@ -174,7 +174,7 @@ verifyCertificate (void* parameter, mbedtls_x509_crt *crt, int certificate_depth
if ( certMatches )
* flags = 0 ;
else {
raiseSecurityEvent ( self - > tlsConfig , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED , " Incident: Certificate not configured " , self ) ;
raiseSecurityEvent ( self - > tlsConfig , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED , " Alarm: certificate validation: trusted individual certificate not available " , self ) ;
* flags | = MBEDTLS_X509_BADCERT_OTHER ;
return 1 ;
@ -214,7 +214,7 @@ TLSConfiguration_setupComplete(TLSConfiguration self)
int ret = mbedtls_ssl_conf_own_cert ( & ( self - > conf ) , & ( self - > ownCertificate ) , & ( self - > ownKey ) ) ;
if ( ret ! = 0 ) {
DEBUG_PRINT ( " TLS " , " mbedtls_ssl_conf_own_cert returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_ssl_conf_own_cert returned -0x%x\n " , - ret ) ;
return false ;
}
}
@ -265,7 +265,7 @@ TLSConfiguration_create()
mbedtls_ssl_conf_authmode ( & ( self - > conf ) , MBEDTLS_SSL_VERIFY_REQUIRED ) ;
mbedtls_ssl_conf_renegotiation ( & ( self - > conf ) , MBEDTLS_SSL_ RENEGOTIATION_ENABLED ) ;
mbedtls_ssl_conf_renegotiation ( & ( self - > conf ) , MBEDTLS_SSL_ LEGACY_NO_ RENEGOTIATION) ;
/* static int hashes[] = {3,4,5,6,7,8,0}; */
/* mbedtls_ssl_conf_sig_hashes(&(self->conf), hashes); */
@ -349,7 +349,7 @@ TLSConfiguration_setOwnCertificate(TLSConfiguration self, uint8_t* certificate,
int ret = mbedtls_x509_crt_parse ( & ( self - > ownCertificate ) , certificate , certLen ) ;
if ( ret ! = 0 )
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse returned -0x%x\n " , - ret ) ;
return ( ret = = 0 ) ;
}
@ -360,7 +360,7 @@ TLSConfiguration_setOwnCertificateFromFile(TLSConfiguration self, const char* fi
int ret = mbedtls_x509_crt_parse_file ( & ( self - > ownCertificate ) , filename ) ;
if ( ret ! = 0 )
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse_file returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse_file returned -0x%x\n " , - ret ) ;
return ( ret = = 0 ) ;
}
@ -371,7 +371,7 @@ TLSConfiguration_setOwnKey(TLSConfiguration self, uint8_t* key, int keyLen, cons
int ret = mbedtls_pk_parse_key ( & ( self - > ownKey ) , key , keyLen , ( const uint8_t * ) keyPassword , ( keyPassword = = NULL ) ? 0 : strlen ( keyPassword ) ) ;
if ( ret ! = 0 )
DEBUG_PRINT ( " TLS " , " mbedtls_pk_parse_key returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_pk_parse_key returned -0x%x\n " , - ret ) ;
return ( ret = = 0 ) ;
}
@ -382,7 +382,7 @@ TLSConfiguration_setOwnKeyFromFile(TLSConfiguration self, const char* filename,
int ret = mbedtls_pk_parse_keyfile ( & ( self - > ownKey ) , filename , keyPassword ) ;
if ( ret ! = 0 )
DEBUG_PRINT ( " TLS " , " mbedtls_pk_parse_keyfile returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_pk_parse_keyfile returned -0x%x\n " , - ret ) ;
return ( ret = = 0 ) ;
}
@ -427,7 +427,7 @@ TLSConfiguration_addCACertificate(TLSConfiguration self, uint8_t* certificate, i
int ret = mbedtls_x509_crt_parse ( & ( self - > cacerts ) , certificate , certLen ) ;
if ( ret ! = 0 ) {
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse returned -0x%x\n " , - ret ) ;
return false ;
}
@ -440,7 +440,7 @@ TLSConfiguration_addCACertificateFromFile(TLSConfiguration self, const char* fil
int ret = mbedtls_x509_crt_parse_file ( & ( self - > cacerts ) , filename ) ;
if ( ret ! = 0 )
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crt_parse returned -0x%x\n " , - ret ) ;
return ( ret = = 0 ) ;
}
@ -471,7 +471,7 @@ TLSConfiguration_addCRL(TLSConfiguration self, uint8_t* crl, int crlLen)
int ret = mbedtls_x509_crl_parse ( & ( self - > crl ) , crl , crlLen ) ;
if ( ret ! = 0 ) {
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crl_parse returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_x509_crl_parse returned -0x%x\n " , - ret ) ;
}
else {
confCRLUpdated ( self ) ;
@ -552,57 +552,66 @@ createSecurityEvents(TLSConfiguration config, int ret, uint32_t flags, TLSSocket
return ;
switch ( ret ) {
case MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_NO_CIPHER , " Alarm: Algorithm not supported " , socket ) ;
break ;
case MBEDTLS_ERR_SSL_NO_CIPHER_CHOSEN :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_NO_CIPHER , " Alarm: no matching TLS ciphers " , socket ) ;
break ;
case MBEDTLS_ERR_SSL_NO_USABLE_CIPHERSUITE :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_ALGO_NOT_SUPPORTED , " Incident: Algorithm not supported " , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_ALGO_NOT_SUPPORTED , " Alarm : Algorithm not supported" , socket ) ;
break ;
case MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_UNSECURE_COMMUNICATION , " Incident: Unsecure communication " , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_UNSECURE_COMMUNICATION , " Alarm : Unsecure communication" , socket ) ;
break ;
case MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_UNAVAILABLE , " Incident: C ertificate unavailable" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_UNAVAILABLE , " Alarm: c ertificate unavailable" , socket ) ;
break ;
case MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_BAD_CERT , " Incident : Bad certificate" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_BAD_CERT , " Alarm : Bad certificate" , socket ) ;
break ;
case MBEDTLS_ERR_SSL_CERTIFICATE_TOO_LARGE :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_SIZE_EXCEEDED , " Incident : TLS certificate size exceeded" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_SIZE_EXCEEDED , " Alarm : TLS certificate size exceeded" , socket ) ;
break ;
case MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_VALIDATION_FAILED , " Incident : certificate validation: certificate signature could not be validated" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_VALIDATION_FAILED , " Alarm : certificate validation: certificate signature could not be validated" , socket ) ;
break ;
case MBEDTLS_ERR_SSL_CERTIFICATE_REQUIRED :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_REQUIRED , " Incident : Certificate required" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_REQUIRED , " Alarm : Certificate required" , socket ) ;
break ;
case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED :
{
if ( flags & MBEDTLS_X509_BADCERT_EXPIRED ) {
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_EXPIRED , " Incident: Certificate expired " , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_EXPIRED , " Alarm: expired certificate " , socket ) ;
}
else if ( flags & MBEDTLS_X509_BADCERT_REVOKED ) {
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_REVOKED , " Incident: Certificate revoked " , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_REVOKED , " Alarm: revoked certificate " , socket ) ;
}
else if ( flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) {
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED , " Incident : Certificate validation: CA certificate not available" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_NOT_TRUSTED , " Alarm : Certificate validation: CA certificate not available" , socket ) ;
}
else if ( flags & MBEDTLS_X509_BADCERT_OTHER ) {
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED , " Incident : Certificate not configured" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_NOT_CONFIGURED , " Alarm : Certificate not configured" , socket ) ;
}
else {
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_ VALIDATION_FAILED, " Incident: Certificate verification failed " , socket ) ;
else if ( flags & MBEDTLS_X509_BADCERT_BAD_KEY ) {
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_ NOT_CONFIGURED, " Alarm: Insufficient key length " , socket ) ;
}
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_CERT_VALIDATION_FAILED , " Alarm: Certificate verification failed " , socket ) ;
}
break ;
default :
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_HANDSHAKE_FAILED_UNKNOWN_REASON , " Incident : handshake failed for unknown reason" , socket ) ;
raiseSecurityEvent ( config , TLS_SEC_EVT_INCIDENT , TLS_EVENT_CODE_ALM_HANDSHAKE_FAILED_UNKNOWN_REASON , " Alarm : handshake failed for unknown reason" , socket ) ;
break ;
}
}
@ -777,7 +786,7 @@ TLSSocket_create(Socket socket, TLSConfiguration configuration, bool storeClient
{
if ( ret ! = MBEDTLS_ERR_SSL_WANT_READ & & ret ! = MBEDTLS_ERR_SSL_WANT_WRITE )
{
DEBUG_PRINT ( " TLS " , " handshake failed - mbedtls_ssl_handshake --> %d\n \n " , ret ) ;
DEBUG_PRINT ( " TLS " , " handshake failed - mbedtls_ssl_handshake returned -0x%x\n " , - ret ) ;
uint32_t flags = mbedtls_ssl_get_verify_result ( & ( self - > ssl ) ) ;
@ -980,7 +989,7 @@ TLSSocket_close(TLSSocket self)
{
if ( ( ret ! = MBEDTLS_ERR_SSL_WANT_READ ) & & ( ret ! = MBEDTLS_ERR_SSL_WANT_WRITE ) )
{
DEBUG_PRINT ( " TLS " , " mbedtls_ssl_close_notify returned %d\n " , ret ) ;
DEBUG_PRINT ( " TLS " , " mbedtls_ssl_close_notify returned -0x%x\n " , - ret ) ;
break ;
}
}
Michael Zillgith
3 years ago
committed by