1
0

Update mbedtls to 2.5.1 (#3964)

* Renaming changes:
  * macro prefix "POLARSSL" -> "MBEDTLS"
  * functions now prefixed with "mbedtls_"
  * rename PolarSSL++ -> mbedTLS++
  * rename polarssl submodule

* Use mbedtls' AES-CFB8 implementation.

* Add cSslConfig to wrap mbedtls_ssl_config

* Update cTCPLink and cBlockingSslClientSocket to use cSslConfig

* Use cSslConfig in cHTTPServer

* Use cSslConfig for cMojangAPI::SecureRequest

* CI Fixes

* Set -fomit-frame-pointer on the right target
This commit is contained in:
peterbell10
2017-08-30 15:00:06 +01:00
committed by Tiger Wang
parent c6bc822054
commit 84941bcc9f
59 changed files with 952 additions and 699 deletions

View File

@@ -1,4 +1,4 @@
// HTTPServer.cpp
// Implements the cHTTPServer class representing a HTTP webserver that uses cListenThread and cSocketThreads for processing
@@ -9,6 +9,7 @@
#include "HTTPServerConnection.h"
#include "HTTPFormParser.h"
#include "SslHTTPServerConnection.h"
#include "mbedTLS++/SslConfig.h"
@@ -88,17 +89,23 @@ bool cHTTPServer::Initialize(void)
AString KeyFile = cFile::ReadWholeFile("webadmin/httpskey.pem");
if (!CertFile.empty() && !KeyFile.empty())
{
m_Cert.reset(new cX509Cert);
int res = m_Cert->Parse(CertFile.data(), CertFile.size());
auto Cert = std::make_shared<cX509Cert>();
int res = Cert->Parse(CertFile.data(), CertFile.size());
if (res == 0)
{
m_CertPrivKey.reset(new cCryptoKey);
int res2 = m_CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), "");
if (res2 != 0)
auto CertPrivKey = std::make_shared<cCryptoKey>();
res = CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), "");
if (res == 0)
{
// Modifyable locally but otherwise must be const
auto Config = cSslConfig::MakeDefaultConfig(false);
Config->SetOwnCert(Cert, CertPrivKey);
m_SslConfig = std::move(Config);
}
else
{
// Reading the private key failed, reset the cert:
LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res2);
m_Cert.reset();
LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res);
}
}
else
@@ -108,7 +115,7 @@ bool cHTTPServer::Initialize(void)
}
// Notify the admin about the HTTPS / HTTP status
if (m_Cert.get() == nullptr)
if (m_SslConfig == nullptr)
{
LOGWARNING("WebServer: The server will run in unsecured HTTP mode.");
LOGINFO("Put a valid HTTPS certificate in file 'webadmin/httpscert.crt' and its corresponding private key to 'webadmin/httpskey.pem' (without any password) to enable HTTPS support");
@@ -184,9 +191,9 @@ cTCPLink::cCallbacksPtr cHTTPServer::OnIncomingConnection(const AString & a_Remo
UNUSED(a_RemoteIPAddress);
UNUSED(a_RemotePort);
if (m_Cert.get() != nullptr)
if (m_SslConfig != nullptr)
{
return std::make_shared<cSslHTTPServerConnection>(*this, m_Cert, m_CertPrivKey);
return std::make_shared<cSslHTTPServerConnection>(*this, m_SslConfig);
}
else
{

View File

@@ -1,4 +1,4 @@
// HTTPServer.h
// Declares the cHTTPServer class representing a HTTP webserver that uses cListenThread and cSocketThreads for processing
@@ -11,8 +11,8 @@
#include "../OSSupport/Network.h"
#include "../IniFile.h"
#include "PolarSSL++/CryptoKey.h"
#include "PolarSSL++/X509Cert.h"
#include "mbedTLS++/CryptoKey.h"
#include "mbedTLS++/X509Cert.h"
@@ -21,6 +21,7 @@
// fwd:
class cHTTPIncomingRequest;
class cHTTPServerConnection;
class cSslConfig;
@@ -70,11 +71,8 @@ protected:
/** The callbacks to call for various events */
cCallbacks * m_Callbacks;
/** The server certificate to use for the SSL connections */
cX509CertPtr m_Cert;
/** The private key for m_Cert. */
cCryptoKeyPtr m_CertPrivKey;
/** Configuration for server ssl connections. */
std::shared_ptr<const cSslConfig> m_SslConfig;
/** Called by cHTTPServerListenCallbacks when there's a new incoming connection.

View File

@@ -1,4 +1,4 @@
// SslHTTPConnection.cpp
// Implements the cSslHTTPServerConnection class representing a HTTP connection made over a SSL link
@@ -11,14 +11,18 @@
cSslHTTPServerConnection::cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, const cX509CertPtr & a_Cert, const cCryptoKeyPtr & a_PrivateKey) :
cSslHTTPServerConnection::cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, std::shared_ptr<const cSslConfig> a_Config):
super(a_HTTPServer),
m_Ssl(64000),
m_Cert(a_Cert),
m_PrivateKey(a_PrivateKey)
m_Ssl(64000)
{
m_Ssl.Initialize(false);
m_Ssl.SetOwnCert(a_Cert, a_PrivateKey);
if (a_Config != nullptr)
{
m_Ssl.Initialize(a_Config);
}
else
{
m_Ssl.Initialize(false);
}
}
@@ -59,7 +63,7 @@ void cSslHTTPServerConnection::OnReceivedData(const char * a_Data, size_t a_Size
// The link may have closed while processing the data, bail out:
return;
}
else if (NumRead == POLARSSL_ERR_NET_WANT_READ)
else if (NumRead == MBEDTLS_ERR_SSL_WANT_READ)
{
// SSL requires us to send data to peer first, do so by "sending" empty data:
SendData(nullptr, 0);

View File

@@ -1,4 +1,4 @@
// SslHTTPServerConnection.h
// Declares the cSslHTTPServerConnection class representing a HTTP connection made over an SSL link
@@ -10,7 +10,7 @@
#pragma once
#include "HTTPServerConnection.h"
#include "PolarSSL++/BufferedSslContext.h"
#include "mbedTLS++/BufferedSslContext.h"
@@ -24,19 +24,13 @@ class cSslHTTPServerConnection :
public:
/** Creates a new connection on the specified server.
Sends the specified cert as the server certificate, uses the private key for decryption. */
cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, const cX509CertPtr & a_Cert, const cCryptoKeyPtr & a_PrivateKey);
cSslHTTPServerConnection(cHTTPServer & a_HTTPServer, std::shared_ptr<const cSslConfig> a_Config);
virtual ~cSslHTTPServerConnection() override;
protected:
cBufferedSslContext m_Ssl;
/** The certificate to send to the client */
cX509CertPtr m_Cert;
/** The private key used for the certificate */
cCryptoKeyPtr m_PrivateKey;
// cHTTPConnection overrides:
virtual void OnReceivedData(const char * a_Data, size_t a_Size) override; // Data is received from the client
virtual void SendData(const void * a_Data, size_t a_Size) override; // Data is to be sent to client

View File

@@ -7,8 +7,8 @@
#include "UrlClient.h"
#include "UrlParser.h"
#include "HTTPMessageParser.h"
#include "../PolarSSL++/X509Cert.h"
#include "../PolarSSL++/CryptoKey.h"
#include "../mbedTLS++/X509Cert.h"
#include "../mbedTLS++/CryptoKey.h"