X-Git-Url: http://git.code-monkey.de/?a=blobdiff_plain;f=src%2Fssli_mbedtls.c;h=aaaccf852f232bd162c3d60a44ac99fdeb841b5f;hb=dad72e93b709f61385390ece33f9bbb860b17e3e;hp=3381e8b883d08e08299d76232226deb27c5a8153;hpb=6fb422b7cbb94a2b8063c6df630b04184414b633;p=umurmur.git diff --git a/src/ssli_mbedtls.c b/src/ssli_mbedtls.c index 3381e8b..aaaccf8 100644 --- a/src/ssli_mbedtls.c +++ b/src/ssli_mbedtls.c @@ -32,6 +32,7 @@ #include "conf.h" #include "log.h" #include "ssl.h" +#include "memory.h" #include #include @@ -42,25 +43,30 @@ #include #include #include +#include const int ciphers[] = { - MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, + MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, 0 }; static mbedtls_x509_crt certificate; -static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, - const char *pwd) +static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, const char *pwd) { int ret; mbedtls_pk_init(pk); ret = mbedtls_pk_parse_keyfile(pk, path, pwd); - if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) + if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA) && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) + { ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; + } return ret; } 
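Review bot: The two static-RSA suites kept at the end of `ciphers[]` (`MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA`, `MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA`) have no forward secrecy and use CBC with HMAC-SHA1, and a client that does not offer the new ECDHE-GCM suites will still negotiate them. If they are kept on purpose for older clients, say so above the array, e.g. `/* RSA-CBC suites retained for legacy clients only; no forward secrecy */`, or put them behind a configuration option. In the same hunk, `x509parse_keyfile` now accepts an ECDSA key, but both fallback suites are RSA-only, so with an ECDSA certificate a client without ECDHE-ECDSA support cannot complete a handshake. That limitation deserves a line in the documentation.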
@@ -74,69 +80,20 @@ havege_state hs; int urandom_fd; #endif -/* DH prime */ -char *my_dhm_P = - "9CE85640903BF123906947FEDE767261" \ - "D9B4A973EB8F7D984A8C656E2BCC161C" \ - "183D4CA471BA78225F940F16D1D99CA3" \ - "E66152CC68EDCE1311A390F307741835" \ - "44FF6AB553EC7073AD0CB608F2A3B480" \ - "19E6C02BCED40BD30E91BB2469089670" \ - "DEF409C08E8AC24D1732A6128D2220DC53"; -char *my_dhm_G = "4"; - -#ifdef USE_MBEDTLS_TESTCERT -static void initTestCert() -{ - int rc; - builtInTestCertificate = true; - rc = mbedtls_x509_crt_parse_rsa(&certificate, (unsigned char *)test_srv_crt, - strlen(test_srv_crt)); - - if (rc != 0) - Log_fatal("Could not parse built-in test certificate"); -} - -static void initTestKey() -{ - int rc; - - rc = mbedtls_x509parse_key_rsa(&key, (unsigned char *)test_srv_key, - strlen(test_srv_key), NULL, 0); - if (rc != 0) - Log_fatal("Could not parse built-in test RSA key"); -} -#endif - -/* - * How to generate a self-signed cert with openssl: - * openssl genrsa 1024 > host.key - * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert - */ static void initCert() { int rc; char *crtfile = (char *)getStrConf(CERTIFICATE); if (crtfile == NULL) { -#ifdef USE_MBEDTLS_TESTCERT - Log_warn("No certificate file specified. Falling back to test certificate."); - initTestCert(); -#else Log_fatal("No certificate file specified"); -#endif return; } rc = mbedtls_x509_crt_parse_file(&certificate, crtfile); if (rc != 0) { -#ifdef USE_MBEDTLS_TESTCERT - Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile); - initTestCert(); -#else Log_fatal("Could not read certificate file '%s'", crtfile); -#endif return; } } @@ -150,7 +107,7 @@ static void initKey() Log_fatal("No key file specified"); rc = x509parse_keyfile(&key, keyfile, NULL); if (rc != 0) - Log_fatal("Could not read RSA key file %s", keyfile); + Log_fatal("Could not read private key file %s", keyfile); } #ifndef USE_MBEDTLS_HAVEGE 
@@ -175,22 +132,15 @@ static void pssl_debug(void *ctx, int level, const char *file, int line, const c Log_info("mbedTLS [level %d]: %s", level, str); } +mbedtls_ssl_config *conf; + void SSLi_init(void) { char verstring[12]; + int rc; initCert(); -#ifdef USE_MBEDTLS_TESTCERT - if (builtInTestCertificate) { - Log_warn("*** Using built-in test certificate and RSA key ***"); - Log_warn("*** This is not secure! Please use a CA-signed certificate or create a key and self-signed certificate ***"); - initTestKey(); - } - else - initKey(); -#else initKey(); -#endif /* Initialize random number generator */ #ifdef USE_MBEDTLS_HAVEGE @@ -201,6 +151,37 @@ void SSLi_init(void) Log_fatal("Cannot open /dev/urandom"); #endif + /* Initialize config */ + conf = Memory_safeCalloc(1, sizeof(mbedtls_ssl_config)); + + if (!conf) + Log_fatal("Out of memory"); + + mbedtls_ssl_config_init(conf); + + if((rc = mbedtls_ssl_config_defaults(conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT)) != 0) + Log_fatal("mbedtls_ssl_config_defaults returned %d", rc); + + mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL); +#ifdef USE_MBEDTLS_HAVEGE + mbedtls_ssl_conf_rng(conf, HAVEGE_RAND, &hs); +#else + mbedtls_ssl_conf_rng(conf, urandom_bytes, NULL); +#endif + mbedtls_ssl_conf_dbg(conf, pssl_debug, NULL); + + mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1); + + mbedtls_ssl_conf_ciphersuites(conf, (const int*)&ciphers); + + mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL); + + if((rc = mbedtls_ssl_conf_own_cert(conf, &certificate, &key)) != 0) + Log_fatal("mbedtls_ssl_conf_own_cert returned %d", rc); + #ifdef MBEDTLS_VERSION_FEATURES mbedtls_version_get_string(verstring); Log_info("mbedTLS library version %s initialized", verstring); 
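Review bot: `mbedtls_ssl_config *conf;` is defined with external linkage under a very generic name, while the neighbouring `certificate` object is `static`. Nothing in the visible hunks uses it outside this file, so `static mbedtls_ssl_config *conf;` would avoid a link-time clash with another translation unit's `conf` symbol. A one-line comment such as `/* shared by all connections; written only in SSLi_init/SSLi_deinit */` would also record the new lifetime, since every `mbedtls_ssl_context` now points at this single object.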
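Review bot: `mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_1)` sets the protocol floor at TLS 1.0, so together with the CBC-SHA suites left in `ciphers[]` the server still completes a TLS 1.0 CBC handshake. The GCM suites added by this commit require TLS 1.2, so if client compatibility allows, `MBEDTLS_SSL_MINOR_VERSION_3` is the consistent floor; otherwise add a comment stating why 1.0 is accepted. Separately, `mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL)` with `MBEDTLS_SSL_VERIFY_OPTIONAL` makes the server's own certificate the only trust anchor, so client certificates are presumably never chain-validated by design. A comment saying so would keep later code from treating the verify result as authentication.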
@@ -211,11 +192,12 @@ void SSLi_init(void) void SSLi_deinit(void) { + mbedtls_ssl_config_free(conf); + free(conf); mbedtls_x509_crt_free(&certificate); mbedtls_pk_free(&key); } -/* Create SHA1 of last certificate in the peer's chain. */ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash) { mbedtls_x509_crt const *cert; @@ -232,42 +214,17 @@ SSL_handle_t *SSLi_newconnection(int *fd, bool_t *SSLready) { mbedtls_ssl_context *ssl; mbedtls_ssl_session *ssn; - mbedtls_ssl_config *conf; int rc; - ssl = calloc(1, sizeof(mbedtls_ssl_context)); - ssn = calloc(1, sizeof(mbedtls_ssl_session)); - conf = calloc(1, sizeof(mbedtls_ssl_config)); + ssl = Memory_safeCalloc(1, sizeof(mbedtls_ssl_context)); + ssn = Memory_safeCalloc(1, sizeof(mbedtls_ssl_session)); - if (!ssl || !ssn || !conf) + if (!ssl || !ssn) Log_fatal("Out of memory"); mbedtls_ssl_init(ssl); - mbedtls_ssl_config_init(conf); - - if((rc = mbedtls_ssl_config_defaults(conf, - MBEDTLS_SSL_IS_SERVER, - MBEDTLS_SSL_TRANSPORT_STREAM, - MBEDTLS_SSL_PRESET_DEFAULT)) != 0) - Log_fatal("mbedtls_ssl_config_defaults returned %d", rc); - - mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL); -#ifdef USE_MBEDTLS_HAVEGE - mbedtls_ssl_conf_rng(conf, HAVEGE_RAND, &hs); -#else - mbedtls_ssl_conf_rng(conf, urandom_bytes, NULL); -#endif - mbedtls_ssl_conf_dbg(conf, pssl_debug, NULL); mbedtls_ssl_set_bio(ssl, fd, mbedtls_net_send, mbedtls_net_recv, NULL); - mbedtls_ssl_conf_ciphersuites(conf, (const int*)&ciphers); mbedtls_ssl_set_session(ssl, ssn); - mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL); - - if((rc = mbedtls_ssl_conf_own_cert(conf, &certificate, &key)) != 0) - Log_fatal("mbedtls_ssl_conf_own_cert returned %d", rc); - - if((rc = mbedtls_ssl_conf_dh_param(conf, my_dhm_P, my_dhm_G)) != 0) - Log_fatal("mbedtls_ssl_conf_dh_param returned %d", rc); if((rc = mbedtls_ssl_setup(ssl, conf)) != 0) Log_fatal("mbedtls_ssl_setup returned %d", rc); 
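Review bot: After `free(conf);` in `SSLi_deinit` the file-scope pointer still holds the freed address, and `SSLi_newconnection` passes it to `mbedtls_ssl_setup` without a check; add `conf = NULL;` right after the free. The hunk also deletes the comment above `SSLi_getSHA1Hash` without a replacement. Restore it, or replace it with an accurate one-line description of which certificate in the peer's chain is hashed, because callers appear to rely on that hash to identify the peer.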
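Review bot: The retained call `mbedtls_ssl_set_session(ssl, ssn);` in `SSLi_newconnection` ignores its return value and runs before `mbedtls_ssl_setup(ssl, conf)`. As far as I know this is the client-side session-resumption API in mbedTLS 2.x and it rejects a context that is a server or not yet set up, so `ssn` is probably allocated for nothing on every connection. Since this commit already reworks the setup sequence, either drop `ssn` and the call or check the result, and confirm that the code freeing the handle also frees `ssn` (not visible here). The function body continues past the end of the hunk.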
@@ -332,9 +289,7 @@ void SSLi_shutdown(SSL_handle_t *ssl) void SSLi_free(SSL_handle_t *ssl) { Log_debug("SSLi_free"); - mbedtls_ssl_config_free((mbedtls_ssl_config*)ssl->conf); mbedtls_ssl_free(ssl); - free((mbedtls_ssl_config*)ssl->conf); free(ssl); }