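--- google_boringssl/ssl/handshake.cc 2021-02-03 18:29:04.000000000 -0800
+++ boringssl/ssl/handshake.cc 2021-02-03 20:24:49.000000000 -0800
@@ -109,6 +109,25 @@
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
 * ECC cipher suite support in OpenSSL originally developed by
 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */
+/* ====================================================================
+ * Copyright 2020 Apple Inc.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the “Software”),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom
+ * the Software is furnished to do so, subject to the following conditions:
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ * THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS
+ * OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
+ * IN THE SOFTWARE.
+ */
 
 #include <openssl/ssl.h>
 
@@ -149,6 +168,7 @@
 cert_compression_negotiated(false),
 apply_jdk11_workaround(false),
 can_release_private_key(false),
+ server_certificate_type_negotiated(false),
 channel_id_negotiated(false) {
 assert(ssl);
 
@@ -333,7 +353,21 @@
 
 uint8_t alert = SSL_AD_CERTIFICATE_UNKNOWN;
 enum ssl_verify_result_t ret;
- if (hs->config->custom_verify_callback != nullptr) {
+ if (hs->server_certificate_type_negotiated &&
+ hs->server_certificate_type == TLSEXT_CERTIFICATETYPE_RAW_PUBLIC_KEY) {
+ ret = ssl_verify_invalid;
+ EVP_PKEY *peer_pubkey = hs->peer_pubkey.get();
+ CBS spki = MakeConstSpan(ssl->config->server_raw_public_key_certificate);
+ EVP_PKEY *pubkey = EVP_parse_public_key(&spki);
+ if (!pubkey) {
+ OPENSSL_PUT_ERROR(SSL, SSL_R_DECODE_ERROR);
+ alert = SSL_AD_INTERNAL_ERROR;
+ } else if (EVP_PKEY_cmp(peer_pubkey, pubkey) == 1 /* Equal */) {
+ ret = ssl_verify_ok;
+ } else {
+ alert = SSL_AD_BAD_CERTIFICATE;
+ }
+ } else if (hs->config->custom_verify_callback != nullptr) {
 ret = hs->config->custom_verify_callback(ssl, &alert);
 switch (ret) {
 case ssl_verify_ok: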
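Review bot: The `EVP_PKEY` returned by `EVP_parse_public_key(&spki)` in the new raw-public-key branch is never released; `pubkey` is a bare pointer that goes out of scope at the `} else if`, so every verification that takes this branch leaks one key object. Holding it in an owning pointer, `bssl::UniquePtr<EVP_PKEY> pubkey(EVP_parse_public_key(&spki));`, and comparing against `pubkey.get()` frees it on all three paths. The parse also accepts a configured SPKI that carries trailing bytes; `if (!pubkey || CBS_len(&spki) != 0)` would reject that and keep the pinned key an exact encoding. The branch reads `ssl->config` where the surrounding lines use `hs->config`, and it appears to hand `peer_pubkey` to `EVP_PKEY_cmp` without a null check; both are worth confirming against the rest of the function, which starts and ends outside this hunk.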