commit eeef9470406422af6d4f05df9a28d18af6c300dc
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Feb 22 11:36:55 2016 +0100
committer Simon Butcher <simon.butcher@arm.com> Wed Mar 09 19:32:08 2016 +0000
tree e737a39023e2d2037bcc9a1b33e55bb2c5afd419
parent 214a84889cfc8fd18ef08f72e4b9074b4f8472d6

Clarify documentation about missing CRLs

Also tune up some working while at it.

include/mbedtls/x509_crt.h

diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index fe821d1..41b6bfe 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -271,9 +271,14 @@
  * \note           Same as \c mbedtls_x509_crt_verify_with_profile() with the
  *                 default security profile.
  *
- * \param crt      a certificate to be verified
- * \param trust_ca the trusted CA chain
- * \param ca_crl   the CRL chain for trusted CA's
+ * \note           It is your responsibility to provide up-to-date CRLs for
+ *                 all trusted CAs. If no CRL is provided for the CA that was
+ *                 used to sign the certificate, CRL verification is skipped
+ *                 silently, that is *without* setting any flag.
+ *
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs (see note above)
  * \param cn       expected Common Name (can be set to
  *                 NULL if the CN must not be verified)
  * \param flags    result of the verification
@@ -304,9 +309,9 @@
  *                 for ECDSA) apply to all certificates: trusted root,
  *                 intermediate CAs if any, and end entity certificate.
  *
- * \param crt      a certificate to be verified
- * \param trust_ca the trusted CA chain
- * \param ca_crl   the CRL chain for trusted CA's
+ * \param crt      a certificate (chain) to be verified
+ * \param trust_ca the list of trusted CAs
+ * \param ca_crl   the list of CRLs for trusted CAs
  * \param profile  security profile for verification
  * \param cn       expected Common Name (can be set to
  *                 NULL if the CN must not be verified)

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 6dc5ad3..0606eb9 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1600,7 +1600,8 @@
 }
 
 /*
- * Check that the given certificate is valid according to the CRL.
+ * Check that the given certificate is not revoked according to the CRL.
+ * Skip validation is no CRL for the given CA is present.
  */
 static int x509_crt_verifycrl( mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
                                mbedtls_x509_crl *crl_list,
@@ -1613,12 +1614,6 @@
     if( ca == NULL )
         return( flags );
 
-    /*
-     * TODO: What happens if no CRL is present?
-     * Suggestion: Revocation state should be unknown if no CRL is present.
-     * For backwards compatibility this is not yet implemented.
-     */
-
     while( crl_list != NULL )
     {
         if( crl_list->version == 0 ||