Revert "Remove unused TLS, NET, and X.509 files"
This reverts commit a4308b29a4
.
This commit is contained in:
parent
314bc89b36
commit
458b8f2a59
40 changed files with 38846 additions and 0 deletions
51
doxygen/input/doc_ssltls.h
Normal file
51
doxygen/input/doc_ssltls.h
Normal file
|
@ -0,0 +1,51 @@
|
||||||
|
/**
|
||||||
|
* \file doc_ssltls.h
|
||||||
|
*
|
||||||
|
* \brief SSL/TLS communication module documentation file.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @addtogroup ssltls_communication_module SSL/TLS communication module
|
||||||
|
*
|
||||||
|
* The SSL/TLS communication module provides the means to create an SSL/TLS
|
||||||
|
* communication channel.
|
||||||
|
*
|
||||||
|
* The basic provisions are:
|
||||||
|
* - initialise an SSL/TLS context (see \c mbedtls_ssl_init()).
|
||||||
|
* - perform an SSL/TLS handshake (see \c mbedtls_ssl_handshake()).
|
||||||
|
* - read/write (see \c mbedtls_ssl_read() and \c mbedtls_ssl_write()).
|
||||||
|
* - notify a peer that connection is being closed (see \c mbedtls_ssl_close_notify()).
|
||||||
|
*
|
||||||
|
* Many aspects of such a channel are set through parameters and callback
|
||||||
|
* functions:
|
||||||
|
* - the endpoint role: client or server.
|
||||||
|
* - the authentication mode. Should verification take place.
|
||||||
|
* - the Host-to-host communication channel. A TCP/IP module is provided.
|
||||||
|
* - the random number generator (RNG).
|
||||||
|
* - the ciphers to use for encryption/decryption.
|
||||||
|
* - session control functions.
|
||||||
|
* - X.509 parameters for certificate-handling and key exchange.
|
||||||
|
*
|
||||||
|
* This module can be used to create an SSL/TLS server and client and to provide a basic
|
||||||
|
* framework to setup and communicate through an SSL/TLS communication channel.\n
|
||||||
|
* Note that you need to provide for several aspects yourself as mentioned above.
|
||||||
|
*/
|
46
doxygen/input/doc_tcpip.h
Normal file
46
doxygen/input/doc_tcpip.h
Normal file
|
@ -0,0 +1,46 @@
|
||||||
|
/**
|
||||||
|
* \file doc_tcpip.h
|
||||||
|
*
|
||||||
|
* \brief TCP/IP communication module documentation file.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @addtogroup tcpip_communication_module TCP/IP communication module
|
||||||
|
*
|
||||||
|
* The TCP/IP communication module provides for a channel of
|
||||||
|
* communication for the \link ssltls_communication_module SSL/TLS communication
|
||||||
|
* module\endlink to use.
|
||||||
|
* In the TCP/IP-model it provides for communication up to the Transport
|
||||||
|
* (or Host-to-host) layer.
|
||||||
|
* SSL/TLS resides on top of that, in the Application layer, and makes use of
|
||||||
|
* its basic provisions:
|
||||||
|
* - listening on a port (see \c mbedtls_net_bind()).
|
||||||
|
* - accepting a connection (through \c mbedtls_net_accept()).
|
||||||
|
* - read/write (through \c mbedtls_net_recv()/\c mbedtls_net_send()).
|
||||||
|
* - close a connection (through \c mbedtls_net_close()).
|
||||||
|
*
|
||||||
|
* This way you have the means to, for example, implement and use an UDP or
|
||||||
|
* IPSec communication solution as a basis.
|
||||||
|
*
|
||||||
|
* This module can be used at server- and clientside to provide a basic
|
||||||
|
* means of communication over the internet.
|
||||||
|
*/
|
45
doxygen/input/doc_x509.h
Normal file
45
doxygen/input/doc_x509.h
Normal file
|
@ -0,0 +1,45 @@
|
||||||
|
/**
|
||||||
|
* \file doc_x509.h
|
||||||
|
*
|
||||||
|
* \brief X.509 module documentation file.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @addtogroup x509_module X.509 module
|
||||||
|
*
|
||||||
|
* The X.509 module provides X.509 support for reading, writing and verification
|
||||||
|
* of certificates.
|
||||||
|
* In summary:
|
||||||
|
* - X.509 certificate (CRT) reading (see \c mbedtls_x509_crt_parse(),
|
||||||
|
* \c mbedtls_x509_crt_parse_der(), \c mbedtls_x509_crt_parse_file()).
|
||||||
|
* - X.509 certificate revocation list (CRL) reading (see
|
||||||
|
* \c mbedtls_x509_crl_parse(), \c mbedtls_x509_crl_parse_der(),
|
||||||
|
* and \c mbedtls_x509_crl_parse_file()).
|
||||||
|
* - X.509 certificate signature verification (see \c
|
||||||
|
* mbedtls_x509_crt_verify() and \c mbedtls_x509_crt_verify_with_profile().
|
||||||
|
* - X.509 certificate writing and certificate request writing (see
|
||||||
|
* \c mbedtls_x509write_crt_der() and \c mbedtls_x509write_csr_der()).
|
||||||
|
*
|
||||||
|
* This module can be used to build a certificate authority (CA) chain and
|
||||||
|
* verify its signature. It is also used to generate Certificate Signing
|
||||||
|
* Requests and X.509 certificates just as a CA would do.
|
||||||
|
*/
|
265
include/mbedtls/debug.h
Normal file
265
include/mbedtls/debug.h
Normal file
|
@ -0,0 +1,265 @@
|
||||||
|
/**
|
||||||
|
* \file debug.h
|
||||||
|
*
|
||||||
|
* \brief Functions for controlling and providing debug output from the library.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_DEBUG_H
|
||||||
|
#define MBEDTLS_DEBUG_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "ssl.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
#include "ecp.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_DEBUG_C)
|
||||||
|
|
||||||
|
#define MBEDTLS_DEBUG_STRIP_PARENS( ... ) __VA_ARGS__
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_DEBUG_MSG( level, args ) \
|
||||||
|
mbedtls_debug_print_msg( ssl, level, __FILE__, __LINE__, \
|
||||||
|
MBEDTLS_DEBUG_STRIP_PARENS args )
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_DEBUG_RET( level, text, ret ) \
|
||||||
|
mbedtls_debug_print_ret( ssl, level, __FILE__, __LINE__, text, ret )
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len ) \
|
||||||
|
mbedtls_debug_print_buf( ssl, level, __FILE__, __LINE__, text, buf, len )
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
#define MBEDTLS_SSL_DEBUG_MPI( level, text, X ) \
|
||||||
|
mbedtls_debug_print_mpi( ssl, level, __FILE__, __LINE__, text, X )
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
#define MBEDTLS_SSL_DEBUG_ECP( level, text, X ) \
|
||||||
|
mbedtls_debug_print_ecp( ssl, level, __FILE__, __LINE__, text, X )
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt ) \
|
||||||
|
mbedtls_debug_print_crt( ssl, level, __FILE__, __LINE__, text, crt )
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDH_C)
|
||||||
|
#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr ) \
|
||||||
|
mbedtls_debug_printf_ecdh( ssl, level, __FILE__, __LINE__, ecdh, attr )
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#else /* MBEDTLS_DEBUG_C */
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_DEBUG_MSG( level, args ) do { } while( 0 )
|
||||||
|
#define MBEDTLS_SSL_DEBUG_RET( level, text, ret ) do { } while( 0 )
|
||||||
|
#define MBEDTLS_SSL_DEBUG_BUF( level, text, buf, len ) do { } while( 0 )
|
||||||
|
#define MBEDTLS_SSL_DEBUG_MPI( level, text, X ) do { } while( 0 )
|
||||||
|
#define MBEDTLS_SSL_DEBUG_ECP( level, text, X ) do { } while( 0 )
|
||||||
|
#define MBEDTLS_SSL_DEBUG_CRT( level, text, crt ) do { } while( 0 )
|
||||||
|
#define MBEDTLS_SSL_DEBUG_ECDH( level, ecdh, attr ) do { } while( 0 )
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_DEBUG_C */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the threshold error level to handle globally all debug output.
|
||||||
|
* Debug messages that have a level over the threshold value are
|
||||||
|
* discarded.
|
||||||
|
* (Default value: 0 = No debug )
|
||||||
|
*
|
||||||
|
* \param threshold theshold level of messages to filter on. Messages at a
|
||||||
|
* higher level will be discarded.
|
||||||
|
* - Debug levels
|
||||||
|
* - 0 No debug
|
||||||
|
* - 1 Error
|
||||||
|
* - 2 State change
|
||||||
|
* - 3 Informational
|
||||||
|
* - 4 Verbose
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_set_threshold( int threshold );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Print a message to the debug output. This function is always used
|
||||||
|
* through the MBEDTLS_SSL_DEBUG_MSG() macro, which supplies the ssl
|
||||||
|
* context, file and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the message has occurred in
|
||||||
|
* \param line line number the message has occurred at
|
||||||
|
* \param format format specifier, in printf format
|
||||||
|
* \param ... variables used by the format specifier
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *format, ... );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Print the return value of a function to the debug output. This
|
||||||
|
* function is always used through the MBEDTLS_SSL_DEBUG_RET() macro,
|
||||||
|
* which supplies the ssl context, file and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the error has occurred in
|
||||||
|
* \param line line number the error has occurred in
|
||||||
|
* \param text the name of the function that returned the error
|
||||||
|
* \param ret the return code value
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, int ret );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Output a buffer of size len bytes to the debug output. This function
|
||||||
|
* is always used through the MBEDTLS_SSL_DEBUG_BUF() macro,
|
||||||
|
* which supplies the ssl context, file and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the error has occurred in
|
||||||
|
* \param line line number the error has occurred in
|
||||||
|
* \param text a name or label for the buffer being dumped. Normally the
|
||||||
|
* variable or buffer name
|
||||||
|
* \param buf the buffer to be outputted
|
||||||
|
* \param len length of the buffer
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line, const char *text,
|
||||||
|
const unsigned char *buf, size_t len );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
/**
|
||||||
|
* \brief Print a MPI variable to the debug output. This function is always
|
||||||
|
* used through the MBEDTLS_SSL_DEBUG_MPI() macro, which supplies the
|
||||||
|
* ssl context, file and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the error has occurred in
|
||||||
|
* \param line line number the error has occurred in
|
||||||
|
* \param text a name or label for the MPI being output. Normally the
|
||||||
|
* variable name
|
||||||
|
* \param X the MPI variable
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_mpi *X );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
/**
|
||||||
|
* \brief Print an ECP point to the debug output. This function is always
|
||||||
|
* used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the
|
||||||
|
* ssl context, file and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the error has occurred in
|
||||||
|
* \param line line number the error has occurred in
|
||||||
|
* \param text a name or label for the ECP point being output. Normally the
|
||||||
|
* variable name
|
||||||
|
* \param X the ECP point
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_ecp_point *X );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
/**
|
||||||
|
* \brief Print a X.509 certificate structure to the debug output. This
|
||||||
|
* function is always used through the MBEDTLS_SSL_DEBUG_CRT() macro,
|
||||||
|
* which supplies the ssl context, file and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the error has occurred in
|
||||||
|
* \param line line number the error has occurred in
|
||||||
|
* \param text a name or label for the certificate being output
|
||||||
|
* \param crt X.509 certificate structure
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_x509_crt *crt );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDH_C)
|
||||||
|
typedef enum
|
||||||
|
{
|
||||||
|
MBEDTLS_DEBUG_ECDH_Q,
|
||||||
|
MBEDTLS_DEBUG_ECDH_QP,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Z,
|
||||||
|
} mbedtls_debug_ecdh_attr;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Print a field of the ECDH structure in the SSL context to the debug
|
||||||
|
* output. This function is always used through the
|
||||||
|
* MBEDTLS_SSL_DEBUG_ECDH() macro, which supplies the ssl context, file
|
||||||
|
* and line number parameters.
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
* \param level error level of the debug message
|
||||||
|
* \param file file the error has occurred in
|
||||||
|
* \param line line number the error has occurred in
|
||||||
|
* \param ecdh the ECDH context
|
||||||
|
* \param attr the identifier of the attribute being output
|
||||||
|
*
|
||||||
|
* \attention This function is intended for INTERNAL usage within the
|
||||||
|
* library only.
|
||||||
|
*/
|
||||||
|
void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const mbedtls_ecdh_context *ecdh,
|
||||||
|
mbedtls_debug_ecdh_attr attr );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* debug.h */
|
||||||
|
|
37
include/mbedtls/net.h
Normal file
37
include/mbedtls/net.h
Normal file
|
@ -0,0 +1,37 @@
|
||||||
|
/**
|
||||||
|
* \file net.h
|
||||||
|
*
|
||||||
|
* \brief Deprecated header file that includes net_sockets.h
|
||||||
|
*
|
||||||
|
* \deprecated Superseded by mbedtls/net_sockets.h
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
|
||||||
|
#include "net_sockets.h"
|
||||||
|
#if defined(MBEDTLS_DEPRECATED_WARNING)
|
||||||
|
#warning "Deprecated header file: Superseded by mbedtls/net_sockets.h"
|
||||||
|
#endif /* MBEDTLS_DEPRECATED_WARNING */
|
||||||
|
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
|
271
include/mbedtls/net_sockets.h
Normal file
271
include/mbedtls/net_sockets.h
Normal file
|
@ -0,0 +1,271 @@
|
||||||
|
/**
|
||||||
|
* \file net_sockets.h
|
||||||
|
*
|
||||||
|
* \brief Network sockets abstraction layer to integrate Mbed TLS into a
|
||||||
|
* BSD-style sockets API.
|
||||||
|
*
|
||||||
|
* The network sockets module provides an example integration of the
|
||||||
|
* Mbed TLS library into a BSD sockets implementation. The module is
|
||||||
|
* intended to be an example of how Mbed TLS can be integrated into a
|
||||||
|
* networking stack, as well as to be Mbed TLS's network integration
|
||||||
|
* for its supported platforms.
|
||||||
|
*
|
||||||
|
* The module is intended only to be used with the Mbed TLS library and
|
||||||
|
* is not intended to be used by third party application software
|
||||||
|
* directly.
|
||||||
|
*
|
||||||
|
* The supported platforms are as follows:
|
||||||
|
* * Microsoft Windows and Windows CE
|
||||||
|
* * POSIX/Unix platforms including Linux, OS X
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_NET_SOCKETS_H
|
||||||
|
#define MBEDTLS_NET_SOCKETS_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "ssl.h"
|
||||||
|
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
#define MBEDTLS_ERR_NET_SOCKET_FAILED -0x0042 /**< Failed to open a socket. */
|
||||||
|
#define MBEDTLS_ERR_NET_CONNECT_FAILED -0x0044 /**< The connection to the given server / port failed. */
|
||||||
|
#define MBEDTLS_ERR_NET_BIND_FAILED -0x0046 /**< Binding of the socket failed. */
|
||||||
|
#define MBEDTLS_ERR_NET_LISTEN_FAILED -0x0048 /**< Could not listen on the socket. */
|
||||||
|
#define MBEDTLS_ERR_NET_ACCEPT_FAILED -0x004A /**< Could not accept the incoming connection. */
|
||||||
|
#define MBEDTLS_ERR_NET_RECV_FAILED -0x004C /**< Reading information from the socket failed. */
|
||||||
|
#define MBEDTLS_ERR_NET_SEND_FAILED -0x004E /**< Sending information through the socket failed. */
|
||||||
|
#define MBEDTLS_ERR_NET_CONN_RESET -0x0050 /**< Connection was reset by peer. */
|
||||||
|
#define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /**< Failed to get an IP address for the given hostname. */
|
||||||
|
#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL -0x0043 /**< Buffer is too small to hold the data. */
|
||||||
|
#define MBEDTLS_ERR_NET_INVALID_CONTEXT -0x0045 /**< The context is invalid, eg because it was free()ed. */
|
||||||
|
#define MBEDTLS_ERR_NET_POLL_FAILED -0x0047 /**< Polling the net context failed. */
|
||||||
|
#define MBEDTLS_ERR_NET_BAD_INPUT_DATA -0x0049 /**< Input invalid. */
|
||||||
|
|
||||||
|
#define MBEDTLS_NET_LISTEN_BACKLOG 10 /**< The backlog that listen() should use. */
|
||||||
|
|
||||||
|
#define MBEDTLS_NET_PROTO_TCP 0 /**< The TCP transport protocol */
|
||||||
|
#define MBEDTLS_NET_PROTO_UDP 1 /**< The UDP transport protocol */
|
||||||
|
|
||||||
|
#define MBEDTLS_NET_POLL_READ 1 /**< Used in \c mbedtls_net_poll to check for pending data */
|
||||||
|
#define MBEDTLS_NET_POLL_WRITE 2 /**< Used in \c mbedtls_net_poll to check if write possible */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Wrapper type for sockets.
|
||||||
|
*
|
||||||
|
* Currently backed by just a file descriptor, but might be more in the future
|
||||||
|
* (eg two file descriptors for combined IPv4 + IPv6 support, or additional
|
||||||
|
* structures for hand-made UDP demultiplexing).
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_net_context
|
||||||
|
{
|
||||||
|
int fd; /**< The underlying file descriptor */
|
||||||
|
}
|
||||||
|
mbedtls_net_context;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize a context
|
||||||
|
* Just makes the context ready to be used or freed safely.
|
||||||
|
*
|
||||||
|
* \param ctx Context to initialize
|
||||||
|
*/
|
||||||
|
void mbedtls_net_init( mbedtls_net_context *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initiate a connection with host:port in the given protocol
|
||||||
|
*
|
||||||
|
* \param ctx Socket to use
|
||||||
|
* \param host Host to connect to
|
||||||
|
* \param port Port to connect to
|
||||||
|
* \param proto Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or one of:
|
||||||
|
* MBEDTLS_ERR_NET_SOCKET_FAILED,
|
||||||
|
* MBEDTLS_ERR_NET_UNKNOWN_HOST,
|
||||||
|
* MBEDTLS_ERR_NET_CONNECT_FAILED
|
||||||
|
*
|
||||||
|
* \note Sets the socket in connected mode even with UDP.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host, const char *port, int proto );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Create a receiving socket on bind_ip:port in the chosen
|
||||||
|
* protocol. If bind_ip == NULL, all interfaces are bound.
|
||||||
|
*
|
||||||
|
* \param ctx Socket to use
|
||||||
|
* \param bind_ip IP to bind to, can be NULL
|
||||||
|
* \param port Port number to use
|
||||||
|
* \param proto Protocol: MBEDTLS_NET_PROTO_TCP or MBEDTLS_NET_PROTO_UDP
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or one of:
|
||||||
|
* MBEDTLS_ERR_NET_SOCKET_FAILED,
|
||||||
|
* MBEDTLS_ERR_NET_BIND_FAILED,
|
||||||
|
* MBEDTLS_ERR_NET_LISTEN_FAILED
|
||||||
|
*
|
||||||
|
* \note Regardless of the protocol, opens the sockets and binds it.
|
||||||
|
* In addition, make the socket listening if protocol is TCP.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Accept a connection from a remote client
|
||||||
|
*
|
||||||
|
* \param bind_ctx Relevant socket
|
||||||
|
* \param client_ctx Will contain the connected client socket
|
||||||
|
* \param client_ip Will contain the client IP address, can be NULL
|
||||||
|
* \param buf_size Size of the client_ip buffer
|
||||||
|
* \param ip_len Will receive the size of the client IP written,
|
||||||
|
* can be NULL if client_ip is null
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or
|
||||||
|
* MBEDTLS_ERR_NET_ACCEPT_FAILED, or
|
||||||
|
* MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small,
|
||||||
|
* MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to
|
||||||
|
* non-blocking and accept() would block.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
|
||||||
|
mbedtls_net_context *client_ctx,
|
||||||
|
void *client_ip, size_t buf_size, size_t *ip_len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Check and wait for the context to be ready for read/write
|
||||||
|
*
|
||||||
|
* \param ctx Socket to check
|
||||||
|
* \param rw Bitflag composed of MBEDTLS_NET_POLL_READ and
|
||||||
|
* MBEDTLS_NET_POLL_WRITE specifying the events
|
||||||
|
* to wait for:
|
||||||
|
* - If MBEDTLS_NET_POLL_READ is set, the function
|
||||||
|
* will return as soon as the net context is available
|
||||||
|
* for reading.
|
||||||
|
* - If MBEDTLS_NET_POLL_WRITE is set, the function
|
||||||
|
* will return as soon as the net context is available
|
||||||
|
* for writing.
|
||||||
|
* \param timeout Maximal amount of time to wait before returning,
|
||||||
|
* in milliseconds. If \c timeout is zero, the
|
||||||
|
* function returns immediately. If \c timeout is
|
||||||
|
* -1u, the function blocks potentially indefinitely.
|
||||||
|
*
|
||||||
|
* \return Bitmask composed of MBEDTLS_NET_POLL_READ/WRITE
|
||||||
|
* on success or timeout, or a negative return code otherwise.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the socket blocking
|
||||||
|
*
|
||||||
|
* \param ctx Socket to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a non-zero error code
|
||||||
|
*/
|
||||||
|
int mbedtls_net_set_block( mbedtls_net_context *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the socket non-blocking
|
||||||
|
*
|
||||||
|
* \param ctx Socket to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a non-zero error code
|
||||||
|
*/
|
||||||
|
int mbedtls_net_set_nonblock( mbedtls_net_context *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Portable usleep helper
|
||||||
|
*
|
||||||
|
* \param usec Amount of microseconds to sleep
|
||||||
|
*
|
||||||
|
* \note Real amount of time slept will not be less than
|
||||||
|
* select()'s timeout granularity (typically, 10ms).
|
||||||
|
*/
|
||||||
|
void mbedtls_net_usleep( unsigned long usec );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Read at most 'len' characters. If no error occurs,
|
||||||
|
* the actual amount read is returned.
|
||||||
|
*
|
||||||
|
* \param ctx Socket
|
||||||
|
* \param buf The buffer to write to
|
||||||
|
* \param len Maximum length of the buffer
|
||||||
|
*
|
||||||
|
* \return the number of bytes received,
|
||||||
|
* or a non-zero error code; with a non-blocking socket,
|
||||||
|
* MBEDTLS_ERR_SSL_WANT_READ indicates read() would block.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Write at most 'len' characters. If no error occurs,
|
||||||
|
* the actual amount read is returned.
|
||||||
|
*
|
||||||
|
* \param ctx Socket
|
||||||
|
* \param buf The buffer to read from
|
||||||
|
* \param len The length of the buffer
|
||||||
|
*
|
||||||
|
* \return the number of bytes sent,
|
||||||
|
* or a non-zero error code; with a non-blocking socket,
|
||||||
|
* MBEDTLS_ERR_SSL_WANT_WRITE indicates write() would block.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Read at most 'len' characters, blocking for at most
|
||||||
|
* 'timeout' seconds. If no error occurs, the actual amount
|
||||||
|
* read is returned.
|
||||||
|
*
|
||||||
|
* \param ctx Socket
|
||||||
|
* \param buf The buffer to write to
|
||||||
|
* \param len Maximum length of the buffer
|
||||||
|
* \param timeout Maximum number of milliseconds to wait for data
|
||||||
|
* 0 means no timeout (wait forever)
|
||||||
|
*
|
||||||
|
* \return the number of bytes received,
|
||||||
|
* or a non-zero error code:
|
||||||
|
* MBEDTLS_ERR_SSL_TIMEOUT if the operation timed out,
|
||||||
|
* MBEDTLS_ERR_SSL_WANT_READ if interrupted by a signal.
|
||||||
|
*
|
||||||
|
* \note This function will block (until data becomes available or
|
||||||
|
* timeout is reached) even if the socket is set to
|
||||||
|
* non-blocking. Handling timeouts with non-blocking reads
|
||||||
|
* requires a different strategy.
|
||||||
|
*/
|
||||||
|
int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len,
|
||||||
|
uint32_t timeout );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Gracefully shutdown the connection and free associated data
|
||||||
|
*
|
||||||
|
* \param ctx The context to free
|
||||||
|
*/
|
||||||
|
void mbedtls_net_free( mbedtls_net_context *ctx );
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* net_sockets.h */
|
175
include/mbedtls/pkcs11.h
Normal file
175
include/mbedtls/pkcs11.h
Normal file
|
@ -0,0 +1,175 @@
|
||||||
|
/**
|
||||||
|
* \file pkcs11.h
|
||||||
|
*
|
||||||
|
* \brief Wrapper for PKCS#11 library libpkcs11-helper
|
||||||
|
*
|
||||||
|
* \author Adriaan de Jong <dejong@fox-it.com>
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_PKCS11_H
|
||||||
|
#define MBEDTLS_PKCS11_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS11_C)
|
||||||
|
|
||||||
|
#include "x509_crt.h"
|
||||||
|
|
||||||
|
#include <pkcs11-helper-1.0/pkcs11h-certificate.h>
|
||||||
|
|
||||||
|
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
||||||
|
!defined(inline) && !defined(__cplusplus)
|
||||||
|
#define inline __inline
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Context for PKCS #11 private keys.
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_pkcs11_context
|
||||||
|
{
|
||||||
|
pkcs11h_certificate_t pkcs11h_cert;
|
||||||
|
int len;
|
||||||
|
} mbedtls_pkcs11_context;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Initialize a mbedtls_pkcs11_context.
|
||||||
|
* (Just making memory references valid.)
|
||||||
|
*/
|
||||||
|
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Fill in a mbed TLS certificate, based on the given PKCS11 helper certificate.
|
||||||
|
*
|
||||||
|
* \param cert X.509 certificate to fill
|
||||||
|
* \param pkcs11h_cert PKCS #11 helper certificate
|
||||||
|
*
|
||||||
|
* \return 0 on success.
|
||||||
|
*/
|
||||||
|
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11h_cert );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Set up a mbedtls_pkcs11_context storing the given certificate. Note that the
|
||||||
|
* mbedtls_pkcs11_context will take over control of the certificate, freeing it when
|
||||||
|
* done.
|
||||||
|
*
|
||||||
|
* \param priv_key Private key structure to fill.
|
||||||
|
* \param pkcs11_cert PKCS #11 helper certificate
|
||||||
|
*
|
||||||
|
* \return 0 on success
|
||||||
|
*/
|
||||||
|
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
|
||||||
|
pkcs11h_certificate_t pkcs11_cert );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Free the contents of the given private key context. Note that the structure
|
||||||
|
* itself is not freed.
|
||||||
|
*
|
||||||
|
* \param priv_key Private key structure to cleanup
|
||||||
|
*/
|
||||||
|
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Do an RSA private key decrypt, then remove the message
|
||||||
|
* padding
|
||||||
|
*
|
||||||
|
* \param ctx PKCS #11 context
|
||||||
|
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
|
||||||
|
* \param input buffer holding the encrypted data
|
||||||
|
* \param output buffer that will hold the plaintext
|
||||||
|
* \param olen will contain the plaintext length
|
||||||
|
* \param output_max_len maximum length of the output buffer
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or an MBEDTLS_ERR_RSA_XXX error code
|
||||||
|
*
|
||||||
|
* \note The output buffer must be as large as the size
|
||||||
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used) otherwise
|
||||||
|
* an error is thrown.
|
||||||
|
*/
|
||||||
|
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
|
||||||
|
int mode, size_t *olen,
|
||||||
|
const unsigned char *input,
|
||||||
|
unsigned char *output,
|
||||||
|
size_t output_max_len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Do a private RSA to sign a message digest
|
||||||
|
*
|
||||||
|
* \param ctx PKCS #11 context
|
||||||
|
* \param mode must be MBEDTLS_RSA_PRIVATE, for compatibility with rsa.c's signature
|
||||||
|
* \param md_alg a MBEDTLS_MD_XXX (use MBEDTLS_MD_NONE for signing raw data)
|
||||||
|
* \param hashlen message digest length (for MBEDTLS_MD_NONE only)
|
||||||
|
* \param hash buffer holding the message digest
|
||||||
|
* \param sig buffer that will hold the ciphertext
|
||||||
|
*
|
||||||
|
* \return 0 if the signing operation was successful,
|
||||||
|
* or an MBEDTLS_ERR_RSA_XXX error code
|
||||||
|
*
|
||||||
|
* \note The "sig" buffer must be as large as the size
|
||||||
|
* of ctx->N (eg. 128 bytes if RSA-1024 is used).
|
||||||
|
*/
|
||||||
|
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
|
||||||
|
int mode,
|
||||||
|
mbedtls_md_type_t md_alg,
|
||||||
|
unsigned int hashlen,
|
||||||
|
const unsigned char *hash,
|
||||||
|
unsigned char *sig );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* SSL/TLS wrappers for PKCS#11 functions
|
||||||
|
*/
|
||||||
|
static inline int mbedtls_ssl_pkcs11_decrypt( void *ctx, int mode, size_t *olen,
|
||||||
|
const unsigned char *input, unsigned char *output,
|
||||||
|
size_t output_max_len )
|
||||||
|
{
|
||||||
|
return mbedtls_pkcs11_decrypt( (mbedtls_pkcs11_context *) ctx, mode, olen, input, output,
|
||||||
|
output_max_len );
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_pkcs11_sign( void *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||||
|
int mode, mbedtls_md_type_t md_alg, unsigned int hashlen,
|
||||||
|
const unsigned char *hash, unsigned char *sig )
|
||||||
|
{
|
||||||
|
((void) f_rng);
|
||||||
|
((void) p_rng);
|
||||||
|
return mbedtls_pkcs11_sign( (mbedtls_pkcs11_context *) ctx, mode, md_alg,
|
||||||
|
hashlen, hash, sig );
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline size_t mbedtls_ssl_pkcs11_key_len( void *ctx )
|
||||||
|
{
|
||||||
|
return ( (mbedtls_pkcs11_context *) ctx )->len;
|
||||||
|
}
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_PKCS11_C */
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_PKCS11_H */
|
3494
include/mbedtls/ssl.h
Normal file
3494
include/mbedtls/ssl.h
Normal file
File diff suppressed because it is too large
Load diff
151
include/mbedtls/ssl_cache.h
Normal file
151
include/mbedtls/ssl_cache.h
Normal file
|
@ -0,0 +1,151 @@
|
||||||
|
/**
|
||||||
|
* \file ssl_cache.h
|
||||||
|
*
|
||||||
|
* \brief SSL session cache implementation
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_SSL_CACHE_H
|
||||||
|
#define MBEDTLS_SSL_CACHE_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "ssl.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
#include "threading.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name SECTION: Module settings
|
||||||
|
*
|
||||||
|
* The configuration options you can set for this module are in this section.
|
||||||
|
* Either change them in config.h or define them on the compiler command line.
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT)
|
||||||
|
#define MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT 86400 /*!< 1 day */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES)
|
||||||
|
#define MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES 50 /*!< Maximum entries in cache */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* \} name SECTION: Module settings */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
typedef struct mbedtls_ssl_cache_context mbedtls_ssl_cache_context;
|
||||||
|
typedef struct mbedtls_ssl_cache_entry mbedtls_ssl_cache_entry;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief This structure is used for storing cache entries
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_cache_entry
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
mbedtls_time_t timestamp; /*!< entry timestamp */
|
||||||
|
#endif
|
||||||
|
mbedtls_ssl_session session; /*!< entry session */
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
mbedtls_x509_buf peer_cert; /*!< entry peer_cert */
|
||||||
|
#endif
|
||||||
|
mbedtls_ssl_cache_entry *next; /*!< chain pointer */
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Cache context
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_cache_context
|
||||||
|
{
|
||||||
|
mbedtls_ssl_cache_entry *chain; /*!< start of the chain */
|
||||||
|
int timeout; /*!< cache entry timeout */
|
||||||
|
int max_entries; /*!< maximum entries */
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_threading_mutex_t mutex; /*!< mutex */
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize an SSL cache context
|
||||||
|
*
|
||||||
|
* \param cache SSL cache context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Cache get callback implementation
|
||||||
|
* (Thread-safe if MBEDTLS_THREADING_C is enabled)
|
||||||
|
*
|
||||||
|
* \param data SSL cache context
|
||||||
|
* \param session session to retrieve entry for
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Cache set callback implementation
|
||||||
|
* (Thread-safe if MBEDTLS_THREADING_C is enabled)
|
||||||
|
*
|
||||||
|
* \param data SSL cache context
|
||||||
|
* \param session session to store entry for
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
/**
|
||||||
|
* \brief Set the cache timeout
|
||||||
|
* (Default: MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT (1 day))
|
||||||
|
*
|
||||||
|
* A timeout of 0 indicates no timeout.
|
||||||
|
*
|
||||||
|
* \param cache SSL cache context
|
||||||
|
* \param timeout cache entry timeout in seconds
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout );
|
||||||
|
#endif /* MBEDTLS_HAVE_TIME */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the maximum number of cache entries
|
||||||
|
* (Default: MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES (50))
|
||||||
|
*
|
||||||
|
* \param cache SSL cache context
|
||||||
|
* \param max cache entry maximum
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free referenced items in a cache context and clear memory
|
||||||
|
*
|
||||||
|
* \param cache SSL cache context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache );
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* ssl_cache.h */
|
558
include/mbedtls/ssl_ciphersuites.h
Normal file
558
include/mbedtls/ssl_ciphersuites.h
Normal file
|
@ -0,0 +1,558 @@
|
||||||
|
/**
|
||||||
|
* \file ssl_ciphersuites.h
|
||||||
|
*
|
||||||
|
* \brief SSL Ciphersuites for mbed TLS
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_SSL_CIPHERSUITES_H
|
||||||
|
#define MBEDTLS_SSL_CIPHERSUITES_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "pk.h"
|
||||||
|
#include "cipher.h"
|
||||||
|
#include "md.h"
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Supported ciphersuites (Official IANA names)
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_NULL_MD5 0x01 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA 0x02 /**< Weak! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_RC4_128_MD5 0x04
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_RC4_128_SHA 0x05
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_DES_CBC_SHA 0x09 /**< Weak! Not in TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x0A
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_DES_CBC_SHA 0x15 /**< Weak! Not in TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA 0x16
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA 0x2C /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA 0x2D /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA 0x2E /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA 0x2F
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA 0x33
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA 0x35
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA 0x39
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_NULL_SHA256 0x3B /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256 0x3C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 0x3D /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA 0x41
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA 0x45
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 0x67 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 0x6B /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA 0x84
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA 0x88
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_RC4_128_SHA 0x8A
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_3DES_EDE_CBC_SHA 0x8B
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA 0x8C
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA 0x8D
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_RC4_128_SHA 0x8E
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA 0x8F
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA 0x90
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA 0x91
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_RC4_128_SHA 0x92
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA 0x93
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA 0x94
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA 0x95
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_128_GCM_SHA256 0x9C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_256_GCM_SHA384 0x9D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 0x9E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 0x9F /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_128_GCM_SHA256 0xA8 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384 0xA9 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 0xAA /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 0xAB /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 0xAC /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 0xAD /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_128_CBC_SHA256 0xAE
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_256_CBC_SHA384 0xAF
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA256 0xB0 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_NULL_SHA384 0xB1 /**< Weak! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 0xB2
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 0xB3
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA256 0xB4 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_NULL_SHA384 0xB5 /**< Weak! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 0xB6
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 0xB7
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA256 0xB8 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_NULL_SHA384 0xB9 /**< Weak! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBA /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xBE /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC0 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 0xC4 /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_RC4_128_SHA 0xC002 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC003 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 /**< Not in SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_RC4_128_SHA 0xC007 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA 0xC008 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A /**< Not in SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_RC4_128_SHA 0xC00C /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA 0xC00D /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F /**< Not in SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_RC4_128_SHA 0xC011 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA 0xC012 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 /**< Not in SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_RC4_128_SHA 0xC033 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA 0xC034 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 0xC037 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 0xC038 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA 0xC039 /**< Weak! No SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256 0xC03A /**< Weak! No SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA384 0xC03B /**< Weak! No SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_ARIA_128_CBC_SHA256 0xC03C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_ARIA_256_CBC_SHA384 0xC03D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC044 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC045 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_ARIA_128_GCM_SHA256 0xC050 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_ARIA_256_GCM_SHA384 0xC051 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC052 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC053 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC066 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC067 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 0xC068 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 0xC069 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_ARIA_256_GCM_SHA384 0xC06B /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 0xC06C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 0xC06D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 0xC06E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 0xC06F /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 0xC070 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 0xC071 /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC075 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC078 /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC079 /**< Not in SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07A /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07B /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC07C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC07D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC088 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC089 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC08A /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC08B /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC08C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC08D /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC08E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC08F /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC090 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC091 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC092 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC093 /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC094
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC095
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC096
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC097
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC098
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC099
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 0xC09A /**< Not in SSL3! */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 0xC09B /**< Not in SSL3! */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM 0xC09C /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM 0xC09D /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM 0xC09E /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM 0xC09F /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_128_CCM_8 0xC0A0 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_WITH_AES_256_CCM_8 0xC0A1 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CCM_8 0xC0A2 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CCM_8 0xC0A3 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM 0xC0A4 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM 0xC0A5 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM 0xC0A6 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM 0xC0A7 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_128_CCM_8 0xC0A8 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_AES_256_CCM_8 0xC0A9 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_128_CCM_8 0xC0AA /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_AES_256_CCM_8 0xC0AB /**< TLS 1.2 */
|
||||||
|
/* The last two are named with PSK_DHE in the RFC, which looks like a typo */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM 0xC0AC /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM 0xC0AD /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 0xC0AE /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 0xC0AF /**< TLS 1.2 */
|
||||||
|
|
||||||
|
#define MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 0xC0FF /**< experimental */
|
||||||
|
|
||||||
|
/* RFC 7905 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA8 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 0xCCA9 /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256 0xCCAA /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAB /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAC /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAD /**< TLS 1.2 */
|
||||||
|
#define MBEDTLS_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 0xCCAE /**< TLS 1.2 */
|
||||||
|
|
||||||
|
/* Reminder: update mbedtls_ssl_premaster_secret when adding a new key exchange.
|
||||||
|
* Reminder: update MBEDTLS_KEY_EXCHANGE__xxx below
|
||||||
|
*/
|
||||||
|
typedef enum {
|
||||||
|
MBEDTLS_KEY_EXCHANGE_NONE = 0,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_RSA,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_DHE_RSA,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_PSK,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_DHE_PSK,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_RSA_PSK,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDH_RSA,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA,
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE,
|
||||||
|
} mbedtls_key_exchange_type_t;
|
||||||
|
|
||||||
|
/* Key exchanges using a certificate */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges allowing client certificate requests */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges involving server signature in ServerKeyExchange */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges using ECDH */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges that don't involve ephemeral keys */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges that involve ephemeral keys */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges using a PSK */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges using DHE */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges using ECDHE */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
|
||||||
|
|
||||||
|
#define MBEDTLS_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
|
||||||
|
#define MBEDTLS_CIPHERSUITE_SHORT_TAG 0x02 /**< Short authentication tag,
|
||||||
|
eg for CCM_8 */
|
||||||
|
#define MBEDTLS_CIPHERSUITE_NODTLS 0x04 /**< Can't be used with DTLS */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief This structure is used for storing ciphersuite information
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_ciphersuite_t
|
||||||
|
{
|
||||||
|
int id;
|
||||||
|
const char * name;
|
||||||
|
|
||||||
|
mbedtls_cipher_type_t cipher;
|
||||||
|
mbedtls_md_type_t mac;
|
||||||
|
mbedtls_key_exchange_type_t key_exchange;
|
||||||
|
|
||||||
|
int min_major_ver;
|
||||||
|
int min_minor_ver;
|
||||||
|
int max_major_ver;
|
||||||
|
int max_minor_ver;
|
||||||
|
|
||||||
|
unsigned char flags;
|
||||||
|
};
|
||||||
|
|
||||||
|
const int *mbedtls_ssl_list_ciphersuites( void );
|
||||||
|
|
||||||
|
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
|
||||||
|
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PK_C)
|
||||||
|
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
|
||||||
|
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
|
||||||
|
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* ssl_ciphersuites.h */
|
115
include/mbedtls/ssl_cookie.h
Normal file
115
include/mbedtls/ssl_cookie.h
Normal file
|
@ -0,0 +1,115 @@
|
||||||
|
/**
|
||||||
|
* \file ssl_cookie.h
|
||||||
|
*
|
||||||
|
* \brief DTLS cookie callbacks implementation
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_SSL_COOKIE_H
|
||||||
|
#define MBEDTLS_SSL_COOKIE_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "ssl.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
#include "threading.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name SECTION: Module settings
|
||||||
|
*
|
||||||
|
* The configuration options you can set for this module are in this section.
|
||||||
|
* Either change them in config.h or define them on the compiler command line.
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_SSL_COOKIE_TIMEOUT
|
||||||
|
#define MBEDTLS_SSL_COOKIE_TIMEOUT 60 /**< Default expiration delay of DTLS cookies, in seconds if HAVE_TIME, or in number of cookies issued */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* \} name SECTION: Module settings */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Context for the default cookie functions.
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_ssl_cookie_ctx
|
||||||
|
{
|
||||||
|
mbedtls_md_context_t hmac_ctx; /*!< context for the HMAC portion */
|
||||||
|
#if !defined(MBEDTLS_HAVE_TIME)
|
||||||
|
unsigned long serial; /*!< serial number for expiration */
|
||||||
|
#endif
|
||||||
|
unsigned long timeout; /*!< timeout delay, in seconds if HAVE_TIME,
|
||||||
|
or in number of tickets issued */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_threading_mutex_t mutex;
|
||||||
|
#endif
|
||||||
|
} mbedtls_ssl_cookie_ctx;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize cookie context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Setup cookie context (generate keys)
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set expiration delay for cookies
|
||||||
|
* (Default MBEDTLS_SSL_COOKIE_TIMEOUT)
|
||||||
|
*
|
||||||
|
* \param ctx Cookie contex
|
||||||
|
* \param delay Delay, in seconds if HAVE_TIME, or in number of cookies
|
||||||
|
* issued in the meantime.
|
||||||
|
* 0 to disable expiration (NOT recommended)
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free cookie context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Generate cookie, see \c mbedtls_ssl_cookie_write_t
|
||||||
|
*/
|
||||||
|
mbedtls_ssl_cookie_write_t mbedtls_ssl_cookie_write;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Verify cookie, see \c mbedtls_ssl_cookie_write_t
|
||||||
|
*/
|
||||||
|
mbedtls_ssl_cookie_check_t mbedtls_ssl_cookie_check;
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* ssl_cookie.h */
|
819
include/mbedtls/ssl_internal.h
Normal file
819
include/mbedtls/ssl_internal.h
Normal file
|
@ -0,0 +1,819 @@
|
||||||
|
/**
|
||||||
|
* \file ssl_internal.h
|
||||||
|
*
|
||||||
|
* \brief Internal functions shared by the SSL modules
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_SSL_INTERNAL_H
|
||||||
|
#define MBEDTLS_SSL_INTERNAL_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "ssl.h"
|
||||||
|
#include "cipher.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_MD5_C)
|
||||||
|
#include "md5.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
|
#include "sha1.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
#include "sha256.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA512_C)
|
||||||
|
#include "sha512.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
#include "ecjpake.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#include "psa_util.h"
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
|
||||||
|
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
||||||
|
!defined(inline) && !defined(__cplusplus)
|
||||||
|
#define inline __inline
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Determine minimum supported version */
|
||||||
|
#define MBEDTLS_SSL_MIN_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
|
||||||
|
#else
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1)
|
||||||
|
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
|
||||||
|
#else
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
|
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
|
||||||
|
#else
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
|
#define MBEDTLS_SSL_MIN_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1 */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_MIN_VALID_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
|
||||||
|
#define MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
|
||||||
|
/* Determine maximum supported version */
|
||||||
|
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
|
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
|
#else
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
|
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_2
|
||||||
|
#else
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1)
|
||||||
|
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_1
|
||||||
|
#else
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_0
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1 */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
/* Shorthand for restartable ECC */
|
||||||
|
#if defined(MBEDTLS_ECP_RESTARTABLE) && \
|
||||||
|
defined(MBEDTLS_SSL_CLI_C) && \
|
||||||
|
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
|
#define MBEDTLS_SSL__ECP_RESTARTABLE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
|
||||||
|
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
|
||||||
|
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
|
||||||
|
#define MBEDTLS_SSL_RENEGOTIATION_PENDING 3 /* Requested (server only) */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* DTLS retransmission states, see RFC 6347 4.2.4
|
||||||
|
*
|
||||||
|
* The SENDING state is merged in PREPARING for initial sends,
|
||||||
|
* but is distinct for resends.
|
||||||
|
*
|
||||||
|
* Note: initial state is wrong for server, but is not used anyway.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_SSL_RETRANS_PREPARING 0
|
||||||
|
#define MBEDTLS_SSL_RETRANS_SENDING 1
|
||||||
|
#define MBEDTLS_SSL_RETRANS_WAITING 2
|
||||||
|
#define MBEDTLS_SSL_RETRANS_FINISHED 3
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Allow extra bytes for record, authentication and encryption overhead:
|
||||||
|
* counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256)
|
||||||
|
* and allow for a maximum of 1024 of compression expansion if
|
||||||
|
* enabled.
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_ZLIB_SUPPORT)
|
||||||
|
#define MBEDTLS_SSL_COMPRESSION_ADD 1024
|
||||||
|
#else
|
||||||
|
#define MBEDTLS_SSL_COMPRESSION_ADD 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ARC4_C) || defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||||
|
/* Ciphersuites using HMAC */
|
||||||
|
#if defined(MBEDTLS_SHA512_C)
|
||||||
|
#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
|
||||||
|
#elif defined(MBEDTLS_SHA256_C)
|
||||||
|
#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
|
||||||
|
#else
|
||||||
|
#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
|
||||||
|
#endif
|
||||||
|
#else
|
||||||
|
/* AEAD ciphersuites: GCM and CCM use a 128 bits tag */
|
||||||
|
#define MBEDTLS_SSL_MAC_ADD 16
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||||
|
#define MBEDTLS_SSL_PADDING_ADD 256
|
||||||
|
#else
|
||||||
|
#define MBEDTLS_SSL_PADDING_ADD 0
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_PAYLOAD_OVERHEAD ( MBEDTLS_SSL_COMPRESSION_ADD + \
|
||||||
|
MBEDTLS_MAX_IV_LENGTH + \
|
||||||
|
MBEDTLS_SSL_MAC_ADD + \
|
||||||
|
MBEDTLS_SSL_PADDING_ADD \
|
||||||
|
)
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_IN_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
|
||||||
|
( MBEDTLS_SSL_IN_CONTENT_LEN ) )
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_OUT_PAYLOAD_LEN ( MBEDTLS_SSL_PAYLOAD_OVERHEAD + \
|
||||||
|
( MBEDTLS_SSL_OUT_CONTENT_LEN ) )
|
||||||
|
|
||||||
|
/* The maximum number of buffered handshake messages. */
|
||||||
|
#define MBEDTLS_SSL_MAX_BUFFERED_HS 4
|
||||||
|
|
||||||
|
/* Maximum length we can advertise as our max content length for
|
||||||
|
RFC 6066 max_fragment_length extension negotiation purposes
|
||||||
|
(the lesser of both sizes, if they are unequal.)
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_TLS_EXT_ADV_CONTENT_LEN ( \
|
||||||
|
(MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_OUT_CONTENT_LEN) \
|
||||||
|
? ( MBEDTLS_SSL_OUT_CONTENT_LEN ) \
|
||||||
|
: ( MBEDTLS_SSL_IN_CONTENT_LEN ) \
|
||||||
|
)
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check that we obey the standard's message size bounds
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if MBEDTLS_SSL_MAX_CONTENT_LEN > 16384
|
||||||
|
#error "Bad configuration - record content too large."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if MBEDTLS_SSL_IN_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||||
|
#error "Bad configuration - incoming record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if MBEDTLS_SSL_OUT_CONTENT_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN
|
||||||
|
#error "Bad configuration - outgoing record content should not be larger than MBEDTLS_SSL_MAX_CONTENT_LEN."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if MBEDTLS_SSL_IN_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||||
|
#error "Bad configuration - incoming protected record payload too large."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if MBEDTLS_SSL_OUT_PAYLOAD_LEN > MBEDTLS_SSL_MAX_CONTENT_LEN + 2048
|
||||||
|
#error "Bad configuration - outgoing protected record payload too large."
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Calculate buffer sizes */
|
||||||
|
|
||||||
|
/* Note: Even though the TLS record header is only 5 bytes
|
||||||
|
long, we're internally using 8 bytes to store the
|
||||||
|
implicit sequence number. */
|
||||||
|
#define MBEDTLS_SSL_HEADER_LEN 13
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_IN_BUFFER_LEN \
|
||||||
|
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_IN_PAYLOAD_LEN ) )
|
||||||
|
|
||||||
|
#define MBEDTLS_SSL_OUT_BUFFER_LEN \
|
||||||
|
( ( MBEDTLS_SSL_HEADER_LEN ) + ( MBEDTLS_SSL_OUT_PAYLOAD_LEN ) )
|
||||||
|
|
||||||
|
#ifdef MBEDTLS_ZLIB_SUPPORT
|
||||||
|
/* Compression buffer holds both IN and OUT buffers, so should be size of the larger */
|
||||||
|
#define MBEDTLS_SSL_COMPRESS_BUFFER_LEN ( \
|
||||||
|
( MBEDTLS_SSL_IN_BUFFER_LEN > MBEDTLS_SSL_OUT_BUFFER_LEN ) \
|
||||||
|
? MBEDTLS_SSL_IN_BUFFER_LEN \
|
||||||
|
: MBEDTLS_SSL_OUT_BUFFER_LEN \
|
||||||
|
)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TLS extension flags (for extensions with outgoing ServerHello content
|
||||||
|
* that need it (e.g. for RENEGOTIATION_INFO the server already knows because
|
||||||
|
* of state of the renegotiation flag, so no indicator is required)
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
|
||||||
|
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
|
/*
|
||||||
|
* Abstraction for a grid of allowed signature-hash-algorithm pairs.
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_sig_hash_set_t
|
||||||
|
{
|
||||||
|
/* At the moment, we only need to remember a single suitable
|
||||||
|
* hash algorithm per signature algorithm. As long as that's
|
||||||
|
* the case - and we don't need a general lookup function -
|
||||||
|
* we can implement the sig-hash-set as a map from signatures
|
||||||
|
* to hash algorithms. */
|
||||||
|
mbedtls_md_type_t rsa;
|
||||||
|
mbedtls_md_type_t ecdsa;
|
||||||
|
};
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 &&
|
||||||
|
MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This structure contains the parameters only needed during handshake.
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_handshake_params
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Handshake specific crypto variables
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
|
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_DHM_C)
|
||||||
|
mbedtls_dhm_context dhm_ctx; /*!< DHM key exchange */
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_ECDH_C)
|
||||||
|
mbedtls_ecdh_context ecdh_ctx; /*!< ECDH key exchange */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
psa_ecc_curve_t ecdh_psa_curve;
|
||||||
|
psa_key_handle_t ecdh_psa_privkey;
|
||||||
|
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
|
||||||
|
size_t ecdh_psa_peerkey_len;
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
#endif /* MBEDTLS_ECDH_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */
|
||||||
|
#if defined(MBEDTLS_SSL_CLI_C)
|
||||||
|
unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */
|
||||||
|
size_t ecjpake_cache_len; /*!< Length of cached data */
|
||||||
|
#endif
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
const mbedtls_ecp_curve_info **curves; /*!< Supported elliptic curves */
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
unsigned char *psk; /*!< PSK from the callback */
|
||||||
|
size_t psk_len; /*!< Length of PSK from callback */
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
mbedtls_ssl_key_cert *key_cert; /*!< chosen key/cert pair (server) */
|
||||||
|
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||||
|
int sni_authmode; /*!< authmode from SNI callback */
|
||||||
|
mbedtls_ssl_key_cert *sni_key_cert; /*!< key/cert list from SNI */
|
||||||
|
mbedtls_x509_crt *sni_ca_chain; /*!< trusted CAs from SNI callback */
|
||||||
|
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
|
||||||
|
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
int ecrs_enabled; /*!< Handshake supports EC restart? */
|
||||||
|
mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
|
||||||
|
enum { /* this complements ssl->state with info on intra-state operations */
|
||||||
|
ssl_ecrs_none = 0, /*!< nothing going on (yet) */
|
||||||
|
ssl_ecrs_crt_verify, /*!< Certificate: crt_verify() */
|
||||||
|
ssl_ecrs_ske_start_processing, /*!< ServerKeyExchange: pk_verify() */
|
||||||
|
ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
|
||||||
|
ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
|
||||||
|
} ecrs_state; /*!< current (or last) operation */
|
||||||
|
mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
|
||||||
|
size_t ecrs_n; /*!< place for saving a length */
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
mbedtls_pk_context peer_pubkey; /*!< The public key from the peer. */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
|
||||||
|
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
|
||||||
|
|
||||||
|
unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
|
||||||
|
Srv: unused */
|
||||||
|
unsigned char verify_cookie_len; /*!< Cli: cookie length
|
||||||
|
Srv: flag for sending a cookie */
|
||||||
|
|
||||||
|
uint32_t retransmit_timeout; /*!< Current value of timeout */
|
||||||
|
unsigned char retransmit_state; /*!< Retransmission state */
|
||||||
|
mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
|
||||||
|
mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
|
||||||
|
unsigned char *cur_msg_p; /*!< Position in current message */
|
||||||
|
unsigned int in_flight_start_seq; /*!< Minimum message sequence in the
|
||||||
|
flight being received */
|
||||||
|
mbedtls_ssl_transform *alt_transform_out; /*!< Alternative transform for
|
||||||
|
resending messages */
|
||||||
|
unsigned char alt_out_ctr[8]; /*!< Alternative record epoch/counter
|
||||||
|
for resending messages */
|
||||||
|
|
||||||
|
struct
|
||||||
|
{
|
||||||
|
size_t total_bytes_buffered; /*!< Cumulative size of heap allocated
|
||||||
|
* buffers used for message buffering. */
|
||||||
|
|
||||||
|
uint8_t seen_ccs; /*!< Indicates if a CCS message has
|
||||||
|
* been seen in the current flight. */
|
||||||
|
|
||||||
|
struct mbedtls_ssl_hs_buffer
|
||||||
|
{
|
||||||
|
unsigned is_valid : 1;
|
||||||
|
unsigned is_fragmented : 1;
|
||||||
|
unsigned is_complete : 1;
|
||||||
|
unsigned char *data;
|
||||||
|
size_t data_len;
|
||||||
|
} hs[MBEDTLS_SSL_MAX_BUFFERED_HS];
|
||||||
|
|
||||||
|
struct
|
||||||
|
{
|
||||||
|
unsigned char *data;
|
||||||
|
size_t len;
|
||||||
|
unsigned epoch;
|
||||||
|
} future_record;
|
||||||
|
|
||||||
|
} buffering;
|
||||||
|
|
||||||
|
uint16_t mtu; /*!< Handshake mtu, used to fragment outgoing messages */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Checksum contexts
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
|
mbedtls_md5_context fin_md5;
|
||||||
|
mbedtls_sha1_context fin_sha1;
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
psa_hash_operation_t fin_sha256_psa;
|
||||||
|
#else
|
||||||
|
mbedtls_sha256_context fin_sha256;
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA512_C)
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
psa_hash_operation_t fin_sha384_psa;
|
||||||
|
#else
|
||||||
|
mbedtls_sha512_context fin_sha512;
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
|
||||||
|
void (*calc_verify)(mbedtls_ssl_context *, unsigned char *);
|
||||||
|
void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
|
||||||
|
int (*tls_prf)(const unsigned char *, size_t, const char *,
|
||||||
|
const unsigned char *, size_t,
|
||||||
|
unsigned char *, size_t);
|
||||||
|
|
||||||
|
size_t pmslen; /*!< premaster length */
|
||||||
|
|
||||||
|
unsigned char randbytes[64]; /*!< random bytes */
|
||||||
|
unsigned char premaster[MBEDTLS_PREMASTER_SIZE];
|
||||||
|
/*!< premaster secret */
|
||||||
|
|
||||||
|
int resume; /*!< session resume indicator*/
|
||||||
|
int max_major_ver; /*!< max. major version client*/
|
||||||
|
int max_minor_ver; /*!< max. minor version client*/
|
||||||
|
int cli_exts; /*!< client extension presence*/
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
|
int new_session_ticket; /*!< use NewSessionTicket? */
|
||||||
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
|
int extended_ms; /*!< use Extended Master Secret? */
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||||
|
unsigned int async_in_progress : 1; /*!< an asynchronous operation is in progress */
|
||||||
|
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||||
|
/** Asynchronous operation context. This field is meant for use by the
|
||||||
|
* asynchronous operation callbacks (mbedtls_ssl_config::f_async_sign_start,
|
||||||
|
* mbedtls_ssl_config::f_async_decrypt_start,
|
||||||
|
* mbedtls_ssl_config::f_async_resume, mbedtls_ssl_config::f_async_cancel).
|
||||||
|
* The library does not use it internally. */
|
||||||
|
void *user_async_ctx;
|
||||||
|
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
|
||||||
|
};
|
||||||
|
|
||||||
|
typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This structure contains a full set of runtime transform parameters
|
||||||
|
* either in negotiation or active.
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_transform
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Session specific crypto layer
|
||||||
|
*/
|
||||||
|
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||||
|
/*!< Chosen cipersuite_info */
|
||||||
|
unsigned int keylen; /*!< symmetric key length (bytes) */
|
||||||
|
size_t minlen; /*!< min. ciphertext length */
|
||||||
|
size_t ivlen; /*!< IV length */
|
||||||
|
size_t fixed_ivlen; /*!< Fixed part of IV (AEAD) */
|
||||||
|
size_t maclen; /*!< MAC length */
|
||||||
|
|
||||||
|
unsigned char iv_enc[16]; /*!< IV (encryption) */
|
||||||
|
unsigned char iv_dec[16]; /*!< IV (decryption) */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
/* Needed only for SSL v3.0 secret */
|
||||||
|
unsigned char mac_enc[20]; /*!< SSL v3.0 secret (enc) */
|
||||||
|
unsigned char mac_dec[20]; /*!< SSL v3.0 secret (dec) */
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
|
|
||||||
|
mbedtls_md_context_t md_ctx_enc; /*!< MAC (encryption) */
|
||||||
|
mbedtls_md_context_t md_ctx_dec; /*!< MAC (decryption) */
|
||||||
|
|
||||||
|
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
|
||||||
|
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Session specific compression layer
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_ZLIB_SUPPORT)
|
||||||
|
z_stream ctx_deflate; /*!< compression context */
|
||||||
|
z_stream ctx_inflate; /*!< decompression context */
|
||||||
|
#endif
|
||||||
|
};
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
/*
|
||||||
|
* List of certificate + private key pairs
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_key_cert
|
||||||
|
{
|
||||||
|
mbedtls_x509_crt *cert; /*!< cert */
|
||||||
|
mbedtls_pk_context *key; /*!< private key */
|
||||||
|
mbedtls_ssl_key_cert *next; /*!< next key/cert pair */
|
||||||
|
};
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
/*
|
||||||
|
* List of handshake messages kept around for resending
|
||||||
|
*/
|
||||||
|
struct mbedtls_ssl_flight_item
|
||||||
|
{
|
||||||
|
unsigned char *p; /*!< message, including handshake headers */
|
||||||
|
size_t len; /*!< length of p */
|
||||||
|
unsigned char type; /*!< type of the message: handshake or CCS */
|
||||||
|
mbedtls_ssl_flight_item *next; /*!< next handshake message(s) */
|
||||||
|
};
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
|
|
||||||
|
/* Find an entry in a signature-hash set matching a given hash algorithm. */
|
||||||
|
mbedtls_md_type_t mbedtls_ssl_sig_hash_set_find( mbedtls_ssl_sig_hash_set_t *set,
|
||||||
|
mbedtls_pk_type_t sig_alg );
|
||||||
|
/* Add a signature-hash-pair to a signature-hash set */
|
||||||
|
void mbedtls_ssl_sig_hash_set_add( mbedtls_ssl_sig_hash_set_t *set,
|
||||||
|
mbedtls_pk_type_t sig_alg,
|
||||||
|
mbedtls_md_type_t md_alg );
|
||||||
|
/* Allow exactly one hash algorithm for each signature. */
|
||||||
|
void mbedtls_ssl_sig_hash_set_const_hash( mbedtls_ssl_sig_hash_set_t *set,
|
||||||
|
mbedtls_md_type_t md_alg );
|
||||||
|
|
||||||
|
/* Setup an empty signature-hash set */
|
||||||
|
static inline void mbedtls_ssl_sig_hash_set_init( mbedtls_ssl_sig_hash_set_t *set )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_sig_hash_set_const_hash( set, MBEDTLS_MD_NONE );
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2) &&
|
||||||
|
MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free referenced items in an SSL transform context and clear
|
||||||
|
* memory
|
||||||
|
*
|
||||||
|
* \param transform SSL transform context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_transform_free( mbedtls_ssl_transform *transform );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free referenced items in an SSL handshake context and clear
|
||||||
|
* memory
|
||||||
|
*
|
||||||
|
* \param ssl SSL context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
|
||||||
|
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_prepare_handshake_record( mbedtls_ssl_context *ssl );
|
||||||
|
void mbedtls_ssl_update_handshake_status( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Update record layer
|
||||||
|
*
|
||||||
|
* This function roughly separates the implementation
|
||||||
|
* of the logic of (D)TLS from the implementation
|
||||||
|
* of the secure transport.
|
||||||
|
*
|
||||||
|
* \param ssl The SSL context to use.
|
||||||
|
* \param update_hs_digest This indicates if the handshake digest
|
||||||
|
* should be automatically updated in case
|
||||||
|
* a handshake message is found.
|
||||||
|
*
|
||||||
|
* \return 0 or non-zero error code.
|
||||||
|
*
|
||||||
|
* \note A clarification on what is called 'record layer' here
|
||||||
|
* is in order, as many sensible definitions are possible:
|
||||||
|
*
|
||||||
|
* The record layer takes as input an untrusted underlying
|
||||||
|
* transport (stream or datagram) and transforms it into
|
||||||
|
* a serially multiplexed, secure transport, which
|
||||||
|
* conceptually provides the following:
|
||||||
|
*
|
||||||
|
* (1) Three datagram based, content-agnostic transports
|
||||||
|
* for handshake, alert and CCS messages.
|
||||||
|
* (2) One stream- or datagram-based transport
|
||||||
|
* for application data.
|
||||||
|
* (3) Functionality for changing the underlying transform
|
||||||
|
* securing the contents.
|
||||||
|
*
|
||||||
|
* The interface to this functionality is given as follows:
|
||||||
|
*
|
||||||
|
* a Updating
|
||||||
|
* [Currently implemented by mbedtls_ssl_read_record]
|
||||||
|
*
|
||||||
|
* Check if and on which of the four 'ports' data is pending:
|
||||||
|
* Nothing, a controlling datagram of type (1), or application
|
||||||
|
* data (2). In any case data is present, internal buffers
|
||||||
|
* provide access to the data for the user to process it.
|
||||||
|
* Consumption of type (1) datagrams is done automatically
|
||||||
|
* on the next update, invalidating that the internal buffers
|
||||||
|
* for previous datagrams, while consumption of application
|
||||||
|
* data (2) is user-controlled.
|
||||||
|
*
|
||||||
|
* b Reading of application data
|
||||||
|
* [Currently manual adaption of ssl->in_offt pointer]
|
||||||
|
*
|
||||||
|
* As mentioned in the last paragraph, consumption of data
|
||||||
|
* is different from the automatic consumption of control
|
||||||
|
* datagrams (1) because application data is treated as a stream.
|
||||||
|
*
|
||||||
|
* c Tracking availability of application data
|
||||||
|
* [Currently manually through decreasing ssl->in_msglen]
|
||||||
|
*
|
||||||
|
* For efficiency and to retain datagram semantics for
|
||||||
|
* application data in case of DTLS, the record layer
|
||||||
|
* provides functionality for checking how much application
|
||||||
|
* data is still available in the internal buffer.
|
||||||
|
*
|
||||||
|
* d Changing the transformation securing the communication.
|
||||||
|
*
|
||||||
|
* Given an opaque implementation of the record layer in the
|
||||||
|
* above sense, it should be possible to implement the logic
|
||||||
|
* of (D)TLS on top of it without the need to know anything
|
||||||
|
* about the record layer's internals. This is done e.g.
|
||||||
|
* in all the handshake handling functions, and in the
|
||||||
|
* application data reading function mbedtls_ssl_read.
|
||||||
|
*
|
||||||
|
* \note The above tries to give a conceptual picture of the
|
||||||
|
* record layer, but the current implementation deviates
|
||||||
|
* from it in some places. For example, our implementation of
|
||||||
|
* the update functionality through mbedtls_ssl_read_record
|
||||||
|
* discards datagrams depending on the current state, which
|
||||||
|
* wouldn't fall under the record layer's responsibility
|
||||||
|
* following the above definition.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_read_record( mbedtls_ssl_context *ssl,
|
||||||
|
unsigned update_hs_digest );
|
||||||
|
int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want );
|
||||||
|
|
||||||
|
int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush );
|
||||||
|
int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_write_change_cipher_spec( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||||
|
const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||||
|
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PK_C)
|
||||||
|
unsigned char mbedtls_ssl_sig_from_pk( mbedtls_pk_context *pk );
|
||||||
|
unsigned char mbedtls_ssl_sig_from_pk_alg( mbedtls_pk_type_t type );
|
||||||
|
mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
|
||||||
|
unsigned char mbedtls_ssl_hash_from_md_alg( int md );
|
||||||
|
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
|
int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
|
||||||
|
mbedtls_md_type_t md );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_key_cert *key_cert;
|
||||||
|
|
||||||
|
if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
|
||||||
|
key_cert = ssl->handshake->key_cert;
|
||||||
|
else
|
||||||
|
key_cert = ssl->conf->key_cert;
|
||||||
|
|
||||||
|
return( key_cert == NULL ? NULL : key_cert->key );
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_key_cert *key_cert;
|
||||||
|
|
||||||
|
if( ssl->handshake != NULL && ssl->handshake->key_cert != NULL )
|
||||||
|
key_cert = ssl->handshake->key_cert;
|
||||||
|
else
|
||||||
|
key_cert = ssl->conf->key_cert;
|
||||||
|
|
||||||
|
return( key_cert == NULL ? NULL : key_cert->cert );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check usage of a certificate wrt extensions:
|
||||||
|
* keyUsage, extendedKeyUsage (later), and nSCertType (later).
|
||||||
|
*
|
||||||
|
* Warning: cert_endpoint is the endpoint of the cert (ie, of our peer when we
|
||||||
|
* check a cert we received from them)!
|
||||||
|
*
|
||||||
|
* Return 0 if everything is OK, -1 if not.
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||||
|
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||||
|
int cert_endpoint,
|
||||||
|
uint32_t *flags );
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
void mbedtls_ssl_write_version( int major, int minor, int transport,
|
||||||
|
unsigned char ver[2] );
|
||||||
|
void mbedtls_ssl_read_version( int *major, int *minor, int transport,
|
||||||
|
const unsigned char ver[2] );
|
||||||
|
|
||||||
|
static inline size_t mbedtls_ssl_hdr_len( const mbedtls_ssl_context *ssl )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
||||||
|
return( 13 );
|
||||||
|
#else
|
||||||
|
((void) ssl);
|
||||||
|
#endif
|
||||||
|
return( 5 );
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline size_t mbedtls_ssl_hs_hdr_len( const mbedtls_ssl_context *ssl )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
|
||||||
|
return( 12 );
|
||||||
|
#else
|
||||||
|
((void) ssl);
|
||||||
|
#endif
|
||||||
|
return( 4 );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
void mbedtls_ssl_send_flight_completed( mbedtls_ssl_context *ssl );
|
||||||
|
void mbedtls_ssl_recv_flight_completed( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_resend( mbedtls_ssl_context *ssl );
|
||||||
|
int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Visible for testing purposes only */
|
||||||
|
#if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
|
||||||
|
int mbedtls_ssl_dtls_replay_check( mbedtls_ssl_context *ssl );
|
||||||
|
void mbedtls_ssl_dtls_replay_update( mbedtls_ssl_context *ssl );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
int mbedtls_ssl_session_copy( mbedtls_ssl_session *dst,
|
||||||
|
const mbedtls_ssl_session *src );
|
||||||
|
|
||||||
|
/* constant-time buffer comparison */
|
||||||
|
static inline int mbedtls_ssl_safer_memcmp( const void *a, const void *b, size_t n )
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
volatile const unsigned char *A = (volatile const unsigned char *) a;
|
||||||
|
volatile const unsigned char *B = (volatile const unsigned char *) b;
|
||||||
|
volatile unsigned char diff = 0;
|
||||||
|
|
||||||
|
for( i = 0; i < n; i++ )
|
||||||
|
{
|
||||||
|
/* Read volatile data in order before computing diff.
|
||||||
|
* This avoids IAR compiler warning:
|
||||||
|
* 'the order of volatile accesses is undefined ..' */
|
||||||
|
unsigned char x = A[i], y = B[i];
|
||||||
|
diff |= x ^ y;
|
||||||
|
}
|
||||||
|
|
||||||
|
return( diff );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
|
int mbedtls_ssl_get_key_exchange_md_ssl_tls( mbedtls_ssl_context *ssl,
|
||||||
|
unsigned char *output,
|
||||||
|
unsigned char *data, size_t data_len );
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
||||||
|
MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
|
/* The hash buffer must have at least MBEDTLS_MD_MAX_SIZE bytes of length. */
|
||||||
|
int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
|
||||||
|
unsigned char *hash, size_t *hashlen,
|
||||||
|
unsigned char *data, size_t data_len,
|
||||||
|
mbedtls_md_type_t md_alg );
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
|
||||||
|
MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* ssl_internal.h */
|
142
include/mbedtls/ssl_ticket.h
Normal file
142
include/mbedtls/ssl_ticket.h
Normal file
|
@ -0,0 +1,142 @@
|
||||||
|
/**
|
||||||
|
* \file ssl_ticket.h
|
||||||
|
*
|
||||||
|
* \brief TLS server ticket callbacks implementation
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_SSL_TICKET_H
|
||||||
|
#define MBEDTLS_SSL_TICKET_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This implementation of the session ticket callbacks includes key
|
||||||
|
* management, rotating the keys periodically in order to preserve forward
|
||||||
|
* secrecy, when MBEDTLS_HAVE_TIME is defined.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "ssl.h"
|
||||||
|
#include "cipher.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
#include "threading.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Information for session ticket protection
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_ssl_ticket_key
|
||||||
|
{
|
||||||
|
unsigned char name[4]; /*!< random key identifier */
|
||||||
|
uint32_t generation_time; /*!< key generation timestamp (seconds) */
|
||||||
|
mbedtls_cipher_context_t ctx; /*!< context for auth enc/decryption */
|
||||||
|
}
|
||||||
|
mbedtls_ssl_ticket_key;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Context for session ticket handling functions
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_ssl_ticket_context
|
||||||
|
{
|
||||||
|
mbedtls_ssl_ticket_key keys[2]; /*!< ticket protection keys */
|
||||||
|
unsigned char active; /*!< index of the currently active key */
|
||||||
|
|
||||||
|
uint32_t ticket_lifetime; /*!< lifetime of tickets in seconds */
|
||||||
|
|
||||||
|
/** Callback for getting (pseudo-)random numbers */
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t);
|
||||||
|
void *p_rng; /*!< context for the RNG function */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_threading_mutex_t mutex;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
mbedtls_ssl_ticket_context;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize a ticket context.
|
||||||
|
* (Just make it ready for mbedtls_ssl_ticket_setup()
|
||||||
|
* or mbedtls_ssl_ticket_free().)
|
||||||
|
*
|
||||||
|
* \param ctx Context to be initialized
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Prepare context to be actually used
|
||||||
|
*
|
||||||
|
* \param ctx Context to be set up
|
||||||
|
* \param f_rng RNG callback function
|
||||||
|
* \param p_rng RNG callback context
|
||||||
|
* \param cipher AEAD cipher to use for ticket protection.
|
||||||
|
* Recommended value: MBEDTLS_CIPHER_AES_256_GCM.
|
||||||
|
* \param lifetime Tickets lifetime in seconds
|
||||||
|
* Recommended value: 86400 (one day).
|
||||||
|
*
|
||||||
|
* \note It is highly recommended to select a cipher that is at
|
||||||
|
* least as strong as the the strongest ciphersuite
|
||||||
|
* supported. Usually that means a 256-bit key.
|
||||||
|
*
|
||||||
|
* \note The lifetime of the keys is twice the lifetime of tickets.
|
||||||
|
* It is recommended to pick a reasonnable lifetime so as not
|
||||||
|
* to negate the benefits of forward secrecy.
|
||||||
|
*
|
||||||
|
* \return 0 if successful,
|
||||||
|
* or a specific MBEDTLS_ERR_XXX error code
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||||
|
mbedtls_cipher_type_t cipher,
|
||||||
|
uint32_t lifetime );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Implementation of the ticket write callback
|
||||||
|
*
|
||||||
|
* \note See \c mbedtls_ssl_ticket_write_t for description
|
||||||
|
*/
|
||||||
|
mbedtls_ssl_ticket_write_t mbedtls_ssl_ticket_write;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Implementation of the ticket parse callback
|
||||||
|
*
|
||||||
|
* \note See \c mbedtls_ssl_ticket_parse_t for description
|
||||||
|
*/
|
||||||
|
mbedtls_ssl_ticket_parse_t mbedtls_ssl_ticket_parse;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free a context's content and zeroize it.
|
||||||
|
*
|
||||||
|
* \param ctx Context to be cleaned up
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx );
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* ssl_ticket.h */
|
339
include/mbedtls/x509.h
Normal file
339
include/mbedtls/x509.h
Normal file
|
@ -0,0 +1,339 @@
|
||||||
|
/**
|
||||||
|
* \file x509.h
|
||||||
|
*
|
||||||
|
* \brief X.509 generic defines and structures
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_X509_H
|
||||||
|
#define MBEDTLS_X509_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "asn1.h"
|
||||||
|
#include "pk.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
#include "rsa.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \addtogroup x509_module
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_X509_MAX_INTERMEDIATE_CA)
|
||||||
|
/**
|
||||||
|
* Maximum number of intermediate CAs in a verification chain.
|
||||||
|
* That is, maximum length of the chain, excluding the end-entity certificate
|
||||||
|
* and the trusted root certificate.
|
||||||
|
*
|
||||||
|
* Set this to a low value to prevent an adversary from making you waste
|
||||||
|
* resources verifying an overlong certificate chain.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_X509_MAX_INTERMEDIATE_CA 8
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name X509 Error codes
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE -0x2080 /**< Unavailable feature, e.g. RSA hashing/encryption combination. */
|
||||||
|
#define MBEDTLS_ERR_X509_UNKNOWN_OID -0x2100 /**< Requested OID is unknown. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_FORMAT -0x2180 /**< The CRT/CRL/CSR format is invalid, e.g. different type expected. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_VERSION -0x2200 /**< The CRT/CRL/CSR version element is invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_SERIAL -0x2280 /**< The serial tag or value is invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_ALG -0x2300 /**< The algorithm tag or value is invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_NAME -0x2380 /**< The name tag or value is invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_DATE -0x2400 /**< The date tag or value is invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_SIGNATURE -0x2480 /**< The signature tag or value invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_INVALID_EXTENSIONS -0x2500 /**< The extension tag or value is invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_UNKNOWN_VERSION -0x2580 /**< CRT/CRL/CSR has an unsupported version number. */
|
||||||
|
#define MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG -0x2600 /**< Signature algorithm (oid) is unsupported. */
|
||||||
|
#define MBEDTLS_ERR_X509_SIG_MISMATCH -0x2680 /**< Signature algorithms do not match. (see \c ::mbedtls_x509_crt sig_oid) */
|
||||||
|
#define MBEDTLS_ERR_X509_CERT_VERIFY_FAILED -0x2700 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */
|
||||||
|
#define MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT -0x2780 /**< Format not recognized as DER or PEM. */
|
||||||
|
#define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 /**< Input invalid. */
|
||||||
|
#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 /**< Allocation of memory failed. */
|
||||||
|
#define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 /**< Read/write of file failed. */
|
||||||
|
#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 /**< Destination buffer is too small. */
|
||||||
|
#define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 /**< A fatal error occurred, eg the chain is too long or the vrfy callback failed. */
|
||||||
|
/* \} name */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name X509 Verify codes
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
/* Reminder: update x509_crt_verify_strings[] in library/x509_crt.c */
|
||||||
|
#define MBEDTLS_X509_BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */
|
||||||
|
#define MBEDTLS_X509_BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */
|
||||||
|
#define MBEDTLS_X509_BADCRL_NOT_TRUSTED 0x10 /**< The CRL is not correctly signed by the trusted CA. */
|
||||||
|
#define MBEDTLS_X509_BADCRL_EXPIRED 0x20 /**< The CRL is expired. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_MISSING 0x40 /**< Certificate was missing. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_OTHER 0x0100 /**< Other reason (can be used by verify callback) */
|
||||||
|
#define MBEDTLS_X509_BADCERT_FUTURE 0x0200 /**< The certificate validity starts in the future. */
|
||||||
|
#define MBEDTLS_X509_BADCRL_FUTURE 0x0400 /**< The CRL is from the future */
|
||||||
|
#define MBEDTLS_X509_BADCERT_KEY_USAGE 0x0800 /**< Usage does not match the keyUsage extension. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_EXT_KEY_USAGE 0x1000 /**< Usage does not match the extendedKeyUsage extension. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_NS_CERT_TYPE 0x2000 /**< Usage does not match the nsCertType extension. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_BAD_MD 0x4000 /**< The certificate is signed with an unacceptable hash. */
|
||||||
|
#define MBEDTLS_X509_BADCERT_BAD_PK 0x8000 /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
|
||||||
|
#define MBEDTLS_X509_BADCERT_BAD_KEY 0x010000 /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
|
||||||
|
#define MBEDTLS_X509_BADCRL_BAD_MD 0x020000 /**< The CRL is signed with an unacceptable hash. */
|
||||||
|
#define MBEDTLS_X509_BADCRL_BAD_PK 0x040000 /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
|
||||||
|
#define MBEDTLS_X509_BADCRL_BAD_KEY 0x080000 /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
|
||||||
|
|
||||||
|
/* \} name */
|
||||||
|
/* \} addtogroup x509_module */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 v3 Key Usage Extension flags
|
||||||
|
* Reminder: update x509_info_key_usage() when adding new flags.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_X509_KU_DIGITAL_SIGNATURE (0x80) /* bit 0 */
|
||||||
|
#define MBEDTLS_X509_KU_NON_REPUDIATION (0x40) /* bit 1 */
|
||||||
|
#define MBEDTLS_X509_KU_KEY_ENCIPHERMENT (0x20) /* bit 2 */
|
||||||
|
#define MBEDTLS_X509_KU_DATA_ENCIPHERMENT (0x10) /* bit 3 */
|
||||||
|
#define MBEDTLS_X509_KU_KEY_AGREEMENT (0x08) /* bit 4 */
|
||||||
|
#define MBEDTLS_X509_KU_KEY_CERT_SIGN (0x04) /* bit 5 */
|
||||||
|
#define MBEDTLS_X509_KU_CRL_SIGN (0x02) /* bit 6 */
|
||||||
|
#define MBEDTLS_X509_KU_ENCIPHER_ONLY (0x01) /* bit 7 */
|
||||||
|
#define MBEDTLS_X509_KU_DECIPHER_ONLY (0x8000) /* bit 8 */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Netscape certificate types
|
||||||
|
* (http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT (0x80) /* bit 0 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER (0x40) /* bit 1 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL (0x20) /* bit 2 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING (0x10) /* bit 3 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_RESERVED (0x08) /* bit 4 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_SSL_CA (0x04) /* bit 5 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_EMAIL_CA (0x02) /* bit 6 */
|
||||||
|
#define MBEDTLS_X509_NS_CERT_TYPE_OBJECT_SIGNING_CA (0x01) /* bit 7 */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 extension types
|
||||||
|
*
|
||||||
|
* Comments refer to the status for using certificates. Status can be
|
||||||
|
* different for writing certificates or reading CRLs or CSRs.
|
||||||
|
*
|
||||||
|
* Those are defined in oid.h as oid.c needs them in a data structure. Since
|
||||||
|
* these were previously defined here, let's have aliases for compatibility.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_X509_EXT_AUTHORITY_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_AUTHORITY_KEY_IDENTIFIER
|
||||||
|
#define MBEDTLS_X509_EXT_SUBJECT_KEY_IDENTIFIER MBEDTLS_OID_X509_EXT_SUBJECT_KEY_IDENTIFIER
|
||||||
|
#define MBEDTLS_X509_EXT_KEY_USAGE MBEDTLS_OID_X509_EXT_KEY_USAGE
|
||||||
|
#define MBEDTLS_X509_EXT_CERTIFICATE_POLICIES MBEDTLS_OID_X509_EXT_CERTIFICATE_POLICIES
|
||||||
|
#define MBEDTLS_X509_EXT_POLICY_MAPPINGS MBEDTLS_OID_X509_EXT_POLICY_MAPPINGS
|
||||||
|
#define MBEDTLS_X509_EXT_SUBJECT_ALT_NAME MBEDTLS_OID_X509_EXT_SUBJECT_ALT_NAME /* Supported (DNS) */
|
||||||
|
#define MBEDTLS_X509_EXT_ISSUER_ALT_NAME MBEDTLS_OID_X509_EXT_ISSUER_ALT_NAME
|
||||||
|
#define MBEDTLS_X509_EXT_SUBJECT_DIRECTORY_ATTRS MBEDTLS_OID_X509_EXT_SUBJECT_DIRECTORY_ATTRS
|
||||||
|
#define MBEDTLS_X509_EXT_BASIC_CONSTRAINTS MBEDTLS_OID_X509_EXT_BASIC_CONSTRAINTS /* Supported */
|
||||||
|
#define MBEDTLS_X509_EXT_NAME_CONSTRAINTS MBEDTLS_OID_X509_EXT_NAME_CONSTRAINTS
|
||||||
|
#define MBEDTLS_X509_EXT_POLICY_CONSTRAINTS MBEDTLS_OID_X509_EXT_POLICY_CONSTRAINTS
|
||||||
|
#define MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE MBEDTLS_OID_X509_EXT_EXTENDED_KEY_USAGE
|
||||||
|
#define MBEDTLS_X509_EXT_CRL_DISTRIBUTION_POINTS MBEDTLS_OID_X509_EXT_CRL_DISTRIBUTION_POINTS
|
||||||
|
#define MBEDTLS_X509_EXT_INIHIBIT_ANYPOLICY MBEDTLS_OID_X509_EXT_INIHIBIT_ANYPOLICY
|
||||||
|
#define MBEDTLS_X509_EXT_FRESHEST_CRL MBEDTLS_OID_X509_EXT_FRESHEST_CRL
|
||||||
|
#define MBEDTLS_X509_EXT_NS_CERT_TYPE MBEDTLS_OID_X509_EXT_NS_CERT_TYPE
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Storage format identifiers
|
||||||
|
* Recognized formats: PEM and DER
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_X509_FORMAT_DER 1
|
||||||
|
#define MBEDTLS_X509_FORMAT_PEM 2
|
||||||
|
|
||||||
|
#define MBEDTLS_X509_MAX_DN_NAME_SIZE 256 /**< Maximum value size of a DN entry */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \addtogroup x509_module
|
||||||
|
* \{ */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name Structures for parsing X.509 certificates, CRLs and CSRs
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Type-length-value structure that allows for ASN1 using DER.
|
||||||
|
*/
|
||||||
|
typedef mbedtls_asn1_buf mbedtls_x509_buf;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for ASN1 bit strings.
|
||||||
|
*/
|
||||||
|
typedef mbedtls_asn1_bitstring mbedtls_x509_bitstring;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for ASN1 named information objects.
|
||||||
|
* It allows for Relative Distinguished Names (e.g. cn=localhost,ou=code,etc.).
|
||||||
|
*/
|
||||||
|
typedef mbedtls_asn1_named_data mbedtls_x509_name;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for a sequence of ASN.1 items
|
||||||
|
*/
|
||||||
|
typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
|
||||||
|
|
||||||
|
/** Container for date and time (precision in seconds). */
|
||||||
|
typedef struct mbedtls_x509_time
|
||||||
|
{
|
||||||
|
int year, mon, day; /**< Date. */
|
||||||
|
int hour, min, sec; /**< Time. */
|
||||||
|
}
|
||||||
|
mbedtls_x509_time;
|
||||||
|
|
||||||
|
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
|
||||||
|
/** \} addtogroup x509_module */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Store the certificate DN in printable form into buf;
|
||||||
|
* no more than size characters will be written.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param dn The X509 name to represent
|
||||||
|
*
|
||||||
|
* \return The length of the string written (not including the
|
||||||
|
* terminated nul byte), or a negative error code.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_dn_gets( char *buf, size_t size, const mbedtls_x509_name *dn );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Store the certificate serial in printable form into buf;
|
||||||
|
* no more than size characters will be written.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param serial The X509 serial to represent
|
||||||
|
*
|
||||||
|
* \return The length of the string written (not including the
|
||||||
|
* terminated nul byte), or a negative error code.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_serial_gets( char *buf, size_t size, const mbedtls_x509_buf *serial );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Check a given mbedtls_x509_time against the system time
|
||||||
|
* and tell if it's in the past.
|
||||||
|
*
|
||||||
|
* \note Intended usage is "if( is_past( valid_to ) ) ERROR".
|
||||||
|
* Hence the return value of 1 if on internal errors.
|
||||||
|
*
|
||||||
|
* \param to mbedtls_x509_time to check
|
||||||
|
*
|
||||||
|
* \return 1 if the given time is in the past or an error occurred,
|
||||||
|
* 0 otherwise.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_time_is_past( const mbedtls_x509_time *to );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Check a given mbedtls_x509_time against the system time
|
||||||
|
* and tell if it's in the future.
|
||||||
|
*
|
||||||
|
* \note Intended usage is "if( is_future( valid_from ) ) ERROR".
|
||||||
|
* Hence the return value of 1 if on internal errors.
|
||||||
|
*
|
||||||
|
* \param from mbedtls_x509_time to check
|
||||||
|
*
|
||||||
|
* \return 1 if the given time is in the future or an error occurred,
|
||||||
|
* 0 otherwise.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_time_is_future( const mbedtls_x509_time *from );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SELF_TEST)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Checkup routine
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or 1 if the test failed
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_self_test( int verbose );
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_SELF_TEST */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Internal module functions. You probably do not want to use these unless you
|
||||||
|
* know you do.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_get_name( unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_name *cur );
|
||||||
|
int mbedtls_x509_get_alg_null( unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_buf *alg );
|
||||||
|
int mbedtls_x509_get_alg( unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_buf *alg, mbedtls_x509_buf *params );
|
||||||
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||||
|
int mbedtls_x509_get_rsassa_pss_params( const mbedtls_x509_buf *params,
|
||||||
|
mbedtls_md_type_t *md_alg, mbedtls_md_type_t *mgf_md,
|
||||||
|
int *salt_len );
|
||||||
|
#endif
|
||||||
|
int mbedtls_x509_get_sig( unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig );
|
||||||
|
int mbedtls_x509_get_sig_alg( const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params,
|
||||||
|
mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg,
|
||||||
|
void **sig_opts );
|
||||||
|
int mbedtls_x509_get_time( unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_time *t );
|
||||||
|
int mbedtls_x509_get_serial( unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_buf *serial );
|
||||||
|
int mbedtls_x509_get_ext( unsigned char **p, const unsigned char *end,
|
||||||
|
mbedtls_x509_buf *ext, int tag );
|
||||||
|
int mbedtls_x509_sig_alg_gets( char *buf, size_t size, const mbedtls_x509_buf *sig_oid,
|
||||||
|
mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg,
|
||||||
|
const void *sig_opts );
|
||||||
|
int mbedtls_x509_key_size_helper( char *buf, size_t buf_size, const char *name );
|
||||||
|
int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name );
|
||||||
|
int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
|
||||||
|
int critical, const unsigned char *val,
|
||||||
|
size_t val_len );
|
||||||
|
int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
|
||||||
|
mbedtls_asn1_named_data *first );
|
||||||
|
int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
|
||||||
|
mbedtls_asn1_named_data *first );
|
||||||
|
int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
|
||||||
|
const char *oid, size_t oid_len,
|
||||||
|
unsigned char *sig, size_t size );
|
||||||
|
|
||||||
|
#define MBEDTLS_X509_SAFE_SNPRINTF \
|
||||||
|
do { \
|
||||||
|
if( ret < 0 || (size_t) ret >= n ) \
|
||||||
|
return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); \
|
||||||
|
\
|
||||||
|
n -= (size_t) ret; \
|
||||||
|
p += (size_t) ret; \
|
||||||
|
} while( 0 )
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* x509.h */
|
174
include/mbedtls/x509_crl.h
Normal file
174
include/mbedtls/x509_crl.h
Normal file
|
@ -0,0 +1,174 @@
|
||||||
|
/**
|
||||||
|
* \file x509_crl.h
|
||||||
|
*
|
||||||
|
* \brief X.509 certificate revocation list parsing
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_X509_CRL_H
|
||||||
|
#define MBEDTLS_X509_CRL_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "x509.h"
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \addtogroup x509_module
|
||||||
|
* \{ */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name Structures and functions for parsing CRLs
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Certificate revocation list entry.
|
||||||
|
* Contains the CA-specific serial numbers and revocation dates.
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509_crl_entry
|
||||||
|
{
|
||||||
|
mbedtls_x509_buf raw;
|
||||||
|
|
||||||
|
mbedtls_x509_buf serial;
|
||||||
|
|
||||||
|
mbedtls_x509_time revocation_date;
|
||||||
|
|
||||||
|
mbedtls_x509_buf entry_ext;
|
||||||
|
|
||||||
|
struct mbedtls_x509_crl_entry *next;
|
||||||
|
}
|
||||||
|
mbedtls_x509_crl_entry;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Certificate revocation list structure.
|
||||||
|
* Every CRL may have multiple entries.
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509_crl
|
||||||
|
{
|
||||||
|
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
|
||||||
|
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
|
||||||
|
|
||||||
|
int version; /**< CRL version (1=v1, 2=v2) */
|
||||||
|
mbedtls_x509_buf sig_oid; /**< CRL signature type identifier */
|
||||||
|
|
||||||
|
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). */
|
||||||
|
|
||||||
|
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
|
||||||
|
|
||||||
|
mbedtls_x509_time this_update;
|
||||||
|
mbedtls_x509_time next_update;
|
||||||
|
|
||||||
|
mbedtls_x509_crl_entry entry; /**< The CRL entries containing the certificate revocation times for this CA. */
|
||||||
|
|
||||||
|
mbedtls_x509_buf crl_ext;
|
||||||
|
|
||||||
|
mbedtls_x509_buf sig_oid2;
|
||||||
|
mbedtls_x509_buf sig;
|
||||||
|
mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
||||||
|
mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
|
||||||
|
void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
|
||||||
|
|
||||||
|
struct mbedtls_x509_crl *next;
|
||||||
|
}
|
||||||
|
mbedtls_x509_crl;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Parse a DER-encoded CRL and append it to the chained list
|
||||||
|
*
|
||||||
|
* \param chain points to the start of the chain
|
||||||
|
* \param buf buffer holding the CRL data in DER format
|
||||||
|
* \param buflen size of the buffer
|
||||||
|
* (including the terminating null byte for PEM data)
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
|
||||||
|
const unsigned char *buf, size_t buflen );
|
||||||
|
/**
|
||||||
|
* \brief Parse one or more CRLs and append them to the chained list
|
||||||
|
*
|
||||||
|
* \note Multiple CRLs are accepted only if using PEM format
|
||||||
|
*
|
||||||
|
* \param chain points to the start of the chain
|
||||||
|
* \param buf buffer holding the CRL data in PEM or DER format
|
||||||
|
* \param buflen size of the buffer
|
||||||
|
* (including the terminating null byte for PEM data)
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO)
|
||||||
|
/**
|
||||||
|
* \brief Load one or more CRLs and append them to the chained list
|
||||||
|
*
|
||||||
|
* \note Multiple CRLs are accepted only if using PEM format
|
||||||
|
*
|
||||||
|
* \param chain points to the start of the chain
|
||||||
|
* \param path filename to read the CRLs from (in PEM or DER encoding)
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path );
|
||||||
|
#endif /* MBEDTLS_FS_IO */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Returns an informational string about the CRL.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param prefix A line prefix
|
||||||
|
* \param crl The X509 CRL to represent
|
||||||
|
*
|
||||||
|
* \return The length of the string written (not including the
|
||||||
|
* terminated nul byte), or a negative error code.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
|
||||||
|
const mbedtls_x509_crl *crl );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize a CRL (chain)
|
||||||
|
*
|
||||||
|
* \param crl CRL chain to initialize
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crl_init( mbedtls_x509_crl *crl );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Unallocate all CRL data
|
||||||
|
*
|
||||||
|
* \param crl CRL chain to free
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crl_free( mbedtls_x509_crl *crl );
|
||||||
|
|
||||||
|
/* \} name */
|
||||||
|
/* \} addtogroup x509_module */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* mbedtls_x509_crl.h */
|
921
include/mbedtls/x509_crt.h
Normal file
921
include/mbedtls/x509_crt.h
Normal file
|
@ -0,0 +1,921 @@
|
||||||
|
/**
|
||||||
|
* \file x509_crt.h
|
||||||
|
*
|
||||||
|
* \brief X.509 certificate parsing and writing
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_X509_CRT_H
|
||||||
|
#define MBEDTLS_X509_CRT_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "x509.h"
|
||||||
|
#include "x509_crl.h"
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \addtogroup x509_module
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name Structures and functions for parsing and writing X.509 certificates
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for an X.509 certificate. The certificate may be chained.
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509_crt
|
||||||
|
{
|
||||||
|
int own_buffer; /**< Indicates if \c raw is owned
|
||||||
|
* by the structure or not. */
|
||||||
|
mbedtls_x509_buf raw; /**< The raw certificate data (DER). */
|
||||||
|
mbedtls_x509_buf tbs; /**< The raw certificate body (DER). The part that is To Be Signed. */
|
||||||
|
|
||||||
|
int version; /**< The X.509 version. (1=v1, 2=v2, 3=v3) */
|
||||||
|
mbedtls_x509_buf serial; /**< Unique id for certificate issued by a specific CA. */
|
||||||
|
mbedtls_x509_buf sig_oid; /**< Signature algorithm, e.g. sha1RSA */
|
||||||
|
|
||||||
|
mbedtls_x509_buf issuer_raw; /**< The raw issuer data (DER). Used for quick comparison. */
|
||||||
|
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). Used for quick comparison. */
|
||||||
|
|
||||||
|
mbedtls_x509_name issuer; /**< The parsed issuer data (named information object). */
|
||||||
|
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
|
||||||
|
|
||||||
|
mbedtls_x509_time valid_from; /**< Start time of certificate validity. */
|
||||||
|
mbedtls_x509_time valid_to; /**< End time of certificate validity. */
|
||||||
|
|
||||||
|
mbedtls_x509_buf pk_raw;
|
||||||
|
mbedtls_pk_context pk; /**< Container for the public key context. */
|
||||||
|
|
||||||
|
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
|
||||||
|
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
|
||||||
|
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
|
||||||
|
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
|
||||||
|
|
||||||
|
int ext_types; /**< Bit string containing detected and parsed extensions */
|
||||||
|
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
|
||||||
|
int max_pathlen; /**< Optional Basic Constraint extension value: The maximum path length to the root certificate. Path length is 1 higher than RFC 5280 'meaning', so 1+ */
|
||||||
|
|
||||||
|
unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
|
||||||
|
|
||||||
|
mbedtls_x509_sequence ext_key_usage; /**< Optional list of extended key usage OIDs. */
|
||||||
|
|
||||||
|
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
|
||||||
|
|
||||||
|
mbedtls_x509_buf sig; /**< Signature: hash of the tbs part signed with the private key. */
|
||||||
|
mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
||||||
|
mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
|
||||||
|
void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
|
||||||
|
|
||||||
|
struct mbedtls_x509_crt *next; /**< Next certificate in the CA-chain. */
|
||||||
|
}
|
||||||
|
mbedtls_x509_crt;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Build flag from an algorithm/curve identifier (pk, md, ecp)
|
||||||
|
* Since 0 is always XXX_NONE, ignore it.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_X509_ID_FLAG( id ) ( 1 << ( id - 1 ) )
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Security profile for certificate verification.
|
||||||
|
*
|
||||||
|
* All lists are bitfields, built by ORing flags from MBEDTLS_X509_ID_FLAG().
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509_crt_profile
|
||||||
|
{
|
||||||
|
uint32_t allowed_mds; /**< MDs for signatures */
|
||||||
|
uint32_t allowed_pks; /**< PK algs for signatures */
|
||||||
|
uint32_t allowed_curves; /**< Elliptic curves for ECDSA */
|
||||||
|
uint32_t rsa_min_bitlen; /**< Minimum size for RSA keys */
|
||||||
|
}
|
||||||
|
mbedtls_x509_crt_profile;
|
||||||
|
|
||||||
|
#define MBEDTLS_X509_CRT_VERSION_1 0
|
||||||
|
#define MBEDTLS_X509_CRT_VERSION_2 1
|
||||||
|
#define MBEDTLS_X509_CRT_VERSION_3 2
|
||||||
|
|
||||||
|
#define MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN 32
|
||||||
|
#define MBEDTLS_X509_RFC5280_UTC_TIME_LEN 15
|
||||||
|
|
||||||
|
#if !defined( MBEDTLS_X509_MAX_FILE_PATH_LEN )
|
||||||
|
#define MBEDTLS_X509_MAX_FILE_PATH_LEN 512
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for writing a certificate (CRT)
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509write_cert
|
||||||
|
{
|
||||||
|
int version;
|
||||||
|
mbedtls_mpi serial;
|
||||||
|
mbedtls_pk_context *subject_key;
|
||||||
|
mbedtls_pk_context *issuer_key;
|
||||||
|
mbedtls_asn1_named_data *subject;
|
||||||
|
mbedtls_asn1_named_data *issuer;
|
||||||
|
mbedtls_md_type_t md_alg;
|
||||||
|
char not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
|
||||||
|
char not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN + 1];
|
||||||
|
mbedtls_asn1_named_data *extensions;
|
||||||
|
}
|
||||||
|
mbedtls_x509write_cert;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Item in a verification chain: cert and flags for it
|
||||||
|
*/
|
||||||
|
typedef struct {
|
||||||
|
mbedtls_x509_crt *crt;
|
||||||
|
uint32_t flags;
|
||||||
|
} mbedtls_x509_crt_verify_chain_item;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Max size of verification chain: end-entity + intermediates + trusted root
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE ( MBEDTLS_X509_MAX_INTERMEDIATE_CA + 2 )
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Verification chain as built by \c mbedtls_crt_verify_chain()
|
||||||
|
*/
|
||||||
|
typedef struct
|
||||||
|
{
|
||||||
|
mbedtls_x509_crt_verify_chain_item items[MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE];
|
||||||
|
unsigned len;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||||
|
/* This stores the list of potential trusted signers obtained from
|
||||||
|
* the CA callback used for the CRT verification, if configured.
|
||||||
|
* We must track it somewhere because the callback passes its
|
||||||
|
* ownership to the caller. */
|
||||||
|
mbedtls_x509_crt *trust_ca_cb_result;
|
||||||
|
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
||||||
|
} mbedtls_x509_crt_verify_chain;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Context for resuming X.509 verify operations
|
||||||
|
*/
|
||||||
|
typedef struct
|
||||||
|
{
|
||||||
|
/* for check_signature() */
|
||||||
|
mbedtls_pk_restart_ctx pk;
|
||||||
|
|
||||||
|
/* for find_parent_in() */
|
||||||
|
mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
|
||||||
|
mbedtls_x509_crt *fallback_parent;
|
||||||
|
int fallback_signature_is_good;
|
||||||
|
|
||||||
|
/* for find_parent() */
|
||||||
|
int parent_is_trusted; /* -1 if find_parent is not in progress */
|
||||||
|
|
||||||
|
/* for verify_chain() */
|
||||||
|
enum {
|
||||||
|
x509_crt_rs_none,
|
||||||
|
x509_crt_rs_find_parent,
|
||||||
|
} in_progress; /* none if no operation is in progress */
|
||||||
|
int self_cnt;
|
||||||
|
mbedtls_x509_crt_verify_chain ver_chain;
|
||||||
|
|
||||||
|
} mbedtls_x509_crt_restart_ctx;
|
||||||
|
|
||||||
|
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
|
/* Now we can declare functions that take a pointer to that */
|
||||||
|
typedef void mbedtls_x509_crt_restart_ctx;
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
/**
|
||||||
|
* Default security profile. Should provide a good balance between security
|
||||||
|
* and compatibility with current deployments.
|
||||||
|
*/
|
||||||
|
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_default;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Expected next default profile. Recommended for new deployments.
|
||||||
|
* Currently targets a 128-bit security level, except for RSA-2048.
|
||||||
|
*/
|
||||||
|
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_next;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* NSA Suite B profile.
|
||||||
|
*/
|
||||||
|
extern const mbedtls_x509_crt_profile mbedtls_x509_crt_profile_suiteb;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Parse a single DER formatted certificate and add it
|
||||||
|
* to the end of the provided chained list.
|
||||||
|
*
|
||||||
|
* \param chain The pointer to the start of the CRT chain to attach to.
|
||||||
|
* When parsing the first CRT in a chain, this should point
|
||||||
|
* to an instance of ::mbedtls_x509_crt initialized through
|
||||||
|
* mbedtls_x509_crt_init().
|
||||||
|
* \param buf The buffer holding the DER encoded certificate.
|
||||||
|
* \param buflen The size in Bytes of \p buf.
|
||||||
|
*
|
||||||
|
* \note This function makes an internal copy of the CRT buffer
|
||||||
|
* \p buf. In particular, \p buf may be destroyed or reused
|
||||||
|
* after this call returns. To avoid duplicating the CRT
|
||||||
|
* buffer (at the cost of stricter lifetime constraints),
|
||||||
|
* use mbedtls_x509_crt_parse_der_nocopy() instead.
|
||||||
|
*
|
||||||
|
* \return \c 0 if successful.
|
||||||
|
* \return A negative error code on failure.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_parse_der( mbedtls_x509_crt *chain,
|
||||||
|
const unsigned char *buf,
|
||||||
|
size_t buflen );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Parse a single DER formatted certificate and add it
|
||||||
|
* to the end of the provided chained list. This is a
|
||||||
|
* variant of mbedtls_x509_crt_parse_der() which takes
|
||||||
|
* temporary ownership of the CRT buffer until the CRT
|
||||||
|
* is destroyed.
|
||||||
|
*
|
||||||
|
* \param chain The pointer to the start of the CRT chain to attach to.
|
||||||
|
* When parsing the first CRT in a chain, this should point
|
||||||
|
* to an instance of ::mbedtls_x509_crt initialized through
|
||||||
|
* mbedtls_x509_crt_init().
|
||||||
|
* \param buf The address of the readable buffer holding the DER encoded
|
||||||
|
* certificate to use. On success, this buffer must be
|
||||||
|
* retained and not be changed for the liftetime of the
|
||||||
|
* CRT chain \p chain, that is, until \p chain is destroyed
|
||||||
|
* through a call to mbedtls_x509_crt_free().
|
||||||
|
* \param buflen The size in Bytes of \p buf.
|
||||||
|
*
|
||||||
|
* \note This call is functionally equivalent to
|
||||||
|
* mbedtls_x509_crt_parse_der(), but it avoids creating a
|
||||||
|
* copy of the input buffer at the cost of stronger lifetime
|
||||||
|
* constraints. This is useful in constrained environments
|
||||||
|
* where duplication of the CRT cannot be tolerated.
|
||||||
|
*
|
||||||
|
* \return \c 0 if successful.
|
||||||
|
* \return A negative error code on failure.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_parse_der_nocopy( mbedtls_x509_crt *chain,
|
||||||
|
const unsigned char *buf,
|
||||||
|
size_t buflen );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Parse one DER-encoded or one or more concatenated PEM-encoded
|
||||||
|
* certificates and add them to the chained list.
|
||||||
|
*
|
||||||
|
* For CRTs in PEM encoding, the function parses permissively:
|
||||||
|
* if at least one certificate can be parsed, the function
|
||||||
|
* returns the number of certificates for which parsing failed
|
||||||
|
* (hence \c 0 if all certificates were parsed successfully).
|
||||||
|
* If no certificate could be parsed, the function returns
|
||||||
|
* the first (negative) error encountered during parsing.
|
||||||
|
*
|
||||||
|
* PEM encoded certificates may be interleaved by other data
|
||||||
|
* such as human readable descriptions of their content, as
|
||||||
|
* long as the certificates are enclosed in the PEM specific
|
||||||
|
* '-----{BEGIN/END} CERTIFICATE-----' delimiters.
|
||||||
|
*
|
||||||
|
* \param chain The chain to which to add the parsed certificates.
|
||||||
|
* \param buf The buffer holding the certificate data in PEM or DER format.
|
||||||
|
* For certificates in PEM encoding, this may be a concatenation
|
||||||
|
* of multiple certificates; for DER encoding, the buffer must
|
||||||
|
* comprise exactly one certificate.
|
||||||
|
* \param buflen The size of \p buf, including the terminating \c NULL byte
|
||||||
|
* in case of PEM encoded data.
|
||||||
|
*
|
||||||
|
* \return \c 0 if all certificates were parsed successfully.
|
||||||
|
* \return The (positive) number of certificates that couldn't
|
||||||
|
* be parsed if parsing was partly successful (see above).
|
||||||
|
* \return A negative X509 or PEM error code otherwise.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_parse( mbedtls_x509_crt *chain, const unsigned char *buf, size_t buflen );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO)
|
||||||
|
/**
|
||||||
|
* \brief Load one or more certificates and add them
|
||||||
|
* to the chained list. Parses permissively. If some
|
||||||
|
* certificates can be parsed, the result is the number
|
||||||
|
* of failed certificates it encountered. If none complete
|
||||||
|
* correctly, the first error is returned.
|
||||||
|
*
|
||||||
|
* \param chain points to the start of the chain
|
||||||
|
* \param path filename to read the certificates from
|
||||||
|
*
|
||||||
|
* \return 0 if all certificates parsed successfully, a positive number
|
||||||
|
* if partly successful or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_parse_file( mbedtls_x509_crt *chain, const char *path );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Load one or more certificate files from a path and add them
|
||||||
|
* to the chained list. Parses permissively. If some
|
||||||
|
* certificates can be parsed, the result is the number
|
||||||
|
* of failed certificates it encountered. If none complete
|
||||||
|
* correctly, the first error is returned.
|
||||||
|
*
|
||||||
|
* \param chain points to the start of the chain
|
||||||
|
* \param path directory / folder to read the certificate files from
|
||||||
|
*
|
||||||
|
* \return 0 if all certificates parsed successfully, a positive number
|
||||||
|
* if partly successful or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_parse_path( mbedtls_x509_crt *chain, const char *path );
|
||||||
|
#endif /* MBEDTLS_FS_IO */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Returns an informational string about the
|
||||||
|
* certificate.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param prefix A line prefix
|
||||||
|
* \param crt The X509 certificate to represent
|
||||||
|
*
|
||||||
|
* \return The length of the string written (not including the
|
||||||
|
* terminated nul byte), or a negative error code.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
|
||||||
|
const mbedtls_x509_crt *crt );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Returns an informational string about the
|
||||||
|
* verification status of a certificate.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param prefix A line prefix
|
||||||
|
* \param flags Verification flags created by mbedtls_x509_crt_verify()
|
||||||
|
*
|
||||||
|
* \return The length of the string written (not including the
|
||||||
|
* terminated nul byte), or a negative error code.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||||
|
uint32_t flags );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Verify a chain of certificates.
|
||||||
|
*
|
||||||
|
* The verify callback is a user-supplied callback that
|
||||||
|
* can clear / modify / add flags for a certificate. If set,
|
||||||
|
* the verification callback is called for each
|
||||||
|
* certificate in the chain (from the trust-ca down to the
|
||||||
|
* presented crt). The parameters for the callback are:
|
||||||
|
* (void *parameter, mbedtls_x509_crt *crt, int certificate_depth,
|
||||||
|
* int *flags). With the flags representing current flags for
|
||||||
|
* that specific certificate and the certificate depth from
|
||||||
|
* the bottom (Peer cert depth = 0).
|
||||||
|
*
|
||||||
|
* All flags left after returning from the callback
|
||||||
|
* are also returned to the application. The function should
|
||||||
|
* return 0 for anything (including invalid certificates)
|
||||||
|
* other than fatal error, as a non-zero return code
|
||||||
|
* immediately aborts the verification process. For fatal
|
||||||
|
* errors, a specific error code should be used (different
|
||||||
|
* from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not
|
||||||
|
* be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR
|
||||||
|
* can be used if no better code is available.
|
||||||
|
*
|
||||||
|
* \note In case verification failed, the results can be displayed
|
||||||
|
* using \c mbedtls_x509_crt_verify_info()
|
||||||
|
*
|
||||||
|
* \note Same as \c mbedtls_x509_crt_verify_with_profile() with the
|
||||||
|
* default security profile.
|
||||||
|
*
|
||||||
|
* \note It is your responsibility to provide up-to-date CRLs for
|
||||||
|
* all trusted CAs. If no CRL is provided for the CA that was
|
||||||
|
* used to sign the certificate, CRL verification is skipped
|
||||||
|
* silently, that is *without* setting any flag.
|
||||||
|
*
|
||||||
|
* \note The \c trust_ca list can contain two types of certificates:
|
||||||
|
* (1) those of trusted root CAs, so that certificates
|
||||||
|
* chaining up to those CAs will be trusted, and (2)
|
||||||
|
* self-signed end-entity certificates to be trusted (for
|
||||||
|
* specific peers you know) - in that case, the self-signed
|
||||||
|
* certificate doesn't need to have the CA bit set.
|
||||||
|
*
|
||||||
|
* \param crt The certificate chain to be verified.
|
||||||
|
* \param trust_ca The list of trusted CAs.
|
||||||
|
* \param ca_crl The list of CRLs for trusted CAs.
|
||||||
|
* \param cn The expected Common Name. This may be \c NULL if the
|
||||||
|
* CN need not be verified.
|
||||||
|
* \param flags The address at which to store the result of the verification.
|
||||||
|
* If the verification couldn't be completed, the flag value is
|
||||||
|
* set to (uint32_t) -1.
|
||||||
|
* \param f_vrfy The verification callback to use. See the documentation
|
||||||
|
* of mbedtls_x509_crt_verify() for more information.
|
||||||
|
* \param p_vrfy The context to be passed to \p f_vrfy.
|
||||||
|
*
|
||||||
|
* \return \c 0 if the chain is valid with respect to the
|
||||||
|
* passed CN, CAs, CRLs and security profile.
|
||||||
|
* \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
|
||||||
|
* certificate chain verification failed. In this case,
|
||||||
|
* \c *flags will have one or more
|
||||||
|
* \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
|
||||||
|
* flags set.
|
||||||
|
* \return Another negative error code in case of a fatal error
|
||||||
|
* encountered during the verification process.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
mbedtls_x509_crl *ca_crl,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Verify a chain of certificates with respect to
|
||||||
|
* a configurable security profile.
|
||||||
|
*
|
||||||
|
* \note Same as \c mbedtls_x509_crt_verify(), but with explicit
|
||||||
|
* security profile.
|
||||||
|
*
|
||||||
|
* \note The restrictions on keys (RSA minimum size, allowed curves
|
||||||
|
* for ECDSA) apply to all certificates: trusted root,
|
||||||
|
* intermediate CAs if any, and end entity certificate.
|
||||||
|
*
|
||||||
|
* \param crt The certificate chain to be verified.
|
||||||
|
* \param trust_ca The list of trusted CAs.
|
||||||
|
* \param ca_crl The list of CRLs for trusted CAs.
|
||||||
|
* \param profile The security profile to use for the verification.
|
||||||
|
* \param cn The expected Common Name. This may be \c NULL if the
|
||||||
|
* CN need not be verified.
|
||||||
|
* \param flags The address at which to store the result of the verification.
|
||||||
|
* If the verification couldn't be completed, the flag value is
|
||||||
|
* set to (uint32_t) -1.
|
||||||
|
* \param f_vrfy The verification callback to use. See the documentation
|
||||||
|
* of mbedtls_x509_crt_verify() for more information.
|
||||||
|
* \param p_vrfy The context to be passed to \p f_vrfy.
|
||||||
|
*
|
||||||
|
* \return \c 0 if the chain is valid with respect to the
|
||||||
|
* passed CN, CAs, CRLs and security profile.
|
||||||
|
* \return #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED in case the
|
||||||
|
* certificate chain verification failed. In this case,
|
||||||
|
* \c *flags will have one or more
|
||||||
|
* \c MBEDTLS_X509_BADCERT_XXX or \c MBEDTLS_X509_BADCRL_XXX
|
||||||
|
* flags set.
|
||||||
|
* \return Another negative error code in case of a fatal error
|
||||||
|
* encountered during the verification process.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
mbedtls_x509_crl *ca_crl,
|
||||||
|
const mbedtls_x509_crt_profile *profile,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Restartable version of \c mbedtls_crt_verify_with_profile()
|
||||||
|
*
|
||||||
|
* \note Performs the same job as \c mbedtls_crt_verify_with_profile()
|
||||||
|
* but can return early and restart according to the limit
|
||||||
|
* set with \c mbedtls_ecp_set_max_ops() to reduce blocking.
|
||||||
|
*
|
||||||
|
* \param crt The certificate chain to be verified.
|
||||||
|
* \param trust_ca The list of trusted CAs.
|
||||||
|
* \param ca_crl The list of CRLs for trusted CAs.
|
||||||
|
* \param profile The security profile to use for the verification.
|
||||||
|
* \param cn The expected Common Name. This may be \c NULL if the
|
||||||
|
* CN need not be verified.
|
||||||
|
* \param flags The address at which to store the result of the verification.
|
||||||
|
* If the verification couldn't be completed, the flag value is
|
||||||
|
* set to (uint32_t) -1.
|
||||||
|
* \param f_vrfy The verification callback to use. See the documentation
|
||||||
|
* of mbedtls_x509_crt_verify() for more information.
|
||||||
|
* \param p_vrfy The context to be passed to \p f_vrfy.
|
||||||
|
* \param rs_ctx The restart context to use. This may be set to \c NULL
|
||||||
|
* to disable restartable ECC.
|
||||||
|
*
|
||||||
|
* \return See \c mbedtls_crt_verify_with_profile(), or
|
||||||
|
* \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
|
||||||
|
* operations was reached: see \c mbedtls_ecp_set_max_ops().
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt *trust_ca,
|
||||||
|
mbedtls_x509_crl *ca_crl,
|
||||||
|
const mbedtls_x509_crt_profile *profile,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy,
|
||||||
|
mbedtls_x509_crt_restart_ctx *rs_ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief The type of trusted certificate callbacks.
|
||||||
|
*
|
||||||
|
* Callbacks of this type are passed to and used by the CRT
|
||||||
|
* verification routine mbedtls_x509_crt_verify_with_ca_cb()
|
||||||
|
* when looking for trusted signers of a given certificate.
|
||||||
|
*
|
||||||
|
* On success, the callback returns a list of trusted
|
||||||
|
* certificates to be considered as potential signers
|
||||||
|
* for the input certificate.
|
||||||
|
*
|
||||||
|
* \param p_ctx An opaque context passed to the callback.
|
||||||
|
* \param child The certificate for which to search a potential signer.
|
||||||
|
* This will point to a readable certificate.
|
||||||
|
* \param candidate_cas The address at which to store the address of the first
|
||||||
|
* entry in the generated linked list of candidate signers.
|
||||||
|
* This will not be \c NULL.
|
||||||
|
*
|
||||||
|
* \note The callback must only return a non-zero value on a
|
||||||
|
* fatal error. If, in contrast, the search for a potential
|
||||||
|
* signer completes without a single candidate, the
|
||||||
|
* callback must return \c 0 and set \c *candidate_cas
|
||||||
|
* to \c NULL.
|
||||||
|
*
|
||||||
|
* \return \c 0 on success. In this case, \c *candidate_cas points
|
||||||
|
* to a heap-allocated linked list of instances of
|
||||||
|
* ::mbedtls_x509_crt, and ownership of this list is passed
|
||||||
|
* to the caller.
|
||||||
|
* \return A negative error code on failure.
|
||||||
|
*/
|
||||||
|
typedef int (*mbedtls_x509_crt_ca_cb_t)( void *p_ctx,
|
||||||
|
mbedtls_x509_crt const *child,
|
||||||
|
mbedtls_x509_crt **candidate_cas );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
|
||||||
|
/**
|
||||||
|
* \brief Version of \c mbedtls_x509_crt_verify_with_profile() which
|
||||||
|
* uses a callback to acquire the list of trusted CA
|
||||||
|
* certificates.
|
||||||
|
*
|
||||||
|
* \param crt The certificate chain to be verified.
|
||||||
|
* \param f_ca_cb The callback to be used to query for potential signers
|
||||||
|
* of a given child certificate. See the documentation of
|
||||||
|
* ::mbedtls_x509_crt_ca_cb_t for more information.
|
||||||
|
* \param p_ca_cb The opaque context to be passed to \p f_ca_cb.
|
||||||
|
* \param profile The security profile for the verification.
|
||||||
|
* \param cn The expected Common Name. This may be \c NULL if the
|
||||||
|
* CN need not be verified.
|
||||||
|
* \param flags The address at which to store the result of the verification.
|
||||||
|
* If the verification couldn't be completed, the flag value is
|
||||||
|
* set to (uint32_t) -1.
|
||||||
|
* \param f_vrfy The verification callback to use. See the documentation
|
||||||
|
* of mbedtls_x509_crt_verify() for more information.
|
||||||
|
* \param p_vrfy The context to be passed to \p f_vrfy.
|
||||||
|
*
|
||||||
|
* \return See \c mbedtls_crt_verify_with_profile().
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_verify_with_ca_cb( mbedtls_x509_crt *crt,
|
||||||
|
mbedtls_x509_crt_ca_cb_t f_ca_cb,
|
||||||
|
void *p_ca_cb,
|
||||||
|
const mbedtls_x509_crt_profile *profile,
|
||||||
|
const char *cn, uint32_t *flags,
|
||||||
|
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||||
|
void *p_vrfy );
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||||
|
/**
|
||||||
|
* \brief Check usage of certificate against keyUsage extension.
|
||||||
|
*
|
||||||
|
* \param crt Leaf certificate used.
|
||||||
|
* \param usage Intended usage(s) (eg MBEDTLS_X509_KU_KEY_ENCIPHERMENT
|
||||||
|
* before using the certificate to perform an RSA key
|
||||||
|
* exchange).
|
||||||
|
*
|
||||||
|
* \note Except for decipherOnly and encipherOnly, a bit set in the
|
||||||
|
* usage argument means this bit MUST be set in the
|
||||||
|
* certificate. For decipherOnly and encipherOnly, it means
|
||||||
|
* that bit MAY be set.
|
||||||
|
*
|
||||||
|
* \return 0 is these uses of the certificate are allowed,
|
||||||
|
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension
|
||||||
|
* is present but does not match the usage argument.
|
||||||
|
*
|
||||||
|
* \note You should only call this function on leaf certificates, on
|
||||||
|
* (intermediate) CAs the keyUsage extension is automatically
|
||||||
|
* checked by \c mbedtls_x509_crt_verify().
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
|
||||||
|
unsigned int usage );
|
||||||
|
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE) */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||||
|
/**
|
||||||
|
* \brief Check usage of certificate against extendedKeyUsage.
|
||||||
|
*
|
||||||
|
* \param crt Leaf certificate used.
|
||||||
|
* \param usage_oid Intended usage (eg MBEDTLS_OID_SERVER_AUTH or
|
||||||
|
* MBEDTLS_OID_CLIENT_AUTH).
|
||||||
|
* \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()).
|
||||||
|
*
|
||||||
|
* \return 0 if this use of the certificate is allowed,
|
||||||
|
* MBEDTLS_ERR_X509_BAD_INPUT_DATA if not.
|
||||||
|
*
|
||||||
|
* \note Usually only makes sense on leaf certificates.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_check_extended_key_usage( const mbedtls_x509_crt *crt,
|
||||||
|
const char *usage_oid,
|
||||||
|
size_t usage_len );
|
||||||
|
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRL_PARSE_C)
|
||||||
|
/**
|
||||||
|
* \brief Verify the certificate revocation status
|
||||||
|
*
|
||||||
|
* \param crt a certificate to be verified
|
||||||
|
* \param crl the CRL to verify against
|
||||||
|
*
|
||||||
|
* \return 1 if the certificate is revoked, 0 otherwise
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crt_is_revoked( const mbedtls_x509_crt *crt, const mbedtls_x509_crl *crl );
|
||||||
|
#endif /* MBEDTLS_X509_CRL_PARSE_C */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize a certificate (chain)
|
||||||
|
*
|
||||||
|
* \param crt Certificate chain to initialize
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_init( mbedtls_x509_crt *crt );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Unallocate all certificate data
|
||||||
|
*
|
||||||
|
* \param crt Certificate chain to free
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_free( mbedtls_x509_crt *crt );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||||
|
/**
|
||||||
|
* \brief Initialize a restart context
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free the components of a restart context
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx );
|
||||||
|
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
/* \} name */
|
||||||
|
/* \} addtogroup x509_module */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_WRITE_C)
|
||||||
|
/**
|
||||||
|
* \brief Initialize a CRT writing context
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to initialize
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the verion for a Certificate
|
||||||
|
* Default: MBEDTLS_X509_CRT_VERSION_3
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param version version to set (MBEDTLS_X509_CRT_VERSION_1, MBEDTLS_X509_CRT_VERSION_2 or
|
||||||
|
* MBEDTLS_X509_CRT_VERSION_3)
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the serial number for a Certificate.
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param serial serial number to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the validity period for a Certificate
|
||||||
|
* Timestamps should be in string format for UTC timezone
|
||||||
|
* i.e. "YYYYMMDDhhmmss"
|
||||||
|
* e.g. "20131231235959" for December 31st 2013
|
||||||
|
* at 23:59:59
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param not_before not_before timestamp
|
||||||
|
* \param not_after not_after timestamp
|
||||||
|
*
|
||||||
|
* \return 0 if timestamp was parsed successfully, or
|
||||||
|
* a specific error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
|
||||||
|
const char *not_after );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the issuer name for a Certificate
|
||||||
|
* Issuer names should contain a comma-separated list
|
||||||
|
* of OID types and values:
|
||||||
|
* e.g. "C=UK,O=ARM,CN=mbed TLS CA"
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param issuer_name issuer name to set
|
||||||
|
*
|
||||||
|
* \return 0 if issuer name was parsed successfully, or
|
||||||
|
* a specific error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
|
||||||
|
const char *issuer_name );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the subject name for a Certificate
|
||||||
|
* Subject names should contain a comma-separated list
|
||||||
|
* of OID types and values:
|
||||||
|
* e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param subject_name subject name to set
|
||||||
|
*
|
||||||
|
* \return 0 if subject name was parsed successfully, or
|
||||||
|
* a specific error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
|
||||||
|
const char *subject_name );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the subject public key for the certificate
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param key public key to include
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the issuer key used for signing the certificate
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param key private key to sign with
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the MD algorithm to use for the signature
|
||||||
|
* (e.g. MBEDTLS_MD_SHA1)
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param md_alg MD algorithm to use
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Generic function to add to or replace an extension in the
|
||||||
|
* CRT
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param oid OID of the extension
|
||||||
|
* \param oid_len length of the OID
|
||||||
|
* \param critical if the extension is critical (per the RFC's definition)
|
||||||
|
* \param val value of the extension OCTET STRING
|
||||||
|
* \param val_len length of the value data
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
|
||||||
|
const char *oid, size_t oid_len,
|
||||||
|
int critical,
|
||||||
|
const unsigned char *val, size_t val_len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the basicConstraints extension for a CRT
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param is_ca is this a CA certificate
|
||||||
|
* \param max_pathlen maximum length of certificate chains below this
|
||||||
|
* certificate (only for CA certificates, -1 is
|
||||||
|
* inlimited)
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
|
||||||
|
int is_ca, int max_pathlen );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
|
/**
|
||||||
|
* \brief Set the subjectKeyIdentifier extension for a CRT
|
||||||
|
* Requires that mbedtls_x509write_crt_set_subject_key() has been
|
||||||
|
* called before
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the authorityKeyIdentifier extension for a CRT
|
||||||
|
* Requires that mbedtls_x509write_crt_set_issuer_key() has been
|
||||||
|
* called before
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
|
||||||
|
#endif /* MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the Key Usage Extension flags
|
||||||
|
* (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param key_usage key usage flags to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
|
||||||
|
unsigned int key_usage );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the Netscape Cert Type flags
|
||||||
|
* (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to use
|
||||||
|
* \param ns_cert_type Netscape Cert Type flags to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
|
||||||
|
unsigned char ns_cert_type );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free the contents of a CRT write context
|
||||||
|
*
|
||||||
|
* \param ctx CRT context to free
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Write a built up certificate to a X509 DER structure
|
||||||
|
* Note: data is written at the end of the buffer! Use the
|
||||||
|
* return value to determine where you should start
|
||||||
|
* using the buffer
|
||||||
|
*
|
||||||
|
* \param ctx certificate to write away
|
||||||
|
* \param buf buffer to write to
|
||||||
|
* \param size size of the buffer
|
||||||
|
* \param f_rng RNG function (for signature, see note)
|
||||||
|
* \param p_rng RNG parameter
|
||||||
|
*
|
||||||
|
* \return length of data written if successful, or a specific
|
||||||
|
* error code
|
||||||
|
*
|
||||||
|
* \note f_rng may be NULL if RSA is used for signature and the
|
||||||
|
* signature is made offline (otherwise f_rng is desirable
|
||||||
|
* for countermeasures against timing attacks).
|
||||||
|
* ECDSA signatures always require a non-NULL f_rng.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
/**
|
||||||
|
* \brief Write a built up certificate to a X509 PEM string
|
||||||
|
*
|
||||||
|
* \param ctx certificate to write away
|
||||||
|
* \param buf buffer to write to
|
||||||
|
* \param size size of the buffer
|
||||||
|
* \param f_rng RNG function (for signature, see note)
|
||||||
|
* \param p_rng RNG parameter
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific error code
|
||||||
|
*
|
||||||
|
* \note f_rng may be NULL if RSA is used for signature and the
|
||||||
|
* signature is made offline (otherwise f_rng is desirable
|
||||||
|
* for countermeasures against timing attacks).
|
||||||
|
* ECDSA signatures always require a non-NULL f_rng.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng );
|
||||||
|
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_WRITE_C */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* mbedtls_x509_crt.h */
|
307
include/mbedtls/x509_csr.h
Normal file
307
include/mbedtls/x509_csr.h
Normal file
|
@ -0,0 +1,307 @@
|
||||||
|
/**
|
||||||
|
* \file x509_csr.h
|
||||||
|
*
|
||||||
|
* \brief X.509 certificate signing request parsing and writing
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_X509_CSR_H
|
||||||
|
#define MBEDTLS_X509_CSR_H
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "x509.h"
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \addtogroup x509_module
|
||||||
|
* \{ */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \name Structures and functions for X.509 Certificate Signing Requests (CSR)
|
||||||
|
* \{
|
||||||
|
*/
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Certificate Signing Request (CSR) structure.
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509_csr
|
||||||
|
{
|
||||||
|
mbedtls_x509_buf raw; /**< The raw CSR data (DER). */
|
||||||
|
mbedtls_x509_buf cri; /**< The raw CertificateRequestInfo body (DER). */
|
||||||
|
|
||||||
|
int version; /**< CSR version (1=v1). */
|
||||||
|
|
||||||
|
mbedtls_x509_buf subject_raw; /**< The raw subject data (DER). */
|
||||||
|
mbedtls_x509_name subject; /**< The parsed subject data (named information object). */
|
||||||
|
|
||||||
|
mbedtls_pk_context pk; /**< Container for the public key context. */
|
||||||
|
|
||||||
|
mbedtls_x509_buf sig_oid;
|
||||||
|
mbedtls_x509_buf sig;
|
||||||
|
mbedtls_md_type_t sig_md; /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */
|
||||||
|
mbedtls_pk_type_t sig_pk; /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */
|
||||||
|
void *sig_opts; /**< Signature options to be passed to mbedtls_pk_verify_ext(), e.g. for RSASSA-PSS */
|
||||||
|
}
|
||||||
|
mbedtls_x509_csr;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Container for writing a CSR
|
||||||
|
*/
|
||||||
|
typedef struct mbedtls_x509write_csr
|
||||||
|
{
|
||||||
|
mbedtls_pk_context *key;
|
||||||
|
mbedtls_asn1_named_data *subject;
|
||||||
|
mbedtls_md_type_t md_alg;
|
||||||
|
mbedtls_asn1_named_data *extensions;
|
||||||
|
}
|
||||||
|
mbedtls_x509write_csr;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||||
|
/**
|
||||||
|
* \brief Load a Certificate Signing Request (CSR) in DER format
|
||||||
|
*
|
||||||
|
* \note CSR attributes (if any) are currently silently ignored.
|
||||||
|
*
|
||||||
|
* \param csr CSR context to fill
|
||||||
|
* \param buf buffer holding the CRL data
|
||||||
|
* \param buflen size of the buffer
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
|
||||||
|
const unsigned char *buf, size_t buflen );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Load a Certificate Signing Request (CSR), DER or PEM format
|
||||||
|
*
|
||||||
|
* \note See notes for \c mbedtls_x509_csr_parse_der()
|
||||||
|
*
|
||||||
|
* \param csr CSR context to fill
|
||||||
|
* \param buf buffer holding the CRL data
|
||||||
|
* \param buflen size of the buffer
|
||||||
|
* (including the terminating null byte for PEM data)
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO)
|
||||||
|
/**
|
||||||
|
* \brief Load a Certificate Signing Request (CSR)
|
||||||
|
*
|
||||||
|
* \note See notes for \c mbedtls_x509_csr_parse()
|
||||||
|
*
|
||||||
|
* \param csr CSR context to fill
|
||||||
|
* \param path filename to read the CSR from
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific X509 or PEM error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path );
|
||||||
|
#endif /* MBEDTLS_FS_IO */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Returns an informational string about the
|
||||||
|
* CSR.
|
||||||
|
*
|
||||||
|
* \param buf Buffer to write to
|
||||||
|
* \param size Maximum size of buffer
|
||||||
|
* \param prefix A line prefix
|
||||||
|
* \param csr The X509 CSR to represent
|
||||||
|
*
|
||||||
|
* \return The length of the string written (not including the
|
||||||
|
* terminated nul byte), or a negative error code.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
|
||||||
|
const mbedtls_x509_csr *csr );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Initialize a CSR
|
||||||
|
*
|
||||||
|
* \param csr CSR to initialize
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_csr_init( mbedtls_x509_csr *csr );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Unallocate all CSR data
|
||||||
|
*
|
||||||
|
* \param csr CSR to free
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_csr_free( mbedtls_x509_csr *csr );
|
||||||
|
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
||||||
|
|
||||||
|
/* \} name */
|
||||||
|
/* \} addtogroup x509_module */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CSR_WRITE_C)
|
||||||
|
/**
|
||||||
|
* \brief Initialize a CSR context
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to initialize
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the subject name for a CSR
|
||||||
|
* Subject names should contain a comma-separated list
|
||||||
|
* of OID types and values:
|
||||||
|
* e.g. "C=UK,O=ARM,CN=mbed TLS Server 1"
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to use
|
||||||
|
* \param subject_name subject name to set
|
||||||
|
*
|
||||||
|
* \return 0 if subject name was parsed successfully, or
|
||||||
|
* a specific error code
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
|
||||||
|
const char *subject_name );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the key for a CSR (public key will be included,
|
||||||
|
* private key used to sign the CSR when writing it)
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to use
|
||||||
|
* \param key Asymetric key to include
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the MD algorithm to use for the signature
|
||||||
|
* (e.g. MBEDTLS_MD_SHA1)
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to use
|
||||||
|
* \param md_alg MD algorithm to use
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the Key Usage Extension flags
|
||||||
|
* (e.g. MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_KEY_CERT_SIGN)
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to use
|
||||||
|
* \param key_usage key usage flags to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*
|
||||||
|
* \note The <code>decipherOnly</code> flag from the Key Usage
|
||||||
|
* extension is represented by bit 8 (i.e.
|
||||||
|
* <code>0x8000</code>), which cannot typically be represented
|
||||||
|
* in an unsigned char. Therefore, the flag
|
||||||
|
* <code>decipherOnly</code> (i.e.
|
||||||
|
* #MBEDTLS_X509_KU_DECIPHER_ONLY) cannot be set using this
|
||||||
|
* function.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Set the Netscape Cert Type flags
|
||||||
|
* (e.g. MBEDTLS_X509_NS_CERT_TYPE_SSL_CLIENT | MBEDTLS_X509_NS_CERT_TYPE_EMAIL)
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to use
|
||||||
|
* \param ns_cert_type Netscape Cert Type flags to set
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
|
||||||
|
unsigned char ns_cert_type );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Generic function to add to or replace an extension in the
|
||||||
|
* CSR
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to use
|
||||||
|
* \param oid OID of the extension
|
||||||
|
* \param oid_len length of the OID
|
||||||
|
* \param val value of the extension OCTET STRING
|
||||||
|
* \param val_len length of the value data
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
|
||||||
|
const char *oid, size_t oid_len,
|
||||||
|
const unsigned char *val, size_t val_len );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Free the contents of a CSR context
|
||||||
|
*
|
||||||
|
* \param ctx CSR context to free
|
||||||
|
*/
|
||||||
|
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx );
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Write a CSR (Certificate Signing Request) to a
|
||||||
|
* DER structure
|
||||||
|
* Note: data is written at the end of the buffer! Use the
|
||||||
|
* return value to determine where you should start
|
||||||
|
* using the buffer
|
||||||
|
*
|
||||||
|
* \param ctx CSR to write away
|
||||||
|
* \param buf buffer to write to
|
||||||
|
* \param size size of the buffer
|
||||||
|
* \param f_rng RNG function (for signature, see note)
|
||||||
|
* \param p_rng RNG parameter
|
||||||
|
*
|
||||||
|
* \return length of data written if successful, or a specific
|
||||||
|
* error code
|
||||||
|
*
|
||||||
|
* \note f_rng may be NULL if RSA is used for signature and the
|
||||||
|
* signature is made offline (otherwise f_rng is desirable
|
||||||
|
* for countermeasures against timing attacks).
|
||||||
|
* ECDSA signatures always require a non-NULL f_rng.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
/**
|
||||||
|
* \brief Write a CSR (Certificate Signing Request) to a
|
||||||
|
* PEM string
|
||||||
|
*
|
||||||
|
* \param ctx CSR to write away
|
||||||
|
* \param buf buffer to write to
|
||||||
|
* \param size size of the buffer
|
||||||
|
* \param f_rng RNG function (for signature, see note)
|
||||||
|
* \param p_rng RNG parameter
|
||||||
|
*
|
||||||
|
* \return 0 if successful, or a specific error code
|
||||||
|
*
|
||||||
|
* \note f_rng may be NULL if RSA is used for signature and the
|
||||||
|
* signature is made offline (otherwise f_rng is desirable
|
||||||
|
* for countermeasures against timing attacks).
|
||||||
|
* ECDSA signatures always require a non-NULL f_rng.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng );
|
||||||
|
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||||
|
#endif /* MBEDTLS_X509_CSR_WRITE_C */
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* mbedtls_x509_csr.h */
|
436
library/certs.c
Normal file
436
library/certs.c
Normal file
|
@ -0,0 +1,436 @@
|
||||||
|
/*
|
||||||
|
* X.509 test certificates
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "mbedtls/certs.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_CERTS_C)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDSA_C)
|
||||||
|
#define TEST_CA_CRT_EC \
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||||
|
"MIICUjCCAdegAwIBAgIJAMFD4n5iQ8zoMAoGCCqGSM49BAMCMD4xCzAJBgNVBAYT\r\n" \
|
||||||
|
"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \
|
||||||
|
"QyBDQTAeFw0xMzA5MjQxNTQ5NDhaFw0yMzA5MjIxNTQ5NDhaMD4xCzAJBgNVBAYT\r\n" \
|
||||||
|
"Ak5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBF\r\n" \
|
||||||
|
"QyBDQTB2MBAGByqGSM49AgEGBSuBBAAiA2IABMPaKzRBN1gvh1b+/Im6KUNLTuBu\r\n" \
|
||||||
|
"ww5XUzM5WNRStJGVOQsj318XJGJI/BqVKc4sLYfCiFKAr9ZqqyHduNMcbli4yuiy\r\n" \
|
||||||
|
"aY7zQa0pw7RfdadHb9UZKVVpmlM7ILRmFmAzHqOBoDCBnTAdBgNVHQ4EFgQUnW0g\r\n" \
|
||||||
|
"JEkBPyvLeLUZvH4kydv7NnwwbgYDVR0jBGcwZYAUnW0gJEkBPyvLeLUZvH4kydv7\r\n" \
|
||||||
|
"NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEcMBoGA1UE\r\n" \
|
||||||
|
"AxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAwGA1UdEwQFMAMBAf8w\r\n" \
|
||||||
|
"CgYIKoZIzj0EAwIDaQAwZgIxAMO0YnNWKJUAfXgSJtJxexn4ipg+kv4znuR50v56\r\n" \
|
||||||
|
"t4d0PCu412mUC6Nnd7izvtE2MgIxAP1nnJQjZ8BWukszFQDG48wxCCyci9qpdSMv\r\n" \
|
||||||
|
"uCjn8pwUOkABXK8Mss90fzCfCEOtIA==\r\n" \
|
||||||
|
"-----END CERTIFICATE-----\r\n"
|
||||||
|
const char mbedtls_test_ca_crt_ec[] = TEST_CA_CRT_EC;
|
||||||
|
const size_t mbedtls_test_ca_crt_ec_len = sizeof( mbedtls_test_ca_crt_ec );
|
||||||
|
|
||||||
|
const char mbedtls_test_ca_key_ec[] =
|
||||||
|
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||||
|
"Proc-Type: 4,ENCRYPTED\r\n"
|
||||||
|
"DEK-Info: DES-EDE3-CBC,307EAB469933D64E\r\n"
|
||||||
|
"\r\n"
|
||||||
|
"IxbrRmKcAzctJqPdTQLA4SWyBYYGYJVkYEna+F7Pa5t5Yg/gKADrFKcm6B72e7DG\r\n"
|
||||||
|
"ihExtZI648s0zdYw6qSJ74vrPSuWDe5qm93BqsfVH9svtCzWHW0pm1p0KTBCFfUq\r\n"
|
||||||
|
"UsuWTITwJImcnlAs1gaRZ3sAWm7cOUidL0fo2G0fYUFNcYoCSLffCFTEHBuPnagb\r\n"
|
||||||
|
"a77x/sY1Bvii8S9/XhDTb6pTMx06wzrm\r\n"
|
||||||
|
"-----END EC PRIVATE KEY-----\r\n";
|
||||||
|
const size_t mbedtls_test_ca_key_ec_len = sizeof( mbedtls_test_ca_key_ec );
|
||||||
|
|
||||||
|
const char mbedtls_test_ca_pwd_ec[] = "PolarSSLTest";
|
||||||
|
const size_t mbedtls_test_ca_pwd_ec_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
|
||||||
|
|
||||||
|
const char mbedtls_test_srv_crt_ec[] =
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n"
|
||||||
|
"MIICHzCCAaWgAwIBAgIBCTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||||
|
"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
|
||||||
|
"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||||
|
"A1UEChMIUG9sYXJTU0wxEjAQBgNVBAMTCWxvY2FsaG9zdDBZMBMGByqGSM49AgEG\r\n"
|
||||||
|
"CCqGSM49AwEHA0IABDfMVtl2CR5acj7HWS3/IG7ufPkGkXTQrRS192giWWKSTuUA\r\n"
|
||||||
|
"2CMR/+ov0jRdXRa9iojCa3cNVc2KKg76Aci07f+jgZ0wgZowCQYDVR0TBAIwADAd\r\n"
|
||||||
|
"BgNVHQ4EFgQUUGGlj9QH2deCAQzlZX+MY0anE74wbgYDVR0jBGcwZYAUnW0gJEkB\r\n"
|
||||||
|
"PyvLeLUZvH4kydv7NnyhQqRAMD4xCzAJBgNVBAYTAk5MMREwDwYDVQQKEwhQb2xh\r\n"
|
||||||
|
"clNTTDEcMBoGA1UEAxMTUG9sYXJzc2wgVGVzdCBFQyBDQYIJAMFD4n5iQ8zoMAoG\r\n"
|
||||||
|
"CCqGSM49BAMCA2gAMGUCMQCaLFzXptui5WQN8LlO3ddh1hMxx6tzgLvT03MTVK2S\r\n"
|
||||||
|
"C12r0Lz3ri/moSEpNZWqPjkCMCE2f53GXcYLqyfyJR078c/xNSUU5+Xxl7VZ414V\r\n"
|
||||||
|
"fGa5kHvHARBPc8YAIVIqDvHH1Q==\r\n"
|
||||||
|
"-----END CERTIFICATE-----\r\n";
|
||||||
|
const size_t mbedtls_test_srv_crt_ec_len = sizeof( mbedtls_test_srv_crt_ec );
|
||||||
|
|
||||||
|
const char mbedtls_test_srv_key_ec[] =
|
||||||
|
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||||
|
"MHcCAQEEIPEqEyB2AnCoPL/9U/YDHvdqXYbIogTywwyp6/UfDw6noAoGCCqGSM49\r\n"
|
||||||
|
"AwEHoUQDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/\r\n"
|
||||||
|
"6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/w==\r\n"
|
||||||
|
"-----END EC PRIVATE KEY-----\r\n";
|
||||||
|
const size_t mbedtls_test_srv_key_ec_len = sizeof( mbedtls_test_srv_key_ec );
|
||||||
|
|
||||||
|
const char mbedtls_test_cli_crt_ec[] =
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n"
|
||||||
|
"MIICLDCCAbKgAwIBAgIBDTAKBggqhkjOPQQDAjA+MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||||
|
"A1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0EwHhcN\r\n"
|
||||||
|
"MTMwOTI0MTU1MjA0WhcNMjMwOTIyMTU1MjA0WjBBMQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||||
|
"A1UEChMIUG9sYXJTU0wxHzAdBgNVBAMTFlBvbGFyU1NMIFRlc3QgQ2xpZW50IDIw\r\n"
|
||||||
|
"WTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARX5a6xc9/TrLuTuIH/Eq7u5lOszlVT\r\n"
|
||||||
|
"9jQOzC7jYyUL35ji81xgNpbA1RgUcOV/n9VLRRjlsGzVXPiWj4dwo+THo4GdMIGa\r\n"
|
||||||
|
"MAkGA1UdEwQCMAAwHQYDVR0OBBYEFHoAX4Zk/OBd5REQO7LmO8QmP8/iMG4GA1Ud\r\n"
|
||||||
|
"IwRnMGWAFJ1tICRJAT8ry3i1Gbx+JMnb+zZ8oUKkQDA+MQswCQYDVQQGEwJOTDER\r\n"
|
||||||
|
"MA8GA1UEChMIUG9sYXJTU0wxHDAaBgNVBAMTE1BvbGFyc3NsIFRlc3QgRUMgQ0GC\r\n"
|
||||||
|
"CQDBQ+J+YkPM6DAKBggqhkjOPQQDAgNoADBlAjBKZQ17IIOimbmoD/yN7o89u3BM\r\n"
|
||||||
|
"lgOsjnhw3fIOoLIWy2WOGsk/LGF++DzvrRzuNiACMQCd8iem1XS4JK7haj8xocpU\r\n"
|
||||||
|
"LwjQje5PDGHfd3h9tP38Qknu5bJqws0md2KOKHyeV0U=\r\n"
|
||||||
|
"-----END CERTIFICATE-----\r\n";
|
||||||
|
const size_t mbedtls_test_cli_crt_ec_len = sizeof( mbedtls_test_cli_crt_ec );
|
||||||
|
|
||||||
|
const char mbedtls_test_cli_key_ec[] =
|
||||||
|
"-----BEGIN EC PRIVATE KEY-----\r\n"
|
||||||
|
"MHcCAQEEIPb3hmTxZ3/mZI3vyk7p3U3wBf+WIop6hDhkFzJhmLcqoAoGCCqGSM49\r\n"
|
||||||
|
"AwEHoUQDQgAEV+WusXPf06y7k7iB/xKu7uZTrM5VU/Y0Dswu42MlC9+Y4vNcYDaW\r\n"
|
||||||
|
"wNUYFHDlf5/VS0UY5bBs1Vz4lo+HcKPkxw==\r\n"
|
||||||
|
"-----END EC PRIVATE KEY-----\r\n";
|
||||||
|
const size_t mbedtls_test_cli_key_ec_len = sizeof( mbedtls_test_cli_key_ec );
|
||||||
|
#endif /* MBEDTLS_ECDSA_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
#define TEST_CA_CRT_RSA_SHA256 \
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||||
|
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||||
|
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||||
|
"MTcwNTA0MTY1NzAxWhcNMjcwNTA1MTY1NzAxWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||||
|
"A1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
|
||||||
|
"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
|
||||||
|
"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
|
||||||
|
"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
|
||||||
|
"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
|
||||||
|
"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
|
||||||
|
"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
|
||||||
|
"gZUwgZIwHQYDVR0OBBYEFLRa5KWz3tJS9rnVppUP6z68x/3/MGMGA1UdIwRcMFqA\r\n" \
|
||||||
|
"FLRa5KWz3tJS9rnVppUP6z68x/3/oT+kPTA7MQswCQYDVQQGEwJOTDERMA8GA1UE\r\n" \
|
||||||
|
"CgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0GCAQAwDAYDVR0T\r\n" \
|
||||||
|
"BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAHK/HHrTZMnnVMpde1io+voAtql7j\r\n" \
|
||||||
|
"4sRhLrjD7o3THtwRbDa2diCvpq0Sq23Ng2LMYoXsOxoL/RQK3iN7UKxV3MKPEr0w\r\n" \
|
||||||
|
"XQS+kKQqiT2bsfrjnWMVHZtUOMpm6FNqcdGm/Rss3vKda2lcKl8kUnq/ylc1+QbB\r\n" \
|
||||||
|
"G6A6tUvQcr2ZyWfVg+mM5XkhTrOOXus2OLikb4WwEtJTJRNE0f+yPODSUz0/vT57\r\n" \
|
||||||
|
"ApH0CnB80bYJshYHPHHymOtleAB8KSYtqm75g/YNobjnjB6cm4HkW3OZRVIl6fYY\r\n" \
|
||||||
|
"n20NRVA1Vjs6GAROr4NqW4k/+LofY9y0LLDE+p0oIEKXIsIvhPr39swxSA==\r\n" \
|
||||||
|
"-----END CERTIFICATE-----\r\n"
|
||||||
|
|
||||||
|
static const char mbedtls_test_ca_crt_rsa_sha256[] = TEST_CA_CRT_RSA_SHA256;
|
||||||
|
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA256;
|
||||||
|
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||||
|
#define TEST_CA_CRT_RSA_SOME
|
||||||
|
#endif /* MBEDTLS_SHA256_C */
|
||||||
|
|
||||||
|
#if !defined(TEST_CA_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
|
||||||
|
#define TEST_CA_CRT_RSA_SHA1 \
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||||
|
"MIIDhzCCAm+gAwIBAgIBADANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||||
|
"MA8GA1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||||
|
"MTEwMjEyMTQ0NDAwWhcNMjEwMjEyMTQ0NDAwWjA7MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||||
|
"A1UEChMIUG9sYXJTU0wxGTAXBgNVBAMTEFBvbGFyU1NMIFRlc3QgQ0EwggEiMA0G\r\n" \
|
||||||
|
"CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDA3zf8F7vglp0/ht6WMn1EpRagzSHx\r\n" \
|
||||||
|
"mdTs6st8GFgIlKXsm8WL3xoemTiZhx57wI053zhdcHgH057Zk+i5clHFzqMwUqny\r\n" \
|
||||||
|
"50BwFMtEonILwuVA+T7lpg6z+exKY8C4KQB0nFc7qKUEkHHxvYPZP9al4jwqj+8n\r\n" \
|
||||||
|
"YMPGn8u67GB9t+aEMr5P+1gmIgNb1LTV+/Xjli5wwOQuvfwu7uJBVcA0Ln0kcmnL\r\n" \
|
||||||
|
"R7EUQIN9Z/SG9jGr8XmksrUuEvmEF/Bibyc+E1ixVA0hmnM3oTDPb5Lc9un8rNsu\r\n" \
|
||||||
|
"KNF+AksjoBXyOGVkCeoMbo4bF6BxyLObyavpw/LPh5aPgAIynplYb6LVAgMBAAGj\r\n" \
|
||||||
|
"gZUwgZIwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUtFrkpbPe0lL2udWmlQ/rPrzH\r\n" \
|
||||||
|
"/f8wYwYDVR0jBFwwWoAUtFrkpbPe0lL2udWmlQ/rPrzH/f+hP6Q9MDsxCzAJBgNV\r\n" \
|
||||||
|
"BAYTAk5MMREwDwYDVQQKEwhQb2xhclNTTDEZMBcGA1UEAxMQUG9sYXJTU0wgVGVz\r\n" \
|
||||||
|
"dCBDQYIBADANBgkqhkiG9w0BAQUFAAOCAQEAuP1U2ABUkIslsCfdlc2i94QHHYeJ\r\n" \
|
||||||
|
"SsR4EdgHtdciUI5I62J6Mom+Y0dT/7a+8S6MVMCZP6C5NyNyXw1GWY/YR82XTJ8H\r\n" \
|
||||||
|
"DBJiCTok5DbZ6SzaONBzdWHXwWwmi5vg1dxn7YxrM9d0IjxM27WNKs4sDQhZBQkF\r\n" \
|
||||||
|
"pjmfs2cb4oPl4Y9T9meTx/lvdkRYEug61Jfn6cA+qHpyPYdTH+UshITnmp5/Ztkf\r\n" \
|
||||||
|
"m/UTSLBNFNHesiTZeH31NcxYGdHSme9Nc/gfidRa0FLOCfWxRlFqAI47zG9jAQCZ\r\n" \
|
||||||
|
"7Z2mCGDNMhjQc+BYcdnl0lPXjdDK6V0qCg1dVewhUBcW5gZKzV7e9+DpVA==\r\n" \
|
||||||
|
"-----END CERTIFICATE-----\r\n"
|
||||||
|
|
||||||
|
static const char mbedtls_test_ca_crt_rsa_sha1[] = TEST_CA_CRT_RSA_SHA1;
|
||||||
|
|
||||||
|
#if !defined (TEST_CA_CRT_RSA_SOME)
|
||||||
|
const char mbedtls_test_ca_crt_rsa[] = TEST_CA_CRT_RSA_SHA1;
|
||||||
|
const size_t mbedtls_test_ca_crt_rsa_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||||
|
#endif /* !TEST_CA_CRT_RSA_SOME */
|
||||||
|
#endif /* !TEST_CA_CRT_RSA_COME || MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
/* tests/data_files/server2-sha256.crt */
|
||||||
|
#define TEST_SRV_CRT_RSA_SHA256 \
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||||
|
"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||||
|
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||||
|
"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||||
|
"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
|
||||||
|
"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
|
||||||
|
"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
|
||||||
|
"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
|
||||||
|
"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
|
||||||
|
"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
|
||||||
|
"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
|
||||||
|
"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
|
||||||
|
"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAGGEshT5\r\n" \
|
||||||
|
"kvnRmLVScVeUEdwIrvW7ezbGbUvJ8VxeJ79/HSjlLiGbMc4uUathwtzEdi9R/4C5\r\n" \
|
||||||
|
"DXBNeEPTkbB+fhG1W06iHYj/Dp8+aaG7fuDxKVKHVZSqBnmQLn73ymyclZNHii5A\r\n" \
|
||||||
|
"3nTS8WUaHAzxN/rajOtoM7aH1P9tULpHrl+7HOeLMpxUnwI12ZqZaLIzxbcdJVcr\r\n" \
|
||||||
|
"ra2F00aXCGkYVLvyvbZIq7LC+yVysej5gCeQYD7VFOEks0jhFjrS06gP0/XnWv6v\r\n" \
|
||||||
|
"eBoPez9d+CCjkrhseiWzXOiriIMICX48EloO/DrsMRAtvlwq7EDz4QhILz6ffndm\r\n" \
|
||||||
|
"e4K1cVANRPN2o9Y=\r\n" \
|
||||||
|
"-----END CERTIFICATE-----\r\n"
|
||||||
|
|
||||||
|
const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA256;
|
||||||
|
const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||||
|
#define TEST_SRV_CRT_RSA_SOME
|
||||||
|
#endif /* MBEDTLS_SHA256_C */
|
||||||
|
|
||||||
|
#if !defined(TEST_SRV_CRT_RSA_SOME) || defined(MBEDTLS_SHA1_C)
|
||||||
|
/* tests/data_files/server2.crt */
|
||||||
|
#define TEST_SRV_CRT_RSA_SHA1 \
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n" \
|
||||||
|
"MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJOTDER\r\n" \
|
||||||
|
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n" \
|
||||||
|
"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8G\r\n" \
|
||||||
|
"A1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcN\r\n" \
|
||||||
|
"AQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTN\r\n" \
|
||||||
|
"owCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKz\r\n" \
|
||||||
|
"NtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kM\r\n" \
|
||||||
|
"tQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8P\r\n" \
|
||||||
|
"hYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjya\r\n" \
|
||||||
|
"HT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYD\r\n" \
|
||||||
|
"VR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgw\r\n" \
|
||||||
|
"FoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQEFBQADggEBAAFzC0rF\r\n" \
|
||||||
|
"y6De8WMcdgQrEw3AhBHFjzqnxZw1ene4IBSC7lTw8rBSy3jOWQdPUWn+0y/pCeeF\r\n" \
|
||||||
|
"kti6sevFdl1hLemGtd4q+T9TKEKGg3ND4ARfB5AUZZ9uEHq8WBkiwus5clGS17Qd\r\n" \
|
||||||
|
"dS/TOisB59tQruLx1E1bPLtBKyqk4koC5WAULJwfpswGSyWJTpYwIpxcWE3D2tBu\r\n" \
|
||||||
|
"UB6MZfXZFzWmWEOyKbeoXjXe8GBCGgHLywvYDsGQ36HSGtEsAvR2QaTLSxWYcfk1\r\n" \
|
||||||
|
"fbDn4jSWkb4yZy1r01UEigFQtONieGwRFaUqEcFJHJvEEGVgh9keaVlOj2vrwf5r\r\n" \
|
||||||
|
"4mN4lW7gLdenN6g=\r\n" \
|
||||||
|
"-----END CERTIFICATE-----\r\n";
|
||||||
|
|
||||||
|
#if !defined(TEST_SRV_CRT_RSA_SOME)
|
||||||
|
const char mbedtls_test_srv_crt_rsa[] = TEST_SRV_CRT_RSA_SHA1;
|
||||||
|
const size_t mbedtls_test_srv_crt_rsa_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||||
|
#endif /* TEST_SRV_CRT_RSA_SOME */
|
||||||
|
#endif /* !TEST_CA_CRT_RSA_SOME || MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
|
const char mbedtls_test_ca_key_rsa[] =
|
||||||
|
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||||
|
"Proc-Type: 4,ENCRYPTED\r\n"
|
||||||
|
"DEK-Info: DES-EDE3-CBC,A8A95B05D5B7206B\r\n"
|
||||||
|
"\r\n"
|
||||||
|
"9Qd9GeArejl1GDVh2lLV1bHt0cPtfbh5h/5zVpAVaFpqtSPMrElp50Rntn9et+JA\r\n"
|
||||||
|
"7VOyboR+Iy2t/HU4WvA687k3Bppe9GwKHjHhtl//8xFKwZr3Xb5yO5JUP8AUctQq\r\n"
|
||||||
|
"Nb8CLlZyuUC+52REAAthdWgsX+7dJO4yabzUcQ22Tp9JSD0hiL43BlkWYUNK3dAo\r\n"
|
||||||
|
"PZlmiptjnzVTjg1MxsBSydZinWOLBV8/JQgxSPo2yD4uEfig28qbvQ2wNIn0pnAb\r\n"
|
||||||
|
"GxnSAOazkongEGfvcjIIs+LZN9gXFhxcOh6kc4Q/c99B7QWETwLLkYgZ+z1a9VY9\r\n"
|
||||||
|
"gEU7CwCxYCD+h9hY6FPmsK0/lC4O7aeRKpYq00rPPxs6i7phiexg6ax6yTMmArQq\r\n"
|
||||||
|
"QmK3TAsJm8V/J5AWpLEV6jAFgRGymGGHnof0DXzVWZidrcZJWTNuGEX90nB3ee2w\r\n"
|
||||||
|
"PXJEFWKoD3K3aFcSLdHYr3mLGxP7H9ThQai9VsycxZKS5kwvBKQ//YMrmFfwPk8x\r\n"
|
||||||
|
"vTeY4KZMaUrveEel5tWZC94RSMKgxR6cyE1nBXyTQnDOGbfpNNgBKxyKbINWoOJU\r\n"
|
||||||
|
"WJZAwlsQn+QzCDwpri7+sV1mS3gBE6UY7aQmnmiiaC2V3Hbphxct/en5QsfDOt1X\r\n"
|
||||||
|
"JczSfpRWLlbPznZg8OQh/VgCMA58N5DjOzTIK7sJJ5r+94ZBTCpgAMbF588f0NTR\r\n"
|
||||||
|
"KCe4yrxGJR7X02M4nvD4IwOlpsQ8xQxZtOSgXv4LkxvdU9XJJKWZ/XNKJeWztxSe\r\n"
|
||||||
|
"Z1vdTc2YfsDBA2SEv33vxHx2g1vqtw8SjDRT2RaQSS0QuSaMJimdOX6mTOCBKk1J\r\n"
|
||||||
|
"9Q5mXTrER+/LnK0jEmXsBXWA5bqqVZIyahXSx4VYZ7l7w/PHiUDtDgyRhMMKi4n2\r\n"
|
||||||
|
"iQvQcWSQTjrpnlJbca1/DkpRt3YwrvJwdqb8asZU2VrNETh5x0QVefDRLFiVpif/\r\n"
|
||||||
|
"tUaeAe/P1F8OkS7OIZDs1SUbv/sD2vMbhNkUoCms3/PvNtdnvgL4F0zhaDpKCmlT\r\n"
|
||||||
|
"P8vx49E7v5CyRNmED9zZg4o3wmMqrQO93PtTug3Eu9oVx1zPQM1NVMyBa2+f29DL\r\n"
|
||||||
|
"1nuTCeXdo9+ni45xx+jAI4DCwrRdhJ9uzZyC6962H37H6D+5naNvClFR1s6li1Gb\r\n"
|
||||||
|
"nqPoiy/OBsEx9CaDGcqQBp5Wme/3XW+6z1ISOx+igwNTVCT14mHdBMbya0eIKft5\r\n"
|
||||||
|
"X+GnwtgEMyCYyyWuUct8g4RzErcY9+yW9Om5Hzpx4zOuW4NPZgPDTgK+t2RSL/Yq\r\n"
|
||||||
|
"rE1njrgeGYcVeG3f+OftH4s6fPbq7t1A5ZgUscbLMBqr9tK+OqygR4EgKBPsH6Cz\r\n"
|
||||||
|
"L6zlv/2RV0qAHvVuDJcIDIgwY5rJtINEm32rhOeFNJwZS5MNIC1czXZx5//ugX7l\r\n"
|
||||||
|
"I4sy5nbVhwSjtAk8Xg5dZbdTZ6mIrb7xqH+fdakZor1khG7bC2uIwibD3cSl2XkR\r\n"
|
||||||
|
"wN48lslbHnqqagr6Xm1nNOSVl8C/6kbJEsMpLhAezfRtGwvOucoaE+WbeUNolGde\r\n"
|
||||||
|
"P/eQiddSf0brnpiLJRh7qZrl9XuqYdpUqnoEdMAfotDOID8OtV7gt8a48ad8VPW2\r\n"
|
||||||
|
"-----END RSA PRIVATE KEY-----\r\n";
|
||||||
|
const size_t mbedtls_test_ca_key_rsa_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||||
|
|
||||||
|
const char mbedtls_test_ca_pwd_rsa[] = "PolarSSLTest";
|
||||||
|
const size_t mbedtls_test_ca_pwd_rsa_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||||
|
|
||||||
|
const char mbedtls_test_srv_key_rsa[] =
|
||||||
|
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||||
|
"MIIEpAIBAAKCAQEAwU2j3efNHdEE10lyuJmsDnjkOjxKzzoTFtBa5M2jAIin7h5r\r\n"
|
||||||
|
"lqdStJDvLXJ6PiSa/LY0rCT1d+AmZIycsCh9odrqjObJHJa8/sEEUrM21KP64bF2\r\n"
|
||||||
|
"2JDBYbRmUjaiJlOqq3ReB30Zgtsq2B+g2Q0cLUlm91slc0boC4pPaQy1AJDh2oIQ\r\n"
|
||||||
|
"Zn2uVCuLZXmRoeJhw81ASQjuaAzxi4bSRr/QuKoRAx5/VqgaHkQYDw+Fi9qLRF7i\r\n"
|
||||||
|
"GMZiL8dmjfpd2H3zJ4kpAcWQDj8n8TDISg7v1t7HxydrxwU9esQCPJodPg/oNJhb\r\n"
|
||||||
|
"y3NLUpbYEaIsgIhpOVrTD7DeWS8Rx/fqEgEwlwIDAQABAoIBAQCXR0S8EIHFGORZ\r\n"
|
||||||
|
"++AtOg6eENxD+xVs0f1IeGz57Tjo3QnXX7VBZNdj+p1ECvhCE/G7XnkgU5hLZX+G\r\n"
|
||||||
|
"Z0jkz/tqJOI0vRSdLBbipHnWouyBQ4e/A1yIJdlBtqXxJ1KE/ituHRbNc4j4kL8Z\r\n"
|
||||||
|
"/r6pvwnTI0PSx2Eqs048YdS92LT6qAv4flbNDxMn2uY7s4ycS4Q8w1JXnCeaAnYm\r\n"
|
||||||
|
"WYI5wxO+bvRELR2Mcz5DmVnL8jRyml6l6582bSv5oufReFIbyPZbQWlXgYnpu6He\r\n"
|
||||||
|
"GTc7E1zKYQGG/9+DQUl/1vQuCPqQwny0tQoX2w5tdYpdMdVm+zkLtbajzdTviJJa\r\n"
|
||||||
|
"TWzL6lt5AoGBAN86+SVeJDcmQJcv4Eq6UhtRr4QGMiQMz0Sod6ettYxYzMgxtw28\r\n"
|
||||||
|
"CIrgpozCc+UaZJLo7UxvC6an85r1b2nKPCLQFaggJ0H4Q0J/sZOhBIXaoBzWxveK\r\n"
|
||||||
|
"nupceKdVxGsFi8CDy86DBfiyFivfBj+47BbaQzPBj7C4rK7UlLjab2rDAoGBAN2u\r\n"
|
||||||
|
"AM2gchoFiu4v1HFL8D7lweEpi6ZnMJjnEu/dEgGQJFjwdpLnPbsj4c75odQ4Gz8g\r\n"
|
||||||
|
"sw9lao9VVzbusoRE/JGI4aTdO0pATXyG7eG1Qu+5Yc1YGXcCrliA2xM9xx+d7f+s\r\n"
|
||||||
|
"mPzN+WIEg5GJDYZDjAzHG5BNvi/FfM1C9dOtjv2dAoGAF0t5KmwbjWHBhcVqO4Ic\r\n"
|
||||||
|
"BVvN3BIlc1ue2YRXEDlxY5b0r8N4XceMgKmW18OHApZxfl8uPDauWZLXOgl4uepv\r\n"
|
||||||
|
"whZC3EuWrSyyICNhLY21Ah7hbIEBPF3L3ZsOwC+UErL+dXWLdB56Jgy3gZaBeW7b\r\n"
|
||||||
|
"vDrEnocJbqCm7IukhXHOBK8CgYEAwqdHB0hqyNSzIOGY7v9abzB6pUdA3BZiQvEs\r\n"
|
||||||
|
"3LjHVd4HPJ2x0N8CgrBIWOE0q8+0hSMmeE96WW/7jD3fPWwCR5zlXknxBQsfv0gP\r\n"
|
||||||
|
"3BC5PR0Qdypz+d+9zfMf625kyit4T/hzwhDveZUzHnk1Cf+IG7Q+TOEnLnWAWBED\r\n"
|
||||||
|
"ISOWmrUCgYAFEmRxgwAc/u+D6t0syCwAYh6POtscq9Y0i9GyWk89NzgC4NdwwbBH\r\n"
|
||||||
|
"4AgahOxIxXx2gxJnq3yfkJfIjwf0s2DyP0kY2y6Ua1OeomPeY9mrIS4tCuDQ6LrE\r\n"
|
||||||
|
"TB6l9VGoxJL4fyHnZb8L5gGvnB1bbD8cL6YPaDiOhcRseC9vBiEuVg==\r\n"
|
||||||
|
"-----END RSA PRIVATE KEY-----\r\n";
|
||||||
|
const size_t mbedtls_test_srv_key_rsa_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||||
|
|
||||||
|
/* tests/data_files/cli-rsa-sha256.crt */
|
||||||
|
const char mbedtls_test_cli_crt_rsa[] =
|
||||||
|
"-----BEGIN CERTIFICATE-----\r\n"
|
||||||
|
"MIIDPzCCAiegAwIBAgIBBDANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDER\r\n"
|
||||||
|
"MA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcN\r\n"
|
||||||
|
"MTEwMjEyMTQ0NDA2WhcNMjEwMjEyMTQ0NDA2WjA8MQswCQYDVQQGEwJOTDERMA8G\r\n"
|
||||||
|
"A1UECgwIUG9sYXJTU0wxGjAYBgNVBAMMEVBvbGFyU1NMIENsaWVudCAyMIIBIjAN\r\n"
|
||||||
|
"BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6f\r\n"
|
||||||
|
"M60Nj4o8VmXl3ETZzGaFB9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu\r\n"
|
||||||
|
"1C93KYRhTYJQj6eVSHD1bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEw\r\n"
|
||||||
|
"MjDV0/YI0FZPRo7yX/k9Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v\r\n"
|
||||||
|
"4Jv4EFbMs44TFeY0BGbH7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx/\r\n"
|
||||||
|
"/DZrtenNLQNiTrM9AM+vdqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQAB\r\n"
|
||||||
|
"o00wSzAJBgNVHRMEAjAAMB0GA1UdDgQWBBRxoQBzckAvVHZeM/xSj7zx3WtGITAf\r\n"
|
||||||
|
"BgNVHSMEGDAWgBS0WuSls97SUva51aaVD+s+vMf9/zANBgkqhkiG9w0BAQsFAAOC\r\n"
|
||||||
|
"AQEAlHabem2Tu69VUN7EipwnQn1dIHdgvT5i+iQHpSxY1crPnBbAeSdAXwsVEqLQ\r\n"
|
||||||
|
"gOOIAQD5VIITNuoGgo4i+4OpNh9u7ZkpRHla+/swsfrFWRRbBNP5Bcu74AGLstwU\r\n"
|
||||||
|
"zM8gIkBiyfM1Q1qDQISV9trlCG6O8vh8dp/rbI3rfzo99BOHXgFCrzXjCuW4vDsF\r\n"
|
||||||
|
"r+Dao26bX3sJ6UnEWg1H3o2x6PpUcvQ36h71/bz4TEbbUUEpe02V4QWuL+wrhHJL\r\n"
|
||||||
|
"U7o3SVE3Og7jPF8sat0a50YUWhwEFI256m02KAXLg89ueUyYKEr6rNwhcvXJpvU9\r\n"
|
||||||
|
"giIVvd0Sbjjnn7NC4VDbcXV8vw==\r\n"
|
||||||
|
"-----END CERTIFICATE-----\r\n";
|
||||||
|
const size_t mbedtls_test_cli_crt_rsa_len = sizeof( mbedtls_test_cli_crt_rsa );
|
||||||
|
|
||||||
|
/* tests/data_files/cli-rsa.key */
|
||||||
|
const char mbedtls_test_cli_key_rsa[] =
|
||||||
|
"-----BEGIN RSA PRIVATE KEY-----\r\n"
|
||||||
|
"MIIEpAIBAAKCAQEAyHTEzLn5tXnpRdkUYLB9u5Pyax6fM60Nj4o8VmXl3ETZzGaF\r\n"
|
||||||
|
"B9X4J7BKNdBjngpuG7fa8H6r7gwQk4ZJGDTzqCrSV/Uu1C93KYRhTYJQj6eVSHD1\r\n"
|
||||||
|
"bk2y1RPD0hrt5kPqQhTrdOrA7R/UV06p86jt0uDBMHEwMjDV0/YI0FZPRo7yX/k9\r\n"
|
||||||
|
"Z5GIMC5Cst99++UMd//sMcB4j7/Cf8qtbCHWjdmLao5v4Jv4EFbMs44TFeY0BGbH\r\n"
|
||||||
|
"7vk2DmqV9gmaBmf0ZXH4yqSxJeD+PIs1BGe64E92hfx//DZrtenNLQNiTrM9AM+v\r\n"
|
||||||
|
"dqBpVoNq0qjU51Bx5rU2BXcFbXvI5MT9TNUhXwIDAQABAoIBAGdNtfYDiap6bzst\r\n"
|
||||||
|
"yhCiI8m9TtrhZw4MisaEaN/ll3XSjaOG2dvV6xMZCMV+5TeXDHOAZnY18Yi18vzz\r\n"
|
||||||
|
"4Ut2TnNFzizCECYNaA2fST3WgInnxUkV3YXAyP6CNxJaCmv2aA0yFr2kFVSeaKGt\r\n"
|
||||||
|
"ymvljNp2NVkvm7Th8fBQBO7I7AXhz43k0mR7XmPgewe8ApZOG3hstkOaMvbWAvWA\r\n"
|
||||||
|
"zCZupdDjZYjOJqlA4eEA4H8/w7F83r5CugeBE8LgEREjLPiyejrU5H1fubEY+h0d\r\n"
|
||||||
|
"l5HZBJ68ybTXfQ5U9o/QKA3dd0toBEhhdRUDGzWtjvwkEQfqF1reGWj/tod/gCpf\r\n"
|
||||||
|
"DFi6X0ECgYEA4wOv/pjSC3ty6TuOvKX2rOUiBrLXXv2JSxZnMoMiWI5ipLQt+RYT\r\n"
|
||||||
|
"VPafL/m7Dn6MbwjayOkcZhBwk5CNz5A6Q4lJ64Mq/lqHznRCQQ2Mc1G8eyDF/fYL\r\n"
|
||||||
|
"Ze2pLvwP9VD5jTc2miDfw+MnvJhywRRLcemDFP8k4hQVtm8PMp3ZmNECgYEA4gz7\r\n"
|
||||||
|
"wzObR4gn8ibe617uQPZjWzUj9dUHYd+in1gwBCIrtNnaRn9I9U/Q6tegRYpii4ys\r\n"
|
||||||
|
"c176NmU+umy6XmuSKV5qD9bSpZWG2nLFnslrN15Lm3fhZxoeMNhBaEDTnLT26yoi\r\n"
|
||||||
|
"33gp0mSSWy94ZEqipms+ULF6sY1ZtFW6tpGFoy8CgYAQHhnnvJflIs2ky4q10B60\r\n"
|
||||||
|
"ZcxFp3rtDpkp0JxhFLhiizFrujMtZSjYNm5U7KkgPVHhLELEUvCmOnKTt4ap/vZ0\r\n"
|
||||||
|
"BxJNe1GZH3pW6SAvGDQpl9sG7uu/vTFP+lCxukmzxB0DrrDcvorEkKMom7ZCCRvW\r\n"
|
||||||
|
"KZsZ6YeH2Z81BauRj218kQKBgQCUV/DgKP2985xDTT79N08jUo3hTP5MVYCCuj/+\r\n"
|
||||||
|
"UeEw1TvZcx3LJby7P6Xad6a1/BqveaGyFKIfEFIaBUBItk801sDDpDaYc4gL00Xc\r\n"
|
||||||
|
"7lFuBHOZkxJYlss5QrGpuOEl9ZwUt5IrFLBdYaKqNHzNVC1pCPfb/JyH6Dr2HUxq\r\n"
|
||||||
|
"gxUwAQKBgQCcU6G2L8AG9d9c0UpOyL1tMvFe5Ttw0KjlQVdsh1MP6yigYo9DYuwu\r\n"
|
||||||
|
"bHFVW2r0dBTqegP2/KTOxKzaHfC1qf0RGDsUoJCNJrd1cwoCLG8P2EF4w3OBrKqv\r\n"
|
||||||
|
"8u4ytY0F+Vlanj5lm3TaoHSVF1+NWPyOTiwevIECGKwSxvlki4fDAA==\r\n"
|
||||||
|
"-----END RSA PRIVATE KEY-----\r\n";
|
||||||
|
const size_t mbedtls_test_cli_key_rsa_len = sizeof( mbedtls_test_cli_key_rsa );
|
||||||
|
#endif /* MBEDTLS_RSA_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
/* Concatenation of all available CA certificates */
|
||||||
|
const char mbedtls_test_cas_pem[] =
|
||||||
|
#ifdef TEST_CA_CRT_RSA_SHA1
|
||||||
|
TEST_CA_CRT_RSA_SHA1
|
||||||
|
#endif
|
||||||
|
#ifdef TEST_CA_CRT_RSA_SHA256
|
||||||
|
TEST_CA_CRT_RSA_SHA256
|
||||||
|
#endif
|
||||||
|
#ifdef TEST_CA_CRT_EC
|
||||||
|
TEST_CA_CRT_EC
|
||||||
|
#endif
|
||||||
|
"";
|
||||||
|
const size_t mbedtls_test_cas_pem_len = sizeof( mbedtls_test_cas_pem );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* List of all available CA certificates */
|
||||||
|
const char * mbedtls_test_cas[] = {
|
||||||
|
#if defined(TEST_CA_CRT_RSA_SHA1)
|
||||||
|
mbedtls_test_ca_crt_rsa_sha1,
|
||||||
|
#endif
|
||||||
|
#if defined(TEST_CA_CRT_RSA_SHA256)
|
||||||
|
mbedtls_test_ca_crt_rsa_sha256,
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_ECDSA_C)
|
||||||
|
mbedtls_test_ca_crt_ec,
|
||||||
|
#endif
|
||||||
|
NULL
|
||||||
|
};
|
||||||
|
const size_t mbedtls_test_cas_len[] = {
|
||||||
|
#if defined(TEST_CA_CRT_RSA_SHA1)
|
||||||
|
sizeof( mbedtls_test_ca_crt_rsa_sha1 ),
|
||||||
|
#endif
|
||||||
|
#if defined(TEST_CA_CRT_RSA_SHA256)
|
||||||
|
sizeof( mbedtls_test_ca_crt_rsa_sha256 ),
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_ECDSA_C)
|
||||||
|
sizeof( mbedtls_test_ca_crt_ec ),
|
||||||
|
#endif
|
||||||
|
0
|
||||||
|
};
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_rsa; /* SHA1 or SHA256 */
|
||||||
|
const char *mbedtls_test_ca_key = mbedtls_test_ca_key_rsa;
|
||||||
|
const char *mbedtls_test_ca_pwd = mbedtls_test_ca_pwd_rsa;
|
||||||
|
const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_rsa;
|
||||||
|
const char *mbedtls_test_srv_key = mbedtls_test_srv_key_rsa;
|
||||||
|
const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_rsa;
|
||||||
|
const char *mbedtls_test_cli_key = mbedtls_test_cli_key_rsa;
|
||||||
|
const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_rsa );
|
||||||
|
const size_t mbedtls_test_ca_key_len = sizeof( mbedtls_test_ca_key_rsa );
|
||||||
|
const size_t mbedtls_test_ca_pwd_len = sizeof( mbedtls_test_ca_pwd_rsa ) - 1;
|
||||||
|
const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_rsa );
|
||||||
|
const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_rsa );
|
||||||
|
const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_rsa );
|
||||||
|
const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_rsa );
|
||||||
|
#else /* ! MBEDTLS_RSA_C, so MBEDTLS_ECDSA_C */
|
||||||
|
const char *mbedtls_test_ca_crt = mbedtls_test_ca_crt_ec;
|
||||||
|
const char *mbedtls_test_ca_key = mbedtls_test_ca_key_ec;
|
||||||
|
const char *mbedtls_test_ca_pwd = mbedtls_test_ca_pwd_ec;
|
||||||
|
const char *mbedtls_test_srv_crt = mbedtls_test_srv_crt_ec;
|
||||||
|
const char *mbedtls_test_srv_key = mbedtls_test_srv_key_ec;
|
||||||
|
const char *mbedtls_test_cli_crt = mbedtls_test_cli_crt_ec;
|
||||||
|
const char *mbedtls_test_cli_key = mbedtls_test_cli_key_ec;
|
||||||
|
const size_t mbedtls_test_ca_crt_len = sizeof( mbedtls_test_ca_crt_ec );
|
||||||
|
const size_t mbedtls_test_ca_key_len = sizeof( mbedtls_test_ca_key_ec );
|
||||||
|
const size_t mbedtls_test_ca_pwd_len = sizeof( mbedtls_test_ca_pwd_ec ) - 1;
|
||||||
|
const size_t mbedtls_test_srv_crt_len = sizeof( mbedtls_test_srv_crt_ec );
|
||||||
|
const size_t mbedtls_test_srv_key_len = sizeof( mbedtls_test_srv_key_ec );
|
||||||
|
const size_t mbedtls_test_cli_crt_len = sizeof( mbedtls_test_cli_crt_ec );
|
||||||
|
const size_t mbedtls_test_cli_key_len = sizeof( mbedtls_test_cli_key_ec );
|
||||||
|
#endif /* MBEDTLS_RSA_C */
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_CERTS_C */
|
438
library/debug.c
Normal file
438
library/debug.c
Normal file
|
@ -0,0 +1,438 @@
|
||||||
|
/*
|
||||||
|
* Debugging routines
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_DEBUG_C)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_free free
|
||||||
|
#define mbedtls_time_t time_t
|
||||||
|
#define mbedtls_snprintf snprintf
|
||||||
|
#define mbedtls_vsnprintf vsnprintf
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "mbedtls/debug.h"
|
||||||
|
|
||||||
|
#include <stdarg.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
|
||||||
|
!defined(inline) && !defined(__cplusplus)
|
||||||
|
#define inline __inline
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#define DEBUG_BUF_SIZE 512
|
||||||
|
|
||||||
|
static int debug_threshold = 0;
|
||||||
|
|
||||||
|
void mbedtls_debug_set_threshold( int threshold )
|
||||||
|
{
|
||||||
|
debug_threshold = threshold;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* All calls to f_dbg must be made via this function
|
||||||
|
*/
|
||||||
|
static inline void debug_send_line( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *str )
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* If in a threaded environment, we need a thread identifier.
|
||||||
|
* Since there is no portable way to get one, use the address of the ssl
|
||||||
|
* context instead, as it shouldn't be shared between threads.
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
char idstr[20 + DEBUG_BUF_SIZE]; /* 0x + 16 nibbles + ': ' */
|
||||||
|
mbedtls_snprintf( idstr, sizeof( idstr ), "%p: %s", (void*)ssl, str );
|
||||||
|
ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, idstr );
|
||||||
|
#else
|
||||||
|
ssl->conf->f_dbg( ssl->conf->p_dbg, level, file, line, str );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_debug_print_msg( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *format, ... )
|
||||||
|
{
|
||||||
|
va_list argp;
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( NULL == ssl ||
|
||||||
|
NULL == ssl->conf ||
|
||||||
|
NULL == ssl->conf->f_dbg ||
|
||||||
|
level > debug_threshold )
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
va_start( argp, format );
|
||||||
|
ret = mbedtls_vsnprintf( str, DEBUG_BUF_SIZE, format, argp );
|
||||||
|
va_end( argp );
|
||||||
|
|
||||||
|
if( ret >= 0 && ret < DEBUG_BUF_SIZE - 1 )
|
||||||
|
{
|
||||||
|
str[ret] = '\n';
|
||||||
|
str[ret + 1] = '\0';
|
||||||
|
}
|
||||||
|
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_debug_print_ret( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, int ret )
|
||||||
|
{
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
|
||||||
|
if( NULL == ssl ||
|
||||||
|
NULL == ssl->conf ||
|
||||||
|
NULL == ssl->conf->f_dbg ||
|
||||||
|
level > debug_threshold )
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* With non-blocking I/O and examples that just retry immediately,
|
||||||
|
* the logs would be quickly flooded with WANT_READ, so ignore that.
|
||||||
|
* Don't ignore WANT_WRITE however, since is is usually rare.
|
||||||
|
*/
|
||||||
|
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
|
||||||
|
return;
|
||||||
|
|
||||||
|
mbedtls_snprintf( str, sizeof( str ), "%s() returned %d (-0x%04x)\n",
|
||||||
|
text, ret, -ret );
|
||||||
|
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_debug_print_buf( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line, const char *text,
|
||||||
|
const unsigned char *buf, size_t len )
|
||||||
|
{
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
char txt[17];
|
||||||
|
size_t i, idx = 0;
|
||||||
|
|
||||||
|
if( NULL == ssl ||
|
||||||
|
NULL == ssl->conf ||
|
||||||
|
NULL == ssl->conf->f_dbg ||
|
||||||
|
level > debug_threshold )
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "dumping '%s' (%u bytes)\n",
|
||||||
|
text, (unsigned int) len );
|
||||||
|
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
|
||||||
|
idx = 0;
|
||||||
|
memset( txt, 0, sizeof( txt ) );
|
||||||
|
for( i = 0; i < len; i++ )
|
||||||
|
{
|
||||||
|
if( i >= 4096 )
|
||||||
|
break;
|
||||||
|
|
||||||
|
if( i % 16 == 0 )
|
||||||
|
{
|
||||||
|
if( i > 0 )
|
||||||
|
{
|
||||||
|
mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt );
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
|
||||||
|
idx = 0;
|
||||||
|
memset( txt, 0, sizeof( txt ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, "%04x: ",
|
||||||
|
(unsigned int) i );
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x",
|
||||||
|
(unsigned int) buf[i] );
|
||||||
|
txt[i % 16] = ( buf[i] > 31 && buf[i] < 127 ) ? buf[i] : '.' ;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( len > 0 )
|
||||||
|
{
|
||||||
|
for( /* i = i */; i % 16 != 0; i++ )
|
||||||
|
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " " );
|
||||||
|
|
||||||
|
mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %s\n", txt );
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
void mbedtls_debug_print_ecp( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_ecp_point *X )
|
||||||
|
{
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
|
||||||
|
if( NULL == ssl ||
|
||||||
|
NULL == ssl->conf ||
|
||||||
|
NULL == ssl->conf->f_dbg ||
|
||||||
|
level > debug_threshold )
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_snprintf( str, sizeof( str ), "%s(X)", text );
|
||||||
|
mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->X );
|
||||||
|
|
||||||
|
mbedtls_snprintf( str, sizeof( str ), "%s(Y)", text );
|
||||||
|
mbedtls_debug_print_mpi( ssl, level, file, line, str, &X->Y );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECP_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BIGNUM_C)
|
||||||
|
void mbedtls_debug_print_mpi( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_mpi *X )
|
||||||
|
{
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
int j, k, zeros = 1;
|
||||||
|
size_t i, n, idx = 0;
|
||||||
|
|
||||||
|
if( NULL == ssl ||
|
||||||
|
NULL == ssl->conf ||
|
||||||
|
NULL == ssl->conf->f_dbg ||
|
||||||
|
NULL == X ||
|
||||||
|
level > debug_threshold )
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
for( n = X->n - 1; n > 0; n-- )
|
||||||
|
if( X->p[n] != 0 )
|
||||||
|
break;
|
||||||
|
|
||||||
|
for( j = ( sizeof(mbedtls_mpi_uint) << 3 ) - 1; j >= 0; j-- )
|
||||||
|
if( ( ( X->p[n] >> j ) & 1 ) != 0 )
|
||||||
|
break;
|
||||||
|
|
||||||
|
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "value of '%s' (%d bits) is:\n",
|
||||||
|
text, (int) ( ( n * ( sizeof(mbedtls_mpi_uint) << 3 ) ) + j + 1 ) );
|
||||||
|
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
|
||||||
|
idx = 0;
|
||||||
|
for( i = n + 1, j = 0; i > 0; i-- )
|
||||||
|
{
|
||||||
|
if( zeros && X->p[i - 1] == 0 )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
for( k = sizeof( mbedtls_mpi_uint ) - 1; k >= 0; k-- )
|
||||||
|
{
|
||||||
|
if( zeros && ( ( X->p[i - 1] >> ( k << 3 ) ) & 0xFF ) == 0 )
|
||||||
|
continue;
|
||||||
|
else
|
||||||
|
zeros = 0;
|
||||||
|
|
||||||
|
if( j % 16 == 0 )
|
||||||
|
{
|
||||||
|
if( j > 0 )
|
||||||
|
{
|
||||||
|
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
idx = 0;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " %02x", (unsigned int)
|
||||||
|
( X->p[i - 1] >> ( k << 3 ) ) & 0xFF );
|
||||||
|
|
||||||
|
j++;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
if( zeros == 1 )
|
||||||
|
idx += mbedtls_snprintf( str + idx, sizeof( str ) - idx, " 00" );
|
||||||
|
|
||||||
|
mbedtls_snprintf( str + idx, sizeof( str ) - idx, "\n" );
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_BIGNUM_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
static void debug_print_pk( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_pk_context *pk )
|
||||||
|
{
|
||||||
|
size_t i;
|
||||||
|
mbedtls_pk_debug_item items[MBEDTLS_PK_DEBUG_MAX_ITEMS];
|
||||||
|
char name[16];
|
||||||
|
|
||||||
|
memset( items, 0, sizeof( items ) );
|
||||||
|
|
||||||
|
if( mbedtls_pk_debug( pk, items ) != 0 )
|
||||||
|
{
|
||||||
|
debug_send_line( ssl, level, file, line,
|
||||||
|
"invalid PK context\n" );
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
for( i = 0; i < MBEDTLS_PK_DEBUG_MAX_ITEMS; i++ )
|
||||||
|
{
|
||||||
|
if( items[i].type == MBEDTLS_PK_DEBUG_NONE )
|
||||||
|
return;
|
||||||
|
|
||||||
|
mbedtls_snprintf( name, sizeof( name ), "%s%s", text, items[i].name );
|
||||||
|
name[sizeof( name ) - 1] = '\0';
|
||||||
|
|
||||||
|
if( items[i].type == MBEDTLS_PK_DEBUG_MPI )
|
||||||
|
mbedtls_debug_print_mpi( ssl, level, file, line, name, items[i].value );
|
||||||
|
else
|
||||||
|
#if defined(MBEDTLS_ECP_C)
|
||||||
|
if( items[i].type == MBEDTLS_PK_DEBUG_ECP )
|
||||||
|
mbedtls_debug_print_ecp( ssl, level, file, line, name, items[i].value );
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
debug_send_line( ssl, level, file, line,
|
||||||
|
"should not happen\n" );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
static void debug_print_line_by_line( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line, const char *text )
|
||||||
|
{
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
const char *start, *cur;
|
||||||
|
|
||||||
|
start = text;
|
||||||
|
for( cur = text; *cur != '\0'; cur++ )
|
||||||
|
{
|
||||||
|
if( *cur == '\n' )
|
||||||
|
{
|
||||||
|
size_t len = cur - start + 1;
|
||||||
|
if( len > DEBUG_BUF_SIZE - 1 )
|
||||||
|
len = DEBUG_BUF_SIZE - 1;
|
||||||
|
|
||||||
|
memcpy( str, start, len );
|
||||||
|
str[len] = '\0';
|
||||||
|
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
|
||||||
|
start = cur + 1;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_debug_print_crt( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const char *text, const mbedtls_x509_crt *crt )
|
||||||
|
{
|
||||||
|
char str[DEBUG_BUF_SIZE];
|
||||||
|
int i = 0;
|
||||||
|
|
||||||
|
if( NULL == ssl ||
|
||||||
|
NULL == ssl->conf ||
|
||||||
|
NULL == ssl->conf->f_dbg ||
|
||||||
|
NULL == crt ||
|
||||||
|
level > debug_threshold )
|
||||||
|
{
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
while( crt != NULL )
|
||||||
|
{
|
||||||
|
char buf[1024];
|
||||||
|
|
||||||
|
mbedtls_snprintf( str, sizeof( str ), "%s #%d:\n", text, ++i );
|
||||||
|
debug_send_line( ssl, level, file, line, str );
|
||||||
|
|
||||||
|
mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
|
||||||
|
debug_print_line_by_line( ssl, level, file, line, buf );
|
||||||
|
|
||||||
|
debug_print_pk( ssl, level, file, line, "crt->", &crt->pk );
|
||||||
|
|
||||||
|
crt = crt->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_ECDH_C)
|
||||||
|
static void mbedtls_debug_printf_ecdh_internal( const mbedtls_ssl_context *ssl,
|
||||||
|
int level, const char *file,
|
||||||
|
int line,
|
||||||
|
const mbedtls_ecdh_context *ecdh,
|
||||||
|
mbedtls_debug_ecdh_attr attr )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||||||
|
const mbedtls_ecdh_context* ctx = ecdh;
|
||||||
|
#else
|
||||||
|
const mbedtls_ecdh_context_mbed* ctx = &ecdh->ctx.mbed_ecdh;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
switch( attr )
|
||||||
|
{
|
||||||
|
case MBEDTLS_DEBUG_ECDH_Q:
|
||||||
|
mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Q",
|
||||||
|
&ctx->Q );
|
||||||
|
break;
|
||||||
|
case MBEDTLS_DEBUG_ECDH_QP:
|
||||||
|
mbedtls_debug_print_ecp( ssl, level, file, line, "ECDH: Qp",
|
||||||
|
&ctx->Qp );
|
||||||
|
break;
|
||||||
|
case MBEDTLS_DEBUG_ECDH_Z:
|
||||||
|
mbedtls_debug_print_mpi( ssl, level, file, line, "ECDH: z",
|
||||||
|
&ctx->z );
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_debug_printf_ecdh( const mbedtls_ssl_context *ssl, int level,
|
||||||
|
const char *file, int line,
|
||||||
|
const mbedtls_ecdh_context *ecdh,
|
||||||
|
mbedtls_debug_ecdh_attr attr )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||||||
|
mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh, attr );
|
||||||
|
#else
|
||||||
|
switch( ecdh->var )
|
||||||
|
{
|
||||||
|
default:
|
||||||
|
mbedtls_debug_printf_ecdh_internal( ssl, level, file, line, ecdh,
|
||||||
|
attr );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_ECDH_C */
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_DEBUG_C */
|
200
library/error.c
200
library/error.c
|
@ -140,6 +140,10 @@
|
||||||
#include "mbedtls/md5.h"
|
#include "mbedtls/md5.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NET_C)
|
||||||
|
#include "mbedtls/net_sockets.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_OID_C)
|
#if defined(MBEDTLS_OID_C)
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
#endif
|
#endif
|
||||||
|
@ -192,10 +196,18 @@
|
||||||
#include "mbedtls/sha512.h"
|
#include "mbedtls/sha512.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TLS_C)
|
||||||
|
#include "mbedtls/ssl.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_THREADING_C)
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
#include "mbedtls/threading.h"
|
#include "mbedtls/threading.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||||
|
#include "mbedtls/x509.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_XTEA_C)
|
#if defined(MBEDTLS_XTEA_C)
|
||||||
#include "mbedtls/xtea.h"
|
#include "mbedtls/xtea.h"
|
||||||
#endif
|
#endif
|
||||||
|
@ -401,6 +413,165 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
|
||||||
if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
|
if( use_ret == -(MBEDTLS_ERR_RSA_HW_ACCEL_FAILED) )
|
||||||
mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
|
mbedtls_snprintf( buf, buflen, "RSA - RSA hardware accelerator failed" );
|
||||||
#endif /* MBEDTLS_RSA_C */
|
#endif /* MBEDTLS_RSA_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TLS_C)
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The requested feature is not available" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_INPUT_DATA) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Bad input parameters to function" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_MAC) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Verification of the message MAC failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_RECORD) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - An invalid SSL record was received" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CONN_EOF) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The connection indicated an EOF" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_CIPHER) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - An unknown cipher was received" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_NO_RNG) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The own private key or pre-shared key is not set, but needed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - No CA Chain is set, but required to operate" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - An unexpected message was received from our peer" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE) )
|
||||||
|
{
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - A fatal alert message was received from our peer" );
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Verification of our peer failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The peer notified us that the connection is going to be closed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientHello handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHello handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the Certificate handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateRequest handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerKeyExchange handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ServerHelloDone handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Read Public" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ClientKeyExchange handshake message failed in DHM / ECDH Calculate Secret" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the CertificateVerify handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_CHANGE_CIPHER_SPEC) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the ChangeCipherSpec handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_FINISHED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the Finished handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_ALLOC_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Memory allocation failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function returned with error" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Hardware acceleration function skipped / left alone data" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_COMPRESSION_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the compression / decompression failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Handshake protocol not within min/max boundaries" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BAD_HS_NEW_SESSION_TICKET) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Processing of the NewSessionTicket handshake message failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Session ticket has expired" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Public key type mismatch (eg, asked for RSA key exchange and presented EC key)" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Unknown identity received (eg, PSK identity)" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_INTERNAL_ERROR) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_COUNTER_WRAPPING) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_WAITING_SERVER_HELLO_RENEGO) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Unexpected message at ServerHello in renegotiation" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - DTLS client must retry for hello verification" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - A buffer is too small to receive or write a message" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - None of the common ciphersuites is usable (eg, no suitable certificate, see debug messages)" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_WANT_READ) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - No data of requested type currently available on underlying transport" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_WANT_WRITE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Connection requires a write call" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_TIMEOUT) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The operation timed out" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CLIENT_RECONNECT) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The client initiated a reconnect from the same port" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_RECORD) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Record header looks valid but is not expected" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_NON_FATAL) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The alert message received indicates a non-fatal error" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Couldn't set the hash for verifying CertificateVerify" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CONTINUE_PROCESSING) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that further message-processing should be done" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - The asynchronous operation is not completed yet" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_EARLY_MESSAGE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
|
||||||
|
#endif /* MBEDTLS_SSL_TLS_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_USE_C) || defined(MBEDTLS_X509_CREATE_C)
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Unavailable feature, e.g. RSA hashing/encryption combination" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_OID) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Requested OID is unknown" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_FORMAT) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR format is invalid, e.g. different type expected" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_VERSION) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The CRT/CRL/CSR version element is invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SERIAL) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The serial tag or value is invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_ALG) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The algorithm tag or value is invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_NAME) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The name tag or value is invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_DATE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The date tag or value is invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_SIGNATURE) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The signature tag or value invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_INVALID_EXTENSIONS) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - The extension tag or value is invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_VERSION) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - CRT/CRL/CSR has an unsupported version number" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Signature algorithm (oid) is unsupported" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_SIG_MISMATCH) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Signature algorithms do not match. (see \\c ::mbedtls_x509_crt sig_oid)" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Certificate verification failed, e.g. CRL, CA or signature check failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_CERT_UNKNOWN_FORMAT) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_BAD_INPUT_DATA) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Input invalid" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_ALLOC_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Allocation of memory failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_FILE_IO_ERROR) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Read/write of file failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_BUFFER_TOO_SMALL) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - Destination buffer is too small" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_X509_FATAL_ERROR) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "X509 - A fatal error occurred, eg the chain is too long or the vrfy callback failed" );
|
||||||
|
#endif /* MBEDTLS_X509_USE_C || MBEDTLS_X509_CREATE_C */
|
||||||
// END generated code
|
// END generated code
|
||||||
|
|
||||||
if( strlen( buf ) == 0 )
|
if( strlen( buf ) == 0 )
|
||||||
|
@ -629,6 +800,35 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
|
||||||
mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
|
mbedtls_snprintf( buf, buflen, "MD5 - MD5 hardware accelerator failed" );
|
||||||
#endif /* MBEDTLS_MD5_C */
|
#endif /* MBEDTLS_MD5_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NET_C)
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_SOCKET_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Failed to open a socket" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_CONNECT_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - The connection to the given server / port failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_BIND_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Binding of the socket failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_LISTEN_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Could not listen on the socket" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_ACCEPT_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Could not accept the incoming connection" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_RECV_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Reading information from the socket failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_SEND_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Sending information through the socket failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_CONN_RESET) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Connection was reset by peer" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_UNKNOWN_HOST) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Failed to get an IP address for the given hostname" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_BUFFER_TOO_SMALL) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Buffer is too small to hold the data" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_INVALID_CONTEXT) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - The context is invalid, eg because it was free()ed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_POLL_FAILED) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Polling the net context failed" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_NET_BAD_INPUT_DATA) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "NET - Input invalid" );
|
||||||
|
#endif /* MBEDTLS_NET_C */
|
||||||
|
|
||||||
#if defined(MBEDTLS_OID_C)
|
#if defined(MBEDTLS_OID_C)
|
||||||
if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
|
if( use_ret == -(MBEDTLS_ERR_OID_NOT_FOUND) )
|
||||||
mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
|
mbedtls_snprintf( buf, buflen, "OID - OID is not found" );
|
||||||
|
|
668
library/net_sockets.c
Normal file
668
library/net_sockets.c
Normal file
|
@ -0,0 +1,668 @@
|
||||||
|
/*
|
||||||
|
* TCP/IP or UDP/IP networking functions
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Enable definition of getaddrinfo() even when compiling with -std=c99. Must
|
||||||
|
* be set before config.h, which pulls in glibc's features.h indirectly.
|
||||||
|
* Harmless on other platforms. */
|
||||||
|
#define _POSIX_C_SOURCE 200112L
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_NET_C)
|
||||||
|
|
||||||
|
#if !defined(unix) && !defined(__unix__) && !defined(__unix) && \
|
||||||
|
!defined(__APPLE__) && !defined(_WIN32) && !defined(__QNXNTO__) && \
|
||||||
|
!defined(__HAIKU__)
|
||||||
|
#error "This module only works on Unix and Windows, see MBEDTLS_NET_C in config.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "mbedtls/net_sockets.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#if (defined(_WIN32) || defined(_WIN32_WCE)) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
|
||||||
|
#define IS_EINTR( ret ) ( ( ret ) == WSAEINTR )
|
||||||
|
|
||||||
|
#if !defined(_WIN32_WINNT) || (_WIN32_WINNT < 0x0501)
|
||||||
|
#undef _WIN32_WINNT
|
||||||
|
/* Enables getaddrinfo() & Co */
|
||||||
|
#define _WIN32_WINNT 0x0501
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include <ws2tcpip.h>
|
||||||
|
|
||||||
|
#include <winsock2.h>
|
||||||
|
#include <windows.h>
|
||||||
|
|
||||||
|
#if defined(_MSC_VER)
|
||||||
|
#if defined(_WIN32_WCE)
|
||||||
|
#pragma comment( lib, "ws2.lib" )
|
||||||
|
#else
|
||||||
|
#pragma comment( lib, "ws2_32.lib" )
|
||||||
|
#endif
|
||||||
|
#endif /* _MSC_VER */
|
||||||
|
|
||||||
|
#define read(fd,buf,len) recv( fd, (char*)( buf ), (int)( len ), 0 )
|
||||||
|
#define write(fd,buf,len) send( fd, (char*)( buf ), (int)( len ), 0 )
|
||||||
|
#define close(fd) closesocket(fd)
|
||||||
|
|
||||||
|
static int wsa_init_done = 0;
|
||||||
|
|
||||||
|
#else /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
|
||||||
|
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/socket.h>
|
||||||
|
#include <netinet/in.h>
|
||||||
|
#include <arpa/inet.h>
|
||||||
|
#include <sys/time.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <signal.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
#include <netdb.h>
|
||||||
|
#include <errno.h>
|
||||||
|
|
||||||
|
#define IS_EINTR( ret ) ( ( ret ) == EINTR )
|
||||||
|
|
||||||
|
#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
|
||||||
|
|
||||||
|
/* Some MS functions want int and MSVC warns if we pass size_t,
|
||||||
|
* but the standard functions use socklen_t, so cast only for MSVC */
|
||||||
|
#if defined(_MSC_VER)
|
||||||
|
#define MSVC_INT_CAST (int)
|
||||||
|
#else
|
||||||
|
#define MSVC_INT_CAST
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
#include <time.h>
|
||||||
|
|
||||||
|
#include <stdint.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Prepare for using the sockets interface
|
||||||
|
*/
|
||||||
|
static int net_prepare( void )
|
||||||
|
{
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
WSADATA wsaData;
|
||||||
|
|
||||||
|
if( wsa_init_done == 0 )
|
||||||
|
{
|
||||||
|
if( WSAStartup( MAKEWORD(2,0), &wsaData ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_SOCKET_FAILED );
|
||||||
|
|
||||||
|
wsa_init_done = 1;
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
#if !defined(EFIX64) && !defined(EFI32)
|
||||||
|
signal( SIGPIPE, SIG_IGN );
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Initialize a context
|
||||||
|
*/
|
||||||
|
void mbedtls_net_init( mbedtls_net_context *ctx )
|
||||||
|
{
|
||||||
|
ctx->fd = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Initiate a TCP connection with host:port and the given protocol
|
||||||
|
*/
|
||||||
|
int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
|
||||||
|
const char *port, int proto )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
struct addrinfo hints, *addr_list, *cur;
|
||||||
|
|
||||||
|
if( ( ret = net_prepare() ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
/* Do name resolution with both IPv6 and IPv4 */
|
||||||
|
memset( &hints, 0, sizeof( hints ) );
|
||||||
|
hints.ai_family = AF_UNSPEC;
|
||||||
|
hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
|
||||||
|
hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
|
||||||
|
|
||||||
|
if( getaddrinfo( host, port, &hints, &addr_list ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
|
||||||
|
|
||||||
|
/* Try the sockaddrs until a connection succeeds */
|
||||||
|
ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
|
||||||
|
for( cur = addr_list; cur != NULL; cur = cur->ai_next )
|
||||||
|
{
|
||||||
|
ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
|
||||||
|
cur->ai_protocol );
|
||||||
|
if( ctx->fd < 0 )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( connect( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) == 0 )
|
||||||
|
{
|
||||||
|
ret = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
close( ctx->fd );
|
||||||
|
ret = MBEDTLS_ERR_NET_CONNECT_FAILED;
|
||||||
|
}
|
||||||
|
|
||||||
|
freeaddrinfo( addr_list );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Create a listening socket on bind_ip:port
|
||||||
|
*/
|
||||||
|
int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
|
||||||
|
{
|
||||||
|
int n, ret;
|
||||||
|
struct addrinfo hints, *addr_list, *cur;
|
||||||
|
|
||||||
|
if( ( ret = net_prepare() ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
/* Bind to IPv6 and/or IPv4, but only in the desired protocol */
|
||||||
|
memset( &hints, 0, sizeof( hints ) );
|
||||||
|
hints.ai_family = AF_UNSPEC;
|
||||||
|
hints.ai_socktype = proto == MBEDTLS_NET_PROTO_UDP ? SOCK_DGRAM : SOCK_STREAM;
|
||||||
|
hints.ai_protocol = proto == MBEDTLS_NET_PROTO_UDP ? IPPROTO_UDP : IPPROTO_TCP;
|
||||||
|
if( bind_ip == NULL )
|
||||||
|
hints.ai_flags = AI_PASSIVE;
|
||||||
|
|
||||||
|
if( getaddrinfo( bind_ip, port, &hints, &addr_list ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_UNKNOWN_HOST );
|
||||||
|
|
||||||
|
/* Try the sockaddrs until a binding succeeds */
|
||||||
|
ret = MBEDTLS_ERR_NET_UNKNOWN_HOST;
|
||||||
|
for( cur = addr_list; cur != NULL; cur = cur->ai_next )
|
||||||
|
{
|
||||||
|
ctx->fd = (int) socket( cur->ai_family, cur->ai_socktype,
|
||||||
|
cur->ai_protocol );
|
||||||
|
if( ctx->fd < 0 )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
n = 1;
|
||||||
|
if( setsockopt( ctx->fd, SOL_SOCKET, SO_REUSEADDR,
|
||||||
|
(const char *) &n, sizeof( n ) ) != 0 )
|
||||||
|
{
|
||||||
|
close( ctx->fd );
|
||||||
|
ret = MBEDTLS_ERR_NET_SOCKET_FAILED;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( bind( ctx->fd, cur->ai_addr, MSVC_INT_CAST cur->ai_addrlen ) != 0 )
|
||||||
|
{
|
||||||
|
close( ctx->fd );
|
||||||
|
ret = MBEDTLS_ERR_NET_BIND_FAILED;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Listen only makes sense for TCP */
|
||||||
|
if( proto == MBEDTLS_NET_PROTO_TCP )
|
||||||
|
{
|
||||||
|
if( listen( ctx->fd, MBEDTLS_NET_LISTEN_BACKLOG ) != 0 )
|
||||||
|
{
|
||||||
|
close( ctx->fd );
|
||||||
|
ret = MBEDTLS_ERR_NET_LISTEN_FAILED;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Bind was successful */
|
||||||
|
ret = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
freeaddrinfo( addr_list );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
/*
|
||||||
|
* Check if the requested operation would be blocking on a non-blocking socket
|
||||||
|
* and thus 'failed' with a negative return value.
|
||||||
|
*/
|
||||||
|
static int net_would_block( const mbedtls_net_context *ctx )
|
||||||
|
{
|
||||||
|
((void) ctx);
|
||||||
|
return( WSAGetLastError() == WSAEWOULDBLOCK );
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
/*
|
||||||
|
* Check if the requested operation would be blocking on a non-blocking socket
|
||||||
|
* and thus 'failed' with a negative return value.
|
||||||
|
*
|
||||||
|
* Note: on a blocking socket this function always returns 0!
|
||||||
|
*/
|
||||||
|
static int net_would_block( const mbedtls_net_context *ctx )
|
||||||
|
{
|
||||||
|
int err = errno;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Never return 'WOULD BLOCK' on a non-blocking socket
|
||||||
|
*/
|
||||||
|
if( ( fcntl( ctx->fd, F_GETFL ) & O_NONBLOCK ) != O_NONBLOCK )
|
||||||
|
{
|
||||||
|
errno = err;
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
switch( errno = err )
|
||||||
|
{
|
||||||
|
#if defined EAGAIN
|
||||||
|
case EAGAIN:
|
||||||
|
#endif
|
||||||
|
#if defined EWOULDBLOCK && EWOULDBLOCK != EAGAIN
|
||||||
|
case EWOULDBLOCK:
|
||||||
|
#endif
|
||||||
|
return( 1 );
|
||||||
|
}
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* ( _WIN32 || _WIN32_WCE ) && !EFIX64 && !EFI32 */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Accept a connection from a remote client
|
||||||
|
*/
|
||||||
|
int mbedtls_net_accept( mbedtls_net_context *bind_ctx,
|
||||||
|
mbedtls_net_context *client_ctx,
|
||||||
|
void *client_ip, size_t buf_size, size_t *ip_len )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
int type;
|
||||||
|
|
||||||
|
struct sockaddr_storage client_addr;
|
||||||
|
|
||||||
|
#if defined(__socklen_t_defined) || defined(_SOCKLEN_T) || \
|
||||||
|
defined(_SOCKLEN_T_DECLARED) || defined(__DEFINED_socklen_t)
|
||||||
|
socklen_t n = (socklen_t) sizeof( client_addr );
|
||||||
|
socklen_t type_len = (socklen_t) sizeof( type );
|
||||||
|
#else
|
||||||
|
int n = (int) sizeof( client_addr );
|
||||||
|
int type_len = (int) sizeof( type );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Is this a TCP or UDP socket? */
|
||||||
|
if( getsockopt( bind_ctx->fd, SOL_SOCKET, SO_TYPE,
|
||||||
|
(void *) &type, &type_len ) != 0 ||
|
||||||
|
( type != SOCK_STREAM && type != SOCK_DGRAM ) )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( type == SOCK_STREAM )
|
||||||
|
{
|
||||||
|
/* TCP: actual accept() */
|
||||||
|
ret = client_ctx->fd = (int) accept( bind_ctx->fd,
|
||||||
|
(struct sockaddr *) &client_addr, &n );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/* UDP: wait for a message, but keep it in the queue */
|
||||||
|
char buf[1] = { 0 };
|
||||||
|
|
||||||
|
ret = (int) recvfrom( bind_ctx->fd, buf, sizeof( buf ), MSG_PEEK,
|
||||||
|
(struct sockaddr *) &client_addr, &n );
|
||||||
|
|
||||||
|
#if defined(_WIN32)
|
||||||
|
if( ret == SOCKET_ERROR &&
|
||||||
|
WSAGetLastError() == WSAEMSGSIZE )
|
||||||
|
{
|
||||||
|
/* We know buf is too small, thanks, just peeking here */
|
||||||
|
ret = 0;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret < 0 )
|
||||||
|
{
|
||||||
|
if( net_would_block( bind_ctx ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
/* UDP: hijack the listening socket to communicate with the client,
|
||||||
|
* then bind a new socket to accept new connections */
|
||||||
|
if( type != SOCK_STREAM )
|
||||||
|
{
|
||||||
|
struct sockaddr_storage local_addr;
|
||||||
|
int one = 1;
|
||||||
|
|
||||||
|
if( connect( bind_ctx->fd, (struct sockaddr *) &client_addr, n ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_ACCEPT_FAILED );
|
||||||
|
|
||||||
|
client_ctx->fd = bind_ctx->fd;
|
||||||
|
bind_ctx->fd = -1; /* In case we exit early */
|
||||||
|
|
||||||
|
n = sizeof( struct sockaddr_storage );
|
||||||
|
if( getsockname( client_ctx->fd,
|
||||||
|
(struct sockaddr *) &local_addr, &n ) != 0 ||
|
||||||
|
( bind_ctx->fd = (int) socket( local_addr.ss_family,
|
||||||
|
SOCK_DGRAM, IPPROTO_UDP ) ) < 0 ||
|
||||||
|
setsockopt( bind_ctx->fd, SOL_SOCKET, SO_REUSEADDR,
|
||||||
|
(const char *) &one, sizeof( one ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_NET_SOCKET_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( bind( bind_ctx->fd, (struct sockaddr *) &local_addr, n ) != 0 )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_NET_BIND_FAILED );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if( client_ip != NULL )
|
||||||
|
{
|
||||||
|
if( client_addr.ss_family == AF_INET )
|
||||||
|
{
|
||||||
|
struct sockaddr_in *addr4 = (struct sockaddr_in *) &client_addr;
|
||||||
|
*ip_len = sizeof( addr4->sin_addr.s_addr );
|
||||||
|
|
||||||
|
if( buf_size < *ip_len )
|
||||||
|
return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
memcpy( client_ip, &addr4->sin_addr.s_addr, *ip_len );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
struct sockaddr_in6 *addr6 = (struct sockaddr_in6 *) &client_addr;
|
||||||
|
*ip_len = sizeof( addr6->sin6_addr.s6_addr );
|
||||||
|
|
||||||
|
if( buf_size < *ip_len )
|
||||||
|
return( MBEDTLS_ERR_NET_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
memcpy( client_ip, &addr6->sin6_addr.s6_addr, *ip_len);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Set the socket blocking or non-blocking
|
||||||
|
*/
|
||||||
|
int mbedtls_net_set_block( mbedtls_net_context *ctx )
|
||||||
|
{
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
u_long n = 0;
|
||||||
|
return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
|
||||||
|
#else
|
||||||
|
return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) & ~O_NONBLOCK ) );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_net_set_nonblock( mbedtls_net_context *ctx )
|
||||||
|
{
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
u_long n = 1;
|
||||||
|
return( ioctlsocket( ctx->fd, FIONBIO, &n ) );
|
||||||
|
#else
|
||||||
|
return( fcntl( ctx->fd, F_SETFL, fcntl( ctx->fd, F_GETFL ) | O_NONBLOCK ) );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check if data is available on the socket
|
||||||
|
*/
|
||||||
|
|
||||||
|
int mbedtls_net_poll( mbedtls_net_context *ctx, uint32_t rw, uint32_t timeout )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
struct timeval tv;
|
||||||
|
|
||||||
|
fd_set read_fds;
|
||||||
|
fd_set write_fds;
|
||||||
|
|
||||||
|
int fd = ctx->fd;
|
||||||
|
|
||||||
|
if( fd < 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||||
|
|
||||||
|
#if defined(__has_feature)
|
||||||
|
#if __has_feature(memory_sanitizer)
|
||||||
|
/* Ensure that memory sanitizers consider read_fds and write_fds as
|
||||||
|
* initialized even on platforms such as Glibc/x86_64 where FD_ZERO
|
||||||
|
* is implemented in assembly. */
|
||||||
|
memset( &read_fds, 0, sizeof( read_fds ) );
|
||||||
|
memset( &write_fds, 0, sizeof( write_fds ) );
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
FD_ZERO( &read_fds );
|
||||||
|
if( rw & MBEDTLS_NET_POLL_READ )
|
||||||
|
{
|
||||||
|
rw &= ~MBEDTLS_NET_POLL_READ;
|
||||||
|
FD_SET( fd, &read_fds );
|
||||||
|
}
|
||||||
|
|
||||||
|
FD_ZERO( &write_fds );
|
||||||
|
if( rw & MBEDTLS_NET_POLL_WRITE )
|
||||||
|
{
|
||||||
|
rw &= ~MBEDTLS_NET_POLL_WRITE;
|
||||||
|
FD_SET( fd, &write_fds );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( rw != 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
tv.tv_sec = timeout / 1000;
|
||||||
|
tv.tv_usec = ( timeout % 1000 ) * 1000;
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
ret = select( fd + 1, &read_fds, &write_fds, NULL,
|
||||||
|
timeout == (uint32_t) -1 ? NULL : &tv );
|
||||||
|
}
|
||||||
|
while( IS_EINTR( ret ) );
|
||||||
|
|
||||||
|
if( ret < 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_POLL_FAILED );
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
if( FD_ISSET( fd, &read_fds ) )
|
||||||
|
ret |= MBEDTLS_NET_POLL_READ;
|
||||||
|
if( FD_ISSET( fd, &write_fds ) )
|
||||||
|
ret |= MBEDTLS_NET_POLL_WRITE;
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Portable usleep helper
|
||||||
|
*/
|
||||||
|
void mbedtls_net_usleep( unsigned long usec )
|
||||||
|
{
|
||||||
|
#if defined(_WIN32)
|
||||||
|
Sleep( ( usec + 999 ) / 1000 );
|
||||||
|
#else
|
||||||
|
struct timeval tv;
|
||||||
|
tv.tv_sec = usec / 1000000;
|
||||||
|
#if defined(__unix__) || defined(__unix) || \
|
||||||
|
( defined(__APPLE__) && defined(__MACH__) )
|
||||||
|
tv.tv_usec = (suseconds_t) usec % 1000000;
|
||||||
|
#else
|
||||||
|
tv.tv_usec = usec % 1000000;
|
||||||
|
#endif
|
||||||
|
select( 0, NULL, NULL, NULL, &tv );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Read at most 'len' characters
|
||||||
|
*/
|
||||||
|
int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
int fd = ((mbedtls_net_context *) ctx)->fd;
|
||||||
|
|
||||||
|
if( fd < 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||||
|
|
||||||
|
ret = (int) read( fd, buf, len );
|
||||||
|
|
||||||
|
if( ret < 0 )
|
||||||
|
{
|
||||||
|
if( net_would_block( ctx ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||||
|
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
if( WSAGetLastError() == WSAECONNRESET )
|
||||||
|
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||||
|
#else
|
||||||
|
if( errno == EPIPE || errno == ECONNRESET )
|
||||||
|
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||||
|
|
||||||
|
if( errno == EINTR )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_NET_RECV_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Read at most 'len' characters, blocking for at most 'timeout' ms
|
||||||
|
*/
|
||||||
|
int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf,
|
||||||
|
size_t len, uint32_t timeout )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
struct timeval tv;
|
||||||
|
fd_set read_fds;
|
||||||
|
int fd = ((mbedtls_net_context *) ctx)->fd;
|
||||||
|
|
||||||
|
if( fd < 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||||
|
|
||||||
|
FD_ZERO( &read_fds );
|
||||||
|
FD_SET( fd, &read_fds );
|
||||||
|
|
||||||
|
tv.tv_sec = timeout / 1000;
|
||||||
|
tv.tv_usec = ( timeout % 1000 ) * 1000;
|
||||||
|
|
||||||
|
ret = select( fd + 1, &read_fds, NULL, NULL, timeout == 0 ? NULL : &tv );
|
||||||
|
|
||||||
|
/* Zero fds ready means we timed out */
|
||||||
|
if( ret == 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_TIMEOUT );
|
||||||
|
|
||||||
|
if( ret < 0 )
|
||||||
|
{
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
if( WSAGetLastError() == WSAEINTR )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||||
|
#else
|
||||||
|
if( errno == EINTR )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_READ );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_NET_RECV_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
/* This call will not block */
|
||||||
|
return( mbedtls_net_recv( ctx, buf, len ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Write at most 'len' characters
|
||||||
|
*/
|
||||||
|
int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
int fd = ((mbedtls_net_context *) ctx)->fd;
|
||||||
|
|
||||||
|
if( fd < 0 )
|
||||||
|
return( MBEDTLS_ERR_NET_INVALID_CONTEXT );
|
||||||
|
|
||||||
|
ret = (int) write( fd, buf, len );
|
||||||
|
|
||||||
|
if( ret < 0 )
|
||||||
|
{
|
||||||
|
if( net_would_block( ctx ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_WRITE );
|
||||||
|
|
||||||
|
#if ( defined(_WIN32) || defined(_WIN32_WCE) ) && !defined(EFIX64) && \
|
||||||
|
!defined(EFI32)
|
||||||
|
if( WSAGetLastError() == WSAECONNRESET )
|
||||||
|
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||||
|
#else
|
||||||
|
if( errno == EPIPE || errno == ECONNRESET )
|
||||||
|
return( MBEDTLS_ERR_NET_CONN_RESET );
|
||||||
|
|
||||||
|
if( errno == EINTR )
|
||||||
|
return( MBEDTLS_ERR_SSL_WANT_WRITE );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_NET_SEND_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Gracefully close the connection
|
||||||
|
*/
|
||||||
|
void mbedtls_net_free( mbedtls_net_context *ctx )
|
||||||
|
{
|
||||||
|
if( ctx->fd == -1 )
|
||||||
|
return;
|
||||||
|
|
||||||
|
shutdown( ctx->fd, 2 );
|
||||||
|
close( ctx->fd );
|
||||||
|
|
||||||
|
ctx->fd = -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_NET_C */
|
240
library/pkcs11.c
Normal file
240
library/pkcs11.c
Normal file
|
@ -0,0 +1,240 @@
|
||||||
|
/**
|
||||||
|
* \file pkcs11.c
|
||||||
|
*
|
||||||
|
* \brief Wrapper for PKCS#11 library libpkcs11-helper
|
||||||
|
*
|
||||||
|
* \author Adriaan de Jong <dejong@fox-it.com>
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#include "mbedtls/pkcs11.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PKCS11_C)
|
||||||
|
|
||||||
|
#include "mbedtls/md.h"
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
#include "mbedtls/x509_crt.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_free free
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
void mbedtls_pkcs11_init( mbedtls_pkcs11_context *ctx )
|
||||||
|
{
|
||||||
|
memset( ctx, 0, sizeof( mbedtls_pkcs11_context ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_pkcs11_x509_cert_bind( mbedtls_x509_crt *cert, pkcs11h_certificate_t pkcs11_cert )
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
unsigned char *cert_blob = NULL;
|
||||||
|
size_t cert_blob_size = 0;
|
||||||
|
|
||||||
|
if( cert == NULL )
|
||||||
|
{
|
||||||
|
ret = 2;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, NULL,
|
||||||
|
&cert_blob_size ) != CKR_OK )
|
||||||
|
{
|
||||||
|
ret = 3;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
cert_blob = mbedtls_calloc( 1, cert_blob_size );
|
||||||
|
if( NULL == cert_blob )
|
||||||
|
{
|
||||||
|
ret = 4;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( pkcs11h_certificate_getCertificateBlob( pkcs11_cert, cert_blob,
|
||||||
|
&cert_blob_size ) != CKR_OK )
|
||||||
|
{
|
||||||
|
ret = 5;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( 0 != mbedtls_x509_crt_parse( cert, cert_blob, cert_blob_size ) )
|
||||||
|
{
|
||||||
|
ret = 6;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
if( NULL != cert_blob )
|
||||||
|
mbedtls_free( cert_blob );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
int mbedtls_pkcs11_priv_key_bind( mbedtls_pkcs11_context *priv_key,
|
||||||
|
pkcs11h_certificate_t pkcs11_cert )
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
mbedtls_x509_crt cert;
|
||||||
|
|
||||||
|
mbedtls_x509_crt_init( &cert );
|
||||||
|
|
||||||
|
if( priv_key == NULL )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
if( 0 != mbedtls_pkcs11_x509_cert_bind( &cert, pkcs11_cert ) )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
priv_key->len = mbedtls_pk_get_len( &cert.pk );
|
||||||
|
priv_key->pkcs11h_cert = pkcs11_cert;
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
mbedtls_x509_crt_free( &cert );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_pkcs11_priv_key_free( mbedtls_pkcs11_context *priv_key )
|
||||||
|
{
|
||||||
|
if( NULL != priv_key )
|
||||||
|
pkcs11h_certificate_freeCertificate( priv_key->pkcs11h_cert );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_pkcs11_decrypt( mbedtls_pkcs11_context *ctx,
|
||||||
|
int mode, size_t *olen,
|
||||||
|
const unsigned char *input,
|
||||||
|
unsigned char *output,
|
||||||
|
size_t output_max_len )
|
||||||
|
{
|
||||||
|
size_t input_len, output_len;
|
||||||
|
|
||||||
|
if( NULL == ctx )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( MBEDTLS_RSA_PRIVATE != mode )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
output_len = input_len = ctx->len;
|
||||||
|
|
||||||
|
if( input_len < 16 || input_len > output_max_len )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
/* Determine size of output buffer */
|
||||||
|
if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
|
||||||
|
input_len, NULL, &output_len ) != CKR_OK )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( output_len > output_max_len )
|
||||||
|
return( MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE );
|
||||||
|
|
||||||
|
if( pkcs11h_certificate_decryptAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, input,
|
||||||
|
input_len, output, &output_len ) != CKR_OK )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
*olen = output_len;
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_pkcs11_sign( mbedtls_pkcs11_context *ctx,
|
||||||
|
int mode,
|
||||||
|
mbedtls_md_type_t md_alg,
|
||||||
|
unsigned int hashlen,
|
||||||
|
const unsigned char *hash,
|
||||||
|
unsigned char *sig )
|
||||||
|
{
|
||||||
|
size_t sig_len = 0, asn_len = 0, oid_size = 0;
|
||||||
|
unsigned char *p = sig;
|
||||||
|
const char *oid;
|
||||||
|
|
||||||
|
if( NULL == ctx )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( MBEDTLS_RSA_PRIVATE != mode )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( md_alg != MBEDTLS_MD_NONE )
|
||||||
|
{
|
||||||
|
const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type( md_alg );
|
||||||
|
if( md_info == NULL )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( mbedtls_oid_get_oid_by_md( md_alg, &oid, &oid_size ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
hashlen = mbedtls_md_get_size( md_info );
|
||||||
|
asn_len = 10 + oid_size;
|
||||||
|
}
|
||||||
|
|
||||||
|
sig_len = ctx->len;
|
||||||
|
if( hashlen > sig_len || asn_len > sig_len ||
|
||||||
|
hashlen + asn_len > sig_len )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( md_alg != MBEDTLS_MD_NONE )
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* DigestInfo ::= SEQUENCE {
|
||||||
|
* digestAlgorithm DigestAlgorithmIdentifier,
|
||||||
|
* digest Digest }
|
||||||
|
*
|
||||||
|
* DigestAlgorithmIdentifier ::= AlgorithmIdentifier
|
||||||
|
*
|
||||||
|
* Digest ::= OCTET STRING
|
||||||
|
*/
|
||||||
|
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
|
||||||
|
*p++ = (unsigned char) ( 0x08 + oid_size + hashlen );
|
||||||
|
*p++ = MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED;
|
||||||
|
*p++ = (unsigned char) ( 0x04 + oid_size );
|
||||||
|
*p++ = MBEDTLS_ASN1_OID;
|
||||||
|
*p++ = oid_size & 0xFF;
|
||||||
|
memcpy( p, oid, oid_size );
|
||||||
|
p += oid_size;
|
||||||
|
*p++ = MBEDTLS_ASN1_NULL;
|
||||||
|
*p++ = 0x00;
|
||||||
|
*p++ = MBEDTLS_ASN1_OCTET_STRING;
|
||||||
|
*p++ = hashlen;
|
||||||
|
}
|
||||||
|
|
||||||
|
memcpy( p, hash, hashlen );
|
||||||
|
|
||||||
|
if( pkcs11h_certificate_signAny( ctx->pkcs11h_cert, CKM_RSA_PKCS, sig,
|
||||||
|
asn_len + hashlen, sig, &sig_len ) != CKR_OK )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_RSA_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* defined(MBEDTLS_PKCS11_C) */
|
353
library/ssl_cache.c
Normal file
353
library/ssl_cache.c
Normal file
|
@ -0,0 +1,353 @@
|
||||||
|
/*
|
||||||
|
* SSL session cache implementation
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* These session callbacks use a simple chained list
|
||||||
|
* to store and retrieve the session information.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CACHE_C)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_free free
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "mbedtls/ssl_cache.h"
|
||||||
|
#include "mbedtls/ssl_internal.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
void mbedtls_ssl_cache_init( mbedtls_ssl_cache_context *cache )
|
||||||
|
{
|
||||||
|
memset( cache, 0, sizeof( mbedtls_ssl_cache_context ) );
|
||||||
|
|
||||||
|
cache->timeout = MBEDTLS_SSL_CACHE_DEFAULT_TIMEOUT;
|
||||||
|
cache->max_entries = MBEDTLS_SSL_CACHE_DEFAULT_MAX_ENTRIES;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_mutex_init( &cache->mutex );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
mbedtls_time_t t = mbedtls_time( NULL );
|
||||||
|
#endif
|
||||||
|
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
|
||||||
|
mbedtls_ssl_cache_entry *cur, *entry;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_lock( &cache->mutex ) != 0 )
|
||||||
|
return( 1 );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
cur = cache->chain;
|
||||||
|
entry = NULL;
|
||||||
|
|
||||||
|
while( cur != NULL )
|
||||||
|
{
|
||||||
|
entry = cur;
|
||||||
|
cur = cur->next;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
if( cache->timeout != 0 &&
|
||||||
|
(int) ( t - entry->timestamp ) > cache->timeout )
|
||||||
|
continue;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( session->ciphersuite != entry->session.ciphersuite ||
|
||||||
|
session->compression != entry->session.compression ||
|
||||||
|
session->id_len != entry->session.id_len )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if( memcmp( session->id, entry->session.id,
|
||||||
|
entry->session.id_len ) != 0 )
|
||||||
|
continue;
|
||||||
|
|
||||||
|
ret = mbedtls_ssl_session_copy( session, &entry->session );
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
/*
|
||||||
|
* Restore peer certificate (without rest of the original chain)
|
||||||
|
*/
|
||||||
|
if( entry->peer_cert.p != NULL )
|
||||||
|
{
|
||||||
|
/* `session->peer_cert` is NULL after the call to
|
||||||
|
* mbedtls_ssl_session_copy(), because cache entries
|
||||||
|
* have the `peer_cert` field set to NULL. */
|
||||||
|
|
||||||
|
if( ( session->peer_cert = mbedtls_calloc( 1,
|
||||||
|
sizeof(mbedtls_x509_crt) ) ) == NULL )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_x509_crt_init( session->peer_cert );
|
||||||
|
if( mbedtls_x509_crt_parse( session->peer_cert, entry->peer_cert.p,
|
||||||
|
entry->peer_cert.len ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_free( session->peer_cert );
|
||||||
|
session->peer_cert = NULL;
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
exit:
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
|
||||||
|
ret = 1;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_ssl_cache_set( void *data, const mbedtls_ssl_session *session )
|
||||||
|
{
|
||||||
|
int ret = 1;
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
mbedtls_time_t t = mbedtls_time( NULL ), oldest = 0;
|
||||||
|
mbedtls_ssl_cache_entry *old = NULL;
|
||||||
|
#endif
|
||||||
|
mbedtls_ssl_cache_context *cache = (mbedtls_ssl_cache_context *) data;
|
||||||
|
mbedtls_ssl_cache_entry *cur, *prv;
|
||||||
|
int count = 0;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( ( ret = mbedtls_mutex_lock( &cache->mutex ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
cur = cache->chain;
|
||||||
|
prv = NULL;
|
||||||
|
|
||||||
|
while( cur != NULL )
|
||||||
|
{
|
||||||
|
count++;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
if( cache->timeout != 0 &&
|
||||||
|
(int) ( t - cur->timestamp ) > cache->timeout )
|
||||||
|
{
|
||||||
|
cur->timestamp = t;
|
||||||
|
break; /* expired, reuse this slot, update timestamp */
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( memcmp( session->id, cur->session.id, cur->session.id_len ) == 0 )
|
||||||
|
break; /* client reconnected, keep timestamp for session id */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
if( oldest == 0 || cur->timestamp < oldest )
|
||||||
|
{
|
||||||
|
oldest = cur->timestamp;
|
||||||
|
old = cur;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
prv = cur;
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( cur == NULL )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
/*
|
||||||
|
* Reuse oldest entry if max_entries reached
|
||||||
|
*/
|
||||||
|
if( count >= cache->max_entries )
|
||||||
|
{
|
||||||
|
if( old == NULL )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
cur = old;
|
||||||
|
}
|
||||||
|
#else /* MBEDTLS_HAVE_TIME */
|
||||||
|
/*
|
||||||
|
* Reuse first entry in chain if max_entries reached,
|
||||||
|
* but move to last place
|
||||||
|
*/
|
||||||
|
if( count >= cache->max_entries )
|
||||||
|
{
|
||||||
|
if( cache->chain == NULL )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
cur = cache->chain;
|
||||||
|
cache->chain = cur->next;
|
||||||
|
cur->next = NULL;
|
||||||
|
prv->next = cur;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_HAVE_TIME */
|
||||||
|
else
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* max_entries not reached, create new entry
|
||||||
|
*/
|
||||||
|
cur = mbedtls_calloc( 1, sizeof(mbedtls_ssl_cache_entry) );
|
||||||
|
if( cur == NULL )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( prv == NULL )
|
||||||
|
cache->chain = cur;
|
||||||
|
else
|
||||||
|
prv->next = cur;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
cur->timestamp = t;
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
/*
|
||||||
|
* If we're reusing an entry, free its certificate first
|
||||||
|
*/
|
||||||
|
if( cur->peer_cert.p != NULL )
|
||||||
|
{
|
||||||
|
mbedtls_free( cur->peer_cert.p );
|
||||||
|
memset( &cur->peer_cert, 0, sizeof(mbedtls_x509_buf) );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
|
/* Copy the entire session; this temporarily makes a copy of the
|
||||||
|
* X.509 CRT structure even though we only want to store the raw CRT.
|
||||||
|
* This inefficiency will go away as soon as we implement on-demand
|
||||||
|
* parsing of CRTs, in which case there's no need for the `peer_cert`
|
||||||
|
* field anymore in the first place, and we're done after this call. */
|
||||||
|
ret = mbedtls_ssl_session_copy( &cur->session, session );
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
/* If present, free the X.509 structure and only store the raw CRT data. */
|
||||||
|
if( cur->session.peer_cert != NULL )
|
||||||
|
{
|
||||||
|
cur->peer_cert.p =
|
||||||
|
mbedtls_calloc( 1, cur->session.peer_cert->raw.len );
|
||||||
|
if( cur->peer_cert.p == NULL )
|
||||||
|
{
|
||||||
|
ret = 1;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
memcpy( cur->peer_cert.p,
|
||||||
|
cur->session.peer_cert->raw.p,
|
||||||
|
cur->session.peer_cert->raw.len );
|
||||||
|
cur->peer_cert.len = session->peer_cert->raw.len;
|
||||||
|
|
||||||
|
mbedtls_x509_crt_free( cur->session.peer_cert );
|
||||||
|
mbedtls_free( cur->session.peer_cert );
|
||||||
|
cur->session.peer_cert = NULL;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
|
ret = 0;
|
||||||
|
|
||||||
|
exit:
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_unlock( &cache->mutex ) != 0 )
|
||||||
|
ret = 1;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
void mbedtls_ssl_cache_set_timeout( mbedtls_ssl_cache_context *cache, int timeout )
|
||||||
|
{
|
||||||
|
if( timeout < 0 ) timeout = 0;
|
||||||
|
|
||||||
|
cache->timeout = timeout;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_HAVE_TIME */
|
||||||
|
|
||||||
|
void mbedtls_ssl_cache_set_max_entries( mbedtls_ssl_cache_context *cache, int max )
|
||||||
|
{
|
||||||
|
if( max < 0 ) max = 0;
|
||||||
|
|
||||||
|
cache->max_entries = max;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_ssl_cache_free( mbedtls_ssl_cache_context *cache )
|
||||||
|
{
|
||||||
|
mbedtls_ssl_cache_entry *cur, *prv;
|
||||||
|
|
||||||
|
cur = cache->chain;
|
||||||
|
|
||||||
|
while( cur != NULL )
|
||||||
|
{
|
||||||
|
prv = cur;
|
||||||
|
cur = cur->next;
|
||||||
|
|
||||||
|
mbedtls_ssl_session_free( &prv->session );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
|
||||||
|
defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
mbedtls_free( prv->peer_cert.p );
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
|
mbedtls_free( prv );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_mutex_free( &cache->mutex );
|
||||||
|
#endif
|
||||||
|
cache->chain = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_SSL_CACHE_C */
|
2373
library/ssl_ciphersuites.c
Normal file
2373
library/ssl_ciphersuites.c
Normal file
File diff suppressed because it is too large
Load diff
3944
library/ssl_cli.c
Normal file
3944
library/ssl_cli.c
Normal file
File diff suppressed because it is too large
Load diff
256
library/ssl_cookie.c
Normal file
256
library/ssl_cookie.c
Normal file
|
@ -0,0 +1,256 @@
|
||||||
|
/*
|
||||||
|
* DTLS cookie callbacks implementation
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* These session callbacks use a simple chained list
|
||||||
|
* to store and retrieve the session information.
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_COOKIE_C)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_free free
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "mbedtls/ssl_cookie.h"
|
||||||
|
#include "mbedtls/ssl_internal.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
* If DTLS is in use, then at least one of SHA-1, SHA-256, SHA-512 is
|
||||||
|
* available. Try SHA-256 first, 512 wastes resources since we need to stay
|
||||||
|
* with max 32 bytes of cookie for DTLS 1.0
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
#define COOKIE_MD MBEDTLS_MD_SHA224
|
||||||
|
#define COOKIE_MD_OUTLEN 32
|
||||||
|
#define COOKIE_HMAC_LEN 28
|
||||||
|
#elif defined(MBEDTLS_SHA512_C)
|
||||||
|
#define COOKIE_MD MBEDTLS_MD_SHA384
|
||||||
|
#define COOKIE_MD_OUTLEN 48
|
||||||
|
#define COOKIE_HMAC_LEN 28
|
||||||
|
#elif defined(MBEDTLS_SHA1_C)
|
||||||
|
#define COOKIE_MD MBEDTLS_MD_SHA1
|
||||||
|
#define COOKIE_MD_OUTLEN 20
|
||||||
|
#define COOKIE_HMAC_LEN 20
|
||||||
|
#else
|
||||||
|
#error "DTLS hello verify needs SHA-1 or SHA-2"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Cookies are formed of a 4-bytes timestamp (or serial number) and
|
||||||
|
* an HMAC of timestemp and client ID.
|
||||||
|
*/
|
||||||
|
#define COOKIE_LEN ( 4 + COOKIE_HMAC_LEN )
|
||||||
|
|
||||||
|
void mbedtls_ssl_cookie_init( mbedtls_ssl_cookie_ctx *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_md_init( &ctx->hmac_ctx );
|
||||||
|
#if !defined(MBEDTLS_HAVE_TIME)
|
||||||
|
ctx->serial = 0;
|
||||||
|
#endif
|
||||||
|
ctx->timeout = MBEDTLS_SSL_COOKIE_TIMEOUT;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_mutex_init( &ctx->mutex );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_ssl_cookie_set_timeout( mbedtls_ssl_cookie_ctx *ctx, unsigned long delay )
|
||||||
|
{
|
||||||
|
ctx->timeout = delay;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_ssl_cookie_free( mbedtls_ssl_cookie_ctx *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_md_free( &ctx->hmac_ctx );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_mutex_free( &ctx->mutex );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_cookie_ctx ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_ssl_cookie_setup( mbedtls_ssl_cookie_ctx *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char key[COOKIE_MD_OUTLEN];
|
||||||
|
|
||||||
|
if( ( ret = f_rng( p_rng, key, sizeof( key ) ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_md_setup( &ctx->hmac_ctx, mbedtls_md_info_from_type( COOKIE_MD ), 1 );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_md_hmac_starts( &ctx->hmac_ctx, key, sizeof( key ) );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( key, sizeof( key ) );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Generate the HMAC part of a cookie
|
||||||
|
*/
|
||||||
|
static int ssl_cookie_hmac( mbedtls_md_context_t *hmac_ctx,
|
||||||
|
const unsigned char time[4],
|
||||||
|
unsigned char **p, unsigned char *end,
|
||||||
|
const unsigned char *cli_id, size_t cli_id_len )
|
||||||
|
{
|
||||||
|
unsigned char hmac_out[COOKIE_MD_OUTLEN];
|
||||||
|
|
||||||
|
if( (size_t)( end - *p ) < COOKIE_HMAC_LEN )
|
||||||
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
if( mbedtls_md_hmac_reset( hmac_ctx ) != 0 ||
|
||||||
|
mbedtls_md_hmac_update( hmac_ctx, time, 4 ) != 0 ||
|
||||||
|
mbedtls_md_hmac_update( hmac_ctx, cli_id, cli_id_len ) != 0 ||
|
||||||
|
mbedtls_md_hmac_finish( hmac_ctx, hmac_out ) != 0 )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||||
|
}
|
||||||
|
|
||||||
|
memcpy( *p, hmac_out, COOKIE_HMAC_LEN );
|
||||||
|
*p += COOKIE_HMAC_LEN;
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Generate cookie for DTLS ClientHello verification
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_cookie_write( void *p_ctx,
|
||||||
|
unsigned char **p, unsigned char *end,
|
||||||
|
const unsigned char *cli_id, size_t cli_id_len )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
|
||||||
|
unsigned long t;
|
||||||
|
|
||||||
|
if( ctx == NULL || cli_id == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( (size_t)( end - *p ) < COOKIE_LEN )
|
||||||
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
t = (unsigned long) mbedtls_time( NULL );
|
||||||
|
#else
|
||||||
|
t = ctx->serial++;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
(*p)[0] = (unsigned char)( t >> 24 );
|
||||||
|
(*p)[1] = (unsigned char)( t >> 16 );
|
||||||
|
(*p)[2] = (unsigned char)( t >> 8 );
|
||||||
|
(*p)[3] = (unsigned char)( t );
|
||||||
|
*p += 4;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
ret = ssl_cookie_hmac( &ctx->hmac_ctx, *p - 4,
|
||||||
|
p, end, cli_id, cli_id_len );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
|
||||||
|
MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check a cookie
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_cookie_check( void *p_ctx,
|
||||||
|
const unsigned char *cookie, size_t cookie_len,
|
||||||
|
const unsigned char *cli_id, size_t cli_id_len )
|
||||||
|
{
|
||||||
|
unsigned char ref_hmac[COOKIE_HMAC_LEN];
|
||||||
|
int ret = 0;
|
||||||
|
unsigned char *p = ref_hmac;
|
||||||
|
mbedtls_ssl_cookie_ctx *ctx = (mbedtls_ssl_cookie_ctx *) p_ctx;
|
||||||
|
unsigned long cur_time, cookie_time;
|
||||||
|
|
||||||
|
if( ctx == NULL || cli_id == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( cookie_len != COOKIE_LEN )
|
||||||
|
return( -1 );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR + ret );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( ssl_cookie_hmac( &ctx->hmac_ctx, cookie,
|
||||||
|
&p, p + sizeof( ref_hmac ),
|
||||||
|
cli_id, cli_id_len ) != 0 )
|
||||||
|
ret = -1;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR +
|
||||||
|
MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( mbedtls_ssl_safer_memcmp( cookie + 4, ref_hmac, sizeof( ref_hmac ) ) != 0 )
|
||||||
|
return( -1 );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
cur_time = (unsigned long) mbedtls_time( NULL );
|
||||||
|
#else
|
||||||
|
cur_time = ctx->serial;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
cookie_time = ( (unsigned long) cookie[0] << 24 ) |
|
||||||
|
( (unsigned long) cookie[1] << 16 ) |
|
||||||
|
( (unsigned long) cookie[2] << 8 ) |
|
||||||
|
( (unsigned long) cookie[3] );
|
||||||
|
|
||||||
|
if( ctx->timeout != 0 && cur_time - cookie_time > ctx->timeout )
|
||||||
|
return( -1 );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_COOKIE_C */
|
4437
library/ssl_srv.c
Normal file
4437
library/ssl_srv.c
Normal file
File diff suppressed because it is too large
Load diff
595
library/ssl_ticket.c
Normal file
595
library/ssl_ticket.c
Normal file
|
@ -0,0 +1,595 @@
|
||||||
|
/*
|
||||||
|
* TLS server tickets callbacks implementation
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_TICKET_C)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_free free
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include "mbedtls/ssl_ticket.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Initialze context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_init( mbedtls_ssl_ticket_context *ctx )
|
||||||
|
{
|
||||||
|
memset( ctx, 0, sizeof( mbedtls_ssl_ticket_context ) );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_mutex_init( &ctx->mutex );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
#define MAX_KEY_BYTES 32 /* 256 bits */
|
||||||
|
|
||||||
|
#define TICKET_KEY_NAME_BYTES 4
|
||||||
|
#define TICKET_IV_BYTES 12
|
||||||
|
#define TICKET_CRYPT_LEN_BYTES 2
|
||||||
|
#define TICKET_AUTH_TAG_BYTES 16
|
||||||
|
|
||||||
|
#define TICKET_MIN_LEN ( TICKET_KEY_NAME_BYTES + \
|
||||||
|
TICKET_IV_BYTES + \
|
||||||
|
TICKET_CRYPT_LEN_BYTES + \
|
||||||
|
TICKET_AUTH_TAG_BYTES )
|
||||||
|
#define TICKET_ADD_DATA_LEN ( TICKET_KEY_NAME_BYTES + \
|
||||||
|
TICKET_IV_BYTES + \
|
||||||
|
TICKET_CRYPT_LEN_BYTES )
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Generate/update a key
|
||||||
|
*/
|
||||||
|
static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx,
|
||||||
|
unsigned char index )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char buf[MAX_KEY_BYTES];
|
||||||
|
mbedtls_ssl_ticket_key *key = ctx->keys + index;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
key->generation_time = (uint32_t) mbedtls_time( NULL );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( ( ret = ctx->f_rng( ctx->p_rng, key->name, sizeof( key->name ) ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( ( ret = ctx->f_rng( ctx->p_rng, buf, sizeof( buf ) ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
/* With GCM and CCM, same context can encrypt & decrypt */
|
||||||
|
ret = mbedtls_cipher_setkey( &key->ctx, buf,
|
||||||
|
mbedtls_cipher_get_key_bitlen( &key->ctx ),
|
||||||
|
MBEDTLS_ENCRYPT );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( buf, sizeof( buf ) );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Rotate/generate keys if necessary
|
||||||
|
*/
|
||||||
|
static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_HAVE_TIME)
|
||||||
|
((void) ctx);
|
||||||
|
#else
|
||||||
|
if( ctx->ticket_lifetime != 0 )
|
||||||
|
{
|
||||||
|
uint32_t current_time = (uint32_t) mbedtls_time( NULL );
|
||||||
|
uint32_t key_time = ctx->keys[ctx->active].generation_time;
|
||||||
|
|
||||||
|
if( current_time >= key_time &&
|
||||||
|
current_time - key_time < ctx->ticket_lifetime )
|
||||||
|
{
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
ctx->active = 1 - ctx->active;
|
||||||
|
|
||||||
|
return( ssl_ticket_gen_key( ctx, ctx->active ) );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
#endif /* MBEDTLS_HAVE_TIME */
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Setup context for actual use
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
|
||||||
|
mbedtls_cipher_type_t cipher,
|
||||||
|
uint32_t lifetime )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
const mbedtls_cipher_info_t *cipher_info;
|
||||||
|
|
||||||
|
ctx->f_rng = f_rng;
|
||||||
|
ctx->p_rng = p_rng;
|
||||||
|
|
||||||
|
ctx->ticket_lifetime = lifetime;
|
||||||
|
|
||||||
|
cipher_info = mbedtls_cipher_info_from_type( cipher);
|
||||||
|
if( cipher_info == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( cipher_info->mode != MBEDTLS_MODE_GCM &&
|
||||||
|
cipher_info->mode != MBEDTLS_MODE_CCM )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( cipher_info->key_bitlen > 8 * MAX_KEY_BYTES )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
ret = mbedtls_cipher_setup_psa( &ctx->keys[0].ctx,
|
||||||
|
cipher_info, TICKET_AUTH_TAG_BYTES );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
return( ret );
|
||||||
|
/* We don't yet expect to support all ciphers through PSA,
|
||||||
|
* so allow fallback to ordinary mbedtls_cipher_setup(). */
|
||||||
|
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
if( ( ret = mbedtls_cipher_setup( &ctx->keys[0].ctx, cipher_info ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
ret = mbedtls_cipher_setup_psa( &ctx->keys[1].ctx,
|
||||||
|
cipher_info, TICKET_AUTH_TAG_BYTES );
|
||||||
|
if( ret != 0 && ret != MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
return( ret );
|
||||||
|
if( ret == MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE )
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
if( ( ret = mbedtls_cipher_setup( &ctx->keys[1].ctx, cipher_info ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( ( ret = ssl_ticket_gen_key( ctx, 0 ) ) != 0 ||
|
||||||
|
( ret = ssl_ticket_gen_key( ctx, 1 ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Serialize a session in the following format:
|
||||||
|
*
|
||||||
|
* - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled:
|
||||||
|
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
|
||||||
|
* n . n+2 peer_cert length = m (0 if no certificate)
|
||||||
|
* n+3 . n+2+m peer cert ASN.1
|
||||||
|
*
|
||||||
|
* - If MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled:
|
||||||
|
* 0 . n-1 session structure, n = sizeof(mbedtls_ssl_session)
|
||||||
|
* n . n length of peer certificate digest = k (0 if no digest)
|
||||||
|
* n+1 . n+k peer certificate digest (digest type encoded in session)
|
||||||
|
*/
|
||||||
|
static int ssl_save_session( const mbedtls_ssl_session *session,
|
||||||
|
unsigned char *buf, size_t buf_len,
|
||||||
|
size_t *olen )
|
||||||
|
{
|
||||||
|
unsigned char *p = buf;
|
||||||
|
size_t left = buf_len;
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
size_t cert_len;
|
||||||
|
#else
|
||||||
|
size_t cert_digest_len;
|
||||||
|
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
if( left < sizeof( mbedtls_ssl_session ) )
|
||||||
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
/* This also copies the values of pointer fields in the
|
||||||
|
* session to be serialized, but they'll be ignored when
|
||||||
|
* loading the session through ssl_load_session(). */
|
||||||
|
memcpy( p, session, sizeof( mbedtls_ssl_session ) );
|
||||||
|
p += sizeof( mbedtls_ssl_session );
|
||||||
|
left -= sizeof( mbedtls_ssl_session );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
if( session->peer_cert == NULL )
|
||||||
|
cert_len = 0;
|
||||||
|
else
|
||||||
|
cert_len = session->peer_cert->raw.len;
|
||||||
|
|
||||||
|
if( left < 3 + cert_len )
|
||||||
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
*p++ = (unsigned char)( ( cert_len >> 16 ) & 0xFF );
|
||||||
|
*p++ = (unsigned char)( ( cert_len >> 8 ) & 0xFF );
|
||||||
|
*p++ = (unsigned char)( ( cert_len ) & 0xFF );
|
||||||
|
left -= 3;
|
||||||
|
|
||||||
|
if( session->peer_cert != NULL )
|
||||||
|
memcpy( p, session->peer_cert->raw.p, cert_len );
|
||||||
|
|
||||||
|
p += cert_len;
|
||||||
|
left -= cert_len;
|
||||||
|
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
if( session->peer_cert_digest != NULL )
|
||||||
|
cert_digest_len = 0;
|
||||||
|
else
|
||||||
|
cert_digest_len = session->peer_cert_digest_len;
|
||||||
|
|
||||||
|
if( left < 1 + cert_digest_len )
|
||||||
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
*p++ = (unsigned char) cert_digest_len;
|
||||||
|
left--;
|
||||||
|
|
||||||
|
if( session->peer_cert_digest != NULL )
|
||||||
|
memcpy( p, session->peer_cert_digest, cert_digest_len );
|
||||||
|
|
||||||
|
p += cert_digest_len;
|
||||||
|
left -= cert_digest_len;
|
||||||
|
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
*olen = p - buf;
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Unserialise session, see ssl_save_session()
|
||||||
|
*/
|
||||||
|
static int ssl_load_session( mbedtls_ssl_session *session,
|
||||||
|
const unsigned char *buf, size_t len )
|
||||||
|
{
|
||||||
|
const unsigned char *p = buf;
|
||||||
|
const unsigned char * const end = buf + len;
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
size_t cert_len;
|
||||||
|
#else
|
||||||
|
size_t cert_digest_len;
|
||||||
|
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
if( sizeof( mbedtls_ssl_session ) > (size_t)( end - p ) )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
memcpy( session, p, sizeof( mbedtls_ssl_session ) );
|
||||||
|
p += sizeof( mbedtls_ssl_session );
|
||||||
|
|
||||||
|
/* Non-NULL pointer fields of `session` are meaningless
|
||||||
|
* and potentially harmful. Zeroize them for safety. */
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
session->peer_cert = NULL;
|
||||||
|
#else
|
||||||
|
session->peer_cert_digest = NULL;
|
||||||
|
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
|
||||||
|
session->ticket = NULL;
|
||||||
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
/* Deserialize CRT from the end of the ticket. */
|
||||||
|
if( 3 > (size_t)( end - p ) )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
cert_len = ( p[0] << 16 ) | ( p[1] << 8 ) | p[2];
|
||||||
|
p += 3;
|
||||||
|
|
||||||
|
if( cert_len != 0 )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( cert_len > (size_t)( end - p ) )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
session->peer_cert = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
|
||||||
|
|
||||||
|
if( session->peer_cert == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||||
|
|
||||||
|
mbedtls_x509_crt_init( session->peer_cert );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_crt_parse_der( session->peer_cert,
|
||||||
|
p, cert_len ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crt_free( session->peer_cert );
|
||||||
|
mbedtls_free( session->peer_cert );
|
||||||
|
session->peer_cert = NULL;
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
p += cert_len;
|
||||||
|
}
|
||||||
|
#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
/* Deserialize CRT digest from the end of the ticket. */
|
||||||
|
if( 1 > (size_t)( end - p ) )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
cert_digest_len = (size_t) p[0];
|
||||||
|
p++;
|
||||||
|
|
||||||
|
if( cert_digest_len != 0 )
|
||||||
|
{
|
||||||
|
if( cert_digest_len > (size_t)( end - p ) ||
|
||||||
|
cert_digest_len != session->peer_cert_digest_len )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
|
||||||
|
session->peer_cert_digest = mbedtls_calloc( 1, cert_digest_len );
|
||||||
|
if( session->peer_cert_digest == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||||
|
|
||||||
|
memcpy( session->peer_cert_digest, p, cert_digest_len );
|
||||||
|
p += cert_digest_len;
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
|
if( p != end )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Create session ticket, with the following structure:
|
||||||
|
*
|
||||||
|
* struct {
|
||||||
|
* opaque key_name[4];
|
||||||
|
* opaque iv[12];
|
||||||
|
* opaque encrypted_state<0..2^16-1>;
|
||||||
|
* opaque tag[16];
|
||||||
|
* } ticket;
|
||||||
|
*
|
||||||
|
* The key_name, iv, and length of encrypted_state are the additional
|
||||||
|
* authenticated data.
|
||||||
|
*/
|
||||||
|
|
||||||
|
int mbedtls_ssl_ticket_write( void *p_ticket,
|
||||||
|
const mbedtls_ssl_session *session,
|
||||||
|
unsigned char *start,
|
||||||
|
const unsigned char *end,
|
||||||
|
size_t *tlen,
|
||||||
|
uint32_t *ticket_lifetime )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||||
|
mbedtls_ssl_ticket_key *key;
|
||||||
|
unsigned char *key_name = start;
|
||||||
|
unsigned char *iv = start + TICKET_KEY_NAME_BYTES;
|
||||||
|
unsigned char *state_len_bytes = iv + TICKET_IV_BYTES;
|
||||||
|
unsigned char *state = state_len_bytes + TICKET_CRYPT_LEN_BYTES;
|
||||||
|
unsigned char *tag;
|
||||||
|
size_t clear_len, ciph_len;
|
||||||
|
|
||||||
|
*tlen = 0;
|
||||||
|
|
||||||
|
if( ctx == NULL || ctx->f_rng == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
/* We need at least 4 bytes for key_name, 12 for IV, 2 for len 16 for tag,
|
||||||
|
* in addition to session itself, that will be checked when writing it. */
|
||||||
|
if( end - start < TICKET_MIN_LEN )
|
||||||
|
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
key = &ctx->keys[ctx->active];
|
||||||
|
|
||||||
|
*ticket_lifetime = ctx->ticket_lifetime;
|
||||||
|
|
||||||
|
memcpy( key_name, key->name, TICKET_KEY_NAME_BYTES );
|
||||||
|
|
||||||
|
if( ( ret = ctx->f_rng( ctx->p_rng, iv, TICKET_IV_BYTES ) ) != 0 )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
/* Dump session state */
|
||||||
|
if( ( ret = ssl_save_session( session,
|
||||||
|
state, end - state, &clear_len ) ) != 0 ||
|
||||||
|
(unsigned long) clear_len > 65535 )
|
||||||
|
{
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
state_len_bytes[0] = ( clear_len >> 8 ) & 0xff;
|
||||||
|
state_len_bytes[1] = ( clear_len ) & 0xff;
|
||||||
|
|
||||||
|
/* Encrypt and authenticate */
|
||||||
|
tag = state + clear_len;
|
||||||
|
if( ( ret = mbedtls_cipher_auth_encrypt( &key->ctx,
|
||||||
|
iv, TICKET_IV_BYTES,
|
||||||
|
/* Additional data: key name, IV and length */
|
||||||
|
key_name, TICKET_ADD_DATA_LEN,
|
||||||
|
state, clear_len, state, &ciph_len,
|
||||||
|
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
|
||||||
|
{
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if( ciph_len != clear_len )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
*tlen = TICKET_MIN_LEN + ciph_len;
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Select key based on name
|
||||||
|
*/
|
||||||
|
static mbedtls_ssl_ticket_key *ssl_ticket_select_key(
|
||||||
|
mbedtls_ssl_ticket_context *ctx,
|
||||||
|
const unsigned char name[4] )
|
||||||
|
{
|
||||||
|
unsigned char i;
|
||||||
|
|
||||||
|
for( i = 0; i < sizeof( ctx->keys ) / sizeof( *ctx->keys ); i++ )
|
||||||
|
if( memcmp( name, ctx->keys[i].name, 4 ) == 0 )
|
||||||
|
return( &ctx->keys[i] );
|
||||||
|
|
||||||
|
return( NULL );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Load session ticket (see mbedtls_ssl_ticket_write for structure)
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_ticket_parse( void *p_ticket,
|
||||||
|
mbedtls_ssl_session *session,
|
||||||
|
unsigned char *buf,
|
||||||
|
size_t len )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
mbedtls_ssl_ticket_context *ctx = p_ticket;
|
||||||
|
mbedtls_ssl_ticket_key *key;
|
||||||
|
unsigned char *key_name = buf;
|
||||||
|
unsigned char *iv = buf + TICKET_KEY_NAME_BYTES;
|
||||||
|
unsigned char *enc_len_p = iv + TICKET_IV_BYTES;
|
||||||
|
unsigned char *ticket = enc_len_p + TICKET_CRYPT_LEN_BYTES;
|
||||||
|
unsigned char *tag;
|
||||||
|
size_t enc_len, clear_len;
|
||||||
|
|
||||||
|
if( ctx == NULL || ctx->f_rng == NULL )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( len < TICKET_MIN_LEN )
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( ( ret = mbedtls_mutex_lock( &ctx->mutex ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( ( ret = ssl_ticket_update_keys( ctx ) ) != 0 )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
enc_len = ( enc_len_p[0] << 8 ) | enc_len_p[1];
|
||||||
|
tag = ticket + enc_len;
|
||||||
|
|
||||||
|
if( len != TICKET_MIN_LEN + enc_len )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Select key */
|
||||||
|
if( ( key = ssl_ticket_select_key( ctx, key_name ) ) == NULL )
|
||||||
|
{
|
||||||
|
/* We can't know for sure but this is a likely option unless we're
|
||||||
|
* under attack - this is only informative anyway */
|
||||||
|
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Decrypt and authenticate */
|
||||||
|
if( ( ret = mbedtls_cipher_auth_decrypt( &key->ctx,
|
||||||
|
iv, TICKET_IV_BYTES,
|
||||||
|
/* Additional data: key name, IV and length */
|
||||||
|
key_name, TICKET_ADD_DATA_LEN,
|
||||||
|
ticket, enc_len,
|
||||||
|
ticket, &clear_len,
|
||||||
|
tag, TICKET_AUTH_TAG_BYTES ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_CIPHER_AUTH_FAILED )
|
||||||
|
ret = MBEDTLS_ERR_SSL_INVALID_MAC;
|
||||||
|
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
if( clear_len != enc_len )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Actually load session */
|
||||||
|
if( ( ret = ssl_load_session( session, ticket, clear_len ) ) != 0 )
|
||||||
|
goto cleanup;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
|
{
|
||||||
|
/* Check for expiration */
|
||||||
|
mbedtls_time_t current_time = mbedtls_time( NULL );
|
||||||
|
|
||||||
|
if( current_time < session->start ||
|
||||||
|
(uint32_t)( current_time - session->start ) > ctx->ticket_lifetime )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
|
||||||
|
goto cleanup;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
if( mbedtls_mutex_unlock( &ctx->mutex ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_THREADING_MUTEX_ERROR );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Free context
|
||||||
|
*/
|
||||||
|
void mbedtls_ssl_ticket_free( mbedtls_ssl_ticket_context *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_cipher_free( &ctx->keys[0].ctx );
|
||||||
|
mbedtls_cipher_free( &ctx->keys[1].ctx );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_THREADING_C)
|
||||||
|
mbedtls_mutex_free( &ctx->mutex );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_ssl_ticket_context ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_SSL_TICKET_C */
|
10634
library/ssl_tls.c
Normal file
10634
library/ssl_tls.c
Normal file
File diff suppressed because it is too large
Load diff
1062
library/x509.c
Normal file
1062
library/x509.c
Normal file
File diff suppressed because it is too large
Load diff
379
library/x509_create.c
Normal file
379
library/x509_create.c
Normal file
|
@ -0,0 +1,379 @@
|
||||||
|
/*
|
||||||
|
* X.509 base functions for creating certificates / CSRs
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CREATE_C)
|
||||||
|
|
||||||
|
#include "mbedtls/x509.h"
|
||||||
|
#include "mbedtls/asn1write.h"
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
/* Structure linking OIDs for X.509 DN AttributeTypes to their
|
||||||
|
* string representations and default string encodings used by Mbed TLS. */
|
||||||
|
typedef struct {
|
||||||
|
const char *name; /* String representation of AttributeType, e.g.
|
||||||
|
* "CN" or "emailAddress". */
|
||||||
|
size_t name_len; /* Length of 'name', without trailing 0 byte. */
|
||||||
|
const char *oid; /* String representation of OID of AttributeType,
|
||||||
|
* as per RFC 5280, Appendix A.1. */
|
||||||
|
int default_tag; /* The default character encoding used for the
|
||||||
|
* given attribute type, e.g.
|
||||||
|
* MBEDTLS_ASN1_UTF8_STRING for UTF-8. */
|
||||||
|
} x509_attr_descriptor_t;
|
||||||
|
|
||||||
|
#define ADD_STRLEN( s ) s, sizeof( s ) - 1
|
||||||
|
|
||||||
|
/* X.509 DN attributes from RFC 5280, Appendix A.1. */
|
||||||
|
static const x509_attr_descriptor_t x509_attrs[] =
|
||||||
|
{
|
||||||
|
{ ADD_STRLEN( "CN" ),
|
||||||
|
MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "commonName" ),
|
||||||
|
MBEDTLS_OID_AT_CN, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "C" ),
|
||||||
|
MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||||
|
{ ADD_STRLEN( "countryName" ),
|
||||||
|
MBEDTLS_OID_AT_COUNTRY, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||||
|
{ ADD_STRLEN( "O" ),
|
||||||
|
MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "organizationName" ),
|
||||||
|
MBEDTLS_OID_AT_ORGANIZATION, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "L" ),
|
||||||
|
MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "locality" ),
|
||||||
|
MBEDTLS_OID_AT_LOCALITY, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "R" ),
|
||||||
|
MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
|
||||||
|
{ ADD_STRLEN( "OU" ),
|
||||||
|
MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "organizationalUnitName" ),
|
||||||
|
MBEDTLS_OID_AT_ORG_UNIT, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "ST" ),
|
||||||
|
MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "stateOrProvinceName" ),
|
||||||
|
MBEDTLS_OID_AT_STATE, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "emailAddress" ),
|
||||||
|
MBEDTLS_OID_PKCS9_EMAIL, MBEDTLS_ASN1_IA5_STRING },
|
||||||
|
{ ADD_STRLEN( "serialNumber" ),
|
||||||
|
MBEDTLS_OID_AT_SERIAL_NUMBER, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||||
|
{ ADD_STRLEN( "postalAddress" ),
|
||||||
|
MBEDTLS_OID_AT_POSTAL_ADDRESS, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||||
|
{ ADD_STRLEN( "postalCode" ),
|
||||||
|
MBEDTLS_OID_AT_POSTAL_CODE, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||||
|
{ ADD_STRLEN( "dnQualifier" ),
|
||||||
|
MBEDTLS_OID_AT_DN_QUALIFIER, MBEDTLS_ASN1_PRINTABLE_STRING },
|
||||||
|
{ ADD_STRLEN( "title" ),
|
||||||
|
MBEDTLS_OID_AT_TITLE, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "surName" ),
|
||||||
|
MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "SN" ),
|
||||||
|
MBEDTLS_OID_AT_SUR_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "givenName" ),
|
||||||
|
MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "GN" ),
|
||||||
|
MBEDTLS_OID_AT_GIVEN_NAME, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "initials" ),
|
||||||
|
MBEDTLS_OID_AT_INITIALS, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "pseudonym" ),
|
||||||
|
MBEDTLS_OID_AT_PSEUDONYM, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "generationQualifier" ),
|
||||||
|
MBEDTLS_OID_AT_GENERATION_QUALIFIER, MBEDTLS_ASN1_UTF8_STRING },
|
||||||
|
{ ADD_STRLEN( "domainComponent" ),
|
||||||
|
MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
|
||||||
|
{ ADD_STRLEN( "DC" ),
|
||||||
|
MBEDTLS_OID_DOMAIN_COMPONENT, MBEDTLS_ASN1_IA5_STRING },
|
||||||
|
{ NULL, 0, NULL, MBEDTLS_ASN1_NULL }
|
||||||
|
};
|
||||||
|
|
||||||
|
static const x509_attr_descriptor_t *x509_attr_descr_from_name( const char *name, size_t name_len )
|
||||||
|
{
|
||||||
|
const x509_attr_descriptor_t *cur;
|
||||||
|
|
||||||
|
for( cur = x509_attrs; cur->name != NULL; cur++ )
|
||||||
|
if( cur->name_len == name_len &&
|
||||||
|
strncmp( cur->name, name, name_len ) == 0 )
|
||||||
|
break;
|
||||||
|
|
||||||
|
if ( cur->name == NULL )
|
||||||
|
return( NULL );
|
||||||
|
|
||||||
|
return( cur );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509_string_to_names( mbedtls_asn1_named_data **head, const char *name )
|
||||||
|
{
|
||||||
|
int ret = 0;
|
||||||
|
const char *s = name, *c = s;
|
||||||
|
const char *end = s + strlen( s );
|
||||||
|
const char *oid = NULL;
|
||||||
|
const x509_attr_descriptor_t* attr_descr = NULL;
|
||||||
|
int in_tag = 1;
|
||||||
|
char data[MBEDTLS_X509_MAX_DN_NAME_SIZE];
|
||||||
|
char *d = data;
|
||||||
|
|
||||||
|
/* Clear existing chain if present */
|
||||||
|
mbedtls_asn1_free_named_data_list( head );
|
||||||
|
|
||||||
|
while( c <= end )
|
||||||
|
{
|
||||||
|
if( in_tag && *c == '=' )
|
||||||
|
{
|
||||||
|
if( ( attr_descr = x509_attr_descr_from_name( s, c - s ) ) == NULL )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_X509_UNKNOWN_OID;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
|
||||||
|
oid = attr_descr->oid;
|
||||||
|
s = c + 1;
|
||||||
|
in_tag = 0;
|
||||||
|
d = data;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( !in_tag && *c == '\\' && c != end )
|
||||||
|
{
|
||||||
|
c++;
|
||||||
|
|
||||||
|
/* Check for valid escaped characters */
|
||||||
|
if( c == end || *c != ',' )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_X509_INVALID_NAME;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( !in_tag && ( *c == ',' || c == end ) )
|
||||||
|
{
|
||||||
|
mbedtls_asn1_named_data* cur =
|
||||||
|
mbedtls_asn1_store_named_data( head, oid, strlen( oid ),
|
||||||
|
(unsigned char *) data,
|
||||||
|
d - data );
|
||||||
|
|
||||||
|
if(cur == NULL )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
// set tagType
|
||||||
|
cur->val.tag = attr_descr->default_tag;
|
||||||
|
|
||||||
|
while( c < end && *(c + 1) == ' ' )
|
||||||
|
c++;
|
||||||
|
|
||||||
|
s = c + 1;
|
||||||
|
in_tag = 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( !in_tag && s != c + 1 )
|
||||||
|
{
|
||||||
|
*(d++) = *c;
|
||||||
|
|
||||||
|
if( d - data == MBEDTLS_X509_MAX_DN_NAME_SIZE )
|
||||||
|
{
|
||||||
|
ret = MBEDTLS_ERR_X509_INVALID_NAME;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
c++;
|
||||||
|
}
|
||||||
|
|
||||||
|
exit:
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/* The first byte of the value in the mbedtls_asn1_named_data structure is reserved
|
||||||
|
* to store the critical boolean for us
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_set_extension( mbedtls_asn1_named_data **head, const char *oid, size_t oid_len,
|
||||||
|
int critical, const unsigned char *val, size_t val_len )
|
||||||
|
{
|
||||||
|
mbedtls_asn1_named_data *cur;
|
||||||
|
|
||||||
|
if( ( cur = mbedtls_asn1_store_named_data( head, oid, oid_len,
|
||||||
|
NULL, val_len + 1 ) ) == NULL )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
cur->val.p[0] = critical;
|
||||||
|
memcpy( cur->val.p + 1, val, val_len );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* RelativeDistinguishedName ::=
|
||||||
|
* SET OF AttributeTypeAndValue
|
||||||
|
*
|
||||||
|
* AttributeTypeAndValue ::= SEQUENCE {
|
||||||
|
* type AttributeType,
|
||||||
|
* value AttributeValue }
|
||||||
|
*
|
||||||
|
* AttributeType ::= OBJECT IDENTIFIER
|
||||||
|
*
|
||||||
|
* AttributeValue ::= ANY DEFINED BY AttributeType
|
||||||
|
*/
|
||||||
|
static int x509_write_name( unsigned char **p, unsigned char *start, mbedtls_asn1_named_data* cur_name)
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
const char *oid = (const char*)cur_name->oid.p;
|
||||||
|
size_t oid_len = cur_name->oid.len;
|
||||||
|
const unsigned char *name = cur_name->val.p;
|
||||||
|
size_t name_len = cur_name->val.len;
|
||||||
|
|
||||||
|
// Write correct string tag and value
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tagged_string( p, start,
|
||||||
|
cur_name->val.tag,
|
||||||
|
(const char *) name,
|
||||||
|
name_len ) );
|
||||||
|
// Write OID
|
||||||
|
//
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( p, start, oid,
|
||||||
|
oid_len ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SET ) );
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509_write_names( unsigned char **p, unsigned char *start,
|
||||||
|
mbedtls_asn1_named_data *first )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
mbedtls_asn1_named_data *cur = first;
|
||||||
|
|
||||||
|
while( cur != NULL )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, x509_write_name( p, start, cur ) );
|
||||||
|
cur = cur->next;
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509_write_sig( unsigned char **p, unsigned char *start,
|
||||||
|
const char *oid, size_t oid_len,
|
||||||
|
unsigned char *sig, size_t size )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
if( *p < start || (size_t)( *p - start ) < size )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
|
len = size;
|
||||||
|
(*p) -= len;
|
||||||
|
memcpy( *p, sig, len );
|
||||||
|
|
||||||
|
if( *p - start < 1 )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
|
*--(*p) = 0;
|
||||||
|
len += 1;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_BIT_STRING ) );
|
||||||
|
|
||||||
|
// Write OID
|
||||||
|
//
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( p, start, oid,
|
||||||
|
oid_len, 0 ) );
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
static int x509_write_extension( unsigned char **p, unsigned char *start,
|
||||||
|
mbedtls_asn1_named_data *ext )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->val.p + 1,
|
||||||
|
ext->val.len - 1 ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->val.len - 1 ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OCTET_STRING ) );
|
||||||
|
|
||||||
|
if( ext->val.p[0] != 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( p, start, 1 ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start, ext->oid.p,
|
||||||
|
ext->oid.len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, ext->oid.len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_OID ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Extension ::= SEQUENCE {
|
||||||
|
* extnID OBJECT IDENTIFIER,
|
||||||
|
* critical BOOLEAN DEFAULT FALSE,
|
||||||
|
* extnValue OCTET STRING
|
||||||
|
* -- contains the DER encoding of an ASN.1 value
|
||||||
|
* -- corresponding to the extension type identified
|
||||||
|
* -- by extnID
|
||||||
|
* }
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_write_extensions( unsigned char **p, unsigned char *start,
|
||||||
|
mbedtls_asn1_named_data *first )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
mbedtls_asn1_named_data *cur_ext = first;
|
||||||
|
|
||||||
|
while( cur_ext != NULL )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, x509_write_extension( p, start, cur_ext ) );
|
||||||
|
cur_ext = cur_ext->next;
|
||||||
|
}
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_CREATE_C */
|
773
library/x509_crl.c
Normal file
773
library/x509_crl.c
Normal file
|
@ -0,0 +1,773 @@
|
||||||
|
/*
|
||||||
|
* X.509 Certidicate Revocation List (CRL) parsing
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* The ITU-T X.509 standard defines a certificate format for PKI.
|
||||||
|
*
|
||||||
|
* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
|
||||||
|
* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
|
||||||
|
* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
|
||||||
|
*
|
||||||
|
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
|
||||||
|
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRL_PARSE_C)
|
||||||
|
|
||||||
|
#include "mbedtls/x509_crl.h"
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
#include "mbedtls/pem.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#define mbedtls_free free
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_snprintf snprintf
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(_WIN32) && !defined(EFIX64) && !defined(EFI32)
|
||||||
|
#include <windows.h>
|
||||||
|
#else
|
||||||
|
#include <time.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
|
||||||
|
#include <stdio.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Version ::= INTEGER { v1(0), v2(1) }
|
||||||
|
*/
|
||||||
|
static int x509_crl_get_version( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
int *ver )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
|
{
|
||||||
|
*ver = 0;
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 CRL v2 extensions
|
||||||
|
*
|
||||||
|
* We currently don't parse any extension's content, but we do check that the
|
||||||
|
* list of extensions is well-formed and abort on critical extensions (that
|
||||||
|
* are unsupported as we don't support any extension so far)
|
||||||
|
*/
|
||||||
|
static int x509_get_crl_ext( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
mbedtls_x509_buf *ext )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* crlExtensions [0] EXPLICIT Extensions OPTIONAL
|
||||||
|
* -- if present, version MUST be v2
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_x509_get_ext( p, end, ext, 0 ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
while( *p < end )
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Extension ::= SEQUENCE {
|
||||||
|
* extnID OBJECT IDENTIFIER,
|
||||||
|
* critical BOOLEAN DEFAULT FALSE,
|
||||||
|
* extnValue OCTET STRING }
|
||||||
|
*/
|
||||||
|
int is_critical = 0;
|
||||||
|
const unsigned char *end_ext_data;
|
||||||
|
size_t len;
|
||||||
|
|
||||||
|
/* Get enclosing sequence tag */
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||||
|
|
||||||
|
end_ext_data = *p + len;
|
||||||
|
|
||||||
|
/* Get OID (currently ignored) */
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
|
||||||
|
MBEDTLS_ASN1_OID ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||||
|
}
|
||||||
|
*p += len;
|
||||||
|
|
||||||
|
/* Get optional critical */
|
||||||
|
if( ( ret = mbedtls_asn1_get_bool( p, end_ext_data,
|
||||||
|
&is_critical ) ) != 0 &&
|
||||||
|
( ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Data should be octet string type */
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end_ext_data, &len,
|
||||||
|
MBEDTLS_ASN1_OCTET_STRING ) ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||||
|
|
||||||
|
/* Ignore data so far and just check its length */
|
||||||
|
*p += len;
|
||||||
|
if( *p != end_ext_data )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
/* Abort on (unsupported) critical extensions */
|
||||||
|
if( is_critical )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||||
|
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( *p != end )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 CRL v2 entry extensions (no extensions parsed yet.)
|
||||||
|
*/
|
||||||
|
static int x509_get_crl_entry_ext( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
mbedtls_x509_buf *ext )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
/* OPTIONAL */
|
||||||
|
if( end <= *p )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
ext->tag = **p;
|
||||||
|
ext->p = *p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Get CRL-entry extension sequence header
|
||||||
|
* crlEntryExtensions Extensions OPTIONAL -- if present, MUST be v2
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end, &ext->len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
|
{
|
||||||
|
ext->p = NULL;
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
end = *p + ext->len;
|
||||||
|
|
||||||
|
if( end != *p + ext->len )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
while( *p < end )
|
||||||
|
{
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS + ret );
|
||||||
|
|
||||||
|
*p += len;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( *p != end )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_EXTENSIONS +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* X.509 CRL Entries
|
||||||
|
*/
|
||||||
|
static int x509_get_entries( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
mbedtls_x509_crl_entry *entry )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t entry_len;
|
||||||
|
mbedtls_x509_crl_entry *cur_entry = entry;
|
||||||
|
|
||||||
|
if( *p == end )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end, &entry_len,
|
||||||
|
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
|
return( 0 );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
end = *p + entry_len;
|
||||||
|
|
||||||
|
while( *p < end )
|
||||||
|
{
|
||||||
|
size_t len2;
|
||||||
|
const unsigned char *end2;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( p, end, &len2,
|
||||||
|
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_CONSTRUCTED ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
cur_entry->raw.tag = **p;
|
||||||
|
cur_entry->raw.p = *p;
|
||||||
|
cur_entry->raw.len = len2;
|
||||||
|
end2 = *p + len2;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_serial( p, end2, &cur_entry->serial ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_time( p, end2,
|
||||||
|
&cur_entry->revocation_date ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( ( ret = x509_get_crl_entry_ext( p, end2,
|
||||||
|
&cur_entry->entry_ext ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
if( *p < end )
|
||||||
|
{
|
||||||
|
cur_entry->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl_entry ) );
|
||||||
|
|
||||||
|
if( cur_entry->next == NULL )
|
||||||
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||||
|
|
||||||
|
cur_entry = cur_entry->next;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse one CRLs in DER format and append it to the chained list
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_parse_der( mbedtls_x509_crl *chain,
|
||||||
|
const unsigned char *buf, size_t buflen )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len;
|
||||||
|
unsigned char *p = NULL, *end = NULL;
|
||||||
|
mbedtls_x509_buf sig_params1, sig_params2, sig_oid2;
|
||||||
|
mbedtls_x509_crl *crl = chain;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check for valid input
|
||||||
|
*/
|
||||||
|
if( crl == NULL || buf == NULL )
|
||||||
|
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
memset( &sig_params1, 0, sizeof( mbedtls_x509_buf ) );
|
||||||
|
memset( &sig_params2, 0, sizeof( mbedtls_x509_buf ) );
|
||||||
|
memset( &sig_oid2, 0, sizeof( mbedtls_x509_buf ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Add new CRL on the end of the chain if needed.
|
||||||
|
*/
|
||||||
|
while( crl->version != 0 && crl->next != NULL )
|
||||||
|
crl = crl->next;
|
||||||
|
|
||||||
|
if( crl->version != 0 && crl->next == NULL )
|
||||||
|
{
|
||||||
|
crl->next = mbedtls_calloc( 1, sizeof( mbedtls_x509_crl ) );
|
||||||
|
|
||||||
|
if( crl->next == NULL )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_x509_crl_init( crl->next );
|
||||||
|
crl = crl->next;
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Copy raw DER-encoded CRL
|
||||||
|
*/
|
||||||
|
if( buflen == 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||||
|
|
||||||
|
p = mbedtls_calloc( 1, buflen );
|
||||||
|
if( p == NULL )
|
||||||
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||||
|
|
||||||
|
memcpy( p, buf, buflen );
|
||||||
|
|
||||||
|
crl->raw.p = p;
|
||||||
|
crl->raw.len = buflen;
|
||||||
|
|
||||||
|
end = p + buflen;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* CertificateList ::= SEQUENCE {
|
||||||
|
* tbsCertList TBSCertList,
|
||||||
|
* signatureAlgorithm AlgorithmIdentifier,
|
||||||
|
* signatureValue BIT STRING }
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( len != (size_t) ( end - p ) )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* TBSCertList ::= SEQUENCE {
|
||||||
|
*/
|
||||||
|
crl->tbs.p = p;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
end = p + len;
|
||||||
|
crl->tbs.len = end - crl->tbs.p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Version ::= INTEGER OPTIONAL { v1(0), v2(1) }
|
||||||
|
* -- if present, MUST be v2
|
||||||
|
*
|
||||||
|
* signature AlgorithmIdentifier
|
||||||
|
*/
|
||||||
|
if( ( ret = x509_crl_get_version( &p, end, &crl->version ) ) != 0 ||
|
||||||
|
( ret = mbedtls_x509_get_alg( &p, end, &crl->sig_oid, &sig_params1 ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( crl->version < 0 || crl->version > 1 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
||||||
|
}
|
||||||
|
|
||||||
|
crl->version++;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_sig_alg( &crl->sig_oid, &sig_params1,
|
||||||
|
&crl->sig_md, &crl->sig_pk,
|
||||||
|
&crl->sig_opts ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* issuer Name
|
||||||
|
*/
|
||||||
|
crl->issuer_raw.p = p;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_name( &p, p + len, &crl->issuer ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
crl->issuer_raw.len = p - crl->issuer_raw.p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* thisUpdate Time
|
||||||
|
* nextUpdate Time OPTIONAL
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_x509_get_time( &p, end, &crl->this_update ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_time( &p, end, &crl->next_update ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
|
||||||
|
MBEDTLS_ERR_ASN1_UNEXPECTED_TAG ) &&
|
||||||
|
ret != ( MBEDTLS_ERR_X509_INVALID_DATE +
|
||||||
|
MBEDTLS_ERR_ASN1_OUT_OF_DATA ) )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* revokedCertificates SEQUENCE OF SEQUENCE {
|
||||||
|
* userCertificate CertificateSerialNumber,
|
||||||
|
* revocationDate Time,
|
||||||
|
* crlEntryExtensions Extensions OPTIONAL
|
||||||
|
* -- if present, MUST be v2
|
||||||
|
* } OPTIONAL
|
||||||
|
*/
|
||||||
|
if( ( ret = x509_get_entries( &p, end, &crl->entry ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* crlExtensions EXPLICIT Extensions OPTIONAL
|
||||||
|
* -- if present, MUST be v2
|
||||||
|
*/
|
||||||
|
if( crl->version == 2 )
|
||||||
|
{
|
||||||
|
ret = x509_get_crl_ext( &p, end, &crl->crl_ext );
|
||||||
|
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if( p != end )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
}
|
||||||
|
|
||||||
|
end = crl->raw.p + crl->raw.len;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* signatureAlgorithm AlgorithmIdentifier,
|
||||||
|
* signatureValue BIT STRING
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_x509_get_alg( &p, end, &sig_oid2, &sig_params2 ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( crl->sig_oid.len != sig_oid2.len ||
|
||||||
|
memcmp( crl->sig_oid.p, sig_oid2.p, crl->sig_oid.len ) != 0 ||
|
||||||
|
sig_params1.len != sig_params2.len ||
|
||||||
|
( sig_params1.len != 0 &&
|
||||||
|
memcmp( sig_params1.p, sig_params2.p, sig_params1.len ) != 0 ) )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_SIG_MISMATCH );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_sig( &p, end, &crl->sig ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( p != end )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl_free( crl );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse one or more CRLs and add them to the chained list
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_parse( mbedtls_x509_crl *chain, const unsigned char *buf, size_t buflen )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
int ret;
|
||||||
|
size_t use_len;
|
||||||
|
mbedtls_pem_context pem;
|
||||||
|
int is_pem = 0;
|
||||||
|
|
||||||
|
if( chain == NULL || buf == NULL )
|
||||||
|
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
mbedtls_pem_init( &pem );
|
||||||
|
|
||||||
|
// Avoid calling mbedtls_pem_read_buffer() on non-null-terminated
|
||||||
|
// string
|
||||||
|
if( buflen == 0 || buf[buflen - 1] != '\0' )
|
||||||
|
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
|
||||||
|
else
|
||||||
|
ret = mbedtls_pem_read_buffer( &pem,
|
||||||
|
"-----BEGIN X509 CRL-----",
|
||||||
|
"-----END X509 CRL-----",
|
||||||
|
buf, NULL, 0, &use_len );
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Was PEM encoded
|
||||||
|
*/
|
||||||
|
is_pem = 1;
|
||||||
|
|
||||||
|
buflen -= use_len;
|
||||||
|
buf += use_len;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_crl_parse_der( chain,
|
||||||
|
pem.buf, pem.buflen ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_pem_free( &pem );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( is_pem )
|
||||||
|
{
|
||||||
|
mbedtls_pem_free( &pem );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_pem_free( &pem );
|
||||||
|
}
|
||||||
|
/* In the PEM case, buflen is 1 at the end, for the terminated NULL byte.
|
||||||
|
* And a valid CRL cannot be less than 1 byte anyway. */
|
||||||
|
while( is_pem && buflen > 1 );
|
||||||
|
|
||||||
|
if( is_pem )
|
||||||
|
return( 0 );
|
||||||
|
else
|
||||||
|
#endif /* MBEDTLS_PEM_PARSE_C */
|
||||||
|
return( mbedtls_x509_crl_parse_der( chain, buf, buflen ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO)
|
||||||
|
/*
|
||||||
|
* Load one or more CRLs and add them to the chained list
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_parse_file( mbedtls_x509_crl *chain, const char *path )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t n;
|
||||||
|
unsigned char *buf;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_x509_crl_parse( chain, buf, n );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( buf, n );
|
||||||
|
mbedtls_free( buf );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_FS_IO */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Return an informational string about the certificate.
|
||||||
|
*/
|
||||||
|
#define BEFORE_COLON 14
|
||||||
|
#define BC "14"
|
||||||
|
/*
|
||||||
|
* Return an informational string about the CRL.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_crl_info( char *buf, size_t size, const char *prefix,
|
||||||
|
const mbedtls_x509_crl *crl )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t n;
|
||||||
|
char *p;
|
||||||
|
const mbedtls_x509_crl_entry *entry;
|
||||||
|
|
||||||
|
p = buf;
|
||||||
|
n = size;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "%sCRL version : %d",
|
||||||
|
prefix, crl->version );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%sissuer name : ", prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
ret = mbedtls_x509_dn_gets( p, n, &crl->issuer );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%sthis update : " \
|
||||||
|
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
|
||||||
|
crl->this_update.year, crl->this_update.mon,
|
||||||
|
crl->this_update.day, crl->this_update.hour,
|
||||||
|
crl->this_update.min, crl->this_update.sec );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%snext update : " \
|
||||||
|
"%04d-%02d-%02d %02d:%02d:%02d", prefix,
|
||||||
|
crl->next_update.year, crl->next_update.mon,
|
||||||
|
crl->next_update.day, crl->next_update.hour,
|
||||||
|
crl->next_update.min, crl->next_update.sec );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
entry = &crl->entry;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%sRevoked certificates:",
|
||||||
|
prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
while( entry != NULL && entry->raw.len != 0 )
|
||||||
|
{
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%sserial number: ",
|
||||||
|
prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_x509_serial_gets( p, n, &entry->serial );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, " revocation date: " \
|
||||||
|
"%04d-%02d-%02d %02d:%02d:%02d",
|
||||||
|
entry->revocation_date.year, entry->revocation_date.mon,
|
||||||
|
entry->revocation_date.day, entry->revocation_date.hour,
|
||||||
|
entry->revocation_date.min, entry->revocation_date.sec );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
entry = entry->next;
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_x509_sig_alg_gets( p, n, &crl->sig_oid, crl->sig_pk, crl->sig_md,
|
||||||
|
crl->sig_opts );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n" );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
return( (int) ( size - n ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Initialize a CRL chain
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crl_init( mbedtls_x509_crl *crl )
|
||||||
|
{
|
||||||
|
memset( crl, 0, sizeof(mbedtls_x509_crl) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Unallocate all CRL data
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_crl_free( mbedtls_x509_crl *crl )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crl *crl_cur = crl;
|
||||||
|
mbedtls_x509_crl *crl_prv;
|
||||||
|
mbedtls_x509_name *name_cur;
|
||||||
|
mbedtls_x509_name *name_prv;
|
||||||
|
mbedtls_x509_crl_entry *entry_cur;
|
||||||
|
mbedtls_x509_crl_entry *entry_prv;
|
||||||
|
|
||||||
|
if( crl == NULL )
|
||||||
|
return;
|
||||||
|
|
||||||
|
do
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||||
|
mbedtls_free( crl_cur->sig_opts );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
name_cur = crl_cur->issuer.next;
|
||||||
|
while( name_cur != NULL )
|
||||||
|
{
|
||||||
|
name_prv = name_cur;
|
||||||
|
name_cur = name_cur->next;
|
||||||
|
mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
|
||||||
|
mbedtls_free( name_prv );
|
||||||
|
}
|
||||||
|
|
||||||
|
entry_cur = crl_cur->entry.next;
|
||||||
|
while( entry_cur != NULL )
|
||||||
|
{
|
||||||
|
entry_prv = entry_cur;
|
||||||
|
entry_cur = entry_cur->next;
|
||||||
|
mbedtls_platform_zeroize( entry_prv,
|
||||||
|
sizeof( mbedtls_x509_crl_entry ) );
|
||||||
|
mbedtls_free( entry_prv );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( crl_cur->raw.p != NULL )
|
||||||
|
{
|
||||||
|
mbedtls_platform_zeroize( crl_cur->raw.p, crl_cur->raw.len );
|
||||||
|
mbedtls_free( crl_cur->raw.p );
|
||||||
|
}
|
||||||
|
|
||||||
|
crl_cur = crl_cur->next;
|
||||||
|
}
|
||||||
|
while( crl_cur != NULL );
|
||||||
|
|
||||||
|
crl_cur = crl;
|
||||||
|
do
|
||||||
|
{
|
||||||
|
crl_prv = crl_cur;
|
||||||
|
crl_cur = crl_cur->next;
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( crl_prv, sizeof( mbedtls_x509_crl ) );
|
||||||
|
if( crl_prv != crl )
|
||||||
|
mbedtls_free( crl_prv );
|
||||||
|
}
|
||||||
|
while( crl_cur != NULL );
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_CRL_PARSE_C */
|
2879
library/x509_crt.c
Normal file
2879
library/x509_crt.c
Normal file
File diff suppressed because it is too large
Load diff
419
library/x509_csr.c
Normal file
419
library/x509_csr.c
Normal file
|
@ -0,0 +1,419 @@
|
||||||
|
/*
|
||||||
|
* X.509 Certificate Signing Request (CSR) parsing
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* The ITU-T X.509 standard defines a certificate format for PKI.
|
||||||
|
*
|
||||||
|
* http://www.ietf.org/rfc/rfc5280.txt (Certificates and CRLs)
|
||||||
|
* http://www.ietf.org/rfc/rfc3279.txt (Alg IDs for CRLs)
|
||||||
|
* http://www.ietf.org/rfc/rfc2986.txt (CSRs, aka PKCS#10)
|
||||||
|
*
|
||||||
|
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.680-0207.pdf
|
||||||
|
* http://www.itu.int/ITU-T/studygroups/com17/languages/X.690-0207.pdf
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CSR_PARSE_C)
|
||||||
|
|
||||||
|
#include "mbedtls/x509_csr.h"
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
#include "mbedtls/pem.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PLATFORM_C)
|
||||||
|
#include "mbedtls/platform.h"
|
||||||
|
#else
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <stdio.h>
|
||||||
|
#define mbedtls_free free
|
||||||
|
#define mbedtls_calloc calloc
|
||||||
|
#define mbedtls_snprintf snprintf
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO) || defined(EFIX64) || defined(EFI32)
|
||||||
|
#include <stdio.h>
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Version ::= INTEGER { v1(0) }
|
||||||
|
*/
|
||||||
|
static int x509_csr_get_version( unsigned char **p,
|
||||||
|
const unsigned char *end,
|
||||||
|
int *ver )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_int( p, end, ver ) ) != 0 )
|
||||||
|
{
|
||||||
|
if( ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG )
|
||||||
|
{
|
||||||
|
*ver = 0;
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_VERSION + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse a CSR in DER format
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_der( mbedtls_x509_csr *csr,
|
||||||
|
const unsigned char *buf, size_t buflen )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len;
|
||||||
|
unsigned char *p, *end;
|
||||||
|
mbedtls_x509_buf sig_params;
|
||||||
|
|
||||||
|
memset( &sig_params, 0, sizeof( mbedtls_x509_buf ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check for valid input
|
||||||
|
*/
|
||||||
|
if( csr == NULL || buf == NULL || buflen == 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
mbedtls_x509_csr_init( csr );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* first copy the raw DER data
|
||||||
|
*/
|
||||||
|
p = mbedtls_calloc( 1, len = buflen );
|
||||||
|
|
||||||
|
if( p == NULL )
|
||||||
|
return( MBEDTLS_ERR_X509_ALLOC_FAILED );
|
||||||
|
|
||||||
|
memcpy( p, buf, buflen );
|
||||||
|
|
||||||
|
csr->raw.p = p;
|
||||||
|
csr->raw.len = len;
|
||||||
|
end = p + len;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* CertificationRequest ::= SEQUENCE {
|
||||||
|
* certificationRequestInfo CertificationRequestInfo,
|
||||||
|
* signatureAlgorithm AlgorithmIdentifier,
|
||||||
|
* signature BIT STRING
|
||||||
|
* }
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( len != (size_t) ( end - p ) )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* CertificationRequestInfo ::= SEQUENCE {
|
||||||
|
*/
|
||||||
|
csr->cri.p = p;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
end = p + len;
|
||||||
|
csr->cri.len = end - csr->cri.p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Version ::= INTEGER { v1(0) }
|
||||||
|
*/
|
||||||
|
if( ( ret = x509_csr_get_version( &p, end, &csr->version ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( csr->version != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_UNKNOWN_VERSION );
|
||||||
|
}
|
||||||
|
|
||||||
|
csr->version++;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* subject Name
|
||||||
|
*/
|
||||||
|
csr->subject_raw.p = p;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_name( &p, p + len, &csr->subject ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
csr->subject_raw.len = p - csr->subject_raw.p;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* subjectPKInfo SubjectPublicKeyInfo
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_pk_parse_subpubkey( &p, end, &csr->pk ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* attributes [0] Attributes
|
||||||
|
*
|
||||||
|
* The list of possible attributes is open-ended, though RFC 2985
|
||||||
|
* (PKCS#9) defines a few in section 5.4. We currently don't support any,
|
||||||
|
* so we just ignore them. This is a safe thing to do as the worst thing
|
||||||
|
* that could happen is that we issue a certificate that does not match
|
||||||
|
* the requester's expectations - this cannot cause a violation of our
|
||||||
|
* signature policies.
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_asn1_get_tag( &p, end, &len,
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_CONTEXT_SPECIFIC ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT + ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
p += len;
|
||||||
|
|
||||||
|
end = csr->raw.p + csr->raw.len;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* signatureAlgorithm AlgorithmIdentifier,
|
||||||
|
* signature BIT STRING
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_x509_get_alg( &p, end, &csr->sig_oid, &sig_params ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_sig_alg( &csr->sig_oid, &sig_params,
|
||||||
|
&csr->sig_md, &csr->sig_pk,
|
||||||
|
&csr->sig_opts ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_get_sig( &p, end, &csr->sig ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( p != end )
|
||||||
|
{
|
||||||
|
mbedtls_x509_csr_free( csr );
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT +
|
||||||
|
MBEDTLS_ERR_ASN1_LENGTH_MISMATCH );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse a CSR, allowing for PEM or raw DER encoding
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse( mbedtls_x509_csr *csr, const unsigned char *buf, size_t buflen )
|
||||||
|
{
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
int ret;
|
||||||
|
size_t use_len;
|
||||||
|
mbedtls_pem_context pem;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check for valid input
|
||||||
|
*/
|
||||||
|
if( csr == NULL || buf == NULL || buflen == 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
/* Avoid calling mbedtls_pem_read_buffer() on non-null-terminated string */
|
||||||
|
if( buf[buflen - 1] == '\0' )
|
||||||
|
{
|
||||||
|
mbedtls_pem_init( &pem );
|
||||||
|
ret = mbedtls_pem_read_buffer( &pem,
|
||||||
|
"-----BEGIN CERTIFICATE REQUEST-----",
|
||||||
|
"-----END CERTIFICATE REQUEST-----",
|
||||||
|
buf, NULL, 0, &use_len );
|
||||||
|
if( ret == MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
|
||||||
|
{
|
||||||
|
ret = mbedtls_pem_read_buffer( &pem,
|
||||||
|
"-----BEGIN NEW CERTIFICATE REQUEST-----",
|
||||||
|
"-----END NEW CERTIFICATE REQUEST-----",
|
||||||
|
buf, NULL, 0, &use_len );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
|
{
|
||||||
|
/*
|
||||||
|
* Was PEM encoded, parse the result
|
||||||
|
*/
|
||||||
|
ret = mbedtls_x509_csr_parse_der( csr, pem.buf, pem.buflen );
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_pem_free( &pem );
|
||||||
|
if( ret != MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT )
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_PEM_PARSE_C */
|
||||||
|
return( mbedtls_x509_csr_parse_der( csr, buf, buflen ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_FS_IO)
|
||||||
|
/*
|
||||||
|
* Load a CSR into the structure
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_parse_file( mbedtls_x509_csr *csr, const char *path )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t n;
|
||||||
|
unsigned char *buf;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_pk_load_file( path, &buf, &n ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_x509_csr_parse( csr, buf, n );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( buf, n );
|
||||||
|
mbedtls_free( buf );
|
||||||
|
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_FS_IO */
|
||||||
|
|
||||||
|
#define BEFORE_COLON 14
|
||||||
|
#define BC "14"
|
||||||
|
/*
|
||||||
|
* Return an informational string about the CSR.
|
||||||
|
*/
|
||||||
|
int mbedtls_x509_csr_info( char *buf, size_t size, const char *prefix,
|
||||||
|
const mbedtls_x509_csr *csr )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t n;
|
||||||
|
char *p;
|
||||||
|
char key_size_str[BEFORE_COLON];
|
||||||
|
|
||||||
|
p = buf;
|
||||||
|
n = size;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "%sCSR version : %d",
|
||||||
|
prefix, csr->version );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%ssubject name : ", prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
ret = mbedtls_x509_dn_gets( p, n, &csr->subject );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%ssigned using : ", prefix );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
ret = mbedtls_x509_sig_alg_gets( p, n, &csr->sig_oid, csr->sig_pk, csr->sig_md,
|
||||||
|
csr->sig_opts );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509_key_size_helper( key_size_str, BEFORE_COLON,
|
||||||
|
mbedtls_pk_get_name( &csr->pk ) ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
ret = mbedtls_snprintf( p, n, "\n%s%-" BC "s: %d bits\n", prefix, key_size_str,
|
||||||
|
(int) mbedtls_pk_get_bitlen( &csr->pk ) );
|
||||||
|
MBEDTLS_X509_SAFE_SNPRINTF;
|
||||||
|
|
||||||
|
return( (int) ( size - n ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Initialize a CSR
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_csr_init( mbedtls_x509_csr *csr )
|
||||||
|
{
|
||||||
|
memset( csr, 0, sizeof(mbedtls_x509_csr) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Unallocate all CSR data
|
||||||
|
*/
|
||||||
|
void mbedtls_x509_csr_free( mbedtls_x509_csr *csr )
|
||||||
|
{
|
||||||
|
mbedtls_x509_name *name_cur;
|
||||||
|
mbedtls_x509_name *name_prv;
|
||||||
|
|
||||||
|
if( csr == NULL )
|
||||||
|
return;
|
||||||
|
|
||||||
|
mbedtls_pk_free( &csr->pk );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||||
|
mbedtls_free( csr->sig_opts );
|
||||||
|
#endif
|
||||||
|
|
||||||
|
name_cur = csr->subject.next;
|
||||||
|
while( name_cur != NULL )
|
||||||
|
{
|
||||||
|
name_prv = name_cur;
|
||||||
|
name_cur = name_cur->next;
|
||||||
|
mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
|
||||||
|
mbedtls_free( name_prv );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( csr->raw.p != NULL )
|
||||||
|
{
|
||||||
|
mbedtls_platform_zeroize( csr->raw.p, csr->raw.len );
|
||||||
|
mbedtls_free( csr->raw.p );
|
||||||
|
}
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( csr, sizeof( mbedtls_x509_csr ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_CSR_PARSE_C */
|
495
library/x509write_crt.c
Normal file
495
library/x509write_crt.c
Normal file
|
@ -0,0 +1,495 @@
|
||||||
|
/*
|
||||||
|
* X.509 certificate writing
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* References:
|
||||||
|
* - certificates: RFC 5280, updated by RFC 6818
|
||||||
|
* - CSRs: PKCS#10 v1.7 aka RFC 2986
|
||||||
|
* - attributes: PKCS#9 v2.0 aka RFC 2985
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CRT_WRITE_C)
|
||||||
|
|
||||||
|
#include "mbedtls/x509_crt.h"
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
#include "mbedtls/asn1write.h"
|
||||||
|
#include "mbedtls/sha1.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
#include "mbedtls/pem.h"
|
||||||
|
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||||
|
|
||||||
|
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
||||||
|
{
|
||||||
|
memset( ctx, 0, sizeof( mbedtls_x509write_cert ) );
|
||||||
|
|
||||||
|
mbedtls_mpi_init( &ctx->serial );
|
||||||
|
ctx->version = MBEDTLS_X509_CRT_VERSION_3;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_crt_free( mbedtls_x509write_cert *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_mpi_free( &ctx->serial );
|
||||||
|
|
||||||
|
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
||||||
|
mbedtls_asn1_free_named_data_list( &ctx->issuer );
|
||||||
|
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_cert ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_crt_set_version( mbedtls_x509write_cert *ctx, int version )
|
||||||
|
{
|
||||||
|
ctx->version = version;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_crt_set_md_alg( mbedtls_x509write_cert *ctx, mbedtls_md_type_t md_alg )
|
||||||
|
{
|
||||||
|
ctx->md_alg = md_alg;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_crt_set_subject_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
|
||||||
|
{
|
||||||
|
ctx->subject_key = key;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_crt_set_issuer_key( mbedtls_x509write_cert *ctx, mbedtls_pk_context *key )
|
||||||
|
{
|
||||||
|
ctx->issuer_key = key;
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_subject_name( mbedtls_x509write_cert *ctx,
|
||||||
|
const char *subject_name )
|
||||||
|
{
|
||||||
|
return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_issuer_name( mbedtls_x509write_cert *ctx,
|
||||||
|
const char *issuer_name )
|
||||||
|
{
|
||||||
|
return mbedtls_x509_string_to_names( &ctx->issuer, issuer_name );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_serial( mbedtls_x509write_cert *ctx, const mbedtls_mpi *serial )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_mpi_copy( &ctx->serial, serial ) ) != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_validity( mbedtls_x509write_cert *ctx, const char *not_before,
|
||||||
|
const char *not_after )
|
||||||
|
{
|
||||||
|
if( strlen( not_before ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 ||
|
||||||
|
strlen( not_after ) != MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1 )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
}
|
||||||
|
strncpy( ctx->not_before, not_before, MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
|
||||||
|
strncpy( ctx->not_after , not_after , MBEDTLS_X509_RFC5280_UTC_TIME_LEN );
|
||||||
|
ctx->not_before[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
|
||||||
|
ctx->not_after[MBEDTLS_X509_RFC5280_UTC_TIME_LEN - 1] = 'Z';
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
|
||||||
|
const char *oid, size_t oid_len,
|
||||||
|
int critical,
|
||||||
|
const unsigned char *val, size_t val_len )
|
||||||
|
{
|
||||||
|
return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
|
||||||
|
critical, val, val_len );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
|
||||||
|
int is_ca, int max_pathlen )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char buf[9];
|
||||||
|
unsigned char *c = buf + sizeof(buf);
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
memset( buf, 0, sizeof(buf) );
|
||||||
|
|
||||||
|
if( is_ca && max_pathlen > 127 )
|
||||||
|
return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
|
||||||
|
|
||||||
|
if( is_ca )
|
||||||
|
{
|
||||||
|
if( max_pathlen >= 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, buf, max_pathlen ) );
|
||||||
|
}
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_bool( &c, buf, 1 ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_BASIC_CONSTRAINTS,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_BASIC_CONSTRAINTS ),
|
||||||
|
0, buf + sizeof(buf) - len, len );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
|
int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ctx )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
||||||
|
unsigned char *c = buf + sizeof(buf);
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
memset( buf, 0, sizeof(buf) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->subject_key ) );
|
||||||
|
|
||||||
|
ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
|
||||||
|
buf + sizeof( buf ) - 20 );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
c = buf + sizeof( buf ) - 20;
|
||||||
|
len = 20;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_OCTET_STRING ) );
|
||||||
|
|
||||||
|
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_SUBJECT_KEY_IDENTIFIER ),
|
||||||
|
0, buf + sizeof(buf) - len, len );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char buf[MBEDTLS_MPI_MAX_SIZE * 2 + 20]; /* tag, length + 2xMPI */
|
||||||
|
unsigned char *c = buf + sizeof( buf );
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
memset( buf, 0, sizeof(buf) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_pk_write_pubkey( &c, buf, ctx->issuer_key ) );
|
||||||
|
|
||||||
|
ret = mbedtls_sha1_ret( buf + sizeof( buf ) - len, len,
|
||||||
|
buf + sizeof( buf ) - 20 );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
c = buf + sizeof( buf ) - 20;
|
||||||
|
len = 20;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC | 0 ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
return mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_AUTHORITY_KEY_IDENTIFIER ),
|
||||||
|
0, buf + sizeof( buf ) - len, len );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SHA1_C */
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_key_usage( mbedtls_x509write_cert *ctx,
|
||||||
|
unsigned int key_usage )
|
||||||
|
{
|
||||||
|
unsigned char buf[5], ku[2];
|
||||||
|
unsigned char *c;
|
||||||
|
int ret;
|
||||||
|
const unsigned int allowed_bits = MBEDTLS_X509_KU_DIGITAL_SIGNATURE |
|
||||||
|
MBEDTLS_X509_KU_NON_REPUDIATION |
|
||||||
|
MBEDTLS_X509_KU_KEY_ENCIPHERMENT |
|
||||||
|
MBEDTLS_X509_KU_DATA_ENCIPHERMENT |
|
||||||
|
MBEDTLS_X509_KU_KEY_AGREEMENT |
|
||||||
|
MBEDTLS_X509_KU_KEY_CERT_SIGN |
|
||||||
|
MBEDTLS_X509_KU_CRL_SIGN |
|
||||||
|
MBEDTLS_X509_KU_ENCIPHER_ONLY |
|
||||||
|
MBEDTLS_X509_KU_DECIPHER_ONLY;
|
||||||
|
|
||||||
|
/* Check that nothing other than the allowed flags is set */
|
||||||
|
if( ( key_usage & ~allowed_bits ) != 0 )
|
||||||
|
return( MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE );
|
||||||
|
|
||||||
|
c = buf + 5;
|
||||||
|
ku[0] = (unsigned char)( key_usage );
|
||||||
|
ku[1] = (unsigned char)( key_usage >> 8 );
|
||||||
|
ret = mbedtls_asn1_write_named_bitstring( &c, buf, ku, 9 );
|
||||||
|
|
||||||
|
if( ret < 0 )
|
||||||
|
return( ret );
|
||||||
|
else if( ret < 3 || ret > 5 )
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_FORMAT );
|
||||||
|
|
||||||
|
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
|
||||||
|
1, c, (size_t)ret );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_set_ns_cert_type( mbedtls_x509write_cert *ctx,
|
||||||
|
unsigned char ns_cert_type )
|
||||||
|
{
|
||||||
|
unsigned char buf[4];
|
||||||
|
unsigned char *c;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
c = buf + 4;
|
||||||
|
|
||||||
|
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
|
||||||
|
if( ret < 3 || ret > 4 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_x509write_crt_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
|
||||||
|
0, c, (size_t)ret );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
static int x509_write_time( unsigned char **p, unsigned char *start,
|
||||||
|
const char *t, size_t size )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
size_t len = 0;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* write MBEDTLS_ASN1_UTC_TIME if year < 2050 (2 bytes shorter)
|
||||||
|
*/
|
||||||
|
if( t[0] == '2' && t[1] == '0' && t[2] < '5' )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
|
||||||
|
(const unsigned char *) t + 2,
|
||||||
|
size - 2 ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_UTC_TIME ) );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_raw_buffer( p, start,
|
||||||
|
(const unsigned char *) t,
|
||||||
|
size ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( p, start, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( p, start, MBEDTLS_ASN1_GENERALIZED_TIME ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_crt_der( mbedtls_x509write_cert *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
const char *sig_oid;
|
||||||
|
size_t sig_oid_len = 0;
|
||||||
|
unsigned char *c, *c2;
|
||||||
|
unsigned char hash[64];
|
||||||
|
unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
|
||||||
|
unsigned char tmp_buf[2048];
|
||||||
|
size_t sub_len = 0, pub_len = 0, sig_and_oid_len = 0, sig_len;
|
||||||
|
size_t len = 0;
|
||||||
|
mbedtls_pk_type_t pk_alg;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Prepare data to be signed in tmp_buf
|
||||||
|
*/
|
||||||
|
c = tmp_buf + sizeof( tmp_buf );
|
||||||
|
|
||||||
|
/* Signature algorithm needed in TBS, and later for actual signature */
|
||||||
|
|
||||||
|
/* There's no direct way of extracting a signature algorithm
|
||||||
|
* (represented as an element of mbedtls_pk_type_t) from a PK instance. */
|
||||||
|
if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_RSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_RSA;
|
||||||
|
else if( mbedtls_pk_can_do( ctx->issuer_key, MBEDTLS_PK_ECDSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_ECDSA;
|
||||||
|
else
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||||
|
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Only for v3 */
|
||||||
|
if( ctx->version == MBEDTLS_X509_CRT_VERSION_3 )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | 3 ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* SubjectPublicKeyInfo
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->subject_key,
|
||||||
|
tmp_buf, c - tmp_buf ) );
|
||||||
|
c -= pub_len;
|
||||||
|
len += pub_len;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Subject ::= Name
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Validity ::= SEQUENCE {
|
||||||
|
* notBefore Time,
|
||||||
|
* notAfter Time }
|
||||||
|
*/
|
||||||
|
sub_len = 0;
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_after,
|
||||||
|
MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( sub_len, x509_write_time( &c, tmp_buf, ctx->not_before,
|
||||||
|
MBEDTLS_X509_RFC5280_UTC_TIME_LEN ) );
|
||||||
|
|
||||||
|
len += sub_len;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Issuer ::= Name
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->issuer ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Signature ::= AlgorithmIdentifier
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_algorithm_identifier( &c, tmp_buf,
|
||||||
|
sig_oid, strlen( sig_oid ), 0 ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Serial ::= INTEGER
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_mpi( &c, tmp_buf, &ctx->serial ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* Can be omitted for v1 */
|
||||||
|
if( ctx->version != MBEDTLS_X509_CRT_VERSION_1 )
|
||||||
|
{
|
||||||
|
sub_len = 0;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( sub_len, mbedtls_asn1_write_int( &c, tmp_buf, ctx->version ) );
|
||||||
|
len += sub_len;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, sub_len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONTEXT_SPECIFIC |
|
||||||
|
MBEDTLS_ASN1_CONSTRUCTED | 0 ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Make signature
|
||||||
|
*/
|
||||||
|
if( ( ret = mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c,
|
||||||
|
len, hash ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_pk_sign( ctx->issuer_key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||||
|
f_rng, p_rng ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Write data to output buffer
|
||||||
|
*/
|
||||||
|
c2 = buf + size;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
||||||
|
sig_oid, sig_oid_len, sig, sig_len ) );
|
||||||
|
|
||||||
|
if( len > (size_t)( c2 - buf ) )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
|
c2 -= len;
|
||||||
|
memcpy( c2, c, len );
|
||||||
|
|
||||||
|
len += sig_and_oid_len;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
#define PEM_BEGIN_CRT "-----BEGIN CERTIFICATE-----\n"
|
||||||
|
#define PEM_END_CRT "-----END CERTIFICATE-----\n"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
int mbedtls_x509write_crt_pem( mbedtls_x509write_cert *crt, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char output_buf[4096];
|
||||||
|
size_t olen = 0;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509write_crt_der( crt, output_buf, sizeof(output_buf),
|
||||||
|
f_rng, p_rng ) ) < 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CRT, PEM_END_CRT,
|
||||||
|
output_buf + sizeof(output_buf) - ret,
|
||||||
|
ret, buf, size, &olen ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_CRT_WRITE_C */
|
287
library/x509write_csr.c
Normal file
287
library/x509write_csr.c
Normal file
|
@ -0,0 +1,287 @@
|
||||||
|
/*
|
||||||
|
* X.509 Certificate Signing Request writing
|
||||||
|
*
|
||||||
|
* Copyright (C) 2006-2015, ARM Limited, All Rights Reserved
|
||||||
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
*
|
||||||
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
* not use this file except in compliance with the License.
|
||||||
|
* You may obtain a copy of the License at
|
||||||
|
*
|
||||||
|
* http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
*
|
||||||
|
* Unless required by applicable law or agreed to in writing, software
|
||||||
|
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
||||||
|
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
* See the License for the specific language governing permissions and
|
||||||
|
* limitations under the License.
|
||||||
|
*
|
||||||
|
* This file is part of mbed TLS (https://tls.mbed.org)
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* References:
|
||||||
|
* - CSRs: PKCS#10 v1.7 aka RFC 2986
|
||||||
|
* - attributes: PKCS#9 v2.0 aka RFC 2985
|
||||||
|
*/
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_CONFIG_FILE)
|
||||||
|
#include "mbedtls/config.h"
|
||||||
|
#else
|
||||||
|
#include MBEDTLS_CONFIG_FILE
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_X509_CSR_WRITE_C)
|
||||||
|
|
||||||
|
#include "mbedtls/x509_csr.h"
|
||||||
|
#include "mbedtls/oid.h"
|
||||||
|
#include "mbedtls/asn1write.h"
|
||||||
|
#include "mbedtls/platform_util.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#include "psa/crypto.h"
|
||||||
|
#include "mbedtls/psa_util.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#include <string.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
#include "mbedtls/pem.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
void mbedtls_x509write_csr_init( mbedtls_x509write_csr *ctx )
|
||||||
|
{
|
||||||
|
memset( ctx, 0, sizeof( mbedtls_x509write_csr ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_csr_free( mbedtls_x509write_csr *ctx )
|
||||||
|
{
|
||||||
|
mbedtls_asn1_free_named_data_list( &ctx->subject );
|
||||||
|
mbedtls_asn1_free_named_data_list( &ctx->extensions );
|
||||||
|
|
||||||
|
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_x509write_csr ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_csr_set_md_alg( mbedtls_x509write_csr *ctx, mbedtls_md_type_t md_alg )
|
||||||
|
{
|
||||||
|
ctx->md_alg = md_alg;
|
||||||
|
}
|
||||||
|
|
||||||
|
void mbedtls_x509write_csr_set_key( mbedtls_x509write_csr *ctx, mbedtls_pk_context *key )
|
||||||
|
{
|
||||||
|
ctx->key = key;
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_csr_set_subject_name( mbedtls_x509write_csr *ctx,
|
||||||
|
const char *subject_name )
|
||||||
|
{
|
||||||
|
return mbedtls_x509_string_to_names( &ctx->subject, subject_name );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_csr_set_extension( mbedtls_x509write_csr *ctx,
|
||||||
|
const char *oid, size_t oid_len,
|
||||||
|
const unsigned char *val, size_t val_len )
|
||||||
|
{
|
||||||
|
return mbedtls_x509_set_extension( &ctx->extensions, oid, oid_len,
|
||||||
|
0, val, val_len );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_csr_set_key_usage( mbedtls_x509write_csr *ctx, unsigned char key_usage )
|
||||||
|
{
|
||||||
|
unsigned char buf[4];
|
||||||
|
unsigned char *c;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
c = buf + 4;
|
||||||
|
|
||||||
|
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &key_usage, 8 );
|
||||||
|
if( ret < 3 || ret > 4 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_KEY_USAGE,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_KEY_USAGE ),
|
||||||
|
c, (size_t)ret );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_csr_set_ns_cert_type( mbedtls_x509write_csr *ctx,
|
||||||
|
unsigned char ns_cert_type )
|
||||||
|
{
|
||||||
|
unsigned char buf[4];
|
||||||
|
unsigned char *c;
|
||||||
|
int ret;
|
||||||
|
|
||||||
|
c = buf + 4;
|
||||||
|
|
||||||
|
ret = mbedtls_asn1_write_named_bitstring( &c, buf, &ns_cert_type, 8 );
|
||||||
|
if( ret < 3 || ret > 4 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
ret = mbedtls_x509write_csr_set_extension( ctx, MBEDTLS_OID_NS_CERT_TYPE,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_NS_CERT_TYPE ),
|
||||||
|
c, (size_t)ret );
|
||||||
|
if( ret != 0 )
|
||||||
|
return( ret );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
int mbedtls_x509write_csr_der( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
const char *sig_oid;
|
||||||
|
size_t sig_oid_len = 0;
|
||||||
|
unsigned char *c, *c2;
|
||||||
|
unsigned char hash[64];
|
||||||
|
unsigned char sig[MBEDTLS_MPI_MAX_SIZE];
|
||||||
|
unsigned char tmp_buf[2048];
|
||||||
|
size_t pub_len = 0, sig_and_oid_len = 0, sig_len;
|
||||||
|
size_t len = 0;
|
||||||
|
mbedtls_pk_type_t pk_alg;
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
psa_hash_operation_t hash_operation = PSA_HASH_OPERATION_INIT;
|
||||||
|
size_t hash_len;
|
||||||
|
psa_algorithm_t hash_alg = mbedtls_psa_translate_md( ctx->md_alg );
|
||||||
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
/*
|
||||||
|
* Prepare data to be signed in tmp_buf
|
||||||
|
*/
|
||||||
|
c = tmp_buf + sizeof( tmp_buf );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_extensions( &c, tmp_buf, ctx->extensions ) );
|
||||||
|
|
||||||
|
if( len )
|
||||||
|
{
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SET ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_oid( &c, tmp_buf, MBEDTLS_OID_PKCS9_CSR_EXT_REQ,
|
||||||
|
MBEDTLS_OID_SIZE( MBEDTLS_OID_PKCS9_CSR_EXT_REQ ) ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
}
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_CONTEXT_SPECIFIC ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( pub_len, mbedtls_pk_write_pubkey_der( ctx->key,
|
||||||
|
tmp_buf, c - tmp_buf ) );
|
||||||
|
c -= pub_len;
|
||||||
|
len += pub_len;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Subject ::= Name
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_x509_write_names( &c, tmp_buf, ctx->subject ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Version ::= INTEGER { v1(0), v2(1), v3(2) }
|
||||||
|
*/
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_int( &c, tmp_buf, 0 ) );
|
||||||
|
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c, tmp_buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c, tmp_buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Prepare signature
|
||||||
|
* Note: hash errors can happen only after an internal error
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
if( psa_hash_setup( &hash_operation, hash_alg ) != PSA_SUCCESS )
|
||||||
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||||
|
|
||||||
|
if( psa_hash_update( &hash_operation, c, len ) != PSA_SUCCESS )
|
||||||
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||||
|
|
||||||
|
if( psa_hash_finish( &hash_operation, hash, sizeof( hash ), &hash_len )
|
||||||
|
!= PSA_SUCCESS )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_X509_FATAL_ERROR );
|
||||||
|
}
|
||||||
|
#else /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
mbedtls_md( mbedtls_md_info_from_type( ctx->md_alg ), c, len, hash );
|
||||||
|
#endif
|
||||||
|
if( ( ret = mbedtls_pk_sign( ctx->key, ctx->md_alg, hash, 0, sig, &sig_len,
|
||||||
|
f_rng, p_rng ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_RSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_RSA;
|
||||||
|
else if( mbedtls_pk_can_do( ctx->key, MBEDTLS_PK_ECDSA ) )
|
||||||
|
pk_alg = MBEDTLS_PK_ECDSA;
|
||||||
|
else
|
||||||
|
return( MBEDTLS_ERR_X509_INVALID_ALG );
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_oid_get_oid_by_sig_alg( pk_alg, ctx->md_alg,
|
||||||
|
&sig_oid, &sig_oid_len ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Write data to output buffer
|
||||||
|
*/
|
||||||
|
c2 = buf + size;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( sig_and_oid_len, mbedtls_x509_write_sig( &c2, buf,
|
||||||
|
sig_oid, sig_oid_len, sig, sig_len ) );
|
||||||
|
|
||||||
|
if( len > (size_t)( c2 - buf ) )
|
||||||
|
return( MBEDTLS_ERR_ASN1_BUF_TOO_SMALL );
|
||||||
|
|
||||||
|
c2 -= len;
|
||||||
|
memcpy( c2, c, len );
|
||||||
|
|
||||||
|
len += sig_and_oid_len;
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_len( &c2, buf, len ) );
|
||||||
|
MBEDTLS_ASN1_CHK_ADD( len, mbedtls_asn1_write_tag( &c2, buf, MBEDTLS_ASN1_CONSTRUCTED |
|
||||||
|
MBEDTLS_ASN1_SEQUENCE ) );
|
||||||
|
|
||||||
|
return( (int) len );
|
||||||
|
}
|
||||||
|
|
||||||
|
#define PEM_BEGIN_CSR "-----BEGIN CERTIFICATE REQUEST-----\n"
|
||||||
|
#define PEM_END_CSR "-----END CERTIFICATE REQUEST-----\n"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PEM_WRITE_C)
|
||||||
|
int mbedtls_x509write_csr_pem( mbedtls_x509write_csr *ctx, unsigned char *buf, size_t size,
|
||||||
|
int (*f_rng)(void *, unsigned char *, size_t),
|
||||||
|
void *p_rng )
|
||||||
|
{
|
||||||
|
int ret;
|
||||||
|
unsigned char output_buf[4096];
|
||||||
|
size_t olen = 0;
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_x509write_csr_der( ctx, output_buf, sizeof(output_buf),
|
||||||
|
f_rng, p_rng ) ) < 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ( ret = mbedtls_pem_write_buffer( PEM_BEGIN_CSR, PEM_END_CSR,
|
||||||
|
output_buf + sizeof(output_buf) - ret,
|
||||||
|
ret, buf, size, &olen ) ) != 0 )
|
||||||
|
{
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_PEM_WRITE_C */
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_X509_CSR_WRITE_C */
|
|
@ -47,6 +47,7 @@
|
||||||
#include "mbedtls/cmac.h"
|
#include "mbedtls/cmac.h"
|
||||||
#include "mbedtls/compat-1.3.h"
|
#include "mbedtls/compat-1.3.h"
|
||||||
#include "mbedtls/ctr_drbg.h"
|
#include "mbedtls/ctr_drbg.h"
|
||||||
|
#include "mbedtls/debug.h"
|
||||||
#include "mbedtls/des.h"
|
#include "mbedtls/des.h"
|
||||||
#include "mbedtls/dhm.h"
|
#include "mbedtls/dhm.h"
|
||||||
#include "mbedtls/ecdh.h"
|
#include "mbedtls/ecdh.h"
|
||||||
|
@ -66,12 +67,15 @@
|
||||||
#include "mbedtls/md4.h"
|
#include "mbedtls/md4.h"
|
||||||
#include "mbedtls/md5.h"
|
#include "mbedtls/md5.h"
|
||||||
#include "mbedtls/md_internal.h"
|
#include "mbedtls/md_internal.h"
|
||||||
|
#include "mbedtls/net.h"
|
||||||
|
#include "mbedtls/net_sockets.h"
|
||||||
#include "mbedtls/nist_kw.h"
|
#include "mbedtls/nist_kw.h"
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
#include "mbedtls/padlock.h"
|
#include "mbedtls/padlock.h"
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#include "mbedtls/pk.h"
|
#include "mbedtls/pk.h"
|
||||||
#include "mbedtls/pk_internal.h"
|
#include "mbedtls/pk_internal.h"
|
||||||
|
#include "mbedtls/pkcs11.h"
|
||||||
#include "mbedtls/pkcs12.h"
|
#include "mbedtls/pkcs12.h"
|
||||||
#include "mbedtls/pkcs5.h"
|
#include "mbedtls/pkcs5.h"
|
||||||
#include "mbedtls/platform_time.h"
|
#include "mbedtls/platform_time.h"
|
||||||
|
@ -84,6 +88,12 @@
|
||||||
#include "mbedtls/sha1.h"
|
#include "mbedtls/sha1.h"
|
||||||
#include "mbedtls/sha256.h"
|
#include "mbedtls/sha256.h"
|
||||||
#include "mbedtls/sha512.h"
|
#include "mbedtls/sha512.h"
|
||||||
|
#include "mbedtls/ssl.h"
|
||||||
|
#include "mbedtls/ssl_cache.h"
|
||||||
|
#include "mbedtls/ssl_ciphersuites.h"
|
||||||
|
#include "mbedtls/ssl_cookie.h"
|
||||||
|
#include "mbedtls/ssl_internal.h"
|
||||||
|
#include "mbedtls/ssl_ticket.h"
|
||||||
#include "mbedtls/threading.h"
|
#include "mbedtls/threading.h"
|
||||||
#include "mbedtls/timing.h"
|
#include "mbedtls/timing.h"
|
||||||
#include "mbedtls/version.h"
|
#include "mbedtls/version.h"
|
||||||
|
|
|
@ -53,6 +53,7 @@
|
||||||
#include "mbedtls/cipher.h"
|
#include "mbedtls/cipher.h"
|
||||||
#include "mbedtls/cmac.h"
|
#include "mbedtls/cmac.h"
|
||||||
#include "mbedtls/ctr_drbg.h"
|
#include "mbedtls/ctr_drbg.h"
|
||||||
|
#include "mbedtls/debug.h"
|
||||||
#include "mbedtls/des.h"
|
#include "mbedtls/des.h"
|
||||||
#include "mbedtls/dhm.h"
|
#include "mbedtls/dhm.h"
|
||||||
#include "mbedtls/ecdh.h"
|
#include "mbedtls/ecdh.h"
|
||||||
|
@ -71,11 +72,13 @@
|
||||||
#include "mbedtls/md4.h"
|
#include "mbedtls/md4.h"
|
||||||
#include "mbedtls/md5.h"
|
#include "mbedtls/md5.h"
|
||||||
#include "mbedtls/memory_buffer_alloc.h"
|
#include "mbedtls/memory_buffer_alloc.h"
|
||||||
|
#include "mbedtls/net_sockets.h"
|
||||||
#include "mbedtls/nist_kw.h"
|
#include "mbedtls/nist_kw.h"
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
#include "mbedtls/padlock.h"
|
#include "mbedtls/padlock.h"
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#include "mbedtls/pk.h"
|
#include "mbedtls/pk.h"
|
||||||
|
#include "mbedtls/pkcs11.h"
|
||||||
#include "mbedtls/pkcs12.h"
|
#include "mbedtls/pkcs12.h"
|
||||||
#include "mbedtls/pkcs5.h"
|
#include "mbedtls/pkcs5.h"
|
||||||
#include "mbedtls/platform_time.h"
|
#include "mbedtls/platform_time.h"
|
||||||
|
@ -86,9 +89,19 @@
|
||||||
#include "mbedtls/sha1.h"
|
#include "mbedtls/sha1.h"
|
||||||
#include "mbedtls/sha256.h"
|
#include "mbedtls/sha256.h"
|
||||||
#include "mbedtls/sha512.h"
|
#include "mbedtls/sha512.h"
|
||||||
|
#include "mbedtls/ssl.h"
|
||||||
|
#include "mbedtls/ssl_cache.h"
|
||||||
|
#include "mbedtls/ssl_ciphersuites.h"
|
||||||
|
#include "mbedtls/ssl_cookie.h"
|
||||||
|
#include "mbedtls/ssl_internal.h"
|
||||||
|
#include "mbedtls/ssl_ticket.h"
|
||||||
#include "mbedtls/threading.h"
|
#include "mbedtls/threading.h"
|
||||||
#include "mbedtls/timing.h"
|
#include "mbedtls/timing.h"
|
||||||
#include "mbedtls/version.h"
|
#include "mbedtls/version.h"
|
||||||
|
#include "mbedtls/x509.h"
|
||||||
|
#include "mbedtls/x509_crl.h"
|
||||||
|
#include "mbedtls/x509_crt.h"
|
||||||
|
#include "mbedtls/x509_csr.h"
|
||||||
#include "mbedtls/xtea.h"
|
#include "mbedtls/xtea.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
|
@ -53,6 +53,7 @@
|
||||||
#include "mbedtls/cipher.h"
|
#include "mbedtls/cipher.h"
|
||||||
#include "mbedtls/cmac.h"
|
#include "mbedtls/cmac.h"
|
||||||
#include "mbedtls/ctr_drbg.h"
|
#include "mbedtls/ctr_drbg.h"
|
||||||
|
#include "mbedtls/debug.h"
|
||||||
#include "mbedtls/des.h"
|
#include "mbedtls/des.h"
|
||||||
#include "mbedtls/dhm.h"
|
#include "mbedtls/dhm.h"
|
||||||
#include "mbedtls/ecdh.h"
|
#include "mbedtls/ecdh.h"
|
||||||
|
@ -71,11 +72,13 @@
|
||||||
#include "mbedtls/md4.h"
|
#include "mbedtls/md4.h"
|
||||||
#include "mbedtls/md5.h"
|
#include "mbedtls/md5.h"
|
||||||
#include "mbedtls/memory_buffer_alloc.h"
|
#include "mbedtls/memory_buffer_alloc.h"
|
||||||
|
#include "mbedtls/net_sockets.h"
|
||||||
#include "mbedtls/nist_kw.h"
|
#include "mbedtls/nist_kw.h"
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
#include "mbedtls/padlock.h"
|
#include "mbedtls/padlock.h"
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#include "mbedtls/pk.h"
|
#include "mbedtls/pk.h"
|
||||||
|
#include "mbedtls/pkcs11.h"
|
||||||
#include "mbedtls/pkcs12.h"
|
#include "mbedtls/pkcs12.h"
|
||||||
#include "mbedtls/pkcs5.h"
|
#include "mbedtls/pkcs5.h"
|
||||||
#include "mbedtls/platform_time.h"
|
#include "mbedtls/platform_time.h"
|
||||||
|
@ -86,9 +89,19 @@
|
||||||
#include "mbedtls/sha1.h"
|
#include "mbedtls/sha1.h"
|
||||||
#include "mbedtls/sha256.h"
|
#include "mbedtls/sha256.h"
|
||||||
#include "mbedtls/sha512.h"
|
#include "mbedtls/sha512.h"
|
||||||
|
#include "mbedtls/ssl.h"
|
||||||
|
#include "mbedtls/ssl_cache.h"
|
||||||
|
#include "mbedtls/ssl_ciphersuites.h"
|
||||||
|
#include "mbedtls/ssl_cookie.h"
|
||||||
|
#include "mbedtls/ssl_internal.h"
|
||||||
|
#include "mbedtls/ssl_ticket.h"
|
||||||
#include "mbedtls/threading.h"
|
#include "mbedtls/threading.h"
|
||||||
#include "mbedtls/timing.h"
|
#include "mbedtls/timing.h"
|
||||||
#include "mbedtls/version.h"
|
#include "mbedtls/version.h"
|
||||||
|
#include "mbedtls/x509.h"
|
||||||
|
#include "mbedtls/x509_crl.h"
|
||||||
|
#include "mbedtls/x509_crt.h"
|
||||||
|
#include "mbedtls/x509_csr.h"
|
||||||
#include "mbedtls/xtea.h"
|
#include "mbedtls/xtea.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
|
@ -172,6 +172,7 @@
|
||||||
<ClInclude Include="..\..\include\mbedtls\compat-1.3.h" />
|
<ClInclude Include="..\..\include\mbedtls\compat-1.3.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\config.h" />
|
<ClInclude Include="..\..\include\mbedtls\config.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\ctr_drbg.h" />
|
<ClInclude Include="..\..\include\mbedtls\ctr_drbg.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\debug.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\des.h" />
|
<ClInclude Include="..\..\include\mbedtls\des.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\dhm.h" />
|
<ClInclude Include="..\..\include\mbedtls\dhm.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\ecdh.h" />
|
<ClInclude Include="..\..\include\mbedtls\ecdh.h" />
|
||||||
|
@ -192,12 +193,15 @@
|
||||||
<ClInclude Include="..\..\include\mbedtls\md5.h" />
|
<ClInclude Include="..\..\include\mbedtls\md5.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\md_internal.h" />
|
<ClInclude Include="..\..\include\mbedtls\md_internal.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\memory_buffer_alloc.h" />
|
<ClInclude Include="..\..\include\mbedtls\memory_buffer_alloc.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\net.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\net_sockets.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\nist_kw.h" />
|
<ClInclude Include="..\..\include\mbedtls\nist_kw.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\oid.h" />
|
<ClInclude Include="..\..\include\mbedtls\oid.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\padlock.h" />
|
<ClInclude Include="..\..\include\mbedtls\padlock.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\pem.h" />
|
<ClInclude Include="..\..\include\mbedtls\pem.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\pk.h" />
|
<ClInclude Include="..\..\include\mbedtls\pk.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\pk_internal.h" />
|
<ClInclude Include="..\..\include\mbedtls\pk_internal.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\pkcs11.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\pkcs12.h" />
|
<ClInclude Include="..\..\include\mbedtls\pkcs12.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\pkcs5.h" />
|
<ClInclude Include="..\..\include\mbedtls\pkcs5.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\platform.h" />
|
<ClInclude Include="..\..\include\mbedtls\platform.h" />
|
||||||
|
@ -211,9 +215,19 @@
|
||||||
<ClInclude Include="..\..\include\mbedtls\sha1.h" />
|
<ClInclude Include="..\..\include\mbedtls\sha1.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\sha256.h" />
|
<ClInclude Include="..\..\include\mbedtls\sha256.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\sha512.h" />
|
<ClInclude Include="..\..\include\mbedtls\sha512.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\ssl.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\ssl_cache.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\ssl_ciphersuites.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\ssl_cookie.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\ssl_internal.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\ssl_ticket.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\threading.h" />
|
<ClInclude Include="..\..\include\mbedtls\threading.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\timing.h" />
|
<ClInclude Include="..\..\include\mbedtls\timing.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\version.h" />
|
<ClInclude Include="..\..\include\mbedtls\version.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\x509.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\x509_crl.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\x509_crt.h" />
|
||||||
|
<ClInclude Include="..\..\include\mbedtls\x509_csr.h" />
|
||||||
<ClInclude Include="..\..\include\mbedtls\xtea.h" />
|
<ClInclude Include="..\..\include\mbedtls\xtea.h" />
|
||||||
<ClInclude Include="..\..\include\psa\crypto.h" />
|
<ClInclude Include="..\..\include\psa\crypto.h" />
|
||||||
<ClInclude Include="..\..\include\psa\crypto_accel_driver.h" />
|
<ClInclude Include="..\..\include\psa\crypto_accel_driver.h" />
|
||||||
|
@ -251,12 +265,14 @@
|
||||||
<ClCompile Include="..\..\library\blowfish.c" />
|
<ClCompile Include="..\..\library\blowfish.c" />
|
||||||
<ClCompile Include="..\..\library\camellia.c" />
|
<ClCompile Include="..\..\library\camellia.c" />
|
||||||
<ClCompile Include="..\..\library\ccm.c" />
|
<ClCompile Include="..\..\library\ccm.c" />
|
||||||
|
<ClCompile Include="..\..\library\certs.c" />
|
||||||
<ClCompile Include="..\..\library\chacha20.c" />
|
<ClCompile Include="..\..\library\chacha20.c" />
|
||||||
<ClCompile Include="..\..\library\chachapoly.c" />
|
<ClCompile Include="..\..\library\chachapoly.c" />
|
||||||
<ClCompile Include="..\..\library\cipher.c" />
|
<ClCompile Include="..\..\library\cipher.c" />
|
||||||
<ClCompile Include="..\..\library\cipher_wrap.c" />
|
<ClCompile Include="..\..\library\cipher_wrap.c" />
|
||||||
<ClCompile Include="..\..\library\cmac.c" />
|
<ClCompile Include="..\..\library\cmac.c" />
|
||||||
<ClCompile Include="..\..\library\ctr_drbg.c" />
|
<ClCompile Include="..\..\library\ctr_drbg.c" />
|
||||||
|
<ClCompile Include="..\..\library\debug.c" />
|
||||||
<ClCompile Include="..\..\library\des.c" />
|
<ClCompile Include="..\..\library\des.c" />
|
||||||
<ClCompile Include="..\..\library\dhm.c" />
|
<ClCompile Include="..\..\library\dhm.c" />
|
||||||
<ClCompile Include="..\..\library\ecdh.c" />
|
<ClCompile Include="..\..\library\ecdh.c" />
|
||||||
|
@ -276,12 +292,14 @@
|
||||||
<ClCompile Include="..\..\library\md4.c" />
|
<ClCompile Include="..\..\library\md4.c" />
|
||||||
<ClCompile Include="..\..\library\md5.c" />
|
<ClCompile Include="..\..\library\md5.c" />
|
||||||
<ClCompile Include="..\..\library\memory_buffer_alloc.c" />
|
<ClCompile Include="..\..\library\memory_buffer_alloc.c" />
|
||||||
|
<ClCompile Include="..\..\library\net_sockets.c" />
|
||||||
<ClCompile Include="..\..\library\nist_kw.c" />
|
<ClCompile Include="..\..\library\nist_kw.c" />
|
||||||
<ClCompile Include="..\..\library\oid.c" />
|
<ClCompile Include="..\..\library\oid.c" />
|
||||||
<ClCompile Include="..\..\library\padlock.c" />
|
<ClCompile Include="..\..\library\padlock.c" />
|
||||||
<ClCompile Include="..\..\library\pem.c" />
|
<ClCompile Include="..\..\library\pem.c" />
|
||||||
<ClCompile Include="..\..\library\pk.c" />
|
<ClCompile Include="..\..\library\pk.c" />
|
||||||
<ClCompile Include="..\..\library\pk_wrap.c" />
|
<ClCompile Include="..\..\library\pk_wrap.c" />
|
||||||
|
<ClCompile Include="..\..\library\pkcs11.c" />
|
||||||
<ClCompile Include="..\..\library\pkcs12.c" />
|
<ClCompile Include="..\..\library\pkcs12.c" />
|
||||||
<ClCompile Include="..\..\library\pkcs5.c" />
|
<ClCompile Include="..\..\library\pkcs5.c" />
|
||||||
<ClCompile Include="..\..\library\pkparse.c" />
|
<ClCompile Include="..\..\library\pkparse.c" />
|
||||||
|
@ -300,10 +318,24 @@
|
||||||
<ClCompile Include="..\..\library\sha1.c" />
|
<ClCompile Include="..\..\library\sha1.c" />
|
||||||
<ClCompile Include="..\..\library\sha256.c" />
|
<ClCompile Include="..\..\library\sha256.c" />
|
||||||
<ClCompile Include="..\..\library\sha512.c" />
|
<ClCompile Include="..\..\library\sha512.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_cache.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_ciphersuites.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_cli.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_cookie.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_srv.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_ticket.c" />
|
||||||
|
<ClCompile Include="..\..\library\ssl_tls.c" />
|
||||||
<ClCompile Include="..\..\library\threading.c" />
|
<ClCompile Include="..\..\library\threading.c" />
|
||||||
<ClCompile Include="..\..\library\timing.c" />
|
<ClCompile Include="..\..\library\timing.c" />
|
||||||
<ClCompile Include="..\..\library\version.c" />
|
<ClCompile Include="..\..\library\version.c" />
|
||||||
<ClCompile Include="..\..\library\version_features.c" />
|
<ClCompile Include="..\..\library\version_features.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509_create.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509_crl.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509_crt.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509_csr.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509write_crt.c" />
|
||||||
|
<ClCompile Include="..\..\library\x509write_csr.c" />
|
||||||
<ClCompile Include="..\..\library\xtea.c" />
|
<ClCompile Include="..\..\library\xtea.c" />
|
||||||
<ClCompile Include="..\..\3rdparty\everest\library\everest.c" />
|
<ClCompile Include="..\..\3rdparty\everest\library\everest.c" />
|
||||||
<ClCompile Include="..\..\3rdparty\everest\library\Hacl_Curve25519_joined.c" />
|
<ClCompile Include="..\..\3rdparty\everest\library\Hacl_Curve25519_joined.c" />
|
||||||
|
|
Loading…
Reference in a new issue