/*
* Checkup routine
*/
int mbedtls_x509_self_test( int verbose )
{
#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA256_C)
int ret;
uint32_t flags;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
if( verbose != 0 )
mbedtls_printf( " X.509 certificate load: " );
mbedtls_x509_crt_init( &clicert );
ret = mbedtls_x509_crt_parse( &clicert, (const unsigned char *) mbedtls_test_cli_crt,
mbedtls_test_cli_crt_len );
if( ret != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( ret );
}
mbedtls_x509_crt_init( &cacert );
ret = mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_ca_crt,
mbedtls_test_ca_crt_len );
if( ret != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( ret );
}
if( verbose != 0 )
mbedtls_printf( "passed\n X.509 signature verify: ");
ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL );
if( ret != 0 )
{
if( verbose != 0 )
mbedtls_printf( "failed\n" );
return( ret );
}
if( verbose != 0 )
mbedtls_printf( "passed\n\n");
mbedtls_x509_crt_free( &cacert );
mbedtls_x509_crt_free( &clicert );
return( 0 );
#else
((void) verbose);
return( 0 );
#endif /* MBEDTLS_CERTS_C && MBEDTLS_SHA1_C */
}
void Curl_mbedtls_close(struct connectdata *conn, int sockindex)
{
/* mbedtls_rsa_free(&conn->ssl[sockindex].rsa); */
mbedtls_x509_crt_free(&conn->ssl[sockindex].clicert);
mbedtls_x509_crt_free(&conn->ssl[sockindex].cacert);
mbedtls_x509_crl_free(&conn->ssl[sockindex].crl);
mbedtls_ssl_free(&conn->ssl[sockindex].ssl);
}
static void tls_server_free(struct server *s)
{
mbedtls_net_free(&s->fd);
mbedtls_pk_free(&s->pkey);
mbedtls_x509_crt_free(&s->srvcert);
mbedtls_x509_crt_free(&s->cacert);
mbedtls_ssl_config_free(&s->conf);
mbedtls_ctr_drbg_free(&s->ctr_drbg);
mbedtls_entropy_free(&s->entropy);
}
int ssl_destroy(SSLConnection* conn) {
mbedtls_net_free(&conn->net_ctx);
mbedtls_ssl_free(&conn->ssl_ctx);
mbedtls_ssl_config_free(&conn->ssl_conf);
mbedtls_ctr_drbg_free(&conn->drbg_ctx);
mbedtls_entropy_free(&conn->entropy_ctx);
mbedtls_x509_crt_free(&conn->ca_cert);
mbedtls_x509_crt_free(&conn->client_cert);
mbedtls_pk_free(&conn->client_key);
return 0;
}
static void mbedtls_session_free(pmbedtls_session *session)
{
lwIP_ASSERT(session);
lwIP_ASSERT(*session);
mbedtls_x509_crt_free(&(*session)->cacert);
mbedtls_x509_crt_free(&(*session)->clicert);
mbedtls_pk_free(&(*session)->pkey);
// mbedtls_entropy_free(&(*session)->entropy);
os_free(*session);
*session = NULL;
}
static void coap_security_handler_reset(coap_security_t *sec){
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_free(&sec->_cacert);
mbedtls_x509_crt_free(&sec->_owncert);
#endif
mbedtls_pk_free(&sec->_pkey);
mbedtls_entropy_free( &sec->_entropy );
mbedtls_ctr_drbg_free( &sec->_ctr_drbg );
mbedtls_ssl_config_free(&sec->_conf);
mbedtls_ssl_free(&sec->_ssl);
}
void Curl_mbedtls_close(struct connectdata *conn, int sockindex)
{
mbedtls_pk_free(&conn->ssl[sockindex].pk);
mbedtls_x509_crt_free(&conn->ssl[sockindex].clicert);
mbedtls_x509_crt_free(&conn->ssl[sockindex].cacert);
mbedtls_x509_crl_free(&conn->ssl[sockindex].crl);
mbedtls_ssl_config_free(&conn->ssl[sockindex].config);
mbedtls_ssl_free(&conn->ssl[sockindex].ssl);
mbedtls_ctr_drbg_free(&conn->ssl[sockindex].ctr_drbg);
#ifndef THREADING_SUPPORT
mbedtls_entropy_free(&conn->ssl[sockindex].entropy);
#endif /* THREADING_SUPPORT */
}
STATIC mp_uint_t socket_ioctl(mp_obj_t o_in, mp_uint_t request, uintptr_t arg, int *errcode) {
mp_obj_ssl_socket_t *self = MP_OBJ_TO_PTR(o_in);
if (request == MP_STREAM_CLOSE) {
mbedtls_pk_free(&self->pkey);
mbedtls_x509_crt_free(&self->cert);
mbedtls_x509_crt_free(&self->cacert);
mbedtls_ssl_free(&self->ssl);
mbedtls_ssl_config_free(&self->conf);
mbedtls_ctr_drbg_free(&self->ctr_drbg);
mbedtls_entropy_free(&self->entropy);
}
// Pass all requests down to the underlying socket
return mp_get_stream(self->sock)->ioctl(self->sock, request, arg, errcode);
}
static void Curl_mbedtls_close(struct connectdata *conn, int sockindex)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
mbedtls_pk_free(&BACKEND->pk);
mbedtls_x509_crt_free(&BACKEND->clicert);
mbedtls_x509_crt_free(&BACKEND->cacert);
mbedtls_x509_crl_free(&BACKEND->crl);
mbedtls_ssl_config_free(&BACKEND->config);
mbedtls_ssl_free(&BACKEND->ssl);
mbedtls_ctr_drbg_free(&BACKEND->ctr_drbg);
#ifndef THREADING_SUPPORT
mbedtls_entropy_free(&BACKEND->entropy);
#endif /* THREADING_SUPPORT */
}
int iot_tls_destroy(Network *pNetwork) {
mbedtls_net_free(&server_fd);
mbedtls_x509_crt_free(&clicert);
mbedtls_x509_crt_free(&cacert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
return 0;
}
void
altcp_tls_free_config(struct altcp_tls_config *conf)
{
if (conf->pkey) {
mbedtls_pk_free(conf->pkey);
}
if (conf->cert) {
mbedtls_x509_crt_free(conf->cert);
}
if (conf->ca) {
mbedtls_x509_crt_free(conf->ca);
}
altcp_mbedtls_free_config(conf);
}
IoT_Error_t iot_tls_destroy(Network *pNetwork) {
TLSDataParams *tlsDataParams = &(pNetwork->tlsDataParams);
mbedtls_net_free(&(tlsDataParams->server_fd));
mbedtls_x509_crt_free(&(tlsDataParams->clicert));
mbedtls_x509_crt_free(&(tlsDataParams->cacert));
mbedtls_pk_free(&(tlsDataParams->pkey));
mbedtls_ssl_free(&(tlsDataParams->ssl));
mbedtls_ssl_config_free(&(tlsDataParams->conf));
mbedtls_ctr_drbg_free(&(tlsDataParams->ctr_drbg));
mbedtls_entropy_free(&(tlsDataParams->entropy));
return SUCCESS;
}
int
pkcs11_certificate_serial (pkcs11h_certificate_t cert, char *serial,
size_t serial_len)
{
int ret = 1;
mbedtls_x509_crt mbed_crt = {0};
if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) {
msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
goto cleanup;
}
if (-1 == mbedtls_x509_serial_gets (serial, serial_len, &mbed_crt.serial)) {
msg (M_FATAL, "PKCS#11: mbed TLS cannot parse serial");
goto cleanup;
}
ret = 0;
cleanup:
mbedtls_x509_crt_free(&mbed_crt);
return ret;
}
void esp_tls_free_global_ca_store()
{
if (global_cacert) {
mbedtls_x509_crt_free(global_cacert);
global_cacert = NULL;
}
}
static UA_StatusCode
certificateVerification_verifyApplicationURI(void *verificationContext,
const UA_ByteString *certificate,
const UA_String *applicationURI) {
CertInfo *ci = (CertInfo*)verificationContext;
if(!ci)
return UA_STATUSCODE_BADINTERNALERROR;
/* Parse the certificate */
mbedtls_x509_crt remoteCertificate;
mbedtls_x509_crt_init(&remoteCertificate);
int mbedErr = mbedtls_x509_crt_parse(&remoteCertificate, certificate->data,
certificate->length);
if(mbedErr)
return UA_STATUSCODE_BADSECURITYCHECKSFAILED;
/* Poor man's ApplicationUri verification. mbedTLS does not parse all fields
* of the Alternative Subject Name. Instead test whether the URI-string is
* present in the v3_ext field in general.
*
* TODO: Improve parsing of the Alternative Subject Name */
UA_StatusCode retval = UA_STATUSCODE_GOOD;
if(bstrstr(remoteCertificate.v3_ext.p, remoteCertificate.v3_ext.len,
applicationURI->data, applicationURI->length) == NULL)
retval = UA_STATUSCODE_BADCERTIFICATEURIINVALID;
mbedtls_x509_crt_free(&remoteCertificate);
return retval;
}
char *
pkcs11_certificate_dn (pkcs11h_certificate_t cert, struct gc_arena *gc)
{
char *ret = NULL;
char dn[1024] = {0};
mbedtls_x509_crt mbed_crt = {0};
if (mbedtls_pkcs11_x509_cert_bind(&mbed_crt, cert)) {
msg (M_FATAL, "PKCS#11: Cannot retrieve mbed TLS certificate object");
goto cleanup;
}
if (-1 == mbedtls_x509_dn_gets (dn, sizeof(dn), &mbed_crt.subject)) {
msg (M_FATAL, "PKCS#11: mbed TLS cannot parse subject");
goto cleanup;
}
ret = string_alloc(dn, gc);
cleanup:
mbedtls_x509_crt_free(&mbed_crt);
return ret;
}
void Server_destroy(Server *srv)
{
if(srv) {
if(srv->use_ssl) {
free(srv->rng_ctx);
mbedtls_x509_crt_free(&srv->own_cert);
mbedtls_pk_free(&srv->pk_key);
// srv->ciphers freed (if non-default) by h_free
}
RouteMap_destroy(srv->hosts);
Server_destroy_handlers(srv);
bdestroy(srv->bind_addr);
bdestroy(srv->uuid);
bdestroy(srv->chroot);
bdestroy(srv->access_log);
bdestroy(srv->error_log);
bdestroy(srv->pid_file);
bdestroy(srv->control_port);
bdestroy(srv->default_hostname);
if(srv->listen_fd >= 0) fdclose(srv->listen_fd);
h_free(srv);
}
}
/** Create new TLS configuration
* This is a suboptimal version that gets the encrypted private key and its password,
* as well as the server certificate.
*/
struct altcp_tls_config *
altcp_tls_create_config_server_privkey_cert(const u8_t *privkey, size_t privkey_len,
const u8_t *privkey_pass, size_t privkey_pass_len,
const u8_t *cert, size_t cert_len)
{
int ret;
mbedtls_x509_crt *srvcert;
mbedtls_pk_context *pkey;
struct altcp_tls_config *conf = altcp_tls_create_config(1, 1, 1, 0);
if (conf == NULL) {
return NULL;
}
srvcert = conf->cert;
mbedtls_x509_crt_init(srvcert);
pkey = conf->pkey;
mbedtls_pk_init(pkey);
/* Load the certificates and private key */
ret = mbedtls_x509_crt_parse(srvcert, cert, cert_len);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_x509_crt_parse failed: %d\n", ret));
altcp_mbedtls_free_config(conf);
return NULL;
}
ret = mbedtls_pk_parse_key(pkey, (const unsigned char *) privkey, privkey_len, privkey_pass, privkey_pass_len);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_pk_parse_public_key failed: %d\n", ret));
mbedtls_x509_crt_free(srvcert);
altcp_mbedtls_free_config(conf);
return NULL;
}
mbedtls_ssl_conf_ca_chain(&conf->conf, srvcert->next, NULL);
ret = mbedtls_ssl_conf_own_cert(&conf->conf, srvcert, pkey);
if (ret != 0) {
LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG, ("mbedtls_ssl_conf_own_cert failed: %d\n", ret));
mbedtls_x509_crt_free(srvcert);
mbedtls_pk_free(pkey);
altcp_mbedtls_free_config(conf);
return NULL;
}
return conf;
}
void Dtls::FreeMbedtls(void)
{
#ifdef MBEDTLS_SSL_COOKIE_C
mbedtls_ssl_cookie_free(&mCookieCtx);
#endif
#if OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
#ifdef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
mbedtls_x509_crt_free(&mCaChain);
mbedtls_x509_crt_free(&mOwnCert);
mbedtls_pk_free(&mPrivateKey);
#endif // MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
#endif // OPENTHREAD_ENABLE_APPLICATION_COAP_SECURE
mbedtls_entropy_free(&mEntropy);
mbedtls_ctr_drbg_free(&mCtrDrbg);
mbedtls_ssl_config_free(&mConf);
mbedtls_ssl_free(&mSsl);
}
int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
{
int ret;
unsigned char *load_buf;
struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
if (x509_pm->x509_crt)
mbedtls_x509_crt_free(x509_pm->x509_crt);
if (!x509_pm->x509_crt) {
x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt));
if (!x509_pm->x509_crt) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)");
goto no_mem;
}
}
load_buf = ssl_mem_malloc(len + 1);
if (!load_buf) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)");
goto failed;
}
ssl_memcpy(load_buf, buffer, len);
load_buf[len] = '\0';
mbedtls_x509_crt_init(x509_pm->x509_crt);
ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1);
ssl_mem_free(load_buf);
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_parse return -0x%x", -ret);
goto failed;
}
return 0;
failed:
mbedtls_x509_crt_free(x509_pm->x509_crt);
ssl_mem_free(x509_pm->x509_crt);
x509_pm->x509_crt = NULL;
no_mem:
return -1;
}
void DTLSMessageChannel::dispose()
{
mbedtls_x509_crt_free (&clicert);
mbedtls_pk_free (&pkey);
mbedtls_ssl_config_free (&conf);
mbedtls_ssl_free (&ssl_context);
delete this->server_public;
server_public_len = 0;
}
static void mbedtls_cleanup(esp_tls_t *tls)
{
if (!tls) {
return;
}
if (tls->cacert_ptr != global_cacert) {
mbedtls_x509_crt_free(tls->cacert_ptr);
}
tls->cacert_ptr = NULL;
mbedtls_x509_crt_free(&tls->cacert);
mbedtls_x509_crt_free(&tls->clientcert);
mbedtls_pk_free(&tls->clientkey);
mbedtls_entropy_free(&tls->entropy);
mbedtls_ssl_config_free(&tls->conf);
mbedtls_ctr_drbg_free(&tls->ctr_drbg);
mbedtls_ssl_free(&tls->ssl);
mbedtls_net_free(&tls->server_fd);
}
static void
certificateVerification_deleteMembers(UA_CertificateVerification *cv) {
CertInfo *ci = (CertInfo*)cv->context;
if(!ci)
return;
mbedtls_x509_crt_free(&ci->certificateTrustList);
mbedtls_x509_crl_free(&ci->certificateRevocationList);
UA_free(ci);
cv->context = NULL;
}
result_t X509Cert::clear()
{
if (m_root)
return CHECK_ERROR(CALL_E_INVALID_CALL);
mbedtls_x509_crt_free(&m_crt);
mbedtls_x509_crt_init(&m_crt);
m_rootLoaded = false;
return 0;
}
void websocket_tls_release(int param, mbedtls_ssl_config *conf, mbedtls_x509_crt *cert, mbedtls_pk_context *pkey, mbedtls_entropy_context *entropy, mbedtls_ctr_drbg_context *ctr_drbg, mbedtls_ssl_cache_context *cache)
{
if (!param) {
mbedtls_ssl_cache_free(cache);
}
mbedtls_ctr_drbg_free(ctr_drbg);
mbedtls_entropy_free(entropy);
mbedtls_pk_free(pkey);
mbedtls_x509_crt_free(cert);
mbedtls_ssl_config_free(conf);
}
void x509_pm_free(X509 *x)
{
struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
if (x509_pm->x509_crt) {
mbedtls_x509_crt_free(x509_pm->x509_crt);
ssl_mem_free(x509_pm->x509_crt);
x509_pm->x509_crt = NULL;
}
ssl_mem_free(x->x509_pm);
x->x509_pm = NULL;
}
static int global_deinit(global_context *gc) {
int ret = 0;
mbedtls_net_free(&gc->listen_fd);
mbedtls_x509_crt_free(&gc->cacert);
mbedtls_ssl_config_free(&gc->conf);
mbedtls_ssl_cookie_free(&gc->cookie_ctx);
#if defined(MBEDTLS_SSL_CACHE_C)
mbedtls_ssl_cache_free(&gc->cache);
#endif
mbedtls_ctr_drbg_free(&gc->ctr_drbg);
mbedtls_entropy_free(&gc->entropy);
return ret == 0 ? 0 : 1;
}
void ssl_socket_free(void *state_data)
{
struct ssl_state *state = (struct ssl_state*)state_data;
if (!state)
return;
mbedtls_ssl_free(&state->ctx);
mbedtls_ssl_config_free(&state->conf);
mbedtls_ctr_drbg_free(&state->ctr_drbg);
mbedtls_entropy_free(&state->entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_free(&state->ca);
#endif
free(state);
}
static void https_shutdown(struct http_client_ctx *ctx)
{
if (!ctx->https.tid) {
return;
}
/* Empty the fifo just in case there is any received packets
* still there.
*/
while (1) {
struct rx_fifo_block *rx_data;
rx_data = k_fifo_get(&ctx->https.mbedtls.ssl_ctx.rx_fifo,
K_NO_WAIT);
if (!rx_data) {
break;
}
net_pkt_unref(rx_data->pkt);
k_mem_pool_free(&rx_data->block);
}
k_fifo_cancel_wait(&ctx->https.mbedtls.ssl_ctx.rx_fifo);
/* Let the ssl_rx() run if there is anything there waiting */
k_yield();
mbedtls_ssl_close_notify(&ctx->https.mbedtls.ssl);
mbedtls_ssl_free(&ctx->https.mbedtls.ssl);
mbedtls_ssl_config_free(&ctx->https.mbedtls.conf);
mbedtls_ctr_drbg_free(&ctx->https.mbedtls.ctr_drbg);
mbedtls_entropy_free(&ctx->https.mbedtls.entropy);
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_free(&ctx->https.mbedtls.ca_cert);
#endif
tcp_disconnect(ctx);
NET_DBG("HTTPS thread %p stopped for %p", ctx->https.tid, ctx);
k_thread_abort(ctx->https.tid);
ctx->https.tid = 0;
}
int _ssl_shutdown(nsp_state *N, TCP_SOCKET *sock)
{
#define __FN__ __FILE__ ":_ssl_shutdown()"
#if defined HAVE_OPENSSL
if (sock->ssl_ctx) {
SSL_CTX_free(sock->ssl_ctx);
sock->ssl_ctx = NULL;
}
return 0;
#elif defined HAVE_MBEDTLS
if (sock->use_ssl) {
/* x509 and rsa for server sockets */
mbedtls_x509_crt_free(&sock->srvcert);
mbedtls_pk_free(&sock->pubkey);
//rsa_free(&sock->pubkey);
mbedtls_ssl_free(&sock->ssl);
sock->use_ssl = 0;
}
return 0;
#endif
#undef __FN__
}