X-Git-Url: http://git.code-monkey.de/?p=umurmur.git;a=blobdiff_plain;f=src%2Fssli_mbedtls.c;h=0f55a9d168630f56f03539e809f66d376dba3bfa;hp=a843d976906c87cb51a2082f18a12bbbb36ef11d;hb=c72ebd29f239793218f2248c3f8b48a7b3e0a541;hpb=dbf4a6828c7cdcf4c2d8f8535a76272847823809 diff --git a/src/ssli_mbedtls.c b/src/ssli_mbedtls.c index a843d97..0f55a9d 100644 --- a/src/ssli_mbedtls.c +++ b/src/ssli_mbedtls.c @@ -43,25 +43,30 @@ #include #include #include +#include const int ciphers[] = { - MBEDTLS_TLS_DHE_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, + MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, + MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA, + MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA, 0 }; static mbedtls_x509_crt certificate; -static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, - const char *pwd) +static inline int x509parse_keyfile(mbedtls_pk_context *pk, const char *path, const char *pwd) { int ret; mbedtls_pk_init(pk); ret = mbedtls_pk_parse_keyfile(pk, path, pwd); - if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) + if (ret == 0 && !mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA) && !mbedtls_pk_can_do(pk, MBEDTLS_PK_RSA)) + { ret = MBEDTLS_ERR_PK_TYPE_MISMATCH; + } return ret; } 
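Review bot: The new `ciphers[]` list still ends with `MBEDTLS_TLS_RSA_WITH_AES_256_CBC_SHA` and `MBEDTLS_TLS_RSA_WITH_AES_128_CBC_SHA`, so a client that does not offer the ECDHE-GCM suites still negotiates static-RSA key exchange with CBC and HMAC-SHA1, which has no forward secrecy. Removing the DHE suite also leaves those two as the only fallback. If they are kept on purpose for older clients, say so on the array, e.g. `/* static-RSA CBC suites kept only for clients without ECDHE/GCM; no forward secrecy */`; otherwise drop them. Note that once `x509parse_keyfile` accepts an ECDSA key, a server configured with one can only select the two `ECDHE_ECDSA` entries, which is worth a line in the configuration documentation.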
@@ -75,69 +80,20 @@ havege_state hs; int urandom_fd; #endif -/* DH prime */ -char *my_dhm_P = - "9CE85640903BF123906947FEDE767261" \ - "D9B4A973EB8F7D984A8C656E2BCC161C" \ - "183D4CA471BA78225F940F16D1D99CA3" \ - "E66152CC68EDCE1311A390F307741835" \ - "44FF6AB553EC7073AD0CB608F2A3B480" \ - "19E6C02BCED40BD30E91BB2469089670" \ - "DEF409C08E8AC24D1732A6128D2220DC53"; -char *my_dhm_G = "4"; - -#ifdef USE_MBEDTLS_TESTCERT -static void initTestCert() -{ - int rc; - builtInTestCertificate = true; - rc = mbedtls_x509_crt_parse_rsa(&certificate, (unsigned char *)test_srv_crt, - strlen(test_srv_crt)); - - if (rc != 0) - Log_fatal("Could not parse built-in test certificate"); -} - -static void initTestKey() -{ - int rc; - - rc = mbedtls_x509parse_key_rsa(&key, (unsigned char *)test_srv_key, - strlen(test_srv_key), NULL, 0); - if (rc != 0) - Log_fatal("Could not parse built-in test RSA key"); -} -#endif - -/* - * How to generate a self-signed cert with openssl: - * openssl genrsa 1024 > host.key - * openssl req -new -x509 -nodes -sha1 -days 365 -key host.key > host.cert - */ static void initCert() { int rc; char *crtfile = (char *)getStrConf(CERTIFICATE); if (crtfile == NULL) { -#ifdef USE_MBEDTLS_TESTCERT - Log_warn("No certificate file specified. Falling back to test certificate."); - initTestCert(); -#else Log_fatal("No certificate file specified"); -#endif return; } rc = mbedtls_x509_crt_parse_file(&certificate, crtfile); if (rc != 0) { -#ifdef USE_MBEDTLS_TESTCERT - Log_warn("Could not read certificate file '%s'. Falling back to test certificate.", crtfile); - initTestCert(); -#else Log_fatal("Could not read certificate file '%s'", crtfile); -#endif return; } } @@ -151,7 +107,7 @@ static void initKey() Log_fatal("No key file specified"); rc = x509parse_keyfile(&key, keyfile, NULL); if (rc != 0) - Log_fatal("Could not read RSA key file %s", keyfile); + Log_fatal("Could not read private key file %s", keyfile); } #ifndef USE_MBEDTLS_HAVEGE 
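Review bot: In the `initKey()` hunk, the key is now accepted as either RSA or ECDSA, but nothing in the visible hunks checks that it belongs to the certificate loaded by `initCert()`. An RSA certificate paired with an EC key (or the reverse) would, as far as this diff shows, only surface as handshake failures at runtime. Since `SSLi_init` calls `initCert()` before `initKey()`, a startup check after the parse would catch it: `if (mbedtls_pk_check_pair(&certificate.pk, &key) != 0) Log_fatal("Private key %s does not match the certificate", keyfile);`. Confirm the two-argument form against the mbedTLS version in use. Including `rc` in the existing "Could not read private key file" message would also separate an unreadable file from `MBEDTLS_ERR_PK_TYPE_MISMATCH`. The start of `initKey()` lies outside the hunk.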
@@ -184,17 +140,7 @@ void SSLi_init(void) int rc; initCert(); -#ifdef USE_MBEDTLS_TESTCERT - if (builtInTestCertificate) { - Log_warn("*** Using built-in test certificate and RSA key ***"); - Log_warn("*** This is not secure! Please use a CA-signed certificate or create a key and self-signed certificate ***"); - initTestKey(); - } - else - initKey(); -#else initKey(); -#endif /* Initialize random number generator */ #ifdef USE_MBEDTLS_HAVEGE @@ -227,6 +173,8 @@ void SSLi_init(void) #endif mbedtls_ssl_conf_dbg(conf, pssl_debug, NULL); + mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3); + mbedtls_ssl_conf_ciphersuites(conf, (const int*)&ciphers); mbedtls_ssl_conf_ca_chain(conf, &certificate, NULL); @@ -234,9 +182,6 @@ void SSLi_init(void) if((rc = mbedtls_ssl_conf_own_cert(conf, &certificate, &key)) != 0) Log_fatal("mbedtls_ssl_conf_own_cert returned %d", rc); - if((rc = mbedtls_ssl_conf_dh_param(conf, my_dhm_P, my_dhm_G)) != 0) - Log_fatal("mbedtls_ssl_conf_dh_param returned %d", rc); - #ifdef MBEDTLS_VERSION_FEATURES mbedtls_version_get_string(verstring); Log_info("mbedTLS library version %s initialized", verstring); @@ -253,7 +198,6 @@ void SSLi_deinit(void) mbedtls_pk_free(&key); } -/* Create SHA1 of last certificate in the peer's chain. */ bool_t SSLi_getSHA1Hash(SSL_handle_t *ssl, uint8_t *hash) { mbedtls_x509_crt const *cert;
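Review bot: The added `mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3);` in the `@@ -227,6 +173,8 @@` hunk of `SSLi_init` has no comment, and the constant names do not make it obvious that major 3 / minor 3 means TLS 1.2. A one-line comment above the call would record the intent, e.g. `/* Require TLS 1.2 or newer; the GCM suites in ciphers[] are TLS 1.2 only */`. Clients limited to TLS 1.0/1.1 will presumably fail the handshake after this change, so the minimum is worth stating in the release notes or sample configuration. `SSLi_init` begins and continues outside this hunk.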