static int tls_server_accept(void)
{
int ret;
mbedtls_net_context client;
mbedtls_net_init(&client);
ret = mbedtls_net_accept(&stls.fd, &client, NULL, 0, NULL);
if (ret || ccnt >= MAXCLIENTS) {
printf("max clients\n");
goto err;
}
struct client *c = ctls + ccnt;
c->fd = client;
mbedtls_ssl_init(&c->ssl);
ret = mbedtls_ssl_setup(&c->ssl, &stls.conf);
if (ret) {
printf("cannot setup the ssl session\n");
goto err;
}
mbedtls_ssl_set_bio(&c->ssl, &c->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
c->handler = tls_client_handshake;
ccnt++;
return 0;
err:
mbedtls_net_free(&client);
return -1;
}
static err_t
altcp_mbedtls_setup(void *conf, struct altcp_pcb *conn, struct altcp_pcb *inner_conn)
{
int ret;
struct altcp_tls_config *config = (struct altcp_tls_config *)conf;
altcp_mbedtls_state_t *state;
if (!conf) {
return ERR_ARG;
}
LWIP_ASSERT("invalid inner_conn", conn != inner_conn);
/* allocate mbedtls context */
state = altcp_mbedtls_alloc(conf);
if (state == NULL) {
return ERR_MEM;
}
/* initialize mbedtls context: */
mbedtls_ssl_init(&state->ssl_context);
ret = mbedtls_ssl_setup(&state->ssl_context, &config->conf);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_setup failed\n"));
/* @todo: convert 'ret' to err_t */
altcp_mbedtls_free(conf, state);
return ERR_MEM;
}
/* tell mbedtls about our I/O functions */
mbedtls_ssl_set_bio(&state->ssl_context, conn, altcp_mbedtls_bio_send, altcp_mbedtls_bio_recv, NULL);
altcp_mbedtls_setup_callbacks(conn, inner_conn);
conn->inner_conn = inner_conn;
conn->fns = &altcp_mbedtls_functions;
conn->state = state;
return ERR_OK;
}
static void mbedtls_msg_server_step(pmbedtls_msg msg)
{
lwIP_ASSERT(msg);
/*to prevent memory leaks, ensure that each allocated is deleted at every handshake*/
if (msg->psession){
mbedtls_session_free(&msg->psession);
}
#if defined(ESP8266_PLATFORM)
if (msg->quiet && msg->ssl.out_buf)
{
mbedtls_zeroize(msg->ssl.out_buf, MBEDTLS_SSL_OUTBUFFER_LEN);
os_free(msg->ssl.out_buf);
msg->ssl.out_buf = NULL;
}
#endif
mbedtls_entropy_free(&msg->entropy);
mbedtls_ssl_free(&msg->ssl);
mbedtls_ssl_config_free(&msg->conf);
mbedtls_ctr_drbg_free(&msg->ctr_drbg);
/*New connection ensure that each initial for next handshake */
os_bzero(msg, sizeof(mbedtls_msg));
msg->psession = mbedtls_session_new();
if (msg->psession){
mbedtls_net_init(&msg->fd);
mbedtls_ssl_init(&msg->ssl);
mbedtls_ssl_config_init(&msg->conf);
mbedtls_ctr_drbg_init(&msg->ctr_drbg);
mbedtls_entropy_init(&msg->entropy);
}
}
int iot_tls_init(Network *pNetwork) {
IoT_Error_t ret_val = NONE_ERROR;
const char *pers = "aws_iot_tls_wrapper";
unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
mbedtls_net_init(&server_fd);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_x509_crt_init(&cacert);
mbedtls_x509_crt_init(&clicert);
mbedtls_pk_init(&pkey);
DEBUG("\n . Seeding the random number generator...");
mbedtls_entropy_init(&entropy);
if ((ret_val = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *) pers,
strlen(pers))) != 0) {
ERROR(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%x\n", -ret);
return ret;
} DEBUG("ok\n");
pNetwork->my_socket = 0;
pNetwork->connect = iot_tls_connect;
pNetwork->mqttread = iot_tls_read;
pNetwork->mqttwrite = iot_tls_write;
pNetwork->disconnect = iot_tls_disconnect;
pNetwork->isConnected = iot_tls_is_connected;
pNetwork->destroy = iot_tls_destroy;
return ret_val;
}
int websocket_connect(websocket_t *client, char *host, const char *port)
{
int r;
int tls_hs_retry = WEBSOCKET_MAX_TLS_HANDSHAKE;
TLS_HS_RETRY:
if ((r = connect_socket(client, host, port)) != WEBSOCKET_SUCCESS) {
return r;
}
if (websocket_config_socket(client->fd) != WEBSOCKET_SUCCESS) {
WEBSOCKET_CLOSE(client->fd);
return WEBSOCKET_SOCKET_ERROR;
}
if (client->tls_enabled) {
if ((r = websocket_tls_handshake(client, host, client->auth_mode)) != WEBSOCKET_SUCCESS) {
if (r == MBEDTLS_ERR_NET_SEND_FAILED || r == MBEDTLS_ERR_NET_RECV_FAILED || r == MBEDTLS_ERR_SSL_CONN_EOF) {
if (tls_hs_retry-- > 0) {
WEBSOCKET_DEBUG("Handshake again.... \n");
mbedtls_net_free(&(client->tls_net));
mbedtls_ssl_free(client->tls_ssl);
mbedtls_ssl_init(client->tls_ssl);
goto TLS_HS_RETRY;
}
}
return WEBSOCKET_TLS_HANDSHAKE_ERROR;
}
}
return r;
}
void* ssl_socket_init(int fd, const char *domain)
{
struct ssl_state *state = (struct ssl_state*)calloc(1, sizeof(*state));
state->domain = domain;
mbedtls_debug_set_threshold(DEBUG_LEVEL);
mbedtls_net_init(&state->net_ctx);
mbedtls_ssl_init(&state->ctx);
mbedtls_ssl_config_init(&state->conf);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init(&state->ca);
#endif
mbedtls_ctr_drbg_init(&state->ctr_drbg);
mbedtls_entropy_init(&state->entropy);
state->net_ctx.fd = fd;
if (mbedtls_ctr_drbg_seed(&state->ctr_drbg, mbedtls_entropy_func, &state->entropy, (const unsigned char*)pers, strlen(pers)) != 0)
goto error;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if (mbedtls_x509_crt_parse(&state->ca, (const unsigned char*)cacert_pem, sizeof(cacert_pem) / sizeof(cacert_pem[0])) < 0)
goto error;
#endif
return state;
error:
if (state)
free(state);
return NULL;
}
dtls_session_t *_DTLSSession_init()
{
dtls_session_t *p_dtls_session = NULL;
p_dtls_session = coap_malloc(sizeof(dtls_session_t));
mbedtls_debug_set_threshold(0);
mbedtls_platform_set_calloc_free(_DTLSCalloc_wrapper, _DTLSFree_wrapper);
if (NULL != p_dtls_session) {
mbedtls_net_init(&p_dtls_session->fd);
mbedtls_ssl_init(&p_dtls_session->context);
mbedtls_ssl_config_init(&p_dtls_session->conf);
mbedtls_net_init(&p_dtls_session->fd);
mbedtls_ssl_cookie_init(&p_dtls_session->cookie_ctx);
#ifdef MBEDTLS_X509_CRT_PARSE_C
mbedtls_x509_crt_init(&p_dtls_session->cacert);
#endif
mbedtls_ctr_drbg_init(&p_dtls_session->ctr_drbg);
mbedtls_entropy_init(&p_dtls_session->entropy);
DTLS_INFO("HAL_DTLSSession_init success\r\n");
}
return p_dtls_session;
}
static int coap_security_handler_init(coap_security_t *sec){
const char *pers = "dtls_client";
mbedtls_ssl_init( &sec->_ssl );
mbedtls_ssl_config_init( &sec->_conf );
mbedtls_ctr_drbg_init( &sec->_ctr_drbg );
mbedtls_entropy_init( &sec->_entropy );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &sec->_cacert );
mbedtls_x509_crt_init( &sec->_owncert );
#endif
mbedtls_pk_init( &sec->_pkey );
memset(&sec->_cookie, 0, sizeof(simple_cookie_t));
memset(&sec->_keyblk, 0, sizeof(key_block_t));
sec->_is_started = false;
//TODO: Must have at least 1 strong entropy source, otherwise DTLS will fail.
//This is NOT strong even we say it is!
if( mbedtls_entropy_add_source( &sec->_entropy, entropy_poll, NULL,
128, 1 ) < 0 ){
return -1;
}
if( ( mbedtls_ctr_drbg_seed( &sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
return -1;
}
return 0;
}
// コンテキストを初期化します。
// mtls_alloc() に続いてコールしてください。
// 成功すれば 0、失敗すれば -1 を返します。
int
mtls_init(mtlsctx_t* ctx)
{
int r;
TRACE("start\n");
// グローバルコンテキストの初期化
if (gctx.initialized == 0) {
mbedtls_ctr_drbg_init(&gctx.ctr_drbg);
mbedtls_entropy_init(&gctx.entropy);
// init RNG
r = mbedtls_ctr_drbg_seed(&gctx.ctr_drbg, mbedtls_entropy_func,
&gctx.entropy, "a", 1);
if (r != 0) {
ERROR("mbedtls_ctr_drbg_seed failed: %s\n", mtls_errmsg(r));
goto errexit;
}
gctx.initialized = 1;
}
ctx->usessl = 0;
mbedtls_net_init(&ctx->net);
mbedtls_ssl_init(&ctx->ssl);
mbedtls_ssl_config_init(&ctx->conf);
// TLS config
r = mbedtls_ssl_config_defaults(&ctx->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (r != 0) {
ERROR("mbedtls_ssl_config_defaults failed: %s\n", mtls_errmsg(r));
goto errexit;
}
mbedtls_ssl_conf_authmode(&ctx->conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&ctx->conf, mbedtls_ctr_drbg_random, &gctx.ctr_drbg);
mbedtls_ssl_conf_dbg(&ctx->conf, debug_callback, stderr);
r = mbedtls_ssl_setup(&ctx->ssl, &ctx->conf);
if (r != 0) {
ERROR("mbedtls_ssl_setup failed: %s\n", mtls_errmsg(r));
goto errexit;
}
mbedtls_ssl_set_bio(&ctx->ssl, &ctx->net, mbedtls_net_send, mbedtls_net_recv, NULL);
ctx->initialized = 1;
TRACE("done\n");
return 0;
errexit:
// cleanup
TRACE("NG\n");
return -1;
}
void DTLSMessageChannel::init()
{
server_public = nullptr;
mbedtls_ssl_init (&ssl_context);
mbedtls_ssl_config_init (&conf);
mbedtls_x509_crt_init (&clicert);
mbedtls_pk_init (&pkey);
mbedtls_debug_set_threshold(1);
}
static void ssl_init( SSLExt* ext )
{
mbedtls_net_init( &ext->nc );
mbedtls_ssl_init( &ext->sc );
mbedtls_ssl_config_init( &ext->conf );
mbedtls_ctr_drbg_init( &ext->ctr_drbg );
mbedtls_entropy_init( &ext->entropy );
//mbedtls_x509_crt_init( &ext->cacert );
}
/**
* @brief Initation the SSL client.
* @param[in] ssl: mbedtls ssl struct.
* @param[in] tcp_fd. The underlying file descriptor.
* @param[in] custom_config: custome config.
* @return The result. 0 is ok.
*/
static int nghttp2_ssl_client_init(mbedtls_ssl_context *ssl,
mbedtls_net_context *tcp_fd,
http2_ssl_custom_conf_t *custom_config)
{
int ret = -1;
http2_verify_source_t *verify_source = &custom_config->verify_source;
mbedtls_ssl_config *conf = &(custom_config->conf);
/*
* 0. Initialize the RNG and the session data
*/
#if defined(MBEDTLS_DEBUG_C)
mbedtls_debug_set_threshold(DEBUG_LEVEL);
#endif
mbedtls_net_init( tcp_fd );
mbedtls_ssl_init( ssl );
mbedtls_ssl_config_init( conf );
mbedtls_x509_crt_init( &(verify_source->cacertl) );
mbedtls_ctr_drbg_init( &ctr_drbg );
NGHTTP2_DBG( "\n . Seeding the random number generator..." );
mbedtls_entropy_init( &entropy );
if ( ( ret = mbedtls_ctr_drbg_seed( &ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 ) {
NGHTTP2_DBG( " failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret );
return ret;
}
NGHTTP2_DBG( " ok\n" );
/*
* 0. Initialize certificates
*/
NGHTTP2_DBG( " . Loading the CA root certificate ..." );
if (NULL != verify_source->trusted_ca_crt) {
if (0 != (ret = mbedtls_x509_crt_parse(&verify_source->cacertl,
(unsigned char *)verify_source->trusted_ca_crt,
strlen(verify_source->trusted_ca_crt) + 1))) {
NGHTTP2_DBG(" failed ! x509parse_crt returned -0x%04x", -ret);
return ret;
}
}
NGHTTP2_DBG( " ok (%d skipped)", ret );
return 0;
}
SSLContextData * SSLContext::constructor(State & state, bool & managed) {
SSLContextData * ssl_context_data = new SSLContextData;
ssl_context_data->context = new mbedtls_ssl_context;
ssl_context_data->state = &state;
ssl_context_data->recvRef = LUA_REFNIL;
ssl_context_data->recvTimeoutRef = LUA_REFNIL;
ssl_context_data->sendRef = LUA_REFNIL;
memset(ssl_context_data->context, 0, sizeof(mbedtls_ssl_context));
mbedtls_ssl_init(ssl_context_data->context);
return ssl_context_data;
}
static dukf_ssl_context_t *create_dukf_ssl_context(const char *hostname, int fd) {
char errortext[256];
dukf_ssl_context_t *dukf_ssl_context;
dukf_ssl_context = malloc(sizeof(dukf_ssl_context_t));
mbedtls_ssl_init(&dukf_ssl_context->ssl);
mbedtls_ssl_config_init(&dukf_ssl_context->conf);
mbedtls_x509_crt_init(&dukf_ssl_context->cacert);
mbedtls_ctr_drbg_init(&dukf_ssl_context->ctr_drbg);
mbedtls_entropy_init(&dukf_ssl_context->entropy);
mbedtls_ssl_conf_dbg(&dukf_ssl_context->conf, debug_log, NULL);
dukf_ssl_context->fd = fd;
int rc = mbedtls_ctr_drbg_seed(
&dukf_ssl_context->ctr_drbg,
mbedtls_entropy_func, &dukf_ssl_context->entropy, (const unsigned char *) pers, strlen(pers));
if (rc != 0) {
LOGE(" failed\n ! mbedtls_ctr_drbg_seed returned %d", rc);
return NULL;
}
rc = mbedtls_ssl_config_defaults(
&dukf_ssl_context->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (rc != 0) {
LOGE("mbedtls_ssl_config_defaults returned %d", rc);
return NULL;
}
mbedtls_ssl_conf_authmode(&dukf_ssl_context->conf, MBEDTLS_SSL_VERIFY_NONE);
mbedtls_ssl_conf_rng(&dukf_ssl_context->conf, mbedtls_ctr_drbg_random, &dukf_ssl_context->ctr_drbg);
rc = mbedtls_ssl_setup(&dukf_ssl_context->ssl, &dukf_ssl_context->conf);
if (rc != 0) {
mbedtls_strerror(rc, errortext, sizeof(errortext));
LOGE("error from mbedtls_ssl_setup: %d - %x - %s\n", rc, rc, errortext);
return NULL;
}
rc = mbedtls_ssl_set_hostname(&dukf_ssl_context->ssl, hostname);
if (rc) {
mbedtls_strerror(rc, errortext, sizeof(errortext));
LOGE("error from mbedtls_ssl_set_hostname: %s %d - %x - %s", hostname, rc, rc, errortext);
return NULL;
}
mbedtls_ssl_set_bio(&dukf_ssl_context->ssl, dukf_ssl_context, ssl_send, ssl_recv, NULL);
return dukf_ssl_context;
} // create_ssl_socket
static value ssl_new( value config ) {
int ret;
mbedtls_ssl_context *ssl;
val_check_kind(config,k_ssl_conf);
ssl = (mbedtls_ssl_context *)alloc(sizeof(mbedtls_ssl_context));
mbedtls_ssl_init(ssl);
if( (ret = mbedtls_ssl_setup(ssl, val_conf(config))) != 0 ){
mbedtls_ssl_free(ssl);
return ssl_error(ret);
}
return alloc_abstract( k_ssl, ssl );
}
/* Accept incoming TLS connection
*/
int tls_accept(int *sock, mbedtls_ssl_context *context, mbedtls_ssl_config *config, int timeout) {
int result, handshake;
struct timeval timer;
time_t start_time;
mbedtls_ssl_init(context);
if (mbedtls_ctr_drbg_reseed(&ctr_drbg, (const unsigned char*)"client thread", 13) != 0) {
return -1;
}
if (mbedtls_ssl_setup(context, config) != 0) {
return -1;
}
mbedtls_ssl_set_bio(context, sock, mbedtls_net_send, mbedtls_net_recv, NULL);
timer.tv_sec = timeout;
timer.tv_usec = 0;
setsockopt(*sock, SOL_SOCKET, SO_RCVTIMEO, (void*)&timer, sizeof(struct timeval));
start_time = time(NULL);
result = TLS_HANDSHAKE_OKE;
while ((handshake = mbedtls_ssl_handshake(context)) != 0) {
if (handshake == MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION) {
mbedtls_ssl_free(context);
result = TLS_HANDSHAKE_NO_MATCH;
break;
}
if ((handshake != MBEDTLS_ERR_SSL_WANT_READ) && (handshake != MBEDTLS_ERR_SSL_WANT_WRITE)) {
mbedtls_ssl_free(context);
result = TLS_HANDSHAKE_ERROR;
break;
}
if (time(NULL) - start_time >= timeout) {
mbedtls_ssl_free(context);
result = TLS_HANDSHAKE_TIMEOUT;
break;
}
}
if (result == TLS_HANDSHAKE_OKE) {
timer.tv_sec = 0;
timer.tv_usec = 0;
setsockopt(*sock, SOL_SOCKET, SO_RCVTIMEO, (void*)&timer, sizeof(struct timeval));
}
return result;
}
static void
rb_ssl_setup_client_context(rb_fde_t *F)
{
int ret;
mbedtls_ssl_init(SSL_P(ssl));
if ((ret = mbedtls_ssl_setup(SSL_P(F), &F->sctx->config)) != 0)
{
rb_lib_log("rb_ssl_setup_client_context: failed to set up ssl context: -0x%x", -ret);
rb_close(F);
return;
}
mbedtls_ssl_set_bio(SSL_P(ssl), F, rb_ssl_write_cb, rb_ssl_read_cb, NULL);
}
void ssl_init(SSLConnection* conn) {
/*
* Initialize the RNG and the session data
*/
mbedtls_net_init(&conn->net_ctx);
mbedtls_ssl_init(&conn->ssl_ctx);
mbedtls_ssl_config_init(&conn->ssl_conf);
mbedtls_x509_crt_init(&conn->ca_cert);
mbedtls_x509_crt_init(&conn->client_cert);
mbedtls_pk_init(&conn->client_key);
mbedtls_ctr_drbg_init(&conn->drbg_ctx);
mbedtls_entropy_init(&conn->entropy_ctx);
}
Error StreamPeerMbedTLS::connect_to_stream(Ref<StreamPeer> p_base, bool p_validate_certs, const String &p_for_hostname) {
base = p_base;
int ret = 0;
int authmode = p_validate_certs ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, NULL, 0);
if (ret != 0) {
ERR_PRINTS(" failed\n ! mbedtls_ctr_drbg_seed returned an error" + itos(ret));
return FAILED;
}
mbedtls_ssl_config_defaults(&conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_authmode(&conf, authmode);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
mbedtls_ssl_setup(&ssl, &conf);
mbedtls_ssl_set_hostname(&ssl, p_for_hostname.utf8().get_data());
mbedtls_ssl_set_bio(&ssl, this, bio_send, bio_recv, NULL);
while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
ERR_PRINTS("TLS handshake error: " + itos(ret));
_print_error(ret);
status = STATUS_ERROR_HOSTNAME_MISMATCH;
return FAILED;
}
}
connected = true;
status = STATUS_CONNECTED;
return OK;
}
static
Socket *dslink_socket_init(uint_fast8_t secure) {
if (secure) {
SslSocket *s = malloc(sizeof(SslSocket));
if (!s) {
return NULL;
}
s->secure = 1;
s->socket_fd = malloc(sizeof(mbedtls_net_context));
s->entropy = malloc(sizeof(mbedtls_entropy_context));
s->drbg = malloc(sizeof(mbedtls_ctr_drbg_context));
s->ssl = malloc(sizeof(mbedtls_ssl_context));
s->conf = malloc(sizeof(mbedtls_ssl_config));
if (!(s->socket_fd && s->entropy && s->drbg && s->ssl && s->conf)) {
DSLINK_CHECKED_EXEC(free, s->socket_fd);
DSLINK_CHECKED_EXEC(free, s->entropy);
DSLINK_CHECKED_EXEC(free, s->drbg);
DSLINK_CHECKED_EXEC(free, s->ssl);
DSLINK_CHECKED_EXEC(free, s->conf);
free(s);
return NULL;
}
mbedtls_net_init(s->socket_fd);
mbedtls_entropy_init(s->entropy);
mbedtls_ctr_drbg_init(s->drbg);
mbedtls_ssl_init(s->ssl);
mbedtls_ssl_config_init(s->conf);
return (Socket *) s;
} else {
Socket *s = malloc(sizeof(Socket));
if (!s) {
return NULL;
}
s->secure = 0;
s->socket_fd = malloc(sizeof(mbedtls_net_context));
if (!s->socket_fd) {
free(s);
return NULL;
}
return s;
}
}
int websocket_server_authenticate(websocket_t *server)
{
int r;
if (server->tls_enabled) {
server->tls_ssl = malloc(sizeof(mbedtls_ssl_context));
if (server->tls_ssl == NULL) {
WEBSOCKET_DEBUG("fail to allocate memory for server\n");
r = WEBSOCKET_ALLOCATION_ERROR;
goto EXIT_SERVER_START;
}
mbedtls_ssl_init(server->tls_ssl);
mbedtls_net_init(&(server->tls_net));
if ((r = websocket_tls_handshake(server, NULL, server->auth_mode)) != WEBSOCKET_SUCCESS) {
WEBSOCKET_DEBUG("fail to tls handshake\n");
r = WEBSOCKET_TLS_HANDSHAKE_ERROR;
goto EXIT_SERVER_START;
}
}
if (websocket_server_handshake(server) != WEBSOCKET_SUCCESS) {
WEBSOCKET_DEBUG("fail to handshake\n");
r = WEBSOCKET_HANDSHAKE_ERROR;
goto EXIT_SERVER_START;
}
return websocket_server_init(server);
EXIT_SERVER_START:
WEBSOCKET_CLOSE(server->fd);
if (server->tls_enabled) {
mbedtls_ssl_free(server->tls_ssl);
mbedtls_net_free(&(server->tls_net));
WEBSOCKET_FREE(server->tls_ssl);
}
websocket_update_state(server, WEBSOCKET_STOP);
return r;
}
static pmbedtls_msg mbedtls_msg_new(void)
{
pmbedtls_msg msg = (pmbedtls_msg)os_zalloc( sizeof(mbedtls_msg));
if (msg) {
os_bzero(msg, sizeof(mbedtls_msg));
msg->psession = mbedtls_session_new();
if (msg->psession){
mbedtls_net_init(&msg->listen_fd);
mbedtls_net_init(&msg->fd);
mbedtls_ssl_init(&msg->ssl);
mbedtls_ssl_config_init(&msg->conf);
mbedtls_ctr_drbg_init(&msg->ctr_drbg);
mbedtls_entropy_init(&msg->entropy);
} else{
os_free(msg);
msg = NULL;
}
}
return msg;
}
static int session_init(const global_context *gc,
session_context *sc,
const mbedtls_net_context *client_fd,
unsigned char client_ip[16], size_t cliip_len,
const unsigned char* first_packet, size_t first_packet_len) {
int ret;
memset(sc, 0, sizeof(*sc));
memcpy(&sc->client_fd, client_fd, sizeof(sc->client_fd));
if (cliip_len > sizeof(sc->client_ip)) {
log_error("session_init - client_ip size mismatch");
return 1;
}
memcpy(&sc->client_ip, client_ip, cliip_len);
sc->cliip_len = cliip_len;
mbedtls_ssl_init(&sc->ssl);
mbedtls_net_init(&sc->backend_fd);
sc->step = GOLDY_SESSION_STEP_HANDSHAKE;
sc->options = gc->options;
if ((ret = mbedtls_ssl_setup(&sc->ssl, &gc->conf)) != 0) {
check_return_code(ret, "session_init - mbedtls_ssl_steup");
return 1;
}
//mbedtls_ssl_set_hostname(&sc->ssl, "localhost");
mbedtls_ssl_set_timer_cb(&sc->ssl, &sc->timer,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
/* We already read the first packet of the SSL session from the network in
* the initial recvfrom() call on the listening fd. Here we copy the content
* of that packet into the SSL incoming data buffer so it'll be consumed on
* the next call to mbedtls_ssl_fetch_input(). */
if (first_packet_len<MBEDTLS_SSL_BUFFER_LEN) {
memcpy(sc->ssl.in_hdr, first_packet, first_packet_len);
sc->ssl.in_left = first_packet_len;
}
return 0;
}
/* Returns an opaque ssl context */
int openssl_connect(struct connection *conn)
{
if (!initialized) {
initialized = 1;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_ssl_config_init(&config);
if (mbedtls_ssl_config_defaults(&config,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT)) {
printf("Unable to initialize ssl defaults\n");
exit(1);
}
}
mbedtls_ssl_context *ssl = malloc(sizeof(mbedtls_ssl_context));
if (!ssl) {
printf("Out of memory");
return 1;
}
mbedtls_ssl_init(ssl);
if (mbedtls_ssl_setup(ssl, &config)) {
printf("Unable to set ssl defaults\n");
exit(1);
}
conn->ssl = ssl;
// mbedtls_ssl_set_rng(ssl, ctr_drbg_random, &ctr_drbg);
int *fd = &conn->poll->fd;
mbedtls_ssl_set_bio(ssl, fd, mbedtls_net_send, mbedtls_net_recv, NULL);
return openssl_check_connect(conn);
}
int _ssl_connect(nsp_state *N, TCP_SOCKET *sock)
{
#define __FN__ __FILE__ ":_ssl_connect()"
#if defined HAVE_OPENSSL
/* X509 *server_cert; */
int rc;
_ssl_init(N, sock, 0, NULL, NULL);
sock->ssl = SSL_new(sock->ssl_ctx);
SSL_set_fd(sock->ssl, sock->socket);
if ((rc = SSL_connect(sock->ssl)) == -1) {
n_warn(N, __FN__, "SSL_connect error %d", rc);
return -1;
}
/* the rest is optional */
/*
printf("SSL connection using %s\r\n", SSL_get_cipher(sock->ssl));
if ((server_cert=SSL_get_peer_certificate(sock->ssl))!=NULL) {
X509_free(server_cert);
}
*/
return 0;
#elif defined HAVE_MBEDTLS
int rc;
_ssl_init(N, sock, 0, NULL, NULL);
sock->net_context.fd = sock->socket;
mbedtls_ssl_init(&sock->ssl);
if ((rc = mbedtls_ssl_setup(&sock->ssl, &sock->conf)) != 0) {
print_mbedtls_error(N, __FN__, rc);
return -1;
}
mbedtls_ssl_set_bio(&sock->ssl, &sock->net_context, mbedtls_net_send, mbedtls_net_recv, NULL);
nc_memset((void *)&sock->ssn, 0, sizeof(mbedtls_ssl_session));
mbedtls_ssl_set_session(&sock->ssl, &sock->ssn);
return 0;
#endif
#undef __FN__
}
struct flb_tls_session *flb_tls_session_new(struct flb_tls_context *ctx)
{
int ret;
struct flb_tls_session *session;
session = malloc(sizeof(struct flb_tls_session));
if (!session) {
return NULL;
}
mbedtls_ssl_init(&session->ssl);
mbedtls_ssl_config_init(&session->conf);
ret = mbedtls_ssl_config_defaults(&session->conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
io_tls_error(ret);
}
mbedtls_ssl_conf_rng(&session->conf,
mbedtls_ctr_drbg_random,
&ctx->ctr_drbg);
mbedtls_ssl_conf_authmode(&session->conf, MBEDTLS_SSL_VERIFY_NONE);
ret = mbedtls_ssl_setup(&session->ssl, &session->conf);
if (ret == -1) {
flb_error("[tls] ssl_setup");
goto error;
}
return session;
error:
free(session);
return NULL;
}
static unsigned int _DTLSContext_setup(dtls_session_t *p_dtls_session, coap_dtls_options_t *p_options)
{
int result = 0;
mbedtls_ssl_init(&p_dtls_session->context);
result = mbedtls_ssl_setup(&p_dtls_session->context, &p_dtls_session->conf);
DTLS_TRC("mbedtls_ssl_setup result 0x%04x\r\n", result);
if (result == 0) {
if (p_dtls_session->conf.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
mbedtls_ssl_set_timer_cb(&p_dtls_session->context,
(void *)&p_dtls_session->timer,
mbedtls_timing_set_delay,
mbedtls_timing_get_delay);
}
#ifdef MBEDTLS_X509_CRT_PARSE_C
DTLS_TRC("mbedtls_ssl_set_hostname %s\r\n", p_options->p_host);
mbedtls_ssl_set_hostname(&p_dtls_session->context, p_options->p_host);
#endif
mbedtls_ssl_set_bio(&p_dtls_session->context,
(void *)&p_dtls_session->fd,
mbedtls_net_send,
mbedtls_net_recv,
mbedtls_net_recv_timeout);
DTLS_TRC("mbedtls_ssl_set_bio result 0x%04x\r\n", result);
do {
result = mbedtls_ssl_handshake(&p_dtls_session->context);
} while (result == MBEDTLS_ERR_SSL_WANT_READ ||
result == MBEDTLS_ERR_SSL_WANT_WRITE);
DTLS_TRC("mbedtls_ssl_handshake result 0x%04x\r\n", result);
}
return (result ? DTLS_HANDSHAKE_FAILED : DTLS_SUCCESS);
}
static int coap_security_handler_init(coap_security_t *sec){
const char *pers = "dtls_client";
#ifdef COAP_SERVICE_PROVIDE_STRONG_ENTROPY_SOURCE
const int entropy_source_type = MBEDTLS_ENTROPY_SOURCE_STRONG;
#else
const int entropy_source_type = MBEDTLS_ENTROPY_SOURCE_WEAK;
#endif
mbedtls_ssl_init( &sec->_ssl );
mbedtls_ssl_config_init( &sec->_conf );
mbedtls_ctr_drbg_init( &sec->_ctr_drbg );
mbedtls_entropy_init( &sec->_entropy );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &sec->_cacert );
mbedtls_x509_crt_init( &sec->_owncert );
#endif
mbedtls_pk_init( &sec->_pkey );
memset(&sec->_cookie, 0, sizeof(simple_cookie_t));
memset(&sec->_keyblk, 0, sizeof(key_block_t));
sec->_is_started = false;
if( mbedtls_entropy_add_source( &sec->_entropy, entropy_poll, NULL,
128, entropy_source_type ) < 0 ){
return -1;
}
if( ( mbedtls_ctr_drbg_seed( &sec->_ctr_drbg, mbedtls_entropy_func, &sec->_entropy,
(const unsigned char *) pers,
strlen( pers ) ) ) != 0 )
{
return -1;
}
return 0;
}
int _ssl_accept(nsp_state *N, TCP_SOCKET *bsock, TCP_SOCKET *asock)
{
#define __FN__ __FILE__ ":_ssl_accept()"
#if defined HAVE_OPENSSL
if ((asock->ssl = SSL_new(bsock->ssl_ctx)) == NULL) {
return -1;
}
/* SSL_clear(asock->ssl); */
SSL_set_fd(asock->ssl, asock->socket);
if (SSL_accept(asock->ssl) == -1) {
return -1;
}
return 0;
#elif defined HAVE_MBEDTLS
int rc;
asock->net_context.fd = asock->socket;
mbedtls_ssl_init(&asock->ssl);
if ((rc = mbedtls_ssl_setup(&asock->ssl, &bsock->conf)) != 0) {
print_mbedtls_error(N, __FN__, rc);
return -1;
}
//mbedtls_ssl_session_reset(&asock->ssl);
mbedtls_ssl_set_bio(&asock->ssl, &asock->net_context, mbedtls_net_send, mbedtls_net_recv, NULL);
if ((rc = mbedtls_ssl_handshake(&asock->ssl)) < 0) {
if (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE) {
print_mbedtls_error(N, __FN__, rc);
}
else {
print_mbedtls_error(N, __FN__, rc);
}
}
return rc;
#endif
#undef __FN__
}
/* Connect to remote server via TLS
*/
int tls_connect(mbedtls_ssl_context *context, int *sock, char *hostname) {
if (mbedtls_ctr_drbg_reseed(&ctr_drbg, (const unsigned char*)"Reverse Proxy", 13) != 0) {
return -1;
}
mbedtls_ssl_init(context);
if (mbedtls_ssl_setup(context, &client_config) != 0) {
return -1;
}
mbedtls_ssl_set_bio(context, sock, mbedtls_net_send, mbedtls_net_recv, NULL);
if (hostname != NULL) {
mbedtls_ssl_set_hostname(context, hostname);
}
if (mbedtls_ssl_handshake(context) != 0) {
mbedtls_ssl_free(context);
return TLS_HANDSHAKE_ERROR;
}
return TLS_HANDSHAKE_OKE;
}
