lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge remote-tracking branch 'origin/pr/2532' into development

Browse Source 
* origin/pr/2532: (29 commits)
  Document and test flags in x509_verify
  Fix style issues and a typo
  Fix name to function call
  Address comments for x509 tests
  Address review comments regarding ssl_client2 and ssl tests
  Remove mbedtls_ from the static function name
  Change docs according to review comments
  Change the verify function naming
  Fix ssl_client2 and ssl_server2 if !PLATFORM_C
  Correct placement of usage macro in ssl_client2
  Update version_features.c
  Remove trailing whitespace in test_suite_x509parse.function
  Update query_config.c
  Add ssl-opt.sh tests for trusted CA callbacks
  Only run X.509 CRT verification tests with CA callback tests if !CRL
  Minor fixes to CA callback tests
  Declare CA callback type even if feature is disabled
  Implement X.509 CRT verification using CA callback
  Add prototype for CRT verification with static and dynamic CA list
  Make use of CA callback if present when verifying peer CRT chain
  ...
This commit is contained in:
Jaeden Amero
2019-04-16 14:42:11 +01:00
parent 24c71d3a5c 846ae7a70d
commit ff34d43720
13 changed files with 927 additions and 102 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
programs/ssl/query_config.c
View File

@ -1498,6 +1498,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if( strcmp( "MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK );
return( 0 );
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
if( strcmp( "MBEDTLS_X509_CHECK_KEY_USAGE", config ) == 0 )
{

86
programs/ssl/ssl_client2.c
View File

@ -35,6 +35,8 @@
#define mbedtls_printf printf
#define mbedtls_fprintf fprintf
#define mbedtls_snprintf snprintf
#define mbedtls_calloc calloc
#define mbedtls_free free
#define mbedtls_exit exit
#define MBEDTLS_EXIT_SUCCESS EXIT_SUCCESS
#define MBEDTLS_EXIT_FAILURE EXIT_FAILURE
@ -122,6 +124,8 @@ int main( void )
#define DFL_FALLBACK -1
#define DFL_EXTENDED_MS -1
#define DFL_ETM -1
#define DFL_CA_CALLBACK 0
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
#define GET_REQUEST_END "\r\n\r\n"
@ -174,6 +178,14 @@ int main( void )
#define USAGE_PSK ""
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
#define USAGE_CA_CALLBACK \
" ca_callback=%%d default: 0 (disabled)\n" \
" Enable this to use the trusted certificate callback function\n"
#else
#define USAGE_CA_CALLBACK ""
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#define USAGE_TICKETS \
" tickets=%%d default: 1 (enabled)\n"
@ -312,6 +324,7 @@ int main( void )
" options: none, optional, required\n" \
USAGE_IO \
USAGE_KEY_OPAQUE \
USAGE_CA_CALLBACK \
"\n" \
USAGE_PSK \
USAGE_ECJPAKE \
@ -385,6 +398,9 @@ struct options
int key_opaque; /* handle private key as if it were opaque */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int psk_opaque;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback; /* Use callback for trusted certificate list */
#endif
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
@ -439,6 +455,62 @@ static void my_debug( void *ctx, int level,
fflush( (FILE *) ctx );
}
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback( void *data, mbedtls_x509_crt const *child,
mbedtls_x509_crt **candidates )
{
int ret = 0;
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
mbedtls_x509_crt *first;
/* This is a test-only implementation of the CA callback
* which always returns the entire list of trusted certificates.
* Production implementations managing a large number of CAs
* should use an efficient presentation and lookup for the
* set of trusted certificates (such as a hashtable) and only
* return those trusted certificates which satisfy basic
* parental checks, such as the matching of child `Issuer`
* and parent `Subject` field or matching key identifiers. */
((void) child);
first = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
if( first == NULL )
{
ret = -1;
goto exit;
}
mbedtls_x509_crt_init( first );
if( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) != 0 )
{
ret = -1;
goto exit;
}
while( ca->next != NULL )
{
ca = ca->next;
if( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) != 0 )
{
ret = -1;
goto exit;
}
}
exit:
if( ret != 0 )
{
mbedtls_x509_crt_free( first );
mbedtls_free( first );
first = NULL;
}
*candidates = first;
return( ret );
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
/*
* Test recv/send functions that make sure each try returns
* WANT_READ/WANT_WRITE at least once before sucesseding
@ -697,6 +769,9 @@ int main( int argc, char *argv[] )
opt.psk = DFL_PSK;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.psk_opaque = DFL_PSK_OPAQUE;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt.ca_callback = DFL_CA_CALLBACK;
#endif
opt.psk_identity = DFL_PSK_IDENTITY;
opt.ecjpake_pw = DFL_ECJPAKE_PW;
@ -805,6 +880,10 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
else if( strcmp( p, "psk_opaque" ) == 0 )
opt.psk_opaque = atoi( q );
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if( strcmp( p, "ca_callback" ) == 0)
opt.ca_callback = atoi( q );
#endif
else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q;
@ -1600,7 +1679,12 @@ int main( int argc, char *argv[] )
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if( opt.ca_callback != 0 )
mbedtls_ssl_conf_ca_cb( &conf, ca_callback, &cacert );
else
#endif
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
}
if( strcmp( opt.crt_file, "none" ) != 0 &&
strcmp( opt.key_file, "none" ) != 0 )

84
programs/ssl/ssl_server2.c
View File

@ -30,6 +30,7 @@
#else
#include <stdio.h>
#include <stdlib.h>
#define mbedtls_calloc calloc
#define mbedtls_free free
#define mbedtls_time time
#define mbedtls_time_t time_t
@ -166,6 +167,7 @@ int main( void )
#define DFL_DGRAM_PACKING 1
#define DFL_EXTENDED_MS -1
#define DFL_ETM -1
#define DFL_CA_CALLBACK 0
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@ -264,7 +266,13 @@ int main( void )
#else
#define USAGE_PSK ""
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
#define USAGE_CA_CALLBACK \
" ca_callback=%%d default: 0 (disabled)\n" \
" Enable this to use the trusted certificate callback function\n"
#else
#define USAGE_CA_CALLBACK ""
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#define USAGE_TICKETS \
" tickets=%%d default: 1 (enabled)\n" \
@ -420,6 +428,7 @@ int main( void )
USAGE_SNI \
"\n" \
USAGE_PSK \
USAGE_CA_CALLBACK \
USAGE_ECJPAKE \
"\n" \
" allow_legacy=%%d default: (library default: no)\n" \
@ -506,6 +515,9 @@ struct options
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int psk_opaque;
int psk_list_opaque;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback; /* Use callback for trusted certificate list */
#endif
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
@ -564,6 +576,62 @@ static void my_debug( void *ctx, int level,
fflush( (FILE *) ctx );
}
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback( void *data, mbedtls_x509_crt const *child,
mbedtls_x509_crt **candidates)
{
int ret = 0;
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
mbedtls_x509_crt *first;
/* This is a test-only implementation of the CA callback
* which always returns the entire list of trusted certificates.
* Production implementations managing a large number of CAs
* should use an efficient presentation and lookup for the
* set of trusted certificates (such as a hashtable) and only
* return those trusted certificates which satisfy basic
* parental checks, such as the matching of child `Issuer`
* and parent `Subject` field. */
((void) child);
first = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
if( first == NULL )
{
ret = -1;
goto exit;
}
mbedtls_x509_crt_init( first );
if( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) != 0 )
{
ret = -1;
goto exit;
}
while( ca->next != NULL )
{
ca = ca->next;
if( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) != 0 )
{
ret = -1;
goto exit;
}
}
exit:
if( ret != 0 )
{
mbedtls_x509_crt_free( first );
mbedtls_free( first );
first = NULL;
}
*candidates = first;
return( ret );
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
/*
* Test recv/send functions that make sure each try returns
* WANT_READ/WANT_WRITE at least once before sucesseding
@ -1457,6 +1525,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.psk_opaque = DFL_PSK_OPAQUE;
opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt.ca_callback = DFL_CA_CALLBACK;
#endif
opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST;
@ -1591,6 +1662,10 @@ int main( int argc, char *argv[] )
opt.psk_opaque = atoi( q );
else if( strcmp( p, "psk_list_opaque" ) == 0 )
opt.psk_list_opaque = atoi( q );
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if( strcmp( p, "ca_callback" ) == 0)
opt.ca_callback = atoi( q );
#endif
else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q;
@ -2570,7 +2645,12 @@ int main( int argc, char *argv[] )
if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 )
{
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if( opt.ca_callback != 0 )
mbedtls_ssl_conf_ca_cb( &conf, ca_callback, &cacert);
else
#endif
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
}
if( key_cert_init )
{