Change X.509 verify flags to uint32_t
diff --git a/ChangeLog b/ChangeLog
index b6278a5..63dfc1f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -40,6 +40,11 @@
pointer, parameters reordered).
* mbedtls_ssl_conf_truncated_hmac() now returns void.
* mbedtls_memory_bufer_alloc_init() now returns void.
+ * X.509 verification flags are now an uint32_t. Affect the signature of:
+ mbedtls_ssl_get_verify_result()
+ mbedtls_x509_ctr_verify_info()
+ mbedtls_x509_crt_verify() (flags, f_vrfy -> needs to be update)
+ mbedtls_ssl_conf_verify() (f_vrfy -> needs to be updated)
* In the threading layer, mbedtls_mutex_init() and mbedtls_mutex_free() now
return void.
* ecdsa_write_signature() gained an addtional md_alg argument and
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 1efb6a8..3076d12 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -590,7 +590,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt *peer_cert; /*!< peer X.509 cert chain */
#endif /* MBEDTLS_X509_CRT_PARSE_C */
- int verify_result; /*!< verification result */
+ uint32_t verify_result; /*!< verification result */
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
unsigned char *ticket; /*!< RFC 5077 session ticket */
@@ -823,7 +823,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/** Callback to customize X.509 certificate chain verification */
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *);
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
void *p_vrfy; /*!< context for X.509 verify calllback */
#endif
@@ -1242,7 +1242,7 @@
* \param p_vrfy verification parameter
*/
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
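Review bot: The doc comment for `mbedtls_ssl_conf_verify()` should state the required callback signature, because an application callback still declared with `int *flags` typically draws only an incompatible-pointer-type warning in C, and calling it through the new pointer type is undefined behaviour. The comment block starts outside this hunk; a line such as `\note f_vrfy must take its last argument as uint32_t *` would cover it. The same signature is also written out by hand in the config struct, in `mbedtls_x509_crt_verify()` and in the two static helpers in x509_crt.c. A single function-pointer typedef in x509_crt.h would keep those copies from drifting the next time the type changes.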
@@ -2107,7 +2107,7 @@
* a combination of BADCERT_xxx and BADCRL_xxx flags, see
* x509.h
*/
-int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl );
/**
* \brief Return the name of the current ciphersuite
@@ -2424,7 +2424,7 @@
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
int cert_endpoint,
- int *flags );
+ uint32_t *flags );
#endif /* MBEDTLS_X509_CRT_PARSE_C */
void mbedtls_ssl_write_version( int major, int minor, int transport,
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 5241db1..e184dee 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -214,22 +214,7 @@
* case of an error.
*/
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
- int flags );
-
-/**
- * \brief Returns an informational string about the
- * verification status of a certificate.
- *
- * \param buf Buffer to write to
- * \param size Maximum size of buffer
- * \param prefix A line prefix
- * \param flags Verification flags created by mbedtls_x509_crt_verify()
- *
- * \return The amount of data written to the buffer, or -1 in
- * case of an error.
- */
-int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
- int flags );
+ uint32_t flags );
/**
* \brief Verify the certificate signature
@@ -270,8 +255,8 @@
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
- const char *cn, int *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy );
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 7d22b48..5d04497 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -850,7 +850,7 @@
{
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
- int flags;
+ uint32_t flags;
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL )
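Review bot: `flags` is declared without an initializer on the changed line, and its use lies outside this hunk. It is presumably handed to `mbedtls_ssl_check_cert_usage()`, which this commit now declares with `uint32_t *flags`. If that callee only ORs bits into `*flags` (its body is not visible here), the starting value is indeterminate. `uint32_t flags = 0;` costs nothing and matches the initialised declaration in the test suite.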
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6918e4b..73c3a74 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5219,7 +5219,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
void mbedtls_ssl_conf_verify( mbedtls_ssl_config *conf,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
conf->f_vrfy = f_vrfy;
@@ -5682,7 +5682,7 @@
return( ssl->in_offt == NULL ? 0 : ssl->in_msglen );
}
-int mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
+uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
{
if( ssl->session != NULL )
return( ssl->session->verify_result );
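Review bot: With an unsigned return type, a "result not available" outcome can no longer be expressed as a negative value. The function body continues past this hunk; if a later path still returns `-1`, callers now see 0xFFFFFFFF, which reads as every BADCERT/BADCRL bit set, and any caller testing `< 0` silently stops firing. I would make the sentinel explicit, e.g. `return( 0xFFFFFFFF ); /* result not available */`, and document that value in the ssl.h comment, whose visible part lists only the flag combination.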
@@ -6828,7 +6828,7 @@
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
int cert_endpoint,
- int *flags )
+ uint32_t *flags )
{
int ret = 0;
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
diff --git a/library/x509.c b/library/x509.c
index 2205400..55daf74 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -998,7 +998,7 @@
{
#if defined(MBEDTLS_CERTS_C) && defined(MBEDTLS_SHA1_C)
int ret;
- int flags;
+ uint32_t flags;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6aab3bf..4ebae77 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1408,7 +1408,7 @@
};
int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
- int flags )
+ uint32_t flags )
{
int ret;
const struct x509_crt_verify_string *cur;
@@ -1767,12 +1767,13 @@
static int x509_crt_verify_top(
mbedtls_x509_crt *child, mbedtls_x509_crt *trust_ca,
- mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+ mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
int ret;
- int ca_flags = 0, check_path_cnt = path_cnt + 1;
+ uint32_t ca_flags = 0;
+ int check_path_cnt = path_cnt + 1;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
const mbedtls_md_info_t *md_info;
@@ -1881,12 +1882,12 @@
static int x509_crt_verify_child(
mbedtls_x509_crt *child, mbedtls_x509_crt *parent, mbedtls_x509_crt *trust_ca,
- mbedtls_x509_crl *ca_crl, int path_cnt, int *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+ mbedtls_x509_crl *ca_crl, int path_cnt, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
int ret;
- int parent_flags = 0;
+ uint32_t parent_flags = 0;
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
mbedtls_x509_crt *grandparent;
const mbedtls_md_info_t *md_info;
@@ -1971,8 +1972,8 @@
int mbedtls_x509_crt_verify( mbedtls_x509_crt *crt,
mbedtls_x509_crt *trust_ca,
mbedtls_x509_crl *ca_crl,
- const char *cn, int *flags,
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *),
+ const char *cn, uint32_t *flags,
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *),
void *p_vrfy )
{
size_t cn_len;
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index 3886bbd..0b837ba 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -85,6 +85,7 @@
int main( int argc, char *argv[] )
{
int ret, len, server_fd = -1;
+ uint32_t flags;
unsigned char buf[1024];
const char *pers = "dtls_client";
int retry_left = MAX_RETRY;
@@ -221,23 +222,15 @@
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
* handshake would not succeed if the peer's cert is bad. Even if we used
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_X509_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
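Review bot: The return value of the newly added `mbedtls_x509_crt_verify_info()` call is ignored, and `vrfy_buf` is then printed with `%s` although it was never initialised. The header documents -1 on error, and what the buffer holds in that case is not guaranteed by anything visible here. Declaring `char vrfy_buf[512] = "";` and printing only when the call returns `>= 0` removes the doubt. The same unchecked pattern is in ssl_client1.c, ssl_client2.c, ssl_mail_client.c and ssl_server2.c, where this commit only changes the argument. The comment above the check still says "bail out here if ret != 0" although the result now lives in `flags`; ssl_client1.c and ssl_mail_client.c carry the same stale wording.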
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index ec1edd8..6ff0e14 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -77,6 +77,7 @@
int main( void )
{
int ret, len, server_fd = -1;
+ uint32_t flags;
unsigned char buf[1024];
const char *pers = "ssl_client1";
@@ -204,13 +205,13 @@
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index d1b0b84..d5722ba 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -364,7 +364,7 @@
/*
* Enabled if debug_level > 1 in code below
*/
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
{
char buf[1024];
((void) data);
@@ -388,6 +388,7 @@
int main( int argc, char *argv[] )
{
int ret = 0, len, tail_len, server_fd, i, written, frags, retry_left;
+ uint32_t flags;
unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
@@ -1260,13 +1261,13 @@
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index cab7997..df25435 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -166,6 +166,7 @@
static int do_handshake( mbedtls_ssl_context *ssl )
{
int ret;
+ uint32_t flags;
unsigned char buf[1024];
memset(buf, 0, 1024);
@@ -196,13 +197,13 @@
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
- if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 863cc53..4f1607f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -705,6 +705,7 @@
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges_left;
+ uint32_t flags;
int version_suites[4][2];
unsigned char buf[IO_BUF_LEN];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1896,13 +1897,13 @@
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 35cdce4..43dc44c 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -140,7 +140,7 @@
* 1.3. Load own certificate
*/
char name[512];
- int flags;
+ uint32_t flags;
mbedtls_x509_crt clicert;
mbedtls_pk_context pk;
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index 41bbb42..7ae9015 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -119,7 +119,7 @@
}
}
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
{
char buf[1024];
((void) data);
@@ -152,7 +152,8 @@
mbedtls_x509_crl cacrl;
mbedtls_pk_context pkey;
int i, j;
- int flags, verify = 0;
+ uint32_t flags;
+ int verify = 0;
char *p, *q;
const char *pers = "cert_app";
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 22bc18c..f955e3d 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -6,7 +6,7 @@
#include "mbedtls/oid.h"
#include "mbedtls/base64.h"
-int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
+int verify_none( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
{
((void) data);
((void) crt);
@@ -16,7 +16,7 @@
return 0;
}
-int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, int *flags )
+int verify_all( void *data, mbedtls_x509_crt *crt, int certificate_depth, uint32_t *flags )
{
((void) data);
((void) crt);
@@ -126,9 +126,9 @@
mbedtls_x509_crt crt;
mbedtls_x509_crt ca;
mbedtls_x509_crl crl;
- int flags = 0;
+ uint32_t flags = 0;
int res;
- int (*f_vrfy)(void *, mbedtls_x509_crt *, int, int *) = NULL;
+ int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
char * cn_name = NULL;
mbedtls_x509_crt_init( &crt );
@@ -154,7 +154,7 @@
res = mbedtls_x509_crt_verify( &crt, &ca, &crl, cn_name, &flags, f_vrfy, NULL );
TEST_ASSERT( res == ( result ) );
- TEST_ASSERT( flags == ( flags_result ) );
+ TEST_ASSERT( flags == (uint32_t)( flags_result ) );
exit:
mbedtls_x509_crt_free( &crt );