espressif/ESP8266_RTOS_SDK
1
0
Fork 0
mirror of https://github.com/espressif/ESP8266_RTOS_SDK.git synced 2025-08-06 15:15:15 +08:00
Code Issues Packages Projects Releases Wiki Activity

feat(mbedtls): Modify openssl according to mbedtls V2.8.0

Browse Source 
1. Remove SSL_CTX_set_default_read_buffer_len and SSL_set_default_read_buffer_len.
2. Add SSL_CTX_load_verify_buffer to load CA certification.
This commit is contained in:
Zhang Jun Hao
2018-05-17 20:50:46 +08:00
parent d51cf5c3da
commit 5340fae48b
12 changed files with 116 additions and 97 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
components/ssl/Kconfig
View File

@ -48,6 +48,14 @@ config MBEDTLS_DEBUG
If this option is enabled, you must call mbedtls_esp_enable_debug_log If this option is enabled, you must call mbedtls_esp_enable_debug_log
at runtime in order to enable mbedTLS debug output. at runtime in order to enable mbedTLS debug output.
config MBEDTLS_DEBUG_LEVEL
int "Mbedtls debugging level"
default 4
range 0 4
depends on MBEDTLS_DEBUG
help
Mbedtls debugging level.
config MBEDTLS_HAVE_TIME config MBEDTLS_HAVE_TIME
bool "Enable mbedtls time" bool "Enable mbedtls time"
default y default y
@ -475,6 +483,77 @@ config MBEDTLS_ECP_NIST_OPTIM
# end of Elliptic Curve options # end of Elliptic Curve options
menu "OpenSSL"
config OPENSSL_DEBUG
bool "Enable OpenSSL debugging"
default n
help
Enable OpenSSL debugging function.
If the option is enabled, "SSL_DEBUG" works.
config OPENSSL_DEBUG_LEVEL
int "OpenSSL debugging level"
default 0
range 0 255
depends on OPENSSL_DEBUG
help
OpenSSL debugging level.
Only function whose debugging level is higher than "OPENSSL_DEBUG_LEVEL" works.
For example:
If OPENSSL_DEBUG_LEVEL = 2, you use function "SSL_DEBUG(1, "malloc failed")". Because 1 < 2, it will not print.
config OPENSSL_LOWLEVEL_DEBUG
bool "Enable OpenSSL low-level module debugging"
default n
depends on OPENSSL_DEBUG
select MBEDTLS_DEBUG
help
If the option is enabled, low-level module debugging function of OpenSSL is enabled, e.g. mbedtls internal debugging function.
choice OPENSSL_ASSERT
prompt "Select OpenSSL assert function"
default CONFIG_OPENSSL_ASSERT_EXIT
help
OpenSSL function needs "assert" function to check if input parameters are valid.
If you want to use assert debugging function, "OPENSSL_DEBUG" should be enabled.
config OPENSSL_ASSERT_DO_NOTHING
bool "Do nothing"
help
Do nothing and "SSL_ASSERT" does not work.
config OPENSSL_ASSERT_EXIT
bool "Check and exit"
help
Enable assert exiting, it will check and return error code.
config OPENSSL_ASSERT_DEBUG
bool "Show debugging message"
depends on OPENSSL_DEBUG
help
Enable assert debugging, it will check and show debugging message.
config OPENSSL_ASSERT_DEBUG_EXIT
bool "Show debugging message and exit"
depends on OPENSSL_DEBUG
help
Enable assert debugging and exiting, it will check, show debugging message and return error code.
config OPENSSL_ASSERT_DEBUG_BLOCK
bool "Show debugging message and block"
depends on OPENSSL_DEBUG
help
Enable assert debugging and blocking, it will check, show debugging message and block by "while (1);".
endchoice
endmenu
endmenu # mbedTLS endmenu # mbedTLS
endmenu endmenu

2
components/ssl/mbedtls/mbedtls/library/net_sockets.c
View File

@ -183,7 +183,7 @@ int mbedtls_net_connect( mbedtls_net_context *ctx, const char *host,
*/ */
int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto ) int mbedtls_net_bind( mbedtls_net_context *ctx, const char *bind_ip, const char *port, int proto )
{ {
int n, ret; int ret;
struct addrinfo hints, *addr_list, *cur; struct addrinfo hints, *addr_list, *cur;
if( ( ret = net_prepare() ) != 0 ) if( ( ret = net_prepare() ) != 0 )

1
components/ssl/mbedtls/port/openssl/include/internal/ssl_dbg.h
View File

@ -17,6 +17,7 @@
#include "platform/ssl_opt.h" #include "platform/ssl_opt.h"
#include "platform/ssl_port.h" #include "platform/ssl_port.h"
#include "sdkconfig.h"
#ifdef __cplusplus #ifdef __cplusplus
extern "C" { extern "C" {

2
components/ssl/mbedtls/port/openssl/include/internal/ssl_methods.h
View File

@ -29,7 +29,6 @@
handshake, shutdown, clear, \ handshake, shutdown, clear, \
read, send, pending, \ read, send, pending, \
set_fd, get_fd, \ set_fd, get_fd, \
set_bufflen, \
get_verify_result, \ get_verify_result, \
get_state) \ get_state) \
static const SSL_METHOD_FUNC func_name = { \ static const SSL_METHOD_FUNC func_name = { \
@ -43,7 +42,6 @@
pending, \ pending, \
set_fd, \ set_fd, \
get_fd, \ get_fd, \
set_bufflen, \
get_verify_result, \ get_verify_result, \
get_state \ get_state \
}; };

4
components/ssl/mbedtls/port/openssl/include/internal/ssl_types.h
View File

@ -170,8 +170,6 @@ struct ssl_ctx_st
int read_ahead; int read_ahead;
int read_buffer_len;
X509_VERIFY_PARAM param; X509_VERIFY_PARAM param;
}; };
@ -250,8 +248,6 @@ struct ssl_method_func_st {
int (*ssl_get_fd)(const SSL *ssl, int mode); int (*ssl_get_fd)(const SSL *ssl, int mode);
void (*ssl_set_bufflen)(SSL *ssl, int len);
long (*ssl_get_verify_result)(const SSL *ssl); long (*ssl_get_verify_result)(const SSL *ssl);
OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl); OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);

13
components/ssl/mbedtls/port/openssl/include/internal/ssl_x509.h
View File

@ -87,6 +87,19 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
*/ */
int SSL_add_client_CA(SSL *ssl, X509 *x); int SSL_add_client_CA(SSL *ssl, X509 *x);
/**
* @brief add CA client certification into the CTX
*
* @param ctx - SSL context point
* @param buffer - a point pointed to the certification context memory point
*
* @return result
* 0 : failed
* 1 : OK
*/
int SSL_CTX_load_verify_buffer(SSL_CTX *ctx, const unsigned char* buffer, long len);
/** /**
* @brief load certification into the SSL * @brief load certification into the SSL
* *

20
components/ssl/mbedtls/port/openssl/include/openssl/ssl.h
View File

@ -635,26 +635,6 @@ void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int v
*/ */
OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl); OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl);
/**
* @brief set the SSL context read buffer length
*
* @param ctx - SSL context point
* @param len - read buffer length
*
* @return none
*/
void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len);
/**
* @brief set the SSL read buffer length
*
* @param ssl - SSL point
* @param len - read buffer length
*
* @return none
*/
void SSL_set_default_read_buffer_len(SSL *ssl, size_t len);
/** /**
* @brief set the SSL security level * @brief set the SSL security level
* *

2
components/ssl/mbedtls/port/openssl/include/platform/ssl_pm.h
View File

@ -39,8 +39,6 @@ int ssl_pm_get_fd(const SSL *ssl, int mode);
OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl); OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl);
void ssl_pm_set_bufflen(SSL *ssl, int len);
int x509_pm_show_info(X509 *x); int x509_pm_show_info(X509 *x);
int x509_pm_new(X509 *x, X509 *m_x); int x509_pm_new(X509 *x, X509 *m_x);
void x509_pm_free(X509 *x); void x509_pm_free(X509 *x);

21
components/ssl/mbedtls/port/openssl/source/library/ssl_lib.c
View File

@ -1308,27 +1308,6 @@ char *SSL_state_string_long(const SSL *ssl)
return str; return str;
} }
/**
* @brief set the SSL context read buffer length
*/
void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len)
{
SSL_ASSERT3(ctx);
ctx->read_buffer_len = len;
}
/**
* @brief set the SSL read buffer length
*/
void SSL_set_default_read_buffer_len(SSL *ssl, size_t len)
{
SSL_ASSERT3(ssl);
SSL_ASSERT3(len);
SSL_METHOD_CALL(set_bufflen, ssl, len);
}
/** /**
* @brief set the SSL information callback function * @brief set the SSL information callback function
*/ */

1
components/ssl/mbedtls/port/openssl/source/library/ssl_methods.c
View File

@ -23,7 +23,6 @@ IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func,
ssl_pm_handshake, ssl_pm_shutdown, ssl_pm_clear, ssl_pm_handshake, ssl_pm_shutdown, ssl_pm_clear,
ssl_pm_read, ssl_pm_send, ssl_pm_pending, ssl_pm_read, ssl_pm_send, ssl_pm_pending,
ssl_pm_set_fd, ssl_pm_get_fd, ssl_pm_set_fd, ssl_pm_get_fd,
ssl_pm_set_bufflen,
ssl_pm_get_verify_result, ssl_pm_get_verify_result,
ssl_pm_get_state); ssl_pm_get_state);

18
components/ssl/mbedtls/port/openssl/source/library/ssl_x509.c
View File

@ -153,6 +153,24 @@ int SSL_add_client_CA(SSL *ssl, X509 *x)
return 1; return 1;
} }
/**
* @brief add CA client certification into the CTX
*/
int SSL_CTX_load_verify_buffer(SSL_CTX *ctx, const unsigned char* buffer, long len)
{
SSL_ASSERT1(ctx);
SSL_ASSERT1(buffer);
X509* cacrt = d2i_X509(NULL, buffer, len);
if (cacrt) {
SSL_CTX_add_client_CA(ctx, cacrt);
return 1;
} else {
return 0;
}
}
/** /**
* @brief set the SSL context certification * @brief set the SSL context certification
*/ */

50
components/ssl/mbedtls/port/openssl/source/platform/ssl_pm.c
View File

@ -24,6 +24,7 @@
#include "mbedtls/ctr_drbg.h" #include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h" #include "mbedtls/error.h"
#include "mbedtls/certs.h" #include "mbedtls/certs.h"
#include "mbedtls/esp_debug.h"
#define X509_INFO_STRING_LENGTH 3072 #define X509_INFO_STRING_LENGTH 3072
#define OPENSSL_READ_BUFFER_LENGTH_MIN 2048 #define OPENSSL_READ_BUFFER_LENGTH_MIN 2048
@ -59,36 +60,9 @@ struct pkey_pm
mbedtls_pk_context *ex_pkey; mbedtls_pk_context *ex_pkey;
}; };
unsigned int max_content_len;
/*********************************************************************************************/ /*********************************************************************************************/
/************************************ SSL arch interface *************************************/ /************************************ SSL arch interface *************************************/
#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG
/* mbedtls debug level */
#define MBEDTLS_DEBUG_LEVEL 4
/**
* @brief mbedtls debug function
*/
static void ssl_platform_debug(void *ctx, int level,
const char *file, int line,
const char *str)
{
/* Shorten 'file' from the whole file path to just the filename
This is a bit wasteful because the macros are compiled in with
the full _FILE_ path in each case.
*/
char *file_sep = rindex(file, '/');
if(file_sep)
file = file_sep + 1;
SSL_DEBUG(SSL_DEBUG_ON, "%s:%d %s", file, line, str);
}
#endif
/** /**
* @brief create SSL low-level object * @brief create SSL low-level object
*/ */
@ -105,18 +79,12 @@ int ssl_pm_new(SSL *ssl)
const SSL_METHOD *method = ssl->method; const SSL_METHOD *method = ssl->method;
if (ssl->ctx->read_buffer_len < OPENSSL_READ_BUFFER_LENGTH_MIN || ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
ssl->ctx->read_buffer_len > OPENSSL_READ_BUFFER_LENGTH_MAX)
return -1;
ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm));
if (!ssl_pm) { if (!ssl_pm) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)"); SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)");
goto no_mem; goto no_mem;
} }
max_content_len = ssl->ctx->read_buffer_len;
mbedtls_net_init(&ssl_pm->fd); mbedtls_net_init(&ssl_pm->fd);
mbedtls_net_init(&ssl_pm->cl_fd); mbedtls_net_init(&ssl_pm->cl_fd);
@ -161,11 +129,8 @@ int ssl_pm_new(SSL *ssl)
mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg); mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG #ifdef CONFIG_MBEDTLS_DEBUG
mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL); mbedtls_esp_enable_debug_log(&ssl_pm->conf, CONFIG_MBEDTLS_DEBUG_LEVEL);
mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL);
#else
mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
#endif #endif
ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf); ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
@ -643,13 +608,6 @@ no_mem:
return -1; return -1;
} }
void ssl_pm_set_bufflen(SSL *ssl, int len)
{
max_content_len = len;
}
long ssl_pm_get_verify_result(const SSL *ssl) long ssl_pm_get_verify_result(const SSL *ssl)
{ {
long ret; long ret;