avs_commons 4.10.0

BREAKING CHANGES: - New API for PSK security credentials, unified with avs_crypto_security_info_union_t Features: - Added support for Mbed TLS 3.1 - Added support for using PSK security credentials through hardware security engines - Added API for uploading software-based private keys onto hardware security engines Improvements: - Added a AVS_COMMONS_WITHOUT_TLS macro public for easier checking of (D)TLS support - Stopped using LOG macro in expression context for better compatibility with external logger implementations - Lowered log level of the "scheduler already shut down" as that is not really a fatal condition Bugfixes: - Failure to load DANE credentials if DANE is enforced is now properly a fatal error in OpenSSL backend - Fixed support for PEM-formatted certificates and CRLs in Mbed TLS backend
AVSystem · Apr 8, 2022 · c2ebe62 · c2ebe62
1 parent c90c817
commit c2ebe62
Show file tree

Hide file tree

Showing 264 changed files with 1,457 additions and 732 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,4 +1,4 @@
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -17,7 +17,7 @@
 cmake_minimum_required(VERSION 3.6.0)
 project(avs_commons C)
 
-set(AVS_COMMONS_VERSION "4.9.1")
+set(AVS_COMMONS_VERSION "4.10.0")
 
 ################# DISTRIBUTION #################################################
 
@@ -517,7 +517,7 @@ option(WITH_CUSTOM_TLS "Enable support for custom TLS socket implementation" OFF
 set(AVS_COMMONS_WITH_CUSTOM_TLS ${WITH_CUSTOM_TLS})
 
 cmake_dependent_option(WITH_PSK "Enable pre-shared key support" ON "WITH_OPENSSL OR WITH_MBEDTLS OR WITH_TINYDTLS OR WITH_CUSTOM_TLS" OFF)
-set(AVS_COMMONS_NET_WITH_PSK ${WITH_PSK})
+set(AVS_COMMONS_WITH_AVS_CRYPTO_PSK ${WITH_PSK})
 
 set(WITH_PKI_DEFAULT_VALUE ON)
 if(DEFINED WITH_X509)
@@ -529,8 +529,18 @@ cmake_dependent_option(WITH_PKI "Enable X.509 certificate support" "${WITH_PKI_D
 set(AVS_COMMONS_WITH_AVS_CRYPTO_PKI ${WITH_PKI})
 
 # Hardware security engines
-cmake_dependent_option(WITH_AVS_CRYPTO_ENGINE "Enable hardware-based security engine support" OFF "WITH_OPENSSL OR WITH_MBEDTLS OR WITH_CUSTOM_TLS" OFF)
-set(AVS_COMMONS_WITH_AVS_CRYPTO_ENGINE ${WITH_AVS_CRYPTO_ENGINE})
+set(WITH_AVS_CRYPTO_PKI_ENGINE_DEFAULT_VALUE OFF)
+if(DEFINED WITH_AVS_CRYPTO_ENGINE)
+    message(WARNING "WITH_AVS_CRYPTO_ENGINE is deprecated since avs_commons 4.10. Please use WITH_AVS_CRYPTO_PKI_ENGINE instead.")
+    set(WITH_AVS_CRYPTO_PKI_ENGINE_DEFAULT_VALUE "${WITH_AVS_CRYPTO_ENGINE}")
+endif()
+
+cmake_dependent_option(WITH_AVS_CRYPTO_PKI_ENGINE "Enable hardware-based PKI engine support" "${WITH_AVS_CRYPTO_PKI_ENGINE_DEFAULT_VALUE}"
+                       "WITH_OPENSSL OR WITH_MBEDTLS OR WITH_CUSTOM_TLS;WITH_PKI" OFF)
+set(AVS_COMMONS_WITH_AVS_CRYPTO_PKI_ENGINE ${WITH_AVS_CRYPTO_PKI_ENGINE})
+
+cmake_dependent_option(WITH_AVS_CRYPTO_PSK_ENGINE "Enable hardware-based PSK engine support" OFF "WITH_MBEDTLS OR WITH_CUSTOM_TLS;WITH_PSK" OFF)
+set(AVS_COMMONS_WITH_AVS_CRYPTO_PSK_ENGINE ${WITH_AVS_CRYPTO_PSK_ENGINE})
 
 if(WITH_OPENSSL)
     avs_add_find_routine("find_package(OpenSSL REQUIRED)")

diff --git a/avs_commons-config.cmake.in b/avs_commons-config.cmake.in
@@ -1,4 +1,4 @@
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/avs_commons-version.cmake.in b/avs_commons-version.cmake.in
@@ -1,4 +1,4 @@
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake
@@ -1,4 +1,4 @@
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/cmake/FindTinyDTLS.cmake b/cmake/FindTinyDTLS.cmake
@@ -1,4 +1,4 @@
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/cmake/PosixFeatures.cmake b/cmake/PosixFeatures.cmake
@@ -1,4 +1,4 @@
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/compat/lwip-posix-compat.h b/compat/lwip-posix-compat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/compat/winsock-posix-compat.h b/compat/winsock-posix-compat.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/covconfig b/covconfig
@@ -1,6 +1,6 @@
 #!/bin/sh
 #
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/devconfig b/devconfig
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 #
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/gdb/print-avs-list.py b/gdb/print-avs-list.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/gdb/print-avs-rbtree.py b/gdb/print-avs-rbtree.py
@@ -1,6 +1,6 @@
 # -*- coding: utf-8 -*-
 #
-# Copyright 2021 AVSystem <avsystem@avsystem.com>
+# Copyright 2022 AVSystem <avsystem@avsystem.com>
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

diff --git a/include_public/avsystem/commons/avs_addrinfo.h b/include_public/avsystem/commons/avs_addrinfo.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/include_public/avsystem/commons/avs_aead.h b/include_public/avsystem/commons/avs_aead.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/include_public/avsystem/commons/avs_base64.h b/include_public/avsystem/commons/avs_base64.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/include_public/avsystem/commons/avs_buffer.h b/include_public/avsystem/commons/avs_buffer.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/include_public/avsystem/commons/avs_cleanup.h b/include_public/avsystem/commons/avs_cleanup.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.

diff --git a/include_public/avsystem/commons/avs_commons_config.h.in b/include_public/avsystem/commons/avs_commons_config.h.in
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -292,15 +292,29 @@
  */
 #cmakedefine AVS_COMMONS_WITH_AVS_CRYPTO_PKI
 
+/**
+ * If the TLS backend is either mbed TLS, OpenSSL or TinyDTLS, enables support
+ * of pre-shared key security.
+ *
+ * PSK is the only supported security mode for the TinyDTLS backend, so this
+ * option MUST be enabled to utilize it.
+ *
+ * It also enables support for pre-shared key security in avs_net, if that
+ * module is also enabled.
+ */
+#cmakedefine AVS_COMMONS_WITH_AVS_CRYPTO_PSK
+
 /**
  * Enables usage of Valgrind API to suppress some of the false positives
  * generated by the OpenSSL backend.
  */
 #cmakedefine AVS_COMMONS_WITH_AVS_CRYPTO_VALGRIND
 
 /**
- * Enables high-level support for hardware-based security, i.e. loading,
- * generating and managing keys and certificates via external engines.
+ * Enables high-level support for hardware-based PKI security, i.e. loading,
+ * generating and managing key pairs and certificates via external engines.
+ *
+ * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_PKI to be enabled.
  *
  * An actual implementation is required to use this feature. In the commercial
  * version, you may use one of the default ones (see
@@ -313,6 +327,7 @@
  * - <c>avs_crypto_pki_engine_certificate_store()</c>
  * - <c>avs_crypto_pki_engine_key_gen()</c>
  * - <c>avs_crypto_pki_engine_key_rm()</c>
+ * - <c>avs_crypto_pki_engine_key_store()</c>
  * - When targeting the Mbed TLS backend:
  *   - <c>_avs_crypto_mbedtls_engine_initialize_global_state()</c>
  *   - <c>_avs_crypto_mbedtls_engine_cleanup_global_state()</c>
@@ -326,15 +341,39 @@
  *   - <c>_avs_crypto_openssl_engine_load_crls()</c>
  *   - <c>_avs_crypto_openssl_engine_load_private_key()</c>
  *
- * External engines are NOT supported in the TinyDTLS backend.
+ * External PKI engines are NOT supported in the TinyDTLS backend.
+ */
+#cmakedefine AVS_COMMONS_WITH_AVS_CRYPTO_PKI_ENGINE
+
+/**
+ * Enables high-level support for hardware-based PSK security, i.e. loading
+ * and managing PSK keys and identities via external engine.
+ *
+ * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_PKI to be enabled.
+ *
+ * An actual implementation is required to use this feature. In the commercial
+ * version, you may use the default PSA-based one (see
+ * @ref AVS_COMMONS_WITH_MBEDTLS_PSA_ENGINE) or provide your own.
+ *
+ * The functions that need to be provided in case of a custom implementation:
+ * - <c>avs_crypto_psk_engine_identity_store()</c>
+ * - <c>avs_crypto_psk_engine_identity_rm()</c>
+ * - <c>avs_crypto_psk_engine_key_store()</c>
+ * - <c>avs_crypto_psk_engine_key_rm()</c>
+ * - When targeting the Mbed TLS backend:
+ *   - <c>_avs_crypto_mbedtls_engine_initialize_global_state()</c>
+ *   - <c>_avs_crypto_mbedtls_engine_cleanup_global_state()</c>
+ *   - <c>_avs_crypto_mbedtls_engine_load_psk_key()</c>
+ *
+ * External PSK engines are NOT supported in the OpenSSL and TinyDTLS backend.
  */
-#cmakedefine AVS_COMMONS_WITH_AVS_CRYPTO_ENGINE
+#cmakedefine AVS_COMMONS_WITH_AVS_CRYPTO_PSK_ENGINE
 
 /**
  * Enables the default implementation of avs_crypto engine, based on Mbed TLS
  * and PKCS#11.
  *
- * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_ENGINE to be enabled.
+ * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_PKI_ENGINE to be enabled.
  *
  * NOTE: Query string format for this engine is a subset of the PKCS#11 URI
  * scheme (see RFC 7512), modelled after the format accepted by libp11 OpenSSL
@@ -352,7 +391,8 @@
  * Enables the default implementation of avs_crypto engine, based on Mbed TLS
  * and Platform Security Architecture (PSA).
  *
- * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_ENGINE to be enabled.
+ * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_PKI_ENGINE or
+ * @ref AVS_COMMONS_WITH_AVS_CRYPTO_PSK_ENGINE to be enabled.
  *
  * NOTE: Query string format for this engine is:
  *
@@ -407,7 +447,7 @@
  * Enables the default implementation of avs_crypto engine, based on OpenSSL and
  * PKCS#11.
  *
- * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_ENGINE to be enabled.
+ * Requires @ref AVS_COMMONS_WITH_AVS_CRYPTO_PKI_ENGINE to be enabled.
  *
  * NOTE: Query string format for this engine is a subset of the PKCS#11 URI
  * scheme (see RFC 7512), modelled after the format accepted by libp11 OpenSSL
@@ -557,14 +597,6 @@
  */
 #cmakedefine AVS_COMMONS_NET_WITH_POSIX_AVS_SOCKET
 
-/**
- * If the TLS backend is either mbed TLS or OpenSSL, enables support of
- * pre-shared key security.
- *
- * PSK is the only supported security mode for the TinyDTLS backend.
- */
-#cmakedefine AVS_COMMONS_NET_WITH_PSK
-
 /**
  * Enables support for logging socket communication to file.
  *

diff --git a/include_public/avsystem/commons/avs_condvar.h b/include_public/avsystem/commons/avs_condvar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2021 AVSystem <avsystem@avsystem.com>
+ * Copyright 2022 AVSystem <avsystem@avsystem.com>
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.