MbedTLS: Don't use a dummy CA certificate on new library (no longer required)

This commit is contained in:
Aaron Jones 2017-06-22 11:12:21 +00:00
parent e0f1c3b5bc
commit 1b7c6aff1a
No known key found for this signature in database
GPG key ID: 8AF0737488AB3012
2 changed files with 19 additions and 4 deletions

View file

@ -65,9 +65,12 @@ typedef struct
static mbedtls_ctr_drbg_context ctr_drbg_ctx;
static mbedtls_entropy_context entropy_ctx;
static mbedtls_x509_crt dummy_ca_ctx;
static rb_mbedtls_cfg_context *rb_mbedtls_cfg = NULL;
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
static mbedtls_x509_crt dummy_ca_ctx;
#endif
struct ssl_connect
@ -226,8 +229,10 @@ rb_mbedtls_cfg_new(void)
mbedtls_ssl_conf_rng(&cfg->server_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
mbedtls_ssl_conf_rng(&cfg->client_cfg, mbedtls_ctr_drbg_random, &ctr_drbg_ctx);
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
mbedtls_ssl_conf_ca_chain(&cfg->server_cfg, &dummy_ca_ctx, NULL);
mbedtls_ssl_conf_ca_chain(&cfg->client_cfg, &dummy_ca_ctx, NULL);
#endif
mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE);
@ -429,12 +434,14 @@ rb_init_ssl(void)
return 0;
}
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
if((ret = mbedtls_x509_crt_parse_der(&dummy_ca_ctx, rb_mbedtls_dummy_ca_certificate,
sizeof(rb_mbedtls_dummy_ca_certificate))) != 0)
{
rb_lib_log("%s: x509_crt_parse_der (Dummy CA): %s", __func__, rb_ssl_strerror(ret));
return 0;
}
#endif
rb_lib_log("%s: MbedTLS backend initialised", __func__);
return 1;

View file

@ -152,8 +152,8 @@ static const int rb_mbedtls_ciphersuites[] = {
*
* BEFORE YOU THROW YOUR ARMS UP IN A PANIC ABOUT A BACKDOOR, READ THIS TEXT!
*
* ARM mbedTLS requires a CA certificate to be set in its configuration before it will
* request a client certificate from peers. Since we want to do that, and not all
* ARM mbedTLS required a CA certificate to be set in its configuration before it will
* process a client certificate from peers. Since we want to do that, and not all
* installations will have a CA certificate to hand, we have this.
*
* Its key was securely destroyed after being generated, but even if it wasn't, that
@ -163,9 +163,15 @@ static const int rb_mbedtls_ciphersuites[] = {
* After all, it only cares about certificates in as far as to generate a fingerprint
* for them.
*
* Yes, this is a massive hack, but there is no alternative.
* Yes, this is a massive hack, but there is no alternative for older versions.
*
* This issue was fixed in commit 39ae8cd2077d on the MbedTLS 2.5 development branch,
* released in version 2.5.1 on 19 June 2017. This certificate will not be used if
* that version (or greater) is installed.
*/
#if (MBEDTLS_VERSION_NUMBER < 0x02050100)
static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
0x30, 0x82, 0x03, 0x35, 0x30, 0x82, 0x02, 0x1D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0x02, 0x09, 0x00,
0x86, 0xC5, 0x1F, 0x62, 0xBE, 0xFC, 0x0B, 0xA8, 0x30, 0x0D, 0x06, 0x09, 0x2A, 0x86, 0x48, 0x86,
@ -221,4 +227,6 @@ static const unsigned char rb_mbedtls_dummy_ca_certificate[825] = {
0xB3, 0x1F, 0x72, 0xDE, 0x2A, 0x28, 0xFE, 0x7C, 0x2D
};
#endif /* MBEDTLS_VERSION_NUMBER */
#endif /* RB_MBEDTLS_EMBEDDED_DATA_H */