From d1d0af4d59ae6b82b7bb1949bf942d99fe0c180d Mon Sep 17 00:00:00 2001 From: Jerome Forissier Date: Thu, 17 Apr 2025 16:29:59 +0200 Subject: [PATCH] altcp_tls: enforce checking of server certificates based on CA availability Instead of relying on some build time configuration to determine if server certificates need to be checked against CA certificates, do it based on the availability of such certificates. If no CA is configured then no check can succeed; on the other hand if we have CA certs then we should not ignore them. Signed-off-by: Jerome Forissier Reviewed-by: Ilias Apalodimas Link: https://source.denx.de/u-boot/u-boot/-/commit/f69f7aef26f --- src/apps/altcp_tls/altcp_tls_mbedtls.c | 3 ++- src/include/lwip/apps/altcp_tls_mbedtls_opts.h | 6 ------ 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/src/apps/altcp_tls/altcp_tls_mbedtls.c b/src/apps/altcp_tls/altcp_tls_mbedtls.c index 9e6191269..e6548cf00 100644 --- a/src/apps/altcp_tls/altcp_tls_mbedtls.c +++ b/src/apps/altcp_tls/altcp_tls_mbedtls.c @@ -784,6 +784,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav int ret; struct altcp_tls_config *conf; mbedtls_x509_crt *mem; + int authmode = have_ca ? MBEDTLS_SSL_VERIFY_REQUIRED : MBEDTLS_SSL_VERIFY_NONE; if (TCP_WND < MBEDTLS_SSL_MAX_CONTENT_LEN) { LWIP_DEBUGF(ALTCP_MBEDTLS_DEBUG|LWIP_DBG_LEVEL_SERIOUS, @@ -838,7 +839,7 @@ altcp_tls_create_config(int is_server, u8_t cert_count, u8_t pkey_count, int hav altcp_mbedtls_free_config(conf); return NULL; } - mbedtls_ssl_conf_authmode(&conf->conf, ALTCP_MBEDTLS_AUTHMODE); + mbedtls_ssl_conf_authmode(&conf->conf, authmode); mbedtls_ssl_conf_rng(&conf->conf, mbedtls_ctr_drbg_random, &altcp_tls_entropy_rng->ctr_drbg); #if ALTCP_MBEDTLS_LIB_DEBUG != LWIP_DBG_OFF diff --git a/src/include/lwip/apps/altcp_tls_mbedtls_opts.h b/src/include/lwip/apps/altcp_tls_mbedtls_opts.h index e41301c06..71aa59939 100644 --- a/src/include/lwip/apps/altcp_tls_mbedtls_opts.h +++ b/src/include/lwip/apps/altcp_tls_mbedtls_opts.h @@ -100,12 +100,6 @@ #define ALTCP_MBEDTLS_SESSION_TICKET_TIMEOUT_SECONDS (60 * 60 * 24) #endif -/** Certificate verification mode: MBEDTLS_SSL_VERIFY_NONE, MBEDTLS_SSL_VERIFY_OPTIONAL (default), - * MBEDTLS_SSL_VERIFY_REQUIRED (recommended)*/ -#ifndef ALTCP_MBEDTLS_AUTHMODE -#define ALTCP_MBEDTLS_AUTHMODE MBEDTLS_SSL_VERIFY_OPTIONAL -#endif - #endif /* LWIP_ALTCP */ #endif /* LWIP_HDR_ALTCP_TLS_OPTS_H */