From 635f86874fc4388192dfde34dcc341179607be9f Mon Sep 17 00:00:00 2001 From: Hannes Tschofenig Date: Thu, 3 Dec 2020 15:48:32 +0100 Subject: [PATCH] Adding delayed server cert verification to client state machine --- library/ssl_cli.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index cec2f0962..eaba905c4 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -4218,6 +4218,11 @@ static int ssl_parse_new_session_ticket( mbedtls_ssl_context *ssl ) int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) { int ret = 0; +#if defined(MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION) + void *rs_ctx = NULL; + int authmode; + mbedtls_x509_crt *chain = NULL; +#endif /* MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */ if( ssl->state == MBEDTLS_SSL_HANDSHAKE_OVER || ssl->handshake == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); @@ -4310,6 +4315,29 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl ) break; case MBEDTLS_SSL_CLIENT_FINISHED: + +#if defined(MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION) +#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) + authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET + ? ssl->handshake->sni_authmode + : mbedtls_ssl_conf_get_authmode( ssl->conf ); +#else + authmode = mbedtls_ssl_conf_get_authmode( ssl->conf ); +#endif +/* authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET + ? ssl->handshake->sni_authmode + : ssl->conf->authmode; +*/ + chain = ssl->session_negotiate->peer_cert; + + MBEDTLS_SSL_DEBUG_MSG( 3, ( "execute delayed server certificate verification" ) ); + + ret = ssl_parse_delayed_certificate_verify( ssl, authmode, + chain, rs_ctx ); + if( ret != 0 ) + break; +#endif /* MBEDTLS_DELAYED_SERVER_CERT_VERIFICATION */ + ret = mbedtls_ssl_write_finished( ssl ); break;