yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-26 02:05:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Use x509_crt_verify_info() in programs

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2015-04-17 16:32:21 +02:00
parent 39a183a629
commit 0c6ce2f536
7 changed files with 52 additions and 129 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
programs/ssl/ssl_client1.c
View File

@ -203,24 +203,16 @@ int main( void )
*/ */
polarssl_printf( " . Verifying peer X.509 certificate..." ); polarssl_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we may want to bail out when ret != 0 */ /* In real life, we probably want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{ {
char vrfy_buf[512];
polarssl_printf( " failed\n" ); polarssl_printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 ) x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
polarssl_printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 ) polarssl_printf( "%s\n", vrfy_buf );
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
polarssl_printf( "\n" );
} }
else else
polarssl_printf( " ok\n" ); polarssl_printf( " ok\n" );

42
programs/ssl/ssl_client2.c
View File

@ -350,29 +350,13 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
polarssl_printf( "%s", buf ); polarssl_printf( "%s", buf );
if( ( (*flags) & BADCERT_EXPIRED ) != 0 )
polarssl_printf( " ! server certificate has expired\n" );
if( ( (*flags) & BADCERT_REVOKED ) != 0 )
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch\n" );
if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! CRL not trusted\n" );
if( ( (*flags) & BADCRL_EXPIRED ) != 0 )
polarssl_printf( " ! CRL expired\n" );
if( ( (*flags) & BADCERT_OTHER ) != 0 )
polarssl_printf( " ! other (unknown) flag\n" );
if ( ( *flags ) == 0 ) if ( ( *flags ) == 0 )
polarssl_printf( " This certificate has no flags\n" ); polarssl_printf( " This certificate has no flags\n" );
else
{
x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
polarssl_printf( "%s\n", buf );
}
return( 0 ); return( 0 );
} }
@ -1142,21 +1126,13 @@ int main( int argc, char *argv[] )
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{ {
char vrfy_buf[512];
polarssl_printf( " failed\n" ); polarssl_printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 ) x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
polarssl_printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 ) polarssl_printf( "%s\n", vrfy_buf );
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
polarssl_printf( "\n" );
} }
else else
polarssl_printf( " ok\n" ); polarssl_printf( " ok\n" );

24
programs/ssl/ssl_mail_client.c
View File

@ -169,7 +169,7 @@ static void my_debug( void *ctx, int level, const char *str )
} }
} }
static int do_handshake( ssl_context *ssl, struct options *opt ) static int do_handshake( ssl_context *ssl )
{ {
int ret; int ret;
unsigned char buf[1024]; unsigned char buf[1024];
@ -201,24 +201,16 @@ static int do_handshake( ssl_context *ssl, struct options *opt )
*/ */
polarssl_printf( " . Verifying peer X.509 certificate..." ); polarssl_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we may want to bail out when ret != 0 */ /* In real life, we probably want to bail out when ret != 0 */
if( ( ret = ssl_get_verify_result( ssl ) ) != 0 ) if( ( ret = ssl_get_verify_result( ssl ) ) != 0 )
{ {
char vrfy_buf[512];
polarssl_printf( " failed\n" ); polarssl_printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 ) x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
polarssl_printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 ) polarssl_printf( "%s\n", vrfy_buf );
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt->server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
polarssl_printf( "\n" );
} }
else else
polarssl_printf( " ok\n" ); polarssl_printf( " ok\n" );
@ -638,7 +630,7 @@ int main( int argc, char *argv[] )
if( opt.mode == MODE_SSL_TLS ) if( opt.mode == MODE_SSL_TLS )
{ {
if( do_handshake( &ssl, &opt ) != 0 ) if( do_handshake( &ssl ) != 0 )
goto exit; goto exit;
polarssl_printf( " > Get header from server:" ); polarssl_printf( " > Get header from server:" );
@ -707,7 +699,7 @@ int main( int argc, char *argv[] )
polarssl_printf(" ok\n" ); polarssl_printf(" ok\n" );
if( do_handshake( &ssl, &opt ) != 0 ) if( do_handshake( &ssl ) != 0 )
goto exit; goto exit;
} }

16
programs/ssl/ssl_server2.c
View File

@ -1626,21 +1626,13 @@ reset:
if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 ) if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
{ {
char vrfy_buf[512];
polarssl_printf( " failed\n" ); polarssl_printf( " failed\n" );
if( !ssl_get_peer_cert( &ssl ) ) x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
polarssl_printf( " ! no client certificate sent\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 ) polarssl_printf( "%s\n", vrfy_buf );
polarssl_printf( " ! client certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 )
polarssl_printf( " ! client certificate has been revoked\n" );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
polarssl_printf( "\n" );
} }
else else
polarssl_printf( " ok\n" ); polarssl_printf( " ok\n" );

21
programs/test/ssl_cert_test.c
View File

@ -173,19 +173,14 @@ int main( void )
{ {
if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED ) if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
{ {
if( flags & BADCERT_CN_MISMATCH ) char vrfy_buf[512];
polarssl_printf( " CN_MISMATCH " );
if( flags & BADCERT_EXPIRED ) polarssl_printf( " failed\n" );
polarssl_printf( " EXPIRED " ); x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
if( flags & BADCERT_REVOKED ) polarssl_printf( "%s\n", vrfy_buf );
polarssl_printf( " REVOKED " ); }
if( flags & BADCERT_NOT_TRUSTED ) else
polarssl_printf( " NOT_TRUSTED " ); {
if( flags & BADCRL_NOT_TRUSTED )
polarssl_printf( " CRL_NOT_TRUSTED " );
if( flags & BADCRL_EXPIRED )
polarssl_printf( " CRL_EXPIRED " );
} else {
polarssl_printf( " failed\n ! x509_crt_verify returned %d\n\n", ret ); polarssl_printf( " failed\n ! x509_crt_verify returned %d\n\n", ret );
goto exit; goto exit;
} }

42
programs/x509/cert_app.c
View File

@ -128,29 +128,13 @@ static int my_verify( void *data, x509_crt *crt, int depth, int *flags )
x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
polarssl_printf( "%s", buf ); polarssl_printf( "%s", buf );
if( ( (*flags) & BADCERT_EXPIRED ) != 0 )
polarssl_printf( " ! server certificate has expired\n" );
if( ( (*flags) & BADCERT_REVOKED ) != 0 )
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( (*flags) & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch\n" );
if( ( (*flags) & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
if( ( (*flags) & BADCRL_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! CRL not trusted\n" );
if( ( (*flags) & BADCRL_EXPIRED ) != 0 )
polarssl_printf( " ! CRL expired\n" );
if( ( (*flags) & BADCERT_OTHER ) != 0 )
polarssl_printf( " ! other (unknown) flag\n" );
if ( ( *flags ) == 0 ) if ( ( *flags ) == 0 )
polarssl_printf( " This certificate has no flags\n" ); polarssl_printf( " This certificate has no flags\n" );
else
{
x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
polarssl_printf( "%s\n", buf );
}
return( 0 ); return( 0 );
} }
@ -358,21 +342,13 @@ int main( int argc, char *argv[] )
if( ( ret = x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags, if( ( ret = x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags,
my_verify, NULL ) ) != 0 ) my_verify, NULL ) ) != 0 )
{ {
char vrfy_buf[512];
polarssl_printf( " failed\n" ); polarssl_printf( " failed\n" );
if( ( ret & BADCERT_EXPIRED ) != 0 ) x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
polarssl_printf( " ! server certificate has expired\n" );
if( ( ret & BADCERT_REVOKED ) != 0 ) polarssl_printf( "%s\n", vrfy_buf );
polarssl_printf( " ! server certificate has been revoked\n" );
if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
polarssl_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
polarssl_printf( " ! self-signed or not signed by a trusted CA\n" );
polarssl_printf( "\n" );
} }
else else
polarssl_printf( " ok\n" ); polarssl_printf( " ok\n" );

18
tests/ssl-opt.sh
View File

@ -1338,7 +1338,7 @@ run_test "Authentication: server badcert, client required" \
"$P_CLI debug_level=1 auth_mode=required" \ "$P_CLI debug_level=1 auth_mode=required" \
1 \ 1 \
-c "x509_verify_cert() returned" \ -c "x509_verify_cert() returned" \
-c "! self-signed or not signed by a trusted CA" \ -c "! The certificate is not correctly signed by the trusted CA" \
-c "! ssl_handshake returned" \ -c "! ssl_handshake returned" \
-c "X509 - Certificate verification failed" -c "X509 - Certificate verification failed"
@ -1348,7 +1348,7 @@ run_test "Authentication: server badcert, client optional" \
"$P_CLI debug_level=1 auth_mode=optional" \ "$P_CLI debug_level=1 auth_mode=optional" \
0 \ 0 \
-c "x509_verify_cert() returned" \ -c "x509_verify_cert() returned" \
-c "! self-signed or not signed by a trusted CA" \ -c "! The certificate is not correctly signed by the trusted CA" \
-C "! ssl_handshake returned" \ -C "! ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
@ -1358,7 +1358,7 @@ run_test "Authentication: server badcert, client none" \
"$P_CLI debug_level=1 auth_mode=none" \ "$P_CLI debug_level=1 auth_mode=none" \
0 \ 0 \
-C "x509_verify_cert() returned" \ -C "x509_verify_cert() returned" \
-C "! self-signed or not signed by a trusted CA" \ -C "! The certificate is not correctly signed by the trusted CA" \
-C "! ssl_handshake returned" \ -C "! ssl_handshake returned" \
-C "X509 - Certificate verification failed" -C "X509 - Certificate verification failed"
@ -1374,7 +1374,7 @@ run_test "Authentication: client badcert, server required" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" \ -S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \ -s "x509_verify_cert() returned" \
-S "! self-signed or not signed by a trusted CA" \ -S "! The certificate is not correctly signed by the trusted CA" \
-s "! ssl_handshake returned" \ -s "! ssl_handshake returned" \
-c "! ssl_handshake returned" \ -c "! ssl_handshake returned" \
-s "X509 - Certificate verification failed" -s "X509 - Certificate verification failed"
@ -1391,7 +1391,7 @@ run_test "Authentication: client badcert, server optional" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" \ -S "skip parse certificate verify" \
-s "x509_verify_cert() returned" \ -s "x509_verify_cert() returned" \
-s "! self-signed or not signed by a trusted CA" \ -s "! The certificate is not correctly signed by the trusted CA" \
-S "! ssl_handshake returned" \ -S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \ -C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed" -S "X509 - Certificate verification failed"
@ -1408,7 +1408,7 @@ run_test "Authentication: client badcert, server none" \
-c "skip write certificate verify" \ -c "skip write certificate verify" \
-s "skip parse certificate verify" \ -s "skip parse certificate verify" \
-S "x509_verify_cert() returned" \ -S "x509_verify_cert() returned" \
-S "! self-signed or not signed by a trusted CA" \ -S "! The certificate is not correctly signed by the trusted CA" \
-S "! ssl_handshake returned" \ -S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \ -C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed" -S "X509 - Certificate verification failed"
@ -1425,7 +1425,7 @@ run_test "Authentication: client no cert, server optional" \
-S "SSLv3 client has no certificate" \ -S "SSLv3 client has no certificate" \
-c "skip write certificate verify" \ -c "skip write certificate verify" \
-s "skip parse certificate verify" \ -s "skip parse certificate verify" \
-s "! no client certificate sent" \ -s "! Certificate was missing" \
-S "! ssl_handshake returned" \ -S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \ -C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed" -S "X509 - Certificate verification failed"
@ -1436,7 +1436,7 @@ run_test "Authentication: openssl client no cert, server optional" \
0 \ 0 \
-S "skip write certificate request" \ -S "skip write certificate request" \
-s "skip parse certificate verify" \ -s "skip parse certificate verify" \
-s "! no client certificate sent" \ -s "! Certificate was missing" \
-S "! ssl_handshake returned" \ -S "! ssl_handshake returned" \
-S "X509 - Certificate verification failed" -S "X509 - Certificate verification failed"
@ -1462,7 +1462,7 @@ run_test "Authentication: client no cert, ssl3" \
-c "got no certificate to send" \ -c "got no certificate to send" \
-s "SSLv3 client has no certificate" \ -s "SSLv3 client has no certificate" \
-s "skip parse certificate verify" \ -s "skip parse certificate verify" \
-s "! no client certificate sent" \ -s "! Certificate was missing" \
-S "! ssl_handshake returned" \ -S "! ssl_handshake returned" \
-C "! ssl_handshake returned" \ -C "! ssl_handshake returned" \
-S "X509 - Certificate verification failed" -S "X509 - Certificate verification failed"