This is an automated email from the ASF dual-hosted git repository. jiuzhudong pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/nuttx-apps.git
commit 94ffd5e9f0823144320465b4d269280c22ca48eb Author: makejian <[email protected]> AuthorDate: Fri Jun 6 13:43:24 2025 +0800 openssl_wrapper_mbedtls: extend openssl interfaces in ssl module for mqtt VELAPLATFO-62586 Change-Id: I3b56b028e76aee118ed90211c097ac3fe86bc129 Signed-off-by: makejian <[email protected]> (cherry picked from commit 7a567e98489f64b740044b9ce4066fa8d41af359) --- .../{mbedtls/err.c => include/openssl/crypto.h} | 38 +- .../openssl_mbedtls_wrapper/include/openssl/err.h | 6 + .../openssl_mbedtls_wrapper/include/openssl/evp.h | 8 + .../openssl_mbedtls_wrapper/include/openssl/ssl.h | 240 +++++++++--- .../include/openssl/ssl_local.h | 40 +- .../openssl_mbedtls_wrapper/include/openssl/tls1.h | 53 ++- .../include/openssl/types.h | 18 +- .../openssl_mbedtls_wrapper/include/openssl/x509.h | 18 +- crypto/openssl_mbedtls_wrapper/mbedtls/err.c | 27 ++ crypto/openssl_mbedtls_wrapper/mbedtls/evp.c | 9 + crypto/openssl_mbedtls_wrapper/mbedtls/ssl_lib.c | 404 ++++++++++++++++++++- .../openssl_mbedtls_wrapper/mbedtls/ssl_methods.c | 3 +- .../openssl_mbedtls_wrapper/mbedtls/ssl_methods.h | 30 +- crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c | 166 +++++---- crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.h | 6 +- crypto/openssl_mbedtls_wrapper/mbedtls/ssl_rsa.c | 5 + 16 files changed, 880 insertions(+), 191 deletions(-) diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/err.c b/crypto/openssl_mbedtls_wrapper/include/openssl/crypto.h similarity index 65% copy from crypto/openssl_mbedtls_wrapper/mbedtls/err.c copy to crypto/openssl_mbedtls_wrapper/include/openssl/crypto.h index 34dad8dc5..b573b2949 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/err.c +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/crypto.h @@ -1,7 +1,5 @@ /**************************************************************************** - * apps/crypto/openssl_mbedtls_wrapper/mbedtls/err.c - * - * SPDX-License-Identifier: Apache-2.0 + * apps/crypto/openssl_mbedtls_wrapper/include/openssl/crypto.h * * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with @@ -17,28 +15,34 @@ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the * License for the specific language governing permissions and limitations * under the License. - * ****************************************************************************/ +#ifndef OPENSSL_MBEDTLS_WRAPPER_CRYPTO_H +#define OPENSSL_MBEDTLS_WRAPPER_CRYPTO_H + /**************************************************************************** * Included Files ****************************************************************************/ -#include <openssl/err.h> -#include <mbedtls/error.h> -#include <mbedtls/cipher.h> -#include <errno.h> +#include <openssl/base.h> /**************************************************************************** - * Public Functions + * Pre-processor Definitions ****************************************************************************/ -unsigned long ERR_peek_last_error(void) -{ - return errno; -} +#define CRYPTO_num_locks() 1 +#define CRYPTO_set_locking_callback(func) + +#define CRYPTO_set_id_callback(func) + +/* These defines where used in combination with the old locking callbacks, + * they are not called anymore, but old code that's not called might still + * use them. + */ + +#define CRYPTO_LOCK 1 +#define CRYPTO_UNLOCK 2 +#define CRYPTO_READ 4 +#define CRYPTO_WRITE 8 -void ERR_error_string_n(unsigned long e, char *buf, size_t len) -{ - mbedtls_strerror(e, buf, len); -} +#endif /* OPENSSL_MBEDTLS_WRAPPER_CRYPTO_H */ diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/err.h b/crypto/openssl_mbedtls_wrapper/include/openssl/err.h index f6637eca4..1453be16e 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/err.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/err.h @@ -49,6 +49,12 @@ unsigned long ERR_peek_last_error(void); void ERR_error_string_n(unsigned long e, char *buf, size_t len); void ERR_free_strings(void); char *ERR_error_string(unsigned long e, char *buf); +void ERR_clear_error(void); +unsigned long ERR_get_error(void); +void ERR_remove_state(unsigned long pid); +int ERR_load_crypto_strings(void); +void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), + void *u); #ifdef __cplusplus } diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/evp.h b/crypto/openssl_mbedtls_wrapper/include/openssl/evp.h index f65a51d88..e1696bfa6 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/evp.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/evp.h @@ -44,6 +44,10 @@ #define EVP_PKEY_X25519 NID_X25519 +/**************************************************************************** + * Public Types + ****************************************************************************/ + struct evp_pkey_st { void *pkey_pm; @@ -166,6 +170,10 @@ int PKCS5_PBKDF2_HMAC(const char *password, size_t password_len, const PKEY_METHOD *EVP_PKEY_method(void); +int OpenSSL_add_all_algorithms(void); + +void EVP_cleanup(void); + #ifdef __cplusplus } #endif diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/ssl.h b/crypto/openssl_mbedtls_wrapper/include/openssl/ssl.h index 937c1ab95..94291eea8 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/ssl.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/ssl.h @@ -25,13 +25,19 @@ ****************************************************************************/ #include <stddef.h> +#include <openssl/ex_data.h> #include <openssl/types.h> +#include <openssl/x509.h> #include <openssl/x509_vfy.h> #include <openssl/tls1.h> +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ -#define SSL_SENT_SHUTDOWN 1 -#define SSL_RECEIVED_SHUTDOWN 2 +#define SSL_SENT_SHUTDOWN 1 +#define SSL_RECEIVED_SHUTDOWN 2 #define SSL_VERIFY_NONE 0x00 #define SSL_VERIFY_PEER 0x01 @@ -57,52 +63,133 @@ #define SSL_ERROR_WANT_READ 2 #define SSL_ERROR_WANT_WRITE 3 #define SSL_ERROR_WANT_X509_LOOKUP 4 -#define SSL_ERROR_SYSCALL 5/* look at error stack/return value/errno */ +#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */ #define SSL_ERROR_ZERO_RETURN 6 #define SSL_ERROR_WANT_CONNECT 7 #define SSL_ERROR_WANT_ACCEPT 8 #define SSL_ERROR_WANT_ASYNC 9 -#define SSL_ERROR_WANT_ASYNC_JOB 10 +#define SSL_ERROR_WANT_ASYNC_JOB 10 + +#define SSL_ST_CONNECT 0x1000 +#define SSL_ST_ACCEPT 0x2000 + +#define SSL_ST_MASK 0x0FFF + +#define SSL_CB_LOOP 0x01 +#define SSL_CB_EXIT 0x02 +#define SSL_CB_READ 0x04 +#define SSL_CB_WRITE 0x08 +#define SSL_CB_ALERT 0x4000 /* used in callback */ +#define SSL_CB_READ_ALERT (SSL_CB_ALERT | SSL_CB_READ) +#define SSL_CB_WRITE_ALERT (SSL_CB_ALERT | SSL_CB_WRITE) +#define SSL_CB_ACCEPT_LOOP (SSL_ST_ACCEPT | SSL_CB_LOOP) +#define SSL_CB_ACCEPT_EXIT (SSL_ST_ACCEPT | SSL_CB_EXIT) +#define SSL_CB_CONNECT_LOOP (SSL_ST_CONNECT | SSL_CB_LOOP) +#define SSL_CB_CONNECT_EXIT (SSL_ST_CONNECT | SSL_CB_EXIT) +#define SSL_CB_HANDSHAKE_START 0x10 +#define SSL_CB_HANDSHAKE_DONE 0x20 + +#define SSL_FILETYPE_ASN1 X509_FILETYPE_ASN1 +#define SSL_FILETYPE_PEM X509_FILETYPE_PEM + +/* Allow SSL_write(..., n) to return r with 0 < r < n (i.e. report success + * when just a single record has been written): + */ + +#define SSL_MODE_ENABLE_PARTIAL_WRITE 0x00000001U + +/* Make it possible to retry SSL_write() with changed buffer location (buffer + * contents must stay the same!); this is not the default to avoid the + * misconception that non-blocking SSL_write() behaves like non-blocking + * write(): + */ + +#define SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER 0x00000002U + +#define SSLEAY_VERSION 0 +#define SSLEAY_CFLAGS 1 +#define SSLEAY_BUILT_ON 2 +#define SSLEAY_PLATFORM 3 +#define SSLEAY_DIR 4 + +#define SSL2_VERSION 0x0002 + +#define SSL2_MT_CLIENT_HELLO 1 + +#define SSLv23_client_method TLS_client_method +#define SSL_library_init() 1 +#define SSL_load_error_strings() + +/**************************************************************************** + * Public Types + ****************************************************************************/ + +typedef unsigned int (*SSL_psk_client_cb_func)(SSL *ssl, + const char *hint, + char *identity, + unsigned int max_identity_len, + unsigned char *psk, + unsigned int max_psk_len); + +typedef void (*ossl_msg_cb)(int write_p, int version, int content_type, + const void *buf, size_t len, SSL *ssl, void *arg); typedef enum { - TLS_ST_BEFORE, - TLS_ST_OK, - DTLS_ST_CR_HELLO_VERIFY_REQUEST, - TLS_ST_CR_SRVR_HELLO, - TLS_ST_CR_CERT, - TLS_ST_CR_CERT_STATUS, - TLS_ST_CR_KEY_EXCH, - TLS_ST_CR_CERT_REQ, - TLS_ST_CR_SRVR_DONE, - TLS_ST_CR_SESSION_TICKET, - TLS_ST_CR_CHANGE, - TLS_ST_CR_FINISHED, - TLS_ST_CW_CLNT_HELLO, - TLS_ST_CW_CERT, - TLS_ST_CW_KEY_EXCH, - TLS_ST_CW_CERT_VRFY, - TLS_ST_CW_CHANGE, - TLS_ST_CW_NEXT_PROTO, - TLS_ST_CW_FINISHED, - TLS_ST_SW_HELLO_REQ, - TLS_ST_SR_CLNT_HELLO, - DTLS_ST_SW_HELLO_VERIFY_REQUEST, - TLS_ST_SW_SRVR_HELLO, - TLS_ST_SW_CERT, - TLS_ST_SW_KEY_EXCH, - TLS_ST_SW_CERT_REQ, - TLS_ST_SW_SRVR_DONE, - TLS_ST_SR_CERT, - TLS_ST_SR_KEY_EXCH, - TLS_ST_SR_CERT_VRFY, - TLS_ST_SR_NEXT_PROTO, - TLS_ST_SR_CHANGE, - TLS_ST_SR_FINISHED, - TLS_ST_SW_SESSION_TICKET, - TLS_ST_SW_CERT_STATUS, - TLS_ST_SW_CHANGE, - TLS_ST_SW_FINISHED + TLS_ST_BEFORE, + TLS_ST_OK, + DTLS_ST_CR_HELLO_VERIFY_REQUEST, + TLS_ST_CR_SRVR_HELLO, + TLS_ST_CR_CERT, + TLS_ST_CR_COMP_CERT, + TLS_ST_CR_CERT_STATUS, + TLS_ST_CR_KEY_EXCH, + TLS_ST_CR_CERT_REQ, + TLS_ST_CR_SRVR_DONE, + TLS_ST_CR_SESSION_TICKET, + TLS_ST_CR_CHANGE, + TLS_ST_CR_FINISHED, + TLS_ST_CW_CLNT_HELLO, + TLS_ST_CW_CERT, + TLS_ST_CW_COMP_CERT, + TLS_ST_CW_KEY_EXCH, + TLS_ST_CW_CERT_VRFY, + TLS_ST_CW_CHANGE, + TLS_ST_CW_NEXT_PROTO, + TLS_ST_CW_FINISHED, + TLS_ST_SW_HELLO_REQ, + TLS_ST_SR_CLNT_HELLO, + DTLS_ST_SW_HELLO_VERIFY_REQUEST, + TLS_ST_SW_SRVR_HELLO, + TLS_ST_SW_CERT, + TLS_ST_SW_COMP_CERT, + TLS_ST_SW_KEY_EXCH, + TLS_ST_SW_CERT_REQ, + TLS_ST_SW_SRVR_DONE, + TLS_ST_SR_CERT, + TLS_ST_SR_COMP_CERT, + TLS_ST_SR_KEY_EXCH, + TLS_ST_SR_CERT_VRFY, + TLS_ST_SR_NEXT_PROTO, + TLS_ST_SR_CHANGE, + TLS_ST_SR_FINISHED, + TLS_ST_SW_SESSION_TICKET, + TLS_ST_SW_CERT_STATUS, + TLS_ST_SW_CHANGE, + TLS_ST_SW_FINISHED, + TLS_ST_SW_ENCRYPTED_EXTENSIONS, + TLS_ST_CR_ENCRYPTED_EXTENSIONS, + TLS_ST_CR_CERT_VRFY, + TLS_ST_SW_CERT_VRFY, + TLS_ST_CR_HELLO_REQ, + TLS_ST_SW_KEY_UPDATE, + TLS_ST_CW_KEY_UPDATE, + TLS_ST_SR_KEY_UPDATE, + TLS_ST_CR_KEY_UPDATE, + TLS_ST_EARLY_DATA, + TLS_ST_PENDING_EARLY_DATA_END, + TLS_ST_CW_END_OF_EARLY_DATA, + TLS_ST_SR_END_OF_EARLY_DATA } OSSL_HANDSHAKE_STATE; @@ -141,6 +228,8 @@ int SSL_use_certificate_ASN1(SSL *ssl, const unsigned char *d, int len); int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type); +int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file); + int SSL_use_certificate_file(SSL *ssl, const char *file, int type); X509 *SSL_get_peer_certificate(const SSL *ssl); @@ -161,7 +250,7 @@ int SSL_get_error(const SSL *ssl, int ret_code); OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl); -SSL_CTX *SSL_CTX_new(const SSL_METHOD *method, void *rngctx); +SSL_CTX *SSL_CTX_new(const SSL_METHOD *method, ...); void SSL_CTX_free(SSL_CTX *ctx); @@ -299,6 +388,73 @@ int SSL_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type); int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long len); +const SSL_METHOD *TLS_method(void); +const SSL_METHOD *TLS_server_method(void); +const SSL_METHOD *TLS_client_method(void); + +const SSL_METHOD *TLSv1_method(void); /* TLSv1.0 */ +const SSL_METHOD *TLSv1_server_method(void); +const SSL_METHOD *TLSv1_client_method(void); + +const SSL_METHOD *TLSv1_1_method(void); /* TLSv1.1 */ +const SSL_METHOD *TLSv1_1_server_method(void); +const SSL_METHOD *TLSv1_1_client_method(void); + +const SSL_METHOD *TLSv1_2_method(void); /* TLSv1.2 */ +const SSL_METHOD *TLSv1_2_server_method(void); +const SSL_METHOD *TLSv1_2_client_method(void); + +SSL_SESSION *SSL_get1_session(SSL *ssl); + +void SSL_SESSION_free(SSL_SESSION *session); + +int SSL_set_session(SSL *s, SSL_SESSION *session); + +const char *SSLeay_version(int t); + +const char *SSL_state_string_long(const SSL *s); + +const char *SSL_get_cipher_name(const SSL *s); + +const char *SSL_alert_type_string_long(int value); + +const char *SSL_alert_desc_string_long(int value); + +void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); + +void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); + +int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx); + +void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb); + +long SSL_CTX_set_mode(SSL_CTX *ctx, long larg); + +void SSL_CTX_set_info_callback(SSL_CTX *ctx, + void (*cb)(const SSL *ssl, int type, int val)); + +void SSL_CTX_set_msg_callback(SSL_CTX *ctx, + void (*cb)(int write_p, int version, + int content_type, const void *buf, + size_t len, SSL *ssl, void *arg)); + +const char *SSL_get_cipher_list(const SSL *s, int n); + +long SSL_set_tlsext_host_name(SSL *s, void *parg); + +int SSL_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func); + +const char *SSL_get_cipher_list(const SSL *s, int n); + +int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str); + +int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg); + +int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath); + #ifdef __cplusplus } #endif diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/ssl_local.h b/crypto/openssl_mbedtls_wrapper/include/openssl/ssl_local.h index b9295d1c9..13f692b4e 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/ssl_local.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/ssl_local.h @@ -30,11 +30,6 @@ #include <openssl/x509_local.h> #include <openssl/x509_vfy.h> -#ifdef __cplusplus -extern "C" -{ -#endif - /**************************************************************************** * Public Types ****************************************************************************/ @@ -61,6 +56,24 @@ struct ssl_ctx_st int read_ahead; int read_buffer_len; X509_VERIFY_PARAM param; + + /* Default password callback. */ + + pem_password_cb *default_passwd_callback; + + /* Default password callback user data. */ + + void *default_passwd_callback_userdata; + uint32_t mode; + + /* optional informational callback */ + + void (*info_callback)(const SSL *ssl, int type, int val); + + /* callback that allows applications to peek at protocol messages */ + + ossl_msg_cb msg_callback; + SSL_psk_client_cb_func psk_client_callback; }; struct ssl_method_func_st @@ -97,6 +110,12 @@ struct ssl_session_st long timeout; long time; X509 *peer; + const SSL_CIPHER *cipher; + int references; + struct + { + char hostname[TLSEXT_MAXLEN_host_name]; + } ext; }; struct ssl_st @@ -132,8 +151,19 @@ struct ssl_st /* SSL low-level system arch point */ void *ssl_pm; + SSL_CIPHER *cipher_list; +}; + +struct ssl_cipher_st +{ + const char *name; /* text name */ }; +#ifdef __cplusplus +extern "C" +{ +#endif + /**************************************************************************** * Public Function Prototypes ****************************************************************************/ diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/tls1.h b/crypto/openssl_mbedtls_wrapper/include/openssl/tls1.h index 57fd4fa26..6f0ff49cb 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/tls1.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/tls1.h @@ -20,42 +20,63 @@ #ifndef OPENSSL_MBEDTLS_WRAPPER_TLS1_H #define OPENSSL_MBEDTLS_WRAPPER_TLS1_H -#ifdef __cplusplus -extern "C" -{ -#endif +/**************************************************************************** + * Included Files + ****************************************************************************/ + +#include <openssl/ssl.h> + +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ #define TLS1_AD_DECRYPTION_FAILED 21 #define TLS1_AD_RECORD_OVERFLOW 22 -#define TLS1_AD_UNKNOWN_CA 48/* fatal */ -#define TLS1_AD_ACCESS_DENIED 49/* fatal */ -#define TLS1_AD_DECODE_ERROR 50/* fatal */ +#define TLS1_AD_UNKNOWN_CA 48 /* fatal */ +#define TLS1_AD_ACCESS_DENIED 49 /* fatal */ +#define TLS1_AD_DECODE_ERROR 50 /* fatal */ #define TLS1_AD_DECRYPT_ERROR 51 -#define TLS1_AD_EXPORT_RESTRICTION 60/* fatal */ -#define TLS1_AD_PROTOCOL_VERSION 70/* fatal */ -#define TLS1_AD_INSUFFICIENT_SECURITY 71/* fatal */ -#define TLS1_AD_INTERNAL_ERROR 80/* fatal */ -#define TLS1_AD_INAPPROPRIATE_FALLBACK 86/* fatal */ +#define TLS1_AD_EXPORT_RESTRICTION 60 /* fatal */ +#define TLS1_AD_PROTOCOL_VERSION 70 /* fatal */ +#define TLS1_AD_INSUFFICIENT_SECURITY 71 /* fatal */ +#define TLS1_AD_INTERNAL_ERROR 80 /* fatal */ +#define TLS1_AD_INAPPROPRIATE_FALLBACK 86 /* fatal */ #define TLS1_AD_USER_CANCELLED 90 #define TLS1_AD_NO_RENEGOTIATION 100 + /* codes 110-114 are from RFC3546 */ + #define TLS1_AD_UNSUPPORTED_EXTENSION 110 #define TLS1_AD_CERTIFICATE_UNOBTAINABLE 111 #define TLS1_AD_UNRECOGNIZED_NAME 112 #define TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE 113 #define TLS1_AD_BAD_CERTIFICATE_HASH_VALUE 114 -#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115/* fatal */ -#define TLS1_AD_NO_APPLICATION_PROTOCOL 120/* fatal */ +#define TLS1_AD_UNKNOWN_PSK_IDENTITY 115 /* fatal */ +#define TLS1_AD_NO_APPLICATION_PROTOCOL 120 /* fatal */ /* Special value for method supporting multiple versions */ + #define TLS_ANY_VERSION 0x10000 #define TLS1_VERSION 0x0301 #define TLS1_1_VERSION 0x0302 #define TLS1_2_VERSION 0x0303 -#define SSL_TLSEXT_ERR_OK 0 -#define SSL_TLSEXT_ERR_NOACK 3 +#define SSL_TLSEXT_ERR_OK 0 +#define SSL_TLSEXT_ERR_NOACK 3 + +#define TLSEXT_MAXLEN_host_name 255 + +#ifdef __cplusplus +extern "C" +{ +#endif + +/**************************************************************************** + * Public Function Prototypes + ****************************************************************************/ + +long SSL_set_tlsext_host_name(SSL *s, void *parg); #ifdef __cplusplus } diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/types.h b/crypto/openssl_mbedtls_wrapper/include/openssl/types.h index c03078645..294ef20f6 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/types.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/types.h @@ -20,17 +20,18 @@ #ifndef OPENSSL_MBEDTLS_WRAPPER_TYPES_H #define OPENSSL_MBEDTLS_WRAPPER_TYPES_H -#ifdef __cplusplus -extern "C" -{ -#endif +/**************************************************************************** + * Public Types + ****************************************************************************/ -typedef void SSL_CIPHER; +typedef void CRYPTO_EX_new; +typedef void CRYPTO_THREADID; typedef void X509_STORE; - typedef void RSA; typedef int (*OPENSSL_sk_compfunc)(const void *, const void *); +typedef int pem_password_cb(char *buf, int size, + int rwflag, void *userdata); typedef struct bio_buf_mem_st BIO_BUF_MEM; typedef struct bio_method_st BIO_METHOD; @@ -43,6 +44,7 @@ typedef struct ossl_statem_st OSSL_STATEM; typedef struct ssl_session_st SSL_SESSION; typedef struct ssl_ctx_st SSL_CTX; typedef struct ssl_st SSL; +typedef struct ssl_cipher_st SSL_CIPHER; typedef struct cert_st CERT; typedef struct x509_st X509; typedef struct X509_VERIFY_PARAM_st X509_VERIFY_PARAM; @@ -68,8 +70,4 @@ struct pkey_method_st int (*pkey_load)(EVP_PKEY *pkey, const unsigned char *buf, int len); }; -#ifdef __cplusplus -} -#endif - #endif /* OPENSSL_MBEDTLS_WRAPPER_TYPES_H */ diff --git a/crypto/openssl_mbedtls_wrapper/include/openssl/x509.h b/crypto/openssl_mbedtls_wrapper/include/openssl/x509.h index 847aaa4bc..d7cff9a4b 100644 --- a/crypto/openssl_mbedtls_wrapper/include/openssl/x509.h +++ b/crypto/openssl_mbedtls_wrapper/include/openssl/x509.h @@ -34,10 +34,13 @@ #include <openssl/obj.h> #include <openssl/types.h> -#ifdef __cplusplus -extern "C" -{ -#endif +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ + +#define X509_FILETYPE_PEM 1 +#define X509_FILETYPE_ASN1 2 +#define X509_FILETYPE_DEFAULT 3 /**************************************************************************** * Public Types @@ -56,6 +59,8 @@ struct x509_method_st int (*x509_new)(X509 *x, X509 *m_x); void (*x509_free)(X509 *x); int (*x509_load)(X509 *x, const unsigned char *buf, int len); + int (*x509_load_file)(X509 *x, const char *file); + int (*x509_load_path)(X509 *x, const char *path); int (*x509_show_info)(X509 *x); }; @@ -66,6 +71,11 @@ struct cert_st EVP_PKEY *pkey; }; +#ifdef __cplusplus +extern "C" +{ +#endif + /**************************************************************************** * Public Function Prototypes ****************************************************************************/ diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/err.c b/crypto/openssl_mbedtls_wrapper/mbedtls/err.c index 34dad8dc5..4657259f7 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/err.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/err.c @@ -38,7 +38,34 @@ unsigned long ERR_peek_last_error(void) return errno; } +void ERR_free_strings(void) +{ +} + void ERR_error_string_n(unsigned long e, char *buf, size_t len) { mbedtls_strerror(e, buf, len); } + +void ERR_clear_error(void) +{ +} + +unsigned long ERR_get_error(void) +{ + return errno; +} + +void ERR_remove_state(unsigned long pid) +{ +} + +int ERR_load_crypto_strings(void) +{ + return 1; +} + +void ERR_print_errors_cb(int (*cb)(const char *str, size_t len, void *u), + void *u) +{ +} diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/evp.c b/crypto/openssl_mbedtls_wrapper/mbedtls/evp.c index 3045c495a..b1feae343 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/evp.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/evp.c @@ -344,3 +344,12 @@ int EVP_PKEY_get_raw_private_key(const EVP_PKEY *pkey, { return 0; } + +int OpenSSL_add_all_algorithms(void) +{ + return 0; +} + +void EVP_cleanup(void) +{ +} diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_lib.c b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_lib.c index a4f0eea40..4e7bf0968 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_lib.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_lib.c @@ -21,13 +21,22 @@ * Included Files ****************************************************************************/ +#include <nuttx/atomic.h> #include <openssl/ssl_dbg.h> #include <openssl/ssl3.h> #include <openssl/ssl_local.h> #include "ssl_port.h" +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ + #define SSL_SEND_DATA_MAX_LENGTH 1460 +/**************************************************************************** + * Private Types + ****************************************************************************/ + struct alpn_ctx { unsigned char data[23]; @@ -56,6 +65,7 @@ static SSL_SESSION *SSL_SESSION_new(void) goto failed2; } + session->references = 1; return session; failed2: @@ -64,12 +74,6 @@ failed1: return NULL; } -static void SSL_SESSION_free(SSL_SESSION *session) -{ - X509_free(session->peer); - ssl_mem_free(session); -} - static void _openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos) { @@ -256,7 +260,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) return ret; } -SSL_CTX *SSL_CTX_new(const SSL_METHOD *method, void *rngctx) +SSL_CTX *SSL_CTX_new(const SSL_METHOD *method, ...) { SSL_CTX *ctx; CERT *cert; @@ -1014,3 +1018,389 @@ void SSL_set_alpn_select_cb(SSL *ssl, void *arg) _ssl_set_alpn_list(ssl); } + +SSL_SESSION *SSL_get1_session(SSL *ssl) +{ + SSL_ASSERT2(ssl); + + atomic_fetch_add(&ssl->session->references, 1); + return ssl->session; +} + +void SSL_SESSION_free(SSL_SESSION *session) +{ + SSL_ASSERT3(session); + + if (atomic_fetch_sub(&session->references, 1) == 1) + { + X509_free(session->peer); + ssl_mem_free(session); + } +} + +int SSL_set_session(SSL *s, SSL_SESSION *session) +{ + SSL_ASSERT1(s); + SSL_ASSERT1(session); + + SSL_SESSION_free(s->session); + s->session = session; + return 1; +} + +const char *SSLeay_version(int t) +{ + return "not available"; +} + +const char *SSL_state_string_long(const SSL *s) +{ + SSL_ASSERT2(s); + + switch (SSL_get_state(s)) + { + case TLS_ST_CR_CERT_STATUS: + return "SSLv3/TLS read certificate status"; + case TLS_ST_CW_NEXT_PROTO: + return "SSLv3/TLS write next proto"; + case TLS_ST_SR_NEXT_PROTO: + return "SSLv3/TLS read next proto"; + case TLS_ST_SW_CERT_STATUS: + return "SSLv3/TLS write certificate status"; + case TLS_ST_BEFORE: + return "before SSL initialization"; + case TLS_ST_OK: + return "SSL negotiation finished successfully"; + case TLS_ST_CW_CLNT_HELLO: + return "SSLv3/TLS write client hello"; + case TLS_ST_CR_SRVR_HELLO: + return "SSLv3/TLS read server hello"; + case TLS_ST_CR_CERT: + return "SSLv3/TLS read server certificate"; + case TLS_ST_CR_COMP_CERT: + return "TLSv1.3 read server compressed certificate"; + case TLS_ST_CR_KEY_EXCH: + return "SSLv3/TLS read server key exchange"; + case TLS_ST_CR_CERT_REQ: + return "SSLv3/TLS read server certificate request"; + case TLS_ST_CR_SESSION_TICKET: + return "SSLv3/TLS read server session ticket"; + case TLS_ST_CR_SRVR_DONE: + return "SSLv3/TLS read server done"; + case TLS_ST_CW_CERT: + return "SSLv3/TLS write client certificate"; + case TLS_ST_CW_COMP_CERT: + return "TLSv1.3 write client compressed certificate"; + case TLS_ST_CW_KEY_EXCH: + return "SSLv3/TLS write client key exchange"; + case TLS_ST_CW_CERT_VRFY: + return "SSLv3/TLS write certificate verify"; + case TLS_ST_CW_CHANGE: + case TLS_ST_SW_CHANGE: + return "SSLv3/TLS write change cipher spec"; + case TLS_ST_CW_FINISHED: + case TLS_ST_SW_FINISHED: + return "SSLv3/TLS write finished"; + case TLS_ST_CR_CHANGE: + case TLS_ST_SR_CHANGE: + return "SSLv3/TLS read change cipher spec"; + case TLS_ST_CR_FINISHED: + case TLS_ST_SR_FINISHED: + return "SSLv3/TLS read finished"; + case TLS_ST_SR_CLNT_HELLO: + return "SSLv3/TLS read client hello"; + case TLS_ST_SW_HELLO_REQ: + return "SSLv3/TLS write hello request"; + case TLS_ST_SW_SRVR_HELLO: + return "SSLv3/TLS write server hello"; + case TLS_ST_SW_CERT: + return "SSLv3/TLS write certificate"; + case TLS_ST_SW_COMP_CERT: + return "TLSv1.3 write server compressed certificate"; + case TLS_ST_SW_KEY_EXCH: + return "SSLv3/TLS write key exchange"; + case TLS_ST_SW_CERT_REQ: + return "SSLv3/TLS write certificate request"; + case TLS_ST_SW_SESSION_TICKET: + return "SSLv3/TLS write session ticket"; + case TLS_ST_SW_SRVR_DONE: + return "SSLv3/TLS write server done"; + case TLS_ST_SR_CERT: + return "SSLv3/TLS read client certificate"; + case TLS_ST_SR_COMP_CERT: + return "TLSv1.3 read client compressed certificate"; + case TLS_ST_SR_KEY_EXCH: + return "SSLv3/TLS read client key exchange"; + case TLS_ST_SR_CERT_VRFY: + return "SSLv3/TLS read certificate verify"; + case DTLS_ST_CR_HELLO_VERIFY_REQUEST: + return "DTLS1 read hello verify request"; + case DTLS_ST_SW_HELLO_VERIFY_REQUEST: + return "DTLS1 write hello verify request"; + case TLS_ST_SW_ENCRYPTED_EXTENSIONS: + return "TLSv1.3 write encrypted extensions"; + case TLS_ST_CR_ENCRYPTED_EXTENSIONS: + return "TLSv1.3 read encrypted extensions"; + case TLS_ST_CR_CERT_VRFY: + return "TLSv1.3 read server certificate verify"; + case TLS_ST_SW_CERT_VRFY: + return "TLSv1.3 write server certificate verify"; + case TLS_ST_CR_HELLO_REQ: + return "SSLv3/TLS read hello request"; + case TLS_ST_SW_KEY_UPDATE: + return "TLSv1.3 write server key update"; + case TLS_ST_CW_KEY_UPDATE: + return "TLSv1.3 write client key update"; + case TLS_ST_SR_KEY_UPDATE: + return "TLSv1.3 read client key update"; + case TLS_ST_CR_KEY_UPDATE: + return "TLSv1.3 read server key update"; + case TLS_ST_EARLY_DATA: + return "TLSv1.3 early data"; + case TLS_ST_PENDING_EARLY_DATA_END: + return "TLSv1.3 pending early data end"; + case TLS_ST_CW_END_OF_EARLY_DATA: + return "TLSv1.3 write end of early data"; + case TLS_ST_SR_END_OF_EARLY_DATA: + return "TLSv1.3 read end of early data"; + default: + return "unknown state"; + } +} + +const char *SSL_get_cipher_name(const SSL *s) +{ + SSL_ASSERT2(s); + SSL_ASSERT2(s->session); + + return s->session->cipher->name ? s->session->cipher->name : "(NONE)"; +} + +const char *SSL_alert_type_string_long(int value) +{ + switch (value >> 8) + { + case SSL3_AL_WARNING: + return "warning"; + case SSL3_AL_FATAL: + return "fatal"; + } + + return "unknown"; +} + +const char *SSL_alert_desc_string_long(int value) +{ + switch (value & 0xff) + { + case SSL3_AD_CLOSE_NOTIFY: + return "close notify"; + case SSL3_AD_UNEXPECTED_MESSAGE: + return "unexpected message"; + case SSL3_AD_BAD_RECORD_MAC: + return "bad record mac"; + case SSL3_AD_DECOMPRESSION_FAILURE: + return "decompression failure"; + case SSL3_AD_HANDSHAKE_FAILURE: + return "handshake failure"; + case SSL3_AD_NO_CERTIFICATE: + return "no certificate"; + case SSL3_AD_BAD_CERTIFICATE: + return "bad certificate"; + case SSL3_AD_UNSUPPORTED_CERTIFICATE: + return "unsupported certificate"; + case SSL3_AD_CERTIFICATE_REVOKED: + return "certificate revoked"; + case SSL3_AD_CERTIFICATE_EXPIRED: + return "certificate expired"; + case SSL3_AD_CERTIFICATE_UNKNOWN: + return "certificate unknown"; + case SSL3_AD_ILLEGAL_PARAMETER: + return "illegal parameter"; + case TLS1_AD_DECRYPTION_FAILED: + return "decryption failed"; + case TLS1_AD_RECORD_OVERFLOW: + return "record overflow"; + case TLS1_AD_UNKNOWN_CA: + return "unknown CA"; + case TLS1_AD_ACCESS_DENIED: + return "access denied"; + case TLS1_AD_DECODE_ERROR: + return "decode error"; + case TLS1_AD_DECRYPT_ERROR: + return "decrypt error"; + case TLS1_AD_EXPORT_RESTRICTION: + return "export restriction"; + case TLS1_AD_PROTOCOL_VERSION: + return "protocol version"; + case TLS1_AD_INSUFFICIENT_SECURITY: + return "insufficient security"; + case TLS1_AD_INTERNAL_ERROR: + return "internal error"; + case TLS1_AD_USER_CANCELLED: + return "user canceled"; + case TLS1_AD_NO_RENEGOTIATION: + return "no renegotiation"; + case TLS1_AD_UNSUPPORTED_EXTENSION: + return "unsupported extension"; + case TLS1_AD_CERTIFICATE_UNOBTAINABLE: + return "certificate unobtainable"; + case TLS1_AD_UNRECOGNIZED_NAME: + return "unrecognized name"; + case TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE: + return "bad certificate status response"; + case TLS1_AD_BAD_CERTIFICATE_HASH_VALUE: + return "bad certificate hash value"; + case TLS1_AD_UNKNOWN_PSK_IDENTITY: + return "unknown PSK identity"; + case TLS1_AD_NO_APPLICATION_PROTOCOL: + return "no application protocol"; + default: + return "unknown"; + } +} + +void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb) +{ + ctx->default_passwd_callback = cb; +} + +void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u) +{ + ctx->default_passwd_callback_userdata = u; +} + +void SSL_CTX_set_psk_client_callback(SSL_CTX *ctx, SSL_psk_client_cb_func cb) +{ + ctx->psk_client_callback = cb; +} + +int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx) +{ + return 0; +} + +long SSL_CTX_set_mode(SSL_CTX *ctx, long larg) +{ + return ctx->mode |= larg; +} + +void SSL_CTX_set_info_callback(SSL_CTX *ctx, + void (*cb)(const SSL *ssl, int type, int val)) +{ + ctx->info_callback = cb; +} + +void SSL_CTX_set_msg_callback(SSL_CTX *ctx, + void (*cb)(int write_p, int version, + int content_type, const void *buf, + size_t len, SSL *ssl, void *arg)) +{ + ctx->msg_callback = cb; +} + +long SSL_set_tlsext_host_name(SSL *s, void *parg) +{ + size_t len; + + SSL_ASSERT1(s); + SSL_ASSERT1(s->session); + + if (parg == NULL) + { + return 1; + } + + len = strlen(parg); + if (len == 0 || len > TLSEXT_MAXLEN_host_name) + { + return 0; + } + + memset(s->session->ext.hostname, 0, TLSEXT_MAXLEN_host_name); + memcpy(s->session->ext.hostname, parg, len); + return 1; +} + +int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile) +{ + X509 *x; + int ret; + + SSL_ASSERT1(ctx); + SSL_ASSERT1(CAfile); + + x = X509_new(); + ret = X509_METHOD_CALL(load_file, x, CAfile); + if (ret) + { + X509_free(x); + return 0; + } + + SSL_CTX_add_client_CA(ctx, x); + return 1; +} + +int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath) +{ + X509 *x; + int ret; + + SSL_ASSERT1(ctx); + SSL_ASSERT1(CApath); + + x = X509_new(); + ret = X509_METHOD_CALL(load_path, x, CApath); + if (ret) + { + X509_free(x); + return 0; + } + + SSL_CTX_add_client_CA(ctx, x); + return 1; +} + +int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile, + const char *CApath) +{ + if (CAfile == NULL && CApath == NULL) + { + return 0; + } + + if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile)) + { + return 0; + } + + if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath)) + { + return 0; + } + + return 1; +} + +int SSL_get_ex_new_index(long argl, void *argp, + CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, + CRYPTO_EX_free *free_func) +{ + return 0; +} + +const char *SSL_get_cipher_list(const SSL *s, int n) +{ + return NULL; +} + +int SSL_CTX_set_ex_data(SSL_CTX *s, int idx, void *arg) +{ + return 0; +} + +int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) +{ + return 0; +} diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.c b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.c index 7abddee9f..a5b8e5bb0 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.c @@ -95,7 +95,8 @@ IMPLEMENT_SSL_METHOD(SSL3_VERSION, -1, TLS_method_func, SSLv3_method); IMPLEMENT_X509_METHOD(X509_method, x509_pm_new, x509_pm_free, - x509_pm_load, x509_pm_show_info); + x509_pm_load, x509_pm_load_file, + x509_pm_load_path, x509_pm_show_info); /** * @brief get private key object method diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.h b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.h index 3c2647814..c93546fc7 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.h +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_methods.h @@ -27,10 +27,9 @@ #include <openssl/ssl.h> #include "ssl_pm.h" -#ifdef __cplusplus -extern "C" -{ -#endif +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ /* TLS method function implement */ @@ -42,7 +41,7 @@ extern "C" set_bufflen, \ get_verify_result, \ get_state) \ - static const SSL_METHOD_FUNC func_name LOCAL_ATRR = \ + static const SSL_METHOD_FUNC func_name = \ { \ new, \ free, \ @@ -62,7 +61,7 @@ extern "C" #define IMPLEMENT_TLS_METHOD(ver, mode, fun, func_name) \ const SSL_METHOD* func_name(void) \ { \ - static const SSL_METHOD func_name##_data LOCAL_ATRR = \ + static const SSL_METHOD func_name##_data = \ { \ ver, \ mode, \ @@ -74,7 +73,7 @@ extern "C" #define IMPLEMENT_SSL_METHOD(ver, mode, fun, func_name) \ const SSL_METHOD* func_name(void) \ { \ - static const SSL_METHOD func_name##_data LOCAL_ATRR = \ + static const SSL_METHOD func_name##_data = \ { \ ver, \ mode, \ @@ -87,14 +86,18 @@ extern "C" new, \ free, \ load, \ + load_file, \ + load_path, \ show_info) \ const X509_METHOD* func_name(void) \ { \ - static const X509_METHOD func_name##_data LOCAL_ATRR = \ + static const X509_METHOD func_name##_data = \ { \ new, \ free, \ load, \ + load_file, \ + load_path, \ show_info \ }; \ return &func_name##_data; \ @@ -106,7 +109,7 @@ extern "C" load) \ const PKEY_METHOD* func_name(void) \ { \ - static const PKEY_METHOD func_name##_data LOCAL_ATRR = \ + static const PKEY_METHOD func_name##_data = \ { \ new, \ free, \ @@ -115,6 +118,15 @@ extern "C" return &func_name##_data; \ } +#ifdef __cplusplus +extern "C" +{ +#endif + +/**************************************************************************** + * Public Function Prototypes + ****************************************************************************/ + /** * @brief get X509 object method * diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c index 95bec900e..086968794 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c @@ -38,7 +38,16 @@ #include "mbedtls/ctr_drbg.h" #include "mbedtls/error.h" +/**************************************************************************** + * Pre-processor Definitions + ****************************************************************************/ + #define X509_INFO_STRING_LENGTH 8192 +#define READ_TIMEOUT_MS 50000 /* 50 seconds */ + +/**************************************************************************** + * Private Types + ****************************************************************************/ struct ssl_pm { @@ -58,7 +67,7 @@ struct ssl_pm struct x509_pm { - mbedtls_x509_crt *x509_crt; + mbedtls_x509_crt x509_crt; mbedtls_x509_crt *ex_crt; }; @@ -68,10 +77,15 @@ struct pkey_pm mbedtls_pk_context *ex_pkey; }; +/**************************************************************************** + * Public Data + ****************************************************************************/ + unsigned int max_content_len; -/* mbedtls debug level */ -#define MBEDTLS_DEBUG_LEVEL 4 +/**************************************************************************** + * Private Functions + ****************************************************************************/ /** * @brief mbedtls debug function @@ -134,6 +148,7 @@ int ssl_pm_new(SSL *ssl) mbedtls_ctr_drbg_init(&ssl_pm->ctr_drbg); mbedtls_entropy_init(&ssl_pm->entropy); mbedtls_ssl_init(&ssl_pm->ssl); + mbedtls_ssl_conf_read_timeout(&ssl_pm->conf, READ_TIMEOUT_MS); ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len); @@ -210,7 +225,8 @@ int ssl_pm_new(SSL *ssl) } mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, - mbedtls_net_send, mbedtls_net_recv, NULL); + mbedtls_net_send, mbedtls_net_recv, + mbedtls_net_recv_timeout); ssl->ssl_pm = ssl_pm; @@ -249,7 +265,7 @@ void ssl_pm_free(SSL *ssl) static int ssl_pm_reload_crt(SSL *ssl) { - int ret; + int ret = 0; int mode; struct ssl_pm *ssl_pm = ssl->ssl_pm; struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm; @@ -275,29 +291,16 @@ static int ssl_pm_reload_crt(SSL *ssl) } mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode); - - if (ca_pm->x509_crt) - { - mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL); - } - else if (ca_pm->ex_crt) + mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &ca_pm->x509_crt, NULL); + if (ca_pm->ex_crt) { mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL); } - if (crt_pm->x509_crt && pkey_pm->pkey) - { - ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, - crt_pm->x509_crt, pkey_pm->pkey); - } - else if (crt_pm->ex_crt && pkey_pm->ex_pkey) + if (pkey_pm->pkey) { ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, - crt_pm->ex_crt, pkey_pm->ex_pkey); - } - else - { - ret = 0; + &crt_pm->x509_crt, pkey_pm->pkey); } if (ret) @@ -342,7 +345,8 @@ int ssl_pm_handshake(SSL *ssl) ret = ssl_pm_reload_crt(ssl); if (ret) { - printf("%s: cert reload failed\n", __func__); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "%s: cert reload failed\n", __func__); return 0; } @@ -396,7 +400,8 @@ int ssl_pm_handshake(SSL *ssl) return 0; } - printf("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret); /* it's had it */ @@ -415,7 +420,7 @@ ssl_ctx_get_mbedtls_x509_crt(SSL_CTX *ssl_ctx) return NULL; } - return x509_pm->x509_crt; + return &x509_pm->x509_crt; } mbedtls_x509_crt * @@ -451,7 +456,7 @@ int ssl_pm_shutdown(SSL *ssl) else { struct x509_pm *x509_pm = - (struct x509_pm *)ssl->session->peer->x509_pm; + (struct x509_pm *)ssl->session->peer->x509_pm; x509_pm->ex_crt = NULL; ret = 1; /* OpenSSL: "The shutdown was successfully completed" @@ -628,20 +633,8 @@ int x509_pm_show_info(X509 *x) mbedtls_x509_crt *x509_crt; struct x509_pm *x509_pm = x->x509_pm; - if (x509_pm->x509_crt) - { - x509_crt = x509_pm->x509_crt; - } - else if (x509_pm->ex_crt) - { - x509_crt = x509_pm->ex_crt; - } - else - { - x509_crt = NULL; - } - - if (!x509_crt) + x509_crt = &x509_pm->x509_crt; + if (x509_crt->version == 0) { return -1; } @@ -693,7 +686,7 @@ int x509_pm_new(X509 *x, X509 *m_x) { struct x509_pm *m_x509_pm = (struct x509_pm *)m_x->x509_pm; - x509_pm->ex_crt = m_x509_pm->x509_crt; + x509_pm->ex_crt = &m_x509_pm->x509_crt; } return 0; @@ -706,14 +699,7 @@ void x509_pm_free(X509 *x) { struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm; - if (x509_pm->x509_crt) - { - mbedtls_x509_crt_free(x509_pm->x509_crt); - - ssl_mem_free(x509_pm->x509_crt); - x509_pm->x509_crt = NULL; - } - + mbedtls_x509_crt_free(&x509_pm->x509_crt); ssl_mem_free(x->x509_pm); x->x509_pm = NULL; } @@ -724,23 +710,8 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len) unsigned char *load_buf; struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm; - if (x509_pm->x509_crt) - { - mbedtls_x509_crt_free(x509_pm->x509_crt); - } - - if (!x509_pm->x509_crt) - { - x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt)); - if (!x509_pm->x509_crt) - { - SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, - "no enough memory > (x509_pm->x509_crt)"); - goto no_mem; - } - } - - mbedtls_x509_crt_init(x509_pm->x509_crt); + mbedtls_x509_crt_free(&x509_pm->x509_crt); + mbedtls_x509_crt_init(&x509_pm->x509_crt); if (buffer[0] != 0x30) { load_buf = ssl_mem_malloc(len + 1); @@ -754,32 +725,67 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len) ssl_memcpy(load_buf, buffer, len); load_buf[len] = '\0'; - ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1); + ret = mbedtls_x509_crt_parse(&x509_pm->x509_crt, load_buf, len + 1); ssl_mem_free(load_buf); } else { - printf("parsing as der\n"); - - ret = mbedtls_x509_crt_parse_der(x509_pm->x509_crt, buffer, len); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "parsing as der\n"); + ret = mbedtls_x509_crt_parse_der(&x509_pm->x509_crt, buffer, len); } if (ret) { - printf("mbedtls_x509_crt_parse return -0x%x", -ret); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "mbedtls_x509_crt_parse return -0x%x", -ret); goto failed; } return 0; failed: - mbedtls_x509_crt_free(x509_pm->x509_crt); - ssl_mem_free(x509_pm->x509_crt); - x509_pm->x509_crt = NULL; -no_mem: + mbedtls_x509_crt_free(&x509_pm->x509_crt); return -1; } +int x509_pm_load_file(X509 *x, const char *path) +{ + int ret; + struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm; + + mbedtls_x509_crt_free(&x509_pm->x509_crt); + mbedtls_x509_crt_init(&x509_pm->x509_crt); + ret = mbedtls_x509_crt_parse_file(&x509_pm->x509_crt, path); + if (ret) + { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "mbedtls_x509_crt_parse_file return -0x%x", -ret); + mbedtls_x509_crt_free(&x509_pm->x509_crt); + return -1; + } + + return 0; +} + +int x509_pm_load_path(X509 *x, const char *path) +{ + int ret; + struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm; + + mbedtls_x509_crt_free(&x509_pm->x509_crt); + mbedtls_x509_crt_init(&x509_pm->x509_crt); + ret = mbedtls_x509_crt_parse_path(&x509_pm->x509_crt, path); + if (ret) + { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "mbedtls_x509_crt_parse_file return -0x%x", -ret); + mbedtls_x509_crt_free(&x509_pm->x509_crt); + return -1; + } + + return 0; +} + int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey) { struct pkey_pm *pkey_pm; @@ -977,7 +983,8 @@ void _ssl_set_alpn_list(const SSL *ssl) &((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos)) { - fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n"); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "mbedtls_ssl_conf_alpn_protocols failed\n"); } return; @@ -992,7 +999,8 @@ void _ssl_set_alpn_list(const SSL *ssl) &((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos)) { - fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n"); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, + "mbedtls_ssl_conf_alpn_protocols failed\n"); } } @@ -1070,8 +1078,8 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) ssl->verify_mode = ctx->verify_mode; - mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL); - mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, + mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, &x509_pm_ca->x509_crt, NULL); + mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, &x509_pm->x509_crt, pkey_pm->pkey); mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode); } diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.h b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.h index 22e6eda4a..0d2065024 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.h +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.h @@ -33,7 +33,9 @@ extern "C" { #endif -#define LOCAL_ATRR +/**************************************************************************** + * Public Function Prototypes + ****************************************************************************/ int ssl_pm_new(SSL *ssl); void ssl_pm_free(SSL *ssl); @@ -57,6 +59,8 @@ int x509_pm_show_info(X509 *x); int x509_pm_new(X509 *x, X509 *m_x); void x509_pm_free(X509 *x); int x509_pm_load(X509 *x, const unsigned char *buffer, int len); +int x509_pm_load_file(X509 *x, const char *path); +int x509_pm_load_path(X509 *x, const char *path); int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pk); void pkey_pm_free(EVP_PKEY *pk); diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_rsa.c b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_rsa.c index 0a754317d..7f21912ea 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_rsa.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_rsa.c @@ -124,6 +124,11 @@ int SSL_CTX_use_certificate_file(SSL_CTX *ctx, const char *file, int type) return 0; } +int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file) +{ + return 0; +} + int SSL_use_certificate_file(SSL *ssl, const char *file, int type) { return 0;
