
components/openssl: add debug message and change verifying mode

Dong Heng 9 ani în urmă
părinte
comite
3882937427

+ 3 - 3
components/openssl/include/internal/ssl_dbg.h

@@ -19,10 +19,10 @@
  extern "C" {
 #endif
 
-#define SSL_DEBUG_ENBALE 0
+#define SSL_DEBUG_ENBALE 1
 #define SSL_DEBUG_LEVEL 0
-#define SSL_ASSERT_ENABLE 0
-#define SSL_DEBUG_LOCATION_ENABLE 0
+#define SSL_ASSERT_ENABLE 1
+#define SSL_DEBUG_LOCATION_ENABLE 1
 
 #if SSL_DEBUG_ENBALE
     extern int ets_printf(const char *fmt, ...);
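Review bot: Setting `SSL_DEBUG_ENBALE`, `SSL_ASSERT_ENABLE` and `SSL_DEBUG_LOCATION_ENABLE` to 1 in the committed header turns debug printing, assertions and file/line output on for every build that includes it, not only for this debugging session. Prefer overridable defaults such as `#ifndef SSL_DEBUG_ENBALE` / `#define SSL_DEBUG_ENBALE 0` / `#endif` for each of the three, so a build configuration can enable them without editing the header and release builds do not carry the format strings and ets_printf calls from the TLS paths. The name `SSL_DEBUG_ENBALE` is a typo for `SSL_DEBUG_ENABLE`; since the guard on the last hunk line and presumably other files reference it, a rename is best done in its own change.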

+ 2 - 0
components/openssl/include/internal/ssl_methods.h

@@ -15,6 +15,8 @@
 #ifndef _SSL_METHODS_H_
 #define _SSL_METHODS_H_
 
+#include "ssl_types.h"
+
 #ifdef __cplusplus
  extern "C" {
 #endif

+ 24 - 0
components/openssl/include/internal/ssl_x509.h

@@ -63,6 +63,30 @@ X509* d2i_X509(X509 **cert, const unsigned char *buffer, long len);
  */
 void X509_free(X509 *x);
 
+/**
+ * @brief set SSL context client CA certification
+ *
+ * @param ctx - SSL context point
+ * @param x   - X509 certification point
+ *
+ * @return result
+ *     0 : failed
+ *     1 : OK
+ */
+int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x);
+
+/**
+ * @brief add CA client certification into the SSL
+ *
+ * @param ssl - SSL point
+ * @param x   - X509 certification point
+ *
+ * @return result
+ *     0 : failed
+ *     1 : OK
+ */
+int SSL_add_client_CA(SSL *ssl, X509 *x);
+
 #ifdef __cplusplus
 }
 #endif
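Review bot: The two new declarations say nothing about ownership: the docstrings for `SSL_CTX_add_client_CA` and `SSL_add_client_CA` should state whether `x` is copied or merely referenced and who frees it, because callers of the OpenSSL functions of the same name keep ownership of the X509. "certification" should read "certificate" in the @brief and @param lines, and the @brief of `SSL_CTX_add_client_CA` ("set SSL context client CA certification") should say what happens to the CA — in OpenSSL the call appends the CA's name to the list of acceptable client CAs rather than replacing the context's CA. I do not see a definition of either function in this commit's hunks (ssl_lib.c changes only three lines), so unless one exists elsewhere, callers will fail at link time.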

+ 3 - 3
components/openssl/library/ssl_lib.c

@@ -126,11 +126,11 @@ SSL_SESSION* SSL_SESSION_new(void)
 
     session = ssl_zalloc(sizeof(SSL_SESSION));
     if (!session)
-        SSL_RET(failed1);
+        SSL_RET(failed1, "ssl_zalloc\n");
 
     session->peer = X509_new();
     if (!session->peer)
-        SSL_RET(failed2);
+        SSL_RET(failed2, "X509_new\n");
 
     return session;
 
@@ -1500,7 +1500,7 @@ void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509
  */
 void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
 {
-    SSL_ASSERT(ctx);
+    SSL_ASSERT(ssl);
 
     ssl->verify_mode = mode;
     ssl->verify_callback = verify_callback;
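Review bot: The `ctx` to `ssl` fix in SSL_set_verify only surfaced because this commit also switches `SSL_ASSERT_ENABLE` to 1; an undeclared identifier could compile before only if the disabled form of SSL_ASSERT drops its argument entirely. If that disabled form (in ssl_dbg.h, not part of this diff) is an empty expansion, consider `#define SSL_ASSERT(s) ((void)(s))` for it so the argument is still type-checked when assertions are off. The body of SSL_set_verify continues past the hunk.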

+ 0 - 1
components/openssl/library/ssl_methods.c

@@ -12,7 +12,6 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#include "ssl_lib.h"
 #include "ssl_methods.h"
 #include "ssl_pm.h"
 

+ 0 - 2
components/openssl/library/ssl_pkey.c

@@ -12,9 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-#include "ssl_lib.h"
 #include "ssl_pkey.h"
-#include "ssl_cert.h"
 #include "ssl_methods.h"
 #include "ssl_dbg.h"
 #include "ssl_port.h"

+ 4 - 4
components/openssl/library/ssl_stack.c

@@ -30,13 +30,13 @@ OPENSSL_STACK* OPENSSL_sk_new(OPENSSL_sk_compfunc c)
     OPENSSL_STACK *stack;
     char **data;
 
-    stack = ssl_malloc(sizeof(OPENSSL_STACK));
+    stack = ssl_zalloc(sizeof(OPENSSL_STACK));
     if (!stack)
-        SSL_RET(failed1);
+        SSL_RET(failed1, "ssl_zalloc\n");
 
-    data = ssl_malloc(sizeof(*data) * MIN_NODES);
+    data = ssl_zalloc(sizeof(*data) * MIN_NODES);
     if (!data)
-        SSL_RET(failed2);
+        SSL_RET(failed2, "ssl_zalloc\n");
 
     stack->data = data;
     stack->num_alloc = MIN_NODES;

+ 0 - 3
components/openssl/library/ssl_x509.c

@@ -13,7 +13,6 @@
 // limitations under the License.
 
 #include "ssl_x509.h"
-#include "ssl_cert.h"
 #include "ssl_methods.h"
 #include "ssl_dbg.h"
 #include "ssl_port.h"
@@ -214,9 +213,7 @@ int SSL_use_certificate_ASN1(SSL *ssl, int len,
                              const unsigned char *d)
 {
     int ret;
-    int reload;
     X509 *x;
-    int m = 0;
 
     x = d2i_X509(NULL, d, len);
     if (!x)
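Review bot: With `reload` and `m` removed, SSL_use_certificate_ASN1 still passes `len` (an `int`) and `d` straight to `d2i_X509(NULL, d, len)` with no guard; a check such as `if (!d || len <= 0)` before the call would stop a negative or zero length from reaching the copy that this commit's ssl_pm.c hunk sizes as `ssl_malloc(len + 1)`, assuming d2i_X509 leads there. The remainder of the function, including its failure return, is outside the hunk, so the exact error path to take is not visible here.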

+ 15 - 13
components/openssl/platform/ssl_pm.c

@@ -112,7 +112,7 @@ int ssl_pm_new(SSL *ssl)
     else
         version = MBEDTLS_SSL_MINOR_VERSION_0;
 
-    mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
+    //mbedtls_ssl_conf_max_version(&ssl_pm->conf, MBEDTLS_SSL_MAJOR_VERSION_3, version);
 
     mbedtls_ssl_conf_rng(&ssl_pm->conf, mbedtls_ctr_drbg_random, &ssl_pm->ctr_drbg);
 
@@ -169,7 +169,7 @@ static int ssl_pm_reload_crt(SSL *ssl)
     if (ssl->verify_mode == SSL_VERIFY_PEER)
         mode = MBEDTLS_SSL_VERIFY_REQUIRED;
     else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-        mode = MBEDTLS_SSL_VERIFY_NONE;
+        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
     else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
         mode = MBEDTLS_SSL_VERIFY_UNSET;
     else
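Review bot: Mapping `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` to `MBEDTLS_SSL_VERIFY_OPTIONAL` inverts the OpenSSL meaning: in OpenSSL that flag makes a server abort the handshake when the client presents no certificate, whereas mbedTLS OPTIONAL lets the handshake complete even when verification fails, so the new line should either map to `MBEDTLS_SSL_VERIFY_REQUIRED` or carry a comment explaining the intended semantics. The `==` chain also cannot handle combined flags: if the SSL_VERIFY_* constants keep OpenSSL's bit values (not visible here), the idiomatic `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` matches none of the three comparisons and reaches the else branch outside the hunk, whatever mode that selects. Testing `ssl->verify_mode & SSL_VERIFY_PEER` first would cover the combination. ssl_pm_reload_crt continues past both ends of the hunk.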
@@ -370,7 +370,7 @@ int x509_pm_new(X509 *x, X509 *m_x)
 
     x509_pm = ssl_zalloc(sizeof(struct x509_pm));
     if (!x509_pm)
-        SSL_RET(failed1);
+        SSL_RET(failed1, "ssl_zalloc\n");
 
     x->x509_pm = x509_pm;
 
@@ -408,27 +408,28 @@ int x509_pm_load(X509 *x, const unsigned char *buffer, int len)
     struct x509_pm *x509_pm = (struct x509_pm *)x->x509_pm;
 
     if (!x509_pm->x509_crt) {
-        x509_pm->x509_crt = ssl_malloc(sizeof(mbedtls_x509_crt));
+        x509_pm->x509_crt = ssl_zalloc(sizeof(mbedtls_x509_crt));
         if (!x509_pm->x509_crt)
-            SSL_RET(failed1);
+            SSL_RET(failed1, "ssl_zalloc\n");
     }
 
     load_buf = ssl_malloc(len + 1);
     if (!load_buf)
-        SSL_RET(failed2);
+        SSL_RET(failed2, "ssl_malloc\n");
 
     ssl_memcpy(load_buf, buffer, len);
     load_buf[len] = '\0';
 
+	mbedtls_x509_crt_init(x509_pm->x509_crt);
+
     if (x509_pm->x509_crt)
         mbedtls_x509_crt_free(x509_pm->x509_crt);
 
-    mbedtls_x509_crt_init(x509_pm->x509_crt);
     ret = mbedtls_x509_crt_parse(x509_pm->x509_crt, load_buf, len);
     ssl_free(load_buf);
 
     if (ret)
-        SSL_RET(failed2);
+        SSL_RET(failed2, "mbedtls_x509_crt_parse, return [-0x%x]\n", -ret);
 
     return 0;
 
@@ -480,27 +481,28 @@ int pkey_pm_load(EVP_PKEY *pk, const unsigned char *buffer, int len)
     struct pkey_pm *pkey_pm = (struct pkey_pm *)pk->pkey_pm;
 
     if (!pkey_pm->pkey) {
-        pkey_pm->pkey = ssl_malloc(sizeof(mbedtls_pk_context));
+        pkey_pm->pkey = ssl_zalloc(sizeof(mbedtls_pk_context));
         if (!pkey_pm->pkey)
-            SSL_RET(failed1);
+            SSL_RET(failed1, "ssl_zalloc\n");
     }
 
     load_buf = ssl_malloc(len + 1);
     if (!load_buf)
-        SSL_RET(failed2);
+        SSL_RET(failed2, "ssl_malloc\n");
 
     ssl_memcpy(load_buf, buffer, len);
     load_buf[len] = '\0';
 
+    mbedtls_pk_init(pkey_pm->pkey);
+
     if (pkey_pm->pkey)
         mbedtls_pk_free(pkey_pm->pkey);
 
-    mbedtls_pk_init(pkey_pm->pkey);
     ret = mbedtls_pk_parse_key(pkey_pm->pkey, load_buf, len, NULL, 0);
     ssl_free(load_buf);
 
     if (ret)
-        SSL_RET(failed2);
+        SSL_RET(failed2, "mbedtls_pk_parse_key, return [-0x%x]\n", -ret);
 
     return 0;