From 9ec3fe0d4371b3d384b53da199775def7ab3abee Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Mon, 1 Jul 2019 17:36:12 +0100 Subject: [PATCH] Introduce configuration option to remove CRT verification callbacks --- configs/baremetal.h | 1 + include/mbedtls/config.h | 11 ++++++ include/mbedtls/ssl.h | 8 +++-- include/mbedtls/x509_crt.h | 30 ++++++++++------ library/ssl_tls.c | 10 ++++-- library/version_features.c | 3 ++ library/x509.c | 9 +++++ library/x509_crt.c | 35 +++++++++++++----- programs/ssl/query_config.c | 8 +++++ programs/ssl/ssl_client2.c | 20 +++++++---- programs/x509/cert_app.c | 19 ++++++++-- scripts/config.pl | 2 ++ tests/scripts/all.sh | 15 ++++++++ tests/ssl-opt.sh | 36 +++++++++++++++++++ tests/suites/test_suite_x509parse.data | 6 ++-- tests/suites/test_suite_x509parse.function | 41 +++++++++++++++++++--- 16 files changed, 213 insertions(+), 41 deletions(-) diff --git a/configs/baremetal.h b/configs/baremetal.h index 1b522551a..e1066fe7b 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -116,6 +116,7 @@ #define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID #define MBEDTLS_X509_ON_DEMAND_PARSING #define MBEDTLS_X509_ALWAYS_FLUSH +#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f32498b1b..22b6e5430 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2018,6 +2018,17 @@ */ //#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +/** + * \def MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + * + * Remove support for X.509 certificate verification callbacks. + * + * Uncomment to save some bytes of code by removing support for X.509 + * certificate verification callbacks in mbedtls_x509_crt_verify() and + * related verification API. + */ +#define MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 40ad4b114..db5465a36 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1033,7 +1033,8 @@ struct mbedtls_ssl_config void *p_sni; /*!< context for SNI callback */ #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) /** Callback to customize X.509 certificate chain verification */ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); void *p_vrfy; /*!< context for X.509 verify calllback */ @@ -1588,7 +1589,8 @@ void mbedtls_ssl_conf_transport( mbedtls_ssl_config *conf, int transport ); */ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) /** * \brief Set the verification callback (Optional). * @@ -1603,7 +1605,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if !defined(MBEDTLS_SSL_CONF_RNG) /** diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 182ab15b0..f0801df79 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -502,14 +502,17 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, * verification process. */ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, - mbedtls_x509_crt *trust_ca, - mbedtls_x509_crl *ca_crl, + mbedtls_x509_crt *trust_ca, + mbedtls_x509_crl *ca_crl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) - const char *cn, + const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ); + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ); /** * \brief Verify the certificate signature according to profile @@ -545,9 +548,12 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ); + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ); /** * \brief Restartable version of \c mbedtls_crt_verify_with_profile() @@ -579,8 +585,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), + void *p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ mbedtls_x509_crt_restart_ctx *rs_ctx ); #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index e47c45657..6aebc0814 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7181,7 +7181,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, ssl->hostname, #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &ssl->session_negotiate->verify_result, - ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ssl->conf->f_vrfy, ssl->conf->p_vrfy, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + rs_ctx ); if( verify_ret != 0 ) { @@ -8523,7 +8526,8 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) #endif /* MBEDTLS_SSL_CONF_AUTHMODE */ } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) @@ -8531,7 +8535,7 @@ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, conf->f_vrfy = f_vrfy; conf->p_vrfy = p_vrfy; } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if !defined(MBEDTLS_SSL_CONF_RNG) void mbedtls_ssl_conf_rng( mbedtls_ssl_config *conf, diff --git a/library/version_features.c b/library/version_features.c index bb655c0c9..23aaa2a52 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -576,6 +576,9 @@ static const char *features[] = { #if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION", #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ +#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) "MBEDTLS_X509_RSASSA_PSS_SUPPORT", #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ diff --git a/library/x509.c b/library/x509.c index 19cc64b79..0eca0592a 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1250,11 +1250,20 @@ int mbedtls_x509_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n X.509 signature verify: "); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, NULL, NULL ); +#else + ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif + if( ret != 0 ) { if( verbose != 0 ) diff --git a/library/x509_crt.c b/library/x509_crt.c index 0089ef2a3..730126be8 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -3590,9 +3590,12 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) + , void *p_vrfy +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, &mbedtls_x509_crt_profile_default, @@ -3600,7 +3603,10 @@ int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ flags, - f_vrfy, p_vrfy, NULL ) ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + f_vrfy, p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + NULL ) ); } /* @@ -3613,16 +3619,23 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - uint32_t *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), - void *p_vrfy ) + uint32_t *flags +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + , int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) + , void *p_vrfy +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - flags, f_vrfy, p_vrfy, NULL ) ); + flags, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + f_vrfy, p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + NULL ) ); } /* @@ -3643,8 +3656,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, const char *cn, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ mbedtls_x509_crt_restart_ctx *rs_ctx ) { int ret; @@ -3702,7 +3717,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, ver_chain.items[0].flags |= ee_flags; /* Build final flags, calling callback on the way if any */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy ); +#else + ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, NULL, NULL ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ exit: #if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE) diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index dd5051466..0f555b717 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1578,6 +1578,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ +#if defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + if( strcmp( "MBEDTLS_X509_REMOVE_VERIFY_CALLBACK", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_VERIFY_CALLBACK ); + return( 0 ); + } +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) { diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 788793a49..6fa051a90 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -664,6 +664,8 @@ static int send_cb( void *ctx, unsigned char const *buf, size_t len ) !MBEDTLS_SSL_CONF_RECV_TIMEOUT */ #if defined(MBEDTLS_X509_CRT_PARSE_C) + +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) static unsigned char peer_crt_info[1024]; /* @@ -704,6 +706,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, return( 0 ); } +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -1894,8 +1897,10 @@ int main( int argc, char *argv[] ) #endif } +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ @@ -2316,10 +2321,11 @@ int main( int argc, char *argv[] ) else mbedtls_printf( " ok\n" ); -#if !defined(MBEDTLS_X509_REMOVE_INFO) +#if !defined(MBEDTLS_X509_REMOVE_INFO) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_printf( " . Peer certificate information ...\n" ); mbedtls_printf( "%s\n", peer_crt_info ); -#endif /* !MBEDTLS_X509_REMOVE_INFO */ +#endif /* !MBEDTLS_X509_REMOVE_INFO && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2648,9 +2654,10 @@ send_request: mbedtls_printf( " . Restarting connection from same port..." ); fflush( stdout ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { @@ -2825,9 +2832,10 @@ reconnect: mbedtls_printf( " . Reconnecting with saved session..." ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && \ + !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) memset( peer_crt_info, 0, sizeof( peer_crt_info ) ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ if( ( ret = mbedtls_ssl_session_reset( &ssl ) ) != 0 ) { diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 74efea388..b82f83f8f 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -129,6 +129,7 @@ static void my_debug( void *ctx, int level, } #endif /* MBEDTLS_DEBUG_C */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags ) { char buf[1024]; @@ -148,6 +149,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *fl return( 0 ); } +#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ #if defined(MBEDTLS_SSL_CONF_RNG) int rng_wrap( void *ctx, unsigned char *dst, size_t len ); @@ -363,11 +365,21 @@ int main( int argc, char *argv[] ) { mbedtls_printf( " . Verifying X.509 certificate..." ); - if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, my_verify, NULL ) ) != 0 ) + &flags, + my_verify, NULL ); +#else /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + if( ret != 0 ) { char vrfy_buf[512]; @@ -436,7 +448,10 @@ int main( int argc, char *argv[] ) { mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) mbedtls_ssl_conf_verify( &conf, my_verify, NULL ); +#endif } else mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); diff --git a/scripts/config.pl b/scripts/config.pl index 751ea1db1..0922e53a7 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -43,6 +43,7 @@ # MBEDTLS_X509_CRT_REMOVE_TIME # MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID # MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +# MBEDTLS_X509_REMOVE_VERIFY_CALLBACK # MBEDTLS_ZLIB_SUPPORT # MBEDTLS_PKCS11_C # and any symbol beginning _ALT @@ -110,6 +111,7 @@ MBEDTLS_X509_REMOVE_INFO MBEDTLS_X509_CRT_REMOVE_TIME MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +MBEDTLS_X509_REMOVE_VERIFY_CALLBACK MBEDTLS_ZLIB_SUPPORT MBEDTLS_PKCS11_C MBEDTLS_NO_UDBL_DIVISION diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1e3287c46..ff0019bbf 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1348,6 +1348,21 @@ component_test_no_hostname_verification () { if_build_succeeded tests/ssl-opt.sh } +component_test_no_x509_verify_callback () { + msg "build: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests + scripts/config.pl set MBEDTLS_X509_REMOVE_VERIFY_CALLBACK + make CFLAGS='-Werror -O1' + + msg "test: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s + make test + + msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 1 min + if_build_succeeded tests/ssl-opt.sh +} + component_build_arm_none_eabi_gcc () { msg "build: arm-none-eabi-gcc, make" # ~ 10s scripts/config.pl baremetal diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index da87793ec..38bfed728 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -1188,6 +1188,7 @@ run_test "CertificateRequest with empty CA list, TLS 1.0 (GnuTLS server)" \ requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SHA-1 forbidden by default in server certificate" \ "$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \ "$P_CLI debug_level=2 allow_sha1=0" \ @@ -1212,6 +1213,7 @@ run_test "SHA-256 allowed by default in server certificate" \ requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SHA-1 forbidden by default in client certificate" \ "$P_SRV auth_mode=required allow_sha1=0" \ "$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \ @@ -3653,6 +3655,7 @@ run_test "DER format: with 9 trailing random bytes" \ # Tests for auth_mode requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server badcert, client required" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -3664,6 +3667,7 @@ run_test "Authentication: server badcert, client required" \ -c "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server badcert, client optional" \ "$P_SRV crt_file=data_files/server5-badsign.crt \ key_file=data_files/server5.key" \ @@ -3675,6 +3679,7 @@ run_test "Authentication: server badcert, client optional" \ -C "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server goodcert, client optional, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \ @@ -3687,6 +3692,7 @@ run_test "Authentication: server goodcert, client optional, no trusted CA" \ -C "SSL - No CA Chain is set, but required to operate" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: server goodcert, client required, no trusted CA" \ "$P_SRV" \ "$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \ @@ -3783,6 +3789,7 @@ run_test "Authentication: client has no cert, server required (TLS)" \ -s "No client certification received from the client, but required by the authentication mode" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client badcert, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -3805,6 +3812,7 @@ run_test "Authentication: client badcert, server required" \ # before reading the alert message. requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client cert not trusted, server required" \ "$P_SRV debug_level=3 auth_mode=required" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -3823,6 +3831,7 @@ run_test "Authentication: client cert not trusted, server required" \ -s "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client badcert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \ @@ -3858,6 +3867,7 @@ run_test "Authentication: client badcert, server none" \ -S "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional" \ "$P_CLI debug_level=3 crt_file=none key_file=none" \ @@ -3876,6 +3886,7 @@ run_test "Authentication: client no cert, server optional" \ -S "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: openssl client no cert, server optional" \ "$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \ "$O_CLI" \ @@ -3908,6 +3919,7 @@ run_test "Authentication: client no cert, openssl server required" \ requires_config_enabled MBEDTLS_SSL_PROTO_SSL3 requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: client no cert, ssl3" \ "$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \ "$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \ @@ -4026,6 +4038,7 @@ run_test "Authentication: do not send CA list in CertificateRequest" \ -S "requested DN" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Authentication: send CA list in CertificateRequest, client self signed" \ "$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \ "$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \ @@ -4041,6 +4054,7 @@ run_test "Authentication: send CA list in CertificateRequest, client self sig # Tests for certificate selection based on SHA verson requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4052,6 +4066,7 @@ run_test "Certificate hash: client TLS 1.2 -> SHA-2" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4063,6 +4078,7 @@ run_test "Certificate hash: client TLS 1.1 -> SHA-1" \ -c "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4074,6 +4090,7 @@ run_test "Certificate hash: client TLS 1.0 -> SHA-1" \ -c "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ "$P_SRV crt_file=data_files/server5.crt \ key_file=data_files/server5.key \ @@ -4086,6 +4103,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \ -C "signed using.*ECDSA with SHA1" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ "$P_SRV crt_file=data_files/server6.crt \ key_file=data_files/server6.key \ @@ -4100,6 +4118,7 @@ run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \ # tests for SNI requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: no SNI callback" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -4111,6 +4130,7 @@ run_test "SNI: no SNI callback" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4123,6 +4143,7 @@ run_test "SNI: matching cert 1" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4189,6 +4210,7 @@ run_test "SNI: client auth override: optional -> none" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA no override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4209,6 +4231,7 @@ run_test "SNI: CA no override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4229,6 +4252,7 @@ run_test "SNI: CA override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4250,6 +4274,7 @@ run_test "SNI: CA override with CRL" \ # Tests for SNI and DTLS requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, no SNI callback" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key" \ @@ -4261,6 +4286,7 @@ run_test "SNI: DTLS, no SNI callback" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4273,6 +4299,7 @@ run_test "SNI: DTLS, matching cert 1" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4339,6 +4366,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4378,6 +4406,7 @@ run_test "SNI: DTLS, CA override" \ requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ @@ -4816,6 +4845,7 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \ -C "Ciphersuite is TLS-" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ke.crt" \ @@ -4848,6 +4878,7 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \ -C "Ciphersuite is TLS-" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \ "$O_SRV -key data_files/server2.key \ -cert data_files/server2.ku-ds.crt" \ @@ -6399,6 +6430,7 @@ run_test "EC restart: TLS, max_ops=1000" \ requires_config_enabled MBEDTLS_ECP_RESTARTABLE requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "EC restart: TLS, max_ops=1000, badsign" \ "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ crt_file=data_files/server5-badsign.crt \ @@ -6435,6 +6467,7 @@ run_test "EC restart: TLS, max_ops=1000, auth_mode=optional badsign" \ -C "X509 - Certificate verification failed" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK requires_config_enabled MBEDTLS_ECP_RESTARTABLE run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \ "$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \ @@ -6535,6 +6568,7 @@ run_test "SSL async private: sign, RSA, TLS 1.1" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "SSL async private: sign, SNI" \ "$P_SRV debug_level=3 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \ @@ -6998,6 +7032,7 @@ run_test "DTLS client auth: required" \ -s "Verifying peer X.509 certificate... ok" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "DTLS client auth: optional, client has no cert" \ "$P_SRV dtls=1 auth_mode=optional" \ "$P_CLI dtls=1 crt_file=none key_file=none" \ @@ -7005,6 +7040,7 @@ run_test "DTLS client auth: optional, client has no cert" \ -s "! Certificate was missing" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK run_test "DTLS client auth: none, client has no cert" \ "$P_SRV dtls=1 auth_mode=none" \ "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \ diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 375feb9a3..aa4099537 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -560,11 +560,11 @@ depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBE x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #19 (Valid Cert, denying callback) -depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none" X509 CRT verification #19 (Not trusted Cert, allowing callback) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all" X509 CRT verification #21 (domain matching wildcard certificate, case insensitive) @@ -920,7 +920,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MB x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #92 (bad name, allowing callback) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all" X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 96ad7d932..130d90fa8 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -334,7 +334,10 @@ void x509_verify_restart( char *crt_file, char *ca_file, NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, - NULL, NULL, &rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + NULL, NULL, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + &rs_ctx ); } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); TEST_ASSERT( ret == result ); @@ -355,7 +358,10 @@ void x509_verify_restart( char *crt_file, char *ca_file, NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, - NULL, NULL, &rs_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) + NULL, NULL, +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + &rs_ctx ); TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); exit: @@ -376,7 +382,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, mbedtls_x509_crl crl; uint32_t flags = 0; int res; +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; +#endif const mbedtls_x509_crt_profile *profile; #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) char * cn_name = NULL; @@ -406,6 +414,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, else TEST_ASSERT( "Unknown algorithm profile" == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) if( strcmp( verify_callback, "NULL" ) == 0 ) f_vrfy = NULL; else if( strcmp( verify_callback, "verify_none" ) == 0 ) @@ -414,16 +423,28 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, f_vrfy = verify_all; else TEST_ASSERT( "No known verify callback selected" == 0 ); +#else + if( strcmp( verify_callback, "NULL" ) != 0 ) + TEST_ASSERT( "Verify callbacks disabled" == 0 ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) cn_name, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &flags, f_vrfy, NULL ); +#else + res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + cn_name, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif TEST_ASSERT( res == ( result ) ); if( flags != (uint32_t) flags_result ) @@ -441,7 +462,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ void x509_verify_callback( char *crt_file, char *ca_file, char *name, int exp_ret, char *exp_vrfy_out ) { @@ -827,11 +848,21 @@ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int, TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); /* Try to verify that chain */ +#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK) ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) NULL, #endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ - &flags, NULL, NULL ); + &flags, + NULL, NULL ); +#else + ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags ); +#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ + TEST_ASSERT( ret == ret_chk ); TEST_ASSERT( flags == (uint32_t) flags_chk ); @@ -841,7 +872,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, int flags_result, int result, char *profile_name, int vrfy_fatal_lvls )