1 /*
2 * Copyright (c) 2020 HiSilicon (Shanghai) Technologies CO., LIMITED.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 * Description: In mbedtls lib, adaption for polarssl.
15 */
16 #include "common.h"
17 #if defined(VENDOR_POLARSSL_API_C)
18 #include "mbedtls/x509_crl.h"
19 #include "mbedtls/hw_polarssl_api.h"
20 #include "mbedtls/debug.h"
21 #include "mbedtls/error.h"
22 #include "mbedtls/platform.h"
23 #include "ssl_misc.h"
24 #include <stdio.h>
25 #include <memory.h>
26 #include <unistd.h>
27 #include <dirent.h>
28 #include <stdlib.h>
29 #include <string.h>
30 #include <fcntl.h>
31 #include <sys/stat.h>
32 #include <sys/ioctl.h>
33
34 #ifndef O_NONBLOCK
35 #define O_NONBLOCK 00004000
36 #endif
37
38 typedef struct {
39 unsigned int versions[4];
40 unsigned int cipher_conf;
41 unsigned int version_conf;
42 unsigned int kex_size_conf;
43 unsigned int new_board_conf;
44 } ssl_config_data_s;
45
46 /* 配置的版本信息,分别为TLSv1_2 TLSv1_3 */
47 static ssl_config_data_s gst_ssl_config = { {1, 1, 1, 1}, 1 , 1, 0, 0 };
48
49 mbedtls_ssl_sni sni_use;
50 static int g_enable_caupdate = 0; /* CA证书更新功能的开关 */
51 static int g_ignore_checktime = 1;
52 static PdtCertTimeCheckFunc g_pdtCertTimeCheckFunc = NULL;
53 static PdtCrlTimeCheckFunc g_pdtCrlTimeCheckFunc = NULL;
54
55 /* 设置sni */
polarssl_ssl_set_sni(mbedtls_ssl_adapt * ssl,const char * hostname)56 int polarssl_ssl_set_sni(mbedtls_ssl_adapt *ssl, const char *hostname)
57 {
58 (void)ssl;
59 if (strlen(hostname) >= MAX_SNI_LEN) {
60 return 1;
61 }
62 sni_use.send_sni = 1;
63 strncpy(sni_use.hostname, hostname, sizeof(sni_use.hostname) - 1);
64 return 0;
65 }
66
67 /* 清理sni */
polarssl_ssl_clear_sni()68 static void polarssl_ssl_clear_sni()
69 {
70 memset(&sni_use, 0 , sizeof(mbedtls_ssl_sni));
71 }
72
ssl_deprecated_cipher_support(void)73 static int ssl_deprecated_cipher_support(void)
74 {
75 return gst_ssl_config.cipher_conf;
76 }
77
ssl_deprecated_kexsize_support(void)78 int ssl_deprecated_kexsize_support(void)
79 {
80 return gst_ssl_config.kex_size_conf;
81 }
82
ssl_deprecated_newboard_support(void)83 static int ssl_deprecated_newboard_support(void)
84 {
85 return gst_ssl_config.new_board_conf;
86 }
87
ssl_init_version(void)88 int ssl_init_version(void)
89 {
90 ssl_config_data_s ssl_config = { 0 };
91 FILE *file = fopen("/var/hw_ssl_version", "r");
92 if (file == NULL) {
93 return 0;
94 }
95
96 (void)fread(&ssl_config, sizeof(ssl_config_data_s), 1, file);
97 fclose(file);
98
99 (void)memcpy(&gst_ssl_config, &ssl_config, sizeof(ssl_config));
100
101 return 0;
102 }
103
104 /* 设置不校验时间标志 */
SetIgnoreTime(int value)105 int SetIgnoreTime(int value)
106 {
107 g_ignore_checktime = value;
108 return 0;
109 }
110
polarssl_get_checktime(void)111 int polarssl_get_checktime(void)
112 {
113 /* 如果产品没有通过sntp或者olt完成时间同步,直接返回0认为时间校验通过 */
114 if (access("/var/timesyncflag", F_OK) != 0) {
115 return 0;
116 }
117
118 return 1;
119 }
120
121 /* 校验证书有效期的回调函数 */
polarssl_cert_date_checker(mbedtls_x509_crt * crt)122 int polarssl_cert_date_checker(mbedtls_x509_crt *crt)
123 {
124 mbedtls_printf( "Use custome CRT time verification callback" );
125
126 if ( polarssl_ischeck_crttime( crt ) == 0 )
127 return 0;
128
129 if( mbedtls_x509_time_is_past( &crt->valid_to ) )
130 return MBEDTLS_X509_BADCERT_EXPIRED;
131
132 if( mbedtls_x509_time_is_future( &crt->valid_from ) )
133 return MBEDTLS_X509_BADCERT_FUTURE;
134
135 return 0;
136 }
137
138 /* 校验CRL有效期的回调函数 */
polarssl_crl_date_checker(mbedtls_x509_crl * crl)139 int polarssl_crl_date_checker(mbedtls_x509_crl *crl)
140 {
141 mbedtls_printf( "Use custome CRL time verification callback" );
142
143 if ( polarssl_ischeck_crltime( crl ) == 0 )
144 return 0;
145
146 if( mbedtls_x509_time_is_past( &crl->next_update ) )
147 return MBEDTLS_X509_BADCRL_EXPIRED;
148
149 if( mbedtls_x509_time_is_future( &crl->this_update ) )
150 return MBEDTLS_X509_BADCRL_FUTURE;
151
152 return 0;
153 }
154
SetPdtCertTimeCheckFunc(PdtCertTimeCheckFunc func)155 int SetPdtCertTimeCheckFunc(PdtCertTimeCheckFunc func)
156 {
157 g_pdtCertTimeCheckFunc = func;
158 hw_mbedtls_regist_cert_date_chcker( polarssl_cert_date_checker );
159 return 0;
160 }
161
polarssl_ischeck_crttime(mbedtls_x509_crt * crt)162 int polarssl_ischeck_crttime(mbedtls_x509_crt *crt)
163 {
164 /* 如果没有设置产品决策函数,则默认校验证书时间 */
165 if (g_pdtCertTimeCheckFunc == NULL) {
166 return 1;
167 }
168
169 return g_pdtCertTimeCheckFunc((const mbedtls_x509_crt *)crt);
170 }
171
SetPdtCrlTimeCheckFunc(PdtCrlTimeCheckFunc func)172 int SetPdtCrlTimeCheckFunc(PdtCrlTimeCheckFunc func)
173 {
174 g_pdtCrlTimeCheckFunc = func;
175 hw_mbedtls_regist_crl_date_chcker( polarssl_crl_date_checker );
176 return 0;
177 }
178
polarssl_ischeck_crltime(mbedtls_x509_crl * crl)179 int polarssl_ischeck_crltime(mbedtls_x509_crl *crl)
180 {
181 /* 如果没有设置产品决策函数,则默认校验证书吊销文件时间 */
182 if (g_pdtCrlTimeCheckFunc == NULL) {
183 return 1;
184 }
185
186 return g_pdtCrlTimeCheckFunc((const mbedtls_x509_crl *)crl);
187 }
188
189 /* 安全随机函数 */
get_random()190 unsigned int get_random()
191 {
192 /* 首先从random中获取,若没有就从urandom中获取 */
193 const char *randomPath[] = {
194 "/dev/random",
195 "/dev/urandom"
196 };
197 int randomFlag[] = {
198 O_RDONLY | O_NONBLOCK, /* 对于/dev/random 要设置非阻塞方式 */
199 O_RDONLY /* /dev/urandom 本来就是非阻塞的, 直接读取就行了 */
200 };
201
202 unsigned int random = 0;
203 for (unsigned int loop = 0; loop < 2; loop++) {
204 int fd = open(randomPath[loop], randomFlag[loop], 0);
205 if (fd != -1) {
206 int readBytes = read(fd, (void *)&random, sizeof(unsigned int));
207 close(fd);
208 if (readBytes == (int)sizeof(unsigned int)) {
209 break;
210 }
211 }
212 }
213
214 return random;
215 }
216
217 /* random函数 */
myrand(void * rng_state,unsigned char * output,size_t len)218 static int myrand( void *rng_state, unsigned char *output, size_t len )
219 {
220 size_t use_len;
221 int rnd;
222
223 if (rng_state != NULL)
224 rng_state = NULL;
225
226 while (len > 0) {
227 use_len = len;
228 if (use_len > sizeof(int))
229 use_len = sizeof(int);
230
231 rnd = (int)get_random();
232 memcpy(output, &rnd, use_len);
233 output += use_len;
234 len -= use_len;
235 }
236
237 return 0;
238 }
239
240 /* 设置协商时的算法集合,外部请使用静态变量 */
polarssl_ssl_conf_ciphersuites(mbedtls_ssl_config_adapt * conf,const int * ciphersuites)241 void polarssl_ssl_conf_ciphersuites(mbedtls_ssl_config_adapt *conf, const int *ciphersuites)
242 {
243 if (conf == NULL || ciphersuites == NULL) {
244 return ;
245 }
246
247 mbedtls_ssl_conf_ciphersuites(conf->config, ciphersuites);
248 }
249
250 /*
251 * Derive and export the shared secret (G^Y)^X mod P
252 */
polarssl_dhm_calc_secret(mbedtls_dhm_context * ctx,unsigned char * output,size_t output_size,unsigned int * olen)253 int polarssl_dhm_calc_secret(mbedtls_dhm_context *ctx, unsigned char *output, size_t output_size, unsigned int *olen)
254 {
255 return mbedtls_dhm_calc_secret(ctx, output, output_size, (size_t*)olen, myrand, NULL);
256 }
257
258 /*
259 * Import X from unsigned binary data, big endian
260 */
polarssl_mpi_read_binary(mbedtls_mpi * X,const unsigned char * buf,unsigned int buflen)261 int polarssl_mpi_read_binary(mbedtls_mpi *X, const unsigned char *buf, unsigned int buflen)
262 {
263 return mbedtls_mpi_read_binary(X, buf, buflen);
264 }
265
266 /*
267 * Export X into unsigned binary data, big endian
268 */
polarssl_mpi_write_binary(const mbedtls_mpi * X,unsigned char * buf,size_t buflen)269 int polarssl_mpi_write_binary(const mbedtls_mpi *X, unsigned char *buf, size_t buflen)
270 {
271 return mbedtls_mpi_write_binary(X, buf, buflen);
272 }
273
274 /* setAesKey */
polarssl_aes_setkey_enc(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)275 int polarssl_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits)
276 {
277 return mbedtls_aes_setkey_enc(ctx, key, keybits);
278 }
279
280 /*
281 * AES-CBC buffer encryption/decryption
282 */
polarssl_aes_crypt_cbc(mbedtls_aes_context * ctx,int mode,unsigned int length,unsigned char iv[16],const unsigned char * input,unsigned char * output)283 int polarssl_aes_crypt_cbc(mbedtls_aes_context *ctx, int mode, unsigned int length, unsigned char iv[16],
284 const unsigned char *input, unsigned char *output)
285 {
286
287 return mbedtls_aes_crypt_cbc(ctx,mode,length,iv,input,output);
288 }
289
290 /* setAesKey */
polarssl_aes_setkey_dec(mbedtls_aes_context * ctx,const unsigned char * key,unsigned int keybits)291 int polarssl_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key, unsigned int keybits)
292 {
293
294 return mbedtls_aes_setkey_dec(ctx, key, keybits);
295 }
296
297
298 /* init the para */
polarssl_aes_init(mbedtls_aes_context * ctx)299 void polarssl_aes_init(mbedtls_aes_context *ctx)
300 {
301 mbedtls_aes_init(ctx);
302 }
303
304 /*
305 * Create own private value X and export G^X
306 */
polarssl_dhm_make_public(mbedtls_dhm_context * ctx,int x_size,unsigned char * output,size_t olen)307 int polarssl_dhm_make_public(mbedtls_dhm_context *ctx, int x_size, unsigned char *output, size_t olen)
308 {
309 return mbedtls_dhm_make_public(ctx, x_size, output, olen, myrand, NULL);
310 }
311
312 /*
313 * Return the total size in bytes
314 */
polarssl_mpi_size(const mbedtls_mpi * X)315 size_t polarssl_mpi_size(const mbedtls_mpi *X)
316 {
317 return mbedtls_mpi_size(X);
318 }
319
320 /*
321 * Import from an ASCII string
322 */
polarssl_mpi_read_string(mbedtls_mpi * X,int radix,const char * s)323 int polarssl_mpi_read_string(mbedtls_mpi *X, int radix, const char *s)
324 {
325 return mbedtls_mpi_read_string(X, radix, s);
326 }
327
328 /* init the dh */
polarssl_dhm_init(mbedtls_dhm_context * ctx)329 void polarssl_dhm_init(mbedtls_dhm_context *ctx)
330 {
331 mbedtls_dhm_init(ctx);
332 }
333
334 /*
335 * Free the components of a DHM key
336 */
polarssl_dhm_free(mbedtls_dhm_context * ctx)337 void polarssl_dhm_free(mbedtls_dhm_context *ctx)
338 {
339 mbedtls_dhm_free(ctx);
340 }
341
342 /* free pk */
polarssl_pk_free(mbedtls_pk_context * ctx)343 void polarssl_pk_free(mbedtls_pk_context *ctx)
344 {
345 mbedtls_pk_free(ctx);
346 }
347
348 /* sha512 */
polarssl_sha512(const unsigned char * input,size_t ilen,unsigned char output[64],int is384)349 void polarssl_sha512(const unsigned char *input, size_t ilen, unsigned char output[64], int is384)
350 {
351 mbedtls_sha512(input, ilen, output, is384);
352 }
353
354
355 /* hmac512 */
polarssl_md_hmac512(const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output)356 int polarssl_md_hmac512(const unsigned char *key, size_t keylen, const unsigned char *input, size_t ilen,
357 unsigned char *output)
358 {
359 return mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), key, keylen, input, ilen, output);
360 }
361
362 /* 通知对端关闭连接 */
polarssl_shutdown(mbedtls_ssl_adapt * ssl)363 int polarssl_shutdown(mbedtls_ssl_adapt *ssl)
364 {
365 if (ssl == NULL) {
366 return -1;
367 }
368 return mbedtls_ssl_close_notify(ssl->ssl);
369 }
370
371 /* 校验证书日期是否有效 */
polarssl_x509_crt_check_date(const char * filename)372 int polarssl_x509_crt_check_date(const char* filename)
373 {
374 return mbedtls_x509_crt_check_date(filename);
375 }
376
377 /* free crt 证书 */
polarssl_x509_crt_free(mbedtls_x509_crt * crt)378 void polarssl_x509_crt_free(mbedtls_x509_crt *crt)
379 {
380 if (crt == NULL) {
381 return ;
382 }
383 mbedtls_x509_crt_free(crt);
384 mbedtls_free(crt);
385 crt = NULL;
386 }
387
388 /* 获取debug Level等级 */
polarssl_get_debug_level()389 static int polarssl_get_debug_level()
390 {
391 int debug_level = 0;
392
393 FILE *fp=fopen("/var/ssl_debug_level", "r");
394 if (!fp) {
395 return debug_level;
396 }
397 fscanf(fp, "%d", &debug_level);
398 fclose(fp);
399
400 return debug_level;
401 }
402
403 /* SSL accept函数 */
polarssl_accept(mbedtls_ssl_adapt * ssl)404 int polarssl_accept(mbedtls_ssl_adapt *ssl)
405 {
406 if (ssl == NULL) {
407 return -1;
408 }
409 #if defined(VENDOR_POLARSSL_API_DEBUG_C)
410 mbedtls_debug_set_threshold(polarssl_get_debug_level());
411 #endif
412 return mbedtls_ssl_handshake(ssl->ssl);
413 }
414
415 /* SSL accept函数 */
polarssl_connect(mbedtls_ssl_adapt * ssl)416 int polarssl_connect(mbedtls_ssl_adapt *ssl)
417 {
418 if (ssl == NULL) {
419 return -1;
420 }
421 #if defined(VENDOR_POLARSSL_API_DEBUG_C)
422 mbedtls_debug_set_threshold(polarssl_get_debug_level());
423 #endif
424
425 /* 如果使能的缓存恢复缓存 */
426 if (ssl->saved_session != NULL) {
427 mbedtls_ssl_set_session(ssl->ssl, ssl->saved_session);
428 }
429
430 int32_t ret = mbedtls_ssl_handshake(ssl->ssl);
431 if (ret == 0) {
432 /* 成功则记录下缓存 */
433 if (ssl->saved_session != NULL) {
434 mbedtls_ssl_get_session(ssl->ssl, ssl->saved_session);
435 }
436 }
437
438 return ret;
439 }
440
441 /* SSL free函数 */
polarssl_free(mbedtls_ssl_adapt * ssl)442 void polarssl_free(mbedtls_ssl_adapt *ssl)
443 {
444 if (ssl == NULL) {
445 return;
446 }
447
448 if (ssl->saved_session != NULL) {
449 mbedtls_ssl_session_free(ssl->saved_session);
450 mbedtls_free(ssl->saved_session);
451 ssl->saved_session = NULL;
452 }
453
454
455 mbedtls_ssl_free(ssl->ssl);
456 mbedtls_free(ssl->ssl);
457 ssl->ssl = NULL;
458 mbedtls_free(ssl);
459 ssl = NULL;
460 }
461
462 /* SSL 配置设置 */
polarssl_ssl_config_defaults(mbedtls_ssl_config * conf,int type)463 static int polarssl_ssl_config_defaults(mbedtls_ssl_config *conf, int type)
464 {
465 return mbedtls_ssl_config_defaults(conf, type, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
466 }
467
468 /* 使能服务端的缓存,失败也不影响功能 */
polarssl_enable_server_cache(mbedtls_ssl_config_adapt * conf,uint32_t cache_num,uint32_t timeout)469 void polarssl_enable_server_cache(mbedtls_ssl_config_adapt *conf, uint32_t cache_num, uint32_t timeout)
470 {
471 if (conf == NULL || conf->config == NULL) {
472 return;
473 }
474
475 if (conf->cache == NULL) {
476 conf->cache = (mbedtls_ssl_cache_context *)mbedtls_calloc(1, sizeof(mbedtls_ssl_cache_context));
477 if (conf->cache != NULL) {
478 mbedtls_ssl_cache_init(conf->cache);
479 mbedtls_ssl_cache_set_max_entries(conf->cache, cache_num);
480 mbedtls_ssl_cache_set_timeout(conf->cache, timeout);
481 mbedtls_ssl_conf_session_cache(conf->config, conf->cache, mbedtls_ssl_cache_get, mbedtls_ssl_cache_set);
482 }
483 }
484
485 }
486
487 /* 使能客户端缓存 */
polarssl_enable_client_cache(mbedtls_ssl_adapt * ssl)488 void polarssl_enable_client_cache(mbedtls_ssl_adapt *ssl)
489 {
490 if (ssl->saved_session == NULL) {
491 /* calloc会memset 0 */
492 ssl->saved_session = mbedtls_calloc(1, sizeof(mbedtls_ssl_session));
493 }
494
495 }
496
497 /* SSL配置变量释放 */
polarssl_free_config_adapt(mbedtls_ssl_config_adapt * conf)498 void polarssl_free_config_adapt(mbedtls_ssl_config_adapt *conf)
499 {
500 if (conf == NULL) {
501 return;
502 }
503
504 if (conf->config != NULL) {
505 if (conf->config->MBEDTLS_PRIVATE(ca_crl) != NULL) {
506 mbedtls_x509_crl_free(conf->config->MBEDTLS_PRIVATE(ca_crl));
507 mbedtls_free(conf->config->MBEDTLS_PRIVATE(ca_crl));
508 conf->config->MBEDTLS_PRIVATE(ca_crl) = NULL;
509 }
510 mbedtls_ssl_config_free(conf->config);
511 mbedtls_free(conf->config);
512 conf->config = NULL;
513 }
514
515 if (conf->entropy != NULL) {
516 mbedtls_entropy_free(conf->entropy);
517 mbedtls_free(conf->entropy);
518 conf->entropy = NULL;
519 }
520
521 if (conf->ctr_drbg != NULL) {
522 mbedtls_ctr_drbg_free(conf->ctr_drbg);
523 mbedtls_free(conf->ctr_drbg);
524 conf->ctr_drbg = NULL;
525 }
526
527 if (conf->prv != NULL) {
528 mbedtls_pk_free(conf->prv);
529 mbedtls_free(conf->prv);
530 conf->prv = NULL;
531 }
532
533 if (conf->pubcert != NULL) {
534 mbedtls_x509_crt_free(conf->pubcert);
535 mbedtls_free(conf->pubcert);
536 conf->pubcert = NULL;
537 }
538
539 if (conf->chainHead != NULL) {
540 mbedtls_x509_crt_free(conf->chainHead);
541 mbedtls_free(conf->chainHead);
542 conf->chainHead = NULL;
543 }
544
545 if (conf->cache != NULL) {
546 mbedtls_ssl_cache_free(conf->cache);
547 mbedtls_free(conf->cache);
548 conf->cache = NULL;
549 }
550
551 mbedtls_free(conf);
552 conf = NULL;
553 }
554
555 /* 设置CN域名,后面会继续校验,同时会发送SNI */
polarssl_ssl_set_hostname(mbedtls_ssl_adapt * ssl,const char * hostname)556 int polarssl_ssl_set_hostname(mbedtls_ssl_adapt *ssl, const char *hostname)
557 {
558 if (ssl == NULL) {
559 return -1;
560 }
561 return mbedtls_ssl_set_hostname(ssl->ssl,hostname);
562 }
563
564 /* 设置认证模式 */
polarssl_conf_authmode(mbedtls_ssl_config_adapt * conf,int authmode)565 void polarssl_conf_authmode(mbedtls_ssl_config_adapt *conf, int authmode)
566 {
567 if (conf == NULL) {
568 return ;
569 }
570 mbedtls_ssl_conf_authmode(conf->config, authmode);
571 }
572
573 /* hmac包装,摘要方法为sha1 */
polarssl_hmac_with_sha1(const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output,size_t * outlen)574 int polarssl_hmac_with_sha1(const unsigned char *key, size_t keylen,
575 const unsigned char *input, size_t ilen,
576 unsigned char *output,size_t * outlen)
577 {
578 *outlen = 20;
579 return mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), key, keylen, input, ilen, output);
580 }
581
582 /* hmac包装,摘要方法为sha256 */
polarssl_hmac_with_sha256(const unsigned char * key,size_t keylen,const unsigned char * input,size_t ilen,unsigned char * output,size_t outlen)583 int polarssl_hmac_with_sha256(const unsigned char *key, size_t keylen,
584 const unsigned char *input, size_t ilen,
585 unsigned char *output,size_t outlen)
586 {
587 outlen = outlen;
588 return mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), key, keylen, input, ilen, output);
589 }
590
591 /* 根据文件解析crt/der格式的证书,chain是个链表,如果已存在放在则放在其next里面 */
polarssl_x509_crt_parse_file(const char * path)592 mbedtls_x509_crt *polarssl_x509_crt_parse_file(const char *path)
593 {
594 mbedtls_x509_crt *crt = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
595 if (crt == NULL) {
596 return NULL;
597 }
598
599 memset(crt, 0, sizeof(mbedtls_x509_crt));
600 int ret = mbedtls_x509_crt_parse_file(crt, path);
601 if (ret != 0) {
602 mbedtls_free(crt);
603 crt = NULL;
604 }
605
606 return crt;
607 }
608
polarssl_pem_free(mbedtls_pem_context * ctx)609 void polarssl_pem_free(mbedtls_pem_context *ctx)
610 {
611 mbedtls_pem_free(ctx);
612 }
613
614 /* 解析PUBLIC KEY证书 */
polarssl_pem_read_buffer(mbedtls_pem_context * pem,unsigned char * pub)615 int polarssl_pem_read_buffer(mbedtls_pem_context *pem, unsigned char *pub)
616 {
617 size_t use_len = 0;
618 return mbedtls_pem_read_buffer(pem, "-----BEGIN PUBLIC KEY-----", "-----END PUBLIC KEY-----",
619 pub, NULL, 0, &use_len);
620 }
621
622
623 /* 从der格式的公钥中解析出N/E rsa key,要求der格式简单,只有最内一层 */
polarssl_pk_parse_subpubkey(unsigned char * buf,int len,mbedtls_pk_context * pk)624 int polarssl_pk_parse_subpubkey(unsigned char *buf, int len, mbedtls_pk_context *pk)
625 {
626 return mbedtls_pk_parse_subpubkey(&buf, buf + len, pk);
627 }
628
629 /* 将一套pub/priv key设置到其中 */
polarssl_set_pub_prv_to_conf(mbedtls_ssl_config_adapt * conf,const char * prvPath,const char * pubPath,const char * prvPassword)630 int polarssl_set_pub_prv_to_conf(mbedtls_ssl_config_adapt *conf, const char *prvPath,const char *pubPath,const char *prvPassword)
631 {
632 if (conf == NULL) {
633 return -1;
634 }
635
636 conf->pubcert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
637 if (conf->pubcert == NULL) {
638 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
639 }
640
641 conf->prv = mbedtls_calloc(1, sizeof(mbedtls_pk_context));
642 if(conf->prv == NULL) {
643 mbedtls_free(conf->pubcert);
644 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
645 }
646
647 int ret = mbedtls_x509_crt_parse_file(conf->pubcert, pubPath);
648 ret |= mbedtls_pk_parse_keyfile(conf->prv, prvPath, prvPassword, mbedtls_ctr_drbg_random, conf->ctr_drbg);
649 ret |= mbedtls_ssl_conf_own_cert(conf->config, conf->pubcert, conf->prv);
650
651 return ret;
652 }
653
654 /* SSL的read函数 */
polarssl_ssl_read(mbedtls_ssl_adapt * ssl,unsigned char * buf,size_t len)655 int polarssl_ssl_read(mbedtls_ssl_adapt *ssl, unsigned char *buf, size_t len)
656 {
657 if (ssl == NULL) {
658 return -1;
659 }
660 return mbedtls_ssl_read(ssl->ssl, buf, len);
661 }
662
663 /* SSL的write函数 */
polarssl_ssl_write(mbedtls_ssl_adapt * ssl,const unsigned char * buf,size_t len)664 int polarssl_ssl_write(mbedtls_ssl_adapt *ssl, const unsigned char *buf, size_t len)
665 {
666 if (ssl == NULL) {
667 return -1;
668 }
669 return mbedtls_ssl_write(ssl->ssl, buf, len);
670 }
671
672 /* SSL获取version */
polarssl_ssl_get_version(const mbedtls_ssl_adapt * ssl)673 const char *polarssl_ssl_get_version(const mbedtls_ssl_adapt *ssl)
674 {
675 if (ssl == NULL) {
676 return NULL;
677 }
678 return mbedtls_ssl_get_version(ssl->ssl);
679 }
680
681 /* hash256 摘要下 x509 rsa证书校验判断 */
polarssl_rsassl_vertify(unsigned char * sig,unsigned int siglen,unsigned char * data,unsigned int datalen,mbedtls_rsa_context * rsa)682 int polarssl_rsassl_vertify(unsigned char *sig, unsigned int siglen, unsigned char *data, unsigned int datalen,
683 mbedtls_rsa_context *rsa)
684 {
685 unsigned char hash[1024] = {0}; /* Enough for any hash */
686 siglen = siglen;
687 datalen= datalen;
688
689 int ret = mbedtls_md(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), data, datalen, hash);
690 if (ret != 0) {
691 return ret;
692 }
693
694 return mbedtls_rsa_pkcs1_verify(rsa, MBEDTLS_MD_SHA256, 32, hash, sig);
695 }
696
697 /* 将cafile和cadir目录下的所有文件设置到conf中去,没有有效证书则失败 */
polarssl_conf_setCaList(mbedtls_ssl_config_adapt * conf,char * cafile,char * cadir,char * crlFile)698 int polarssl_conf_setCaList(mbedtls_ssl_config_adapt *conf, char *cafile, char *cadir, char *crlFile)
699 {
700 if (conf == NULL) {
701 return -1;
702 }
703
704 conf->chainHead = mbedtls_calloc(1, sizeof(mbedtls_x509_crt));
705 if (conf->chainHead == NULL) {
706 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
707 }
708
709 if (cafile != NULL) {
710 mbedtls_x509_crt_parse_file(conf->chainHead, cafile);
711 }
712
713 if (cadir != NULL) {
714 void *dir = opendir(cadir);
715 if (dir == NULL) {
716 return 1;
717 }
718
719 char path[512] = {0};
720 struct dirent *filename = NULL;
721 while ((filename = readdir(dir)) != NULL) {
722 memset(path, 0, sizeof(path));
723 if(!strcmp(filename->d_name,".") || !strcmp(filename->d_name,".."))
724 continue;
725 (void)sprintf(path,"%s/%s",cadir,filename->d_name);
726 mbedtls_x509_crt_parse_file(conf->chainHead, path);
727 }
728
729 closedir(dir);
730 }
731
732 mbedtls_x509_crl *crl = NULL;
733 if ((crlFile != NULL) && (access(crlFile, F_OK) == 0)) { /* crl 文件存在 */
734 crl = mbedtls_calloc(1, sizeof(mbedtls_x509_crl));
735 if (crl == NULL) {
736 return MBEDTLS_ERR_SSL_ALLOC_FAILED;
737 }
738
739 mbedtls_x509_crl_init(crl);
740 int32_t rc = mbedtls_x509_crl_parse_file(crl, crlFile);
741 if (rc != 0) {
742 mbedtls_free(crl);
743 return rc;
744 }
745 }
746
747 mbedtls_ssl_conf_ca_chain(conf->config, conf->chainHead, crl);
748
749 return 0;
750 }
751
752 /* 获取ssl连接中使用的加密算法 */
polarssl_ssl_get_ciphersuite(const mbedtls_ssl_adapt * ssl)753 const char *polarssl_ssl_get_ciphersuite(const mbedtls_ssl_adapt *ssl)
754 {
755 if (ssl == NULL) {
756 return NULL;
757 }
758
759 return mbedtls_ssl_get_ciphersuite(ssl->ssl);
760 }
761
762 /* scp中的特殊业务流程 */
polarssl_enable_ca_update(int enable)763 void polarssl_enable_ca_update(int enable)
764 {
765 g_enable_caupdate = enable;
766 }
767
polarssl_get_caupdate(void)768 int polarssl_get_caupdate(void)
769 {
770 return g_enable_caupdate;
771 }
772
773 /* 将socket设置到ssl连接中 */
polarssl_ssl_set_bio(mbedtls_ssl_adapt * ssl,int fd)774 void polarssl_ssl_set_bio(mbedtls_ssl_adapt *ssl, int fd)
775 {
776 if (ssl == NULL) {
777 return ;
778 }
779 ssl->bio.fd = fd;
780 mbedtls_ssl_set_bio(ssl->ssl,&ssl->bio, mbedtls_net_send, mbedtls_net_recv, NULL);
781 }
782
783 /* debug函数 */
mbedtls_debug(void * ctx,int level,const char * file,int line,const char * str)784 static void mbedtls_debug(void *ctx, int level, const char *file, int line, const char *str)
785 {
786 ((void)level);
787
788 mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
789 fflush((FILE *)ctx);
790 }
791
792 /* 证书校验适配放开,不然证书算法太弱会拒绝连接 */
793 const mbedtls_x509_crt_profile easyConnect = {
794 /* 根据需要适当限制,当前放开 */
795 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA1 ) |
796
797 #if defined(MBEDTLS_MD2_C)
798 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_MD2 ) |
799 #endif
800 #if defined(MBEDTLS_MD4_C)
801 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_MD4 ) |
802 #endif
803
804 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_MD5 ) |
805 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA224 ) |
806 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA256 ) |
807 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA384 ) |
808 MBEDTLS_X509_ID_FLAG( MBEDTLS_MD_SHA512 ),
809 0xFFFFFFF, /* Any PK alg */
810 0xFFFFFFF, /* Any curve */
811 2048, /* 3.1.0版本,rsa最小支持2048bit */
812 };
813
814 /* 默认 */
815 const int ssl_ciphers[] = {
816 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
817 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
818 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
819 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
820 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
821 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
822 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
823 MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA256,
824 MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA256 ,
825 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
826 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
827 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
828 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
829 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
830 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
831 0
832 };
833
834 /* 符合公司安全默认用加密套件 */
835 const int g_sslSafeCiphers[] = {
836 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
837 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
838 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
839 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
840 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
841 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
842 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
843 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
844 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
845 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
846 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
847 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
848 0
849 };
850
851 const int g_sslUdmCiphers[] = {
852 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
853 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
854 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,
855 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,
856 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
857 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
858 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
859 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
860 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
861 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
862 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
863 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
864 0
865 };
866
867 /* TLS1.3 加密套件 */
868 const int g_tls13Ciphers[] = {
869 MBEDTLS_TLS1_3_AES_128_GCM_SHA256,
870 MBEDTLS_TLS1_3_AES_256_GCM_SHA384,
871 0
872 };
873
874 /* 按照公司要求,新单板删除CBC加密套, 保留GCM加密套 */
875 const int g_sslGcmCiphers[] = {
876 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
877 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
878 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
879 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
880 0
881 };
882
883 /* 埃及VDF要求支持安全等级高且算法长度大于128的算法 */
884 const int g_sslHighCiphers[] = {
885 MBEDTLS_TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,
886 MBEDTLS_TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,
887 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
888 MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
889 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
890 MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
891 0
892 };
893
mbedtls_set_udm_ssl_conf(mbedtls_ssl_config_adapt * config)894 void mbedtls_set_udm_ssl_conf(mbedtls_ssl_config_adapt *config)
895 {
896 if (config == NULL) {
897 return;
898 }
899
900 mbedtls_ssl_conf_ciphersuites(config->config, g_sslUdmCiphers);
901 return;
902 }
903
904 /* 配合cyassl连接模型 适配函数 */
polarssl_new_ctx_ssl_conf(int connect_type)905 mbedtls_ssl_config_adapt *polarssl_new_ctx_ssl_conf(int connect_type)
906 {
907 const char *pers = (connect_type == MBEDTLS_SSL_IS_CLIENT) ? "ssl_client":"ssl_server";
908
909 mbedtls_ssl_config_adapt *config = mbedtls_calloc(1, sizeof(mbedtls_ssl_config_adapt));
910 if (config == NULL) {
911 return NULL;
912 }
913
914 config->entropy = mbedtls_calloc(1, sizeof(mbedtls_entropy_context));
915 if (config->entropy == NULL) {
916 mbedtls_free(config);
917 return NULL;
918 }
919
920 config->ctr_drbg = mbedtls_calloc(1, sizeof(mbedtls_ctr_drbg_context));
921 if (config->ctr_drbg == NULL) {
922 mbedtls_free(config->entropy);
923 mbedtls_free(config);
924 return NULL;
925 }
926
927 config->config = mbedtls_calloc(1, sizeof(mbedtls_ssl_config));
928 if (config->config == NULL) {
929 mbedtls_free(config->ctr_drbg);
930 mbedtls_free(config->entropy);
931 mbedtls_free(config);
932 return NULL;
933 }
934
935 /* 初始化协议 */
936 ssl_init_version();
937 /* 清理sni */
938 polarssl_ssl_clear_sni();
939
940 mbedtls_entropy_init(config->entropy);
941 mbedtls_ctr_drbg_init(config->ctr_drbg);
942 mbedtls_ssl_config_init(config->config);
943 (void)polarssl_ssl_config_defaults(config->config,connect_type);
944 (void)mbedtls_ssl_conf_cert_profile(config->config, &easyConnect);
945 (void)mbedtls_ctr_drbg_seed(config->ctr_drbg, mbedtls_entropy_func, config->entropy,
946 (const unsigned char *)pers, strlen(pers));
947
948 if (polarss_feather_support("FT_SSL_CIPHERSUITE_HIGH")) {
949 mbedtls_ssl_conf_ciphersuites(config->config, g_sslHighCiphers);
950 } else {
951 if (ssl_deprecated_newboard_support()) {
952 mbedtls_ssl_conf_ciphersuites(config->config, g_sslGcmCiphers);
953 } else {
954 /* 设置默认算法合集 */
955 mbedtls_ssl_conf_ciphersuites(config->config, g_sslSafeCiphers);
956
957 /* 特性开关打开则打开,rc4 */
958 if (ssl_deprecated_cipher_support()) {
959 /* 特性开关控制设置兼容过时算法合集 */
960 mbedtls_ssl_conf_ciphersuites(config->config, ssl_ciphers);
961 }
962 }
963 }
964
965 /* dh算法长度校验 */
966 if (ssl_deprecated_kexsize_support() == 1) {
967 mbedtls_ssl_conf_dhm_min_bitlen(config->config, 0);
968 }
969
970 /* mbedtls 只能使用TLS1.2或者TLS1.3 服务端暂不支持1.3, 客户端支持 */
971 mbedtls_ssl_conf_max_version(config->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
972 mbedtls_ssl_conf_min_version(config->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
973 if ((access("/var/force_tls13", F_OK) == 0) && (connect_type == MBEDTLS_SSL_IS_CLIENT)) {
974 mbedtls_ssl_conf_ciphersuites(config->config, g_tls13Ciphers);
975 mbedtls_ssl_conf_max_version(config->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
976 mbedtls_ssl_conf_min_version(config->config, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_4);
977 }
978
979 /* 设置随机函数 */
980 mbedtls_ssl_conf_rng( config->config, mbedtls_ctr_drbg_random, config->ctr_drbg );
981
982 /* 调试手段 */
983 mbedtls_ssl_conf_dbg( config->config, mbedtls_debug, stdout );
984
985 /* 设置随机dm */
986 mbedtls_dhm_context dhm;
987 mbedtls_dhm_init(&dhm);
988 int ret = mbedtls_dhm_parse_dhmfile(&dhm, "/mnt/jffs2/dhparams.pem");
989 if (ret == 0) {
990 mbedtls_ssl_conf_dh_param_ctx(config->config, &dhm);
991 }
992 mbedtls_dhm_free(&dhm);
993
994 return config;
995 }
996
997 /* 配合cyassl模型创建ssl连接 */
polarssl_new_ssl(mbedtls_ssl_config_adapt * config)998 mbedtls_ssl_adapt *polarssl_new_ssl(mbedtls_ssl_config_adapt * config)
999 {
1000 if (config == NULL) {
1001 return NULL;
1002 }
1003
1004 mbedtls_ssl_adapt *ssl = mbedtls_calloc(1, sizeof(mbedtls_ssl_adapt));
1005 if (ssl == NULL) {
1006 return NULL;
1007 }
1008
1009 ssl->ssl = mbedtls_calloc(1, sizeof(mbedtls_ssl_context));
1010 if (ssl->ssl == NULL) {
1011 mbedtls_free(ssl);
1012 return NULL;
1013 }
1014
1015 mbedtls_ssl_init(ssl->ssl);
1016 (void)mbedtls_ssl_setup(ssl->ssl, config->config);
1017
1018 return ssl;
1019 }
1020
1021 /* 摘要算法合集 */
polarssl_dgst(int type,unsigned char * input,size_t ilen,unsigned char * output,size_t * olen)1022 void polarssl_dgst(int type, unsigned char *input, size_t ilen, unsigned char * output,size_t * olen)
1023 {
1024 switch (type) {
1025 case MBEDTLS_MD_MD5:
1026 mbedtls_md5(input, ilen, output);
1027 *olen = 16;
1028 break;
1029 case MBEDTLS_MD_SHA1:
1030 mbedtls_sha1(input, ilen, output);
1031 *olen = 20;
1032 break;
1033 default:
1034 break;
1035 }
1036
1037 return ;
1038 }
1039
1040 /* 适配init/update/final摘要算法格式合集 */
polarssl_dgst_init(mbedtls_md_context_t * ctx,int type)1041 int polarssl_dgst_init(mbedtls_md_context_t *ctx, int type)
1042 {
1043 mbedtls_md_init(ctx);
1044
1045 int ret = mbedtls_md_setup(ctx, mbedtls_md_info_from_type(type), 0);
1046 if (ret != 0) {
1047 return ret;
1048 }
1049 mbedtls_md_starts(ctx);
1050
1051 return 0;
1052 }
1053
1054 /* 适配init/update/final摘要算法格式合集 */
polarssl_dgst_update(mbedtls_md_context_t * ctx,unsigned char * input,size_t ilen)1055 void polarssl_dgst_update(mbedtls_md_context_t *ctx, unsigned char *input, size_t ilen)
1056 {
1057 mbedtls_md_update(ctx, input, ilen);
1058 }
1059
1060 /* 适配init/update/final摘要算法格式合集 */
polarssl_dgst_final(mbedtls_md_context_t * ctx,unsigned char * output)1061 void polarssl_dgst_final(mbedtls_md_context_t *ctx, unsigned char *output)
1062 {
1063 mbedtls_md_finish(ctx, output);
1064 mbedtls_md_free(ctx);
1065 }
1066
1067 #if defined(VENDOR_POLARSSL_API_FT_C)
1068 #define FT_MAX_LEN 32
1069 /* FEATURE ioctl数据结构 */
1070 typedef struct {
1071 uint32_t Ret;
1072 uint8_t EnableFlag; /* 使能和初始化标志 */
1073 char CustomDefine; /* 是否支持运营商定制 */
1074 uint16_t FtID; /* 最大支持65535个特性开关 */
1075 char FtName[FT_MAX_LEN];
1076 } HW_OPEN_FT_IOCTL_INFO;
1077
1078 #define HW_FT_CMD_MAGIC 'X'
1079 #define HW_OPEN_FT_IOCTL_CMD_BY_NAME _IOWR(HW_FT_CMD_MAGIC, 4, HW_OPEN_FT_IOCTL_INFO)
1080
1081 /* 特性开关判断 */
polarss_feather_support(char * featureName)1082 int polarss_feather_support(char *featureName)
1083 {
1084 int fd = open("/proc/wap_proc/feature", O_RDONLY, 0);
1085 if (fd < 0) {
1086 return 0;
1087 }
1088
1089 HW_OPEN_FT_IOCTL_INFO ft = {0};
1090 strncpy(ft.FtName, featureName, sizeof(ft.FtName) - 1);
1091
1092 int ret = ioctl(fd, HW_OPEN_FT_IOCTL_CMD_BY_NAME, &ft);
1093 close(fd);
1094 if (ret < 0 || ft.Ret != 0) {
1095 return 0;
1096 }
1097
1098 return ft.EnableFlag;
1099 }
1100
1101 #else
polarss_feather_support(char * featureName)1102 int polarss_feather_support(char *featureName){
1103 (void)featureName;
1104 return 0;
1105 }
1106 #endif
1107
1108 /*摘要算法校验 md2,md4算法是否支持 */
polarssl_dgst_check(mbedtls_md_type_t md_alg)1109 int polarssl_dgst_check(mbedtls_md_type_t md_alg)
1110 {
1111 (void)md_alg;
1112
1113 /* 不同市场算法不一 特性开关开启的条件下 做校验 -1表示禁止*/
1114 #if defined(MBEDTLS_MD2_C)
1115 if (md_alg == MBEDTLS_MD_MD2 || md_alg == MBEDTLS_MD_MD4) {
1116 if (polarss_feather_support("FT_OLD_MD_DDGST_FORBIDDEN")) {
1117 return -1;
1118 }
1119 }
1120 #endif
1121
1122 #if defined(MBEDTLS_MD4_C)
1123 if (md_alg == MBEDTLS_MD_MD4) {
1124 if (polarss_feather_support("FT_OLD_MD_DDGST_FORBIDDEN")) {
1125 return -1;
1126 }
1127 }
1128 #endif
1129
1130 return 0;
1131 }
1132
1133 /* 配置dh参数 */
polarssl_ssl_conf_dh_param_ctx(mbedtls_ssl_config_adapt * conf,mbedtls_dhm_context * ctx)1134 int polarssl_ssl_conf_dh_param_ctx(mbedtls_ssl_config_adapt *conf, mbedtls_dhm_context *ctx)
1135 {
1136 if (conf == NULL || ctx == NULL) {
1137 return -1;
1138 }
1139
1140 return mbedtls_ssl_conf_dh_param_ctx(conf->config, ctx);
1141 }
1142
1143 /* 计算共享密钥 */
polarssl_ssl_calc_key(const unsigned char * pw,unsigned int pwLen,const unsigned char * salt,unsigned int saltLen,unsigned char * key,unsigned int keyLen)1144 int polarssl_ssl_calc_key(const unsigned char *pw, unsigned int pwLen, const unsigned char *salt, unsigned int saltLen,
1145 unsigned char *key, unsigned int keyLen)
1146 {
1147 mbedtls_md_context_t shaCtx;
1148 const mbedtls_md_info_t *shaInfo = NULL;
1149
1150 mbedtls_md_init(&shaCtx);
1151 shaInfo = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
1152 if (shaInfo == NULL) {
1153 return -1;
1154 }
1155
1156 int ret = mbedtls_md_setup(&shaCtx, shaInfo, 1);
1157 if (ret != 0) {
1158 mbedtls_md_free(&shaCtx);
1159 return ret;
1160 }
1161
1162 /* pks count至少10000,与服务端保持一致 */
1163 ret = mbedtls_pkcs5_pbkdf2_hmac(&shaCtx, pw, pwLen, salt, saltLen, 10000, keyLen, key);
1164 if (ret != 0) {
1165 mbedtls_md_free(&shaCtx);
1166 return ret;
1167 }
1168
1169 mbedtls_md_free(&shaCtx);
1170
1171 return (ret);
1172 }
1173
1174 /* 配置共享密钥 */
polarssl_ssl_conf_psk(mbedtls_ssl_config_adapt * ctx,unsigned char * key,unsigned int keyLen,const unsigned char * ident,unsigned int identLen)1175 void polarssl_ssl_conf_psk(mbedtls_ssl_config_adapt *ctx, unsigned char *key, unsigned int keyLen,
1176 const unsigned char *ident, unsigned int identLen)
1177 {
1178 (void)mbedtls_ssl_conf_psk(ctx->config, key, keyLen, ident, identLen);
1179 }
1180
polarssl_pk_parse_keyfile(mbedtls_pk_context * ctx,const char * path,const char * password)1181 int polarssl_pk_parse_keyfile(mbedtls_pk_context *ctx, const char *path, const char *password)
1182 {
1183 return mbedtls_pk_parse_keyfile(ctx, path, password, myrand, NULL);
1184 }
1185
polarssl_pk_parse_key(mbedtls_pk_context * ctx,const unsigned char * key,size_t keylen,const unsigned char * pwd,size_t pwdlen)1186 int polarssl_pk_parse_key(mbedtls_pk_context *ctx, const unsigned char *key, size_t keylen,
1187 const unsigned char *pwd, size_t pwdlen)
1188 {
1189 return mbedtls_pk_parse_key(ctx, key, keylen, pwd, pwdlen, myrand, NULL);
1190 }
1191
polarssl_pk_check_pair(const mbedtls_pk_context * pub,const mbedtls_pk_context * prv)1192 int polarssl_pk_check_pair(const mbedtls_pk_context *pub, const mbedtls_pk_context *prv)
1193 {
1194 return mbedtls_pk_check_pair(pub, prv, myrand, NULL);
1195 }
1196
1197
pem_pbkdf1(unsigned char * key,size_t keylen,unsigned char * iv,const unsigned char * pwd,size_t pwdlen)1198 static int pem_pbkdf1( unsigned char *key, size_t keylen,
1199 unsigned char *iv,
1200 const unsigned char *pwd, size_t pwdlen )
1201 {
1202 mbedtls_md5_context md5_ctx;
1203 unsigned char md5sum[16];
1204 size_t use_len;
1205 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1206
1207 mbedtls_md5_init( &md5_ctx );
1208
1209 /*
1210 * key[ 0..15] = MD5(pwd || IV)
1211 */
1212 if( ( ret = mbedtls_md5_starts( &md5_ctx ) ) != 0 )
1213 goto exit;
1214 if( ( ret = mbedtls_md5_update( &md5_ctx, pwd, pwdlen ) ) != 0 )
1215 goto exit;
1216 if( ( ret = mbedtls_md5_update( &md5_ctx, iv, 8 ) ) != 0 )
1217 goto exit;
1218 if( ( ret = mbedtls_md5_finish( &md5_ctx, md5sum ) ) != 0 )
1219 goto exit;
1220
1221 if( keylen <= 16 )
1222 {
1223 memcpy( key, md5sum, keylen );
1224 goto exit;
1225 }
1226
1227 memcpy( key, md5sum, 16 );
1228
1229 /*
1230 * key[16..23] = MD5(key[ 0..15] || pwd || IV])
1231 */
1232 if( ( ret = mbedtls_md5_starts( &md5_ctx ) ) != 0 )
1233 goto exit;
1234 if( ( ret = mbedtls_md5_update( &md5_ctx, md5sum, 16 ) ) != 0 )
1235 goto exit;
1236 if( ( ret = mbedtls_md5_update( &md5_ctx, pwd, pwdlen ) ) != 0 )
1237 goto exit;
1238 if( ( ret = mbedtls_md5_update( &md5_ctx, iv, 8 ) ) != 0 )
1239 goto exit;
1240 if( ( ret = mbedtls_md5_finish( &md5_ctx, md5sum ) ) != 0 )
1241 goto exit;
1242
1243 use_len = 16;
1244 if( keylen < 32 )
1245 use_len = keylen - 16;
1246
1247 memcpy( key + 16, md5sum, use_len );
1248
1249 exit:
1250 mbedtls_md5_free( &md5_ctx );
1251 mbedtls_platform_zeroize( md5sum, 16 );
1252
1253 return( ret );
1254 }
1255
1256
pem_aes_encrypt(unsigned char * aes_iv,unsigned int keylen,unsigned char * buf,size_t buflen,const unsigned char * pwd,size_t pwdlen)1257 static int pem_aes_encrypt(unsigned char *aes_iv, unsigned int keylen, unsigned char *buf, size_t buflen,
1258 const unsigned char *pwd, size_t pwdlen)
1259 {
1260 int ret;
1261 unsigned char aes_key[32];
1262 mbedtls_aes_context aes_ctx;
1263
1264 mbedtls_aes_init(&aes_ctx);
1265
1266 ret = pem_pbkdf1(aes_key, keylen, aes_iv, pwd, pwdlen);
1267 if (ret != 0 )
1268 goto exit;
1269
1270 ret = mbedtls_aes_setkey_enc(&aes_ctx, aes_key, keylen * 8);
1271 if (ret != 0)
1272 goto exit;
1273
1274 ret = mbedtls_aes_crypt_cbc(&aes_ctx, MBEDTLS_AES_ENCRYPT, buflen, aes_iv, buf, buf);
1275
1276 exit:
1277 mbedtls_aes_free(&aes_ctx);
1278 mbedtls_platform_zeroize(aes_key, keylen);
1279
1280 return ret;
1281 }
1282
1283
mbedtls_pem_generate_iv(unsigned char * iv,int len)1284 static int mbedtls_pem_generate_iv(unsigned char *iv, int len)
1285 {
1286 int ret;
1287 mbedtls_entropy_context entropy;
1288 mbedtls_ctr_drbg_context drbgCtx;
1289
1290 mbedtls_ctr_drbg_init(&drbgCtx);
1291 mbedtls_entropy_init(&entropy);
1292
1293 ret = mbedtls_ctr_drbg_seed(&drbgCtx, mbedtls_entropy_func, &entropy, NULL, 0);
1294 if (ret != 0)
1295 goto cleanup;
1296
1297 ret = mbedtls_ctr_drbg_random(&drbgCtx, iv, len);
1298 if (ret != 0)
1299 goto cleanup;
1300
1301 cleanup:
1302 mbedtls_ctr_drbg_free(&drbgCtx);
1303 mbedtls_entropy_free(&entropy);
1304 return ret;
1305 }
1306
mbedtls_pem_write_crypt_buffer(const char * header,const char * footer,unsigned char * der_data,size_t der_len,const unsigned char * pwd,size_t pwdlen,unsigned char * buf,size_t buf_len,size_t * olen)1307 int mbedtls_pem_write_crypt_buffer(const char *header, const char *footer,
1308 unsigned char *der_data, size_t der_len,
1309 const unsigned char * pwd, size_t pwdlen,
1310 unsigned char *buf, size_t buf_len, size_t *olen)
1311 {
1312 int i;
1313 int ret;
1314 char head[256];
1315 char iv[33];
1316 unsigned char aes_iv[17];
1317
1318 ret = mbedtls_pem_generate_iv(aes_iv, 16);
1319 if (ret != 0)
1320 return ret;
1321
1322 memset(iv, 0x00, sizeof(iv));
1323 for (i = 0; i < 16; i++)
1324 sprintf(iv + i * 2, "%02X", aes_iv[i]);
1325
1326 ret = pem_aes_encrypt(aes_iv, 32, der_data, der_len, pwd, pwdlen);
1327 if (ret != 0)
1328 return ret;
1329
1330 memset(buf, 0, buf_len);
1331 sprintf(head, "%s%s\n\n", header, iv);
1332 ret = mbedtls_pem_write_buffer(head, footer, der_data, der_len, buf, buf_len, olen);
1333
1334 return ret;
1335 }
1336
mbedtls_x509_crt_check_date(const char * filename)1337 int mbedtls_x509_crt_check_date(const char* filename)
1338 {
1339 int ret = 0;
1340 mbedtls_x509_crt crt ;
1341
1342 memset( &crt, 0, sizeof( mbedtls_x509_crt ) );
1343 ret = mbedtls_x509_crt_parse_file( &crt, filename );
1344 if( ret != 0 )
1345 return ( ret );
1346
1347 if(polarssl_ischeck_crttime(&crt) && mbedtls_x509_time_is_past(&crt.valid_to))
1348 {
1349 mbedtls_x509_crt_free( &crt );
1350 return ( MBEDTLS_X509_BADCERT_EXPIRED );
1351 }
1352
1353 if(polarssl_ischeck_crttime(&crt) && mbedtls_x509_time_is_future(&crt.valid_from))
1354 {
1355 mbedtls_x509_crt_free(&crt);
1356 return ( MBEDTLS_X509_BADCERT_FUTURE );
1357 }
1358 mbedtls_x509_crt_free(&crt);
1359
1360 return ( 0 );
1361 }
1362
1363
1364 #define PEM_ENCRYPT_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,"
1365 #define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----\n"
1366 #define PEM_ENCRYPT_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,"
1367 #define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----\n"
1368
1369 #if defined(MBEDTLS_RSA_C)
1370 #define MPI_MAX_SIZE_2 ( MBEDTLS_MPI_MAX_SIZE / 2 + MBEDTLS_MPI_MAX_SIZE % 2 )
1371 #define RSA_PRV_DER_MAX_BYTES ( 47 + 3 * MBEDTLS_MPI_MAX_SIZE + 5 * MPI_MAX_SIZE_2 )
1372 #else /* MBEDTLS_RSA_C */
1373 #define RSA_PRV_DER_MAX_BYTES 0
1374 #endif /* MBEDTLS_RSA_C */
1375 #if defined(MBEDTLS_ECP_C)
1376 #define ECP_PRV_DER_MAX_BYTES ( 29 + 3 * MBEDTLS_ECP_MAX_BYTES )
1377 #else /* MBEDTLS_ECP_C */
1378 #define ECP_PRV_DER_MAX_BYTES 0
1379 #endif /* MBEDTLS_ECP_C */
1380 #define PRV_DER_MAX_BYTES ( RSA_PRV_DER_MAX_BYTES > ECP_PRV_DER_MAX_BYTES ? RSA_PRV_DER_MAX_BYTES : ECP_PRV_DER_MAX_BYTES )
1381
mbedtls_pk_write_crypt_key_pem(mbedtls_pk_context * key,const unsigned char * pwd,unsigned char * buf,size_t size)1382 int mbedtls_pk_write_crypt_key_pem(mbedtls_pk_context *key, const unsigned char *pwd, unsigned char *buf, size_t size )
1383 {
1384 int ret;
1385 int i;
1386 size_t olen = 0;
1387 int plain_len;
1388 int pad_len;
1389 unsigned char output_buf[PRV_DER_MAX_BYTES];
1390 unsigned char plain[PRV_DER_MAX_BYTES];
1391 const char *begin, *end;
1392
1393 if ((key == NULL) || (pwd == NULL) || (buf == NULL) || (size == 0))
1394 return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
1395
1396 ret = mbedtls_pk_write_key_der(key, output_buf, sizeof(output_buf));
1397 if (ret < 0)
1398 return ret;
1399
1400 plain_len = (ret % 16) == 0 ? ret : ((ret / 16 + 1) * 16);
1401 memset(plain, 0x00, sizeof(plain));
1402 memcpy(plain, output_buf + sizeof(output_buf) - ret, ret);
1403 pad_len = plain_len - ret;
1404
1405 for (i = 0; i < pad_len; i++)
1406 plain[ret + i] = pad_len;
1407
1408 if ( mbedtls_pk_get_type( key ) == MBEDTLS_PK_RSA )
1409 {
1410 begin = PEM_ENCRYPT_BEGIN_PRIVATE_KEY_RSA;
1411 end = PEM_END_PRIVATE_KEY_RSA;
1412 }
1413 else if ( mbedtls_pk_get_type( key ) == MBEDTLS_PK_ECKEY )
1414 {
1415 begin = PEM_ENCRYPT_BEGIN_PRIVATE_KEY_EC;
1416 end = PEM_END_PRIVATE_KEY_EC;
1417 }
1418 else {
1419 return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
1420 }
1421
1422 return mbedtls_pem_write_crypt_buffer(begin, end, plain, plain_len,
1423 pwd, strlen((const char*)pwd), buf, size, &olen );
1424 }
1425
x509_info_subject_alt_name(char ** buf,size_t * size,const mbedtls_x509_sequence * subject_alt_name,const char * prefix)1426 int x509_info_subject_alt_name( char **buf, size_t *size,
1427 const mbedtls_x509_sequence *subject_alt_name,
1428 const char *prefix )
1429 {
1430 int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
1431 size_t n = *size;
1432 char *p = *buf;
1433 const mbedtls_x509_sequence *cur = subject_alt_name;
1434 mbedtls_x509_subject_alternative_name san;
1435 int parse_ret;
1436
1437 while( cur != NULL )
1438 {
1439 memset( &san, 0, sizeof( san ) );
1440 parse_ret = mbedtls_x509_parse_subject_alt_name( &cur->buf, &san );
1441 if( parse_ret != 0 )
1442 {
1443 if( parse_ret == MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE )
1444 {
1445 ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix );
1446 MBEDTLS_X509_SAFE_SNPRINTF;
1447 }
1448 else
1449 {
1450 ret = mbedtls_snprintf( p, n, "\n%s <malformed>", prefix );
1451 MBEDTLS_X509_SAFE_SNPRINTF;
1452 }
1453 cur = cur->next;
1454 continue;
1455 }
1456
1457 switch( san.type )
1458 {
1459 /*
1460 * otherName
1461 */
1462 case MBEDTLS_X509_SAN_OTHER_NAME:
1463 {
1464 mbedtls_x509_san_other_name *other_name = &san.san.other_name;
1465
1466 ret = mbedtls_snprintf( p, n, "\n%s otherName :", prefix );
1467 MBEDTLS_X509_SAFE_SNPRINTF;
1468
1469 if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME,
1470 &other_name->value.hardware_module_name.oid ) != 0 )
1471 {
1472 ret = mbedtls_snprintf( p, n, "\n%s hardware module name :", prefix );
1473 MBEDTLS_X509_SAFE_SNPRINTF;
1474 ret = mbedtls_snprintf( p, n, "\n%s hardware type : ", prefix );
1475 MBEDTLS_X509_SAFE_SNPRINTF;
1476
1477 ret = mbedtls_oid_get_numeric_string( p, n, &other_name->value.hardware_module_name.oid );
1478 MBEDTLS_X509_SAFE_SNPRINTF;
1479
1480 ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix );
1481 MBEDTLS_X509_SAFE_SNPRINTF;
1482
1483 if( other_name->value.hardware_module_name.val.len >= n )
1484 {
1485 *p = '\0';
1486 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
1487 }
1488
1489 memcpy( p, other_name->value.hardware_module_name.val.p,
1490 other_name->value.hardware_module_name.val.len );
1491 p += other_name->value.hardware_module_name.val.len;
1492
1493 n -= other_name->value.hardware_module_name.val.len;
1494
1495 }/* MBEDTLS_OID_ON_HW_MODULE_NAME */
1496 }
1497 break;
1498
1499 /*
1500 * dNSName
1501 */
1502 case MBEDTLS_X509_SAN_DNS_NAME:
1503 {
1504 ret = mbedtls_snprintf( p, n, "\n%s dNSName : ", prefix );
1505 MBEDTLS_X509_SAFE_SNPRINTF;
1506 if( san.san.unstructured_name.len >= n )
1507 {
1508 *p = '\0';
1509 return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL );
1510 }
1511
1512 memcpy( p, san.san.unstructured_name.p, san.san.unstructured_name.len );
1513 p += san.san.unstructured_name.len;
1514 n -= san.san.unstructured_name.len;
1515 }
1516 break;
1517
1518 /*
1519 * Type not supported, skip item.
1520 */
1521 default:
1522 ret = mbedtls_snprintf( p, n, "\n%s <unsupported>", prefix );
1523 MBEDTLS_X509_SAFE_SNPRINTF;
1524 break;
1525 }
1526
1527 cur = cur->next;
1528 }
1529
1530 *p = '\0';
1531
1532 *size = n;
1533 *buf = p;
1534
1535 return( 0 );
1536 }
1537 #endif
1538
1539