Make use of CA callback if present when verifying peer CRT chain

2025-11-03 20:22:59 -05:00 · 2019-03-27 16:55:01 +00:00 · 2019-03-27 16:55:01 +00:00 · afd0b0a1a7
commit afd0b0a1a7
parent 5adaad9846
1 changed files with 49 additions and 24 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -6035,12 +6035,36 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
    int ret = 0;
    const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
        ssl->transform_negotiate->ciphersuite_info;
-    mbedtls_x509_crt *ca_chain;
-    mbedtls_x509_crl *ca_crl;
+    int have_ca_chain = 0;

    if( authmode == MBEDTLS_SSL_VERIFY_NONE )
        return( 0 );

+    /*
+     * Main check: verify certificate
+     */
+#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
+    if( ssl->conf->f_ca_cb != NULL )
+    {
+        ((void) rs_ctx);
+        have_ca_chain = 1;
+
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "use CA callback for X.509 CRT verification" ) );
+        ret = mbedtls_x509_crt_verify_with_cb(
+            chain,
+            ssl->conf->f_ca_cb,
+            ssl->conf->p_ca_cb,
+            ssl->conf->cert_profile,
+            ssl->hostname,
+            &ssl->session_negotiate->verify_result,
+            ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+    }
+    else
+#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
+    {
+        mbedtls_x509_crt *ca_chain;
+        mbedtls_x509_crl *ca_crl;
+
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
        if( ssl->handshake->sni_ca_chain != NULL )
        {
@ -6054,9 +6078,9 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
            ca_crl   = ssl->conf->ca_crl;
        }

-    /*
-     * Main check: verify certificate
-     */
+        if( ca_chain != NULL )
+            have_ca_chain = 1;
+
        ret = mbedtls_x509_crt_verify_restartable(
            chain,
            ca_chain, ca_crl,
@ -6064,6 +6088,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
            ssl->hostname,
            &ssl->session_negotiate->verify_result,
            ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+    }

    if( ret != 0 )
    {
@ -6119,7 +6144,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
        ret = 0;
    }

-    if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
+    if( have_ca_chain == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) );
        ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
@ -7886,7 +7911,7 @@ void mbedtls_ssl_conf_ca_chain( mbedtls_ssl_config *conf,

 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
 void mbedtls_ssl_conf_ca_cb( mbedtls_ssl_config *conf,
-                             mbedtls_x509_ca_cb_t f_ca_cb,
+                             mbedtls_x509_crt_ca_cb_t f_ca_cb,
                             void *p_ca_cb )
 {
    conf->f_ca_cb = f_ca_cb;