Merge pull request #278 from edk0/override

[solanum.git] / librb / src / mbedtls.c

diff --git a/librb/src/mbedtls.c b/librb/src/mbedtls.c
index cf388cb8696d65d176c73ed3fff253c351b5fd0e..25bbb0fb8a52a36d6a3e5b0362fd6d04fd4dac66 100644 (file)
--- a/librb/src/mbedtls.c
+++ b/librb/src/mbedtls.c
@@ -50,8 +50,8 @@ typedef struct
        mbedtls_dhm_context      dhp;
        mbedtls_ssl_config       server_cfg;
        mbedtls_ssl_config       client_cfg;
-       int                      suites[RB_MAX_CIPHERSUITES + 1];
        size_t                   refcount;
+       int                      suites[RB_MAX_CIPHERSUITES + 1];
 } rb_mbedtls_cfg_context;
 
 typedef struct
@@ -81,9 +81,6 @@ struct ssl_connect
 static const char *rb_ssl_strerror(int);
 static void rb_ssl_connect_realcb(rb_fde_t *, int, struct ssl_connect *);
 
-static int rb_sock_net_recv(void *, unsigned char *, size_t);
-static int rb_sock_net_xmit(void *, const unsigned char *, size_t);
-
 
 
 /*
@@ -118,6 +115,32 @@ rb_mbedtls_cfg_decref(rb_mbedtls_cfg_context *const cfg)
        rb_free(cfg);
 }
 
+static int
+rb_sock_net_recv(void *const context_ptr, unsigned char *const buf, const size_t count)
+{
+       const int fd = rb_get_fd((rb_fde_t *)context_ptr);
+
+       const int ret = (int) read(fd, buf, count);
+
+       if(ret < 0 && rb_ignore_errno(errno))
+               return MBEDTLS_ERR_SSL_WANT_READ;
+
+       return ret;
+}
+
+static int
+rb_sock_net_xmit(void *const context_ptr, const unsigned char *const buf, const size_t count)
+{
+       const int fd = rb_get_fd((rb_fde_t *)context_ptr);
+
+       const int ret = (int) write(fd, buf, count);
+
+       if(ret < 0 && rb_ignore_errno(errno))
+               return MBEDTLS_ERR_SSL_WANT_WRITE;
+
+       return ret;
+}
+
 static void
 rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir)
 {
@@ -130,7 +153,7 @@ rb_ssl_init_fd(rb_fde_t *const F, const rb_fd_tls_direction dir)
                return;
        }
 
-       mbedtls_ssl_config *mbed_config;
+       mbedtls_ssl_config *mbed_config = NULL;
 
        switch(dir)
        {
@@ -210,6 +233,9 @@ rb_mbedtls_cfg_new(void)
        mbedtls_ssl_conf_authmode(&cfg->server_cfg, MBEDTLS_SSL_VERIFY_OPTIONAL);
        mbedtls_ssl_conf_authmode(&cfg->client_cfg, MBEDTLS_SSL_VERIFY_NONE);
 
+       mbedtls_ssl_conf_min_version(&cfg->server_cfg, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2);
+       mbedtls_ssl_conf_min_version(&cfg->client_cfg, MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_2);
+
        #ifdef MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE
        mbedtls_ssl_conf_legacy_renegotiation(&cfg->client_cfg, MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE);
        #endif
@@ -229,6 +255,8 @@ rb_ssl_accept_common(rb_fde_t *const F, void *const data)
        lrb_assert(F->accept->callback != NULL);
        lrb_assert(F->ssl != NULL);
 
+       (void) data;
+
        const int ret = mbedtls_ssl_handshake(SSL_P(F));
 
        switch(ret)
@@ -288,16 +316,19 @@ rb_ssl_connect_common(rb_fde_t *const F, void *const data)
 }
 
 static const char *
-rb_ssl_strerror(const int err)
+rb_ssl_strerror(int err)
 {
        static char errbuf[512];
 
+       if (err < 0)
+               err = -err;
+
 #ifdef MBEDTLS_ERROR_C
        char mbed_errbuf[512];
        mbedtls_strerror(err, mbed_errbuf, sizeof mbed_errbuf);
-       (void) snprintf(errbuf, sizeof errbuf, "-0x%x: %s", -err, mbed_errbuf);
+       (void) snprintf(errbuf, sizeof errbuf, "-0x%X: %s", (unsigned int) err, mbed_errbuf);
 #else
-       (void) snprintf(errbuf, sizeof errbuf, "-0x%x", -err);
+       (void) snprintf(errbuf, sizeof errbuf, "-0x%X", (unsigned int) err);
 #endif
 
        return errbuf;
@@ -342,6 +373,9 @@ rb_make_certfp(const mbedtls_x509_crt *const peer_cert, uint8_t certfp[const RB_
 
        if(spki)
        {
+               // Compiler may complain about dropping const qualifier on the cast below
+               // See <https://github.com/ARMmbed/mbedtls/issues/396> -- this is okay
+
                unsigned char der_pubkey[8192];
                if((ret = mbedtls_pk_write_pubkey_der((mbedtls_pk_context *)&peer_cert->pk,
                                                       der_pubkey, sizeof der_pubkey)) < 0)
@@ -450,6 +484,12 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
                rb_mbedtls_cfg_decref(newcfg);
                return 0;
        }
+       if((ret = mbedtls_pk_check_pair(&newcfg->crt.pk, &newcfg->key)) != 0)
+       {
+               rb_lib_log("%s: pk_check_pair: public/private key mismatch", __func__);
+               rb_mbedtls_cfg_decref(newcfg);
+               return 0;
+       }
        if((ret = mbedtls_ssl_conf_own_cert(&newcfg->server_cfg, &newcfg->crt, &newcfg->key)) != 0)
        {
                rb_lib_log("%s: ssl_conf_own_cert (server): %s", __func__, rb_ssl_strerror(ret));
@@ -566,6 +606,9 @@ rb_setup_ssl_server(const char *const certfile, const char *keyfile,
 int
 rb_init_prng(const char *const path, prng_seed_t seed_type)
 {
+       (void) path;
+       (void) seed_type;
+
        rb_lib_log("%s: Skipping PRNG initialisation; not required by MbedTLS backend", __func__);
        return 1;
 }
@@ -588,7 +631,7 @@ const char *
 rb_get_ssl_strerror(rb_fde_t *const F)
 {
        const int err = (int) F->ssl_errno;
-       return rb_ssl_strerror(-err);
+       return rb_ssl_strerror(err);
 }
 
 int
@@ -721,6 +764,8 @@ rb_ssl_connect_realcb(rb_fde_t *const F, const int status, struct ssl_connect *c
 static void
 rb_ssl_timeout_cb(rb_fde_t *const F, void *const data)
 {
+       (void) data;
+
        lrb_assert(F->accept != NULL);
        lrb_assert(F->accept->callback != NULL);
 
@@ -753,32 +798,6 @@ rb_ssl_tryconn(rb_fde_t *const F, const int status, void *const data)
        rb_ssl_connect_common(F, sconn);
 }
 
-static int
-rb_sock_net_recv(void *const context_ptr, unsigned char *const buf, const size_t count)
-{
-       const int fd = rb_get_fd((rb_fde_t *)context_ptr);
-
-       const int ret = (int) read(fd, buf, count);
-
-       if(ret < 0 && rb_ignore_errno(errno))
-               return MBEDTLS_ERR_SSL_WANT_READ;
-
-       return ret;
-}
-
-static int
-rb_sock_net_xmit(void *const context_ptr, const unsigned char *const buf, const size_t count)
-{
-       const int fd = rb_get_fd((rb_fde_t *)context_ptr);
-
-       const int ret = (int) write(fd, buf, count);
-
-       if(ret < 0 && rb_ignore_errno(errno))
-               return MBEDTLS_ERR_SSL_WANT_WRITE;
-
-       return ret;
-}
-
 
 
 /*