mirror of
https://github.com/cesanta/mongoose.git
synced 2024-11-27 20:59:00 +08:00
mbedtls CRL support
Certificate revocation checking when using mbedtls
This commit is contained in:
parent
b5147a149e
commit
383653d608
@ -1802,6 +1802,7 @@ while ((mg_mqtt_parse(buf, len, &mm)) == 0) {
|
|||||||
```c
|
```c
|
||||||
struct mg_tls_opts {
|
struct mg_tls_opts {
|
||||||
const char *ca; // CA certificate file. For both listeners and clients
|
const char *ca; // CA certificate file. For both listeners and clients
|
||||||
|
const char *crl; // Certificate Revocation List. For clients
|
||||||
const char *cert; // Certificate
|
const char *cert; // Certificate
|
||||||
const char *certkey; // Certificate key
|
const char *certkey; // Certificate key
|
||||||
const char *ciphers; // Cipher list
|
const char *ciphers; // Cipher list
|
||||||
@ -1813,6 +1814,9 @@ TLS initialisation structure:
|
|||||||
- `ca` - Certificate Authority. Can be a filename or a string. Used to verify
|
- `ca` - Certificate Authority. Can be a filename or a string. Used to verify
|
||||||
a certificate that the other end sends to us. If NULL, then certificate checking
|
a certificate that the other end sends to us. If NULL, then certificate checking
|
||||||
is disabled
|
is disabled
|
||||||
|
- `crl` - Certificate Revocation List. Can be a filename or a string. Used to
|
||||||
|
verify a certificate that the other end sends to us. If NULL, then certificate
|
||||||
|
revocation checking is disabled
|
||||||
- `cert` - Our own certificate. Can be a filename, or a string. If NULL, then
|
- `cert` - Our own certificate. Can be a filename, or a string. If NULL, then
|
||||||
we don't authenticate with the other peer
|
we don't authenticate with the other peer
|
||||||
- `certkey` - A key for a `cert`. Sometimes, a certificate and its key are
|
- `certkey` - A key for a `cert`. Sometimes, a certificate and its key are
|
||||||
|
24
mongoose.c
24
mongoose.c
@ -3704,6 +3704,7 @@ EXTERN_C int mbedtls_net_send(void *, const unsigned char *, size_t);
|
|||||||
struct mg_tls {
|
struct mg_tls {
|
||||||
char *cafile; // CA certificate path
|
char *cafile; // CA certificate path
|
||||||
mbedtls_x509_crt ca; // Parsed CA certificate
|
mbedtls_x509_crt ca; // Parsed CA certificate
|
||||||
|
mbedtls_x509_crl crl; // Parsed Certificate Revocation List
|
||||||
mbedtls_x509_crt cert; // Parsed certificate
|
mbedtls_x509_crt cert; // Parsed certificate
|
||||||
mbedtls_ssl_context ssl; // SSL/TLS context
|
mbedtls_ssl_context ssl; // SSL/TLS context
|
||||||
mbedtls_ssl_config conf; // SSL-TLS config
|
mbedtls_ssl_config conf; // SSL-TLS config
|
||||||
@ -3755,6 +3756,9 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
const char *ca = opts->ca == NULL ? "-"
|
const char *ca = opts->ca == NULL ? "-"
|
||||||
: opts->ca[0] == '-' ? "(emb)"
|
: opts->ca[0] == '-' ? "(emb)"
|
||||||
: opts->ca;
|
: opts->ca;
|
||||||
|
const char *crl = opts->crl == NULL ? "-"
|
||||||
|
: opts->crl[0] == '-' ? "(emb)"
|
||||||
|
: opts->crl;
|
||||||
const char *cert = opts->cert == NULL ? "-"
|
const char *cert = opts->cert == NULL ? "-"
|
||||||
: opts->cert[0] == '-' ? "(emb)"
|
: opts->cert[0] == '-' ? "(emb)"
|
||||||
: opts->cert;
|
: opts->cert;
|
||||||
@ -3765,11 +3769,12 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
mg_error(c, "TLS OOM");
|
mg_error(c, "TLS OOM");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
LOG(LL_DEBUG,
|
LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, CRL: %s, cert: %s, key: %s", c->id,
|
||||||
("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id, ca, cert, certkey));
|
ca, crl, cert, certkey));
|
||||||
mbedtls_ssl_init(&tls->ssl);
|
mbedtls_ssl_init(&tls->ssl);
|
||||||
mbedtls_ssl_config_init(&tls->conf);
|
mbedtls_ssl_config_init(&tls->conf);
|
||||||
mbedtls_x509_crt_init(&tls->ca);
|
mbedtls_x509_crt_init(&tls->ca);
|
||||||
|
mbedtls_x509_crl_init(&tls->crl);
|
||||||
mbedtls_x509_crt_init(&tls->cert);
|
mbedtls_x509_crt_init(&tls->cert);
|
||||||
mbedtls_pk_init(&tls->pk);
|
mbedtls_pk_init(&tls->pk);
|
||||||
mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
|
mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
|
||||||
@ -3788,9 +3793,19 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
||||||
}
|
}
|
||||||
if (opts->ca != NULL && opts->ca[0] != '\0') {
|
if (opts->ca != NULL && opts->ca[0] != '\0') {
|
||||||
|
if (opts->crl != NULL && opts->crl[0] != '\0') {
|
||||||
|
rc = opts->crl[0] == '-'
|
||||||
|
? mbedtls_x509_crl_parse(&tls->crl, (uint8_t *) opts->crl,
|
||||||
|
strlen(opts->crl) + 1)
|
||||||
|
: mbedtls_x509_crl_parse_file(&tls->crl, opts->crl);
|
||||||
|
if (rc != 0) {
|
||||||
|
mg_error(c, "parse(%s) err %#x", crl, -rc);
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
}
|
||||||
#if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
|
#if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
|
||||||
tls->cafile = strdup(opts->ca);
|
tls->cafile = strdup(opts->ca);
|
||||||
rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL);
|
rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, &tls->crl);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
|
mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
|
||||||
goto fail;
|
goto fail;
|
||||||
@ -3804,7 +3819,7 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
mg_error(c, "parse(%s) err %#x", ca, -rc);
|
mg_error(c, "parse(%s) err %#x", ca, -rc);
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL);
|
mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, &tls->crl);
|
||||||
#endif
|
#endif
|
||||||
if (opts->srvname.len > 0) {
|
if (opts->srvname.len > 0) {
|
||||||
char mem[128], *buf = mem;
|
char mem[128], *buf = mem;
|
||||||
@ -3877,6 +3892,7 @@ void mg_tls_free(struct mg_connection *c) {
|
|||||||
mbedtls_ssl_free(&tls->ssl);
|
mbedtls_ssl_free(&tls->ssl);
|
||||||
mbedtls_pk_free(&tls->pk);
|
mbedtls_pk_free(&tls->pk);
|
||||||
mbedtls_x509_crt_free(&tls->ca);
|
mbedtls_x509_crt_free(&tls->ca);
|
||||||
|
mbedtls_x509_crl_free(&tls->crl);
|
||||||
mbedtls_x509_crt_free(&tls->cert);
|
mbedtls_x509_crt_free(&tls->cert);
|
||||||
mbedtls_ssl_config_free(&tls->conf);
|
mbedtls_ssl_config_free(&tls->conf);
|
||||||
free(tls);
|
free(tls);
|
||||||
|
@ -900,6 +900,7 @@ void mg_http_serve_ssi(struct mg_connection *c, const char *root,
|
|||||||
|
|
||||||
struct mg_tls_opts {
|
struct mg_tls_opts {
|
||||||
const char *ca; // CA certificate file. For both listeners and clients
|
const char *ca; // CA certificate file. For both listeners and clients
|
||||||
|
const char *crl; // Certificate Revocation List. For clients
|
||||||
const char *cert; // Certificate
|
const char *cert; // Certificate
|
||||||
const char *certkey; // Certificate key
|
const char *certkey; // Certificate key
|
||||||
const char *ciphers; // Cipher list
|
const char *ciphers; // Cipher list
|
||||||
|
24
src/tls.c
24
src/tls.c
@ -29,6 +29,7 @@ EXTERN_C int mbedtls_net_send(void *, const unsigned char *, size_t);
|
|||||||
struct mg_tls {
|
struct mg_tls {
|
||||||
char *cafile; // CA certificate path
|
char *cafile; // CA certificate path
|
||||||
mbedtls_x509_crt ca; // Parsed CA certificate
|
mbedtls_x509_crt ca; // Parsed CA certificate
|
||||||
|
mbedtls_x509_crl crl; // Parsed Certificate Revocation List
|
||||||
mbedtls_x509_crt cert; // Parsed certificate
|
mbedtls_x509_crt cert; // Parsed certificate
|
||||||
mbedtls_ssl_context ssl; // SSL/TLS context
|
mbedtls_ssl_context ssl; // SSL/TLS context
|
||||||
mbedtls_ssl_config conf; // SSL-TLS config
|
mbedtls_ssl_config conf; // SSL-TLS config
|
||||||
@ -80,6 +81,9 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
const char *ca = opts->ca == NULL ? "-"
|
const char *ca = opts->ca == NULL ? "-"
|
||||||
: opts->ca[0] == '-' ? "(emb)"
|
: opts->ca[0] == '-' ? "(emb)"
|
||||||
: opts->ca;
|
: opts->ca;
|
||||||
|
const char *crl = opts->crl == NULL ? "-"
|
||||||
|
: opts->crl[0] == '-' ? "(emb)"
|
||||||
|
: opts->crl;
|
||||||
const char *cert = opts->cert == NULL ? "-"
|
const char *cert = opts->cert == NULL ? "-"
|
||||||
: opts->cert[0] == '-' ? "(emb)"
|
: opts->cert[0] == '-' ? "(emb)"
|
||||||
: opts->cert;
|
: opts->cert;
|
||||||
@ -90,11 +94,12 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
mg_error(c, "TLS OOM");
|
mg_error(c, "TLS OOM");
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
LOG(LL_DEBUG,
|
LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, CRL: %s, cert: %s, key: %s", c->id,
|
||||||
("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id, ca, cert, certkey));
|
ca, crl, cert, certkey));
|
||||||
mbedtls_ssl_init(&tls->ssl);
|
mbedtls_ssl_init(&tls->ssl);
|
||||||
mbedtls_ssl_config_init(&tls->conf);
|
mbedtls_ssl_config_init(&tls->conf);
|
||||||
mbedtls_x509_crt_init(&tls->ca);
|
mbedtls_x509_crt_init(&tls->ca);
|
||||||
|
mbedtls_x509_crl_init(&tls->crl);
|
||||||
mbedtls_x509_crt_init(&tls->cert);
|
mbedtls_x509_crt_init(&tls->cert);
|
||||||
mbedtls_pk_init(&tls->pk);
|
mbedtls_pk_init(&tls->pk);
|
||||||
mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
|
mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
|
||||||
@ -113,9 +118,19 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
|
||||||
}
|
}
|
||||||
if (opts->ca != NULL && opts->ca[0] != '\0') {
|
if (opts->ca != NULL && opts->ca[0] != '\0') {
|
||||||
|
if (opts->crl != NULL && opts->crl[0] != '\0') {
|
||||||
|
rc = opts->crl[0] == '-'
|
||||||
|
? mbedtls_x509_crl_parse(&tls->crl, (uint8_t *) opts->crl,
|
||||||
|
strlen(opts->crl) + 1)
|
||||||
|
: mbedtls_x509_crl_parse_file(&tls->crl, opts->crl);
|
||||||
|
if (rc != 0) {
|
||||||
|
mg_error(c, "parse(%s) err %#x", crl, -rc);
|
||||||
|
goto fail;
|
||||||
|
}
|
||||||
|
}
|
||||||
#if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
|
#if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
|
||||||
tls->cafile = strdup(opts->ca);
|
tls->cafile = strdup(opts->ca);
|
||||||
rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL);
|
rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, &tls->crl);
|
||||||
if (rc != 0) {
|
if (rc != 0) {
|
||||||
mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
|
mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
|
||||||
goto fail;
|
goto fail;
|
||||||
@ -129,7 +144,7 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
|
|||||||
mg_error(c, "parse(%s) err %#x", ca, -rc);
|
mg_error(c, "parse(%s) err %#x", ca, -rc);
|
||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL);
|
mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, &tls->crl);
|
||||||
#endif
|
#endif
|
||||||
if (opts->srvname.len > 0) {
|
if (opts->srvname.len > 0) {
|
||||||
char mem[128], *buf = mem;
|
char mem[128], *buf = mem;
|
||||||
@ -202,6 +217,7 @@ void mg_tls_free(struct mg_connection *c) {
|
|||||||
mbedtls_ssl_free(&tls->ssl);
|
mbedtls_ssl_free(&tls->ssl);
|
||||||
mbedtls_pk_free(&tls->pk);
|
mbedtls_pk_free(&tls->pk);
|
||||||
mbedtls_x509_crt_free(&tls->ca);
|
mbedtls_x509_crt_free(&tls->ca);
|
||||||
|
mbedtls_x509_crl_free(&tls->crl);
|
||||||
mbedtls_x509_crt_free(&tls->cert);
|
mbedtls_x509_crt_free(&tls->cert);
|
||||||
mbedtls_ssl_config_free(&tls->conf);
|
mbedtls_ssl_config_free(&tls->conf);
|
||||||
free(tls);
|
free(tls);
|
||||||
|
@ -3,6 +3,7 @@
|
|||||||
|
|
||||||
struct mg_tls_opts {
|
struct mg_tls_opts {
|
||||||
const char *ca; // CA certificate file. For both listeners and clients
|
const char *ca; // CA certificate file. For both listeners and clients
|
||||||
|
const char *crl; // Certificate Revocation List. For clients
|
||||||
const char *cert; // Certificate
|
const char *cert; // Certificate
|
||||||
const char *certkey; // Certificate key
|
const char *certkey; // Certificate key
|
||||||
const char *ciphers; // Cipher list
|
const char *ciphers; // Cipher list
|
||||||
|
Loading…
Reference in New Issue
Block a user