mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-24 01:43:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add accessors to config DN hints for cert request

Browse Source 
mbedtls_ssl_conf_dn_hints()
mbedtls_ssl_set_hs_dn_hints()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This commit is contained in:
Glenn Strauss 2022-03-11 01:37:23 -05:00
parent e99ec7cb6a
commit 999ef70b27
5 changed files with 63 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
ChangeLog.d/mbedtls_ssl_dn_hint.txt Normal file
View File

@ -0,0 +1,3 @@
Features
* Add accessors to configure DN hints for certificate request:
mbedtls_ssl_conf_dn_hints() and mbedtls_ssl_set_hs_dn_hints()

39
include/mbedtls/ssl.h
View File

@ -1494,6 +1494,10 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
mbedtls_ssl_hs_cb_t MBEDTLS_PRIVATE(f_cert_cb); /*!< certificate selection callback */ mbedtls_ssl_hs_cb_t MBEDTLS_PRIVATE(f_cert_cb); /*!< certificate selection callback */
#endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
const mbedtls_x509_crt *MBEDTLS_PRIVATE(dn_hints);/*!< acceptable client cert issuers */
#endif
}; };
struct mbedtls_ssl_context struct mbedtls_ssl_context
@ -3126,6 +3130,26 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
mbedtls_x509_crt *ca_chain, mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl ); mbedtls_x509_crl *ca_crl );
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
/**
* \brief Set DN hints sent to client in CertificateRequest message
*
* \note If not set, subject distinguished names (DNs) are taken
* from \c mbedtls_ssl_conf_ca_chain()
* or \c mbedtls_ssl_set_hs_ca_chain())
*
* \param conf SSL configuration
* \param crt crt chain whose subject DNs are issuer DNs of client certs
* from which the client should select client peer certificate.
*/
static inline
void mbedtls_ssl_conf_dn_hints( mbedtls_ssl_config *conf,
const mbedtls_x509_crt *crt )
{
conf->MBEDTLS_PRIVATE(dn_hints) = crt;
}
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
/** /**
* \brief Set the trusted certificate callback. * \brief Set the trusted certificate callback.
@ -3650,6 +3674,21 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *ca_chain, mbedtls_x509_crt *ca_chain,
mbedtls_x509_crl *ca_crl ); mbedtls_x509_crl *ca_crl );
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
/**
* \brief Set DN hints sent to client in CertificateRequest message
*
* \note Same as \c mbedtls_ssl_conf_dn_hints() but for use within
* the SNI callback or the certificate selection callback.
*
* \param ssl SSL context
* \param crt crt chain whose subject DNs are issuer DNs of client certs
* from which the client should select client peer certificate.
*/
void mbedtls_ssl_set_hs_dn_hints( mbedtls_ssl_context *ssl,
const mbedtls_x509_crt *crt );
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
/** /**
* \brief Set authmode for the current handshake. * \brief Set authmode for the current handshake.
* *

3
library/ssl_misc.h
View File

@ -850,6 +850,9 @@ struct mbedtls_ssl_handshake_params
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const unsigned char *sni_name; /*!< raw SNI */ const unsigned char *sni_name; /*!< raw SNI */
size_t sni_name_len; /*!< raw SNI len */ size_t sni_name_len; /*!< raw SNI len */
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
#endif
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
}; };

8
library/ssl_tls.c
View File

@ -1472,6 +1472,14 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
ssl->handshake->sni_ca_crl = ca_crl; ssl->handshake->sni_ca_crl = ca_crl;
} }
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
void mbedtls_ssl_set_hs_dn_hints( mbedtls_ssl_context *ssl,
const mbedtls_x509_crt *crt)
{
ssl->handshake->dn_hints = crt;
}
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl, void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
int authmode ) int authmode )
{ {

10
library/ssl_tls12_server.c
View File

@ -2489,6 +2489,16 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
* `mbedtls_ssl_conf_ca_cb()`, then the * `mbedtls_ssl_conf_ca_cb()`, then the
* CertificateRequest is currently left empty. */ * CertificateRequest is currently left empty. */
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->dn_hints != NULL )
crt = ssl->handshake->dn_hints;
else
#endif
if( ssl->conf->dn_hints != NULL )
crt = ssl->conf->dn_hints;
else
#endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL ) if( ssl->handshake->sni_ca_chain != NULL )
crt = ssl->handshake->sni_ca_chain; crt = ssl->handshake->sni_ca_chain;