From ffb2668411ee7ea31c69a399a20f53fae2edadd2 Mon Sep 17 00:00:00 2001 From: "francois.berder@arm.com" <> Date: Wed, 7 Aug 2013 14:38:07 +0300 Subject: [PATCH] Fixed some bugs in HTTPS library --- libraries/net/https/HTTPSClient.cpp | 40 ++++++----- libraries/net/https/HTTPSClient.h | 2 +- libraries/net/https/axTLS/crypto/rsa.c | 4 ++ libraries/net/https/axTLS/ssl/loader.c | 6 +- libraries/net/https/axTLS/ssl/os_port.c | 2 +- libraries/net/https/axTLS/ssl/tls1.c | 96 ++++++++++++------------- libraries/net/https/axTLS/ssl/tls1.h | 2 +- 7 files changed, 76 insertions(+), 76 deletions(-) diff --git a/libraries/net/https/HTTPSClient.cpp b/libraries/net/https/HTTPSClient.cpp index 678961b3c3..76eae5b4a9 100644 --- a/libraries/net/https/HTTPSClient.cpp +++ b/libraries/net/https/HTTPSClient.cpp @@ -36,7 +36,7 @@ int HTTPSClient::connect(const char* host) { return -1; } - if(ssl_ctx_new(&_ssl_ctx, SSL_SERVER_VERIFY_LATER|SSL_DISPLAY_BYTES|SSL_DISPLAY_STATES, SSL_DEFAULT_CLNT_SESS) != &_ssl_ctx) + if(ssl_ctx_new(&_ssl_ctx, SSL_SERVER_VERIFY_LATER, SSL_DEFAULT_CLNT_SESS) != &_ssl_ctx) return -1; _ssl.ssl_ctx = &_ssl_ctx; @@ -75,7 +75,7 @@ HTTPHeader HTTPSClient::get(char *request) if((_sock_fd < 0) || !_is_connected) return HTTPHeader(); - sprintf(buf, "GET %s HTTP/1.1\r\nHost: %s:%d\r\n\r\n", request, _host.c_str(), get_port()); + sprintf(buf, "GET %s HTTP/1.1\r\nHost: %s\r\n\r\n", request, _host.c_str()); printf("buf=%s\n", buf); if(send(buf, strlen(buf)) != strlen(buf)) return HTTPHeader(); @@ -87,9 +87,10 @@ HTTPHeader HTTPSClient::get(char *request) HTTPHeader HTTPSClient::read_header() { _ssl.bm_read_index = 0; - + _ssl.bm_index = 0; HTTPHeader hdr; - read_line(); + if(read_line()) + return hdr; int status; @@ -98,36 +99,37 @@ HTTPHeader HTTPSClient::read_header() if(status == 200) hdr._status = HTTP_OK; - printf("status=%d\n", status); - read_line(); + if(read_line()) + return hdr; do { - string name, value; - int ret = sscanf(buf, "%s:%s", name, value); - printf("sscanf return=%d\n", ret); - printf("name=%s\n", name); - printf("value=%s\n", value); + string tmp(buf); + std::size_t sep = tmp.find(':'); + string name = tmp.substr(0, sep); + string value = tmp.substr(sep+2, tmp.size()); hdr._fields[name] = value; - read_line(); - printf("strlen(buf)=%d\n", strlen(buf)); + if(read_line()) + return hdr; }while(strlen(buf)); return hdr; } -void HTTPSClient::read_line() +uint8_t HTTPSClient::read_line() { int index = 0; do { - if(ssl_read(&_ssl, (uint8_t*)(&buf[index]), 1)) + if(ssl_read(&_ssl, (uint8_t*)(&buf[index]), 1) != 1) { - // error + return 1; } - - }while(buf[index++] != '\n' && index < 255); + index++; + }while(buf[index-1] != '\r' && index < 256); + ssl_read(&_ssl, (uint8_t*)(&buf[index-1]), 1); // skip '\n' buf[index-1] = '\0'; - printf("line=%s\n", buf); + + return 0; } // -1:error diff --git a/libraries/net/https/HTTPSClient.h b/libraries/net/https/HTTPSClient.h index 20d231225d..92c6908479 100644 --- a/libraries/net/https/HTTPSClient.h +++ b/libraries/net/https/HTTPSClient.h @@ -44,7 +44,7 @@ private: int send(char* data, int length); - void read_line(); + uint8_t read_line(); HTTPHeader read_header(); bool _is_connected; diff --git a/libraries/net/https/axTLS/crypto/rsa.c b/libraries/net/https/axTLS/crypto/rsa.c index 95a82b7c24..64282a2627 100644 --- a/libraries/net/https/axTLS/crypto/rsa.c +++ b/libraries/net/https/axTLS/crypto/rsa.c @@ -250,16 +250,20 @@ int RSA_encrypt(const RSA_CTX *ctx, const uint8_t *in_data, uint16_t in_len, out_data[1] = 2; get_random_NZ(num_pads_needed, &out_data[2]); } + out_data[2+num_pads_needed] = 0; memcpy(&out_data[3+num_pads_needed], in_data, in_len); /* now encrypt it */ dat_bi = bi_import(ctx->bi_ctx, out_data, byte_size); + encrypt_bi = is_signing ? RSA_private(ctx, dat_bi) : RSA_public(ctx, dat_bi); + bi_export(ctx->bi_ctx, encrypt_bi, out_data, byte_size); /* save a few bytes of memory */ bi_clear_cache(ctx->bi_ctx); + return byte_size; } diff --git a/libraries/net/https/axTLS/ssl/loader.c b/libraries/net/https/axTLS/ssl/loader.c index 7c328f18e0..8cc80d9c77 100644 --- a/libraries/net/https/axTLS/ssl/loader.c +++ b/libraries/net/https/axTLS/ssl/loader.c @@ -432,10 +432,10 @@ int load_key_certs(SSL_CTX *ssl_ctx) else if (!(options & SSL_NO_DEFAULT_KEY)) { #if defined(CONFIG_SSL_USE_DEFAULT_KEY) || defined(CONFIG_SSL_SKELETON_MODE) - // static const /* saves a few more bytes */ +// static const /* saves a few more bytes */ //#include "private_key.h" - // ssl_obj_memory_load(ssl_ctx, SSL_OBJ_RSA_KEY, default_private_key, - // default_private_key_len, NULL); +// ssl_obj_memory_load(ssl_ctx, SSL_OBJ_RSA_KEY, default_private_key, + // default_private_key_len, NULL); #endif } diff --git a/libraries/net/https/axTLS/ssl/os_port.c b/libraries/net/https/axTLS/ssl/os_port.c index 1441a41d03..a0627bf620 100644 --- a/libraries/net/https/axTLS/ssl/os_port.c +++ b/libraries/net/https/axTLS/ssl/os_port.c @@ -93,7 +93,7 @@ static void add_entry(void *x, size_t s, const char* f, const int l) if(memory_buf[i] == -1) { if(enable) - printf("new ptr:%X, size:%d at %s:%d", x, s, f, l); + printf("new ptr:%X, size:%d at %s:%d\n", x, s, f, l); memory_buf[i] = (int)(x); memory_buf[i+1] = s; return; diff --git a/libraries/net/https/axTLS/ssl/tls1.c b/libraries/net/https/axTLS/ssl/tls1.c index 8ae724ebaa..ab1e86d155 100644 --- a/libraries/net/https/axTLS/ssl/tls1.c +++ b/libraries/net/https/axTLS/ssl/tls1.c @@ -229,10 +229,10 @@ EXP_FUNC void STDCALL ssl_ctx_free(SSL_CTX *ssl_ctx) #endif i = 0; - while (i < CONFIG_SSL_MAX_CERTS && ssl_ctx->certs[i].buf) + //while (i < CONFIG_SSL_MAX_CERTS && ssl_ctx->certs[i].buf) { - free(ssl_ctx->certs[i].buf); - ssl_ctx->certs[i++].buf = NULL; + //free(ssl_ctx->certs[i].buf); + //ssl_ctx->certs[i++].buf = NULL; } #ifdef CONFIG_SSL_CERT_VERIFICATION @@ -351,8 +351,7 @@ int add_cert(SSL_CTX *ssl_ctx, const uint8_t *buf, int len) ssl_cert = &ssl_ctx->certs[i]; ssl_cert->size = len; - ssl_cert->buf = (uint8_t *)malloc(len); - memcpy(ssl_cert->buf, buf, len); + ssl_cert->buf = buf; ssl_ctx->chain_length++; len -= offset; ret = SSL_OK; /* ok so far */ @@ -553,6 +552,7 @@ SSL *ssl_new(SSL *ssl, int client_fd) ssl->client_fd = 0; ssl->flag = SSL_NEED_RECORD; ssl->bm_data = ssl->bm_all_data + BM_RECORD_OFFSET; + ssl->bm_read_index = 0; ssl->hs_status = SSL_NOT_OK; /* not connected */ #ifdef CONFIG_ENABLE_VERIFICATION ssl->ca_cert_ctx = ssl_ctx->ca_cert_ctx; @@ -981,7 +981,14 @@ static int send_raw_packet(SSL *ssl, uint8_t protocol) } } + fd_set wfds; + FD_ZERO(&wfds); + FD_SET(ssl->client_fd, &wfds); + /* block and wait for it */ + if (lwip_select(FD_SETSIZE, NULL, &wfds, NULL, NULL) < 0) + return SSL_ERROR_CONN_LOST; + SET_SSL_FLAG(SSL_NEED_RECORD); /* reset for next time */ ssl->bm_index = 0; @@ -1186,6 +1193,7 @@ static int set_key_block(SSL *ssl, int is_write) */ int basic_read2(SSL *ssl, uint8_t *data, uint32_t length) { + // printf("basic_read2\n"); if(data == NULL) return -1; @@ -1193,6 +1201,7 @@ int basic_read2(SSL *ssl, uint8_t *data, uint32_t length) do { + //printf("before_lwip_select\n"); fd_set rfds; FD_ZERO(&rfds); FD_SET(ssl->client_fd, &rfds); @@ -1200,9 +1209,11 @@ int basic_read2(SSL *ssl, uint8_t *data, uint32_t length) /* block and wait for it */ if (lwip_select(FD_SETSIZE, &rfds, NULL, NULL, NULL) < 0) return SSL_ERROR_CONN_LOST; - + // printf("after_lwip_select\n"); + int read_len = SOCKET_READ(ssl->client_fd, &data[ret], length-ret); - + // printf("read_len = %d\n", read_len); + if (read_len < 0) { @@ -1270,17 +1281,11 @@ int read_record(SSL *ssl) } ssl->need_bytes = (record[3] << 8) + record[4]; - printf("ssl->need_byte=%d\n", ssl->need_bytes); - /* do we violate the spec with the message size? */ - if (ssl->need_bytes > 4*(RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)) - { - return SSL_ERROR_INVALID_PROT_MSG; - } + memcpy(ssl->hmac_header, record, 3); /* store for hmac */ ssl->record_type = record[0]; CLR_SSL_FLAG(SSL_NEED_RECORD); - ssl->bm_index = 0; return SSL_OK; } @@ -1316,11 +1321,12 @@ int ssl_read(SSL *ssl, uint8_t *in_data, int len) { if(len <= 0 || in_data == NULL) return 0; - - if(ssl->bm_index == 0) + + if(IS_SET_SSL_FLAG(SSL_NEED_RECORD)) { read_record(ssl); } + return process_data(ssl, in_data, len); } @@ -1375,56 +1381,44 @@ int process_data(SSL* ssl, uint8_t *in_data, int len) return 0; if (in_data) { + uint16_t index = ssl->bm_index % 2048; if(ssl->bm_read_index == 0) { - int read_len = ssl->need_bytes - ssl->bm_index; - if(read_len > 4096-ssl->bm_index) - read_len = 4096-ssl->bm_index; - if(len < read_len) - read_len = len - (len % AES_BLOCKSIZE); + int read_len = len; + if(read_len > 2048-index) + read_len = 2048-index; + if(read_len > ssl->need_bytes) + read_len = ssl->need_bytes; + read_len -= read_len % AES_BLOCKSIZE; if(read_len <= 0) read_len = AES_BLOCKSIZE; - printf("read_len=%d\n", read_len); - int ret = basic_read2(ssl, ssl->bm_all_data + ssl->bm_index, read_len); + if(ssl->need_bytes < AES_BLOCKSIZE) + read_len = AES_BLOCKSIZE; + int ret = basic_read2(ssl, ssl->bm_all_data + index, read_len); if(ret != read_len) return 0; - - ssl->bm_read_index = basic_decrypt(ssl, ssl->bm_all_data + ssl->bm_index, read_len); + + ssl->bm_read_index = basic_decrypt(ssl, ssl->bm_all_data + index, read_len); + ssl->need_bytes -= ssl->bm_read_index; + if(ssl->need_bytes == 0) + { + ssl->bm_read_index = 0; + SET_SSL_FLAG(SSL_NEED_RECORD); + return ssl_read(ssl, in_data, len); + } } if(len > ssl->bm_read_index) len = ssl->bm_read_index; - - memcpy(in_data, ssl->bm_all_data+ssl->bm_index, len); + memcpy(in_data, ssl->bm_all_data+index, len); ssl->bm_index += len; ssl->bm_read_index -= len; - if(ssl->bm_index >= 4096) + if(ssl->need_bytes == 0) + SET_SSL_FLAG(SSL_NEED_RECORD); + if(ssl->bm_index >= 2048) ssl->bm_index = 0; return len; - - /* - int read_len = ssl->need_bytes; - if(len < ssl->need_bytes) - read_len = len - (len % AES_BLOCKSIZE); - if(read_len <= 0) - return 0; - int ret = basic_read2(ssl, in_data, read_len); - - if(ret != read_len) - return 0; - ssl->bm_index += ret; - if(ssl->bm_index >= ssl->need_bytes) - { - ssl->need_bytes = 0; - SET_SSL_FLAG(SSL_NEED_RECORD); - } - ret = basic_decrypt(ssl, in_data, read_len); - - if(ret < 0) - return 0; - return ret; - */ } return 0; diff --git a/libraries/net/https/axTLS/ssl/tls1.h b/libraries/net/https/axTLS/ssl/tls1.h index 5840400074..4a4f453fe2 100644 --- a/libraries/net/https/axTLS/ssl/tls1.h +++ b/libraries/net/https/axTLS/ssl/tls1.h @@ -76,7 +76,7 @@ extern "C" { #define IS_SET_SSL_FLAG(A) (ssl->flag & A) #define MAX_KEY_BYTE_SIZE 512 /* for a 4096 bit key */ -#define RT_MAX_PLAIN_LENGTH 4096//16384 +#define RT_MAX_PLAIN_LENGTH 2048//16384 #define RT_EXTRA 512//1024 #define BM_RECORD_OFFSET 5 #define BM_ALL_DATA_SIZE (RT_MAX_PLAIN_LENGTH+RT_EXTRA-BM_RECORD_OFFSET)