Set authmode to optional, if not set

Set authmode to `MBEDTLS_SSL_VERIFY_REQUIRED` when using DTLS-SRTP,
in case authmode was not set. This is to support self-signed certificates
received by the server, which is the case with WebRTC. Certificate fingerprints
are verified outside the DTLS stack, as defined in RFC 5763.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
This commit is contained in:
Ron Eldor 2018-07-04 18:45:27 +03:00 committed by Johan Pascal
parent 12c6eaddd5
commit 1c399bdffe
2 changed files with 7 additions and 5 deletions


@ -3021,9 +3021,9 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
else
#endif
#if defined(MBEDTLS_SSL_DTLS_SRTP)
/* check if we have a chosen srtp protection profile */
if ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) {
authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
/* check if we have a chosen srtp protection profile, force verify mode to be at least OPTIONAL */
if ( ( ssl->dtls_srtp_info.chosen_dtls_srtp_profile != MBEDTLS_SRTP_UNSET_PROFILE ) && ( ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ) ) {
authmode = MBEDTLS_SSL_VERIFY_OPTIONAL;
}
else
#endif
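Review bot: The new comment on the `if` says what the code does but not why OPTIONAL is acceptable here, and the security consequence belongs at the point where it is decided: with `MBEDTLS_SSL_VERIFY_OPTIONAL` the server asks for a client certificate but the handshake completes even when that certificate fails chain validation, so under DTLS-SRTP the only authentication of the peer is the fingerprint comparison the application performs against the fingerprint received in signalling (RFC 5763). I would extend the comment to `/* DTLS-SRTP (RFC 5763): request a client certificate but do not fail the handshake on verification, since WebRTC peers use self-signed certificates; the application MUST compare the peer certificate fingerprint with the one received in signalling, otherwise the peer is unauthenticated. */`. The bump is applied only when `ssl->conf->authmode` is NONE and only in the `else` arm of a chain that starts before the hunk, so an authmode chosen by that earlier branch (presumably a per-SNI setting) is left untouched; worth confirming that is intended. ssl_write_certificate_request begins before and continues after this hunk.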


@ -2753,6 +2753,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_DTLS_SRTP)
: ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
MBEDTLS_SRTP_UNSET_PROFILE
&& ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE
? MBEDTLS_SSL_VERIFY_REQUIRED
#endif /* MBEDTLS_SSL_DTLS_SRTP */
: ssl->conf->authmode;
@ -2760,8 +2761,9 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
const int authmode =
#if defined(MBEDTLS_SSL_DTLS_SRTP)
ssl->dtls_srtp_info.chosen_dtls_srtp_profile !=
MBEDTLS_SRTP_UNSET_PROFILE ?
MBEDTLS_SSL_VERIFY_REQUIRED :
MBEDTLS_SRTP_UNSET_PROFILE &&
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE ?
MBEDTLS_SSL_VERIFY_REQUIRED :
#endif /* MBEDTLS_SSL_DTLS_SRTP */
ssl->conf->authmode;
#endif
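Review bot: Both hunks in this file select `MBEDTLS_SSL_VERIFY_REQUIRED` when a DTLS-SRTP profile is chosen and the configured authmode is NONE, while the commit title and the ssl_srv.c change select OPTIONAL; in mbedtls_ssl_parse_certificate REQUIRED means a peer certificate that fails chain validation aborts the handshake, which is exactly the self-signed WebRTC certificate the description says must be accepted and then checked by fingerprint. Unless a trust store is configured that such certificates would pass (a self-signed certificate will not), the two new `MBEDTLS_SSL_VERIFY_REQUIRED` lines in this file should read `? MBEDTLS_SSL_VERIFY_OPTIONAL` and `MBEDTLS_SSL_VERIFY_OPTIONAL :` respectively, matching the server-side hunk. OPTIONAL still records the verification failure in the session's verify result, so a caller that wants to reject a peer can do so alongside the fingerprint check; a one-line comment next to the selection stating that fingerprint comparison per RFC 5763 is the caller's responsibility would make the relaxed mode less surprising to future readers. Both hunks sit inside mbedtls_ssl_parse_certificate, which begins before and ends after this section.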