coap_mbedtls.c: Make TLS error recovery more rigorous

Support self-signed certificates that have expired. Correct variable ret initialization in coap_tls_read(). Catch some additional MbedTLS SSL error codes in do_mbedtls_handshake().
obgm · Dec 23, 2021 · 0dabb0f · 0dabb0f
1 parent 2a329e1
commit 0dabb0f
Showing 1 changed file with 23 additions and 2 deletions.
diff --git a/src/coap_mbedtls.c b/src/coap_mbedtls.c
@@ -300,6 +300,24 @@ get_error_string(int ret) {
   return buf;
 }
 
+static int
+self_signed_cert_verify_callback_mbedtls(void *data,
+                              mbedtls_x509_crt *crt COAP_UNUSED,
+                             int depth COAP_UNUSED, uint32_t *flags)
+{
+  coap_session_t *c_session = (coap_session_t*)data;
+  coap_mbedtls_context_t *m_context =
+           (coap_mbedtls_context_t *)c_session->context->dtls_context;
+  coap_dtls_pki_t *setup_data = &m_context->setup_data;
+
+  if (*flags & MBEDTLS_X509_BADCERT_EXPIRED) {
+    if (setup_data->allow_expired_certs) {
+      *flags &= ~MBEDTLS_X509_BADCERT_EXPIRED;
+    }
+  }
+  return 0;
+}
+
 /*
  * return 0 All OK
  *        -ve Error Code
@@ -358,7 +376,7 @@ cert_verify_callback_mbedtls(void *data, mbedtls_x509_crt *crt,
   if (*flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
     uint32_t lflags;
     int self_signed = !mbedtls_x509_crt_verify(crt, crt, NULL, NULL, &lflags,
-                                               NULL, NULL);
+                              self_signed_cert_verify_callback_mbedtls, data);
     if (self_signed && depth == 0) {
       if (setup_data->allow_self_signed &&
           !setup_data->check_common_ca) {
@@ -1221,6 +1239,7 @@ static int do_mbedtls_handshake(coap_session_t *c_session,
     alert = MBEDTLS_SSL_ALERT_MSG_NO_CERT;
     goto fail_alert;
   case MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO:
+  case MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO:
     alert = MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE;
     goto fail_alert;
   case MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:
@@ -1232,6 +1251,8 @@ static int do_mbedtls_handshake(coap_session_t *c_session,
                report_mbedtls_alert(m_env->ssl.in_msg[1]));
     /* Fall through */
   case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
+  case MBEDTLS_ERR_SSL_CONN_EOF:
+  case MBEDTLS_ERR_NET_CONN_RESET:
     c_session->dtls_event = COAP_EVENT_DTLS_CLOSED;
     ret = -1;
     break;
@@ -2240,7 +2261,7 @@ ssize_t coap_tls_read(coap_session_t *c_session,
                       size_t data_len
                       )
 {
-  int ret = 1;
+  int ret = -1;
 
   coap_mbedtls_env_t *m_env = (coap_mbedtls_env_t *)c_session->tls;