-/* Copyright (C) 2015, Felix Morgner <felix.morgner@gmail.com>
+/* Copyright (C) 2015-2016, Felix Morgner <felix.morgner@gmail.com>
All rights reserved.
static gnutls_dh_params_t dhParameters;
static gnutls_certificate_credentials_t certificate;
-static const char * ciphers = "NORMAL";
+static const char * ciphers = "NONE:"
+ "+ECDHE-ECDSA:+ECDHE-RSA:+RSA:"
+ "+AES-256-GCM:+AES-128-GCM:"
+ "+AEAD:+SHA384:+SHA256:+SHA1:"
+ "+CURVE-ALL:"
+ "+COMP-NULL:"
+ "+SIGN-ALL:"
+ "+VERS-TLS1.2:+VERS-TLS1.0:"
+ "+CTYPE-X509";
+
static gnutls_priority_t cipherCache;
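Review bot: The new priority string still enables `+VERS-TLS1.0`, the `+SHA384:+SHA256:+SHA1` MACs and static `+RSA` key exchange, although the only ciphers it lists are AES-GCM. GCM suites are defined for TLS 1.2 only, so a TLS 1.0 peer should find no usable suite, and those version and MAC entries look like dead configuration; the mbedTLS backend in this commit sets its floor to TLS 1.2 explicitly. If TLS 1.2 is the intended minimum, drop `+VERS-TLS1.0` and the unused MACs so the string says what is actually negotiated. `+RSA` gives up forward secrecy; if it is kept for older clients, add a comment such as `/* +RSA kept for clients without ECDHE; no forward secrecy */`. `+SIGN-ALL` appears to admit every signature algorithm the library offers, so listing the intended ones would be tighter.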
void initializeCertificate()
if( error != GNUTLS_E_SUCCESS ) {
Log_fatal("Could not open key (%s) or certificate (%s).", keyPath, certificatePath);
}
-
}
void SSLi_init()
{
- unsigned const bitCount = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_MEDIUM);
-
- gnutls_priority_init(&cipherCache, ciphers, NULL);
- initializeCertificate();
-
- gnutls_dh_params_init(&dhParameters);
-
- Log_info("Generating Diffie-Hellman parameters (%i bits)", bitCount);
- int error = gnutls_dh_params_generate2(dhParameters, bitCount);
-
- if(!error) {
- Log_info("Successfully generated Diffie-Hellman parameters");
- } else {
- Log_warn("Failed to generate Diffie-Hellman parameters: %s", gnutls_strerror(error));
+ if(gnutls_priority_init(&cipherCache, ciphers, NULL) != GNUTLS_E_SUCCESS)
+ {
+ Log_fatal("Failed to set priorities");
}
- gnutls_certificate_set_dh_params(certificate, dhParameters);
+ initializeCertificate();
Log_info("Sucessfully initialized GNUTLS version %s", gnutls_check_version(NULL));
-
}
void SSLi_deinit()
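Review bot: The new check on `gnutls_priority_init` in `SSLi_init` discards both the return code and the error position, so a malformed priority string is reported only as "Failed to set priorities". Keeping the result and passing an `err_pos` pointer instead of `NULL` would let the log name the cause, e.g. `Log_fatal("Failed to set priorities: %s (near \"%s\")", gnutls_strerror(error), errorPosition);`. Separately, `dhParameters` is still declared at file scope but is no longer initialised here; if `SSLi_deinit` or the session setup outside this hunk still references it, that code should be removed with it.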
#include <mbedtls/x509.h>
#include <mbedtls/ssl.h>
#include <mbedtls/net.h>
+#include <mbedtls/sha1.h>
const int ciphers[] =
{
- MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
- MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+ MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+ MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+ MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
0
};
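Review bot: The two fallback entries `MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA` and `MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA` keep static-RSA key exchange with CBC and HMAC-SHA1 in the list, so a peer that lacks ECDHE-GCM still gets a session without forward secrecy. Because the same commit raises the minimum version to TLS 1.2, the only peers that need them are TLS 1.2 clients without GCM or ECDHE support, and it is worth confirming that such clients exist before keeping the suites. If they stay, document the reason above the array, for example `/* RSA-CBC-SHA kept for legacy clients; no forward secrecy */`. The GnuTLS priority string in this commit enables only GCM ciphers, so the two backends currently disagree on this fallback.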
static mbedtls_x509_crt certificate;
-static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path,
- const char *pwd)
+static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, const char *pwd)
{
int ret;
mbedtls_pk_init(pk);
ret = mbedtls_pk_parse_keyfile(pk, path, pwd);
- if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+ if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA) && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+ {
ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+ }
return ret;
}
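Review bot: With ECDSA keys now accepted by `x509parse_keyfile`, nothing in the visible hunks confirms that the loaded key matches the certificate's public key, so an RSA certificate paired with an EC key (or the reverse) would pass start-up and fail only at handshake time. A check in the caller once both files are loaded, such as `if (mbedtls_pk_check_pair(&certificate.pk, &key) != 0) Log_fatal("Private key does not match certificate");`, would turn that into a clear start-up error. The function would also benefit from a short comment above it stating that RSA and ECDSA keys are accepted and that any other key type yields `MBEDTLS_ERR_PK_TYPE_MISMATCH`.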
int urandom_fd;
#endif
-/* DH prime */
-char *my_dhm_P =
- "9CE85640903BF123906947FEDE767261" \
- "D9B4A973EB8F7D984A8C656E2BCC161C" \
- "183D4CA471BA78225F940F16D1D99CA3" \
- "E66152CC68EDCE1311A390F307741835" \
- "44FF6AB553EC7073AD0CB608F2A3B480" \
- "19E6C02BCED40BD30E91BB2469089670" \
- "DEF409C08E8AC24D1732A6128D2220DC53";
-char *my_dhm_G = "4";
-
-#ifdef USE_MBEDTLS_TESTCERT
-static void initTestCert()
-{
- int rc;
- builtInTestCertificate = true;
- rc = mbedtls_x509_crt_parse_rsa(&certificate, (unsigned char *)test_srv_crt,
- strlen(test_srv_crt));
-
- if (rc != 0)
- Log_fatal("Could not parse built-in test certificate");
-}
-
-static void initTestKey()
-{
- int rc;
-
- rc = mbedtls_x509parse_key_rsa(&key, (unsigned char *)test_srv_key,
- strlen(test_srv_key), NULL, 0);
- if (rc != 0)
- Log_fatal("Could not parse built-in test RSA key");
-}
-#endif
-
-/*
- * How to generate a self-signed cert with openssl:
- * openssl genrsa 1024 > host.key
- * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
- */
static void initCert()
{
int rc;
char *crtfile = (char *)getStrConf(CERTIFICATE);
if (crtfile == NULL) {
-#ifdef USE_MBEDTLS_TESTCERT
- Log_warn("No certificate file specified. Falling back to test certificate.");
- initTestCert();
-#else
Log_fatal("No certificate file specified");
-#endif
return;
}
rc = mbedtls_x509_crt_parse_file(&certificate, crtfile);
if (rc != 0) {
-#ifdef USE_MBEDTLS_TESTCERT
- Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile);
- initTestCert();
-#else
Log_fatal("Could not read certificate file '%s'", crtfile);
-#endif
return;
}
}
Log_fatal("No key file specified");
rc = x509parse_keyfile(&key, keyfile, NULL);
if (rc != 0)
- Log_fatal("Could not read RSA key file %s", keyfile);
+ Log_fatal("Could not read private key file %s", keyfile);
}
#ifndef USE_MBEDTLS_HAVEGE
int rc;
initCert();
-#ifdef USE_MBEDTLS_TESTCERT
- if (builtInTestCertificate) {
- Log_warn("*** Using built-in test certificate and RSA key ***");
- Log_warn("*** This is not secure! Please use a CA-signed certificate or create a key and self-signed certificate ***");
- initTestKey();
- }
- else
- initKey();
-#else
initKey();
-#endif
/* Initialize random number generator */
#ifdef USE_MBEDTLS_HAVEGE
#endif
mbedtls_ssl_conf_dbg(conf, pssl_debug, NULL);
+ mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
+
mbedtls_ssl_conf_ciphersuites(conf, (const int*)&ciphers);
mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL);
if((rc = mbedtls_ssl_conf_own_cert(conf, &certificate, &key)) != 0)
Log_fatal("mbedtls_ssl_conf_own_cert returned %d", rc);
- if((rc = mbedtls_ssl_conf_dh_param(conf, my_dhm_P, my_dhm_G)) != 0)
- Log_fatal("mbedtls_ssl_conf_dh_param returned %d", rc);
-
#ifdef MBEDTLS_VERSION_FEATURES
mbedtls_version_get_string(verstring);
Log_info("mbedTLS library version %s initialized", verstring);
mbedtls_pk_free(&key);
}
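Review bot: The added `mbedtls_ssl_conf_min_version` call has no comment, and `MBEDTLS_SSL_MAJOR_VERSION_3` / `MBEDTLS_SSL_MINOR_VERSION_3` do not read as a TLS version to anyone unfamiliar with the SSL 3.x numbering. A line such as `/* Require TLS 1.2 or newer (protocol version 3.3) */` above it would make the policy obvious. The GnuTLS backend's priority string in this commit still lists `+VERS-TLS1.0`, so it would help to state in one place which protocol floor is intended for both backends. The enclosing function starts outside this hunk.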
-/* Create SHA1 of last certificate in the peer's chain. */
bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
{
mbedtls_x509_crt const *cert;