implement IANA cipher suite support for mbedtls backend #3537

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open

pppaulpeter wants to merge 1 commit into warmcat:main from pppaulpeter:feat/mbedtls-iana-ciphers

cmake/lws_config.h.in

-Original file line number
+Diff line change
@@ Expand Up / @@ -73,6 +73,8 @@ @@
     #cmakedefine LWS_HAVE_mbedtls_ssl_conf_alpn_protocols
     #cmakedefine LWS_HAVE_mbedtls_ssl_get_alpn_protocol
     #cmakedefine LWS_HAVE_mbedtls_ssl_conf_sni
+    #cmakedefine LWS_HAVE_mbedtls_ssl_conf_ciphersuites
+    #cmakedefine LWS_HAVE_mbedtls_ssl_session_save
     #cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_ca_chain
     #cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_own_cert
     #cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_authmode
@@ Expand Down @@

lib/tls/CMakeLists.txt

-Original file line number
+Diff line change
@@ Expand Up / @@ -430,6 +430,8 @@ if (LWS_WITH_MBEDTLS) @@
     		set(LWS_HAVE_mbedtls_ssl_conf_alpn_protocols 1 CACHE BOOL x)
     		set(LWS_HAVE_mbedtls_ssl_get_alpn_protocol 1 CACHE BOOL x)
     		set(LWS_HAVE_mbedtls_ssl_conf_sni 1 CACHE BOOL x)
+    		set(LWS_HAVE_mbedtls_ssl_conf_ciphersuites 1 CACHE BOOL x)
+    		set(LWS_HAVE_mbedtls_ssl_session_save 1 CACHE BOOL x)
     		set(LWS_HAVE_mbedtls_ssl_set_hs_ca_chain 1 CACHE BOOL x)
     		set(LWS_HAVE_mbedtls_ssl_set_hs_own_cert 1 CACHE BOOL x)
     		set(LWS_HAVE_mbedtls_ssl_set_hs_authmode 1 CACHE BOOL x)
@@ Expand All / @@ -445,6 +447,8 @@ if (LWS_WITH_MBEDTLS) @@
     		CHECK_FUNCTION_EXISTS(mbedtls_ssl_get_alpn_protocol LWS_HAVE_mbedtls_ssl_get_alpn_protocol PARENT_SCOPE)
     		CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_sni LWS_HAVE_mbedtls_ssl_conf_sni PARENT_SCOPE)
+    		CHECK_FUNCTION_EXISTS(mbedtls_ssl_conf_ciphersuites LWS_HAVE_mbedtls_ssl_conf_ciphersuites PARENT_SCOPE)
+    		CHECK_FUNCTION_EXISTS(mbedtls_ssl_session_save LWS_HAVE_mbedtls_ssl_session_save PARENT_SCOPE)
     		CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_ca_chain LWS_HAVE_mbedtls_ssl_set_hs_ca_chain PARENT_SCOPE)
     		CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert PARENT_SCOPE)
     		CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode PARENT_SCOPE)
@@ Expand Down Expand Up / @@ -612,6 +616,8 @@ exports_to_parent_scope() @@
     set(LWS_HAVE_MBEDTLS_NET_SOCKETS ${LWS_HAVE_MBEDTLS_NET_SOCKETS} PARENT_SCOPE)
     set(LWS_HAVE_MBEDTLS_SSL_NEW_SESSION_TICKET ${LWS_HAVE_MBEDTLS_SSL_NEW_SESSION_TICKET} PARENT_SCOPE)
     set(LWS_HAVE_mbedtls_ssl_conf_alpn_protocols ${LWS_HAVE_mbedtls_ssl_conf_alpn_protocols} PARENT_SCOPE)
+    set(LWS_HAVE_mbedtls_ssl_conf_ciphersuites ${LWS_HAVE_mbedtls_ssl_conf_ciphersuites} PARENT_SCOPE)
+    set(LWS_HAVE_mbedtls_ssl_session_save ${LWS_HAVE_mbedtls_ssl_session_save} PARENT_SCOPE)
     set(TEST_SERVER_SSL_KEY "${TEST_SERVER_SSL_KEY}" PARENT_SCOPE)
     set(TEST_SERVER_SSL_CERT "${TEST_SERVER_SSL_CERT}" PARENT_SCOPE)
     set(TEST_SERVER_DATA ${TEST_SERVER_DATA} PARENT_SCOPE)
@@ Expand Down @@

lib/tls/mbedtls/mbedtls-server.c

-Original file line number
+Diff line change
@@ Expand Up @@
     	if (n)
     		return n;
+    	/* Apply cipher list if specified */
+    	if (info->ssl_cipher_list) {
+    		if (SSL_CTX_set_cipher_list(vhost->tls.ssl_ctx,
+    					    info->ssl_cipher_list) == 0) {
+    			lwsl_err("SSL_CTX_set_cipher_list(%s) failed\n",
+    				 info->ssl_cipher_list);
+    			return 1;
+    		}
+    		lwsl_notice("%s: vh %s: applied cipher list: %s\n", __func__,
+    			    vhost->name, info->ssl_cipher_list);
+    	}
     	return 0;
     }
@@ Expand Down @@

lib/tls/mbedtls/mbedtls-session.c

-Original file line number
+Diff line change
@@ Expand Up / @@ -106,11 +106,16 @@ lws_tls_reuse_session(struct lws *wsi) @@
     	mbedtls_ssl_session_init(&session);
+    #if defined(LWS_HAVE_mbedtls_ssl_session_save)
     	if (mbedtls_ssl_session_load(&session, ts->ser_data->data,
     				     ts->ser_data->len)) {
     		mbedtls_ssl_session_free(&session);
     		goto bail;
     	}
+    #else
+    	/* Session load/save not supported in this mbedtls version */
+    	goto bail;
+    #endif
     	lwsl_tlssess("%s: %s\n", __func__, (const char *)&ts[1]);
     	wsi->tls_session_reused = 1;
@@ Expand Down Expand Up / @@ -256,13 +261,19 @@ lws_tls_session_new_mbedtls(struct lws *wsi) @@
     			goto bail;
     		}
+    #if defined(LWS_HAVE_mbedtls_ssl_session_save)
     		if (mbedtls_ssl_session_save(&temp_session, ts->ser_data->data,
     					     sizeof(ts->ser_data->data),
     					     &ts->ser_data->len)) {
     			/* Serialization failed, cache entry will be invalid */
     			lws_free(ts->ser_data);
     			ts->ser_data = NULL;
     		}
+    #else
+    		/* Session save not supported in this mbedtls version */
+    		lws_free(ts->ser_data);
+    		ts->ser_data = NULL;
+    #endif
     		lws_dll2_add_tail(&ts->list, &vh->tls_sessions);
@@ Expand All / @@ -285,13 +296,19 @@ lws_tls_session_new_mbedtls(struct lws *wsi) @@
     				goto bail;
     		}
+    #if defined(LWS_HAVE_mbedtls_ssl_session_save)
     		if (mbedtls_ssl_session_save(&temp_session, ts->ser_data->data,
     					     sizeof(ts->ser_data->data),
     					     &ts->ser_data->len)) {
     			/* Serialization failed, cache entry will be invalid */
     			lws_free(ts->ser_data);
     			ts->ser_data = NULL;
     		}
+    #else
+    		/* Session save not supported in this mbedtls version */
+    		lws_free(ts->ser_data);
+    		ts->ser_data = NULL;
+    #endif
     		/* keep our session list sorted in lru -> mru order */
@@ Expand Down @@

lib/tls/mbedtls/wrapper/include/internal/ssl_types.h

-Original file line number
+Diff line change
@@ Expand Up / @@ -195,6 +195,9 @@ struct ssl_ctx_st @@
         int read_buffer_len;
+        /* optional list of mbedTLS ciphersuite ids, terminated by 0 */
+        int *ciphersuites;
         X509_VERIFY_PARAM param;
         void *rngctx;
@@ Expand Down @@

lib/tls/mbedtls/wrapper/include/platform/ssl_pm.h

-Original file line number
+Diff line change
@@ Expand Up / @@ -42,6 +42,7 @@ int ssl_pm_get_fd(const SSL *ssl, int mode); @@
     OSSL_HANDSHAKE_STATE ssl_pm_get_state(const SSL *ssl);
     void ssl_pm_set_bufflen(SSL *ssl, int len);
+    int ssl_pm_set_ciphersuites(SSL *ssl, const int *ciphersuites);
     int x509_pm_show_info(X509 *x);
     int x509_pm_new(X509 *x, X509 *m_x);
@@ Expand Down @@

lib/tls/mbedtls/wrapper/library/ssl_lib.c

-Original file line number
+Diff line change
@@ Expand Up / @@ -21,6 +21,86 @@ @@
     #include "ssl_cert.h"
     #include "ssl_dbg.h"
     #include "ssl_port.h"
+    #include "platform/ssl_pm.h"
+    #include <string.h>
+    /* Parse a colon/comma/space separated list of IANA/mbedTLS ciphers
+     * into a malloc'ed int[] terminated with 0.
+     */
+    static int *parse_cipher_list_to_ids(const char *str)
+    {
+        int   *result = NULL;
+        size_t tokens = 0, out = 0;
+        struct lws_tokenize ts;
+        lws_tokenize_elem e;
+        char tok[256];
+        if (!str || !*str)
+            return NULL;
+        /* First pass: count tokens */
+        lws_tokenize_init(&ts, str, 0);
+        while (lws_tokenize(&ts) != LWS_TOKZE_ENDED) {
+            if (ts.e == LWS_TOKZE_TOKEN)
+                tokens++;
+        }
+        if (tokens == 0)
+            return NULL;
+        result = ssl_mem_malloc((tokens + 1) * sizeof(int));
+        if (!result)
+            return NULL;
+        /* Second pass: parse and convert tokens */
+        lws_tokenize_init(&ts, str, 0);
+        while ((e = lws_tokenize(&ts)) != LWS_TOKZE_ENDED) {
+            int id = 0;
+            if (e != LWS_TOKZE_TOKEN)
+                continue;
+            /* Copy token to null-terminated buffer */
+            if (lws_tokenize_cstr(&ts, tok, sizeof(tok)) != 0)
+                continue;  /* token too long, skip it */
+            /* 1) try mbedTLS native name directly */
+            id = mbedtls_ssl_get_ciphersuite_id(tok);
+            /* 2) if that failed and it looks like IANA (TLS_...) convert '_' -> '-' */
+            if (id <= 0 && strncmp(tok, "TLS_", 4) == 0) {
+                char name[256];
+                size_t k;
+                strncpy(name, tok, sizeof(name) - 1);
+                name[sizeof(name) - 1] = '\0';
+                for (k = 0; name[k]; ++k) {
+                    if (name[k] == '_')
+                        name[k] = '-';
+                }
+                id = mbedtls_ssl_get_ciphersuite_id(name);
+            }
+            if (id > 0) {
+                result[out++] = id;
+            } else {
+                /* Optional: log unknown cipher */
+                // lws_notice("unknown TLS ciphersuite '%s' in list '%s'\n", tok, str);
+            }
+        }
+        if (!out) {
+            ssl_mem_free(result);
+            return NULL;
+        }
+        result[out] = 0;
+        return result;
+    }
     char *
     lws_strncpy(char *dest, const char *src, size_t size);
@@ Expand Down Expand Up / @@ -256,6 +336,11 @@ void SSL_CTX_free(SSL_CTX* ctx) @@
     {
         SSL_ASSERT3(ctx);
+        if (ctx->ciphersuites) {
+            ssl_mem_free(ctx->ciphersuites);
+            ctx->ciphersuites = NULL;
+        }
         ssl_cert_free(ctx->cert);
     #if defined(LWS_HAVE_mbedtls_x509_crt_parse_file)
@@ Expand All / @@ -279,6 +364,42 @@ void SSL_CTX_free(SSL_CTX* ctx) @@
         ssl_mem_free(ctx);
     }
+    int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str)
+    {
+        int *ids;
+        SSL_ASSERT1(ctx);
+        /* free previous list if any */
+        if (ctx->ciphersuites) {
+            ssl_mem_free(ctx->ciphersuites);
+            ctx->ciphersuites = NULL;
+        }
+        ids = parse_cipher_list_to_ids(str);
+        if (!ids)
+            return 0;
+        ctx->ciphersuites = ids;
+        return 1;
+    }
+    int SSL_set_cipher_list(SSL *ssl, const char *str)
+    {
+        int ok;
+        SSL_ASSERT1(ssl);
+        ok = SSL_CTX_set_cipher_list(ssl->ctx, str);
+        /* if config exists for this ssl instance, apply immediately if possible */
+        if (ok && ssl->ssl_pm && ssl->ctx && ssl->ctx->ciphersuites) {
+            ssl_pm_set_ciphersuites(ssl, ssl->ctx->ciphersuites);
+        }
+        return ok;
+    }
     /**
      * @brief set  the SSL context version
      */
@@ Expand Down @@

lib/tls/mbedtls/wrapper/platform/ssl_pm.c

-Original file line number
+Diff line change
@@ Expand Up / @@ -283,9 +283,34 @@ static int ssl_pm_reload_crt(SSL *ssl) @@
             ret = -1;
         }
+        /* if the SSL_CTX has a ciphersuite list, apply it to this config */
+    #if defined(LWS_HAVE_mbedtls_ssl_conf_ciphersuites)
+        if (ssl->ctx && ssl->ctx->ciphersuites) {
+            mbedtls_ssl_conf_ciphersuites(&ssl_pm->conf, ssl->ctx->ciphersuites);
+        }
+    #endif
         return ret;
     }
+    /*
+     * Set ciphersuites on an existing SSL connection
+     */
+    int ssl_pm_set_ciphersuites(SSL *ssl, const int *ciphersuites)
+    {
+        struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+        if (!ssl || !ssl_pm || !ciphersuites)
+            return 0;
+    #if defined(LWS_HAVE_mbedtls_ssl_conf_ciphersuites)
+        mbedtls_ssl_conf_ciphersuites(&ssl_pm->conf, ciphersuites);
+        return 1;
+    #else
+        return 0;
+    #endif
+    }
     /*
      * Perform the mbedtls SSL handshake instead of mbedtls_ssl_handshake.
      * We can add debug here.
@@ Expand Down @@

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

implement IANA cipher suite support for mbedtls backend #3537

Uh oh!

Diff view

Diff view

There are no files selected for viewing

implement IANA cipher suite support for mbedtls backend #3537

Are you sure you want to change the base?

Uh oh!

implement IANA cipher suite support for mbedtls backend #3537

Uh oh!

Uh oh!

Diff view

Diff view

There are no files selected for viewing