eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #5620 from gstrauss/dn_hints

Browse source 
Add accessors to config DN hints for cert request
This commit is contained in:
Paul Elliott 2022-07-01 17:23:14 +01:00 committed by GitHub
commit bae7a1a5a6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 168 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

3
library/ssl_misc.h
View file

@ -850,6 +850,9 @@ struct mbedtls_ssl_handshake_params
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const unsigned char *sni_name; /*!< raw SNI */
size_t sni_name_len; /*!< raw SNI len */
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
const mbedtls_x509_crt *dn_hints; /*!< acceptable client cert issuers */
#endif
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
};

8
library/ssl_tls.c
View file

@ -1472,6 +1472,14 @@ void mbedtls_ssl_set_hs_ca_chain( mbedtls_ssl_context *ssl,
ssl->handshake->sni_ca_crl = ca_crl;
}
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
void mbedtls_ssl_set_hs_dn_hints( mbedtls_ssl_context *ssl,
const mbedtls_x509_crt *crt)
{
ssl->handshake->dn_hints = crt;
}
#endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */
void mbedtls_ssl_set_hs_authmode( mbedtls_ssl_context *ssl,
int authmode )
{

38
library/ssl_tls12_client.c
View file

@ -2534,6 +2534,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
size_t sig_alg_len;
#if defined(MBEDTLS_DEBUG_C)
unsigned char *sig_alg;
unsigned char *dn;
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
@ -2681,6 +2682,43 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
#if defined(MBEDTLS_DEBUG_C)
dn = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n - dn_len;
for( size_t i = 0, dni_len = 0; i < dn_len; i += 2 + dni_len )
{
unsigned char *p = dn + i + 2;
mbedtls_x509_name name;
mbedtls_x509_name *name_cur, *name_prv;
size_t asn1_len;
char s[MBEDTLS_X509_MAX_DN_NAME_SIZE];
memset( &name, 0, sizeof( name ) );
dni_len = MBEDTLS_GET_UINT16_BE( dn + i, 0 );
if( dni_len > dn_len - i - 2 ||
mbedtls_asn1_get_tag( &p, p + dni_len, &asn1_len,
MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE ) != 0 ||
mbedtls_x509_get_name( &p, p + asn1_len, &name ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
mbedtls_ssl_send_alert_message(
ssl,
MBEDTLS_SSL_ALERT_LEVEL_FATAL,
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
MBEDTLS_SSL_DEBUG_MSG( 3,
( "DN hint: %.*s",
mbedtls_x509_dn_gets( s, sizeof(s), &name ), s ) );
name_cur = name.next;
while( name_cur != NULL )
{
name_prv = name_cur;
name_cur = name_cur->next;
mbedtls_platform_zeroize( name_prv, sizeof( mbedtls_x509_name ) );
mbedtls_free( name_prv );
}
}
#endif
exit:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate request" ) );

10
library/ssl_tls12_server.c
View file

@ -2489,6 +2489,16 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
* `mbedtls_ssl_conf_ca_cb()`, then the
* CertificateRequest is currently left empty. */
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->dn_hints != NULL )
crt = ssl->handshake->dn_hints;
else
#endif
if( ssl->conf->dn_hints != NULL )
crt = ssl->conf->dn_hints;
else
#endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
crt = ssl->handshake->sni_ca_chain;