MbedTLS: Don't use a dummy CA certificate on new library (no longer required)
This commit is contained in:
parent
e0f1c3b5bc
commit
1b7c6aff1a
2 changed files with 19 additions and 4 deletions
|
@ -65,9 +65,12 @@ typedef struct
|
||||||
static mbedtls_ctr_drbg_context ctr_drbg_ctx;
|
static mbedtls_ctr_drbg_context ctr_drbg_ctx;
|
||||||
static mbedtls_entropy_context entropy_ctx;
|
static mbedtls_entropy_context entropy_ctx;
|
||||||
|
|
||||||
static mbedtls_x509_crt dummy_ca_ctx;
|
|
||||||
static rb_mbedtls_cfg_context *rb_mbedtls_cfg = NULL;
|
static rb_mbedtls_cfg_context *rb_mbedtls_cfg = NULL;
|
||||||
|
|
||||||
|
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||||
|
static mbedtls_x509_crt dummy_ca_ctx;
|
||||||
|
#endif
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
struct ssl_connect
|
struct ssl_connect
|
||||||
|
@ -226,8 +229,10 @@ rb_mbedtls_cfg_new(void)
|
||||||
mbedtls_ssl_conf_rng(&cfg->server_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
|
mbedtls_ssl_conf_rng(&cfg->server_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
|
||||||
mbedtls_ssl_conf_rng(&cfg->client_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
|
mbedtls_ssl_conf_rng(&cfg->client_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
|
||||||
|
|
||||||
|
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||||
mbedtls_ssl_conf_ca_chain(&cfg->server_cfg, &dummy_ca_ctx, NULL);
|
mbedtls_ssl_conf_ca_chain(&cfg->server_cfg, &dummy_ca_ctx, NULL);
|
||||||
mbedtls_ssl_conf_ca_chain(&cfg->client_cfg, &dummy_ca_ctx, NULL);
|
mbedtls_ssl_conf_ca_chain(&cfg->client_cfg, &dummy_ca_ctx, NULL);
|
||||||
|
#endif
|
||||||
|
|
||||||
mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
||||||
mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE);
|
mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE);
|
||||||
|
@ -429,12 +434,14 @@ rb_init_ssl(void)
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||||
if((ret = mbedtls_x509_crt_parse_der(&dummy_ca_ctx, rb_mbedtls_dummy_ca_certificate,
|
if((ret = mbedtls_x509_crt_parse_der(&dummy_ca_ctx, rb_mbedtls_dummy_ca_certificate,
|
||||||
sizeof(rb_mbedtls_dummy_ca_certificate))) != 0)
|
sizeof(rb_mbedtls_dummy_ca_certificate))) != 0)
|
||||||
{
|
{
|
||||||
rb_lib_log("%s: x509_crt_parse_der (Dummy CA): %s", __func__, rb_ssl_strerror(ret));
|
rb_lib_log("%s: x509_crt_parse_der (Dummy CA): %s", __func__, rb_ssl_strerror(ret));
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
rb_lib_log("%s: MbedTLS backend initialised", __func__);
|
rb_lib_log("%s: MbedTLS backend initialised", __func__);
|
||||||
return 1;
|
return 1;
|
||||||
|
|
|
@ -152,8 +152,8 @@ static const int rb_mbedtls_ciphersuites[] = {
|
||||||
*
|
*
|
||||||
* BEFORE YOU THROW YOUR ARMS UP IN A PANIC ABOUT A BACKDOOR, READ THIS TEXT!
|
* BEFORE YOU THROW YOUR ARMS UP IN A PANIC ABOUT A BACKDOOR, READ THIS TEXT!
|
||||||
*
|
*
|
||||||
* ARM mbedTLS requires a CA certificate to be set in its configuration before it will
|
* ARM mbedTLS required a CA certificate to be set in its configuration before it will
|
||||||
* request a client certificate from peers. Since we want to do that, and not all
|
* process a client certificate from peers. Since we want to do that, and not all
|
||||||
* installations will have a CA certificate to hand, we have this.
|
* installations will have a CA certificate to hand, we have this.
|
||||||
*
|
*
|
||||||
* Its key was securely destroyed after being generated, but even if it wasn't, that
|
* Its key was securely destroyed after being generated, but even if it wasn't, that
|
||||||
|
@ -163,9 +163,15 @@ static const int rb_mbedtls_ciphersuites[] = {
|
||||||
* After all, it only cares about certificates in as far as to generate a fingerprint
|
* After all, it only cares about certificates in as far as to generate a fingerprint
|
||||||
* for them.
|
* for them.
|
||||||
*
|
*
|
||||||
* Yes, this is a massive hack, but there is no alternative.
|
* Yes, this is a massive hack, but there is no alternative for older versions.
|
||||||
|
*
|
||||||
|
* This issue was fixed in commit 39ae8cd2077d on the MbedTLS 2.5 development branch,
|
||||||
|
* released in version 2.5.1 on 19 June 2017. This certificate will not be used if
|
||||||
|
* that version (or greater) is installed.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||||
|
|
||||||
static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
|
static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
|
||||||
0x30, 0x82, 0x03, 0x35, 0x30, 0x82, 0x02, 0x1D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
|
0x30, 0x82, 0x03, 0x35, 0x30, 0x82, 0x02, 0x1D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
|
||||||
0x86, 0xC5, 0x1F, 0x62, 0xBE, 0xFC, 0x0B, 0xA8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
|
0x86, 0xC5, 0x1F, 0x62, 0xBE, 0xFC, 0x0B, 0xA8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
|
||||||
|
@ -221,4 +227,6 @@ static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
|
||||||
0xB3, 0x1F, 0x72, 0xDE, 0x2A, 0x28, 0xFE, 0x7C, 0x2D
|
0xB3, 0x1F, 0x72, 0xDE, 0x2A, 0x28, 0xFE, 0x7C, 0x2D
|
||||||
};
|
};
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_VERSION_NUMBER */
|
||||||
|
|
||||||
#endif /* RB_MBEDTLS_EMBEDDED_DATA_H */
|
#endif /* RB_MBEDTLS_EMBEDDED_DATA_H */
|
||||||
|
|
Loading…
Reference in a new issue