TLS client: Add certificate chain validation failure callbacks
This adds more support for event_cb() calls for various server certificate chain validation failures. Signed-off-by: Jouni Malinen <j@w1.fi>
This commit is contained in:
parent
2286578fe0
commit
c5864dca5d
1 changed files with 38 additions and 0 deletions
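--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -264,6 +264,32 @@ static void tls_peer_cert_event(struct tlsv1_client *conn, int depth,
 }
 
 
+static void tls_cert_chain_failure_event(struct tlsv1_client *conn, int depth,
+struct x509_certificate *cert,
+enum tls_fail_reason reason,
+const char *reason_txt)
+{
+struct wpabuf *cert_buf = NULL;
+union tls_event_data ev;
+char subject[128];
+
+if (!conn->event_cb)
+return;
+
+os_memset(&ev, 0, sizeof(ev));
+ev.cert_fail.depth = depth;
+x509_name_string(&cert->subject, subject, sizeof(subject));
+ev.peer_cert.subject = subject;
+ev.cert_fail.reason = reason;
+ev.cert_fail.reason_txt = reason_txt;
+cert_buf = wpabuf_alloc_copy(cert->cert_start,
+cert->cert_len);
+ev.cert_fail.cert = cert_buf;
+conn->event_cb(conn->cb_ctx, TLS_CERT_CHAIN_FAILURE, &ev);
+wpabuf_free(cert_buf);
+}
+
+
 static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 const u8 *in_data, size_t *in_len)
 {
@@ -485,21 +511,33 @@ static int tls_process_certificate(struct tlsv1_client *conn, u8 ct,
 switch (reason) {
 case X509_VALIDATE_BAD_CERTIFICATE:
 tls_reason = TLS_ALERT_BAD_CERTIFICATE;
+tls_cert_chain_failure_event(
+conn, 0, chain, TLS_FAIL_BAD_CERTIFICATE,
+"bad certificate");
 break;
 case X509_VALIDATE_UNSUPPORTED_CERTIFICATE:
 tls_reason = TLS_ALERT_UNSUPPORTED_CERTIFICATE;
 break;
 case X509_VALIDATE_CERTIFICATE_REVOKED:
 tls_reason = TLS_ALERT_CERTIFICATE_REVOKED;
+tls_cert_chain_failure_event(
+conn, 0, chain, TLS_FAIL_REVOKED,
+"certificate revoked");
 break;
 case X509_VALIDATE_CERTIFICATE_EXPIRED:
 tls_reason = TLS_ALERT_CERTIFICATE_EXPIRED;
+tls_cert_chain_failure_event(
+conn, 0, chain, TLS_FAIL_EXPIRED,
+"certificate has expired or is not yet valid");
 break;
 case X509_VALIDATE_CERTIFICATE_UNKNOWN:
 tls_reason = TLS_ALERT_CERTIFICATE_UNKNOWN;
 break;
 case X509_VALIDATE_UNKNOWN_CA:
 tls_reason = TLS_ALERT_UNKNOWN_CA;
+tls_cert_chain_failure_event(
+conn, 0, chain, TLS_FAIL_UNTRUSTED,
+"unknown CA");
 break;
 default:
 tls_reason = TLS_ALERT_BAD_CERTIFICATE;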
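Review bot: In the new tls_cert_chain_failure_event() the subject string is stored through `ev.peer_cert.subject` while every other field is set on `ev.cert_fail`; because `ev` is declared as `union tls_event_data`, that store lands on whatever `cert_fail` member happens to share the offset, and the `cert_fail` subject field (if that struct has one, which is not visible here) stays zeroed from the preceding os_memset(), so the intended line is presumably `ev.cert_fail.subject = subject;`. The `wpabuf_alloc_copy()` result is also handed to the callback unchecked, so on allocation failure event_cb receives a NULL `cert_fail.cert`; that is acceptable only if every callback implementation tolerates it, and the function's comment should say so, together with the fact that `cert` must be non-NULL since `cert->subject` is dereferenced before any check. In the second hunk all four calls pass depth 0 and `chain`, even for TLS_FAIL_UNTRUSTED and TLS_FAIL_EXPIRED, which the chain validator may have raised for a CA certificate further up the chain rather than the leaf, so the subject and DER blob reported to the application can describe the wrong certificate; if the validator does not report the failing depth, a comment such as `/* depth/cert refer to the end-entity certificate, not necessarily the failing one */` would at least keep consumers from misattributing the failure. The X509_VALIDATE_UNSUPPORTED_CERTIFICATE and X509_VALIDATE_CERTIFICATE_UNKNOWN cases raise no event at all, which is worth either completing or noting in the commit message, since an application relying on TLS_CERT_CHAIN_FAILURE for visibility into rejected chains will otherwise miss those rejections.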