2021-10-14 04:17:24 -04:00
|
|
|
//
|
2021-05-28 09:13:32 -04:00
|
|
|
// SPDX-FileCopyrightText: 2021-2022 Espressif Systems (Shanghai) CO LTD
|
2021-10-14 04:17:24 -04:00
|
|
|
//
|
|
|
|
// SPDX-License-Identifier: BSL-1.0
|
|
|
|
//
|
|
|
|
#pragma once
|
|
|
|
|
|
|
|
#include "mbedtls/ssl.h"
|
|
|
|
#include "mbedtls/entropy.h"
|
|
|
|
#include "mbedtls/ctr_drbg.h"
|
|
|
|
#include "mbedtls/error.h"
|
|
|
|
#include "mbedtls/esp_debug.h"
|
|
|
|
#include "esp_log.h"
|
|
|
|
|
|
|
|
namespace asio {
|
|
|
|
namespace ssl {
|
|
|
|
namespace mbedtls {
|
|
|
|
|
|
|
|
const char *error_message(int error_code)
|
|
|
|
{
|
|
|
|
static char error_buf[100];
|
|
|
|
mbedtls_strerror(error_code, error_buf, sizeof(error_buf));
|
|
|
|
return error_buf;
|
|
|
|
}
|
|
|
|
|
|
|
|
void throw_alloc_failure(const char* location)
|
|
|
|
{
|
|
|
|
asio::error_code ec( MBEDTLS_ERR_SSL_ALLOC_FAILED, asio::error::get_mbedtls_category());
|
|
|
|
asio::detail::throw_error(ec, location);
|
|
|
|
}
|
|
|
|
|
|
|
|
namespace error_codes {
|
|
|
|
|
|
|
|
bool is_error(int ret)
|
|
|
|
{
|
|
|
|
return ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool want_write(int ret)
|
|
|
|
{
|
|
|
|
return ret == MBEDTLS_ERR_SSL_WANT_WRITE;
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool want_read(int ret)
|
|
|
|
{
|
|
|
|
return ret == MBEDTLS_ERR_SSL_WANT_READ;
|
|
|
|
}
|
|
|
|
|
|
|
|
} // namespace error_codes
|
|
|
|
|
|
|
|
enum rw_state {
|
|
|
|
IDLE, READING, WRITING, CLOSED
|
|
|
|
};
|
|
|
|
|
|
|
|
class engine {
|
|
|
|
public:
|
|
|
|
explicit engine(std::shared_ptr<context> ctx): ctx_(std::move(ctx)),
|
|
|
|
bio_(bio::new_pair("mbedtls-engine")), state_(IDLE), verify_mode_(0) {}
|
|
|
|
|
|
|
|
void set_verify_mode(asio::ssl::verify_mode mode)
|
|
|
|
{
|
|
|
|
verify_mode_ = mode;
|
|
|
|
}
|
|
|
|
|
|
|
|
bio* ext_bio() const
|
|
|
|
{
|
|
|
|
return bio_.second.get();
|
|
|
|
}
|
|
|
|
|
|
|
|
rw_state get_state() const
|
|
|
|
{
|
|
|
|
return state_;
|
|
|
|
}
|
|
|
|
|
|
|
|
int shutdown()
|
|
|
|
{
|
|
|
|
int ret = mbedtls_ssl_close_notify(&impl_.ssl_);
|
|
|
|
if (ret) {
|
|
|
|
impl::print_error("mbedtls_ssl_close_notify", ret);
|
|
|
|
}
|
|
|
|
state_ = CLOSED;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int connect()
|
|
|
|
{
|
|
|
|
return handshake(true);
|
|
|
|
}
|
|
|
|
|
|
|
|
int accept()
|
|
|
|
{
|
|
|
|
return handshake(false);
|
|
|
|
}
|
|
|
|
|
|
|
|
int write(const void *buffer, int len)
|
|
|
|
{
|
|
|
|
int ret = impl_.write(buffer, len);
|
|
|
|
state_ = ret == len ? IDLE: WRITING;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int read(void *buffer, int len)
|
|
|
|
{
|
|
|
|
int ret = impl_.read(buffer, len);
|
|
|
|
state_ = ret == len ? IDLE: READING;
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
private:
|
|
|
|
int handshake(bool is_client_not_server)
|
|
|
|
{
|
|
|
|
if (impl_.before_handshake()) {
|
|
|
|
impl_.configure(ctx_.get(), is_client_not_server, impl_verify_mode(is_client_not_server));
|
|
|
|
}
|
|
|
|
return do_handshake();
|
|
|
|
}
|
|
|
|
|
|
|
|
static int bio_read(void *ctx, unsigned char *buf, size_t len)
|
|
|
|
{
|
|
|
|
auto bio = static_cast<BIO*>(ctx);
|
|
|
|
int read = bio->read(buf, len);
|
|
|
|
if (read <= 0 && bio->should_read()) {
|
|
|
|
return MBEDTLS_ERR_SSL_WANT_READ;
|
|
|
|
}
|
|
|
|
return read;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int bio_write(void *ctx, const unsigned char *buf, size_t len)
|
|
|
|
{
|
|
|
|
auto bio = static_cast<BIO*>(ctx);
|
|
|
|
int written = bio->write(buf, len);
|
|
|
|
if (written <= 0 && bio->should_write()) {
|
|
|
|
return MBEDTLS_ERR_SSL_WANT_WRITE;
|
|
|
|
}
|
|
|
|
return written;
|
|
|
|
}
|
|
|
|
|
|
|
|
int do_handshake()
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
mbedtls_ssl_set_bio(&impl_.ssl_, bio_.first.get(), bio_write, bio_read, nullptr);
|
|
|
|
|
2021-05-28 09:13:32 -04:00
|
|
|
while (impl_.ssl_.MBEDTLS_PRIVATE(state) != MBEDTLS_SSL_HANDSHAKE_OVER) {
|
2021-10-14 04:17:24 -04:00
|
|
|
ret = mbedtls_ssl_handshake_step(&impl_.ssl_);
|
|
|
|
|
|
|
|
if (ret != 0) {
|
|
|
|
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
|
|
impl::print_error("mbedtls_ssl_handshake_step", ret);
|
|
|
|
}
|
|
|
|
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
|
|
|
|
state_ = READING;
|
|
|
|
} else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
|
|
state_ = WRITING;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Converts OpenSSL verification mode to mbedtls enum
|
|
|
|
int impl_verify_mode(bool is_client_not_server) const
|
|
|
|
{
|
|
|
|
int mode = MBEDTLS_SSL_VERIFY_UNSET;
|
|
|
|
if (is_client_not_server) {
|
|
|
|
if (verify_mode_ & SSL_VERIFY_PEER)
|
|
|
|
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
|
|
|
else if (verify_mode_ == SSL_VERIFY_NONE)
|
|
|
|
mode = MBEDTLS_SSL_VERIFY_NONE;
|
|
|
|
} else {
|
|
|
|
if (verify_mode_ & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
|
|
|
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
|
|
|
else if (verify_mode_ & SSL_VERIFY_PEER)
|
|
|
|
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
|
|
|
|
else if (verify_mode_ == SSL_VERIFY_NONE)
|
|
|
|
mode = MBEDTLS_SSL_VERIFY_NONE;
|
|
|
|
}
|
|
|
|
return mode;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct impl {
|
|
|
|
static void print_error(const char* function, int error_code)
|
|
|
|
{
|
|
|
|
constexpr const char *TAG="mbedtls-engine-impl";
|
|
|
|
ESP_LOGE(TAG, "%s() returned -0x%04X", function, -error_code);
|
|
|
|
ESP_LOGI(TAG, "-0x%04X: %s", -error_code, error_message(error_code));
|
|
|
|
}
|
|
|
|
|
|
|
|
bool before_handshake() const
|
|
|
|
{
|
2021-05-28 09:13:32 -04:00
|
|
|
return ssl_.MBEDTLS_PRIVATE(state) == 0;
|
2021-10-14 04:17:24 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
int write(const void *buffer, int len)
|
|
|
|
{
|
|
|
|
int ret = mbedtls_ssl_write(&ssl_, static_cast<const unsigned char *>(buffer), len);
|
|
|
|
if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
|
|
print_error("mbedtls_ssl_write", ret);
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int read(void *buffer, int len)
|
|
|
|
{
|
|
|
|
int ret = mbedtls_ssl_read(&ssl_, static_cast<unsigned char *>(buffer), len);
|
|
|
|
if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ) {
|
|
|
|
print_error("mbedtls_ssl_read", ret);
|
|
|
|
}
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
impl()
|
|
|
|
{
|
|
|
|
const unsigned char pers[] = "asio ssl";
|
|
|
|
mbedtls_ssl_init(&ssl_);
|
|
|
|
mbedtls_ssl_config_init(&conf_);
|
|
|
|
mbedtls_ctr_drbg_init(&ctr_drbg_);
|
|
|
|
#ifdef CONFIG_MBEDTLS_DEBUG
|
|
|
|
mbedtls_esp_enable_debug_log(&conf_, CONFIG_MBEDTLS_DEBUG_LEVEL);
|
|
|
|
#endif
|
|
|
|
mbedtls_entropy_init(&entropy_);
|
|
|
|
mbedtls_ctr_drbg_seed(&ctr_drbg_, mbedtls_entropy_func, &entropy_, pers, sizeof(pers));
|
|
|
|
mbedtls_x509_crt_init(&public_cert_);
|
|
|
|
mbedtls_pk_init(&pk_key_);
|
|
|
|
mbedtls_x509_crt_init(&ca_cert_);
|
|
|
|
}
|
|
|
|
|
|
|
|
bool configure(context *ctx, bool is_client_not_server, int mbedtls_verify_mode)
|
|
|
|
{
|
|
|
|
mbedtls_x509_crt_init(&public_cert_);
|
|
|
|
mbedtls_pk_init(&pk_key_);
|
|
|
|
mbedtls_x509_crt_init(&ca_cert_);
|
|
|
|
int ret = mbedtls_ssl_config_defaults(&conf_, is_client_not_server ? MBEDTLS_SSL_IS_CLIENT: MBEDTLS_SSL_IS_SERVER,
|
|
|
|
MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
|
|
|
|
if (ret) {
|
|
|
|
print_error("mbedtls_ssl_config_defaults", ret);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
mbedtls_ssl_conf_rng(&conf_, mbedtls_ctr_drbg_random, &ctr_drbg_);
|
|
|
|
mbedtls_ssl_conf_authmode(&conf_, mbedtls_verify_mode);
|
|
|
|
if (ctx->cert_chain_.size() > 0 && ctx->private_key_.size() > 0) {
|
|
|
|
ret = mbedtls_x509_crt_parse(&public_cert_, ctx->data(container::CERT), ctx->size(container::CERT));
|
|
|
|
if (ret < 0) {
|
|
|
|
print_error("mbedtls_x509_crt_parse", ret);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
ret = mbedtls_pk_parse_key(&pk_key_, ctx->data(container::PRIVKEY), ctx->size(container::PRIVKEY),
|
2021-05-28 09:13:32 -04:00
|
|
|
nullptr, 0, mbedtls_ctr_drbg_random, &ctr_drbg_);
|
2021-10-14 04:17:24 -04:00
|
|
|
if (ret < 0) {
|
|
|
|
print_error("mbedtls_pk_parse_keyfile", ret);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
ret = mbedtls_ssl_conf_own_cert(&conf_, &public_cert_, &pk_key_);
|
|
|
|
if (ret) {
|
|
|
|
print_error("mbedtls_ssl_conf_own_cert", ret);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ctx->ca_cert_.size() > 0) {
|
|
|
|
ret = mbedtls_x509_crt_parse(&ca_cert_, ctx->data(container::CA_CERT), ctx->size(container::CA_CERT));
|
|
|
|
if (ret < 0) {
|
|
|
|
print_error("mbedtls_x509_crt_parse", ret);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
mbedtls_ssl_conf_ca_chain(&conf_, &ca_cert_, nullptr);
|
|
|
|
} else {
|
|
|
|
mbedtls_ssl_conf_ca_chain(&conf_, nullptr, nullptr);
|
|
|
|
}
|
|
|
|
ret = mbedtls_ssl_setup(&ssl_, &conf_);
|
|
|
|
if (ret) {
|
|
|
|
print_error("mbedtls_ssl_setup", ret);
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
mbedtls_ssl_context ssl_{};
|
|
|
|
mbedtls_entropy_context entropy_{};
|
|
|
|
mbedtls_ctr_drbg_context ctr_drbg_{};
|
|
|
|
mbedtls_ssl_config conf_{};
|
|
|
|
mbedtls_x509_crt public_cert_{};
|
|
|
|
mbedtls_pk_context pk_key_{};
|
|
|
|
mbedtls_x509_crt ca_cert_{};
|
|
|
|
};
|
|
|
|
|
|
|
|
impl impl_{};
|
|
|
|
std::shared_ptr<context> ctx_;
|
|
|
|
std::pair<std::shared_ptr<bio>, std::shared_ptr<bio>> bio_;
|
|
|
|
enum rw_state state_;
|
|
|
|
asio::ssl::verify_mode verify_mode_;
|
|
|
|
};
|
|
|
|
|
|
|
|
} } } // namespace asio::ssl::mbedtls
|