I don't specifically know the behavior of the code, so I have no means of answering your question directly.
That said, it would certainly work if you stored a copy of the certificate during your VerifyCallback(), and compared with the version you copied out yourself. You might wish to balance this with other forms of memory security like certificate digests, key digests and the like -- though if an attacker can modify your process memory, it's all over anyway. Only you can determine what your security needs are, or how to meet them.

-Kyle H

On Fri, May 23, 2014 at 2:32 AM, Dimitrios Apostolou <ji...@gmx.net> wrote:
> The same question in much more specific terms:
>
> int VerifyCallback(X509_STORE_CTX *store_ctx, void *arg)
>
> Is the certificate stored in store_ctx the *new* one that the peer sends
> in case of *renegotiation*?
>
> Is the certificate stored in the SSL struct (obtained via
> SSL_get_peer_certificate()) the *old* one that was negotiated from the
> previous successful handshake? Is this one NULL the first time this
> callback is called? (i.e. initial handshake, *not* renegotiation)
>
> If so, I could just compare those two and return 0 if they are not equal.
>
> Thanks in advance,
> Dimitris
>
> On Wed, 21 May 2014, Dimitrios Apostolou wrote:
>> Hello list,
>>
>> I'm using SSL_CTX_set_cert_verify_callback(empty_callback) to bypass all
>> certificate chain walking and validation. I extract and validate the RSA
>> key *after* handshake and verify only that.
>>
>> However I believe this callback can be called an arbitrary number of times after
>> the initial handshake, in the case of renegotiation. In that case, I want to
>> close the connection if the peer renegotiates the session using a different
>> key than the initial one.
>>
>> So I need to not only get the current certificate from X509_STORE_CTX,
>> but also the original certificate *from before renegotiation*. Is there an
>> API call for that, or do I need to pass custom data pointers using ex_data?
>>
>> Thank you in advance,
>> Dimitris
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager majord...@openssl.org