[FIX] Use as much certs as possible, handshakes

src/Tls/TlsMbedTLS.c

@@ -85,6 +85,7 @@ static bool
 RegisterPEMs(mbedtls_x509_crt *certs)
 {
     char *cafile;
+    int loaded = 0;
     if (!certs)
     {
         return false;
@@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
     cafile = getenv("CYTO_TLS_CA");
     if (AddPEM(certs, cafile))
     {
-        return true;
+        loaded++;
     }
 
     /* Step 1: Try /etc/ssl/certs */
     if (AddPEM(certs, "/etc/ssl/certs"))
     {
-        return true;
+        loaded++;
     }
     /* Step 2: Try loading off Mozilla's certificates */
     if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
     {
-        return true;
+        loaded++;
     }
 
-    /* Step 3: Try loading from its root directly*/
+    /* Step 3: Try loading from its root directly */
     if (AddPEM(certs, "/usr/share/ca-certificates"))
     {
-        return true;
+        loaded++;
     }
-
+    return loaded != 0;
-    /* Step 4: Give up. */
-    return false;
 }
 
 void *
@@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
     mbedtls_x509_crt_init(&cookie->cert);
     mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
     mbedtls_pk_init(&cookie->serverkey);
-
     mbedtls_entropy_init(&cookie->entropy);
+
     err = mbedtls_ctr_drbg_seed(
         &cookie->ctrDrbg, 
         mbedtls_entropy_func, 
@@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
         goto error;
     }
 
-    /* TODO: Reconsider a source of additional entropy. */
-
     cookie->serverFD.fd = fd;
 
     err = mbedtls_ssl_config_defaults(
@@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
     {
         char message[256];
         mbedtls_strerror(err, message, 255);
-        Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
+        Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
         goto error;
     }
 
@@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
         Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
         goto error;
     }
+    mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
     mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
 
     /* Setup some callbacks */
@@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
         goto error;
     }
 
+    /* Setup some functions */
+    mbedtls_ssl_set_bio(
+        &cookie->ssl, &cookie->serverFD,
+        mbedtls_net_send, mbedtls_net_recv, NULL
+    );
+
     /* Setup the servername */
     if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
     {
@@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
         Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
         goto error;
     }
-
+    while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0) 
-    /* Setup some functions */
+    {
-    mbedtls_ssl_set_bio(
+        char message[256];
-        &cookie->ssl, &cookie->serverFD,
+        switch (err)
-        mbedtls_net_send, mbedtls_net_recv, NULL
+        {
-    );
+            case MBEDTLS_ERR_SSL_WANT_WRITE:
+            case MBEDTLS_ERR_SSL_WANT_READ:
+                break;
+            default:
+                mbedtls_strerror(err, message, 255);
+                Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
+                goto error;
+        }
+    }
     return cookie;
 error:
 

tools/tp.c

@@ -399,7 +399,7 @@ end_loop:
     }
     else if (StrEquals(op, "def?"))
     {
-        Definition *def;
+        Definition *def = NULL;
         size_t i;
         char *directive = Eval(&argv, stack);