Use MbedTLS 3.5.1 and Add TLS 1.3 Support to WinSim Demos (#1135)

* Bump up to MBed-TLS V3.5.1, make changes to Visual Studio Projects to account for this.
* Update MBedTLS Transport files to call psa_crypto_init() if the MBEDTLS_PSA_CRYPTO_C is set.
* Add WIN32_LEAN_AND_MEAN to the corePKCS11_MQTT_Mutual_Auth_Windows_Simulator demo. Add in a check for MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET when making a TLS handshake.
* Change transport interface files from using void * to mbedtls_pk_context * instead per changes in the MbedTLS API.
* Changes to Fleet Provisioning Demo and Demo Setup to use ECDSA keys
* Remove non-32 bit configs from various VisualStudio Projects. Enforce all projects using WIN32_LEAN_AND_MEAN as well as winsock2.h
Soren Ptak 2023-12-15 15:30:39 -05:00 committed by GitHub
parent 4bad7a6ba4
commit 6b513cb1a2
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
71 changed files with 2620 additions and 2987 deletions


@ -35,6 +35,7 @@
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "threading_alt.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"


@ -40,7 +40,22 @@
#include <string.h>
/* Mbedtls Includes */
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#endif /* MBEDTLS_ALLOW_PRIVATE_ACCESS */
/* MBedTLS Includes */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#ifdef MBEDTLS_PSA_CRYPTO_C
/* MbedTLS PSA Includes */
#include "psa/crypto.h"
#include "psa/crypto_values.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */
#include "mbedtls/pk.h"
#include "mbedtls/asn1.h"
@ -53,6 +68,9 @@
#include "core_pkcs11_config.h"
#include "core_pkcs11.h"
/* PKCS11 Includes */
#include "pkcs11t.h"
/*-----------------------------------------------------------*/
typedef struct P11PkCtx
@ -92,7 +110,7 @@ static void * p11_ecdsa_ctx_alloc( void );
* @param xPkHandle The CK_OBJECT_HANDLE for the target private key.
* @return CKR_OK on success
*/
static CK_RV p11_ecdsa_ctx_init( void * pvCtx,
static CK_RV p11_ecdsa_ctx_init( mbedtls_pk_context * pxMbedtlsPkCtx,
CK_FUNCTION_LIST_PTR pxFunctionList,
CK_SESSION_HANDLE xSessionHandle,
CK_OBJECT_HANDLE xPkHandle );
@ -119,7 +137,7 @@ static void p11_ecdsa_ctx_free( void * pvCtx );
* @return 0 on success
* @return A negative number on failure
*/
static int p11_ecdsa_sign( void * pvCtx,
static int p11_ecdsa_sign( mbedtls_pk_context * pk,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
@ -135,7 +153,7 @@ static int p11_ecdsa_sign( void * pvCtx,
* @param pvCtx Void pointer to the relevant P11EcDsaCtx_t.
* @return size_t Bit length of the key.
*/
static size_t p11_ecdsa_get_bitlen( const void * pvCtx );
static size_t p11_ecdsa_get_bitlen( const mbedtls_pk_context * pxMbedtlsPkCtx );
/**
* @brief Returns true if the pk context can perform the given pk operation.
@ -148,7 +166,7 @@ static int p11_ecdsa_can_do( mbedtls_pk_type_t xType );
/**
* @brief Perform an ECDSA verify operation with the given pk context.
*
* Validates that the signature given in the pucSig and xSigLen arguments
* @note Validates that the signature given in the pucSig and xSigLen arguments
* matches the hash given in pucHash and xSigLen for the P11EcDsaCtx_t
* specified in pvCtx.
*
@ -160,7 +178,7 @@ static int p11_ecdsa_can_do( mbedtls_pk_type_t xType );
* @param xSigLen Length of the signature given in pucSig
* @return 0 on success
*/
static int p11_ecdsa_verify( void * pvCtx,
static int p11_ecdsa_verify( mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
@ -168,11 +186,11 @@ static int p11_ecdsa_verify( void * pvCtx,
size_t xSigLen );
static int p11_ecdsa_check_pair( const void * pvPub,
const void * pvPrv,
const mbedtls_pk_context * pxMbedtlsPkCtx,
int ( * lFRng )( void *, unsigned char *, size_t ),
void * pvPRng );
static void p11_ecdsa_debug( const void * pvCtx,
static void p11_ecdsa_debug( const mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_pk_debug_item * pxItems );
static int prvEcdsaSigToASN1InPlace( unsigned char * pucSig,
@ -213,18 +231,18 @@ mbedtls_pk_info_t mbedtls_pkcs11_pk_ecdsa =
/*-----------------------------------------------------------*/
static size_t p11_rsa_get_bitlen( const void * pvCtx );
static size_t p11_rsa_get_bitlen( const mbedtls_pk_context * ctx );
static int p11_rsa_can_do( mbedtls_pk_type_t xType );
static int p11_rsa_verify( void * pvCtx,
static int p11_rsa_verify( mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
const unsigned char * pucSig,
size_t xSigLen );
static int p11_rsa_sign( void * ctx,
static int p11_rsa_sign( mbedtls_pk_context * pk,
mbedtls_md_type_t md_alg,
const unsigned char * hash,
size_t hash_len,
@ -235,20 +253,20 @@ static int p11_rsa_sign( void * ctx,
void * p_rng );
static int p11_rsa_check_pair( const void * pvPub,
const void * pvPrv,
const mbedtls_pk_context * pxMbedtlsPkCtx,
int ( * lFRng )( void *, unsigned char *, size_t ),
void * pvPRng );
static void * p11_rsa_ctx_alloc( void );
static CK_RV p11_rsa_ctx_init( void * pvCtx,
static CK_RV p11_rsa_ctx_init( mbedtls_pk_context * pk,
CK_FUNCTION_LIST_PTR pxFunctionList,
CK_SESSION_HANDLE xSessionHandle,
CK_OBJECT_HANDLE xPkHandle );
static void p11_rsa_ctx_free( void * pvCtx );
static void p11_rsa_debug( const void * pvCtx,
static void p11_rsa_debug( const mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_pk_debug_item * pxItems );
/*-----------------------------------------------------------*/
@ -422,13 +440,13 @@ static void p11_ecdsa_ctx_free( void * pvCtx )
/*-----------------------------------------------------------*/
static CK_RV p11_ecdsa_ctx_init( void * pvCtx,
static CK_RV p11_ecdsa_ctx_init( mbedtls_pk_context * pk,
CK_FUNCTION_LIST_PTR pxFunctionList,
CK_SESSION_HANDLE xSessionHandle,
CK_OBJECT_HANDLE xPkHandle )
{
CK_RV xResult = CKR_OK;
P11EcDsaCtx_t * pxP11EcDsaCtx = ( P11EcDsaCtx_t * ) pvCtx;
P11EcDsaCtx_t * pxP11EcDsaCtx = ( P11EcDsaCtx_t * ) pk;
mbedtls_ecdsa_context * pxMbedEcDsaCtx = NULL;
configASSERT( pxFunctionList != NULL );
@ -441,95 +459,98 @@ static CK_RV p11_ecdsa_ctx_init( void * pvCtx,
}
else
{
LogError( ( "Received a NULL mbedtls_pk_context" ) );
xResult = CKR_FUNCTION_FAILED;
}
/* Initialize public EC parameter data from attributes */
CK_ATTRIBUTE pxAttrs[ 2 ] =
{
{ .type = CKA_EC_PARAMS, .ulValueLen = 0, .pValue = NULL },
{ .type = CKA_EC_POINT, .ulValueLen = 0, .pValue = NULL }
};
/* Determine necessary size */
xResult = pxFunctionList->C_GetAttributeValue( xSessionHandle,
xPkHandle,
pxAttrs,
sizeof( pxAttrs ) / sizeof( CK_ATTRIBUTE ) );
if( xResult == CKR_OK )
{
if( pxAttrs[ 0 ].ulValueLen > 0 )
/* Initialize public EC parameter data from attributes */
CK_ATTRIBUTE pxAttrs[ 2 ] =
{
pxAttrs[ 0 ].pValue = pvPortMalloc( pxAttrs[ 0 ].ulValueLen );
}
if( pxAttrs[ 1 ].ulValueLen > 0 )
{
pxAttrs[ 1 ].pValue = pvPortMalloc( pxAttrs[ 1 ].ulValueLen );
}
{ .type = CKA_EC_PARAMS, .ulValueLen = 0, .pValue = NULL },
{ .type = CKA_EC_POINT, .ulValueLen = 0, .pValue = NULL }
};
/* Determine necessary size */
xResult = pxFunctionList->C_GetAttributeValue( xSessionHandle,
xPkHandle,
pxAttrs,
2 );
}
sizeof( pxAttrs ) / sizeof( CK_ATTRIBUTE ) );
/* Parse EC Group */
if( xResult == CKR_OK )
{
/*TODO: Parse the ECParameters object */
int lResult = mbedtls_ecp_group_load( &( pxMbedEcDsaCtx->grp ), MBEDTLS_ECP_DP_SECP256R1 );
if( lResult != 0 )
if( xResult == CKR_OK )
{
xResult = CKR_FUNCTION_FAILED;
}
}
if( pxAttrs[ 0 ].ulValueLen > 0 )
{
pxAttrs[ 0 ].pValue = pvPortMalloc( pxAttrs[ 0 ].ulValueLen );
}
/* Parse ECPoint */
if( xResult == CKR_OK )
{
unsigned char * pucIterator = pxAttrs[ 1 ].pValue;
size_t uxLen = pxAttrs[ 1 ].ulValueLen;
int lResult = 0;
if( pxAttrs[ 1 ].ulValueLen > 0 )
{
pxAttrs[ 1 ].pValue = pvPortMalloc( pxAttrs[ 1 ].ulValueLen );
}
lResult = mbedtls_asn1_get_tag( &pucIterator, &( pucIterator[ uxLen ] ), &uxLen, MBEDTLS_ASN1_OCTET_STRING );
if( lResult != 0 )
{
xResult = CKR_GENERAL_ERROR;
}
else
{
lResult = mbedtls_ecp_point_read_binary( &( pxMbedEcDsaCtx->grp ),
&( pxMbedEcDsaCtx->Q ),
pucIterator,
uxLen );
xResult = pxFunctionList->C_GetAttributeValue( xSessionHandle,
xPkHandle,
pxAttrs,
2 );
}
if( lResult != 0 )
/* Parse EC Group */
if( xResult == CKR_OK )
{
xResult = CKR_GENERAL_ERROR;
/*TODO: Parse the ECParameters object */
int lResult = mbedtls_ecp_group_load( &( pxMbedEcDsaCtx->grp ), MBEDTLS_ECP_DP_SECP256R1 );
if( lResult != 0 )
{
xResult = CKR_FUNCTION_FAILED;
}
}
}
if( pxAttrs[ 0 ].pValue != NULL )
{
vPortFree( pxAttrs[ 0 ].pValue );
}
/* Parse ECPoint */
if( xResult == CKR_OK )
{
unsigned char * pucIterator = pxAttrs[ 1 ].pValue;
size_t uxLen = pxAttrs[ 1 ].ulValueLen;
int lResult = 0;
if( pxAttrs[ 1 ].pValue != NULL )
{
vPortFree( pxAttrs[ 1 ].pValue );
}
lResult = mbedtls_asn1_get_tag( &pucIterator, &( pucIterator[ uxLen ] ), &uxLen, MBEDTLS_ASN1_OCTET_STRING );
if( xResult == CKR_OK )
{
pxP11EcDsaCtx->xP11PkCtx.pxFunctionList = pxFunctionList;
pxP11EcDsaCtx->xP11PkCtx.xSessionHandle = xSessionHandle;
pxP11EcDsaCtx->xP11PkCtx.xPkHandle = xPkHandle;
if( lResult != 0 )
{
xResult = CKR_GENERAL_ERROR;
}
else
{
lResult = mbedtls_ecp_point_read_binary( &( pxMbedEcDsaCtx->grp ),
&( pxMbedEcDsaCtx->Q ),
pucIterator,
uxLen );
}
if( lResult != 0 )
{
xResult = CKR_GENERAL_ERROR;
}
}
if( pxAttrs[ 0 ].pValue != NULL )
{
vPortFree( pxAttrs[ 0 ].pValue );
}
if( pxAttrs[ 1 ].pValue != NULL )
{
vPortFree( pxAttrs[ 1 ].pValue );
}
if( xResult == CKR_OK )
{
pxP11EcDsaCtx->xP11PkCtx.pxFunctionList = pxFunctionList;
pxP11EcDsaCtx->xP11PkCtx.xSessionHandle = xSessionHandle;
pxP11EcDsaCtx->xP11PkCtx.xPkHandle = xPkHandle;
}
}
return xResult;
@ -656,7 +677,7 @@ static int prvEcdsaSigToASN1InPlace( unsigned char * pucSig,
/*-----------------------------------------------------------*/
static int p11_ecdsa_sign( void * pvCtx,
static int p11_ecdsa_sign( mbedtls_pk_context * pk,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
@ -668,7 +689,7 @@ static int p11_ecdsa_sign( void * pvCtx,
{
CK_RV xResult = CKR_OK;
int32_t lFinalResult = 0;
const P11EcDsaCtx_t * pxEcDsaCtx = NULL;
const P11EcDsaCtx_t * pxEcDsaCtx = ( P11EcDsaCtx_t * ) pk->pk_ctx;
const P11PkCtx_t * pxP11Ctx = NULL;
unsigned char pucHashCopy[ MBEDTLS_MD_MAX_SIZE ];
@ -690,9 +711,8 @@ static int p11_ecdsa_sign( void * pvCtx,
configASSERT( pucHash != NULL );
configASSERT( xHashLen > 0 );
if( pvCtx != NULL )
if( pxEcDsaCtx != NULL )
{
pxEcDsaCtx = ( P11EcDsaCtx_t * ) pvCtx;
pxP11Ctx = &( pxEcDsaCtx->xP11PkCtx );
}
else
@ -739,13 +759,11 @@ static int p11_ecdsa_sign( void * pvCtx,
/*-----------------------------------------------------------*/
static size_t p11_ecdsa_get_bitlen( const void * pvCtx )
static size_t p11_ecdsa_get_bitlen( const mbedtls_pk_context * pxMbedtlsPkCtx )
{
P11EcDsaCtx_t * pxEcDsaCtx = ( P11EcDsaCtx_t * ) pvCtx;
configASSERT( mbedtls_ecdsa_info.get_bitlen );
return mbedtls_ecdsa_info.get_bitlen( &( pxEcDsaCtx->xMbedEcDsaCtx ) );
return mbedtls_ecdsa_info.get_bitlen( ( mbedtls_pk_context * ) pxMbedtlsPkCtx );
}
/*-----------------------------------------------------------*/
@ -757,18 +775,16 @@ static int p11_ecdsa_can_do( mbedtls_pk_type_t xType )
/*-----------------------------------------------------------*/
static int p11_ecdsa_verify( void * pvCtx,
static int p11_ecdsa_verify( mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
const unsigned char * pucSig,
size_t xSigLen )
{
P11EcDsaCtx_t * pxEcDsaCtx = ( P11EcDsaCtx_t * ) pvCtx;
configASSERT( mbedtls_ecdsa_info.verify_func );
return mbedtls_ecdsa_info.verify_func( &( pxEcDsaCtx->xMbedEcDsaCtx ),
return mbedtls_ecdsa_info.verify_func( pxMbedtlsPkCtx,
xMdAlg,
pucHash, xHashLen,
pucSig, xSigLen );
@ -777,14 +793,15 @@ static int p11_ecdsa_verify( void * pvCtx,
/*-----------------------------------------------------------*/
static int p11_ecdsa_check_pair( const void * pvPub,
const void * pvPrv,
const mbedtls_pk_context * pxMbedtlsPkCtx,
int ( * lFRng )( void *, unsigned char *, size_t ),
void * pvPRng )
{
mbedtls_ecp_keypair * pxPubKey = ( mbedtls_ecp_keypair * ) pvPub;
mbedtls_ecp_keypair * pxPrvKey = ( mbedtls_ecp_keypair * ) pvPrv;
P11EcDsaCtx_t * pxP11PrvKey = ( P11EcDsaCtx_t * ) pxMbedtlsPkCtx->pk_ctx;
mbedtls_ecp_keypair * pxPubKey = ( mbedtls_ecp_keypair * ) pvPub;
mbedtls_ecp_keypair * pxPrvKey = &( pxP11PrvKey->xMbedEcDsaCtx );
P11EcDsaCtx_t * pxP11PrvKey = ( P11EcDsaCtx_t * ) pvPrv;
int lResult = 0;
( void ) lFRng;
@ -832,7 +849,7 @@ static int p11_ecdsa_check_pair( const void * pvPub,
};
unsigned char pucTestSignature[ MBEDTLS_ECDSA_MAX_SIG_LEN( 256 ) ] = { 0 };
size_t uxSigLen = 0;
lResult = p11_ecdsa_sign( ( void * ) ( void * ) pvPrv, MBEDTLS_MD_SHA256,
lResult = p11_ecdsa_sign( pxMbedtlsPkCtx, MBEDTLS_MD_SHA256,
pucTestHash, sizeof( pucTestHash ),
pucTestSignature, sizeof( pucTestSignature ), &uxSigLen,
NULL, NULL );
@ -850,48 +867,44 @@ static int p11_ecdsa_check_pair( const void * pvPub,
/*-----------------------------------------------------------*/
static void p11_ecdsa_debug( const void * pvCtx,
static void p11_ecdsa_debug( const mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_pk_debug_item * pxItems )
{
P11EcDsaCtx_t * pxEcDsaCtx = ( P11EcDsaCtx_t * ) pvCtx;
configASSERT( mbedtls_ecdsa_info.debug_func );
mbedtls_ecdsa_info.debug_func( &( pxEcDsaCtx->xMbedEcDsaCtx ), pxItems );
mbedtls_ecdsa_info.debug_func( ( mbedtls_pk_context * ) pxMbedtlsPkCtx, pxItems );
}
/*-----------------------------------------------------------*/
static size_t p11_rsa_get_bitlen( const void * pvCtx )
static size_t p11_rsa_get_bitlen( const mbedtls_pk_context * pxMbedtlsPkCtx )
{
P11RsaCtx_t * pxRsaCtx = ( P11RsaCtx_t * ) pvCtx;
mbedtls_rsa_context * pxRsaCtx = ( mbedtls_rsa_context * ) pxMbedtlsPkCtx->pk_ctx;
configASSERT( mbedtls_rsa_info.get_bitlen );
return mbedtls_rsa_info.get_bitlen( &( pxRsaCtx->xMbedRsaCtx ) );
return mbedtls_rsa_info.get_bitlen( pxMbedtlsPkCtx );
}
/*-----------------------------------------------------------*/
static int p11_rsa_can_do( mbedtls_pk_type_t xType )
{
return( xType == MBEDTLS_PK_RSA );
return( ( xType == MBEDTLS_PK_RSA ) || ( xType == MBEDTLS_PK_RSASSA_PSS ) );
}
/*-----------------------------------------------------------*/
static int p11_rsa_verify( void * pvCtx,
static int p11_rsa_verify( mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
const unsigned char * pucSig,
size_t xSigLen )
{
P11RsaCtx_t * pxRsaCtx = ( P11RsaCtx_t * ) pvCtx;
configASSERT( mbedtls_rsa_info.verify_func );
return mbedtls_rsa_info.verify_func( &( pxRsaCtx->xMbedRsaCtx ),
return mbedtls_rsa_info.verify_func( pxMbedtlsPkCtx,
xMdAlg,
pucHash, xHashLen,
pucSig, xSigLen );
@ -899,7 +912,7 @@ static int p11_rsa_verify( void * pvCtx,
/*-----------------------------------------------------------*/
static int p11_rsa_sign( void * pvCtx,
static int p11_rsa_sign( mbedtls_pk_context * pk,
mbedtls_md_type_t xMdAlg,
const unsigned char * pucHash,
size_t xHashLen,
@ -942,9 +955,9 @@ static int p11_rsa_sign( void * pvCtx,
{
xResult = CKR_ARGUMENTS_BAD;
}
else if( pvCtx != NULL )
else if( pk != NULL )
{
pxP11RsaCtx = ( P11RsaCtx_t * ) pvCtx;
pxP11RsaCtx = ( P11RsaCtx_t * ) pk->pk_ctx;
pxP11Ctx = &( pxP11RsaCtx->xP11PkCtx );
}
else
@ -990,16 +1003,16 @@ static int p11_rsa_sign( void * pvCtx,
/*-----------------------------------------------------------*/
static int p11_rsa_check_pair( const void * pvPub,
const void * pvPrv,
const mbedtls_pk_context * pxMbedtlsPkCtx,
int ( * lFRng )( void *, unsigned char *, size_t ),
void * pvPRng )
{
P11RsaCtx_t * pxP11RsaCtx = ( P11RsaCtx_t * ) pvPrv;
configASSERT( mbedtls_rsa_info.check_pair_func );
return mbedtls_rsa_info.check_pair_func( pvPub, &( pxP11RsaCtx->xMbedRsaCtx ),
lFRng, pvPRng );
return mbedtls_rsa_info.check_pair_func( pvPub,
pxMbedtlsPkCtx,
lFRng,
pvPRng );
}
/*-----------------------------------------------------------*/
@ -1012,14 +1025,14 @@ static void * p11_rsa_ctx_alloc( void )
if( pvCtx != NULL )
{
P11RsaCtx_t * pxP11Rsa = ( P11RsaCtx_t * ) pvCtx;
P11RsaCtx_t * pxRsaCtx = ( P11RsaCtx_t * ) pvCtx;
/* Initialize other fields */
pxP11Rsa->xP11PkCtx.pxFunctionList = NULL;
pxP11Rsa->xP11PkCtx.xSessionHandle = CK_INVALID_HANDLE;
pxP11Rsa->xP11PkCtx.xPkHandle = CK_INVALID_HANDLE;
pxRsaCtx->xP11PkCtx.pxFunctionList = NULL;
pxRsaCtx->xP11PkCtx.xSessionHandle = CK_INVALID_HANDLE;
pxRsaCtx->xP11PkCtx.xPkHandle = CK_INVALID_HANDLE;
mbedtls_rsa_init( &( pxP11Rsa->xMbedRsaCtx ) );
mbedtls_rsa_init( &( pxRsaCtx->xMbedRsaCtx ) );
}
return pvCtx;
@ -1027,13 +1040,13 @@ static void * p11_rsa_ctx_alloc( void )
/*-----------------------------------------------------------*/
static CK_RV p11_rsa_ctx_init( void * pvCtx,
static CK_RV p11_rsa_ctx_init( mbedtls_pk_context * pk,
CK_FUNCTION_LIST_PTR pxFunctionList,
CK_SESSION_HANDLE xSessionHandle,
CK_OBJECT_HANDLE xPkHandle )
{
CK_RV xResult = CKR_OK;
P11RsaCtx_t * pxP11RsaCtx = ( P11RsaCtx_t * ) pvCtx;
P11RsaCtx_t * pxP11RsaCtx = ( P11RsaCtx_t * ) pk;
mbedtls_rsa_context * pxMbedRsaCtx = NULL;
configASSERT( pxFunctionList != NULL );
@ -1094,14 +1107,12 @@ static void p11_rsa_ctx_free( void * pvCtx )
/*-----------------------------------------------------------*/
static void p11_rsa_debug( const void * pvCtx,
static void p11_rsa_debug( const mbedtls_pk_context * pxMbedtlsPkCtx,
mbedtls_pk_debug_item * pxItems )
{
P11RsaCtx_t * pxP11RsaCtx = ( P11RsaCtx_t * ) pvCtx;
configASSERT( mbedtls_rsa_info.debug_func );
mbedtls_rsa_info.debug_func( &( pxP11RsaCtx->xMbedRsaCtx ), pxItems );
mbedtls_rsa_info.debug_func( pxMbedtlsPkCtx, pxItems );
}
/*-----------------------------------------------------------*/
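Review bot: p11_ecdsa_sign now reads `pk->pk_ctx` in the declaration of pxEcDsaCtx, before anything has checked `pk`, and the later `if( pxEcDsaCtx != NULL )` tests only the inner pointer. The previous code tested the incoming pointer before using it, and p11_rsa_sign in this same file still tests `pk != NULL` before touching `pk->pk_ctx`. Keep the initialiser as `NULL` and assign inside the guard: `if( ( pk != NULL ) && ( pk->pk_ctx != NULL ) )` followed by `pxEcDsaCtx = ( P11EcDsaCtx_t * ) pk->pk_ctx;`. As rendered, p11_ecdsa_check_pair has the same unguarded `pxMbedtlsPkCtx->pk_ctx` read and passes its const-qualified context to p11_ecdsa_sign, which takes a non-const pointer. The body of p11_ecdsa_sign continues outside the hunks shown.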


@ -26,8 +26,13 @@
#include "logging_levels.h"
#define LIBRARY_LOG_NAME "MbedTLSRNGP11"
#define LIBRARY_LOG_LEVEL LOG_ERROR
#ifndef LIBRARY_LOG_NAME
#define LIBRARY_LOG_NAME "MbedTLSRNGP11"
#endif /* LIBRARY_LOG_NAME */
#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_ERROR
#endif /* LIBRARY_LOG_LEVEL */
#include "logging_stack.h"


@ -25,15 +25,20 @@
*/
/**
* @file tls_freertos.c
* @file transport_mbedtls.c
* @brief TLS transport interface implementations. This implementation uses
* mbedTLS.
*/
#include "logging_levels.h"
#define LIBRARY_LOG_NAME "MbedtlsTransport"
#define LIBRARY_LOG_LEVEL LOG_INFO
#ifndef LIBRARY_LOG_NAME
#define LIBRARY_LOG_NAME "MbedtlsTransport"
#endif /* LIBRARY_LOG_NAME */
#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_INFO
#endif /* LIBRARY_LOG_LEVEL*/
#include "logging_stack.h"
@ -43,7 +48,24 @@
/* FreeRTOS includes. */
#include "FreeRTOS.h"
/* MbedTLS Bio TCP sockets wrapper include. */
/* MBedTLS Includes */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#ifdef MBEDTLS_PSA_CRYPTO_C
/* MbedTLS PSA Includes */
#include "psa/crypto.h"
#include "psa/crypto_values.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */
#ifdef MBEDTLS_DEBUG_C
#include "mbedtls/debug.h"
#endif /* MBEDTLS_DEBUG_C */
/* MBedTLS Bio TCP sockets wrapper include. */
#include "mbedtls_bio_tcp_sockets_wrapper.h"
/* TLS transport header. */
@ -219,6 +241,22 @@ static TlsTransportStatus_t initMbedtls( mbedtls_entropy_context * pEntropyConte
/*-----------------------------------------------------------*/
#ifdef MBEDTLS_DEBUG_C
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str )
{
if( ( str != NULL ) && ( file != NULL ) )
{
LogDebug( ( "%s:%d: [%d] %s", file, line, level, str ) );
}
}
#endif /* MBEDTLS_DEBUG_C */
/*-----------------------------------------------------------*/
static void sslContextInit( SSLContext_t * pSslContext )
{
configASSERT( pSslContext != NULL );
@ -228,6 +266,12 @@ static void sslContextInit( SSLContext_t * pSslContext )
mbedtls_pk_init( &( pSslContext->privKey ) );
mbedtls_x509_crt_init( &( pSslContext->clientCert ) );
mbedtls_ssl_init( &( pSslContext->context ) );
#ifdef MBEDTLS_DEBUG_C
mbedtls_debug_set_threshold( LIBRARY_LOG_LEVEL + 1U );
mbedtls_ssl_conf_dbg( &( pSslContext->config ),
mbedtls_string_printf,
NULL );
#endif /* MBEDTLS_DEBUG_C */
}
/*-----------------------------------------------------------*/
@ -597,6 +641,19 @@ static TlsTransportStatus_t initMbedtls( mbedtls_entropy_context * pEntropyConte
returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
}
#ifdef MBEDTLS_PSA_CRYPTO_C
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
mbedtlsError = psa_crypto_init();
if( mbedtlsError != PSA_SUCCESS )
{
LogError( ( "Failed to initialize PSA Crypto implementation: %s", ( int ) mbedtlsError ) );
returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
}
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
/* Seed the random number generator. */
@ -809,8 +866,14 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_read." ) );
}
LogDebug( ( "Failed to read data. However, a read can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
@ -868,8 +931,14 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_write." ) );
}
LogDebug( ( "Failed to send data. However, send can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
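Review bot: The new PSA failure log in initMbedtls formats an integer with `%s`: `LogError( ( "Failed to initialize PSA Crypto implementation: %s", ( int ) mbedtlsError ) )`. If LogError forwards to a printf-style formatter, as the vLoggingPrintf prototype elsewhere in this commit suggests, the status value is read as a string pointer on exactly the error path, which is undefined behaviour and typically a fault or a stray memory read. Use `%d` to match the cast: `LogError( ( "Failed to initialize PSA Crypto implementation: %d", ( int ) mbedtlsError ) );`. The same line appears in the tlsSetup hunk of the PKCS #11 transport source. initMbedtls starts and ends outside the hunk.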


@ -32,6 +32,22 @@
#ifndef USING_MBEDTLS
#define USING_MBEDTLS
/* MBed TLS includes. */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "mbedtls/build_info.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"
#include "mbedtls/threading.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
/**************************************************/
/******* DO NOT CHANGE the following order ********/
/**************************************************/
@ -53,9 +69,10 @@
#define LIBRARY_LOG_LEVEL LOG_ERROR
#endif
/* Prototype for the function used to print to console on Windows simulator
* of FreeRTOS.
* The function prints to the console before the network is connected;
/** @brief Prototype for the function used to print to console on Windows
* simulator of FreeRTOS.
*
* @note The function prints to the console before the network is connected;
* then a UDP port after the network has connected. */
extern void vLoggingPrintf( const char * pcFormatString,
... );
@ -76,15 +93,6 @@ extern void vLoggingPrintf( const char * pcFormatString,
/* Transport interface include. */
#include "transport_interface.h"
/* mbed TLS includes. */
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"
#include "mbedtls/threading.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
#include "mbedtls/build_info.h"
/**
* @brief Secured connection context.
*/
@ -183,7 +191,7 @@ void TLS_FreeRTOS_Disconnect( NetworkContext_t * pNetworkContext );
/**
* @brief Receives data from an established TLS connection.
*
* This is the TLS version of the transport interface's
* @note This is the TLS version of the transport interface's
* #TransportRecv_t function.
*
* @param[in] pNetworkContext The Network context.
@ -201,7 +209,7 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
/**
* @brief Sends data over an established TLS connection.
*
* This is the TLS version of the transport interface's
* @note This is the TLS version of the transport interface's
* #TransportSend_t function.
*
* @param[in] pNetworkContext The network context.
@ -216,4 +224,25 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
const void * pBuffer,
size_t bytesToSend );
#ifdef MBEDTLS_DEBUG_C
/**
* @brief Write an MBedTLS Debug message to the LogDebug() function
*
* @param[in] sslContext Pointer of the SSL Context that is being used
* @param[in] level The severity level of the debug message from MBedTLS
* @param[in] file Name of the file that the debug message is from
* @param[in] line The line number that the debug message is from
* @param[in] str The full string debug message from MBedTLS
*
* @return void
*/
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str );
#endif /* MBEDTLS_DEBUG_C */
#endif /* ifndef USING_MBEDTLS */
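Review bot: The doc comment added for mbedtls_string_printf describes `sslContext` as "Pointer of the SSL Context that is being used", but the callback is registered through `mbedtls_ssl_conf_dbg( ..., mbedtls_string_printf, NULL )` in the sslContextInit hunks, so the argument is the opaque debug context and is NULL here. I would reword it to `@param[in] sslContext Opaque context registered with mbedtls_ssl_conf_dbg(); NULL in this transport and not used.` It is also worth one `@note` saying the callback forwards library debug text to LogDebug() and that MBEDTLS_DEBUG_C is meant for development builds, since verbose TLS debug output can include handshake contents. The identical prototype and comment are added to the PKCS #11 transport header.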


@ -30,19 +30,38 @@
* mbedTLS.
*/
/* Standard includes. */
#include <string.h>
#include "logging_levels.h"
#define LIBRARY_LOG_NAME "PkcsTlsTransport"
#define LIBRARY_LOG_LEVEL LOG_INFO
#define LIBRARY_LOG_NAME "PkcsTlsTransport"
#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_INFO
#endif /* LIBRARY_LOG_LEVEL */
#include "logging_stack.h"
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "mbedtls/private_access.h"
#endif /* MBEDTLS_ALLOW_PRIVATE_ACCESS */
#include "mbedtls/private_access.h"
/* MBedTLS Includes */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
/* Standard includes. */
#include <string.h>
#ifdef MBEDTLS_PSA_CRYPTO_C
/* MbedTLS PSA Includes */
#include "psa/crypto.h"
#include "psa/crypto_values.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */
#include "mbedtls/debug.h"
/* FreeRTOS includes. */
#include "FreeRTOS.h"
@ -205,6 +224,22 @@ static int32_t privateKeySigningCallback( void * pvContext,
void * pvRng );
/*-----------------------------------------------------------*/
#ifdef MBEDTLS_DEBUG_C
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str )
{
if( ( str != NULL ) && ( file != NULL ) )
{
LogDebug( ( "%s:%d: [%d] %s", file, line, level, str ) );
}
}
#endif /* MBEDTLS_DEBUG_C */
/*-----------------------------------------------------------*/
static void sslContextInit( SSLContext_t * pSslContext )
@ -215,6 +250,12 @@ static void sslContextInit( SSLContext_t * pSslContext )
mbedtls_x509_crt_init( &( pSslContext->rootCa ) );
mbedtls_x509_crt_init( &( pSslContext->clientCert ) );
mbedtls_ssl_init( &( pSslContext->context ) );
#ifdef MBEDTLS_DEBUG_C
mbedtls_debug_set_threshold( LIBRARY_LOG_LEVEL + 1U );
mbedtls_ssl_conf_dbg( &( pSslContext->config ),
mbedtls_string_printf,
NULL );
#endif /* MBEDTLS_DEBUG_C */
xInitializePkcs11Session( &( pSslContext->xP11Session ) );
C_GetFunctionList( &( pSslContext->pxP11FunctionList ) );
@ -274,6 +315,20 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
returnStatus = TLS_TRANSPORT_INSUFFICIENT_MEMORY;
}
#ifdef MBEDTLS_PSA_CRYPTO_C
mbedtlsError = psa_crypto_init();
if( mbedtlsError != PSA_SUCCESS )
{
LogError( ( "Failed to initialize PSA Crypto implementation: %s", ( int ) mbedtlsError ) );
returnStatus = TLS_TRANSPORT_INVALID_PARAMETER;
}
else
{
LogDebug( ( "Initialized the PSA Crypto Engine" ) );
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
/* Set up the certificate security profile, starting from the default value. */
@ -448,15 +503,23 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
{
mbedtlsError = mbedtls_ssl_handshake( &( pTlsTransportParams->sslContext.context ) );
} while( ( mbedtlsError == MBEDTLS_ERR_SSL_WANT_READ ) ||
( mbedtlsError == MBEDTLS_ERR_SSL_WANT_WRITE ) );
( mbedtlsError == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( mbedtlsError == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) );
if( mbedtlsError != 0 )
{
LogError( ( "Failed to perform TLS handshake: mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( mbedtlsError ),
mbedtlsLowLevelCodeOrDefault( mbedtlsError ) ) );
if( mbedtlsError == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_handshake." ) );
}
else
{
LogError( ( "Failed to perform TLS handshake: mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( mbedtlsError ),
mbedtlsLowLevelCodeOrDefault( mbedtlsError ) ) );
returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;
returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;
}
}
}
@ -633,7 +696,7 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
if( ( CKR_OK == xResult ) && ( pxCtx->xP11PrivateKey == CK_INVALID_HANDLE ) )
{
xResult = CK_INVALID_HANDLE;
LogError( ( "Could not find private key." ) );
LogError( ( "Could not find private key: %s", pcLabelName ) );
}
if( xResult == CKR_OK )
@ -808,8 +871,14 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_read." ) );
}
LogDebug( ( "Failed to read data. However, a read can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
@ -867,8 +936,14 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_write." ) );
}
LogDebug( ( "Failed to send data. However, send can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
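Review bot: In tlsSetup the new `if( mbedtlsError == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )` branch after the handshake loop cannot run, because the same hunk extends the loop condition to keep iterating on that value. It is dead code today, and if the loop condition is ever narrowed it would leave returnStatus at success after a non-zero handshake result. Drop the branch so every non-zero result takes the existing path ending in `returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;`. Separately, the psa_crypto_init() block added to this function is not wrapped in `if( returnStatus == TLS_TRANSPORT_SUCCESS )` the way the initMbedtls hunk in transport_mbedtls.c is, so it runs after an earlier failure and can overwrite that status. tlsSetup starts and ends outside the hunks shown.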


@ -37,6 +37,12 @@
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "mbedtls/private_access.h"
/* TCP Sockets Wrapper include.*/
@ -46,6 +52,7 @@
#include "transport_interface.h"
/* mbed TLS includes. */
#include "mbedtls/build_info.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"
@ -181,7 +188,7 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
/**
* @brief Sends data over an established TLS connection.
*
* This is the TLS version of the transport interface's
* @note This is the TLS version of the transport interface's
* #TransportSend_t function.
*
* @param[in] pNetworkContext The network context.
@ -196,4 +203,25 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
const void * pBuffer,
size_t bytesToSend );
#ifdef MBEDTLS_DEBUG_C
/**
* @brief Write an MBedTLS Debug message to the LogDebug() function
*
* @param[in] sslContext Pointer of the SSL Context that is being used
* @param[in] level The severity level of the debug message from MBedTLS
* @param[in] file Name of the file that the debug message is from
* @param[in] line The line number that the debug message is from
* @param[in] str The full string debug message from MBedTLS
*
* @return void
*/
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str );
#endif /* MBEDTLS_DEBUG_C */
#endif /* ifndef TRANSPORT_MBEDTLS_PKCS11 */