Commit graph

22 commits

Author SHA1 Message Date
Ed Kellett
c07751a50d Remove hardcoded TLSv1 disables 2020-11-01 04:07:24 +00:00
Aaron Jones
e081bf2988
libratbox/src/mbedtls.c: check public/private keys match 2018-01-06 16:05:48 +00:00
Aaron Jones
515467e527
mbedtls.c: minor fixups
- Add (void) casts for unused function parameters
- Rearrange member in `struct rb_mbedtls_cfg_context' for data alignment
- Document a `clang-4.0 -Weverything' (-Wcast-qual) diagnostic
- Avoid pointless conversions between positive/negative error codes
- Use capital hexadecimals in error codes and properly cast to
  (unsigned int) for %x/%X
2017-07-30 18:41:32 +01:00
Aaron Jones
c3abf98286
MbedTLS: Disable TLSv1.0 2016-12-30 17:59:48 +00:00
Aaron Jones
05281d7a0d
TLS backends: Move some library-dependent functions to the proper location
The comment incorrectly stated these were library-agnostic; infact, they
use library-dependent data types or macro names.
2016-11-15 12:16:03 +00:00
Aaron Jones
dd066596dc
MbedTLS: Forward-port release/3.5 improvements
The changes made in this file are detailed in release/3.5 commits
295c8f7d37 through 265dc4e53c inclusive.

Some slight alterations are necessary; librb instead of libratbox,
snprintf() instead of rb_snprintf(), etc. Also, release/4 has
offline certificate digesting functionality. For more insight,
simply diff the mbedtls.c between release/3.5 and release/4.
2016-09-17 17:19:31 +00:00
Aaron Jones
c4acd427ac
MbedTLS: Misc backend cleanups
This is a forward-port of release/3.5 commit 566f4678

* Add generic direction enum for negotiation setup.

* Rename a rather long wrapper function to a shorter one consistent with
  what it does.

* Rework context setup function.

* Don't check for handshake state before beginning handshaking.

  The old backend began a handshake and then stepped into the callback
  function if it was interrupted; the current one just jumps right into
  it, so there is no need to check if it has previously succeeded,
  because it hasn't been attempted yet.

* Add missing errno assignment to one of the handshake wrappers.

* Don't bother checking if SSL_P(F) is NULL when we already checked if
  F->ssl is NULL -- this should be impossible.

* Don't bother checking if SSL_C(F) is NULL -- this was a no-op.

* Change the socket send and recv functions to not peer into a foreign
  ratbox structure -- use the correct function to get the socket fd.

* Rewrap some lines and function arguments.

Other backends will be brought into line with this backend soon.

This will enable easier maintenance of the backends, by reducing the
diffs between them, which should make different behaviour easier to
spot.
2016-09-10 08:51:09 +00:00
Aaron Jones
73c486c7a5
MbedTLS: Treat 0 bytes read/written to socket properly
At the moment, if a link quits in just the right (wrong [1]) way,
the quit reason will resemble:

    <-- foo (~bar@baz) has quit (Read error: (-0x0) )

This should resolve that.

[1] Peers should send a close_notify alert before abruptly shutting
    down their socket. This will result in a sane quit message:

    <-- foo (~bar@baz) has quit (Read error: (-0x7880) SSL -
    The peer notified us that the connection is going to be closed)

[ci skip]
2016-09-09 01:47:18 +00:00
Aaron Jones
7272518795
MbedTLS: Initial attempt to port release/3.5 commit 89d4c468 to this branch 2016-09-04 03:50:29 +00:00
Aaron Jones
31145ea0b3
TLS Backends: Harmomise the rb_ssl_get_cipher() function
The GNUTLS backend reports the version in use for the client as well
as its ciphersuite -- do the same for the other 2 backends.
2016-08-20 04:16:33 +01:00
Aaron Jones
2bf9371a07
mbedtls backend: indicate reason for TLS session termination
[ci skip]
2016-06-12 11:33:09 +00:00
Aaron Jones
1e7342d0f4
[mbedtls] Various fixes and improvements
* Move certificate, key, DH parameters and configuration to heap
  (Documentation states that setting new configuration, e.g.
   during a rehash, is unsupported while connections using that
   configuration are active)

  This is the same approach as the fix for #186

  Refcount these structures so as to not introduce a memory leak

  On rehash, it will use new structures only if there are no
  errors in constructing them

* Make fingerprint generation work for TLS connections

  See the comments in the newly created file for an explanation

* Fix memory leak when generating a fingerprint from a file

* Add better error-reporting (strings in addition to numbers)
  where possible

* Coalesce several connection memory allocations into one function

* Reduce boilerplate where possible (Charybdis targets C99)

* Support private key being in certificate file, and having no
  DH parameters file

* Correct erroneous closing comment
2016-05-05 03:47:57 +00:00
Aaron Jones
c40eede13b
[TLS Backends] Make version strings more useful and consistent 2016-05-05 03:47:46 +00:00
Aaron Jones
6a7ea191a7
[mbedtls] correct printf argument count
[ci skip]
2016-04-27 22:11:19 +00:00
Aaron Jones
e3760ba710
[TLS backends] Miscellaneous fixes
* Certificate fingerprint length functions return an "int", so use an
  int when calculating the length
* Clean up the OpenSSL certificate fingerprint if() and indentation mess
2016-04-27 21:45:19 +00:00
Simon Arlott
0346918701
add mkfingerprint program 2016-04-26 20:49:03 +01:00
Simon Arlott
5ad62c80ee
librb: remove socklen parameter from rb_connect_tcp 2016-04-24 17:11:20 +01:00
Simon Arlott
cf430c1a40
ssld: Add new certfp_methods spki_sha256 and spki_sha512
These operate on the SubjectPublicKeyInfo of the certificate, which does
change unless the private key is changed. This allows the fingerprint to
stay constant even if the certificate is reissued.

(The same fingerprint is also used by DANE)
2016-04-23 22:51:05 +01:00
Simon Arlott
7da82465a8
librb: mbedtls: fix rb_get_ssl_certfp()
Add missing break statements.
Return the hash length on success.
2016-04-23 22:45:13 +01:00
Matt Ullman
c056dba233 Remove the rest of the SVN id tags 2016-03-23 20:13:12 -04:00
Elizabeth Myers
fe037171d6 Change all leftover libratbox stuff to librb. 2016-03-06 03:49:27 -06:00
William Pitcock
c83f2f5e12 rename libratbox to librb, since its pretty modified anyway 2016-03-06 02:30:20 -06:00
Renamed from libratbox/src/mbedtls.c (Browse further)