diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 430060b75..a039290d0 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -187,24 +187,16 @@ int main( void )
 */
 mbedtls_printf( " . Verifying peer X.509 certificate..." );
- /* In real life, we may want to bail out when ret != 0 */
+ /* In real life, we probably want to bail out when ret != 0 */
 if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
 {
+ char vrfy_buf[512];
+
 mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
 }
 else
 mbedtls_printf( " ok\n" );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 892ca170e..b6c776a5e 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
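Review bot: The result of `mbedtls_x509_crt_verify_info` is dropped on the new call line, so a negative return (buffer too small for the set of flags) cannot be told apart from success and whatever is in `vrfy_buf` at that point is printed; a guard such as `if( mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ) < 0 ) vrfy_buf[0] = '\0';` keeps the printed text well-defined regardless of how much the helper managed to write. The same unchecked call is introduced in the ssl_client2.c main hunk, the ssl_mail_client.c do_handshake hunk and the ssl_server2.c hunk. The reworded comment still presents continuing after a failed verification as optional; since this sample is copied into real clients, consider `/* In real life, we would bail out here: a non-zero result means the peer is not authenticated */`. The body of main continues outside the hunk.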
@@ -373,29 +373,13 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
 mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
 mbedtls_printf( "%s", buf );
- if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! CRL not trusted\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
- mbedtls_printf( " ! CRL expired\n" );
-
- if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
- mbedtls_printf( " ! other (unknown) flag\n" );
-
 if ( ( *flags ) == 0 )
 mbedtls_printf( " This certificate has no flags\n" );
+ else
+ {
+ mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
+ mbedtls_printf( "%s\n", buf );
+ }
 return( 0 );
 }
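Review bot: The new `mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );` line passes the full buffer size while the `mbedtls_x509_crt_info` call two lines above passes `sizeof( buf ) - 1`; two sizing conventions in one short function read as if one of them were a mistake, so either use `sizeof( buf )` for both or add a one-line comment saying why they differ. The identical code is added in the cert_app.c my_verify hunk, which should be kept in step. The declaration of `buf` and the start of my_verify are outside the hunk.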
@@ -1287,21 +1271,13 @@ int main( int argc, char *argv[] )
 if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
 {
+ char vrfy_buf[512];
+
 mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
 }
 else
 mbedtls_printf( " ok\n" );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index ca5407011..371d9ad28 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -163,7 +163,7 @@ static void my_debug( void *ctx, int level, const char *str )
 }
 }
-static int do_handshake( mbedtls_ssl_context *ssl, struct options *opt )
+static int do_handshake( mbedtls_ssl_context *ssl )
 {
 int ret;
 unsigned char buf[1024];
@@ -195,24 +195,16 @@ static int do_handshake( mbedtls_ssl_context *ssl, struct options *opt )
 */
 mbedtls_printf( " . Verifying peer X.509 certificate..." );
- /* In real life, we may want to bail out when ret != 0 */
+ /* In real life, we probably want to bail out when ret != 0 */
 if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
 {
+ char vrfy_buf[512];
+
 mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt->server_name );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
 }
 else
 mbedtls_printf( " ok\n" );
@@ -626,7 +618,7 @@ int main( int argc, char *argv[] )
 if( opt.mode == MODE_SSL_TLS )
 {
- if( do_handshake( &ssl, &opt ) != 0 )
+ if( do_handshake( &ssl ) != 0 )
 goto exit;
 mbedtls_printf( " > Get header from server:" );
@@ -695,7 +687,7 @@ int main( int argc, char *argv[] )
 mbedtls_printf(" ok\n" );
- if( do_handshake( &ssl, &opt ) != 0 )
+ if( do_handshake( &ssl ) != 0 )
 goto exit;
 }
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b536c22e7..b6d41c56e 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1910,21 +1910,13 @@ reset:
 if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
 {
+ char vrfy_buf[512];
+
 mbedtls_printf( " failed\n" );
- if( !mbedtls_ssl_get_peer_cert( &ssl ) )
- mbedtls_printf( " ! no client certificate sent\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! client certificate has expired\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! client certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
 }
 else
 mbedtls_printf( " ok\n" );
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 3c0c5262c..f33d9a3a1 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -173,19 +173,14 @@ int main( void )
 {
 if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
 {
- if( flags & MBEDTLS_X509_BADCERT_CN_MISMATCH )
- mbedtls_printf( " CN_MISMATCH " );
- if( flags & MBEDTLS_BADCERT_EXPIRED )
- mbedtls_printf( " EXPIRED " );
- if( flags & MBEDTLS_X509_BADCERT_REVOKED )
- mbedtls_printf( " REVOKED " );
- if( flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
- mbedtls_printf( " NOT_TRUSTED " );
- if( flags & MBEDTLS_X509_BADCRL_NOT_TRUSTED )
- mbedtls_printf( " CRL_NOT_TRUSTED " );
- if( flags & MBEDTLS_X509_BADCRL_EXPIRED )
- mbedtls_printf( " CRL_EXPIRED " );
- } else {
+ char vrfy_buf[512];
+
+ mbedtls_printf( " failed\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_printf( "%s\n", vrfy_buf );
+ }
+ else
+ {
 mbedtls_printf( " failed\n ! mbedtls_x509_crt_verify returned %d\n\n", ret );
 goto exit;
 }
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 0ebed1ac3..2593b5e84 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
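Review bot: The new `mbedtls_x509_crt_verify_info` call in the ssl_cert_test.c hunk is passed `ret`, which the enclosing `if` has just established equals `MBEDTLS_ERR_X509_CERT_VERIFY_FAILED`, not the verification flags; the removed lines tested `flags`, which is what the helper describes, so the printed explanation will be wrong for every failing certificate. Change the argument to `mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );`. The cert_app.c main hunk has the same mix-up: there `ret` is the return code of `mbedtls_x509_crt_verify` while the flags are written through `&flags`, so that call should also pass `flags`. The enclosing function body continues outside both hunks.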
@@ -128,29 +128,13 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
 mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
 mbedtls_printf( "%s", buf );
- if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! CRL not trusted\n" );
-
- if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
- mbedtls_printf( " ! CRL expired\n" );
-
- if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
- mbedtls_printf( " ! other (unknown) flag\n" );
-
 if ( ( *flags ) == 0 )
 mbedtls_printf( " This certificate has no flags\n" );
+ else
+ {
+ mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags );
+ mbedtls_printf( "%s\n", buf );
+ }
 return( 0 );
 }
@@ -358,21 +342,13 @@ int main( int argc, char *argv[] )
 if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags, my_verify, NULL ) ) != 0 )
 {
+ char vrfy_buf[512];
+
 mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
 }
 else
 mbedtls_printf( " ok\n" );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9748d8b38..249327877 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1561,7 +1561,7 @@ run_test "Authentication: server badcert, client required" \
 "$P_CLI debug_level=1 auth_mode=required" \
 1 \
 -c "x509_verify_cert() returned" \
- -c "! self-signed or not signed by a trusted CA" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
 -c "! mbedtls_ssl_handshake returned" \
 -c "X509 - Certificate verification failed"
@@ -1571,7 +1571,7 @@ run_test "Authentication: server badcert, client optional" \
 "$P_CLI debug_level=1 auth_mode=optional" \
 0 \
 -c "x509_verify_cert() returned" \
- -c "! self-signed or not signed by a trusted CA" \
+ -c "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "X509 - Certificate verification failed"
@@ -1581,7 +1581,7 @@ run_test "Authentication: server badcert, client none" \
 "$P_CLI debug_level=1 auth_mode=none" \
 0 \
 -C "x509_verify_cert() returned" \
- -C "! self-signed or not signed by a trusted CA" \
+ -C "! The certificate is not correctly signed by the trusted CA" \
 -C "! mbedtls_ssl_handshake returned" \
 -C "X509 - Certificate verification failed"
@@ -1597,7 +1597,7 @@ run_test "Authentication: client badcert, server required" \
 -C "skip write certificate verify" \
 -S "skip parse certificate verify" \
 -s "x509_verify_cert() returned" \
- -S "! self-signed or not signed by a trusted CA" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
 -s "! mbedtls_ssl_handshake returned" \
 -c "! mbedtls_ssl_handshake returned" \
 -s "X509 - Certificate verification failed"
@@ -1614,7 +1614,7 @@ run_test "Authentication: client badcert, server optional" \
 -C "skip write certificate verify" \
 -S "skip parse certificate verify" \
 -s "x509_verify_cert() returned" \
- -s "! self-signed or not signed by a trusted CA" \
+ -s "! The certificate is not correctly signed by the trusted CA" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
@@ -1631,7 +1631,7 @@ run_test "Authentication: client badcert, server none" \
 -c "skip write certificate verify" \
 -s "skip parse certificate verify" \
 -S "x509_verify_cert() returned" \
- -S "! self-signed or not signed by a trusted CA" \
+ -S "! The certificate is not correctly signed by the trusted CA" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
@@ -1648,7 +1648,7 @@ run_test "Authentication: client no cert, server optional" \
 -S "SSLv3 client has no certificate" \
 -c "skip write certificate verify" \
 -s "skip parse certificate verify" \
- -s "! no client certificate sent" \
+ -s "! Certificate was missing" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
@@ -1659,7 +1659,7 @@ run_test "Authentication: openssl client no cert, server optional" \
 0 \
 -S "skip write certificate request" \
 -s "skip parse certificate verify" \
- -s "! no client certificate sent" \
+ -s "! Certificate was missing" \
 -S "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
@@ -1685,7 +1685,7 @@ run_test "Authentication: client no cert, ssl3" \
 -c "got no certificate to send" \
 -s "SSLv3 client has no certificate" \
 -s "skip parse certificate verify" \
- -s "! no client certificate sent" \
+ -s "! Certificate was missing" \
 -S "! mbedtls_ssl_handshake returned" \
 -C "! mbedtls_ssl_handshake returned" \
 -S "X509 - Certificate verification failed"
@@ -2719,14 +2719,14 @@ run_test "DTLS client auth: optional, client has no cert" \
 "$P_SRV dtls=1 auth_mode=optional" \
 "$P_CLI dtls=1 crt_file=none key_file=none" \
 0 \
- -s "! no client certificate sent"
+ -s "! Certificate was missing"
-run_test "DTLS client auth: optional, client has no cert" \
+run_test "DTLS client auth: none, client has no cert" \
 "$P_SRV dtls=1 auth_mode=none" \
 "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
 0 \
 -c "skip write certificate$" \
- -s "! no client certificate sent"
+ -s "! Certificate verification was skipped"
 # Tests for receiving fragmented handshake messages with DTLS