From 905180667c6a0604dd7117c80b20b91d6520e3a8 Mon Sep 17 00:00:00 2001 From: Dong Heng Date: Tue, 10 Jan 2017 20:49:24 +0800 Subject: [PATCH] components/openssl: refactor openssl debugging and assert function 1. add openssl option at menuconfig 2. remove SSL_ERR to reduce complexity 3. add more functions about debugging and assert According these, our coders and customers may use and debug the OpenSSL code easily. --- components/openssl/Kconfig | 70 ++++ components/openssl/include/internal/ssl_dbg.h | 208 +++++++++--- components/openssl/include/platform/ssl_opt.h | 30 +- components/openssl/include/platform/ssl_pm.h | 5 + .../openssl/include/platform/ssl_port.h | 28 +- components/openssl/library/ssl_cert.c | 26 +- components/openssl/library/ssl_lib.c | 316 ++++++++++-------- components/openssl/library/ssl_pkey.c | 69 ++-- components/openssl/library/ssl_stack.c | 18 +- components/openssl/library/ssl_x509.c | 78 +++-- components/openssl/platform/ssl_pm.c | 165 +++++---- components/openssl/platform/ssl_port.c | 39 +-- 12 files changed, 646 insertions(+), 406 deletions(-) create mode 100644 components/openssl/Kconfig diff --git a/components/openssl/Kconfig b/components/openssl/Kconfig new file mode 100644 index 000000000..7ade98c45 --- /dev/null +++ b/components/openssl/Kconfig @@ -0,0 +1,70 @@ +menu "OpenSSL" + +config OPENSSL_DEBUG + bool "Enable OpenSSL debugging" + default n + help + Enable OpenSSL debugging function. + + If the option is enabled, "SSL_DEBUG" works. + +config OPENSSL_DEBUG_LEVEL + int "OpenSSL debugging level" + default 0 + range 0 255 + depends on OPENSSL_DEBUG + help + OpenSSL debugging level. + + Only function whose debugging level is higher than "OPENSSL_DEBUG_LEVEL" works. + + For example: + If OPENSSL_DEBUG_LEVEL = 2, you use function "SSL_DEBUG(1, "malloc failed")". Because 1 < 2, it will not print. + +config OPENSSL_LOWLEVEL_DEBUG + bool "Enable OpenSSL low-level module debugging" + default n + depends on OPENSSL_DEBUG + select MBEDTLS_DEBUG + help + If the option is enabled, low-level module debugging function of OpenSSL is enabled, e.g. mbedtls internal debugging function. + +choice OPENSSL_ASSERT + prompt "Select OpenSSL assert function" + default CONFIG_OPENSSL_ASSERT_EXIT + help + OpenSSL function needs "assert" function to check if input parameters are valid. + + If you want to use assert debugging function, "OPENSSL_DEBUG" should be enabled. + +config OPENSSL_ASSERT_DO_NOTHING + bool "Do nothing" + help + Do nothing and "SSL_ASSERT" does not work. + +config OPENSSL_ASSERT_EXIT + bool "Check and exit" + help + Enable assert exiting, it will check and return error code. + +config OPENSSL_ASSERT_DEBUG + bool "Show debugging message" + depends on OPENSSL_DEBUG + help + Enable assert debugging, it will check and show debugging message. + +config OPENSSL_ASSERT_DEBUG_EXIT + bool "Show debugging message and exit" + depends on OPENSSL_DEBUG + help + Enable assert debugging and exiting, it will check, show debugging message and return error code. + +config OPENSSL_ASSERT_DEBUG_BLOCK + bool "Show debugging message and block" + depends on OPENSSL_DEBUG + help + Enable assert debugging and blocking, it will check, show debugging message and block by "while (1);". + +endchoice + +endmenu diff --git a/components/openssl/include/internal/ssl_dbg.h b/components/openssl/include/internal/ssl_dbg.h index b4c075463..12ba25f99 100644 --- a/components/openssl/include/internal/ssl_dbg.h +++ b/components/openssl/include/internal/ssl_dbg.h @@ -22,72 +22,170 @@ extern "C" { #endif -#ifndef SSL_DEBUG_ENBALE -#define SSL_DEBUG_ENBALE 0 -#endif - -#ifndef SSL_DEBUG_LEVEL -#define SSL_DEBUG_LEVEL 0 -#endif - -#ifndef SSL_ASSERT_ENABLE -#define SSL_ASSERT_ENABLE 0 -#endif - -#ifndef SSL_DEBUG_LOCATION_ENABLE -#define SSL_DEBUG_LOCATION_ENABLE 0 -#endif - -#if SSL_DEBUG_ENBALE - #if !defined(SSL_PRINT_LOG) || !defined(SSL_ERROR_LOG) || !defined(SSL_LOCAL_LOG) - #include "stdio.h" - extern int printf(const char *fmt, ...); - #ifndef SSL_PRINT_LOG - #define SSL_PRINT_LOG printf - #endif - #ifndef SSL_ERROR_LOG - #define SSL_ERROR_LOG printf - #endif - #ifndef SSL_LOCAL_LOG - #define SSL_LOCAL_LOG printf - #endif - #endif +#ifdef CONFIG_OPENSSL_DEBUG_LEVEL + #define SSL_DEBUG_LEVEL CONFIG_OPENSSL_DEBUG_LEVEL #else - #ifdef SSL_PRINT_LOG - #undef SSL_PRINT_LOG - #endif - #define SSL_PRINT_LOG(...) - - #ifdef SSL_ERROR_LOG - #undef SSL_ERROR_LOG - #endif - #define SSL_ERROR_LOG(...) - #ifdef SSL_LOCAL_LOG - #undef SSL_LOCAL_LOG - #endif - #define SSL_LOCAL_LOG(...) + #define SSL_DEBUG_LEVEL 0 #endif -#if SSL_DEBUG_LOCATION_ENABLE - #define SSL_DEBUG_LOCATION() SSL_LOCAL_LOG("%s %s line %d\n", __FILE__, __FUNCTION__, __LINE__) +#define SSL_DEBUG_ON (SSL_DEBUG_LEVEL + 1) +#define SSL_DEBUG_OFF (SSL_DEBUG_LEVEL - 1) + +#ifdef CONFIG_OPENSSL_DEBUG + #ifndef SSL_DEBUG_LOG + #error "SSL_DEBUG_LOG is not defined" + #endif + + #ifndef SSL_DEBUG_FL + #define SSL_DEBUG_FL "\n" + #endif + + #define SSL_SHOW_LOCATION() \ + SSL_DEBUG_LOG("SSL assert : %s %d\n", \ + __FILE__, __LINE__) + + #define SSL_DEBUG(level, fmt, ...) \ + { \ + if (level > SSL_DEBUG_LEVEL) { \ + SSL_DEBUG_LOG(fmt SSL_DEBUG_FL, ##__VA_ARGS__); \ + } \ + } +#else /* CONFIG_OPENSSL_DEBUG */ + #define SSL_SHOW_LOCATION() + + #define SSL_DEBUG(level, fmt, ...) +#endif /* CONFIG_OPENSSL_DEBUG */ + +/** + * OpenSSL assert function + * + * if select "CONFIG_OPENSSL_ASSERT_DEBUG", SSL_ASSERT* will show error file name and line + * if select "CONFIG_OPENSSL_ASSERT_EXIT", SSL_ASSERT* will just return error code. + * if select "CONFIG_OPENSSL_ASSERT_DEBUG_EXIT" SSL_ASSERT* will show error file name and line, + * then return error code. + * if select "CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK", SSL_ASSERT* will show error file name and line, + * then block here with "while (1)" + * + * SSL_ASSERT1 may will return "-1", so function's return argument is integer. + * SSL_ASSERT2 may will return "NULL", so function's return argument is a point. + * SSL_ASSERT2 may will return nothing, so function's return argument is "void". + */ +#if defined(CONFIG_OPENSSL_ASSERT_DEBUG) + #define SSL_ASSERT1(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + } \ + } + + #define SSL_ASSERT2(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + } \ + } + + #define SSL_ASSERT3(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + } \ + } +#elif defined(CONFIG_OPENSSL_ASSERT_EXIT) + #define SSL_ASSERT1(s) \ + { \ + if (!(s)) { \ + return -1; \ + } \ + } + + #define SSL_ASSERT2(s) \ + { \ + if (!(s)) { \ + return NULL; \ + } \ + } + + #define SSL_ASSERT3(s) \ + { \ + if (!(s)) { \ + return ; \ + } \ + } +#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_EXIT) + #define SSL_ASSERT1(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + return -1; \ + } \ + } + + #define SSL_ASSERT2(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + return NULL; \ + } \ + } + + #define SSL_ASSERT3(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + return ; \ + } \ + } +#elif defined(CONFIG_OPENSSL_ASSERT_DEBUG_BLOCK) + #define SSL_ASSERT1(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + while (1); \ + } \ + } + + #define SSL_ASSERT2(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + while (1); \ + } \ + } + + #define SSL_ASSERT3(s) \ + { \ + if (!(s)) { \ + SSL_SHOW_LOCATION(); \ + while (1); \ + } \ + } #else - #define SSL_DEBUG_LOCATION() + #define SSL_ASSERT1(s) + #define SSL_ASSERT2(s) + #define SSL_ASSERT3(s) #endif -#if SSL_ASSERT_ENABLE - #define SSL_ASSERT(s) { if (!(s)) { SSL_DEBUG_LOCATION(); } } -#else - #define SSL_ASSERT(s) -#endif +#define SSL_PLATFORM_DEBUG_LEVEL SSL_DEBUG_OFF +#define SSL_PLATFORM_ERROR_LEVEL SSL_DEBUG_ON -#define SSL_ERR(err, go, fmt, ...) { SSL_DEBUG_LOCATION(); SSL_ERROR_LOG(fmt, ##__VA_ARGS__); ret = err; goto go; } +#define SSL_CERT_DEBUG_LEVEL SSL_DEBUG_OFF +#define SSL_CERT_ERROR_LEVEL SSL_DEBUG_ON -#define SSL_RET(go, fmt, ...) { SSL_DEBUG_LOCATION(); SSL_ERROR_LOG(fmt, ##__VA_ARGS__); goto go; } +#define SSL_PKEY_DEBUG_LEVEL SSL_DEBUG_OFF +#define SSL_PKEY_ERROR_LEVEL SSL_DEBUG_ON -#define SSL_DEBUG(level, fmt, ...) { if (level > SSL_DEBUG_LEVEL) {SSL_PRINT_LOG(fmt, ##__VA_ARGS__);} } +#define SSL_X509_DEBUG_LEVEL SSL_DEBUG_OFF +#define SSL_X509_ERROR_LEVEL SSL_DEBUG_ON + +#define SSL_LIB_DEBUG_LEVEL SSL_DEBUG_OFF +#define SSL_LIB_ERROR_LEVEL SSL_DEBUG_ON + +#define SSL_STACK_DEBUG_LEVEL SSL_DEBUG_OFF +#define SSL_STACK_ERROR_LEVEL SSL_DEBUG_ON #ifdef __cplusplus -} + } #endif #endif diff --git a/components/openssl/include/platform/ssl_opt.h b/components/openssl/include/platform/ssl_opt.h index 01d438eb8..a9c55e8c4 100644 --- a/components/openssl/include/platform/ssl_opt.h +++ b/components/openssl/include/platform/ssl_opt.h @@ -15,34 +15,6 @@ #ifndef _SSL_OPT_H_ #define _SSL_OPT_H_ -#ifdef __cplusplus - extern "C" { -#endif - -/** - * if not define "ESP32_IDF_PLATFORM", system will use esp8266 platform interface - */ -#define ESP32_IDF_PLATFORM - -/** - * openssl debug print function enable - */ -#define SSL_DEBUG_ENBALE 0 - -/** - * openssl debug print function level. function whose level is lower that "SSL_DEBUG_LEVEL" - * will not print message - */ -#define SSL_DEBUG_LEVEL 0 - -/** - * openssl assert function enable, it will check the input paramter and print the message - */ -#define SSL_ASSERT_ENABLE 0 - -/** - * openssl location function enable, it will print location of the positioning error - */ -#define SSL_DEBUG_LOCATION_ENABLE 0 +#include "sdkconfig.h" #endif diff --git a/components/openssl/include/platform/ssl_pm.h b/components/openssl/include/platform/ssl_pm.h index a516d5742..cbbe3aa3a 100644 --- a/components/openssl/include/platform/ssl_pm.h +++ b/components/openssl/include/platform/ssl_pm.h @@ -19,6 +19,7 @@ extern "C" { #endif +#include #include "ssl_types.h" #include "ssl_port.h" @@ -53,4 +54,8 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len); long ssl_pm_get_verify_result(const SSL *ssl); +#ifdef __cplusplus + } +#endif + #endif diff --git a/components/openssl/include/platform/ssl_port.h b/components/openssl/include/platform/ssl_port.h index 35c8dc18f..492ea405b 100644 --- a/components/openssl/include/platform/ssl_port.h +++ b/components/openssl/include/platform/ssl_port.h @@ -19,31 +19,27 @@ extern "C" { #endif -#include "platform/ssl_opt.h" - -#ifdef ESP32_IDF_PLATFORM - #include "esp_types.h" #include "esp_log.h" +#include "string.h" +#include "malloc.h" void *ssl_mem_zalloc(size_t size); -void *ssl_mem_malloc(size_t size); -void ssl_mem_free(void *p); -void* ssl_memcpy(void *to, const void *from, size_t size); -size_t ssl_strlen(const char *src); +#define ssl_mem_malloc malloc +#define ssl_mem_free free -void ssl_speed_up_enter(void); -void ssl_speed_up_exit(void); +#define ssl_memcpy memcpy +#define ssl_strlen strlen -#define SSL_PRINT_LOG(fmt, ...) ESP_LOGD("openssl", fmt, ##__VA_ARGS__) -#define SSL_ERROR_LOG(fmt, ...) ESP_LOGE("openssl", fmt, ##__VA_ARGS__) -#define SSL_LOCAL_LOG(fmt, ...) ESP_LOGD("openssl", fmt, ##__VA_ARGS__) +#define ssl_speed_up_enter() +#define ssl_speed_up_exit() -#elif defined(SSL_PLATFORM_USER_INCLUDE) - -SSL_PLATFORM_USER_INCLUDE +#define SSL_DEBUG_FL +#define SSL_DEBUG_LOG(fmt, ...) ESP_LOGI("openssl", fmt, ##__VA_ARGS__) +#ifdef __cplusplus + } #endif #endif diff --git a/components/openssl/library/ssl_cert.c b/components/openssl/library/ssl_cert.c index 0193a441e..5c608125a 100644 --- a/components/openssl/library/ssl_cert.c +++ b/components/openssl/library/ssl_cert.c @@ -29,8 +29,10 @@ CERT *__ssl_cert_new(CERT *ic) EVP_PKEY *ipk; cert = ssl_mem_zalloc(sizeof(CERT)); - if (!cert) - SSL_RET(failed1, "ssl_mem_zalloc\n"); + if (!cert) { + SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "no enough memory > (cert)"); + goto no_mem; + } if (ic) { ipk = ic->pkey; @@ -41,20 +43,24 @@ CERT *__ssl_cert_new(CERT *ic) } cert->pkey = __EVP_PKEY_new(ipk); - if (!cert->pkey) - SSL_RET(failed2, "__EVP_PKEY_new\n"); + if (!cert->pkey) { + SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__EVP_PKEY_new() return NULL"); + goto pkey_err; + } cert->x509 = __X509_new(ix); - if (!cert->x509) - SSL_RET(failed3, "__X509_new\n"); + if (!cert->x509) { + SSL_DEBUG(SSL_CERT_ERROR_LEVEL, "__X509_new() return NULL"); + goto x509_err; + } return cert; -failed3: +x509_err: EVP_PKEY_free(cert->pkey); -failed2: +pkey_err: ssl_mem_free(cert); -failed1: +no_mem: return NULL; } @@ -71,6 +77,8 @@ CERT *ssl_cert_new(void) */ void ssl_cert_free(CERT *cert) { + SSL_ASSERT3(cert); + X509_free(cert->x509); EVP_PKEY_free(cert->pkey); diff --git a/components/openssl/library/ssl_lib.c b/components/openssl/library/ssl_lib.c index 23b8bf4ce..43c130077 100644 --- a/components/openssl/library/ssl_lib.c +++ b/components/openssl/library/ssl_lib.c @@ -21,11 +21,49 @@ #define SSL_SEND_DATA_MAX_LENGTH 1460 +/** + * @brief create a new SSL session object + */ +static SSL_SESSION* SSL_SESSION_new(void) +{ + SSL_SESSION *session; + + session = ssl_mem_zalloc(sizeof(SSL_SESSION)); + if (!session) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (session)"); + goto failed1; + } + + session->peer = X509_new(); + if (!session->peer) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL"); + goto failed2; + } + + return session; + +failed2: + ssl_mem_free(session); +failed1: + return NULL; +} + +/** + * @brief free a new SSL session object + */ +static void SSL_SESSION_free(SSL_SESSION *session) +{ + X509_free(session->peer); + ssl_mem_free(session); +} + /** * @brief Discover whether the current connection is in the error state */ int ossl_statem_in_error(const SSL *ssl) { + SSL_ASSERT1(ssl); + if (ssl->statem.state == MSG_FLOW_ERROR) return 1; @@ -37,6 +75,8 @@ int ossl_statem_in_error(const SSL *ssl) */ int SSL_want(const SSL *ssl) { + SSL_ASSERT1(ssl); + return ssl->rwstate; } @@ -45,6 +85,8 @@ int SSL_want(const SSL *ssl) */ int SSL_want_nothing(const SSL *ssl) { + SSL_ASSERT1(ssl); + return (SSL_want(ssl) == SSL_NOTHING); } @@ -53,6 +95,8 @@ int SSL_want_nothing(const SSL *ssl) */ int SSL_want_read(const SSL *ssl) { + SSL_ASSERT1(ssl); + return (SSL_want(ssl) == SSL_READING); } @@ -61,6 +105,8 @@ int SSL_want_read(const SSL *ssl) */ int SSL_want_write(const SSL *ssl) { + SSL_ASSERT1(ssl); + return (SSL_want(ssl) == SSL_WRITING); } @@ -69,6 +115,8 @@ int SSL_want_write(const SSL *ssl) */ int SSL_want_x509_lookup(const SSL *ssl) { + SSL_ASSERT1(ssl); + return (SSL_want(ssl) == SSL_WRITING); } @@ -79,7 +127,7 @@ int SSL_get_error(const SSL *ssl, int ret_code) { int ret = SSL_ERROR_SYSCALL; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); if (ret_code > 0) ret = SSL_ERROR_NONE; @@ -110,45 +158,13 @@ OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl) { OSSL_HANDSHAKE_STATE state; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); state = SSL_METHOD_CALL(get_state, ssl); return state; } -/** - * @brief create a new SSL session object - */ -SSL_SESSION* SSL_SESSION_new(void) -{ - SSL_SESSION *session; - - session = ssl_mem_zalloc(sizeof(SSL_SESSION)); - if (!session) - SSL_RET(failed1, "ssl_mem_zalloc\n"); - - session->peer = X509_new(); - if (!session->peer) - SSL_RET(failed2, "X509_new\n"); - - return session; - -failed2: - ssl_mem_free(session); -failed1: - return NULL; -} - -/** - * @brief free a new SSL session object - */ -void SSL_SESSION_free(SSL_SESSION *session) -{ - X509_free(session->peer); - ssl_mem_free(session); -} - /** * @brief create a SSL context */ @@ -158,19 +174,28 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method) CERT *cert; X509 *client_ca; - if (!method) SSL_RET(go_failed1, "method:NULL\n"); + if (!method) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method"); + return NULL; + } client_ca = X509_new(); - if (!client_ca) - SSL_RET(go_failed1, "X509_new\n"); + if (!client_ca) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "X509_new() return NULL"); + goto failed1; + } cert = ssl_cert_new(); - if (!cert) - SSL_RET(go_failed2, "ssl_cert_new\n"); + if (!cert) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "ssl_cert_new() return NULL"); + goto failed2; + } ctx = (SSL_CTX *)ssl_mem_zalloc(sizeof(SSL_CTX)); - if (!ctx) - SSL_RET(go_failed3, "ssl_mem_zalloc:ctx\n"); + if (!ctx) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ctx)"); + goto failed3; + } ctx->method = method; ctx->client_CA = client_ca; @@ -180,11 +205,11 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method) return ctx; -go_failed3: +failed3: ssl_cert_free(cert); -go_failed2: +failed2: X509_free(client_ca); -go_failed1: +failed1: return NULL; } @@ -193,7 +218,7 @@ go_failed1: */ void SSL_CTX_free(SSL_CTX* ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT3(ctx); ssl_cert_free(ctx->cert); @@ -207,8 +232,8 @@ void SSL_CTX_free(SSL_CTX* ctx) */ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) { - SSL_ASSERT(ctx); - SSL_ASSERT(meth); + SSL_ASSERT1(ctx); + SSL_ASSERT1(meth); ctx->method = meth; @@ -222,7 +247,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) */ const SSL_METHOD *SSL_CTX_get_ssl_method(SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT2(ctx); return ctx->method; } @@ -235,24 +260,34 @@ SSL *SSL_new(SSL_CTX *ctx) int ret = 0; SSL *ssl; - if (!ctx) - SSL_RET(failed1, "ctx:NULL\n"); + if (!ctx) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no ctx"); + return NULL; + } ssl = (SSL *)ssl_mem_zalloc(sizeof(SSL)); - if (!ssl) - SSL_RET(failed1, "ssl_mem_zalloc\n"); + if (!ssl) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no enough memory > (ssl)"); + goto failed1; + } ssl->session = SSL_SESSION_new(); - if (!ssl->session) - SSL_RET(failed2, "SSL_SESSION_new\n"); + if (!ssl->session) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_SESSION_new() return NULL"); + goto failed2; + } ssl->cert = __ssl_cert_new(ctx->cert); - if (!ssl->cert) - SSL_RET(failed3, "__ssl_cert_new\n"); + if (!ssl->cert) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__ssl_cert_new() return NULL"); + goto failed3; + } ssl->client_CA = __X509_new(ctx->client_CA); - if (!ssl->client_CA) - SSL_RET(failed4, "__X509_new\n"); + if (!ssl->client_CA) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "__X509_new() return NULL"); + goto failed4; + } ssl->ctx = ctx; ssl->method = ctx->method; @@ -263,8 +298,10 @@ SSL *SSL_new(SSL_CTX *ctx) ssl->verify_mode = ctx->verify_mode; ret = SSL_METHOD_CALL(new, ssl); - if (ret) - SSL_RET(failed5, "ssl_new\n"); + if (ret) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); + goto failed5; + } ssl->rwstate = SSL_NOTHING; @@ -287,7 +324,7 @@ failed1: */ void SSL_free(SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); SSL_METHOD_CALL(free, ssl); @@ -307,7 +344,7 @@ int SSL_do_handshake(SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(handshake, ssl); @@ -319,7 +356,7 @@ int SSL_do_handshake(SSL *ssl) */ int SSL_connect(SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return SSL_do_handshake(ssl); } @@ -329,7 +366,7 @@ int SSL_connect(SSL *ssl) */ int SSL_accept(SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return SSL_do_handshake(ssl); } @@ -341,7 +378,7 @@ int SSL_shutdown(SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); if (SSL_get_state(ssl) != TLS_ST_OK) return 1; @@ -357,21 +394,25 @@ int SSL_clear(SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ret = SSL_shutdown(ssl); - if (1 != ret) - SSL_ERR(0, go_failed1, "SSL_shutdown\n"); + if (1 != ret) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret); + goto failed1; + } SSL_METHOD_CALL(free, ssl); ret = SSL_METHOD_CALL(new, ssl); - if (!ret) - SSL_ERR(0, go_failed1, "ssl_new\n"); + if (!ret) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); + goto failed1; + } return 1; -go_failed1: +failed1: return ret; } @@ -382,9 +423,9 @@ int SSL_read(SSL *ssl, void *buffer, int len) { int ret; - SSL_ASSERT(ssl); - SSL_ASSERT(buffer); - SSL_ASSERT(len); + SSL_ASSERT1(ssl); + SSL_ASSERT1(buffer); + SSL_ASSERT1(len); ssl->rwstate = SSL_READING; @@ -405,9 +446,9 @@ int SSL_write(SSL *ssl, const void *buffer, int len) int send_bytes; const unsigned char *pbuf; - SSL_ASSERT(ssl); - SSL_ASSERT(buffer); - SSL_ASSERT(len); + SSL_ASSERT1(ssl); + SSL_ASSERT1(buffer); + SSL_ASSERT1(len); ssl->rwstate = SSL_WRITING; @@ -443,7 +484,7 @@ int SSL_write(SSL *ssl, const void *buffer, int len) */ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); return ssl->ctx; } @@ -453,7 +494,7 @@ SSL_CTX *SSL_get_SSL_CTX(const SSL *ssl) */ const SSL_METHOD *SSL_get_ssl_method(SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); return ssl->method; } @@ -465,22 +506,26 @@ int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method) { int ret; - SSL_ASSERT(ssl); - SSL_ASSERT(method); + SSL_ASSERT1(ssl); + SSL_ASSERT1(method); if (ssl->version != method->version) { ret = SSL_shutdown(ssl); - if (1 != ret) - SSL_ERR(0, go_failed1, "SSL_shutdown\n"); + if (1 != ret) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_shutdown return %d", ret); + goto failed1; + } SSL_METHOD_CALL(free, ssl); ssl->method = method; ret = SSL_METHOD_CALL(new, ssl); - if (!ret) - SSL_ERR(0, go_failed1, "ssl_new\n"); + if (!ret) { + SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "SSL_METHOD_CALL(new) return %d", ret); + goto failed1; + } } else { ssl->method = method; } @@ -488,7 +533,7 @@ int SSL_set_ssl_method(SSL *ssl, const SSL_METHOD *method) return 1; -go_failed1: +failed1: return ret; } @@ -497,7 +542,7 @@ go_failed1: */ int SSL_get_shutdown(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->shutdown; } @@ -507,7 +552,7 @@ int SSL_get_shutdown(const SSL *ssl) */ void SSL_set_shutdown(SSL *ssl, int mode) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); ssl->shutdown = mode; } @@ -520,7 +565,7 @@ int SSL_pending(const SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(pending, ssl); @@ -534,7 +579,7 @@ int SSL_has_pending(const SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); if (SSL_pending(ssl)) ret = 1; @@ -549,6 +594,8 @@ int SSL_has_pending(const SSL *ssl) */ unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) { + SSL_ASSERT1(ctx); + return ctx->options &= ~op; } @@ -557,6 +604,8 @@ unsigned long SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op) */ unsigned long SSL_CTX_get_options(SSL_CTX *ctx) { + SSL_ASSERT1(ctx); + return ctx->options; } @@ -565,6 +614,8 @@ unsigned long SSL_CTX_get_options(SSL_CTX *ctx) */ unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt) { + SSL_ASSERT1(ctx); + return ctx->options |= opt; } @@ -573,7 +624,7 @@ unsigned long SSL_CTX_set_options(SSL_CTX *ctx, unsigned long opt) */ unsigned long SSL_clear_options(SSL *ssl, unsigned long op) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->options & ~op; } @@ -583,7 +634,7 @@ unsigned long SSL_clear_options(SSL *ssl, unsigned long op) */ unsigned long SSL_get_options(SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->options; } @@ -593,7 +644,7 @@ unsigned long SSL_get_options(SSL *ssl) */ unsigned long SSL_set_options(SSL *ssl, unsigned long op) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->options |= op; } @@ -605,7 +656,7 @@ int SSL_get_fd(const SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(get_fd, ssl, 0); @@ -619,7 +670,7 @@ int SSL_get_rfd(const SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(get_fd, ssl, 0); @@ -633,7 +684,7 @@ int SSL_get_wfd(const SSL *ssl) { int ret; - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ret = SSL_METHOD_CALL(get_fd, ssl, 0); @@ -645,8 +696,8 @@ int SSL_get_wfd(const SSL *ssl) */ int SSL_set_fd(SSL *ssl, int fd) { - SSL_ASSERT(ssl); - SSL_ASSERT(fd >= 0); + SSL_ASSERT1(ssl); + SSL_ASSERT1(fd >= 0); SSL_METHOD_CALL(set_fd, ssl, fd, 0); @@ -658,8 +709,8 @@ int SSL_set_fd(SSL *ssl, int fd) */ int SSL_set_rfd(SSL *ssl, int fd) { - SSL_ASSERT(ssl); - SSL_ASSERT(fd >= 0); + SSL_ASSERT1(ssl); + SSL_ASSERT1(fd >= 0); SSL_METHOD_CALL(set_fd, ssl, fd, 0); @@ -671,8 +722,8 @@ int SSL_set_rfd(SSL *ssl, int fd) */ int SSL_set_wfd(SSL *ssl, int fd) { - SSL_ASSERT(ssl); - SSL_ASSERT(fd >= 0); + SSL_ASSERT1(ssl); + SSL_ASSERT1(fd >= 0); SSL_METHOD_CALL(set_fd, ssl, fd, 0); @@ -684,7 +735,7 @@ int SSL_set_wfd(SSL *ssl, int fd) */ int SSL_version(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->version; } @@ -715,7 +766,7 @@ static const char* ssl_protocol_to_string(int version) */ const char *SSL_get_version(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); return ssl_protocol_to_string(SSL_version(ssl)); } @@ -987,7 +1038,7 @@ const char *SSL_rstate_string(SSL *ssl) { const char *str; - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); switch (ssl->rlayer.rstate) { @@ -1015,7 +1066,7 @@ const char *SSL_rstate_string_long(SSL *ssl) { const char *str = "unknown"; - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); switch (ssl->rlayer.rstate) { @@ -1042,7 +1093,7 @@ char *SSL_state_string(const SSL *ssl) { char *str = "UNKWN "; - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); if (ossl_statem_in_error(ssl)) str = "SSLERR"; @@ -1150,7 +1201,7 @@ char *SSL_state_string_long(const SSL *ssl) { char *str = "UNKWN "; - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); if (ossl_statem_in_error(ssl)) str = "SSLERR"; @@ -1262,8 +1313,7 @@ char *SSL_state_string_long(const SSL *ssl) */ void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) { - SSL_ASSERT(ctx); - SSL_ASSERT(len); + SSL_ASSERT3(ctx); ctx->read_buffer_len = len; } @@ -1273,8 +1323,8 @@ void SSL_CTX_set_default_read_buffer_len(SSL_CTX *ctx, size_t len) */ void SSL_set_default_read_buffer_len(SSL *ssl, size_t len) { - SSL_ASSERT(ssl); - SSL_ASSERT(len); + SSL_ASSERT3(ssl); + SSL_ASSERT3(len); SSL_METHOD_CALL(set_bufflen, ssl, len); } @@ -1284,7 +1334,7 @@ void SSL_set_default_read_buffer_len(SSL *ssl, size_t len) */ void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int val)) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); ssl->info_callback = cb; } @@ -1294,7 +1344,7 @@ void SSL_set_info_callback(SSL *ssl, void (*cb) (const SSL *ssl, int type, int v */ int SSL_CTX_up_ref(SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); /** * no support multi-thread SSL here @@ -1309,7 +1359,7 @@ int SSL_CTX_up_ref(SSL_CTX *ctx) */ void SSL_set_security_level(SSL *ssl, int level) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); ssl->cert->sec_level = level; } @@ -1319,7 +1369,7 @@ void SSL_set_security_level(SSL *ssl, int level) */ int SSL_get_security_level(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->cert->sec_level; } @@ -1329,7 +1379,7 @@ int SSL_get_security_level(const SSL *ssl) */ int SSL_CTX_get_verify_mode(const SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); return ctx->verify_mode; } @@ -1341,7 +1391,7 @@ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t) { long l; - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); l = ctx->session_timeout; ctx->session_timeout = t; @@ -1354,7 +1404,7 @@ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t) */ long SSL_CTX_get_timeout(const SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); return ctx->session_timeout; } @@ -1364,7 +1414,7 @@ long SSL_CTX_get_timeout(const SSL_CTX *ctx) */ void SSL_set_read_ahead(SSL *ssl, int yes) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); ssl->rlayer.read_ahead = yes; } @@ -1374,7 +1424,7 @@ void SSL_set_read_ahead(SSL *ssl, int yes) */ void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) { - SSL_ASSERT(ctx); + SSL_ASSERT3(ctx); ctx->read_ahead = yes; } @@ -1384,7 +1434,7 @@ void SSL_CTX_set_read_ahead(SSL_CTX *ctx, int yes) */ int SSL_get_read_ahead(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->rlayer.read_ahead; } @@ -1394,7 +1444,7 @@ int SSL_get_read_ahead(const SSL *ssl) */ long SSL_CTX_get_read_ahead(SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); return ctx->read_ahead; } @@ -1404,7 +1454,7 @@ long SSL_CTX_get_read_ahead(SSL_CTX *ctx) */ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); return ctx->read_ahead; } @@ -1414,7 +1464,7 @@ long SSL_CTX_get_default_read_ahead(SSL_CTX *ctx) */ long SSL_set_time(SSL *ssl, long t) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ssl->session->time = t; @@ -1426,7 +1476,7 @@ long SSL_set_time(SSL *ssl, long t) */ long SSL_set_timeout(SSL *ssl, long t) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); ssl->session->timeout = t; @@ -1438,7 +1488,7 @@ long SSL_set_timeout(SSL *ssl, long t) */ long SSL_get_verify_result(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return SSL_METHOD_CALL(get_verify_result, ssl); } @@ -1448,7 +1498,7 @@ long SSL_get_verify_result(const SSL *ssl) */ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) { - SSL_ASSERT(ctx); + SSL_ASSERT1(ctx); return ctx->param.depth; } @@ -1458,7 +1508,7 @@ int SSL_CTX_get_verify_depth(const SSL_CTX *ctx) */ void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) { - SSL_ASSERT(ctx); + SSL_ASSERT3(ctx); ctx->param.depth = depth; } @@ -1468,7 +1518,7 @@ void SSL_CTX_set_verify_depth(SSL_CTX *ctx, int depth) */ int SSL_get_verify_depth(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT1(ssl); return ssl->param.depth; } @@ -1478,7 +1528,7 @@ int SSL_get_verify_depth(const SSL *ssl) */ void SSL_set_verify_depth(SSL *ssl, int depth) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); ssl->param.depth = depth; } @@ -1488,7 +1538,7 @@ void SSL_set_verify_depth(SSL *ssl, int depth) */ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *)) { - SSL_ASSERT(ctx); + SSL_ASSERT3(ctx); ctx->verify_mode = mode; ctx->default_verify_callback = verify_callback; @@ -1499,7 +1549,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509 */ void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *)) { - SSL_ASSERT(ssl); + SSL_ASSERT3(ssl); ssl->verify_mode = mode; ssl->verify_callback = verify_callback; diff --git a/components/openssl/library/ssl_pkey.c b/components/openssl/library/ssl_pkey.c index dbd82dc9c..567a33e2c 100644 --- a/components/openssl/library/ssl_pkey.c +++ b/components/openssl/library/ssl_pkey.c @@ -26,8 +26,10 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk) EVP_PKEY *pkey; pkey = ssl_mem_zalloc(sizeof(EVP_PKEY)); - if (!pkey) - SSL_RET(failed1, "ssl_mem_zalloc\n"); + if (!pkey) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "no enough memory > (pkey)"); + goto no_mem; + } if (ipk) { pkey->method = ipk->method; @@ -36,14 +38,16 @@ EVP_PKEY* __EVP_PKEY_new(EVP_PKEY *ipk) } ret = EVP_PKEY_METHOD_CALL(new, pkey, ipk); - if (ret) - SSL_RET(failed2, "EVP_PKEY_METHOD_CALL\n"); + if (ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(new) return %d", ret); + goto failed; + } return pkey; -failed2: +failed: ssl_mem_free(pkey); -failed1: +no_mem: return NULL; } @@ -60,6 +64,8 @@ EVP_PKEY* EVP_PKEY_new(void) */ void EVP_PKEY_free(EVP_PKEY *pkey) { + SSL_ASSERT3(pkey); + EVP_PKEY_METHOD_CALL(free, pkey); ssl_mem_free(pkey); @@ -78,22 +84,27 @@ EVP_PKEY *d2i_PrivateKey(int type, int ret; EVP_PKEY *pkey; - SSL_ASSERT(pp); - SSL_ASSERT(*pp); - SSL_ASSERT(length); + SSL_ASSERT2(pp); + SSL_ASSERT2(*pp); + SSL_ASSERT2(length); if (a && *a) { pkey = *a; } else { pkey = EVP_PKEY_new();; - if (!pkey) - SSL_RET(failed1, "EVP_PKEY_new\n"); + if (!pkey) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_new() return NULL"); + goto failed1; + } + m = 1; } ret = EVP_PKEY_METHOD_CALL(load, pkey, *pp, length); - if (ret) - SSL_RET(failed2, "EVP_PKEY_METHOD_CALL\n"); + if (ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "EVP_PKEY_METHOD_CALL(load) return %d", ret); + goto failed2; + } if (a) *a = pkey; @@ -112,8 +123,8 @@ failed1: */ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) { - SSL_ASSERT(ctx); - SSL_ASSERT(pkey); + SSL_ASSERT1(ctx); + SSL_ASSERT1(pkey); if (ctx->cert->pkey == pkey) return 1; @@ -131,8 +142,8 @@ int SSL_CTX_use_PrivateKey(SSL_CTX *ctx, EVP_PKEY *pkey) */ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey) { - SSL_ASSERT(ssl); - SSL_ASSERT(pkey); + SSL_ASSERT1(ssl); + SSL_ASSERT1(pkey); if (ssl->cert->pkey == pkey) return 1; @@ -155,12 +166,16 @@ int SSL_CTX_use_PrivateKey_ASN1(int type, SSL_CTX *ctx, EVP_PKEY *pk; pk = d2i_PrivateKey(0, NULL, &d, len); - if (!pk) - SSL_RET(failed1, "d2i_PrivateKey\n"); + if (!pk) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL"); + goto failed1; + } ret = SSL_CTX_use_PrivateKey(ctx, pk); - if (!ret) - SSL_RET(failed2, "SSL_CTX_use_PrivateKey\n"); + if (!ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_PrivateKey() return %d", ret); + goto failed2; + } return 1; @@ -180,12 +195,16 @@ int SSL_use_PrivateKey_ASN1(int type, SSL *ssl, EVP_PKEY *pk; pk = d2i_PrivateKey(0, NULL, &d, len); - if (!pk) - SSL_RET(failed1, "d2i_PrivateKey\n"); + if (!pk) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_PrivateKey() return NULL"); + goto failed1; + } ret = SSL_use_PrivateKey(ssl, pk); - if (!ret) - SSL_RET(failed2, "SSL_use_PrivateKey\n"); + if (!ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_PrivateKey() return %d", ret); + goto failed2; + } return 1; diff --git a/components/openssl/library/ssl_stack.c b/components/openssl/library/ssl_stack.c index 5dbb69af9..da836daf9 100644 --- a/components/openssl/library/ssl_stack.c +++ b/components/openssl/library/ssl_stack.c @@ -31,12 +31,16 @@ OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c) char **data; stack = ssl_mem_zalloc(sizeof(OPENSSL_STACK)); - if (!stack) - SSL_RET(failed1, "ssl_mem_zalloc\n"); + if (!stack) { + SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (stack)"); + goto no_mem1; + } data = ssl_mem_zalloc(sizeof(*data) * MIN_NODES); - if (!data) - SSL_RET(failed2, "ssl_mem_zalloc\n"); + if (!data) { + SSL_DEBUG(SSL_STACK_ERROR_LEVEL, "no enough memory > (data)"); + goto no_mem2; + } stack->data = data; stack->num_alloc = MIN_NODES; @@ -44,9 +48,9 @@ OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c) return stack; -failed2: +no_mem2: ssl_mem_free(stack); -failed1: +no_mem1: return NULL; } @@ -63,7 +67,7 @@ OPENSSL_STACK *OPENSSL_sk_new_null(void) */ void OPENSSL_sk_free(OPENSSL_STACK *stack) { - SSL_ASSERT(stack); + SSL_ASSERT3(stack); ssl_mem_free(stack->data); ssl_mem_free(stack); diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c index d0426db18..ef0503c05 100644 --- a/components/openssl/library/ssl_x509.c +++ b/components/openssl/library/ssl_x509.c @@ -34,8 +34,10 @@ X509* __X509_new(X509 *ix) X509 *x; x = ssl_mem_zalloc(sizeof(X509)); - if (!x) - SSL_RET(failed1, "ssl_mem_zalloc\n"); + if (!x) { + SSL_DEBUG(SSL_X509_ERROR_LEVEL, "no enough memory > (x)"); + goto no_mem; + } if (ix) x->method = ix->method; @@ -43,14 +45,16 @@ X509* __X509_new(X509 *ix) x->method = X509_method(); ret = X509_METHOD_CALL(new, x, ix); - if (ret) - SSL_RET(failed2, "x509_new\n"); + if (ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(new) return %d", ret); + goto failed; + } return x; -failed2: +failed: ssl_mem_free(x); -failed1: +no_mem: return NULL; } @@ -67,6 +71,8 @@ X509* X509_new(void) */ void X509_free(X509 *x) { + SSL_ASSERT3(x); + X509_METHOD_CALL(free, x); ssl_mem_free(x); @@ -82,21 +88,25 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len) int ret; X509 *x; - SSL_ASSERT(buffer); - SSL_ASSERT(len); + SSL_ASSERT2(buffer); + SSL_ASSERT2(len); if (cert && *cert) { x = *cert; } else { x = X509_new(); - if (!x) - SSL_RET(failed1, "X509_new\n"); + if (!x) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_new() return NULL"); + goto failed1; + } m = 1; } ret = X509_METHOD_CALL(load, x, buffer, len); - if (ret) - SSL_RET(failed2, "x509_load\n"); + if (ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "X509_METHOD_CALL(load) return %d", ret); + goto failed2; + } return x; @@ -112,8 +122,8 @@ failed1: */ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) { - SSL_ASSERT(ctx); - SSL_ASSERT(x); + SSL_ASSERT1(ctx); + SSL_ASSERT1(x); if (ctx->client_CA == x) return 1; @@ -130,8 +140,8 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x) */ int SSL_add_client_CA(SSL *ssl, X509 *x) { - SSL_ASSERT(ssl); - SSL_ASSERT(x); + SSL_ASSERT1(ssl); + SSL_ASSERT1(x); if (ssl->client_CA == x) return 1; @@ -148,8 +158,8 @@ int SSL_add_client_CA(SSL *ssl, X509 *x) */ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) { - SSL_ASSERT(ctx); - SSL_ASSERT(x); + SSL_ASSERT1(ctx); + SSL_ASSERT1(x); if (ctx->cert->x509 == x) return 1; @@ -166,8 +176,8 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x) */ int SSL_use_certificate(SSL *ssl, X509 *x) { - SSL_ASSERT(ssl); - SSL_ASSERT(x); + SSL_ASSERT1(ssl); + SSL_ASSERT1(x); if (ssl->cert->x509 == x) return 1; @@ -184,7 +194,7 @@ int SSL_use_certificate(SSL *ssl, X509 *x) */ X509 *SSL_get_certificate(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); return ssl->cert->x509; } @@ -199,12 +209,16 @@ int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len, X509 *x; x = d2i_X509(NULL, d, len); - if (!x) - SSL_RET(failed1, "d2i_X509\n"); + if (!x) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL"); + goto failed1; + } ret = SSL_CTX_use_certificate(ctx, x); - if (!ret) - SSL_RET(failed2, "SSL_CTX_use_certificate\n"); + if (!ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_CTX_use_certificate() return %d", ret); + goto failed2; + } return 1; @@ -224,12 +238,16 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len, X509 *x; x = d2i_X509(NULL, d, len); - if (!x) - SSL_RET(failed1, "d2i_X509\n"); + if (!x) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "d2i_X509() return NULL"); + goto failed1; + } ret = SSL_use_certificate(ssl, x); - if (!ret) - SSL_RET(failed2, "SSL_use_certificate\n"); + if (!ret) { + SSL_DEBUG(SSL_PKEY_ERROR_LEVEL, "SSL_use_certificate() return %d", ret); + goto failed2; + } return 1; @@ -260,7 +278,7 @@ int SSL_use_certificate_file(SSL *ssl, const char *file, int type) */ X509 *SSL_get_peer_certificate(const SSL *ssl) { - SSL_ASSERT(ssl); + SSL_ASSERT2(ssl); return ssl->session->peer; } diff --git a/components/openssl/platform/ssl_pm.c b/components/openssl/platform/ssl_pm.c index 15015107f..b175b3826 100755 --- a/components/openssl/platform/ssl_pm.c +++ b/components/openssl/platform/ssl_pm.c @@ -25,13 +25,7 @@ #include "mbedtls/error.h" #include "mbedtls/certs.h" -#if 0 - #define DEBUG_LOAD_BUF_STRING(str) SSL_DEBUG(1, "%s\n", str) -#else - #define DEBUG_LOAD_BUF_STRING(str) -#endif - -#define X509_INFO_STRING_LENGTH 1024 +#define X509_INFO_STRING_LENGTH 8192 struct ssl_pm { @@ -63,13 +57,36 @@ struct pkey_pm mbedtls_pk_context *ex_pkey; }; - unsigned int max_content_len; - /*********************************************************************************************/ /************************************ SSL arch interface *************************************/ +#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG + +/* mbedtls debug level */ +#define MBEDTLS_DEBUG_LEVEL 4 + +/** + * @brief mbedtls debug function + */ +static void ssl_platform_debug(void *ctx, int level, + const char *file, int line, + const char *str) +{ + /* Shorten 'file' from the whole file path to just the filename + + This is a bit wasteful because the macros are compiled in with + the full _FILE_ path in each case. + */ + char *file_sep = rindex(file, '/'); + if(file_sep) + file = file_sep + 1; + + SSL_DEBUG(SSL_DEBUG_ON, "%s:%d %s", file, line, str); +} +#endif + /** * @brief create SSL low-level object */ @@ -87,11 +104,13 @@ int ssl_pm_new(SSL *ssl) const SSL_METHOD *method = ssl->method; ssl_pm = ssl_mem_zalloc(sizeof(struct ssl_pm)); - if (!ssl_pm) - SSL_ERR(ret, failed1, "ssl_mem_zalloc\n"); + if (!ssl_pm) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (ssl_pm)"); + goto no_mem; + } max_content_len = ssl->ctx->read_buffer_len; - + mbedtls_net_init(&ssl_pm->fd); mbedtls_net_init(&ssl_pm->cl_fd); @@ -101,8 +120,10 @@ int ssl_pm_new(SSL *ssl) mbedtls_ssl_init(&ssl_pm->ssl); ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, pers, pers_len); - if (ret) - SSL_ERR(ret, failed2, "mbedtls_ctr_drbg_seed:[-0x%x]\n", -ret); + if (ret) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ctr_drbg_seed() return -0x%x", -ret); + goto mbedtls_err1; + } if (method->endpoint) { endpoint = MBEDTLS_SSL_IS_SERVER; @@ -110,8 +131,10 @@ int ssl_pm_new(SSL *ssl) endpoint = MBEDTLS_SSL_IS_CLIENT; } ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT); - if (ret) - SSL_ERR(ret, failed2, "mbedtls_ssl_config_defaults:[-0x%x]\n", -ret); + if (ret) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_config_defaults() return -0x%x", -ret); + goto mbedtls_err2; + } if (TLS_ANY_VERSION != ssl->version) { if (TLS1_2_VERSION == ssl->version) @@ -132,11 +155,18 @@ int ssl_pm_new(SSL *ssl) mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg); +#ifdef CONFIG_OPENSSL_LOWLEVEL_DEBUG + mbedtls_debug_set_threshold(MBEDTLS_DEBUG_LEVEL); + mbedtls_ssl_conf_dbg(&ssl_pm->conf, ssl_platform_debug, NULL); +#else mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL); +#endif ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf); - if (ret) - SSL_ERR(ret, failed3, "mbedtls_ssl_setup:[-0x%x]\n", -ret); + if (ret) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_setup() return -0x%x", -ret); + goto mbedtls_err2; + } mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL); @@ -144,13 +174,13 @@ int ssl_pm_new(SSL *ssl) return 0; -failed3: +mbedtls_err2: mbedtls_ssl_config_free(&ssl_pm->conf); mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg); -failed2: +mbedtls_err1: mbedtls_entropy_free(&ssl_pm->entropy); ssl_mem_free(ssl_pm); -failed1: +no_mem: return -1; } @@ -222,16 +252,12 @@ static int mbedtls_handshake( mbedtls_ssl_context *ssl ) { int ret = 0; - if (ssl == NULL || ssl->conf == NULL) - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - while (ssl->state != MBEDTLS_SSL_HANDSHAKE_OVER) { ret = mbedtls_ssl_handshake_step(ssl); - - SSL_DEBUG(1, "ssl ret %d state %d heap %d\n", - ret, ssl->state, system_get_free_heap_size()); - + + SSL_DEBUG(SSL_PLATFORM_DEBUG_LEVEL, "ssl ret %d state %d", ret, ssl->state); + if (ret != 0) break; } @@ -248,19 +274,15 @@ int ssl_pm_handshake(SSL *ssl) if (mbed_ret) return 0; - SSL_DEBUG(1, "ssl_speed_up_enter "); ssl_speed_up_enter(); - SSL_DEBUG(1, "OK\n"); - + while((mbed_ret = mbedtls_handshake(&ssl_pm->ssl)) != 0) { if (mbed_ret != MBEDTLS_ERR_SSL_WANT_READ && mbed_ret != MBEDTLS_ERR_SSL_WANT_WRITE) { break; } } - - SSL_DEBUG(1, "ssl_speed_up_exit "); + ssl_speed_up_exit(); - SSL_DEBUG(1, "OK\n"); if (!mbed_ret) { struct x509_pm *x509_pm = (struct x509_pm *)ssl->session->peer->x509_pm; @@ -270,7 +292,7 @@ int ssl_pm_handshake(SSL *ssl) x509_pm->ex_crt = (mbedtls_x509_crt *)mbedtls_ssl_get_peer_cert(&ssl_pm->ssl); } else { ret = 0; - SSL_DEBUG(1, "mbedtls_ssl_handshake [-0x%x]\n", -mbed_ret); + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_handshake() return -0x%x", -mbed_ret); } return ret; @@ -430,23 +452,28 @@ int x509_pm_show_info(X509 *x) return -1; buf = ssl_mem_malloc(X509_INFO_STRING_LENGTH); - if (!buf) - SSL_RET(failed1, ""); + if (!buf) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (buf)"); + goto no_mem; + } ret = mbedtls_x509_crt_info(buf, X509_INFO_STRING_LENGTH - 1, "", x509_crt); - if (ret <= 0) - SSL_RET(failed2, ""); + if (ret <= 0) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_info() return -0x%x", -ret); + goto mbedtls_err1; + } + buf[ret] = 0; ssl_mem_free(buf); - SSL_DEBUG(1, "%s", buf); + SSL_DEBUG(SSL_DEBUG_ON, "%s", buf); return 0; -failed2: +mbedtls_err1: ssl_mem_free(buf); -failed1: +no_mem: return -1; } @@ -455,8 +482,10 @@ int x509_pm_new(X509 *x, X509 *m_x) struct x509_pm *x509_pm; x509_pm = ssl_mem_zalloc(sizeof(struct x509_pm)); - if (!x509_pm) - SSL_RET(failed1, "ssl_mem_zalloc\n"); + if (!x509_pm) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm)"); + goto failed1; + } x->x509_pm = x509_pm; @@ -498,34 +527,38 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len) if (!x509_pm->x509_crt) { x509_pm->x509_crt = ssl_mem_malloc(sizeof(mbedtls_x509_crt)); - if (!x509_pm->x509_crt) - SSL_RET(failed1, "ssl_mem_malloc\n"); + if (!x509_pm->x509_crt) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (x509_pm->x509_crt)"); + goto no_mem; + } } load_buf = ssl_mem_malloc(len + 1); - if (!load_buf) - SSL_RET(failed2, "ssl_mem_malloc\n"); + if (!load_buf) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)"); + goto failed; + } ssl_memcpy(load_buf, buffer, len); load_buf[len] = '\0'; - DEBUG_LOAD_BUF_STRING(load_buf); - mbedtls_x509_crt_init(x509_pm->x509_crt); ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len + 1); ssl_mem_free(load_buf); - if (ret) - SSL_RET(failed2, "mbedtls_x509_crt_parse, return [-0x%x]\n", -ret); + if (ret) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_x509_crt_parse return -0x%x", -ret); + goto failed; + } return 0; -failed2: +failed: mbedtls_x509_crt_free(x509_pm->x509_crt); ssl_mem_free(x509_pm->x509_crt); x509_pm->x509_crt = NULL; -failed1: +no_mem: return -1; } @@ -574,34 +607,38 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len) if (!pkey_pm->pkey) { pkey_pm->pkey = ssl_mem_malloc(sizeof(mbedtls_pk_context)); - if (!pkey_pm->pkey) - SSL_RET(failed1, "ssl_mem_malloc\n"); + if (!pkey_pm->pkey) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (pkey_pm->pkey)"); + goto no_mem; + } } load_buf = ssl_mem_malloc(len + 1); - if (!load_buf) - SSL_RET(failed2, "ssl_mem_malloc\n"); + if (!load_buf) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "no enough memory > (load_buf)"); + goto failed; + } ssl_memcpy(load_buf, buffer, len); load_buf[len] = '\0'; - DEBUG_LOAD_BUF_STRING(load_buf); - mbedtls_pk_init(pkey_pm->pkey); ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len + 1, NULL, 0); ssl_mem_free(load_buf); - if (ret) - SSL_RET(failed2, "mbedtls_pk_parse_key, return [-0x%x]\n", -ret); + if (ret) { + SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_pk_parse_key return -0x%x", -ret); + goto failed; + } return 0; -failed2: +failed: mbedtls_pk_free(pkey_pm->pkey); ssl_mem_free(pkey_pm->pkey); pkey_pm->pkey = NULL; -failed1: +no_mem: return -1; } diff --git a/components/openssl/platform/ssl_port.c b/components/openssl/platform/ssl_port.c index ae3b849ca..8c7a31338 100644 --- a/components/openssl/platform/ssl_port.c +++ b/components/openssl/platform/ssl_port.c @@ -14,15 +14,10 @@ #include "ssl_port.h" -#ifdef ESP32_IDF_PLATFORM - -#include "string.h" -#include "malloc.h" - /*********************************************************************************************/ /********************************* SSL general interface *************************************/ -void* ssl_mem_zalloc(size_t size) +void *ssl_mem_zalloc(size_t size) { void *p = malloc(size); @@ -32,35 +27,3 @@ void* ssl_mem_zalloc(size_t size) return p; } -void *ssl_mem_malloc(size_t size) -{ - return malloc(size); -} - -void ssl_mem_free(void *p) -{ - free(p); -} - -void* ssl_memcpy(void *to, const void *from, size_t size) -{ - return memcpy(to, from, size); -} - -size_t ssl_strlen(const char *src) -{ - return strlen(src); -} - -void ssl_speed_up_enter(void) -{ - -} - -void ssl_speed_up_exit(void) -{ - -} - -#endif -