Use MbedTLS 3.5.1 and Add TLS 1.3 Support to WinSim Demos (#1135)

* Bump up to MBed-TLS V3.5.1, make changes to Visual Studio Projects to account for this.
* Update MBedTLS Transport files to call psa_crypto_init() if the MBEDTLS_PSA_CRYPTO_C is set.
* Add WIN32_LEAN_AND_MEAN to the corePKCS11_MQTT_Mutual_Auth_Windows_Simulator demo. Add in a check for MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET when making a TLS handshake.
* Change transport interface files from using void * to mbedtls_pk_context * instead per changes in the MbedTLS API.
* Changes to Fleet Provisioning Demo and Demo Setup to use ECDSA keys
* Remove non-32 bit configs from various VisualStudio Projects. Enforce all projects using WIN32_LEAN_AND_MEAN as well as winsock2.h
Soren Ptak
2023-12-15 15:30:39 -05:00
committed by GitHub
parent 4bad7a6ba4
commit 6b513cb1a2
71 changed files with 2620 additions and 2987 deletions


@@ -35,6 +35,7 @@
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "threading_alt.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"


@@ -26,8 +26,13 @@
#include "logging_levels.h"
#define LIBRARY_LOG_NAME "MbedTLSRNGP11"
#define LIBRARY_LOG_LEVEL LOG_ERROR
#ifndef LIBRARY_LOG_NAME
#define LIBRARY_LOG_NAME "MbedTLSRNGP11"
#endif /* LIBRARY_LOG_NAME */
#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_ERROR
#endif /* LIBRARY_LOG_LEVEL */
#include "logging_stack.h"


@@ -25,15 +25,20 @@
*/
/**
* @file tls_freertos.c
* @file transport_mbedtls.c
* @brief TLS transport interface implementations. This implementation uses
* mbedTLS.
*/
#include "logging_levels.h"
#define LIBRARY_LOG_NAME "MbedtlsTransport"
#define LIBRARY_LOG_LEVEL LOG_INFO
#ifndef LIBRARY_LOG_NAME
#define LIBRARY_LOG_NAME "MbedtlsTransport"
#endif /* LIBRARY_LOG_NAME */
#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_INFO
#endif /* LIBRARY_LOG_LEVEL*/
#include "logging_stack.h"
@@ -43,7 +48,24 @@
/* FreeRTOS includes. */
#include "FreeRTOS.h"
/* MbedTLS Bio TCP sockets wrapper include. */
/* MBedTLS Includes */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#ifdef MBEDTLS_PSA_CRYPTO_C
/* MbedTLS PSA Includes */
#include "psa/crypto.h"
#include "psa/crypto_values.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */
#ifdef MBEDTLS_DEBUG_C
#include "mbedtls/debug.h"
#endif /* MBEDTLS_DEBUG_C */
/* MBedTLS Bio TCP sockets wrapper include. */
#include "mbedtls_bio_tcp_sockets_wrapper.h"
/* TLS transport header. */
@@ -219,6 +241,22 @@ static TlsTransportStatus_t initMbedtls( mbedtls_entropy_context * pEntropyConte
/*-----------------------------------------------------------*/
#ifdef MBEDTLS_DEBUG_C
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str )
{
if( ( str != NULL ) && ( file != NULL ) )
{
LogDebug( ( "%s:%d: [%d] %s", file, line, level, str ) );
}
}
#endif /* MBEDTLS_DEBUG_C */
/*-----------------------------------------------------------*/
static void sslContextInit( SSLContext_t * pSslContext )
{
configASSERT( pSslContext != NULL );
@@ -228,6 +266,12 @@ static void sslContextInit( SSLContext_t * pSslContext )
mbedtls_pk_init( &( pSslContext->privKey ) );
mbedtls_x509_crt_init( &( pSslContext->clientCert ) );
mbedtls_ssl_init( &( pSslContext->context ) );
#ifdef MBEDTLS_DEBUG_C
mbedtls_debug_set_threshold( LIBRARY_LOG_LEVEL + 1U );
mbedtls_ssl_conf_dbg( &( pSslContext->config ),
mbedtls_string_printf,
NULL );
#endif /* MBEDTLS_DEBUG_C */
}
/*-----------------------------------------------------------*/
@@ -597,6 +641,19 @@ static TlsTransportStatus_t initMbedtls( mbedtls_entropy_context * pEntropyConte
returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
}
#ifdef MBEDTLS_PSA_CRYPTO_C
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
mbedtlsError = psa_crypto_init();
if( mbedtlsError != PSA_SUCCESS )
{
LogError( ( "Failed to initialize PSA Crypto implementation: %s", ( int ) mbedtlsError ) );
returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
}
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
/* Seed the random number generator. */
@@ -809,8 +866,14 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_read." ) );
}
LogDebug( ( "Failed to read data. However, a read can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
@@ -868,8 +931,14 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_write." ) );
}
LogDebug( ( "Failed to send data. However, send can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
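Review bot: In the PSA initialization block added to initMbedtls (`@@ -597,6 +641,19 @@`), `LogError( ( "Failed to initialize PSA Crypto implementation: %s", ( int ) mbedtlsError ) )` passes an `int` to a `%s` conversion, which is undefined behavior and in practice dereferences the (small negative) psa_status_t value as a string pointer, so the one path meant to explain why TLS setup failed will fault instead; it should read `LogError( ( "Failed to initialize PSA Crypto implementation: %d", ( int ) mbedtlsError ) );`. Note that `mbedtlsHighLevelCodeOrDefault`/`mbedtlsLowLevelCodeOrDefault` are not a substitute here, since a psa_status_t is not an mbedTLS error code. Separately, sslContextInit derives the debug threshold as `LIBRARY_LOG_LEVEL + 1U`; if LOG_INFO is 3 as in the usual FreeRTOS logging_levels.h, the file's default selects mbedTLS level 4, which as I recall dumps raw record buffers and handshake state, and the callback forwards every message unfiltered. I would pin the threshold to an explicit mbedTLS level rather than the logging scale and add above the call `/* MBEDTLS_DEBUG_C output can include handshake secrets; never enable it in production builds. */`. initMbedtls and sslContextInit both continue outside the hunks shown.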


@@ -32,6 +32,22 @@
#ifndef USING_MBEDTLS
#define USING_MBEDTLS
/* MBed TLS includes. */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "mbedtls/build_info.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"
#include "mbedtls/threading.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
/**************************************************/
/******* DO NOT CHANGE the following order ********/
/**************************************************/
@@ -53,9 +69,10 @@
#define LIBRARY_LOG_LEVEL LOG_ERROR
#endif
/* Prototype for the function used to print to console on Windows simulator
* of FreeRTOS.
* The function prints to the console before the network is connected;
/** @brief Prototype for the function used to print to console on Windows
* simulator of FreeRTOS.
*
* @note The function prints to the console before the network is connected;
* then a UDP port after the network has connected. */
extern void vLoggingPrintf( const char * pcFormatString,
... );
@@ -76,15 +93,6 @@ extern void vLoggingPrintf( const char * pcFormatString,
/* Transport interface include. */
#include "transport_interface.h"
/* mbed TLS includes. */
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"
#include "mbedtls/threading.h"
#include "mbedtls/x509.h"
#include "mbedtls/error.h"
#include "mbedtls/build_info.h"
/**
* @brief Secured connection context.
*/
@@ -183,7 +191,7 @@ void TLS_FreeRTOS_Disconnect( NetworkContext_t * pNetworkContext );
/**
* @brief Receives data from an established TLS connection.
*
* This is the TLS version of the transport interface's
* @note This is the TLS version of the transport interface's
* #TransportRecv_t function.
*
* @param[in] pNetworkContext The Network context.
@@ -201,7 +209,7 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
/**
* @brief Sends data over an established TLS connection.
*
* This is the TLS version of the transport interface's
* @note This is the TLS version of the transport interface's
* #TransportSend_t function.
*
* @param[in] pNetworkContext The network context.
@@ -216,4 +224,25 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
const void * pBuffer,
size_t bytesToSend );
#ifdef MBEDTLS_DEBUG_C
/**
* @brief Write an MBedTLS Debug message to the LogDebug() function
*
* @param[in] sslContext Pointer of the SSL Context that is being used
* @param[in] level The severity level of the debug message from MBedTLS
* @param[in] file Name of the file that the debug message is from
* @param[in] line The line number that the debug message is from
* @param[in] str The full string debug message from MBedTLS
*
* @return void
*/
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str );
#endif /* MBEDTLS_DEBUG_C */
#endif /* ifndef USING_MBEDTLS */
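Review bot: The new `mbedtls_string_printf` prototype at the end of this header gives the debug callback external linkage under the library's own `mbedtls_` prefix, and a non-static definition of that same name is added to both transport_mbedtls.c and transport_mbedtls_pkcs11.c in this commit, so any project that links both transports, or a future mbedTLS release that introduces a symbol of that name, gets a duplicate-symbol link error. Since the function is only passed to `mbedtls_ssl_conf_dbg` from within the same translation unit, it can be `static` in each .c file with a project-style name and dropped from this header, e.g. `static void prvMbedtlsDebugPrint( void * sslContext, int level, const char * file, int line, const char * str );`. If it must stay public for the demos, the doc comment should at least state that `level` is mbedTLS's debug level (not a LIBRARY_LOG_LEVEL value) and that `sslContext` is unused by this implementation.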


@@ -30,19 +30,38 @@
* mbedTLS.
*/
/* Standard includes. */
#include <string.h>
#include "logging_levels.h"
#define LIBRARY_LOG_NAME "PkcsTlsTransport"
#define LIBRARY_LOG_LEVEL LOG_INFO
#define LIBRARY_LOG_NAME "PkcsTlsTransport"
#ifndef LIBRARY_LOG_LEVEL
#define LIBRARY_LOG_LEVEL LOG_INFO
#endif /* LIBRARY_LOG_LEVEL */
#include "logging_stack.h"
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#ifndef MBEDTLS_ALLOW_PRIVATE_ACCESS
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#include "mbedtls/private_access.h"
#endif /* MBEDTLS_ALLOW_PRIVATE_ACCESS */
#include "mbedtls/private_access.h"
/* MBedTLS Includes */
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
/* Standard includes. */
#include <string.h>
#ifdef MBEDTLS_PSA_CRYPTO_C
/* MbedTLS PSA Includes */
#include "psa/crypto.h"
#include "psa/crypto_values.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */
#include "mbedtls/debug.h"
/* FreeRTOS includes. */
#include "FreeRTOS.h"
@@ -205,6 +224,22 @@ static int32_t privateKeySigningCallback( void * pvContext,
void * pvRng );
/*-----------------------------------------------------------*/
#ifdef MBEDTLS_DEBUG_C
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str )
{
if( ( str != NULL ) && ( file != NULL ) )
{
LogDebug( ( "%s:%d: [%d] %s", file, line, level, str ) );
}
}
#endif /* MBEDTLS_DEBUG_C */
/*-----------------------------------------------------------*/
static void sslContextInit( SSLContext_t * pSslContext )
@@ -215,6 +250,12 @@ static void sslContextInit( SSLContext_t * pSslContext )
mbedtls_x509_crt_init( &( pSslContext->rootCa ) );
mbedtls_x509_crt_init( &( pSslContext->clientCert ) );
mbedtls_ssl_init( &( pSslContext->context ) );
#ifdef MBEDTLS_DEBUG_C
mbedtls_debug_set_threshold( LIBRARY_LOG_LEVEL + 1U );
mbedtls_ssl_conf_dbg( &( pSslContext->config ),
mbedtls_string_printf,
NULL );
#endif /* MBEDTLS_DEBUG_C */
xInitializePkcs11Session( &( pSslContext->xP11Session ) );
C_GetFunctionList( &( pSslContext->pxP11FunctionList ) );
@@ -274,6 +315,20 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
returnStatus = TLS_TRANSPORT_INSUFFICIENT_MEMORY;
}
#ifdef MBEDTLS_PSA_CRYPTO_C
mbedtlsError = psa_crypto_init();
if( mbedtlsError != PSA_SUCCESS )
{
LogError( ( "Failed to initialize PSA Crypto implementation: %s", ( int ) mbedtlsError ) );
returnStatus = TLS_TRANSPORT_INVALID_PARAMETER;
}
else
{
LogDebug( ( "Initialized the PSA Crypto Engine" ) );
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
if( returnStatus == TLS_TRANSPORT_SUCCESS )
{
/* Set up the certificate security profile, starting from the default value. */
@@ -448,15 +503,23 @@ static TlsTransportStatus_t tlsSetup( NetworkContext_t * pNetworkContext,
{
mbedtlsError = mbedtls_ssl_handshake( &( pTlsTransportParams->sslContext.context ) );
} while( ( mbedtlsError == MBEDTLS_ERR_SSL_WANT_READ ) ||
( mbedtlsError == MBEDTLS_ERR_SSL_WANT_WRITE ) );
( mbedtlsError == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( mbedtlsError == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) );
if( mbedtlsError != 0 )
{
LogError( ( "Failed to perform TLS handshake: mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( mbedtlsError ),
mbedtlsLowLevelCodeOrDefault( mbedtlsError ) ) );
if( mbedtlsError == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_handshake." ) );
}
else
{
LogError( ( "Failed to perform TLS handshake: mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( mbedtlsError ),
mbedtlsLowLevelCodeOrDefault( mbedtlsError ) ) );
returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;
returnStatus = TLS_TRANSPORT_HANDSHAKE_FAILED;
}
}
}
@@ -633,7 +696,7 @@ static CK_RV initializeClientKeys( SSLContext_t * pxCtx,
if( ( CKR_OK == xResult ) && ( pxCtx->xP11PrivateKey == CK_INVALID_HANDLE ) )
{
xResult = CK_INVALID_HANDLE;
LogError( ( "Could not find private key." ) );
LogError( ( "Could not find private key: %s", pcLabelName ) );
}
if( xResult == CKR_OK )
@@ -808,8 +871,14 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_read." ) );
}
LogDebug( ( "Failed to read data. However, a read can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
@@ -867,8 +936,14 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
if( ( tlsStatus == MBEDTLS_ERR_SSL_TIMEOUT ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_READ ) ||
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) )
( tlsStatus == MBEDTLS_ERR_SSL_WANT_WRITE ) ||
( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET ) )
{
if( tlsStatus == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )
{
LogDebug( ( "Received a MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET return code from mbedtls_ssl_write." ) );
}
LogDebug( ( "Failed to send data. However, send can be retried on this error. "
"mbedTLSError= %s : %s.",
mbedtlsHighLevelCodeOrDefault( tlsStatus ),
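Review bot: The psa_crypto_init() block added to tlsSetup (`@@ -274,6 +315,20 @@`) runs even when the preceding step has already set `returnStatus` to TLS_TRANSPORT_INSUFFICIENT_MEMORY, and on failure overwrites that status with TLS_TRANSPORT_INVALID_PARAMETER, which misreports a crypto-engine initialization failure as a bad argument and diverges from the sibling transport_mbedtls.c, where the same call is guarded on success and reports TLS_TRANSPORT_INTERNAL_ERROR. The LogError in that block also passes `( int ) mbedtlsError` to a `%s` conversion, which is undefined behavior and will dereference the negative status value as a string pointer on the one path that should explain the failure; it needs `%d`. The rewritten block below guards the call, reports INTERNAL_ERROR and fixes the format; the PSA API documents repeated psa_crypto_init() calls as having no effect, so calling it per connection is acceptable. Separately, in the handshake loop the do-while condition already retries on MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET, so the `if( mbedtlsError == MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET )` branch following the loop is unreachable and can be removed. tlsSetup begins and ends outside the hunks shown.

```c
/* … unchanged: certificate setup and INSUFFICIENT_MEMORY handling … */
#ifdef MBEDTLS_PSA_CRYPTO_C
    if( returnStatus == TLS_TRANSPORT_SUCCESS )
    {
        /* Repeated calls are documented as no-ops by the PSA API, so this is safe per connection. */
        mbedtlsError = psa_crypto_init();

        if( mbedtlsError != PSA_SUCCESS )
        {
            /* psa_status_t is not an mbedTLS error code; print it as an integer. */
            LogError( ( "Failed to initialize PSA Crypto implementation: %d", ( int ) mbedtlsError ) );
            returnStatus = TLS_TRANSPORT_INTERNAL_ERROR;
        }
        else
        {
            LogDebug( ( "Initialized the PSA Crypto Engine" ) );
        }
    }
#endif /* MBEDTLS_PSA_CRYPTO_C */
/* … unchanged: certificate security profile setup … */
```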


@@ -37,6 +37,12 @@
#define MBEDTLS_ALLOW_PRIVATE_ACCESS
#if !defined( MBEDTLS_CONFIG_FILE )
#include "mbedtls/mbedtls_config.h"
#else
#include MBEDTLS_CONFIG_FILE
#endif
#include "mbedtls/private_access.h"
/* TCP Sockets Wrapper include.*/
@@ -46,6 +52,7 @@
#include "transport_interface.h"
/* mbed TLS includes. */
#include "mbedtls/build_info.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ssl.h"
@@ -181,7 +188,7 @@ int32_t TLS_FreeRTOS_recv( NetworkContext_t * pNetworkContext,
/**
* @brief Sends data over an established TLS connection.
*
* This is the TLS version of the transport interface's
* @note This is the TLS version of the transport interface's
* #TransportSend_t function.
*
* @param[in] pNetworkContext The network context.
@@ -196,4 +203,25 @@ int32_t TLS_FreeRTOS_send( NetworkContext_t * pNetworkContext,
const void * pBuffer,
size_t bytesToSend );
#ifdef MBEDTLS_DEBUG_C
/**
* @brief Write an MBedTLS Debug message to the LogDebug() function
*
* @param[in] sslContext Pointer of the SSL Context that is being used
* @param[in] level The severity level of the debug message from MBedTLS
* @param[in] file Name of the file that the debug message is from
* @param[in] line The line number that the debug message is from
* @param[in] str The full string debug message from MBedTLS
*
* @return void
*/
void mbedtls_string_printf( void * sslContext,
int level,
const char * file,
int line,
const char * str );
#endif /* MBEDTLS_DEBUG_C */
#endif /* ifndef TRANSPORT_MBEDTLS_PKCS11 */