Migrate to LibSSH-ESP32 (#22)

Author: buglloc

.gitmodules

@@ -1,6 +1,3 @@
-[submodule "components/wolfssl"]
-	path = components/wolfssl
-	url = https://github.com/buglloc/wolfssl-idf.git
-[submodule "components/wolfssh"]
-	path = components/wolfssh
-	url = https://github.com/buglloc/wolfssh-idf.git
+[submodule "components/LibSSH-ESP32"]
+	path = components/LibSSH-ESP32
+	url = https://github.com/buglloc/LibSSH-ESP32.git

CMakeLists.txt

@@ -3,8 +3,6 @@
 # The following five lines of boilerplate have to be in your project's
 # CMakeLists in this exact order for cmake to work correctly
 cmake_minimum_required(VERSION 3.5)
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
-set(CMAKE_CXX_FLAGS "${CMAKE_C_FLAGS} -DWOLFSSL_USER_SETTINGS")
 
 include($ENV{IDF_PATH}/tools/cmake/project.cmake)
 project(BoundBoxESP)

components/LibSSH-ESP32

@@ -5,6 +5,6 @@ SRCS
   "src/hex.cc"
 INCLUDE_DIRS
   "include"
-REQUIRES
-  wolfssl
+PRIV_REQUIRES
+  mbedtls
 )

components/blob/CMakeLists.txt

@@ -2,12 +2,14 @@
 
 #include <expected>
 
-#include "wolfssl_init.h"
-#include <wolfssl/wolfcrypt/hmac.h>
 
 #include "bytes.h"
 #include "errors.h"
 
+// fwd
+struct mbedtls_md_context_t;
+
+
 namespace Blob
 {
   enum class HashType: uint8_t
@@ -18,26 +20,19 @@ namespace Blob
     SHA512,
   };
 
-  struct HKDFConfig
-  {
-    const Blob::Bytes& Key;
-    const Blob::Bytes& Salt;
-    Blob::HashType HashType = HashType::SHA256;
-  };
-
-  std::expected<Bytes, Error> HMACSum(const Blob::Bytes& key, const Blob::Bytes& msg, HashType hashType = HashType::SHA256);
-  std::expected<Bytes, Error> HKDF(const Blob::Bytes& info, size_t outLen, const HKDFConfig& cfg);
-
   class HMAC
   {
   public:
     explicit HMAC(const Blob::Bytes& key, HashType type = HashType::SHA256);
     Error Write(const Blob::Bytes& data);
     std::expected<Blob::Bytes, Error> Sum();
-
     ~HMAC();
+
+  public:
+    static std::expected<Bytes, Error> Sum(const Blob::Bytes& key, const Blob::Bytes& msg, HashType hashType = HashType::SHA256);
+
   private:
     Error err = Error::None;
-    Hmac ctx;
+    mbedtls_md_context_t* ctx = nullptr;
   };
 }

components/blob/include/blob/hash.h

@@ -1,124 +1,111 @@
 #include "blob/hash.h"
-#include "blob/wolfssl_init.h"
 
 #include <expected>
 
 
-namespace Blob
+#include <mbedtls/md.h>
+
+
+using namespace Blob;
+
+HMAC::HMAC(const Bytes& key, HashType hashType)
 {
-  std::expected<Bytes, Error> HMACSum(const Bytes& key, const Bytes& msg, HashType type)
-  {
-    HMAC hmac(key, type);
-    Error err = hmac.Write(msg);
-    if (err != Error::None) {
-      return std::unexpected<Error>(err);
-    }
-
-    return hmac.Sum();
+  const mbedtls_md_info_t* mdInfo = nullptr;
+  switch (hashType) {
+  case HashType::SHA1:
+    mdInfo = mbedtls_md_info_from_type(MBEDTLS_MD_SHA1);
+    break;
+  case HashType::SHA256:
+    mdInfo = mbedtls_md_info_from_type(MBEDTLS_MD_SHA256);
+    break;
+  case HashType::SHA512:
+    mdInfo = mbedtls_md_info_from_type(MBEDTLS_MD_SHA512);
+    break;
+  default:
+    err = Error::Unsupported;
+    return;
   }
 
-  std::expected<Bytes, Error> HKDF(const Bytes& key, const Bytes& salt, const Bytes& info, size_t outLen, HashType hashType = HashType::SHA256)
-  {
-    int wcType;
-    switch (hashType)
-    {
-    case HashType::SHA1:
-      wcType = WC_SHA;
-      break;
-    case HashType::SHA256:
-      wcType = WC_SHA256;
-      break;
-    case HashType::SHA512:
-      wcType = WC_SHA512;
-      break;
-
-    default:
-      return std::unexpected<Error>{Error::Unsupported};
-    }
-
-    Bytes out(outLen, '\xff');
-    int ret = wc_HKDF(wcType, key.c_str(), key.size(), salt.c_str(), salt.size(), info.c_str(), info.size(), out.data(), outLen);
-    if (ret != 0) {
-      return std::unexpected<Error>{Error::ShitHappens};
-    }
-
-    return out;
+  if (mdInfo == nullptr) {
+    err = Error::Unsupported;
+    return;
   }
 
-  HMAC::HMAC(const Bytes& key, HashType hashType)
-  {
-    int wcType;
-    switch (hashType)
-    {
-    case HashType::SHA1:
-      wcType = WC_SHA;
-      break;
-    case HashType::SHA256:
-      wcType = WC_SHA256;
-      break;
-    case HashType::SHA512:
-      wcType = WC_SHA512;
-      break;
-
-    default:
-      err = Error::Unsupported;
-      return;
-    }
-
-    int ret = wc_HmacInit(&ctx, nullptr, INVALID_DEVID);
-    if (ret != 0) {
-      err = Error::InitFailed;
-      return;
-    }
-
-    ret = wc_HmacSetKey(&ctx, wcType, key.c_str(), key.size());
-    if (ret != 0) {
-      err = Error::InvalidKey;
-      wc_HmacFree(&ctx);
-      return;
-    }
+  ctx = static_cast<mbedtls_md_context_t*>(malloc(sizeof(mbedtls_md_context_t)));
+  if (ctx == nullptr) {
+    err = Error::ShitHappens;
+    return;
   }
 
-  Error HMAC::Write(const Bytes& data)
-  {
-    if (err != Error::None) {
-      return err;
-    }
+  mbedtls_md_init(ctx);
+  int rc = mbedtls_md_setup(ctx, mdInfo, 1);
+  if (rc != 0) {
+    mbedtls_md_free(ctx);
+    free(ctx);
+    err = Error::InitFailed;
+    return;
+  }
 
-    int ret = wc_HmacUpdate(&ctx, data.c_str(), data.size());
-    if (ret != 0) {
-      return Error::ShitHappens;
-    }
+  rc = mbedtls_md_hmac_starts(ctx, key.c_str(), key.size());
+  if (rc != 0) {
+    mbedtls_md_free(ctx);
+    free(ctx);
+    err = Error::InitFailed;
+    return;
+  }
+}
 
-    return Error::None;
+Error HMAC::Write(const Bytes& data)
+{
+  if (err != Error::None) {
+    return err;
   }
 
-  std::expected<Bytes, Error> HMAC::Sum()
-  {
-    if (err != Error::None) {
-      return std::unexpected<Error>{err};
-    }
+  if (mbedtls_md_hmac_update(ctx, data.c_str(), data.length())) {
+    return Error::ShitHappens;
+  }
 
-    size_t hashLen = wc_HmacSizeByType(ctx.macType);
-    if (hashLen <= 0) {
-      return std::unexpected<Error>{Error::ShitHappens};
-    }
+  return Error::None;
+}
 
-    Bytes out(hashLen, '\xff');
-    int ret = wc_HmacFinal(&ctx, out.data());
-    if (ret != 0) {
-      return std::unexpected<Error>{Error::ShitHappens};
-    }
+std::expected<Bytes, Error> HMAC::Sum()
+{
+  if (err != Error::None) {
+    return std::unexpected<Error>{err};
+  }
 
-    return out;
+  size_t hashLen = static_cast<size_t>(mbedtls_md_get_size(mbedtls_md_info_from_ctx(ctx)));
+  if (hashLen == 0) {
+    return std::unexpected<Error>{Error::ShitHappens};
   }
 
-  HMAC::~HMAC()
-  {
-    if (err != Error::None) {
-      return;
-    }
+  Bytes out(hashLen, '\xff');
+  int ret = mbedtls_md_hmac_finish(ctx, out.data());
+  if (ret != 0) {
+    return std::unexpected<Error>{Error::ShitHappens};
+  }
+
+  return out;
+}
+
+HMAC::~HMAC()
+{
+  if (ctx == nullptr) {
+    return;
+  }
+
+  mbedtls_md_free(ctx);
+  free(ctx);
+  ctx = nullptr;
+}
 
-    wc_HmacFree(&ctx);
+std::expected<Bytes, Error> HMAC::Sum(const Bytes& key, const Bytes& msg, HashType type)
+{
+  HMAC hmac(key, type);
+  Error err = hmac.Write(msg);
+  if (err != Error::None) {
+    return std::unexpected<Error>(err);
   }
+
+  return hmac.Sum();
 }

components/blob/include/blob/wolfssl_init.h

@@ -1,13 +1,14 @@
 idf_component_register(
 SRCS
-  "src/auth.cc"
+  "src/auth_provider.cc"
+  "src/keyring.cc"
   "src/keys.cc"
   "src/server.cc"
   "src/stream.cc"
 INCLUDE_DIRS
   "include"
 REQUIRES
-  blob
+  blob LibSSH-ESP32
 PRIV_REQUIRES
-  wolfssh wolfssl lwip defer
+  lwip defer
 )

components/blob/src/hash.cc

@@ -18,6 +18,14 @@ menu "SSH"
     int "Stream buf size"
     default 4096
 
+  config SSH_STREAM_POLL_TIMEOUT
+    int "Stream buf size"
+    default 100
+
+  config SSH_STREAM_READ_TIMEOUT
+    int "Stream buf size"
+    default 5000
+
   config SSH_CHANNEL_INITIAL_WINDOW
     int "Channel initial window"
     default 1024
@@ -26,4 +34,8 @@ menu "SSH"
     int "Channel max packet size"
     default 32768
 
+  config SSH_AUTH_RETRIES
+    int "Auth retries"
+    default 10
+
 endmenu

components/ssh/CMakeLists.txt

@@ -5,7 +5,10 @@
 #include <expected>
 
 #include <blob/bytes.h>
+
 #include "common.h"
+#include "keyring.h"
+
 
 namespace SSH
 {
@@ -31,11 +34,11 @@ namespace SSH
   public:
     AuthProvider() = default;
     Error Initialize(const ServerConfig& cfg);
-    bool Authenticate(const std::string_view user, const Blob::Bytes& key) const;
+    bool Authenticate(const std::string_view user, const ssh_key key) const;
     UserRole Role(const std::string_view user) const;
 
   private:
     std::string rootUser;
-    std::vector<std::string> rootFingerprints;
+    Keyring rootKeyring;
   };
-}
+}

components/ssh/Kconfig

@@ -2,6 +2,9 @@
 
 #include <stdint.h>
 
+#include "libssh_esp.h"
+
+
 
 namespace SSH
 {
@@ -10,16 +13,19 @@ namespace SSH
     None = 0,
     MalformedKey,
     Unsupported,
+    InvalidState,
     Internal,
     ShitHappens
   };
 
   enum class ListenError: uint8_t
   {
     None = 0,
-    Sock,
     Bind,
+    Listen,
     Accept,
+    Auth,
+    Internal,
     Unsupported,
     ShitHappens
   };