Make function mbedtls_ssl_set_hostname(...) as optional

Now function mbedtls_ssl_set_hostname is compile-time configurable
in config.h with define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION.
This affects many X.509 APIs. See config.h for details.
Teppo Järvelin 2019-08-19 14:48:09 +03:00
parent f0f01e1f0a
commit 4009d8f377
23 changed files with 313 additions and 57 deletions


@ -128,6 +128,7 @@
#define MBEDTLS_X509_ON_DEMAND_PARSING #define MBEDTLS_X509_ON_DEMAND_PARSING
#define MBEDTLS_X509_ALWAYS_FLUSH #define MBEDTLS_X509_ALWAYS_FLUSH
#define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_PARSE_C
#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
/* X.509 CSR writing */ /* X.509 CSR writing */
#define MBEDTLS_X509_CSR_WRITE_C #define MBEDTLS_X509_CSR_WRITE_C
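Review bot: Defining MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION in this configuration header means every TLS client built from it validates the server chain but never binds the certificate to the expected peer, so any certificate chaining to the configured trust anchors is accepted for any host. That is a reasonable trade for a constrained image only when the trust store is dedicated to the intended peer(s) or PSK is used, and the header should say so beside the define, e.g. `/* Hostname (CN/SAN) matching is compiled out: the trust store must be restricted to the intended peer(s). */`. As far as the hunk shows this is a ready-made configuration rather than the documented default, so the one-line addition is the whole of the change here.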


@ -1624,7 +1624,8 @@ PREDEFINED = WIN32 \
ENABLE_PLUGIN \ ENABLE_PLUGIN \
ENABLE_MANAGEMENT \ ENABLE_MANAGEMENT \
ENABLE_OCC \ ENABLE_OCC \
HAVE_GETTIMEOFDAY HAVE_GETTIMEOFDAY \
DOXYGEN_ONLY
# If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then
# this tag can be used to specify a list of macro names that should be expanded. # this tag can be used to specify a list of macro names that should be expanded.


@ -1978,6 +1978,44 @@
*/ */
//#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID //#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
/**
* \def MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
*
* Remove hostname verification from APIs related to X.509 certificate validation.
*
* \warning Uncommenting this affects parsing and verification of
* X.509 certificate by leaving Common Name and Subject Alternative Name fields out
* of parsing and verification.
*
* Affected API's:
* - mbedtls_ssl_set_hostname() not available.
* - mbedtls_x509_crt_get_subject_alt_names() not available.
* - mbedtls_x509_crt_parse_der(): Subject Alternative Name field
* is not parsed.
* - mbedtls_x509_crt_parse_der_nocopy(): Subject Alternative Name field
* is not parsed.
* - mbedtls_x509_crt_parse(): Subject Alternative Name field
* is not parsed.
* - mbedtls_x509_crt_parse_file(): Subject Alternative Name field
* is not parsed.
* - mbedtls_x509_crt_parse_path(): Subject Alternative Name field
* is not parsed.
* - mbedtls_x509_crt_info(): Subject Alternative Name field
* is not parsed.
* - mbedtls_x509_crt_verify(): param \c cn is omitted from the API.
* - mbedtls_x509_crt_verify_with_profile(): param \c cn is omitted from the API.
* - mbedtls_x509_crt_verify_restartable(): param \c cn is omitted from the API.
* -
*
* Affected structs
* - ::mbedtls_x509_crt_frame: subject_alt_raw is defined out.
* - ::mbedtls_x509_crt: subject_alt_names is defined out.
*
* Uncomment this to save some code and RAM on constrained systems which
* don't need hostname verification.
*/
//#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
/** /**
* \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT
* *
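Review bot: The "Affected API's" list ends with a dangling `* -` bullet and omits the SSL-layer effect: with the option defined the client no longer sends the ServerName (SNI) extension at all, because ssl_write_hostname_ext() and its call in ssl_write_client_hello() are compiled out in ssl_cli.c in the same commit. Either drop the empty bullet or fill it with `* - mbedtls_ssl_set_hostname() being unavailable, clients no longer send the ServerName (SNI) extension.`. The \warning should also state the verification consequence, along the lines of: chain validation alone does not bind the certificate to the peer, so the trust store must be restricted to the intended peer(s). Separately, the mbedtls_x509_crt_info() entry says the field "is not parsed", whereas what the x509_crt.c hunk changes is that the subject alt name is no longer printed.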


@ -1386,10 +1386,10 @@ struct mbedtls_ssl_context
/* /*
* User settings * User settings
*/ */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
char *hostname; /*!< expected peer CN for verification char *hostname; /*!< expected peer CN for verification
(and SNI if available) */ (and SNI if available) */
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_ALPN) #if defined(MBEDTLS_SSL_ALPN)
const char *alpn_chosen; /*!< negotiated protocol */ const char *alpn_chosen; /*!< negotiated protocol */
@ -2921,7 +2921,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
const int *hashes ); const int *hashes );
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/** /**
* \brief Set or reset the hostname to check against the received * \brief Set or reset the hostname to check against the received
* server certificate. It sets the ServerName TLS extension, * server certificate. It sets the ServerName TLS extension,
@ -2941,7 +2941,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf,
* On too long input failure, old hostname is unchanged. * On too long input failure, old hostname is unchanged.
*/ */
int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname );
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
/** /**


@ -96,9 +96,10 @@ typedef struct mbedtls_x509_crt_frame
mbedtls_x509_buf_raw v3_ext; /**< The raw data for the extension list in the certificate. mbedtls_x509_buf_raw v3_ext; /**< The raw data for the extension list in the certificate.
* Might be useful for manual inspection of extensions that * Might be useful for manual inspection of extensions that
* Mbed TLS doesn't yet support. */ * Mbed TLS doesn't yet support. */
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_buf_raw subject_alt_raw; /**< The raw data for the SubjectAlternativeNames extension. */ mbedtls_x509_buf_raw subject_alt_raw; /**< The raw data for the SubjectAlternativeNames extension. */
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
mbedtls_x509_buf_raw ext_key_usage_raw; /**< The raw data for the ExtendedKeyUsage extension. */ mbedtls_x509_buf_raw ext_key_usage_raw; /**< The raw data for the ExtendedKeyUsage extension. */
} mbedtls_x509_crt_frame; } mbedtls_x509_crt_frame;
/** /**
@ -140,7 +141,9 @@ typedef struct mbedtls_x509_crt
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
#endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ #endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
int ext_types; /**< Bit string containing detected and parsed extensions */ int ext_types; /**< Bit string containing detected and parsed extensions */
int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */
@ -499,7 +502,10 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const char *cn, uint32_t *flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy ); void *p_vrfy );
@ -534,7 +540,10 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy ); void *p_vrfy );
@ -564,7 +573,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy, void *p_vrfy,
mbedtls_x509_crt_restart_ctx *rs_ctx ); mbedtls_x509_crt_restart_ctx *rs_ctx );
@ -747,6 +759,7 @@ int mbedtls_x509_crt_get_subject( mbedtls_x509_crt const *crt,
int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt, int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt,
mbedtls_x509_name **issuer ); mbedtls_x509_name **issuer );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/** /**
* \brief Request the subject alternative name of a CRT, presented * \brief Request the subject alternative name of a CRT, presented
* as a dynamically allocated linked list. * as a dynamically allocated linked list.
@ -771,6 +784,7 @@ int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt,
*/ */
int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt, int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt,
mbedtls_x509_sequence **subj_alt ); mbedtls_x509_sequence **subj_alt );
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/** /**
* \brief Request the ExtendedKeyUsage extension of a CRT, * \brief Request the ExtendedKeyUsage extension of a CRT,
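Review bot: Making `const char *cn` conditionally present in the public prototypes of mbedtls_x509_crt_verify(), mbedtls_x509_crt_verify_with_profile() and mbedtls_x509_crt_verify_restartable() changes the function signatures with configuration, so every caller must mirror the `#if` (as the programs in this commit do), and a translation unit built against a config.h that disagrees with the library's would still link yet misalign the arguments, since `cn` and `flags` are both pointers. Keeping the parameter unconditionally and, under the option, rejecting a non-NULL `cn` with `MBEDTLS_ERR_X509_BAD_INPUT_DATA` would keep one API surface and make a caller that still expects a hostname check fail loudly instead of silently verifying without one. The `|| defined(DOXYGEN_ONLY)` appears only on these declarations and not on the definitions in x509_crt.c, which is harmless for documentation builds but deserves a short comment so it is not later "aligned" into a mismatch.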


@ -51,7 +51,7 @@
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#endif #endif
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
size_t *olen ) size_t *olen )
@ -119,7 +119,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
*olen = hostname_len + 9; *olen = hostname_len + 9;
} }
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
@ -1057,7 +1057,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
// First write extensions, then the total length // First write extensions, then the total length
// //
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen; ext_len += olen;
#endif #endif


@ -6910,7 +6910,9 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
chain, chain,
ca_chain, ca_crl, ca_chain, ca_crl,
ssl->conf->cert_profile, ssl->conf->cert_profile,
#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ssl->hostname, ssl->hostname,
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&ssl->session_negotiate->verify_result, &ssl->session_negotiate->verify_result,
ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );
@ -8991,7 +8993,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf,
#endif /* MBEDTLS_SSL_CONF_SINGLE_EC */ #endif /* MBEDTLS_SSL_CONF_SINGLE_EC */
#endif /* MBEDTLS_ECP_C */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
{ {
/* Initialize to suppress unnecessary compiler warning */ /* Initialize to suppress unnecessary compiler warning */
@ -9035,7 +9037,7 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname )
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf,
@ -11789,7 +11791,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
mbedtls_free( ssl->session ); mbedtls_free( ssl->session );
} }
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ssl->hostname != NULL ) if( ssl->hostname != NULL )
{ {
mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) ); mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
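Review bot: The guard around `ssl->hostname,` in the mbedtls_x509_crt_verify_restartable() call in ssl_parse_certificate_verify() is `defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)`, while the callee's `cn` parameter in x509_crt.c is guarded by `!defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)` alone. The extra condition is presumably always true at this point (the function already uses X.509 types), but the two guards should be literally identical so the argument list cannot drift from the parameter list: `#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)`. ssl_parse_certificate_verify() starts and ends outside the hunk.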


@ -573,6 +573,9 @@ static const char *features[] = {
#if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) #if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID)
"MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID", "MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID",
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ #endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
"MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION",
#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
"MBEDTLS_X509_RSASSA_PSS_SUPPORT", "MBEDTLS_X509_RSASSA_PSS_SUPPORT",
#endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */


@ -1250,7 +1250,11 @@ int mbedtls_x509_self_test( int verbose )
if( verbose != 0 ) if( verbose != 0 )
mbedtls_printf( "passed\n X.509 signature verify: "); mbedtls_printf( "passed\n X.509 signature verify: ");
ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL ); ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, NULL, NULL );
if( ret != 0 ) if( ret != 0 )
{ {
if( verbose != 0 ) if( verbose != 0 )


@ -102,8 +102,10 @@ static int x509_crt_subject_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_name *subject ); mbedtls_x509_name *subject );
static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame const *frame, static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_name *issuer ); mbedtls_x509_name *issuer );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame, static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *subject_alt ); mbedtls_x509_sequence *subject_alt );
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame, static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *ext_key_usage ); mbedtls_x509_sequence *ext_key_usage );
@ -333,6 +335,7 @@ static void x509_crt_cache_free( mbedtls_x509_crt_cache *cache )
memset( cache, 0, sizeof( *cache ) ); memset( cache, 0, sizeof( *cache ) );
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt, int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt,
mbedtls_x509_sequence **subj_alt ) mbedtls_x509_sequence **subj_alt )
{ {
@ -355,6 +358,7 @@ int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt,
*subj_alt = seq; *subj_alt = seq;
return( ret ); return( ret );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
int mbedtls_x509_crt_get_ext_key_usage( mbedtls_x509_crt const *crt, int mbedtls_x509_crt_get_ext_key_usage( mbedtls_x509_crt const *crt,
mbedtls_x509_sequence **ext_key_usage ) mbedtls_x509_sequence **ext_key_usage )
@ -613,6 +617,7 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
return( -1 ); return( -1 );
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* /*
* Return 0 if name matches wildcard, -1 otherwise * Return 0 if name matches wildcard, -1 otherwise
*/ */
@ -648,6 +653,7 @@ static int x509_check_wildcard( char const *cn,
return( -1 ); return( -1 );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/* /*
* Reset (init or clear) a verify_chain * Reset (init or clear) a verify_chain
@ -934,6 +940,7 @@ static int x509_get_ext_key_usage( unsigned char **p,
(void *) &ext_key_usage ) ); (void *) &ext_key_usage ) );
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* /*
* SubjectAltName ::= GeneralNames * SubjectAltName ::= GeneralNames
* *
@ -972,6 +979,7 @@ static int x509_get_subject_alt_name( unsigned char *p,
asn1_build_sequence_cb, asn1_build_sequence_cb,
(void *) &subject_alt_name ) ); (void *) &subject_alt_name ) );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/* /*
* X.509 v3 extensions * X.509 v3 extensions
@ -1077,10 +1085,10 @@ static int x509_crt_get_ext_cb( void *ctx,
break; break;
case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* Copy reference to raw subject alt name data. */ /* Copy reference to raw subject alt name data. */
frame->subject_alt_raw.p = p; frame->subject_alt_raw.p = p;
frame->subject_alt_raw.len = end_ext_octet - p; frame->subject_alt_raw.len = end_ext_octet - p;
ret = mbedtls_asn1_traverse_sequence_of( &p, end_ext_octet, ret = mbedtls_asn1_traverse_sequence_of( &p, end_ext_octet,
MBEDTLS_ASN1_TAG_CLASS_MASK, MBEDTLS_ASN1_TAG_CLASS_MASK,
MBEDTLS_ASN1_CONTEXT_SPECIFIC, MBEDTLS_ASN1_CONTEXT_SPECIFIC,
@ -1089,6 +1097,7 @@ static int x509_crt_get_ext_cb( void *ctx,
NULL, NULL ); NULL, NULL );
if( ret != 0 ) if( ret != 0 )
goto err; goto err;
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
break; break;
case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE: case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE:
@ -1470,6 +1479,7 @@ static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame const *frame,
issuer ) ); issuer ) );
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame, static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *subject_alt ) mbedtls_x509_sequence *subject_alt )
{ {
@ -1487,6 +1497,7 @@ static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame,
ret += MBEDTLS_ERR_X509_INVALID_EXTENSIONS; ret += MBEDTLS_ERR_X509_INVALID_EXTENSIONS;
return( ret ); return( ret );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame, static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame,
mbedtls_x509_sequence *ext_key_usage ) mbedtls_x509_sequence *ext_key_usage )
@ -1663,9 +1674,11 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt,
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ret = x509_crt_subject_alt_from_frame( frame, &crt->subject_alt_names ); ret = x509_crt_subject_alt_from_frame( frame, &crt->subject_alt_names );
if( ret != 0 ) if( ret != 0 )
goto exit; goto exit;
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
ret = x509_crt_ext_key_usage_from_frame( frame, &crt->ext_key_usage ); ret = x509_crt_ext_key_usage_from_frame( frame, &crt->ext_key_usage );
if( ret != 0 ) if( ret != 0 )
@ -2104,6 +2117,7 @@ static int x509_crt_get_sig_info( mbedtls_x509_crt_frame const *frame,
} }
#if !defined(MBEDTLS_X509_REMOVE_INFO) #if !defined(MBEDTLS_X509_REMOVE_INFO)
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
static int x509_info_subject_alt_name( char **buf, size_t *size, static int x509_info_subject_alt_name( char **buf, size_t *size,
const mbedtls_x509_sequence *subject_alt_name ) const mbedtls_x509_sequence *subject_alt_name )
{ {
@ -2141,6 +2155,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size,
return( 0 ); return( 0 );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#define PRINT_ITEM(i) \ #define PRINT_ITEM(i) \
{ \ { \
@ -2249,7 +2264,11 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
mbedtls_pk_context pk; mbedtls_pk_context pk;
mbedtls_x509_name *issuer = NULL, *subject = NULL; mbedtls_x509_name *issuer = NULL, *subject = NULL;
mbedtls_x509_sequence *ext_key_usage = NULL, *subject_alt_names = NULL; mbedtls_x509_sequence *ext_key_usage = NULL;
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence *subject_alt_names = NULL;
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
mbedtls_x509_crt_sig_info sig_info; mbedtls_x509_crt_sig_info sig_info;
p = buf; p = buf;
@ -2287,12 +2306,14 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
goto cleanup; goto cleanup;
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
ret = mbedtls_x509_crt_get_subject_alt_names( crt, &subject_alt_names ); ret = mbedtls_x509_crt_get_subject_alt_names( crt, &subject_alt_names );
if( ret != 0 ) if( ret != 0 )
{ {
ret = MBEDTLS_ERR_X509_FATAL_ERROR; ret = MBEDTLS_ERR_X509_FATAL_ERROR;
goto cleanup; goto cleanup;
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
ret = mbedtls_x509_crt_get_ext_key_usage( crt, &ext_key_usage ); ret = mbedtls_x509_crt_get_ext_key_usage( crt, &ext_key_usage );
if( ret != 0 ) if( ret != 0 )
@ -2391,6 +2412,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
} }
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( frame.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) if( frame.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME )
{ {
ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix ); ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix );
@ -2400,6 +2422,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
subject_alt_names ) ) != 0 ) subject_alt_names ) ) != 0 )
return( ret ); return( ret );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
if( frame.ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE ) if( frame.ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE )
{ {
@ -2441,7 +2464,9 @@ cleanup:
mbedtls_x509_name_free( issuer ); mbedtls_x509_name_free( issuer );
mbedtls_x509_name_free( subject ); mbedtls_x509_name_free( subject );
mbedtls_x509_sequence_free( ext_key_usage ); mbedtls_x509_sequence_free( ext_key_usage );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence_free( subject_alt_names ); mbedtls_x509_sequence_free( subject_alt_names );
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
return( ret ); return( ret );
} }
@ -3399,6 +3424,7 @@ find_parent:
} }
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* /*
* Check for CN match * Check for CN match
*/ */
@ -3510,6 +3536,7 @@ static int x509_crt_verify_name( const mbedtls_x509_crt *crt,
*flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH;
return( ret ); return( ret );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
/* /*
* Merge the flags for all certs in the chain, after calling callback * Merge the flags for all certs in the chain, after calling callback
@ -3546,12 +3573,19 @@ static int x509_crt_merge_flags_with_cb(
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const char *cn, uint32_t *flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy ) void *p_vrfy )
{ {
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
&mbedtls_x509_crt_profile_default, cn, flags, &mbedtls_x509_crt_profile_default,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
flags,
f_vrfy, p_vrfy, NULL ) ); f_vrfy, p_vrfy, NULL ) );
} }
@ -3562,12 +3596,19 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy ) void *p_vrfy )
{ {
return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl,
profile, cn, flags, f_vrfy, p_vrfy, NULL ) ); profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
flags, f_vrfy, p_vrfy, NULL ) );
} }
/* /*
@ -3584,7 +3625,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca, mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl, mbedtls_x509_crl *ca_crl,
const mbedtls_x509_crt_profile *profile, const mbedtls_x509_crt_profile *profile,
const char *cn, uint32_t *flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
const char *cn,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
uint32_t *flags,
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy, void *p_vrfy,
mbedtls_x509_crt_restart_ctx *rs_ctx ) mbedtls_x509_crt_restart_ctx *rs_ctx )
@ -3603,6 +3647,7 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
goto exit; goto exit;
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
/* check name if requested */ /* check name if requested */
if( cn != NULL ) if( cn != NULL )
{ {
@ -3610,6 +3655,7 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
{ {
mbedtls_pk_context *pk; mbedtls_pk_context *pk;
@ -3703,7 +3749,10 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
mbedtls_x509_name_free( cert_cur->issuer.next ); mbedtls_x509_name_free( cert_cur->issuer.next );
mbedtls_x509_name_free( cert_cur->subject.next ); mbedtls_x509_name_free( cert_cur->subject.next );
mbedtls_x509_sequence_free( cert_cur->ext_key_usage.next ); mbedtls_x509_sequence_free( cert_cur->ext_key_usage.next );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
mbedtls_x509_sequence_free( cert_cur->subject_alt_names.next ); mbedtls_x509_sequence_free( cert_cur->subject_alt_names.next );
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */ #endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */
if( cert_cur->raw.p != NULL && cert_cur->own_buffer ) if( cert_cur->raw.p != NULL && cert_cur->own_buffer )
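Review bot: In x509_crt_get_ext_cb() the `case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME:` body becomes empty under the option (the `#if` directly after the case label and the `#endif` before `break;`), so a SubjectAltName extension is now accepted without its DER contents being traversed, while the MBEDTLS_X509_EXT_SUBJECT_ALT_NAME bit that mbedtls_x509_crt_info() still tests in `frame.ext_types` is, as far as these hunks show, unaffected. That is presumably intended, but the bare `break;` reads like an omission; a comment inside the conditional region would settle it, e.g. `/* SAN is deliberately neither parsed nor validated here; the extension is still counted as recognised. */`. The same silent skip is worth one sentence in the mbedtls_x509_crt_info() hunk, where a certificate carrying a SAN is now printed without any indication of it. x509_crt_get_ext_cb() starts and ends outside the hunk.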


@ -222,12 +222,13 @@ int main( int argc, char *argv[] )
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto exit; goto exit;
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit; goto exit;
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if !defined(MBEDTLS_SSL_CONF_RECV) && \ #if !defined(MBEDTLS_SSL_CONF_RECV) && \
!defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \
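Review bot: When the option is defined this sample client skips mbedtls_ssl_set_hostname() with no runtime indication, so anyone using it as a template gets a connection that looks fully verified but is not bound to SERVER_NAME. An `#else` branch printing a one-line notice, e.g. `mbedtls_printf( "  . Hostname verification is compiled out\n" );`, keeps the reduced guarantee visible in the program output. The same applies to the other client programs changed below in this commit (the HOSTNAME, opt.server_name and my_verify hunks). main() starts and ends outside the hunk.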


@ -250,7 +250,7 @@ int main( void )
goto exit; goto exit;
} }
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 )
{ {
ret = hostname_failed; ret = hostname_failed;


@ -1570,6 +1570,14 @@ int query_config( const char *config )
} }
#endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ #endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */
#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( strcmp( "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION", config ) == 0 )
{
MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION );
return( 0 );
}
#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 )
{ {


@ -210,11 +210,13 @@ int main( void )
goto exit; goto exit;
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit; goto exit;
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if !defined(MBEDTLS_SSL_CONF_RECV) && \ #if !defined(MBEDTLS_SSL_CONF_RECV) && \
!defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \


@ -2053,7 +2053,7 @@ int main( int argc, char *argv[] )
goto exit; goto exit;
} }
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n",


@ -662,11 +662,13 @@ int main( int argc, char *argv[] )
goto exit; goto exit;
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto exit; goto exit;
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if !defined(MBEDTLS_SSL_CONF_RECV) && \ #if !defined(MBEDTLS_SSL_CONF_RECV) && \
!defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \


@ -363,8 +363,11 @@ int main( int argc, char *argv[] )
{ {
mbedtls_printf( " . Verifying X.509 certificate..." ); mbedtls_printf( " . Verifying X.509 certificate..." );
if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags, if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
my_verify, NULL ) ) != 0 ) #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, my_verify, NULL ) ) != 0 )
{ {
char vrfy_buf[512]; char vrfy_buf[512];
@ -453,12 +456,13 @@ int main( int argc, char *argv[] )
mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret );
goto ssl_exit; goto ssl_exit;
} }
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )
{ {
mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret );
goto ssl_exit; goto ssl_exit;
} }
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
#if !defined(MBEDTLS_SSL_CONF_RECV) && \ #if !defined(MBEDTLS_SSL_CONF_RECV) && \
!defined(MBEDTLS_SSL_CONF_SEND) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \
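Review bot: The `#if` placed inside the argument list of `mbedtls_x509_crt_verify` shows that the option changes the arity of a public function, and every caller will have to carry this preprocessor block in the middle of a call expression, which is hard to read and easy to get wrong when arguments are later reordered. Within this program the point of style is fixable without touching the library: assign the result in two complete, separately readable calls selected by the conditional, then test `ret` once. If the library could instead keep the `cn` parameter and ignore it under the option, callers would not need the conditional at all, but that is outside this hunk. The enclosing main() starts and ends outside the hunk.
```c
        mbedtls_printf( "  . Verifying X.509 certificate..." );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
        ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL,
                                       &flags, my_verify, NULL );
#else
        ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl,
                                       &flags, my_verify, NULL );
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
        if( ret != 0 )
        /* … unchanged: verification-failure reporting … */
```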


@ -41,6 +41,7 @@
# MBEDTLS_X509_REMOVE_INFO # MBEDTLS_X509_REMOVE_INFO
# MBEDTLS_X509_CRT_REMOVE_TIME # MBEDTLS_X509_CRT_REMOVE_TIME
# MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID # MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
# MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
# MBEDTLS_ZLIB_SUPPORT # MBEDTLS_ZLIB_SUPPORT
# MBEDTLS_PKCS11_C # MBEDTLS_PKCS11_C
# and any symbol beginning _ALT # and any symbol beginning _ALT
@ -106,6 +107,7 @@ MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
MBEDTLS_X509_REMOVE_INFO MBEDTLS_X509_REMOVE_INFO
MBEDTLS_X509_CRT_REMOVE_TIME MBEDTLS_X509_CRT_REMOVE_TIME
MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID
MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
MBEDTLS_ZLIB_SUPPORT MBEDTLS_ZLIB_SUPPORT
MBEDTLS_PKCS11_C MBEDTLS_PKCS11_C
MBEDTLS_NO_UDBL_DIVISION MBEDTLS_NO_UDBL_DIVISION


@ -1280,6 +1280,20 @@ component_test_no_x509_info () {
if_build_succeeded tests/ssl-opt.sh if_build_succeeded tests/ssl-opt.sh
} }
component_test_no_hostname_verification () {
msg "build: full + MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION" # ~ 10s
scripts/config.pl full
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
scripts/config.pl set MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
make CFLAGS='-Werror -O1'
msg "test: full + MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION" # ~ 10s
make test
msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION" # ~ 1 min
if_build_succeeded tests/ssl-opt.sh
}
component_build_arm_none_eabi_gcc () { component_build_arm_none_eabi_gcc () {
msg "build: arm-none-eabi-gcc, make" # ~ 10s msg "build: arm-none-eabi-gcc, make" # ~ 10s
scripts/config.pl baremetal scripts/config.pl baremetal


@ -3925,6 +3925,7 @@ run_test "SNI: no SNI callback" \
-c "subject name *: C=NL, O=PolarSSL, CN=localhost" -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: matching cert 1" \ run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -3936,6 +3937,7 @@ run_test "SNI: matching cert 1" \
-c "subject name *: C=NL, O=PolarSSL, CN=localhost" -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: matching cert 2" \ run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -3946,6 +3948,7 @@ run_test "SNI: matching cert 2" \
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: no matching cert" \ run_test "SNI: no matching cert" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -3971,6 +3974,7 @@ run_test "SNI: client auth no override: optional" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" -S "skip parse certificate verify"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: client auth override: none -> optional" \ run_test "SNI: client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none \ "$P_SRV debug_level=3 auth_mode=none \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -3984,6 +3988,7 @@ run_test "SNI: client auth override: none -> optional" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" -S "skip parse certificate verify"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: client auth override: optional -> none" \ run_test "SNI: client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional \ "$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -3998,6 +4003,7 @@ run_test "SNI: client auth override: optional -> none" \
-s "skip parse certificate verify" -s "skip parse certificate verify"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: CA no override" \ run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \ "$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4017,6 +4023,7 @@ run_test "SNI: CA no override" \
-S "The certificate has been revoked (is on a CRL)" -S "The certificate has been revoked (is on a CRL)"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: CA override" \ run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \ "$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4036,6 +4043,7 @@ run_test "SNI: CA override" \
-S "The certificate has been revoked (is on a CRL)" -S "The certificate has been revoked (is on a CRL)"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: CA override with CRL" \ run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \ "$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4067,6 +4075,7 @@ run_test "SNI: DTLS, no SNI callback" \
-c "subject name *: C=NL, O=PolarSSL, CN=localhost" -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, matching cert 1" \ run_test "SNI: DTLS, matching cert 1" \
"$P_SRV debug_level=3 dtls=1 \ "$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4078,6 +4087,7 @@ run_test "SNI: DTLS, matching cert 1" \
-c "subject name *: C=NL, O=PolarSSL, CN=localhost" -c "subject name *: C=NL, O=PolarSSL, CN=localhost"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, matching cert 2" \ run_test "SNI: DTLS, matching cert 2" \
"$P_SRV debug_level=3 dtls=1 \ "$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4088,6 +4098,7 @@ run_test "SNI: DTLS, matching cert 2" \
-c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \
-c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, no matching cert" \ run_test "SNI: DTLS, no matching cert" \
"$P_SRV debug_level=3 dtls=1 \ "$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4113,6 +4124,7 @@ run_test "SNI: DTLS, client auth no override: optional" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" -S "skip parse certificate verify"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, client auth override: none -> optional" \ run_test "SNI: DTLS, client auth override: none -> optional" \
"$P_SRV debug_level=3 auth_mode=none dtls=1 \ "$P_SRV debug_level=3 auth_mode=none dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4126,6 +4138,7 @@ run_test "SNI: DTLS, client auth override: none -> optional" \
-C "skip write certificate verify" \ -C "skip write certificate verify" \
-S "skip parse certificate verify" -S "skip parse certificate verify"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, client auth override: optional -> none" \ run_test "SNI: DTLS, client auth override: optional -> none" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4140,6 +4153,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \
-s "skip parse certificate verify" -s "skip parse certificate verify"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, CA no override" \ run_test "SNI: DTLS, CA no override" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4158,6 +4172,7 @@ run_test "SNI: DTLS, CA no override" \
-s "! The certificate is not correctly signed by the trusted CA" \ -s "! The certificate is not correctly signed by the trusted CA" \
-S "The certificate has been revoked (is on a CRL)" -S "The certificate has been revoked (is on a CRL)"
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, CA override" \ run_test "SNI: DTLS, CA override" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \ crt_file=data_files/server5.crt key_file=data_files/server5.key \
@ -4177,6 +4192,7 @@ run_test "SNI: DTLS, CA override" \
-S "The certificate has been revoked (is on a CRL)" -S "The certificate has been revoked (is on a CRL)"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SNI: DTLS, CA override with CRL" \ run_test "SNI: DTLS, CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \ "$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
@ -6347,6 +6363,7 @@ run_test "SSL async private: sign, RSA, TLS 1.1" \
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_config_disabled MBEDTLS_X509_REMOVE_INFO requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
run_test "SSL async private: sign, SNI" \ run_test "SSL async private: sign, SNI" \
"$P_SRV debug_level=3 \ "$P_SRV debug_level=3 \
async_operations=s async_private_delay1=0 async_private_delay2=0 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \
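Review bot: The new `requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION` guards skip the whole SNI block under that configuration, but the reason is not stated and is not obvious from the test names, since SNI selection is a server-side feature while the option removes a client-side check. If the dependency is that the client needs `mbedtls_ssl_set_hostname` to send the SNI extension at all, or that the server's SNI callback relies on CN/SAN parsing, a one-line comment above the first guarded test would prevent a future reader from dropping the guards, e.g. `# SNI tests: the client only sends SNI when hostname verification is compiled in`. The same comment covers the `SSL async private: sign, SNI` guard at the end of this section.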


@ -402,7 +402,7 @@ void ssl_dtls_replay( data_t * prevs, data_t * new, int ret )
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ /* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
void ssl_set_hostname_twice( char *hostname0, char *hostname1 ) void ssl_set_hostname_twice( char *hostname0, char *hostname1 )
{ {
mbedtls_ssl_context ssl; mbedtls_ssl_context ssl;


@ -107,13 +107,21 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C
x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n" x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n"
X509 CRT information, Subject Alt Name X509 CRT information, Subject Alt Name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n" x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n"
X509 CRT information, Subject Alt Name, not expected Subject alt name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n"
X509 CRT information, Subject Alt Name + Key Usage X509 CRT information, Subject Alt Name + Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \: www.shotokan-braunschweig.de, www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \: www.shotokan-braunschweig.de, www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Subject Alt Name + Key Usage, not expected Subject alt name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
X509 CRT information, Key Usage + Extended Key Usage X509 CRT information, Key Usage + Extended Key Usage
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509_cert_info:"data_files/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n" x509_cert_info:"data_files/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n"
@ -127,9 +135,13 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:
x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n"
X509 CRT information Bitstring in subject name X509 CRT information Bitstring in subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: \next key usage \: TLS Web Client Authentication\n" x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: \next key usage \: TLS Web Client Authentication\n"
X509 CRT information Bitstring in subject name, not expected Subject alt name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\next key usage \: TLS Web Client Authentication\n"
X509 certificate v1 with extension X509 certificate v1 with extension
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C
x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n" x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n"
@ -400,13 +412,21 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_S
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #3 (Revoked Cert, Future CRL, CN Mismatch) X509 CRT verification #3 (Revoked Cert, Future CRL, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #3a (Revoked Cert, Expired CRL, CN Mismatch) X509 CRT verification #3a (Revoked Cert, Future CRL, CN Discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
X509 CRT verification #3b (Revoked Cert, Expired CRL, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #3c (Revoked Cert, Expired CRL, CN Discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL"
X509 CRT verification #4 (Valid Cert, Expired CRL) X509 CRT verification #4 (Valid Cert, Expired CRL)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE
x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL"
@ -436,9 +456,13 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MB
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #7 (Revoked Cert, CN Mismatch) X509 CRT verification #7 (Revoked Cert, CN Mismatch)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #7a (Revoked Cert, CN Discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL"
X509 CRT verification #8 (Valid Cert) X509 CRT verification #8 (Valid Cert)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL"
@ -532,37 +556,65 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL" x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL"
X509 CRT verification #22 (domain not matching wildcard certificate) X509 CRT verification #22 (domain not matching wildcard certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #22a (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":0:0:"compat":"NULL"
X509 CRT verification #23 (domain not matching wildcard certificate) X509 CRT verification #23 (domain not matching wildcard certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #23a (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":0:0:"compat":"NULL"
X509 CRT verification #24 (domain matching CN of multi certificate) X509 CRT verification #24 (domain matching CN of multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #24a (domain matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":0:0:"compat":"NULL"
X509 CRT verification #25 (domain matching multi certificate) X509 CRT verification #25 (domain matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL"
X509 CRT verification #26 (domain not matching multi certificate) X509 CRT verification #26 (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #26a (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":0:0:"compat":"NULL"
X509 CRT verification #27 (domain not matching multi certificate) X509 CRT verification #27 (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #27 (domain not matching multi certificate) X509 CRT verification #27a (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":0:0:"compat":"NULL"
X509 CRT verification #27c (domain not matching multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #27d (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":0:0:"compat":"NULL"
X509 CRT verification #28 (domain not matching wildcard in multi certificate) X509 CRT verification #28 (domain not matching wildcard in multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL"
X509 CRT verification #28a (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":0:0:"compat":"NULL"
X509 CRT verification #29 (domain matching wildcard in multi certificate) X509 CRT verification #29 (domain matching wildcard in multi certificate)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL" x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL"
@ -572,9 +624,13 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #31 (domain not matching multi certificate without CN) X509 CRT verification #31 (domain not matching multi certificate without CN)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #31a (domain not matching discard)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL"
X509 CRT verification #32 (Valid, EC cert, RSA CA) X509 CRT verification #32 (Valid, EC cert, RSA CA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
@ -848,9 +904,13 @@ depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:
x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL" x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL"
X509 CRT verification callback: bad name X509 CRT verification callback: bad name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n" x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n"
X509 CRT verification callback: bad name discard
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":0:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n"
X509 CRT verification callback: trusted EE cert X509 CRT verification callback: trusted EE cert
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n" x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n"
@ -1698,9 +1758,13 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"3081b93081a3a0030201018204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH x509parse_crt:"3081b93081a3a0030201018204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH
X509 CRT ASN1 (TBS, valid SubjectID, valid IssuerID, inv v3Ext, SubjectAltName repeated outside Extensions, inv SubjectAltNames tag) X509 CRT ASN1 (TBS, valid SubjectID, valid IssuerID, inv v3Ext, SubjectAltName repeated outside Extensions, inv SubjectAltNames tag)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509parse_crt:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG x509parse_crt:"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":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG
X509 CRT ASN1 (TBS, valid SubjectID, valid IssuerID, inv v3Ext, SubjectAltName repeated outside Extensions, inv SubjectAltNames discarded)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
x509parse_crt:"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":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n":0
X509 CRT ASN1 (SignatureAlgorithm missing) X509 CRT ASN1 (SignatureAlgorithm missing)
depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C
x509parse_crt:"3081aa3081a7a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA x509parse_crt:"3081aa3081a7a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA


@ -329,7 +329,11 @@ void x509_verify_restart( char *crt_file, char *ca_file,
cnt_restart = 0; cnt_restart = 0;
do { do {
ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL,
&mbedtls_x509_crt_profile_default, NULL, &flags, &mbedtls_x509_crt_profile_default,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags,
NULL, NULL, &rs_ctx ); NULL, NULL, &rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
@ -341,7 +345,11 @@ void x509_verify_restart( char *crt_file, char *ca_file,
/* Do we leak memory when aborting? */ /* Do we leak memory when aborting? */
ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL,
&mbedtls_x509_crt_profile_default, NULL, &flags, &mbedtls_x509_crt_profile_default,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags,
NULL, NULL, &rs_ctx ); NULL, NULL, &rs_ctx );
TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
@ -364,15 +372,21 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
uint32_t flags = 0; uint32_t flags = 0;
int res; int res;
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
char * cn_name = NULL;
const mbedtls_x509_crt_profile *profile; const mbedtls_x509_crt_profile *profile;
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
char * cn_name = NULL;
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
mbedtls_x509_crt_init( &crt ); mbedtls_x509_crt_init( &crt );
mbedtls_x509_crt_init( &ca ); mbedtls_x509_crt_init( &ca );
mbedtls_x509_crl_init( &crl ); mbedtls_x509_crl_init( &crl );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( strcmp( cn_name_str, "NULL" ) != 0 ) if( strcmp( cn_name_str, "NULL" ) != 0 )
cn_name = cn_name_str; cn_name = cn_name_str;
#else
(void)cn_name_str;
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
if( strcmp( profile_str, "" ) == 0 ) if( strcmp( profile_str, "" ) == 0 )
profile = &mbedtls_x509_crt_profile_default; profile = &mbedtls_x509_crt_profile_default;
@ -400,7 +414,11 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 );
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL ); res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn_name,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, f_vrfy, NULL );
TEST_ASSERT( res == ( result ) ); TEST_ASSERT( res == ( result ) );
TEST_ASSERT( flags == (uint32_t)( flags_result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) );
@ -429,13 +447,19 @@ void x509_verify_callback( char *crt_file, char *ca_file, char *name,
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
if( strcmp( name, "NULL" ) == 0 ) if( strcmp( name, "NULL" ) == 0 )
name = NULL; name = NULL;
#else
(void)name;
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL, ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL,
&compat_profile, &compat_profile,
name, &flags, #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
verify_print, &vrfy_ctx ); name,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, verify_print, &vrfy_ctx );
TEST_ASSERT( ret == exp_ret ); TEST_ASSERT( ret == exp_ret );
TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 ); TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 );
@ -792,8 +816,11 @@ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int,
TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 );
/* Try to verify that chain */ /* Try to verify that chain */
ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags, ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL,
NULL, NULL ); #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, NULL, NULL );
TEST_ASSERT( ret == ret_chk ); TEST_ASSERT( ret == ret_chk );
TEST_ASSERT( flags == (uint32_t) flags_chk ); TEST_ASSERT( flags == (uint32_t) flags_chk );
@ -833,7 +860,10 @@ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca,
profile = &profile_sha512; profile = &profile_sha512;
res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile, res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile,
NULL, &flags, verify_fatal, &vrfy_fatal_lvls ); #if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, verify_fatal, &vrfy_fatal_lvls );
TEST_ASSERT( res == ( result ) ); TEST_ASSERT( res == ( result ) );
TEST_ASSERT( flags == (uint32_t)( flags_result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) );
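Review bot: The `#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)` / `NULL,` / `#endif` triple is spliced into the middle of a call's argument list five times in this file (both `mbedtls_x509_crt_verify_restartable` calls in x509_verify_restart, `mbedtls_x509_crt_verify` in mbedtls_x509_crt_verify_max, and the `mbedtls_x509_crt_verify_with_profile` calls in x509_verify and mbedtls_x509_crt_verify_chain), and x509_verify_callback threads `name` through the same way; every copy is a spot a later signature change has to be patched twice. A single file-scope helper in the suite header, `#define X509_CN_ARG(cn) cn,` when the hostname API is present and `#define X509_CN_ARG(cn)` otherwise, lets each call read `mbedtls_x509_crt_verify( &chain, &trusted, NULL, X509_CN_ARG(NULL) &flags, NULL, NULL );` with no preprocessor inside the parentheses. The `(void)cn_name_str;` and `(void)name;` fallbacks are correct, but each deserves a one-line comment that the hostname from the .data row is deliberately ignored in this configuration, since in that build a non-matching name verifies with `flags == 0` and only the rows tagged `depends_on:...:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION` are meant to reach it. mbedtls_x509_crt_verify_chain's body starts before and appears to continue past this hunk.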