mirror of
https://github.com/espressif/esp-idf.git
synced 2024-10-05 20:47:46 -04:00
openssl: basic support for errors and bio objects
Closes https://github.com/espressif/esp-idf/issues/3406
This commit is contained in:
parent
4a0a331122
commit
bd1e9b5ea7
@ -2,6 +2,8 @@ idf_component_register(SRCS "library/ssl_cert.c"
|
||||
"library/ssl_lib.c"
|
||||
"library/ssl_methods.c"
|
||||
"library/ssl_pkey.c"
|
||||
"library/ssl_bio.c"
|
||||
"library/ssl_err.c"
|
||||
"library/ssl_stack.c"
|
||||
"library/ssl_x509.c"
|
||||
"platform/ssl_pm.c"
|
||||
|
@ -8,6 +8,12 @@ menu "OpenSSL"
|
||||
|
||||
If the option is enabled, "SSL_DEBUG" works.
|
||||
|
||||
config OPENSSL_ERROR_STACK
|
||||
bool "Enable OpenSSL error structure"
|
||||
default y
|
||||
help
|
||||
Enable OpenSSL Error reporting
|
||||
|
||||
config OPENSSL_DEBUG_LEVEL
|
||||
int "OpenSSL debugging level"
|
||||
default 0
|
||||
|
@ -12,8 +12,8 @@ Chapter Introduction
|
||||
====================
|
||||
|
||||
- Chapter 1. SSL Context Method Create
|
||||
- Chapter 2. SSL Context Fucntion
|
||||
- Chapter 3. SSL Fucntion
|
||||
- Chapter 2. SSL Context Function
|
||||
- Chapter 3. SSL Function
|
||||
- Chapter 4. SSL X509 Certification and Private Key Function
|
||||
|
||||
|
||||
|
@ -55,6 +55,52 @@ EVP_PKEY* d2i_PrivateKey(int type,
|
||||
const unsigned char **pp,
|
||||
long length);
|
||||
|
||||
/**
|
||||
* @brief decodes and load a buffer BIO into a EVP key context. If '*a' is pointed to the
|
||||
* private key, then load key into it. Or create a new private key object
|
||||
*
|
||||
* @param bp BIO object containing the key
|
||||
* @param a Pointer to an existing EVP_KEY or NULL if a new key shall be created
|
||||
*
|
||||
* @return Created or updated EVP_PKEY
|
||||
*/
|
||||
EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a);
|
||||
|
||||
/**
|
||||
* @brief Same as d2i_PrivateKey_bio
|
||||
*
|
||||
* @param bp BIO object containing the key
|
||||
* @param a Pointer to an existing EVP_KEY or NULL if a new key shall be created
|
||||
*
|
||||
* @return Created or updated EVP_PKEY
|
||||
*/
|
||||
RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **rsa);
|
||||
|
||||
/**
|
||||
* @brief loads a private key in PEM format from BIO object
|
||||
*
|
||||
* @param bp BIO object containing the key
|
||||
* @param x Pointer to an existent PKEY or NULL if a new key shall be created
|
||||
* @param cb Password callback (not used)
|
||||
* @param u User context (not used)
|
||||
*
|
||||
* @return Created or updated EVP_PKEY
|
||||
*/
|
||||
EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **x, pem_password_cb *cb, void *u);
|
||||
|
||||
/**
|
||||
* @brief RSA key in PEM format from BIO object
|
||||
*
|
||||
* @param bp BIO object containing the key
|
||||
* @param x Pointer to an existent PKEY or NULL if a new key shall be created
|
||||
* @param cb Password callback (not used)
|
||||
* @param u User context (not used)
|
||||
*
|
||||
* @return Created or updated EVP_PKEY
|
||||
*/
|
||||
|
||||
RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **rsa, pem_password_cb *cb, void *u);
|
||||
|
||||
/**
|
||||
* @brief free a private key object
|
||||
*
|
||||
|
@ -17,6 +17,49 @@
|
||||
} \
|
||||
|
||||
#define DEFINE_STACK_OF(t) SKM_DEFINE_STACK_OF(t, t, t)
|
||||
typedef struct asn1_string_st ASN1_OCTET_STRING;
|
||||
|
||||
struct stack_st_GENERAL_NAME;
|
||||
typedef struct GENERAL_NAME_st {
|
||||
int type;
|
||||
union {
|
||||
char *ptr;
|
||||
struct asn1_string_st* dNSName;
|
||||
ASN1_OCTET_STRING* iPAddress;
|
||||
} d;
|
||||
} GENERAL_NAME;
|
||||
|
||||
typedef struct asn1_string_st ASN1_OCTET_STRING;
|
||||
typedef struct X509_name_st X509_NAME;
|
||||
typedef struct asn1_string_st ASN1_STRING;
|
||||
typedef struct X509_name_entry_st X509_NAME_ENTRY;
|
||||
|
||||
typedef struct asn1_string_st {
|
||||
int type;
|
||||
int length;
|
||||
void *data;
|
||||
} ASN1_IA5STRING;
|
||||
|
||||
typedef STACK_OF(GENERAL_NAME) GENERAL_NAMES;
|
||||
|
||||
/**
|
||||
* @brief get nr of stack items
|
||||
*
|
||||
* @param sk Stack structure pointer
|
||||
*
|
||||
* @return number of items in the stack
|
||||
*/
|
||||
size_t sk_GENERAL_NAME_num(const struct stack_st_GENERAL_NAME *sk);
|
||||
|
||||
/**
|
||||
* @brief get GENERAL_NAME value from the stack
|
||||
*
|
||||
* @param sk Stack structure pointer
|
||||
* @param i Index to stack item
|
||||
*
|
||||
* @return GENERAL_NAME object pointer
|
||||
*/
|
||||
GENERAL_NAME *sk_GENERAL_NAME_value(const struct stack_st_GENERAL_NAME *sk, size_t i);
|
||||
|
||||
/**
|
||||
* @brief create a openssl stack object
|
||||
|
@ -20,6 +20,7 @@
|
||||
#endif
|
||||
|
||||
#include "ssl_code.h"
|
||||
#include <stddef.h>
|
||||
|
||||
typedef void SSL_CIPHER;
|
||||
|
||||
@ -30,6 +31,8 @@ typedef void RSA;
|
||||
|
||||
typedef void STACK;
|
||||
|
||||
typedef void DH;
|
||||
|
||||
#define ossl_inline inline
|
||||
|
||||
#define SSL_METHOD_CALL(f, s, ...) s->method->func->ssl_##f(s, ##__VA_ARGS__)
|
||||
@ -37,7 +40,7 @@ typedef void STACK;
|
||||
#define EVP_PKEY_METHOD_CALL(f, k, ...) k->method->pkey_##f(k, ##__VA_ARGS__)
|
||||
|
||||
typedef int (*OPENSSL_sk_compfunc)(const void *, const void *);
|
||||
|
||||
typedef int (*openssl_verify_callback)(int, X509_STORE_CTX *);
|
||||
struct stack_st;
|
||||
typedef struct stack_st OPENSSL_STACK;
|
||||
|
||||
@ -100,6 +103,8 @@ struct evp_pkey_st {
|
||||
void *pkey_pm;
|
||||
|
||||
const PKEY_METHOD *method;
|
||||
|
||||
int ref_counter;
|
||||
};
|
||||
|
||||
struct x509_st {
|
||||
@ -152,8 +157,16 @@ struct X509_VERIFY_PARAM_st {
|
||||
};
|
||||
|
||||
struct bio_st {
|
||||
const unsigned char * data;
|
||||
|
||||
unsigned char * data;
|
||||
int dlen;
|
||||
BIO* peer;
|
||||
size_t offset;
|
||||
size_t roffset;
|
||||
size_t size;
|
||||
size_t flags;
|
||||
size_t type;
|
||||
|
||||
};
|
||||
|
||||
typedef enum { ALPN_INIT, ALPN_ENABLE, ALPN_DISABLE, ALPN_ERROR } ALPN_STATUS;
|
||||
@ -166,6 +179,9 @@ struct ssl_alpn_st {
|
||||
const char *alpn_list[ALPN_LIST_MAX];
|
||||
};
|
||||
|
||||
typedef int pem_password_cb(char *buf, int size, int rwflag, void *userdata);
|
||||
|
||||
|
||||
struct ssl_ctx_st
|
||||
{
|
||||
int version;
|
||||
@ -193,6 +209,16 @@ struct ssl_ctx_st
|
||||
int read_buffer_len;
|
||||
|
||||
X509_VERIFY_PARAM param;
|
||||
|
||||
void *default_passwd_callback_userdata;
|
||||
|
||||
pem_password_cb *default_passwd_callback;
|
||||
|
||||
struct stack_st_X509 *extra_certs;
|
||||
|
||||
int max_version;
|
||||
int min_version;
|
||||
|
||||
};
|
||||
|
||||
struct ssl_st
|
||||
@ -236,6 +262,7 @@ struct ssl_st
|
||||
|
||||
/* SSL low-level system arch point */
|
||||
void *ssl_pm;
|
||||
void *bio;
|
||||
};
|
||||
|
||||
struct ssl_method_st {
|
||||
@ -299,6 +326,13 @@ struct pkey_method_st {
|
||||
int (*pkey_load)(EVP_PKEY *pkey, const unsigned char *buf, int len);
|
||||
};
|
||||
|
||||
struct bio_method_st {
|
||||
|
||||
unsigned type;
|
||||
|
||||
unsigned size;
|
||||
};
|
||||
|
||||
|
||||
typedef int (*next_proto_cb)(SSL *ssl, unsigned char **out,
|
||||
unsigned char *outlen, const unsigned char *in,
|
||||
|
@ -114,23 +114,6 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d);
|
||||
*/
|
||||
int X509_STORE_add_cert(X509_STORE *store, X509 *x);
|
||||
|
||||
/**
|
||||
* @brief load data in BIO
|
||||
*
|
||||
* Normally BIO_write should append data but that doesn't happen here, and
|
||||
* 'data' cannot be freed after the function is called, it should remain valid
|
||||
* until BIO object is in use.
|
||||
*
|
||||
* @param b - pointer to BIO
|
||||
* @param data - pointer to data
|
||||
* @param dlen - data bytes
|
||||
*
|
||||
* @return result
|
||||
* 0 : failed
|
||||
* 1 : OK
|
||||
*/
|
||||
int BIO_write(BIO *b, const void *data, int dlen);
|
||||
|
||||
/**
|
||||
* @brief load a character certification context into system context.
|
||||
*
|
||||
@ -145,28 +128,22 @@ int BIO_write(BIO *b, const void *data, int dlen);
|
||||
*
|
||||
* @return X509 certification object point
|
||||
*/
|
||||
X509 * PEM_read_bio_X509(BIO *bp, X509 **x, void *cb, void *u);
|
||||
X509 * PEM_read_bio_X509(BIO *bp, X509 **x, pem_password_cb cb, void *u);
|
||||
|
||||
/**
|
||||
* @brief create a BIO object
|
||||
*
|
||||
* @param method - pointer to BIO_METHOD
|
||||
* @brief load a character certification context into system context.
|
||||
*
|
||||
* @return pointer to BIO object
|
||||
*/
|
||||
BIO *BIO_new(void * method);
|
||||
|
||||
/**
|
||||
* @brief get the memory BIO method function
|
||||
*/
|
||||
void *BIO_s_mem(void);
|
||||
|
||||
/**
|
||||
* @brief free a BIO object
|
||||
* Current implementation directly calls PEM_read_bio_X509
|
||||
*
|
||||
* @param x - pointer to BIO object
|
||||
* @param bp - pointer to BIO
|
||||
* @param buffer - pointer to the certification context memory
|
||||
* @param cb - pointer to the callback (not implemented)
|
||||
* @param u - pointer to arbitrary data (not implemented)
|
||||
*
|
||||
* @return X509 certification object point
|
||||
*/
|
||||
void BIO_free(BIO *b);
|
||||
X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **cert, pem_password_cb *cb, void *u);
|
||||
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
179
components/openssl/include/openssl/bio.h
Normal file
179
components/openssl/include/openssl/bio.h
Normal file
@ -0,0 +1,179 @@
|
||||
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#ifndef _OPENSSL_BIO_H
|
||||
#define _OPENSSL_BIO_H
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/* These are the 'types' of BIOs */
|
||||
#define BIO_TYPE_NONE 0
|
||||
#define BIO_TYPE_MEM (1 | 0x0400)
|
||||
#define BIO_TYPE_BIO (19 | 0x0400) /* (half a) BIO pair */
|
||||
|
||||
/* Bio object flags */
|
||||
#define BIO_FLAGS_READ 0x01
|
||||
#define BIO_FLAGS_WRITE 0x02
|
||||
|
||||
#define BIO_should_read(a) BIO_test_flags(a, BIO_FLAGS_READ)
|
||||
#define BIO_should_write(a) BIO_test_flags(a, BIO_FLAGS_WRITE)
|
||||
|
||||
typedef struct bio_st BIO;
|
||||
typedef struct bio_method_st BIO_METHOD;
|
||||
|
||||
/**
|
||||
* @brief Create a BIO object as a file type
|
||||
* Current implementation return NULL as file types are discouraged on ESP platform
|
||||
*
|
||||
* @param filename Filename
|
||||
* @param mode Mode
|
||||
*
|
||||
* @return BIO object
|
||||
*/
|
||||
BIO *BIO_new_file(const char *filename, const char *mode);
|
||||
|
||||
/**
|
||||
* @brief Create a BIO object as a membuf type
|
||||
* Current implementation takes a shallow copy of the buffer
|
||||
*
|
||||
* @param buf Pointer to the buffer
|
||||
* @param len Length of the buffer
|
||||
*
|
||||
* @return BIO object
|
||||
*/
|
||||
BIO *BIO_new_mem_buf(void *buf, int len);
|
||||
|
||||
/**
|
||||
* @brief create a BIO object
|
||||
*
|
||||
* @param method - pointer to BIO_METHOD
|
||||
*
|
||||
* @return pointer to BIO object
|
||||
*/
|
||||
BIO *BIO_new(BIO_METHOD * method);
|
||||
|
||||
/**
|
||||
* @brief get the memory BIO method function
|
||||
*/
|
||||
void *BIO_s_mem(void);
|
||||
|
||||
/**
|
||||
* @brief free a BIO object
|
||||
*
|
||||
* @param x - pointer to BIO object
|
||||
*/
|
||||
void BIO_free(BIO *b);
|
||||
|
||||
/**
|
||||
* @brief Create a connected pair of BIOs bio1, bio2 with write buffer sizes writebuf1 and writebuf2
|
||||
*
|
||||
* @param out1 pointer to BIO1
|
||||
* @param writebuf1 write size of BIO1 (0 means default size will be used)
|
||||
* @param out2 pointer to BIO2
|
||||
* @param writebuf2 write size of BIO2 (0 means default size will be used)
|
||||
*
|
||||
* @return result
|
||||
* 0 : failed
|
||||
* 1 : OK
|
||||
*/
|
||||
int BIO_new_bio_pair(BIO **out1, size_t writebuf1, BIO **out2, size_t writebuf2);
|
||||
|
||||
/**
|
||||
* @brief Write data to BIO
|
||||
*
|
||||
* BIO_TYPE_BIO behaves the same way as OpenSSL bio object, other BIO types mock
|
||||
* this functionality to avoid excessive allocation/copy, so the 'data' cannot
|
||||
* be freed after the function is called, it should remain valid until BIO object is in use.
|
||||
*
|
||||
* @param b - pointer to BIO
|
||||
* @param data - pointer to data
|
||||
* @param dlen - data bytes
|
||||
*
|
||||
* @return result
|
||||
* -1, 0 : failed
|
||||
* 1 : OK
|
||||
*/
|
||||
int BIO_write(BIO *b, const void *data, int dlen);
|
||||
|
||||
/**
|
||||
* @brief Read data from BIO
|
||||
*
|
||||
* BIO_TYPE_BIO behaves the same way as OpenSSL bio object.
|
||||
* Other types just hold pointer
|
||||
*
|
||||
* @param b - pointer to BIO
|
||||
* @param data - pointer to data
|
||||
* @param dlen - data bytes
|
||||
*
|
||||
* @return result
|
||||
* -1, 0 : failed
|
||||
* 1 : OK
|
||||
*/
|
||||
int BIO_read(BIO *bio, void *data, int len);
|
||||
|
||||
/**
|
||||
* @brief Get number of pending characters in the BIOs write buffers.
|
||||
*
|
||||
* @param b Pointer to BIO
|
||||
*
|
||||
* @return Amount of pending data
|
||||
*/
|
||||
size_t BIO_wpending(const BIO *bio);
|
||||
|
||||
/**
|
||||
* @brief Get number of pending characters in the BIOs read buffers.
|
||||
*
|
||||
* @param b Pointer to BIO
|
||||
*
|
||||
* @return Amount of pending data
|
||||
*/
|
||||
size_t BIO_ctrl_pending(const BIO *bio);
|
||||
|
||||
/**
|
||||
* @brief Get the maximum length of data that can be currently written to the BIO
|
||||
*
|
||||
* @param b Pointer to BIO
|
||||
*
|
||||
* @return Max length of writable data
|
||||
*/
|
||||
size_t BIO_ctrl_get_write_guarantee(BIO *bio);
|
||||
|
||||
/**
|
||||
* @brief Returns the type of a BIO.
|
||||
*
|
||||
* @param b Pointer to BIO
|
||||
*
|
||||
* @return Type of the BIO object
|
||||
*/
|
||||
int BIO_method_type(const BIO *b);
|
||||
|
||||
/**
|
||||
* @brief Test flags of a BIO.
|
||||
*
|
||||
* @param b Pointer to BIO
|
||||
* @param flags Flags
|
||||
*
|
||||
* @return BIO object flags masked with the supplied flags
|
||||
*/
|
||||
int BIO_test_flags(const BIO *b, int flags);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif //_OPENSSL_BIO_H
|
228
components/openssl/include/openssl/openssl_err.h
Normal file
228
components/openssl/include/openssl/openssl_err.h
Normal file
@ -0,0 +1,228 @@
|
||||
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#ifndef _OPENSSL_ERR_H
|
||||
#define _OPENSSL_ERR_H
|
||||
|
||||
#include <stdint.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
/**
|
||||
* @note This file contains a very simple implementation of error stack provided
|
||||
* OpenSSL library. It is OFF by default.
|
||||
*/
|
||||
|
||||
#define OPENSSL_PUT_SYSTEM_ERROR() \
|
||||
ERR_put_error(ERR_LIB_SYS, 0, 0, __FILE__, __LINE__);
|
||||
|
||||
#define OPENSSL_PUT_LIB_ERROR(lib, code) \
|
||||
ERR_put_error(lib, 0, code, __FILE__, __LINE__);
|
||||
|
||||
#define ERR_GET_LIB(packed_error) ((int)(((packed_error) >> 24) & 0xff))
|
||||
#define ERR_GET_REASON(packed_error) ((int)((packed_error) & 0xffff))
|
||||
#define ERR_R_PEM_LIB ERR_LIB_PEM
|
||||
/* inherent openssl errors */
|
||||
# define ERR_R_FATAL 64
|
||||
# define ERR_R_MALLOC_FAILURE (1|ERR_R_FATAL)
|
||||
# define ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED (2|ERR_R_FATAL)
|
||||
# define ERR_R_PASSED_NULL_PARAMETER (3|ERR_R_FATAL)
|
||||
# define ERR_R_INTERNAL_ERROR (4|ERR_R_FATAL)
|
||||
# define ERR_R_DISABLED (5|ERR_R_FATAL)
|
||||
# define ERR_R_INIT_FAIL (6|ERR_R_FATAL)
|
||||
# define ERR_R_PASSED_INVALID_ARGUMENT (7)
|
||||
# define ERR_R_OPERATION_FAIL (8|ERR_R_FATAL)
|
||||
# define ERR_R_INVALID_PROVIDER_FUNCTIONS (9|ERR_R_FATAL)
|
||||
# define ERR_R_INTERRUPTED_OR_CANCELLED (10)
|
||||
|
||||
enum {
|
||||
ERR_LIB_NONE = 1,
|
||||
ERR_LIB_SYS,
|
||||
ERR_LIB_BN,
|
||||
ERR_LIB_RSA,
|
||||
ERR_LIB_DH,
|
||||
ERR_LIB_EVP,
|
||||
ERR_LIB_BUF,
|
||||
ERR_LIB_OBJ,
|
||||
ERR_LIB_PEM,
|
||||
ERR_LIB_DSA,
|
||||
ERR_LIB_X509,
|
||||
ERR_LIB_ASN1,
|
||||
ERR_LIB_CONF,
|
||||
ERR_LIB_CRYPTO,
|
||||
ERR_LIB_EC,
|
||||
ERR_LIB_SSL,
|
||||
ERR_LIB_BIO,
|
||||
ERR_LIB_PKCS7,
|
||||
ERR_LIB_PKCS8,
|
||||
ERR_LIB_X509V3,
|
||||
ERR_LIB_RAND,
|
||||
ERR_LIB_ENGINE,
|
||||
ERR_LIB_OCSP,
|
||||
ERR_LIB_UI,
|
||||
ERR_LIB_COMP,
|
||||
ERR_LIB_ECDSA,
|
||||
ERR_LIB_ECDH,
|
||||
ERR_LIB_HMAC,
|
||||
ERR_LIB_DIGEST,
|
||||
ERR_LIB_CIPHER,
|
||||
ERR_LIB_HKDF,
|
||||
ERR_LIB_USER,
|
||||
ERR_NUM_LIBS
|
||||
};
|
||||
|
||||
/**
|
||||
* @brief clear the SSL error code
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return none
|
||||
*/
|
||||
void ERR_clear_error(void);
|
||||
|
||||
/**
|
||||
* @brief get the current SSL error code
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_get_error(void);
|
||||
|
||||
/**
|
||||
* @brief peek the current SSL error code, not clearing it
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_peek_error(void);
|
||||
|
||||
/**
|
||||
* @brief peek the last SSL error code, not clearing it
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_peek_last_error(void);
|
||||
|
||||
/**
|
||||
* @brief register the SSL error strings
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return none
|
||||
*/
|
||||
void ERR_load_SSL_strings(void);
|
||||
|
||||
/**
|
||||
* @brief clear the SSL error code
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return none
|
||||
*/
|
||||
void ERR_clear_error(void);
|
||||
|
||||
/**
|
||||
* @brief peek the current SSL error code, not clearing it
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_peek_error(void);
|
||||
|
||||
/**
|
||||
* @brief peek the last SSL error code, not clearing it
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_peek_last_error(void);
|
||||
|
||||
/**
|
||||
* @brief capture the current error to the error structure
|
||||
*
|
||||
* @param library Related library
|
||||
* @param unused Not used (used for compliant function prototype)
|
||||
* @param reason The actual error code
|
||||
* @param file File name of the error report
|
||||
* @param line Line number of the error report
|
||||
*
|
||||
*/
|
||||
void ERR_put_error(int library, int unused, int reason, const char *file, unsigned line);
|
||||
|
||||
/**
|
||||
* @brief Peek the current SSL error, not clearing it
|
||||
*
|
||||
* @param file file name of the reported error
|
||||
* @param line line number of the reported error
|
||||
* @param data Associated data to the reported error
|
||||
* @param flags Flags associated to the error
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_peek_error_line_data(const char **file, int *line,
|
||||
const char **data, int *flags);
|
||||
|
||||
/**
|
||||
* @brief Get the current SSL error
|
||||
*
|
||||
* @param file file name of the reported error
|
||||
* @param line line number of the reported error
|
||||
* @param data Associated data to the reported error
|
||||
* @param flags Flags associated to the error
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
uint32_t ERR_get_error_line_data(const char **file, int *line,
|
||||
const char **data, int *flags);
|
||||
|
||||
/**
|
||||
* @brief API provided as a declaration only
|
||||
*
|
||||
*/
|
||||
void SSL_load_error_strings(void);
|
||||
|
||||
/**
|
||||
* @brief API provided as a declaration only
|
||||
*
|
||||
*/
|
||||
void ERR_free_strings(void);
|
||||
|
||||
/**
|
||||
* @brief API provided as a declaration only
|
||||
*
|
||||
*/
|
||||
void ERR_remove_state(unsigned long pid);
|
||||
|
||||
/**
|
||||
* @brief Returns error string -- Not implemented
|
||||
*
|
||||
* @param packed_error Packed error code
|
||||
*
|
||||
* @return NULL
|
||||
*/
|
||||
const char *ERR_reason_error_string(uint32_t packed_error);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif // _OPENSSL_ERR_H
|
@ -21,6 +21,8 @@
|
||||
|
||||
#include "internal/ssl_x509.h"
|
||||
#include "internal/ssl_pkey.h"
|
||||
#include "openssl/bio.h"
|
||||
#include "openssl/openssl_err.h"
|
||||
|
||||
/*
|
||||
{
|
||||
@ -297,6 +299,67 @@ const SSL_METHOD* SSLv3_server_method(void);
|
||||
*/
|
||||
const SSL_METHOD* TLS_server_method(void);
|
||||
|
||||
/**
|
||||
* @brief create the target SSL context method
|
||||
*
|
||||
* @return the TLS any version SSL context method
|
||||
*/
|
||||
const SSL_METHOD* TLS_method(void);
|
||||
|
||||
/**
|
||||
* @brief create the target SSL context method
|
||||
*
|
||||
* @return the TLS1.2 version SSL context method
|
||||
*/
|
||||
const SSL_METHOD* TLSv1_2_method(void);
|
||||
|
||||
/**
|
||||
* @brief create the target SSL context method
|
||||
*
|
||||
* @return the TLS1.1 version SSL context method
|
||||
*/
|
||||
const SSL_METHOD* TLSv1_1_method(void);
|
||||
|
||||
/**
|
||||
* @brief create the target SSL context method
|
||||
*
|
||||
* @return the TLS1.0 version SSL context method
|
||||
*/
|
||||
const SSL_METHOD* TLSv1_method(void);
|
||||
|
||||
/**
|
||||
* @brief create the target SSL context method
|
||||
*
|
||||
* @return the SSLV3.0 version SSL context method
|
||||
*/
|
||||
const SSL_METHOD* SSLv3_method(void);
|
||||
|
||||
/**
|
||||
* @brief create the target SSL context method
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return the SSLV2.3 version SSL context method
|
||||
*/
|
||||
const SSL_METHOD* SSLv23_method(void);
|
||||
|
||||
/**
|
||||
* @brief Set minimum protocol version for defined context
|
||||
*
|
||||
* @param ctx SSL context
|
||||
*
|
||||
* @return 1 on success
|
||||
*/
|
||||
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version);
|
||||
|
||||
/**
|
||||
* @brief Set maximum protocol version for defined context
|
||||
*
|
||||
* @param ctx SSL context
|
||||
*
|
||||
* @return 1 on success
|
||||
*/
|
||||
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version);
|
||||
|
||||
/**
|
||||
* @brief set the SSL context ALPN select callback function
|
||||
@ -348,43 +411,6 @@ void SSL_CTX_set_next_proto_select_cb(SSL_CTX *ctx,
|
||||
void *arg),
|
||||
void *arg);
|
||||
|
||||
/**
|
||||
* @brief get SSL error code
|
||||
*
|
||||
* @param ssl - SSL point
|
||||
* @param ret_code - SSL return code
|
||||
*
|
||||
* @return SSL error number
|
||||
*/
|
||||
int SSL_get_error(const SSL *ssl, int ret_code);
|
||||
|
||||
/**
|
||||
* @brief clear the SSL error code
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return none
|
||||
*/
|
||||
void ERR_clear_error(void);
|
||||
|
||||
/**
|
||||
* @brief get the current SSL error code
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return current SSL error number
|
||||
*/
|
||||
int ERR_get_error(void);
|
||||
|
||||
/**
|
||||
* @brief register the SSL error strings
|
||||
*
|
||||
* @param none
|
||||
*
|
||||
* @return none
|
||||
*/
|
||||
void ERR_load_SSL_strings(void);
|
||||
|
||||
/**
|
||||
* @brief initialize the SSL library
|
||||
*
|
||||
@ -1399,7 +1425,17 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl);
|
||||
*
|
||||
* @return application data
|
||||
*/
|
||||
char *SSL_get_app_data(SSL *ssl);
|
||||
void *SSL_get_app_data(SSL *ssl);
|
||||
|
||||
/**
|
||||
* @brief get SSL error code
|
||||
*
|
||||
* @param ssl - SSL point
|
||||
* @param ret_code - SSL return code
|
||||
*
|
||||
* @return SSL error number
|
||||
*/
|
||||
int SSL_get_error(const SSL *ssl, int ret_code);
|
||||
|
||||
/**
|
||||
* @brief get SSL cipher bits
|
||||
@ -1667,7 +1703,7 @@ void SSL_set_accept_state(SSL *ssl);
|
||||
*
|
||||
* @return none
|
||||
*/
|
||||
void SSL_set_app_data(SSL *ssl, char *arg);
|
||||
void SSL_set_app_data(SSL *ssl, void *arg);
|
||||
|
||||
/**
|
||||
* @brief set SSL BIO
|
||||
@ -1756,7 +1792,7 @@ void SSL_set_timeout(SSL *ssl, long t);
|
||||
*
|
||||
* @return SSL statement string
|
||||
*/
|
||||
char *SSL_state_string(const SSL *ssl);
|
||||
const char *SSL_state_string(const SSL *ssl);
|
||||
|
||||
/**
|
||||
* @brief get SSL statement long string
|
||||
@ -1815,6 +1851,43 @@ const char *SSL_get_psk_identity_hint(SSL *ssl);
|
||||
*/
|
||||
const char *SSL_get_psk_identity(SSL *ssl);
|
||||
|
||||
/**
|
||||
* @brief set the SSL verify depth of the SSL
|
||||
*
|
||||
* @param ssl - SSL context
|
||||
* @param depth - Depth level to verify
|
||||
*
|
||||
*/
|
||||
void SSL_set_verify_depth(SSL *ssl, int depth);
|
||||
|
||||
/**
|
||||
* @brief Get default verify callback
|
||||
*
|
||||
* @param ctx - SSL context
|
||||
* @return verify_callback - verifying callback function
|
||||
*
|
||||
*/
|
||||
openssl_verify_callback SSL_CTX_get_verify_callback(const SSL_CTX *ctx);
|
||||
|
||||
/**
|
||||
* @brief Get default verify callback
|
||||
*
|
||||
* @param ctx - SSL context
|
||||
* @return verify_callback - verifying callback function
|
||||
*
|
||||
*/
|
||||
openssl_verify_callback SSL_get_verify_callback(const SSL *s);
|
||||
|
||||
/**
|
||||
* @brief Frees RSA object
|
||||
*
|
||||
* Current implementation calls directly EVP_PKEY free
|
||||
*
|
||||
* @param r RSA object
|
||||
*
|
||||
*/
|
||||
void RSA_free(RSA *r);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
210
components/openssl/library/ssl_bio.c
Normal file
210
components/openssl/library/ssl_bio.c
Normal file
@ -0,0 +1,210 @@
|
||||
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#include "ssl_lib.h"
|
||||
#include "openssl/bio.h"
|
||||
#include "ssl_dbg.h"
|
||||
#include "openssl/openssl_err.h"
|
||||
|
||||
#define DEFAULT_BIO_SIZE 1024
|
||||
|
||||
BIO *BIO_new_mem_buf(void *buf, int len)
|
||||
{
|
||||
BIO_METHOD m = { .type = BIO_TYPE_MEM, .size = 0 };
|
||||
BIO *b = BIO_new(&m);
|
||||
if (b) {
|
||||
b->dlen = len;
|
||||
b->data = buf;
|
||||
}
|
||||
return b;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief create a BIO object
|
||||
*/
|
||||
BIO *BIO_new(BIO_METHOD * method)
|
||||
{
|
||||
BIO *b = (BIO *)ssl_mem_zalloc(sizeof(BIO));
|
||||
if (!b) {
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
if (method) {
|
||||
b->size = method->size;
|
||||
b->type = method->type;
|
||||
} else {
|
||||
b->type = BIO_TYPE_NONE;
|
||||
}
|
||||
if ((b->type & BIO_TYPE_BIO) && b->size) {
|
||||
b->data = ssl_mem_zalloc(b->size);
|
||||
if (!b->data) {
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_BIO, ERR_R_MALLOC_FAILURE);
|
||||
goto err;
|
||||
}
|
||||
}
|
||||
return b;
|
||||
|
||||
err:
|
||||
if (b && (b->type&BIO_TYPE_BIO)) {
|
||||
ssl_mem_free(b->data);
|
||||
}
|
||||
ssl_mem_free(b);
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief free a BIO object
|
||||
*/
|
||||
void BIO_free(BIO *b)
|
||||
{
|
||||
if (b && (b->type&BIO_TYPE_BIO)) {
|
||||
ssl_mem_free(b->data);
|
||||
}
|
||||
ssl_mem_free(b);
|
||||
}
|
||||
|
||||
int BIO_new_bio_pair(BIO **out1, size_t writebuf1, BIO **out2, size_t writebuf2)
|
||||
{
|
||||
BIO *bio1 = NULL;
|
||||
BIO *bio2 = NULL;
|
||||
if (!writebuf1) {
|
||||
writebuf1 = DEFAULT_BIO_SIZE;
|
||||
}
|
||||
if (!writebuf2) {
|
||||
writebuf2 = DEFAULT_BIO_SIZE;
|
||||
}
|
||||
BIO_METHOD m1 = {
|
||||
.size = writebuf1,
|
||||
.type = BIO_TYPE_BIO,
|
||||
};
|
||||
BIO_METHOD m2 = {
|
||||
.size = writebuf1,
|
||||
.type = BIO_TYPE_BIO,
|
||||
};
|
||||
bio1 = BIO_new(&m1);
|
||||
if (!bio1) {
|
||||
goto err;
|
||||
}
|
||||
bio2 = BIO_new(&m2);
|
||||
if (!bio2) {
|
||||
goto err;
|
||||
}
|
||||
*out1 = bio1;
|
||||
*out2 = bio2;
|
||||
bio1->peer = bio2;
|
||||
bio1->size = writebuf1;
|
||||
bio2->peer = bio1;
|
||||
bio2->size = writebuf2;
|
||||
return 1;
|
||||
|
||||
err:
|
||||
if (bio1)
|
||||
{
|
||||
BIO_free(bio1);
|
||||
*out1 = NULL;
|
||||
}
|
||||
if (bio2)
|
||||
{
|
||||
BIO_free(bio2);
|
||||
*out2 = NULL;
|
||||
}
|
||||
return 0;
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief get the memory BIO method function
|
||||
*/
|
||||
void *BIO_s_mem(void)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int BIO_method_type(const BIO *b)
|
||||
{
|
||||
SSL_ASSERT1(b);
|
||||
return b->type;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief load data into BIO.
|
||||
*
|
||||
*/
|
||||
int BIO_write(BIO *b, const void * data, int dlen)
|
||||
{
|
||||
SSL_ASSERT1(b);
|
||||
int remaining = b->size - b->offset;
|
||||
if (remaining <= 0) {
|
||||
b->flags |= BIO_FLAGS_WRITE;
|
||||
return -1;
|
||||
}
|
||||
int len_to_write = dlen > remaining?remaining:dlen;
|
||||
memcpy(b->data + b->offset, data, len_to_write);
|
||||
b->offset += len_to_write;
|
||||
b->dlen = b->offset;
|
||||
if (len_to_write == dlen) {
|
||||
b->flags &= ~BIO_FLAGS_WRITE;
|
||||
}
|
||||
return len_to_write;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief Read from BIO.
|
||||
*
|
||||
*/
|
||||
int BIO_read(BIO *bio, void *data, int len)
|
||||
{
|
||||
SSL_ASSERT1(bio);
|
||||
BIO *peer = bio->peer;
|
||||
int remaining = peer->dlen - peer->roffset;
|
||||
if (remaining <= 0) {
|
||||
bio->flags |= BIO_FLAGS_READ;
|
||||
return -1;
|
||||
}
|
||||
int len_to_read = remaining > len ? len : remaining;
|
||||
memcpy(data, peer->data + peer->roffset, len_to_read);
|
||||
peer->roffset += len_to_read;
|
||||
if (len_to_read == len) {
|
||||
bio->flags &= ~BIO_FLAGS_READ;
|
||||
}
|
||||
if (peer->offset) {
|
||||
// shift data back to the beginning of the buffer
|
||||
memmove(peer->data, peer->data+peer->roffset, peer->offset - peer->roffset);
|
||||
peer->offset -= peer->roffset;
|
||||
peer->roffset = 0;
|
||||
peer->dlen = peer->offset;
|
||||
}
|
||||
return len_to_read;
|
||||
}
|
||||
|
||||
size_t BIO_wpending(const BIO *bio)
|
||||
{
|
||||
return bio->dlen - bio->roffset;
|
||||
}
|
||||
|
||||
size_t BIO_ctrl_pending(const BIO *bio)
|
||||
{
|
||||
return bio->peer->dlen - bio->peer->roffset;
|
||||
}
|
||||
|
||||
size_t BIO_ctrl_get_write_guarantee(BIO *b)
|
||||
{
|
||||
return (long)b->size - b->dlen;
|
||||
}
|
||||
|
||||
int BIO_test_flags(const BIO *b, int flags)
|
||||
{
|
||||
return (b->flags & flags);
|
||||
}
|
||||
|
120
components/openssl/library/ssl_err.c
Normal file
120
components/openssl/library/ssl_err.c
Normal file
@ -0,0 +1,120 @@
|
||||
// Copyright 2020 Espressif Systems (Shanghai) PTE LTD
|
||||
//
|
||||
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||
// you may not use this file except in compliance with the License.
|
||||
// You may obtain a copy of the License at
|
||||
|
||||
// http://www.apache.org/licenses/LICENSE-2.0
|
||||
//
|
||||
// Unless required by applicable law or agreed to in writing, software
|
||||
// distributed under the License is distributed on an "AS IS" BASIS,
|
||||
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
// See the License for the specific language governing permissions and
|
||||
// limitations under the License.
|
||||
|
||||
#include "ssl_dbg.h"
|
||||
|
||||
struct err_error_st {
|
||||
/* file contains the filename where the error occurred. */
|
||||
const char *file;
|
||||
/* packed contains the error library and reason, as packed by ERR_PACK. */
|
||||
uint32_t packed;
|
||||
/* line contains the line number where the error occurred. */
|
||||
uint32_t line;
|
||||
};
|
||||
|
||||
#define ERR_NUM_ERRORS 4
|
||||
|
||||
typedef struct err_state_st {
|
||||
/* errors contains the ERR_NUM_ERRORS most recent errors, organised as a ring
|
||||
* buffer. */
|
||||
struct err_error_st errors[ERR_NUM_ERRORS];
|
||||
/* top contains the index one past the most recent error. If |top| equals
|
||||
* |bottom| then the queue is empty. */
|
||||
unsigned top;
|
||||
/* bottom contains the index of the last error in the queue. */
|
||||
unsigned bottom;
|
||||
} ERR_STATE;
|
||||
|
||||
#if CONFIG_OPENSSL_ERROR_STACK
|
||||
static ERR_STATE s_err_state = { 0 };
|
||||
#endif
|
||||
|
||||
void ERR_clear_error(void)
|
||||
{
|
||||
#if CONFIG_OPENSSL_ERROR_STACK
|
||||
memset(&s_err_state.errors[0], 0, sizeof(struct err_state_st));
|
||||
s_err_state.top = s_err_state.bottom = 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
static uint32_t ERR_get_peek_error_internal(const char **file, int *line, bool peak)
|
||||
{
|
||||
#if CONFIG_OPENSSL_ERROR_STACK
|
||||
if (s_err_state.top == s_err_state.bottom) {
|
||||
return 0;
|
||||
}
|
||||
unsigned new_bottom = (s_err_state.bottom + 1) % ERR_NUM_ERRORS;
|
||||
int err = s_err_state.errors[new_bottom].packed;
|
||||
|
||||
if (file) {
|
||||
*file = s_err_state.errors[new_bottom].file;
|
||||
}
|
||||
if (line) {
|
||||
*line = s_err_state.errors[new_bottom].line;
|
||||
}
|
||||
|
||||
if (peak == false) {
|
||||
memset(&s_err_state.errors[new_bottom], 0, sizeof(struct err_error_st));
|
||||
s_err_state.bottom = new_bottom;
|
||||
}
|
||||
|
||||
return err;
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
}
|
||||
|
||||
uint32_t ERR_get_error(void)
|
||||
{
|
||||
return ERR_get_peek_error_internal(NULL, NULL, false);
|
||||
}
|
||||
|
||||
uint32_t ERR_peek_error(void)
|
||||
{
|
||||
return ERR_get_peek_error_internal(NULL, NULL, true);
|
||||
}
|
||||
|
||||
uint32_t ERR_peek_last_error(void)
|
||||
{
|
||||
return ERR_get_peek_error_internal(NULL, NULL, true);
|
||||
}
|
||||
|
||||
uint32_t ERR_peek_error_line_data(const char **file, int *line, const char **data, int *flags)
|
||||
{
|
||||
return ERR_get_peek_error_internal(file, line, true);
|
||||
}
|
||||
|
||||
uint32_t ERR_get_error_line_data(const char **file, int *line, const char **data, int *flags)
|
||||
{
|
||||
return ERR_get_peek_error_internal(file, line, false);
|
||||
}
|
||||
|
||||
const char *ERR_reason_error_string(uint32_t packed_error)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void ERR_put_error(int library, int unused, int reason, const char *file, unsigned line)
|
||||
{
|
||||
#if CONFIG_OPENSSL_ERROR_STACK
|
||||
s_err_state.top = (s_err_state.top + 1) % ERR_NUM_ERRORS;
|
||||
if (s_err_state.top == s_err_state.bottom) {
|
||||
s_err_state.bottom = (s_err_state.bottom + 1) % ERR_NUM_ERRORS;
|
||||
}
|
||||
|
||||
s_err_state.errors[s_err_state.top].packed = (uint32_t)library<<24 | abs(reason);
|
||||
s_err_state.errors[s_err_state.top].file = file;
|
||||
s_err_state.errors[s_err_state.top].line = line;
|
||||
#endif
|
||||
}
|
@ -1476,6 +1476,46 @@ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx)
|
||||
return ctx->read_ahead;
|
||||
}
|
||||
|
||||
char *SSL_CTX_get_ex_data(const SSL_CTX *ctx, int idx)
|
||||
{
|
||||
SSL_ASSERT2(ctx);
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int SSL_CTX_set_app_data(SSL_CTX *ctx, void *arg)
|
||||
{
|
||||
SSL_ASSERT1(ctx);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void *SSL_get_app_data(SSL *ssl)
|
||||
{
|
||||
SSL_ASSERT2(ssl);
|
||||
|
||||
return NULL;
|
||||
}
|
||||
|
||||
void SSL_set_app_data(SSL *ssl, void *arg)
|
||||
{
|
||||
SSL_ASSERT3(ssl);
|
||||
}
|
||||
|
||||
void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio)
|
||||
{
|
||||
SSL_ASSERT3(ssl);
|
||||
|
||||
ssl->bio = rbio;
|
||||
}
|
||||
|
||||
int SSL_CTX_use_certificate_chain_file(SSL_CTX *ctx, const char *file)
|
||||
{
|
||||
SSL_ASSERT1(1)
|
||||
|
||||
return -1;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief set SSL session time
|
||||
*/
|
||||
@ -1572,6 +1612,26 @@ void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_C
|
||||
ssl->verify_callback = verify_callback;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief get the SSL verify callback from the context
|
||||
*/
|
||||
openssl_verify_callback SSL_CTX_get_verify_callback(const SSL_CTX *ctx)
|
||||
{
|
||||
SSL_ASSERT2(ctx);
|
||||
|
||||
return ctx->default_verify_callback;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief get the SSL verify callback from ssl pointer
|
||||
*/
|
||||
openssl_verify_callback SSL_get_verify_callback(const SSL *ssl)
|
||||
{
|
||||
SSL_ASSERT2(ssl);
|
||||
|
||||
return ssl->verify_callback;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief set the ALPN protocols in the preferred order. SSL APIs require the
|
||||
* protocols in a <length><value><length2><value2> format. mbedtls doesn't need
|
||||
@ -1606,4 +1666,3 @@ int SSL_CTX_set_alpn_protos(SSL_CTX *ctx, const unsigned char *protos, unsigned
|
||||
ctx->ssl_alpn.alpn_list[i] = NULL;
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
@ -49,7 +49,7 @@ IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, 1, TLS_method_func, TLSv1_1_server_method);
|
||||
|
||||
IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, 1, TLS_method_func, TLSv1_2_server_method);
|
||||
|
||||
IMPLEMENT_TLS_METHOD(TLS1_VERSION, 0, TLS_method_func, TLSv1_server_method);
|
||||
IMPLEMENT_TLS_METHOD(TLS1_VERSION, 1, TLS_method_func, TLSv1_server_method);
|
||||
|
||||
IMPLEMENT_SSL_METHOD(SSL3_VERSION, 1, TLS_method_func, SSLv3_server_method);
|
||||
|
||||
@ -58,11 +58,11 @@ IMPLEMENT_SSL_METHOD(SSL3_VERSION, 1, TLS_method_func, SSLv3_server_method);
|
||||
*/
|
||||
IMPLEMENT_TLS_METHOD(TLS_ANY_VERSION, -1, TLS_method_func, TLS_method);
|
||||
|
||||
IMPLEMENT_SSL_METHOD(TLS1_2_VERSION, -1, TLS_method_func, TLSv1_2_method);
|
||||
IMPLEMENT_TLS_METHOD(TLS1_2_VERSION, -1, TLS_method_func, TLSv1_2_method);
|
||||
|
||||
IMPLEMENT_SSL_METHOD(TLS1_1_VERSION, -1, TLS_method_func, TLSv1_1_method);
|
||||
IMPLEMENT_TLS_METHOD(TLS1_1_VERSION, -1, TLS_method_func, TLSv1_1_method);
|
||||
|
||||
IMPLEMENT_SSL_METHOD(TLS1_VERSION, -1, TLS_method_func, TLSv1_method);
|
||||
IMPLEMENT_TLS_METHOD(TLS1_VERSION, -1, TLS_method_func, TLSv1_method);
|
||||
|
||||
IMPLEMENT_SSL_METHOD(SSL3_VERSION, -1, TLS_method_func, SSLv3_method);
|
||||
|
||||
@ -79,3 +79,33 @@ IMPLEMENT_X509_METHOD(X509_method,
|
||||
IMPLEMENT_PKEY_METHOD(EVP_PKEY_method,
|
||||
pkey_pm_new, pkey_pm_free,
|
||||
pkey_pm_load);
|
||||
|
||||
/**
|
||||
* @brief Generic SSL/TLS methods
|
||||
*/
|
||||
const SSL_METHOD *SSLv23_method(void)
|
||||
{
|
||||
return TLS_method();
|
||||
}
|
||||
|
||||
const SSL_METHOD *SSLv23_server_method(void)
|
||||
{
|
||||
return TLS_server_method();
|
||||
}
|
||||
|
||||
const SSL_METHOD *SSLv23_client_method(void)
|
||||
{
|
||||
return TLS_client_method();
|
||||
}
|
||||
|
||||
int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version)
|
||||
{
|
||||
ctx->min_version = version;
|
||||
return 1;
|
||||
}
|
||||
|
||||
int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version)
|
||||
{
|
||||
ctx->max_version = version;
|
||||
return 1;
|
||||
}
|
||||
|
@ -16,6 +16,7 @@
|
||||
#include "ssl_methods.h"
|
||||
#include "ssl_dbg.h"
|
||||
#include "ssl_port.h"
|
||||
#include "openssl/bio.h"
|
||||
|
||||
/**
|
||||
* @brief create a private key object according to input private key
|
||||
@ -31,6 +32,8 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk)
|
||||
goto no_mem;
|
||||
}
|
||||
|
||||
pkey->ref_counter = 1;
|
||||
|
||||
if (ipk) {
|
||||
pkey->method = ipk->method;
|
||||
} else {
|
||||
@ -66,6 +69,10 @@ void EVP_PKEY_free(EVP_PKEY *pkey)
|
||||
{
|
||||
SSL_ASSERT3(pkey);
|
||||
|
||||
if (--pkey->ref_counter > 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
EVP_PKEY_METHOD_CALL(free, pkey);
|
||||
|
||||
ssl_mem_free(pkey);
|
||||
@ -118,6 +125,60 @@ failed1:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
EVP_PKEY *d2i_PrivateKey_bio(BIO *bp, EVP_PKEY **a)
|
||||
{
|
||||
return d2i_PrivateKey(0, a, (const unsigned char **)&bp->data, bp->dlen);
|
||||
}
|
||||
|
||||
RSA *d2i_RSAPrivateKey_bio(BIO *bp,RSA **a)
|
||||
{
|
||||
return d2i_PrivateKey_bio(bp, (EVP_PKEY**)a);
|
||||
}
|
||||
|
||||
RSA *PEM_read_bio_RSAPrivateKey(BIO *bp, RSA **x, pem_password_cb *cb, void *u)
|
||||
{
|
||||
return PEM_read_bio_PrivateKey(bp, (EVP_PKEY**)x, cb, u);
|
||||
}
|
||||
|
||||
EVP_PKEY *PEM_read_bio_PrivateKey(BIO *bp, EVP_PKEY **pk, pem_password_cb *cb, void *u)
|
||||
{
|
||||
|
||||
int m = 0;
|
||||
int ret;
|
||||
EVP_PKEY *x;
|
||||
|
||||
SSL_ASSERT2(BIO_method_type(bp) & BIO_TYPE_MEM);
|
||||
if (bp->data == NULL || bp->dlen == 0) {
|
||||
return NULL;
|
||||
}
|
||||
if (pk && *pk) {
|
||||
x = *pk;
|
||||
} else {
|
||||
x = EVP_PKEY_new();
|
||||
if (!x) {
|
||||
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL");
|
||||
goto failed;
|
||||
}
|
||||
m = 1;
|
||||
}
|
||||
|
||||
ret = EVP_PKEY_METHOD_CALL(load, x, bp->data, bp->dlen);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(load) return %d", ret);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
// If buffer successfully created a EVP_PKEY from the bio, mark the buffer as consumed
|
||||
bp->data = NULL;
|
||||
bp->dlen = 0;
|
||||
return x;
|
||||
|
||||
failed:
|
||||
if (m) {
|
||||
EVP_PKEY_free(x);
|
||||
}
|
||||
|
||||
return NULL;}
|
||||
/**
|
||||
* @brief set the SSL context private key
|
||||
*/
|
||||
@ -132,6 +193,7 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey)
|
||||
if (ctx->cert->pkey)
|
||||
EVP_PKEY_free(ctx->cert->pkey);
|
||||
|
||||
pkey->ref_counter++;
|
||||
ctx->cert->pkey = pkey;
|
||||
|
||||
return 1;
|
||||
@ -214,12 +276,15 @@ failed1:
|
||||
return 0;
|
||||
}
|
||||
|
||||
#define ESP_OPENSSL_FILES_NOT_SUPPORTED 1
|
||||
/**
|
||||
* @brief load the private key file into SSL context
|
||||
*/
|
||||
int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
|
||||
{
|
||||
return 0;
|
||||
// Using file name as private key is discouraged
|
||||
SSL_ASSERT1(ESP_OPENSSL_FILES_NOT_SUPPORTED);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -227,7 +292,9 @@ int SSL_CTX_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
|
||||
*/
|
||||
int SSL_use_PrivateKey_file(SSL_CTX *ctx, const char *file, int type)
|
||||
{
|
||||
return 0;
|
||||
// Using file name as private key is discouraged
|
||||
SSL_ASSERT1(ESP_OPENSSL_FILES_NOT_SUPPORTED);
|
||||
return -1;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -237,3 +304,8 @@ int SSL_CTX_use_RSAPrivateKey_ASN1(SSL_CTX *ctx, const unsigned char *d, long le
|
||||
{
|
||||
return SSL_CTX_use_PrivateKey_ASN1(0, ctx, d, len);
|
||||
}
|
||||
|
||||
void RSA_free (RSA *r)
|
||||
{
|
||||
EVP_PKEY_free(r);
|
||||
}
|
||||
|
@ -25,6 +25,29 @@
|
||||
/**
|
||||
* @brief create a openssl stack object
|
||||
*/
|
||||
typedef struct stack_st_tag {
|
||||
size_t num;
|
||||
void **data;
|
||||
} _STACK;
|
||||
|
||||
|
||||
GENERAL_NAME *sk_GENERAL_NAME_value(const struct stack_st_GENERAL_NAME *sk, size_t i)
|
||||
{
|
||||
if (!sk || i >= ((_STACK*)sk)->num) {
|
||||
return NULL;
|
||||
}
|
||||
return ((_STACK*)sk)->data[i];
|
||||
}
|
||||
|
||||
|
||||
size_t sk_GENERAL_NAME_num(const struct stack_st_GENERAL_NAME *sk)
|
||||
{
|
||||
if (sk == NULL) {
|
||||
return 0;
|
||||
}
|
||||
return ((_STACK*)sk)->num;
|
||||
}
|
||||
|
||||
OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
|
||||
{
|
||||
OPENSSL_STACK *stack;
|
||||
|
@ -42,7 +42,7 @@ X509* __X509_new(X509 *ix)
|
||||
|
||||
x->ref_counter = 1;
|
||||
|
||||
if (ix)
|
||||
if (ix && ix->method)
|
||||
x->method = ix->method;
|
||||
else
|
||||
x->method = X509_method();
|
||||
@ -205,6 +205,7 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
|
||||
X509_free(ctx->cert->x509);
|
||||
|
||||
ctx->cert->x509 = x;
|
||||
x->ref_counter++;
|
||||
|
||||
return 1;
|
||||
}
|
||||
@ -227,6 +228,11 @@ int SSL_use_certificate(SSL *ssl, X509 *x)
|
||||
return 1;
|
||||
}
|
||||
|
||||
long SSL_CTX_add_extra_chain_cert(SSL_CTX *ctx, X509 *x)
|
||||
{
|
||||
return SSL_CTX_use_certificate(ctx, x);
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief get the SSL certification point
|
||||
*/
|
||||
@ -252,12 +258,13 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
|
||||
goto failed1;
|
||||
}
|
||||
|
||||
ret = SSL_CTX_use_certificate(ctx, x);
|
||||
ret = SSL_CTX_use_certificate(ctx, x); // This uses the "x" so increments ref_count
|
||||
if (!ret) {
|
||||
SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_certificate() return %d", ret);
|
||||
goto failed2;
|
||||
}
|
||||
|
||||
X509_free(x); // decrements ref_count, so in case of happy flow doesn't free the "x"
|
||||
return 1;
|
||||
|
||||
failed2:
|
||||
@ -344,41 +351,21 @@ int X509_STORE_add_cert(X509_STORE *store, X509 *x) {
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief create a BIO object
|
||||
*/
|
||||
BIO *BIO_new(void *method) {
|
||||
BIO *b = (BIO *)malloc(sizeof(BIO));
|
||||
return b;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief load data into BIO.
|
||||
*
|
||||
* Normally BIO_write should append data but doesn't happen here, and
|
||||
* 'data' cannot be freed after the function is called, it should remain valid
|
||||
* until BIO object is in use.
|
||||
*/
|
||||
int BIO_write(BIO *b, const void * data, int dlen) {
|
||||
b->data = data;
|
||||
b->dlen = dlen;
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief load a character certification context into system context.
|
||||
*
|
||||
* If '*cert' is pointed to the certification, then load certification
|
||||
* into it, or create a new X509 certification object.
|
||||
*/
|
||||
X509 * PEM_read_bio_X509(BIO *bp, X509 **cert, void *cb, void *u) {
|
||||
X509 * PEM_read_bio_X509(BIO *bp, X509 **cert, pem_password_cb cb, void *u) {
|
||||
int m = 0;
|
||||
int ret;
|
||||
X509 *x;
|
||||
|
||||
SSL_ASSERT2(bp->data);
|
||||
SSL_ASSERT2(bp->dlen);
|
||||
|
||||
SSL_ASSERT2(BIO_method_type(bp) & BIO_TYPE_MEM);
|
||||
if (bp->data == NULL || bp->dlen == 0) {
|
||||
return NULL;
|
||||
}
|
||||
if (cert && *cert) {
|
||||
x = *cert;
|
||||
} else {
|
||||
@ -396,6 +383,9 @@ X509 * PEM_read_bio_X509(BIO *bp, X509 **cert, void *cb, void *u) {
|
||||
goto failed;
|
||||
}
|
||||
|
||||
// If buffer successfully created a X509 from the bio, mark the buffer as consumed
|
||||
bp->data = NULL;
|
||||
bp->dlen = 0;
|
||||
return x;
|
||||
|
||||
failed:
|
||||
@ -406,11 +396,9 @@ failed:
|
||||
return NULL;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief get the memory BIO method function
|
||||
*/
|
||||
void *BIO_s_mem(void) {
|
||||
return NULL;
|
||||
X509 *PEM_read_bio_X509_AUX(BIO *bp, X509 **cert, pem_password_cb *cb, void *u)
|
||||
{
|
||||
return PEM_read_bio_X509(bp, cert, cb, u);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -419,10 +407,3 @@ void *BIO_s_mem(void) {
|
||||
X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *ctx) {
|
||||
return (X509_STORE *)ctx;
|
||||
}
|
||||
|
||||
/**
|
||||
* @brief free a BIO object
|
||||
*/
|
||||
void BIO_free(BIO *b) {
|
||||
free(b);
|
||||
}
|
||||
|
@ -24,6 +24,8 @@
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/error.h"
|
||||
#include "mbedtls/certs.h"
|
||||
#include "openssl/bio.h"
|
||||
#include "openssl/openssl_err.h"
|
||||
|
||||
#define X509_INFO_STRING_LENGTH 8192
|
||||
|
||||
@ -87,6 +89,39 @@ static void ssl_platform_debug(void *ctx, int level,
|
||||
}
|
||||
#endif
|
||||
|
||||
int mbedtls_ssl_send(void *ctx, const unsigned char *buf, size_t len )
|
||||
{
|
||||
BIO *bio = ctx;
|
||||
int written = BIO_write(bio, buf, len);
|
||||
if (written <= 0 && BIO_should_write(bio)) {
|
||||
return MBEDTLS_ERR_SSL_WANT_WRITE;
|
||||
}
|
||||
return written;
|
||||
}
|
||||
|
||||
static int mbedtls_ssl_recv(void *ctx, unsigned char *buf, size_t len )
|
||||
{
|
||||
BIO *bio = ctx;
|
||||
int read = BIO_read(bio, buf, len);
|
||||
if (read <= 0 && BIO_should_read(bio)) {
|
||||
return MBEDTLS_ERR_SSL_WANT_READ;
|
||||
}
|
||||
return read;
|
||||
}
|
||||
|
||||
static int ssl_pm_reload_crt(SSL *ssl);
|
||||
|
||||
static int get_mbedtls_minor_ssl_version(int openssl_version_nr)
|
||||
{
|
||||
if (TLS1_2_VERSION == openssl_version_nr)
|
||||
return MBEDTLS_SSL_MINOR_VERSION_3;
|
||||
if (TLS1_1_VERSION ==openssl_version_nr)
|
||||
return MBEDTLS_SSL_MINOR_VERSION_2;
|
||||
if (TLS1_VERSION == openssl_version_nr)
|
||||
return MBEDTLS_SSL_MINOR_VERSION_1;
|
||||
// SSLv3.0 otherwise
|
||||
return MBEDTLS_SSL_MINOR_VERSION_0;
|
||||
}
|
||||
/**
|
||||
* @brief create SSL low-level object
|
||||
*/
|
||||
@ -99,13 +134,13 @@ int ssl_pm_new(SSL *ssl)
|
||||
size_t pers_len = sizeof(pers);
|
||||
|
||||
int endpoint;
|
||||
int version;
|
||||
|
||||
const SSL_METHOD *method = ssl->method;
|
||||
|
||||
ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
|
||||
if (!ssl_pm) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto no_mem;
|
||||
}
|
||||
|
||||
@ -122,6 +157,7 @@ int ssl_pm_new(SSL *ssl)
|
||||
ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_RAND, ret);
|
||||
goto mbedtls_err1;
|
||||
}
|
||||
|
||||
@ -133,21 +169,16 @@ int ssl_pm_new(SSL *ssl)
|
||||
ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_CONF, ret);
|
||||
goto mbedtls_err2;
|
||||
}
|
||||
|
||||
if (TLS_ANY_VERSION != ssl->version) {
|
||||
if (TLS1_2_VERSION == ssl->version)
|
||||
version = MBEDTLS_SSL_MINOR_VERSION_3;
|
||||
else if (TLS1_1_VERSION == ssl->version)
|
||||
version = MBEDTLS_SSL_MINOR_VERSION_2;
|
||||
else if (TLS1_VERSION == ssl->version)
|
||||
version = MBEDTLS_SSL_MINOR_VERSION_1;
|
||||
else
|
||||
version = MBEDTLS_SSL_MINOR_VERSION_0;
|
||||
int min_version = ssl->ctx->min_version ? ssl->ctx->min_version : ssl->version;
|
||||
int max_version = ssl->ctx->max_version ? ssl->ctx->max_version : ssl->version;
|
||||
|
||||
mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
|
||||
mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
|
||||
mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, get_mbedtls_minor_ssl_version(max_version));
|
||||
mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, get_mbedtls_minor_ssl_version(min_version));
|
||||
} else {
|
||||
mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
|
||||
mbedtls_ssl_conf_min_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_0);
|
||||
@ -158,6 +189,7 @@ int ssl_pm_new(SSL *ssl)
|
||||
mbedtls_ssl_conf_alpn_protocols( &ssl_pm->conf, ssl->ctx->ssl_alpn.alpn_list );
|
||||
#else
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "CONFIG_MBEDTLS_SSL_ALPN must be enabled to use ALPN", -1);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_FATAL);
|
||||
#endif // MBEDTLS_SSL_ALPN
|
||||
}
|
||||
mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
|
||||
@ -172,12 +204,16 @@ int ssl_pm_new(SSL *ssl)
|
||||
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_CONF, ret);
|
||||
goto mbedtls_err2;
|
||||
}
|
||||
|
||||
mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
|
||||
|
||||
ssl->ssl_pm = ssl_pm;
|
||||
ret = ssl_pm_reload_crt(ssl);
|
||||
if (ret)
|
||||
return 0;
|
||||
|
||||
return 0;
|
||||
|
||||
@ -247,6 +283,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
|
||||
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_X509, ret);
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
@ -278,6 +315,10 @@ int ssl_pm_handshake(SSL *ssl)
|
||||
int ret;
|
||||
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
|
||||
|
||||
if (ssl->bio) {
|
||||
mbedtls_ssl_set_bio(&ssl_pm->ssl, ssl->bio, mbedtls_ssl_send, mbedtls_ssl_recv, NULL);
|
||||
}
|
||||
|
||||
ret = ssl_pm_reload_crt(ssl);
|
||||
if (ret)
|
||||
return 0;
|
||||
@ -286,14 +327,24 @@ int ssl_pm_handshake(SSL *ssl)
|
||||
|
||||
while((ret = mbedtls_handshake(&ssl_pm->ssl)) != 0) {
|
||||
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
// exit handshake in case of any other error
|
||||
break;
|
||||
} else if (ssl->bio) {
|
||||
// exit even if wanted read/write if BIO used
|
||||
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
|
||||
ssl->rwstate = SSL_READING;
|
||||
} else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
||||
ssl->rwstate = SSL_WRITING;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
}
|
||||
|
||||
ssl_speed_up_exit();
|
||||
|
||||
ssl->rwstate = SSL_NOTHING;
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_handshake() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
|
||||
ret = 0;
|
||||
} else {
|
||||
struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
|
||||
@ -313,6 +364,7 @@ int ssl_pm_shutdown(SSL *ssl)
|
||||
ret = mbedtls_ssl_close_notify(&ssl_pm->ssl);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_close_notify() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
|
||||
ret = -1;
|
||||
} else {
|
||||
struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm;
|
||||
@ -337,6 +389,7 @@ int ssl_pm_read(SSL *ssl, void *buffer, int len)
|
||||
ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, len);
|
||||
if (ret < 0) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_read() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
@ -351,6 +404,7 @@ int ssl_pm_send(SSL *ssl, const void *buffer, int len)
|
||||
ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
|
||||
if (ret < 0) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_write() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
|
||||
ret = -1;
|
||||
}
|
||||
|
||||
@ -463,12 +517,14 @@ int x509_pm_show_info(X509 *x)
|
||||
buf = ssl_mem_malloc(X509_INFO_STRING_LENGTH);
|
||||
if (!buf) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (buf)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto no_mem;
|
||||
}
|
||||
|
||||
ret = mbedtls_x509_crt_info(buf, X509_INFO_STRING_LENGTH - 1, "", x509_crt);
|
||||
if (ret <= 0) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_info() return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_X509, ret);
|
||||
goto mbedtls_err1;
|
||||
}
|
||||
|
||||
@ -493,6 +549,7 @@ int x509_pm_new(X509 *x, X509 *m_x)
|
||||
x509_pm = ssl_mem_zalloc(sizeof(struct x509_pm));
|
||||
if (!x509_pm) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto failed1;
|
||||
}
|
||||
|
||||
@ -538,6 +595,7 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
|
||||
x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
|
||||
if (!x509_pm->x509_crt) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto no_mem;
|
||||
}
|
||||
}
|
||||
@ -545,6 +603,7 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
|
||||
load_buf = ssl_mem_malloc(len + 1);
|
||||
if (!load_buf) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@ -558,6 +617,7 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
|
||||
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_parse return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_X509, ret);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@ -618,6 +678,7 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
|
||||
pkey_pm->pkey = ssl_mem_malloc(sizeof(mbedtls_pk_context));
|
||||
if (!pkey_pm->pkey) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (pkey_pm->pkey)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto no_mem;
|
||||
}
|
||||
}
|
||||
@ -625,6 +686,7 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
|
||||
load_buf = ssl_mem_malloc(len + 1);
|
||||
if (!load_buf) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SYS, ERR_R_MALLOC_FAILURE);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@ -638,6 +700,7 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
|
||||
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_pk_parse_key return -0x%x", -ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_PKCS8, ret);
|
||||
goto failed;
|
||||
}
|
||||
|
||||
@ -667,6 +730,7 @@ long ssl_pm_get_verify_result(const SSL *ssl)
|
||||
ret = mbedtls_ssl_get_verify_result(&ssl_pm->ssl);
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_get_verify_result() return 0x%x", ret);
|
||||
OPENSSL_PUT_LIB_ERROR(ERR_LIB_SSL, ret);
|
||||
verify_result = X509_V_ERR_UNSPECIFIED;
|
||||
} else
|
||||
verify_result = X509_V_OK;
|
||||
|
2
components/openssl/test/CMakeLists.txt
Normal file
2
components/openssl/test/CMakeLists.txt
Normal file
@ -0,0 +1,2 @@
|
||||
idf_component_register(SRC_DIRS "."
|
||||
PRIV_REQUIRES unity test_utils openssl)
|
4
components/openssl/test/component.mk
Normal file
4
components/openssl/test/component.mk
Normal file
@ -0,0 +1,4 @@
|
||||
#
|
||||
#Component Makefile
|
||||
#
|
||||
COMPONENT_ADD_LDFLAGS = -Wl,--whole-archive -l$(COMPONENT_NAME) -Wl,--no-whole-archive
|
138
components/openssl/test/test_openssl.c
Normal file
138
components/openssl/test/test_openssl.c
Normal file
@ -0,0 +1,138 @@
|
||||
#include "test_utils.h"
|
||||
#include "openssl/ssl.h"
|
||||
#include "unity.h"
|
||||
|
||||
/**
|
||||
* @brief This simple test suite is taken from OpenSSL err_test.cc and bio_test.cc, the relevant test
|
||||
* cases were adopted to the supported fraction of OpenSSL port in esp-idf
|
||||
*/
|
||||
|
||||
//
|
||||
// Basic error stack support and test
|
||||
//
|
||||
#define ERR_NUM_ERRORS 4
|
||||
|
||||
TEST_CASE("ErrTest, Overflow", "[openssl]")
|
||||
{
|
||||
|
||||
for (unsigned i = 0; i < ERR_NUM_ERRORS*2; i++) {
|
||||
ERR_put_error(1, 0 /* unused */, i+1, "test", 1);
|
||||
}
|
||||
|
||||
for (unsigned i = 0; i < ERR_NUM_ERRORS - 1; i++) {
|
||||
uint32_t err = ERR_get_error();
|
||||
/* Errors are returned in order they were pushed, with the least recent ones
|
||||
* removed, up to |ERR_NUM_ERRORS - 1| errors. So the errors returned are
|
||||
* |ERR_NUM_ERRORS + 2| through |ERR_NUM_ERRORS * 2|, inclusive. */
|
||||
TEST_ASSERT_NOT_EQUAL(0u, err);
|
||||
TEST_ASSERT_EQUAL(i + ERR_NUM_ERRORS + 2, ERR_GET_REASON(err));
|
||||
}
|
||||
|
||||
TEST_ASSERT_EQUAL(0u, ERR_get_error());
|
||||
}
|
||||
|
||||
TEST_CASE("ErrTest, PutError", "[openssl]")
|
||||
{
|
||||
TEST_ASSERT_EQUAL(0u, ERR_get_error()); // ERR_get_error returned value before an error was added.
|
||||
|
||||
ERR_put_error(1, 0 /* unused */, 2, "test", 4);
|
||||
|
||||
int peeked_line, line, peeked_flags, flags;
|
||||
const char *peeked_file, *file, *peeked_data, *data;
|
||||
uint32_t peeked_packed_error =
|
||||
ERR_peek_error_line_data(&peeked_file, &peeked_line, &peeked_data,
|
||||
&peeked_flags);
|
||||
uint32_t packed_error = ERR_get_error_line_data(&file, &line, &data, &flags);
|
||||
|
||||
TEST_ASSERT_EQUAL(peeked_packed_error, packed_error);
|
||||
TEST_ASSERT_EQUAL(peeked_file, file);
|
||||
|
||||
TEST_ASSERT_EQUAL_STRING("test", file);
|
||||
TEST_ASSERT_EQUAL(4, line);
|
||||
TEST_ASSERT_EQUAL(1, ERR_GET_LIB(packed_error));
|
||||
TEST_ASSERT_EQUAL(2, ERR_GET_REASON(packed_error));
|
||||
}
|
||||
|
||||
TEST_CASE("ErrTest, ClearError", "[openssl]")
|
||||
{
|
||||
TEST_ASSERT_EQUAL(0u, ERR_get_error()); // ERR_get_error returned value before an error was added.
|
||||
|
||||
ERR_put_error(1, 0 /* unused */, 2, "test", 4);
|
||||
ERR_clear_error();
|
||||
|
||||
// The error queue should be cleared.
|
||||
TEST_ASSERT_EQUAL(0u, ERR_get_error());
|
||||
}
|
||||
|
||||
//
|
||||
// Simplified BIO support and check
|
||||
//
|
||||
TEST_CASE("BioTest, TestPair", "[openssl]")
|
||||
{
|
||||
BIO *bio1, *bio2;
|
||||
TEST_ASSERT_NOT_EQUAL(0, BIO_new_bio_pair(&bio1, 10, &bio2, 10));
|
||||
TEST_ASSERT_EQUAL(BIO_ctrl_get_write_guarantee(bio1), 10);
|
||||
|
||||
// Data written in one end may be read out the other.
|
||||
char buf[20];
|
||||
TEST_ASSERT_EQUAL(5, BIO_write(bio1, "12345", 5));
|
||||
TEST_ASSERT_EQUAL(5, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(5, BIO_read(bio2, buf, sizeof(buf)));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("12345", buf, 5);
|
||||
TEST_ASSERT_EQUAL(10, BIO_ctrl_get_write_guarantee(bio1));
|
||||
|
||||
// Attempting to write more than 10 bytes will write partially.
|
||||
TEST_ASSERT_EQUAL(10, BIO_write(bio1, "1234567890___", 13));
|
||||
TEST_ASSERT_EQUAL(0, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(-1, BIO_write(bio1, "z", 1));
|
||||
TEST_ASSERT_TRUE(BIO_should_write(bio1));
|
||||
TEST_ASSERT_EQUAL(10, BIO_read(bio2, buf, sizeof(buf)));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("1234567890", buf, 10);
|
||||
TEST_ASSERT_EQUAL(10, BIO_ctrl_get_write_guarantee(bio1));
|
||||
|
||||
// Unsuccessful reads update the read request.
|
||||
TEST_ASSERT_EQUAL(-1, BIO_read(bio2, buf, 5));
|
||||
TEST_ASSERT_TRUE(BIO_should_read(bio2));
|
||||
|
||||
// The read request is clamped to the size of the buffer.
|
||||
TEST_ASSERT_EQUAL(-1, BIO_read(bio2, buf, 20));
|
||||
TEST_ASSERT_TRUE(BIO_should_read(bio2));
|
||||
|
||||
// Data may be written and read in chunks.
|
||||
TEST_ASSERT_EQUAL(BIO_write(bio1, "12345", 5), 5);
|
||||
TEST_ASSERT_EQUAL(5, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(5, BIO_write(bio1, "67890___", 8));
|
||||
TEST_ASSERT_EQUAL(0, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(3, BIO_read(bio2, buf, 3));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("123", buf, 3);
|
||||
TEST_ASSERT_EQUAL(3, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(7, BIO_read(bio2, buf, sizeof(buf)));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("4567890", buf, 7);
|
||||
TEST_ASSERT_EQUAL(10, BIO_ctrl_get_write_guarantee(bio1));
|
||||
|
||||
// Test writes and reads starting in the middle of the ring buffer and
|
||||
// wrapping to front.
|
||||
TEST_ASSERT_EQUAL(8, BIO_write(bio1, "abcdefgh", 8));
|
||||
TEST_ASSERT_EQUAL(2, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(3, BIO_read(bio2, buf, 3));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("abc", buf, 3);
|
||||
TEST_ASSERT_EQUAL(5, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(5, BIO_write(bio1, "ijklm___", 8));
|
||||
TEST_ASSERT_EQUAL(0, BIO_ctrl_get_write_guarantee(bio1));
|
||||
TEST_ASSERT_EQUAL(10, BIO_read(bio2, buf, sizeof(buf)));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("defghijklm", buf, 10);
|
||||
TEST_ASSERT_EQUAL(10, BIO_ctrl_get_write_guarantee(bio1));
|
||||
|
||||
// Data may flow from both ends in parallel.
|
||||
TEST_ASSERT_EQUAL(5, BIO_write(bio1, "12345", 5));
|
||||
TEST_ASSERT_EQUAL(5, BIO_write(bio2, "67890", 5));
|
||||
TEST_ASSERT_EQUAL(5, BIO_read(bio2, buf, sizeof(buf)));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("12345", buf, 5);
|
||||
TEST_ASSERT_EQUAL(5, BIO_read(bio1, buf, sizeof(buf)));
|
||||
TEST_ASSERT_EQUAL_UINT8_ARRAY("67890", buf, 5);
|
||||
|
||||
// Other tests below not imported since BIO_shutdown_wr() not supported
|
||||
// - Closing the write end causes an EOF on the read half, after draining.
|
||||
// - A closed write end may not be written to.
|
||||
// - The other end is still functional.
|
||||
}
|
Loading…
Reference in New Issue
Block a user