components/openssl: add debug message and change verifying mode
This commit is contained in:
Dong Heng
parent
cf4aaf6397
commit
3882937427
9 changed files with 51 additions and 29 deletions
|
|
@ -19,10 +19,10 @@
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#define SSL_DEBUG_ENBALE 0
|
#define SSL_DEBUG_ENBALE 1
|
||||||
#define SSL_DEBUG_LEVEL 0
|
#define SSL_DEBUG_LEVEL 0
|
||||||
#define SSL_ASSERT_ENABLE 0
|
#define SSL_ASSERT_ENABLE 1
|
||||||
#define SSL_DEBUG_LOCATION_ENABLE 0
|
#define SSL_DEBUG_LOCATION_ENABLE 1
|
||||||
|
|
||||||
#if SSL_DEBUG_ENBALE
|
#if SSL_DEBUG_ENBALE
|
||||||
extern int ets_printf(const char *fmt, ...);
|
extern int ets_printf(const char *fmt, ...);
|
||||||
|
|
|
||||||
|
|
@ -15,6 +15,8 @@
|
||||||
#ifndef _SSL_METHODS_H_
|
#ifndef _SSL_METHODS_H_
|
||||||
#define _SSL_METHODS_H_
|
#define _SSL_METHODS_H_
|
||||||
|
|
||||||
|
#include "ssl_types.h"
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -63,6 +63,30 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len);
|
||||||
*/
|
*/
|
||||||
void X509_free(X509 *x);
|
void X509_free(X509 *x);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief set SSL context client CA certification
|
||||||
|
*
|
||||||
|
* @param ctx - SSL context point
|
||||||
|
* @param x - X509 certification point
|
||||||
|
*
|
||||||
|
* @return result
|
||||||
|
* 0 : failed
|
||||||
|
* 1 : OK
|
||||||
|
*/
|
||||||
|
int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @brief add CA client certification into the SSL
|
||||||
|
*
|
||||||
|
* @param ssl - SSL point
|
||||||
|
* @param x - X509 certification point
|
||||||
|
*
|
||||||
|
* @return result
|
||||||
|
* 0 : failed
|
||||||
|
* 1 : OK
|
||||||
|
*/
|
||||||
|
int SSL_add_client_CA(SSL *ssl, X509 *x);
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -126,11 +126,11 @@ SSL_SESSION* SSL_SESSION_new(void)
|
||||||
|
|
||||||
session = ssl_zalloc(sizeof(SSL_SESSION));
|
session = ssl_zalloc(sizeof(SSL_SESSION));
|
||||||
if (!session)
|
if (!session)
|
||||||
SSL_RET(failed1);
|
SSL_RET(failed1, "ssl_zalloc\n");
|
||||||
|
|
||||||
session->peer = X509_new();
|
session->peer = X509_new();
|
||||||
if (!session->peer)
|
if (!session->peer)
|
||||||
SSL_RET(failed2);
|
SSL_RET(failed2, "X509_new\n");
|
||||||
|
|
||||||
return session;
|
return session;
|
||||||
|
|
||||||
|
|
@ -1500,7 +1500,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509
|
||||||
*/
|
*/
|
||||||
void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
|
void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
|
||||||
{
|
{
|
||||||
SSL_ASSERT(ctx);
|
SSL_ASSERT(ssl);
|
||||||
|
|
||||||
ssl->verify_mode = mode;
|
ssl->verify_mode = mode;
|
||||||
ssl->verify_callback = verify_callback;
|
ssl->verify_callback = verify_callback;
|
||||||
|
|
|
||||||
|
|
@ -12,7 +12,6 @@
|
||||||
// See the License for the specific language governing permissions and
|
// See the License for the specific language governing permissions and
|
||||||
// limitations under the License.
|
// limitations under the License.
|
||||||
|
|
||||||
#include "ssl_lib.h"
|
|
||||||
#include "ssl_methods.h"
|
#include "ssl_methods.h"
|
||||||
#include "ssl_pm.h"
|
#include "ssl_pm.h"
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -12,9 +12,7 @@
|
||||||
// See the License for the specific language governing permissions and
|
// See the License for the specific language governing permissions and
|
||||||
// limitations under the License.
|
// limitations under the License.
|
||||||
|
|
||||||
#include "ssl_lib.h"
|
|
||||||
#include "ssl_pkey.h"
|
#include "ssl_pkey.h"
|
||||||
#include "ssl_cert.h"
|
|
||||||
#include "ssl_methods.h"
|
#include "ssl_methods.h"
|
||||||
#include "ssl_dbg.h"
|
#include "ssl_dbg.h"
|
||||||
#include "ssl_port.h"
|
#include "ssl_port.h"
|
||||||
|
|
|
||||||
|
|
@ -30,13 +30,13 @@ OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
|
||||||
OPENSSL_STACK *stack;
|
OPENSSL_STACK *stack;
|
||||||
char **data;
|
char **data;
|
||||||
|
|
||||||
stack = ssl_malloc(sizeof(OPENSSL_STACK));
|
stack = ssl_zalloc(sizeof(OPENSSL_STACK));
|
||||||
if (!stack)
|
if (!stack)
|
||||||
SSL_RET(failed1);
|
SSL_RET(failed1, "ssl_zalloc\n");
|
||||||
|
|
||||||
data = ssl_malloc(sizeof(*data) * MIN_NODES);
|
data = ssl_zalloc(sizeof(*data) * MIN_NODES);
|
||||||
if (!data)
|
if (!data)
|
||||||
SSL_RET(failed2);
|
SSL_RET(failed2, "ssl_zalloc\n");
|
||||||
|
|
||||||
stack->data = data;
|
stack->data = data;
|
||||||
stack->num_alloc = MIN_NODES;
|
stack->num_alloc = MIN_NODES;
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,6 @@
|
||||||
// limitations under the License.
|
// limitations under the License.
|
||||||
|
|
||||||
#include "ssl_x509.h"
|
#include "ssl_x509.h"
|
||||||
#include "ssl_cert.h"
|
|
||||||
#include "ssl_methods.h"
|
#include "ssl_methods.h"
|
||||||
#include "ssl_dbg.h"
|
#include "ssl_dbg.h"
|
||||||
#include "ssl_port.h"
|
#include "ssl_port.h"
|
||||||
|
|
@ -214,9 +213,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len,
|
||||||
const unsigned char *d)
|
const unsigned char *d)
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
int reload;
|
|
||||||
X509 *x;
|
X509 *x;
|
||||||
int m = 0;
|
|
||||||
|
|
||||||
x = d2i_X509(NULL, d, len);
|
x = d2i_X509(NULL, d, len);
|
||||||
if (!x)
|
if (!x)
|
||||||
|
|
|
||||||
|
|
@ -112,7 +112,7 @@ int ssl_pm_new(SSL *ssl)
|
||||||
else
|
else
|
||||||
version = MBEDTLS_SSL_MINOR_VERSION_0;
|
version = MBEDTLS_SSL_MINOR_VERSION_0;
|
||||||
|
|
||||||
mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
|
//mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
|
||||||
|
|
||||||
mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
|
mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
|
||||||
|
|
||||||
|
|
@ -169,7 +169,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
|
||||||
if (ssl->verify_mode == SSL_VERIFY_PEER)
|
if (ssl->verify_mode == SSL_VERIFY_PEER)
|
||||||
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
||||||
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||||
mode = MBEDTLS_SSL_VERIFY_NONE;
|
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
|
||||||
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
|
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
|
||||||
mode = MBEDTLS_SSL_VERIFY_UNSET;
|
mode = MBEDTLS_SSL_VERIFY_UNSET;
|
||||||
else
|
else
|
||||||
|
|
@ -370,7 +370,7 @@ int x509_pm_new(X509 *x, X509 *m_x)
|
||||||
|
|
||||||
x509_pm = ssl_zalloc(sizeof(struct x509_pm));
|
x509_pm = ssl_zalloc(sizeof(struct x509_pm));
|
||||||
if (!x509_pm)
|
if (!x509_pm)
|
||||||
SSL_RET(failed1);
|
SSL_RET(failed1, "ssl_zalloc\n");
|
||||||
|
|
||||||
x->x509_pm = x509_pm;
|
x->x509_pm = x509_pm;
|
||||||
|
|
||||||
|
|
@ -408,27 +408,28 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
|
||||||
struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
|
struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
|
||||||
|
|
||||||
if (!x509_pm->x509_crt) {
|
if (!x509_pm->x509_crt) {
|
||||||
x509_pm->x509_crt = ssl_malloc(sizeof(mbedtls_x509_crt));
|
x509_pm->x509_crt = ssl_zalloc(sizeof(mbedtls_x509_crt));
|
||||||
if (!x509_pm->x509_crt)
|
if (!x509_pm->x509_crt)
|
||||||
SSL_RET(failed1);
|
SSL_RET(failed1, "ssl_zalloc\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
load_buf = ssl_malloc(len + 1);
|
load_buf = ssl_malloc(len + 1);
|
||||||
if (!load_buf)
|
if (!load_buf)
|
||||||
SSL_RET(failed2);
|
SSL_RET(failed2, "ssl_malloc\n");
|
||||||
|
|
||||||
ssl_memcpy(load_buf, buffer, len);
|
ssl_memcpy(load_buf, buffer, len);
|
||||||
load_buf[len] = '\0';
|
load_buf[len] = '\0';
|
||||||
|
|
||||||
|
mbedtls_x509_crt_init(x509_pm->x509_crt);
|
||||||
|
|
||||||
if (x509_pm->x509_crt)
|
if (x509_pm->x509_crt)
|
||||||
mbedtls_x509_crt_free(x509_pm->x509_crt);
|
mbedtls_x509_crt_free(x509_pm->x509_crt);
|
||||||
|
|
||||||
mbedtls_x509_crt_init(x509_pm->x509_crt);
|
|
||||||
ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len);
|
ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len);
|
||||||
ssl_free(load_buf);
|
ssl_free(load_buf);
|
||||||
|
|
||||||
if (ret)
|
if (ret)
|
||||||
SSL_RET(failed2);
|
SSL_RET(failed2, "mbedtls_x509_crt_parse, return [-0x%x]\n", -ret);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
|
@ -480,27 +481,28 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
|
||||||
struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
|
struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
|
||||||
|
|
||||||
if (!pkey_pm->pkey) {
|
if (!pkey_pm->pkey) {
|
||||||
pkey_pm->pkey = ssl_malloc(sizeof(mbedtls_pk_context));
|
pkey_pm->pkey = ssl_zalloc(sizeof(mbedtls_pk_context));
|
||||||
if (!pkey_pm->pkey)
|
if (!pkey_pm->pkey)
|
||||||
SSL_RET(failed1);
|
SSL_RET(failed1, "ssl_zalloc\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
load_buf = ssl_malloc(len + 1);
|
load_buf = ssl_malloc(len + 1);
|
||||||
if (!load_buf)
|
if (!load_buf)
|
||||||
SSL_RET(failed2);
|
SSL_RET(failed2, "ssl_malloc\n");
|
||||||
|
|
||||||
ssl_memcpy(load_buf, buffer, len);
|
ssl_memcpy(load_buf, buffer, len);
|
||||||
load_buf[len] = '\0';
|
load_buf[len] = '\0';
|
||||||
|
|
||||||
|
mbedtls_pk_init(pkey_pm->pkey);
|
||||||
|
|
||||||
if (pkey_pm->pkey)
|
if (pkey_pm->pkey)
|
||||||
mbedtls_pk_free(pkey_pm->pkey);
|
mbedtls_pk_free(pkey_pm->pkey);
|
||||||
|
|
||||||
mbedtls_pk_init(pkey_pm->pkey);
|
|
||||||
ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len, NULL, 0);
|
ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len, NULL, 0);
|
||||||
ssl_free(load_buf);
|
ssl_free(load_buf);
|
||||||
|
|
||||||
if (ret)
|
if (ret)
|
||||||
SSL_RET(failed2);
|
SSL_RET(failed2, "mbedtls_pk_parse_key, return [-0x%x]\n", -ret);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue