2016-09-21 22:28:08 -04:00
|
|
|
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
|
|
|
|
//
|
|
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
// you may not use this file except in compliance with the License.
|
|
|
|
// You may obtain a copy of the License at
|
|
|
|
|
|
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
//
|
|
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
// See the License for the specific language governing permissions and
|
|
|
|
// limitations under the License.
|
|
|
|
|
2016-09-20 04:58:46 -04:00
|
|
|
#include "ssl_x509.h"
|
2016-09-21 22:28:08 -04:00
|
|
|
#include "ssl_methods.h"
|
2016-09-20 04:58:46 -04:00
|
|
|
#include "ssl_dbg.h"
|
2016-09-21 22:28:08 -04:00
|
|
|
#include "ssl_port.h"
|
2018-02-08 03:36:14 -05:00
|
|
|
#include "ssl.h"
|
2016-09-20 04:58:46 -04:00
|
|
|
|
2016-10-09 04:42:49 -04:00
|
|
|
/**
|
|
|
|
* @brief show X509 certification information
|
|
|
|
*/
|
|
|
|
int __X509_show_info(X509 *x)
|
|
|
|
{
|
|
|
|
return X509_METHOD_CALL(show_info, x);
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
2016-09-25 23:14:19 -04:00
|
|
|
* @brief create a X509 certification object according to input X509 certification
|
2016-09-21 22:28:08 -04:00
|
|
|
*/
|
2016-09-25 23:14:19 -04:00
|
|
|
X509* __X509_new(X509 *ix)
|
2016-09-20 04:58:46 -04:00
|
|
|
{
|
2016-09-21 22:28:08 -04:00
|
|
|
int ret;
|
|
|
|
X509 *x;
|
|
|
|
|
2016-11-01 01:07:10 -04:00
|
|
|
x = ssl_mem_zalloc(sizeof(X509));
|
2017-01-10 07:49:24 -05:00
|
|
|
if (!x) {
|
|
|
|
SSL_DEBUG(SSL_X509_ERROR_LEVEL, "no enough memory > (x)");
|
|
|
|
goto no_mem;
|
|
|
|
}
|
2016-09-21 22:28:08 -04:00
|
|
|
|
2018-02-08 03:36:14 -05:00
|
|
|
x->ref_counter = 1;
|
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
if (ix && ix->method)
|
2016-09-25 23:14:19 -04:00
|
|
|
x->method = ix->method;
|
|
|
|
else
|
|
|
|
x->method = X509_method();
|
2016-09-21 22:28:08 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
ret = X509_METHOD_CALL(new, x, ix);
|
2017-01-10 07:49:24 -05:00
|
|
|
if (ret) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(new) return %d", ret);
|
|
|
|
goto failed;
|
|
|
|
}
|
2016-09-21 22:28:08 -04:00
|
|
|
|
|
|
|
return x;
|
|
|
|
|
2017-01-10 07:49:24 -05:00
|
|
|
failed:
|
2016-11-01 01:07:10 -04:00
|
|
|
ssl_mem_free(x);
|
2017-01-10 07:49:24 -05:00
|
|
|
no_mem:
|
2016-09-21 22:28:08 -04:00
|
|
|
return NULL;
|
2016-09-20 04:58:46 -04:00
|
|
|
}
|
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
/**
|
|
|
|
* @brief create a X509 certification object
|
|
|
|
*/
|
|
|
|
X509* X509_new(void)
|
|
|
|
{
|
|
|
|
return __X509_new(NULL);
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief free a X509 certification object
|
2016-09-21 22:28:08 -04:00
|
|
|
*/
|
|
|
|
void X509_free(X509 *x)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT3(x);
|
|
|
|
|
2018-02-08 03:36:14 -05:00
|
|
|
if (--x->ref_counter > 0) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2016-09-21 22:28:08 -04:00
|
|
|
X509_METHOD_CALL(free, x);
|
|
|
|
|
2016-11-01 01:07:10 -04:00
|
|
|
ssl_mem_free(x);
|
2016-09-21 22:28:08 -04:00
|
|
|
};
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief load a character certification context into system context. If '*cert' is pointed to the
|
|
|
|
* certification, then load certification into it. Or create a new X509 certification object
|
2016-09-21 22:28:08 -04:00
|
|
|
*/
|
2016-09-20 04:58:46 -04:00
|
|
|
X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len)
|
|
|
|
{
|
2016-09-22 02:42:49 -04:00
|
|
|
int m = 0;
|
2016-09-20 04:58:46 -04:00
|
|
|
int ret;
|
2016-09-21 22:28:08 -04:00
|
|
|
X509 *x;
|
2016-09-20 04:58:46 -04:00
|
|
|
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT2(buffer);
|
|
|
|
SSL_ASSERT2(len);
|
2016-09-20 04:58:46 -04:00
|
|
|
|
2016-09-21 22:28:08 -04:00
|
|
|
if (cert && *cert) {
|
|
|
|
x = *cert;
|
|
|
|
} else {
|
2016-09-22 02:42:49 -04:00
|
|
|
x = X509_new();
|
2017-01-10 07:49:24 -05:00
|
|
|
if (!x) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_new() return NULL");
|
|
|
|
goto failed1;
|
|
|
|
}
|
2016-09-22 02:42:49 -04:00
|
|
|
m = 1;
|
2016-09-21 22:28:08 -04:00
|
|
|
}
|
2016-09-20 04:58:46 -04:00
|
|
|
|
2016-09-21 22:28:08 -04:00
|
|
|
ret = X509_METHOD_CALL(load, x, buffer, len);
|
2017-01-10 07:49:24 -05:00
|
|
|
if (ret) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(load) return %d", ret);
|
|
|
|
goto failed2;
|
|
|
|
}
|
2016-09-20 04:58:46 -04:00
|
|
|
|
2016-09-21 22:28:08 -04:00
|
|
|
return x;
|
2016-09-20 04:58:46 -04:00
|
|
|
|
|
|
|
failed2:
|
2016-09-22 02:42:49 -04:00
|
|
|
if (m)
|
|
|
|
X509_free(x);
|
2016-09-20 04:58:46 -04:00
|
|
|
failed1:
|
|
|
|
return NULL;
|
|
|
|
}
|
2016-09-21 23:43:59 -04:00
|
|
|
|
2017-09-09 20:00:27 -04:00
|
|
|
/**
|
|
|
|
* @brief return SSL X509 verify parameters
|
|
|
|
*/
|
|
|
|
|
|
|
|
X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl)
|
|
|
|
{
|
|
|
|
return &ssl->param;
|
|
|
|
}
|
|
|
|
|
2017-09-09 20:05:09 -04:00
|
|
|
/**
|
|
|
|
* @brief set X509 host verification flags
|
|
|
|
*/
|
|
|
|
|
|
|
|
int X509_VERIFY_PARAM_set_hostflags(X509_VERIFY_PARAM *param,
|
|
|
|
unsigned long flags)
|
|
|
|
{
|
|
|
|
/* flags not supported yet */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief clear X509 host verification flags
|
|
|
|
*/
|
|
|
|
|
|
|
|
int X509_VERIFY_PARAM_clear_hostflags(X509_VERIFY_PARAM *param,
|
|
|
|
unsigned long flags)
|
|
|
|
{
|
|
|
|
/* flags not supported yet */
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief set SSL context client CA certification
|
2016-09-21 23:43:59 -04:00
|
|
|
*/
|
|
|
|
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT1(ctx);
|
|
|
|
SSL_ASSERT1(x);
|
2016-09-21 23:43:59 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
if (ctx->client_CA == x)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
X509_free(ctx->client_CA);
|
2016-09-22 02:42:49 -04:00
|
|
|
|
2016-09-21 23:43:59 -04:00
|
|
|
ctx->client_CA = x;
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief add CA client certification into the SSL
|
2016-09-22 00:57:39 -04:00
|
|
|
*/
|
|
|
|
int SSL_add_client_CA(SSL *ssl, X509 *x)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT1(ssl);
|
|
|
|
SSL_ASSERT1(x);
|
2016-09-22 02:42:49 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
if (ssl->client_CA == x)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
X509_free(ssl->client_CA);
|
2016-09-22 02:42:49 -04:00
|
|
|
|
|
|
|
ssl->client_CA = x;
|
|
|
|
|
2016-09-22 23:41:57 -04:00
|
|
|
return 1;
|
2016-09-22 00:57:39 -04:00
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief set the SSL context certification
|
2016-09-21 23:43:59 -04:00
|
|
|
*/
|
|
|
|
int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT1(ctx);
|
|
|
|
SSL_ASSERT1(x);
|
2016-09-21 23:43:59 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
if (ctx->cert->x509 == x)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
X509_free(ctx->cert->x509);
|
|
|
|
|
2016-09-21 23:43:59 -04:00
|
|
|
ctx->cert->x509 = x;
|
2020-06-05 08:20:04 -04:00
|
|
|
x->ref_counter++;
|
2016-09-21 23:43:59 -04:00
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief set the SSL certification
|
2016-09-22 03:56:56 -04:00
|
|
|
*/
|
|
|
|
int SSL_use_certificate(SSL *ssl, X509 *x)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT1(ssl);
|
|
|
|
SSL_ASSERT1(x);
|
2016-09-22 03:56:56 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
if (ssl->cert->x509 == x)
|
|
|
|
return 1;
|
|
|
|
|
|
|
|
X509_free(ssl->cert->x509);
|
|
|
|
|
2016-09-22 03:56:56 -04:00
|
|
|
ssl->cert->x509 = x;
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x)
|
|
|
|
{
|
|
|
|
return SSL_CTX_use_certificate(ctx, x);
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief get the SSL certification point
|
2016-09-22 00:57:39 -04:00
|
|
|
*/
|
|
|
|
X509 *SSL_get_certificate(const SSL *ssl)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT2(ssl);
|
2016-09-22 03:56:56 -04:00
|
|
|
|
2016-09-22 00:57:39 -04:00
|
|
|
return ssl->cert->x509;
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief load certification into the SSL context
|
2016-09-21 23:43:59 -04:00
|
|
|
*/
|
|
|
|
int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
|
|
|
|
const unsigned char *d)
|
|
|
|
{
|
|
|
|
int ret;
|
2016-09-25 23:14:19 -04:00
|
|
|
X509 *x;
|
2016-09-21 23:43:59 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
x = d2i_X509(NULL, d, len);
|
2017-01-10 07:49:24 -05:00
|
|
|
if (!x) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
|
|
|
|
goto failed1;
|
|
|
|
}
|
2016-09-21 23:43:59 -04:00
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
ret = SSL_CTX_use_certificate(ctx, x); // This uses the "x" so increments ref_count
|
2017-01-10 07:49:24 -05:00
|
|
|
if (!ret) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_certificate() return %d", ret);
|
|
|
|
goto failed2;
|
|
|
|
}
|
2016-09-21 23:43:59 -04:00
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
X509_free(x); // decrements ref_count, so in case of happy flow doesn't free the "x"
|
2016-09-21 23:43:59 -04:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
failed2:
|
2016-09-25 23:14:19 -04:00
|
|
|
X509_free(x);
|
2016-09-21 23:43:59 -04:00
|
|
|
failed1:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief load certification into the SSL
|
2016-09-22 03:56:56 -04:00
|
|
|
*/
|
|
|
|
int SSL_use_certificate_ASN1(SSL *ssl, int len,
|
|
|
|
const unsigned char *d)
|
|
|
|
{
|
|
|
|
int ret;
|
2016-09-22 22:33:31 -04:00
|
|
|
X509 *x;
|
2016-09-22 03:56:56 -04:00
|
|
|
|
2016-09-25 23:14:19 -04:00
|
|
|
x = d2i_X509(NULL, d, len);
|
2017-01-10 07:49:24 -05:00
|
|
|
if (!x) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL");
|
|
|
|
goto failed1;
|
|
|
|
}
|
2016-09-22 22:33:31 -04:00
|
|
|
|
|
|
|
ret = SSL_use_certificate(ssl, x);
|
2017-01-10 07:49:24 -05:00
|
|
|
if (!ret) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_certificate() return %d", ret);
|
|
|
|
goto failed2;
|
|
|
|
}
|
2016-09-22 04:41:51 -04:00
|
|
|
|
2016-09-22 03:56:56 -04:00
|
|
|
return 1;
|
|
|
|
|
|
|
|
failed2:
|
2016-09-25 23:14:19 -04:00
|
|
|
X509_free(x);
|
2016-09-22 03:56:56 -04:00
|
|
|
failed1:
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief load the certification file into SSL context
|
2016-09-22 03:39:28 -04:00
|
|
|
*/
|
|
|
|
int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2016-09-22 03:56:56 -04:00
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief load the certification file into SSL
|
2016-09-22 03:56:56 -04:00
|
|
|
*/
|
|
|
|
int SSL_use_certificate_file(SSL *ssl, const char *file, int type)
|
|
|
|
{
|
|
|
|
return 0;
|
|
|
|
}
|
2016-09-22 05:20:07 -04:00
|
|
|
|
2016-09-23 02:50:27 -04:00
|
|
|
/**
|
|
|
|
* @brief get peer certification
|
2016-09-22 05:20:07 -04:00
|
|
|
*/
|
|
|
|
X509 *SSL_get_peer_certificate(const SSL *ssl)
|
|
|
|
{
|
2017-01-10 07:49:24 -05:00
|
|
|
SSL_ASSERT2(ssl);
|
2016-09-22 05:20:07 -04:00
|
|
|
|
2016-09-23 06:13:10 -04:00
|
|
|
return ssl->session->peer;
|
2016-09-22 05:20:07 -04:00
|
|
|
}
|
2016-10-09 04:42:49 -04:00
|
|
|
|
2018-02-08 03:36:14 -05:00
|
|
|
/**
|
|
|
|
* @brief set SSL context client CA certification
|
|
|
|
*/
|
|
|
|
int X509_STORE_add_cert(X509_STORE *store, X509 *x) {
|
|
|
|
|
|
|
|
x->ref_counter++;
|
|
|
|
|
|
|
|
SSL_CTX *ctx = (SSL_CTX *)store;
|
|
|
|
SSL_ASSERT1(ctx);
|
|
|
|
SSL_ASSERT1(x);
|
|
|
|
|
|
|
|
if (ctx->client_CA == x) {
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctx->client_CA!=NULL) {
|
|
|
|
X509_free(ctx->client_CA);
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx->client_CA = x;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief load a character certification context into system context.
|
2020-11-10 02:40:01 -05:00
|
|
|
*
|
2018-02-08 03:36:14 -05:00
|
|
|
* If '*cert' is pointed to the certification, then load certification
|
|
|
|
* into it, or create a new X509 certification object.
|
|
|
|
*/
|
2020-06-05 08:20:04 -04:00
|
|
|
X509 * PEM_read_bio_X509(BIO *bp, X509 **cert, pem_password_cb cb, void *u) {
|
2018-02-08 03:36:14 -05:00
|
|
|
int m = 0;
|
|
|
|
int ret;
|
|
|
|
X509 *x;
|
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
SSL_ASSERT2(BIO_method_type(bp) & BIO_TYPE_MEM);
|
|
|
|
if (bp->data == NULL || bp->dlen == 0) {
|
|
|
|
return NULL;
|
|
|
|
}
|
2018-02-08 03:36:14 -05:00
|
|
|
if (cert && *cert) {
|
|
|
|
x = *cert;
|
|
|
|
} else {
|
|
|
|
x = X509_new();
|
|
|
|
if (!x) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_new() return NULL");
|
|
|
|
goto failed;
|
|
|
|
}
|
|
|
|
m = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = X509_METHOD_CALL(load, x, bp->data, bp->dlen);
|
|
|
|
if (ret) {
|
|
|
|
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(load) return %d", ret);
|
|
|
|
goto failed;
|
|
|
|
}
|
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
// If buffer successfully created a X509 from the bio, mark the buffer as consumed
|
|
|
|
bp->data = NULL;
|
|
|
|
bp->dlen = 0;
|
2018-02-08 03:36:14 -05:00
|
|
|
return x;
|
|
|
|
|
|
|
|
failed:
|
|
|
|
if (m) {
|
|
|
|
X509_free(x);
|
|
|
|
}
|
|
|
|
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2020-06-05 08:20:04 -04:00
|
|
|
X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **cert, pem_password_cb *cb, void *u)
|
|
|
|
{
|
|
|
|
return PEM_read_bio_X509(bp, cert, cb, u);
|
2018-02-08 03:36:14 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief get the SSL context object X509 certification storage
|
|
|
|
*/
|
|
|
|
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {
|
|
|
|
return (X509_STORE *)ctx;
|
|
|
|
}
|