WIP: Adds MbedTLS support to Cytoplasm #54
2 changed files with 31 additions and 19 deletions
|
@ -85,6 +85,7 @@ static bool
|
||||||
RegisterPEMs(mbedtls_x509_crt *certs)
|
RegisterPEMs(mbedtls_x509_crt *certs)
|
||||||
{
|
{
|
||||||
char *cafile;
|
char *cafile;
|
||||||
|
int loaded = 0;
|
||||||
if (!certs)
|
if (!certs)
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
|
@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
|
||||||
cafile = getenv("CYTO_TLS_CA");
|
cafile = getenv("CYTO_TLS_CA");
|
||||||
if (AddPEM(certs, cafile))
|
if (AddPEM(certs, cafile))
|
||||||
{
|
{
|
||||||
return true;
|
loaded++;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Step 1: Try /etc/ssl/certs */
|
/* Step 1: Try /etc/ssl/certs */
|
||||||
if (AddPEM(certs, "/etc/ssl/certs"))
|
if (AddPEM(certs, "/etc/ssl/certs"))
|
||||||
{
|
{
|
||||||
return true;
|
loaded++;
|
||||||
}
|
}
|
||||||
/* Step 2: Try loading off Mozilla's certificates */
|
/* Step 2: Try loading off Mozilla's certificates */
|
||||||
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
|
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
|
||||||
{
|
{
|
||||||
return true;
|
loaded++;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Step 3: Try loading from its root directly*/
|
/* Step 3: Try loading from its root directly */
|
||||||
if (AddPEM(certs, "/usr/share/ca-certificates"))
|
if (AddPEM(certs, "/usr/share/ca-certificates"))
|
||||||
{
|
{
|
||||||
return true;
|
loaded++;
|
||||||
}
|
}
|
||||||
|
return loaded != 0;
|
||||||
/* Step 4: Give up. */
|
|
||||||
return false;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
void *
|
void *
|
||||||
|
@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
mbedtls_x509_crt_init(&cookie->cert);
|
mbedtls_x509_crt_init(&cookie->cert);
|
||||||
mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
|
mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
|
||||||
mbedtls_pk_init(&cookie->serverkey);
|
mbedtls_pk_init(&cookie->serverkey);
|
||||||
|
|
||||||
mbedtls_entropy_init(&cookie->entropy);
|
mbedtls_entropy_init(&cookie->entropy);
|
||||||
|
|
||||||
err = mbedtls_ctr_drbg_seed(
|
err = mbedtls_ctr_drbg_seed(
|
||||||
&cookie->ctrDrbg,
|
&cookie->ctrDrbg,
|
||||||
mbedtls_entropy_func,
|
mbedtls_entropy_func,
|
||||||
|
@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* TODO: Reconsider a source of additional entropy. */
|
|
||||||
|
|
||||||
cookie->serverFD.fd = fd;
|
cookie->serverFD.fd = fd;
|
||||||
|
|
||||||
err = mbedtls_ssl_config_defaults(
|
err = mbedtls_ssl_config_defaults(
|
||||||
|
@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
{
|
{
|
||||||
char message[256];
|
char message[256];
|
||||||
mbedtls_strerror(err, message, 255);
|
mbedtls_strerror(err, message, 255);
|
||||||
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
|
||||||
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
|
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
|
||||||
|
|
||||||
/* Setup some callbacks */
|
/* Setup some callbacks */
|
||||||
|
@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Setup some functions */
|
||||||
|
mbedtls_ssl_set_bio(
|
||||||
|
&cookie->ssl, &cookie->serverFD,
|
||||||
|
mbedtls_net_send, mbedtls_net_recv, NULL
|
||||||
|
);
|
||||||
|
|
||||||
/* Setup the servername */
|
/* Setup the servername */
|
||||||
if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
|
if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
|
||||||
{
|
{
|
||||||
|
@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
|
Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
|
||||||
/* Setup some functions */
|
{
|
||||||
mbedtls_ssl_set_bio(
|
char message[256];
|
||||||
&cookie->ssl, &cookie->serverFD,
|
switch (err)
|
||||||
mbedtls_net_send, mbedtls_net_recv, NULL
|
{
|
||||||
);
|
case MBEDTLS_ERR_SSL_WANT_WRITE:
|
||||||
|
case MBEDTLS_ERR_SSL_WANT_READ:
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
mbedtls_strerror(err, message, 255);
|
||||||
|
Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
}
|
||||||
return cookie;
|
return cookie;
|
||||||
error:
|
error:
|
||||||
|
|
||||||
|
|
|
@ -399,7 +399,7 @@ end_loop:
|
||||||
}
|
}
|
||||||
else if (StrEquals(op, "def?"))
|
else if (StrEquals(op, "def?"))
|
||||||
{
|
{
|
||||||
Definition *def;
|
Definition *def = NULL;
|
||||||
size_t i;
|
size_t i;
|
||||||
char *directive = Eval(&argv, stack);
|
char *directive = Eval(&argv, stack);
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue