diff --git a/CMakeLists.txt b/CMakeLists.txt index 2de6b036b..2710960b0 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -1659,6 +1659,15 @@ if (LWS_WITH_MBEDTLS) # not supported in esp-idf openssl wrapper yet, but is in our version set(LWS_HAVE_X509_VERIFY_PARAM_set1_host 1) endif() + + CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_alpn_protocols LWS_HAVE_mbedtls_ssl_conf_alpn_protocols) + CHECK_FUNCTION_EXISTS(mbedtls_ssl_get_alpn_protocol LWS_HAVE_mbedtls_ssl_get_alpn_protocol) + CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_sni LWS_HAVE_mbedtls_ssl_conf_sni) + CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_ca_chain LWS_HAVE_mbedtls_ssl_set_hs_ca_chain) + CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert) + CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode) + CHECK_FUNCTION_EXISTS(mbedtls_net_init LWS_HAVE_mbedtls_net_init) + else() CHECK_FUNCTION_EXISTS(TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD) CHECK_FUNCTION_EXISTS(TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD) diff --git a/cmake/lws_config.h.in b/cmake/lws_config.h.in index 7c6cc5240..255bdf447 100644 --- a/cmake/lws_config.h.in +++ b/cmake/lws_config.h.in @@ -29,6 +29,13 @@ #cmakedefine LWS_HAVE_EVP_aes_128_wrap #cmakedefine LWS_HAVE_LIBCAP #cmakedefine LWS_HAVE_MALLOC_H +#cmakedefine LWS_HAVE_mbedtls_net_init +#cmakedefine LWS_HAVE_mbedtls_ssl_conf_alpn_protocols +#cmakedefine LWS_HAVE_mbedtls_ssl_get_alpn_protocol +#cmakedefine LWS_HAVE_mbedtls_ssl_conf_sni +#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_ca_chain +#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_own_cert +#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_authmode #cmakedefine LWS_HAVE_NEW_UV_VERSION_H #cmakedefine LWS_HAVE_OPENSSL_ECDH_H #cmakedefine LWS_HAVE_PIPE2 diff --git a/lib/core/output.c b/lib/core/output.c index b2de11916..64344407e 100644 --- a/lib/core/output.c +++ b/lib/core/output.c @@ -284,6 +284,7 @@ LWS_VISIBLE int lws_ssl_capable_write_no_ssl(struct lws *wsi, unsigned char *buf, int len) { int n = 0; + ssize_t send(int sockfd, const void *buf, size_t len, int flags); if (lws_wsi_is_udp(wsi)) { #if !defined(LWS_WITH_ESP32) && !defined(LWS_PLAT_OPTEE) diff --git a/lib/tls/mbedtls/wrapper/include/openssl/ssl.h b/lib/tls/mbedtls/wrapper/include/openssl/ssl.h index aa585d006..9427283a3 100755 --- a/lib/tls/mbedtls/wrapper/include/openssl/ssl.h +++ b/lib/tls/mbedtls/wrapper/include/openssl/ssl.h @@ -312,13 +312,7 @@ const SSL_METHOD* TLS_server_method(void); * * @return none */ -void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, - int (*cb) (SSL *ssl, - const unsigned char **out, - unsigned char *outlen, - const unsigned char *in, - unsigned int inlen, - void *arg), +void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb, void *arg); void SSL_set_alpn_select_cb(SSL *ssl, void *arg); @@ -1172,7 +1166,7 @@ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx); * * @return data point */ -char *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx); +void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx); /** * @brief get the SSL context quiet shutdown option @@ -1748,7 +1742,7 @@ void SSL_set_shutdown(SSL *ssl, int mode); * * @return session time */ -void SSL_set_time(SSL *ssl, long t); +long SSL_set_time(SSL *ssl, long t); /** * @brief set SSL session timeout time @@ -1758,7 +1752,7 @@ void SSL_set_time(SSL *ssl, long t); * * @return session timeout time */ -void SSL_set_timeout(SSL *ssl, long t); +long SSL_set_timeout(SSL *ssl, long t); /** * @brief get SSL statement string diff --git a/lib/tls/mbedtls/wrapper/library/ssl_lib.c b/lib/tls/mbedtls/wrapper/library/ssl_lib.c index 2f688ca9e..6d3e165f3 100644 --- a/lib/tls/mbedtls/wrapper/library/ssl_lib.c +++ b/lib/tls/mbedtls/wrapper/library/ssl_lib.c @@ -19,6 +19,8 @@ #include "ssl_dbg.h" #include "ssl_port.h" +#include "core/private.h" + char * lws_strncpy(char *dest, const char *src, size_t size); @@ -1647,10 +1649,6 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx) * So accept the OpenSSL style and convert to mbedtls style */ -struct alpn_ctx { - unsigned char data[23]; - unsigned char len; -}; static void _openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos) diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c index 4716c1ff5..37a53d2fc 100755 --- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c +++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c @@ -25,7 +25,7 @@ #include "mbedtls/error.h" #include "mbedtls/certs.h" -#include +#include "core/private.h" #define X509_INFO_STRING_LENGTH 8192 @@ -131,8 +131,8 @@ int ssl_pm_new(SSL *ssl) ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len); if (ret) { - SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret); - goto mbedtls_err1; + lwsl_notice("%s: mbedtls_ctr_drbg_seed() return -0x%x", __func__, -ret); + //goto mbedtls_err1; } if (method->endpoint) { @@ -142,6 +142,7 @@ int ssl_pm_new(SSL *ssl) } ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); if (ret) { + lwsl_err("%s: mbedtls_ssl_config_defaults() return -0x%x", __func__, -ret); SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret); goto mbedtls_err2; } @@ -174,6 +175,8 @@ int ssl_pm_new(SSL *ssl) ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf); if (ret) { + lwsl_err("%s: mbedtls_ssl_setup() return -0x%x", __func__, -ret); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret); goto mbedtls_err2; } @@ -187,7 +190,7 @@ int ssl_pm_new(SSL *ssl) mbedtls_err2: mbedtls_ssl_config_free(&ssl_pm->conf); mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg); -mbedtls_err1: +//mbedtls_err1: mbedtls_entropy_free(&ssl_pm->entropy); ssl_mem_free(ssl_pm); no_mem: @@ -329,7 +332,7 @@ int ssl_pm_handshake(SSL *ssl) return 0; } - printf("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret); + lwsl_info("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret); /* it's had it */ @@ -829,6 +832,7 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, void _ssl_set_alpn_list(const SSL *ssl) { +#if defined(LWS_HAVE_mbedtls_ssl_conf_alpn_protocols) if (ssl->alpn_protos) { if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos)) fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n"); @@ -839,11 +843,13 @@ void _ssl_set_alpn_list(const SSL *ssl) return; if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos)) fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n"); +#endif } void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, unsigned int *len) { +#if defined(LWS_HAVE_mbedtls_ssl_get_alpn_protocol) const char *alp = mbedtls_ssl_get_alpn_protocol(&((struct ssl_pm *)(ssl->ssl_pm))->ssl); *data = (const unsigned char *)alp; @@ -851,15 +857,17 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, *len = strlen(alp); else *len = 0; +#endif } int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), void *param) { +#if defined(LWS_HAVE_mbedtls_ssl_conf_sni) struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; mbedtls_ssl_conf_sni(&ssl_pm->conf, cb, param); - +#endif return 0; } @@ -874,18 +882,20 @@ SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc) void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { +#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode) struct ssl_pm *ssl_pm = ssl->ssl_pm; struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm; struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm; - struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm; int mode; +#endif if (ssl->cert) ssl_cert_free(ssl->cert); ssl->ctx = ctx; ssl->cert = __ssl_cert_new(ctx->cert); +#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode) if (ctx->verify_mode == SSL_VERIFY_PEER) mode = MBEDTLS_SSL_VERIFY_OPTIONAL; else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT) @@ -894,14 +904,20 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) mode = MBEDTLS_SSL_VERIFY_UNSET; else mode = MBEDTLS_SSL_VERIFY_NONE; +#endif // printf("ssl: %p, client ca x509_crt %p, mbedtls mode %d\n", ssl, x509_pm_ca->x509_crt, mode); /* apply new ctx cert to ssl */ ssl->verify_mode = ctx->verify_mode; - +#if defined(LWS_HAVE_mbedtls_ssl_set_hs_ca_chain) mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL); +#endif +#if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert) mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, pkey_pm->pkey); +#endif +#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode) mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode); +#endif } diff --git a/lib/tls/mbedtls/x509.c b/lib/tls/mbedtls/x509.c index 70faf1253..0c56862ff 100644 --- a/lib/tls/mbedtls/x509.c +++ b/lib/tls/mbedtls/x509.c @@ -23,6 +23,13 @@ #include "tls/mbedtls/private.h" #include +#if defined(LWS_PLAT_OPTEE) +time_t mktime(struct tm *t) +{ + return (time_t)0; +} +#endif + static time_t lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime) { diff --git a/lib/tls/openssl/openssl-client.c b/lib/tls/openssl/openssl-client.c index 4feeae8c1..26db7a868 100644 --- a/lib/tls/openssl/openssl-client.c +++ b/lib/tls/openssl/openssl-client.c @@ -498,7 +498,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh, n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx, cert_mem_len, cert_mem); if (n < 1) { - lwsl_err("%s: problem interpreting client cert '%s'\n", + lwsl_err("%s: problem interpreting client cert\n", __func__); lws_tls_err_describe(); return 1;