Print X.509 verify info strings even if MBEDTLS_X509_REMOVE_INFO

The new compile-time option MBEDTLS_X509_REMOVE_INFO removes various
X.509 debugging strings and functionality, including

```
  mbedtls_x509_crt_verify_info()
```

which ssl_client2.c and ssl_server2.c use to print human readable
descriptions of X.509 verification failure conditions. Those
conditions are also grepped for in numerous ssl-opt.sh tests.

Instead of disabling those tests if MBEDTLS_X509_REMOVE_INFO is set,
this commit essentially moves mbedtls_x509_crt_verify_info() to
ssl_client2.c and ssl_server2.c. However, instead of just copy-pasting
the code from x509_crt.c, the following approach is used:

A macro MBEDTLS_X509_CRT_ERROR_INFO_LIST is introduced which for each
verification failure condition invokes a user-defined macro X509_CRT_ERROR_INFO
with (a) the numerical error code, (b) the string representation of the
corresponding error macro, (c) the info string for the error condition.
This macro can thus be used to generate code which iterates over
the verification failure conditions, while the list of error conditions and
information strings is not duplicated anywhere.

This is then used to re-implement mbedtls_x509_crt_verify_info() in
x509_crt.c and to provide a functionally equivalent (yet slightly different)
version in ssl_client2.c and ssl_server2.c in case MBEDTLS_X509_REMOVE_INFO
is set.

This way, little changes to ssl-opt.sh will be necessary in case
MBEDTLS_X509_REMOVE_INFO is set because the info strings for the
verification failure conditions will be printed regardless of whether
MBEDTLS_X509_REMOVE_INFO is set or not.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index d3a4ed3..a8cc150 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -623,6 +623,42 @@
 
 #include "ssl_test_common_source.c"
 
+#if !defined(MBEDTLS_X509_REMOVE_INFO)
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags )
+{
+    return( mbedtls_x509_crt_verify_info( buf, size, prefix, flags ) );
+}
+#else /* !MBEDTLS_X509_REMOVE_INFO */
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          uint32_t flags )
+{
+    int ret;
+    char *p = buf;
+    size_t n = size;
+
+#define X509_CRT_ERROR_INFO( err, err_str, info )                      \
+    if( ( flags & err ) != 0 )                                         \
+    {                                                                  \
+        ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, info );        \
+        MBEDTLS_X509_SAFE_SNPRINTF;                                    \
+        flags ^= err;                                                  \
+    }
+
+    MBEDTLS_X509_CRT_ERROR_INFO_LIST
+#undef X509_CRT_ERROR_INFO
+
+    if( flags != 0 )
+    {
+        ret = mbedtls_snprintf( p, n, "%sUnknown reason "
+                                       "(this should not happen)\n", prefix );
+        MBEDTLS_X509_SAFE_SNPRINTF;
+    }
+
+    return( (int) ( size - n ) );
+}
+#endif /* MBEDTLS_X509_REMOVE_INFO */
+
 /*
  * Return authmode from string, or -1 on error
  */
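Review bot: Both definitions of `x509_crt_verify_info()` are compiled unconditionally, while the handshake-failure call site is only built under `MBEDTLS_X509_CRT_PARSE_C`. If this program is meant to build without X.509 certificate support, which the hunk does not show, the helper would then reference `mbedtls_x509_crt_verify_info()` or `MBEDTLS_X509_CRT_ERROR_INFO_LIST` with nothing behind them. Wrapping the whole block in `#if defined(MBEDTLS_X509_CRT_PARSE_C)` ... `#endif` and declaring the function `static` would avoid that and keep the symbol out of the global namespace. Since the commit message says ssl_client2.c gets an equivalent copy and `ssl_test_common_source.c` is included just above, defining the helper once in that shared file would remove the duplication. A one-line comment that the function returns the number of bytes written, or a negative value when `MBEDTLS_X509_SAFE_SNPRINTF` bails out, would also help callers.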
@@ -3134,13 +3170,13 @@
     {
         mbedtls_printf( " failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
         if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
         {
             char vrfy_buf[512];
             flags = mbedtls_ssl_get_verify_result( &ssl );
 
-            mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
+            x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
             mbedtls_printf( "%s\n", vrfy_buf );
         }
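Review bot: `vrfy_buf` is uninitialised and is printed with `%s` whatever `x509_crt_verify_info()` returns, so if the helper writes nothing the print reads indeterminate stack bytes. That can happen if `flags` is 0, which this branch does not check, or if `mbedtls_snprintf` fails on the first entry. Initialising the buffer with `char vrfy_buf[512] = "";`, or printing only when the call returns a non-negative value, would close this. The ignored return value also hides truncation, which seems possible with 512 bytes when many flags are set. The same ignored return applies to the call in the following hunk (`@@ -3188,17 +3224,12 @@`), although `flags != 0` is checked there; the enclosing function starts and ends outside both hunks.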
@@ -3188,17 +3224,12 @@
 
     if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
         char vrfy_buf[512];
-#endif
 
         mbedtls_printf( " failed\n" );
 
-#if !defined(MBEDTLS_X509_REMOVE_INFO)
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
-
+        x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
         mbedtls_printf( "%s\n", vrfy_buf );
-#endif
     }
     else
         mbedtls_printf( " ok\n" );