diff --git a/components/ssl/Kconfig b/components/ssl/Kconfig
index 719feee8..8ac28716 100644
--- a/components/ssl/Kconfig
+++ b/components/ssl/Kconfig
@@ -48,6 +48,14 @@ config MBEDTLS_DEBUG
 If this option is enabled, you must call mbedtls_esp_enable_debug_log at runtime
 in order to enable mbedTLS debug output.
+config MBEDTLS_DEBUG_LEVEL
+ int "Mbedtls debugging level"
+ default 4
+ range 0 4
+ depends on MBEDTLS_DEBUG
+ help
+ Mbedtls debugging level.
+
 config MBEDTLS_HAVE_TIME
 bool "Enable mbedtls time"
 default y
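Review bot: The help text for the new MBEDTLS_DEBUG_LEVEL option says nothing about what the 0–4 scale means or that its default, 4, is the most verbose setting; the ssl_pm.c hunk in this commit passes the value to mbedtls_esp_enable_debug_log(), and if that maps onto mbedtls_debug_set_threshold()'s scale (0 = none, 1 = errors, 2 = state changes, 3 = informational, 4 = verbose) the upper levels hex-dump handshake and record buffers to the console. Suggest replacing `Mbedtls debugging level.` with `Verbosity threshold for mbedTLS debug output (0 = none, 1 = errors, 2 = state changes, 3 = informational, 4 = verbose). Levels 3-4 dump handshake and record buffers to the log; do not enable them in production builds.` A default below 4 would also be the safer choice for an option that other symbols can pull in via `select MBEDTLS_DEBUG`.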
@@ -475,6 +483,77 @@ config MBEDTLS_ECP_NIST_OPTIM
 # end of Elliptic Curve options
+menu "OpenSSL"
+
+config OPENSSL_DEBUG
+ bool "Enable OpenSSL debugging"
+ default n
+ help
+ Enable OpenSSL debugging function.
+
+ If the option is enabled, "SSL_DEBUG" works.
+
+config OPENSSL_DEBUG_LEVEL
+ int "OpenSSL debugging level"
+ default 0
+ range 0 255
+ depends on OPENSSL_DEBUG
+ help
+ OpenSSL debugging level.
+
+ Only function whose debugging level is higher than "OPENSSL_DEBUG_LEVEL" works.
+
+ For example:
+ If OPENSSL_DEBUG_LEVEL = 2, you use function "SSL_DEBUG(1, "malloc failed")". Because 1 < 2, it will not print.
+
+config OPENSSL_LOWLEVEL_DEBUG
+ bool "Enable OpenSSL low-level module debugging"
+ default n
+ depends on OPENSSL_DEBUG
+ select MBEDTLS_DEBUG
+ help
+ If the option is enabled, low-level module debugging function of OpenSSL is enabled, e.g. mbedtls internal debugging function.
+
+choice OPENSSL_ASSERT
+ prompt "Select OpenSSL assert function"
+ default CONFIG_OPENSSL_ASSERT_EXIT
+ help
+ OpenSSL function needs "assert" function to check if input parameters are valid.
+
+ If you want to use assert debugging function, "OPENSSL_DEBUG" should be enabled.
+
+config OPENSSL_ASSERT_DO_NOTHING
+ bool "Do nothing"
+ help
+ Do nothing and "SSL_ASSERT" does not work.
+
+config OPENSSL_ASSERT_EXIT
+ bool "Check and exit"
+ help
+ Enable assert exiting, it will check and return error code.
+
+config OPENSSL_ASSERT_DEBUG
+ bool "Show debugging message"
+ depends on OPENSSL_DEBUG
+ help
+ Enable assert debugging, it will check and show debugging message.
+
+config OPENSSL_ASSERT_DEBUG_EXIT
+ bool "Show debugging message and exit"
+ depends on OPENSSL_DEBUG
+ help
+ Enable assert debugging and exiting, it will check, show debugging message and return error code.
+
+config OPENSSL_ASSERT_DEBUG_BLOCK
+ bool "Show debugging message and block"
+ depends on OPENSSL_DEBUG
+ help
+ Enable assert debugging and blocking, it will check, show debugging message and block by "while (1);".
+
+endchoice
+
+endmenu
+
 endmenu # mbedTLS
 endmenu
diff --git a/components/ssl/mbedtls/mbedtls/library/net_sockets.c b/components/ssl/mbedtls/mbedtls/library/net_sockets.c
index 345f1022..b1e8f41d 100644
--- a/components/ssl/mbedtls/mbedtls/library/net_sockets.c
+++ b/components/ssl/mbedtls/mbedtls/library/net_sockets.c
@@ -183,7 +183,7 @@ int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
 */
 int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
 {
- int n, ret;
+ int ret;
 struct addrinfo hints, *addr_list, *cur;
 if( ( ret = net_prepare() ) != 0 )
diff --git a/components/ssl/mbedtls/port/openssl/include/internal/ssl_dbg.h b/components/ssl/mbedtls/port/openssl/include/internal/ssl_dbg.h
index 12ba25f9..e3e1b144 100644
--- a/components/ssl/mbedtls/port/openssl/include/internal/ssl_dbg.h
+++ b/components/ssl/mbedtls/port/openssl/include/internal/ssl_dbg.h
@@ -17,6 +17,7 @@
 #include "platform/ssl_opt.h"
 #include "platform/ssl_port.h"
+#include "sdkconfig.h"
 #ifdef __cplusplus
 extern "C" {
diff --git a/components/ssl/mbedtls/port/openssl/include/internal/ssl_methods.h b/components/ssl/mbedtls/port/openssl/include/internal/ssl_methods.h
index bd3b1640..3ba6a63a 100644
--- a/components/ssl/mbedtls/port/openssl/include/internal/ssl_methods.h
+++ b/components/ssl/mbedtls/port/openssl/include/internal/ssl_methods.h
@@ -29,7 +29,6 @@
 handshake, shutdown, clear, \
 read, send, pending, \
 set_fd, get_fd, \
- set_bufflen, \
 get_verify_result, \
 get_state) \
 static const SSL_METHOD_FUNC func_name = { \
@@ -43,7 +42,6 @@
 pending, \
 set_fd, \
 get_fd, \
- set_bufflen, \
 get_verify_result, \
 get_state \
 };
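Review bot: `default CONFIG_OPENSSL_ASSERT_EXIT` in the OPENSSL_ASSERT choice names a symbol this file never defines: Kconfig symbols are referenced without the CONFIG_ prefix (the prefix only appears in the generated sdkconfig.h), so the line should read `default OPENSSL_ASSERT_EXIT`. Unless this project's Kconfig tooling tolerates the prefix, the default is ignored and the choice falls back to its first entry, OPENSSL_ASSERT_DO_NOTHING, which by its own help text turns SSL_ASSERT into a no-op — so the parameter checks the choice's help describes would be silently disabled in every default configuration, including for the new SSL_CTX_load_verify_buffer() elsewhere in this commit. Separately, the OPENSSL_DEBUG_LEVEL help says a message prints when its level is "higher than" the setting while the example only covers the strict case; saying what happens when the two are equal would remove the ambiguity.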
diff --git a/components/ssl/mbedtls/port/openssl/include/internal/ssl_types.h b/components/ssl/mbedtls/port/openssl/include/internal/ssl_types.h
index 5aaee941..633b1f18 100644
--- a/components/ssl/mbedtls/port/openssl/include/internal/ssl_types.h
+++ b/components/ssl/mbedtls/port/openssl/include/internal/ssl_types.h
@@ -170,8 +170,6 @@ struct ssl_ctx_st
 int read_ahead;
- int read_buffer_len;
-
 X509_VERIFY_PARAM param;
 };
@@ -250,8 +248,6 @@ struct ssl_method_func_st {
 int (*ssl_get_fd)(const SSL *ssl, int mode);
- void (*ssl_set_bufflen)(SSL *ssl, int len);
-
 long (*ssl_get_verify_result)(const SSL *ssl);
 OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
diff --git a/components/ssl/mbedtls/port/openssl/include/internal/ssl_x509.h b/components/ssl/mbedtls/port/openssl/include/internal/ssl_x509.h
index 840fbf1e..334455ca 100644
--- a/components/ssl/mbedtls/port/openssl/include/internal/ssl_x509.h
+++ b/components/ssl/mbedtls/port/openssl/include/internal/ssl_x509.h
@@ -87,6 +87,19 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
 */
 int SSL_add_client_CA(SSL *ssl, X509 *x);
+
+/**
+ * @brief add CA client certification into the CTX
+ *
+ * @param ctx - SSL context point
+ * @param buffer - a point pointed to the certification context memory point
+ *
+ * @return result
+ 0 : failed
+ 1 : OK
+ */
+int SSL_CTX_load_verify_buffer(SSL_CTX *ctx, const unsigned char* buffer, long len);
+
 /**
 * @brief load certification into the SSL
 *
diff --git a/components/ssl/mbedtls/port/openssl/include/openssl/ssl.h b/components/ssl/mbedtls/port/openssl/include/openssl/ssl.h
index e367f194..b04eaa66 100644
--- a/components/ssl/mbedtls/port/openssl/include/openssl/ssl.h
+++ b/components/ssl/mbedtls/port/openssl/include/openssl/ssl.h
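Review bot: The new SSL_CTX_load_verify_buffer() declaration leaves `len` undocumented, and its @brief ("add CA client certification into the CTX") does not say what format `buffer` must hold; the implementation added in ssl_x509.c in this same commit hands the buffer to d2i_X509(), so a PEM-encoded certificate will fail to parse and the caller only ever sees a 0. Suggest documenting `@param buffer - pointer to a single DER-encoded X509 certificate` and `@param len - length of buffer in bytes`, and saying in the brief whether the certificate becomes a verification trust anchor or a client-CA list entry (whichever SSL_CTX_add_client_CA() does in this port), so readers do not assume OpenSSL's SSL_CTX_load_verify_locations() semantics from the name. Stating who owns the parsed X509 afterwards would also help.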
@@ -635,26 +635,6 @@ void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int v
 */
 OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
-/**
- * @brief set the SSL context read buffer length
- *
- * @param ctx - SSL context point
- * @param len - read buffer length
- *
- * @return none
- */
-void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
-
-/**
- * @brief set the SSL read buffer length
- *
- * @param ssl - SSL point
- * @param len - read buffer length
- *
- * @return none
- */
-void SSL_set_default_read_buffer_len(SSL *ssl, size_t len);
-
 /**
 * @brief set the SSL security level
 *
diff --git a/components/ssl/mbedtls/port/openssl/include/platform/ssl_pm.h b/components/ssl/mbedtls/port/openssl/include/platform/ssl_pm.h
index e6ce49bf..e05e05cd 100644
--- a/components/ssl/mbedtls/port/openssl/include/platform/ssl_pm.h
+++ b/components/ssl/mbedtls/port/openssl/include/platform/ssl_pm.h
@@ -39,8 +39,6 @@ int ssl_pm_get_fd(const SSL *ssl, int mode);
 OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl);
-void ssl_pm_set_bufflen(SSL *ssl, int len);
-
 int x509_pm_show_info(X509 *x);
 int x509_pm_new(X509 *x, X509 *m_x);
 void x509_pm_free(X509 *x);
diff --git a/components/ssl/mbedtls/port/openssl/source/library/ssl_lib.c b/components/ssl/mbedtls/port/openssl/source/library/ssl_lib.c
index 43c13007..ce189a8d 100644
--- a/components/ssl/mbedtls/port/openssl/source/library/ssl_lib.c
+++ b/components/ssl/mbedtls/port/openssl/source/library/ssl_lib.c
@@ -1308,27 +1308,6 @@ char *SSL_state_string_long(const SSL *ssl)
 return str;
 }
-/**
- * @brief set the SSL context read buffer length
- */
-void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
-{
- SSL_ASSERT3(ctx);
-
- ctx->read_buffer_len = len;
-}
-
-/**
- * @brief set the SSL read buffer length
- */
-void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
-{
- SSL_ASSERT3(ssl);
- SSL_ASSERT3(len);
-
- SSL_METHOD_CALL(set_bufflen, ssl, len);
-}
-
 /**
 * @brief set the SSL information callback function
 */
diff --git a/components/ssl/mbedtls/port/openssl/source/library/ssl_methods.c b/components/ssl/mbedtls/port/openssl/source/library/ssl_methods.c
index 00023608..9abeac57 100644
--- a/components/ssl/mbedtls/port/openssl/source/library/ssl_methods.c
+++ b/components/ssl/mbedtls/port/openssl/source/library/ssl_methods.c
@@ -23,7 +23,6 @@ IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
 ssl_pm_handshake, ssl_pm_shutdown, ssl_pm_clear,
 ssl_pm_read, ssl_pm_send, ssl_pm_pending,
 ssl_pm_set_fd, ssl_pm_get_fd,
- ssl_pm_set_bufflen,
 ssl_pm_get_verify_result,
 ssl_pm_get_state);
diff --git a/components/ssl/mbedtls/port/openssl/source/library/ssl_x509.c b/components/ssl/mbedtls/port/openssl/source/library/ssl_x509.c
index ef0503c0..b6cc8983 100644
--- a/components/ssl/mbedtls/port/openssl/source/library/ssl_x509.c
+++ b/components/ssl/mbedtls/port/openssl/source/library/ssl_x509.c
@@ -153,6 +153,24 @@ int SSL_add_client_CA(SSL *ssl, X509 *x)
 return 1;
 }
+/**
+ * @brief add CA client certification into the CTX
+ */
+int SSL_CTX_load_verify_buffer(SSL_CTX *ctx, const unsigned char* buffer, long len)
+{
+ SSL_ASSERT1(ctx);
+ SSL_ASSERT1(buffer);
+
+ X509* cacrt = d2i_X509(NULL, buffer, len);
+
+ if (cacrt) {
+ SSL_CTX_add_client_CA(ctx, cacrt);
+ return 1;
+ } else {
+ return 0;
+ }
+}
+
 /**
 * @brief set the SSL context certification
 */
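Review bot: The return value of SSL_CTX_add_client_CA() is ignored in the new SSL_CTX_load_verify_buffer(), so if that call fails the function still reports 1 and the certificate just parsed by d2i_X509() is leaked — and, worse, the caller believes a CA is installed when none is. The sibling functions in this file return an int with 1 = OK, so check it, release `cacrt` on failure, and only then return success. SSL_ASSERT1() is also a no-op when OPENSSL_ASSERT_DO_NOTHING is selected in this commit's Kconfig, in which case a NULL `buffer` reaches d2i_X509() unchecked; an explicit `if (!ctx || !buffer || len <= 0) return 0;` would not depend on that choice. Whether the ctx takes ownership of `cacrt` on success is not visible here, so the X509_free() below assumes it does and only frees on the failure path.
```c
int SSL_CTX_load_verify_buffer(SSL_CTX *ctx, const unsigned char* buffer, long len)
{
    /* do not rely on SSL_ASSERT1: it compiles to nothing under OPENSSL_ASSERT_DO_NOTHING */
    if (!ctx || !buffer || len <= 0) {
        return 0;
    }

    X509 *cacrt = d2i_X509(NULL, buffer, len);
    if (!cacrt) {
        return 0;
    }

    /* siblings use 1 = OK; on failure the ctx did not take cacrt, so release it */
    if (!SSL_CTX_add_client_CA(ctx, cacrt)) {
        X509_free(cacrt);
        return 0;
    }

    return 1;
}
```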
diff --git a/components/ssl/mbedtls/port/openssl/source/platform/ssl_pm.c b/components/ssl/mbedtls/port/openssl/source/platform/ssl_pm.c
index 74a0f4ff..c5b8cbc3 100644
--- a/components/ssl/mbedtls/port/openssl/source/platform/ssl_pm.c
+++ b/components/ssl/mbedtls/port/openssl/source/platform/ssl_pm.c
@@ -24,6 +24,7 @@
 #include "mbedtls/ctr_drbg.h"
 #include "mbedtls/error.h"
 #include "mbedtls/certs.h"
+#include "mbedtls/esp_debug.h"
 #define X509_INFO_STRING_LENGTH 3072
 #define OPENSSL_READ_BUFFER_LENGTH_MIN 2048
@@ -59,36 +60,9 @@ struct pkey_pm
 mbedtls_pk_context *ex_pkey;
 };
-unsigned int max_content_len;
-
 /*********************************************************************************************/
 /************************************ SSL arch interface *************************************/
-#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
-
-/* mbedtls debug level */
-#define MBEDTLS_DEBUG_LEVEL 4
-
-/**
- * @brief mbedtls debug function
- */
-static void ssl_platform_debug(void *ctx, int level,
- const char *file, int line,
- const char *str)
-{
- /* Shorten 'file' from the whole file path to just the filename
-
- This is a bit wasteful because the macros are compiled in with
- the full _FILE_ path in each case.
- */
- char *file_sep = rindex(file, '/');
- if(file_sep)
- file = file_sep + 1;
-
- SSL_DEBUG(SSL_DEBUG_ON, "%s:%d %s", file, line, str);
-}
-#endif
-
 /**
 * @brief create SSL low-level object
 */
@@ -105,18 +79,12 @@ int ssl_pm_new(SSL *ssl)
 const SSL_METHOD *method = ssl->method;
- if (ssl->ctx->read_buffer_len < OPENSSL_READ_BUFFER_LENGTH_MIN ||
- ssl->ctx->read_buffer_len > OPENSSL_READ_BUFFER_LENGTH_MAX)
- return -1;
-
- ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
+ ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
 if (!ssl_pm) {
 SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
 goto no_mem;
 }
- max_content_len = ssl->ctx->read_buffer_len;
-
 mbedtls_net_init(&ssl_pm->fd);
 mbedtls_net_init(&ssl_pm->cl_fd);
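Review bot: With the read_buffer_len range check removed from ssl_pm_new(), OPENSSL_READ_BUFFER_LENGTH_MIN (still defined in this file, visible in the first hunk's context) and presumably its MAX counterpart have no remaining users in the hunks shown and should be deleted in the same change rather than left as dead configuration. The one `+` line in this hunk is textually identical to the `-` line it replaces, which suggests a whitespace-only (indentation) change; if unintended it is diff noise, if intended it deserves a word in the commit message. Dropping `unsigned int max_content_len` in the previous hunk also assumes nothing in the bundled mbedtls tree still declares it `extern`, which cannot be confirmed from this diff. ssl_pm_new() starts before this hunk and continues after it.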
@@ -161,11 +129,8 @@ int ssl_pm_new(SSL *ssl)
 mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
-#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
- mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL);
- mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
-#else
- mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
+#ifdef CONFIG_MBEDTLS_DEBUG
+ mbedtls_esp_enable_debug_log(&ssl_pm->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
 #endif
 ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
@@ -643,13 +608,6 @@ no_mem:
 return -1;
 }
-
-
-void ssl_pm_set_bufflen(SSL *ssl, int len)
-{
- max_content_len = len;
-}
-
 long ssl_pm_get_verify_result(const SSL *ssl)
 {
 long ret;
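Review bot: The mbedTLS debug hook is now installed whenever CONFIG_MBEDTLS_DEBUG is set, so CONFIG_OPENSSL_LOWLEVEL_DEBUG — which the Kconfig hunk in this commit still documents as the switch for the OpenSSL port's low-level debugging, and which `select`s MBEDTLS_DEBUG — no longer has any effect here, and any build that enables MBEDTLS_DEBUG for some other component will log every connection made through this port at CONFIG_MBEDTLS_DEBUG_LEVEL (default 4, which, if it follows mbedtls_debug_set_threshold()'s scale, includes hex dumps of handshake and record buffers). Gating on both keeps the documented Kconfig semantics: `#if defined(CONFIG_MBEDTLS_DEBUG) && defined(CONFIG_OPENSSL_LOWLEVEL_DEBUG)`. The old `#else` branch that explicitly cleared the callback with `mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL)` is gone; that is only safe if `ssl_pm->conf` was zero-initialised earlier, which is outside this hunk. ssl_pm_new() starts before and ends after this hunk.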