mbedtls CRL support

Certificate revocation checking when using mbedtls
This commit is contained in:
Panagiotis Tsolakos 2021-10-14 17:32:48 +02:00
parent b5147a149e
commit 383653d608
5 changed files with 46 additions and 8 deletions

View File

@ -1802,6 +1802,7 @@ while ((mg_mqtt_parse(buf, len, &mm)) == 0) {
```c ```c
struct mg_tls_opts { struct mg_tls_opts {
const char *ca; // CA certificate file. For both listeners and clients const char *ca; // CA certificate file. For both listeners and clients
const char *crl; // Certificate Revocation List. For clients
const char *cert; // Certificate const char *cert; // Certificate
const char *certkey; // Certificate key const char *certkey; // Certificate key
const char *ciphers; // Cipher list const char *ciphers; // Cipher list
@ -1813,6 +1814,9 @@ TLS initialisation structure:
- `ca` - Certificate Authority. Can be a filename or a string. Used to verify - `ca` - Certificate Authority. Can be a filename or a string. Used to verify
a certificate that the other end sends to us. If NULL, then certificate checking a certificate that the other end sends to us. If NULL, then certificate checking
is disabled is disabled
- `crl` - Certificate Revocation List. Can be a filename or a string. Used to
verify a certificate that the other end sends to us. If NULL, then certificate
revocation checking is disabled
- `cert` - Our own certificate. Can be a filename, or a string. If NULL, then - `cert` - Our own certificate. Can be a filename, or a string. If NULL, then
we don't authenticate with the other peer we don't authenticate with the other peer
- `certkey` - A key for a `cert`. Sometimes, a certificate and its key are - `certkey` - A key for a `cert`. Sometimes, a certificate and its key are

View File

@ -3704,6 +3704,7 @@ EXTERN_C int mbedtls_net_send(void *, const unsigned char *, size_t);
struct mg_tls { struct mg_tls {
char *cafile; // CA certificate path char *cafile; // CA certificate path
mbedtls_x509_crt ca; // Parsed CA certificate mbedtls_x509_crt ca; // Parsed CA certificate
mbedtls_x509_crl crl; // Parsed Certificate Revocation List
mbedtls_x509_crt cert; // Parsed certificate mbedtls_x509_crt cert; // Parsed certificate
mbedtls_ssl_context ssl; // SSL/TLS context mbedtls_ssl_context ssl; // SSL/TLS context
mbedtls_ssl_config conf; // SSL-TLS config mbedtls_ssl_config conf; // SSL-TLS config
@ -3755,6 +3756,9 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
const char *ca = opts->ca == NULL ? "-" const char *ca = opts->ca == NULL ? "-"
: opts->ca[0] == '-' ? "(emb)" : opts->ca[0] == '-' ? "(emb)"
: opts->ca; : opts->ca;
const char *crl = opts->crl == NULL ? "-"
: opts->crl[0] == '-' ? "(emb)"
: opts->crl;
const char *cert = opts->cert == NULL ? "-" const char *cert = opts->cert == NULL ? "-"
: opts->cert[0] == '-' ? "(emb)" : opts->cert[0] == '-' ? "(emb)"
: opts->cert; : opts->cert;
@ -3765,11 +3769,12 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
mg_error(c, "TLS OOM"); mg_error(c, "TLS OOM");
goto fail; goto fail;
} }
LOG(LL_DEBUG, LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, CRL: %s, cert: %s, key: %s", c->id,
("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id, ca, cert, certkey)); ca, crl, cert, certkey));
mbedtls_ssl_init(&tls->ssl); mbedtls_ssl_init(&tls->ssl);
mbedtls_ssl_config_init(&tls->conf); mbedtls_ssl_config_init(&tls->conf);
mbedtls_x509_crt_init(&tls->ca); mbedtls_x509_crt_init(&tls->ca);
mbedtls_x509_crl_init(&tls->crl);
mbedtls_x509_crt_init(&tls->cert); mbedtls_x509_crt_init(&tls->cert);
mbedtls_pk_init(&tls->pk); mbedtls_pk_init(&tls->pk);
mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c); mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
@ -3788,9 +3793,19 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
} }
if (opts->ca != NULL && opts->ca[0] != '\0') { if (opts->ca != NULL && opts->ca[0] != '\0') {
if (opts->crl != NULL && opts->crl[0] != '\0') {
rc = opts->crl[0] == '-'
? mbedtls_x509_crl_parse(&tls->crl, (uint8_t *) opts->crl,
strlen(opts->crl) + 1)
: mbedtls_x509_crl_parse_file(&tls->crl, opts->crl);
if (rc != 0) {
mg_error(c, "parse(%s) err %#x", crl, -rc);
goto fail;
}
}
#if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK) #if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
tls->cafile = strdup(opts->ca); tls->cafile = strdup(opts->ca);
rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL); rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, &tls->crl);
if (rc != 0) { if (rc != 0) {
mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc); mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
goto fail; goto fail;
@ -3804,7 +3819,7 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
mg_error(c, "parse(%s) err %#x", ca, -rc); mg_error(c, "parse(%s) err %#x", ca, -rc);
goto fail; goto fail;
} }
mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL); mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, &tls->crl);
#endif #endif
if (opts->srvname.len > 0) { if (opts->srvname.len > 0) {
char mem[128], *buf = mem; char mem[128], *buf = mem;
@ -3877,6 +3892,7 @@ void mg_tls_free(struct mg_connection *c) {
mbedtls_ssl_free(&tls->ssl); mbedtls_ssl_free(&tls->ssl);
mbedtls_pk_free(&tls->pk); mbedtls_pk_free(&tls->pk);
mbedtls_x509_crt_free(&tls->ca); mbedtls_x509_crt_free(&tls->ca);
mbedtls_x509_crl_free(&tls->crl);
mbedtls_x509_crt_free(&tls->cert); mbedtls_x509_crt_free(&tls->cert);
mbedtls_ssl_config_free(&tls->conf); mbedtls_ssl_config_free(&tls->conf);
free(tls); free(tls);

View File

@ -900,6 +900,7 @@ void mg_http_serve_ssi(struct mg_connection *c, const char *root,
struct mg_tls_opts { struct mg_tls_opts {
const char *ca; // CA certificate file. For both listeners and clients const char *ca; // CA certificate file. For both listeners and clients
const char *crl; // Certificate Revocation List. For clients
const char *cert; // Certificate const char *cert; // Certificate
const char *certkey; // Certificate key const char *certkey; // Certificate key
const char *ciphers; // Cipher list const char *ciphers; // Cipher list

View File

@ -29,6 +29,7 @@ EXTERN_C int mbedtls_net_send(void *, const unsigned char *, size_t);
struct mg_tls { struct mg_tls {
char *cafile; // CA certificate path char *cafile; // CA certificate path
mbedtls_x509_crt ca; // Parsed CA certificate mbedtls_x509_crt ca; // Parsed CA certificate
mbedtls_x509_crl crl; // Parsed Certificate Revocation List
mbedtls_x509_crt cert; // Parsed certificate mbedtls_x509_crt cert; // Parsed certificate
mbedtls_ssl_context ssl; // SSL/TLS context mbedtls_ssl_context ssl; // SSL/TLS context
mbedtls_ssl_config conf; // SSL-TLS config mbedtls_ssl_config conf; // SSL-TLS config
@ -80,6 +81,9 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
const char *ca = opts->ca == NULL ? "-" const char *ca = opts->ca == NULL ? "-"
: opts->ca[0] == '-' ? "(emb)" : opts->ca[0] == '-' ? "(emb)"
: opts->ca; : opts->ca;
const char *crl = opts->crl == NULL ? "-"
: opts->crl[0] == '-' ? "(emb)"
: opts->crl;
const char *cert = opts->cert == NULL ? "-" const char *cert = opts->cert == NULL ? "-"
: opts->cert[0] == '-' ? "(emb)" : opts->cert[0] == '-' ? "(emb)"
: opts->cert; : opts->cert;
@ -90,11 +94,12 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
mg_error(c, "TLS OOM"); mg_error(c, "TLS OOM");
goto fail; goto fail;
} }
LOG(LL_DEBUG, LOG(LL_DEBUG, ("%lu Setting TLS, CA: %s, CRL: %s, cert: %s, key: %s", c->id,
("%lu Setting TLS, CA: %s, cert: %s, key: %s", c->id, ca, cert, certkey)); ca, crl, cert, certkey));
mbedtls_ssl_init(&tls->ssl); mbedtls_ssl_init(&tls->ssl);
mbedtls_ssl_config_init(&tls->conf); mbedtls_ssl_config_init(&tls->conf);
mbedtls_x509_crt_init(&tls->ca); mbedtls_x509_crt_init(&tls->ca);
mbedtls_x509_crl_init(&tls->crl);
mbedtls_x509_crt_init(&tls->cert); mbedtls_x509_crt_init(&tls->cert);
mbedtls_pk_init(&tls->pk); mbedtls_pk_init(&tls->pk);
mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c); mbedtls_ssl_conf_dbg(&tls->conf, debug_cb, c);
@ -113,9 +118,19 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE); mbedtls_ssl_conf_authmode(&tls->conf, MBEDTLS_SSL_VERIFY_NONE);
} }
if (opts->ca != NULL && opts->ca[0] != '\0') { if (opts->ca != NULL && opts->ca[0] != '\0') {
if (opts->crl != NULL && opts->crl[0] != '\0') {
rc = opts->crl[0] == '-'
? mbedtls_x509_crl_parse(&tls->crl, (uint8_t *) opts->crl,
strlen(opts->crl) + 1)
: mbedtls_x509_crl_parse_file(&tls->crl, opts->crl);
if (rc != 0) {
mg_error(c, "parse(%s) err %#x", crl, -rc);
goto fail;
}
}
#if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK) #if defined(MBEDTLS_X509_CA_CHAIN_ON_DISK)
tls->cafile = strdup(opts->ca); tls->cafile = strdup(opts->ca);
rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, NULL); rc = mbedtls_ssl_conf_ca_chain_file(&tls->conf, tls->cafile, &tls->crl);
if (rc != 0) { if (rc != 0) {
mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc); mg_error(c, "parse on-disk chain(%s) err %#x", ca, -rc);
goto fail; goto fail;
@ -129,7 +144,7 @@ void mg_tls_init(struct mg_connection *c, struct mg_tls_opts *opts) {
mg_error(c, "parse(%s) err %#x", ca, -rc); mg_error(c, "parse(%s) err %#x", ca, -rc);
goto fail; goto fail;
} }
mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, NULL); mbedtls_ssl_conf_ca_chain(&tls->conf, &tls->ca, &tls->crl);
#endif #endif
if (opts->srvname.len > 0) { if (opts->srvname.len > 0) {
char mem[128], *buf = mem; char mem[128], *buf = mem;
@ -202,6 +217,7 @@ void mg_tls_free(struct mg_connection *c) {
mbedtls_ssl_free(&tls->ssl); mbedtls_ssl_free(&tls->ssl);
mbedtls_pk_free(&tls->pk); mbedtls_pk_free(&tls->pk);
mbedtls_x509_crt_free(&tls->ca); mbedtls_x509_crt_free(&tls->ca);
mbedtls_x509_crl_free(&tls->crl);
mbedtls_x509_crt_free(&tls->cert); mbedtls_x509_crt_free(&tls->cert);
mbedtls_ssl_config_free(&tls->conf); mbedtls_ssl_config_free(&tls->conf);
free(tls); free(tls);

View File

@ -3,6 +3,7 @@
struct mg_tls_opts { struct mg_tls_opts {
const char *ca; // CA certificate file. For both listeners and clients const char *ca; // CA certificate file. For both listeners and clients
const char *crl; // Certificate Revocation List. For clients
const char *cert; // Certificate const char *cert; // Certificate
const char *certkey; // Certificate key const char *certkey; // Certificate key
const char *ciphers; // Cipher list const char *ciphers; // Cipher list