adapters/tlsio_mbedtls.c (1,053 lines of code) (raw):
// Copyright (c) Microsoft. All rights reserved.
// Licensed under the MIT license. See LICENSE file in the project root for full license information.
#include <stdlib.h>
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#define TLSIO_MBEDTLS_VERSION_2_16_0 0x02160000
#define TLSIO_MBEDTLS_VERSION_3_0_0 0x03000000
#include "mbedtls/version.h"
#include "mbedtls/debug.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#if !defined(MBEDTLS_VERSION_NUMBER) || MBEDTLS_VERSION_NUMBER < TLSIO_MBEDTLS_VERSION_3_0_0
#include "mbedtls/certs.h"
#include "mbedtls/entropy_poll.h"
#endif // MBEDTLS_VERSION_NUMBER
#include "mbedtls/pk.h"
#include "azure_c_shared_utility/gballoc.h"
#include "azure_c_shared_utility/optimize_size.h"
#include "azure_c_shared_utility/tlsio.h"
#include "azure_c_shared_utility/tlsio_mbedtls.h"
#include "azure_c_shared_utility/socketio.h"
#include "azure_c_shared_utility/crt_abstractions.h"
#include "azure_c_shared_utility/shared_util_options.h"
#include "azure_c_shared_utility/threadapi.h"
#include "azure_c_shared_utility/safe_math.h"
static const char *const OPTION_UNDERLYING_IO_OPTIONS = "underlying_io_options";
#define HANDSHAKE_TIMEOUT_MS 5000
#define HANDSHAKE_WAIT_INTERVAL_MS 10
typedef enum TLSIO_STATE_ENUM_TAG
{
TLSIO_STATE_NOT_OPEN,
TLSIO_STATE_OPENING_UNDERLYING_IO,
TLSIO_STATE_IN_HANDSHAKE,
TLSIO_STATE_OPEN,
TLSIO_STATE_CLOSING,
TLSIO_STATE_ERROR
} TLSIO_STATE_ENUM;
typedef struct SEND_COMPLETE_INFO_TAG
{
bool is_fragmented_req;
IO_SEND_RESULT last_fragmented_req_status;
ON_SEND_COMPLETE on_send_complete;
void *on_send_complete_callback_context;
} SEND_COMPLETE_INFO;
typedef struct TLS_IO_INSTANCE_TAG
{
XIO_HANDLE socket_io;
ON_BYTES_RECEIVED on_bytes_received;
ON_IO_OPEN_COMPLETE on_io_open_complete;
ON_IO_CLOSE_COMPLETE on_io_close_complete;
ON_IO_ERROR on_io_error;
void *on_bytes_received_context;
void *on_io_open_complete_context;
void *on_io_close_complete_context;
void *on_io_error_context;
TLSIO_STATE_ENUM tlsio_state;
unsigned char *socket_io_read_bytes;
size_t socket_io_read_byte_count;
SEND_COMPLETE_INFO send_complete_info;
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config config;
mbedtls_x509_crt trusted_certificates_parsed;
mbedtls_ssl_session ssn;
char *trusted_certificates;
bool invoke_on_send_complete_callback_for_fragments;
char *hostname;
mbedtls_x509_crt owncert;
mbedtls_pk_context pKey;
char* x509_certificate;
char* x509_private_key;
int tls_status;
} TLS_IO_INSTANCE;
typedef enum TLS_STATE_TAG
{
TLS_STATE_NOT_INITIALIZED,
TLS_STATE_INITIALIZED,
TLS_STATE_CLOSING,
} TLS_STATE;
static void indicate_error(TLS_IO_INSTANCE *tls_io_instance)
{
if ((tls_io_instance->tlsio_state != TLSIO_STATE_NOT_OPEN) && (tls_io_instance->tlsio_state != TLSIO_STATE_ERROR))
{
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
if (tls_io_instance->on_io_error != NULL)
{
tls_io_instance->on_io_error(tls_io_instance->on_io_error_context);
}
}
}
static void indicate_open_complete(TLS_IO_INSTANCE *tls_io_instance, IO_OPEN_RESULT open_result)
{
if (tls_io_instance->on_io_open_complete != NULL)
{
tls_io_instance->on_io_open_complete(tls_io_instance->on_io_open_complete_context, open_result);
}
}
static int decode_ssl_received_bytes(TLS_IO_INSTANCE *tls_io_instance)
{
int result = 0;
unsigned char buffer[64];
int rcv_bytes = 1;
while (rcv_bytes > 0)
{
rcv_bytes = mbedtls_ssl_read(&tls_io_instance->ssl, buffer, sizeof(buffer));
if (rcv_bytes > 0)
{
if (tls_io_instance->on_bytes_received != NULL)
{
tls_io_instance->on_bytes_received(tls_io_instance->on_bytes_received_context, buffer, rcv_bytes);
}
}
}
return result;
}
static bool is_fragmented_send_request(TLS_IO_INSTANCE *tls_io_instance, size_t send_size)
{
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= TLSIO_MBEDTLS_VERSION_2_16_0
size_t max_len = mbedtls_ssl_get_max_out_record_payload(&tls_io_instance->ssl);
#else // MBEDTLS_VERSION_NUMBER
size_t max_len = mbedtls_ssl_get_max_frag_len(&tls_io_instance->ssl);
#endif // MBEDTLS_VERSION_NUMBER
#else
size_t max_len = MBEDTLS_SSL_MAX_CONTENT_LEN;
(void)tls_io_instance;
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
bool result;
if (send_size > max_len)
{
result = true;
}
else
{
result = false;
}
return result;
}
static void on_underlying_io_open_complete(void *context, IO_OPEN_RESULT open_result)
{
if (context == NULL)
{
LogError("Invalid context NULL value passed");
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)context;
int result = 0;
if (open_result != IO_OPEN_OK)
{
xio_close(tls_io_instance->socket_io, NULL, NULL);
tls_io_instance->tlsio_state = TLSIO_STATE_NOT_OPEN;
indicate_open_complete(tls_io_instance, IO_OPEN_ERROR);
}
else
{
tls_io_instance->tlsio_state = TLSIO_STATE_IN_HANDSHAKE;
do
{
result = mbedtls_ssl_handshake(&tls_io_instance->ssl);
} while (result == MBEDTLS_ERR_SSL_WANT_READ || result == MBEDTLS_ERR_SSL_WANT_WRITE);
if (result == 0)
{
tls_io_instance->tlsio_state = TLSIO_STATE_OPEN;
indicate_open_complete(tls_io_instance, IO_OPEN_OK);
}
else
{
if (result == MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED)
{
LogError("Failure in ssl handshake has the server certificate been added?");
}
else
{
LogError("Failure ssl handshake %d", result);
}
xio_close(tls_io_instance->socket_io, NULL, NULL);
tls_io_instance->tlsio_state = TLSIO_STATE_NOT_OPEN;
indicate_open_complete(tls_io_instance, IO_OPEN_ERROR);
}
}
}
}
static void on_underlying_io_bytes_received(void *context, const unsigned char *buffer, size_t size)
{
if (context != NULL)
{
unsigned char* new_socket_io_read_bytes;
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)context;
size_t realloc_size = safe_add_size_t(tls_io_instance->socket_io_read_byte_count, size);
if (realloc_size == SIZE_MAX)
{
LogError("Invalid realloc size");
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_error(tls_io_instance);
}
else if ((new_socket_io_read_bytes = (unsigned char*)realloc(tls_io_instance->socket_io_read_bytes, realloc_size)) == NULL)
{
LogError("realloc failed");
tls_io_instance->tlsio_state = TLSIO_STATE_ERROR;
indicate_error(tls_io_instance);
}
else
{
tls_io_instance->socket_io_read_bytes = new_socket_io_read_bytes;
(void)memcpy(tls_io_instance->socket_io_read_bytes + tls_io_instance->socket_io_read_byte_count, buffer, size);
tls_io_instance->socket_io_read_byte_count += size;
}
}
else
{
LogError("NULL value passed in context");
}
}
static void on_underlying_io_error(void *context)
{
if (context == NULL)
{
LogError("Invalid context NULL value passed");
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)context;
switch (tls_io_instance->tlsio_state)
{
default:
case TLSIO_STATE_NOT_OPEN:
case TLSIO_STATE_ERROR:
break;
case TLSIO_STATE_OPENING_UNDERLYING_IO:
case TLSIO_STATE_IN_HANDSHAKE:
// Existing socket impls are all synchronous close, and this
// adapter does not yet support async close.
xio_close(tls_io_instance->socket_io, NULL, NULL);
tls_io_instance->tlsio_state = TLSIO_STATE_NOT_OPEN;
indicate_open_complete(tls_io_instance, IO_OPEN_ERROR);
break;
case TLSIO_STATE_OPEN:
indicate_error(tls_io_instance);
break;
}
}
}
static void on_underlying_io_close_complete_during_close(void *context)
{
if (context == NULL)
{
LogError("NULL value passed in context");
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)context;
tls_io_instance->tlsio_state = TLSIO_STATE_NOT_OPEN;
if (tls_io_instance->on_io_close_complete != NULL)
{
tls_io_instance->on_io_close_complete(tls_io_instance->on_io_close_complete_context);
}
}
}
static int on_io_recv(void *context, unsigned char *buf, size_t sz)
{
int result;
if (context == NULL)
{
LogError("Invalid context NULL value passed");
result = MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)context;
unsigned char *new_socket_io_read_bytes;
int pending = 0;
while (tls_io_instance->socket_io_read_byte_count == 0)
{
xio_dowork(tls_io_instance->socket_io);
if (tls_io_instance->tlsio_state == TLSIO_STATE_OPEN)
{
break;
}
else if (tls_io_instance->tlsio_state == TLSIO_STATE_NOT_OPEN ||
tls_io_instance->tlsio_state == TLSIO_STATE_CLOSING ||
tls_io_instance->tlsio_state == TLSIO_STATE_ERROR)
{
// Underlying io error, exit.
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
else
{
// Handkshake
if (tls_io_instance->socket_io_read_byte_count == 0)
{
if (pending++ >= HANDSHAKE_TIMEOUT_MS / HANDSHAKE_WAIT_INTERVAL_MS)
{
// The connection is close from server side and no response.
LogError("Tlsio_Failure: encountered unknow connection issue, the connection will be restarted.");
indicate_error(tls_io_instance);
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ThreadAPI_Sleep(HANDSHAKE_WAIT_INTERVAL_MS);
}
}
}
result = (int) tls_io_instance->socket_io_read_byte_count;
if (result > (int)sz)
{
result = (int)sz;
}
if (result > 0)
{
size_t read_byte_count = safe_subtract_size_t(tls_io_instance->socket_io_read_byte_count, (size_t)result);
if (read_byte_count != SIZE_MAX)
{
(void)memcpy((void*)buf, tls_io_instance->socket_io_read_bytes, result);
(void)memmove(tls_io_instance->socket_io_read_bytes, tls_io_instance->socket_io_read_bytes + result, read_byte_count);
tls_io_instance->socket_io_read_byte_count = read_byte_count;
if (tls_io_instance->socket_io_read_byte_count > 0)
{
new_socket_io_read_bytes = (unsigned char*)realloc(tls_io_instance->socket_io_read_bytes, tls_io_instance->socket_io_read_byte_count);
if (new_socket_io_read_bytes != NULL)
{
tls_io_instance->socket_io_read_bytes = new_socket_io_read_bytes;
}
}
else
{
free(tls_io_instance->socket_io_read_bytes);
tls_io_instance->socket_io_read_bytes = NULL;
}
}
else
{
LogError("Tlsio_Failure: memmove invalid size.");
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
}
if ((result == 0) && (tls_io_instance->tlsio_state == TLSIO_STATE_OPEN))
{
result = MBEDTLS_ERR_SSL_WANT_READ;
}
}
return result;
}
static void on_send_complete(void* context, IO_SEND_RESULT send_result)
{
TLS_IO_INSTANCE* tls_io_instance = (TLS_IO_INSTANCE *)context;
if (tls_io_instance != NULL)
{
// update fragment status
if (tls_io_instance->send_complete_info.is_fragmented_req)
{
tls_io_instance->send_complete_info.last_fragmented_req_status = send_result;
}
if (tls_io_instance->send_complete_info.on_send_complete != NULL &&
tls_io_instance->tlsio_state != TLSIO_STATE_CLOSING)
{
// trigger callback always on failure, otherwise call it on last fragment completion
// In case of http communication (ie blob upload), the callback is called with each fragment
if((tls_io_instance->invoke_on_send_complete_callback_for_fragments && tls_io_instance->send_complete_info.is_fragmented_req)||
(send_result != IO_SEND_OK || !tls_io_instance->send_complete_info.is_fragmented_req))
{
void *ctx = tls_io_instance->send_complete_info.on_send_complete_callback_context;
tls_io_instance->send_complete_info.on_send_complete(ctx, send_result);
}
}
}
else
{
LogError("Invalid context NULL value passed");
}
}
static int on_io_send(void *context, const unsigned char *buf, size_t sz)
{
int result;
if (context == NULL)
{
LogError("Invalid context NULL value passed");
result = 0;
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)context;
ON_SEND_COMPLETE on_complete_callback = NULL;
context = NULL;
// Only allow Application data type message to send on_send_complete callback.
#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= TLSIO_MBEDTLS_VERSION_3_0_0
if (tls_io_instance->ssl.MBEDTLS_PRIVATE(out_msgtype) == MBEDTLS_SSL_MSG_APPLICATION_DATA)
#else
if (tls_io_instance->ssl.out_msgtype == MBEDTLS_SSL_MSG_APPLICATION_DATA)
#endif
{
on_complete_callback = on_send_complete;
context = tls_io_instance;
}
if (xio_send(tls_io_instance->socket_io, buf, sz, on_complete_callback, context) != 0)
{
indicate_error(tls_io_instance);
result = 0;
}
else
{
result = (int)sz;
}
}
return result;
}
static int tlsio_entropy_poll(void *v, unsigned char *output, size_t len, size_t *olen)
{
(void)v;
int result = 0;
srand((unsigned int)time(NULL));
for (uint16_t i = 0; i < len; i++)
{
output[i] = rand() % 256;
}
*olen = len;
return result;
}
// Un-initialize mbedTLS
static void mbedtls_uninit(TLS_IO_INSTANCE *tls_io_instance)
{
if (tls_io_instance->tls_status != TLS_STATE_NOT_INITIALIZED)
{
// mbedTLS cleanup...
mbedtls_ssl_free(&tls_io_instance->ssl);
mbedtls_ssl_session_free(&tls_io_instance->ssn);
mbedtls_ssl_config_free(&tls_io_instance->config);
mbedtls_x509_crt_free(&tls_io_instance->trusted_certificates_parsed);
mbedtls_x509_crt_free(&tls_io_instance->owncert);
mbedtls_pk_free(&tls_io_instance->pKey);
mbedtls_ctr_drbg_free(&tls_io_instance->ctr_drbg);
mbedtls_entropy_free(&tls_io_instance->entropy);
tls_io_instance->tls_status = TLS_STATE_NOT_INITIALIZED;
}
else
{
LogError("Uninitialzing when not previously initialized");
}
}
static void mbedtls_init(TLS_IO_INSTANCE *tls_io_instance)
{
const char* pers = "azure_iot_client";
if (tls_io_instance->tls_status != TLS_STATE_INITIALIZED)
{
if (tls_io_instance->tls_status == TLS_STATE_CLOSING)
{
// The underlying connection has been closed, so here un-initialize first
mbedtls_uninit(tls_io_instance);
}
// mbedTLS initialize...
mbedtls_x509_crt_init(&tls_io_instance->trusted_certificates_parsed);
mbedtls_x509_crt_init(&tls_io_instance->owncert);
mbedtls_pk_init(&tls_io_instance->pKey);
mbedtls_entropy_init(&tls_io_instance->entropy);
// Add a weak entropy source here,avoid some platform doesn't have strong / hardware entropy
mbedtls_entropy_add_source(&tls_io_instance->entropy, tlsio_entropy_poll, NULL, MBEDTLS_ENTROPY_MAX_GATHER, MBEDTLS_ENTROPY_SOURCE_WEAK);
mbedtls_ctr_drbg_init(&tls_io_instance->ctr_drbg);
mbedtls_ctr_drbg_seed(&tls_io_instance->ctr_drbg, mbedtls_entropy_func, &tls_io_instance->entropy, (const unsigned char *)pers, strlen(pers));
mbedtls_ssl_config_init(&tls_io_instance->config);
mbedtls_ssl_config_defaults(&tls_io_instance->config, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
mbedtls_ssl_conf_rng(&tls_io_instance->config, mbedtls_ctr_drbg_random, &tls_io_instance->ctr_drbg);
mbedtls_ssl_conf_authmode(&tls_io_instance->config, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_min_version(&tls_io_instance->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); // v1.2
mbedtls_ssl_init(&tls_io_instance->ssl);
mbedtls_ssl_set_bio(&tls_io_instance->ssl, tls_io_instance, on_io_send, on_io_recv, NULL);
mbedtls_ssl_set_hostname(&tls_io_instance->ssl, tls_io_instance->hostname);
mbedtls_ssl_session_init(&tls_io_instance->ssn);
mbedtls_ssl_set_session(&tls_io_instance->ssl, &tls_io_instance->ssn);
mbedtls_ssl_setup(&tls_io_instance->ssl, &tls_io_instance->config);
tls_io_instance->tls_status = TLS_STATE_INITIALIZED;
}
}
CONCRETE_IO_HANDLE tlsio_mbedtls_create(void *io_create_parameters)
{
TLSIO_CONFIG *tls_io_config = (TLSIO_CONFIG *)io_create_parameters;
TLS_IO_INSTANCE *result;
if (tls_io_config == NULL)
{
LogError("NULL tls_io_config");
result = NULL;
}
else
{
// Codes_SRS_TLSIO_MBED_OS5_TLS_99_006: [ The tlsio_mbedtls_create shall return NULL if allocating memory for TLS_IO_INSTANCE failed. ]
result = calloc(1, sizeof(TLS_IO_INSTANCE));
if (result != NULL)
{
SOCKETIO_CONFIG socketio_config;
const IO_INTERFACE_DESCRIPTION *underlying_io_interface;
void *io_interface_parameters;
if (tls_io_config->underlying_io_interface != NULL)
{
underlying_io_interface = tls_io_config->underlying_io_interface;
io_interface_parameters = tls_io_config->underlying_io_parameters;
}
else
{
socketio_config.hostname = tls_io_config->hostname;
socketio_config.port = tls_io_config->port;
socketio_config.accepted_socket = NULL;
underlying_io_interface = socketio_get_interface_description();
io_interface_parameters = &socketio_config;
}
if (underlying_io_interface == NULL)
{
free(result);
result = NULL;
LogError("Failed getting socket IO interface description.");
}
else
{
if (mallocAndStrcpy_s((char **)&result->hostname, tls_io_config->hostname) != 0)
{
free(result);
result = NULL;
LogError("Failure allocating hostname.");
}
else if ((result->socket_io = xio_create(underlying_io_interface, io_interface_parameters)) == NULL)
{
LogError("socket xio create failed");
free(result->hostname);
free(result);
result = NULL;
}
else
{
result->tls_status = TLS_STATE_NOT_INITIALIZED;
mbedtls_init((void*)result);
result->tlsio_state = TLSIO_STATE_NOT_OPEN;
result->invoke_on_send_complete_callback_for_fragments = tls_io_config->invoke_on_send_complete_callback_for_fragments;
}
}
}
else
{
LogError("Failure allocating TLS object");
}
}
return result;
}
void tlsio_mbedtls_destroy(CONCRETE_IO_HANDLE tls_io)
{
if (tls_io != NULL)
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)tls_io;
mbedtls_uninit(tls_io_instance);
if (tls_io_instance->socket_io_read_bytes != NULL)
{
free(tls_io_instance->socket_io_read_bytes);
tls_io_instance->socket_io_read_bytes = NULL;
}
xio_destroy(tls_io_instance->socket_io);
if (tls_io_instance->hostname != NULL)
{
free(tls_io_instance->hostname);
tls_io_instance->hostname = NULL;
}
if (tls_io_instance->trusted_certificates != NULL)
{
free(tls_io_instance->trusted_certificates);
tls_io_instance->trusted_certificates = NULL;
}
if (tls_io_instance->x509_certificate != NULL)
{
free(tls_io_instance->x509_certificate);
tls_io_instance->x509_certificate = NULL;
}
if (tls_io_instance->x509_private_key != NULL)
{
free(tls_io_instance->x509_private_key);
tls_io_instance->x509_private_key = NULL;
}
free(tls_io);
}
}
int tlsio_mbedtls_open(CONCRETE_IO_HANDLE tls_io, ON_IO_OPEN_COMPLETE on_io_open_complete, void *on_io_open_complete_context, ON_BYTES_RECEIVED on_bytes_received, void *on_bytes_received_context, ON_IO_ERROR on_io_error, void *on_io_error_context)
{
int result = 0;
if (tls_io == NULL)
{
LogError("Invalid parameter specified tls_io: NULL");
result = MU_FAILURE;
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)tls_io;
if (tls_io_instance->tlsio_state != TLSIO_STATE_NOT_OPEN)
{
LogError("IO should not be open: %d", tls_io_instance->tlsio_state);
result = MU_FAILURE;
}
else
{
tls_io_instance->on_bytes_received = on_bytes_received;
tls_io_instance->on_bytes_received_context = on_bytes_received_context;
tls_io_instance->on_io_open_complete = on_io_open_complete;
tls_io_instance->on_io_open_complete_context = on_io_open_complete_context;
tls_io_instance->on_io_error = on_io_error;
tls_io_instance->on_io_error_context = on_io_error_context;
tls_io_instance->tlsio_state = TLSIO_STATE_OPENING_UNDERLYING_IO;
mbedtls_ssl_session_reset(&tls_io_instance->ssl);
if (xio_open(tls_io_instance->socket_io, on_underlying_io_open_complete, tls_io_instance, on_underlying_io_bytes_received, tls_io_instance, on_underlying_io_error, tls_io_instance) != 0)
{
LogError("Underlying IO open failed");
tls_io_instance->tlsio_state = TLSIO_STATE_NOT_OPEN;
result = MU_FAILURE;
}
}
}
return result;
}
int tlsio_mbedtls_close(CONCRETE_IO_HANDLE tls_io, ON_IO_CLOSE_COMPLETE on_io_close_complete, void *callback_context)
{
int result = 0;
if (tls_io == NULL)
{
LogError("Invalid parameter specified tls_io: NULL");
result = MU_FAILURE;
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)tls_io;
if ((tls_io_instance->tlsio_state == TLSIO_STATE_NOT_OPEN) ||
(tls_io_instance->tlsio_state == TLSIO_STATE_CLOSING))
{
LogError("IO should not be closed: %d", tls_io_instance->tlsio_state);
result = MU_FAILURE;
}
else
{
int is_error = tls_io_instance->tlsio_state == TLSIO_STATE_ERROR;
tls_io_instance->tlsio_state = TLSIO_STATE_CLOSING;
if (tls_io_instance->tls_status == TLS_STATE_INITIALIZED)
{
if (is_error)
{
// forced shutdown if tls is in ERROR state
mbedtls_ssl_session_reset(&tls_io_instance->ssl);
}
else
{
// Tell the peer that you're going to close
mbedtls_ssl_close_notify(&tls_io_instance->ssl);
}
tls_io_instance->tls_status = TLS_STATE_CLOSING;
}
tls_io_instance->on_io_close_complete = on_io_close_complete;
tls_io_instance->on_io_close_complete_context = callback_context;
if (xio_close(tls_io_instance->socket_io, on_underlying_io_close_complete_during_close, tls_io_instance) != 0)
{
LogError("xio_close failed");
result = MU_FAILURE;
}
else
{
result = 0;
}
}
}
return result;
}
int tlsio_mbedtls_send(CONCRETE_IO_HANDLE tls_io, const void *buffer, size_t size, ON_SEND_COMPLETE on_send_complete_callback, void *callback_context)
{
int result = 0;
if (tls_io == NULL || (buffer == NULL) || (size == 0))
{
LogError("Invalid parameter specified tls_io: %p, buffer: %p, size: %ul", tls_io, buffer, (unsigned int)size);
result = MU_FAILURE;
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)tls_io;
if (tls_io_instance->tlsio_state != TLSIO_STATE_OPEN)
{
LogError("Invalid state specified %d", tls_io_instance->tlsio_state);
result = MU_FAILURE;
}
else
{
tls_io_instance->send_complete_info.on_send_complete = on_send_complete_callback;
tls_io_instance->send_complete_info.on_send_complete_callback_context = callback_context;
tls_io_instance->send_complete_info.last_fragmented_req_status = IO_SEND_OK;
int out_left = (int)size;
result = 0;
do
{
tls_io_instance->send_complete_info.is_fragmented_req = is_fragmented_send_request(tls_io_instance, out_left);
unsigned char *buf = (unsigned char *)buffer + size - out_left;
int ret = mbedtls_ssl_write(&tls_io_instance->ssl, buf, out_left);
if (ret < 0)
{
LogError("Unexpected data size returned from mbedtls_ssl_write %d/%d", ret, (int)size);
result = MU_FAILURE;
break;
}
else if (tls_io_instance->send_complete_info.last_fragmented_req_status != IO_SEND_OK)
{
LogError("Failed to send last fragment with error:0x%0x, aborting whole send",
tls_io_instance->send_complete_info.last_fragmented_req_status);
result = MU_FAILURE;
break;
}
out_left -= ret;
} while (out_left > 0);
// remove on send complete info
memset((void*)&tls_io_instance->send_complete_info, 0, sizeof(tls_io_instance->send_complete_info));
}
}
return result;
}
void tlsio_mbedtls_dowork(CONCRETE_IO_HANDLE tls_io)
{
if (tls_io != NULL)
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)tls_io;
if (tls_io_instance->tlsio_state == TLSIO_STATE_IN_HANDSHAKE || tls_io_instance->tlsio_state == TLSIO_STATE_OPEN)
{
decode_ssl_received_bytes(tls_io_instance);
}
xio_dowork(tls_io_instance->socket_io);
}
}
// this function will clone an option given by name and value
static void *tlsio_mbedtls_CloneOption(const char *name, const void *value)
{
void *result = NULL;
if (name == NULL || value == NULL)
{
LogError("invalid parameter detected: const char* name=%p, const void* value=%p", name, value);
result = NULL;
}
else
{
if (strcmp(name, OPTION_UNDERLYING_IO_OPTIONS) == 0)
{
result = (void*)OptionHandler_Clone((OPTIONHANDLER_HANDLE)value);
}
else if (strcmp(name, OPTION_TRUSTED_CERT) == 0)
{
if (mallocAndStrcpy_s((char **)&result, value) != 0)
{
LogError("unable to mallocAndStrcpy_s TrustedCerts value");
result = NULL;
}
else
{
/*return as is*/
}
}
else if (strcmp(name, SU_OPTION_X509_CERT) == 0)
{
if (mallocAndStrcpy_s((char**)&result, value) != 0)
{
LogError("unable to mallocAndStrcpy_s x509certificate value");
result = NULL;
}
else
{
/*return as is*/
}
}
else if (strcmp(name, SU_OPTION_X509_PRIVATE_KEY) == 0)
{
if (mallocAndStrcpy_s((char**)&result, value) != 0)
{
LogError("unable to mallocAndStrcpy_s x509privatekey value");
result = NULL;
}
else
{
/*return as is*/
}
}
else if (strcmp(name, OPTION_X509_ECC_CERT) == 0)
{
if (mallocAndStrcpy_s((char**)&result, value) != 0)
{
LogError("unable to mallocAndStrcpy_s x509EccCertificate value");
result = NULL;
}
else
{
/*return as is*/
}
}
else if (strcmp(name, OPTION_X509_ECC_KEY) == 0)
{
if (mallocAndStrcpy_s((char**)&result, value) != 0)
{
LogError("unable to mallocAndStrcpy_s x509EccKey value");
result = NULL;
}
else
{
/*return as is*/
}
}
else
{
LogError("not handled option : %s", name);
result = NULL;
}
}
return result;
}
// this function destroys an option previously created
static void tlsio_mbedtls_DestroyOption(const char *name, const void *value)
{
// since all options for this layer are actually string copies., disposing of one is just calling free
if (name == NULL || value == NULL)
{
LogError("invalid parameter detected: const char* name=%p, const void* value=%p", name, value);
}
else
{
if (
(strcmp(name, OPTION_TRUSTED_CERT) == 0) ||
(strcmp(name, SU_OPTION_X509_CERT) == 0) ||
(strcmp(name, SU_OPTION_X509_PRIVATE_KEY) == 0) ||
(strcmp(name, OPTION_X509_ECC_CERT) == 0) ||
(strcmp(name, OPTION_X509_ECC_KEY) == 0)
)
{
free((void*)value);
}
else if (strcmp(name, OPTION_UNDERLYING_IO_OPTIONS) == 0)
{
OptionHandler_Destroy((OPTIONHANDLER_HANDLE)value);
}
else
{
LogError("not handled option : %s", name);
}
}
}
static int parse_key(char* key, mbedtls_pk_context* out_parsed_key)
{
int result;
#if defined(MBEDTLS_VERSION_NUMBER) && MBEDTLS_VERSION_NUMBER >= TLSIO_MBEDTLS_VERSION_3_0_0
const char *pers = "tlsio_mbedtls";
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
if ((result = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(const unsigned char *) pers,
strlen(pers))) != 0) {
LogError("mbedtls_ctr_drbg_seed failed (%d)", result);
}
else if ((result = mbedtls_pk_parse_key(out_parsed_key,
(const unsigned char *)key, (int)(strlen(key) + 1),
NULL, 0, mbedtls_ctr_drbg_random, &ctr_drbg)) != 0)
{
LogError("mbedtls_pk_parse_key failed (%d)", result);
}
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#else
if ((result = mbedtls_pk_parse_key(out_parsed_key,
(const unsigned char *)key, (int)(strlen(key) + 1),
NULL, 0)) != 0)
{
LogError("mbedtls_pk_parse_key failed (%d)", result);
}
#endif
return result;
}
int tlsio_mbedtls_setoption(CONCRETE_IO_HANDLE tls_io, const char *optionName, const void *value)
{
int result = 0;
if (tls_io == NULL || optionName == NULL)
{
result = MU_FAILURE;
}
else
{
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)tls_io;
if (strcmp(OPTION_TRUSTED_CERT, optionName) == 0)
{
if (tls_io_instance->trusted_certificates != NULL)
{
// Free the memory if it has been previously allocated
free(tls_io_instance->trusted_certificates);
tls_io_instance->trusted_certificates = NULL;
}
if (mallocAndStrcpy_s(&tls_io_instance->trusted_certificates, (const char *)value) != 0)
{
LogError("unable to mallocAndStrcpy_s");
result = MU_FAILURE;
}
else
{
int parse_result = mbedtls_x509_crt_parse(&tls_io_instance->trusted_certificates_parsed, (const unsigned char *)value, (int)(strlen(value) + 1));
if (parse_result != 0)
{
LogInfo("Malformed pem certificate");
free(tls_io_instance->trusted_certificates);
tls_io_instance->trusted_certificates = NULL;
result = MU_FAILURE;
}
else
{
mbedtls_ssl_conf_ca_chain(&tls_io_instance->config, &tls_io_instance->trusted_certificates_parsed, NULL);
}
}
}
else if (strcmp(SU_OPTION_X509_CERT, optionName) == 0 || strcmp(OPTION_X509_ECC_CERT, optionName) == 0)
{
char* temp_cert;
if (mallocAndStrcpy_s(&temp_cert, (const char *)value) != 0)
{
LogError("unable to mallocAndStrcpy_s on certificate");
result = MU_FAILURE;
}
else if (mbedtls_x509_crt_parse(&tls_io_instance->owncert, (const unsigned char *)temp_cert, (int)(strlen(temp_cert) + 1)) != 0)
{
LogError("failure parsing certificate");
free(temp_cert);
result = MU_FAILURE;
}
else if (mbedtls_pk_get_type(&tls_io_instance->pKey) != MBEDTLS_PK_NONE &&
mbedtls_ssl_conf_own_cert(&tls_io_instance->config, &tls_io_instance->owncert, &tls_io_instance->pKey) != 0)
{
LogError("failure calling mbedtls_ssl_conf_own_cert");
free(temp_cert);
result = MU_FAILURE;
}
else
{
if (tls_io_instance->x509_certificate != NULL)
{
// Free the memory if it has been previously allocated
free(tls_io_instance->x509_certificate);
}
tls_io_instance->x509_certificate = temp_cert;
result = 0;
}
}
else if (strcmp(SU_OPTION_X509_PRIVATE_KEY, optionName) == 0 || strcmp(OPTION_X509_ECC_KEY, optionName) == 0)
{
char* temp_key;
if (mallocAndStrcpy_s(&temp_key, (const char *)value) != 0)
{
LogError("unable to mallocAndStrcpy_s on private key");
result = MU_FAILURE;
}
else if (parse_key(temp_key, &tls_io_instance->pKey) != 0)
{
LogError("failure calling parse_key");
free(temp_key);
result = MU_FAILURE;
}
else if (tls_io_instance->owncert.version > 0 && mbedtls_ssl_conf_own_cert(&tls_io_instance->config, &tls_io_instance->owncert, &tls_io_instance->pKey))
{
LogError("failure calling mbedtls_ssl_conf_own_cert");
free(temp_key);
result = MU_FAILURE;
}
else
{
if (tls_io_instance->x509_private_key != NULL)
{
// Free the memory if it has been previously allocated
free(tls_io_instance->x509_private_key);
}
tls_io_instance->x509_private_key = temp_key;
result = 0;
}
}
else if (strcmp(optionName, OPTION_UNDERLYING_IO_OPTIONS) == 0)
{
if (OptionHandler_FeedOptions((OPTIONHANDLER_HANDLE)value, (void*)tls_io_instance->socket_io) != OPTIONHANDLER_OK)
{
LogError("failed feeding options to underlying I/O instance");
result = MU_FAILURE;
}
else
{
result = 0;
}
}
else if (strcmp(optionName, OPTION_SET_TLS_RENEGOTIATION) == 0)
{
if (value == NULL)
{
LogError("Invalid value set for tls renegotiation");
result = MU_FAILURE;
}
else
{
bool set_renegotiation = *((bool*)(value));
mbedtls_ssl_conf_renegotiation(&tls_io_instance->config, set_renegotiation ? 1 : 0);
result = 0;
}
}
else
{
// tls_io_instance->socket_io is never NULL
result = xio_setoption(tls_io_instance->socket_io, optionName, value);
}
}
return result;
}
OPTIONHANDLER_HANDLE tlsio_mbedtls_retrieveoptions(CONCRETE_IO_HANDLE handle)
{
OPTIONHANDLER_HANDLE result = NULL;
if (handle == NULL)
{
LogError("invalid parameter detected: CONCRETE_IO_HANDLE handle=%p", handle);
result = NULL;
}
else
{
result = OptionHandler_Create(tlsio_mbedtls_CloneOption, tlsio_mbedtls_DestroyOption, tlsio_mbedtls_setoption);
if (result == NULL)
{
LogError("unable to OptionHandler_Create");
// return as is
}
else
{
// this layer cares about the certificates
TLS_IO_INSTANCE *tls_io_instance = (TLS_IO_INSTANCE *)handle;
OPTIONHANDLER_HANDLE underlying_io_options;
if ((underlying_io_options = xio_retrieveoptions(tls_io_instance->socket_io)) == NULL)
{
LogError("unable to retrieve underlying_io options");
OptionHandler_Destroy(result);
result = NULL;
}
else
{
if (OptionHandler_AddOption(result, OPTION_UNDERLYING_IO_OPTIONS, underlying_io_options) != OPTIONHANDLER_OK)
{
LogError("unable to save underlying_io options");
OptionHandler_Destroy(result);
result = NULL;
}
else if (tls_io_instance->trusted_certificates != NULL &&
OptionHandler_AddOption(result, OPTION_TRUSTED_CERT, tls_io_instance->trusted_certificates) != OPTIONHANDLER_OK)
{
LogError("unable to save TrustedCerts option");
OptionHandler_Destroy(result);
result = NULL;
}
else if (tls_io_instance->x509_certificate != NULL &&
OptionHandler_AddOption(result, SU_OPTION_X509_CERT, tls_io_instance->x509_certificate) != OPTIONHANDLER_OK)
{
LogError("unable to save x509certificate option");
OptionHandler_Destroy(result);
result = NULL;
}
else if (tls_io_instance->x509_private_key != NULL &&
OptionHandler_AddOption(result, SU_OPTION_X509_PRIVATE_KEY, tls_io_instance->x509_private_key) != OPTIONHANDLER_OK)
{
LogError("unable to save x509privatekey option");
OptionHandler_Destroy(result);
result = NULL;
}
else
{
// all is fine, all interesting options have been saved
// return as is
}
OptionHandler_Destroy(underlying_io_options);
}
}
}
return result;
}
static const IO_INTERFACE_DESCRIPTION tlsio_mbedtls_interface_description =
{
tlsio_mbedtls_retrieveoptions,
tlsio_mbedtls_create,
tlsio_mbedtls_destroy,
tlsio_mbedtls_open,
tlsio_mbedtls_close,
tlsio_mbedtls_send,
tlsio_mbedtls_dowork,
tlsio_mbedtls_setoption
};
const IO_INTERFACE_DESCRIPTION *tlsio_mbedtls_get_interface_description(void)
{
return &tlsio_mbedtls_interface_description;
}