diff options
Diffstat (limited to 'src')
| -rw-r--r-- | src/supplemental/tls/mbedtls/tls.c | 42 | ||||
| -rw-r--r-- | src/supplemental/tls/tls_common.c | 2 | ||||
| -rw-r--r-- | src/supplemental/tls/tls_test.c | 6 |
3 files changed, 41 insertions, 9 deletions
diff --git a/src/supplemental/tls/mbedtls/tls.c b/src/supplemental/tls/mbedtls/tls.c index 1f9453c1..a216b3a6 100644 --- a/src/supplemental/tls/mbedtls/tls.c +++ b/src/supplemental/tls/mbedtls/tls.c @@ -1,5 +1,5 @@ // -// Copyright 2020 Staysail Systems, Inc. <info@staysail.tech> +// Copyright 2021 Staysail Systems, Inc. <info@staysail.tech> // Copyright 2018 Capitar IT Group BV <info@capitar.com> // Copyright 2019 Devolutions <info@devolutions.net> // @@ -44,13 +44,13 @@ static nni_mtx rng_lock; #endif struct nng_tls_engine_conn { - void * tls; // parent conn + void *tls; // parent conn mbedtls_ssl_context ctx; }; struct nng_tls_engine_config { mbedtls_ssl_config cfg_ctx; - char * server_name; + char *server_name; mbedtls_x509_crt ca_certs; mbedtls_x509_crl crl; int min_ver; @@ -104,14 +104,29 @@ static struct { int tls; int nng; } tls_errs[] = { +#ifdef MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE { MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE, NNG_EPEERAUTH }, +#endif +#ifdef MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED { MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED, NNG_EPEERAUTH }, +#endif +#ifdef MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED { MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED, NNG_EPEERAUTH }, +#endif +#ifdef MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE { MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE, NNG_EPEERAUTH }, +#endif { MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY, NNG_ECONNREFUSED }, { MBEDTLS_ERR_SSL_ALLOC_FAILED, NNG_ENOMEM }, { MBEDTLS_ERR_SSL_TIMEOUT, NNG_ETIMEDOUT }, { MBEDTLS_ERR_SSL_CONN_EOF, NNG_ECLOSED }, +// MbedTLS 3.0 error codes +#ifdef MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE + { MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, NNG_EPEERAUTH }, +#endif +#ifdef MBEDTLS_ERR_SSL_BAD_CERTIFICATE + { MBEDTLS_ERR_SSL_BAD_CERTIFICATE, NNG_EPEERAUTH }, +#endif // terminator { 0, 0 }, }; @@ -337,7 +352,7 @@ config_server_name(nng_tls_engine_config *cfg, const char *name) if ((dup = nni_strdup(name)) == NULL) { return (NNG_ENOMEM); } - if (cfg->server_name) { + if (cfg->server_name != NULL) { nni_strfree(cfg->server_name); } cfg->server_name = dup; @@ -395,7 +410,7 @@ config_own_cert(nng_tls_engine_config *cfg, const char *cert, const char *key, { size_t len; const uint8_t *pem; - pair * p; + pair *p; int rv; if ((p = NNI_ALLOC_STRUCT(p)) == NULL) { @@ -413,8 +428,13 @@ config_own_cert(nng_tls_engine_config *cfg, const char *cert, const char *key, pem = (const uint8_t *) key; len = strlen(key) + 1; - rv = mbedtls_pk_parse_key(&p->key, pem, len, (const uint8_t *) pass, - pass != NULL ? strlen(pass) : 0); +#if MBEDTLS_VERSION_MAJOR < 3 + rv = mbedtls_pk_parse_key(&p->key, pem, len, (const uint8_t *) pass, + pass != NULL ? strlen(pass) : 0); +#else + rv = mbedtls_pk_parse_key(&p->key, pem, len, (const uint8_t *) pass, + pass != NULL ? strlen(pass) : 0, tls_random, NULL); +#endif if (rv != 0) { rv = tls_mk_err(rv); goto err; @@ -448,12 +468,16 @@ config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver, return (NNG_ENOTSUP); } switch (min_ver) { +#ifdef MBEDTLS_SSL_MINOR_VERSION_1 case NNG_TLS_1_0: v1 = MBEDTLS_SSL_MINOR_VERSION_1; break; +#endif +#ifdef MBEDTLS_SSL_MINOR_VERSION_2 case NNG_TLS_1_1: v1 = MBEDTLS_SSL_MINOR_VERSION_2; break; +#endif case NNG_TLS_1_2: v1 = MBEDTLS_SSL_MINOR_VERSION_3; break; @@ -462,12 +486,16 @@ config_version(nng_tls_engine_config *cfg, nng_tls_version min_ver, } switch (max_ver) { +#ifdef MBEDTLS_SSL_MINOR_VERSION_1 case NNG_TLS_1_0: v2 = MBEDTLS_SSL_MINOR_VERSION_1; break; +#endif +#ifdef MBEDTLS_SSL_MINOR_VERSION_2 case NNG_TLS_1_1: v2 = MBEDTLS_SSL_MINOR_VERSION_2; break; +#endif case NNG_TLS_1_2: case NNG_TLS_1_3: // We lack support for 1.3, so treat as 1.2. v2 = MBEDTLS_SSL_MINOR_VERSION_3; diff --git a/src/supplemental/tls/tls_common.c b/src/supplemental/tls/tls_common.c index 2ae50f15..404a8cf7 100644 --- a/src/supplemental/tls/tls_common.c +++ b/src/supplemental/tls/tls_common.c @@ -1374,7 +1374,7 @@ nng_tls_config_alloc(nng_tls_config **cfg_p, nng_tls_mode mode) return (NNG_ENOTSUP); } - size = NNI_ALIGN_UP(sizeof(*cfg) + eng->config_ops->size); + size = NNI_ALIGN_UP(sizeof(*cfg)) + eng->config_ops->size; if ((cfg = nni_zalloc(size)) == NULL) { return (NNG_ENOMEM); diff --git a/src/supplemental/tls/tls_test.c b/src/supplemental/tls/tls_test.c index 244f68ca..96d95fb6 100644 --- a/src/supplemental/tls/tls_test.c +++ b/src/supplemental/tls/tls_test.c @@ -28,7 +28,10 @@ test_tls_config_version(void) NUTS_FAIL(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_3 + 1), NNG_ENOTSUP); - // Verify that we *can* configure some various ranges. + // Verify that we *can* configure some various ranges starting with + // TLS v1.2. Note that some libraries no longer support TLS 1.0 + // and TLS 1.1, so we don't test for them. +#if 0 NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_0)); NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_1)); NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_0, NNG_TLS_1_2)); @@ -36,6 +39,7 @@ test_tls_config_version(void) NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_1)); NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_2)); NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_1, NNG_TLS_1_3)); +#endif NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_2)); NUTS_PASS(nng_tls_config_version(cfg, NNG_TLS_1_2, NNG_TLS_1_3)); |