Beispiel #1
0
static int tls_server_accept(void)
{
	int ret;
	mbedtls_net_context client;

	mbedtls_net_init(&client);
	ret = mbedtls_net_accept(&stls.fd, &client, NULL, 0, NULL);
	if (ret || ccnt >= MAXCLIENTS) {
		printf("max clients\n");
		goto err;
	}

	struct client *c = ctls + ccnt;
	c->fd = client;
	mbedtls_ssl_init(&c->ssl);

	ret = mbedtls_ssl_setup(&c->ssl, &stls.conf);
	if (ret) {
		printf("cannot setup the ssl session\n");
		goto err;
	}

	mbedtls_ssl_set_bio(&c->ssl, &c->fd, mbedtls_net_send, mbedtls_net_recv, NULL);

	c->handler = tls_client_handshake;
	ccnt++;
	return 0;

err:
	mbedtls_net_free(&client);
	return -1;
}
Beispiel #2
0
static err_t
altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_conn)
{
  int ret;
  struct altcp_tls_config *config = (struct altcp_tls_config *)conf;
  altcp_mbedtls_state_t *state;
  if (!conf) {
    return ERR_ARG;
  }
  LWIP_ASSERT("invalid inner_conn", conn != inner_conn);

  /* allocate mbedtls context */
  state = altcp_mbedtls_alloc(conf);
  if (state == NULL) {
    return ERR_MEM;
  }
  /* initialize mbedtls context: */
  mbedtls_ssl_init(&state->ssl_context);
  ret = mbedtls_ssl_setup(&state->ssl_context, &config->conf);
  if (ret != 0) {
    LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_setup failed\n"));
    /* @todo: convert 'ret' to err_t */
    altcp_mbedtls_free(conf, state);
    return ERR_MEM;
  }
  /* tell mbedtls about our I/O functions */
  mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);

  altcp_mbedtls_setup_callbacks(conn, inner_conn);
  conn->inner_conn = inner_conn;
  conn->fns = &altcp_mbedtls_functions;
  conn->state = state;
  return ERR_OK;
}
static void mbedtls_msg_server_step(pmbedtls_msg msg)
{
	lwIP_ASSERT(msg);

	/*to prevent memory leaks, ensure that each allocated is deleted at every handshake*/
	if (msg->psession){
		mbedtls_session_free(&msg->psession);
	}
#if defined(ESP8266_PLATFORM)
    if (msg->quiet && msg->ssl.out_buf)
    {
        mbedtls_zeroize(msg->ssl.out_buf, MBEDTLS_SSL_OUTBUFFER_LEN);
        os_free(msg->ssl.out_buf);
        msg->ssl.out_buf = NULL;
    }
#endif
	mbedtls_entropy_free(&msg->entropy);
	mbedtls_ssl_free(&msg->ssl);
	mbedtls_ssl_config_free(&msg->conf);
	mbedtls_ctr_drbg_free(&msg->ctr_drbg);

	/*New connection ensure that each initial for next handshake */
	os_bzero(msg, sizeof(mbedtls_msg));
	msg->psession = mbedtls_session_new();
	if (msg->psession){
		mbedtls_net_init(&msg->fd);
		mbedtls_ssl_init(&msg->ssl);
		mbedtls_ssl_config_init(&msg->conf);
		mbedtls_ctr_drbg_init(&msg->ctr_drbg);
		mbedtls_entropy_init(&msg->entropy);
	}	
}
int iot_tls_init(Network *pNetwork) {
	IoT_Error_t ret_val = NONE_ERROR;
	const char *pers = "aws_iot_tls_wrapper";
	unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];

	mbedtls_net_init(&server_fd);
	mbedtls_ssl_init(&ssl);
	mbedtls_ssl_config_init(&conf);
	mbedtls_ctr_drbg_init(&ctr_drbg);
	mbedtls_x509_crt_init(&cacert);
	mbedtls_x509_crt_init(&clicert);
	mbedtls_pk_init(&pkey);

	DEBUG("\n  . Seeding the random number generator...");
	mbedtls_entropy_init(&entropy);
	if ((ret_val = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers,
			strlen(pers))) != 0) {
		ERROR(" failed\n  ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret);
		return ret;
	} DEBUG("ok\n");

	pNetwork->my_socket = 0;
	pNetwork->connect = iot_tls_connect;
	pNetwork->mqttread = iot_tls_read;
	pNetwork->mqttwrite = iot_tls_write;
	pNetwork->disconnect = iot_tls_disconnect;
	pNetwork->isConnected = iot_tls_is_connected;
	pNetwork->destroy = iot_tls_destroy;

	return ret_val;
}
Beispiel #5
0
int websocket_connect(websocket_t *client, char *host, const char *port)
{
	int r;
	int tls_hs_retry = WEBSOCKET_MAX_TLS_HANDSHAKE;

TLS_HS_RETRY:
	if ((r = connect_socket(client, host, port)) != WEBSOCKET_SUCCESS) {
		return r;
	}

	if (websocket_config_socket(client->fd) != WEBSOCKET_SUCCESS) {
		WEBSOCKET_CLOSE(client->fd);
		return WEBSOCKET_SOCKET_ERROR;
	}

	if (client->tls_enabled) {
		if ((r = websocket_tls_handshake(client, host, client->auth_mode)) != WEBSOCKET_SUCCESS) {
			if (r == MBEDTLS_ERR_NET_SEND_FAILED || r == MBEDTLS_ERR_NET_RECV_FAILED || r == MBEDTLS_ERR_SSL_CONN_EOF) {
				if (tls_hs_retry-- > 0) {
					WEBSOCKET_DEBUG("Handshake again.... \n");
					mbedtls_net_free(&(client->tls_net));
					mbedtls_ssl_free(client->tls_ssl);
					mbedtls_ssl_init(client->tls_ssl);
					goto TLS_HS_RETRY;
				}
			}
			return WEBSOCKET_TLS_HANDSHAKE_ERROR;
		}
	}
	return r;
}
Beispiel #6
0
void* ssl_socket_init(int fd, const char *domain)
{
   struct ssl_state *state = (struct ssl_state*)calloc(1, sizeof(*state));

   state->domain = domain;

   mbedtls_debug_set_threshold(DEBUG_LEVEL);

   mbedtls_net_init(&state->net_ctx);
   mbedtls_ssl_init(&state->ctx);
   mbedtls_ssl_config_init(&state->conf);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
   mbedtls_x509_crt_init(&state->ca);
#endif
   mbedtls_ctr_drbg_init(&state->ctr_drbg);
   mbedtls_entropy_init(&state->entropy);

   state->net_ctx.fd = fd;

   if (mbedtls_ctr_drbg_seed(&state->ctr_drbg, mbedtls_entropy_func, &state->entropy, (const unsigned char*)pers, strlen(pers)) != 0)
      goto error;

#if defined(MBEDTLS_X509_CRT_PARSE_C)
   if (mbedtls_x509_crt_parse(&state->ca, (const unsigned char*)cacert_pem, sizeof(cacert_pem) / sizeof(cacert_pem[0])) < 0)
      goto error;
#endif

   return state;

error:
   if (state)
      free(state);
   return NULL;
}
dtls_session_t *_DTLSSession_init()
{
    dtls_session_t *p_dtls_session = NULL;
    p_dtls_session = coap_malloc(sizeof(dtls_session_t));

    mbedtls_debug_set_threshold(0);
    mbedtls_platform_set_calloc_free(_DTLSCalloc_wrapper, _DTLSFree_wrapper);
    if (NULL != p_dtls_session) {
        mbedtls_net_init(&p_dtls_session->fd);
        mbedtls_ssl_init(&p_dtls_session->context);
        mbedtls_ssl_config_init(&p_dtls_session->conf);
        mbedtls_net_init(&p_dtls_session->fd);

        mbedtls_ssl_cookie_init(&p_dtls_session->cookie_ctx);

#ifdef MBEDTLS_X509_CRT_PARSE_C
        mbedtls_x509_crt_init(&p_dtls_session->cacert);
#endif
        mbedtls_ctr_drbg_init(&p_dtls_session->ctr_drbg);
        mbedtls_entropy_init(&p_dtls_session->entropy);
        DTLS_INFO("HAL_DTLSSession_init success\r\n");

    }

    return p_dtls_session;
}
static int coap_security_handler_init(coap_security_t *sec){
    const char *pers = "dtls_client";
    mbedtls_ssl_init( &sec->_ssl );
    mbedtls_ssl_config_init( &sec->_conf );
    mbedtls_ctr_drbg_init( &sec->_ctr_drbg );
    mbedtls_entropy_init( &sec->_entropy );

#if defined(MBEDTLS_X509_CRT_PARSE_C)
    mbedtls_x509_crt_init( &sec->_cacert );
    mbedtls_x509_crt_init( &sec->_owncert );
#endif
    mbedtls_pk_init( &sec->_pkey );

    memset(&sec->_cookie, 0, sizeof(simple_cookie_t));
    memset(&sec->_keyblk, 0, sizeof(key_block_t));

    sec->_is_started = false;

    //TODO: Must have at least 1 strong entropy source, otherwise DTLS will fail.
    //This is NOT strong even we say it is!
    if( mbedtls_entropy_add_source( &sec->_entropy, entropy_poll, NULL,
                                128, 1 ) < 0 ){
        return -1;
    }

    if( ( mbedtls_ctr_drbg_seed( &sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
        return -1;
    }
    return 0;
}
Beispiel #9
0
// コンテキストを初期化します。
// mtls_alloc() に続いてコールしてください。
// 成功すれば 0、失敗すれば -1 を返します。
int
mtls_init(mtlsctx_t* ctx)
{
	int r;

	TRACE("start\n");

	// グローバルコンテキストの初期化
	if (gctx.initialized == 0) {
		mbedtls_ctr_drbg_init(&gctx.ctr_drbg);
		mbedtls_entropy_init(&gctx.entropy);
		// init RNG
		r = mbedtls_ctr_drbg_seed(&gctx.ctr_drbg, mbedtls_entropy_func,
			&gctx.entropy, "a", 1);
		if (r != 0) {
			ERROR("mbedtls_ctr_drbg_seed failed: %s\n", mtls_errmsg(r));
			goto errexit;
		}
		gctx.initialized = 1;
	}

	ctx->usessl = 0;
	mbedtls_net_init(&ctx->net);
	mbedtls_ssl_init(&ctx->ssl);
	mbedtls_ssl_config_init(&ctx->conf);

	// TLS config
	r = mbedtls_ssl_config_defaults(&ctx->conf,
			MBEDTLS_SSL_IS_CLIENT,
			MBEDTLS_SSL_TRANSPORT_STREAM,
			MBEDTLS_SSL_PRESET_DEFAULT);
	if (r != 0) {
		ERROR("mbedtls_ssl_config_defaults failed: %s\n", mtls_errmsg(r));
		goto errexit;
	}

	mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_NONE);
	mbedtls_ssl_conf_rng(&ctx->conf, mbedtls_ctr_drbg_random, &gctx.ctr_drbg);
	mbedtls_ssl_conf_dbg(&ctx->conf, debug_callback, stderr);

	r = mbedtls_ssl_setup(&ctx->ssl, &ctx->conf);
	if (r != 0) {
		ERROR("mbedtls_ssl_setup failed: %s\n", mtls_errmsg(r));
		goto errexit;
	}

	mbedtls_ssl_set_bio(&ctx->ssl, &ctx->net, mbedtls_net_send, mbedtls_net_recv, NULL);

	ctx->initialized = 1;
	TRACE("done\n");
	return 0;

 errexit:
	// cleanup
	TRACE("NG\n");
	return -1;
}
void DTLSMessageChannel::init()
{
	server_public = nullptr;
	mbedtls_ssl_init (&ssl_context);
	mbedtls_ssl_config_init (&conf);
	mbedtls_x509_crt_init (&clicert);
	mbedtls_pk_init (&pkey);
	mbedtls_debug_set_threshold(1);
}
Beispiel #11
0
static void ssl_init( SSLExt* ext )
{
    mbedtls_net_init( &ext->nc );
    mbedtls_ssl_init( &ext->sc );
    mbedtls_ssl_config_init( &ext->conf );
    mbedtls_ctr_drbg_init( &ext->ctr_drbg );
    mbedtls_entropy_init( &ext->entropy );

    //mbedtls_x509_crt_init( &ext->cacert );
}
Beispiel #12
0
/**
* @brief         Initation the SSL client.
* @param[in]     ssl: mbedtls ssl struct.
* @param[in]     tcp_fd. The underlying file descriptor.
* @param[in]     custom_config: custome config.
* @return        The result. 0 is ok.
*/
static int nghttp2_ssl_client_init(mbedtls_ssl_context *ssl,
                                   mbedtls_net_context *tcp_fd,
                                   http2_ssl_custom_conf_t *custom_config)
{
    int ret = -1;


    http2_verify_source_t *verify_source = &custom_config->verify_source;
    mbedtls_ssl_config *conf = &(custom_config->conf);

    /*
     * 0. Initialize the RNG and the session data
     */
#if defined(MBEDTLS_DEBUG_C)
    mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
    mbedtls_net_init( tcp_fd );
    mbedtls_ssl_init( ssl );
    mbedtls_ssl_config_init( conf );

    mbedtls_x509_crt_init( &(verify_source->cacertl) );
    mbedtls_ctr_drbg_init( &ctr_drbg );

    NGHTTP2_DBG( "\n  . Seeding the random number generator..." );

    mbedtls_entropy_init( &entropy );
    if ( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
                                        (const unsigned char *) pers,
                                        strlen( pers ) ) ) != 0 ) {
        NGHTTP2_DBG( " failed\n  ! mbedtls_ctr_drbg_seed returned %d\n", ret );
        return ret;
    }

    NGHTTP2_DBG( " ok\n" );

    /*
     * 0. Initialize certificates
     */

    NGHTTP2_DBG( "  . Loading the CA root certificate ..." );

    if (NULL != verify_source->trusted_ca_crt) {
        if (0 != (ret = mbedtls_x509_crt_parse(&verify_source->cacertl,
                                               (unsigned char *)verify_source->trusted_ca_crt,
                                               strlen(verify_source->trusted_ca_crt) + 1))) {
            NGHTTP2_DBG(" failed ! x509parse_crt returned -0x%04x", -ret);
            return ret;
        }
    }

    NGHTTP2_DBG( " ok (%d skipped)", ret );

    return 0;
}
Beispiel #13
0
SSLContextData * SSLContext::constructor(State & state, bool & managed) {
    SSLContextData * ssl_context_data = new SSLContextData;
    ssl_context_data->context = new mbedtls_ssl_context;
    ssl_context_data->state = &state;
    ssl_context_data->recvRef = LUA_REFNIL;
    ssl_context_data->recvTimeoutRef = LUA_REFNIL;
    ssl_context_data->sendRef = LUA_REFNIL;
    memset(ssl_context_data->context, 0, sizeof(mbedtls_ssl_context));
    mbedtls_ssl_init(ssl_context_data->context);
    return ssl_context_data;
}
Beispiel #14
0
static dukf_ssl_context_t *create_dukf_ssl_context(const char *hostname, int fd) {
	char errortext[256];
	dukf_ssl_context_t *dukf_ssl_context;

	dukf_ssl_context = malloc(sizeof(dukf_ssl_context_t));
	mbedtls_ssl_init(&dukf_ssl_context->ssl);
	mbedtls_ssl_config_init(&dukf_ssl_context->conf);
	mbedtls_x509_crt_init(&dukf_ssl_context->cacert);
	mbedtls_ctr_drbg_init(&dukf_ssl_context->ctr_drbg);
	mbedtls_entropy_init(&dukf_ssl_context->entropy);

	mbedtls_ssl_conf_dbg(&dukf_ssl_context->conf, debug_log, NULL);
	dukf_ssl_context->fd = fd;

  int rc = mbedtls_ctr_drbg_seed(
     &dukf_ssl_context->ctr_drbg,
     mbedtls_entropy_func, &dukf_ssl_context->entropy, (const unsigned char *) pers, strlen(pers));
  if (rc != 0) {
     LOGE(" failed\n  ! mbedtls_ctr_drbg_seed returned %d", rc);
     return NULL;
  }

  rc = mbedtls_ssl_config_defaults(
		&dukf_ssl_context->conf,
		MBEDTLS_SSL_IS_CLIENT,
		MBEDTLS_SSL_TRANSPORT_STREAM,
		MBEDTLS_SSL_PRESET_DEFAULT);
	if (rc != 0) {
		 LOGE("mbedtls_ssl_config_defaults returned %d", rc);
		 return NULL;
	}

	mbedtls_ssl_conf_authmode(&dukf_ssl_context->conf, MBEDTLS_SSL_VERIFY_NONE);

	mbedtls_ssl_conf_rng(&dukf_ssl_context->conf, mbedtls_ctr_drbg_random, &dukf_ssl_context->ctr_drbg);

	rc = mbedtls_ssl_setup(&dukf_ssl_context->ssl, &dukf_ssl_context->conf);
	if (rc != 0) {
		 mbedtls_strerror(rc, errortext, sizeof(errortext));
		 LOGE("error from mbedtls_ssl_setup: %d - %x - %s\n", rc, rc, errortext);
		 return NULL;
	}

	rc = mbedtls_ssl_set_hostname(&dukf_ssl_context->ssl, hostname);
	if (rc) {
		 mbedtls_strerror(rc, errortext, sizeof(errortext));
		 LOGE("error from mbedtls_ssl_set_hostname: %s %d - %x - %s", hostname, rc, rc, errortext);
		 return NULL;
	}

	mbedtls_ssl_set_bio(&dukf_ssl_context->ssl, dukf_ssl_context, ssl_send, ssl_recv, NULL);
	return dukf_ssl_context;
} // create_ssl_socket
Beispiel #15
0
static value ssl_new( value config ) {
	int ret;
	mbedtls_ssl_context *ssl;
	val_check_kind(config,k_ssl_conf);
	ssl = (mbedtls_ssl_context *)alloc(sizeof(mbedtls_ssl_context));
	mbedtls_ssl_init(ssl);
	if( (ret = mbedtls_ssl_setup(ssl, val_conf(config))) != 0 ){
		mbedtls_ssl_free(ssl);
		return ssl_error(ret);
	}
	return alloc_abstract( k_ssl, ssl );
}
Beispiel #16
0
/* Accept incoming TLS connection
 */
int tls_accept(int *sock, mbedtls_ssl_context *context, mbedtls_ssl_config *config, int timeout) {
	int result, handshake;
	struct timeval timer;
	time_t start_time;

	mbedtls_ssl_init(context);

	if (mbedtls_ctr_drbg_reseed(&ctr_drbg, (const unsigned char*)"client thread", 13) != 0) {
		return -1;
	}

	if (mbedtls_ssl_setup(context, config) != 0) {
		return -1;
	}

	mbedtls_ssl_set_bio(context, sock, mbedtls_net_send, mbedtls_net_recv, NULL);

	timer.tv_sec = timeout;
	timer.tv_usec = 0;
	setsockopt(*sock, SOL_SOCKET, SO_RCVTIMEO, (void*)&timer, sizeof(struct timeval));
	start_time = time(NULL);

	result = TLS_HANDSHAKE_OKE;
	while ((handshake = mbedtls_ssl_handshake(context)) != 0) {
		if (handshake == MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) {
			mbedtls_ssl_free(context);
			result = TLS_HANDSHAKE_NO_MATCH;
			break;
		}

		if ((handshake != MBEDTLS_ERR_SSL_WANT_READ) && (handshake != MBEDTLS_ERR_SSL_WANT_WRITE)) {
			mbedtls_ssl_free(context);
			result = TLS_HANDSHAKE_ERROR;
			break;
		}

		if (time(NULL) - start_time >= timeout) {
			mbedtls_ssl_free(context);
			result = TLS_HANDSHAKE_TIMEOUT;
			break;
		}
	}

	if (result == TLS_HANDSHAKE_OKE) {
		timer.tv_sec = 0;
		timer.tv_usec = 0;
		setsockopt(*sock, SOL_SOCKET, SO_RCVTIMEO, (void*)&timer, sizeof(struct timeval));
	}

	return result;
}
Beispiel #17
0
static void
rb_ssl_setup_client_context(rb_fde_t *F)
{
	int ret;

	mbedtls_ssl_init(SSL_P(ssl));
	if ((ret = mbedtls_ssl_setup(SSL_P(F), &F->sctx->config)) != 0)
	{
		rb_lib_log("rb_ssl_setup_client_context: failed to set up ssl context: -0x%x", -ret);
		rb_close(F);
		return;
	}

	mbedtls_ssl_set_bio(SSL_P(ssl), F, rb_ssl_write_cb, rb_ssl_read_cb, NULL);
}
void ssl_init(SSLConnection* conn) {
    /*
     * Initialize the RNG and the session data
     */
    mbedtls_net_init(&conn->net_ctx);
    mbedtls_ssl_init(&conn->ssl_ctx);
    mbedtls_ssl_config_init(&conn->ssl_conf);

    mbedtls_x509_crt_init(&conn->ca_cert);
    mbedtls_x509_crt_init(&conn->client_cert);
    mbedtls_pk_init(&conn->client_key);

    mbedtls_ctr_drbg_init(&conn->drbg_ctx);
    mbedtls_entropy_init(&conn->entropy_ctx);

}
Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname) {

	base = p_base;
	int ret = 0;
	int authmode = p_validate_certs ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;

	mbedtls_ssl_init(&ssl);
	mbedtls_ssl_config_init(&conf);
	mbedtls_ctr_drbg_init(&ctr_drbg);
	mbedtls_entropy_init(&entropy);

	ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
	if (ret != 0) {
		ERR_PRINTS(" failed\n  ! mbedtls_ctr_drbg_seed returned an error" + itos(ret));
		return FAILED;
	}

	mbedtls_ssl_config_defaults(&conf,
			MBEDTLS_SSL_IS_CLIENT,
			MBEDTLS_SSL_TRANSPORT_STREAM,
			MBEDTLS_SSL_PRESET_DEFAULT);

	mbedtls_ssl_conf_authmode(&conf, authmode);
	mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
	mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
	mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
	mbedtls_ssl_setup(&ssl, &conf);
	mbedtls_ssl_set_hostname(&ssl, p_for_hostname.utf8().get_data());

	mbedtls_ssl_set_bio(&ssl, this, bio_send, bio_recv, NULL);

	while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
		if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
			ERR_PRINTS("TLS handshake error: " + itos(ret));
			_print_error(ret);
			status = STATUS_ERROR_HOSTNAME_MISMATCH;
			return FAILED;
		}
	}

	connected = true;
	status = STATUS_CONNECTED;

	return OK;
}
Beispiel #20
0
static
Socket *dslink_socket_init(uint_fast8_t secure) {
    if (secure) {
        SslSocket *s = malloc(sizeof(SslSocket));
        if (!s) {
            return NULL;
        }
        s->secure = 1;
        s->socket_fd = malloc(sizeof(mbedtls_net_context));
        s->entropy = malloc(sizeof(mbedtls_entropy_context));
        s->drbg = malloc(sizeof(mbedtls_ctr_drbg_context));
        s->ssl = malloc(sizeof(mbedtls_ssl_context));
        s->conf = malloc(sizeof(mbedtls_ssl_config));

        if (!(s->socket_fd && s->entropy && s->drbg && s->ssl && s->conf)) {
            DSLINK_CHECKED_EXEC(free, s->socket_fd);
            DSLINK_CHECKED_EXEC(free, s->entropy);
            DSLINK_CHECKED_EXEC(free, s->drbg);
            DSLINK_CHECKED_EXEC(free, s->ssl);
            DSLINK_CHECKED_EXEC(free, s->conf);
            free(s);
            return NULL;
        }

        mbedtls_net_init(s->socket_fd);
        mbedtls_entropy_init(s->entropy);
        mbedtls_ctr_drbg_init(s->drbg);
        mbedtls_ssl_init(s->ssl);
        mbedtls_ssl_config_init(s->conf);
        return (Socket *) s;
    } else {
        Socket *s = malloc(sizeof(Socket));
        if (!s) {
            return NULL;
        }
        s->secure = 0;
        s->socket_fd = malloc(sizeof(mbedtls_net_context));
        if (!s->socket_fd) {
            free(s);
            return NULL;
        }
        return s;
    }
}
Beispiel #21
0
int websocket_server_authenticate(websocket_t *server)
{
	int r;

	if (server->tls_enabled) {
		server->tls_ssl = malloc(sizeof(mbedtls_ssl_context));
		if (server->tls_ssl == NULL) {
			WEBSOCKET_DEBUG("fail to allocate memory for server\n");
			r = WEBSOCKET_ALLOCATION_ERROR;
			goto EXIT_SERVER_START;
		}

		mbedtls_ssl_init(server->tls_ssl);
		mbedtls_net_init(&(server->tls_net));

		if ((r = websocket_tls_handshake(server, NULL, server->auth_mode)) != WEBSOCKET_SUCCESS) {
			WEBSOCKET_DEBUG("fail to tls handshake\n");
			r = WEBSOCKET_TLS_HANDSHAKE_ERROR;
			goto EXIT_SERVER_START;
		}
	}

	if (websocket_server_handshake(server) != WEBSOCKET_SUCCESS) {
		WEBSOCKET_DEBUG("fail to handshake\n");
		r = WEBSOCKET_HANDSHAKE_ERROR;
		goto EXIT_SERVER_START;
	}

	return websocket_server_init(server);

EXIT_SERVER_START:
	WEBSOCKET_CLOSE(server->fd);

	if (server->tls_enabled) {
		mbedtls_ssl_free(server->tls_ssl);
		mbedtls_net_free(&(server->tls_net));
		WEBSOCKET_FREE(server->tls_ssl);
	}

	websocket_update_state(server, WEBSOCKET_STOP);

	return r;
}
static pmbedtls_msg mbedtls_msg_new(void)
{
	pmbedtls_msg msg = (pmbedtls_msg)os_zalloc( sizeof(mbedtls_msg));
	if (msg) {
		os_bzero(msg, sizeof(mbedtls_msg));
		msg->psession = mbedtls_session_new();
		if (msg->psession){
			mbedtls_net_init(&msg->listen_fd);
			mbedtls_net_init(&msg->fd);
			mbedtls_ssl_init(&msg->ssl);
			mbedtls_ssl_config_init(&msg->conf);		
			mbedtls_ctr_drbg_init(&msg->ctr_drbg);
			mbedtls_entropy_init(&msg->entropy);
		} else{
			os_free(msg);
			msg = NULL;
		}
	}
	return msg;
}
Beispiel #23
0
static int session_init(const global_context *gc,
                        session_context *sc,
                        const mbedtls_net_context *client_fd,
                        unsigned char client_ip[16], size_t cliip_len,
                        const unsigned char* first_packet, size_t first_packet_len) {
  int ret;

  memset(sc, 0, sizeof(*sc));
  memcpy(&sc->client_fd, client_fd, sizeof(sc->client_fd));
  if (cliip_len > sizeof(sc->client_ip)) {
    log_error("session_init - client_ip size mismatch");
    return 1;
  }
  memcpy(&sc->client_ip, client_ip, cliip_len);
  sc->cliip_len = cliip_len;
  mbedtls_ssl_init(&sc->ssl);
  mbedtls_net_init(&sc->backend_fd);
  sc->step = GOLDY_SESSION_STEP_HANDSHAKE;
  sc->options = gc->options;

  if ((ret = mbedtls_ssl_setup(&sc->ssl, &gc->conf)) != 0) {
    check_return_code(ret, "session_init - mbedtls_ssl_steup");
    return 1;
  }

  //mbedtls_ssl_set_hostname(&sc->ssl, "localhost");
  mbedtls_ssl_set_timer_cb(&sc->ssl, &sc->timer,
                           mbedtls_timing_set_delay,
                           mbedtls_timing_get_delay);

  /* We already read the first packet of the SSL session from the network in
   * the initial recvfrom() call on the listening fd. Here we copy the content
   * of that packet into the SSL incoming data buffer so it'll be consumed on
   * the next call to mbedtls_ssl_fetch_input(). */
  if (first_packet_len<MBEDTLS_SSL_BUFFER_LEN) {
    memcpy(sc->ssl.in_hdr, first_packet, first_packet_len);
    sc->ssl.in_left = first_packet_len;
  }

  return 0;
}
Beispiel #24
0
/* Returns an opaque ssl context */
int openssl_connect(struct connection *conn)
{
	if (!initialized) {
		initialized = 1;

		mbedtls_entropy_init(&entropy);
		mbedtls_ctr_drbg_init(&ctr_drbg);

		mbedtls_ssl_config_init(&config);
		if (mbedtls_ssl_config_defaults(&config,
										MBEDTLS_SSL_IS_CLIENT,
										MBEDTLS_SSL_TRANSPORT_STREAM,
										MBEDTLS_SSL_PRESET_DEFAULT)) {
			printf("Unable to initialize ssl defaults\n");
			exit(1);
		}
	}

	mbedtls_ssl_context *ssl = malloc(sizeof(mbedtls_ssl_context));
	if (!ssl) {
		printf("Out of memory");
		return 1;
	}

	mbedtls_ssl_init(ssl);
	if (mbedtls_ssl_setup(ssl, &config)) {
		printf("Unable to set ssl defaults\n");
		exit(1);
	}

	conn->ssl = ssl;


//	mbedtls_ssl_set_rng(ssl, ctr_drbg_random, &ctr_drbg);

	int *fd = &conn->poll->fd;
	mbedtls_ssl_set_bio(ssl, fd, mbedtls_net_send, mbedtls_net_recv, NULL);

	return openssl_check_connect(conn);
}
Beispiel #25
0
int _ssl_connect(nsp_state *N, TCP_SOCKET *sock)
{
#define __FN__ __FILE__ ":_ssl_connect()"
#if defined HAVE_OPENSSL
	/* X509 *server_cert; */
	int rc;

	_ssl_init(N, sock, 0, NULL, NULL);
	sock->ssl = SSL_new(sock->ssl_ctx);
	SSL_set_fd(sock->ssl, sock->socket);
	if ((rc = SSL_connect(sock->ssl)) == -1) {
		n_warn(N, __FN__, "SSL_connect error %d", rc);
		return -1;
	}
	/* the rest is optional */
/*
	printf("SSL connection using %s\r\n", SSL_get_cipher(sock->ssl));
	if ((server_cert=SSL_get_peer_certificate(sock->ssl))!=NULL) {
		X509_free(server_cert);
	}
*/
	return 0;
#elif defined HAVE_MBEDTLS
	int rc;

	_ssl_init(N, sock, 0, NULL, NULL);
	sock->net_context.fd = sock->socket;
	mbedtls_ssl_init(&sock->ssl);
	if ((rc = mbedtls_ssl_setup(&sock->ssl, &sock->conf)) != 0) {
		print_mbedtls_error(N, __FN__, rc);
		return -1;
	}
	mbedtls_ssl_set_bio(&sock->ssl, &sock->net_context, mbedtls_net_send, mbedtls_net_recv, NULL);
	nc_memset((void *)&sock->ssn, 0, sizeof(mbedtls_ssl_session));
	mbedtls_ssl_set_session(&sock->ssl, &sock->ssn);
	return 0;
#endif
#undef __FN__
}
Beispiel #26
0
struct flb_tls_session *flb_tls_session_new(struct flb_tls_context *ctx)
{
    int ret;
    struct flb_tls_session *session;

    session = malloc(sizeof(struct flb_tls_session));
    if (!session) {
        return NULL;
    }

    mbedtls_ssl_init(&session->ssl);
    mbedtls_ssl_config_init(&session->conf);

    ret = mbedtls_ssl_config_defaults(&session->conf,
                                      MBEDTLS_SSL_IS_CLIENT,
                                      MBEDTLS_SSL_TRANSPORT_STREAM,
                                      MBEDTLS_SSL_PRESET_DEFAULT);
    if (ret != 0) {
        io_tls_error(ret);
    }

    mbedtls_ssl_conf_rng(&session->conf,
                         mbedtls_ctr_drbg_random,
                         &ctx->ctr_drbg);
    mbedtls_ssl_conf_authmode(&session->conf, MBEDTLS_SSL_VERIFY_NONE);

    ret = mbedtls_ssl_setup(&session->ssl, &session->conf);
    if (ret == -1) {
        flb_error("[tls] ssl_setup");
        goto error;
    }

    return session;

 error:
    free(session);
    return NULL;
}
static unsigned int _DTLSContext_setup(dtls_session_t *p_dtls_session, coap_dtls_options_t  *p_options)
{
    int   result = 0;

    mbedtls_ssl_init(&p_dtls_session->context);

    result = mbedtls_ssl_setup(&p_dtls_session->context, &p_dtls_session->conf);
    DTLS_TRC("mbedtls_ssl_setup result 0x%04x\r\n", result);

    if (result == 0) {
        if (p_dtls_session->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
            mbedtls_ssl_set_timer_cb(&p_dtls_session->context,
                                     (void *)&p_dtls_session->timer,
                                     mbedtls_timing_set_delay,
                                     mbedtls_timing_get_delay);
        }

#ifdef MBEDTLS_X509_CRT_PARSE_C
        DTLS_TRC("mbedtls_ssl_set_hostname %s\r\n", p_options->p_host);
        mbedtls_ssl_set_hostname(&p_dtls_session->context, p_options->p_host);
#endif
        mbedtls_ssl_set_bio(&p_dtls_session->context,
                            (void *)&p_dtls_session->fd,
                            mbedtls_net_send,
                            mbedtls_net_recv,
                            mbedtls_net_recv_timeout);
        DTLS_TRC("mbedtls_ssl_set_bio result 0x%04x\r\n", result);

        do {
            result = mbedtls_ssl_handshake(&p_dtls_session->context);
        } while (result == MBEDTLS_ERR_SSL_WANT_READ ||
                 result == MBEDTLS_ERR_SSL_WANT_WRITE);
        DTLS_TRC("mbedtls_ssl_handshake result 0x%04x\r\n", result);
    }

    return (result ? DTLS_HANDSHAKE_FAILED : DTLS_SUCCESS);
}
static int coap_security_handler_init(coap_security_t *sec){
    const char *pers = "dtls_client";
#ifdef COAP_SERVICE_PROVIDE_STRONG_ENTROPY_SOURCE
    const int entropy_source_type = MBEDTLS_ENTROPY_SOURCE_STRONG;
#else
    const int entropy_source_type = MBEDTLS_ENTROPY_SOURCE_WEAK;
#endif
    
    mbedtls_ssl_init( &sec->_ssl );
    mbedtls_ssl_config_init( &sec->_conf );
    mbedtls_ctr_drbg_init( &sec->_ctr_drbg );
    mbedtls_entropy_init( &sec->_entropy );

#if defined(MBEDTLS_X509_CRT_PARSE_C)
    mbedtls_x509_crt_init( &sec->_cacert );
    mbedtls_x509_crt_init( &sec->_owncert );
#endif
    mbedtls_pk_init( &sec->_pkey );

    memset(&sec->_cookie, 0, sizeof(simple_cookie_t));
    memset(&sec->_keyblk, 0, sizeof(key_block_t));

    sec->_is_started = false;

    if( mbedtls_entropy_add_source( &sec->_entropy, entropy_poll, NULL,
                                128, entropy_source_type ) < 0 ){
        return -1;
    }

    if( ( mbedtls_ctr_drbg_seed( &sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
        return -1;
    }
    return 0;
}
Beispiel #29
0
int _ssl_accept(nsp_state *N, TCP_SOCKET *bsock, TCP_SOCKET *asock)
{
#define __FN__ __FILE__ ":_ssl_accept()"
#if defined HAVE_OPENSSL
	if ((asock->ssl = SSL_new(bsock->ssl_ctx)) == NULL) {
		return -1;
	}
	/*	SSL_clear(asock->ssl); */
	SSL_set_fd(asock->ssl, asock->socket);
	if (SSL_accept(asock->ssl) == -1) {
		return -1;
	}
	return 0;
#elif defined HAVE_MBEDTLS
	int rc;

	asock->net_context.fd = asock->socket;
	mbedtls_ssl_init(&asock->ssl);
	if ((rc = mbedtls_ssl_setup(&asock->ssl, &bsock->conf)) != 0) {
		print_mbedtls_error(N, __FN__, rc);
		return -1;
	}
	//mbedtls_ssl_session_reset(&asock->ssl);
	mbedtls_ssl_set_bio(&asock->ssl, &asock->net_context, mbedtls_net_send, mbedtls_net_recv, NULL);
	if ((rc = mbedtls_ssl_handshake(&asock->ssl)) < 0) {
		if (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE) {
			print_mbedtls_error(N, __FN__, rc);
		}
		else {
			print_mbedtls_error(N, __FN__, rc);
		}
	}
	return rc;
#endif
#undef __FN__
}
Beispiel #30
0
/* Connect to remote server via TLS
 */
int tls_connect(mbedtls_ssl_context *context, int *sock, char *hostname) {
	if (mbedtls_ctr_drbg_reseed(&ctr_drbg, (const unsigned char*)"Reverse Proxy", 13) != 0) {
		return -1;
	}

	mbedtls_ssl_init(context);

	if (mbedtls_ssl_setup(context, &client_config) != 0) {
		return -1;
	}

	mbedtls_ssl_set_bio(context, sock, mbedtls_net_send, mbedtls_net_recv, NULL);

	if (hostname != NULL) {
		mbedtls_ssl_set_hostname(context, hostname);
	}

	if (mbedtls_ssl_handshake(context) != 0) {
		mbedtls_ssl_free(context);
		return TLS_HANDSHAKE_ERROR;
	}

	return TLS_HANDSHAKE_OKE;
}