alex/esp-idf
alex/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2024-10-05 20:47:46 -04:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

components/openssl: add SSL and SSL context verify mode selection

Browse Source
This commit is contained in:
dongheng 2016-09-23 11:41:57 +08:00
parent f5d9bfc7ae
commit e475d0539e
9 changed files with 88 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
components/openssl/include/internal/ssl_code.h
View File

@ -23,6 +23,11 @@
# define SSL_SENT_SHUTDOWN 1
# define SSL_RECEIVED_SHUTDOWN 2
# define SSL_VERIFY_NONE 0x00
# define SSL_VERIFY_PEER 0x01
# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
# define SSL_VERIFY_CLIENT_ONCE 0x04
/*
* The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
* should not need these

2
components/openssl/include/internal/ssl_methods.h
View File

@ -22,7 +22,6 @@
set_fd, get_fd, \
set_bufflen, \
get_verify_result, \
ssl_reload_crt, \
get_state) \
static const SSL_METHOD_FUNC func_name LOCAL_ATRR = { \
new, \
@ -37,7 +36,6 @@
get_fd, \
set_bufflen, \
get_verify_result, \
ssl_reload_crt, \
get_state \
};

8
components/openssl/include/internal/ssl_types.h
View File

@ -171,6 +171,8 @@ struct ssl_ctx_st
int verify_mode;
int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);
long session_timeout;
int read_ahead;
@ -209,6 +211,10 @@ struct ssl_st
SSL_SESSION session;
int verify_mode;
int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
int rwstate;
long verify_result;
@ -259,8 +265,6 @@ struct ssl_method_func_st {
long (*ssl_get_verify_result)(const SSL *ssl);
int (*ssl_reload_crt)(SSL *ssl);
OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
};

2
components/openssl/include/platform/ssl_pm.h
View File

@ -51,6 +51,4 @@ void pkey_pm_unload(EVP_PKEY *pkey);
long ssl_pm_get_verify_result(const SSL *ssl);
int ssl_pm_reload_crt(SSL *ssl);
#endif

50
components/openssl/library/ssl_lib.c
View File

@ -284,6 +284,7 @@ SSL *SSL_new(SSL_CTX *ctx)
ssl->cert = ctx->cert;
ssl->client_CA = ctx->client_CA;
ssl->verify_mode = ctx->verify_mode;
ret = SSL_METHOD_CALL(new, ssl);
if (ret)
@ -1726,21 +1727,6 @@ long SSL_set_timeout(SSL *ssl, long t)
return t;
}
/*
* SSL_set_verify - set the SSL verifying of the SSL context
*
* @param ctx - SSL point
* @param mode - verifying mode
* @param verify_callback - verifying callback function
*
* @return none
*/
void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
{
SSL_ASSERT(ssl);
SSL_ASSERT(verify_callback);
}
/*
* SSL_get_verify_result - get the verifying result of the SSL certification
*
@ -1812,3 +1798,37 @@ void SSL_set_verify_depth(SSL *ssl, int depth)
ssl->param.depth = depth;
}
/*
* SSL_CTX_set_verify - set the SSL context verifying of the SSL context
*
* @param ctx - SSL context point
* @param mode - verifying mode
* @param verify_callback - verifying callback function
*
* @return none
*/
void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
{
SSL_ASSERT(ctx);
ctx->verify_mode = mode;
ctx->default_verify_callback = verify_callback;
}
/*
* SSL_set_verify - set the SSL verifying of the SSL context
*
* @param ctx - SSL point
* @param mode - verifying mode
* @param verify_callback - verifying callback function
*
* @return none
*/
void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
{
SSL_ASSERT(ctx);
ssl->verify_mode = mode;
ssl->verify_callback = verify_callback;
}

1
components/openssl/library/ssl_methods.c
View File

@ -26,7 +26,6 @@ IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
ssl_pm_set_fd, ssl_pm_get_fd,
ssl_pm_set_bufflen,
ssl_pm_get_verify_result,
ssl_pm_reload_crt,
ssl_pm_get_state);
/*

8
components/openssl/library/ssl_pkey.c
View File

@ -160,13 +160,7 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
ssl->cert->pkey = pkey;
ssl_ret = SSL_METHOD_CALL(reload_crt, ssl);
if (ssl_ret)
ret = 0;
else
ret = 1;
return ret;
return 1;
}
/*

11
components/openssl/library/ssl_x509.c
View File

@ -138,9 +138,6 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
*/
int SSL_add_client_CA(SSL *ssl, X509 *x)
{
int ret;
int ssl_ret;
SSL_ASSERT(ssl);
SSL_ASSERT(x);
@ -151,13 +148,7 @@ int SSL_add_client_CA(SSL *ssl, X509 *x)
ssl->client_CA = x;
ssl_ret = SSL_METHOD_CALL(reload_crt, ssl);
if (ssl_ret)
ret = 0;
else
ret = 1;
return ret;
return 1;
}
/*

96
components/openssl/platform/ssl_pm.c
View File

@ -71,14 +71,10 @@ int ssl_pm_new(SSL *ssl)
size_t pers_len = sizeof(pers);
int endpoint;
int mode;
int version;
const SSL_METHOD *method = ssl->method;
struct x509_pm *x509_pm;
struct pkey_pm *pkey_pm;
ssl->session.peer = ssl_zalloc(sizeof(X509));
if (!ssl->session.peer)
SSL_ERR(ret, failed1, "ssl_zalloc\n");
@ -123,28 +119,9 @@ int ssl_pm_new(SSL *ssl)
mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
x509_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
if (x509_pm->load) {
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
} else {
mode = MBEDTLS_SSL_VERIFY_NONE;
}
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
if (pkey_pm->load) {
x509_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
if (ret)
SSL_ERR(ret, failed4, "mbedtls_ssl_conf_own_cert:[%d]\n", ret);
}
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
if (ret)
SSL_ERR(ret, failed5, "mbedtls_ssl_setup:[-0x%x]\n", -ret);
SSL_ERR(ret, failed4, "mbedtls_ssl_setup:[-0x%x]\n", -ret);
mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
@ -152,9 +129,8 @@ int ssl_pm_new(SSL *ssl)
return 0;
failed5:
mbedtls_ssl_config_free(&ssl_pm->conf);
failed4:
mbedtls_ssl_config_free(&ssl_pm->conf);
mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
failed3:
mbedtls_entropy_free(&ssl_pm->entropy);
@ -177,11 +153,49 @@ void ssl_pm_free(SSL *ssl)
ssl->ssl_pm = NULL;
}
static int ssl_pm_reload_crt(SSL *ssl)
{
int ret;
int mode;
struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_NONE;
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
mode = MBEDTLS_SSL_VERIFY_UNSET;
else
mode = MBEDTLS_SSL_VERIFY_NONE;
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
if (ca_pm->load) {
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &ca_pm->x509_crt, NULL);
}
if (pkey_pm->load) {
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &crt_pm->x509_crt, &pkey_pm->pkey);
if (ret)
return -1;
}
return 0;
}
int ssl_pm_handshake(SSL *ssl)
{
int ret, mbed_ret;
struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
mbed_ret = ssl_pm_reload_crt(ssl);
if (mbed_ret)
return 0;
ssl_speed_up_enter();
while((mbed_ret = mbedtls_ssl_handshake(&ssl_pm->ssl)) != 0) {
if (mbed_ret != MBEDTLS_ERR_SSL_WANT_READ && mbed_ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
@ -475,33 +489,3 @@ long ssl_pm_get_verify_result(const SSL *ssl)
return verify_result;
}
int ssl_pm_reload_crt(SSL *ssl)
{
int ret;
int mode;
struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *x509_pm;
struct pkey_pm *pkey_pm;
x509_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
if (x509_pm->load) {
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
} else {
mode = MBEDTLS_SSL_VERIFY_NONE;
}
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
if (pkey_pm->load) {
x509_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
if (ret)
return -1;
}
return 0;
}