Upgrade TLS suites for GnuTLS, mbedTLS and OpenSSL

[umurmur.git] / src / ssli_mbedtls.c

diff --git a/src/ssli_mbedtls.c b/src/ssli_mbedtls.c
index a843d976906c87cb51a2082f18a12bbbb36ef11d..0f55a9d168630f56f03539e809f66d376dba3bfa 100644 (file)
--- a/src/ssli_mbedtls.c
+++ b/src/ssli_mbedtls.c
@@ -43,25 +43,30 @@
 #include <mbedtls/x509.h>
 #include <mbedtls/ssl.h>
 #include <mbedtls/net.h>
+#include <mbedtls/sha1.h>
 
 const int ciphers[] =
 {
-    MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-    MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
-    MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
+       MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
+       MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
+       MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
+       MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
+       MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA,
+       MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA,
     0
 };
 
 static mbedtls_x509_crt certificate;
-static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path,
-                                    const char *pwd)
+static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, const char *pwd)
 {
     int ret;
 
     mbedtls_pk_init(pk);
     ret = mbedtls_pk_parse_keyfile(pk, path, pwd);
-    if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+    if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA) && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA))
+       {
         ret = MBEDTLS_ERR_PK_TYPE_MISMATCH;
+       }
 
     return ret;
 }
@@ -75,69 +80,20 @@ havege_state hs;
 int urandom_fd;
 #endif
 
-/* DH prime */
-char *my_dhm_P =
-       "9CE85640903BF123906947FEDE767261" \
-       "D9B4A973EB8F7D984A8C656E2BCC161C" \
-       "183D4CA471BA78225F940F16D1D99CA3" \
-       "E66152CC68EDCE1311A390F307741835" \
-       "44FF6AB553EC7073AD0CB608F2A3B480" \
-       "19E6C02BCED40BD30E91BB2469089670" \
-       "DEF409C08E8AC24D1732A6128D2220DC53";
-char *my_dhm_G = "4";
-
-#ifdef USE_MBEDTLS_TESTCERT
-static void initTestCert()
-{
-       int rc;
-       builtInTestCertificate = true;
-       rc = mbedtls_x509_crt_parse_rsa(&certificate, (unsigned char *)test_srv_crt,
-               strlen(test_srv_crt));
-
-       if (rc != 0)
-               Log_fatal("Could not parse built-in test certificate");
-}
-
-static void initTestKey()
-{
-       int rc;
-
-       rc = mbedtls_x509parse_key_rsa(&key, (unsigned char *)test_srv_key,
-                              strlen(test_srv_key), NULL, 0);
-       if (rc != 0)
-               Log_fatal("Could not parse built-in test RSA key");
-}
-#endif
-
-/*
- * How to generate a self-signed cert with openssl:
- * openssl genrsa 1024 > host.key
- * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert
- */
 static void initCert()
 {
        int rc;
        char *crtfile = (char *)getStrConf(CERTIFICATE);
 
        if (crtfile == NULL) {
-#ifdef USE_MBEDTLS_TESTCERT
-               Log_warn("No certificate file specified. Falling back to test certificate.");
-               initTestCert();
-#else
                Log_fatal("No certificate file specified");
-#endif
                return;
        }
 
        rc = mbedtls_x509_crt_parse_file(&certificate, crtfile);
 
        if (rc != 0) {
-#ifdef USE_MBEDTLS_TESTCERT
-               Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile);
-               initTestCert();
-#else
                Log_fatal("Could not read certificate file '%s'", crtfile);
-#endif
                return;
        }
 }
@@ -151,7 +107,7 @@ static void initKey()
                Log_fatal("No key file specified");
        rc = x509parse_keyfile(&key, keyfile, NULL);
        if (rc != 0)
-               Log_fatal("Could not read RSA key file %s", keyfile);
+               Log_fatal("Could not read private key file %s", keyfile);
 }
 
 #ifndef USE_MBEDTLS_HAVEGE
@@ -184,17 +140,7 @@ void SSLi_init(void)
        int rc;
 
        initCert();
-#ifdef USE_MBEDTLS_TESTCERT
-       if (builtInTestCertificate) {
-               Log_warn("*** Using built-in test certificate and RSA key ***");
-               Log_warn("*** This is not secure! Please use a CA-signed certificate or create a key and self-signed certificate ***");
-               initTestKey();
-       }
-       else
-               initKey();
-#else
        initKey();
-#endif
 
        /* Initialize random number generator */
 #ifdef USE_MBEDTLS_HAVEGE
@@ -227,6 +173,8 @@ void SSLi_init(void)
 #endif
        mbedtls_ssl_conf_dbg(conf, pssl_debug, NULL);
 
+       mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);
+
        mbedtls_ssl_conf_ciphersuites(conf, (const int*)&ciphers);
 
        mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL);
@@ -234,9 +182,6 @@ void SSLi_init(void)
        if((rc = mbedtls_ssl_conf_own_cert(conf, &certificate, &key)) != 0)
                Log_fatal("mbedtls_ssl_conf_own_cert returned %d", rc);
 
-       if((rc = mbedtls_ssl_conf_dh_param(conf, my_dhm_P, my_dhm_G)) != 0)
-               Log_fatal("mbedtls_ssl_conf_dh_param returned %d", rc);
-
 #ifdef MBEDTLS_VERSION_FEATURES
     mbedtls_version_get_string(verstring);
     Log_info("mbedTLS library version %s initialized", verstring);
@@ -253,7 +198,6 @@ void SSLi_deinit(void)
        mbedtls_pk_free(&key);
 }
 
-/* Create SHA1 of last certificate in the peer's chain. */
 bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash)
 {
        mbedtls_x509_crt const *cert;