mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-18 05:42:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls13: Add support for trusted certificate callback

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Ronald Cron 2024-04-03 09:07:22 +02:00 committed by Manuel Pégourié-Gonnard
parent 7a442c9941
commit bfbecf8b34
1 changed files with 41 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
library/ssl_tls13_generic.c
View File

@ -629,6 +629,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl) static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
{ {
int ret = 0; int ret = 0;
int have_ca_chain = 0;
mbedtls_x509_crt *ca_chain; mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl; mbedtls_x509_crl *ca_crl;
uint32_t verify_result = 0; uint32_t verify_result = 0;
@ -696,27 +697,48 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
return 0; return 0;
} }
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_ca_chain != NULL) {
ca_chain = ssl->handshake->sni_ca_chain;
ca_crl = ssl->handshake->sni_ca_crl;
} else
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
{
ca_chain = ssl->conf->ca_chain;
ca_crl = ssl->conf->ca_crl;
}
/* /*
* Main check: verify certificate * Main check: verify certificate
*/ */
ret = mbedtls_x509_crt_verify_with_profile( #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
ssl->session_negotiate->peer_cert, if (ssl->conf->f_ca_cb != NULL) {
ca_chain, ca_crl, have_ca_chain = 1;
ssl->conf->cert_profile,
ssl->hostname, MBEDTLS_SSL_DEBUG_MSG(3, ("use CA callback for X.509 CRT verification"));
&verify_result, ret = mbedtls_x509_crt_verify_with_ca_cb(
ssl->conf->f_vrfy, ssl->conf->p_vrfy); ssl->session_negotiate->peer_cert,
ssl->conf->f_ca_cb,
ssl->conf->p_ca_cb,
ssl->conf->cert_profile,
ssl->hostname,
&verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy);
} else
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
{
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if (ssl->handshake->sni_ca_chain != NULL) {
ca_chain = ssl->handshake->sni_ca_chain;
ca_crl = ssl->handshake->sni_ca_crl;
} else
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
{
ca_chain = ssl->conf->ca_chain;
ca_crl = ssl->conf->ca_crl;
}
if (ca_chain != NULL) {
have_ca_chain = 1;
}
ret = mbedtls_x509_crt_verify_with_profile(
ssl->session_negotiate->peer_cert,
ca_chain, ca_crl,
ssl->conf->cert_profile,
ssl->hostname,
&verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy);
}
if (ret != 0) { if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret); MBEDTLS_SSL_DEBUG_RET(1, "x509_verify_cert", ret);
@ -749,7 +771,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
ret = 0; ret = 0;
} }
if (ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) { if (!have_ca_chain && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain")); MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED; ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
} }