Add support for libmbedtls

2026-03-14 21:10:02 +01:00 · 2022-04-05 17:50:43 +01:00 · 2022-04-05 17:50:43 +01:00 · 5d1317aac8
commit 5d1317aac8
parent e12c739d30
2 changed files with 80 additions and 17 deletions
--- a/configure.ac
+++ b/configure.ac
@ -19,11 +19,15 @@ AS_IF([test "x$enable_acs" = "xno"], [AC_DEFINE(ACS_MULTI)])
 AC_ARG_ENABLE(debug, [AS_HELP_STRING([--enable-debug], [enable debugging messages])], AC_DEFINE(WITH_CWMP_DEBUG),)
 AC_ARG_ENABLE(devel, [AS_HELP_STRING([--enable-devel], [enable development messages])], AC_DEFINE(WITH_DEV_DEBUG),)

-AC_ARG_ENABLE(libopenssl, [AS_HELP_STRING([--enable-libopenssl], [enable libopenssl feature])], AC_DEFINE(LOPENSSL),)
+AC_ARG_ENABLE(libopenssl, [AS_HELP_STRING([--enable-libopenssl], [enable libopenssl feature])], AC_DEFINE(LOPENSSL))
 AM_CONDITIONAL([LOPENSSL],[test "x$enable_libopenssl" = "xyes"])

 AC_ARG_ENABLE(libwolfssl, [AS_HELP_STRING([--enable-libwolfssl], [enable libwolfssl feature])], AC_DEFINE(LWOLFSSL))
 AM_CONDITIONAL([LWOLFSSL],[test "x$enable_libwolfssl" = "xyes"])
+
+AC_ARG_ENABLE(libmbedtls, [AS_HELP_STRING([--enable-libmbedtls], [enable libmbedtls feature])], AC_DEFINE(LMBEDTLS))
+AM_CONDITIONAL([LMBEDTLS],[test "x$enable_libmbedtls" = "xyes"])
+
 # checks for programs
 AC_PROG_CC
 AM_PROG_CC_C_O
@ -85,20 +89,25 @@ AC_SUBST([LIBUBUS_LIBS])
 LBLOBMSG_LIBS='-lblobmsg_json'
 AC_SUBST([LBLOBMSG_LIBS])

-LCRYPTO_LIBS='-lcrypto'
-AC_SUBST([LCRYPTO_LIBS])
-
 AM_COND_IF([LWOLFSSL], [
 	LSSL_LIBS='-lwolfssl'
+	LCRYPTO_LIBS='-lcrypto'
 	AC_SUBST([LSSL_LIBS])
+	AC_SUBST([LCRYPTO_LIBS])
 ])

 AM_COND_IF([LOPENSSL], [
 	LSSL_LIBS='-lssl'
+	LCRYPTO_LIBS='-lcrypto'
 	AC_SUBST([LSSL_LIBS])
-], [
-	LSSL_LIBS='-lwolfssl'
+	AC_SUBST([LCRYPTO_LIBS])
+])
+
+AM_COND_IF([LMBEDTLS], [
+	LSSL_LIBS='-lmbedtls'
+	LCRYPTO_LIBS='-lmbedcrypto'
 	AC_SUBST([LSSL_LIBS])
+	AC_SUBST([LCRYPTO_LIBS])
 ])

 PKG_CHECK_MODULES(LIBCURL, [libcurl])
--- a/ssl_utils.c
+++ b/ssl_utils.c
@ -18,14 +18,64 @@
 * 02110-1301 USA
 */

+#ifdef LMBEDTLS
+#include <mbedtls/md.h>
+#include <mbedtls/entropy.h>
+#include <mbedtls/ctr_drbg.h>
+#else
 #include <openssl/ssl.h>
 #include <openssl/hmac.h>
 #include <openssl/rand.h>
+#endif
+
 #include <string.h>

 #include "common.h"
 #include "log.h"

+static int rand_bytes(unsigned char *output, size_t len)
+{
+#ifdef LMBEDTLS
+	mbedtls_entropy_context ec = {0};
+	mbedtls_ctr_drbg_context cd_ctx = {0};
+	int res = 1;
+
+	union {
+		uint64_t seed;
+		uint8_t buffer[8];
+	} rand_buffer;
+
+	FILE *urand = fopen("/dev/urandom", "r");
+	if (urand) {
+		fread(&rand_buffer.seed, sizeof(rand_buffer.seed), 1, urand);
+		fclose(urand);
+	} else {
+		rand_buffer.seed = (uint64_t)clock();
+	}
+
+	mbedtls_entropy_init(&ec);
+	mbedtls_ctr_drbg_init(&cd_ctx);
+
+	if (mbedtls_ctr_drbg_seed(&cd_ctx, mbedtls_entropy_func, &ec, (const unsigned char *)rand_buffer.buffer, 8) != 0) {
+		CWMP_LOG(ERROR, "Failed to initialize random generator\n");
+		res = -1;
+		goto end;
+	}
+
+	if (mbedtls_ctr_drbg_random(&cd_ctx, output, len) != 0) {
+		CWMP_LOG(ERROR, "Failed to generate random bytes\n");
+		res = -1;
+	}
+
+end:
+	mbedtls_ctr_drbg_free(&cd_ctx);
+	mbedtls_entropy_free(&ec);
+	return res;
+#else
+	return RAND_bytes(output, len);
+#endif
+}
+
 char *generate_random_string(size_t size)
 {
 	unsigned char *buf = NULL;
@ -37,7 +87,7 @@ char *generate_random_string(size_t size)
 		goto end;
 	}

-	int written = RAND_bytes(buf, size);
+	int written = rand_bytes(buf, size);
 	if (written != 1) {
 		CWMP_LOG(ERROR,"Failed to get random bytes");
 		goto end;
@ -45,7 +95,7 @@ char *generate_random_string(size_t size)

 	hex = string_to_hex(buf, size);
 	if (hex == NULL)
-			goto end;
+		goto end;

 	hex[size] = '\0';

@ -56,22 +106,26 @@ end:

 void message_compute_signature(char *msg_out, char *signature, size_t len)
 {
-	int i;
 	int result_len = 20;
-	unsigned char *result;
 	struct cwmp *cwmp = &cwmp_main;
 	struct config *conf;
 	conf = &(cwmp->conf);
-	/*	unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
-	                    const unsigned char *d, size_t n, unsigned char *md,
-	                    unsigned int *md_len);*/
-	result = HMAC(EVP_sha1(), conf->acs_passwd, strlen(conf->acs_passwd), (unsigned char *)msg_out, strlen(msg_out), NULL, NULL);
-	for (i = 0; i < result_len; i++) {
+
+#ifdef LMBEDTLS
+	unsigned char result[MBEDTLS_MD_MAX_SIZE] = {0};
+	const mbedtls_md_info_t *md_info = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
+
+	mbedtls_md_hmac(md_info, (unsigned char *)conf->acs_passwd, strlen(conf->acs_passwd), (unsigned char *)msg_out, strlen(msg_out), result);
+#else
+	unsigned char result[EVP_MAX_MD_SIZE] = {0};
+
+	HMAC(EVP_sha1(), conf->acs_passwd, strlen(conf->acs_passwd), (unsigned char *)msg_out, strlen(msg_out), result, NULL);
+#endif
+
+	for (int i = 0; i < result_len; i++) {
 		if (len - strlen(signature) < 3) // each time 2 hex chars + '\0' at end so needed space is 3 bytes
 			break;

 		snprintf(&(signature[i * 2]), 3, "%02X", result[i]);
 	}
-	FREE(result);
 }
-