From 8e20aa1a5984dc6b94d584fcfcd0dd29e3c76085 Mon Sep 17 00:00:00 2001
From: "Jean-Marc Pigeon (Delson)"
Date: Mon, 5 May 2025 06:31:00 -0400
Subject: [PATCH] Replace set_certificate by set_crypting

---
 conf/mailleur.conf.dvl | 13 +++++++--
 lib/unitls.c | 65 +++++++++++++++++++++++++++---------------
 2 files changed, 52 insertions(+), 26 deletions(-)

diff --git a/conf/mailleur.conf.dvl b/conf/mailleur.conf.dvl
index f03c293..e61836b 100644
--- a/conf/mailleur.conf.dvl
+++ b/conf/mailleur.conf.dvl
@@ -2,7 +2,14 @@
 #Used for developpement purpose ONLY
 #------------------------------------------------
 #Defining Certificate
-CA_ROOT = "./certs/root-safe_CA.pem"
-CA_CERT = "./certs/mailleur_server-chain-cert_x509.pem"
-CA_KEY = "./certs/mailleur_server-key.pem"
+CA_ROOT = "./certs/root-safe_CA.pem"
+CA_CERT = "./certs/mailleur_server-chain-cert_x509.pem"
+CA_KEY = "./certs/mailleur_server-key.pem"
+CA_VERIFY = 1 #to check PEER certificat
+#------------------------------------------------
+#Configured for Postgresql database
+DB_TYPE = POSTGRES
+DB_NAME = mailleur
+DB_HOST = localhost
+DB_PORT = 5436
 #------------------------------------------------
diff --git a/lib/unitls.c b/lib/unitls.c
index 761f2f5..a2ad0e3 100644
--- a/lib/unitls.c
+++ b/lib/unitls.c
@@ -154,18 +154,25 @@ return tls;
 /* Procedure to set the link certificate */
 /* */
 /********************************************************/
-static int set_certificate(TLSTYP *tls)
+static int set_crypting(TLSTYP *tls)
 {
-#define OPEP "unitls.c:set_certificate"
+#define OPEP "unitls.c:set_crypting"
+
+static const char *cenv[]={"CA_KEY","CA_CERT","CA_ROOT"};
-const char *certs[3];
 int done;
+const char *certs[sizeof(cenv)/sizeof(char *)];
+const SSL_METHOD *(*tls_methode)();
 int mode;
 int phase;
 _Bool proceed;
 done=false;
+tls_methode=TLS_client_method;
+if (tls->server==true)
+ tls_methode=TLS_server_method;
+phase=0;
 mode=SSL_VERIFY_NONE;
 //mode=SSL_VERIFY_PEER; //to have both end check peer certificate
 phase=0;
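Review bot: `CA_VERIFY = 1` is documented as the switch for checking the peer certificate, but nothing in this patch reads it: the set_crypting hunk at lib/unitls.c:154 keeps `mode=SSL_VERIFY_NONE;` hard-coded with the `SSL_VERIFY_PEER` alternative commented out, and its `cenv` table lists only CA_KEY, CA_CERT and CA_ROOT, so the setting is inert and OpenSSL performs no certificate verification during the handshake. Either wire it into set_crypting's initialisation, `const char *verify=getenv("CA_VERIFY"); if (verify!=(char *)0 && strtol(verify,(char **)0,10)!=0) mode=SSL_VERIFY_PEER;`, or drop the line from the config until the code honours it. The comment typo `certificat` is worth fixing in the same pass.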
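Review bot: The added `+phase=0;` duplicates the `phase=0;` that remains three lines below as context; keep one of them. `const SSL_METHOD *(*tls_methode)();` is an old-style declaration with no prototype, so the compiler checks nothing about the later `SSL_CTX_new(tls_methode())` call; since the declaration is being moved anyway, `const SSL_METHOD *(*tls_methode)(void);` costs nothing. `sizeof(cenv)/sizeof(char *)` is only correct while cenv's element type stays `char *`; `sizeof cenv/sizeof cenv[0]` tracks the array itself. The body of set_crypting continues past this hunk.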
@@ -176,8 +183,25 @@ while (proceed==true) {
 certs[0]=getenv("CA_KEY");
 certs[1]=getenv("CA_CERT");
 certs[2]=getenv("CA_ROOT");
+ for (int i=0;i<(sizeof(cenv)/sizeof(char *));i++) {
+ certs[i]=getenv(cenv[i]);
+ if (certs[i]==(char *)0) {
+ (void) rou_alert(0,"%s Missing <%s> environment variable (config?)",
+ OPEP,cenv[i]);
+ phase=999; //missing certificate info.
+ }
+ }
+ break;
+ case 1 : //pre-configure SSL
+ (void) SSL_library_init();
+ (void) SSL_load_error_strings();
+ (void) ERR_clear_error();
+ if ((tls->ctx=SSL_CTX_new(tls_methode()))==(SSL_CTX *)0) {
+ (void) showtlserror(tls,0,"Get CTX");
+ phase=999; //no need to go furter
+ }
 break;
- case 1 : //first load certificate key
+ case 2 : //first load certificate key
 if (SSL_CTX_use_PrivateKey_file(tls->ctx,certs[0],SSL_FILETYPE_PEM)!=1) {
 char msg[200];
@@ -187,7 +211,7 @@ while (proceed==true) {
 phase=999;
 }
 break;
- case 2 : //load certificate + chain file
+ case 3 : //load certificate + chain file
 if (SSL_CTX_use_certificate_chain_file(tls->ctx,certs[1])!=1) {
 char msg[200];
@@ -197,7 +221,7 @@ while (proceed==true) {
 phase=999; //no need to go furter
 }
 break;
- case 3 : //loading root certificate
+ case 4 : //loading root certificate
 if (SSL_CTX_load_verify_locations(tls->ctx,certs[2],(const char *)0)!=1) {
 char msg[200];
@@ -207,7 +231,7 @@ while (proceed==true) {
 phase=999; //no need to go furter
 }
 break;
- case 4 : //verify management
+ case 5 : //verify management
 if (((mode&SSL_VERIFY_PEER)!=0)||(tls->server==false))
 tls->checkpeer=true;
 (void) SSL_CTX_set_verify(tls->ctx,mode,(int(*)())0);
@@ -219,10 +243,10 @@ while (proceed==true) {
 phase=999;
 }
 break;
- case 5 : //allowing partial write
+ case 6 : //allowing partial write
 (void) SSL_CTX_set_mode(tls->ctx,SSL_MODE_ENABLE_PARTIAL_WRITE);
 break;
- case 6 : //everything fine
+ case 7 : //everything fine
 done=true;
 break;
 default : //SAFE Guard
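Review bot: The three context lines `certs[0]=getenv("CA_KEY");` … `certs[2]=getenv("CA_ROOT");` are now dead, because the new loop immediately overwrites every `certs[i]` from `cenv`; drop them so the variable names live in one place. The loop condition compares `int i` against a `size_t` expression, which trips -Wsign-compare, so `for (size_t i=0;i<sizeof cenv/sizeof cenv[0];i++) {` is the cleaner form. `SSL_library_init()` and `SSL_load_error_strings()` are redundant on the OpenSSL 1.1.0+ that `TLS_client_method`/`TLS_server_method` already require (the library self-initialises there), so case 1 can be reduced to `ERR_clear_error()` plus the `SSL_CTX_new` check. When case 0 reports a missing variable it sets `phase=999` yet keeps scanning, which is good for reporting, but `tls->ctx` is then never allocated, so the caller's `freetls` must tolerate a null ctx — worth a comment on case 1. The enclosing switch and set_crypting's loop extend beyond this hunk on both sides.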
@@ -337,8 +361,11 @@ proceed=true;
 while (proceed==true) {
 switch (phase) {
 case 0 : //do we need to check peer
- if (tls->checkpeer==false)
+ if (tls->checkpeer==false) {
+ (void) rou_alert(1,"%s Peer [%s]; certificate not verified",
+ OPEP,tls->peerip);
 phase=999; //No need to check certificate
+ }
 break;
 case 1 : //get remote certificate
 if ((peer=SSL_get_peer_certificate(tls->ssl))==(X509 *)0) {
@@ -404,14 +431,10 @@ PUBLIC TLSTYP *tls_opentls(int handle,_Bool server)
 #define OPEP "unitls.c:tls_opentls"
 TLSTYP *tls;
-const SSL_METHOD *(*tls_methode)();
 int phase;
 _Bool proceed;
 tls=(TLSTYP *)0;
-tls_methode=TLS_client_method;
-if (server==true)
- tls_methode=TLS_server_method;
 phase=0;
 proceed=true;
 while (proceed==true) {
@@ -422,17 +445,13 @@ while (proceed==true) {
 tls->handle=handle;
 tls->server=server;
 (void) getnames(tls);
- (void) SSL_library_init();
- (void) SSL_load_error_strings();
- (void) ERR_clear_error();
- if ((tls->ctx=SSL_CTX_new(tls_methode()))==(SSL_CTX *)0) {
- (void) showtlserror(tls,0,"Get CTX");
- phase=999; //no need to go furter
- }
 break;
 case 1 : //set certificate
- if (set_certificate(tls)==false)
- phase=999; //trouble, trouble no need to go furter
+ if (set_crypting(tls)==false) {
+ (void) rou_alert(1,"%s Unable to open a TLS channel",OPEP);
+ tls=freetls(tls);
+ phase=999;
+ }
 break;
 case 2 : //Setting the TLS channel
 if ((tls->ssl=tls_setsocket(handle,tls->ctx))==(SSL *)0)
-- 
2.47.3
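Review bot: The new alert in case 0 formats `tls->peerip` with `%s`, and nothing in this hunk shows peerip being guaranteed non-null (it is presumably filled by getnames() in tls_opentls); if rou_alert is printf-like, a null here is undefined behaviour, so either confirm getnames() always stores a string or guard with `tls->peerip!=(char *)0 ? tls->peerip : "?"`. The message would also be clearer if it said which check is being skipped, e.g. `"%s Peer [%s]; application certificate check skipped (checkpeer off)"`, since OpenSSL's own verification is governed separately by the mode handed to SSL_CTX_set_verify. The function this switch belongs to starts and ends outside the hunk.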
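Review bot: case 1 of tls_opentls now frees `tls` inline on failure, whereas the `tls_setsocket` failure in case 2 (handled outside the hunk) and the ctx-creation failure that used to sit in case 0 only set `phase=999`, so teardown is split between the switch and whatever the 999 exit path does: if that path already calls freetls, case 1 double-frees; if it does not, case 2 leaks the ctx. Keep a single owner for teardown — leave case 1 at `phase=999;` after the alert, as the old code did, and free once after the loop keyed on the same failure phase. set_crypting now returns `false` with `tls->ctx` still null when `SSL_CTX_new` fails, so freetls must cope with a null ctx either way. tls_opentls's loop continues past this hunk.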