diff --git a/components/openssl/include/internal/ssl_code.h b/components/openssl/include/internal/ssl_code.h
index de86e07df1..e76b35abe9 100644
--- a/components/openssl/include/internal/ssl_code.h
+++ b/components/openssl/include/internal/ssl_code.h
@@ -23,6 +23,11 @@
 # define SSL_SENT_SHUTDOWN 1
 # define SSL_RECEIVED_SHUTDOWN 2
+# define SSL_VERIFY_NONE 0x00
+# define SSL_VERIFY_PEER 0x01
+# define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
+# define SSL_VERIFY_CLIENT_ONCE 0x04
+
 /*
  * The following 3 states are kept in ssl->rlayer.rstate when reads fail, you
  * should not need these
diff --git a/components/openssl/include/internal/ssl_methods.h b/components/openssl/include/internal/ssl_methods.h
index 2893db1888..244eec38dd 100644
--- a/components/openssl/include/internal/ssl_methods.h
+++ b/components/openssl/include/internal/ssl_methods.h
@@ -22,7 +22,6 @@
 set_fd, get_fd, \
 set_bufflen, \
 get_verify_result, \
- ssl_reload_crt, \
 get_state) \
 static const SSL_METHOD_FUNC func_name LOCAL_ATRR = { \
 new, \
@@ -37,7 +36,6 @@
 get_fd, \
 set_bufflen, \
 get_verify_result, \
- ssl_reload_crt, \
 get_state \
 };
diff --git a/components/openssl/include/internal/ssl_types.h b/components/openssl/include/internal/ssl_types.h
index 47e6b0bf65..6da6076148 100644
--- a/components/openssl/include/internal/ssl_types.h
+++ b/components/openssl/include/internal/ssl_types.h
@@ -171,6 +171,8 @@ struct ssl_ctx_st
 int verify_mode;
+ int (*default_verify_callback) (int ok, X509_STORE_CTX *ctx);
+
 long session_timeout;
 int read_ahead;
@@ -209,6 +211,10 @@ struct ssl_st
 SSL_SESSION session;
+ int verify_mode;
+
+ int (*verify_callback) (int ok, X509_STORE_CTX *ctx);
+
 int rwstate;
 long verify_result;
@@ -259,8 +265,6 @@ struct ssl_method_func_st {
 long (*ssl_get_verify_result)(const SSL *ssl);
- int (*ssl_reload_crt)(SSL *ssl);
-
 OSSL_HANDSHAKE_STATE (*ssl_get_state)(const SSL *ssl);
 };
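Review bot: The new SSL_VERIFY_* values are bit flags that OpenSSL callers combine with `|`, but nothing in the header says so, and any `==` comparison on a stored verify_mode would miss combinations such as `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`. A comment above the block would make the contract explicit: `/* Verification flags for SSL_CTX_set_verify()/SSL_set_verify(); bitwise-OR them as in OpenSSL. */`.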
diff --git a/components/openssl/include/platform/ssl_pm.h b/components/openssl/include/platform/ssl_pm.h
index 53bff0d80e..3f64a4ae32 100644
--- a/components/openssl/include/platform/ssl_pm.h
+++ b/components/openssl/include/platform/ssl_pm.h
@@ -51,6 +51,4 @@ void pkey_pm_unload(EVP_PKEY *pkey);
 long ssl_pm_get_verify_result(const SSL *ssl);
-int ssl_pm_reload_crt(SSL *ssl);
-
 #endif
diff --git a/components/openssl/library/ssl_lib.c b/components/openssl/library/ssl_lib.c
index cc218f9a26..ae517b0a40 100644
--- a/components/openssl/library/ssl_lib.c
+++ b/components/openssl/library/ssl_lib.c
@@ -284,6 +284,7 @@ SSL *SSL_new(SSL_CTX *ctx)
 ssl->cert = ctx->cert;
 ssl->client_CA = ctx->client_CA;
+ ssl->verify_mode = ctx->verify_mode;
 ret = SSL_METHOD_CALL(new, ssl);
 if (ret)
@@ -1726,21 +1727,6 @@ long SSL_set_timeout(SSL *ssl, long t)
 return t;
 }
-/*
- * SSL_set_verify - set the SSL verifying of the SSL context
- *
- * @param ctx - SSL point
- * @param mode - verifying mode
- * @param verify_callback - verifying callback function
- *
- * @return none
- */
-void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
-{
- SSL_ASSERT(ssl);
- SSL_ASSERT(verify_callback);
-}
 /*
  * SSL_get_verify_result - get the verifying result of the SSL certification
  *
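Review bot: SSL_new now copies `verify_mode` from the context but not the callback, so the pointer SSL_CTX_set_verify stores in `ctx->default_verify_callback` never reaches the connection object; OpenSSL seeds the per-connection callback from the context at this point, i.e. `ssl->verify_callback = ctx->default_verify_callback;` next to the added line. Note also that before this commit the platform layer enabled REQUIRED verification whenever a CA was loaded, whereas it now follows `verify_mode`; if a fresh SSL_CTX starts with `verify_mode` at 0 (its initialisation is not shown), a client that loads a CA but never calls SSL_CTX_set_verify goes from verifying its peer to not verifying it, which deserves a documented default or a release note. SSL_new's body continues outside the hunk.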
@@ -1812,3 +1798,37 @@ void SSL_set_verify_depth(SSL *ssl, int depth)
 ssl->param.depth = depth;
 }
+
+/*
+ * SSL_CTX_set_verify - set the SSL context verifying of the SSL context
+ *
+ * @param ctx - SSL context point
+ * @param mode - verifying mode
+ * @param verify_callback - verifying callback function
+ *
+ * @return none
+ */
+void SSL_CTX_set_verify(SSL_CTX *ctx, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
+{
+ SSL_ASSERT(ctx);
+
+ ctx->verify_mode = mode;
+ ctx->default_verify_callback = verify_callback;
+}
+
+/*
+ * SSL_set_verify - set the SSL verifying of the SSL context
+ *
+ * @param ctx - SSL point
+ * @param mode - verifying mode
+ * @param verify_callback - verifying callback function
+ *
+ * @return none
+ */
+void SSL_set_verify(SSL *ssl, int mode, int (*verify_callback)(int, X509_STORE_CTX *))
+{
+ SSL_ASSERT(ctx);
+
+ ssl->verify_mode = mode;
+ ssl->verify_callback = verify_callback;
+}
diff --git a/components/openssl/library/ssl_methods.c b/components/openssl/library/ssl_methods.c
index 0674f40587..c6fb40e59c 100644
--- a/components/openssl/library/ssl_methods.c
+++ b/components/openssl/library/ssl_methods.c
@@ -26,7 +26,6 @@ IMPLEMENT_TLS_METHOD_FUNC(TLS_method_func, ssl_pm_set_fd, ssl_pm_get_fd, ssl_pm_set_bufflen, ssl_pm_get_verify_result,
- ssl_pm_reload_crt,
 ssl_pm_get_state);
 /*
diff --git a/components/openssl/library/ssl_pkey.c b/components/openssl/library/ssl_pkey.c
index ab56fe789d..e13870344f 100644
--- a/components/openssl/library/ssl_pkey.c
+++ b/components/openssl/library/ssl_pkey.c
@@ -160,13 +160,7 @@ int SSL_use_PrivateKey(SSL *ssl, EVP_PKEY *pkey)
 ssl->cert->pkey = pkey;
- ssl_ret = SSL_METHOD_CALL(reload_crt, ssl);
- if (ssl_ret)
- ret = 0;
- else
- ret = 1;
-
- return ret;
+ return 1;
 }
 /*
diff --git a/components/openssl/library/ssl_x509.c b/components/openssl/library/ssl_x509.c
index 431f03caa9..6eb3c1d461 100644
--- a/components/openssl/library/ssl_x509.c
+++ b/components/openssl/library/ssl_x509.c
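Review bot: `SSL_ASSERT(ctx);` in SSL_set_verify names a variable that is not a parameter of that function — it was carried over from SSL_CTX_set_verify just above and should read `SSL_ASSERT(ssl);`; unless SSL_ASSERT discards its argument (its definition is not shown) this will not compile. The header comment has the same slip, `@param ctx - SSL point`, which should be `@param ssl - SSL point`. Both functions store the callback, but nothing in this commit reads `ssl->verify_callback` or `ctx->default_verify_callback`, so either wire it to the mbedTLS verification hook or state in both comments that the callback is currently accepted but never invoked, so callers do not rely on it to relax or tighten verification.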
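Review bot: With the reload_crt call gone, SSL_use_PrivateKey no longer uses `ret` and `ssl_ret`, yet only the matching hunk in SSL_add_client_CA removes the declarations; if nothing earlier in SSL_use_PrivateKey reads them (its body starts outside the hunk), the two `int` declarations should be dropped here too to avoid an unused-variable warning and to stay consistent with ssl_x509.c.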
@@ -138,9 +138,6 @@ int SSL_CTX_add_client_CA(SSL_CTX *ctx, X509 *x)
 */
 int SSL_add_client_CA(SSL *ssl, X509 *x)
 {
- int ret;
- int ssl_ret;
-
 SSL_ASSERT(ssl);
 SSL_ASSERT(x);
@@ -151,13 +148,7 @@ int SSL_add_client_CA(SSL *ssl, X509 *x)
 ssl->client_CA = x;
- ssl_ret = SSL_METHOD_CALL(reload_crt, ssl);
- if (ssl_ret)
- ret = 0;
- else
- ret = 1;
-
- return ret;
+ return 1;
 }
 /*
diff --git a/components/openssl/platform/ssl_pm.c b/components/openssl/platform/ssl_pm.c
index 10b736aa9c..cd29882dfa 100644
--- a/components/openssl/platform/ssl_pm.c
+++ b/components/openssl/platform/ssl_pm.c
@@ -71,14 +71,10 @@ int ssl_pm_new(SSL *ssl)
 size_t pers_len = sizeof(pers);
 int endpoint;
- int mode;
 int version;
 const SSL_METHOD *method = ssl->method;
- struct x509_pm *x509_pm;
- struct pkey_pm *pkey_pm;
-
 ssl->session.peer = ssl_zalloc(sizeof(X509));
 if (!ssl->session.peer)
 SSL_ERR(ret, failed1, "ssl_zalloc\n");
@@ -123,28 +119,9 @@ int ssl_pm_new(SSL *ssl)
 mbedtls_ssl_conf_dbg(&ssl_pm->conf, NULL, NULL);
- x509_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
- if (x509_pm->load) {
- mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
-
- mode = MBEDTLS_SSL_VERIFY_REQUIRED;
- } else {
- mode = MBEDTLS_SSL_VERIFY_NONE;
- }
- mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
-
- pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
- if (pkey_pm->load) {
- x509_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
-
- ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
- if (ret)
- SSL_ERR(ret, failed4, "mbedtls_ssl_conf_own_cert:[%d]\n", ret);
- }
-
 ret = mbedtls_ssl_setup(&ssl_pm->ssl, &ssl_pm->conf);
 if (ret)
- SSL_ERR(ret, failed5, "mbedtls_ssl_setup:[-0x%x]\n", -ret);
+ SSL_ERR(ret, failed4, "mbedtls_ssl_setup:[-0x%x]\n", -ret);
 mbedtls_ssl_set_bio(&ssl_pm->ssl, &ssl_pm->fd, mbedtls_net_send, mbedtls_net_recv, NULL);
@@ -152,9 +129,8 @@ int ssl_pm_new(SSL *ssl)
 return 0;
-failed5:
- mbedtls_ssl_config_free(&ssl_pm->conf);
 failed4:
+ mbedtls_ssl_config_free(&ssl_pm->conf);
 mbedtls_ctr_drbg_free(&ssl_pm->ctr_drbg);
 failed3:
 mbedtls_entropy_free(&ssl_pm->entropy);
@@ -177,11 +153,49 @@ void ssl_pm_free(SSL *ssl)
 ssl->ssl_pm = NULL;
 }
+static int ssl_pm_reload_crt(SSL *ssl)
+{
+ int ret;
+ int mode;
+ struct ssl_pm *ssl_pm = ssl->ssl_pm;
+ struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
+
+ struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
+ struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
+
+ if (ssl->verify_mode == SSL_VERIFY_PEER)
+ mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+ else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+ mode = MBEDTLS_SSL_VERIFY_NONE;
+ else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
+ mode = MBEDTLS_SSL_VERIFY_UNSET;
+ else
+ mode = MBEDTLS_SSL_VERIFY_NONE;
+
+ mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
+
+ if (ca_pm->load) {
+ mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &ca_pm->x509_crt, NULL);
+ }
+
+ if (pkey_pm->load) {
+ ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &crt_pm->x509_crt, &pkey_pm->pkey);
+ if (ret)
+ return -1;
+ }
+
+ return 0;
+}
+
 int ssl_pm_handshake(SSL *ssl)
 {
 int ret, mbed_ret;
 struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm;
+ mbed_ret = ssl_pm_reload_crt(ssl);
+ if (mbed_ret)
+ return 0;
+
 ssl_speed_up_enter();
 while((mbed_ret = mbedtls_ssl_handshake(&ssl_pm->ssl)) != 0) {
 if (mbed_ret != MBEDTLS_ERR_SSL_WANT_READ && mbed_ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
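Review bot: The `if`/`else if` chain in ssl_pm_reload_crt compares `verify_mode` with `==` although the SSL_VERIFY_* values are bit flags, so the standard server idiom `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` (0x03) matches no branch and falls through to `MBEDTLS_SSL_VERIFY_NONE`, silently disabling peer verification for exactly the callers who asked for the strictest mode. `SSL_VERIFY_CLIENT_ONCE` alone is mapped to `MBEDTLS_SSL_VERIFY_UNSET`, which as far as I know is not one of the values mbedtls_ssl_conf_authmode accepts (NONE/OPTIONAL/REQUIRED). Test the bit instead and treat the other flags as refinements of SSL_VERIFY_PEER, e.g. `mode = (ssl->verify_mode & SSL_VERIFY_PEER) ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE;`, with a comment noting that FAIL_IF_NO_PEER_CERT/CLIENT_ONCE are not yet distinguished. Separately, these mbedtls_ssl_conf_* calls now run in ssl_pm_handshake after mbedtls_ssl_setup was already handed the conf in ssl_pm_new, which mbedTLS documents as unsupported, and mbedtls_ssl_conf_own_cert appends a key/cert entry per call, so a handshake that is entered twice would accumulate entries — a one-shot guard or a comment explaining why this is safe would help. The rest of ssl_pm_handshake continues outside the hunk.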
@@ -475,33 +489,3 @@ long ssl_pm_get_verify_result(const SSL *ssl)
 return verify_result;
 }
-
-int ssl_pm_reload_crt(SSL *ssl)
-{
- int ret;
- int mode;
- struct ssl_pm *ssl_pm = ssl->ssl_pm;
- struct x509_pm *x509_pm;
- struct pkey_pm *pkey_pm;
- x509_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
- if (x509_pm->load) {
- mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, &x509_pm->x509_crt, NULL);
-
- mode = MBEDTLS_SSL_VERIFY_REQUIRED;
- } else {
- mode = MBEDTLS_SSL_VERIFY_NONE;
- }
- mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
-
- pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
- if (pkey_pm->load) {
- x509_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
-
- ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, &x509_pm->x509_crt, &pkey_pm->pkey);
- if (ret)
- return -1;
- }
-
- return 0;
-}