	Make use of CA callback if present when verifying peer CRT chain
This commit is contained in:
		
							parent
							
								
									5adaad9846
								
							
						
					
					
						commit
						afd0b0a1a7
					
				@ -6035,12 +6035,36 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 | 
				
			|||||||
    int ret = 0;
 | 
					    int ret = 0;
 | 
				
			||||||
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
 | 
					    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
 | 
				
			||||||
        ssl->transform_negotiate->ciphersuite_info;
 | 
					        ssl->transform_negotiate->ciphersuite_info;
 | 
				
			||||||
    mbedtls_x509_crt *ca_chain;
 | 
					    int have_ca_chain = 0;
 | 
				
			||||||
    mbedtls_x509_crl *ca_crl;
 | 
					 | 
				
			||||||
 | 
					
 | 
				
			||||||
    if( authmode == MBEDTLS_SSL_VERIFY_NONE )
 | 
					    if( authmode == MBEDTLS_SSL_VERIFY_NONE )
 | 
				
			||||||
        return( 0 );
 | 
					        return( 0 );
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					    /*
 | 
				
			||||||
 | 
					     * Main check: verify certificate
 | 
				
			||||||
 | 
					     */
 | 
				
			||||||
 | 
					#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 | 
				
			||||||
 | 
					    if( ssl->conf->f_ca_cb != NULL )
 | 
				
			||||||
 | 
					    {
 | 
				
			||||||
 | 
					        ((void) rs_ctx);
 | 
				
			||||||
 | 
					        have_ca_chain = 1;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
 | 
				
			||||||
 | 
					        ret = mbedtls_x509_crt_verify_with_cb(
 | 
				
			||||||
 | 
					            chain,
 | 
				
			||||||
 | 
					            ssl->conf->f_ca_cb,
 | 
				
			||||||
 | 
					            ssl->conf->p_ca_cb,
 | 
				
			||||||
 | 
					            ssl->conf->cert_profile,
 | 
				
			||||||
 | 
					            ssl->hostname,
 | 
				
			||||||
 | 
					            &ssl->session_negotiate->verify_result,
 | 
				
			||||||
 | 
					            ssl->conf->f_vrfy, ssl->conf->p_vrfy );
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					    else
 | 
				
			||||||
 | 
					#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 | 
				
			||||||
 | 
					    {
 | 
				
			||||||
 | 
					        mbedtls_x509_crt *ca_chain;
 | 
				
			||||||
 | 
					        mbedtls_x509_crl *ca_crl;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 | 
					#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
 | 
				
			||||||
        if( ssl->handshake->sni_ca_chain != NULL )
 | 
					        if( ssl->handshake->sni_ca_chain != NULL )
 | 
				
			||||||
        {
 | 
					        {
 | 
				
			||||||
@ -6054,9 +6078,9 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 | 
				
			|||||||
            ca_crl   = ssl->conf->ca_crl;
 | 
					            ca_crl   = ssl->conf->ca_crl;
 | 
				
			||||||
        }
 | 
					        }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    /*
 | 
					        if( ca_chain != NULL )
 | 
				
			||||||
     * Main check: verify certificate
 | 
					            have_ca_chain = 1;
 | 
				
			||||||
     */
 | 
					
 | 
				
			||||||
        ret = mbedtls_x509_crt_verify_restartable(
 | 
					        ret = mbedtls_x509_crt_verify_restartable(
 | 
				
			||||||
            chain,
 | 
					            chain,
 | 
				
			||||||
            ca_chain, ca_crl,
 | 
					            ca_chain, ca_crl,
 | 
				
			||||||
@ -6064,6 +6088,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 | 
				
			|||||||
            ssl->hostname,
 | 
					            ssl->hostname,
 | 
				
			||||||
            &ssl->session_negotiate->verify_result,
 | 
					            &ssl->session_negotiate->verify_result,
 | 
				
			||||||
            ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
 | 
					            ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
 | 
				
			||||||
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    if( ret != 0 )
 | 
					    if( ret != 0 )
 | 
				
			||||||
    {
 | 
					    {
 | 
				
			||||||
@ -6119,7 +6144,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
 | 
				
			|||||||
        ret = 0;
 | 
					        ret = 0;
 | 
				
			||||||
    }
 | 
					    }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
    if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
 | 
					    if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
 | 
				
			||||||
    {
 | 
					    {
 | 
				
			||||||
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
 | 
					        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
 | 
				
			||||||
        ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
 | 
					        ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
 | 
				
			||||||
@ -7886,7 +7911,7 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,
 | 
				
			|||||||
 | 
					
 | 
				
			||||||
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 | 
					#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 | 
				
			||||||
void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
 | 
					void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
 | 
				
			||||||
                             mbedtls_x509_ca_cb_t f_ca_cb,
 | 
					                             mbedtls_x509_crt_ca_cb_t f_ca_cb,
 | 
				
			||||||
                             void *p_ca_cb )
 | 
					                             void *p_ca_cb )
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
    conf->f_ca_cb = f_ca_cb;
 | 
					    conf->f_ca_cb = f_ca_cb;
 | 
				
			||||||
 | 
				
			|||||||
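Review bot: The new callback branch (`if( ssl->conf->f_ca_cb != NULL )`) is evaluated before the SNI check, so a per-handshake `ssl->handshake->sni_ca_chain` is silently ignored whenever a CA callback is configured, and `mbedtls_x509_crt_verify_with_cb()` is invoked with no `ca_crl` argument, unlike the `mbedtls_x509_crt_verify_restartable()` call in the else branch which still receives `ca_crl`. Both are security-relevant precedence decisions that nothing in the hunk records; if they are intended, state them at the branch, e.g. `/* A configured CA callback takes precedence over ssl->conf->ca_chain and any SNI-specific sni_ca_chain; CRLs are not consulted on this path. */`, and the same caveat belongs on the mbedtls_ssl_conf_ca_cb() declaration so integrators do not assume a CRL or SNI chain is still enforced. If overriding an SNI-specific chain is not intended, the `sni_ca_chain != NULL` test should be checked first and only the default-chain case should fall through to the callback. The `((void) rs_ctx);` additionally means restartable verification is not available on the callback path, which is worth a one-line comment as well. ssl_parse_certificate_verify() starts before and continues after these hunks, so the remainder of its error handling is not visible here.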