Change X.509 verify flags to uint32_t

parent e85fef10
......@@ -40,6 +40,11 @@ API Changes
pointer, parameters reordered).
* mbedtls_ssl_conf_truncated_hmac() now returns void.
* mbedtls_memory_bufer_alloc_init() now returns void.
* X.509 verification flags are now an uint32_t. Affect the signature of:
mbedtls_ssl_get_verify_result()
mbedtls_x509_ctr_verify_info()
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be update)
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
return void.
* ecdsa_write_signature() gained an addtional md_alg argument and
......
......@@ -590,7 +590,7 @@ struct mbedtls_ssl_session
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
int verify_result; /*!< verification result */
uint32_t verify_result; /*!< verification result */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
unsigned char *ticket; /*!< RFC 5077 session ticket */
......@@ -823,7 +823,7 @@ typedef struct
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *);
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
#endif
......@@ -1242,7 +1242,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
* \param p_vrfy verification parameter
*/
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
......@@ -2107,7 +2107,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
* a combination of BADCERT_xxx and BADCRL_xxx flags, see
* x509.h
*/
int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
/**
* \brief Return the name of the current ciphersuite
......@@ -2424,7 +2424,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
int cert_endpoint,
int *flags );
uint32_t *flags );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_ssl_write_version( int major, int minor, int transport,
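Review bot: The return documentation for `mbedtls_ssl_get_verify_result()` should say what a caller sees when no result is available now that the type is unsigned. Only the tail of that comment is visible here, and the definition further down the page is cut off after its first `return`, so this is inferred. If a fallback path still returns a negative value such as -1, it now converts to `0xFFFFFFFF`, which reads as every flag bit set. A caller testing `!= 0` still fails closed, but one testing `< 0` will never match. I would make the sentinel explicit in the code and document it, e.g. `\return 0xFFFFFFFF if the result is not available`.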
......
......@@ -214,22 +214,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
* case of an error.
*/
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int flags );
/**
* \brief Returns an informational string about the
* verification status of a certificate.
*
* \param buf Buffer to write to
* \param size Maximum size of buffer
* \param prefix A line prefix
* \param flags Verification flags created by mbedtls_x509_crt_verify()
*
* \return The amount of data written to the buffer, or -1 in
* case of an error.
*/
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int flags );
uint32_t flags );
/**
* \brief Verify the certificate signature
......@@ -270,8 +255,8 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const char *cn, int *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
const char *cn, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
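Review bot: The verify-callback type `int (*)(void *, mbedtls_x509_crt *, int, uint32_t *)` is written out in full in `mbedtls_x509_crt_verify()` here, and again in the SSL header, the definitions and the test helper, so this commit had to edit every copy by hand. A single typedef for the callback, used by both `mbedtls_x509_crt_verify()` and `mbedtls_ssl_conf_verify()`, would keep the copies from drifting. The `f_vrfy` parameter documentation (outside this hunk) should also state that the last argument is now `uint32_t *`, because with many C compilers an application that still passes an `int *` callback gets only an incompatible-pointer warning.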
......
......@@ -850,7 +850,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
{
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
int flags;
uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL )
......
......@@ -5219,7 +5219,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
#if defined(MBEDTLS_X509_CRT_PARSE_C)
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
conf->f_vrfy = f_vrfy;
......@@ -5682,7 +5682,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
}
int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
{
if( ssl->session != NULL )
return( ssl->session->verify_result );
......@@ -6828,7 +6828,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
int cert_endpoint,
int *flags )
uint32_t *flags )
{
int ret = 0;
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
......
......@@ -998,7 +998,7 @@ int mbedtls_x509_self_test( int verbose )
{
#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
int ret;
int flags;
uint32_t flags;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
......
......@@ -1408,7 +1408,7 @@ static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
};
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int flags )
uint32_t flags )
{
int ret;
const struct x509_crt_verify_string *cur;
......@@ -1767,12 +1767,13 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
static int x509_crt_verify_top(
mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
int ret;
int ca_flags = 0, check_path_cnt = path_cnt + 1;
uint32_t ca_flags = 0;
int check_path_cnt = path_cnt + 1;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
const mbedtls_md_info_t *md_info;
......@@ -1881,12 +1882,12 @@ static int x509_crt_verify_top(
static int x509_crt_verify_child(
mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
int ret;
int parent_flags = 0;
uint32_t parent_flags = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_x509_crt *grandparent;
const mbedtls_md_info_t *md_info;
......@@ -1971,8 +1972,8 @@ static int x509_crt_verify_child(
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
const char *cn, int *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
const char *cn, uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
size_t cn_len;
......
......@@ -85,6 +85,7 @@ static void my_debug( void *ctx, int level, const char *str )
int main( int argc, char *argv[] )
{
int ret, len, server_fd = -1;
uint32_t flags;
unsigned char buf[1024];
const char *pers = "dtls_client";
int retry_left = MAX_RETRY;
......@@ -221,23 +222,15 @@ int main( int argc, char *argv[] )
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
* handshake would not succeed if the peer's cert is bad. Even if we used
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
mbedtls_printf( " failed\n" );
if( ( ret & MBEDTLS_X509_BADCERT_EXPIRED ) != 0 )
mbedtls_printf( " ! server certificate has expired\n" );
char vrfy_buf[512];
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
mbedtls_printf( " ! server certificate has been revoked\n" );
if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
mbedtls_printf( " failed\n" );
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "\n" );
mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
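Review bot: The comment kept above the check still says to bail out `if ret != 0`, but the verification result is now stored in `flags` and `ret` is no longer assigned on this line. A reader who follows the comment literally would test a variable that presumably still holds the earlier handshake result, and would carry on with an unverified peer. I would reword the last sentence to `we would bail out here if flags != 0 */`. The same stale `ret != 0` wording remains in the `ssl_client1` sample's `main()` and in `do_handshake()` further down the page. `main()` starts and ends outside these hunks.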
......
......@@ -77,6 +77,7 @@ static void my_debug( void *ctx, int level, const char *str )
int main( void )
{
int ret, len, server_fd = -1;
uint32_t flags;
unsigned char buf[1024];
const char *pers = "ssl_client1";
......@@ -204,13 +205,13 @@ int main( void )
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
......
......@@ -364,7 +364,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
/*
* Enabled if debug_level > 1 in code below
*/
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
{
char buf[1024];
((void) data);
......@@ -388,6 +388,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
int main( int argc, char *argv[] )
{
int ret = 0, len, tail_len, server_fd, i, written, frags, retry_left;
uint32_t flags;
unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
......@@ -1260,13 +1261,13 @@ int main( int argc, char *argv[] )
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
......
......@@ -166,6 +166,7 @@ static void my_debug( void *ctx, int level, const char *str )
static int do_handshake( mbedtls_ssl_context *ssl )
{
int ret;
uint32_t flags;
unsigned char buf[1024];
memset(buf, 0, 1024);
......@@ -196,13 +197,13 @@ static int do_handshake( mbedtls_ssl_context *ssl )
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
......
......@@ -705,6 +705,7 @@ void term_handler( int sig )
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges_left;
uint32_t flags;
int version_suites[4][2];
unsigned char buf[IO_BUF_LEN];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
......@@ -1896,13 +1897,13 @@ reset:
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
......
......@@ -140,7 +140,7 @@ int main( void )
* 1.3. Load own certificate
*/
char name[512];
int flags;
uint32_t flags;
mbedtls_x509_crt clicert;
mbedtls_pk_context pk;
......
......@@ -119,7 +119,7 @@ static void my_debug( void *ctx, int level, const char *str )
}
}
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
{
char buf[1024];
((void) data);
......@@ -152,7 +152,8 @@ int main( int argc, char *argv[] )
mbedtls_x509_crl cacrl;
mbedtls_pk_context pkey;
int i, j;
int flags, verify = 0;
uint32_t flags;
int verify = 0;
char *p, *q;
const char *pers = "cert_app";
......
......@@ -6,7 +6,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/base64.h"
int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
{
((void) data);
((void) crt);
......@@ -16,7 +16,7 @@ int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *
return 0;
}
int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
{
((void) data);
((void) crt);
......@@ -126,9 +126,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
mbedtls_x509_crt crt;
mbedtls_x509_crt ca;
mbedtls_x509_crl crl;
int flags = 0;
uint32_t flags = 0;
int res;
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *) = NULL;
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
char * cn_name = NULL;
mbedtls_x509_crt_init( &crt );
......@@ -154,7 +154,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
res = mbedtls_x509_crt_verify( &crt, &ca, &crl, cn_name, &flags, f_vrfy, NULL );
TEST_ASSERT( res == ( result ) );
TEST_ASSERT( flags == ( flags_result ) );
TEST_ASSERT( flags == (uint32_t)( flags_result ) );
exit:
mbedtls_x509_crt_free( &crt );
......