1 // Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6
7 // http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #include "ssl_pm.h"
16 #include "ssl_port.h"
17 #include "ssl_dbg.h"
18
19 /* mbedtls include */
20 #include "mbedtls/platform.h"
21 #include "mbedtls/net_sockets.h"
22 #include "mbedtls/debug.h"
23 #include "mbedtls/entropy.h"
24 #include "mbedtls/ctr_drbg.h"
25 #include "mbedtls/error.h"
26 #include "mbedtls/certs.h"
27 #include "openssl/bio.h"
28 #include "openssl/err.h"
29
30 #define X509_INFO_STRING_LENGTH 8192
31
32 struct ssl_pm
33 {
34 /* local socket file description */
35 mbedtls_net_context fd;
36 /* remote client socket file description */
37 mbedtls_net_context cl_fd;
38
39 mbedtls_ssl_config conf;
40
41 mbedtls_ctr_drbg_context ctr_drbg;
42
43 mbedtls_ssl_context ssl;
44
45 mbedtls_entropy_context entropy;
46 };
47
48 struct x509_pm
49 {
50 mbedtls_x509_crt *x509_crt;
51
52 mbedtls_x509_crt *ex_crt;
53 };
54
55 struct pkey_pm
56 {
57 mbedtls_pk_context *pkey;
58
59 mbedtls_pk_context *ex_pkey;
60 };
61
62 unsigned int max_content_len;
63
64 /*********************************************************************************************/
65 /************************************ SSL arch interface *************************************/
66
67 #ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
68
69 /* mbedtls debug level */
70 #define MBEDTLS_DEBUG_LEVEL 4
71
72 /**
73 * @brief mbedtls debug function
74 */
ssl_platform_debug(void * ctx,int level,const char * file,int line,const char * str)75 static void ssl_platform_debug(void *ctx, int level,
76 const char *file, int line,
77 const char *str)
78 {
79 /* Shorten 'file' from the whole file path to just the filename
80
81 This is a bit wasteful because the macros are compiled in with
82 the full _FILE_ path in each case.
83 */
84 char *file_sep = rindex(file, '/');
85 if(file_sep)
86 file = file_sep + 1;
87
88 SSL_DEBUG(SSL_DEBUG_ON, "%s:%d %s", file, line, str);
89 }
90 #endif
91
mbedtls_bio_send(void * ctx,const unsigned char * buf,size_t len)92 static int mbedtls_bio_send(void *ctx, const unsigned char *buf, size_t len )
93 {
94 BIO *bio = ctx;
95 int written = BIO_write(bio, buf, len);
96 if (written <= 0 && BIO_should_write(bio)) {
97 return MBEDTLS_ERR_SSL_WANT_WRITE;
98 }
99 return written;
100 }
101
mbedtls_bio_recv(void * ctx,unsigned char * buf,size_t len)102 static int mbedtls_bio_recv(void *ctx, unsigned char *buf, size_t len )
103 {
104 BIO *bio = ctx;
105 int read = BIO_read(bio, buf, len);
106 if (read <= 0 && BIO_should_read(bio)) {
107 return MBEDTLS_ERR_SSL_WANT_READ;
108 }
109 return read;
110 }
111
112 static int ssl_pm_reload_crt(SSL *ssl);
113
get_mbedtls_minor_ssl_version(int openssl_version_nr)114 static int get_mbedtls_minor_ssl_version(int openssl_version_nr)
115 {
116 if (TLS1_2_VERSION == openssl_version_nr)
117 return MBEDTLS_SSL_MINOR_VERSION_3;
118 if (TLS1_1_VERSION ==openssl_version_nr)
119 return MBEDTLS_SSL_MINOR_VERSION_2;
120 if (TLS1_VERSION == openssl_version_nr)
121 return MBEDTLS_SSL_MINOR_VERSION_1;
122 // SSLv3.0 otherwise
123 return MBEDTLS_SSL_MINOR_VERSION_0;
124 }
125 /**
126 * @brief create SSL low-level object
127 */
ssl_pm_new(SSL * ssl)128 int ssl_pm_new(SSL *ssl)
129 {
130 struct ssl_pm *ssl_pm;
131 int ret;
132
133 const unsigned char pers[] = "OpenSSL PM";
134 size_t pers_len = sizeof(pers);
135
136 int endpoint;
137
138 const SSL_METHOD *method = ssl->method;
139
140 ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
141 if (!ssl_pm) {
142 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
143 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
144 goto no_mem;
145 }
146
147 max_content_len = ssl->ctx->read_buffer_len;
148
149 mbedtls_net_init(&ssl_pm->fd);
150 mbedtls_net_init(&ssl_pm->cl_fd);
151
152 mbedtls_ssl_config_init(&ssl_pm->conf);
153 mbedtls_ctr_drbg_init(&ssl_pm->ctr_drbg);
154 mbedtls_entropy_init(&ssl_pm->entropy);
155 mbedtls_ssl_init(&ssl_pm->ssl);
156
157 ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
158 if (ret) {
159 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret);
160 OPENSSL_PUT_LIB_ERROR(ERR_LIB_RAND, ret);
161 goto mbedtls_err1;
162 }
163
164 if (method->endpoint) {
165 endpoint = MBEDTLS_SSL_IS_SERVER;
166 } else {
167 endpoint = MBEDTLS_SSL_IS_CLIENT;
168 }
169 ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
170 if (ret) {
171 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
172 OPENSSL_PUT_LIB_ERROR(ERR_LIB_CONF, ret);
173 goto mbedtls_err2;
174 }
175
176 if (TLS_ANY_VERSION != ssl->version) {
177 int min_version = ssl->ctx->min_version ? ssl->ctx->min_version : ssl->version;
178 int max_version = ssl->ctx->max_version ? ssl->ctx->max_version : ssl->version;
179
180 mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, get_mbedtls_minor_ssl_version(max_version));
181 mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, get_mbedtls_minor_ssl_version(min_version));
182 } else {
183 mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
184 mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
185 }
186
187 if (ssl->ctx->ssl_alpn.alpn_status == ALPN_ENABLE) {
188 #ifdef MBEDTLS_SSL_ALPN
189 mbedtls_ssl_conf_alpn_protocols( &ssl_pm->conf, ssl->ctx->ssl_alpn.alpn_list );
190 #else
191 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "CONFIG_MBEDTLS_SSL_ALPN must be enabled to use ALPN", -1);
192 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_FATAL);
193 #endif // MBEDTLS_SSL_ALPN
194 }
195 mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
196
197 #ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
198 mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL);
199 mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
200 #else
201 mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
202 #endif
203
204 ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
205 if (ret) {
206 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
207 OPENSSL_PUT_LIB_ERROR(ERR_LIB_CONF, ret);
208 goto mbedtls_err2;
209 }
210
211 mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
212
213 ssl->ssl_pm = ssl_pm;
214 ret = ssl_pm_reload_crt(ssl);
215 if (ret)
216 return 0;
217
218 return 0;
219
220 mbedtls_err2:
221 mbedtls_ssl_config_free(&ssl_pm->conf);
222 mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
223 mbedtls_err1:
224 mbedtls_entropy_free(&ssl_pm->entropy);
225 ssl_mem_free(ssl_pm);
226 no_mem:
227 return -1;
228 }
229
230 /**
231 * @brief free SSL low-level object
232 */
ssl_pm_free(SSL * ssl)233 void ssl_pm_free(SSL *ssl)
234 {
235 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
236
237 mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
238 mbedtls_entropy_free(&ssl_pm->entropy);
239 mbedtls_ssl_config_free(&ssl_pm->conf);
240 mbedtls_ssl_free(&ssl_pm->ssl);
241
242 ssl_mem_free(ssl_pm);
243 ssl->ssl_pm = NULL;
244 }
245
246 /**
247 * @brief reload SSL low-level certification object
248 */
ssl_pm_reload_crt(SSL * ssl)249 static int ssl_pm_reload_crt(SSL *ssl)
250 {
251 int ret;
252 int mode = MBEDTLS_SSL_VERIFY_UNSET;
253 struct ssl_pm *ssl_pm = ssl->ssl_pm;
254 struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
255
256 struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
257 struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
258
259 /* OpenSSL verification modes outline (see `man SSL_set_verify` for more details)
260 *
261 * | openssl mode | Server | Client |
262 * | SSL_VERIFY_NONE | will not send a client certificate request | server certificate which will be checked |
263 * handshake will be continued regardless |
264 * | SSL_VERIFY_PEER | depends on SSL_VERIFY_FAIL_IF_NO_PEER_CERT | handshake is terminated if verify fails |
265 * (unless anonymous ciphers--not supported |
266 * | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | handshake is terminated if | ignored |
267 * client cert verify fails | |
268 */
269 if (ssl->method->endpoint == MBEDTLS_SSL_IS_SERVER) {
270 if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
271 mode = MBEDTLS_SSL_VERIFY_REQUIRED;
272 else if (ssl->verify_mode & SSL_VERIFY_PEER)
273 mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
274 else if (ssl->verify_mode == SSL_VERIFY_NONE)
275 mode = MBEDTLS_SSL_VERIFY_NONE;
276 } else if (ssl->method->endpoint == MBEDTLS_SSL_IS_CLIENT) {
277 if (ssl->verify_mode & SSL_VERIFY_PEER)
278 mode = MBEDTLS_SSL_VERIFY_REQUIRED;
279 else if (ssl->verify_mode == SSL_VERIFY_NONE)
280 mode = MBEDTLS_SSL_VERIFY_NONE;
281 }
282
283 mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
284
285 if (ca_pm->x509_crt) {
286 mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
287 } else if (ca_pm->ex_crt) {
288 mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
289 }
290
291 if (crt_pm->x509_crt && pkey_pm->pkey) {
292 ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
293 } else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
294 ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
295 } else {
296 ret = 0;
297 }
298
299 if (ret) {
300 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
301 OPENSSL_PUT_LIB_ERROR(ERR_LIB_X509, ret);
302 ret = -1;
303 }
304
305 return ret;
306 }
307
308 /*
309 * Perform the mbedtls SSL handshake instead of mbedtls_ssl_handshake.
310 * We can add debug here.
311 */
mbedtls_handshake(mbedtls_ssl_context * ssl)312 static int mbedtls_handshake( mbedtls_ssl_context *ssl )
313 {
314 int ret = 0;
315
316 while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) {
317 ret = mbedtls_ssl_handshake_step(ssl);
318
319 SSL_DEBUG(SSL_PLATFORM_DEBUG_LEVEL, "ssl ret %d state %d", ret, ssl->state);
320
321 if (ret != 0)
322 break;
323 }
324
325 return ret;
326 }
327
ssl_pm_handshake(SSL * ssl)328 int ssl_pm_handshake(SSL *ssl)
329 {
330 int ret;
331 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
332
333 if (ssl->bio) {
334 // if using BIO, make sure the mode is supported
335 SSL_ASSERT1(ssl->mode & (SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER));
336 mbedtls_ssl_set_bio(&ssl_pm->ssl, ssl->bio, mbedtls_bio_send, mbedtls_bio_recv, NULL);
337 } else {
338 // defaults to SSL_read/write using a file descriptor -- expects default mode
339 SSL_ASSERT1(ssl->mode == 0);
340 }
341
342 ret = ssl_pm_reload_crt(ssl);
343 if (ret)
344 return 0;
345
346 ssl_speed_up_enter();
347
348 while((ret = mbedtls_handshake(&ssl_pm->ssl)) != 0) {
349 if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
350 // exit handshake in case of any other error
351 break;
352 } else if (ssl->bio) {
353 // exit even if wanted read/write if BIO used
354 if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
355 ssl->rwstate = SSL_READING;
356 } else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
357 ssl->rwstate = SSL_WRITING;
358 }
359 return ret;
360 }
361 }
362
363 ssl_speed_up_exit();
364 ssl->rwstate = SSL_NOTHING;
365 if (ret) {
366 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_handshake() return -0x%x", -ret);
367 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
368 ret = 0;
369 } else {
370 struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
371
372 x509_pm->ex_crt = (mbedtls_x509_crt *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl);
373 ret = 1;
374 }
375
376 return ret;
377 }
378
ssl_pm_shutdown(SSL * ssl)379 int ssl_pm_shutdown(SSL *ssl)
380 {
381 int ret;
382 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
383
384 ret = mbedtls_ssl_close_notify(&ssl_pm->ssl);
385 if (ret) {
386 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_close_notify() return -0x%x", -ret);
387 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
388 ret = -1;
389 } else {
390 struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
391
392 x509_pm->ex_crt = NULL;
393 }
394
395 return ret;
396 }
397
ssl_pm_clear(SSL * ssl)398 int ssl_pm_clear(SSL *ssl)
399 {
400 return ssl_pm_shutdown(ssl);
401 }
402
403
ssl_pm_read(SSL * ssl,void * buffer,int len)404 int ssl_pm_read(SSL *ssl, void *buffer, int len)
405 {
406 int ret;
407 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
408
409 ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, len);
410 if (ret < 0) {
411 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret);
412 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
413 ret = -1;
414 }
415
416 return ret;
417 }
418
ssl_pm_send(SSL * ssl,const void * buffer,int len)419 int ssl_pm_send(SSL *ssl, const void *buffer, int len)
420 {
421 int ret;
422 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
423
424 ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
425 if (ret < 0) {
426 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
427 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
428 ret = -1;
429 }
430
431 return ret;
432 }
433
ssl_pm_pending(const SSL * ssl)434 int ssl_pm_pending(const SSL *ssl)
435 {
436 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
437
438 return mbedtls_ssl_get_bytes_avail(&ssl_pm->ssl);
439 }
440
ssl_pm_set_fd(SSL * ssl,int fd,int mode)441 void ssl_pm_set_fd(SSL *ssl, int fd, int mode)
442 {
443 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
444
445 ssl_pm->fd.fd = fd;
446 }
447
ssl_pm_set_hostname(SSL * ssl,const char * hostname)448 void ssl_pm_set_hostname(SSL *ssl, const char *hostname)
449 {
450 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
451
452 mbedtls_ssl_set_hostname(&ssl_pm->ssl, hostname);
453 }
454
ssl_pm_get_fd(const SSL * ssl,int mode)455 int ssl_pm_get_fd(const SSL *ssl, int mode)
456 {
457 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
458
459 return ssl_pm->fd.fd;
460 }
461
ssl_pm_get_state(const SSL * ssl)462 OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl)
463 {
464 OSSL_HANDSHAKE_STATE state;
465
466 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
467
468 switch (ssl_pm->ssl.state)
469 {
470 case MBEDTLS_SSL_CLIENT_HELLO:
471 state = TLS_ST_CW_CLNT_HELLO;
472 break;
473 case MBEDTLS_SSL_SERVER_HELLO:
474 state = TLS_ST_SW_SRVR_HELLO;
475 break;
476 case MBEDTLS_SSL_SERVER_CERTIFICATE:
477 state = TLS_ST_SW_CERT;
478 break;
479 case MBEDTLS_SSL_SERVER_HELLO_DONE:
480 state = TLS_ST_SW_SRVR_DONE;
481 break;
482 case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
483 state = TLS_ST_CW_KEY_EXCH;
484 break;
485 case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
486 state = TLS_ST_CW_CHANGE;
487 break;
488 case MBEDTLS_SSL_CLIENT_FINISHED:
489 state = TLS_ST_CW_FINISHED;
490 break;
491 case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
492 state = TLS_ST_SW_CHANGE;
493 break;
494 case MBEDTLS_SSL_SERVER_FINISHED:
495 state = TLS_ST_SW_FINISHED;
496 break;
497 case MBEDTLS_SSL_CLIENT_CERTIFICATE:
498 state = TLS_ST_CW_CERT;
499 break;
500 case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
501 state = TLS_ST_SR_KEY_EXCH;
502 break;
503 case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
504 state = TLS_ST_SW_SESSION_TICKET;
505 break;
506 case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
507 state = TLS_ST_SW_CERT_REQ;
508 break;
509 case MBEDTLS_SSL_HANDSHAKE_OVER:
510 state = TLS_ST_OK;
511 break;
512 default :
513 state = TLS_ST_BEFORE;
514 break;
515 }
516
517 return state;
518 }
519
x509_pm_show_info(X509 * x)520 int x509_pm_show_info(X509 *x)
521 {
522 int ret;
523 char *buf;
524 mbedtls_x509_crt *x509_crt;
525 struct x509_pm *x509_pm = x->x509_pm;
526
527 if (x509_pm->x509_crt)
528 x509_crt = x509_pm->x509_crt;
529 else if (x509_pm->ex_crt)
530 x509_crt = x509_pm->ex_crt;
531 else
532 x509_crt = NULL;
533
534 if (!x509_crt)
535 return -1;
536
537 buf = ssl_mem_malloc(X509_INFO_STRING_LENGTH);
538 if (!buf) {
539 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (buf)");
540 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
541 goto no_mem;
542 }
543
544 ret = mbedtls_x509_crt_info(buf, X509_INFO_STRING_LENGTH - 1, "", x509_crt);
545 if (ret <= 0) {
546 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_info() return -0x%x", -ret);
547 OPENSSL_PUT_LIB_ERROR(ERR_LIB_X509, ret);
548 goto mbedtls_err1;
549 }
550
551 buf[ret] = 0;
552
553 ssl_mem_free(buf);
554
555 SSL_DEBUG(SSL_DEBUG_ON, "%s", buf);
556
557 return 0;
558
559 mbedtls_err1:
560 ssl_mem_free(buf);
561 no_mem:
562 return -1;
563 }
564
x509_pm_new(X509 * x,X509 * m_x)565 int x509_pm_new(X509 *x, X509 *m_x)
566 {
567 struct x509_pm *x509_pm;
568
569 x509_pm = ssl_mem_zalloc(sizeof(struct x509_pm));
570 if (!x509_pm) {
571 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm)");
572 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
573 goto failed1;
574 }
575
576 x->x509_pm = x509_pm;
577
578 if (m_x) {
579 struct x509_pm *m_x509_pm = (struct x509_pm *)m_x->x509_pm;
580
581 x509_pm->ex_crt = m_x509_pm->x509_crt;
582 }
583
584 return 0;
585
586 failed1:
587 return -1;
588 }
589
x509_pm_free(X509 * x)590 void x509_pm_free(X509 *x)
591 {
592 struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
593
594 if (x509_pm->x509_crt) {
595 mbedtls_x509_crt_free(x509_pm->x509_crt);
596
597 ssl_mem_free(x509_pm->x509_crt);
598 x509_pm->x509_crt = NULL;
599 }
600
601 ssl_mem_free(x->x509_pm);
602 x->x509_pm = NULL;
603 }
604
x509_pm_load(X509 * x,const unsigned char * buffer,int len)605 int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
606 {
607 int ret;
608 unsigned char *load_buf;
609 struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
610
611 if (x509_pm->x509_crt)
612 mbedtls_x509_crt_free(x509_pm->x509_crt);
613
614 if (!x509_pm->x509_crt) {
615 x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
616 if (!x509_pm->x509_crt) {
617 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
618 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
619 goto no_mem;
620 }
621 }
622
623 load_buf = ssl_mem_malloc(len + 1);
624 if (!load_buf) {
625 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
626 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
627 goto failed;
628 }
629
630 ssl_memcpy(load_buf, buffer, len);
631 load_buf[len] = '\0';
632
633 mbedtls_x509_crt_init(x509_pm->x509_crt);
634
635 ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1);
636 ssl_mem_free(load_buf);
637
638 if (ret) {
639 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_parse return -0x%x", -ret);
640 OPENSSL_PUT_LIB_ERROR(ERR_LIB_X509, ret);
641 goto failed;
642 }
643
644 return 0;
645
646 failed:
647 mbedtls_x509_crt_free(x509_pm->x509_crt);
648 ssl_mem_free(x509_pm->x509_crt);
649 x509_pm->x509_crt = NULL;
650 no_mem:
651 return -1;
652 }
653
pkey_pm_new(EVP_PKEY * pk,EVP_PKEY * m_pkey)654 int pkey_pm_new(EVP_PKEY *pk, EVP_PKEY *m_pkey)
655 {
656 struct pkey_pm *pkey_pm;
657
658 pkey_pm = ssl_mem_zalloc(sizeof(struct pkey_pm));
659 if (!pkey_pm)
660 return -1;
661
662 pk->pkey_pm = pkey_pm;
663
664 if (m_pkey) {
665 struct pkey_pm *m_pkey_pm = (struct pkey_pm *)m_pkey->pkey_pm;
666
667 pkey_pm->ex_pkey = m_pkey_pm->pkey;
668 }
669
670 return 0;
671 }
672
pkey_pm_free(EVP_PKEY * pk)673 void pkey_pm_free(EVP_PKEY *pk)
674 {
675 struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
676
677 if (pkey_pm->pkey) {
678 mbedtls_pk_free(pkey_pm->pkey);
679
680 ssl_mem_free(pkey_pm->pkey);
681 pkey_pm->pkey = NULL;
682 }
683
684 ssl_mem_free(pk->pkey_pm);
685 pk->pkey_pm = NULL;
686 }
687
pkey_pm_load(EVP_PKEY * pk,const unsigned char * buffer,int len)688 int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
689 {
690 int ret;
691 unsigned char *load_buf;
692 struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
693
694 if (pkey_pm->pkey)
695 mbedtls_pk_free(pkey_pm->pkey);
696
697 if (!pkey_pm->pkey) {
698 pkey_pm->pkey = ssl_mem_malloc(sizeof(mbedtls_pk_context));
699 if (!pkey_pm->pkey) {
700 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (pkey_pm->pkey)");
701 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
702 goto no_mem;
703 }
704 }
705
706 load_buf = ssl_mem_malloc(len + 1);
707 if (!load_buf) {
708 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
709 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
710 goto failed;
711 }
712
713 ssl_memcpy(load_buf, buffer, len);
714 load_buf[len] = '\0';
715
716 mbedtls_pk_init(pkey_pm->pkey);
717
718 ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len + 1, NULL, 0);
719 ssl_mem_free(load_buf);
720
721 if (ret) {
722 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_pk_parse_key return -0x%x", -ret);
723 OPENSSL_PUT_LIB_ERROR(ERR_LIB_PKCS8, ret);
724 goto failed;
725 }
726
727 return 0;
728
729 failed:
730 mbedtls_pk_free(pkey_pm->pkey);
731 ssl_mem_free(pkey_pm->pkey);
732 pkey_pm->pkey = NULL;
733 no_mem:
734 return -1;
735 }
736
737
738
ssl_pm_set_bufflen(SSL * ssl,int len)739 void ssl_pm_set_bufflen(SSL *ssl, int len)
740 {
741 max_content_len = len;
742 }
743
ssl_pm_get_verify_result(const SSL * ssl)744 long ssl_pm_get_verify_result(const SSL *ssl)
745 {
746 uint32_t ret;
747 long verify_result;
748 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
749
750 ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
751 if (ret) {
752 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return 0x%x", ret);
753 OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
754 verify_result = X509_V_ERR_UNSPECIFIED;
755 } else
756 verify_result = X509_V_OK;
757
758 return verify_result;
759 }
760
761 /**
762 * @brief set expected hostname on peer cert CN
763 */
X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM * param,const char * name,size_t namelen)764 int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
765 const char *name, size_t namelen)
766 {
767 SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param));
768 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
769 char *name_cstr = NULL;
770
771 if (namelen) {
772 name_cstr = malloc(namelen + 1);
773 if (!name_cstr) {
774 return 0;
775 }
776 memcpy(name_cstr, name, namelen);
777 name_cstr[namelen] = '\0';
778 name = name_cstr;
779 }
780
781 mbedtls_ssl_set_hostname(&ssl_pm->ssl, name);
782
783 if (namelen) {
784 free(name_cstr);
785 }
786
787 return 1;
788 }
789
