diff --git a/components/openssl/include/internal/ssl_dbg.h b/components/openssl/include/internal/ssl_dbg.h
index 27a4bc4db5..d6ae47499e 100644
--- a/components/openssl/include/internal/ssl_dbg.h
+++ b/components/openssl/include/internal/ssl_dbg.h
@@ -19,10 +19,10 @@ extern "C" {
 #endif
-#define SSL_DEBUG_ENBALE 0
+#define SSL_DEBUG_ENBALE 1
 #define SSL_DEBUG_LEVEL 0
-#define SSL_ASSERT_ENABLE 0
-#define SSL_DEBUG_LOCATION_ENABLE 0
+#define SSL_ASSERT_ENABLE 1
+#define SSL_DEBUG_LOCATION_ENABLE 1
 #if SSL_DEBUG_ENBALE
 extern int ets_printf(const char *fmt, ...);
diff --git a/components/openssl/include/internal/ssl_methods.h b/components/openssl/include/internal/ssl_methods.h
index 9fd9ce9068..7a63b9e949 100644
--- a/components/openssl/include/internal/ssl_methods.h
+++ b/components/openssl/include/internal/ssl_methods.h
@@ -15,6 +15,8 @@
 #ifndef _SSL_METHODS_H_
 #define _SSL_METHODS_H_
+#include "ssl_types.h"
+
 #ifdef __cplusplus
 extern "C" {
 #endif
diff --git a/components/openssl/include/internal/ssl_x509.h b/components/openssl/include/internal/ssl_x509.h
index 2c72980b07..b5fea34f1a 100644
--- a/components/openssl/include/internal/ssl_x509.h
+++ b/components/openssl/include/internal/ssl_x509.h
@@ -63,6 +63,30 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len);
 */
 void X509_free(X509 *x);
+/**
+ * @brief set SSL context client CA certification
+ *
+ * @param ctx - SSL context point
+ * @param x - X509 certification point
+ *
+ * @return result
+ * 0 : failed
+ * 1 : OK
+ */
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
+
+/**
+ * @brief add CA client certification into the SSL
+ *
+ * @param ssl - SSL point
+ * @param x - X509 certification point
+ *
+ * @return result
+ * 0 : failed
+ * 1 : OK
+ */
+int SSL_add_client_CA(SSL *ssl, X509 *x);
+
 #ifdef __cplusplus
 }
 #endif
diff --git a/components/openssl/library/ssl_lib.c b/components/openssl/library/ssl_lib.c
index b82d54cd26..267d23f25f 100644
--- a/components/openssl/library/ssl_lib.c
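Review bot: SSL_DEBUG_ENBALE, SSL_ASSERT_ENABLE and SSL_DEBUG_LOCATION_ENABLE are now hard-wired to 1 in the shared header, so every build of the component emits debug output through ets_printf and keeps the assert checks on, and a build that wants them off has to edit the header rather than pass a flag. If this is meant as a development default, make the three defines overridable, e.g. `#ifndef SSL_DEBUG_ENBALE` / `#define SSL_DEBUG_ENBALE 1` / `#endif`, so a release build can set them from the build system; the new SSL_RET messages elsewhere in this commit then become opt-in. The misspelling ENBALE is pre-existing and used consistently, so renaming it is out of scope here.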
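Review bot: The new declarations for SSL_CTX_add_client_CA and SSL_add_client_CA document the return codes but not what happens to `x`: the comments do not say whether the context copies or references the certificate, nor whether the caller must still call X509_free(), which is the one thing a caller needs to know to avoid a leak or a double free. Add an ownership line to each `@param x`, e.g. `@param x - X509 certificate pointer; TODO state whether the caller keeps ownership and must X509_free() it`, once the implementation (not in this diff) confirms which it is. The same comments say "point" where "pointer" is meant and "certification" where "certificate" is meant.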
+++ b/components/openssl/library/ssl_lib.c
@@ -126,11 +126,11 @@ SSL_SESSION* SSL_SESSION_new(void)
 session = ssl_zalloc(sizeof(SSL_SESSION));
 if (!session)
- SSL_RET(failed1);
+ SSL_RET(failed1, "ssl_zalloc\n");
 session->peer = X509_new();
 if (!session->peer)
- SSL_RET(failed2);
+ SSL_RET(failed2, "X509_new\n");
 return session;
@@ -1500,7 +1500,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509
 */
 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
 {
- SSL_ASSERT(ctx);
+ SSL_ASSERT(ssl);
 ssl->verify_mode = mode;
 ssl->verify_callback = verify_callback;
diff --git a/components/openssl/library/ssl_methods.c b/components/openssl/library/ssl_methods.c
index e363b5e46d..8159511c49 100644
--- a/components/openssl/library/ssl_methods.c
+++ b/components/openssl/library/ssl_methods.c
@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-#include "ssl_lib.h"
 #include "ssl_methods.h"
 #include "ssl_pm.h"
diff --git a/components/openssl/library/ssl_pkey.c b/components/openssl/library/ssl_pkey.c
index 573b1f2e8f..20debfbcfc 100644
--- a/components/openssl/library/ssl_pkey.c
+++ b/components/openssl/library/ssl_pkey.c
@@ -12,9 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
-#include "ssl_lib.h"
 #include "ssl_pkey.h"
-#include "ssl_cert.h"
 #include "ssl_methods.h"
 #include "ssl_dbg.h"
 #include "ssl_port.h"
diff --git a/components/openssl/library/ssl_stack.c b/components/openssl/library/ssl_stack.c
index 46e6f7efd8..4ea40e7259 100644
--- a/components/openssl/library/ssl_stack.c
+++ b/components/openssl/library/ssl_stack.c
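Review bot: `SSL_ASSERT(ssl)` now names the parameter that is actually dereferenced, but it is the only guard before `ssl->verify_mode = mode;`, and from the ssl_dbg.h hunk SSL_ASSERT is compiled out whenever SSL_ASSERT_ENABLE is 0 (its value before this commit), which is presumably why the old `SSL_ASSERT(ctx)` never failed to compile. Either make a NULL ssl a documented precondition by adding `@note ssl must not be NULL` to the header comment of SSL_set_verify, or keep the function tolerant with `if (!ssl) return;` ahead of the assignments so a release build without asserts does not fault on a bad handle. The body of SSL_set_verify continues past the hunk.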
@@ -30,13 +30,13 @@ OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
 OPENSSL_STACK *stack;
 char **data;
- stack = ssl_malloc(sizeof(OPENSSL_STACK));
+ stack = ssl_zalloc(sizeof(OPENSSL_STACK));
 if (!stack)
- SSL_RET(failed1);
+ SSL_RET(failed1, "ssl_zalloc\n");
- data = ssl_malloc(sizeof(*data) * MIN_NODES);
+ data = ssl_zalloc(sizeof(*data) * MIN_NODES);
 if (!data)
- SSL_RET(failed2);
+ SSL_RET(failed2, "ssl_zalloc\n");
 stack->data = data;
 stack->num_alloc = MIN_NODES;
diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c
index b57cc0dfb9..d060419e6a 100644
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
@@ -13,7 +13,6 @@
 // limitations under the License.
 #include "ssl_x509.h"
-#include "ssl_cert.h"
 #include "ssl_methods.h"
 #include "ssl_dbg.h"
 #include "ssl_port.h"
@@ -214,9 +213,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len, const unsigned char *d)
 {
 int ret;
- int reload;
 X509 *x;
- int m = 0;
 x = d2i_X509(NULL, d, len);
 if (!x)
diff --git a/components/openssl/platform/ssl_pm.c b/components/openssl/platform/ssl_pm.c
index 9f5290cc52..151adbaf81 100644
--- a/components/openssl/platform/ssl_pm.c
+++ b/components/openssl/platform/ssl_pm.c
@@ -112,7 +112,7 @@ int ssl_pm_new(SSL *ssl)
 else
 version = MBEDTLS_SSL_MINOR_VERSION_0;
- mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
+ //mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
 mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
@@ -169,7 +169,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
 if (ssl->verify_mode == SSL_VERIFY_PEER)
 mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- mode = MBEDTLS_SSL_VERIFY_NONE;
+ mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
 else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
 mode = MBEDTLS_SSL_VERIFY_UNSET;
 else
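Review bot: Commenting out `mbedtls_ssl_conf_max_version(...)` in ssl_pm_new silently drops the protocol ceiling derived from the SSL method: the if/else chain above still selects `version` (apparently now unused, which -Wall will flag), while the mbedTLS default maximum applies whatever method the application chose. If the clamp is being removed on purpose, delete the line and the version selection instead of leaving commented-out code, and state in the function comment that the method's version is not enforced as a maximum; if it is a workaround for a handshake problem, say so in a comment on that line, because a reader cannot tell which from the diff. Whether a matching mbedtls_ssl_conf_min_version call exists is outside the hunk.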
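Review bot: Mapping SSL_VERIFY_FAIL_IF_NO_PEER_CERT on its own to MBEDTLS_SSL_VERIFY_OPTIONAL in ssl_pm_reload_crt gives weaker behaviour than the flag's name promises: in mbedTLS, OPTIONAL lets the handshake complete even when the peer sends no certificate or a failing one and only records the outcome for mbedtls_ssl_get_verify_result(), whereas the OpenSSL flag is a server-side modifier meaning "abort if the client presents no certificate". Because each branch tests `ssl->verify_mode ==` a single constant, the documented combination `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` matches none of them and falls through to the final `else`, whose mapping lies outside the hunk. Consider testing the bits, e.g. `if (ssl->verify_mode & SSL_VERIFY_PEER) mode = MBEDTLS_SSL_VERIFY_REQUIRED;`, and treating FAIL_IF_NO_PEER_CERT as REQUIRED as well, so a caller asking for mandatory client authentication does not end up with an optional check.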
@@ -370,7 +370,7 @@ int x509_pm_new(X509 *x, X509 *m_x) x509_pm = ssl_zalloc(sizeof(struct x509_pm)); if (!x509_pm) - SSL_RET(failed1); + SSL_RET(failed1, "ssl_zalloc\n"); x->x509_pm = x509_pm; @@ -408,27 +408,28 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len) struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm; if (!x509_pm->x509_crt) { - x509_pm->x509_crt = ssl_malloc(sizeof(mbedtls_x509_crt)); + x509_pm->x509_crt = ssl_zalloc(sizeof(mbedtls_x509_crt)); if (!x509_pm->x509_crt) - SSL_RET(failed1); + SSL_RET(failed1, "ssl_zalloc\n"); } load_buf = ssl_malloc(len + 1); if (!load_buf) - SSL_RET(failed2); + SSL_RET(failed2, "ssl_malloc\n"); ssl_memcpy(load_buf, buffer, len); load_buf[len] = '\0'; + mbedtls_x509_crt_init(x509_pm->x509_crt); + if (x509_pm->x509_crt) mbedtls_x509_crt_free(x509_pm->x509_crt); - mbedtls_x509_crt_init(x509_pm->x509_crt); ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len); ssl_free(load_buf); if (ret) - SSL_RET(failed2); + SSL_RET(failed2, "mbedtls_x509_crt_parse, return [-0x%x]\n", -ret); return 0; @@ -480,27 +481,28 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len) struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm; if (!pkey_pm->pkey) { - pkey_pm->pkey = ssl_malloc(sizeof(mbedtls_pk_context)); + pkey_pm->pkey = ssl_zalloc(sizeof(mbedtls_pk_context)); if (!pkey_pm->pkey) - SSL_RET(failed1); + SSL_RET(failed1, "ssl_zalloc\n"); } load_buf = ssl_malloc(len + 1); if (!load_buf) - SSL_RET(failed2); + SSL_RET(failed2, "ssl_malloc\n"); ssl_memcpy(load_buf, buffer, len); load_buf[len] = '\0'; + mbedtls_pk_init(pkey_pm->pkey); + if (pkey_pm->pkey) mbedtls_pk_free(pkey_pm->pkey); - mbedtls_pk_init(pkey_pm->pkey); ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len, NULL, 0); ssl_free(load_buf); if (ret) - SSL_RET(failed2); + SSL_RET(failed2, "mbedtls_pk_parse_key, return [-0x%x]\n", -ret); return 0;
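Review bot: In x509_pm_load the moved `mbedtls_x509_crt_init(x509_pm->x509_crt);` now runs before `mbedtls_x509_crt_free(x509_pm->x509_crt);`, and since init resets the structure the free that follows has nothing left to release, so a second load into the same X509 (the block at the top only allocates when x509_crt is NULL) leaks the previously parsed certificate instead of replacing it. Free-then-init, the old order, is the right one for a reload; the switch to ssl_zalloc earlier in the hunk is presumably what makes the first free safe on a fresh allocation, so the reorder is not needed, and `if (x509_pm->x509_crt)` is always true there because the failed allocation already returned via failed1. The same inversion appears in pkey_pm_load with `mbedtls_pk_init` / `mbedtls_pk_free`. Separately, pkey_pm_load copies private-key bytes into load_buf and releases it with plain ssl_free, leaving key material in freed heap; wiping the buffer before freeing it would be cheap.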