Remove unused TLS, NET, and X.509 files
We've removed all software that depends on or uses the TLS, NET, and X.509 modules. This means TLS, NET, and X.509 are unused and can be removed. Remove TLS, NET, and X.509.
This commit is contained in:
Jaeden Amero
parent
bb1f701212
commit
a4308b29a4
40 changed files with 0 additions and 38846 deletions
436
library/certs.c
436
library/certs.c
|
|
@ -1,436 +0,0 @@
|
|||
/*
|
||||
* X.509 test certificates
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#include "mbedtls/certs.h"
|
||||
|
||||
#if defined(MBEDTLS_CERTS_C)
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
#define TEST_CA_CRT_EC \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" \
|
||||
"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \
|
||||
"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n" \
|
||||
"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \
|
||||
"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n" \
|
||||
"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n" \
|
||||
"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n" \
|
||||
"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n" \
|
||||
"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n" \
|
||||
"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n" \
|
||||
"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n" \
|
||||
"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n" \
|
||||
"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
|
||||
const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
|
||||
|
||||
const char mbedtls_test_ca_key_ec[] =
|
||||
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||
"Proc-Type: 4,ENCRYPTED\r\n"
|
||||
"DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"
|
||||
"\r\n"
|
||||
"IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n"
|
||||
"ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n"
|
||||
"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
|
||||
"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
|
||||
"-----END EC PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
|
||||
|
||||
const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
|
||||
const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
|
||||
|
||||
const char mbedtls_test_srv_crt_ec[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
"MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
|
||||
"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n"
|
||||
"CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n"
|
||||
"2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n"
|
||||
"BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n"
|
||||
"PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n"
|
||||
"clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n"
|
||||
"CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n"
|
||||
"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
|
||||
"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
|
||||
|
||||
const char mbedtls_test_srv_key_ec[] =
|
||||
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||
"MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n"
|
||||
"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
|
||||
"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
|
||||
"-----END EC PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
|
||||
|
||||
const char mbedtls_test_cli_crt_ec[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
"MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
|
||||
"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n"
|
||||
"WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n"
|
||||
"9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n"
|
||||
"MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n"
|
||||
"IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n"
|
||||
"MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n"
|
||||
"CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n"
|
||||
"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
|
||||
"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
|
||||
|
||||
const char mbedtls_test_cli_key_ec[] =
|
||||
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||
"MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n"
|
||||
"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
|
||||
"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
|
||||
"-----END EC PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
|
||||
#endif /* MBEDTLS_ECDSA_C */
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#define TEST_CA_CRT_RSA_SHA256 \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||
"MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||
"A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
|
||||
"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
|
||||
"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
|
||||
"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
|
||||
"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
|
||||
"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
|
||||
"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
|
||||
"gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n" \
|
||||
"FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n" \
|
||||
"CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n" \
|
||||
"BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n" \
|
||||
"4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n" \
|
||||
"XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n" \
|
||||
"G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n" \
|
||||
"ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n" \
|
||||
"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
|
||||
static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
|
||||
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA256;
|
||||
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||
#define TEST_CA_CRT_RSA_SOME
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
|
||||
#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
|
||||
#define TEST_CA_CRT_RSA_SHA1 \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||
"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||
"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||
"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
|
||||
"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
|
||||
"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
|
||||
"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
|
||||
"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
|
||||
"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
|
||||
"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
|
||||
"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n" \
|
||||
"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n" \
|
||||
"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n" \
|
||||
"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n" \
|
||||
"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n" \
|
||||
"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n" \
|
||||
"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n" \
|
||||
"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n" \
|
||||
"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
|
||||
static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
|
||||
|
||||
#if !defined (TEST_CA_CRT_RSA_SOME)
|
||||
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
|
||||
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||
#endif /* !TEST_CA_CRT_RSA_SOME */
|
||||
#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
|
||||
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
/* tests/data_files/server2-sha256.crt */
|
||||
#define TEST_SRV_CRT_RSA_SHA256 \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||
"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||
"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
|
||||
"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
|
||||
"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
|
||||
"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
|
||||
"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
|
||||
"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
|
||||
"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
|
||||
"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
|
||||
"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n" \
|
||||
"kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n" \
|
||||
"DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n" \
|
||||
"3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n" \
|
||||
"ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n" \
|
||||
"eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n" \
|
||||
"e4K1cVANRPN2o9Y=\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n"
|
||||
|
||||
const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
|
||||
const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||
#define TEST_SRV_CRT_RSA_SOME
|
||||
#endif /* MBEDTLS_SHA256_C */
|
||||
|
||||
#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
|
||||
/* tests/data_files/server2.crt */
|
||||
#define TEST_SRV_CRT_RSA_SHA1 \
|
||||
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||
"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||
"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||
"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
|
||||
"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
|
||||
"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
|
||||
"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
|
||||
"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
|
||||
"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
|
||||
"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
|
||||
"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
|
||||
"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAAFzC0rF\r\n" \
|
||||
"y6De8WMcdgQrEw3AhBHFjzqnxZw1ene4IBSC7lTw8rBSy3jOWQdPUWn+0y/pCeeF\r\n" \
|
||||
"kti6sevFdl1hLemGtd4q+T9TKEKGg3ND4ARfB5AUZZ9uEHq8WBkiwus5clGS17Qd\r\n" \
|
||||
"dS/TOisB59tQruLx1E1bPLtBKyqk4koC5WAULJwfpswGSyWJTpYwIpxcWE3D2tBu\r\n" \
|
||||
"UB6MZfXZFzWmWEOyKbeoXjXe8GBCGgHLywvYDsGQ36HSGtEsAvR2QaTLSxWYcfk1\r\n" \
|
||||
"fbDn4jSWkb4yZy1r01UEigFQtONieGwRFaUqEcFJHJvEEGVgh9keaVlOj2vrwf5r\r\n" \
|
||||
"4mN4lW7gLdenN6g=\r\n" \
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
|
||||
#if !defined(TEST_SRV_CRT_RSA_SOME)
|
||||
const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
|
||||
const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||
#endif /* TEST_SRV_CRT_RSA_SOME */
|
||||
#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
|
||||
|
||||
const char mbedtls_test_ca_key_rsa[] =
|
||||
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||
"Proc-Type: 4,ENCRYPTED\r\n"
|
||||
"DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"
|
||||
"\r\n"
|
||||
"9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n"
|
||||
"7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n"
|
||||
"Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n"
|
||||
"PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n"
|
||||
"GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n"
|
||||
"gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n"
|
||||
"QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n"
|
||||
"PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n"
|
||||
"vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n"
|
||||
"WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n"
|
||||
"JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n"
|
||||
"KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n"
|
||||
"Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n"
|
||||
"9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n"
|
||||
"iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n"
|
||||
"tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n"
|
||||
"P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n"
|
||||
"1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n"
|
||||
"nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n"
|
||||
"X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n"
|
||||
"rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n"
|
||||
"L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n"
|
||||
"I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n"
|
||||
"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
|
||||
"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
|
||||
"-----END RSA PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||
|
||||
const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
|
||||
const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||
|
||||
const char mbedtls_test_srv_key_rsa[] =
|
||||
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||
"MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
|
||||
"lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
|
||||
"2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
|
||||
"Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
|
||||
"GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
|
||||
"y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
|
||||
"++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
|
||||
"Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
|
||||
"/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
|
||||
"WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
|
||||
"GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
|
||||
"TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
|
||||
"CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
|
||||
"nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
|
||||
"AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
|
||||
"sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
|
||||
"mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
|
||||
"BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
|
||||
"whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
|
||||
"vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
|
||||
"3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
|
||||
"3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
|
||||
"ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
|
||||
"4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
|
||||
"TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
|
||||
"-----END RSA PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||
|
||||
/* tests/data_files/cli-rsa-sha256.crt */
|
||||
const char mbedtls_test_cli_crt_rsa[] =
|
||||
"-----BEGIN CERTIFICATE-----\r\n"
|
||||
"MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
|
||||
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
|
||||
"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||
"A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
|
||||
"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
|
||||
"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
|
||||
"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
|
||||
"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
|
||||
"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
|
||||
"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
|
||||
"o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n"
|
||||
"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n"
|
||||
"AQEAlHabem2Tu69VUN7EipwnQn1dIHdgvT5i+iQHpSxY1crPnBbAeSdAXwsVEqLQ\r\n"
|
||||
"gOOIAQD5VIITNuoGgo4i+4OpNh9u7ZkpRHla+/swsfrFWRRbBNP5Bcu74AGLstwU\r\n"
|
||||
"zM8gIkBiyfM1Q1qDQISV9trlCG6O8vh8dp/rbI3rfzo99BOHXgFCrzXjCuW4vDsF\r\n"
|
||||
"r+Dao26bX3sJ6UnEWg1H3o2x6PpUcvQ36h71/bz4TEbbUUEpe02V4QWuL+wrhHJL\r\n"
|
||||
"U7o3SVE3Og7jPF8sat0a50YUWhwEFI256m02KAXLg89ueUyYKEr6rNwhcvXJpvU9\r\n"
|
||||
"giIVvd0Sbjjnn7NC4VDbcXV8vw==\r\n"
|
||||
"-----END CERTIFICATE-----\r\n";
|
||||
const size_t mbedtls_test_cli_crt_rsa_len = sizeof( mbedtls_test_cli_crt_rsa );
|
||||
|
||||
/* tests/data_files/cli-rsa.key */
|
||||
const char mbedtls_test_cli_key_rsa[] =
|
||||
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||
"MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n"
|
||||
"B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n"
|
||||
"bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n"
|
||||
"Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n"
|
||||
"7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n"
|
||||
"dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n"
|
||||
"yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n"
|
||||
"4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n"
|
||||
"ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n"
|
||||
"zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n"
|
||||
"l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n"
|
||||
"DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n"
|
||||
"VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n"
|
||||
"Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n"
|
||||
"wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n"
|
||||
"c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n"
|
||||
"33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n"
|
||||
"ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n"
|
||||
"BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n"
|
||||
"KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n"
|
||||
"UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n"
|
||||
"7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n"
|
||||
"gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n"
|
||||
"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
|
||||
"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
|
||||
"-----END RSA PRIVATE KEY-----\r\n";
|
||||
const size_t mbedtls_test_cli_key_rsa_len = sizeof( mbedtls_test_cli_key_rsa );
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
/* Concatenation of all available CA certificates */
|
||||
const char mbedtls_test_cas_pem[] =
|
||||
#ifdef TEST_CA_CRT_RSA_SHA1
|
||||
TEST_CA_CRT_RSA_SHA1
|
||||
#endif
|
||||
#ifdef TEST_CA_CRT_RSA_SHA256
|
||||
TEST_CA_CRT_RSA_SHA256
|
||||
#endif
|
||||
#ifdef TEST_CA_CRT_EC
|
||||
TEST_CA_CRT_EC
|
||||
#endif
|
||||
"";
|
||||
const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
|
||||
#endif
|
||||
|
||||
/* List of all available CA certificates */
|
||||
const char * mbedtls_test_cas[] = {
|
||||
#if defined(TEST_CA_CRT_RSA_SHA1)
|
||||
mbedtls_test_ca_crt_rsa_sha1,
|
||||
#endif
|
||||
#if defined(TEST_CA_CRT_RSA_SHA256)
|
||||
mbedtls_test_ca_crt_rsa_sha256,
|
||||
#endif
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
mbedtls_test_ca_crt_ec,
|
||||
#endif
|
||||
NULL
|
||||
};
|
||||
const size_t mbedtls_test_cas_len[] = {
|
||||
#if defined(TEST_CA_CRT_RSA_SHA1)
|
||||
sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
|
||||
#endif
|
||||
#if defined(TEST_CA_CRT_RSA_SHA256)
|
||||
sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
|
||||
#endif
|
||||
#if defined(MBEDTLS_ECDSA_C)
|
||||
sizeof( mbedtls_test_ca_crt_ec ),
|
||||
#endif
|
||||
0
|
||||
};
|
||||
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_rsa; /* SHA1 or SHA256 */
|
||||
const char *mbedtls_test_ca_key = mbedtls_test_ca_key_rsa;
|
||||
const char *mbedtls_test_ca_pwd = mbedtls_test_ca_pwd_rsa;
|
||||
const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
|
||||
const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
|
||||
const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
|
||||
const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
|
||||
const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||
const size_t mbedtls_test_ca_key_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||
const size_t mbedtls_test_ca_pwd_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||
const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||
const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||
const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa );
|
||||
const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_rsa );
|
||||
#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
|
||||
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_ec;
|
||||
const char *mbedtls_test_ca_key = mbedtls_test_ca_key_ec;
|
||||
const char *mbedtls_test_ca_pwd = mbedtls_test_ca_pwd_ec;
|
||||
const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_ec;
|
||||
const char *mbedtls_test_srv_key = mbedtls_test_srv_key_ec;
|
||||
const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_ec;
|
||||
const char *mbedtls_test_cli_key = mbedtls_test_cli_key_ec;
|
||||
const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_ec );
|
||||
const size_t mbedtls_test_ca_key_len = sizeof( mbedtls_test_ca_key_ec );
|
||||
const size_t mbedtls_test_ca_pwd_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
|
||||
const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_ec );
|
||||
const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_ec );
|
||||
const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_ec );
|
||||
const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_ec );
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
|
||||
#endif /* MBEDTLS_CERTS_C */
|
||||
438
library/debug.c
438
library/debug.c
|
|
@ -1,438 +0,0 @@
|
|||
/*
|
||||
* Debugging routines
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_DEBUG_C)
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#define mbedtls_time_t time_t
|
||||
#define mbedtls_snprintf snprintf
|
||||
#define mbedtls_vsnprintf vsnprintf
|
||||
#endif
|
||||
|
||||
#include "mbedtls/debug.h"
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
||||
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
||||
!defined(inline) && !defined(__cplusplus)
|
||||
#define inline __inline
|
||||
#endif
|
||||
|
||||
#define DEBUG_BUF_SIZE 512
|
||||
|
||||
static int debug_threshold = 0;
|
||||
|
||||
void mbedtls_debug_set_threshold( int threshold )
|
||||
{
|
||||
debug_threshold = threshold;
|
||||
}
|
||||
|
||||
/*
|
||||
* All calls to f_dbg must be made via this function
|
||||
*/
|
||||
static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *str )
|
||||
{
|
||||
/*
|
||||
* If in a threaded environment, we need a thread identifier.
|
||||
* Since there is no portable way to get one, use the address of the ssl
|
||||
* context instead, as it shouldn't be shared between threads.
|
||||
*/
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
|
||||
mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", (void*)ssl, str );
|
||||
ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr );
|
||||
#else
|
||||
ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str );
|
||||
#endif
|
||||
}
|
||||
|
||||
void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *format, ... )
|
||||
{
|
||||
va_list argp;
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
int ret;
|
||||
|
||||
if( NULL == ssl ||
|
||||
NULL == ssl->conf ||
|
||||
NULL == ssl->conf->f_dbg ||
|
||||
level > debug_threshold )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
va_start( argp, format );
|
||||
ret = mbedtls_vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
|
||||
va_end( argp );
|
||||
|
||||
if( ret >= 0 && ret < DEBUG_BUF_SIZE - 1 )
|
||||
{
|
||||
str[ret] = '\n';
|
||||
str[ret + 1] = '\0';
|
||||
}
|
||||
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
}
|
||||
|
||||
void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *text, int ret )
|
||||
{
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
|
||||
if( NULL == ssl ||
|
||||
NULL == ssl->conf ||
|
||||
NULL == ssl->conf->f_dbg ||
|
||||
level > debug_threshold )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
/*
|
||||
* With non-blocking I/O and examples that just retry immediately,
|
||||
* the logs would be quickly flooded with WANT_READ, so ignore that.
|
||||
* Don't ignore WANT_WRITE however, since is is usually rare.
|
||||
*/
|
||||
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
|
||||
return;
|
||||
|
||||
mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n",
|
||||
text, ret, -ret );
|
||||
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
}
|
||||
|
||||
void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line, const char *text,
|
||||
const unsigned char *buf, size_t len )
|
||||
{
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
char txt[17];
|
||||
size_t i, idx = 0;
|
||||
|
||||
if( NULL == ssl ||
|
||||
NULL == ssl->conf ||
|
||||
NULL == ssl->conf->f_dbg ||
|
||||
level > debug_threshold )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
|
||||
text, (unsigned int) len );
|
||||
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
|
||||
idx = 0;
|
||||
memset( txt, 0, sizeof( txt ) );
|
||||
for( i = 0; i < len; i++ )
|
||||
{
|
||||
if( i >= 4096 )
|
||||
break;
|
||||
|
||||
if( i % 16 == 0 )
|
||||
{
|
||||
if( i > 0 )
|
||||
{
|
||||
mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt );
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
|
||||
idx = 0;
|
||||
memset( txt, 0, sizeof( txt ) );
|
||||
}
|
||||
|
||||
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "%04x: ",
|
||||
(unsigned int) i );
|
||||
|
||||
}
|
||||
|
||||
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x",
|
||||
(unsigned int) buf[i] );
|
||||
txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
|
||||
}
|
||||
|
||||
if( len > 0 )
|
||||
{
|
||||
for( /* i = i */; i % 16 != 0; i++ )
|
||||
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " " );
|
||||
|
||||
mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt );
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *text, const mbedtls_ecp_point *X )
|
||||
{
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
|
||||
if( NULL == ssl ||
|
||||
NULL == ssl->conf ||
|
||||
NULL == ssl->conf->f_dbg ||
|
||||
level > debug_threshold )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
|
||||
mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
|
||||
|
||||
mbedtls_snprintf( str, sizeof( str ), "%s(Y)", text );
|
||||
mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->Y );
|
||||
}
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_BIGNUM_C)
|
||||
void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *text, const mbedtls_mpi *X )
|
||||
{
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
int j, k, zeros = 1;
|
||||
size_t i, n, idx = 0;
|
||||
|
||||
if( NULL == ssl ||
|
||||
NULL == ssl->conf ||
|
||||
NULL == ssl->conf->f_dbg ||
|
||||
NULL == X ||
|
||||
level > debug_threshold )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
for( n = X->n - 1; n > 0; n-- )
|
||||
if( X->p[n] != 0 )
|
||||
break;
|
||||
|
||||
for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
|
||||
if( ( ( X->p[n] >> j ) & 1 ) != 0 )
|
||||
break;
|
||||
|
||||
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
|
||||
text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
|
||||
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
|
||||
idx = 0;
|
||||
for( i = n + 1, j = 0; i > 0; i-- )
|
||||
{
|
||||
if( zeros && X->p[i - 1] == 0 )
|
||||
continue;
|
||||
|
||||
for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
|
||||
{
|
||||
if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
|
||||
continue;
|
||||
else
|
||||
zeros = 0;
|
||||
|
||||
if( j % 16 == 0 )
|
||||
{
|
||||
if( j > 0 )
|
||||
{
|
||||
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
idx = 0;
|
||||
}
|
||||
}
|
||||
|
||||
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
|
||||
( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
|
||||
|
||||
j++;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
if( zeros == 1 )
|
||||
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
|
||||
|
||||
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
}
|
||||
#endif /* MBEDTLS_BIGNUM_C */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
static void debug_print_pk( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *text, const mbedtls_pk_context *pk )
|
||||
{
|
||||
size_t i;
|
||||
mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
|
||||
char name[16];
|
||||
|
||||
memset( items, 0, sizeof( items ) );
|
||||
|
||||
if( mbedtls_pk_debug( pk, items ) != 0 )
|
||||
{
|
||||
debug_send_line( ssl, level, file, line,
|
||||
"invalid PK context\n" );
|
||||
return;
|
||||
}
|
||||
|
||||
for( i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++ )
|
||||
{
|
||||
if( items[i].type == MBEDTLS_PK_DEBUG_NONE )
|
||||
return;
|
||||
|
||||
mbedtls_snprintf( name, sizeof( name ), "%s%s", text, items[i].name );
|
||||
name[sizeof( name ) - 1] = '\0';
|
||||
|
||||
if( items[i].type == MBEDTLS_PK_DEBUG_MPI )
|
||||
mbedtls_debug_print_mpi( ssl, level, file, line, name, items[i].value );
|
||||
else
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
if( items[i].type == MBEDTLS_PK_DEBUG_ECP )
|
||||
mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value );
|
||||
else
|
||||
#endif
|
||||
debug_send_line( ssl, level, file, line,
|
||||
"should not happen\n" );
|
||||
}
|
||||
}
|
||||
|
||||
static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line, const char *text )
|
||||
{
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
const char *start, *cur;
|
||||
|
||||
start = text;
|
||||
for( cur = text; *cur != '\0'; cur++ )
|
||||
{
|
||||
if( *cur == '\n' )
|
||||
{
|
||||
size_t len = cur - start + 1;
|
||||
if( len > DEBUG_BUF_SIZE - 1 )
|
||||
len = DEBUG_BUF_SIZE - 1;
|
||||
|
||||
memcpy( str, start, len );
|
||||
str[len] = '\0';
|
||||
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
|
||||
start = cur + 1;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const char *text, const mbedtls_x509_crt *crt )
|
||||
{
|
||||
char str[DEBUG_BUF_SIZE];
|
||||
int i = 0;
|
||||
|
||||
if( NULL == ssl ||
|
||||
NULL == ssl->conf ||
|
||||
NULL == ssl->conf->f_dbg ||
|
||||
NULL == crt ||
|
||||
level > debug_threshold )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
while( crt != NULL )
|
||||
{
|
||||
char buf[1024];
|
||||
|
||||
mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i );
|
||||
debug_send_line( ssl, level, file, line, str );
|
||||
|
||||
mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
|
||||
debug_print_line_by_line( ssl, level, file, line, buf );
|
||||
|
||||
debug_print_pk( ssl, level, file, line, "crt->", &crt->pk );
|
||||
|
||||
crt = crt->next;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C)
|
||||
static void mbedtls_debug_printf_ecdh_internal( const mbedtls_ssl_context *ssl,
|
||||
int level, const char *file,
|
||||
int line,
|
||||
const mbedtls_ecdh_context *ecdh,
|
||||
mbedtls_debug_ecdh_attr attr )
|
||||
{
|
||||
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||||
const mbedtls_ecdh_context* ctx = ecdh;
|
||||
#else
|
||||
const mbedtls_ecdh_context_mbed* ctx = &ecdh->ctx.mbed_ecdh;
|
||||
#endif
|
||||
|
||||
switch( attr )
|
||||
{
|
||||
case MBEDTLS_DEBUG_ECDH_Q:
|
||||
mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Q",
|
||||
&ctx->Q );
|
||||
break;
|
||||
case MBEDTLS_DEBUG_ECDH_QP:
|
||||
mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Qp",
|
||||
&ctx->Qp );
|
||||
break;
|
||||
case MBEDTLS_DEBUG_ECDH_Z:
|
||||
mbedtls_debug_print_mpi( ssl, level, file, line, "ECDH: z",
|
||||
&ctx->z );
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
|
||||
const char *file, int line,
|
||||
const mbedtls_ecdh_context *ecdh,
|
||||
mbedtls_debug_ecdh_attr attr )
|
||||
{
|
||||
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||||
mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh, attr );
|
||||
#else
|
||||
switch( ecdh->var )
|
||||
{
|
||||
default:
|
||||
mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh,
|
||||
attr );
|
||||
}
|
||||
#endif
|
||||
}
|
||||
#endif /* MBEDTLS_ECDH_C */
|
||||
|
||||
#endif /* MBEDTLS_DEBUG_C */
|
||||
200
library/error.c
200
library/error.c
|
|
@ -137,10 +137,6 @@
|
|||
#include "mbedtls/md5.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_NET_C)
|
||||
#include "mbedtls/net_sockets.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_OID_C)
|
||||
#include "mbedtls/oid.h"
|
||||
#endif
|
||||
|
|
@ -193,18 +189,10 @@
|
|||
#include "mbedtls/sha512.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS_C)
|
||||
#include "mbedtls/ssl.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
#include "mbedtls/threading.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||
#include "mbedtls/x509.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_XTEA_C)
|
||||
#include "mbedtls/xtea.h"
|
||||
#endif
|
||||
|
|
@ -410,165 +398,6 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
|
|||
if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
|
||||
#endif /* MBEDTLS_RSA_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_TLS_C)
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The requested feature is not available" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Bad input parameters to function" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - An unknown cipher was received" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_NO_RNG) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE) )
|
||||
{
|
||||
mbedtls_snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
|
||||
return;
|
||||
}
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Verification of our peer failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Memory allocation failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Session ticket has expired" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Unknown identity received (eg, PSK identity)" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - No data of requested type currently available on underlying transport" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
|
||||
if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
|
||||
mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
|
||||
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Requested OID is unknown" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Input invalid" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
|
||||
if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
|
||||
mbedtls_snprintf( buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
|
||||
#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
|
||||
// END generated code
|
||||
|
||||
if( strlen( buf ) == 0 )
|
||||
|
|
@ -790,35 +619,6 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
|
|||
mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
|
||||
#endif /* MBEDTLS_MD5_C */
|
||||
|
||||
#if defined(MBEDTLS_NET_C)
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Binding of the socket failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Could not listen on the socket" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Reading information from the socket failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Polling the net context failed" );
|
||||
if( use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA) )
|
||||
mbedtls_snprintf( buf, buflen, "NET - Input invalid" );
|
||||
#endif /* MBEDTLS_NET_C */
|
||||
|
||||
#if defined(MBEDTLS_OID_C)
|
||||
if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
|
||||
mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
|
||||
|
|
|
|||
|
|
@ -1,668 +0,0 @@
|
|||
/*
|
||||
* TCP/IP or UDP/IP networking functions
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
|
||||
* be set before config.h, which pulls in glibc's features.h indirectly.
|
||||
* Harmless on other platforms. */
|
||||
#define _POSIX_C_SOURCE 200112L
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_NET_C)
|
||||
|
||||
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
|
||||
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
|
||||
!defined(__HAIKU__)
|
||||
#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#endif
|
||||
|
||||
#include "mbedtls/net_sockets.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
|
||||
#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
|
||||
|
||||
#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
|
||||
#undef _WIN32_WINNT
|
||||
/* Enables getaddrinfo() & Co */
|
||||
#define _WIN32_WINNT 0x0501
|
||||
#endif
|
||||
|
||||
#include <ws2tcpip.h>
|
||||
|
||||
#include <winsock2.h>
|
||||
#include <windows.h>
|
||||
|
||||
#if defined(_MSC_VER)
|
||||
#if defined(_WIN32_WCE)
|
||||
#pragma comment( lib, "ws2.lib" )
|
||||
#else
|
||||
#pragma comment( lib, "ws2_32.lib" )
|
||||
#endif
|
||||
#endif /* _MSC_VER */
|
||||
|
||||
#define read(fd,buf,len) recv( fd, (char*)( buf ), (int)( len ), 0 )
|
||||
#define write(fd,buf,len) send( fd, (char*)( buf ), (int)( len ), 0 )
|
||||
#define close(fd) closesocket(fd)
|
||||
|
||||
static int wsa_init_done = 0;
|
||||
|
||||
#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/time.h>
|
||||
#include <unistd.h>
|
||||
#include <signal.h>
|
||||
#include <fcntl.h>
|
||||
#include <netdb.h>
|
||||
#include <errno.h>
|
||||
|
||||
#define IS_EINTR( ret ) ( ( ret ) == EINTR )
|
||||
|
||||
#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
|
||||
|
||||
/* Some MS functions want int and MSVC warns if we pass size_t,
|
||||
* but the standard functions use socklen_t, so cast only for MSVC */
|
||||
#if defined(_MSC_VER)
|
||||
#define MSVC_INT_CAST (int)
|
||||
#else
|
||||
#define MSVC_INT_CAST
|
||||
#endif
|
||||
|
||||
#include <stdio.h>
|
||||
|
||||
#include <time.h>
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
/*
|
||||
* Prepare for using the sockets interface
|
||||
*/
|
||||
static int net_prepare( void )
|
||||
{
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
WSADATA wsaData;
|
||||
|
||||
if( wsa_init_done == 0 )
|
||||
{
|
||||
if( WSAStartup( MAKEWORD(2,0), &wsaData ) != 0 )
|
||||
return( MBEDTLS_ERR_NET_SOCKET_FAILED );
|
||||
|
||||
wsa_init_done = 1;
|
||||
}
|
||||
#else
|
||||
#if !defined(EFIX64) && !defined(EFI32)
|
||||
signal( SIGPIPE, SIG_IGN );
|
||||
#endif
|
||||
#endif
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize a context
|
||||
*/
|
||||
void mbedtls_net_init( mbedtls_net_context *ctx )
|
||||
{
|
||||
ctx->fd = -1;
|
||||
}
|
||||
|
||||
/*
|
||||
* Initiate a TCP connection with host:port and the given protocol
|
||||
*/
|
||||
int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
|
||||
const char *port, int proto )
|
||||
{
|
||||
int ret;
|
||||
struct addrinfo hints, *addr_list, *cur;
|
||||
|
||||
if( ( ret = net_prepare() ) != 0 )
|
||||
return( ret );
|
||||
|
||||
/* Do name resolution with both IPv6 and IPv4 */
|
||||
memset( &hints, 0, sizeof( hints ) );
|
||||
hints.ai_family = AF_UNSPEC;
|
||||
hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
|
||||
hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
|
||||
|
||||
if( getaddrinfo( host, port, &hints, &addr_list ) != 0 )
|
||||
return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
|
||||
|
||||
/* Try the sockaddrs until a connection succeeds */
|
||||
ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
|
||||
for( cur = addr_list; cur != NULL; cur = cur->ai_next )
|
||||
{
|
||||
ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
|
||||
cur->ai_protocol );
|
||||
if( ctx->fd < 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
|
||||
continue;
|
||||
}
|
||||
|
||||
if( connect( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) == 0 )
|
||||
{
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
close( ctx->fd );
|
||||
ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
|
||||
}
|
||||
|
||||
freeaddrinfo( addr_list );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Create a listening socket on bind_ip:port
|
||||
*/
|
||||
int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
|
||||
{
|
||||
int n, ret;
|
||||
struct addrinfo hints, *addr_list, *cur;
|
||||
|
||||
if( ( ret = net_prepare() ) != 0 )
|
||||
return( ret );
|
||||
|
||||
/* Bind to IPv6 and/or IPv4, but only in the desired protocol */
|
||||
memset( &hints, 0, sizeof( hints ) );
|
||||
hints.ai_family = AF_UNSPEC;
|
||||
hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
|
||||
hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
|
||||
if( bind_ip == NULL )
|
||||
hints.ai_flags = AI_PASSIVE;
|
||||
|
||||
if( getaddrinfo( bind_ip, port, &hints, &addr_list ) != 0 )
|
||||
return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
|
||||
|
||||
/* Try the sockaddrs until a binding succeeds */
|
||||
ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
|
||||
for( cur = addr_list; cur != NULL; cur = cur->ai_next )
|
||||
{
|
||||
ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
|
||||
cur->ai_protocol );
|
||||
if( ctx->fd < 0 )
|
||||
{
|
||||
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
|
||||
continue;
|
||||
}
|
||||
|
||||
n = 1;
|
||||
if( setsockopt( ctx->fd, SOL_SOCKET, SO_REUSEADDR,
|
||||
(const char *) &n, sizeof( n ) ) != 0 )
|
||||
{
|
||||
close( ctx->fd );
|
||||
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
|
||||
continue;
|
||||
}
|
||||
|
||||
if( bind( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) != 0 )
|
||||
{
|
||||
close( ctx->fd );
|
||||
ret = MBEDTLS_ERR_NET_BIND_FAILED;
|
||||
continue;
|
||||
}
|
||||
|
||||
/* Listen only makes sense for TCP */
|
||||
if( proto == MBEDTLS_NET_PROTO_TCP )
|
||||
{
|
||||
if( listen( ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG ) != 0 )
|
||||
{
|
||||
close( ctx->fd );
|
||||
ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
/* Bind was successful */
|
||||
ret = 0;
|
||||
break;
|
||||
}
|
||||
|
||||
freeaddrinfo( addr_list );
|
||||
|
||||
return( ret );
|
||||
|
||||
}
|
||||
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
/*
|
||||
* Check if the requested operation would be blocking on a non-blocking socket
|
||||
* and thus 'failed' with a negative return value.
|
||||
*/
|
||||
static int net_would_block( const mbedtls_net_context *ctx )
|
||||
{
|
||||
((void) ctx);
|
||||
return( WSAGetLastError() == WSAEWOULDBLOCK );
|
||||
}
|
||||
#else
|
||||
/*
|
||||
* Check if the requested operation would be blocking on a non-blocking socket
|
||||
* and thus 'failed' with a negative return value.
|
||||
*
|
||||
* Note: on a blocking socket this function always returns 0!
|
||||
*/
|
||||
static int net_would_block( const mbedtls_net_context *ctx )
|
||||
{
|
||||
int err = errno;
|
||||
|
||||
/*
|
||||
* Never return 'WOULD BLOCK' on a non-blocking socket
|
||||
*/
|
||||
if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
|
||||
{
|
||||
errno = err;
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
switch( errno = err )
|
||||
{
|
||||
#if defined EAGAIN
|
||||
case EAGAIN:
|
||||
#endif
|
||||
#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
|
||||
case EWOULDBLOCK:
|
||||
#endif
|
||||
return( 1 );
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
|
||||
|
||||
/*
|
||||
* Accept a connection from a remote client
|
||||
*/
|
||||
int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
|
||||
mbedtls_net_context *client_ctx,
|
||||
void *client_ip, size_t buf_size, size_t *ip_len )
|
||||
{
|
||||
int ret;
|
||||
int type;
|
||||
|
||||
struct sockaddr_storage client_addr;
|
||||
|
||||
#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
|
||||
defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
|
||||
socklen_t n = (socklen_t) sizeof( client_addr );
|
||||
socklen_t type_len = (socklen_t) sizeof( type );
|
||||
#else
|
||||
int n = (int) sizeof( client_addr );
|
||||
int type_len = (int) sizeof( type );
|
||||
#endif
|
||||
|
||||
/* Is this a TCP or UDP socket? */
|
||||
if( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
|
||||
(void *) &type, &type_len ) != 0 ||
|
||||
( type != SOCK_STREAM && type != SOCK_DGRAM ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
|
||||
}
|
||||
|
||||
if( type == SOCK_STREAM )
|
||||
{
|
||||
/* TCP: actual accept() */
|
||||
ret = client_ctx->fd = (int) accept( bind_ctx->fd,
|
||||
(struct sockaddr *) &client_addr, &n );
|
||||
}
|
||||
else
|
||||
{
|
||||
/* UDP: wait for a message, but keep it in the queue */
|
||||
char buf[1] = { 0 };
|
||||
|
||||
ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
|
||||
(struct sockaddr *) &client_addr, &n );
|
||||
|
||||
#if defined(_WIN32)
|
||||
if( ret == SOCKET_ERROR &&
|
||||
WSAGetLastError() == WSAEMSGSIZE )
|
||||
{
|
||||
/* We know buf is too small, thanks, just peeking here */
|
||||
ret = 0;
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
if( ret < 0 )
|
||||
{
|
||||
if( net_would_block( bind_ctx ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||
|
||||
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
|
||||
}
|
||||
|
||||
/* UDP: hijack the listening socket to communicate with the client,
|
||||
* then bind a new socket to accept new connections */
|
||||
if( type != SOCK_STREAM )
|
||||
{
|
||||
struct sockaddr_storage local_addr;
|
||||
int one = 1;
|
||||
|
||||
if( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 )
|
||||
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
|
||||
|
||||
client_ctx->fd = bind_ctx->fd;
|
||||
bind_ctx->fd = -1; /* In case we exit early */
|
||||
|
||||
n = sizeof( struct sockaddr_storage );
|
||||
if( getsockname( client_ctx->fd,
|
||||
(struct sockaddr *) &local_addr, &n ) != 0 ||
|
||||
( bind_ctx->fd = (int) socket( local_addr.ss_family,
|
||||
SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
|
||||
setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
|
||||
(const char *) &one, sizeof( one ) ) != 0 )
|
||||
{
|
||||
return( MBEDTLS_ERR_NET_SOCKET_FAILED );
|
||||
}
|
||||
|
||||
if( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 )
|
||||
{
|
||||
return( MBEDTLS_ERR_NET_BIND_FAILED );
|
||||
}
|
||||
}
|
||||
|
||||
if( client_ip != NULL )
|
||||
{
|
||||
if( client_addr.ss_family == AF_INET )
|
||||
{
|
||||
struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
|
||||
*ip_len = sizeof( addr4->sin_addr.s_addr );
|
||||
|
||||
if( buf_size < *ip_len )
|
||||
return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
|
||||
|
||||
memcpy( client_ip, &addr4->sin_addr.s_addr, *ip_len );
|
||||
}
|
||||
else
|
||||
{
|
||||
struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
|
||||
*ip_len = sizeof( addr6->sin6_addr.s6_addr );
|
||||
|
||||
if( buf_size < *ip_len )
|
||||
return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
|
||||
|
||||
memcpy( client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
|
||||
}
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Set the socket blocking or non-blocking
|
||||
*/
|
||||
int mbedtls_net_set_block( mbedtls_net_context *ctx )
|
||||
{
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
u_long n = 0;
|
||||
return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
|
||||
#else
|
||||
return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
|
||||
#endif
|
||||
}
|
||||
|
||||
int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
|
||||
{
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
u_long n = 1;
|
||||
return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
|
||||
#else
|
||||
return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) | O_NONBLOCK ) );
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* Check if data is available on the socket
|
||||
*/
|
||||
|
||||
int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout )
|
||||
{
|
||||
int ret;
|
||||
struct timeval tv;
|
||||
|
||||
fd_set read_fds;
|
||||
fd_set write_fds;
|
||||
|
||||
int fd = ctx->fd;
|
||||
|
||||
if( fd < 0 )
|
||||
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||
|
||||
#if defined(__has_feature)
|
||||
#if __has_feature(memory_sanitizer)
|
||||
/* Ensure that memory sanitizers consider read_fds and write_fds as
|
||||
* initialized even on platforms such as Glibc/x86_64 where FD_ZERO
|
||||
* is implemented in assembly. */
|
||||
memset( &read_fds, 0, sizeof( read_fds ) );
|
||||
memset( &write_fds, 0, sizeof( write_fds ) );
|
||||
#endif
|
||||
#endif
|
||||
|
||||
FD_ZERO( &read_fds );
|
||||
if( rw & MBEDTLS_NET_POLL_READ )
|
||||
{
|
||||
rw &= ~MBEDTLS_NET_POLL_READ;
|
||||
FD_SET( fd, &read_fds );
|
||||
}
|
||||
|
||||
FD_ZERO( &write_fds );
|
||||
if( rw & MBEDTLS_NET_POLL_WRITE )
|
||||
{
|
||||
rw &= ~MBEDTLS_NET_POLL_WRITE;
|
||||
FD_SET( fd, &write_fds );
|
||||
}
|
||||
|
||||
if( rw != 0 )
|
||||
return( MBEDTLS_ERR_NET_BAD_INPUT_DATA );
|
||||
|
||||
tv.tv_sec = timeout / 1000;
|
||||
tv.tv_usec = ( timeout % 1000 ) * 1000;
|
||||
|
||||
do
|
||||
{
|
||||
ret = select( fd + 1, &read_fds, &write_fds, NULL,
|
||||
timeout == (uint32_t) -1 ? NULL : &tv );
|
||||
}
|
||||
while( IS_EINTR( ret ) );
|
||||
|
||||
if( ret < 0 )
|
||||
return( MBEDTLS_ERR_NET_POLL_FAILED );
|
||||
|
||||
ret = 0;
|
||||
if( FD_ISSET( fd, &read_fds ) )
|
||||
ret |= MBEDTLS_NET_POLL_READ;
|
||||
if( FD_ISSET( fd, &write_fds ) )
|
||||
ret |= MBEDTLS_NET_POLL_WRITE;
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Portable usleep helper
|
||||
*/
|
||||
void mbedtls_net_usleep( unsigned long usec )
|
||||
{
|
||||
#if defined(_WIN32)
|
||||
Sleep( ( usec + 999 ) / 1000 );
|
||||
#else
|
||||
struct timeval tv;
|
||||
tv.tv_sec = usec / 1000000;
|
||||
#if defined(__unix__) || defined(__unix) || \
|
||||
( defined(__APPLE__) && defined(__MACH__) )
|
||||
tv.tv_usec = (suseconds_t) usec % 1000000;
|
||||
#else
|
||||
tv.tv_usec = usec % 1000000;
|
||||
#endif
|
||||
select( 0, NULL, NULL, NULL, &tv );
|
||||
#endif
|
||||
}
|
||||
|
||||
/*
|
||||
* Read at most 'len' characters
|
||||
*/
|
||||
int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
|
||||
{
|
||||
int ret;
|
||||
int fd = ((mbedtls_net_context *) ctx)->fd;
|
||||
|
||||
if( fd < 0 )
|
||||
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||
|
||||
ret = (int) read( fd, buf, len );
|
||||
|
||||
if( ret < 0 )
|
||||
{
|
||||
if( net_would_block( ctx ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
if( WSAGetLastError() == WSAECONNRESET )
|
||||
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||
#else
|
||||
if( errno == EPIPE || errno == ECONNRESET )
|
||||
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||
|
||||
if( errno == EINTR )
|
||||
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||
#endif
|
||||
|
||||
return( MBEDTLS_ERR_NET_RECV_FAILED );
|
||||
}
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Read at most 'len' characters, blocking for at most 'timeout' ms
|
||||
*/
|
||||
int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf,
|
||||
size_t len, uint32_t timeout )
|
||||
{
|
||||
int ret;
|
||||
struct timeval tv;
|
||||
fd_set read_fds;
|
||||
int fd = ((mbedtls_net_context *) ctx)->fd;
|
||||
|
||||
if( fd < 0 )
|
||||
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||
|
||||
FD_ZERO( &read_fds );
|
||||
FD_SET( fd, &read_fds );
|
||||
|
||||
tv.tv_sec = timeout / 1000;
|
||||
tv.tv_usec = ( timeout % 1000 ) * 1000;
|
||||
|
||||
ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
|
||||
|
||||
/* Zero fds ready means we timed out */
|
||||
if( ret == 0 )
|
||||
return( MBEDTLS_ERR_SSL_TIMEOUT );
|
||||
|
||||
if( ret < 0 )
|
||||
{
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
if( WSAGetLastError() == WSAEINTR )
|
||||
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||
#else
|
||||
if( errno == EINTR )
|
||||
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||
#endif
|
||||
|
||||
return( MBEDTLS_ERR_NET_RECV_FAILED );
|
||||
}
|
||||
|
||||
/* This call will not block */
|
||||
return( mbedtls_net_recv( ctx, buf, len ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Write at most 'len' characters
|
||||
*/
|
||||
int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
|
||||
{
|
||||
int ret;
|
||||
int fd = ((mbedtls_net_context *) ctx)->fd;
|
||||
|
||||
if( fd < 0 )
|
||||
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||
|
||||
ret = (int) write( fd, buf, len );
|
||||
|
||||
if( ret < 0 )
|
||||
{
|
||||
if( net_would_block( ctx ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_WANT_WRITE );
|
||||
|
||||
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||
!defined(EFI32)
|
||||
if( WSAGetLastError() == WSAECONNRESET )
|
||||
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||
#else
|
||||
if( errno == EPIPE || errno == ECONNRESET )
|
||||
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||
|
||||
if( errno == EINTR )
|
||||
return( MBEDTLS_ERR_SSL_WANT_WRITE );
|
||||
#endif
|
||||
|
||||
return( MBEDTLS_ERR_NET_SEND_FAILED );
|
||||
}
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Gracefully close the connection
|
||||
*/
|
||||
void mbedtls_net_free( mbedtls_net_context *ctx )
|
||||
{
|
||||
if( ctx->fd == -1 )
|
||||
return;
|
||||
|
||||
shutdown( ctx->fd, 2 );
|
||||
close( ctx->fd );
|
||||
|
||||
ctx->fd = -1;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_NET_C */
|
||||
240
library/pkcs11.c
240
library/pkcs11.c
|
|
@ -1,240 +0,0 @@
|
|||
/**
|
||||
* \file pkcs11.c
|
||||
*
|
||||
* \brief Wrapper for PKCS#11 library libpkcs11-helper
|
||||
*
|
||||
* \author Adriaan de Jong <dejong@fox-it.com>
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#include "mbedtls/pkcs11.h"
|
||||
|
||||
#if defined(MBEDTLS_PKCS11_C)
|
||||
|
||||
#include "mbedtls/md.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/x509_crt.h"
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
|
||||
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
|
||||
}
|
||||
|
||||
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
|
||||
{
|
||||
int ret = 1;
|
||||
unsigned char *cert_blob = NULL;
|
||||
size_t cert_blob_size = 0;
|
||||
|
||||
if( cert == NULL )
|
||||
{
|
||||
ret = 2;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
|
||||
&cert_blob_size ) != CKR_OK )
|
||||
{
|
||||
ret = 3;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
cert_blob = mbedtls_calloc( 1, cert_blob_size );
|
||||
if( NULL == cert_blob )
|
||||
{
|
||||
ret = 4;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
|
||||
&cert_blob_size ) != CKR_OK )
|
||||
{
|
||||
ret = 5;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
|
||||
{
|
||||
ret = 6;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
ret = 0;
|
||||
|
||||
cleanup:
|
||||
if( NULL != cert_blob )
|
||||
mbedtls_free( cert_blob );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
|
||||
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
|
||||
pkcs11h_certificate_t pkcs11_cert )
|
||||
{
|
||||
int ret = 1;
|
||||
mbedtls_x509_crt cert;
|
||||
|
||||
mbedtls_x509_crt_init( &cert );
|
||||
|
||||
if( priv_key == NULL )
|
||||
goto cleanup;
|
||||
|
||||
if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
|
||||
goto cleanup;
|
||||
|
||||
priv_key->len = mbedtls_pk_get_len( &cert.pk );
|
||||
priv_key->pkcs11h_cert = pkcs11_cert;
|
||||
|
||||
ret = 0;
|
||||
|
||||
cleanup:
|
||||
mbedtls_x509_crt_free( &cert );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
|
||||
{
|
||||
if( NULL != priv_key )
|
||||
pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
|
||||
}
|
||||
|
||||
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
|
||||
int mode, size_t *olen,
|
||||
const unsigned char *input,
|
||||
unsigned char *output,
|
||||
size_t output_max_len )
|
||||
{
|
||||
size_t input_len, output_len;
|
||||
|
||||
if( NULL == ctx )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( MBEDTLS_RSA_PRIVATE != mode )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
output_len = input_len = ctx->len;
|
||||
|
||||
if( input_len < 16 || input_len > output_max_len )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
/* Determine size of output buffer */
|
||||
if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
|
||||
input_len, NULL, &output_len ) != CKR_OK )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( output_len > output_max_len )
|
||||
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
|
||||
|
||||
if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
|
||||
input_len, output, &output_len ) != CKR_OK )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
*olen = output_len;
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
|
||||
int mode,
|
||||
mbedtls_md_type_t md_alg,
|
||||
unsigned int hashlen,
|
||||
const unsigned char *hash,
|
||||
unsigned char *sig )
|
||||
{
|
||||
size_t sig_len = 0, asn_len = 0, oid_size = 0;
|
||||
unsigned char *p = sig;
|
||||
const char *oid;
|
||||
|
||||
if( NULL == ctx )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( MBEDTLS_RSA_PRIVATE != mode )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( md_alg != MBEDTLS_MD_NONE )
|
||||
{
|
||||
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
|
||||
if( md_info == NULL )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
|
||||
hashlen = mbedtls_md_get_size( md_info );
|
||||
asn_len = 10 + oid_size;
|
||||
}
|
||||
|
||||
sig_len = ctx->len;
|
||||
if( hashlen > sig_len || asn_len > sig_len ||
|
||||
hashlen + asn_len > sig_len )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( md_alg != MBEDTLS_MD_NONE )
|
||||
{
|
||||
/*
|
||||
* DigestInfo ::= SEQUENCE {
|
||||
* digestAlgorithm DigestAlgorithmIdentifier,
|
||||
* digest Digest }
|
||||
*
|
||||
* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
|
||||
*
|
||||
* Digest ::= OCTET STRING
|
||||
*/
|
||||
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
|
||||
*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
|
||||
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
|
||||
*p++ = (unsigned char) ( 0x04 + oid_size );
|
||||
*p++ = MBEDTLS_ASN1_OID;
|
||||
*p++ = oid_size & 0xFF;
|
||||
memcpy( p, oid, oid_size );
|
||||
p += oid_size;
|
||||
*p++ = MBEDTLS_ASN1_NULL;
|
||||
*p++ = 0x00;
|
||||
*p++ = MBEDTLS_ASN1_OCTET_STRING;
|
||||
*p++ = hashlen;
|
||||
}
|
||||
|
||||
memcpy( p, hash, hashlen );
|
||||
|
||||
if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
|
||||
asn_len + hashlen, sig, &sig_len ) != CKR_OK )
|
||||
{
|
||||
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* defined(MBEDTLS_PKCS11_C) */
|
||||
|
|
@ -1,353 +0,0 @@
|
|||
/*
|
||||
* SSL session cache implementation
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
/*
|
||||
* These session callbacks use a simple chained list
|
||||
* to store and retrieve the session information.
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_CACHE_C)
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#include "mbedtls/ssl_cache.h"
|
||||
#include "mbedtls/ssl_internal.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
|
||||
{
|
||||
memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
|
||||
|
||||
cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
|
||||
cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_init( &cache->mutex );
|
||||
#endif
|
||||
}
|
||||
|
||||
int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
||||
{
|
||||
int ret = 1;
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
mbedtls_time_t t = mbedtls_time( NULL );
|
||||
#endif
|
||||
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
|
||||
mbedtls_ssl_cache_entry *cur, *entry;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_lock( &cache->mutex ) != 0 )
|
||||
return( 1 );
|
||||
#endif
|
||||
|
||||
cur = cache->chain;
|
||||
entry = NULL;
|
||||
|
||||
while( cur != NULL )
|
||||
{
|
||||
entry = cur;
|
||||
cur = cur->next;
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
if( cache->timeout != 0 &&
|
||||
(int) ( t - entry->timestamp ) > cache->timeout )
|
||||
continue;
|
||||
#endif
|
||||
|
||||
if( session->ciphersuite != entry->session.ciphersuite ||
|
||||
session->compression != entry->session.compression ||
|
||||
session->id_len != entry->session.id_len )
|
||||
continue;
|
||||
|
||||
if( memcmp( session->id, entry->session.id,
|
||||
entry->session.id_len ) != 0 )
|
||||
continue;
|
||||
|
||||
ret = mbedtls_ssl_session_copy( session, &entry->session );
|
||||
if( ret != 0 )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/*
|
||||
* Restore peer certificate (without rest of the original chain)
|
||||
*/
|
||||
if( entry->peer_cert.p != NULL )
|
||||
{
|
||||
/* `session->peer_cert` is NULL after the call to
|
||||
* mbedtls_ssl_session_copy(), because cache entries
|
||||
* have the `peer_cert` field set to NULL. */
|
||||
|
||||
if( ( session->peer_cert = mbedtls_calloc( 1,
|
||||
sizeof(mbedtls_x509_crt) ) ) == NULL )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
mbedtls_x509_crt_init( session->peer_cert );
|
||||
if( mbedtls_x509_crt_parse( session->peer_cert, entry->peer_cert.p,
|
||||
entry->peer_cert.len ) != 0 )
|
||||
{
|
||||
mbedtls_free( session->peer_cert );
|
||||
session->peer_cert = NULL;
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
ret = 0;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
|
||||
ret = 1;
|
||||
#endif
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
||||
{
|
||||
int ret = 1;
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
mbedtls_time_t t = mbedtls_time( NULL ), oldest = 0;
|
||||
mbedtls_ssl_cache_entry *old = NULL;
|
||||
#endif
|
||||
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
|
||||
mbedtls_ssl_cache_entry *cur, *prv;
|
||||
int count = 0;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( ( ret = mbedtls_mutex_lock( &cache->mutex ) ) != 0 )
|
||||
return( ret );
|
||||
#endif
|
||||
|
||||
cur = cache->chain;
|
||||
prv = NULL;
|
||||
|
||||
while( cur != NULL )
|
||||
{
|
||||
count++;
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
if( cache->timeout != 0 &&
|
||||
(int) ( t - cur->timestamp ) > cache->timeout )
|
||||
{
|
||||
cur->timestamp = t;
|
||||
break; /* expired, reuse this slot, update timestamp */
|
||||
}
|
||||
#endif
|
||||
|
||||
if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
|
||||
break; /* client reconnected, keep timestamp for session id */
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
if( oldest == 0 || cur->timestamp < oldest )
|
||||
{
|
||||
oldest = cur->timestamp;
|
||||
old = cur;
|
||||
}
|
||||
#endif
|
||||
|
||||
prv = cur;
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
if( cur == NULL )
|
||||
{
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
/*
|
||||
* Reuse oldest entry if max_entries reached
|
||||
*/
|
||||
if( count >= cache->max_entries )
|
||||
{
|
||||
if( old == NULL )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
cur = old;
|
||||
}
|
||||
#else /* MBEDTLS_HAVE_TIME */
|
||||
/*
|
||||
* Reuse first entry in chain if max_entries reached,
|
||||
* but move to last place
|
||||
*/
|
||||
if( count >= cache->max_entries )
|
||||
{
|
||||
if( cache->chain == NULL )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
cur = cache->chain;
|
||||
cache->chain = cur->next;
|
||||
cur->next = NULL;
|
||||
prv->next = cur;
|
||||
}
|
||||
#endif /* MBEDTLS_HAVE_TIME */
|
||||
else
|
||||
{
|
||||
/*
|
||||
* max_entries not reached, create new entry
|
||||
*/
|
||||
cur = mbedtls_calloc( 1, sizeof(mbedtls_ssl_cache_entry) );
|
||||
if( cur == NULL )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if( prv == NULL )
|
||||
cache->chain = cur;
|
||||
else
|
||||
prv->next = cur;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
cur->timestamp = t;
|
||||
#endif
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/*
|
||||
* If we're reusing an entry, free its certificate first
|
||||
*/
|
||||
if( cur->peer_cert.p != NULL )
|
||||
{
|
||||
mbedtls_free( cur->peer_cert.p );
|
||||
memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
/* Copy the entire session; this temporarily makes a copy of the
|
||||
* X.509 CRT structure even though we only want to store the raw CRT.
|
||||
* This inefficiency will go away as soon as we implement on-demand
|
||||
* parsing of CRTs, in which case there's no need for the `peer_cert`
|
||||
* field anymore in the first place, and we're done after this call. */
|
||||
ret = mbedtls_ssl_session_copy( &cur->session, session );
|
||||
if( ret != 0 )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/* If present, free the X.509 structure and only store the raw CRT data. */
|
||||
if( cur->session.peer_cert != NULL )
|
||||
{
|
||||
cur->peer_cert.p =
|
||||
mbedtls_calloc( 1, cur->session.peer_cert->raw.len );
|
||||
if( cur->peer_cert.p == NULL )
|
||||
{
|
||||
ret = 1;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
memcpy( cur->peer_cert.p,
|
||||
cur->session.peer_cert->raw.p,
|
||||
cur->session.peer_cert->raw.len );
|
||||
cur->peer_cert.len = session->peer_cert->raw.len;
|
||||
|
||||
mbedtls_x509_crt_free( cur->session.peer_cert );
|
||||
mbedtls_free( cur->session.peer_cert );
|
||||
cur->session.peer_cert = NULL;
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
ret = 0;
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
|
||||
ret = 1;
|
||||
#endif
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout )
|
||||
{
|
||||
if( timeout < 0 ) timeout = 0;
|
||||
|
||||
cache->timeout = timeout;
|
||||
}
|
||||
#endif /* MBEDTLS_HAVE_TIME */
|
||||
|
||||
void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max )
|
||||
{
|
||||
if( max < 0 ) max = 0;
|
||||
|
||||
cache->max_entries = max;
|
||||
}
|
||||
|
||||
void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
|
||||
{
|
||||
mbedtls_ssl_cache_entry *cur, *prv;
|
||||
|
||||
cur = cache->chain;
|
||||
|
||||
while( cur != NULL )
|
||||
{
|
||||
prv = cur;
|
||||
cur = cur->next;
|
||||
|
||||
mbedtls_ssl_session_free( &prv->session );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
mbedtls_free( prv->peer_cert.p );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
|
||||
mbedtls_free( prv );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_free( &cache->mutex );
|
||||
#endif
|
||||
cache->chain = NULL;
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_CACHE_C */
|
||||
File diff suppressed because it is too large
Load diff
3944
library/ssl_cli.c
3944
library/ssl_cli.c
File diff suppressed because it is too large
Load diff
|
|
@ -1,256 +0,0 @@
|
|||
/*
|
||||
* DTLS cookie callbacks implementation
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
/*
|
||||
* These session callbacks use a simple chained list
|
||||
* to store and retrieve the session information.
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_COOKIE_C)
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#include "mbedtls/ssl_cookie.h"
|
||||
#include "mbedtls/ssl_internal.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
/*
|
||||
* If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
|
||||
* available. Try SHA-256 first, 512 wastes resources since we need to stay
|
||||
* with max 32 bytes of cookie for DTLS 1.0
|
||||
*/
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
#define COOKIE_MD MBEDTLS_MD_SHA224
|
||||
#define COOKIE_MD_OUTLEN 32
|
||||
#define COOKIE_HMAC_LEN 28
|
||||
#elif defined(MBEDTLS_SHA512_C)
|
||||
#define COOKIE_MD MBEDTLS_MD_SHA384
|
||||
#define COOKIE_MD_OUTLEN 48
|
||||
#define COOKIE_HMAC_LEN 28
|
||||
#elif defined(MBEDTLS_SHA1_C)
|
||||
#define COOKIE_MD MBEDTLS_MD_SHA1
|
||||
#define COOKIE_MD_OUTLEN 20
|
||||
#define COOKIE_HMAC_LEN 20
|
||||
#else
|
||||
#error "DTLS hello verify needs SHA-1 or SHA-2"
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Cookies are formed of a 4-bytes timestamp (or serial number) and
|
||||
* an HMAC of timestemp and client ID.
|
||||
*/
|
||||
#define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN )
|
||||
|
||||
void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx )
|
||||
{
|
||||
mbedtls_md_init( &ctx->hmac_ctx );
|
||||
#if !defined(MBEDTLS_HAVE_TIME)
|
||||
ctx->serial = 0;
|
||||
#endif
|
||||
ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_init( &ctx->mutex );
|
||||
#endif
|
||||
}
|
||||
|
||||
void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay )
|
||||
{
|
||||
ctx->timeout = delay;
|
||||
}
|
||||
|
||||
void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
|
||||
{
|
||||
mbedtls_md_free( &ctx->hmac_ctx );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_free( &ctx->mutex );
|
||||
#endif
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng )
|
||||
{
|
||||
int ret;
|
||||
unsigned char key[COOKIE_MD_OUTLEN];
|
||||
|
||||
if( ( ret = f_rng( p_rng, key, sizeof( key ) ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_md_setup( &ctx->hmac_ctx, mbedtls_md_info_from_type( COOKIE_MD ), 1 );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_md_hmac_starts( &ctx->hmac_ctx, key, sizeof( key ) );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
mbedtls_platform_zeroize( key, sizeof( key ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Generate the HMAC part of a cookie
|
||||
*/
|
||||
static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
|
||||
const unsigned char time[4],
|
||||
unsigned char **p, unsigned char *end,
|
||||
const unsigned char *cli_id, size_t cli_id_len )
|
||||
{
|
||||
unsigned char hmac_out[COOKIE_MD_OUTLEN];
|
||||
|
||||
if( (size_t)( end - *p ) < COOKIE_HMAC_LEN )
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
||||
if( mbedtls_md_hmac_reset( hmac_ctx ) != 0 ||
|
||||
mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
|
||||
mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 ||
|
||||
mbedtls_md_hmac_finish( hmac_ctx, hmac_out ) != 0 )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
}
|
||||
|
||||
memcpy( *p, hmac_out, COOKIE_HMAC_LEN );
|
||||
*p += COOKIE_HMAC_LEN;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Generate cookie for DTLS ClientHello verification
|
||||
*/
|
||||
int mbedtls_ssl_cookie_write( void *p_ctx,
|
||||
unsigned char **p, unsigned char *end,
|
||||
const unsigned char *cli_id, size_t cli_id_len )
|
||||
{
|
||||
int ret;
|
||||
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
|
||||
unsigned long t;
|
||||
|
||||
if( ctx == NULL || cli_id == NULL )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
if( (size_t)( end - *p ) < COOKIE_LEN )
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
t = (unsigned long) mbedtls_time( NULL );
|
||||
#else
|
||||
t = ctx->serial++;
|
||||
#endif
|
||||
|
||||
(*p)[0] = (unsigned char)( t >> 24 );
|
||||
(*p)[1] = (unsigned char)( t >> 16 );
|
||||
(*p)[2] = (unsigned char)( t >> 8 );
|
||||
(*p)[3] = (unsigned char)( t );
|
||||
*p += 4;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
|
||||
#endif
|
||||
|
||||
ret = ssl_cookie_hmac( &ctx->hmac_ctx, *p - 4,
|
||||
p, end, cli_id, cli_id_len );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
|
||||
MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||
#endif
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Check a cookie
|
||||
*/
|
||||
int mbedtls_ssl_cookie_check( void *p_ctx,
|
||||
const unsigned char *cookie, size_t cookie_len,
|
||||
const unsigned char *cli_id, size_t cli_id_len )
|
||||
{
|
||||
unsigned char ref_hmac[COOKIE_HMAC_LEN];
|
||||
int ret = 0;
|
||||
unsigned char *p = ref_hmac;
|
||||
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
|
||||
unsigned long cur_time, cookie_time;
|
||||
|
||||
if( ctx == NULL || cli_id == NULL )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
if( cookie_len != COOKIE_LEN )
|
||||
return( -1 );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
|
||||
#endif
|
||||
|
||||
if( ssl_cookie_hmac( &ctx->hmac_ctx, cookie,
|
||||
&p, p + sizeof( ref_hmac ),
|
||||
cli_id, cli_id_len ) != 0 )
|
||||
ret = -1;
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
|
||||
MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||
#endif
|
||||
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
|
||||
return( -1 );
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
cur_time = (unsigned long) mbedtls_time( NULL );
|
||||
#else
|
||||
cur_time = ctx->serial;
|
||||
#endif
|
||||
|
||||
cookie_time = ( (unsigned long) cookie[0] << 24 ) |
|
||||
( (unsigned long) cookie[1] << 16 ) |
|
||||
( (unsigned long) cookie[2] << 8 ) |
|
||||
( (unsigned long) cookie[3] );
|
||||
|
||||
if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
|
||||
return( -1 );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_COOKIE_C */
|
||||
4437
library/ssl_srv.c
4437
library/ssl_srv.c
File diff suppressed because it is too large
Load diff
|
|
@ -1,595 +0,0 @@
|
|||
/*
|
||||
* TLS server tickets callbacks implementation
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_TICKET_C)
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_free free
|
||||
#endif
|
||||
|
||||
#include "mbedtls/ssl_ticket.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
/*
|
||||
* Initialze context
|
||||
*/
|
||||
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_init( &ctx->mutex );
|
||||
#endif
|
||||
}
|
||||
|
||||
#define MAX_KEY_BYTES 32 /* 256 bits */
|
||||
|
||||
#define TICKET_KEY_NAME_BYTES 4
|
||||
#define TICKET_IV_BYTES 12
|
||||
#define TICKET_CRYPT_LEN_BYTES 2
|
||||
#define TICKET_AUTH_TAG_BYTES 16
|
||||
|
||||
#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
|
||||
TICKET_IV_BYTES + \
|
||||
TICKET_CRYPT_LEN_BYTES + \
|
||||
TICKET_AUTH_TAG_BYTES )
|
||||
#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
|
||||
TICKET_IV_BYTES + \
|
||||
TICKET_CRYPT_LEN_BYTES )
|
||||
|
||||
/*
|
||||
* Generate/update a key
|
||||
*/
|
||||
static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
|
||||
unsigned char index )
|
||||
{
|
||||
int ret;
|
||||
unsigned char buf[MAX_KEY_BYTES];
|
||||
mbedtls_ssl_ticket_key *key = ctx->keys + index;
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
key->generation_time = (uint32_t) mbedtls_time( NULL );
|
||||
#endif
|
||||
|
||||
if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
/* With GCM and CCM, same context can encrypt & decrypt */
|
||||
ret = mbedtls_cipher_setkey( &key->ctx, buf,
|
||||
mbedtls_cipher_get_key_bitlen( &key->ctx ),
|
||||
MBEDTLS_ENCRYPT );
|
||||
|
||||
mbedtls_platform_zeroize( buf, sizeof( buf ) );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Rotate/generate keys if necessary
|
||||
*/
|
||||
static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
|
||||
{
|
||||
#if !defined(MBEDTLS_HAVE_TIME)
|
||||
((void) ctx);
|
||||
#else
|
||||
if( ctx->ticket_lifetime != 0 )
|
||||
{
|
||||
uint32_t current_time = (uint32_t) mbedtls_time( NULL );
|
||||
uint32_t key_time = ctx->keys[ctx->active].generation_time;
|
||||
|
||||
if( current_time >= key_time &&
|
||||
current_time - key_time < ctx->ticket_lifetime )
|
||||
{
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
ctx->active = 1 - ctx->active;
|
||||
|
||||
return( ssl_ticket_gen_key( ctx, ctx->active ) );
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_HAVE_TIME */
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Setup context for actual use
|
||||
*/
|
||||
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||
mbedtls_cipher_type_t cipher,
|
||||
uint32_t lifetime )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_cipher_info_t *cipher_info;
|
||||
|
||||
ctx->f_rng = f_rng;
|
||||
ctx->p_rng = p_rng;
|
||||
|
||||
ctx->ticket_lifetime = lifetime;
|
||||
|
||||
cipher_info = mbedtls_cipher_info_from_type( cipher);
|
||||
if( cipher_info == NULL )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
if( cipher_info->mode != MBEDTLS_MODE_GCM &&
|
||||
cipher_info->mode != MBEDTLS_MODE_CCM )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
|
||||
cipher_info, TICKET_AUTH_TAG_BYTES );
|
||||
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||
return( ret );
|
||||
/* We don't yet expect to support all ciphers through PSA,
|
||||
* so allow fallback to ordinary mbedtls_cipher_setup(). */
|
||||
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
|
||||
cipher_info, TICKET_AUTH_TAG_BYTES );
|
||||
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||
return( ret );
|
||||
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
|
||||
( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Serialize a session in the following format:
|
||||
*
|
||||
* - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled:
|
||||
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
|
||||
* n . n+2 peer_cert length = m (0 if no certificate)
|
||||
* n+3 . n+2+m peer cert ASN.1
|
||||
*
|
||||
* - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled:
|
||||
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
|
||||
* n . n length of peer certificate digest = k (0 if no digest)
|
||||
* n+1 . n+k peer certificate digest (digest type encoded in session)
|
||||
*/
|
||||
static int ssl_save_session( const mbedtls_ssl_session *session,
|
||||
unsigned char *buf, size_t buf_len,
|
||||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
size_t left = buf_len;
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
size_t cert_len;
|
||||
#else
|
||||
size_t cert_digest_len;
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
if( left < sizeof( mbedtls_ssl_session ) )
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
||||
/* This also copies the values of pointer fields in the
|
||||
* session to be serialized, but they'll be ignored when
|
||||
* loading the session through ssl_load_session(). */
|
||||
memcpy( p, session, sizeof( mbedtls_ssl_session ) );
|
||||
p += sizeof( mbedtls_ssl_session );
|
||||
left -= sizeof( mbedtls_ssl_session );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
if( session->peer_cert == NULL )
|
||||
cert_len = 0;
|
||||
else
|
||||
cert_len = session->peer_cert->raw.len;
|
||||
|
||||
if( left < 3 + cert_len )
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
||||
*p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( cert_len ) & 0xFF );
|
||||
left -= 3;
|
||||
|
||||
if( session->peer_cert != NULL )
|
||||
memcpy( p, session->peer_cert->raw.p, cert_len );
|
||||
|
||||
p += cert_len;
|
||||
left -= cert_len;
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
if( session->peer_cert_digest != NULL )
|
||||
cert_digest_len = 0;
|
||||
else
|
||||
cert_digest_len = session->peer_cert_digest_len;
|
||||
|
||||
if( left < 1 + cert_digest_len )
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
||||
*p++ = (unsigned char) cert_digest_len;
|
||||
left--;
|
||||
|
||||
if( session->peer_cert_digest != NULL )
|
||||
memcpy( p, session->peer_cert_digest, cert_digest_len );
|
||||
|
||||
p += cert_digest_len;
|
||||
left -= cert_digest_len;
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
*olen = p - buf;
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Unserialise session, see ssl_save_session()
|
||||
*/
|
||||
static int ssl_load_session( mbedtls_ssl_session *session,
|
||||
const unsigned char *buf, size_t len )
|
||||
{
|
||||
const unsigned char *p = buf;
|
||||
const unsigned char * const end = buf + len;
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
size_t cert_len;
|
||||
#else
|
||||
size_t cert_digest_len;
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
memcpy( session, p, sizeof( mbedtls_ssl_session ) );
|
||||
p += sizeof( mbedtls_ssl_session );
|
||||
|
||||
/* Non-NULL pointer fields of `session` are meaningless
|
||||
* and potentially harmful. Zeroize them for safety. */
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
session->peer_cert = NULL;
|
||||
#else
|
||||
session->peer_cert_digest = NULL;
|
||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
session->ticket = NULL;
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/* Deserialize CRT from the end of the ticket. */
|
||||
if( 3 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
|
||||
p += 3;
|
||||
|
||||
if( cert_len != 0 )
|
||||
{
|
||||
int ret;
|
||||
|
||||
if( cert_len > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
|
||||
|
||||
if( session->peer_cert == NULL )
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
|
||||
mbedtls_x509_crt_init( session->peer_cert );
|
||||
|
||||
if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
|
||||
p, cert_len ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crt_free( session->peer_cert );
|
||||
mbedtls_free( session->peer_cert );
|
||||
session->peer_cert = NULL;
|
||||
return( ret );
|
||||
}
|
||||
|
||||
p += cert_len;
|
||||
}
|
||||
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
/* Deserialize CRT digest from the end of the ticket. */
|
||||
if( 1 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
cert_digest_len = (size_t) p[0];
|
||||
p++;
|
||||
|
||||
if( cert_digest_len != 0 )
|
||||
{
|
||||
if( cert_digest_len > (size_t)( end - p ) ||
|
||||
cert_digest_len != session->peer_cert_digest_len )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
session->peer_cert_digest = mbedtls_calloc( 1, cert_digest_len );
|
||||
if( session->peer_cert_digest == NULL )
|
||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||
|
||||
memcpy( session->peer_cert_digest, p, cert_digest_len );
|
||||
p += cert_digest_len;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
if( p != end )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Create session ticket, with the following structure:
|
||||
*
|
||||
* struct {
|
||||
* opaque key_name[4];
|
||||
* opaque iv[12];
|
||||
* opaque encrypted_state<0..2^16-1>;
|
||||
* opaque tag[16];
|
||||
* } ticket;
|
||||
*
|
||||
* The key_name, iv, and length of encrypted_state are the additional
|
||||
* authenticated data.
|
||||
*/
|
||||
|
||||
int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||
const mbedtls_ssl_session *session,
|
||||
unsigned char *start,
|
||||
const unsigned char *end,
|
||||
size_t *tlen,
|
||||
uint32_t *ticket_lifetime )
|
||||
{
|
||||
int ret;
|
||||
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||
mbedtls_ssl_ticket_key *key;
|
||||
unsigned char *key_name = start;
|
||||
unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
|
||||
unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
|
||||
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
|
||||
unsigned char *tag;
|
||||
size_t clear_len, ciph_len;
|
||||
|
||||
*tlen = 0;
|
||||
|
||||
if( ctx == NULL || ctx->f_rng == NULL )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
/* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
|
||||
* in addition to session itself, that will be checked when writing it. */
|
||||
if( end - start < TICKET_MIN_LEN )
|
||||
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||
return( ret );
|
||||
#endif
|
||||
|
||||
if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
key = &ctx->keys[ctx->active];
|
||||
|
||||
*ticket_lifetime = ctx->ticket_lifetime;
|
||||
|
||||
memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
|
||||
|
||||
if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
/* Dump session state */
|
||||
if( ( ret = ssl_save_session( session,
|
||||
state, end - state, &clear_len ) ) != 0 ||
|
||||
(unsigned long) clear_len > 65535 )
|
||||
{
|
||||
goto cleanup;
|
||||
}
|
||||
state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
|
||||
state_len_bytes[1] = ( clear_len ) & 0xff;
|
||||
|
||||
/* Encrypt and authenticate */
|
||||
tag = state + clear_len;
|
||||
if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
|
||||
iv, TICKET_IV_BYTES,
|
||||
/* Additional data: key name, IV and length */
|
||||
key_name, TICKET_ADD_DATA_LEN,
|
||||
state, clear_len, state, &ciph_len,
|
||||
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
|
||||
{
|
||||
goto cleanup;
|
||||
}
|
||||
if( ciph_len != clear_len )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
*tlen = TICKET_MIN_LEN + ciph_len;
|
||||
|
||||
cleanup:
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||
#endif
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Select key based on name
|
||||
*/
|
||||
static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
|
||||
mbedtls_ssl_ticket_context *ctx,
|
||||
const unsigned char name[4] )
|
||||
{
|
||||
unsigned char i;
|
||||
|
||||
for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
|
||||
if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
|
||||
return( &ctx->keys[i] );
|
||||
|
||||
return( NULL );
|
||||
}
|
||||
|
||||
/*
|
||||
* Load session ticket (see mbedtls_ssl_ticket_write for structure)
|
||||
*/
|
||||
int mbedtls_ssl_ticket_parse( void *p_ticket,
|
||||
mbedtls_ssl_session *session,
|
||||
unsigned char *buf,
|
||||
size_t len )
|
||||
{
|
||||
int ret;
|
||||
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||
mbedtls_ssl_ticket_key *key;
|
||||
unsigned char *key_name = buf;
|
||||
unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
|
||||
unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
|
||||
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
|
||||
unsigned char *tag;
|
||||
size_t enc_len, clear_len;
|
||||
|
||||
if( ctx == NULL || ctx->f_rng == NULL )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
if( len < TICKET_MIN_LEN )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||
return( ret );
|
||||
#endif
|
||||
|
||||
if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
|
||||
tag = ticket + enc_len;
|
||||
|
||||
if( len != TICKET_MIN_LEN + enc_len )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Select key */
|
||||
if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
|
||||
{
|
||||
/* We can't know for sure but this is a likely option unless we're
|
||||
* under attack - this is only informative anyway */
|
||||
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Decrypt and authenticate */
|
||||
if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
|
||||
iv, TICKET_IV_BYTES,
|
||||
/* Additional data: key name, IV and length */
|
||||
key_name, TICKET_ADD_DATA_LEN,
|
||||
ticket, enc_len,
|
||||
ticket, &clear_len,
|
||||
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
|
||||
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
|
||||
|
||||
goto cleanup;
|
||||
}
|
||||
if( clear_len != enc_len )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
/* Actually load session */
|
||||
if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
|
||||
goto cleanup;
|
||||
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
{
|
||||
/* Check for expiration */
|
||||
mbedtls_time_t current_time = mbedtls_time( NULL );
|
||||
|
||||
if( current_time < session->start ||
|
||||
(uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
|
||||
goto cleanup;
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
||||
cleanup:
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||
#endif
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Free context
|
||||
*/
|
||||
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
|
||||
{
|
||||
mbedtls_cipher_free( &ctx->keys[0].ctx );
|
||||
mbedtls_cipher_free( &ctx->keys[1].ctx );
|
||||
|
||||
#if defined(MBEDTLS_THREADING_C)
|
||||
mbedtls_mutex_free( &ctx->mutex );
|
||||
#endif
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_TICKET_C */
|
||||
10634
library/ssl_tls.c
10634
library/ssl_tls.c
File diff suppressed because it is too large
Load diff
1062
library/x509.c
1062
library/x509.c
File diff suppressed because it is too large
Load diff
|
|
@ -1,379 +0,0 @@
|
|||
/*
|
||||
* X.509 base functions for creating certificates / CSRs
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CREATE_C)
|
||||
|
||||
#include "mbedtls/x509.h"
|
||||
#include "mbedtls/asn1write.h"
|
||||
#include "mbedtls/oid.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
/* Structure linking OIDs for X.509 DN AttributeTypes to their
|
||||
* string representations and default string encodings used by Mbed TLS. */
|
||||
typedef struct {
|
||||
const char *name; /* String representation of AttributeType, e.g.
|
||||
* "CN" or "emailAddress". */
|
||||
size_t name_len; /* Length of 'name', without trailing 0 byte. */
|
||||
const char *oid; /* String representation of OID of AttributeType,
|
||||
* as per RFC 5280, Appendix A.1. */
|
||||
int default_tag; /* The default character encoding used for the
|
||||
* given attribute type, e.g.
|
||||
* MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
|
||||
} x509_attr_descriptor_t;
|
||||
|
||||
#define ADD_STRLEN( s ) s, sizeof( s ) - 1
|
||||
|
||||
/* X.509 DN attributes from RFC 5280, Appendix A.1. */
|
||||
static const x509_attr_descriptor_t x509_attrs[] =
|
||||
{
|
||||
{ ADD_STRLEN( "CN" ),
|
||||
MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "commonName" ),
|
||||
MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "C" ),
|
||||
MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||
{ ADD_STRLEN( "countryName" ),
|
||||
MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||
{ ADD_STRLEN( "O" ),
|
||||
MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "organizationName" ),
|
||||
MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "L" ),
|
||||
MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "locality" ),
|
||||
MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "R" ),
|
||||
MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
|
||||
{ ADD_STRLEN( "OU" ),
|
||||
MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "organizationalUnitName" ),
|
||||
MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "ST" ),
|
||||
MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "stateOrProvinceName" ),
|
||||
MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "emailAddress" ),
|
||||
MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
|
||||
{ ADD_STRLEN( "serialNumber" ),
|
||||
MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||
{ ADD_STRLEN( "postalAddress" ),
|
||||
MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||
{ ADD_STRLEN( "postalCode" ),
|
||||
MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||
{ ADD_STRLEN( "dnQualifier" ),
|
||||
MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||
{ ADD_STRLEN( "title" ),
|
||||
MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "surName" ),
|
||||
MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "SN" ),
|
||||
MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "givenName" ),
|
||||
MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "GN" ),
|
||||
MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "initials" ),
|
||||
MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "pseudonym" ),
|
||||
MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "generationQualifier" ),
|
||||
MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING },
|
||||
{ ADD_STRLEN( "domainComponent" ),
|
||||
MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
|
||||
{ ADD_STRLEN( "DC" ),
|
||||
MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
|
||||
{ NULL, 0, NULL, MBEDTLS_ASN1_NULL }
|
||||
};
|
||||
|
||||
static const x509_attr_descriptor_t *x509_attr_descr_from_name( const char *name, size_t name_len )
|
||||
{
|
||||
const x509_attr_descriptor_t *cur;
|
||||
|
||||
for( cur = x509_attrs; cur->name != NULL; cur++ )
|
||||
if( cur->name_len == name_len &&
|
||||
strncmp( cur->name, name, name_len ) == 0 )
|
||||
break;
|
||||
|
||||
if ( cur->name == NULL )
|
||||
return( NULL );
|
||||
|
||||
return( cur );
|
||||
}
|
||||
|
||||
int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
|
||||
{
|
||||
int ret = 0;
|
||||
const char *s = name, *c = s;
|
||||
const char *end = s + strlen( s );
|
||||
const char *oid = NULL;
|
||||
const x509_attr_descriptor_t* attr_descr = NULL;
|
||||
int in_tag = 1;
|
||||
char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
|
||||
char *d = data;
|
||||
|
||||
/* Clear existing chain if present */
|
||||
mbedtls_asn1_free_named_data_list( head );
|
||||
|
||||
while( c <= end )
|
||||
{
|
||||
if( in_tag && *c == '=' )
|
||||
{
|
||||
if( ( attr_descr = x509_attr_descr_from_name( s, c - s ) ) == NULL )
|
||||
{
|
||||
ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
oid = attr_descr->oid;
|
||||
s = c + 1;
|
||||
in_tag = 0;
|
||||
d = data;
|
||||
}
|
||||
|
||||
if( !in_tag && *c == '\\' && c != end )
|
||||
{
|
||||
c++;
|
||||
|
||||
/* Check for valid escaped characters */
|
||||
if( c == end || *c != ',' )
|
||||
{
|
||||
ret = MBEDTLS_ERR_X509_INVALID_NAME;
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
else if( !in_tag && ( *c == ',' || c == end ) )
|
||||
{
|
||||
mbedtls_asn1_named_data* cur =
|
||||
mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
|
||||
(unsigned char *) data,
|
||||
d - data );
|
||||
|
||||
if(cur == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||
}
|
||||
|
||||
// set tagType
|
||||
cur->val.tag = attr_descr->default_tag;
|
||||
|
||||
while( c < end && *(c + 1) == ' ' )
|
||||
c++;
|
||||
|
||||
s = c + 1;
|
||||
in_tag = 1;
|
||||
}
|
||||
|
||||
if( !in_tag && s != c + 1 )
|
||||
{
|
||||
*(d++) = *c;
|
||||
|
||||
if( d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE )
|
||||
{
|
||||
ret = MBEDTLS_ERR_X509_INVALID_NAME;
|
||||
goto exit;
|
||||
}
|
||||
}
|
||||
|
||||
c++;
|
||||
}
|
||||
|
||||
exit:
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
|
||||
* to store the critical boolean for us
|
||||
*/
|
||||
int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
|
||||
int critical, const unsigned char *val, size_t val_len )
|
||||
{
|
||||
mbedtls_asn1_named_data *cur;
|
||||
|
||||
if( ( cur = mbedtls_asn1_store_named_data( head, oid, oid_len,
|
||||
NULL, val_len + 1 ) ) == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||
}
|
||||
|
||||
cur->val.p[0] = critical;
|
||||
memcpy( cur->val.p + 1, val, val_len );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* RelativeDistinguishedName ::=
|
||||
* SET OF AttributeTypeAndValue
|
||||
*
|
||||
* AttributeTypeAndValue ::= SEQUENCE {
|
||||
* type AttributeType,
|
||||
* value AttributeValue }
|
||||
*
|
||||
* AttributeType ::= OBJECT IDENTIFIER
|
||||
*
|
||||
* AttributeValue ::= ANY DEFINED BY AttributeType
|
||||
*/
|
||||
static int x509_write_name( unsigned char **p, unsigned char *start, mbedtls_asn1_named_data* cur_name)
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
const char *oid = (const char*)cur_name->oid.p;
|
||||
size_t oid_len = cur_name->oid.len;
|
||||
const unsigned char *name = cur_name->val.p;
|
||||
size_t name_len = cur_name->val.len;
|
||||
|
||||
// Write correct string tag and value
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tagged_string( p, start,
|
||||
cur_name->val.tag,
|
||||
(const char *) name,
|
||||
name_len ) );
|
||||
// Write OID
|
||||
//
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid,
|
||||
oid_len ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
|
||||
MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
|
||||
MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SET ) );
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
|
||||
mbedtls_asn1_named_data *first )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
mbedtls_asn1_named_data *cur = first;
|
||||
|
||||
while( cur != NULL )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, cur ) );
|
||||
cur = cur->next;
|
||||
}
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
|
||||
const char *oid, size_t oid_len,
|
||||
unsigned char *sig, size_t size )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
|
||||
if( *p < start || (size_t)( *p - start ) < size )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
len = size;
|
||||
(*p) -= len;
|
||||
memcpy( *p, sig, len );
|
||||
|
||||
if( *p - start < 1 )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
*--(*p) = 0;
|
||||
len += 1;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
|
||||
|
||||
// Write OID
|
||||
//
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( p, start, oid,
|
||||
oid_len, 0 ) );
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
static int x509_write_extension( unsigned char **p, unsigned char *start,
|
||||
mbedtls_asn1_named_data *ext )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->val.p + 1,
|
||||
ext->val.len - 1 ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->val.len - 1 ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
|
||||
|
||||
if( ext->val.p[0] != 0 )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( p, start, 1 ) );
|
||||
}
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->oid.p,
|
||||
ext->oid.len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->oid.len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
/*
|
||||
* Extension ::= SEQUENCE {
|
||||
* extnID OBJECT IDENTIFIER,
|
||||
* critical BOOLEAN DEFAULT FALSE,
|
||||
* extnValue OCTET STRING
|
||||
* -- contains the DER encoding of an ASN.1 value
|
||||
* -- corresponding to the extension type identified
|
||||
* -- by extnID
|
||||
* }
|
||||
*/
|
||||
int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
|
||||
mbedtls_asn1_named_data *first )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
mbedtls_asn1_named_data *cur_ext = first;
|
||||
|
||||
while( cur_ext != NULL )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
|
||||
cur_ext = cur_ext->next;
|
||||
}
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_X509_CREATE_C */
|
||||
|
|
@ -1,773 +0,0 @@
|
|||
/*
|
||||
* X.509 Certidicate Revocation List (CRL) parsing
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
/*
|
||||
* The ITU-T X.509 standard defines a certificate format for PKI.
|
||||
*
|
||||
* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
|
||||
* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
|
||||
* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
|
||||
*
|
||||
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
|
||||
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRL_PARSE_C)
|
||||
|
||||
#include "mbedtls/x509_crl.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
#include "mbedtls/pem.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#define mbedtls_free free
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_snprintf snprintf
|
||||
#endif
|
||||
|
||||
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
|
||||
#include <windows.h>
|
||||
#else
|
||||
#include <time.h>
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
|
||||
#include <stdio.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Version ::= INTEGER { v1(0), v2(1) }
|
||||
*/
|
||||
static int x509_crl_get_version( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
int *ver )
|
||||
{
|
||||
int ret;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||
{
|
||||
*ver = 0;
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* X.509 CRL v2 extensions
|
||||
*
|
||||
* We currently don't parse any extension's content, but we do check that the
|
||||
* list of extensions is well-formed and abort on critical extensions (that
|
||||
* are unsupported as we don't support any extension so far)
|
||||
*/
|
||||
static int x509_get_crl_ext( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_buf *ext )
|
||||
{
|
||||
int ret;
|
||||
|
||||
/*
|
||||
* crlExtensions [0] EXPLICIT Extensions OPTIONAL
|
||||
* -- if present, version MUST be v2
|
||||
*/
|
||||
if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||
return( 0 );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
while( *p < end )
|
||||
{
|
||||
/*
|
||||
* Extension ::= SEQUENCE {
|
||||
* extnID OBJECT IDENTIFIER,
|
||||
* critical BOOLEAN DEFAULT FALSE,
|
||||
* extnValue OCTET STRING }
|
||||
*/
|
||||
int is_critical = 0;
|
||||
const unsigned char *end_ext_data;
|
||||
size_t len;
|
||||
|
||||
/* Get enclosing sequence tag */
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
|
||||
end_ext_data = *p + len;
|
||||
|
||||
/* Get OID (currently ignored) */
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
|
||||
MBEDTLS_ASN1_OID ) ) != 0 )
|
||||
{
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
}
|
||||
*p += len;
|
||||
|
||||
/* Get optional critical */
|
||||
if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
|
||||
&is_critical ) ) != 0 &&
|
||||
( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
}
|
||||
|
||||
/* Data should be octet string type */
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
|
||||
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
|
||||
/* Ignore data so far and just check its length */
|
||||
*p += len;
|
||||
if( *p != end_ext_data )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
/* Abort on (unsupported) critical extensions */
|
||||
if( is_critical )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
|
||||
}
|
||||
|
||||
if( *p != end )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* X.509 CRL v2 entry extensions (no extensions parsed yet.)
|
||||
*/
|
||||
static int x509_get_crl_entry_ext( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_buf *ext )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
|
||||
/* OPTIONAL */
|
||||
if( end <= *p )
|
||||
return( 0 );
|
||||
|
||||
ext->tag = **p;
|
||||
ext->p = *p;
|
||||
|
||||
/*
|
||||
* Get CRL-entry extension sequence header
|
||||
* crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
|
||||
*/
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||
{
|
||||
ext->p = NULL;
|
||||
return( 0 );
|
||||
}
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
}
|
||||
|
||||
end = *p + ext->len;
|
||||
|
||||
if( end != *p + ext->len )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
while( *p < end )
|
||||
{
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||
|
||||
*p += len;
|
||||
}
|
||||
|
||||
if( *p != end )
|
||||
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* X.509 CRL Entries
|
||||
*/
|
||||
static int x509_get_entries( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
mbedtls_x509_crl_entry *entry )
|
||||
{
|
||||
int ret;
|
||||
size_t entry_len;
|
||||
mbedtls_x509_crl_entry *cur_entry = entry;
|
||||
|
||||
if( *p == end )
|
||||
return( 0 );
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
|
||||
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||
return( 0 );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
|
||||
end = *p + entry_len;
|
||||
|
||||
while( *p < end )
|
||||
{
|
||||
size_t len2;
|
||||
const unsigned char *end2;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
|
||||
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
cur_entry->raw.tag = **p;
|
||||
cur_entry->raw.p = *p;
|
||||
cur_entry->raw.len = len2;
|
||||
end2 = *p + len2;
|
||||
|
||||
if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
if( ( ret = mbedtls_x509_get_time( p, end2,
|
||||
&cur_entry->revocation_date ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
if( ( ret = x509_get_crl_entry_ext( p, end2,
|
||||
&cur_entry->entry_ext ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
if( *p < end )
|
||||
{
|
||||
cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
|
||||
|
||||
if( cur_entry->next == NULL )
|
||||
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||
|
||||
cur_entry = cur_entry->next;
|
||||
}
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse one CRLs in DER format and append it to the chained list
|
||||
*/
|
||||
int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
|
||||
const unsigned char *buf, size_t buflen )
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
unsigned char *p = NULL, *end = NULL;
|
||||
mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
|
||||
mbedtls_x509_crl *crl = chain;
|
||||
|
||||
/*
|
||||
* Check for valid input
|
||||
*/
|
||||
if( crl == NULL || buf == NULL )
|
||||
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||
|
||||
memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
|
||||
memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
|
||||
memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
|
||||
|
||||
/*
|
||||
* Add new CRL on the end of the chain if needed.
|
||||
*/
|
||||
while( crl->version != 0 && crl->next != NULL )
|
||||
crl = crl->next;
|
||||
|
||||
if( crl->version != 0 && crl->next == NULL )
|
||||
{
|
||||
crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
|
||||
|
||||
if( crl->next == NULL )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||
}
|
||||
|
||||
mbedtls_x509_crl_init( crl->next );
|
||||
crl = crl->next;
|
||||
}
|
||||
|
||||
/*
|
||||
* Copy raw DER-encoded CRL
|
||||
*/
|
||||
if( buflen == 0 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||
|
||||
p = mbedtls_calloc( 1, buflen );
|
||||
if( p == NULL )
|
||||
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||
|
||||
memcpy( p, buf, buflen );
|
||||
|
||||
crl->raw.p = p;
|
||||
crl->raw.len = buflen;
|
||||
|
||||
end = p + buflen;
|
||||
|
||||
/*
|
||||
* CertificateList ::= SEQUENCE {
|
||||
* tbsCertList TBSCertList,
|
||||
* signatureAlgorithm AlgorithmIdentifier,
|
||||
* signatureValue BIT STRING }
|
||||
*/
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||
}
|
||||
|
||||
if( len != (size_t) ( end - p ) )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
}
|
||||
|
||||
/*
|
||||
* TBSCertList ::= SEQUENCE {
|
||||
*/
|
||||
crl->tbs.p = p;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||
}
|
||||
|
||||
end = p + len;
|
||||
crl->tbs.len = end - crl->tbs.p;
|
||||
|
||||
/*
|
||||
* Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
|
||||
* -- if present, MUST be v2
|
||||
*
|
||||
* signature AlgorithmIdentifier
|
||||
*/
|
||||
if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
|
||||
( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( crl->version < 0 || crl->version > 1 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
||||
}
|
||||
|
||||
crl->version++;
|
||||
|
||||
if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
|
||||
&crl->sig_md, &crl->sig_pk,
|
||||
&crl->sig_opts ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
|
||||
}
|
||||
|
||||
/*
|
||||
* issuer Name
|
||||
*/
|
||||
crl->issuer_raw.p = p;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
crl->issuer_raw.len = p - crl->issuer_raw.p;
|
||||
|
||||
/*
|
||||
* thisUpdate Time
|
||||
* nextUpdate Time OPTIONAL
|
||||
*/
|
||||
if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
|
||||
{
|
||||
if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
|
||||
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
|
||||
ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
|
||||
MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* revokedCertificates SEQUENCE OF SEQUENCE {
|
||||
* userCertificate CertificateSerialNumber,
|
||||
* revocationDate Time,
|
||||
* crlEntryExtensions Extensions OPTIONAL
|
||||
* -- if present, MUST be v2
|
||||
* } OPTIONAL
|
||||
*/
|
||||
if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* crlExtensions EXPLICIT Extensions OPTIONAL
|
||||
* -- if present, MUST be v2
|
||||
*/
|
||||
if( crl->version == 2 )
|
||||
{
|
||||
ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
}
|
||||
|
||||
if( p != end )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
}
|
||||
|
||||
end = crl->raw.p + crl->raw.len;
|
||||
|
||||
/*
|
||||
* signatureAlgorithm AlgorithmIdentifier,
|
||||
* signatureValue BIT STRING
|
||||
*/
|
||||
if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( crl->sig_oid.len != sig_oid2.len ||
|
||||
memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
|
||||
sig_params1.len != sig_params2.len ||
|
||||
( sig_params1.len != 0 &&
|
||||
memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_SIG_MISMATCH );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( p != end )
|
||||
{
|
||||
mbedtls_x509_crl_free( crl );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse one or more CRLs and add them to the chained list
|
||||
*/
|
||||
int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
|
||||
{
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
int ret;
|
||||
size_t use_len;
|
||||
mbedtls_pem_context pem;
|
||||
int is_pem = 0;
|
||||
|
||||
if( chain == NULL || buf == NULL )
|
||||
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||
|
||||
do
|
||||
{
|
||||
mbedtls_pem_init( &pem );
|
||||
|
||||
// Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
|
||||
// string
|
||||
if( buflen == 0 || buf[buflen - 1] != '\0' )
|
||||
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
|
||||
else
|
||||
ret = mbedtls_pem_read_buffer( &pem,
|
||||
"-----BEGIN X509 CRL-----",
|
||||
"-----END X509 CRL-----",
|
||||
buf, NULL, 0, &use_len );
|
||||
|
||||
if( ret == 0 )
|
||||
{
|
||||
/*
|
||||
* Was PEM encoded
|
||||
*/
|
||||
is_pem = 1;
|
||||
|
||||
buflen -= use_len;
|
||||
buf += use_len;
|
||||
|
||||
if( ( ret = mbedtls_x509_crl_parse_der( chain,
|
||||
pem.buf, pem.buflen ) ) != 0 )
|
||||
{
|
||||
mbedtls_pem_free( &pem );
|
||||
return( ret );
|
||||
}
|
||||
}
|
||||
else if( is_pem )
|
||||
{
|
||||
mbedtls_pem_free( &pem );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
mbedtls_pem_free( &pem );
|
||||
}
|
||||
/* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
|
||||
* And a valid CRL cannot be less than 1 byte anyway. */
|
||||
while( is_pem && buflen > 1 );
|
||||
|
||||
if( is_pem )
|
||||
return( 0 );
|
||||
else
|
||||
#endif /* MBEDTLS_PEM_PARSE_C */
|
||||
return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_FS_IO)
|
||||
/*
|
||||
* Load one or more CRLs and add them to the chained list
|
||||
*/
|
||||
int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
|
||||
{
|
||||
int ret;
|
||||
size_t n;
|
||||
unsigned char *buf;
|
||||
|
||||
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_x509_crl_parse( chain, buf, n );
|
||||
|
||||
mbedtls_platform_zeroize( buf, n );
|
||||
mbedtls_free( buf );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
|
||||
/*
|
||||
* Return an informational string about the certificate.
|
||||
*/
|
||||
#define BEFORE_COLON 14
|
||||
#define BC "14"
|
||||
/*
|
||||
* Return an informational string about the CRL.
|
||||
*/
|
||||
int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
|
||||
const mbedtls_x509_crl *crl )
|
||||
{
|
||||
int ret;
|
||||
size_t n;
|
||||
char *p;
|
||||
const mbedtls_x509_crl_entry *entry;
|
||||
|
||||
p = buf;
|
||||
n = size;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "%sCRL version : %d",
|
||||
prefix, crl->version );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%sthis update : " \
|
||||
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
|
||||
crl->this_update.year, crl->this_update.mon,
|
||||
crl->this_update.day, crl->this_update.hour,
|
||||
crl->this_update.min, crl->this_update.sec );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%snext update : " \
|
||||
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
|
||||
crl->next_update.year, crl->next_update.mon,
|
||||
crl->next_update.day, crl->next_update.hour,
|
||||
crl->next_update.min, crl->next_update.sec );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
entry = &crl->entry;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
|
||||
prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
while( entry != NULL && entry->raw.len != 0 )
|
||||
{
|
||||
ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
|
||||
prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, " revocation date: " \
|
||||
"%04d-%02d-%02d %02d:%02d:%02d",
|
||||
entry->revocation_date.year, entry->revocation_date.mon,
|
||||
entry->revocation_date.day, entry->revocation_date.hour,
|
||||
entry->revocation_date.min, entry->revocation_date.sec );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
entry = entry->next;
|
||||
}
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
|
||||
crl->sig_opts );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n" );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
return( (int) ( size - n ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize a CRL chain
|
||||
*/
|
||||
void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
|
||||
{
|
||||
memset( crl, 0, sizeof(mbedtls_x509_crl) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Unallocate all CRL data
|
||||
*/
|
||||
void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
|
||||
{
|
||||
mbedtls_x509_crl *crl_cur = crl;
|
||||
mbedtls_x509_crl *crl_prv;
|
||||
mbedtls_x509_name *name_cur;
|
||||
mbedtls_x509_name *name_prv;
|
||||
mbedtls_x509_crl_entry *entry_cur;
|
||||
mbedtls_x509_crl_entry *entry_prv;
|
||||
|
||||
if( crl == NULL )
|
||||
return;
|
||||
|
||||
do
|
||||
{
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
mbedtls_free( crl_cur->sig_opts );
|
||||
#endif
|
||||
|
||||
name_cur = crl_cur->issuer.next;
|
||||
while( name_cur != NULL )
|
||||
{
|
||||
name_prv = name_cur;
|
||||
name_cur = name_cur->next;
|
||||
mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
|
||||
mbedtls_free( name_prv );
|
||||
}
|
||||
|
||||
entry_cur = crl_cur->entry.next;
|
||||
while( entry_cur != NULL )
|
||||
{
|
||||
entry_prv = entry_cur;
|
||||
entry_cur = entry_cur->next;
|
||||
mbedtls_platform_zeroize( entry_prv,
|
||||
sizeof( mbedtls_x509_crl_entry ) );
|
||||
mbedtls_free( entry_prv );
|
||||
}
|
||||
|
||||
if( crl_cur->raw.p != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
|
||||
mbedtls_free( crl_cur->raw.p );
|
||||
}
|
||||
|
||||
crl_cur = crl_cur->next;
|
||||
}
|
||||
while( crl_cur != NULL );
|
||||
|
||||
crl_cur = crl;
|
||||
do
|
||||
{
|
||||
crl_prv = crl_cur;
|
||||
crl_cur = crl_cur->next;
|
||||
|
||||
mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
|
||||
if( crl_prv != crl )
|
||||
mbedtls_free( crl_prv );
|
||||
}
|
||||
while( crl_cur != NULL );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_X509_CRL_PARSE_C */
|
||||
2879
library/x509_crt.c
2879
library/x509_crt.c
File diff suppressed because it is too large
Load diff
|
|
@ -1,419 +0,0 @@
|
|||
/*
|
||||
* X.509 Certificate Signing Request (CSR) parsing
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
/*
|
||||
* The ITU-T X.509 standard defines a certificate format for PKI.
|
||||
*
|
||||
* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
|
||||
* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
|
||||
* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
|
||||
*
|
||||
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
|
||||
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||
|
||||
#include "mbedtls/x509_csr.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
#include "mbedtls/pem.h"
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_PLATFORM_C)
|
||||
#include "mbedtls/platform.h"
|
||||
#else
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
#define mbedtls_free free
|
||||
#define mbedtls_calloc calloc
|
||||
#define mbedtls_snprintf snprintf
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
|
||||
#include <stdio.h>
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Version ::= INTEGER { v1(0) }
|
||||
*/
|
||||
static int x509_csr_get_version( unsigned char **p,
|
||||
const unsigned char *end,
|
||||
int *ver )
|
||||
{
|
||||
int ret;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
|
||||
{
|
||||
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||
{
|
||||
*ver = 0;
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse a CSR in DER format
|
||||
*/
|
||||
int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
|
||||
const unsigned char *buf, size_t buflen )
|
||||
{
|
||||
int ret;
|
||||
size_t len;
|
||||
unsigned char *p, *end;
|
||||
mbedtls_x509_buf sig_params;
|
||||
|
||||
memset( &sig_params, 0, sizeof( mbedtls_x509_buf ) );
|
||||
|
||||
/*
|
||||
* Check for valid input
|
||||
*/
|
||||
if( csr == NULL || buf == NULL || buflen == 0 )
|
||||
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||
|
||||
mbedtls_x509_csr_init( csr );
|
||||
|
||||
/*
|
||||
* first copy the raw DER data
|
||||
*/
|
||||
p = mbedtls_calloc( 1, len = buflen );
|
||||
|
||||
if( p == NULL )
|
||||
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||
|
||||
memcpy( p, buf, buflen );
|
||||
|
||||
csr->raw.p = p;
|
||||
csr->raw.len = len;
|
||||
end = p + len;
|
||||
|
||||
/*
|
||||
* CertificationRequest ::= SEQUENCE {
|
||||
* certificationRequestInfo CertificationRequestInfo,
|
||||
* signatureAlgorithm AlgorithmIdentifier,
|
||||
* signature BIT STRING
|
||||
* }
|
||||
*/
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||
}
|
||||
|
||||
if( len != (size_t) ( end - p ) )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
}
|
||||
|
||||
/*
|
||||
* CertificationRequestInfo ::= SEQUENCE {
|
||||
*/
|
||||
csr->cri.p = p;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||
}
|
||||
|
||||
end = p + len;
|
||||
csr->cri.len = end - csr->cri.p;
|
||||
|
||||
/*
|
||||
* Version ::= INTEGER { v1(0) }
|
||||
*/
|
||||
if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( csr->version != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
||||
}
|
||||
|
||||
csr->version++;
|
||||
|
||||
/*
|
||||
* subject Name
|
||||
*/
|
||||
csr->subject_raw.p = p;
|
||||
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
csr->subject_raw.len = p - csr->subject_raw.p;
|
||||
|
||||
/*
|
||||
* subjectPKInfo SubjectPublicKeyInfo
|
||||
*/
|
||||
if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* attributes [0] Attributes
|
||||
*
|
||||
* The list of possible attributes is open-ended, though RFC 2985
|
||||
* (PKCS#9) defines a few in section 5.4. We currently don't support any,
|
||||
* so we just ignore them. This is a safe thing to do as the worst thing
|
||||
* that could happen is that we issue a certificate that does not match
|
||||
* the requester's expectations - this cannot cause a violation of our
|
||||
* signature policies.
|
||||
*/
|
||||
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||
}
|
||||
|
||||
p += len;
|
||||
|
||||
end = csr->raw.p + csr->raw.len;
|
||||
|
||||
/*
|
||||
* signatureAlgorithm AlgorithmIdentifier,
|
||||
* signature BIT STRING
|
||||
*/
|
||||
if( ( ret = mbedtls_x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509_get_sig_alg( &csr->sig_oid, &sig_params,
|
||||
&csr->sig_md, &csr->sig_pk,
|
||||
&csr->sig_opts ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_x509_get_sig( &p, end, &csr->sig ) ) != 0 )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( p != end )
|
||||
{
|
||||
mbedtls_x509_csr_free( csr );
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
/*
|
||||
* Parse a CSR, allowing for PEM or raw DER encoding
|
||||
*/
|
||||
int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
|
||||
{
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
int ret;
|
||||
size_t use_len;
|
||||
mbedtls_pem_context pem;
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Check for valid input
|
||||
*/
|
||||
if( csr == NULL || buf == NULL || buflen == 0 )
|
||||
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||
|
||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
|
||||
if( buf[buflen - 1] == '\0' )
|
||||
{
|
||||
mbedtls_pem_init( &pem );
|
||||
ret = mbedtls_pem_read_buffer( &pem,
|
||||
"-----BEGIN CERTIFICATE REQUEST-----",
|
||||
"-----END CERTIFICATE REQUEST-----",
|
||||
buf, NULL, 0, &use_len );
|
||||
if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
|
||||
{
|
||||
ret = mbedtls_pem_read_buffer( &pem,
|
||||
"-----BEGIN NEW CERTIFICATE REQUEST-----",
|
||||
"-----END NEW CERTIFICATE REQUEST-----",
|
||||
buf, NULL, 0, &use_len );
|
||||
}
|
||||
|
||||
if( ret == 0 )
|
||||
{
|
||||
/*
|
||||
* Was PEM encoded, parse the result
|
||||
*/
|
||||
ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
|
||||
}
|
||||
|
||||
mbedtls_pem_free( &pem );
|
||||
if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_PEM_PARSE_C */
|
||||
return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_FS_IO)
|
||||
/*
|
||||
* Load a CSR into the structure
|
||||
*/
|
||||
int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path )
|
||||
{
|
||||
int ret;
|
||||
size_t n;
|
||||
unsigned char *buf;
|
||||
|
||||
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_x509_csr_parse( csr, buf, n );
|
||||
|
||||
mbedtls_platform_zeroize( buf, n );
|
||||
mbedtls_free( buf );
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_FS_IO */
|
||||
|
||||
#define BEFORE_COLON 14
|
||||
#define BC "14"
|
||||
/*
|
||||
* Return an informational string about the CSR.
|
||||
*/
|
||||
int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
|
||||
const mbedtls_x509_csr *csr )
|
||||
{
|
||||
int ret;
|
||||
size_t n;
|
||||
char *p;
|
||||
char key_size_str[BEFORE_COLON];
|
||||
|
||||
p = buf;
|
||||
n = size;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "%sCSR version : %d",
|
||||
prefix, csr->version );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
ret = mbedtls_x509_dn_gets( p, n, &csr->subject );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
ret = mbedtls_x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
|
||||
csr->sig_opts );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
|
||||
mbedtls_pk_get_name( &csr->pk ) ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
|
||||
(int) mbedtls_pk_get_bitlen( &csr->pk ) );
|
||||
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||
|
||||
return( (int) ( size - n ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Initialize a CSR
|
||||
*/
|
||||
void mbedtls_x509_csr_init( mbedtls_x509_csr *csr )
|
||||
{
|
||||
memset( csr, 0, sizeof(mbedtls_x509_csr) );
|
||||
}
|
||||
|
||||
/*
|
||||
* Unallocate all CSR data
|
||||
*/
|
||||
void mbedtls_x509_csr_free( mbedtls_x509_csr *csr )
|
||||
{
|
||||
mbedtls_x509_name *name_cur;
|
||||
mbedtls_x509_name *name_prv;
|
||||
|
||||
if( csr == NULL )
|
||||
return;
|
||||
|
||||
mbedtls_pk_free( &csr->pk );
|
||||
|
||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||
mbedtls_free( csr->sig_opts );
|
||||
#endif
|
||||
|
||||
name_cur = csr->subject.next;
|
||||
while( name_cur != NULL )
|
||||
{
|
||||
name_prv = name_cur;
|
||||
name_cur = name_cur->next;
|
||||
mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
|
||||
mbedtls_free( name_prv );
|
||||
}
|
||||
|
||||
if( csr->raw.p != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( csr->raw.p, csr->raw.len );
|
||||
mbedtls_free( csr->raw.p );
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize( csr, sizeof( mbedtls_x509_csr ) );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
||||
|
|
@ -1,495 +0,0 @@
|
|||
/*
|
||||
* X.509 certificate writing
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
/*
|
||||
* References:
|
||||
* - certificates: RFC 5280, updated by RFC 6818
|
||||
* - CSRs: PKCS#10 v1.7 aka RFC 2986
|
||||
* - attributes: PKCS#9 v2.0 aka RFC 2985
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_WRITE_C)
|
||||
|
||||
#include "mbedtls/x509_crt.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/asn1write.h"
|
||||
#include "mbedtls/sha1.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#include <string.h>
|
||||
|
||||
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||
#include "mbedtls/pem.h"
|
||||
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||
|
||||
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
|
||||
|
||||
mbedtls_mpi_init( &ctx->serial );
|
||||
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
|
||||
}
|
||||
|
||||
void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
|
||||
{
|
||||
mbedtls_mpi_free( &ctx->serial );
|
||||
|
||||
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
||||
mbedtls_asn1_free_named_data_list( &ctx->issuer );
|
||||
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
|
||||
}
|
||||
|
||||
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
|
||||
{
|
||||
ctx->version = version;
|
||||
}
|
||||
|
||||
void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg )
|
||||
{
|
||||
ctx->md_alg = md_alg;
|
||||
}
|
||||
|
||||
void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
|
||||
{
|
||||
ctx->subject_key = key;
|
||||
}
|
||||
|
||||
void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
|
||||
{
|
||||
ctx->issuer_key = key;
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
|
||||
const char *subject_name )
|
||||
{
|
||||
return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
|
||||
const char *issuer_name )
|
||||
{
|
||||
return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
|
||||
{
|
||||
int ret;
|
||||
|
||||
if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
|
||||
return( ret );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
|
||||
const char *not_after )
|
||||
{
|
||||
if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
|
||||
strlen( not_after ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
|
||||
{
|
||||
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||
}
|
||||
strncpy( ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
|
||||
strncpy( ctx->not_after , not_after , MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
|
||||
ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
|
||||
ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
|
||||
const char *oid, size_t oid_len,
|
||||
int critical,
|
||||
const unsigned char *val, size_t val_len )
|
||||
{
|
||||
return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
|
||||
critical, val, val_len );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
|
||||
int is_ca, int max_pathlen )
|
||||
{
|
||||
int ret;
|
||||
unsigned char buf[9];
|
||||
unsigned char *c = buf + sizeof(buf);
|
||||
size_t len = 0;
|
||||
|
||||
memset( buf, 0, sizeof(buf) );
|
||||
|
||||
if( is_ca && max_pathlen > 127 )
|
||||
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||
|
||||
if( is_ca )
|
||||
{
|
||||
if( max_pathlen >= 0 )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
|
||||
}
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
|
||||
}
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
|
||||
0, buf + sizeof(buf) - len, len );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SHA1_C)
|
||||
int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
|
||||
{
|
||||
int ret;
|
||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
||||
unsigned char *c = buf + sizeof(buf);
|
||||
size_t len = 0;
|
||||
|
||||
memset( buf, 0, sizeof(buf) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
|
||||
|
||||
ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
|
||||
buf + sizeof( buf ) - 20 );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
c = buf + sizeof( buf ) - 20;
|
||||
len = 20;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) );
|
||||
|
||||
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
|
||||
0, buf + sizeof(buf) - len, len );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
|
||||
{
|
||||
int ret;
|
||||
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
||||
unsigned char *c = buf + sizeof( buf );
|
||||
size_t len = 0;
|
||||
|
||||
memset( buf, 0, sizeof(buf) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
|
||||
|
||||
ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
|
||||
buf + sizeof( buf ) - 20 );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
c = buf + sizeof( buf ) - 20;
|
||||
len = 20;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
|
||||
0, buf + sizeof( buf ) - len, len );
|
||||
}
|
||||
#endif /* MBEDTLS_SHA1_C */
|
||||
|
||||
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
|
||||
unsigned int key_usage )
|
||||
{
|
||||
unsigned char buf[5], ku[2];
|
||||
unsigned char *c;
|
||||
int ret;
|
||||
const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
|
||||
MBEDTLS_X509_KU_NON_REPUDIATION |
|
||||
MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
|
||||
MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
|
||||
MBEDTLS_X509_KU_KEY_AGREEMENT |
|
||||
MBEDTLS_X509_KU_KEY_CERT_SIGN |
|
||||
MBEDTLS_X509_KU_CRL_SIGN |
|
||||
MBEDTLS_X509_KU_ENCIPHER_ONLY |
|
||||
MBEDTLS_X509_KU_DECIPHER_ONLY;
|
||||
|
||||
/* Check that nothing other than the allowed flags is set */
|
||||
if( ( key_usage & ~allowed_bits ) != 0 )
|
||||
return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
|
||||
|
||||
c = buf + 5;
|
||||
ku[0] = (unsigned char)( key_usage );
|
||||
ku[1] = (unsigned char)( key_usage >> 8 );
|
||||
ret = mbedtls_asn1_write_named_bitstring( &c, buf, ku, 9 );
|
||||
|
||||
if( ret < 0 )
|
||||
return( ret );
|
||||
else if( ret < 3 || ret > 5 )
|
||||
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
|
||||
1, c, (size_t)ret );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
|
||||
unsigned char ns_cert_type )
|
||||
{
|
||||
unsigned char buf[4];
|
||||
unsigned char *c;
|
||||
int ret;
|
||||
|
||||
c = buf + 4;
|
||||
|
||||
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
|
||||
if( ret < 3 || ret > 4 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
|
||||
0, c, (size_t)ret );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
static int x509_write_time( unsigned char **p, unsigned char *start,
|
||||
const char *t, size_t size )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
|
||||
/*
|
||||
* write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
|
||||
*/
|
||||
if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
|
||||
(const unsigned char *) t + 2,
|
||||
size - 2 ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
|
||||
}
|
||||
else
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
|
||||
(const unsigned char *) t,
|
||||
size ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
|
||||
}
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng )
|
||||
{
|
||||
int ret;
|
||||
const char *sig_oid;
|
||||
size_t sig_oid_len = 0;
|
||||
unsigned char *c, *c2;
|
||||
unsigned char hash[64];
|
||||
unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
|
||||
unsigned char tmp_buf[2048];
|
||||
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
|
||||
size_t len = 0;
|
||||
mbedtls_pk_type_t pk_alg;
|
||||
|
||||
/*
|
||||
* Prepare data to be signed in tmp_buf
|
||||
*/
|
||||
c = tmp_buf + sizeof( tmp_buf );
|
||||
|
||||
/* Signature algorithm needed in TBS, and later for actual signature */
|
||||
|
||||
/* There's no direct way of extracting a signature algorithm
|
||||
* (represented as an element of mbedtls_pk_type_t) from a PK instance. */
|
||||
if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
|
||||
pk_alg = MBEDTLS_PK_RSA;
|
||||
else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
|
||||
pk_alg = MBEDTLS_PK_ECDSA;
|
||||
else
|
||||
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||
|
||||
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||
*/
|
||||
|
||||
/* Only for v3 */
|
||||
if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
|
||||
}
|
||||
|
||||
/*
|
||||
* SubjectPublicKeyInfo
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
|
||||
tmp_buf, c - tmp_buf ) );
|
||||
c -= pub_len;
|
||||
len += pub_len;
|
||||
|
||||
/*
|
||||
* Subject ::= Name
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
|
||||
|
||||
/*
|
||||
* Validity ::= SEQUENCE {
|
||||
* notBefore Time,
|
||||
* notAfter Time }
|
||||
*/
|
||||
sub_len = 0;
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
|
||||
MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
|
||||
MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
|
||||
|
||||
len += sub_len;
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
/*
|
||||
* Issuer ::= Name
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
|
||||
|
||||
/*
|
||||
* Signature ::= AlgorithmIdentifier
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
|
||||
sig_oid, strlen( sig_oid ), 0 ) );
|
||||
|
||||
/*
|
||||
* Serial ::= INTEGER
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
|
||||
|
||||
/*
|
||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||
*/
|
||||
|
||||
/* Can be omitted for v1 */
|
||||
if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
|
||||
{
|
||||
sub_len = 0;
|
||||
MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
|
||||
len += sub_len;
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||
MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
|
||||
}
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
/*
|
||||
* Make signature
|
||||
*/
|
||||
if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
|
||||
len, hash ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||
f_rng, p_rng ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Write data to output buffer
|
||||
*/
|
||||
c2 = buf + size;
|
||||
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
||||
sig_oid, sig_oid_len, sig, sig_len ) );
|
||||
|
||||
if( len > (size_t)( c2 - buf ) )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
c2 -= len;
|
||||
memcpy( c2, c, len );
|
||||
|
||||
len += sig_and_oid_len;
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
|
||||
#define PEM_END_CRT "-----END CERTIFICATE-----\n"
|
||||
|
||||
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||
int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng )
|
||||
{
|
||||
int ret;
|
||||
unsigned char output_buf[4096];
|
||||
size_t olen = 0;
|
||||
|
||||
if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
|
||||
f_rng, p_rng ) ) < 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
|
||||
output_buf + sizeof(output_buf) - ret,
|
||||
ret, buf, size, &olen ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||
|
||||
#endif /* MBEDTLS_X509_CRT_WRITE_C */
|
||||
|
|
@ -1,287 +0,0 @@
|
|||
/*
|
||||
* X.509 Certificate Signing Request writing
|
||||
*
|
||||
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||
* SPDX-License-Identifier: Apache-2.0
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||
* not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*
|
||||
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||
*/
|
||||
/*
|
||||
* References:
|
||||
* - CSRs: PKCS#10 v1.7 aka RFC 2986
|
||||
* - attributes: PKCS#9 v2.0 aka RFC 2985
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||
#include "mbedtls/config.h"
|
||||
#else
|
||||
#include MBEDTLS_CONFIG_FILE
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CSR_WRITE_C)
|
||||
|
||||
#include "mbedtls/x509_csr.h"
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/asn1write.h"
|
||||
#include "mbedtls/platform_util.h"
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
#include "psa/crypto.h"
|
||||
#include "mbedtls/psa_util.h"
|
||||
#endif
|
||||
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
|
||||
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||
#include "mbedtls/pem.h"
|
||||
#endif
|
||||
|
||||
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
|
||||
{
|
||||
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
|
||||
}
|
||||
|
||||
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
||||
{
|
||||
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
||||
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
|
||||
}
|
||||
|
||||
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
|
||||
{
|
||||
ctx->md_alg = md_alg;
|
||||
}
|
||||
|
||||
void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
|
||||
{
|
||||
ctx->key = key;
|
||||
}
|
||||
|
||||
int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
|
||||
const char *subject_name )
|
||||
{
|
||||
return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
|
||||
const char *oid, size_t oid_len,
|
||||
const unsigned char *val, size_t val_len )
|
||||
{
|
||||
return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
|
||||
0, val, val_len );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
|
||||
{
|
||||
unsigned char buf[4];
|
||||
unsigned char *c;
|
||||
int ret;
|
||||
|
||||
c = buf + 4;
|
||||
|
||||
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 );
|
||||
if( ret < 3 || ret > 4 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
|
||||
c, (size_t)ret );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
|
||||
unsigned char ns_cert_type )
|
||||
{
|
||||
unsigned char buf[4];
|
||||
unsigned char *c;
|
||||
int ret;
|
||||
|
||||
c = buf + 4;
|
||||
|
||||
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
|
||||
if( ret < 3 || ret > 4 )
|
||||
return( ret );
|
||||
|
||||
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
|
||||
c, (size_t)ret );
|
||||
if( ret != 0 )
|
||||
return( ret );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng )
|
||||
{
|
||||
int ret;
|
||||
const char *sig_oid;
|
||||
size_t sig_oid_len = 0;
|
||||
unsigned char *c, *c2;
|
||||
unsigned char hash[64];
|
||||
unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
|
||||
unsigned char tmp_buf[2048];
|
||||
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
|
||||
size_t len = 0;
|
||||
mbedtls_pk_type_t pk_alg;
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
|
||||
size_t hash_len;
|
||||
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
/*
|
||||
* Prepare data to be signed in tmp_buf
|
||||
*/
|
||||
c = tmp_buf + sizeof( tmp_buf );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||
|
||||
if( len )
|
||||
{
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SET ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
|
||||
MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
}
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
|
||||
tmp_buf, c - tmp_buf ) );
|
||||
c -= pub_len;
|
||||
len += pub_len;
|
||||
|
||||
/*
|
||||
* Subject ::= Name
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
|
||||
|
||||
/*
|
||||
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||
*/
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
|
||||
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
/*
|
||||
* Prepare signature
|
||||
* Note: hash errors can happen only after an internal error
|
||||
*/
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||
|
||||
if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||
|
||||
if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
|
||||
!= PSA_SUCCESS )
|
||||
{
|
||||
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||
}
|
||||
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
||||
#endif
|
||||
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||
f_rng, p_rng ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
|
||||
pk_alg = MBEDTLS_PK_RSA;
|
||||
else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
|
||||
pk_alg = MBEDTLS_PK_ECDSA;
|
||||
else
|
||||
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||
|
||||
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
/*
|
||||
* Write data to output buffer
|
||||
*/
|
||||
c2 = buf + size;
|
||||
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
||||
sig_oid, sig_oid_len, sig, sig_len ) );
|
||||
|
||||
if( len > (size_t)( c2 - buf ) )
|
||||
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||
|
||||
c2 -= len;
|
||||
memcpy( c2, c, len );
|
||||
|
||||
len += sig_and_oid_len;
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
|
||||
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||
MBEDTLS_ASN1_SEQUENCE ) );
|
||||
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
|
||||
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
|
||||
|
||||
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||
int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
||||
int (*f_rng)(void *, unsigned char *, size_t),
|
||||
void *p_rng )
|
||||
{
|
||||
int ret;
|
||||
unsigned char output_buf[4096];
|
||||
size_t olen = 0;
|
||||
|
||||
if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
|
||||
f_rng, p_rng ) ) < 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
|
||||
output_buf + sizeof(output_buf) - ret,
|
||||
ret, buf, size, &olen ) ) != 0 )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||
|
||||
#endif /* MBEDTLS_X509_CSR_WRITE_C */
|
||||
Loading…
Add table
Add a link
Reference in a new issue