arduino/esp8266
1
0
Fork 0
mirror of https://github.com/esp8266/Arduino.git synced 2025-06-07 16:23:38 +03:00
Code

fixed pkcs12 mac issue

Browse Source 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@40 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
This commit is contained in:
cameronrich 2006-11-27 02:41:54 +00:00
parent 73c11ecadb
commit c98ded2eca
5 changed files with 131 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
httpd/awhttpd.patch
View File

@ -1,6 +1,6 @@
diff -Naur awhttpd/aw3.h axTLS/httpd/awhttpd/aw3.h diff -Naur awhttpd/aw3.h axTLS/httpd/awhttpd/aw3.h
--- awhttpd/aw3.h 2005-01-23 13:17:14.000000000 +1000 --- awhttpd/aw3.h 2005-01-23 13:17:14.000000000 +1000
+++ axTLS/httpd/awhttpd/aw3.h 2006-08-12 19:16:59.687500000 +1000 +++ axTLS/httpd/awhttpd/aw3.h 2006-11-15 15:09:14.196258200 +1000
@@ -7,17 +7,16 @@ @@ -7,17 +7,16 @@
*/ */
@ -192,7 +192,7 @@ diff -Naur awhttpd/aw3.h axTLS/httpd/awhttpd/aw3.h
+void initlists(void); +void initlists(void);
diff -Naur awhttpd/cgi.c axTLS/httpd/awhttpd/cgi.c diff -Naur awhttpd/cgi.c axTLS/httpd/awhttpd/cgi.c
--- awhttpd/cgi.c 2005-06-04 14:09:52.000000000 +1000 --- awhttpd/cgi.c 2005-06-04 14:09:52.000000000 +1000
+++ axTLS/httpd/awhttpd/cgi.c 2006-08-12 19:17:29.171875000 +1000 +++ axTLS/httpd/awhttpd/cgi.c 2006-11-15 15:09:14.211883700 +1000
@@ -7,93 +7,46 @@ @@ -7,93 +7,46 @@
*/ */
@ -654,7 +654,7 @@ diff -Naur awhttpd/conf.c axTLS/httpd/awhttpd/conf.c
-} -}
diff -Naur awhttpd/conn.c axTLS/httpd/awhttpd/conn.c diff -Naur awhttpd/conn.c axTLS/httpd/awhttpd/conn.c
--- awhttpd/conn.c 2004-12-07 16:11:02.000000000 +1000 --- awhttpd/conn.c 2004-12-07 16:11:02.000000000 +1000
+++ axTLS/httpd/awhttpd/conn.c 2006-08-12 19:16:59.687500000 +1000 +++ axTLS/httpd/awhttpd/conn.c 2006-11-15 15:09:14.243134700 +1000
@@ -9,26 +9,16 @@ @@ -9,26 +9,16 @@
#include <stdio.h> #include <stdio.h>
@ -761,7 +761,7 @@ diff -Naur awhttpd/conn.c axTLS/httpd/awhttpd/conn.c
} }
diff -Naur awhttpd/errors.c axTLS/httpd/awhttpd/errors.c diff -Naur awhttpd/errors.c axTLS/httpd/awhttpd/errors.c
--- awhttpd/errors.c 2005-01-23 06:49:29.000000000 +1000 --- awhttpd/errors.c 2005-01-23 06:49:29.000000000 +1000
+++ axTLS/httpd/awhttpd/errors.c 2006-08-12 19:16:59.687500000 +1000 +++ axTLS/httpd/awhttpd/errors.c 2006-11-15 15:09:14.258760200 +1000
@@ -8,7 +8,6 @@ @@ -8,7 +8,6 @@
@ -804,7 +804,7 @@ diff -Naur awhttpd/errors.c axTLS/httpd/awhttpd/errors.c
diff -Naur awhttpd/index.c axTLS/httpd/awhttpd/index.c diff -Naur awhttpd/index.c axTLS/httpd/awhttpd/index.c
--- awhttpd/index.c 2005-06-04 14:09:52.000000000 +1000 --- awhttpd/index.c 2005-06-04 14:09:52.000000000 +1000
+++ axTLS/httpd/awhttpd/index.c 2006-08-12 19:16:59.687500000 +1000 +++ axTLS/httpd/awhttpd/index.c 2006-11-15 15:09:14.258760200 +1000
@@ -11,7 +11,6 @@ @@ -11,7 +11,6 @@
#include <string.h> #include <string.h>
#include <sys/types.h> #include <sys/types.h>
@ -851,7 +851,7 @@ diff -Naur awhttpd/index.c axTLS/httpd/awhttpd/index.c
my_strncpy(cn->actualfile, tbuf, MAXREQUESTLENGTH); my_strncpy(cn->actualfile, tbuf, MAXREQUESTLENGTH);
diff -Naur awhttpd/main.c axTLS/httpd/awhttpd/main.c diff -Naur awhttpd/main.c axTLS/httpd/awhttpd/main.c
--- awhttpd/main.c 2005-06-04 14:09:52.000000000 +1000 --- awhttpd/main.c 2005-06-04 14:09:52.000000000 +1000
+++ axTLS/httpd/awhttpd/main.c 2006-08-12 19:16:59.687500000 +1000 +++ axTLS/httpd/awhttpd/main.c 2006-11-21 16:30:37.093363800 +1000
@@ -11,7 +11,6 @@ @@ -11,7 +11,6 @@
#include <string.h> #include <string.h>
#include <sys/types.h> #include <sys/types.h>
@ -903,7 +903,7 @@ diff -Naur awhttpd/main.c axTLS/httpd/awhttpd/main.c
void initlists() { void initlists() {
int i; int i;
@@ -33,108 +64,119 @@ @@ -33,108 +64,118 @@
servers = NULL; servers = NULL;
usedconns = NULL; usedconns = NULL;
freeconns = NULL; freeconns = NULL;
@ -1040,7 +1040,7 @@ diff -Naur awhttpd/main.c axTLS/httpd/awhttpd/main.c
pid = fork(); pid = fork();
if(pid > 0) { if(pid > 0) {
status(); - status();
exit(0); exit(0);
} else if(pid == -1) { } else if(pid == -1) {
+#ifdef CONFIG_HTTP_VERBOSE +#ifdef CONFIG_HTTP_VERBOSE
@ -1085,7 +1085,7 @@ diff -Naur awhttpd/main.c axTLS/httpd/awhttpd/main.c
return 0; return 0;
diff -Naur awhttpd/mime_types.c axTLS/httpd/awhttpd/mime_types.c diff -Naur awhttpd/mime_types.c axTLS/httpd/awhttpd/mime_types.c
--- awhttpd/mime_types.c 2004-01-26 01:08:47.000000000 +1000 --- awhttpd/mime_types.c 2004-01-26 01:08:47.000000000 +1000
+++ axTLS/httpd/awhttpd/mime_types.c 2006-08-12 19:16:59.703125000 +1000 +++ axTLS/httpd/awhttpd/mime_types.c 2006-11-15 15:09:14.305636700 +1000
@@ -7,28 +7,21 @@ @@ -7,28 +7,21 @@
*/ */
@ -1170,7 +1170,7 @@ diff -Naur awhttpd/mime_types.c axTLS/httpd/awhttpd/mime_types.c
+ +
diff -Naur awhttpd/misc.c axTLS/httpd/awhttpd/misc.c diff -Naur awhttpd/misc.c axTLS/httpd/awhttpd/misc.c
--- awhttpd/misc.c 2005-01-23 12:59:09.000000000 +1000 --- awhttpd/misc.c 2005-01-23 12:59:09.000000000 +1000
+++ axTLS/httpd/awhttpd/misc.c 2006-08-12 19:16:59.703125000 +1000 +++ axTLS/httpd/awhttpd/misc.c 2006-11-15 15:09:14.321262200 +1000
@@ -7,33 +7,33 @@ @@ -7,33 +7,33 @@
*/ */
@ -1487,7 +1487,7 @@ diff -Naur awhttpd/misc.c axTLS/httpd/awhttpd/misc.c
+#endif +#endif
diff -Naur awhttpd/net.c axTLS/httpd/awhttpd/net.c diff -Naur awhttpd/net.c axTLS/httpd/awhttpd/net.c
--- awhttpd/net.c 2005-06-04 14:09:52.000000000 +1000 --- awhttpd/net.c 2005-06-04 14:09:52.000000000 +1000
+++ axTLS/httpd/awhttpd/net.c 2006-08-12 19:16:59.703125000 +1000 +++ axTLS/httpd/awhttpd/net.c 2006-11-15 15:09:14.352513200 +1000
@@ -8,9 +8,7 @@ @@ -8,9 +8,7 @@
@ -1598,7 +1598,7 @@ diff -Naur awhttpd/net.c axTLS/httpd/awhttpd/net.c
diff -Naur awhttpd/permcheck.c axTLS/httpd/awhttpd/permcheck.c diff -Naur awhttpd/permcheck.c axTLS/httpd/awhttpd/permcheck.c
--- awhttpd/permcheck.c 2005-01-23 06:49:29.000000000 +1000 --- awhttpd/permcheck.c 2005-01-23 06:49:29.000000000 +1000
+++ axTLS/httpd/awhttpd/permcheck.c 2006-08-12 19:16:59.703125000 +1000 +++ axTLS/httpd/awhttpd/permcheck.c 2006-11-15 15:09:14.368138700 +1000
@@ -7,21 +7,23 @@ @@ -7,21 +7,23 @@
*/ */
@ -1689,7 +1689,7 @@ diff -Naur awhttpd/permcheck.c axTLS/httpd/awhttpd/permcheck.c
+#endif /* CONFIG_HTTP_PERM_CHECK */ +#endif /* CONFIG_HTTP_PERM_CHECK */
diff -Naur awhttpd/proc.c axTLS/httpd/awhttpd/proc.c diff -Naur awhttpd/proc.c axTLS/httpd/awhttpd/proc.c
--- awhttpd/proc.c 2005-01-23 10:59:41.000000000 +1000 --- awhttpd/proc.c 2005-01-23 10:59:41.000000000 +1000
+++ axTLS/httpd/awhttpd/proc.c 2006-08-12 19:16:59.703125000 +1000 +++ axTLS/httpd/awhttpd/proc.c 2006-11-15 15:09:14.399389700 +1000
@@ -13,91 +13,92 @@ @@ -13,91 +13,92 @@
#include <sys/types.h> #include <sys/types.h>
#include <sys/stat.h> #include <sys/stat.h>
@ -2229,7 +2229,7 @@ diff -Naur awhttpd/proc.c axTLS/httpd/awhttpd/proc.c
} }
diff -Naur awhttpd/socket.c axTLS/httpd/awhttpd/socket.c diff -Naur awhttpd/socket.c axTLS/httpd/awhttpd/socket.c
--- awhttpd/socket.c 2004-04-25 13:03:05.000000000 +1000 --- awhttpd/socket.c 2004-04-25 13:03:05.000000000 +1000
+++ axTLS/httpd/awhttpd/socket.c 2006-08-12 19:16:59.718750000 +1000 +++ axTLS/httpd/awhttpd/socket.c 2006-11-15 15:09:14.415015200 +1000
@@ -8,61 +8,17 @@ @@ -8,61 +8,17 @@
@ -2350,7 +2350,7 @@ diff -Naur awhttpd/socket.c axTLS/httpd/awhttpd/socket.c
memset(&(my_addr.sin_zero), 0, 8); // zero the rest of the struct memset(&(my_addr.sin_zero), 0, 8); // zero the rest of the struct
diff -Naur awhttpd/urlencode.c axTLS/httpd/awhttpd/urlencode.c diff -Naur awhttpd/urlencode.c axTLS/httpd/awhttpd/urlencode.c
--- awhttpd/urlencode.c 2004-05-14 10:53:47.000000000 +1000 --- awhttpd/urlencode.c 2004-05-14 10:53:47.000000000 +1000
+++ axTLS/httpd/awhttpd/urlencode.c 2006-08-12 19:16:59.718750000 +1000 +++ axTLS/httpd/awhttpd/urlencode.c 2006-11-15 15:09:14.430640700 +1000
@@ -13,7 +13,7 @@ @@ -13,7 +13,7 @@
#include <ctype.h> #include <ctype.h>

2
samples/c/Makefile
View File

@ -46,7 +46,7 @@ include ../../config/makefile.post
ifndef CONFIG_PLATFORM_WIN32 ifndef CONFIG_PLATFORM_WIN32
$(TARGET): $(OBJ) $(TARGET): $(OBJ) $(LIBS)/libaxtls.a
$(LD) $(LDFLAGS) -o $@ $< -L$(LIBS) -laxtls $(LD) $(LDFLAGS) -o $@ $< -L$(LIBS) -laxtls
ifndef CONFIG_DEBUG ifndef CONFIG_DEBUG
ifndef CONFIG_PLATFORM_SOLARIS ifndef CONFIG_PLATFORM_SOLARIS

22
ssl/asn1.c
View File

@ -42,7 +42,7 @@ static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] =
}; };
/* CN, O, OU */ /* CN, O, OU */
static uint8_t g_dn_types[] = { 3, 10, 11 }; static const uint8_t g_dn_types[] = { 3, 10, 11 };
static int get_asn1_length(const uint8_t *buf, int *offset) static int get_asn1_length(const uint8_t *buf, int *offset)
{ {
@ -152,8 +152,7 @@ int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx)
dQ_len = asn1_get_int(buf, &offset, &dQ); dQ_len = asn1_get_int(buf, &offset, &dQ);
qInv_len = asn1_get_int(buf, &offset, &qInv); qInv_len = asn1_get_int(buf, &offset, &qInv);
if (p_len <= 0 || q_len <= 0 || dP_len <= 0 || if (p_len <= 0 || q_len <= 0 || dP_len <= 0 || dQ_len <= 0 || qInv_len <= 0)
dQ_len <= 0 || qInv_len <= 0)
return X509_INVALID_PRIV_KEY; return X509_INVALID_PRIV_KEY;
RSA_priv_key_new(rsa_ctx, RSA_priv_key_new(rsa_ctx,
@ -191,6 +190,7 @@ static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
memset(&tm, 0, sizeof(struct tm)); memset(&tm, 0, sizeof(struct tm));
tm.tm_year = (buf[t_offset] - '0')*10 + (buf[t_offset+1] - '0'); tm.tm_year = (buf[t_offset] - '0')*10 + (buf[t_offset+1] - '0');
if (tm.tm_year <= 50) /* 1951-2050 thing */ if (tm.tm_year <= 50) /* 1951-2050 thing */
{ {
tm.tm_year += 100; tm.tm_year += 100;
@ -228,8 +228,8 @@ end_version:
static int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) static int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
{ {
return (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 || return (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 ||
asn1_get_utc_time(cert, offset, &x509_ctx->not_before) || asn1_get_utc_time(cert, offset, &x509_ctx->not_before) ||
asn1_get_utc_time(cert, offset, &x509_ctx->not_after)); asn1_get_utc_time(cert, offset, &x509_ctx->not_after));
} }
/** /**
@ -259,15 +259,13 @@ end_oid:
/** /**
* Obtain an ASN.1 printable string type. * Obtain an ASN.1 printable string type.
*/ */
static int asn1_get_printable_str(const uint8_t *buf, static int asn1_get_printable_str(const uint8_t *buf, int *offset, char **str)
int *offset, char **str)
{ {
int len = X509_NOT_OK; int len = X509_NOT_OK;
/* some certs have this awful crud in them for some reason */ /* some certs have this awful crud in them for some reason */
if (buf[*offset] != ASN1_PRINTABLE_STR && if (buf[*offset] != ASN1_PRINTABLE_STR &&
buf[*offset] != ASN1_TELETEX_STR && buf[*offset] != ASN1_TELETEX_STR && buf[*offset] != ASN1_IA5_STR)
buf[*offset] != ASN1_IA5_STR)
goto end_pnt_str; goto end_pnt_str;
(*offset)++; (*offset)++;
@ -334,8 +332,7 @@ end_name:
/** /**
* Read the modulus and public exponent of a certificate. * Read the modulus and public exponent of a certificate.
*/ */
static int asn1_public_key(const uint8_t *cert, int *offset, static int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
X509_CTX *x509_ctx)
{ {
int ret = X509_NOT_OK, mod_len, pub_len; int ret = X509_NOT_OK, mod_len, pub_len;
uint8_t *modulus, *pub_exp; uint8_t *modulus, *pub_exp;
@ -353,8 +350,7 @@ static int asn1_public_key(const uint8_t *cert, int *offset,
mod_len = asn1_get_int(cert, offset, &modulus); mod_len = asn1_get_int(cert, offset, &modulus);
pub_len = asn1_get_int(cert, offset, &pub_exp); pub_len = asn1_get_int(cert, offset, &pub_exp);
RSA_pub_key_new(&x509_ctx->rsa_ctx, RSA_pub_key_new(&x509_ctx->rsa_ctx, modulus, mod_len, pub_exp, pub_len);
modulus, mod_len, pub_exp, pub_len);
free(modulus); free(modulus);
free(pub_exp); free(pub_exp);

132
ssl/p12.c
View File

@ -57,9 +57,14 @@
#ifdef CONFIG_SSL_USE_PKCS12 #ifdef CONFIG_SSL_USE_PKCS12
#define BLOCK_SIZE 64 #define BLOCK_SIZE 64
#define PKCS12_KEY_ID 1
#define PKCS12_IV_ID 2
#define PKCS12_MAC_ID 3
static int p8_decrypt(const char *password, const uint8_t *salt, int iter, static char *make_uni_pass(const char *password, int *uni_pass_len);
uint8_t *priv_key, int priv_key_len); static int p8_decrypt(const char *uni_pass, int uni_pass_len,
const uint8_t *salt, int iter,
uint8_t *priv_key, int priv_key_len, int id);
static int p8_add_key(SSLCTX *ssl_ctx, uint8_t *priv_key); static int p8_add_key(SSLCTX *ssl_ctx, uint8_t *priv_key);
static int get_pbe_params(uint8_t *buf, int *offset, static int get_pbe_params(uint8_t *buf, int *offset,
const uint8_t **salt, int *iterations); const uint8_t **salt, int *iterations);
@ -76,6 +81,8 @@ int pkcs8_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
uint8_t *version = NULL; uint8_t *version = NULL;
const uint8_t *salt; const uint8_t *salt;
uint8_t *priv_key; uint8_t *priv_key;
int uni_pass_len;
char *uni_pass = make_uni_pass(password, &uni_pass_len);
if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0) if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0)
{ {
@ -100,11 +107,13 @@ int pkcs8_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
priv_key = &buf[offset]; priv_key = &buf[offset];
p8_decrypt(password, salt, iterations, priv_key, len); p8_decrypt(uni_pass, uni_pass_len, salt,
iterations, priv_key, len, PKCS12_KEY_ID);
ret = p8_add_key(ssl_ctx, priv_key); ret = p8_add_key(ssl_ctx, priv_key);
error: error:
free(version); free(version);
free(uni_pass);
return ret; return ret;
} }
@ -132,20 +141,12 @@ error:
} }
/* /*
* Decrypt a pkcs8 block. * Create the unicode password
*/ */
static int p8_decrypt(const char *password, const uint8_t *salt, int iter, static char *make_uni_pass(const char *password, int *uni_pass_len)
uint8_t *priv_key, int priv_key_len)
{ {
uint8_t p[BLOCK_SIZE*2]; int pass_len = 0, i;
uint8_t d[BLOCK_SIZE]; char *uni_pass;
uint8_t Ai[SHA1_SIZE];
SHA1_CTX sha_ctx;
RC4_CTX rc4_ctx;
uint8_t *uni_pass = NULL;
int i;
int uni_pass_len = 0;
int id = 1; /* key id */
if (password == NULL) if (password == NULL)
{ {
@ -157,12 +158,29 @@ static int p8_decrypt(const char *password, const uint8_t *salt, int iter,
/* modify the password into a unicode version */ /* modify the password into a unicode version */
for (i = 0; i < (int)strlen(password); i++) for (i = 0; i < (int)strlen(password); i++)
{ {
uni_pass[uni_pass_len++] = 0; uni_pass[pass_len++] = 0;
uni_pass[uni_pass_len++] = password[i]; uni_pass[pass_len++] = password[i];
} }
uni_pass[uni_pass_len++] = 0; /* null terminate */ uni_pass[pass_len++] = 0; /* null terminate */
uni_pass[uni_pass_len++] = 0; uni_pass[pass_len++] = 0;
*uni_pass_len = pass_len;
return uni_pass;
}
/*
* Decrypt a pkcs8 block.
*/
static int p8_decrypt(const char *uni_pass, int uni_pass_len,
const uint8_t *salt, int iter,
uint8_t *priv_key, int priv_key_len, int id)
{
uint8_t p[BLOCK_SIZE*2];
uint8_t d[BLOCK_SIZE];
uint8_t Ai[SHA1_SIZE];
SHA1_CTX sha_ctx;
RC4_CTX rc4_ctx;
int i;
for (i = 0; i < BLOCK_SIZE; i++) for (i = 0; i < BLOCK_SIZE; i++)
{ {
@ -185,9 +203,14 @@ static int p8_decrypt(const char *password, const uint8_t *salt, int iter,
} }
/* do the decryption */ /* do the decryption */
RC4_setup(&rc4_ctx, Ai, 16); if (id == PKCS12_KEY_ID)
RC4_crypt(&rc4_ctx, priv_key, priv_key, priv_key_len); {
free(uni_pass); RC4_setup(&rc4_ctx, Ai, 16);
RC4_crypt(&rc4_ctx, priv_key, priv_key, priv_key_len);
}
else /* MAC */
memcpy(priv_key, Ai, SHA1_SIZE);
return 0; return 0;
} }
@ -198,13 +221,16 @@ static int p8_decrypt(const char *password, const uint8_t *salt, int iter,
int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password) int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
{ {
uint8_t *buf = ssl_obj->buf; uint8_t *buf = ssl_obj->buf;
int all_ok = 0, len, iterations, key_offset, offset = 0; int all_ok = 0, len, iterations, auth_safes_start,
auth_safes_end, auth_safes_len, key_offset, offset = 0;
int all_certs = 0; int all_certs = 0;
uint8_t *version = NULL, *cert, *mac; uint8_t *version = NULL, *auth_safes = NULL, *cert, *orig_mac;
SHA1_CTX sha_ctx; char key[SHA1_SIZE];
char sha[SHA1_SIZE]; char mac[SHA1_SIZE];
const uint8_t *salt; const uint8_t *salt;
int ret; int uni_pass_len, ret;
int error_code = SSL_ERROR_NOT_SUPPORTED;
char *uni_pass = make_uni_pass(password, &uni_pass_len);
static const uint8_t pkcs_data[] = /* pkc7 data */ static const uint8_t pkcs_data[] = /* pkc7 data */
{ 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 }; { 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x07, 0x01 };
static const uint8_t pkcs_encrypted[] = /* pkc7 encrypted */ static const uint8_t pkcs_encrypted[] = /* pkc7 encrypted */
@ -221,14 +247,10 @@ int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
} }
if (asn1_get_int(buf, &offset, &version) < 0 || *version != 3) if (asn1_get_int(buf, &offset, &version) < 0 || *version != 3)
{
error_code = SSL_ERROR_INVALID_VERSION;
goto error; goto error;
}
/* work out the MAC of this bit */
key_offset = offset;
asn1_skip_obj(buf, &key_offset, ASN1_SEQUENCE);
SHA1Init(&sha_ctx);
SHA1Update(&sha_ctx, &buf[offset], key_offset-offset);
SHA1Final(&sha_ctx, sha);
/* remove all the boring pcks7 bits */ /* remove all the boring pcks7 bits */
if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 || if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
@ -240,8 +262,18 @@ int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
offset += len; offset += len;
if (asn1_next_obj(buf, &offset, ASN1_EXPLICIT_TAG) < 0 || if (asn1_next_obj(buf, &offset, ASN1_EXPLICIT_TAG) < 0 ||
asn1_next_obj(buf, &offset, ASN1_OCTET_STRING) < 0 || asn1_next_obj(buf, &offset, ASN1_OCTET_STRING) < 0)
asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 || goto error;
/* work out the MAC start/end points (done on AuthSafes) */
auth_safes_start = offset;
auth_safes_end = offset;
asn1_skip_obj(buf, &auth_safes_end, ASN1_SEQUENCE);
auth_safes_len = auth_safes_end - auth_safes_start;
auth_safes = malloc(auth_safes_len);
memcpy(auth_safes, &buf[auth_safes_start], auth_safes_len);
if (asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 || asn1_next_obj(buf, &offset, ASN1_SEQUENCE) < 0 ||
(len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 || (len = asn1_next_obj(buf, &offset, ASN1_OID)) < 0 ||
(len != sizeof(pkcs_encrypted) || (len != sizeof(pkcs_encrypted) ||
@ -268,7 +300,8 @@ int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
/* decrypt the certificate */ /* decrypt the certificate */
cert = &buf[offset]; cert = &buf[offset];
if ((ret = p8_decrypt(password, salt, iterations, cert, len)) < 0) if ((ret = p8_decrypt(uni_pass, uni_pass_len, salt, iterations, cert,
len, PKCS12_KEY_ID)) < 0)
goto error; goto error;
offset += len; offset += len;
@ -327,7 +360,8 @@ int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
/* decrypt the private key */ /* decrypt the private key */
cert = &buf[offset]; cert = &buf[offset];
if ((ret = p8_decrypt(password, salt, iterations, cert, len)) < 0) if ((ret = p8_decrypt(uni_pass, uni_pass_len, salt, iterations, cert,
len, PKCS12_KEY_ID)) < 0)
goto error; goto error;
offset += len; offset += len;
@ -348,28 +382,34 @@ int pkcs12_decode(SSLCTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
len != SHA1_SIZE) len != SHA1_SIZE)
goto error; goto error;
mac = &buf[offset]; orig_mac = &buf[offset];
offset += len; offset += len;
/* get the salt */ /* get the salt */
if ((len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0 || if ((len = asn1_next_obj(buf, &offset, ASN1_OCTET_STRING)) < 0 || len != 8)
len != 8)
goto error; goto error;
salt = &buf[offset]; salt = &buf[offset];
/* work out what the mac should be */ /* work out what the mac should be */
if ((ret = p8_decrypt(password, salt, iterations, mac, SHA1_SIZE)) < 0) if ((ret = p8_decrypt(uni_pass, uni_pass_len, salt, iterations,
key, SHA1_SIZE, PKCS12_MAC_ID)) < 0)
goto error; goto error;
/* TODO: actually memcmp the MAC - there is something wrong at the moment */ hmac_sha1(auth_safes, auth_safes_len, key, SHA1_SIZE, mac);
/* print_blob("MAC orig", sha, SHA1_SIZE); */
/* print_blob("MAC calc", mac, SHA1_SIZE); */ if (memcmp(mac, orig_mac, SHA1_SIZE))
{
error_code = SSL_ERROR_INVALID_HMAC;
goto error;
}
all_ok = 1; all_ok = 1;
error: error:
free(version); free(version);
return all_ok ? SSL_OK : SSL_ERROR_NOT_SUPPORTED; free(uni_pass);
free(auth_safes);
return all_ok ? SSL_OK : error_code;
} }
/* /*

40
ssl/test/ssltest.c
View File

@ -1083,34 +1083,34 @@ int SSL_server_tests(void)
TTY_FLUSH(); TTY_FLUSH();
/* /*
* PKCS 8 key (encrypted) * PKCS#8 key (encrypted)
*/ */
if ((ret = SSL_server_test(NULL, "pkcs 8 encrypted", "-cipher RC4-SHA", if ((ret = SSL_server_test(NULL, "pkcs#8 encrypted", "-cipher RC4-SHA",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.encrypted.p8", NULL, "abcd", DEFAULT_CERT, NULL, "../ssl/test/axTLS.encrypted.p8",
DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* PKCS 8 key (unencrypted)
*/
if ((ret = SSL_server_test(NULL, "pkcs 8 unencrypted", "-cipher RC4-SHA",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted.p8", NULL, NULL,
DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* PKCS 12 key/certificate
*/
if ((ret = SSL_server_test(NULL, "pkcs 12 no CA", "-cipher RC4-SHA",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.withoutCA.p12",
NULL, "abcd", DEFAULT_SVR_OPTION))) NULL, "abcd", DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
if ((ret = SSL_server_test(NULL, "pkcs 12 with CA", "-cipher RC4-SHA", /*
* PKCS#8 key (unencrypted)
*/
if ((ret = SSL_server_test(NULL, "pkcs#8 unencrypted", "-cipher RC4-SHA",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted.p8",
NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* PKCS#12 key/certificate
*/
if ((ret = SSL_server_test(NULL, "pkcs#12 with CA", "-cipher RC4-SHA",
NULL, NULL, "../ssl/test/axTLS.withCA.p12", NULL, NULL, "../ssl/test/axTLS.withCA.p12",
NULL, "abcd", DEFAULT_SVR_OPTION))) NULL, "abcd", DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
if ((ret = SSL_server_test(NULL, "pkcs#12 no CA", "-cipher RC4-SHA",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.withoutCA.p12",
NULL, "abcd", DEFAULT_SVR_OPTION)))
goto cleanup;
ret = 0; ret = 0;
cleanup: cleanup: