[FIX] Use as much certs as possible, handshakes

2024-09-21 09:25:31 +02:00 · 2024-09-21 09:25:31 +02:00 · 4ce2b136a5
commit 4ce2b136a5
parent b28cd422fb
2 changed files with 31 additions and 19 deletions
--- a/src/Tls/TlsMbedTLS.c
+++ b/src/Tls/TlsMbedTLS.c
@ -85,6 +85,7 @@ static bool
 RegisterPEMs(mbedtls_x509_crt *certs)
 {
    char *cafile;
+    int loaded = 0;
    if (!certs)
    {
        return false;
@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
    cafile = getenv("CYTO_TLS_CA");
    if (AddPEM(certs, cafile))
    {
-        return true;
+        loaded++;
    }

    /* Step 1: Try /etc/ssl/certs */
    if (AddPEM(certs, "/etc/ssl/certs"))
    {
-        return true;
+        loaded++;
    }
    /* Step 2: Try loading off Mozilla's certificates */
    if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
    {
-        return true;
+        loaded++;
    }

    /* Step 3: Try loading from its root directly */
    if (AddPEM(certs, "/usr/share/ca-certificates"))
    {
-        return true;
+        loaded++;
    }
-
-    /* Step 4: Give up. */
-    return false;
+    return loaded != 0;
 }

 void *
@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
    mbedtls_x509_crt_init(&cookie->cert);
    mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
    mbedtls_pk_init(&cookie->serverkey);
-
    mbedtls_entropy_init(&cookie->entropy);
+
    err = mbedtls_ctr_drbg_seed(
        &cookie->ctrDrbg, 
        mbedtls_entropy_func, 
@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
        goto error;
    }

-    /* TODO: Reconsider a source of additional entropy. */
-
    cookie->serverFD.fd = fd;

    err = mbedtls_ssl_config_defaults(
@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
    {
        char message[256];
        mbedtls_strerror(err, message, 255);
-        Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
+        Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
        goto error;
    }

@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
        Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
        goto error;
    }
+    mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
    mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);

    /* Setup some callbacks */
@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
        goto error;
    }

+    /* Setup some functions */
+    mbedtls_ssl_set_bio(
+        &cookie->ssl, &cookie->serverFD,
+        mbedtls_net_send, mbedtls_net_recv, NULL
+    );
+
    /* Setup the servername */
    if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
    {
@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
        Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
        goto error;
    }
-
-    /* Setup some functions */
-    mbedtls_ssl_set_bio(
-        &cookie->ssl, &cookie->serverFD,
-        mbedtls_net_send, mbedtls_net_recv, NULL
-    );
+    while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0) 
+    {
+        char message[256];
+        switch (err)
+        {
+            case MBEDTLS_ERR_SSL_WANT_WRITE:
+            case MBEDTLS_ERR_SSL_WANT_READ:
+                break;
+            default:
+                mbedtls_strerror(err, message, 255);
+                Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
+                goto error;
+        }
+    }
    return cookie;
 error:

--- a/tools/tp.c
+++ b/tools/tp.c
@ -399,7 +399,7 @@ end_loop:
    }
    else if (StrEquals(op, "def?"))
    {
-        Definition *def;
+        Definition *def = NULL;
        size_t i;
        char *directive = Eval(&argv, stack);