Add wrapper to mbedtls 2.2

CMakeLists.txt

@@ -67,8 +67,16 @@ set(exec_prefix ${prefix}/bin)
 set(libdir ${prefix}/lib)
 set(includedir ${prefix}/include)
 
-get_filename_component(polarssl_library_path "${POLARSSL_LIBRARIES}" PATH)
-set(LIBS_PRIVATE "${LIBS_PRIVATE} -L${polarssl_library_path} -lpolarssl")
+if (MBEDTLS_FOUND)
+	get_filename_component(mbedtls_library_path "${MBEDTLS_LIBRARIES}" PATH)
+	set(LIBS_PRIVATE "${LIBS_PRIVATE} -L${mbedlts_library_path}")
+endif()
+
+if (POLARSSL_FOUND)
+	get_filename_component(polarssl_library_path "${POLARSSL_LIBRARIES}" PATH)
+	set(LIBS_PRIVATE "${LIBS_PRIVATE} -L${polarssl_library_path} -lpolarssl")
+endif()
+
 configure_file(${CMAKE_CURRENT_SOURCE_DIR}/bctoolbox.pc.in ${CMAKE_CURRENT_BINARY_DIR}/bctoolbox.pc)
 install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bctoolbox.pc DESTINATION lib/pkgconfig)
 
@@ -76,8 +84,16 @@ install(FILES ${CMAKE_CURRENT_BINARY_DIR}/bctoolbox.pc DESTINATION lib/pkgconfig
 include_directories(
 	include
 	src
-	${POLARSSL_INCLUDE_DIRS}
 )
+
+if (MBEDTLS_FOUND)
+	include_directories(${MBEDTLS_INCLUDE_DIRS})
+endif()
+
+if (POLARSSL_FOUND)
+	include_directories(${POLARSSL_INCLUDE_DIRS})
+endif()
+
 if(MSVC)
 	include_directories(${MSVC_INCLUDE_DIR})
 endif()

include/bctoolbox/crypto.h

@@ -70,13 +70,24 @@ Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 #define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_REVOKED		0x02  /**< The certificate has been revoked (is on a CRL). */
 #define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_CN_MISMATCH	0x04  /**< The certificate Common Name (CN) does not match with the expected CN. */
 #define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_NOT_TRUSTED	0x08  /**< The certificate is not correctly signed by the trusted CA. */
-#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_NOT_TRUSTED		0x10  /**< CRL is not correctly signed by the trusted CA. */
-#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_EXPIRED			0x20  /**< CRL is expired. */
-#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_MISSING		0x40  /**< Certificate was missing. */
-#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_SKIP_VERIFY	0x80  /**< Certificate verification was skipped. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_MISSING		0x10  /**< Certificate was missing. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_SKIP_VERIFY	0x20  /**< Certificate verification was skipped. */
 #define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_OTHER			0x0100  /**< Other reason (can be used by verify callback) */
 #define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_FUTURE			0x0200  /**< The certificate validity starts in the future. */
-#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_FUTURE			0x0400  /**< The CRL is from the future */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_KEY_USAGE      0x0400  /**< Usage does not match the keyUsage extension. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_EXT_KEY_USAGE  0x0800  /**< Usage does not match the extendedKeyUsage extension. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_NS_CERT_TYPE   0x1000  /**< Usage does not match the nsCertType extension. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_BAD_MD         0x2000  /**< The certificate is signed with an unacceptable hash. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_BAD_PK         0x4000  /**< The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCERT_BAD_KEY        0x8000  /**< The certificate is signed with an unacceptable key (eg bad curve, RSA too short). */
+
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_FUTURE			0x10000  /**< The CRL is from the future */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_NOT_TRUSTED		0x20000  /**< CRL is not correctly signed by the trusted CA. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_EXPIRED			0x40000  /**< CRL is expired. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_BAD_MD          0x80000  /**< The CRL is signed with an unacceptable hash. */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_BAD_PK          0x100000  /**< The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA). */
+#define BCTOOLBOX_CERTIFICATE_VERIFY_BADCRL_BAD_KEY         0x200000  /**< The CRL is signed with an unacceptable key (eg bad curve, RSA too short). */
+
 
 /* Hash functions type */
 typedef enum bctoolbox_md_type {
@@ -157,6 +168,7 @@ void bctoolbox_ssl_set_io_callbacks(bctoolbox_ssl_context_t *ssl_ctx, void *call
 const bctoolbox_x509_certificate_t *bctoolbox_ssl_get_peer_certificate(bctoolbox_ssl_context_t *ssl_ctx);
 
 bctoolbox_ssl_config_t *bctoolbox_ssl_config_new(void);
+int32_t bctoolbox_ssl_config_set_crypto_library_config(bctoolbox_ssl_config_t *ssl_config, void *internal_config);
 void bctoolbox_ssl_config_free(bctoolbox_ssl_config_t *ssl_config);
 int32_t bctoolbox_ssl_config_defaults(bctoolbox_ssl_config_t *ssl_config, int endpoint, int transport);
 int32_t bctoolbox_ssl_config_set_endpoint(bctoolbox_ssl_config_t *ssl_config, int endpoint);

src/CMakeLists.txt

@@ -22,9 +22,19 @@
 
 
 set(BCTOOLBOX_SOURCE_FILES
-	crypto.c
 )
 
+if (POLARSSL_FOUND)
+	set(BCTOOLBOX_SOURCE_FILES
+		${BCTOOLBOX_SOURCE_FILES}
+		crypto_polarssl.c
+	)
+elseif (MBEDTLS_FOUND)
+	set(BCTOOLBOX_SOURCE_FILES
+		${BCTOOLBOX_SOURCE_FILES}
+		crypto_mbedtls.c
+	)
+endif()
 
 if(ENABLE_STATIC)
 	add_library(bctoolbox STATIC ${BCTOOLBOX_HEADER_FILES} ${BCTOOLBOX_SOURCE_FILES})
@@ -41,8 +51,15 @@ else()
 	endif()
 endif()
 
-list(APPEND INCLUDES ${POLARSSL_INCLUDE_DIR})
-list(APPEND LIBS ${POLARSSL_LIBRARIES})
+
+if (POLARSSL_FOUND)
+	list(APPEND INCLUDES ${POLARSSL_INCLUDE_DIRS})
+	list(APPEND LIBS ${POLARSSL_LIBRARIES})
+elseif (MBEDTLS_FOUND)
+	list(APPEND INCLUDES ${MBEDTLS_INCLUDE_DIRS})
+	list(APPEND LIBS ${MBEDTLS_LIBRARIES})
+endif()
+
 
 
 target_include_directories(bctoolbox PUBLIC ${INCLUDES})

src/crypto.c → src/crypto_polarssl.c

 /*
-crypto.c
+crypto_polarssl.c
 Copyright (C) 2016  Belledonne Communications SARL
 
 This program is free software; you can redistribute it and/or
@@ -128,7 +128,7 @@ char *bctoolbox_signing_key_get_pem(bctoolbox_signing_key_t *key) {
 
 int32_t bctoolbox_signing_key_parse(bctoolbox_signing_key_t *key, const char *buffer, size_t buffer_length, const unsigned char *password, size_t password_length) {
 	int err;
-	err=pk_parse_key((pk_context *)key, (const unsigned char *)buffer, buffer_length, password, password_length);
+	err=pk_parse_key((pk_context *)key, (const unsigned char *)buffer, buffer_length+1, password, password_length);
 	if(err==0 && !pk_can_do((pk_context *)key, POLARSSL_PK_RSA)) {
 		err=POLARSSL_ERR_PK_TYPE_MISMATCH;
 	}
@@ -193,7 +193,7 @@ int32_t bctoolbox_x509_certificate_parse_path(bctoolbox_x509_certificate_t *cert
 }
 
 int32_t bctoolbox_x509_certificate_parse(bctoolbox_x509_certificate_t *cert, const char *buffer, size_t buffer_length) {
-	return x509_crt_parse((x509_crt *)cert, (const unsigned char *)buffer, buffer_length);
+	return x509_crt_parse((x509_crt *)cert, (const unsigned char *)buffer, buffer_length+1);
 }
 
 int32_t bctoolbox_x509_certificate_get_der_length(bctoolbox_x509_certificate_t *cert) {
@@ -304,6 +304,8 @@ int32_t bctoolbox_x509_certificate_generate_selfsigned(const char *subject, bcto
 	}
 
 	x509write_crt_free(&crt);
+	ctr_drbg_free(&ctr_drbg);
+	entropy_free(&entropy);
 
 	/* copy the key+cert in pem format into the given buffer */
 	if (pem != NULL) {
@@ -803,6 +805,10 @@ bctoolbox_ssl_config_t *bctoolbox_ssl_config_new(void) {
 	return ssl_config;
 }
 
+int32_t bctoolbox_ssl_config_set_crypto_library_config(bctoolbox_ssl_config_t *ssl_config, void *internal_config) {
+	return BCTOOLBOX_ERROR_UNAVAILABLE_FUNCTION;
+}
+
 void bctoolbox_ssl_config_free(bctoolbox_ssl_config_t *ssl_config) {
 	bctoolbox_free(ssl_config);
 }
@@ -1000,10 +1006,11 @@ int32_t bctoolbox_ssl_context_setup(bctoolbox_ssl_context_t *ssl_ctx, bctoolbox_
 		ssl_set_own_cert(&(ssl_ctx->ssl_ctx) , ssl_config->own_cert , ssl_config->own_cert_pk);
 	}
 
+#ifdef HAVE_DTLS_SRTP
 	if (ssl_config->dtls_srtp_profiles_number > 0) {
 		ssl_set_dtls_srtp_protection_profiles(&(ssl_ctx->ssl_ctx), ssl_config->dtls_srtp_profiles, ssl_config->dtls_srtp_profiles_number );
 	}
-
+#endif
 
 	return 0;
 }