Fix implementation of VERIFY_OPTIONAL verification mode This commit changes the behaviour of mbedtls_ssl_parse_certificate to make the two authentication modes SSL_VERIFY_REQUIRED and SSL_VERIFY_OPTIONAL be in the following relationship: Mode == SSL_VERIFY_REQUIRED <=> Mode == SSL_VERIFY_OPTIONAL + check verify result Also, it changes the behaviour to perform the certificate chain verification even if the trusted CA chain is empty. Previously, the function failed in this case, even when using optional verification, which was brought up in #864.

commit: 888c2fde60737adc5250baff3f4d4e23084c99d2 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Thu May 11 11:12:40 2017 +0100
committer: Hanno Becker <hanno.becker@arm.com> Wed Jun 07 11:35:05 2017 +0100
tree: 4ae705a2ac27c5af590e62e8780147860f294793
parent: bbcef7e2c5cd6da22710a1f82a0a5409493ad6c1 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index a64de5d..d33897c 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -15,6 +15,12 @@
    * Wipe stack buffers in RSA private key operations
      (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt).
      Found by Laurent Simon.
+   * Accept empty trusted CA chain in authentication mode
+     SSL_VERIFY_OPTIONAL. Fixes #864. Found by jethrogb.
+   * Fix implementation of ssl_parse_certificate
+     to not annihilate fatal errors in authentication mode
+     SSL_VERIFY_OPTIONAL and to reflect bad EC curves
+     within verification result.
 
 = mbed TLS 1.3.19 branch released 2017-03-08
commit	888c2fde60737adc5250baff3f4d4e23084c99d2	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Thu May 11 11:12:40 2017 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Wed Jun 07 11:35:05 2017 +0100
tree	4ae705a2ac27c5af590e62e8780147860f294793
parent	bbcef7e2c5cd6da22710a1f82a0a5409493ad6c1 [diff] [blame]