Change X.509 verify flags to uint32_t

ChangeLog

@@ -40,6 +40,11 @@ API Changes
      pointer, parameters reordered).
    * mbedtls_ssl_conf_truncated_hmac() now returns void.
    * mbedtls_memory_bufer_alloc_init() now returns void.
+   * X.509 verification flags are now an uint32_t. Affect the signature of:
+     mbedtls_ssl_get_verify_result()
+     mbedtls_x509_ctr_verify_info()
+     mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be update)
+     mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
    * In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
      return void.
    * ecdsa_write_signature() gained an addtional md_alg argument and

include/mbedtls/ssl.h

@@ -590,7 +590,7 @@ struct mbedtls_ssl_session
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     mbedtls_x509_crt *peer_cert;        /*!< peer X.509 cert chain */
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
-    int verify_result;          /*!<  verification result     */
+    uint32_t verify_result;          /*!<  verification result     */
 
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
     unsigned char *ticket;      /*!< RFC 5077 session ticket */
@@ -823,7 +823,7 @@ typedef struct
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
     /** Callback to customize X.509 certificate chain verification          */
-    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *);
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
     void *p_vrfy;                   /*!< context for X.509 verify calllback */
 #endif
 
@@ -1242,7 +1242,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode );
  * \param p_vrfy   verification parameter
  */
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
-                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
@@ -2107,7 +2107,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl );
  *                 a combination of BADCERT_xxx and BADCRL_xxx flags, see
  *                 x509.h
  */
-int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
 
 /**
  * \brief          Return the name of the current ciphersuite
@@ -2424,7 +2424,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
                           int cert_endpoint,
-                          int *flags );
+                          uint32_t *flags );
 #endif /* MBEDTLS_X509_CRT_PARSE_C */
 
 void mbedtls_ssl_write_version( int major, int minor, int transport,

include/mbedtls/x509_crt.h

@@ -214,22 +214,7 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
  *                 case of an error.
  */
 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
-                          int flags );
-
-/**
- * \brief          Returns an informational string about the
- *                 verification status of a certificate.
- *
- * \param buf      Buffer to write to
- * \param size     Maximum size of buffer
- * \param prefix   A line prefix
- * \param flags    Verification flags created by mbedtls_x509_crt_verify()
- *
- * \return         The amount of data written to the buffer, or -1 in
- *                 case of an error.
- */
-int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
-                          int flags );
+                          uint32_t flags );
 
 /**
  * \brief          Verify the certificate signature
@@ -270,8 +255,8 @@ int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
                      mbedtls_x509_crt *trust_ca,
                      mbedtls_x509_crl *ca_crl,
-                     const char *cn, int *flags,
-                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy );
 
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)

library/ssl_srv.c

@@ -850,7 +850,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
 {
     mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
     mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
-    int flags;
+    uint32_t flags;
 
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
     if( ssl->handshake->sni_key_cert != NULL )

library/ssl_tls.c

@@ -5219,7 +5219,7 @@ void mbedtls_ssl_conf_authmode( mbedtls_ssl_config *conf, int authmode )
 
 #if defined(MBEDTLS_X509_CRT_PARSE_C)
 void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
-                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy )
 {
     conf->f_vrfy      = f_vrfy;
@@ -5682,7 +5682,7 @@ size_t mbedtls_ssl_get_bytes_avail( const mbedtls_ssl_context *ssl )
     return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
 }
 
-int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
 {
     if( ssl->session != NULL )
         return( ssl->session->verify_result );
@@ -6828,7 +6828,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
 int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
                           const mbedtls_ssl_ciphersuite_t *ciphersuite,
                           int cert_endpoint,
-                          int *flags )
+                          uint32_t *flags )
 {
     int ret = 0;
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)

library/x509.c

@@ -998,7 +998,7 @@ int mbedtls_x509_self_test( int verbose )
 {
 #if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
     int ret;
-    int flags;
+    uint32_t flags;
     mbedtls_x509_crt cacert;
     mbedtls_x509_crt clicert;
 

library/x509_crt.c

@@ -1408,7 +1408,7 @@ static const struct x509_crt_verify_string x509_crt_verify_strings[] = {
 };
 
 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
-                          int flags )
+                          uint32_t flags )
 {
     int ret;
     const struct x509_crt_verify_string *cur;
@@ -1767,12 +1767,13 @@ static int x509_crt_check_parent( const mbedtls_x509_crt *child,
 
 static int x509_crt_verify_top(
                 mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
-                mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
-                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+                mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
+                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                 void *p_vrfy )
 {
     int ret;
-    int ca_flags = 0, check_path_cnt = path_cnt + 1;
+    uint32_t ca_flags = 0;
+    int check_path_cnt = path_cnt + 1;
     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
     const mbedtls_md_info_t *md_info;
 
@@ -1881,12 +1882,12 @@ static int x509_crt_verify_top(
 
 static int x509_crt_verify_child(
                 mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt *trust_ca,
-                mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
-                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+                mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
+                int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                 void *p_vrfy )
 {
     int ret;
-    int parent_flags = 0;
+    uint32_t parent_flags = 0;
     unsigned char hash[MBEDTLS_MD_MAX_SIZE];
     mbedtls_x509_crt *grandparent;
     const mbedtls_md_info_t *md_info;
@@ -1971,8 +1972,8 @@ static int x509_crt_verify_child(
 int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
                      mbedtls_x509_crt *trust_ca,
                      mbedtls_x509_crl *ca_crl,
-                     const char *cn, int *flags,
-                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+                     const char *cn, uint32_t *flags,
+                     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
                      void *p_vrfy )
 {
     size_t cn_len;

programs/ssl/dtls_client.c

@@ -85,6 +85,7 @@ static void my_debug( void *ctx, int level, const char *str )
 int main( int argc, char *argv[] )
 {
     int ret, len, server_fd = -1;
+    uint32_t flags;
     unsigned char buf[1024];
     const char *pers = "dtls_client";
     int retry_left = MAX_RETRY;
@@ -221,23 +222,15 @@ int main( int argc, char *argv[] )
     /* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
      * handshake would not succeed if the peer's cert is bad.  Even if we used
      * MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
-    if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
+        char vrfy_buf[512];
+
         mbedtls_printf( " failed\n" );
 
-        if( ( ret & MBEDTLS_X509_BADCERT_EXPIRED ) != 0 )
-            mbedtls_printf( "  ! server certificate has expired\n" );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
-        if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
-            mbedtls_printf( "  ! server certificate has been revoked\n" );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
-            mbedtls_printf( "  ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
-
-        if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
-            mbedtls_printf( "  ! self-signed or not signed by a trusted CA\n" );
-
-        mbedtls_printf( "\n" );
+        mbedtls_printf( "%s\n", vrfy_buf );
     }
     else
         mbedtls_printf( " ok\n" );

programs/ssl/ssl_client1.c

@@ -77,6 +77,7 @@ static void my_debug( void *ctx, int level, const char *str )
 int main( void )
 {
     int ret, len, server_fd = -1;
+    uint32_t flags;
     unsigned char buf[1024];
     const char *pers = "ssl_client1";
 
@@ -204,13 +205,13 @@ int main( void )
     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
 
     /* In real life, we probably want to bail out when ret != 0 */
-    if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
         char vrfy_buf[512];
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
     }

programs/ssl/ssl_client2.c

@@ -364,7 +364,7 @@ static int my_send( void *ctx, const unsigned char *buf, size_t len )
 /*
  * Enabled if debug_level > 1 in code below
  */
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
 {
     char buf[1024];
     ((void) data);
@@ -388,6 +388,7 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, tail_len, server_fd, i, written, frags, retry_left;
+    uint32_t flags;
     unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
     unsigned char psk[MBEDTLS_PSK_MAX_LEN];
@@ -1260,13 +1261,13 @@ int main( int argc, char *argv[] )
      */
     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
 
-    if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
         char vrfy_buf[512];
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
     }

programs/ssl/ssl_mail_client.c

@@ -166,6 +166,7 @@ static void my_debug( void *ctx, int level, const char *str )
 static int do_handshake( mbedtls_ssl_context *ssl )
 {
     int ret;
+    uint32_t flags;
     unsigned char buf[1024];
     memset(buf, 0, 1024);
 
@@ -196,13 +197,13 @@ static int do_handshake( mbedtls_ssl_context *ssl )
     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
 
     /* In real life, we probably want to bail out when ret != 0 */
-    if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
+    if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
     {
         char vrfy_buf[512];
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
     }

programs/ssl/ssl_server2.c

@@ -705,6 +705,7 @@ void term_handler( int sig )
 int main( int argc, char *argv[] )
 {
     int ret = 0, len, written, frags, exchanges_left;
+    uint32_t flags;
     int version_suites[4][2];
     unsigned char buf[IO_BUF_LEN];
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1896,13 +1897,13 @@ reset:
      */
     mbedtls_printf( "  . Verifying peer X.509 certificate..." );
 
-    if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+    if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
     {
         char vrfy_buf[512];
 
         mbedtls_printf( " failed\n" );
 
-        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", ret );
+        mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), "  ! ", flags );
 
         mbedtls_printf( "%s\n", vrfy_buf );
     }

programs/test/ssl_cert_test.c

@@ -140,7 +140,7 @@ int main( void )
          * 1.3. Load own certificate
          */
         char    name[512];
-        int flags;
+        uint32_t flags;
         mbedtls_x509_crt clicert;
         mbedtls_pk_context pk;
 

programs/x509/cert_app.c

@@ -119,7 +119,7 @@ static void my_debug( void *ctx, int level, const char *str )
     }
 }
 
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
 {
     char buf[1024];
     ((void) data);
@@ -152,7 +152,8 @@ int main( int argc, char *argv[] )
     mbedtls_x509_crl cacrl;
     mbedtls_pk_context pkey;
     int i, j;
-    int flags, verify = 0;
+    uint32_t flags;
+    int verify = 0;
     char *p, *q;
     const char *pers = "cert_app";
 

tests/suites/test_suite_x509parse.function

@@ -6,7 +6,7 @@
 #include "mbedtls/oid.h"
 #include "mbedtls/base64.h"
 
-int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
+int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
 {
     ((void) data);
     ((void) crt);
@@ -16,7 +16,7 @@ int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *
     return 0;
 }
 
-int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
+int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
 {
     ((void) data);
     ((void) crt);
@@ -126,9 +126,9 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
     mbedtls_x509_crt   crt;
     mbedtls_x509_crt   ca;
     mbedtls_x509_crl    crl;
-    int         flags = 0;
+    uint32_t         flags = 0;
     int         res;
-    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *) = NULL;
+    int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
     char *      cn_name = NULL;
 
     mbedtls_x509_crt_init( &crt );
@@ -154,7 +154,7 @@ void x509_verify( char *crt_file, char *ca_file, char *crl_file,
     res = mbedtls_x509_crt_verify( &crt, &ca, &crl, cn_name, &flags, f_vrfy, NULL );
 
     TEST_ASSERT( res == ( result ) );
-    TEST_ASSERT( flags == ( flags_result ) );
+    TEST_ASSERT( flags == (uint32_t)( flags_result ) );
 
 exit:
     mbedtls_x509_crt_free( &crt );