen_dn(dn[X509_ORGANIZATIONAL_UNIT], 10, buf, offset)))
+        if ((ret = gen_dn(dn[X509_ORGANIZATION], 10, buf, offset)))
            goto error;
    }

--- a/ssl/loader.c
+++ b/ssl/loader.c
@ -70,7 +70,6 @@ EXP_FUNC int STDCALL ssl_obj_load(SSL_CTX *ssl_ctx, int obj_type,

    ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader));
    ssl_obj->len = get_file(filename, &ssl_obj->buf); 
-
    if (ssl_obj->len <= 0)
    {
        ret = SSL_ERROR_INVALID_KEY;
--- a/ssl/test/ms_iis.cer
+++ b/ssl/test/ms_iis.cer
@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB5jCCAVOgAwIBAgIQWPe7KyA+U7lLUohulwW2HDAJBgUrDgMCHQUAMCExHzAd
+BgNVBAMTFmF4dGxzLmNlcm9jY2x1Yi5jb20uYXUwHhcNMDgwMzE3MTAyMTA2WhcN
+MDkwMzE3MTAyMTA2WjAhMR8wHQYDVQQDExZheHRscy5jZXJvY2NsdWIuY29tLmF1
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC9JqHlQjrQMt3JW8yxcGhFagDa
+D4QiIY8+KItTt13fIBt5g1AG4VXniaylSqKKYNPwVzqSWl7WhxMmoFU73veF8o4M
+G0Zc5qbVB6ukrSV4WaTgHrIO6pWkyiaQ4L/eYfCo/2pByhl0IUKkf/TMN346/rFg
+JgrElx01l6QHNQrzVQIDAQABoycwJTATBgNVHSUEDDAKBggrBgEFBQcDATAOBgNV
+HQ8EBwMFALAAAAAwCQYFKw4DAh0FAAOBgQAbH94H1fryngROJ//Oa0D3vvTO8CJ3
+8VW+3gQEwrPBOWmN6RV8OM0dE6pf8wD3s7PTCcM5+/HI1Qk53nUGrNiOmKM1s0JB
+bvsO9RT+UF8mtdbo/n30M0MHMWPCC76baW3R+ANBp/V/z4l1ytpUTt+MHvz0VlUs
+J4uJA3s3uh23Tg==
+-----END CERTIFICATE-----
--- a/ssl/test/ssltest.c
+++ b/ssl/test/ssltest.c
@ -638,6 +638,16 @@ static int cert_tests(void)

    x509_free(x509_ctx);
    free(buf);
+
+    ssl_ctx = ssl_ctx_new(0, 0);
+    if ((res = ssl_obj_load(ssl_ctx, 
+              SSL_OBJ_X509_CERT, "../ssl/test/ms_iis.cer", NULL)) != SSL_OK)
+    {
+        ssl_display_error(res);
+        goto bad_cert;
+    }
+
+    ssl_ctx_free(ssl_ctx);
    res = 0;        /* all ok */
    printf("All Certificate tests passed\n");

--- a/ssl/x509.c
+++ b/ssl/x509.c
@ -292,7 +292,7 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
        }

        /* trusted cert not found */
-        if (i >= CONFIG_X509_MAX_CA_CERTS)
+        if (match_ca_cert == 0)
        {
            ret = X509_VFY_ERROR_NO_TRUSTED_CERT;       
            goto end_verify;
--- a/www/index.html
+++ b/www/index.html