Gitiles
Code Review Sign In
192.168.1.100 / T108_Public / b618090ac2865be2bf7c28f41d44b807799a50c9 / . / mbtk / libmbtk_lib / net / mbtk_mbedtls.c
blob: aaa638a6f286d7d57d7783b1641c430350da13a4 [file] [log] [blame]
yq.wang39b54a22025-04-11 15:25:50 +0800[diff] [blame]1/*-----------------------------------------------------------------------------------------------*/
2/**
3 @file mbtk_mbedtls.c
4 @brief MBEDTLS API
5*/
6/*-----------------------------------------------------------------------------------------------*/
7
8/*-------------------------------------------------------------------------------------------------
9 Copyright (c) 2024 mobiletek Wireless Solution, Co., Ltd. All Rights Reserved.
10 mobiletek Wireless Solution Proprietary and Confidential.
11-------------------------------------------------------------------------------------------------*/
12
13/*-------------------------------------------------------------------------------------------------
14 EDIT HISTORY
15 This section contains comments describing changes made to the file.
16 Notice that changes are listed in reverse chronological order.
17 $Header: $
18 when who what, where, why
19 -------- --------- -----------------------------------------------------------------
20 20250409 yq.wang Created .
21-------------------------------------------------------------------------------------------------*/
22#ifdef MBTK_MBEDTLS_V3_6_2_SUPPORT
23#include <stdio.h>
24#include <stdlib.h>
25#include <string.h>
26#include <unistd.h>
27
28#include "mbtk_log.h"
29#include "mbtk_mbedtls.h"
30
31#define MBTK_SSL_PERS_STR_DEFAULT "mbtk_ssl"
32#define MBTK_SSL_INFO_FD_DEFAULT -1
33#define MBTK_SSL_BUFFER_SIZE_1024 1024
34#define MBTK_SSL_BUFFER_SIZE_128 128
35
36static mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_info_free(mbtk_mbedtls_ssl_info_s *ssl_info)
37{
38 if(NULL == ssl_info)
39 {
40 LOGE("[%s] ssl_info [NULL]", __func__);
41 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
42 }
43
44 if(NULL != ssl_info->entropy)
45 {
46 free(ssl_info->entropy);
47 ssl_info->entropy = NULL;
48 }
49
50 if(NULL != ssl_info->ctr_drbg)
51 {
52 free(ssl_info->ctr_drbg);
53 ssl_info->ctr_drbg = NULL;
54 }
55
56 if(NULL != ssl_info->ssl)
57 {
58 free(ssl_info->ssl);
59 ssl_info->ssl = NULL;
60 }
61
62 if(NULL != ssl_info->conf)
63 {
64 free(ssl_info->conf);
65 ssl_info->conf = NULL;
66 }
67
68 if(NULL != ssl_info->cacert)
69 {
70 free(ssl_info->cacert);
71 ssl_info->cacert = NULL;
72 }
73
74 if(NULL != ssl_info->clientcert)
75 {
76 free(ssl_info->clientcert);
77 ssl_info->clientcert = NULL;
78 }
79
80 if(NULL != ssl_info->clientkey)
81 {
82 free(ssl_info->clientkey);
83 ssl_info->clientkey = NULL;
84 }
85
86 return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
87}
88
89static mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_info_malloc(mbtk_mbedtls_ssl_info_s *ssl_info)
90{
91 if(NULL == ssl_info)
92 {
93 LOGE("[%s] ssl_info [NULL]", __func__);
94 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
95 }
96
97 ssl_info->entropy = (mbedtls_entropy_context *)malloc(sizeof(mbedtls_entropy_context));
98 if(NULL == ssl_info->entropy)
99 {
100 LOGE("[%s] entropy malloc() fail", __func__);
101 goto free_error;
102 }
103
104 ssl_info->ctr_drbg = (mbedtls_ctr_drbg_context *)malloc(sizeof(mbedtls_ctr_drbg_context));
105 if(NULL == ssl_info->ctr_drbg)
106 {
107 LOGE("[%s] ctr_drbg malloc() fail", __func__);
108 goto free_error;
109 }
110
111 ssl_info->ssl = (mbedtls_ssl_context *)malloc(sizeof(mbedtls_ssl_context));
112 if(NULL == ssl_info->ssl)
113 {
114 LOGE("[%s] ssl malloc() fail", __func__);
115 goto free_error;
116 }
117
118 ssl_info->conf = (mbedtls_ssl_config *)malloc(sizeof(mbedtls_ssl_config));
119 if(NULL == ssl_info->conf)
120 {
121 LOGE("[%s] conf malloc() fail", __func__);
122 goto free_error;
123 }
124
125 ssl_info->cacert = (mbedtls_x509_crt *)malloc(sizeof(mbedtls_x509_crt));
126 if(NULL == ssl_info->cacert)
127 {
128 LOGE("[%s] cacert malloc() fail", __func__);
129 goto free_error;
130 }
131
132 ssl_info->clientcert = (mbedtls_x509_crt *)malloc(sizeof(mbedtls_x509_crt));
133 if(NULL == ssl_info->clientcert)
134 {
135 LOGE("[%s] clientcert malloc() fail", __func__);
136 goto free_error;
137 }
138
139 ssl_info->clientkey = (mbedtls_pk_context *)malloc(sizeof(mbedtls_pk_context));
140 if(NULL == ssl_info->clientkey)
141 {
142 LOGE("[%s] clientkey malloc() fail", __func__);
143 goto free_error;
144 }
145
146 return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
147free_error:
148 mbtk_mbedtls_ssl_info_free(ssl_info);
149
150 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
151}
152
153mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_options_default(mbtk_mbedtls_ssl_options_s *opt)
154{
155 if(NULL == opt)
156 {
157 LOGE("[%s] opt [NULL]", __func__);
158 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
159 }
160
161 const mbedtls_x509_crt_profile mbtk_profile = mbedtls_x509_crt_profile_default;
162
163 opt->load_cert = false;
164 opt->ca_file = NULL;
165 opt->crt_file = NULL;
166 opt->key_file = NULL;
167 opt->pers_str = (unsigned char*)MBTK_SSL_PERS_STR_DEFAULT;
168 opt->pers_str_size = strlen((const char*)opt->pers_str);
169 opt->type = MBTK_MBEDTLS_SSL_IS_CLIENT;
170 opt->transprot = MBTK_MBEDTLS_SSL_TRANSPROT_STREAM;
171 opt->preset = MBTK_MBEDTLS_SSL_PRESET_DEFAULT;
172 opt->auth_mode = MBTK_MBEDTLS_SSL_VERIFY_OPTIONAL;
173 opt->renegotiation = MBTK_MBEDTLS_SSL_RENEGOTIATION_DISABLED;
174 opt->allow_legacy = MBTK_MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
175 opt->min_version = MBTK_MBEDTLS_SSL_MINOR_VERSION_3;
176 opt->max_version = MBTK_MBEDTLS_SSL_MINOR_VERSION_4;
177 opt->allowed_mds = mbtk_profile.allowed_mds;
178
179 return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
180}
181
182int mbtk_mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
183{
184 return mbedtls_ssl_write(ssl, buf, len);
185}
186
187int mbtk_mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
188{
189 return mbedtls_ssl_read(ssl, buf, len);
190}
191
192mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_init(int fd , mbtk_mbedtls_ssl_options_s *opt, mbtk_mbedtls_ssl_info_s* inter_info)
193{
194 int ret = -1;
195 uint32_t flags = 0;
196 char verify_err[MBTK_SSL_BUFFER_SIZE_1024 + 1] = {0};
197 char cert_buff[MBTK_SSL_BUFFER_SIZE_1024 + 1] = {0};
198 mbtk_mbedtls_ssl_options_s temp_opt = {0};
199 mbtk_mbedtls_ssl_info_s temp_ssl_info = {0};
200 mbedtls_x509_crt_profile mbtk_profile = mbedtls_x509_crt_profile_default;
201
202 if(NULL == inter_info)
203 {
204 LOGE("[%s] inter_info [NULL]", __func__);
205 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
206 }
207
208 if(NULL == opt)
209 {
210 ret = mbtk_mbedtls_ssl_options_default(&temp_opt);
211 }
212 else
213 {
214 memset(&temp_opt, 0x00, sizeof(mbtk_mbedtls_ssl_options_s));
215 memcpy(&temp_opt, opt, sizeof(mbtk_mbedtls_ssl_options_s));
216 }
217
218 memset(&temp_ssl_info, 0x00, sizeof(mbtk_mbedtls_ssl_info_s));
219 ret = mbtk_mbedtls_ssl_info_malloc(&temp_ssl_info);
220 if(ret != 0)
221 {
222 LOGE("[%s] mbtk_mbedtls_ssl_info_malloc() fail", __func__);
223 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
224 }
225
226 mbedtls_ctr_drbg_init(temp_ssl_info.ctr_drbg);
227 mbedtls_entropy_init(temp_ssl_info.entropy);
228 mbedtls_ssl_init(temp_ssl_info.ssl);
229 mbedtls_ssl_config_init(temp_ssl_info.conf);
230 mbedtls_x509_crt_init(temp_ssl_info.cacert);
231 mbedtls_x509_crt_init(temp_ssl_info.clientcert);
232 mbedtls_pk_init(temp_ssl_info.clientkey);
233
234 //1.Initialize the function for CTR_DRBG pseudorandom number generator
235 ret = mbedtls_ctr_drbg_seed(temp_ssl_info.ctr_drbg, mbedtls_entropy_func, temp_ssl_info.entropy, temp_opt.pers_str, temp_opt.pers_str_size);
236 if (ret != 0)
237 {
238 LOGE("[%s] mbedtls_ctr_drbg_seed() fail.[-0x%x]", __func__, -ret);
239 goto error;
240 }
241
242 //2.Load certificate
243 if(temp_opt.load_cert)
244 {
245 if(NULL == temp_opt.ca_file || NULL == temp_opt.crt_file || NULL == temp_opt.key_file)
246 {
247 LOGE("[%s] file [NULL]", __func__);
248 goto error;
249 }
250
251 //2.1-Load root certificate
252 ret = mbedtls_x509_crt_parse_file(temp_ssl_info.cacert, temp_opt.ca_file);
253 if(ret != 0)
254 {
255 LOGE("[%s] mbedtls_x509_crt_parse_file() CA fail.[-0x%x]", __func__, -ret);
256 goto error;
257 }
258
259 //2.2-Load the client public key
260 ret = mbedtls_x509_crt_parse_file(temp_ssl_info.clientcert, temp_opt.crt_file);
261 if(ret != 0)
262 {
263 LOGE("[%s] mbedtls_x509_crt_parse_file() CRT fail.[-0x%x]", __func__, -ret);
264 goto error;
265 }
266
267 //2.3-Load the client private key
268 ret = mbedtls_pk_parse_keyfile(temp_ssl_info.clientkey, temp_opt.key_file, NULL, mbedtls_ctr_drbg_random, temp_ssl_info.ctr_drbg);
269 if(ret != 0)
270 {
271 LOGE("[%s] mbedtls_pk_parse_keyfile() KEY fail.[-0x%x]", __func__, -ret);
272 goto error;
273 }
274 }
275
276 LOGD("[%s] Configure the SSL/TLS context...", __func__);
277 //3.Configure the SSL/TLS context
278 ret = mbedtls_ssl_config_defaults(temp_ssl_info.conf, temp_opt.type, temp_opt.transprot, temp_opt.preset);
279 if(ret != 0)
280 {
281 LOGE("[%s] mbedtls_ssl_config_defaults() fail.[-0x%x]", __func__, -ret);
282 goto error;
283 }
284
285 mbedtls_ssl_conf_authmode(temp_ssl_info.conf, temp_opt.auth_mode);
286 mbedtls_ssl_conf_ca_chain(temp_ssl_info.conf, temp_ssl_info.cacert, NULL);
287 if(temp_opt.load_cert)
288 {
289 ret = mbedtls_ssl_conf_own_cert(temp_ssl_info.conf, temp_ssl_info.clientcert, temp_ssl_info.clientkey);
290 if(ret != 0)
291 {
292 LOGE("[%s] mbedtls_ssl_conf_own_cert() fail.[-0x%x]", __func__, -ret);
293 goto error;
294 }
295 }
296
297 mbedtls_ssl_conf_rng(temp_ssl_info.conf, mbedtls_ctr_drbg_random, temp_ssl_info.ctr_drbg);
298 //mbedtls_ssl_conf_renegotiation(&conf, temp_opt.renegotiation);
299 mbedtls_ssl_conf_legacy_renegotiation(temp_ssl_info.conf, temp_opt.allow_legacy);
300 // TLS 1.2
301 mbedtls_ssl_conf_min_version(temp_ssl_info.conf, MBEDTLS_SSL_MAJOR_VERSION_3, temp_opt.min_version);
302 // TLS 1.3
303 mbedtls_ssl_conf_max_version(temp_ssl_info.conf, MBEDTLS_SSL_MAJOR_VERSION_3, temp_opt.max_version);
304
305 mbtk_profile.allowed_mds = temp_opt.allowed_mds;
306 mbedtls_ssl_conf_cert_profile(temp_ssl_info.conf, &mbtk_profile);
307
308 //4.Binding SSL configuration
309 ret = mbedtls_ssl_setup(temp_ssl_info.ssl, temp_ssl_info.conf);
310 if (ret != 0)
311 {
312 LOGE("[%s] mbedtls_ssl_setup() fail.[-0x%x]", __func__, -ret);
313 goto error;
314 }
315
316 mbedtls_ssl_set_bio(temp_ssl_info.ssl, &fd, mbedtls_net_send, mbedtls_net_recv, NULL);
317
318 LOGD("[%s] Performing the SSL/TLS handshake...", __func__);
319 //5.Shake hands
320 while((ret = mbedtls_ssl_handshake(temp_ssl_info.ssl)) != 0)
321 {
322 if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
323 {
324 LOGE("[%s] mbedtls_ssl_handshake() fail.[-0x%x]", __func__, -ret);
325 goto error;
326 }
327 }
328
329 LOGD("[%s] Handshake ok: Protocol[%s], Ciphersuite[%s]", __func__, mbedtls_ssl_get_version(temp_ssl_info.ssl), mbedtls_ssl_get_ciphersuite(temp_ssl_info.ssl));
330 //6.Verification certificate
331 flags = mbedtls_ssl_get_verify_result(temp_ssl_info.ssl);
332 if(flags != 0)
333 {
334 memset(verify_err, 0x00, MBTK_SSL_BUFFER_SIZE_1024 + 1);
335 mbedtls_x509_crt_verify_info(verify_err, MBTK_SSL_BUFFER_SIZE_1024, "[mbedtls_ssl_get_verify_result] ", flags);
336 LOGD("%s", verify_err);
337 if(temp_opt.auth_mode == MBTK_MBEDTLS_SSL_VERIFY_REQUIRED)
338 {
339 LOGE("[%s] mbedtls_ssl_get_verify_result() fail", __func__);
340 goto error;
341 }
342 }
343
344 if(mbedtls_ssl_get_peer_cert(temp_ssl_info.ssl) != NULL)
345 {
346 LOGD("[%s] Peer certificate information", __func__);
347 memset(cert_buff, 0x00, MBTK_SSL_BUFFER_SIZE_1024 + 1);
348 mbedtls_x509_crt_info(cert_buff, MBTK_SSL_BUFFER_SIZE_1024, "[mbedtls_ssl_get_verify_result] ", mbedtls_ssl_get_peer_cert(temp_ssl_info.ssl));
349 LOGD("%s", cert_buff);
350 }
351
352 temp_ssl_info.fd = fd;
353 memcpy(inter_info, &temp_ssl_info, sizeof(mbtk_mbedtls_ssl_info_s));
354
355 return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
356error:
357 mbedtls_ssl_close_notify(temp_ssl_info.ssl);
358 mbedtls_ssl_free(temp_ssl_info.ssl);
359 mbedtls_ssl_config_free(temp_ssl_info.conf);
360 mbedtls_ctr_drbg_free(temp_ssl_info.ctr_drbg);
361 mbedtls_entropy_free(temp_ssl_info.entropy);
362 mbedtls_pk_free(temp_ssl_info.clientkey);
363 mbedtls_x509_crt_free(temp_ssl_info.clientcert);
364 mbedtls_x509_crt_free(temp_ssl_info.cacert);
365
366 mbtk_mbedtls_ssl_info_free(&temp_ssl_info);
367 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
368}
369
370mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_deinit(mbtk_mbedtls_ssl_info_s* inter_info)
371{
372 if(NULL == inter_info)
373 {
374 LOGE("[%s] inter_info [NULL]", __func__);
375 return MBTK_MBEDTLS_SSL_RESULT_FAIL;
376 }
377
378 int ret = -1;
379 char error_buf[MBTK_SSL_BUFFER_SIZE_128 + 1] = {0};
380
381 do {
382 ret = mbedtls_ssl_close_notify(inter_info->ssl);
383 } while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);
384
385 if(ret != 0)
386 {
387 memset(error_buf, 0x00, MBTK_SSL_BUFFER_SIZE_128 + 1);
388 mbedtls_strerror(ret, error_buf, MBTK_SSL_BUFFER_SIZE_128);
389 LOGE("[%s] mbedtls_ssl_close_notify() fail.[%s]", __func__, error_buf);
390 }
391
392 mbedtls_ssl_close_notify(inter_info->ssl);
393 mbedtls_ssl_free(inter_info->ssl);
394 mbedtls_ssl_config_free(inter_info->conf);
395 mbedtls_ctr_drbg_free(inter_info->ctr_drbg);
396 mbedtls_entropy_free(inter_info->entropy);
397 mbedtls_pk_free(inter_info->clientkey);
398 mbedtls_x509_crt_free(inter_info->clientcert);
399 mbedtls_x509_crt_free(inter_info->cacert);
400 inter_info->fd = MBTK_SSL_INFO_FD_DEFAULT;
401
402 mbtk_mbedtls_ssl_info_free(inter_info);
403 return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
404}
405
406#endif