|
@@ -28,7 +28,10 @@ typedef struct {
|
|
|
int mbed_sslctx_init(SSL_CTX *ctx, const char *crt);
|
|
int mbed_sslctx_init(SSL_CTX *ctx, const char *crt);
|
|
|
void mbed_sslctx_uninit(SSL_CTX *ctx);
|
|
void mbed_sslctx_uninit(SSL_CTX *ctx);
|
|
|
void mbed_ssl_close(mbedtls_ssl_context *ssl);
|
|
void mbed_ssl_close(mbedtls_ssl_context *ssl);
|
|
|
-int mbed_ssl_accept(mbedtls_ssl_context **ssl, SSL_CTX *ssl_ctx, int *sock);
|
|
|
|
|
|
|
+int mbed_ssl_accept(mbedtls_ssl_context **ssl,
|
|
|
|
|
+ SSL_CTX *ssl_ctx,
|
|
|
|
|
+ int *sock,
|
|
|
|
|
+ struct mg_context *phys_ctx);
|
|
|
int mbed_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, int len);
|
|
int mbed_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, int len);
|
|
|
int mbed_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, int len);
|
|
int mbed_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, int len);
|
|
|
|
|
|
|
@@ -50,20 +53,20 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt)
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- DEBUG_TRACE("Initializing MbedTLS SSL");
|
|
|
|
|
|
|
+ DEBUG_TRACE("%s", "Initializing MbedTLS SSL");
|
|
|
mbedtls_entropy_init(&ctx->entropy);
|
|
mbedtls_entropy_init(&ctx->entropy);
|
|
|
|
|
|
|
|
conf = &ctx->conf;
|
|
conf = &ctx->conf;
|
|
|
mbedtls_ssl_config_init(conf);
|
|
mbedtls_ssl_config_init(conf);
|
|
|
|
|
|
|
|
/* Set mbedTLS debug level by defining MG_CONFIG_MBEDTLS_DEBUG:
|
|
/* Set mbedTLS debug level by defining MG_CONFIG_MBEDTLS_DEBUG:
|
|
|
- * 0 No debug = mbedTLS DEFAULT
|
|
|
|
|
- * 1 Error (default if "DEBUG" is set for CivetWeb)
|
|
|
|
|
|
|
+ * 0 No debug = mbedTLS DEFAULT
|
|
|
|
|
+ * 1 Error (default if "DEBUG" is set for CivetWeb)
|
|
|
* 2 State change
|
|
* 2 State change
|
|
|
* 3 Informational
|
|
* 3 Informational
|
|
|
* 4 Verbose
|
|
* 4 Verbose
|
|
|
*/
|
|
*/
|
|
|
-#if defined(DEBUG) or defined(MG_CONFIG_MBEDTLS_DEBUG)
|
|
|
|
|
|
|
+#if defined(DEBUG) || defined(MG_CONFIG_MBEDTLS_DEBUG)
|
|
|
#if defined(MG_CONFIG_MBEDTLS_DEBUG)
|
|
#if defined(MG_CONFIG_MBEDTLS_DEBUG)
|
|
|
mbedtls_debug_set_threshold(MG_CONFIG_MBEDTLS_DEBUG);
|
|
mbedtls_debug_set_threshold(MG_CONFIG_MBEDTLS_DEBUG);
|
|
|
#else
|
|
#else
|
|
@@ -76,32 +79,35 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt)
|
|
|
mbedtls_pk_init(&ctx->pkey);
|
|
mbedtls_pk_init(&ctx->pkey);
|
|
|
mbedtls_ctr_drbg_init(&ctx->ctr);
|
|
mbedtls_ctr_drbg_init(&ctx->ctr);
|
|
|
mbedtls_x509_crt_init(&ctx->cert);
|
|
mbedtls_x509_crt_init(&ctx->cert);
|
|
|
- if ((rc = mbedtls_ctr_drbg_seed(&ctx->ctr,
|
|
|
|
|
- mbedtls_entropy_func,
|
|
|
|
|
- &ctx->entropy,
|
|
|
|
|
- (unsigned char *)"CivetWeb",
|
|
|
|
|
- strlen("CivetWeb")))
|
|
|
|
|
- != 0) {
|
|
|
|
|
- DEBUG_TRACE("TLS random seed failed");
|
|
|
|
|
|
|
+
|
|
|
|
|
+ rc = mbedtls_ctr_drbg_seed(&ctx->ctr,
|
|
|
|
|
+ mbedtls_entropy_func,
|
|
|
|
|
+ &ctx->entropy,
|
|
|
|
|
+ (unsigned char *)"CivetWeb",
|
|
|
|
|
+ strlen("CivetWeb"));
|
|
|
|
|
+ if (rc != 0) {
|
|
|
|
|
+ DEBUG_TRACE("TLS random seed failed (%i)", rc);
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- if (mbedtls_pk_parse_keyfile(&ctx->pkey, crt, NULL) != 0) {
|
|
|
|
|
- DEBUG_TRACE("TLS parse key file failed");
|
|
|
|
|
|
|
+ rc = mbedtls_pk_parse_keyfile(&ctx->pkey, crt, NULL);
|
|
|
|
|
+ if (rc != 0) {
|
|
|
|
|
+ DEBUG_TRACE("TLS parse key file failed (%i)", rc);
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- if (mbedtls_x509_crt_parse_file(&ctx->cert, crt) != 0) {
|
|
|
|
|
- DEBUG_TRACE("TLS parse crt file failed");
|
|
|
|
|
|
|
+ rc = mbedtls_x509_crt_parse_file(&ctx->cert, crt);
|
|
|
|
|
+ if (rc != 0) {
|
|
|
|
|
+ DEBUG_TRACE("TLS parse crt file failed (%i)", rc);
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- if ((rc = mbedtls_ssl_config_defaults(conf,
|
|
|
|
|
- MBEDTLS_SSL_IS_SERVER,
|
|
|
|
|
- MBEDTLS_SSL_TRANSPORT_STREAM,
|
|
|
|
|
- MBEDTLS_SSL_PRESET_DEFAULT))
|
|
|
|
|
- != 0) {
|
|
|
|
|
- DEBUG_TRACE("TLS set defaults failed");
|
|
|
|
|
|
|
+ rc = mbedtls_ssl_config_defaults(conf,
|
|
|
|
|
+ MBEDTLS_SSL_IS_SERVER,
|
|
|
|
|
+ MBEDTLS_SSL_TRANSPORT_STREAM,
|
|
|
|
|
+ MBEDTLS_SSL_PRESET_DEFAULT);
|
|
|
|
|
+ if (rc != 0) {
|
|
|
|
|
+ DEBUG_TRACE("TLS set defaults failed (%i)", rc);
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
@@ -112,8 +118,9 @@ mbed_sslctx_init(SSL_CTX *ctx, const char *crt)
|
|
|
mbedtls_ssl_conf_ca_chain(conf, NULL, NULL);
|
|
mbedtls_ssl_conf_ca_chain(conf, NULL, NULL);
|
|
|
|
|
|
|
|
/* Configure server cert and key */
|
|
/* Configure server cert and key */
|
|
|
- if ((rc = mbedtls_ssl_conf_own_cert(conf, &ctx->cert, &ctx->pkey)) != 0) {
|
|
|
|
|
- DEBUG_TRACE("TLS cannot set certificate and private key");
|
|
|
|
|
|
|
+ rc = mbedtls_ssl_conf_own_cert(conf, &ctx->cert, &ctx->pkey);
|
|
|
|
|
+ if (rc != 0) {
|
|
|
|
|
+ DEBUG_TRACE("TLS cannot set certificate and private key (%i)", rc);
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
return 0;
|
|
return 0;
|
|
@@ -132,23 +139,30 @@ mbed_sslctx_uninit(SSL_CTX *ctx)
|
|
|
|
|
|
|
|
|
|
|
|
|
int
|
|
int
|
|
|
-mbed_ssl_accept(mbedtls_ssl_context **ssl, SSL_CTX *ssl_ctx, int *sock)
|
|
|
|
|
|
|
+mbed_ssl_accept(mbedtls_ssl_context **ssl,
|
|
|
|
|
+ SSL_CTX *ssl_ctx,
|
|
|
|
|
+ int *sock,
|
|
|
|
|
+ struct mg_context *phys_ctx)
|
|
|
{
|
|
{
|
|
|
- *ssl = calloc(1, sizeof(**ssl));
|
|
|
|
|
|
|
+ int rc;
|
|
|
|
|
+ *ssl = mg_calloc_ctx(1, sizeof(**ssl), phys_ctx);
|
|
|
if (*ssl == NULL) {
|
|
if (*ssl == NULL) {
|
|
|
- DEBUG_TRACE("TLS accept: malloc ssl failed (%i)", sizeof(**ssl));
|
|
|
|
|
|
|
+ DEBUG_TRACE("TLS accept: malloc ssl failed (%i)", (int)sizeof(**ssl));
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
mbedtls_ssl_init(*ssl);
|
|
mbedtls_ssl_init(*ssl);
|
|
|
mbedtls_ssl_setup(*ssl, &ssl_ctx->conf);
|
|
mbedtls_ssl_setup(*ssl, &ssl_ctx->conf);
|
|
|
mbedtls_ssl_set_bio(*ssl, sock, mbedtls_net_send, mbedtls_net_recv, NULL);
|
|
mbedtls_ssl_set_bio(*ssl, sock, mbedtls_net_send, mbedtls_net_recv, NULL);
|
|
|
- if (mbed_ssl_handshake(*ssl) != 0) {
|
|
|
|
|
- DEBUG_TRACE("TLS handshake failed");
|
|
|
|
|
|
|
+ rc = mbed_ssl_handshake(*ssl);
|
|
|
|
|
+ if (rc != 0) {
|
|
|
|
|
+ DEBUG_TRACE("TLS handshake failed (%i)", rc);
|
|
|
|
|
+ mg_free(*ssl);
|
|
|
|
|
+ *ssl = NULL;
|
|
|
return -1;
|
|
return -1;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
- DEBUG_TRACE("TLS connection accepted, state: %d", (*ssl)->state);
|
|
|
|
|
|
|
+ DEBUG_TRACE("TLS connection %p accepted, state: %d", ssl, (*ssl)->state);
|
|
|
return 0;
|
|
return 0;
|
|
|
}
|
|
}
|
|
|
|
|
|
|
@@ -156,10 +170,10 @@ mbed_ssl_accept(mbedtls_ssl_context **ssl, SSL_CTX *ssl_ctx, int *sock)
|
|
|
void
|
|
void
|
|
|
mbed_ssl_close(mbedtls_ssl_context *ssl)
|
|
mbed_ssl_close(mbedtls_ssl_context *ssl)
|
|
|
{
|
|
{
|
|
|
- DEBUG_TRACE("TLS close");
|
|
|
|
|
|
|
+ DEBUG_TRACE("TLS connection %p closed", ssl);
|
|
|
mbedtls_ssl_close_notify(ssl);
|
|
mbedtls_ssl_close_notify(ssl);
|
|
|
mbedtls_ssl_free(ssl);
|
|
mbedtls_ssl_free(ssl);
|
|
|
- ssl = NULL;
|
|
|
|
|
|
|
+ mg_free(ssl); /* mg_free for mg_calloc in mbed_ssl_accept */
|
|
|
}
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@@ -206,7 +220,7 @@ mbed_debug(void *user_param,
|
|
|
{
|
|
{
|
|
|
(void)level; /* Ignored. Limit is set using mbedtls_debug_set_threshold */
|
|
(void)level; /* Ignored. Limit is set using mbedtls_debug_set_threshold */
|
|
|
(void)user_param; /* Ignored. User parameter (context) is set using
|
|
(void)user_param; /* Ignored. User parameter (context) is set using
|
|
|
- mbedtls_ssl_conf_dbg */
|
|
|
|
|
|
|
+ mbedtls_ssl_conf_dbg */
|
|
|
|
|
|
|
|
DEBUG_TRACE("mbedTLS DEBUG: file: [%s] line: [%d] str: [%s]",
|
|
DEBUG_TRACE("mbedTLS DEBUG: file: [%s] line: [%d] str: [%s]",
|
|
|
file,
|
|
file,
|
bel2125