diff --git a/configs/baremetal.h b/configs/baremetal.h index 8bed9a8ae..bdd86bfe1 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -117,6 +117,7 @@ #define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID #define MBEDTLS_X509_ON_DEMAND_PARSING #define MBEDTLS_X509_ALWAYS_FLUSH +#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 83405245e..040dcd6e9 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2028,6 +2028,17 @@ */ //#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +/** + * \def MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + * + * Remove support for X.509 certificate verification callbacks. + * + * Uncomment to save some bytes of code by removing support for X.509 + * certificate verification callbacks in mbedtls_x509_crt_verify() and + * related verification API. + */ +//#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 710c286ca..8008b516b 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1041,7 +1041,8 @@ struct mbedtls_ssl_config void *p_sni; /*!< context for SNI callback */ #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) /** Callback to customize X.509 certificate chain verification */ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); void *p_vrfy; /*!< context for X.509 verify calllback */ @@ -1596,7 +1597,8 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); */ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) /** * \brief Set the verification callback (Optional). * @@ -1611,7 +1613,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if !defined(MBEDTLS_SSL_CONF_RNG) /** diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 182ab15b0..662ec68a1 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -214,6 +214,8 @@ typedef struct mbedtls_x509write_cert mbedtls_x509write_cert; #endif /* MBEDTLS_X509_CRT_WRITE_C */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + /** * Item in a verification chain: cert and flags for it */ @@ -236,6 +238,16 @@ typedef struct unsigned len; } mbedtls_x509_crt_verify_chain; +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + +typedef struct +{ + unsigned len; + uint32_t flags; +} mbedtls_x509_crt_verify_chain; + +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) /** @@ -249,6 +261,9 @@ typedef struct /* for find_parent_in() */ mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */ + /* current child CRT */ + mbedtls_x509_crt *cur_crt; + #if defined(MBEDTLS_HAVE_TIME_DATE) mbedtls_x509_crt *fallback_parent; int fallback_signature_is_good; @@ -502,14 +517,17 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, * verification process. */ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, - mbedtls_x509_crt *trust_ca, - mbedtls_x509_crl *ca_crl, + mbedtls_x509_crt *trust_ca, + mbedtls_x509_crl *ca_crl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) - const char *cn, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ); + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || DOXYGEN_ONLY */ + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK || DOXYGEN_ONLY */ + ); /** * \brief Verify the certificate signature according to profile @@ -544,10 +562,13 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, const mbedtls_x509_crt_profile *profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ); +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || DOXYGEN_ONLY */ + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK || DOXYGEN_ONLY */ + ); /** * \brief Restartable version of \c mbedtls_crt_verify_with_profile() @@ -577,10 +598,12 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const mbedtls_x509_crt_profile *profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || DOXYGEN_ONLY */ uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK || DOXYGEN_ONLY */ mbedtls_x509_crt_restart_ctx *rs_ctx ); #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5a869b72a..56e068906 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7190,7 +7190,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, ssl->hostname, #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &ssl->session_negotiate->verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ssl->conf->f_vrfy, ssl->conf->p_vrfy, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + rs_ctx ); if( verify_ret != 0 ) { @@ -8534,7 +8537,8 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) #endif /* MBEDTLS_SSL_CONF_AUTHMODE */ } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) @@ -8542,7 +8546,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, conf->f_vrfy = f_vrfy; conf->p_vrfy = p_vrfy; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if !defined(MBEDTLS_SSL_CONF_RNG) void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, diff --git a/library/version_features.c b/library/version_features.c index 961148bbb..4f5bf137a 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -579,6 +579,9 @@ static const char *features[] = { #if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION", #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ +#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) "MBEDTLS_X509_RSASSA_PSS_SUPPORT", #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ diff --git a/library/x509.c b/library/x509.c index 19cc64b79..beb263327 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1252,9 +1252,14 @@ int mbedtls_x509_self_test( int verbose ) ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) - NULL, + NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, NULL, NULL ); + &flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , NULL, NULL +#endif + ); + if( ret != 0 ) { if( verbose != 0 ) diff --git a/library/x509_crt.c b/library/x509_crt.c index 0089ef2a3..0676e6481 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -669,23 +669,6 @@ static int x509_check_wildcard( char const *cn, } #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ -/* - * Reset (init or clear) a verify_chain - */ -static void x509_crt_verify_chain_reset( - mbedtls_x509_crt_verify_chain *ver_chain ) -{ - size_t i; - - for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ ) - { - ver_chain->items[i].crt = NULL; - ver_chain->items[i].flags = (uint32_t) -1; - } - - ver_chain->len = 0; -} - /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } */ @@ -3202,6 +3185,140 @@ static int x509_crt_check_ee_locally_trusted( return( -1 ); } +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + +/* + * Reset (init or clear) a verify_chain + */ +static void x509_crt_verify_chain_reset( + mbedtls_x509_crt_verify_chain *ver_chain ) +{ + size_t i; + + for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ ) + { + ver_chain->items[i].crt = NULL; + ver_chain->items[i].flags = (uint32_t) -1; + } + + ver_chain->len = 0; +} + +/* + * Merge the flags for all certs in the chain, after calling callback + */ +static int x509_crt_verify_chain_get_flags( + const mbedtls_x509_crt_verify_chain *ver_chain, + uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy ) +{ + int ret; + unsigned i; + uint32_t cur_flags; + const mbedtls_x509_crt_verify_chain_item *cur; + + for( i = ver_chain->len; i != 0; --i ) + { + cur = &ver_chain->items[i-1]; + cur_flags = cur->flags; + + if( NULL != f_vrfy ) + if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 ) + return( ret ); + + *flags |= cur_flags; + } + + return( 0 ); +} + +static void x509_crt_verify_chain_add_ee_flags( + mbedtls_x509_crt_verify_chain *chain, + uint32_t ee_flags ) +{ + chain->items[0].flags |= ee_flags; +} + +static void x509_crt_verify_chain_add_crt( + mbedtls_x509_crt_verify_chain *chain, + mbedtls_x509_crt *crt ) +{ + mbedtls_x509_crt_verify_chain_item *cur; + cur = &chain->items[chain->len]; + cur->crt = crt; + cur->flags = 0; + chain->len++; +} + +static uint32_t* x509_crt_verify_chain_get_cur_flags( + mbedtls_x509_crt_verify_chain *chain ) +{ + return( &chain->items[chain->len - 1].flags ); +} + +static unsigned x509_crt_verify_chain_len( + mbedtls_x509_crt_verify_chain const *chain ) +{ + return( chain->len ); +} + +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + +/* + * Reset (init or clear) a verify_chain + */ +static void x509_crt_verify_chain_reset( + mbedtls_x509_crt_verify_chain *ver_chain ) +{ + ver_chain->len = 0; + ver_chain->flags = 0; +} + +/* + * Merge the flags for all certs in the chain, after calling callback + */ +static int x509_crt_verify_chain_get_flags( + const mbedtls_x509_crt_verify_chain *ver_chain, + uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy ) +{ + ((void) f_vrfy); + ((void) p_vrfy); + *flags = ver_chain->flags; + return( 0 ); +} + +static void x509_crt_verify_chain_add_ee_flags( + mbedtls_x509_crt_verify_chain *chain, + uint32_t ee_flags ) +{ + chain->flags |= ee_flags; +} + +static void x509_crt_verify_chain_add_crt( + mbedtls_x509_crt_verify_chain *chain, + mbedtls_x509_crt *crt ) +{ + ((void) crt); + chain->len++; +} + +static uint32_t* x509_crt_verify_chain_get_cur_flags( + mbedtls_x509_crt_verify_chain *chain ) +{ + return( &chain->flags ); +} + +static unsigned x509_crt_verify_chain_len( + mbedtls_x509_crt_verify_chain const *chain ) +{ + return( chain->len ); +} + +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + /* * Build and verify a certificate chain * @@ -3254,7 +3371,6 @@ static int x509_crt_verify_chain( * catch potential issues with jumping ahead when restarting */ int ret; uint32_t *flags; - mbedtls_x509_crt_verify_chain_item *cur; mbedtls_x509_crt *child_crt; mbedtls_x509_crt *parent_crt; int parent_is_trusted; @@ -3269,10 +3385,7 @@ static int x509_crt_verify_chain( /* restore saved state */ *ver_chain = rs_ctx->ver_chain; /* struct copy */ self_cnt = rs_ctx->self_cnt; - - /* restore derived state */ - cur = &ver_chain->items[ver_chain->len - 1]; - child_crt = cur->crt; + child_crt = rs_ctx->cur_crt; child_is_trusted = 0; goto find_parent; @@ -3291,16 +3404,13 @@ static int x509_crt_verify_chain( int self_issued; /* Add certificate to the verification chain */ - cur = &ver_chain->items[ver_chain->len]; - cur->crt = child_crt; - cur->flags = 0; - ver_chain->len++; + x509_crt_verify_chain_add_crt( ver_chain, child_crt ); #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) find_parent: #endif - flags = &cur->flags; + flags = x509_crt_verify_chain_get_cur_flags( ver_chain ); { mbedtls_x509_crt_sig_info child_sig; @@ -3342,7 +3452,7 @@ find_parent: *flags |= MBEDTLS_X509_BADCERT_BAD_PK; /* Special case: EE certs that are locally trusted */ - if( ver_chain->len == 1 && self_issued && + if( x509_crt_verify_chain_len( ver_chain ) == 1 && self_issued && x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 ) { mbedtls_x509_crt_frame_release( child_crt ); @@ -3364,7 +3474,8 @@ find_parent: ret = x509_crt_find_parent( &child_sig, child_crt->next, trust_ca, &parent_crt, &parent_is_trusted, &signature_is_good, - ver_chain->len - 1, self_cnt, rs_ctx ); + x509_crt_verify_chain_len( ver_chain ) - 1, + self_cnt, rs_ctx ); x509_crt_free_sig_info( &child_sig ); } @@ -3376,6 +3487,7 @@ find_parent: rs_ctx->in_progress = x509_crt_rs_find_parent; rs_ctx->self_cnt = self_cnt; rs_ctx->ver_chain = *ver_chain; /* struct copy */ + rs_ctx->cur_crt = child_crt; return( ret ); } #else @@ -3392,13 +3504,14 @@ find_parent: /* Count intermediate self-issued (not necessarily self-signed) certs. * These can occur with some strategies for key rollover, see [SIRO], * and should be excluded from max_pathlen checks. */ - if( ver_chain->len != 1 && self_issued ) + if( x509_crt_verify_chain_len( ver_chain ) != 1 && self_issued ) self_cnt++; /* path_cnt is 0 for the first intermediate CA, * and if parent is trusted it's not an intermediate CA */ if( ! parent_is_trusted && - ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA ) + x509_crt_verify_chain_len( ver_chain ) > + MBEDTLS_X509_MAX_INTERMEDIATE_CA ) { /* return immediately to avoid overflow the chain array */ return( MBEDTLS_ERR_X509_FATAL_ERROR ); @@ -3552,35 +3665,6 @@ static int x509_crt_verify_name( const mbedtls_x509_crt *crt, } #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ -/* - * Merge the flags for all certs in the chain, after calling callback - */ -static int x509_crt_merge_flags_with_cb( - uint32_t *flags, - const mbedtls_x509_crt_verify_chain *ver_chain, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) -{ - int ret; - unsigned i; - uint32_t cur_flags; - const mbedtls_x509_crt_verify_chain_item *cur; - - for( i = ver_chain->len; i != 0; --i ) - { - cur = &ver_chain->items[i-1]; - cur_flags = cur->flags; - - if( NULL != f_vrfy ) - if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 ) - return( ret ); - - *flags |= cur_flags; - } - - return( 0 ); -} - /* * Verify the certificate validity (default profile, not restartable) */ @@ -3590,9 +3674,12 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) + , void *p_vrfy +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, &mbedtls_x509_crt_profile_default, @@ -3600,7 +3687,10 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ flags, - f_vrfy, p_vrfy, NULL ) ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + f_vrfy, p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + NULL ) ); } /* @@ -3613,16 +3703,23 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) + , void *p_vrfy +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - flags, f_vrfy, p_vrfy, NULL ) ); + flags, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + f_vrfy, p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + NULL ) ); } /* @@ -3643,8 +3740,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ mbedtls_x509_crt_restart_ctx *rs_ctx ) { int ret; @@ -3699,10 +3798,14 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, goto exit; /* Merge end-entity flags */ - ver_chain.items[0].flags |= ee_flags; + x509_crt_verify_chain_add_ee_flags( &ver_chain, ee_flags ); /* Build final flags, calling callback on the way if any */ - ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ret = x509_crt_verify_chain_get_flags( &ver_chain, flags, f_vrfy, p_vrfy ); +#else + ret = x509_crt_verify_chain_get_flags( &ver_chain, flags, NULL, NULL ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ exit: #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index 627934fc3..c2de82a73 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1586,6 +1586,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ +#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + if( strcmp( "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_VERIFY_CALLBACK ); + return( 0 ); + } +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 5c13f8a26..1a07c9dea 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -666,6 +666,8 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) !MBEDTLS_SSL_CONF_RECV_TIMEOUT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) + +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) static unsigned char peer_crt_info[1024]; /* @@ -706,6 +708,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, return( 0 ); } +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1907,8 +1910,10 @@ int main( int argc, char *argv[] ) #endif } +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ @@ -2329,10 +2334,11 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " ok\n" ); -#if !defined(MBEDTLS_X509_REMOVE_INFO) +#if !defined(MBEDTLS_X509_REMOVE_INFO) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_printf( "%s\n", peer_crt_info ); -#endif /* !MBEDTLS_X509_REMOVE_INFO */ +#endif /* !MBEDTLS_X509_REMOVE_INFO && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2661,9 +2667,10 @@ send_request: mbedtls_printf( " . Restarting connection from same port..." ); fflush( stdout ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -2838,9 +2845,10 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 74efea388..b82f83f8f 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -129,6 +129,7 @@ static void my_debug( void *ctx, int level, } #endif /* MBEDTLS_DEBUG_C */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags ) { char buf[1024]; @@ -148,6 +149,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *fl return( 0 ); } +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if defined(MBEDTLS_SSL_CONF_RNG) int rng_wrap( void *ctx, unsigned char *dst, size_t len ); @@ -363,11 +365,21 @@ int main( int argc, char *argv[] ) { mbedtls_printf( " . Verifying X.509 certificate..." ); - if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, my_verify, NULL ) ) != 0 ) + &flags, + my_verify, NULL ); +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + if( ret != 0 ) { char vrfy_buf[512]; @@ -436,7 +448,10 @@ int main( int argc, char *argv[] ) { mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); +#endif } else mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); diff --git a/scripts/config.pl b/scripts/config.pl index e18df926e..287f1f18b 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -44,6 +44,7 @@ # MBEDTLS_X509_CRT_REMOVE_TIME # MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID # MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +# MBEDTLS_X509_REMOVE_VERIFY_CALLBACK # MBEDTLS_ZLIB_SUPPORT # MBEDTLS_PKCS11_C # and any symbol beginning _ALT @@ -112,6 +113,7 @@ MBEDTLS_X509_REMOVE_INFO MBEDTLS_X509_CRT_REMOVE_TIME MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +MBEDTLS_X509_REMOVE_VERIFY_CALLBACK MBEDTLS_ZLIB_SUPPORT MBEDTLS_PKCS11_C MBEDTLS_NO_UDBL_DIVISION diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1e3287c46..ff0019bbf 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1348,6 +1348,21 @@ component_test_no_hostname_verification () { if_build_succeeded tests/ssl-opt.sh } +component_test_no_x509_verify_callback () { + msg "build: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests + scripts/config.pl set MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + make CFLAGS='-Werror -O1' + + msg "test: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s + make test + + msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 1 min + if_build_succeeded tests/ssl-opt.sh +} + component_build_arm_none_eabi_gcc () { msg "build: arm-none-eabi-gcc, make" # ~ 10s scripts/config.pl baremetal diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index da87793ec..b0e4515d7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1188,6 +1188,7 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SHA-1 forbidden by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$P_CLI debug_level=2 allow_sha1=0" \ @@ -1212,6 +1213,7 @@ run_test "SHA-256 allowed by default in server certificate" \ requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV auth_mode=required allow_sha1=0" \ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ @@ -3653,6 +3655,7 @@ run_test "DER format: with 9 trailing random bytes" \ # Tests for auth_mode requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -3664,6 +3667,7 @@ run_test "Authentication: server badcert, client required" \ -c "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -3675,6 +3679,7 @@ run_test "Authentication: server badcert, client optional" \ -C "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server goodcert, client optional, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ @@ -3687,6 +3692,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \ -C "SSL - No CA Chain is set, but required to operate" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ @@ -3783,6 +3789,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \ -s "No client certification received from the client, but required by the authentication mode" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client badcert, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -3805,6 +3812,7 @@ run_test "Authentication: client badcert, server required" \ # before reading the alert message. requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -3823,6 +3831,7 @@ run_test "Authentication: client cert not trusted, server required" \ -s "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -3858,6 +3867,7 @@ run_test "Authentication: client badcert, server none" \ -S "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -3876,6 +3886,7 @@ run_test "Authentication: client no cert, server optional" \ -S "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: openssl client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \ "$O_CLI" \ @@ -3908,6 +3919,7 @@ run_test "Authentication: client no cert, openssl server required" \ requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client no cert, ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \ @@ -4026,6 +4038,7 @@ run_test "Authentication: do not send CA list in CertificateRequest" \ -S "requested DN" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: send CA list in CertificateRequest, client self signed" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -4041,6 +4054,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig # Tests for certificate selection based on SHA verson requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4052,6 +4066,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4063,6 +4078,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ -c "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4074,6 +4090,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ -c "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4086,6 +4103,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ "$P_SRV crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ @@ -4100,6 +4118,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ # tests for SNI requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -4111,6 +4130,7 @@ run_test "SNI: no SNI callback" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4123,6 +4143,7 @@ run_test "SNI: matching cert 1" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4189,6 +4210,7 @@ run_test "SNI: client auth override: optional -> none" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA no override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4209,6 +4231,7 @@ run_test "SNI: CA no override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4229,6 +4252,7 @@ run_test "SNI: CA override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4250,6 +4274,7 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -4261,6 +4286,7 @@ run_test "SNI: DTLS, no SNI callback" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4273,6 +4299,7 @@ run_test "SNI: DTLS, matching cert 1" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4339,6 +4366,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4378,6 +4406,7 @@ run_test "SNI: DTLS, CA override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ @@ -4816,6 +4845,7 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ -C "Ciphersuite is TLS-" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ke.crt" \ @@ -4848,6 +4878,7 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \ -C "Ciphersuite is TLS-" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds.crt" \ @@ -6404,16 +6435,14 @@ run_test "EC restart: TLS, max_ops=1000, badsign" \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ - debug_level=1 ec_max_ops=1000" \ - 1 \ + key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ + debug_level=1 ec_max_ops=1000 auth_mode=optional" \ + 0 \ -c "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" \ + -c "mbedtls_pk_verify.*4b00" \ + -c "mbedtls_ecdh_make_public.*4b00" \ + -c "mbedtls_pk_sign.*4b00" \ -c "! The certificate is not correctly signed by the trusted CA" \ - -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE @@ -6435,6 +6464,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ @@ -6535,6 +6565,7 @@ run_test "SSL async private: sign, RSA, TLS 1.1" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SSL async private: sign, SNI" \ "$P_SRV debug_level=3 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \ @@ -6998,6 +7029,7 @@ run_test "DTLS client auth: required" \ -s "Verifying peer X.509 certificate... ok" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "DTLS client auth: optional, client has no cert" \ "$P_SRV dtls=1 auth_mode=optional" \ "$P_CLI dtls=1 crt_file=none key_file=none" \ @@ -7005,6 +7037,7 @@ run_test "DTLS client auth: optional, client has no cert" \ -s "! Certificate was missing" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "DTLS client auth: none, client has no cert" \ "$P_SRV dtls=1 auth_mode=none" \ "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \ diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 454244089..abf2ab353 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -560,11 +560,11 @@ depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBE x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #19 (Valid Cert, denying callback) -depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none" X509 CRT verification #19 (Not trusted Cert, allowing callback) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all" X509 CRT verification #21 (domain matching wildcard certificate, case insensitive) @@ -920,7 +920,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MB x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #92 (bad name, allowing callback) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 96ad7d932..130d90fa8 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -334,7 +334,10 @@ void x509_verify_restart( char *crt_file, char *ca_file, NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, - NULL, NULL, &rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + NULL, NULL, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + &rs_ctx ); } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); TEST_ASSERT( ret == result ); @@ -355,7 +358,10 @@ void x509_verify_restart( char *crt_file, char *ca_file, NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, - NULL, NULL, &rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + NULL, NULL, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + &rs_ctx ); TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); exit: @@ -376,7 +382,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, mbedtls_x509_crl crl; uint32_t flags = 0; int res; +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; +#endif const mbedtls_x509_crt_profile *profile; #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) char * cn_name = NULL; @@ -406,6 +414,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, else TEST_ASSERT( "Unknown algorithm profile" == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) if( strcmp( verify_callback, "NULL" ) == 0 ) f_vrfy = NULL; else if( strcmp( verify_callback, "verify_none" ) == 0 ) @@ -414,16 +423,28 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, f_vrfy = verify_all; else TEST_ASSERT( "No known verify callback selected" == 0 ); +#else + if( strcmp( verify_callback, "NULL" ) != 0 ) + TEST_ASSERT( "Verify callbacks disabled" == 0 ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) cn_name, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, f_vrfy, NULL ); +#else + res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + cn_name, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif TEST_ASSERT( res == ( result ) ); if( flags != (uint32_t) flags_result ) @@ -441,7 +462,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ void x509_verify_callback( char *crt_file, char *ca_file, char *name, int exp_ret, char *exp_vrfy_out ) { @@ -827,11 +848,21 @@ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int, TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); /* Try to verify that chain */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, NULL, NULL ); + &flags, + NULL, NULL ); +#else + ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + TEST_ASSERT( ret == ret_chk ); TEST_ASSERT( flags == (uint32_t) flags_chk ); @@ -841,7 +872,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, int flags_result, int result, char *profile_name, int vrfy_fatal_lvls )