mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 06:05:28 +00:00
Make verify() actually restartable
This commit is contained in:
parent
c11e4baa63
commit
8b59049407
|
@ -171,7 +171,22 @@ typedef struct
|
|||
*/
|
||||
typedef struct
|
||||
{
|
||||
mbedtls_ecdsa_restart_ctx ecdsa; /*!< ecdsa restart context */
|
||||
/* for check_signature() */
|
||||
mbedtls_ecdsa_restart_ctx ecdsa;
|
||||
|
||||
/* for find_parent_in() */
|
||||
mbedtls_x509_crt *parent; /* non-null iff parent_in in progress */
|
||||
mbedtls_x509_crt *fallback_parent;
|
||||
int fallback_sign_good;
|
||||
|
||||
/* for find_parent() */
|
||||
int parent_is_trusted; /* -1 if find_parent is not in progress */
|
||||
|
||||
/* for verify_chain() */
|
||||
mbedtls_x509_crt *child; /* non-null iff in progress */
|
||||
int self_cnt;
|
||||
mbedtls_x509_crt_verify_chain ver_chain;
|
||||
|
||||
} mbedtls_x509_crt_restart_ctx;
|
||||
|
||||
#else /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
|
|
|
@ -1870,7 +1870,7 @@ static int x509_crt_check_signature( const mbedtls_x509_crt *child,
|
|||
if( ! mbedtls_pk_can_do( &parent->pk, child->sig_pk ) )
|
||||
return( -1 );
|
||||
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA )
|
||||
{
|
||||
return( mbedtls_pk_verify_restartable( &parent->pk,
|
||||
|
@ -1961,8 +1961,23 @@ static int x509_crt_find_parent_in(
|
|||
mbedtls_x509_crt_restart_ctx *rs_ctx )
|
||||
{
|
||||
int ret;
|
||||
mbedtls_x509_crt *parent, *fallback_parent = NULL;
|
||||
int signature_is_good = 0, fallback_sign_good = 0;
|
||||
mbedtls_x509_crt *parent, *fallback_parent;
|
||||
int signature_is_good, fallback_sign_good;
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
/* restore state if we have some stored */
|
||||
if( rs_ctx != NULL && rs_ctx->parent != NULL )
|
||||
{
|
||||
parent = rs_ctx->parent;
|
||||
fallback_parent = rs_ctx->fallback_parent;
|
||||
fallback_sign_good = rs_ctx->fallback_sign_good;
|
||||
|
||||
goto check_signature;
|
||||
}
|
||||
#endif
|
||||
|
||||
fallback_parent = NULL;
|
||||
fallback_sign_good = 0;
|
||||
|
||||
for( parent = candidates; parent != NULL; parent = parent->next )
|
||||
{
|
||||
|
@ -1978,14 +1993,24 @@ static int x509_crt_find_parent_in(
|
|||
}
|
||||
|
||||
/* Signature */
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
check_signature:
|
||||
#endif
|
||||
ret = x509_crt_check_signature( child, parent, rs_ctx );
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||
// TODO: stave state
|
||||
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
|
||||
{
|
||||
/* save state */
|
||||
rs_ctx->parent = parent;
|
||||
rs_ctx->fallback_parent = fallback_parent;
|
||||
rs_ctx->fallback_sign_good = fallback_sign_good;
|
||||
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
#else
|
||||
(void) ret;
|
||||
#endif
|
||||
|
||||
signature_is_good = ret == 0;
|
||||
if( top && ! signature_is_good )
|
||||
|
@ -2018,6 +2043,16 @@ static int x509_crt_find_parent_in(
|
|||
*r_signature_is_good = fallback_sign_good;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( rs_ctx != NULL )
|
||||
{
|
||||
/* reset state */
|
||||
rs_ctx->parent = NULL;
|
||||
rs_ctx->fallback_parent = NULL;
|
||||
rs_ctx->fallback_sign_good = 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
@ -2042,6 +2077,12 @@ static int x509_crt_find_parent(
|
|||
|
||||
*parent_is_trusted = 1;
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
/* restore state if we have some stored */
|
||||
if( rs_ctx != NULL && rs_ctx->parent_is_trusted != -1)
|
||||
*parent_is_trusted = rs_ctx->parent_is_trusted;
|
||||
#endif
|
||||
|
||||
while( 1 ) {
|
||||
search_list = *parent_is_trusted ? trust_ca : child->next;
|
||||
|
||||
|
@ -2051,11 +2092,15 @@ static int x509_crt_find_parent(
|
|||
path_cnt, self_cnt, rs_ctx );
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||
// TODO: stave state
|
||||
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
|
||||
{
|
||||
/* save state */
|
||||
rs_ctx->parent_is_trusted = *parent_is_trusted;
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
#else
|
||||
(void) ret;
|
||||
#endif
|
||||
|
||||
/* stop here if found or already in second iteration */
|
||||
if( *parent != NULL || *parent_is_trusted == 0 )
|
||||
|
@ -2072,6 +2117,12 @@ static int x509_crt_find_parent(
|
|||
signature_is_good = 0;
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
/* reset state */
|
||||
if( rs_ctx != NULL )
|
||||
rs_ctx->parent_is_trusted = -1;
|
||||
#endif
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
@ -2155,12 +2206,31 @@ static int x509_crt_verify_chain(
|
|||
mbedtls_x509_crt_verify_chain_item *cur;
|
||||
mbedtls_x509_crt *child;
|
||||
mbedtls_x509_crt *parent;
|
||||
int parent_is_trusted = 0;
|
||||
int child_is_trusted = 0;
|
||||
int signature_is_good = 0;
|
||||
int self_cnt = 0;
|
||||
int parent_is_trusted;
|
||||
int child_is_trusted;
|
||||
int signature_is_good;
|
||||
int self_cnt;
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
/* resume if we had an operation in progress */
|
||||
if( rs_ctx != NULL && rs_ctx->child != NULL )
|
||||
{
|
||||
/* save state */
|
||||
child = rs_ctx->child;
|
||||
self_cnt = rs_ctx->self_cnt;
|
||||
*ver_chain = rs_ctx->ver_chain;
|
||||
|
||||
cur = &ver_chain->items[ver_chain->len - 1];
|
||||
flags = &cur->flags;
|
||||
|
||||
goto find_parent;
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
|
||||
child = crt;
|
||||
self_cnt = 0;
|
||||
parent_is_trusted = 0;
|
||||
child_is_trusted = 0;
|
||||
|
||||
while( 1 ) {
|
||||
/* Add certificate to the verification chain */
|
||||
|
@ -2194,17 +2264,27 @@ static int x509_crt_verify_chain(
|
|||
return( 0 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
find_parent:
|
||||
#endif
|
||||
/* Look for a parent in trusted CAs or up the chain */
|
||||
ret = x509_crt_find_parent( child, trust_ca, &parent,
|
||||
&parent_is_trusted, &signature_is_good,
|
||||
ver_chain->len - 1, self_cnt, rs_ctx );
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||
// TODO: stave state
|
||||
if( rs_ctx != NULL && ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
|
||||
{
|
||||
/* save state */
|
||||
rs_ctx->child = child;
|
||||
rs_ctx->self_cnt = self_cnt;
|
||||
rs_ctx-> ver_chain = *ver_chain;
|
||||
|
||||
return( ret );
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
}
|
||||
#else
|
||||
(void) ret;
|
||||
#endif
|
||||
|
||||
/* No parent? We're done here */
|
||||
if( parent == NULL )
|
||||
|
@ -2425,13 +2505,6 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
|||
ret = x509_crt_verify_chain( crt, trust_ca, ca_crl, profile,
|
||||
&ver_chain, rs_ctx );
|
||||
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) {
|
||||
// TODO: stave state
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
|
||||
if( ret != 0 )
|
||||
goto exit;
|
||||
|
||||
|
@ -2439,6 +2512,11 @@ int mbedtls_x509_crt_verify_restartable( mbedtls_x509_crt *crt,
|
|||
ret = x509_crt_merge_flags_with_cb( flags, &ver_chain, f_vrfy, p_vrfy );
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
|
||||
if( rs_ctx != NULL && ret != MBEDTLS_ERR_ECP_IN_PROGRESS )
|
||||
mbedtls_x509_crt_restart_free( rs_ctx );
|
||||
#endif
|
||||
|
||||
/* prevent misuse of the vrfy callback - VERIFY_FAILED would be ignored by
|
||||
* the SSL module for authmode optional, but non-zero return from the
|
||||
* callback means a fatal error so it shouldn't be ignored */
|
||||
|
@ -2554,6 +2632,17 @@ void mbedtls_x509_crt_free( mbedtls_x509_crt *crt )
|
|||
void mbedtls_x509_crt_restart_init( mbedtls_x509_crt_restart_ctx *ctx )
|
||||
{
|
||||
mbedtls_ecdsa_restart_init( &ctx->ecdsa );
|
||||
|
||||
ctx->parent = NULL;
|
||||
ctx->fallback_parent = NULL;
|
||||
ctx->fallback_sign_good = 0;
|
||||
|
||||
ctx->parent_is_trusted = -1;
|
||||
|
||||
ctx->child = NULL;
|
||||
ctx->self_cnt = 0;
|
||||
memset( ctx->ver_chain.items, 0, sizeof( ctx->ver_chain.items ) );
|
||||
ctx->ver_chain.len = 0;
|
||||
}
|
||||
|
||||
/*
|
||||
|
@ -2565,6 +2654,8 @@ void mbedtls_x509_crt_restart_free( mbedtls_x509_crt_restart_ctx *ctx )
|
|||
return;
|
||||
|
||||
mbedtls_ecdsa_restart_free( &ctx->ecdsa );
|
||||
|
||||
mbedtls_x509_crt_restart_init( ctx );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_ECP_RESTARTABLE */
|
||||
|
||||
|
|
|
@ -17,7 +17,7 @@ Two intermediate CAs are signed by them:
|
|||
- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
|
||||
uses RSA-4096, signed by test-ca2
|
||||
- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
|
||||
uses an EC key with NIST P-256, signed by test-ca
|
||||
uses an EC key with NIST P-384, signed by test-ca
|
||||
|
||||
A third intermediate CA is signed by test-int-ca2.crt:
|
||||
- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
|
||||
|
|
|
@ -1810,22 +1810,86 @@ X509 cert verify restart: trusted EE, max_ops=0
|
|||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: trusted EE, max_ops=1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-selfsigned.crt":"data_files/server5-selfsigned.crt":0:0:1:0:0
|
||||
|
||||
X509 cert verify restart: no intermediate, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: no intermediate, max_ops=1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:1:100:10000
|
||||
|
||||
X509 cert verify restart: no intermediate, max_ops=40000
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:40000:0:0
|
||||
|
||||
X509 cert verify restart: no intermediate, max_ops=500
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5.crt":"data_files/test-ca2.crt":0:0:500:20:80
|
||||
|
||||
X509 cert verify restart: no intermediate, badsign, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
|
||||
|
||||
X509 cert verify restart: one intermediate, max_ops=0
|
||||
X509 cert verify restart: no intermediate, badsign, max_ops=1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
|
||||
|
||||
X509 cert verify restart: no intermediate, badsign, max_ops=40000
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:40000:0:0
|
||||
|
||||
X509 cert verify restart: no intermediate, badsign, max_ops=500
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED
|
||||
x509_verify_restart:"data_files/server5-badsign.crt":"data_files/test-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:20:80
|
||||
|
||||
X509 cert verify restart: one int, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:0:0:0
|
||||
|
||||
X509 cert verify restart: one intermediate, EE badsign, max_ops=0
|
||||
X509 cert verify restart: one int, max_ops=1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:1:100:10000
|
||||
|
||||
X509 cert verify restart: one int, max_ops=30000
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:30000:0:0
|
||||
|
||||
X509 cert verify restart: one int, max_ops=500
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3_int-ca2.crt":"data_files/test-int-ca2.crt":0:0:500:25:100
|
||||
|
||||
X509 cert verify restart: one int, EE badsign, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
|
||||
|
||||
X509 cert verify restart: one intermediate, int badsign, max_ops=0
|
||||
X509 cert verify restart: one int, EE badsign, max_ops=1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
|
||||
|
||||
X509 cert verify restart: one int, EE badsign, max_ops=30000
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
|
||||
|
||||
X509 cert verify restart: one int, EE badsign, max_ops=500
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10-bs_int3.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
|
||||
|
||||
X509 cert verify restart: one int, int badsign, max_ops=0
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:0:0:0
|
||||
|
||||
X509 cert verify restart: one int, int badsign, max_ops=1
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:1:100:10000
|
||||
|
||||
X509 cert verify restart: one int, int badsign, max_ops=30000
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:30000:0:0
|
||||
|
||||
X509 cert verify restart: one int, int badsign, max_ops=500
|
||||
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_RSA_C
|
||||
x509_verify_restart:"data_files/server10_int3-bs.pem":"data_files/test-int-ca2.crt":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:500:25:100
|
||||
|
|
|
@ -272,6 +272,16 @@ void x509_verify_restart( char *crt_file, char *ca_file,
|
|||
mbedtls_x509_crt ca;
|
||||
uint32_t flags = 0;
|
||||
|
||||
/*
|
||||
* See comments on ecp_test_vect_restart() for op count precision.
|
||||
*
|
||||
* For reference, with mbed TLS 2.6 and default settings:
|
||||
* - ecdsa_verify() for P-256: ~ 6700
|
||||
* - ecdsa_verify() for P-384: ~ 18800
|
||||
* - x509_verify() for server5 -> test-ca2: ~ 18800
|
||||
* - x509_verify() for server10 -> int-ca3 -> int-ca2: ~ 25500
|
||||
*/
|
||||
|
||||
mbedtls_x509_crt_restart_init( &rs_ctx );
|
||||
mbedtls_x509_crt_init( &crt );
|
||||
mbedtls_x509_crt_init( &ca );
|
||||
|
|
Loading…
Reference in a new issue