WIP: Adds MbedTLS support to Cytoplasm #54
1 changed files with 67 additions and 10 deletions
|
@ -35,6 +35,7 @@
|
||||||
|
|
||||||
#include <Memory.h>
|
#include <Memory.h>
|
||||||
#include <Log.h>
|
#include <Log.h>
|
||||||
|
#include <Str.h>
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
#include <stdlib.h>
|
#include <stdlib.h>
|
||||||
|
@ -57,12 +58,70 @@ typedef struct MbedCookie {
|
||||||
mbedtls_pk_context serverkey;
|
mbedtls_pk_context serverkey;
|
||||||
} MbedCookie;
|
} MbedCookie;
|
||||||
|
|
||||||
|
static bool
|
||||||
|
AddPEM(mbedtls_x509_crt *certs, char *path)
|
||||||
|
{
|
||||||
|
size_t len;
|
||||||
|
if (!certs || !path)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
len = strlen(path);
|
||||||
|
if (len >= 4 && StrEquals(&path[len - 1 - 4], ".pem"))
|
||||||
|
{
|
||||||
|
/* Parse it as a file */
|
||||||
|
if (mbedtls_x509_crt_parse_file(certs, path) == 0)
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Parse it as a directory if it is not a .PEM
|
||||||
|
* Note that this is non-recursive. */
|
||||||
|
return mbedtls_x509_crt_parse_path(certs, path) == 0;
|
||||||
|
}
|
||||||
|
static bool
|
||||||
|
RegisterPEMs(mbedtls_x509_crt *certs)
|
||||||
|
{
|
||||||
|
char *cafile;
|
||||||
|
if (!certs)
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Step 0: Load from CYTO_TLS_CA if present to overwrite */
|
||||||
|
cafile = getenv("CYTO_TLS_CA");
|
||||||
|
if (AddPEM(certs, cafile))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Step 1: Try /etc/ssl/certs */
|
||||||
|
if (AddPEM(certs, "/etc/ssl/certs"))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
/* Step 2: Try loading off Mozilla's certificates */
|
||||||
|
if (AddPEM(certs, "/usr/share/ca-certificates/mozilla"))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Step 3: Try loading from its root directly*/
|
||||||
|
if (AddPEM(certs, "/usr/share/ca-certificates"))
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Step 4: Give up. */
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
void *
|
void *
|
||||||
TlsInitClient(int fd, const char *serverName)
|
TlsInitClient(int fd, const char *serverName)
|
||||||
{
|
{
|
||||||
MbedCookie *cookie;
|
MbedCookie *cookie;
|
||||||
char *cafile;
|
|
||||||
char *seed;
|
|
||||||
int err;
|
int err;
|
||||||
if (!serverName)
|
if (!serverName)
|
||||||
{
|
{
|
||||||
|
@ -94,12 +153,9 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
Log(LOG_ERR, "MbedTLS failure on client init: %d", err);
|
Log(LOG_ERR, "MbedTLS failure on client init: %d", err);
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
/* Add a source of entropy if possible(using the CYTO_TLS_SEED env).
|
|
||||||
* Note that we ignore the error code. */
|
|
||||||
seed = getenv("CYTO_TLS_SEED");
|
|
||||||
mbedtls_entropy_update_seed_file(&cookie->entropy, seed);
|
|
||||||
|
|
||||||
/* TODO */
|
/* TODO: Reconsider a source of additional entropy. */
|
||||||
|
|
||||||
cookie->serverFD.fd = fd;
|
cookie->serverFD.fd = fd;
|
||||||
|
|
||||||
err = mbedtls_ssl_config_defaults(
|
err = mbedtls_ssl_config_defaults(
|
||||||
|
@ -117,13 +173,12 @@ TlsInitClient(int fd, const char *serverName)
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Setup key verification */
|
/* Setup key verification */
|
||||||
cafile = getenv("CYTO_TLS_CA");
|
if (!RegisterPEMs(&cookie->cert))
|
||||||
if ((err = mbedtls_x509_crt_parse_file(&cookie->cert, cafile)) != 0)
|
|
||||||
{
|
{
|
||||||
char message[256];
|
char message[256];
|
||||||
mbedtls_strerror(err, message, 255);
|
mbedtls_strerror(err, message, 255);
|
||||||
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
Log(LOG_ERR, "MbedTLS failure on client certs: %s", message);
|
||||||
//goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
|
mbedtls_ssl_conf_ca_chain(&cookie->conf, &cookie->cert, NULL);
|
||||||
|
|
||||||
|
@ -217,6 +272,8 @@ TlsInitServer(int fd, const char *crt, const char *key)
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
if ((err = mbedtls_pk_parse_keyfile(&cookie->serverkey, key, NULL, mbedtls_entropy_func, &cookie->ctrDrbg)) != 0)
|
if ((err = mbedtls_pk_parse_keyfile(&cookie->serverkey, key, NULL, mbedtls_entropy_func, &cookie->ctrDrbg)) != 0)
|
||||||
{
|
{
|
||||||
char message[256];
|
char message[256];
|
||||||
|
|
Loading…
Reference in a new issue