Change X.509 verify flags to uint32_t
diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c
index 3886bbd..0b837ba 100644
--- a/programs/ssl/dtls_client.c
+++ b/programs/ssl/dtls_client.c
@@ -85,6 +85,7 @@
int main( int argc, char *argv[] )
{
int ret, len, server_fd = -1;
+ uint32_t flags;
unsigned char buf[1024];
const char *pers = "dtls_client";
int retry_left = MAX_RETRY;
@@ -221,23 +222,15 @@
/* In real life, we would have used MBEDTLS_SSL_VERIFY_REQUIRED so that the
* handshake would not succeed if the peer's cert is bad. Even if we used
* MBEDTLS_SSL_VERIFY_OPTIONAL, we would bail out here if ret != 0 */
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
+ char vrfy_buf[512];
+
mbedtls_printf( " failed\n" );
- if( ( ret & MBEDTLS_X509_BADCERT_EXPIRED ) != 0 )
- mbedtls_printf( " ! server certificate has expired\n" );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
- if( ( ret & MBEDTLS_X509_BADCERT_REVOKED ) != 0 )
- mbedtls_printf( " ! server certificate has been revoked\n" );
-
- if( ( ret & MBEDTLS_X509_BADCERT_CN_MISMATCH ) != 0 )
- mbedtls_printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
-
- if( ( ret & MBEDTLS_X509_BADCERT_NOT_TRUSTED ) != 0 )
- mbedtls_printf( " ! self-signed or not signed by a trusted CA\n" );
-
- mbedtls_printf( "\n" );
+ mbedtls_printf( "%s\n", vrfy_buf );
}
else
mbedtls_printf( " ok\n" );
diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c
index ec1edd8..6ff0e14 100644
--- a/programs/ssl/ssl_client1.c
+++ b/programs/ssl/ssl_client1.c
@@ -77,6 +77,7 @@
int main( void )
{
int ret, len, server_fd = -1;
+ uint32_t flags;
unsigned char buf[1024];
const char *pers = "ssl_client1";
@@ -204,13 +205,13 @@
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index d1b0b84..d5722ba 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -364,7 +364,7 @@
/*
* Enabled if debug_level > 1 in code below
*/
-static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, int *flags )
+static int my_verify( void *data, mbedtls_x509_crt *crt, int depth, uint32_t *flags )
{
char buf[1024];
((void) data);
@@ -388,6 +388,7 @@
int main( int argc, char *argv[] )
{
int ret = 0, len, tail_len, server_fd, i, written, frags, retry_left;
+ uint32_t flags;
unsigned char buf[MBEDTLS_SSL_MAX_CONTENT_LEN + 1];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
@@ -1260,13 +1261,13 @@
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index cab7997..df25435 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -166,6 +166,7 @@
static int do_handshake( mbedtls_ssl_context *ssl )
{
int ret;
+ uint32_t flags;
unsigned char buf[1024];
memset(buf, 0, 1024);
@@ -196,13 +197,13 @@
mbedtls_printf( " . Verifying peer X.509 certificate..." );
/* In real life, we probably want to bail out when ret != 0 */
- if( ( ret = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 863cc53..4f1607f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -705,6 +705,7 @@
int main( int argc, char *argv[] )
{
int ret = 0, len, written, frags, exchanges_left;
+ uint32_t flags;
int version_suites[4][2];
unsigned char buf[IO_BUF_LEN];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
@@ -1896,13 +1897,13 @@
*/
mbedtls_printf( " . Verifying peer X.509 certificate..." );
- if( ( ret = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
+ if( ( flags = mbedtls_ssl_get_verify_result( &ssl ) ) != 0 )
{
char vrfy_buf[512];
mbedtls_printf( " failed\n" );
- mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", ret );
+ mbedtls_x509_crt_verify_info( vrfy_buf, sizeof( vrfy_buf ), " ! ", flags );
mbedtls_printf( "%s\n", vrfy_buf );
}