WIP: Adds MbedTLS support to Cytoplasm #54

Draft
lda wants to merge 9 commits from lda/Cytoplasm:add-mbed into master
2 changed files with 31 additions and 19 deletions
Showing only changes of commit 4ce2b136a5 - Show all commits

View file

@ -85,6 +85,7 @@ static bool
RegisterPEMs(mbedtls_x509_crt *certs)
{
char *cafile;
int loaded = 0;
if (!certs)
{
return false;
@ -94,28 +95,26 @@ RegisterPEMs(mbedtls_x509_crt *certs)
cafile = getenv("CYTO_TLS_CA");
if (AddPEM(certs, cafile))
{
return true;
loaded++;
}
/* Step 1: Try /etc/ssl/certs */
if (AddPEM(certs, "/etc/ssl/certs"))
{
return true;
loaded++;
}
/* Step 2: Try loading off Mozilla's certificates */
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
{
return true;
loaded++;
}
/* Step 3: Try loading from its root directly */
if (AddPEM(certs, "/usr/share/ca-certificates"))
{
return true;
loaded++;
}
/* Step 4: Give up. */
return false;
return loaded != 0;
}
void *
@ -140,8 +139,8 @@ TlsInitClient(int fd, const char *serverName)
mbedtls_x509_crt_init(&cookie->cert);
mbedtls_ctr_drbg_init(&cookie->ctrDrbg);
mbedtls_pk_init(&cookie->serverkey);
mbedtls_entropy_init(&cookie->entropy);
err = mbedtls_ctr_drbg_seed(
&cookie->ctrDrbg,
mbedtls_entropy_func,
@ -154,8 +153,6 @@ TlsInitClient(int fd, const char *serverName)
goto error;
}
/* TODO: Reconsider a source of additional entropy. */
cookie->serverFD.fd = fd;
err = mbedtls_ssl_config_defaults(
@ -168,7 +165,7 @@ TlsInitClient(int fd, const char *serverName)
{
char message[256];
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
Log(LOG_ERR, "MbedTLS failure on client config: %s", message);
goto error;
}
@ -180,6 +177,7 @@ TlsInitClient(int fd, const char *serverName)
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
goto error;
}
mbedtls_ssl_conf_authmode(&cookie->conf, MBEDTLS_SSL_VERIFY_REQUIRED);
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
/* Setup some callbacks */
@ -196,6 +194,12 @@ TlsInitClient(int fd, const char *serverName)
goto error;
}
/* Setup some functions */
mbedtls_ssl_set_bio(
&cookie->ssl, &cookie->serverFD,
mbedtls_net_send, mbedtls_net_recv, NULL
);
/* Setup the servername */
if ((err = mbedtls_ssl_set_hostname(&cookie->ssl, serverName)) != 0)
{
@ -204,12 +208,20 @@ TlsInitClient(int fd, const char *serverName)
Log(LOG_ERR, "MbedTLS failure on client hostname: %s", message);
goto error;
}
/* Setup some functions */
mbedtls_ssl_set_bio(
&cookie->ssl, &cookie->serverFD,
mbedtls_net_send, mbedtls_net_recv, NULL
);
while ((err = mbedtls_ssl_handshake(&cookie->ssl)) != 0)
{
char message[256];
switch (err)
{
case MBEDTLS_ERR_SSL_WANT_WRITE:
case MBEDTLS_ERR_SSL_WANT_READ:
break;
default:
mbedtls_strerror(err, message, 255);
Log(LOG_ERR, "MbedTLS failure on handshake: %s", message);
goto error;
}
}
return cookie;
error:

View file

@ -399,7 +399,7 @@ end_loop:
}
else if (StrEquals(op, "def?"))
{
Definition *def;
Definition *def = NULL;
size_t i;
char *directive = Eval(&argv, stack);