From 6c0ceb3f9aacdabeb475acdeae741685bb9d46bb Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Sun, 4 Dec 2011 12:24:18 +0000 Subject: [PATCH] - Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error --- ChangeLog | 3 + include/polarssl/x509.h | 28 ++- library/error.c | 4 +- library/pem.c | 2 + library/ssl_tls.c | 3 +- library/x509parse.c | 228 +++++++++++++-------- programs/ssl/ssl_client2.c | 8 +- programs/ssl/ssl_fork_server.c | 4 +- programs/ssl/ssl_mail_client.c | 8 +- programs/ssl/ssl_server.c | 4 +- programs/test/ssl_cert_test.c | 4 +- programs/test/ssl_test.c | 4 +- programs/x509/cert_app.c | 12 +- tests/suites/test_suite_debug.function | 2 +- tests/suites/test_suite_x509parse.function | 12 +- 15 files changed, 210 insertions(+), 116 deletions(-) diff --git a/ChangeLog b/ChangeLog index 8817d9f12..fc7287e0f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -35,6 +35,9 @@ Changes * Changed the used random function pointer to more flexible format. Renamed havege_rand() to havege_random() to prevent mistakes. Lots of changes as a consequence in library code and programs + * Added permissive certificate parsing to x509parse_crt() and + x509parse_crtfile(). With permissive parsing the parsing does not stop on + encountering a parse-error Bugfix * Fixed faulty HMAC-MD2 implementation. Found by dibac. (Closes diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h index 93ef26539..11f1a3108 100644 --- a/include/polarssl/x509.h +++ b/include/polarssl/x509.h @@ -58,7 +58,7 @@ #define POLARSSL_ERR_X509_CERT_VERIFY_FAILED -0x2800 /**< Certificate verification failed, e.g. CRL, CA or signature check failed. */ #define POLARSSL_ERR_X509_KEY_INVALID_VERSION -0x2880 /**< Unsupported RSA key version */ #define POLARSSL_ERR_X509_KEY_INVALID_FORMAT -0x2900 /**< Invalid RSA key tag or value. */ -#define POLARSSL_ERR_X509_POINT_ERROR -0x2980 /**< Not used. */ +#define POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT -0x2980 /**< Format not recognized as DER or PEM. */ #define POLARSSL_ERR_X509_VALUE_TO_LENGTH -0x2A00 /**< Not used. */ /* \} name */ @@ -220,6 +220,17 @@ #define EXT_NS_CERT_TYPE (1 << 16) +/* + * Storage format identifiers + * Recognized formats: PEM and DER + */ +#define X509_FORMAT_DER 1 +#define X509_FORMAT_PEM 2 + +#define X509_NON_PERMISSIVE 0 +#define X509_PERMISSIVE 1 + + /** * \addtogroup x509_module * \{ */ @@ -409,27 +420,34 @@ extern "C" { /** \ingroup x509_module */ /** * \brief Parse one or more certificates and add them - * to the chained list + * to the chained list. With permissive parsing enabled + * all certificates that cannot be parsed are ignored. + * If none complete correctly, the first error is returned. * * \param chain points to the start of the chain * \param buf buffer holding the certificate data * \param buflen size of the buffer + * \param permissive X509_PERMISSIVE or X509_NON_PERMISSIVE * * \return 0 if successful, or a specific X509 or PEM error code */ -int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ); +int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, + int permissive ); /** \ingroup x509_module */ /** * \brief Load one or more certificates and add them - * to the chained list + * to the chained list. With permissive parsing enabled + * all certificates that cannot be parsed are ignored. + * If none complete correctly, the first error is returned. * * \param chain points to the start of the chain * \param path filename to read the certificates from + * \param permissive X509_PERMISSIVE or X509_NON_PERMISSIVE * * \return 0 if successful, or a specific X509 or PEM error code */ -int x509parse_crtfile( x509_cert *chain, const char *path ); +int x509parse_crtfile( x509_cert *chain, const char *path, int permissive ); /** \ingroup x509_module */ /** diff --git a/library/error.c b/library/error.c index d5ad61754..33fad8518 100644 --- a/library/error.c +++ b/library/error.c @@ -297,8 +297,8 @@ void error_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "X509 - Unsupported RSA key version" ); if( use_ret == -(POLARSSL_ERR_X509_KEY_INVALID_FORMAT) ) snprintf( buf, buflen, "X509 - Invalid RSA key tag or value" ); - if( use_ret == -(POLARSSL_ERR_X509_POINT_ERROR) ) - snprintf( buf, buflen, "X509 - Not used" ); + if( use_ret == -(POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT) ) + snprintf( buf, buflen, "X509 - Format not recognized as DER or PEM" ); if( use_ret == -(POLARSSL_ERR_X509_VALUE_TO_LENGTH) ) snprintf( buf, buflen, "X509 - Not used" ); #endif /* POLARSSL_X509_PARSE_C */ diff --git a/library/pem.c b/library/pem.c index 3e8f79e1a..33e74ab78 100644 --- a/library/pem.c +++ b/library/pem.c @@ -345,6 +345,8 @@ void pem_free( pem_context *ctx ) if( ctx->info ) free( ctx->info ); + + memset( ctx, 0, sizeof( pem_context ) ); } #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a865a7551..26e7dfa65 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1401,7 +1401,8 @@ int ssl_parse_certificate( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE ); } - ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n ); + ret = x509parse_crt( ssl->peer_cert, ssl->in_msg + i, n, + X509_NON_PERMISSIVE ); if( ret != 0 ) { SSL_DEBUG_RET( 1, " x509parse_crt", ret ); diff --git a/library/x509parse.c b/library/x509parse.c index e14a16391..326c98665 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -1006,20 +1006,13 @@ static int x509_get_sig_alg( const x509_buf *sig_oid, int *sig_alg ) } /* - * Parse one or more certificates and add them to the chained list + * Parse and fill a single X.509 certificate in DER format */ -int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) +int x509parse_crt_der( x509_cert *crt, const unsigned char *buf, size_t buflen ) { int ret; size_t len; unsigned char *p, *end; - x509_cert *crt; -#if defined(POLARSSL_PEM_C) - pem_context pem; - size_t use_len; -#endif - - crt = chain; /* * Check for valid input @@ -1027,69 +1020,6 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) if( crt == NULL || buf == NULL ) return( 1 ); - while( crt->version != 0 && crt->next != NULL ) - crt = crt->next; - - /* - * Add new certificate on the end of the chain if needed. - */ - if ( crt->version != 0 && crt->next == NULL) - { - crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); - - if( crt->next == NULL ) - { - x509_free( crt ); - return( 1 ); - } - - crt = crt->next; - memset( crt, 0, sizeof( x509_cert ) ); - } - -#if defined(POLARSSL_PEM_C) - pem_init( &pem ); - ret = pem_read_buffer( &pem, - "-----BEGIN CERTIFICATE-----", - "-----END CERTIFICATE-----", - buf, NULL, 0, &use_len ); - - if( ret == 0 ) - { - /* - * Was PEM encoded - */ - buflen -= use_len; - buf += use_len; - - /* - * Steal PEM buffer - */ - p = pem.buf; - pem.buf = NULL; - len = pem.buflen; - pem_free( &pem ); - } - else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) - { - pem_free( &pem ); - return( ret ); - } - else - { - /* - * nope, copy the raw DER data - */ - p = (unsigned char *) malloc( len = buflen ); - - if( p == NULL ) - return( 1 ); - - memcpy( p, buf, buflen ); - - buflen = 0; - } -#else p = (unsigned char *) malloc( len = buflen ); if( p == NULL ) @@ -1098,7 +1028,6 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) memcpy( p, buf, buflen ); buflen = 0; -#endif crt->raw.p = p; crt->raw.len = len; @@ -1324,23 +1253,154 @@ int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen ) POLARSSL_ERR_ASN1_LENGTH_MISMATCH ); } - if( buflen > 0 ) + return( 0 ); +} + +/* + * Parse one or more PEM certificates from a buffer and add them to the chained list + */ +int x509parse_crt( x509_cert *chain, const unsigned char *buf, size_t buflen, + int permissive ) +{ + int ret, success = 0, first_error = 0; + x509_cert *crt, *prev = NULL; + int buf_format = X509_FORMAT_DER; + + crt = chain; + + /* + * Check for valid input + */ + if( crt == NULL || buf == NULL ) + return( 1 ); + + while( crt->version != 0 && crt->next != NULL ) + { + prev = crt; + crt = crt->next; + } + + /* + * Add new certificate on the end of the chain if needed. + */ + if ( crt->version != 0 && crt->next == NULL) { crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); if( crt->next == NULL ) - { - x509_free( crt ); return( 1 ); - } + prev = crt; crt = crt->next; memset( crt, 0, sizeof( x509_cert ) ); - - return( x509parse_crt( crt, buf, buflen ) ); } - return( 0 ); + /* + * Determine buffer content. Buffer contains either one DER certificate or + * one or more PEM certificates. + */ +#if defined(POLARSSL_PEM_C) + if( strstr( (char *) buf, "-----BEGIN CERTIFICATE-----" ) != NULL ) + buf_format = X509_FORMAT_PEM; +#endif + + if( buf_format == X509_FORMAT_DER ) + return x509parse_crt_der( crt, buf, buflen ); + +#if defined(POLARSSL_PEM_C) + if( buf_format == X509_FORMAT_PEM ) + { + pem_context pem; + + while( buflen > 0 ) + { + size_t use_len; + pem_init( &pem ); + + ret = pem_read_buffer( &pem, + "-----BEGIN CERTIFICATE-----", + "-----END CERTIFICATE-----", + buf, NULL, 0, &use_len ); + + if( ret == 0 ) + { + /* + * Was PEM encoded + */ + buflen -= use_len; + buf += use_len; + } + else if( ret != POLARSSL_ERR_PEM_NO_HEADER_PRESENT ) + { + pem_free( &pem ); + + if( first_error == 0 ) + first_error = ret; + + continue; + } + else + break; + + ret = x509parse_crt_der( crt, pem.buf, pem.buflen ); + + pem_free( &pem ); + + if( ret != 0 ) + { + /* + * quit parsing on a memory error or if in non-permissive parsing mode + */ + if( ret == 1 || permissive != 1 ) + { + if( prev ) + prev->next = NULL; + + if( crt != chain ) + free( crt ); + + return( ret ); + } + + if( first_error == 0 ) + first_error = ret; + + memset( crt, 0, sizeof( x509_cert ) ); + continue; + } + + success = 1; + + /* + * Add new certificate to the list + */ + crt->next = (x509_cert *) malloc( sizeof( x509_cert ) ); + + if( crt->next == NULL ) + return( 1 ); + + prev = crt; + crt = crt->next; + memset( crt, 0, sizeof( x509_cert ) ); + } + } +#endif + + if( crt->version == 0 ) + { + if( prev ) + prev->next = NULL; + + if( crt != chain ) + free( crt ); + } + + if( success ) + return( 0 ); + else if( first_error ) + return( first_error ); + else + return( POLARSSL_ERR_X509_CERT_UNKNOWN_FORMAT ); } /* @@ -1667,7 +1727,7 @@ int load_file( const char *path, unsigned char **buf, size_t *n ) /* * Load one or more certificates and add them to the chained list */ -int x509parse_crtfile( x509_cert *chain, const char *path ) +int x509parse_crtfile( x509_cert *chain, const char *path, int permissive ) { int ret; size_t n; @@ -1676,7 +1736,7 @@ int x509parse_crtfile( x509_cert *chain, const char *path ) if ( load_file( path, &buf, &n ) ) return( 1 ); - ret = x509parse_crt( chain, buf, n ); + ret = x509parse_crt( chain, buf, n, permissive ); memset( buf, 0, n + 1 ); free( buf ); @@ -3099,7 +3159,7 @@ int x509_self_test( int verbose ) memset( &clicert, 0, sizeof( x509_cert ) ); ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, - strlen( test_cli_crt ) ); + strlen( test_cli_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { if( verbose != 0 ) @@ -3111,7 +3171,7 @@ int x509_self_test( int verbose ) memset( &cacert, 0, sizeof( x509_cert ) ); ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + strlen( test_ca_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { if( verbose != 0 ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 38251067a..fea43ee34 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -224,12 +224,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_file ) ) - ret = x509parse_crtfile( &cacert, opt.ca_file ); + ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + strlen( test_ca_crt ), X509_NON_PERMISSIVE ); #else { ret = 1; @@ -254,12 +254,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) - ret = x509parse_crtfile( &clicert, opt.crt_file ); + ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, - strlen( test_cli_crt ) ); + strlen( test_cli_crt ), X509_NON_PERMISSIVE ); #else { ret = 1; diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index 85803d30d..0f0cfc35e 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -230,7 +230,7 @@ int main( int argc, char *argv[] ) * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + strlen( test_srv_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); @@ -238,7 +238,7 @@ int main( int argc, char *argv[] ) } ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + strlen( test_ca_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 3f4bd75c2..08ecd1a5d 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -476,12 +476,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.ca_file ) ) - ret = x509parse_crtfile( &cacert, opt.ca_file ); + ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + strlen( test_ca_crt ), X509_NON_PERMISSIVE ); #else { ret = 1; @@ -506,12 +506,12 @@ int main( int argc, char *argv[] ) #if defined(POLARSSL_FS_IO) if( strlen( opt.crt_file ) ) - ret = x509parse_crtfile( &clicert, opt.crt_file ); + ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE ); else #endif #if defined(POLARSSL_CERTS_C) ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt, - strlen( test_cli_crt ) ); + strlen( test_cli_crt ), X509_NON_PERMISSIVE ); #else { ret = 1; diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 8a4914092..a673f52dc 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -216,7 +216,7 @@ int main( int argc, char *argv[] ) * server and CA certificates, as well as x509parse_keyfile(). */ ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + strlen( test_srv_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); @@ -224,7 +224,7 @@ int main( int argc, char *argv[] ) } ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + strlen( test_ca_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c index 57ea32c8f..2e4e6c532 100644 --- a/programs/test/ssl_cert_test.c +++ b/programs/test/ssl_cert_test.c @@ -100,7 +100,7 @@ int main( int argc, char *argv[] ) * Alternatively, you may load the CA certificates from a .pem or * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ). */ - ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" ); + ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt", X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " failed\n ! x509parse_crtfile returned %d\n\n", ret ); @@ -148,7 +148,7 @@ int main( int argc, char *argv[] ) printf( " . Loading the client certificate %s...", name ); fflush( stdout ); - ret = x509parse_crtfile( &clicert, name ); + ret = x509parse_crtfile( &clicert, name, X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " failed\n ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c index 8bac4b249..b9c957250 100644 --- a/programs/test/ssl_test.c +++ b/programs/test/ssl_test.c @@ -203,7 +203,7 @@ static int ssl_test( struct options *opt ) goto exit; #else ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt, - strlen( test_srv_crt ) ); + strlen( test_srv_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " ! x509parse_crt returned %d\n\n", ret ); @@ -211,7 +211,7 @@ static int ssl_test( struct options *opt ) } ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt, - strlen( test_ca_crt ) ); + strlen( test_ca_crt ), X509_NON_PERMISSIVE ); if( ret != 0 ) { printf( " ! x509parse_crt returned %d\n\n", ret ); diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index cde96af73..24b97270e 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -47,6 +47,7 @@ #define DFL_SERVER_NAME "localhost" #define DFL_SERVER_PORT 4433 #define DFL_DEBUG_LEVEL 0 +#define DFL_PERMISSIVE 0 /* * global options @@ -58,6 +59,7 @@ struct options char *server_name; /* hostname of the server (client only) */ int server_port; /* port on which the ssl service runs */ int debug_level; /* level of debugging */ + int permissive; /* permissive parsing */ } opt; void my_debug( void *ctx, int level, const char *str ) @@ -77,6 +79,7 @@ void my_debug( void *ctx, int level, const char *str ) " server_name=%%s default: localhost\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ + " permissive=%%d default: 0 (disabled)\n" \ "\n" #if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_HAVEGE_C) || \ @@ -128,6 +131,7 @@ int main( int argc, char *argv[] ) opt.server_name = DFL_SERVER_NAME; opt.server_port = DFL_SERVER_PORT; opt.debug_level = DFL_DEBUG_LEVEL; + opt.permissive = DFL_PERMISSIVE; for( i = 1; i < argc; i++ ) { @@ -169,6 +173,12 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } + else if( strcmp( p, "permissive" ) == 0 ) + { + opt.permissive = atoi( q ); + if( opt.permissive < 0 || opt.permissive > 1 ) + goto usage; + } else goto usage; } @@ -185,7 +195,7 @@ int main( int argc, char *argv[] ) printf( "\n . Loading the certificate(s) ..." ); fflush( stdout ); - ret = x509parse_crtfile( &crt, opt.filename ); + ret = x509parse_crtfile( &crt, opt.filename, opt.permissive ); if( ret != 0 ) { diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function index 02381ca95..950c7ea4b 100644 --- a/tests/suites/test_suite_debug.function +++ b/tests/suites/test_suite_debug.function @@ -35,7 +35,7 @@ debug_print_crt:crt_file:file:line:prefix:result_str ssl_set_dbg(&ssl, string_debug, &buffer); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); debug_print_crt( &ssl, 0, {file}, {line}, {prefix}, &crt); TEST_ASSERT( strcmp( buffer.buf, {result_str} ) == 0 ); diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 18e1c41f3..deac249b0 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -38,7 +38,7 @@ x509_cert_info:crt_file:result_str memset( &crt, 0, sizeof( x509_cert ) ); memset( buf, 0, 2000 ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); res = x509parse_cert_info( buf, 2000, "", &crt ); TEST_ASSERT( res != -1 ); @@ -81,8 +81,8 @@ x509_verify:crt_file:ca_file:crl_file:cn_name:result:flags:verify_callback memset( &ca, 0, sizeof( x509_cert ) ); memset( &crl, 0, sizeof( x509_crl ) ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); - TEST_ASSERT( x509parse_crtfile( &ca, {ca_file} ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &ca, {ca_file}, X509_NON_PERMISSIVE ) == 0 ); TEST_ASSERT( x509parse_crlfile( &crl, {crl_file} ) == 0 ); res = x509parse_verify( &crt, &ca, &crl, {cn_name}, &flags, {verify_callback}, NULL ); @@ -102,7 +102,7 @@ x509_dn_gets:crt_file:entity:result_str memset( &crt, 0, sizeof( x509_cert ) ); memset( buf, 0, 2000 ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); res = x509parse_dn_gets( buf, 2000, &crt.{entity} ); TEST_ASSERT( res != -1 ); @@ -119,7 +119,7 @@ x509_time_expired:crt_file:entity:result memset( &crt, 0, sizeof( x509_cert ) ); - TEST_ASSERT( x509parse_crtfile( &crt, {crt_file} ) == 0 ); + TEST_ASSERT( x509parse_crtfile( &crt, {crt_file}, X509_NON_PERMISSIVE ) == 0 ); TEST_ASSERT( x509parse_time_expired( &crt.{entity} ) == {result} ); } END_CASE @@ -176,7 +176,7 @@ x509parse_crt:crt_data:result_str:result data_len = unhexify( buf, {crt_data} ); - TEST_ASSERT( x509parse_crt( &crt, buf, data_len ) == ( {result} ) ); + TEST_ASSERT( x509parse_crt( &crt, buf, data_len, X509_NON_PERMISSIVE ) == ( {result} ) ); if( ( {result} ) == 0 ) { res = x509parse_cert_info( (char *) output, 2000, "", &crt );