1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-09 00:00:04 +01:00

mbedtls: fix validation

mbedtls validation was broken by an earlier patch on main... fix it and add
a CI test also using the wrong CA cert so this can be caught straight away
from now on.
This commit is contained in:
Andy Green 2021-10-02 13:50:35 +01:00
parent 2c2b3b62c2
commit 733f0c10f0
6 changed files with 64 additions and 21 deletions

View file

@ -74,6 +74,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
char hostname[128], *p;
const char *alpn_comma = wsi->a.context->tls.alpn_default;
struct alpn_ctx protos;
int fl = SSL_VERIFY_PEER;
if (wsi->stash)
lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
@ -117,7 +118,9 @@ lws_ssl_client_bio_create(struct lws *wsi)
/* Enable automatic hostname checks */
// X509_VERIFY_PARAM_set_hostflags(param,
// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
lwsl_info("%s: setting hostname %s\n", __func__, hostname);
if (X509_VERIFY_PARAM_set1_host(param, hostname, 0) != 1)
return -1;
}
if (wsi->a.vhost->tls.alpn)
@ -143,6 +146,14 @@ lws_ssl_client_bio_create(struct lws *wsi)
/* with mbedtls, protos is not pointed to after exit from this call */
SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
if (wsi->flags & LCCSCF_ALLOW_SELFSIGNED) {
lwsl_notice("%s: allowing selfsigned\n", __func__);
fl = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
}
if (wsi->flags & LCCSCF_ALLOW_INSECURE)
fl = SSL_VERIFY_NONE;
/*
* use server name indication (SNI), if supported,
* when establishing connection
@ -150,6 +161,8 @@ lws_ssl_client_bio_create(struct lws *wsi)
#if defined(LWS_WITH_TLS_JIT_TRUST)
SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
lws_mbedtls_client_verify_callback);
#else
SSL_set_verify(wsi->tls.ssl, fl, NULL);
#endif
SSL_set_fd(wsi->tls.ssl, (int)wsi->desc.sockfd);
@ -406,7 +419,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
vh->tls.x509_client_CA = d2i_X509(NULL, buf, (long)len);
free(buf);
lwsl_info("Loading client CA for verification %s\n", ca_filepath);
lwsl_info("Loading vh %s client CA for verification %s\n", vh->name, ca_filepath);
#endif
} else {
vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, (long)ca_mem_len);

View file

@ -242,18 +242,18 @@ void ssl_pm_free(SSL *ssl)
*/
static int ssl_pm_reload_crt(SSL *ssl)
{
int ret;
int mode;
struct ssl_pm *ssl_pm = ssl->ssl_pm;
struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
struct ssl_pm *ssl_pm = ssl->ssl_pm;
int ret = 0;
int mode;
struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
if (ssl->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
mode = MBEDTLS_SSL_VERIFY_UNSET;
else
@ -261,19 +261,15 @@ static int ssl_pm_reload_crt(SSL *ssl)
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
if (ca_pm->x509_crt) {
if (ca_pm->x509_crt)
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
} else if (ca_pm->ex_crt) {
else if (ca_pm->ex_crt)
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
}
if (crt_pm->x509_crt && pkey_pm->pkey) {
if (crt_pm->x509_crt && pkey_pm->pkey)
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
} else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
else if (crt_pm->ex_crt && pkey_pm->ex_pkey)
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
} else {
ret = 0;
}
if (ret) {
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
@ -967,7 +963,7 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
if (ctx->verify_mode == SSL_VERIFY_PEER)
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)

View file

@ -14,6 +14,7 @@ set(has_plugins 1)
set(has_ss_policy_parse 1)
set(has_no_system_vhost 1)
set(has_async_dns 1)
set(has_mbedtls 1)
set(requirements 1)
@ -34,6 +35,7 @@ require_lws_config(LWS_WITH_SYS_NTPCLIENT 0 has_no_system_vhost)
require_lws_config(LWS_WITH_SYS_DHCP_CLIENT 0 has_no_system_vhost)
require_lws_config(LWS_WITH_SYS_ASYNC_DNS 1 has_async_dns)
require_lws_config(LWS_WITH_MBEDTLS 1 has_mbedtls)
if (requirements)
add_executable(${SAMP} ${SRCS})
@ -124,7 +126,7 @@ if (requirements)
if (has_async_dns)
list(APPEND mytests http-client-fi-connfail)
add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi=user/connfail")
add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
else()
list(APPEND mytests http-client-fi-connfail)
add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
@ -132,10 +134,16 @@ if (requirements)
list(APPEND mytests http-client-fi-user-est-fail)
add_test(NAME http-client-fi-user-est-fail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi/user_reject_at_est")
endif()
if (has_mbedtls)
list(APPEND mytests http-client-mbedtls-wrong-ca)
add_test(NAME http-client-mbedtls-wrong-ca COMMAND lws-minimal-http-client -w --expected-exit 3)
message("... adding mbedtls wrong CA test")
else()
message("... skipping mbedtls wrong CA test")
endif()
set_tests_properties(${mytests} PROPERTIES
WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/http-client/minimal-http-client
TIMEOUT 20)

View file

@ -22,6 +22,7 @@ Commandline option|Meaning
-m|Apply tls option LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK
-e|Apply tls option LCCSCF_ALLOW_EXPIRED
-b|Apply tls option LCCSCF_CACHE_COOKIES
-w|For mbedtls/wolfssl, load wrong CA cert (expected to fail)
-c <cookie jar file>|Set filepath used for cookie jar
-v|Connection validity use 3s / 10s instead of default 5m / 5m10s
--nossl| disable ssl connection

View file

@ -1,7 +1,7 @@
/*
* lws-minimal-http-client
*
* Written in 2010-2019 by Andy Green <andy@warmcat.com>
* Written in 2010-2021 by Andy Green <andy@warmcat.com>
*
* This file is made available under the Creative Commons CC0 1.0
* Universal Public Domain Dedication.
@ -385,7 +385,11 @@ int main(int argc, const char **argv)
* OpenSSL uses the system trust store. mbedTLS has to be told which
* CA to trust explicitly.
*/
info.client_ssl_ca_filepath = "./warmcat.com.cer";
if (lws_cmdline_option(argc, argv, "-w"))
/* option to confirm we are validating against the right cert */
info.client_ssl_ca_filepath = "./wrong.cer";
else
info.client_ssl_ca_filepath = "./warmcat.com.cer";
#endif
#if 0
n = open("./warmcat.com.cer", O_RDONLY);

View file

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
rqXRfboQnoZsG4q5WTP468SQvvG5
-----END CERTIFICATE-----