diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 462a0fa2d3..6b63886898 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2152,7 +2152,7 @@ * and other functions/constants only used by these functions, thus reducing * the code footprint by several KB. */ -//#define MBEDTLS_X509_REMOVE_INFO +#define MBEDTLS_X509_REMOVE_INFO /** * \def MBEDTLS_X509_RSASSA_PSS_SUPPORT diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index 433c3b7343..6906585c00 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -176,6 +176,74 @@ mbedtls_x509_crt_profile; #define MBEDTLS_X509_MAX_FILE_PATH_LEN 512 #endif +/* This macro unfolds to the concatenation of macro invocations + * X509_CRT_ERROR_INFO( error code, + * error code as string, + * human readable description ) + * where X509_CRT_ERROR_INFO is defined by the user. + * See x509_crt.c for an example of how to use this. */ +#define MBEDTLS_X509_CRT_ERROR_INFO_LIST \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXPIRED, \ + "MBEDTLS_X509_BADCERT_EXPIRED", \ + "The certificate validity has expired" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_REVOKED, \ + "MBEDTLS_X509_BADCERT_REVOKED", \ + "The certificate has been revoked (is on a CRL)" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_CN_MISMATCH, \ + "MBEDTLS_X509_BADCERT_CN_MISMATCH", \ + "The certificate Common Name (CN) does not match with the expected CN" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NOT_TRUSTED, \ + "MBEDTLS_X509_BADCERT_NOT_TRUSTED", \ + "The certificate is not correctly signed by the trusted CA" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_NOT_TRUSTED, \ + "MBEDTLS_X509_BADCRL_NOT_TRUSTED", \ + "The CRL is not correctly signed by the trusted CA" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_EXPIRED, \ + "MBEDTLS_X509_BADCRL_EXPIRED", \ + "The CRL is expired" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_MISSING, \ + "MBEDTLS_X509_BADCERT_MISSING", \ + "Certificate was missing" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_SKIP_VERIFY, \ + "MBEDTLS_X509_BADCERT_SKIP_VERIFY", \ + "Certificate verification was skipped" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_OTHER, \ + "MBEDTLS_X509_BADCERT_OTHER", \ + "Other reason (can be used by verify callback)" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_FUTURE, \ + "MBEDTLS_X509_BADCERT_FUTURE", \ + "The certificate validity starts in the future" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_FUTURE, \ + "MBEDTLS_X509_BADCRL_FUTURE", \ + "The CRL is from the future" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_KEY_USAGE, \ + "MBEDTLS_X509_BADCERT_KEY_USAGE", \ + "Usage does not match the keyUsage extension" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, \ + "MBEDTLS_X509_BADCERT_EXT_KEY_USAGE", \ + "Usage does not match the extendedKeyUsage extension" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_NS_CERT_TYPE, \ + "MBEDTLS_X509_BADCERT_NS_CERT_TYPE", \ + "Usage does not match the nsCertType extension" ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_MD, \ + "MBEDTLS_X509_BADCERT_BAD_MD", \ + "The certificate is signed with an unacceptable hash." ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_PK, \ + "MBEDTLS_X509_BADCERT_BAD_PK", \ + "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCERT_BAD_KEY, \ + "MBEDTLS_X509_BADCERT_BAD_KEY", \ + "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_MD, \ + "MBEDTLS_X509_BADCRL_BAD_MD", \ + "The CRL is signed with an unacceptable hash." ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_PK, \ + "MBEDTLS_X509_BADCRL_BAD_PK", \ + "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." ) \ + X509_CRT_ERROR_INFO( MBEDTLS_X509_BADCRL_BAD_KEY, \ + "MBEDTLS_X509_BADCRL_BAD_KEY", \ + "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." ) + /** * Container for writing a certificate (CRT) */ diff --git a/library/x509_crt.c b/library/x509_crt.c index 19c4f40f53..27e3e33b6a 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -2200,29 +2200,12 @@ struct x509_crt_verify_string { const char *string; }; +#define X509_CRT_ERROR_INFO( err, err_str, info ) { err, info }, static const struct x509_crt_verify_string x509_crt_verify_strings[] = { - { MBEDTLS_X509_BADCERT_EXPIRED, "The certificate validity has expired" }, - { MBEDTLS_X509_BADCERT_REVOKED, "The certificate has been revoked (is on a CRL)" }, - { MBEDTLS_X509_BADCERT_CN_MISMATCH, "The certificate Common Name (CN) does not match with the expected CN" }, - { MBEDTLS_X509_BADCERT_NOT_TRUSTED, "The certificate is not correctly signed by the trusted CA" }, - { MBEDTLS_X509_BADCRL_NOT_TRUSTED, "The CRL is not correctly signed by the trusted CA" }, - { MBEDTLS_X509_BADCRL_EXPIRED, "The CRL is expired" }, - { MBEDTLS_X509_BADCERT_MISSING, "Certificate was missing" }, - { MBEDTLS_X509_BADCERT_SKIP_VERIFY, "Certificate verification was skipped" }, - { MBEDTLS_X509_BADCERT_OTHER, "Other reason (can be used by verify callback)" }, - { MBEDTLS_X509_BADCERT_FUTURE, "The certificate validity starts in the future" }, - { MBEDTLS_X509_BADCRL_FUTURE, "The CRL is from the future" }, - { MBEDTLS_X509_BADCERT_KEY_USAGE, "Usage does not match the keyUsage extension" }, - { MBEDTLS_X509_BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" }, - { MBEDTLS_X509_BADCERT_NS_CERT_TYPE, "Usage does not match the nsCertType extension" }, - { MBEDTLS_X509_BADCERT_BAD_MD, "The certificate is signed with an unacceptable hash." }, - { MBEDTLS_X509_BADCERT_BAD_PK, "The certificate is signed with an unacceptable PK alg (eg RSA vs ECDSA)." }, - { MBEDTLS_X509_BADCERT_BAD_KEY, "The certificate is signed with an unacceptable key (eg bad curve, RSA too short)." }, - { MBEDTLS_X509_BADCRL_BAD_MD, "The CRL is signed with an unacceptable hash." }, - { MBEDTLS_X509_BADCRL_BAD_PK, "The CRL is signed with an unacceptable PK alg (eg RSA vs ECDSA)." }, - { MBEDTLS_X509_BADCRL_BAD_KEY, "The CRL is signed with an unacceptable key (eg bad curve, RSA too short)." }, + MBEDTLS_X509_CRT_ERROR_INFO_LIST { 0, NULL } }; +#undef X509_CRT_ERROR_INFO int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix, uint32_t flags ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 963006069a..5be162f1ef 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -523,17 +523,53 @@ struct options #if defined(MBEDTLS_X509_CRT_PARSE_C) static unsigned char peer_crt_info[1024]; +#if !defined(MBEDTLS_X509_REMOVE_INFO) +int x509_crt_verify_info( char *buf, size_t size, const char *prefix, + uint32_t flags ) +{ + return( mbedtls_x509_crt_verify_info( buf, size, prefix, flags ) ); +} +#else /* !MBEDTLS_X509_REMOVE_INFO */ +int x509_crt_verify_info( char *buf, size_t size, const char *prefix, + uint32_t flags ) +{ + int ret; + char *p = buf; + size_t n = size; + +#define X509_CRT_ERROR_INFO( err, err_str, info ) \ + if( ( flags & err ) != 0 ) \ + { \ + ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, info ); \ + MBEDTLS_X509_SAFE_SNPRINTF; \ + flags ^= err; \ + } + + MBEDTLS_X509_CRT_ERROR_INFO_LIST +#undef X509_CRT_ERROR_INFO + + if( flags != 0 ) + { + ret = mbedtls_snprintf( p, n, "%sUnknown reason " + "(this should not happen)\n", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + } + + return( (int) ( size - n ) ); +} +#endif /* MBEDTLS_X509_REMOVE_INFO */ + /* * Enabled if debug_level > 1 in code below */ static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags ) { -#if !defined(MBEDTLS_X509_REMOVE_INFO) char buf[1024]; -#endif ((void) data); + mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth ); + #if !defined(MBEDTLS_X509_REMOVE_INFO) mbedtls_x509_crt_info( buf, sizeof( buf ) - 1, "", crt ); if( depth == 0 ) @@ -542,7 +578,6 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, if( opt.debug_level == 0 ) return( 0 ); - mbedtls_printf( "\nVerify requested for (Depth %d):\n", depth ); mbedtls_printf( "%s", buf ); #else ((void) crt); @@ -553,10 +588,8 @@ static int my_verify( void *data, mbedtls_x509_crt *crt, mbedtls_printf( " This certificate has no flags\n" ); else { -#if !defined(MBEDTLS_X509_REMOVE_INFO) - mbedtls_x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags ); + x509_crt_verify_info( buf, sizeof( buf ), " ! ", *flags ); mbedtls_printf( "%s\n", buf ); -#endif } return( 0 ); @@ -2284,18 +2317,13 @@ int main( int argc, char *argv[] ) if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) { -#if !defined(MBEDTLS_X509_REMOVE_INFO) char vrfy_buf[512]; -#endif - mbedtls_printf( " failed\n" ); -#if !defined(MBEDTLS_X509_REMOVE_INFO) - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); -#endif } else mbedtls_printf( " ok\n" ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index d3a4ed340c..a8cc150459 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -623,6 +623,42 @@ struct options #include "ssl_test_common_source.c" +#if !defined(MBEDTLS_X509_REMOVE_INFO) +int x509_crt_verify_info( char *buf, size_t size, const char *prefix, + uint32_t flags ) +{ + return( mbedtls_x509_crt_verify_info( buf, size, prefix, flags ) ); +} +#else /* !MBEDTLS_X509_REMOVE_INFO */ +int x509_crt_verify_info( char *buf, size_t size, const char *prefix, + uint32_t flags ) +{ + int ret; + char *p = buf; + size_t n = size; + +#define X509_CRT_ERROR_INFO( err, err_str, info ) \ + if( ( flags & err ) != 0 ) \ + { \ + ret = mbedtls_snprintf( p, n, "%s%s\n", prefix, info ); \ + MBEDTLS_X509_SAFE_SNPRINTF; \ + flags ^= err; \ + } + + MBEDTLS_X509_CRT_ERROR_INFO_LIST +#undef X509_CRT_ERROR_INFO + + if( flags != 0 ) + { + ret = mbedtls_snprintf( p, n, "%sUnknown reason " + "(this should not happen)\n", prefix ); + MBEDTLS_X509_SAFE_SNPRINTF; + } + + return( (int) ( size - n ) ); +} +#endif /* MBEDTLS_X509_REMOVE_INFO */ + /* * Return authmode from string, or -1 on error */ @@ -3134,13 +3170,13 @@ handshake: { mbedtls_printf( " failed\n ! mbedtls_ssl_handshake returned -0x%x\n\n", (unsigned int) -ret ); -#if defined(MBEDTLS_X509_CRT_PARSE_C) && !defined(MBEDTLS_X509_REMOVE_INFO) +#if defined(MBEDTLS_X509_CRT_PARSE_C) if( ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ) { char vrfy_buf[512]; flags = mbedtls_ssl_get_verify_result( &ssl ); - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); } @@ -3188,17 +3224,12 @@ handshake: if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 ) { -#if !defined(MBEDTLS_X509_REMOVE_INFO) char vrfy_buf[512]; -#endif mbedtls_printf( " failed\n" ); -#if !defined(MBEDTLS_X509_REMOVE_INFO) - mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); - + x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags ); mbedtls_printf( "%s\n", vrfy_buf ); -#endif } else mbedtls_printf( " ok\n" );