OVMS3-idf/components/openssl/platform/ssl_pm.c

#include "ssl_pm.h"
#include "ssl_dbg.h"

/* mbedtls include */
#include "mbedtls/platform.h"
#include "mbedtls/net.h"
#include "mbedtls/debug.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"

struct ssl_pm
{
    /* local socket file description */
    mbedtls_net_context fd;
    /* remote client socket file description */
    mbedtls_net_context cl_fd;

    mbedtls_ssl_config conf;

    mbedtls_ctr_drbg_context ctr_drbg;

    mbedtls_ssl_context ssl;

    mbedtls_entropy_context entropy;
};

struct x509_pm
{
    mbedtls_x509_crt x509_crt;
};

struct pkey_pm
{
    mbedtls_pk_context pkey;
};


unsigned int max_content_len;


/*********************************************************************************************/
/********************************* SSL general interface *************************************/

void* ssl_zalloc(size_t size)
{
    void *p = malloc(size);

    if (p)
        memset(p, 0, size);

    return p;
}

void *ssl_malloc(size_t size)
{
    return zalloc(size);
}

void ssl_free(void *p)
{
    free(p);
}

void* ssl_memcpy(void *to, const void *from, size_t size)
{
    return memcpy(to, from, size);
}

void ssl_speed_up_enter(void)
{

}

void ssl_speed_up_exit(void)
{

}

/*********************************************************************************************/
/************************************ SSL arch interface *************************************/

int ssl_pm_new(SSL *ssl)
{
    struct ssl_pm *ssl_pm;
    int ret;

    char *pers;
    int endpoint;

    SSL_CTX *ctx = ssl->ctx;
    const SSL_METHOD *method = ssl->method;

    ssl_pm = malloc(sizeof(struct ssl_pm));
    if (!ssl_pm)
        return -1;

    if (method->endpoint) {
        pers = "server";
        endpoint = MBEDTLS_SSL_IS_SERVER;
    } else {
        pers = "client";
        endpoint = MBEDTLS_SSL_IS_CLIENT;
    }

    //max_content_len = 4096;

    mbedtls_net_init(&ssl_pm->fd);
    mbedtls_net_init(&ssl_pm->cl_fd);

    mbedtls_ssl_config_init(&ssl_pm->conf);
    mbedtls_ctr_drbg_init(&ssl_pm->ctr_drbg);
    mbedtls_entropy_init(&ssl_pm->entropy);
    mbedtls_ssl_init(&ssl_pm->ssl);

    ret = mbedtls_ctr_drbg_seed(&ssl_pm->ctr_drbg, mbedtls_entropy_func, &ssl_pm->entropy, (const unsigned char *)pers, strlen(pers));
    if (ret)
        SSL_ERR(ret, failed1, "mbedtls_ctr_drbg_seed:[-0x%x]\n", -ret);

    ret = mbedtls_ssl_config_defaults(&ssl_pm->conf, endpoint, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
    if (ret)
        SSL_ERR(ret, failed2, "mbedtls_ssl_config_defaults:[-0x%x]\n", -ret);

    mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
    mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);

    if (ctx->client_CA->x509_pm) {
        struct x509_pm *x509_pm = (struct x509_pm *)ctx->client_CA->x509_pm;

         mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
         mbedtls_ssl_conf_authmode(&ssl_pm->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
    } else {
        mbedtls_ssl_conf_authmode(&ssl_pm->conf, MBEDTLS_SSL_VERIFY_NONE);
    }
    if (ctx->cert->x509 &&
        ctx->cert->pkey) {
        struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm;
        struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm;

        ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
        if (ret)
            SSL_ERR(ret, failed4, "mbedtls_ssl_conf_own_cert:[%d]\n", ret);
    }

    ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
    if (ret)
        SSL_ERR(ret, failed4, "mbedtls_ssl_setup:[-0x%x]\n", -ret);

    mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);

    ssl->ssl_pm = ssl_pm;

    return 0;

failed4:
    mbedtls_ssl_config_free(&ssl_pm->conf);
failed3:
    mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
failed2:
    mbedtls_entropy_free(&ssl_pm->entropy);
failed1:
    return -1;
}

void ssl_pm_free(SSL *ssl)
{
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    mbedtls_ssl_config_free(&ssl_pm->conf);
    mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
    mbedtls_entropy_free(&ssl_pm->entropy);
    mbedtls_ssl_free(&ssl_pm->ssl);

    mbedtls_net_free(&ssl_pm->fd);
    mbedtls_net_free(&ssl_pm->cl_fd);
}

int ssl_pm_handshake(SSL *ssl)
{
    int ret, mbed_ret;
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    ssl_speed_up_enter();
    while((mbed_ret = mbedtls_ssl_handshake(&ssl_pm->ssl)) != 0) {
        if (mbed_ret != MBEDTLS_ERR_SSL_WANT_READ && mbed_ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
           break;
        }
    }
    ssl_speed_up_exit();

    if (!mbed_ret)
        ret = 1;
    else {
        ret = 0;
        SSL_DEBUG(1, "mbedtls_ssl_handshake [-0x%x]\n", -mbed_ret);
    }

    return ret;
}

int ssl_pm_shutdown(SSL *ssl)
{
    int ret, mbed_ret;
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    mbed_ret = mbedtls_ssl_close_notify(&ssl_pm->ssl);
    if (!mbed_ret)
        ret = 0;
    else
        ret = -1;

    return ret;
}

int ssl_pm_clear(SSL *ssl)
{
    return ssl_pm_shutdown(ssl);
}


int ssl_pm_read(SSL *ssl, void *buffer, int len)
{
    int ret, mbed_ret;
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    mbed_ret = mbedtls_ssl_read(&ssl_pm->ssl, buffer, len);
    if (mbed_ret < 0)
        ret = -1;
    else if (mbed_ret == 0)
        ret = 0;
    else
        ret = mbed_ret;

    return ret;
}

int ssl_pm_send(SSL *ssl, const void *buffer, int len)
{
    int ret, mbed_ret;
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    mbed_ret = mbedtls_ssl_write(&ssl_pm->ssl, buffer, len);
    if (mbed_ret < 0)
        ret = -1;
    else if (mbed_ret == 0)
        ret = 0;
    else
        ret = mbed_ret;

    return ret;
}

int ssl_pm_pending(const SSL *ssl)
{
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    return mbedtls_ssl_get_bytes_avail(&ssl_pm->ssl);
}

void ssl_pm_set_fd(SSL *ssl, int fd, int mode)
{
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    ssl_pm->fd.fd = fd;
}

int ssl_pm_get_fd(const SSL *ssl, int mode)
{
    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    return ssl_pm->fd.fd;
}

OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl)
{
    OSSL_HANDSHAKE_STATE state;

    struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;

    switch (ssl_pm->ssl.state)
    {
        case MBEDTLS_SSL_CLIENT_HELLO:
            state = TLS_ST_CW_CLNT_HELLO;
            break;
        case MBEDTLS_SSL_SERVER_HELLO:
            state = TLS_ST_SW_SRVR_HELLO;
            break;
        case MBEDTLS_SSL_SERVER_CERTIFICATE:
            state = TLS_ST_SW_CERT;
            break;
        case MBEDTLS_SSL_SERVER_HELLO_DONE:
            state = TLS_ST_SW_SRVR_DONE;
            break;
        case MBEDTLS_SSL_CLIENT_KEY_EXCHANGE:
            state = TLS_ST_CW_KEY_EXCH;
            break;
        case MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC:
            state = TLS_ST_CW_CHANGE;
            break;
        case MBEDTLS_SSL_CLIENT_FINISHED:
            state = TLS_ST_CW_FINISHED;
            break;
        case MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC:
            state = TLS_ST_SW_CHANGE;
            break;
        case MBEDTLS_SSL_SERVER_FINISHED:
            state = TLS_ST_SW_FINISHED;
            break;
        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
            state = TLS_ST_CW_CERT;
            break;
        case MBEDTLS_SSL_SERVER_KEY_EXCHANGE:
            state = TLS_ST_SR_KEY_EXCH;
            break;
        case MBEDTLS_SSL_SERVER_NEW_SESSION_TICKET:
            state = TLS_ST_SW_SESSION_TICKET;
            break;
        case MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT:
            state = TLS_ST_SW_CERT_REQ;
            break;
        case MBEDTLS_SSL_HANDSHAKE_OVER:
            state = TLS_ST_OK;
            break;
        default :
            state = TLS_ST_BEFORE;
            break;
    }

    return state;
}

void* x509_pm_new(void)
{
    return ssl_malloc(sizeof(struct x509_pm));
}

void x509_pm_free(void *pm)
{
    ssl_free(pm);
}

int x509_pm_load_crt(void *pm, const unsigned char *buffer, int len)
{
    int ret;
    unsigned char *load_buf;
    struct x509_pm *x509_pm = (struct x509_pm *)pm;

    load_buf = ssl_malloc(len + 1);
    if (!load_buf)
        SSL_RET(failed1, "");

    ssl_memcpy(load_buf, buffer, len);
    load_buf[len] = '\0';

    mbedtls_x509_crt_init(&x509_pm->x509_crt);
    ret = mbedtls_x509_crt_parse(&x509_pm->x509_crt, load_buf, len);
    ssl_free(load_buf);

    if (ret)
        SSL_RET(failed1, "");

    return 0;

failed1:
    return -1;
}

void x509_pm_unload_crt(void *pm)
{
    struct x509_pm *x509_pm = (struct x509_pm *)pm;

    mbedtls_x509_crt_free(&x509_pm->x509_crt);
}

void* pkey_pm_new(void)
{
    return ssl_malloc(sizeof(struct pkey_pm));
}

void pkey_pm_free(void *pm)
{
    ssl_free(pm);
}

int pkey_pm_load_crt(void *pm, const unsigned char *buffer, int len)
{
    int ret;
    unsigned char *load_buf;
    struct pkey_pm *pkey_pm = (struct pkey_pm *)pm;

    load_buf = ssl_malloc(len + 1);
    if (!load_buf)
        SSL_RET(failed1, "");

    ssl_memcpy(load_buf, buffer, len);
    load_buf[len] = '\0';

    mbedtls_pk_init(&pkey_pm->pkey);
    ret = mbedtls_pk_parse_key(&pkey_pm->pkey, load_buf, len, NULL, 0);
    ssl_free(load_buf);

    if (ret)
        SSL_RET(failed1, "");

    return 0;

failed1:
    return -1;
}

void pkey_pm_unload_crt(void *pm)
{
    struct pkey_pm *pkey_pm = (struct pkey_pm *)pm;

    mbedtls_pk_free(&pkey_pm->pkey);
}

void ssl_pm_set_bufflen(SSL *ssl, int len)
{
    max_content_len = len;
}