Merge branch 'mbedtls' of git://github.com/qykth-git/Gauche into qykt…

…h-git-mbedtls
shirok · Jun 2, 2018 · d449f01 · d449f01
2 parents 201c34d + 3a420d6
commit d449f01
Show file tree

Hide file tree

Showing 10 changed files with 250 additions and 42 deletions.
diff --git a/AUTHORS b/AUTHORS
@@ -28,5 +28,5 @@ OGURISU Osamu
 OOHASHI Daichi
 Shin-ichi Hirata
 Tatsuya BIZENN
-Yokota Hiroshi
+YOKOTA Hiroshi
 Yuuki Takahashi
diff --git a/configure.ac b/configure.ac
@@ -888,12 +888,9 @@ m4_include([ext/tls/tls.ac])
 dnl Setup STATIC_LIBS
 STATIC_LIBS=
 for lib in $EXT_LIBS $LIBS; do
-  if [ echo "$STATIC_LIBS" | grep -e $lib > /dev/null 2>&1 ]
-  then
-    : # lib is alreay in STATIC_LIBS.  do nothing
-  else
-    STATIC_LIBS="$STATIC_LIBS $lib"
-  fi
+  AS_IF([ echo "${STATIC_LIBS}" | grep -F -w -e "${lib}" > /dev/null 2>&1 ],
+        [], dnl lib is alreay in STATIC_LIBS.  do nothing
+        [STATIC_LIBS="$STATIC_LIBS $lib"])
 done
 STATIC_LIBS="`echo $LIBGAUCHE_STATIC | sed s/^lib/-l/` $STATIC_LIBS"
 AC_SUBST(STATIC_LIBS)

diff --git a/ext/tls/Makefile.in b/ext/tls/Makefile.in
@@ -53,6 +53,8 @@ SSLTEST_OBJECTS = axTLS/ssl/test/ssltest.mod.$(OBJEXT)
 
 @GAUCHE_TLS_SWITCH_AXTLS@EXTRA_DIRS_TARGET = axtls_dirs
 
+@GAUCHE_TLS_SWITCH_MBEDTLS@XLIBS = -lmbedtls -lmbedx509 -lmbedcrypto
+
 GENERATED = Makefile kick_openssl.sh
 XCLEANFILES = rfc--tls.c *.sci $(AXTLS_OBJECTS) $(SSLTEST_OBJECTS) $(SSLTEST_GENERATED) $(SSLTEST) ssltest.log axTLS/ssl/openssl.pid axtls_dirs
 

diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h
@@ -2,6 +2,7 @@
  * gauche-tls.h - TLS secure connection interface
  *
  *   Copyright (c) 2011 Kirill Zorin <k.zorin@me.com>
+ *                 2018 YOKOTA Hiroshi
  *
  *   Redistribution and use in source and binary forms, with or without
  *   modification, are permitted provided that the following conditions
@@ -43,7 +44,20 @@
 
 #if defined(GAUCHE_USE_AXTLS)
 #include "axTLS/ssl/ssl.h"
-#else /*!GAUCHE_USE_AXTLS*/
+#elif defined(GAUCHE_USE_MBEDTLS)
+#include <mbedtls/ssl.h>
+#include <mbedtls/net_sockets.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+
+#ifndef X509_CA_FILE
+#define X509_CA_FILE "ca-cert.crt"
+#endif
+
+#endif
+
+#ifndef GAUCHE_USE_AXTLS
+/* dummy symbols */
 #define SSL_CLIENT_AUTHENTICATION               0x00010000
 #define SSL_SERVER_VERIFY_LATER                 0x00020000
 #define SSL_NO_DEFAULT_KEY                      0x00040000
@@ -57,7 +71,7 @@
 #define SSL_OBJ_RSA_KEY                         3
 #define SSL_OBJ_PKCS8                           4
 #define SSL_OBJ_PKCS12                          5
-#endif /*!GAUCHE_USE_AXTLS*/
+#endif
 
 SCM_DECL_BEGIN
 
@@ -67,7 +81,17 @@ typedef struct ScmTLSRec {
   SSL_CTX* ctx;
   SSL* conn;
   ScmPort* in_port, * out_port;
-#endif /*GAUCHE_USE_AXTLS*/
+#elif defined(GAUCHE_USE_MBEDTLS)
+  mbedtls_ssl_context ctx;
+  mbedtls_net_context conn;
+  mbedtls_entropy_context entropy;
+  mbedtls_ctr_drbg_context ctr_drbg;
+  mbedtls_ssl_config conf;
+  mbedtls_x509_crt ca;
+
+  ScmString *server_name;
+  ScmPort *in_port, *out_port;
+#endif
 } ScmTLS;
 
 SCM_CLASS_DECL(Scm_TLSClass);
@@ -76,7 +100,7 @@ SCM_CLASS_DECL(Scm_TLSClass);
 #define SCM_TLS(obj)    ((ScmTLS*)obj)
 #define SCM_TLSP(obj)   SCM_XTYPEP(obj, SCM_CLASS_TLS)
 
-extern ScmObj Scm_MakeTLS(uint32_t options, int num_sessions);
+extern ScmObj Scm_MakeTLS(uint32_t options, int num_sessions, ScmString* server_name);
 extern ScmObj Scm_TLSDestroy(ScmTLS* t);
 extern ScmObj Scm_TLSLoadObject(ScmTLS* t, ScmObj obj_type,
                                 const char *filename,

diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac
@@ -11,14 +11,15 @@ dnl   In future we may support 'openssl' as well.
 dnl
 AC_ARG_ENABLE(tls,
   AS_HELP_STRING([--enable-tls=TYPE], [enable TLS/SSL support.  TYPE can be
-  'axtls' (to use bundled source of Cameron Rich's axTLS), or 'none'
-  (disable TLS/SSL support)]),
+  'axtls' (to use bundled source of Cameron Rich's axTLS), 'mbedtls' (to use
+  mbed TLS), or 'none' (disable TLS/SSL support)]),
   [
     AS_CASE([$enableval],
       [no|none], [enable_tls=no],
       [axtls],   [enable_tls=axtls],
+      [mbedtls], [enable_tls=mbedtls],
 dnl      [openssl], [enable_tls=openssl],
-		 [echo "TLS type must be either one of 'axtls' or 'none'"])
+		 [echo "TLS type must be either one of 'axtls', 'mbedtls' or 'none'"])
   ], [enable_tls=axtls])
 
 AS_CASE([$enable_tls],
@@ -34,8 +35,19 @@ AS_CASE([$enable_tls],
 	   ], [
 	     GAUCHE_TLS_SWITCH_AXTLS_TEST=
 	   ])
+	   GAUCHE_TLS_SWITCH_MBEDTLS="@%:@"
 	   GAUCHE_TLS_SWITCH_NONE="@%:@"
 	   ],
+  [mbedtls], [
+	   AC_DEFINE(GAUCHE_USE_MBEDTLS, 1, [Define if you use mbed TLS])
+	   GAUCHE_TLS_TYPE=mbedTLS
+	   GAUCHE_TLS_SWITCH_AXTLS="@%:@"
+	   GAUCHE_TLS_SWITCH_AXTLS_TEST="@%:@"
+	   GAUCHE_TLS_SWITCH_MBEDTLS=
+	   GAUCHE_TLS_SWITCH_NONE="@%:@"
+
+	   EXT_LIBS="${EXT_LIBS} -lmbedtls -lmbedx509 -lmbedcrypto"
+	  ],
 dnl [openssl], [
 dnl	   AC_DEFINE(GAUCHE_USE_OPENSSL, 1, [Define if you use openssl])
 dnl	   GAUCHE_TLS_TYPE=openssl
@@ -45,13 +57,27 @@ dnl	  ],
 	   GAUCHE_TLS_TYPE=none
 	   GAUCHE_TLS_SWITCH_AXTLS="@%:@"
 	   GAUCHE_TLS_SWITCH_AXTLS_TEST="@%:@"
+	   GAUCHE_TLS_SWITCH_MBEDTLS="@%:@"
 	   GAUCHE_TLS_SWITCH_NONE=
 	  ])
 
 AC_SUBST(GAUCHE_TLS_SWITCH_AXTLS)
 AC_SUBST(GAUCHE_TLS_SWITCH_AXTLS_TEST)
+AC_SUBST(GAUCHE_TLS_SWITCH_MBEDTLS)
 AC_SUBST(GAUCHE_TLS_SWITCH_NONE)
 
+AC_ARG_ENABLE([tls-ca-file-path],
+  AS_HELP_STRING([--enable-tls-ca-file-path=/path/to/ca-cert.crt],
+		 [Specify CA certificate file path for TLS certificate validation. This file is required to use mbed TLS.]),
+  [
+    AS_CASE([$enable_tls_ca_file_path],
+	[yes|no], [AC_DEFINE([X509_CA_FILE], ["ca-cert.crt"])],
+                  [AC_DEFINE_UNQUOTED([X509_CA_FILE], ["$enable_tls_ca_file_path"], [CA file path])]
+     )
+  ], [
+    AC_DEFINE([X509_CA_FILE], ["ca-cert.crt"])
+  ])
+
 dnl
 dnl Check openssl command; if available, we use it for axTLS tests.
 dnl This is needed even if we don't support libopenssl binding.