From 6ee1e20d7fb1fb1c29c50b2b7f51f6e113a37133 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Wed, 12 Oct 2022 10:17:25 -0400 Subject: [PATCH] Replace x509_CRT_PARSE_C with KEY_EXCHANGE_WITH_CERT_ENABLED SSL programs use certificates in an exchange, so it's more natural to have such dependency instead of just certificate parsing. Signed-off-by: Andrzej Kurek --- programs/ssl/ssl_client2.c | 60 ++++++++++++++++---------------------- programs/ssl/ssl_server2.c | 45 ++++++++++++---------------- 2 files changed, 43 insertions(+), 62 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index caf9ac5cf..87c13c02a 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -120,7 +120,7 @@ int main( void ) #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST_END "\r\n\r\n" -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_CONTEXT_CRT_CB \ " context_crt_cb=%%d This determines whether the CRT verification callback is bound\n" \ " to the SSL configuration of the SSL context.\n" \ @@ -129,8 +129,8 @@ int main( void ) " - 1: Use CRT callback bound to SSL context\n" #else #define USAGE_CONTEXT_CRT_CB "" -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_FS_IO) #define USAGE_IO \ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \ @@ -148,10 +148,10 @@ int main( void ) #define USAGE_IO \ " No file operations available (MBEDTLS_FS_IO not defined)\n" #endif /* MBEDTLS_FS_IO */ -#else /* MBEDTLS_X509_CRT_PARSE_C */ +#else /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #define USAGE_IO "" -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -768,9 +768,6 @@ int main( int argc, char *argv[] ) psa_status_t status; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#endif rng_context_t rng; mbedtls_ssl_context ssl; mbedtls_ssl_config conf; @@ -780,17 +777,16 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_TIMING_C) mbedtls_timing_delay_context timer; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint32_t flags; -#endif mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; mbedtls_pk_context pkey; + mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ #endif -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ char *p, *q; const int *list; #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) @@ -831,7 +827,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_config_init( &conf ); memset( &saved_session, 0, sizeof( mbedtls_ssl_session ) ); rng_init( &rng ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crt_init( &clicert ); mbedtls_pk_init( &pkey ); @@ -1031,7 +1027,7 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); #endif @@ -1709,7 +1705,7 @@ int main( int argc, char *argv[] ) goto exit; mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 1.1. Load the trusted CA */ @@ -1831,7 +1827,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok (key type: %s)\n", strlen( opt.key_file ) || strlen( opt.key_opaque_alg1 ) ? mbedtls_pk_get_name( &pkey ) : "none" ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ /* * 2. Setup stuff @@ -1849,7 +1845,6 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* The default algorithms profile disables SHA-1, but our tests still rely on it heavily. */ @@ -1864,7 +1859,6 @@ int main( int argc, char *argv[] ) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if( opt.cid_enabled == 1 || opt.cid_enabled_renego == 1 ) @@ -2001,7 +1995,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_renegotiation( &conf, opt.renegotiation ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { @@ -2022,7 +2016,7 @@ int main( int argc, char *argv[] ) goto exit; } } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_ECP_C) if( opt.curves != NULL && @@ -2110,7 +2104,7 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", @@ -2133,11 +2127,10 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( opt.context_crt_cb == 1 ) mbedtls_ssl_set_verify( &ssl, my_verify, NULL ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ io_ctx.ssl = &ssl; io_ctx.net = &server_fd; @@ -2458,8 +2451,7 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 5. Verify the server certificate */ @@ -2482,7 +2474,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_printf( "%s\n", peer_crt_info ); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) ret = report_cid_usage( &ssl, "initial handshake" ); @@ -2857,10 +2849,9 @@ send_request: mbedtls_printf( " . Restarting connection from same port..." ); fflush( stdout ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -3094,10 +3085,9 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -3201,14 +3191,14 @@ exit: mbedtls_free( context_buf ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_free( &clicert ); mbedtls_x509_crt_free( &cacert ); mbedtls_pk_free( &pkey ); #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key( key_slot ); #endif -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 0554d2cb1..c39871a6d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -175,7 +175,7 @@ int main( void ) */ #define DFL_IO_BUF_LEN 200 -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_FS_IO) #define USAGE_IO \ " ca_file=%%s The single file containing the top-level CA(s) you fully trust\n" \ @@ -206,8 +206,8 @@ int main( void ) #endif /* MBEDTLS_FS_IO */ #else #define USAGE_IO "" -#endif /* MBEDTLS_X509_CRT_PARSE_C */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -1444,10 +1444,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cookie_ctx cookie_ctx; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ - defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#endif mbedtls_ssl_context ssl; mbedtls_ssl_config conf; #if defined(MBEDTLS_TIMING_C) @@ -1456,13 +1452,14 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_RENEGOTIATION) unsigned char renego_period[8] = { 0 }; #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint32_t flags; mbedtls_x509_crt cacert; mbedtls_x509_crt srvcert; mbedtls_pk_context pkey; mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; + mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; #if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ @@ -1471,7 +1468,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) ssl_async_key_context_t ssl_async_keys; #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) mbedtls_dhm_context dhm; #endif @@ -1553,7 +1550,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); rng_init( &rng ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_init( &cacert ); mbedtls_x509_crt_init( &srvcert ); mbedtls_pk_init( &pkey ); @@ -1782,7 +1779,7 @@ int main( int argc, char *argv[] ) opt.key_file = q; else if( strcmp( p, "key_pwd" ) == 0 ) opt.key_pwd = q; -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) else if( strcmp( p, "key_opaque" ) == 0 ) opt.key_opaque = atoi( q ); #endif @@ -2586,7 +2583,7 @@ int main( int argc, char *argv[] ) goto exit; mbedtls_printf( " ok\n" ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 1.1. Load the trusted CA */ @@ -2794,7 +2791,7 @@ int main( int argc, char *argv[] ) mbedtls_printf( " ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name( &pkey ) : "none", key_cert_init2 ? mbedtls_pk_get_name( &pkey2 ) : "none" ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO) if( opt.dhm_file != NULL ) @@ -2844,7 +2841,6 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* The default algorithms profile disables SHA-1, but our tests still rely on it heavily. Hence we allow it here. A real-world server @@ -2856,7 +2852,6 @@ int main( int argc, char *argv[] ) mbedtls_ssl_conf_sig_algs( &conf, ssl_sig_algs_for_test ); } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ if( opt.auth_mode != DFL_AUTH_MODE ) mbedtls_ssl_conf_authmode( &conf, opt.auth_mode ); @@ -2864,15 +2859,13 @@ int main( int argc, char *argv[] ) if( opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST ) mbedtls_ssl_conf_cert_req_ca_list( &conf, opt.cert_req_ca_list ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) -#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* exercise setting DN hints for server certificate request * (Intended for use where the client cert expected has been signed by * a specific CA which is an intermediate in a CA chain, not the root) */ if( opt.cert_req_dn_hint == 2 && key_cert_init2 ) mbedtls_ssl_conf_dn_hints( &conf, &srvcert2 ); #endif -#endif #if defined(MBEDTLS_SSL_PROTO_DTLS) if( opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX ) @@ -3109,7 +3102,7 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { @@ -3198,7 +3191,7 @@ int main( int argc, char *argv[] ) &ssl_async_keys ); } #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(SNI_OPTION) if( opt.sni != NULL ) @@ -3492,9 +3485,8 @@ reset: } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) -#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* exercise setting DN hints for server certificate request * (Intended for use where the client cert expected has been signed by * a specific CA which is an intermediate in a CA chain, not the root) @@ -3503,7 +3495,6 @@ reset: if( opt.cert_req_dn_hint == 3 && key_cert_init2 ) mbedtls_ssl_set_hs_dn_hints( &ssl, &srvcert2 ); #endif -#endif #endif mbedtls_printf( " ok\n" ); @@ -3552,7 +3543,7 @@ handshake: { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; @@ -3607,7 +3598,7 @@ handshake: } #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * 5. Verify the client certificate */ @@ -3636,7 +3627,7 @@ handshake: mbedtls_printf( "%s\n", crt_buf ); } #endif /* MBEDTLS_X509_REMOVE_INFO */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ if( opt.eap_tls != 0 ) { @@ -4330,7 +4321,7 @@ exit: mbedtls_printf( "Failed to list of opaque PSKs - error was %d\n", ret ); #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_x509_crt_free( &cacert ); mbedtls_x509_crt_free( &srvcert ); mbedtls_pk_free( &pkey );