openssl: made verification mode conversion to mbetls modes more strict

David Cermak 2020-06-16 15:53:19 +02:00 committed by bot
parent d83520060c
commit 8350f2fb6e


@ -213,21 +213,36 @@ void ssl_pm_free(SSL *ssl)
static int ssl_pm_reload_crt(SSL *ssl) static int ssl_pm_reload_crt(SSL *ssl)
{ {
int ret; int ret;
int mode; int mode = MBEDTLS_SSL_VERIFY_UNSET;
struct ssl_pm *ssl_pm = ssl->ssl_pm; struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm; struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm; struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm; struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) /* OpenSSL verification modes outline (see `man SSL_set_verify` for more details)
mode = MBEDTLS_SSL_VERIFY_REQUIRED; *
else if (ssl->verify_mode & SSL_VERIFY_PEER) * | openssl mode | Server | Client |
mode = MBEDTLS_SSL_VERIFY_OPTIONAL; * | SSL_VERIFY_NONE | will not send a client certificate request | server certificate which will be checked |
else if (ssl->verify_mode & SSL_VERIFY_CLIENT_ONCE) * handshake will be continued regardless |
mode = MBEDTLS_SSL_VERIFY_UNSET; * | SSL_VERIFY_PEER | depends on SSL_VERIFY_FAIL_IF_NO_PEER_CERT | handshake is terminated if verify fails |
else * (unless anonymous ciphers--not supported |
mode = MBEDTLS_SSL_VERIFY_NONE; * | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | handshake is terminated if | ignored |
* client cert verify fails | |
*/
if (ssl->method->endpoint == MBEDTLS_SSL_IS_SERVER) {
if (ssl->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ssl->verify_mode & SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_NONE)
mode = MBEDTLS_SSL_VERIFY_NONE;
} else if (ssl->method->endpoint == MBEDTLS_SSL_IS_CLIENT) {
if (ssl->verify_mode & SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ssl->verify_mode == SSL_VERIFY_NONE)
mode = MBEDTLS_SSL_VERIFY_NONE;
}
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode); mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);