Add ssl_set_hs_own_cert()

This commit is contained in:
Manuel Pégourié-Gonnard 2015-05-10 23:10:37 +02:00
parent 8f618a8e65
commit 1af6c8500b
4 changed files with 31 additions and 23 deletions

View file

@ -1706,6 +1706,22 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/**
* \brief Set own certificate and key for the current handshake
*
* \note Same as \c mbedtls_ssl_set_own_cert() but for use within
* the SNI callback.
*
* \param ssl SSL context
* \param own_cert own public certificate chain
* \param pk_key own private key
*
* \return 0 on success or MBEDTLS_ERR_SSL_MALLOC_FAILED
*/
int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *own_cert,
mbedtls_pk_context *pk_key );
/**
* \brief Set server side ServerName TLS extension callback
* (optional, server-side only).
@ -1716,8 +1732,8 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
* following parameters: (void *parameter, mbedtls_ssl_context *ssl,
* const unsigned char *hostname, size_t len). If a suitable
* certificate is found, the callback should set the
* certificate and key to use with mbedtls_ssl_set_own_cert() (and
* possibly adjust the CA chain as well) and return 0. The
* certificate and key to use with mbedtls_ssl_set_hs_own_cert() (and
* possibly adjust the CA chain as well TODO: broken) and return 0. The
* callback should return -1 to abort the handshake at this
* point.
*

View file

@ -389,25 +389,6 @@ void mbedtls_ssl_set_dtls_cookies( mbedtls_ssl_config *conf,
#endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/*
* Wrapper around f_sni, allowing use of mbedtls_ssl_set_own_cert() but
* making it act on ssl->handshake->sni_key_cert instead.
*/
static int ssl_sni_wrapper( mbedtls_ssl_context *ssl,
const unsigned char* name, size_t len )
{
int ret;
mbedtls_ssl_key_cert *key_cert_ori = ssl->conf->key_cert;
ssl->conf->key_cert = NULL;
ret = ssl->conf->f_sni( ssl->conf->p_sni, ssl, name, len );
ssl->handshake->sni_key_cert = ssl->conf->key_cert;
ssl->conf->key_cert = key_cert_ori;
return( ret );
}
static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
@ -437,7 +418,8 @@ static int ssl_parse_servername_ext( mbedtls_ssl_context *ssl,
if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
{
ret = ssl_sni_wrapper( ssl, p + 3, hostname_len );
ret = ssl->conf->f_sni( ssl->conf->p_sni,
ssl, p + 3, hostname_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_sni_wrapper", ret );

View file

@ -5352,6 +5352,16 @@ void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf,
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
int mbedtls_ssl_set_hs_own_cert( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *own_cert,
mbedtls_pk_context *pk_key )
{
return( ssl_append_key_cert( &ssl->handshake->sni_key_cert,
own_cert, pk_key ) );
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
int mbedtls_ssl_set_psk( mbedtls_ssl_config *conf,
const unsigned char *psk, size_t psk_len,

View file

@ -547,7 +547,7 @@ int sni_callback( void *p_info, mbedtls_ssl_context *ssl,
if( name_len == strlen( cur->name ) &&
memcmp( name, cur->name, name_len ) == 0 )
{
return( mbedtls_ssl_set_own_cert( ssl, cur->cert, cur->key ) );
return( mbedtls_ssl_set_hs_own_cert( ssl, cur->cert, cur->key ) );
}
cur = cur->next;