#include "conf.h"
#include "log.h"
#include "ssl.h"
+#include "memory.h"
#include <stdlib.h>
#include <fcntl.h>
#include <mbedtls/x509.h>
#include <mbedtls/ssl.h>
#include <mbedtls/net.h>
+#include <mbedtls/sha1.h>
const int ciphers[] =
{
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
0
};
static mbedtls_x509_crt certificate;
-static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path,
- const char *pwd)
+static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, const char *pwd)
{
int ret;
mbedtls_pk_init(pk);
ret = mbedtls_pk_parse_keyfile(pk, path, pwd);
- if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+ if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA) && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+ {
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
return ret;
}
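Review bot: The two `MBEDTLS_TLS_RSA_WITH_AES_*_CBC_SHA` entries kept at the end of `ciphers[]` use static RSA key exchange, so a session that falls back to them has no forward secrecy and uses a CBC cipher with a SHA-1 MAC. The GCM suites added above them need TLS 1.2, so these two are the only ones a pre-1.2 client can negotiate. If they stay for client compatibility, say so at the list, e.g. `/* legacy fallback: static RSA key exchange, no forward secrecy */`. Separately, `x509parse_keyfile` now accepts EC as well as RSA keys, and nothing visible here checks that the loaded key belongs to the certificate. A `mbedtls_pk_check_pair(&certificate.pk, &key)` after loading would report a mismatched pair at startup, if the caller does not already do this.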
int urandom_fd;
#endif
-/* DH prime */
-char *my_dhm_P =
- "9CE85640903BF123906947FEDE767261" \
- "D9B4A973EB8F7D984A8C656E2BCC161C" \
- "183D4CA471BA78225F940F16D1D99CA3" \
- "E66152CC68EDCE1311A390F307741835" \
- "44FF6AB553EC7073AD0CB608F2A3B480" \
- "19E6C02BCED40BD30E91BB2469089670" \
- "DEF409C08E8AC24D1732A6128D2220DC53";
-char *my_dhm_G = "4";
-
-#ifdef USE_MBEDTLS_TESTCERT
-static void initTestCert()
-{
- int rc;
- builtInTestCertificate = true;
- rc = mbedtls_x509_crt_parse_rsa(&certificate, (unsigned char *)test_srv_crt,
- strlen(test_srv_crt));
-
- if (rc != 0)
- Log_fatal("Could not parse built-in test certificate");
-}
-
-static void initTestKey()
-{
- int rc;
-
- rc = mbedtls_x509parse_key_rsa(&key, (unsigned char *)test_srv_key,
- strlen(test_srv_key), NULL, 0);
- if (rc != 0)
- Log_fatal("Could not parse built-in test RSA key");
-}
-#endif
-
-/*
- * How to generate a self-signed cert with openssl:
- * openssl genrsa 1024 > host.key
- * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
- */
static void initCert()
{
int rc;
char *crtfile = (char *)getStrConf(CERTIFICATE);
if (crtfile == NULL) {
-#ifdef USE_MBEDTLS_TESTCERT
- Log_warn("No certificate file specified. Falling back to test certificate.");
- initTestCert();
-#else
Log_fatal("No certificate file specified");
-#endif
return;
}
rc = mbedtls_x509_crt_parse_file(&certificate, crtfile);
if (rc != 0) {
-#ifdef USE_MBEDTLS_TESTCERT
- Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile);
- initTestCert();
-#else
Log_fatal("Could not read certificate file '%s'", crtfile);
-#endif
return;
}
}
Log_fatal("No key file specified");
rc = x509parse_keyfile(&key, keyfile, NULL);
if (rc != 0)
- Log_fatal("Could not read RSA key file %s", keyfile);
+ Log_fatal("Could not read private key file %s", keyfile);
}
#ifndef USE_MBEDTLS_HAVEGE
int rc;
initCert();
-#ifdef USE_MBEDTLS_TESTCERT
- if (builtInTestCertificate) {
- Log_warn("*** Using built-in test certificate and RSA key ***");
- Log_warn("*** This is not secure! Please use a CA-signed certificate or create a key and self-signed certificate ***");
- initTestKey();
- }
- else
- initKey();
-#else
initKey();
-#endif
/* Initialize random number generator */
#ifdef USE_MBEDTLS_HAVEGE
#endif
/* Initialize config */
- conf = calloc(1, sizeof(mbedtls_ssl_config));
+ conf = Memory_safeCalloc(1, sizeof(mbedtls_ssl_config));
if (!conf)
Log_fatal("Out of memory");
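Review bot: The `if (!conf)` test after the new `Memory_safeCalloc` call is probably dead code, assuming that helper terminates the process on allocation failure as its name suggests (its definition is not visible here). Either drop the check and its `Log_fatal("Out of memory")`, or, if the helper can return NULL, say so in a comment next to the call. The same pattern follows the `ssl` and `ssn` allocations in a later hunk. The enclosing function begins and ends outside this hunk.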
#endif
mbedtls_ssl_conf_dbg(conf, pssl_debug, NULL);
+ mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1);
+
mbedtls_ssl_conf_ciphersuites(conf, (const int*)&ciphers);
mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL);
if((rc = mbedtls_ssl_conf_own_cert(conf, &certificate, &key)) != 0)
Log_fatal("mbedtls_ssl_conf_own_cert returned %d", rc);
- if((rc = mbedtls_ssl_conf_dh_param(conf, my_dhm_P, my_dhm_G)) != 0)
- Log_fatal("mbedtls_ssl_conf_dh_param returned %d", rc);
-
#ifdef MBEDTLS_VERSION_FEATURES
mbedtls_version_get_string(verstring);
Log_info("mbedTLS library version %s initialized", verstring);
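Review bot: `MBEDTLS_SSL_MINOR_VERSION_1` on the new `mbedtls_ssl_conf_min_version` line means TLS 1.0 in mbed TLS numbering (3.0 is SSLv3, 3.3 is TLS 1.2), so the call refuses only SSLv3 and still admits TLS 1.0 and 1.1. If that floor is intentional for older clients, a comment such as `/* minimum TLS 1.0 (3.1): refuses SSLv3 only */` would keep a reader from assuming a stricter floor. If every supported client speaks TLS 1.2, `MBEDTLS_SSL_MINOR_VERSION_3` is the value to use. The enclosing function starts and ends outside the hunk.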
mbedtls_pk_free(&key);
}
-/* Create SHA1 of last certificate in the peer's chain. */
bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
{
mbedtls_x509_crt const *cert;
mbedtls_ssl_session *ssn;
int rc;
- ssl = calloc(1, sizeof(mbedtls_ssl_context));
- ssn = calloc(1, sizeof(mbedtls_ssl_session));
+ ssl = Memory_safeCalloc(1, sizeof(mbedtls_ssl_context));
+ ssn = Memory_safeCalloc(1, sizeof(mbedtls_ssl_session));
if (!ssl || !ssn)
Log_fatal("Out of memory");
mbedtls_ssl_init(ssl);
mbedtls_ssl_set_bio(ssl, fd, mbedtls_net_send, mbedtls_net_recv, NULL);
mbedtls_ssl_set_session(ssl, ssn);
-
+
if((rc = mbedtls_ssl_setup(ssl, conf)) != 0)
Log_fatal("mbedtls_ssl_setup returned %d", rc);