mbedtls: finer-grained enable checks and OP-TEE
This commit is contained in:
parent
4608dfc581
commit
ad9c99a6d3
8 changed files with 55 additions and 23 deletions
|
@ -1659,6 +1659,15 @@ if (LWS_WITH_MBEDTLS)
|
|||
# not supported in esp-idf openssl wrapper yet, but is in our version
|
||||
set(LWS_HAVE_X509_VERIFY_PARAM_set1_host 1)
|
||||
endif()
|
||||
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_alpn_protocols LWS_HAVE_mbedtls_ssl_conf_alpn_protocols)
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_ssl_get_alpn_protocol LWS_HAVE_mbedtls_ssl_get_alpn_protocol)
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_sni LWS_HAVE_mbedtls_ssl_conf_sni)
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_ca_chain LWS_HAVE_mbedtls_ssl_set_hs_ca_chain)
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode)
|
||||
CHECK_FUNCTION_EXISTS(mbedtls_net_init LWS_HAVE_mbedtls_net_init)
|
||||
|
||||
else()
|
||||
CHECK_FUNCTION_EXISTS(TLS_client_method LWS_HAVE_TLS_CLIENT_METHOD)
|
||||
CHECK_FUNCTION_EXISTS(TLSv1_2_client_method LWS_HAVE_TLSV1_2_CLIENT_METHOD)
|
||||
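Review bot: The new CHECK_FUNCTION_EXISTS() probes define nothing when the link test fails for a reason unrelated to the symbol, and every consumer in this commit is a bare `#if defined(LWS_HAVE_mbedtls_...)`, so mis-set CMAKE_REQUIRED_LIBRARIES / CMAKE_REQUIRED_INCLUDES for mbedtls would compile ALPN, SNI and the per-vhost `mbedtls_ssl_set_hs_authmode()` update out of the build with no diagnostic. I cannot see whether those variables are set for mbedtls above this hunk; if they are not, the checks fail on every configuration. Consider warning when a probe for a function the library is expected to provide comes back negative, e.g. `if (NOT LWS_HAVE_mbedtls_ssl_set_hs_authmode)` / `message(WARNING "mbedtls_ssl_set_hs_authmode not found: per-vhost verify mode will not be applied")` / `endif()`, so a broken probe is visible rather than a quiet loss of verification.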
|
|
|
@ -29,6 +29,13 @@
|
|||
#cmakedefine LWS_HAVE_EVP_aes_128_wrap
|
||||
#cmakedefine LWS_HAVE_LIBCAP
|
||||
#cmakedefine LWS_HAVE_MALLOC_H
|
||||
#cmakedefine LWS_HAVE_mbedtls_net_init
|
||||
#cmakedefine LWS_HAVE_mbedtls_ssl_conf_alpn_protocols
|
||||
#cmakedefine LWS_HAVE_mbedtls_ssl_get_alpn_protocol
|
||||
#cmakedefine LWS_HAVE_mbedtls_ssl_conf_sni
|
||||
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_ca_chain
|
||||
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_own_cert
|
||||
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_authmode
|
||||
#cmakedefine LWS_HAVE_NEW_UV_VERSION_H
|
||||
#cmakedefine LWS_HAVE_OPENSSL_ECDH_H
|
||||
#cmakedefine LWS_HAVE_PIPE2
|
||||
|
|
|
@ -284,6 +284,7 @@ LWS_VISIBLE int
|
|||
lws_ssl_capable_write_no_ssl(struct lws *wsi, unsigned char *buf, int len)
|
||||
{
|
||||
int n = 0;
|
||||
ssize_t send(int sockfd, const void *buf, size_t len, int flags);
|
||||
|
||||
if (lws_wsi_is_udp(wsi)) {
|
||||
#if !defined(LWS_WITH_ESP32) && !defined(LWS_PLAT_OPTEE)
|
||||
|
|
|
@ -312,13 +312,7 @@ const SSL_METHOD* TLS_server_method(void);
|
|||
*
|
||||
* @return none
|
||||
*/
|
||||
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx,
|
||||
int (*cb) (SSL *ssl,
|
||||
const unsigned char **out,
|
||||
unsigned char *outlen,
|
||||
const unsigned char *in,
|
||||
unsigned int inlen,
|
||||
void *arg),
|
||||
void SSL_CTX_set_alpn_select_cb(SSL_CTX *ctx, next_proto_cb cb,
|
||||
void *arg);
|
||||
|
||||
void SSL_set_alpn_select_cb(SSL *ssl, void *arg);
|
||||
|
@ -1172,7 +1166,7 @@ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx);
|
|||
*
|
||||
* @return data point
|
||||
*/
|
||||
char *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
|
||||
void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx);
|
||||
|
||||
/**
|
||||
* @brief get the SSL context quiet shutdown option
|
||||
|
@ -1748,7 +1742,7 @@ void SSL_set_shutdown(SSL *ssl, int mode);
|
|||
*
|
||||
* @return session time
|
||||
*/
|
||||
void SSL_set_time(SSL *ssl, long t);
|
||||
long SSL_set_time(SSL *ssl, long t);
|
||||
|
||||
/**
|
||||
* @brief set SSL session timeout time
|
||||
|
@ -1758,7 +1752,7 @@ void SSL_set_time(SSL *ssl, long t);
|
|||
*
|
||||
* @return session timeout time
|
||||
*/
|
||||
void SSL_set_timeout(SSL *ssl, long t);
|
||||
long SSL_set_timeout(SSL *ssl, long t);
|
||||
|
||||
/**
|
||||
* @brief get SSL statement string
|
||||
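Review bot: The new prototype of `SSL_CTX_set_alpn_select_cb` relies on a `next_proto_cb` typedef whose declaration is outside this hunk; if that typedef differs from the callback shape the removed lines spelled out (`unsigned char *outlen`, `unsigned int inlen`), callers written against the OpenSSL contract would be compiled against a different signature without a diagnostic, so it is worth confirming the two match. The return-type corrections for `SSL_CTX_get_ex_data`, `SSL_set_time` and `SSL_set_timeout` line up the header with their definitions, but the pre-existing `@return session time` / `@return session timeout time` comments should then be checked against what the wrapper definitions actually return, which this hunk does not show.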
|
|
|
@ -19,6 +19,8 @@
|
|||
#include "ssl_dbg.h"
|
||||
#include "ssl_port.h"
|
||||
|
||||
#include "core/private.h"
|
||||
|
||||
char *
|
||||
lws_strncpy(char *dest, const char *src, size_t size);
|
||||
|
||||
|
@ -1647,10 +1649,6 @@ void *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
|
|||
* So accept the OpenSSL style and convert to mbedtls style
|
||||
*/
|
||||
|
||||
struct alpn_ctx {
|
||||
unsigned char data[23];
|
||||
unsigned char len;
|
||||
};
|
||||
|
||||
static void
|
||||
_openssl_alpn_to_mbedtls(struct alpn_ctx *ac, char ***palpn_protos)
|
||||
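Review bot: The hand-written `lws_strncpy()` prototype added right after `#include "core/private.h"` presumably duplicates a declaration the library's public header already carries, and a local prototype is never checked against the definition in another translation unit, so a later signature change would leave this file silently out of sync. If the symbol is not reachable through core/private.h from the wrapper, including the header that declares it is preferable to redeclaring it; if it is reachable, the two lines are redundant and should go. Separately, `struct alpn_ctx` with its fixed `data[23]` buffer is moved out of this file while `_openssl_alpn_to_mbedtls()`, which writes into it, continues outside the hunk, so the bound on that buffer cannot be reviewed here.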
|
|
|
@ -25,7 +25,7 @@
|
|||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/certs.h"
|
||||
|
||||
#include <libwebsockets.h>
|
||||
#include "core/private.h"
|
||||
|
||||
#define X509_INFO_STRING_LENGTH 8192
|
||||
|
||||
|
@ -131,8 +131,8 @@ int ssl_pm_new(SSL *ssl)
|
|||
|
||||
ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret);
|
||||
goto mbedtls_err1;
|
||||
lwsl_notice("%s: mbedtls_ctr_drbg_seed() return -0x%x", __func__, -ret);
|
||||
//goto mbedtls_err1;
|
||||
}
|
||||
|
||||
if (method->endpoint) {
|
||||
|
@ -142,6 +142,7 @@ int ssl_pm_new(SSL *ssl)
|
|||
}
|
||||
ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
|
||||
if (ret) {
|
||||
lwsl_err("%s: mbedtls_ssl_config_defaults() return -0x%x", __func__, -ret);
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
|
||||
goto mbedtls_err2;
|
||||
}
|
||||
|
@ -174,6 +175,8 @@ int ssl_pm_new(SSL *ssl)
|
|||
|
||||
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
|
||||
if (ret) {
|
||||
lwsl_err("%s: mbedtls_ssl_setup() return -0x%x", __func__, -ret);
|
||||
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
|
||||
goto mbedtls_err2;
|
||||
}
|
||||
|
@ -187,7 +190,7 @@ int ssl_pm_new(SSL *ssl)
|
|||
mbedtls_err2:
|
||||
mbedtls_ssl_config_free(&ssl_pm->conf);
|
||||
mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
|
||||
mbedtls_err1:
|
||||
//mbedtls_err1:
|
||||
mbedtls_entropy_free(&ssl_pm->entropy);
|
||||
ssl_mem_free(ssl_pm);
|
||||
no_mem:
|
||||
|
@ -329,7 +332,7 @@ int ssl_pm_handshake(SSL *ssl)
|
|||
return 0;
|
||||
}
|
||||
|
||||
printf("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret);
|
||||
lwsl_info("%s: mbedtls_ssl_handshake() returned -0x%x\n", __func__, -ret);
|
||||
|
||||
/* it's had it */
|
||||
|
||||
|
@ -829,6 +832,7 @@ int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
|
|||
|
||||
void _ssl_set_alpn_list(const SSL *ssl)
|
||||
{
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_conf_alpn_protocols)
|
||||
if (ssl->alpn_protos) {
|
||||
if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->alpn_protos))
|
||||
fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
|
||||
|
@ -839,11 +843,13 @@ void _ssl_set_alpn_list(const SSL *ssl)
|
|||
return;
|
||||
if (mbedtls_ssl_conf_alpn_protocols(&((struct ssl_pm *)(ssl->ssl_pm))->conf, ssl->ctx->alpn_protos))
|
||||
fprintf(stderr, "mbedtls_ssl_conf_alpn_protocols failed\n");
|
||||
#endif
|
||||
}
|
||||
|
||||
void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
|
||||
unsigned int *len)
|
||||
{
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_get_alpn_protocol)
|
||||
const char *alp = mbedtls_ssl_get_alpn_protocol(&((struct ssl_pm *)(ssl->ssl_pm))->ssl);
|
||||
|
||||
*data = (const unsigned char *)alp;
|
||||
|
@ -851,15 +857,17 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data,
|
|||
*len = strlen(alp);
|
||||
else
|
||||
*len = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
int SSL_set_sni_callback(SSL *ssl, int(*cb)(void *, mbedtls_ssl_context *,
|
||||
const unsigned char *, size_t), void *param)
|
||||
{
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_conf_sni)
|
||||
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
|
||||
|
||||
mbedtls_ssl_conf_sni(&ssl_pm->conf, cb, param);
|
||||
|
||||
#endif
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -874,18 +882,20 @@ SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc)
|
|||
|
||||
void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
|
||||
{
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
|
||||
struct ssl_pm *ssl_pm = ssl->ssl_pm;
|
||||
struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
|
||||
struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm;
|
||||
|
||||
struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;
|
||||
int mode;
|
||||
#endif
|
||||
|
||||
if (ssl->cert)
|
||||
ssl_cert_free(ssl->cert);
|
||||
ssl->ctx = ctx;
|
||||
ssl->cert = __ssl_cert_new(ctx->cert);
|
||||
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
|
||||
if (ctx->verify_mode == SSL_VERIFY_PEER)
|
||||
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
|
||||
else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
|
@ -894,14 +904,20 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
|
|||
mode = MBEDTLS_SSL_VERIFY_UNSET;
|
||||
else
|
||||
mode = MBEDTLS_SSL_VERIFY_NONE;
|
||||
#endif
|
||||
|
||||
// printf("ssl: %p, client ca x509_crt %p, mbedtls mode %d\n", ssl, x509_pm_ca->x509_crt, mode);
|
||||
|
||||
/* apply new ctx cert to ssl */
|
||||
|
||||
ssl->verify_mode = ctx->verify_mode;
|
||||
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_ca_chain)
|
||||
mbedtls_ssl_set_hs_ca_chain(&ssl_pm->ssl, x509_pm_ca->x509_crt, NULL);
|
||||
#endif
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_own_cert)
|
||||
mbedtls_ssl_set_hs_own_cert(&ssl_pm->ssl, x509_pm->x509_crt, pkey_pm->pkey);
|
||||
#endif
|
||||
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
|
||||
mbedtls_ssl_set_hs_authmode(&ssl_pm->ssl, mode);
|
||||
#endif
|
||||
}
|
||||
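Review bot: In ssl_pm_new(), the failure path for `mbedtls_ctr_drbg_seed()` is downgraded from `goto mbedtls_err1;` to a notice-level log with the goto commented out, so the SSL object is created over a DRBG whose seeding failed; whether later `mbedtls_ctr_drbg_random()` calls fail closed on such a context is not shown here, and a TLS stack continuing after its RNG could not be seeded is not a risk to accept for a log line. The matching label is commented out in the hunk at `@ -187,7 +190,7`. If the motivation is a platform without an entropy source (the commit title suggests OP-TEE), the hard failure should stay and a platform entropy source be registered with `mbedtls_entropy_add_source()` before seeding, i.e. restore `goto mbedtls_err1;` and the `mbedtls_err1:` label. Separately, in `SSL_set_SSL_CTX()` the `ssl_pm`, `x509_pm_ca` and `pkey_pm` locals are declared under `#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)` but used under the separate `..._set_hs_ca_chain` and `..._set_hs_own_cert` guards, so a build where only the first probe fails does not compile, and when it fails the vhost's verify mode is recorded in `ssl->verify_mode` but never applied to the mbedtls handshake.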
|
|
|
@ -23,6 +23,13 @@
|
|||
#include "tls/mbedtls/private.h"
|
||||
#include <mbedtls/oid.h>
|
||||
|
||||
#if defined(LWS_PLAT_OPTEE)
|
||||
time_t mktime(struct tm *t)
|
||||
{
|
||||
return (time_t)0;
|
||||
}
|
||||
#endif
|
||||
|
||||
static time_t
|
||||
lws_tls_mbedtls_time_to_unix(mbedtls_x509_time *xtime)
|
||||
{
|
||||
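Review bot: The OP-TEE `mktime()` stub returns `(time_t)0` unconditionally, so `lws_tls_mbedtls_time_to_unix()` (whose body continues outside the hunk) presumably reports the epoch for every certificate date on that platform; any caller using its result for validity or expiry comparisons gets a plausible-looking but wrong answer with no error. Defining a global `mktime` in a library translation unit would also collide with a libc that does provide one, so the guard should state the platform fact it depends on. I would add `/* OP-TEE: no mktime() in the platform libc (confirm); this stub makes every x509 time convert to the epoch, so callers must not treat the result as a real timestamp */` above the definition, and have the converter return a sentinel such as `(time_t)-1` under LWS_PLAT_OPTEE so callers can tell the unsupported case apart.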
|
|
|
@ -498,7 +498,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
|
|||
n = SSL_CTX_use_certificate_ASN1(vh->tls.ssl_client_ctx,
|
||||
cert_mem_len, cert_mem);
|
||||
if (n < 1) {
|
||||
lwsl_err("%s: problem interpreting client cert '%s'\n",
|
||||
lwsl_err("%s: problem interpreting client cert\n",
|
||||
__func__);
|
||||
lws_tls_err_describe();
|
||||
return 1;
|
||||
|
|