Support MBEDTLS 3 (#1374)

* Support MBEDTLS 3

* mbedTLS 2 & 3 support (incl. System libs)

Co-authored-by: Markus <16664240+Paulchen-Panther@users.noreply.github.com>

Author: Lord-Grey

cmake/Findmbedtls.cmake

@@ -7,9 +7,16 @@ find_library(MBEDTLS_CRYPTO_LIBRARY mbedcrypto)
 set(MBEDTLS_LIBRARIES ${MBEDTLS_SSL_LIBRARY} ${MBEDTLS_X509_LIBRARY} ${MBEDTLS_CRYPTO_LIBRARY})
 set(MBEDTLS_LIBRARIES ${MBEDTLS_LIBRARIES} PARENT_SCOPE)
 
-if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
-    file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _MBEDTLS_VERSION_STRING REGEX "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
-    string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*" "\\1" MBEDTLS_VERSION "${_MBEDTLS_VERSION_STRING}")
+if (MBEDTLS_INCLUDE_DIR)
+    if (EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+        file(STRINGS ${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h _MBEDTLS_VERSION_LINE REGEX "^#define[ \t]+MBEDTLS_VERSION_STRING[\t ].*")
+        string(REGEX REPLACE ".*MBEDTLS_VERSION_STRING[\t ]+\"(.*)\"" "\\1" MBEDTLS_VERSION ${_MBEDTLS_VERSION_LINE})
+        set (MBEDTLS_VERSION ${MBEDTLS_VERSION} PARENT_SCOPE)
+    elseif(EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
+        file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _MBEDTLS_VERSION_STRING REGEX "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
+        string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*" "\\1" MBEDTLS_VERSION "${_MBEDTLS_VERSION_STRING}")
+        set (MBEDTLS_VERSION ${MBEDTLS_VERSION} PARENT_SCOPE)
+    endif()
 endif ()
 
 if (MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES AND MBEDTLS_VERSION)
@@ -20,10 +27,11 @@ if (MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES AND MBEDTLS_VERSION)
         REQUIRED_VARS
                 MBEDTLS_INCLUDE_DIR
                 MBEDTLS_LIBRARIES
+
         VERSION_VAR
                 MBEDTLS_VERSION
     )
 
-    mark_as_advanced (MBEDTLS_INCLUDE_DIR MBEDTLS_LIBRARIES MBEDTLS_SSL_LIBRARY MBEDTLS_X509_LIBRARY MBEDTLS_CRYPTO_LIBRARY)
+    mark_as_advanced (MBEDTLS_INCLUDE_DIR MBEDTLS_LIBRARIES MBEDTLS_SSL_LIBRARY MBEDTLS_X509_LIBRARY MBEDTLS_CRYPTO_LIBRARY MBEDTLS_VERSION)
 
 endif (MBEDTLS_INCLUDE_DIR AND MBEDTLS_LIBRARIES AND MBEDTLS_VERSION)

dependencies/CMakeLists-mbedtls.txt.in

@@ -14,7 +14,7 @@ include(ExternalProject)
 ExternalProject_Add(
         mbedtls
         GIT_REPOSITORY        "https://github.com/ARMmbed/mbedtls.git"
-        GIT_TAG               "v2.27.0" # Latest 2.x Version
+        GIT_TAG               origin/master
         BUILD_ALWAYS          OFF
         DOWNLOAD_DIR          "${DOWNLOAD_DIR}"
         SOURCE_DIR            "${SOURCE_DIR}"

dependencies/CMakeLists.txt

@@ -241,7 +241,7 @@ if (NOT USE_SYSTEM_MBEDTLS_LIBS)
 		FetchContent_Declare(
 			mbedtls
 			GIT_REPOSITORY        https://github.com/ARMmbed/mbedtls.git
-			GIT_TAG               "v2.27.0" # Latest 2.x Version
+			GIT_TAG               origin/master
 			BUILD_ALWAYS          OFF
 			GIT_PROGRESS          1
 			DOWNLOAD_DIR          "${MBEDTLS_DOWNLOAD_DIR}"
@@ -286,10 +286,18 @@ if (NOT USE_SYSTEM_MBEDTLS_LIBS)
 
 	set (MBEDTLS_INCLUDE_DIR "${MBEDTLS_SOURCE_DIR}/include")
 	set (MBEDTLS_INCLUDE_DIR ${MBEDTLS_INCLUDE_DIR} PARENT_SCOPE)
-	if (MBEDTLS_INCLUDE_DIR AND EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
-		file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _MBEDTLS_VERSION_STRING REGEX "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
-		string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*" "\\1" MBEDTLS_VERSION "${_MBEDTLS_VERSION_STRING}")
-		message(STATUS "Using static mbedtls libraries (build version \"${MBEDTLS_VERSION}\")")
+	if (MBEDTLS_INCLUDE_DIR)
+		if (EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h")
+			file(STRINGS ${MBEDTLS_INCLUDE_DIR}/mbedtls/build_info.h _MBEDTLS_VERSION_LINE REGEX "^#define[ \t]+MBEDTLS_VERSION_STRING[\t ].*")
+			string(REGEX REPLACE ".*MBEDTLS_VERSION_STRING[\t ]+\"(.*)\"" "\\1" MBEDTLS_VERSION ${_MBEDTLS_VERSION_LINE})
+			set (MBEDTLS_VERSION ${MBEDTLS_VERSION} PARENT_SCOPE)
+			message(STATUS "Using static mbedtls libraries (build version \"${MBEDTLS_VERSION}\")")
+		elseif(EXISTS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h")
+			file(STRINGS "${MBEDTLS_INCLUDE_DIR}/mbedtls/version.h" _MBEDTLS_VERSION_STRING REGEX "^#[\t ]*define[\t ]+MBEDTLS_VERSION_STRING[\t ]+\"[0-9]+.[0-9]+.[0-9]+\"")
+			string(REGEX REPLACE "^.*MBEDTLS_VERSION_STRING.*([0-9]+.[0-9]+.[0-9]+).*" "\\1" MBEDTLS_VERSION "${_MBEDTLS_VERSION_STRING}")
+			set (MBEDTLS_VERSION ${MBEDTLS_VERSION} PARENT_SCOPE)
+			message(STATUS "Using static mbedtls libraries (build version \"${MBEDTLS_VERSION}\")")
+		endif()
 	endif ()
 
 	include_directories(${MBEDTLS_INCLUDE_DIR})

include/grabber/EncoderThread.h

@@ -135,7 +135,7 @@ class EncoderThreadManager : public QObject
 		for (int i = 0; i < _threadCount; i++)
 		{
 			_threads[i] = new Thread<EncoderThread>(new EncoderThread, this);
-			_threads[i]->setObjectName("Encoder " + i);
+			_threads[i]->setObjectName("Encoder " + QString::number(i));
 		}
 	}
 

libsrc/leddevice/CMakeLists.txt

@@ -70,6 +70,7 @@ SET( Leddevice_SOURCES
 FILE ( WRITE "${CMAKE_BINARY_DIR}/LedDevice_headers.h" "#pragma once\n\n//this file is autogenerated, don't touch it\n\n" )
 FILE ( WRITE "${CMAKE_BINARY_DIR}/LedDevice_register.cpp" "//this file is autogenerated, don't touch it\n\n" )
 FOREACH( f ${Leddevice_SOURCES} )
+	# MESSAGE (STATUS "Add led device: ${f}")
 	if ( "${f}" MATCHES "dev_.*/Led.evice.+h$" )
 		GET_FILENAME_COMPONENT(fname ${f} NAME)
 		FILE ( APPEND "${CMAKE_BINARY_DIR}/LedDevice_headers.h" "#include \"${fname}\"\n" )
@@ -86,7 +87,7 @@ target_link_libraries(leddevice
 	hyperion-utils
 	${CMAKE_THREAD_LIBS_INIT}
 	Qt${QT_VERSION_MAJOR}::Network
-	Qt${QT_VERSION_MAJOR}::SerialPort	
+	Qt${QT_VERSION_MAJOR}::SerialPort
 	ssdp
 )
 
@@ -117,3 +118,8 @@ if (NOT DEFAULT_USE_SYSTEM_MBEDTLS_LIBS)
 		target_include_directories(leddevice PRIVATE ${MBEDTLS_INCLUDE_DIR})
 	endif (MBEDTLS_LIBRARIES)
 endif ()
+
+string(REGEX MATCH "[0-9]+|-([A-Za-z0-9_.]+)" MBEDTLS_MAJOR ${MBEDTLS_VERSION})
+if (MBEDTLS_MAJOR EQUAL "3")
+	target_compile_definitions(leddevice PRIVATE USE_MBEDTLS3)
+endif()

libsrc/leddevice/dev_net/ProviderUdpSSL.cpp

@@ -2,6 +2,7 @@
 // STL includes
 #include <cstdio>
 #include <exception>
+#include <algorithm>
 
 // Linux includes
 #include <fcntl.h>
@@ -11,7 +12,6 @@
 
 // Local Hyperion includes
 #include "ProviderUdpSSL.h"
-#include <utils/QStringUtils.h>
 
 const int MAX_RETRY = 5;
 const ushort MAX_PORT_SSL = 65535;
@@ -22,6 +22,7 @@ ProviderUdpSSL::ProviderUdpSSL(const QJsonObject &deviceConfig)
 	, entropy()
 	, ssl()
 	, conf()
+	, cacert()
 	, ctr_drbg()
 	, timer()
 	, _transport_type("DTLS")
@@ -246,42 +247,42 @@ bool ProviderUdpSSL::initConnection()
 
 bool ProviderUdpSSL::seedingRNG()
 {
-	sslLog("Seeding the random number generator...");
+	sslLog( "Seeding the random number generator..." );
 
 	mbedtls_entropy_init(&entropy);
 
-	sslLog("Set mbedtls_ctr_drbg_seed...");
+	sslLog( "Set mbedtls_ctr_drbg_seed..." );
 
 	QByteArray customDataArray = _custom.toLocal8Bit();
 	const char* customData = customDataArray.constData();
 
 	int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func,
-		&entropy, reinterpret_cast<const unsigned char*>(customData),
-		std::min(strlen(customData), (size_t)MBEDTLS_CTR_DRBG_MAX_SEED_INPUT));
+		                            &entropy, reinterpret_cast<const unsigned char*>(customData),
+		                            std::min(strlen(customData), (size_t)MBEDTLS_CTR_DRBG_MAX_SEED_INPUT));
 
 	if (ret != 0)
 	{
-		sslLog(QString("mbedtls_ctr_drbg_seed FAILED %1").arg(errorMsg(ret)), "error");
+		sslLog( QString("mbedtls_ctr_drbg_seed FAILED %1").arg( errorMsg( ret ) ), "error" );
 		return false;
 	}
 
-	sslLog("Seeding the random number generator...ok");
+	sslLog( "Seeding the random number generator...ok" );
 
 	return true;
 }
 
 bool ProviderUdpSSL::setupStructure()
 {
-	int ret = 0;
-
 	sslLog( QString( "Setting up the %1 structure").arg( _transport_type ) );
 
 	//TLS  MBEDTLS_SSL_TRANSPORT_STREAM
 	//DTLS MBEDTLS_SSL_TRANSPORT_DATAGRAM
 
 	int transport = ( _transport_type == "DTLS" ) ? MBEDTLS_SSL_TRANSPORT_DATAGRAM : MBEDTLS_SSL_TRANSPORT_STREAM;
 
-	if ((ret = mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, transport, MBEDTLS_SSL_PRESET_DEFAULT)) != 0)
+	int ret = mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, transport, MBEDTLS_SSL_PRESET_DEFAULT);
+
+	if (ret != 0)
 	{
 		sslLog( QString("mbedtls_ssl_config_defaults FAILED %1").arg( errorMsg( ret ) ), "error" );
 		return false;
@@ -291,21 +292,18 @@ bool ProviderUdpSSL::setupStructure()
 
 	if( _debugStreamer )
 	{
-		int s = ( sizeof( ciphersuites ) ) / sizeof( int );
-
 		QString cipher_values;
-		for(int i=0; i<s; i++)
+		for(int i=0; ciphersuites != nullptr && ciphersuites[i] != 0; i++)
 		{
-			if(i > 0) cipher_values.append(", ");
+			if (i > 0)
+				cipher_values.append(", ");
 			cipher_values.append(QString::number(ciphersuites[i]));
 		}
 
 		sslLog( ( QString("used ciphersuites value: %1").arg( cipher_values ) ) );
 	}
 
 	mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_REQUIRED);
-	//mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
-	//mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_NONE);
 	mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
 
 	mbedtls_ssl_conf_ciphersuites(&conf, ciphersuites);
@@ -343,15 +341,15 @@ bool ProviderUdpSSL::startUPDConnection()
 {
 	sslLog( "init SSL Network -> startUPDConnection" );
 
-	int ret = 0;
-
 	mbedtls_ssl_session_reset(&ssl);
 
 	if(!setupPSK()) return false;
 
 	sslLog( QString("Connecting to udp %1:%2").arg( _address.toString() ).arg( _ssl_port ) );
 
-	if ((ret = mbedtls_net_connect( &client_fd, _address.toString().toUtf8(), std::to_string(_ssl_port).c_str(), MBEDTLS_NET_PROTO_UDP)) != 0)
+	int ret = mbedtls_net_connect(&client_fd, _address.toString().toUtf8(), std::to_string(_ssl_port).c_str(), MBEDTLS_NET_PROTO_UDP);
+
+	if (ret != 0)
 	{
 		sslLog( QString("mbedtls_net_connect FAILED %1").arg( errorMsg( ret ) ), "error" );
 		return false;
@@ -367,15 +365,19 @@ bool ProviderUdpSSL::startUPDConnection()
 
 bool ProviderUdpSSL::setupPSK()
 {
-	int ret;
-
 	QByteArray pskArray = _psk.toUtf8();
 	QByteArray pskRawArray = QByteArray::fromHex(pskArray);
 
 	QByteArray pskIdArray = _psk_identity.toUtf8();
 	QByteArray pskIdRawArray = pskIdArray;
 
-	if (0 != (ret = mbedtls_ssl_conf_psk( &conf, ( const unsigned char* ) pskRawArray.data(), pskRawArray.length() * sizeof(char), reinterpret_cast<const unsigned char *> ( pskIdRawArray.data() ), pskIdRawArray.length() * sizeof(char) ) ) )
+	int ret = mbedtls_ssl_conf_psk( &conf,
+									reinterpret_cast<const unsigned char*> (pskRawArray.constData()),
+									pskRawArray.length() * sizeof(char),
+									reinterpret_cast<const unsigned char*> (pskIdRawArray.constData()),
+									pskIdRawArray.length() * sizeof(char));
+
+	if (ret != 0)
 	{
 		sslLog( QString("mbedtls_ssl_conf_psk FAILED %1").arg( errorMsg( ret ) ), "error" );
 		return false;
@@ -460,9 +462,12 @@ void ProviderUdpSSL::freeSSLConnection()
 	}
 }
 
-void ProviderUdpSSL::writeBytes(unsigned size, const unsigned char * data)
+void ProviderUdpSSL::writeBytes(unsigned int size, const uint8_t* data)
 {
-	if( _stopConnection ) return;
+	if ( _stopConnection )
+	{
+		return;
+	}
 
 	QMutexLocker locker(&_hueMutex);
 
@@ -526,6 +531,46 @@ QString ProviderUdpSSL::errorMsg(int ret) {
 #else
 	switch (ret)
 	{
+#if defined(MBEDTLS_ERR_SSL_DECODE_ERROR)
+	case MBEDTLS_ERR_SSL_DECODE_ERROR:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_DECODE_ERROR -0x7300";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER)
+	case MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER -0x6600";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE)
+	case MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE -0x6E00";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION)
+	case MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION -0x6E80";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_BAD_CERTIFICATE)
+	case MBEDTLS_ERR_SSL_BAD_CERTIFICATE:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_BAD_CERTIFICATE -0x7A00";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME)
+	case MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_UNRECOGNIZED_NAME -0x7800";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION)
+	case MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION -0x7500";
+		break;
+#endif
+#if defined(MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL)
+	case MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL:
+		msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_NO_APPLICATION_PROTOCOL -0x7580";
+		break;
+#endif
 #if defined(MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE)
 		case MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE:
 			msg = "The requested feature is not available. - MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -0x7080";
@@ -822,3 +867,40 @@ void ProviderUdpSSL::closeSSLNotify()
 
 	sslLog( "SSL Connection successful closed" );
 }
+
+void ProviderUdpSSL::ProviderUdpSSLDebug(void* ctx, int level, const char* file, int line, const char* str)
+{
+	const char* p, * basename;
+	(void)ctx;
+	/* Extract basename from file */
+	for (p = basename = file; *p != '\0'; p++)
+	{
+		if (*p == '/' || *p == '\\')
+		{
+			basename = p + 1;
+		}
+	}
+	mbedtls_printf("%s:%04d: |%d| %s", basename, line, level, str);
+}
+
+int ProviderUdpSSL::ProviderUdpSSLVerify(void* data, mbedtls_x509_crt* crt, int depth, uint32_t* flags)
+{
+	const uint32_t buf_size = 1024;
+	char* buf = new char[buf_size];
+	(void)data;
+
+	mbedtls_printf("\nVerifying certificate at depth %d:\n", depth);
+	mbedtls_x509_crt_info(buf, buf_size - 1, "  ", crt);
+	mbedtls_printf("%s", buf);
+
+	if (*flags == 0)
+		mbedtls_printf("No verification issue for this certificate\n");
+	else
+	{
+		mbedtls_x509_crt_verify_info(buf, buf_size, "  ! ", *flags);
+		mbedtls_printf("%s\n", buf);
+	}
+
+	delete[] buf;
+	return 0;
+}