Introduce configuration option to remove CRT verification callbacks

2026-05-09 03:04:24 +02:00 · 2019-07-01 17:36:12 +01:00
parent 0e895727be
commit 9ec3fe0d43
16 changed files with 213 additions and 41 deletions
--- a/programs/ssl/query_config.c
+++ b/programs/ssl/query_config.c
@@ -1578,6 +1578,14 @@ int query_config( const char *config )
    }
 #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */

+#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+    if( strcmp( "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_VERIFY_CALLBACK );
+        return( 0 );
+    }
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
 #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
    if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
    {
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -664,6 +664,8 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len )
          !MBEDTLS_SSL_CONF_RECV_TIMEOUT */

 #if defined(MBEDTLS_X509_CRT_PARSE_C)
+
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
 static unsigned char peer_crt_info[1024];

 /*
@@ -704,6 +706,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,

    return( 0 );
 }
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */

 #endif /* MBEDTLS_X509_CRT_PARSE_C */

@@ -1894,8 +1897,10 @@ int main( int argc, char *argv[] )
 #endif
    }

+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
    mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
    memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
@@ -2316,10 +2321,11 @@ int main( int argc, char *argv[] )
    else
        mbedtls_printf( " ok\n" );

-#if !defined(MBEDTLS_X509_REMOVE_INFO)
+#if !defined(MBEDTLS_X509_REMOVE_INFO) && \
+    !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
    mbedtls_printf( "  . Peer certificate information    ...\n" );
    mbedtls_printf( "%s\n", peer_crt_info );
-#endif /* !MBEDTLS_X509_REMOVE_INFO */
+#endif /* !MBEDTLS_X509_REMOVE_INFO && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */

 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@@ -2648,9 +2654,10 @@ send_request:
        mbedtls_printf( "  . Restarting connection from same port..." );
        fflush( stdout );

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
        memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */

        if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
        {
@@ -2825,9 +2832,10 @@ reconnect:

        mbedtls_printf( "  . Reconnecting with saved session..." );

-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
+    !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
        memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
-#endif /* MBEDTLS_X509_CRT_PARSE_C */
+#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */

        if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
        {
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -129,6 +129,7 @@ static void my_debug( void *ctx, int level,
 }
 #endif /* MBEDTLS_DEBUG_C */

+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
 static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
 {
    char buf[1024];
@@ -148,6 +149,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *fl

    return( 0 );
 }
+#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */

 #if defined(MBEDTLS_SSL_CONF_RNG)
 int rng_wrap( void *ctx, unsigned char *dst, size_t len );
@@ -363,11 +365,21 @@ int main( int argc, char *argv[] )
        {
            mbedtls_printf( "  . Verifying X.509 certificate..." );

-            if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+            ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
 #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
                                        NULL,
 #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
-                                        &flags, my_verify, NULL ) ) != 0 )
+                                        &flags,
+                                        my_verify, NULL );
+#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+            ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+                                           NULL,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+                                           &flags );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+            if( ret != 0 )
            {
                char vrfy_buf[512];

@@ -436,7 +448,10 @@ int main( int argc, char *argv[] )
        {
            mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
            mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
+
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
            mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
+#endif
        }
        else
            mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );