From f9ee197cffc36911c56c808fb4c46b0581b59e56 Mon Sep 17 00:00:00 2001 From: cameronrich Date: Wed, 29 Aug 2007 09:15:39 +0000 Subject: [PATCH] dir changes - things are broken at the moment git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@116 9a5d90b5-6617-0410-8a86-bb477d3ed2e3 --- Makefile | 2 + bindings/csharp/axTLS.cs | 8 +- bindings/java/Makefile | 33 +-- bindings/lua/Makefile | 24 +-- bindings/perl/Makefile | 30 ++- bindings/vbnet/axTLSvb.vb | 12 +- config/makefile.conf | 2 +- crypto/Makefile | 33 +++ {ssl => crypto}/aes.c | 0 crypto/crypto.h | 129 ++++++++++++ {ssl => crypto}/hmac.c | 32 +-- {ssl => crypto}/md5.c | 10 +- {ssl => crypto}/rc4.c | 0 {ssl => crypto}/sha1.c | 6 +- docsrc/axTLS.dox | 2 +- httpd/Makefile | 2 +- httpd/htpasswd.c | 8 +- httpd/proc.c | 8 +- samples/c/Makefile | 2 +- samples/c/axssl.c | 8 +- samples/csharp/axssl.cs | 3 +- samples/lua/axssl.lua | 7 +- samples/perl/axssl.pl | 7 +- ssl/Makefile | 13 +- ssl/asn1.c | 425 +------------------------------------- ssl/bigint.c | 44 +++- ssl/bigint.h | 7 + ssl/crypto.h | 285 ------------------------- ssl/crypto_misc.c | 2 +- ssl/loader.c | 18 +- ssl/p12.c | 14 +- ssl/rsa.c | 42 +--- ssl/ssl.h | 14 +- ssl/test/Makefile | 2 +- ssl/test/ssltest.c | 30 +-- ssl/tls1.c | 24 ++- ssl/tls1.h | 3 + ssl/tls1_clnt.c | 38 +++- ssl/tls1_svr.c | 2 + www/index.html | 2 +- 40 files changed, 432 insertions(+), 901 deletions(-) create mode 100644 crypto/Makefile rename {ssl => crypto}/aes.c (100%) create mode 100644 crypto/crypto.h rename {ssl => crypto}/hmac.c (76%) rename {ssl => crypto}/md5.c (97%) rename {ssl => crypto}/rc4.c (100%) rename {ssl => crypto}/sha1.c (97%) delete mode 100644 ssl/crypto.h diff --git a/Makefile b/Makefile index 568770c1e..01c2219d8 100644 --- a/Makefile +++ b/Makefile @@ -33,6 +33,7 @@ RELEASE=axTLS-$(VERSION) # standard version target: + $(MAKE) -C crypto $(MAKE) -C ssl ifdef CONFIG_AXHTTPD $(MAKE) -C httpd @@ -100,6 +101,7 @@ test: # tidy up things clean:: + @cd crypto; $(MAKE) clean @cd ssl; $(MAKE) clean @cd httpd; $(MAKE) clean @cd samples; $(MAKE) clean diff --git a/bindings/csharp/axTLS.cs b/bindings/csharp/axTLS.cs index a59209168..a3146f16d 100644 --- a/bindings/csharp/axTLS.cs +++ b/bindings/csharp/axTLS.cs @@ -95,9 +95,10 @@ namespace axTLS */ public byte[] GetSessionId() { - byte[] result = new byte[axtls.SSL_SESSION_ID_SIZE]; IntPtr ptr = axtls.ssl_get_session_id(m_ssl); - Marshal.Copy(ptr, result, 0, axtls.SSL_SESSION_ID_SIZE); + byte sess_id_size = axtls.ssl_get_session_id_size(m_ssl); + byte[] result = new byte[sess_id_size]; + Marshal.Copy(ptr, result, 0, sess_id_size); return result; } @@ -470,7 +471,8 @@ namespace axTLS public SSL Connect(Socket s, byte[] session_id) { int client_fd = s.Handle.ToInt32(); - return new SSL(axtls. ssl_client_new(m_ctx, client_fd, session_id)); + return new SSL(axtls. ssl_client_new(m_ctx, client_fd, session_id, + session_id ? null : session_id.Length)); } } } diff --git a/bindings/java/Makefile b/bindings/java/Makefile index 59aa6203b..0c58c1e7f 100644 --- a/bindings/java/Makefile +++ b/bindings/java/Makefile @@ -16,18 +16,20 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -include ../../config/.config -include ../../config/makefile.conf -include ../../config/makefile.java.conf +AXTLS_HOME=../.. + +include $(AXTLS_HOME)/config/.config +include $(AXTLS_HOME)/config/makefile.conf +include $(AXTLS_HOME)/config/makefile.java.conf all: lib jar -JAR=../../$(STAGE)/axtls.jar +JAR=$(AXTLS_HOME)/$(STAGE)/axtls.jar ifdef CONFIG_PLATFORM_WIN32 -TARGET=../../$(STAGE)/axtlsj.dll +TARGET=$(AXTLS_HOME)/$(STAGE)/axtlsj.dll else -TARGET=../../$(STAGE)/libaxtlsj.so +TARGET=$(AXTLS_HOME)/$(STAGE)/libaxtlsj.so endif lib: $(TARGET) @@ -46,32 +48,19 @@ JAVA_FILES= \ OBJ=axTLSj_wrap.o -AXTLS_HOME=../.. -SSL_HOME=$(AXTLS_HOME)/ssl -CONFIG_HOME=$(AXTLS_HOME)/config JAVA_CLASSES:=$(JAVA_FILES:%.java=classes/axTLSj/%.class) ifdef CONFIG_PLATFORM_WIN32 -CFLAGS += /I"$(shell cygpath -w $(SSL_HOME))" -CFLAGS += /I"$(shell cygpath -w $(CONFIG_HOME))" -LDFLAGS += axtls.lib /libpath:"../../$(STAGE)" +LDFLAGS += axtls.lib /libpath:"$(AXTLS_HOME)/$(STAGE)" -include ../../config/makefile.post +include $(AXTLS_HOME)/config/makefile.post $(TARGET) : $(OBJ) $(LD) $(LDFLAGS) $(LDSHARED) /out:$@ $(OBJ) else # Not Win32 -ifdef CONFIG_PLATFORM_CYGWIN -SSL_HOME:=$(shell cygpath -u $(SSL_HOME)) -CONFIG_HOME:=$(shell cygpath -u $(CONFIG_HOME)) -endif - -CFLAGS += -I$(SSL_HOME) -CFLAGS += -I$(CONFIG_HOME) - $(TARGET) : $(OBJ) - $(LD) $(LDFLAGS) -L ../../$(STAGE) $(LDSHARED) -o $@ $(OBJ) -laxtls + $(LD) $(LDFLAGS) -L $(AXTLS_HOME)/$(STAGE) $(LDSHARED) -o $@ $(OBJ) -laxtls endif jar: $(OBJ) $(JAR) diff --git a/bindings/lua/Makefile b/bindings/lua/Makefile index 30a5e9231..617a0eb89 100644 --- a/bindings/lua/Makefile +++ b/bindings/lua/Makefile @@ -16,36 +16,36 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -include ../../config/.config -include ../../config/makefile.conf +AXTLS_HOME=../.. + +include $(AXTLS_HOME)/config/.config +include $(AXTLS_HOME)/config/makefile.conf all: lib + ifdef CONFIG_PLATFORM_WIN32 -TARGET=../../$(STAGE)/axtlsl.dll +TARGET=$(AXTLS_HOME)/$(STAGE)/axtlsl.dll else -TARGET=../../$(STAGE)/axtlsl.so +TARGET=$(AXTLS_HOME)/$(STAGE)/axtlsl.so endif ifneq ($(MAKECMDGOALS), clean) lib: $(TARGET) -AXTLS_HOME=../.. -SSL_HOME=$(AXTLS_HOME)/ssl -CONFIG_HOME=$(AXTLS_HOME)/config OBJ:=axTLSl_wrap.o -include ../../config/makefile.post +include $(AXTLS_HOME)/config/makefile.post # there are a few static functions that aren't used CFLAGS += -funit-at-a-time $(TARGET) : $(OBJ) - $(LD) $(LDFLAGS) $(LDSHARED) -o $@ $^ -L../../$(STAGE) -L$(CONFIG_LUA_CORE)/lib -laxtls -llua + $(LD) $(LDFLAGS) $(LDSHARED) -o $@ $^ -L$(AXTLS_HOME)/$(STAGE) -L$(CONFIG_LUA_CORE)/lib -laxtls -llua -CFLAGS += -I$(CONFIG_HOME) -I$(SSL_HOME) -I $(CONFIG_LUA_CORE)/include +CFLAGS += -I $(CONFIG_LUA_CORE)/include else -CFLAGS += /I"`cygpath -w $(CONFIG_HOME)`" /I"`cygpath -w $(SSL_HOME)`" /I"`cygpath -w $(CONFIG_LUA_CORE)/include`" -LDFLAGS += axtls.lib /libpath:"../../$(STAGE)" +CFLAGS += /I"`cygpath -w $(CONFIG_LUA_CORE)/include`" +LDFLAGS += axtls.lib /libpath:"$(AXTLS_HOME)/$(STAGE)" $(TARGET) : $(OBJ) $(LD) $(LDFLAGS) $(LDSHARED) /out:$@ $(OBJ) diff --git a/bindings/perl/Makefile b/bindings/perl/Makefile index 71c405510..3f5b15e7d 100644 --- a/bindings/perl/Makefile +++ b/bindings/perl/Makefile @@ -16,15 +16,17 @@ # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # -include ../../config/.config -include ../../config/makefile.conf +AXTLS_HOME=../.. + +include $(AXTLS_HOME)/config/.config +include $(AXTLS_HOME)/config/makefile.conf all: lib ifdef CONFIG_PLATFORM_WIN32 -TARGET=../../$(STAGE)/axtlsp.dll +TARGET=$(AXTLS_HOME)/$(STAGE)/axtlsp.dll else -TARGET=../../$(STAGE)/libaxtlsp.so +TARGET=$(AXTLS_HOME)/$(STAGE)/libaxtlsp.so endif ifneq ($(MAKECMDGOALS), clean) @@ -46,11 +48,8 @@ test_perl: endif lib: $(TARGET) -AXTLS_HOME=../.. -SSL_HOME=$(AXTLS_HOME)/ssl -CONFIG_HOME=$(AXTLS_HOME)/config OBJ:=axTLSp_wrap.o -include ../../config/makefile.post +include $(AXTLS_HOME)/config/makefile.post ifndef CONFIG_PLATFORM_WIN32 # Linux/Unix/Cygwin @@ -60,22 +59,21 @@ ifndef CONFIG_PLATFORM_WIN32 # Linux/Unix/Cygwin # work. # $(TARGET) : $(OBJ) - $(LD) $(LDFLAGS) -L ../../$(STAGE) -L$(PERL5_CORE) $(LDSHARED) -o $@ $(OBJ) -laxtls -lperl + $(LD) $(LDFLAGS) -L$(AXTLS_HOME)/$(STAGE) -L$(PERL5_CORE) $(LDSHARED) -o $@ $(OBJ) -laxtls -lperl ifdef CONFIG_PLATFORM_CYGWIN - cd ../../$(STAGE); ln -sf $(notdir $@) axtlsp.dll + cd $(AXTLS_HOME)/$(STAGE); ln -sf $(notdir $@) axtlsp.dll endif - @install axtlsp.pm ../../$(STAGE) + @install axtlsp.pm $(AXTLS_HOME)/$(STAGE) -CFLAGS += -D_GNU_SOURCE -I$(CONFIG_HOME) -I$(SSL_HOME) -I$(PERL5_CORE) +CFLAGS += -D_GNU_SOURCE -I$(PERL5_CORE) else -CFLAGS += /I"`cygpath -w $(CONFIG_HOME)`" /I"`cygpath -w $(SSL_HOME)`" CFLAGS += /I"$(PERL5_CORE)" -LDFLAGS += $(CONFIG_PERL_LIB) /libpath:"$(PERL5_CORE)" axtls.lib /libpath:"../../$(STAGE)" +LDFLAGS += $(CONFIG_PERL_LIB) /libpath:"$(PERL5_CORE)" axtls.lib /libpath:"$(AXTLS_HOME)/$(STAGE)" $(TARGET) : $(OBJ) $(LD) $(LDFLAGS) $(LDSHARED) /out:$@ $(OBJ) - install axtlsp.pm ../../$(STAGE) + install axtlsp.pm $(AXTLS_HOME)/$(STAGE) endif # WIN32 clean:: - @rm -f $(TARGET) axtls* *.i axTLSp* *.c .depend ../../$(STAGE)/axtlsp.pm + @rm -f $(TARGET) axtls* *.i axTLSp* *.c .depend $(AXTLS_HOME)/$(STAGE)/axtlsp.pm diff --git a/bindings/vbnet/axTLSvb.vb b/bindings/vbnet/axTLSvb.vb index 9cec32c78..32f126321 100644 --- a/bindings/vbnet/axTLSvb.vb +++ b/bindings/vbnet/axTLSvb.vb @@ -46,9 +46,11 @@ Namespace axTLSvb End Function Public Function GetSessionId() As Byte() - Dim result(axtls.SSL_SESSION_ID_SIZE) As Byte Dim ptr As IntPtr = axtls.ssl_get_session_id(m_ssl) - Marshal.Copy(ptr, result, 0, axtls.SSL_SESSION_ID_SIZE) + Dim sess_id_size As Integer = axtls.ssl_get_session_id_size(m_ssl) + + Dim result(sess_id_size) As Byte + Marshal.Copy(ptr, result, 0, sess_id_size) Return result End Function @@ -170,9 +172,11 @@ Namespace axTLSvb End Sub Public Function Connect(ByVal s As Socket, _ - ByVal session_id As Byte()) As SSL + ByVal session_id As Byte(), _ + ByVal sess_id_size As Integer) As SSL Dim client_fd As Integer = s.Handle.ToInt32() - Return New SSL( axtls.ssl_client_new(m_ctx, client_fd, session_id)) + Return New SSL( axtls.ssl_client_new(m_ctx, client_fd, session_id, _ + sess_id_size)) End Function End Class diff --git a/config/makefile.conf b/config/makefile.conf index 829d3bf34..4844e3e5f 100644 --- a/config/makefile.conf +++ b/config/makefile.conf @@ -71,7 +71,7 @@ else # Not Win32 -include .depend -CFLAGS += -I../config +CFLAGS += -I$(AXTLS_HOME)/config -I$(AXTLS_HOME)/ssl -I$(AXTLS_HOME)/crypto LD=$(CC) # Solaris diff --git a/crypto/Makefile b/crypto/Makefile new file mode 100644 index 000000000..c824facc9 --- /dev/null +++ b/crypto/Makefile @@ -0,0 +1,33 @@ +# +# Copyright(C) 2007 Cameron Rich +# +# This library is free software; you can redistribute it and/or modify +# it under the terms of the GNU Lesser General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This library is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU Lesser General Public License for more details. +# +# You should have received a copy of the GNU Lesser General Public License +# along with this library; if not, write to the Free Software +# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +# + +include ../config/.config +include ../config/makefile.conf + +AXTLS_HOME=.. + +OBJ=\ + aes.o \ + hmac.o \ + md5.o \ + rc4.o \ + sha1.o + +all: $(OBJ) + +include ../config/makefile.post diff --git a/ssl/aes.c b/crypto/aes.c similarity index 100% rename from ssl/aes.c rename to crypto/aes.c diff --git a/crypto/crypto.h b/crypto/crypto.h new file mode 100644 index 000000000..ad49646c0 --- /dev/null +++ b/crypto/crypto.h @@ -0,0 +1,129 @@ +/* + * Copyright(C) 2006 Cameron Rich + * + * This library is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this library; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + */ + +/** + * @file crypto.h + */ + +#ifndef HEADER_CRYPTO_H +#define HEADER_CRYPTO_H + +#ifdef __cplusplus +extern "C" { +#endif + +#include "os_port.h" + +/************************************************************************** + * AES declarations + **************************************************************************/ + +#define AES_MAXROUNDS 14 +#define AES_BLOCKSIZE 16 +#define AES_IV_SIZE 16 + +typedef struct aes_key_st +{ + uint16_t rounds; + uint16_t key_size; + uint32_t ks[(AES_MAXROUNDS+1)*8]; + uint8_t iv[AES_IV_SIZE]; +} AES_CTX; + +typedef enum +{ + AES_MODE_128, + AES_MODE_256 +} AES_MODE; + +void AES_set_key(AES_CTX *ctx, const uint8_t *key, + const uint8_t *iv, AES_MODE mode); +void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg, + uint8_t *out, int length); +void AES_cbc_decrypt(AES_CTX *ks, const uint8_t *in, uint8_t *out, int length); +void AES_convert_key(AES_CTX *ctx); + +/************************************************************************** + * RC4 declarations + **************************************************************************/ + +typedef struct +{ + uint8_t x, y, m[256]; +} RC4_CTX; + +void RC4_setup(RC4_CTX *s, const uint8_t *key, int length); +void RC4_crypt(RC4_CTX *s, const uint8_t *msg, uint8_t *data, int length); + +/************************************************************************** + * SHA1 declarations + **************************************************************************/ + +#define SHA1_SIZE 20 + +/* + * This structure will hold context information for the SHA-1 + * hashing operation + */ +typedef struct +{ + uint32_t Intermediate_Hash[SHA1_SIZE/4]; /* Message Digest */ + uint32_t Length_Low; /* Message length in bits */ + uint32_t Length_High; /* Message length in bits */ + uint16_t Message_Block_Index; /* Index into message block array */ + uint8_t Message_Block[64]; /* 512-bit message blocks */ +} SHA1_CTX; + +void SHA1_Init(SHA1_CTX *); +void SHA1_Update(SHA1_CTX *, const uint8_t * msg, int len); +void SHA1_Final(uint8_t *digest, SHA1_CTX *); + +/************************************************************************** + * MD5 declarations + **************************************************************************/ + +/* MD5 context. */ + +#define MD5_SIZE 16 + +typedef struct +{ + uint32_t state[4]; /* state (ABCD) */ + uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */ + uint8_t buffer[64]; /* input buffer */ +} MD5_CTX; + +EXP_FUNC void STDCALL MD5_Init(MD5_CTX *); +EXP_FUNC void STDCALL MD5_Update(MD5_CTX *, const uint8_t *msg, int len); +EXP_FUNC void STDCALL MD5_Final(uint8_t *digest, MD5_CTX *); + +/************************************************************************** + * HMAC declarations + **************************************************************************/ +void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, + int key_len, uint8_t *digest); +void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, + int key_len, uint8_t *digest); + + + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/ssl/hmac.c b/crypto/hmac.c similarity index 76% rename from ssl/hmac.c rename to crypto/hmac.c index 8ac6ad3c1..880a21c05 100644 --- a/ssl/hmac.c +++ b/crypto/hmac.c @@ -45,14 +45,14 @@ void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, k_opad[i] ^= 0x5c; } - MD5Init(&context); - MD5Update(&context, k_ipad, 64); - MD5Update(&context, msg, length); - MD5Final(&context, digest); - MD5Init(&context); - MD5Update(&context, k_opad, 64); - MD5Update(&context, digest, MD5_SIZE); - MD5Final(&context, digest); + MD5_Init(&context); + MD5_Update(&context, k_ipad, 64); + MD5_Update(&context, msg, length); + MD5_Final(digest, &context); + MD5_Init(&context); + MD5_Update(&context, k_opad, 64); + MD5_Update(&context, digest, MD5_SIZE); + MD5_Final(digest, &context); } /** @@ -77,12 +77,12 @@ void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, k_opad[i] ^= 0x5c; } - SHA1Init(&context); - SHA1Update(&context, k_ipad, 64); - SHA1Update(&context, msg, length); - SHA1Final(&context, digest); - SHA1Init(&context); - SHA1Update(&context, k_opad, 64); - SHA1Update(&context, digest, SHA1_SIZE); - SHA1Final(&context, digest); + SHA1_Init(&context); + SHA1_Update(&context, k_ipad, 64); + SHA1_Update(&context, msg, length); + SHA1_Final(digest, &context); + SHA1_Init(&context); + SHA1_Update(&context, k_opad, 64); + SHA1_Update(&context, digest, SHA1_SIZE); + SHA1_Final(digest, &context); } diff --git a/ssl/md5.c b/crypto/md5.c similarity index 97% rename from ssl/md5.c rename to crypto/md5.c index 39272d998..caf21aa63 100644 --- a/ssl/md5.c +++ b/crypto/md5.c @@ -90,7 +90,7 @@ static const uint8_t PADDING[64] = /** * MD5 initialization - begins an MD5 operation, writing a new ctx. */ -EXP_FUNC void STDCALL MD5Init(MD5_CTX *ctx) +EXP_FUNC void STDCALL MD5_Init(MD5_CTX *ctx) { ctx->count[0] = ctx->count[1] = 0; @@ -105,7 +105,7 @@ EXP_FUNC void STDCALL MD5Init(MD5_CTX *ctx) /** * Accepts an array of octets as the next portion of the message. */ -EXP_FUNC void STDCALL MD5Update(MD5_CTX *ctx, const uint8_t * msg, int len) +EXP_FUNC void STDCALL MD5_Update(MD5_CTX *ctx, const uint8_t * msg, int len) { uint32_t x; int i, partLen; @@ -141,7 +141,7 @@ EXP_FUNC void STDCALL MD5Update(MD5_CTX *ctx, const uint8_t * msg, int len) /** * Return the 128-bit message digest into the user's array */ -EXP_FUNC void STDCALL MD5Final(MD5_CTX *ctx, uint8_t *digest) +EXP_FUNC void STDCALL MD5_Final(uint8_t *digest, MD5_CTX *ctx) { uint8_t bits[8]; uint32_t x, padLen; @@ -153,10 +153,10 @@ EXP_FUNC void STDCALL MD5Final(MD5_CTX *ctx, uint8_t *digest) */ x = (uint32_t)((ctx->count[0] >> 3) & 0x3f); padLen = (x < 56) ? (56 - x) : (120 - x); - MD5Update(ctx, PADDING, padLen); + MD5_Update(ctx, PADDING, padLen); /* Append length (before padding) */ - MD5Update(ctx, bits, 8); + MD5_Update(ctx, bits, 8); /* Store state in digest */ Encode(digest, ctx->state, MD5_SIZE); diff --git a/ssl/rc4.c b/crypto/rc4.c similarity index 100% rename from ssl/rc4.c rename to crypto/rc4.c diff --git a/ssl/sha1.c b/crypto/sha1.c similarity index 97% rename from ssl/sha1.c rename to crypto/sha1.c index 3feb6d54c..69110d487 100644 --- a/ssl/sha1.c +++ b/crypto/sha1.c @@ -37,7 +37,7 @@ static void SHA1ProcessMessageBlock(SHA1_CTX *ctx); /** * Initialize the SHA1 context */ -void SHA1Init(SHA1_CTX *ctx) +void SHA1_Init(SHA1_CTX *ctx) { ctx->Length_Low = 0; ctx->Length_High = 0; @@ -52,7 +52,7 @@ void SHA1Init(SHA1_CTX *ctx) /** * Accepts an array of octets as the next portion of the message. */ -void SHA1Update(SHA1_CTX *ctx, const uint8_t *msg, int len) +void SHA1_Update(SHA1_CTX *ctx, const uint8_t *msg, int len) { while (len--) { @@ -72,7 +72,7 @@ void SHA1Update(SHA1_CTX *ctx, const uint8_t *msg, int len) /** * Return the 160-bit message digest into the user's array */ -void SHA1Final(SHA1_CTX *ctx, uint8_t *digest) +void SHA1_Final(uint8_t *digest, SHA1_CTX *ctx) { int i; diff --git a/docsrc/axTLS.dox b/docsrc/axTLS.dox index e4763d6f3..678023768 100644 --- a/docsrc/axTLS.dox +++ b/docsrc/axTLS.dox @@ -1005,7 +1005,7 @@ INCLUDE_FILE_PATTERNS = # undefined via #undef or recursively expanded use the := operator # instead of the = operator. -PREDEFINED = CONFIG_SSL_CERT_VERIFICATION CONFIG_SSL_ENABLE_CLIENT CONFIG_SSL_MAX_CLNT_SESSIONS=1 CONFIG_BIGINT_MONTGOMERY CONFIG_BIGINT_BARRETT EXP_FUNC="" STDCALL="" +PREDEFINED = CONFIG_SSL_CERT_VERIFICATION CONFIG_SSL_ENABLE_CLIENT CONFIG_SSL_MAX_CLNT_SESSIONS=1 CONFIG_BIGINT_MONTGOMERY CONFIG_BIGINT_BARRETT CONFIG_BIGINT_CRT EXP_FUNC="" STDCALL="" # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then # this tag can be used to specify a list of macro names that should be expanded. diff --git a/httpd/Makefile b/httpd/Makefile index da173fa3d..8daae7690 100644 --- a/httpd/Makefile +++ b/httpd/Makefile @@ -37,7 +37,7 @@ else LIBS=-L../$(STAGE) -laxtls endif -CFLAGS += -I../ssl +AXTLS_HOME=.. ifdef CONFIG_HTTP_BUILD_LUA lua: kepler-1.1 diff --git a/httpd/htpasswd.c b/httpd/htpasswd.c index f188cdd14..f4e26814a 100644 --- a/httpd/htpasswd.c +++ b/httpd/htpasswd.c @@ -112,10 +112,10 @@ int main(int argc, char *argv[]) RNG_terminate(); base64_encode(md5_salt, MD5_SIZE, b64_salt, sizeof(b64_salt)); - MD5Init(&ctx); - MD5Update(&ctx, md5_salt, MD5_SIZE); - MD5Update(&ctx, (uint8_t *)pw, strlen(pw)); - MD5Final(&ctx, md5_pass); + MD5_Init(&ctx); + MD5_Update(&ctx, md5_salt, MD5_SIZE); + MD5_Update(&ctx, (uint8_t *)pw, strlen(pw)); + MD5_Final(md5_pass, &ctx); base64_encode(md5_pass, MD5_SIZE, b64_pass, sizeof(b64_pass)); printf("Add the following to your '.htpasswd' file\n"); diff --git a/httpd/proc.c b/httpd/proc.c index 0e4b3e526..8a760039e 100644 --- a/httpd/proc.c +++ b/httpd/proc.c @@ -903,10 +903,10 @@ static int check_digest(char *salt, const char *msg_passwd) return -1; /* very simple MD5 crypt algorithm, but then the salt we use is large */ - MD5Init(&ctx); - MD5Update(&ctx, b256_salt, salt_size); /* process the salt */ - MD5Update(&ctx, (uint8_t *)msg_passwd, strlen(msg_passwd)); - MD5Final(&ctx, md5_result); + MD5_Init(&ctx); + MD5_Update(&ctx, b256_salt, salt_size); /* process the salt */ + MD5_Update(&ctx, (uint8_t *)msg_passwd, strlen(msg_passwd)); + MD5_Final(md5_result, &ctx); return memcmp(md5_result, real_passwd, MD5_SIZE);/* 0 = ok */ } diff --git a/samples/c/Makefile b/samples/c/Makefile index 0ab81e70f..d4cf848cd 100644 --- a/samples/c/Makefile +++ b/samples/c/Makefile @@ -30,7 +30,7 @@ TARGET=../../$(STAGE)/axssl endif # cygwin LIBS=../../$(STAGE) -CFLAGS += -I../../ssl -I../../config +CFLAGS += -I../../crypto -I../../ssl -I../../config else TARGET=../../$(STAGE)/axssl.exe CFLAGS += /I"..\..\ssl" /I"..\..\config" diff --git a/samples/c/axssl.c b/samples/c/axssl.c index 999f3f8ac..a708fbfc2 100644 --- a/samples/c/axssl.c +++ b/samples/c/axssl.c @@ -607,7 +607,8 @@ static void do_client(int argc, char *argv[]) { while (reconnect--) { - ssl = ssl_client_new(ssl_ctx, client_fd, session_id); + ssl = ssl_client_new(ssl_ctx, client_fd, session_id, + sizeof(session_id)); if ((res = ssl_handshake_status(ssl)) != SSL_OK) { if (!quiet) @@ -635,7 +636,7 @@ static void do_client(int argc, char *argv[]) } else { - ssl = ssl_client_new(ssl_ctx, client_fd, NULL); + ssl = ssl_client_new(ssl_ctx, client_fd, NULL, 0); } /* check the return status */ @@ -854,9 +855,10 @@ static void display_session_id(SSL *ssl) { int i; const uint8_t *session_id = ssl_get_session_id(ssl); + int sess_id_size = ssl_get_session_id_size(ssl); printf("-----BEGIN SSL SESSION PARAMETERS-----\n"); - for (i = 0; i < SSL_SESSION_ID_SIZE; i++) + for (i = 0; i < sess_id_size; i++) { printf("%02x", session_id[i]); } diff --git a/samples/csharp/axssl.cs b/samples/csharp/axssl.cs index 1f1f95b58..665c72dab 100644 --- a/samples/csharp/axssl.cs +++ b/samples/csharp/axssl.cs @@ -508,7 +508,8 @@ public class axssl { while (reconnect-- > 0) { - ssl = ssl_ctx.Connect(client_sock, session_id); + ssl = ssl_ctx.Connect(client_sock, session_id, + axtls.SSL_SESSION_ID_SIZE); if ((res = ssl.HandshakeStatus()) != axtls.SSL_OK) { diff --git a/samples/lua/axssl.lua b/samples/lua/axssl.lua index 68c767860..d6e06b306 100755 --- a/samples/lua/axssl.lua +++ b/samples/lua/axssl.lua @@ -429,10 +429,12 @@ function do_client(build_mode) -- Try session resumption? if reconnect ~= 0 then local session_id = nil + local sess_id_size = 0 + while reconnect > 0 do reconnect = reconnect - 1 ssl = axtlsl.ssl_client_new(ssl_ctx, - client_sock:getfd(), session_id) + client_sock:getfd(), session_id, sess_id_size) res = axtlsl.ssl_handshake_status(ssl) if res ~= axtlsl.SSL_OK then @@ -443,6 +445,7 @@ function do_client(build_mode) display_session_id(ssl) session_id = axtlsl.ssl_get_session_id(ssl) + sess_id_size = axtlsl.ssl_get_session_id_size(ssl) if reconnect > 0 then axtlsl.ssl_free(ssl) @@ -452,7 +455,7 @@ function do_client(build_mode) end else - ssl = axtlsl.ssl_client_new(ssl_ctx, client_sock:getfd(), nil) + ssl = axtlsl.ssl_client_new(ssl_ctx, client_sock:getfd(), nil, 0) end -- check the return status diff --git a/samples/perl/axssl.pl b/samples/perl/axssl.pl index 15b052798..1eb6aac56 100755 --- a/samples/perl/axssl.pl +++ b/samples/perl/axssl.pl @@ -411,9 +411,12 @@ sub do_client if ($reconnect) { my $session_id = undef; + my $sess_id_size = 0; + while ($reconnect--) { - $ssl = axtlsp::ssl_client_new($ssl_ctx, $native_sock, $session_id); + $ssl = axtlsp::ssl_client_new($ssl_ctx, $native_sock, + $session_id, $sess_id_size); $res = axtlsp::ssl_handshake_status($ssl); if ($res != $axtlsp::SSL_OK) @@ -439,7 +442,7 @@ sub do_client } else { - $ssl = axtlsp::ssl_client_new($ssl_ctx, $native_sock, undef); + $ssl = axtlsp::ssl_client_new($ssl_ctx, $native_sock, undef, 0); } # check the return status diff --git a/ssl/Makefile b/ssl/Makefile index 139011d3d..ec99b220c 100644 --- a/ssl/Makefile +++ b/ssl/Makefile @@ -48,20 +48,23 @@ endif libs: $(TARGET1) $(TARGET2) +AXTLS_HOME=.. + OBJ=\ - aes.o \ + ../crypto/aes.o \ asn1.o \ + x509.o \ bigint.o \ crypto_misc.o \ - hmac.o \ + ../crypto/hmac.o \ os_port.o \ loader.o \ - md5.o \ + ../crypto/md5.o \ openssl.o \ p12.o \ rsa.o \ - rc4.o \ - sha1.o \ + ../crypto/rc4.o \ + ../crypto/sha1.o \ tls1.o \ tls1_svr.o \ tls1_clnt.o diff --git a/ssl/asn1.c b/ssl/asn1.c index 25e30f9aa..b248e3e21 100644 --- a/ssl/asn1.c +++ b/ssl/asn1.c @@ -19,22 +19,19 @@ /** * @file asn1.c * - * Some primitive asn methods for extraction rsa modulus information. It also - * is used for retrieving information from X.509 certificates. + * Some primitive asn methods for extraction ASN.1 data. */ #include #include #include #include +#include "os_port.h" #include "crypto.h" +#include "crypto_misc.h" #define SIG_OID_PREFIX_SIZE 8 -#define SIG_TYPE_MD2 0x02 -#define SIG_TYPE_MD5 0x04 -#define SIG_TYPE_SHA1 0x05 - /* Must be an RSA algorithm with either SHA1 or MD5 for verifying to work */ static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] = { @@ -44,7 +41,7 @@ static const uint8_t sig_oid_prefix[SIG_OID_PREFIX_SIZE] = /* CN, O, OU */ static const uint8_t g_dn_types[] = { 3, 10, 11 }; -static int get_asn1_length(const uint8_t *buf, int *offset) +int get_asn1_length(const uint8_t *buf, int *offset) { int len, i; @@ -209,7 +206,7 @@ end_utc_time: /** * Get the version type of a certificate (which we don't actually care about) */ -static int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) +int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) { int ret = X509_NOT_OK; @@ -225,7 +222,7 @@ end_version: /** * Retrieve the notbefore and notafter certificate times. */ -static int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) +int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) { return (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0 || asn1_get_utc_time(cert, offset, &x509_ctx->not_before) || @@ -281,7 +278,7 @@ end_pnt_str: /** * Get the subject name (or the issuer) of a certificate. */ -static int asn1_name(const uint8_t *cert, int *offset, char *dn[]) +int asn1_name(const uint8_t *cert, int *offset, char *dn[]) { int ret = X509_NOT_OK; int dn_type; @@ -332,7 +329,7 @@ end_name: /** * Read the modulus and public exponent of a certificate. */ -static int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) +int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) { int ret = X509_NOT_OK, mod_len, pub_len; uint8_t *modulus, *pub_exp; @@ -364,7 +361,7 @@ end_pub_key: /** * Read the signature of the certificate. */ -static int asn1_signature(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) +int asn1_signature(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) { int ret = X509_NOT_OK; @@ -417,7 +414,7 @@ void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx) * Compare 2 distinguished names for equality * @return 0 if a match */ -static int asn1_compare_dn(char * const dn1[], char * const dn2[]) +int asn1_compare_dn(char * const dn1[], char * const dn2[]) { int i; @@ -432,34 +429,13 @@ static int asn1_compare_dn(char * const dn1[], char * const dn2[]) return 0; /* all good */ } -/** - * Retrieve the signature from a certificate. - */ -const uint8_t *x509_get_signature(const uint8_t *asn1_sig, int *len) -{ - int offset = 0; - const uint8_t *ptr = NULL; - - if (asn1_next_obj(asn1_sig, &offset, ASN1_SEQUENCE) < 0 || - asn1_skip_obj(asn1_sig, &offset, ASN1_SEQUENCE)) - goto end_get_sig; - - if (asn1_sig[offset++] != ASN1_OCTET_STRING) - goto end_get_sig; - *len = get_asn1_length(asn1_sig, &offset); - ptr = &asn1_sig[offset]; /* all ok */ - -end_get_sig: - return ptr; -} - #endif /** * Read the signature type of the certificate. We only support RSA-MD5 and * RSA-SHA1 signature types. */ -static int asn1_signature_type(const uint8_t *cert, +int asn1_signature_type(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) { int ret = X509_NOT_OK, len; @@ -482,382 +458,3 @@ end_check_sig: return ret; } -/** - * Construct a new x509 object. - * @return 0 if ok. < 0 if there was a problem. - */ -int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx) -{ - int begin_tbs, end_tbs; - int ret = X509_NOT_OK, offset = 0, cert_size = 0; - X509_CTX *x509_ctx; - BI_CTX *bi_ctx; - - *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX)); - x509_ctx = *ctx; - - /* get the certificate size */ - asn1_skip_obj(cert, &cert_size, ASN1_SEQUENCE); - - if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) - goto end_cert; - - begin_tbs = offset; /* start of the tbs */ - end_tbs = begin_tbs; /* work out the end of the tbs */ - asn1_skip_obj(cert, &end_tbs, ASN1_SEQUENCE); - - if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) - goto end_cert; - - if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */ - { - if (asn1_version(cert, &offset, x509_ctx)) - goto end_cert; - } - - if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */ - asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) - goto end_cert; - - /* make sure the signature is ok */ - if (asn1_signature_type(cert, &offset, x509_ctx)) - { - ret = X509_VFY_ERROR_UNSUPPORTED_DIGEST; - goto end_cert; - } - - if (asn1_name(cert, &offset, x509_ctx->ca_cert_dn) || - asn1_validity(cert, &offset, x509_ctx) || - asn1_name(cert, &offset, x509_ctx->cert_dn) || - asn1_public_key(cert, &offset, x509_ctx)) - goto end_cert; - - bi_ctx = x509_ctx->rsa_ctx->bi_ctx; - -#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */ - /* use the appropriate signature algorithm (either SHA1 or MD5) */ - if (x509_ctx->sig_type == SIG_TYPE_MD5) - { - MD5_CTX md5_ctx; - uint8_t md5_dgst[MD5_SIZE]; - MD5Init(&md5_ctx); - MD5Update(&md5_ctx, &cert[begin_tbs], end_tbs-begin_tbs); - MD5Final(&md5_ctx, md5_dgst); - x509_ctx->digest = bi_import(bi_ctx, md5_dgst, MD5_SIZE); - } - else if (x509_ctx->sig_type == SIG_TYPE_SHA1) - { - SHA1_CTX sha_ctx; - uint8_t sha_dgst[SHA1_SIZE]; - SHA1Init(&sha_ctx); - SHA1Update(&sha_ctx, &cert[begin_tbs], end_tbs-begin_tbs); - SHA1Final(&sha_ctx, sha_dgst); - x509_ctx->digest = bi_import(bi_ctx, sha_dgst, SHA1_SIZE); - } - - offset = end_tbs; /* skip the v3 data */ - if (asn1_skip_obj(cert, &offset, ASN1_SEQUENCE) || - asn1_signature(cert, &offset, x509_ctx)) - goto end_cert; -#endif - - if (len) - { - *len = cert_size; - } - - ret = X509_OK; -end_cert: - -#ifdef CONFIG_SSL_FULL_MODE - if (ret) - { - printf("Error: Invalid X509 ASN.1 file\n"); - } -#endif - - return ret; -} - -/** - * Free an X.509 object's resources. - */ -void x509_free(X509_CTX *x509_ctx) -{ - X509_CTX *next; - int i; - - if (x509_ctx == NULL) /* if already null, then don't bother */ - return; - - for (i = 0; i < X509_NUM_DN_TYPES; i++) - { - free(x509_ctx->ca_cert_dn[i]); - free(x509_ctx->cert_dn[i]); - } - - free(x509_ctx->signature); - -#ifdef CONFIG_SSL_CERT_VERIFICATION - if (x509_ctx->digest) - { - bi_free(x509_ctx->rsa_ctx->bi_ctx, x509_ctx->digest); - } -#endif - - RSA_free(x509_ctx->rsa_ctx); - - next = x509_ctx->next; - free(x509_ctx); - x509_free(next); /* clear the chain */ -} - -#ifdef CONFIG_SSL_CERT_VERIFICATION -/** - * Do some basic checks on the certificate chain. - * - * Certificate verification consists of a number of checks: - * - A root certificate exists in the certificate store. - * - The date of the certificate is after the start date. - * - The date of the certificate is before the finish date. - * - The certificate chain is valid. - * - That the certificate(s) are not self-signed. - * - The signature of the certificate is valid. - */ -int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) -{ - int ret = X509_OK, i = 0; - bigint *cert_sig; - X509_CTX *next_cert = NULL; - BI_CTX *ctx; - bigint *mod, *expn; - struct timeval tv; - int match_ca_cert = 0; - - if (cert == NULL || ca_cert_ctx == NULL) - { - ret = X509_VFY_ERROR_NO_TRUSTED_CERT; - goto end_verify; - } - - /* last cert in the chain - look for a trusted cert */ - if (cert->next == NULL) - { - while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) - { - if (asn1_compare_dn(cert->ca_cert_dn, - ca_cert_ctx->cert[i]->cert_dn) == 0) - { - match_ca_cert = 1; - break; - } - - i++; - } - - if (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) - { - next_cert = ca_cert_ctx->cert[i]; - } - else /* trusted cert not found */ - { - ret = X509_VFY_ERROR_NO_TRUSTED_CERT; - goto end_verify; - } - } - else - { - next_cert = cert->next; - } - - gettimeofday(&tv, NULL); - - /* check the not before date */ - if (tv.tv_sec < cert->not_before) - { - ret = X509_VFY_ERROR_NOT_YET_VALID; - goto end_verify; - } - - /* check the not after date */ - if (tv.tv_sec > cert->not_after) - { - ret = X509_VFY_ERROR_EXPIRED; - goto end_verify; - } - - /* check the chain integrity */ - if (asn1_compare_dn(cert->ca_cert_dn, next_cert->cert_dn)) - { - ret = X509_VFY_ERROR_INVALID_CHAIN; - goto end_verify; - } - - /* check for self-signing */ - if (!match_ca_cert && asn1_compare_dn(cert->ca_cert_dn, cert->cert_dn) == 0) - { - ret = X509_VFY_ERROR_SELF_SIGNED; - goto end_verify; - } - - /* check the signature */ - ctx = cert->rsa_ctx->bi_ctx; - mod = next_cert->rsa_ctx->m; - expn = next_cert->rsa_ctx->e; - cert_sig = RSA_sign_verify(ctx, cert->signature, cert->sig_len, - bi_clone(ctx, mod), bi_clone(ctx, expn)); - - if (cert_sig) - { - ret = cert->digest ? /* check the signature */ - bi_compare(cert_sig, cert->digest) : - X509_VFY_ERROR_UNSUPPORTED_DIGEST; - bi_free(ctx, cert_sig); - - if (ret) - goto end_verify; - } - else - { - ret = X509_VFY_ERROR_BAD_SIGNATURE; - goto end_verify; - } - - /* go down the certificate chain using recursion. */ - if (ret == 0 && cert->next) - { - ret = x509_verify(ca_cert_ctx, next_cert); - } - -end_verify: - return ret; -} -#endif - -#if defined (CONFIG_SSL_FULL_MODE) -/** - * Used for diagnostics. - */ -void x509_print(CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) -{ - if (cert == NULL) - return; - - printf("---------------- CERT DEBUG ----------------\n"); - printf("* CA Cert Distinguished Name\n"); - if (cert->ca_cert_dn[X509_COMMON_NAME]) - { - printf("Common Name (CN):\t%s\n", cert->ca_cert_dn[X509_COMMON_NAME]); - } - - if (cert->ca_cert_dn[X509_ORGANIZATION]) - { - printf("Organization (O):\t%s\n", cert->ca_cert_dn[X509_ORGANIZATION]); - } - - if (cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE]) - { - printf("Organizational Unit (OU): %s\n", - cert->ca_cert_dn[X509_ORGANIZATIONAL_TYPE]); - } - - printf("* Cert Distinguished Name\n"); - if (cert->cert_dn[X509_COMMON_NAME]) - { - printf("Common Name (CN):\t%s\n", cert->cert_dn[X509_COMMON_NAME]); - } - - if (cert->cert_dn[X509_ORGANIZATION]) - { - printf("Organization (O):\t%s\n", cert->cert_dn[X509_ORGANIZATION]); - } - - if (cert->cert_dn[X509_ORGANIZATIONAL_TYPE]) - { - printf("Organizational Unit (OU): %s\n", - cert->cert_dn[X509_ORGANIZATIONAL_TYPE]); - } - - printf("Not Before:\t\t%s", ctime(&cert->not_before)); - printf("Not After:\t\t%s", ctime(&cert->not_after)); - printf("RSA bitsize:\t\t%d\n", cert->rsa_ctx->num_octets*8); - printf("Sig Type:\t\t"); - switch (cert->sig_type) - { - case SIG_TYPE_MD5: - printf("MD5\n"); - break; - case SIG_TYPE_SHA1: - printf("SHA1\n"); - break; - case SIG_TYPE_MD2: - printf("MD2\n"); - break; - default: - printf("Unrecognized: %d\n", cert->sig_type); - break; - } - - printf("Verify:\t\t\t"); - - if (ca_cert_ctx) - { - x509_display_error(x509_verify(ca_cert_ctx, cert)); - } - - printf("\n"); -#if 0 - print_blob("Signature", cert->signature, cert->sig_len); - bi_print("Modulus", cert->rsa_ctx->m); - bi_print("Pub Exp", cert->rsa_ctx->e); -#endif - - if (ca_cert_ctx) - { - x509_print(ca_cert_ctx, cert->next); - } -} - -void x509_display_error(int error) -{ - switch (error) - { - case X509_NOT_OK: - printf("X509 not ok"); - break; - - case X509_VFY_ERROR_NO_TRUSTED_CERT: - printf("No trusted cert is available"); - break; - - case X509_VFY_ERROR_BAD_SIGNATURE: - printf("Bad signature"); - break; - - case X509_VFY_ERROR_NOT_YET_VALID: - printf("Cert is not yet valid"); - break; - - case X509_VFY_ERROR_EXPIRED: - printf("Cert has expired"); - break; - - case X509_VFY_ERROR_SELF_SIGNED: - printf("Cert is self-signed"); - break; - - case X509_VFY_ERROR_INVALID_CHAIN: - printf("Chain is invalid (check order of certs)"); - break; - - case X509_VFY_ERROR_UNSUPPORTED_DIGEST: - printf("Unsupported digest"); - break; - - case X509_INVALID_PRIV_KEY: - printf("Invalid private key"); - break; - } -} -#endif /* CONFIG_SSL_FULL_MODE */ - diff --git a/ssl/bigint.c b/ssl/bigint.c index 2551f593d..8a736cfee 100644 --- a/ssl/bigint.c +++ b/ssl/bigint.c @@ -54,7 +54,6 @@ #include #include #include "bigint.h" -#include "crypto.h" static bigint *bi_int_multiply(BI_CTX *ctx, bigint *bi, comp i); static bigint *bi_int_divide(BI_CTX *ctx, bigint *biR, comp denom); @@ -1366,6 +1365,7 @@ static void precompute_slide_window(BI_CTX *ctx, int window, bigint *g1) * @param ctx [in] The bigint session context. * @param bi [in] The bigint on which to perform the mod power operation. * @param biexp [in] The bigint exponent. + * @return The result of the mod exponentiation operation * @see bi_set_mod(). */ bigint *bi_mod_power(BI_CTX *ctx, bigint *bi, bigint *biexp) @@ -1467,6 +1467,7 @@ bigint *bi_mod_power(BI_CTX *ctx, bigint *bi, bigint *biexp) * @param bi [in] The bigint to perform the exp/mod. * @param bim [in] The temporary modulus. * @param biexp [in] The bigint exponent. + * @return The result of the mod exponentiation operation * @see bi_set_mod(). */ bigint *bi_mod_power2(BI_CTX *ctx, bigint *bi, bigint *bim, bigint *biexp) @@ -1493,4 +1494,45 @@ bigint *bi_mod_power2(BI_CTX *ctx, bigint *bi, bigint *bim, bigint *biexp) return biR; } #endif + +#ifdef CONFIG_BIGINT_CRT +/** + * @Use the Chinese Remainder Theorem to quickly perform RSA decrypts. + * + * @param ctx [in] The bigint session context. + * @param bi [in] The bigint to perform the exp/mod. + * @param dP [in] CRT's dP bigint + * @param dQ [in] CRT's dQ bigint + * @param p [in] CRT's p bigint + * @param q [in] CRT's q bigint + * @param qInv [in] CRT's qInv bigint + * @return The result of the CRT operation + */ +bigint *bi_crt(BI_CTX *ctx, bigint *bi, + bigint *dP, bigint *dQ, + bigint *p, bigint *q, bigint *qInv) +{ + bigint *m1, *m2, *h; + + /* Montgomery has a condition the 0 < x, y < m and these products violate + * that condition. So disable Montgomery when using CRT */ +#if defined(CONFIG_BIGINT_MONTGOMERY) + ctx->use_classical = 1; +#endif + ctx->mod_offset = BIGINT_P_OFFSET; + m1 = bi_mod_power(ctx, bi_copy(bi), dP); + + ctx->mod_offset = BIGINT_Q_OFFSET; + m2 = bi_mod_power(ctx, bi, dQ); + + h = bi_subtract(ctx, bi_add(ctx, m1, p), bi_copy(m2), NULL); + h = bi_multiply(ctx, h, qInv); + ctx->mod_offset = BIGINT_P_OFFSET; + h = bi_residue(ctx, h); +#if defined(CONFIG_BIGINT_MONTGOMERY) + ctx->use_classical = 0; /* reset for any further operation */ +#endif + return bi_add(ctx, m2, bi_multiply(ctx, q, h)); +} +#endif /** @} */ diff --git a/ssl/bigint.h b/ssl/bigint.h index 5a13c5ae4..5804a1c27 100644 --- a/ssl/bigint.h +++ b/ssl/bigint.h @@ -90,4 +90,11 @@ bigint *bi_square(BI_CTX *ctx, bigint *bi); #define bi_square(A, B) bi_multiply(A, bi_copy(B), B) #endif +#ifdef CONFIG_BIGINT_CRT +bigint *bi_crt(BI_CTX *ctx, bigint *bi, + bigint *dP, bigint *dQ, + bigint *p, bigint *q, + bigint *qInv); +#endif + #endif diff --git a/ssl/crypto.h b/ssl/crypto.h deleted file mode 100644 index d4e4bc016..000000000 --- a/ssl/crypto.h +++ /dev/null @@ -1,285 +0,0 @@ -/* - * Copyright(C) 2006 Cameron Rich - * - * This library is free software; you can redistribute it and/or modify - * it under the terms of the GNU Lesser General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This library is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU Lesser General Public License for more details. - * - * You should have received a copy of the GNU Lesser General Public License - * along with this library; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA - */ - -/** - * @file crypto.h - */ - -#ifndef HEADER_CRYPTO_H -#define HEADER_CRYPTO_H - -#ifdef __cplusplus -extern "C" { -#endif - -#include "bigint.h" - -/************************************************************************** - * AES declarations - **************************************************************************/ - -#define AES_MAXROUNDS 14 -#define AES_BLOCKSIZE 16 -#define AES_IV_SIZE 16 - -typedef struct aes_key_st -{ - uint16_t rounds; - uint16_t key_size; - uint32_t ks[(AES_MAXROUNDS+1)*8]; - uint8_t iv[AES_IV_SIZE]; -} AES_CTX; - -typedef enum -{ - AES_MODE_128, - AES_MODE_256 -} AES_MODE; - -void AES_set_key(AES_CTX *ctx, const uint8_t *key, - const uint8_t *iv, AES_MODE mode); -void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg, - uint8_t *out, int length); -void AES_cbc_decrypt(AES_CTX *ks, const uint8_t *in, uint8_t *out, int length); -void AES_convert_key(AES_CTX *ctx); - -/************************************************************************** - * RC4 declarations - **************************************************************************/ - -typedef struct -{ - uint8_t x, y, m[256]; -} RC4_CTX; - -void RC4_setup(RC4_CTX *s, const uint8_t *key, int length); -void RC4_crypt(RC4_CTX *s, const uint8_t *msg, uint8_t *data, int length); - -/************************************************************************** - * SHA1 declarations - **************************************************************************/ - -#define SHA1_SIZE 20 - -/* - * This structure will hold context information for the SHA-1 - * hashing operation - */ -typedef struct -{ - uint32_t Intermediate_Hash[SHA1_SIZE/4]; /* Message Digest */ - uint32_t Length_Low; /* Message length in bits */ - uint32_t Length_High; /* Message length in bits */ - uint16_t Message_Block_Index; /* Index into message block array */ - uint8_t Message_Block[64]; /* 512-bit message blocks */ -} SHA1_CTX; - -void SHA1Init(SHA1_CTX *); -void SHA1Update(SHA1_CTX *, const uint8_t * msg, int len); -void SHA1Final(SHA1_CTX *, uint8_t *digest); - -/************************************************************************** - * MD5 declarations - **************************************************************************/ - -/* MD5 context. */ - -#define MD5_SIZE 16 - -typedef struct -{ - uint32_t state[4]; /* state (ABCD) */ - uint32_t count[2]; /* number of bits, modulo 2^64 (lsb first) */ - uint8_t buffer[64]; /* input buffer */ -} MD5_CTX; - -EXP_FUNC void STDCALL MD5Init(MD5_CTX *); -EXP_FUNC void STDCALL MD5Update(MD5_CTX *, const uint8_t *msg, int len); -EXP_FUNC void STDCALL MD5Final(MD5_CTX *, uint8_t *digest); - -/************************************************************************** - * HMAC declarations - **************************************************************************/ -void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, - int key_len, uint8_t *digest); -void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, - int key_len, uint8_t *digest); - -/************************************************************************** - * RNG declarations - **************************************************************************/ -EXP_FUNC void STDCALL RNG_initialize(const uint8_t *seed_buf, int size); -EXP_FUNC void STDCALL RNG_terminate(void); -EXP_FUNC void STDCALL get_random(int num_rand_bytes, uint8_t *rand_data); -void get_random_NZ(int num_rand_bytes, uint8_t *rand_data); - -/************************************************************************** - * RSA declarations - **************************************************************************/ - -typedef struct -{ - bigint *m; /* modulus */ - bigint *e; /* public exponent */ - bigint *d; /* private exponent */ -#ifdef CONFIG_BIGINT_CRT - bigint *p; /* p as in m = pq */ - bigint *q; /* q as in m = pq */ - bigint *dP; /* d mod (p-1) */ - bigint *dQ; /* d mod (q-1) */ - bigint *qInv; /* q^-1 mod p */ -#endif - int num_octets; - BI_CTX *bi_ctx; -} RSA_CTX; - -void RSA_priv_key_new(RSA_CTX **rsa_ctx, - const uint8_t *modulus, int mod_len, - const uint8_t *pub_exp, int pub_len, - const uint8_t *priv_exp, int priv_len -#ifdef CONFIG_BIGINT_CRT - , const uint8_t *p, int p_len, - const uint8_t *q, int q_len, - const uint8_t *dP, int dP_len, - const uint8_t *dQ, int dQ_len, - const uint8_t *qInv, int qInv_len -#endif - ); -void RSA_pub_key_new(RSA_CTX **rsa_ctx, - const uint8_t *modulus, int mod_len, - const uint8_t *pub_exp, int pub_len); -void RSA_free(RSA_CTX *ctx); -int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint8_t *out_data, - int is_decryption); -bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg); -#ifdef CONFIG_SSL_CERT_VERIFICATION -bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, - bigint *modulus, bigint *pub_exp); -bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg); -int RSA_encrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint16_t in_len, - uint8_t *out_data, int is_signing); -void RSA_print(const RSA_CTX *ctx); -#endif - -/************************************************************************** - * ASN1 declarations - **************************************************************************/ -#define X509_OK 0 -#define X509_NOT_OK -1 -#define X509_VFY_ERROR_NO_TRUSTED_CERT -2 -#define X509_VFY_ERROR_BAD_SIGNATURE -3 -#define X509_VFY_ERROR_NOT_YET_VALID -4 -#define X509_VFY_ERROR_EXPIRED -5 -#define X509_VFY_ERROR_SELF_SIGNED -6 -#define X509_VFY_ERROR_INVALID_CHAIN -7 -#define X509_VFY_ERROR_UNSUPPORTED_DIGEST -8 -#define X509_INVALID_PRIV_KEY -9 - -/* - * The Distinguished Name - */ -#define X509_NUM_DN_TYPES 3 -#define X509_COMMON_NAME 0 -#define X509_ORGANIZATION 1 -#define X509_ORGANIZATIONAL_TYPE 2 - -#define ASN1_INTEGER 0x02 -#define ASN1_BIT_STRING 0x03 -#define ASN1_OCTET_STRING 0x04 -#define ASN1_NULL 0x05 -#define ASN1_OID 0x06 -#define ASN1_PRINTABLE_STR 0x13 -#define ASN1_TELETEX_STR 0x14 -#define ASN1_IA5_STR 0x16 -#define ASN1_UTC_TIME 0x17 -#define ASN1_SEQUENCE 0x30 -#define ASN1_SET 0x31 -#define ASN1_IMPLICIT_TAG 0x80 -#define ASN1_EXPLICIT_TAG 0xa0 - -#define SALT_SIZE 8 - -struct _x509_ctx -{ - char *ca_cert_dn[X509_NUM_DN_TYPES]; - char *cert_dn[X509_NUM_DN_TYPES]; -#if defined(_WIN32_WCE) - long not_before; - long not_after; -#else - time_t not_before; - time_t not_after; -#endif - uint8_t *signature; - uint16_t sig_len; - uint8_t sig_type; - RSA_CTX *rsa_ctx; - bigint *digest; - struct _x509_ctx *next; -}; - -typedef struct _x509_ctx X509_CTX; - -#ifdef CONFIG_SSL_CERT_VERIFICATION -typedef struct -{ - X509_CTX *cert[CONFIG_X509_MAX_CA_CERTS]; -} CA_CERT_CTX; -#endif - -int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx); -int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type); -int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type); -int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object); -int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx); -void x509_free(X509_CTX *x509_ctx); -#ifdef CONFIG_SSL_CERT_VERIFICATION -int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert); -const uint8_t *x509_get_signature(const uint8_t *asn1_signature, int *len); -#endif -#ifdef CONFIG_SSL_FULL_MODE -void x509_print(CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert); -void x509_display_error(int error); -#endif - -/************************************************************************** - * MISC declarations - **************************************************************************/ - -extern const char * const unsupported_str; - -typedef void (*crypt_func)(void *, const uint8_t *, uint8_t *, int); -typedef void (*hmac_func)(const uint8_t *msg, int length, const uint8_t *key, - int key_len, uint8_t *digest); - -int get_file(const char *filename, uint8_t **buf); - -#if defined(CONFIG_SSL_FULL_MODE) || defined(WIN32) || defined(CONFIG_DEBUG) -EXP_FUNC void STDCALL print_blob(const char *format, const uint8_t *data, int size, ...); -#else - #define print_blob(...) -#endif - -EXP_FUNC int STDCALL base64_decode(const char *in, int len, - uint8_t *out, int *outlen); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/ssl/crypto_misc.c b/ssl/crypto_misc.c index fec362089..29a28f9b3 100644 --- a/ssl/crypto_misc.c +++ b/ssl/crypto_misc.c @@ -24,7 +24,7 @@ #include #include #include -#include "crypto.h" +#include "crypto_misc.h" #ifdef CONFIG_WIN32_USE_CRYPTO_LIB #include "wincrypt.h" #endif diff --git a/ssl/loader.c b/ssl/loader.c index 717373a8a..d5ea6cb43 100644 --- a/ssl/loader.c +++ b/ssl/loader.c @@ -250,18 +250,18 @@ static int pem_decrypt(const char *where, const char *end, goto error; /* work out the key */ - MD5Init(&md5_ctx); - MD5Update(&md5_ctx, (const uint8_t *)password, strlen(password)); - MD5Update(&md5_ctx, iv, SALT_SIZE); - MD5Final(&md5_ctx, key); + MD5_Init(&md5_ctx); + MD5_Update(&md5_ctx, (const uint8_t *)password, strlen(password)); + MD5_Update(&md5_ctx, iv, SALT_SIZE); + MD5_Final(key, &md5_ctx); if (is_aes_256) { - MD5Init(&md5_ctx); - MD5Update(&md5_ctx, key, MD5_SIZE); - MD5Update(&md5_ctx, (const uint8_t *)password, strlen(password)); - MD5Update(&md5_ctx, iv, SALT_SIZE); - MD5Final(&md5_ctx, &key[MD5_SIZE]); + MD5_Init(&md5_ctx); + MD5_Update(&md5_ctx, key, MD5_SIZE); + MD5_Update(&md5_ctx, (const uint8_t *)password, strlen(password)); + MD5_Update(&md5_ctx, iv, SALT_SIZE); + MD5_Final(&key[MD5_SIZE], &md5_ctx); } /* decrypt using the key/iv */ diff --git a/ssl/p12.c b/ssl/p12.c index 19b00b872..d857a9b0c 100644 --- a/ssl/p12.c +++ b/ssl/p12.c @@ -190,16 +190,16 @@ static int p8_decrypt(const char *uni_pass, int uni_pass_len, } /* get the key - no IV since we are using RC4 */ - SHA1Init(&sha_ctx); - SHA1Update(&sha_ctx, d, sizeof(d)); - SHA1Update(&sha_ctx, p, sizeof(p)); - SHA1Final(&sha_ctx, Ai); + SHA1_Init(&sha_ctx); + SHA1_Update(&sha_ctx, d, sizeof(d)); + SHA1_Update(&sha_ctx, p, sizeof(p)); + SHA1_Final(Ai, &sha_ctx); for (i = 1; i < iter; i++) { - SHA1Init(&sha_ctx); - SHA1Update(&sha_ctx, Ai, SHA1_SIZE); - SHA1Final(&sha_ctx, Ai); + SHA1_Init(&sha_ctx); + SHA1_Update(&sha_ctx, Ai, SHA1_SIZE); + SHA1_Final(Ai, &sha_ctx); } /* do the decryption */ diff --git a/ssl/rsa.c b/ssl/rsa.c index 6f5c8a44a..97c5e6700 100644 --- a/ssl/rsa.c +++ b/ssl/rsa.c @@ -25,11 +25,7 @@ #include #include #include -#include "crypto.h" - -#ifdef CONFIG_BIGINT_CRT -static bigint *bi_crt(const RSA_CTX *rsa, bigint *bi); -#endif +#include "crypto_misc.h" void RSA_priv_key_new(RSA_CTX **ctx, const uint8_t *modulus, int mod_len, @@ -180,7 +176,7 @@ int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg) { #ifdef CONFIG_BIGINT_CRT - return bi_crt(c, bi_msg); + return bi_crt(c->bi_ctx, bi_msg, c->dP, c->dQ, c->p, c->q, c->qInv); #else BI_CTX *ctx = c->bi_ctx; ctx->mod_offset = BIGINT_M_OFFSET; @@ -188,39 +184,6 @@ bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg) #endif } -#ifdef CONFIG_BIGINT_CRT -/** - * Use the Chinese Remainder Theorem to quickly perform RSA decrypts. - * This should really be in bigint.c (and was at one stage), but needs - * access to the RSA_CTX context... - */ -static bigint *bi_crt(const RSA_CTX *rsa, bigint *bi) -{ - BI_CTX *ctx = rsa->bi_ctx; - bigint *m1, *m2, *h; - - /* Montgomery has a condition the 0 < x, y < m and these products violate - * that condition. So disable Montgomery when using CRT */ -#if defined(CONFIG_BIGINT_MONTGOMERY) - ctx->use_classical = 1; -#endif - ctx->mod_offset = BIGINT_P_OFFSET; - m1 = bi_mod_power(ctx, bi_copy(bi), rsa->dP); - - ctx->mod_offset = BIGINT_Q_OFFSET; - m2 = bi_mod_power(ctx, bi, rsa->dQ); - - h = bi_subtract(ctx, bi_add(ctx, m1, rsa->p), bi_copy(m2), NULL); - h = bi_multiply(ctx, h, rsa->qInv); - ctx->mod_offset = BIGINT_P_OFFSET; - h = bi_residue(ctx, h); -#if defined(CONFIG_BIGINT_MONTGOMERY) - ctx->use_classical = 0; /* reset for any further operation */ -#endif - return bi_add(ctx, m2, bi_multiply(ctx, rsa->q, h)); -} -#endif - #ifdef CONFIG_SSL_FULL_MODE /** * Used for diagnostics. @@ -294,7 +257,6 @@ bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, int i, size; bigint *decrypted_bi, *dat_bi; bigint *bir = NULL; - block = (uint8_t *)malloc(sig_len); /* decrypt */ diff --git a/ssl/ssl.h b/ssl/ssl.h index 6622415aa..05c917857 100644 --- a/ssl/ssl.h +++ b/ssl/ssl.h @@ -56,7 +56,7 @@ extern "C" { #endif #include -#include "crypto.h" +//#include "crypto.h" /* need to predefine before ssl_lib.h gets to it */ #define SSL_SESSION_ID_SIZE 32 @@ -221,10 +221,11 @@ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd); * @param session_id [in] A 32 byte session id for session resumption. This * can be null if no session resumption is being used or required. This option * is not used in skeleton mode. + * @param sess_id_size The size of the session id (max 32) * @return An SSL object reference. Use ssl_handshake_status() to check * if a handshake succeeded. */ -EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id); +EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size); /** * @brief Free any used resources on this connection. @@ -286,6 +287,15 @@ EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd); */ EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(const SSL *ssl); +/** + * @brief Get the session id size for a handshake. + * + * This will be 32 for a ssl server and may be something else for a ssl client. + * @param ssl [in] An SSL object reference. + * @return The number of valid bytes in a handshaking sequence + */ +EXP_FUNC uint8_t STDCALL ssl_get_session_id_size(const SSL *ssl); + /** * @brief Return the cipher id (in the SSL form). * @param ssl [in] An SSL object reference. diff --git a/ssl/test/Makefile b/ssl/test/Makefile index 43c9a6cef..ea61e2ae5 100644 --- a/ssl/test/Makefile +++ b/ssl/test/Makefile @@ -33,7 +33,7 @@ ifndef CONFIG_PLATFORM_WIN32 performance: ../../$(STAGE)/perf_bigint ssltesting: ../../$(STAGE)/ssltest LIBS=../../$(STAGE) -CFLAGS += -I../../ssl -I../../config +CFLAGS += -I../../ssl -I../../config -I../../crypto ../../$(STAGE)/perf_bigint: perf_bigint.o $(LIBS)/libaxtls.a $(CC) $(LDFLAGS) -o $@ $^ -L $(LIBS) -laxtls diff --git a/ssl/test/ssltest.c b/ssl/test/ssltest.c index 3e3d47fec..d97e153ae 100644 --- a/ssl/test/ssltest.c +++ b/ssl/test/ssltest.c @@ -250,9 +250,9 @@ static int SHA1_test(BI_CTX *bi_ctx) "A9993E364706816ABA3E25717850C26C9CD0D89D"); bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE); - SHA1Init(&ctx); - SHA1Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); - SHA1Final(&ctx, digest); + SHA1_Init(&ctx); + SHA1_Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); + SHA1_Final(digest, &ctx); if (memcmp(digest, ct, sizeof(ct))) { @@ -268,9 +268,9 @@ static int SHA1_test(BI_CTX *bi_ctx) "84983E441C3BD26EBAAE4AA1F95129E5E54670F1"); bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE); - SHA1Init(&ctx); - SHA1Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); - SHA1Final(&ctx, digest); + SHA1_Init(&ctx); + SHA1_Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); + SHA1_Final(digest, &ctx); if (memcmp(digest, ct, sizeof(ct))) { @@ -304,9 +304,9 @@ static int MD5_test(BI_CTX *bi_ctx) "900150983CD24FB0D6963F7D28E17F72"); bi_export(bi_ctx, ct_bi, ct, MD5_SIZE); - MD5Init(&ctx); - MD5Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); - MD5Final(&ctx, digest); + MD5_Init(&ctx); + MD5_Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); + MD5_Final(digest, &ctx); if (memcmp(digest, ct, sizeof(ct))) { @@ -322,9 +322,9 @@ static int MD5_test(BI_CTX *bi_ctx) bi_ctx, "D174AB98D277D9F5A5611C2C9F419D9F"); bi_export(bi_ctx, ct_bi, ct, MD5_SIZE); - MD5Init(&ctx); - MD5Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); - MD5Final(&ctx, digest); + MD5_Init(&ctx); + MD5_Update(&ctx, (const uint8_t *)in_str, strlen(in_str)); + MD5_Final(digest, &ctx); if (memcmp(digest, ct, sizeof(ct))) { @@ -1250,7 +1250,7 @@ static int SSL_client_test( goto client_test_exit; } - ssl = ssl_client_new(*ssl_ctx, client_fd, session_id); + ssl = ssl_client_new(*ssl_ctx, client_fd, session_id, sizeof(session_id)); /* check the return status */ if ((ret = ssl_handshake_status(ssl))) @@ -1469,7 +1469,7 @@ static void do_basic(void) "../ssl/test/axTLS.ca_x509.cer", NULL)) goto error; - ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL); + ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL, 0); /* check the return status */ if (ssl_handshake_status(ssl_clnt)) @@ -1588,7 +1588,7 @@ void do_multi_clnt(multi_t *multi_data) goto client_test_exit; sleep(1); - ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL); + ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0); if ((res = ssl_handshake_status(ssl))) { diff --git a/ssl/tls1.c b/ssl/tls1.c index 43d798ed6..1f7160cb1 100755 --- a/ssl/tls1.c +++ b/ssl/tls1.c @@ -834,14 +834,14 @@ void finished_digest(SSL *ssl, const char *label, uint8_t *digest) q += strlen(label); } - MD5Init(&md5_ctx); - MD5Update(&md5_ctx, ssl->all_pkts, ssl->all_pkts_len); - MD5Final(&md5_ctx, q); + MD5_Init(&md5_ctx); + MD5_Update(&md5_ctx, ssl->all_pkts, ssl->all_pkts_len); + MD5_Final(q, &md5_ctx); q += MD5_SIZE; - SHA1Init(&sha1_ctx); - SHA1Update(&sha1_ctx, ssl->all_pkts, ssl->all_pkts_len); - SHA1Final(&sha1_ctx, q); + SHA1_Init(&sha1_ctx); + SHA1_Update(&sha1_ctx, ssl->all_pkts, ssl->all_pkts_len); + SHA1_Final(q, &sha1_ctx); q += SHA1_SIZE; if (label) @@ -1532,8 +1532,8 @@ int send_certificate(SSL *ssl) * Find if an existing session has the same session id. If so, use the * master secret from this session for session resumption. */ -SSL_SESS *ssl_session_update(int max_sessions, - SSL_SESS *ssl_sessions[], SSL *ssl, const uint8_t *session_id) +SSL_SESS *ssl_session_update(int max_sessions, SSL_SESS *ssl_sessions[], + SSL *ssl, const uint8_t *session_id) { time_t tm = time(NULL); time_t oldest_sess_time = tm; @@ -1641,6 +1641,14 @@ EXP_FUNC const uint8_t * STDCALL ssl_get_session_id(const SSL *ssl) return ssl->session_id; } +/* + * Get the session id size for a handshake. + */ +EXP_FUNC uint8_t STDCALL ssl_get_session_id_size(const SSL *ssl) +{ + return ssl->sess_id_size; +} + /* * Return the cipher id (in the SSL form). */ diff --git a/ssl/tls1.h b/ssl/tls1.h index d14bb6d6e..1d07f29ac 100755 --- a/ssl/tls1.h +++ b/ssl/tls1.h @@ -29,6 +29,8 @@ extern "C" { #endif #include "version.h" +#include "crypto.h" +#include "crypto_misc.h" /* Mutexing definitions */ #if defined(CONFIG_SSL_CTX_MUTEXING) @@ -156,6 +158,7 @@ struct _SSL uint8_t record_type; uint8_t chain_length; uint8_t cipher; + uint8_t sess_id_size; int16_t next_state; int16_t hs_status; uint8_t *all_pkts; diff --git a/ssl/tls1_clnt.c b/ssl/tls1_clnt.c index e73258195..eda5b631d 100644 --- a/ssl/tls1_clnt.c +++ b/ssl/tls1_clnt.c @@ -35,7 +35,8 @@ static int send_cert_verify(SSL *ssl); /* * Establish a new SSL connection to an SSL server. */ -EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id) +EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const + uint8_t *session_id, uint8_t sess_id_size) { SSL *ssl; int ret; @@ -45,7 +46,14 @@ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uin if (session_id && ssl_ctx->num_sessions) { - memcpy(ssl->session_id, session_id, SSL_SESSION_ID_SIZE); + if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */ + { + ssl_free(ssl); + return NULL; + } + + memcpy(ssl->session_id, session_id, sess_id_size); + ssl->sess_id_size = sess_id_size; SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */ } @@ -176,11 +184,11 @@ static int send_client_hello(SSL *ssl) offset = 6 + SSL_RANDOM_SIZE; /* give session resumption a go */ - if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) /* set initially bu user */ + if (IS_SET_SSL_FLAG(SSL_SESSION_RESUME)) /* set initially by user */ { - buf[offset++] = SSL_SESSION_ID_SIZE; - memcpy(&buf[offset], ssl->session_id, SSL_SESSION_ID_SIZE); - offset += SSL_SESSION_ID_SIZE; + buf[offset++] = ssl->sess_id_size; + memcpy(&buf[offset], ssl->session_id, ssl->sess_id_size); + offset += ssl->sess_id_size; CLR_SSL_FLAG(SSL_SESSION_RESUME); /* clear so we can set later */ } else @@ -216,7 +224,7 @@ static int process_server_hello(SSL *ssl) int offset; int version = (buf[4] << 4) + buf[5]; int num_sessions = ssl->ssl_ctx->num_sessions; - uint8_t session_id_length; + uint8_t sess_id_size; int ret = SSL_OK; /* check that we are talking to a TLSv1 server */ @@ -226,17 +234,25 @@ static int process_server_hello(SSL *ssl) /* get the server random value */ memcpy(ssl->server_random, &buf[6], SSL_RANDOM_SIZE); offset = 6 + SSL_RANDOM_SIZE; /* skip of session id size */ - session_id_length = buf[offset++]; + sess_id_size = buf[offset++]; if (num_sessions) { ssl->session = ssl_session_update(num_sessions, ssl->ssl_ctx->ssl_sessions, ssl, &buf[offset]); - memcpy(ssl->session->session_id, &buf[offset], session_id_length); + memcpy(ssl->session->session_id, &buf[offset], sess_id_size); + + /* pad the rest with 0's */ + if (sess_id_size < SSL_SESSION_ID_SIZE) + { + memset(&ssl->session->session_id[sess_id_size], 0, + SSL_SESSION_ID_SIZE-sess_id_size); + } } - memcpy(ssl->session_id, &buf[offset], session_id_length); - offset += session_id_length; + memcpy(ssl->session_id, &buf[offset], sess_id_size); + ssl->sess_id_size = sess_id_size; + offset += sess_id_size; /* get the real cipher we are using */ ssl->cipher = buf[++offset]; diff --git a/ssl/tls1_svr.c b/ssl/tls1_svr.c index 167a57d82..e7860270e 100644 --- a/ssl/tls1_svr.c +++ b/ssl/tls1_svr.c @@ -311,12 +311,14 @@ static int send_server_hello(SSL *ssl) /* retrieve id from session cache */ memcpy(&buf[offset], ssl->session->session_id, SSL_SESSION_ID_SIZE); memcpy(ssl->session_id, ssl->session->session_id, SSL_SESSION_ID_SIZE); + ssl->sess_id_size = SSL_SESSION_ID_SIZE; } else /* generate our own session id */ #endif { get_random(SSL_SESSION_ID_SIZE, &buf[offset]); memcpy(ssl->session_id, &buf[offset], SSL_SESSION_ID_SIZE); + ssl->sess_id_size = SSL_SESSION_ID_SIZE; #ifndef CONFIG_SSL_SKELETON_MODE /* store id in session cache */ diff --git a/www/index.html b/www/index.html index cd563d14d..08bd7945b 100755 --- a/www/index.html +++ b/www/index.html @@ -7091,7 +7091,7 @@ if (useJavaSaver)
!GNU LESSER GENERAL PUBLIC LICENSE\n\nVersion 2.1, February 1999\n\nCopyright (C) 1991, 1999 Free Software Foundation, Inc.\n51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA\nEveryone is permitted to copy and distribute verbatim copies\nof this license document, but changing it is not allowed.\n\n[This is the first released version of the Lesser GPL. It also counts\n as the successor of the GNU Library Public License, version 2, hence\n the version number 2.1.]\n\n!!Preamble\n\nThe licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public Licenses are intended to guarantee your freedom to share and change free software -to make sure the software is free for all its users.\n\nThis license, the Lesser General Public License, applies to some specially designated software packages - typically libraries - of the Free Software Foundation and other authors who decide to use it. You can use it too, but we suggest you first think carefully about whether this license or the ordinary General Public License is the better strategy to use in any particular case, based on the explanations below.\n\nWhen we speak of free software, we are referring to freedom of use, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish); that you receive source code or can get it if you want it; that you can change the software and use pieces of it in new free programs; and that you are informed that you can do these things.\n\nTo protect your rights, we need to make restrictions that forbid distributors to deny you these rights or to ask you to surrender these rights. These restrictions translate to certain responsibilities for you if you distribute copies of the library or if you modify it.\n\nFor example, if you distribute copies of the library, whether gratis or for a fee, you must give the recipients all the rights that we gave you. You must make sure that they, too, receive or can get the source code. If you link other code with the library, you must provide complete object files to the recipients, so that they can relink them with the library after making changes to the library and recompiling it. And you must show them these terms so they know their rights.\n\nWe protect your rights with a two-step method: (1) we copyright the library, and (2) we offer you this license, which gives you legal permission to copy, distribute and/or modify the library.\n\nTo protect each distributor, we want to make it very clear that there is no warranty for the free library. Also, if the library is modified by someone else and passed on, the recipients should know that what they have is not the original version, so that the original author's reputation will not be affected by problems that might be introduced by others.\n\nFinally, software patents pose a constant threat to the existence of any free program. We wish to make sure that a company cannot effectively restrict the users of a free program by obtaining a restrictive license from a patent holder. Therefore, we insist that any patent license obtained for a version of the library must be consistent with the full freedom of use specified in this license.\n\nMost GNU software, including some libraries, is covered by the ordinary GNU General Public License. This license, the GNU Lesser General Public License, applies to certain designated libraries, and is quite different from the ordinary General Public License. We use this license for certain libraries in order to permit linking those libraries into non-free programs.\n\nWhen a program is linked with a library, whether statically or using a shared library, the combination of the two is legally speaking a combined work, a derivative of the original library. The ordinary General Public License therefore permits such linking only if the entire combination fits its criteria of freedom. The Lesser General Public License permits more lax criteria for linking other code with the library.\n\nWe call this license the "Lesser" General Public License because it does Less to protect the user's freedom than the ordinary General Public License. It also provides other free software developers Less of an advantage over competing non-free programs. These disadvantages are the reason we use the ordinary General Public License for many libraries. However, the Lesser license provides advantages in certain special circumstances.\n\nFor example, on rare occasions, there may be a special need to encourage the widest possible use of a certain library, so that it becomes a de-facto standard. To achieve this, non-free programs must be allowed to use the library. A more frequent case is that a free library does the same job as widely used non-free libraries. In this case, there is little to gain by limiting the free library to free software only, so we use the Lesser General Public License.\n\nIn other cases, permission to use a particular library in non-free programs enables a greater number of people to use a large body of free software. For example, permission to use the GNU C Library in non-free programs enables many more people to use the whole GNU operating system, as well as its variant, the GNU/Linux operating system.\n\nAlthough the Lesser General Public License is Less protective of the users' freedom, it does ensure that the user of a program that is linked with the Library has the freedom and the wherewithal to run that program using a modified version of the Library.\n\nThe precise terms and conditions for copying, distribution and modification follow. Pay close attention to the difference between a "work based on the library" and a "work that uses the library". The former contains code derived from the library, whereas the latter must be combined with the library in order to run.\n\n!!TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION\n\n0. This License Agreement applies to any software library or other program which contains a notice placed by the copyright holder or other authorized party saying it may be distributed under the terms of this Lesser General Public License (also called "this License"). Each licensee is addressed as "you".\n\nA "library" means a collection of software functions and/or data prepared so as to be conveniently linked with application programs (which use some of those functions and data) to form executables.\n\nThe "Library", below, refers to any such software library or work which has been distributed under these terms. A "work based on the Library" means either the Library or any derivative work under copyright law: that is to say, a work containing the Library or a portion of it, either verbatim or with modifications and/or translated straightforwardly into another language. (Hereinafter, translation is included without limitation in the term "modification".)\n\n"Source code" for a work means the preferred form of the work for making modifications to it. For a library, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the library.\n\nActivities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running a program using the Library is not restricted, and output from such a program is covered only if its contents constitute a work based on the Library (independent of the use of the Library in a tool for writing it). Whether that is true depends on what the Library does and what the program that uses the Library does.\n\n1. You may copy and distribute verbatim copies of the Library's complete source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and distribute a copy of this License along with the Library.\n\nYou may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee.\n\n2. You may modify your copy or copies of the Library or any portion of it, thus forming a work based on the Library, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions:\n\n * a) The modified work must itself be a software library.\n * b) You must cause the files modified to carry prominent notices stating that you changed the files and the date of any change.\n * c) You must cause the whole of the work to be licensed at no charge to all third parties under the terms of this License.\n * d) If a facility in the modified Library refers to a function or a table of data to be supplied by an application program that uses the facility, other than as an argument passed when the facility is invoked, then you must make a good faith effort to ensure that, in the event an application does not supply such function or table, the facility still operates, and performs whatever part of its purpose remains meaningful.\n\n (For example, a function in a library to compute square roots has a purpose that is entirely well-defined independent of the application. Therefore, Subsection 2d requires that any application-supplied function or table used by this function must be optional: if the application does not supply it, the square root function must still compute square roots.)\n\n These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Library, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Library, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it.\n\n Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Library.\n\n In addition, mere aggregation of another work not based on the Library with the Library (or with a work based on the Library) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.\n\n3. You may opt to apply the terms of the ordinary GNU General Public License instead of this License to a given copy of the Library. To do this, you must alter all the notices that refer to this License, so that they refer to the ordinary GNU General Public License, version 2, instead of to this License. (If a newer version than version 2 of the ordinary GNU General Public License has appeared, then you can specify that version instead if you wish.) Do not make any other change in these notices.\n\nOnce this change is made in a given copy, it is irreversible for that copy, so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy.\n\nThis option is useful when you wish to copy part of the code of the Library into a program that is not a library.\n\n4. You may copy and distribute the Library (or a portion or derivative of it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange.\n\nIf distribution of object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place satisfies the requirement to distribute the source code, even though third parties are not compelled to copy the source along with the object code.\n\n5. A program that contains no derivative of any portion of the Library, but is designed to work with the Library by being compiled or linked with it, is called a "work that uses the Library". Such a work, in isolation, is not a derivative work of the Library, and therefore falls outside the scope of this License.\n\nHowever, linking a "work that uses the Library" with the Library creates an executable that is a derivative of the Library (because it contains portions of the Library), rather than a "work that uses the library". The executable is therefore covered by this License. Section 6 states terms for distribution of such executables.\n\nWhen a "work that uses the Library" uses material from a header file that is part of the Library, the object code for the work may be a derivative work of the Library even though the source code is not. Whether this is true is especially significant if the work can be linked without the Library, or if the work is itself a library. The threshold for this to be true is not precisely defined by law.\n\nIf such an object file uses only numerical parameters, data structure layouts and accessors, and small macros and small inline functions (ten lines or less in length), then the use of the object file is unrestricted, regardless of whether it is legally a derivative work. (Executables containing this object code plus portions of the Library will still fall under Section 6.)\n\nOtherwise, if the work is a derivative of the Library, you may distribute the object code for the work under the terms of Section 6. Any executables containing that work also fall under Section 6, whether or not they are linked directly with the Library itself.\n\n6. As an exception to the Sections above, you may also combine or link a "work that uses the Library" with the Library to produce a work containing portions of the Library, and distribute that work under terms of your choice, provided that the terms permit modification of the work for the customer's own use and reverse engineering for debugging such modifications.\n\nYou must give prominent notice with each copy of the work that the Library is used in it and that the Library and its use are covered by this License. You must supply a copy of this License. If the work during execution displays copyright notices, you must include the copyright notice for the Library among them, as well as a reference directing the user to the copy of this License. Also, you must do one of these things:\n\n * a) Accompany the work with the complete corresponding machine-readable source code for the Library including whatever changes were used in the work (which must be distributed under Sections 1 and 2 above); and, if the work is an executable linked with the Library, with the complete machine-readable "work that uses the Library", as object code and/or source code, so that the user can modify the Library and then relink to produce a modified executable containing the modified Library. (It is understood that the user who changes the contents of definitions files in the Library will not necessarily be able to recompile the application to use the modified definitions.)\n * b) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (1) uses at run time a copy of the library already present on the user's computer system, rather than copying library functions into the executable, and (2) will operate properly with a modified version of the library, if the user installs one, as long as the modified version is interface-compatible with the version that the work was made with.\n * c) Accompany the work with a written offer, valid for at least three years, to give the same user the materials specified in Subsection 6a, above, for a charge no more than the cost of performing this distribution.\n * d) If distribution of the work is made by offering access to copy from a designated place, offer equivalent access to copy the above specified materials from the same place.\n * e) Verify that the user has already received a copy of these materials or that you have already sent this user a copy.\n\nFor an executable, the required form of the "work that uses the Library" must include any data and utility programs needed for reproducing the executable from it. However, as a special exception, the materials to be distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable.\n\nIt may happen that this requirement contradicts the license restrictions of other proprietary libraries that do not normally accompany the operating system. Such a contradiction means you cannot use both them and the Library together in an executable that you distribute.\n\n7. You may place library facilities that are a work based on the Library side-by-side in a single library together with other library facilities not covered by this License, and distribute such a combined library, provided that the separate distribution of the work based on the Library and of the other library facilities is otherwise permitted, and provided that you do these two things:\n\n * a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities. This must be distributed under the terms of the Sections above.\n * b) Give prominent notice with the combined library of the fact that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.\n\n8. You may not copy, modify, sublicense, link with, or distribute the Library except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense, link with, or distribute the Library is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.\n\n9. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Library or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Library (or any work based on the Library), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Library or works based on it.\n\n10. Each time you redistribute the Library (or any work based on the Library), the recipient automatically receives a license from the original licensor to copy, distribute, link with or modify the Library subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties with this License.\n\n11. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Library at all. For example, if a patent license would not permit royalty-free redistribution of the Library by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Library.\n\nIf any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply, and the section as a whole is intended to apply in other circumstances.\n\nIt is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice.\n\nThis section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License.\n\n12. If the distribution and/or use of the Library is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Library under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License.\n\n13. The Free Software Foundation may publish revised and/or new versions of the Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.\n\nEach version is given a distinguishing version number. If the Library specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Library does not specify a license version number, you may choose any version ever published by the Free Software Foundation.\n\n14. If you wish to incorporate parts of the Library into other free programs whose distribution conditions are incompatible with these, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally.\n\nNO WARRANTY\n\n15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE LIBRARY IS WITH YOU. SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.\n\n16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.\n\nEND OF TERMS AND CONDITIONS
[[Read Me]] \n[[Changelog]]\n[[axhttpd]]\n[[License]]
<div class='header' macro='gradient vert #390108 #900'>\n<div class='headerShadow'>\n<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;\n<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>\n</div>\n<div class='headerForeground'>\n<span class='siteTitle' refresh='content' tiddler='SiteTitle'></span>&nbsp;\n<span class='siteSubtitle' refresh='content' tiddler='SiteSubtitle'></span>\n</div>\n</div>\n<div id='mainMenu'>\n<div refresh='content' tiddler='MainMenu'></div>\n</div>\n<div id='sidebar'>\n<div id='sidebarOptions' refresh='content' tiddler='SideBarOptions'></div>\n<div id='sidebarTabs' refresh='content' force='true' tiddler='SideBarTabs'></div>\n</div>\n<div id='displayArea'>\n<div id='messageArea'></div>\n<div id='tiddlerDisplay'></div>\n</div>
-
!@@bgcolor(#ff0000):color(#ffffff):axTLS Quick Start Guide@@\n\nThis is a guide to get a small SSL web-server up and running quickly.\n\n!!__Introduction__\n\nThe axTLS project is an SSL client/server library using the ~TLSv1 protocol. It is designed to be small and fast, and is suited to embedded projects. A web server is included.\n\nThe basic web server + SSL library is around 60-70kB and is configurable for features or size.\n\n!!__Compilation__\n\nAll platforms require GNU make. This means on Win32 that Cygwin needs to be installed with "make" and various developer options selected.\n\nConfiguration now uses a tool called "mconf" which gives a nice way to configure options (similar to what is used in ~BusyBox and the Linux kernel).\n\nYou should be able to compile axTLS simply by extracting it, change into the extracted directory and typing:\n\n{{indent{{{{> make}}}\n\nSelect your platform type, save the configuration, exit, and then type "make" again.\n\nIf all goes well, you should end up with an executable called "axhttpd" (or axhttpd.exe) in the //_stage// directory.\n\nTo play with all the various axTLS options, type:\n\n{{indent{{{{> make menuconfig}}}\n\nSave the new configuration and rebuild.\n\n!!__Running it__\n\nTo run it, go to the //_stage// directory, and type (as superuser):\n\n{{indent{{{{> axhttpd}}}\n\nNote: you may have to set your ~LD_LIBRARY_PATH - e.g. go to //_stage// and type //export ~LD_LIBRARY_PATH=`pwd`//\n\nAnd then point your browser at https://127.0.0.1 And you should see a this html page with a padlock appearing on your browser. or type http://127.0.0.1 to see the same page unencrypted.\n\n!!__The axssl utilities__\n\nThe axssl suite of tools are the SSL test tools in the various language bindings. They are:\n\n* axssl - C sample\n* axssl.csharp - C# sample\n* axssl.vbnet - VB.NET sample\n* axtls.jar - Java sample\n* axssl.pl - Perl sample\n* axssl.lua - Lua sample\n\nAll the tools have identical command-line parameters. e.g. to run something interesting:\n\n{{indent{{{{> axssl s_server -verify -CAfile ../ssl/test/axTLS.ca_x509}}}\n\nand\n\n{{indent{{{{> axssl s_client -cert ../ssl/test/axTLS.x509_1024 -key ../ssl/test/axTLS.key_1024 -reconnect}}}\n\n!!!!C#\n\nIf building under Linux or other non-Win32 platforms, Mono must be installed and the executable is run as:\n\n{{indent{{{{> mono axssl.csharp.exe ...}}}\n\n!!!!Java\n\nThe java version is run as:\n\n{{indent{{{{> java -jar axtls.jar <options>}}}\n\n!!!!Perl\n\n{{indent{{{{> [perl] ./axssl.pl <options>}}}\n\nIf running under Win32, be sure to use the correct version of Perl (i.e. ~ActiveState's version works ok).\n\n!!!!Lua\n\n{{indent{{{{> [lua] ./axssl.lua <options>}}}\n\n!__Known Issues__\n\n* Firefox doesn't handle legacy ~SSLv2 at all well. Disabling ~SSLv2 still initiates a ~SSLv23 handshake (v1.5). And continuous pressing of the "Reload" page instigates a change to ~SSLv3 for some reason (even though the TLS 1.0 option is selected). This will cause a "Firefox and <server> cannot communicate securely because they have no common encryption algorithms" (v1.5), or "Firefox can't connect to <server> because the site uses a security protocol which isn't enabled" (v2.0). See bugzilla issues 343543 and 359484 (Comment #7). It's all broken (hopefully fixed soon).\n* Perl/Java bindings don't work on 64 bit Linux machines. I can't even compile the latest version of Perl on an ~AMD64 box (using ~FC3).\n* Java 1.4 or better is required for the Java interfaces.\n* Processes that fork can't use session resumption unless some form of IPC is used.\n* Ensure libperl.so and libaxtls.so are in the shared library path when running with the perl bindings. A way to do this is with:\n\n{{indent{{{{> export LD_LIBRARY_PATH=`perl -e 'use Config; print $Config{archlib};'`/CORE:.}}}\n* The lua sample requires the luabit library from http://luaforge.net/projects/bit.\n\n!!!!Win32 issues\n\n* Be careful about doing .NET executions on network drives - .NET complains with security exceptions on the binary. //TODO: Add a manifest file to prevent this.//\n* The test harness appears to be broken under ~VC8.0. Debugging shows a problem in the _close() function which is weird. CGI is also broken under ~VC8.0.\n* CGI works under Win32, but needs some more work to get it right.\n* The default Microsoft .NET SDK is v2.0.50727. Download from: http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.\n\n!!!!Solaris issues\n\n* mconf doesn't work well - some manual tweaking is required for string values.\n* GNU make is required and needs to be in $PATH.\n* To get swig's library dependencies to work (and for the C library to be found), I needed to type:\n\n{{indent{{{{> export LD_LIBRARY_PATH=/usr/local/gcc-3.3.1/lib:.}}}\n\n!!!!Cygwin issues\n\n* The bindings all compile but don't run under Cygwin with the exception of Perl. This is due to win32 executables being incompatible with Cygwin libraries.\n\n
+
!@@bgcolor(#ff0000):color(#ffffff):axTLS Quick Start Guide@@\n\nThis is a guide to get a small SSL web-server up and running quickly some stuff.\n\n!!__Introduction__\n\nThe axTLS project is an SSL client/server library using the ~TLSv1 protocol. It is designed to be small and fast, and is suited to embedded projects. A web server is included.\n\nThe basic web server + SSL library is around 60-70kB and is configurable for features or size.\n\n!!__Compilation__\n\nAll platforms require GNU make. This means on Win32 that Cygwin needs to be installed with "make" and various developer options selected.\n\nConfiguration now uses a tool called "mconf" which gives a nice way to configure options (similar to what is used in ~BusyBox and the Linux kernel).\n\nYou should be able to compile axTLS simply by extracting it, change into the extracted directory and typing:\n\n{{indent{{{{> make}}}\n\nSelect your platform type, save the configuration, exit, and then type "make" again.\n\nIf all goes well, you should end up with an executable called "axhttpd" (or axhttpd.exe) in the //_stage// directory.\n\nTo play with all the various axTLS options, type:\n\n{{indent{{{{> make menuconfig}}}\n\nSave the new configuration and rebuild.\n\n!!__Running it__\n\nTo run it, go to the //_stage// directory, and type (as superuser):\n\n{{indent{{{{> axhttpd}}}\n\nNote: you may have to set your ~LD_LIBRARY_PATH - e.g. go to //_stage// and type //export ~LD_LIBRARY_PATH=`pwd`//\n\nAnd then point your browser at https://127.0.0.1 And you should see a this html page with a padlock appearing on your browser. or type http://127.0.0.1 to see the same page unencrypted.\n\n!!__The axssl utilities__\n\nThe axssl suite of tools are the SSL test tools in the various language bindings. They are:\n\n* axssl - C sample\n* axssl.csharp - C# sample\n* axssl.vbnet - VB.NET sample\n* axtls.jar - Java sample\n* axssl.pl - Perl sample\n* axssl.lua - Lua sample\n\nAll the tools have identical command-line parameters. e.g. to run something interesting:\n\n{{indent{{{{> axssl s_server -verify -CAfile ../ssl/test/axTLS.ca_x509}}}\n\nand\n\n{{indent{{{{> axssl s_client -cert ../ssl/test/axTLS.x509_1024 -key ../ssl/test/axTLS.key_1024 -reconnect}}}\n\n!!!!C#\n\nIf building under Linux or other non-Win32 platforms, Mono must be installed and the executable is run as:\n\n{{indent{{{{> mono axssl.csharp.exe ...}}}\n\n!!!!Java\n\nThe java version is run as:\n\n{{indent{{{{> java -jar axtls.jar <options>}}}\n\n!!!!Perl\n\n{{indent{{{{> [perl] ./axssl.pl <options>}}}\n\nIf running under Win32, be sure to use the correct version of Perl (i.e. ~ActiveState's version works ok).\n\n!!!!Lua\n\n{{indent{{{{> [lua] ./axssl.lua <options>}}}\n\n!__Known Issues__\n\n* Firefox doesn't handle legacy ~SSLv2 at all well. Disabling ~SSLv2 still initiates a ~SSLv23 handshake (v1.5). And continuous pressing of the "Reload" page instigates a change to ~SSLv3 for some reason (even though the TLS 1.0 option is selected). This will cause a "Firefox and <server> cannot communicate securely because they have no common encryption algorithms" (v1.5), or "Firefox can't connect to <server> because the site uses a security protocol which isn't enabled" (v2.0). See bugzilla issues 343543 and 359484 (Comment #7). It's all broken (hopefully fixed soon).\n* Perl/Java bindings don't work on 64 bit Linux machines. I can't even compile the latest version of Perl on an ~AMD64 box (using ~FC3).\n* Java 1.4 or better is required for the Java interfaces.\n* Processes that fork can't use session resumption unless some form of IPC is used.\n* Ensure libperl.so and libaxtls.so are in the shared library path when running with the perl bindings. A way to do this is with:\n\n{{indent{{{{> export LD_LIBRARY_PATH=`perl -e 'use Config; print $Config{archlib};'`/CORE:.}}}\n* The lua sample requires the luabit library from http://luaforge.net/projects/bit.\n\n!!!!Win32 issues\n\n* Be careful about doing .NET executions on network drives - .NET complains with security exceptions on the binary. //TODO: Add a manifest file to prevent this.//\n* The test harness appears to be broken under ~VC8.0. Debugging shows a problem in the _close() function which is weird. CGI is also broken under ~VC8.0.\n* CGI works under Win32, but needs some more work to get it right.\n* The default Microsoft .NET SDK is v2.0.50727. Download from: http://msdn.microsoft.com/netframework/downloads/updates/default.aspx.\n\n!!!!Solaris issues\n\n* mconf doesn't work well - some manual tweaking is required for string values.\n* GNU make is required and needs to be in $PATH.\n* To get swig's library dependencies to work (and for the C library to be found), I needed to type:\n\n{{indent{{{{> export LD_LIBRARY_PATH=/usr/local/gcc-3.3.1/lib:.}}}\n\n!!!!Cygwin issues\n\n* The bindings all compile but don't run under Cygwin with the exception of Perl. This is due to win32 executables being incompatible with Cygwin libraries.\n\n
changes, notes and errata
axTLS Embedded SSL
http://axtls.cerocclub.com.au