diff --git a/configs/baremetal.h b/configs/baremetal.h index 0bdee4fc2..11292e1bf 100644 --- a/configs/baremetal.h +++ b/configs/baremetal.h @@ -128,6 +128,7 @@ #define MBEDTLS_X509_ON_DEMAND_PARSING #define MBEDTLS_X509_ALWAYS_FLUSH #define MBEDTLS_ASN1_PARSE_C +#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION /* X.509 CSR writing */ #define MBEDTLS_X509_CSR_WRITE_C diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index d19c23182..0a26dcb47 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -1624,7 +1624,8 @@ PREDEFINED = WIN32 \ ENABLE_PLUGIN \ ENABLE_MANAGEMENT \ ENABLE_OCC \ - HAVE_GETTIMEOFDAY + HAVE_GETTIMEOFDAY \ + DOXYGEN_ONLY # If the MACRO_EXPANSION and EXPAND_ONLY_PREDEF tags are set to YES then # this tag can be used to specify a list of macro names that should be expanded. diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 5da4f1176..0b4380276 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1978,6 +1978,44 @@ */ //#define MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID +/** + * \def MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION + * + * Remove hostname verification from APIs related to X.509 certificate validation. + * + * \warning Uncommenting this affects parsing and verification of + * X.509 certificate by leaving Common Name and Subject Alternative Name fields out + * of parsing and verification. + * + * Affected API's: + * - mbedtls_ssl_set_hostname() not available. + * - mbedtls_x509_crt_get_subject_alt_names() not available. + * - mbedtls_x509_crt_parse_der(): Subject Alternative Name field + * is not parsed. + * - mbedtls_x509_crt_parse_der_nocopy(): Subject Alternative Name field + * is not parsed. + * - mbedtls_x509_crt_parse(): Subject Alternative Name field + * is not parsed. + * - mbedtls_x509_crt_parse_file(): Subject Alternative Name field + * is not parsed. + * - mbedtls_x509_crt_parse_path(): Subject Alternative Name field + * is not parsed. + * - mbedtls_x509_crt_info(): Subject Alternative Name field + * is not parsed. + * - mbedtls_x509_crt_verify(): param \c cn is omitted from the API. + * - mbedtls_x509_crt_verify_with_profile(): param \c cn is omitted from the API. + * - mbedtls_x509_crt_verify_restartable(): param \c cn is omitted from the API. + * - + * + * Affected structs + * - ::mbedtls_x509_crt_frame: subject_alt_raw is defined out. + * - ::mbedtls_x509_crt: subject_alt_names is defined out. + * + * Uncomment this to save some code and RAM on constrained systems which + * don't need hostname verification. + */ +//#define MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION + /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index b6a3b6017..7efb411f3 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1386,10 +1386,10 @@ struct mbedtls_ssl_context /* * User settings */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) char *hostname; /*!< expected peer CN for verification (and SNI if available) */ -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if defined(MBEDTLS_SSL_ALPN) const char *alpn_chosen; /*!< negotiated protocol */ @@ -2921,7 +2921,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, const int *hashes ); #endif /* MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /** * \brief Set or reset the hostname to check against the received * server certificate. It sets the ServerName TLS extension, @@ -2941,7 +2941,7 @@ void mbedtls_ssl_conf_sig_hashes( mbedtls_ssl_config *conf, * On too long input failure, old hostname is unchanged. */ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ); -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) /** diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index c8f488c5c..f3ef5723a 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -96,9 +96,10 @@ typedef struct mbedtls_x509_crt_frame mbedtls_x509_buf_raw v3_ext; /**< The raw data for the extension list in the certificate. * Might be useful for manual inspection of extensions that * Mbed TLS doesn't yet support. */ +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) mbedtls_x509_buf_raw subject_alt_raw; /**< The raw data for the SubjectAlternativeNames extension. */ +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ mbedtls_x509_buf_raw ext_key_usage_raw; /**< The raw data for the ExtendedKeyUsage extension. */ - } mbedtls_x509_crt_frame; /** @@ -140,7 +141,9 @@ typedef struct mbedtls_x509_crt mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */ #endif /* !MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */ +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) mbedtls_x509_sequence subject_alt_names; /**< Optional list of Subject Alternative Names (Only dNSName supported). */ +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ int ext_types; /**< Bit string containing detected and parsed extensions */ int ca_istrue; /**< Optional Basic Constraint extension value: 1 if this certificate belongs to a CA, 0 otherwise. */ @@ -499,7 +502,10 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, - const char *cn, uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ + uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); @@ -534,7 +540,10 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, - const char *cn, uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ + uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ); @@ -564,7 +573,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, - const char *cn, uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) || defined(DOXYGEN_ONLY) + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION || defined(DOXYGEN_ONLY) */ + uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx ); @@ -747,6 +759,7 @@ int mbedtls_x509_crt_get_subject( mbedtls_x509_crt const *crt, int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt, mbedtls_x509_name **issuer ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /** * \brief Request the subject alternative name of a CRT, presented * as a dynamically allocated linked list. @@ -771,6 +784,7 @@ int mbedtls_x509_crt_get_issuer( mbedtls_x509_crt const *crt, */ int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt, mbedtls_x509_sequence **subj_alt ); +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ /** * \brief Request the ExtendedKeyUsage extension of a CRT, diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 890343181..a90303da1 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -51,7 +51,7 @@ #include "mbedtls/platform_util.h" #endif -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -119,7 +119,7 @@ static void ssl_write_hostname_ext( mbedtls_ssl_context *ssl, *olen = hostname_len + 9; } -#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */ +#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if defined(MBEDTLS_SSL_RENEGOTIATION) static void ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, @@ -1057,7 +1057,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) // First write extensions, then the total length // -#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) +#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) ssl_write_hostname_ext( ssl, p + 2 + ext_len, &olen ); ext_len += olen; #endif diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 6e5f75c39..96276c2b6 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -6858,7 +6858,9 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, chain, ca_chain, ca_crl, ssl->conf->cert_profile, +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) ssl->hostname, +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ &ssl->session_negotiate->verify_result, ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx ); @@ -8939,7 +8941,7 @@ void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, #endif /* MBEDTLS_SSL_CONF_SINGLE_EC */ #endif /* MBEDTLS_ECP_C */ -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) { /* Initialize to suppress unnecessary compiler warning */ @@ -8983,7 +8985,7 @@ int mbedtls_ssl_set_hostname( mbedtls_ssl_context *ssl, const char *hostname ) return( 0 ); } -#endif /* MBEDTLS_X509_CRT_PARSE_C */ +#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, @@ -11759,7 +11761,7 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl ) mbedtls_free( ssl->session ); } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( ssl->hostname != NULL ) { mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) ); diff --git a/library/version_features.c b/library/version_features.c index 102b52109..bb655c0c9 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -573,6 +573,9 @@ static const char *features[] = { #if defined(MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID) "MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID", #endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ +#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION", +#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) "MBEDTLS_X509_RSASSA_PSS_SUPPORT", #endif /* MBEDTLS_X509_RSASSA_PSS_SUPPORT */ diff --git a/library/x509.c b/library/x509.c index a6c658479..19cc64b79 100644 --- a/library/x509.c +++ b/library/x509.c @@ -1250,7 +1250,11 @@ int mbedtls_x509_self_test( int verbose ) if( verbose != 0 ) mbedtls_printf( "passed\n X.509 signature verify: "); - ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, NULL, &flags, NULL, NULL ); + ret = mbedtls_x509_crt_verify( &clicert, &cacert, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, NULL, NULL ); if( ret != 0 ) { if( verbose != 0 ) diff --git a/library/x509_crt.c b/library/x509_crt.c index 0c158f836..1c4237bda 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -102,8 +102,10 @@ static int x509_crt_subject_from_frame( mbedtls_x509_crt_frame const *frame, mbedtls_x509_name *subject ); static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame const *frame, mbedtls_x509_name *issuer ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame, mbedtls_x509_sequence *subject_alt ); +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame, mbedtls_x509_sequence *ext_key_usage ); @@ -333,6 +335,7 @@ static void x509_crt_cache_free( mbedtls_x509_crt_cache *cache ) memset( cache, 0, sizeof( *cache ) ); } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt, mbedtls_x509_sequence **subj_alt ) { @@ -355,6 +358,7 @@ int mbedtls_x509_crt_get_subject_alt_names( mbedtls_x509_crt const *crt, *subj_alt = seq; return( ret ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ int mbedtls_x509_crt_get_ext_key_usage( mbedtls_x509_crt const *crt, mbedtls_x509_sequence **ext_key_usage ) @@ -613,6 +617,7 @@ static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile, return( -1 ); } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /* * Return 0 if name matches wildcard, -1 otherwise */ @@ -648,6 +653,7 @@ static int x509_check_wildcard( char const *cn, return( -1 ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ /* * Reset (init or clear) a verify_chain @@ -934,6 +940,7 @@ static int x509_get_ext_key_usage( unsigned char **p, (void *) &ext_key_usage ) ); } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /* * SubjectAltName ::= GeneralNames * @@ -972,6 +979,7 @@ static int x509_get_subject_alt_name( unsigned char *p, asn1_build_sequence_cb, (void *) &subject_alt_name ) ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ /* * X.509 v3 extensions @@ -1077,10 +1085,10 @@ static int x509_crt_get_ext_cb( void *ctx, break; case MBEDTLS_X509_EXT_SUBJECT_ALT_NAME: +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /* Copy reference to raw subject alt name data. */ frame->subject_alt_raw.p = p; frame->subject_alt_raw.len = end_ext_octet - p; - ret = mbedtls_asn1_traverse_sequence_of( &p, end_ext_octet, MBEDTLS_ASN1_TAG_CLASS_MASK, MBEDTLS_ASN1_CONTEXT_SPECIFIC, @@ -1089,6 +1097,7 @@ static int x509_crt_get_ext_cb( void *ctx, NULL, NULL ); if( ret != 0 ) goto err; +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ break; case MBEDTLS_X509_EXT_EXTENDED_KEY_USAGE: @@ -1470,6 +1479,7 @@ static int x509_crt_issuer_from_frame( mbedtls_x509_crt_frame const *frame, issuer ) ); } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame, mbedtls_x509_sequence *subject_alt ) { @@ -1487,6 +1497,7 @@ static int x509_crt_subject_alt_from_frame( mbedtls_x509_crt_frame const *frame, ret += MBEDTLS_ERR_X509_INVALID_EXTENSIONS; return( ret ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ static int x509_crt_ext_key_usage_from_frame( mbedtls_x509_crt_frame const *frame, mbedtls_x509_sequence *ext_key_usage ) @@ -1663,9 +1674,11 @@ static int x509_crt_parse_der_core( mbedtls_x509_crt *crt, if( ret != 0 ) goto exit; +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) ret = x509_crt_subject_alt_from_frame( frame, &crt->subject_alt_names ); if( ret != 0 ) goto exit; +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ ret = x509_crt_ext_key_usage_from_frame( frame, &crt->ext_key_usage ); if( ret != 0 ) @@ -2104,6 +2117,7 @@ static int x509_crt_get_sig_info( mbedtls_x509_crt_frame const *frame, } #if !defined(MBEDTLS_X509_REMOVE_INFO) +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) static int x509_info_subject_alt_name( char **buf, size_t *size, const mbedtls_x509_sequence *subject_alt_name ) { @@ -2141,6 +2155,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, return( 0 ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #define PRINT_ITEM(i) \ { \ @@ -2249,7 +2264,11 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, mbedtls_pk_context pk; mbedtls_x509_name *issuer = NULL, *subject = NULL; - mbedtls_x509_sequence *ext_key_usage = NULL, *subject_alt_names = NULL; + mbedtls_x509_sequence *ext_key_usage = NULL; +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + mbedtls_x509_sequence *subject_alt_names = NULL; +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + mbedtls_x509_crt_sig_info sig_info; p = buf; @@ -2287,12 +2306,14 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, goto cleanup; } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) ret = mbedtls_x509_crt_get_subject_alt_names( crt, &subject_alt_names ); if( ret != 0 ) { ret = MBEDTLS_ERR_X509_FATAL_ERROR; goto cleanup; } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ ret = mbedtls_x509_crt_get_ext_key_usage( crt, &ext_key_usage ); if( ret != 0 ) @@ -2391,6 +2412,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, } } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( frame.ext_types & MBEDTLS_X509_EXT_SUBJECT_ALT_NAME ) { ret = mbedtls_snprintf( p, n, "\n%ssubject alt name : ", prefix ); @@ -2400,6 +2422,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix, subject_alt_names ) ) != 0 ) return( ret ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ if( frame.ext_types & MBEDTLS_X509_EXT_NS_CERT_TYPE ) { @@ -2441,7 +2464,9 @@ cleanup: mbedtls_x509_name_free( issuer ); mbedtls_x509_name_free( subject ); mbedtls_x509_sequence_free( ext_key_usage ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) mbedtls_x509_sequence_free( subject_alt_names ); +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ return( ret ); } @@ -3399,6 +3424,7 @@ find_parent: } } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /* * Check for CN match */ @@ -3510,6 +3536,7 @@ static int x509_crt_verify_name( const mbedtls_x509_crt *crt, *flags |= MBEDTLS_X509_BADCERT_CN_MISMATCH; return( ret ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ /* * Merge the flags for all certs in the chain, after calling callback @@ -3546,12 +3573,19 @@ static int x509_crt_merge_flags_with_cb( int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, - const char *cn, uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, - &mbedtls_x509_crt_profile_default, cn, flags, + &mbedtls_x509_crt_profile_default, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + flags, f_vrfy, p_vrfy, NULL ) ); } @@ -3562,12 +3596,19 @@ int mbedtls_x509_crt_verify_with_profile( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, - const char *cn, uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy ) { return( mbedtls_x509_crt_verify_restartable( crt, trust_ca, ca_crl, - profile, cn, flags, f_vrfy, p_vrfy, NULL ) ); + profile, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + flags, f_vrfy, p_vrfy, NULL ) ); } /* @@ -3584,7 +3625,10 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, mbedtls_x509_crt *trust_ca, mbedtls_x509_crl *ca_crl, const mbedtls_x509_crt_profile *profile, - const char *cn, uint32_t *flags, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + const char *cn, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + uint32_t *flags, int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *), void *p_vrfy, mbedtls_x509_crt_restart_ctx *rs_ctx ) @@ -3603,6 +3647,7 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, goto exit; } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) /* check name if requested */ if( cn != NULL ) { @@ -3610,6 +3655,7 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt, if( ret != 0 ) return( ret ); } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ { mbedtls_pk_context *pk; @@ -3703,7 +3749,10 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt ) mbedtls_x509_name_free( cert_cur->issuer.next ); mbedtls_x509_name_free( cert_cur->subject.next ); mbedtls_x509_sequence_free( cert_cur->ext_key_usage.next ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) mbedtls_x509_sequence_free( cert_cur->subject_alt_names.next ); +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + #endif /* !MBEDTLS_X509_ON_DEMAND_PARSING */ if( cert_cur->raw.p != NULL && cert_cur->own_buffer ) diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 39a9f769f..b31090f13 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -222,12 +222,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto exit; } - +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index 87c48ff4a..7d868549a 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -250,7 +250,7 @@ int main( void ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( mbedtls_ssl_set_hostname( &ssl, HOSTNAME ) != 0 ) { ret = hostname_failed; diff --git a/programs/ssl/query_config.c b/programs/ssl/query_config.c index cf10ba18d..c17941929 100644 --- a/programs/ssl/query_config.c +++ b/programs/ssl/query_config.c @@ -1570,6 +1570,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID */ +#if defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + if( strcmp( "MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION ); + return( 0 ); + } +#endif /* MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) if( strcmp( "MBEDTLS_X509_RSASSA_PSS_SUPPORT", config ) == 0 ) { diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index 8629980f8..9922a7e32 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -210,11 +210,13 @@ int main( void ) goto exit; } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, SERVER_NAME ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index a7fd2595d..2aa49503e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -2053,7 +2053,7 @@ int main( int argc, char *argv[] ) goto exit; } -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 205c93ec6..24000a2ed 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -662,11 +662,13 @@ int main( int argc, char *argv[] ) goto exit; } +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto exit; } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index 9b40fa71b..74efea388 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -363,8 +363,11 @@ int main( int argc, char *argv[] ) { mbedtls_printf( " . Verifying X.509 certificate..." ); - if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, NULL, &flags, - my_verify, NULL ) ) != 0 ) + if( ( ret = mbedtls_x509_crt_verify( &crt, &cacert, &cacrl, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, my_verify, NULL ) ) != 0 ) { char vrfy_buf[512]; @@ -453,12 +456,13 @@ int main( int argc, char *argv[] ) mbedtls_printf( " failed\n ! mbedtls_ssl_setup returned %d\n\n", ret ); goto ssl_exit; } - +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( ( ret = mbedtls_ssl_set_hostname( &ssl, opt.server_name ) ) != 0 ) { mbedtls_printf( " failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret ); goto ssl_exit; } +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ #if !defined(MBEDTLS_SSL_CONF_RECV) && \ !defined(MBEDTLS_SSL_CONF_SEND) && \ diff --git a/scripts/config.pl b/scripts/config.pl index e4648de52..77358b393 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -41,6 +41,7 @@ # MBEDTLS_X509_REMOVE_INFO # MBEDTLS_X509_CRT_REMOVE_TIME # MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID +# MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION # MBEDTLS_ZLIB_SUPPORT # MBEDTLS_PKCS11_C # and any symbol beginning _ALT @@ -106,6 +107,7 @@ MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION MBEDTLS_X509_REMOVE_INFO MBEDTLS_X509_CRT_REMOVE_TIME MBEDTLS_X509_CRT_REMOVE_SUBJECT_ISSUER_ID +MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION MBEDTLS_ZLIB_SUPPORT MBEDTLS_PKCS11_C MBEDTLS_NO_UDBL_DIVISION diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 13c38b551..20552926d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1280,6 +1280,20 @@ component_test_no_x509_info () { if_build_succeeded tests/ssl-opt.sh } +component_test_no_hostname_verification () { + msg "build: full + MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION" # ~ 10s + scripts/config.pl full + scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests + scripts/config.pl set MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION + make CFLAGS='-Werror -O1' + + msg "test: full + MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION" # ~ 10s + make test + + msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION" # ~ 1 min + if_build_succeeded tests/ssl-opt.sh +} + component_build_arm_none_eabi_gcc () { msg "build: arm-none-eabi-gcc, make" # ~ 10s scripts/config.pl baremetal diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 5ad73d693..71dba368e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -3925,6 +3925,7 @@ run_test "SNI: no SNI callback" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: matching cert 1" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3936,6 +3937,7 @@ run_test "SNI: matching cert 1" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: matching cert 2" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3946,6 +3948,7 @@ run_test "SNI: matching cert 2" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: no matching cert" \ "$P_SRV debug_level=3 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3971,6 +3974,7 @@ run_test "SNI: client auth no override: optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: client auth override: none -> optional" \ "$P_SRV debug_level=3 auth_mode=none \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3984,6 +3988,7 @@ run_test "SNI: client auth override: none -> optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: client auth override: optional -> none" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -3998,6 +4003,7 @@ run_test "SNI: client auth override: optional -> none" \ -s "skip parse certificate verify" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: CA no override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4017,6 +4023,7 @@ run_test "SNI: CA no override" \ -S "The certificate has been revoked (is on a CRL)" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: CA override" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4036,6 +4043,7 @@ run_test "SNI: CA override" \ -S "The certificate has been revoked (is on a CRL)" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4067,6 +4075,7 @@ run_test "SNI: DTLS, no SNI callback" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, matching cert 1" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4078,6 +4087,7 @@ run_test "SNI: DTLS, matching cert 1" \ -c "subject name *: C=NL, O=PolarSSL, CN=localhost" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, matching cert 2" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4088,6 +4098,7 @@ run_test "SNI: DTLS, matching cert 2" \ -c "issuer name *: C=NL, O=PolarSSL, CN=PolarSSL Test CA" \ -c "subject name *: C=NL, O=PolarSSL, CN=polarssl.example" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, no matching cert" \ "$P_SRV debug_level=3 dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4113,6 +4124,7 @@ run_test "SNI: DTLS, client auth no override: optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, client auth override: none -> optional" \ "$P_SRV debug_level=3 auth_mode=none dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4126,6 +4138,7 @@ run_test "SNI: DTLS, client auth override: none -> optional" \ -C "skip write certificate verify" \ -S "skip parse certificate verify" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, client auth override: optional -> none" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4140,6 +4153,7 @@ run_test "SNI: DTLS, client auth override: optional -> none" \ -s "skip parse certificate verify" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, CA no override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4158,6 +4172,7 @@ run_test "SNI: DTLS, CA no override" \ -s "! The certificate is not correctly signed by the trusted CA" \ -S "The certificate has been revoked (is on a CRL)" +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, CA override" \ "$P_SRV debug_level=3 auth_mode=optional dtls=1 \ crt_file=data_files/server5.crt key_file=data_files/server5.key \ @@ -4177,6 +4192,7 @@ run_test "SNI: DTLS, CA override" \ -S "The certificate has been revoked (is on a CRL)" requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SNI: DTLS, CA override with CRL" \ "$P_SRV debug_level=3 auth_mode=optional \ crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \ @@ -6347,6 +6363,7 @@ run_test "SSL async private: sign, RSA, TLS 1.1" \ requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE requires_config_disabled MBEDTLS_X509_REMOVE_INFO +requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION run_test "SSL async private: sign, SNI" \ "$P_SRV debug_level=3 \ async_operations=s async_private_delay1=0 async_private_delay2=0 \ diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 2c4a6b4b2..b177779e7 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -402,7 +402,7 @@ void ssl_dtls_replay( data_t * prevs, data_t * new, int ret ) } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C */ +/* BEGIN_CASE depends_on:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ void ssl_set_hostname_twice( char *hostname0, char *hostname1 ) { mbedtls_ssl_context ssl; diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 6536cc9c7..d96188b5f 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -107,13 +107,21 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C x509_cert_info:"data_files/keyUsage.decipherOnly.crt":"cert. version \: 3\nserial number \: 9B\:13\:CE\:4C\:A5\:6F\:DE\:52\nissuer name \: C=GB, L=Cambridge, O=Default Company Ltd\nsubject name \: C=GB, L=Cambridge, O=Default Company Ltd\nissued on \: 2015-05-12 10\:36\:55\nexpires on \: 2018-05-11 10\:36\:55\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment, Decipher Only\n" X509 CRT information, Subject Alt Name -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: example.com, example.net, *.example.org\n" +X509 CRT information, Subject Alt Name, not expected Subject alt name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n" + X509 CRT information, Subject Alt Name + Key Usage -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \: www.shotokan-braunschweig.de, www.massimo-abate.eu\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" +X509 CRT information, Subject Alt Name + Key Usage, not expected Subject alt name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n" + X509 CRT information, Key Usage + Extended Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509_cert_info:"data_files/server1.ext_ku.crt":"cert. version \: 3\nserial number \: 21\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nissued on \: 2014-04-01 14\:44\:43\nexpires on \: 2024-03-29 14\:44\:43\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\next key usage \: TLS Web Server Authentication\n" @@ -127,9 +135,13 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED: x509_cert_info:"data_files/server3.crt":"cert. version \: 3\nserial number \: 0D\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nissued on \: 2013-08-09 09\:17\:03\nexpires on \: 2023-08-07 09\:17\:03\nsigned using \: RSA with SHA1\nEC key size \: 192 bits\nbasic constraints \: CA=false\n" X509 CRT information Bitstring in subject name -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \: \next key usage \: TLS Web Client Authentication\n" +X509 CRT information Bitstring in subject name, not expected Subject alt name +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\next key usage \: TLS Web Client Authentication\n" + X509 certificate v1 with extension depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3:MBEDTLS_SHA1_C x509_cert_info:"data_files/cert_v1_with_ext.crt":"cert. version \: 1\nserial number \: BD\:ED\:44\:C7\:D2\:3E\:C2\:A4\nissuer name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nsubject name \: C=XX, ST=XX, L=XX, O=XX, OU=XX, emailAddress=admin@identity-check.org, CN=identity-check.org\nissued on \: 2013-07-04 16\:17\:02\nexpires on \: 2014-07-04 16\:17\:02\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nsubject alt name \: identity-check.org, www.identity-check.org\n" @@ -400,13 +412,21 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_S x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"localhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" X509 CRT verification #3 (Revoked Cert, Future CRL, CN Mismatch) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" -X509 CRT verification #3a (Revoked Cert, Expired CRL, CN Mismatch) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE +X509 CRT verification #3a (Revoked Cert, Future CRL, CN Discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" + +X509 CRT verification #3b (Revoked Cert, Expired CRL, CN Mismatch) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #3c (Revoked Cert, Expired CRL, CN Discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/server6.crt":"data_files/test-ca2.crt":"data_files/crl-future.pem":"Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCRL_FUTURE:"compat":"NULL" + X509 CRT verification #4 (Valid Cert, Expired CRL) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE x509_verify:"data_files/server2.crt":"data_files/test-ca.crt":"data_files/crl_expired.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCRL_EXPIRED:"compat":"NULL" @@ -436,9 +456,13 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MB x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Server 1":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" X509 CRT verification #7 (Revoked Cert, CN Mismatch) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED | MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #7a (Revoked Cert, CN Discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_HAVE_TIME_DATE:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/server1.crt":"data_files/test-ca.crt":"data_files/crl.pem":"PolarSSL Wrong CN":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_REVOKED:"compat":"NULL" + X509 CRT verification #8 (Valid Cert) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA256_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_SHA1_C x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha1.pem":"NULL":0:0:"compat":"NULL" @@ -532,37 +556,65 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.ExAmPlE.com":0:0:"compat":"NULL" X509 CRT verification #22 (domain not matching wildcard certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #22a (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.net":0:0:"compat":"NULL" + X509 CRT verification #23 (domain not matching wildcard certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #23a (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_wildcard.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.com":0:0:"compat":"NULL" + X509 CRT verification #24 (domain matching CN of multi certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #24a (domain matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.com":0:0:"compat":"NULL" + X509 CRT verification #25 (domain matching multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.net":0:0:"compat":"NULL" X509 CRT verification #26 (domain not matching multi certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #26a (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":0:0:"compat":"NULL" + X509 CRT verification #27 (domain not matching multi certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" -X509 CRT verification #27 (domain not matching multi certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +X509 CRT verification #27a (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"xample.net":0:0:"compat":"NULL" + +X509 CRT verification #27c (domain not matching multi certificate) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #27d (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"bexample.net":0:0:"compat":"NULL" + X509 CRT verification #28 (domain not matching wildcard in multi certificate) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH:"compat":"NULL" +X509 CRT verification #28a (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"example.org":0:0:"compat":"NULL" + X509 CRT verification #29 (domain matching wildcard in multi certificate) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_verify:"data_files/cert_example_multi.crt":"data_files/test-ca.crt":"data_files/crl.pem":"mail.example.org":0:0:"compat":"NULL" @@ -572,9 +624,13 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.shotokan-braunschweig.de":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" X509 CRT verification #31 (domain not matching multi certificate without CN) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_CN_MISMATCH + MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" +X509 CRT verification #31a (domain not matching discard) +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify:"data_files/cert_example_multi_nocn.crt":"data_files/test-ca.crt":"data_files/crl.pem":"www.example.net":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" + X509 CRT verification #32 (Valid, EC cert, RSA CA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C x509_verify:"data_files/server3.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL" @@ -848,9 +904,13 @@ depends_on:MBEDTLS_SHA256_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15: x509_verify:"data_files/cert_sha256.crt":"data_files/test-ca.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"next":"NULL" X509 CRT verification callback: bad name -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000004\n" +X509 CRT verification callback: bad name discard +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509_verify_callback:"data_files/server5.crt":"data_files/test-ca2.crt":"globalhost":0:"depth 1 - serial C1\:43\:E2\:7E\:62\:43\:CC\:E8 - subject C=NL, O=PolarSSL, CN=Polarssl Test EC CA - flags 0x00000000\ndepth 0 - serial 09 - subject C=NL, O=PolarSSL, CN=localhost - flags 0x00000000\n" + X509 CRT verification callback: trusted EE cert depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED x509_verify_callback:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":"NULL":0:"depth 0 - serial 53\:A2\:CB\:4B\:12\:4E\:AD\:83\:7D\:A8\:94\:B2 - subject CN=selfsigned, OU=testing, O=PolarSSL, C=NL - flags 0x00000000\n" @@ -1698,9 +1758,13 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crt:"3081b93081a3a0030201018204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374300d06092a864886f70d01010b0500030200ff":"":MBEDTLS_ERR_X509_INVALID_FORMAT + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH X509 CRT ASN1 (TBS, valid SubjectID, valid IssuerID, inv v3Ext, SubjectAltName repeated outside Extensions, inv SubjectAltNames tag) -depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION x509parse_crt:"308203723082025aa003020102020111300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3132303531303133323334315a170d3232303531313133323334315a303a310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c311830160603550403130f7777772e6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b93c4ac5c8a38e9017a49e52aa7175266180e7c7b56d8cffaab64126b7be11ad5c73160c64114804ffd6e13b05db89bbb39709d51c14dd688739b03d71cbe276d01ad8182d801b54f6e5449af1cbaf612edf490d9d09b7edb1fd3cfd3cfa24cf5dbf7ce453e725b5ea4422e926d3ea20949ee66167ba2e07670b032fa209edf0338f0bce10ef67a4c608dac1edc23fd74add153df95e1c8160463eb5b33d2fa6de471cbc92aeebdf276b1656b7dcecd15557a56eec7525f5b77bdfabd23a5a91987d97170b130aa76b4a8bc14730fb3af84104d5c1dfb81dbf7b01a565a2e01e36b7a65ccc305af8cd6fcdf1196225ca01e3357ffa20f5dcfd69b26a007d17f70203010001a38181307f30090603551d1304023000301d0603551d0e041604147de49c6be6f9717d46d2123dad6b1dfdc2aa784c301f0603551d23041830168014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30320603551d11042b3029c20b6578616d706c652e636f6d820b6578616d706c652e6e6574820d2a2e6578616d706c652e6f7267300d06092a864886f70d010105050003820101004f09cb7ad5eef5ef620ddc7ba285d68cca95b46bda115b92007513b9ca0bceeafbc31fe23f7f217479e2e6bcda06e52f6ff655c67339cf48bc0d2f0cd27a06c34a4cd9485da0d07389e4d4851d969a0e5799c66f1d21271f8d0529e840ae823968c39707cf3c934c1adf2fa6a455487f7c8c1ac922da24cd9239c68aecb08df5698267cb04eede534196c127dc2ffe33fad30eb8d432a9842853a5f0d189d5a298e71691bb9cc0418e8c58acffe3dd2e7aabb0b97176ad0f2733f7a929d3c076c0bf06407c0ed5a47c8ae2326e16aeda641fb0557cdbddf1a4ba447cb39958d2346e00ea976c143af2101e0aa249107601f4f2c818fdcc6346128b091bf194e6":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +X509 CRT ASN1 (TBS, valid SubjectID, valid IssuerID, inv v3Ext, SubjectAltName repeated outside Extensions, inv SubjectAltNames discarded) +depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA1_C:MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION +x509parse_crt:"308203723082025aa003020102020111300d06092a864886f70d0101050500303b310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c3119301706035504031310506f6c617253534c2054657374204341301e170d3132303531303133323334315a170d3232303531313133323334315a303a310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c311830160603550403130f7777772e6578616d706c652e636f6d30820122300d06092a864886f70d01010105000382010f003082010a0282010100b93c4ac5c8a38e9017a49e52aa7175266180e7c7b56d8cffaab64126b7be11ad5c73160c64114804ffd6e13b05db89bbb39709d51c14dd688739b03d71cbe276d01ad8182d801b54f6e5449af1cbaf612edf490d9d09b7edb1fd3cfd3cfa24cf5dbf7ce453e725b5ea4422e926d3ea20949ee66167ba2e07670b032fa209edf0338f0bce10ef67a4c608dac1edc23fd74add153df95e1c8160463eb5b33d2fa6de471cbc92aeebdf276b1656b7dcecd15557a56eec7525f5b77bdfabd23a5a91987d97170b130aa76b4a8bc14730fb3af84104d5c1dfb81dbf7b01a565a2e01e36b7a65ccc305af8cd6fcdf1196225ca01e3357ffa20f5dcfd69b26a007d17f70203010001a38181307f30090603551d1304023000301d0603551d0e041604147de49c6be6f9717d46d2123dad6b1dfdc2aa784c301f0603551d23041830168014b45ae4a5b3ded252f6b9d5a6950feb3ebcc7fdff30320603551d11042b3029c20b6578616d706c652e636f6d820b6578616d706c652e6e6574820d2a2e6578616d706c652e6f7267300d06092a864886f70d010105050003820101004f09cb7ad5eef5ef620ddc7ba285d68cca95b46bda115b92007513b9ca0bceeafbc31fe23f7f217479e2e6bcda06e52f6ff655c67339cf48bc0d2f0cd27a06c34a4cd9485da0d07389e4d4851d969a0e5799c66f1d21271f8d0529e840ae823968c39707cf3c934c1adf2fa6a455487f7c8c1ac922da24cd9239c68aecb08df5698267cb04eede534196c127dc2ffe33fad30eb8d432a9842853a5f0d189d5a298e71691bb9cc0418e8c58acffe3dd2e7aabb0b97176ad0f2733f7a929d3c076c0bf06407c0ed5a47c8ae2326e16aeda641fb0557cdbddf1a4ba447cb39958d2346e00ea976c143af2101e0aa249107601f4f2c818fdcc6346128b091bf194e6":"cert. version \: 3\nserial number \: 11\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=www.example.com\nissued on \: 2012-05-10 13\:23\:41\nexpires on \: 2022-05-11 13\:23\:41\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\n":0 + X509 CRT ASN1 (SignatureAlgorithm missing) depends_on:MBEDTLS_RSA_C:MBEDTLS_SHA256_C x509parse_crt:"3081aa3081a7a0030201028204deadbeef300d06092a864886f70d01010b0500300c310a30080600130454657374301c170c303930313031303030303030170c303931323331323335393539300c310a30080600130454657374302a300d06092A864886F70D010101050003190030160210ffffffffffffffffffffffffffffffff0202ffffa100a200a321301f301d0603551d11041630148208666f6f2e7465737482086261722e74657374":"":MBEDTLS_ERR_X509_INVALID_ALG + MBEDTLS_ERR_ASN1_OUT_OF_DATA diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 25b0d7f8f..b81c1b12a 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -329,7 +329,11 @@ void x509_verify_restart( char *crt_file, char *ca_file, cnt_restart = 0; do { ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, - &mbedtls_x509_crt_profile_default, NULL, &flags, + &mbedtls_x509_crt_profile_default, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, NULL, NULL, &rs_ctx ); } while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart ); @@ -341,7 +345,11 @@ void x509_verify_restart( char *crt_file, char *ca_file, /* Do we leak memory when aborting? */ ret = mbedtls_x509_crt_verify_restartable( &crt, &ca, NULL, - &mbedtls_x509_crt_profile_default, NULL, &flags, + &mbedtls_x509_crt_profile_default, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, NULL, NULL, &rs_ctx ); TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS ); @@ -364,15 +372,21 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, uint32_t flags = 0; int res; int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL; - char * cn_name = NULL; const mbedtls_x509_crt_profile *profile; +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + char * cn_name = NULL; +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ mbedtls_x509_crt_init( &crt ); mbedtls_x509_crt_init( &ca ); mbedtls_x509_crl_init( &crl ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( strcmp( cn_name_str, "NULL" ) != 0 ) cn_name = cn_name_str; +#else + (void)cn_name_str; +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ if( strcmp( profile_str, "" ) == 0 ) profile = &mbedtls_x509_crt_profile_default; @@ -400,7 +414,11 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file, TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 ); - res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, cn_name, &flags, f_vrfy, NULL ); + res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + cn_name, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, f_vrfy, NULL ); TEST_ASSERT( res == ( result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) ); @@ -429,13 +447,19 @@ void x509_verify_callback( char *crt_file, char *ca_file, char *name, TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 ); TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) if( strcmp( name, "NULL" ) == 0 ) name = NULL; +#else + (void)name; +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ ret = mbedtls_x509_crt_verify_with_profile( &crt, &ca, NULL, &compat_profile, - name, &flags, - verify_print, &vrfy_ctx ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + name, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, verify_print, &vrfy_ctx ); TEST_ASSERT( ret == exp_ret ); TEST_ASSERT( strcmp( vrfy_ctx.buf, exp_vrfy_out ) == 0 ); @@ -792,8 +816,11 @@ void mbedtls_x509_crt_verify_max( char *ca_file, char *chain_dir, int nb_int, TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 ); /* Try to verify that chain */ - ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, NULL, &flags, - NULL, NULL ); + ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL, +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, NULL, NULL ); TEST_ASSERT( ret == ret_chk ); TEST_ASSERT( flags == (uint32_t) flags_chk ); @@ -833,7 +860,10 @@ void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca, profile = &profile_sha512; res = mbedtls_x509_crt_verify_with_profile( &chain, &trusted, NULL, profile, - NULL, &flags, verify_fatal, &vrfy_fatal_lvls ); +#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION) + NULL, +#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */ + &flags, verify_fatal, &vrfy_fatal_lvls ); TEST_ASSERT( res == ( result ) ); TEST_ASSERT( flags == (uint32_t)( flags_result ) );