manually merge 0c6ce2f use x509_crt_verify_info()
This commit is contained in:
Manuel Pégourié-Gonnard
parent
b5f48ad82f
commit
89addc43db
7 changed files with 55 additions and 132 deletions
|
|
@ -187,24 +187,16 @@ int main( void )
|
|||
*/
|
||||
mbedtls_printf( " . Verifying peer X.509 certificate..." );
|
||||
|
||||
/* In real life, we may want to bail out when ret != 0 */
|
||||
/* In real life, we probably want to bail out when ret != 0 */
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
mbedtls_printf( "\n" );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
|
|||
|
|
@ -373,29 +373,13 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
|
|||
mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
|
||||
mbedtls_printf( "%s", buf );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! CRL not trusted\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! CRL expired\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
|
||||
mbedtls_printf( " ! other (unknown) flag\n" );
|
||||
|
||||
if ( ( *flags ) == 0 )
|
||||
mbedtls_printf( " This certificate has no flags\n" );
|
||||
else
|
||||
{
|
||||
mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
|
||||
mbedtls_printf( "%s\n", buf );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
|
@ -1287,21 +1271,13 @@ int main( int argc, char *argv[] )
|
|||
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
mbedtls_printf( "\n" );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
|
|||
|
|
@ -163,7 +163,7 @@ static void my_debug( void *ctx, int level, const char *str )
|
|||
}
|
||||
}
|
||||
|
||||
static int do_handshake( mbedtls_ssl_context *ssl, struct options *opt )
|
||||
static int do_handshake( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
unsigned char buf[1024];
|
||||
|
|
@ -195,24 +195,16 @@ static int do_handshake( mbedtls_ssl_context *ssl, struct options *opt )
|
|||
*/
|
||||
mbedtls_printf( " . Verifying peer X.509 certificate..." );
|
||||
|
||||
/* In real life, we may want to bail out when ret != 0 */
|
||||
/* In real life, we probably want to bail out when ret != 0 */
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt->server_name );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
mbedtls_printf( "\n" );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
@ -626,7 +618,7 @@ int main( int argc, char *argv[] )
|
|||
|
||||
if( opt.mode == MODE_SSL_TLS )
|
||||
{
|
||||
if( do_handshake( &ssl, &opt ) != 0 )
|
||||
if( do_handshake( &ssl ) != 0 )
|
||||
goto exit;
|
||||
|
||||
mbedtls_printf( " > Get header from server:" );
|
||||
|
|
@ -695,7 +687,7 @@ int main( int argc, char *argv[] )
|
|||
|
||||
mbedtls_printf(" ok\n" );
|
||||
|
||||
if( do_handshake( &ssl, &opt ) != 0 )
|
||||
if( do_handshake( &ssl ) != 0 )
|
||||
goto exit;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -1910,21 +1910,13 @@ reset:
|
|||
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
if( !mbedtls_ssl_get_peer_cert( &ssl ) )
|
||||
mbedtls_printf( " ! no client certificate sent\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
|
||||
if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! client certificate has expired\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! client certificate has been revoked\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
mbedtls_printf( "\n" );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
|
|||
|
|
@ -173,19 +173,14 @@ int main( void )
|
|||
{
|
||||
if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
|
||||
{
|
||||
if( flags & MBEDTLS_X509_BADCERT_CN_MISMATCH )
|
||||
mbedtls_printf( " CN_MISMATCH " );
|
||||
if( flags & MBEDTLS_BADCERT_EXPIRED )
|
||||
mbedtls_printf( " EXPIRED " );
|
||||
if( flags & MBEDTLS_X509_BADCERT_REVOKED )
|
||||
mbedtls_printf( " REVOKED " );
|
||||
if( flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
|
||||
mbedtls_printf( " NOT_TRUSTED " );
|
||||
if( flags & MBEDTLS_X509_BADCRL_NOT_TRUSTED )
|
||||
mbedtls_printf( " CRL_NOT_TRUSTED " );
|
||||
if( flags & MBEDTLS_X509_BADCRL_EXPIRED )
|
||||
mbedtls_printf( " CRL_EXPIRED " );
|
||||
} else {
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
{
|
||||
mbedtls_printf( " failed\n ! mbedtls_x509_crt_verify returned %d\n\n", ret );
|
||||
goto exit;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -128,29 +128,13 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
|
|||
mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
|
||||
mbedtls_printf( "%s", buf );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! CRL not trusted\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! CRL expired\n" );
|
||||
|
||||
if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
|
||||
mbedtls_printf( " ! other (unknown) flag\n" );
|
||||
|
||||
if ( ( *flags ) == 0 )
|
||||
mbedtls_printf( " This certificate has no flags\n" );
|
||||
else
|
||||
{
|
||||
mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
|
||||
mbedtls_printf( "%s\n", buf );
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
|
@ -358,21 +342,13 @@ int main( int argc, char *argv[] )
|
|||
if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags,
|
||||
my_verify, NULL ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
mbedtls_printf( "\n" );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
|
|
|||
|
|
@ -1561,7 +1561,7 @@ run_test "Authentication: server badcert, client required" \
|
|||
"$P_CLI debug_level=1 auth_mode=required" \
|
||||
1 \
|
||||
-c "x509_verify_cert() returned" \
|
||||
-c "! self-signed or not signed by a trusted CA" \
|
||||
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-c "X509 - Certificate verification failed"
|
||||
|
||||
|
|
@ -1571,7 +1571,7 @@ run_test "Authentication: server badcert, client optional" \
|
|||
"$P_CLI debug_level=1 auth_mode=optional" \
|
||||
0 \
|
||||
-c "x509_verify_cert() returned" \
|
||||
-c "! self-signed or not signed by a trusted CA" \
|
||||
-c "! The certificate is not correctly signed by the trusted CA" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
|
|
@ -1581,7 +1581,7 @@ run_test "Authentication: server badcert, client none" \
|
|||
"$P_CLI debug_level=1 auth_mode=none" \
|
||||
0 \
|
||||
-C "x509_verify_cert() returned" \
|
||||
-C "! self-signed or not signed by a trusted CA" \
|
||||
-C "! The certificate is not correctly signed by the trusted CA" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-C "X509 - Certificate verification failed"
|
||||
|
||||
|
|
@ -1597,7 +1597,7 @@ run_test "Authentication: client badcert, server required" \
|
|||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify" \
|
||||
-s "x509_verify_cert() returned" \
|
||||
-S "! self-signed or not signed by a trusted CA" \
|
||||
-S "! The certificate is not correctly signed by the trusted CA" \
|
||||
-s "! mbedtls_ssl_handshake returned" \
|
||||
-c "! mbedtls_ssl_handshake returned" \
|
||||
-s "X509 - Certificate verification failed"
|
||||
|
|
@ -1614,7 +1614,7 @@ run_test "Authentication: client badcert, server optional" \
|
|||
-C "skip write certificate verify" \
|
||||
-S "skip parse certificate verify" \
|
||||
-s "x509_verify_cert() returned" \
|
||||
-s "! self-signed or not signed by a trusted CA" \
|
||||
-s "! The certificate is not correctly signed by the trusted CA" \
|
||||
-S "! mbedtls_ssl_handshake returned" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-S "X509 - Certificate verification failed"
|
||||
|
|
@ -1631,7 +1631,7 @@ run_test "Authentication: client badcert, server none" \
|
|||
-c "skip write certificate verify" \
|
||||
-s "skip parse certificate verify" \
|
||||
-S "x509_verify_cert() returned" \
|
||||
-S "! self-signed or not signed by a trusted CA" \
|
||||
-S "! The certificate is not correctly signed by the trusted CA" \
|
||||
-S "! mbedtls_ssl_handshake returned" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-S "X509 - Certificate verification failed"
|
||||
|
|
@ -1648,7 +1648,7 @@ run_test "Authentication: client no cert, server optional" \
|
|||
-S "SSLv3 client has no certificate" \
|
||||
-c "skip write certificate verify" \
|
||||
-s "skip parse certificate verify" \
|
||||
-s "! no client certificate sent" \
|
||||
-s "! Certificate was missing" \
|
||||
-S "! mbedtls_ssl_handshake returned" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-S "X509 - Certificate verification failed"
|
||||
|
|
@ -1659,7 +1659,7 @@ run_test "Authentication: openssl client no cert, server optional" \
|
|||
0 \
|
||||
-S "skip write certificate request" \
|
||||
-s "skip parse certificate verify" \
|
||||
-s "! no client certificate sent" \
|
||||
-s "! Certificate was missing" \
|
||||
-S "! mbedtls_ssl_handshake returned" \
|
||||
-S "X509 - Certificate verification failed"
|
||||
|
||||
|
|
@ -1685,7 +1685,7 @@ run_test "Authentication: client no cert, ssl3" \
|
|||
-c "got no certificate to send" \
|
||||
-s "SSLv3 client has no certificate" \
|
||||
-s "skip parse certificate verify" \
|
||||
-s "! no client certificate sent" \
|
||||
-s "! Certificate was missing" \
|
||||
-S "! mbedtls_ssl_handshake returned" \
|
||||
-C "! mbedtls_ssl_handshake returned" \
|
||||
-S "X509 - Certificate verification failed"
|
||||
|
|
@ -2719,14 +2719,14 @@ run_test "DTLS client auth: optional, client has no cert" \
|
|||
"$P_SRV dtls=1 auth_mode=optional" \
|
||||
"$P_CLI dtls=1 crt_file=none key_file=none" \
|
||||
0 \
|
||||
-s "! no client certificate sent"
|
||||
-s "! Certificate was missing"
|
||||
|
||||
run_test "DTLS client auth: optional, client has no cert" \
|
||||
run_test "DTLS client auth: none, client has no cert" \
|
||||
"$P_SRV dtls=1 auth_mode=none" \
|
||||
"$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
|
||||
0 \
|
||||
-c "skip write certificate$" \
|
||||
-s "! no client certificate sent"
|
||||
-s "! Certificate verification was skipped"
|
||||
|
||||
# Tests for receiving fragmented handshake messages with DTLS
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue