--- Begin Message ---
Source: gatling
Version: 0.13-5
Severity: important
Tags: patch
User: james...@cowgill.org.uk
Usertag: polarssl-to-mbedtls
Hi,
Around a year ago, the polarssl project was rebranded as "mbed TLS".
Due to this and due to some major API changes in the 2.0 release, I've
uploaded a new mbedtls package which is intended to replace polarssl.
Please can you switch to mbedtls instead of using polarssl. I did a bit
of work at porting this. The attached patch should work (or you can use
it as the basis for another fix).
Thanks,
James
Description: Switch from polarssl to mbedtls
Author: James Cowgill <james...@cowgill.org>
Forwarded: no
---
This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -84,10 +84,10 @@ tlsgatling_nofail: gatling.c ssl.o $(HTT
-$(CC) -o tlsgatling gatling.c ssl.o $(HTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS $(LDFLAGS) -lssl -lcrypto $(LDLIBS)
ptlsgatling: gatling.c pssl.o $(PHTTPS_OBJS) libsocket libiconv libcrypt
- $(CC) -o $@ gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_POLARSSL $(LDFLAGS) -lpolarssl $(LDLIBS)
+ $(CC) -o $@ gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_MBEDTLS $(LDFLAGS) -lmbedcrypto -lmbedx509 -lmbedtls $(LDLIBS)
ptlsgatling_nofail: gatling.c pssl.o $(PHTTPS_OBJS) libsocket libiconv libcrypt
- -$(CC) -o ptlsgatling gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_POLARSSL $(LDFLAGS) -lpolarssl $(LDLIBS)
+ -$(CC) -o ptlsgatling gatling.c pssl.c $(PHTTPS_OBJS) $(CFLAGS) -DSUPPORT_HTTPS -DUSE_MBEDTLS $(LDFLAGS) -lmbedcrypto -lmbedx509 -lmbedtls $(LDLIBS)
gatling: gatling.o $(OBJS) md5lib
$(CC) $(LDFLAGS) $@.o $(OBJS) -o $@ $(LDLIBS) `cat md5lib`
@@ -113,7 +113,7 @@ https.o: http.c
$(CC) -c $< -o $@ -I. $(CFLAGS) -DSUPPORT_HTTPS
phttps.o: http.c
- $(CC) -c $< -o $@ -I. $(CFLAGS) -DSUPPORT_HTTPS -DUSE_POLARSSL
+ $(CC) -c $< -o $@ -I. $(CFLAGS) -DSUPPORT_HTTPS -DUSE_MBEDTLS
%: %.o
$(CC) $(LDFLAGS) $@.o -o $@ $(LDLIBS)
--- a/gatling.c
+++ b/gatling.c
@@ -259,8 +259,8 @@ void cleanup(int64 fd) {
#ifdef USE_OPENSSL
if (h->ssl) SSL_free(h->ssl);
#endif
-#ifdef USE_POLARSSL
- ssl_free(&h->ssl);
+#ifdef USE_MBEDTLS
+ mbedtls_ssl_free(&h->ssl);
#endif
#endif
#ifdef SUPPORT_SMB
@@ -707,11 +707,7 @@ static void accept_server_connection(int
#else
fchdir(origdir);
#endif
-#ifdef USE_OPENSSL
if (init_serverside_tls(&h->ssl,n))
-#elif defined(USE_POLARSSL)
- if (init_serverside_tls(&h->ssl,&h->ssn,n))
-#endif
{
if (logging) {
char a[FMT_ULONG];
@@ -789,22 +785,22 @@ int handle_ssl_error_code(int sock,int c
io_wantwrite(sock);
io_dontwantread(sock);
return 0;
-#elif defined(USE_POLARSSL)
- case POLARSSL_ERR_NET_WANT_READ:
+#elif defined(USE_MBEDTLS)
+ case MBEDTLS_ERR_SSL_WANT_READ:
io_wantread(sock);
io_dontwantwrite(sock);
return 0;
- case POLARSSL_ERR_NET_WANT_WRITE:
+ case MBEDTLS_ERR_SSL_WANT_WRITE:
io_wantwrite(sock);
io_dontwantread(sock);
return 0;
#endif
#ifdef USE_OPENSSL
case SSL_ERROR_SYSCALL:
-#elif defined(USE_POLARSSL)
- case POLARSSL_ERR_NET_RECV_FAILED:
- case POLARSSL_ERR_NET_SEND_FAILED:
- case POLARSSL_ERR_NET_CONN_RESET:
+#elif defined(USE_MBEDTLS)
+ case MBEDTLS_ERR_NET_RECV_FAILED:
+ case MBEDTLS_ERR_NET_SEND_FAILED:
+ case MBEDTLS_ERR_NET_CONN_RESET:
errno=ECONNRESET;
#endif
// we already signal the error up and upsteam will then write an
@@ -870,8 +866,8 @@ void do_sslaccept(int sock,struct http_d
r=SSL_get_error(h->ssl,SSL_accept(h->ssl));
// printf("do_sslaccept -> %d\n",r);
if (r==SSL_ERROR_NONE)
-#elif defined(USE_POLARSSL)
- r=ssl_handshake(&h->ssl);
+#elif defined(USE_MBEDTLS)
+ r=mbedtls_ssl_handshake(&h->ssl);
if (r==0)
#endif
{
@@ -905,8 +901,8 @@ static void handle_read_misc(int64 i,str
if (h->t == HTTPSREQUEST) {
#ifdef USE_OPENSSL
l=SSL_read(h->ssl,buf,sizeof(buf));
-#elif defined(USE_POLARSSL)
- l=ssl_read(&h->ssl,(unsigned char*)buf,sizeof(buf));
+#elif defined(USE_MBEDTLS)
+ l=mbedtls_ssl_read(&h->ssl,(unsigned char*)buf,sizeof(buf));
#else
#error fixme
#endif
@@ -915,9 +911,9 @@ static void handle_read_misc(int64 i,str
if (l==-1) {
l=SSL_get_error(h->ssl,l);
if (l==SSL_ERROR_WANT_READ || l==SSL_ERROR_WANT_WRITE) {
-#elif defined(USE_POLARSSL)
+#elif defined(USE_MBEDTLS)
if (l<0) {
- if (l==POLARSSL_ERR_NET_WANT_READ || l==POLARSSL_ERR_NET_WANT_WRITE) {
+ if (l==MBEDTLS_ERR_SSL_WANT_READ || l==MBEDTLS_ERR_SSL_WANT_WRITE) {
#else
#error fixme
#endif
@@ -928,8 +924,8 @@ static void handle_read_misc(int64 i,str
return;
}
l=-1;
-#ifdef USE_POLARSSL
- } else if (l==POLARSSL_ERR_NET_RECV_FAILED) {
+#ifdef USE_MBEDTLS
+ } else if (l==MBEDTLS_ERR_NET_RECV_FAILED) {
l=0;
#endif
} else {
@@ -1117,8 +1113,8 @@ int64 https_write_callback(int64 sock,co
l=SSL_write(H->ssl,buf,n);
if (l<0) {
l=SSL_get_error(H->ssl,l);
-#elif defined(USE_POLARSSL)
- l=ssl_write(&H->ssl,buf,n);
+#elif defined(USE_MBEDTLS)
+ l=mbedtls_ssl_write(&H->ssl,buf,n);
if (l<0) {
#endif
if (handle_ssl_error_code(sock,l,0)==-1) {
@@ -1127,8 +1123,8 @@ int64 https_write_callback(int64 sock,co
}
#ifdef USE_OPENSSL
if (l==SSL_ERROR_WANT_READ || l==SSL_ERROR_WANT_WRITE) {
-#elif defined(USE_POLARSSL)
- if (l==POLARSSL_ERR_NET_WANT_READ || l==POLARSSL_ERR_NET_WANT_WRITE) {
+#elif defined(USE_MBEDTLS)
+ if (l==MBEDTLS_ERR_SSL_WANT_READ || l==MBEDTLS_ERR_SSL_WANT_WRITE) {
#endif
l=-1; errno=EAGAIN;
} else
--- a/gatling.h
+++ b/gatling.h
@@ -98,7 +98,7 @@ enum conntype {
#ifdef SUPPORT_HTTPS
-#ifdef USE_POLARSSL
+#ifdef USE_MBEDTLS
#undef USE_OPENSSL
#else
#define USE_OPENSSL
@@ -111,10 +111,11 @@ enum conntype {
extern int init_serverside_tls(SSL** ssl,int sock);
#endif
-#ifdef USE_POLARSSL
+#ifdef USE_MBEDTLS
/* in pssl.c */
-#include <polarssl/ssl.h>
-extern int init_serverside_tls(ssl_context* ssl,ssl_session* ssn,int sock);
+#include <mbedtls/ssl.h>
+#include <mbedtls/net.h>
+extern int init_serverside_tls(mbedtls_ssl_context* ssl, int sock);
#endif
#endif
@@ -169,9 +170,8 @@ struct http_data {
char* oldheader; /* old, unmodified request */
#endif
#ifdef SUPPORT_HTTPS
-#ifdef USE_POLARSSL
- ssl_context ssl;
- ssl_session ssn;
+#ifdef USE_MBEDTLS
+ mbedtls_ssl_context ssl;
#endif
#ifdef USE_OPENSSL
SSL* ssl;
--- a/http.c
+++ b/http.c
@@ -22,12 +22,12 @@
#include <dirent.h>
#ifdef __dietlibc__
#include <md5.h>
-#elif defined(USE_POLARSSL)
-#include <polarssl/md5.h>
-#define MD5_CTX md5_context
-#define MD5Init md5_starts
-#define MD5Update md5_update
-#define MD5Final(out,ctx) md5_finish(ctx,out)
+#elif defined(USE_MBEDTLS)
+#include <mbedtls/md5.h>
+#define MD5_CTX mbedtls_md5_context
+#define MD5Init mbedtls_md5_starts
+#define MD5Update mbedtls_md5_update
+#define MD5Final(out,ctx) mbedtls_md5_finish(ctx,out)
#else
#include <openssl/md5.h>
#define MD5Init MD5_Init
@@ -871,8 +871,8 @@ punt2:
if (ctx_for_sockfd->t==HTTPSREQUEST)
#if defined(USE_OPENSSL)
SSL_write(ctx_for_sockfd->ssl,contmsg,sizeof(contmsg)-1);
-#elif defined(USE_POLARSSL)
- ssl_write(&ctx_for_sockfd->ssl,(const unsigned char*)contmsg,sizeof(contmsg)-1);
+#elif defined(USE_MBEDTLS)
+ mbedtls_ssl_write(&ctx_for_sockfd->ssl,(const unsigned char*)contmsg,sizeof(contmsg)-1);
#else
#warn fixme update SSL code in http.c
#endif
@@ -1112,10 +1112,10 @@ int read_http_post(int sockfd,struct htt
if (i<0) {
i=SSL_get_error(H->ssl,i);
if (l==SSL_ERROR_WANT_READ || l==SSL_ERROR_WANT_WRITE) {
-#elif defined(USE_POLARSSL)
- i=ssl_read(&H->ssl,(unsigned char*)buf,l);
+#elif defined(USE_MBEDTLS)
+ i=mbedtls_ssl_read(&H->ssl,(unsigned char*)buf,l);
if (i<0) {
- if (l==POLARSSL_ERR_NET_WANT_READ || l==POLARSSL_ERR_NET_WANT_WRITE) {
+ if (l==MBEDTLS_ERR_SSL_WANT_READ || l==MBEDTLS_ERR_SSL_WANT_WRITE) {
#endif
io_eagain(sockfd);
if (handle_ssl_error_code(sockfd,i,1)==-1)
--- a/pssl.c
+++ b/pssl.c
@@ -6,15 +6,11 @@
#include <sys/poll.h>
#include <netdb.h>
#include <fcntl.h>
-#include <polarssl/compat-1.2.h>
-#include <polarssl/havege.h>
-#include <polarssl/ssl.h>
+#include <mbedtls/havege.h>
+#include <mbedtls/net.h>
+#include <mbedtls/ssl.h>
#include "mmap.h"
-#ifdef POLARSSL_ERR_NET_TRY_AGAIN
-#error polarssl version too old, try the svn trunk
-#endif
-
static int library_inited;
const char* ssl_server_cert="server.pem";
@@ -23,95 +19,76 @@ const char* ssl_client_ca="clientca.pem"
const char* ssl_ciphers="DEFAULT";
const char* ssl_client_cert="clientcert.pem";
-x509_cert srvcert;
-rsa_context rsa;
-havege_state hs;
+static mbedtls_ssl_config tls_config;
+static mbedtls_pk_context tls_pk;
+static mbedtls_x509_crt tls_srvcert;
+static mbedtls_havege_state tls_hs;
int my_ciphersuites[] =
{
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_RSA_WITH_AES_256_CBC_SHA,
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
- TLS_RSA_WITH_AES_128_CBC_SHA,
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
- TLS_RSA_WITH_3DES_EDE_CBC_SHA,
- TLS_RSA_WITH_RC4_128_SHA,
- TLS_RSA_WITH_RC4_128_MD5,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ MBEDTLS_TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_CAMELLIA_128_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_3DES_EDE_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_RC4_128_SHA,
+ MBEDTLS_TLS_RSA_WITH_RC4_128_MD5,
0
};
static int my_net_recv( void *ctx, unsigned char *buf, size_t len ) {
int sock=(int)(uintptr_t)ctx;
- return net_recv(&sock,buf,len);
+ return mbedtls_net_recv(&sock,buf,len);
};
static int my_net_send( void *ctx, const unsigned char *buf, size_t len ) {
int sock=(int)(uintptr_t)ctx;
- return net_send(&sock,buf,len);
+ return mbedtls_net_send(&sock,buf,len);
};
-int init_serverside_tls(ssl_context* ssl,ssl_session* ssn,int sock) {
- size_t l,i;
- int found=0;
- char* buf;
+int init_serverside_tls(mbedtls_ssl_context* ssl, int sock) {
if (!library_inited) {
- library_inited=1;
- havege_init(&hs);
- } else
- x509_free(&srvcert);
-
- memset(&srvcert,0,sizeof(x509_cert));
- /* for compatibility we expect the same file format as openssl, which
- * looks like this:
-
- -----BEGIN RSA PRIVATE KEY-----
- [base64]
- -----END RSA PRIVATE KEY-----
- -----BEGIN CERTIFICATE-----
- [base64]
- -----END CERTIFICATE-----
-
- */
- buf=(char*)mmap_read(ssl_server_cert,&l);
- if (!buf) return -1;
- for (i=0; i<l-sizeof("-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----"); ++i)
- if (!memcmp(buf+i,"-----BEGIN CERTIFICATE-----",sizeof("-----BEGIN CERTIFICATE-----")-1)) {
- found=1;
- break;
+ mbedtls_havege_init(&tls_hs);
+ mbedtls_x509_crt_init(&tls_srvcert);
+ mbedtls_pk_init(&tls_pk);
+ mbedtls_ssl_config_init(&tls_config);
+
+ /* Load certificate and private key */
+ if (mbedtls_x509_crt_parse_file(&tls_srvcert, ssl_server_cert) ||
+ mbedtls_pk_parse_keyfile(&tls_pk, ssl_server_cert, NULL) ||
+ !mbedtls_pk_can_do(&tls_pk, MBEDTLS_PK_RSA)) {
+
+ mbedtls_pk_free(&tls_pk);
+ mbedtls_x509_crt_free(&tls_srvcert);
+ return -1;
}
- if (!found) {
-fail:
- mmap_unmap(buf,l);
- return -1;
- }
- /* parse cert and key */
- if (x509parse_crt(&srvcert,(unsigned char*)buf+i,l-i) ||
- x509parse_key(&rsa,(unsigned char*)buf,i,NULL,0))
- goto fail;
- mmap_unmap(buf,l);
- memset(ssl,0,sizeof(*ssl));
- memset(ssn,0,sizeof(*ssn));
+ /* Setup common TLS config */
+ mbedtls_ssl_config_defaults(&tls_config,
+ MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT);
+ mbedtls_ssl_conf_rng(&tls_config, mbedtls_havege_random, &tls_hs);
+ mbedtls_ssl_conf_ciphersuites(&tls_config, my_ciphersuites);
+ mbedtls_ssl_conf_ca_chain(&tls_config, tls_srvcert.next, NULL);
+ mbedtls_ssl_conf_own_cert(&tls_config, &tls_srvcert, &tls_pk);
+ mbedtls_ssl_conf_dh_param(&tls_config, "CD95C1B9959B0A135B9D306D53A87518E8ED3EA8CBE6E3A338D9DD3167889FC809FE1AD59B38C98D1A8FCE47E46DF5FB56B8EA3B03B2132C249A99209F62A1AD63511BD08A60655B0463B6F1BB79BEC9D17C71BD269C6B50CF0EDDAAB83290B4C697A7F641FBD21EE0E7B57C698AFEED8DA3AB800525E6887215A61CA62DC437", "04");
- if (ssl_init(ssl))
- return -1;
+ library_inited=1;
+ }
- ssl_set_endpoint( ssl, SSL_IS_SERVER );
- ssl_set_authmode( ssl, SSL_VERIFY_NONE );
- ssl_set_rng( ssl, havege_random, &hs );
- ssl_set_bio( ssl, my_net_recv, (void*)(uintptr_t)sock, my_net_send, (void*)(uintptr_t)sock );
- ssl_set_ciphersuites( ssl, my_ciphersuites );
- ssl_set_session( ssl, ssn );
-
- ssl_set_ca_chain( ssl, srvcert.next, NULL, NULL );
- ssl_set_own_cert( ssl, &srvcert, &rsa );
- ssl_set_dh_param( ssl, "CD95C1B9959B0A135B9D306D53A87518E8ED3EA8CBE6E3A338D9DD3167889FC809FE1AD59B38C98D1A8FCE47E46DF5FB56B8EA3B03B2132C249A99209F62A1AD63511BD08A60655B0463B6F1BB79BEC9D17C71BD269C6B50CF0EDDAAB83290B4C697A7F641FBD21EE0E7B57C698AFEED8DA3AB800525E6887215A61CA62DC437", "04" );
+ /** Initialize new SSL context */
+ mbedtls_ssl_init(ssl);
+ if (mbedtls_ssl_setup(ssl, &tls_config))
+ return -1;
+ mbedtls_ssl_set_bio(ssl, (void*)(uintptr_t) sock, my_net_send, my_net_recv, NULL);
return 0;
}
signature.asc
Description: This is a digitally signed message part
--- End Message ---
