Merge branch 'bugfix/openss_strict_verify_mode_3.3' into 'release/v3.3'
openssl: made verification mode conversion to mbedtls modes more strict (v3.3) See merge request espressif/esp-idf!10502
commit
31d272e460
1 changed files with 24 additions and 9 deletions
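--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -213,21 +213,36 @@ void ssl_pm_free(SSL *ssl)
 static int ssl_pm_reload_crt(SSL *ssl)
 {
 int ret;
-int mode;
+int mode = MBEDTLS_SSL_VERIFY_UNSET;
 struct ssl_pm *ssl_pm = ssl->ssl_pm;
 struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
 
 struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
 struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
 
-if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-mode = MBEDTLS_SSL_VERIFY_REQUIRED;
-else if (ssl->verify_mode & SSL_VERIFY_PEER)
-mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
-else if (ssl->verify_mode & SSL_VERIFY_CLIENT_ONCE)
-mode = MBEDTLS_SSL_VERIFY_UNSET;
-else
-mode = MBEDTLS_SSL_VERIFY_NONE;
+/* OpenSSL verification modes outline (see `man SSL_set_verify` for more details)
+*
+* | openssl mode | Server | Client |
+* | SSL_VERIFY_NONE | will not send a client certificate request | server certificate which will be checked |
+* handshake will be continued regardless |
+* | SSL_VERIFY_PEER | depends on SSL_VERIFY_FAIL_IF_NO_PEER_CERT | handshake is terminated if verify fails |
+* (unless anonymous ciphers--not supported |
+* | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | handshake is terminated if | ignored |
+* client cert verify fails | |
+*/
+if (ssl->method->endpoint == MBEDTLS_SSL_IS_SERVER) {
+if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+else if (ssl->verify_mode & SSL_VERIFY_PEER)
+mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+else if (ssl->verify_mode == SSL_VERIFY_NONE)
+mode = MBEDTLS_SSL_VERIFY_NONE;
+} else if (ssl->method->endpoint == MBEDTLS_SSL_IS_CLIENT) {
+if (ssl->verify_mode & SSL_VERIFY_PEER)
+mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+else if (ssl->verify_mode == SSL_VERIFY_NONE)
+mode = MBEDTLS_SSL_VERIFY_NONE;
+}
 
 mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
 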
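Review bot: When neither branch of the new endpoint switch assigns `mode`, the `MBEDTLS_SSL_VERIFY_UNSET` initialiser on the `int mode` line reaches `mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode)` unchanged — this happens for a `verify_mode` that sets only `SSL_VERIFY_CLIENT_ONCE` (which the removed chain handled explicitly), for any flag combination none of the branches recognise, and for an endpoint that is neither `MBEDTLS_SSL_IS_SERVER` nor `MBEDTLS_SSL_IS_CLIENT`. As far as I know `MBEDTLS_SSL_VERIFY_UNSET` is mbedtls's internal "not set" sentinel rather than a real authmode, so what the handshake does once it is stored in `conf` is at best unspecified, and a conversion described as strict should refuse such input instead of forwarding it. Suggest adding, directly before the `mbedtls_ssl_conf_authmode` call, `if (mode == MBEDTLS_SSL_VERIFY_UNSET) { return -1; }` using whatever failure value this function's callers already expect — the remainder of `ssl_pm_reload_crt` and its return path lie outside the hunk. Secondary: the server branch maps `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` to `MBEDTLS_SSL_VERIFY_REQUIRED` even when `SSL_VERIFY_PEER` is not set, whereas OpenSSL ignores that flag on its own; this is stricter than OpenSSL rather than weaker and may well be intended, but a one-line comment such as `/* stricter than OpenSSL: FAIL_IF_NO_PEER_CERT alone still requires a client cert */` would keep a later reader from "fixing" it.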