commit e6706e62d8296d5d9630c0c6edec278f6cc02698
author Hanno Becker <hanno.becker@arm.com> Mon May 15 16:05:15 2017 +0100
committer Hanno Becker <hanno.becker@arm.com> Wed Jun 07 11:26:59 2017 +0100
tree c1d5ae19da60289f648e42e4d87cf29978679f3d
parent 39ae8cd2077d2e9e7d00161162ad8d3fb45dba27

Add tests for missing CA chains and bad curves.

This commit adds four tests to tests/ssl-opt.sh:
(1) & (2): Check behaviour of optional/required verification when the
trusted CA chain is empty.
(3) & (4): Check behaviour of optional/required verification when the
client receives a server certificate with an unsupported curve.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ff951a5..208500a 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4569,6 +4569,17 @@
                                             alert );
         }
 
+#if defined(MBEDTLS_DEBUG_C)
+        if( ssl->session_negotiate->verify_result != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "! Certificate verification flags %x",
+                                        ssl->session_negotiate->verify_result ) );
+        }
+        else
+        {
+            MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate verification flags clear" ) );
+        }
+#endif /* MBEDTLS_DEBUG_C */
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );