mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 13:55:29 +00:00
Enable restart for certificate verify
This commit is contained in:
parent
fed37ed039
commit
3bf49c4552
|
@ -231,6 +231,8 @@ struct mbedtls_ssl_handshake_params
|
|||
mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
|
||||
enum {
|
||||
ssl_ecrs_init = 0, /*!< just getting started */
|
||||
ssl_ecrs_crt_parsed, /*!< server certificate was parsed */
|
||||
ssl_ecrs_crt_verified, /*!< server certificate was verified*/
|
||||
ssl_ecrs_ske_read, /*!< ServerKeyExchange was read */
|
||||
ssl_ecrs_ske_verified, /*!< ServerKeyExchange was verified */
|
||||
ssl_ecrs_ecdh_public_done, /*!< wrote ECDHE public share */
|
||||
|
|
|
@ -4518,6 +4518,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||
#else
|
||||
const int authmode = ssl->conf->authmode;
|
||||
#endif
|
||||
void *rs_ctx = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||
|
||||
|
@ -4545,11 +4546,20 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
||||
|
||||
ssl->state++;
|
||||
return( 0 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( ssl->handshake->ecrs_enabled &&
|
||||
ssl->handshake->ecrs_state == ssl_ecrs_crt_parsed )
|
||||
{
|
||||
goto crt_verify;
|
||||
}
|
||||
#endif
|
||||
|
||||
if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
|
||||
{
|
||||
/* mbedtls_ssl_read_record may have sent an alert already. We
|
||||
|
@ -4572,6 +4582,15 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||
return( ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( ssl->handshake->ecrs_enabled)
|
||||
ssl->handshake->ecrs_state++;
|
||||
|
||||
crt_verify:
|
||||
if( ssl->handshake->ecrs_enabled)
|
||||
rs_ctx = &ssl->handshake->ecrs_ctx;
|
||||
#endif
|
||||
|
||||
if( authmode != MBEDTLS_SSL_VERIFY_NONE )
|
||||
{
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
|
@ -4593,19 +4612,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||
/*
|
||||
* Main check: verify certificate
|
||||
*/
|
||||
ret = mbedtls_x509_crt_verify_with_profile(
|
||||
ret = mbedtls_x509_crt_verify_restartable(
|
||||
ssl->session_negotiate->peer_cert,
|
||||
ca_chain, ca_crl,
|
||||
ssl->conf->cert_profile,
|
||||
ssl->hostname,
|
||||
&ssl->session_negotiate->verify_result,
|
||||
ssl->conf->f_vrfy, ssl->conf->p_vrfy );
|
||||
ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
|
||||
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
|
||||
return( ret );
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Secondary checks: always done, but change 'ret' only if it was 0
|
||||
*/
|
||||
|
@ -4702,6 +4726,11 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||
#endif /* MBEDTLS_DEBUG_C */
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( ssl->handshake->ecrs_enabled)
|
||||
ssl->handshake->ecrs_state++;
|
||||
#endif
|
||||
|
||||
ssl->state++;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
|
||||
|
|
|
@ -3450,6 +3450,7 @@ run_test "EC restart: TLS, default" \
|
|||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1" \
|
||||
0 \
|
||||
-C "x509_verify_cert.*4b80" \
|
||||
-C "mbedtls_pk_verify.*4b80" \
|
||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||
-C "mbedtls_pk_sign.*4b80"
|
||||
|
@ -3461,6 +3462,7 @@ run_test "EC restart: TLS, max_ops=0" \
|
|||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1 ec_max_ops=0" \
|
||||
0 \
|
||||
-C "x509_verify_cert.*4b80" \
|
||||
-C "mbedtls_pk_verify.*4b80" \
|
||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||
-C "mbedtls_pk_sign.*4b80"
|
||||
|
@ -3472,6 +3474,7 @@ run_test "EC restart: TLS, max_ops=65535" \
|
|||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1 ec_max_ops=65535" \
|
||||
0 \
|
||||
-C "x509_verify_cert.*4b80" \
|
||||
-C "mbedtls_pk_verify.*4b80" \
|
||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||
-C "mbedtls_pk_sign.*4b80"
|
||||
|
@ -3483,10 +3486,62 @@ run_test "EC restart: TLS, max_ops=1000" \
|
|||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1 ec_max_ops=1000" \
|
||||
0 \
|
||||
-c "x509_verify_cert.*4b80" \
|
||||
-c "mbedtls_pk_verify.*4b80" \
|
||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||
-c "mbedtls_pk_sign.*4b80"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, max_ops=1000, badsign" \
|
||||
"$P_SRV auth_mode=required \
|
||||
crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1 ec_max_ops=1000" \
|
||||
1 \
|
||||
-c "x509_verify_cert.*4b80" \
|
||||
-C "mbedtls_pk_verify.*4b80" \
|
||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||
-C "mbedtls_pk_sign.*4b80" \
|
||||
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-c "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
|
||||
"$P_SRV auth_mode=required \
|
||||
crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1 ec_max_ops=1000 auth_mode=optional" \
|
||||
0 \
|
||||
-c "x509_verify_cert.*4b80" \
|
||||
-c "mbedtls_pk_verify.*4b80" \
|
||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||
-c "mbedtls_pk_sign.*4b80" \
|
||||
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
|
||||
"$P_SRV auth_mode=required \
|
||||
crt_file=data_files/server5-badsign.crt \
|
||||
key_file=data_files/server5.key" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
debug_level=1 ec_max_ops=1000 auth_mode=none" \
|
||||
0 \
|
||||
-C "x509_verify_cert.*4b80" \
|
||||
-c "mbedtls_pk_verify.*4b80" \
|
||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||
-c "mbedtls_pk_sign.*4b80" \
|
||||
-C "! The certificate is not correctly signed by the trusted CA" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: DTLS, max_ops=1000" \
|
||||
"$P_SRV auth_mode=required dtls=1" \
|
||||
|
@ -3494,6 +3549,7 @@ run_test "EC restart: DTLS, max_ops=1000" \
|
|||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||
dtls=1 debug_level=1 ec_max_ops=1000" \
|
||||
0 \
|
||||
-c "x509_verify_cert.*4b80" \
|
||||
-c "mbedtls_pk_verify.*4b80" \
|
||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||
-c "mbedtls_pk_sign.*4b80"
|
||||
|
@ -3504,6 +3560,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \
|
|||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
debug_level=1 ec_max_ops=1000" \
|
||||
0 \
|
||||
-c "x509_verify_cert.*4b80" \
|
||||
-c "mbedtls_pk_verify.*4b80" \
|
||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||
-C "mbedtls_pk_sign.*4b80"
|
||||
|
@ -3514,6 +3571,7 @@ run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
|
|||
"$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
|
||||
psk=abc123 debug_level=1 ec_max_ops=1000" \
|
||||
0 \
|
||||
-C "x509_verify_cert.*4b80" \
|
||||
-C "mbedtls_pk_verify.*4b80" \
|
||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||
-C "mbedtls_pk_sign.*4b80"
|
||||
|
|
Loading…
Reference in a new issue