mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-29 04:20:12 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add support for context f_vrfy callback in 1.3

Browse Source 
This was only supported in 1.2 for no good reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2024-08-16 09:53:41 +02:00
parent fd800c2416
commit 843a00dec6
3 changed files with 18 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
library/ssl_tls.c
View File

@ -7953,6 +7953,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
return 0; return 0;
} }
/* Verify callback: precedence order is SSL context, else conf struct. */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; void *p_vrfy;
if (ssl->f_vrfy != NULL) { if (ssl->f_vrfy != NULL) {

17
library/ssl_tls13_generic.c
View File

@ -695,6 +695,19 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
return 0; return 0;
} }
/* Verify callback: precedence order is SSL context, else conf struct. */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy;
if (ssl->f_vrfy != NULL) {
MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
f_vrfy = ssl->f_vrfy;
p_vrfy = ssl->p_vrfy;
} else {
MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
f_vrfy = ssl->conf->f_vrfy;
p_vrfy = ssl->conf->p_vrfy;
}
/* /*
* Main check: verify certificate * Main check: verify certificate
*/ */
@ -710,7 +723,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
ssl->conf->cert_profile, ssl->conf->cert_profile,
ssl->hostname, ssl->hostname,
&verify_result, &verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy); f_vrfy, p_vrfy);
} else } else
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
{ {
@ -737,7 +750,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
ssl->conf->cert_profile, ssl->conf->cert_profile,
ssl->hostname, ssl->hostname,
&verify_result, &verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy); f_vrfy, p_vrfy);
} }
if (ret != 0) { if (ret != 0) {

4
tests/ssl-opt.sh
View File

@ -2724,7 +2724,7 @@ run_test "Single supported algorithm sending: openssl client" \
# Tests for certificate verification callback # Tests for certificate verification callback
run_test "Configuration-specific CRT verification callback" \ run_test "Configuration-specific CRT verification callback" \
"$P_SRV debug_level=3" \ "$P_SRV debug_level=3" \
"$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \ "$P_CLI context_crt_cb=0 debug_level=3" \
0 \ 0 \
-S "error" \ -S "error" \
-c "Verify requested for " \ -c "Verify requested for " \
@ -2734,7 +2734,7 @@ run_test "Configuration-specific CRT verification callback" \
run_test "Context-specific CRT verification callback" \ run_test "Context-specific CRT verification callback" \
"$P_SRV debug_level=3" \ "$P_SRV debug_level=3" \
"$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \ "$P_CLI context_crt_cb=1 debug_level=3" \
0 \ 0 \
-S "error" \ -S "error" \
-c "Verify requested for " \ -c "Verify requested for " \