Merge remote-tracking branch 'origin/pr/2539' into development

Resolve conflicts by performing the following:
  - Ensure calls to mbedtls_x509_crt_verify_* are made with callbacks

* origin/pr/2539:
  Make CRT callback tests more robust
  Rename constant in client2.c
  Fix typo
  Add test for configuration specific CRT callback
  Fix doxygen documentation of mbedtls_ssl_set_verify()
  Add test exercising context-specific CRT callback to ssl-opt.sh
  Add cmd to use context-specific CRT callback in ssl_client2
  Implement context-specific verification callbacks
  Add context-specific CRT verification callbacks
  Improve documentation of mbedtls_ssl_conf_verify()
Jaeden Amero 2019-04-16 15:03:12 +01:00
commit fe7106755e
4 changed files with 117 additions and 9 deletions


@ -1094,6 +1094,12 @@ struct mbedtls_ssl_context
unsigned badmac_seen; /*!< records with a bad MAC received */ unsigned badmac_seen; /*!< records with a bad MAC received */
#endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */ #endif /* MBEDTLS_SSL_DTLS_BADMAC_LIMIT */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify callback */
#endif
mbedtls_ssl_send_t *f_send; /*!< Callback for network send */ mbedtls_ssl_send_t *f_send; /*!< Callback for network send */
mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */ mbedtls_ssl_recv_t *f_recv; /*!< Callback for network receive */
mbedtls_ssl_recv_timeout_t *f_recv_timeout; mbedtls_ssl_recv_timeout_t *f_recv_timeout;
@ -1370,13 +1376,17 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
/** /**
* \brief Set the verification callback (Optional). * \brief Set the verification callback (Optional).
* *
* If set, the verify callback is called for each * If set, the provided verify callback is called for each
* certificate in the chain. For implementation * certificate in the peer's CRT chain, including the trusted
* information, please see \c mbedtls_x509_crt_verify() * root. For more information, please see the documentation of
* \c mbedtls_x509_crt_verify().
* *
* \param conf SSL configuration * \note For per context callbacks and contexts, please use
* \param f_vrfy verification function * mbedtls_ssl_set_verify() instead.
* \param p_vrfy verification parameter *
* \param conf The SSL configuration to use.
* \param f_vrfy The verification callback to use during CRT verification.
* \param p_vrfy The opaque context to be passed to the callback.
*/ */
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
@ -1494,6 +1504,30 @@ void mbedtls_ssl_set_bio( mbedtls_ssl_context *ssl,
void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu ); void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
#endif /* MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/**
* \brief Set a connection-specific verification callback (optional).
*
* If set, the provided verify callback is called for each
* certificate in the peer's CRT chain, including the trusted
* root. For more information, please see the documentation of
* \c mbedtls_x509_crt_verify().
*
* \note This call is analogous to mbedtls_ssl_conf_verify() but
* binds the verification callback and context to an SSL context
* as opposed to an SSL configuration.
* If mbedtls_ssl_conf_verify() and mbedtls_ssl_set_verify()
* are both used, mbedtls_ssl_set_verify() takes precedence.
*
* \param ssl The SSL context to use.
* \param f_vrfy The verification callback to use during CRT verification.
* \param p_vrfy The opaque context to be passed to the callback.
*/
void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
/** /**
* \brief Set the timeout period for mbedtls_ssl_read() * \brief Set the timeout period for mbedtls_ssl_read()
* (Default: no timeout.) * (Default: no timeout.)
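Review bot: The new documentation for mbedtls_ssl_set_verify() does not say how a context-specific callback is removed once it has been set. Going by the selection code this commit adds to ssl_parse_certificate_verify() (`if( ssl->f_vrfy != NULL )`), passing NULL as f_vrfy falls back to the configuration callback and the stored p_vrfy is ignored. I would add `\note Passing \c NULL as \p f_vrfy removes the context-specific callback; the callback set with mbedtls_ssl_conf_verify(), if any, is then used.` It would also help to state that p_vrfy is stored as-is and, presumably, must stay valid for as long as the context may run a handshake.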


@ -6037,9 +6037,25 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
ssl->transform_negotiate->ciphersuite_info; ssl->transform_negotiate->ciphersuite_info;
int have_ca_chain = 0; int have_ca_chain = 0;
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy;
if( authmode == MBEDTLS_SSL_VERIFY_NONE ) if( authmode == MBEDTLS_SSL_VERIFY_NONE )
return( 0 ); return( 0 );
if( ssl->f_vrfy != NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use context-specific verification callback" ) );
f_vrfy = ssl->f_vrfy;
p_vrfy = ssl->p_vrfy;
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Use configuration-specific verification callback" ) );
f_vrfy = ssl->conf->f_vrfy;
p_vrfy = ssl->conf->p_vrfy;
}
/* /*
* Main check: verify certificate * Main check: verify certificate
*/ */
@ -6057,7 +6073,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
ssl->conf->cert_profile, ssl->conf->cert_profile,
ssl->hostname, ssl->hostname,
&ssl->session_negotiate->verify_result, &ssl->session_negotiate->verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy ); f_vrfy, p_vrfy );
} }
else else
#endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
@ -6087,7 +6103,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
ssl->conf->cert_profile, ssl->conf->cert_profile,
ssl->hostname, ssl->hostname,
&ssl->session_negotiate->verify_result, &ssl->session_negotiate->verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); f_vrfy, p_vrfy, rs_ctx );
} }
if( ret != 0 ) if( ret != 0 )
@ -7949,6 +7965,16 @@ void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
ssl->f_vrfy = f_vrfy;
ssl->p_vrfy = p_vrfy;
}
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/* /*
* Set EC J-PAKE password for current handshake * Set EC J-PAKE password for current handshake
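Review bot: The selection added to ssl_parse_certificate_verify() makes the context callback replace the configuration callback outright, so any policy enforced in the callback registered with mbedtls_ssl_conf_verify() is skipped for a context that calls mbedtls_ssl_set_verify(). The only trace is a level-3 debug message; a comment above the branch would make the intent explicit, e.g. `/* The context callback replaces, and does not chain to, the configuration callback. */`. mbedtls_ssl_set_verify() also stores f_vrfy and p_vrfy with no reset path visible in this section, so it is worth confirming that a reset or reused context cannot call back into a stale p_vrfy. The body of ssl_parse_certificate_verify() extends outside these hunks.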


@ -82,6 +82,7 @@ int main( void )
#define DFL_REQUEST_PAGE "/" #define DFL_REQUEST_PAGE "/"
#define DFL_REQUEST_SIZE -1 #define DFL_REQUEST_SIZE -1
#define DFL_DEBUG_LEVEL 0 #define DFL_DEBUG_LEVEL 0
#define DFL_CONTEXT_CRT_CB 0
#define DFL_NBIO 0 #define DFL_NBIO 0
#define DFL_EVENT 0 #define DFL_EVENT 0
#define DFL_READ_TIMEOUT 0 #define DFL_READ_TIMEOUT 0
@ -130,6 +131,16 @@ int main( void )
#define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: " #define GET_REQUEST "GET %s HTTP/1.0\r\nExtra-header: "
#define GET_REQUEST_END "\r\n\r\n" #define GET_REQUEST_END "\r\n\r\n"
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#define USAGE_CONTEXT_CRT_CB \
" context_crt_cb=%%d This determines whether the CRT verification callback is bound\n" \
" to the SSL configuration of the SSL context.\n" \
" Possible values:\n"\
" - 0 (default): Use CRT callback bound to configuration\n" \
" - 1: Use CRT callback bound to SSL context\n"
#else
#define USAGE_CONTEXT_CRT_CB ""
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_FS_IO) #if defined(MBEDTLS_FS_IO)
#define USAGE_IO \ #define USAGE_IO \
@ -339,6 +350,7 @@ int main( void )
USAGE_TICKETS \ USAGE_TICKETS \
USAGE_MAX_FRAG_LEN \ USAGE_MAX_FRAG_LEN \
USAGE_TRUNC_HMAC \ USAGE_TRUNC_HMAC \
USAGE_CONTEXT_CRT_CB \
USAGE_ALPN \ USAGE_ALPN \
USAGE_FALLBACK \ USAGE_FALLBACK \
USAGE_EMS \ USAGE_EMS \
@ -435,6 +447,7 @@ struct options
int dgram_packing; /* allow/forbid datagram packing */ int dgram_packing; /* allow/forbid datagram packing */
int extended_ms; /* negotiate extended master secret? */ int extended_ms; /* negotiate extended master secret? */
int etm; /* negotiate encrypt then mac? */ int etm; /* negotiate encrypt then mac? */
int context_crt_cb; /* use context-specific CRT verify callback */
} opt; } opt;
int query_config( const char *config ); int query_config( const char *config );
@ -757,6 +770,7 @@ int main( int argc, char *argv[] )
opt.debug_level = DFL_DEBUG_LEVEL; opt.debug_level = DFL_DEBUG_LEVEL;
opt.nbio = DFL_NBIO; opt.nbio = DFL_NBIO;
opt.event = DFL_EVENT; opt.event = DFL_EVENT;
opt.context_crt_cb = DFL_CONTEXT_CRT_CB;
opt.read_timeout = DFL_READ_TIMEOUT; opt.read_timeout = DFL_READ_TIMEOUT;
opt.max_resend = DFL_MAX_RESEND; opt.max_resend = DFL_MAX_RESEND;
opt.request_page = DFL_REQUEST_PAGE; opt.request_page = DFL_REQUEST_PAGE;
@ -834,6 +848,12 @@ int main( int argc, char *argv[] )
if( opt.debug_level < 0 || opt.debug_level > 65535 ) if( opt.debug_level < 0 || opt.debug_level > 65535 )
goto usage; goto usage;
} }
else if( strcmp( p, "context_crt_cb" ) == 0 )
{
opt.context_crt_cb = atoi( q );
if( opt.context_crt_cb != 0 && opt.context_crt_cb != 1 )
goto usage;
}
else if( strcmp( p, "nbio" ) == 0 ) else if( strcmp( p, "nbio" ) == 0 )
{ {
opt.nbio = atoi( q ); opt.nbio = atoi( q );
@ -1590,7 +1610,9 @@ int main( int argc, char *argv[] )
mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test ); mbedtls_ssl_conf_sig_hashes( &conf, ssl_sig_hashes_for_test );
} }
mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); if( opt.context_crt_cb == 0 )
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
@ -1799,6 +1821,11 @@ int main( int argc, char *argv[] )
} }
#endif #endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( opt.context_crt_cb == 1 )
mbedtls_ssl_set_verify( &ssl, my_verify, NULL );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
if( opt.nbio == 2 ) if( opt.nbio == 2 )
mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL ); mbedtls_ssl_set_bio( &ssl, &server_fd, my_send, my_recv, NULL );
else else
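Review bot: The help text in USAGE_CONTEXT_CRT_CB reads "bound to the SSL configuration of the SSL context", which looks like a typo for "or", given that the two listed values choose between the configuration and the context. In the option parser, `opt.context_crt_cb = atoi( q );` turns a non-numeric value into 0, so a mistyped argument silently selects the configuration-bound callback instead of reaching `goto usage`. This matches how the neighbouring options are parsed, so it may be acceptable for a test program, but a strtol() check with an end pointer would reject such input. The unbraced `if( opt.context_crt_cb == 0 )` directly before the memset() would also be safer with braces.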


@ -1031,6 +1031,27 @@ run_test "Unique IV in GCM" \
-u "IV used" \ -u "IV used" \
-U "IV used" -U "IV used"
# Tests for certificate verification callback
run_test "Configuration-specific CRT verification callback" \
"$P_SRV debug_level=3" \
"$P_CLI context_crt_cb=0 debug_level=3" \
0 \
-S "error" \
-c "Verify requested for " \
-c "Use configuration-specific verification callback" \
-C "Use context-specific verification callback" \
-C "error"
run_test "Context-specific CRT verification callback" \
"$P_SRV debug_level=3" \
"$P_CLI context_crt_cb=1 debug_level=3" \
0 \
-S "error" \
-c "Verify requested for " \
-c "Use context-specific verification callback" \
-C "Use configuration-specific verification callback" \
-C "error"
# Tests for rc4 option # Tests for rc4 option
requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES requires_config_enabled MBEDTLS_REMOVE_ARC4_CIPHERSUITES
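Review bot: Neither new test covers the documented case where both callbacks are set and mbedtls_ssl_set_verify() takes precedence. In this commit ssl_client2 registers my_verify either on the configuration (context_crt_cb=0) or on the context (context_crt_cb=1), never both, so each run only shows that the single installed callback is used. A third mode in the client that installs both, plus a run_test asserting `-c "Use context-specific verification callback"` and `-C "Use configuration-specific verification callback"`, would pin the precedence rule. Both tests are also positive-path only: no case shows that a failure reported by the context-specific callback aborts the handshake.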