blob: 14e5bcd80f96d51a771835747b59cd2b9ef67bf1 [file] [log] [blame]
// Copyright 2021 The Pigweed Authors
//
// Licensed under the Apache License, Version 2.0 (the "License"); you may not
// use this file except in compliance with the License. You may obtain a copy of
// the License at
//
// https://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
// WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
// License for the specific language governing permissions and limitations under
// the License.
#include "mbedtls/ssl.h"
#include "pw_assert/check.h"
#include "pw_log/log.h"
#include "pw_tls_client/entropy.h"
#include "pw_tls_client/session.h"
#include "pw_tls_client_mbedtls/backend_types.h"
namespace pw::tls_client {
namespace backend {
int SessionImplementation::MbedTlsWrite(void* ctx,
const uint8_t* buf,
size_t len) {
PW_CHECK_NOTNULL(ctx);
PW_CHECK_NOTNULL(buf);
auto writer =
static_cast<SessionImplementation*>(ctx)->session_options_.transport();
PW_CHECK_NOTNULL(writer);
return writer->Write(buf, len).ok() ? len : -1;
}
int SessionImplementation::MbedTlsRead(void* ctx,
unsigned char* buf,
size_t len) {
PW_CHECK_NOTNULL(ctx);
PW_CHECK_NOTNULL(buf);
auto reader =
static_cast<SessionImplementation*>(ctx)->session_options_.transport();
PW_CHECK_NOTNULL(reader);
auto res = reader->Read(buf, len);
if (!res.ok()) {
return -1;
}
return res.value().size() == 0 ? MBEDTLS_ERR_SSL_WANT_READ
: res.value().size();
}
Status SessionImplementation::entropy_source_status_ = OkStatus();
void SessionImplementation::SetEntropySourceStatus(Status status) {
entropy_source_status_ = status;
}
// Entropy source callback
int SessionImplementation::MbedTlsEntropySource(void* ctx,
unsigned char* out,
size_t len,
size_t* output_length) {
Status status;
if (entropy_source_status_ != OkStatus()) {
status = entropy_source_status_;
} else {
status = GetRandomBytes({out, len});
}
if (!status.ok()) {
PW_LOG_DEBUG("Failed to generate random bytes");
auto session_impl = static_cast<SessionImplementation*>(ctx);
session_impl->SetTlsStatus(pw::tls_client::TLSStatus::kEntropySourceFailed);
return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED;
}
*output_length = len;
return 0;
}
SessionImplementation::SessionImplementation(SessionOptions options)
: session_options_(options) {
mbedtls_ssl_init(&ssl_ctx_);
mbedtls_ssl_config_init(&ssl_config_);
mbedtls_ctr_drbg_init(&drbg_ctx_);
mbedtls_entropy_init(&entropy_ctx_);
}
SessionImplementation::~SessionImplementation() {
mbedtls_ssl_free(&ssl_ctx_);
mbedtls_ssl_config_free(&ssl_config_);
mbedtls_ctr_drbg_free(&drbg_ctx_);
mbedtls_entropy_free(&entropy_ctx_);
}
Status SessionImplementation::Setup() {
int ret = 0;
// Set up default configuration.
ret = mbedtls_ssl_config_defaults(
&ssl_config_,
// Configured as client.
MBEDTLS_SSL_IS_CLIENT,
// Statndard TLS. The other option is MBEDTLS_SSL_TRANSPORT_DATAGRAM
// for DTLS, which we'll consider later.
MBEDTLS_SSL_TRANSPORT_STREAM,
// This option is used in all MbedTLS native examples.
// The other option is MBEDTLS_SSL_PRESET_SUITEB.
// However, there is no document/comment availalbe on what they do.
// Base on the source code, these options will restrict the version
// of TLS protocol. MBEDTLS_SSL_PRESET_SUITEB forces TLS 1.2.
// MBEDTLS_SSL_PRESET_DEFAULT is more relaxed. But since we
// define MBEDTLS_SSL_PROTO_TLS1_2 for all configs. There shouldn't be
// any difference.
MBEDTLS_SSL_PRESET_DEFAULT);
if (ret) {
return Status::Internal();
}
// Set up an entropy source.
ret = mbedtls_entropy_add_source(&entropy_ctx_,
MbedTlsEntropySource,
this,
1,
MBEDTLS_ENTROPY_SOURCE_STRONG);
if (ret) {
return Status::Internal();
}
// Set up drbg.
unsigned char personalized_bytes[] = "pw_tls_client";
ret = mbedtls_ctr_drbg_seed(&drbg_ctx_,
mbedtls_entropy_func,
&entropy_ctx_,
personalized_bytes,
sizeof(personalized_bytes));
if (ret) {
if (ret == MBEDTLS_ERR_CTR_DRBG_ENTROPY_SOURCE_FAILED) {
tls_status_ = TLSStatus::kEntropySourceFailed;
}
return Status::Internal();
}
// The API does not fail.
mbedtls_ssl_conf_rng(&ssl_config_, mbedtls_ctr_drbg_random, &drbg_ctx_);
// The API does not fail.
mbedtls_ssl_conf_authmode(&ssl_config_, MBEDTLS_SSL_VERIFY_REQUIRED);
// TODO(pwbug/398): Add logic for loading trust anchors.
// Load configuration to SSL.
ret = mbedtls_ssl_setup(&ssl_ctx_, &ssl_config_);
if (ret) {
return Status::Internal();
}
// Set up transport.
// The API does not fail.
mbedtls_ssl_set_bio(&ssl_ctx_, this, MbedTlsWrite, MbedTlsRead, nullptr);
ret = mbedtls_ssl_set_hostname(&ssl_ctx_,
session_options_.server_name().data());
if (ret) {
return Status::Internal();
}
return OkStatus();
}
} // namespace backend
Session::Session(const SessionOptions& options) : session_impl_(options) {}
Session::~Session() = default;
Result<Session*> Session::Create(const SessionOptions& options) {
if (!options.transport()) {
PW_LOG_DEBUG("Must provide a transport");
return Status::Internal();
}
auto sess = new Session(options);
if (!sess) {
return Status::ResourceExhausted();
}
// Set up the client.
auto setup_status = sess->session_impl_.Setup();
if (!setup_status.ok()) {
PW_LOG_DEBUG("Failed to setup");
// TODO(pwbug/398): `tls_status_` may be set, but the session object will
// be released. Map `tls_stauts_` to string and print out here so that
// the information can be catched.
delete sess;
return setup_status;
}
return sess;
}
Status Session::Open() {
// TODO(pwbug/398): To implement
return Status::Unimplemented();
}
Status Session::Close() {
// TODO(pwbug/398): To implement
return Status::Unimplemented();
}
StatusWithSize Session::DoRead(ByteSpan) {
// TODO(pwbug/398): To implement
return StatusWithSize(Status::Unimplemented(), 0);
}
Status Session::DoWrite(ConstByteSpan) {
// TODO(pwbug/398): To implement
return Status::Unimplemented();
}
TLSStatus Session::GetLastTLSStatus() { return session_impl_.GetTlsStatus(); }
} // namespace pw::tls_client