Add support for context f_vrfy callback in 1.3

This was only supported in 1.2 for no good reason. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-03-14 01:26:49 +00:00 · 2024-08-16 09:53:41 +02:00 · 2024-08-16 09:53:41 +02:00 · dee6ffa961
commit dee6ffa961
parent e910ac8627
3 changed files with 18 additions and 4 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -7953,6 +7953,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
        return 0;
    }

+    /* Verify callback: precedence order is SSL context, else conf struct. */
    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
    void *p_vrfy;
    if (ssl->f_vrfy != NULL) {
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -695,6 +695,19 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
        return 0;
    }

+    /* Verify callback: precedence order is SSL context, else conf struct. */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;
+    if (ssl->f_vrfy != NULL) {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Use context-specific verification callback"));
+        f_vrfy = ssl->f_vrfy;
+        p_vrfy = ssl->p_vrfy;
+    } else {
+        MBEDTLS_SSL_DEBUG_MSG(3, ("Use configuration-specific verification callback"));
+        f_vrfy = ssl->conf->f_vrfy;
+        p_vrfy = ssl->conf->p_vrfy;
+    }
+
    /*
     * Main check: verify certificate
     */
@ -710,7 +723,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
            ssl->conf->cert_profile,
            ssl->hostname,
            &verify_result,
-            ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+            f_vrfy, p_vrfy);
    } else
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
    {
@ -737,7 +750,7 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
            ssl->conf->cert_profile,
            ssl->hostname,
            &verify_result,
-            ssl->conf->f_vrfy, ssl->conf->p_vrfy);
+            f_vrfy, p_vrfy);
    }

    if (ret != 0) {
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -2724,7 +2724,7 @@ run_test    "Single supported algorithm sending: openssl client" \
 # Tests for certificate verification callback
 run_test    "Configuration-specific CRT verification callback" \
            "$P_SRV debug_level=3" \
-            "$P_CLI force_version=tls12 context_crt_cb=0 debug_level=3" \
+            "$P_CLI context_crt_cb=0 debug_level=3" \
            0 \
            -S "error" \
            -c "Verify requested for " \
@ -2734,7 +2734,7 @@ run_test    "Configuration-specific CRT verification callback" \

 run_test    "Context-specific CRT verification callback" \
            "$P_SRV debug_level=3" \
-            "$P_CLI force_version=tls12 context_crt_cb=1 debug_level=3" \
+            "$P_CLI context_crt_cb=1 debug_level=3" \
            0 \
            -S "error" \
            -c "Verify requested for " \