From 0c6ce2f536941413278f981f0aea169272af914c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 17 Apr 2015 16:32:21 +0200 Subject: [PATCH] Use x509_crt_verify_info() in programs --- programs/ssl/ssl_client1.c | 18 ++++----------- programs/ssl/ssl_client2.c | 42 ++++++++-------------------------- programs/ssl/ssl_mail_client.c | 24 +++++++------------ programs/ssl/ssl_server2.c | 16 ++++--------- programs/test/ssl_cert_test.c | 21 +++++++---------- programs/x509/cert_app.c | 42 ++++++++-------------------------- tests/ssl-opt.sh | 18 +++++++-------- 7 files changed, 52 insertions(+), 129 deletions(-) diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 57104caf6..057b84257 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -203,24 +203,16 @@ int main( void ) */ polarssl_printf( " . Verifying peer X.509 certificate..." ); - /* In real life, we may want to bail out when ret != 0 */ + /* In real life, we probably want to bail out when ret != 0 */ if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { + char vrfy_buf[512]; + polarssl_printf( " failed\n" ); - if( ( ret & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! server certificate has expired\n" ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); - if( ( ret & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! server certificate has been revoked\n" ); - - if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) - polarssl_printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" ); - - if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - polarssl_printf( "\n" ); + polarssl_printf( "%s\n", vrfy_buf ); } else polarssl_printf( " ok\n" ); diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index da3dba738..cdadf59a4 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -350,29 +350,13 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags ) x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); polarssl_printf( "%s", buf ); - if( ( (*flags) & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! server certificate has expired\n" ); - - if( ( (*flags) & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! server certificate has been revoked\n" ); - - if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 ) - polarssl_printf( " ! CN mismatch\n" ); - - if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! CRL not trusted\n" ); - - if( ( (*flags) & BADCRL_EXPIRED ) != 0 ) - polarssl_printf( " ! CRL expired\n" ); - - if( ( (*flags) & BADCERT_OTHER ) != 0 ) - polarssl_printf( " ! other (unknown) flag\n" ); - if ( ( *flags ) == 0 ) polarssl_printf( " This certificate has no flags\n" ); + else + { + x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags ); + polarssl_printf( "%s\n", buf ); + } return( 0 ); } @@ -1142,21 +1126,13 @@ int main( int argc, char *argv[] ) if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { + char vrfy_buf[512]; + polarssl_printf( " failed\n" ); - if( ( ret & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! server certificate has expired\n" ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); - if( ( ret & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! server certificate has been revoked\n" ); - - if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) - polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name ); - - if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - polarssl_printf( "\n" ); + polarssl_printf( "%s\n", vrfy_buf ); } else polarssl_printf( " ok\n" ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 2b2d493d1..fcda1dde3 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -169,7 +169,7 @@ static void my_debug( void *ctx, int level, const char *str ) } } -static int do_handshake( ssl_context *ssl, struct options *opt ) +static int do_handshake( ssl_context *ssl ) { int ret; unsigned char buf[1024]; @@ -201,24 +201,16 @@ static int do_handshake( ssl_context *ssl, struct options *opt ) */ polarssl_printf( " . Verifying peer X.509 certificate..." ); - /* In real life, we may want to bail out when ret != 0 */ + /* In real life, we probably want to bail out when ret != 0 */ if( ( ret = ssl_get_verify_result( ssl ) ) != 0 ) { + char vrfy_buf[512]; + polarssl_printf( " failed\n" ); - if( ( ret & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! server certificate has expired\n" ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); - if( ( ret & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! server certificate has been revoked\n" ); - - if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) - polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt->server_name ); - - if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - polarssl_printf( "\n" ); + polarssl_printf( "%s\n", vrfy_buf ); } else polarssl_printf( " ok\n" ); @@ -638,7 +630,7 @@ int main( int argc, char *argv[] ) if( opt.mode == MODE_SSL_TLS ) { - if( do_handshake( &ssl, &opt ) != 0 ) + if( do_handshake( &ssl ) != 0 ) goto exit; polarssl_printf( " > Get header from server:" ); @@ -707,7 +699,7 @@ int main( int argc, char *argv[] ) polarssl_printf(" ok\n" ); - if( do_handshake( &ssl, &opt ) != 0 ) + if( do_handshake( &ssl ) != 0 ) goto exit; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d1bc36ed1..095fabd49 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1626,21 +1626,13 @@ reset: if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) { + char vrfy_buf[512]; + polarssl_printf( " failed\n" ); - if( !ssl_get_peer_cert( &ssl ) ) - polarssl_printf( " ! no client certificate sent\n" ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); - if( ( ret & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! client certificate has expired\n" ); - - if( ( ret & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! client certificate has been revoked\n" ); - - if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - polarssl_printf( "\n" ); + polarssl_printf( "%s\n", vrfy_buf ); } else polarssl_printf( " ok\n" ); diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c index d823964ee..a2127306f 100644 --- a/programs/test/ssl_cert_test.c +++ b/programs/test/ssl_cert_test.c @@ -173,19 +173,14 @@ int main( void ) { if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED ) { - if( flags & BADCERT_CN_MISMATCH ) - polarssl_printf( " CN_MISMATCH " ); - if( flags & BADCERT_EXPIRED ) - polarssl_printf( " EXPIRED " ); - if( flags & BADCERT_REVOKED ) - polarssl_printf( " REVOKED " ); - if( flags & BADCERT_NOT_TRUSTED ) - polarssl_printf( " NOT_TRUSTED " ); - if( flags & BADCRL_NOT_TRUSTED ) - polarssl_printf( " CRL_NOT_TRUSTED " ); - if( flags & BADCRL_EXPIRED ) - polarssl_printf( " CRL_EXPIRED " ); - } else { + char vrfy_buf[512]; + + polarssl_printf( " failed\n" ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); + polarssl_printf( "%s\n", vrfy_buf ); + } + else + { polarssl_printf( " failed\n ! x509_crt_verify returned %d\n\n", ret ); goto exit; } diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 72f69ba93..3a6ae87e4 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -128,29 +128,13 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags ) x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); polarssl_printf( "%s", buf ); - if( ( (*flags) & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! server certificate has expired\n" ); - - if( ( (*flags) & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! server certificate has been revoked\n" ); - - if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 ) - polarssl_printf( " ! CN mismatch\n" ); - - if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! CRL not trusted\n" ); - - if( ( (*flags) & BADCRL_EXPIRED ) != 0 ) - polarssl_printf( " ! CRL expired\n" ); - - if( ( (*flags) & BADCERT_OTHER ) != 0 ) - polarssl_printf( " ! other (unknown) flag\n" ); - if ( ( *flags ) == 0 ) polarssl_printf( " This certificate has no flags\n" ); + else + { + x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags ); + polarssl_printf( "%s\n", buf ); + } return( 0 ); } @@ -358,21 +342,13 @@ int main( int argc, char *argv[] ) if( ( ret = x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags, my_verify, NULL ) ) != 0 ) { + char vrfy_buf[512]; + polarssl_printf( " failed\n" ); - if( ( ret & BADCERT_EXPIRED ) != 0 ) - polarssl_printf( " ! server certificate has expired\n" ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); - if( ( ret & BADCERT_REVOKED ) != 0 ) - polarssl_printf( " ! server certificate has been revoked\n" ); - - if( ( ret & BADCERT_CN_MISMATCH ) != 0 ) - polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name ); - - if( ( ret & BADCERT_NOT_TRUSTED ) != 0 ) - polarssl_printf( " ! self-signed or not signed by a trusted CA\n" ); - - polarssl_printf( "\n" ); + polarssl_printf( "%s\n", vrfy_buf ); } else polarssl_printf( " ok\n" ); diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 63c0a2332..75c59423a 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1338,7 +1338,7 @@ run_test "Authentication: server badcert, client required" \ "$P_CLI debug_level=1 auth_mode=required" \ 1 \ -c "x509_verify_cert() returned" \ - -c "! self-signed or not signed by a trusted CA" \ + -c "! The certificate is not correctly signed by the trusted CA" \ -c "! ssl_handshake returned" \ -c "X509 - Certificate verification failed" @@ -1348,7 +1348,7 @@ run_test "Authentication: server badcert, client optional" \ "$P_CLI debug_level=1 auth_mode=optional" \ 0 \ -c "x509_verify_cert() returned" \ - -c "! self-signed or not signed by a trusted CA" \ + -c "! The certificate is not correctly signed by the trusted CA" \ -C "! ssl_handshake returned" \ -C "X509 - Certificate verification failed" @@ -1358,7 +1358,7 @@ run_test "Authentication: server badcert, client none" \ "$P_CLI debug_level=1 auth_mode=none" \ 0 \ -C "x509_verify_cert() returned" \ - -C "! self-signed or not signed by a trusted CA" \ + -C "! The certificate is not correctly signed by the trusted CA" \ -C "! ssl_handshake returned" \ -C "X509 - Certificate verification failed" @@ -1374,7 +1374,7 @@ run_test "Authentication: client badcert, server required" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" \ -s "x509_verify_cert() returned" \ - -S "! self-signed or not signed by a trusted CA" \ + -S "! The certificate is not correctly signed by the trusted CA" \ -s "! ssl_handshake returned" \ -c "! ssl_handshake returned" \ -s "X509 - Certificate verification failed" @@ -1391,7 +1391,7 @@ run_test "Authentication: client badcert, server optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" \ -s "x509_verify_cert() returned" \ - -s "! self-signed or not signed by a trusted CA" \ + -s "! The certificate is not correctly signed by the trusted CA" \ -S "! ssl_handshake returned" \ -C "! ssl_handshake returned" \ -S "X509 - Certificate verification failed" @@ -1408,7 +1408,7 @@ run_test "Authentication: client badcert, server none" \ -c "skip write certificate verify" \ -s "skip parse certificate verify" \ -S "x509_verify_cert() returned" \ - -S "! self-signed or not signed by a trusted CA" \ + -S "! The certificate is not correctly signed by the trusted CA" \ -S "! ssl_handshake returned" \ -C "! ssl_handshake returned" \ -S "X509 - Certificate verification failed" @@ -1425,7 +1425,7 @@ run_test "Authentication: client no cert, server optional" \ -S "SSLv3 client has no certificate" \ -c "skip write certificate verify" \ -s "skip parse certificate verify" \ - -s "! no client certificate sent" \ + -s "! Certificate was missing" \ -S "! ssl_handshake returned" \ -C "! ssl_handshake returned" \ -S "X509 - Certificate verification failed" @@ -1436,7 +1436,7 @@ run_test "Authentication: openssl client no cert, server optional" \ 0 \ -S "skip write certificate request" \ -s "skip parse certificate verify" \ - -s "! no client certificate sent" \ + -s "! Certificate was missing" \ -S "! ssl_handshake returned" \ -S "X509 - Certificate verification failed" @@ -1462,7 +1462,7 @@ run_test "Authentication: client no cert, ssl3" \ -c "got no certificate to send" \ -s "SSLv3 client has no certificate" \ -s "skip parse certificate verify" \ - -s "! no client certificate sent" \ + -s "! Certificate was missing" \ -S "! ssl_handshake returned" \ -C "! ssl_handshake returned" \ -S "X509 - Certificate verification failed"