Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-30 00:00:16 +01:00
Code Issues Releases Wiki Activity

mbedtls: finer-grained enable checks and OP-TEE

Browse source
This commit is contained in:
Andy Green 2019-01-11 13:14:32 +08:00
parent 4608dfc581
commit ad9c99a6d3
8 changed files with 55 additions and 23 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
CMakeLists.txt
View file

@ -1659,6 +1659,15 @@ if (LWS_WITH_MBEDTLS)
# not supported in esp-idf openssl wrapper yet, but is in our version # not supported in esp-idf openssl wrapper yet, but is in our version
set(LWS_HAVE_X509_VERIFY_PARAM_set1_host 1) set(LWS_HAVE_X509_VERIFY_PARAM_set1_host 1)
endif() endif()
CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_alpn_protocols LWS_HAVE_mbedtls_ssl_conf_alpn_protocols)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_get_alpn_protocol LWS_HAVE_mbedtls_ssl_get_alpn_protocol)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_sni LWS_HAVE_mbedtls_ssl_conf_sni)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_ca_chain LWS_HAVE_mbedtls_ssl_set_hs_ca_chain)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode)
CHECK_FUNCTION_EXISTS(mbedtls_net_init LWS_HAVE_mbedtls_net_init)
else() else()
CHECK_FUNCTION_EXISTS(TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD) CHECK_FUNCTION_EXISTS(TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD)
CHECK_FUNCTION_EXISTS(TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD) CHECK_FUNCTION_EXISTS(TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD)

7
cmake/lws_config.h.in
View file

@ -29,6 +29,13 @@
#cmakedefine LWS_HAVE_EVP_aes_128_wrap #cmakedefine LWS_HAVE_EVP_aes_128_wrap
#cmakedefine LWS_HAVE_LIBCAP #cmakedefine LWS_HAVE_LIBCAP
#cmakedefine LWS_HAVE_MALLOC_H #cmakedefine LWS_HAVE_MALLOC_H
#cmakedefine LWS_HAVE_mbedtls_net_init
#cmakedefine LWS_HAVE_mbedtls_ssl_conf_alpn_protocols
#cmakedefine LWS_HAVE_mbedtls_ssl_get_alpn_protocol
#cmakedefine LWS_HAVE_mbedtls_ssl_conf_sni
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_ca_chain
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_own_cert
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_authmode
#cmakedefine LWS_HAVE_NEW_UV_VERSION_H #cmakedefine LWS_HAVE_NEW_UV_VERSION_H
#cmakedefine LWS_HAVE_OPENSSL_ECDH_H #cmakedefine LWS_HAVE_OPENSSL_ECDH_H
#cmakedefine LWS_HAVE_PIPE2 #cmakedefine LWS_HAVE_PIPE2

1
lib/core/output.c
View file

@ -284,6 +284,7 @@ LWS_VISIBLE int
lws_ssl_capable_write_no_ssl(struct lws *wsi, unsigned char *buf, int len) lws_ssl_capable_write_no_ssl(struct lws *wsi, unsigned char *buf, int len)
{ {
int n = 0; int n = 0;
ssize_t send(int sockfd, const void *buf, size_t len, int flags);
if (lws_wsi_is_udp(wsi)) { if (lws_wsi_is_udp(wsi)) {
#if !defined(LWS_WITH_ESP32) && !defined(LWS_PLAT_OPTEE) #if !defined(LWS_WITH_ESP32) && !defined(LWS_PLAT_OPTEE)

14
lib/tls/mbedtls/wrapper/include/openssl/ssl.h
View file

@ -312,13 +312,7 @@ const SSL_METHOD* TLS_server_method(void);
* *
* @return none * @return none
*/ */
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb,
int (*cb) (SSL *ssl,
const unsigned char **out,
unsigned char *outlen,
const unsigned char *in,
unsigned int inlen,
void *arg),
void *arg); void *arg);
void SSL_set_alpn_select_cb(SSL *ssl, void *arg); void SSL_set_alpn_select_cb(SSL *ssl, void *arg);
@ -1172,7 +1166,7 @@ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
* *
* @return data point * @return data point
*/ */
char *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx); void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
/** /**
* @brief get the SSL context quiet shutdown option * @brief get the SSL context quiet shutdown option
@ -1748,7 +1742,7 @@ void SSL_set_shutdown(SSL *ssl, int mode);
* *
* @return session time * @return session time
*/ */
void SSL_set_time(SSL *ssl, long t); long SSL_set_time(SSL *ssl, long t);
/** /**
* @brief set SSL session timeout time * @brief set SSL session timeout time
@ -1758,7 +1752,7 @@ void SSL_set_time(SSL *ssl, long t);
* *
* @return session timeout time * @return session timeout time
*/ */
void SSL_set_timeout(SSL *ssl, long t); long SSL_set_timeout(SSL *ssl, long t);
/** /**
* @brief get SSL statement string * @brief get SSL statement string

6
lib/tls/mbedtls/wrapper/library/ssl_lib.c
View file

@ -19,6 +19,8 @@
#include "ssl_dbg.h" #include "ssl_dbg.h"
#include "ssl_port.h" #include "ssl_port.h"
#include "core/private.h"
char * char *
lws_strncpy(char *dest, const char *src, size_t size); lws_strncpy(char *dest, const char *src, size_t size);
@ -1647,10 +1649,6 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
* So accept the OpenSSL style and convert to mbedtls style * So accept the OpenSSL style and convert to mbedtls style
*/ */
struct alpn_ctx {
unsigned char data[23];
unsigned char len;
};
static void static void
_openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos) _openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos)

32
lib/tls/mbedtls/wrapper/platform/ssl_pm.c
View file

@ -25,7 +25,7 @@
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/certs.h" #include "mbedtls/certs.h"
#include <libwebsockets.h> #include "core/private.h"
#define X509_INFO_STRING_LENGTH 8192 #define X509_INFO_STRING_LENGTH 8192
@ -131,8 +131,8 @@ int ssl_pm_new(SSL *ssl)
ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len); ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
if (ret) { if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret); lwsl_notice("%s: mbedtls_ctr_drbg_seed() return -0x%x", __func__, -ret);
goto mbedtls_err1; //goto mbedtls_err1;
} }
if (method->endpoint) { if (method->endpoint) {
@ -142,6 +142,7 @@ int ssl_pm_new(SSL *ssl)
} }
ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret) { if (ret) {
lwsl_err("%s: mbedtls_ssl_config_defaults() return -0x%x", __func__, -ret);
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret); SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
goto mbedtls_err2; goto mbedtls_err2;
} }
@ -174,6 +175,8 @@ int ssl_pm_new(SSL *ssl)
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf); ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
if (ret) { if (ret) {
lwsl_err("%s: mbedtls_ssl_setup() return -0x%x", __func__, -ret);
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret); SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
goto mbedtls_err2; goto mbedtls_err2;
} }
@ -187,7 +190,7 @@ int ssl_pm_new(SSL *ssl)
mbedtls_err2: mbedtls_err2:
mbedtls_ssl_config_free(&ssl_pm->conf); mbedtls_ssl_config_free(&ssl_pm->conf);
mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg); mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
mbedtls_err1: //mbedtls_err1:
mbedtls_entropy_free(&ssl_pm->entropy); mbedtls_entropy_free(&ssl_pm->entropy);
ssl_mem_free(ssl_pm); ssl_mem_free(ssl_pm);
no_mem: no_mem:
@ -329,7 +332,7 @@ int ssl_pm_handshake(SSL *ssl)
return 0; return 0;
} }
printf("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret); lwsl_info("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret);
/* it's had it */ /* it's had it */
@ -829,6 +832,7 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
void _ssl_set_alpn_list(const SSL *ssl) void _ssl_set_alpn_list(const SSL *ssl)
{ {
#if defined(LWS_HAVE_mbedtls_ssl_conf_alpn_protocols)
if (ssl->alpn_protos) { if (ssl->alpn_protos) {
if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos)) if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos))
fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n"); fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
@ -839,11 +843,13 @@ void _ssl_set_alpn_list(const SSL *ssl)
return; return;
if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos)) if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos))
fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n"); fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
#endif
} }
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
unsigned int *len) unsigned int *len)
{ {
#if defined(LWS_HAVE_mbedtls_ssl_get_alpn_protocol)
const char *alp = mbedtls_ssl_get_alpn_protocol(&((struct ssl_pm *)(ssl->ssl_pm))->ssl); const char *alp = mbedtls_ssl_get_alpn_protocol(&((struct ssl_pm *)(ssl->ssl_pm))->ssl);
*data = (const unsigned char *)alp; *data = (const unsigned char *)alp;
@ -851,15 +857,17 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
*len = strlen(alp); *len = strlen(alp);
else else
*len = 0; *len = 0;
#endif
} }
int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *, int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *,
const unsigned char *, size_t), void *param) const unsigned char *, size_t), void *param)
{ {
#if defined(LWS_HAVE_mbedtls_ssl_conf_sni)
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
mbedtls_ssl_conf_sni(&ssl_pm->conf, cb, param); mbedtls_ssl_conf_sni(&ssl_pm->conf, cb, param);
#endif
return 0; return 0;
} }
@ -874,18 +882,20 @@ SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc)
void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
{ {
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
struct ssl_pm *ssl_pm = ssl->ssl_pm; struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm; struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm; struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm;
struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm; struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
int mode; int mode;
#endif
if (ssl->cert) if (ssl->cert)
ssl_cert_free(ssl->cert); ssl_cert_free(ssl->cert);
ssl->ctx = ctx; ssl->ctx = ctx;
ssl->cert = __ssl_cert_new(ctx->cert); ssl->cert = __ssl_cert_new(ctx->cert);
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
if (ctx->verify_mode == SSL_VERIFY_PEER) if (ctx->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL; mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT) else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
@ -894,14 +904,20 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
mode = MBEDTLS_SSL_VERIFY_UNSET; mode = MBEDTLS_SSL_VERIFY_UNSET;
else else
mode = MBEDTLS_SSL_VERIFY_NONE; mode = MBEDTLS_SSL_VERIFY_NONE;
#endif
// printf("ssl: %p, client ca x509_crt %p, mbedtls mode %d\n", ssl, x509_pm_ca->x509_crt, mode); // printf("ssl: %p, client ca x509_crt %p, mbedtls mode %d\n", ssl, x509_pm_ca->x509_crt, mode);
/* apply new ctx cert to ssl */ /* apply new ctx cert to ssl */
ssl->verify_mode = ctx->verify_mode; ssl->verify_mode = ctx->verify_mode;
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_ca_chain)
mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL); mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL);
#endif
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, pkey_pm->pkey); mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, pkey_pm->pkey);
#endif
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode); mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode);
#endif
} }

7
lib/tls/mbedtls/x509.c
View file

@ -23,6 +23,13 @@
#include "tls/mbedtls/private.h" #include "tls/mbedtls/private.h"
#include <mbedtls/oid.h> #include <mbedtls/oid.h>
#if defined(LWS_PLAT_OPTEE)
time_t mktime(struct tm *t)
{
return (time_t)0;
}
#endif
static time_t static time_t
lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime) lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime)
{ {

2
lib/tls/openssl/openssl-client.c
View file

@ -498,7 +498,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx, n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
cert_mem_len, cert_mem); cert_mem_len, cert_mem);
if (n < 1) { if (n < 1) {
lwsl_err("%s: problem interpreting client cert '%s'\n", lwsl_err("%s: problem interpreting client cert\n",
__func__); __func__);
lws_tls_err_describe(); lws_tls_err_describe();
return 1; return 1;