Halaman utama Jelajahi Bantuan
Daftar Masuk
lusa
/
gd32450i-eval
1
0
Fork 0
Berkas Masalah 0 Permintaan Tarik 0 Wiki
Cabang: master
Ranting Tag
gd32450i-eval
/
app
/
goahead-5.1.0
/
paks
/
goahead-mbedtls
/
goahead-mbedtls.c

goahead-mbedtls.c 17 KB
Permalink Riwayat Mentahan

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599 
  1. /*
    2. 

  2.     goahead-mbedtls.c - MbedTLS interface to GoAhead
    3. 

  3. 

  4.     Copyright (c) All Rights Reserved. See details at the end of the file.
    5. 

  5.  */
    6. 

  6. /************************************ Include *********************************/
    7. 

  7. 

  8. #include    "goahead.h"
    9. 

  9. 

  10. #if ME_COM_MBEDTLS
    11. 

  11.  /*
    12. 

  12.     Indent to bypass MakeMe dependencies
    13. 

  13.   */
    14. 

  14.  #include    "mbedtls.h"
    15. 

  15. 

  16. /************************************* Defines ********************************/
    17. 

  17. 

  18. typedef struct MbedConfig {
    19. 

  19.     mbedtls_x509_crt            ca;             /* Certificate authority bundle to verify peer */
    20. 

  20.     mbedtls_ssl_cache_context   cache;          /* Session cache context */
    21. 

  21.     mbedtls_ssl_config          conf;           /* SSL configuration */
    22. 

  22.     mbedtls_x509_crt            cert;           /* Certificate (own) */
    23. 

  23.     mbedtls_ctr_drbg_context    ctr;            /* Counter random generator state */
    24. 

  24.     mbedtls_ssl_ticket_context  tickets;        /* Session tickets */
    25. 

  25.     mbedtls_entropy_context     entropy;        /* Entropy context */
    26. 

  26.     mbedtls_x509_crl            revoke;         /* Certificate authority bundle to verify peer */
    27. 

  27.     mbedtls_pk_context          pkey;           /* Private key */
    28. 

  28.     int                         *ciphers;       /* Set of acceptable ciphers - null terminated */
    29. 

  29. } MbedConfig;
    30. 

  30. 

  31. /*
    32. 

  32.     Per socket state
    33. 

  33.  */
    34. 

  34. typedef struct MbedSocket {
    35. 

  35.     mbedtls_ssl_context         ctx;            /* SSL state */
    36. 

  36.     mbedtls_ssl_session         session;        /* SSL sessions */
    37. 

  37. } MbedSocket;
    38. 

  38. 

  39. static MbedConfig   cfg;
    40. 

  40. 

  41. /*
    42. 

  42.     GoAhead Log level to start SSL tracing
    43. 

  43.  */
    44. 

  44. static int          mbedLogLevel = ME_GOAHEAD_SSL_LOG_LEVEL;
    45. 

  45. 

  46. /************************************ Forwards ********************************/
    47. 

  47. 

  48. static int *getCipherSuite(char *ciphers, int *len);
    49. 

  49. static int  mbedHandshake(Webs *wp);
    50. 

  50. static int  parseCert(mbedtls_x509_crt *cert, char *file);
    51. 

  51. static int  parseCrl(mbedtls_x509_crl *crl, char *path);
    52. 

  52. static int  parseKey(mbedtls_pk_context *key, char *path);
    53. 

  53. static void merror(int rc, char *fmt, ...);
    54. 

  54. static char *replaceHyphen(char *cipher, char from, char to);
    55. 

  55. static void traceMbed(void *context, int level, cchar *file, int line, cchar *str);
    56. 

  56. 

  57. /************************************** Code **********************************/
    58. 

  58. 

  59. PUBLIC int sslOpen()
    60. 

  60. {
    61. 

  61.     mbedtls_ssl_config  *conf;
    62. 

  62.     cuchar              dhm_p[] = MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN;
    63. 

  63.     cuchar              dhm_g[] = MBEDTLS_DHM_RFC3526_MODP_2048_G_BIN;
    64. 

  64.     int                 rc;
    65. 

  65. 

  66.     trace(7, "Initializing MbedTLS SSL"); 
    67. 

  67. 

  68.     mbedtls_entropy_init(&cfg.entropy);
    69. 

  69. 

  70.     conf = &cfg.conf;
    71. 

  71.     mbedtls_ssl_config_init(conf);
    72. 

  72. 

  73.     mbedtls_ssl_conf_dbg(conf, traceMbed, NULL);
    74. 

  74.     if (websGetLogLevel() >= mbedLogLevel) {
    75. 

  75.         mbedtls_debug_set_threshold(websGetLogLevel() - mbedLogLevel);
    76. 

  76.     }
    77. 

  77.     mbedtls_pk_init(&cfg.pkey);
    78. 

  78.     mbedtls_ssl_cache_init(&cfg.cache);
    79. 

  79.     mbedtls_ctr_drbg_init(&cfg.ctr);
    80. 

  80.     mbedtls_x509_crt_init(&cfg.cert);
    81. 

  81.     mbedtls_ssl_ticket_init(&cfg.tickets);
    82. 

  82. 

  83.     if ((rc = mbedtls_ctr_drbg_seed(&cfg.ctr, mbedtls_entropy_func, &cfg.entropy, (cuchar*) ME_NAME, slen(ME_NAME))) < 0) {
    84. 

  84.         merror(rc, "Cannot seed rng");
    85. 

  85.         return -1;
    86. 

  86.     }
    87. 

  87. 

  88.     /*
    89. 

  89.         Set the server certificate and key files
    90. 

  90.      */
    91. 

  91.     if (*ME_GOAHEAD_SSL_KEY) {
    92. 

  92.         /*
    93. 

  93.             Load a decrypted PEM format private key. The last arg is the private key.
    94. 

  94.          */
    95. 

  95.         if (parseKey(&cfg.pkey, ME_GOAHEAD_SSL_KEY) < 0) {
    96. 

  96.             return -1;
    97. 

  97.         }
    98. 

  98.     }
    99. 

  99.     if (*ME_GOAHEAD_SSL_CERTIFICATE) {
    100. 

  100.         /*
    101. 

  101.             Load a PEM format certificate file
    102. 

  102.          */
    103. 

  103.         if (parseCert(&cfg.cert, ME_GOAHEAD_SSL_CERTIFICATE) < 0) {
    104. 

  104.             return -1;
    105. 

  105.         }
    106. 

  106.     }
    107. 

  107.     if (*ME_GOAHEAD_SSL_AUTHORITY) {
    108. 

  108.         if (parseCert(&cfg.ca, ME_GOAHEAD_SSL_AUTHORITY) != 0) {
    109. 

  109.             return -1;
    110. 

  110.         }
    111. 

  111.     }
    112. 

  112.     if (*ME_GOAHEAD_SSL_REVOKE) {
    113. 

  113.         /*
    114. 

  114.             Load a PEM format certificate file
    115. 

  115.          */
    116. 

  116.         if (parseCrl(&cfg.revoke, (char*) ME_GOAHEAD_SSL_REVOKE) != 0) {
    117. 

  117.             return -1;
    118. 

  118.         }
    119. 

  119.     }
    120. 

  120.     if (ME_GOAHEAD_SSL_CIPHERS && *ME_GOAHEAD_SSL_CIPHERS) {
    121. 

  121.         cfg.ciphers = getCipherSuite(ME_GOAHEAD_SSL_CIPHERS, NULL);
    122. 

  122.     }
    123. 

  123. 

  124.     if ((rc = mbedtls_ssl_config_defaults(conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, 
    125. 

  125.             MBEDTLS_SSL_PRESET_DEFAULT)) < 0) {
    126. 

  126.         merror(rc, "Cannot set mbedtls defaults");
    127. 

  127.         return -1;
    128. 

  128.     }
    129. 

  129.     mbedtls_ssl_conf_rng(conf, mbedtls_ctr_drbg_random, &cfg.ctr);
    130. 

  130. 

  131.     /*
    132. 

  132.         Configure larger DH parameters
    133. 

  133.      */
    134. 

  134.     if ((rc = mbedtls_ssl_conf_dh_param_bin(conf, dhm_p, sizeof(dhm_g), dhm_g, sizeof(dhm_g))) < 0) {
    135. 

  135.         merror(rc, "Cannot set DH params");
    136. 

  136.         return -1;
    137. 

  137.     }
    138. 

  138. 

  139.     /*
    140. 

  140.         Set auth mode if peer cert should be verified
    141. 

  141.      */
    142. 

  142. 	mbedtls_ssl_conf_authmode(conf, ME_GOAHEAD_SSL_VERIFY_PEER ? MBEDTLS_SSL_VERIFY_OPTIONAL : MBEDTLS_SSL_VERIFY_NONE);
    143. 

  143. 

  144.     /*
    145. 

  145.         Configure ticket-based sessions
    146. 

  146.      */
    147. 

  147.     if (ME_GOAHEAD_SSL_TICKET) {
    148. 

  148.         if ((rc = mbedtls_ssl_ticket_setup(&cfg.tickets, mbedtls_ctr_drbg_random, &cfg.ctr,
    149. 

  149.                 MBEDTLS_CIPHER_AES_256_GCM, ME_GOAHEAD_SSL_TIMEOUT)) < 0) {
    150. 

  150.             merror(rc, "Cannot setup ticketing sessions");
    151. 

  151.             return -1;
    152. 

  152.         }
    153. 

  153.         mbedtls_ssl_conf_session_tickets_cb(conf, mbedtls_ssl_ticket_write, mbedtls_ssl_ticket_parse, &cfg.tickets);
    154. 

  154.     }
    155. 

  155. 

  156.     /*
    157. 

  157.         Configure server-side session cache
    158. 

  158.      */
    159. 

  159.     if (ME_GOAHEAD_SSL_CACHE) {
    160. 

  160.         mbedtls_ssl_conf_session_cache(conf, &cfg.cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
    161. 

  161.         mbedtls_ssl_cache_set_max_entries(&cfg.cache, ME_GOAHEAD_SSL_CACHE);
    162. 

  162.         mbedtls_ssl_cache_set_timeout(&cfg.cache, ME_GOAHEAD_SSL_TIMEOUT);
    163. 

  163.     }
    164. 

  164. 

  165.     /*
    166. 

  166.         Configure explicit cipher suite selection
    167. 

  167.      */
    168. 

  168.     if (cfg.ciphers) {
    169. 

  169.         mbedtls_ssl_conf_ciphersuites(conf, cfg.ciphers);
    170. 

  170.     }
    171. 

  171. 

  172.     /*
    173. 

  173.         Configure CA certificate bundle and revocation list
    174. 

  174.      */
    175. 

  175.     mbedtls_ssl_conf_ca_chain(conf, *ME_GOAHEAD_SSL_AUTHORITY ? &cfg.ca : NULL, *ME_GOAHEAD_SSL_REVOKE ? &cfg.revoke : NULL);
    176. 

  176. 

  177.     /*
    178. 

  178.         Configure server cert and key
    179. 

  179.      */
    180. 

  180.     if (ME_GOAHEAD_SSL_KEY[0] != '\0' && ME_GOAHEAD_SSL_CERTIFICATE[0] != '\0') {
    181. 

  181.         if ((rc = mbedtls_ssl_conf_own_cert(conf, &cfg.cert, &cfg.pkey)) < 0) {
    182. 

  182.             merror(rc, "Cannot define certificate and private key");
    183. 

  183.             return -1;
    184. 

  184.         }
    185. 

  185.     }
    186. 

  186.     if (websGetLogLevel() >= 5) {
    187. 

  187.         char    cipher[80];
    188. 

  188.         cint    *cp;
    189. 

  189.         trace(5, "mbedtls: Supported Ciphers");
    190. 

  190.         for (cp = mbedtls_ssl_list_ciphersuites(); *cp; cp++) {
    191. 

  191.             scopy(cipher, sizeof(cipher), (char*) mbedtls_ssl_get_ciphersuite_name(*cp));
    192. 

  192.             replaceHyphen(cipher, '-', '_');
    193. 

  193.             trace(5, "mbedtls: %s (0x%04X)", cipher, *cp);
    194. 

  194.         }
    195. 

  195.     }
    196. 

  196.     return 0;
    197. 

  197. }
    198. 

  198. 

  199. 

  200. PUBLIC void sslClose()
    201. 

  201. {
    202. 

  202.     mbedtls_ctr_drbg_free(&cfg.ctr);
    203. 

  203.     mbedtls_pk_free(&cfg.pkey);
    204. 

  204.     mbedtls_x509_crt_free(&cfg.cert);
    205. 

  205.     mbedtls_x509_crt_free(&cfg.ca);
    206. 

  206.     mbedtls_x509_crl_free(&cfg.revoke);
    207. 

  207.     mbedtls_ssl_cache_free(&cfg.cache);
    208. 

  208.     mbedtls_ssl_ticket_free(&cfg.tickets);
    209. 

  209.     mbedtls_ssl_config_free(&cfg.conf);
    210. 

  210.     mbedtls_entropy_free(&cfg.entropy);
    211. 

  211.     wfree(cfg.ciphers);
    212. 

  212. }
    213. 

  213. 

  214. 

  215. PUBLIC int sslUpgrade(Webs *wp)
    216. 

  216. {
    217. 

  217.     MbedSocket          *mb;
    218. 

  218.     WebsSocket          *sp;
    219. 

  219.     mbedtls_ssl_context *ctx;
    220. 

  220. 

  221.     assert(wp);
    222. 

  222.     if ((mb = walloc(sizeof(MbedSocket))) == 0) {
    223. 

  223.         return -1;
    224. 

  224.     }
    225. 

  225.     memset(mb, 0, sizeof(MbedSocket));
    226. 

  226.     wp->ssl = mb;
    227. 

  227.     sp = socketPtr(wp->sid);
    228. 

  228.     ctx = &mb->ctx;
    229. 

  229. 

  230.     mbedtls_ssl_init(ctx);
    231. 

  231.     mbedtls_ssl_setup(ctx, &cfg.conf);
    232. 

  232. 	mbedtls_ssl_set_bio(ctx, &sp->sock, mbedtls_net_send, mbedtls_net_recv, 0);
    233. 

  233. 

  234.     if (mbedHandshake(wp) < 0) {
    235. 

  235.         return -1;
    236. 

  236.     }
    237. 

  237.     return 0;
    238. 

  238. }
    239. 

  239. 

  240. 

  241. PUBLIC void sslFree(Webs *wp)
    242. 

  242. {
    243. 

  243.     MbedSocket  *mb;
    244. 

  244.     WebsSocket  *sp;
    245. 

  245. 

  246.     mb = wp->ssl;
    247. 

  247.     sp = socketPtr(wp->sid);
    248. 

  248.     if (mb) {
    249. 

  249.         if (!(sp->flags & SOCKET_EOF)) {
    250. 

  250.             mbedtls_ssl_close_notify(&mb->ctx);
    251. 

  251.         }
    252. 

  252.         mbedtls_ssl_free(&mb->ctx);
    253. 

  253.         wfree(mb);
    254. 

  254.         wp->ssl = 0;
    255. 

  255.     }
    256. 

  256. }
    257. 

  257. 

  258. 

  259. /*
    260. 

  260.     Initiate or continue SSL handshaking with the peer. This routine does not block.
    261. 

  261.     Return -1 on errors, 0 incomplete and awaiting I/O, 1 if successful
    262. 

  262.  */
    263. 

  263. static int mbedHandshake(Webs *wp)
    264. 

  264. {
    265. 

  265.     WebsSocket  *sp;
    266. 

  266.     MbedSocket  *mb;
    267. 

  267.     int         rc, vrc;
    268. 

  268. 

  269.     mb = (MbedSocket*) wp->ssl;
    270. 

  270.     rc = 0;
    271. 

  271. 

  272.     sp = socketPtr(wp->sid);
    273. 

  273.     sp->flags |= SOCKET_HANDSHAKING;
    274. 

  274. 

  275.     while (mb->ctx.state != MBEDTLS_SSL_HANDSHAKE_OVER && ((rc = mbedtls_ssl_handshake(&mb->ctx)) != 0)) {
    276. 

  276.         if (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE)  {
    277. 

  277.             return 0;
    278. 

  278.         }
    279. 

  279.         break;
    280. 

  280.     }
    281. 

  281.     sp->flags &= ~SOCKET_HANDSHAKING;
    282. 

  282. 

  283.     /*
    284. 

  284.         Analyze the handshake result
    285. 

  285.      */
    286. 

  286.     if (rc < 0) {
    287. 

  287.         if (rc == MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED && 
    288. 

  288.                 (ME_GOAHEAD_SSL_KEY[0] == '\0' || ME_GOAHEAD_SSL_CERTIFICATE[0] == '\0')) {
    289. 

  289.             error("Missing required certificate and key");
    290. 

  290.         } else {
    291. 

  291.             char ebuf[256];
    292. 

  292.             mbedtls_strerror(-rc, ebuf, sizeof(ebuf));
    293. 

  293.             error("%s: error -0x%x", ebuf, -rc);
    294. 

  294.         }
    295. 

  295.         sp->flags |= SOCKET_EOF;
    296. 

  296.         errno = EPROTO;
    297. 

  297.         return -1;
    298. 

  298. 

  299.     } else if ((vrc = mbedtls_ssl_get_verify_result(&mb->ctx)) != 0) {
    300. 

  300.         if (vrc & MBEDTLS_X509_BADCERT_MISSING) {
    301. 

  301.             logmsg(2, "Certificate missing");
    302. 

  302. 

  303.         } else if (vrc & MBEDTLS_X509_BADCERT_EXPIRED) {
    304. 

  304.             logmsg(2, "Certificate expired");
    305. 

  305. 

  306.         } else if (vrc & MBEDTLS_X509_BADCERT_REVOKED) {
    307. 

  307.             logmsg(2, "Certificate revoked");
    308. 

  308. 

  309.         } else if (vrc & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
    310. 

  310.             logmsg(2, "Certificate common name mismatch");
    311. 

  311. 

  312.         } else if (vrc & MBEDTLS_X509_BADCERT_KEY_USAGE || vrc & MBEDTLS_X509_BADCERT_EXT_KEY_USAGE) {
    313. 

  313.             logmsg(2, "Unauthorized key use in certificate");
    314. 

  314. 

  315.         } else if (vrc & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
    316. 

  316.             logmsg(2, "Certificate not trusted");
    317. 

  317.             if (!ME_GOAHEAD_SSL_VERIFY_ISSUER) {
    318. 

  318.                 vrc = 0;
    319. 

  319.             }
    320. 

  320. 

  321.         } else if (vrc & MBEDTLS_X509_BADCERT_SKIP_VERIFY) {
    322. 

  322.             /*
    323. 

  323.                 MBEDTLS_SSL_VERIFY_NONE requested, so ignore error
    324. 

  324.              */
    325. 

  325.             vrc = 0;
    326. 

  326. 

  327.         } else {
    328. 

  328.             if (mb->ctx.client_auth && !*ME_GOAHEAD_SSL_CERTIFICATE) {
    329. 

  329.                 logmsg(2, "Server requires a client certificate");
    330. 

  330. 

  331.             } else if (rc == MBEDTLS_ERR_NET_CONN_RESET) {
    332. 

  332.                 logmsg(2, "Peer disconnected");
    333. 

  333. 

  334.             } else {
    335. 

  335.                 logmsg(2, "Cannot handshake: error -0x%x", -rc);
    336. 

  336.             }
    337. 

  337.         }
    338. 

  338.         if (vrc != 0 && ME_GOAHEAD_SSL_VERIFY_PEER) {
    339. 

  339.             if (mbedtls_ssl_get_peer_cert(&mb->ctx) == 0) {
    340. 

  340.                 logmsg(2, "Peer did not provide a certificate");
    341. 

  341.             }
    342. 

  342.             sp->flags |= SOCKET_EOF;
    343. 

  343.             errno = EPROTO;
    344. 

  344.             return -1;
    345. 

  345.         }
    346. 

  346.     }
    347. 

  347.     return 1;
    348. 

  348. }
    349. 

  349. 

  350. 

  351. PUBLIC ssize sslRead(Webs *wp, void *buf, ssize len)
    352. 

  352. {
    353. 

  353.     WebsSocket      *sp;
    354. 

  354.     MbedSocket      *mb;
    355. 

  355.     int             rc;
    356. 

  356. 

  357.     if (!wp->ssl) {
    358. 

  358.         assert(0);
    359. 

  359.         return -1;
    360. 

  360.     }
    361. 

  361.     mb = (MbedSocket*) wp->ssl;
    362. 

  362.     assert(mb);
    363. 

  363.     sp = socketPtr(wp->sid);
    364. 

  364. 

  365.     if (mb->ctx.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
    366. 

  366.         if ((rc = mbedHandshake(wp)) <= 0) {
    367. 

  367.             return rc;
    368. 

  368.         }
    369. 

  369.     }
    370. 

  370.     while (1) {
    371. 

  371.         rc = mbedtls_ssl_read(&mb->ctx, buf, (int) len);
    372. 

  372.         trace(5, "mbedtls: mbedtls_ssl_read %d", rc);
    373. 

  373.         if (rc < 0) {
    374. 

  374.             if (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE)  {
    375. 

  375.                 rc = 0;
    376. 

  376.                 break;
    377. 

  377.             } else if (rc == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
    378. 

  378.                 trace(5, "mbedtls: connection was closed gracefully");
    379. 

  379.                 sp->flags |= SOCKET_EOF;
    380. 

  380.                 return -1;
    381. 

  381.             } else if (rc == MBEDTLS_ERR_NET_CONN_RESET) {
    382. 

  382.                 trace(5, "mbedtls: connection reset");
    383. 

  383.                 sp->flags |= SOCKET_EOF;
    384. 

  384.                 return -1;
    385. 

  385.             } else {
    386. 

  386.                 trace(4, "mbedtls: read error -0x%", -rc);
    387. 

  387.                 sp->flags |= SOCKET_EOF;
    388. 

  388.                 return -1; 
    389. 

  389.             }
    390. 

  390.         } else if (rc == 0) {
    391. 

  391.             sp->flags |= SOCKET_EOF;
    392. 

  392.             return -1; 
    393. 

  393.         }
    394. 

  394.         break;
    395. 

  395.     }
    396. 

  396.     socketHiddenData(sp, mbedtls_ssl_get_bytes_avail(&mb->ctx), SOCKET_READABLE);
    397. 

  397.     return rc;
    398. 

  398. }
    399. 

  399. 

  400. 

  401. PUBLIC ssize sslWrite(Webs *wp, void *buf, ssize len)
    402. 

  402. {
    403. 

  403.     MbedSocket  *mb;
    404. 

  404.     ssize       totalWritten;
    405. 

  405.     int         rc;
    406. 

  406. 

  407.     if (wp->ssl == 0 || len <= 0) {
    408. 

  408.         assert(0);
    409. 

  409.         return -1;
    410. 

  410.     }
    411. 

  411.     mb = (MbedSocket*) wp->ssl;
    412. 

  412.     if (mb->ctx.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
    413. 

  413.         if ((rc = mbedHandshake(wp)) <= 0) {
    414. 

  414.             return rc;
    415. 

  415.         }
    416. 

  416.     }
    417. 

  417.     totalWritten = 0;
    418. 

  418.     do {
    419. 

  419.         rc = mbedtls_ssl_write(&mb->ctx, (uchar*) buf, (int) len);
    420. 

  420.         trace(7, "mbedtls write: wrote %d of %zd", rc, len);
    421. 

  421.         if (rc <= 0) {
    422. 

  422.             if (rc == MBEDTLS_ERR_SSL_WANT_READ || rc == MBEDTLS_ERR_SSL_WANT_WRITE) {
    423. 

  423.                 socketSetError(EAGAIN);
    424. 

  424.                 return -1;
    425. 

  425.             }
    426. 

  426.             if (rc == MBEDTLS_ERR_NET_CONN_RESET) {
    427. 

  427.                 trace(4, "mbedtls_ssl_write peer closed");
    428. 

  428.                 return -1;
    429. 

  429.             } else {
    430. 

  430.                 trace(4, "mbedtls_ssl_write failed rc %d", rc);
    431. 

  431.                 return -1;
    432. 

  432.             }
    433. 

  433.         } else {
    434. 

  434.             totalWritten += rc;
    435. 

  435.             buf = (void*) ((char*) buf + rc);
    436. 

  436.             len -= rc;
    437. 

  437.         }
    438. 

  438.     } while (len > 0);
    439. 

  439. 

  440.     socketHiddenData(socketPtr(wp->sid), mb->ctx.in_left, SOCKET_WRITABLE);
    441. 

  441.     return totalWritten;
    442. 

  442. }
    443. 

  443. 

  444. 

  445. /*
    446. 

  446.     Convert string of IANA ciphers into a list of cipher codes
    447. 

  447.  */
    448. 

  448. static int *getCipherSuite(char *ciphers, int *len)
    449. 

  449. {
    450. 

  450.     char    *cipher, *next;
    451. 

  451.     cint    *cp;
    452. 

  452.     int     nciphers, i, *result, code;
    453. 

  453. 

  454.     if (!ciphers || *ciphers == 0) {
    455. 

  455.         return 0;
    456. 

  456.     }
    457. 

  457.     for (nciphers = 0, cp = mbedtls_ssl_list_ciphersuites(); cp && *cp; cp++, nciphers++) { }
    458. 

  458.     result = walloc((nciphers + 1) * sizeof(int));
    459. 

  459. 

  460.     next = sclone(ciphers);
    461. 

  461.     for (i = 0; (cipher = stok(next, ":, \t", &next)) != 0; ) {
    462. 

  462.         replaceHyphen(cipher, '_', '-');
    463. 

  463.         if ((code = mbedtls_ssl_get_ciphersuite_id(cipher)) <= 0) {
    464. 

  464.             error("Unsupported cipher \"%s\"", cipher);
    465. 

  465.             continue;
    466. 

  466.         }
    467. 

  467.         result[i++] = code;
    468. 

  468.     }
    469. 

  469.     result[i] = 0;
    470. 

  470.     if (len) {
    471. 

  471.         *len = i;
    472. 

  472.     }
    473. 

  473.     return result;
    474. 

  474. }
    475. 

  475. 

  476. 

  477. static int parseCert(mbedtls_x509_crt *cert, char *path)
    478. 

  478. {
    479. 

  479.     char    *buf;
    480. 

  480.     ssize   len;
    481. 

  481. 

  482.     if ((buf = websReadWholeFile(path)) == 0) {
    483. 

  483.         error("Unable to read certificate %s", path); 
    484. 

  484.         return -1;
    485. 

  485.     }
    486. 

  486.     len = slen(buf);
    487. 

  487.     if (strstr(buf, "-----BEGIN ")) {
    488. 

  488.         /* Looks PEM encoded so count the null in the length */
    489. 

  489.         len++;
    490. 

  490.     }
    491. 

  491.     if (mbedtls_x509_crt_parse(cert, (uchar*) buf, len) != 0) {
    492. 

  492.         memset(buf, 0, len);
    493. 

  493.         error("Unable to parse certificate %s", path); 
    494. 

  494.         return -1;
    495. 

  495.     }
    496. 

  496.     memset(buf, 0, len);
    497. 

  497.     wfree(buf);
    498. 

  498.     return 0;
    499. 

  499. }
    500. 

  500. 

  501. 

  502. static int parseKey(mbedtls_pk_context *key, char *path)
    503. 

  503. {
    504. 

  504.     char    *buf;
    505. 

  505.     ssize   len;
    506. 

  506. 

  507.     if ((buf = websReadWholeFile(path)) == 0) {
    508. 

  508.         error("Unable to read key %s", path); 
    509. 

  509.         return -1;
    510. 

  510.     }
    511. 

  511.     len = slen(buf);
    512. 

  512.     if (strstr(buf, "-----BEGIN ")) {
    513. 

  513.         len++;
    514. 

  514.     }
    515. 

  515.     if (mbedtls_pk_parse_key(key, (uchar*) buf, len, NULL, 0) != 0) {
    516. 

  516.         memset(buf, 0, len);
    517. 

  517.         error("Unable to parse key %s", path); 
    518. 

  518.         return -1;
    519. 

  519.     }
    520. 

  520.     memset(buf, 0, len);
    521. 

  521.     wfree(buf);
    522. 

  522.     return 0;
    523. 

  523. }
    524. 

  524. 

  525. 

  526. static int parseCrl(mbedtls_x509_crl *crl, char *path)
    527. 

  527. {
    528. 

  528.     char    *buf;
    529. 

  529.     ssize   len;
    530. 

  530. 

  531.     if ((buf = websReadWholeFile(path)) == 0) {
    532. 

  532.         error("Unable to read crl %s", path); 
    533. 

  533.         return -1;
    534. 

  534.     }
    535. 

  535.     len = slen(buf);
    536. 

  536.     if (strstr(buf, "-----BEGIN ")) {
    537. 

  537.         len++;
    538. 

  538.     }
    539. 

  539.     if (mbedtls_x509_crl_parse(crl, (uchar*) buf, len) != 0) {
    540. 

  540.         memset(buf, 0, len);
    541. 

  541.         error("Unable to parse crl %s", path); 
    542. 

  542.         return -1;
    543. 

  543.     }
    544. 

  544.     memset(buf, 0, len);
    545. 

  545.     wfree(buf);
    546. 

  546.     return 0;
    547. 

  547. }
    548. 

  548. 

  549. 

  550. static void traceMbed(void *context, int level, cchar *file, int line, cchar *str)
    551. 

  551. {
    552. 

  552.     char    *buf;
    553. 

  553. 

  554.     level += mbedLogLevel;
    555. 

  555.     if (level <= websGetLogLevel()) {
    556. 

  556.         buf = sclone((char*) str);
    557. 

  557.         buf[slen(buf) - 1] = '\0';
    558. 

  558.         trace(level, "%s", buf);
    559. 

  559.         wfree(buf);
    560. 

  560.     }
    561. 

  561. }
    562. 

  562. 

  563. 

  564. static void merror(int rc, char *fmt, ...)
    565. 

  565. {
    566. 

  566.     va_list     ap;
    567. 

  567.     char        ebuf[ME_MAX_BUFFER];
    568. 

  568. 

  569.     va_start(ap, fmt);
    570. 

  570.     mbedtls_strerror(-rc, ebuf, sizeof(ebuf));
    571. 

  571.     error("mbedtls", "mbedtls error: 0x%x %s %s", rc, sfmtv(fmt, ap), ebuf);
    572. 

  572.     va_end(ap);
    573. 

  573. }
    574. 

  574. 

  575. 

  576. static char *replaceHyphen(char *cipher, char from, char to)
    577. 

  577. {
    578. 

  578.     char    *cp;
    579. 

  579. 

  580.     for (cp = cipher; *cp; cp++) {
    581. 

  581.         if (*cp == from) {
    582. 

  582.             *cp = to;
    583. 

  583.         }
    584. 

  584.     }
    585. 

  585.     return cipher;
    586. 

  586. }
    587. 

  587. 

  588. #else
    589. 

  589. void mbedDummy() {}
    590. 

  590. #endif /* ME_COM_MBEDTLS */
    591. 

  591. 

  592. /*
    593. 

  593.     Copyright (c) Embedthis Software. All Rights Reserved.
    594. 

  594.     This software is distributed under commercial and open source licenses.
    595. 

  595.     You may use the Embedthis GoAhead open source license or you may acquire
    596. 

  596.     a commercial license from Embedthis Software. You agree to be fully bound
    597. 

  597.     by the terms of either license. Consult the LICENSE.md distributed with
    598. 

  598.     this software for full details and other copyrights.
    599. 

  599.  */
    600.