From 8927c833129a8d467a0f8e9192b37ea5c66c98b8 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Wed, 3 Apr 2019 12:52:50 +0100
Subject: [PATCH] Implement context-specific verification callbacks

---
 include/mbedtls/ssl.h | 6 ++++++
 library/ssl_tls.c | 26 +++++++++++++++++++++++++-
 2 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index b8215a404..bbe9a8383 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1090,6 +1090,12 @@ struct mbedtls_ssl_context
     unsigned badmac_seen; /*!< records with a bad MAC received */
 #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+    /** Callback to customize X.509 certificate chain verification */
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy; /*!< context for X.509 verify calllback */
+#endif
+
     mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
     mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
     mbedtls_ssl_recv_timeout_t *f_recv_timeout;
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 660d548e4..8800cc7ec 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6038,6 +6038,9 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
     mbedtls_x509_crt *ca_chain;
     mbedtls_x509_crl *ca_crl;
 
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
+    void *p_vrfy;
+
     if( authmode == MBEDTLS_SSL_VERIFY_NONE )
         return( 0 );
 
@@ -6054,6 +6057,17 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
         ca_crl = ssl->conf->ca_crl;
     }
 
+    if( ssl->f_vrfy != NULL )
+    {
+        f_vrfy = ssl->f_vrfy;
+        p_vrfy = ssl->p_vrfy;
+    }
+    else
+    {
+        f_vrfy = ssl->conf->f_vrfy;
+        p_vrfy = ssl->conf->p_vrfy;
+    }
+
     /*
      * Main check: verify certificate
      */
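Review bot: The new public function `mbedtls_ssl_set_verify()` defined in library/ssl_tls.c gets no prototype in this header — the diffstat shows only these six struct-field lines added to ssl.h — so callers have no declaration to include; a prototype under the same `#if defined(MBEDTLS_X509_CRT_PARSE_C)` guard, with Doxygen in the style of the existing `mbedtls_ssl_conf_verify()`, belongs here (the same point applies to the `@@ -7902` hunk that defines it). The `p_vrfy` doc comment also misspells the word: `void *p_vrfy; /*!< context for X.509 verify callback */`. The `f_vrfy` comment should state how it relates to the configuration-level callback, e.g. `/** Callback to customize X.509 certificate chain verification; when non-NULL it takes precedence over the callback set in the configuration */`, since that is what the selection added to ssl_parse_certificate_verify() does.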
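Review bot: The new selection block chooses the context-level callback solely on `ssl->f_vrfy != NULL`, so a context-level `p_vrfy` set without a matching `f_vrfy` is silently ignored and the configuration's pair is used instead; that precedence rule is not stated anywhere nearby. A short comment above the `if` would make the contract visible: `/* A verify callback set on the context overrides the one from the configuration; f_vrfy and p_vrfy are always taken as a pair. */`. The enclosing ssl_parse_certificate_verify() starts and ends outside this hunk.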
@@ -6063,7 +6077,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
                                   ssl->conf->cert_profile,
                                   ssl->hostname,
                                  &ssl->session_negotiate->verify_result,
-                                  ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
+                                  f_vrfy, p_vrfy, rs_ctx );
 
     if( ret != 0 )
     {
@@ -7902,6 +7916,16 @@ void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
 }
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
 
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
+                             int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
+                             void *p_vrfy )
+{
+    ssl->f_vrfy = f_vrfy;
+    ssl->p_vrfy = p_vrfy;
+}
+#endif
+
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
 /*
  * Set EC J-PAKE password for current handshake
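Review bot: `mbedtls_ssl_set_verify()` is a public, security-relevant entry point whose reset semantics are undocumented: passing `f_vrfy == NULL` makes the handshake fall back to the configuration's callback (per the selection added to ssl_parse_certificate_verify()), and the supplied `p_vrfy` is then ignored. Its documentation should say that, that the callback is per-connection and overrides what `mbedtls_ssl_conf_verify()` set, and whether the setting survives `mbedtls_ssl_session_reset()` — the init/reset code is not in this patch, so that last point needs confirming against it. As a point of style, the callback signature is now spelled out verbatim in the struct, the local declarations and this setter; a named function-pointer type for it would keep the three from drifting apart.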