yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-26 00:55:39 +01:00
Code Issues Packages Projects Releases Wiki Activity

Introduce configuration option to remove CRT verification callbacks

Browse Source
This commit is contained in:
Hanno Becker 2019-07-01 17:36:12 +01:00
parent 0e895727be
commit 9ec3fe0d43
16 changed files with 213 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
configs/baremetal.h
View File

@ -116,6 +116,7 @@
#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
#define MBEDTLS_X509_ON_DEMAND_PARSING
#define MBEDTLS_X509_ALWAYS_FLUSH
#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
#define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION

11
include/mbedtls/config.h
View File

@ -2018,6 +2018,17 @@
*/
//#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
/**
* \def MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
*
* Remove support for X.509 certificate verification callbacks.
*
* Uncomment to save some bytes of code by removing support for X.509
* certificate verification callbacks in mbedtls_x509_crt_verify() and
* related verification API.
*/
#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
/**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
*

8
include/mbedtls/ssl.h
View File

@ -1033,7 +1033,8 @@ struct mbedtls_ssl_config
void *p_sni; /*!< context for SNI callback */
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
/** Callback to customize X.509 certificate chain verification */
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
@ -1588,7 +1589,8 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport );
*/
void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
/**
* \brief Set the verification callback (Optional).
*
@ -1603,7 +1605,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if !defined(MBEDTLS_SSL_CONF_RNG)
/**

30
include/mbedtls/x509_crt.h
View File

@ -502,14 +502,17 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
* verification process.
*/
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
const char *cn,
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
uint32_t *flags
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
);
/**
* \brief Verify the certificate signature according to profile
@ -545,9 +548,12 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
uint32_t *flags
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
);
/**
* \brief Restartable version of \c mbedtls_crt_verify_with_profile()
@ -579,8 +585,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
mbedtls_x509_crt_restart_ctx *rs_ctx );
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)

10
library/ssl_tls.c
View File

@ -7181,7 +7181,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
ssl->hostname,
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&ssl->session_negotiate->verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ssl->conf->f_vrfy, ssl->conf->p_vrfy,
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
rs_ctx );
if( verify_ret != 0 )
{
@ -8523,7 +8526,8 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
#endif /* MBEDTLS_SSL_CONF_AUTHMODE */
}
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
@ -8531,7 +8535,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
conf->f_vrfy = f_vrfy;
conf->p_vrfy = p_vrfy;
}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if !defined(MBEDTLS_SSL_CONF_RNG)
void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf,

3
library/version_features.c
View File

@ -576,6 +576,9 @@ static const char *features[] = {
#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
"MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION",
#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
"MBEDTLS_X509_REMOVE_VERIFY_CALLBACK",
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */

9
library/x509.c
View File

@ -1250,11 +1250,20 @@ int mbedtls_x509_self_test( int verbose )
if( verbose != 0 )
mbedtls_printf( "passed\n X.509 signature verify: ");
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, NULL, NULL );
#else
ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags );
#endif
if( ret != 0 )
{
if( verbose != 0 )

35
library/x509_crt.c
View File

@ -3590,9 +3590,12 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
uint32_t *flags
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)
, void *p_vrfy
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
)
{
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
&mbedtls_x509_crt_profile_default,
@ -3600,7 +3603,10 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
flags,
f_vrfy, p_vrfy, NULL ) );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
f_vrfy, p_vrfy,
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
NULL ) );
}
/*
@ -3613,16 +3619,23 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
uint32_t *flags
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *)
, void *p_vrfy
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
)
{
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
flags, f_vrfy, p_vrfy, NULL ) );
flags,
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
f_vrfy, p_vrfy,
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
NULL ) );
}
/*
@ -3643,8 +3656,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy,
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
mbedtls_x509_crt_restart_ctx *rs_ctx )
{
int ret;
@ -3702,7 +3717,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
ver_chain.items[0].flags |= ee_flags;
/* Build final flags, calling callback on the way if any */
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
#else
ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, NULL, NULL );
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
exit:
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)

8
programs/ssl/query_config.c
View File

@ -1578,6 +1578,14 @@ int query_config( const char *config )
}
#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
if( strcmp( "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_VERIFY_CALLBACK );
return( 0 );
}
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
{

20
programs/ssl/ssl_client2.c
View File

@ -664,6 +664,8 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len )
!MBEDTLS_SSL_CONF_RECV_TIMEOUT */
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
static unsigned char peer_crt_info[1024];
/*
@ -704,6 +706,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt,
return( 0 );
}
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
@ -1894,8 +1897,10 @@ int main( int argc, char *argv[] )
#endif
}
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
@ -2316,10 +2321,11 @@ int main( int argc, char *argv[] )
else
mbedtls_printf( " ok\n" );
#if !defined(MBEDTLS_X509_REMOVE_INFO)
#if !defined(MBEDTLS_X509_REMOVE_INFO) && \
!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
mbedtls_printf( " . Peer certificate information ...\n" );
mbedtls_printf( "%s\n", peer_crt_info );
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#endif /* !MBEDTLS_X509_REMOVE_INFO && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -2648,9 +2654,10 @@ send_request:
mbedtls_printf( " . Restarting connection from same port..." );
fflush( stdout );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
{
@ -2825,9 +2832,10 @@ reconnect:
mbedtls_printf( " . Reconnecting with saved session..." );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
!defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
memset( peer_crt_info, 0, sizeof( peer_crt_info ) );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 )
{

19
programs/x509/cert_app.c
View File

@ -129,6 +129,7 @@ static void my_debug( void *ctx, int level,
}
#endif /* MBEDTLS_DEBUG_C */
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
{
char buf[1024];
@ -148,6 +149,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *fl
return( 0 );
}
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
#if defined(MBEDTLS_SSL_CONF_RNG)
int rng_wrap( void *ctx, unsigned char *dst, size_t len );
@ -363,11 +365,21 @@ int main( int argc, char *argv[] )
{
mbedtls_printf( " . Verifying X.509 certificate..." );
if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, my_verify, NULL ) ) != 0 )
&flags,
my_verify, NULL );
#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags );
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
if( ret != 0 )
{
char vrfy_buf[512];
@ -436,7 +448,10 @@ int main( int argc, char *argv[] )
{
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
mbedtls_ssl_conf_verify( &conf, my_verify, NULL );
#endif
}
else
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );

2
scripts/config.pl
View File

@ -43,6 +43,7 @@
# MBEDTLS_X509_CRT_REMOVE_TIME
# MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
# MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
# MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
# MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C
# and any symbol beginning _ALT
@ -110,6 +111,7 @@ MBEDTLS_X509_REMOVE_INFO
MBEDTLS_X509_CRT_REMOVE_TIME
MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION

15
tests/scripts/all.sh
View File

@ -1348,6 +1348,21 @@ component_test_no_hostname_verification () {
if_build_succeeded tests/ssl-opt.sh
}
component_test_no_x509_verify_callback () {
msg "build: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s
scripts/config.pl full
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
scripts/config.pl set MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
make CFLAGS='-Werror -O1'
msg "test: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s
make test
msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 1 min
if_build_succeeded tests/ssl-opt.sh
}
component_build_arm_none_eabi_gcc () {
msg "build: arm-none-eabi-gcc, make" # ~ 10s
scripts/config.pl baremetal

36
tests/ssl-opt.sh
View File

@ -1188,6 +1188,7 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SHA-1 forbidden by default in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI debug_level=2 allow_sha1=0" \
@ -1212,6 +1213,7 @@ run_test "SHA-256 allowed by default in server certificate" \
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SHA-1 forbidden by default in client certificate" \
"$P_SRV auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
@ -3653,6 +3655,7 @@ run_test "DER format: with 9 trailing random bytes" \
# Tests for auth_mode
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server badcert, client required" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -3664,6 +3667,7 @@ run_test "Authentication: server badcert, client required" \
-c "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server badcert, client optional" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@ -3675,6 +3679,7 @@ run_test "Authentication: server badcert, client optional" \
-C "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server goodcert, client optional, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
@ -3687,6 +3692,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \
-C "SSL - No CA Chain is set, but required to operate"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@ -3783,6 +3789,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \
-s "No client certification received from the client, but required by the authentication mode"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -3805,6 +3812,7 @@ run_test "Authentication: client badcert, server required" \
# before reading the alert message.
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client cert not trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@ -3823,6 +3831,7 @@ run_test "Authentication: client cert not trusted, server required" \
-s "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client badcert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@ -3858,6 +3867,7 @@ run_test "Authentication: client badcert, server none" \
-S "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \
@ -3876,6 +3886,7 @@ run_test "Authentication: client no cert, server optional" \
-S "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: openssl client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
"$O_CLI" \
@ -3908,6 +3919,7 @@ run_test "Authentication: client no cert, openssl server required" \
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client no cert, ssl3" \
"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
"$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
@ -4026,6 +4038,7 @@ run_test "Authentication: do not send CA list in CertificateRequest" \
-S "requested DN"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: send CA list in CertificateRequest, client self signed" \
"$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@ -4041,6 +4054,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig
# Tests for certificate selection based on SHA verson
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@ -4052,6 +4066,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
-C "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@ -4063,6 +4078,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
-c "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@ -4074,6 +4090,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
-c "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@ -4086,6 +4103,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
-C "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
"$P_SRV crt_file=data_files/server6.crt \
key_file=data_files/server6.key \
@ -4100,6 +4118,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
# tests for SNI
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
@ -4111,6 +4130,7 @@ run_test "SNI: no SNI callback" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4123,6 +4143,7 @@ run_test "SNI: matching cert 1" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4189,6 +4210,7 @@ run_test "SNI: client auth override: optional -> none" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4209,6 +4231,7 @@ run_test "SNI: CA no override" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4229,6 +4252,7 @@ run_test "SNI: CA override" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4250,6 +4274,7 @@ run_test "SNI: CA override with CRL" \
# Tests for SNI and DTLS
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, no SNI callback" \
"$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
@ -4261,6 +4286,7 @@ run_test "SNI: DTLS, no SNI callback" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, matching cert 1" \
"$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4273,6 +4299,7 @@ run_test "SNI: DTLS, matching cert 1" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, matching cert 2" \
"$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4339,6 +4366,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, CA no override" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4378,6 +4406,7 @@ run_test "SNI: DTLS, CA override" \
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
@ -4816,6 +4845,7 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
-C "Ciphersuite is TLS-"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
"$O_SRV -key data_files/server2.key \
-cert data_files/server2.ku-ke.crt" \
@ -4848,6 +4878,7 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \
-C "Ciphersuite is TLS-"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
"$O_SRV -key data_files/server2.key \
-cert data_files/server2.ku-ds.crt" \
@ -6399,6 +6430,7 @@ run_test "EC restart: TLS, max_ops=1000" \
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "EC restart: TLS, max_ops=1000, badsign" \
"$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
crt_file=data_files/server5-badsign.crt \
@ -6435,6 +6467,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \
-C "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
"$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
@ -6535,6 +6568,7 @@ run_test "SSL async private: sign, RSA, TLS 1.1" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SSL async private: sign, SNI" \
"$P_SRV debug_level=3 \
async_operations=s async_private_delay1=0 async_private_delay2=0 \
@ -6998,6 +7032,7 @@ run_test "DTLS client auth: required" \
-s "Verifying peer X.509 certificate... ok"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "DTLS client auth: optional, client has no cert" \
"$P_SRV dtls=1 auth_mode=optional" \
"$P_CLI dtls=1 crt_file=none key_file=none" \
@ -7005,6 +7040,7 @@ run_test "DTLS client auth: optional, client has no cert" \
-s "! Certificate was missing"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "DTLS client auth: none, client has no cert" \
"$P_SRV dtls=1 auth_mode=none" \
"$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \

6
tests/suites/test_suite_x509parse.data
View File

@ -560,11 +560,11 @@ depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBE
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #19 (Valid Cert, denying callback)
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
X509 CRT verification #19 (Not trusted Cert, allowing callback)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
X509 CRT verification #21 (domain matching wildcard certificate, case insensitive)
@ -920,7 +920,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MB
x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #92 (bad name, allowing callback)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all"
X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA)

41
tests/suites/test_suite_x509parse.function
View File

@ -334,7 +334,10 @@ void x509_verify_restart( char *crt_file, char *ca_file,
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags,
NULL, NULL, &rs_ctx );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
NULL, NULL,
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
&rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
TEST_ASSERT( ret == result );
@ -355,7 +358,10 @@ void x509_verify_restart( char *crt_file, char *ca_file,
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags,
NULL, NULL, &rs_ctx );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
NULL, NULL,
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
&rs_ctx );
TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
exit:
@ -376,7 +382,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
mbedtls_x509_crl crl;
uint32_t flags = 0;
int res;
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
#endif
const mbedtls_x509_crt_profile *profile;
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
char * cn_name = NULL;
@ -406,6 +414,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
else
TEST_ASSERT( "Unknown algorithm profile" == 0 );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
if( strcmp( verify_callback, "NULL" ) == 0 )
f_vrfy = NULL;
else if( strcmp( verify_callback, "verify_none" ) == 0 )
@ -414,16 +423,28 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
f_vrfy = verify_all;
else
TEST_ASSERT( "No known verify callback selected" == 0 );
#else
if( strcmp( verify_callback, "NULL" ) != 0 )
TEST_ASSERT( "Verify callbacks disabled" == 0 );
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 );
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn_name,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, f_vrfy, NULL );
#else
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn_name,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags );
#endif
TEST_ASSERT( res == ( result ) );
if( flags != (uint32_t) flags_result )
@ -441,7 +462,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
void x509_verify_callback( char *crt_file, char *ca_file, char *name,
int exp_ret, char *exp_vrfy_out )
{
@ -827,11 +848,21 @@ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int,
TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 );
/* Try to verify that chain */
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, NULL, NULL );
&flags,
NULL, NULL );
#else
ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags );
#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
TEST_ASSERT( ret == ret_chk );
TEST_ASSERT( flags == (uint32_t) flags_chk );
@ -841,7 +872,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca,
int flags_result, int result,
char *profile_name, int vrfy_fatal_lvls )