1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00

mbedtls: Add mbedTLS backend support

This commit is contained in:
Juraj Vijtiuk 2017-08-28 20:22:20 +08:00 committed by Andy Green
parent 77a71e94d1
commit 41909eac97
15 changed files with 186 additions and 76 deletions

View file

@ -170,7 +170,6 @@ endif()
if (LWS_WITH_ESP32)
set(LWS_WITH_SHARED OFF)
set(LWS_WITH_SSL ON)
set(LWS_USE_MBEDTLS ON)
# set(LWS_WITHOUT_CLIENT ON)
set(LWS_WITHOUT_TESTAPPS ON)
@ -595,22 +594,35 @@ if (NOT LWS_WITHOUT_CLIENT)
lib/client-parser.c)
endif()
if (LWS_WITH_SSL)
list(APPEND SOURCES
lib/ssl.c)
if (NOT LWS_WITHOUT_SERVER)
list(APPEND SOURCES
lib/ssl-server.c)
endif()
if (NOT LWS_WITHOUT_CLIENT)
list(APPEND SOURCES
lib/ssl-client.c)
endif()
endif()
if (LWS_USE_MBEDTLS)
set(LWS_WITH_SSL ON)
list(APPEND HDR_PRIVATE
lib/mbedtls_wrapper/include/internal/ssl3.h
lib/mbedtls_wrapper/include/internal/ssl_cert.h
lib/mbedtls_wrapper/include/internal/ssl_code.h
lib/mbedtls_wrapper/include/internal/ssl_dbg.h
lib/mbedtls_wrapper/include/internal/ssl_lib.h
lib/mbedtls_wrapper/include/internal/ssl_methods.h
lib/mbedtls_wrapper/include/internal/ssl_pkey.h
lib/mbedtls_wrapper/include/internal/ssl_stack.h
lib/mbedtls_wrapper/include/internal/ssl_types.h
lib/mbedtls_wrapper/include/internal/ssl_x509.h
lib/mbedtls_wrapper/include/internal/tls1.h
lib/mbedtls_wrapper/include/internal/x509_vfy.h)
list(APPEND HDR_PRIVATE
lib/mbedtls_wrapper/include/openssl/ssl.h)
list(APPEND HDR_PRIVATE
lib/mbedtls_wrapper/include/platform/ssl_pm.h
lib/mbedtls_wrapper/include/platform/ssl_port.h)
include_directories(lib/mbedtls_wrapper/include)
include_directories(lib/mbedtls_wrapper/include/platform)
include_directories(lib/mbedtls_wrapper/include/internal)
include_directories(lib/mbedtls_wrapper/include/openssl)
if (LWS_WITH_MBEDTLS)
# list(APPEND HDR_PRIVATE)
list(APPEND SOURCES
lib/mbedtls_wrapper/library/ssl_cert.c
lib/mbedtls_wrapper/library/ssl_lib.c
@ -624,6 +636,19 @@ if (LWS_WITH_MBEDTLS)
lib/mbedtls_wrapper/platform/ssl_port.c)
endif()
if (LWS_WITH_SSL)
list(APPEND SOURCES
lib/ssl.c)
if (NOT LWS_WITHOUT_SERVER)
list(APPEND SOURCES
lib/ssl-server.c)
endif()
if (NOT LWS_WITHOUT_CLIENT)
list(APPEND SOURCES
lib/ssl-client.c)
endif()
endif()
if (NOT LWS_WITHOUT_BUILTIN_SHA1)
list(APPEND SOURCES
@ -1087,7 +1112,7 @@ set(CMAKE_REQUIRED_LIBRARIES ${LIB_LIST})
CHECK_FUNCTION_EXISTS(SSL_CTX_set1_param LWS_HAVE_SSL_CTX_set1_param)
CHECK_FUNCTION_EXISTS(SSL_set_info_callback LWS_HAVE_SSL_SET_INFO_CALLBACK)
CHECK_FUNCTION_EXISTS(X509_VERIFY_PARAM_set1_host LWS_HAVE_X509_VERIFY_PARAM_set1_host)
if (LWS_WITH_ESP32)
if (LWS_USE_MBEDTLS)
set(LWS_HAVE_TLS_CLIENT_METHOD 1)
else()
CHECK_FUNCTION_EXISTS(TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD)

View file

@ -204,7 +204,7 @@ typedef unsigned long long lws_intptr_t;
#endif /* not USE_OLD_CYASSL */
#else
#include <openssl/ssl.h>
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
#include <openssl/err.h>
#endif
#endif /* not USE_WOLFSSL */

View file

@ -15,7 +15,6 @@
#ifndef _SSL_DEBUG_H_
#define _SSL_DEBUG_H_
#include "platform/ssl_opt.h"
#include "platform/ssl_port.h"
#ifdef __cplusplus

View file

@ -101,6 +101,8 @@ int SSL_add_client_CA(SSL *ssl, X509 *x);
*/
int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d);
const char *X509_verify_cert_error_string(long n);
#ifdef __cplusplus
}
#endif

View file

@ -104,6 +104,11 @@
#define X509_V_ERR_PROXY_SUBJECT_NAME_VIOLATION 72
typedef void X509_STORE_CTX;
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx);
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx);
#ifdef __cplusplus
}
#endif

View file

@ -19,6 +19,7 @@
extern "C" {
#endif
#include <stdlib.h>
#include "internal/ssl_x509.h"
#include "internal/ssl_pkey.h"
@ -26,6 +27,7 @@
{
*/
#define SSL_CB_ALERT 0x4000
/**
* @brief create a SSL context
*

View file

@ -1,20 +0,0 @@
// Copyright 2015-2016 Espressif Systems (Shanghai) PTE LTD
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
#ifndef _SSL_OPT_H_
#define _SSL_OPT_H_
#include "sdkconfig.h"
#endif

View file

@ -19,8 +19,10 @@
extern "C" {
#endif
/*
#include "esp_types.h"
#include "esp_log.h"
*/
#include "string.h"
#include "malloc.h"

View file

@ -1554,3 +1554,26 @@ void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_C
ssl->verify_mode = mode;
ssl->verify_callback = verify_callback;
}
void ERR_error_string_n(unsigned long e, char *buf, size_t len)
{
strncpy(buf, "unknown", len);
}
void ERR_free_strings(void)
{
}
char *ERR_error_string(unsigned long e, char *buf)
{
if (buf) {
strcpy(buf, "unknown");
}
return "unknown";
}
void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
{
return NULL;
}

View file

@ -283,3 +283,17 @@ X509 *SSL_get_peer_certificate(const SSL *ssl)
return ssl->session->peer;
}
int X509_STORE_CTX_get_error(X509_STORE_CTX *ctx)
{
return X509_V_ERR_UNSPECIFIED;
}
int X509_STORE_CTX_get_error_depth(X509_STORE_CTX *ctx)
{
return 0;
}
const char *X509_verify_cert_error_string(long n)
{
return "unknown";
}

View file

@ -18,7 +18,7 @@
/* mbedtls include */
#include "mbedtls/platform.h"
#include "mbedtls/net.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/debug.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"

View file

@ -274,7 +274,7 @@ lws_plat_get_peer_simple(struct lws *wsi, char *name, int namelen);
#endif /* not USE_OLD_CYASSL */
#else
#include <openssl/ssl.h>
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/md5.h>

View file

@ -35,7 +35,7 @@ extern int lws_ssl_get_error(struct lws *wsi, int n);
static int
OpenSSL_client_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
// long gvr = ssl_pm_get_verify_result(
lwsl_notice("%s\n", __func__);
@ -149,14 +149,14 @@ lws_ssl_client_bio_create(struct lws *wsi)
#endif
#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
#if !defined(USE_WOLFSSL) && !defined(LWS_USE_MBEDTLS)
#ifndef USE_OLD_CYASSL
/* OpenSSL_client_verify_callback will be called @ SSL_connect() */
SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
#endif
#endif
#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
#if !defined(USE_WOLFSSL) && !defined(LWS_USE_MBEDTLS)
SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
#endif
/*
@ -174,7 +174,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
#endif
#endif
#else
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
// esp-idf openssl shim does not seem ready for this
// SSL_set_verify(wsi->ssl, SSL_VERIFY_PEER, OpenSSL_client_verify_callback);
SSL_set_verify(wsi->ssl, SSL_VERIFY_NONE, OpenSSL_client_verify_callback);
@ -203,7 +203,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
#endif
#endif /* USE_WOLFSSL */
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
wsi->client_bio = BIO_new_socket(wsi->desc.sockfd, BIO_NOCLOSE);
SSL_set_bio(wsi->ssl, wsi->client_bio, wsi->client_bio);
#else
@ -217,12 +217,12 @@ lws_ssl_client_bio_create(struct lws *wsi)
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
BIO_set_nbio(wsi->client_bio, 1); /* nonblocking */
#endif
#endif
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
SSL_set_ex_data(wsi->ssl, openssl_websocket_private_data_index,
wsi);
#endif
@ -230,7 +230,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
return 0;
}
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
int ERR_get_error(void)
{
return 0;
@ -377,7 +377,7 @@ lws_ssl_client_connect2(struct lws *wsi)
}
}
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
{
X509 *peer = SSL_get_peer_certificate(wsi->ssl);
@ -434,7 +434,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
SSL_METHOD *method = NULL;
struct lws wsi;
unsigned long error;
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
const char *cipher_list = info->ssl_cipher_list;
const char *ca_filepath = info->ssl_ca_filepath;
const char *private_key_filepath = info->ssl_private_key_filepath;
@ -502,7 +502,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
SSL_CTX_set_options(vhost->ssl_client_ctx, SSL_OP_NO_COMPRESSION);
#endif
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
SSL_CTX_set_options(vhost->ssl_client_ctx,
SSL_OP_CIPHER_SERVER_PREFERENCE);
@ -541,7 +541,7 @@ int lws_context_init_client_ssl(struct lws_context_creation_info *info,
* callback allowing user code to load extra verification certs
* helping the client to verify server identity
*/
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
/* support for client-side certificate authentication */
if (cert_filepath) {

View file

@ -27,7 +27,7 @@ extern int openssl_websocket_private_data_index,
extern void
lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, struct lws_context_creation_info *info);
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
static int
OpenSSL_verify_callback(int preverify_ok, X509_STORE_CTX *x509_ctx)
{
@ -130,7 +130,7 @@ lws_context_ssl_init_ecdh_curve(struct lws_context_creation_info *info,
lwsl_notice(" SSL ECDH curve '%s'\n", ecdh_curve);
#else
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
lwsl_notice(" OpenSSL doesn't support ECDH\n");
#endif
#endif
@ -230,7 +230,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
* versions", compared to e.g. TLSv1_2_server_method() which only allows
* tlsv1.2. Unwanted versions must be disabled using SSL_CTX_set_options()
*/
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
{
SSL_METHOD *method;
@ -263,7 +263,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
}
#endif
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
/* associate the lws context with the SSL_CTX */
@ -292,7 +292,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
verify_options |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
SSL_CTX_set_session_id_context(vhost->ssl_ctx,
(unsigned char *)context, sizeof(void *));
@ -312,7 +312,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
* give user code a chance to load certs into the server
* allowing it to verify incoming client certs
*/
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
if (info->ssl_ca_filepath &&
!SSL_CTX_load_verify_locations(vhost->ssl_ctx,
info->ssl_ca_filepath, NULL)) {
@ -346,7 +346,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
if (vhost->use_ssl) {
/* openssl init for server sockets */
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
/* set the local certificate from CertFile */
n = SSL_CTX_use_certificate_chain_file(vhost->ssl_ctx,
info->ssl_cert_filepath);
@ -377,6 +377,10 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
lwsl_err("Problem loading cert\n");
return 1;
}
#if !defined(LWS_WITH_ESP32)
free(p);
p = NULL;
#endif
if (alloc_pem_to_der_file(vhost->context,
info->ssl_private_key_filepath, &p, &flen)) {
@ -392,10 +396,13 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
return 1;
}
// free(p);
#if !defined(LWS_WITH_ESP32)
free(p);
p = NULL;
#endif
#endif
if (info->ssl_private_key_filepath != NULL) {
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
/* set the private key from KeyFile */
if (SSL_CTX_use_PrivateKey_file(vhost->ssl_ctx,
info->ssl_private_key_filepath,
@ -416,7 +423,7 @@ lws_context_init_server_ssl(struct lws_context_creation_info *info,
return 1;
}
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
/* verify private key */
if (!SSL_CTX_check_private_key(vhost->ssl_ctx)) {
lwsl_err("Private SSL key doesn't match cert\n");

View file

@ -54,6 +54,7 @@ bail:
return ret;
}
#if defined(LWS_USE_MBEDTLS)
#if defined(LWS_WITH_ESP32)
int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
lws_filepos_t *amount)
@ -85,6 +86,56 @@ bail:
return n;
}
#else
int alloc_file(struct lws_context *context, const char *filename, uint8_t **buf,
lws_filepos_t *amount)
{
FILE *f;
size_t s;
int n = 0;
f =fopen(filename, "rb");
if (f == NULL) {
n = 1;
goto bail;
}
if (fseek(f, 0, SEEK_END) != 0) {
n = 1;
goto bail;
}
s = ftell(f);
if (s == -1) {
n = 1;
goto bail;
}
if (fseek(f, 0, SEEK_SET) != 0) {
n = 1;
goto bail;
}
*buf = malloc(s);
if (!*buf) {
n = 2;
goto bail;
}
if (fread(*buf, s, 1, f) != 1) {
free(*buf);
n = 1;
goto bail;
}
*amount = s;
bail:
fclose(f);
return n;
}
#endif
int alloc_pem_to_der_file(struct lws_context *context, const char *filename, uint8_t **buf,
lws_filepos_t *amount)
{
@ -199,7 +250,7 @@ char* lws_ssl_get_error_string(int status, int ret, char *buf, size_t len) {
void
lws_ssl_elaborate_error(void)
{
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
#else
char buf[256];
u_long err;
@ -211,7 +262,7 @@ lws_ssl_elaborate_error(void)
#endif
}
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
static int
lws_context_init_ssl_pem_passwd_cb(char * buf, int size, int rwflag, void *userdata)
@ -265,7 +316,7 @@ lws_context_init_ssl_library(struct lws_context_creation_info *info)
lwsl_notice("Doing SSL library init\n");
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
SSL_library_init();
OpenSSL_add_all_algorithms();
SSL_load_error_strings();
@ -291,7 +342,7 @@ lws_ssl_destroy(struct lws_vhost *vhost)
SSL_CTX_free(vhost->ssl_ctx);
if (!vhost->user_supplied_ssl_ctx && vhost->ssl_client_ctx)
SSL_CTX_free(vhost->ssl_client_ctx);
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
// after 1.1.0 no need
#if (OPENSSL_VERSION_NUMBER < 0x10100000)
@ -352,7 +403,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
int n = 0;
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
int ssl_read_errno = 0;
#endif
@ -388,7 +439,7 @@ lws_ssl_capable_read(struct lws *wsi, unsigned char *buf, int len)
return LWS_SSL_CAPABLE_ERROR;
if (n == SSL_ERROR_SYSCALL) {
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
int err = ERR_get_error();
if (err == 0 && (ssl_read_errno == EPIPE ||
ssl_read_errno == ECONNABORTED ||
@ -483,7 +534,7 @@ LWS_VISIBLE int
lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
{
int n;
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
int ssl_read_errno = 0;
#endif
@ -506,7 +557,7 @@ lws_ssl_capable_write(struct lws *wsi, unsigned char *buf, int len)
if (n == SSL_ERROR_ZERO_RETURN)
return LWS_SSL_CAPABLE_ERROR;
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
if (n == SSL_ERROR_SYSCALL) {
int err = ERR_get_error();
@ -618,7 +669,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
struct lws_context *context = wsi->context;
struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
int n, m;
#if !defined(USE_WOLFSSL) && !defined(LWS_WITH_ESP32)
#if !defined(USE_WOLFSSL) && !defined(LWS_USE_MBEDTLS)
BIO *bio;
#endif
char buf[256];
@ -661,7 +712,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
context->updated = 1;
#endif
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
SSL_set_ex_data(wsi->ssl,
openssl_websocket_private_data_index, wsi);
#endif
@ -674,7 +725,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
wolfSSL_set_using_nonblock(wsi->ssl, 1);
#endif
#else
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
lws_plat_set_socket_options(wsi->vhost, accept_fd);
#else
SSL_set_mode(wsi->ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
@ -791,7 +842,7 @@ lws_server_socket_service_ssl(struct lws *wsi, lws_sockfd_type accept_fd)
m = lws_ssl_get_error(wsi, n);
#if defined(LWS_WITH_ESP32)
#if defined(LWS_USE_MBEDTLS)
if (m == 5 && errno == 11)
m = SSL_ERROR_WANT_READ;
#endif
@ -864,7 +915,7 @@ void
lws_ssl_context_destroy(struct lws_context *context)
{
#if !defined(LWS_WITH_ESP32)
#if !defined(LWS_USE_MBEDTLS)
// after 1.1.0 no need
#if (OPENSSL_VERSION_NUMBER < 0x10100000)