espressif/esp-protocols
1
0
Fork 1
mirror of https://github.com/espressif/esp-protocols.git synced 2025-07-29 10:17:30 +02:00
Code Issues Packages Projects Releases Wiki Activity

asio: Use internal ssl context and engine impl

Browse Source 
Implement asio-ssl layer with three classes in asio::ssl::mbedtls:
* context -- replaces SSL_CTX, used mainly as a container to options,
certs, keys
* engine -- replaces SSL, implements the actual mbedtls operations
* bio -- implements openssl BIO specifically tailered to mbedtls and
its asio usage

Further updates:
* asio: Used shared_ptr<> for bio pairs
* asio: Add error checks to mbedtls-bio
* asio: Address potential ssl-context ownership issue
* asio: Address potential bio-engine ownership issue


* Original commit: espressif/esp-idf@d823106aa6
This commit is contained in:
David Cermak
2021-10-14 10:17:24 +02:00
committed by gabsuren
parent abbc8d9c5a
commit f605fdd632
25 changed files with 1014 additions and 321 deletions
Download Patch File Download Diff File Expand all files Collapse all files

113
components/asio/port/mbedtls/include/mbedtls_bio.hpp Normal file
View File

@ -0,0 +1,113 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once
#include "asio/ssl/context_base.hpp"
#include "asio/ssl/context.hpp"
#include "sdkconfig.h"
namespace asio {
namespace ssl {
namespace mbedtls {
class bio {
static constexpr int BIO_SIZE = CONFIG_ASIO_SSL_BIO_SIZE;
static constexpr int BIO_FLAGS_READ = 1;
static constexpr int BIO_FLAGS_WRITE = 2;
public:
int write(const void *buf, int len)
{
if (buf == nullptr || len <= 0) {
// not an error, just empty operation (as in openssl/bio)
return 0;
}
int remaining = size_ - offset_;
if (remaining <= 0) {
flags_ |= BIO_FLAGS_WRITE;
return -1;
}
int len_to_write = len > remaining ? remaining : len;
std::memcpy(&data_[offset_], buf, len_to_write);
offset_ += len_to_write;
dlen_ = offset_;
if (len_to_write == len) {
flags_ &= ~BIO_FLAGS_WRITE;
}
return len_to_write;
}
int read(void *buf, int len)
{
if (buf == nullptr || len <= 0) {
// not an error, just empty operation (as in openssl/bio)
return 0;
}
int remaining = peer_->dlen_ - peer_->roffset_;
if (remaining <= 0) {
flags_ |= BIO_FLAGS_READ;
return -1;
}
int len_to_read = remaining > len ? len : remaining;
std::memcpy(buf, &peer_->data_[peer_->roffset_], len_to_read);
peer_->roffset_ += len_to_read;
if (len_to_read == len) {
flags_ &= ~BIO_FLAGS_READ;
}
if (peer_->offset_) {
// shift data back to the beginning of the buffer
std::memmove(&peer_->data_[0], &peer_->data_[peer_->roffset_], peer_->offset_ - peer_->roffset_);
peer_->offset_ -= peer_->roffset_;
peer_->roffset_ = 0;
peer_->dlen_ = peer_->offset_;
}
return len_to_read;
}
size_t wpending() const
{
return dlen_ - roffset_;
}
size_t ctrl_pending()
{
return peer_->dlen_ - peer_->roffset_;
}
bool should_write() const
{
return flags_ & BIO_FLAGS_WRITE;
}
bool should_read() const
{
return flags_ & BIO_FLAGS_READ;
}
static std::pair<std::shared_ptr<bio>, std::shared_ptr<bio>> new_pair(const char* error_location)
{
auto b1 = std::shared_ptr<bio>(new (std::nothrow) bio);
auto b2 = std::shared_ptr<bio>(new (std::nothrow) bio);
if (b1 == nullptr || b2 == nullptr) {
throw_alloc_failure(error_location);
} else {
b1->peer_ = b2;
b2->peer_ = b1;
}
return std::make_pair(b1, b2);
}
private:
std::array<uint8_t, BIO_SIZE> data_ {};
size_t size_ {BIO_SIZE};
std::shared_ptr<bio> peer_ {nullptr};
int dlen_ {0};
size_t offset_ {0};
size_t roffset_ {0};
size_t flags_ {0};
};
} } } // namespace asio::ssl::mbedtls

105
components/asio/port/mbedtls/include/mbedtls_context.hpp Normal file
View File

@ -0,0 +1,105 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once
#include "asio/ssl/context_base.hpp"
#include "asio/ssl/context.hpp"
namespace asio {
namespace error {
const asio::error_category& get_mbedtls_category();
} // namespace error
namespace ssl {
namespace mbedtls {
void throw_alloc_failure(const char* location);
const char *error_message(int error_code);
enum class container {
CERT, CA_CERT, PRIVKEY
};
template <typename T, typename... Args>
inline T* create(const char * location, Args &&... args)
{
T* t = new (std::nothrow) T(std::forward<Args>(args)...);
if (t == nullptr)
{
throw_alloc_failure(location);
}
return t;
}
class context {
public:
explicit context(context_base::method m): method_(m), options_(0) {}
const unsigned char *data(container c) const
{
switch (c) {
case container::CERT:
return static_cast<const unsigned char *>(cert_chain_.data());
case container::CA_CERT:
return static_cast<const unsigned char *>(ca_cert_.data());
case container::PRIVKEY:
return static_cast<const unsigned char *>(private_key_.data());
}
return nullptr;
}
std::size_t size(container c) const
{
switch (c) {
case container::CERT:
return cert_chain_.size();
case container::CA_CERT:
return ca_cert_.size();
case container::PRIVKEY:
return private_key_.size();
}
return 0;
}
context_base::method method_;
asio::ssl::context::options options_;
const_buffer cert_chain_;
const_buffer private_key_;
const_buffer ca_cert_;
};
/**
* @brief Wrapper class around SSL_CTX so we can easily create
* a shared pointer to the context without throwing the default exception.
* This is useful, as we can use asio::detail::throw_error for allocation errors.
*/
class shared_ctx {
public:
static SSL_CTX *create(const char* location, context_base::method m)
{
auto wrapped = asio::ssl::mbedtls::create<shared_ctx>(location, m);
if (wrapped->ctx_ == nullptr)
{
throw_alloc_failure(location);
}
return wrapped;
}
std::shared_ptr<mbedtls::context> get() const
{
return ctx_;
}
explicit shared_ctx(context_base::method m)
:ctx_(std::shared_ptr<context>(new (std::nothrow) context(m))) { }
private:
std::shared_ptr<mbedtls::context> ctx_;
};
} } } // namespace asio::ssl::mbedtls

294
components/asio/port/mbedtls/include/mbedtls_engine.hpp Normal file
View File

@ -0,0 +1,294 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/certs.h"
#include "mbedtls/esp_debug.h"
#include "esp_log.h"
namespace asio {
namespace ssl {
namespace mbedtls {
const char *error_message(int error_code)
{
static char error_buf[100];
mbedtls_strerror(error_code, error_buf, sizeof(error_buf));
return error_buf;
}
void throw_alloc_failure(const char* location)
{
asio::error_code ec( MBEDTLS_ERR_SSL_ALLOC_FAILED, asio::error::get_mbedtls_category());
asio::detail::throw_error(ec, location);
}
namespace error_codes {
bool is_error(int ret)
{
return ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE;
}
static bool want_write(int ret)
{
return ret == MBEDTLS_ERR_SSL_WANT_WRITE;
}
static bool want_read(int ret)
{
return ret == MBEDTLS_ERR_SSL_WANT_READ;
}
} // namespace error_codes
enum rw_state {
IDLE, READING, WRITING, CLOSED
};
class engine {
public:
explicit engine(std::shared_ptr<context> ctx): ctx_(std::move(ctx)),
bio_(bio::new_pair("mbedtls-engine")), state_(IDLE), verify_mode_(0) {}
void set_verify_mode(asio::ssl::verify_mode mode)
{
verify_mode_ = mode;
}
bio* ext_bio() const
{
return bio_.second.get();
}
rw_state get_state() const
{
return state_;
}
int shutdown()
{
int ret = mbedtls_ssl_close_notify(&impl_.ssl_);
if (ret) {
impl::print_error("mbedtls_ssl_close_notify", ret);
}
state_ = CLOSED;
return ret;
}
int connect()
{
return handshake(true);
}
int accept()
{
return handshake(false);
}
int write(const void *buffer, int len)
{
int ret = impl_.write(buffer, len);
state_ = ret == len ? IDLE: WRITING;
return ret;
}
int read(void *buffer, int len)
{
int ret = impl_.read(buffer, len);
state_ = ret == len ? IDLE: READING;
return ret;
}
private:
int handshake(bool is_client_not_server)
{
if (impl_.before_handshake()) {
impl_.configure(ctx_.get(), is_client_not_server, impl_verify_mode(is_client_not_server));
}
return do_handshake();
}
static int bio_read(void *ctx, unsigned char *buf, size_t len)
{
auto bio = static_cast<BIO*>(ctx);
int read = bio->read(buf, len);
if (read <= 0 && bio->should_read()) {
return MBEDTLS_ERR_SSL_WANT_READ;
}
return read;
}
static int bio_write(void *ctx, const unsigned char *buf, size_t len)
{
auto bio = static_cast<BIO*>(ctx);
int written = bio->write(buf, len);
if (written <= 0 && bio->should_write()) {
return MBEDTLS_ERR_SSL_WANT_WRITE;
}
return written;
}
int do_handshake()
{
int ret = 0;
mbedtls_ssl_set_bio(&impl_.ssl_, bio_.first.get(), bio_write, bio_read, nullptr);
while (impl_.ssl_.state != MBEDTLS_SSL_HANDSHAKE_OVER) {
ret = mbedtls_ssl_handshake_step(&impl_.ssl_);
if (ret != 0) {
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
impl::print_error("mbedtls_ssl_handshake_step", ret);
}
if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
state_ = READING;
} else if (ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
state_ = WRITING;
}
break;
}
}
return ret;
}
// Converts OpenSSL verification mode to mbedtls enum
int impl_verify_mode(bool is_client_not_server) const
{
int mode = MBEDTLS_SSL_VERIFY_UNSET;
if (is_client_not_server) {
if (verify_mode_ & SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (verify_mode_ == SSL_VERIFY_NONE)
mode = MBEDTLS_SSL_VERIFY_NONE;
} else {
if (verify_mode_ & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (verify_mode_ & SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (verify_mode_ == SSL_VERIFY_NONE)
mode = MBEDTLS_SSL_VERIFY_NONE;
}
return mode;
}
struct impl {
static void print_error(const char* function, int error_code)
{
constexpr const char *TAG="mbedtls-engine-impl";
ESP_LOGE(TAG, "%s() returned -0x%04X", function, -error_code);
ESP_LOGI(TAG, "-0x%04X: %s", -error_code, error_message(error_code));
}
bool before_handshake() const
{
return ssl_.state == 0;
}
int write(const void *buffer, int len)
{
int ret = mbedtls_ssl_write(&ssl_, static_cast<const unsigned char *>(buffer), len);
if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
print_error("mbedtls_ssl_write", ret);
}
return ret;
}
int read(void *buffer, int len)
{
int ret = mbedtls_ssl_read(&ssl_, static_cast<unsigned char *>(buffer), len);
if (ret < 0 && ret != MBEDTLS_ERR_SSL_WANT_READ) {
print_error("mbedtls_ssl_read", ret);
}
return ret;
}
impl()
{
const unsigned char pers[] = "asio ssl";
mbedtls_ssl_init(&ssl_);
mbedtls_ssl_config_init(&conf_);
mbedtls_ctr_drbg_init(&ctr_drbg_);
#ifdef CONFIG_MBEDTLS_DEBUG
mbedtls_esp_enable_debug_log(&conf_, CONFIG_MBEDTLS_DEBUG_LEVEL);
#endif
mbedtls_entropy_init(&entropy_);
mbedtls_ctr_drbg_seed(&ctr_drbg_, mbedtls_entropy_func, &entropy_, pers, sizeof(pers));
mbedtls_x509_crt_init(&public_cert_);
mbedtls_pk_init(&pk_key_);
mbedtls_x509_crt_init(&ca_cert_);
}
bool configure(context *ctx, bool is_client_not_server, int mbedtls_verify_mode)
{
mbedtls_x509_crt_init(&public_cert_);
mbedtls_pk_init(&pk_key_);
mbedtls_x509_crt_init(&ca_cert_);
int ret = mbedtls_ssl_config_defaults(&conf_, is_client_not_server ? MBEDTLS_SSL_IS_CLIENT: MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret) {
print_error("mbedtls_ssl_config_defaults", ret);
return false;
}
mbedtls_ssl_conf_rng(&conf_, mbedtls_ctr_drbg_random, &ctr_drbg_);
mbedtls_ssl_conf_authmode(&conf_, mbedtls_verify_mode);
if (ctx->cert_chain_.size() > 0 && ctx->private_key_.size() > 0) {
ret = mbedtls_x509_crt_parse(&public_cert_, ctx->data(container::CERT), ctx->size(container::CERT));
if (ret < 0) {
print_error("mbedtls_x509_crt_parse", ret);
return false;
}
ret = mbedtls_pk_parse_key(&pk_key_, ctx->data(container::PRIVKEY), ctx->size(container::PRIVKEY),
nullptr, 0);
if (ret < 0) {
print_error("mbedtls_pk_parse_keyfile", ret);
return false;
}
ret = mbedtls_ssl_conf_own_cert(&conf_, &public_cert_, &pk_key_);
if (ret) {
print_error("mbedtls_ssl_conf_own_cert", ret);
return false;
}
}
if (ctx->ca_cert_.size() > 0) {
ret = mbedtls_x509_crt_parse(&ca_cert_, ctx->data(container::CA_CERT), ctx->size(container::CA_CERT));
if (ret < 0) {
print_error("mbedtls_x509_crt_parse", ret);
return false;
}
mbedtls_ssl_conf_ca_chain(&conf_, &ca_cert_, nullptr);
} else {
mbedtls_ssl_conf_ca_chain(&conf_, nullptr, nullptr);
}
ret = mbedtls_ssl_setup(&ssl_, &conf_);
if (ret) {
print_error("mbedtls_ssl_setup", ret);
return false;
}
return true;
}
mbedtls_ssl_context ssl_{};
mbedtls_entropy_context entropy_{};
mbedtls_ctr_drbg_context ctr_drbg_{};
mbedtls_ssl_config conf_{};
mbedtls_x509_crt public_cert_{};
mbedtls_pk_context pk_key_{};
mbedtls_x509_crt ca_cert_{};
};
impl impl_{};
std::shared_ptr<context> ctx_;
std::pair<std::shared_ptr<bio>, std::shared_ptr<bio>> bio_;
enum rw_state state_;
asio::ssl::verify_mode verify_mode_;
};
} } } // namespace asio::ssl::mbedtls

55
components/asio/port/mbedtls/include/mbedtls_error.hpp Normal file
View File

@ -0,0 +1,55 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once
#include "asio/detail/config.hpp"
#include "asio/ssl/error.hpp"
#include "asio/ssl/detail/openssl_init.hpp"
#include "mbedtls_context.hpp"
namespace asio {
namespace error {
namespace detail {
class mbedtls_category : public asio::error_category
{
public:
const char* name() const ASIO_ERROR_CATEGORY_NOEXCEPT
{
return "asio.ssl";
}
std::string message(int value) const
{
const char* s = asio::ssl::mbedtls::error_message(value);
return s ? s : "asio.mbedtls error";
}
};
} // namespace detail
const asio::error_category& get_mbedtls_category()
{
static detail::mbedtls_category instance;
return instance;
}
const asio::error_category& get_ssl_category()
{
return asio::error::get_mbedtls_category();
}
} // namespace error
namespace ssl {
namespace error {
const asio::error_category& get_stream_category()
{
return asio::error::get_mbedtls_category();
}
} } } // namespace asio::ssl::error

6
components/asio/port/mbedtls/include/openssl/conf.h Normal file
View File

@ -0,0 +1,6 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once

6
components/asio/port/mbedtls/include/openssl/dh.h Normal file
View File

@ -0,0 +1,6 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once

6
components/asio/port/mbedtls/include/openssl/err.h Normal file
View File

@ -0,0 +1,6 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once

6
components/asio/port/mbedtls/include/openssl/rsa.h Normal file
View File

@ -0,0 +1,6 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once

8
components/asio/port/mbedtls/include/openssl/ssl.h Normal file
View File

@ -0,0 +1,8 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once
#include "openssl_stub.hpp"

6
components/asio/port/mbedtls/include/openssl/x509v3.h Normal file
View File

@ -0,0 +1,6 @@
//
// SPDX-FileCopyrightText: 2021 Espressif Systems (Shanghai) CO LTD
//
// SPDX-License-Identifier: BSL-1.0
//
#pragma once