jepler/axtls
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

merge into: jepler:micropython
Branches Tags
jepler:master
jepler:sanitize-undefined-fixes
jepler:micropython-2.1.3
jepler:ssl_eagain
jepler:micropython
jepler:v1.8.2
...
pull from: jepler:master
Branches Tags
jepler:sanitize-undefined-fixes
jepler:micropython-2.1.3
jepler:ssl_eagain
jepler:master
jepler:micropython
jepler:v1.8.2

15 commits
micropytho ... master

Author SHA1 Message Date
cameronrich
4315d76a67 Use <stdbool.h> for bools. 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@275 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2017-02-18 21:21:06 +00:00
cameronrich
8073d379d2 * Basic constraint/key usage v3 extensions now supported 
* Test harness must now be run without built-in default cert

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@274 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-12-30 21:59:50 +00:00
cameronrich
d19bcf5257 * Basic constraint functionality added. 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@273 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-12-28 19:43:52 +00:00
cameronrich
384241ebcd * X509 State, country and location are now used for verification and display. 
* SNI hostname memory is now managed by the calling application
* X509 version number is checked before processing v3 extensions.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@272 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-12-19 20:20:01 +00:00
cameronrich
df8e0afecf * SNI added 
* Some non-C sample code updated.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@271 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-12-12 19:27:38 +00:00
cameronrich
3805b7c2b9 * RC4 only used if PKCS12 is used. 
* Buffer sizes tightned up.
* Buffer check on client handshake due to some incompatibilities.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@270 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-08-30 10:26:04 +00:00
cameronrich
57b95e6e05 * Put back TLS 1.0. 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@268 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-08-17 10:42:49 +00:00
cameronrich
ee9f17bd6a * Tightened up the buffer sizes 
* Removed support for TLS1.0.

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@267 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-08-16 07:13:15 +00:00
cameronrich
1017d8a5cc TLS 1.2 now passing a bunch of tests. 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@266 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-08-15 10:51:02 +00:00
cameronrich
294159d75e Server side v1.2 is basically working 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@265 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-08-11 10:04:13 +00:00
cameronrich
10f359add6 Client side works with a certificate verify - still lots of work to go. 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@264 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-08-09 07:15:32 +00:00
cameronrich
e23d6c390c * Initial crack at TLS 1.2 client side only (server side is seriously broken). 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@263 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-07-27 11:05:09 +00:00
cameronrich
287ed7dc14 Cleaned up alerts as per TLS v1.2 spec (7.2.2) 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@262 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-07-21 19:26:45 +00:00
cameronrich
9daa8bcd30 * Backed out code where close notify from other side closed the socket and ssl session. This needs to be done by the application. 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@261 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-07-19 20:44:20 +00:00
cameronrich
789e8517c3 Tightened up closure alerts for v1.2 (7.2.1) 
git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@260 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
 2016-07-18 20:29:14 +00:00
85 changed files with 2556 additions and 977 deletions
Show stats Expand all files Collapse all files

1
Makefile
View file

@ -108,7 +108,6 @@ endif
install -m 644 ssl/*.h $(PREFIX)/include/axTLS install -m 644 ssl/*.h $(PREFIX)/include/axTLS
-rm $(PREFIX)/include/axTLS/cert.h -rm $(PREFIX)/include/axTLS/cert.h
-rm $(PREFIX)/include/axTLS/private_key.h -rm $(PREFIX)/include/axTLS/private_key.h
-rm $(PREFIX)/include/axTLS/os_port.h
install -m 644 config/config.h $(PREFIX)/include/axTLS install -m 644 config/config.h $(PREFIX)/include/axTLS
installclean: installclean:

2
bindings/Config.in
View file

@ -55,7 +55,7 @@ depends on CONFIG_JAVA_BINDINGS
config CONFIG_JAVA_HOME config CONFIG_JAVA_HOME
string "Location of JDK" string "Location of JDK"
default "c:\\Program Files\\Java\\jdk1.5.0_06" if CONFIG_PLATFORM_WIN32 || CONFIG_PLATFORM_CYGWIN default "c:\\Program Files\\Java\\jdk1.5.0_06" if CONFIG_PLATFORM_WIN32 || CONFIG_PLATFORM_CYGWIN
default "/usr/local/jdk142" if !CONFIG_PLATFORM_WIN32 && !CONFIG_PLATFORM_CYGWIN default "/usr/lib/jvm/java-7-openjdk-amd64" if !CONFIG_PLATFORM_WIN32 && !CONFIG_PLATFORM_CYGWIN
depends on CONFIG_JAVA_BINDINGS depends on CONFIG_JAVA_BINDINGS
help help
The location of Sun's JDK. The location of Sun's JDK.

6
bindings/csharp/axTLS.cs
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -89,8 +89,8 @@ namespace axTLS
* @return The cipher id which is one of: * @return The cipher id which is one of:
* - SSL_AES128_SHA (0x2f) * - SSL_AES128_SHA (0x2f)
* - SSL_AES256_SHA (0x35) * - SSL_AES256_SHA (0x35)
* - SSL_RC4_128_SHA (0x05) * - SSL_AES128_SHA256 (0x3c)
* - SSL_RC4_128_MD5 (0x04) * - SSL_AES256_SHA256 (0x3d)
*/ */
public byte GetCipherId() public byte GetCipherId()
{ {

3
bindings/generate_SWIG_interface.pl
View file

@ -126,7 +126,7 @@ my @raw_data;
if (not defined $ARGV[0]) if (not defined $ARGV[0])
{ {
goto ouch; die "Usage: $0 [-java | -perl | -lua]\n";
} }
if ($ARGV[0] eq "-java") if ($ARGV[0] eq "-java")
@ -149,7 +149,6 @@ elsif ($ARGV[0] eq "-lua")
} }
else else
{ {
ouch:
die "Usage: $0 [-java | -perl | -lua]\n"; die "Usage: $0 [-java | -perl | -lua]\n";
} }

6
bindings/java/SSL.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -89,8 +89,8 @@ public class SSL
* @return The cipher id which is one of: * @return The cipher id which is one of:
* - SSL_AES128_SHA (0x2f) * - SSL_AES128_SHA (0x2f)
* - SSL_AES256_SHA (0x35) * - SSL_AES256_SHA (0x35)
* - SSL_RC4_128_SHA (0x05) * - SSL_AES128_SHA256 (0x3c)
* - SSL_RC4_128_MD5 (0x04) * - SSL_AES256_SHA256 (0x3d)
*/ */
public byte getCipherId() public byte getCipherId()
{ {

2
config/makefile.conf
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2007-2015, Cameron Rich # Copyright (c) 2007-2016, Cameron Rich
# #
# All rights reserved. # All rights reserved.
# #

4
crypto/crypto.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007-2015, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -200,6 +200,8 @@ void hmac_md5(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest); int key_len, uint8_t *digest);
void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key, void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest); int key_len, uint8_t *digest);
void hmac_sha256(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest);
/************************************************************************** /**************************************************************************
* RSA declarations * RSA declarations

36
crypto/hmac.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -103,3 +103,37 @@ void hmac_sha1(const uint8_t *msg, int length, const uint8_t *key,
SHA1_Update(&context, digest, SHA1_SIZE); SHA1_Update(&context, digest, SHA1_SIZE);
SHA1_Final(digest, &context); SHA1_Final(digest, &context);
} }
/**
* Perform HMAC-SHA256
* NOTE: does not handle keys larger than the block size.
*/
void hmac_sha256(const uint8_t *msg, int length, const uint8_t *key,
int key_len, uint8_t *digest)
{
SHA256_CTX context;
uint8_t k_ipad[64];
uint8_t k_opad[64];
int i;
memset(k_ipad, 0, sizeof k_ipad);
memset(k_opad, 0, sizeof k_opad);
memcpy(k_ipad, key, key_len);
memcpy(k_opad, key, key_len);
for (i = 0; i < 64; i++)
{
k_ipad[i] ^= 0x36;
k_opad[i] ^= 0x5c;
}
SHA256_Init(&context);
SHA256_Update(&context, k_ipad, 64);
SHA256_Update(&context, msg, length);
SHA256_Final(digest, &context);
SHA256_Init(&context);
SHA256_Update(&context, k_opad, 64);
SHA256_Update(&context, digest, SHA256_SIZE);
SHA256_Final(digest, &context);
}

5
crypto/rc4.c
View file

@ -37,6 +37,9 @@
#include "os_port.h" #include "os_port.h"
#include "crypto.h" #include "crypto.h"
/* only used for PKCS12 now */
#ifdef CONFIG_SSL_USE_PKCS12
/** /**
* Get ready for an encrypt/decrypt operation * Get ready for an encrypt/decrypt operation
*/ */
@ -90,3 +93,5 @@ void RC4_crypt(RC4_CTX *ctx, const uint8_t *msg, uint8_t *out, int length)
ctx->x = x; ctx->x = x;
ctx->y = y; ctx->y = y;
} }
#endif

5
samples/c/Makefile
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2007, Cameron Rich # Copyright (c) 2007-2016, Cameron Rich
# #
# All rights reserved. # All rights reserved.
# #
@ -59,7 +59,8 @@ include $(AXTLS_HOME)/config/makefile.post
ifndef CONFIG_PLATFORM_WIN32 ifndef CONFIG_PLATFORM_WIN32
$(TARGET): $(OBJ) $(LIBS)/libaxtls.a $(TARGET): $(OBJ) $(LIBS)/libaxtls.a
$(LD) $(LDFLAGS) -o $@ $(OBJ) -L$(LIBS) -laxtls $(LD) $(LDFLAGS) -o $@ $(OBJ) $(LIBS)/libaxtls.a
# $(LD) $(LDFLAGS) -o $@ $(OBJ) -L$(LIBS) -laxtls (shared library)
ifdef CONFIG_STRIP_UNWANTED_SECTIONS ifdef CONFIG_STRIP_UNWANTED_SECTIONS
$(STRIP) --remove-section=.comment $(TARGET) $(STRIP) --remove-section=.comment $(TARGET)
endif # use strip endif # use strip

35
samples/c/axssl.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -448,6 +448,7 @@ static void do_client(int argc, char *argv[])
uint8_t session_id[SSL_SESSION_ID_SIZE]; uint8_t session_id[SSL_SESSION_ID_SIZE];
fd_set read_set; fd_set read_set;
const char *password = NULL; const char *password = NULL;
SSL_EXTENSIONS *extensions = NULL;
FD_ZERO(&read_set); FD_ZERO(&read_set);
sin_addr = inet_addr("127.0.0.1"); sin_addr = inet_addr("127.0.0.1");
@ -534,6 +535,16 @@ static void do_client(int argc, char *argv[])
password = argv[++i]; password = argv[++i];
} }
else if (strcmp(argv[i], "-servername") == 0)
{
if (i >= argc-1)
{
print_client_options(argv[i]);
}
extensions = ssl_ext_new();
extensions->host_name = argv[++i];
}
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
else if (strcmp(argv[i], "-debug") == 0) else if (strcmp(argv[i], "-debug") == 0)
{ {
@ -630,7 +641,7 @@ static void do_client(int argc, char *argv[])
while (reconnect--) while (reconnect--)
{ {
ssl = ssl_client_new(ssl_ctx, client_fd, session_id, ssl = ssl_client_new(ssl_ctx, client_fd, session_id,
sizeof(session_id)); sizeof(session_id), extensions);
if ((res = ssl_handshake_status(ssl)) != SSL_OK) if ((res = ssl_handshake_status(ssl)) != SSL_OK)
{ {
if (!quiet) if (!quiet)
@ -658,7 +669,7 @@ static void do_client(int argc, char *argv[])
} }
else else
{ {
ssl = ssl_client_new(ssl_ctx, client_fd, NULL, 0); ssl = ssl_client_new(ssl_ctx, client_fd, NULL, 0, extensions);
} }
/* check the return status */ /* check the return status */
@ -674,13 +685,6 @@ static void do_client(int argc, char *argv[])
if (!quiet) if (!quiet)
{ {
const char *common_name = ssl_get_cert_dn(ssl,
SSL_X509_CERT_COMMON_NAME);
if (common_name)
{
printf("Common Name:\t\t\t%s\n", common_name);
}
display_session_id(ssl); display_session_id(ssl);
display_cipher(ssl); display_cipher(ssl);
} }
@ -829,7 +833,8 @@ static void print_client_options(char *option)
printf(" -quiet\t\t- No client output\n"); printf(" -quiet\t\t- No client output\n");
printf(" -reconnect\t- Drop and re-make the connection " printf(" -reconnect\t- Drop and re-make the connection "
"with the same Session-ID\n"); "with the same Session-ID\n");
printf(" -pass\t\t- private key file pass phrase source\n"); printf(" -pass\t\t- Private key file pass phrase source\n");
printf(" -servername\t- Set TLS extension servername in ClientHello\n");
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
printf(" -debug\t\t- Print more output\n"); printf(" -debug\t\t- Print more output\n");
printf(" -state\t\t- Show state messages\n"); printf(" -state\t\t- Show state messages\n");
@ -857,12 +862,12 @@ static void display_cipher(SSL *ssl)
printf("AES256-SHA"); printf("AES256-SHA");
break; break;
case SSL_RC4_128_SHA: case SSL_AES128_SHA256:
printf("RC4-SHA"); printf("AES128-SHA256");
break; break;
case SSL_RC4_128_MD5: case SSL_AES256_SHA256:
printf("RC4-MD5"); printf("AES256-SHA256");
break; break;
default: default:

10
samples/csharp/axssl.cs
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -723,12 +723,12 @@ public class axssl
Console.WriteLine("AES256-SHA"); Console.WriteLine("AES256-SHA");
break; break;
case axtls.SSL_RC4_128_SHA: case axtls.SSL_AES128_SHA256:
Console.WriteLine("RC4-SHA"); Console.WriteLine("AES128-SHA256");
break; break;
case axtls.SSL_RC4_128_MD5: case axtls.SSL_AES256_SHA256:
Console.WriteLine("RC4-MD5"); Console.WriteLine("AES128-SHA256");
break; break;
default: default:

2
samples/java/Makefile
View file

@ -1,5 +1,5 @@
# #
# Copyright (c) 2007, Cameron Rich # Copyright (c) 2007-2016, Cameron Rich
# #
# All rights reserved. # All rights reserved.
# #

10
samples/java/axssl.java
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -714,10 +714,10 @@ public class axssl
System.out.println("AES128-SHA"); System.out.println("AES128-SHA");
else if (ciph_id == axtlsj.SSL_AES256_SHA) else if (ciph_id == axtlsj.SSL_AES256_SHA)
System.out.println("AES256-SHA"); System.out.println("AES256-SHA");
else if (ciph_id == axtlsj.SSL_RC4_128_SHA) else if (ciph_id == axtlsj.SSL_AES128_SHA256)
System.out.println("RC4-SHA"); System.out.println("AES128-SHA256");
else if (ciph_id == axtlsj.SSL_RC4_128_MD5) else if (ciph_id == axtlsj.SSL_AES256_SHA256)
System.out.println("RC4-MD5"); System.out.println("AES256-SHA256");
else else
System.out.println("Unknown - " + ssl.getCipherId()); System.out.println("Unknown - " + ssl.getCipherId());
} }

10
samples/lua/axssl.lua
View file

@ -1,7 +1,7 @@
#!/usr/local/bin/lua #!/usr/local/bin/lua
-- --
-- Copyright (c) 2007, Cameron Rich -- Copyright (c) 2007-2016, Cameron Rich
-- --
-- All rights reserved. -- All rights reserved.
-- --
@ -523,10 +523,10 @@ function display_cipher(ssl)
print("AES128-SHA") print("AES128-SHA")
elseif cipher_id == axtlsl.SSL_AES256_SHA then elseif cipher_id == axtlsl.SSL_AES256_SHA then
print("AES256-SHA") print("AES256-SHA")
elseif axtlsl.SSL_RC4_128_SHA then elseif axtlsl.SSL_AES128_SHA256 then
print("RC4-SHA") print("AES128-SHA256")
elseif axtlsl.SSL_RC4_128_MD5 then elseif axtlsl.SSL_AES256_SHA256 then
print("RC4-MD5") print("AES256-SHA256")
else else
print("Unknown - "..cipher_id) print("Unknown - "..cipher_id)
end end

10
samples/perl/axssl.pl
View file

@ -1,6 +1,6 @@
#!/usr/bin/perl -w #!/usr/bin/perl -w
# #
# Copyright (c) 2007, Cameron Rich # Copyright (c) 2007-2016, Cameron Rich
# #
# All rights reserved. # All rights reserved.
# #
@ -602,13 +602,13 @@ sub display_cipher
{ {
printf("AES256-SHA"); printf("AES256-SHA");
} }
elsif ($axtlsp::SSL_RC4_128_SHA) elsif ($axtlsp::SSL_AES128_SHA256)
{ {
printf("RC4-SHA"); printf("AES128-SHA256");
} }
elsif ($axtlsp::SSL_RC4_128_MD5) elsif ($axtlsp::SSL_AES256_SHA256)
{ {
printf("RC4-MD5"); printf("AES256-SHA256");
} }
else else
{ {

10
samples/vbnet/axssl.vb
View file

@ -1,5 +1,5 @@
' '
' Copyright (c) 2007, Cameron Rich ' Copyright (c) 2007-2016, Cameron Rich
' '
' All rights reserved. ' All rights reserved.
' '
@ -534,11 +534,11 @@ Public Class axssl
Case axtls.SSL_AES256_SHA Case axtls.SSL_AES256_SHA
Console.WriteLine("AES256-SHA") Console.WriteLine("AES256-SHA")
Case axtls.SSL_RC4_128_SHA Case axtls.SSL_AES128_SHA256
Console.WriteLine("RC4-SHA") Console.WriteLine("AES128-SHA256")
Case axtls.SSL_RC4_128_MD5 Case axtls.SSL_AES256_SHA256
Console.WriteLine("RC4-MD5") Console.WriteLine("AES256-SHA256")
Case Else Case Else
Console.WriteLine("Unknown - " & ssl.GetCipherId()) Console.WriteLine("Unknown - " & ssl.GetCipherId())

9
ssl/Config.in
View file

@ -87,21 +87,24 @@ choice
config CONFIG_SSL_PROT_LOW config CONFIG_SSL_PROT_LOW
bool "Low" bool "Low"
help help
Chooses the cipher in the order of RC4-SHA, AES128-SHA, AES256-SHA. Chooses the cipher in the order of AES128-SHA, AES128-SHA256,
AES256-SHA256.
This will use the fastest cipher(s) but at the expense of security. This will use the fastest cipher(s) but at the expense of security.
config CONFIG_SSL_PROT_MEDIUM config CONFIG_SSL_PROT_MEDIUM
bool "Medium" bool "Medium"
help help
Chooses the cipher in the order of AES128-SHA, AES256-SHA, RC4-SHA. Chooses the cipher in the order of AES128-SHA256, AES256-SHA256,
AES128-SHA
This mode is a balance between speed and security and is the default. This mode is a balance between speed and security and is the default.
config CONFIG_SSL_PROT_HIGH config CONFIG_SSL_PROT_HIGH
bool "High" bool "High"
help help
Chooses the cipher in the order of AES256-SHA, AES128-SHA, RC4-SHA. Chooses the cipher in the order of AES256-SHA256, AES128-SHA256,
AES128-SHA.
This will use the strongest cipher(s) at the cost of speed. This will use the strongest cipher(s) at the cost of speed.

192
ssl/asn1.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007-2015, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -80,8 +80,18 @@ static const uint8_t sig_subject_alt_name[] =
0x55, 0x1d, 0x11 0x55, 0x1d, 0x11
}; };
/* CN, O, OU */ static const uint8_t sig_basic_constraints[] =
static const uint8_t g_dn_types[] = { 3, 10, 11 }; {
0x55, 0x1d, 0x13
};
static const uint8_t sig_key_usage[] =
{
0x55, 0x1d, 0x0f
};
/* CN, O, OU, L, C, ST */
static const uint8_t g_dn_types[] = { 3, 10, 11, 7, 6, 8 };
uint32_t get_asn1_length(const uint8_t *buf, int *offset) uint32_t get_asn1_length(const uint8_t *buf, int *offset)
{ {
@ -117,6 +127,7 @@ int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type)
{ {
if (buf[*offset] != obj_type) if (buf[*offset] != obj_type)
return X509_NOT_OK; return X509_NOT_OK;
(*offset)++; (*offset)++;
return get_asn1_length(buf, offset); return get_asn1_length(buf, offset);
} }
@ -141,12 +152,12 @@ int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type)
* Read an integer value for ASN.1 data * Read an integer value for ASN.1 data
* Note: This function allocates memory which must be freed by the user. * Note: This function allocates memory which must be freed by the user.
*/ */
int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object) int asn1_get_big_int(const uint8_t *buf, int *offset, uint8_t **object)
{ {
int len; int len;
if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0) if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0)
goto end_int_array; goto end_big_int;
if (len > 1 && buf[*offset] == 0x00) /* ignore the negative byte */ if (len > 1 && buf[*offset] == 0x00) /* ignore the negative byte */
{ {
@ -158,10 +169,91 @@ int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object)
memcpy(*object, &buf[*offset], len); memcpy(*object, &buf[*offset], len);
*offset += len; *offset += len;
end_int_array: end_big_int:
return len; return len;
} }
/**
* Read an integer value for ASN.1 data
*/
int asn1_get_int(const uint8_t *buf, int *offset, int32_t *val)
{
int res = X509_OK;
int len;
int i;
if ((len = asn1_next_obj(buf, offset, ASN1_INTEGER)) < 0 ||
len > sizeof(int32_t))
{
res = X509_NOT_OK;
goto end_int;
}
*val = 0;
for (i = 0; i < len; i++)
{
*val <<= 8;
*val |= buf[(*offset)++];
}
end_int:
return res;
}
/**
* Read an boolean value for ASN.1 data
*/
int asn1_get_bool(const uint8_t *buf, int *offset, bool *val)
{
int res = X509_OK;
if (asn1_next_obj(buf, offset, ASN1_BOOLEAN) != 1)
{
res = X509_NOT_OK;
goto end_bool;
}
/* DER demands that "If the encoding represents the boolean value TRUE,
its single contents octet shall have all eight bits set to one."
Thus only 0 and 255 are valid encoded values. */
*val = buf[(*offset)++] == 0xFF;
end_bool:
return res;
}
/**
* Convert an ASN.1 bit string into a 32 bit integer. Used for key usage
*/
int asn1_get_bit_string_as_int(const uint8_t *buf, int *offset, uint32_t *val)
{
int res = X509_OK;
int len, i;
if ((len = asn1_next_obj(buf, offset, ASN1_BIT_STRING)) < 0 || len > 5)
{
res = X509_NOT_OK;
goto end_bit_string_as_int;
}
/* number of bits left unused in the final byte of content */
(*offset)++;
len--;
*val = 0;
/* not sure why key usage doesn't used proper DER spec version */
for (i = len-1; i >= 0; --i)
{
*val <<= 8;
*val |= buf[(*offset) + i];
}
*offset += len;
end_bit_string_as_int:
return res;
}
/** /**
* Get all the RSA private key specifics from an ASN.1 encoded file * Get all the RSA private key specifics from an ASN.1 encoded file
*/ */
@ -187,19 +279,19 @@ int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx)
/* Use the private key to mix up the RNG if possible. */ /* Use the private key to mix up the RNG if possible. */
RNG_custom_init(buf, len); RNG_custom_init(buf, len);
mod_len = asn1_get_int(buf, &offset, &modulus); mod_len = asn1_get_big_int(buf, &offset, &modulus);
pub_len = asn1_get_int(buf, &offset, &pub_exp); pub_len = asn1_get_big_int(buf, &offset, &pub_exp);
priv_len = asn1_get_int(buf, &offset, &priv_exp); priv_len = asn1_get_big_int(buf, &offset, &priv_exp);
if (mod_len <= 0 || pub_len <= 0 || priv_len <= 0) if (mod_len <= 0 || pub_len <= 0 || priv_len <= 0)
return X509_INVALID_PRIV_KEY; return X509_INVALID_PRIV_KEY;
#ifdef CONFIG_BIGINT_CRT #ifdef CONFIG_BIGINT_CRT
p_len = asn1_get_int(buf, &offset, &p); p_len = asn1_get_big_int(buf, &offset, &p);
q_len = asn1_get_int(buf, &offset, &q); q_len = asn1_get_big_int(buf, &offset, &q);
dP_len = asn1_get_int(buf, &offset, &dP); dP_len = asn1_get_big_int(buf, &offset, &dP);
dQ_len = asn1_get_int(buf, &offset, &dQ); dQ_len = asn1_get_big_int(buf, &offset, &dQ);
qInv_len = asn1_get_int(buf, &offset, &qInv); qInv_len = asn1_get_big_int(buf, &offset, &qInv);
if (p_len <= 0 || q_len <= 0 || dP_len <= 0 || dQ_len <= 0 || qInv_len <= 0) if (p_len <= 0 || q_len <= 0 || dP_len <= 0 || dQ_len <= 0 || qInv_len <= 0)
return X509_INVALID_PRIV_KEY; return X509_INVALID_PRIV_KEY;
@ -243,13 +335,16 @@ static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
memset(&tm, 0, sizeof(struct tm)); memset(&tm, 0, sizeof(struct tm));
tm.tm_year = (buf[t_offset] - '0')*10 + (buf[t_offset+1] - '0'); tm.tm_year = (buf[t_offset] - '0')*10 + (buf[t_offset+1] - '0');
if (tm.tm_year <= 50) /* 1951-2050 thing */ if (tm.tm_year < 50) /* 1951-2050 thing */
{ {
tm.tm_year += 100; tm.tm_year += 100;
} }
tm.tm_mon = (buf[t_offset+2] - '0')*10 + (buf[t_offset+3] - '0') - 1; tm.tm_mon = (buf[t_offset+2] - '0')*10 + (buf[t_offset+3] - '0') - 1;
tm.tm_mday = (buf[t_offset+4] - '0')*10 + (buf[t_offset+5] - '0'); tm.tm_mday = (buf[t_offset+4] - '0')*10 + (buf[t_offset+5] - '0');
tm.tm_hour = (buf[t_offset+6] - '0')*10 + (buf[t_offset+7] - '0');
tm.tm_min = (buf[t_offset+8] - '0')*10 + (buf[t_offset+9] - '0');
tm.tm_sec = (buf[t_offset+10] - '0')*10 + (buf[t_offset+11] - '0');
*t = mktime(&tm); *t = mktime(&tm);
*offset += len; *offset += len;
ret = X509_OK; ret = X509_OK;
@ -274,13 +369,14 @@ static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
} }
else else
{ {
tm.tm_year = abs_year - 1900; tm.tm_year = abs_year - 1900;
tm.tm_mon = (buf[t_offset+4] - '0')*10 + (buf[t_offset+5] - '0') - 1; tm.tm_mon = (buf[t_offset+4] - '0')*10 +
tm.tm_mday = (buf[t_offset+6] - '0')*10 + (buf[t_offset+7] - '0'); (buf[t_offset+5] - '0') - 1;
tm.tm_hour = (buf[t_offset+8] - '0')*10 + (buf[t_offset+9] - '0'); tm.tm_mday = (buf[t_offset+6] - '0')*10 + (buf[t_offset+7] - '0');
tm.tm_min = (buf[t_offset+10] - '0')*10 + (buf[t_offset+11] - '0'); tm.tm_hour = (buf[t_offset+8] - '0')*10 + (buf[t_offset+9] - '0');
tm.tm_sec = (buf[t_offset+12] - '0')*10 + (buf[t_offset+13] - '0'); tm.tm_min = (buf[t_offset+10] - '0')*10 + (buf[t_offset+11] - '0');
*t = mktime(&tm); tm.tm_sec = (buf[t_offset+12] - '0')*10 + (buf[t_offset+13] - '0');
*t = mktime(&tm);
} }
*offset += len; *offset += len;
@ -291,19 +387,12 @@ static int asn1_get_utc_time(const uint8_t *buf, int *offset, time_t *t)
} }
/** /**
* Get the version type of a certificate (which we don't actually care about) * Get the version type of a certificate
*/ */
int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx) int asn1_version(const uint8_t *cert, int *offset, int *val)
{ {
int ret = X509_NOT_OK;
(*offset) += 2; /* get past explicit tag */ (*offset) += 2; /* get past explicit tag */
if (asn1_skip_obj(cert, offset, ASN1_INTEGER)) return asn1_get_int(cert, offset, val);
goto end_version;
ret = X509_OK;
end_version:
return ret;
} }
/** /**
@ -453,8 +542,8 @@ int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx)
if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0) if (asn1_next_obj(cert, offset, ASN1_SEQUENCE) < 0)
goto end_pub_key; goto end_pub_key;
mod_len = asn1_get_int(cert, offset, &modulus); mod_len = asn1_get_big_int(cert, offset, &modulus);
pub_len = asn1_get_int(cert, offset, &pub_exp); pub_len = asn1_get_big_int(cert, offset, &pub_exp);
RSA_pub_key_new(&x509_ctx->rsa_ctx, modulus, mod_len, pub_exp, pub_len); RSA_pub_key_new(&x509_ctx->rsa_ctx, modulus, mod_len, pub_exp, pub_len);
@ -574,7 +663,7 @@ int asn1_find_oid(const uint8_t* cert, int* offset,
return 0; return 0;
} }
int asn1_find_subjectaltname(const uint8_t* cert, int offset) int asn1_is_subject_alt_name(const uint8_t *cert, int offset)
{ {
if (asn1_find_oid(cert, &offset, sig_subject_alt_name, if (asn1_find_oid(cert, &offset, sig_subject_alt_name,
sizeof(sig_subject_alt_name))) sizeof(sig_subject_alt_name)))
@ -585,6 +674,39 @@ int asn1_find_subjectaltname(const uint8_t* cert, int offset)
return 0; return 0;
} }
int asn1_is_basic_constraints(const uint8_t *cert, int offset)
{
if (asn1_find_oid(cert, &offset, sig_basic_constraints,
sizeof(sig_basic_constraints)))
{
return offset;
}
return 0;
}
int asn1_is_key_usage(const uint8_t *cert, int offset)
{
if (asn1_find_oid(cert, &offset, sig_key_usage,
sizeof(sig_key_usage)))
{
return offset;
}
return 0;
}
bool asn1_is_critical_ext(const uint8_t *buf, int *offset)
{
/* critical is optional */
bool res = false;
if (asn1_next_obj(buf, offset, ASN1_BOOLEAN) == 1)
res = buf[(*offset)++] == 0xFF;
return res;
}
#endif /* CONFIG_SSL_CERT_VERIFICATION */ #endif /* CONFIG_SSL_CERT_VERIFICATION */
/** /**

71
ssl/cert.h
View file

@ -1,43 +1,54 @@
unsigned char default_certificate[] = { unsigned char default_certificate[] = {
0x30, 0x82, 0x01, 0xd7, 0x30, 0x82, 0x01, 0x40, 0x02, 0x09, 0x00, 0xab, 0x30, 0x82, 0x02, 0x58, 0x30, 0x82, 0x01, 0x40, 0x02, 0x09, 0x00, 0xa5,
0x08, 0x18, 0xa7, 0x03, 0x07, 0x27, 0xfd, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x2a, 0xc8, 0x78, 0x87, 0xf2, 0xe7, 0xc5, 0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x34, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x30, 0x34,
0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x29, 0x61, 0x31, 0x32, 0x30, 0x30, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x29, 0x61,
0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74, 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x63, 0x74,
0x20, 0x44, 0x6f, 0x64, 0x67, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69, 0x20, 0x44, 0x6f, 0x64, 0x67, 0x79, 0x20, 0x43, 0x65, 0x72, 0x74, 0x69,
0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x20, 0x41, 0x75, 0x74, 0x68, 0x6f,
0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x30, 0x31, 0x32, 0x72, 0x69, 0x74, 0x79, 0x30, 0x1e, 0x17, 0x0d, 0x31, 0x36, 0x31, 0x32,
0x32, 0x36, 0x32, 0x32, 0x33, 0x33, 0x33, 0x39, 0x5a, 0x17, 0x0d, 0x32, 0x33, 0x30, 0x32, 0x31, 0x30, 0x34, 0x32, 0x37, 0x5a, 0x17, 0x0d, 0x33,
0x34, 0x30, 0x39, 0x30, 0x33, 0x32, 0x32, 0x33, 0x33, 0x33, 0x39, 0x5a, 0x30, 0x30, 0x39, 0x30, 0x38, 0x32, 0x31, 0x30, 0x34, 0x32, 0x37, 0x5a,
0x30, 0x2c, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x30, 0x2c, 0x31, 0x16, 0x30, 0x14, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13,
0x0d, 0x61, 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65, 0x0d, 0x61, 0x78, 0x54, 0x4c, 0x53, 0x20, 0x50, 0x72, 0x6f, 0x6a, 0x65,
0x63, 0x74, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13, 0x63, 0x74, 0x31, 0x12, 0x30, 0x10, 0x06, 0x03, 0x55, 0x04, 0x03, 0x13,
0x09, 0x31, 0x32, 0x37, 0x2e, 0x30, 0x2e, 0x30, 0x2e, 0x31, 0x30, 0x81, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x30, 0x81,
0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x9f, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01,
0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02, 0x01, 0x01, 0x05, 0x00, 0x03, 0x81, 0x8d, 0x00, 0x30, 0x81, 0x89, 0x02,
0x81, 0x81, 0x00, 0xcd, 0xfd, 0x89, 0x48, 0xbe, 0x36, 0xb9, 0x95, 0x76, 0x81, 0x81, 0x00, 0xbd, 0x0f, 0xd4, 0x42, 0xa8, 0x74, 0x87, 0x54, 0xaa,
0xd4, 0x13, 0x30, 0x0e, 0xbf, 0xb2, 0xed, 0x67, 0x0a, 0xc0, 0x16, 0x3f, 0xb9, 0x3a, 0x1f, 0x8b, 0xce, 0xbd, 0xb7, 0x65, 0xfb, 0x40, 0x3d, 0xd0,
0x51, 0x09, 0x9d, 0x29, 0x2f, 0xb2, 0x6d, 0x3f, 0x3e, 0x6c, 0x2f, 0x90, 0x11, 0x9a, 0x9c, 0xdc, 0x82, 0x7c, 0xea, 0xa8, 0x17, 0xe1, 0x74, 0xf3,
0x80, 0xa1, 0x71, 0xdf, 0xbe, 0x38, 0xc5, 0xcb, 0xa9, 0x9a, 0x40, 0x14, 0x05, 0x0e, 0x61, 0xc1, 0xc1, 0x78, 0x8a, 0xb2, 0xba, 0x15, 0x22, 0x5a,
0x90, 0x0a, 0xf9, 0xb7, 0x07, 0x0b, 0xe1, 0xda, 0xe7, 0x09, 0xbf, 0x0d, 0xff, 0x9b, 0xb8, 0x7a, 0x2e, 0x0f, 0x88, 0xb7, 0x74, 0xde, 0x04, 0x99,
0x57, 0x41, 0x86, 0x60, 0xa1, 0xc1, 0x27, 0x91, 0x5b, 0x0a, 0x98, 0x46, 0xa5, 0xa2, 0x99, 0x53, 0x8b, 0xad, 0x78, 0x5a, 0x31, 0xed, 0xbc, 0x01,
0x1b, 0xf6, 0xa2, 0x84, 0xf8, 0x65, 0xc7, 0xce, 0x2d, 0x96, 0x17, 0xaa, 0xe7, 0xdf, 0xe9, 0xec, 0x2f, 0xa0, 0x5d, 0x53, 0xf6, 0xe6, 0x8a, 0xa0,
0x91, 0xf8, 0x61, 0x04, 0x50, 0x70, 0xeb, 0xb4, 0x43, 0xb7, 0xdc, 0x9a, 0xc8, 0x6d, 0x41, 0x45, 0x63, 0x23, 0xb3, 0xcf, 0x4e, 0x50, 0x1f, 0x28,
0xcc, 0x31, 0x01, 0x14, 0xd4, 0xcd, 0xcc, 0xc2, 0x37, 0x6d, 0x69, 0x82, 0xdf, 0x36, 0xe2, 0x73, 0xdf, 0xd6, 0xa1, 0xb3, 0x46, 0x4f, 0x6e, 0xbb,
0xd6, 0xc6, 0xc4, 0xbe, 0xf2, 0x34, 0xa5, 0xc9, 0xa6, 0x19, 0x53, 0x32, 0x0d, 0x9b, 0xef, 0xa8, 0xf9, 0x4c, 0xa5, 0x71, 0xa1, 0x88, 0xdd, 0x07,
0x7a, 0x86, 0x0e, 0x91, 0x82, 0x0f, 0xa1, 0x42, 0x54, 0xaa, 0x01, 0x02, 0xa9, 0x86, 0x0d, 0x3f, 0xcd, 0x99, 0x23, 0xa2, 0x84, 0x77, 0x0f, 0x02,
0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0x03, 0x01, 0x00, 0x01, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86,
0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x81, 0x81, 0x00, 0x40, 0xf7, 0x0d, 0x01, 0x01, 0x05, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00,
0xb4, 0x94, 0x9a, 0xa8, 0x89, 0x72, 0x1d, 0x07, 0xe5, 0xb3, 0x6b, 0x88, 0x32, 0xe0, 0x3c, 0x6e, 0x21, 0xe6, 0xa6, 0xf4, 0xb8, 0x10, 0x9f, 0x8a,
0x21, 0xc2, 0x38, 0x36, 0x9e, 0x7a, 0x8c, 0x49, 0x48, 0x68, 0x0c, 0x06, 0xe6, 0x0b, 0x84, 0x4e, 0x2c, 0xe5, 0x14, 0xca, 0x56, 0x81, 0x3f, 0xc0,
0xe8, 0xdb, 0x1f, 0x4e, 0x05, 0xe6, 0x31, 0xe3, 0xfd, 0xe6, 0x0d, 0x6b, 0x2c, 0xa3, 0x39, 0x89, 0x24, 0xce, 0xaf, 0x47, 0x2e, 0x19, 0x62, 0xb2,
0xd8, 0x13, 0x17, 0xe0, 0x2d, 0x0d, 0xb8, 0x7e, 0xcb, 0x20, 0x6c, 0xa8, 0xe4, 0x76, 0x91, 0x25, 0xbc, 0xe1, 0xa8, 0xee, 0x6a, 0x68, 0x3a, 0x77,
0x73, 0xa7, 0xfd, 0xe3, 0xa7, 0xfa, 0xf3, 0x02, 0x60, 0x78, 0x1f, 0x13, 0xb9, 0xb2, 0x62, 0x97, 0x0c, 0x25, 0x3c, 0x5e, 0x13, 0x48, 0x87, 0x80,
0x40, 0x45, 0xee, 0x75, 0xf5, 0x10, 0xfd, 0x8f, 0x68, 0x74, 0xd4, 0xac, 0xa3, 0x91, 0xd9, 0x2e, 0xe6, 0x92, 0x2b, 0x1c, 0x52, 0x24, 0xb1, 0x77,
0xae, 0x04, 0x09, 0x55, 0x2c, 0xdb, 0xd8, 0x07, 0x07, 0x65, 0x69, 0x27, 0xc6, 0xf6, 0xde, 0xd8, 0x9b, 0xd9, 0x57, 0x37, 0x56, 0x68, 0x17, 0x32,
0x6e, 0xbf, 0x5e, 0x61, 0x40, 0x56, 0x8b, 0xd7, 0x33, 0x3b, 0xff, 0x6e, 0x66, 0x01, 0x08, 0x38, 0x08, 0x9a, 0xc1, 0x8c, 0x5e, 0x3f, 0xe7, 0xc9,
0x53, 0x7e, 0x9d, 0x3f, 0xc0, 0x40, 0x3a, 0xab, 0xa0, 0x50, 0x4e, 0x80, 0x44, 0xcb, 0x62, 0xb9, 0x48, 0xc7, 0x89, 0xa6, 0xff, 0x8e, 0x7d, 0x3d,
0x47, 0x46, 0x0d, 0x1e, 0xdb, 0x4c, 0xf1, 0x1b, 0x5d, 0x3c, 0x2a, 0x54, 0xe1, 0x46, 0x32, 0x9c, 0x13, 0x06, 0x9a, 0xd1, 0x17, 0xab, 0x3f, 0xa9,
0xa7, 0x4d, 0xfa, 0x7b, 0x72, 0x66, 0xc5 0x90, 0x04, 0x33, 0x2d, 0x3f, 0x81, 0x0a, 0xa5, 0x55, 0xce, 0xb6, 0x95,
0x54, 0xad, 0xf1, 0x4f, 0xa2, 0xca, 0xc3, 0xf6, 0x25, 0x7b, 0x71, 0xd2,
0x68, 0x85, 0xe9, 0x72, 0xb6, 0x99, 0x34, 0x6d, 0xe5, 0x5f, 0xf6, 0x74,
0x1c, 0xb9, 0xa2, 0xda, 0x2b, 0x04, 0xff, 0x82, 0xc5, 0x09, 0x04, 0xc4,
0xba, 0xbc, 0x82, 0x3e, 0xb4, 0x72, 0x18, 0x8e, 0x30, 0x68, 0x48, 0x4a,
0x0d, 0xa7, 0x3d, 0xb5, 0xf4, 0x42, 0x3a, 0x97, 0x60, 0x7d, 0xa8, 0x61,
0x8a, 0x9e, 0x98, 0xc4, 0x7e, 0x65, 0x99, 0xea, 0x7e, 0xca, 0x75, 0xe7,
0xdb, 0x21, 0x5d, 0xce, 0x7c, 0x66, 0x3d, 0x7e, 0xdc, 0x14, 0xfe, 0x55,
0x04, 0x97, 0xa8, 0x64, 0x12, 0xb4, 0xb5, 0x30, 0x48, 0x72, 0xbc, 0xdb,
0xeb, 0x5b, 0x4f, 0xa6, 0xfb, 0x87, 0x01, 0x41, 0x91, 0xec, 0x98, 0x98,
0xf1, 0x4b, 0x38, 0xa2, 0x40, 0xf1, 0x05, 0x90, 0xbb, 0x9b, 0x5d, 0x96,
0xb1, 0x22, 0x6b, 0x50
}; };
unsigned int default_certificate_len = 475; unsigned int default_certificate_len = 604;

54
ssl/crypto_misc.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007-2015, Cameron Rich * Copyright (c) 2007-2017, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -39,6 +39,7 @@
extern "C" { extern "C" {
#endif #endif
#include <stdbool.h>
#include "crypto.h" #include "crypto.h"
#include "bigint.h" #include "bigint.h"
@ -56,14 +57,33 @@ extern "C" {
#define X509_VFY_ERROR_UNSUPPORTED_DIGEST -8 #define X509_VFY_ERROR_UNSUPPORTED_DIGEST -8
#define X509_INVALID_PRIV_KEY -9 #define X509_INVALID_PRIV_KEY -9
#define X509_MAX_CERTS -10 #define X509_MAX_CERTS -10
#define X509_VFY_ERROR_BASIC_CONSTRAINT -11
/* /*
* The Distinguished Name * The Distinguished Name
*/ */
#define X509_NUM_DN_TYPES 3 #define X509_NUM_DN_TYPES 6
#define X509_COMMON_NAME 0 #define X509_COMMON_NAME 0
#define X509_ORGANIZATION 1 #define X509_ORGANIZATION 1
#define X509_ORGANIZATIONAL_UNIT 2 #define X509_ORGANIZATIONAL_UNIT 2
#define X509_LOCATION 3
#define X509_COUNTRY 4
#define X509_STATE 5
/*
* Key Usage bits
*/
#define IS_SET_KEY_USAGE_FLAG(A, B) (A->key_usage & B)
#define KEY_USAGE_DIGITAL_SIGNATURE 0x0080
#define KEY_USAGE_NON_REPUDIATION 0x0040
#define KEY_USAGE_KEY_ENCIPHERMENT 0x0020
#define KEY_USAGE_DATA_ENCIPHERMENT 0x0010
#define KEY_USAGE_KEY_AGREEMENT 0x0008
#define KEY_USAGE_KEY_CERT_SIGN 0x0004
#define KEY_USAGE_CRL_SIGN 0x0002
#define KEY_USAGE_ENCIPHER_ONLY 0x0001
#define KEY_USAGE_DECIPHER_ONLY 0x8000
struct _x509_ctx struct _x509_ctx
{ {
@ -73,10 +93,19 @@ struct _x509_ctx
time_t not_before; time_t not_before;
time_t not_after; time_t not_after;
uint8_t *signature; uint8_t *signature;
uint16_t sig_len;
uint8_t sig_type;
RSA_CTX *rsa_ctx; RSA_CTX *rsa_ctx;
bigint *digest; bigint *digest;
uint16_t sig_len;
uint8_t sig_type;
bool basic_constraint_present;
bool basic_constraint_is_critical;
bool key_usage_present;
bool key_usage_is_critical;
bool subject_alt_name_present;
bool subject_alt_name_is_critical;
bool basic_constraint_cA;
int basic_constraint_pathLenConstraint;
uint32_t key_usage;
struct _x509_ctx *next; struct _x509_ctx *next;
}; };
@ -92,7 +121,8 @@ typedef struct
int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx); int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx);
void x509_free(X509_CTX *x509_ctx); void x509_free(X509_CTX *x509_ctx);
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert); int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert,
int *pathLenConstraint);
#endif #endif
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx); void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx);
@ -102,6 +132,7 @@ const char * x509_display_error(int error);
/************************************************************************** /**************************************************************************
* ASN1 declarations * ASN1 declarations
**************************************************************************/ **************************************************************************/
#define ASN1_BOOLEAN 0x01
#define ASN1_INTEGER 0x02 #define ASN1_INTEGER 0x02
#define ASN1_BIT_STRING 0x03 #define ASN1_BIT_STRING 0x03
#define ASN1_OCTET_STRING 0x04 #define ASN1_OCTET_STRING 0x04
@ -124,7 +155,6 @@ const char * x509_display_error(int error);
#define ASN1_EXPLICIT_TAG 0xa0 #define ASN1_EXPLICIT_TAG 0xa0
#define ASN1_V3_DATA 0xa3 #define ASN1_V3_DATA 0xa3
#define SIG_TYPE_MD2 0x02
#define SIG_TYPE_MD5 0x04 #define SIG_TYPE_MD5 0x04
#define SIG_TYPE_SHA1 0x05 #define SIG_TYPE_SHA1 0x05
#define SIG_TYPE_SHA256 0x0b #define SIG_TYPE_SHA256 0x0b
@ -135,15 +165,21 @@ uint32_t get_asn1_length(const uint8_t *buf, int *offset);
int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx); int asn1_get_private_key(const uint8_t *buf, int len, RSA_CTX **rsa_ctx);
int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type); int asn1_next_obj(const uint8_t *buf, int *offset, int obj_type);
int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type); int asn1_skip_obj(const uint8_t *buf, int *offset, int obj_type);
int asn1_get_int(const uint8_t *buf, int *offset, uint8_t **object); int asn1_get_big_int(const uint8_t *buf, int *offset, uint8_t **object);
int asn1_version(const uint8_t *cert, int *offset, X509_CTX *x509_ctx); int asn1_get_int(const uint8_t *buf, int *offset, int32_t *val);
int asn1_get_bool(const uint8_t *buf, int *offset, bool *val);
int asn1_get_bit_string_as_int(const uint8_t *buf, int *offset, uint32_t *val);
int asn1_version(const uint8_t *cert, int *offset, int *val);
int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx); int asn1_validity(const uint8_t *cert, int *offset, X509_CTX *x509_ctx);
int asn1_name(const uint8_t *cert, int *offset, char *dn[]); int asn1_name(const uint8_t *cert, int *offset, char *dn[]);
int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx); int asn1_public_key(const uint8_t *cert, int *offset, X509_CTX *x509_ctx);
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
int asn1_signature(const uint8_t *cert, int *offset, X509_CTX *x509_ctx); int asn1_signature(const uint8_t *cert, int *offset, X509_CTX *x509_ctx);
int asn1_find_subjectaltname(const uint8_t* cert, int offset);
int asn1_compare_dn(char * const dn1[], char * const dn2[]); int asn1_compare_dn(char * const dn1[], char * const dn2[]);
int asn1_is_subject_alt_name(const uint8_t *cert, int offset);
int asn1_is_basic_constraints(const uint8_t *cert, int offset);
int asn1_is_key_usage(const uint8_t *cert, int offset);
bool asn1_is_critical_ext(const uint8_t *buf, int *offset);
#endif /* CONFIG_SSL_CERT_VERIFICATION */ #endif /* CONFIG_SSL_CERT_VERIFICATION */
int asn1_signature_type(const uint8_t *cert, int asn1_signature_type(const uint8_t *cert,
int *offset, X509_CTX *x509_ctx); int *offset, X509_CTX *x509_ctx);

1
ssl/loader.c
View file

@ -468,7 +468,6 @@ int load_key_certs(SSL_CTX *ssl_ctx)
else if (!(options & SSL_NO_DEFAULT_KEY)) else if (!(options & SSL_NO_DEFAULT_KEY))
{ {
#if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE) #if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE)
static const /* saves a few bytes and RAM */
#include "cert.h" #include "cert.h"
ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CERT, ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CERT,
default_certificate, default_certificate_len, NULL); default_certificate, default_certificate_len, NULL);

6
ssl/p12.c
View file

@ -105,7 +105,7 @@ int pkcs8_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
} }
/* unencrypted key? */ /* unencrypted key? */
if (asn1_get_int(buf, &offset, &version) > 0 && *version == 0) if (asn1_get_big_int(buf, &offset, &version) > 0 && *version == 0)
{ {
ret = p8_add_key(ssl_ctx, buf); ret = p8_add_key(ssl_ctx, buf);
goto error; goto error;
@ -257,7 +257,7 @@ int pkcs12_decode(SSL_CTX *ssl_ctx, SSLObjLoader *ssl_obj, const char *password)
goto error; goto error;
} }
if (asn1_get_int(buf, &offset, &version) < 0 || *version != 3) if (asn1_get_big_int(buf, &offset, &version) < 0 || *version != 3)
{ {
ret = SSL_ERROR_INVALID_VERSION; ret = SSL_ERROR_INVALID_VERSION;
goto error; goto error;
@ -463,7 +463,7 @@ static int get_pbe_params(uint8_t *buf, int *offset,
*salt = &buf[*offset]; *salt = &buf[*offset];
*offset += len; *offset += len;
if ((len = asn1_get_int(buf, offset, &iter)) < 0) if ((len = asn1_get_big_int(buf, offset, &iter)) < 0)
goto error; goto error;
*iterations = 0; *iterations = 0;

102
ssl/private_key.h
View file

@ -1,54 +1,54 @@
unsigned char default_private_key[] = { unsigned char default_private_key[] = {
0x30, 0x82, 0x02, 0x5d, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xcd, 0x30, 0x82, 0x02, 0x5d, 0x02, 0x01, 0x00, 0x02, 0x81, 0x81, 0x00, 0xbd,
0xfd, 0x89, 0x48, 0xbe, 0x36, 0xb9, 0x95, 0x76, 0xd4, 0x13, 0x30, 0x0e, 0x0f, 0xd4, 0x42, 0xa8, 0x74, 0x87, 0x54, 0xaa, 0xb9, 0x3a, 0x1f, 0x8b,
0xbf, 0xb2, 0xed, 0x67, 0x0a, 0xc0, 0x16, 0x3f, 0x51, 0x09, 0x9d, 0x29, 0xce, 0xbd, 0xb7, 0x65, 0xfb, 0x40, 0x3d, 0xd0, 0x11, 0x9a, 0x9c, 0xdc,
0x2f, 0xb2, 0x6d, 0x3f, 0x3e, 0x6c, 0x2f, 0x90, 0x80, 0xa1, 0x71, 0xdf, 0x82, 0x7c, 0xea, 0xa8, 0x17, 0xe1, 0x74, 0xf3, 0x05, 0x0e, 0x61, 0xc1,
0xbe, 0x38, 0xc5, 0xcb, 0xa9, 0x9a, 0x40, 0x14, 0x90, 0x0a, 0xf9, 0xb7, 0xc1, 0x78, 0x8a, 0xb2, 0xba, 0x15, 0x22, 0x5a, 0xff, 0x9b, 0xb8, 0x7a,
0x07, 0x0b, 0xe1, 0xda, 0xe7, 0x09, 0xbf, 0x0d, 0x57, 0x41, 0x86, 0x60, 0x2e, 0x0f, 0x88, 0xb7, 0x74, 0xde, 0x04, 0x99, 0xa5, 0xa2, 0x99, 0x53,
0xa1, 0xc1, 0x27, 0x91, 0x5b, 0x0a, 0x98, 0x46, 0x1b, 0xf6, 0xa2, 0x84, 0x8b, 0xad, 0x78, 0x5a, 0x31, 0xed, 0xbc, 0x01, 0xe7, 0xdf, 0xe9, 0xec,
0xf8, 0x65, 0xc7, 0xce, 0x2d, 0x96, 0x17, 0xaa, 0x91, 0xf8, 0x61, 0x04, 0x2f, 0xa0, 0x5d, 0x53, 0xf6, 0xe6, 0x8a, 0xa0, 0xc8, 0x6d, 0x41, 0x45,
0x50, 0x70, 0xeb, 0xb4, 0x43, 0xb7, 0xdc, 0x9a, 0xcc, 0x31, 0x01, 0x14, 0x63, 0x23, 0xb3, 0xcf, 0x4e, 0x50, 0x1f, 0x28, 0xdf, 0x36, 0xe2, 0x73,
0xd4, 0xcd, 0xcc, 0xc2, 0x37, 0x6d, 0x69, 0x82, 0xd6, 0xc6, 0xc4, 0xbe, 0xdf, 0xd6, 0xa1, 0xb3, 0x46, 0x4f, 0x6e, 0xbb, 0x0d, 0x9b, 0xef, 0xa8,
0xf2, 0x34, 0xa5, 0xc9, 0xa6, 0x19, 0x53, 0x32, 0x7a, 0x86, 0x0e, 0x91, 0xf9, 0x4c, 0xa5, 0x71, 0xa1, 0x88, 0xdd, 0x07, 0xa9, 0x86, 0x0d, 0x3f,
0x82, 0x0f, 0xa1, 0x42, 0x54, 0xaa, 0x01, 0x02, 0x03, 0x01, 0x00, 0x01, 0xcd, 0x99, 0x23, 0xa2, 0x84, 0x77, 0x0f, 0x02, 0x03, 0x01, 0x00, 0x01,
0x02, 0x81, 0x81, 0x00, 0x95, 0xaa, 0x6e, 0x11, 0xf5, 0x6a, 0x8b, 0xa2, 0x02, 0x81, 0x80, 0x26, 0x3f, 0xec, 0x96, 0xab, 0xd4, 0x1f, 0x89, 0x0e,
0xc6, 0x48, 0xc6, 0x7c, 0x37, 0x6b, 0x1f, 0x55, 0x10, 0x76, 0x26, 0x24, 0x9d, 0x38, 0xd8, 0x27, 0x05, 0xe5, 0xb6, 0x14, 0x08, 0xd7, 0xff, 0x69,
0xc3, 0xf2, 0x5c, 0x5a, 0xdd, 0x2e, 0xf3, 0xa4, 0x1e, 0xbc, 0x7b, 0x1c, 0x78, 0x16, 0x4a, 0xc4, 0x06, 0x16, 0x55, 0xb7, 0x3a, 0x55, 0x9f, 0xbe,
0x80, 0x10, 0x85, 0xbc, 0xd8, 0x45, 0x3c, 0xb8, 0xb2, 0x06, 0x53, 0xb5, 0x86, 0xf8, 0x58, 0xe8, 0xc5, 0x46, 0xa8, 0xf0, 0xed, 0xda, 0xd6, 0xbf,
0xd5, 0x7a, 0xe7, 0x0e, 0x92, 0xe6, 0x42, 0xc2, 0xe2, 0x2a, 0xd5, 0xd1, 0x88, 0x55, 0x2d, 0xe6, 0x72, 0x29, 0x2c, 0x64, 0xc9, 0x5d, 0x1d, 0x9b,
0x03, 0x9f, 0x6f, 0x53, 0x74, 0x68, 0x72, 0x8e, 0xbf, 0x03, 0xbb, 0xab, 0x24, 0x3a, 0x98, 0x40, 0xa1, 0xd2, 0xaf, 0x5c, 0xab, 0x23, 0xe4, 0x33,
0xbd, 0xa1, 0xf9, 0x81, 0x7d, 0x12, 0xd4, 0x9d, 0xb6, 0xae, 0x4c, 0xad, 0xd0, 0xea, 0x60, 0x52, 0xe7, 0x7a, 0x9e, 0x73, 0x5f, 0x2e, 0x80, 0xd1,
0xca, 0xa8, 0xc9, 0x80, 0x8d, 0x0d, 0xd5, 0xd0, 0xa1, 0xbf, 0xec, 0x60, 0xdc, 0x6f, 0x47, 0x0f, 0x97, 0x80, 0x36, 0xd2, 0x30, 0x07, 0xdd, 0xd6,
0x48, 0x49, 0xed, 0x97, 0x0f, 0x5e, 0xed, 0xfc, 0x39, 0x15, 0x96, 0x9e, 0xd7, 0x15, 0x89, 0x2b, 0x74, 0xd5, 0x7e, 0x8a, 0xbc, 0x63, 0x42, 0x0a,
0x5d, 0xe2, 0xb4, 0x5d, 0x2e, 0x04, 0xdc, 0x08, 0xa2, 0x65, 0x29, 0x2d, 0xf2, 0x31, 0x29, 0xbf, 0xf9, 0xf9, 0xf0, 0x88, 0x8f, 0x8a, 0xc2, 0x22,
0x37, 0xfb, 0x62, 0x90, 0x1b, 0x7b, 0xe5, 0x3a, 0x58, 0x05, 0x55, 0xc1, 0x6e, 0x15, 0x26, 0xb7, 0x5e, 0x5b, 0x58, 0x44, 0x1c, 0x3b, 0x79, 0x02,
0x02, 0x41, 0x00, 0xfc, 0x69, 0x28, 0xc9, 0xa8, 0xc4, 0x5c, 0xe3, 0xd0, 0x41, 0x00, 0xe1, 0xf1, 0xb2, 0xe5, 0xc8, 0x80, 0x93, 0x40, 0x50, 0x74,
0x5e, 0xaa, 0xda, 0xde, 0x87, 0x74, 0xdb, 0xcb, 0x40, 0x78, 0x8e, 0x1d, 0x14, 0xdd, 0xb2, 0xf2, 0x27, 0x5c, 0x0c, 0x3d, 0xc0, 0x5f, 0xee, 0x9c,
0x12, 0x96, 0x16, 0x61, 0x3f, 0xb3, 0x3e, 0xa3, 0x0d, 0xdc, 0x49, 0xa5, 0x45, 0x6c, 0x13, 0x00, 0xdf, 0xd0, 0xd9, 0x83, 0xfa, 0x90, 0x2c, 0x84,
0x25, 0x87, 0xc5, 0x97, 0x85, 0x9d, 0xbb, 0xb4, 0xf0, 0x44, 0xfd, 0x6c, 0xf2, 0xaa, 0xc2, 0xdd, 0xfb, 0xcf, 0x03, 0x41, 0x88, 0x10, 0xc6, 0xbb,
0xe8, 0xd2, 0x8c, 0xec, 0x33, 0x81, 0x46, 0x1e, 0x10, 0x12, 0x33, 0x16, 0x5e, 0xb7, 0xb6, 0x2e, 0xa6, 0x1d, 0xaa, 0xba, 0xfb, 0x4a, 0x72, 0xd8,
0x95, 0x00, 0x4f, 0x75, 0xb4, 0xe5, 0x79, 0x02, 0x41, 0x00, 0xd0, 0xeb, 0x9a, 0xad, 0x88, 0x0d, 0x6a, 0x15, 0x02, 0x41, 0x00, 0xd6, 0x36, 0x23,
0x65, 0x07, 0x10, 0x3b, 0xd9, 0x03, 0xeb, 0xdc, 0x6f, 0x4b, 0x8f, 0xc3, 0xf3, 0x5d, 0x77, 0xc8, 0xd3, 0x49, 0xc1, 0x93, 0xfe, 0xca, 0x0d, 0xeb,
0x87, 0xce, 0x76, 0xd6, 0xc5, 0x14, 0x21, 0x4e, 0xe7, 0x4f, 0x1b, 0xe8, 0x9b, 0xda, 0xbd, 0x47, 0x28, 0x73, 0x97, 0xa0, 0x50, 0xd7, 0x4c, 0x24,
0x05, 0xf8, 0x84, 0x1a, 0xe0, 0xc5, 0xd6, 0xe3, 0x08, 0xb3, 0x54, 0x57, 0xdf, 0x9b, 0x0b, 0x37, 0xae, 0xc3, 0x31, 0xb5, 0x4f, 0x62, 0x08, 0xca,
0x02, 0x1f, 0xd4, 0xd9, 0xfb, 0xff, 0x40, 0xb1, 0x56, 0x1c, 0x60, 0xf7, 0xe5, 0xef, 0x97, 0x7b, 0x43, 0xa0, 0xda, 0x2b, 0x1f, 0xbf, 0xa8, 0x08,
0xac, 0x91, 0xf3, 0xd3, 0xc6, 0x7f, 0x84, 0xfd, 0x84, 0x9d, 0xea, 0x26, 0x93, 0xd2, 0x16, 0x1c, 0x89, 0x99, 0xf1, 0xdf, 0x26, 0xd1, 0x42, 0x99,
0xee, 0xc9, 0x02, 0x41, 0x00, 0xa6, 0xcf, 0x1c, 0x6c, 0x81, 0x03, 0x1c, 0x93, 0x02, 0x41, 0x00, 0xb1, 0x41, 0xe4, 0x7e, 0xdf, 0x20, 0xf7, 0xe4,
0x5c, 0x56, 0x05, 0x6a, 0x26, 0x70, 0xef, 0xd6, 0x13, 0xb7, 0x74, 0x28, 0xf1, 0xf9, 0x4f, 0xd1, 0x6a, 0x2d, 0x0d, 0xf1, 0xe9, 0xec, 0x9c, 0x3a,
0xf7, 0xca, 0x50, 0xd1, 0x2d, 0x83, 0x21, 0x64, 0xe4, 0xdd, 0x3f, 0x38, 0xe6, 0xc0, 0x94, 0xba, 0x27, 0xe2, 0x7c, 0xb4, 0xa5, 0xa1, 0x23, 0xf6,
0xb8, 0xd6, 0xd2, 0x41, 0xb3, 0x1c, 0x9a, 0xea, 0x0d, 0xf5, 0xda, 0xdf, 0xed, 0xe6, 0x53, 0x56, 0xe2, 0x50, 0x32, 0xd8, 0x02, 0x8e, 0xeb, 0xc7,
0xcd, 0x17, 0x9f, 0x9a, 0x1e, 0x15, 0xaf, 0x48, 0x1c, 0xbd, 0x9b, 0x63, 0x75, 0x91, 0xd3, 0xca, 0x3e, 0xd4, 0x34, 0x20, 0x7c, 0x2b, 0xfb, 0x2f,
0x5b, 0xad, 0xed, 0xd4, 0xa1, 0xae, 0xa9, 0x59, 0x09, 0x02, 0x40, 0x4e, 0x3a, 0x10, 0x72, 0xb1, 0x07, 0x56, 0xb6, 0xcd, 0x02, 0x40, 0x1e, 0x3b,
0x08, 0xce, 0xa8, 0x8f, 0xc0, 0xba, 0xf3, 0x83, 0x02, 0xc8, 0x33, 0x62, 0xf2, 0x03, 0x0d, 0x74, 0x34, 0xb2, 0x2d, 0xbc, 0xd6, 0xc8, 0xa5, 0x78,
0x14, 0x77, 0xc2, 0x7f, 0x93, 0x02, 0xf3, 0xdc, 0xe9, 0x1a, 0xee, 0xea, 0x25, 0x83, 0x0f, 0xf2, 0x9b, 0x32, 0x88, 0x6e, 0x24, 0x40, 0x84, 0xc2,
0x8e, 0x84, 0xc4, 0x69, 0x9b, 0x9c, 0x7f, 0x69, 0x1f, 0x4e, 0x1d, 0xa5, 0xc8, 0x89, 0x8e, 0xf6, 0x9c, 0x5b, 0x5c, 0x4d, 0x8d, 0xcb, 0xb0, 0x88,
0x90, 0x06, 0x44, 0x1b, 0x7d, 0xfc, 0x69, 0x40, 0x21, 0xbc, 0xf7, 0x46, 0x91, 0x2a, 0xb7, 0x10, 0x68, 0x63, 0x79, 0x36, 0x91, 0xd3, 0x9f, 0x57,
0xa4, 0xdc, 0x39, 0x7b, 0xe8, 0x8b, 0x49, 0x10, 0x44, 0x9d, 0x67, 0x5a, 0x76, 0x2e, 0x76, 0xfe, 0x8b, 0xf4, 0x97, 0xf7, 0xdd, 0x89, 0x3b, 0x0b,
0x91, 0x86, 0x39, 0x02, 0x40, 0x41, 0x2c, 0x4e, 0xfe, 0xd9, 0x90, 0x89, 0xed, 0x65, 0x02, 0x41, 0x00, 0xb9, 0xaf, 0xbf, 0x09, 0xc9, 0x90, 0x26,
0x00, 0x5c, 0x94, 0x0a, 0x4a, 0x7e, 0x1b, 0x1a, 0x80, 0x06, 0x01, 0x37, 0xf3, 0x72, 0x8b, 0xbf, 0xb3, 0x7c, 0xe7, 0x6f, 0x6f, 0x5b, 0xa3, 0x95,
0xda, 0x50, 0x61, 0x9d, 0x9c, 0xfe, 0x25, 0x7f, 0xd8, 0xd4, 0xc4, 0x9e, 0xb8, 0x9e, 0x03, 0xb9, 0xcf, 0xa0, 0x53, 0xba, 0x32, 0xc1, 0xd3, 0xad,
0x81, 0xf2, 0x0c, 0x1e, 0x38, 0x21, 0x1e, 0x90, 0x3f, 0xd4, 0xba, 0x6c, 0x85, 0xbb, 0x79, 0x48, 0x09, 0xd6, 0x3f, 0x9c, 0xd9, 0x37, 0x91, 0x11,
0x53, 0xcb, 0xf0, 0x77, 0x79, 0x9b, 0xf1, 0xfa, 0x3f, 0x81, 0xdc, 0xf3, 0x0d, 0x04, 0xd5, 0x3b, 0xca, 0x74, 0x5d, 0x1c, 0x91, 0x8d, 0x3d, 0xf1,
0x21, 0x02, 0x6d, 0xb7, 0x95, 0xc3, 0x2e, 0xce, 0xd5 0xf8, 0xf9, 0xbe, 0x35, 0xd7, 0xb2, 0x53, 0x50, 0x1d
}; };
unsigned int default_private_key_len = 609; unsigned int default_private_key_len = 609;

57
ssl/ssl.h
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -90,13 +90,16 @@ extern "C" {
#define SSL_ERROR_DEAD -2 #define SSL_ERROR_DEAD -2
#define SSL_CLOSE_NOTIFY -3 #define SSL_CLOSE_NOTIFY -3
#define SSL_ERROR_CONN_LOST -256 #define SSL_ERROR_CONN_LOST -256
#define SSL_ERROR_RECORD_OVERFLOW -257
#define SSL_ERROR_SOCK_SETUP_FAILURE -258 #define SSL_ERROR_SOCK_SETUP_FAILURE -258
#define SSL_ERROR_INVALID_HANDSHAKE -260 #define SSL_ERROR_INVALID_HANDSHAKE -260
#define SSL_ERROR_INVALID_PROT_MSG -261 #define SSL_ERROR_INVALID_PROT_MSG -261
#define SSL_ERROR_INVALID_HMAC -262 #define SSL_ERROR_INVALID_HMAC -262
#define SSL_ERROR_INVALID_VERSION -263 #define SSL_ERROR_INVALID_VERSION -263
#define SSL_ERROR_UNSUPPORTED_EXTENSION -264
#define SSL_ERROR_INVALID_SESSION -265 #define SSL_ERROR_INVALID_SESSION -265
#define SSL_ERROR_NO_CIPHER -266 #define SSL_ERROR_NO_CIPHER -266
#define SSL_ERROR_INVALID_CERT_HASH_ALG -267
#define SSL_ERROR_BAD_CERTIFICATE -268 #define SSL_ERROR_BAD_CERTIFICATE -268
#define SSL_ERROR_INVALID_KEY -269 #define SSL_ERROR_INVALID_KEY -269
#define SSL_ERROR_FINISHED_INVALID -271 #define SSL_ERROR_FINISHED_INVALID -271
@ -114,19 +117,25 @@ extern "C" {
#define SSL_ALERT_CLOSE_NOTIFY 0 #define SSL_ALERT_CLOSE_NOTIFY 0
#define SSL_ALERT_UNEXPECTED_MESSAGE 10 #define SSL_ALERT_UNEXPECTED_MESSAGE 10
#define SSL_ALERT_BAD_RECORD_MAC 20 #define SSL_ALERT_BAD_RECORD_MAC 20
#define SSL_ALERT_RECORD_OVERFLOW 22
#define SSL_ALERT_HANDSHAKE_FAILURE 40 #define SSL_ALERT_HANDSHAKE_FAILURE 40
#define SSL_ALERT_BAD_CERTIFICATE 42 #define SSL_ALERT_BAD_CERTIFICATE 42
#define SSL_ALERT_UNSUPPORTED_CERTIFICATE 43
#define SSL_ALERT_CERTIFICATE_EXPIRED 45
#define SSL_ALERT_CERTIFICATE_UNKNOWN 46
#define SSL_ALERT_ILLEGAL_PARAMETER 47 #define SSL_ALERT_ILLEGAL_PARAMETER 47
#define SSL_ALERT_UNKNOWN_CA 48
#define SSL_ALERT_DECODE_ERROR 50 #define SSL_ALERT_DECODE_ERROR 50
#define SSL_ALERT_DECRYPT_ERROR 51 #define SSL_ALERT_DECRYPT_ERROR 51
#define SSL_ALERT_INVALID_VERSION 70 #define SSL_ALERT_INVALID_VERSION 70
#define SSL_ALERT_NO_RENEGOTIATION 100 #define SSL_ALERT_NO_RENEGOTIATION 100
#define SSL_ALERT_UNSUPPORTED_EXTENSION 110
/* The ciphers that are supported */ /* The ciphers that are supported */
#define SSL_AES128_SHA 0x2f #define SSL_AES128_SHA 0x2f
#define SSL_AES256_SHA 0x35 #define SSL_AES256_SHA 0x35
#define SSL_RC4_128_SHA 0x05 #define SSL_AES128_SHA256 0x3c
#define SSL_RC4_128_MD5 0x04 #define SSL_AES256_SHA256 0x3d
/* build mode ids' */ /* build mode ids' */
#define SSL_BUILD_SKELETON_MODE 0x01 #define SSL_BUILD_SKELETON_MODE 0x01
@ -149,9 +158,15 @@ extern "C" {
#define SSL_X509_CERT_COMMON_NAME 0 #define SSL_X509_CERT_COMMON_NAME 0
#define SSL_X509_CERT_ORGANIZATION 1 #define SSL_X509_CERT_ORGANIZATION 1
#define SSL_X509_CERT_ORGANIZATIONAL_NAME 2 #define SSL_X509_CERT_ORGANIZATIONAL_NAME 2
#define SSL_X509_CA_CERT_COMMON_NAME 3 #define SSL_X509_CERT_LOCATION 3
#define SSL_X509_CA_CERT_ORGANIZATION 4 #define SSL_X509_CERT_COUNTRY 4
#define SSL_X509_CA_CERT_ORGANIZATIONAL_NAME 5 #define SSL_X509_CERT_STATE 5
#define SSL_X509_CA_CERT_COMMON_NAME 6
#define SSL_X509_CA_CERT_ORGANIZATION 7
#define SSL_X509_CA_CERT_ORGANIZATIONAL_NAME 8
#define SSL_X509_CA_CERT_LOCATION 9
#define SSL_X509_CA_CERT_COUNTRY 10
#define SSL_X509_CA_CERT_STATE 11
/* SSL object loader types */ /* SSL object loader types */
#define SSL_OBJ_X509_CERT 1 #define SSL_OBJ_X509_CERT 1
@ -215,6 +230,22 @@ EXP_FUNC SSL_CTX * STDCALL ssl_ctx_new(uint32_t options, int num_sessions);
*/ */
EXP_FUNC void STDCALL ssl_ctx_free(SSL_CTX *ssl_ctx); EXP_FUNC void STDCALL ssl_ctx_free(SSL_CTX *ssl_ctx);
/**
* @brief Allocates new SSL extensions structure and returns pointer to it
*
* @return ssl_ext Pointer to SSL_EXTENSIONS structure
*
*/
EXP_FUNC SSL_EXTENSIONS * STDCALL ssl_ext_new(void);
/**
* @brief Frees SSL extensions structure
*
* @param ssl_ext [in] Pointer to SSL_EXTENSION structure
*
*/
EXP_FUNC void STDCALL ssl_ext_free(SSL_EXTENSIONS *ssl_ext);
/** /**
* @brief (server only) Establish a new SSL connection to an SSL client. * @brief (server only) Establish a new SSL connection to an SSL client.
* *
@ -241,10 +272,12 @@ EXP_FUNC SSL * STDCALL ssl_server_new(SSL_CTX *ssl_ctx, int client_fd);
* can be null if no session resumption is being used or required. This option * can be null if no session resumption is being used or required. This option
* is not used in skeleton mode. * is not used in skeleton mode.
* @param sess_id_size The size of the session id (max 32) * @param sess_id_size The size of the session id (max 32)
* @param ssl_ext pointer to a structure with the activated SSL extensions
* and their values
* @return An SSL object reference. Use ssl_handshake_status() to check * @return An SSL object reference. Use ssl_handshake_status() to check
* if a handshake succeeded. * if a handshake succeeded.
*/ */
EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size); EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext);
/** /**
* @brief Free any used resources on this connection. * @brief Free any used resources on this connection.
@ -323,8 +356,8 @@ EXP_FUNC uint8_t STDCALL ssl_get_session_id_size(const SSL *ssl);
* @return The cipher id. This will be one of the following: * @return The cipher id. This will be one of the following:
* - SSL_AES128_SHA (0x2f) * - SSL_AES128_SHA (0x2f)
* - SSL_AES256_SHA (0x35) * - SSL_AES256_SHA (0x35)
* - SSL_RC4_128_SHA (0x05) * - SSL_AES128_SHA256 (0x3c)
* - SSL_RC4_128_MD5 (0x04) * - SSL_AES256_SHA256 (0x3d)
*/ */
EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(const SSL *ssl); EXP_FUNC uint8_t STDCALL ssl_get_cipher_id(const SSL *ssl);
@ -385,9 +418,15 @@ EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl);
* - SSL_X509_CERT_COMMON_NAME * - SSL_X509_CERT_COMMON_NAME
* - SSL_X509_CERT_ORGANIZATION * - SSL_X509_CERT_ORGANIZATION
* - SSL_X509_CERT_ORGANIZATIONAL_NAME * - SSL_X509_CERT_ORGANIZATIONAL_NAME
* - SSL_X509_CERT_LOCATION
* - SSL_X509_CERT_COUNTRY
* - SSL_X509_CERT_STATE
* - SSL_X509_CA_CERT_COMMON_NAME * - SSL_X509_CA_CERT_COMMON_NAME
* - SSL_X509_CA_CERT_ORGANIZATION * - SSL_X509_CA_CERT_ORGANIZATION
* - SSL_X509_CA_CERT_ORGANIZATIONAL_NAME * - SSL_X509_CA_CERT_ORGANIZATIONAL_NAME
* - SSL_X509_CA_CERT_LOCATION
* - SSL_X509_CA_CERT_COUNTRY
* - SSL_X509_CA_CERT_STATE
* @return The appropriate string (or null if not defined) * @return The appropriate string (or null if not defined)
* @note Verification build mode must be enabled. * @note Verification build mode must be enabled.
*/ */

38
ssl/test/axTLS.ca_key.pem
View file

@ -1,15 +1,27 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCfxX6VHEhZNsMIqPPxt53h1UpfX1jU7ctqwBR4dpWRj3H6cCBN MIIEpAIBAAKCAQEAsSMwkpYHlwIsi1oxllJLjAPjjycx9t6Q3BOzXBSoZHc1wA+r
EK8xj7IVcBTJq6vcMRDwrAUrElSIZl8Kv6+ZqhTss2j+E2tfzkzehP9LcAdAR+UM QVuKHarpe8tYOKlNP8b79ejbCv/1U3NlVkMJJtLZUPtDwTEwUZNEG17ixS438mGI
JPBsYXic/+vmH5JCMO7CXLUsDJmO2q2Z1TjTtchu2DgAueTo0hWRtMvbMwIDAQAB 1AbHXvwhPaoT24UymEOcbJxAZuClDfzKpN7Cl6OzN7Ox44gHmBCBSnUhRAnJYxD6
AoGARYOF+ZZenAJJhSENUiPTm4hTXX98hNgZYw7DWU4u8S/6JT5Xr3AM6YFduBoV x8wBLw8HdH0bMdoc2+H4KyW31uMGva7C9YlUCPVQGPJsTP1DLRskqy+zO1NERUTO
0VDR63GlrzEI5p6JDPeNbn3MBl14ZNZVOOkzenxsCsymCHKhickxR8VlRoN26Xpb XytHeYLlh/X/o+NYVvUf7WKu6qC3I4HK+OZ5OW3E+EaE73oYRmUVDaVavL7bRKEf
OcMxsnEOJ8zh0F97Re8bsE7OQhk4Z7KtArby2jY1bpSqkRECQQDQ0D9lIq0oINaS 2NSbzowU+VsFEnyXIF7YnRFp0D1yrMzaC49bDQIDAQABAoIBAQCwOrNLUunwKaCJ
Uezmj/eSlmRjUwF+Vx8t16Yu8mD8CJZUVBEhDn/Xo2GWlkFgbWUoAPanr8zAwKJX b00gIXW5sfDGbhc+ZUU3Pn5V4NN7SEJ4dt5JYrnxNCWgHLkDfiQ1jFEF4QlzUx0O
6gImgMVPAkEAw+AxIgMqxs0GmsiesQMPe3Rf5kRId7ApFdhCq15J4URGOTdnyIUj TiMGhCDpuCGueJx66uYIcnvywx7XT1kn0jNfxfK6JBsqDzg8ULL6W2GXiIhmEZ8E
LBzJpGSiQFb/Fkt5dGrsDzawFd7hlBCa3QJAcWJCqiX0JDAAkx8NJfzSj7Q9+njd YHh3OIvec2WMyED1flMXzWvj2M4ksfMgZH290T9BSxzlEj9X7dZu55K4sFtu0XNi
/L5N3dSVFjTiWLhI+K1VR7/ZxzueB+i6wyNjpB8xz8fzxE5VWKtmU4XknQJBAKW+ 7uJDB0vF8KfW5gLpwj6pd7i32Cm/Pgpl+7lcqMNpDHo0U2dMyWeH1EmWinS4rHxd
K/UK1wR3cnJA9j70RwKA27D98JAOaQWKBAf79en+mqlJn7EGL1fhWCKZ4M0ukBSu mGDm0N0qK4BOYAJdasq7HwRjzDZkAPuNqcH0gOzSq3aYCI2tP2E6IvprM/vbqA4I
cqw22V6aOO+YtCpUzqUCQQCapy9lw3tDuCAljW8H3p9ce/+wuK1FTnF0TCalgHQp ooo+GDJhAoGBAORiphxweuGBRTpSqoi9qEICM2WMC2NZW8bpFyWn79CuALGzvvc+
kn4btRLmj0josAj4lRrzi2uaYfwq39h9OIuy7ES7YKcv Buw8W3LVElByUyTVWBnBQQ1iXZGe9f1x2P9q8R1Bdl0rpePg3J9ff9674VRLrcov
M85/NUHkj1fJ+2CkCx7KG5BFm3GaAb74e+7MceEW/eErMmCqtNgkR2Z5AoGBAMaO
O9SnVNd4wgnJAjVgN4fqaXWNzZz6NYWtnFVIcTTO7vU1P9t5NjgcsdF9+SnLA/jV
Ylo5Pl0fLPKg5QtIvlooZjXB8hgKVjrVGRLFt9TN0tJMeJ//11Bo88MNMOf0OQPg
i2OMWI3w/oRFJthmpeYWOgXNlLOcoSW1LsnWR0Q1AoGBALAXi+KTq3tiM+FzSb/j
E+/JSJ28bC9u/7+Pi2RiZxrsfuaFI/H4ZlgRdaVFujhC3e6hfKtnAWRzepfEDAEd
neXaLAyVo9DUzbS1dQaBGNPA400eiOJCoNxP4t1qgEd9GhB6i4Ry6uvDb8YYq832
Q4BtLEUUeC38I3y7QnMBDfhpAoGAZ13InA54xqvhKELy2WK7xhAs0rv93MkNcAhP
qL5L4RgRoqoUEmfp6BBYKh2Qx0cfTD2aNCo04znFppJIazV1k24Qt8+9/vHyrjIe
GX3BFBIKvNx+t5zzNLNOo66MVVT5EaGmLy7zMwHRHn75mBLoLv5HOpop3c+evQiz
0POyqjkCgYA2+ql0jS7Qbk7EPyFXftQhHcD/Ld8TKjonShkASoudSEHKwuQGBuit
ftPsg/E5YfhlRpQB6p00kXb4vZsdpFV38eXkyLuLwg0kbpaLedahIujIENNvWP1w
89T/ueiafWPqvwu3M7sAkkd/ReAQ0LcPwrsBHlOk0uujq+WV+b+Xfw==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.ca_x509.cer
View file

Binary file not shown.

28
ssl/test/axTLS.ca_x509.pem
View file

@ -1,13 +1,19 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIB3zCCAUgCCQD76Ccq3Co3qjANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh MIIDDjCCAfagAwIBAgIJAORglrABpAToMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNV
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMDEy BAoTKWF4VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
MjYyMjMzMzdaFw0yNDA5MDMyMjMzMzdaMDQxMjAwBgNVBAoTKWF4VExTIFByb2pl DTE2MTIzMDIxMDQyN1oXDTMwMDkwODIxMDQyN1owNDEyMDAGA1UEChMpYXhUTFMg
Y3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUA UHJvamVjdCBEb2RneSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
A4GNADCBiQKBgQCfxX6VHEhZNsMIqPPxt53h1UpfX1jU7ctqwBR4dpWRj3H6cCBN DQEBAQUAA4IBDwAwggEKAoIBAQCxIzCSlgeXAiyLWjGWUkuMA+OPJzH23pDcE7Nc
EK8xj7IVcBTJq6vcMRDwrAUrElSIZl8Kv6+ZqhTss2j+E2tfzkzehP9LcAdAR+UM FKhkdzXAD6tBW4odqul7y1g4qU0/xvv16NsK//VTc2VWQwkm0tlQ+0PBMTBRk0Qb
JPBsYXic/+vmH5JCMO7CXLUsDJmO2q2Z1TjTtchu2DgAueTo0hWRtMvbMwIDAQAB XuLFLjfyYYjUBsde/CE9qhPbhTKYQ5xsnEBm4KUN/Mqk3sKXo7M3s7HjiAeYEIFK
MA0GCSqGSIb3DQEBBQUAA4GBABoJU0aQMTocVLNbcY4tbfqLck2oAn/OVjG0p/8p dSFECcljEPrHzAEvDwd0fRsx2hzb4fgrJbfW4wa9rsL1iVQI9VAY8mxM/UMtGySr
GIJzlVKOtZ76ZkqHIbcXNKNlgjXy+4S3R+6+mkYcn0JVbVg7eN0tsDlMB04YyFaD L7M7U0RFRM5fK0d5guWH9f+j41hW9R/tYq7qoLcjgcr45nk5bcT4RoTvehhGZRUN
95D47KEzmDky4Yj2nqI4SmvVTf2lyYxV1zknrFUXND+WvjGxge3gpJxtMoTGE5E0 pVq8vttEoR/Y1JvOjBT5WwUSfJcgXtidEWnQPXKszNoLj1sNAgMBAAGjIzAhMA8G
Jc3F A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA4IB
AQByY8+gtxSKO5ASYKArY8Sb4xJw0MNwsosARm17sT/8UTerS9CssUQXkW4LaU3T
SzFVxRUz9O+74yu87W58IaxGNq80quFkOfpS39eCtbqD2e4Y/JuC30hK/GmhBquD
gVh3z3hD8+DUXq83T1+9zgjCppLeQfaFejbaJSwQ7+K6gJn5JZNiaHVGN1GO6lT6
5W3zqep5zU6a4T5UeZqkYyuzfTBbIkgEga0JzPaCdd5JOrwFR3UNWlICOxr7htDI
FqiTrA0RH2ZNmrmJDcM1pFWlQAPnvDoRLeMpmvWZDnGrWYDzyt0j5G0bIPL7214c
b5kxOvfGlM4E6v+lMSw/HDrI
-----END CERTIFICATE----- -----END CERTIFICATE-----

19
ssl/test/axTLS.ca_x509_sha256.pem Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDDjCCAfagAwIBAgIJAJRCXZlKhZeHMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAoTKWF4VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
DTE2MTIzMDIxMDQyN1oXDTMwMDkwODIxMDQyN1owNDEyMDAGA1UEChMpYXhUTFMg
UHJvamVjdCBEb2RneSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
DQEBAQUAA4IBDwAwggEKAoIBAQCxIzCSlgeXAiyLWjGWUkuMA+OPJzH23pDcE7Nc
FKhkdzXAD6tBW4odqul7y1g4qU0/xvv16NsK//VTc2VWQwkm0tlQ+0PBMTBRk0Qb
XuLFLjfyYYjUBsde/CE9qhPbhTKYQ5xsnEBm4KUN/Mqk3sKXo7M3s7HjiAeYEIFK
dSFECcljEPrHzAEvDwd0fRsx2hzb4fgrJbfW4wa9rsL1iVQI9VAY8mxM/UMtGySr
L7M7U0RFRM5fK0d5guWH9f+j41hW9R/tYq7qoLcjgcr45nk5bcT4RoTvehhGZRUN
pVq8vttEoR/Y1JvOjBT5WwUSfJcgXtidEWnQPXKszNoLj1sNAgMBAAGjIzAhMA8G
A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IB
AQAm3qU+APMkgTRCWhw0m4+06gc2iGaf7l+3i/Kg6EvDB9js4cI1sqzRpSdqdjTZ
BwVlIURlB6BnEMCB3hP69IF/oSnqrnIxx2KIeVJt4CCwW1mXKsBwxNMXwHYD3A02
08eFTRkP0ofn+YBRfUYFkDFebqba4V3NBZtBW497YtQk/ssKAL1xaI0V26M4E/VH
jkJtk99mcMjfuD8HPoqjTeVBGtY2h0A3j2LQPmOJNdSxv30SJuVjvpG7vejQripq
9MW0kPMBIRKhBpUBLIthLLxm/2VBe0IHU34kpe60YpQdJqebbldtOG1Uxe4F2JpN
LfUXs2/UCNpEHS60Xl8UDJXA
-----END CERTIFICATE-----

BIN
ssl/test/axTLS.device_key
View file

Binary file not shown.

15
ssl/test/axTLS.device_key.pem
View file

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICXAIBAAKBgQDH2LDa/QrOXOLHsqLCayRYs74qlWlk9yLTtIJVxumBJNo40TwG
8g+Sq6LhtZBAD7tZaM9XjgIi1iFjc1eKALFaEKpzT5pS9HM0mK48bgwO4DV0gbvC
t1LlwfEC1EkXgoMDumZwF0bpoKldLK9ayp6sXOYe7dcBc8CVjOiqzVCDowIDAQAB
AoGAZ2ap0xS8I5wRxouaBQgUrUSK71ORTalFPs6V5TXfGW/s7RrteRaDkjr2MtyT
f2HkaNV++mlCl629ZsyGDaRgHjPI6skemqbwws4l+QMglXkLQ2ST6xuMqrNlCaKN
Ys0l291VftlS6Bi/C/LD3bwMf6HTGThufchmQ87OvXYtNQkCQQD1jC5jypbk+Ilc
X4aGXaOSsyzrf3QblhPFTsXTIHwV56JNap5D1405LUeH9XvAca+EZyYAg0N/pOXB
rkSXww3PAkEA0Fp8+/zDI00liFOEud2hQ0A/VCqg0+SyCVGvA7AFnuXEURPbMkSB
ktk/x4BBn5DZUJMfOOal/ewbgPNqbClV7QJAPMw31EeeMxWC1VdltLFMxg8NSUYm
looDXTBS9SKu9rGC005Z34xokEaw1m4m9RBxGAR+OVRHCzzmEp22qCkIqwJAWSDM
ZHMs+rXuv1GS7nuLl5wtOxD9OYeUTX4+0uIClYWOpGxNEUTS9QGwUeRgriSlgd1d
ttab3XKaFWCLfvdzxQJBANuWeyBMYnNDBi3j++/NmmKEg9Reiby0dT3wSPe6oJKf
ux9foG8SpLGGnHuJQerD1IkACP+GuaGxWUxsVzPxtns=
-----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.encrypted.p8
View file

Binary file not shown.

23
ssl/test/axTLS.encrypted_pem.p8
View file

@ -1,10 +1,17 @@
-----BEGIN ENCRYPTED PRIVATE KEY----- -----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBezAcBgoqhkiG9w0BDAEBMA4ECEHizqvZwHfYAgIIAASCAVkWuzUFR3hk3vXG MIICnTAcBgoqhkiG9w0BDAEBMA4ECLZOmsNEeDZnAgIIAASCAnu22JX3BRRr9cTr
BoX1ULCIr+Om40+UkD0T/Vxl8zo6Vuvl13vAYqo2eDSNd75yKpYle0gSHn+aVeWZ j4x62+iDbrqcwmhQkybM1xShFgWObY3/OQf1NJfH4DO4zGQN45ZN0X9zSUVRu8Dd
gKYrmpSqXF14CDeBXAd2GRwun9EIAwgkv9AMMPGzCXVTVFM/pLyuLexj283qvZf5 ycHls5qsROJ96PYQ8d1xnuh1C9TWmFiLieM0qUyn35raHcKPQiBl8PYHtNr3+m0K
/7Fe/cizYx/DxtiRw9QUsNWYckt3RAM6i87PTBw8uI7NqEMEkstHT51l5TR85JjL bsql6T23hE5ZjVhbRtcRdRd9MsQeTZ6n4mdWPEhzN1+rmSPV8ybCbrtJl3/Dh1v8
F8ZYSuqv9LH/jkWhoedgID35r+ffjeYV06clebuRJAIcS78LG8833D1SyINlnj4y LnswXB92T6WcmHRyRiNsbAXR9SQkOaXFZ/1RUXDNqoRYZjlWPBWdcQf48mzgaDjq
Ts2NYf2R4CtR0rDJeDCcucDBnzPPIBv4JqsbUGDTMrlFIGJvmL4RuNP3TNIAk9tZ 3RXF1mjbOlX2x4/V4qVwH1qZADlT38fSRk/iVdRfureS+wfOuJgJ/g9Riwa0o41K
FHw2QEBrcv6XNQa8DJwk/162CdDxQG5uWc/Ye4hF5OXzAd6gxKz8u6C3wCq0q3+b 2q+sOEcTOv4rShXRGp/0ckeuwhARDdSMymlSBhgBWdf14qdgxCx0rAXYlRAc/4Ze
PDc9wulGEejbL/lecZ7qT76CqYLupNmCBFAa8idGjAhU3LDwv4ooGF1aWFiGgG4= Zl9ErfydwdUfDJoPK+QlGZMF//hFRF+vdO/wJHleLsels4KaqN9v/sB+BrGWaeUC
ScKMISixquCwfWi2qGiqLQGsxHn0d6ejiMblZR4kTf7dcuWVWGXdf5VZqxLNP8Xg
zzjjeP59OxHRVH0ytGBUejTehcxWDKq+6ESAuujzVXa0v1+5QzZXsJ8rPyZOINzj
bdpN4Cr3tZj9ALrNzoC2oG62+OO45U7lg54cV1nyrQ2QiI4XFnt0WA06K1G1JrRW
a/y6nZkntGybbCpuuIBiWl2FfdcTepctiXcJ0vCYqVNOTT4L2Y1RwajDzALhgb7e
wOy0eA8gmOmMLNozSlMV7siL0LeE1WlotLwK+AHMU1lmPMqS7jK9nycXtZyg4IKl
eBAnW052fnKZhT4zNlfJkZqpcp6YWpCU16PWx6L+/FDzFPzswluHyfB72oVqRniI
2A==
-----END ENCRYPTED PRIVATE KEY----- -----END ENCRYPTED PRIVATE KEY-----

BIN
ssl/test/axTLS.key_1024
View file

Binary file not shown.

26
ssl/test/axTLS.key_1024.pem
View file

@ -1,15 +1,15 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDN/YlIvja5lXbUEzAOv7LtZwrAFj9RCZ0pL7JtPz5sL5CAoXHf MIICXQIBAAKBgQC9D9RCqHSHVKq5Oh+Lzr23ZftAPdARmpzcgnzqqBfhdPMFDmHB
vjjFy6maQBSQCvm3Bwvh2ucJvw1XQYZgocEnkVsKmEYb9qKE+GXHzi2WF6qR+GEE wXiKsroVIlr/m7h6Lg+It3TeBJmloplTi614WjHtvAHn3+nsL6BdU/bmiqDIbUFF
UHDrtEO33JrMMQEU1M3MwjdtaYLWxsS+8jSlyaYZUzJ6hg6Rgg+hQlSqAQIDAQAB YyOzz05QHyjfNuJz39ahs0ZPbrsNm++o+UylcaGI3Qephg0/zZkjooR3DwIDAQAB
AoGBAJWqbhH1aouixkjGfDdrH1UQdiYkw/JcWt0u86QevHscgBCFvNhFPLiyBlO1 AoGAJj/slqvUH4kOnTjYJwXlthQI1/9peBZKxAYWVbc6VZ++hvhY6MVGqPDt2ta/
1XrnDpLmQsLiKtXRA59vU3Roco6/A7urvaH5gX0S1J22rkytyqjJgI0N1dChv+xg iFUt5nIpLGTJXR2bJDqYQKHSr1yrI+Qz0OpgUud6nnNfLoDR3G9HD5eANtIwB93W
SEntlw9e7fw5FZaeXeK0XS4E3AiiZSktN/tikBt75TpYBVXBAkEA/GkoyajEXOPQ 1xWJK3TVfoq8Y0IK8jEpv/n58IiPisIibhUmt15bWEQcO3kCQQDh8bLlyICTQFB0
Xqra3od028tAeI4dEpYWYT+zPqMN3EmlJYfFl4Wdu7TwRP1s6NKM7DOBRh4QEjMW FN2y8idcDD3AX+6cRWwTAN/Q2YP6kCyE8qrC3fvPA0GIEMa7Xre2LqYdqrr7SnLY
lQBPdbTleQJBANDrZQcQO9kD69xvS4/Dh8521sUUIU7nTxvoBfiEGuDF1uMIs1RX mq2IDWoVAkEA1jYj8113yNNJwZP+yg3rm9q9Ryhzl6BQ10wk35sLN67DMbVPYgjK
Ah/U2fv/QLFWHGD3rJHz08Z/hP2Eneom7skCQQCmzxxsgQMcXFYFaiZw79YTt3Qo 5e+Xe0Og2isfv6gIk9IWHImZ8d8m0UKZkwJBALFB5H7fIPfk8flP0WotDfHp7Jw6
98pQ0S2DIWTk3T84uNbSQbMcmuoN9drfzRefmh4Vr0gcvZtjW63t1KGuqVkJAkBO 5sCUuififLSloSP27eZTVuJQMtgCjuvHdZHTyj7UNCB8K/svOhBysQdWts0CQB47
CM6oj8C684MCyDNiFHfCf5MC89zpGu7qjoTEaZucf2kfTh2lkAZEG338aUAhvPdG 8gMNdDSyLbzWyKV4JYMP8psyiG4kQITCyImO9pxbXE2Ny7CIkSq3EGhjeTaR059X
pNw5e+iLSRBEnWdakYY5AkBBLE7+2ZCJAFyUCkp+GxqABgE32lBhnZz+JX/Y1MSe di52/ov0l/fdiTsL7WUCQQC5r78JyZAm83KLv7N8529vW6OVuJ4Duc+gU7oywdOt
gfIMHjghHpA/1LpsU8vwd3mb8fo/gdzzIQJtt5XDLs7V hbt5SAnWP5zZN5ERDQTVO8p0XRyRjT3x+Pm+NdeyU1Ad
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.key_1042
View file

Binary file not shown.

15
ssl/test/axTLS.key_1042.pem
View file

@ -1,15 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIICZwIBAAKBgwNRhe0y5s4OG7KtaFgPt+iYXplAx2O9BJhAgQTN0/Q2xmrprfAz
WTp0wHWGYywZtPmM196fcl2EvazwBDiuKjockPdEJ6A4qv1G3avrYy9YVIx+Vzpf
hsf5sXGychWNboP4UtJ5U95XGkHQFUhC/apIU2tMOVhspT9G0YPH5N+AzfnhAgMB
AAECgYMBqUlbwxTK6UMygx9unofaOJV7MXPgWZs4QWqVphlK9DUHBu9eBcbQvewv
qdRyGniASeMz/yy45qAyOIJUgdR//RU9oaW/J+HZOM4LJRqP12BPmSjujuVd10h4
xRmEt3xCW5JwEIcBWhrMqhlU0QoiX/kT+tv5esBeCglE0yeynOqjtQJCAfUa/zZV
ReqIEH7NaYWHMZ6NOhS35gB15Ka8JDR9avQFJVq0D2NpF1ysohGqorvB0Z19IhHW
9HfYZ4kBOAf856pDAkIBsf8PJGBnBema7096ZLFmykGaTiECDOJH52wLlqnWVr/W
UmlNzC/Dh+WFDwxH5csW7iLciLkNwhFTLltOMEw7owsCQgHOjbgNIFOkdSq80cHY
5v2PfI+jdklSHYENw9eruCWU0Hc1rcYSnnxZKGWF5zvGEtf6Bvr++qu5QMH5fm2J
OhNiXwJCANlis/f5ncEVaTjzq4/iWGV5BMybtgY0FeYydX+LJMShJL505rYfOqbI
baTC9wSAfMTdi2+kmeKagPrYW0rP9JNPAkEwMQ3d0gOzgT6nxG1BCTXOABZKg4Gl
Q7OOtmo+ZZEyjE8q/jfs5YsQi2TTFCpwwgS++LqrFAuXHzJZC3X4hrUNuw==
-----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.key_2048
View file

Binary file not shown.

50
ssl/test/axTLS.key_2048.pem
View file

@ -1,27 +1,27 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEApaC6WCGcPJ25ATSgSfk+BSqhb+CccHwPzd26bJBT4po1RCGa MIIEpAIBAAKCAQEA+Vp2PKclcZoKZ3OicQZNA4XpGZbD96Gasb5E66voMPub7l+y
RxfXrDqNm3/UhBqol3l0bIa3/NHqv2lm3ngM1esJnwmBWTnyBOippSE02hEh5SJi ln6A9CYveBna0i/cQHRCwpYuzzbHQgOjAAw7rcveiIqm8nJMxA8BFNMJCHv0knDl
P+xyo/elmIFiNU8z6OXVGKsi21LX3UmiKoWGvg52Q6Q8TBXUUvKHuze/04cChLyb RT3H28xoTt08Z/MCfCYyOXoVsJOS6BSOSdFVyzhfU6nAie5iskYnmKecmhYaFm94
dTdxsPjm1lTAsQVKAQqwExhSsTTeLpGPAcrWw0ZsnUnC/p5aUYupieUYjVOChmvH S8WWJMNgEvwzPyhdmE4rpqUBHRSu3zPgHUnRRIOfui5KdZGzKpaC+i1Gn58MOC4W
lJ5n/ZGKLWNcq/ZOIoutK5J75aXB5tIra7z+xGJDwXoVkja9W3ZLoWMcuBk+KOO6 L8kguEMDCEkQD6zxFq0PX5GBgu+zVqCFByX7soxZB027FsmJUN6WNoo3hR/H1QV8
zFvpdGW/4Cx+ZHqTfGeYpFWCoi++Xg8yVRaLLQIDAQABAoIBAQCUcALxn1W1oak/ RdXvgMbT00yymEnYVfn9ZL7nXShKI70Pi5Y11QIDAQABAoIBAQDQQBrrgPUmsW3r
olmRUnY6DSXX7ZZm3VkQqIo+Z+82I/xfDjqFQqIA8g0dcqgUqQu1jZ1A8lAMnllj BIowNwDu5lHNizrTf+ZAeBX7dbEP57NNHCN8yN5OCe4vMfis/kfGlNKEzQT/DlLP
qOQPt8nRIi9iQBOT0vHLYnU/0A3c7gPRpkolfhSUTQs1LafFnTEppmmgDShVJd7e 8VWa3pyhA9kw1AumBIvUWmuexrmOmmeiPiNc9sIJ8edTpjWi4zO6F/RuSGYA+N8C
rPJQZ5EF3lIxdwyvJ9U9ba0lpeYefO02GBVobeF/sERK1gOEo+V8H82/6p/X91Ro cNh9EhXDCaujpewlxjArj6fWOHXzwMewghiGCm/fW0rWri5HCQ7ec+WuHPC2KQGQ
jZezh0ATKJd27jhX5f0+PRop9lM16op48biJMAVDyS8+9fcb6V7zpOsbJhL2C91Q mRDpkXUsxWzTIMIsMKe3M2jYD+pk4xkJqN1+OV/APmQfLyshkGD4EN/qG1dieMQ0
CZe6vMpCcp4t5fby1vx9CttnWYEewWyfVkdMuCf4E5hLuqMCYocmQYx9wOebE2b5 e85HxxCxbFETOzip0+pHXMbtxY/ok25/SCdtBXkBUJK1KqAysEZdHtOWmmk4HDaz
eoI194XFAoGBAM6O6mcvpzlTRjKsNG2eKbEkqHBvINWkYUuo7GowLHlXvDoTnrep Dx2PBbKpAoGBAP+BT/WXeVgtOv1idyv9RG34kOJCDaROtVk3g5MNLfj9mIklcwEd
qJ5jtIZ0DIFAYmwoXOcDb0icrGL1gb9KZxW9HPKT+HXGlPf1YSWKY6aKEA/nxach SylhpFxvvrFQAWQIDFPzFkukMs8aIuC0Gm4zxH+8RF45lwhgcXlXP87IiIyW6Bqu
Pcb8iAYeVf9BsYiK2xBOH21eEdG/kDCcjpX3fzlZxqGmZpd+TaM9FKmLAoGBAM1F aglmWAM9UHol3/b2AD1UdpqGe0nvWo0rIqs4pdtGTA5BSSUYeaZXhzFDAoGBAPnW
wXym78pmw8+qp4035j6ZcH0SPbS3Dbj9v+MHuvevZlLhX1kUT/JrNV8ouac4qHjZ GWqDarzSbZM4TWcrx6O+cjLnstxDW+cgSCIrm9iVq2ys+Hn5O03aN9SsklyGxXgo
765QNoRfHEsO3uYqS5E8lss5YuEB9/X+2msWxQS9EvYio+v+rIZfhr/bFNqVafTx ygdGvbYnnPl3ugT139KEiIeUSCBU15WP/NZejpHmtUHduDw1Y6SlBJ9T+p5CSDE+
oacsAXVGFiRBQsV9GtVykFfv4YP8K1UhyCRJAwUnAoGAJvpjE0uzw6aKNZ+3WQQi 2kJoZu1zG7W3eBprZsyqNWtw3Dwc2N+emrF+NF8HAoGBANzErAVFq6if9E+KK/SL
m/Ht8yGVUZtuXMeorTUf/1nmBBOVvNTAI/tuonydq3pJ2F0ZguJsCoi+IwJvFHjm cvwegXmun0DwbUu4ZuzBv45b+NfPzu4QlKgd4TmpqDhnK7x2I8jJyuLy7p/6Mla7
0PxZzRDNLvRlQhFE3r+ppFCjTU0QSESGktkulfD9i2iLJtgFFKOZXJsGw8zhWbsB 5/Z+rnO8hcpwsmqfgozY8Z5HsYzgu46KU77penTaHtZcMYefCZf0ikJ8nrzEnxZJ
UR1eHaVqTTDIZUgJQIeTMZcCgYEAyXkhw3sF+B6NKhJRiaXH8sEfS2LP9cOFUICe RjxxxwWPWRocGQp/emVbTconAoGAUClmFkr8YIGULvyNuWDOubdNpQ+6z/m87zfo
CfLYa6pYQBi8QO5S2ZioNdH/BkXx9UvSl8BbAeloF7Nsy3PP36kcSDL2/em0ull9 bS5Y3vGHA2OshlZ1tNEjwNVuUMndamSMDjGghWXIdDL6OMU7f6yOshHd4qHWWmLM
f4ZFsbTyG2s8gLDiHLE9zKj2+uOTr7pJ846Zj8VOjh8Prk5wO/fJ/MWRDr4+ubwC 2WuVizLfTbb6ejcXNajNBuJHM6hIyaRFG7Gr9NxOM8weeTukzF6ArWyU/aSz4Wxe
eLrAoBkCgYBHwbHMfgouSHD8OEYkSTOd4DVNE8zpUBKiN8mlm8+vmmPEKfuNMlpK bjz0SNkCgYBVC0xdMPauqO1Ie/Gp6SPrIx9+bDDlwEvnDki/2RN7z5IkmBnRFxPy
ZbhhsKpLi4eo3qEr28Z2jVfdnclRGtuN9B5qICj4la8TuoI9AQ5kNP9c3By3swAx 6wqBiMFRxJXI4q3SSSbicb+7TQlK2/Vq/bL6QfjjQM8ZEzpPenYpP/wyMQXdVxfh
ltt7aGTVYI9kuDJ65hkmSdi8IFdCTQY3REsBwvrLd14pWuHcU34XRg== 1GFDTzeiAhXTvBsZVj8R64VNhNaNn4naMlC4hqxaZ2KA0wrjTRKR0g==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.key_4096
View file

Binary file not shown.

98
ssl/test/axTLS.key_4096.pem
View file

@ -1,51 +1,51 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEAo5gChsj+wQBrSNjdaeHZQFNBsrMsgQXT8+5U56Gq2ddnVP7s MIIJJwIBAAKCAgEAwApOo9f0syXI8DmEkP88eHCgZZ8FumcICcqcFe0OywR9UsXU
s9O6SzyKNab45c3+68uDRhlAOk62O63smiDpfc8OvV+cYJkH0HLNSpUMILc61jdW dQhMqKfMLi8Wlco+rNqFcDfsNyAllCDiq89dp/aNj3inCVAoXnaJuiZQ6dX9UtBR
WnxrHRvHQm5Drlkc/s+VCf7YMNybOzKaigddZ1qMI5vtNd1kK3jx9q718T/Wmnj5 VEW9cr/z6RjgrZQ9+MkbOx+MXVd44I8jEWVuW2oK1eQzU+FUb12dj45mTaLpL6Bx
nSwpSK5uV3+KGbkiBubBJtFatsfNkncxq8wIcwrAK8JQMxTWzhV6T4PFm1rcCko8 XcXGC7e2KSeO75iWwitMyGmJQirV8fttUNa6VfKu7isxESz5jaUmuSsMZIl6Hjm/
HlpCtb1+6k1PTVcQmRAGOk7ybzM+txdBYpTSbZiWP7spehs3D5i4WChlGEksR1Ro KxmZxkBuFv1Zm2KkKqItV/WqQYCrngil1I5zJLjHWFNjA634U63yWZo5LWQY8pp5
Y39FRVSmN1NnwDqsKq6I4yDVJpWbWkI/jMOTbBiuSV8dIz8j0JnEGiLFYSZhxU0D wy0stC87yJD70rsszjm3zejtXAVipm27+GWe1bKI6UAVfyG3y+bEAKOGc9b6UpUJ
FERyblAuYtaG8Tw9Mvkyg6GRo4Cffs0W3OqN9IehMwyZfOoWNXW0pkmy1D7+9zrU 7iRPd32DrZCJ1xubVW3Lx+gK5YILsf7fQARPAbc1KbuJ2GJ2v9ihINzkqyT6N6FJ
gqnkJwp7q89l9kf+3tnH2H/uuBBCbBh8NFu/QYgrBPAUjmHEf1eKk9ClLQK85T9J ns/BcZnHAXk+KorS03xDMgI/CMKEjoc5YjFY9ioOUvvtpeg2kb0VUqvAHOm4i+DU
6aGpJVj0x1Vm2/vlars5qBx3TSrC+BKg2FVQoTKbbN5ySS3a6RyWWiGkuvkfvFFK f5pQ82uH16tHVk2YyZqNWNVu8cbYsLAKFYPtyur9EO2TeKhCI+vAjl5FNw3TQAjy
WTW9d8lpeH1ivXPGvUVZ5LOW/2W7pUAV3tFX76LR+P30WeOBYwVQe99dUTEJL6Oc 1N4P7olDpJh1Vkx5q2fbaQvIq1HMovSmGKKvObXjjAoqlwVaiCukkr/djV1Teu1J
PVXN+pYdzVquKRJnULU5pMvd4QPILRHI99HAIVaTiidRtpRsmAR6CTVRCQECAwEA T50aP7tqCOOrBYBaWHO1IOB6xFOSfpAkuZVf4gqHsl2jTiLY6zDhkafJgoECAwEA
AQKCAgBIbWlY8S3QlvXop5LHaOU9VF721dqzOLhQ+8h9UJcKoRIvkDmNmASXgLMT AQKCAgAlKVlyZzXY/PTXV6oJjPqcq96+C3nGSm3Jx0VREOCN9L5zqAim5QZAlMf0
89uoKl5dWJnC9DT6W5TUsTjaOA4H1B8LeoQKRFYwVFNNXNWkulqDMra5kvH9TioW H/SU4+Ag/uBXiNrTCAt9kKeMa8JJ4HIgU06vhK1rKjEYrpV1yo0M23cBgcVZUT/X
4Ch4zR1INvEeHsTqRRE40TuYNpCEzJLUxRjtSxopIP/HHkjmyUOi2kJw8ndIpWlW 2ZKQxGEBpZj5Ze95mJWxjsFQenpSgkC6h0BPeQkny8vTndC6MU5Cgx+s77qVReWg
tbGXl95Xvdvv6qpF2AnMeZb1H3zyKeVQulO1edlsHhgrkgRvtndK2vjo2z9DpSTG LSGBx9tUk6B2H8YJ4dQo0Wij/gls3FtxhzYlhrh76nuF1Yi+Y8QX2UDfDEMvlAQ5
aPneHNjNW0nWkNNGpiJy/wnEsmzDdtW2W4+ObvQepJeg+Clh6it/XQBmZJdvjX2V uqj+YqY2AdAYd1eM+WM8X5wHd9FcR817kBdW/PFS8BQ3tppd6ELTn4T0eedurr04
awi5E4Db2K/kFsonrf68pC3sjT373RfHAEjiNY2Kspr7fgUNsFVOfyaORuWcqbzo 4KV6b/IJri2dUPetmPUwE4gOV0vW5LP1DSNS+sBD1OrsQ+Ytovht868GLMQ/d6M+
TMBG9vryGOfhsADISSWtJFN8FW4rjoIJ9Y0Oac95MCoMOFI82sr8VuEibwtbnhAz 82IDz2at0lDQ+6JLGBrY2rOXYi22fqGgSg2ErDENgYU1dft1Yc8sAzCTl5WC/Bhg
2r6aB85XoSarJdfy6ejMTp6LHorJu7zcw7alNpEjiRxbMFTxRGeZoif2TKUmElxs IxbfUChsYqURvq7faaqVfb50FcMYUcj/rAXVSLOuix2HUgLsQSj2MTtvuR7+BUgh
oaN76hZm3fOScvo3YhoZokz0MlSg0KzJzdpKlWvkoEhSr5RLHY+qlpd5sYAtf4bJ 2KEmiCaMJy6CQyIgtOTjhmPqMr5Se/JYi1SRG0SxZpsYhGRPfjC8jg1k/VmRoAmS
EIH0vVrP5/B42Hnf/9g2wwP7wP+UfjzWCNPeniLOrfWyP//q2pdYjVX9U+pIVPOZ pvqfhqgUMB0vAjfynoxFOZGNZIVrSR+yuC3xaORBW5UAPGvZHS1XzuxdybjpPm74
cdNbOtH+GO3VHBAAG8QR7L85I+r+8L6w0ugWZp2cznQexDwO0QKCAQEA2bBmFxEV 0NB1JIc3ylAWcJEWdpnpk8OzZCAhifx0Farrq6Xauk6/ZLtd4QKCAQEA4a0DaHcp
8BUSnaFAvTipo5uKixVWpkV1EUWCE//2R1c0U0blW3KocefURIFHGYmu+XdmnI2H OqFTudM8kC/N21FuE9U5MRLtJ2HP42iTEAfMi1bpZjO35giqYhfxNJiyTPnWDbkS
MTDB9Nh0I6oqceXiRKeyvTppudIASrJER04ZEskw2YQEtDsRTZlBk4fK84ZtNAcs HVvNuSLAG58/Xs0KTuXCEgWuALBFtgg39BrPTT9Kw2CdqCgIpx5ArBwF+3lDfGIH
RJX0nIIP1yFaSWoZWktiZB3RBDPBzfNU647Rw1wlsa7d1h0n4SGVfkq2NB+85Uqu lIeoOhR7OKnN8a1/6l7KVOHxV4FMX9aVmom8FKKqjZYcObY86MgLObMtt50v0cKY
y2xAR1d61S5SxZAD2H3yNAwJBbEeJm3uiryDQKnDHuiGq9yngkGpyM5lWJ4q07Jw GgNZCy1HLoXHRGJ+3pypZEV0qxbOt2jGAhEpDf/LdX9Ez4AIYK16/a5AvUnNJlvN
sbdRW++c9xM0OmwUAZPjOXG3yOW/9/+X5/gYUh8HntCuq66DVjyEPbQH97rhB6rp d28LPgTCvPK8Mhz/m+7ms8IfZ2j0hJgm2j9jiMTK0QvyhWq57TfrU+8HWCKzsUfH
JroahvRzkpPinQKCAQEAwGJxZvJCCAaPnBvy4KcJ2ko5M12l7I91x5UDylAahexY M1Riwt0z8u9HpQKCAQEA2dhE79/lyaGe3lxqJmzxdLG3Khp3wAk4/SM6CP9elN9J
u4TyxeRSm+UcaYoV0BRG2usW2ImioxP1FNr+GSp0M3bOxE/dAebi061rpiMdS76j 4kg7UFGIE1AUs73HPwlXmoOyE1r+g6W2CaNMds5qqJKOIIS/89mrGZs68hpTLbdR
ddH/uczVGZgKn3O8iZLyWquhCaxyAt5SdIVHfJ11IpMN4A6SxotQdAk6sjKjYXRQ rTrNNeTLlOQcF/txNfawYEtPwAedjIxUFATKDibbDwfe0p3mRZSm/ji0N3n5ehJl
WgR8a+OG9vgrcADHV3GaBcQBZ3NRgkU1YddFyauTx5QPaWJSFmJcWn6HyNN2v3hG yDwfaSVsZsoHWm0GUfhMVGwu1OZjAGGpGZIf/tcjMNQ3cKAmqAvRpRrlc51eUw5M
HeskNeOyWgiT2roBO8mJvpM7lRQiFdWRKAeSMaJBpR0aLhEdwNn4HNjrQRgrWLWR +Z+POgRY2mnrKgTUREFzaLG62umaTVTGC6dn++QLPmFgoFuloSUJNUbRRvIg9d+a
I3tU48+H8nmf/Br6xbF2IRRg7+26X5bPA7P3F3gQtQKCAQEAoVq4AUb/zMnB16cL aatn2eiusBILVarQcHGWdysuMFqxUJ9VHQqCNqI4rQKCAQBjPcZF5kEHO3KqQS5c
tnXGf+etpHP3mx0GrfuodCyYnr6LoWJ+ZO8y3eMpmnF8gvhkArM3ErlwyMxMJ7E9 6ejJDaIurpGb9wq7StQ02QPzBLr6e5ngC9ZPHnhu8sBrtMqT9zoehshkiL6LL7Dz
PKZH+c6cjakDunEOptZ6suM56uR/f0YzeDb7yZ+yrqL3UWQo0aMFVLgwXtIL0uow dLBVbC2gTIFvk3fVba76Qdr5SeDnw3GJQa+TByfm9fLSvPAUilsXE7TpqE5eXCtj
1ZP6OUp0alJQJsdXA1ddwssnWcatwrGNmwtzkN5hjeT3yvmT3kTcHdTihRPC/V5h 26hpIzchRdYMRd/v7zg63Q6lCvTezjnaUazP5EgcxfvJv/XWzRT+VWi158r8k0i+
RJyma5vYzeJk4aE+GsLzByca1iju3MI4R7OxBrhyTQFg2N/rjOkH84xjLcckfhG4 OK5McFQCaTpEkhagNkNpfHW26vz23woF/ZWw+ki02xU/AaYOl6nTuIM+hmKXP1iz
dgb9AoTTu2uj1BNvV3C8fxUrwpxJYq1vV490uPqMjSIkHxxPf5c8bxOG59awDPIq 5rrD/uSZGhHx8ugEfa8psA9F4qJOvtvB2lMoQKrKmtCt9GtyYrBKwZnkBLP5pXT2
rC4DnQKCAQAE03Nczb7yTJfVpq3VDNumai49J6A96utdclOCA7hmm6MuMQuWA0A/ 3CrRAoIBABiIz/LIH6QezLq0Y8wiFuuSnFNkmboKD94Kmp2qzSctIrAWfH+mPxIV
QOQRkbEyYw/T9gnArNMznBCN0WCGaRY5JEXTjt1QauZNwQ/uPvtBJysajYYItyax wc8gf5Es5y3iySp+5A1Fm4PoXVNAGikUIGevK8M175w5rGDZ8CZE8DD3X2dDdl41
WasKjPCx0snZlGyZvYWupL0UxzMf4SNLFr1GXZc4+82s235pcfO/Qhex6mLkofSE dqiIzA5M0z51HO0+rlLG9y0uAOepHqDJvSGxYN7TSB93mWxqE1vZOJddlhgMe/Hz
xXzxdlOJ0gO3GU+ftLjat7m7Fpddk7xFSWWJkznT7eu7KWlmlEdqTi4UGg3yfB/B rPJVNxICSe50JK4bqGjBlv7nQy07Y547OGc50kC43AqhRdhIj/gAs1Cl1Mau+KbY
Om3bEsdtJIUcDr1z4+lm+tCFXItCS3uyFKTPewZwDAe5UYe1PlH4C7X0WeerP019 qQCZfKKXUH0pDydaieNNueRUHVT0MQP8iZpl1/iXKDtU13sLCAVJAqYGBPM4znvL
u6dTv6mCxAzej5BO9Hu0YigXQ7BzGkPxAoIBAB8nbMVXC8yNlp617XQJkciLiN7h /HTQgRs4375aIaCWhkPTPg3AQjwO9x0CggEANIoxDPtty49prkkd8xQQceySEbnf
oLI/zM2QcScGmgsqnhWLZjXAOd/pq/v5V6wJHcRjMzyxdnWSsPSkr7aux6JS8ffN CeTljNd1uUEqki5DSJMfXajwuSkUrhZAnSevT7k9BjsAzqHM9sWqo3C3PQpFA2Q/
J7pW9VBit38UW3fRrWRMX+PCtILT+MWjb8q0NYDbBhKphDtHbKk/fJuzBVW5TwoA seTA7lSIxyKvQ4bt/ZaMMeryCzC/WKH81+F35IoQ616nzJz+A7khHX/+l6ZdS9Ud
TXsihp5wxO4JXXMXaw8BFtXt2BFv3d+Dr3Ua7wcCTFXrnEdFor/k3OPwJ0rqKahD LYmYUEB1PQVd0PFQQ67dnNCJ265Hi54XLez9rzuYbuNFIb+wg4FsjV8NHUQSMow3
PaidQ+zu64aZF1MjDEWUHXumDli/vVCu6dmgQAGAlRMKd60oZUzxonx2SZ85cQo0 LQLLMO16nqs9lQA17WdTlhyR6fYrovh6h7puGzONesSF0s9uLSyiOQ9UDKenNPPb
TdXq1LOweaGRYe1RqUWGdcLX2BZI0EZ9L+aNzzFnSVbhnHx0sMKpOp8SlAM= nBdM3Bwq5M72o11IKwTPvq95e09o2eFY0SlqwqLdqeD9lrbh/HWfO9VpWA==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.key_512
View file

Binary file not shown.

9
ssl/test/axTLS.key_512.pem
View file

@ -1,9 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIBOwIBAAJBAMjKXU67trg56k7LhG5v5XhsUTpVFI5ZOpcat/ry3WhtJS6q3lnB
3vGQ4n/U47F7yXVTIpDJ0Zxv2hm/0LfudBcCAwEAAQJAJDnee8YCQVqxm2W8jvBB
RmjEfvG6s7QFjh2T9AK9T4mPsva55HuPnRee1WgkIVFLCB2wy+xeKqYUatT/Lcy1
AQIhAO4vmcbILievlsnHew3SZcs+mjJTMlgt0/0yUz03w+FJAiEA187GrlzN0yFB
5HnYap/rzz6AR6zaHSJOSU/WXLTpCl8CIDkzj0+w5Xy8a48b7A5+t9meuDNbzZxl
rSKCgoESMmWZAiEAsPzQTOenlePMmoijSK7nQgxMQHwuVX5xHgbwEw/7n5kCIQDp
i1Gb2CDHu79/fL6kcQ9DEfGMT9i9lQ+bNiggYoL4uw==
-----END RSA PRIVATE KEY-----

22
ssl/test/axTLS.key_aes128.pem
View file

@ -1,12 +1,18 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,ECA1836F07770828A77072CB8E75B461 DEK-Info: AES-128-CBC,7BFA0887B7740C1BBA458D0362E75F89
IEKSJV5xp91M43nqeO3tWV42uXhRuQq1QYlwHNTJoJ+P/+Pw2g6DODFU2xcWoM89 aBIhF2zVGRMFZAWg8s11WnxoTQhGabdzchHBxPltnipEgvwOM9FGmYnVIDsFPvyb
/QHcZIjC+Er4GM/IcRWI307XWexpxd3SSsvDd1D08HU6DyPts7Yb9zy0bwzDfS1g hSA2HgmN972SPeRG4hITzrIXiRZMBOd6Lchz9p2Ui/mqkR6RUfnUBkUtkgxGymSa
wDhifACXUEYnpiTCAbO8Pni+4TMV4tQ25Iugis8IfUiBtqfsEAo/tOHbTIRTWUNN oD7WAmbpNG73+7KX4gV36tevC1dM9lQzbClhhXQL9FH9LFh11cS7ZFa9L/esWHbb
yh7LS+7TKU0GuvEUP6uoxn0i1tDXtP9vaqgkO+DNFgi8A/Pm98qdTvLtp8mNHlJx sxgicR8zG919UEA+XvhLPVXpYD3AVHTcyEHbPWiGY49SIEI+GOcLi6rvxQizcXKY
kX+U3+9yxm+HlwtjhU2DgHxBXq8eAtBW3rZj/pM7bFubSNeqbsD086hlxvom7ISa pFtmlk/jM06OdZWur5/qLg3HqGP/o8GUjjA6KuAe5SIWVrmlkHCYHj6c1KFLVQJZ
Rpm7QhoPcrbFYy3rjs2JyQBoRvIAPXX2tYCuKh+Iylq5KztPspGIXXd3Sxv4g1tB 7qAUNvjVaELXOc3+SE64Fl4OMP/4MiUA5WJ+gcdIKFtX/qksjywzF7goNTsxB1ZX
bQRVfmSwLNKo8rEP5vWa/DCVZl1GJoJTIR7vmQvGGkc= 8g9JP6m5BF2VS/Woz+9ypekzk7DEKST4Knh8cYBNdz6yYwX73FBb93jk1aPMXv2K
SzhupTSHyAt7ddvXm+QYXBrklpZgUcuvinrkb7TNYEDcc2h3iDkLMHhI2VW0fiSF
JcL2DZWLu1UChg+Nkc43+9f8Ao76tjJHdV+IkWfINlKz8cpKthIfOiUSQWYK4Czr
0E3dyUrljIqFyKmZGokQ2QH+kdMmcm2/R+8NwL4s0Y4k1ylB0mZ5+A55t0ESaUVC
8NJtoIMrLz2pyhf2ohXMVepcjvR/Id8vNxSlLFResmIwSo4orTZOnsHBlQqm5hJl
9dr8G0o7n7WVfGbHLlpuPHoKegn1OK5xLbDbAi14HnZIi7/lUnbQHMbFFBjyS5EE
v+SMbI7JU+5zeJc34WLUTm1zll1ZNpFH/76vlP7tUWxYqVUZfKYHOndqS4b1rAs2
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

22
ssl/test/axTLS.key_aes256.pem
View file

@ -1,12 +1,18 @@
-----BEGIN RSA PRIVATE KEY----- -----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,22B407B6BE071AC8FEADA8834A3C0FBB DEK-Info: AES-256-CBC,5AA67B48694516B66EECE19E0F3BB048
a9LRlNUJ0oatOOxS4eMMNd3mJLre6llYU8JXnJVFyuNzmh99sgdAFao2xDOoszYj eXbuyN1kJR84JMhFruS9yeJ/WnyD0V6h9w/6fhEcPfxW0HmFqgIk35IE4c4QYazZ
ZcBUDD5OcZxDIVRNnbsCC7iDXsOdIrBseDmC/qiRouNZ8i2a6Dh7IMTrpToPxNQ6 aMC0J1S19Yb4kKnRd7j0+92IDBw3B7zeJKjPDrcRDSo8R8K7O7+6MYwcmJJ/DZlC
rfDC1pEf2yUtbK8fefzIKzkXz84igCGrqLCIz1aqW+xjOOoTfXXIZj/LoYueLzag yqcaHr3cJEiS4I8NS3EdffffFA37Uf2O4C26b96ewg899YZXmPtai6uOvKbF1A90
i8/nasxFQqDFEFskH38dEOMTwiKs1xZh6cUA0sQo8l4IYiwjAsAqPMiNiOdBA6sD aRV4PdCpJdJq0q69VfoSeQ5p//Wokb4RfDGWTNxpgclYr0SK2F8qfITjCNDbqR+E
9322LCQwPqqU7ZelTXl8NCWvxX5S5yxV7KYmEV7VeSiPj4/ZlI8t13TTw+2Lu5j0 r+6tRsy9VcHVRjswuewU19HOQNQzaPlIiNaoGBGvOVRHLdE0s8b1Czyh3oeuRAZi
35Rh18I5iUPsDUV8VaU3df81wQHnWamKFGUAY2imS8X7z1uUiUiycuJipZNSoAHx EK/SPEdZ5JMWbtxpKi+rdqFZhW3sGE5T9QItYqAWezScOCcuZw7ivVITWj0HuAJl
3QvISza1zXCqbzs8lI8JQqja+Onope0CeeCBKBo9fuUirI8NsG6EPrnp5IxACPXl YZnkL4CS2qMKfQ7oz/YBAuShDvfl/W1M2YXt8caoYIox8NWnGaifHbk+eP7sQRE3
UMA/71gfz4AOUSKOWTNCen+qeAImyRi++6kFOVyAZnmvGAj1INv76xh6tHP9aDN+
0ROlEMeL+4EyqEeTeRL5+i9xEGtA247hMjtwB6i8SDl2N9RZkIzGOj6GmJpWQhHK
qRSu+PvoDfSHqfHYXof0rtvCuKj6pAhYgKeL5Ycfc0FtJX6gTvErlKWENUrsJxgV
RJNcRbltxcOylmdYP2tUe/PxQCSFcYIzFbQbXJDoZ9hMgJRv086fzn/QWiZEx59o
9r8kKQrYhKjS34Aq13ghFBf/Mr+GKrB8JtO5DnlC4N9AnapVlDgeZn2NmXyVZygA
mcIq5MTJcZzCdX6PdzNVBsttRfYeItN9M8aP5q5YodBfuLXPOvFhV2J7wc5Bgt4i
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----

27
ssl/test/axTLS.key_device.pem Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvV0Pomdmpxx7s19ue0itPlPusWrTSwofoWEU141dp7cS9eXc
SnQV5pfvYvvw21HsZHy+xW2cupjQBzvqPtrrqAz4p2E9VHTMuzvDSScj6GU0BUD+
GQ3qthLkXMfh7pJZFN5DYtVqzSE+ufZlYlfBqsT1BON9eRs2fTf6OnMFApx0ANjJ
yFElu2cEf3iif/3Z6PF0iUNtKaDNDVvVBoiRa9mUuj4vxnyH4HmyzThp2bXDLMUO
Viz/WWZs9Nl/QoJduyJZGEii1UM5VS81qQnu2dT1g/E0yPXwtOQUnVgjSMPfW+CA
yJ1XTdSwVDSsyXApyxxtSEYbM81t3GGvmmCf+QIDAQABAoIBAFFO4COvmlgu1r6S
P3IYJqsYhukPIWKbGjHE6ZoUTR5ycWW8KPafGbhFjLhHzYeeiY4sMg27nwxQCSLS
CyaqAX3K9AmKqzbUYAQVCSkj8TscGVYYLgK8Awfi3MMp4Ez78dwQA4cwdAdYOwLG
VYoAfFvC7iIHPB0AHklt+7eVI5WWsYlOIf9aS6+PDVii86GVoCpBE0eNZjE3JJo7
hC0ctcjOqSVZRPC4p5KLFI8QkwyEK3vstyIiQOKSCFbZIn5Wi0+d6A9K96WhwssM
OpmenLv3xgz4zrUkRDbv0cPAU+/e7ZVPCiIbL/Y78qk3lBjUuyztX6fwQ/eDFadw
BS6LcvECgYEA+Nlwgi1Kzcd46xKG7xryI0mYjHO4cbZMsTcB4FQK5xXkGlg6j+WD
NAi/LKDJhaKcBKIYDhYi8tY1ye7JSDmyrPfZ0WvQF8K4yprUAqidNIuwOPMASjTW
CEBgTfMwCATNYNiaQ8eRuTLyknF4I2lrc4Ifby7cYEZrJ6aLGyolvdcCgYEAws4J
rGQS8W1DmzrL9mIDlSUtMFkTWqhx7nvG4lCYWVGpMByiQwf4DRvcqmXhwPr0syaj
qE6nu8G3iuOywSx2qrPX1a6NzeoZZybOSL7poaVmnpxgtS1xXyo1Bdc5ZPPOom1T
apb1QXHIPFVFKsuKsrQvyXfYLFGlQbYh3TGrtq8CgYEAmDqT+95vI0ECNHNp/f0y
4OlVm53y2AUYF1S6Hhvra3/VwVP1xy80uvEa2dcmUEywOplaM8vQ51KpJvWfRkKd
jfg01Eqqys5AsxhR16qEOK+3Rq9InxyBThzrjOPWnyEo7jSy8gG0oGGNSI6HWspT
hB620hINmAub426bLCv1WJMCgYEAkdfBZEAT8o30BH5TfyVIO1v25fB6TfA4Q+yF
LKBcPtqlSPDXBkosClxmq2fVSS5ZDtsJwZMJfsb8C86G4JrSSOCV4VNqtNPjqtdh
rxLHRQ7YsjyvJlVcQHwP8Ex+mrbxZ6djwTQ9b36pA4pvWyfBsiK2eCXyQNPrXjPm
THzIat8CgYAXN7CO+EUKtBil/r3PTj8FpWxvfZiKMbmktiHKD9ntcN3te2hrOWVs
1SmrIzr8/eBIsh7OGS3LUZTb4wKGtY29N6fTHuoA8pYILeRcJALGZnmrsTyFDzGH
iXBSkZ94EXpywxWHAEglow028nQ9UNugKk9SIkpg42u4vrqhRitMqw==
-----END RSA PRIVATE KEY-----

27
ssl/test/axTLS.key_end_chain.pem Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA7R4S75j5ZfknrzbsAvUnqS997FNk545sGo0YraDQ7CeJXGqe
DyUTpdwtzBt8H8/axNP1BFdgNEWnF1C1HXVbhqWxq16IlakqZYkYldHJMPQgFa3Y
uRN4Y0i8sn8A1Fbe69D//57JZr1wt+qxAJWWn0anPGXmR0HlO0At1ACQkKGSE+aj
TB2TnO7UTsjKRrXPv16FdWTXkJTVHUdVuAs6IfgAKkvQQ5zA8D6IXgjWsToWdFzl
I8eTDHZqZJiw8gPg7xG0jepN9JU05JRc4NduzeVj/0WT0tdilO0jQP/+8FgikdOe
DU6wo4/e0Ta5bdZe7apqOBfdDnq3EUnHO1ZQbQIDAQABAoIBADbu47Yse4L7YQ0/
rRfWUfTpMsQgYd0far4P+Cqpeh1r32/Qp4OctFuVkeqaZ3w7PFSjQj1aPMh/ZoGJ
ShxkBus/0dSA1yXNBix1wYNcEb9Mn25GU1I1R4vA2y6DK98FrSl2xwgickhiFQ4W
yiD3huiphq8AcIQLqR679KIL63IF+lMnHmYTrm9/rkGvO/wiW55OMhLvhuR4w7/n
5g+PMBLF4vEqtN6wEpb5f3Q8ugNCG35ykpgBMFWI6FGGmcZkYgux+xnTweZ9+Xol
tBQRrq9cY3/ouIrRX4K30e/EcaJN0eA0Cx9WerEHfYO45BWUJGySsxPab9vk6Qep
uxRnHoECgYEA+uv054HQKGQOZPjgZ9lCqfPB4wQ98T4hNSLgNwAkd85D7UtF6Wb9
GMsEecJ5aPIQjDN6dTT6Nb45AV4e0XWtQFtxHFXP6SKfyIlf0Zcl0cd8Fvt7CX/e
ghZF6ndUxHaWtAltALVwo+Fi6LOgEN7+dsBjkAZf994cZNfqrr6B1s0CgYEA8eqY
u2p/QE7YNfw7naMUKDqgqGzo41IjF915rznYOyuO4hu+zGrL2D+7EeZnLWfSCSxl
t0uowOzDOKkm6XeungMyJFH0DnzhYEgh6K9AXMi3QF0zfgGrh7hhK5wFEt+a4nOY
hIAnqhANqISRhOOd0iT2VIt+igQhEQv8XLjAICECgYAVvkKfmQkfpuP0bfiMJzB2
p6/Ca0iu0fJwt0/0lCeU1iPeuSoaupjuABGoN2jr5iX28DMJWwjfhVdNPgmvnuHf
dM0NZoY4ro5oAzdxYwac8gtXtn0H6rOuVB3E3ohS6e/PNA3lBNP473vxrDcPnzMv
uSYngdXpFa8iMe+dKtb3dQKBgQCAzse56q+Mvy5yODZJ7f4amXTXmP27pA1ZdKyI
90TB5KR0kg9aanbVUsG5ezNuwrvb9I7INPnKl4Yu0ioM35PTQKJfIl/PowChsmaT
rVSY0qp4E+gJ7Lu3TR44CR/Od87RSnln+5CjBV8wXj3ZQxTSQqoCRDABLseoevhJ
Knnp4QKBgEHHHpegaCXl7+kaPzD/qD38iN6AmoAya9ZUxCUH55bDmkTFu1ZGgA6S
87fuXQ2tzwFyOtaxAftPuOkSKMpZYRPJY92SalHA4WyN1pl0MhWMZQiyKOh0QQ7A
yaHjrLn5wPrhHhkpmYu2L1ZNiN+NIFDuD/j+APCX+wqb9otfbfxk
-----END RSA PRIVATE KEY-----

27
ssl/test/axTLS.key_intermediate_ca.pem Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAzhdv9CgZ895+JuF4J5ttgKS8HDKL5uCAYOS2B+o1OkGzYRkS
I+vA41BpPfE8D8P9lgjcbzAOrOvgYHPZneE3Ix1mhlyPwbnXesC48AahbWXeHFJL
u3Hr3EfjIVngptIHF0/FXmLtOjcxLpP/mXyUTX7bm0NMhgEvxAX34fPfgM4r6AwP
YLwxJGl0c4rrb9choDmXp7+72NnjiO/pXzrUkI0VL+fV6U/cT9ro6p6wJYewvfXA
zqV01B76xf+QhYGp6h/HSZQntTQfA2KIp3H7jhaVXgC/CyyZ/fvx1QUAVCy8pMck
Fs7YuLtVuhAOZ1KpeZzaQotwRjTEeRkF99iCxwIDAQABAoIBAFNxi+O4hOGHuV42
tjabKNgIWx2znY+KYJBaqhVET+7ZgS6UPxMKNlwTR7lLvjzH5xnjVpUySQ7cpkmH
Ppo9AN0X31YRjicq/sL12ytcE+o+b5LaA03Oz2euN5leUaZZrYNTyh7wQQrsI96v
D7NujIFgFryjoA0118gvfnEfE+SLW5q4m+n7D4cZ2D1nolDnOo2noLhKhMVWT9jp
UVoa5sO+9/Ap71ElAaet2LawNsKbyjjRuI84544G09zQ+YUfcelADaqtXyYZpSJL
iWrmHasD1w8NfiHB84y2hWHySoiuTBfVBJFfTjg075TaxBwCtDbzzEe0ecDCVGnb
gZfkevECgYEA5+5cUFf9LXt7Cwqc/lnuIUYmX7pvTPVVZbdjEzd1MUvu12p01cRN
QYk4K41LZsQYwDrCk82TFn1+hDbVt27i5r4FPJ9GbkSh4AiqUFDkqpqE/U06ZiUX
JOosU6laI6MmguWbXAAQuv2OwK7xVA0575HdbsEK8LRP2bSTRUYNFjkCgYEA43qb
FaKixVC4KOm8dyNYFHB5oldZW0u4ieemum8B+a9wd2BEG8FdxFw6IuGnKyMQ1BWu
NVwN2wZsHbosmCYxGO7cX4OT37711hdCr4pCGQhQ3gf9eNls4ZjjykZp8EHWQnx8
SYl7sjQMQUjhfqePKwR396IGx4KSrc/l1rxKYP8CgYEAjYPPJ+bIQFw7s30CVeAh
gIQBHh/vkZGQTcQb27nW9AFU9nOqXlSsnvRPJaPNAiNcxs4Ts4OX3/0qmRmsRYSP
RiNjpp24p8eQzdX7tY3mOIKX6saYf4LaIFgSO+n1ahE+ilf296fCjZXw6HjWH2cC
lr710YJQXpZmsnuP8JDRo2ECgYBrasL+5WydZi+ASldPnuYByNb3HO46GTiMDlKB
6Ndy8zBVfqTKwnWnurFNNWc+DHHu5En+Mnjse0zkgLx8IFTA5FI13Ckg18i4jwVT
ZSMvNOkS340G2wz6PrsaEkQGSuCFRsld5Ej/7mn3DhZFO5R0iMipq94tqe/fmbN7
wjAROwKBgHLl/XNhPTI/ed76ZjmCpbCvQlKZeYLhNbTS4lHvKCuniHKQsPz4BxjB
fuVCUDH61yQT7WM31zIMfzQZjx9hTgFYYvnptRWj9zIBlIZJEieX3//flvEJ3Qmd
/tbSoADa/1y+Y58biKkgmM4f4qS9h0AkVe88OCbpm14Xs2u7/4Nu
-----END RSA PRIVATE KEY-----

27
ssl/test/axTLS.key_intermediate_ca2.pem Normal file
View file

@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAqhp+ySEP4Oods+29nF39auqEmJ/qTUqQCz+9iWyOhp6NU5pJ
2LZiQNxVWIzasFHp9I1cvmf+4fnstMpaFl/TtdCpQnuV+eFIe7alEP6+Pc3YiFrO
zyO0XnqJcZwmmkpr5omvGcx9FbcrKflzfgmn4ZvGIdgtwkA+ZAj6WkpZHGGpzqLY
yAFz86fwANeT4I3a90aGwOEo/on+jvJA+O8KARsFx+yspxrfSZtNVTNWFfQfkIIt
7vOWnevZNAEkMnHxY8jDFq8EACNGDo3r0j+G5imRl8P0hdklpN261OS1hANVM3l2
t2INNN/UkZjJe3/T7RW30A0VZ3Wk/nz3IgKlDwIDAQABAoIBACV6FurrPNtZ2Vd2
DqtvzdCLgNE7klybC+dekLzBTRl9vzdnK9PyQu11XdxXlCr6sSfvKTrOIMrazHr8
hiKd1EAfi9sY7W8TYmvXTsDSz0lAm+9Wym+6txeFudhtBdhCg0lUll6BviFVrM3f
psFjETjUoC9+uH4ut1BE5huUe9OTmOXxupLWdETcHViMc2VrpnDsNKX/lFIMFSo7
3JDVojyTA/xdawJgkksCmQyHLICDvqJrIbLaDKxCfEiMKMyjVqgf9qwR33WAJ73e
ES8XMVtgIce2Zpzx6OITf+gNhS0ekqsxZJ56iiacOVHxpphNKk+BwSj1bBxHLRoo
narBebkCgYEA1BuLsbfr5lXAmGxE4JG1XrOZ7YtTqQNMYzy03s6fndoITqS+YpHk
dtPqM/lQ6qByqLbaPZFVEqecIb9EVRoG1m+9rIkAutiWf/vAWwr7w7yIbFID2YBH
50crmdtbK+1eoml/MkNx2grmgelqtMy5iOzwbPcFzmgXaTBzXvJvZEUCgYEAzU3F
f3QP0xgbrT0iK6138waegsuPaLoBdq+arlZ0LMzuN7T3KTKiNfkJKWbxoaECmu1p
PpJsQpG+0cQxyKU1PK9Pz+9qUXaPf/OsRKTcvpiS2kdBFXLPEgGi2JeSoPZxErYM
WuaqLIM8krYrV0JBRgGv38Pd0u0VaSbQvPx5u0MCgYEAidFoIE6IKf64CJH44w3q
EiGSt8Va06u/+48bWtZY4kEkOq1Sw0tWbltdhu3NRNaCCdvdzDldVKSxjz/vD3i8
zqKGVNAkOEO47mnO35kwY0tiPTfBJpbyoXUeAHeGMvGmFtODgU5PcMS6Z9kZq2aG
e1CxG6waCraZ15BStnPCKx0CgYA2n7Olhp7TPn3WqQZXcq8QdTlleX2tkpfjGTPh
oNUGOnxDTB3a00L/c0QxxNcTdwB3ciVnZZPyXk7UBwxr4zD39XkZzQyPoijqFU5H
cUneWD/yXbT+XO6lTtQiJqn3s7pADTnaUbcDYuOR8XA0pkcxti8yLS3u+e+Ra6ds
MQy+ewKBgDfHrvBhbxyYskxc/xHnSeAZjrKsKoFNmV3/n9XTmms3WAVoCYydIEou
Pm3p5kDiaiTTqLBpxoa4g2tuaEXBJpgLwxq79Jod4PA1bnip45ERRrk4kRROIaFg
eHV6U0+PQTrdFhiJkvK7CgNZVr+NLiS1V1pM3x7xI81nAV9Sv4c5
-----END RSA PRIVATE KEY-----

BIN
ssl/test/axTLS.noname.p12
View file

Binary file not shown.

BIN
ssl/test/axTLS.unencrypted.p8
View file

Binary file not shown.

22
ssl/test/axTLS.unencrypted_pem.p8
View file

@ -1,10 +1,16 @@
-----BEGIN PRIVATE KEY----- -----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAyMpdTru2uDnqTsuE MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBAL0P1EKodIdUqrk6
bm/leGxROlUUjlk6lxq3+vLdaG0lLqreWcHe8ZDif9TjsXvJdVMikMnRnG/aGb/Q H4vOvbdl+0A90BGanNyCfOqoF+F08wUOYcHBeIqyuhUiWv+buHouD4i3dN4EmaWi
t+50FwIDAQABAkAkOd57xgJBWrGbZbyO8EFGaMR+8bqztAWOHZP0Ar1PiY+y9rnk mVOLrXhaMe28Aeff6ewvoF1T9uaKoMhtQUVjI7PPTlAfKN824nPf1qGzRk9uuw2b
e4+dF57VaCQhUUsIHbDL7F4qphRq1P8tzLUBAiEA7i+ZxsguJ6+Wycd7DdJlyz6a 76j5TKVxoYjdB6mGDT/NmSOihHcPAgMBAAECgYAmP+yWq9QfiQ6dONgnBeW2FAjX
MlMyWC3T/TJTPTfD4UkCIQDXzsauXM3TIUHkedhqn+vPPoBHrNodIk5JT9ZctOkK /2l4FkrEBhZVtzpVn76G+FjoxUao8O3a1r+IVS3mciksZMldHZskOphAodKvXKsj
XwIgOTOPT7DlfLxrjxvsDn632Z64M1vNnGWtIoKCgRIyZZkCIQCw/NBM56eV48ya 5DPQ6mBS53qec18ugNHcb0cPl4A20jAH3dbXFYkrdNV+irxjQgryMSm/+fnwiI+K
iKNIrudCDExAfC5VfnEeBvATD/ufmQIhAOmLUZvYIMe7v398vqRxD0MR8YxP2L2V wiJuFSa3XltYRBw7eQJBAOHxsuXIgJNAUHQU3bLyJ1wMPcBf7pxFbBMA39DZg/qQ
D5s2KCBigvi7 LITyqsLd+88DQYgQxrtet7Yuph2quvtKctiarYgNahUCQQDWNiPzXXfI00nBk/7K
Deub2r1HKHOXoFDXTCTfmws3rsMxtU9iCMrl75d7Q6DaKx+/qAiT0hYciZnx3ybR
QpmTAkEAsUHkft8g9+Tx+U/Rai0N8ensnDrmwJS6J+J8tKWhI/bt5lNW4lAy2AKO
68d1kdPKPtQ0IHwr+y86EHKxB1a2zQJAHjvyAw10NLItvNbIpXglgw/ymzKIbiRA
hMLIiY72nFtcTY3LsIiRKrcQaGN5NpHTn1d2Lnb+i/SX992JOwvtZQJBALmvvwnJ
kCbzcou/s3znb29bo5W4ngO5z6BTujLB062Fu3lICdY/nNk3kRENBNU7ynRdHJGN
PfH4+b4117JTUB0=
-----END PRIVATE KEY----- -----END PRIVATE KEY-----

BIN
ssl/test/axTLS.withCA.p12
View file

Binary file not shown.

BIN
ssl/test/axTLS.withoutCA.p12
View file

Binary file not shown.

BIN
ssl/test/axTLS.x509_1024.cer
View file

Binary file not shown.

23
ssl/test/axTLS.x509_1024.pem
View file

@ -1,12 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIB1zCCAUACCQCrCBinAwcn/TANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh MIICWDCCAUACCQClKsh4h/LnxTANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMDEy eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
MjYyMjMzMzlaFw0yNDA5MDMyMjMzMzlaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl MzAyMTA0MjdaFw0zMDA5MDgyMTA0MjdaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCTEyNy4wLjAuMTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAzf2JSL42uZV21BMwDr+y7WcKwBY/UQmdKS+ybT8+bC+QgKFx3744xcupmkAU gYEAvQ/UQqh0h1SquTofi869t2X7QD3QEZqc3IJ86qgX4XTzBQ5hwcF4irK6FSJa
kAr5twcL4drnCb8NV0GGYKHBJ5FbCphGG/aihPhlx84tlheqkfhhBFBw67RDt9ya /5u4ei4PiLd03gSZpaKZU4uteFox7bwB59/p7C+gXVP25oqgyG1BRWMjs89OUB8o
zDEBFNTNzMI3bWmC1sbEvvI0pcmmGVMyeoYOkYIPoUJUqgECAwEAATANBgkqhkiG 3zbic9/WobNGT267DZvvqPlMpXGhiN0HqYYNP82ZI6KEdw8CAwEAATANBgkqhkiG
9w0BAQUFAAOBgQBAtJSaqIlyHQfls2uIIcI4Np56jElIaAwG6NsfTgXmMeP95g1r 9w0BAQUFAAOCAQEAMuA8biHmpvS4EJ+K5guETizlFMpWgT/ALKM5iSTOr0cuGWKy
2BMX4C0NuH7LIGyoc6f946f68wJgeB8TQEXudfUQ/Y9odNSsrgQJVSzb2AcHZWkn 5HaRJbzhqO5qaDp3ubJilwwlPF4TSIeAo5HZLuaSKxxSJLF3xvbe2JvZVzdWaBcy
br9eYUBWi9czO/9uU36dP8BAOqugUE6AR0YNHttM8RtdPCpUp036e3JmxQ== ZgEIOAiawYxeP+fJRMtiuUjHiab/jn094UYynBMGmtEXqz+pkAQzLT+BCqVVzraV
VK3xT6LKw/Yle3HSaIXpcraZNG3lX/Z0HLmi2isE/4LFCQTEuryCPrRyGI4waEhK
Dac9tfRCOpdgfahhip6YxH5lmep+ynXn2yFdznxmPX7cFP5VBJeoZBK0tTBIcrzb
61tPpvuHAUGR7JiY8Us4okDxBZC7m12WsSJrUA==
-----END CERTIFICATE----- -----END CERTIFICATE-----

15
ssl/test/axTLS.x509_1024_sha256.pem Normal file
View file

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAUACCQClKsh4h/LnxjANBgkqhkiG9w0BAQsFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
MzAyMTA0MjdaFw0zMDA5MDgyMTA0MjdaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAvQ/UQqh0h1SquTofi869t2X7QD3QEZqc3IJ86qgX4XTzBQ5hwcF4irK6FSJa
/5u4ei4PiLd03gSZpaKZU4uteFox7bwB59/p7C+gXVP25oqgyG1BRWMjs89OUB8o
3zbic9/WobNGT267DZvvqPlMpXGhiN0HqYYNP82ZI6KEdw8CAwEAATANBgkqhkiG
9w0BAQsFAAOCAQEAbpbFPGnc74yvFgxKiNGA8+9azns10+KionRirc6g/1X1zBnJ
7vBXW9aXwUr2y9G3jnmX82eut0YnaJ3xlU5rp2NbGSH43fQd/OvWC+6yDFBeHfJG
JqbyP9oBkrUSuaXO/svsGUr8z1YVnxvtN7A1NGt+xQmgTyNq2QWg3MSQQwVtNsQt
84mQqU0BmmyRyi14LOCi2dHxjduXFVgHIcM6XzVL8lxQ1oaabA1mP5u8dzH+n+sT
uVDMmn6ABDZsnnCo9i7WidPI8pfJ4k6xR5l0wUdcOQeY8ynwUmILBt7lhKhxtAIG
j9SHuiQYstmr5+6wIBv6LRwjuXNDEwcqdT+o1g==
-----END CERTIFICATE-----

15
ssl/test/axTLS.x509_1024_sha384.pem Normal file
View file

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAUACCQClKsh4h/LnxzANBgkqhkiG9w0BAQwFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
MzAyMTA0MjdaFw0zMDA5MDgyMTA0MjdaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAvQ/UQqh0h1SquTofi869t2X7QD3QEZqc3IJ86qgX4XTzBQ5hwcF4irK6FSJa
/5u4ei4PiLd03gSZpaKZU4uteFox7bwB59/p7C+gXVP25oqgyG1BRWMjs89OUB8o
3zbic9/WobNGT267DZvvqPlMpXGhiN0HqYYNP82ZI6KEdw8CAwEAATANBgkqhkiG
9w0BAQwFAAOCAQEAcVYgGWa/OFtWSpsH55h4iHan1Hj8WMzhvczirWDP8EaG3N1P
WVo7LQdfhs9OvQwLlacAym3eawwsMe7ODU6Iq2vsbajeKMuF0jb5teghb7dMIiIW
UIy3zRe9pmOZZpIcwJfuzTMTXMq+UksNfSzgB8mGqnIj+4D3UPXce5KYMvxzAjYU
HAAFR9+ZkTdpratH/qFlk14DJ4CKlH69/RUpekkXcn3lk1DutfQ15kaTnaFObTUs
HvGr2pX5PsofeR7DW4NStIMbOwMvTby6thCw8zImI2yyouCv+LkilGxmxEMAV85X
ZKu5dNZXbJwfOFjkmHEtDfmISsdl8NoQxyz55A==
-----END CERTIFICATE-----

15
ssl/test/axTLS.x509_1024_sha512.pem Normal file
View file

@ -0,0 +1,15 @@
-----BEGIN CERTIFICATE-----
MIICWDCCAUACCQClKsh4h/LnyDANBgkqhkiG9w0BAQ0FADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
MzAyMTA0MjdaFw0zMDA5MDgyMTA0MjdaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
gYEAvQ/UQqh0h1SquTofi869t2X7QD3QEZqc3IJ86qgX4XTzBQ5hwcF4irK6FSJa
/5u4ei4PiLd03gSZpaKZU4uteFox7bwB59/p7C+gXVP25oqgyG1BRWMjs89OUB8o
3zbic9/WobNGT267DZvvqPlMpXGhiN0HqYYNP82ZI6KEdw8CAwEAATANBgkqhkiG
9w0BAQ0FAAOCAQEAbrG+mMdCorMaq6VHQC071CdXzqdUGFgXM/qpVjNo3tKjqUbD
73FJOYYoSgXO7aJPebraaZTdSpgHO2vdJrifUjrJg+2RKDwIzCP853fgi3Nm4n+R
7uDsd6K/cj4xvcnhIdmQZC3TPIJFujjbMy0Tw9EQ5Zoz5rNwR0Oy++HtWoULOjTe
xsVsagshFaGajLF6RXoH+caKHIi4HANlWwJvHCBpqQYUyhUCAHUm9Pdo0+h7Viuj
evzm3SPr5rOisE8xTDU4WPOhwel3lggZWfh6nbDG7+1sWmT4qTtAkv3V1m1o1h+8
4TeJUOV9QHm88a2UUqWIZocaLxPYB6NThoBNVg==
-----END CERTIFICATE-----

BIN
ssl/test/axTLS.x509_1042.cer
View file

Binary file not shown.

12
ssl/test/axTLS.x509_1042.pem
View file

@ -1,12 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIB2TCCAUICCQCrCBinAwcn/jANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMDEy
MjYyMjMzNDBaFw0yNDA5MDMyMjMzNDBaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCTEyNy4wLjAuMTCBoTANBgkqhkiG9w0BAQEFAAOBjwAwgYsC
gYMDUYXtMubODhuyrWhYD7fomF6ZQMdjvQSYQIEEzdP0NsZq6a3wM1k6dMB1hmMs
GbT5jNfen3JdhL2s8AQ4rio6HJD3RCegOKr9Rt2r62MvWFSMflc6X4bH+bFxsnIV
jW6D+FLSeVPeVxpB0BVIQv2qSFNrTDlYbKU/RtGDx+TfgM354QIDAQABMA0GCSqG
SIb3DQEBBQUAA4GBAIEoXdKa4a2ThBYfcfAO8CCwnU4qUKOpAut3k3XSRdwOnQrG
epJ3UP1OpoMeoN2gtagcjcTzhXv/QPYbx5lRko5QfERFJwpNthy+Z8pa11JNY1dX
YugRs4Ad1BoKrCBYnm/QE7ZKVPEGFt2b/geFAW8HpndNWzn2PnTcdDQ/tC2X
-----END CERTIFICATE-----

BIN
ssl/test/axTLS.x509_2048.cer
View file

Binary file not shown.

29
ssl/test/axTLS.x509_2048.pem
View file

@ -1,15 +1,18 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICWzCCAcQCCQCrCBinAwcn/zANBgkqhkiG9w0BAQQFADA0MTIwMAYDVQQKEylh MIIC3DCCAcQCCQClKsh4h/LnyTANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMDEy eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
MjYyMjMzNDBaFw0yNDA5MDMyMjMzNDBaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl MzAyMTA0MjdaFw0zMDA5MDgyMTA0MjdaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCTEyNy4wLjAuMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAKWgulghnDyduQE0oEn5PgUqoW/gnHB8D83dumyQU+KaNUQhmkcX16w6 AQoCggEBAPladjynJXGaCmdzonEGTQOF6RmWw/ehmrG+ROur6DD7m+5fspZ+gPQm
jZt/1IQaqJd5dGyGt/zR6r9pZt54DNXrCZ8JgVk58gToqaUhNNoRIeUiYj/scqP3 L3gZ2tIv3EB0QsKWLs82x0IDowAMO63L3oiKpvJyTMQPARTTCQh79JJw5UU9x9vM
pZiBYjVPM+jl1RirIttS191JoiqFhr4OdkOkPEwV1FLyh7s3v9OHAoS8m3U3cbD4 aE7dPGfzAnwmMjl6FbCTkugUjknRVcs4X1OpwInuYrJGJ5innJoWGhZveEvFliTD
5tZUwLEFSgEKsBMYUrE03i6RjwHK1sNGbJ1Jwv6eWlGLqYnlGI1TgoZrx5SeZ/2R YBL8Mz8oXZhOK6alAR0Urt8z4B1J0USDn7ouSnWRsyqWgvotRp+fDDguFi/JILhD
ii1jXKv2TiKLrSuSe+WlwebSK2u8/sRiQ8F6FZI2vVt2S6FjHLgZPijjusxb6XRl AwhJEA+s8RatD1+RgYLvs1aghQcl+7KMWQdNuxbJiVDeljaKN4Ufx9UFfEXV74DG
v+AsfmR6k3xnmKRVgqIvvl4PMlUWiy0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQAY 09NMsphJ2FX5/WS+510oSiO9D4uWNdUCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEA
uw++Zz6+68dQvmd9MiHeYZxVsajDJ0RVEiV9V/TFLsGmJXmtHHX0vVjZJSpDomWJ HKqK24TYW7NvGoIifLaFyaSwAQV/OODpiZmTie3X5RBHR34v9fnBk5qnBf7EZEfC
WKPZu/HvR6KrtOtz+HM2ap5FFfPcg5LA2Dqau2tvTub1KdvDSbfaTqRsh1cQ8FQI uMg/mdMQm2Fst4uBzx9q8PltfcmCaX+/1M0F5nzhEszJ3cDevMBexNl7Q4nfYNTN
222gV/DG5AZ8AlSuDzTgrMuIeWjKZ6hhkirZVIO+rg== QShJyhSgr9cQ/K48k9IA64RRcRP9DWtSNzt0zzA4UCqlkBvKd6TdcC+rAzOigdhT
z0e1a9KVfKSxtXxyCAQZyKdsfWlhVyXPWd2urd8IfLfHdiFMKwyyreCCc4tCDjcA
QcJkv2bfL8Cb4cUd2vtI8kic9zUBFaOWyz9tOicGG2k3SBjN99iQfBAsqbHjtGnj
+dKbDCxXy4udsNINgfE3aA==
-----END CERTIFICATE----- -----END CERTIFICATE-----

BIN
ssl/test/axTLS.x509_4096.cer
View file

Binary file not shown.

39
ssl/test/axTLS.x509_4096.pem
View file

@ -1,20 +1,23 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIDWzCCAsQCCQCrCBinAwcoADANBgkqhkiG9w0BAQQFADA0MTIwMAYDVQQKEylh MIID3DCCAsQCCQClKsh4h/LnyjANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMDEy eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
MjYyMjMzNDFaFw0yNDA5MDMyMjMzNDFaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl MzAyMTA0MjdaFw0zMDA5MDgyMTA0MjdaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
Y3QxEjAQBgNVBAMTCTEyNy4wLjAuMTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCC
AgoCggIBAKOYAobI/sEAa0jY3Wnh2UBTQbKzLIEF0/PuVOehqtnXZ1T+7LPTuks8 AgoCggIBAMAKTqPX9LMlyPA5hJD/PHhwoGWfBbpnCAnKnBXtDssEfVLF1HUITKin
ijWm+OXN/uvLg0YZQDpOtjut7Jog6X3PDr1fnGCZB9ByzUqVDCC3OtY3Vlp8ax0b zC4vFpXKPqzahXA37DcgJZQg4qvPXaf2jY94pwlQKF52ibomUOnV/VLQUVRFvXK/
x0JuQ65ZHP7PlQn+2DDcmzsymooHXWdajCOb7TXdZCt48fau9fE/1pp4+Z0sKUiu 8+kY4K2UPfjJGzsfjF1XeOCPIxFlbltqCtXkM1PhVG9dnY+OZk2i6S+gcV3Fxgu3
bld/ihm5IgbmwSbRWrbHzZJ3MavMCHMKwCvCUDMU1s4Vek+DxZta3ApKPB5aQrW9 tiknju+YlsIrTMhpiUIq1fH7bVDWulXyru4rMREs+Y2lJrkrDGSJeh45vysZmcZA
fupNT01XEJkQBjpO8m8zPrcXQWKU0m2Ylj+7KXobNw+YuFgoZRhJLEdUaGN/RUVU bhb9WZtipCqiLVf1qkGAq54IpdSOcyS4x1hTYwOt+FOt8lmaOS1kGPKaecMtLLQv
pjdTZ8A6rCquiOMg1SaVm1pCP4zDk2wYrklfHSM/I9CZxBoixWEmYcVNAxREcm5Q O8iQ+9K7LM45t83o7VwFYqZtu/hlntWyiOlAFX8ht8vmxACjhnPW+lKVCe4kT3d9
LmLWhvE8PTL5MoOhkaOAn37NFtzqjfSHoTMMmXzqFjV1tKZJstQ+/vc61IKp5CcK g62Qidcbm1Vty8foCuWCC7H+30AETwG3NSm7idhidr/YoSDc5Ksk+jehSZ7PwXGZ
e6vPZfZH/t7Zx9h/7rgQQmwYfDRbv0GIKwTwFI5hxH9XipPQpS0CvOU/SemhqSVY xwF5PiqK0tN8QzICPwjChI6HOWIxWPYqDlL77aXoNpG9FVKrwBzpuIvg1H+aUPNr
9MdVZtv75Wq7Oagcd00qwvgSoNhVUKEym2zeckkt2ukcllohpLr5H7xRSlk1vXfJ h9erR1ZNmMmajVjVbvHG2LCwChWD7crq/RDtk3ioQiPrwI5eRTcN00AI8tTeD+6J
aXh9Yr1zxr1FWeSzlv9lu6VAFd7RV++i0fj99FnjgWMFUHvfXVExCS+jnD1VzfqW Q6SYdVZMeatn22kLyKtRzKL0phiirzm144wKKpcFWogrpJK/3Y1dU3rtSU+dGj+7
Hc1arikSZ1C1OaTL3eEDyC0RyPfRwCFWk4onUbaUbJgEegk1UQkBAgMBAAEwDQYJ agjjqwWAWlhztSDgesRTkn6QJLmVX+IKh7Jdo04i2Osw4ZGnyYKBAgMBAAEwDQYJ
KoZIhvcNAQEEBQADgYEAihEFhLAmC2H+wWMajxFOuGnKwIACS2XZiYX24/8wNUbJ KoZIhvcNAQEFBQADggEBABPkfLZVIJ5z5cIhmiN5yqjMKotzGMwi7ihiPx8YSgBc
CvE/iTv170ZPnT16Asfrc+PJWdVPU3j72bllHjKHtihgBoSCGceK2rN5I/vgVzm6 2grI7Aqyojn/gPBTvKXGRYCGC7aXIBo69RlbnZy0VW1fLqoNo8y6+zLiryCtxsv6
EbMBJBZVch8FHLNHqR0GXEtge1k8B4mI6rL3f9ZjmCkYgG9Ii7b8o3s2NT1e4E4= 3orQmHslh2WofzzhkNyazT3WoGvzV4qhzK5KU7vkrFpHcwiLFRglBMP4ruoOq8jY
4wKDrP3FpgaSpY4NOm7ro7LiYzmVcj6A9Gci6mm55er6ZGX0yI9O1FXOZCxABPJF
kDEAk4GQScbaEDBZWjFAhkmdwYnE3n6usPnURwp08vDRkd4bGdrMT2KtP5ASNigQ
vEaYj2pQJLS8Eljwc6nEBeGrZ14fGXXaVh+p9TKrpM8=
-----END CERTIFICATE----- -----END CERTIFICATE-----

BIN
ssl/test/axTLS.x509_512.cer
View file

Binary file not shown.

11
ssl/test/axTLS.x509_512.pem
View file

@ -1,11 +0,0 @@
-----BEGIN CERTIFICATE-----
MIIBkjCB/AIJAKsIGKcDByf8MA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNVBAoTKWF4
VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMTIy
NjIyMzMzOFoXDTI0MDkwMzIyMzMzOFowLDEWMBQGA1UEChMNYXhUTFMgUHJvamVj
dDESMBAGA1UEAxMJMTI3LjAuMC4xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMjK
XU67trg56k7LhG5v5XhsUTpVFI5ZOpcat/ry3WhtJS6q3lnB3vGQ4n/U47F7yXVT
IpDJ0Zxv2hm/0LfudBcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQAblnZaFNsGtBkI
K9rqJqB1HX4ty2lU8ALFvOfBdiUHXTjt0UAChirMdr96ELZutPic4P3Spe6oa7Ay
YEuqS9I6/TN3iEHeBkG7tYRpfmUeFuZl8EqzWbLmQsMhNj0CE86utPOnkygYRYIK
PRUw3ZLDlmePKJOZ3LC7kKBBNrKYgw==
-----END CERTIFICATE-----

22
ssl/test/axTLS.x509_aes128.pem
View file

@ -1,11 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBkjCB/AIJAKsIGKcDBygCMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNVBAoTKWF4 MIICWDCCAUACCQClKsh4h/Ln0DANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMTIy eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
NjIyMzM0M1oXDTI0MDkwMzIyMzM0M1owLDEWMBQGA1UEChMNYXhUTFMgUHJvamVj MzAyMTA0MjhaFw0zMDA5MDgyMTA0MjhaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
dDESMBAGA1UEAxMJMTI3LjAuMC4xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALll Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
NkpkyLOhA5d2ys+edm5yNrkFg/vq++Uu6BXJEqvto7UabK624NzvI9APboEMbHVJ gYEA8k4Lr67fner/JtPfbCJe9+RMyq4ErKmXDlxQnXDEcvn/7Mw/CcNQXDPDRTN2
gceP8Gc05uj6rnldy+sCAwEAATANBgkqhkiG9w0BAQUFAAOBgQApsgHtuktgEuwC /pw0Cwb45Pgv0bqTAFPK2sWhp68QMiuyl+lIUGSrgXX69nW7B2cAp4YSNW55M8SQ
kWRG4e4wIRcWl6E1SN6tW0vtGU+KGXtAxXHikIfK/0krnfQMKfHGV4Rhj689X1j5 EISL3QOkzl1oHW3iuxxGeuCGuVv0i4gRxhQ1XkHdoGOc4G0CAwEAATANBgkqhkiG
CoYYBZduyc/hJuCMhwwEqELrSQ60Rv33tZniYZ/iYDQEoE//q4cvwG/sK830w9wx 9w0BAQUFAAOCAQEAPbTh7YlIYA/XOKC1Laf0SQ0HQU4hC9rd1IowBIyKYT5YlKVM
/5Dm3eR7kLXGtzHeVUnUWKGv4FILNw== VIrmqN7B3ytUZbP3eL9ZO63G5NHmGk/i+RpxF+O0oX09uhIPWHlupZ1LeEHDwsSG
5OjZ1scU0bbIX/aBNPDL8hU7/TSTtL7NY9939cHE5LVwdSuOqndXl5nPFKxyJjfB
npworzs+UUwXLAcJSRHTruyRf6fvSfl1NdMabWiR/L7+tzDV0842+HwUsJLUlWFv
osK0avS8ER8PrFMRnKqGIK416B38ZMjn65G/J5v1j/RSHDAWjp+SYAFHaxiU0gEk
WOAZlVmG1vVlFk/ubTJ/vd+RAk0QYI+THgwlbQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----

22
ssl/test/axTLS.x509_aes256.pem
View file

@ -1,11 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBkjCB/AIJAKsIGKcDBygDMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNVBAoTKWF4 MIICWDCCAUACCQClKsh4h/Ln0TANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMTIy eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
NjIyMzM0M1oXDTI0MDkwMzIyMzM0M1owLDEWMBQGA1UEChMNYXhUTFMgUHJvamVj MzAyMTA0MjhaFw0zMDA5MDgyMTA0MjhaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
dDESMBAGA1UEAxMJMTI3LjAuMC4xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAKwr Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
ugc8AhMAcq/BiZYLgyKL9mAWBHDJxuUGS/NHE2WDdMOVE1Tf1Ame4onsYVTorN0Y gYEAqn/ZBpw3WLD87W/rVp8rdvg2yoml5CSMfePkcXKCfbWMAkZOJJtMupPoMFC9
/3Emj8/WBcBpqmRxHtUCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBr2uCTrm9d9x4B CbQ5EUmSV47BHGTh0xnQK/4s4bc6lPVtkK7dJtFfonCsiTErW0p6z0q7tQfWFEd3
MIak3R+RxRUb3920uhASV8PMZ0vYXW2qPnHKAol8ZK2p5ywTzPPRjlTQpF65y9aM NGNFv/qVIsB0hJDOJn8x30wYWCOY+gC+53KJzRVcRMoM75sCAwEAATANBgkqhkiG
K3wFRR7hjBfbf9qzr5jwh3p658OoXSQ9hR0KxvgeDWvnLZRJAAebl/4FE1XV0HZ8 9w0BAQUFAAOCAQEAqI4YkmyznQ9lE0+2cSkRX7ELJeKGedGFCCKJZaee5k9R4PBc
qhFk5fMnD5nabFdq4FK6pWQjUZjMmw== fg97WsEMARSl2WLzAkK3rjSQWslbRxb/u1NYhd2uBdrYGIMXgPyBIjV7sSoI0TkC
3muhke+W2yZsVp55DoJpfsX9dIfzbM0ICbaD509xuClfraIafO/6VLrw/+BzTTVM
DECTo1dCheYYXyOJPgdgdcABKKb3WkTLJPkV6SCK0D8xAHpTRR8AtT0xu60JDRoq
wcKZie02AXOgg3mEQPdvmVDb+cgOL2Cb/nyraS2OVKPRTZfQfvhve0mU3DN/TVDB
7N9bVd1WNst+bsNIE0SbnYiF/oSdnHGNQxaLGA==
-----END CERTIFICATE----- -----END CERTIFICATE-----

22
ssl/test/axTLS.x509_bad_after.pem
View file

@ -1,11 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBkjCB/AIJAKsIGKcDBygFMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNVBAoTKWF4 MIICWDCCAUACCQClKsh4h/Ln0zANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTEwMTIy eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xNjEy
NjIyMzM0NFoXDTA5MTIyNjIyMzM0NFowLDEWMBQGA1UEChMNYXhUTFMgUHJvamVj MzAyMTA0MjhaFw0xNTEyMzEyMTA0MjhaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
dDESMBAGA1UEAxMJMTI3LjAuMC4xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMjK Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
XU67trg56k7LhG5v5XhsUTpVFI5ZOpcat/ry3WhtJS6q3lnB3vGQ4n/U47F7yXVT gYEAvQ/UQqh0h1SquTofi869t2X7QD3QEZqc3IJ86qgX4XTzBQ5hwcF4irK6FSJa
IpDJ0Zxv2hm/0LfudBcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCdnukuKxxoJB14 /5u4ei4PiLd03gSZpaKZU4uteFox7bwB59/p7C+gXVP25oqgyG1BRWMjs89OUB8o
jBVwv4fZLffn3b/GT2LrjLCtk9/mQv9ECbHxOZ9ZOGtFCkkMIP6lnzrng/U/fTT4 3zbic9/WobNGT267DZvvqPlMpXGhiN0HqYYNP82ZI6KEdw8CAwEAATANBgkqhkiG
hMdxCCEljxUA7zdCvvLjNgYYW4B4BiEwOokG33fIGM/6dpVrybxJ4Z225AvKAkU9 9w0BAQUFAAOCAQEAqk3O/LBqyketDzFqMe7L8nqmM/crpmjZ93KEwhrc7uRKJgXm
p8h6yItFqR4/SMYqZLzsr75PlCKyIw== CjfTSm7D43l4xbz/NbHnNvSFnblFoioAQP23opotJV/WutmrGCIjpidLc682GvcP
DvhlOTAqoVFFWmjL6gj2iKEtIUzxCMI7K/h/znQvk/NrsfvOF0uZtpMoLqqo4o3Y
V2vogbTEPpr77952JMpsLvJYatwiYo8G7Pc8qdl86mk3tx1Kqn/Pl9CgMgj8tgFi
tcBRFePe3WvAiK7vnSqz7H4NUXrcv0RTA7f/bUXNWoRUI98GbYKVpxgIY7uFmLF8
0jb92pWMlA9Ps0fAdMKs98c7dIaJi0buM5Mtuw==
-----END CERTIFICATE----- -----END CERTIFICATE-----

22
ssl/test/axTLS.x509_bad_before.pem
View file

@ -1,11 +1,15 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBkjCB/AIJAKsIGKcDBygEMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNVBAoTKWF4 MIICWDCCAUACCQClKsh4h/Ln0jANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh
VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTI0MTIz eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yNDEy
MTE0MDAwMFoXDTI1MTIzMTE0MDAwMFowLDEWMBQGA1UEChMNYXhUTFMgUHJvamVj MzExNDAwMDBaFw0yNTEyMzExNDAwMDBaMCwxFjAUBgNVBAoTDWF4VExTIFByb2pl
dDESMBAGA1UEAxMJMTI3LjAuMC4xMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMjK Y3QxEjAQBgNVBAMTCWxvY2FsaG9zdDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkC
XU67trg56k7LhG5v5XhsUTpVFI5ZOpcat/ry3WhtJS6q3lnB3vGQ4n/U47F7yXVT gYEAvQ/UQqh0h1SquTofi869t2X7QD3QEZqc3IJ86qgX4XTzBQ5hwcF4irK6FSJa
IpDJ0Zxv2hm/0LfudBcCAwEAATANBgkqhkiG9w0BAQUFAAOBgQCMgBB+4M4ud6Zf /5u4ei4PiLd03gSZpaKZU4uteFox7bwB59/p7C+gXVP25oqgyG1BRWMjs89OUB8o
kZgxFB+upuKhRkXD+6Am2N+XGvJzsB8CsZ4jMxPczgZwrMTPKxm/bCbX7ftLwtps 3zbic9/WobNGT267DZvvqPlMpXGhiN0HqYYNP82ZI6KEdw8CAwEAATANBgkqhkiG
77eyjihTCE3WzFZMEwT+mY28Cn0B7FkovrLvKEXQROfyDwkt7HWBGJEuSO6JAdAa 9w0BAQUFAAOCAQEALWtzVdl7s7NHPKslDc0NN2N/kqd8V5Ug93s9POLPQV6Cq7fH
0mesxjwqjiLmmBoY5BLtfc1CGa8muw== WPzxdU/IcLwocngqDzYEADlKJL1prRIP7IEtclRW109kVf5ge4waL7BIFogX0iII
WzjSlLTdYFo6ZK/oxwg86+zVA9UbkWbvQwSGE60Hqr8GEaqon09CxYUpFTtOq7qZ
Ikjjf1Rz/t1AAGXoN2Yls1hm2ONYFuxQq+dBME0sSL7hdhwFoOi/u3Q0QXmg4Z1Y
xe0J3Pg1mt5nsh4cY0QDNZdSbZz1p4jVY5RxQsoYzgyVYQWBeDJGKs2RN8o1CFko
EMQ4Bq65fSUs5hPnYGl4iibWmQQgAWkasKZwaw==
-----END CERTIFICATE----- -----END CERTIFICATE-----

BIN
ssl/test/axTLS.x509_device.cer
View file

Binary file not shown.

50
ssl/test/axTLS.x509_device.pem
View file

@ -1,24 +1,34 @@
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBjTCCATcCCQCrCBinAwcoATANBgkqhkiG9w0BAQUFADAsMRYwFAYDVQQKEw1h MIICUjCCAbsCCQClKsh4h/LnyzANBgkqhkiG9w0BAQUFADAsMRYwFAYDVQQKEw1h
eFRMUyBQcm9qZWN0MRIwEAYDVQQDEwkxMjcuMC4wLjEwHhcNMTAxMjI2MjIzMzQy eFRMUyBQcm9qZWN0MRIwEAYDVQQDEwlsb2NhbGhvc3QwHhcNMTYxMjMwMjEwNDI3
WhcNMjQwOTAzMjIzMzQyWjArMSkwJwYDVQQKEyBheFRMUyBQcm9qZWN0IERldmlj WhcNMzAwOTA4MjEwNDI3WjArMSkwJwYDVQQKEyBheFRMUyBQcm9qZWN0IERldmlj
ZSBDZXJ0aWZpY2F0ZTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAx9iw2v0K ZSBDZXJ0aWZpY2F0ZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL1d
zlzix7KiwmskWLO+KpVpZPci07SCVcbpgSTaONE8BvIPkqui4bWQQA+7WWjPV44C D6JnZqcce7NfbntIrT5T7rFq00sKH6FhFNeNXae3EvXl3Ep0FeaX72L78NtR7GR8
ItYhY3NXigCxWhCqc0+aUvRzNJiuPG4MDuA1dIG7wrdS5cHxAtRJF4KDA7pmcBdG vsVtnLqY0Ac76j7a66gM+KdhPVR0zLs7w0knI+hlNAVA/hkN6rYS5FzH4e6SWRTe
6aCpXSyvWsqerFzmHu3XAXPAlYzoqs1Qg6MCAwEAATANBgkqhkiG9w0BAQUFAANB Q2LVas0hPrn2ZWJXwarE9QTjfXkbNn03+jpzBQKcdADYychRJbtnBH94on/92ejx
ALx4Z9moVhA05QsUrMiyy/+NCiFhaOtZfe6kElJoAl4B1EcGQor8ozE3cFuLOLeQ dIlDbSmgzQ1b1QaIkWvZlLo+L8Z8h+B5ss04adm1wyzFDlYs/1lmbPTZf0KCXbsi
YuAX5YpbpxuafYbzw1AdAU8= WRhIotVDOVUvNakJ7tnU9YPxNMj18LTkFJ1YI0jD31vggMidV03UsFQ0rMlwKcsc
bUhGGzPNbdxhr5pgn/kCAwEAATANBgkqhkiG9w0BAQUFAAOBgQBX+beg1jGMSqQd
6Q/d07mQCLuEwmXmmz7hc0lgp6IumjsxulO2xLiotXie7e3GIRAVgJsd6ysRJKim
IioOMxcwUMWw0CcqjcwqorczJjsqzW99dzCd3NcDiDxx+7Pye58D8qOLHGtafC9n
TjQELV6dNIUX5IfH/18jAkPEmFcOUg==
-----END CERTIFICATE----- -----END CERTIFICATE-----
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIB3zCCAUgCCQD76Ccq3Co3qjANBgkqhkiG9w0BAQUFADA0MTIwMAYDVQQKEylh MIIDDjCCAfagAwIBAgIJAORglrABpAToMA0GCSqGSIb3DQEBBQUAMDQxMjAwBgNV
eFRMUyBQcm9qZWN0IERvZGd5IENlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0xMDEy BAoTKWF4VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
MjYyMjMzMzdaFw0yNDA5MDMyMjMzMzdaMDQxMjAwBgNVBAoTKWF4VExTIFByb2pl DTE2MTIzMDIxMDQyN1oXDTMwMDkwODIxMDQyN1owNDEyMDAGA1UEChMpYXhUTFMg
Y3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUA UHJvamVjdCBEb2RneSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEiMA0GCSqGSIb3
A4GNADCBiQKBgQCfxX6VHEhZNsMIqPPxt53h1UpfX1jU7ctqwBR4dpWRj3H6cCBN DQEBAQUAA4IBDwAwggEKAoIBAQCxIzCSlgeXAiyLWjGWUkuMA+OPJzH23pDcE7Nc
EK8xj7IVcBTJq6vcMRDwrAUrElSIZl8Kv6+ZqhTss2j+E2tfzkzehP9LcAdAR+UM FKhkdzXAD6tBW4odqul7y1g4qU0/xvv16NsK//VTc2VWQwkm0tlQ+0PBMTBRk0Qb
JPBsYXic/+vmH5JCMO7CXLUsDJmO2q2Z1TjTtchu2DgAueTo0hWRtMvbMwIDAQAB XuLFLjfyYYjUBsde/CE9qhPbhTKYQ5xsnEBm4KUN/Mqk3sKXo7M3s7HjiAeYEIFK
MA0GCSqGSIb3DQEBBQUAA4GBABoJU0aQMTocVLNbcY4tbfqLck2oAn/OVjG0p/8p dSFECcljEPrHzAEvDwd0fRsx2hzb4fgrJbfW4wa9rsL1iVQI9VAY8mxM/UMtGySr
GIJzlVKOtZ76ZkqHIbcXNKNlgjXy+4S3R+6+mkYcn0JVbVg7eN0tsDlMB04YyFaD L7M7U0RFRM5fK0d5guWH9f+j41hW9R/tYq7qoLcjgcr45nk5bcT4RoTvehhGZRUN
95D47KEzmDky4Yj2nqI4SmvVTf2lyYxV1zknrFUXND+WvjGxge3gpJxtMoTGE5E0 pVq8vttEoR/Y1JvOjBT5WwUSfJcgXtidEWnQPXKszNoLj1sNAgMBAAGjIzAhMA8G
Jc3F A1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgGGMA0GCSqGSIb3DQEBBQUAA4IB
AQByY8+gtxSKO5ASYKArY8Sb4xJw0MNwsosARm17sT/8UTerS9CssUQXkW4LaU3T
SzFVxRUz9O+74yu87W58IaxGNq80quFkOfpS39eCtbqD2e4Y/JuC30hK/GmhBquD
gVh3z3hD8+DUXq83T1+9zgjCppLeQfaFejbaJSwQ7+K6gJn5JZNiaHVGN1GO6lT6
5W3zqep5zU6a4T5UeZqkYyuzfTBbIkgEga0JzPaCdd5JOrwFR3UNWlICOxr7htDI
FqiTrA0RH2ZNmrmJDcM1pFWlQAPnvDoRLeMpmvWZDnGrWYDzyt0j5G0bIPL7214c
b5kxOvfGlM4E6v+lMSw/HDrI
-----END CERTIFICATE----- -----END CERTIFICATE-----

19
ssl/test/axTLS.x509_end_chain.pem Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDJDCCAgygAwIBAgIJAKUqyHiH8ufOMA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
BAoTHWF4VExTIFByb2plY3QgSW50ZXJtZWRpYXRlIENBMB4XDTE2MTIzMDIxMDQy
OFoXDTMwMDkwODIxMDQyOFowLDEWMBQGA1UEChMNYXhUTFMgUHJvamVjdDESMBAG
A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
7R4S75j5ZfknrzbsAvUnqS997FNk545sGo0YraDQ7CeJXGqeDyUTpdwtzBt8H8/a
xNP1BFdgNEWnF1C1HXVbhqWxq16IlakqZYkYldHJMPQgFa3YuRN4Y0i8sn8A1Fbe
69D//57JZr1wt+qxAJWWn0anPGXmR0HlO0At1ACQkKGSE+ajTB2TnO7UTsjKRrXP
v16FdWTXkJTVHUdVuAs6IfgAKkvQQ5zA8D6IXgjWsToWdFzlI8eTDHZqZJiw8gPg
7xG0jepN9JU05JRc4NduzeVj/0WT0tdilO0jQP/+8FgikdOeDU6wo4/e0Ta5bdZe
7apqOBfdDnq3EUnHO1ZQbQIDAQABo00wSzAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB
/wQEAwIF4DArBgNVHREEJDAigg93d3cuZXhhbXBsZS5uZXSCD3d3dy5leGFtcGxl
Lm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAbPQ1Y205Ricl1K2ByVa2RHJyYGP0Qj+H
5mWj4A92N1vAb6uOrliqFYOClYINGsKKC8YDZdyA4c8ZglCKZ2RePwOSdaWIw7wi
Efhysyq3WLSlo5jEcnkO7o5dV/7V7FX/+65UEXu35ZqaE8ZY++eotmLzccnInYP3
1e4oaF5hyZIHVNCXnywNvchSkXjN0HhvIpeLTyzC5MQkQMMEOi8EBOgTGAo4UvL9
eau3YhhpvfnCDlrRB6N79RcTLmJyOj5g1YO/9wn/du+EMwEkKUg5QJHzwUB2+ISp
57JjKh2BQt0g/XJfRugHQcNtjUu73Ziexpl0qaXjNjb8mvsuV9RX0g==
-----END CERTIFICATE-----

19
ssl/test/axTLS.x509_end_chain_bad.pem Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDJjCCAg6gAwIBAgIJAKUqyHiH8ufPMA0GCSqGSIb3DQEBCwUAMCoxKDAmBgNV
BAoTH2F4VExTIFByb2plY3QgSW50ZXJtZWRpYXRlIDIgQ0EwHhcNMTYxMjMwMjEw
NDI4WhcNMzAwOTA4MjEwNDI4WjAsMRYwFAYDVQQKEw1heFRMUyBQcm9qZWN0MRIw
EAYDVQQDEwlsb2NhbGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQDtHhLvmPll+SevNuwC9SepL33sU2TnjmwajRitoNDsJ4lcap4PJROl3C3MG3wf
z9rE0/UEV2A0RacXULUddVuGpbGrXoiVqSpliRiV0ckw9CAVrdi5E3hjSLyyfwDU
Vt7r0P//nslmvXC36rEAlZafRqc8ZeZHQeU7QC3UAJCQoZIT5qNMHZOc7tROyMpG
tc+/XoV1ZNeQlNUdR1W4Czoh+AAqS9BDnMDwPoheCNaxOhZ0XOUjx5MMdmpkmLDy
A+DvEbSN6k30lTTklFzg127N5WP/RZPS12KU7SNA//7wWCKR054NTrCjj97RNrlt
1l7tqmo4F90OercRScc7VlBtAgMBAAGjTTBLMAwGA1UdEwEB/wQCMAAwDgYDVR0P
AQH/BAQDAgXgMCsGA1UdEQQkMCKCD3d3dy5leGFtcGxlLm5ldIIPd3d3LmV4YW1w
bGUub3JnMA0GCSqGSIb3DQEBCwUAA4IBAQBGJydzARx5fNYprptRG9c3pqecGKlX
ArxbLe+K+83wS427HnWONnuZ5LJKGkuXjIeh1G/2AfKYXJz/SMN0IPYY3ro5Lt1Z
GOPyn01qcj6OkfyiUPCDIsVFS9V0TVLTBLTMZFa1j6nMHs8Ajmm10Fkf/NQP/CVk
zEgoktjb+wLqw1iPUGqkVepVtp3wg7VQY6E07SliNp/06Q3ue6xLJnYlKqFhUQf7
064JyRIH9W/C2WnxWbKRBjsE4gCRnMvKQrCrfR64VohCr6XvygIIufwCG/CLJogn
4OJMqz1oDkABPgSgjNhOdwnt+3dvxbjQBiRy1ERfNAJLo+V6x6aO1Gqz
-----END CERTIFICATE-----

19
ssl/test/axTLS.x509_intermediate_ca.pem Normal file
View file

@ -0,0 +1,19 @@
-----BEGIN CERTIFICATE-----
MIIDAjCCAeqgAwIBAgIJAKUqyHiH8ufMMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAoTKWF4VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
DTE2MTIzMDIxMDQyN1oXDTMwMDkwODIxMDQyN1owKDEmMCQGA1UEChMdYXhUTFMg
UHJvamVjdCBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDOF2/0KBnz3n4m4Xgnm22ApLwcMovm4IBg5LYH6jU6QbNhGRIj68Dj
UGk98TwPw/2WCNxvMA6s6+Bgc9md4TcjHWaGXI/Budd6wLjwBqFtZd4cUku7cevc
R+MhWeCm0gcXT8VeYu06NzEuk/+ZfJRNftubQ0yGAS/EBffh89+AzivoDA9gvDEk
aXRziutv1yGgOZenv7vY2eOI7+lfOtSQjRUv59XpT9xP2ujqnrAlh7C99cDOpXTU
HvrF/5CFganqH8dJlCe1NB8DYoincfuOFpVeAL8LLJn9+/HVBQBULLykxyQWzti4
u1W6EA5nUql5nNpCi3BGNMR5GQX32ILHAgMBAAGjIzAhMBIGA1UdEwEB/wQIMAYB
Af8CAQAwCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAYt1Wq1XsZjOWf
mH9XzI3k8UEtErTkBX5SXH10siY5tYmHzH02jaZVRC1yNrxQevqARhR1yj3daKg3
+innX8foKlYRCxTfFeE/HELcm7rIt5mrIGdGAFn2fnImO5kpXxbPk6IAXRTp6lN8
QS08Ah1Aaeh0ae2Ruzx2TOnG/IuB7ChliJxepo0KtRw6RN6ETvC2KS0glSf5fPW7
c18UPbTesecrki12FlaGbPD/sWHOltBIpPXzgef7G8b6CiYqaX0T3T/47RLRwrMm
SAcbMerJZoyudbLd+OHGtvz5kOmYCoZYkay121MSvtFucHnR3UjEui2lUbL1Qi92
2L3MUIVn
-----END CERTIFICATE-----

37
ssl/test/axTLS.x509_intermediate_ca2.pem Normal file
View file

@ -0,0 +1,37 @@
-----BEGIN CERTIFICATE-----
MIIC+TCCAeGgAwIBAgIJAKUqyHiH8ufNMA0GCSqGSIb3DQEBCwUAMCgxJjAkBgNV
BAoTHWF4VExTIFByb2plY3QgSW50ZXJtZWRpYXRlIENBMB4XDTE2MTIzMDIxMDQy
N1oXDTMwMDkwODIxMDQyN1owKjEoMCYGA1UEChMfYXhUTFMgUHJvamVjdCBJbnRl
cm1lZGlhdGUgMiBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKoa
fskhD+DqHbPtvZxd/WrqhJif6k1KkAs/vYlsjoaejVOaSdi2YkDcVViM2rBR6fSN
XL5n/uH57LTKWhZf07XQqUJ7lfnhSHu2pRD+vj3N2Ihazs8jtF56iXGcJppKa+aJ
rxnMfRW3Kyn5c34Jp+GbxiHYLcJAPmQI+lpKWRxhqc6i2MgBc/On8ADXk+CN2vdG
hsDhKP6J/o7yQPjvCgEbBcfsrKca30mbTVUzVhX0H5CCLe7zlp3r2TQBJDJx8WPI
wxavBAAjRg6N69I/huYpkZfD9IXZJaTdutTktYQDVTN5drdiDTTf1JGYyXt/0+0V
t9ANFWd1pP589yICpQ8CAwEAAaMkMCIwEgYDVR0TAQH/BAgwBgEB/wIBCjAMBgNV
HQ8EBQMDBwWAMA0GCSqGSIb3DQEBCwUAA4IBAQBNWDjqxlO0BwMdyxfUs1wDsLiq
4hOmUFwCv8TuTFsL9aNe7OIJRT8IF2pHw07qyvAxJVEWUCLK/KLq0HrRTzRZO/tK
eNroHMHS+fBwFuHFp+1RGMK2rHLajxVVB6X0aeLWKrNKrvUQZL+Tx+NZ3dEO62rq
rANnElCrnyI1bIBKwHdUbOMOHeZAECr7H0KfvaX8F67aln4IwPzCauQM3DFf9h9Z
FvmxUdVgjRZK4e5he9k4gT/Faom0z/ApnW4DJRF8rpCPWqN872aNpL8NPZuOFtiD
Gzg5O4wJYx7OWIPa/qcQ0hTbn5waPzC68X448tlJTPiwyeKsYT3JwWqLi6o5
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDAjCCAeqgAwIBAgIJAKUqyHiH8ufMMA0GCSqGSIb3DQEBCwUAMDQxMjAwBgNV
BAoTKWF4VExTIFByb2plY3QgRG9kZ3kgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4X
DTE2MTIzMDIxMDQyN1oXDTMwMDkwODIxMDQyN1owKDEmMCQGA1UEChMdYXhUTFMg
UHJvamVjdCBJbnRlcm1lZGlhdGUgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
ggEKAoIBAQDOF2/0KBnz3n4m4Xgnm22ApLwcMovm4IBg5LYH6jU6QbNhGRIj68Dj
UGk98TwPw/2WCNxvMA6s6+Bgc9md4TcjHWaGXI/Budd6wLjwBqFtZd4cUku7cevc
R+MhWeCm0gcXT8VeYu06NzEuk/+ZfJRNftubQ0yGAS/EBffh89+AzivoDA9gvDEk
aXRziutv1yGgOZenv7vY2eOI7+lfOtSQjRUv59XpT9xP2ujqnrAlh7C99cDOpXTU
HvrF/5CFganqH8dJlCe1NB8DYoincfuOFpVeAL8LLJn9+/HVBQBULLykxyQWzti4
u1W6EA5nUql5nNpCi3BGNMR5GQX32ILHAgMBAAGjIzAhMBIGA1UdEwEB/wQIMAYB
Af8CAQAwCwYDVR0PBAQDAgGGMA0GCSqGSIb3DQEBCwUAA4IBAQAYt1Wq1XsZjOWf
mH9XzI3k8UEtErTkBX5SXH10siY5tYmHzH02jaZVRC1yNrxQevqARhR1yj3daKg3
+innX8foKlYRCxTfFeE/HELcm7rIt5mrIGdGAFn2fnImO5kpXxbPk6IAXRTp6lN8
QS08Ah1Aaeh0ae2Ruzx2TOnG/IuB7ChliJxepo0KtRw6RN6ETvC2KS0glSf5fPW7
c18UPbTesecrki12FlaGbPD/sWHOltBIpPXzgef7G8b6CiYqaX0T3T/47RLRwrMm
SAcbMerJZoyudbLd+OHGtvz5kOmYCoZYkay121MSvtFucHnR3UjEui2lUbL1Qi92
2L3MUIVn
-----END CERTIFICATE-----

176
ssl/test/make_certs.sh
View file

@ -1,7 +1,7 @@
#!/bin/sh #!/bin/sh
# #
# Copyright (c) 2007, Cameron Rich # Copyright (c) 2007-2016, Cameron Rich
# #
# All rights reserved. # All rights reserved.
# #
@ -39,21 +39,36 @@ PROJECT_NAME="axTLS Project"
# Generate the openssl configuration files. # Generate the openssl configuration files.
cat > ca_cert.conf << EOF cat > ca_cert.conf << EOF
[ req ] [ req ]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
prompt = no prompt = no
req_extensions = v3_ca
[ req_distinguished_name ] [ req_distinguished_name ]
O = $PROJECT_NAME Dodgy Certificate Authority O = $PROJECT_NAME Dodgy Certificate Authority
[ v3_ca ]
basicConstraints = critical, CA:true
keyUsage = critical, cRLSign, keyCertSign, digitalSignature
EOF EOF
cat > certs.conf << EOF cat > certs.conf << EOF
[ req ] [ req ]
distinguished_name = req_distinguished_name distinguished_name = req_distinguished_name
prompt = no prompt = no
req_extensions = v3_usr_cert
[ req_distinguished_name ] [ req_distinguished_name ]
O = $PROJECT_NAME O = $PROJECT_NAME
CN = 127.0.0.1 CN = localhost
[ v3_usr_cert ]
basicConstraints = critical, CA:false
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.example.net
DNS.2 = www.example.org
EOF EOF
cat > device_cert.conf << EOF cat > device_cert.conf << EOF
@ -65,72 +80,130 @@ prompt = no
O = $PROJECT_NAME Device Certificate O = $PROJECT_NAME Device Certificate
EOF EOF
cat > intermediate_ca.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_intermediate_ca
[ req_distinguished_name ]
O = $PROJECT_NAME Intermediate CA
[ v3_intermediate_ca ]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = cRLSign, keyCertSign, digitalSignature
EOF
cat > intermediate_ca2.conf << EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no
req_extensions = v3_intermediate_ca2
[ req_distinguished_name ]
O = $PROJECT_NAME Intermediate 2 CA
[ v3_intermediate_ca2 ]
basicConstraints = critical, CA:true, pathlen:10
keyUsage = encipherOnly, keyCertSign, decipherOnly
EOF
# private key generation # private key generation
openssl genrsa -out axTLS.ca_key.pem 1024 openssl genrsa -out axTLS.ca_key.pem 2048
openssl genrsa -out axTLS.key_512.pem 512
openssl genrsa -out axTLS.key_1024.pem 1024 openssl genrsa -out axTLS.key_1024.pem 1024
openssl genrsa -out axTLS.key_1042.pem 1042
openssl genrsa -out axTLS.key_2048.pem 2048 openssl genrsa -out axTLS.key_2048.pem 2048
openssl genrsa -out axTLS.key_4096.pem 4096 openssl genrsa -out axTLS.key_4096.pem 4096
openssl genrsa -out axTLS.device_key.pem 1024 openssl genrsa -out axTLS.key_device.pem 2048
openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 512 openssl genrsa -out axTLS.key_intermediate_ca.pem 2048
openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 512 openssl genrsa -out axTLS.key_intermediate_ca2.pem 2048
openssl genrsa -out axTLS.key_end_chain.pem 2048
openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 1024
openssl genrsa -aes256 -passout pass:abcd -out axTLS.key_aes256.pem 1024
# convert private keys into DER format # convert private keys into DER format
openssl rsa -in axTLS.key_512.pem -out axTLS.key_512 -outform DER
openssl rsa -in axTLS.key_1024.pem -out axTLS.key_1024 -outform DER openssl rsa -in axTLS.key_1024.pem -out axTLS.key_1024 -outform DER
openssl rsa -in axTLS.key_1042.pem -out axTLS.key_1042 -outform DER
openssl rsa -in axTLS.key_2048.pem -out axTLS.key_2048 -outform DER openssl rsa -in axTLS.key_2048.pem -out axTLS.key_2048 -outform DER
openssl rsa -in axTLS.key_4096.pem -out axTLS.key_4096 -outform DER openssl rsa -in axTLS.key_4096.pem -out axTLS.key_4096 -outform DER
openssl rsa -in axTLS.device_key.pem -out axTLS.device_key -outform DER
# cert requests # cert requests
openssl req -out axTLS.ca_x509.req -key axTLS.ca_key.pem -new \ openssl req -out axTLS.ca_x509.csr -key axTLS.ca_key.pem -new \
-config ./ca_cert.conf -config ./ca_cert.conf
openssl req -out axTLS.x509_512.req -key axTLS.key_512.pem -new \ openssl req -out axTLS.x509_1024.csr -key axTLS.key_1024.pem -new \
-config ./certs.conf -config ./certs.conf
openssl req -out axTLS.x509_1024.req -key axTLS.key_1024.pem -new \ openssl req -out axTLS.x509_2048.csr -key axTLS.key_2048.pem -new \
-config ./certs.conf -config ./certs.conf
openssl req -out axTLS.x509_1042.req -key axTLS.key_1042.pem -new \ openssl req -out axTLS.x509_4096.csr -key axTLS.key_4096.pem -new \
-config ./certs.conf -config ./certs.conf
openssl req -out axTLS.x509_2048.req -key axTLS.key_2048.pem -new \ openssl req -out axTLS.x509_device.csr -key axTLS.key_device.pem -new \
-config ./certs.conf
openssl req -out axTLS.x509_4096.req -key axTLS.key_4096.pem -new \
-config ./certs.conf
openssl req -out axTLS.x509_device.req -key axTLS.device_key.pem -new \
-config ./device_cert.conf -config ./device_cert.conf
openssl req -out axTLS.x509_aes128.req -key axTLS.key_aes128.pem \ openssl req -out axTLS.x509_intermediate_ca.csr \
-key axTLS.key_intermediate_ca.pem -new \
-config ./intermediate_ca.conf
openssl req -out axTLS.x509_intermediate_ca2.csr \
-key axTLS.key_intermediate_ca2.pem -new \
-config ./intermediate_ca2.conf
openssl req -out axTLS.x509_end_chain.csr -key axTLS.key_end_chain.pem -new \
-config ./certs.conf
openssl req -out axTLS.x509_aes128.csr -key axTLS.key_aes128.pem \
-new -config ./certs.conf -passin pass:abcd -new -config ./certs.conf -passin pass:abcd
openssl req -out axTLS.x509_aes256.req -key axTLS.key_aes256.pem \ openssl req -out axTLS.x509_aes256.csr -key axTLS.key_aes256.pem \
-new -config ./certs.conf -passin pass:abcd -new -config ./certs.conf -passin pass:abcd
# generate the actual certs. # generate the actual certs.
openssl x509 -req -in axTLS.ca_x509.req -out axTLS.ca_x509.pem \ openssl x509 -req -in axTLS.ca_x509.csr -out axTLS.ca_x509.pem \
-sha1 -days 5000 -signkey axTLS.ca_key.pem -sha1 -days 5000 -signkey axTLS.ca_key.pem \
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_512.pem \ -CAkey axTLS.ca_key.pem -extfile ./ca_cert.conf -extensions v3_ca
openssl x509 -req -in axTLS.ca_x509.csr -out axTLS.ca_x509_sha256.pem \
-sha256 -days 5000 -signkey axTLS.ca_key.pem \
-CAkey axTLS.ca_key.pem -extfile ./ca_cert.conf -extensions v3_ca
openssl x509 -req -in axTLS.x509_1024.csr -out axTLS.x509_1024.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1024.req -out axTLS.x509_1024.pem \ openssl x509 -req -in axTLS.x509_1024.csr -out axTLS.x509_1024_sha256.pem \
-sha256 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1024.csr -out axTLS.x509_1024_sha384.pem \
-sha384 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1024.csr -out axTLS.x509_1024_sha512.pem \
-sha512 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509_sha256.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_2048.csr -out axTLS.x509_2048.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_1042.req -out axTLS.x509_1042.pem \ openssl x509 -req -in axTLS.x509_4096.csr -out axTLS.x509_4096.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_2048.req -out axTLS.x509_2048.pem \ openssl x509 -req -in axTLS.x509_device.csr -out axTLS.x509_device.pem \
-md5 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_4096.req -out axTLS.x509_4096.pem \
-md5 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_device.req -out axTLS.x509_device.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.x509_512.pem -CAkey axTLS.key_512.pem -CA axTLS.x509_1024.pem -CAkey axTLS.key_1024.pem
openssl x509 -req -in axTLS.x509_aes128.req \ openssl x509 -req -in axTLS.x509_intermediate_ca.csr -out axTLS.x509_intermediate_ca.pem \
-sha256 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem \
-extfile ./intermediate_ca.conf -extensions v3_intermediate_ca
openssl x509 -req -in axTLS.x509_intermediate_ca2.csr -out axTLS.x509_intermediate_ca2.pem \
-sha256 -CAcreateserial -days 5000 \
-CA axTLS.x509_intermediate_ca.pem \
-CAkey axTLS.key_intermediate_ca.pem \
-extfile ./intermediate_ca2.conf -extensions v3_intermediate_ca2
openssl x509 -req -in axTLS.x509_end_chain.csr -out axTLS.x509_end_chain.pem \
-sha256 -CAcreateserial -days 5000 \
-CA axTLS.x509_intermediate_ca.pem \
-CAkey axTLS.key_intermediate_ca.pem \
-extfile ./certs.conf -extensions v3_usr_cert
# basic constraint path len failure
openssl x509 -req -in axTLS.x509_end_chain.csr \
-out axTLS.x509_end_chain_bad.pem \
-sha256 -CAcreateserial -days 5000 \
-CA axTLS.x509_intermediate_ca2.pem \
-CAkey axTLS.key_intermediate_ca2.pem \
-extfile ./certs.conf -extensions v3_usr_cert
cat axTLS.x509_intermediate_ca.pem >> axTLS.x509_intermediate_ca2.pem
openssl x509 -req -in axTLS.x509_aes128.csr \
-out axTLS.x509_aes128.pem \ -out axTLS.x509_aes128.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
openssl x509 -req -in axTLS.x509_aes256.req \ openssl x509 -req -in axTLS.x509_aes256.csr \
-out axTLS.x509_aes256.pem \ -out axTLS.x509_aes256.pem \
-sha1 -CAcreateserial -days 5000 \ -sha1 -CAcreateserial -days 5000 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
@ -138,35 +211,32 @@ openssl x509 -req -in axTLS.x509_aes256.req \
# note: must be root to do this # note: must be root to do this
DATE_NOW=`date` DATE_NOW=`date`
if date -s "Jan 1 2025"; then if date -s "Jan 1 2025"; then
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_before.pem \ openssl x509 -req -in axTLS.x509_1024.csr -out axTLS.x509_bad_before.pem \
-sha1 -CAcreateserial -days 365 \ -sha1 -CAcreateserial -days 365 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
date -s "$DATE_NOW" date -s "$DATE_NOW"
touch axTLS.x509_bad_before.pem touch axTLS.x509_bad_before.pem
fi fi
openssl x509 -req -in axTLS.x509_512.req -out axTLS.x509_bad_after.pem \ openssl x509 -req -in axTLS.x509_1024.csr -out axTLS.x509_bad_after.pem \
-sha1 -CAcreateserial -days -365 \ -sha1 -CAcreateserial -days -365 \
-CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem -CA axTLS.ca_x509.pem -CAkey axTLS.ca_key.pem
# some cleanup # some cleanup
rm axTLS*.req rm axTLS*.csr
rm axTLS.srl rm *.srl
rm *.conf rm *.conf
# need this for the client tests # need this for the client tests
openssl x509 -in axTLS.ca_x509.pem -outform DER -out axTLS.ca_x509.cer openssl x509 -in axTLS.ca_x509.pem -outform DER -out axTLS.ca_x509.cer
openssl x509 -in axTLS.x509_512.pem -outform DER -out axTLS.x509_512.cer
openssl x509 -in axTLS.x509_1024.pem -outform DER -out axTLS.x509_1024.cer openssl x509 -in axTLS.x509_1024.pem -outform DER -out axTLS.x509_1024.cer
openssl x509 -in axTLS.x509_1042.pem -outform DER -out axTLS.x509_1042.cer
openssl x509 -in axTLS.x509_2048.pem -outform DER -out axTLS.x509_2048.cer openssl x509 -in axTLS.x509_2048.pem -outform DER -out axTLS.x509_2048.cer
openssl x509 -in axTLS.x509_4096.pem -outform DER -out axTLS.x509_4096.cer openssl x509 -in axTLS.x509_4096.pem -outform DER -out axTLS.x509_4096.cer
openssl x509 -in axTLS.x509_device.pem -outform DER -out axTLS.x509_device.cer
# generate pkcs8 files (use RC4-128 for encryption) # generate pkcs8 files (use RC4-128 for encryption)
openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8 openssl pkcs8 -in axTLS.key_1024.pem -passout pass:abcd -topk8 -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted_pem.p8
openssl pkcs8 -in axTLS.key_512.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8 openssl pkcs8 -in axTLS.key_1024.pem -passout pass:abcd -topk8 -outform DER -v1 PBE-SHA1-RC4-128 -out axTLS.encrypted.p8
openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8 openssl pkcs8 -in axTLS.key_1024.pem -nocrypt -topk8 -out axTLS.unencrypted_pem.p8
openssl pkcs8 -in axTLS.key_512.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8 openssl pkcs8 -in axTLS.key_1024.pem -nocrypt -topk8 -outform DER -out axTLS.unencrypted.p8
# generate pkcs12 files (use RC4-128 for encryption) # generate pkcs12 files (use RC4-128 for encryption)
openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_with_CA" -out axTLS.withCA.p12 -password pass:abcd openssl pkcs12 -export -in axTLS.x509_1024.pem -inkey axTLS.key_1024.pem -certfile axTLS.ca_x509.pem -keypbe PBE-SHA1-RC4-128 -certpbe PBE-SHA1-RC4-128 -name "p12_with_CA" -out axTLS.withCA.p12 -password pass:abcd

523
ssl/test/ssltest.c
View file

@ -50,8 +50,8 @@
#include "os_port.h" #include "os_port.h"
#include "ssl.h" #include "ssl.h"
#define DEFAULT_CERT "../ssl/test/axTLS.x509_512.cer" #define DEFAULT_CERT "../ssl/test/axTLS.x509_1024.cer"
#define DEFAULT_KEY "../ssl/test/axTLS.key_512" #define DEFAULT_KEY "../ssl/test/axTLS.key_1024"
//#define DEFAULT_SVR_OPTION SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES //#define DEFAULT_SVR_OPTION SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES
#define DEFAULT_SVR_OPTION 0 #define DEFAULT_SVR_OPTION 0
//#define DEFAULT_CLNT_OPTION SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES //#define DEFAULT_CLNT_OPTION SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES
@ -176,78 +176,6 @@ end:
return res; return res;
} }
/**************************************************************************
* RC4 tests
*
* ARC4 tests vectors from OpenSSL (crypto/rc4/rc4test.c)
**************************************************************************/
static const uint8_t keys[7][30]=
{
{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
{8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00},
{4,0xef,0x01,0x23,0x45},
{8,0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef},
{4,0xef,0x01,0x23,0x45},
};
static const uint8_t data_len[7]={8,8,8,20,28,10};
static uint8_t data[7][30]=
{
{0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef,0xff},
{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xff},
{0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
0x12,0x34,0x56,0x78,0x9A,0xBC,0xDE,0xF0,
0x12,0x34,0x56,0x78,0xff},
{0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0xff},
{0},
};
static const uint8_t output[7][30]=
{
{0x75,0xb7,0x87,0x80,0x99,0xe0,0xc5,0x96,0x00},
{0x74,0x94,0xc2,0xe7,0x10,0x4b,0x08,0x79,0x00},
{0xde,0x18,0x89,0x41,0xa3,0x37,0x5d,0x3a,0x00},
{0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,
0xbd,0x61,0x5a,0x11,0x62,0xe1,0xc7,0xba,
0x36,0xb6,0x78,0x58,0x00},
{0x66,0xa0,0x94,0x9f,0x8a,0xf7,0xd6,0x89,
0x1f,0x7f,0x83,0x2b,0xa8,0x33,0xc0,0x0c,
0x89,0x2e,0xbe,0x30,0x14,0x3c,0xe2,0x87,
0x40,0x01,0x1e,0xcf,0x00},
{0xd6,0xa1,0x41,0xa7,0xec,0x3c,0x38,0xdf,0xbd,0x61,0x00},
{0},
};
static int RC4_test(BI_CTX *bi_ctx)
{
int i, res = 1;
RC4_CTX s;
for (i = 0; i < 6; i++)
{
RC4_setup(&s, &keys[i][1], keys[i][0]);
RC4_crypt(&s, data[i], data[i], data_len[i]);
if (memcmp(data[i], output[i], data_len[i]))
{
printf("Error: RC4 CRYPT #%d failed\n", i);
goto end;
}
}
res = 0;
printf("All RC4 tests passed\n");
end:
return res;
}
/************************************************************************** /**************************************************************************
* SHA1 tests * SHA1 tests
* *
@ -522,9 +450,9 @@ end:
**************************************************************************/ **************************************************************************/
static int HMAC_test(BI_CTX *bi_ctx) static int HMAC_test(BI_CTX *bi_ctx)
{ {
uint8_t key[SHA1_SIZE]; uint8_t key[SHA256_SIZE];
uint8_t ct[SHA1_SIZE]; uint8_t ct[SHA256_SIZE];
uint8_t dgst[SHA1_SIZE]; uint8_t dgst[SHA256_SIZE];
int res = 1; int res = 1;
const char *key_str; const char *key_str;
@ -553,8 +481,8 @@ static int HMAC_test(BI_CTX *bi_ctx)
data_str = "Hi There"; data_str = "Hi There";
key_bi = bi_str_import(bi_ctx, "0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B"); key_bi = bi_str_import(bi_ctx, "0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B");
bi_export(bi_ctx, key_bi, key, SHA1_SIZE);
ct_bi = bi_str_import(bi_ctx, "B617318655057264E28BC0B6FB378C8EF146BE00"); ct_bi = bi_str_import(bi_ctx, "B617318655057264E28BC0B6FB378C8EF146BE00");
bi_export(bi_ctx, key_bi, key, SHA1_SIZE);
bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE); bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE);
hmac_sha1((const uint8_t *)data_str, 8, hmac_sha1((const uint8_t *)data_str, 8,
@ -570,13 +498,78 @@ static int HMAC_test(BI_CTX *bi_ctx)
ct_bi = bi_str_import(bi_ctx, "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79"); ct_bi = bi_str_import(bi_ctx, "EFFCDF6AE5EB2FA2D27416D5F184DF9C259A7C79");
bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE); bi_export(bi_ctx, ct_bi, ct, SHA1_SIZE);
hmac_sha1((const uint8_t *)data_str, 28, (const uint8_t *)key_str, 5, dgst); hmac_sha1((const uint8_t *)data_str, 28, (const uint8_t *)key_str, 4, dgst);
if (memcmp(dgst, ct, SHA1_SIZE)) if (memcmp(dgst, ct, SHA1_SIZE))
{ {
printf("HMAC SHA1 failed\n"); printf("HMAC SHA1 #2 failed\n");
exit(1); goto end;
} }
data_str = "Hi There";
key_bi = bi_str_import(bi_ctx, "0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B0B");
ct_bi = bi_str_import(bi_ctx,
"B0344C61D8DB38535CA8AFCEAF0BF12B881DC200C9833DA726E9376C2E32CFF7");
bi_export(bi_ctx, key_bi, key, 20);
bi_export(bi_ctx, ct_bi, ct, SHA256_SIZE);
hmac_sha256((const uint8_t *)data_str, 8,
(const uint8_t *)key, 20, dgst);
if (memcmp(dgst, ct, SHA256_SIZE))
{
printf("HMAC SHA256 #1 failed\n");
goto end;
}
data_str = "what do ya want for nothing?";
key_str = "Jefe";
ct_bi = bi_str_import(bi_ctx,
"5BDCC146BF60754E6A042426089575C75A003F089D2739839DEC58B964EC3843");
bi_export(bi_ctx, ct_bi, ct, SHA256_SIZE);
hmac_sha256((const uint8_t *)data_str, 28,
(const uint8_t *)key_str, 4, dgst);
if (memcmp(dgst, ct, SHA256_SIZE))
{
printf("HMAC SHA256 #2 failed\n");
goto end;
}
// other test
/*uint8_t secret[16];
key_str = "9BBE436BA940F017B17652849A71DB35";
ct_bi = bi_str_import(bi_ctx, key_str);
bi_export(bi_ctx, ct_bi, secret, 16);
uint8_t random[26];
data_str = "74657374206C6162656CA0BA9F936CDA311827A6F796FFD5198C";
ct_bi = bi_str_import(bi_ctx, data_str);
bi_export(bi_ctx, ct_bi, random, 26);
uint8_t output[256];
p_hash_sha256(secret, 16, random, 26, output, 100);
ct_bi = bi_import(bi_ctx, output, 100);
bi_print("RESULT", ct_bi);
*/
/*uint8_t secret[48];
uint8_t random[256];
uint8_t output[256];
key_str =
"8C6D256467157DAEC7BAEBC1371E6DABFF1AB686EFA7DCF6B65242AA6EEBFC0A7472A1E583C4F2B23F784F25A6DE05A6";
ct_bi = bi_str_import(bi_ctx, key_str);
bi_export(bi_ctx, ct_bi, secret, 48);
data_str =
"636C69656E742066696E697368656475F80B2E4375CFA44105D16694A5E2D232302FF27241BDF52BA681C13E2CDF9F";
ct_bi = bi_str_import(bi_ctx, data_str);
bi_export(bi_ctx, ct_bi, random, 47);
p_hash_sha256(secret, 48, random, 47, output, 12);
ct_bi = bi_import(bi_ctx, output, 12);
bi_print("RESULT1", ct_bi);*/
res = 0; res = 0;
printf("All HMAC tests passed\n"); printf("All HMAC tests passed\n");
@ -969,31 +962,32 @@ static void do_client(client_t *clnt)
/* show the session ids in the reconnect test */ /* show the session ids in the reconnect test */
if (strcmp(clnt->testname, "Session Reuse") == 0) if (strcmp(clnt->testname, "Session Reuse") == 0)
{ {
sprintf(openssl_buf, "echo \"hello client\" | openssl s_client -tls1 " sprintf(openssl_buf, "echo \"hello client\" | openssl s_client "
"-connect localhost:%d %s 2>&1 | grep \"Session-ID:\"", "-connect localhost:%d %s 2>&1 | grep \"Session-ID:\"",
g_port, clnt->openssl_option); g_port, clnt->openssl_option);
} }
else if (strstr(clnt->testname, "GNUTLS") == NULL) else if (strstr(clnt->testname, "GNUTLS") == NULL)
{ {
sprintf(openssl_buf, "echo \"hello client\" | openssl s_client -tls1 " sprintf(openssl_buf, "echo \"hello client\" | openssl s_client "
#ifdef WIN32 #ifdef WIN32
"-connect localhost:%d -quiet %s", "-connect localhost:%d -quiet %s",
#else #else
"-connect localhost:%d -quiet %s > /dev/null 2>&1", "-connect localhost:%d -quiet %s > /dev/null 2>&1",
#endif #endif
g_port, clnt->openssl_option); g_port, clnt->openssl_option);
} }
else /* gnutls */ else /* gnutls */
{ {
sprintf(openssl_buf, "echo \"hello client\" | gnutls-cli " sprintf(openssl_buf, "echo \"hello client\" | gnutls-cli "
#ifdef WIN32 #ifdef WIN32
"-p %d %s 127.0.0.1", "-p %d %s localhost",
#else #else
"-p %d %s 127.0.0.1 > /dev/null 2>&1", "-p %d %s localhost > /dev/null 2>&1",
#endif #endif
g_port, clnt->openssl_option); g_port, clnt->openssl_option);
} }
//printf("CLIENT %s\n", openssl_buf);
SYSTEM(openssl_buf); SYSTEM(openssl_buf);
} }
@ -1145,21 +1139,60 @@ int SSL_server_tests(void)
/* Go through the algorithms */ /* Go through the algorithms */
/* /*
* TLS1 client hello * TLS client hello
*/ */
/* /*
* AES128-SHA * AES128-SHA TLS1.2
*/ */
if ((ret = SSL_server_test("AES128-SHA", "-cipher AES128-SHA", if ((ret = SSL_server_test("AES128-SHA TLS1.2",
"-cipher AES128-SHA -tls1_2",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL, DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION))) DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
/* /*
* AES256-SHA * AES256-SHA TLS1.2
*/ */
if ((ret = SSL_server_test("AES256-SHA", "-cipher AES128-SHA", if ((ret = SSL_server_test("AES256-SHA TLS1.2",
"-cipher AES256-SHA -tls1_2",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* AES128-SHA256 TLS1.2
*/
if ((ret = SSL_server_test("AES128-SHA256 TLS1.2",
"-cipher AES128-SHA256 -tls1_2",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* AES256-SHA256 TLS1.2
*/
if ((ret = SSL_server_test("AES256-SHA256 TLS1.2",
"-cipher AES256-SHA256 -tls1_2",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* AES128-SHA TLS1.1
*/
if ((ret = SSL_server_test("AES128-SHA TLS1.1",
"-cipher AES128-SHA -tls1_1",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* AES128-SHA TLS1.0
*/
if ((ret = SSL_server_test("AES128-SHA TLS1.0",
"-cipher AES128-SHA -tls1",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL, DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION))) DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1169,45 +1202,26 @@ int SSL_server_tests(void)
* all the session id's should match for session resumption. * all the session id's should match for session resumption.
*/ */
if ((ret = SSL_server_test("Session Reuse", if ((ret = SSL_server_test("Session Reuse",
"-cipher AES128-SHA -reconnect", "-cipher AES128-SHA -reconnect -tls1_2",
DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL, DEFAULT_CERT, NULL, DEFAULT_KEY, NULL, NULL,
DEFAULT_SVR_OPTION))) DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
/*
* 512 bit RSA key
*/
if ((ret = SSL_server_test("512 bit key",
"-cipher AES128-SHA",
"../ssl/test/axTLS.x509_512.cer", NULL,
"../ssl/test/axTLS.key_512",
NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
/* /*
* 1024 bit RSA key (check certificate chaining) * 1024 bit RSA key (check certificate chaining)
*/ */
if ((ret = SSL_server_test("1024 bit key", if ((ret = SSL_server_test("1024 bit key",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_1024.cer", NULL, "../ssl/test/axTLS.x509_1024.cer", NULL,
"../ssl/test/axTLS.key_1024", "../ssl/test/axTLS.key_1024",
NULL, NULL, DEFAULT_SVR_OPTION))) NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
/*
* 1042 bit RSA key (check certificate chaining)
*/
if ((ret = SSL_server_test("1042 bit key",
"-cipher AES128-SHA",
"../ssl/test/axTLS.x509_1042.cer", NULL,
"../ssl/test/axTLS.key_1042",
NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
/* /*
* 2048 bit RSA key * 2048 bit RSA key
*/ */
if ((ret = SSL_server_test("2048 bit key", if ((ret = SSL_server_test("2048 bit key",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_2048.cer", NULL, "../ssl/test/axTLS.x509_2048.cer", NULL,
"../ssl/test/axTLS.key_2048", "../ssl/test/axTLS.key_2048",
NULL, NULL, DEFAULT_SVR_OPTION))) NULL, NULL, DEFAULT_SVR_OPTION)))
@ -1217,20 +1231,63 @@ int SSL_server_tests(void)
* 4096 bit RSA key * 4096 bit RSA key
*/ */
if ((ret = SSL_server_test("4096 bit key", if ((ret = SSL_server_test("4096 bit key",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_4096.cer", NULL, "../ssl/test/axTLS.x509_4096.cer", NULL,
"../ssl/test/axTLS.key_4096", "../ssl/test/axTLS.key_4096",
NULL, NULL, DEFAULT_SVR_OPTION))) NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
/*
* RSA1024/SHA256
*/
if ((ret = SSL_server_test("RSA1024/SHA256",
"-tls1_2",
"../ssl/test/axTLS.x509_1024_sha256.pem" , NULL,
"../ssl/test/axTLS.key_1024",
NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* RSA1024/SHA384
*/
if ((ret = SSL_server_test("RSA1024/SHA384",
"-tls1_2",
"../ssl/test/axTLS.x509_1024_sha384.pem" , NULL,
"../ssl/test/axTLS.key_1024",
NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
/*
* RSA1024/SHA512
*/
if ((ret = SSL_server_test("RSA1024/SHA512",
"-tls1_2",
"../ssl/test/axTLS.x509_1024_sha512.pem" , NULL,
"../ssl/test/axTLS.key_1024",
NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup;
/* /*
* Client Verification * Client Verification
*/ */
if ((ret = SSL_server_test("Client Verification", if ((ret = SSL_server_test("Client Verification TLS1.2",
"-cipher AES128-SHA -tls1 " "-cipher AES128-SHA -tls1_2 "
"-cert ../ssl/test/axTLS.x509_2048.pem "
"-key ../ssl/test/axTLS.key_2048.pem ",
NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
"../ssl/test/axTLS.ca_x509.cer", NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)))
goto cleanup;
if ((ret = SSL_server_test("Client Verification TLS1.1",
"-cipher AES128-SHA -tls1_1 "
"-cert ../ssl/test/axTLS.x509_2048.pem " "-cert ../ssl/test/axTLS.x509_2048.pem "
"-key ../ssl/test/axTLS.key_2048.pem ", "-key ../ssl/test/axTLS.key_2048.pem ",
NULL, NULL, NULL, NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
"../ssl/test/axTLS.ca_x509.cer", NULL, "../ssl/test/axTLS.ca_x509.cer", NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION))) DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)))
goto cleanup; goto cleanup;
@ -1239,10 +1296,12 @@ int SSL_server_tests(void)
if (stat("../ssl/test/axTLS.x509_bad_before.pem", &stat_buf) >= 0) if (stat("../ssl/test/axTLS.x509_bad_before.pem", &stat_buf) >= 0)
{ {
if ((ret = SSL_server_test("Error: Bad Before Cert", if ((ret = SSL_server_test("Error: Bad Before Cert",
"-cipher AES128-SHA -tls1 " "-cipher AES128-SHA -tls1_2 "
"-cert ../ssl/test/axTLS.x509_bad_before.pem " "-cert ../ssl/test/axTLS.x509_bad_before.pem "
"-key ../ssl/test/axTLS.key_512.pem ", "-key ../ssl/test/axTLS.key_1024.pem ",
NULL, NULL, NULL, NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
"../ssl/test/axTLS.ca_x509.cer", NULL, "../ssl/test/axTLS.ca_x509.cer", NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) != DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID)) SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID))
@ -1254,10 +1313,12 @@ int SSL_server_tests(void)
/* this test should fail */ /* this test should fail */
if ((ret = SSL_server_test("Error: Bad After Cert", if ((ret = SSL_server_test("Error: Bad After Cert",
"-cipher AES128-SHA -tls1 " "-cipher AES128-SHA -tls1_2 "
"-cert ../ssl/test/axTLS.x509_bad_after.pem " "-cert ../ssl/test/axTLS.x509_bad_after.pem "
"-key ../ssl/test/axTLS.key_512.pem ", "-key ../ssl/test/axTLS.key_1024.pem ",
NULL, NULL, NULL, NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
"../ssl/test/axTLS.ca_x509.cer", NULL, "../ssl/test/axTLS.ca_x509.cer", NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) != DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED)) SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED))
@ -1270,10 +1331,12 @@ int SSL_server_tests(void)
* No trusted cert * No trusted cert
*/ */
if ((ret = SSL_server_test("Error: No trusted certificate", if ((ret = SSL_server_test("Error: No trusted certificate",
"-cipher AES128-SHA -tls1 " "-cipher AES128-SHA -tls1_2 "
"-cert ../ssl/test/axTLS.x509_512.pem " "-cert ../ssl/test/axTLS.x509_1024.pem "
"-key ../ssl/test/axTLS.key_512.pem ", "-key ../ssl/test/axTLS.key_1024.pem ",
NULL, NULL, NULL, NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
NULL, NULL, NULL, NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) != DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT)) SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT))
@ -1286,11 +1349,13 @@ int SSL_server_tests(void)
* Self-signed (from the server) * Self-signed (from the server)
*/ */
if ((ret = SSL_server_test("Error: Self-signed certificate (from server)", if ((ret = SSL_server_test("Error: Self-signed certificate (from server)",
"-cipher AES128-SHA -tls1 " "-cipher AES128-SHA -tls1_2 "
"-cert ../ssl/test/axTLS.x509_512.pem " "-cert ../ssl/test/axTLS.x509_1024.pem "
"-key ../ssl/test/axTLS.key_512.pem " "-key ../ssl/test/axTLS.key_1024.pem "
"-CAfile ../ssl/test/axTLS.ca_x509.pem ", "-CAfile ../ssl/test/axTLS.ca_x509.pem ",
NULL, NULL, NULL, NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
NULL, NULL, NULL, NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) != DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)) !=
SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED)) SSL_X509_ERROR(X509_VFY_ERROR_SELF_SIGNED))
@ -1304,10 +1369,12 @@ int SSL_server_tests(void)
* Self-signed (from the client) * Self-signed (from the client)
*/ */
if ((ret = SSL_server_test("Self-signed certificate (from client)", if ((ret = SSL_server_test("Self-signed certificate (from client)",
"-cipher AES128-SHA -tls1 " "-cipher AES128-SHA -tls1_2 "
"-cert ../ssl/test/axTLS.x509_512.pem " "-cert ../ssl/test/axTLS.x509_1024.pem "
"-key ../ssl/test/axTLS.key_512.pem ", "-key ../ssl/test/axTLS.key_1024.pem ",
NULL, NULL, NULL, NULL,
"../ssl/test/axTLS.x509_1024.pem",
"../ssl/test/axTLS.key_1024.pem",
"../ssl/test/axTLS.ca_x509.cer", "../ssl/test/axTLS.ca_x509.cer",
NULL, NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION))) DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)))
@ -1317,9 +1384,9 @@ int SSL_server_tests(void)
* Key in PEM format * Key in PEM format
*/ */
if ((ret = SSL_server_test("Key in PEM format", if ((ret = SSL_server_test("Key in PEM format",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_512.cer", NULL, "../ssl/test/axTLS.x509_1024.cer", NULL,
"../ssl/test/axTLS.key_512.pem", NULL, "../ssl/test/axTLS.key_1024.pem", NULL,
NULL, DEFAULT_SVR_OPTION))) NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1327,9 +1394,9 @@ int SSL_server_tests(void)
* Cert in PEM format * Cert in PEM format
*/ */
if ((ret = SSL_server_test("Cert in PEM format", if ((ret = SSL_server_test("Cert in PEM format",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_512.pem", NULL, "../ssl/test/axTLS.x509_1024.pem", NULL,
"../ssl/test/axTLS.key_512.pem", NULL, "../ssl/test/axTLS.key_1024.pem", NULL,
NULL, DEFAULT_SVR_OPTION))) NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1337,9 +1404,9 @@ int SSL_server_tests(void)
* Cert chain in PEM format * Cert chain in PEM format
*/ */
if ((ret = SSL_server_test("Cert chain in PEM format", if ((ret = SSL_server_test("Cert chain in PEM format",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_device.pem", "../ssl/test/axTLS.x509_device.pem",
NULL, "../ssl/test/axTLS.device_key.pem", NULL, "../ssl/test/axTLS.key_device.pem",
"../ssl/test/axTLS.ca_x509.pem", NULL, DEFAULT_SVR_OPTION))) "../ssl/test/axTLS.ca_x509.pem", NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1347,7 +1414,7 @@ int SSL_server_tests(void)
* AES128 Encrypted key * AES128 Encrypted key
*/ */
if ((ret = SSL_server_test("AES128 encrypted key", if ((ret = SSL_server_test("AES128 encrypted key",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_aes128.pem", NULL, "../ssl/test/axTLS.x509_aes128.pem", NULL,
"../ssl/test/axTLS.key_aes128.pem", "../ssl/test/axTLS.key_aes128.pem",
NULL, "abcd", DEFAULT_SVR_OPTION))) NULL, "abcd", DEFAULT_SVR_OPTION)))
@ -1357,7 +1424,7 @@ int SSL_server_tests(void)
* AES256 Encrypted key * AES256 Encrypted key
*/ */
if ((ret = SSL_server_test("AES256 encrypted key", if ((ret = SSL_server_test("AES256 encrypted key",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_aes256.pem", NULL, "../ssl/test/axTLS.x509_aes256.pem", NULL,
"../ssl/test/axTLS.key_aes256.pem", "../ssl/test/axTLS.key_aes256.pem",
NULL, "abcd", DEFAULT_SVR_OPTION))) NULL, "abcd", DEFAULT_SVR_OPTION)))
@ -1367,7 +1434,7 @@ int SSL_server_tests(void)
* AES128 Encrypted invalid key * AES128 Encrypted invalid key
*/ */
if ((ret = SSL_server_test("AES128 encrypted invalid key", if ((ret = SSL_server_test("AES128 encrypted invalid key",
"-cipher AES128-SHA", "-cipher AES128-SHA -tls1_2",
"../ssl/test/axTLS.x509_aes128.pem", NULL, "../ssl/test/axTLS.x509_aes128.pem", NULL,
"../ssl/test/axTLS.key_aes128.pem", "../ssl/test/axTLS.key_aes128.pem",
NULL, "xyz", DEFAULT_SVR_OPTION)) != SSL_ERROR_INVALID_KEY) NULL, "xyz", DEFAULT_SVR_OPTION)) != SSL_ERROR_INVALID_KEY)
@ -1379,7 +1446,8 @@ int SSL_server_tests(void)
/* /*
* PKCS#8 key (encrypted) * PKCS#8 key (encrypted)
*/ */
if ((ret = SSL_server_test("pkcs#8 encrypted", "-cipher AES128-SHA", if ((ret = SSL_server_test("pkcs#8 encrypted",
"-cipher AES128-SHA -tls1_2",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.encrypted.p8", DEFAULT_CERT, NULL, "../ssl/test/axTLS.encrypted.p8",
NULL, "abcd", DEFAULT_SVR_OPTION))) NULL, "abcd", DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1387,7 +1455,8 @@ int SSL_server_tests(void)
/* /*
* PKCS#8 key (unencrypted DER format) * PKCS#8 key (unencrypted DER format)
*/ */
if ((ret = SSL_server_test("pkcs#8 DER unencrypted", "-cipher AES128-SHA", if ((ret = SSL_server_test("pkcs#8 DER unencrypted",
"-cipher AES128-SHA -tls1_2",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted.p8", DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted.p8",
NULL, NULL, DEFAULT_SVR_OPTION))) NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1395,7 +1464,8 @@ int SSL_server_tests(void)
/* /*
* PKCS#8 key (unencrypted PEM format) * PKCS#8 key (unencrypted PEM format)
*/ */
if ((ret = SSL_server_test("pkcs#8 PEM unencrypted", "-cipher AES128-SHA", if ((ret = SSL_server_test("pkcs#8 PEM unencrypted",
"-cipher AES128-SHA -tls1_2",
DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted_pem.p8", DEFAULT_CERT, NULL, "../ssl/test/axTLS.unencrypted_pem.p8",
NULL, NULL, DEFAULT_SVR_OPTION))) NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
@ -1422,6 +1492,15 @@ int SSL_server_tests(void)
"../ssl/test/axTLS.key_1024", "../ssl/test/axTLS.key_1024",
NULL, NULL, DEFAULT_SVR_OPTION))) NULL, NULL, DEFAULT_SVR_OPTION)))
goto cleanup; goto cleanup;
if ((ret = SSL_server_test("GNUTLS client with verify",
"--x509certfile ../ssl/test/axTLS.x509_1024.pem "
"--x509keyfile ../ssl/test/axTLS.key_1024.pem",
"../ssl/test/axTLS.x509_1024.cer", NULL,
"../ssl/test/axTLS.key_1024",
"../ssl/test/axTLS.ca_x509.cer", NULL,
DEFAULT_SVR_OPTION|SSL_CLIENT_AUTHENTICATION)))
goto cleanup;
ret = 0; ret = 0;
cleanup: cleanup:
@ -1474,10 +1553,15 @@ static void do_server(server_t *svr)
} }
else else
{ {
sprintf(openssl_buf, "openssl s_server -tls1 " sprintf(openssl_buf, "openssl s_server "
"-accept %d -quiet %s ", g_port, svr->openssl_option); #ifdef WIN32
"-accept %d -quiet %s",
#else
"-accept %d -quiet %s > /dev/null",
#endif
g_port, svr->openssl_option);
} }
//printf("SERVER %s\n", openssl_buf);
SYSTEM(openssl_buf); SYSTEM(openssl_buf);
} }
@ -1579,7 +1663,8 @@ static int SSL_client_test(
goto client_test_exit; goto client_test_exit;
} }
ssl = ssl_client_new(*ssl_ctx, client_fd, session_id, sizeof(session_id)); ssl = ssl_client_new(*ssl_ctx, client_fd,
session_id, sizeof(session_id), NULL);
/* check the return status */ /* check the return status */
if ((ret = ssl_handshake_status(ssl))) if ((ret = ssl_handshake_status(ssl)))
@ -1669,10 +1754,11 @@ int SSL_client_tests(void)
sess_resume.start_server = 1; sess_resume.start_server = 1;
printf("### starting client tests\n"); printf("### starting client tests\n");
if ((ret = SSL_client_test("512 bit key", if ((ret = SSL_client_test("1024 bit key",
&ssl_ctx, &ssl_ctx,
"-cert ../ssl/test/axTLS.x509_512.pem " "-cert ../ssl/test/axTLS.x509_1024.pem "
"-key ../ssl/test/axTLS.key_512.pem", &sess_resume, "-key ../ssl/test/axTLS.key_1024.pem",
&sess_resume,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL))) DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
goto cleanup; goto cleanup;
@ -1719,11 +1805,52 @@ int SSL_client_tests(void)
DEFAULT_CLNT_OPTION, NULL, NULL, NULL))) DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
goto cleanup; goto cleanup;
if ((ret = SSL_client_test("TLS 1.1",
&ssl_ctx,
"-cert ../ssl/test/axTLS.x509_1024.pem "
"-key ../ssl/test/axTLS.key_1024.pem -tls1_1", NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
goto cleanup;
if ((ret = SSL_client_test("TLS 1.0",
&ssl_ctx,
"-cert ../ssl/test/axTLS.x509_1024.pem "
"-key ../ssl/test/axTLS.key_1024.pem -tls1", NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
goto cleanup;
if ((ret = SSL_client_test("Basic Constraint - len OK",
&ssl_ctx,
"-cert ../ssl/test/axTLS.x509_end_chain.pem -key "
"../ssl/test/axTLS.key_end_chain.pem -CAfile "
"../ssl/test/axTLS.x509_intermediate_ca.pem",
NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
goto cleanup;
if ((ret = SSL_client_test("Basic Constraint - len NOT OK",
&ssl_ctx,
"-cert ../ssl/test/axTLS.x509_end_chain_bad.pem -key "
"../ssl/test/axTLS.key_end_chain.pem -CAfile "
"../ssl/test/axTLS.x509_intermediate_ca2.pem",
NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL))
!= SSL_X509_ERROR(X509_VFY_ERROR_BASIC_CONSTRAINT))
{
printf("*** Error: %d\n", ret);
if (ret == 0)
ret = SSL_NOT_OK;
goto cleanup;
}
printf("SSL server test \"%s\" passed\n", "Basic Constraint - len NOT OK");
if ((ret = SSL_client_test("Server cert chaining", if ((ret = SSL_client_test("Server cert chaining",
&ssl_ctx, &ssl_ctx,
"-cert ../ssl/test/axTLS.x509_device.pem " "-cert ../ssl/test/axTLS.x509_device.pem "
"-key ../ssl/test/axTLS.device_key.pem " "-key ../ssl/test/axTLS.key_device.pem "
"-CAfile ../ssl/test/axTLS.x509_512.pem ", NULL, "-CAfile ../ssl/test/axTLS.x509_1024.pem ", NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL))) DEFAULT_CLNT_OPTION, NULL, NULL, NULL)))
goto cleanup; goto cleanup;
@ -1738,12 +1865,23 @@ int SSL_client_tests(void)
"../ssl/test/axTLS.x509_1024.cer"))) "../ssl/test/axTLS.x509_1024.cer")))
goto cleanup; goto cleanup;
/* Check the server can verify the client */
if ((ret = SSL_client_test("Client peer authentication TLS1.1",
&ssl_ctx,
"-cert ../ssl/test/axTLS.x509_2048.pem "
"-key ../ssl/test/axTLS.key_2048.pem "
"-CAfile ../ssl/test/axTLS.ca_x509.pem "
"-verify 1 -tls1_1", NULL, DEFAULT_CLNT_OPTION,
"../ssl/test/axTLS.key_1024", NULL,
"../ssl/test/axTLS.x509_1024.cer")))
goto cleanup;
/* Should get an "ERROR" from openssl (as the handshake fails as soon as /* Should get an "ERROR" from openssl (as the handshake fails as soon as
* the certificate verification fails) */ * the certificate verification fails) */
if ((ret = SSL_client_test("Error: Expired cert (verify now)", if ((ret = SSL_client_test("Error: Expired cert (verify now)",
&ssl_ctx, &ssl_ctx,
"-cert ../ssl/test/axTLS.x509_bad_after.pem " "-cert ../ssl/test/axTLS.x509_bad_after.pem "
"-key ../ssl/test/axTLS.key_512.pem", NULL, "-key ../ssl/test/axTLS.key_1024.pem", NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL)) != DEFAULT_CLNT_OPTION, NULL, NULL, NULL)) !=
SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED)) SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED))
{ {
@ -1757,7 +1895,7 @@ int SSL_client_tests(void)
if ((ret = SSL_client_test("Error: Expired cert (verify later)", if ((ret = SSL_client_test("Error: Expired cert (verify later)",
&ssl_ctx, &ssl_ctx,
"-cert ../ssl/test/axTLS.x509_bad_after.pem " "-cert ../ssl/test/axTLS.x509_bad_after.pem "
"-key ../ssl/test/axTLS.key_512.pem", NULL, "-key ../ssl/test/axTLS.key_1024.pem", NULL,
DEFAULT_CLNT_OPTION|SSL_SERVER_VERIFY_LATER, NULL, DEFAULT_CLNT_OPTION|SSL_SERVER_VERIFY_LATER, NULL,
NULL, NULL)) != SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED)) NULL, NULL)) != SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED))
{ {
@ -1768,27 +1906,43 @@ int SSL_client_tests(void)
printf("SSL client test \"Expired cert (verify later)\" passed\n"); printf("SSL client test \"Expired cert (verify later)\" passed\n");
/* invalid cert type */ /* invalid cert type */
if ((ret = SSL_client_test("Error: Invalid certificate type", /*if ((ret = SSL_client_test("Error: Invalid certificate type",
&ssl_ctx, &ssl_ctx,
"-cert ../ssl/test/axTLS.x509_2048.pem " "-cert ../ssl/test/axTLS.x509_2048.pem "
"-key ../ssl/test/axTLS.key_2048.pem " "-key ../ssl/test/axTLS.key_2048.pem "
"-CAfile ../ssl/test/axTLS.ca_x509.pem " "-CAfile ../ssl/test/axTLS.ca_x509.pem "
"-verify 1 ", NULL, DEFAULT_CLNT_OPTION, "-verify 1 ", NULL, DEFAULT_CLNT_OPTION,
"../ssl/test/axTLS.x509_1024.cer", NULL, "../ssl/test/axTLS.key_1024.pem", NULL,
"../ssl/test/axTLS.x509_1024.cer")) "../ssl/test/axTLS.x509_1024.pem"))
!= SSL_ERROR_INVALID_KEY) != SSL_ERROR_INVALID_KEY)
{ {
if (ret == 0)
ret = SSL_NOT_OK;
printf("*** Error: %d\n", ret); TTY_FLUSH(); printf("*** Error: %d\n", ret); TTY_FLUSH();
goto cleanup; goto cleanup;
} }
printf("SSL client test \"Invalid certificate type\" passed\n"); printf("SSL client test \"Invalid certificate type\" passed\n"); */
if ((ret = SSL_client_test("GNUTLS client", if ((ret = SSL_client_test("GNUTLS client",
&ssl_ctx, &ssl_ctx,
"--x509certfile ../ssl/test/axTLS.x509_1024.pem " "--x509certfile ../ssl/test/axTLS.x509_1024.pem "
"--x509keyfile ../ssl/test/axTLS.key_1024.pem -q", NULL, "--x509keyfile ../ssl/test/axTLS.key_1024.pem -g", NULL,
DEFAULT_CLNT_OPTION, NULL, NULL, NULL))) DEFAULT_CLNT_OPTION,
"../ssl/test/axTLS.key_1024.pem", NULL,
"../ssl/test/axTLS.x509_1024.pem")))
goto cleanup;
ret = 0;
if ((ret = SSL_client_test("GNUTLS client with verify",
&ssl_ctx,
"--x509certfile ../ssl/test/axTLS.x509_1024.pem "
"--x509keyfile ../ssl/test/axTLS.key_1024.pem -r -g", NULL,
DEFAULT_CLNT_OPTION|SSL_SERVER_VERIFY_LATER,
"../ssl/test/axTLS.key_1024.pem", NULL,
"../ssl/test/axTLS.x509_1024.pem")))
goto cleanup; goto cleanup;
ret = 0; ret = 0;
@ -1832,7 +1986,7 @@ static void do_basic(void)
"../ssl/test/axTLS.ca_x509.cer", NULL)) "../ssl/test/axTLS.ca_x509.cer", NULL))
goto error; goto error;
ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL, 0); ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL, 0, NULL);
/* check the return status */ /* check the return status */
if (ssl_handshake_status(ssl_clnt) < 0) if (ssl_handshake_status(ssl_clnt) < 0)
@ -1869,7 +2023,13 @@ static int SSL_basic_test(void)
goto error; goto error;
ssl_svr_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS); ssl_svr_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS);
if ((ret = ssl_obj_load(ssl_svr_ctx, SSL_OBJ_X509_CERT,
"../ssl/test/axTLS.x509_1024.pem", NULL)) != SSL_OK)
goto error;
if ((ret = ssl_obj_load(ssl_svr_ctx, SSL_OBJ_RSA_KEY,
"../ssl/test/axTLS.key_1024.pem", NULL)) != SSL_OK)
goto error;
#ifndef WIN32 #ifndef WIN32
pthread_create(&thread, NULL, pthread_create(&thread, NULL,
(void *(*)(void *))do_basic, NULL); (void *(*)(void *))do_basic, NULL);
@ -1956,7 +2116,7 @@ static void do_unblocked(void)
"../ssl/test/axTLS.ca_x509.cer", NULL)) "../ssl/test/axTLS.ca_x509.cer", NULL))
goto error; goto error;
ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL, 0); ssl_clnt = ssl_client_new(ssl_clnt_ctx, client_fd, NULL, 0, NULL);
while (ssl_handshake_status(ssl_clnt) != SSL_OK) while (ssl_handshake_status(ssl_clnt) != SSL_OK)
{ {
@ -1995,6 +2155,13 @@ static int SSL_unblocked_test(void)
goto error; goto error;
ssl_svr_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS); ssl_svr_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS);
if ((ret = ssl_obj_load(ssl_svr_ctx, SSL_OBJ_X509_CERT,
"../ssl/test/axTLS.x509_1024.pem", NULL)) != SSL_OK)
goto error;
if ((ret = ssl_obj_load(ssl_svr_ctx, SSL_OBJ_RSA_KEY,
"../ssl/test/axTLS.key_1024.pem", NULL)) != SSL_OK)
goto error;
#ifndef WIN32 #ifndef WIN32
pthread_create(&thread, NULL, pthread_create(&thread, NULL,
@ -2076,7 +2243,7 @@ void do_multi_clnt(multi_t *multi_data)
goto client_test_exit; goto client_test_exit;
usleep(200000); usleep(200000);
ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0); ssl = ssl_client_new(multi_data->ssl_clnt_ctx, client_fd, NULL, 0, NULL);
if ((res = ssl_handshake_status(ssl))) if ((res = ssl_handshake_status(ssl)))
{ {
@ -2146,7 +2313,14 @@ int multi_thread_test(void)
printf("Do multi-threading test (takes a minute)\n"); printf("Do multi-threading test (takes a minute)\n");
ssl_server_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS); ssl_svr_ctx = ssl_ctx_new(DEFAULT_SVR_OPTION, SSL_DEFAULT_SVR_SESS);
if ((ret = ssl_obj_load(ssl_svr_ctx, SSL_OBJ_X509_CERT,
"../ssl/test/axTLS.x509_1024.pem", NULL)) != SSL_OK)
goto error;
if ((ret = ssl_obj_load(ssl_svr_ctx, SSL_OBJ_RSA_KEY,
"../ssl/test/axTLS.key_1024.pem", NULL)) != SSL_OK)
goto error;
ssl_clnt_ctx = ssl_ctx_new(DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS); ssl_clnt_ctx = ssl_ctx_new(DEFAULT_CLNT_OPTION, SSL_DEFAULT_CLNT_SESS);
if (ssl_obj_load(ssl_clnt_ctx, SSL_OBJ_X509_CACERT, if (ssl_obj_load(ssl_clnt_ctx, SSL_OBJ_X509_CACERT,
@ -2199,7 +2373,7 @@ int multi_thread_test(void)
printf("Multi-thread test passed (%d)\n", NUM_THREADS); printf("Multi-thread test passed (%d)\n", NUM_THREADS);
error: error:
ssl_ctx_free(ssl_server_ctx); ssl_ctx_free(ssl_svr_ctx);
ssl_ctx_free(ssl_clnt_ctx); ssl_ctx_free(ssl_clnt_ctx);
SOCKET_CLOSE(server_fd); SOCKET_CLOSE(server_fd);
return res; return res;
@ -2306,13 +2480,6 @@ int main(int argc, char *argv[])
} }
TTY_FLUSH(); TTY_FLUSH();
if (RC4_test(bi_ctx))
{
printf("RC4 tests failed\n");
goto cleanup;
}
TTY_FLUSH();
if (MD5_test(bi_ctx)) if (MD5_test(bi_ctx))
{ {
printf("MD5 tests failed\n"); printf("MD5 tests failed\n");

518
ssl/tls1.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -52,6 +52,7 @@ static int set_key_block(SSL *ssl, int is_write);
static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len); static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len);
static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt); static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt);
static int send_raw_packet(SSL *ssl, uint8_t protocol); static int send_raw_packet(SSL *ssl, uint8_t protocol);
static int check_certificate_chain(SSL *ssl);
/** /**
* The server will pick the cipher based on the order that the order that the * The server will pick the cipher based on the order that the order that the
@ -62,13 +63,14 @@ static void session_free(SSL_SESSION *ssl_sessions[], int sess_index);
#endif #endif
const uint8_t ssl_prot_prefs[NUM_PROTOCOLS] = const uint8_t ssl_prot_prefs[NUM_PROTOCOLS] =
#ifdef CONFIG_SSL_PROT_LOW /* same as medium for now */ #ifdef CONFIG_SSL_PROT_LOW /* low security, fast speed */
{ SSL_AES128_SHA, SSL_AES256_SHA }; { SSL_AES128_SHA, SSL_AES128_SHA256, SSL_AES256_SHA, SSL_AES256_SHA256 };
#elif CONFIG_SSL_PROT_MEDIUM /* medium security, medium speed */ #elif CONFIG_SSL_PROT_MEDIUM /* medium security, medium speed */
{ SSL_AES128_SHA, SSL_AES256_SHA }; { SSL_AES128_SHA256, SSL_AES256_SHA256, SSL_AES256_SHA, SSL_AES128_SHA };
#else /* CONFIG_SSL_PROT_HIGH */ /* high security, low speed */ #else /* CONFIG_SSL_PROT_HIGH */ /* high security, low speed */
{ SSL_AES256_SHA, SSL_AES128_SHA }; { SSL_AES256_SHA256, SSL_AES128_SHA256, SSL_AES256_SHA, SSL_AES128_SHA };
#endif #endif
/** /**
* The cipher map containing all the essentials for each cipher. * The cipher map containing all the essentials for each cipher.
*/ */
@ -78,9 +80,9 @@ static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
SSL_AES128_SHA, /* AES128-SHA */ SSL_AES128_SHA, /* AES128-SHA */
16, /* key size */ 16, /* key size */
16, /* iv size */ 16, /* iv size */
2*(SHA1_SIZE+16+16), /* key block size */
16, /* block padding size */ 16, /* block padding size */
SHA1_SIZE, /* digest size */ SHA1_SIZE, /* digest size */
2*(SHA1_SIZE+16+16), /* key block size */
hmac_sha1, /* hmac algorithm */ hmac_sha1, /* hmac algorithm */
(crypt_func)AES_cbc_encrypt, /* encrypt */ (crypt_func)AES_cbc_encrypt, /* encrypt */
(crypt_func)AES_cbc_decrypt /* decrypt */ (crypt_func)AES_cbc_decrypt /* decrypt */
@ -89,16 +91,39 @@ static const cipher_info_t cipher_info[NUM_PROTOCOLS] =
SSL_AES256_SHA, /* AES256-SHA */ SSL_AES256_SHA, /* AES256-SHA */
32, /* key size */ 32, /* key size */
16, /* iv size */ 16, /* iv size */
2*(SHA1_SIZE+32+16), /* key block size */
16, /* block padding size */ 16, /* block padding size */
SHA1_SIZE, /* digest size */ SHA1_SIZE, /* digest size */
2*(SHA1_SIZE+32+16), /* key block size */
hmac_sha1, /* hmac algorithm */ hmac_sha1, /* hmac algorithm */
(crypt_func)AES_cbc_encrypt, /* encrypt */ (crypt_func)AES_cbc_encrypt, /* encrypt */
(crypt_func)AES_cbc_decrypt /* decrypt */ (crypt_func)AES_cbc_decrypt /* decrypt */
}, },
{ /* AES128-SHA256 */
SSL_AES128_SHA256, /* AES128-SHA256 */
16, /* key size */
16, /* iv size */
16, /* block padding size */
SHA256_SIZE, /* digest size */
2*(SHA256_SIZE+32+16), /* key block size */
hmac_sha256, /* hmac algorithm */
(crypt_func)AES_cbc_encrypt, /* encrypt */
(crypt_func)AES_cbc_decrypt /* decrypt */
},
{ /* AES256-SHA256 */
SSL_AES256_SHA256, /* AES256-SHA256 */
32, /* key size */
16, /* iv size */
16, /* block padding size */
SHA256_SIZE, /* digest size */
2*(SHA256_SIZE+32+16), /* key block size */
hmac_sha256, /* hmac algorithm */
(crypt_func)AES_cbc_encrypt, /* encrypt */
(crypt_func)AES_cbc_decrypt /* decrypt */
}
}; };
static void prf(const uint8_t *sec, int sec_len, uint8_t *seed, int seed_len, static void prf(SSL *ssl, const uint8_t *sec, int sec_len,
uint8_t *seed, int seed_len,
uint8_t *out, int olen); uint8_t *out, int olen);
static const cipher_info_t *get_cipher_info(uint8_t cipher); static const cipher_info_t *get_cipher_info(uint8_t cipher);
static void increment_read_sequence(SSL *ssl); static void increment_read_sequence(SSL *ssl);
@ -112,6 +137,29 @@ void DISPLAY_BYTES(SSL *ssl, const char *format,
const uint8_t *data, int size, ...) {} const uint8_t *data, int size, ...) {}
#endif #endif
/**
* Allocates new SSL extensions structure and returns pointer to it
*
*/
EXP_FUNC SSL_EXTENSIONS * STDCALL ssl_ext_new()
{
return (SSL_EXTENSIONS *)calloc(1, sizeof(SSL_EXTENSIONS));
}
/**
* Allocates new SSL extensions structure and returns pointer to it
*
*/
EXP_FUNC void STDCALL ssl_ext_free(SSL_EXTENSIONS *ssl_ext)
{
if (ssl_ext == NULL )
{
return;
}
free(ssl_ext);
}
/** /**
* Establish a new client/server context. * Establish a new client/server context.
*/ */
@ -203,7 +251,7 @@ EXP_FUNC void STDCALL ssl_free(SSL *ssl)
/* only notify if we weren't notified first */ /* only notify if we weren't notified first */
/* spec says we must notify when we are dying */ /* spec says we must notify when we are dying */
if (!IS_SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY)) if (!IS_SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY))
send_alert(ssl, SSL_ALERT_CLOSE_NOTIFY); send_alert(ssl, SSL_ALERT_CLOSE_NOTIFY);
ssl_ctx = ssl->ssl_ctx; ssl_ctx = ssl->ssl_ctx;
@ -224,12 +272,16 @@ EXP_FUNC void STDCALL ssl_free(SSL *ssl)
/* may already be free - but be sure */ /* may already be free - but be sure */
free(ssl->encrypt_ctx); free(ssl->encrypt_ctx);
ssl->encrypt_ctx = NULL;
free(ssl->decrypt_ctx); free(ssl->decrypt_ctx);
ssl->decrypt_ctx = NULL;
disposable_free(ssl); disposable_free(ssl);
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
x509_free(ssl->x509_ctx); x509_free(ssl->x509_ctx);
#endif #endif
ssl_ext_free(ssl->extensions);
ssl->extensions = NULL;
free(ssl); free(ssl);
} }
@ -319,6 +371,26 @@ int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len)
ssl_cert = &ssl_ctx->certs[i]; ssl_cert = &ssl_ctx->certs[i];
ssl_cert->size = len; ssl_cert->size = len;
ssl_cert->buf = (uint8_t *)malloc(len); ssl_cert->buf = (uint8_t *)malloc(len);
switch (cert->sig_type)
{
case SIG_TYPE_SHA1:
ssl_cert->hash_alg = SIG_ALG_SHA1;
break;
case SIG_TYPE_SHA256:
ssl_cert->hash_alg = SIG_ALG_SHA256;
break;
case SIG_TYPE_SHA384:
ssl_cert->hash_alg = SIG_ALG_SHA384;
break;
case SIG_TYPE_SHA512:
ssl_cert->hash_alg = SIG_ALG_SHA512;
break;
}
memcpy(ssl_cert->buf, buf, len); memcpy(ssl_cert->buf, buf, len);
ssl_ctx->chain_length++; ssl_ctx->chain_length++;
len -= offset; len -= offset;
@ -402,6 +474,15 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
case SSL_X509_CERT_ORGANIZATIONAL_NAME: case SSL_X509_CERT_ORGANIZATIONAL_NAME:
return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT]; return ssl->x509_ctx->cert_dn[X509_ORGANIZATIONAL_UNIT];
case SSL_X509_CERT_LOCATION:
return ssl->x509_ctx->cert_dn[X509_LOCATION];
case SSL_X509_CERT_COUNTRY:
return ssl->x509_ctx->cert_dn[X509_COUNTRY];
case SSL_X509_CERT_STATE:
return ssl->x509_ctx->cert_dn[X509_STATE];
case SSL_X509_CA_CERT_COMMON_NAME: case SSL_X509_CA_CERT_COMMON_NAME:
return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME]; return ssl->x509_ctx->ca_cert_dn[X509_COMMON_NAME];
@ -411,6 +492,15 @@ EXP_FUNC const char * STDCALL ssl_get_cert_dn(const SSL *ssl, int component)
case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME: case SSL_X509_CA_CERT_ORGANIZATIONAL_NAME:
return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT]; return ssl->x509_ctx->ca_cert_dn[X509_ORGANIZATIONAL_UNIT];
case SSL_X509_CA_CERT_LOCATION:
return ssl->x509_ctx->ca_cert_dn[X509_LOCATION];
case SSL_X509_CA_CERT_COUNTRY:
return ssl->x509_ctx->ca_cert_dn[X509_COUNTRY];
case SSL_X509_CA_CERT_STATE:
return ssl->x509_ctx->ca_cert_dn[X509_STATE];
default: default:
return NULL; return NULL;
} }
@ -600,7 +690,7 @@ static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header,
const uint8_t *buf, int buf_len, uint8_t *hmac_buf) const uint8_t *buf, int buf_len, uint8_t *hmac_buf)
{ {
int hmac_len = buf_len + 8 + SSL_RECORD_SIZE; int hmac_len = buf_len + 8 + SSL_RECORD_SIZE;
uint8_t *t_buf = (uint8_t *)alloca(hmac_len+10); uint8_t *t_buf = (uint8_t *)alloca(hmac_len);
memcpy(t_buf, (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE) ? memcpy(t_buf, (mode == SSL_SERVER_WRITE || mode == SSL_CLIENT_WRITE) ?
ssl->write_sequence : ssl->read_sequence, 8); ssl->write_sequence : ssl->read_sequence, 8);
@ -634,7 +724,7 @@ static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header,
print_blob("client mac", print_blob("client mac",
ssl->client_mac, ssl->cipher_info->digest_size); ssl->client_mac, ssl->cipher_info->digest_size);
} }
print_blob("hmac", hmac_buf, SHA1_SIZE); print_blob("hmac", hmac_buf, ssl->cipher_info->digest_size);
#endif #endif
} }
@ -643,39 +733,27 @@ static void add_hmac_digest(SSL *ssl, int mode, uint8_t *hmac_header,
*/ */
static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len) static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len)
{ {
uint8_t hmac_buf[SHA1_SIZE]; uint8_t hmac_buf[SHA256_SIZE]; // size of largest digest
int hmac_offset; int hmac_offset;
if (ssl->cipher_info->padding_size) int last_blk_size = buf[read_len-1], i;
{ hmac_offset = read_len-last_blk_size-ssl->cipher_info->digest_size-1;
int last_blk_size = buf[read_len-1], i;
hmac_offset = read_len-last_blk_size-ssl->cipher_info->digest_size-1;
/* guard against a timing attack - make sure we do the digest */ /* guard against a timing attack - make sure we do the digest */
if (hmac_offset < 0) if (hmac_offset < 0)
{ {
hmac_offset = 0; hmac_offset = 0;
}
else
{
/* already looked at last byte */
for (i = 1; i < last_blk_size; i++)
{
if (buf[read_len-i] != last_blk_size)
{
hmac_offset = 0;
break;
}
}
}
} }
else /* stream cipher */ else
{ {
hmac_offset = read_len - ssl->cipher_info->digest_size; /* already looked at last byte */
for (i = 1; i < last_blk_size; i++)
if (hmac_offset < 0)
{ {
hmac_offset = 0; if (buf[read_len-i] != last_blk_size)
{
hmac_offset = 0;
break;
}
} }
} }
@ -698,8 +776,19 @@ static int verify_digest(SSL *ssl, int mode, const uint8_t *buf, int read_len)
*/ */
void add_packet(SSL *ssl, const uint8_t *pkt, int len) void add_packet(SSL *ssl, const uint8_t *pkt, int len)
{ {
MD5_Update(&ssl->dc->md5_ctx, pkt, len); // TLS1.2+
SHA1_Update(&ssl->dc->sha1_ctx, pkt, len); if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2 || ssl->version == 0)
{
SHA256_Update(&ssl->dc->sha256_ctx, pkt, len);
}
if (ssl->version < SSL_PROTOCOL_VERSION_TLS1_2 ||
ssl->next_state == HS_SERVER_HELLO ||
ssl->next_state == 0)
{
MD5_Update(&ssl->dc->md5_ctx, pkt, len);
SHA1_Update(&ssl->dc->sha1_ctx, pkt, len);
}
} }
/** /**
@ -708,7 +797,7 @@ void add_packet(SSL *ssl, const uint8_t *pkt, int len)
static void p_hash_md5(const uint8_t *sec, int sec_len, static void p_hash_md5(const uint8_t *sec, int sec_len,
uint8_t *seed, int seed_len, uint8_t *out, int olen) uint8_t *seed, int seed_len, uint8_t *out, int olen)
{ {
uint8_t a1[128]; uint8_t a1[MD5_SIZE+77];
/* A(1) */ /* A(1) */
hmac_md5(seed, seed_len, sec, sec_len, a1); hmac_md5(seed, seed_len, sec, sec_len, a1);
@ -736,7 +825,7 @@ static void p_hash_md5(const uint8_t *sec, int sec_len,
static void p_hash_sha1(const uint8_t *sec, int sec_len, static void p_hash_sha1(const uint8_t *sec, int sec_len,
uint8_t *seed, int seed_len, uint8_t *out, int olen) uint8_t *seed, int seed_len, uint8_t *out, int olen)
{ {
uint8_t a1[128]; uint8_t a1[SHA1_SIZE+77];
/* A(1) */ /* A(1) */
hmac_sha1(seed, seed_len, sec, sec_len, a1); hmac_sha1(seed, seed_len, sec, sec_len, a1);
@ -758,27 +847,63 @@ static void p_hash_sha1(const uint8_t *sec, int sec_len,
} }
} }
/**
* Work out the SHA256 PRF.
*/
static void p_hash_sha256(const uint8_t *sec, int sec_len,
uint8_t *seed, int seed_len, uint8_t *out, int olen)
{
uint8_t a1[SHA256_SIZE+77];
/* A(1) */
hmac_sha256(seed, seed_len, sec, sec_len, a1);
memcpy(&a1[SHA256_SIZE], seed, seed_len);
hmac_sha256(a1, SHA256_SIZE+seed_len, sec, sec_len, out);
while (olen > SHA256_SIZE)
{
uint8_t a2[SHA256_SIZE];
out += SHA256_SIZE;
olen -= SHA256_SIZE;
// A(N)
hmac_sha256(a1, SHA256_SIZE, sec, sec_len, a2);
memcpy(a1, a2, SHA256_SIZE);
// work out the actual hash
hmac_sha256(a1, SHA256_SIZE+seed_len, sec, sec_len, out);
}
}
/** /**
* Work out the PRF. * Work out the PRF.
*/ */
static void prf(const uint8_t *sec, int sec_len, uint8_t *seed, int seed_len, static void prf(SSL *ssl, const uint8_t *sec, int sec_len,
uint8_t *seed, int seed_len,
uint8_t *out, int olen) uint8_t *out, int olen)
{ {
int len, i; if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
const uint8_t *S1, *S2; {
uint8_t xbuf[256]; /* needs to be > the amount of key data */ p_hash_sha256(sec, sec_len, seed, seed_len, out, olen);
uint8_t ybuf[256]; /* needs to be > the amount of key data */ }
else // TLS1.0/1.1
{
int len, i;
const uint8_t *S1, *S2;
uint8_t xbuf[2*(SHA256_SIZE+32+16) + MD5_SIZE]; /* max keyblock */
uint8_t ybuf[2*(SHA256_SIZE+32+16) + SHA1_SIZE]; /* max keyblock */
len = sec_len/2; len = sec_len/2;
S1 = sec; S1 = sec;
S2 = &sec[len]; S2 = &sec[len];
len += (sec_len & 1); /* add for odd, make longer */ len += (sec_len & 1); /* add for odd, make longer */
p_hash_md5(S1, len, seed, seed_len, xbuf, olen); p_hash_md5(S1, len, seed, seed_len, xbuf, olen);
p_hash_sha1(S2, len, seed, seed_len, ybuf, olen); p_hash_sha1(S2, len, seed, seed_len, ybuf, olen);
for (i = 0; i < olen; i++) for (i = 0; i < olen; i++)
out[i] = xbuf[i] ^ ybuf[i]; out[i] = xbuf[i] ^ ybuf[i];
}
} }
/** /**
@ -787,37 +912,44 @@ static void prf(const uint8_t *sec, int sec_len, uint8_t *seed, int seed_len,
*/ */
void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret) void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret)
{ {
uint8_t buf[128]; /* needs to be > 13+32+32 in size */ uint8_t buf[77];
//print_blob("premaster secret", premaster_secret, 48);
strcpy((char *)buf, "master secret"); strcpy((char *)buf, "master secret");
memcpy(&buf[13], ssl->dc->client_random, SSL_RANDOM_SIZE); memcpy(&buf[13], ssl->dc->client_random, SSL_RANDOM_SIZE);
memcpy(&buf[45], ssl->dc->server_random, SSL_RANDOM_SIZE); memcpy(&buf[45], ssl->dc->server_random, SSL_RANDOM_SIZE);
prf(premaster_secret, SSL_SECRET_SIZE, buf, 77, ssl->dc->master_secret, prf(ssl, premaster_secret, SSL_SECRET_SIZE, buf, 77, ssl->dc->master_secret,
SSL_SECRET_SIZE); SSL_SECRET_SIZE);
#if 0
print_blob("client random", ssl->dc->client_random, 32);
print_blob("server random", ssl->dc->server_random, 32);
print_blob("master secret", ssl->dc->master_secret, 48);
#endif
} }
/** /**
* Generate a 'random' blob of data used for the generation of keys. * Generate a 'random' blob of data used for the generation of keys.
*/ */
static void generate_key_block(uint8_t *client_random, uint8_t *server_random, static void generate_key_block(SSL *ssl,
uint8_t *client_random, uint8_t *server_random,
uint8_t *master_secret, uint8_t *key_block, int key_block_size) uint8_t *master_secret, uint8_t *key_block, int key_block_size)
{ {
uint8_t buf[128]; uint8_t buf[77];
strcpy((char *)buf, "key expansion"); strcpy((char *)buf, "key expansion");
memcpy(&buf[13], server_random, SSL_RANDOM_SIZE); memcpy(&buf[13], server_random, SSL_RANDOM_SIZE);
memcpy(&buf[45], client_random, SSL_RANDOM_SIZE); memcpy(&buf[45], client_random, SSL_RANDOM_SIZE);
prf(master_secret, SSL_SECRET_SIZE, buf, 77, key_block, key_block_size); prf(ssl, master_secret, SSL_SECRET_SIZE, buf, 77,
key_block, key_block_size);
} }
/** /**
* Calculate the digest used in the finished message. This function also * Calculate the digest used in the finished message. This function also
* doubles up as a certificate verify function. * doubles up as a certificate verify function.
*/ */
void finished_digest(SSL *ssl, const char *label, uint8_t *digest) int finished_digest(SSL *ssl, const char *label, uint8_t *digest)
{ {
uint8_t mac_buf[128]; uint8_t mac_buf[SHA1_SIZE+MD5_SIZE+15];
uint8_t *q = mac_buf; uint8_t *q = mac_buf;
MD5_CTX md5_ctx = ssl->dc->md5_ctx; int dgst_len;
SHA1_CTX sha1_ctx = ssl->dc->sha1_ctx;
if (label) if (label)
{ {
@ -825,28 +957,43 @@ void finished_digest(SSL *ssl, const char *label, uint8_t *digest)
q += strlen(label); q += strlen(label);
} }
MD5_Final(q, &md5_ctx); if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
q += MD5_SIZE; {
SHA256_CTX sha256_ctx = ssl->dc->sha256_ctx; // interim copy
SHA1_Final(q, &sha1_ctx); SHA256_Final(q, &sha256_ctx);
q += SHA1_SIZE; q += SHA256_SIZE;
dgst_len = (int)(q-mac_buf);
}
else // TLS1.0/1.1
{
MD5_CTX md5_ctx = ssl->dc->md5_ctx; // interim copy
SHA1_CTX sha1_ctx = ssl->dc->sha1_ctx;
MD5_Final(q, &md5_ctx);
q += MD5_SIZE;
SHA1_Final(q, &sha1_ctx);
q += SHA1_SIZE;
dgst_len = (int)(q-mac_buf);
}
if (label) if (label)
{ {
prf(ssl->dc->master_secret, SSL_SECRET_SIZE, mac_buf, (int)(q-mac_buf), prf(ssl, ssl->dc->master_secret, SSL_SECRET_SIZE,
digest, SSL_FINISHED_HASH_SIZE); mac_buf, dgst_len, digest, SSL_FINISHED_HASH_SIZE);
} }
else /* for use in a certificate verify */ else /* for use in a certificate verify */
{ {
memcpy(digest, mac_buf, MD5_SIZE + SHA1_SIZE); memcpy(digest, mac_buf, dgst_len);
} }
#if 0 #if 0
printf("label: %s\n", label); printf("label: %s\n", label);
print_blob("master secret", ssl->dc->master_secret, 48); print_blob("mac_buf", mac_buf, dgst_len);
print_blob("mac_buf", mac_buf, q-mac_buf);
print_blob("finished digest", digest, SSL_FINISHED_HASH_SIZE); print_blob("finished digest", digest, SSL_FINISHED_HASH_SIZE);
#endif #endif
return dgst_len;
} }
/** /**
@ -857,6 +1004,7 @@ static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt)
switch (ssl->cipher) switch (ssl->cipher)
{ {
case SSL_AES128_SHA: case SSL_AES128_SHA:
case SSL_AES128_SHA256:
{ {
AES_CTX *aes_ctx = (AES_CTX *)malloc(sizeof(AES_CTX)); AES_CTX *aes_ctx = (AES_CTX *)malloc(sizeof(AES_CTX));
AES_set_key(aes_ctx, key, iv, AES_MODE_128); AES_set_key(aes_ctx, key, iv, AES_MODE_128);
@ -870,6 +1018,7 @@ static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt)
} }
case SSL_AES256_SHA: case SSL_AES256_SHA:
case SSL_AES256_SHA256:
{ {
AES_CTX *aes_ctx = (AES_CTX *)malloc(sizeof(AES_CTX)); AES_CTX *aes_ctx = (AES_CTX *)malloc(sizeof(AES_CTX));
AES_set_key(aes_ctx, key, iv, AES_MODE_256); AES_set_key(aes_ctx, key, iv, AES_MODE_256);
@ -881,6 +1030,7 @@ static void *crypt_new(SSL *ssl, uint8_t *key, uint8_t *iv, int is_decrypt)
return (void *)aes_ctx; return (void *)aes_ctx;
} }
} }
return NULL; /* its all gone wrong */ return NULL; /* its all gone wrong */
@ -959,6 +1109,9 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
if (ssl->hs_status == SSL_ERROR_DEAD) if (ssl->hs_status == SSL_ERROR_DEAD)
return SSL_ERROR_CONN_LOST; return SSL_ERROR_CONN_LOST;
if (IS_SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY))
return SSL_CLOSE_NOTIFY;
if (in) /* has the buffer already been initialised? */ if (in) /* has the buffer already been initialised? */
{ {
memcpy(ssl->bm_data, in, length); memcpy(ssl->bm_data, in, length);
@ -994,8 +1147,7 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
&ssl->bm_data[msg_length]); &ssl->bm_data[msg_length]);
msg_length += ssl->cipher_info->digest_size; msg_length += ssl->cipher_info->digest_size;
/* add padding? */ /* add padding */
if (ssl->cipher_info->padding_size)
{ {
int last_blk_size = msg_length%ssl->cipher_info->padding_size; int last_blk_size = msg_length%ssl->cipher_info->padding_size;
int pad_bytes = ssl->cipher_info->padding_size - last_blk_size; int pad_bytes = ssl->cipher_info->padding_size - last_blk_size;
@ -1012,8 +1164,7 @@ int send_packet(SSL *ssl, uint8_t protocol, const uint8_t *in, int length)
increment_write_sequence(ssl); increment_write_sequence(ssl);
/* add the explicit IV for TLS1.1 */ /* add the explicit IV for TLS1.1 */
if (ssl->version >= SSL_PROTOCOL_VERSION1_1 && if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_1)
ssl->cipher_info->iv_size)
{ {
uint8_t iv_size = ssl->cipher_info->iv_size; uint8_t iv_size = ssl->cipher_info->iv_size;
uint8_t *t_buf = alloca(msg_length + iv_size); uint8_t *t_buf = alloca(msg_length + iv_size);
@ -1062,21 +1213,18 @@ static int set_key_block(SSL *ssl, int is_write)
return -1; return -1;
/* only do once in a handshake */ /* only do once in a handshake */
if (ssl->dc->key_block == NULL) if (!ssl->dc->key_block_generated)
{ {
ssl->dc->key_block = (uint8_t *)malloc(ciph_info->key_block_size); generate_key_block(ssl, ssl->dc->client_random, ssl->dc->server_random,
#if 0
print_blob("client", ssl->dc->client_random, 32);
print_blob("server", ssl->dc->server_random, 32);
print_blob("master", ssl->dc->master_secret, SSL_SECRET_SIZE);
#endif
generate_key_block(ssl->dc->client_random, ssl->dc->server_random,
ssl->dc->master_secret, ssl->dc->key_block, ssl->dc->master_secret, ssl->dc->key_block,
ciph_info->key_block_size); ciph_info->key_block_size);
#if 0 #if 0
print_blob("master", ssl->dc->master_secret, SSL_SECRET_SIZE);
print_blob("keyblock", ssl->dc->key_block, ciph_info->key_block_size); print_blob("keyblock", ssl->dc->key_block, ciph_info->key_block_size);
print_blob("client random", ssl->dc->client_random, 32);
print_blob("server random", ssl->dc->server_random, 32);
#endif #endif
ssl->dc->key_block_generated = 1;
} }
q = ssl->dc->key_block; q = ssl->dc->key_block;
@ -1099,13 +1247,16 @@ static int set_key_block(SSL *ssl, int is_write)
memcpy(server_key, q, ciph_info->key_size); memcpy(server_key, q, ciph_info->key_size);
q += ciph_info->key_size; q += ciph_info->key_size;
if (ciph_info->iv_size) /* RC4 has no IV, AES does */ memcpy(client_iv, q, ciph_info->iv_size);
{ q += ciph_info->iv_size;
memcpy(client_iv, q, ciph_info->iv_size); memcpy(server_iv, q, ciph_info->iv_size);
q += ciph_info->iv_size; q += ciph_info->iv_size;
memcpy(server_iv, q, ciph_info->iv_size); #if 0
q += ciph_info->iv_size; print_blob("client key", client_key, ciph_info->key_size);
} print_blob("server key", server_key, ciph_info->key_size);
print_blob("client iv", client_iv, ciph_info->iv_size);
print_blob("server iv", server_iv, ciph_info->iv_size);
#endif
free(is_write ? ssl->encrypt_ctx : ssl->decrypt_ctx); free(is_write ? ssl->encrypt_ctx : ssl->decrypt_ctx);
@ -1142,6 +1293,9 @@ int basic_read(SSL *ssl, uint8_t **in_data)
int read_len, is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT); int read_len, is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
uint8_t *buf = ssl->bm_data; uint8_t *buf = ssl->bm_data;
if (IS_SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY))
return SSL_CLOSE_NOTIFY;
read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_read_index], read_len = SOCKET_READ(ssl->client_fd, &buf[ssl->bm_read_index],
ssl->need_bytes-ssl->got_bytes); ssl->need_bytes-ssl->got_bytes);
@ -1179,7 +1333,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
if (IS_SET_SSL_FLAG(SSL_NEED_RECORD)) if (IS_SET_SSL_FLAG(SSL_NEED_RECORD))
{ {
/* check for sslv2 "client hello" */ /* check for sslv2 "client hello" */
if (buf[0] & 0x80 && buf[2] == 1) if ((buf[0] & 0x80) && buf[2] == 1)
{ {
#ifdef CONFIG_SSL_FULL_MODE #ifdef CONFIG_SSL_FULL_MODE
printf("Error: no SSLv23 handshaking allowed\n"); printf("Error: no SSLv23 handshaking allowed\n");
@ -1193,7 +1347,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
/* do we violate the spec with the message size? */ /* do we violate the spec with the message size? */
if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET) if (ssl->need_bytes > RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)
{ {
ret = SSL_ERROR_INVALID_PROT_MSG; ret = SSL_ERROR_RECORD_OVERFLOW;
goto error; goto error;
} }
@ -1212,8 +1366,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
{ {
ssl->cipher_info->decrypt(ssl->decrypt_ctx, buf, buf, read_len); ssl->cipher_info->decrypt(ssl->decrypt_ctx, buf, buf, read_len);
if (ssl->version >= SSL_PROTOCOL_VERSION1_1 && if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_1)
ssl->cipher_info->iv_size)
{ {
buf += ssl->cipher_info->iv_size; buf += ssl->cipher_info->iv_size;
read_len -= ssl->cipher_info->iv_size; read_len -= ssl->cipher_info->iv_size;
@ -1280,7 +1433,7 @@ int basic_read(SSL *ssl, uint8_t **in_data)
case PT_ALERT_PROTOCOL: case PT_ALERT_PROTOCOL:
/* return the alert # with alert bit set */ /* return the alert # with alert bit set */
if(buf[0] == SSL_ALERT_TYPE_WARNING && if (buf[0] == SSL_ALERT_TYPE_WARNING &&
buf[1] == SSL_ALERT_CLOSE_NOTIFY) buf[1] == SSL_ALERT_CLOSE_NOTIFY)
{ {
ret = SSL_CLOSE_NOTIFY; ret = SSL_CLOSE_NOTIFY;
@ -1380,7 +1533,7 @@ int send_change_cipher_spec(SSL *ssl)
*/ */
int send_finished(SSL *ssl) int send_finished(SSL *ssl)
{ {
uint8_t buf[SSL_FINISHED_HASH_SIZE+4] = { uint8_t buf[SHA1_SIZE+MD5_SIZE+15+4] = {
HS_FINISHED, 0, 0, SSL_FINISHED_HASH_SIZE }; HS_FINISHED, 0, 0, SSL_FINISHED_HASH_SIZE };
/* now add the finished digest mac (12 bytes) */ /* now add the finished digest mac (12 bytes) */
@ -1411,7 +1564,7 @@ int send_alert(SSL *ssl, int error_code)
int is_warning = 0; int is_warning = 0;
uint8_t buf[2]; uint8_t buf[2];
/* Don't bother we're already dead */ /* Don't bother, we're already dead */
if (ssl->hs_status == SSL_ERROR_DEAD) if (ssl->hs_status == SSL_ERROR_DEAD)
{ {
return SSL_ERROR_CONN_LOST; return SSL_ERROR_CONN_LOST;
@ -1433,38 +1586,60 @@ int send_alert(SSL *ssl, int error_code)
is_warning = 1; is_warning = 1;
break; break;
case SSL_ERROR_INVALID_HANDSHAKE: case SSL_ERROR_NO_CIPHER:
case SSL_ERROR_INVALID_PROT_MSG:
alert_num = SSL_ALERT_HANDSHAKE_FAILURE; alert_num = SSL_ALERT_HANDSHAKE_FAILURE;
break; break;
case SSL_ERROR_INVALID_HMAC: case SSL_ERROR_INVALID_HMAC:
case SSL_ERROR_FINISHED_INVALID:
alert_num = SSL_ALERT_BAD_RECORD_MAC; alert_num = SSL_ALERT_BAD_RECORD_MAC;
break; break;
case SSL_ERROR_FINISHED_INVALID:
case SSL_ERROR_INVALID_KEY:
alert_num = SSL_ALERT_DECRYPT_ERROR;
break;
case SSL_ERROR_INVALID_VERSION: case SSL_ERROR_INVALID_VERSION:
alert_num = SSL_ALERT_INVALID_VERSION; alert_num = SSL_ALERT_INVALID_VERSION;
break; break;
case SSL_ERROR_INVALID_SESSION: case SSL_ERROR_INVALID_SESSION:
case SSL_ERROR_NO_CIPHER:
case SSL_ERROR_INVALID_KEY:
alert_num = SSL_ALERT_ILLEGAL_PARAMETER; alert_num = SSL_ALERT_ILLEGAL_PARAMETER;
break; break;
case SSL_ERROR_BAD_CERTIFICATE:
alert_num = SSL_ALERT_BAD_CERTIFICATE;
break;
case SSL_ERROR_NO_CLIENT_RENOG: case SSL_ERROR_NO_CLIENT_RENOG:
alert_num = SSL_ALERT_NO_RENEGOTIATION; alert_num = SSL_ALERT_NO_RENEGOTIATION;
break; break;
case SSL_ERROR_RECORD_OVERFLOW:
alert_num = SSL_ALERT_RECORD_OVERFLOW;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_EXPIRED):
case SSL_X509_ERROR(X509_VFY_ERROR_NOT_YET_VALID):
alert_num = SSL_ALERT_CERTIFICATE_EXPIRED;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_NO_TRUSTED_CERT):
alert_num = SSL_ALERT_UNKNOWN_CA;
break;
case SSL_X509_ERROR(X509_VFY_ERROR_UNSUPPORTED_DIGEST):
case SSL_ERROR_INVALID_CERT_HASH_ALG:
alert_num = SSL_ALERT_UNSUPPORTED_CERTIFICATE;
break;
case SSL_ERROR_BAD_CERTIFICATE:
case SSL_X509_ERROR(X509_VFY_ERROR_BAD_SIGNATURE):
alert_num = SSL_ALERT_BAD_CERTIFICATE;
break;
case SSL_ERROR_INVALID_HANDSHAKE:
case SSL_ERROR_INVALID_PROT_MSG:
default: default:
/* a catch-all for any badly verified certificates */ /* a catch-all for anything bad */
alert_num = (error_code <= SSL_X509_OFFSET) ? alert_num = (error_code <= SSL_X509_OFFSET) ?
SSL_ALERT_BAD_CERTIFICATE : SSL_ALERT_UNEXPECTED_MESSAGE; SSL_ALERT_CERTIFICATE_UNKNOWN: SSL_ALERT_UNEXPECTED_MESSAGE;
break; break;
} }
@ -1509,6 +1684,7 @@ error:
*/ */
int send_certificate(SSL *ssl) int send_certificate(SSL *ssl)
{ {
int ret = SSL_OK;
int i = 0; int i = 0;
uint8_t *buf = ssl->bm_data; uint8_t *buf = ssl->bm_data;
int offset = 7; int offset = 7;
@ -1518,6 +1694,14 @@ int send_certificate(SSL *ssl)
buf[1] = 0; buf[1] = 0;
buf[4] = 0; buf[4] = 0;
/* spec says we must check if the hash/sig algorithm is OK */
if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2 &&
((ret = check_certificate_chain(ssl)) != SSL_OK))
{
ret = SSL_ERROR_INVALID_CERT_HASH_ALG;
goto error;
}
while (i < ssl->ssl_ctx->chain_length) while (i < ssl->ssl_ctx->chain_length)
{ {
SSL_CERT *cert = &ssl->ssl_ctx->certs[i]; SSL_CERT *cert = &ssl->ssl_ctx->certs[i];
@ -1536,7 +1720,10 @@ int send_certificate(SSL *ssl)
buf[2] = chain_length >> 8; /* handshake length */ buf[2] = chain_length >> 8; /* handshake length */
buf[3] = chain_length & 0xff; buf[3] = chain_length & 0xff;
ssl->bm_index = offset; ssl->bm_index = offset;
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset); ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
error:
return ret;
} }
/** /**
@ -1548,6 +1735,7 @@ void disposable_new(SSL *ssl)
if (ssl->dc == NULL) if (ssl->dc == NULL)
{ {
ssl->dc = (DISPOSABLE_CTX *)calloc(1, sizeof(DISPOSABLE_CTX)); ssl->dc = (DISPOSABLE_CTX *)calloc(1, sizeof(DISPOSABLE_CTX));
SHA256_Init(&ssl->dc->sha256_ctx);
MD5_Init(&ssl->dc->md5_ctx); MD5_Init(&ssl->dc->md5_ctx);
SHA1_Init(&ssl->dc->sha1_ctx); SHA1_Init(&ssl->dc->sha1_ctx);
} }
@ -1560,7 +1748,6 @@ void disposable_free(SSL *ssl)
{ {
if (ssl->dc) if (ssl->dc)
{ {
free(ssl->dc->key_block);
memset(ssl->dc, 0, sizeof(DISPOSABLE_CTX)); memset(ssl->dc, 0, sizeof(DISPOSABLE_CTX));
free(ssl->dc); free(ssl->dc);
ssl->dc = NULL; ssl->dc = NULL;
@ -1744,6 +1931,43 @@ EXP_FUNC int STDCALL ssl_get_config(int offset)
} }
} }
/**
* Check the certificate chain to see if the certs are supported
*/
static int check_certificate_chain(SSL *ssl)
{
int i = 0;
int ret = SSL_OK;
while (i < ssl->ssl_ctx->chain_length)
{
int j = 0;
uint8_t found = 0;
SSL_CERT *cert = &ssl->ssl_ctx->certs[i];
while (j < ssl->num_sig_algs)
{
if (ssl->sig_algs[j++] == cert->hash_alg)
{
found = 1;
break;
}
}
if (!found)
{
ret = SSL_ERROR_INVALID_CERT_HASH_ALG;
goto error;
}
i++;
}
error:
return ret;
}
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
/** /**
* Authenticate a received certificate. * Authenticate a received certificate.
@ -1751,8 +1975,11 @@ EXP_FUNC int STDCALL ssl_get_config(int offset)
EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl) EXP_FUNC int STDCALL ssl_verify_cert(const SSL *ssl)
{ {
int ret; int ret;
int pathLenConstraint = 0;
SSL_CTX_LOCK(ssl->ssl_ctx->mutex); SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
ret = x509_verify(ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx); ret = x509_verify(ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx,
&pathLenConstraint);
SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex); SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
if (ret) /* modify into an SSL error type */ if (ret) /* modify into an SSL error type */
@ -1772,7 +1999,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index]; uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
int pkt_size = ssl->bm_index; int pkt_size = ssl->bm_index;
int cert_size, offset = 5, offset_start; int cert_size, offset = 5, offset_start;
int total_cert_size = (buf[offset]<<8) + buf[offset+1]; int total_cert_len = (buf[offset]<<8) + buf[offset+1];
int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT); int is_client = IS_SET_SSL_FLAG(SSL_IS_CLIENT);
X509_CTX *chain = 0; X509_CTX *chain = 0;
X509_CTX **certs = 0; X509_CTX **certs = 0;
@ -1781,13 +2008,13 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
int i = 0; int i = 0;
offset += 2; offset += 2;
PARANOIA_CHECK(total_cert_size, offset); PARANOIA_CHECK(pkt_size, total_cert_len + offset);
// record the start point for the second pass // record the start point for the second pass
offset_start = offset; offset_start = offset;
// first pass - count the certificates // first pass - count the certificates
while (offset < total_cert_size) while (offset < total_cert_len)
{ {
offset++; /* skip empty char */ offset++; /* skip empty char */
cert_size = (buf[offset]<<8) + buf[offset+1]; cert_size = (buf[offset]<<8) + buf[offset+1];
@ -1806,7 +2033,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
offset = offset_start; offset = offset_start;
// second pass - load the certificates // second pass - load the certificates
while (offset < total_cert_size) while (offset < total_cert_len)
{ {
offset++; /* skip empty char */ offset++; /* skip empty char */
cert_size = (buf[offset]<<8) + buf[offset+1]; cert_size = (buf[offset]<<8) + buf[offset+1];
@ -1818,6 +2045,10 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
goto error; goto error;
} }
#if defined (CONFIG_SSL_FULL_MODE)
if (ssl->ssl_ctx->options & SSL_DISPLAY_CERTS)
x509_print(certs[num_certs], NULL);
#endif
num_certs++; num_certs++;
offset += cert_size; offset += cert_size;
} }
@ -1837,6 +2068,7 @@ int process_certificate(SSL *ssl, X509_CTX **x509_ctx)
{ {
if (certs[i] == chain) if (certs[i] == chain)
continue; continue;
if (cert_used[i]) if (cert_used[i])
continue; // don't allow loops continue; // don't allow loops
@ -2010,6 +2242,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
printf("connection dead"); printf("connection dead");
break; break;
case SSL_ERROR_RECORD_OVERFLOW:
printf("record overflow");
break;
case SSL_ERROR_INVALID_HANDSHAKE: case SSL_ERROR_INVALID_HANDSHAKE:
printf("invalid handshake"); printf("invalid handshake");
break; break;
@ -2034,6 +2270,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
printf("no cipher"); printf("no cipher");
break; break;
case SSL_ERROR_INVALID_CERT_HASH_ALG:
printf("invalid cert hash algorithm");
break;
case SSL_ERROR_CONN_LOST: case SSL_ERROR_CONN_LOST:
printf("connection lost"); printf("connection lost");
break; break;
@ -2070,6 +2310,10 @@ EXP_FUNC void STDCALL ssl_display_error(int error_code)
printf("\n"); printf("\n");
} }
/**
* Debugging routine to display alerts.
*/
/** /**
* Debugging routine to display alerts. * Debugging routine to display alerts.
*/ */
@ -2086,14 +2330,6 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("close notify"); printf("close notify");
break; break;
case SSL_ALERT_INVALID_VERSION:
printf("invalid version");
break;
case SSL_ALERT_BAD_CERTIFICATE:
printf("bad certificate");
break;
case SSL_ALERT_UNEXPECTED_MESSAGE: case SSL_ALERT_UNEXPECTED_MESSAGE:
printf("unexpected message"); printf("unexpected message");
break; break;
@ -2102,14 +2338,38 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("bad record mac"); printf("bad record mac");
break; break;
case SSL_ERROR_RECORD_OVERFLOW:
printf("record overlow");
break;
case SSL_ALERT_HANDSHAKE_FAILURE: case SSL_ALERT_HANDSHAKE_FAILURE:
printf("handshake failure"); printf("handshake failure");
break; break;
case SSL_ALERT_BAD_CERTIFICATE:
printf("bad certificate");
break;
case SSL_ALERT_UNSUPPORTED_CERTIFICATE:
printf("unsupported certificate");
break;
case SSL_ALERT_CERTIFICATE_EXPIRED:
printf("certificate expired");
break;
case SSL_ALERT_CERTIFICATE_UNKNOWN:
printf("certificate unknown");
break;
case SSL_ALERT_ILLEGAL_PARAMETER: case SSL_ALERT_ILLEGAL_PARAMETER:
printf("illegal parameter"); printf("illegal parameter");
break; break;
case SSL_ALERT_UNKNOWN_CA:
printf("unknown ca");
break;
case SSL_ALERT_DECODE_ERROR: case SSL_ALERT_DECODE_ERROR:
printf("decode error"); printf("decode error");
break; break;
@ -2118,6 +2378,10 @@ void DISPLAY_ALERT(SSL *ssl, int alert)
printf("decrypt error"); printf("decrypt error");
break; break;
case SSL_ALERT_INVALID_VERSION:
printf("invalid version");
break;
case SSL_ALERT_NO_RENEGOTIATION: case SSL_ALERT_NO_RENEGOTIATION:
printf("no renegotiation"); printf("no renegotiation");
break; break;

55
ssl/tls1.h
View file

@ -48,9 +48,9 @@ extern "C" {
#include "crypto_misc.h" #include "crypto_misc.h"
#define SSL_PROTOCOL_MIN_VERSION 0x31 /* TLS v1.0 */ #define SSL_PROTOCOL_MIN_VERSION 0x31 /* TLS v1.0 */
#define SSL_PROTOCOL_MINOR_VERSION 0x02 /* TLS v1.1 */ #define SSL_PROTOCOL_VERSION_MAX 0x33 /* TLS v1.3 */
#define SSL_PROTOCOL_VERSION_MAX 0x32 /* TLS v1.1 */ #define SSL_PROTOCOL_VERSION_TLS1_1 0x32 /* TLS v1.1 */
#define SSL_PROTOCOL_VERSION1_1 0x32 /* TLS v1.1 */ #define SSL_PROTOCOL_VERSION_TLS1_2 0x33 /* TLS v1.2 */
#define SSL_RANDOM_SIZE 32 #define SSL_RANDOM_SIZE 32
#define SSL_SECRET_SIZE 48 #define SSL_SECRET_SIZE 48
#define SSL_FINISHED_HASH_SIZE 12 #define SSL_FINISHED_HASH_SIZE 12
@ -80,7 +80,14 @@ extern "C" {
#define RT_EXTRA 1024 #define RT_EXTRA 1024
#define BM_RECORD_OFFSET 5 #define BM_RECORD_OFFSET 5
#define NUM_PROTOCOLS 2 #define NUM_PROTOCOLS 4
#define MAX_SIG_ALGORITHMS 4
#define SIG_ALG_SHA1 2
#define SIG_ALG_SHA256 4
#define SIG_ALG_SHA384 5
#define SIG_ALG_SHA512 6
#define SIG_ALG_RSA 1
#define PARANOIA_CHECK(A, B) if (A < B) { \ #define PARANOIA_CHECK(A, B) if (A < B) { \
ret = SSL_ERROR_INVALID_HANDSHAKE; goto error; } ret = SSL_ERROR_INVALID_HANDSHAKE; goto error; }
@ -109,14 +116,22 @@ enum
HS_FINISHED = 20 HS_FINISHED = 20
}; };
/* SSL extension types */
enum
{
SSL_EXT_SERVER_NAME = 0,
SSL_EXT_MAX_FRAGMENT_SIZE,
SSL_EXT_SIG_ALG = 0x0d,
};
typedef struct typedef struct
{ {
uint8_t cipher; uint8_t cipher;
uint8_t key_size; uint8_t key_size;
uint8_t iv_size; uint8_t iv_size;
uint8_t key_block_size;
uint8_t padding_size; uint8_t padding_size;
uint8_t digest_size; uint8_t digest_size;
uint8_t key_block_size;
hmac_func hmac; hmac_func hmac;
crypt_func encrypt; crypt_func encrypt;
crypt_func decrypt; crypt_func decrypt;
@ -141,20 +156,31 @@ typedef struct
{ {
uint8_t *buf; uint8_t *buf;
int size; int size;
uint8_t hash_alg;
} SSL_CERT; } SSL_CERT;
typedef struct typedef struct
{ {
MD5_CTX md5_ctx; MD5_CTX md5_ctx;
SHA1_CTX sha1_ctx; SHA1_CTX sha1_ctx;
uint8_t final_finish_mac[SSL_FINISHED_HASH_SIZE]; SHA256_CTX sha256_ctx;
uint8_t *key_block;
uint8_t master_secret[SSL_SECRET_SIZE];
uint8_t client_random[SSL_RANDOM_SIZE]; /* client's random sequence */ uint8_t client_random[SSL_RANDOM_SIZE]; /* client's random sequence */
uint8_t server_random[SSL_RANDOM_SIZE]; /* server's random sequence */ uint8_t server_random[SSL_RANDOM_SIZE]; /* server's random sequence */
uint8_t final_finish_mac[128];
uint8_t master_secret[SSL_SECRET_SIZE];
uint8_t key_block[256];
uint16_t bm_proc_index; uint16_t bm_proc_index;
uint8_t key_block_generated;
} DISPOSABLE_CTX; } DISPOSABLE_CTX;
typedef struct
{
char *host_name; /* Needed for the SNI support */
/* Needed for the Max Fragment Size Extension.
Allowed values: 2^9, 2^10 .. 2^14 */
uint16_t max_fragment_size;
} SSL_EXTENSIONS;
struct _SSL struct _SSL
{ {
uint32_t flag; uint32_t flag;
@ -176,6 +202,8 @@ struct _SSL
uint8_t *bm_data; uint8_t *bm_data;
uint16_t bm_index; uint16_t bm_index;
uint16_t bm_read_index; uint16_t bm_read_index;
uint8_t sig_algs[MAX_SIG_ALGORITHMS];
uint8_t num_sig_algs;
struct _SSL *next; /* doubly linked list */ struct _SSL *next; /* doubly linked list */
struct _SSL *prev; struct _SSL *prev;
struct _SSL_CTX *ssl_ctx; /* back reference to a clnt/svr ctx */ struct _SSL_CTX *ssl_ctx; /* back reference to a clnt/svr ctx */
@ -188,11 +216,12 @@ struct _SSL
#endif #endif
uint8_t session_id[SSL_SESSION_ID_SIZE]; uint8_t session_id[SSL_SESSION_ID_SIZE];
uint8_t client_mac[SHA1_SIZE]; /* for HMAC verification */ uint8_t client_mac[SHA256_SIZE]; /* for HMAC verification */
uint8_t server_mac[SHA1_SIZE]; /* for HMAC verification */ uint8_t server_mac[SHA256_SIZE]; /* for HMAC verification */
uint8_t read_sequence[8]; /* 64 bit sequence number */ uint8_t read_sequence[8]; /* 64 bit sequence number */
uint8_t write_sequence[8]; /* 64 bit sequence number */ uint8_t write_sequence[8]; /* 64 bit sequence number */
uint8_t hmac_header[SSL_RECORD_SIZE]; /* rx hmac */ uint8_t hmac_header[SSL_RECORD_SIZE]; /* rx hmac */
SSL_EXTENSIONS *extensions; /* Contains the SSL (client) extensions */
}; };
typedef struct _SSL SSL; typedef struct _SSL SSL;
@ -241,7 +270,7 @@ int send_finished(SSL *ssl);
int send_certificate(SSL *ssl); int send_certificate(SSL *ssl);
int basic_read(SSL *ssl, uint8_t **in_data); int basic_read(SSL *ssl, uint8_t **in_data);
int send_change_cipher_spec(SSL *ssl); int send_change_cipher_spec(SSL *ssl);
void finished_digest(SSL *ssl, const char *label, uint8_t *digest); int finished_digest(SSL *ssl, const char *label, uint8_t *digest);
void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret); void generate_master_secret(SSL *ssl, const uint8_t *premaster_secret);
void add_packet(SSL *ssl, const uint8_t *pkt, int len); void add_packet(SSL *ssl, const uint8_t *pkt, int len);
int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len); int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len);

172
ssl/tls1_clnt.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -37,6 +37,22 @@
#ifdef CONFIG_SSL_ENABLE_CLIENT /* all commented out if no client */ #ifdef CONFIG_SSL_ENABLE_CLIENT /* all commented out if no client */
/* support sha512/384/256/1 RSA */
static const uint8_t g_sig_alg[] = {
0x00, SSL_EXT_SIG_ALG,
0x00, 0x0a, 0x00, 0x08,
SIG_ALG_SHA512, SIG_ALG_RSA,
SIG_ALG_SHA384, SIG_ALG_RSA,
SIG_ALG_SHA256, SIG_ALG_RSA,
SIG_ALG_SHA1, SIG_ALG_RSA
};
static const uint8_t g_asn1_sha256[] =
{
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
static int send_client_hello(SSL *ssl); static int send_client_hello(SSL *ssl);
static int process_server_hello(SSL *ssl); static int process_server_hello(SSL *ssl);
static int process_server_hello_done(SSL *ssl); static int process_server_hello_done(SSL *ssl);
@ -48,7 +64,7 @@ static int send_cert_verify(SSL *ssl);
* Establish a new SSL connection to an SSL server. * Establish a new SSL connection to an SSL server.
*/ */
EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
uint8_t *session_id, uint8_t sess_id_size) uint8_t *session_id, uint8_t sess_id_size, SSL_EXTENSIONS* ssl_ext)
{ {
SSL *ssl = ssl_new(ssl_ctx, client_fd); SSL *ssl = ssl_new(ssl_ctx, client_fd);
ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */ ssl->version = SSL_PROTOCOL_VERSION_MAX; /* try top version first */
@ -66,6 +82,8 @@ EXP_FUNC SSL * STDCALL ssl_client_new(SSL_CTX *ssl_ctx, int client_fd, const
SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */ SET_SSL_FLAG(SSL_SESSION_RESUME); /* just flag for later */
} }
ssl->extensions = ssl_ext;
SET_SSL_FLAG(SSL_IS_CLIENT); SET_SSL_FLAG(SSL_IS_CLIENT);
do_client_connect(ssl); do_client_connect(ssl);
return ssl; return ssl;
@ -173,7 +191,9 @@ static int send_client_hello(SSL *ssl)
uint8_t *buf = ssl->bm_data; uint8_t *buf = ssl->bm_data;
time_t tm = time(NULL); time_t tm = time(NULL);
uint8_t *tm_ptr = &buf[6]; /* time will go here */ uint8_t *tm_ptr = &buf[6]; /* time will go here */
int i, offset; int i, offset, ext_offset;
int ext_len = 0;
buf[0] = HS_CLIENT_HELLO; buf[0] = HS_CLIENT_HELLO;
buf[1] = 0; buf[1] = 0;
@ -219,8 +239,64 @@ static int send_client_hello(SSL *ssl)
buf[offset++] = 1; /* no compression */ buf[offset++] = 1; /* no compression */
buf[offset++] = 0; buf[offset++] = 0;
buf[3] = offset - 4; /* handshake size */
ext_offset = offset;
buf[offset++] = 0; /* total length of extensions */
buf[offset++] = 0;
/* send the signature algorithm extension for TLS 1.2+ */
if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2)
{
memcpy(&buf[offset], g_sig_alg, sizeof(g_sig_alg));
offset += sizeof(g_sig_alg);
ext_len += sizeof(g_sig_alg);
}
if (ssl->extensions != NULL)
{
/* send the host name if specified */
if (ssl->extensions->host_name != NULL)
{
size_t host_len = strlen(ssl->extensions->host_name);
buf[offset++] = 0;
buf[offset++] = SSL_EXT_SERVER_NAME; /* server_name(0) (65535) */
buf[offset++] = 0;
buf[offset++] = host_len + 5; /* server_name length */
buf[offset++] = 0;
buf[offset++] = host_len + 3; /* server_list length */
buf[offset++] = 0; /* host_name(0) (255) */
buf[offset++] = 0;
buf[offset++] = host_len; /* host_name length */
strncpy((char*) &buf[offset], ssl->extensions->host_name, host_len);
offset += host_len;
ext_len += host_len + 9;
}
if (ssl->extensions->max_fragment_size)
{
buf[offset++] = 0;
buf[offset++] = SSL_EXT_MAX_FRAGMENT_SIZE;
buf[offset++] = 0; // size of data
buf[offset++] = 2;
buf[offset++] = (uint8_t)
((ssl->extensions->max_fragment_size >> 8) & 0xff);
buf[offset++] = (uint8_t)
(ssl->extensions->max_fragment_size & 0xff);
ext_len += 6;
}
}
if (ext_len > 0)
{
// update the extensions length value
buf[ext_offset] = (uint8_t) ((ext_len >> 8) & 0xff);
buf[ext_offset + 1] = (uint8_t) (ext_len & 0xff);
}
buf[3] = offset - 4; /* handshake size */
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset); return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
} }
@ -279,15 +355,18 @@ static int process_server_hello(SSL *ssl)
ssl->sess_id_size = sess_id_size; ssl->sess_id_size = sess_id_size;
offset += sess_id_size; offset += sess_id_size;
/* get the real cipher we are using */ /* get the real cipher we are using - ignore MSB */
ssl->cipher = buf[++offset]; ssl->cipher = buf[++offset];
ssl->next_state = IS_SET_SSL_FLAG(SSL_SESSION_RESUME) ? ssl->next_state = IS_SET_SSL_FLAG(SSL_SESSION_RESUME) ?
HS_FINISHED : HS_CERTIFICATE; HS_FINISHED : HS_CERTIFICATE;
offset++; // skip the compr offset += 2; // ignore compression
PARANOIA_CHECK(pkt_size, offset); PARANOIA_CHECK(pkt_size, offset);
ssl->dc->bm_proc_index = offset+1;
ssl->dc->bm_proc_index = offset;
PARANOIA_CHECK(pkt_size, offset);
// no extensions
error: error:
return ret; return ret;
} }
@ -313,8 +392,10 @@ static int send_client_key_xchg(SSL *ssl)
buf[0] = HS_CLIENT_KEY_XCHG; buf[0] = HS_CLIENT_KEY_XCHG;
buf[1] = 0; buf[1] = 0;
premaster_secret[0] = 0x03; /* encode the version number */ // spec says client must use the what is initially negotiated -
premaster_secret[1] = SSL_PROTOCOL_MINOR_VERSION; /* must be TLS 1.1 */ // and this is our current version
premaster_secret[0] = 0x03;
premaster_secret[1] = SSL_PROTOCOL_VERSION_MAX & 0x0f;
if (get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]) < 0) if (get_random(SSL_SECRET_SIZE-2, &premaster_secret[2]) < 0)
return SSL_NOT_OK; return SSL_NOT_OK;
@ -342,14 +423,47 @@ static int process_cert_req(SSL *ssl)
{ {
uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index]; uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
int ret = SSL_OK; int ret = SSL_OK;
int offset = (buf[2] << 4) + buf[3]; int cert_req_size = (buf[2]<<8) + buf[3];
int offset = 4;
int pkt_size = ssl->bm_index; int pkt_size = ssl->bm_index;
uint8_t cert_type_len, sig_alg_len;
PARANOIA_CHECK(pkt_size, offset + cert_req_size);
ssl->dc->bm_proc_index = cert_req_size;
/* don't do any processing - we will send back an RSA certificate anyway */ /* don't do any processing - we will send back an RSA certificate anyway */
ssl->next_state = HS_SERVER_HELLO_DONE; ssl->next_state = HS_SERVER_HELLO_DONE;
SET_SSL_FLAG(SSL_HAS_CERT_REQ); SET_SSL_FLAG(SSL_HAS_CERT_REQ);
ssl->dc->bm_proc_index += offset;
PARANOIA_CHECK(pkt_size, offset); if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
{
// supported certificate types
cert_type_len = buf[offset++];
PARANOIA_CHECK(pkt_size, offset + cert_type_len);
offset += cert_type_len;
// supported signature algorithms
sig_alg_len = buf[offset++] << 8;
sig_alg_len += buf[offset++];
PARANOIA_CHECK(pkt_size, offset + sig_alg_len);
while (sig_alg_len > 0)
{
uint8_t hash_alg = buf[offset++];
uint8_t sig_alg = buf[offset++];
sig_alg_len -= 2;
if (sig_alg == SIG_ALG_RSA &&
(hash_alg == SIG_ALG_SHA1 ||
hash_alg == SIG_ALG_SHA256 ||
hash_alg == SIG_ALG_SHA384 ||
hash_alg == SIG_ALG_SHA512))
{
ssl->sig_algs[ssl->num_sig_algs++] = hash_alg;
}
}
}
error: error:
return ret; return ret;
} }
@ -360,9 +474,11 @@ error:
static int send_cert_verify(SSL *ssl) static int send_cert_verify(SSL *ssl)
{ {
uint8_t *buf = ssl->bm_data; uint8_t *buf = ssl->bm_data;
uint8_t dgst[MD5_SIZE+SHA1_SIZE]; uint8_t dgst[SHA1_SIZE+MD5_SIZE+15];
RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx; RSA_CTX *rsa_ctx = ssl->ssl_ctx->rsa_ctx;
int n = 0, ret; int n = 0, ret;
int offset = 0;
int dgst_len;
if (rsa_ctx == NULL) if (rsa_ctx == NULL)
return SSL_OK; return SSL_OK;
@ -372,13 +488,26 @@ static int send_cert_verify(SSL *ssl)
buf[0] = HS_CERT_VERIFY; buf[0] = HS_CERT_VERIFY;
buf[1] = 0; buf[1] = 0;
finished_digest(ssl, NULL, dgst); /* calculate the digest */ if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
{
buf[4] = SIG_ALG_SHA256;
buf[5] = SIG_ALG_RSA;
offset = 6;
memcpy(dgst, g_asn1_sha256, sizeof(g_asn1_sha256));
dgst_len = finished_digest(ssl, NULL, &dgst[sizeof(g_asn1_sha256)]) +
sizeof(g_asn1_sha256);
}
else
{
offset = 4;
dgst_len = finished_digest(ssl, NULL, dgst);
}
/* rsa_ctx->bi_ctx is not thread-safe */ /* rsa_ctx->bi_ctx is not thread-safe */
if (rsa_ctx) if (rsa_ctx)
{ {
SSL_CTX_LOCK(ssl->ssl_ctx->mutex); SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
n = RSA_encrypt(rsa_ctx, dgst, sizeof(dgst), &buf[6], 1); n = RSA_encrypt(rsa_ctx, dgst, dgst_len, &buf[offset + 2], 1);
SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex); SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
if (n == 0) if (n == 0)
@ -388,12 +517,19 @@ static int send_cert_verify(SSL *ssl)
} }
} }
buf[4] = n >> 8; /* add the RSA size (not officially documented) */ buf[offset] = n >> 8; /* add the RSA size */
buf[5] = n & 0xff; buf[offset+1] = n & 0xff;
n += 2; n += 2;
if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
{
n += 2; // sig/alg
offset -= 2;
}
buf[2] = n >> 8; buf[2] = n >> 8;
buf[3] = n & 0xff; buf[3] = n & 0xff;
ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n+4); ret = send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, n + offset);
error: error:
return ret; return ret;

161
ssl/tls1_svr.c
View file

@ -35,6 +35,11 @@
#include "ssl.h" #include "ssl.h"
static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 }; static const uint8_t g_hello_done[] = { HS_SERVER_HELLO_DONE, 0, 0, 0 };
static const uint8_t g_asn1_sha256[] =
{
0x30, 0x31, 0x30, 0x0d, 0x06, 0x09, 0x60, 0x86, 0x48, 0x01, 0x65, 0x03,
0x04, 0x02, 0x01, 0x05, 0x00, 0x04, 0x20
};
static int process_client_hello(SSL *ssl); static int process_client_hello(SSL *ssl);
static int send_server_hello_sequence(SSL *ssl); static int send_server_hello_sequence(SSL *ssl);
@ -87,8 +92,10 @@ int do_svr_handshake(SSL *ssl, int handshake_type, uint8_t *buf, int hs_len)
if (ret == SSL_OK) /* verify the cert */ if (ret == SSL_OK) /* verify the cert */
{ {
int cert_res; int cert_res;
cert_res = x509_verify( int pathLenConstraint = 0;
ssl->ssl_ctx->ca_cert_ctx, ssl->x509_ctx);
cert_res = x509_verify(ssl->ssl_ctx->ca_cert_ctx,
ssl->x509_ctx, &pathLenConstraint);
ret = (cert_res == 0) ? SSL_OK : SSL_X509_ERROR(cert_res); ret = (cert_res == 0) ? SSL_OK : SSL_X509_ERROR(cert_res);
} }
break; break;
@ -154,7 +161,7 @@ static int process_client_hello(SSL *ssl)
cs_len = (buf[offset]<<8) + buf[offset+1]; cs_len = (buf[offset]<<8) + buf[offset+1];
offset += 3; /* add 1 due to all cipher suites being 8 bit */ offset += 3; /* add 1 due to all cipher suites being 8 bit */
PARANOIA_CHECK(pkt_size, offset); PARANOIA_CHECK(pkt_size, offset + cs_len);
/* work out what cipher suite we are going to use - client defines /* work out what cipher suite we are going to use - client defines
the preference */ the preference */
@ -165,15 +172,72 @@ static int process_client_hello(SSL *ssl)
if (ssl_prot_prefs[j] == buf[offset+i]) /* got a match? */ if (ssl_prot_prefs[j] == buf[offset+i]) /* got a match? */
{ {
ssl->cipher = ssl_prot_prefs[j]; ssl->cipher = ssl_prot_prefs[j];
goto do_state; goto do_compression;
} }
} }
} }
/* ouch! protocol is not supported */ /* ouch! protocol is not supported */
ret = SSL_ERROR_NO_CIPHER; return SSL_ERROR_NO_CIPHER;
/* completely ignore compression */
do_compression:
offset += cs_len;
id_len = buf[offset++];
offset += id_len;
PARANOIA_CHECK(pkt_size, offset + id_len);
if (offset == pkt_size)
{
/* no extensions */
goto error;
}
/* extension size */
id_len = buf[offset++] << 8;
id_len += buf[offset++];
PARANOIA_CHECK(pkt_size, offset + id_len);
// Check for extensions from the client - only the signature algorithm
// is supported
while (offset < pkt_size)
{
int ext = buf[offset++] << 8;
ext += buf[offset++];
int ext_len = buf[offset++] << 8;
ext_len += buf[offset++];
PARANOIA_CHECK(pkt_size, offset + ext_len);
if (ext == SSL_EXT_SIG_ALG)
{
while (ext_len > 0)
{
uint8_t hash_alg = buf[offset++];
uint8_t sig_alg = buf[offset++];
ext_len -= 2;
if (sig_alg == SIG_ALG_RSA &&
(hash_alg == SIG_ALG_SHA1 ||
hash_alg == SIG_ALG_SHA256 ||
hash_alg == SIG_ALG_SHA384 ||
hash_alg == SIG_ALG_SHA512))
{
ssl->sig_algs[ssl->num_sig_algs++] = hash_alg;
}
}
}
else
{
offset += ext_len;
}
}
/* default is RSA/SHA1 */
if (ssl->num_sig_algs == 0)
{
ssl->sig_algs[ssl->num_sig_algs++] = SIG_ALG_SHA1;
}
do_state:
error: error:
return ret; return ret;
} }
@ -279,7 +343,7 @@ static int send_server_hello(SSL *ssl)
buf[offset++] = 0; /* cipher we are using */ buf[offset++] = 0; /* cipher we are using */
buf[offset++] = ssl->cipher; buf[offset++] = ssl->cipher;
buf[offset++] = 0; /* no compression */ buf[offset++] = 0; /* no compression and no extensions supported */
buf[3] = offset - 4; /* handshake size */ buf[3] = offset - 4; /* handshake size */
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset); return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, NULL, offset);
} }
@ -338,10 +402,6 @@ static int process_client_key_xchg(SSL *ssl)
/* and continue - will die eventually when checking the mac */ /* and continue - will die eventually when checking the mac */
} }
#if 0
print_blob("pre-master", premaster_secret, SSL_SECRET_SIZE);
#endif
generate_master_secret(ssl, premaster_secret); generate_master_secret(ssl, premaster_secret);
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
@ -357,15 +417,34 @@ error:
} }
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
static const uint8_t g_cert_request[] = { HS_CERT_REQ, 0, 0, 4, 1, 0, 0, 0 }; static const uint8_t g_cert_request[] = { HS_CERT_REQ, 0,
0, 0x0e,
1, 1, // rsa sign
0x00, 0x08,
SIG_ALG_SHA256, SIG_ALG_RSA,
SIG_ALG_SHA512, SIG_ALG_RSA,
SIG_ALG_SHA384, SIG_ALG_RSA,
SIG_ALG_SHA1, SIG_ALG_RSA,
0, 0
};
static const uint8_t g_cert_request_v1[] = { HS_CERT_REQ, 0, 0, 4, 1, 0, 0, 0 };
/* /*
* Send the certificate request message. * Send the certificate request message.
*/ */
static int send_certificate_request(SSL *ssl) static int send_certificate_request(SSL *ssl)
{ {
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL, if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
{
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
g_cert_request, sizeof(g_cert_request)); g_cert_request, sizeof(g_cert_request));
}
else
{
return send_packet(ssl, PT_HANDSHAKE_PROTOCOL,
g_cert_request_v1, sizeof(g_cert_request_v1));
}
} }
/* /*
@ -377,29 +456,65 @@ static int process_cert_verify(SSL *ssl)
uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index]; uint8_t *buf = &ssl->bm_data[ssl->dc->bm_proc_index];
int pkt_size = ssl->bm_index; int pkt_size = ssl->bm_index;
uint8_t dgst_buf[MAX_KEY_BYTE_SIZE]; uint8_t dgst_buf[MAX_KEY_BYTE_SIZE];
uint8_t dgst[MD5_SIZE+SHA1_SIZE]; uint8_t dgst[MD5_SIZE + SHA1_SIZE];
X509_CTX *x509_ctx = ssl->x509_ctx; X509_CTX *x509_ctx = ssl->x509_ctx;
int ret = SSL_OK; int ret = SSL_OK;
int offset = 6;
int rsa_len;
int n; int n;
PARANOIA_CHECK(pkt_size, x509_ctx->rsa_ctx->num_octets+6);
DISPLAY_RSA(ssl, x509_ctx->rsa_ctx); DISPLAY_RSA(ssl, x509_ctx->rsa_ctx);
if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
{
// TODO: should really need to be able to handle other algorihms. An
// assumption is made on RSA/SHA256 and appears to be OK.
//uint8_t hash_alg = buf[4];
//uint8_t sig_alg = buf[5];
offset = 8;
rsa_len = (buf[6] << 8) + buf[7];
}
else
{
rsa_len = (buf[4] << 8) + buf[5];
}
PARANOIA_CHECK(pkt_size, offset + rsa_len);
/* rsa_ctx->bi_ctx is not thread-safe */ /* rsa_ctx->bi_ctx is not thread-safe */
SSL_CTX_LOCK(ssl->ssl_ctx->mutex); SSL_CTX_LOCK(ssl->ssl_ctx->mutex);
n = RSA_decrypt(x509_ctx->rsa_ctx, &buf[6], dgst_buf, sizeof(dgst_buf), 0); n = RSA_decrypt(x509_ctx->rsa_ctx, &buf[offset], dgst_buf,
sizeof(dgst_buf), 0);
SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex); SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
if (n != SHA1_SIZE + MD5_SIZE) if (ssl->version >= SSL_PROTOCOL_VERSION_TLS1_2) // TLS1.2+
{ {
ret = SSL_ERROR_INVALID_KEY; if (memcmp(dgst_buf, g_asn1_sha256, sizeof(g_asn1_sha256)))
goto end_cert_vfy; {
} ret = SSL_ERROR_INVALID_KEY;
goto error;
}
finished_digest(ssl, NULL, dgst); /* calculate the digest */ finished_digest(ssl, NULL, dgst); /* calculate the digest */
if (memcmp(dgst_buf, dgst, MD5_SIZE + SHA1_SIZE)) if (memcmp(&dgst_buf[sizeof(g_asn1_sha256)], dgst, SHA256_SIZE))
{
ret = SSL_ERROR_INVALID_KEY;
goto error;
}
}
else // TLS1.0/1.1
{ {
ret = SSL_ERROR_INVALID_KEY; if (n != SHA1_SIZE + MD5_SIZE)
{
ret = SSL_ERROR_INVALID_KEY;
goto end_cert_vfy;
}
finished_digest(ssl, NULL, dgst); /* calculate the digest */
if (memcmp(dgst_buf, dgst, MD5_SIZE + SHA1_SIZE))
{
ret = SSL_ERROR_INVALID_KEY;
}
} }
end_cert_vfy: end_cert_vfy:

390
ssl/x509.c
View file

@ -1,5 +1,5 @@
/* /*
* Copyright (c) 2007-2015, Cameron Rich * Copyright (c) 2007-2016, Cameron Rich
* *
* All rights reserved. * All rights reserved.
* *
@ -42,6 +42,13 @@
#include "crypto_misc.h" #include "crypto_misc.h"
#ifdef CONFIG_SSL_CERT_VERIFICATION #ifdef CONFIG_SSL_CERT_VERIFICATION
static int x509_v3_subject_alt_name(const uint8_t *cert, int offset,
X509_CTX *x509_ctx);
static int x509_v3_basic_constraints(const uint8_t *cert, int offset,
X509_CTX *x509_ctx);
static int x509_v3_key_usage(const uint8_t *cert, int offset,
X509_CTX *x509_ctx);
/** /**
* Retrieve the signature from a certificate. * Retrieve the signature from a certificate.
*/ */
@ -73,8 +80,11 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
{ {
int begin_tbs, end_tbs; int begin_tbs, end_tbs;
int ret = X509_NOT_OK, offset = 0, cert_size = 0; int ret = X509_NOT_OK, offset = 0, cert_size = 0;
int version = 0;
X509_CTX *x509_ctx; X509_CTX *x509_ctx;
#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
BI_CTX *bi_ctx; BI_CTX *bi_ctx;
#endif
*ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX)); *ctx = (X509_CTX *)calloc(1, sizeof(X509_CTX));
x509_ctx = *ctx; x509_ctx = *ctx;
@ -92,11 +102,10 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) if (asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0)
goto end_cert; goto end_cert;
if (cert[offset] == ASN1_EXPLICIT_TAG) /* optional version */ /* optional version */
{ if (cert[offset] == ASN1_EXPLICIT_TAG &&
if (asn1_version(cert, &offset, x509_ctx)) asn1_version(cert, &offset, &version) == X509_NOT_OK)
goto end_cert; goto end_cert;
}
if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */ if (asn1_skip_obj(cert, &offset, ASN1_INTEGER) || /* serial number */
asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0) asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0)
@ -117,9 +126,9 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
goto end_cert; goto end_cert;
} }
#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
bi_ctx = x509_ctx->rsa_ctx->bi_ctx; bi_ctx = x509_ctx->rsa_ctx->bi_ctx;
#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
/* use the appropriate signature algorithm */ /* use the appropriate signature algorithm */
switch (x509_ctx->sig_type) switch (x509_ctx->sig_type)
{ {
@ -179,50 +188,11 @@ int x509_new(const uint8_t *cert, int *len, X509_CTX **ctx)
break; break;
} }
if (cert[offset] == ASN1_V3_DATA) if (version == 2 && asn1_next_obj(cert, &offset, ASN1_V3_DATA) > 0)
{ {
int suboffset; x509_v3_subject_alt_name(cert, offset, x509_ctx);
x509_v3_basic_constraints(cert, offset, x509_ctx);
++offset; x509_v3_key_usage(cert, offset, x509_ctx);
get_asn1_length(cert, &offset);
if ((suboffset = asn1_find_subjectaltname(cert, offset)) > 0)
{
if (asn1_next_obj(cert, &suboffset, ASN1_OCTET_STRING) > 0)
{
int altlen;
if ((altlen = asn1_next_obj(cert,
&suboffset, ASN1_SEQUENCE)) > 0)
{
int endalt = suboffset + altlen;
int totalnames = 0;
while (suboffset < endalt)
{
int type = cert[suboffset++];
int dnslen = get_asn1_length(cert, &suboffset);
if (type == ASN1_CONTEXT_DNSNAME)
{
x509_ctx->subject_alt_dnsnames = (char**)
realloc(x509_ctx->subject_alt_dnsnames,
(totalnames + 2) * sizeof(char*));
x509_ctx->subject_alt_dnsnames[totalnames] =
(char*)malloc(dnslen + 1);
x509_ctx->subject_alt_dnsnames[totalnames+1] = NULL;
memcpy(x509_ctx->subject_alt_dnsnames[totalnames],
cert + suboffset, dnslen);
x509_ctx->subject_alt_dnsnames[
totalnames][dnslen] = 0;
++totalnames;
}
suboffset += dnslen;
}
}
}
}
} }
offset = end_tbs; /* skip the rest of v3 data */ offset = end_tbs; /* skip the rest of v3 data */
@ -250,6 +220,106 @@ end_cert:
return ret; return ret;
} }
#ifdef CONFIG_SSL_CERT_VERIFICATION /* only care if doing verification */
static int x509_v3_subject_alt_name(const uint8_t *cert, int offset,
X509_CTX *x509_ctx)
{
if ((offset = asn1_is_subject_alt_name(cert, offset)) > 0)
{
x509_ctx->subject_alt_name_present = true;
x509_ctx->subject_alt_name_is_critical =
asn1_is_critical_ext(cert, &offset);
if (asn1_next_obj(cert, &offset, ASN1_OCTET_STRING) > 0)
{
int altlen;
if ((altlen = asn1_next_obj(cert, &offset, ASN1_SEQUENCE)) > 0)
{
int endalt = offset + altlen;
int totalnames = 0;
while (offset < endalt)
{
int type = cert[offset++];
int dnslen = get_asn1_length(cert, &offset);
if (type == ASN1_CONTEXT_DNSNAME)
{
x509_ctx->subject_alt_dnsnames = (char**)
realloc(x509_ctx->subject_alt_dnsnames,
(totalnames + 2) * sizeof(char*));
x509_ctx->subject_alt_dnsnames[totalnames] =
(char*)malloc(dnslen + 1);
x509_ctx->subject_alt_dnsnames[totalnames+1] = NULL;
memcpy(x509_ctx->subject_alt_dnsnames[totalnames],
cert + offset, dnslen);
x509_ctx->subject_alt_dnsnames[totalnames][dnslen] = 0;
totalnames++;
}
offset += dnslen;
}
}
}
}
return X509_OK;
}
/**
* Basic constraints - see https://tools.ietf.org/html/rfc5280#page-39
*/
static int x509_v3_basic_constraints(const uint8_t *cert, int offset,
X509_CTX *x509_ctx)
{
int ret = X509_OK;
if ((offset = asn1_is_basic_constraints(cert, offset)) == 0)
goto end_contraints;
x509_ctx->basic_constraint_present = true;
x509_ctx->basic_constraint_is_critical =
asn1_is_critical_ext(cert, &offset);
if (asn1_next_obj(cert, &offset, ASN1_OCTET_STRING) < 0 ||
asn1_next_obj(cert, &offset, ASN1_SEQUENCE) < 0 ||
asn1_get_bool(cert, &offset, &x509_ctx->basic_constraint_cA) < 0 ||
asn1_get_int(cert, &offset,
&x509_ctx->basic_constraint_pathLenConstraint) < 0)
{
ret = X509_NOT_OK;
}
end_contraints:
return ret;
}
/*
* Key usage - see https://tools.ietf.org/html/rfc5280#section-4.2.1.3
*/
static int x509_v3_key_usage(const uint8_t *cert, int offset,
X509_CTX *x509_ctx)
{
int ret = X509_OK;
if ((offset = asn1_is_key_usage(cert, offset)) == 0)
goto end_key_usage;
x509_ctx->key_usage_present = true;
x509_ctx->key_usage_is_critical = asn1_is_critical_ext(cert, &offset);
if (asn1_next_obj(cert, &offset, ASN1_OCTET_STRING) < 0 ||
asn1_get_bit_string_as_int(cert, &offset, &x509_ctx->key_usage))
{
ret = X509_NOT_OK;
}
end_key_usage:
return ret;
}
#endif
/** /**
* Free an X.509 object's resources. * Free an X.509 object's resources.
*/ */
@ -343,8 +413,10 @@ static bigint *sig_verify(BI_CTX *ctx, const uint8_t *sig, int sig_len,
* - That the certificate(s) are not self-signed. * - That the certificate(s) are not self-signed.
* - The certificate chain is valid. * - The certificate chain is valid.
* - The signature of the certificate is valid. * - The signature of the certificate is valid.
* - Basic constraints
*/ */
int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert) int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert,
int *pathLenConstraint)
{ {
int ret = X509_OK, i = 0; int ret = X509_OK, i = 0;
bigint *cert_sig; bigint *cert_sig;
@ -387,6 +459,33 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
goto end_verify; goto end_verify;
} }
if (cert->basic_constraint_present)
{
/* If the cA boolean is not asserted,
then the keyCertSign bit in the key usage extension MUST NOT be
asserted. */
if (!cert->basic_constraint_cA &&
IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_CERT_SIGN))
{
ret = X509_VFY_ERROR_BASIC_CONSTRAINT;
goto end_verify;
}
/* The pathLenConstraint field is meaningful only if the cA boolean is
asserted and the key usage extension, if present, asserts the
keyCertSign bit. In this case, it gives the maximum number of
non-self-issued intermediate certificates that may follow this
certificate in a valid certification path. */
if (cert->basic_constraint_cA &&
(!cert->key_usage_present ||
IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_CERT_SIGN)) &&
(cert->basic_constraint_pathLenConstraint+1) < *pathLenConstraint)
{
ret = X509_VFY_ERROR_BASIC_CONSTRAINT;
goto end_verify;
}
}
next_cert = cert->next; next_cert = cert->next;
/* last cert in the chain - look for a trusted cert */ /* last cert in the chain - look for a trusted cert */
@ -394,17 +493,26 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
{ {
if (ca_cert_ctx != NULL) if (ca_cert_ctx != NULL)
{ {
/* go thu the CA store */ /* go thru the CA store */
while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i]) while (i < CONFIG_X509_MAX_CA_CERTS && ca_cert_ctx->cert[i])
{ {
/* the extension is present but the cA boolean is not
asserted, then the certified public key MUST NOT be used
to verify certificate signatures. */
if (cert->basic_constraint_present &&
!ca_cert_ctx->cert[i]->basic_constraint_cA)
continue;
if (asn1_compare_dn(cert->ca_cert_dn, if (asn1_compare_dn(cert->ca_cert_dn,
ca_cert_ctx->cert[i]->cert_dn) == 0) ca_cert_ctx->cert[i]->cert_dn) == 0)
{ {
/* use this CA certificate for signature verification */ /* use this CA certificate for signature verification */
match_ca_cert = 1; match_ca_cert = true;
ctx = ca_cert_ctx->cert[i]->rsa_ctx->bi_ctx; ctx = ca_cert_ctx->cert[i]->rsa_ctx->bi_ctx;
mod = ca_cert_ctx->cert[i]->rsa_ctx->m; mod = ca_cert_ctx->cert[i]->rsa_ctx->m;
expn = ca_cert_ctx->cert[i]->rsa_ctx->e; expn = ca_cert_ctx->cert[i]->rsa_ctx->e;
break; break;
} }
@ -463,7 +571,8 @@ int x509_verify(const CA_CERT_CTX *ca_cert_ctx, const X509_CTX *cert)
/* go down the certificate chain using recursion. */ /* go down the certificate chain using recursion. */
if (next_cert != NULL) if (next_cert != NULL)
{ {
ret = x509_verify(ca_cert_ctx, next_cert); (*pathLenConstraint)++; /* don't include last certificate */
ret = x509_verify(ca_cert_ctx, next_cert, pathLenConstraint);
} }
end_verify: end_verify:
@ -490,9 +599,140 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
printf("%s\n", cert->cert_dn[X509_ORGANIZATION] ? printf("%s\n", cert->cert_dn[X509_ORGANIZATION] ?
cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert); cert->cert_dn[X509_ORGANIZATION] : not_part_of_cert);
printf("Organizational Unit (OU):\t"); if (cert->cert_dn[X509_ORGANIZATIONAL_UNIT])
printf("%s\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT] ? {
cert->cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert); printf("Organizational Unit (OU):\t");
printf("%s\n", cert->cert_dn[X509_ORGANIZATIONAL_UNIT]);
}
if (cert->cert_dn[X509_LOCATION])
{
printf("Location (L):\t\t\t");
printf("%s\n", cert->cert_dn[X509_LOCATION]);
}
if (cert->cert_dn[X509_COUNTRY])
{
printf("Country (C):\t\t\t");
printf("%s\n", cert->cert_dn[X509_COUNTRY]);
}
if (cert->cert_dn[X509_STATE])
{
printf("State (ST):\t\t\t");
printf("%s\n", cert->cert_dn[X509_STATE]);
}
if (cert->basic_constraint_present)
{
printf("Basic Constraints:\t\t%sCA:%s, pathlen:%d\n",
cert->basic_constraint_is_critical ?
"critical, " : "",
cert->basic_constraint_cA? "TRUE" : "FALSE",
cert->basic_constraint_pathLenConstraint);
}
if (cert->key_usage_present)
{
printf("Key Usage:\t\t\t%s", cert->key_usage_is_critical ?
"critical, " : "");
bool has_started = false;
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_DIGITAL_SIGNATURE))
{
printf("Digital Signature");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_NON_REPUDIATION))
{
if (has_started)
printf(", ");
printf("Non Repudiation");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_ENCIPHERMENT))
{
if (has_started)
printf(", ");
printf("Key Encipherment");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_DATA_ENCIPHERMENT))
{
if (has_started)
printf(", ");
printf("Data Encipherment");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_AGREEMENT))
{
if (has_started)
printf(", ");
printf("Key Agreement");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_KEY_CERT_SIGN))
{
if (has_started)
printf(", ");
printf("Key Cert Sign");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_CRL_SIGN))
{
if (has_started)
printf(", ");
printf("CRL Sign");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_ENCIPHER_ONLY))
{
if (has_started)
printf(", ");
printf("Encipher Only");
has_started = true;
}
if (IS_SET_KEY_USAGE_FLAG(cert, KEY_USAGE_DECIPHER_ONLY))
{
if (has_started)
printf(", ");
printf("Decipher Only");
has_started = true;
}
printf("\n");
}
if (cert->subject_alt_name_present)
{
printf("Subject Alt Name:\t\t%s", cert->subject_alt_name_is_critical
? "critical, " : "");
if (cert->subject_alt_dnsnames)
{
int i = 0;
while (cert->subject_alt_dnsnames[i])
printf("%s ", cert->subject_alt_dnsnames[i++]);
}
printf("\n");
}
printf("=== CERTIFICATE ISSUED BY ===\n"); printf("=== CERTIFICATE ISSUED BY ===\n");
printf("Common Name (CN):\t\t"); printf("Common Name (CN):\t\t");
@ -503,9 +743,29 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATION] ? printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATION] ?
cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert); cert->ca_cert_dn[X509_ORGANIZATION] : not_part_of_cert);
printf("Organizational Unit (OU):\t"); if (cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT])
printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] ? {
cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT] : not_part_of_cert); printf("Organizational Unit (OU):\t");
printf("%s\n", cert->ca_cert_dn[X509_ORGANIZATIONAL_UNIT]);
}
if (cert->ca_cert_dn[X509_LOCATION])
{
printf("Location (L):\t\t\t");
printf("%s\n", cert->ca_cert_dn[X509_LOCATION]);
}
if (cert->ca_cert_dn[X509_COUNTRY])
{
printf("Country (C):\t\t\t");
printf("%s\n", cert->ca_cert_dn[X509_COUNTRY]);
}
if (cert->ca_cert_dn[X509_STATE])
{
printf("State (ST):\t\t\t");
printf("%s\n", cert->ca_cert_dn[X509_STATE]);
}
printf("Not Before:\t\t\t%s", ctime(&cert->not_before)); printf("Not Before:\t\t\t%s", ctime(&cert->not_before));
printf("Not After:\t\t\t%s", ctime(&cert->not_after)); printf("Not After:\t\t\t%s", ctime(&cert->not_after));
@ -513,9 +773,6 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
printf("Sig Type:\t\t\t"); printf("Sig Type:\t\t\t");
switch (cert->sig_type) switch (cert->sig_type)
{ {
case SIG_TYPE_MD2:
printf("MD2\n");
break;
case SIG_TYPE_MD5: case SIG_TYPE_MD5:
printf("MD5\n"); printf("MD5\n");
break; break;
@ -538,8 +795,10 @@ void x509_print(const X509_CTX *cert, CA_CERT_CTX *ca_cert_ctx)
if (ca_cert_ctx) if (ca_cert_ctx)
{ {
int pathLenConstraint = 0;
printf("Verify:\t\t\t\t%s\n", printf("Verify:\t\t\t\t%s\n",
x509_display_error(x509_verify(ca_cert_ctx, cert))); x509_display_error(x509_verify(ca_cert_ctx, cert,
&pathLenConstraint)));
} }
#if 0 #if 0
@ -590,6 +849,9 @@ const char * x509_display_error(int error)
case X509_INVALID_PRIV_KEY: case X509_INVALID_PRIV_KEY:
return "Invalid private key"; return "Invalid private key";
case X509_VFY_ERROR_BASIC_CONSTRAINT:
return "Basic constraint invalid";
default: default:
return "Unknown"; return "Unknown";
} }

3
www/index.html
View file

File diff suppressed because one or more lines are too long