Add support for mbedtls

2026-03-14 21:20:28 +01:00 · 2022-04-04 13:16:52 +01:00 · 2022-04-04 13:16:52 +01:00 · 5d399b96b4
commit 5d399b96b4
parent 78751e0fc9
2 changed files with 159 additions and 24 deletions
--- a/configure.ac
+++ b/configure.ac
@ -20,6 +20,9 @@ AM_CONDITIONAL([LOPENSSL],[test "x$enable_libopenssl" = "xyes"])
 AC_ARG_ENABLE(libwolfssl, [AS_HELP_STRING([--enable-libwolfssl], [enable libwolfssl feature])], AC_DEFINE(LWOLFSSL),)
 AM_CONDITIONAL([LWOLFSSL],[test "x$enable_libwolfssl" = "xyes"])

+AC_ARG_ENABLE(libmbedtls, [AS_HELP_STRING([--enable-libmbedtls], [enable libmbedtls feature])], AC_DEFINE(LMBEDTLS),)
+AM_CONDITIONAL([LMBEDTLS],[test "x$enable_libmbedtls" = "xyes"])
+
 AC_ARG_ENABLE(vendor_extension, [AS_HELP_STRING([--enable-vendor-extension], [enable vendor extension])], AC_DEFINE(BBF_VENDOR_EXTENSION),)
 AM_CONDITIONAL([BBF_VENDOR_EXTENSION],[test "x$enable_vendor_extension" = "xyes"])

@ -123,6 +126,12 @@ AM_COND_IF([LOPENSSL], [
 	AC_DEFINE(LSSL)
 ])

+AM_COND_IF([LMBEDTLS], [
+	LIBSSL_LIBS='-lmbedtls'
+	AC_SUBST([LIBSSL_LIBS])
+	AC_DEFINE(LSSL)
+])
+
 # checks for header files
 AC_CHECK_HEADERS([stdlib.h string.h])

--- a/dmtree/tr181/security.c
+++ b/dmtree/tr181/security.c
@ -14,19 +14,24 @@
 #define MAX_CERT 32

 #ifdef LSSL
+
+#ifdef LMBEDTLS
+#include <mbedtls/x509_crt.h>
+#include <mbedtls/base64.h>
+#else
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-#include <openssl/evp.h>
-
-#ifdef LOPENSSL
-#include <openssl/obj_mac.h>
 #endif

 static char certifcates_paths[MAX_CERT][256];

 struct certificate_profile {
 	char *path;
-	X509 *openssl_cert;
+#ifdef LMBEDTLS
+	mbedtls_x509_crt cert;
+#else
+	X509 *cert;
+#endif
 	struct uci_section *dmmap_sect;
 };

@ -34,17 +39,70 @@ struct certificate_profile {
 * INIT
 **************************************************************/
 void init_certificate(char *path,
+#ifdef LMBEDTLS
+mbedtls_x509_crt cert,
+#else
 X509 *cert,
+#endif
 struct uci_section *dmsect, struct certificate_profile *certprofile)
 {
 	certprofile->path = path;
-	certprofile->openssl_cert = cert;
+	certprofile->cert = cert;
 	certprofile->dmmap_sect = dmsect;
 }

 /*************************************************************
 * COMMON FUNCTIONS
 **************************************************************/
+#ifdef LMBEDTLS
+static char *get_certificate_md(mbedtls_md_type_t sig_md)
+{
+	switch(sig_md) {
+	case MBEDTLS_MD_MD2:
+		return "md2";
+	case MBEDTLS_MD_MD4:
+		return "md4";
+	case MBEDTLS_MD_MD5:
+		return "md5";
+	case MBEDTLS_MD_SHA1:
+		return "sha1";
+	case MBEDTLS_MD_SHA224:
+		return "sha224";
+	case MBEDTLS_MD_SHA256:
+		return "sha256";
+	case MBEDTLS_MD_SHA384:
+		return "sha384";
+	case MBEDTLS_MD_SHA512:
+		return "sha512";
+	case MBEDTLS_MD_RIPEMD160:
+		return "ripemd160";
+	default:
+		return "";
+	}
+	return "";
+}
+
+static char *get_certificate_pk(mbedtls_pk_type_t sig_pk)
+{
+	switch(sig_pk) {
+	case MBEDTLS_PK_RSA:
+		return "RSA";
+	case MBEDTLS_PK_ECKEY:
+		return "ECKEY";
+	case MBEDTLS_PK_ECKEY_DH:
+		return "ECKEYDH";
+	case MBEDTLS_PK_ECDSA:
+		return "ECDSA";
+	case MBEDTLS_PK_RSA_ALT:
+		return "RSAALT";
+	case MBEDTLS_PK_RSASSA_PSS:
+		return "RSASSAPSS";
+	default:
+		return "";
+	}
+	return "";
+}
+#else
 static char *get_certificate_sig_alg(int sig_nid)
 {
 	switch(sig_nid) {
@ -65,6 +123,7 @@ static char *get_certificate_sig_alg(int sig_nid)
 	}
 	return "";
 }
+#endif

 static char *generate_serial_number(char *text, int length)
 {
@ -86,7 +145,7 @@ static void get_certificate_paths(void)
 	struct uci_section *s = NULL;
 	int cidx;

-	for (cidx=0; cidx<MAX_CERT; cidx++)
+	for (cidx = 0; cidx < MAX_CERT; cidx++)
 		memset(certifcates_paths[cidx], '\0', 256);

 	cidx = 0;
@ -139,35 +198,52 @@ static int browseSecurityCertificateInst(struct dmctx *dmctx, DMNODE *parent_nod
 	char *inst = NULL;
 	struct uci_section *dmmap_sect = NULL;
 	struct certificate_profile certificateprofile = {};
+	int i, status;

 	get_certificate_paths();
-	int i, status;
+
 	for (i = 0, status = DM_OK; i < MAX_CERT && status != DM_STOP; i++) {
+
 		if(!DM_STRLEN(certifcates_paths[i]))
 			break;
+
+#ifdef LMBEDTLS
+		mbedtls_x509_crt cert;
+
+		mbedtls_x509_crt_init(&cert);
+		if (mbedtls_x509_crt_parse_file(&cert, certifcates_paths[i]) < 0)
+			continue;
+#else
 		FILE *fp = fopen(certifcates_paths[i], "r");
 		if (fp == NULL)
 			continue;
+
 		X509 *cert = PEM_read_X509(fp, NULL, NULL, NULL);
 		if (!cert) {
 			fclose(fp);
 			continue;
 		}
+#endif

 		if ((dmmap_sect = get_dup_section_in_dmmap_opt("dmmap_security", "security_certificate", "path", certifcates_paths[i])) == NULL) {
 			dmuci_add_section_bbfdm("dmmap_security", "security_certificate", &dmmap_sect);
 			dmuci_set_value_by_section_bbfdm(dmmap_sect, "path", certifcates_paths[i]);
 		}
+
 		init_certificate(certifcates_paths[i], cert, dmmap_sect, &certificateprofile);

 		inst = handle_instance(dmctx, parent_node, dmmap_sect, "security_certificate_instance", "security_certificate_alias");

 		status = DM_LINK_INST_OBJ(dmctx, parent_node, (void *)&certificateprofile, inst);

+#ifdef LMBEDTLS
+		mbedtls_x509_crt_free(&cert);
+#else
 		X509_free(cert);
 		cert = NULL;
 		fclose(fp);
 		fp = NULL;
+#endif
 	}
 	return 0;
 }
@ -184,20 +260,28 @@ static int get_Security_CertificateNumberOfEntries(char *refparam, struct dmctx

 static int get_SecurityCertificate_LastModif(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
+	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
+	char buf[sizeof("AAAA-MM-JJTHH:MM:SSZ")] = "0001-01-01T00:00:00Z";
 	struct stat b;
-	char t[sizeof("AAAA-MM-JJTHH:MM:SSZ")] = "0001-01-01T00:00:00Z";
+
 	if (!stat(cert_profile->path, &b))
-		strftime(t, sizeof(t), "%Y-%m-%dT%H:%M:%SZ", gmtime(&b.st_mtime));
-	*value = dmstrdup(t);
+		strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%SZ", gmtime(&b.st_mtime));
+
+	*value = dmstrdup(buf);
 	return 0;
 }

 static int get_SecurityCertificate_SerialNumber(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
-	ASN1_INTEGER *serial = X509_get_serialNumber(cert_profile->openssl_cert);
+	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
+
+#ifdef LMBEDTLS
+	*value = generate_serial_number((char *)cert_profile->cert.serial.p, cert_profile->cert.serial.len);
+#else
+	ASN1_INTEGER *serial = X509_get_serialNumber(cert_profile->cert);
 	*value = generate_serial_number((char *)serial->data, serial->length);
+#endif
+
 	return 0;
 }

@ -206,23 +290,39 @@ static int get_SecurityCertificate_Issuer(char *refparam, struct dmctx *ctx, voi
 	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
 	char buf[256] = {0};

-	X509_NAME_oneline(X509_get_issuer_name(cert_profile->openssl_cert), buf, sizeof(buf));
+#ifdef LMBEDTLS
+	if (mbedtls_x509_dn_gets(buf, sizeof(buf), &cert_profile->cert.issuer) < 0)
+		return -1;
+
+	*value = dmstrdup(buf);
+#else
+	X509_NAME_oneline(X509_get_issuer_name(cert_profile->cert), buf, sizeof(buf));
 	*value = dmstrdup(buf);
 	if (*value[0] == '/')
 		(*value)++;
 	*value = replace_char(*value, '/', ' ');
+#endif
+
 	return 0;
 }

 static int get_SecurityCertificate_NotBefore(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
+	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
+
+#ifdef LMBEDTLS
+	dmasprintf(value, "%04d-%02d-%02dT%02d:%02d:%02dZ", cert_profile->cert.valid_from.year,
+														cert_profile->cert.valid_from.mon,
+														cert_profile->cert.valid_from.day,
+														cert_profile->cert.valid_from.hour,
+														cert_profile->cert.valid_from.min,
+														cert_profile->cert.valid_from.sec);
+#else
 	char not_before_str[DATE_LEN];
 	struct tm tm;

-	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
-	const ASN1_TIME *not_before = X509_get0_notBefore(cert_profile->openssl_cert);
+	const ASN1_TIME *not_before = X509_get0_notBefore(cert_profile->cert);

-	*value = "0001-01-01T00:00:00Z";
 #ifdef LWOLFSSL
 	ASN1_TIME_to_string((ASN1_TIME *)not_before, not_before_str, DATE_LEN);
 	if (!strptime(not_before_str, "%b %d %H:%M:%S %Y", &tm))
@ -233,18 +333,28 @@ static int get_SecurityCertificate_NotBefore(char *refparam, struct dmctx *ctx,

 	strftime(not_before_str, sizeof(not_before_str), "%Y-%m-%dT%H:%M:%SZ", &tm);
 	*value = dmstrdup(not_before_str);
+#endif
+
 	return 0;
 }

 static int get_SecurityCertificate_NotAfter(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
+	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
+
+#ifdef LMBEDTLS
+	dmasprintf(value, "%04d-%02d-%02dT%02d:%02d:%02dZ", cert_profile->cert.valid_to.year,
+														cert_profile->cert.valid_to.mon,
+														cert_profile->cert.valid_to.day,
+														cert_profile->cert.valid_to.hour,
+														cert_profile->cert.valid_to.min,
+														cert_profile->cert.valid_to.sec);
+#else
 	char not_after_str[DATE_LEN];
 	struct tm tm;

-	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
-	const ASN1_TIME *not_after = X509_get0_notAfter(cert_profile->openssl_cert);
+	const ASN1_TIME *not_after = X509_get0_notAfter(cert_profile->cert);

-	*value = "0001-01-01T00:00:00Z";
 #ifdef LWOLFSSL
 	ASN1_TIME_to_string((ASN1_TIME *)not_after, not_after_str, DATE_LEN);
 	if (!strptime(not_after_str, "%b %d %H:%M:%S %Y", &tm))
@ -255,6 +365,8 @@ static int get_SecurityCertificate_NotAfter(char *refparam, struct dmctx *ctx, v

 	strftime(not_after_str, sizeof(not_after_str), "%Y-%m-%dT%H:%M:%SZ", &tm);
 	*value = dmstrdup(not_after_str);
+#endif
+
 	return 0;
 }

@ -263,18 +375,32 @@ static int get_SecurityCertificate_Subject(char *refparam, struct dmctx *ctx, vo
 	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
 	char buf[256] = {0};

-	X509_NAME_oneline(X509_get_subject_name(cert_profile->openssl_cert), buf, sizeof(buf));
+#if LMBEDTLS
+	if (mbedtls_x509_dn_gets(buf, sizeof(buf), &cert_profile->cert.subject) < 0)
+		return -1;
+
+	*value = dmstrdup(buf);
+#else
+	X509_NAME_oneline(X509_get_subject_name(cert_profile->cert), buf, sizeof(buf));
 	*value = dmstrdup(buf);
 	if (*value[0] == '/')
 		(*value)++;
 	*value = replace_char(*value, '/', ' ');
+#endif
+
 	return 0;
 }

 static int get_SecurityCertificate_SignatureAlgorithm(char *refparam, struct dmctx *ctx, void *data, char *instance, char **value)
 {
-	struct certificate_profile *cert_profile = (struct certificate_profile*)data;
-	*value = dmstrdup(get_certificate_sig_alg(X509_get_signature_nid(cert_profile->openssl_cert)));
+	struct certificate_profile *cert_profile = (struct certificate_profile *)data;
+
+#ifdef LMBEDTLS
+	dmasprintf(value, "%sWith%sEncryption", get_certificate_md(cert_profile->cert.sig_md), get_certificate_pk(cert_profile->cert.sig_pk));
+#else
+	*value = dmstrdup(get_certificate_sig_alg(X509_get_signature_nid(cert_profile->cert)));
+#endif
+
 	return 0;
 }