mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 03:25:38 +01:00
Enable restart for certificate verify
This commit is contained in:
parent
fed37ed039
commit
3bf49c4552
@ -231,6 +231,8 @@ struct mbedtls_ssl_handshake_params
|
|||||||
mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
|
mbedtls_x509_crt_restart_ctx ecrs_ctx; /*!< restart context */
|
||||||
enum {
|
enum {
|
||||||
ssl_ecrs_init = 0, /*!< just getting started */
|
ssl_ecrs_init = 0, /*!< just getting started */
|
||||||
|
ssl_ecrs_crt_parsed, /*!< server certificate was parsed */
|
||||||
|
ssl_ecrs_crt_verified, /*!< server certificate was verified*/
|
||||||
ssl_ecrs_ske_read, /*!< ServerKeyExchange was read */
|
ssl_ecrs_ske_read, /*!< ServerKeyExchange was read */
|
||||||
ssl_ecrs_ske_verified, /*!< ServerKeyExchange was verified */
|
ssl_ecrs_ske_verified, /*!< ServerKeyExchange was verified */
|
||||||
ssl_ecrs_ecdh_public_done, /*!< wrote ECDHE public share */
|
ssl_ecrs_ecdh_public_done, /*!< wrote ECDHE public share */
|
||||||
|
@ -4518,6 +4518,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
#else
|
#else
|
||||||
const int authmode = ssl->conf->authmode;
|
const int authmode = ssl->conf->authmode;
|
||||||
#endif
|
#endif
|
||||||
|
void *rs_ctx = NULL;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||||
|
|
||||||
@ -4545,11 +4546,20 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
{
|
{
|
||||||
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
||||||
|
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
if( ssl->handshake->ecrs_enabled &&
|
||||||
|
ssl->handshake->ecrs_state == ssl_ecrs_crt_parsed )
|
||||||
|
{
|
||||||
|
goto crt_verify;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
|
if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
|
||||||
{
|
{
|
||||||
/* mbedtls_ssl_read_record may have sent an alert already. We
|
/* mbedtls_ssl_read_record may have sent an alert already. We
|
||||||
@ -4572,6 +4582,15 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
if( ssl->handshake->ecrs_enabled)
|
||||||
|
ssl->handshake->ecrs_state++;
|
||||||
|
|
||||||
|
crt_verify:
|
||||||
|
if( ssl->handshake->ecrs_enabled)
|
||||||
|
rs_ctx = &ssl->handshake->ecrs_ctx;
|
||||||
|
#endif
|
||||||
|
|
||||||
if( authmode != MBEDTLS_SSL_VERIFY_NONE )
|
if( authmode != MBEDTLS_SSL_VERIFY_NONE )
|
||||||
{
|
{
|
||||||
mbedtls_x509_crt *ca_chain;
|
mbedtls_x509_crt *ca_chain;
|
||||||
@ -4593,19 +4612,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
/*
|
/*
|
||||||
* Main check: verify certificate
|
* Main check: verify certificate
|
||||||
*/
|
*/
|
||||||
ret = mbedtls_x509_crt_verify_with_profile(
|
ret = mbedtls_x509_crt_verify_restartable(
|
||||||
ssl->session_negotiate->peer_cert,
|
ssl->session_negotiate->peer_cert,
|
||||||
ca_chain, ca_crl,
|
ca_chain, ca_crl,
|
||||||
ssl->conf->cert_profile,
|
ssl->conf->cert_profile,
|
||||||
ssl->hostname,
|
ssl->hostname,
|
||||||
&ssl->session_negotiate->verify_result,
|
&ssl->session_negotiate->verify_result,
|
||||||
ssl->conf->f_vrfy, ssl->conf->p_vrfy );
|
ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
|
||||||
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
|
MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
|
||||||
|
return( ret );
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Secondary checks: always done, but change 'ret' only if it was 0
|
* Secondary checks: always done, but change 'ret' only if it was 0
|
||||||
*/
|
*/
|
||||||
@ -4702,6 +4726,11 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
#endif /* MBEDTLS_DEBUG_C */
|
#endif /* MBEDTLS_DEBUG_C */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
if( ssl->handshake->ecrs_enabled)
|
||||||
|
ssl->handshake->ecrs_state++;
|
||||||
|
#endif
|
||||||
|
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
|
||||||
|
@ -3450,6 +3450,7 @@ run_test "EC restart: TLS, default" \
|
|||||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
debug_level=1" \
|
debug_level=1" \
|
||||||
0 \
|
0 \
|
||||||
|
-C "x509_verify_cert.*4b80" \
|
||||||
-C "mbedtls_pk_verify.*4b80" \
|
-C "mbedtls_pk_verify.*4b80" \
|
||||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-C "mbedtls_pk_sign.*4b80"
|
-C "mbedtls_pk_sign.*4b80"
|
||||||
@ -3461,6 +3462,7 @@ run_test "EC restart: TLS, max_ops=0" \
|
|||||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
debug_level=1 ec_max_ops=0" \
|
debug_level=1 ec_max_ops=0" \
|
||||||
0 \
|
0 \
|
||||||
|
-C "x509_verify_cert.*4b80" \
|
||||||
-C "mbedtls_pk_verify.*4b80" \
|
-C "mbedtls_pk_verify.*4b80" \
|
||||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-C "mbedtls_pk_sign.*4b80"
|
-C "mbedtls_pk_sign.*4b80"
|
||||||
@ -3472,6 +3474,7 @@ run_test "EC restart: TLS, max_ops=65535" \
|
|||||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
debug_level=1 ec_max_ops=65535" \
|
debug_level=1 ec_max_ops=65535" \
|
||||||
0 \
|
0 \
|
||||||
|
-C "x509_verify_cert.*4b80" \
|
||||||
-C "mbedtls_pk_verify.*4b80" \
|
-C "mbedtls_pk_verify.*4b80" \
|
||||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-C "mbedtls_pk_sign.*4b80"
|
-C "mbedtls_pk_sign.*4b80"
|
||||||
@ -3483,10 +3486,62 @@ run_test "EC restart: TLS, max_ops=1000" \
|
|||||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
debug_level=1 ec_max_ops=1000" \
|
debug_level=1 ec_max_ops=1000" \
|
||||||
0 \
|
0 \
|
||||||
|
-c "x509_verify_cert.*4b80" \
|
||||||
-c "mbedtls_pk_verify.*4b80" \
|
-c "mbedtls_pk_verify.*4b80" \
|
||||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-c "mbedtls_pk_sign.*4b80"
|
-c "mbedtls_pk_sign.*4b80"
|
||||||
|
|
||||||
|
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||||
|
run_test "EC restart: TLS, max_ops=1000, badsign" \
|
||||||
|
"$P_SRV auth_mode=required \
|
||||||
|
crt_file=data_files/server5-badsign.crt \
|
||||||
|
key_file=data_files/server5.key" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
|
debug_level=1 ec_max_ops=1000" \
|
||||||
|
1 \
|
||||||
|
-c "x509_verify_cert.*4b80" \
|
||||||
|
-C "mbedtls_pk_verify.*4b80" \
|
||||||
|
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||||
|
-C "mbedtls_pk_sign.*4b80" \
|
||||||
|
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||||
|
-c "! mbedtls_ssl_handshake returned" \
|
||||||
|
-c "X509 - Certificate verification failed"
|
||||||
|
|
||||||
|
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||||
|
run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
|
||||||
|
"$P_SRV auth_mode=required \
|
||||||
|
crt_file=data_files/server5-badsign.crt \
|
||||||
|
key_file=data_files/server5.key" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
|
debug_level=1 ec_max_ops=1000 auth_mode=optional" \
|
||||||
|
0 \
|
||||||
|
-c "x509_verify_cert.*4b80" \
|
||||||
|
-c "mbedtls_pk_verify.*4b80" \
|
||||||
|
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||||
|
-c "mbedtls_pk_sign.*4b80" \
|
||||||
|
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||||
|
-C "! mbedtls_ssl_handshake returned" \
|
||||||
|
-C "X509 - Certificate verification failed"
|
||||||
|
|
||||||
|
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||||
|
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
|
||||||
|
"$P_SRV auth_mode=required \
|
||||||
|
crt_file=data_files/server5-badsign.crt \
|
||||||
|
key_file=data_files/server5.key" \
|
||||||
|
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
|
debug_level=1 ec_max_ops=1000 auth_mode=none" \
|
||||||
|
0 \
|
||||||
|
-C "x509_verify_cert.*4b80" \
|
||||||
|
-c "mbedtls_pk_verify.*4b80" \
|
||||||
|
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||||
|
-c "mbedtls_pk_sign.*4b80" \
|
||||||
|
-C "! The certificate is not correctly signed by the trusted CA" \
|
||||||
|
-C "! mbedtls_ssl_handshake returned" \
|
||||||
|
-C "X509 - Certificate verification failed"
|
||||||
|
|
||||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||||
run_test "EC restart: DTLS, max_ops=1000" \
|
run_test "EC restart: DTLS, max_ops=1000" \
|
||||||
"$P_SRV auth_mode=required dtls=1" \
|
"$P_SRV auth_mode=required dtls=1" \
|
||||||
@ -3494,6 +3549,7 @@ run_test "EC restart: DTLS, max_ops=1000" \
|
|||||||
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
key_file=data_files/server5.key crt_file=data_files/server5.crt \
|
||||||
dtls=1 debug_level=1 ec_max_ops=1000" \
|
dtls=1 debug_level=1 ec_max_ops=1000" \
|
||||||
0 \
|
0 \
|
||||||
|
-c "x509_verify_cert.*4b80" \
|
||||||
-c "mbedtls_pk_verify.*4b80" \
|
-c "mbedtls_pk_verify.*4b80" \
|
||||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-c "mbedtls_pk_sign.*4b80"
|
-c "mbedtls_pk_sign.*4b80"
|
||||||
@ -3504,6 +3560,7 @@ run_test "EC restart: TLS, max_ops=1000 no client auth" \
|
|||||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||||
debug_level=1 ec_max_ops=1000" \
|
debug_level=1 ec_max_ops=1000" \
|
||||||
0 \
|
0 \
|
||||||
|
-c "x509_verify_cert.*4b80" \
|
||||||
-c "mbedtls_pk_verify.*4b80" \
|
-c "mbedtls_pk_verify.*4b80" \
|
||||||
-c "mbedtls_ecdh_make_public.*4b80" \
|
-c "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-C "mbedtls_pk_sign.*4b80"
|
-C "mbedtls_pk_sign.*4b80"
|
||||||
@ -3514,6 +3571,7 @@ run_test "EC restart: TLS, max_ops=1000, ECDHE-PSK" \
|
|||||||
"$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
|
"$P_CLI force_ciphersuite=TLS-ECDHE-PSK-WITH-AES-128-CBC-SHA256 \
|
||||||
psk=abc123 debug_level=1 ec_max_ops=1000" \
|
psk=abc123 debug_level=1 ec_max_ops=1000" \
|
||||||
0 \
|
0 \
|
||||||
|
-C "x509_verify_cert.*4b80" \
|
||||||
-C "mbedtls_pk_verify.*4b80" \
|
-C "mbedtls_pk_verify.*4b80" \
|
||||||
-C "mbedtls_ecdh_make_public.*4b80" \
|
-C "mbedtls_ecdh_make_public.*4b80" \
|
||||||
-C "mbedtls_pk_sign.*4b80"
|
-C "mbedtls_pk_sign.*4b80"
|
||||||
|
Loading…
Reference in New Issue
Block a user