Kenji Arai / mbed-os_TYBLE16

Dependents:   TYBLE16_simple_data_logger TYBLE16_MP3_Air

Embed: (wiki syntax)

« Back to documentation index

Show/hide line numbers tls_sec_prot_lib.c Source File

tls_sec_prot_lib.c

00001 /*
00002  * Copyright (c) 2019, Arm Limited and affiliates.
00003  * SPDX-License-Identifier: Apache-2.0
00004  *
00005  * Licensed under the Apache License, Version 2.0 (the "License");
00006  * you may not use this file except in compliance with the License.
00007  * You may obtain a copy of the License at
00008  *
00009  *     http://www.apache.org/licenses/LICENSE-2.0
00010  *
00011  * Unless required by applicable law or agreed to in writing, software
00012  * distributed under the License is distributed on an "AS IS" BASIS,
00013  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
00014  * See the License for the specific language governing permissions and
00015  * limitations under the License.
00016  */
00017 
00018 #include "nsconfig.h"
00019 
00020 #ifdef HAVE_WS
00021 #if !defined(MBEDTLS_CONFIG_FILE)
00022 #include "mbedtls/config.h"
00023 #else
00024 #include MBEDTLS_CONFIG_FILE
00025 #endif
00026 
00027 #if defined(MBEDTLS_SSL_TLS_C) && defined(MBEDTLS_X509_CRT_PARSE_C)
00028 #define WS_MBEDTLS_SECURITY_ENABLED
00029 #endif
00030 
00031 #include <string.h>
00032 #include <randLIB.h>
00033 #include "ns_types.h"
00034 #include "ns_list.h"
00035 #include "ns_trace.h"
00036 #include "nsdynmemLIB.h"
00037 #include "common_functions.h"
00038 #include "Security/protocols/sec_prot_certs.h"
00039 #include "Security/protocols/tls_sec_prot/tls_sec_prot_lib.h"
00040 
00041 #ifdef WS_MBEDTLS_SECURITY_ENABLED
00042 
00043 #include "mbedtls/sha256.h"
00044 #include "mbedtls/error.h"
00045 #include "mbedtls/platform.h"
00046 #include "mbedtls/ssl_cookie.h"
00047 #include "mbedtls/entropy.h"
00048 #include "mbedtls/entropy_poll.h"
00049 #include "mbedtls/ctr_drbg.h"
00050 #include "mbedtls/ssl_ciphersuites.h"
00051 #include "mbedtls/debug.h"
00052 #include "mbedtls/oid.h"
00053 
00054 #include "mbedtls/ssl_internal.h"
00055 
00056 #define TRACE_GROUP "tlsl"
00057 
00058 #define TLS_HANDSHAKE_TIMEOUT_MIN 25000
00059 #define TLS_HANDSHAKE_TIMEOUT_MAX 201000
00060 
00061 //#define TLS_SEC_PROT_LIB_TLS_DEBUG       // Enable mbed TLS debug traces
00062 
00063 typedef int tls_sec_prot_lib_crt_verify_cb(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags);
00064 
00065 struct tls_security_s {
00066     mbedtls_ssl_config             conf;                 /**< mbed TLS SSL configuration */
00067     mbedtls_ssl_context            ssl;                  /**< mbed TLS SSL context */
00068 
00069     mbedtls_ctr_drbg_context       ctr_drbg;             /**< mbed TLS pseudo random number generator context */
00070     mbedtls_entropy_context        entropy;              /**< mbed TLS entropy context */
00071 
00072     mbedtls_x509_crt               cacert;               /**< CA certificate(s) */
00073     mbedtls_x509_crl               *crl;                 /**< Certificate Revocation List */
00074     mbedtls_x509_crt               owncert;              /**< Own certificate(s) */
00075     mbedtls_pk_context             pkey;                 /**< Private key for own certificate */
00076     void                           *handle;              /**< Handle provided in callbacks (defined by library user) */
00077     bool                           ext_cert_valid : 1;   /**< Extended certificate validation enabled */
00078     tls_sec_prot_lib_crt_verify_cb *crt_verify;          /**< Verify function for client/server certificate */
00079     tls_sec_prot_lib_send          *send;                /**< Send callback */
00080     tls_sec_prot_lib_receive       *receive;             /**< Receive callback */
00081     tls_sec_prot_lib_export_keys   *export_keys;         /**< Export keys callback */
00082     tls_sec_prot_lib_set_timer     *set_timer;           /**< Set timer callback */
00083     tls_sec_prot_lib_get_timer     *get_timer;           /**< Get timer callback */
00084 };
00085 
00086 static void tls_sec_prot_lib_ssl_set_timer(void *ctx, uint32_t int_ms, uint32_t fin_ms);
00087 static int tls_sec_prot_lib_ssl_get_timer(void *ctx);
00088 static int tls_sec_lib_entropy_poll(void *data, unsigned char *output, size_t len, size_t *olen);
00089 static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len);
00090 static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len);
00091 static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms,
00092                                             const unsigned char *kb, size_t maclen, size_t keylen,
00093                                             size_t ivlen, const unsigned char client_random[32],
00094                                             const unsigned char server_random[32],
00095                                             mbedtls_tls_prf_types tls_prf_type);
00096 
00097 static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags);
00098 static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt);
00099 static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt);
00100 #ifdef HAVE_PAE_AUTH
00101 static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags);
00102 #endif
00103 #ifdef HAVE_PAE_SUPP
00104 static int tls_sec_prot_lib_x509_crt_server_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags);
00105 #endif
00106 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
00107 static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string);
00108 #endif
00109 #ifdef MBEDTLS_PLATFORM_MEMORY
00110 // Disable for now
00111 //#define TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY
00112 #endif
00113 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY
00114 static void *tls_sec_prot_lib_mem_calloc(size_t count, size_t size);
00115 static void tls_sec_prot_lib_mem_free(void *ptr);
00116 #endif
00117 
00118 #if defined(HAVE_PAE_AUTH) && defined(HAVE_PAE_SUPP)
00119 #define is_server_is_set (is_server == true)
00120 #define is_server_is_not_set (is_server == false)
00121 #elif defined(HAVE_PAE_AUTH)
00122 #define is_server_is_set true
00123 #define is_server_is_not_set false
00124 #elif defined(HAVE_PAE_SUPP)
00125 #define is_server_is_set false
00126 #define is_server_is_not_set true
00127 #endif
00128 
00129 int8_t tls_sec_prot_lib_init(tls_security_t *sec)
00130 {
00131     const char *pers = "ws_tls";
00132 
00133 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY
00134     mbedtls_platform_set_calloc_free(tls_sec_prot_lib_mem_calloc, tls_sec_prot_lib_mem_free);
00135 #endif
00136 
00137     mbedtls_ssl_init(&sec->ssl);
00138     mbedtls_ssl_config_init(&sec->conf);
00139     mbedtls_ctr_drbg_init(&sec->ctr_drbg);
00140     mbedtls_entropy_init(&sec->entropy);
00141 
00142     mbedtls_x509_crt_init(&sec->cacert);
00143 
00144     mbedtls_x509_crt_init(&sec->owncert);
00145     mbedtls_pk_init(&sec->pkey);
00146 
00147     sec->crl = NULL;
00148 
00149     if (mbedtls_entropy_add_source(&sec->entropy, tls_sec_lib_entropy_poll, NULL,
00150                                    128, MBEDTLS_ENTROPY_SOURCE_WEAK) < 0) {
00151         tr_error("Entropy add fail");
00152         return -1;
00153     }
00154 
00155     if ((mbedtls_ctr_drbg_seed(&sec->ctr_drbg, mbedtls_entropy_func, &sec->entropy,
00156                                (const unsigned char *) pers, strlen(pers))) != 0) {
00157         tr_error("drbg seed fail");
00158         return -1;
00159     }
00160 
00161     return 0;
00162 }
00163 
00164 uint16_t tls_sec_prot_lib_size(void)
00165 {
00166     return sizeof(tls_security_t);
00167 }
00168 
00169 void tls_sec_prot_lib_set_cb_register(tls_security_t *sec, void *handle,
00170                                       tls_sec_prot_lib_send *send, tls_sec_prot_lib_receive *receive,
00171                                       tls_sec_prot_lib_export_keys *export_keys, tls_sec_prot_lib_set_timer *set_timer,
00172                                       tls_sec_prot_lib_get_timer *get_timer)
00173 {
00174     if (!sec) {
00175         return;
00176     }
00177 
00178     sec->handle = handle;
00179     sec->send = send;
00180     sec->receive = receive;
00181     sec->export_keys = export_keys;
00182     sec->set_timer = set_timer;
00183     sec->get_timer = get_timer;
00184 }
00185 
00186 void tls_sec_prot_lib_free(tls_security_t *sec)
00187 {
00188     mbedtls_x509_crt_free(&sec->cacert);
00189     if (sec->crl) {
00190         mbedtls_x509_crl_free(sec->crl);
00191         ns_dyn_mem_free(sec->crl);
00192     }
00193     mbedtls_x509_crt_free(&sec->owncert);
00194     mbedtls_pk_free(&sec->pkey);
00195     mbedtls_entropy_free(&sec->entropy);
00196     mbedtls_ctr_drbg_free(&sec->ctr_drbg);
00197     mbedtls_ssl_config_free(&sec->conf);
00198     mbedtls_ssl_free(&sec->ssl);
00199 }
00200 
00201 static int tls_sec_prot_lib_configure_certificates(tls_security_t *sec, const sec_prot_certs_t *certs)
00202 {
00203     if (!certs->own_cert_chain.cert[0]) {
00204         tr_error("no own cert");
00205         return -1;
00206     }
00207 
00208     // Parse own certificate chain
00209     uint8_t index = 0;
00210     while (true) {
00211         uint16_t cert_len;
00212         uint8_t *cert = sec_prot_certs_cert_get(&certs->own_cert_chain, index, &cert_len);
00213         if (!cert) {
00214             if (index == 0) {
00215                 tr_error("No own cert");
00216                 return -1;
00217             }
00218             break;
00219         }
00220         if (mbedtls_x509_crt_parse(&sec->owncert, cert, cert_len) < 0) {
00221             tr_error("Own cert parse eror");
00222             return -1;
00223         }
00224         index++;
00225     }
00226 
00227     // Parse private key
00228     uint8_t key_len;
00229     uint8_t *key = sec_prot_certs_priv_key_get(&certs->own_cert_chain, &key_len);
00230     if (!key) {
00231         tr_error("No private key");
00232         return -1;
00233     }
00234 
00235     if (mbedtls_pk_parse_key(&sec->pkey, key, key_len, NULL, 0) < 0) {
00236         tr_error("Private key parse error");
00237         return -1;
00238     }
00239 
00240     // Configure own certificate chain and private key
00241     if (mbedtls_ssl_conf_own_cert(&sec->conf, &sec->owncert, &sec->pkey) != 0) {
00242         tr_error("Own cert and private key conf error");
00243         return -1;
00244     }
00245 
00246     // Parse trusted certificate chains
00247     ns_list_foreach(cert_chain_entry_t, entry, &certs->trusted_cert_chain_list) {
00248         index = 0;
00249         while (true) {
00250             uint16_t cert_len;
00251             uint8_t *cert = sec_prot_certs_cert_get(entry, index, &cert_len);
00252             if (!cert) {
00253                 if (index == 0) {
00254                     tr_error("No trusted cert");
00255                     return -1;
00256                 }
00257                 break;
00258             }
00259             if (mbedtls_x509_crt_parse(&sec->cacert, cert, cert_len) < 0) {
00260                 tr_error("Trusted cert parse error");
00261                 return -1;
00262             }
00263             index++;
00264         }
00265     }
00266 
00267     // Parse certificate revocation lists
00268     ns_list_foreach(cert_revocat_list_entry_t, entry, &certs->cert_revocat_lists) {
00269         uint16_t crl_len;
00270         const uint8_t *crl = sec_prot_certs_revocat_list_get(entry, &crl_len);
00271         if (!crl) {
00272             break;
00273         }
00274         if (!sec->crl) {
00275             sec->crl = ns_dyn_mem_temporary_alloc(sizeof(mbedtls_x509_crl));
00276             if (!sec->crl) {
00277                 tr_error("No memory for CRL");
00278                 return -1;
00279             }
00280             mbedtls_x509_crl_init(sec->crl);
00281         }
00282 
00283         if (mbedtls_x509_crl_parse(sec->crl, crl, crl_len) < 0) {
00284             tr_error("CRL parse error");
00285             return -1;
00286         }
00287     }
00288 
00289     // Configure trusted certificates and certificate revocation lists
00290     mbedtls_ssl_conf_ca_chain(&sec->conf, &sec->cacert, sec->crl);
00291 
00292     // Certificate verify required on both client and server
00293     mbedtls_ssl_conf_authmode(&sec->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
00294 
00295     // Get extended certificate validation setting
00296     sec->ext_cert_valid = sec_prot_certs_ext_certificate_validation_get(certs);
00297 
00298     return 0;
00299 }
00300 
00301 int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_prot_certs_t *certs)
00302 {
00303 #if !defined(HAVE_PAE_SUPP) || !defined(HAVE_PAE_AUTH)
00304     (void) is_server;
00305 #endif
00306 
00307     if (!sec) {
00308         return -1;
00309     }
00310 
00311 #ifdef HAVE_PAE_SUPP
00312     if (is_server_is_not_set) {
00313         sec->crt_verify = tls_sec_prot_lib_x509_crt_server_verify;
00314     }
00315 #endif
00316 #ifdef HAVE_PAE_AUTH
00317     if (is_server_is_set) {
00318         sec->crt_verify = tls_sec_prot_lib_x509_crt_idevid_ldevid_verify;
00319     }
00320 #endif
00321 
00322 
00323     if ((mbedtls_ssl_config_defaults(&sec->conf,
00324                                      is_server_is_set ? MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT,
00325                                      MBEDTLS_SSL_TRANSPORT_STREAM, 0)) != 0) {
00326         tr_error("config defaults fail");
00327         return -1;
00328     }
00329 
00330     // Configure random number generator
00331     mbedtls_ssl_conf_rng(&sec->conf, mbedtls_ctr_drbg_random, &sec->ctr_drbg);
00332 
00333 #ifdef MBEDTLS_ECP_RESTARTABLE
00334     // Set ECC calculation maximum operations (affects only client)
00335     mbedtls_ecp_set_max_ops(ECC_CALCULATION_MAX_OPS);
00336 #endif
00337 
00338     if ((mbedtls_ssl_setup(&sec->ssl, &sec->conf)) != 0) {
00339         tr_error("ssl setup fail");
00340         return -1;
00341     }
00342 
00343     // Set calbacks
00344     mbedtls_ssl_set_bio(&sec->ssl, sec, tls_sec_prot_lib_ssl_send, tls_sec_prot_lib_ssl_recv, NULL);
00345     mbedtls_ssl_set_timer_cb(&sec->ssl, sec, tls_sec_prot_lib_ssl_set_timer, tls_sec_prot_lib_ssl_get_timer);
00346 
00347     // Configure certificates, keys and certificate revocation list
00348     if (tls_sec_prot_lib_configure_certificates(sec, certs) != 0) {
00349         tr_error("cert conf fail");
00350         return -1;
00351     }
00352 
00353     // Configure ciphersuites
00354     static const int sec_suites[] = {
00355         MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8,
00356         0,
00357         0,
00358         0
00359     };
00360     mbedtls_ssl_conf_ciphersuites(&sec->conf, sec_suites);
00361 
00362 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
00363     mbedtls_ssl_conf_dbg(&sec->conf, tls_sec_prot_lib_debug, sec);
00364     mbedtls_debug_set_threshold(5);
00365 #endif
00366 
00367     // Export keys callback
00368     mbedtls_ssl_conf_export_keys_ext_cb(&sec->conf, tls_sec_prot_lib_ssl_export_keys, sec);
00369 
00370     mbedtls_ssl_conf_min_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
00371     mbedtls_ssl_conf_max_version(&sec->conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MAJOR_VERSION_3);
00372 
00373     // Set certificate verify callback
00374     mbedtls_ssl_set_verify(&sec->ssl, tls_sec_prot_lib_x509_crt_verify, sec);
00375 
00376 #ifdef MBEDTLS_ECP_RESTARTABLE
00377     if (is_server_is_set) {
00378         // Temporary to enable non blocking ECC */
00379         sec->ssl.handshake->ecrs_enabled = 1;
00380     }
00381 #endif
00382 
00383     return 0;
00384 }
00385 
00386 #ifdef TLS_SEC_PROT_LIB_TLS_DEBUG
00387 static void tls_sec_prot_lib_debug(void *ctx, int level, const char *file, int line, const char *string)
00388 {
00389     (void) ctx;
00390     tr_debug("%i %s %i %s", level, file, line, string);
00391 }
00392 #endif
00393 
00394 int8_t tls_sec_prot_lib_process(tls_security_t *sec)
00395 {
00396     int ret = -1;
00397 
00398     while (ret != MBEDTLS_ERR_SSL_WANT_READ) {
00399         ret = mbedtls_ssl_handshake_step(&sec->ssl);
00400 
00401 #if defined(MBEDTLS_ECP_RESTARTABLE) && defined(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS)
00402         if (ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS /* || ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS */) {
00403             return TLS_SEC_PROT_LIB_CALCULATING;
00404         }
00405 #endif
00406 
00407         if (ret && (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)) {
00408             return TLS_SEC_PROT_LIB_ERROR;
00409         }
00410 
00411         if (sec->ssl.state == MBEDTLS_SSL_HANDSHAKE_OVER) {
00412             return TLS_SEC_PROT_LIB_HANDSHAKE_OVER;
00413         }
00414     }
00415 
00416     return TLS_SEC_PROT_LIB_CONTINUE;
00417 }
00418 
00419 static void tls_sec_prot_lib_ssl_set_timer(void *ctx, uint32_t int_ms, uint32_t fin_ms)
00420 {
00421     tls_security_t *sec = (tls_security_t *)ctx;
00422     sec->set_timer(sec->handle, int_ms, fin_ms);
00423 }
00424 
00425 static int tls_sec_prot_lib_ssl_get_timer(void *ctx)
00426 {
00427     tls_security_t *sec = (tls_security_t *)ctx;
00428     return sec->get_timer(sec->handle);
00429 }
00430 
00431 static int tls_sec_prot_lib_ssl_send(void *ctx, const unsigned char *buf, size_t len)
00432 {
00433     tls_security_t *sec = (tls_security_t *)ctx;
00434     return sec->send(sec->handle, buf, len);
00435 }
00436 
00437 static int tls_sec_prot_lib_ssl_recv(void *ctx, unsigned char *buf, size_t len)
00438 {
00439     tls_security_t *sec = (tls_security_t *)ctx;
00440     int16_t ret = sec->receive(sec->handle, buf, len);
00441 
00442     if (ret == TLS_SEC_PROT_LIB_NO_DATA) {
00443         return MBEDTLS_ERR_SSL_WANT_READ;
00444     }
00445     return ret;
00446 }
00447 
00448 static int tls_sec_prot_lib_ssl_export_keys(void *p_expkey, const unsigned char *ms,
00449                                             const unsigned char *kb, size_t maclen, size_t keylen,
00450                                             size_t ivlen, const unsigned char client_random[32],
00451                                             const unsigned char server_random[32],
00452                                             mbedtls_tls_prf_types tls_prf_type)
00453 {
00454     (void) kb;
00455     (void) maclen;
00456     (void) keylen;
00457     (void) ivlen;
00458 
00459     tls_security_t *sec = (tls_security_t *)p_expkey;
00460 
00461     uint8_t eap_tls_key_material[128];
00462     uint8_t random[64];
00463     memcpy(random, client_random, 32);
00464     memcpy(&random[32], server_random, 32);
00465 
00466     int ret = mbedtls_ssl_tls_prf(tls_prf_type, ms, 48, "client EAP encryption",
00467                                   random, 64, eap_tls_key_material, 128);
00468 
00469     if (ret != 0) {
00470         tr_error("key material PRF error");
00471         return 0;
00472     }
00473 
00474     sec->export_keys(sec->handle, ms, eap_tls_key_material);
00475     return 0;
00476 }
00477 
00478 static int tls_sec_prot_lib_x509_crt_verify(void *ctx, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags)
00479 {
00480     tls_security_t *sec = (tls_security_t *) ctx;
00481 
00482     /* MD/PK forced by configuration flags and dynamic settings but traced also here
00483        to prevent invalid configurations/certificates */
00484     if (crt->sig_md != MBEDTLS_MD_SHA256) {
00485         tr_error("Invalid signature md algorithm");
00486     }
00487     if (crt->sig_pk != MBEDTLS_PK_ECDSA) {
00488         tr_error("Invalid signature pk algorithm");
00489     }
00490     if (*flags & MBEDTLS_X509_BADCERT_FUTURE) {
00491         tr_info("Certificate time future");
00492         *flags &= ~MBEDTLS_X509_BADCERT_FUTURE;
00493     }
00494 
00495     // Verify client/server certificate of the chain
00496     if (certificate_depth == 0) {
00497         return sec->crt_verify(sec, crt, flags);
00498     }
00499 
00500     // No further checks for intermediate and root certificates at the moment
00501     return 0;
00502 }
00503 
00504 static int8_t tls_sec_prot_lib_subject_alternative_name_validate(mbedtls_x509_crt *crt)
00505 {
00506     mbedtls_asn1_sequence *seq = &crt->subject_alt_names;
00507     int8_t result = -1;
00508     while (seq) {
00509         mbedtls_x509_subject_alternative_name san;
00510         int ret_value = mbedtls_x509_parse_subject_alt_name((mbedtls_x509_buf *)&seq->buf, &san);
00511         if (ret_value == 0 && san.type == MBEDTLS_X509_SAN_OTHER_NAME) {
00512             // id-on-hardwareModuleName must be present (1.3.6.1.5.5.7.8.4)
00513             if (MBEDTLS_OID_CMP(MBEDTLS_OID_ON_HW_MODULE_NAME, &san.san.other_name.value.hardware_module_name.oid)) {
00514                 // Traces hardwareModuleName (1.3.6.1.4.1.<enteprise number>.<model,version,etc.>)
00515                 char buffer[30];
00516                 ret_value = mbedtls_oid_get_numeric_string(buffer, sizeof(buffer), &san.san.other_name.value.hardware_module_name.oid);
00517                 if (ret_value != MBEDTLS_ERR_OID_BUF_TOO_SMALL) {
00518                     tr_info("id-on-hardwareModuleName %s", buffer);
00519                 }
00520                 // Traces serial number as hex string
00521                 mbedtls_x509_buf *val = &san.san.other_name.value.hardware_module_name.val;
00522                 if (val->p) {
00523                     tr_info("id-on-hardwareModuleName hwSerialNum %s", trace_array(val->p, val->len));
00524                 }
00525                 result = 0;
00526             }
00527         } else {
00528             tr_debug("Ignored subject alt name: %i", san.type);
00529         }
00530         seq = seq->next;
00531     }
00532     return result;
00533 }
00534 
00535 static int8_t tls_sec_prot_lib_extended_key_usage_validate(mbedtls_x509_crt *crt)
00536 {
00537 #if defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
00538     // Extended key usage must be present
00539     if (mbedtls_x509_crt_check_extended_key_usage(crt, MBEDTLS_OID_WISUN_FAN, sizeof(MBEDTLS_OID_WISUN_FAN) - 1) != 0) {
00540         tr_error("invalid extended key usage");
00541         return -1; // FAIL
00542     }
00543 #endif
00544     return 0;
00545 }
00546 
00547 #ifdef HAVE_PAE_AUTH
00548 static int tls_sec_prot_lib_x509_crt_idevid_ldevid_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags)
00549 {
00550     // For both IDevID and LDevId both subject alternative name or extended key usage must be valid
00551     if (tls_sec_prot_lib_subject_alternative_name_validate(crt) < 0 ||
00552             tls_sec_prot_lib_extended_key_usage_validate(crt) < 0) {
00553         tr_error("invalid cert");
00554         if (sec->ext_cert_valid) {
00555             *flags |= MBEDTLS_X509_BADCERT_OTHER;
00556             return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
00557         }
00558     }
00559     return 0;
00560 }
00561 #endif
00562 
00563 #ifdef HAVE_PAE_SUPP
00564 static int tls_sec_prot_lib_x509_crt_server_verify(tls_security_t *sec, mbedtls_x509_crt *crt, uint32_t *flags)
00565 {
00566     int8_t sane_res = tls_sec_prot_lib_subject_alternative_name_validate(crt);
00567     int8_t ext_key_res = tls_sec_prot_lib_extended_key_usage_validate(crt);
00568 
00569     // If either subject alternative name or extended key usage is present
00570     if (sane_res >= 0 || ext_key_res >= 0) {
00571         // Then both subject alternative name and extended key usage must be valid
00572         if (sane_res < 0 || ext_key_res < 0) {
00573             tr_error("invalid cert");
00574             if (sec->ext_cert_valid) {
00575                 *flags |= MBEDTLS_X509_BADCERT_OTHER;
00576                 return MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
00577             }
00578         }
00579     }
00580 
00581     return 0;
00582 }
00583 #endif
00584 
00585 static int tls_sec_lib_entropy_poll(void *ctx, unsigned char *output, size_t len, size_t *olen)
00586 {
00587     (void)ctx;
00588 
00589     char *c = (char *)ns_dyn_mem_temporary_alloc(len);
00590     if (!c) {
00591         tr_error("entropy alloca fail");
00592         return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
00593     }
00594     memset(c, 0, len);
00595     for (uint16_t i = 0; i < len; i++) {
00596         *(c + i) = (char)randLIB_get_8bit();
00597     }
00598     memmove(output, c, len);
00599     *olen = len;
00600 
00601     ns_dyn_mem_free(c);
00602     return (0);
00603 }
00604 
00605 #ifdef TLS_SEC_PROT_LIB_USE_MBEDTLS_PLATFORM_MEMORY
00606 static void *tls_sec_prot_lib_mem_calloc(size_t count, size_t size)
00607 {
00608     void *mem_ptr = ns_dyn_mem_temporary_alloc(count * size);
00609 
00610     if (mem_ptr) {
00611         // Calloc should initialize with zero
00612         memset(mem_ptr, 0, count * size);
00613     }
00614     return mem_ptr;
00615 }
00616 
00617 static void tls_sec_prot_lib_mem_free(void *ptr)
00618 {
00619     ns_dyn_mem_free(ptr);
00620 }
00621 #endif
00622 
00623 #else /* WS_MBEDTLS_SECURITY_ENABLED */
00624 
00625 int8_t tls_sec_prot_lib_connect(tls_security_t *sec, bool is_server, const sec_prot_certs_t *certs)
00626 {
00627     (void)sec;
00628     (void)is_server;
00629     (void)certs;
00630     return 0;
00631 }
00632 
00633 void tls_sec_prot_lib_free(tls_security_t *sec)
00634 {
00635     (void)sec;
00636 }
00637 
00638 int8_t tls_sec_prot_lib_init(tls_security_t *sec)
00639 {
00640     (void)sec;
00641     return 0;
00642 }
00643 
00644 int8_t tls_sec_prot_lib_process(tls_security_t *sec)
00645 {
00646     (void)sec;
00647     return 0;
00648 }
00649 
00650 void tls_sec_prot_lib_set_cb_register(tls_security_t *sec, void *handle,
00651                                       tls_sec_prot_lib_send *send, tls_sec_prot_lib_receive *receive,
00652                                       tls_sec_prot_lib_export_keys *export_keys, tls_sec_prot_lib_set_timer *set_timer,
00653                                       tls_sec_prot_lib_get_timer *get_timer)
00654 {
00655     (void)sec;
00656     (void)handle;
00657     (void)send;
00658     (void)receive;
00659     (void)export_keys;
00660     (void)set_timer;
00661     (void)get_timer;
00662 }
00663 
00664 uint16_t tls_sec_prot_lib_size(void)
00665 {
00666     return 0;
00667 }
00668 #endif /* WS_MBEDTLS_SECURITY_ENABLED */
00669 #endif /* HAVE_WS */