From bc2b771af4b67c900813e58e7c8c77d7907291c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 6 May 2015 11:14:19 +0100 Subject: [PATCH] Move ssl_set_ca_chain() to work on config --- ChangeLog | 2 ++ include/mbedtls/ssl.h | 24 ++++++++++-------------- library/ssl_tls.c | 16 +++++++++------- programs/ssl/dtls_client.c | 11 ++++++++--- programs/ssl/dtls_server.c | 2 +- programs/ssl/mini_client.c | 8 +++++++- programs/ssl/ssl_client1.c | 7 ++++++- programs/ssl/ssl_client2.c | 15 ++++++--------- programs/ssl/ssl_fork_server.c | 2 +- programs/ssl/ssl_mail_client.c | 7 ++++++- programs/ssl/ssl_pthread_server.c | 2 +- programs/ssl/ssl_server.c | 2 +- programs/ssl/ssl_server2.c | 2 +- programs/x509/cert_app.c | 4 +--- 14 files changed, 60 insertions(+), 44 deletions(-) diff --git a/ChangeLog b/ChangeLog index d81050445..cf834d3fa 100644 --- a/ChangeLog +++ b/ChangeLog @@ -20,6 +20,8 @@ API Changes mbedtls_gcm_init() -> mbedtls_gcm_setkey() mbedtls_hmac_drbg_init() -> mbedtls_hmac_drbg_init(_buf)() mbedtls_ctr_drbg_init() -> mbedtls_ctr_drbg_init(_buf)() + * mbedtls_ssl_set_ca_chain() lost its last argument (peer_cn), now set + using mbedtls_ssl_set_hostname(). * Renamed mbedtls_pkcs11_priv_key_init() to ..._bind() and mbedtls_pkcs11_x509_cert_init() as well (handled by rename.pl and compat-1.3.h) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 6dfa9f47a..7d660bc67 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1055,21 +1055,15 @@ struct mbedtls_ssl_context /* * PKI layer */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) - const char *peer_cn; /*!< expected peer CN */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ - int client_auth; /*!< flag for client auth. */ int verify_result; /*!< verification result */ /* * User settings */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - /* - * SNI extension - */ - char *hostname; +#if defined(MBEDTLS_X509_CRT_PARSE_C) + char *hostname; /*!< expected peer CN for verification + (and SNI if available) */ #endif #if defined(MBEDTLS_SSL_ALPN) @@ -1575,13 +1569,13 @@ void mbedtls_ssl_set_ciphersuites_for_version( mbedtls_ssl_config *conf, /** * \brief Set the data required to verify peer certificate * - * \param ssl SSL context + * \param conf SSL configuration * \param ca_chain trusted CA chain (meaning all fully trusted top-level CAs) * \param ca_crl trusted CA CRLs - * \param peer_cn expected peer CommonName (or NULL) */ -void mbedtls_ssl_set_ca_chain( mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, - mbedtls_x509_crl *ca_crl, const char *peer_cn ); +void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl ); /** * \brief Set own certificate chain and private key @@ -1695,7 +1689,7 @@ int mbedtls_ssl_set_dh_param_ctx( mbedtls_ssl_config *conf, mbedtls_dhm_context void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); #endif /* MBEDTLS_SSL_SET_CURVES */ -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#if defined(MBEDTLS_X509_CRT_PARSE_C) /** * \brief Set hostname for ServerName TLS extension * (client-side only) @@ -1707,7 +1701,9 @@ void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_i * \return 0 if successful or MBEDTLS_ERR_SSL_MALLOC_FAILED */ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); +#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** * \brief Set server side ServerName TLS extension callback * (optional, server-side only). diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d417065d8..ad95a1f46 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4030,7 +4030,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) * Main check: verify certificate */ ret = mbedtls_x509_crt_verify( ssl->session_negotiate->peer_cert, - ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->peer_cn, + ssl->conf->ca_chain, ssl->conf->ca_crl, ssl->hostname, &ssl->session_negotiate->verify_result, ssl->conf->f_vrfy, ssl->conf->p_vrfy ); @@ -5345,12 +5345,12 @@ static mbedtls_ssl_key_cert *ssl_add_key_cert( mbedtls_ssl_context *ssl ) return( key_cert ); } -void mbedtls_ssl_set_ca_chain( mbedtls_ssl_context *ssl, mbedtls_x509_crt *ca_chain, - mbedtls_x509_crl *ca_crl, const char *peer_cn ) +void mbedtls_ssl_set_ca_chain( mbedtls_ssl_config *conf, + mbedtls_x509_crt *ca_chain, + mbedtls_x509_crl *ca_crl ) { - ssl->conf->ca_chain = ca_chain; - ssl->conf->ca_crl = ca_crl; - ssl->peer_cn = peer_cn; + conf->ca_chain = ca_chain; + conf->ca_crl = ca_crl; } int mbedtls_ssl_set_own_cert( mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, @@ -5450,7 +5450,7 @@ void mbedtls_ssl_set_curves( mbedtls_ssl_config *conf, } #endif -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) { size_t hostname_len; @@ -5474,7 +5474,9 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) return( 0 ); } +#endif +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) void mbedtls_ssl_set_sni( mbedtls_ssl_config *conf, int (*f_sni)(void *, mbedtls_ssl_context *, const unsigned char *, size_t), diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index eb27f3cbe..9f8fcbfa3 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -176,13 +176,16 @@ int main( int argc, char *argv[] ) goto exit; } - mbedtls_printf( " ok\n" ); - /* OPTIONAL is usually a bad choice for security, but makes interop easier * in this simplified example, in which the ca chain is hardcoded. * Production code should set a proper ca chain and use REQUIRED. */ mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); @@ -191,6 +194,8 @@ int main( int argc, char *argv[] ) mbedtls_net_send, mbedtls_net_recv, mbedtls_net_recv_timeout, READ_TIMEOUT_MS ); + mbedtls_printf( " ok\n" ); + /* * 4. Handshake */ diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 96cb1368d..9a925ec27 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -215,7 +215,7 @@ int main( void ) mbedtls_ssl_cache_set, &cache ); #endif - mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) { printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 5d140b911..d6ee5702f 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -149,6 +149,7 @@ enum exit_codes ctr_drbg_seed_failed, ssl_config_default_failed, ssl_setup_failed, + hostname_failed, socket_failed, connect_failed, x509_crt_parse_failed, @@ -216,7 +217,12 @@ int main( void ) goto exit; } - mbedtls_ssl_set_ca_chain( &ssl, &ca, NULL, HOSTNAME ); + mbedtls_ssl_set_ca_chain( &conf, &ca, NULL ); + if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) + { + ret = hostname_failed; + goto exit; + } mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); #endif diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 38a510c35..d7cb14199 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -169,7 +169,12 @@ int main( void ) /* OPTIONAL is not optimal for security, * but makes interop easier in this simplified example */ mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_OPTIONAL ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, "mbed TLS Server 1" ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + if( ( ret = mbedtls_ssl_set_hostname( &ssl, "mbed TLS Server 1" ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } mbedtls_ssl_set_rng( &ssl, mbedtls_ctr_drbg_random, &ctr_drbg ); mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 03ac1b35d..aaf22db33 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -1154,7 +1154,7 @@ int main( int argc, char *argv[] ) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); } if( strcmp( opt.crt_file, "none" ) != 0 && strcmp( opt.key_file, "none" ) != 0 ) @@ -1165,6 +1165,11 @@ int main( int argc, char *argv[] ) goto exit; } } + if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } #endif #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -1177,14 +1182,6 @@ int main( int argc, char *argv[] ) } #endif -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) - { - mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); - goto exit; - } -#endif - if( opt.min_version != DFL_MIN_VERSION ) { ret = mbedtls_ssl_set_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version ); diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 877f9581c..50de5ef54 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -269,7 +269,7 @@ int main( void ) mbedtls_ssl_set_dbg( &conf, my_debug, stdout ); mbedtls_ssl_set_bio_timeout( &ssl, &client_fd, mbedtls_net_send, mbedtls_net_recv, NULL, 0 ); - mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 000ed09f6..ab849a95c 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -611,7 +611,12 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER ) mbedtls_ssl_set_ciphersuites( &conf, opt.force_ciphersuite ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); + if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) + { + mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); + goto exit; + } if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index e951b3ad7..1fc326263 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -188,7 +188,7 @@ static void *handle_ssl_connection( void *data ) mbedtls_ssl_cache_set, thread_info->cache ); #endif - mbedtls_ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, thread_info->ca_chain, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 2302f06f6..61b9dc95e 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -214,7 +214,7 @@ int main( void ) mbedtls_ssl_cache_set, &cache ); #endif - mbedtls_ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, srvcert.next, NULL ); if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_own_cert returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index e5fcfdf31..954ae430d 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1682,7 +1682,7 @@ int main( int argc, char *argv[] ) if( strcmp( opt.ca_path, "none" ) != 0 && strcmp( opt.ca_file, "none" ) != 0 ) { - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, NULL ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); } if( key_cert_init ) if( ( ret = mbedtls_ssl_set_own_cert( &ssl, &srvcert, &pkey ) ) != 0 ) diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 9f6356d34..2bac2ae7a 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -413,7 +413,7 @@ int main( int argc, char *argv[] ) if( verify ) { mbedtls_ssl_set_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); - mbedtls_ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name ); + mbedtls_ssl_set_ca_chain( &conf, &cacert, NULL ); mbedtls_ssl_set_verify( &conf, my_verify, NULL ); } else @@ -429,13 +429,11 @@ int main( int argc, char *argv[] ) goto ssl_exit; } -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto ssl_exit; } -#endif /* * 4. Handshake