mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 19:55:37 +00:00
Parse and verify peer CRT chain in local variable
`mbedtls_ssl_parse_certificate()` parses the peer's certificate chain directly into the `peer_cert` field of the `mbedtls_ssl_session` structure being established. To allow to optionally remove this field from the session structure, this commit changes this to parse the peer's chain into a local variable instead first, which can then either be freed after CRT verification - in case the chain should not be stored - or mapped to the `peer_cert` if it should be kept. For now, only the latter is implemented.
This commit is contained in:
parent
177475a3aa
commit
3dad311ef0
|
@ -331,6 +331,9 @@ struct mbedtls_ssl_handshake_params
|
||||||
ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
|
ssl_ecrs_cke_ecdh_calc_secret, /*!< ClientKeyExchange: ECDH step 2 */
|
||||||
ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
|
ssl_ecrs_crt_vrfy_sign, /*!< CertificateVerify: pk_sign() */
|
||||||
} ecrs_state; /*!< current (or last) operation */
|
} ecrs_state; /*!< current (or last) operation */
|
||||||
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
mbedtls_x509_crt *ecrs_peer_cert; /*!< The peer's CRT chain. */
|
||||||
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
size_t ecrs_n; /*!< place for saving a length */
|
size_t ecrs_n; /*!< place for saving a length */
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
|
|
@ -6176,6 +6176,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
const int authmode = ssl->conf->authmode;
|
const int authmode = ssl->conf->authmode;
|
||||||
#endif
|
#endif
|
||||||
void *rs_ctx = NULL;
|
void *rs_ctx = NULL;
|
||||||
|
mbedtls_x509_crt *chain = NULL;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||||
|
|
||||||
|
@ -6190,6 +6191,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
if( ssl->handshake->ecrs_enabled &&
|
if( ssl->handshake->ecrs_enabled &&
|
||||||
ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
|
ssl->handshake->ecrs_state == ssl_ecrs_crt_verify )
|
||||||
{
|
{
|
||||||
|
chain = ssl->handshake->ecrs_peer_cert;
|
||||||
|
ssl->handshake->ecrs_peer_cert = NULL;
|
||||||
goto crt_verify;
|
goto crt_verify;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
@ -6199,7 +6202,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
/* mbedtls_ssl_read_record may have sent an alert already. We
|
/* mbedtls_ssl_read_record may have sent an alert already. We
|
||||||
let it decide whether to alert. */
|
let it decide whether to alert. */
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_read_record", ret );
|
||||||
return( ret );
|
goto exit;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SRV_C)
|
#if defined(MBEDTLS_SSL_SRV_C)
|
||||||
|
@ -6219,22 +6222,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
/* Clear existing peer CRT structure in case we tried to
|
/* Clear existing peer CRT structure in case we tried to
|
||||||
* reuse a session but it failed, and allocate a new one. */
|
* reuse a session but it failed, and allocate a new one. */
|
||||||
ssl_clear_peer_cert( ssl->session_negotiate );
|
ssl_clear_peer_cert( ssl->session_negotiate );
|
||||||
ssl->session_negotiate->peer_cert =
|
|
||||||
mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
|
chain = mbedtls_calloc( 1, sizeof( mbedtls_x509_crt ) );
|
||||||
if( ssl->session_negotiate->peer_cert == NULL )
|
if( chain == NULL )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc(%d bytes) failed",
|
||||||
sizeof( mbedtls_x509_crt ) ) );
|
sizeof( mbedtls_x509_crt ) ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl,
|
mbedtls_ssl_send_alert_message( ssl,
|
||||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
||||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
|
||||||
}
|
|
||||||
mbedtls_x509_crt_init( ssl->session_negotiate->peer_cert );
|
|
||||||
|
|
||||||
ret = ssl_parse_certificate_chain( ssl, ssl->session_negotiate->peer_cert );
|
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
mbedtls_x509_crt_init( chain );
|
||||||
|
|
||||||
|
ret = ssl_parse_certificate_chain( ssl, chain );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
goto exit;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
if( ssl->handshake->ecrs_enabled)
|
if( ssl->handshake->ecrs_enabled)
|
||||||
|
@ -6246,12 +6251,12 @@ crt_verify:
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
ret = ssl_parse_certificate_verify( ssl, authmode,
|
ret = ssl_parse_certificate_verify( ssl, authmode,
|
||||||
ssl->session_negotiate->peer_cert,
|
chain, rs_ctx );
|
||||||
rs_ctx );
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
goto exit;
|
||||||
|
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
|
||||||
/* Remember digest of the peer's end-CRT. */
|
/* Remember digest of the peer's end-CRT. */
|
||||||
ssl->session_negotiate->peer_cert_digest =
|
ssl->session_negotiate->peer_cert_digest =
|
||||||
mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
|
mbedtls_calloc( 1, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN );
|
||||||
|
@ -6262,15 +6267,16 @@ crt_verify:
|
||||||
mbedtls_ssl_send_alert_message( ssl,
|
mbedtls_ssl_send_alert_message( ssl,
|
||||||
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
||||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
|
||||||
|
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
|
||||||
|
goto exit;
|
||||||
}
|
}
|
||||||
ret = mbedtls_md( mbedtls_md_info_from_type(
|
ret = mbedtls_md( mbedtls_md_info_from_type(
|
||||||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
|
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE ),
|
||||||
ssl->session_negotiate->peer_cert->raw.p,
|
chain->raw.p, chain->raw.len,
|
||||||
ssl->session_negotiate->peer_cert->raw.len,
|
|
||||||
ssl->session_negotiate->peer_cert_digest );
|
ssl->session_negotiate->peer_cert_digest );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
goto exit;
|
||||||
|
|
||||||
ssl->session_negotiate->peer_cert_digest_type =
|
ssl->session_negotiate->peer_cert_digest_type =
|
||||||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
|
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE;
|
||||||
|
@ -6278,11 +6284,30 @@ crt_verify:
|
||||||
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
|
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN;
|
||||||
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
|
ssl->session_negotiate->peer_cert = chain;
|
||||||
|
chain = NULL;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
|
|
||||||
|
if( ret == 0 )
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
if( ret == MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS )
|
||||||
|
{
|
||||||
|
ssl->handshake->ecrs_peer_cert = chain;
|
||||||
|
chain = NULL;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
if( chain != NULL )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crt_free( chain );
|
||||||
|
mbedtls_free( chain );
|
||||||
|
}
|
||||||
|
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
|
||||||
|
@ -9487,6 +9512,11 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
|
mbedtls_x509_crt_restart_free( &handshake->ecrs_ctx );
|
||||||
|
if( handshake->ecrs_peer_cert != NULL )
|
||||||
|
{
|
||||||
|
mbedtls_x509_crt_free( handshake->ecrs_peer_cert );
|
||||||
|
mbedtls_free( handshake->ecrs_peer_cert );
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
|
Loading…
Reference in a new issue