Removed os_port.h dependency. Fixed CA number issue (default now 120).

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@188 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
2025-06-06 05:21:22 +03:00 · 2011-01-03 23:08:49 +00:00 · 2011-01-03 23:08:49 +00:00 · f5dbc8875e
commit f5dbc8875e
parent b8d6697ef8
20 changed files with 8062 additions and 21 deletions
--- a/1
+++ b/1
@ -108,6 +108,7 @@ endif
 	install -m 644 ssl/*.h $(PREFIX)/include/axTLS
 	-rm $(PREFIX)/include/axTLS/cert.h
 	-rm $(PREFIX)/include/axTLS/private_key.h
+	-rm $(PREFIX)/include/axTLS/os_port.h
 	install -m 644 config/config.h $(PREFIX)/include/axTLS

 installclean:
--- a/crypto/aes.c
+++ b/crypto/aes.c
@ -35,6 +35,7 @@
 */

 #include <string.h>
+#include "os_port.h"
 #include "crypto.h"

 /* all commented out in skeleton mode */
--- a/crypto/bigint.c
+++ b/crypto/bigint.c
@ -65,6 +65,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <time.h>
+#include "os_port.h"
 #include "bigint.h"

 #define V1      v->comps[v->size-1]                 /**< v1 for division */
@ -953,13 +954,12 @@ static bigint *regular_square(BI_CTX *ctx, bigint *bi)
    do
    {
        long_comp tmp = w[2*i] + (long_comp)x[i]*x[i];
-        uint8_t c = 0;
        w[2*i] = (comp)tmp;
        carry = tmp >> COMP_BIT_SIZE;

        for (j = i+1; j < t; j++)
        {
-            c = 0;
+            uint8_t c = 0;
            long_comp xx = (long_comp)x[i]*x[j];
            if (COMP_MAX-xx < xx)
                c = 1;
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@ -40,10 +40,17 @@ extern "C" {
 #endif

 #include "config.h"
-#include "os_port.h"
 #include "bigint_impl.h"
 #include "bigint.h"

+#ifndef STDCALL
+#define STDCALL
+#endif
+#ifndef EXP_FUNC
+#define EXP_FUNC
+#endif
+
+
 /* enable features based on a 'super-set' capbaility. */
 #if defined(CONFIG_SSL_FULL_MODE) 
 #define CONFIG_SSL_ENABLE_CLIENT
--- a/crypto/crypto_misc.c
+++ b/crypto/crypto_misc.c
@ -36,6 +36,7 @@
 #include <string.h>
 #include <stdarg.h>
 #include <stdio.h>
+#include "os_port.h"
 #include "crypto_misc.h"
 #ifdef CONFIG_WIN32_USE_CRYPTO_LIB
 #include "wincrypt.h"
--- a/crypto/hmac.c
+++ b/crypto/hmac.c
@ -33,6 +33,7 @@
 */

 #include <string.h>
+#include "os_port.h"
 #include "crypto.h"

 /**
--- a/crypto/md2.c
+++ b/crypto/md2.c
@ -38,7 +38,7 @@

 #include <string.h>
 #include <stdio.h>
-
+#include "os_port.h"
 #include "crypto.h"

 /**
--- a/crypto/md5.c
+++ b/crypto/md5.c
@ -33,6 +33,7 @@
 */

 #include <string.h>
+#include "os_port.h"
 #include "crypto.h"

 /* Constants for MD5Transform routine.
--- a/crypto/rc4.c
+++ b/crypto/rc4.c
@ -34,6 +34,7 @@
 */

 #include <string.h>
+#include "os_port.h"
 #include "crypto.h"

 /**
--- a/crypto/rsa.c
+++ b/crypto/rsa.c
@ -37,6 +37,7 @@
 #include <string.h>
 #include <time.h>
 #include <stdlib.h>
+#include "os_port.h"
 #include "crypto.h"

 void RSA_priv_key_new(RSA_CTX **ctx, 
--- a/crypto/sha1.c
+++ b/crypto/sha1.c
@ -34,6 +34,7 @@
 */

 #include <string.h>
+#include "os_port.h"
 #include "crypto.h"

 /*
--- a/httpd/axhttp.h
+++ b/httpd/axhttp.h
@ -28,6 +28,7 @@
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

+#include "os_port.h"
 #include "ssl.h"

 #define BACKLOG 15
--- a/httpd/htpasswd.c
+++ b/httpd/htpasswd.c
@ -31,6 +31,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include "os_port.h"
 #include "ssl.h"

 int tfd;
--- a/samples/c/axssl.c
+++ b/samples/c/axssl.c
@ -46,6 +46,7 @@
 #include <string.h>
 #include <stdio.h>
 #include <stdlib.h>
+#include "os_port.h"
 #include "ssl.h"

 /* define standard input */
--- a/ssl/Config.in
+++ b/ssl/Config.in
@ -252,7 +252,7 @@ config CONFIG_SSL_EXPIRY_TIME

 config CONFIG_X509_MAX_CA_CERTS
    int "Maximum number of certificate authorites"
-    default 4
+    default 120 if CONFIG_SSL_CERT_VERIFICATION
    depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
    help
        Determines the number of CA's allowed. 
@ -260,11 +260,11 @@ config CONFIG_X509_MAX_CA_CERTS
        Increase this figure if more trusted sites are allowed. Each
        certificate adds about 300 bytes (when added).

-        The default is to allow four certification authorities.
+        The default is to allow the Debian cert bundle to be parsed.

 config CONFIG_SSL_MAX_CERTS
    int "Maximum number of chained certificates"
-    default 2
+    default 3
    help
        Determines the number of certificates used in a certificate
        chain. The chain length must be at least 1.
@ -272,8 +272,7 @@ config CONFIG_SSL_MAX_CERTS
        Increase this figure if more certificates are to be added to the 
        chain. Each certificate adds about 300 bytes (when added).

-        The default is to allow one certificate + 1 certificate in the chain
-        (which may be the certificate authority certificate).
+        The default is to allow one certificate + 2 certificates in the chain.

 config CONFIG_SSL_CTX_MUTEXING
    bool "Enable SSL_CTX mutexing"
--- a/ssl/os_port.h
+++ b/ssl/os_port.h
@ -152,7 +152,7 @@ EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size);

 #define SOCKET_READ(A,B,C)      read(A,B,C)
 #define SOCKET_WRITE(A,B,C)     write(A,B,C)
-#define SOCKET_CLOSE(A)         close(A)
+#define SOCKET_CLOSE(A)         if (A >= 0) close(A)
 #define SOCKET_BLOCK(A)         int fd = fcntl(A, F_GETFL, NULL); \
                                fcntl(A, F_SETFL, fd & ~O_NONBLOCK)
 #define TTY_FLUSH()
--- a/ssl/ssl.h
+++ b/ssl/ssl.h
@ -68,7 +68,6 @@ extern "C" {
 #endif

 #include <time.h>
-//#include "crypto.h"

 /* need to predefine before ssl_lib.h gets to it */
 #define SSL_SESSION_ID_SIZE                     32
--- a/ssl/test/ca-bundle.crt
+++ b/ssl/test/ca-bundle.crt
--- a/ssl/test/ssltest.c
+++ b/ssl/test/ssltest.c
@ -47,6 +47,7 @@
 #include <pthread.h>
 #endif

+#include "os_port.h"
 #include "ssl.h"

 #define DEFAULT_CERT            "../ssl/test/axTLS.x509_512.cer"
@ -694,6 +695,16 @@ static int cert_tests(void)
    x509_free(x509_ctx);
    free(buf);

+    ssl_ctx = ssl_ctx_new(0, 0);
+    if (ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, 
+            "../ssl/test/ca-bundle.crt", NULL))
+    {
+        printf("Cert #10\n");
+        goto bad_cert;
+    }
+
+    ssl_ctx_free(ssl_ctx);
+
    res = 0;        /* all ok */
    printf("All Certificate tests passed\n");

@ -1008,7 +1019,8 @@ int SSL_server_tests(void)
    /* 
     * 512 bit RSA key 
     */
-    if ((ret = SSL_server_test("512 bit key", "-cipher RC4-SHA", 
+    if ((ret = SSL_server_test("512 bit key", 
+                    "-cipher RC4-SHA", 
                    "../ssl/test/axTLS.x509_512.cer", NULL, 
                    "../ssl/test/axTLS.key_512",
                    NULL, NULL, DEFAULT_SVR_OPTION)))
@ -1018,13 +1030,21 @@ int SSL_server_tests(void)
     * 1024 bit RSA key (check certificate chaining)
     */
    if ((ret = SSL_server_test("1024 bit key", 
-                    "-cipher RC4-SHA", 
-                    "../ssl/test/axTLS.x509_device.cer", 
-                    "../ssl/test/axTLS.x509_512.cer", 
-                    "../ssl/test/axTLS.device_key",
+                    "-cipher RC4-SHA",
+                    "../ssl/test/axTLS.x509_1024.cer", NULL, 
+                    "../ssl/test/axTLS.key_1024",
                    NULL, NULL, DEFAULT_SVR_OPTION)))
        goto cleanup;

+    /* 
+     * 1042 bit RSA key (check certificate chaining)
+     */
+    if ((ret = SSL_server_test("1042 bit key", 
+                    "-cipher RC4-SHA",
+                    "../ssl/test/axTLS.x509_1042.cer", NULL, 
+                    "../ssl/test/axTLS.key_1042",
+                    NULL, NULL, DEFAULT_SVR_OPTION)))
+        goto cleanup;
    /* 
     * 2048 bit RSA key 
     */
@ -1311,7 +1331,7 @@ static int SSL_client_test(
 #endif
    }
    
-    sleep(5);           /* allow server to start */
+    usleep(500000);           /* allow server to start */

    if (*ssl_ctx == NULL)
    {
@ -1354,8 +1374,8 @@ static int SSL_client_test(
            }
        }

-	if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT, 
-				"../ssl/test/axTLS.ca_x509.cer", NULL))
+        if (ssl_obj_load(*ssl_ctx, SSL_OBJ_X509_CACERT, 
+                "../ssl/test/axTLS.ca_x509.cer", NULL))
        {
            printf("could not add cert auth\n"); TTY_FLUSH();
            goto client_test_exit;
@ -1566,6 +1586,23 @@ int SSL_client_tests(void)
    }

    printf("SSL client test \"Expired cert (verify later)\" passed\n");
+
+    /* invalid cert type */
+    if ((ret = SSL_client_test("Error: Invalid certificate type", 
+                    &ssl_ctx,
+                    "-cert ../ssl/test/axTLS.x509_2048.pem "
+                    "-key ../ssl/test/axTLS.key_2048.pem "
+                    "-CAfile ../ssl/test/axTLS.ca_x509.pem "
+                    "-verify 1 ", NULL, DEFAULT_CLNT_OPTION, 
+                    "../ssl/test/axTLS.x509_1024.cer", NULL,
+                    "../ssl/test/axTLS.x509_1024.cer")) 
+                            != SSL_ERROR_INVALID_KEY)
+    {
+        printf("*** Error: %d\n", ret); TTY_FLUSH();
+        goto cleanup;
+    }
+
+    printf("SSL client test \"Invalid certificate type\" passed\n");
    ret = 0;

 cleanup:
--- a/ssl/tls1.c
+++ b/ssl/tls1.c
@ -399,7 +399,7 @@ int add_cert_auth(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
    while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) 
        i++;

-    if (i > CONFIG_X509_MAX_CA_CERTS)
+    if (i >= CONFIG_X509_MAX_CA_CERTS)
    {
 #ifdef CONFIG_SSL_FULL_MODE
        printf("Error: maximum number of CA certs added - change of "
@ -422,7 +422,6 @@ error:
    return ret;
 }

-
 /*
 * Retrieve an X.509 distinguished name component
 */