Rough and ready port of axTLS
ssl/loader.c@0:5a29fd060ac8, 2013-05-13 (annotated)
- Committer:
- ashleymills
- Date:
- Mon May 13 18:15:18 2013 +0000
- Revision:
- 0:5a29fd060ac8
initial commit
Who changed what in which revision?
User | Revision | Line number | New contents of line |
---|---|---|---|
ashleymills | 0:5a29fd060ac8 | 1 | /* |
ashleymills | 0:5a29fd060ac8 | 2 | * Copyright (c) 2007, Cameron Rich |
ashleymills | 0:5a29fd060ac8 | 3 | * |
ashleymills | 0:5a29fd060ac8 | 4 | * All rights reserved. |
ashleymills | 0:5a29fd060ac8 | 5 | * |
ashleymills | 0:5a29fd060ac8 | 6 | * Redistribution and use in source and binary forms, with or without |
ashleymills | 0:5a29fd060ac8 | 7 | * modification, are permitted provided that the following conditions are met: |
ashleymills | 0:5a29fd060ac8 | 8 | * |
ashleymills | 0:5a29fd060ac8 | 9 | * * Redistributions of source code must retain the above copyright notice, |
ashleymills | 0:5a29fd060ac8 | 10 | * this list of conditions and the following disclaimer. |
ashleymills | 0:5a29fd060ac8 | 11 | * * Redistributions in binary form must reproduce the above copyright notice, |
ashleymills | 0:5a29fd060ac8 | 12 | * this list of conditions and the following disclaimer in the documentation |
ashleymills | 0:5a29fd060ac8 | 13 | * and/or other materials provided with the distribution. |
ashleymills | 0:5a29fd060ac8 | 14 | * * Neither the name of the axTLS project nor the names of its contributors |
ashleymills | 0:5a29fd060ac8 | 15 | * may be used to endorse or promote products derived from this software |
ashleymills | 0:5a29fd060ac8 | 16 | * without specific prior written permission. |
ashleymills | 0:5a29fd060ac8 | 17 | * |
ashleymills | 0:5a29fd060ac8 | 18 | * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS |
ashleymills | 0:5a29fd060ac8 | 19 | * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT |
ashleymills | 0:5a29fd060ac8 | 20 | * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR |
ashleymills | 0:5a29fd060ac8 | 21 | * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR |
ashleymills | 0:5a29fd060ac8 | 22 | * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, |
ashleymills | 0:5a29fd060ac8 | 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, |
ashleymills | 0:5a29fd060ac8 | 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR |
ashleymills | 0:5a29fd060ac8 | 25 | * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF |
ashleymills | 0:5a29fd060ac8 | 26 | * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING |
ashleymills | 0:5a29fd060ac8 | 27 | * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS |
ashleymills | 0:5a29fd060ac8 | 28 | * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
ashleymills | 0:5a29fd060ac8 | 29 | */ |
ashleymills | 0:5a29fd060ac8 | 30 | |
ashleymills | 0:5a29fd060ac8 | 31 | /** |
ashleymills | 0:5a29fd060ac8 | 32 | * Load certificates/keys into memory. These can be in many different formats. |
ashleymills | 0:5a29fd060ac8 | 33 | * PEM support and other formats can be processed here. |
ashleymills | 0:5a29fd060ac8 | 34 | * |
ashleymills | 0:5a29fd060ac8 | 35 | * The PEM private keys may be optionally encrypted with AES128 or AES256. |
ashleymills | 0:5a29fd060ac8 | 36 | * The encrypted PEM keys were generated with something like: |
ashleymills | 0:5a29fd060ac8 | 37 | * |
ashleymills | 0:5a29fd060ac8 | 38 | * openssl genrsa -aes128 -passout pass:abcd -out axTLS.key_aes128.pem 512 |
ashleymills | 0:5a29fd060ac8 | 39 | */ |
ashleymills | 0:5a29fd060ac8 | 40 | |
ashleymills | 0:5a29fd060ac8 | 41 | #include <stdlib.h> |
ashleymills | 0:5a29fd060ac8 | 42 | #include <string.h> |
ashleymills | 0:5a29fd060ac8 | 43 | #include <stdio.h> |
ashleymills | 0:5a29fd060ac8 | 44 | #include "os_port.h" |
ashleymills | 0:5a29fd060ac8 | 45 | #include "ssl.h" |
ashleymills | 0:5a29fd060ac8 | 46 | #include "config.h" |
ashleymills | 0:5a29fd060ac8 | 47 | |
ashleymills | 0:5a29fd060ac8 | 48 | static int do_obj(SSL_CTX *ssl_ctx, int obj_type, |
ashleymills | 0:5a29fd060ac8 | 49 | SSLObjLoader *ssl_obj, const char *password); |
ashleymills | 0:5a29fd060ac8 | 50 | #ifdef CONFIG_SSL_HAS_PEM |
ashleymills | 0:5a29fd060ac8 | 51 | static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type, |
ashleymills | 0:5a29fd060ac8 | 52 | SSLObjLoader *ssl_obj, const char *password); |
ashleymills | 0:5a29fd060ac8 | 53 | #endif |
ashleymills | 0:5a29fd060ac8 | 54 | |
ashleymills | 0:5a29fd060ac8 | 55 | /* |
ashleymills | 0:5a29fd060ac8 | 56 | * Load a file into memory that is in binary DER (or ascii PEM) format. |
ashleymills | 0:5a29fd060ac8 | 57 | */ |
ashleymills | 0:5a29fd060ac8 | 58 | EXP_FUNC int STDCALL ssl_obj_load(SSL_CTX *ssl_ctx, int obj_type, |
ashleymills | 0:5a29fd060ac8 | 59 | const char *filename, const char *password) |
ashleymills | 0:5a29fd060ac8 | 60 | { |
ashleymills | 0:5a29fd060ac8 | 61 | #ifndef CONFIG_SSL_SKELETON_MODE |
ashleymills | 0:5a29fd060ac8 | 62 | static const char * const begin = "-----BEGIN"; |
ashleymills | 0:5a29fd060ac8 | 63 | int ret = SSL_OK; |
ashleymills | 0:5a29fd060ac8 | 64 | SSLObjLoader *ssl_obj = NULL; |
ashleymills | 0:5a29fd060ac8 | 65 | |
ashleymills | 0:5a29fd060ac8 | 66 | if (filename == NULL) |
ashleymills | 0:5a29fd060ac8 | 67 | { |
ashleymills | 0:5a29fd060ac8 | 68 | ret = SSL_ERROR_INVALID_KEY; |
ashleymills | 0:5a29fd060ac8 | 69 | goto error; |
ashleymills | 0:5a29fd060ac8 | 70 | } |
ashleymills | 0:5a29fd060ac8 | 71 | |
ashleymills | 0:5a29fd060ac8 | 72 | ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader)); |
ashleymills | 0:5a29fd060ac8 | 73 | ssl_obj->len = get_file(filename, &ssl_obj->buf); |
ashleymills | 0:5a29fd060ac8 | 74 | if (ssl_obj->len <= 0) |
ashleymills | 0:5a29fd060ac8 | 75 | { |
ashleymills | 0:5a29fd060ac8 | 76 | ret = SSL_ERROR_INVALID_KEY; |
ashleymills | 0:5a29fd060ac8 | 77 | goto error; |
ashleymills | 0:5a29fd060ac8 | 78 | } |
ashleymills | 0:5a29fd060ac8 | 79 | |
ashleymills | 0:5a29fd060ac8 | 80 | /* is the file a PEM file? */ |
ashleymills | 0:5a29fd060ac8 | 81 | if (strstr((char *)ssl_obj->buf, begin) != NULL) |
ashleymills | 0:5a29fd060ac8 | 82 | { |
ashleymills | 0:5a29fd060ac8 | 83 | #ifdef CONFIG_SSL_HAS_PEM |
ashleymills | 0:5a29fd060ac8 | 84 | ret = ssl_obj_PEM_load(ssl_ctx, obj_type, ssl_obj, password); |
ashleymills | 0:5a29fd060ac8 | 85 | #else |
ashleymills | 0:5a29fd060ac8 | 86 | printf(unsupported_str); |
ashleymills | 0:5a29fd060ac8 | 87 | ret = SSL_ERROR_NOT_SUPPORTED; |
ashleymills | 0:5a29fd060ac8 | 88 | #endif |
ashleymills | 0:5a29fd060ac8 | 89 | } |
ashleymills | 0:5a29fd060ac8 | 90 | else |
ashleymills | 0:5a29fd060ac8 | 91 | ret = do_obj(ssl_ctx, obj_type, ssl_obj, password); |
ashleymills | 0:5a29fd060ac8 | 92 | |
ashleymills | 0:5a29fd060ac8 | 93 | error: |
ashleymills | 0:5a29fd060ac8 | 94 | ssl_obj_free(ssl_obj); |
ashleymills | 0:5a29fd060ac8 | 95 | return ret; |
ashleymills | 0:5a29fd060ac8 | 96 | #else |
ashleymills | 0:5a29fd060ac8 | 97 | printf(unsupported_str); |
ashleymills | 0:5a29fd060ac8 | 98 | return SSL_ERROR_NOT_SUPPORTED; |
ashleymills | 0:5a29fd060ac8 | 99 | #endif /* CONFIG_SSL_SKELETON_MODE */ |
ashleymills | 0:5a29fd060ac8 | 100 | } |
ashleymills | 0:5a29fd060ac8 | 101 | |
ashleymills | 0:5a29fd060ac8 | 102 | /* |
ashleymills | 0:5a29fd060ac8 | 103 | * Transfer binary data into the object loader. |
ashleymills | 0:5a29fd060ac8 | 104 | */ |
ashleymills | 0:5a29fd060ac8 | 105 | EXP_FUNC int STDCALL ssl_obj_memory_load(SSL_CTX *ssl_ctx, int mem_type, |
ashleymills | 0:5a29fd060ac8 | 106 | const uint8_t *data, int len, const char *password) |
ashleymills | 0:5a29fd060ac8 | 107 | { |
ashleymills | 0:5a29fd060ac8 | 108 | int ret; |
ashleymills | 0:5a29fd060ac8 | 109 | SSLObjLoader *ssl_obj; |
ashleymills | 0:5a29fd060ac8 | 110 | |
ashleymills | 0:5a29fd060ac8 | 111 | ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader)); |
ashleymills | 0:5a29fd060ac8 | 112 | ssl_obj->buf = (uint8_t *)malloc(len); |
ashleymills | 0:5a29fd060ac8 | 113 | memcpy(ssl_obj->buf, data, len); |
ashleymills | 0:5a29fd060ac8 | 114 | ssl_obj->len = len; |
ashleymills | 0:5a29fd060ac8 | 115 | ret = do_obj(ssl_ctx, mem_type, ssl_obj, password); |
ashleymills | 0:5a29fd060ac8 | 116 | ssl_obj_free(ssl_obj); |
ashleymills | 0:5a29fd060ac8 | 117 | return ret; |
ashleymills | 0:5a29fd060ac8 | 118 | } |
ashleymills | 0:5a29fd060ac8 | 119 | |
ashleymills | 0:5a29fd060ac8 | 120 | /* |
ashleymills | 0:5a29fd060ac8 | 121 | * Actually work out what we are doing |
ashleymills | 0:5a29fd060ac8 | 122 | */ |
ashleymills | 0:5a29fd060ac8 | 123 | static int do_obj(SSL_CTX *ssl_ctx, int obj_type, |
ashleymills | 0:5a29fd060ac8 | 124 | SSLObjLoader *ssl_obj, const char *password) |
ashleymills | 0:5a29fd060ac8 | 125 | { |
ashleymills | 0:5a29fd060ac8 | 126 | int ret = SSL_OK; |
ashleymills | 0:5a29fd060ac8 | 127 | |
ashleymills | 0:5a29fd060ac8 | 128 | switch (obj_type) |
ashleymills | 0:5a29fd060ac8 | 129 | { |
ashleymills | 0:5a29fd060ac8 | 130 | case SSL_OBJ_RSA_KEY: |
ashleymills | 0:5a29fd060ac8 | 131 | ret = add_private_key(ssl_ctx, ssl_obj); |
ashleymills | 0:5a29fd060ac8 | 132 | break; |
ashleymills | 0:5a29fd060ac8 | 133 | |
ashleymills | 0:5a29fd060ac8 | 134 | case SSL_OBJ_X509_CERT: |
ashleymills | 0:5a29fd060ac8 | 135 | ret = add_cert(ssl_ctx, ssl_obj->buf, ssl_obj->len); |
ashleymills | 0:5a29fd060ac8 | 136 | break; |
ashleymills | 0:5a29fd060ac8 | 137 | |
ashleymills | 0:5a29fd060ac8 | 138 | #ifdef CONFIG_SSL_CERT_VERIFICATION |
ashleymills | 0:5a29fd060ac8 | 139 | case SSL_OBJ_X509_CACERT: |
ashleymills | 0:5a29fd060ac8 | 140 | add_cert_auth(ssl_ctx, ssl_obj->buf, ssl_obj->len); |
ashleymills | 0:5a29fd060ac8 | 141 | break; |
ashleymills | 0:5a29fd060ac8 | 142 | #endif |
ashleymills | 0:5a29fd060ac8 | 143 | |
ashleymills | 0:5a29fd060ac8 | 144 | #ifdef CONFIG_SSL_USE_PKCS12 |
ashleymills | 0:5a29fd060ac8 | 145 | case SSL_OBJ_PKCS8: |
ashleymills | 0:5a29fd060ac8 | 146 | ret = pkcs8_decode(ssl_ctx, ssl_obj, password); |
ashleymills | 0:5a29fd060ac8 | 147 | break; |
ashleymills | 0:5a29fd060ac8 | 148 | |
ashleymills | 0:5a29fd060ac8 | 149 | case SSL_OBJ_PKCS12: |
ashleymills | 0:5a29fd060ac8 | 150 | ret = pkcs12_decode(ssl_ctx, ssl_obj, password); |
ashleymills | 0:5a29fd060ac8 | 151 | break; |
ashleymills | 0:5a29fd060ac8 | 152 | #endif |
ashleymills | 0:5a29fd060ac8 | 153 | default: |
ashleymills | 0:5a29fd060ac8 | 154 | printf(unsupported_str); |
ashleymills | 0:5a29fd060ac8 | 155 | ret = SSL_ERROR_NOT_SUPPORTED; |
ashleymills | 0:5a29fd060ac8 | 156 | break; |
ashleymills | 0:5a29fd060ac8 | 157 | } |
ashleymills | 0:5a29fd060ac8 | 158 | |
ashleymills | 0:5a29fd060ac8 | 159 | return ret; |
ashleymills | 0:5a29fd060ac8 | 160 | } |
ashleymills | 0:5a29fd060ac8 | 161 | |
ashleymills | 0:5a29fd060ac8 | 162 | /* |
ashleymills | 0:5a29fd060ac8 | 163 | * Clean up our mess. |
ashleymills | 0:5a29fd060ac8 | 164 | */ |
ashleymills | 0:5a29fd060ac8 | 165 | void ssl_obj_free(SSLObjLoader *ssl_obj) |
ashleymills | 0:5a29fd060ac8 | 166 | { |
ashleymills | 0:5a29fd060ac8 | 167 | if (ssl_obj) |
ashleymills | 0:5a29fd060ac8 | 168 | { |
ashleymills | 0:5a29fd060ac8 | 169 | free(ssl_obj->buf); |
ashleymills | 0:5a29fd060ac8 | 170 | free(ssl_obj); |
ashleymills | 0:5a29fd060ac8 | 171 | } |
ashleymills | 0:5a29fd060ac8 | 172 | } |
ashleymills | 0:5a29fd060ac8 | 173 | |
ashleymills | 0:5a29fd060ac8 | 174 | /* |
ashleymills | 0:5a29fd060ac8 | 175 | * Support for PEM encoded keys/certificates. |
ashleymills | 0:5a29fd060ac8 | 176 | */ |
ashleymills | 0:5a29fd060ac8 | 177 | #ifdef CONFIG_SSL_HAS_PEM |
ashleymills | 0:5a29fd060ac8 | 178 | |
ashleymills | 0:5a29fd060ac8 | 179 | #define NUM_PEM_TYPES 4 |
ashleymills | 0:5a29fd060ac8 | 180 | #define IV_SIZE 16 |
ashleymills | 0:5a29fd060ac8 | 181 | #define IS_RSA_PRIVATE_KEY 0 |
ashleymills | 0:5a29fd060ac8 | 182 | #define IS_ENCRYPTED_PRIVATE_KEY 1 |
ashleymills | 0:5a29fd060ac8 | 183 | #define IS_PRIVATE_KEY 2 |
ashleymills | 0:5a29fd060ac8 | 184 | #define IS_CERTIFICATE 3 |
ashleymills | 0:5a29fd060ac8 | 185 | |
ashleymills | 0:5a29fd060ac8 | 186 | static const char * const begins[NUM_PEM_TYPES] = |
ashleymills | 0:5a29fd060ac8 | 187 | { |
ashleymills | 0:5a29fd060ac8 | 188 | "-----BEGIN RSA PRIVATE KEY-----", |
ashleymills | 0:5a29fd060ac8 | 189 | "-----BEGIN ENCRYPTED PRIVATE KEY-----", |
ashleymills | 0:5a29fd060ac8 | 190 | "-----BEGIN PRIVATE KEY-----", |
ashleymills | 0:5a29fd060ac8 | 191 | "-----BEGIN CERTIFICATE-----", |
ashleymills | 0:5a29fd060ac8 | 192 | }; |
ashleymills | 0:5a29fd060ac8 | 193 | |
ashleymills | 0:5a29fd060ac8 | 194 | static const char * const ends[NUM_PEM_TYPES] = |
ashleymills | 0:5a29fd060ac8 | 195 | { |
ashleymills | 0:5a29fd060ac8 | 196 | "-----END RSA PRIVATE KEY-----", |
ashleymills | 0:5a29fd060ac8 | 197 | "-----END ENCRYPTED PRIVATE KEY-----", |
ashleymills | 0:5a29fd060ac8 | 198 | "-----END PRIVATE KEY-----", |
ashleymills | 0:5a29fd060ac8 | 199 | "-----END CERTIFICATE-----", |
ashleymills | 0:5a29fd060ac8 | 200 | }; |
ashleymills | 0:5a29fd060ac8 | 201 | |
ashleymills | 0:5a29fd060ac8 | 202 | static const char * const aes_str[2] = |
ashleymills | 0:5a29fd060ac8 | 203 | { |
ashleymills | 0:5a29fd060ac8 | 204 | "DEK-Info: AES-128-CBC,", |
ashleymills | 0:5a29fd060ac8 | 205 | "DEK-Info: AES-256-CBC," |
ashleymills | 0:5a29fd060ac8 | 206 | }; |
ashleymills | 0:5a29fd060ac8 | 207 | |
ashleymills | 0:5a29fd060ac8 | 208 | /** |
ashleymills | 0:5a29fd060ac8 | 209 | * Take a base64 blob of data and decrypt it (using AES) into its |
ashleymills | 0:5a29fd060ac8 | 210 | * proper ASN.1 form. |
ashleymills | 0:5a29fd060ac8 | 211 | */ |
ashleymills | 0:5a29fd060ac8 | 212 | static int pem_decrypt(const char *where, const char *end, |
ashleymills | 0:5a29fd060ac8 | 213 | const char *password, SSLObjLoader *ssl_obj) |
ashleymills | 0:5a29fd060ac8 | 214 | { |
ashleymills | 0:5a29fd060ac8 | 215 | int ret = -1; |
ashleymills | 0:5a29fd060ac8 | 216 | int is_aes_256 = 0; |
ashleymills | 0:5a29fd060ac8 | 217 | char *start = NULL; |
ashleymills | 0:5a29fd060ac8 | 218 | uint8_t iv[IV_SIZE]; |
ashleymills | 0:5a29fd060ac8 | 219 | int i, pem_size; |
ashleymills | 0:5a29fd060ac8 | 220 | MD5_CTX md5_ctx; |
ashleymills | 0:5a29fd060ac8 | 221 | AES_CTX aes_ctx; |
ashleymills | 0:5a29fd060ac8 | 222 | uint8_t key[32]; /* AES256 size */ |
ashleymills | 0:5a29fd060ac8 | 223 | |
ashleymills | 0:5a29fd060ac8 | 224 | if (password == NULL || strlen(password) == 0) |
ashleymills | 0:5a29fd060ac8 | 225 | { |
ashleymills | 0:5a29fd060ac8 | 226 | #ifdef CONFIG_SSL_FULL_MODE |
ashleymills | 0:5a29fd060ac8 | 227 | printf("Error: Need a password for this PEM file\n"); TTY_FLUSH(); |
ashleymills | 0:5a29fd060ac8 | 228 | #endif |
ashleymills | 0:5a29fd060ac8 | 229 | goto error; |
ashleymills | 0:5a29fd060ac8 | 230 | } |
ashleymills | 0:5a29fd060ac8 | 231 | |
ashleymills | 0:5a29fd060ac8 | 232 | if ((start = strstr((const char *)where, aes_str[0]))) /* AES128? */ |
ashleymills | 0:5a29fd060ac8 | 233 | { |
ashleymills | 0:5a29fd060ac8 | 234 | start += strlen(aes_str[0]); |
ashleymills | 0:5a29fd060ac8 | 235 | } |
ashleymills | 0:5a29fd060ac8 | 236 | else if ((start = strstr((const char *)where, aes_str[1]))) /* AES256? */ |
ashleymills | 0:5a29fd060ac8 | 237 | { |
ashleymills | 0:5a29fd060ac8 | 238 | is_aes_256 = 1; |
ashleymills | 0:5a29fd060ac8 | 239 | start += strlen(aes_str[1]); |
ashleymills | 0:5a29fd060ac8 | 240 | } |
ashleymills | 0:5a29fd060ac8 | 241 | else |
ashleymills | 0:5a29fd060ac8 | 242 | { |
ashleymills | 0:5a29fd060ac8 | 243 | #ifdef CONFIG_SSL_FULL_MODE |
ashleymills | 0:5a29fd060ac8 | 244 | printf("Error: Unsupported password cipher\n"); TTY_FLUSH(); |
ashleymills | 0:5a29fd060ac8 | 245 | #endif |
ashleymills | 0:5a29fd060ac8 | 246 | goto error; |
ashleymills | 0:5a29fd060ac8 | 247 | } |
ashleymills | 0:5a29fd060ac8 | 248 | |
ashleymills | 0:5a29fd060ac8 | 249 | /* convert from hex to binary - assumes uppercase hex */ |
ashleymills | 0:5a29fd060ac8 | 250 | for (i = 0; i < IV_SIZE; i++) |
ashleymills | 0:5a29fd060ac8 | 251 | { |
ashleymills | 0:5a29fd060ac8 | 252 | char c = *start++ - '0'; |
ashleymills | 0:5a29fd060ac8 | 253 | iv[i] = (c > 9 ? c + '0' - 'A' + 10 : c) << 4; |
ashleymills | 0:5a29fd060ac8 | 254 | c = *start++ - '0'; |
ashleymills | 0:5a29fd060ac8 | 255 | iv[i] += (c > 9 ? c + '0' - 'A' + 10 : c); |
ashleymills | 0:5a29fd060ac8 | 256 | } |
ashleymills | 0:5a29fd060ac8 | 257 | |
ashleymills | 0:5a29fd060ac8 | 258 | while (*start == '\r' || *start == '\n') |
ashleymills | 0:5a29fd060ac8 | 259 | start++; |
ashleymills | 0:5a29fd060ac8 | 260 | |
ashleymills | 0:5a29fd060ac8 | 261 | /* turn base64 into binary */ |
ashleymills | 0:5a29fd060ac8 | 262 | pem_size = (int)(end-start); |
ashleymills | 0:5a29fd060ac8 | 263 | if (base64_decode(start, pem_size, ssl_obj->buf, &ssl_obj->len) != 0) |
ashleymills | 0:5a29fd060ac8 | 264 | goto error; |
ashleymills | 0:5a29fd060ac8 | 265 | |
ashleymills | 0:5a29fd060ac8 | 266 | /* work out the key */ |
ashleymills | 0:5a29fd060ac8 | 267 | MD5_Init(&md5_ctx); |
ashleymills | 0:5a29fd060ac8 | 268 | MD5_Update(&md5_ctx, (const uint8_t *)password, strlen(password)); |
ashleymills | 0:5a29fd060ac8 | 269 | MD5_Update(&md5_ctx, iv, SALT_SIZE); |
ashleymills | 0:5a29fd060ac8 | 270 | MD5_Final(key, &md5_ctx); |
ashleymills | 0:5a29fd060ac8 | 271 | |
ashleymills | 0:5a29fd060ac8 | 272 | if (is_aes_256) |
ashleymills | 0:5a29fd060ac8 | 273 | { |
ashleymills | 0:5a29fd060ac8 | 274 | MD5_Init(&md5_ctx); |
ashleymills | 0:5a29fd060ac8 | 275 | MD5_Update(&md5_ctx, key, MD5_SIZE); |
ashleymills | 0:5a29fd060ac8 | 276 | MD5_Update(&md5_ctx, (const uint8_t *)password, strlen(password)); |
ashleymills | 0:5a29fd060ac8 | 277 | MD5_Update(&md5_ctx, iv, SALT_SIZE); |
ashleymills | 0:5a29fd060ac8 | 278 | MD5_Final(&key[MD5_SIZE], &md5_ctx); |
ashleymills | 0:5a29fd060ac8 | 279 | } |
ashleymills | 0:5a29fd060ac8 | 280 | |
ashleymills | 0:5a29fd060ac8 | 281 | /* decrypt using the key/iv */ |
ashleymills | 0:5a29fd060ac8 | 282 | AES_set_key(&aes_ctx, key, iv, is_aes_256 ? AES_MODE_256 : AES_MODE_128); |
ashleymills | 0:5a29fd060ac8 | 283 | AES_convert_key(&aes_ctx); |
ashleymills | 0:5a29fd060ac8 | 284 | AES_cbc_decrypt(&aes_ctx, ssl_obj->buf, ssl_obj->buf, ssl_obj->len); |
ashleymills | 0:5a29fd060ac8 | 285 | ret = 0; |
ashleymills | 0:5a29fd060ac8 | 286 | |
ashleymills | 0:5a29fd060ac8 | 287 | error: |
ashleymills | 0:5a29fd060ac8 | 288 | return ret; |
ashleymills | 0:5a29fd060ac8 | 289 | } |
ashleymills | 0:5a29fd060ac8 | 290 | |
ashleymills | 0:5a29fd060ac8 | 291 | /** |
ashleymills | 0:5a29fd060ac8 | 292 | * Take a base64 blob of data and turn it into its proper ASN.1 form. |
ashleymills | 0:5a29fd060ac8 | 293 | */ |
ashleymills | 0:5a29fd060ac8 | 294 | static int new_pem_obj(SSL_CTX *ssl_ctx, int is_cacert, char *where, |
ashleymills | 0:5a29fd060ac8 | 295 | int remain, const char *password) |
ashleymills | 0:5a29fd060ac8 | 296 | { |
ashleymills | 0:5a29fd060ac8 | 297 | int ret = SSL_ERROR_BAD_CERTIFICATE; |
ashleymills | 0:5a29fd060ac8 | 298 | SSLObjLoader *ssl_obj = NULL; |
ashleymills | 0:5a29fd060ac8 | 299 | |
ashleymills | 0:5a29fd060ac8 | 300 | while (remain > 0) |
ashleymills | 0:5a29fd060ac8 | 301 | { |
ashleymills | 0:5a29fd060ac8 | 302 | int i, pem_size, obj_type; |
ashleymills | 0:5a29fd060ac8 | 303 | char *start = NULL, *end = NULL; |
ashleymills | 0:5a29fd060ac8 | 304 | |
ashleymills | 0:5a29fd060ac8 | 305 | for (i = 0; i < NUM_PEM_TYPES; i++) |
ashleymills | 0:5a29fd060ac8 | 306 | { |
ashleymills | 0:5a29fd060ac8 | 307 | if ((start = strstr(where, begins[i])) && |
ashleymills | 0:5a29fd060ac8 | 308 | (end = strstr(where, ends[i]))) |
ashleymills | 0:5a29fd060ac8 | 309 | { |
ashleymills | 0:5a29fd060ac8 | 310 | remain -= (int)(end-where); |
ashleymills | 0:5a29fd060ac8 | 311 | start += strlen(begins[i]); |
ashleymills | 0:5a29fd060ac8 | 312 | pem_size = (int)(end-start); |
ashleymills | 0:5a29fd060ac8 | 313 | |
ashleymills | 0:5a29fd060ac8 | 314 | ssl_obj = (SSLObjLoader *)calloc(1, sizeof(SSLObjLoader)); |
ashleymills | 0:5a29fd060ac8 | 315 | |
ashleymills | 0:5a29fd060ac8 | 316 | /* 4/3 bigger than what we need but so what */ |
ashleymills | 0:5a29fd060ac8 | 317 | ssl_obj->buf = (uint8_t *)calloc(1, pem_size); |
ashleymills | 0:5a29fd060ac8 | 318 | ssl_obj->len = pem_size; |
ashleymills | 0:5a29fd060ac8 | 319 | |
ashleymills | 0:5a29fd060ac8 | 320 | if (i == IS_RSA_PRIVATE_KEY && |
ashleymills | 0:5a29fd060ac8 | 321 | strstr(start, "Proc-Type:") && |
ashleymills | 0:5a29fd060ac8 | 322 | strstr(start, "4,ENCRYPTED")) |
ashleymills | 0:5a29fd060ac8 | 323 | { |
ashleymills | 0:5a29fd060ac8 | 324 | /* check for encrypted PEM file */ |
ashleymills | 0:5a29fd060ac8 | 325 | if (pem_decrypt(start, end, password, ssl_obj) < 0) |
ashleymills | 0:5a29fd060ac8 | 326 | { |
ashleymills | 0:5a29fd060ac8 | 327 | ret = SSL_ERROR_BAD_CERTIFICATE; |
ashleymills | 0:5a29fd060ac8 | 328 | goto error; |
ashleymills | 0:5a29fd060ac8 | 329 | } |
ashleymills | 0:5a29fd060ac8 | 330 | } |
ashleymills | 0:5a29fd060ac8 | 331 | else |
ashleymills | 0:5a29fd060ac8 | 332 | { |
ashleymills | 0:5a29fd060ac8 | 333 | ssl_obj->len = pem_size; |
ashleymills | 0:5a29fd060ac8 | 334 | if (base64_decode(start, pem_size, |
ashleymills | 0:5a29fd060ac8 | 335 | ssl_obj->buf, &ssl_obj->len) != 0) |
ashleymills | 0:5a29fd060ac8 | 336 | { |
ashleymills | 0:5a29fd060ac8 | 337 | ret = SSL_ERROR_BAD_CERTIFICATE; |
ashleymills | 0:5a29fd060ac8 | 338 | goto error; |
ashleymills | 0:5a29fd060ac8 | 339 | } |
ashleymills | 0:5a29fd060ac8 | 340 | } |
ashleymills | 0:5a29fd060ac8 | 341 | |
ashleymills | 0:5a29fd060ac8 | 342 | switch (i) |
ashleymills | 0:5a29fd060ac8 | 343 | { |
ashleymills | 0:5a29fd060ac8 | 344 | case IS_RSA_PRIVATE_KEY: |
ashleymills | 0:5a29fd060ac8 | 345 | obj_type = SSL_OBJ_RSA_KEY; |
ashleymills | 0:5a29fd060ac8 | 346 | break; |
ashleymills | 0:5a29fd060ac8 | 347 | |
ashleymills | 0:5a29fd060ac8 | 348 | case IS_ENCRYPTED_PRIVATE_KEY: |
ashleymills | 0:5a29fd060ac8 | 349 | case IS_PRIVATE_KEY: |
ashleymills | 0:5a29fd060ac8 | 350 | obj_type = SSL_OBJ_PKCS8; |
ashleymills | 0:5a29fd060ac8 | 351 | break; |
ashleymills | 0:5a29fd060ac8 | 352 | |
ashleymills | 0:5a29fd060ac8 | 353 | case IS_CERTIFICATE: |
ashleymills | 0:5a29fd060ac8 | 354 | obj_type = is_cacert ? |
ashleymills | 0:5a29fd060ac8 | 355 | SSL_OBJ_X509_CACERT : SSL_OBJ_X509_CERT; |
ashleymills | 0:5a29fd060ac8 | 356 | break; |
ashleymills | 0:5a29fd060ac8 | 357 | |
ashleymills | 0:5a29fd060ac8 | 358 | default: |
ashleymills | 0:5a29fd060ac8 | 359 | ret = SSL_ERROR_BAD_CERTIFICATE; |
ashleymills | 0:5a29fd060ac8 | 360 | goto error; |
ashleymills | 0:5a29fd060ac8 | 361 | } |
ashleymills | 0:5a29fd060ac8 | 362 | |
ashleymills | 0:5a29fd060ac8 | 363 | /* In a format we can now understand - so process it */ |
ashleymills | 0:5a29fd060ac8 | 364 | if ((ret = do_obj(ssl_ctx, obj_type, ssl_obj, password))) |
ashleymills | 0:5a29fd060ac8 | 365 | goto error; |
ashleymills | 0:5a29fd060ac8 | 366 | |
ashleymills | 0:5a29fd060ac8 | 367 | end += strlen(ends[i]); |
ashleymills | 0:5a29fd060ac8 | 368 | remain -= strlen(ends[i]); |
ashleymills | 0:5a29fd060ac8 | 369 | while (remain > 0 && (*end == '\r' || *end == '\n')) |
ashleymills | 0:5a29fd060ac8 | 370 | { |
ashleymills | 0:5a29fd060ac8 | 371 | end++; |
ashleymills | 0:5a29fd060ac8 | 372 | remain--; |
ashleymills | 0:5a29fd060ac8 | 373 | } |
ashleymills | 0:5a29fd060ac8 | 374 | |
ashleymills | 0:5a29fd060ac8 | 375 | where = end; |
ashleymills | 0:5a29fd060ac8 | 376 | break; |
ashleymills | 0:5a29fd060ac8 | 377 | } |
ashleymills | 0:5a29fd060ac8 | 378 | } |
ashleymills | 0:5a29fd060ac8 | 379 | |
ashleymills | 0:5a29fd060ac8 | 380 | ssl_obj_free(ssl_obj); |
ashleymills | 0:5a29fd060ac8 | 381 | ssl_obj = NULL; |
ashleymills | 0:5a29fd060ac8 | 382 | if (start == NULL) |
ashleymills | 0:5a29fd060ac8 | 383 | break; |
ashleymills | 0:5a29fd060ac8 | 384 | } |
ashleymills | 0:5a29fd060ac8 | 385 | error: |
ashleymills | 0:5a29fd060ac8 | 386 | ssl_obj_free(ssl_obj); |
ashleymills | 0:5a29fd060ac8 | 387 | return ret; |
ashleymills | 0:5a29fd060ac8 | 388 | } |
ashleymills | 0:5a29fd060ac8 | 389 | |
ashleymills | 0:5a29fd060ac8 | 390 | /* |
ashleymills | 0:5a29fd060ac8 | 391 | * Load a file into memory that is in ASCII PEM format. |
ashleymills | 0:5a29fd060ac8 | 392 | */ |
ashleymills | 0:5a29fd060ac8 | 393 | static int ssl_obj_PEM_load(SSL_CTX *ssl_ctx, int obj_type, |
ashleymills | 0:5a29fd060ac8 | 394 | SSLObjLoader *ssl_obj, const char *password) |
ashleymills | 0:5a29fd060ac8 | 395 | { |
ashleymills | 0:5a29fd060ac8 | 396 | char *start; |
ashleymills | 0:5a29fd060ac8 | 397 | |
ashleymills | 0:5a29fd060ac8 | 398 | /* add a null terminator */ |
ashleymills | 0:5a29fd060ac8 | 399 | ssl_obj->len++; |
ashleymills | 0:5a29fd060ac8 | 400 | ssl_obj->buf = (uint8_t *)realloc(ssl_obj->buf, ssl_obj->len); |
ashleymills | 0:5a29fd060ac8 | 401 | ssl_obj->buf[ssl_obj->len-1] = 0; |
ashleymills | 0:5a29fd060ac8 | 402 | start = (char *)ssl_obj->buf; |
ashleymills | 0:5a29fd060ac8 | 403 | return new_pem_obj(ssl_ctx, obj_type == SSL_OBJ_X509_CACERT, |
ashleymills | 0:5a29fd060ac8 | 404 | start, ssl_obj->len, password); |
ashleymills | 0:5a29fd060ac8 | 405 | } |
ashleymills | 0:5a29fd060ac8 | 406 | #endif /* CONFIG_SSL_HAS_PEM */ |
ashleymills | 0:5a29fd060ac8 | 407 | |
ashleymills | 0:5a29fd060ac8 | 408 | /** |
ashleymills | 0:5a29fd060ac8 | 409 | * Load the key/certificates in memory depending on compile-time and user |
ashleymills | 0:5a29fd060ac8 | 410 | * options. |
ashleymills | 0:5a29fd060ac8 | 411 | */ |
ashleymills | 0:5a29fd060ac8 | 412 | int load_key_certs(SSL_CTX *ssl_ctx) |
ashleymills | 0:5a29fd060ac8 | 413 | { |
ashleymills | 0:5a29fd060ac8 | 414 | printf("loading key certs\r\n"); |
ashleymills | 0:5a29fd060ac8 | 415 | int ret = SSL_OK; |
ashleymills | 0:5a29fd060ac8 | 416 | uint32_t options = ssl_ctx->options; |
ashleymills | 0:5a29fd060ac8 | 417 | #ifdef CONFIG_SSL_GENERATE_X509_CERT |
ashleymills | 0:5a29fd060ac8 | 418 | uint8_t *cert_data = NULL; |
ashleymills | 0:5a29fd060ac8 | 419 | int cert_size; |
ashleymills | 0:5a29fd060ac8 | 420 | static const char *dn[] = |
ashleymills | 0:5a29fd060ac8 | 421 | { |
ashleymills | 0:5a29fd060ac8 | 422 | CONFIG_SSL_X509_COMMON_NAME, |
ashleymills | 0:5a29fd060ac8 | 423 | CONFIG_SSL_X509_ORGANIZATION_NAME, |
ashleymills | 0:5a29fd060ac8 | 424 | CONFIG_SSL_X509_ORGANIZATION_UNIT_NAME |
ashleymills | 0:5a29fd060ac8 | 425 | }; |
ashleymills | 0:5a29fd060ac8 | 426 | #endif |
ashleymills | 0:5a29fd060ac8 | 427 | |
ashleymills | 0:5a29fd060ac8 | 428 | /* do the private key first */ |
ashleymills | 0:5a29fd060ac8 | 429 | if (strlen(CONFIG_SSL_PRIVATE_KEY_LOCATION) > 0) |
ashleymills | 0:5a29fd060ac8 | 430 | { |
ashleymills | 0:5a29fd060ac8 | 431 | if ((ret = ssl_obj_load(ssl_ctx, SSL_OBJ_RSA_KEY, |
ashleymills | 0:5a29fd060ac8 | 432 | CONFIG_SSL_PRIVATE_KEY_LOCATION, |
ashleymills | 0:5a29fd060ac8 | 433 | CONFIG_SSL_PRIVATE_KEY_PASSWORD)) < 0) |
ashleymills | 0:5a29fd060ac8 | 434 | goto error; |
ashleymills | 0:5a29fd060ac8 | 435 | } |
ashleymills | 0:5a29fd060ac8 | 436 | else if (!(options & SSL_NO_DEFAULT_KEY)) |
ashleymills | 0:5a29fd060ac8 | 437 | { |
ashleymills | 0:5a29fd060ac8 | 438 | #if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE) |
ashleymills | 0:5a29fd060ac8 | 439 | static const /* saves a few more bytes */ |
ashleymills | 0:5a29fd060ac8 | 440 | #include "private_key.h" |
ashleymills | 0:5a29fd060ac8 | 441 | ssl_obj_memory_load(ssl_ctx, SSL_OBJ_RSA_KEY, default_private_key, |
ashleymills | 0:5a29fd060ac8 | 442 | default_private_key_len, NULL); |
ashleymills | 0:5a29fd060ac8 | 443 | #endif |
ashleymills | 0:5a29fd060ac8 | 444 | } |
ashleymills | 0:5a29fd060ac8 | 445 | |
ashleymills | 0:5a29fd060ac8 | 446 | /* now load the certificate */ |
ashleymills | 0:5a29fd060ac8 | 447 | #ifdef CONFIG_SSL_GENERATE_X509_CERT |
ashleymills | 0:5a29fd060ac8 | 448 | if ((cert_size = ssl_x509_create(ssl_ctx, 0, dn, &cert_data)) < 0) |
ashleymills | 0:5a29fd060ac8 | 449 | { |
ashleymills | 0:5a29fd060ac8 | 450 | ret = cert_size; |
ashleymills | 0:5a29fd060ac8 | 451 | goto error; |
ashleymills | 0:5a29fd060ac8 | 452 | } |
ashleymills | 0:5a29fd060ac8 | 453 | |
ashleymills | 0:5a29fd060ac8 | 454 | ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CERT, cert_data, cert_size, NULL); |
ashleymills | 0:5a29fd060ac8 | 455 | free(cert_data); |
ashleymills | 0:5a29fd060ac8 | 456 | #else |
ashleymills | 0:5a29fd060ac8 | 457 | if (strlen(CONFIG_SSL_X509_CERT_LOCATION)) |
ashleymills | 0:5a29fd060ac8 | 458 | { |
ashleymills | 0:5a29fd060ac8 | 459 | if ((ret = ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CERT, |
ashleymills | 0:5a29fd060ac8 | 460 | CONFIG_SSL_X509_CERT_LOCATION, NULL)) < 0) |
ashleymills | 0:5a29fd060ac8 | 461 | goto error; |
ashleymills | 0:5a29fd060ac8 | 462 | } |
ashleymills | 0:5a29fd060ac8 | 463 | else if (!(options & SSL_NO_DEFAULT_KEY)) |
ashleymills | 0:5a29fd060ac8 | 464 | { |
ashleymills | 0:5a29fd060ac8 | 465 | #if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE) |
ashleymills | 0:5a29fd060ac8 | 466 | static const /* saves a few bytes and RAM */ |
ashleymills | 0:5a29fd060ac8 | 467 | #include "cert.h" |
ashleymills | 0:5a29fd060ac8 | 468 | ssl_obj_memory_load(ssl_ctx, SSL_OBJ_X509_CERT, |
ashleymills | 0:5a29fd060ac8 | 469 | default_certificate, default_certificate_len, NULL); |
ashleymills | 0:5a29fd060ac8 | 470 | #endif |
ashleymills | 0:5a29fd060ac8 | 471 | } |
ashleymills | 0:5a29fd060ac8 | 472 | #endif |
ashleymills | 0:5a29fd060ac8 | 473 | |
ashleymills | 0:5a29fd060ac8 | 474 | error: |
ashleymills | 0:5a29fd060ac8 | 475 | #ifdef CONFIG_SSL_FULL_MODE |
ashleymills | 0:5a29fd060ac8 | 476 | if (ret) |
ashleymills | 0:5a29fd060ac8 | 477 | { |
ashleymills | 0:5a29fd060ac8 | 478 | printf("Error: Certificate or key not loaded\n"); TTY_FLUSH(); |
ashleymills | 0:5a29fd060ac8 | 479 | } |
ashleymills | 0:5a29fd060ac8 | 480 | #endif |
ashleymills | 0:5a29fd060ac8 | 481 | |
ashleymills | 0:5a29fd060ac8 | 482 | return ret; |
ashleymills | 0:5a29fd060ac8 | 483 | |
ashleymills | 0:5a29fd060ac8 | 484 | } |