Commit
PKI: Make (D)TLS operation consistent across all TLS libraries
The use of the verify_peer_cert and require_peer_cert variables in the coap_dtls_pki_t structure was giving inconsistent results across all the TLS libraries. This primarily was down to the large numbers of options available to control the TLS handshakes in OpenSSL compared to the limited control available to the mbedTLS port which followed later.

require_peer_cert is not easy to control in mbedTLS as it is an implicit configuration based on how other, not always related, items were configured.

require_peer_cert was used by the server to control whether the client could use anonymous certificates or not. This is now controlled by verify_peer_cert.

The require_peer_cert variable has been replaced with check_common_ca, so that the OpenSSL functionality can continue, but enable GnuTLS / mbedTLS to produce the same results. This allows peers to mutually authenticate (because the peer certs are signed by the same common CA) or not, which was in effect controlled by verify_peer_cert previously.

If check_common_ca is set, then allow_self_signed is ignored.

If is_rpk_not_cert is set, then all certificate validation is ignored.

In the examples, use of the -R option unsets check_common_ca, so disables mutual authentication support by having a common CA. This was needed as mbedTLS and GnuTLS only have a single trust store for CAs.

configure.ac:

Increase the number of mbed libraries to use when checking for mbedTLS.

examples/client.c:
examples/coap-rd.c:
examples/coap-server.c:

Add in -n (unset verify_peer_cert) option. In the case of coap-server and coap-rd, make -n refer to verify_peer_cert.

Add in TLS library capabilities in usage().

Update usage() documentation as appropriate, with some changes to fit everything into an 80 column output.

include/coap2/coap_dtls.h:
include/coap2/net.h:

Update with variable changes, and make the coap_dtls_pki_t parameter const for the *_context_set_pki() functions.

man/coap-client.txt.in:
man/coap-rd.txt.in:
man/coap-server.txt.in:

Update documentation to reflect the examples option usage.

man/coap_context.txt.in:
man/coap_encryption.txt.in:
man/coap_session.txt.in:

Update with the new variable name and document as appropriate.

src/coap_gnutls.c
src/coap_mbedtls.c
src/coap_notls.c
src/coap_openssl.c
coap_tinydtls.c

Update to make variable usage consistent.

Update logging from LOG_WARNING to LOG_INFO where there is an override of a PKI check failure by one of the coap_dtls_pki_t variables.

Timing window closed for TLS where the peer does not like a certificate, sends fatal alert and closes connection. local then fails on writing the next handshake - but now also reads in alert and reports on it.

src/coap_io.c:

Update logging from LOG_WARNING to LOG_INFO for EPIPE or ECONNRESET errors in coap_socket_write().

src/net.c:

Handle the const coap_dtls_pki_t parameter in coap_context_set_pki() function.