MbedTLS: Don't use a dummy CA certificate on new library (no longer required)
This commit is contained in:
Aaron Jones
parent
e0f1c3b5bc
commit
1b7c6aff1a
2 changed files with 19 additions and 4 deletions
|
|
@ -65,9 +65,12 @@ typedef struct
|
|||
static mbedtls_ctr_drbg_context ctr_drbg_ctx;
|
||||
static mbedtls_entropy_context entropy_ctx;
|
||||
|
||||
static mbedtls_x509_crt dummy_ca_ctx;
|
||||
static rb_mbedtls_cfg_context *rb_mbedtls_cfg = NULL;
|
||||
|
||||
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||
static mbedtls_x509_crt dummy_ca_ctx;
|
||||
#endif
|
||||
|
||||
|
||||
|
||||
struct ssl_connect
|
||||
|
|
@ -226,8 +229,10 @@ rb_mbedtls_cfg_new(void)
|
|||
mbedtls_ssl_conf_rng(&cfg->server_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
|
||||
mbedtls_ssl_conf_rng(&cfg->client_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
|
||||
|
||||
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||
mbedtls_ssl_conf_ca_chain(&cfg->server_cfg, &dummy_ca_ctx, NULL);
|
||||
mbedtls_ssl_conf_ca_chain(&cfg->client_cfg, &dummy_ca_ctx, NULL);
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
||||
mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE);
|
||||
|
|
@ -429,12 +434,14 @@ rb_init_ssl(void)
|
|||
return 0;
|
||||
}
|
||||
|
||||
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||
if((ret = mbedtls_x509_crt_parse_der(&dummy_ca_ctx, rb_mbedtls_dummy_ca_certificate,
|
||||
sizeof(rb_mbedtls_dummy_ca_certificate))) != 0)
|
||||
{
|
||||
rb_lib_log("%s: x509_crt_parse_der (Dummy CA): %s", __func__, rb_ssl_strerror(ret));
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
rb_lib_log("%s: MbedTLS backend initialised", __func__);
|
||||
return 1;
|
||||
|
|
|
|||
|
|
@ -152,8 +152,8 @@ static const int rb_mbedtls_ciphersuites[] = {
|
|||
*
|
||||
* BEFORE YOU THROW YOUR ARMS UP IN A PANIC ABOUT A BACKDOOR, READ THIS TEXT!
|
||||
*
|
||||
* ARM mbedTLS requires a CA certificate to be set in its configuration before it will
|
||||
* request a client certificate from peers. Since we want to do that, and not all
|
||||
* ARM mbedTLS required a CA certificate to be set in its configuration before it will
|
||||
* process a client certificate from peers. Since we want to do that, and not all
|
||||
* installations will have a CA certificate to hand, we have this.
|
||||
*
|
||||
* Its key was securely destroyed after being generated, but even if it wasn't, that
|
||||
|
|
@ -163,9 +163,15 @@ static const int rb_mbedtls_ciphersuites[] = {
|
|||
* After all, it only cares about certificates in as far as to generate a fingerprint
|
||||
* for them.
|
||||
*
|
||||
* Yes, this is a massive hack, but there is no alternative.
|
||||
* Yes, this is a massive hack, but there is no alternative for older versions.
|
||||
*
|
||||
* This issue was fixed in commit 39ae8cd2077d on the MbedTLS 2.5 development branch,
|
||||
* released in version 2.5.1 on 19 June 2017. This certificate will not be used if
|
||||
* that version (or greater) is installed.
|
||||
*/
|
||||
|
||||
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
|
||||
|
||||
static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
|
||||
0x30, 0x82, 0x03, 0x35, 0x30, 0x82, 0x02, 0x1D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
|
||||
0x86, 0xC5, 0x1F, 0x62, 0xBE, 0xFC, 0x0B, 0xA8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
|
||||
|
|
@ -221,4 +227,6 @@ static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
|
|||
0xB3, 0x1F, 0x72, 0xDE, 0x2A, 0x28, 0xFE, 0x7C, 0x2D
|
||||
};
|
||||
|
||||
#endif /* MBEDTLS_VERSION_NUMBER */
|
||||
|
||||
#endif /* RB_MBEDTLS_EMBEDDED_DATA_H */
|
||||
|
|
|
|||
Loading…
Reference in a new issue