Diffstat (limited to '')
-rw-r--r-- | src/mbedTLS++/BlockingSslClientSocket.cpp (renamed from src/PolarSSL++/BlockingSslClientSocket.cpp) | 60 |
1 files changed, 39 insertions, 21 deletions
diff --git a/src/PolarSSL++/BlockingSslClientSocket.cpp b/src/mbedTLS++/BlockingSslClientSocket.cpp
index 7d7fc4ccf..6f765f607 100644
--- a/src/PolarSSL++/BlockingSslClientSocket.cpp
+++ b/src/mbedTLS++/BlockingSslClientSocket.cpp
@@ -1,4 +1,4 @@
-
+
 // BlockingSslClientSocket.cpp
 // Implements the cBlockingSslClientSocket class representing a blocking TCP socket with client SSL encryption over it
@@ -125,7 +125,16 @@ bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Po
 }
 // Initialize the SSL:
- int ret = m_Ssl.Initialize(true);
+ int ret = 0;
+ if (m_Config != nullptr)
+ {
+ ret = m_Ssl.Initialize(m_Config);
+ }
+ else
+ {
+ ret = m_Ssl.Initialize(true);
+ }
+
 if (ret != 0)
 {
 Printf(m_LastErrorText, "SSL initialization failed: -0x%x", -ret);
@@ -133,9 +142,9 @@ bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Po
 }
 // If we have been assigned a trusted CA root cert store, push it into the SSL context:
- if (m_CACerts.get() != nullptr)
+ if (!m_ExpectedPeerName.empty())
 {
- m_Ssl.SetCACerts(m_CACerts, m_ExpectedPeerName);
+ m_Ssl.SetExpectedPeerName(m_ExpectedPeerName);
 }
 ret = m_Ssl.Handshake();
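Review bot: The comment `// If we have been assigned a trusted CA root cert store, push it into the SSL context:` in the third hunk is now stale, because the condition under it tests m_ExpectedPeerName rather than a CA store; change it to `// If an expected peer name was set, have the SSL context check the server certificate against it:`. With the CA-store path gone from Connect(), an empty m_ExpectedPeerName silently skips SetExpectedPeerName(), and whether the handshake then verifies the peer certificate at all depends on what m_Ssl.Initialize(true) or the supplied m_Config sets up, which is not visible in these hunks; a one-line comment stating that an empty name disables hostname matching would make that consequence explicit to callers. Connect() begins and ends outside these hunks.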
@@ -153,28 +162,37 @@ bool cBlockingSslClientSocket::Connect(const AString & a_ServerName, UInt16 a_Po
-bool cBlockingSslClientSocket::SetTrustedRootCertsFromString(const AString & a_CACerts, const AString & a_ExpectedPeerName)
+void cBlockingSslClientSocket::SetExpectedPeerName(AString a_ExpectedPeerName)
 {
+ ASSERT(!m_IsConnected); // Must be called before connect
+
 // Warn if used multiple times, but don't signal an error:
- if (m_CACerts.get() != nullptr)
+ if (!m_ExpectedPeerName.empty())
 {
 LOGWARNING(
- "SSL: Trying to set multiple trusted CA root cert stores, only the last one will be used. Name: %s",
+ "SSL: Trying to set multiple expected peer names, only the last one will be used. Name: %s",
 a_ExpectedPeerName.c_str()
 );
 }
- // Parse the cert:
- m_CACerts.reset(new cX509Cert);
- int ret = m_CACerts->Parse(a_CACerts.data(), a_CACerts.size());
- if (ret < 0)
+ m_ExpectedPeerName = std::move(a_ExpectedPeerName);
+}
+
+
+
+
+
+void cBlockingSslClientSocket::SetSslConfig(std::shared_ptr<const cSslConfig> a_Config)
+{
+ ASSERT(!m_IsConnected); // Must be called before connect
+
+ // Warn if used multiple times, but don't signal an error:
+ if (m_Config != nullptr)
 {
- Printf(m_LastErrorText, "CA cert parsing failed: -0x%x", -ret);
- return false;
+ LOGWARNING("SSL: Trying to set multiple configurations, only the last one will be used.");
 }
- m_ExpectedPeerName = a_ExpectedPeerName;
- return true;
+ m_Config = std::move(a_Config);
 }
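Review bot: `ASSERT(!m_IsConnected);` is the only guard in both SetExpectedPeerName() and SetSslConfig() against calling them after Connect(), and if ASSERT is compiled out of release builds (as is usual for this kind of macro; not visible here) a late call silently stores a value that Connect() has already consumed, so the connection in flight keeps its previous peer name or configuration. A runtime check beside each assert, e.g. `if (m_IsConnected) { LOGWARNING("SSL: Expected peer name set after connecting, it will not apply to the current connection."); }`, would make that misuse visible in every build. The removed SetTrustedRootCertsFromString() returned false on a CA parse failure, whereas the new void setters cannot report anything, so the trust-store validation presumably now happens when the cSslConfig is built; a short doc comment on each setter, such as `/** Sets the name the server certificate must match. Must be called before Connect(). */`, would state the contract callers are now expected to follow.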
@@ -197,8 +215,8 @@ bool cBlockingSslClientSocket::Send(const void * a_Data, size_t a_NumBytes)
 int res = m_Ssl.WritePlain(Data, a_NumBytes);
 if (res < 0)
 {
- ASSERT(res != POLARSSL_ERR_NET_WANT_READ); // This should never happen with callback-based SSL
- ASSERT(res != POLARSSL_ERR_NET_WANT_WRITE); // This should never happen with callback-based SSL
+ ASSERT(res != MBEDTLS_ERR_SSL_WANT_READ); // This should never happen with callback-based SSL
+ ASSERT(res != MBEDTLS_ERR_SSL_WANT_WRITE); // This should never happen with callback-based SSL
 Printf(m_LastErrorText, "Data cannot be written to SSL context: -0x%x", -res);
 return false;
 }
@@ -272,7 +290,7 @@ int cBlockingSslClientSocket::ReceiveEncrypted(unsigned char * a_Buffer, size_t
 // If we got disconnected, report an error after processing all data:
 if (!m_IsConnected && m_IncomingData.empty())
 {
- return POLARSSL_ERR_NET_RECV_FAILED;
+ return MBEDTLS_ERR_NET_RECV_FAILED;
 }
 // Copy the data from the incoming buffer into the specified space:
@@ -291,12 +309,12 @@ int cBlockingSslClientSocket::SendEncrypted(const unsigned char * a_Buffer, size
 cTCPLinkPtr Socket(m_Socket); // Make a copy so that multiple threads don't race on deleting the socket.
 if (Socket == nullptr)
 {
- return POLARSSL_ERR_NET_SEND_FAILED;
+ return MBEDTLS_ERR_NET_SEND_FAILED;
 }
 if (!Socket->Send(a_Buffer, a_NumBytes))
 {
- // PolarSSL's net routines distinguish between connection reset and general failure, we don't need to
- return POLARSSL_ERR_NET_SEND_FAILED;
+ // mbedTLS's net routines distinguish between connection reset and general failure, we don't need to
+ return MBEDTLS_ERR_NET_SEND_FAILED;
 }
 return static_cast<int>(a_NumBytes);
 } |