1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00

mbedtls: allow central trust store preload

Mbedtls does not have the same concept as openssl about preloading the
system trust store into every SSL_CTX.

This patch allows you to simulate the behaviour by passing in a context
creation-time filepath that all client SSL_CTX will be initialized from.
This commit is contained in:
Andy Green 2021-04-13 20:40:02 +01:00
parent 68d9f3a7f2
commit aa6b3f418e
7 changed files with 49 additions and 0 deletions

View file

@ -72,6 +72,7 @@
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_ca_chain
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_own_cert
#cmakedefine LWS_HAVE_mbedtls_ssl_set_hs_authmode
#cmakedefine LWS_HAVE_mbedtls_x509_crt_parse_file
#cmakedefine LWS_HAVE_MBEDTLS_NET_SOCKETS
#cmakedefine LWS_HAVE_NEW_UV_VERSION_H
#cmakedefine LWS_HAVE_OPENSSL_ECDH_H

View file

@ -536,6 +536,17 @@ struct lws_context_creation_info {
* implementation for the one provided by provided_ssl_ctx.
* Libwebsockets no longer is responsible for freeing the context
* if this option is selected. */
#else /* WITH_MBEDTLS */
const char *mbedtls_client_preload_filepath;
/**< CONTEXT: If NULL, no effect. Otherwise it should point to a
* filepath where every created client SSL_CTX is preloaded from the
* system trust bundle.
*
* This sets a processwide variable that affects all contexts.
*
* Requires that the mbedtls provides mbedtls_x509_crt_parse_file(),
* else disabled.
*/
#endif
#endif

View file

@ -30,6 +30,10 @@
static const char *library_version = LWS_LIBRARY_VERSION;
#if defined(LWS_WITH_MBEDTLS)
extern const char *mbedtls_client_preload_filepath;
#endif
#if defined(LWS_HAVE_SYS_RESOURCE_H)
/* for setrlimit */
#include <sys/resource.h>
@ -811,6 +815,8 @@ lws_create_context(const struct lws_context_creation_info *info)
#if defined(LWS_WITH_TLS) && defined(LWS_WITH_NETWORK)
#if defined(LWS_WITH_MBEDTLS)
context->tls_ops = &tls_ops_mbedtls;
mbedtls_client_preload_filepath = info->mbedtls_client_preload_filepath;
#else
context->tls_ops = &tls_ops_openssl;
#endif

View file

@ -359,6 +359,7 @@ if (LWS_WITH_MBEDTLS)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_own_cert LWS_HAVE_mbedtls_ssl_set_hs_own_cert PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(mbedtls_ssl_set_hs_authmode LWS_HAVE_mbedtls_ssl_set_hs_authmode PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(mbedtls_net_init LWS_HAVE_mbedtls_net_init PARENT_SCOPE)
CHECK_FUNCTION_EXISTS(mbedtls_x509_crt_parse_file LWS_HAVE_mbedtls_x509_crt_parse_file PARENT_SCOPE) # some embedded may lack filesystem
CHECK_FUNCTION_EXISTS(mbedtls_md_setup LWS_HAVE_mbedtls_md_setup PARENT_SCOPE) # not on xenial 2.2
CHECK_FUNCTION_EXISTS(mbedtls_rsa_complete LWS_HAVE_mbedtls_rsa_complete PARENT_SCOPE) # not on xenial 2.2
CHECK_FUNCTION_EXISTS(mbedtls_internal_aes_encrypt LWS_HAVE_mbedtls_internal_aes_encrypt PARENT_SCOPE) # not on xenial 2.2

View file

@ -363,6 +363,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
}
vh->tls.x509_client_CA = d2i_X509(NULL, buf, (long)len);
free(buf);
lwsl_info("Loading client CA for verification %s\n", ca_filepath);
#endif
} else {

View file

@ -179,6 +179,8 @@ OSSL_HANDSHAKE_STATE SSL_get_state(const SSL *ssl)
return state;
}
const char *mbedtls_client_preload_filepath;
/**
* @brief create a SSL context
*/
@ -187,6 +189,9 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
SSL_CTX *ctx;
CERT *cert;
X509 *client_ca;
#if defined(LWS_HAVE_mbedtls_x509_crt_parse_file)
int n;
#endif
if (!method) {
SSL_DEBUG(SSL_LIB_ERROR_LEVEL, "no no_method");
@ -217,6 +222,20 @@ SSL_CTX* SSL_CTX_new(const SSL_METHOD *method)
ctx->version = method->version;
#if defined(LWS_HAVE_mbedtls_x509_crt_parse_file)
if (mbedtls_client_preload_filepath) {
mbedtls_x509_crt **px = (mbedtls_x509_crt **)ctx->client_CA->x509_pm;
*px = malloc(sizeof(**px));
mbedtls_x509_crt_init(*px);
n = mbedtls_x509_crt_parse_file(*px, mbedtls_client_preload_filepath);
if (n < 0)
lwsl_err("%s: unable to load cert bundle 0x%x\n", __func__, -n);
else
lwsl_info("%s: loaded cert bundle %d\n", __func__, n);
}
#endif
return ctx;
failed3:

View file

@ -546,6 +546,16 @@ int main(int argc, const char **argv)
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
#endif
#if defined(LWS_WITH_MBEDTLS)
/* uncomment to force mbedtls to load a system trust store like
* openssl does
*
* info.mbedtls_client_preload_filepath =
* "/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem";
*/
#endif
/* integrate us with lws system state management when context created */
nl.name = "app";