refactor: ossl verify cb logic #4423
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The default X509_STORE_CTX only allows for a single verify callback, but s2n-tls sometimes requires multiple pieces of functionality for that callback. Previously we did this by chaining function together, but this will become more difficult as we add more verify functions that we wish to call. This commit adds a generic config and callback that allows for verify callbacks to be more easily configured.
goatgoose
reviewed
Feb 16, 2024
- make verify cb enablement unconditional - zero struct upon init - guard ossl value
- remove config, use duplicated checks instead
goatgoose
reviewed
Feb 19, 2024
lrstewart
reviewed
Feb 19, 2024
tls/s2n_x509_validator.c
Outdated
Comment on lines
590
to
591
| return OSSL_VERIFY_CALLBACK_ERROR; | ||
| } |
There was a problem hiding this comment.
Do we have to set an error code of some kind on failure? Or do we just set the return value?
There was a problem hiding this comment.
We just set the return value.
- rename ossl callback methods - switch comment ordering and add justification for callback usage
- add null check - rename functions
goatgoose
approved these changes
Feb 20, 2024
Comment on lines
+606
to
+607
| const struct s2n_connection *conn = (struct s2n_connection *) X509_STORE_CTX_get_app_data(ctx); | ||
| if (conn == NULL || ctx == NULL) { |
There was a problem hiding this comment.
It might be good to check ctx before giving it to the libcrypto in X509_STORE_CTX_get_app_data().
|
My feature ended up not needing this, and this increases the number of verify cb features we'd be depending on, which is something to avoid if we don't need it. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of changes:
This commit adds a new
s2n_ossl_verify_cb_configstruct on thes2n_x509_validator, which is used to control which verify callbacks are invoked.This is being done in preparation for the cert key restrictions, which will add yet another verify callback to enforce cert key restrictions.
Call-outs:
Alternate implementation.
Rather than adding a new config, we could instead pass the entire
s2n_connection *as the application data, and then use the original checks froms2n_x509_validator_verify_cert_chainto toggle the callbacks,E.g. instead of
We could do
But duplicating all of the conditional checks felt odd, so I went with the config route.
Testing:
This refactor should not change any behavior, which is confirmed by existing unit tests passing.
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.