jepler/axtls
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

merge into: jepler:master
Branches Tags
jepler:master
jepler:sanitize-undefined-fixes
jepler:micropython-2.1.3
jepler:ssl_eagain
jepler:micropython
jepler:v1.8.2
...
pull from: jepler:sanitize-undefined-fixes
Branches Tags
jepler:sanitize-undefined-fixes
jepler:micropython-2.1.3
jepler:ssl_eagain
jepler:master
jepler:micropython
jepler:v1.8.2

39 commits
master ... sanitize-u

Author SHA1 Message Date
Jeff Epler
3348622ec6 Fix -fsanitize=undefined diagnostics 
Fixes the following diagnostics:
```
bigint.c:631:39: runtime error: left shift of 162 by 24 places cannot be represented in type 'int'
sha1.c:124:42: runtime error: left shift of 152 by 24 places cannot be represented in type 'int'
```

Directs the sanitizer not to instrument the function where this diagnostic
otherwise occurs:
```
crypto_misc.c:131:5: runtime error: load of address 0x7ffd83a8633c with insufficient space for an object of type 'unsigned char'
```
.. this function deliberately reads memory in a way that is undefined
under the C standard, but is a semi-recognized technique to maybe supplement
a CSPRNG entropy pool; blindly removing it is the riskier option, a la
https://www.debian.org/security/2008/dsa-1571

These changes fix all the problems seen in axtls when running the testsuite
of a popular embedded python implementation on a linux amd64 desktop
with gcc 8.3.0 -fsanitize=undefined.
 2021-05-09 21:28:29 -05:00
Paul Sokolovsky
43a6e6bd3b crypto/aes.c: AES_set_key: If "iv" is NULL, don't copy it. 
IV is not needed for ECB cipher mode.
 2017-11-05 11:35:51 +02:00
Paul Sokolovsky
a1a6151c52 crypto/aes.c: Make public AES_encrypt(), AES_decrypt(). 
Currently, axTLS exposes only CBC mode functions, the above functions
may be useful to implement ECB mode. (Note that the above functions
expect data in big endian order.)

Motivatation: Implement MicroPython's "ucrypto" module, reusing
available axTLS routines.
 2017-11-05 11:32:59 +02:00
Paul Sokolovsky
dac9176cac ssl/tls1.c: If underlying stream returned EAGAIN, return SSL_EAGAIN. 
This helps better implement blocking vs non-blocking streams on top of
axTLS (e.g. in MicroPython). Value of SSL_EAGAIN is -4, care was taken
to make sure there's no TLS alert with value of 4 (because axTLS returns
negated alert values as errors).
 2017-10-29 19:52:01 +02:00
Paul Sokolovsky
9b3092eb3b ssl/tls1.c: Hack: dump record size on hitting SSL_ERROR_RECORD_OVERFLOW. 
This is MicroPython-specific hack to allow to easier understand why TLS
conenction doesn't work with some sites on low-heap systems (where TLS
record buffer size is set to far less than default 16K).
 2017-06-13 17:30:02 +03:00
Paul Sokolovsky
cf3c04293b tls1.c: DISPLAY_ALERT: Fix copy-paste error with SSL_ERROR_RECORD_OVERFLOW. 
Function dispatches on SSL_ALERT_*, so should use SSL_ALERT_RECORD_OVERFLOW.
 2017-06-11 23:50:52 +03:00
Paul Sokolovsky
884c0d9f4f os_port_micropython.h: Use MicroPython's SHA256 implementation. 
Which is in turn based on https://github.com/B-Con/crypto-algorithms .
 2017-06-11 14:12:11 +03:00
Paul Sokolovsky
6cfbae5e86 crypto/crypto.h, sha256.c: Allow to override SHA256 implementation. 
axTLS' SHA256 implementation is bloated, more than 10K of x86 code, which
is more than 25% of total library size. So, allow to substitute something
else.
 2017-06-11 14:09:50 +03:00
Paul Sokolovsky
8ab5447904 crypto/crypto_misc.c: RNG_initialize(): Don't do anything for esp8266. 
It's tentative RNG is already setup when axTLS runs.
 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
2d7a5cbe10 ssl/Makefile: Make archive index when creating libaxtls.a. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
ca8154db03 tls1.h: Allow to override RT_MAX_PLAIN_LENGTH and RT_EXTRA. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
a13e19fd69 bigint.c: bi_mod_power(): esp8266: Process pending events. 
To avoid watchdog reset/wifi disconnect during long operations.
 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
b68c01f17e makefile.conf: Accept CFLAGS_EXTRA. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
6be2d23370 crypto_misc.h: CONFIG_SSL_DIAGNOSTICS 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
dd7b7125a4 crypto_misc.h: Don't ifdef in headers. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
0da011ed4b crypto_misc.c: CONFIG_SSL_DIAGNOSTICS 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
a70c033196 crypto_misc.c: print_blob(): Use snprintf() for MicroPython compatibility. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
16ba2f70b5 os_int.h, os_port_micropython.h: Changes for esp8266 compatibility. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
aedf52b991 upyconfig: Enable server support. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
7f55429c02 upyconfig.client: Client-only config. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
f881758e7c os_port_micropython.h: Add ifdef'ed POSIX defines to ease testing. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
5d9fba8bb2 tls1_svr.c: CONFIG_SSL_ENABLE_SERVER 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
53dcd04bda tls1.c: CONFIG_SSL_ENABLE_SERVER 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
4557c27d45 crypto_misc.h: Don't ifdef declarations. 2017-06-11 00:07:18 +03:00
Paul Sokolovsky
49128c4472 tls1_svr.c: CONFIG_SSL_DIAGNOSTICS 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
f0413e1cec tls1_clnt.c: CONFIG_SSL_DIAGNOSTICS 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
60a5c1ca27 tls1.c: CONFIG_SSL_DIAGNOSTICS 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
2749777731 loader.c: CONFIG_SSL_ENABLE_SERVER 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
4cc7c800e3 ssl/Config.in: Add explicit CONFIG_SSL_ENABLE_SERVER. 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
a6f648e35f crypto/crypto_misc: Add tentative random generation for esp8266. 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
9ac4b4a314 Add namespace prefix to hmac_md5/hmac_sha1 functions. 
These are pretty common names and can easily clash with other libraries.
At least, add "ssl_" prefix, as many other axTLS functions have.
 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
4c6d3d3c5e Add .gitignore . 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
770c75c101 Add config for MicroPython build. 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
e61d795f63 En-masse other changes to minimize size and make embeddable into uPy. 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
ca5af256ad os_port, tls1: Let port decide whether POSIX-style select() will be used. 
POSIX-style select() is unlikely a good fit for embedded socket
implementation. It actually needed only for non-blocking sockets,
so let ports just be able to skip it. Going forward, this need
to be refactored into direct-purpose function to wait for socket
to be writable to be implemented per port.
 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
f42739973c tls1: Abstract away getting last errno for a socket operation. 
For usage with embedded ports where socket library may have other way to
pass errors rather than via C errno variable.
 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
db38e20282 hmac: hmac_md5(): Use single padding buffer. 
Saves 64 bytes of stack space.
 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
c7e085a63e hmac: hmac_sha1(): Use single padding buffer. 
Saves 64 bytes of stack space.
 2017-06-11 00:07:17 +03:00
Paul Sokolovsky
7cb4145b66 md5: Optimize for size. 
Original version is 2528 bytes for x86, optimized - 1208.
 2017-06-11 00:07:17 +03:00
29 changed files with 682 additions and 392 deletions
Show stats Expand all files Collapse all files

11
.gitignore vendored Normal file
View file

@ -0,0 +1,11 @@
*.o
_stage
.depend
.config*
config/config.h
config/scripts/config/conf
config/scripts/config/lex.zconf.c
config/scripts/config/lkc_defs.h
config/scripts/config/zconf.tab.c
config/scripts/config/zconf.tab.h
ssl/version.h

3
config/Rules.mak
View file

@ -174,7 +174,8 @@ ifeq ($(strip $(CONFIG_DEBUG)),y)
else else
CFLAGS+=$(WARNINGS) $(OPTIMIZATIONS) -D_GNU_SOURCE -DNDEBUG CFLAGS+=$(WARNINGS) $(OPTIMIZATIONS) -D_GNU_SOURCE -DNDEBUG
LDFLAGS += -Wl,-warn-common LDFLAGS += -Wl,-warn-common
STRIPCMD:=$(STRIP) -s --remove-section=.note --remove-section=.comment STRIPCMD:=echo
#$(STRIP) -s --remove-section=.note --remove-section=.comment
endif endif
ifeq ($(strip $(CONFIG_STATIC)),y) ifeq ($(strip $(CONFIG_STATIC)),y)
LDFLAGS += --static LDFLAGS += --static

12
config/makefile.conf
View file

@ -84,7 +84,7 @@ else # Not Win32
-include .depend -include .depend
CFLAGS += -I$(AXTLS_HOME)/config -I$(AXTLS_HOME)/ssl -I$(AXTLS_HOME)/crypto CFLAGS += -I$(AXTLS_HOME)/config -I$(AXTLS_HOME)/ssl -I$(AXTLS_HOME)/crypto $(CFLAGS_EXTRA)
LD=$(CC) LD=$(CC)
STRIP=$(CROSS)strip STRIP=$(CROSS)strip
@ -101,7 +101,7 @@ LDSHARED = -shared
# Linux # Linux
ifndef CONFIG_PLATFORM_CYGWIN ifndef CONFIG_PLATFORM_CYGWIN
ifndef CONFIG_PLATFORM_NOMMU ifndef CONFIG_PLATFORM_NOMMU
CFLAGS += -fPIC #CFLAGS += -fPIC
# Cygwin # Cygwin
else else
@ -114,11 +114,15 @@ endif
ifdef CONFIG_DEBUG ifdef CONFIG_DEBUG
CFLAGS += -g CFLAGS += -g
else else
LDFLAGS += -s #-m32
# -pg
LDFLAGS += -g -Wl,--gc-sections,--print-gc-sections,-Map,map.lst -fno-unwind-tables -fno-asynchronous-unwind-tables
ifdef CONFIG_PLATFORM_SOLARIS ifdef CONFIG_PLATFORM_SOLARIS
CFLAGS += -O CFLAGS += -O
else else
CFLAGS += -O3 #-m32
#-pg
CFLAGS += -g -Os -ffunction-sections -fdata-sections -fno-unwind-tables -fno-asynchronous-unwind-tables
endif endif
endif # CONFIG_DEBUG endif # CONFIG_DEBUG

117
config/upyconfig Normal file
View file

@ -0,0 +1,117 @@
#
# Automatically generated make config: don't edit
#
HAVE_DOT_CONFIG=y
CONFIG_PLATFORM_LINUX=y
# CONFIG_PLATFORM_CYGWIN is not set
# CONFIG_PLATFORM_WIN32 is not set
#
# General Configuration
#
PREFIX="/usr/local"
# CONFIG_DEBUG is not set
# CONFIG_STRIP_UNWANTED_SECTIONS is not set
# CONFIG_VISUAL_STUDIO_7_0 is not set
# CONFIG_VISUAL_STUDIO_8_0 is not set
# CONFIG_VISUAL_STUDIO_10_0 is not set
CONFIG_VISUAL_STUDIO_7_0_BASE=""
CONFIG_VISUAL_STUDIO_8_0_BASE=""
CONFIG_VISUAL_STUDIO_10_0_BASE=""
CONFIG_EXTRA_CFLAGS_OPTIONS=""
CONFIG_EXTRA_LDFLAGS_OPTIONS=""
#
# SSL Library
#
# CONFIG_SSL_SERVER_ONLY is not set
# CONFIG_SSL_CERT_VERIFICATION is not set
# CONFIG_SSL_FULL_MODE is not set
CONFIG_SSL_SKELETON_MODE=y
CONFIG_SSL_ENABLE_SERVER=y
CONFIG_SSL_ENABLE_CLIENT=y
# CONFIG_SSL_DIAGNOSTICS is not set
CONFIG_SSL_PROT_LOW=y
# CONFIG_SSL_PROT_MEDIUM is not set
# CONFIG_SSL_PROT_HIGH is not set
CONFIG_SSL_AES=y
CONFIG_SSL_USE_DEFAULT_KEY=y
CONFIG_SSL_PRIVATE_KEY_LOCATION=""
CONFIG_SSL_PRIVATE_KEY_PASSWORD=""
CONFIG_SSL_X509_CERT_LOCATION=""
# CONFIG_SSL_GENERATE_X509_CERT is not set
CONFIG_SSL_X509_COMMON_NAME=""
CONFIG_SSL_X509_ORGANIZATION_NAME=""
CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME=""
# CONFIG_SSL_ENABLE_V23_HANDSHAKE is not set
# CONFIG_SSL_HAS_PEM is not set
# CONFIG_SSL_USE_PKCS12 is not set
CONFIG_SSL_EXPIRY_TIME=0
CONFIG_X509_MAX_CA_CERTS=0
CONFIG_SSL_MAX_CERTS=3
# CONFIG_SSL_CTX_MUTEXING is not set
# CONFIG_USE_DEV_URANDOM is not set
# CONFIG_WIN32_USE_CRYPTO_LIB is not set
# CONFIG_OPENSSL_COMPATIBLE is not set
# CONFIG_PERFORMANCE_TESTING is not set
# CONFIG_SSL_TEST is not set
# CONFIG_AXTLSWRAP is not set
# CONFIG_AXHTTPD is not set
# CONFIG_HTTP_STATIC_BUILD is not set
CONFIG_HTTP_PORT=0
CONFIG_HTTP_HTTPS_PORT=0
CONFIG_HTTP_SESSION_CACHE_SIZE=0
CONFIG_HTTP_WEBROOT=""
CONFIG_HTTP_TIMEOUT=0
# CONFIG_HTTP_HAS_CGI is not set
CONFIG_HTTP_CGI_EXTENSIONS=""
# CONFIG_HTTP_ENABLE_LUA is not set
CONFIG_HTTP_LUA_PREFIX=""
# CONFIG_HTTP_BUILD_LUA is not set
CONFIG_HTTP_CGI_LAUNCHER=""
# CONFIG_HTTP_DIRECTORIES is not set
# CONFIG_HTTP_HAS_AUTHORIZATION is not set
# CONFIG_HTTP_HAS_IPV6 is not set
# CONFIG_HTTP_ENABLE_DIFFERENT_USER is not set
CONFIG_HTTP_USER=""
# CONFIG_HTTP_VERBOSE is not set
# CONFIG_HTTP_IS_DAEMON is not set
#
# Language Bindings
#
# CONFIG_BINDINGS is not set
# CONFIG_CSHARP_BINDINGS is not set
# CONFIG_VBNET_BINDINGS is not set
CONFIG_DOT_NET_FRAMEWORK_BASE=""
# CONFIG_JAVA_BINDINGS is not set
CONFIG_JAVA_HOME=""
# CONFIG_PERL_BINDINGS is not set
CONFIG_PERL_CORE=""
CONFIG_PERL_LIB=""
# CONFIG_LUA_BINDINGS is not set
CONFIG_LUA_CORE=""
#
# Samples
#
# CONFIG_SAMPLES is not set
# CONFIG_C_SAMPLES is not set
# CONFIG_CSHARP_SAMPLES is not set
# CONFIG_VBNET_SAMPLES is not set
# CONFIG_JAVA_SAMPLES is not set
# CONFIG_PERL_SAMPLES is not set
# CONFIG_LUA_SAMPLES is not set
# CONFIG_BIGINT_CLASSICAL is not set
# CONFIG_BIGINT_MONTGOMERY is not set
# CONFIG_BIGINT_BARRETT is not set
# CONFIG_BIGINT_CRT is not set
# CONFIG_BIGINT_KARATSUBA is not set
MUL_KARATSUBA_THRESH=0
SQU_KARATSUBA_THRESH=0
# CONFIG_BIGINT_SLIDING_WINDOW is not set
# CONFIG_BIGINT_SQUARE is not set
# CONFIG_BIGINT_CHECK_ON is not set
# CONFIG_INTEGER_32BIT is not set
# CONFIG_INTEGER_16BIT is not set
# CONFIG_INTEGER_8BIT is not set

116
config/upyconfig.client Normal file
View file

@ -0,0 +1,116 @@
#
# Automatically generated make config: don't edit
#
HAVE_DOT_CONFIG=y
CONFIG_PLATFORM_LINUX=y
# CONFIG_PLATFORM_CYGWIN is not set
# CONFIG_PLATFORM_WIN32 is not set
#
# General Configuration
#
PREFIX="/usr/local"
# CONFIG_DEBUG is not set
# CONFIG_STRIP_UNWANTED_SECTIONS is not set
# CONFIG_VISUAL_STUDIO_7_0 is not set
# CONFIG_VISUAL_STUDIO_8_0 is not set
# CONFIG_VISUAL_STUDIO_10_0 is not set
CONFIG_VISUAL_STUDIO_7_0_BASE=""
CONFIG_VISUAL_STUDIO_8_0_BASE=""
CONFIG_VISUAL_STUDIO_10_0_BASE=""
CONFIG_EXTRA_CFLAGS_OPTIONS=""
CONFIG_EXTRA_LDFLAGS_OPTIONS=""
#
# SSL Library
#
# CONFIG_SSL_SERVER_ONLY is not set
# CONFIG_SSL_CERT_VERIFICATION is not set
# CONFIG_SSL_FULL_MODE is not set
CONFIG_SSL_SKELETON_MODE=y
CONFIG_SSL_ENABLE_CLIENT=y
# CONFIG_SSL_DIAGNOSTICS is not set
CONFIG_SSL_PROT_LOW=y
# CONFIG_SSL_PROT_MEDIUM is not set
# CONFIG_SSL_PROT_HIGH is not set
CONFIG_SSL_AES=y
# CONFIG_SSL_USE_DEFAULT_KEY is not set
CONFIG_SSL_PRIVATE_KEY_LOCATION=""
CONFIG_SSL_PRIVATE_KEY_PASSWORD=""
CONFIG_SSL_X509_CERT_LOCATION=""
# CONFIG_SSL_GENERATE_X509_CERT is not set
CONFIG_SSL_X509_COMMON_NAME=""
CONFIG_SSL_X509_ORGANIZATION_NAME=""
CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME=""
# CONFIG_SSL_ENABLE_V23_HANDSHAKE is not set
# CONFIG_SSL_HAS_PEM is not set
# CONFIG_SSL_USE_PKCS12 is not set
CONFIG_SSL_EXPIRY_TIME=0
CONFIG_X509_MAX_CA_CERTS=0
CONFIG_SSL_MAX_CERTS=3
# CONFIG_SSL_CTX_MUTEXING is not set
# CONFIG_USE_DEV_URANDOM is not set
# CONFIG_WIN32_USE_CRYPTO_LIB is not set
# CONFIG_OPENSSL_COMPATIBLE is not set
# CONFIG_PERFORMANCE_TESTING is not set
# CONFIG_SSL_TEST is not set
# CONFIG_AXTLSWRAP is not set
# CONFIG_AXHTTPD is not set
# CONFIG_HTTP_STATIC_BUILD is not set
CONFIG_HTTP_PORT=0
CONFIG_HTTP_HTTPS_PORT=0
CONFIG_HTTP_SESSION_CACHE_SIZE=0
CONFIG_HTTP_WEBROOT=""
CONFIG_HTTP_TIMEOUT=0
# CONFIG_HTTP_HAS_CGI is not set
CONFIG_HTTP_CGI_EXTENSIONS=""
# CONFIG_HTTP_ENABLE_LUA is not set
CONFIG_HTTP_LUA_PREFIX=""
# CONFIG_HTTP_BUILD_LUA is not set
CONFIG_HTTP_CGI_LAUNCHER=""
# CONFIG_HTTP_DIRECTORIES is not set
# CONFIG_HTTP_HAS_AUTHORIZATION is not set
# CONFIG_HTTP_HAS_IPV6 is not set
# CONFIG_HTTP_ENABLE_DIFFERENT_USER is not set
CONFIG_HTTP_USER=""
# CONFIG_HTTP_VERBOSE is not set
# CONFIG_HTTP_IS_DAEMON is not set
#
# Language Bindings
#
# CONFIG_BINDINGS is not set
# CONFIG_CSHARP_BINDINGS is not set
# CONFIG_VBNET_BINDINGS is not set
CONFIG_DOT_NET_FRAMEWORK_BASE=""
# CONFIG_JAVA_BINDINGS is not set
CONFIG_JAVA_HOME=""
# CONFIG_PERL_BINDINGS is not set
CONFIG_PERL_CORE=""
CONFIG_PERL_LIB=""
# CONFIG_LUA_BINDINGS is not set
CONFIG_LUA_CORE=""
#
# Samples
#
# CONFIG_SAMPLES is not set
# CONFIG_C_SAMPLES is not set
# CONFIG_CSHARP_SAMPLES is not set
# CONFIG_VBNET_SAMPLES is not set
# CONFIG_JAVA_SAMPLES is not set
# CONFIG_PERL_SAMPLES is not set
# CONFIG_LUA_SAMPLES is not set
# CONFIG_BIGINT_CLASSICAL is not set
# CONFIG_BIGINT_MONTGOMERY is not set
# CONFIG_BIGINT_BARRETT is not set
# CONFIG_BIGINT_CRT is not set
# CONFIG_BIGINT_KARATSUBA is not set
MUL_KARATSUBA_THRESH=0
SQU_KARATSUBA_THRESH=0
# CONFIG_BIGINT_SLIDING_WINDOW is not set
# CONFIG_BIGINT_SQUARE is not set
# CONFIG_BIGINT_CHECK_ON is not set
# CONFIG_INTEGER_32BIT is not set
# CONFIG_INTEGER_16BIT is not set
# CONFIG_INTEGER_8BIT is not set

11
crypto/aes.c
View file

@ -159,8 +159,6 @@ static const unsigned char Rcon[30]=
}; };
/* ----- static functions ----- */ /* ----- static functions ----- */
static void AES_encrypt(const AES_CTX *ctx, uint32_t *data);
static void AES_decrypt(const AES_CTX *ctx, uint32_t *data);
/* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial /* Perform doubling in Galois Field GF(2^8) using the irreducible polynomial
x^8+x^4+x^3+x+1 */ x^8+x^4+x^3+x+1 */
@ -241,7 +239,10 @@ void AES_set_key(AES_CTX *ctx, const uint8_t *key,
} }
/* copy the iv across */ /* copy the iv across */
memcpy(ctx->iv, iv, 16); if (iv)
{
memcpy(ctx->iv, iv, 16);
}
} }
/** /**
@ -348,7 +349,7 @@ void AES_cbc_decrypt(AES_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
/** /**
* Encrypt a single block (16 bytes) of data * Encrypt a single block (16 bytes) of data
*/ */
static void AES_encrypt(const AES_CTX *ctx, uint32_t *data) void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
{ {
/* To make this code smaller, generate the sbox entries on the fly. /* To make this code smaller, generate the sbox entries on the fly.
* This will have a really heavy effect upon performance. * This will have a really heavy effect upon performance.
@ -398,7 +399,7 @@ static void AES_encrypt(const AES_CTX *ctx, uint32_t *data)
/** /**
* Decrypt a single block (16 bytes) of data * Decrypt a single block (16 bytes) of data
*/ */
static void AES_decrypt(const AES_CTX *ctx, uint32_t *data) void AES_decrypt(const AES_CTX *ctx, uint32_t *data)
{ {
uint32_t tmp[4]; uint32_t tmp[4];
uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6; uint32_t xt0,xt1,xt2,xt3,xt4,xt5,xt6;

6
crypto/bigint.c
View file

@ -628,7 +628,7 @@ bigint *bi_import(BI_CTX *ctx, const uint8_t *data, int size)
for (i = size-1; i >= 0; i--) for (i = size-1; i >= 0; i--)
{ {
biR->comps[offset] += data[i] << (j*8); biR->comps[offset] += (unsigned int)data[i] << (j*8);
if (++j == COMP_BYTE_SIZE) if (++j == COMP_BYTE_SIZE)
{ {
@ -1379,6 +1379,10 @@ bigint *bi_mod_power(BI_CTX *ctx, bigint *bi, bigint *biexp)
* will reduce to standard left-to-right exponentiation */ * will reduce to standard left-to-right exponentiation */
do do
{ {
#ifdef __ets__
void ets_loop_iter(void);
ets_loop_iter();
#endif
if (exp_bit_is_one(biexp, i)) if (exp_bit_is_one(biexp, i))
{ {
int l = i-window_size+1; int l = i-window_size+1;

16
crypto/crypto.h
View file

@ -51,12 +51,14 @@ extern "C" {
/* enable features based on a 'super-set' capbaility. */ /* enable features based on a 'super-set' capbaility. */
#if 0
#if defined(CONFIG_SSL_FULL_MODE) #if defined(CONFIG_SSL_FULL_MODE)
#define CONFIG_SSL_ENABLE_CLIENT #define CONFIG_SSL_ENABLE_CLIENT
#define CONFIG_SSL_CERT_VERIFICATION #define CONFIG_SSL_CERT_VERIFICATION
#elif defined(CONFIG_SSL_ENABLE_CLIENT) #elif defined(CONFIG_SSL_ENABLE_CLIENT)
#define CONFIG_SSL_CERT_VERIFICATION #define CONFIG_SSL_CERT_VERIFICATION
#endif #endif
#endif
/************************************************************************** /**************************************************************************
* AES declarations * AES declarations
@ -86,6 +88,8 @@ void AES_cbc_encrypt(AES_CTX *ctx, const uint8_t *msg,
uint8_t *out, int length); uint8_t *out, int length);
void AES_cbc_decrypt(AES_CTX *ks, const uint8_t *in, uint8_t *out, int length); void AES_cbc_decrypt(AES_CTX *ks, const uint8_t *in, uint8_t *out, int length);
void AES_convert_key(AES_CTX *ctx); void AES_convert_key(AES_CTX *ctx);
void AES_encrypt(const AES_CTX *ctx, uint32_t *data);
void AES_decrypt(const AES_CTX *ctx, uint32_t *data);
/************************************************************************** /**************************************************************************
* RC4 declarations * RC4 declarations
@ -128,6 +132,8 @@ void SHA1_Final(uint8_t *digest, SHA1_CTX *);
#define SHA256_SIZE 32 #define SHA256_SIZE 32
#ifndef SHA256_CTX
#define SHA256_CTX SHA256_CTX
typedef struct typedef struct
{ {
uint32_t total[2]; uint32_t total[2];
@ -138,6 +144,7 @@ typedef struct
void SHA256_Init(SHA256_CTX *c); void SHA256_Init(SHA256_CTX *c);
void SHA256_Update(SHA256_CTX *, const uint8_t *input, int len); void SHA256_Update(SHA256_CTX *, const uint8_t *input, int len);
void SHA256_Final(uint8_t *digest, SHA256_CTX *); void SHA256_Final(uint8_t *digest, SHA256_CTX *);
#endif
/************************************************************************** /**************************************************************************
* SHA512 declarations * SHA512 declarations
@ -196,9 +203,9 @@ EXP_FUNC void STDCALL MD5_Final(uint8_t *digest, MD5_CTX *);
/************************************************************************** /**************************************************************************
* HMAC declarations * HMAC declarations
**************************************************************************/ **************************************************************************/
void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, void ssl_hmac_md5(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest); int key_len, uint8_t *digest);
void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, void ssl_hmac_sha1(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest); int key_len, uint8_t *digest);
void hmac_sha256(const uint8_t *msg, int length, const uint8_t *key, void hmac_sha256(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest); int key_len, uint8_t *digest);
@ -242,14 +249,15 @@ void RSA_free(RSA_CTX *ctx);
int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint8_t *out_data, int RSA_decrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint8_t *out_data,
int out_len, int is_decryption); int out_len, int is_decryption);
bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg); bigint *RSA_private(const RSA_CTX *c, bigint *bi_msg);
#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT) // Don't bother to ifdef prototypes, let them be
//#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT)
bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len, bigint *RSA_sign_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len,
bigint *modulus, bigint *pub_exp); bigint *modulus, bigint *pub_exp);
bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg); bigint *RSA_public(const RSA_CTX * c, bigint *bi_msg);
int RSA_encrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint16_t in_len, int RSA_encrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint16_t in_len,
uint8_t *out_data, int is_signing); uint8_t *out_data, int is_signing);
void RSA_print(const RSA_CTX *ctx); void RSA_print(const RSA_CTX *ctx);
#endif //#endif
/************************************************************************** /**************************************************************************
* RNG declarations * RNG declarations

24
crypto/crypto_misc.c
View file

@ -42,7 +42,7 @@
#include "wincrypt.h" #include "wincrypt.h"
#endif #endif
#ifndef WIN32 #if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
static int rng_fd = -1; static int rng_fd = -1;
#elif defined(CONFIG_WIN32_USE_CRYPTO_LIB) #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB)
static HCRYPTPROV gCryptProv; static HCRYPTPROV gCryptProv;
@ -101,6 +101,12 @@ int get_file(const char *filename, uint8_t **buf)
* - On Linux use /dev/urandom * - On Linux use /dev/urandom
* - If none of these work then use a custom RNG. * - If none of these work then use a custom RNG.
*/ */
#ifdef __GNUC__
// The stack-entropy-grabbing memcpy() is tagged as an error by gcc
// -fsanitize=undefined.
__attribute__((no_sanitize_address))
__attribute__((no_sanitize_undefined))
#endif
EXP_FUNC void STDCALL RNG_initialize() EXP_FUNC void STDCALL RNG_initialize()
{ {
#if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM) #if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
@ -120,7 +126,7 @@ EXP_FUNC void STDCALL RNG_initialize()
exit(1); exit(1);
} }
} }
#else #elif !defined(__ets__)
/* start of with a stack to copy across */ /* start of with a stack to copy across */
int i; int i;
memcpy(entropy_pool, &i, ENTROPY_POOL_SIZE); memcpy(entropy_pool, &i, ENTROPY_POOL_SIZE);
@ -146,7 +152,7 @@ EXP_FUNC void STDCALL RNG_custom_init(const uint8_t *seed_buf, int size)
*/ */
EXP_FUNC void STDCALL RNG_terminate(void) EXP_FUNC void STDCALL RNG_terminate(void)
{ {
#ifndef WIN32 #if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
close(rng_fd); close(rng_fd);
#elif defined(CONFIG_WIN32_USE_CRYPTO_LIB) #elif defined(CONFIG_WIN32_USE_CRYPTO_LIB)
CryptReleaseContext(gCryptProv, 0); CryptReleaseContext(gCryptProv, 0);
@ -158,7 +164,13 @@ EXP_FUNC void STDCALL RNG_terminate(void)
*/ */
EXP_FUNC int STDCALL get_random(int num_rand_bytes, uint8_t *rand_data) EXP_FUNC int STDCALL get_random(int num_rand_bytes, uint8_t *rand_data)
{ {
#if !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM) #ifdef __ets__
// see http://esp8266-re.foogod.com/wiki/Random_Number_Generator
#define WDEV_HWRNG ((volatile uint32_t*)0x3ff20e44)
while (num_rand_bytes--) {
*rand_data++ = *WDEV_HWRNG;
}
#elif !defined(WIN32) && defined(CONFIG_USE_DEV_URANDOM)
/* use the Linux default - read from /dev/urandom */ /* use the Linux default - read from /dev/urandom */
if (read(rng_fd, rand_data, num_rand_bytes) < 0) if (read(rng_fd, rand_data, num_rand_bytes) < 0)
return -1; return -1;
@ -223,7 +235,7 @@ int get_random_NZ(int num_rand_bytes, uint8_t *rand_data)
/** /**
* Some useful diagnostic routines * Some useful diagnostic routines
*/ */
#if defined(CONFIG_SSL_FULL_MODE) || defined(CONFIG_DEBUG) #if defined(CONFIG_SSL_DIAGNOSTICS) || defined(CONFIG_DEBUG)
int hex_finish; int hex_finish;
int hex_index; int hex_index;
@ -276,7 +288,7 @@ EXP_FUNC void STDCALL print_blob(const char *format,
va_list(ap); va_list(ap);
va_start(ap, size); va_start(ap, size);
sprintf(tmp, "%s\n", format); snprintf(tmp, sizeof(tmp), "%s\n", format);
vprintf(tmp, ap); vprintf(tmp, ap);
print_hex_init(size); print_hex_init(size);
for (i = 0; i < size; i++) for (i = 0; i < size; i++)

58
crypto/hmac.c
View file

@ -42,31 +42,34 @@
* Perform HMAC-MD5 * Perform HMAC-MD5
* NOTE: does not handle keys larger than the block size. * NOTE: does not handle keys larger than the block size.
*/ */
void hmac_md5(const uint8_t *msg, int length, const uint8_t *key, void ssl_hmac_md5(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest) int key_len, uint8_t *digest)
{ {
MD5_CTX context; MD5_CTX context;
uint8_t k_ipad[64]; uint8_t k_pad[64];
uint8_t k_opad[64];
int i; int i;
memset(k_ipad, 0, sizeof k_ipad); memset(k_pad, 0, sizeof k_pad);
memset(k_opad, 0, sizeof k_opad); memcpy(k_pad, key, key_len);
memcpy(k_ipad, key, key_len); for (i = 0; i < 64; i++)
memcpy(k_opad, key, key_len);
for (i = 0; i < 64; i++)
{ {
k_ipad[i] ^= 0x36; k_pad[i] ^= 0x36;
k_opad[i] ^= 0x5c;
} }
MD5_Init(&context); MD5_Init(&context);
MD5_Update(&context, k_ipad, 64); MD5_Update(&context, k_pad, 64);
MD5_Update(&context, msg, length); MD5_Update(&context, msg, length);
MD5_Final(digest, &context); MD5_Final(digest, &context);
memset(k_pad, 0, sizeof k_pad);
memcpy(k_pad, key, key_len);
for (i = 0; i < 64; i++)
{
k_pad[i] ^= 0x5c;
}
MD5_Init(&context); MD5_Init(&context);
MD5_Update(&context, k_opad, 64); MD5_Update(&context, k_pad, 64);
MD5_Update(&context, digest, MD5_SIZE); MD5_Update(&context, digest, MD5_SIZE);
MD5_Final(digest, &context); MD5_Final(digest, &context);
} }
@ -75,31 +78,34 @@ void hmac_md5(const uint8_t *msg, int length, const uint8_t *key,
* Perform HMAC-SHA1 * Perform HMAC-SHA1
* NOTE: does not handle keys larger than the block size. * NOTE: does not handle keys larger than the block size.
*/ */
void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, void ssl_hmac_sha1(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest) int key_len, uint8_t *digest)
{ {
SHA1_CTX context; SHA1_CTX context;
uint8_t k_ipad[64]; uint8_t k_pad[64];
uint8_t k_opad[64];
int i; int i;
memset(k_ipad, 0, sizeof k_ipad); memset(k_pad, 0, sizeof k_pad);
memset(k_opad, 0, sizeof k_opad); memcpy(k_pad, key, key_len);
memcpy(k_ipad, key, key_len); for (i = 0; i < 64; i++)
memcpy(k_opad, key, key_len);
for (i = 0; i < 64; i++)
{ {
k_ipad[i] ^= 0x36; k_pad[i] ^= 0x36;
k_opad[i] ^= 0x5c;
} }
SHA1_Init(&context); SHA1_Init(&context);
SHA1_Update(&context, k_ipad, 64); SHA1_Update(&context, k_pad, 64);
SHA1_Update(&context, msg, length); SHA1_Update(&context, msg, length);
SHA1_Final(digest, &context); SHA1_Final(digest, &context);
memset(k_pad, 0, sizeof k_pad);
memcpy(k_pad, key, key_len);
for (i = 0; i < 64; i++)
{
k_pad[i] ^= 0x5c;
}
SHA1_Init(&context); SHA1_Init(&context);
SHA1_Update(&context, k_opad, 64); SHA1_Update(&context, k_pad, 64);
SHA1_Update(&context, digest, SHA1_SIZE); SHA1_Update(&context, digest, SHA1_SIZE);
SHA1_Final(digest, &context); SHA1_Final(digest, &context);
} }

139
crypto/md5.c
View file

@ -74,6 +74,13 @@ static const uint8_t PADDING[64] =
#define H(x, y, z) ((x) ^ (y) ^ (z)) #define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z))) #define I(x, y, z) ((y) ^ ((x) | (~z)))
/* Versions for size-optimized code. */
#define IDX(v) ((v) & 3)
#define F_(a, i) ((a[IDX(i + 1)] & a[IDX(i + 2)]) | (~a[IDX(i + 1)] & a[IDX(i + 3)]))
#define G_(a, i) ((a[IDX(i + 1)] & a[IDX(i + 3)]) | (a[IDX(i + 2)] & ~a[IDX(i + 3)]))
#define H_(a, i) (a[IDX(i + 1)] ^ a[IDX(i + 2)] ^ a[IDX(i + 3)])
#define I_(a, i) (a[IDX(i + 2)] ^ (a[IDX(i + 1)] | ~a[IDX(i + 3)]))
/* ROTATE_LEFT rotates x left n bits. */ /* ROTATE_LEFT rotates x left n bits. */
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) #define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
@ -178,6 +185,8 @@ EXP_FUNC void STDCALL MD5_Final(uint8_t *digest, MD5_CTX *ctx)
/** /**
* MD5 basic transformation. Transforms state based on block. * MD5 basic transformation. Transforms state based on block.
*/ */
#if OPTIMIZE_FOR_SPEED
static void MD5Transform(uint32_t state[4], const uint8_t block[64]) static void MD5Transform(uint32_t state[4], const uint8_t block[64])
{ {
uint32_t a = state[0], b = state[1], c = state[2], uint32_t a = state[0], b = state[1], c = state[2],
@ -263,6 +272,136 @@ static void MD5Transform(uint32_t state[4], const uint8_t block[64])
state[3] += d; state[3] += d;
} }
#else
static void MD5Transform(uint32_t state[4], const uint8_t block[64])
{
uint32_t arr[4], x[MD5_SIZE];
memcpy(arr, state, sizeof(arr));
Decode(x, block, 64);
static const uint32_t round_ac[] = {
0xd76aa478, /* 1 */
0xe8c7b756, /* 2 */
0x242070db, /* 3 */
0xc1bdceee, /* 4 */
0xf57c0faf, /* 5 */
0x4787c62a, /* 6 */
0xa8304613, /* 7 */
0xfd469501, /* 8 */
0x698098d8, /* 9 */
0x8b44f7af, /* 10 */
0xffff5bb1, /* 11 */
0x895cd7be, /* 12 */
0x6b901122, /* 13 */
0xfd987193, /* 14 */
0xa679438e, /* 15 */
0x49b40821, /* 16 */
0xf61e2562, /* 17 */
0xc040b340, /* 18 */
0x265e5a51, /* 19 */
0xe9b6c7aa, /* 20 */
0xd62f105d, /* 21 */
0x2441453, /* 22 */
0xd8a1e681, /* 23 */
0xe7d3fbc8, /* 24 */
0x21e1cde6, /* 25 */
0xc33707d6, /* 26 */
0xf4d50d87, /* 27 */
0x455a14ed, /* 28 */
0xa9e3e905, /* 29 */
0xfcefa3f8, /* 30 */
0x676f02d9, /* 31 */
0x8d2a4c8a, /* 32 */
0xfffa3942, /* 33 */
0x8771f681, /* 34 */
0x6d9d6122, /* 35 */
0xfde5380c, /* 36 */
0xa4beea44, /* 37 */
0x4bdecfa9, /* 38 */
0xf6bb4b60, /* 39 */
0xbebfbc70, /* 40 */
0x289b7ec6, /* 41 */
0xeaa127fa, /* 42 */
0xd4ef3085, /* 43 */
0x4881d05, /* 44 */
0xd9d4d039, /* 45 */
0xe6db99e5, /* 46 */
0x1fa27cf8, /* 47 */
0xc4ac5665, /* 48 */
0xf4292244, /* 49 */
0x432aff97, /* 50 */
0xab9423a7, /* 51 */
0xfc93a039, /* 52 */
0x655b59c3, /* 53 */
0x8f0ccc92, /* 54 */
0xffeff47d, /* 55 */
0x85845dd1, /* 56 */
0x6fa87e4f, /* 57 */
0xfe2ce6e0, /* 58 */
0xa3014314, /* 59 */
0x4e0811a1, /* 60 */
0xf7537e82, /* 61 */
0xbd3af235, /* 62 */
0x2ad7d2bb, /* 63 */
0xeb86d391, /* 64 */
};
static const uint8_t round1_s[] = {
7, 12, 17, 22,
5, 9, 14, 20,
4, 11, 16, 23,
6, 10, 15, 21,
};
static const uint8_t round_order[] = {
0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15,
1, 6, 11, 0, 5, 10, 15, 4, 9, 14, 3, 8, 13, 2, 7, 12,
5, 8, 11, 14, 1, 4, 7, 10, 13, 0, 3, 6, 9, 12, 15, 2,
0, 7, 14, 5, 12, 3, 10, 1, 8, 15, 6, 13, 4, 11, 2, 9,
};
unsigned i;
const uint8_t *round_s = round1_s - 4;
for (i = 0; i < 64; i++) {
int off = IDX(4 - i);
uint32_t v;
// Code size is bigger
//round_s = round1_s + (i >> 4) * 4;
if ((i & 15) == 0) {
round_s += 4;
}
if (i < 32) {
if (i < 16) {
v = F_(arr, off);
} else {
v = G_(arr, off);
}
} else {
if (i < 48) {
v = H_(arr, off);
} else {
v = I_(arr, off);
}
}
v += arr[off];
v += x[round_order[i]] + round_ac[i];
v = ROTATE_LEFT(v, round_s[i & 3]);
v += arr[IDX(off + 1)];
arr[off] = v;
}
state[0] += arr[0];
state[1] += arr[1];
state[2] += arr[2];
state[3] += arr[3];
}
#endif // OPTIMIZE_FOR_SPEED
/** /**
* Encodes input (uint32_t) into output (uint8_t). Assumes len is * Encodes input (uint32_t) into output (uint8_t). Assumes len is
* a multiple of 4. * a multiple of 4.

2
crypto/rsa.c
View file

@ -231,7 +231,7 @@ void RSA_print(const RSA_CTX *rsa_ctx)
} }
#endif #endif
#if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT) #if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_GENERATE_X509_CERT) || (CONFIG_SSL_ENABLE_CLIENT)
/** /**
* Performs c = m^e mod n * Performs c = m^e mod n
*/ */

2
crypto/sha1.c
View file

@ -121,7 +121,7 @@ static void SHA1ProcessMessageBlock(SHA1_CTX *ctx)
*/ */
for (t = 0; t < 16; t++) for (t = 0; t < 16; t++)
{ {
W[t] = ctx->Message_Block[t * 4] << 24; W[t] = (uint32_t)ctx->Message_Block[t * 4] << 24;
W[t] |= ctx->Message_Block[t * 4 + 1] << 16; W[t] |= ctx->Message_Block[t * 4 + 1] << 16;
W[t] |= ctx->Message_Block[t * 4 + 2] << 8; W[t] |= ctx->Message_Block[t * 4 + 2] << 8;
W[t] |= ctx->Message_Block[t * 4 + 3]; W[t] |= ctx->Message_Block[t * 4 + 3];

4
crypto/sha256.c
View file

@ -32,6 +32,8 @@
#include "os_port.h" #include "os_port.h"
#include "crypto.h" #include "crypto.h"
#ifndef SHA256_CTX
#define GET_UINT32(n,b,i) \ #define GET_UINT32(n,b,i) \
{ \ { \
(n) = ((uint32_t) (b)[(i) ] << 24) \ (n) = ((uint32_t) (b)[(i) ] << 24) \
@ -272,3 +274,5 @@ void SHA256_Final(uint8_t *digest, SHA256_CTX *ctx)
PUT_UINT32(ctx->state[6], digest, 24); PUT_UINT32(ctx->state[6], digest, 24);
PUT_UINT32(ctx->state[7], digest, 28); PUT_UINT32(ctx->state[7], digest, 28);
} }
#endif // SHA256_CTX

6
samples/c/axssl.c
View file

@ -86,8 +86,8 @@ int main(int argc, char *argv[])
strcmp(argv[1], "s_server") && strcmp(argv[1], "s_client"))) strcmp(argv[1], "s_server") && strcmp(argv[1], "s_client")))
print_options(argc > 1 ? argv[1] : ""); print_options(argc > 1 ? argv[1] : "");
strcmp(argv[1], "s_server") ? // strcmp(argv[1], "s_server") ?
do_client(argc, argv) : do_server(argc, argv); do_client(argc, argv);// : do_server(argc, argv);
return 0; return 0;
} }
@ -573,6 +573,7 @@ static void do_client(int argc, char *argv[])
exit(1); exit(1);
} }
#ifndef CONFIG_SSL_SKELETON_MODE
if (private_key_file) if (private_key_file)
{ {
int obj_type = SSL_OBJ_RSA_KEY; int obj_type = SSL_OBJ_RSA_KEY;
@ -608,6 +609,7 @@ static void do_client(int argc, char *argv[])
exit(1); exit(1);
} }
} }
#endif
free(cert); free(cert);
free(ca_cert); free(ca_cert);

43
ssl/Config.in
View file

@ -34,16 +34,6 @@ config CONFIG_SSL_CERT_VERIFICATION
have an SSL server which requires client authentication (which is have an SSL server which requires client authentication (which is
uncommon in browser applications). uncommon in browser applications).
config CONFIG_SSL_ENABLE_CLIENT
bool "Client/Server enabled"
help
Enable client/server functionality (including peer authentication).
The axssl sample runs with the "s_client" option enabled.
This mode produces a library about 51kB in size. Use this mode if you
require axTLS to use SSL client functionality (the SSL server code
is always enabled).
config CONFIG_SSL_FULL_MODE config CONFIG_SSL_FULL_MODE
bool "Client/Server enabled with diagnostics" bool "Client/Server enabled with diagnostics"
@ -79,9 +69,30 @@ config CONFIG_SSL_SKELETON_MODE
endchoice endchoice
config CONFIG_SSL_ENABLE_SERVER
bool "Server enabled"
help
Enable server functionality.
config CONFIG_SSL_ENABLE_CLIENT
bool "Client enabled"
help
Enable client functionality.
The axssl sample runs with the "s_client" option enabled.
This mode produces a library about 51kB in size. Use this mode if you
require axTLS to use SSL client functionality (the SSL server code
is always enabled).
config CONFIG_SSL_DIAGNOSTICS
bool "Diagnostic messages"
help
Enable support for diagnostics of connection progress and state.
choice choice
prompt "Protocol Preference" prompt "Protocol Preference"
depends on !CONFIG_SSL_SKELETON_MODE # depends on !CONFIG_SSL_SKELETON_MODE
default CONFIG_SSL_PROT_MEDIUM default CONFIG_SSL_PROT_MEDIUM
config CONFIG_SSL_PROT_LOW config CONFIG_SSL_PROT_LOW
@ -110,9 +121,15 @@ config CONFIG_SSL_PROT_HIGH
endchoice endchoice
config CONFIG_SSL_AES
bool "Enable AES cipher"
default y
help
Enable/disable AES support.
config CONFIG_SSL_USE_DEFAULT_KEY config CONFIG_SSL_USE_DEFAULT_KEY
bool "Enable default key" bool "Enable default key"
depends on !CONFIG_SSL_SKELETON_MODE # depends on !CONFIG_SSL_SKELETON_MODE
default y default y
help help
Some applications will not require the default private key/certificate Some applications will not require the default private key/certificate
@ -241,7 +258,7 @@ config CONFIG_SSL_EXPIRY_TIME
config CONFIG_X509_MAX_CA_CERTS config CONFIG_X509_MAX_CA_CERTS
int "Maximum number of certificate authorites" int "Maximum number of certificate authorites"
default 150 default 150
depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE # depends on !CONFIG_SSL_SERVER_ONLY && !CONFIG_SSL_SKELETON_MODE
help help
Determines the number of CA's allowed. Determines the number of CA's allowed.

4
ssl/Makefile
View file

@ -62,7 +62,7 @@ STATIC_LIB=$(AXTLS_HOME)/$(STAGE)/axtls.static.lib
CRYPTO_PATH=$(AXTLS_HOME)\\crypto\\ CRYPTO_PATH=$(AXTLS_HOME)\\crypto\\
endif endif
libs: $(TARGET1) $(TARGET2) libs: $(TARGET1) #$(TARGET2)
CRYPTO_OBJ=\ CRYPTO_OBJ=\
$(CRYPTO_PATH)aes.o \ $(CRYPTO_PATH)aes.o \
@ -94,7 +94,7 @@ include $(AXTLS_HOME)/config/makefile.post
ifndef CONFIG_PLATFORM_WIN32 # Linux/Unix/Cygwin ifndef CONFIG_PLATFORM_WIN32 # Linux/Unix/Cygwin
$(TARGET1) : $(CRYPTO_OBJ) $(OBJ) $(TARGET1) : $(CRYPTO_OBJ) $(OBJ)
$(AR) -r $@ $(CRYPTO_OBJ) $(OBJ) $(AR) -rcs $@ $(CRYPTO_OBJ) $(OBJ)
$(TARGET2) : $(CRYPTO_OBJ) $(OBJ) $(TARGET2) : $(CRYPTO_OBJ) $(OBJ)
ifndef CONFIG_PLATFORM_CYGWIN ifndef CONFIG_PLATFORM_CYGWIN

14
ssl/crypto_misc.h
View file

@ -111,23 +111,23 @@ struct _x509_ctx
typedef struct _x509_ctx X509_CTX; typedef struct _x509_ctx X509_CTX;
#ifdef CONFIG_SSL_CERT_VERIFICATION //#ifdef CONFIG_SSL_CERT_VERIFICATION
typedef struct typedef struct
{ {
X509_CTX *cert[CONFIG_X509_MAX_CA_CERTS]; X509_CTX *cert[CONFIG_X509_MAX_CA_CERTS];
} CA_CERT_CTX; } CA_CERT_CTX;
#endif //#endif
int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx); int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx);
void x509_free(X509_CTX *x509_ctx); void x509_free(X509_CTX *x509_ctx);
#ifdef CONFIG_SSL_CERT_VERIFICATION //#ifdef CONFIG_SSL_CERT_VERIFICATION
int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert, int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert,
int *pathLenConstraint); int *pathLenConstraint);
#endif //#endif
#ifdef CONFIG_SSL_FULL_MODE //#ifdef CONFIG_SSL_FULL_MODE
void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx); void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx);
const char * x509_display_error(int error); const char * x509_display_error(int error);
#endif //#endif
/************************************************************************** /**************************************************************************
* ASN1 declarations * ASN1 declarations
@ -197,7 +197,7 @@ typedef void (*hmac_func)(const uint8_t *msg, int length, const uint8_t *key,
int get_file(const char *filename, uint8_t **buf); int get_file(const char *filename, uint8_t **buf);
#if defined(CONFIG_SSL_FULL_MODE) || defined(WIN32) || defined(CONFIG_DEBUG) #if defined(CONFIG_SSL_DIAGNOSTICS) || defined(WIN32) || defined(CONFIG_DEBUG)
EXP_FUNC void STDCALL print_blob(const char *format, const uint8_t *data, int size, ...); EXP_FUNC void STDCALL print_blob(const char *format, const uint8_t *data, int size, ...);
#else #else
#define print_blob(...) #define print_blob(...)

4
ssl/loader.c
View file

@ -44,6 +44,8 @@
#include "os_port.h" #include "os_port.h"
#include "ssl.h" #include "ssl.h"
#if CONFIG_SSL_ENABLE_SERVER
static int do_obj(SSL_CTX *ssl_ctx, int obj_type, static int do_obj(SSL_CTX *ssl_ctx, int obj_type,
SSLObjLoader *ssl_obj, const char *password); SSLObjLoader *ssl_obj, const char *password);
#ifdef CONFIG_SSL_HAS_PEM #ifdef CONFIG_SSL_HAS_PEM
@ -486,3 +488,5 @@ error:
return ret; return ret;
} }
#endif

92
ssl/os_port.c
View file

@ -1,92 +0,0 @@
/*
* Copyright (c) 2007-2016, Cameron Rich
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the axTLS project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file os_port.c
*
* OS specific functions.
*/
#include <time.h>
#include <stdlib.h>
#include <errno.h>
#include <stdarg.h>
#include "os_port.h"
#ifdef WIN32
/**
* gettimeofday() not in Win32
*/
EXP_FUNC void STDCALL gettimeofday(struct timeval* t, void* timezone)
{
#if defined(_WIN32_WCE)
t->tv_sec = time(NULL);
t->tv_usec = 0; /* 1sec precision only */
#else
struct _timeb timebuffer;
_ftime(&timebuffer);
t->tv_sec = (long)timebuffer.time;
t->tv_usec = 1000 * timebuffer.millitm; /* 1ms precision */
#endif
}
/**
* strcasecmp() not in Win32
*/
EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2)
{
while (tolower(*s1) == tolower(*s2++))
{
if (*s1++ == '\0')
{
return 0;
}
}
return *(unsigned char *)s1 - *(unsigned char *)(s2 - 1);
}
EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size)
{
HKEY hKey;
unsigned long datatype;
unsigned long bufferlength = buf_size;
if (RegOpenKeyEx(HKEY_LOCAL_MACHINE,
TEXT("SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters"),
0, KEY_QUERY_VALUE, &hKey) != ERROR_SUCCESS)
return -1;
RegQueryValueEx(hKey, "Domain", NULL, &datatype, buf, &bufferlength);
RegCloseKey(hKey);
return 0;
}
#endif

188
ssl/os_port.h
View file

@ -1,188 +0,0 @@
/*
* Copyright (c) 2007-2016, Cameron Rich
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the axTLS project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file os_port.h
*
* Some stuff to minimise the differences between windows and linux/unix
*/
#ifndef HEADER_OS_PORT_H
#define HEADER_OS_PORT_H
#ifdef __cplusplus
extern "C" {
#endif
#include "os_int.h"
#include "config.h"
#include <stdio.h>
#if defined(WIN32)
#define STDCALL __stdcall
#define EXP_FUNC __declspec(dllexport)
#else
#define STDCALL
#define EXP_FUNC
#endif
#if defined(_WIN32_WCE)
#undef WIN32
#define WIN32
#endif
#ifdef WIN32
/* Windows CE stuff */
#if defined(_WIN32_WCE)
#include <basetsd.h>
#define abort() exit(1)
#else
#include <io.h>
#include <process.h>
#include <sys/timeb.h>
#include <fcntl.h>
#endif /* _WIN32_WCE */
#include <winsock.h>
#include <direct.h>
#undef getpid
#undef open
#undef close
#undef sleep
#undef gettimeofday
#undef dup2
#undef unlink
#define SOCKET_READ(A,B,C) recv(A,B,C,0)
#define SOCKET_WRITE(A,B,C) send(A,B,C,0)
#define SOCKET_CLOSE(A) closesocket(A)
#define srandom(A) srand(A)
#define random() rand()
#define getpid() _getpid()
#define snprintf _snprintf
#define open(A,B) _open(A,B)
#define dup2(A,B) _dup2(A,B)
#define unlink(A) _unlink(A)
#define close(A) _close(A)
#define read(A,B,C) _read(A,B,C)
#define write(A,B,C) _write(A,B,C)
#define sleep(A) Sleep(A*1000)
#define usleep(A) Sleep(A/1000)
#define strdup(A) _strdup(A)
#define chroot(A) _chdir(A)
#define chdir(A) _chdir(A)
#define alloca(A) _alloca(A)
#ifndef lseek
#define lseek(A,B,C) _lseek(A,B,C)
#endif
/* This fix gets around a problem where a win32 application on a cygwin xterm
doesn't display regular output (until a certain buffer limit) - but it works
fine under a normal DOS window. This is a hack to get around the issue -
see http://www.khngai.com/emacs/tty.php */
#define TTY_FLUSH() if (!_isatty(_fileno(stdout))) fflush(stdout);
/*
* automatically build some library dependencies.
*/
#pragma comment(lib, "WS2_32.lib")
#pragma comment(lib, "AdvAPI32.lib")
typedef int socklen_t;
EXP_FUNC void STDCALL gettimeofday(struct timeval* t,void* timezone);
EXP_FUNC int STDCALL strcasecmp(const char *s1, const char *s2);
EXP_FUNC int STDCALL getdomainname(char *buf, int buf_size);
#else /* Not Win32 */
#include <unistd.h>
#include <pwd.h>
#include <netdb.h>
#include <dirent.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <asm/byteorder.h>
#define SOCKET_READ(A,B,C) read(A,B,C)
#define SOCKET_WRITE(A,B,C) write(A,B,C)
#define SOCKET_CLOSE(A) if (A >= 0) close(A)
#define TTY_FLUSH()
#ifndef be64toh
#define be64toh(x) __be64_to_cpu(x)
#endif
#endif /* Not Win32 */
/* some functions to mutate the way these work */
EXP_FUNC int STDCALL ax_open(const char *pathname, int flags);
#ifdef CONFIG_PLATFORM_LINUX
void exit_now(const char *format, ...) __attribute((noreturn));
#else
void exit_now(const char *format, ...);
#endif
/* Mutexing definitions */
#if defined(CONFIG_SSL_CTX_MUTEXING)
#if defined(WIN32)
#define SSL_CTX_MUTEX_TYPE HANDLE
#define SSL_CTX_MUTEX_INIT(A) A=CreateMutex(0, FALSE, 0)
#define SSL_CTX_MUTEX_DESTROY(A) CloseHandle(A)
#define SSL_CTX_LOCK(A) WaitForSingleObject(A, INFINITE)
#define SSL_CTX_UNLOCK(A) ReleaseMutex(A)
#else
#include <pthread.h>
#define SSL_CTX_MUTEX_TYPE pthread_mutex_t
#define SSL_CTX_MUTEX_INIT(A) pthread_mutex_init(&A, NULL)
#define SSL_CTX_MUTEX_DESTROY(A) pthread_mutex_destroy(&A)
#define SSL_CTX_LOCK(A) pthread_mutex_lock(&A)
#define SSL_CTX_UNLOCK(A) pthread_mutex_unlock(&A)
#endif
#else /* no mutexing */
#define SSL_CTX_MUTEX_INIT(A)
#define SSL_CTX_MUTEX_DESTROY(A)
#define SSL_CTX_LOCK(A)
#define SSL_CTX_UNLOCK(A)
#endif
#ifdef __cplusplus
}
#endif
#endif

1
ssl/os_port.h Symbolic link
View file

@ -0,0 +1 @@
os_port_micropython.h

85
ssl/os_port_micropython.h Normal file
View file

@ -0,0 +1,85 @@
/*
* Copyright (c) 2007-2015, Cameron Rich
*
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are met:
*
* * Redistributions of source code must retain the above copyright notice,
* this list of conditions and the following disclaimer.
* * Redistributions in binary form must reproduce the above copyright notice,
* this list of conditions and the following disclaimer in the documentation
* and/or other materials provided with the distribution.
* * Neither the name of the axTLS project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* @file os_port.h
*
* Some stuff to minimise the differences between windows and linux/unix
*/
#ifndef HEADER_OS_PORT_H
#define HEADER_OS_PORT_H
#include "os_int.h"
#include <errno.h>
#include <sys/types.h>
#ifndef __ets__
#include <arpa/inet.h>
#endif
#include <sys/time.h>
#include "config.h"
ssize_t mp_stream_posix_write(void *sock_obj, const void *buf, size_t len);
ssize_t mp_stream_posix_read(void *sock_obj, void *buf, size_t len);
extern int mp_stream_errno;
#if 1
#define SOCKET_READ(A,B,C) mp_stream_posix_read((void*)A,B,C)
#define SOCKET_WRITE(A,B,C) mp_stream_posix_write((void*)A,B,C)
#define SOCKET_CLOSE(A) NOT_USED_IN_LIB_CODE
#define SOCKET_ERRNO() mp_stream_errno
#else
#define SOCKET_READ(A,B,C) read(A,B,C)
#define SOCKET_WRITE(A,B,C) write(A,B,C)
#define SOCKET_CLOSE(A) if (A >= 0) close(A)
#define SOCKET_ERRNO() errno
#endif
#define ax_calloc(x, y) calloc(x, y)
#define ax_open(x, y) open(x, y)
#ifndef be64toh
#define be64toh(x) __be64_to_cpu(x)
#endif
#define SSL_CTX_MUTEX_INIT(A)
#define SSL_CTX_MUTEX_DESTROY(A)
#define SSL_CTX_LOCK(A)
#define SSL_CTX_UNLOCK(A)
#define TTY_FLUSH()
#include "../../../extmod/crypto-algorithms/sha256.h"
#define SHA256_CTX CRYAL_SHA256_CTX
#define SHA256_Init(a) sha256_init(a)
#define SHA256_Update(a, b, c) sha256_update(a, b, c)
#define SHA256_Final(a, b) sha256_final(b, a)
#endif

2
ssl/p12.c
View file

@ -409,7 +409,7 @@ int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
key, SHA1_SIZE, PKCS12_MAC_ID)) < 0) key, SHA1_SIZE, PKCS12_MAC_ID)) < 0)
goto error; goto error;
hmac_sha1(auth_safes, auth_safes_len, key, SHA1_SIZE, mac); ssl_hmac_sha1(auth_safes, auth_safes_len, key, SHA1_SIZE, mac);
if (memcmp(mac, orig_mac, SHA1_SIZE)) if (memcmp(mac, orig_mac, SHA1_SIZE))
{ {

7
ssl/ssl.h
View file

@ -89,6 +89,7 @@ extern "C" {
#define SSL_NOT_OK -1 #define SSL_NOT_OK -1
#define SSL_ERROR_DEAD -2 #define SSL_ERROR_DEAD -2
#define SSL_CLOSE_NOTIFY -3 #define SSL_CLOSE_NOTIFY -3
#define SSL_EAGAIN -4
#define SSL_ERROR_CONN_LOST -256 #define SSL_ERROR_CONN_LOST -256
#define SSL_ERROR_RECORD_OVERFLOW -257 #define SSL_ERROR_RECORD_OVERFLOW -257
#define SSL_ERROR_SOCK_SETUP_FAILURE -258 #define SSL_ERROR_SOCK_SETUP_FAILURE -258
@ -255,7 +256,7 @@ EXP_FUNC void STDCALL ssl_ext_free(SSL_EXTENSIONS *ssl_ext);
* @param client_fd [in] The client's file descriptor. * @param client_fd [in] The client's file descriptor.
* @return An SSL object reference. * @return An SSL object reference.
*/ */
EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd); EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, long client_fd);
/** /**
* @brief (client only) Establish a new SSL connection to an SSL server. * @brief (client only) Establish a new SSL connection to an SSL server.
@ -277,7 +278,7 @@ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd);
* @return An SSL object reference. Use ssl_handshake_status() to check * @return An SSL object reference. Use ssl_handshake_status() to check
* if a handshake succeeded. * if a handshake succeeded.
*/ */
EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext); EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, long client_fd, const uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext);
/** /**
* @brief Free any used resources on this connection. * @brief Free any used resources on this connection.
@ -328,7 +329,7 @@ EXP_FUNC int STDCALL ssl_write(SSL *ssl, const uint8_t *out_data, int out_len);
* @return A reference to the SSL object. Returns null if the object could not * @return A reference to the SSL object. Returns null if the object could not
* be found. * be found.
*/ */
EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd); EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, long client_fd);
/** /**
* @brief Get the session id for a handshake. * @brief Get the session id for a handshake.

63
ssl/tls1.c
View file

@ -83,7 +83,7 @@ static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
16, /* block padding size */ 16, /* block padding size */
SHA1_SIZE, /* digest size */ SHA1_SIZE, /* digest size */
2*(SHA1_SIZE+16+16), /* key block size */ 2*(SHA1_SIZE+16+16), /* key block size */
hmac_sha1, /* hmac algorithm */ ssl_hmac_sha1, /* hmac algorithm */
(crypt_func)AES_cbc_encrypt, /* encrypt */ (crypt_func)AES_cbc_encrypt, /* encrypt */
(crypt_func)AES_cbc_decrypt /* decrypt */ (crypt_func)AES_cbc_decrypt /* decrypt */
}, },
@ -94,7 +94,7 @@ static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
16, /* block padding size */ 16, /* block padding size */
SHA1_SIZE, /* digest size */ SHA1_SIZE, /* digest size */
2*(SHA1_SIZE+32+16), /* key block size */ 2*(SHA1_SIZE+32+16), /* key block size */
hmac_sha1, /* hmac algorithm */ ssl_hmac_sha1, /* hmac algorithm */
(crypt_func)AES_cbc_encrypt, /* encrypt */ (crypt_func)AES_cbc_encrypt, /* encrypt */
(crypt_func)AES_cbc_decrypt /* decrypt */ (crypt_func)AES_cbc_decrypt /* decrypt */
}, },
@ -169,11 +169,13 @@ EXP_FUNC SSL_CTX *STDCALL ssl_ctx_new(uint32_t options, int num_sessions)
ssl_ctx->options = options; ssl_ctx->options = options;
RNG_initialize(); RNG_initialize();
#ifdef CONFIG_SSL_ENABLE_SERVER
if (load_key_certs(ssl_ctx) < 0) if (load_key_certs(ssl_ctx) < 0)
{ {
free(ssl_ctx); /* can't load our key/certificate pair, so die */ free(ssl_ctx); /* can't load our key/certificate pair, so die */
return NULL; return NULL;
} }
#endif
#ifndef CONFIG_SSL_SKELETON_MODE #ifndef CONFIG_SSL_SKELETON_MODE
ssl_ctx->num_sessions = num_sessions; ssl_ctx->num_sessions = num_sessions;
@ -352,7 +354,7 @@ int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
if (i == CONFIG_SSL_MAX_CERTS) /* too many certs */ if (i == CONFIG_SSL_MAX_CERTS) /* too many certs */
{ {
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_DIAGNOSTICS
printf("Error: maximum number of certs added (%d) - change of " printf("Error: maximum number of certs added (%d) - change of "
"compile-time configuration required\n", "compile-time configuration required\n",
CONFIG_SSL_MAX_CERTS); CONFIG_SSL_MAX_CERTS);
@ -531,7 +533,7 @@ EXP_FUNC const char * STDCALL ssl_get_cert_subject_alt_dnsname(const SSL *ssl,
/* /*
* Find an ssl object based on the client's file descriptor. * Find an ssl object based on the client's file descriptor.
*/ */
EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, int client_fd) EXP_FUNC SSL * STDCALL ssl_find(SSL_CTX *ssl_ctx, long client_fd)
{ {
SSL *ssl; SSL *ssl;
@ -603,7 +605,7 @@ static const cipher_info_t *get_cipher_info(uint8_t cipher)
/* /*
* Get a new ssl context for a new connection. * Get a new ssl context for a new connection.
*/ */
SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd) SSL *ssl_new(SSL_CTX *ssl_ctx, long client_fd)
{ {
SSL *ssl = (SSL *)calloc(1, sizeof(SSL)); SSL *ssl = (SSL *)calloc(1, sizeof(SSL));
ssl->ssl_ctx = ssl_ctx; ssl->ssl_ctx = ssl_ctx;
@ -800,9 +802,9 @@ static void p_hash_md5(const uint8_t *sec, int sec_len,
uint8_t a1[MD5_SIZE+77]; uint8_t a1[MD5_SIZE+77];
/* A(1) */ /* A(1) */
hmac_md5(seed, seed_len, sec, sec_len, a1); ssl_hmac_md5(seed, seed_len, sec, sec_len, a1);
memcpy(&a1[MD5_SIZE], seed, seed_len); memcpy(&a1[MD5_SIZE], seed, seed_len);
hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out); ssl_hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
while (olen > MD5_SIZE) while (olen > MD5_SIZE)
{ {
@ -811,11 +813,11 @@ static void p_hash_md5(const uint8_t *sec, int sec_len,
olen -= MD5_SIZE; olen -= MD5_SIZE;
/* A(N) */ /* A(N) */
hmac_md5(a1, MD5_SIZE, sec, sec_len, a2); ssl_hmac_md5(a1, MD5_SIZE, sec, sec_len, a2);
memcpy(a1, a2, MD5_SIZE); memcpy(a1, a2, MD5_SIZE);
/* work out the actual hash */ /* work out the actual hash */
hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out); ssl_hmac_md5(a1, MD5_SIZE+seed_len, sec, sec_len, out);
} }
} }
@ -828,9 +830,9 @@ static void p_hash_sha1(const uint8_t *sec, int sec_len,
uint8_t a1[SHA1_SIZE+77]; uint8_t a1[SHA1_SIZE+77];
/* A(1) */ /* A(1) */
hmac_sha1(seed, seed_len, sec, sec_len, a1); ssl_hmac_sha1(seed, seed_len, sec, sec_len, a1);
memcpy(&a1[SHA1_SIZE], seed, seed_len); memcpy(&a1[SHA1_SIZE], seed, seed_len);
hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out); ssl_hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
while (olen > SHA1_SIZE) while (olen > SHA1_SIZE)
{ {
@ -839,11 +841,11 @@ static void p_hash_sha1(const uint8_t *sec, int sec_len,
olen -= SHA1_SIZE; olen -= SHA1_SIZE;
/* A(N) */ /* A(N) */
hmac_sha1(a1, SHA1_SIZE, sec, sec_len, a2); ssl_hmac_sha1(a1, SHA1_SIZE, sec, sec_len, a2);
memcpy(a1, a2, SHA1_SIZE); memcpy(a1, a2, SHA1_SIZE);
/* work out the actual hash */ /* work out the actual hash */
hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out); ssl_hmac_sha1(a1, SHA1_SIZE+seed_len, sec, sec_len, out);
} }
} }
@ -1068,11 +1070,15 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol)
#ifdef WIN32 #ifdef WIN32
if (GetLastError() != WSAEWOULDBLOCK) if (GetLastError() != WSAEWOULDBLOCK)
#else #else
if (errno != EAGAIN && errno != EWOULDBLOCK) if (SOCKET_ERRNO() != EAGAIN && SOCKET_ERRNO() != EWOULDBLOCK)
#endif #endif
return SSL_ERROR_CONN_LOST; return SSL_ERROR_CONN_LOST;
} }
#ifdef PORT_USE_SELECT
// TODO: This should be factored into SOCKET_WAIT_WRITABLE(),
// with semantic being waiting until socket can be written
// regardless whether it is in blocking or non-blocking mode.
/* keep going until the write buffer has some space */ /* keep going until the write buffer has some space */
if (sent != pkt_size) if (sent != pkt_size)
{ {
@ -1084,6 +1090,7 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol)
if (select(ssl->client_fd + 1, NULL, &wfds, NULL, NULL) < 0) if (select(ssl->client_fd + 1, NULL, &wfds, NULL, NULL) < 0)
return SSL_ERROR_CONN_LOST; return SSL_ERROR_CONN_LOST;
} }
#endif
} }
SET_SSL_FLAG(SSL_NEED_RECORD); /* reset for next time */ SET_SSL_FLAG(SSL_NEED_RECORD); /* reset for next time */
@ -1304,9 +1311,9 @@ int basic_read(SSL *ssl, uint8_t **in_data)
#ifdef WIN32 #ifdef WIN32
if (GetLastError() == WSAEWOULDBLOCK) if (GetLastError() == WSAEWOULDBLOCK)
#else #else
if (errno == EAGAIN || errno == EWOULDBLOCK) if (SOCKET_ERRNO() == EAGAIN || SOCKET_ERRNO() == EWOULDBLOCK)
#endif #endif
return 0; return SSL_EAGAIN;
} }
/* connection has gone, so die */ /* connection has gone, so die */
@ -1347,6 +1354,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
/* do we violate the spec with the message size? */ /* do we violate the spec with the message size? */
if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET) if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
{ {
printf("TLS buffer overflow, record size: %u (+5)\n", ssl->need_bytes);
ret = SSL_ERROR_RECORD_OVERFLOW; ret = SSL_ERROR_RECORD_OVERFLOW;
goto error; goto error;
} }
@ -1493,10 +1501,12 @@ static int do_handshake(SSL *ssl, uint8_t *buf, int read_len)
if (handshake_type != HS_CERT_VERIFY && handshake_type != HS_HELLO_REQUEST) if (handshake_type != HS_CERT_VERIFY && handshake_type != HS_HELLO_REQUEST)
add_packet(ssl, buf, hs_len); add_packet(ssl, buf, hs_len);
#if defined(CONFIG_SSL_ENABLE_CLIENT) #if defined(CONFIG_SSL_ENABLE_CLIENT) && defined(CONFIG_SSL_ENABLE_SERVER)
ret = is_client ? ret = is_client ?
do_clnt_handshake(ssl, handshake_type, buf, hs_len) : do_clnt_handshake(ssl, handshake_type, buf, hs_len) :
do_svr_handshake(ssl, handshake_type, buf, hs_len); do_svr_handshake(ssl, handshake_type, buf, hs_len);
#elif defined(CONFIG_SSL_ENABLE_CLIENT)
ret = do_clnt_handshake(ssl, handshake_type, buf, hs_len);
#else #else
ret = do_svr_handshake(ssl, handshake_type, buf, hs_len); ret = do_svr_handshake(ssl, handshake_type, buf, hs_len);
#endif #endif
@ -1570,7 +1580,7 @@ int send_alert(SSL *ssl, int error_code)
return SSL_ERROR_CONN_LOST; return SSL_ERROR_CONN_LOST;
} }
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_DIAGNOSTICS
if (IS_SET_SSL_FLAG(SSL_DISPLAY_STATES)) if (IS_SET_SSL_FLAG(SSL_DISPLAY_STATES))
ssl_display_error(error_code); ssl_display_error(error_code);
#endif #endif
@ -1989,6 +1999,7 @@ EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl)
return ret; return ret;
} }
#endif /* CONFIG_SSL_CERT_VERIFICATION */
/** /**
* Process a certificate message. * Process a certificate message.
@ -2060,6 +2071,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
chain = certs[0]; chain = certs[0];
cert_used[0] = 1; cert_used[0] = 1;
#ifndef CONFIG_SSL_SKELETON_MODE
// repeat until the end of the chain is found // repeat until the end of the chain is found
while (1) while (1)
{ {
@ -2099,6 +2111,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
{ {
ret = ssl_verify_cert(ssl); ret = ssl_verify_cert(ssl);
} }
#endif
ssl->next_state = is_client ? HS_SERVER_HELLO_DONE : HS_CLIENT_KEY_XCHG; ssl->next_state = is_client ? HS_SERVER_HELLO_DONE : HS_CLIENT_KEY_XCHG;
ssl->dc->bm_proc_index += offset; ssl->dc->bm_proc_index += offset;
@ -2113,12 +2126,12 @@ error:
return ret; return ret;
} }
#endif /* CONFIG_SSL_CERT_VERIFICATION */ //#endif /* CONFIG_SSL_CERT_VERIFICATION */
/** /**
* Debugging routine to display SSL handshaking stuff. * Debugging routine to display SSL handshaking stuff.
*/ */
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_DIAGNOSTICS
/** /**
* Debugging routine to display SSL states. * Debugging routine to display SSL states.
*/ */
@ -2188,11 +2201,13 @@ void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok)
*/ */
void DISPLAY_RSA(SSL *ssl, const RSA_CTX *rsa_ctx) void DISPLAY_RSA(SSL *ssl, const RSA_CTX *rsa_ctx)
{ {
#ifdef CONFIG_SSL_FULL_MODE
if (!IS_SET_SSL_FLAG(SSL_DISPLAY_RSA)) if (!IS_SET_SSL_FLAG(SSL_DISPLAY_RSA))
return; return;
RSA_print(rsa_ctx); RSA_print(rsa_ctx);
TTY_FLUSH(); TTY_FLUSH();
#endif
} }
/** /**
@ -2338,7 +2353,7 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("bad record mac"); printf("bad record mac");
break; break;
case SSL_ERROR_RECORD_OVERFLOW: case SSL_ALERT_RECORD_OVERFLOW:
printf("record overlow"); printf("record overlow");
break; break;
@ -2409,13 +2424,13 @@ EXP_FUNC const char * STDCALL ssl_version()
* Enable the various language bindings to work regardless of the * Enable the various language bindings to work regardless of the
* configuration - they just return an error statement and a bad return code. * configuration - they just return an error statement and a bad return code.
*/ */
#if !defined(CONFIG_SSL_FULL_MODE) #if !defined(CONFIG_SSL_DIAGNOSTICS)
EXP_FUNC void STDCALL ssl_display_error(int error_code) {} EXP_FUNC void STDCALL ssl_display_error(int error_code) {}
#endif #endif
#ifdef CONFIG_BINDINGS #ifdef CONFIG_BINDINGS
#if !defined(CONFIG_SSL_ENABLE_CLIENT) #if !defined(CONFIG_SSL_ENABLE_CLIENT)
EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, long client_fd, const
uint8_t *session_id, uint8_t sess_id_size) uint8_t *session_id, uint8_t sess_id_size)
{ {
printf("%s", unsupported_str); printf("%s", unsupported_str);

18
ssl/tls1.h
View file

@ -76,8 +76,14 @@ extern "C" {
#define IS_SET_SSL_FLAG(A) (ssl->flag & A) #define IS_SET_SSL_FLAG(A) (ssl->flag & A)
#define MAX_KEY_BYTE_SIZE 512 /* for a 4096 bit key */ #define MAX_KEY_BYTE_SIZE 512 /* for a 4096 bit key */
/* On send, will send another SSL fragment if plaintext exceeds RT_MAX_PLAIN_LENGTH */
#ifndef RT_MAX_PLAIN_LENGTH
#define RT_MAX_PLAIN_LENGTH 16384 #define RT_MAX_PLAIN_LENGTH 16384
#endif
/* Total receive buffer is RT_MAX_PLAIN_LENGTH + RT_EXTRA */
#ifndef RT_EXTRA
#define RT_EXTRA 1024 #define RT_EXTRA 1024
#endif
#define BM_RECORD_OFFSET 5 #define BM_RECORD_OFFSET 5
#define NUM_PROTOCOLS 4 #define NUM_PROTOCOLS 4
@ -194,7 +200,7 @@ struct _SSL
int16_t next_state; int16_t next_state;
int16_t hs_status; int16_t hs_status;
DISPOSABLE_CTX *dc; /* temporary data which we'll get rid of soon */ DISPOSABLE_CTX *dc; /* temporary data which we'll get rid of soon */
int client_fd; long client_fd;
const cipher_info_t *cipher_info; const cipher_info_t *cipher_info;
void *encrypt_ctx; void *encrypt_ctx;
void *decrypt_ctx; void *decrypt_ctx;
@ -211,7 +217,7 @@ struct _SSL
uint16_t session_index; uint16_t session_index;
SSL_SESSION *session; SSL_SESSION *session;
#endif #endif
#ifdef CONFIG_SSL_CERT_VERIFICATION #if defined(CONFIG_SSL_CERT_VERIFICATION) || defined(CONFIG_SSL_ENABLE_CLIENT)
X509_CTX *x509_ctx; X509_CTX *x509_ctx;
#endif #endif
@ -256,7 +262,7 @@ typedef struct _SSL_CTX SSLCTX;
extern const uint8_t ssl_prot_prefs[NUM_PROTOCOLS]; extern const uint8_t ssl_prot_prefs[NUM_PROTOCOLS];
SSL *ssl_new(SSL_CTX *ssl_ctx, int client_fd); SSL *ssl_new(SSL_CTX *ssl_ctx, long client_fd);
void disposable_new(SSL *ssl); void disposable_new(SSL *ssl);
void disposable_free(SSL *ssl); void disposable_free(SSL *ssl);
int send_packet(SSL *ssl, uint8_t protocol, int send_packet(SSL *ssl, uint8_t protocol,
@ -287,7 +293,7 @@ void remove_ca_certs(CA_CERT_CTX *ca_cert_ctx);
int do_client_connect(SSL *ssl); int do_client_connect(SSL *ssl);
#endif #endif
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_DIAGNOSTICS
void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok); void DISPLAY_STATE(SSL *ssl, int is_send, uint8_t state, int not_ok);
void DISPLAY_BYTES(SSL *ssl, const char *format, void DISPLAY_BYTES(SSL *ssl, const char *format,
const uint8_t *data, int size, ...); const uint8_t *data, int size, ...);
@ -307,9 +313,9 @@ void DISPLAY_BYTES(SSL *ssl, const char *format,/* win32 has no variadic macros
#endif #endif
#endif #endif
#ifdef CONFIG_SSL_CERT_VERIFICATION //#ifdef CONFIG_SSL_CERT_VERIFICATION
int process_certificate(SSL *ssl, X509_CTX **x509_ctx); int process_certificate(SSL *ssl, X509_CTX **x509_ctx);
#endif //#endif
SSL_SESSION *ssl_session_update(int max_sessions, SSL_SESSION *ssl_session_update(int max_sessions,
SSL_SESSION *ssl_sessions[], SSL *ssl, SSL_SESSION *ssl_sessions[], SSL *ssl,

10
ssl/tls1_clnt.c
View file

@ -63,12 +63,13 @@ static int send_cert_verify(SSL *ssl);
/* /*
* Establish a new SSL connection to an SSL server. * Establish a new SSL connection to an SSL server.
*/ */
EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, long client_fd, const
uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext) uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext)
{ {
SSL *ssl = ssl_new(ssl_ctx, client_fd); SSL *ssl = ssl_new(ssl_ctx, client_fd);
ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */ ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */
#ifndef CONFIG_SSL_SKELETON_MODE
if (session_id && ssl_ctx->num_sessions) if (session_id && ssl_ctx->num_sessions)
{ {
if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */ if (sess_id_size > SSL_SESSION_ID_SIZE) /* validity check */
@ -81,6 +82,7 @@ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
ssl->sess_id_size = sess_id_size; ssl->sess_id_size = sess_id_size;
SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */ SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
} }
#endif
ssl->extensions = ssl_ext; ssl->extensions = ssl_ext;
@ -307,7 +309,9 @@ static int process_server_hello(SSL *ssl)
{ {
uint8_t *buf = ssl->bm_data; uint8_t *buf = ssl->bm_data;
int pkt_size = ssl->bm_index; int pkt_size = ssl->bm_index;
#ifndef CONFIG_SSL_SKELETON_MODE
int num_sessions = ssl->ssl_ctx->num_sessions; int num_sessions = ssl->ssl_ctx->num_sessions;
#endif
uint8_t sess_id_size; uint8_t sess_id_size;
int offset, ret = SSL_OK; int offset, ret = SSL_OK;
@ -320,7 +324,9 @@ static int process_server_hello(SSL *ssl)
else if (ssl->version < SSL_PROTOCOL_MIN_VERSION) else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
{ {
ret = SSL_ERROR_INVALID_VERSION; ret = SSL_ERROR_INVALID_VERSION;
#ifdef CONFIG_SSL_DIAGNOSTICS
ssl_display_error(ret); ssl_display_error(ret);
#endif
goto error; goto error;
} }
@ -337,6 +343,7 @@ static int process_server_hello(SSL *ssl)
goto error; goto error;
} }
#ifndef CONFIG_SSL_SKELETON_MODE
if (num_sessions) if (num_sessions)
{ {
ssl->session = ssl_session_update(num_sessions, ssl->session = ssl_session_update(num_sessions,
@ -350,6 +357,7 @@ static int process_server_hello(SSL *ssl)
SSL_SESSION_ID_SIZE-sess_id_size); SSL_SESSION_ID_SIZE-sess_id_size);
} }
} }
#endif
memcpy(ssl->session_id, &buf[offset], sess_id_size); memcpy(ssl->session_id, &buf[offset], sess_id_size);
ssl->sess_id_size = sess_id_size; ssl->sess_id_size = sess_id_size;

13
ssl/tls1_svr.c
View file

@ -27,13 +27,14 @@
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/ */
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <stdio.h> #include <stdio.h>
#include "os_port.h" #include "os_port.h"
#include "ssl.h" #include "ssl.h"
#ifdef CONFIG_SSL_ENABLE_SERVER
static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 }; static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 };
static const uint8_t g_asn1_sha256[] = static const uint8_t g_asn1_sha256[] =
{ {
@ -54,14 +55,14 @@ static int process_cert_verify(SSL *ssl);
/* /*
* Establish a new SSL connection to an SSL client. * Establish a new SSL connection to an SSL client.
*/ */
EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd) EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, long client_fd)
{ {
SSL *ssl; SSL *ssl;
ssl = ssl_new(ssl_ctx, client_fd); ssl = ssl_new(ssl_ctx, client_fd);
ssl->next_state = HS_CLIENT_HELLO; ssl->next_state = HS_CLIENT_HELLO;
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_DIAGNOSTICS
if (ssl_ctx->chain_length == 0) if (ssl_ctx->chain_length == 0)
printf("Warning - no server certificate defined\n"); TTY_FLUSH(); printf("Warning - no server certificate defined\n"); TTY_FLUSH();
#endif #endif
@ -139,7 +140,9 @@ static int process_client_hello(SSL *ssl)
else if (version < SSL_PROTOCOL_MIN_VERSION) /* old version supported? */ else if (version < SSL_PROTOCOL_MIN_VERSION) /* old version supported? */
{ {
ret = SSL_ERROR_INVALID_VERSION; ret = SSL_ERROR_INVALID_VERSION;
#ifdef CONFIG_SSL_DIAGNOSTICS
ssl_display_error(ret); ssl_display_error(ret);
#endif
goto error; goto error;
} }
@ -245,6 +248,7 @@ error:
/* /*
* Send the entire server hello sequence * Send the entire server hello sequence
*/ */
#if CONFIG_SSL_ENABLE_SERVER
static int send_server_hello_sequence(SSL *ssl) static int send_server_hello_sequence(SSL *ssl)
{ {
int ret; int ret;
@ -356,6 +360,7 @@ static int send_server_hello_done(SSL *ssl)
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
g_hello_done, sizeof(g_hello_done)); g_hello_done, sizeof(g_hello_done));
} }
#endif
/* /*
* Pull apart a client key exchange message. Decrypt the pre-master key (using * Pull apart a client key exchange message. Decrypt the pre-master key (using
@ -524,3 +529,5 @@ error:
} }
#endif #endif
#endif

3
ssl/x509.c
View file

@ -814,6 +814,7 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
TTY_FLUSH(); TTY_FLUSH();
} }
#endif
const char * x509_display_error(int error) const char * x509_display_error(int error)
{ {
@ -856,5 +857,5 @@ const char * x509_display_error(int error)
return "Unknown"; return "Unknown";
} }
} }
#endif /* CONFIG_SSL_FULL_MODE */ //#endif /* CONFIG_SSL_FULL_MODE */