Add possibility to use ca_callbacks in ssl programs

This commit is contained in:
Jarno Lamsa 2019-03-27 17:55:27 +02:00 committed by Hanno Becker
parent 557426ad77
commit 1b4a2bad7a
2 changed files with 89 additions and 3 deletions

View file

@ -122,6 +122,8 @@ int main( void )
#define DFL_FALLBACK -1 #define DFL_FALLBACK -1
#define DFL_EXTENDED_MS -1 #define DFL_EXTENDED_MS -1
#define DFL_ETM -1 #define DFL_ETM -1
#define DFL_CA_CALLBACK 0
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
#define GET_REQUEST_END "\r\n\r\n" #define GET_REQUEST_END "\r\n\r\n"
@ -169,6 +171,13 @@ int main( void )
#else #else
#define USAGE_PSK_SLOT "" #define USAGE_PSK_SLOT ""
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
#define USAGE_CA_CALLBACK \
" ca_callback=%%d default: 0 (disabled)\n" \
" Enable this to use the trusted certificate callback function\n"
#else
#define USAGE_CA_CALLBACK ""
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
#else #else
#define USAGE_PSK "" #define USAGE_PSK ""
@ -312,6 +321,7 @@ int main( void )
" options: none, optional, required\n" \ " options: none, optional, required\n" \
USAGE_IO \ USAGE_IO \
USAGE_KEY_OPAQUE \ USAGE_KEY_OPAQUE \
USAGE_CA_CALLBACK \
"\n" \ "\n" \
USAGE_PSK \ USAGE_PSK \
USAGE_ECJPAKE \ USAGE_ECJPAKE \
@ -385,6 +395,9 @@ struct options
int key_opaque; /* handle private key as if it were opaque */ int key_opaque; /* handle private key as if it were opaque */
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
int psk_opaque; int psk_opaque;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int use_ca_callback /* Use a callback for a trusted certificate list */
#endif #endif
const char *psk; /* the pre-shared key */ const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */ const char *psk_identity; /* the pre-shared key identity */
@ -439,6 +452,25 @@ static void my_debug( void *ctx, int level,
fflush( (FILE *) ctx ); fflush( (FILE *) ctx );
} }
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback( void *data, mbedtls_x509_crt *child, mbedtls_x509_crt **candidates)
{
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
mbedtls_x509_crt *first = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
TEST_ASSERT( first != NULL);
TEST_ASSERT( mbedtls_x509_crt_init( first ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) == 0);
while( ca->next != NULL )
{
ca = ca->next;
TEST_ASSERT( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) == 0);
}
*candidates = first;
return 0;
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
/* /*
* Test recv/send functions that make sure each try returns * Test recv/send functions that make sure each try returns
* WANT_READ/WANT_WRITE at least once before sucesseding * WANT_READ/WANT_WRITE at least once before sucesseding
@ -697,6 +729,9 @@ int main( int argc, char *argv[] )
opt.psk = DFL_PSK; opt.psk = DFL_PSK;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_opaque = DFL_PSK_OPAQUE;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt.ca_callback = DFL_CA_CALLBACK;
#endif #endif
opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_identity = DFL_PSK_IDENTITY;
opt.ecjpake_pw = DFL_ECJPAKE_PW; opt.ecjpake_pw = DFL_ECJPAKE_PW;
@ -805,6 +840,10 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
else if( strcmp( p, "psk_opaque" ) == 0 ) else if( strcmp( p, "psk_opaque" ) == 0 )
opt.psk_opaque = atoi( q ); opt.psk_opaque = atoi( q );
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if( strcmp( p, "ca_callback" ) == 0)
opt.ca_callback = atoi( q );
#endif #endif
else if( strcmp( p, "psk_identity" ) == 0 ) else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q; opt.psk_identity = q;
@ -1600,7 +1639,12 @@ int main( int argc, char *argv[] )
if( strcmp( opt.ca_path, "none" ) != 0 && if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 ) strcmp( opt.ca_file, "none" ) != 0 )
{ {
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if( opt.ca_callback != 0 )
mbedtls_ssl_conf_ca_cb( &conf, ca_callback, &cacert);
else
#endif
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
} }
if( strcmp( opt.crt_file, "none" ) != 0 && if( strcmp( opt.crt_file, "none" ) != 0 &&
strcmp( opt.key_file, "none" ) != 0 ) strcmp( opt.key_file, "none" ) != 0 )

View file

@ -166,6 +166,7 @@ int main( void )
#define DFL_DGRAM_PACKING 1 #define DFL_DGRAM_PACKING 1
#define DFL_EXTENDED_MS -1 #define DFL_EXTENDED_MS -1
#define DFL_ETM -1 #define DFL_ETM -1
#define DFL_CA_CALLBACK 0
#define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
"02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \ "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
@ -264,7 +265,13 @@ int main( void )
#else #else
#define USAGE_PSK "" #define USAGE_PSK ""
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
#define USAGE_CA_CALLBACK \
" ca_callback=%%d default: 0 (disabled)\n" \
" Enable this to use the trusted certificate callback function\n"
#else
#define USAGE_CA_CALLBACK ""
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
#define USAGE_TICKETS \ #define USAGE_TICKETS \
" tickets=%%d default: 1 (enabled)\n" \ " tickets=%%d default: 1 (enabled)\n" \
@ -420,6 +427,7 @@ int main( void )
USAGE_SNI \ USAGE_SNI \
"\n" \ "\n" \
USAGE_PSK \ USAGE_PSK \
USAGE_CA_CALLBACK \
USAGE_ECJPAKE \ USAGE_ECJPAKE \
"\n" \ "\n" \
" allow_legacy=%%d default: (library default: no)\n" \ " allow_legacy=%%d default: (library default: no)\n" \
@ -506,6 +514,9 @@ struct options
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
int psk_opaque; int psk_opaque;
int psk_list_opaque; int psk_list_opaque;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int use_ca_callback /* Use a callback for a trusted certificate list */
#endif #endif
const char *psk; /* the pre-shared key */ const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */ const char *psk_identity; /* the pre-shared key identity */
@ -564,6 +575,25 @@ static void my_debug( void *ctx, int level,
fflush( (FILE *) ctx ); fflush( (FILE *) ctx );
} }
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback( void *data, mbedtls_x509_crt *child, mbedtls_x509_crt **candidates)
{
mbedtls_x509_crt *ca = (mbedtls_x509_crt *) data;
mbedtls_x509_crt *first = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
TEST_ASSERT( first != NULL);
TEST_ASSERT( mbedtls_x509_crt_init( first ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) == 0);
while( ca->next != NULL )
{
ca = ca->next;
TEST_ASSERT( mbedtls_x509_crt_parse_der( first, ca->raw.p, ca->raw.len ) == 0);
}
*candidates = first;
return 0;
}
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
/* /*
* Test recv/send functions that make sure each try returns * Test recv/send functions that make sure each try returns
* WANT_READ/WANT_WRITE at least once before sucesseding * WANT_READ/WANT_WRITE at least once before sucesseding
@ -1457,6 +1487,9 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_opaque = DFL_PSK_OPAQUE;
opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt.ca_callback = DFL_CA_CALLBACK;
#endif #endif
opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST; opt.psk_list = DFL_PSK_LIST;
@ -1591,6 +1624,10 @@ int main( int argc, char *argv[] )
opt.psk_opaque = atoi( q ); opt.psk_opaque = atoi( q );
else if( strcmp( p, "psk_list_opaque" ) == 0 ) else if( strcmp( p, "psk_list_opaque" ) == 0 )
opt.psk_list_opaque = atoi( q ); opt.psk_list_opaque = atoi( q );
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if( strcmp( p, "ca_callback" ) == 0)
opt.ca_callback = atoi( q );
#endif #endif
else if( strcmp( p, "psk_identity" ) == 0 ) else if( strcmp( p, "psk_identity" ) == 0 )
opt.psk_identity = q; opt.psk_identity = q;
@ -2570,7 +2607,12 @@ int main( int argc, char *argv[] )
if( strcmp( opt.ca_path, "none" ) != 0 && if( strcmp( opt.ca_path, "none" ) != 0 &&
strcmp( opt.ca_file, "none" ) != 0 ) strcmp( opt.ca_file, "none" ) != 0 )
{ {
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
if( opt.ca_callback != 0 )
mbedtls_ssl_conf_ca_cb( &conf, ca_callback, &cacert);
else
#endif
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
} }
if( key_cert_init ) if( key_cert_init )
{ {