[FIX] Use as much certs as possible, handshakes
This commit is contained in:
LDA
parent
b28cd422fb
commit
4ce2b136a5
2 changed files with 31 additions and 19 deletions
|
|
@ -85,6 +85,7 @@ static bool
|
|||
RegisterPEMs(mbedtls_x509_crt *certs)
|
||||
{
|
||||
char *cafile;
|
||||
int loaded = 0;
|
||||
if (!certs)
|
||||
{
|
||||
return false;
|
||||
|
|
@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
|
|||
cafile = getenv("CYTO_TLS_CA");
|
||||
if (AddPEM(certs, cafile))
|
||||
{
|
||||
return true;
|
||||
loaded++;
|
||||
}
|
||||
|
||||
/* Step 1: Try /etc/ssl/certs */
|
||||
if (AddPEM(certs, "/etc/ssl/certs"))
|
||||
{
|
||||
return true;
|
||||
loaded++;
|
||||
}
|
||||
/* Step 2: Try loading off Mozilla's certificates */
|
||||
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
|
||||
{
|
||||
return true;
|
||||
loaded++;
|
||||
}
|
||||
|
||||
/* Step 3: Try loading from its root directly*/
|
||||
/* Step 3: Try loading from its root directly */
|
||||
if (AddPEM(certs, "/usr/share/ca-certificates"))
|
||||
{
|
||||
return true;
|
||||
loaded++;
|
||||
}
|
||||
|
||||
/* Step 4: Give up. */
|
||||
return false;
|
||||
return loaded != 0;
|
||||
}
|
||||
|
||||
void *
|
||||
|
|
@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
|
|||
mbedtls_x509_crt_init(&cookie->cert);
|
||||
mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
|
||||
mbedtls_pk_init(&cookie->serverkey);
|
||||
|
||||
mbedtls_entropy_init(&cookie->entropy);
|
||||
|
||||
err = mbedtls_ctr_drbg_seed(
|
||||
&cookie->ctrDrbg,
|
||||
mbedtls_entropy_func,
|
||||
|
|
@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
|
|||
goto error;
|
||||
}
|
||||
|
||||
/* TODO: Reconsider a source of additional entropy. */
|
||||
|
||||
cookie->serverFD.fd = fd;
|
||||
|
||||
err = mbedtls_ssl_config_defaults(
|
||||
|
|
@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
|
|||
{
|
||||
char message[256];
|
||||
mbedtls_strerror(err, message, 255);
|
||||
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
||||
Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
|
||||
goto error;
|
||||
}
|
||||
|
||||
|
|
@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
|
|||
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
||||
goto error;
|
||||
}
|
||||
mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
|
||||
|
||||
/* Setup some callbacks */
|
||||
|
|
@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
|
|||
goto error;
|
||||
}
|
||||
|
||||
/* Setup some functions */
|
||||
mbedtls_ssl_set_bio(
|
||||
&cookie->ssl, &cookie->serverFD,
|
||||
mbedtls_net_send, mbedtls_net_recv, NULL
|
||||
);
|
||||
|
||||
/* Setup the servername */
|
||||
if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
|
||||
{
|
||||
|
|
@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
|
|||
Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
|
||||
goto error;
|
||||
}
|
||||
|
||||
/* Setup some functions */
|
||||
mbedtls_ssl_set_bio(
|
||||
&cookie->ssl, &cookie->serverFD,
|
||||
mbedtls_net_send, mbedtls_net_recv, NULL
|
||||
);
|
||||
while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
|
||||
{
|
||||
char message[256];
|
||||
switch (err)
|
||||
{
|
||||
case MBEDTLS_ERR_SSL_WANT_WRITE:
|
||||
case MBEDTLS_ERR_SSL_WANT_READ:
|
||||
break;
|
||||
default:
|
||||
mbedtls_strerror(err, message, 255);
|
||||
Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
|
||||
goto error;
|
||||
}
|
||||
}
|
||||
return cookie;
|
||||
error:
|
||||
|
||||
|
|
|
|||
|
|
@ -399,7 +399,7 @@ end_loop:
|
|||
}
|
||||
else if (StrEquals(op, "def?"))
|
||||
{
|
||||
Definition *def;
|
||||
Definition *def = NULL;
|
||||
size_t i;
|
||||
char *directive = Eval(&argv, stack);
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue