mbedtls: fix validation

mbedtls certificate validation was broken by an earlier patch on main: SSL_VERIFY_PEER was being mapped to MBEDTLS_SSL_VERIFY_OPTIONAL, so a server certificate that failed verification no longer failed the handshake. Fix the mapping, and add a CI test that deliberately loads the wrong CA cert so that a regression of this kind is caught immediately from now on.
diff --git a/lib/tls/mbedtls/mbedtls-client.c b/lib/tls/mbedtls/mbedtls-client.c
index 9897b55..7f9651f 100644
--- a/lib/tls/mbedtls/mbedtls-client.c
+++ b/lib/tls/mbedtls/mbedtls-client.c
@@ -74,6 +74,7 @@
 	char hostname[128], *p;
 	const char *alpn_comma = wsi->a.context->tls.alpn_default;
 	struct alpn_ctx protos;
+	int fl = SSL_VERIFY_PEER;
 
 	if (wsi->stash)
 		lws_strncpy(hostname, wsi->stash->cis[CIS_HOST], sizeof(hostname));
@@ -117,7 +118,9 @@
 		/* Enable automatic hostname checks */
 	//	X509_VERIFY_PARAM_set_hostflags(param,
 	//				X509_CHECK_FLAG_NO_PARTIAL_WILDCARDS);
-		X509_VERIFY_PARAM_set1_host(param, hostname, 0);
+		lwsl_info("%s: setting hostname %s\n", __func__, hostname);
+		if (X509_VERIFY_PARAM_set1_host(param, hostname, 0) != 1)
+			return -1;
 	}
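Review bot: The new early `return -1` when X509_VERIFY_PARAM_set1_host() fails is silent, while the success path just above it logs at info level; a failure to pin the expected hostname is exactly the case an operator needs to see. I would add `lwsl_err("%s: failed to set verify hostname %s\n", __func__, hostname);` before the return so the refusal is diagnosable from the log. The `if` block this sits in opens before the hunk, and the enclosing function continues past it, so I cannot tell from here whether the caller frees wsi->tls.ssl on the -1 path; worth confirming.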
 
 	if (wsi->a.vhost->tls.alpn)
@@ -143,6 +146,14 @@
 	/* with mbedtls, protos is not pointed to after exit from this call */
 	SSL_set_alpn_select_cb(wsi->tls.ssl, &protos);
 
+	if (wsi->flags & LCCSCF_ALLOW_SELFSIGNED) {
+		lwsl_notice("%s: allowing selfsigned\n", __func__);
+		fl = SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+	}
+
+	if (wsi->flags & LCCSCF_ALLOW_INSECURE)
+		fl = SSL_VERIFY_NONE;
+
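Review bot: Mapping LCCSCF_ALLOW_SELFSIGNED onto SSL_VERIFY_FAIL_IF_NO_PEER_CERT is surprising, because in this wrapper that value becomes MBEDTLS_SSL_VERIFY_OPTIONAL (see ssl_pm_reload_crt in this same patch), and OPTIONAL means the handshake completes even when the chain fails for any reason, not only self-signing — expired certificates and name mismatches are also let through at handshake level. That is acceptable only if the connection path later inspects mbedtls_ssl_get_verify_result() and rejects everything except the self-signed flag; I cannot see that from this hunk. I would document the contract at the assignment: `/* OPTIONAL: handshake proceeds on any verify failure; the verify result must be checked after the handshake and only self-signed tolerated */`. The LCCSCF_ALLOW_INSECURE override correctly wins over the self-signed case; the enclosing function continues outside the hunk.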
 	/*
 	 * use server name indication (SNI), if supported,
 	 * when establishing connection
@@ -150,6 +161,8 @@
 #if defined(LWS_WITH_TLS_JIT_TRUST)
 	SSL_set_verify(wsi->tls.ssl, SSL_VERIFY_PEER,
 			lws_mbedtls_client_verify_callback);
+#else
+	SSL_set_verify(wsi->tls.ssl, fl, NULL);
 #endif
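Review bot: In the LWS_WITH_TLS_JIT_TRUST build the new `fl` value is computed but never used, since that branch still hard-codes SSL_VERIFY_PEER, so the LCCSCF_ALLOW_SELFSIGNED and LCCSCF_ALLOW_INSECURE flags are silently ignored there and the compiler will warn about a set-but-unused variable. Either pass the computed mode in both branches, `SSL_set_verify(wsi->tls.ssl, fl, lws_mbedtls_client_verify_callback);`, if the callback tolerates it, or add `(void)fl;` plus a comment explaining why JIT trust deliberately ignores the per-connection flags. Which is right depends on lws_mbedtls_client_verify_callback, which is not visible here.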
 
 	SSL_set_fd(wsi->tls.ssl, (int)wsi->desc.sockfd);
@@ -406,7 +419,7 @@
 		vh->tls.x509_client_CA = d2i_X509(NULL, buf, (long)len);
 		free(buf);
 
-		lwsl_info("Loading client CA for verification %s\n", ca_filepath);
+		lwsl_info("Loading vh %s client CA for verification %s\n", vh->name, ca_filepath);
 #endif
 	} else {
 		vh->tls.x509_client_CA = d2i_X509(NULL, (uint8_t*)ca_mem, (long)ca_mem_len);
diff --git a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
index 669ef4e..f67da54 100755
--- a/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
+++ b/lib/tls/mbedtls/wrapper/platform/ssl_pm.c
@@ -242,18 +242,18 @@
  */
 static int ssl_pm_reload_crt(SSL *ssl)
 {
-    int ret;
-    int mode;
-    struct ssl_pm *ssl_pm = ssl->ssl_pm;
     struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm;
+    struct ssl_pm *ssl_pm = ssl->ssl_pm;
+    int ret = 0;
+    int mode;
 
     struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm;
     struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm;
 
     if (ssl->verify_mode == SSL_VERIFY_PEER)
-        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
-    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
         mode = MBEDTLS_SSL_VERIFY_REQUIRED;
+    else if (ssl->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
+        mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
     else if (ssl->verify_mode == SSL_VERIFY_CLIENT_ONCE)
         mode = MBEDTLS_SSL_VERIFY_UNSET;
     else
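Review bot: The corrected mapping is right for SSL_VERIFY_PEER, but the table now inverts OpenSSL's meaning of SSL_VERIFY_FAIL_IF_NO_PEER_CERT (stricter than PEER in OpenSSL, weaker here) and compares verify_mode with `==` although OpenSSL treats these values as OR-able bit flags, so a caller that passes `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT` would fall through to the final `else`. Since this is a private wrapper that is fine, but it should be stated so the next person does not "fix" it back: `/* NB: not OpenSSL semantics. lws uses FAIL_IF_NO_PEER_CERT to mean "optional" (allow-selfsigned); values are compared exactly, not as a bitmask */`. The final `else` assignment and the rest of ssl_pm_reload_crt are outside this hunk.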
@@ -261,19 +261,15 @@
 
     mbedtls_ssl_conf_authmode(&ssl_pm->conf, mode);
 
-    if (ca_pm->x509_crt) {
+    if (ca_pm->x509_crt)
         mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->x509_crt, NULL);
-    } else if (ca_pm->ex_crt) {
+    else if (ca_pm->ex_crt)
         mbedtls_ssl_conf_ca_chain(&ssl_pm->conf, ca_pm->ex_crt, NULL);
-    }
 
-    if (crt_pm->x509_crt && pkey_pm->pkey) {
+    if (crt_pm->x509_crt && pkey_pm->pkey)
         ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->x509_crt, pkey_pm->pkey);
-    } else if (crt_pm->ex_crt && pkey_pm->ex_pkey) {
+    else if (crt_pm->ex_crt && pkey_pm->ex_pkey)
         ret = mbedtls_ssl_conf_own_cert(&ssl_pm->conf, crt_pm->ex_crt, pkey_pm->ex_pkey);
-    } else {
-        ret = 0;
-    }
 
     if (ret) {
         SSL_DEBUG(SSL_PLATFORM_ERROR_LEVEL, "mbedtls_ssl_conf_own_cert() return -0x%x", -ret);
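Review bot: Dropping the braces around the single-statement `if`/`else if` bodies for the CA-chain and own-cert configuration is a step away from the always-brace convention that guards against the classic misplaced-statement bug in exactly this kind of TLS setup code, and it is unrelated to the fix the commit describes. I would keep the braces, i.e. restore `if (ca_pm->x509_crt) { ... } else if (ca_pm->ex_crt) { ... }`, or leave this stretch untouched in a fix commit. Moving `ret = 0` into the initializer is fine. ssl_pm_reload_crt continues outside the hunk.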
@@ -967,7 +963,7 @@
 #if defined(LWS_HAVE_mbedtls_ssl_set_hs_authmode)
 
 	if (ctx->verify_mode == SSL_VERIFY_PEER)
-		mode = MBEDTLS_SSL_VERIFY_OPTIONAL;
+		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 	else if (ctx->verify_mode == SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
 		mode = MBEDTLS_SSL_VERIFY_REQUIRED;
 	else if (ctx->verify_mode == SSL_VERIFY_CLIENT_ONCE)
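Review bot: This second verify-mode table now disagrees with the one in ssl_pm_reload_crt: here SSL_VERIFY_FAIL_IF_NO_PEER_CERT still maps to MBEDTLS_SSL_VERIFY_REQUIRED, while the reload path maps it to MBEDTLS_SSL_VERIFY_OPTIONAL, so the allow-selfsigned mode set by the client code would be enforced differently depending on which path applies it. The two copies should be replaced by one static helper so they cannot drift again. The final `else` of this chain is outside the hunk, so the helper's default below should mirror whatever that branch assigns.
```c
/* single source of truth for the lws verify_mode -> mbedtls authmode map */
static int
ssl_pm_authmode(int verify_mode)
{
	switch (verify_mode) {
	case SSL_VERIFY_PEER:
		return MBEDTLS_SSL_VERIFY_REQUIRED;
	case SSL_VERIFY_FAIL_IF_NO_PEER_CERT:
		/* lws: "allow selfsigned" -- caller must check the verify result */
		return MBEDTLS_SSL_VERIFY_OPTIONAL;
	case SSL_VERIFY_CLIENT_ONCE:
		return MBEDTLS_SSL_VERIFY_UNSET;
	default:
		return MBEDTLS_SSL_VERIFY_NONE; /* confirm against the existing final else */
	}
}

/* ... unchanged: both call sites ... */
	mode = ssl_pm_authmode(ctx->verify_mode);
```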
diff --git a/minimal-examples/http-client/minimal-http-client/CMakeLists.txt b/minimal-examples/http-client/minimal-http-client/CMakeLists.txt
index 5cedc8b..8c42ae9 100644
--- a/minimal-examples/http-client/minimal-http-client/CMakeLists.txt
+++ b/minimal-examples/http-client/minimal-http-client/CMakeLists.txt
@@ -14,6 +14,7 @@
 set(has_ss_policy_parse 1)
 set(has_no_system_vhost 1)
 set(has_async_dns 1)
+set(has_mbedtls 1)
 
 set(requirements 1)
 
@@ -34,6 +35,7 @@
 require_lws_config(LWS_WITH_SYS_DHCP_CLIENT 0 has_no_system_vhost)
 
 require_lws_config(LWS_WITH_SYS_ASYNC_DNS 1 has_async_dns)
+require_lws_config(LWS_WITH_MBEDTLS 1 has_mbedtls)
 
 if (requirements)
 	add_executable(${SAMP} ${SRCS})
@@ -124,7 +126,7 @@
 			
 			if (has_async_dns)
 				list(APPEND mytests http-client-fi-connfail)
-				add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi=user/connfail")
+				add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
 			else()
 				list(APPEND mytests http-client-fi-connfail)
 				add_test(NAME http-client-fi-connfail COMMAND lws-minimal-http-client --expected-exit 2 --fault-injection "wsi=user/connfail")
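Review bot: After changing the async-DNS branch to `--expected-exit 2`, both arms of the `if (has_async_dns)` register an identical test, so the conditional no longer does anything and should be collapsed to the single `list(APPEND ...)` / `add_test(...)` pair. The commit message does not say why the expected exit code for connfail changed from 3 to 2 in the async-DNS case; a one-line comment above the test recording the reason, e.g. `# connfail is reported as exit 2 regardless of async DNS`, would save the next reader a bisect.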
@@ -132,10 +134,16 @@
 			
 			list(APPEND mytests http-client-fi-user-est-fail)
 			add_test(NAME http-client-fi-user-est-fail COMMAND lws-minimal-http-client --expected-exit 3 --fault-injection "wsi/user_reject_at_est")	
-		
 			
 		endif()
-		
+		if (has_mbedtls)
+			list(APPEND mytests http-client-mbedtls-wrong-ca)
+			add_test(NAME http-client-mbedtls-wrong-ca COMMAND lws-minimal-http-client -w --expected-exit 3)
+			message("... adding mbedtls wrong CA test")
+		else()
+			message("... skipping mbedtls wrong CA test")
+		endif()
+	
 		set_tests_properties(${mytests} PROPERTIES
 		     WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}/minimal-examples/http-client/minimal-http-client
 		     TIMEOUT 20)
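Review bot: The new wrong-CA test only checks for exit status 3, which is the same code the `user_reject_at_est` test above expects, so it would also pass if the client failed for some reason other than certificate verification — for example if wrong.cer does not parse and the context ends up with no CA at all, or if the remote host (this appears to reach a live server) is unreachable. To make it prove what the commit message claims, I would have the client log the verify failure distinctly and, if the harness supports it, add `PASS_REGULAR_EXPRESSION` on that message, or at least reserve a dedicated exit code for TLS verification failure. It is also worth asserting in the test that wrong.cer was successfully loaded, so the failure is "wrong trust anchor" rather than "no trust anchor".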
diff --git a/minimal-examples/http-client/minimal-http-client/README.md b/minimal-examples/http-client/minimal-http-client/README.md
index c37549c..09df8ef 100644
--- a/minimal-examples/http-client/minimal-http-client/README.md
+++ b/minimal-examples/http-client/minimal-http-client/README.md
@@ -22,6 +22,7 @@
 -m|Apply tls option LCCSCF_SKIP_SERVER_CERT_HOSTNAME_CHECK
 -e|Apply tls option LCCSCF_ALLOW_EXPIRED
 -b|Apply tls option LCCSCF_CACHE_COOKIES
+-w|For mbedtls/wolfssl, load wrong CA cert (expected to fail)
 -c <cookie jar file>|Set filepath used for cookie jar
 -v|Connection validity use 3s / 10s instead of default 5m / 5m10s
 --nossl| disable ssl connection
diff --git a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
index 246b183..f151356 100644
--- a/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
+++ b/minimal-examples/http-client/minimal-http-client/minimal-http-client.c
@@ -1,7 +1,7 @@
 /*
  * lws-minimal-http-client
  *
- * Written in 2010-2019 by Andy Green <andy@warmcat.com>
+ * Written in 2010-2021 by Andy Green <andy@warmcat.com>
  *
  * This file is made available under the Creative Commons CC0 1.0
  * Universal Public Domain Dedication.
@@ -385,7 +385,11 @@
 	 * OpenSSL uses the system trust store.  mbedTLS has to be told which
 	 * CA to trust explicitly.
 	 */
-	info.client_ssl_ca_filepath = "./warmcat.com.cer";
+	if (lws_cmdline_option(argc, argv, "-w"))
+		/* option to confirm we are validating against the right cert */
+		info.client_ssl_ca_filepath = "./wrong.cer";
+	else
+		info.client_ssl_ca_filepath = "./warmcat.com.cer";
 #endif
 #if 0
 	n = open("./warmcat.com.cer", O_RDONLY);
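Review bot: When `-w` is given, nothing tells the operator that the deliberately wrong CA is in use, and in builds where this `#if` block is compiled out the option is silently a no-op while the README says the run is "expected to fail"; a stray success would be easy to misread as validation working. I would log the choice, `lwsl_user("%s: using deliberately wrong CA %s\n", __func__, info.client_ssl_ca_filepath);`, and consider an `#else` that logs that `-w` has no effect on this TLS backend. The `#if 0` block that follows is dead code and could go in a follow-up; the enclosing function starts and ends outside the hunk.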
diff --git a/minimal-examples/http-client/minimal-http-client/wrong.cer b/minimal-examples/http-client/minimal-http-client/wrong.cer
new file mode 100644
index 0000000..3503566
--- /dev/null
+++ b/minimal-examples/http-client/minimal-http-client/wrong.cer
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+