-  Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing, parsing does not stop when a parse error is encountered.

diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 3825106..fea43ee 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -224,12 +224,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.ca_file ) )
-        ret = x509parse_crtfile( &cacert, opt.ca_file );
+        ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
     else 
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                strlen( test_ca_crt ) );
+                strlen( test_ca_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
@@ -254,12 +254,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.crt_file ) )
-        ret = x509parse_crtfile( &clicert, opt.crt_file );
+        ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
     else 
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                strlen( test_cli_crt ) );
+                strlen( test_cli_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c
index 85803d3..0f0cfc3 100644
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@@ -230,7 +230,7 @@
      * server and CA certificates, as well as x509parse_keyfile().
      */
     ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                         strlen( test_srv_crt ) );
+                         strlen( test_srv_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
@@ -238,7 +238,7 @@
     }
 
     ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c
index 3f4bd75..08ecd1a 100644
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@@ -476,12 +476,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.ca_file ) )
-        ret = x509parse_crtfile( &cacert, opt.ca_file );
+        ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
     else
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                strlen( test_ca_crt ) );
+                strlen( test_ca_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
@@ -506,12 +506,12 @@
 
 #if defined(POLARSSL_FS_IO)
     if( strlen( opt.crt_file ) )
-        ret = x509parse_crtfile( &clicert, opt.crt_file );
+        ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
     else 
 #endif
 #if defined(POLARSSL_CERTS_C)
         ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                strlen( test_cli_crt ) );
+                strlen( test_cli_crt ), X509_NON_PERMISSIVE );
 #else
     {
         ret = 1;
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index 8a49140..a673f52 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -216,7 +216,7 @@
      * server and CA certificates, as well as x509parse_keyfile().
      */
     ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                         strlen( test_srv_crt ) );
+                         strlen( test_srv_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
@@ -224,7 +224,7 @@
     }
 
     ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 57ea32c..2e4e6c5 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -100,7 +100,7 @@
      * Alternatively, you may load the CA certificates from a .pem or
      * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
      */
-    ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" );
+    ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt", X509_NON_PERMISSIVE );
     if( ret != 0 )
     {
         printf( " failed\n  !  x509parse_crtfile returned %d\n\n", ret );
@@ -148,7 +148,7 @@
         printf( "  . Loading the client certificate %s...", name );
         fflush( stdout );
 
-        ret = x509parse_crtfile( &clicert, name );
+        ret = x509parse_crtfile( &clicert, name, X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c
index 8bac4b2..b9c9572 100644
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@@ -203,7 +203,7 @@
         goto exit;
 #else
         ret =  x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                              strlen( test_srv_crt ) );
+                              strlen( test_srv_crt ), X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             printf( "  !  x509parse_crt returned %d\n\n", ret );
@@ -211,7 +211,7 @@
         }
 
         ret =  x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                              strlen( test_ca_crt ) );
+                              strlen( test_ca_crt ), X509_NON_PERMISSIVE );
         if( ret != 0 )
         {
             printf( "  !  x509parse_crt returned %d\n\n", ret );
diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c
index cde96af..24b9727 100644
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@@ -47,6 +47,7 @@
 #define DFL_SERVER_NAME         "localhost"
 #define DFL_SERVER_PORT         4433
 #define DFL_DEBUG_LEVEL         0
+#define DFL_PERMISSIVE          0
 
 /*
  * global options
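Review bot: `DFL_PERMISSIVE` is a bare `0`, while every other call site touched by this commit spells the strict mode as `X509_NON_PERMISSIVE`. Because `opt.permissive` is handed unchanged to `x509parse_crtfile()` in the last hunk of this file, the default is better tied to the library constant: `#define DFL_PERMISSIVE          X509_NON_PERMISSIVE`. That keeps the tool strict by default even if the constant's numeric value is ever changed.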
@@ -58,6 +59,7 @@
     char *server_name;          /* hostname of the server (client only) */
     int server_port;            /* port on which the ssl service runs   */
     int debug_level;            /* level of debugging                   */
+    int permissive;             /* permissive parsing                   */
 } opt;
 
 void my_debug( void *ctx, int level, const char *str )
@@ -77,6 +79,7 @@
     "    server_name=%%s      default: localhost\n"     \
     "    server_port=%%d      default: 4433\n"          \
     "    debug_level=%%d      default: 0 (disabled)\n"  \
+    "    permissive=%%d       default: 0 (disabled)\n"  \
     "\n"
 
 #if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_HAVEGE_C) ||   \
@@ -128,6 +131,7 @@
     opt.server_name         = DFL_SERVER_NAME;
     opt.server_port         = DFL_SERVER_PORT;
     opt.debug_level         = DFL_DEBUG_LEVEL;
+    opt.permissive          = DFL_PERMISSIVE;
 
     for( i = 1; i < argc; i++ )
     {
@@ -169,6 +173,12 @@
             if( opt.debug_level < 0 || opt.debug_level > 65535 )
                 goto usage;
         }
+        else if( strcmp( p, "permissive" ) == 0 )
+        {
+            opt.permissive = atoi( q );
+            if( opt.permissive < 0 || opt.permissive > 1 )
+                goto usage;
+        }
         else
             goto usage;
     }
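Review bot: `atoi( q )` in the new `permissive` branch accepts malformed values, so `permissive=1x` enables relaxed certificate parsing and `permissive=yes` silently becomes 0; the range check that follows cannot catch either case. For a switch that weakens parsing, the value should match exactly, for example by adding `if( strcmp( q, "0" ) != 0 && strcmp( q, "1" ) != 0 ) goto usage;` before the assignment. The enclosing option loop starts and ends outside this hunk, so whether the other numeric options are parsed the same way is not visible here.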
@@ -185,7 +195,7 @@
         printf( "\n  . Loading the certificate(s) ..." );
         fflush( stdout );
 
-        ret = x509parse_crtfile( &crt, opt.filename );
+        ret = x509parse_crtfile( &crt, opt.filename, opt.permissive );
 
         if( ret != 0 )
         {
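Review bot: The `if( ret != 0 )` check after `x509parse_crtfile( &crt, opt.filename, opt.permissive )` is unchanged, yet the commit description says permissive parsing does not stop on a parse error. If the parser then returns 0 after skipping a malformed certificate (its body is not in this diff, so this is inferred), the tool prints the surviving certificates with no sign that any were dropped. Consider a visible notice after a successful load, such as `if( opt.permissive ) printf( "  ! permissive parsing: malformed certificates may have been skipped\n" );`. The usage text for `permissive=%%d` could say the same. The enclosing block continues past the end of the hunk.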