From bf91fd4da76a0c9780557b7a3581547323d78102 Mon Sep 17 00:00:00 2001 From: yokota Date: Thu, 17 May 2018 08:34:15 +0900 Subject: [PATCH 01/48] Add "mbed TLS" type to TLS type --- ext/tls/tls.ac | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index ae7626b3fb..2e3e8dbc96 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -17,8 +17,9 @@ AC_ARG_ENABLE(tls, AS_CASE([$enableval], [no|none], [enable_tls=no], [axtls], [enable_tls=axtls], + [mbedtls], [enable_tls=mbedtls], dnl [openssl], [enable_tls=openssl], - [echo "TLS type must be either one of 'axtls' or 'none'"]) + [echo "TLS type must be either one of 'axtls', 'mbedtls' or 'none'"]) ], [enable_tls=axtls]) AS_CASE([$enable_tls], @@ -36,6 +37,10 @@ AS_CASE([$enable_tls], ]) GAUCHE_TLS_SWITCH_NONE="@%:@" ], + [mbedtls], [ + AC_DEFINE(GAUCHE_USE_MBEDTLS, 1, [Define if you use mbed TLS]) + GAUCHE_TLS_TYPE=mbedtls + ], dnl [openssl], [ dnl AC_DEFINE(GAUCHE_USE_OPENSSL, 1, [Define if you use openssl]) dnl GAUCHE_TLS_TYPE=openssl From 1a46774bdb212d222801fe6f63ba6c319dc8196d Mon Sep 17 00:00:00 2001 From: yokota Date: Thu, 17 May 2018 08:53:53 +0900 Subject: [PATCH 02/48] Add Makefile switch to mbed TLS --- ext/tls/tls.ac | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index 2e3e8dbc96..bacabd71d5 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -40,6 +40,10 @@ AS_CASE([$enable_tls], [mbedtls], [ AC_DEFINE(GAUCHE_USE_MBEDTLS, 1, [Define if you use mbed TLS]) GAUCHE_TLS_TYPE=mbedtls + GAUCHE_TLS_SWITCH_AXTLS="@%:@" + GAUCHE_TLS_SWITCH_AXTLS_TEST="@%:@" + GAUCHE_TLS_SWITCH_MBEDTLS= + GAUCHE_TLS_SWITCH_NONE="@%:@" ], dnl [openssl], [ dnl AC_DEFINE(GAUCHE_USE_OPENSSL, 1, [Define if you use openssl]) From f8589ccb72177901287cd4c08a45ece4185308af Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 27 May 2018 06:17:59 +0900 Subject: [PATCH 03/48] Use canonical name of "mbed TLS" library --- ext/tls/tls.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index bacabd71d5..d52c8cf15a 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -39,7 +39,7 @@ AS_CASE([$enable_tls], ], [mbedtls], [ AC_DEFINE(GAUCHE_USE_MBEDTLS, 1, [Define if you use mbed TLS]) - GAUCHE_TLS_TYPE=mbedtls + GAUCHE_TLS_TYPE=mbedTLS GAUCHE_TLS_SWITCH_AXTLS="@%:@" GAUCHE_TLS_SWITCH_AXTLS_TEST="@%:@" GAUCHE_TLS_SWITCH_MBEDTLS= From e8339fc81480ef088b9e443ada9fac082cd063e4 Mon Sep 17 00:00:00 2001 From: yokota Date: Thu, 17 May 2018 21:57:16 +0900 Subject: [PATCH 04/48] Add substitution --- ext/tls/tls.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index d52c8cf15a..59df55d328 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -59,6 +59,7 @@ dnl ], AC_SUBST(GAUCHE_TLS_SWITCH_AXTLS) AC_SUBST(GAUCHE_TLS_SWITCH_AXTLS_TEST) +AC_SUBST(GAUCHE_TLS_SWITCH_MBEDTLS) AC_SUBST(GAUCHE_TLS_SWITCH_NONE) dnl From 8627458465ebf8ba9a816bf1350dcf7ff5de70ed Mon Sep 17 00:00:00 2001 From: yokota Date: Thu, 17 May 2018 23:23:58 +0900 Subject: [PATCH 05/48] Add mbed TLS switch value --- ext/tls/tls.ac | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index 59df55d328..c65b55a887 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -35,6 +35,7 @@ AS_CASE([$enable_tls], ], [ GAUCHE_TLS_SWITCH_AXTLS_TEST= ]) + GAUCHE_TLS_SWITCH_MBEDTLS="@%:@" GAUCHE_TLS_SWITCH_NONE="@%:@" ], [mbedtls], [ @@ -54,6 +55,7 @@ dnl ], GAUCHE_TLS_TYPE=none GAUCHE_TLS_SWITCH_AXTLS="@%:@" GAUCHE_TLS_SWITCH_AXTLS_TEST="@%:@" + GAUCHE_TLS_SWITCH_MBEDTLS="@%:@" GAUCHE_TLS_SWITCH_NONE= ]) From d694e93c46f52cc53644fc3697d7542267a61b74 Mon Sep 17 00:00:00 2001 From: yokota Date: Fri, 18 May 2018 08:15:49 +0900 Subject: [PATCH 06/48] Add mbed TLS stub code --- ext/tls/gauche-tls.h | 21 +++++++++++++++++++++ ext/tls/tls.c | 43 ++++++++++++++++++++++++++++++++++-------- src/gauche/config.h.in | 3 +++ 3 files changed, 59 insertions(+), 8 deletions(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index ac22c4db49..6fb172ca2e 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -43,6 +43,23 @@ #if defined(GAUCHE_USE_AXTLS) #include "axTLS/ssl/ssl.h" +#elif defined(GAUCHE_USE_MBEDTLS) +#include +#include +#define SSL_CLIENT_AUTHENTICATION 0x00010000 +#define SSL_SERVER_VERIFY_LATER 0x00020000 +#define SSL_NO_DEFAULT_KEY 0x00040000 +#define SSL_DISPLAY_STATES 0x00080000 +#define SSL_DISPLAY_BYTES 0x00100000 +#define SSL_DISPLAY_CERTS 0x00200000 +#define SSL_DISPLAY_RSA 0x00400000 +#define SSL_CONNECT_IN_PARTS 0x00800000 +#define SSL_OBJ_X509_CERT 1 +#define SSL_OBJ_X509_CACERT 2 +#define SSL_OBJ_RSA_KEY 3 +#define SSL_OBJ_PKCS8 4 +#define SSL_OBJ_PKCS12 5 + #else /*!GAUCHE_USE_AXTLS*/ #define SSL_CLIENT_AUTHENTICATION 0x00010000 #define SSL_SERVER_VERIFY_LATER 0x00020000 @@ -67,6 +84,10 @@ typedef struct ScmTLSRec { SSL_CTX* ctx; SSL* conn; ScmPort* in_port, * out_port; +#elif defined(GAUCHE_USE_MBEDTLS) + mbedtls_ssl_context *ctx; + mbedtls_net_context *conn; + ScmPort *in_port, *out_port; #endif /*GAUCHE_USE_AXTLS*/ } ScmTLS; diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 538497c8d6..9089d7a585 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -55,19 +55,21 @@ static void tls_finalize(ScmObj obj, void* data) ssl_ctx_free(t->ctx); t->ctx = NULL; } +#elif defined(GAUCHE_USE_MBEDTLS) + #endif /*GAUCHE_USE_AXTLS*/ } static void context_check(ScmTLS* tls, const char* op) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) if (!tls->ctx) Scm_Error("attempt to %s destroyed TLS: %S", op, tls); #endif /*GAUCHE_USE_AXTLS*/ } static void close_check(ScmTLS* tls, const char* op) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) if (!tls->conn) Scm_Error("attempt to %s closed TLS: %S", op, tls); #endif /*GAUCHE_USE_AXTLS*/ } @@ -80,6 +82,8 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) t->ctx = ssl_ctx_new(options, num_sessions); t->conn = NULL; t->in_port = t->out_port = 0; +#elif defined(GAUCHE_USE_MBEDTLS) + #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); return SCM_OBJ(t); @@ -90,7 +94,7 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) up all fds, so explicit destruction is recommended whenever possible. */ ScmObj Scm_TLSDestroy(ScmTLS* t) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) tls_finalize(SCM_OBJ(t), NULL); #endif /*GAUCHE_USE_AXTLS*/ return SCM_TRUE; @@ -104,6 +108,8 @@ ScmObj Scm_TLSClose(ScmTLS* t) t->conn = 0; t->in_port = t->out_port = 0; } +#elif defined(GAUCHE_USE_MBEDTLS) + #endif /*GAUCHE_USE_AXTLS*/ return SCM_TRUE; } @@ -115,6 +121,8 @@ ScmObj Scm_TLSLoadObject(ScmTLS* t, ScmObj obj_type, uint32_t type = Scm_GetIntegerU32Clamp(obj_type, SCM_CLAMP_ERROR, NULL); if (ssl_obj_load(t->ctx, type, filename, password) == SSL_OK) return SCM_TRUE; +#elif defined(GAUCHE_USE_MBEDTLS) + #endif /*GAUCHE_USE_AXTLS*/ return SCM_FALSE; } @@ -129,6 +137,9 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) if (r != SSL_OK) { Scm_Error("TLS handshake failed: %d", r); } +#elif defined(GAUCHE_USE_MBEDTLS) + context_check(t, "connect"); + #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); } @@ -139,6 +150,8 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) context_check(t, "accept"); if (t->conn) Scm_SysError("attempt to connect already-connected TLS %S", t); t->conn = ssl_server_new(t->ctx, fd); +#elif defined(GAUCHE_USE_MBEDTLS) + #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); } @@ -152,12 +165,17 @@ ScmObj Scm_TLSRead(ScmTLS* t) while ((r = ssl_read(t->conn, &buf)) == SSL_OK); if (r < 0) Scm_SysError("ssl_read() failed"); return Scm_MakeString((char*) buf, r, r, SCM_STRING_INCOMPLETE); +#elif defined(GAUCHE_USE_MBEDTLS) + context_check(t, "read"); + close_check(t, "read"); + + return SCM_FALSE; #else /*!GAUCHE_USE_AXTLS*/ return SCM_FALSE; #endif /*!GAUCHE_USE_AXTLS*/ } -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) static const uint8_t* get_message_body(ScmObj msg, u_int *size) { if (SCM_UVECTORP(msg)) { @@ -185,6 +203,11 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) Scm_SysError("ssl_write() failed"); } return SCM_MAKE_INT(r); +#elif defined(GAUCHE_USE_MBEDTLS) + context_check(t, "write"); + close_check(t, "write"); + + return SCM_FALSE; #else /*!GAUCHE_USE_AXTLS*/ return SCM_FALSE; #endif /*!GAUCHE_USE_AXTLS*/ @@ -192,21 +215,25 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) ScmObj Scm_TLSInputPort(ScmTLS* t) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) return SCM_OBJ(t->in_port); +#else + return SCM_UNDEFINED; #endif /*GAUCHE_USE_AXTLS*/ } ScmObj Scm_TLSOutputPort(ScmTLS* t) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) return SCM_OBJ(t->out_port); +#else + return SCM_UNDEFINED; #endif /*GAUCHE_USE_AXTLS*/ } ScmObj Scm_TLSInputPortSet(ScmTLS* t, ScmObj port) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) t->in_port = SCM_PORT(port); #endif /*GAUCHE_USE_AXTLS*/ return port; @@ -214,7 +241,7 @@ ScmObj Scm_TLSInputPortSet(ScmTLS* t, ScmObj port) ScmObj Scm_TLSOutputPortSet(ScmTLS* t, ScmObj port) { -#if defined(GAUCHE_USE_AXTLS) +#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) t->out_port = SCM_PORT(port); #endif /*GAUCHE_USE_AXTLS*/ return port; diff --git a/src/gauche/config.h.in b/src/gauche/config.h.in index 987f2b66af..ff28a155d5 100644 --- a/src/gauche/config.h.in +++ b/src/gauche/config.h.in @@ -44,6 +44,9 @@ /* Define if you use axTLS */ #undef GAUCHE_USE_AXTLS +/* Define if you use mbed TLS */ +#undef GAUCHE_USE_MBEDTLS + /* Define if we use pthreads */ #undef GAUCHE_USE_PTHREADS From 10447c07b6f567b6b857d09ad2250e45416460fc Mon Sep 17 00:00:00 2001 From: yokota Date: Fri, 18 May 2018 08:19:37 +0900 Subject: [PATCH 07/48] Add code --- ext/tls/tls.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 9089d7a585..2194eb7d31 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -56,7 +56,12 @@ static void tls_finalize(ScmObj obj, void* data) t->ctx = NULL; } #elif defined(GAUCHE_USE_MBEDTLS) - + if (t->ctx) { + Scm_TLSClose(t); + + + t->ctx = NULL; + } #endif /*GAUCHE_USE_AXTLS*/ } @@ -84,6 +89,8 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) t->in_port = t->out_port = 0; #elif defined(GAUCHE_USE_MBEDTLS) + t->conn = NULL; + t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); return SCM_OBJ(t); @@ -109,7 +116,12 @@ ScmObj Scm_TLSClose(ScmTLS* t) t->in_port = t->out_port = 0; } #elif defined(GAUCHE_USE_MBEDTLS) + if (t->ctx && t->conn) { + + t->conn = 0; + t->in_port = t->out_port = 0; + } #endif /*GAUCHE_USE_AXTLS*/ return SCM_TRUE; } @@ -151,6 +163,7 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) if (t->conn) Scm_SysError("attempt to connect already-connected TLS %S", t); t->conn = ssl_server_new(t->ctx, fd); #elif defined(GAUCHE_USE_MBEDTLS) + context_check(t, "accept"); #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); @@ -207,6 +220,9 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) context_check(t, "write"); close_check(t, "write"); + u_int size; + const uint8_t* cmsg = get_message_body(msg, &size); + return SCM_FALSE; #else /*!GAUCHE_USE_AXTLS*/ return SCM_FALSE; From 209e9bc87090578dc5a1b6d58570a75dda4801b6 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 11:20:43 +0900 Subject: [PATCH 08/48] Add required libraries --- ext/tls/Makefile.in | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ext/tls/Makefile.in b/ext/tls/Makefile.in index 92862505fd..9d27026a95 100644 --- a/ext/tls/Makefile.in +++ b/ext/tls/Makefile.in @@ -53,6 +53,8 @@ SSLTEST_OBJECTS = axTLS/ssl/test/ssltest.mod.$(OBJEXT) @GAUCHE_TLS_SWITCH_AXTLS@EXTRA_DIRS_TARGET = axtls_dirs +@GAUCHE_TLS_SWITCH_MBEDTLS@LIBS += -lmbedtls -lmbedx509 -lmbedcrypto + GENERATED = Makefile kick_openssl.sh XCLEANFILES = rfc--tls.c *.sci $(AXTLS_OBJECTS) $(SSLTEST_OBJECTS) $(SSLTEST_GENERATED) $(SSLTEST) ssltest.log axTLS/ssl/openssl.pid axtls_dirs From a344d52c1619632945a84846498f42747aae0285 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 12:22:01 +0900 Subject: [PATCH 09/48] Add initialize code --- ext/tls/gauche-tls.h | 7 +++++++ ext/tls/tls.c | 24 ++++++++++++++++++------ 2 files changed, 25 insertions(+), 6 deletions(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 6fb172ca2e..8e012148aa 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -46,6 +46,9 @@ #elif defined(GAUCHE_USE_MBEDTLS) #include #include +#include +#include + #define SSL_CLIENT_AUTHENTICATION 0x00010000 #define SSL_SERVER_VERIFY_LATER 0x00020000 #define SSL_NO_DEFAULT_KEY 0x00040000 @@ -87,6 +90,10 @@ typedef struct ScmTLSRec { #elif defined(GAUCHE_USE_MBEDTLS) mbedtls_ssl_context *ctx; mbedtls_net_context *conn; + mbedtls_entropy_context *entropy; + mbedtls_ctr_drbg_context *ctr_drbg; + mbedtls_ssl_config *conf; + ScmPort *in_port, *out_port; #endif /*GAUCHE_USE_AXTLS*/ } ScmTLS; diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 2194eb7d31..27befc4323 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -59,8 +59,14 @@ static void tls_finalize(ScmObj obj, void* data) if (t->ctx) { Scm_TLSClose(t); - + mbedtls_ssl_free(t->ctx); t->ctx = NULL; + mbedtls_ssl_config_free(t->conf); + t->conf = NULL; + mbedtls_ctr_drbg_free(t->ctr_drbg); + t->ctr_drbg = NULL; + mbedtls_entropy_free(t->entropy); + t->entropy = NULL; } #endif /*GAUCHE_USE_AXTLS*/ } @@ -88,8 +94,14 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) t->conn = NULL; t->in_port = t->out_port = 0; #elif defined(GAUCHE_USE_MBEDTLS) + mbedtls_ctr_drbg_init(t->ctr_drbg); + + mbedtls_net_init(t->conn); + mbedtls_ssl_init(t->ctx); + mbedtls_ssl_config_init(t->conf); + + mbedtls_entropy_init(t->entropy); - t->conn = NULL; t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); @@ -117,10 +129,10 @@ ScmObj Scm_TLSClose(ScmTLS* t) } #elif defined(GAUCHE_USE_MBEDTLS) if (t->ctx && t->conn) { - - - t->conn = 0; - t->in_port = t->out_port = 0; + mbedtls_ssl_close_notify(t->ctx); + mbedtls_net_free(t->conn); + t->conn = NULL; + t->in_port = t->out_port = 0; } #endif /*GAUCHE_USE_AXTLS*/ return SCM_TRUE; From f60afc84506d3f4a0e4e2e07f88903e7e5d3712c Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 13:46:59 +0900 Subject: [PATCH 10/48] Add reader and writer --- ext/tls/tls.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 27befc4323..55af51b17d 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -194,7 +194,13 @@ ScmObj Scm_TLSRead(ScmTLS* t) context_check(t, "read"); close_check(t, "read"); - return SCM_FALSE; + uint8_t buf[1024]; + int r; + r = mbedtls_ssl_read(t->ctx, buf, sizeof(buf)); + + if (r < 0) { Scm_SysError("mbedtls_ssl_read() failed"); } + + return Scm_MakeString((char *)buf, r, r, SCM_STRING_INCOMPLETE); #else /*!GAUCHE_USE_AXTLS*/ return SCM_FALSE; #endif /*!GAUCHE_USE_AXTLS*/ @@ -235,7 +241,10 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) u_int size; const uint8_t* cmsg = get_message_body(msg, &size); - return SCM_FALSE; + int r; + r = mbedtls_ssl_write(t->ctx, cmsg, size); + + return SCM_MAKE_INT(r); #else /*!GAUCHE_USE_AXTLS*/ return SCM_FALSE; #endif /*!GAUCHE_USE_AXTLS*/ From 32edaef23878f17e8ec389e08b26ec93b520c055 Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 20 May 2018 00:31:40 +0900 Subject: [PATCH 11/48] Copy imported data to own buffer --- ext/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 55af51b17d..3831083d39 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -200,7 +200,7 @@ ScmObj Scm_TLSRead(ScmTLS* t) if (r < 0) { Scm_SysError("mbedtls_ssl_read() failed"); } - return Scm_MakeString((char *)buf, r, r, SCM_STRING_INCOMPLETE); + return Scm_MakeString((char *)buf, r, r, SCM_STRING_INCOMPLETE | SCM_STRING_COPYING); #else /*!GAUCHE_USE_AXTLS*/ return SCM_FALSE; #endif /*!GAUCHE_USE_AXTLS*/ From e9f0999c72ddecd0f67a7b8b252357aa312fb1f3 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 14:26:55 +0900 Subject: [PATCH 12/48] Clear buffer --- ext/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 3831083d39..5500937d03 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -194,7 +194,7 @@ ScmObj Scm_TLSRead(ScmTLS* t) context_check(t, "read"); close_check(t, "read"); - uint8_t buf[1024]; + uint8_t buf[1024] = {}; int r; r = mbedtls_ssl_read(t->ctx, buf, sizeof(buf)); From d3142136519c3420ca4f7fb52079e4da20128a8b Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 14:26:34 +0900 Subject: [PATCH 13/48] Add configure code --- ext/tls/tls.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 5500937d03..853427d170 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -102,6 +102,13 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_entropy_init(t->entropy); + if (mbedtls_ssl_config_defaults(t->conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT) != 0) { + Scm_SysError("mbedtls_ssl_config_defaults() failed"); + } + t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); @@ -163,6 +170,10 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "connect"); + if (t->conn->fd < 0) { + Scm_SysError("attempt to connect already-connected TLS %S", t); + } + #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); From 36c9fa6ab5c98431a5d7fbd5c42706783ccb71e6 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 14:59:56 +0900 Subject: [PATCH 14/48] Add check code --- ext/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 853427d170..063e2c6f97 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -170,7 +170,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "connect"); - if (t->conn->fd < 0) { + if (t->conn == NULL || t->conn->fd < 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } From 3387cc031027c3c4055c50bb33ee2da8cfc2fd86 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 15:13:29 +0900 Subject: [PATCH 15/48] Fix check code --- ext/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 063e2c6f97..80f95f4800 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -170,7 +170,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "connect"); - if (t->conn == NULL || t->conn->fd < 0) { + if (t->conn != NULL && t->conn->fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } From 12d6d78fe51374d91e2f38f691d732204b928cc5 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 15:16:31 +0900 Subject: [PATCH 16/48] Connect fd --- ext/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 80f95f4800..e573b91750 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -173,7 +173,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) if (t->conn != NULL && t->conn->fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } - + t->conn->fd = fd; #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); From b0d0c54d3eb8b25490e007256557ae97ec6e2a19 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 15:22:01 +0900 Subject: [PATCH 17/48] Add handshake code --- ext/tls/tls.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index e573b91750..34ed50fb6e 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -174,7 +174,11 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) Scm_SysError("attempt to connect already-connected TLS %S", t); } t->conn->fd = fd; - + mbedtls_ssl_set_bio(t->ctx, t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); + int r = mbedtls_ssl_handshake(t->ctx); + if (r != 0) { + Scm_Error("TLS handshake failed: %d", r); + } #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); } @@ -187,6 +191,9 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) t->conn = ssl_server_new(t->ctx, fd); #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "accept"); + if (t->conn != NULL && t->conn->fd >= 0) { + Scm_SysError("attempt to connect already-connected TLS %S", t); + } #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); From 1450a0939e606221ae343b3f9b0cf0457c91685f Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 15:31:23 +0900 Subject: [PATCH 18/48] Set up connection to server --- ext/tls/tls.c | 20 +++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 34ed50fb6e..cb56e8a671 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -102,13 +102,6 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_entropy_init(t->entropy); - if (mbedtls_ssl_config_defaults(t->conf, - MBEDTLS_SSL_IS_CLIENT, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT) != 0) { - Scm_SysError("mbedtls_ssl_config_defaults() failed"); - } - t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); @@ -174,7 +167,20 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) Scm_SysError("attempt to connect already-connected TLS %S", t); } t->conn->fd = fd; + + if (mbedtls_ssl_config_defaults(t->conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT) != 0) { + Scm_SysError("mbedtls_ssl_config_defaults() failed"); + } + + if(mbedtls_ssl_setup(t->ctx, t->conf) != 0) { + Scm_SysError("mbedtls_ssl_setup() failed"); + } + mbedtls_ssl_set_bio(t->ctx, t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); + int r = mbedtls_ssl_handshake(t->ctx); if (r != 0) { Scm_Error("TLS handshake failed: %d", r); From 95e8f4456cf96cfbc4e010c26ef6b507f0866f4b Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 15:34:37 +0900 Subject: [PATCH 19/48] Add server side code --- ext/tls/tls.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index cb56e8a671..092873a53a 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -200,7 +200,25 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) if (t->conn != NULL && t->conn->fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } + t->conn->fd = fd; + if (mbedtls_ssl_config_defaults(t->conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT) != 0) { + Scm_SysError("mbedtls_ssl_config_defaults() failed"); + } + + if(mbedtls_ssl_setup(t->ctx, t->conf) != 0) { + Scm_SysError("mbedtls_ssl_setup() failed"); + } + + mbedtls_ssl_set_bio(t->ctx, t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); + + int r = mbedtls_ssl_handshake(t->ctx); + if (r != 0) { + Scm_Error("TLS handshake failed: %d", r); + } #endif /*GAUCHE_USE_AXTLS*/ return SCM_OBJ(t); } From 2cfdce3a9421d7c39b2f785d4d3305f84cd8b29c Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 16:03:37 +0900 Subject: [PATCH 20/48] Allocate context memory area by caller functions --- ext/tls/gauche-tls.h | 10 +++--- ext/tls/tls.c | 76 ++++++++++++++++++++++---------------------- 2 files changed, 43 insertions(+), 43 deletions(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 8e012148aa..e28d246cc4 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -88,11 +88,11 @@ typedef struct ScmTLSRec { SSL* conn; ScmPort* in_port, * out_port; #elif defined(GAUCHE_USE_MBEDTLS) - mbedtls_ssl_context *ctx; - mbedtls_net_context *conn; - mbedtls_entropy_context *entropy; - mbedtls_ctr_drbg_context *ctr_drbg; - mbedtls_ssl_config *conf; + mbedtls_ssl_context ctx; + mbedtls_net_context conn; + mbedtls_entropy_context entropy; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_ssl_config conf; ScmPort *in_port, *out_port; #endif /*GAUCHE_USE_AXTLS*/ diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 092873a53a..f749a4b97c 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -56,32 +56,34 @@ static void tls_finalize(ScmObj obj, void* data) t->ctx = NULL; } #elif defined(GAUCHE_USE_MBEDTLS) - if (t->ctx) { - Scm_TLSClose(t); - mbedtls_ssl_free(t->ctx); - t->ctx = NULL; - mbedtls_ssl_config_free(t->conf); - t->conf = NULL; - mbedtls_ctr_drbg_free(t->ctr_drbg); - t->ctr_drbg = NULL; - mbedtls_entropy_free(t->entropy); - t->entropy = NULL; - } + Scm_TLSClose(t); + + mbedtls_ssl_free(&t->ctx); + mbedtls_ssl_config_free(&t->conf); + mbedtls_ctr_drbg_free(&t->ctr_drbg); + mbedtls_entropy_free(&t->entropy); + #endif /*GAUCHE_USE_AXTLS*/ } static void context_check(ScmTLS* tls, const char* op) { -#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) +#if defined(GAUCHE_USE_AXTLS) if (!tls->ctx) Scm_Error("attempt to %s destroyed TLS: %S", op, tls); +#elif defined(GAUCHE_USE_MBEDTLS) + #endif /*GAUCHE_USE_AXTLS*/ } static void close_check(ScmTLS* tls, const char* op) { -#if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) +#if defined(GAUCHE_USE_AXTLS) if (!tls->conn) Scm_Error("attempt to %s closed TLS: %S", op, tls); +#elif defined(GAUCHE_USE_MBEDTLS) + if (tls->conn.fd < 0) { + Scm_Error("attempt to %s closed TLS: %S", op, tls); + } #endif /*GAUCHE_USE_AXTLS*/ } @@ -94,13 +96,13 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) t->conn = NULL; t->in_port = t->out_port = 0; #elif defined(GAUCHE_USE_MBEDTLS) - mbedtls_ctr_drbg_init(t->ctr_drbg); + mbedtls_ctr_drbg_init(&t->ctr_drbg); - mbedtls_net_init(t->conn); - mbedtls_ssl_init(t->ctx); - mbedtls_ssl_config_init(t->conf); + mbedtls_net_init(&t->conn); + mbedtls_ssl_init(&t->ctx); + mbedtls_ssl_config_init(&t->conf); - mbedtls_entropy_init(t->entropy); + mbedtls_entropy_init(&t->entropy); t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ @@ -128,12 +130,10 @@ ScmObj Scm_TLSClose(ScmTLS* t) t->in_port = t->out_port = 0; } #elif defined(GAUCHE_USE_MBEDTLS) - if (t->ctx && t->conn) { - mbedtls_ssl_close_notify(t->ctx); - mbedtls_net_free(t->conn); - t->conn = NULL; - t->in_port = t->out_port = 0; - } + + mbedtls_ssl_close_notify(&t->ctx); + mbedtls_net_free(&t->conn); + t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ return SCM_TRUE; } @@ -163,25 +163,25 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "connect"); - if (t->conn != NULL && t->conn->fd >= 0) { + if (t->conn.fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } - t->conn->fd = fd; + t->conn.fd = fd; - if (mbedtls_ssl_config_defaults(t->conf, + if (mbedtls_ssl_config_defaults(&t->conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) { Scm_SysError("mbedtls_ssl_config_defaults() failed"); } - if(mbedtls_ssl_setup(t->ctx, t->conf) != 0) { + if(mbedtls_ssl_setup(&t->ctx, &t->conf) != 0) { Scm_SysError("mbedtls_ssl_setup() failed"); } - mbedtls_ssl_set_bio(t->ctx, t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); + mbedtls_ssl_set_bio(&t->ctx, &t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); - int r = mbedtls_ssl_handshake(t->ctx); + int r = mbedtls_ssl_handshake(&t->ctx); if (r != 0) { Scm_Error("TLS handshake failed: %d", r); } @@ -197,25 +197,25 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) t->conn = ssl_server_new(t->ctx, fd); #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "accept"); - if (t->conn != NULL && t->conn->fd >= 0) { + if (t->conn.fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } - t->conn->fd = fd; + t->conn.fd = fd; - if (mbedtls_ssl_config_defaults(t->conf, + if (mbedtls_ssl_config_defaults(&t->conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT) != 0) { Scm_SysError("mbedtls_ssl_config_defaults() failed"); } - if(mbedtls_ssl_setup(t->ctx, t->conf) != 0) { + if(mbedtls_ssl_setup(&t->ctx, &t->conf) != 0) { Scm_SysError("mbedtls_ssl_setup() failed"); } - mbedtls_ssl_set_bio(t->ctx, t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); + mbedtls_ssl_set_bio(&t->ctx, &t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); - int r = mbedtls_ssl_handshake(t->ctx); + int r = mbedtls_ssl_handshake(&t->ctx); if (r != 0) { Scm_Error("TLS handshake failed: %d", r); } @@ -238,7 +238,7 @@ ScmObj Scm_TLSRead(ScmTLS* t) uint8_t buf[1024] = {}; int r; - r = mbedtls_ssl_read(t->ctx, buf, sizeof(buf)); + r = mbedtls_ssl_read(&t->ctx, buf, sizeof(buf)); if (r < 0) { Scm_SysError("mbedtls_ssl_read() failed"); } @@ -284,7 +284,7 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) const uint8_t* cmsg = get_message_body(msg, &size); int r; - r = mbedtls_ssl_write(t->ctx, cmsg, size); + r = mbedtls_ssl_write(&t->ctx, cmsg, size); return SCM_MAKE_INT(r); #else /*!GAUCHE_USE_AXTLS*/ From 2367e2f1795e64fdf54fca81da8a3a77734df768 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 16:09:25 +0900 Subject: [PATCH 21/48] Add error handling code --- ext/tls/tls.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index f749a4b97c..bf1d43c545 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -285,6 +285,9 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) int r; r = mbedtls_ssl_write(&t->ctx, cmsg, size); + if (r < 0) { + Scm_SysError("mbedtls_ssl_write() failed"); + } return SCM_MAKE_INT(r); #else /*!GAUCHE_USE_AXTLS*/ From c99ab450b50757f50739b37e7e7ab99906c26b78 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 18:43:57 +0900 Subject: [PATCH 22/48] Add RNG code --- ext/tls/tls.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index bf1d43c545..d8fbd0eda2 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -104,6 +104,12 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_entropy_init(&t->entropy); + const char* pers = "Gauche"; + if(mbedtls_ctr_drbg_seed(&t->ctr_drbg, mbedtls_entropy_func, &t->entropy, + (const unsigned char *)pers, strlen(pers)) != 0) { + Scm_SysError("mbedtls_ctr_drbg_seed() failed"); + } + t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); @@ -174,6 +180,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) MBEDTLS_SSL_PRESET_DEFAULT) != 0) { Scm_SysError("mbedtls_ssl_config_defaults() failed"); } + mbedtls_ssl_conf_rng(&t->conf, mbedtls_ctr_drbg_random, &t->ctr_drbg); if(mbedtls_ssl_setup(&t->ctx, &t->conf) != 0) { Scm_SysError("mbedtls_ssl_setup() failed"); From d411c345b984df3093f5133983b37866124ffa5d Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 18:59:44 +0900 Subject: [PATCH 23/48] Move connection code --- ext/tls/tls.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index d8fbd0eda2..24c9e6a7c3 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -104,12 +104,6 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_entropy_init(&t->entropy); - const char* pers = "Gauche"; - if(mbedtls_ctr_drbg_seed(&t->ctr_drbg, mbedtls_entropy_func, &t->entropy, - (const unsigned char *)pers, strlen(pers)) != 0) { - Scm_SysError("mbedtls_ctr_drbg_seed() failed"); - } - t->in_port = t->out_port = 0; #endif /*GAUCHE_USE_AXTLS*/ Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); @@ -169,6 +163,13 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "connect"); + + const char* pers = "Gauche"; + if(mbedtls_ctr_drbg_seed(&t->ctr_drbg, mbedtls_entropy_func, &t->entropy, + (const unsigned char *)pers, strlen(pers)) != 0) { + Scm_SysError("mbedtls_ctr_drbg_seed() failed"); + } + if (t->conn.fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } From e00c8fcfebb80cba57d4f1ec7e7f475e341cdc5f Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 20 May 2018 02:40:22 +0900 Subject: [PATCH 24/48] Add RNG to server side code --- ext/tls/tls.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 24c9e6a7c3..8124453a18 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -205,6 +205,13 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) t->conn = ssl_server_new(t->ctx, fd); #elif defined(GAUCHE_USE_MBEDTLS) context_check(t, "accept"); + + const char* pers = "Gauche"; + if(mbedtls_ctr_drbg_seed(&t->ctr_drbg, mbedtls_entropy_func, &t->entropy, + (const unsigned char *)pers, strlen(pers)) != 0) { + Scm_SysError("mbedtls_ctr_drbg_seed() failed"); + } + if (t->conn.fd >= 0) { Scm_SysError("attempt to connect already-connected TLS %S", t); } @@ -216,6 +223,8 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) MBEDTLS_SSL_PRESET_DEFAULT) != 0) { Scm_SysError("mbedtls_ssl_config_defaults() failed"); } + mbedtls_ssl_conf_rng(&t->conf, mbedtls_ctr_drbg_random, &t->ctr_drbg); + if(mbedtls_ssl_setup(&t->ctx, &t->conf) != 0) { Scm_SysError("mbedtls_ssl_setup() failed"); From c3c3c5613f35716cf64dc712d98f0a256ec7998e Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 18:44:49 +0900 Subject: [PATCH 25/48] Add CA stub code --- ext/tls/gauche-tls.h | 1 + ext/tls/tls.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index e28d246cc4..4762a6a883 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -93,6 +93,7 @@ typedef struct ScmTLSRec { mbedtls_entropy_context entropy; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_ssl_config conf; + mbedtls_x509_crt ca; ScmPort *in_port, *out_port; #endif /*GAUCHE_USE_AXTLS*/ diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 8124453a18..6832d9408f 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -63,6 +63,7 @@ static void tls_finalize(ScmObj obj, void* data) mbedtls_ssl_config_free(&t->conf); mbedtls_ctr_drbg_free(&t->ctr_drbg); mbedtls_entropy_free(&t->entropy); + mbedtls_x509_crt_free(&t->ca); #endif /*GAUCHE_USE_AXTLS*/ } @@ -101,6 +102,7 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_net_init(&t->conn); mbedtls_ssl_init(&t->ctx); mbedtls_ssl_config_init(&t->conf); + mbedtls_x509_crt_init(&t->ca); mbedtls_entropy_init(&t->entropy); From a1547a706353f9aa027ded2c7c6112384fbdae0f Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 19 May 2018 20:10:53 +0900 Subject: [PATCH 26/48] Add CA reader --- ext/tls/tls.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 6832d9408f..44fa7b819a 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -185,6 +185,12 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } mbedtls_ssl_conf_rng(&t->conf, mbedtls_ctr_drbg_random, &t->ctr_drbg); + if(mbedtls_x509_crt_parse_path(&t->ca, "./certs") != 0) { + Scm_SysError("mbedtls_x509_crt_parse_path() failed"); + } + mbedtls_ssl_conf_ca_chain(&t->conf, &t->ca, NULL); + mbedtls_ssl_conf_authmode(&t->conf, MBEDTLS_SSL_VERIFY_REQUIRED); + if(mbedtls_ssl_setup(&t->ctx, &t->conf) != 0) { Scm_SysError("mbedtls_ssl_setup() failed"); } From adcd593b207535f2307c398b132560ebfe5e0ad9 Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 20 May 2018 02:14:38 +0900 Subject: [PATCH 27/48] Read certificates from single file --- ext/tls/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 44fa7b819a..5a9f72edcd 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -185,8 +185,8 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } mbedtls_ssl_conf_rng(&t->conf, mbedtls_ctr_drbg_random, &t->ctr_drbg); - if(mbedtls_x509_crt_parse_path(&t->ca, "./certs") != 0) { - Scm_SysError("mbedtls_x509_crt_parse_path() failed"); + if(mbedtls_x509_crt_parse_file(&t->ca, "./certs/ca-certificates.crt") != 0) { + Scm_SysError("mbedtls_x509_crt_parse_file() failed"); } mbedtls_ssl_conf_ca_chain(&t->conf, &t->ca, NULL); mbedtls_ssl_conf_authmode(&t->conf, MBEDTLS_SSL_VERIFY_REQUIRED); From 2ab4ba84990a5b6f2e5d5cc5133b3db35d124aab Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 20 May 2018 11:35:31 +0900 Subject: [PATCH 28/48] Move CA file path to header --- ext/tls/gauche-tls.h | 2 ++ ext/tls/tls.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 4762a6a883..5e9a4cd013 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -49,6 +49,8 @@ #include #include +#define X509_CA_FILE "./certs/ca-certificates.crt" + #define SSL_CLIENT_AUTHENTICATION 0x00010000 #define SSL_SERVER_VERIFY_LATER 0x00020000 #define SSL_NO_DEFAULT_KEY 0x00040000 diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 5a9f72edcd..e7a650174b 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -185,7 +185,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) } mbedtls_ssl_conf_rng(&t->conf, mbedtls_ctr_drbg_random, &t->ctr_drbg); - if(mbedtls_x509_crt_parse_file(&t->ca, "./certs/ca-certificates.crt") != 0) { + if(mbedtls_x509_crt_parse_file(&t->ca, X509_CA_FILE) != 0) { Scm_SysError("mbedtls_x509_crt_parse_file() failed"); } mbedtls_ssl_conf_ca_chain(&t->conf, &t->ca, NULL); From 6320acceff54d89bced3d9e7f45d2da0b0c640d2 Mon Sep 17 00:00:00 2001 From: yokota Date: Mon, 21 May 2018 00:42:01 +0900 Subject: [PATCH 29/48] Make CA certificate file path to configurable --- ext/tls/Makefile.in | 3 ++- ext/tls/gauche-tls.h | 4 +++- ext/tls/tls.ac | 12 ++++++++++++ 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/ext/tls/Makefile.in b/ext/tls/Makefile.in index 9d27026a95..8c0c169fb1 100644 --- a/ext/tls/Makefile.in +++ b/ext/tls/Makefile.in @@ -53,7 +53,8 @@ SSLTEST_OBJECTS = axTLS/ssl/test/ssltest.mod.$(OBJEXT) @GAUCHE_TLS_SWITCH_AXTLS@EXTRA_DIRS_TARGET = axtls_dirs -@GAUCHE_TLS_SWITCH_MBEDTLS@LIBS += -lmbedtls -lmbedx509 -lmbedcrypto +@GAUCHE_TLS_SWITCH_MBEDTLS@LIBS += -lmbedtls -lmbedx509 -lmbedcrypto +@GAUCHE_TLS_SWITCH_MBEDTLS@CPPFLAGS += -DX509_CA_FILE=@X509_CA_FILE@ GENERATED = Makefile kick_openssl.sh XCLEANFILES = rfc--tls.c *.sci $(AXTLS_OBJECTS) $(SSLTEST_OBJECTS) $(SSLTEST_GENERATED) $(SSLTEST) ssltest.log axTLS/ssl/openssl.pid axtls_dirs diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 5e9a4cd013..3e96c669c1 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -49,7 +49,9 @@ #include #include -#define X509_CA_FILE "./certs/ca-certificates.crt" +#ifndef X509_CA_FILE +#define X509_CA_FILE "ca-cert.crt" +#endif #define SSL_CLIENT_AUTHENTICATION 0x00010000 #define SSL_SERVER_VERIFY_LATER 0x00020000 diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index c65b55a887..846ff8b864 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -64,6 +64,18 @@ AC_SUBST(GAUCHE_TLS_SWITCH_AXTLS_TEST) AC_SUBST(GAUCHE_TLS_SWITCH_MBEDTLS) AC_SUBST(GAUCHE_TLS_SWITCH_NONE) +AC_ARG_ENABLE([tls-ca-file-path], + AS_HELP_STRING([--enable-tls-ca-file-path=/path/to/ca-cert.crt], + [Specify CA certificate file path for TLS certificate validation. This file is required to use mbed TLS.]), + [ + AS_CASE([$enable_tls_ca_file_path], + [yes|no], [X509_CA_FILE="ca-cert.crt"], + [X509_CA_FILE=$enable_tls_ca_file_path] + )], [ + X509_CA_FILE="ca-cert.crt" + ]) +AC_SUBST(X509_CA_FILE) + dnl dnl Check openssl command; if available, we use it for axTLS tests. dnl This is needed even if we don't support libopenssl binding. From 49a0ad972ff741fe239889e1b9785e137aa76bc6 Mon Sep 17 00:00:00 2001 From: yokota Date: Mon, 21 May 2018 01:28:54 +0900 Subject: [PATCH 30/48] Add quote to string value --- ext/tls/Makefile.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/Makefile.in b/ext/tls/Makefile.in index 8c0c169fb1..8b60d5c401 100644 --- a/ext/tls/Makefile.in +++ b/ext/tls/Makefile.in @@ -54,7 +54,7 @@ SSLTEST_OBJECTS = axTLS/ssl/test/ssltest.mod.$(OBJEXT) @GAUCHE_TLS_SWITCH_AXTLS@EXTRA_DIRS_TARGET = axtls_dirs @GAUCHE_TLS_SWITCH_MBEDTLS@LIBS += -lmbedtls -lmbedx509 -lmbedcrypto -@GAUCHE_TLS_SWITCH_MBEDTLS@CPPFLAGS += -DX509_CA_FILE=@X509_CA_FILE@ +@GAUCHE_TLS_SWITCH_MBEDTLS@CPPFLAGS += -DX509_CA_FILE='"@X509_CA_FILE@"' GENERATED = Makefile kick_openssl.sh XCLEANFILES = rfc--tls.c *.sci $(AXTLS_OBJECTS) $(SSLTEST_OBJECTS) $(SSLTEST_GENERATED) $(SSLTEST) ssltest.log axTLS/ssl/openssl.pid axtls_dirs From 48acf5a66f88726e12aaae073f4be9feecc0b261 Mon Sep 17 00:00:00 2001 From: yokota Date: Mon, 21 May 2018 01:28:17 +0900 Subject: [PATCH 31/48] Improve error message --- ext/tls/tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index e7a650174b..13123eb0d9 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -186,7 +186,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) mbedtls_ssl_conf_rng(&t->conf, mbedtls_ctr_drbg_random, &t->ctr_drbg); if(mbedtls_x509_crt_parse_file(&t->ca, X509_CA_FILE) != 0) { - Scm_SysError("mbedtls_x509_crt_parse_file() failed"); + Scm_SysError("mbedtls_x509_crt_parse_file() failed: file=%s", X509_CA_FILE); } mbedtls_ssl_conf_ca_chain(&t->conf, &t->ca, NULL); mbedtls_ssl_conf_authmode(&t->conf, MBEDTLS_SSL_VERIFY_REQUIRED); From bb304c9a69d80d1843ec7f3e527ecaa50d240020 Mon Sep 17 00:00:00 2001 From: yokota Date: Mon, 21 May 2018 03:18:32 +0900 Subject: [PATCH 32/48] Use Autoconf functions instead of own implementation --- ext/tls/Makefile.in | 1 - ext/tls/tls.ac | 10 +++++----- src/gauche/config.h.in | 3 +++ 3 files changed, 8 insertions(+), 6 deletions(-) diff --git a/ext/tls/Makefile.in b/ext/tls/Makefile.in index 8b60d5c401..687aa7c3a3 100644 --- a/ext/tls/Makefile.in +++ b/ext/tls/Makefile.in @@ -54,7 +54,6 @@ SSLTEST_OBJECTS = axTLS/ssl/test/ssltest.mod.$(OBJEXT) @GAUCHE_TLS_SWITCH_AXTLS@EXTRA_DIRS_TARGET = axtls_dirs @GAUCHE_TLS_SWITCH_MBEDTLS@LIBS += -lmbedtls -lmbedx509 -lmbedcrypto -@GAUCHE_TLS_SWITCH_MBEDTLS@CPPFLAGS += -DX509_CA_FILE='"@X509_CA_FILE@"' GENERATED = Makefile kick_openssl.sh XCLEANFILES = rfc--tls.c *.sci $(AXTLS_OBJECTS) $(SSLTEST_OBJECTS) $(SSLTEST_GENERATED) $(SSLTEST) ssltest.log axTLS/ssl/openssl.pid axtls_dirs diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index 846ff8b864..49074c7c88 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -69,12 +69,12 @@ AC_ARG_ENABLE([tls-ca-file-path], [Specify CA certificate file path for TLS certificate validation. This file is required to use mbed TLS.]), [ AS_CASE([$enable_tls_ca_file_path], - [yes|no], [X509_CA_FILE="ca-cert.crt"], - [X509_CA_FILE=$enable_tls_ca_file_path] - )], [ - X509_CA_FILE="ca-cert.crt" + [yes|no], [AC_DEFINE([X509_CA_FILE], ["ca-cert.crt"])], + [AC_DEFINE_UNQUOTED([X509_CA_FILE], ["$enable_tls_ca_file_path"], [CA file path])] + ) + ], [ + AC_DEFINE([X509_CA_FILE], ["ca-cert.crt"]) ]) -AC_SUBST(X509_CA_FILE) dnl dnl Check openssl command; if available, we use it for axTLS tests. diff --git a/src/gauche/config.h.in b/src/gauche/config.h.in index ff28a155d5..b0e0e8e734 100644 --- a/src/gauche/config.h.in +++ b/src/gauche/config.h.in @@ -497,6 +497,9 @@ # endif #endif +/* CA file path */ +#undef X509_CA_FILE + /* Enable large inode numbers on Mac OS X 10.5. */ #ifndef _DARWIN_USE_64_BIT_INODE # define _DARWIN_USE_64_BIT_INODE 1 From 931fdf67a8474fe127965d7bfac80d8dd5102e47 Mon Sep 17 00:00:00 2001 From: yokota Date: Wed, 23 May 2018 00:27:28 +0900 Subject: [PATCH 33/48] Add mbed TLS help string --- ext/tls/tls.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index 49074c7c88..c4cb70112a 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -11,8 +11,8 @@ dnl In future we may support 'openssl' as well. dnl AC_ARG_ENABLE(tls, AS_HELP_STRING([--enable-tls=TYPE], [enable TLS/SSL support. TYPE can be - 'axtls' (to use bundled source of Cameron Rich's axTLS), or 'none' - (disable TLS/SSL support)]), + 'axtls' (to use bundled source of Cameron Rich's axTLS), 'mbedtls' (to use + mbed TLS), or 'none' (disable TLS/SSL support)]), [ AS_CASE([$enableval], [no|none], [enable_tls=no], From dd8f3fc76f967143cdbe35bcaa8f9c558e689c0e Mon Sep 17 00:00:00 2001 From: yokota Date: Wed, 23 May 2018 00:53:28 +0900 Subject: [PATCH 34/48] Remove outdated comment --- ext/tls/gauche-tls.h | 6 +++--- ext/tls/tls.c | 36 ++++++++++++++++++------------------ 2 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 3e96c669c1..0d3c0ed954 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -67,7 +67,7 @@ #define SSL_OBJ_PKCS8 4 #define SSL_OBJ_PKCS12 5 -#else /*!GAUCHE_USE_AXTLS*/ +#else #define SSL_CLIENT_AUTHENTICATION 0x00010000 #define SSL_SERVER_VERIFY_LATER 0x00020000 #define SSL_NO_DEFAULT_KEY 0x00040000 @@ -81,7 +81,7 @@ #define SSL_OBJ_RSA_KEY 3 #define SSL_OBJ_PKCS8 4 #define SSL_OBJ_PKCS12 5 -#endif /*!GAUCHE_USE_AXTLS*/ +#endif SCM_DECL_BEGIN @@ -100,7 +100,7 @@ typedef struct ScmTLSRec { mbedtls_x509_crt ca; ScmPort *in_port, *out_port; -#endif /*GAUCHE_USE_AXTLS*/ +#endif } ScmTLS; SCM_CLASS_DECL(Scm_TLSClass); diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 13123eb0d9..4e04eccc97 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -65,7 +65,7 @@ static void tls_finalize(ScmObj obj, void* data) mbedtls_entropy_free(&t->entropy); mbedtls_x509_crt_free(&t->ca); -#endif /*GAUCHE_USE_AXTLS*/ +#endif } static void context_check(ScmTLS* tls, const char* op) @@ -74,7 +74,7 @@ static void context_check(ScmTLS* tls, const char* op) if (!tls->ctx) Scm_Error("attempt to %s destroyed TLS: %S", op, tls); #elif defined(GAUCHE_USE_MBEDTLS) -#endif /*GAUCHE_USE_AXTLS*/ +#endif } static void close_check(ScmTLS* tls, const char* op) @@ -85,7 +85,7 @@ static void close_check(ScmTLS* tls, const char* op) if (tls->conn.fd < 0) { Scm_Error("attempt to %s closed TLS: %S", op, tls); } -#endif /*GAUCHE_USE_AXTLS*/ +#endif } ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) @@ -107,7 +107,7 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_entropy_init(&t->entropy); t->in_port = t->out_port = 0; -#endif /*GAUCHE_USE_AXTLS*/ +#endif Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); return SCM_OBJ(t); } @@ -119,7 +119,7 @@ ScmObj Scm_TLSDestroy(ScmTLS* t) { #if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) tls_finalize(SCM_OBJ(t), NULL); -#endif /*GAUCHE_USE_AXTLS*/ +#endif return SCM_TRUE; } @@ -136,7 +136,7 @@ ScmObj Scm_TLSClose(ScmTLS* t) mbedtls_ssl_close_notify(&t->ctx); mbedtls_net_free(&t->conn); t->in_port = t->out_port = 0; -#endif /*GAUCHE_USE_AXTLS*/ +#endif return SCM_TRUE; } @@ -149,7 +149,7 @@ ScmObj Scm_TLSLoadObject(ScmTLS* t, ScmObj obj_type, return SCM_TRUE; #elif defined(GAUCHE_USE_MBEDTLS) -#endif /*GAUCHE_USE_AXTLS*/ +#endif return SCM_FALSE; } @@ -201,7 +201,7 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) if (r != 0) { Scm_Error("TLS handshake failed: %d", r); } -#endif /*GAUCHE_USE_AXTLS*/ +#endif return SCM_OBJ(t); } @@ -244,7 +244,7 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) if (r != 0) { Scm_Error("TLS handshake failed: %d", r); } -#endif /*GAUCHE_USE_AXTLS*/ +#endif return SCM_OBJ(t); } @@ -268,9 +268,9 @@ ScmObj Scm_TLSRead(ScmTLS* t) if (r < 0) { Scm_SysError("mbedtls_ssl_read() failed"); } return Scm_MakeString((char *)buf, r, r, SCM_STRING_INCOMPLETE | SCM_STRING_COPYING); -#else /*!GAUCHE_USE_AXTLS*/ +#else return SCM_FALSE; -#endif /*!GAUCHE_USE_AXTLS*/ +#endif } #if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) @@ -287,7 +287,7 @@ static const uint8_t* get_message_body(ScmObj msg, u_int *size) return 0; } } -#endif /*GAUCHE_USE_AXTLS*/ +#endif ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) { @@ -315,9 +315,9 @@ ScmObj Scm_TLSWrite(ScmTLS* t, ScmObj msg) } return SCM_MAKE_INT(r); -#else /*!GAUCHE_USE_AXTLS*/ +#else return SCM_FALSE; -#endif /*!GAUCHE_USE_AXTLS*/ +#endif } ScmObj Scm_TLSInputPort(ScmTLS* t) @@ -326,7 +326,7 @@ ScmObj Scm_TLSInputPort(ScmTLS* t) return SCM_OBJ(t->in_port); #else return SCM_UNDEFINED; -#endif /*GAUCHE_USE_AXTLS*/ +#endif } ScmObj Scm_TLSOutputPort(ScmTLS* t) @@ -335,14 +335,14 @@ ScmObj Scm_TLSOutputPort(ScmTLS* t) return SCM_OBJ(t->out_port); #else return SCM_UNDEFINED; -#endif /*GAUCHE_USE_AXTLS*/ +#endif } ScmObj Scm_TLSInputPortSet(ScmTLS* t, ScmObj port) { #if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) t->in_port = SCM_PORT(port); -#endif /*GAUCHE_USE_AXTLS*/ +#endif return port; } @@ -350,7 +350,7 @@ ScmObj Scm_TLSOutputPortSet(ScmTLS* t, ScmObj port) { #if defined(GAUCHE_USE_AXTLS) || defined(GAUCHE_USE_MBEDTLS) t->out_port = SCM_PORT(port); -#endif /*GAUCHE_USE_AXTLS*/ +#endif return port; } From 124ba71fcbc03d4b80bdaa436acb2bd00a02fdeb Mon Sep 17 00:00:00 2001 From: yokota Date: Wed, 23 May 2018 00:57:05 +0900 Subject: [PATCH 35/48] Refactor duplicated lines --- ext/tls/gauche-tls.h | 17 +++-------------- 1 file changed, 3 insertions(+), 14 deletions(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 0d3c0ed954..0b59f51209 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -53,21 +53,10 @@ #define X509_CA_FILE "ca-cert.crt" #endif -#define SSL_CLIENT_AUTHENTICATION 0x00010000 -#define SSL_SERVER_VERIFY_LATER 0x00020000 -#define SSL_NO_DEFAULT_KEY 0x00040000 -#define SSL_DISPLAY_STATES 0x00080000 -#define SSL_DISPLAY_BYTES 0x00100000 -#define SSL_DISPLAY_CERTS 0x00200000 -#define SSL_DISPLAY_RSA 0x00400000 -#define SSL_CONNECT_IN_PARTS 0x00800000 -#define SSL_OBJ_X509_CERT 1 -#define SSL_OBJ_X509_CACERT 2 -#define SSL_OBJ_RSA_KEY 3 -#define SSL_OBJ_PKCS8 4 -#define SSL_OBJ_PKCS12 5 +#endif -#else +#ifndef GAUCHE_USE_AXTLS +/* dummy symbols */ #define SSL_CLIENT_AUTHENTICATION 0x00010000 #define SSL_SERVER_VERIFY_LATER 0x00020000 #define SSL_NO_DEFAULT_KEY 0x00040000 From 0b52889bd21962a872e3ad4b03ace18d1f0d2afa Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 27 May 2018 21:30:06 +0900 Subject: [PATCH 36/48] Add server side accept() code. --- ext/tls/tls.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 4e04eccc97..d4de735cbc 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -238,7 +238,15 @@ ScmObj Scm_TLSAccept(ScmTLS* t, int fd) Scm_SysError("mbedtls_ssl_setup() failed"); } - mbedtls_ssl_set_bio(&t->ctx, &t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); + mbedtls_net_context client_fd; + mbedtls_net_free(&client_fd); + + mbedtls_ssl_session_reset(&t->ctx); + + if(mbedtls_net_accept(&t->conn, &client_fd, NULL, 0, NULL) != 0) { + Scm_SysError("mbedtls_net_accept() failed"); + } + mbedtls_ssl_set_bio(&t->ctx, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL); int r = mbedtls_ssl_handshake(&t->ctx); if (r != 0) { From 2106035a611cce69888d3df4b44f50b71f12a203 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 26 May 2018 17:13:15 +0900 Subject: [PATCH 37/48] Enable static link build --- ext/tls/Makefile.in | 2 +- ext/tls/tls.ac | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/ext/tls/Makefile.in b/ext/tls/Makefile.in index 687aa7c3a3..33a3d3e80b 100644 --- a/ext/tls/Makefile.in +++ b/ext/tls/Makefile.in @@ -53,7 +53,7 @@ SSLTEST_OBJECTS = axTLS/ssl/test/ssltest.mod.$(OBJEXT) @GAUCHE_TLS_SWITCH_AXTLS@EXTRA_DIRS_TARGET = axtls_dirs -@GAUCHE_TLS_SWITCH_MBEDTLS@LIBS += -lmbedtls -lmbedx509 -lmbedcrypto +@GAUCHE_TLS_SWITCH_MBEDTLS@XLIBS = -lmbedtls -lmbedx509 -lmbedcrypto GENERATED = Makefile kick_openssl.sh XCLEANFILES = rfc--tls.c *.sci $(AXTLS_OBJECTS) $(SSLTEST_OBJECTS) $(SSLTEST_GENERATED) $(SSLTEST) ssltest.log axTLS/ssl/openssl.pid axtls_dirs diff --git a/ext/tls/tls.ac b/ext/tls/tls.ac index c4cb70112a..65012af2e9 100644 --- a/ext/tls/tls.ac +++ b/ext/tls/tls.ac @@ -45,6 +45,8 @@ AS_CASE([$enable_tls], GAUCHE_TLS_SWITCH_AXTLS_TEST="@%:@" GAUCHE_TLS_SWITCH_MBEDTLS= GAUCHE_TLS_SWITCH_NONE="@%:@" + + EXT_LIBS="${EXT_LIBS} -lmbedtls -lmbedx509 -lmbedcrypto" ], dnl [openssl], [ dnl AC_DEFINE(GAUCHE_USE_OPENSSL, 1, [Define if you use openssl]) From b79cc8c91eb0e0258c90db5660c6e2c3b468303d Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 27 May 2018 10:04:24 +0900 Subject: [PATCH 38/48] Add mbed TLS feature symbol --- src/core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/core.c b/src/core.c index 6cb07f5f46..03f9553b9c 100644 --- a/src/core.c +++ b/src/core.c @@ -518,6 +518,9 @@ init_cond_features() #if defined(GAUCHE_USE_AXTLS) { "gauche.net.tls", "rfc.tls" }, { "gauche.net.tls.axtls", "rfc.tls" }, +#elif defined(GAUCHE_USE_MBEDTLS) + { "gauche.net.tls", "rfc.tls" }, + { "gauche.net.tls.mbedtls", "rfc.tls" }, #elif defined(GAUCHE_USE_OPENSSL) { "gauche.net.tls", "rfc.tls" }, { "gauche.net.tls.openssl", "rfc.tls" }, From 1de35febe13e96877418ffab4f99270c13ed67d0 Mon Sep 17 00:00:00 2001 From: yokota Date: Sat, 26 May 2018 17:37:37 +0900 Subject: [PATCH 39/48] Fix library name conflicts If $STATIC_LIBS is "-lmbedtls -lm", it makes wrong outputs like "-lmbedtls". Because "-lm" is a substring of "-lmbedtls". --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 022535be8e..11fa9fde57 100644 --- a/configure.ac +++ b/configure.ac @@ -888,7 +888,7 @@ m4_include([ext/tls/tls.ac]) dnl Setup STATIC_LIBS STATIC_LIBS= for lib in $EXT_LIBS $LIBS; do - if [ echo "$STATIC_LIBS" | grep -e $lib > /dev/null 2>&1 ] + if [ echo ":${STATIC_LIBS}:" | tr ' ' ':' | grep -e ":${lib}:" > /dev/null 2>&1 ] then : # lib is alreay in STATIC_LIBS. do nothing else From 792cdadf3ba7678f0635d99195f82857e7e3cc95 Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 27 May 2018 05:29:16 +0900 Subject: [PATCH 40/48] Refactor grep usage --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 11fa9fde57..35125ed023 100644 --- a/configure.ac +++ b/configure.ac @@ -888,7 +888,7 @@ m4_include([ext/tls/tls.ac]) dnl Setup STATIC_LIBS STATIC_LIBS= for lib in $EXT_LIBS $LIBS; do - if [ echo ":${STATIC_LIBS}:" | tr ' ' ':' | grep -e ":${lib}:" > /dev/null 2>&1 ] + if [ echo "${STATIC_LIBS}" | grep -w -e "${lib}" > /dev/null 2>&1 ] then : # lib is alreay in STATIC_LIBS. do nothing else From 56113862f9660a95b0ee94831569313f1e61bb88 Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 27 May 2018 10:19:15 +0900 Subject: [PATCH 41/48] Use simple string match instead of regexp Some library has "." as its name. Regexp treats "." as special character, and unexpectedly drops those library. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 35125ed023..8ddeaa3341 100644 --- a/configure.ac +++ b/configure.ac @@ -888,7 +888,7 @@ m4_include([ext/tls/tls.ac]) dnl Setup STATIC_LIBS STATIC_LIBS= for lib in $EXT_LIBS $LIBS; do - if [ echo "${STATIC_LIBS}" | grep -w -e "${lib}" > /dev/null 2>&1 ] + if [ echo "${STATIC_LIBS}" | grep -F -w -e "${lib}" > /dev/null 2>&1 ] then : # lib is alreay in STATIC_LIBS. do nothing else From 820a0270f71566c40b54f121c772332000560c8d Mon Sep 17 00:00:00 2001 From: yokota Date: Sun, 27 May 2018 14:00:53 +0900 Subject: [PATCH 42/48] Refactor Autoconf syntax --- configure.ac | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/configure.ac b/configure.ac index 8ddeaa3341..a4a84326e6 100644 --- a/configure.ac +++ b/configure.ac @@ -888,12 +888,9 @@ m4_include([ext/tls/tls.ac]) dnl Setup STATIC_LIBS STATIC_LIBS= for lib in $EXT_LIBS $LIBS; do - if [ echo "${STATIC_LIBS}" | grep -F -w -e "${lib}" > /dev/null 2>&1 ] - then - : # lib is alreay in STATIC_LIBS. do nothing - else - STATIC_LIBS="$STATIC_LIBS $lib" - fi + AS_IF([ echo "${STATIC_LIBS}" | grep -F -w -e "${lib}" > /dev/null 2>&1 ], + [], dnl lib is alreay in STATIC_LIBS. do nothing + [STATIC_LIBS="$STATIC_LIBS $lib"]) done STATIC_LIBS="`echo $LIBGAUCHE_STATIC | sed s/^lib/-l/` $STATIC_LIBS" AC_SUBST(STATIC_LIBS) From 81737448d6da10e1b8befb58f321452167715e26 Mon Sep 17 00:00:00 2001 From: yokota Date: Wed, 23 May 2018 01:03:45 +0900 Subject: [PATCH 43/48] Add copyright line --- AUTHORS | 2 +- ext/tls/gauche-tls.h | 1 + ext/tls/tls.c | 1 + 3 files changed, 3 insertions(+), 1 deletion(-) diff --git a/AUTHORS b/AUTHORS index 0ad18a19ea..4359097ea7 100644 --- a/AUTHORS +++ b/AUTHORS @@ -28,5 +28,5 @@ OGURISU Osamu OOHASHI Daichi Shin-ichi Hirata Tatsuya BIZENN -Yokota Hiroshi +YOKOTA Hiroshi Yuuki Takahashi diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index 0b59f51209..ba66d0c9c7 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -2,6 +2,7 @@ * gauche-tls.h - TLS secure connection interface * * Copyright (c) 2011 Kirill Zorin + * 2018 YOKOTA Hiroshi * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/ext/tls/tls.c b/ext/tls/tls.c index d4de735cbc..1a9a3cb2bb 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -2,6 +2,7 @@ * tls.c - tls secure connection interface * * Copyright (c) 2011 Kirill Zorin + * 2018 YOKOTA Hiroshi * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions From c66ea56a07a2bb6d8458d779c05235e0bbc0d20f Mon Sep 17 00:00:00 2001 From: yokota Date: Tue, 29 May 2018 02:33:42 +0900 Subject: [PATCH 44/48] SNI extension support Some server depends this option. --- ext/tls/gauche-tls.h | 3 ++- ext/tls/tls.c | 8 +++++++- ext/tls/tls.scm | 4 ++-- lib/rfc/http.scm | 2 +- 4 files changed, 12 insertions(+), 5 deletions(-) diff --git a/ext/tls/gauche-tls.h b/ext/tls/gauche-tls.h index ba66d0c9c7..203c4e45de 100644 --- a/ext/tls/gauche-tls.h +++ b/ext/tls/gauche-tls.h @@ -89,6 +89,7 @@ typedef struct ScmTLSRec { mbedtls_ssl_config conf; mbedtls_x509_crt ca; + ScmString *server_name; ScmPort *in_port, *out_port; #endif } ScmTLS; @@ -99,7 +100,7 @@ SCM_CLASS_DECL(Scm_TLSClass); #define SCM_TLS(obj) ((ScmTLS*)obj) #define SCM_TLSP(obj) SCM_XTYPEP(obj, SCM_CLASS_TLS) -extern ScmObj Scm_MakeTLS(uint32_t options, int num_sessions); +extern ScmObj Scm_MakeTLS(uint32_t options, int num_sessions, ScmString* server_name); extern ScmObj Scm_TLSDestroy(ScmTLS* t); extern ScmObj Scm_TLSLoadObject(ScmTLS* t, ScmObj obj_type, const char *filename, diff --git a/ext/tls/tls.c b/ext/tls/tls.c index 1a9a3cb2bb..db64fffc8c 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -89,7 +89,7 @@ static void close_check(ScmTLS* tls, const char* op) #endif } -ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) +ScmObj Scm_MakeTLS(uint32_t options, int num_sessions, ScmString* server_name) { ScmTLS* t = SCM_NEW(ScmTLS); SCM_SET_CLASS(t, SCM_CLASS_TLS); @@ -107,6 +107,7 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions) mbedtls_entropy_init(&t->entropy); + t->server_name = server_name; t->in_port = t->out_port = 0; #endif Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); @@ -196,6 +197,11 @@ ScmObj Scm_TLSConnect(ScmTLS* t, int fd) Scm_SysError("mbedtls_ssl_setup() failed"); } + const char* hostname = t->server_name ? Scm_GetStringConst(t->server_name) : NULL; + if(mbedtls_ssl_set_hostname(&t->ctx, hostname) != 0) { + Scm_SysError("mbedtls_ssl_set_hostname() failed"); + } + mbedtls_ssl_set_bio(&t->ctx, &t->conn, mbedtls_net_send, mbedtls_net_recv, NULL); int r = mbedtls_ssl_handshake(&t->ctx); diff --git a/ext/tls/tls.scm b/ext/tls/tls.scm index 15e33473f1..a2daad8cc0 100644 --- a/ext/tls/tls.scm +++ b/ext/tls/tls.scm @@ -66,14 +66,14 @@ (define-enum SSL_OBJ_PKCS8) (define-enum SSL_OBJ_PKCS12) - (define-cproc make-tls (:optional flags (num-sessions:: 0)) + (define-cproc make-tls (:optional flags (num-sessions:: 0) (server-name::? #f)) ;; NB: By default, we don't support certificate validation/trust. ;; Future work will have to take care of this if anyone cares about ;; it at the policy level. (let* ([f::uint32_t SSL_SERVER_VERIFY_LATER]) (when (SCM_INTEGERP flags) (set! f (Scm_GetIntegerU32Clamp flags SCM_CLAMP_ERROR NULL))) - (return (Scm_MakeTLS f num-sessions)))) + (return (Scm_MakeTLS f num-sessions server-name)))) (define-cproc tls-load-object (tls:: obj-type filename:: :optional (password::? #f)) Scm_TLSLoadObject) (define-cproc tls-destroy (tls::) Scm_TLSDestroy) diff --git a/lib/rfc/http.scm b/lib/rfc/http.scm index abb830004b..bd05c033ba 100644 --- a/lib/rfc/http.scm +++ b/lib/rfc/http.scm @@ -898,7 +898,7 @@ (when (~ conn'secure-agent) (shutdown-secure-agent conn)) (ecase (~ conn'secure) [(tls) - (let1 tls (make-tls) + (let1 tls (make-tls 0 0 (or (~ conn'proxy) (~ conn'server))) (set! (~ conn'secure-agent) tls) (tls-connect tls (socket-fd (~ conn'socket))))] [(stunnel) From 43b73f968a67cc9d0bc6dcc19206cf64bc64096b Mon Sep 17 00:00:00 2001 From: yokota Date: Tue, 29 May 2018 02:34:28 +0900 Subject: [PATCH 45/48] Use NULL for pointer value --- ext/tls/tls.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index db64fffc8c..ae86d33a7d 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -108,7 +108,7 @@ ScmObj Scm_MakeTLS(uint32_t options, int num_sessions, ScmString* server_name) mbedtls_entropy_init(&t->entropy); t->server_name = server_name; - t->in_port = t->out_port = 0; + t->in_port = t->out_port = NULL; #endif Scm_RegisterFinalizer(SCM_OBJ(t), tls_finalize, NULL); return SCM_OBJ(t); @@ -137,7 +137,7 @@ ScmObj Scm_TLSClose(ScmTLS* t) mbedtls_ssl_close_notify(&t->ctx); mbedtls_net_free(&t->conn); - t->in_port = t->out_port = 0; + t->in_port = t->out_port = NULL; #endif return SCM_TRUE; } From df271e23dcab0429d5af3ca14e5e7048f11d4714 Mon Sep 17 00:00:00 2001 From: yokota Date: Tue, 29 May 2018 02:40:46 +0900 Subject: [PATCH 46/48] Clear server name --- ext/tls/tls.c | 1 + 1 file changed, 1 insertion(+) diff --git a/ext/tls/tls.c b/ext/tls/tls.c index ae86d33a7d..3986e450d5 100644 --- a/ext/tls/tls.c +++ b/ext/tls/tls.c @@ -137,6 +137,7 @@ ScmObj Scm_TLSClose(ScmTLS* t) mbedtls_ssl_close_notify(&t->ctx); mbedtls_net_free(&t->conn); + t->server_name = NULL; t->in_port = t->out_port = NULL; #endif return SCM_TRUE; From 9ea83b63ea3e3a0d989d9c203acc167897fb50d8 Mon Sep 17 00:00:00 2001 From: yokota Date: Tue, 29 May 2018 02:49:10 +0900 Subject: [PATCH 47/48] Always tell server name Because SNI tells target server name to the connected server, not proxy name. --- lib/rfc/http.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rfc/http.scm b/lib/rfc/http.scm index bd05c033ba..98ac31875c 100644 --- a/lib/rfc/http.scm +++ b/lib/rfc/http.scm @@ -898,7 +898,7 @@ (when (~ conn'secure-agent) (shutdown-secure-agent conn)) (ecase (~ conn'secure) [(tls) - (let1 tls (make-tls 0 0 (or (~ conn'proxy) (~ conn'server))) + (let1 tls (make-tls 0 0 (~ conn'server)) (set! (~ conn'secure-agent) tls) (tls-connect tls (socket-fd (~ conn'socket))))] [(stunnel) From 3a420d6cf7b06b0ca11deb5dfb57d905411cef9e Mon Sep 17 00:00:00 2001 From: yokota Date: Tue, 29 May 2018 03:33:18 +0900 Subject: [PATCH 48/48] Use dummy value for non-used value --- lib/rfc/http.scm | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rfc/http.scm b/lib/rfc/http.scm index 98ac31875c..3ac81f91a0 100644 --- a/lib/rfc/http.scm +++ b/lib/rfc/http.scm @@ -898,7 +898,7 @@ (when (~ conn'secure-agent) (shutdown-secure-agent conn)) (ecase (~ conn'secure) [(tls) - (let1 tls (make-tls 0 0 (~ conn'server)) + (let1 tls (make-tls #f 0 (~ conn'server)) (set! (~ conn'secure-agent) tls) (tls-connect tls (socket-fd (~ conn'socket))))] [(stunnel)