mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-26 03:35:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add server certificate selection callback

Browse Source 
https://github.com/ARMmbed/mbedtls/issues/5430

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This commit is contained in:
Glenn Strauss 2022-01-21 18:02:17 -05:00
parent 4579a972bf
commit 2ed95279c0
4 changed files with 48 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog.d/mbedtls_ssl_cert_cb.txt Normal file
View File

@ -0,0 +1,3 @@
Features
* Add server certificate selection callback near end of Client Hello.
Register callback with mbedtls_ssl_conf_cert_cb().

26
include/mbedtls/ssl.h
View File

@ -1475,6 +1475,10 @@ struct mbedtls_ssl_config
* access it afterwards. * access it afterwards.
*/ */
mbedtls_ssl_user_data_t MBEDTLS_PRIVATE(user_data); mbedtls_ssl_user_data_t MBEDTLS_PRIVATE(user_data);
#if defined(MBEDTLS_SSL_SRV_C)
int (*MBEDTLS_PRIVATE(f_cert_cb))(mbedtls_ssl_context *); /*!< certificate selection callback */
#endif /* MBEDTLS_SSL_SRV_C */
}; };
struct mbedtls_ssl_context struct mbedtls_ssl_context
@ -2220,6 +2224,28 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_set_timer_t *f_set_timer, mbedtls_ssl_set_timer_t *f_set_timer,
mbedtls_ssl_get_timer_t *f_get_timer ); mbedtls_ssl_get_timer_t *f_get_timer );
#if defined(MBEDTLS_SSL_SRV_C)
/**
* \brief Set the certificate selection callback (server-side only).
*
* If set, the callback is always called for each handshake,
* after `ClientHello` processing has finished.
*
* The callback has the following parameters:
* - \c mbedtls_ssl_context*: The SSL context to which
* the operation applies.
* The return value of the callback is 0 if successful,
* or a specific MBEDTLS_ERR_XXX code, which will cause
* the handshake to be aborted.
*
* \param conf The SSL configuration to register the callback with.
* \param f_cert_cb The callback for selecting server certificate after
* `ClientHello` processing has finished.
*/
void mbedtls_ssl_conf_cert_cb( mbedtls_ssl_config *conf,
int (*f_cert_cb)(mbedtls_ssl_context *) );
#endif /* MBEDTLS_SSL_SRV_C */
/** /**
* \brief Callback type: generate and write session ticket * \brief Callback type: generate and write session ticket
* *

12
library/ssl_srv.c
View File

@ -1870,10 +1870,20 @@ read_record_header:
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
/*
* Server certification selection (after processing TLS extensions)
*/
if( ssl->conf->f_cert_cb && ( ret = ssl->conf->f_cert_cb( ssl ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "f_cert_cb", ret );
return( ret );
}
/* /*
* Search for a matching ciphersuite * Search for a matching ciphersuite
* (At the end because we need information from the EC-based extensions * (At the end because we need information from the EC-based extensions
* and certificate from the SNI callback triggered by the SNI extension.) * and certificate from the SNI callback triggered by the SNI extension
* or certificate from server certificate selection callback.)
*/ */
got_common_suite = 0; got_common_suite = 0;
ciphersuites = ssl->conf->ciphersuite_list; ciphersuites = ssl->conf->ciphersuite_list;

8
library/ssl_tls.c
View File

@ -1232,6 +1232,14 @@ void mbedtls_ssl_set_timer_cb( mbedtls_ssl_context *ssl,
mbedtls_ssl_set_timer( ssl, 0 ); mbedtls_ssl_set_timer( ssl, 0 );
} }
#if defined(MBEDTLS_SSL_SRV_C)
void mbedtls_ssl_conf_cert_cb( mbedtls_ssl_config *conf,
int (*f_cert_cb)(mbedtls_ssl_context *) )
{
conf->f_cert_cb = f_cert_cb;
}
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf,
void *p_cache, void *p_cache,