From 9ec3fe0d4371b3d384b53da199775def7ab3abee Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 1 Jul 2019 17:36:12 +0100 Subject: [PATCH 1/8] Introduce configuration option to remove CRT verification callbacks --- configs/baremetal.h | 1 + include/mbedtls/config.h | 11 ++++++ include/mbedtls/ssl.h | 8 +++-- include/mbedtls/x509_crt.h | 30 ++++++++++------ library/ssl_tls.c | 10 ++++-- library/version_features.c | 3 ++ library/x509.c | 9 +++++ library/x509_crt.c | 35 +++++++++++++----- programs/ssl/query_config.c | 8 +++++ programs/ssl/ssl_client2.c | 20 +++++++---- programs/x509/cert_app.c | 19 ++++++++-- scripts/config.pl | 2 ++ tests/scripts/all.sh | 15 ++++++++ tests/ssl-opt.sh | 36 +++++++++++++++++++ tests/suites/test_suite_x509parse.data | 6 ++-- tests/suites/test_suite_x509parse.function | 41 +++++++++++++++++++--- 16 files changed, 213 insertions(+), 41 deletions(-) diff --git a/configs/baremetal.h b/configs/baremetal.h index 1b522551a..e1066fe7b 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -116,6 +116,7 @@ #define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID #define MBEDTLS_X509_ON_DEMAND_PARSING #define MBEDTLS_X509_ALWAYS_FLUSH +#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f32498b1b..22b6e5430 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2018,6 +2018,17 @@ */ //#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +/** + * \def MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + * + * Remove support for X.509 certificate verification callbacks. + * + * Uncomment to save some bytes of code by removing support for X.509 + * certificate verification callbacks in mbedtls_x509_crt_verify() and + * related verification API. + */ +#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 40ad4b114..db5465a36 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1033,7 +1033,8 @@ struct mbedtls_ssl_config void *p_sni; /*!< context for SNI callback */ #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) /** Callback to customize X.509 certificate chain verification */ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); void *p_vrfy; /*!< context for X.509 verify calllback */ @@ -1588,7 +1589,8 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); */ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) /** * \brief Set the verification callback (Optional). * @@ -1603,7 +1605,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if !defined(MBEDTLS_SSL_CONF_RNG) /** diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 182ab15b0..f0801df79 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -502,14 +502,17 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, * verification process. */ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, - mbedtls_x509_crt *trust_ca, - mbedtls_x509_crl *ca_crl, + mbedtls_x509_crt *trust_ca, + mbedtls_x509_crl *ca_crl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) - const char *cn, + const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ); + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ); /** * \brief Verify the certificate signature according to profile @@ -545,9 +548,12 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ); + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ); /** * \brief Restartable version of \c mbedtls_crt_verify_with_profile() @@ -579,8 +585,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ mbedtls_x509_crt_restart_ctx *rs_ctx ); #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e47c45657..6aebc0814 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7181,7 +7181,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, ssl->hostname, #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &ssl->session_negotiate->verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ssl->conf->f_vrfy, ssl->conf->p_vrfy, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + rs_ctx ); if( verify_ret != 0 ) { @@ -8523,7 +8526,8 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) #endif /* MBEDTLS_SSL_CONF_AUTHMODE */ } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) @@ -8531,7 +8535,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, conf->f_vrfy = f_vrfy; conf->p_vrfy = p_vrfy; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if !defined(MBEDTLS_SSL_CONF_RNG) void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, diff --git a/library/version_features.c b/library/version_features.c index bb655c0c9..23aaa2a52 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -576,6 +576,9 @@ static const char *features[] = { #if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION", #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ +#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) "MBEDTLS_X509_RSASSA_PSS_SUPPORT", #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ diff --git a/library/x509.c b/library/x509.c index 19cc64b79..0eca0592a 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1250,11 +1250,20 @@ int mbedtls_x509_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n X.509 signature verify: "); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, NULL, NULL ); +#else + ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif + if( ret != 0 ) { if( verbose != 0 ) diff --git a/library/x509_crt.c b/library/x509_crt.c index 0089ef2a3..730126be8 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -3590,9 +3590,12 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) + , void *p_vrfy +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, &mbedtls_x509_crt_profile_default, @@ -3600,7 +3603,10 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ flags, - f_vrfy, p_vrfy, NULL ) ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + f_vrfy, p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + NULL ) ); } /* @@ -3613,16 +3619,23 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) + , void *p_vrfy +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - flags, f_vrfy, p_vrfy, NULL ) ); + flags, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + f_vrfy, p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + NULL ) ); } /* @@ -3643,8 +3656,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ mbedtls_x509_crt_restart_ctx *rs_ctx ) { int ret; @@ -3702,7 +3717,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, ver_chain.items[0].flags |= ee_flags; /* Build final flags, calling callback on the way if any */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy ); +#else + ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, NULL, NULL ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ exit: #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index dd5051466..0f555b717 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1578,6 +1578,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ +#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + if( strcmp( "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_VERIFY_CALLBACK ); + return( 0 ); + } +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 788793a49..6fa051a90 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -664,6 +664,8 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) !MBEDTLS_SSL_CONF_RECV_TIMEOUT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) + +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) static unsigned char peer_crt_info[1024]; /* @@ -704,6 +706,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, return( 0 ); } +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1894,8 +1897,10 @@ int main( int argc, char *argv[] ) #endif } +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ @@ -2316,10 +2321,11 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " ok\n" ); -#if !defined(MBEDTLS_X509_REMOVE_INFO) +#if !defined(MBEDTLS_X509_REMOVE_INFO) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_printf( "%s\n", peer_crt_info ); -#endif /* !MBEDTLS_X509_REMOVE_INFO */ +#endif /* !MBEDTLS_X509_REMOVE_INFO && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2648,9 +2654,10 @@ send_request: mbedtls_printf( " . Restarting connection from same port..." ); fflush( stdout ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -2825,9 +2832,10 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 74efea388..b82f83f8f 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -129,6 +129,7 @@ static void my_debug( void *ctx, int level, } #endif /* MBEDTLS_DEBUG_C */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags ) { char buf[1024]; @@ -148,6 +149,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *fl return( 0 ); } +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if defined(MBEDTLS_SSL_CONF_RNG) int rng_wrap( void *ctx, unsigned char *dst, size_t len ); @@ -363,11 +365,21 @@ int main( int argc, char *argv[] ) { mbedtls_printf( " . Verifying X.509 certificate..." ); - if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, my_verify, NULL ) ) != 0 ) + &flags, + my_verify, NULL ); +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + if( ret != 0 ) { char vrfy_buf[512]; @@ -436,7 +448,10 @@ int main( int argc, char *argv[] ) { mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); +#endif } else mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); diff --git a/scripts/config.pl b/scripts/config.pl index 751ea1db1..0922e53a7 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -43,6 +43,7 @@ # MBEDTLS_X509_CRT_REMOVE_TIME # MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID # MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +# MBEDTLS_X509_REMOVE_VERIFY_CALLBACK # MBEDTLS_ZLIB_SUPPORT # MBEDTLS_PKCS11_C # and any symbol beginning _ALT @@ -110,6 +111,7 @@ MBEDTLS_X509_REMOVE_INFO MBEDTLS_X509_CRT_REMOVE_TIME MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +MBEDTLS_X509_REMOVE_VERIFY_CALLBACK MBEDTLS_ZLIB_SUPPORT MBEDTLS_PKCS11_C MBEDTLS_NO_UDBL_DIVISION diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1e3287c46..ff0019bbf 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1348,6 +1348,21 @@ component_test_no_hostname_verification () { if_build_succeeded tests/ssl-opt.sh } +component_test_no_x509_verify_callback () { + msg "build: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests + scripts/config.pl set MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + make CFLAGS='-Werror -O1' + + msg "test: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s + make test + + msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 1 min + if_build_succeeded tests/ssl-opt.sh +} + component_build_arm_none_eabi_gcc () { msg "build: arm-none-eabi-gcc, make" # ~ 10s scripts/config.pl baremetal diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index da87793ec..38bfed728 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1188,6 +1188,7 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SHA-1 forbidden by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$P_CLI debug_level=2 allow_sha1=0" \ @@ -1212,6 +1213,7 @@ run_test "SHA-256 allowed by default in server certificate" \ requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV auth_mode=required allow_sha1=0" \ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ @@ -3653,6 +3655,7 @@ run_test "DER format: with 9 trailing random bytes" \ # Tests for auth_mode requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -3664,6 +3667,7 @@ run_test "Authentication: server badcert, client required" \ -c "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -3675,6 +3679,7 @@ run_test "Authentication: server badcert, client optional" \ -C "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server goodcert, client optional, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ @@ -3687,6 +3692,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \ -C "SSL - No CA Chain is set, but required to operate" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ @@ -3783,6 +3789,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \ -s "No client certification received from the client, but required by the authentication mode" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client badcert, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -3805,6 +3812,7 @@ run_test "Authentication: client badcert, server required" \ # before reading the alert message. requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -3823,6 +3831,7 @@ run_test "Authentication: client cert not trusted, server required" \ -s "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -3858,6 +3867,7 @@ run_test "Authentication: client badcert, server none" \ -S "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -3876,6 +3886,7 @@ run_test "Authentication: client no cert, server optional" \ -S "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: openssl client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \ "$O_CLI" \ @@ -3908,6 +3919,7 @@ run_test "Authentication: client no cert, openssl server required" \ requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client no cert, ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \ @@ -4026,6 +4038,7 @@ run_test "Authentication: do not send CA list in CertificateRequest" \ -S "requested DN" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: send CA list in CertificateRequest, client self signed" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -4041,6 +4054,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig # Tests for certificate selection based on SHA verson requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4052,6 +4066,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4063,6 +4078,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ -c "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4074,6 +4090,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ -c "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4086,6 +4103,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ "$P_SRV crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ @@ -4100,6 +4118,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ # tests for SNI requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -4111,6 +4130,7 @@ run_test "SNI: no SNI callback" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4123,6 +4143,7 @@ run_test "SNI: matching cert 1" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4189,6 +4210,7 @@ run_test "SNI: client auth override: optional -> none" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA no override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4209,6 +4231,7 @@ run_test "SNI: CA no override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4229,6 +4252,7 @@ run_test "SNI: CA override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4250,6 +4274,7 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -4261,6 +4286,7 @@ run_test "SNI: DTLS, no SNI callback" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4273,6 +4299,7 @@ run_test "SNI: DTLS, matching cert 1" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4339,6 +4366,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4378,6 +4406,7 @@ run_test "SNI: DTLS, CA override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ @@ -4816,6 +4845,7 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ -C "Ciphersuite is TLS-" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ke.crt" \ @@ -4848,6 +4878,7 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \ -C "Ciphersuite is TLS-" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds.crt" \ @@ -6399,6 +6430,7 @@ run_test "EC restart: TLS, max_ops=1000" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ @@ -6435,6 +6467,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ @@ -6535,6 +6568,7 @@ run_test "SSL async private: sign, RSA, TLS 1.1" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SSL async private: sign, SNI" \ "$P_SRV debug_level=3 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \ @@ -6998,6 +7032,7 @@ run_test "DTLS client auth: required" \ -s "Verifying peer X.509 certificate... ok" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "DTLS client auth: optional, client has no cert" \ "$P_SRV dtls=1 auth_mode=optional" \ "$P_CLI dtls=1 crt_file=none key_file=none" \ @@ -7005,6 +7040,7 @@ run_test "DTLS client auth: optional, client has no cert" \ -s "! Certificate was missing" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "DTLS client auth: none, client has no cert" \ "$P_SRV dtls=1 auth_mode=none" \ "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \ diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 375feb9a3..aa4099537 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -560,11 +560,11 @@ depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBE x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #19 (Valid Cert, denying callback) -depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none" X509 CRT verification #19 (Not trusted Cert, allowing callback) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all" X509 CRT verification #21 (domain matching wildcard certificate, case insensitive) @@ -920,7 +920,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MB x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #92 (bad name, allowing callback) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 96ad7d932..130d90fa8 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -334,7 +334,10 @@ void x509_verify_restart( char *crt_file, char *ca_file, NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, - NULL, NULL, &rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + NULL, NULL, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + &rs_ctx ); } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); TEST_ASSERT( ret == result ); @@ -355,7 +358,10 @@ void x509_verify_restart( char *crt_file, char *ca_file, NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, - NULL, NULL, &rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + NULL, NULL, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + &rs_ctx ); TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); exit: @@ -376,7 +382,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, mbedtls_x509_crl crl; uint32_t flags = 0; int res; +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; +#endif const mbedtls_x509_crt_profile *profile; #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) char * cn_name = NULL; @@ -406,6 +414,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, else TEST_ASSERT( "Unknown algorithm profile" == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) if( strcmp( verify_callback, "NULL" ) == 0 ) f_vrfy = NULL; else if( strcmp( verify_callback, "verify_none" ) == 0 ) @@ -414,16 +423,28 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, f_vrfy = verify_all; else TEST_ASSERT( "No known verify callback selected" == 0 ); +#else + if( strcmp( verify_callback, "NULL" ) != 0 ) + TEST_ASSERT( "Verify callbacks disabled" == 0 ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) cn_name, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, f_vrfy, NULL ); +#else + res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + cn_name, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif TEST_ASSERT( res == ( result ) ); if( flags != (uint32_t) flags_result ) @@ -441,7 +462,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ void x509_verify_callback( char *crt_file, char *ca_file, char *name, int exp_ret, char *exp_vrfy_out ) { @@ -827,11 +848,21 @@ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int, TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); /* Try to verify that chain */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, NULL, NULL ); + &flags, + NULL, NULL ); +#else + ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + TEST_ASSERT( ret == ret_chk ); TEST_ASSERT( flags == (uint32_t) flags_chk ); @@ -841,7 +872,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, int flags_result, int result, char *profile_name, int vrfy_fatal_lvls ) From adc282a5e881293540d02db94c02f6bfb002101a Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 16 Aug 2019 17:14:25 +0100 Subject: [PATCH 2/8] Add zero-cost abstraction layer for CRT verification chain When verifying an X.509 certificate, the current verification logic maintains an instance of the internal mbedtls_x509_crt_verify_chain structure representing the state of the verification process. This instance references the list of certificates that comprise the chain built so far together with their verification flags. This information must be stored during verification because it's being passed to the verification callback at the end of verification - if the user has specified those. If the user hasn't specified a verification callback, it is not necessary to maintain the list of CRTs, and it is also not necessary to maintain verification flags for each CRT individually, as they're merged at the end of the verification process. To allow a readable simplification of the code in case no verification callbacks are used, this commit introduces a zero-cost abstraction layer for the functionality that's required from the verification chain structure: - init/reset - add a new CRT to the chain - get pointer to current CRT flags - add flags to EE certificate - get current chain length - trigger callbacks and get final (merged) flags This gives flexibility for re-implementing the verification chain structure, e.g. in the case where no verification callbacks are provided, and there's hence no need to store CRTs and flags individually. This will be done in a later commit. --- include/mbedtls/x509_crt.h | 3 + library/x509_crt.c | 152 ++++++++++++++++++++++--------------- 2 files changed, 92 insertions(+), 63 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index f0801df79..e90f6a09a 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -249,6 +249,9 @@ typedef struct /* for find_parent_in() */ mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */ + /* current child CRT */ + mbedtls_x509_crt *cur_crt; + #if defined(MBEDTLS_HAVE_TIME_DATE) mbedtls_x509_crt *fallback_parent; int fallback_signature_is_good; diff --git a/library/x509_crt.c b/library/x509_crt.c index 730126be8..a04e33ccb 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -669,23 +669,6 @@ static int x509_check_wildcard( char const *cn, } #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ -/* - * Reset (init or clear) a verify_chain - */ -static void x509_crt_verify_chain_reset( - mbedtls_x509_crt_verify_chain *ver_chain ) -{ - size_t i; - - for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ ) - { - ver_chain->items[i].crt = NULL; - ver_chain->items[i].flags = (uint32_t) -1; - } - - ver_chain->len = 0; -} - /* * Version ::= INTEGER { v1(0), v2(1), v3(2) } */ @@ -3202,6 +3185,82 @@ static int x509_crt_check_ee_locally_trusted( return( -1 ); } +/* + * Reset (init or clear) a verify_chain + */ +static void x509_crt_verify_chain_reset( + mbedtls_x509_crt_verify_chain *ver_chain ) +{ + size_t i; + + for( i = 0; i < MBEDTLS_X509_MAX_VERIFY_CHAIN_SIZE; i++ ) + { + ver_chain->items[i].crt = NULL; + ver_chain->items[i].flags = (uint32_t) -1; + } + + ver_chain->len = 0; +} + +/* + * Merge the flags for all certs in the chain, after calling callback + */ +static int x509_crt_verify_chain_get_flags( + const mbedtls_x509_crt_verify_chain *ver_chain, + uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy ) +{ + int ret; + unsigned i; + uint32_t cur_flags; + const mbedtls_x509_crt_verify_chain_item *cur; + + for( i = ver_chain->len; i != 0; --i ) + { + cur = &ver_chain->items[i-1]; + cur_flags = cur->flags; + + if( NULL != f_vrfy ) + if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 ) + return( ret ); + + *flags |= cur_flags; + } + + return( 0 ); +} + +static void x509_crt_verify_chain_add_ee_flags( + mbedtls_x509_crt_verify_chain *chain, + uint32_t ee_flags ) +{ + chain->items[0].flags |= ee_flags; +} + +static void x509_crt_verify_chain_add_crt( + mbedtls_x509_crt_verify_chain *chain, + mbedtls_x509_crt *crt ) +{ + mbedtls_x509_crt_verify_chain_item *cur; + cur = &chain->items[chain->len]; + cur->crt = crt; + cur->flags = 0; + chain->len++; +} + +static uint32_t* x509_crt_verify_chain_get_cur_flags( + mbedtls_x509_crt_verify_chain *chain ) +{ + return( &chain->items[chain->len - 1].flags ); +} + +static unsigned x509_crt_verify_chain_len( + mbedtls_x509_crt_verify_chain const *chain ) +{ + return( chain->len ); +} + /* * Build and verify a certificate chain * @@ -3254,7 +3313,6 @@ static int x509_crt_verify_chain( * catch potential issues with jumping ahead when restarting */ int ret; uint32_t *flags; - mbedtls_x509_crt_verify_chain_item *cur; mbedtls_x509_crt *child_crt; mbedtls_x509_crt *parent_crt; int parent_is_trusted; @@ -3269,10 +3327,7 @@ static int x509_crt_verify_chain( /* restore saved state */ *ver_chain = rs_ctx->ver_chain; /* struct copy */ self_cnt = rs_ctx->self_cnt; - - /* restore derived state */ - cur = &ver_chain->items[ver_chain->len - 1]; - child_crt = cur->crt; + child_crt = rs_ctx->cur_crt; child_is_trusted = 0; goto find_parent; @@ -3291,16 +3346,13 @@ static int x509_crt_verify_chain( int self_issued; /* Add certificate to the verification chain */ - cur = &ver_chain->items[ver_chain->len]; - cur->crt = child_crt; - cur->flags = 0; - ver_chain->len++; + x509_crt_verify_chain_add_crt( ver_chain, child_crt ); #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) find_parent: #endif - flags = &cur->flags; + flags = x509_crt_verify_chain_get_cur_flags( ver_chain ); { mbedtls_x509_crt_sig_info child_sig; @@ -3342,7 +3394,7 @@ find_parent: *flags |= MBEDTLS_X509_BADCERT_BAD_PK; /* Special case: EE certs that are locally trusted */ - if( ver_chain->len == 1 && self_issued && + if( x509_crt_verify_chain_len( ver_chain ) == 1 && self_issued && x509_crt_check_ee_locally_trusted( child, trust_ca ) == 0 ) { mbedtls_x509_crt_frame_release( child_crt ); @@ -3364,7 +3416,8 @@ find_parent: ret = x509_crt_find_parent( &child_sig, child_crt->next, trust_ca, &parent_crt, &parent_is_trusted, &signature_is_good, - ver_chain->len - 1, self_cnt, rs_ctx ); + x509_crt_verify_chain_len( ver_chain ) - 1, + self_cnt, rs_ctx ); x509_crt_free_sig_info( &child_sig ); } @@ -3376,6 +3429,7 @@ find_parent: rs_ctx->in_progress = x509_crt_rs_find_parent; rs_ctx->self_cnt = self_cnt; rs_ctx->ver_chain = *ver_chain; /* struct copy */ + rs_ctx->cur_crt = child_crt; return( ret ); } #else @@ -3392,13 +3446,14 @@ find_parent: /* Count intermediate self-issued (not necessarily self-signed) certs. * These can occur with some strategies for key rollover, see [SIRO], * and should be excluded from max_pathlen checks. */ - if( ver_chain->len != 1 && self_issued ) + if( x509_crt_verify_chain_len( ver_chain ) != 1 && self_issued ) self_cnt++; /* path_cnt is 0 for the first intermediate CA, * and if parent is trusted it's not an intermediate CA */ if( ! parent_is_trusted && - ver_chain->len > MBEDTLS_X509_MAX_INTERMEDIATE_CA ) + x509_crt_verify_chain_len( ver_chain ) > + MBEDTLS_X509_MAX_INTERMEDIATE_CA ) { /* return immediately to avoid overflow the chain array */ return( MBEDTLS_ERR_X509_FATAL_ERROR ); @@ -3552,35 +3607,6 @@ static int x509_crt_verify_name( const mbedtls_x509_crt *crt, } #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ -/* - * Merge the flags for all certs in the chain, after calling callback - */ -static int x509_crt_merge_flags_with_cb( - uint32_t *flags, - const mbedtls_x509_crt_verify_chain *ver_chain, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) -{ - int ret; - unsigned i; - uint32_t cur_flags; - const mbedtls_x509_crt_verify_chain_item *cur; - - for( i = ver_chain->len; i != 0; --i ) - { - cur = &ver_chain->items[i-1]; - cur_flags = cur->flags; - - if( NULL != f_vrfy ) - if( ( ret = f_vrfy( p_vrfy, cur->crt, (int) i-1, &cur_flags ) ) != 0 ) - return( ret ); - - *flags |= cur_flags; - } - - return( 0 ); -} - /* * Verify the certificate validity (default profile, not restartable) */ @@ -3714,13 +3740,13 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, goto exit; /* Merge end-entity flags */ - ver_chain.items[0].flags |= ee_flags; + x509_crt_verify_chain_add_ee_flags( &ver_chain, ee_flags ); /* Build final flags, calling callback on the way if any */ #if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) - ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy ); + ret = x509_crt_verify_chain_get_flags( &ver_chain, flags, f_vrfy, p_vrfy ); #else - ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, NULL, NULL ); + ret = x509_crt_verify_chain_get_flags( &ver_chain, flags, NULL, NULL ); #endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ exit: From 8d6d3206036e2017cdccf638bc46a2b2e5e00d66 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Fri, 16 Aug 2019 17:18:15 +0100 Subject: [PATCH 3/8] Re-implement verify chain if vrfy cbs are disabled This commit re-implements the previously introduced internal verification chain API in the case where verification callbacks are disabled. In this situation, it is not necessary to maintain the list of individual certificates and flags comprising the verification chain - instead, it suffices to just keep track of the length and the total (=merged) flags. --- include/mbedtls/x509_crt.h | 12 ++++++++ library/x509_crt.c | 58 ++++++++++++++++++++++++++++++++++++++ 2 files changed, 70 insertions(+) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index e90f6a09a..aa0ec9749 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -214,6 +214,8 @@ typedef struct mbedtls_x509write_cert mbedtls_x509write_cert; #endif /* MBEDTLS_X509_CRT_WRITE_C */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + /** * Item in a verification chain: cert and flags for it */ @@ -236,6 +238,16 @@ typedef struct unsigned len; } mbedtls_x509_crt_verify_chain; +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + +typedef struct +{ + unsigned len; + uint32_t flags; +} mbedtls_x509_crt_verify_chain; + +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) /** diff --git a/library/x509_crt.c b/library/x509_crt.c index a04e33ccb..5f2af7fcb 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -3185,6 +3185,8 @@ static int x509_crt_check_ee_locally_trusted( return( -1 ); } +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + /* * Reset (init or clear) a verify_chain */ @@ -3261,6 +3263,62 @@ static unsigned x509_crt_verify_chain_len( return( chain->len ); } +#else + +/* + * Reset (init or clear) a verify_chain + */ +static void x509_crt_verify_chain_reset( + mbedtls_x509_crt_verify_chain *ver_chain ) +{ + ver_chain->len = 0; + ver_chain->flags = 0; +} + +/* + * Merge the flags for all certs in the chain, after calling callback + */ +static int x509_crt_verify_chain_get_flags( + const mbedtls_x509_crt_verify_chain *ver_chain, + uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy ) +{ + ((void) f_vrfy); + ((void) p_vrfy); + *flags = ver_chain->flags; + return( 0 ); +} + +static void x509_crt_verify_chain_add_ee_flags( + mbedtls_x509_crt_verify_chain *chain, + uint32_t ee_flags ) +{ + chain->flags |= ee_flags; +} + +static void x509_crt_verify_chain_add_crt( + mbedtls_x509_crt_verify_chain *chain, + mbedtls_x509_crt *crt ) +{ + ((void) crt); + chain->len++; +} + +static uint32_t* x509_crt_verify_chain_get_cur_flags( + mbedtls_x509_crt_verify_chain *chain ) +{ + return( &chain->flags ); +} + +static unsigned x509_crt_verify_chain_len( + mbedtls_x509_crt_verify_chain const *chain ) +{ + return( chain->len ); +} + +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + /* * Build and verify a certificate chain * From 03d77469279e409fa794afcf3cd14db776e6e8d9 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 27 Aug 2019 16:24:56 +0100 Subject: [PATCH 4/8] ECC restart: Use optional verification mode in bad signature test This way, the verification failure string will still be printed even if verification callbacks are disabled, allowing to increase test coverage. --- tests/ssl-opt.sh | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 38bfed728..b0e4515d7 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -6430,22 +6430,19 @@ run_test "EC restart: TLS, max_ops=1000" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_disabled MBEDTLS_X509_REMOVE_INFO -requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ - key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ - debug_level=1 ec_max_ops=1000" \ - 1 \ + key_file=data_files/server5.key crt_file=data_files/server5.crt ca_file=data_files/test-ca2.crt \ + debug_level=1 ec_max_ops=1000 auth_mode=optional" \ + 0 \ -c "x509_verify_cert.*4b00" \ - -C "mbedtls_pk_verify.*4b00" \ - -C "mbedtls_ecdh_make_public.*4b00" \ - -C "mbedtls_pk_sign.*4b00" \ + -c "mbedtls_pk_verify.*4b00" \ + -c "mbedtls_ecdh_make_public.*4b00" \ + -c "mbedtls_pk_sign.*4b00" \ -c "! The certificate is not correctly signed by the trusted CA" \ - -c "! mbedtls_ssl_handshake returned" \ - -c "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_enabled MBEDTLS_ECP_RESTARTABLE From cd839c9aa7e8ee649e49de36bf0fe13d1be29eaa Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 29 Aug 2019 11:11:00 +0100 Subject: [PATCH 5/8] Fix Doxygen warnings regarding removed verify cb+ctx parameters --- include/mbedtls/x509_crt.h | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index aa0ec9749..662ec68a1 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -521,12 +521,12 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, mbedtls_x509_crl *ca_crl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || DOXYGEN_ONLY */ uint32_t *flags -#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy -#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK || DOXYGEN_ONLY */ ); /** @@ -562,12 +562,12 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, const mbedtls_x509_crt_profile *profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || DOXYGEN_ONLY */ uint32_t *flags -#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy -#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK || DOXYGEN_ONLY */ ); /** @@ -598,12 +598,12 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const mbedtls_x509_crt_profile *profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || DOXYGEN_ONLY */ uint32_t *flags, -#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) || defined(DOXYGEN_ONLY) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, -#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK || DOXYGEN_ONLY */ mbedtls_x509_crt_restart_ctx *rs_ctx ); #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) From cd239f88396323a2e913b32039166956b97b1fbe Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 29 Aug 2019 11:52:43 +0100 Subject: [PATCH 6/8] X.509: Don't remove verify callback by default --- include/mbedtls/config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 22b6e5430..3d78ece77 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2027,7 +2027,7 @@ * certificate verification callbacks in mbedtls_x509_crt_verify() and * related verification API. */ -#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK +//#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT From 14b0a680839348f63805eb7197406d865a70b66b Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 29 Aug 2019 15:26:15 +0100 Subject: [PATCH 7/8] x509_crt.c: Indicate guarding condition in #else branch --- library/x509_crt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index 5f2af7fcb..0676e6481 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -3263,7 +3263,7 @@ static unsigned x509_crt_verify_chain_len( return( chain->len ); } -#else +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ /* * Reset (init or clear) a verify_chain From 392a8d0e64f5be054daf3ac7c447c7d53dba4b9c Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 3 Sep 2019 09:09:58 +0100 Subject: [PATCH 8/8] x509.c: Minor readability improvement --- library/x509.c | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/library/x509.c b/library/x509.c index 0eca0592a..beb263327 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1250,19 +1250,15 @@ int mbedtls_x509_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n X.509 signature verify: "); + ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags #if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) - ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, -#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) - NULL, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, NULL, NULL ); -#else - ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, -#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) - NULL, -#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags ); + , NULL, NULL #endif + ); if( ret != 0 ) {