mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 17:05:42 +01:00
Change X.509 verify flags to uint32_t
This commit is contained in:
parent
e85fef10b5
commit
e6ef16f98c
@ -40,6 +40,11 @@ API Changes
|
||||
pointer, parameters reordered).
|
||||
* mbedtls_ssl_conf_truncated_hmac() now returns void.
|
||||
* mbedtls_memory_bufer_alloc_init() now returns void.
|
||||
* X.509 verification flags are now an uint32_t. Affect the signature of:
|
||||
mbedtls_ssl_get_verify_result()
|
||||
mbedtls_x509_ctr_verify_info()
|
||||
mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be update)
|
||||
mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
|
||||
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
|
||||
return void.
|
||||
* ecdsa_write_signature() gained an addtional md_alg argument and
|
||||
|
@ -590,7 +590,7 @@ struct mbedtls_ssl_session
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
int verify_result; /*!< verification result */
|
||||
uint32_t verify_result; /*!< verification result */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
unsigned char *ticket; /*!< RFC 5077 session ticket */
|
||||
@ -823,7 +823,7 @@ typedef struct
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
/** Callback to customize X.509 certificate chain verification */
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *);
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
|
||||
void *p_vrfy; /*!< context for X.509 verify calllback */
|
||||
#endif
|
||||
|
||||
@ -1242,7 +1242,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
|
||||
* \param p_vrfy verification parameter
|
||||
*/
|
||||
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
@ -2107,7 +2107,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
|
||||
* a combination of BADCERT_xxx and BADCRL_xxx flags, see
|
||||
* x509.h
|
||||
*/
|
||||
int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
|
||||
uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
|
||||
|
||||
/**
|
||||
* \brief Return the name of the current ciphersuite
|
||||
@ -2424,7 +2424,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint,
|
||||
int *flags );
|
||||
uint32_t *flags );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
void mbedtls_ssl_write_version( int major, int minor, int transport,
|
||||
|
@ -214,22 +214,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
|
||||
* case of an error.
|
||||
*/
|
||||
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
int flags );
|
||||
|
||||
/**
|
||||
* \brief Returns an informational string about the
|
||||
* verification status of a certificate.
|
||||
*
|
||||
* \param buf Buffer to write to
|
||||
* \param size Maximum size of buffer
|
||||
* \param prefix A line prefix
|
||||
* \param flags Verification flags created by mbedtls_x509_crt_verify()
|
||||
*
|
||||
* \return The amount of data written to the buffer, or -1 in
|
||||
* case of an error.
|
||||
*/
|
||||
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
int flags );
|
||||
uint32_t flags );
|
||||
|
||||
/**
|
||||
* \brief Verify the certificate signature
|
||||
@ -270,8 +255,8 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const char *cn, int *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy );
|
||||
|
||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||
|
@ -850,7 +850,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
{
|
||||
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
|
||||
mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||
int flags;
|
||||
uint32_t flags;
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if( ssl->handshake->sni_key_cert != NULL )
|
||||
|
@ -5219,7 +5219,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
conf->f_vrfy = f_vrfy;
|
||||
@ -5682,7 +5682,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
|
||||
return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
|
||||
uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
|
||||
{
|
||||
if( ssl->session != NULL )
|
||||
return( ssl->session->verify_result );
|
||||
@ -6828,7 +6828,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint,
|
||||
int *flags )
|
||||
uint32_t *flags )
|
||||
{
|
||||
int ret = 0;
|
||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||
|
@ -998,7 +998,7 @@ int mbedtls_x509_self_test( int verbose )
|
||||
{
|
||||
#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
|
||||
int ret;
|
||||
int flags;
|
||||
uint32_t flags;
|
||||
mbedtls_x509_crt cacert;
|
||||
mbedtls_x509_crt clicert;
|
||||
|
||||
|
@ -1408,7 +1408,7 @@ static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
|
||||
};
|
||||
|
||||
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
|
||||
int flags )
|
||||
uint32_t flags )
|
||||
{
|
||||
int ret;
|
||||
const struct x509_crt_verify_string *cur;
|
||||
@ -1767,12 +1767,13 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
|
||||
|
||||
static int x509_crt_verify_top(
|
||||
mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
|
||||
mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
int ret;
|
||||
int ca_flags = 0, check_path_cnt = path_cnt + 1;
|
||||
uint32_t ca_flags = 0;
|
||||
int check_path_cnt = path_cnt + 1;
|
||||
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
||||
const mbedtls_md_info_t *md_info;
|
||||
|
||||
@ -1881,12 +1882,12 @@ static int x509_crt_verify_top(
|
||||
|
||||
static int x509_crt_verify_child(
|
||||
mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
|
||||
mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
int ret;
|
||||
int parent_flags = 0;
|
||||
uint32_t parent_flags = 0;
|
||||
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
|
||||
mbedtls_x509_crt *grandparent;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
@ -1971,8 +1972,8 @@ static int x509_crt_verify_child(
|
||||
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
|
||||
mbedtls_x509_crt *trust_ca,
|
||||
mbedtls_x509_crl *ca_crl,
|
||||
const char *cn, int *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
|
||||
const char *cn, uint32_t *flags,
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
|
||||
void *p_vrfy )
|
||||
{
|
||||
size_t cn_len;
|
||||
|
@ -85,6 +85,7 @@ static void my_debug( void *ctx, int level, const char *str )
|
||||
int main( int argc, char *argv[] )
|
||||
{
|
||||
int ret, len, server_fd = -1;
|
||||
uint32_t flags;
|
||||
unsigned char buf[1024];
|
||||
const char *pers = "dtls_client";
|
||||
int retry_left = MAX_RETRY;
|
||||
@ -221,23 +222,15 @@ int main( int argc, char *argv[] )
|
||||
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
|
||||
* handshake would not succeed if the peer's cert is bad. Even if we used
|
||||
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_EXPIRED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has expired\n" );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
|
||||
mbedtls_printf( " ! server certificate has been revoked\n" );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
|
||||
mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
|
||||
|
||||
if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
|
||||
mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
|
||||
|
||||
mbedtls_printf( "\n" );
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
else
|
||||
mbedtls_printf( " ok\n" );
|
||||
|
@ -77,6 +77,7 @@ static void my_debug( void *ctx, int level, const char *str )
|
||||
int main( void )
|
||||
{
|
||||
int ret, len, server_fd = -1;
|
||||
uint32_t flags;
|
||||
unsigned char buf[1024];
|
||||
const char *pers = "ssl_client1";
|
||||
|
||||
@ -204,13 +205,13 @@ int main( void )
|
||||
mbedtls_printf( " . Verifying peer X.509 certificate..." );
|
||||
|
||||
/* In real life, we probably want to bail out when ret != 0 */
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
|
@ -364,7 +364,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
|
||||
/*
|
||||
* Enabled if debug_level > 1 in code below
|
||||
*/
|
||||
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
|
||||
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
|
||||
{
|
||||
char buf[1024];
|
||||
((void) data);
|
||||
@ -388,6 +388,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
|
||||
int main( int argc, char *argv[] )
|
||||
{
|
||||
int ret = 0, len, tail_len, server_fd, i, written, frags, retry_left;
|
||||
uint32_t flags;
|
||||
unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
|
||||
@ -1260,13 +1261,13 @@ int main( int argc, char *argv[] )
|
||||
*/
|
||||
mbedtls_printf( " . Verifying peer X.509 certificate..." );
|
||||
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
|
@ -166,6 +166,7 @@ static void my_debug( void *ctx, int level, const char *str )
|
||||
static int do_handshake( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
uint32_t flags;
|
||||
unsigned char buf[1024];
|
||||
memset(buf, 0, 1024);
|
||||
|
||||
@ -196,13 +197,13 @@ static int do_handshake( mbedtls_ssl_context *ssl )
|
||||
mbedtls_printf( " . Verifying peer X.509 certificate..." );
|
||||
|
||||
/* In real life, we probably want to bail out when ret != 0 */
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
|
@ -705,6 +705,7 @@ void term_handler( int sig )
|
||||
int main( int argc, char *argv[] )
|
||||
{
|
||||
int ret = 0, len, written, frags, exchanges_left;
|
||||
uint32_t flags;
|
||||
int version_suites[4][2];
|
||||
unsigned char buf[IO_BUF_LEN];
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
@ -1896,13 +1897,13 @@ reset:
|
||||
*/
|
||||
mbedtls_printf( " . Verifying peer X.509 certificate..." );
|
||||
|
||||
if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
|
||||
{
|
||||
char vrfy_buf[512];
|
||||
|
||||
mbedtls_printf( " failed\n" );
|
||||
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
|
||||
mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
|
||||
|
||||
mbedtls_printf( "%s\n", vrfy_buf );
|
||||
}
|
||||
|
@ -140,7 +140,7 @@ int main( void )
|
||||
* 1.3. Load own certificate
|
||||
*/
|
||||
char name[512];
|
||||
int flags;
|
||||
uint32_t flags;
|
||||
mbedtls_x509_crt clicert;
|
||||
mbedtls_pk_context pk;
|
||||
|
||||
|
@ -119,7 +119,7 @@ static void my_debug( void *ctx, int level, const char *str )
|
||||
}
|
||||
}
|
||||
|
||||
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
|
||||
static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
|
||||
{
|
||||
char buf[1024];
|
||||
((void) data);
|
||||
@ -152,7 +152,8 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_x509_crl cacrl;
|
||||
mbedtls_pk_context pkey;
|
||||
int i, j;
|
||||
int flags, verify = 0;
|
||||
uint32_t flags;
|
||||
int verify = 0;
|
||||
char *p, *q;
|
||||
const char *pers = "cert_app";
|
||||
|
||||
|
@ -6,7 +6,7 @@
|
||||
#include "mbedtls/oid.h"
|
||||
#include "mbedtls/base64.h"
|
||||
|
||||
int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
|
||||
int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
|
||||
{
|
||||
((void) data);
|
||||
((void) crt);
|
||||
@ -16,7 +16,7 @@ int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *
|
||||
return 0;
|
||||
}
|
||||
|
||||
int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
|
||||
int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
|
||||
{
|
||||
((void) data);
|
||||
((void) crt);
|
||||
@ -126,9 +126,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
||||
mbedtls_x509_crt crt;
|
||||
mbedtls_x509_crt ca;
|
||||
mbedtls_x509_crl crl;
|
||||
int flags = 0;
|
||||
uint32_t flags = 0;
|
||||
int res;
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *) = NULL;
|
||||
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
|
||||
char * cn_name = NULL;
|
||||
|
||||
mbedtls_x509_crt_init( &crt );
|
||||
@ -154,7 +154,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
|
||||
res = mbedtls_x509_crt_verify( &crt, &ca, &crl, cn_name, &flags, f_vrfy, NULL );
|
||||
|
||||
TEST_ASSERT( res == ( result ) );
|
||||
TEST_ASSERT( flags == ( flags_result ) );
|
||||
TEST_ASSERT( flags == (uint32_t)( flags_result ) );
|
||||
|
||||
exit:
|
||||
mbedtls_x509_crt_free( &crt );
|
||||
|
Loading…
Reference in New Issue
Block a user