Adds support for bctbx openssl implementation

Use SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER for openssl SSL_CTX configurations. Enable Crypto test suite with openssl backend Fix Diffie Hellman testcase for openssl backend. Fix Openssl implementation of AES key wrap. Do not expect failure for large rng output size for openssl backend Support openssl hkdf library introduced in Openssl 3.0 Fix conflicting argument type for bctbx_ssl_get_dtls_srtp_key_material Fix MBEDTLS_FOUND -> MbedTLS_FOUND Put all HKDF code in one source file and choose implementation in the source file instead of cmake files Adds bas64 interface implementation for openssl Remove support for versions prior to openssl 3.0 for hkdf implementation Fix missing implementation bctbx_random for OpenSSL implementation Use new openssl api for generating an rsa key for the self signed cert. Refactor openssl diffie hellman key exchange code to use non deprecated openssl functions. Fixes a couple of null pointer crashes for openssl backend small rework on openssl/mbedtls c++ api fix openssl handle join function Remove some old test code Move SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER ssl option setting to make sure it is set for all connections. memory leak Fix subject and subject alt name parsing from certificates with openssl Improve AES-GCM testing Support new tls state machine definitions for openssl 3.2.0+ Fix some memory leaks from openssl certificate functions. Update readme with reference to openssl functionality Update bctbx_aes_gcm_finish() mbedtls implementation to verify incoming authentication tags AES-GCM test with wrong tag for C API too memory leaks in openssl DHM Drop support for mbedtls v2 Relax condition on RNG variance to pass the test memory leak
BelledonneCommunications · Dec 11, 2023 · 71c3532 · 71c3532
1 parent 9a7efd8
commit 71c3532
Show file tree

Hide file tree

Showing 18 changed files with 2,531 additions and 2,315 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -34,6 +34,7 @@ set(BCTOOLBOXTESTER_SO_VERSION 1)
 
 option(ENABLE_DEBUG_LOGS "Turn on or off debug level logs." NO)
 option(ENABLE_MBEDTLS "Enable mbedtls support" ON)
+option(ENABLE_OPENSSL "Enable openssl support" OFF)
 option(ENABLE_DECAF "Enable Elliptic Curve Cryptography support" ON)
 option(ENABLE_STRICT "Pass strict flags to the compiler" ON)
 option(ENABLE_TESTS_COMPONENT "Enable compilation of tests helper library" ON)
@@ -54,6 +55,10 @@ include("cmake/BCToolboxCMakeUtils.cmake")
 
 list(APPEND CMAKE_MODULE_PATH "${PROJECT_SOURCE_DIR}/cmake")
 
+if(ENABLE_MBEDTLS AND ENABLE_OPENSSL)
+	fatal("Cannot build bctoolbox with both openssl and mbedtls enabled")
+endif()
+
 if(NOT CPACK_GENERATOR AND NOT CMAKE_INSTALL_RPATH AND CMAKE_INSTALL_PREFIX)
 	set(CMAKE_INSTALL_RPATH ${CMAKE_INSTALL_FULL_LIBDIR})
 	message(STATUS "Setting install rpath to ${CMAKE_INSTALL_RPATH}")
@@ -67,14 +72,24 @@ if(ENABLE_MBEDTLS)
 	message(STATUS "MBEDTLS Enabled")
 	find_package(MbedTLS)
 	if(MbedTLS_FOUND)
-		message(STATUS "Using mbedTLS v${MbedTLS_VERSION}")
-		if(MbedTLS_VERSION LESS 2)
-			message(WARNING "Mbedtls version incompatible (requires v2 or v3), build will probably fail")
+		message(STATUS "Found mbedTLS v${MbedTLS_VERSION}")
+		if(MbedTLS_VERSION LESS 3)
+			fatal(WARNING "Mbedtls version incompatible (requires v3)")
 		endif()
 		set(HAVE_MBEDTLS 1)
 	endif()
 endif()
 
+if(ENABLE_OPENSSL)
+	message(STATUS "OPENSSL Enabled")
+	find_package(OpenSSL)
+	if(OPENSSL_FOUND)
+		message(STATUS "Using OPENSSL v. ${OPENSSL_VERSION}")
+		set(HAVE_OPENSSL 1)
+		set(DTLS_SRTP_AVAILABLE TRUE)
+	endif()
+endif()
+
 if(ENABLE_DECAF)
 	find_package(Decaf)
 	if(Decaf_FOUND)

diff --git a/README.md b/README.md
@@ -12,6 +12,7 @@ Depends
 - **mbedtls[1]**: implementation of TLS interface of BcToolbox. For backward
   compatibility, support of mbedtlsv2 is also provided.
 - **bcunit[2]** for unitary test tools. (optional)
+- **openssl[3]** alternate TLS and crypto implementation. (optional)
 
 
 To compile
@@ -36,10 +37,11 @@ Options
 
 - `CMAKE_INSTALL_PREFIX=<string>`: install prefix.
 - `CMAKE_PREFIX_PATH=<string>`: search path prefix for dependencies e.g. mbedtls.
-- `ENABLE_MBEDTLS=NO`: do not look for mbedtls. Then, polarssl will be selected.
+- `ENABLE_MBEDTLS=NO`: do not look for mbedtls.
+- `ENABLE_OPENSSL=NO`: do not look for openssl.
 - `ENABLE_STRICT=NO`: do not build with strict compilator flags e.g. `-Wall -Werror`.
 - `ENABLE_UNIT_TESTS=NO`: do not build testing binaries.
-- `ENABLE_TESTS_COMPONENT=NO`: do not build libbctoolbox-tester.
+- `ENABLE_TESTS_COMPONENT=NO`: do not build libbctoolbox-tester.
 
 
 Notes
@@ -60,4 +62,5 @@ while you invoke cmake.
 
 - [1] <https://github.com/ARMmbed/mbedtls.git>
 - [2] git://git.linphone.org/bctoolbox.git or <http://www.linphone.org/releases/sources/bctoolbox/>
+- [3] <https://github.com/openssl/openssl.git>
 
diff --git a/cmake/FindMbedTLS.cmake b/cmake/FindMbedTLS.cmake
@@ -94,7 +94,7 @@ else()
     	message("MESSAGE: MbedTLS_LIBRARY=" ${_MbedTLS_LIBRARY})
 	    message("MESSAGE: MbedX509_LIBRARY=" ${MbedX509_LIBRARY})
   	  message("MESSAGE: MbedCrypto_LIBRARY=" ${MbedCrypto_LIBRARY})
-			set(_MbedTLS_VERSION 1)
+			set(MbedTLS_VERSION 1)
 		else()
 			# Are we mbdetls 2 or 3?
 			# From version 3 and on, version number is given in include/mbedtls/build_info.h.

diff --git a/config.h.cmake b/config.h.cmake
@@ -23,6 +23,7 @@
 #cmakedefine HAVE_DTLS_SRTP 1
 #cmakedefine HAVE_DECAF 1
 #cmakedefine HAVE_MBEDTLS 1
+#cmakedefine HAVE_OPENSSL 1
 #cmakedefine HAVE_CTR_DRGB_FREE 1
 #cmakedefine HAVE_CU_GET_SUITE 1
 #cmakedefine HAVE_CU_CURSES 1

diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt
@@ -44,7 +44,7 @@ if(APPLE)
 	list(APPEND HEADER_FILES ios_utils.hh)
 endif()
 
-if(MbedTLS_FOUND)
+if(MbedTLS_FOUND OR OPENSSL_FOUND)
 	list(APPEND HEADER_FILES crypto.h)
 	list(APPEND HEADER_FILES crypto.hh)
 endif()

diff --git a/include/bctoolbox/crypto.h b/include/bctoolbox/crypto.h
@@ -164,7 +164,7 @@ typedef enum bctbx_srtp_profile {
 	BCTBX_SRTP_NULL_HMAC_SHA1_32
 } bctbx_dtls_srtp_profile_t;
 
-typedef enum bctbx_type_implementation { BCTBX_MBEDTLS2, BCTBX_MBEDTLS } bctbx_type_implementation_t;
+typedef enum bctbx_type_implementation { BCTBX_MBEDTLS2, BCTBX_MBEDTLS, BCTBX_OPENSSL } bctbx_type_implementation_t;
 
 #ifdef __cplusplus
 extern "C" {
@@ -566,14 +566,21 @@ BCTBX_PUBLIC int32_t bctbx_ssl_config_set_ca_chain(bctbx_ssl_config_t *ssl_confi
 BCTBX_PUBLIC int32_t bctbx_ssl_config_set_own_cert(bctbx_ssl_config_t *ssl_config,
                                                    bctbx_x509_certificate_t *cert,
                                                    bctbx_signing_key_t *key);
-BCTBX_PUBLIC int32_t bctbx_ssl_config_set_ciphersuites(bctbx_ssl_config_t *ssl_config, const int *ciphersuites);
+BCTBX_PUBLIC int32_t bctbx_ssl_config_set_ciphersuites(bctbx_ssl_config_t *ssl_config,
+                                                       const bctbx_list_t *ciphersuites);
+
+/**
+ * @brief Configure the groups used by the tls connection
+ * Examples are "P-256", "P-384", "X448", etc..
+ */
+BCTBX_PUBLIC int32_t bctbx_ssl_config_set_groups(bctbx_ssl_config_t *ssl_config, const bctbx_list_t *groups);
 
 /***** DTLS-SRTP functions *****/
 BCTBX_PUBLIC bctbx_dtls_srtp_profile_t bctbx_ssl_get_dtls_srtp_protection_profile(bctbx_ssl_context_t *ssl_ctx);
 BCTBX_PUBLIC int32_t bctbx_ssl_config_set_dtls_srtp_protection_profiles(bctbx_ssl_config_t *ssl_config,
                                                                         const bctbx_dtls_srtp_profile_t *profiles,
                                                                         size_t profiles_number);
-BCTBX_PUBLIC int32_t bctbx_ssl_get_dtls_srtp_key_material(bctbx_ssl_config_t *ssl_ctx,
+BCTBX_PUBLIC int32_t bctbx_ssl_get_dtls_srtp_key_material(bctbx_ssl_context_t *ssl_ctx,
                                                           uint8_t *output,
                                                           size_t *output_length);
 BCTBX_PUBLIC uint8_t bctbx_dtls_srtp_supported(void);

diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -73,20 +73,25 @@ if(WIN32)
 	list(APPEND STRICT_OPTIONS_CXX "/EHa")
 	add_definitions(-EHa)
 endif()
-if(MbedTLS_FOUND)
+if(MbedTLS_FOUND OR OPENSSL_FOUND)
 	list(APPEND BCTOOLBOX_C_SOURCE_FILES crypto/crypto.c)
 	list(APPEND BCTOOLBOX_CXX_SOURCE_FILES
+		crypto/crypto.cc
 		crypto/ecc.cc
-		crypto/mbedtls.cc
 		vfs/vfs_encrypted.cc
 		vfs/vfs_encryption_module_dummy.cc
 		vfs/vfs_encryption_module_aes256gcm_sha256.cc)
 endif()
-if(MbedTLS_VERSION GREATER_EQUAL 3)
+if(OPENSSL_FOUND)
+	list(APPEND BCTOOLBOX_C_SOURCE_FILES crypto/openssl.c)
+	list(APPEND BCTOOLBOX_CXX_SOURCE_FILES crypto/openssl.cc)
+endif()
+
+if(MbedTLS_FOUND)
 	list(APPEND BCTOOLBOX_C_SOURCE_FILES crypto/mbedtls.c)
-elseif(MbedTLS_VERSION EQUAL 2)
-	list(APPEND BCTOOLBOX_C_SOURCE_FILES crypto/mbedtls-v2.c)
+	list(APPEND BCTOOLBOX_CXX_SOURCE_FILES crypto/mbedtls.cc)
 endif()
+
 if(ENABLE_TESTS_COMPONENT)
 	set(BCTOOLBOX_C_TESTER_SOURCE_FILES tester.c)
 endif()
@@ -235,6 +240,9 @@ endif()
 if(Decaf_FOUND)
 	target_link_libraries(bctoolbox PRIVATE ${Decaf_TARGET})
 endif()
+if (OPENSSL_FOUND)
+	target_link_libraries(bctoolbox PRIVATE OpenSSL::SSL)
+endif ()
 
 install(TARGETS bctoolbox EXPORT ${PROJECT_NAME}Targets
 	RUNTIME DESTINATION ${CMAKE_INSTALL_BINDIR}

diff --git a/src/crypto/crypto.c b/src/crypto/crypto.c
@@ -87,32 +87,33 @@ int bctbx_aes_gcm_encryptFile(void **cryptoContext, unsigned char *key, size_t l
  */
 int bctbx_aes_gcm_decryptFile(void **cryptoContext, unsigned char *key, size_t length, char *plain, char *cipher) {
 	bctbx_aes_gcm_context_t *gcmContext;
+	int ret = -1;
 
-	if (*cryptoContext == NULL && key == NULL) return -1; // we need the key, at least at first call
+	if (*cryptoContext == NULL && key == NULL) return ret; // we need the key, at least at first call
 
 	if (*cryptoContext == NULL) { /* first call to the function, allocate a crypto context and initialise it */
 
 		/* key contains 192bits of key || 64 bits of Initialisation Vector, no additional data */
 		gcmContext = bctbx_aes_gcm_context_new(key, 24, NULL, 0, key + 24, 8, BCTBX_GCM_DECRYPT);
 		if (gcmContext == NULL) {
-			return -1;
+			return ret;
 		}
 		*cryptoContext = gcmContext;
 	} else { /* this is not the first call, get the context */
 		gcmContext = (bctbx_aes_gcm_context_t *)*cryptoContext;
 	}
 
 	if (cipher != NULL) {
-		bctbx_aes_gcm_process_chunk(gcmContext, (const uint8_t *)cipher, length, (uint8_t *)plain);
+		ret = bctbx_aes_gcm_process_chunk(gcmContext, (const uint8_t *)cipher, length, (uint8_t *)plain);
 	} else { /* cipher is NULL, finish the stream, if plain is not null and we have a length, compute the authentication
 		        tag*/
 		if (plain != NULL && length > 0) {
-			bctbx_aes_gcm_finish(gcmContext, (uint8_t *)plain, length);
+			ret = bctbx_aes_gcm_finish(gcmContext, (uint8_t *)plain, length);
 		} else {
-			bctbx_aes_gcm_finish(gcmContext, NULL, 0);
+			ret = bctbx_aes_gcm_finish(gcmContext, NULL, 0);
 		}
 		*cryptoContext = NULL;
 	}
 
-	return 0;
+	return ret;
 }