WIP: Adds MbedTLS support to Cytoplasm #54

Draft
lda wants to merge 9 commits from lda/Cytoplasm:add-mbed into master
2 changed files with 31 additions and 19 deletions
Showing only changes of commit 4ce2b136a5 - Show all commits

View file

@ -85,6 +85,7 @@ static bool
RegisterPEMs(mbedtls_x509_crt *certs) RegisterPEMs(mbedtls_x509_crt *certs)
{ {
char *cafile; char *cafile;
int loaded = 0;
if (!certs) if (!certs)
{ {
return false; return false;
@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
cafile = getenv("CYTO_TLS_CA"); cafile = getenv("CYTO_TLS_CA");
if (AddPEM(certs, cafile)) if (AddPEM(certs, cafile))
{ {
return true; loaded++;
} }
/* Step 1: Try /etc/ssl/certs */ /* Step 1: Try /etc/ssl/certs */
if (AddPEM(certs, "/etc/ssl/certs")) if (AddPEM(certs, "/etc/ssl/certs"))
{ {
return true; loaded++;
} }
/* Step 2: Try loading off Mozilla's certificates */ /* Step 2: Try loading off Mozilla's certificates */
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla")) if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
{ {
return true; loaded++;
} }
/* Step 3: Try loading from its root directly*/ /* Step 3: Try loading from its root directly */
if (AddPEM(certs, "/usr/share/ca-certificates")) if (AddPEM(certs, "/usr/share/ca-certificates"))
{ {
return true; loaded++;
} }
return loaded != 0;
/* Step 4: Give up. */
return false;
} }
void * void *
@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
mbedtls_x509_crt_init(&cookie->cert); mbedtls_x509_crt_init(&cookie->cert);
mbedtls_ctr_drbg_init(&cookie->ctrDrbg); mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
mbedtls_pk_init(&cookie->serverkey); mbedtls_pk_init(&cookie->serverkey);
mbedtls_entropy_init(&cookie->entropy); mbedtls_entropy_init(&cookie->entropy);
err = mbedtls_ctr_drbg_seed( err = mbedtls_ctr_drbg_seed(
&cookie->ctrDrbg, &cookie->ctrDrbg,
mbedtls_entropy_func, mbedtls_entropy_func,
@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
goto error; goto error;
} }
/* TODO: Reconsider a source of additional entropy. */
cookie->serverFD.fd = fd; cookie->serverFD.fd = fd;
err = mbedtls_ssl_config_defaults( err = mbedtls_ssl_config_defaults(
@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
{ {
char message[256]; char message[256];
mbedtls_strerror(err, message, 255); mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message); Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
goto error; goto error;
} }
@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message); Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
goto error; goto error;
} }
mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL); mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
/* Setup some callbacks */ /* Setup some callbacks */
@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
goto error; goto error;
} }
/* Setup some functions */
mbedtls_ssl_set_bio(
&cookie->ssl, &cookie->serverFD,
mbedtls_net_send, mbedtls_net_recv, NULL
);
/* Setup the servername */ /* Setup the servername */
if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0) if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
{ {
@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message); Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
goto error; goto error;
} }
while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
/* Setup some functions */ {
mbedtls_ssl_set_bio( char message[256];
&cookie->ssl, &cookie->serverFD, switch (err)
mbedtls_net_send, mbedtls_net_recv, NULL {
); case MBEDTLS_ERR_SSL_WANT_WRITE:
case MBEDTLS_ERR_SSL_WANT_READ:
break;
default:
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
goto error;
}
}
return cookie; return cookie;
error: error:

View file

@ -399,7 +399,7 @@ end_loop:
} }
else if (StrEquals(op, "def?")) else if (StrEquals(op, "def?"))
{ {
Definition *def; Definition *def = NULL;
size_t i; size_t i;
char *directive = Eval(&argv, stack); char *directive = Eval(&argv, stack);