Improve behaviour on fatal errors If we didn't walk the whole chain, then there may be any kind of errors in the part of the chain we didn't check, so setting all flags looks like the safe thing to do.

commit: 8af7bfa982dbc855d159f2e990ea33c464f969bc [log] [tgz]
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Mon Jul 10 11:20:08 2017 +0200
committer: Simon Butcher <simon.butcher@arm.com> Fri Jul 28 13:15:57 2017 +0100
tree: 8950ab91f5e22356a0e3e5350cef5cf66295a60f
parent: 7ac50196f3e9350a93ec658237a69e74890f38a0 [diff] [blame]
diff --git a/ChangeLog b/ChangeLog
index 90c6e6b..f008cdc 100644
--- a/ChangeLog
+++ b/ChangeLog

@@ -25,7 +25,12 @@
      to bypass the version verification check. Found by Peng Li/Yueh-Hsun Lin,
      KNOX Security, Samsung Research America
 
-= mbed TLS 1.3.20 branch released 2017-06-21
+Changes
+   * Certificate verification functions now set flags to -1 in case the full
+     chain was not verified due to an internal error (including in the verify
+     callback) or chain length limitations.
+
+= mbed TLS 1.3.20 released 2017-06-21
 
 Security
    * Fixed unlimited overread of heap-based buffer in ssl_read().
commit	8af7bfa982dbc855d159f2e990ea33c464f969bc	[log] [tgz]
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	Mon Jul 10 11:20:08 2017 +0200
committer	Simon Butcher <simon.butcher@arm.com>	Fri Jul 28 13:15:57 2017 +0100
tree	8950ab91f5e22356a0e3e5350cef5cf66295a60f
parent	7ac50196f3e9350a93ec658237a69e74890f38a0 [diff] [blame]