Important changes to repositories hosted on mbed.com
Mbed hosted mercurial repositories are deprecated and are due to be permanently deleted in July 2026.
To keep a copy of this software download the repository Zip archive or clone locally using Mercurial.
It is also possible to export all your personal repositories from the account settings page.
Dependents: TYBLE16_simple_data_logger TYBLE16_MP3_Air
tls_sec_prot_lib.c
00001 /* 00002 * Copyright (c) 2019, Arm Limited and affiliates. 00003 * SPDX-License-Identifier: Apache-2.0 00004 * 00005 * Licensed under the Apache License, Version 2.0 (the "License"); 00006 * you may not use this file except in compliance with the License. 00007 * You may obtain a copy of the License at 00008 * 00009 * http://www.apache.org/licenses/LICENSE-2.0 00010 * 00011 * Unless required by applicable law or agreed to in writing, software 00012 * distributed under the License is distributed on an "AS IS" BASIS, 00013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 00014 * See the License for the specific language governing permissions and 00015 * limitations under the License. 00016 */ 00017 00018 #include "nsconfig.h" 00019 00020 #ifdef HAVE_WS 00021 #if !defined(MBEDTLS_CONFIG_FILE) 00022 #include "mbedtls/config.h" 00023 #else 00024 #include MBEDTLS_CONFIG_FILE 00025 #endif 00026 00027 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_X509_CRT_PARSE_C) 00028 #define WS_MBEDTLS_SECURITY_ENABLED 00029 #endif 00030 00031 #include <string.h> 00032 #include <randLIB.h> 00033 #include "ns_types.h" 00034 #include "ns_list.h" 00035 #include "ns_trace.h" 00036 #include "nsdynmemLIB.h" 00037 #include "common_functions.h" 00038 #include "Security/protocols/sec_prot_certs.h" 00039 #include "Security/protocols/tls_sec_prot/tls_sec_prot_lib.h" 00040 00041 #ifdef WS_MBEDTLS_SECURITY_ENABLED 00042 00043 #include "mbedtls/sha256.h" 00044 #include "mbedtls/error.h" 00045 #include "mbedtls/platform.h" 00046 #include "mbedtls/ssl_cookie.h" 00047 #include "mbedtls/entropy.h" 00048 #include "mbedtls/entropy_poll.h" 00049 #include "mbedtls/ctr_drbg.h" 00050 #include "mbedtls/ssl_ciphersuites.h" 00051 #include "mbedtls/debug.h" 00052 #include "mbedtls/oid.h" 00053 00054 #include "mbedtls/ssl_internal.h" 00055 00056 #define TRACE_GROUP "tlsl" 00057 00058 #define TLS_HANDSHAKE_TIMEOUT_MIN 25000 00059 #define TLS_HANDSHAKE_TIMEOUT_MAX 201000 00060 00061 //#define TLS_SEC_PROT_LIB_TLS_DEBUG // Enable mbed TLS debug traces 00062 00063 typedef int tls_sec_prot_lib_crt_verify_cb(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags); 00064 00065 struct tls_security_s { 00066 mbedtls_ssl_config conf; /**< mbed TLS SSL configuration */ 00067 mbedtls_ssl_context ssl; /**< mbed TLS SSL context */ 00068 00069 mbedtls_ctr_drbg_context ctr_drbg; /**< mbed TLS pseudo random number generator context */ 00070 mbedtls_entropy_context entropy; /**< mbed TLS entropy context */ 00071 00072 mbedtls_x509_crt cacert; /**< CA certificate(s) */ 00073 mbedtls_x509_crl *crl; /**< Certificate Revocation List */ 00074 mbedtls_x509_crt owncert; /**< Own certificate(s) */ 00075 mbedtls_pk_context pkey; /**< Private key for own certificate */ 00076 void *handle; /**< Handle provided in callbacks (defined by library user) */ 00077 bool ext_cert_valid : 1; /**< Extended certificate validation enabled */ 00078 tls_sec_prot_lib_crt_verify_cb *crt_verify; /**< Verify function for client/server certificate */ 00079 tls_sec_prot_lib_send *send; /**< Send callback */ 00080 tls_sec_prot_lib_receive *receive; /**< Receive callback */ 00081 tls_sec_prot_lib_export_keys *export_keys; /**< Export keys callback */ 00082 tls_sec_prot_lib_set_timer *set_timer; /**< Set timer callback */ 00083 tls_sec_prot_lib_get_timer *get_timer; /**< Get timer callback */ 00084 }; 00085 00086 static void tls_sec_prot_lib_ssl_set_timer(void *ctx, uint32_t int_ms, uint32_t fin_ms); 00087 static int tls_sec_prot_lib_ssl_get_timer(void *ctx); 00088 static int tls_sec_lib_entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen); 00089 static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len); 00090 static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len); 00091 static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms, 00092 const unsigned char *kb, size_t maclen, size_t keylen, 00093 size_t ivlen, const unsigned char client_random[32], 00094 const unsigned char server_random[32], 00095 mbedtls_tls_prf_types tls_prf_type); 00096 00097 static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags); 00098 static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt); 00099 static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt); 00100 #ifdef HAVE_PAE_AUTH 00101 static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags); 00102 #endif 00103 #ifdef HAVE_PAE_SUPP 00104 static int tls_sec_prot_lib_x509_crt_server_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags); 00105 #endif 00106 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG 00107 static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string); 00108 #endif 00109 #ifdef MBEDTLS_PLATFORM_MEMORY 00110 // Disable for now 00111 //#define TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY 00112 #endif 00113 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY 00114 static void *tls_sec_prot_lib_mem_calloc(size_t count, size_t size); 00115 static void tls_sec_prot_lib_mem_free(void *ptr); 00116 #endif 00117 00118 #if defined(HAVE_PAE_AUTH) && defined(HAVE_PAE_SUPP) 00119 #define is_server_is_set (is_server == true) 00120 #define is_server_is_not_set (is_server == false) 00121 #elif defined(HAVE_PAE_AUTH) 00122 #define is_server_is_set true 00123 #define is_server_is_not_set false 00124 #elif defined(HAVE_PAE_SUPP) 00125 #define is_server_is_set false 00126 #define is_server_is_not_set true 00127 #endif 00128 00129 int8_t tls_sec_prot_lib_init(tls_security_t *sec) 00130 { 00131 const char *pers = "ws_tls"; 00132 00133 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY 00134 mbedtls_platform_set_calloc_free(tls_sec_prot_lib_mem_calloc, tls_sec_prot_lib_mem_free); 00135 #endif 00136 00137 mbedtls_ssl_init(&sec->ssl); 00138 mbedtls_ssl_config_init(&sec->conf); 00139 mbedtls_ctr_drbg_init(&sec->ctr_drbg); 00140 mbedtls_entropy_init(&sec->entropy); 00141 00142 mbedtls_x509_crt_init(&sec->cacert); 00143 00144 mbedtls_x509_crt_init(&sec->owncert); 00145 mbedtls_pk_init(&sec->pkey); 00146 00147 sec->crl = NULL; 00148 00149 if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL, 00150 128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) { 00151 tr_error("Entropy add fail"); 00152 return -1; 00153 } 00154 00155 if ((mbedtls_ctr_drbg_seed(&sec->ctr_drbg, mbedtls_entropy_func, &sec->entropy, 00156 (const unsigned char *) pers, strlen(pers))) != 0) { 00157 tr_error("drbg seed fail"); 00158 return -1; 00159 } 00160 00161 return 0; 00162 } 00163 00164 uint16_t tls_sec_prot_lib_size(void) 00165 { 00166 return sizeof(tls_security_t); 00167 } 00168 00169 void tls_sec_prot_lib_set_cb_register(tls_security_t *sec, void *handle, 00170 tls_sec_prot_lib_send *send, tls_sec_prot_lib_receive *receive, 00171 tls_sec_prot_lib_export_keys *export_keys, tls_sec_prot_lib_set_timer *set_timer, 00172 tls_sec_prot_lib_get_timer *get_timer) 00173 { 00174 if (!sec) { 00175 return; 00176 } 00177 00178 sec->handle = handle; 00179 sec->send = send; 00180 sec->receive = receive; 00181 sec->export_keys = export_keys; 00182 sec->set_timer = set_timer; 00183 sec->get_timer = get_timer; 00184 } 00185 00186 void tls_sec_prot_lib_free(tls_security_t *sec) 00187 { 00188 mbedtls_x509_crt_free(&sec->cacert); 00189 if (sec->crl) { 00190 mbedtls_x509_crl_free(sec->crl); 00191 ns_dyn_mem_free(sec->crl); 00192 } 00193 mbedtls_x509_crt_free(&sec->owncert); 00194 mbedtls_pk_free(&sec->pkey); 00195 mbedtls_entropy_free(&sec->entropy); 00196 mbedtls_ctr_drbg_free(&sec->ctr_drbg); 00197 mbedtls_ssl_config_free(&sec->conf); 00198 mbedtls_ssl_free(&sec->ssl); 00199 } 00200 00201 static int tls_sec_prot_lib_configure_certificates(tls_security_t *sec, const sec_prot_certs_t *certs) 00202 { 00203 if (!certs->own_cert_chain.cert[0]) { 00204 tr_error("no own cert"); 00205 return -1; 00206 } 00207 00208 // Parse own certificate chain 00209 uint8_t index = 0; 00210 while (true) { 00211 uint16_t cert_len; 00212 uint8_t *cert = sec_prot_certs_cert_get(&certs->own_cert_chain, index, &cert_len); 00213 if (!cert) { 00214 if (index == 0) { 00215 tr_error("No own cert"); 00216 return -1; 00217 } 00218 break; 00219 } 00220 if (mbedtls_x509_crt_parse(&sec->owncert, cert, cert_len) < 0) { 00221 tr_error("Own cert parse eror"); 00222 return -1; 00223 } 00224 index++; 00225 } 00226 00227 // Parse private key 00228 uint8_t key_len; 00229 uint8_t *key = sec_prot_certs_priv_key_get(&certs->own_cert_chain, &key_len); 00230 if (!key) { 00231 tr_error("No private key"); 00232 return -1; 00233 } 00234 00235 if (mbedtls_pk_parse_key(&sec->pkey, key, key_len, NULL, 0) < 0) { 00236 tr_error("Private key parse error"); 00237 return -1; 00238 } 00239 00240 // Configure own certificate chain and private key 00241 if (mbedtls_ssl_conf_own_cert(&sec->conf, &sec->owncert, &sec->pkey) != 0) { 00242 tr_error("Own cert and private key conf error"); 00243 return -1; 00244 } 00245 00246 // Parse trusted certificate chains 00247 ns_list_foreach(cert_chain_entry_t, entry, &certs->trusted_cert_chain_list) { 00248 index = 0; 00249 while (true) { 00250 uint16_t cert_len; 00251 uint8_t *cert = sec_prot_certs_cert_get(entry, index, &cert_len); 00252 if (!cert) { 00253 if (index == 0) { 00254 tr_error("No trusted cert"); 00255 return -1; 00256 } 00257 break; 00258 } 00259 if (mbedtls_x509_crt_parse(&sec->cacert, cert, cert_len) < 0) { 00260 tr_error("Trusted cert parse error"); 00261 return -1; 00262 } 00263 index++; 00264 } 00265 } 00266 00267 // Parse certificate revocation lists 00268 ns_list_foreach(cert_revocat_list_entry_t, entry, &certs->cert_revocat_lists) { 00269 uint16_t crl_len; 00270 const uint8_t *crl = sec_prot_certs_revocat_list_get(entry, &crl_len); 00271 if (!crl) { 00272 break; 00273 } 00274 if (!sec->crl) { 00275 sec->crl = ns_dyn_mem_temporary_alloc(sizeof(mbedtls_x509_crl)); 00276 if (!sec->crl) { 00277 tr_error("No memory for CRL"); 00278 return -1; 00279 } 00280 mbedtls_x509_crl_init(sec->crl); 00281 } 00282 00283 if (mbedtls_x509_crl_parse(sec->crl, crl, crl_len) < 0) { 00284 tr_error("CRL parse error"); 00285 return -1; 00286 } 00287 } 00288 00289 // Configure trusted certificates and certificate revocation lists 00290 mbedtls_ssl_conf_ca_chain(&sec->conf, &sec->cacert, sec->crl); 00291 00292 // Certificate verify required on both client and server 00293 mbedtls_ssl_conf_authmode(&sec->conf, MBEDTLS_SSL_VERIFY_REQUIRED); 00294 00295 // Get extended certificate validation setting 00296 sec->ext_cert_valid = sec_prot_certs_ext_certificate_validation_get(certs); 00297 00298 return 0; 00299 } 00300 00301 int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_prot_certs_t *certs) 00302 { 00303 #if !defined(HAVE_PAE_SUPP) || !defined(HAVE_PAE_AUTH) 00304 (void) is_server; 00305 #endif 00306 00307 if (!sec) { 00308 return -1; 00309 } 00310 00311 #ifdef HAVE_PAE_SUPP 00312 if (is_server_is_not_set) { 00313 sec->crt_verify = tls_sec_prot_lib_x509_crt_server_verify; 00314 } 00315 #endif 00316 #ifdef HAVE_PAE_AUTH 00317 if (is_server_is_set) { 00318 sec->crt_verify = tls_sec_prot_lib_x509_crt_idevid_ldevid_verify; 00319 } 00320 #endif 00321 00322 00323 if ((mbedtls_ssl_config_defaults(&sec->conf, 00324 is_server_is_set ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT, 00325 MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) { 00326 tr_error("config defaults fail"); 00327 return -1; 00328 } 00329 00330 // Configure random number generator 00331 mbedtls_ssl_conf_rng(&sec->conf, mbedtls_ctr_drbg_random, &sec->ctr_drbg); 00332 00333 #ifdef MBEDTLS_ECP_RESTARTABLE 00334 // Set ECC calculation maximum operations (affects only client) 00335 mbedtls_ecp_set_max_ops(ECC_CALCULATION_MAX_OPS); 00336 #endif 00337 00338 if ((mbedtls_ssl_setup(&sec->ssl, &sec->conf)) != 0) { 00339 tr_error("ssl setup fail"); 00340 return -1; 00341 } 00342 00343 // Set calbacks 00344 mbedtls_ssl_set_bio(&sec->ssl, sec, tls_sec_prot_lib_ssl_send, tls_sec_prot_lib_ssl_recv, NULL); 00345 mbedtls_ssl_set_timer_cb(&sec->ssl, sec, tls_sec_prot_lib_ssl_set_timer, tls_sec_prot_lib_ssl_get_timer); 00346 00347 // Configure certificates, keys and certificate revocation list 00348 if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) { 00349 tr_error("cert conf fail"); 00350 return -1; 00351 } 00352 00353 // Configure ciphersuites 00354 static const int sec_suites[] = { 00355 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, 00356 0, 00357 0, 00358 0 00359 }; 00360 mbedtls_ssl_conf_ciphersuites(&sec->conf, sec_suites); 00361 00362 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG 00363 mbedtls_ssl_conf_dbg(&sec->conf, tls_sec_prot_lib_debug, sec); 00364 mbedtls_debug_set_threshold(5); 00365 #endif 00366 00367 // Export keys callback 00368 mbedtls_ssl_conf_export_keys_ext_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec); 00369 00370 mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3); 00371 mbedtls_ssl_conf_max_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3); 00372 00373 // Set certificate verify callback 00374 mbedtls_ssl_set_verify(&sec->ssl, tls_sec_prot_lib_x509_crt_verify, sec); 00375 00376 #ifdef MBEDTLS_ECP_RESTARTABLE 00377 if (is_server_is_set) { 00378 // Temporary to enable non blocking ECC */ 00379 sec->ssl.handshake->ecrs_enabled = 1; 00380 } 00381 #endif 00382 00383 return 0; 00384 } 00385 00386 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG 00387 static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string) 00388 { 00389 (void) ctx; 00390 tr_debug("%i %s %i %s", level, file, line, string); 00391 } 00392 #endif 00393 00394 int8_t tls_sec_prot_lib_process(tls_security_t *sec) 00395 { 00396 int ret = -1; 00397 00398 while (ret != MBEDTLS_ERR_SSL_WANT_READ) { 00399 ret = mbedtls_ssl_handshake_step(&sec->ssl); 00400 00401 #if defined(MBEDTLS_ECP_RESTARTABLE) && defined(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) 00402 if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS /* || ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS */) { 00403 return TLS_SEC_PROT_LIB_CALCULATING; 00404 } 00405 #endif 00406 00407 if (ret && (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)) { 00408 return TLS_SEC_PROT_LIB_ERROR; 00409 } 00410 00411 if (sec->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER) { 00412 return TLS_SEC_PROT_LIB_HANDSHAKE_OVER; 00413 } 00414 } 00415 00416 return TLS_SEC_PROT_LIB_CONTINUE; 00417 } 00418 00419 static void tls_sec_prot_lib_ssl_set_timer(void *ctx, uint32_t int_ms, uint32_t fin_ms) 00420 { 00421 tls_security_t *sec = (tls_security_t *)ctx; 00422 sec->set_timer(sec->handle, int_ms, fin_ms); 00423 } 00424 00425 static int tls_sec_prot_lib_ssl_get_timer(void *ctx) 00426 { 00427 tls_security_t *sec = (tls_security_t *)ctx; 00428 return sec->get_timer(sec->handle); 00429 } 00430 00431 static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len) 00432 { 00433 tls_security_t *sec = (tls_security_t *)ctx; 00434 return sec->send(sec->handle, buf, len); 00435 } 00436 00437 static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len) 00438 { 00439 tls_security_t *sec = (tls_security_t *)ctx; 00440 int16_t ret = sec->receive(sec->handle, buf, len); 00441 00442 if (ret == TLS_SEC_PROT_LIB_NO_DATA) { 00443 return MBEDTLS_ERR_SSL_WANT_READ; 00444 } 00445 return ret; 00446 } 00447 00448 static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms, 00449 const unsigned char *kb, size_t maclen, size_t keylen, 00450 size_t ivlen, const unsigned char client_random[32], 00451 const unsigned char server_random[32], 00452 mbedtls_tls_prf_types tls_prf_type) 00453 { 00454 (void) kb; 00455 (void) maclen; 00456 (void) keylen; 00457 (void) ivlen; 00458 00459 tls_security_t *sec = (tls_security_t *)p_expkey; 00460 00461 uint8_t eap_tls_key_material[128]; 00462 uint8_t random[64]; 00463 memcpy(random, client_random, 32); 00464 memcpy(&random[32], server_random, 32); 00465 00466 int ret = mbedtls_ssl_tls_prf(tls_prf_type, ms, 48, "client EAP encryption", 00467 random, 64, eap_tls_key_material, 128); 00468 00469 if (ret != 0) { 00470 tr_error("key material PRF error"); 00471 return 0; 00472 } 00473 00474 sec->export_keys(sec->handle, ms, eap_tls_key_material); 00475 return 0; 00476 } 00477 00478 static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags) 00479 { 00480 tls_security_t *sec = (tls_security_t *) ctx; 00481 00482 /* MD/PK forced by configuration flags and dynamic settings but traced also here 00483 to prevent invalid configurations/certificates */ 00484 if (crt->sig_md != MBEDTLS_MD_SHA256) { 00485 tr_error("Invalid signature md algorithm"); 00486 } 00487 if (crt->sig_pk != MBEDTLS_PK_ECDSA) { 00488 tr_error("Invalid signature pk algorithm"); 00489 } 00490 if (*flags & MBEDTLS_X509_BADCERT_FUTURE) { 00491 tr_info("Certificate time future"); 00492 *flags &= ~MBEDTLS_X509_BADCERT_FUTURE; 00493 } 00494 00495 // Verify client/server certificate of the chain 00496 if (certificate_depth == 0) { 00497 return sec->crt_verify(sec, crt, flags); 00498 } 00499 00500 // No further checks for intermediate and root certificates at the moment 00501 return 0; 00502 } 00503 00504 static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt) 00505 { 00506 mbedtls_asn1_sequence *seq = &crt->subject_alt_names; 00507 int8_t result = -1; 00508 while (seq) { 00509 mbedtls_x509_subject_alternative_name san; 00510 int ret_value = mbedtls_x509_parse_subject_alt_name((mbedtls_x509_buf *)&seq->buf, &san); 00511 if (ret_value == 0 && san.type == MBEDTLS_X509_SAN_OTHER_NAME) { 00512 // id-on-hardwareModuleName must be present (1.3.6.1.5.5.7.8.4) 00513 if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &san.san.other_name.value.hardware_module_name.oid)) { 00514 // Traces hardwareModuleName (1.3.6.1.4.1.<enteprise number>.<model,version,etc.>) 00515 char buffer[30]; 00516 ret_value = mbedtls_oid_get_numeric_string(buffer, sizeof(buffer), &san.san.other_name.value.hardware_module_name.oid); 00517 if (ret_value != MBEDTLS_ERR_OID_BUF_TOO_SMALL) { 00518 tr_info("id-on-hardwareModuleName %s", buffer); 00519 } 00520 // Traces serial number as hex string 00521 mbedtls_x509_buf *val = &san.san.other_name.value.hardware_module_name.val; 00522 if (val->p) { 00523 tr_info("id-on-hardwareModuleName hwSerialNum %s", trace_array(val->p, val->len)); 00524 } 00525 result = 0; 00526 } 00527 } else { 00528 tr_debug("Ignored subject alt name: %i", san.type); 00529 } 00530 seq = seq->next; 00531 } 00532 return result; 00533 } 00534 00535 static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt) 00536 { 00537 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE) 00538 // Extended key usage must be present 00539 if (mbedtls_x509_crt_check_extended_key_usage(crt, MBEDTLS_OID_WISUN_FAN, sizeof(MBEDTLS_OID_WISUN_FAN) - 1) != 0) { 00540 tr_error("invalid extended key usage"); 00541 return -1; // FAIL 00542 } 00543 #endif 00544 return 0; 00545 } 00546 00547 #ifdef HAVE_PAE_AUTH 00548 static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags) 00549 { 00550 // For both IDevID and LDevId both subject alternative name or extended key usage must be valid 00551 if (tls_sec_prot_lib_subject_alternative_name_validate(crt) < 0 || 00552 tls_sec_prot_lib_extended_key_usage_validate(crt) < 0) { 00553 tr_error("invalid cert"); 00554 if (sec->ext_cert_valid) { 00555 *flags |= MBEDTLS_X509_BADCERT_OTHER; 00556 return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; 00557 } 00558 } 00559 return 0; 00560 } 00561 #endif 00562 00563 #ifdef HAVE_PAE_SUPP 00564 static int tls_sec_prot_lib_x509_crt_server_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags) 00565 { 00566 int8_t sane_res = tls_sec_prot_lib_subject_alternative_name_validate(crt); 00567 int8_t ext_key_res = tls_sec_prot_lib_extended_key_usage_validate(crt); 00568 00569 // If either subject alternative name or extended key usage is present 00570 if (sane_res >= 0 || ext_key_res >= 0) { 00571 // Then both subject alternative name and extended key usage must be valid 00572 if (sane_res < 0 || ext_key_res < 0) { 00573 tr_error("invalid cert"); 00574 if (sec->ext_cert_valid) { 00575 *flags |= MBEDTLS_X509_BADCERT_OTHER; 00576 return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; 00577 } 00578 } 00579 } 00580 00581 return 0; 00582 } 00583 #endif 00584 00585 static int tls_sec_lib_entropy_poll(void *ctx, unsigned char *output, size_t len, size_t *olen) 00586 { 00587 (void)ctx; 00588 00589 char *c = (char *)ns_dyn_mem_temporary_alloc(len); 00590 if (!c) { 00591 tr_error("entropy alloca fail"); 00592 return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; 00593 } 00594 memset(c, 0, len); 00595 for (uint16_t i = 0; i < len; i++) { 00596 *(c + i) = (char)randLIB_get_8bit(); 00597 } 00598 memmove(output, c, len); 00599 *olen = len; 00600 00601 ns_dyn_mem_free(c); 00602 return (0); 00603 } 00604 00605 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY 00606 static void *tls_sec_prot_lib_mem_calloc(size_t count, size_t size) 00607 { 00608 void *mem_ptr = ns_dyn_mem_temporary_alloc(count * size); 00609 00610 if (mem_ptr) { 00611 // Calloc should initialize with zero 00612 memset(mem_ptr, 0, count * size); 00613 } 00614 return mem_ptr; 00615 } 00616 00617 static void tls_sec_prot_lib_mem_free(void *ptr) 00618 { 00619 ns_dyn_mem_free(ptr); 00620 } 00621 #endif 00622 00623 #else /* WS_MBEDTLS_SECURITY_ENABLED */ 00624 00625 int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_prot_certs_t *certs) 00626 { 00627 (void)sec; 00628 (void)is_server; 00629 (void)certs; 00630 return 0; 00631 } 00632 00633 void tls_sec_prot_lib_free(tls_security_t *sec) 00634 { 00635 (void)sec; 00636 } 00637 00638 int8_t tls_sec_prot_lib_init(tls_security_t *sec) 00639 { 00640 (void)sec; 00641 return 0; 00642 } 00643 00644 int8_t tls_sec_prot_lib_process(tls_security_t *sec) 00645 { 00646 (void)sec; 00647 return 0; 00648 } 00649 00650 void tls_sec_prot_lib_set_cb_register(tls_security_t *sec, void *handle, 00651 tls_sec_prot_lib_send *send, tls_sec_prot_lib_receive *receive, 00652 tls_sec_prot_lib_export_keys *export_keys, tls_sec_prot_lib_set_timer *set_timer, 00653 tls_sec_prot_lib_get_timer *get_timer) 00654 { 00655 (void)sec; 00656 (void)handle; 00657 (void)send; 00658 (void)receive; 00659 (void)export_keys; 00660 (void)set_timer; 00661 (void)get_timer; 00662 } 00663 00664 uint16_t tls_sec_prot_lib_size(void) 00665 { 00666 return 0; 00667 } 00668 #endif /* WS_MBEDTLS_SECURITY_ENABLED */ 00669 #endif /* HAVE_WS */
Generated on Tue Jul 12 2022 13:55:00 by
