Bug#808059: gatling: switch from polarssl to mbedtls

Tue, 15 Dec 2015 08:38:49 -0800 

Source: gatling
Version: 0.13-5
Severity: important
Tags: patch
User: james...@cowgill.org.uk
Usertag: polarssl-to-mbedtls

Hi,

Around a year ago, the polarssl project was rebranded as "mbed TLS".
Due to this and due to some major API changes in the 2.0 release, I've
uploaded a new mbedtls package which is intended to replace polarssl.

Please can you switch to mbedtls instead of using polarssl. I did a bit
of work at porting this. The attached patch should work (or you can use
it as the basis for another fix).

Thanks,
James
Description: Switch from polarssl to mbedtls
Author: James Cowgill <james...@cowgill.org>
Forwarded: no
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -84,10 +84,10 @@ tlsgatling_nofail: gatling.c ssl.o $(HTT
 	-$(CC) -o tlsgatling gatling.c ssl.o $(HTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS $(LDFLAGS) -lssl -lcrypto $(LDLIBS)
 
 ptlsgatling: gatling.c pssl.o $(PHTTPS_OBJS) libsocket libiconv libcrypt
-	$(CC) -o $@ gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_POLARSSL $(LDFLAGS) -lpolarssl $(LDLIBS)
+	$(CC) -o $@ gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_MBEDTLS $(LDFLAGS) -lmbedcrypto -lmbedx509 -lmbedtls $(LDLIBS)
 
 ptlsgatling_nofail: gatling.c pssl.o $(PHTTPS_OBJS) libsocket libiconv libcrypt
-	-$(CC) -o ptlsgatling gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_POLARSSL $(LDFLAGS) -lpolarssl $(LDLIBS)
+	-$(CC) -o ptlsgatling gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_MBEDTLS $(LDFLAGS) -lmbedcrypto -lmbedx509 -lmbedtls $(LDLIBS)
 
 gatling: gatling.o $(OBJS) md5lib
 	$(CC) $(LDFLAGS) $@.o $(OBJS) -o $@ $(LDLIBS) `cat md5lib`
@@ -113,7 +113,7 @@ https.o: http.c
 	$(CC) -c $< -o $@ -I. $(CFLAGS) -DSUPPORT_HTTPS
 
 phttps.o: http.c
-	$(CC) -c $< -o $@ -I. $(CFLAGS) -DSUPPORT_HTTPS -DUSE_POLARSSL
+	$(CC) -c $< -o $@ -I. $(CFLAGS) -DSUPPORT_HTTPS -DUSE_MBEDTLS
 
 %: %.o
 	$(CC) $(LDFLAGS) $@.o -o $@ $(LDLIBS)
--- a/gatling.c
+++ b/gatling.c
@@ -259,8 +259,8 @@ void cleanup(int64 fd) {
 #ifdef USE_OPENSSL
     if (h->ssl) SSL_free(h->ssl);
 #endif
-#ifdef USE_POLARSSL
-    ssl_free(&h->ssl);
+#ifdef USE_MBEDTLS
+    mbedtls_ssl_free(&h->ssl);
 #endif
 #endif
 #ifdef SUPPORT_SMB
@@ -707,11 +707,7 @@ static void accept_server_connection(int
 #else
 	  fchdir(origdir);
 #endif
-#ifdef USE_OPENSSL
 	  if (init_serverside_tls(&h->ssl,n))
-#elif defined(USE_POLARSSL)
-	  if (init_serverside_tls(&h->ssl,&h->ssn,n))
-#endif
 	  {
 	    if (logging) {
 	      char a[FMT_ULONG];
@@ -789,22 +785,22 @@ int handle_ssl_error_code(int sock,int c
     io_wantwrite(sock);
     io_dontwantread(sock);
     return 0;
-#elif defined(USE_POLARSSL)
-  case POLARSSL_ERR_NET_WANT_READ:
+#elif defined(USE_MBEDTLS)
+  case MBEDTLS_ERR_SSL_WANT_READ:
     io_wantread(sock);
     io_dontwantwrite(sock);
     return 0;
-  case POLARSSL_ERR_NET_WANT_WRITE:
+  case MBEDTLS_ERR_SSL_WANT_WRITE:
     io_wantwrite(sock);
     io_dontwantread(sock);
     return 0;
 #endif
 #ifdef USE_OPENSSL
   case SSL_ERROR_SYSCALL:
-#elif defined(USE_POLARSSL)
-  case POLARSSL_ERR_NET_RECV_FAILED:
-  case POLARSSL_ERR_NET_SEND_FAILED:
-  case POLARSSL_ERR_NET_CONN_RESET:
+#elif defined(USE_MBEDTLS)
+  case MBEDTLS_ERR_NET_RECV_FAILED:
+  case MBEDTLS_ERR_NET_SEND_FAILED:
+  case MBEDTLS_ERR_NET_CONN_RESET:
     errno=ECONNRESET;
 #endif
     // we already signal the error up and upsteam will then write an
@@ -870,8 +866,8 @@ void do_sslaccept(int sock,struct http_d
   r=SSL_get_error(h->ssl,SSL_accept(h->ssl));
 //  printf("do_sslaccept -> %d\n",r);
   if (r==SSL_ERROR_NONE)
-#elif defined(USE_POLARSSL)
-  r=ssl_handshake(&h->ssl);
+#elif defined(USE_MBEDTLS)
+  r=mbedtls_ssl_handshake(&h->ssl);
   if (r==0)
 #endif
   {
@@ -905,8 +901,8 @@ static void handle_read_misc(int64 i,str
   if (h->t == HTTPSREQUEST) {
 #ifdef USE_OPENSSL
     l=SSL_read(h->ssl,buf,sizeof(buf));
-#elif defined(USE_POLARSSL)
-    l=ssl_read(&h->ssl,(unsigned char*)buf,sizeof(buf));
+#elif defined(USE_MBEDTLS)
+    l=mbedtls_ssl_read(&h->ssl,(unsigned char*)buf,sizeof(buf));
 #else
 #error fixme
 #endif
@@ -915,9 +911,9 @@ static void handle_read_misc(int64 i,str
     if (l==-1) {
       l=SSL_get_error(h->ssl,l);
       if (l==SSL_ERROR_WANT_READ || l==SSL_ERROR_WANT_WRITE) {
-#elif defined(USE_POLARSSL)
+#elif defined(USE_MBEDTLS)
     if (l<0) {
-      if (l==POLARSSL_ERR_NET_WANT_READ || l==POLARSSL_ERR_NET_WANT_WRITE) {
+      if (l==MBEDTLS_ERR_SSL_WANT_READ || l==MBEDTLS_ERR_SSL_WANT_WRITE) {
 #else
 #error fixme
 #endif
@@ -928,8 +924,8 @@ static void handle_read_misc(int64 i,str
 	  return;
 	}
 	l=-1;
-#ifdef USE_POLARSSL
-      } else if (l==POLARSSL_ERR_NET_RECV_FAILED) {
+#ifdef USE_MBEDTLS
+      } else if (l==MBEDTLS_ERR_NET_RECV_FAILED) {
 	l=0;
 #endif
       } else {
@@ -1117,8 +1113,8 @@ int64 https_write_callback(int64 sock,co
   l=SSL_write(H->ssl,buf,n);
   if (l<0) {
     l=SSL_get_error(H->ssl,l);
-#elif defined(USE_POLARSSL)
-  l=ssl_write(&H->ssl,buf,n);
+#elif defined(USE_MBEDTLS)
+  l=mbedtls_ssl_write(&H->ssl,buf,n);
   if (l<0) {
 #endif
     if (handle_ssl_error_code(sock,l,0)==-1) {
@@ -1127,8 +1123,8 @@ int64 https_write_callback(int64 sock,co
     }
 #ifdef USE_OPENSSL
     if (l==SSL_ERROR_WANT_READ || l==SSL_ERROR_WANT_WRITE) {
-#elif defined(USE_POLARSSL)
-    if (l==POLARSSL_ERR_NET_WANT_READ || l==POLARSSL_ERR_NET_WANT_WRITE) {
+#elif defined(USE_MBEDTLS)
+    if (l==MBEDTLS_ERR_SSL_WANT_READ || l==MBEDTLS_ERR_SSL_WANT_WRITE) {
 #endif
       l=-1; errno=EAGAIN;
     } else
--- a/gatling.h
+++ b/gatling.h
@@ -98,7 +98,7 @@ enum conntype {
 
 #ifdef SUPPORT_HTTPS
 
-#ifdef USE_POLARSSL
+#ifdef USE_MBEDTLS
 #undef USE_OPENSSL
 #else
 #define USE_OPENSSL
@@ -111,10 +111,11 @@ enum conntype {
 extern int init_serverside_tls(SSL** ssl,int sock);
 #endif
 
-#ifdef USE_POLARSSL
+#ifdef USE_MBEDTLS
 /* in pssl.c */
-#include <polarssl/ssl.h>
-extern int init_serverside_tls(ssl_context* ssl,ssl_session* ssn,int sock);
+#include <mbedtls/ssl.h>
+#include <mbedtls/net.h>
+extern int init_serverside_tls(mbedtls_ssl_context* ssl, int sock);
 #endif
 
 #endif
@@ -169,9 +170,8 @@ struct http_data {
   char* oldheader;	/* old, unmodified request */
 #endif
 #ifdef SUPPORT_HTTPS
-#ifdef USE_POLARSSL
-  ssl_context ssl;
-  ssl_session ssn;
+#ifdef USE_MBEDTLS
+  mbedtls_ssl_context ssl;
 #endif
 #ifdef USE_OPENSSL
   SSL* ssl;
--- a/http.c
+++ b/http.c
@@ -22,12 +22,12 @@
 #include <dirent.h>
 #ifdef __dietlibc__
 #include <md5.h>
-#elif defined(USE_POLARSSL)
-#include <polarssl/md5.h>
-#define MD5_CTX md5_context
-#define MD5Init md5_starts
-#define MD5Update md5_update
-#define MD5Final(out,ctx) md5_finish(ctx,out)
+#elif defined(USE_MBEDTLS)
+#include <mbedtls/md5.h>
+#define MD5_CTX mbedtls_md5_context
+#define MD5Init mbedtls_md5_starts
+#define MD5Update mbedtls_md5_update
+#define MD5Final(out,ctx) mbedtls_md5_finish(ctx,out)
 #else
 #include <openssl/md5.h>
 #define MD5Init MD5_Init
@@ -871,8 +871,8 @@ punt2:
 	    if (ctx_for_sockfd->t==HTTPSREQUEST)
 #if defined(USE_OPENSSL)
 	      SSL_write(ctx_for_sockfd->ssl,contmsg,sizeof(contmsg)-1);
-#elif defined(USE_POLARSSL)
-	      ssl_write(&ctx_for_sockfd->ssl,(const unsigned char*)contmsg,sizeof(contmsg)-1);
+#elif defined(USE_MBEDTLS)
+	      mbedtls_ssl_write(&ctx_for_sockfd->ssl,(const unsigned char*)contmsg,sizeof(contmsg)-1);
 #else
 #warn fixme update SSL code in http.c
 #endif
@@ -1112,10 +1112,10 @@ int read_http_post(int sockfd,struct htt
     if (i<0) {
       i=SSL_get_error(H->ssl,i);
       if (l==SSL_ERROR_WANT_READ || l==SSL_ERROR_WANT_WRITE) {
-#elif defined(USE_POLARSSL)
-    i=ssl_read(&H->ssl,(unsigned char*)buf,l);
+#elif defined(USE_MBEDTLS)
+    i=mbedtls_ssl_read(&H->ssl,(unsigned char*)buf,l);
     if (i<0) {
-      if (l==POLARSSL_ERR_NET_WANT_READ || l==POLARSSL_ERR_NET_WANT_WRITE) {
+      if (l==MBEDTLS_ERR_SSL_WANT_READ || l==MBEDTLS_ERR_SSL_WANT_WRITE) {
 #endif
 	io_eagain(sockfd);
 	if (handle_ssl_error_code(sockfd,i,1)==-1)
--- a/pssl.c
+++ b/pssl.c
@@ -6,15 +6,11 @@
 #include <sys/poll.h>
 #include <netdb.h>
 #include <fcntl.h>
-#include <polarssl/compat-1.2.h>
-#include <polarssl/havege.h>
-#include <polarssl/ssl.h>
+#include <mbedtls/havege.h>
+#include <mbedtls/net.h>
+#include <mbedtls/ssl.h>
 #include "mmap.h"
 
-#ifdef POLARSSL_ERR_NET_TRY_AGAIN
-#error polarssl version too old, try the svn trunk
-#endif
-
 static int library_inited;
 
 const char* ssl_server_cert="server.pem";
@@ -23,95 +19,76 @@ const char* ssl_client_ca="clientca.pem"
 const char* ssl_ciphers="DEFAULT";
 const char* ssl_client_cert="clientcert.pem";
 
-x509_cert srvcert;
-rsa_context rsa;
-havege_state hs;
+static mbedtls_ssl_config tls_config;
+static mbedtls_pk_context tls_pk;
+static mbedtls_x509_crt tls_srvcert;
+static mbedtls_havege_state tls_hs;
 
 int my_ciphersuites[] =
 {
-    TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-    TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
-    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-    TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
-    TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
-    TLS_RSA_WITH_AES_256_CBC_SHA,
-    TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
-    TLS_RSA_WITH_AES_128_CBC_SHA,
-    TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
-    TLS_RSA_WITH_3DES_EDE_CBC_SHA,
-    TLS_RSA_WITH_RC4_128_SHA,
-    TLS_RSA_WITH_RC4_128_MD5,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_SHA,
+    MBEDTLS_TLS_RSA_WITH_RC4_128_MD5,
     0
 };
 
 static int my_net_recv( void *ctx, unsigned char *buf, size_t len ) {
   int sock=(int)(uintptr_t)ctx;
-  return net_recv(&sock,buf,len);
+  return mbedtls_net_recv(&sock,buf,len);
 };
 
 static int my_net_send( void *ctx, const unsigned char *buf, size_t len ) {
   int sock=(int)(uintptr_t)ctx;
-  return net_send(&sock,buf,len);
+  return mbedtls_net_send(&sock,buf,len);
 };
 
 
-int init_serverside_tls(ssl_context* ssl,ssl_session* ssn,int sock) {
-  size_t l,i;
-  int found=0;
-  char* buf;
+int init_serverside_tls(mbedtls_ssl_context* ssl, int sock) {
   if (!library_inited) {
-    library_inited=1;
-    havege_init(&hs);
-  } else
-    x509_free(&srvcert);
-
-  memset(&srvcert,0,sizeof(x509_cert));
-  /* for compatibility we expect the same file format as openssl, which
-   * looks like this:
-
-   -----BEGIN RSA PRIVATE KEY-----
-   [base64]
-   -----END RSA PRIVATE KEY-----
-   -----BEGIN CERTIFICATE-----
-   [base64]
-   -----END CERTIFICATE-----
-
-   */
-  buf=(char*)mmap_read(ssl_server_cert,&l);
-  if (!buf) return -1;
-  for (i=0; i<l-sizeof("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"); ++i)
-    if (!memcmp(buf+i,"-----BEGIN CERTIFICATE-----",sizeof("-----BEGIN CERTIFICATE-----")-1)) {
-      found=1;
-      break;
+    mbedtls_havege_init(&tls_hs);
+    mbedtls_x509_crt_init(&tls_srvcert);
+    mbedtls_pk_init(&tls_pk);
+    mbedtls_ssl_config_init(&tls_config);
+
+    /* Load certificate and private key */
+    if (mbedtls_x509_crt_parse_file(&tls_srvcert, ssl_server_cert) ||
+        mbedtls_pk_parse_keyfile(&tls_pk, ssl_server_cert, NULL) ||
+        !mbedtls_pk_can_do(&tls_pk, MBEDTLS_PK_RSA)) {
+
+      mbedtls_pk_free(&tls_pk);
+      mbedtls_x509_crt_free(&tls_srvcert);
+      return -1;
     }
-  if (!found) {
-fail:
-    mmap_unmap(buf,l);
-    return -1;
-  }
-  /* parse cert and key */
-  if (x509parse_crt(&srvcert,(unsigned char*)buf+i,l-i) ||
-      x509parse_key(&rsa,(unsigned char*)buf,i,NULL,0))
-    goto fail;
-  mmap_unmap(buf,l);
 
-  memset(ssl,0,sizeof(*ssl));
-  memset(ssn,0,sizeof(*ssn));
+    /* Setup common TLS config */
+    mbedtls_ssl_config_defaults(&tls_config,
+      MBEDTLS_SSL_IS_SERVER,
+      MBEDTLS_SSL_TRANSPORT_STREAM,
+      MBEDTLS_SSL_PRESET_DEFAULT);
+    mbedtls_ssl_conf_rng(&tls_config, mbedtls_havege_random, &tls_hs);
+    mbedtls_ssl_conf_ciphersuites(&tls_config, my_ciphersuites);
+    mbedtls_ssl_conf_ca_chain(&tls_config, tls_srvcert.next, NULL);
+    mbedtls_ssl_conf_own_cert(&tls_config, &tls_srvcert, &tls_pk);
+    mbedtls_ssl_conf_dh_param(&tls_config, "CD95C1B9959B0A135B9D306D53A87518E8ED3EA8CBE6E3A338D9DD3167889FC809FE1AD59B38C98D1A8FCE47E46DF5FB56B8EA3B03B2132C249A99209F62A1AD63511BD08A60655B0463B6F1BB79BEC9D17C71BD269C6B50CF0EDDAAB83290B4C697A7F641FBD21EE0E7B57C698AFEED8DA3AB800525E6887215A61CA62DC437", "04");
 
-  if (ssl_init(ssl))
-    return -1;
+    library_inited=1;
+  }
 
-  ssl_set_endpoint( ssl, SSL_IS_SERVER );
-  ssl_set_authmode( ssl, SSL_VERIFY_NONE );
-  ssl_set_rng( ssl, havege_random, &hs );
-  ssl_set_bio( ssl, my_net_recv, (void*)(uintptr_t)sock, my_net_send, (void*)(uintptr_t)sock );
-  ssl_set_ciphersuites( ssl, my_ciphersuites );
-  ssl_set_session( ssl, ssn );
-
-  ssl_set_ca_chain( ssl, srvcert.next, NULL, NULL );
-  ssl_set_own_cert( ssl, &srvcert, &rsa );
-  ssl_set_dh_param( ssl, "CD95C1B9959B0A135B9D306D53A87518E8ED3EA8CBE6E3A338D9DD3167889FC809FE1AD59B38C98D1A8FCE47E46DF5FB56B8EA3B03B2132C249A99209F62A1AD63511BD08A60655B0463B6F1BB79BEC9D17C71BD269C6B50CF0EDDAAB83290B4C697A7F641FBD21EE0E7B57C698AFEED8DA3AB800525E6887215A61CA62DC437", "04" );
+  /** Initialize new SSL context */
+  mbedtls_ssl_init(ssl);
+  if (mbedtls_ssl_setup(ssl, &tls_config))
+    return -1;
 
+  mbedtls_ssl_set_bio(ssl, (void*)(uintptr_t) sock, my_net_send, my_net_recv, NULL);
   return 0;
 }

Attachment: signature.asc
Description: This is a digitally signed message part

Reply via email to