mirror of
https://github.com/warmcat/libwebsockets.git
synced 2025-03-09 00:00:04 +01:00
mbedtls: fix validation
mbedtls validation was broken by an earlier patch on main... fix it and add a CI test also using the wrong CA cert so this can be caught straight away from now on.
This commit is contained in:
Andy Green
parent
2c2b3b62c2
commit
733f0c10f0
6 changed files with 64 additions and 21 deletions
|
|
@ -74,6 +74,7 @@ lws_ssl_client_bio_create(struct lws *wsi)
|
|||
char hostname[128], *p;
|
||||
const char *alpn_comma = wsi->a.context->tls.alpn_default;
|
||||
struct alpn_ctx protos;
|
||||
int fl = SSL_VERIFY_PEER;
|
||||
|
||||
if (wsi->stash)
|
||||
lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
|
||||
|
|
@ -117,7 +118,9 @@ lws_ssl_client_bio_create(struct lws *wsi)
|
|||
/* Enable automatic hostname checks */
|
||||
// X509_VERIFY_PARAM_set_hostflags(param,
|
||||
// X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
|
||||
X509_VERIFY_PARAM_set1_host(param, hostname, 0);
|
||||
lwsl_info("%s: setting hostname %s\n", __func__, hostname);
|
||||
if (X509_VERIFY_PARAM_set1_host(param, hostname, 0) != 1)
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (wsi->a.vhost->tls.alpn)
|
||||
|
|
@ -143,6 +146,14 @@ lws_ssl_client_bio_create(struct lws *wsi)
|
|||
/* with mbedtls, protos is not pointed to after exit from this call */
|
||||
SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
|
||||
|
||||
if (wsi->flags & LCCSCF_ALLOW_SELFSIGNED) {
|
||||
lwsl_notice("%s: allowing selfsigned\n", __func__);
|
||||
fl = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
|
||||
}
|
||||
|
||||
if (wsi->flags & LCCSCF_ALLOW_INSECURE)
|
||||
fl = SSL_VERIFY_NONE;
|
||||
|
||||
/*
|
||||
* use server name indication (SNI), if supported,
|
||||
* when establishing connection
|
||||
|
|
@ -150,6 +161,8 @@ lws_ssl_client_bio_create(struct lws *wsi)
|
|||
#if defined(LWS_WITH_TLS_JIT_TRUST)
|
||||
SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
|
||||
lws_mbedtls_client_verify_callback);
|
||||
#else
|
||||
SSL_set_verify(wsi->tls.ssl, fl, NULL);
|
||||
#endif
|
||||
|
||||
SSL_set_fd(wsi->tls.ssl, (int)wsi->desc.sockfd);
|
||||
|
|
@ -406,7 +419,7 @@ lws_tls_client_create_vhost_context(struct lws_vhost *vh,
|
|||
vh->tls.x509_client_CA = d2i_X509(NULL, buf, (long)len);
|
||||
free(buf);
|
||||
|
||||
lwsl_info("Loading client CA for verification %s\n", ca_filepath);
|
||||
lwsl_info("Loading vh %s client CA for verification %s\n", vh->name, ca_filepath);
|
||||
#endif
|
||||
} else {
|
||||
vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, (long)ca_mem_len);
|
||||
|
|
|
|||
|
|
@ -242,18 +242,18 @@ void ssl_pm_free(SSL *ssl)
|
|||
*/
|
||||
static int ssl_pm_reload_crt(SSL *ssl)
|
||||
{
|
||||
int ret;
|
||||
int mode;
|
||||
struct ssl_pm *ssl_pm = ssl->ssl_pm;
|
||||
struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
|
||||
struct ssl_pm *ssl_pm = ssl->ssl_pm;
|
||||
int ret = 0;
|
||||
int mode;
|
||||
|
||||
struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
|
||||
struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
|
||||
|
||||
if (ssl->verify_mode == SSL_VERIFY_PEER)
|
||||
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
|
||||
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
||||
else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
|
||||
else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
|
||||
mode = MBEDTLS_SSL_VERIFY_UNSET;
|
||||
else
|
||||
|
|
@ -261,19 +261,15 @@ static int ssl_pm_reload_crt(SSL *ssl)
|
|||
|
||||
mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
|
||||
|
||||
if (ca_pm->x509_crt) {
|
||||
if (ca_pm->x509_crt)
|
||||
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
|
||||
} else if (ca_pm->ex_crt) {
|
||||
else if (ca_pm->ex_crt)
|
||||
mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
|
||||
}
|
||||
|
||||
if (crt_pm->x509_crt && pkey_pm->pkey) {
|
||||
if (crt_pm->x509_crt && pkey_pm->pkey)
|
||||
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
|
||||
} else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
|
||||
else if (crt_pm->ex_crt && pkey_pm->ex_pkey)
|
||||
ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
|
||||
} else {
|
||||
ret = 0;
|
||||
}
|
||||
|
||||
if (ret) {
|
||||
SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
|
||||
|
|
@ -967,7 +963,7 @@ void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx)
|
|||
#if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
|
||||
|
||||
if (ctx->verify_mode == SSL_VERIFY_PEER)
|
||||
mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
|
||||
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
||||
else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
|
||||
mode = MBEDTLS_SSL_VERIFY_REQUIRED;
|
||||
else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
|
||||
|
|
|
|||
|
|
@ -14,6 +14,7 @@ set(has_plugins 1)
|
|||
set(has_ss_policy_parse 1)
|
||||
set(has_no_system_vhost 1)
|
||||
set(has_async_dns 1)
|
||||
set(has_mbedtls 1)
|
||||
|
||||
set(requirements 1)
|
||||
|
||||
|
|
@ -34,6 +35,7 @@ require_lws_config(LWS_WITH_SYS_NTPCLIENT 0 has_no_system_vhost)
|
|||
require_lws_config(LWS_WITH_SYS_DHCP_CLIENT 0 has_no_system_vhost)
|
||||
|
||||
require_lws_config(LWS_WITH_SYS_ASYNC_DNS 1 has_async_dns)
|
||||
require_lws_config(LWS_WITH_MBEDTLS 1 has_mbedtls)
|
||||
|
||||
if (requirements)
|
||||
add_executable(${SAMP} ${SRCS})
|
||||
|
|
@ -124,7 +126,7 @@ if (requirements)
|
|||
|
||||
if (has_async_dns)
|
||||
list(APPEND mytests http-client-fi-connfail)
|
||||
add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi=user/connfail")
|
||||
add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
|
||||
else()
|
||||
list(APPEND mytests http-client-fi-connfail)
|
||||
add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
|
||||
|
|
@ -132,10 +134,16 @@ if (requirements)
|
|||
|
||||
list(APPEND mytests http-client-fi-user-est-fail)
|
||||
add_test(NAME http-client-fi-user-est-fail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi/user_reject_at_est")
|
||||
|
||||
|
||||
endif()
|
||||
|
||||
if (has_mbedtls)
|
||||
list(APPEND mytests http-client-mbedtls-wrong-ca)
|
||||
add_test(NAME http-client-mbedtls-wrong-ca COMMAND lws-minimal-http-client -w --expected-exit 3)
|
||||
message("... adding mbedtls wrong CA test")
|
||||
else()
|
||||
message("... skipping mbedtls wrong CA test")
|
||||
endif()
|
||||
|
||||
set_tests_properties(${mytests} PROPERTIES
|
||||
WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/http-client/minimal-http-client
|
||||
TIMEOUT 20)
|
||||
|
|
|
|||
|
|
@ -22,6 +22,7 @@ Commandline option|Meaning
|
|||
-m|Apply tls option LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK
|
||||
-e|Apply tls option LCCSCF_ALLOW_EXPIRED
|
||||
-b|Apply tls option LCCSCF_CACHE_COOKIES
|
||||
-w|For mbedtls/wolfssl, load wrong CA cert (expected to fail)
|
||||
-c <cookie jar file>|Set filepath used for cookie jar
|
||||
-v|Connection validity use 3s / 10s instead of default 5m / 5m10s
|
||||
--nossl| disable ssl connection
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
/*
|
||||
* lws-minimal-http-client
|
||||
*
|
||||
* Written in 2010-2019 by Andy Green <andy@warmcat.com>
|
||||
* Written in 2010-2021 by Andy Green <andy@warmcat.com>
|
||||
*
|
||||
* This file is made available under the Creative Commons CC0 1.0
|
||||
* Universal Public Domain Dedication.
|
||||
|
|
@ -385,7 +385,11 @@ int main(int argc, const char **argv)
|
|||
* OpenSSL uses the system trust store. mbedTLS has to be told which
|
||||
* CA to trust explicitly.
|
||||
*/
|
||||
info.client_ssl_ca_filepath = "./warmcat.com.cer";
|
||||
if (lws_cmdline_option(argc, argv, "-w"))
|
||||
/* option to confirm we are validating against the right cert */
|
||||
info.client_ssl_ca_filepath = "./wrong.cer";
|
||||
else
|
||||
info.client_ssl_ca_filepath = "./warmcat.com.cer";
|
||||
#endif
|
||||
#if 0
|
||||
n = open("./warmcat.com.cer", O_RDONLY);
|
||||
|
|
|
|||
21
minimal-examples/http-client/minimal-http-client/wrong.cer
Normal file
21
minimal-examples/http-client/minimal-http-client/wrong.cer
Normal file
|
|
@ -0,0 +1,21 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIDQTCCAimgAwIBAgITBmyfz5m/jAo54vB4ikPmljZbyjANBgkqhkiG9w0BAQsF
|
||||
ADA5MQswCQYDVQQGEwJVUzEPMA0GA1UEChMGQW1hem9uMRkwFwYDVQQDExBBbWF6
|
||||
b24gUm9vdCBDQSAxMB4XDTE1MDUyNjAwMDAwMFoXDTM4MDExNzAwMDAwMFowOTEL
|
||||
MAkGA1UEBhMCVVMxDzANBgNVBAoTBkFtYXpvbjEZMBcGA1UEAxMQQW1hem9uIFJv
|
||||
b3QgQ0EgMTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALJ4gHHKeNXj
|
||||
ca9HgFB0fW7Y14h29Jlo91ghYPl0hAEvrAIthtOgQ3pOsqTQNroBvo3bSMgHFzZM
|
||||
9O6II8c+6zf1tRn4SWiw3te5djgdYZ6k/oI2peVKVuRF4fn9tBb6dNqcmzU5L/qw
|
||||
IFAGbHrQgLKm+a/sRxmPUDgH3KKHOVj4utWp+UhnMJbulHheb4mjUcAwhmahRWa6
|
||||
VOujw5H5SNz/0egwLX0tdHA114gk957EWW67c4cX8jJGKLhD+rcdqsq08p8kDi1L
|
||||
93FcXmn/6pUCyziKrlA4b9v7LWIbxcceVOF34GfID5yHI9Y/QCB/IIDEgEw+OyQm
|
||||
jgSubJrIqg0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNVHQ8BAf8EBAMC
|
||||
AYYwHQYDVR0OBBYEFIQYzIU07LwMlJQuCFmcx7IQTgoIMA0GCSqGSIb3DQEBCwUA
|
||||
A4IBAQCY8jdaQZChGsV2USggNiMOruYou6r4lK5IpDB/G/wkjUu0yKGX9rbxenDI
|
||||
U5PMCCjjmCXPI6T53iHTfIUJrU6adTrCC2qJeHZERxhlbI1Bjjt/msv0tadQ1wUs
|
||||
N+gDS63pYaACbvXy8MWy7Vu33PqUXHeeE6V/Uq2V8viTO96LXFvKWlJbYK8U90vv
|
||||
o/ufQJVtMVT8QtPHRh8jrdkPSHCa2XV4cdFyQzR1bldZwgJcJmApzyMZFo6IQ6XU
|
||||
5MsI+yMRQ+hDKXJioaldXgjUkK642M4UwtBV8ob2xJNDd2ZhwLnoQdeXeGADbkpy
|
||||
rqXRfboQnoZsG4q5WTP468SQvvG5
|
||||
-----END CERTIFICATE-----
|
||||
|
||||
Loading…
Add table
Reference in a new issue