Introduce configuration option to remove CRT verification callbacks
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 1e3287c..ff0019b 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1348,6 +1348,21 @@
if_build_succeeded tests/ssl-opt.sh
}
+component_test_no_x509_verify_callback () {
+ msg "build: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s
+ scripts/config.pl full
+ scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
+ scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
+ scripts/config.pl set MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
+ make CFLAGS='-Werror -O1'
+
+ msg "test: full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 10s
+ make test
+
+ msg "test: ssl-opt.sh, full + MBEDTLS_X509_REMOVE_VERIFY_CALLBACK" # ~ 1 min
+ if_build_succeeded tests/ssl-opt.sh
+}
+
component_build_arm_none_eabi_gcc () {
msg "build: arm-none-eabi-gcc, make" # ~ 10s
scripts/config.pl baremetal
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index da87793..38bfed7 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1188,6 +1188,7 @@
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SHA-1 forbidden by default in server certificate" \
"$P_SRV key_file=data_files/server2.key crt_file=data_files/server2.crt" \
"$P_CLI debug_level=2 allow_sha1=0" \
@@ -1212,6 +1213,7 @@
requires_config_disabled MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SHA-1 forbidden by default in client certificate" \
"$P_SRV auth_mode=required allow_sha1=0" \
"$P_CLI key_file=data_files/cli-rsa.key crt_file=data_files/cli-rsa-sha1.crt" \
@@ -3653,6 +3655,7 @@
# Tests for auth_mode
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server badcert, client required" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
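Review bot: With MBEDTLS_X509_REMOVE_VERIFY_CALLBACK set, "Authentication: server badcert, client required" is skipped outright, so the new all.sh component never checks through ssl-opt.sh that a badly signed server certificate is rejected. The same gating is applied to the two "SHA-1 forbidden by default" hunks above and to the later "client badcert, server required", "client cert not trusted, server required" and "EC restart: TLS, max_ops=1000, badsign" hunks. Presumably the skip is needed because some expected strings are printed by the test programs' verify callback; if so, a callback-free variant that asserts only the handshake failure and `X509 - Certificate verification failed` would keep the rejection path covered. At minimum, a comment such as `# skipped: expected output is printed by the verify callback` above the added line would record the reason. The run_test argument list continues outside the hunk.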
@@ -3664,6 +3667,7 @@
-c "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server badcert, client optional" \
"$P_SRV crt_file=data_files/server5-badsign.crt \
key_file=data_files/server5.key" \
@@ -3675,6 +3679,7 @@
-C "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server goodcert, client optional, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=optional ca_file=none ca_path=none" \
@@ -3687,6 +3692,7 @@
-C "SSL - No CA Chain is set, but required to operate"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: server goodcert, client required, no trusted CA" \
"$P_SRV" \
"$P_CLI debug_level=3 auth_mode=required ca_file=none ca_path=none" \
@@ -3783,6 +3789,7 @@
-s "No client certification received from the client, but required by the authentication mode"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client badcert, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -3805,6 +3812,7 @@
# before reading the alert message.
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client cert not trusted, server required" \
"$P_SRV debug_level=3 auth_mode=required" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@@ -3823,6 +3831,7 @@
-s "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client badcert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=data_files/server5-badsign.crt \
@@ -3858,6 +3867,7 @@
-S "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional" \
"$P_CLI debug_level=3 crt_file=none key_file=none" \
@@ -3876,6 +3886,7 @@
-S "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: openssl client no cert, server optional" \
"$P_SRV debug_level=3 auth_mode=optional ca_file=data_files/test-ca2.crt" \
"$O_CLI" \
@@ -3908,6 +3919,7 @@
requires_config_enabled MBEDTLS_SSL_PROTO_SSL3
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: client no cert, ssl3" \
"$P_SRV debug_level=3 auth_mode=optional force_version=ssl3" \
"$P_CLI debug_level=3 crt_file=none key_file=none min_version=ssl3" \
@@ -4026,6 +4038,7 @@
-S "requested DN"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Authentication: send CA list in CertificateRequest, client self signed" \
"$P_SRV debug_level=3 auth_mode=required cert_req_ca_list=0" \
"$P_CLI debug_level=3 crt_file=data_files/server5-selfsigned.crt \
@@ -4041,6 +4054,7 @@
# Tests for certificate selection based on SHA verson
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.2 -> SHA-2" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@@ -4052,6 +4066,7 @@
-C "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.1 -> SHA-1" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@@ -4063,6 +4078,7 @@
-c "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.0 -> SHA-1" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@@ -4074,6 +4090,7 @@
-c "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 1)" \
"$P_SRV crt_file=data_files/server5.crt \
key_file=data_files/server5.key \
@@ -4086,6 +4103,7 @@
-C "signed using.*ECDSA with SHA1"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "Certificate hash: client TLS 1.1, no SHA-1 -> SHA-2 (order 2)" \
"$P_SRV crt_file=data_files/server6.crt \
key_file=data_files/server6.key \
@@ -4100,6 +4118,7 @@
# tests for SNI
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: no SNI callback" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
@@ -4111,6 +4130,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: matching cert 1" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4123,6 +4143,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: matching cert 2" \
"$P_SRV debug_level=3 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4189,6 +4210,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: CA no override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4209,6 +4231,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: CA override" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4229,6 +4252,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4250,6 +4274,7 @@
# Tests for SNI and DTLS
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, no SNI callback" \
"$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key" \
@@ -4261,6 +4286,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, matching cert 1" \
"$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4273,6 +4299,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, matching cert 2" \
"$P_SRV debug_level=3 dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4339,6 +4366,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, CA no override" \
"$P_SRV debug_level=3 auth_mode=optional dtls=1 \
crt_file=data_files/server5.crt key_file=data_files/server5.key \
@@ -4378,6 +4406,7 @@
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SNI: DTLS, CA override with CRL" \
"$P_SRV debug_level=3 auth_mode=optional \
crt_file=data_files/server5.crt key_file=data_files/server5.key dtls=1 \
@@ -4816,6 +4845,7 @@
-C "Ciphersuite is TLS-"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
"$O_SRV -key data_files/server2.key \
-cert data_files/server2.ku-ke.crt" \
@@ -4848,6 +4878,7 @@
-C "Ciphersuite is TLS-"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
"$O_SRV -key data_files/server2.key \
-cert data_files/server2.ku-ds.crt" \
@@ -6399,6 +6430,7 @@
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "EC restart: TLS, max_ops=1000, badsign" \
"$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
crt_file=data_files/server5-badsign.crt \
@@ -6435,6 +6467,7 @@
-C "X509 - Certificate verification failed"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
run_test "EC restart: TLS, max_ops=1000, auth_mode=none badsign" \
"$P_SRV auth_mode=required ca_file=data_files/test-ca2.crt \
@@ -6535,6 +6568,7 @@
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
requires_config_disabled MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "SSL async private: sign, SNI" \
"$P_SRV debug_level=3 \
async_operations=s async_private_delay1=0 async_private_delay2=0 \
@@ -6998,6 +7032,7 @@
-s "Verifying peer X.509 certificate... ok"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "DTLS client auth: optional, client has no cert" \
"$P_SRV dtls=1 auth_mode=optional" \
"$P_CLI dtls=1 crt_file=none key_file=none" \
@@ -7005,6 +7040,7 @@
-s "! Certificate was missing"
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
+requires_config_disabled MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
run_test "DTLS client auth: none, client has no cert" \
"$P_SRV dtls=1 auth_mode=none" \
"$P_CLI dtls=1 crt_file=none key_file=none debug_level=2" \
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 375feb9..aa40995 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -560,11 +560,11 @@
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #19 (Valid Cert, denying callback)
-depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
+depends_on:MBEDTLS_SHA512_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_SHA1_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
x509_verify:"data_files/cert_sha512.crt":"data_files/test-ca.crt":"data_files/crl.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_OTHER:"compat":"verify_none"
X509 CRT verification #19 (Not trusted Cert, allowing callback)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
x509_verify:"data_files/server2.crt":"data_files/server1.crt":"data_files/crl_expired.pem":"NULL":0:0:"compat":"verify_all"
X509 CRT verification #21 (domain matching wildcard certificate, case insensitive)
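Review bot: The new depends_on line for "X509 CRT verification #19 (Not trusted Cert, allowing callback)" lists `!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK` twice. The duplicate is harmless to evaluate but looks like a paste slip and makes later edits to the dependency list error-prone. The line should end with a single entry: `depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_SHA1_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK`.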
@@ -920,7 +920,7 @@
x509_verify:"data_files/server1.crt":"data_files/test-ca-alt-good.crt":"data_files/crl-ec-sha256.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #92 (bad name, allowing callback)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_SHA256_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:!MBEDTLS_USE_TINYCRYPT:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK
x509_verify:"data_files/server5.crt":"data_files/test-ca2.crt":"data_files/crl-ec-sha256.pem":"globalhost":0:0:"":"verify_all"
X509 CRT verification #93 (Suite B invalid, EC cert, RSA CA)
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 96ad7d9..130d90f 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -334,7 +334,10 @@
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags,
- NULL, NULL, &rs_ctx );
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ NULL, NULL,
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ &rs_ctx );
} while( ret == MBEDTLS_ERR_ECP_IN_PROGRESS && ++cnt_restart );
TEST_ASSERT( ret == result );
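Review bot: The closing comment on the new guard names the opposite condition from the one it closes: the block opens with `#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)` but ends with `#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`. The neighbouring hostname guard in the same call uses the negated form, so for consistency this should read `#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */`. The next hunk (the second restartable call) has the same mismatch, and the bare `#endif` lines added later in this file would benefit from the same comment. The enclosing function starts and ends outside the hunk.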
@@ -355,7 +358,10 @@
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags,
- NULL, NULL, &rs_ctx );
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
+ NULL, NULL,
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+ &rs_ctx );
TEST_ASSERT( ret == result || ret == MBEDTLS_ERR_ECP_IN_PROGRESS );
exit:
@@ -376,7 +382,9 @@
mbedtls_x509_crl crl;
uint32_t flags = 0;
int res;
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *) = NULL;
+#endif
const mbedtls_x509_crt_profile *profile;
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
char * cn_name = NULL;
@@ -406,6 +414,7 @@
else
TEST_ASSERT( "Unknown algorithm profile" == 0 );
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
if( strcmp( verify_callback, "NULL" ) == 0 )
f_vrfy = NULL;
else if( strcmp( verify_callback, "verify_none" ) == 0 )
@@ -414,16 +423,28 @@
f_vrfy = verify_all;
else
TEST_ASSERT( "No known verify callback selected" == 0 );
+#else
+ if( strcmp( verify_callback, "NULL" ) != 0 )
+ TEST_ASSERT( "Verify callbacks disabled" == 0 );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
TEST_ASSERT( mbedtls_x509_crt_parse_file( &crt, crt_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crt_parse_file( &ca, ca_file ) == 0 );
TEST_ASSERT( mbedtls_x509_crl_parse_file( &crl, crl_file ) == 0 );
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
cn_name,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
&flags, f_vrfy, NULL );
+#else
+ res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ cn_name,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ &flags );
+#endif
TEST_ASSERT( res == ( result ) );
if( flags != (uint32_t) flags_result )
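Review bot: The call to mbedtls_x509_crt_verify_with_profile is duplicated in full under `#if`/`#else`, whereas the two restartable calls earlier in this file guard only the callback arguments. Only one branch is compiled in any given configuration, so a later change to the shared arguments can silently miss the other copy. Guarding just the trailing `f_vrfy, NULL` pair, as sketched below, keeps a single call site. The later mbedtls_x509_crt_verify hunk (the "Try to verify that chain" call) duplicates its call the same way. The enclosing test function starts and ends outside the hunk.

```c
    res = mbedtls_x509_crt_verify_with_profile( &crt, &ca, &crl, profile,
/* … unchanged: cn_name under the MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION guard … */
                                                &flags
#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
                                                , f_vrfy, NULL
#endif /* !MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
                                                );
```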
@@ -441,7 +462,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
void x509_verify_callback( char *crt_file, char *ca_file, char *name,
int exp_ret, char *exp_vrfy_out )
{
@@ -827,11 +848,21 @@
TEST_ASSERT( mbedtls_x509_crt_parse_file( &chain, file_buf ) == 0 );
/* Try to verify that chain */
+#if !defined(MBEDTLS_X509_REMOVE_VERIFY_CALLBACK)
ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL,
#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
NULL,
#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
- &flags, NULL, NULL );
+ &flags,
+ NULL, NULL );
+#else
+ ret = mbedtls_x509_crt_verify( &chain, &trusted, NULL,
+#if !defined(MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION)
+ NULL,
+#endif /* !MBEDTLS_X509_REMOVE_HOSTNAME_VERIFICATION */
+ &flags );
+#endif /* MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
+
TEST_ASSERT( ret == ret_chk );
TEST_ASSERT( flags == (uint32_t) flags_chk );
@@ -841,7 +872,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C */
+/* BEGIN_CASE depends_on:MBEDTLS_FS_IO:MBEDTLS_X509_CRT_PARSE_C:!MBEDTLS_X509_REMOVE_VERIFY_CALLBACK */
void mbedtls_x509_crt_verify_chain( char *chain_paths, char *trusted_ca,
int flags_result, int result,
char *profile_name, int vrfy_fatal_lvls )