TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / 89addc43dbc547fccf3e4b1d54bd67289a1459d2^! / .
commit89addc43dbc547fccf3e4b1d54bd67289a1459d2[log] [tgz]
authorManuel Pégourié-Gonnard <mpg@elzevir.fr>Mon Apr 20 10:56:18 2015 +0100
committerManuel Pégourié-Gonnard <mpg@elzevir.fr>Mon Apr 20 11:23:11 2015 +0100
tree288194c5e44a33a3c06204291dd7a761f8f6b8ac
parentb5f48ad82fb540835916a2687a2fabdf01e1d829 [diff]
manually merge 0c6ce2f use x509_crt_verify_info()

diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index 430060b..a039290 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c

@@ -187,24 +187,16 @@
      */
     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
 
-    /* In real life, we may want to bail out when ret != 0 */
+    /* In real life, we probably want to bail out when ret != 0 */
     if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
+        char vrfy_buf[512];
+
         mbedtls_printf( " failed\n" );
 
-        if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-            mbedtls_printf( "  ! server certificate has expired\n" );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
 
-        if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-            mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-            mbedtls_printf( "  ! CN mismatch (expected CN=%s)\n", "PolarSSL Server 1" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-            mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-        mbedtls_printf( "\n" );
+        mbedtls_printf( "%s\n", vrfy_buf );
     }
     else
         mbedtls_printf( " ok\n" );

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 892ca17..b6c776a 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c

@@ -373,29 +373,13 @@
     mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
     mbedtls_printf( "%s", buf );
 
-    if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-        mbedtls_printf( "  ! server certificate has expired\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-        mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-        mbedtls_printf( "  ! CN mismatch\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-        mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
-        mbedtls_printf( "  ! CRL not trusted\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
-        mbedtls_printf( "  ! CRL expired\n" );
-
-    if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
-        mbedtls_printf( "  ! other (unknown) flag\n" );
-
     if ( ( *flags ) == 0 )
         mbedtls_printf( "  This certificate has no flags\n" );
+    else
+    {
+        mbedtls_x509_crt_verify_info( buf, sizeof( buf ), "  ! ", *flags );
+        mbedtls_printf( "%s\n", buf );
+    }
 
     return( 0 );
 }
@@ -1287,21 +1271,13 @@
 
     if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
+        char vrfy_buf[512];
+
         mbedtls_printf( " failed\n" );
 
-        if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-            mbedtls_printf( "  ! server certificate has expired\n" );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
 
-        if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-            mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-            mbedtls_printf( "  ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-            mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-        mbedtls_printf( "\n" );
+        mbedtls_printf( "%s\n", vrfy_buf );
     }
     else
         mbedtls_printf( " ok\n" );

diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index ca54070..371d9ad 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c

@@ -163,7 +163,7 @@
     }
 }
 
-static int do_handshake( mbedtls_ssl_context *ssl, struct options *opt )
+static int do_handshake( mbedtls_ssl_context *ssl )
 {
     int ret;
     unsigned char buf[1024];
@@ -195,24 +195,16 @@
      */
     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
 
-    /* In real life, we may want to bail out when ret != 0 */
+    /* In real life, we probably want to bail out when ret != 0 */
     if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
     {
+        char vrfy_buf[512];
+
         mbedtls_printf( " failed\n" );
 
-        if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-            mbedtls_printf( "  ! server certificate has expired\n" );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
 
-        if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-            mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-            mbedtls_printf( "  ! CN mismatch (expected CN=%s)\n", opt->server_name );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-            mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-        mbedtls_printf( "\n" );
+        mbedtls_printf( "%s\n", vrfy_buf );
     }
     else
         mbedtls_printf( " ok\n" );
@@ -626,7 +618,7 @@
 
     if( opt.mode == MODE_SSL_TLS )
     {
-        if( do_handshake( &ssl, &opt ) != 0 )
+        if( do_handshake( &ssl ) != 0 )
             goto exit;
 
         mbedtls_printf( "  > Get header from server:" );
@@ -695,7 +687,7 @@
 
         mbedtls_printf(" ok\n" );
 
-        if( do_handshake( &ssl, &opt ) != 0 )
+        if( do_handshake( &ssl ) != 0 )
             goto exit;
     }
 

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index b536c22..b6d41c5 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c

@@ -1910,21 +1910,13 @@
 
     if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
+        char vrfy_buf[512];
+
         mbedtls_printf( " failed\n" );
 
-        if( !mbedtls_ssl_get_peer_cert( &ssl ) )
-            mbedtls_printf( "  ! no client certificate sent\n" );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
 
-        if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-            mbedtls_printf( "  ! client certificate has expired\n" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-            mbedtls_printf( "  ! client certificate has been revoked\n" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-            mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-        mbedtls_printf( "\n" );
+        mbedtls_printf( "%s\n", vrfy_buf );
     }
     else
         mbedtls_printf( " ok\n" );

diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 3c0c526..f33d9a3 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c

@@ -173,19 +173,14 @@
         {
             if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED )
             {
-                if( flags & MBEDTLS_X509_BADCERT_CN_MISMATCH )
-                    mbedtls_printf( " CN_MISMATCH " );
-                if( flags & MBEDTLS_BADCERT_EXPIRED )
-                    mbedtls_printf( " EXPIRED " );
-                if( flags & MBEDTLS_X509_BADCERT_REVOKED )
-                    mbedtls_printf( " REVOKED " );
-                if( flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED )
-                    mbedtls_printf( " NOT_TRUSTED " );
-                if( flags & MBEDTLS_X509_BADCRL_NOT_TRUSTED )
-                    mbedtls_printf( " CRL_NOT_TRUSTED " );
-                if( flags & MBEDTLS_X509_BADCRL_EXPIRED )
-                    mbedtls_printf( " CRL_EXPIRED " );
-            } else {
+                 char vrfy_buf[512];
+
+                 mbedtls_printf( " failed\n" );
+                 mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
+                 mbedtls_printf( "%s\n", vrfy_buf );
+             }
+             else
+             {
                 mbedtls_printf( " failed\n  !  mbedtls_x509_crt_verify returned %d\n\n", ret );
                 goto exit;
             }

diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 0ebed1a..2593b5e 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c

@@ -128,29 +128,13 @@
     mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt );
     mbedtls_printf( "%s", buf );
 
-    if( ( (*flags) & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-        mbedtls_printf( "  ! server certificate has expired\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-        mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-        mbedtls_printf( "  ! CN mismatch\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-        mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCRL_NOT_TRUSTED ) != 0 )
-        mbedtls_printf( "  ! CRL not trusted\n" );
-
-    if( ( (*flags) & MBEDTLS_X509_BADCRL_EXPIRED ) != 0 )
-        mbedtls_printf( "  ! CRL expired\n" );
-
-    if( ( (*flags) & MBEDTLS_BADCERT_OTHER ) != 0 )
-        mbedtls_printf( "  ! other (unknown) flag\n" );
-
     if ( ( *flags ) == 0 )
         mbedtls_printf( "  This certificate has no flags\n" );
+    else
+    {
+        mbedtls_x509_crt_verify_info( buf, sizeof( buf ), "  ! ", *flags );
+        mbedtls_printf( "%s\n", buf );
+    }
 
     return( 0 );
 }
@@ -358,21 +342,13 @@
             if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags,
                                          my_verify, NULL ) ) != 0 )
             {
+                char vrfy_buf[512];
+
                 mbedtls_printf( " failed\n" );
 
-                if( ( ret & MBEDTLS_BADCERT_EXPIRED ) != 0 )
-                    mbedtls_printf( "  ! server certificate has expired\n" );
+                mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
 
-                if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-                    mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-                if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-                    mbedtls_printf( "  ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
-                if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-                    mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-                mbedtls_printf( "\n" );
+                mbedtls_printf( "%s\n", vrfy_buf );
             }
             else
                 mbedtls_printf( " ok\n" );

diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 9748d8b..2493278 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh

@@ -1561,7 +1561,7 @@
             "$P_CLI debug_level=1 auth_mode=required" \
             1 \
             -c "x509_verify_cert() returned" \
-            -c "! self-signed or not signed by a trusted CA" \
+            -c "! The certificate is not correctly signed by the trusted CA" \
             -c "! mbedtls_ssl_handshake returned" \
             -c "X509 - Certificate verification failed"
 
@@ -1571,7 +1571,7 @@
             "$P_CLI debug_level=1 auth_mode=optional" \
             0 \
             -c "x509_verify_cert() returned" \
-            -c "! self-signed or not signed by a trusted CA" \
+            -c "! The certificate is not correctly signed by the trusted CA" \
             -C "! mbedtls_ssl_handshake returned" \
             -C "X509 - Certificate verification failed"
 
@@ -1581,7 +1581,7 @@
             "$P_CLI debug_level=1 auth_mode=none" \
             0 \
             -C "x509_verify_cert() returned" \
-            -C "! self-signed or not signed by a trusted CA" \
+            -C "! The certificate is not correctly signed by the trusted CA" \
             -C "! mbedtls_ssl_handshake returned" \
             -C "X509 - Certificate verification failed"
 
@@ -1597,7 +1597,7 @@
             -C "skip write certificate verify" \
             -S "skip parse certificate verify" \
             -s "x509_verify_cert() returned" \
-            -S "! self-signed or not signed by a trusted CA" \
+            -S "! The certificate is not correctly signed by the trusted CA" \
             -s "! mbedtls_ssl_handshake returned" \
             -c "! mbedtls_ssl_handshake returned" \
             -s "X509 - Certificate verification failed"
@@ -1614,7 +1614,7 @@
             -C "skip write certificate verify" \
             -S "skip parse certificate verify" \
             -s "x509_verify_cert() returned" \
-            -s "! self-signed or not signed by a trusted CA" \
+            -s "! The certificate is not correctly signed by the trusted CA" \
             -S "! mbedtls_ssl_handshake returned" \
             -C "! mbedtls_ssl_handshake returned" \
             -S "X509 - Certificate verification failed"
@@ -1631,7 +1631,7 @@
             -c "skip write certificate verify" \
             -s "skip parse certificate verify" \
             -S "x509_verify_cert() returned" \
-            -S "! self-signed or not signed by a trusted CA" \
+            -S "! The certificate is not correctly signed by the trusted CA" \
             -S "! mbedtls_ssl_handshake returned" \
             -C "! mbedtls_ssl_handshake returned" \
             -S "X509 - Certificate verification failed"
@@ -1648,7 +1648,7 @@
             -S "SSLv3 client has no certificate" \
             -c "skip write certificate verify" \
             -s "skip parse certificate verify" \
-            -s "! no client certificate sent" \
+            -s "! Certificate was missing" \
             -S "! mbedtls_ssl_handshake returned" \
             -C "! mbedtls_ssl_handshake returned" \
             -S "X509 - Certificate verification failed"
@@ -1659,7 +1659,7 @@
             0 \
             -S "skip write certificate request" \
             -s "skip parse certificate verify" \
-            -s "! no client certificate sent" \
+            -s "! Certificate was missing" \
             -S "! mbedtls_ssl_handshake returned" \
             -S "X509 - Certificate verification failed"
 
@@ -1685,7 +1685,7 @@
             -c "got no certificate to send" \
             -s "SSLv3 client has no certificate" \
             -s "skip parse certificate verify" \
-            -s "! no client certificate sent" \
+            -s "! Certificate was missing" \
             -S "! mbedtls_ssl_handshake returned" \
             -C "! mbedtls_ssl_handshake returned" \
             -S "X509 - Certificate verification failed"
@@ -2719,14 +2719,14 @@
             "$P_SRV dtls=1 auth_mode=optional" \
             "$P_CLI dtls=1 crt_file=none key_file=none" \
             0 \
-            -s "! no client certificate sent"
+            -s "! Certificate was missing"
 
-run_test    "DTLS client auth: optional, client has no cert" \
+run_test    "DTLS client auth: none, client has no cert" \
             "$P_SRV dtls=1 auth_mode=none" \
             "$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
             0 \
             -c "skip write certificate$" \
-            -s "! no client certificate sent"
+            -s "! Certificate verification was skipped"
 
 # Tests for receiving fragmented handshake messages with DTLS