diff --git a/ChangeLog b/ChangeLog index b6278a5dc..63dfc1fcc 100644 --- a/ChangeLog +++ b/ChangeLog @@ -40,6 +40,11 @@ API Changes pointer, parameters reordered). * mbedtls_ssl_conf_truncated_hmac() now returns void. * mbedtls_memory_bufer_alloc_init() now returns void. + * X.509 verification flags are now an uint32_t. Affect the signature of: + mbedtls_ssl_get_verify_result() + mbedtls_x509_ctr_verify_info() + mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be update) + mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated) * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now return void. * ecdsa_write_signature() gained an addtional md_alg argument and diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 1efb6a889..3076d12d5 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -590,7 +590,7 @@ struct mbedtls_ssl_session #if defined(MBEDTLS_X509_CRT_PARSE_C) mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */ #endif /* MBEDTLS_X509_CRT_PARSE_C */ - int verify_result; /*!< verification result */ + uint32_t verify_result; /*!< verification result */ #if defined(MBEDTLS_SSL_SESSION_TICKETS) unsigned char *ticket; /*!< RFC 5077 session ticket */ @@ -823,7 +823,7 @@ typedef struct #if defined(MBEDTLS_X509_CRT_PARSE_C) /** Callback to customize X.509 certificate chain verification */ - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *); + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *); void *p_vrfy; /*!< context for X.509 verify calllback */ #endif @@ -1242,7 +1242,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ); * \param p_vrfy verification parameter */ void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ @@ -2107,7 +2107,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ); * a combination of BADCERT_xxx and BADCRL_xxx flags, see * x509.h */ -int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ); +uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ); /** * \brief Return the name of the current ciphersuite @@ -2424,7 +2424,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl ) int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, const mbedtls_ssl_ciphersuite_t *ciphersuite, int cert_endpoint, - int *flags ); + uint32_t *flags ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ void mbedtls_ssl_write_version( int major, int minor, int transport, diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 5241db174..e184deeff 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -214,22 +214,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, * case of an error. */ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, - int flags ); - -/** - * \brief Returns an informational string about the - * verification status of a certificate. - * - * \param buf Buffer to write to - * \param size Maximum size of buffer - * \param prefix A line prefix - * \param flags Verification flags created by mbedtls_x509_crt_verify() - * - * \return The amount of data written to the buffer, or -1 in - * case of an error. - */ -int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, - int flags ); + uint32_t flags ); /** * \brief Verify the certificate signature @@ -270,8 +255,8 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, - const char *cn, int *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), + const char *cn, uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 7d22b4845..5d04497da 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -850,7 +850,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, { mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info ); - int flags; + uint32_t flags; #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) if( ssl->handshake->sni_key_cert != NULL ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6918e4b07..73c3a746c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -5219,7 +5219,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode ) #if defined(MBEDTLS_X509_CRT_PARSE_C) void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) { conf->f_vrfy = f_vrfy; @@ -5682,7 +5682,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl ) return( ssl->in_offt == NULL ? 0 : ssl->in_msglen ); } -int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) +uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl ) { if( ssl->session != NULL ) return( ssl->session->verify_result ); @@ -6828,7 +6828,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, const mbedtls_ssl_ciphersuite_t *ciphersuite, int cert_endpoint, - int *flags ) + uint32_t *flags ) { int ret = 0; #if defined(MBEDTLS_X509_CHECK_KEY_USAGE) diff --git a/library/x509.c b/library/x509.c index 2205400d8..55daf74d4 100644 --- a/library/x509.c +++ b/library/x509.c @@ -998,7 +998,7 @@ int mbedtls_x509_self_test( int verbose ) { #if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C) int ret; - int flags; + uint32_t flags; mbedtls_x509_crt cacert; mbedtls_x509_crt clicert; diff --git a/library/x509_crt.c b/library/x509_crt.c index 6aab3bfcc..4ebae7796 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1408,7 +1408,7 @@ static const struct x509_crt_verify_string x509_crt_verify_strings[] = { }; int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, - int flags ) + uint32_t flags ) { int ret; const struct x509_crt_verify_string *cur; @@ -1767,12 +1767,13 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child, static int x509_crt_verify_top( mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca, - mbedtls_x509_crl *ca_crl, int path_cnt, int *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), + mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) { int ret; - int ca_flags = 0, check_path_cnt = path_cnt + 1; + uint32_t ca_flags = 0; + int check_path_cnt = path_cnt + 1; unsigned char hash[MBEDTLS_MD_MAX_SIZE]; const mbedtls_md_info_t *md_info; @@ -1881,12 +1882,12 @@ static int x509_crt_verify_top( static int x509_crt_verify_child( mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt *trust_ca, - mbedtls_x509_crl *ca_crl, int path_cnt, int *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), + mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) { int ret; - int parent_flags = 0; + uint32_t parent_flags = 0; unsigned char hash[MBEDTLS_MD_MAX_SIZE]; mbedtls_x509_crt *grandparent; const mbedtls_md_info_t *md_info; @@ -1971,8 +1972,8 @@ static int x509_crt_verify_child( int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, - const char *cn, int *flags, - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *), + const char *cn, uint32_t *flags, + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) { size_t cn_len; diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 3886bbd30..0b837ba60 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -85,6 +85,7 @@ static void my_debug( void *ctx, int level, const char *str ) int main( int argc, char *argv[] ) { int ret, len, server_fd = -1; + uint32_t flags; unsigned char buf[1024]; const char *pers = "dtls_client"; int retry_left = MAX_RETRY; @@ -221,23 +222,15 @@ int main( int argc, char *argv[] ) /* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the * handshake would not succeed if the peer's cert is bad. Even if we used * MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */ - if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) { + char vrfy_buf[512]; + mbedtls_printf( " failed\n" ); - if( ( ret & MBEDTLS_X509_BADCERT_EXPIRED ) != 0 ) - mbedtls_printf( " ! server certificate has expired\n" ); + mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); - if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 ) - mbedtls_printf( " ! server certificate has been revoked\n" ); - - if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 ) - mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME ); - - if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 ) - mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" ); - - mbedtls_printf( "\n" ); + mbedtls_printf( "%s\n", vrfy_buf ); } else mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index ec1edd89a..6ff0e142b 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -77,6 +77,7 @@ static void my_debug( void *ctx, int level, const char *str ) int main( void ) { int ret, len, server_fd = -1; + uint32_t flags; unsigned char buf[1024]; const char *pers = "ssl_client1"; @@ -204,13 +205,13 @@ int main( void ) mbedtls_printf( " . Verifying peer X.509 certificate..." ); /* In real life, we probably want to bail out when ret != 0 */ - if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) { char vrfy_buf[512]; mbedtls_printf( " failed\n" ); - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); + mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); } diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d1b0b84cb..d5722ba84 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -364,7 +364,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len ) /* * Enabled if debug_level > 1 in code below */ -static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags ) +static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags ) { char buf[1024]; ((void) data); @@ -388,6 +388,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags ) int main( int argc, char *argv[] ) { int ret = 0, len, tail_len, server_fd, i, written, frags, retry_left; + uint32_t flags; unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1]; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) unsigned char psk[MBEDTLS_PSK_MAX_LEN]; @@ -1260,13 +1261,13 @@ int main( int argc, char *argv[] ) */ mbedtls_printf( " . Verifying peer X.509 certificate..." ); - if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) { char vrfy_buf[512]; mbedtls_printf( " failed\n" ); - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); + mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); } diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index cab799750..df25435f4 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -166,6 +166,7 @@ static void my_debug( void *ctx, int level, const char *str ) static int do_handshake( mbedtls_ssl_context *ssl ) { int ret; + uint32_t flags; unsigned char buf[1024]; memset(buf, 0, 1024); @@ -196,13 +197,13 @@ static int do_handshake( mbedtls_ssl_context *ssl ) mbedtls_printf( " . Verifying peer X.509 certificate..." ); /* In real life, we probably want to bail out when ret != 0 */ - if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 ) { char vrfy_buf[512]; mbedtls_printf( " failed\n" ); - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); + mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 863cc534f..4f1607f8e 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -705,6 +705,7 @@ void term_handler( int sig ) int main( int argc, char *argv[] ) { int ret = 0, len, written, frags, exchanges_left; + uint32_t flags; int version_suites[4][2]; unsigned char buf[IO_BUF_LEN]; #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) @@ -1896,13 +1897,13 @@ reset: */ mbedtls_printf( " . Verifying peer X.509 certificate..." ); - if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) + if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) { char vrfy_buf[512]; mbedtls_printf( " failed\n" ); - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret ); + mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); } diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c index 35cdce4e7..43dc44c74 100644 --- a/programs/test/ssl_cert_test.c +++ b/programs/test/ssl_cert_test.c @@ -140,7 +140,7 @@ int main( void ) * 1.3. Load own certificate */ char name[512]; - int flags; + uint32_t flags; mbedtls_x509_crt clicert; mbedtls_pk_context pk; diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 41bbb4272..7ae90154d 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -119,7 +119,7 @@ static void my_debug( void *ctx, int level, const char *str ) } } -static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags ) +static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags ) { char buf[1024]; ((void) data); @@ -152,7 +152,8 @@ int main( int argc, char *argv[] ) mbedtls_x509_crl cacrl; mbedtls_pk_context pkey; int i, j; - int flags, verify = 0; + uint32_t flags; + int verify = 0; char *p, *q; const char *pers = "cert_app"; diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 22bc18c7d..f955e3d6c 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -6,7 +6,7 @@ #include "mbedtls/oid.h" #include "mbedtls/base64.h" -int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags ) +int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) { ((void) data); ((void) crt); @@ -16,7 +16,7 @@ int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int * return 0; } -int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags ) +int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags ) { ((void) data); ((void) crt); @@ -126,9 +126,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, mbedtls_x509_crt crt; mbedtls_x509_crt ca; mbedtls_x509_crl crl; - int flags = 0; + uint32_t flags = 0; int res; - int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *) = NULL; + int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; char * cn_name = NULL; mbedtls_x509_crt_init( &crt ); @@ -154,7 +154,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, res = mbedtls_x509_crt_verify( &crt, &ca, &crl, cn_name, &flags, f_vrfy, NULL ); TEST_ASSERT( res == ( result ) ); - TEST_ASSERT( flags == ( flags_result ) ); + TEST_ASSERT( flags == (uint32_t)( flags_result ) ); exit: mbedtls_x509_crt_free( &crt );