From 4ce2b136a5277688c3004f040a9ddbce69a298bf Mon Sep 17 00:00:00 2001
From: LDA
Date: Sat, 21 Sep 2024 09:25:31 +0200
Subject: [PATCH] [FIX] Use as much certs as possible, handshakes
---
 src/Tls/TlsMbedTLS.c | 48 +++++++++++++++++++++++++++-----------------
 tools/tp.c | 2 +-
 2 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/src/Tls/TlsMbedTLS.c b/src/Tls/TlsMbedTLS.c
index a4249d1..7312883 100644
--- a/src/Tls/TlsMbedTLS.c
+++ b/src/Tls/TlsMbedTLS.c
@@ -85,6 +85,7 @@ static bool
 RegisterPEMs(mbedtls_x509_crt *certs)
 {
     char *cafile;
+    int loaded = 0;
     if (!certs)
     {
         return false;
@@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
     cafile = getenv("CYTO_TLS_CA");
     if (AddPEM(certs, cafile))
     {
-        return true;
+        loaded++;
     }
     /* Step 1: Try /etc/ssl/certs */
     if (AddPEM(certs, "/etc/ssl/certs"))
     {
-        return true;
+        loaded++;
     }
     /* Step 2: Try loading off Mozilla's certificates */
     if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
     {
-        return true;
+        loaded++;
     }
-    /* Step 3: Try loading from its root directly*/
+    /* Step 3: Try loading from its root directly */
     if (AddPEM(certs, "/usr/share/ca-certificates"))
     {
-        return true;
+        loaded++;
     }
-
-    /* Step 4: Give up. */
-    return false;
+    return loaded != 0;
 }
 void *
@@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
     mbedtls_x509_crt_init(&cookie->cert);
     mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
     mbedtls_pk_init(&cookie->serverkey);
-    mbedtls_entropy_init(&cookie->entropy);
+    mbedtls_entropy_init(&cookie->entropy);
     err = mbedtls_ctr_drbg_seed(
             &cookie->ctrDrbg,
             mbedtls_entropy_func,
@@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
         goto error;
     }
-    /* TODO: Reconsider a source of additional entropy. */
-
     cookie->serverFD.fd = fd;
     err = mbedtls_ssl_config_defaults(
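Review bot: Because every location is now loaded instead of stopping at the first success, a CYTO_TLS_CA path no longer limits trust to that bundle but is merged with all of the system directories, and /usr/share/ca-certificates is read even when /etc/ssl/certs already loaded; on Debian-style layouts that directory holds every shipped CA rather than only the ones the administrator enabled into /etc/ssl/certs, so a deliberately deselected CA may come back in (inferred from the usual layout, worth checking on the target systems). If that widening is intended, say so above the function, e.g. `/* Trust the union of CYTO_TLS_CA and every system store that could be read; fails only when none loaded. */`; if not, keep the early `return true;` in the CYTO_TLS_CA branch so an operator can still pin a private CA. The `Step N` comments still describe a fallback chain and should be reworded now that each step is additive. The `loaded` declaration sits in the previous hunk, so this applies to both.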
@@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
     {
         char message[256];
         mbedtls_strerror(err, message, 255);
-        Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
+        Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
         goto error;
     }
@@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
         Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
         goto error;
     }
+    mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
     mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
     /* Setup some callbacks */
@@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
         goto error;
     }
+    /* Setup some functions */
+    mbedtls_ssl_set_bio(
+        &cookie->ssl, &cookie->serverFD,
+        mbedtls_net_send, mbedtls_net_recv, NULL
+    );
+
     /* Setup the servername */
     if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
     {
@@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
         Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
         goto error;
     }
-
-    /* Setup some functions */
-    mbedtls_ssl_set_bio(
-        &cookie->ssl, &cookie->serverFD,
-        mbedtls_net_send, mbedtls_net_recv, NULL
-    );
+    while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
+    {
+        char message[256];
+        switch (err)
+        {
+            case MBEDTLS_ERR_SSL_WANT_WRITE:
+            case MBEDTLS_ERR_SSL_WANT_READ:
+                break;
+            default:
+                mbedtls_strerror(err, message, 255);
+                Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
+                goto error;
+        }
+    }
     return cookie;
 error:
diff --git a/tools/tp.c b/tools/tp.c
index f178948..32fade3 100644
--- a/tools/tp.c
+++ b/tools/tp.c
@@ -399,7 +399,7 @@ end_loop:
     }
     else if (StrEquals(op, "def?"))
     {
-        Definition *def;
+        Definition *def = NULL;
         size_t i;
         char *directive = Eval(&argv, stack);
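Review bot: The new `mbedtls_ssl_conf_authmode` call deserves a comment stating that REQUIRED is deliberate, since mbed TLS already defaults client configs to MBEDTLS_SSL_VERIFY_REQUIRED in mbedtls_ssl_config_defaults (as far as I recall) and a later reader may otherwise "simplify" it to OPTIONAL, which would let the handshake succeed against an unverified peer. Something like `/* Deliberately explicit: the handshake must fail, not merely flag, when the peer chain does not lead to a loaded CA. */` above the line. It also only gives real protection when the chain handed to mbedtls_ssl_conf_ca_chain on the next line is non-empty, which is RegisterPEMs' job earlier in the function, outside this hunk.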
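Review bot: When the handshake fails on certificate verification, the default arm logs only the generic mbedtls_strerror text, so an operator cannot tell an expired certificate from a hostname mismatch or an unknown CA; querying mbedtls_ssl_get_verify_result and formatting it with mbedtls_x509_crt_verify_info in that arm names the failed checks. While there, `mbedtls_strerror(err, message, 255)` can take `sizeof message`. If serverFD is ever non-blocking (not visible here), the WANT_READ/WANT_WRITE arms retry immediately without waiting on the socket and busy-loop; with a blocking fd they are fine. TlsInitClient begins before this hunk.
```c
            default:
                mbedtls_strerror(err, message, sizeof message);
                Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
                if (err == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED)
                {
                    uint32_t flags = mbedtls_ssl_get_verify_result(&cookie->ssl);
                    /* Spells out which checks failed (expired, name mismatch, unknown CA, ...) */
                    mbedtls_x509_crt_verify_info(message, sizeof message, "", flags);
                    Log(LOG_ERR, "Certificate verification: %s", message);
                }
                goto error;
/* … unchanged: switch close, loop close, return cookie … */
```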