- Added permissive certificate parsing to x509parse_crt() and x509parse_crtfile(). With permissive parsing the parsing does not stop on encountering a parse-error

2025-12-24 08:16:33 +01:00 · 2011-12-04 12:24:18 +00:00 · 2011-12-04 12:24:18 +00:00 · 6c0ceb3f9a
commit 6c0ceb3f9a
parent a17bcc3033
15 changed files with 210 additions and 116 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -224,12 +224,12 @@ int main( int argc, char *argv[] )

 #if defined(POLARSSL_FS_IO)
    if( strlen( opt.ca_file ) )
-        ret = x509parse_crtfile( &cacert, opt.ca_file );
+        ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
    else 
 #endif
 #if defined(POLARSSL_CERTS_C)
        ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                strlen( test_ca_crt ) );
+                strlen( test_ca_crt ), X509_NON_PERMISSIVE );
 #else
    {
        ret = 1;
@ -254,12 +254,12 @@ int main( int argc, char *argv[] )

 #if defined(POLARSSL_FS_IO)
    if( strlen( opt.crt_file ) )
-        ret = x509parse_crtfile( &clicert, opt.crt_file );
+        ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
    else 
 #endif
 #if defined(POLARSSL_CERTS_C)
        ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                strlen( test_cli_crt ) );
+                strlen( test_cli_crt ), X509_NON_PERMISSIVE );
 #else
    {
        ret = 1;
--- a/programs/ssl/ssl_fork_server.c
+++ b/programs/ssl/ssl_fork_server.c
@ -230,7 +230,7 @@ int main( int argc, char *argv[] )
     * server and CA certificates, as well as x509parse_keyfile().
     */
    ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                         strlen( test_srv_crt ) );
+                         strlen( test_srv_crt ), X509_NON_PERMISSIVE );
    if( ret != 0 )
    {
        printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
@ -238,7 +238,7 @@ int main( int argc, char *argv[] )
    }

    ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
    if( ret != 0 )
    {
        printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
--- a/programs/ssl/ssl_mail_client.c
+++ b/programs/ssl/ssl_mail_client.c
@ -476,12 +476,12 @@ int main( int argc, char *argv[] )

 #if defined(POLARSSL_FS_IO)
    if( strlen( opt.ca_file ) )
-        ret = x509parse_crtfile( &cacert, opt.ca_file );
+        ret = x509parse_crtfile( &cacert, opt.ca_file, X509_NON_PERMISSIVE );
    else
 #endif
 #if defined(POLARSSL_CERTS_C)
        ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
-                strlen( test_ca_crt ) );
+                strlen( test_ca_crt ), X509_NON_PERMISSIVE );
 #else
    {
        ret = 1;
@ -506,12 +506,12 @@ int main( int argc, char *argv[] )

 #if defined(POLARSSL_FS_IO)
    if( strlen( opt.crt_file ) )
-        ret = x509parse_crtfile( &clicert, opt.crt_file );
+        ret = x509parse_crtfile( &clicert, opt.crt_file, X509_NON_PERMISSIVE );
    else 
 #endif
 #if defined(POLARSSL_CERTS_C)
        ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
-                strlen( test_cli_crt ) );
+                strlen( test_cli_crt ), X509_NON_PERMISSIVE );
 #else
    {
        ret = 1;
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@ -216,7 +216,7 @@ int main( int argc, char *argv[] )
     * server and CA certificates, as well as x509parse_keyfile().
     */
    ret = x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                         strlen( test_srv_crt ) );
+                         strlen( test_srv_crt ), X509_NON_PERMISSIVE );
    if( ret != 0 )
    {
        printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
@ -224,7 +224,7 @@ int main( int argc, char *argv[] )
    }

    ret = x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                         strlen( test_ca_crt ) );
+                         strlen( test_ca_crt ), X509_NON_PERMISSIVE );
    if( ret != 0 )
    {
        printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@ -100,7 +100,7 @@ int main( int argc, char *argv[] )
     * Alternatively, you may load the CA certificates from a .pem or
     * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
     */
-    ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt" );
+    ret = x509parse_crtfile( &cacert, "ssl/test-ca/test-ca.crt", X509_NON_PERMISSIVE );
    if( ret != 0 )
    {
        printf( " failed\n  !  x509parse_crtfile returned %d\n\n", ret );
@ -148,7 +148,7 @@ int main( int argc, char *argv[] )
        printf( "  . Loading the client certificate %s...", name );
        fflush( stdout );

-        ret = x509parse_crtfile( &clicert, name );
+        ret = x509parse_crtfile( &clicert, name, X509_NON_PERMISSIVE );
        if( ret != 0 )
        {
            printf( " failed\n  !  x509parse_crt returned %d\n\n", ret );
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@ -203,7 +203,7 @@ static int ssl_test( struct options *opt )
        goto exit;
 #else
        ret =  x509parse_crt( &srvcert, (unsigned char *) test_srv_crt,
-                              strlen( test_srv_crt ) );
+                              strlen( test_srv_crt ), X509_NON_PERMISSIVE );
        if( ret != 0 )
        {
            printf( "  !  x509parse_crt returned %d\n\n", ret );
@ -211,7 +211,7 @@ static int ssl_test( struct options *opt )
        }

        ret =  x509parse_crt( &srvcert, (unsigned char *) test_ca_crt,
-                              strlen( test_ca_crt ) );
+                              strlen( test_ca_crt ), X509_NON_PERMISSIVE );
        if( ret != 0 )
        {
            printf( "  !  x509parse_crt returned %d\n\n", ret );
--- a/programs/x509/cert_app.c
+++ b/programs/x509/cert_app.c
@ -47,6 +47,7 @@
 #define DFL_SERVER_NAME         "localhost"
 #define DFL_SERVER_PORT         4433
 #define DFL_DEBUG_LEVEL         0
+#define DFL_PERMISSIVE          0

 /*
 * global options
@ -58,6 +59,7 @@ struct options
    char *server_name;          /* hostname of the server (client only) */
    int server_port;            /* port on which the ssl service runs   */
    int debug_level;            /* level of debugging                   */
+    int permissive;             /* permissive parsing                   */
 } opt;

 void my_debug( void *ctx, int level, const char *str )
@ -77,6 +79,7 @@ void my_debug( void *ctx, int level, const char *str )
    "    server_name=%%s      default: localhost\n"     \
    "    server_port=%%d      default: 4433\n"          \
    "    debug_level=%%d      default: 0 (disabled)\n"  \
+    "    permissive=%%d       default: 0 (disabled)\n"  \
    "\n"

 #if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_HAVEGE_C) ||   \
@ -128,6 +131,7 @@ int main( int argc, char *argv[] )
    opt.server_name         = DFL_SERVER_NAME;
    opt.server_port         = DFL_SERVER_PORT;
    opt.debug_level         = DFL_DEBUG_LEVEL;
+    opt.permissive          = DFL_PERMISSIVE;

    for( i = 1; i < argc; i++ )
    {
@ -169,6 +173,12 @@ int main( int argc, char *argv[] )
            if( opt.debug_level < 0 || opt.debug_level > 65535 )
                goto usage;
        }
+        else if( strcmp( p, "permissive" ) == 0 )
+        {
+            opt.permissive = atoi( q );
+            if( opt.permissive < 0 || opt.permissive > 1 )
+                goto usage;
+        }
        else
            goto usage;
    }
@ -185,7 +195,7 @@ int main( int argc, char *argv[] )
        printf( "\n  . Loading the certificate(s) ..." );
        fflush( stdout );

-        ret = x509parse_crtfile( &crt, opt.filename );
+        ret = x509parse_crtfile( &crt, opt.filename, opt.permissive );

        if( ret != 0 )
        {