- Added CRL revocation support to x509parse_verify()
 - Fixed an off-by-one allocation in ssl_set_hostname()
 - Added CRL support to SSL/TLS code

diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index f4d7d1a..b26e4ed 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -235,6 +235,7 @@
     rsa_context *rsa_key;               /*!<  own RSA private key     */
     x509_cert *own_cert;                /*!<  own X.509 certificate   */
     x509_cert *ca_chain;                /*!<  own trusted CA chain    */
+    x509_crl *ca_crl;                   /*!<  trusted CA CRLs         */
     x509_cert *peer_cert;               /*!<  peer X.509 cert chain   */
     char *peer_cn;                      /*!<  expected peer CN        */
 
@@ -389,12 +390,13 @@
  *
  * \param ssl      SSL context
  * \param ca_chain trusted CA chain
+ * \param ca_crl   trusted CA CRLs
  * \param peer_cn  expected peer CommonName (or NULL)
  *
  * \note           TODO: add two more parameters: depth and crl
  */
 void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
-                       char *peer_cn );
+                       x509_crl *ca_crl, char *peer_cn );
 
 /**
  * \brief          Set own certificate and private key
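Review bot: The `\note TODO: add two more parameters: depth and crl` line kept in this comment is stale now that `ca_crl` is a parameter, and the new `\param ca_crl` line does not say whether NULL is accepted or what it means. If NULL disables revocation checking, say so explicitly, so that a caller who ports an old three-argument call by passing NULL knows it has opted out. Once confirmed against the implementation, I would use ` * \param ca_crl   trusted CA CRLs (or NULL to skip revocation checks)` and `\note TODO: add one more parameter: depth`. The same gap applies to the `\param ca_crl` line added for x509parse_verify() in x509.h. If the context only stores the pointer in the new `ca_crl` struct field, the comment should also state that the CRL list must outlive the SSL context.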
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index c0a50b7..b7b971c 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -60,6 +60,8 @@
 #define BADCERT_REVOKED                 2
 #define BADCERT_CN_MISMATCH             4
 #define BADCERT_NOT_TRUSTED             8
+#define BADCRL_NOT_TRUSTED             16
+#define BADCRL_EXPIRED                 32
 
 /*
  * DER constants
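Review bot: The two new `BADCRL_*` bits share the flag space with `BADCERT_*` but carry no comment on how a caller should treat them. A caller that only tests `flags & BADCERT_REVOKED` would accept a certificate whose CRL was expired or not signed by a trusted CA, where the revocation state is unknown rather than clean. I would add a comment above them such as `/* CRL could not be relied on: revocation status unknown, treat as a verification failure */`, and list both bits in the return-value documentation of x509parse_verify(), which lies outside this hunk. Whether x509parse_verify() returns an error when only these bits are set is not visible here and is worth confirming.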
@@ -335,16 +337,17 @@
 int x509parse_crl_info( char *buf, size_t size, char *prefix, x509_crl *crl );
 
 /**
- * \brief          Return 0 if the certificate is still valid,
- *                 or BADCERT_EXPIRED
+ * \brief          Return 0 if the x509_time is still valid,
+ *                 or 1 otherwise.
  */
-int x509parse_expired( x509_cert *crt );
+int x509parse_time_expired( x509_time *time );
 
 /**
  * \brief          Verify the certificate signature
  *
  * \param crt      a certificate to be verified
  * \param trust_ca the trusted CA chain
+ * \param ca_crl   the CRL chain for trusted CA's
  * \param cn       expected Common Name (can be set to
  *                 NULL if the CN must not be verified)
  * \param flags    result of the verification
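Review bot: The new `x509parse_time_expired()` comment says it returns 0 if the x509_time "is still valid", which does not state what is compared; presumably the timestamp against the current system time, but that is not visible in this hunk. Because the helper is now generic and likely used for CRL dates as well as certificate validity, the contract should be exact, e.g. `\brief Return 0 if the given time has not yet passed (compared with the current system time), or 1 otherwise`. The return value also changes from `BADCERT_EXPIRED` to a plain `1`, so any caller that ORed the old result into a flags word must now map it explicitly. The parameter name `time` shadows the standard `time()` function inside the definition; a name such as `when` avoids a -Wshadow warning.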
@@ -361,6 +364,7 @@
  */
 int x509parse_verify( x509_cert *crt,
                       x509_cert *trust_ca,
+                      x509_crl *ca_crl,
                       char *cn, int *flags );
 
 /**