diff --git a/CMake/Modules/FindNF_Networking.cmake b/CMake/Modules/FindNF_Networking.cmake index a706db0bf7..281b6aa87f 100644 --- a/CMake/Modules/FindNF_Networking.cmake +++ b/CMake/Modules/FindNF_Networking.cmake @@ -36,7 +36,7 @@ set(NF_Networking_Security_SRCS ssl.cpp ssl_accept_internal.cpp ssl_add_cert_auth_internal.cpp - ssl_closesocket_internal.cpp + ssl_close_socket_internal.cpp ssl_connect_internal.cpp ssl_decode_private_key_internal.cpp ssl_exit_context_internal.cpp @@ -49,7 +49,6 @@ set(NF_Networking_Security_SRCS ssl_uninitialize_internal.cpp ssl_write_internal.cpp - # ssl_types.cpp ) diff --git a/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp b/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp index 74cdb0af2d..d6ce05bc08 100644 --- a/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp +++ b/src/DeviceInterfaces/System.Net/sys_net_native_System_Net_Security_SslNative.cpp @@ -536,8 +536,6 @@ HRESULT Library_sys_net_native_System_Net_Security_SslNative::InitHelper( CLR_RT password = hbPwd->StringText(); } - SSL_RegisterTimeCallback( Time_GetDateTime ); - if(isServer) { result = (SSL_ServerInit( sslMode, sslVerify, (const char*)sslCert, sslCert == NULL ? 0 : arrCert->m_numOfElements, pk, pk == NULL ? 0 : privateKey->m_numOfElements, password, hal_strlen_s(password), sslContext ) ? 0 : -1); diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/nf_mbedtls_config.h b/src/PAL/COM/sockets/ssl/mbedTLS/nf_mbedtls_config.h index 2e5a81dba3..0b33bb1a7d 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/nf_mbedtls_config.h +++ b/src/PAL/COM/sockets/ssl/mbedTLS/nf_mbedtls_config.h 
@@ -91,7 +91,7 @@ time_t nf_get_unix_epoch(); #define MBEDTLS_SSL_DTLS_HELLO_VERIFY #define MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE #define MBEDTLS_SSL_DTLS_BADMAC_LIMIT -#define MBEDTLS_SSL_EXPORT_KEYS +#define MBEDTLS_SSL_SERVER_NAME_INDICATION #define MBEDTLS_SSL_TRUNCATED_HMAC #define MBEDTLS_X509_CHECK_KEY_USAGE #define MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_accept_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_accept_internal.cpp index f0717d9128..1799c4a5e5 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_accept_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_accept_internal.cpp @@ -6,20 +6,22 @@ #include #include "mbedtls.h" -int ssl_accept_internal( int sd, int sslContextHandle ) +int ssl_accept_internal( + int sd, + int contextHandle ) { mbedTLS_NFContext* context; mbedtls_ssl_context *ssl; int nonblock = 0; int ret = SOCK_SOCKET_ERROR; - // Check sslContextHandle range - if((sslContextHandle >= (int)ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0)) + // Check contextHandle range + if((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0)) { goto error; } - context = (mbedTLS_NFContext*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext; + context = (mbedTLS_NFContext*)g_SSL_Driver.ContextArray[contextHandle].Context; ssl = context->ssl; // sanity check @@ -30,7 +32,6 @@ int ssl_accept_internal( int sd, int sslContextHandle ) // TODO check how to handle server certificates and certificate chain parsing - // if( ( ret = mbedtls_net_bind( context->server_fd, NULL, "4433", MBEDTLS_NET_PROTO_TCP ) ) != 0 ) // { // goto error; diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_add_cert_auth_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_add_cert_auth_internal.cpp index 4933df1384..24afcc7168 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_add_cert_auth_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_add_cert_auth_internal.cpp 
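Review bot: Enabling MBEDTLS_SSL_SERVER_NAME_INDICATION only has an effect on the client side when `mbedtls_ssl_set_hostname()` is called on the ssl context before the handshake; that same call is what makes mbedTLS send the SNI extension and match the peer certificate's CN/SAN against the expected name, so without it neither happens. Nothing in this diff shows that call being added (the body of `ssl_connect_internal`, which receives `szTargetHost`, lies outside its hunks), so please confirm it exists or add it. A one-line comment next to the define would save the next reader the same check: `// SNI and hostname verification both require mbedtls_ssl_set_hostname() on the client context`. Dropping MBEDTLS_SSL_EXPORT_KEYS is fine as long as no export callback was registered, which nothing visible here does.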
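Review bot: `context` is dereferenced in `ssl = context->ssl;` straight after being read from `g_SSL_Driver.ContextArray[contextHandle].Context`, with no NULL check; the range check above only validates the index, and `ssl_exit_context_internal` zeroes a released slot, so a stale or never-initialised handle crashes here instead of failing cleanly. The same unguarded dereference appears in `ssl_read_internal` (`mbedtls_ssl_context *ssl = context->ssl;` right after `SOCKET_DRIVER.GetSocketSslData(sd)`), while `ssl_connect_internal` and `ssl_close_socket_internal` in this same commit do test for NULL. Suggest `if(context == NULL) { goto error; }` before the `ssl = context->ssl;` line, and an equivalent early `return SOCK_SOCKET_ERROR;` in the read path. The body of `ssl_accept_internal` continues past the hunk.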
@@ -6,21 +6,25 @@ #include #include "mbedtls.h" -bool ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ) +bool ssl_add_cert_auth_internal( + int contextHandle, + const char* certificate, + int certLength, + const char* certPassword ) { (void)certPassword; mbedTLS_NFContext* context; - // Check sslContextHandle range - if((sslContextHandle >= (int)ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0)) + // Check contextHandle range + if((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0)) { - return FALSE; + return false; } // Retrieve SSL struct from g_SSL_Driver // sd should already have been created - context = (mbedTLS_NFContext*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext; + context = (mbedTLS_NFContext*)g_SSL_Driver.ContextArray[contextHandle].Context; if (context != NULL) { @@ -32,10 +36,13 @@ bool ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, if( mbedtls_x509_crt_parse(context->x509_crt, (const unsigned char*)certificate, certLength ) == 0) { // add to CA chain - mbedtls_ssl_conf_ca_chain( context->conf, context->x509_crt, NULL ); + mbedtls_ssl_conf_ca_chain( + context->conf, + context->x509_crt, + NULL ); // done - return TRUE; + return true; } } diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_closesocket_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_close_socket_internal.cpp similarity index 55% rename from src/PAL/COM/sockets/ssl/mbedTLS/ssl_closesocket_internal.cpp rename to src/PAL/COM/sockets/ssl/mbedTLS/ssl_close_socket_internal.cpp index f4fa481ae6..053492e178 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_closesocket_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_close_socket_internal.cpp 
@@ -6,21 +6,20 @@
 #include
 #include "mbedtls.h"
-int ssl_closesocket_internal( int sd )
+int ssl_close_socket_internal( int sd )
 {
 mbedTLS_NFContext* context= (mbedTLS_NFContext*)SOCKET_DRIVER.GetSocketSslData(sd);
- mbedtls_ssl_context *ssl = context->ssl;
 // sanity check
- if(ssl == NULL)
+ if(context != NULL)
 {
- return SOCK_SOCKET_ERROR;
- }
+ mbedtls_ssl_context *ssl = context->ssl;
+
+ // be nice and notify the peer that the connection is being closed
+ mbedtls_ssl_close_notify(ssl);
- SOCKET_DRIVER.SetSocketSslData(sd, NULL);
- SOCKET_DRIVER.UnregisterSocket(sd);
-
- mbedtls_ssl_close_notify(ssl);
+ SOCKET_DRIVER.SetSocketSslData(sd, NULL);
+ }
 SOCK_close( sd );
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_connect_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_connect_internal.cpp
index 4103d34479..56112f25c9 100644
--- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_connect_internal.cpp
+++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_connect_internal.cpp
@@ -8,15 +8,18 @@
 #include
 #include "mbedtls.h"
-int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle)
+int ssl_connect_internal(
+ int sd,
+ const char* szTargetHost,
+ int contextHandle)
 {
 mbedTLS_NFContext* context;
 int nonblock = 0;
 int ret = SOCK_SOCKET_ERROR;
- // Check sslContextHandle range
- if((sslContextHandle >= (int)ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0))
+ // Check contextHandle range
+ if((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0))
 {
 goto error;
 }
@@ -24,7 +27,7 @@ int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle)
 // Retrieve SSL struct from g_SSL_Driver
 // sd should already have been created
 // Now do the SSL negotiation
- context = (mbedTLS_NFContext*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
+ context = (mbedTLS_NFContext*)g_SSL_Driver.ContextArray[contextHandle].Context;
 if (context == NULL)
 {
 return false;
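Review bot: The new `if(context != NULL)` branch replaces the old `ssl == NULL` sanity check rather than adding to it, so a context whose ssl member was never set up is now handed to `mbedtls_ssl_close_notify(ssl)` as a NULL pointer; the guard should be `if(context != NULL && context->ssl != NULL)`. The return value of `mbedtls_ssl_close_notify()` is also discarded: on a non-blocking transport it can come back with MBEDTLS_ERR_SSL_WANT_WRITE, meaning the close_notify alert was not actually sent and the peer sees an abrupt close, so the comment should say this is best-effort, e.g. `// best-effort close_notify: the result is ignored, on WANT_WRITE the alert is simply not sent`. `SOCKET_DRIVER.UnregisterSocket(sd)` disappears in this hunk without a replacement; if nothing else unregisters the socket, that bookkeeping is now leaked on every TLS close. The function's return lies outside the hunk.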
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp
index 15e8d44588..d6c45e2a50 100644
--- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp
+++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_exit_context_internal.cpp
@@ -9,32 +9,38 @@
 #include "mbedtls.h"
-bool ssl_exit_context_internal(int sslContextHandle )
+bool ssl_exit_context_internal( int contextHandle )
 {
- mbedTLS_NFContext* context = NULL;
+ mbedTLS_NFContext* context;
- // Check sslContextHandle range
- if((sslContextHandle >= (int)ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0) || (g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext == NULL))
+ // Check contextHandle range
+ if((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0) || (g_SSL_Driver.ContextArray[contextHandle].Context == NULL))
 {
- return FALSE;
+ return false;
 }
- context = (mbedTLS_NFContext*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext;
+ context = (mbedTLS_NFContext*)g_SSL_Driver.ContextArray[contextHandle].Context;
 if (context == NULL)
 {
- return FALSE;
+ return false;
 }
 mbedtls_pk_free(context->pk);
 mbedtls_net_free(context->server_fd);
 mbedtls_ctr_drbg_free( context->ctr_drbg );
 mbedtls_entropy_free( context->entropy );
+ mbedtls_ssl_config_free( context->conf );
+ mbedtls_x509_crt_free(context->x509_crt);
+ mbedtls_ssl_free(context->ssl);
 // zero memory to wipe any security critical info in RAM
 memset(context->ssl, 0, sizeof(mbedtls_ssl_context));
 // free memory
- platform_free(context->pk);
+ if(context->pk != NULL)
+ {
+ platform_free(context->pk);
+ }
 platform_free(context->server_fd);
 platform_free(context->entropy);
 platform_free(context->ctr_drbg);
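Review bot: `mbedtls_ssl_config_free( context->conf )` runs before `mbedtls_ssl_free(context->ssl)`, but an mbedTLS configuration must stay alive for as long as an ssl context set up on it exists, so the two added lines should be swapped: `mbedtls_ssl_free(context->ssl);` then `mbedtls_ssl_config_free( context->conf );`. The `memset(context->ssl, 0, sizeof(mbedtls_ssl_context))` that follows is a dead store immediately before `platform_free(context->ssl)` and a compiler is free to drop it, so it is not a reliable wipe of key material; `mbedtls_ssl_free` already zeroizes the structure, and if an explicit wipe is still wanted it should be `mbedtls_platform_zeroize`, whose comment can say `// platform_zeroize is not elided as dead-store, memset before free may be`. The function continues past the hunk.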
@@ -43,9 +49,9 @@ bool ssl_exit_context_internal(int sslContextHandle ) platform_free(context->ssl); platform_free(context); - NANOCLR_SSL_MEMSET(&g_SSL_Driver.m_sslContextArray[sslContextHandle], 0, sizeof(g_SSL_Driver.m_sslContextArray[sslContextHandle])); + memset(&g_SSL_Driver.ContextArray[contextHandle], 0, sizeof(g_SSL_Driver.ContextArray[contextHandle])); - g_SSL_Driver.m_sslContextCount --; + g_SSL_Driver.ContextCount --; - return TRUE; + return true; } diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic.cpp index dcc92803e6..a272ebb891 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic.cpp @@ -12,7 +12,10 @@ // this one lives in lwIPSocket.cpp extern int errno; -int sslRecv(void *ctx, unsigned char *buf, size_t len) +int sslRecv( + void *ctx, + unsigned char *buf, + size_t len) { (void)buf; (void)len; @@ -31,8 +34,13 @@ int sslRecv(void *ctx, unsigned char *buf, size_t len) return 0; } -// mbed TLS requires a function with this signature, so we are wrapping the call to our debug_printf here -void nf_debug( void *ctx, int level, const char *file, int line, const char *str ) +// mbedTLS requires a function with this signature, so we are wrapping the call to our debug_printf here +void nf_debug( + void *ctx, + int level, + const char *file, + int line, + const char *str ) { (void)level; (void)ctx; @@ -71,7 +79,10 @@ int net_would_block( const mbedtls_net_context *ctx ) return( 0 ); } -int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len ) +int mbedtls_net_recv( + void *ctx, + unsigned char *buf, + size_t len ) { int32_t ret; int32_t fd = ((mbedtls_net_context *) ctx)->fd; 
@@ -106,7 +117,10 @@ int mbedtls_net_recv( void *ctx, unsigned char *buf, size_t len ) return ret; } -int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ) +int mbedtls_net_send( + void *ctx, + const unsigned char *buf, + size_t len ) { int32_t ret; int fd = ((mbedtls_net_context *) ctx)->fd; @@ -141,7 +155,11 @@ int mbedtls_net_send( void *ctx, const unsigned char *buf, size_t len ) return ret; } -int mbedtls_net_recv_timeout( void *ctx, unsigned char *buf, size_t len, uint32_t timeout ) +int mbedtls_net_recv_timeout( + void *ctx, + unsigned char *buf, + size_t len, + uint32_t timeout ) { int ret; struct timeval tv; diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp index 6331aceef1..174684d037 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_generic_init_internal.cpp @@ -18,7 +18,7 @@ bool ssl_generic_init_internal( int privateKeyLength, const char* password, int passwordLength, - int& sslContextHandle, + int& contextHandle, bool isServer ) { (void)sslMode; @@ -26,6 +26,7 @@ bool ssl_generic_init_internal( int sslContexIndex = -1; int authMode = MBEDTLS_SSL_VERIFY_NONE; int endpoint = 0; + int ret = 0; mbedtls_x509_crt* ownCertificate = NULL; @@ -35,9 +36,9 @@ bool ssl_generic_init_internal( /////////////////////// mbedTLS_NFContext* context; - for(uint32_t i=0; ipk = NULL; + } mbedtls_ssl_conf_ca_chain( context->conf, context->x509_crt, NULL ); @@ -256,7 +262,8 @@ bool ssl_generic_init_internal( mbedtls_ssl_conf_dbg( context->conf, nf_debug, stdout ); #endif - if( mbedtls_ssl_setup( context->ssl, context->conf ) != 0 ) + ret = mbedtls_ssl_setup( context->ssl, context->conf ); + if( ret != 0 ) { // ssl_setup_failed goto error; 
@@ -264,14 +271,21 @@ bool ssl_generic_init_internal( ////////////////////////////////////// - g_SSL_Driver.m_sslContextArray[sslContexIndex].SslContext = context; - g_SSL_Driver.m_sslContextCount++; + g_SSL_Driver.ContextArray[sslContexIndex].Context = context; + g_SSL_Driver.ContextCount++; - sslContextHandle = sslContexIndex; + contextHandle = sslContexIndex; - return TRUE; + return true; error: + mbedtls_pk_free(context->pk); + mbedtls_net_free(context->server_fd); + mbedtls_ctr_drbg_free( context->ctr_drbg ); + mbedtls_entropy_free( context->entropy ); + mbedtls_x509_crt_free(context->x509_crt); + mbedtls_ssl_config_free( context->conf ); + mbedtls_ssl_free(context->ssl); // check for any memory allocation that needs to be freed before exiting if(context->ssl != NULL) platform_free(context->ssl); @@ -281,7 +295,16 @@ bool ssl_generic_init_internal( if(context->server_fd != NULL) platform_free(context->server_fd); if(context->x509_crt != NULL) platform_free(context->x509_crt); if(context->pk != NULL) platform_free(context->pk); - if(ownCertificate != NULL) mbedtls_x509_crt_free( ownCertificate ); + + if(ownCertificate != NULL) + { + mbedtls_x509_crt_free( ownCertificate ); + platform_free(ownCertificate); + } + if(context->pk != NULL) + { + platform_free(context); + } - return FALSE; + return false; } diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_initialize_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_initialize_internal.cpp index e952504f53..7450d355bb 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_initialize_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_initialize_internal.cpp @@ -10,7 +10,7 @@ bool ssl_initialize_internal() { - NANOCLR_SSL_MEMSET(&g_SSL_Driver, 0, sizeof(g_SSL_Driver)); + memset(&g_SSL_Driver, 0, sizeof(g_SSL_Driver)); - return TRUE; + return true; } 
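Review bot: The new `if(context->pk != NULL) { platform_free(context); }` at the end of the `error:` path is wrong on both branches: `context->pk` was just released by `if(context->pk != NULL) platform_free(context->pk);` two lines above without being cleared, so the condition reads a freed pointer, and whenever `pk` is NULL the context struct itself is never freed. `context` was already dereferenced on this path, so it is known non-NULL and should simply be `platform_free(context);` unconditionally. Separately, the seven `mbedtls_*_free` calls added right after `error:` are unguarded while every `platform_free` below them is NULL-checked, which suggests these members can be unset when an early `goto error` fires; not all of those functions tolerate NULL (`mbedtls_net_free` and `mbedtls_ssl_config_free` dereference their argument), so the same guards belong on the mbedTLS releases, and the ssl context should be freed before the configuration it references. The function starts outside the first hunk of this file.
```cpp
error:
    // members may still be unset when an early goto lands here, so guard each release
    if(context->pk != NULL) mbedtls_pk_free(context->pk);
    if(context->server_fd != NULL) mbedtls_net_free(context->server_fd);
    if(context->ctr_drbg != NULL) mbedtls_ctr_drbg_free( context->ctr_drbg );
    if(context->entropy != NULL) mbedtls_entropy_free( context->entropy );
    if(context->x509_crt != NULL) mbedtls_x509_crt_free(context->x509_crt);
    // the ssl context references conf: release it before the configuration
    if(context->ssl != NULL) mbedtls_ssl_free(context->ssl);
    if(context->conf != NULL) mbedtls_ssl_config_free( context->conf );
    // … unchanged: NULL-guarded platform_free of each member, ownCertificate release …
    // context was dereferenced above, so it is never NULL here
    platform_free(context);

    return false;
```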
diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_parse_certificate_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_parse_certificate_internal.cpp index e2d748f8ed..8169de41da 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_parse_certificate_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_parse_certificate_internal.cpp @@ -6,7 +6,9 @@ #include "mbedtls.h" -void SSL_GetCertDateTime_internal(DATE_TIME_INFO * dt, mbedtls_x509_time * mt ) +void SSL_GetCertDateTime_internal( + DATE_TIME_INFO * dt, + mbedtls_x509_time * mt ) { dt->year = mt->year; dt->month = mt->mon; @@ -19,7 +21,11 @@ void SSL_GetCertDateTime_internal(DATE_TIME_INFO * dt, mbedtls_x509_time * mt ) dt->tzOffset = 0; } -bool ssl_parse_certificate_internal(void * certificate, size_t size, void* pwd, void* x509CertData) +bool ssl_parse_certificate_internal( + void * certificate, + size_t size, + void* pwd, + void* x509CertData) { (void)pwd; 
@@ -34,17 +40,32 @@ bool ssl_parse_certificate_internal(void * certificate, size_t size, void* pwd, // this call parses certificates in both string and binary formats // // when the formart is a string it has to include the terminator otherwise the parse will fail // ///////////////////////////////////////////////////////////////////////////////////////////////// - ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *)certificate, size); + ret = mbedtls_x509_crt_parse( + &cacert, + (const unsigned char *)certificate, + size); if(ret < 0) { return false; } - mbedtls_x509_dn_gets( x509->Issuer, sizeof(x509->Issuer)-1, &cacert.issuer ); - mbedtls_x509_dn_gets( x509->Subject, sizeof(x509->Subject)-1, &cacert.subject ); - - SSL_GetCertDateTime_internal( &x509->EffectiveDate,&cacert.valid_from ); - SSL_GetCertDateTime_internal( &x509->ExpirationDate,&cacert.valid_to ); + mbedtls_x509_dn_gets( + x509->Issuer, + sizeof(x509->Issuer)-1, + &cacert.issuer ); + + mbedtls_x509_dn_gets( + x509->Subject, + sizeof(x509->Subject)-1, + &cacert.subject ); + + SSL_GetCertDateTime_internal( + &x509->EffectiveDate, + &cacert.valid_from ); + + SSL_GetCertDateTime_internal( + &x509->ExpirationDate, + &cacert.valid_to ); return true; } diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_read_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_read_internal.cpp index ef5f7a1e7b..1d8254b10b 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_read_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_read_internal.cpp @@ -6,7 +6,10 @@ #include #include "mbedtls.h" -int ssl_read_internal( int sd, char* data, size_t size ) +int ssl_read_internal( + int sd, + char* data, + size_t size ) { mbedTLS_NFContext* context= (mbedTLS_NFContext*)SOCKET_DRIVER.GetSocketSslData(sd); mbedtls_ssl_context *ssl = context->ssl; diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_types.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_types.cpp deleted file mode 100644 index 96fa24c365..0000000000 
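Review bot: Neither return in this hunk releases `cacert`: `mbedtls_x509_crt_parse` allocates for the parsed chain, and both `return false;` after a failed parse and the final `return true;` leave it behind, so every certificate parse leaks unless a `mbedtls_x509_crt_free(&cacert)` exists above the hunk, where `cacert` is declared — please confirm, otherwise add `mbedtls_x509_crt_free(&cacert);` before both returns. The results of the two `mbedtls_x509_dn_gets()` calls are also discarded; that function returns a negative error when the DN does not fit in the buffer, so a truncated or empty Issuer/Subject would be reported to managed code as if it were complete, and at minimum the comment should record that, e.g. `// DN truncation is not reported, Issuer/Subject may be incomplete for long names`.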
--- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_types.cpp +++ /dev/null @@ -1,4 +0,0 @@ -// -// Copyright (c) 2018 The nanoFramework project contributors -// See LICENSE file in the project root for full license information. -// diff --git a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_uninitialize_internal.cpp b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_uninitialize_internal.cpp index 696a64b9d6..fe044c2e6d 100644 --- a/src/PAL/COM/sockets/ssl/mbedTLS/ssl_uninitialize_internal.cpp +++ b/src/PAL/COM/sockets/ssl/mbedTLS/ssl_uninitialize_internal.cpp @@ -12,24 +12,17 @@ bool ssl_uninitialize_internal() { - bool result = TRUE; + bool result = true; - for(uint32_t i = 0; i #include "mbedtls.h" -int ssl_write_internal( int sd, const char* data, size_t req_len) +int ssl_write_internal( + int sd, + const char* data, + size_t req_len) { int ret; diff --git a/src/PAL/COM/sockets/ssl/ssl.cpp b/src/PAL/COM/sockets/ssl/ssl.cpp index d03bb1bb1d..84bfa0bd29 100644 --- a/src/PAL/COM/sockets/ssl/ssl.cpp +++ b/src/PAL/COM/sockets/ssl/ssl.cpp @@ -1,5 +1,5 @@ // -// Copyright (c) 2017 The nanoFramework project contributors +// Copyright (c) 2019 The nanoFramework project contributors // Portions Copyright (c) Microsoft Corporation. All rights reserved. // See LICENSE file in the project root for full license information. // @@ -10,8 +10,7 @@ SSL_Driver g_SSL_Driver; // Flag to postpone init until after heap has been cleared // in tinyhal.cpp -static bool s_init_done = false; - +static bool s_InitDone = false; bool SSL_Initialize() { 
@@ -25,28 +24,70 @@ bool SSL_Initialize() bool SSL_Uninitialize() { NATIVE_PROFILE_PAL_COM(); - bool retVal = true; - - retVal = ssl_uninitialize_internal(); - s_init_done = FALSE; + for(uint32_t i = 0; i -//#include -// Keey these in sync with SslProtocols in System.Net +// Keep these in sync with SslProtocols in System.Net /////////////////////////////////////////////////////////////////////////////////// // !!! KEEP IN SYNC WITH System.Net.Security.SslProtocols (in managed code) !!! // 
@@ -36,30 +35,51 @@ enum SslVerification SslVerification_VerifyClientOnce = 8, }; - -// Lifted from Apps.h -#define FORMAT_UNDEF 0 -#define FORMAT_ASN1 1 -#define FORMAT_TEXT 2 -#define FORMAT_PEM 3 -#define FORMAT_NETSCAPE 4 -#define FORMAT_PKCS12 5 -#define FORMAT_SMIME 6 -#define FORMAT_ENGINE 7 -#define FORMAT_IISSGC 8 - -bool ssl_parse_certificate_internal(void* buf, size_t size, void* pwd, void* x509 ); -int ssl_decode_private_key_internal( const unsigned char *key, size_t keyLength, const unsigned char *pwd, size_t pwdLength ); -int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle); -int ssl_accept_internal( int socket, int sslContextHandle ); -int ssl_read_internal( int socket, char* Data, size_t size ); -int ssl_write_internal( int socket, const char* Data, size_t size); -int ssl_closesocket_internal( int sd ); +bool ssl_parse_certificate_internal( + void* buf, + size_t size, + void* pwd, + void* x509 ); +int ssl_decode_private_key_internal( + const unsigned char *key, + size_t keyLength, + const unsigned char *pwd, + size_t pwdLength ); +int ssl_connect_internal( + int sd, + const char* szTargetHost, + int contextHandle); +int ssl_accept_internal( + int socket, + int contextHandle ); +int ssl_read_internal( + int socket, + char* data, + size_t size ); +int ssl_write_internal( + int socket, + const char* data, + size_t size); +int ssl_close_socket_internal( int sd ); int ssl_pending_internal( int sd ); -bool ssl_exit_context_internal(int sslContextHandle ); -bool ssl_generic_init_internal( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle, bool isServer ); +bool ssl_exit_context_internal( int contextHandle ); +bool ssl_generic_init_internal( + int sslMode, + int sslVerify, + const char* certificate, + int certLength, + const uint8_t* privateKey, + int privateKeyLength, + const char* password, + int 
passwordLength, + int& contextHandle, + bool isServer ); bool ssl_initialize_internal(); bool ssl_uninitialize_internal(); -bool ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ); +bool ssl_add_cert_auth_internal( + int contextHandle, + const char* certificate, + int certLength, + const char* certPassword ); -#endif +#endif // SSL_FUNCTIONS_H diff --git a/src/PAL/COM/sockets/ssl/ssl_stubs.cpp b/src/PAL/COM/sockets/ssl/ssl_stubs.cpp index a1b056bf85..1025cc34db 100644 --- a/src/PAL/COM/sockets/ssl/ssl_stubs.cpp +++ b/src/PAL/COM/sockets/ssl/ssl_stubs.cpp @@ -1,5 +1,5 @@ // -// Copyright (c) 2017 The nanoFramework project contributors +// Copyright (c) 2019 The nanoFramework project contributors // Portions Copyright (c) Microsoft Corporation. All rights reserved. // See LICENSE file in the project root for full license information. // 
@@ -29,86 +29,159 @@ __nfweak bool SSL_Uninitialize() return TRUE; } -__nfweak bool SSL_ServerInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ) +__nfweak bool SSL_ServerInit( + int sslMode, + int sslVerify, + const char* certificate, + int certLength, + const uint8_t* privateKey, + int privateKeyLength, + const char* password, + int passwordLength, + int& contextHandle ) { - (void)sslMode; (void)sslVerify; (void)certificate; (void)certLength; (void)privateKey; (void)privateKeyLength; (void)password; (void)passwordLength; (void)sslContextHandle; + (void)sslMode; + (void)sslVerify; + (void)certificate; + (void)certLength; + (void)privateKey; + (void)privateKeyLength; + (void)password; + (void)passwordLength; + (void)contextHandle; + NATIVE_PROFILE_PAL_COM(); + return TRUE; } -__nfweak bool SSL_ClientInit( int sslMode, int sslVerify, const char* certificate, int certLength, const uint8_t* privateKey, int privateKeyLength, const char* password, int passwordLength, int& sslContextHandle ) +__nfweak bool SSL_ClientInit( + int sslMode, + int sslVerify, + const char* certificate, + int certLength, + const uint8_t* privateKey, + int privateKeyLength, + const char* password, + int passwordLength, + int& contextHandle ) { - (void)sslMode; (void)sslVerify; (void)certificate; (void)certLength; (void)privateKey; (void)privateKeyLength; (void)password; (void)passwordLength; (void)sslContextHandle; + (void)sslMode; + (void)sslVerify; + (void)certificate; + (void)certLength; + (void)privateKey; + (void)privateKeyLength; + (void)password; + (void)passwordLength; + (void)contextHandle; + NATIVE_PROFILE_PAL_COM(); + return TRUE; } -__nfweak bool SSL_AddCertificateAuthority( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ) +__nfweak bool SSL_AddCertificateAuthority( + int contextHandle, + const char* 
certificate, + int certLength, + const char* certPassword ) { - (void)sslContextHandle; (void)certificate; (void)certLength; (void)certPassword; + (void)contextHandle; + (void)certificate; + (void)certLength; + (void)certPassword; + NATIVE_PROFILE_PAL_COM(); + return TRUE; } -__nfweak bool SSL_ExitContext( int sslContextHandle ) +__nfweak bool SSL_ExitContext( int contextHandle ) { - (void)sslContextHandle; + (void)contextHandle; + NATIVE_PROFILE_PAL_COM(); + return TRUE; } -__nfweak int SSL_Accept( SOCK_SOCKET socket, int sslContextHandle ) +__nfweak int SSL_Accept( + SOCK_SOCKET socket, + int contextHandle ) { - (void)socket; (void)sslContextHandle; + (void)socket; + (void)contextHandle; + NATIVE_PROFILE_PAL_COM(); + return 0; } -__nfweak int SSL_Connect( SOCK_SOCKET socket, const char* szTargetHost, int sslContextHandle ) +__nfweak int SSL_Connect( + SOCK_SOCKET socket, + const char* szTargetHost, + int contextHandle ) { - (void)socket; (void)szTargetHost; (void)sslContextHandle; + (void)socket; + (void)szTargetHost; + (void)contextHandle; + NATIVE_PROFILE_PAL_COM(); + return 0; } -__nfweak int SSL_Write( SOCK_SOCKET socket, const char* Data, size_t size ) -{ - (void)socket; (void)Data; (void)size; +__nfweak int SSL_Write( + SOCK_SOCKET socket, + const char* data, + size_t size ) +{ + (void)socket; + (void)data; + (void)size; + NATIVE_PROFILE_PAL_COM(); + return 0; } -__nfweak int SSL_Read( SOCK_SOCKET socket, char* Data, size_t size ) +__nfweak int SSL_Read( + SOCK_SOCKET socket, + char* data, + size_t size ) { - (void)socket; (void)Data; (void)size; + (void)socket; + (void)data; + (void)size; + NATIVE_PROFILE_PAL_COM(); + return 0; } __nfweak int SSL_CloseSocket( SOCK_SOCKET socket ) { - (void)socket; - NATIVE_PROFILE_PAL_COM(); - return 0; -} + (void)socket; -__nfweak void SSL_GetTime(DATE_TIME_INFO* pdt) -{ - (void)pdt; NATIVE_PROFILE_PAL_COM(); -} -__nfweak void SSL_RegisterTimeCallback(SSL_DATE_TIME_FUNC pfn) -{ - (void)pfn; - NATIVE_PROFILE_PAL_COM(); + 
return 0; } -__nfweak bool SSL_ParseCertificate( const char* certificate, size_t certLength, const char* password, X509CertData* certData ) +__nfweak bool SSL_ParseCertificate( + const char* certificate, + size_t certLength, + const char* password, + X509CertData* certData ) { - (void)certificate; (void)certLength; (void)password; (void)certData; + (void)certificate; + (void)certLength; + (void)password; + (void)certData; NATIVE_PROFILE_PAL_COM(); + return TRUE; } @@ -131,7 +204,9 @@ __nfweak int SSL_DecodePrivateKey( __nfweak int SSL_DataAvailable( SOCK_SOCKET socket ) { (void)socket; + NATIVE_PROFILE_PAL_COM(); + return 0; } diff --git a/src/PAL/COM/sockets/ssl/ssl_types.h b/src/PAL/COM/sockets/ssl/ssl_types.h index d89a7949e5..53960da5cf 100644 --- a/src/PAL/COM/sockets/ssl/ssl_types.h +++ b/src/PAL/COM/sockets/ssl/ssl_types.h @@ -12,13 +12,4 @@ #define TINYCLR_SSL_STRNCPY(a,b,c) hal_strncpy_s(a,c+1,b,c) #define NANOCLR_SSL_STRNCPY(a,b) hal_strcpy_s(a,hal_strlen_s(b)+1,b) - -// TODO clean up these -// possibly replacing with standard CRT calls -//#define NANOCLR_SSL_FPRINTF hal_fprintf_ssl -#define NANOCLR_SSL_PRINTF debug_printf -#define NANOCLR_SSL_MEMCPY memcpy -#define NANOCLR_SSL_MEMSET memset - - -#endif \ No newline at end of file +#endif // SSL_TYPES_H diff --git a/src/PAL/Include/nanoPAL_Sockets.h b/src/PAL/Include/nanoPAL_Sockets.h index 3f17f37b71..79b4037f67 100644 --- a/src/PAL/Include/nanoPAL_Sockets.h +++ b/src/PAL/Include/nanoPAL_Sockets.h 
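Review bot: The stub bodies keep returning the `TRUE` macro while the mbedTLS implementations in this same commit were switched to the C++ `true`/`false` literals, so `return TRUE;` in SSL_ServerInit, SSL_ClientInit, SSL_AddCertificateAuthority, SSL_ExitContext and SSL_ParseCertificate should become `return true;` for consistency. Worth documenting as well: the weak SSL_ServerInit/SSL_ClientInit stubs report success while leaving `contextHandle` untouched, so a port without a TLS implementation proceeds as if a context had been created; a comment such as `// weak fallback: reports success without creating a context, ports must override this` would make that behaviour explicit to whoever links against it.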
@@ -612,8 +612,6 @@ int SSL_Connect ( int socket, const char* szTargetHost, int sslContextHandle int SSL_Write ( int socket, const char* Data, size_t size ); int SSL_Read ( int socket, char* Data, size_t size ); int SSL_CloseSocket( int socket ); -void SSL_GetTime(DATE_TIME_INFO* pdt); -void SSL_RegisterTimeCallback(SSL_DATE_TIME_FUNC pfn); bool SSL_ParseCertificate( const char* certificate, size_t certLength, const char* password, X509CertData* certData ); int SSL_DecodePrivateKey( const unsigned char *key, size_t keyLength, const unsigned char *password, size_t passwordLength ); int SSL_DataAvailable( int socket ); diff --git a/targets/CMSIS-OS/ChibiOS/ST_STM32F769I_DISCOVERY/mbedtls_config.h b/targets/CMSIS-OS/ChibiOS/ST_STM32F769I_DISCOVERY/mbedtls_config.h index 9877ca778c..344adf5be4 100644 --- a/targets/CMSIS-OS/ChibiOS/ST_STM32F769I_DISCOVERY/mbedtls_config.h +++ b/targets/CMSIS-OS/ChibiOS/ST_STM32F769I_DISCOVERY/mbedtls_config.h @@ -19,7 +19,6 @@ // #define SSL_DEBUG_RET MBEDTLS_SSL_DEBUG_RET // #define MBEDTLS_SSL_ALL_ALERT_MESSAGES -// #define MBEDTLS_SSL_DEBUG_ALL // #define MBEDTLS_VERSION_FEATURES // #define MBEDTLS_CERTS_C // #define MBEDTLS_ERROR_C @@ -47,6 +46,7 @@ // 4 Verbose // #define MBEDTLS_DEBUG_C +// #define MBEDTLS_SSL_DEBUG_ALL // #define MBEDTLS_SSL_ALL_ALERT_MESSAGES // #define MBEDTLS_DEBUG_THRESHOLD 2 diff --git a/targets/TI-SimpleLink/common/ssl_simplelink.cpp b/targets/TI-SimpleLink/common/ssl_simplelink.cpp index 957276cc2e..8b2935dfd1 100644 --- a/targets/TI-SimpleLink/common/ssl_simplelink.cpp +++ b/targets/TI-SimpleLink/common/ssl_simplelink.cpp @@ -23,7 +23,17 @@ extern "C" } // TODO -bool ssl_parse_certificate_internal(void* buf, size_t size, void* pwd, void* x509 ){(void)buf;(void)size;(void)pwd;(void)x509;} +bool ssl_parse_certificate_internal( + void* buf, + size_t size, + void* pwd, + void* x509 ) +{ + (void)buf; + (void)size; + (void)pwd; + (void)x509; +} int ssl_decode_private_key_internal( const unsigned char *key, 
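Review bot: `ssl_parse_certificate_internal` is declared `bool` but its reformatted body has no `return` statement, so control flows off the end of a non-void function — undefined behaviour in C++, and in practice callers that treat the result as a success flag read whatever is left in the return register. The reformatted `ssl_accept_internal` and `ssl_add_cert_auth_internal` in the next hunk of this file have the same gap. Since these are the TODO placeholders, make failure explicit: `return false;` here and in ssl_add_cert_auth_internal, and `return SOCK_SOCKET_ERROR;` in ssl_accept_internal, matching the failure value the mbedTLS accept path initialises `ret` with.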
@@ -39,15 +49,35 @@ int ssl_decode_private_key_internal( return 0; } -int ssl_accept_internal( int socket, int sslContextHandle ){(void)socket;(void)sslContextHandle;} -bool ssl_add_cert_auth_internal( int sslContextHandle, const char* certificate, int certLength, const char* certPassword ){(void)sslContextHandle;(void)certificate;(void)certLength;(void)certPassword;} +int ssl_accept_internal( + int socket, + int contextHandle ) +{ + (void)socket; + (void)contextHandle; +} + +bool ssl_add_cert_auth_internal( + int contextHandle, + const char* certificate, + int certLength, + const char* certPassword ) +{ + (void)contextHandle; + (void)certificate; + (void)certLength; + (void)certPassword; + +} // declared at sockets_simplelink extern int socketErrorCode; extern "C" { -void ssl_rand_seed(const void *seed, int length) +void ssl_rand_seed( + const void *seed, + int length) { (void)seed; (void)length; @@ -70,7 +100,7 @@ bool ssl_generic_init_internal( int privateKeyLength, const char* password, int passwordLength, - int& sslContextHandle, + int& contextHandle, bool isServer ) { (void)password; @@ -91,9 +121,9 @@ bool ssl_generic_init_internal( uint32_t configIndex = 0; /////////////////////// - for(uint32_t i=0; iSecurityAttributes, SLNETSOCK_SEC_ATTRIB_METHOD, (void *)&(securityMethod), sizeof(securityMethod)); if (status < 0) { @@ -175,7 +205,7 @@ bool ssl_generic_init_internal( // // // failed parsing the // // } - // // if( mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) != 0 ) + // // if( mbedtls_tls_conf_own_cert( &conf, &clicert, &pkey ) != 0 ) // // { // // // configuring own certificate failed // // goto error; 
@@ -196,10 +226,10 @@ bool ssl_generic_init_internal( ////////////////////////////////////// // the equivalent of SSL contex in Simple Link is the Security Attribute that we've been building - g_SSL_Driver.m_sslContextArray[sslContexIndex].SslContext = context; - g_SSL_Driver.m_sslContextCount++; + g_SSL_Driver.ContextArray[sslContexIndex].Context = context; + g_SSL_Driver.ContextCount++; - sslContextHandle = sslContexIndex; + contextHandle = sslContexIndex; return true; @@ -219,17 +249,17 @@ bool ssl_generic_init_internal( return false; } -bool ssl_exit_context_internal(int sslContextHandle) +bool ssl_exit_context_internal(int contextHandle) { SlSSL_Context* context = NULL; - // Check sslContextHandle range - if((sslContextHandle >= (int)ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0) || (g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext == NULL)) + // Check contextHandle range + if((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0) || (g_SSL_Driver.ContextArray[contextHandle].Context == NULL)) { return false; } - context = (SlSSL_Context*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext; + context = (SlSSL_Context*)g_SSL_Driver.ContextArray[contextHandle].Context; if (context == NULL) { return false; 
@@ -239,22 +269,25 @@ bool ssl_exit_context_internal(int sslContextHandle) platform_free(context); - memset(&g_SSL_Driver.m_sslContextArray[sslContextHandle], 0, sizeof(g_SSL_Driver.m_sslContextArray[sslContextHandle])); + memset(&g_SSL_Driver.ContextArray[contextHandle], 0, sizeof(g_SSL_Driver.ContextArray[contextHandle])); - g_SSL_Driver.m_sslContextCount --; + g_SSL_Driver.ContextCount --; return true; } -int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle) +int ssl_connect_internal( + int sd, + const char* szTargetHost, + int contextHandle) { SlSSL_Context* context; int32_t status; struct timespec ts; struct tm rtcTime; - // Check sslContextHandle range - if((sslContextHandle >= (int)ARRAYSIZE(g_SSL_Driver.m_sslContextArray)) || (sslContextHandle < 0)) + // Check contextHandle range + if((contextHandle >= (int)ARRAYSIZE(g_SSL_Driver.ContextArray)) || (contextHandle < 0)) { return SOCK_SOCKET_ERROR; }
@@ -262,7 +295,7 @@ int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle) // Retrieve SSL context from g_SSL_Driver // sd should already have been created // Now do the SSL negotiation - context = (SlSSL_Context*)g_SSL_Driver.m_sslContextArray[sslContextHandle].SslContext; + context = (SlSSL_Context*)g_SSL_Driver.ContextArray[contextHandle].Context; if (context == NULL) { return SOCK_SOCKET_ERROR;
@@ -273,7 +306,11 @@ int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle) if(szTargetHost != NULL && szTargetHost[0] != 0) { - status = SlNetSock_secAttribSet(context->SecurityAttributes, SLNETSOCK_SEC_ATTRIB_DOMAIN_NAME, (void *)szTargetHost, hal_strlen_s(szTargetHost)); + status = SlNetSock_secAttribSet( + context->SecurityAttributes, + SLNETSOCK_SEC_ATTRIB_DOMAIN_NAME, + (void *)szTargetHost, + hal_strlen_s(szTargetHost)); if (status < 0) { // hostname_failed 
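Review bot: In the `@@ -273,7 +306,11 @@` hunk the `SLNETSOCK_SEC_ATTRIB_DOMAIN_NAME` attribute is only set when `szTargetHost` is non-NULL and non-empty, so an empty host silently produces a session with no domain name for SimpleLink to match the peer certificate against — assuming that attribute is what drives its hostname check, which is not visible here. If connecting by IP address is the intended use, a comment such as `// no host name given: the peer certificate is not bound to a name` should say so; otherwise the empty case should return `SOCK_SOCKET_ERROR` like the other failures in this function. The `(void *)` cast also strips `const` from the caller's string; if the SimpleLink prototype takes `const void *` the cast can go. The function continues past the hunk.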
@@ -298,18 +335,20 @@ int ssl_connect_internal(int sd, const char* szTargetHost, int sslContextHandle) // tm_year starts in 1970 dateTime.tm_year = rtcTime.tm_year + 1970; - sl_DeviceSet(SL_DEVICE_GENERAL, - SL_DEVICE_GENERAL_DATE_TIME, - sizeof(SlDateTime_t), - (uint8_t *)(&dateTime)); + sl_DeviceSet( + SL_DEVICE_GENERAL, + SL_DEVICE_GENERAL_DATE_TIME, + sizeof(SlDateTime_t), + (uint8_t *)(&dateTime)); // DON'T setup socket for blocking operation // start security context on socket - status = SlNetSock_startSec(context->SocketFd, - context->SecurityAttributes, context->IsServer ? - (SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY | SLNETSOCK_SEC_IS_SERVER) : - (SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY | SLNETSOCK_SEC_BIND_CONTEXT_ONLY)); + status = SlNetSock_startSec( + context->SocketFd, + context->SecurityAttributes, context->IsServer ? + (SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY | SLNETSOCK_SEC_IS_SERVER) : + (SLNETSOCK_SEC_START_SECURITY_SESSION_ONLY | SLNETSOCK_SEC_BIND_CONTEXT_ONLY)); if ( (status < 0) && (status != SLNETERR_ESEC_UNKNOWN_ROOT_CA) &&
@@ -332,11 +371,18 @@ int ssl_pending_internal( int sd ) return 0; } -int ssl_write_internal( int sd, const char* data, size_t req_len) +int ssl_write_internal( + int sd, + const char* data, + size_t req_len) { int32_t status; - socketErrorCode = SlNetSock_send(sd, (const void*)data, req_len, 0); + socketErrorCode = SlNetSock_send( + sd, + (const void*)data, + req_len, + 0); // anything below 0 is considered an error, so we have to report that no bytes were sent if (socketErrorCode < 0) 
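Review bot: The error test after the reformatted `SlNetSock_startSec` call explicitly exempts `SLNETERR_ESEC_UNKNOWN_ROOT_CA`, so a handshake whose chain does not lead to a configured CA is carried on as a success; the condition continues beyond the hunk, so any further exemptions are not visible. Unless this is gated by the verification mode the caller chose, it silently disables trust-chain validation — tie it to that setting, or at minimum add `// deliberately tolerated: caller opted out of CA verification` so the exemption is visibly intentional. The reformatted `sl_DeviceSet(SL_DEVICE_GENERAL, SL_DEVICE_GENERAL_DATE_TIME, ...)` call also discards its return value although the device clock is what certificate validity periods are checked against; assign it to `status` and fail the connect when it is negative. The `dateTime.tm_year = rtcTime.tm_year + 1970;` line above it is only right if `rtcTime` is filled by a non-standard API — a C-library `struct tm` counts years from 1900 — so a comment confirming where `rtcTime` comes from would be worth adding.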
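Review bot: In the `@@ -332,11 +371,18 @@` hunk `ssl_write_internal` treats only a negative `SlNetSock_send` result as an error; a non-negative result smaller than `req_len` (a short send, if SimpleLink follows the usual socket semantics) is not distinguished, and the function's tail in the following hunk returns `req_len` rather than the count actually sent, so the caller will believe its whole buffer went out. Return the real count on the non-error path, i.e. `return socketErrorCode;`, so the caller can retry the remainder. The local `int32_t status;` declared at the top of the function is not used by any visible line; if the tail does not use it either, remove it. The function continues past the hunk.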
@@ -347,32 +393,24 @@ int ssl_write_internal( int sd, const char* data, size_t req_len) return req_len; } -int ssl_read_internal( int sd, char* data, size_t size ) +int ssl_read_internal( + int sd, + char* data, + size_t size ) { - socketErrorCode = SlNetSock_recv(sd, (unsigned char *)(data), size, 0); + socketErrorCode = SlNetSock_recv( + sd, + (unsigned char *)(data), + size, + 0); return socketErrorCode; } -int ssl_closesocket_internal( int sd ) +int ssl_close_socket_internal( int sd ) { // Simple Link takes care of everything for us, just call close socket SOCK_close( sd ); - return 0; -} - -bool ssl_uninitialize_internal() -{ - for(uint32_t i = 0; i