Drop CRL from mbedTLS integration - let customer do a custom init if required

This commit is contained in:
Sergey Lyubka 2022-04-01 16:42:41 +01:00
parent df602c27d5
commit d954851d43
6 changed files with 8 additions and 31 deletions


@ -6,8 +6,6 @@
cmake_minimum_required(VERSION 3.20.0) cmake_minimum_required(VERSION 3.20.0)
find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE}) find_package(Zephyr REQUIRED HINTS $ENV{ZEPHYR_BASE})
project(http_server) project(http_server)
#add_definitions(-DMG_ENABLE_LINES=1) #add_definitions(-DMG_ENABLE_LINES=1)
add_definitions(-DMG_ENABLE_SSI=0) add_definitions(-DMG_ENABLE_MBEDTLS=1)
target_sources(app PRIVATE src/main.c src/mongoose.c) target_sources(app PRIVATE src/main.c src/mongoose.c)

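--- a/PATH_NOT_SHOWN_ON_PAGE_file2
+++ b/PATH_NOT_SHOWN_ON_PAGE_file2
@@ -13,3 +13,5 @@ CONFIG_ISR_STACK_SIZE=2048
 CONFIG_MAIN_STACK_SIZE=8192
 CONFIG_IDLE_STACK_SIZE=1024
 CONFIG_NET_CONFIG_SETTINGS=y
+CONFIG_MBEDTLS=y
+CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048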
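Review bot: The added `CONFIG_MBEDTLS_SSL_MAX_CONTENT_LEN=2048` caps the TLS record buffers far below the 16 KiB record size the protocol allows, and nothing on the page says why. A peer that does not negotiate a smaller fragment length, or that sends a certificate chain larger than the buffer in one handshake flight, will fail the handshake rather than degrade, which is hard to diagnose from an embedded target. A one-line comment next to the setting would record the trade-off, e.g. `# 2048 saves RAM on the target; raise it if handshakes fail against servers with large certificate chains`.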

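--- a/PATH_NOT_SHOWN_ON_PAGE_file3
+++ b/PATH_NOT_SHOWN_ON_PAGE_file3
@@ -4257,7 +4257,6 @@ void mg_tls_free(struct mg_connection *c) {
 mbedtls_ssl_free(&tls->ssl);
 mbedtls_pk_free(&tls->pk);
 mbedtls_x509_crt_free(&tls->ca);
-mbedtls_x509_crl_free(&tls->crl);
 mbedtls_x509_crt_free(&tls->cert);
 mbedtls_ssl_config_free(&tls->conf);
 free(tls);
@@ -4344,7 +4343,6 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
 mbedtls_ssl_init(&tls->ssl);
 mbedtls_ssl_config_init(&tls->conf);
 mbedtls_x509_crt_init(&tls->ca);
-mbedtls_x509_crl_init(&tls->crl);
 mbedtls_x509_crt_init(&tls->cert);
 mbedtls_pk_init(&tls->pk);
 mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
@@ -4362,18 +4360,9 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
 if (opts->ca == NULL || strcmp(opts->ca, "*") == 0) {
 mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
 } else if (opts->ca != NULL && opts->ca[0] != '\0') {
-if (opts->crl != NULL && opts->crl[0] != '\0') {
-struct mg_str s = mg_loadfile(fs, opts->crl);
-rc = mbedtls_x509_crl_parse(&tls->crl, (uint8_t *) s.ptr, s.len + 1);
-if (opts->crl[0] != '-') free((char *) s.ptr);
-if (rc != 0) {
-mg_error(c, "parse(%s) err %#x", opts->crl, -rc);
-goto fail;
-}
-}
 #if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
 tls->cafile = strdup(opts->ca);
-rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, &tls->crl);
+rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL);
 if (rc != 0) {
 mg_error(c, "parse on-disk chain(%s) err %#x", tls->cafile, -rc);
 goto fail;
@@ -4386,7 +4375,7 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
 mg_error(c, "parse(%s) err %#x", opts->ca, -rc);
 goto fail;
 }
-mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, &tls->crl);
+mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL);
 #endif
 if (opts->srvname.len > 0) {
 char mem[128], *buf = mem;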
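Review bot: With the CRL block gone, both `mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL)` and `mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL)` now verify peers against the CA chain with no revocation data, and nothing in the hunk tells a caller that this is what happens. If `struct mg_tls_opts` still carries a `crl` member (its definition is not in this diff), an application that keeps setting it loses revocation checking silently instead of getting an error; a guard such as `if (opts->crl != NULL && opts->crl[0] != '\0') { mg_error(c, "CRL not supported, use a custom init"); goto fail; }` keeps that fail-closed, or the field should be dropped together with this code. Since the commit message names a custom init as the replacement, a comment at the `NULL` argument pointing to where that hook lives would save the next reader a search. The fifth file section repeats this hunk (`@ -121,18 +119,9 @@`) and this note applies there as well. `mg_tls_init` starts and ends outside the hunk.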


@ -483,6 +483,7 @@ typedef int socklen_t;
#define strerror(x) zsock_gai_strerror(x) #define strerror(x) zsock_gai_strerror(x)
#define FD_CLOEXEC 0 #define FD_CLOEXEC 0
#define F_SETFD 0 #define F_SETFD 0
#define MG_ENABLE_SSI 0
int rand(void); int rand(void);
int sscanf(const char *, const char *, ...); int sscanf(const char *, const char *, ...);
@ -1063,7 +1064,6 @@ void mg_tls_handshake(struct mg_connection *);
struct mg_tls { struct mg_tls {
char *cafile; // CA certificate path char *cafile; // CA certificate path
mbedtls_x509_crt ca; // Parsed CA certificate mbedtls_x509_crt ca; // Parsed CA certificate
mbedtls_x509_crl crl; // Parsed Certificate Revocation List
mbedtls_x509_crt cert; // Parsed certificate mbedtls_x509_crt cert; // Parsed certificate
mbedtls_ssl_context ssl; // SSL/TLS context mbedtls_ssl_context ssl; // SSL/TLS context
mbedtls_ssl_config conf; // SSL-TLS config mbedtls_ssl_config conf; // SSL-TLS config
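Review bot: The added `#define MG_ENABLE_SSI 0` in the first hunk is unconditional, so a build that also passes `-DMG_ENABLE_SSI=...` on the command line (as the example CMakeLists did until this commit) redefines the macro with a different value, which compilers report as a warning and `-Werror` turns into an error. Guarding it with `#ifndef MG_ENABLE_SSI` / `#define MG_ENABLE_SSI 0` / `#endif` keeps what looks like a platform default (the enclosing block, presumably the Zephyr section, starts outside the hunk) overridable in the usual way. A short comment saying why SSI is off for this platform would also help, since the reason is not visible here.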

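--- a/PATH_NOT_SHOWN_ON_PAGE_file5
+++ b/PATH_NOT_SHOWN_ON_PAGE_file5
@@ -16,7 +16,6 @@ void mg_tls_free(struct mg_connection *c) {
 mbedtls_ssl_free(&tls->ssl);
 mbedtls_pk_free(&tls->pk);
 mbedtls_x509_crt_free(&tls->ca);
-mbedtls_x509_crl_free(&tls->crl);
 mbedtls_x509_crt_free(&tls->cert);
 mbedtls_ssl_config_free(&tls->conf);
 free(tls);
@@ -103,7 +102,6 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
 mbedtls_ssl_init(&tls->ssl);
 mbedtls_ssl_config_init(&tls->conf);
 mbedtls_x509_crt_init(&tls->ca);
-mbedtls_x509_crl_init(&tls->crl);
 mbedtls_x509_crt_init(&tls->cert);
 mbedtls_pk_init(&tls->pk);
 mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
@@ -121,18 +119,9 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
 if (opts->ca == NULL || strcmp(opts->ca, "*") == 0) {
 mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
 } else if (opts->ca != NULL && opts->ca[0] != '\0') {
-if (opts->crl != NULL && opts->crl[0] != '\0') {
-struct mg_str s = mg_loadfile(fs, opts->crl);
-rc = mbedtls_x509_crl_parse(&tls->crl, (uint8_t *) s.ptr, s.len + 1);
-if (opts->crl[0] != '-') free((char *) s.ptr);
-if (rc != 0) {
-mg_error(c, "parse(%s) err %#x", opts->crl, -rc);
-goto fail;
-}
-}
 #if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
 tls->cafile = strdup(opts->ca);
-rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, &tls->crl);
+rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL);
 if (rc != 0) {
 mg_error(c, "parse on-disk chain(%s) err %#x", tls->cafile, -rc);
 goto fail;
@@ -145,7 +134,7 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
 mg_error(c, "parse(%s) err %#x", opts->ca, -rc);
 goto fail;
 }
-mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, &tls->crl);
+mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL);
 #endif
 if (opts->srvname.len > 0) {
 char mem[128], *buf = mem;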

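--- a/PATH_NOT_SHOWN_ON_PAGE_file6
+++ b/PATH_NOT_SHOWN_ON_PAGE_file6
@@ -13,7 +13,6 @@
 struct mg_tls {
 char *cafile; // CA certificate path
 mbedtls_x509_crt ca; // Parsed CA certificate
-mbedtls_x509_crl crl; // Parsed Certificate Revocation List
 mbedtls_x509_crt cert; // Parsed certificate
 mbedtls_ssl_context ssl; // SSL/TLS context
 mbedtls_ssl_config conf; // SSL-TLS config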