From: Petr Štetiar <ynezz@true.cz>
Date: Thu, 10 Dec 2020 13:51:25 +0000 (+0100)
Subject: ustream-mbedtls: fix certificate verification
X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=cee6791b362a1b778b6e0630433052bd819943f1;p=project%2Fustream-ssl.git

ustream-mbedtls: fix certificate verification

Fixes certificate verification if no CA certificates are available, it's
visible when you run:

 $ uclient-fetch https://www.openwrt.org

(so no explicit certificate is given) and have *not* installed
`ca-certificates` or `ca-bundle` package, mbed TLS obviously can't do
verification since no root certificates are available.  But then it
simply ignores the issue and continues SSL handshake without warning.

Further, if you run it like:

 $ uclient-fetch --ca-certificate=/dev/null https://www.openwrt.org

ustream-mbedtls also does not do verification at all (gives no warning
either).

References: https://lists.infradead.org/pipermail/openwrt-devel/2018-August/019183.html
Suggested-by: Paul Wassi <p.wassi@gmx.at>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---

diff --git a/ustream-mbedtls.c b/ustream-mbedtls.c
index 1bea983..e79e37b 100644
--- a/ustream-mbedtls.c
+++ b/ustream-mbedtls.c
@@ -159,15 +159,17 @@ __ustream_ssl_context_new(bool server)
 
 	mbedtls_ssl_config_defaults(conf, ep, MBEDTLS_SSL_TRANSPORT_STREAM,
 				    MBEDTLS_SSL_PRESET_DEFAULT);
-	mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
 	mbedtls_ssl_conf_rng(conf, _urandom, NULL);
 
 	if (server) {
+		mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
 		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_server);
 		mbedtls_ssl_conf_min_version(conf, MBEDTLS_SSL_MAJOR_VERSION_3,
 					     MBEDTLS_SSL_MINOR_VERSION_3);
-	} else
+	} else {
+		mbedtls_ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
 		mbedtls_ssl_conf_ciphersuites(conf, default_ciphersuites_client);
+	}
 
 #if defined(MBEDTLS_SSL_CACHE_C)
 	mbedtls_ssl_conf_session_cache(conf, &ctx->cache,