Feature: ssl abstraction (#1999)

Sming now supports different SSL adapters. At the moment we support axTLS and BearSSL. Switching between the different adapters is very easy. For example the Basic_Ssl example can be compiled to use Bearssl using the following command: ``` make ENABLE_SSL=Bearssl ``` See Basic_Ssl and HttpServer_ConfigNetwork samples. NOTICE: This PR introduces breaking changes. Make sure to read the migration guide: https://sming.readthedocs.io/en/latest/upgrading/4.0-4.1.html
SmingHub · Jan 3, 2020 · 41d03e8 · 41d03e8
1 parent 0491784
commit 41d03e8
Show file tree

Hide file tree

Showing 116 changed files with 5,188 additions and 1,341 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -48,10 +48,14 @@
 	path = Sming/Arch/Esp8266/Components/driver/new-pwm
 	url = https://github.com/StefanBruens/ESP8266_new_pwm.git
 	ignore = dirty
-[submodule "ESP8266.axtls-8266"]
+[submodule "ESP8266.axtls"]
 	path = Sming/Components/axtls-8266/axtls-8266
 	url = https://github.com/igrr/axtls-8266.git
 	ignore = dirty
+[submodule "ESP8266.bearssl"]
+	path = Sming/Components/bearssl-esp8266/bearssl
+	url = https://github.com/earlephilhower/bearssl-esp8266
+	ignore = dirty
 [submodule "ESP8266.umm_malloc"]
 	path = Sming/Arch/Esp8266/Components/heap/umm_malloc
 	url = https://github.com/rhempel/umm_malloc.git

diff --git a/README.md b/README.md
@@ -60,7 +60,7 @@ Please note Version 4 documentation is at [sming.readthedocs.io](https://sming.r
     * Async TCP and UDP stack based on [LWIP](http://savannah.nongnu.org/projects/lwip/).
     * With clients supporting: HTTP, MQTT, WebSockets and SMTP.
     * And servers for: DNS, FTP, HTTP(+ WebSockets), Telnet.
-    * With SSL support for all network clients and servers based on [axTLS 2.1+](https://github.com/igrr/axtls-8266) with [Lwirax](https://github.com/attachix/lwirax/).
+    * With [SSL support](https://sming.readthedocs.io/en/latest/framework/core/network/ssl.html) for all network clients and servers. Based on [axTLS](http://axtls.sourceforge.net/) and [BearSSL](https://www.bearssl.org/).
     * Out of the box support for OTA over HTTPS.
 * ESP8266 specific features.
     * Integrated boot loader [rboot](https://sming.readthedocs.io/en/latest/_inc/Sming/Components/rboot/index.html) with support for 1MB ROMs, OTA firmware updating and ROM switching.

diff --git a/Sming/Arch/Host/Components/lwip/lwipopts.h b/Sming/Arch/Host/Components/lwip/lwipopts.h
@@ -348,6 +348,7 @@
 #define LWIP_LISTEN_BACKLOG             0
 #define TCP_QUEUE_OOSEQ                 0
 #define LWIP_TCP_KEEPALIVE              1
+#define TCP_MSS                         1390
 
 /*
    ----------------------------------

diff --git a/Sming/Components/axtls-8266/axtls-8266 b/Sming/Components/axtls-8266/axtls-8266
diff --git a/Sming/Components/axtls-8266/axtls-8266.patch b/Sming/Components/axtls-8266/axtls-8266.patch
@@ -154,7 +154,7 @@ index 4972119..da75839 100644
      return 0;
  }
 diff --git a/ssl/os_port.h b/ssl/os_port.h
-index e0b9e46..268512e 100644
+index e0b9e46..ea246ae 100644
 --- a/ssl/os_port.h
 +++ b/ssl/os_port.h
 @@ -43,7 +43,12 @@ extern "C" {
@@ -171,9 +171,12 @@ index e0b9e46..268512e 100644
 
  #ifdef WIN32
  #define STDCALL                 __stdcall
-@@ -62,12 +67,11 @@ extern "C" {
+@@ -60,14 +65,13 @@ extern "C" {
 
- #include "util/time.h"
+ #if defined(ESP8266)
+
+-#include "util/time.h"
++#include "../util/time.h"
  #include <errno.h>
 +#ifndef alloca
  #define alloca(size) __builtin_alloca(size)
@@ -295,7 +298,7 @@ index e0b9e46..268512e 100644
  EXP_FUNC int STDCALL ax_open(const char *pathname, int flags); 
 
 diff --git a/ssl/tls1.c b/ssl/tls1.c
-index 10b592c..be0fc29 100644
+index 8f0fbfb..be0fc29 100644
 --- a/ssl/tls1.c
 +++ b/ssl/tls1.c
 @@ -1368,6 +1368,10 @@ int basic_read(SSL *ssl, uint8_t **in_data)
@@ -309,25 +312,6 @@ index 10b592c..be0fc29 100644
      if (IS_SET_SSL_FLAG(SSL_SENT_CLOSE_NOTIFY))
          return SSL_CLOSE_NOTIFY;
 
-@@ -1426,6 +1430,9 @@ int basic_read(SSL *ssl, uint8_t **in_data)
-             goto error;
-         }
-
-+        memcpy(ssl->hmac_header, buf, 3);       /* store for hmac */
-+        ssl->record_type = buf[0];
-+
-         /* is the allocated buffer large enough to handle all the data? if not, increase its size*/
-         if (ssl->need_bytes > ssl->max_plain_length+RT_EXTRA-BM_RECORD_OFFSET)
-         {
-@@ -1439,8 +1446,6 @@ int basic_read(SSL *ssl, uint8_t **in_data)
-         }
-
-         CLR_SSL_FLAG(SSL_NEED_RECORD);
--        memcpy(ssl->hmac_header, buf, 3);       /* store for hmac */
--        ssl->record_type = buf[0];
-         goto error;                         /* no error, we're done */
-     }
-
 diff --git a/tools/make_certs.sh b/tools/make_certs.sh
 index fc6cc90..3113355 100644
 --- a/tools/make_certs.sh
@@ -676,4 +660,31 @@ index d90b093..f18fbd5 100644
 +            m_putc((num <= 9) ? (num + '0') : (num + 'A' - 10));
          }
      }  
+
+diff --git a/ssl/crypto_misc.h b/ssl/crypto_misc.h
+index 02d9306..191d605 100644
+--- a/ssl/crypto_misc.h
++++ b/ssl/crypto_misc.h
+@@ -39,8 +39,8 @@
+ extern "C" {
+ #endif
+
+-#include "crypto.h"
+-#include "bigint.h"
++#include "../crypto/crypto.h"
++#include "../crypto/bigint.h"
+
+ /**************************************************************************
+  * X509 declarations 
+diff --git a/ssl/tls1.h b/ssl/tls1.h
+index dac63b9..f35a942 100644
+--- a/ssl/tls1.h
++++ b/ssl/tls1.h
+@@ -44,7 +44,6 @@ extern "C" {
+ #include "config.h"
+ #include "os_int.h"
+ #include "os_port.h"
+-#include "crypto.h"
+ #include "crypto_misc.h"
 
+ #define SSL_PROTOCOL_MIN_VERSION    0x31   /* TLS v1.0 */
diff --git a/Sming/Components/axtls-8266/component.mk b/Sming/Components/axtls-8266/component.mk
@@ -1,10 +1,6 @@
-COMPONENT_VARS			:= SSL_DEBUG
-SSL_DEBUG				?= 0
-
 COMPONENT_SUBMODULES	:= axtls-8266
 
 COMPONENT_SRCDIRS := \
-	axtls-8266/compat \
 	axtls-8266/crypto \
 	axtls-8266/ssl
 
@@ -13,26 +9,12 @@ COMPONENT_SRCDIRS += \
 	axtls-8266/replacements
 endif
 
-COMPONENT_INCDIRS := \
-	. \
+COMPONENT_INCDIRS := .
+
+EXTRA_INCDIR := \
 	axtls-8266 \
 	axtls-8266/ssl \
 	axtls-8266/crypto
 
 GLOBAL_CFLAGS			+= -DLWIP_RAW=1
 COMPONENT_CFLAGS		:= -DWITH_PGM_READ_HELPER=1 -DAXTLS_BUILD
-ifeq ($(SSL_DEBUG),1)
-	COMPONENT_CFLAGS	+= -DAXL_DEBUG=1
-	GLOBAL_CFLAGS += -DSSL_DEBUG=1
-endif
-
-# Application
-CUSTOM_TARGETS			+= include/ssl/private_key.h
-
-AXTLS_PATH				:= $(COMPONENT_PATH)/axtls-8266
-
-include/ssl/private_key.h:
-	$(info Generating unique certificate and key. This may take some time...)
-	$(Q) mkdir -p $(PROJECT_DIR)/include/ssl/
-	$(Q) chmod a+x $(AXTLS_PATH)/tools/make_certs.sh
-	AXDIR=$(PROJECT_DIR)/include/ssl/ $(AXTLS_PATH)/tools/make_certs.sh