Merge remote-tracking branch 'origin/pr/2539' into development

Resolve conflicts by performing the following: - Ensure calls to mbedtls_x509_crt_verify_* are made with callbacks * origin/pr/2539: Make CRT callback tests more robust Rename constant in client2.c Fix typo Add test for configuration specific CRT callback Fix doxygen documentation of mbedtls_ssl_set_verify() Add test exercising context-specific CRT callback to ssl-opt.sh Add cmd to use context-specific CRT callback in ssl_client2 Implement context-specific verification callbacks Add context-specific CRT verification callbacks Improve documentation of mbedtls_ssl_conf_verify()
2025-07-29 11:41:15 +03:00 · 2019-04-16 15:03:12 +01:00
parent ff34d43720 4031b314ed
commit fe7106755e
4 changed files with 117 additions and 9 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -6037,9 +6037,25 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
        ssl->transform_negotiate->ciphersuite_info;
    int have_ca_chain = 0;

+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;
+
    if( authmode == MBEDTLS_SSL_VERIFY_NONE )
        return( 0 );

+    if( ssl->f_vrfy != NULL )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
+        f_vrfy = ssl->f_vrfy;
+        p_vrfy = ssl->p_vrfy;
+    }
+    else
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
+        f_vrfy = ssl->conf->f_vrfy;
+        p_vrfy = ssl->conf->p_vrfy;
+    }
+
    /*
     * Main check: verify certificate
     */
@ -6057,7 +6073,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
            ssl->conf->cert_profile,
            ssl->hostname,
            &ssl->session_negotiate->verify_result,
-            ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+            f_vrfy, p_vrfy );
    }
    else
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
@ -6087,7 +6103,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
            ssl->conf->cert_profile,
            ssl->hostname,
            &ssl->session_negotiate->verify_result,
-            ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+            f_vrfy, p_vrfy, rs_ctx );
    }

    if( ret != 0 )
@ -7949,6 +7965,16 @@ void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */

+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                     void *p_vrfy )
+{
+    ssl->f_vrfy = f_vrfy;
+    ssl->p_vrfy = p_vrfy;
+}
+#endif
+
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 /*
 * Set EC J-PAKE password for current handshake