Add support for MbedTLS to libnetconf2 #485

Merged
merged 54 commits into from
May 14, 2024
54 commits
4282a08
cmake UPDATE add findlibmedtls module
Apr 4, 2024
6d3cf69
cmake UPDATE compile using libmedtls
Apr 4, 2024
57ac689
session mbedtls UPDATE add mbedtls wrapper
Apr 4, 2024
5da7d06
session openssl UPDATE add openssl wrapper
Apr 4, 2024
f69d366
config UPDATE add HAVE_LIBMEDTLS macro
Apr 5, 2024
08ee21e
session wrapper UPDATE add wrapper header
Apr 5, 2024
54a6429
session wrapper UPDATE add crl cert ext fetch wrap
Apr 5, 2024
1babaf2
session UPDATE wrap session_p
Apr 5, 2024
b921104
io UPDATE wrap TLS
Apr 5, 2024
0fb5626
server config UPDATE wrap TLS
Apr 5, 2024
d2862f2
session config util UPDATE wrap TLS
Apr 5, 2024
6ab8862
session UPDATE wrap TLS
Apr 5, 2024
a6b55f4
session client UPDATE wrap TLS
Apr 5, 2024
20f067d
session client tls UPDATE wrap TLS
Apr 5, 2024
0e44ecf
session server UPDATE wrap TLS
Apr 5, 2024
d1c38a6
session server ssh UPDATE wrap TLS
Apr 5, 2024
366666b
session server tls UPDATE wrap TLS
Apr 5, 2024
a9177eb
session REFACTOR format sources
Apr 5, 2024
38d3ea4
session UPDATE rename transport implementations
Apr 11, 2024
823f0fc
session server tls UPDATE refactor wraps
Apr 15, 2024
d2828c8
cmake UPDATE mbedtls/openssl compilation
Apr 23, 2024
ef72e00
session mbedtls UPDATE reworked everything
Apr 23, 2024
7c6a185
session openssl UPDATE reworked everything
Apr 23, 2024
ed0dd53
session wrapper UPDATE add wrapper docs
Apr 23, 2024
267c0fc
io UPDATE rename wrapped function
Apr 23, 2024
2c39656
session server UPDATE reflect wrapper changes
Apr 23, 2024
1adb980
session client tls UPDATE reflect wrapper changes
Apr 23, 2024
73e8211
session UPDATE reflect wrapper changes
Apr 23, 2024
5751a1f
server config util UPDATE reflect wrapper changes
Apr 23, 2024
4ce1d46
test crl UPDATE adjust seeked message
Apr 23, 2024
2d77268
session server tls UPDATE return instead of goto
Apr 25, 2024
5052b81
tests UPDATE use new transport names
Apr 25, 2024
3da5d96
session server tls BUGFIX fix spaces in key type
Apr 25, 2024
b10b62a
session mbedtls BUGFIX fix return NULL on fail
Apr 25, 2024
c300f47
session wrapper UPDATE add includes
Apr 25, 2024
e6ab5b8
server config util UPDATE key format handling
Apr 26, 2024
8726489
session wrapper UPDATE add file desc to new files
May 13, 2024
ef2c117
session client tls UPDATE remove ctx assignment
May 13, 2024
9278147
session mbedtls UPDATE remove unused includes
May 13, 2024
206239d
session wrapper REFACTOR use void when no params
May 13, 2024
fda7d7b
session mbedtls BUGFIX fix cert memory leak
May 13, 2024
1c4f415
session mbedtls BUGFIX fix double & nonnull free
May 13, 2024
2f9d764
session wrapper UPDATE add docs
May 13, 2024
8b3f577
session wrapper UPDATE tls verify callback
May 13, 2024
1687361
ci UPDATE add mbedtls test runs
May 13, 2024
2d47f61
cmake UPDATE improve FindMbedTLS module
May 13, 2024
999eb95
server config UPDATE clarify ca/ee certs auth
May 13, 2024
e64c2cc
session wrapper BUGFIX account for no ssh/tls
May 13, 2024
2b9ce8c
session wrapper UPDATE store client cert in sess
May 14, 2024
f99eb74
cmake UPDATE rename mbedtls include dir var
May 14, 2024
afdf6cd
session wrapper REFACTOR add doxygen to static fns
May 14, 2024
cacf66d
session mbedtls REFACTOR divide crl dist point fn
May 14, 2024
97fec8b
cmake UPDATE set mbedtls min version to 3.5.0
May 14, 2024
e458cb5
readme UPDATE mention mbedtls in requirements
May 14, 2024
66 changes: 62 additions & 4 deletions .github/workflows/ci.yml
Expand Up @@ -37,12 +37,26 @@ jobs:
matrix:
config:
- {
name: "Release, gcc",
name: "Release, gcc, OpenSSL",
os: "ubuntu-22.04",
build-type: "Release",
dep-build-type: "Release",
cc: "gcc",
options: "-DENABLE_TESTS=ON -DENABLE_DNSSEC=ON",
tls-lib: "OpenSSL",
packages: "",
snaps: "",
make-prepend: "",
make-target: ""
}
- {
name: "Release, gcc, MbedTLS",
os: "ubuntu-22.04",
build-type: "Release",
dep-build-type: "Release",
cc: "gcc",
options: "-DENABLE_TESTS=ON -DENABLE_DNSSEC=ON",
tls-lib: "MbedTLS",
packages: "",
snaps: "",
make-prepend: "",
Expand All @@ -55,18 +69,33 @@ jobs:
dep-build-type: "Release",
cc: "clang",
options: "-DENABLE_TESTS=ON -DENABLE_DNSSEC=ON",
tls-lib: "OpenSSL",
packages: "",
snaps: "",
make-prepend: "",
make-target: ""
}
- {
name: "Debug, gcc",
name: "Debug, gcc, OpenSSL",
os: "ubuntu-22.04",
build-type: "Debug",
dep-build-type: "Release",
cc: "gcc",
options: "-DENABLE_DNSSEC=ON",
tls-lib: "OpenSSL",
packages: "valgrind",
snaps: "",
make-prepend: "",
make-target: ""
}
- {
name: "Debug, gcc, MbedTLS",
os: "ubuntu-22.04",
build-type: "Debug",
dep-build-type: "Release",
cc: "gcc",
options: "-DENABLE_DNSSEC=ON",
tls-lib: "MbedTLS",
packages: "valgrind",
snaps: "",
make-prepend: "",
Expand All @@ -79,6 +108,7 @@ jobs:
dep-build-type: "Release",
cc: "clang",
options: "-DENABLE_DNSSEC=ON",
tls-lib: "OpenSSL",
# no valgrind because it does not support DWARF5 yet generated by clang 14
packages: "",
snaps: "",
Expand All @@ -92,18 +122,33 @@ jobs:
dep-build-type: "Release",
cc: "gcc",
options: "-DENABLE_SSH_TLS=OFF",
tls-lib: "",
packages: "valgrind",
snaps: "",
make-prepend: "",
make-target: ""
}
- {
name: "ASAN and UBSAN",
name: "ASAN and UBSAN, OpenSSL",
os: "ubuntu-22.04",
build-type: "Debug",
dep-build-type: "Release",
cc: "clang",
options: "-DCMAKE_C_FLAGS=-fsanitize=address,undefined -DENABLE_VALGRIND_TESTS=OFF",
tls-lib: "OpenSSL",
packages: "",
snaps: "",
make-prepend: "",
make-target: ""
}
- {
name: "ASAN and UBSAN, MbedTLS",
os: "ubuntu-22.04",
build-type: "Debug",
dep-build-type: "Release",
cc: "clang",
options: "-DCMAKE_C_FLAGS=-fsanitize=address,undefined -DENABLE_VALGRIND_TESTS=OFF",
tls-lib: "MbedTLS",
packages: "",
snaps: "",
make-prepend: "",
Expand All @@ -116,6 +161,7 @@ jobs:
dep-build-type: "Debug",
cc: "gcc",
options: "",
tls-lib: "OpenSSL",
packages: "abi-dumper abi-compliance-checker snap",
snaps: "core universal-ctags",
make-prepend: "",
Expand Down Expand Up @@ -145,7 +191,7 @@ jobs:
CC=${{ matrix.config.cc }} cmake ..
make
sudo make install
if: ${{ matrix.config.name == 'Debug, gcc' }}
if: ${{ matrix.config.name == 'Debug, gcc, OpenSSL' || matrix.config.name == 'Debug, gcc, MbedTLS' }}

- name: Deps-libyang
shell: bash
Expand All @@ -167,6 +213,18 @@ jobs:
make -j2
sudo make install

- name: Deps-MbedTLS
shell: bash
run: |
git clone -b mbedtls-3.5.2 https://github.com/Mbed-TLS/mbedtls.git
cd mbedtls
mkdir build
cd build
CC=${{ matrix.config.cc }} cmake -DUSE_SHARED_MBEDTLS_LIBRARY=On -DENABLE_TESTING=Off ..
make -j2
sudo make install
if: ${{ matrix.config.tls-lib == 'MbedTLS' }}

- name: Configure
shell: bash
working-directory: ${{ github.workspace }}
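Review bot: The Deps-MbedTLS step fetches the TLS back-end by tag, `git clone -b mbedtls-3.5.2 https://github.com/Mbed-TLS/mbedtls.git`, and a tag is a movable ref, so the library that ends up under test is not reproducible from the workflow alone and a retargeted tag would be picked up without any signal in CI. Pin the checkout to a commit id instead, for example clone with `--depth 1` and follow it with `git -C mbedtls rev-parse HEAD` compared against a recorded `<EXPECTED_MBEDTLS_COMMIT>` placeholder, failing the step on mismatch. The Deps-libyang step and the step that precedes it start outside this section, so I cannot tell whether they pin by commit either; if they use the same tag-or-branch pattern the same note applies. Separately, the guard `if: ${{ matrix.config.name == 'Debug, gcc, OpenSSL' || matrix.config.name == 'Debug, gcc, MbedTLS' }}` keys on display names that this very commit had to rename; a dedicated matrix field (the new `tls-lib` shows the pattern) would survive the next rename.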
30 changes: 24 additions & 6 deletions CMakeLists.txt
Expand Up @@ -210,8 +210,10 @@ endif()
# use compat
use_compat()

# netconf2 target
add_library(netconf2 ${libsrc} ${compatsrc})
# netconf2 sourceless target - need it for linking libs, but the required sources will be added later
add_library(netconf2)

# set the shared library version
set_target_properties(netconf2 PROPERTIES VERSION ${LIBNETCONF2_SOVERSION_FULL} SOVERSION ${LIBNETCONF2_SOVERSION})

# include repository files with highest priority
Expand All @@ -231,10 +233,23 @@ check_include_file("shadow.h" HAVE_SHADOW)
check_include_file("termios.h" HAVE_TERMIOS)

if(ENABLE_SSH_TLS)
# dependencies - openssl
find_package(OpenSSL 3.0.0 REQUIRED)
target_link_libraries(netconf2 ${OPENSSL_LIBRARIES})
include_directories(${OPENSSL_INCLUDE_DIR})
# dependencies - mbedTLS (higher preference) or OpenSSL
find_package(MbedTLS 3.5.0)
if (MBEDTLS_FOUND)
# dependencies - mbedtls
set(HAVE_MBEDTLS TRUE)
list(APPEND libsrc src/session_mbedtls.c)
include_directories(${MBEDTLS_INCLUDE_DIRS})
target_link_libraries(netconf2 ${MBEDTLS_LIBRARIES})
list(APPEND CMAKE_REQUIRED_LIBRARIES ${MBEDTLS_LIBRARIES})
else()
# dependencies - openssl
find_package(OpenSSL 3.0.0 REQUIRED)
list(APPEND libsrc src/session_openssl.c)
include_directories(${OPENSSL_INCLUDE_DIR})
target_link_libraries(netconf2 ${OPENSSL_LIBRARIES})
list(APPEND CMAKE_REQUIRED_LIBRARIES ${OPENSSL_LIBRARIES})
endif()

# dependencies - libssh
find_package(LibSSH 0.9.5 REQUIRED)
Expand Down Expand Up @@ -301,6 +316,9 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "QNX")
list(REMOVE_ITEM CMAKE_REQUIRED_DEFINITIONS -D_QNX_SOURCE)
endif()

# set sources
target_sources(netconf2 PRIVATE ${libsrc} ${compatsrc})

# generate config file
configure_file("${PROJECT_SOURCE_DIR}/src/config.h.in" "${PROJECT_BINARY_DIR}/src/config.h" ESCAPE_QUOTES @ONLY)

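Review bot: The TLS back-end is selected implicitly by whatever happens to be installed: `find_package(MbedTLS 3.5.0)` is not REQUIRED and a miss falls through to OpenSSL with no configure-time message, so the same tree can link a different TLS library on two hosts and a missing or too-old MbedTLS is never reported as such. Consider gating the branch on an explicit cache option (a constructed example: `option(ENABLE_MBEDTLS "Use MbedTLS instead of OpenSSL as the TLS back-end" OFF)` with `find_package(MbedTLS 3.5.0 REQUIRED)` inside it) plus a `message(STATUS ...)` naming the back-end that was chosen, so the choice is deliberate and visible in the configure log. The new lines also keep the keyword-less `target_link_libraries(netconf2 ${MBEDTLS_LIBRARIES})` and the directory-scoped `include_directories(${MBEDTLS_INCLUDE_DIRS})` of the replaced OpenSSL lines; adding a visibility keyword and using `target_include_directories(netconf2 ...)` would keep the usage requirements on the target rather than leaking the include path to every target defined afterwards. Minor: `if (MBEDTLS_FOUND)` has a space before the parenthesis unlike the surrounding `if(...)` calls, and the enclosing `if(ENABLE_SSH_TLS)` block ends outside the hunk.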
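--- /dev/null
+++ b/CMakeModules/FindMbedTLS.cmake
@@ -0,0 +1,110 @@
+# - Try to find MbedTLS
+# Once done this will define
+#
+# MBEDTLS_FOUND - MbedTLS was found
+# MBEDTLS_INCLUDE_DIRS - MbedTLS include directories
+# MBEDTLS_LIBRARIES - link these to use MbedTLS
+# MBEDTLS_VERSION - version of MbedTLS
+#
+# Author Roman Janota <[email protected]>
+# Copyright (c) 2024 CESNET, z.s.p.o.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+# 3. The name of the author may not be used to endorse or promote products
+# derived from this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+include(FindPackageHandleStandardArgs)
+
+if(MBEDTLS_LIBRARIES AND MBEDTLS_INCLUDE_DIRS)
+# in cache already
+set(MBEDTLS_FOUND TRUE)
+else()
+find_path(MBEDTLS_INCLUDE_DIR
+NAMES
+mbedtls/ssl.h
+PATHS
+/opt/local/include
+/sw/include
+${CMAKE_INCLUDE_PATH}
+${CMAKE_INSTALL_PREFIX}/include
+)
+
+find_library(MBEDTLS_LIBRARY
+NAMES
+libmbedtls.so
+PATHS
+/usr/lib
+/usr/lib64
+/opt/local/lib
+/sw/lib
+${CMAKE_LIBRARY_PATH}
+${CMAKE_INSTALL_PREFIX}/lib
+)
+
+find_library(MBEDX509_LIBRARY
+NAMES
+libmbedx509.so
+PATHS
+/usr/lib
+/usr/lib64
+/opt/local/lib
+/sw/lib
+${CMAKE_LIBRARY_PATH}
+${CMAKE_INSTALL_PREFIX}/lib
+)
+
+find_library(MBEDCRYPTO_LIBRARY
+NAMES
+libmbedcrypto.so
+PATHS
+/usr/lib
+/usr/lib64
+/opt/local/lib
+/sw/lib
+${CMAKE_LIBRARY_PATH}
+${CMAKE_INSTALL_PREFIX}/lib
+)
+
+if(MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARY AND MBEDX509_LIBRARY AND MBEDCRYPTO_LIBRARY)
+# learn MbedTLS version
+if(EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h" MBEDTLS_VERSION
+REGEX "#define[ \t]+MBEDTLS_VERSION_STRING[ \t]+\"([0-9]+\.[0-9]+\.[0-9]+)\"")
+string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" MBEDTLS_VERSION ${MBEDTLS_VERSION})
+endif()
+if(NOT MBEDTLS_VERSION)
+message(STATUS "MBEDTLS_VERSION not found, assuming MbedTLS is too old and cannot be used!")
+set(MBEDTLS_INCLUDE_DIR "MBEDTLS_INCLUDE_DIR-NOTFOUND")
+set(MBEDTLS_LIBRARY "MBEDTLS_LIBRARY-NOTFOUND")
+endif()
+endif()
+
+set(MBEDTLS_INCLUDE_DIRS ${MBEDTLS_INCLUDE_DIR})
+set(MBEDTLS_LIBRARIES ${MBEDTLS_LIBRARY} ${MBEDX509_LIBRARY} ${MBEDCRYPTO_LIBRARY})
+
+find_package_handle_standard_args(MbedTLS FOUND_VAR MBEDTLS_FOUND
+REQUIRED_VARS MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES
+VERSION_VAR MBEDTLS_VERSION)
+
+# show the MBEDTLS_INCLUDE_DIR and MBEDTLS_LIBRARIES variables only in the advanced view
+mark_as_advanced(MBEDTLS_INCLUDE_DIRS MBEDTLS_LIBRARIES)
+endif()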
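Review bot: `string(REGEX MATCH "[0-9]+\\.[0-9]+\\.[0-9]+" MBEDTLS_VERSION ${MBEDTLS_VERSION})` expands its input unquoted, so when the preceding `file(STRINGS ... REGEX ...)` matched nothing the command runs with no input argument at all, which I believe CMake rejects as an argument-count error rather than returning an empty match; the graceful "assuming MbedTLS is too old" path just below would then never be reached, and quoting the input as `"${MBEDTLS_VERSION}"` keeps it a single, possibly empty, argument. The shortcut `if(MBEDTLS_LIBRARIES AND MBEDTLS_INCLUDE_DIRS)` sets MBEDTLS_FOUND without computing MBEDTLS_VERSION or calling find_package_handle_standard_args; since this module only ever sets those two as normal variables (the `mark_as_advanced` on them has no effect), the branch is reached when the caller supplies them on the command line, and in that case the `find_package(MbedTLS 3.5.0)` minimum the project relies on is not enforced, so either drop the shortcut or run the version probe and the standard-args check on that path too. The `NAMES libmbedtls.so` form, repeated for the x509 and crypto libraries, hard-codes the shared-object suffix, so a static build or a non-Linux installation is never found; `NAMES mbedtls` lets find_library apply the platform prefixes and suffixes. Finally, the `REGEX` given to file(STRINGS) writes `\.` where the later match writes `\\.`; CMake reduces the former to a bare `.`, which still matches but is looser than intended, and the two patterns should agree.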
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -64,7 +64,7 @@ the `distro` directory.
* crypt(3)
* [libyang](https://github.com/CESNET/libyang)
* libssh >= 0.9.5 (for SSH support)
* OpenSSL >= 3.0.0 (for TLS support)
* OpenSSL >= 3.0.0 or MbedTLS >= 3.5.0 (for TLS support)
* curl >= 7.30.0

#### Optional
5 changes: 5 additions & 0 deletions src/config.h.in
Expand Up @@ -44,6 +44,11 @@
*/
#cmakedefine HAVE_LIBPAM

/*
* Use MbedTLS as TLS back-end
*/
#cmakedefine HAVE_MBEDTLS

/*
* Location of installed YANG modules on the system
*/