mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-06 12:40:02 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Always print detailed cert errors in test programs

Browse Source 
Previously the client was only printing them on handshake success, and
the server was printing them on success and some but not all failures.

This makes ssl-opt.sh more consistent as we can always check for the
presence of the expected message in the output, regardless of whether
the failure is hard or soft.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard 2024-08-08 10:56:41 +02:00 committed by Elena Uziunaite
parent 4956e32538
commit 92a391e0fe
3 changed files with 21 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
programs/ssl/ssl_client2.c
View File

@ -2204,7 +2204,9 @@ usage:
ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) { ret != MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) {
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n", mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned -0x%x\n",
(unsigned int) -ret); (unsigned int) -ret);
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
mbedtls_printf( mbedtls_printf(
" Unable to verify the server's certificate. " " Unable to verify the server's certificate. "
"Either it is invalid,\n" "Either it is invalid,\n"
@ -2215,7 +2217,13 @@ usage:
"not using TLS 1.3.\n" "not using TLS 1.3.\n"
" For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`" " For TLS 1.3 server, try `ca_path=/etc/ssl/certs/`"
"or other folder that has root certificates\n"); "or other folder that has root certificates\n");
flags = mbedtls_ssl_get_verify_result(&ssl);
char vrfy_buf[512];
x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
mbedtls_printf("%s\n", vrfy_buf);
} }
#endif
mbedtls_printf("\n"); mbedtls_printf("\n");
goto exit; goto exit;
} }

3
programs/ssl/ssl_server2.c
View File

@ -3504,7 +3504,8 @@ handshake:
(unsigned int) -ret); (unsigned int) -ret);
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) { if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE) {
char vrfy_buf[512]; char vrfy_buf[512];
flags = mbedtls_ssl_get_verify_result(&ssl); flags = mbedtls_ssl_get_verify_result(&ssl);

16
tests/ssl-opt.sh
View File

@ -7736,7 +7736,7 @@ run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-" \ -C "Ciphersuite is TLS-" \
-c "send alert level=2 message=43" \ -c "send alert level=2 message=43" \
-C "! Usage does not match the keyUsage extension" -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail, soft" \ run_test "keyUsage cli 1.2: KeyEncipherment, DHE-RSA: fail, soft" \
@ -7771,7 +7771,7 @@ run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is TLS-" \ -C "Ciphersuite is TLS-" \
-c "send alert level=2 message=43" \ -c "send alert level=2 message=43" \
-C "! Usage does not match the keyUsage extension" -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail, soft" \ run_test "keyUsage cli 1.2: DigitalSignature, RSA: fail, soft" \
@ -7822,7 +7822,7 @@ run_test "keyUsage cli 1.3: KeyEncipherment, RSA: fail" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \ -C "Ciphersuite is" \
-c "send alert level=2 message=43" \ -c "send alert level=2 message=43" \
-C "! Usage does not match the keyUsage extension" -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
@ -7837,7 +7837,7 @@ run_test "keyUsage cli 1.3: KeyAgreement, RSA: fail" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \ -C "Ciphersuite is" \
-c "send alert level=2 message=43" \ -c "send alert level=2 message=43" \
-C "! Usage does not match the keyUsage extension" -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
@ -7864,7 +7864,7 @@ run_test "keyUsage cli 1.3: KeyEncipherment, ECDSA: fail" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \ -C "Ciphersuite is" \
-c "send alert level=2 message=43" \ -c "send alert level=2 message=43" \
-C "! Usage does not match the keyUsage extension" -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
requires_openssl_tls1_3_with_compatible_ephemeral requires_openssl_tls1_3_with_compatible_ephemeral
@ -7879,7 +7879,7 @@ run_test "keyUsage cli 1.3: KeyAgreement, ECDSA: fail" \
-c "Processing of the Certificate handshake message failed" \ -c "Processing of the Certificate handshake message failed" \
-C "Ciphersuite is" \ -C "Ciphersuite is" \
-c "send alert level=2 message=43" \ -c "send alert level=2 message=43" \
-C "! Usage does not match the keyUsage extension" -c "! Usage does not match the keyUsage extension"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
# Tests for keyUsage in leaf certificates, part 3: # Tests for keyUsage in leaf certificates, part 3:
@ -7916,6 +7916,7 @@ run_test "keyUsage cli-auth 1.2: RSA, KeyEncipherment: fail (hard)" \
1 \ 1 \
-s "bad certificate (usage extensions)" \ -s "bad certificate (usage extensions)" \
-s "send alert level=2 message=43" \ -s "send alert level=2 message=43" \
-s "! Usage does not match the keyUsage extension" \
-s "Processing of the Certificate handshake message failed" -s "Processing of the Certificate handshake message failed"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
@ -7948,6 +7949,7 @@ run_test "keyUsage cli-auth 1.2: ECDSA, KeyAgreement: fail (hard)" \
1 \ 1 \
-s "bad certificate (usage extensions)" \ -s "bad certificate (usage extensions)" \
-s "send alert level=2 message=43" \ -s "send alert level=2 message=43" \
-s "! Usage does not match the keyUsage extension" \
-s "Processing of the Certificate handshake message failed" -s "Processing of the Certificate handshake message failed"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
@ -7999,6 +8001,7 @@ run_test "keyUsage cli-auth 1.3: RSA, KeyEncipherment: fail (hard)" \
-s "bad certificate (usage extensions)" \ -s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed" \ -s "Processing of the Certificate handshake message failed" \
-s "send alert level=2 message=43" \ -s "send alert level=2 message=43" \
-s "! Usage does not match the keyUsage extension" \
-s "! mbedtls_ssl_handshake returned" -s "! mbedtls_ssl_handshake returned"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
# #
@ -8040,6 +8043,7 @@ run_test "keyUsage cli-auth 1.3: ECDSA, KeyAgreement: fail (hard)" \
-s "bad certificate (usage extensions)" \ -s "bad certificate (usage extensions)" \
-s "Processing of the Certificate handshake message failed" \ -s "Processing of the Certificate handshake message failed" \
-s "send alert level=2 message=43" \ -s "send alert level=2 message=43" \
-s "! Usage does not match the keyUsage extension" \
-s "! mbedtls_ssl_handshake returned" -s "! mbedtls_ssl_handshake returned"
# MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT # MBEDTLS_X509_BADCERT_KEY_USAGE -> MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT
# #