Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-16 00:00:07 +01:00
Code Issues Releases Wiki Activity
libwebsockets/lib/tls/mbedtls/mbedtls-server.c
Andy Green bce8cca042 refactor: also migrate tls to the ops struct and private.h pattern 
Several new ops are planned for tls... so better to bite the bullet and
clean it out to the same level as roles + event-libs first.

Also adds a new travis target "mbedtls" and all the tests except
autobahn against mbedtls build.
2018-05-02 12:10:36 +08:00

694 lines
17 KiB
C
Raw Blame History

/*
* libwebsockets - mbedTLS-specific server functions
*
* Copyright (C) 2010-2017 Andy Green <andy@warmcat.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation:
* version 2.1 of the License.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02110-1301 USA
*/
#include "private-libwebsockets.h"
#include <mbedtls/x509_csr.h>
int
lws_tls_server_client_cert_verify_config(struct lws_vhost *vh)
{
int verify_options = SSL_VERIFY_PEER;
/* as a server, are we requiring clients to identify themselves? */
if (!lws_check_opt(vh->options,
LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT)) {
lwsl_notice("no client cert required\n");
return 0;
}
/*
* The wrapper has this messed-up mapping:
*
* else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
* mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
*
* ie the meaning is inverted. So where we should test for ! we don't
*/
if (lws_check_opt(vh->options, LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED))
verify_options = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
lwsl_notice("%s: vh %s requires client cert %d\n", __func__, vh->name,
verify_options);
SSL_CTX_set_verify(vh->tls.ssl_ctx, verify_options, NULL);
return 0;
}
static int
lws_mbedtls_sni_cb(void *arg, mbedtls_ssl_context *mbedtls_ctx,
const unsigned char *servername, size_t len)
{
SSL *ssl = SSL_SSL_from_mbedtls_ssl_context(mbedtls_ctx);
struct lws_context *context = (struct lws_context *)arg;
struct lws_vhost *vhost, *vh;
lwsl_notice("%s: %s\n", __func__, servername);
/*
* We can only get ssl accepted connections by using a vhost's ssl_ctx
* find out which listening one took us and only match vhosts on the
* same port.
*/
vh = context->vhost_list;
while (vh) {
if (!vh->being_destroyed &&
vh->tls.ssl_ctx == SSL_get_SSL_CTX(ssl))
break;
vh = vh->vhost_next;
}
if (!vh) {
assert(vh); /* can't match the incoming vh? */
return 0;
}
vhost = lws_select_vhost(context, vh->listen_port,
(const char *)servername);
if (!vhost) {
lwsl_info("SNI: none: %s:%d\n", servername, vh->listen_port);
return 0;
}
lwsl_info("SNI: Found: %s:%d at vhost '%s'\n", servername,
vh->listen_port, vhost->name);
/* select the ssl ctx from the selected vhost for this conn */
SSL_set_SSL_CTX(ssl, vhost->tls.ssl_ctx);
return 0;
}
int
lws_tls_server_certs_load(struct lws_vhost *vhost, struct lws *wsi,
const char *cert, const char *private_key,
const char *mem_cert, size_t len_mem_cert,
const char *mem_privkey, size_t mem_privkey_len)
{
int n, f = 0;
const char *filepath = private_key;
uint8_t *mem = NULL, *p = NULL;
size_t mem_len = 0;
lws_filepos_t flen;
long err;
if (!cert || !private_key) {
lwsl_notice("%s: no paths\n", __func__);
return 0;
}
n = lws_tls_generic_cert_checks(vhost, cert, private_key);
if (n == LWS_TLS_EXTANT_NO && (!mem_cert || !mem_privkey))
return 0;
/*
* we can't read the root-privs files. But if mem_cert is provided,
* we should use that.
*/
if (n == LWS_TLS_EXTANT_NO)
n = LWS_TLS_EXTANT_ALTERNATIVE;
if (n == LWS_TLS_EXTANT_ALTERNATIVE && (!mem_cert || !mem_privkey))
return 1; /* no alternative */
if (n == LWS_TLS_EXTANT_ALTERNATIVE) {
/*
* Although we have prepared update certs, we no longer have
* the rights to read our own cert + key we saved.
*
* If we were passed copies in memory buffers, use those
* instead.
*
* The passed memory-buffer cert image is in DER, and the
* memory-buffer private key image is PEM.
*/
/* mem cert is already DER */
p = (uint8_t *)mem_cert;
flen = len_mem_cert;
/* mem private key is PEM, so go through the motions */
mem = (uint8_t *)mem_privkey;
mem_len = mem_privkey_len;
filepath = NULL;
} else {
if (lws_tls_alloc_pem_to_der_file(vhost->context, cert, NULL,
0, &p, &flen)) {
lwsl_err("couldn't find cert file %s\n", cert);
return 1;
}
f = 1;
}
err = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx, flen, p);
if (!err) {
free(p);
lwsl_err("Problem loading cert\n");
return 1;
}
if (f)
free(p);
p = NULL;
if (private_key || n == LWS_TLS_EXTANT_ALTERNATIVE) {
if (lws_tls_alloc_pem_to_der_file(vhost->context, filepath,
(char *)mem, mem_len, &p,
&flen)) {
lwsl_err("couldn't find private key file %s\n",
private_key);
return 1;
}
err = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx, p, flen);
if (!err) {
free(p);
lwsl_err("Problem loading key\n");
return 1;
}
}
if (p && !mem_privkey) {
free(p);
p = NULL;
}
if (!private_key && !mem_privkey &&
vhost->protocols[0].callback(wsi,
LWS_CALLBACK_OPENSSL_CONTEXT_REQUIRES_PRIVATE_KEY,
vhost->tls.ssl_ctx, NULL, 0)) {
lwsl_err("ssl private key not set\n");
return 1;
}
vhost->tls.skipped_certs = 0;
return 0;
}
int
lws_tls_server_vhost_backend_init(const struct lws_context_creation_info *info,
struct lws_vhost *vhost, struct lws *wsi)
{
const SSL_METHOD *method = TLS_server_method();
uint8_t *p;
lws_filepos_t flen;
int n;
vhost->tls.ssl_ctx = SSL_CTX_new(method); /* create context */
if (!vhost->tls.ssl_ctx) {
lwsl_err("problem creating ssl context\n");
return 1;
}
if (!vhost->tls.use_ssl || !info->ssl_cert_filepath)
return 0;
if (info->ssl_ca_filepath) {
lwsl_notice("%s: vh %s: loading CA filepath %s\n", __func__,
vhost->name, info->ssl_ca_filepath);
if (lws_tls_alloc_pem_to_der_file(vhost->context,
info->ssl_ca_filepath, NULL, 0, &p, &flen)) {
lwsl_err("couldn't find client CA file %s\n",
info->ssl_ca_filepath);
return 1;
}
if (SSL_CTX_add_client_CA_ASN1(vhost->tls.ssl_ctx, (int)flen, p) != 1) {
lwsl_err("%s: SSL_CTX_add_client_CA_ASN1 unhappy\n",
__func__);
free(p);
return 1;
}
free(p);
}
n = lws_tls_server_certs_load(vhost, wsi, info->ssl_cert_filepath,
info->ssl_private_key_filepath, NULL,
0, NULL, 0);
if (n)
return n;
return 0;
}
int
lws_tls_server_new_nonblocking(struct lws *wsi, lws_sockfd_type accept_fd)
{
errno = 0;
wsi->tls.ssl = SSL_new(wsi->vhost->tls.ssl_ctx);
if (wsi->tls.ssl == NULL) {
lwsl_err("SSL_new failed: errno %d\n", errno);
lws_ssl_elaborate_error();
return 1;
}
SSL_set_fd(wsi->tls.ssl, accept_fd);
if (wsi->vhost->tls.ssl_info_event_mask)
SSL_set_info_callback(wsi->tls.ssl, lws_ssl_info_callback);
SSL_set_sni_callback(wsi->tls.ssl, lws_mbedtls_sni_cb, wsi->context);
return 0;
}
int
lws_tls_server_abort_connection(struct lws *wsi)
{
__lws_tls_shutdown(wsi);
SSL_free(wsi->tls.ssl);
return 0;
}
enum lws_ssl_capable_status
lws_tls_server_accept(struct lws *wsi)
{
union lws_tls_cert_info_results ir;
int m, n;
n = SSL_accept(wsi->tls.ssl);
if (n == 1) {
if (strstr(wsi->vhost->name, ".invalid")) {
lwsl_notice("%s: vhost has .invalid, rejecting accept\n", __func__);
return LWS_SSL_CAPABLE_ERROR;
}
n = lws_tls_peer_cert_info(wsi, LWS_TLS_CERT_INFO_COMMON_NAME, &ir,
sizeof(ir.ns.name));
if (!n)
lwsl_notice("%s: client cert CN '%s'\n",
__func__, ir.ns.name);
else
lwsl_info("%s: couldn't get client cert CN\n", __func__);
return LWS_SSL_CAPABLE_DONE;
}
m = SSL_get_error(wsi->tls.ssl, n);
lwsl_debug("%s: %p: accept SSL_get_error %d errno %d\n", __func__,
wsi, m, errno);
// mbedtls wrapper only
if (m == SSL_ERROR_SYSCALL && errno == 11)
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
if (m == SSL_ERROR_SYSCALL || m == SSL_ERROR_SSL)
return LWS_SSL_CAPABLE_ERROR;
if (m == SSL_ERROR_WANT_READ || SSL_want_read(wsi->tls.ssl)) {
if (lws_change_pollfd(wsi, 0, LWS_POLLIN)) {
lwsl_info("%s: WANT_READ change_pollfd failed\n", __func__);
return LWS_SSL_CAPABLE_ERROR;
}
lwsl_info("SSL_ERROR_WANT_READ\n");
return LWS_SSL_CAPABLE_MORE_SERVICE_READ;
}
if (m == SSL_ERROR_WANT_WRITE || SSL_want_write(wsi->tls.ssl)) {
lwsl_debug("%s: WANT_WRITE\n", __func__);
if (lws_change_pollfd(wsi, 0, LWS_POLLOUT)) {
lwsl_info("%s: WANT_WRITE change_pollfd failed\n", __func__);
return LWS_SSL_CAPABLE_ERROR;
}
return LWS_SSL_CAPABLE_MORE_SERVICE_WRITE;
}
return LWS_SSL_CAPABLE_ERROR;
}
#if defined(LWS_WITH_ACME)
/*
* mbedtls doesn't support SAN for cert creation. So we use a known-good
* tls-sni-01 cert from OpenSSL that worked on Let's Encrypt, and just replace
* the pubkey n part and the signature part.
*
* This will need redoing for tls-sni-02...
*/
static uint8_t ss_cert_leadin[] = {
0x30, 0x82,
0x05, 0x56, /* total length: LEN1 (+2 / +3) (correct for 513 + 512)*/
0x30, 0x82, /* length: LEN2 (+6 / +7) (correct for 513) */
0x03, 0x3e,
/* addition: v3 cert (+5 bytes)*/
0xa0, 0x03,
0x02, 0x01, 0x02,
0x02, 0x01, 0x01,
0x30, 0x0d, 0x06, 0x09, 0x2a,
0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30, 0x3f,
0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13, 0x02, 0x47,
0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x0c, 0x0b,
0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e, 0x79, 0x31,
0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11, 0x74, 0x65,
0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e, 0x76, 0x61,
0x6c, 0x69, 0x64, 0x30, 0x1e, 0x17, 0x0d,
/* from 2017-10-29 ... */
0x31, 0x37, 0x31, 0x30, 0x32, 0x39, 0x31, 0x31, 0x34, 0x39, 0x34, 0x35,
0x5a, 0x17, 0x0d,
/* thru 2049-10-29 we immediately discard the private key, no worries */
0x34, 0x39, 0x31, 0x30, 0x32, 0x39, 0x31, 0x32, 0x34, 0x39, 0x34, 0x35,
0x5a,
0x30, 0x3f, 0x31, 0x0b, 0x30, 0x09, 0x06, 0x03, 0x55, 0x04, 0x06, 0x13,
0x02, 0x47, 0x42, 0x31, 0x14, 0x30, 0x12, 0x06, 0x03, 0x55, 0x04, 0x0a,
0x0c, 0x0b, 0x73, 0x6f, 0x6d, 0x65, 0x63, 0x6f, 0x6d, 0x70, 0x61, 0x6e,
0x79, 0x31, 0x1a, 0x30, 0x18, 0x06, 0x03, 0x55, 0x04, 0x03, 0x0c, 0x11,
0x74, 0x65, 0x6d, 0x70, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69, 0x6e,
0x76, 0x61, 0x6c, 0x69, 0x64, 0x30,
0x82,
0x02, 0x22, /* LEN3 (+C3 / C4) */
0x30, 0x0d, 0x06,
0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00,
0x03,
0x82,
0x02, 0x0f, /* LEN4 (+D6 / D7) */
0x00, 0x30, 0x82,
0x02, 0x0a, /* LEN5 (+ DB / DC) */
0x02, 0x82,
//0x02, 0x01, /* length of n in bytes (including leading 00 if any) */
},
/* 1 + (keybits / 8) bytes N */
ss_cert_san_leadin[] = {
/* e - fixed */
0x02, 0x03, 0x01, 0x00, 0x01,
0xa3, 0x5d, 0x30, 0x5b, 0x30, 0x59, 0x06, 0x03, 0x55, 0x1d,
0x11, 0x04, 0x52, 0x30, 0x50, /* <-- SAN length + 2 */
0x82, 0x4e, /* <-- SAN length */
},
/* 78 bytes of SAN (tls-sni-01)
0x61, 0x64, 0x34, 0x31, 0x61, 0x66, 0x62, 0x65, 0x30, 0x63, 0x61, 0x34,
0x36, 0x34, 0x32, 0x66, 0x30, 0x61, 0x34, 0x34, 0x39, 0x64, 0x39, 0x63,
0x61, 0x37, 0x36, 0x65, 0x62, 0x61, 0x61, 0x62, 0x2e, 0x32, 0x38, 0x39,
0x34, 0x64, 0x34, 0x31, 0x36, 0x63, 0x39, 0x38, 0x33, 0x66, 0x31, 0x32,
0x65, 0x64, 0x37, 0x33, 0x31, 0x61, 0x33, 0x30, 0x66, 0x35, 0x63, 0x34,
0x34, 0x37, 0x37, 0x66, 0x65, 0x2e, 0x61, 0x63, 0x6d, 0x65, 0x2e, 0x69,
0x6e, 0x76, 0x61, 0x6c, 0x69, 0x64, */
/* end of LEN2 area */
ss_cert_sig_leadin[] = {
/* it's saying that the signature is SHA256 + RSA */
0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d,
0x01, 0x01, 0x0b, 0x05, 0x00, 0x03,
0x82,
0x02, 0x01,
0x00,
};
/* (keybits / 8) bytes signature to end of LEN1 area */
#define SAN_A_LENGTH 78
LWS_VISIBLE int
lws_tls_acme_sni_cert_create(struct lws_vhost *vhost, const char *san_a,
const char *san_b)
{
int buflen = 0x560;
uint8_t *buf = lws_malloc(buflen, "tmp cert buf"), *p = buf, *pkey_asn1;
struct lws_genrsa_ctx ctx;
struct lws_genrsa_elements el;
uint8_t digest[32];
struct lws_genhash_ctx hash_ctx;
int pkey_asn1_len = 3 * 1024;
int n, m, keybits = lws_plat_recommended_rsa_bits(), adj;
if (!buf)
return 1;
n = lws_genrsa_new_keypair(vhost->context, &ctx, &el, keybits);
if (n < 0) {
lws_jwk_destroy_genrsa_elements(&el);
goto bail1;
}
n = sizeof(ss_cert_leadin);
memcpy(p, ss_cert_leadin, n);
p += n;
adj = (0x0556 - 0x401) + (keybits / 4) + 1;
buf[2] = adj >> 8;
buf[3] = adj & 0xff;
adj = (0x033e - 0x201) + (keybits / 8) + 1;
buf[6] = adj >> 8;
buf[7] = adj & 0xff;
adj = (0x0222 - 0x201) + (keybits / 8) + 1;
buf[0xc3] = adj >> 8;
buf[0xc4] = adj & 0xff;
adj = (0x020f - 0x201) + (keybits / 8) + 1;
buf[0xd6] = adj >> 8;
buf[0xd7] = adj & 0xff;
adj = (0x020a - 0x201) + (keybits / 8) + 1;
buf[0xdb] = adj >> 8;
buf[0xdc] = adj & 0xff;
*p++ = ((keybits / 8) + 1) >> 8;
*p++ = ((keybits / 8) + 1) & 0xff;
/* we need to drop 1 + (keybits / 8) bytes of n in here, 00 + key */
*p++ = 0x00;
memcpy(p, el.e[JWK_KEY_N].buf, el.e[JWK_KEY_N].len);
p += el.e[JWK_KEY_N].len;
memcpy(p, ss_cert_san_leadin, sizeof(ss_cert_san_leadin));
p += sizeof(ss_cert_san_leadin);
/* drop in 78 bytes of san_a */
memcpy(p, san_a, SAN_A_LENGTH);
p += SAN_A_LENGTH;
memcpy(p, ss_cert_sig_leadin, sizeof(ss_cert_sig_leadin));
p[17] = ((keybits / 8) + 1) >> 8;
p[18] = ((keybits / 8) + 1) & 0xff;
p += sizeof(ss_cert_sig_leadin);
/* hash the cert plaintext */
if (lws_genhash_init(&hash_ctx, LWS_GENHASH_TYPE_SHA256))
goto bail2;
if (lws_genhash_update(&hash_ctx, buf, lws_ptr_diff(p, buf))) {
lws_genhash_destroy(&hash_ctx, NULL);
goto bail2;
}
if (lws_genhash_destroy(&hash_ctx, digest))
goto bail2;
/* sign the hash */
n = lws_genrsa_public_sign(&ctx, digest, LWS_GENHASH_TYPE_SHA256, p,
buflen - lws_ptr_diff(p, buf));
if (n < 0)
goto bail2;
p += n;
pkey_asn1 = lws_malloc(pkey_asn1_len, "mbed crt tmp");
if (!pkey_asn1)
goto bail2;
m = lws_genrsa_render_pkey_asn1(&ctx, 1, pkey_asn1, pkey_asn1_len);
if (m < 0) {
lws_free(pkey_asn1);
goto bail2;
}
// lwsl_hexdump_level(LLL_DEBUG, buf, lws_ptr_diff(p, buf));
n = SSL_CTX_use_certificate_ASN1(vhost->tls.ssl_ctx,
lws_ptr_diff(p, buf), buf);
if (n != 1) {
lws_free(pkey_asn1);
lwsl_err("%s: generated cert failed to load 0x%x\n",
__func__, -n);
} else {
//lwsl_debug("private key\n");
//lwsl_hexdump_level(LLL_DEBUG, pkey_asn1, n);
/* and to use our generated private key */
n = SSL_CTX_use_PrivateKey_ASN1(0, vhost->tls.ssl_ctx, pkey_asn1, m);
lws_free(pkey_asn1);
if (n != 1) {
lwsl_err("%s: SSL_CTX_use_PrivateKey_ASN1 failed\n",
__func__);
}
}
lws_genrsa_destroy(&ctx);
lws_jwk_destroy_genrsa_elements(&el);
lws_free(buf);
return n != 1;
bail2:
lws_genrsa_destroy(&ctx);
lws_jwk_destroy_genrsa_elements(&el);
bail1:
lws_free(buf);
return -1;
}
void
lws_tls_acme_sni_cert_destroy(struct lws_vhost *vhost)
{
}
#if defined(LWS_WITH_JWS)
static int
_rngf(void *context, unsigned char *buf, size_t len)
{
if ((size_t)lws_get_random(context, buf, len) == len)
return 0;
return -1;
}
static const char *x5[] = { "C", "ST", "L", "O", "CN" };
/*
* CSR is output formatted as b64url(DER)
* Private key is output as a PEM in memory
*/
LWS_VISIBLE LWS_EXTERN int
lws_tls_acme_sni_csr_create(struct lws_context *context, const char *elements[],
uint8_t *dcsr, size_t csr_len, char **privkey_pem,
size_t *privkey_len)
{
mbedtls_x509write_csr csr;
mbedtls_pk_context mpk;
int buf_size = 4096, n;
char subject[200], *p = subject, *end = p + sizeof(subject) - 1;
uint8_t *buf = malloc(buf_size); /* malloc because given to user code */
if (!buf)
return -1;
mbedtls_x509write_csr_init(&csr);
mbedtls_pk_init(&mpk);
if (mbedtls_pk_setup(&mpk, mbedtls_pk_info_from_type(MBEDTLS_PK_RSA))) {
lwsl_notice("%s: pk_setup failed\n", __func__);
goto fail;
}
n = mbedtls_rsa_gen_key(mbedtls_pk_rsa(mpk), _rngf, context,
lws_plat_recommended_rsa_bits(), 65537);
if (n) {
lwsl_notice("%s: failed to generate keys\n", __func__);
goto fail1;
}
/* subject must be formatted like "C=TW,O=warmcat,CN=myserver" */
for (n = 0; n < (int)ARRAY_SIZE(x5); n++) {
if (p != subject)
*p++ = ',';
if (elements[n])
p += lws_snprintf(p, end - p, "%s=%s", x5[n],
elements[n]);
}
if (mbedtls_x509write_csr_set_subject_name(&csr, subject))
goto fail1;
mbedtls_x509write_csr_set_key(&csr, &mpk);
mbedtls_x509write_csr_set_md_alg(&csr, MBEDTLS_MD_SHA256);
/*
* data is written at the end of the buffer! Use the
* return value to determine where you should start
* using the buffer
*/
n = mbedtls_x509write_csr_der(&csr, buf, buf_size, _rngf, context);
if (n < 0) {
lwsl_notice("%s: write csr der failed\n", __func__);
goto fail1;
}
/* we have it in DER, we need it in b64URL */
n = lws_jws_base64_enc((char *)(buf + buf_size) - n, n,
(char *)dcsr, csr_len);
if (n < 0)
goto fail1;
/*
* okay, the CSR is done, last we need the private key in PEM
* re-use the DER CSR buf as the result buffer since we cn do it in
* one step
*/
if (mbedtls_pk_write_key_pem(&mpk, buf, buf_size)) {
lwsl_notice("write key pem failed\n");
goto fail1;
}
*privkey_pem = (char *)buf;
*privkey_len = strlen((const char *)buf);
mbedtls_pk_free(&mpk);
mbedtls_x509write_csr_free(&csr);
return n;
fail1:
mbedtls_pk_free(&mpk);
fail:
mbedtls_x509write_csr_free(&csr);
free(buf);
return -1;
}
#endif
#endif
Reference in a new issue View git blame Copy permalink