Update mbedtls to 2.5.1 (cuberite#3964)

* Renaming changes:
  * macro prefix "POLARSSL" -> "MBEDTLS"
  * functions now prefixed with "mbedtls_"
  * rename PolarSSL++ -> mbedTLS++
  * rename polarssl submodule

* Use mbedtls' AES-CFB8 implementation.

* Add cSslConfig to wrap mbedtls_ssl_config

* Update cTCPLink and cBlockingSslClientSocket to use cSslConfig

* Use cSslConfig in cHTTPServer

* Use cSslConfig for cMojangAPI::SecureRequest

* CI Fixes

* Set -fomit-frame-pointer on the right target

.gitmodules

@@ -7,9 +7,9 @@
 [submodule "Server/Plugins/ChatLog"]
 	path = Server/Plugins/ChatLog
 	url = https://github.com/cuberite/ChatLog.git
-[submodule "lib/polarssl"]
-	path = lib/polarssl
-	url = https://github.com/cuberite/polarssl.git
+[submodule "lib/mbedtls"]
+	path = lib/mbedtls
+	url = https://github.com/ARMmbed/mbedtls.git
 	ignore = dirty
 [submodule "lib/SQLiteCpp"]
 	path = lib/SQLiteCpp

CMakeLists.txt

@@ -1,4 +1,4 @@
-# This is the top-level CMakeLists.txt file for the Cuberite project
+# This is the top-level CMakeLists.txt file for the Cuberite project
 #
 # Use CMake to generate the build files for your platform
 #
@@ -209,8 +209,8 @@ link_directories(lib/jsoncpp/src/lib_json)
 if (NOT EXISTS ${PROJECT_SOURCE_DIR}/lib/SQLiteCpp/CMakeLists.txt)
 	message(FATAL_ERROR "SQLiteCpp is missing in folder lib/SQLiteCpp. Have you initialized the submodules / downloaded the extra libraries?")
 endif()
-if (NOT EXISTS ${PROJECT_SOURCE_DIR}/lib/polarssl/CMakeLists.txt)
-	message(FATAL_ERROR "PolarSSL is missing in folder lib/polarssl. Have you initialized the submodules / downloaded the extra libraries?")
+if (NOT EXISTS ${PROJECT_SOURCE_DIR}/lib/mbedtls/CMakeLists.txt)
+	message(FATAL_ERROR "mbedTLS is missing in folder lib/mbedtls. Have you initialized the submodules / downloaded the extra libraries?")
 endif()
 if (NOT EXISTS ${PROJECT_SOURCE_DIR}/lib/libevent/CMakeLists.txt)
 	message(FATAL_ERROR "LibEvent is missing in folder lib/libevent. Have you initialized and updated the submodules / downloaded the extra libraries?")
@@ -274,13 +274,13 @@ if (WIN32)
 endif()
 
 # We use EXCLUDE_FROM_ALL so that only the explicit dependencies are used
-# (PolarSSL also has test and example programs in their CMakeLists.txt, we don't want those)
-include(lib/polarssl.cmake EXCLUDE_FROM_ALL)
+# (mbedTLS also has test and example programs in their CMakeLists.txt, we don't want those)
+include(lib/mbedtls.cmake EXCLUDE_FROM_ALL)
 
 if(NOT MSVC AND "${CMAKE_SYSTEM_PROCESSOR}" MATCHES "arm")
-	# mbed TLS uses the frame pointer's register in inline assembly:
+	# mbed TLS uses the frame pointer's register in inline assembly for its bignum implementation:
 	# https://tls.mbed.org/kb/development/arm-thumb-error-r7-cannot-be-used-in-asm-here
-	target_compile_options(mbedtls PUBLIC -fomit-frame-pointer)
+	target_compile_options(mbedcrypto PRIVATE -fomit-frame-pointer)
 endif()
 
 set_exe_flags()
@@ -302,7 +302,9 @@ if (MSVC)
 		jsoncpp_lib_static
 		lua
 		luaexpat
+		mbedcrypto
 		mbedtls
+		mbedx509
 		sqlite
 		SQLiteCpp
 		tolualib

Tools/ProtoProxy/CMakeLists.txt

@@ -8,7 +8,7 @@ set_lib_flags()
 
 # Set include paths to the used libraries:
 include_directories(SYSTEM "../../lib")
-include_directories(SYSTEM "../../lib/polarssl/include")
+include_directories(SYSTEM "../../lib/mbedtls/include")
 include_directories("../../src")
 
 function(flatten_files arg1)
@@ -20,7 +20,7 @@ function(flatten_files arg1)
 	set(${arg1} "${res}" PARENT_SCOPE)
 endfunction()
 
-include(../../lib/polarssl.cmake)
+include(../../lib/mbedtls.cmake)
 add_subdirectory(../../lib/zlib ${CMAKE_CURRENT_BINARY_DIR}/${CMAKE_FILES_DIRECTORY}/lib/zlib)
 
 set_exe_flags()
@@ -30,25 +30,25 @@ set(SHARED_SRC
 	../../src/ByteBuffer.cpp
 	../../src/StringUtils.cpp
 	../../src/UUID.cpp
-	../../src/PolarSSL++/AesCfb128Decryptor.cpp
-	../../src/PolarSSL++/AesCfb128Encryptor.cpp
-	../../src/PolarSSL++/CryptoKey.cpp
-	../../src/PolarSSL++/CtrDrbgContext.cpp
-	../../src/PolarSSL++/EntropyContext.cpp
-	../../src/PolarSSL++/RsaPrivateKey.cpp
+	../../src/mbedTLS++/AesCfb128Decryptor.cpp
+	../../src/mbedTLS++/AesCfb128Encryptor.cpp
+	../../src/mbedTLS++/CryptoKey.cpp
+	../../src/mbedTLS++/CtrDrbgContext.cpp
+	../../src/mbedTLS++/EntropyContext.cpp
+	../../src/mbedTLS++/RsaPrivateKey.cpp
 	../../src/LoggerListeners.cpp
 	../../src/Logger.cpp
 )
 set(SHARED_HDR
 	../../src/ByteBuffer.h
 	../../src/StringUtils.h
 	../../src/UUID.h
-	../../src/PolarSSL++/AesCfb128Decryptor.h
-	../../src/PolarSSL++/AesCfb128Encryptor.h
-	../../src/PolarSSL++/CryptoKey.h
-	../../src/PolarSSL++/CtrDrbgContext.h
-	../../src/PolarSSL++/EntropyContext.h
-	../../src/PolarSSL++/RsaPrivateKey.h
+	../../src/mbedTLS++/AesCfb128Decryptor.h
+	../../src/mbedTLS++/AesCfb128Encryptor.h
+	../../src/mbedTLS++/CryptoKey.h
+	../../src/mbedTLS++/CtrDrbgContext.h
+	../../src/mbedTLS++/EntropyContext.h
+	../../src/mbedTLS++/RsaPrivateKey.h
 )
 set(SHARED_OSS_SRC
 	../../src/OSSupport/CriticalSection.cpp

Tools/ProtoProxy/Connection.cpp

@@ -1,4 +1,4 @@
-
+
 // Connection.cpp
 
 // Interfaces to the cConnection class representing a single pair of connected sockets
@@ -7,7 +7,7 @@
 #include "Connection.h"
 #include "Server.h"
 #include <iostream>
-#include "PolarSSL++/CryptoKey.h"
+#include "mbedTLS++/CryptoKey.h"
 #include "../../src/Logger.h"
 
 #ifdef _WIN32

Tools/ProtoProxy/Connection.h

@@ -1,4 +1,4 @@
-
+
 // Connection.h
 
 // Interfaces to the cConnection class representing a single pair of connected sockets
@@ -10,8 +10,8 @@
 #pragma once
 
 #include "ByteBuffer.h"
-#include "PolarSSL++/AesCfb128Decryptor.h"
-#include "PolarSSL++/AesCfb128Encryptor.h"
+#include "mbedTLS++/AesCfb128Decryptor.h"
+#include "mbedTLS++/AesCfb128Encryptor.h"
 
 
 

Tools/ProtoProxy/Server.h

@@ -1,4 +1,4 @@
-
+
 // Server.h
 
 // Interfaces to the cServer class encapsulating the entire "server"
@@ -9,7 +9,7 @@
 
 #pragma once
 
-#include "PolarSSL++/RsaPrivateKey.h"
+#include "mbedTLS++/RsaPrivateKey.h"
 
 
 

lib/polarssl.cmake → lib/mbedtls.cmake

@@ -1,10 +1,10 @@
-
+
 # This script includes PolarSSL, if not already included.
 # It is needed for when multiple projects reference PolarSSL.
 
 if(NOT TARGET mbedtls)
-	message("including polarssl")
+	message("including mbedtls")
 	set(ENABLE_TESTING OFF CACHE BOOL "Disable tests")
 	set(ENABLE_PROGRAMS OFF CACHE BOOL "Disable programs")
-	add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/polarssl/ ${CMAKE_CURRENT_BINARY_DIR}/lib/polarssl EXCLUDE_FROM_ALL)
+	add_subdirectory(${CMAKE_CURRENT_LIST_DIR}/mbedtls/ ${CMAKE_CURRENT_BINARY_DIR}/lib/mbedtls EXCLUDE_FROM_ALL)
 endif()

src/Bindings/LuaTCPLink.cpp

@@ -6,8 +6,8 @@
 #include "Globals.h"
 #include "LuaTCPLink.h"
 #include "LuaServerHandle.h"
-#include "../PolarSSL++/X509Cert.h"
-#include "../PolarSSL++/CryptoKey.h"
+#include "../mbedTLS++/X509Cert.h"
+#include "../mbedTLS++/CryptoKey.h"
 
 
 

src/Bindings/ManualBindings.cpp

@@ -1,13 +1,13 @@
-
+
 #include "Globals.h"  // NOTE: MSVC stupidness requires this to be the same across all modules
 
 #include "ManualBindings.h"
 #undef TOLUA_TEMPLATE_BIND
 #include <sstream>
 #include <iomanip>
 #include "tolua++/include/tolua++.h"
-#include "polarssl/md5.h"
-#include "polarssl/sha1.h"
+#include "mbedtls/md5.h"
+#include "mbedtls/sha1.h"
 #include "PluginLua.h"
 #include "PluginManager.h"
 #include "LuaWindow.h"
@@ -1838,7 +1838,7 @@ static int tolua_md5(lua_State * tolua_S)
 	{
 		return 0;
 	}
-	md5(SourceString, len, Output);
+	mbedtls_md5(SourceString, len, Output);
 	lua_pushlstring(tolua_S, reinterpret_cast<const char *>(Output), ARRAYCOUNT(Output));
 	return 1;
 }
@@ -1869,7 +1869,7 @@ static int tolua_md5HexString(lua_State * tolua_S)
 	{
 		return 0;
 	}
-	md5(SourceString, len, md5Output);
+	mbedtls_md5(SourceString, len, md5Output);
 
 	// Convert the md5 checksum to hex string:
 	std::stringstream Output;
@@ -1896,7 +1896,7 @@ static int tolua_sha1(lua_State * tolua_S)
 	{
 		return 0;
 	}
-	sha1(SourceString, len, Output);
+	mbedtls_sha1(SourceString, len, Output);
 	lua_pushlstring(tolua_S, reinterpret_cast<const char *>(Output), ARRAYCOUNT(Output));
 	return 1;
 }
@@ -1915,7 +1915,7 @@ static int tolua_sha1HexString(lua_State * tolua_S)
 	{
 		return 0;
 	}
-	sha1(SourceString, len, sha1Output);
+	mbedtls_sha1(SourceString, len, sha1Output);
 
 	// Convert the sha1 checksum to hex string:
 	std::stringstream Output;

src/CMakeLists.txt

@@ -1,13 +1,13 @@
-project (Cuberite)
+project (Cuberite)
 
 
 include_directories (SYSTEM "${CMAKE_CURRENT_SOURCE_DIR}/../lib/")
 include_directories (SYSTEM "${CMAKE_CURRENT_SOURCE_DIR}/../lib/jsoncpp/include")
-include_directories (SYSTEM "${CMAKE_CURRENT_SOURCE_DIR}/../lib/polarssl/include")
+include_directories (SYSTEM "${CMAKE_CURRENT_SOURCE_DIR}/../lib/mbedtls/include")
 include_directories (SYSTEM "${CMAKE_CURRENT_SOURCE_DIR}/../lib/libevent/include")
 
 set(FOLDERS
-	OSSupport HTTP Items Blocks Protocol Generating PolarSSL++ Bindings
+	OSSupport HTTP Items Blocks Protocol Generating mbedTLS++ Bindings
 	WorldStorage Mobs Entities Simulator Simulator/IncrementalRedstoneSimulator
 	BlockEntities UI Noise
 )
@@ -177,7 +177,7 @@ endif()
 if (NOT MSVC)
 	# Bindings need to reference other folders, so they are done here instead
 	# lib dependencies are not included
-	include_directories ("${CMAKE_CURRENT_SOURCE_DIR}/../lib/polarssl/include")
+	include_directories ("${CMAKE_CURRENT_SOURCE_DIR}/../lib/mbedtls/include")
 
 	foreach(folder ${FOLDERS})
 		add_subdirectory(${folder})
@@ -349,7 +349,7 @@ if (NOT MSVC)
 		OSSupport HTTPServer Bindings Items Blocks Noise
 		Protocol Generating WorldStorage
 		Mobs Entities Simulator IncrementalRedstoneSimulator
-		BlockEntities UI PolarSSL++
+		BlockEntities UI mbedTLS++
 	)
 endif ()
 

src/ClientHandle.cpp

@@ -1,4 +1,4 @@
-#include "Globals.h"  // NOTE: MSVC stupidness requires this to be the same across all modules
+#include "Globals.h"  // NOTE: MSVC stupidness requires this to be the same across all modules
 
 #include "ClientHandle.h"
 #include "Server.h"
@@ -33,7 +33,7 @@
 #include "CompositeChat.h"
 #include "Items/ItemSword.h"
 
-#include "polarssl/md5.h"
+#include "mbedtls/md5.h"
 
 
 

src/HTTP/HTTPServer.cpp

@@ -1,4 +1,4 @@
-
+
 // HTTPServer.cpp
 
 // Implements the cHTTPServer class representing a HTTP webserver that uses cListenThread and cSocketThreads for processing
@@ -9,6 +9,7 @@
 #include "HTTPServerConnection.h"
 #include "HTTPFormParser.h"
 #include "SslHTTPServerConnection.h"
+#include "mbedTLS++/SslConfig.h"
 
 
 
@@ -88,17 +89,23 @@ bool cHTTPServer::Initialize(void)
 	AString KeyFile  = cFile::ReadWholeFile("webadmin/httpskey.pem");
 	if (!CertFile.empty() && !KeyFile.empty())
 	{
-		m_Cert.reset(new cX509Cert);
-		int res = m_Cert->Parse(CertFile.data(), CertFile.size());
+		auto Cert = std::make_shared<cX509Cert>();
+		int res = Cert->Parse(CertFile.data(), CertFile.size());
 		if (res == 0)
 		{
-			m_CertPrivKey.reset(new cCryptoKey);
-			int res2 = m_CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), "");
-			if (res2 != 0)
+			auto CertPrivKey = std::make_shared<cCryptoKey>();
+			res = CertPrivKey->ParsePrivate(KeyFile.data(), KeyFile.size(), "");
+			if (res == 0)
+			{
+				// Modifyable locally but otherwise must be const
+				auto Config = cSslConfig::MakeDefaultConfig(false);
+				Config->SetOwnCert(Cert, CertPrivKey);
+				m_SslConfig = std::move(Config);
+			}
+			else
 			{
 				// Reading the private key failed, reset the cert:
-				LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res2);
-				m_Cert.reset();
+				LOGWARNING("WebServer: Cannot read HTTPS certificate private key: -0x%x", -res);
 			}
 		}
 		else
@@ -108,7 +115,7 @@ bool cHTTPServer::Initialize(void)
 	}
 
 	// Notify the admin about the HTTPS / HTTP status
-	if (m_Cert.get() == nullptr)
+	if (m_SslConfig == nullptr)
 	{
 		LOGWARNING("WebServer: The server will run in unsecured HTTP mode.");
 		LOGINFO("Put a valid HTTPS certificate in file 'webadmin/httpscert.crt' and its corresponding private key to 'webadmin/httpskey.pem' (without any password) to enable HTTPS support");
@@ -184,9 +191,9 @@ cTCPLink::cCallbacksPtr cHTTPServer::OnIncomingConnection(const AString & a_Remo
 	UNUSED(a_RemoteIPAddress);
 	UNUSED(a_RemotePort);
 
-	if (m_Cert.get() != nullptr)
+	if (m_SslConfig != nullptr)
 	{
-		return std::make_shared<cSslHTTPServerConnection>(*this, m_Cert, m_CertPrivKey);
+		return std::make_shared<cSslHTTPServerConnection>(*this, m_SslConfig);
 	}
 	else
 	{

src/HTTP/HTTPServer.h

@@ -1,4 +1,4 @@
-
+
 // HTTPServer.h
 
 // Declares the cHTTPServer class representing a HTTP webserver that uses cListenThread and cSocketThreads for processing
@@ -11,8 +11,8 @@
 
 #include "../OSSupport/Network.h"
 #include "../IniFile.h"
-#include "PolarSSL++/CryptoKey.h"
-#include "PolarSSL++/X509Cert.h"
+#include "mbedTLS++/CryptoKey.h"
+#include "mbedTLS++/X509Cert.h"
 
 
 
@@ -21,6 +21,7 @@
 // fwd:
 class cHTTPIncomingRequest;
 class cHTTPServerConnection;
+class cSslConfig;
 
 
 
@@ -70,11 +71,8 @@ class cHTTPServer
 	/** The callbacks to call for various events */
 	cCallbacks * m_Callbacks;
 
-	/** The server certificate to use for the SSL connections */
-	cX509CertPtr m_Cert;
-
-	/** The private key for m_Cert. */
-	cCryptoKeyPtr m_CertPrivKey;
+	/** Configuration for server ssl connections. */
+	std::shared_ptr<const cSslConfig> m_SslConfig;
 
 
 	/** Called by cHTTPServerListenCallbacks when there's a new incoming connection.