From 84941bcc9f25cbe3fd3b2604080d0a1cfd8fbaa7 Mon Sep 17 00:00:00 2001 From: peterbell10 Date: Wed, 30 Aug 2017 15:00:06 +0100 Subject: Update mbedtls to 2.5.1 (#3964) * Renaming changes: * macro prefix "POLARSSL" -> "MBEDTLS" * functions now prefixed with "mbedtls_" * rename PolarSSL++ -> mbedTLS++ * rename polarssl submodule * Use mbedtls' AES-CFB8 implementation. * Add cSslConfig to wrap mbedtls_ssl_config * Update cTCPLink and cBlockingSslClientSocket to use cSslConfig * Use cSslConfig in cHTTPServer * Use cSslConfig for cMojangAPI::SecureRequest * CI Fixes * Set -fomit-frame-pointer on the right target --- src/HTTP/HTTPServer.cpp | 29 ++++++++++++++++++----------- src/HTTP/HTTPServer.h | 14 ++++++-------- src/HTTP/SslHTTPServerConnection.cpp | 20 ++++++++++++-------- src/HTTP/SslHTTPServerConnection.h | 12 +++--------- src/HTTP/UrlClient.cpp | 4 ++-- 5 files changed, 41 insertions(+), 38 deletions(-) (limited to 'src/HTTP') diff --git a/src/HTTP/HTTPServer.cpp b/src/HTTP/HTTPServer.cpp index 836dfa6e9..24c09aa38 100644 --- a/src/HTTP/HTTPServer.cpp +++ b/src/HTTP/HTTPServer.cpp @@ -1,4 +1,4 @@ - + // HTTPServer.cpp // Implements the cHTTPServer class representing a HTTP webserver that uses cListenThread and cSocketThreads for processing @@ -9,6 +9,7 @@ #include "HTTPServerConnection.h" #include "HTTPFormParser.h" #include "SslHTTPServerConnection.h" +#include "mbedTLS++/SslConfig.h" @@ -88,17 +89,23 @@ bool cHTTPServer::Initialize(void) AString KeyFile = cFile::ReadWholeFile("webadmin/httpskey.pem"); if (!CertFile.empty() && !KeyFile.empty()) { - m_Cert.reset(new cX509Cert); - int res = m_Cert->Parse(CertFile.data(), CertFile.size()); + auto Cert = std::make_shared(); + int res = Cert->Parse(CertFile.data(), CertFile.size()); if (res == 0) { - m_CertPrivKey.reset(new cCryptoKey); - int res2 = m_CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), ""); - if (res2 != 0) + auto CertPrivKey = std::make_shared(); + res = CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), ""); + if (res == 0) + { + // Modifyable locally but otherwise must be const + auto Config = cSslConfig::MakeDefaultConfig(false); + Config->SetOwnCert(Cert, CertPrivKey); + m_SslConfig = std::move(Config); + } + else { // Reading the private key failed, reset the cert: - LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res2); - m_Cert.reset(); + LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res); } } else @@ -108,7 +115,7 @@ bool cHTTPServer::Initialize(void) } // Notify the admin about the HTTPS / HTTP status - if (m_Cert.get() == nullptr) + if (m_SslConfig == nullptr) { LOGWARNING("WebServer: The server will run in unsecured HTTP mode."); LOGINFO("Put a valid HTTPS certificate in file 'webadmin/httpscert.crt' and its corresponding private key to 'webadmin/httpskey.pem' (without any password) to enable HTTPS support"); @@ -184,9 +191,9 @@ cTCPLink::cCallbacksPtr cHTTPServer::OnIncomingConnection(const AString & a_Remo UNUSED(a_RemoteIPAddress); UNUSED(a_RemotePort); - if (m_Cert.get() != nullptr) + if (m_SslConfig != nullptr) { - return std::make_shared(*this, m_Cert, m_CertPrivKey); + return std::make_shared(*this, m_SslConfig); } else { diff --git a/src/HTTP/HTTPServer.h b/src/HTTP/HTTPServer.h index cd944bb89..a2d5d84fc 100644 --- a/src/HTTP/HTTPServer.h +++ b/src/HTTP/HTTPServer.h @@ -1,4 +1,4 @@ - + // HTTPServer.h // Declares the cHTTPServer class representing a HTTP webserver that uses cListenThread and cSocketThreads for processing @@ -11,8 +11,8 @@ #include "../OSSupport/Network.h" #include "../IniFile.h" -#include "PolarSSL++/CryptoKey.h" -#include "PolarSSL++/X509Cert.h" +#include "mbedTLS++/CryptoKey.h" +#include "mbedTLS++/X509Cert.h" @@ -21,6 +21,7 @@ // fwd: class cHTTPIncomingRequest; class cHTTPServerConnection; +class cSslConfig; @@ -70,11 +71,8 @@ protected: /** The callbacks to call for various events */ cCallbacks * m_Callbacks; - /** The server certificate to use for the SSL connections */ - cX509CertPtr m_Cert; - - /** The private key for m_Cert. */ - cCryptoKeyPtr m_CertPrivKey; + /** Configuration for server ssl connections. */ + std::shared_ptr m_SslConfig; /** Called by cHTTPServerListenCallbacks when there's a new incoming connection. diff --git a/src/HTTP/SslHTTPServerConnection.cpp b/src/HTTP/SslHTTPServerConnection.cpp index 547e6de3a..99fb1b956 100644 --- a/src/HTTP/SslHTTPServerConnection.cpp +++ b/src/HTTP/SslHTTPServerConnection.cpp @@ -1,4 +1,4 @@ - + // SslHTTPConnection.cpp // Implements the cSslHTTPServerConnection class representing a HTTP connection made over a SSL link @@ -11,14 +11,18 @@ -cSslHTTPServerConnection::cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, const cX509CertPtr & a_Cert, const cCryptoKeyPtr & a_PrivateKey) : +cSslHTTPServerConnection::cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, std::shared_ptr a_Config): super(a_HTTPServer), - m_Ssl(64000), - m_Cert(a_Cert), - m_PrivateKey(a_PrivateKey) + m_Ssl(64000) { - m_Ssl.Initialize(false); - m_Ssl.SetOwnCert(a_Cert, a_PrivateKey); + if (a_Config != nullptr) + { + m_Ssl.Initialize(a_Config); + } + else + { + m_Ssl.Initialize(false); + } } @@ -59,7 +63,7 @@ void cSslHTTPServerConnection::OnReceivedData(const char * a_Data, size_t a_Size // The link may have closed while processing the data, bail out: return; } - else if (NumRead == POLARSSL_ERR_NET_WANT_READ) + else if (NumRead == MBEDTLS_ERR_SSL_WANT_READ) { // SSL requires us to send data to peer first, do so by "sending" empty data: SendData(nullptr, 0); diff --git a/src/HTTP/SslHTTPServerConnection.h b/src/HTTP/SslHTTPServerConnection.h index 0f56d082f..894a2cc4a 100644 --- a/src/HTTP/SslHTTPServerConnection.h +++ b/src/HTTP/SslHTTPServerConnection.h @@ -1,4 +1,4 @@ - + // SslHTTPServerConnection.h // Declares the cSslHTTPServerConnection class representing a HTTP connection made over an SSL link @@ -10,7 +10,7 @@ #pragma once #include "HTTPServerConnection.h" -#include "PolarSSL++/BufferedSslContext.h" +#include "mbedTLS++/BufferedSslContext.h" @@ -24,19 +24,13 @@ class cSslHTTPServerConnection : public: /** Creates a new connection on the specified server. Sends the specified cert as the server certificate, uses the private key for decryption. */ - cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, const cX509CertPtr & a_Cert, const cCryptoKeyPtr & a_PrivateKey); + cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, std::shared_ptr a_Config); virtual ~cSslHTTPServerConnection() override; protected: cBufferedSslContext m_Ssl; - /** The certificate to send to the client */ - cX509CertPtr m_Cert; - - /** The private key used for the certificate */ - cCryptoKeyPtr m_PrivateKey; - // cHTTPConnection overrides: virtual void OnReceivedData(const char * a_Data, size_t a_Size) override; // Data is received from the client virtual void SendData(const void * a_Data, size_t a_Size) override; // Data is to be sent to client diff --git a/src/HTTP/UrlClient.cpp b/src/HTTP/UrlClient.cpp index f7d12028d..29ee7e18d 100644 --- a/src/HTTP/UrlClient.cpp +++ b/src/HTTP/UrlClient.cpp @@ -7,8 +7,8 @@ #include "UrlClient.h" #include "UrlParser.h" #include "HTTPMessageParser.h" -#include "../PolarSSL++/X509Cert.h" -#include "../PolarSSL++/CryptoKey.h" +#include "../mbedTLS++/X509Cert.h" +#include "../mbedTLS++/CryptoKey.h" -- cgit v1.2.3