- Added CRL revocation support to x509parse_verify()
- Fixed an off-by-one allocation in ssl_set_hostname()
- Added CRL support to SSL/TLS code
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 66e0c69..86720e6 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -158,7 +158,7 @@
ssl_set_ciphers( &ssl, ssl_default_ciphers );
ssl_set_session( &ssl, 1, 600, &ssn );
- ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
+ ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME );
ssl_set_own_cert( &ssl, &clicert, &rsa );
ssl_set_hostname( &ssl, SERVER_NAME );
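Review bot: The added NULL in the fourth argument of ssl_set_ca_chain() means this example client performs no revocation check on the server certificate, and nothing on the line says so; a reader copying this call into real code inherits that silently. A one-line comment would make the choice explicit, e.g. `/* no CRL supplied: server-certificate revocation is not checked */`, or the example could load a CRL the same way it loads cacert, as ssl_cert_test.c does in this commit. The same NULL appears in the ssl_server.c and ssl_test.c hunks, where it disables revocation checks on client certificates.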
diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c
index f44c933..f9b9b36 100644
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@@ -286,7 +286,7 @@
memset( &ssn, 0, sizeof( ssl_session ) );
- ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+ ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index a0c2e13..00488ba 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -32,12 +32,14 @@
#define snprintf _snprintf
#endif
-#define MAX_CLIENT_CERTS 6
+#define MAX_CLIENT_CERTS 8
char *client_certificates[MAX_CLIENT_CERTS] =
{
"client1.crt",
"client2.crt",
+ "server1.crt",
+ "server2.crt",
"cert_sha224.crt",
"cert_sha256.crt",
"cert_sha384.crt",
@@ -48,6 +50,8 @@
{
"client1.key",
"client2.key",
+ "server1.key",
+ "server2.key",
"cert_sha224.key",
"cert_sha256.key",
"cert_sha384.key",
@@ -83,6 +87,9 @@
printf( " ok\n" );
+ x509parse_cert_info( buf, 1024, "CRT: ", &cacert );
+ printf("%s\n", buf );
+
/*
* 1.2. Load the CRL
*/
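Review bot: The new x509parse_cert_info() call passes the literal `1024` as the buffer size and discards the return value, so the length is now tied to a declaration that lives outside this hunk and any later resize of `buf` would have to be mirrored here by hand. If `buf` is a local array, `x509parse_cert_info( buf, sizeof( buf ), "CRT: ", &cacert );` keeps the two in step; if it is a pointer, the size should come from the same constant used at its allocation. Checking the return for a negative value before printing would also keep an uninitialised or truncated buffer from being echoed. The enclosing function starts before this hunk, so I cannot confirm the declaration from here.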
@@ -134,11 +141,17 @@
printf( " . Verify the client certificate with CA certificate..." );
fflush( stdout );
- ret = x509parse_verify( &clicert, &cacert, NULL, &flags );
+ ret = x509parse_verify( &clicert, &cacert, &crl, NULL, &flags );
if( ret != 0 )
{
- printf( " failed\n ! x509parse_verify returned %d\n\n", ret );
- goto exit;
+ if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+ {
+ if( flags == BADCERT_REVOKED )
+ printf( " REVOKED " );
+ } else {
+ printf( " failed\n ! x509parse_verify returned %d\n\n", ret );
+ goto exit;
+ }
}
printf( " ok\n" );
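Review bot: The rewritten error branch swallows every verification failure that is not a revocation: when ret is POLARSSL_ERR_X509_CERT_VERIFY_FAILED but flags is anything other than exactly BADCERT_REVOKED (expired, bad signature, CN mismatch, or revoked combined with another flag), the inner if prints nothing, no goto exit is taken, and the code falls through to the `printf( " ok\n" )` below, reporting a failed verification as success. Before this change any non-zero ret aborted the test. The equality test should also become a bit test, since flags is a bit mask and a revoked certificate that is additionally expired would otherwise be reported as ok. The enclosing loop body continues outside the hunk, so the proposed rewrite below covers only the if block, keeping the "REVOKED" path as a non-fatal outcome exactly as the commit intends and restoring the abort for everything else.
```c
if( ret != 0 )
{
    if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED &&
        ( flags & BADCERT_REVOKED ) )
    {
        printf( " REVOKED " );
    }
    else
    {
        printf( " failed\n ! x509parse_verify returned %d (flags 0x%x)\n\n",
                ret, flags );
        goto exit;
    }
}
/* … unchanged: printf( " ok\n" ) and rest of loop body … */
```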
diff --git a/programs/test/ssl_test.c b/programs/test/ssl_test.c
index 32ea1c1..0c088d4 100644
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@@ -225,7 +225,7 @@
ssl_set_endpoint( &ssl, SSL_IS_SERVER );
ssl_set_dh_param( &ssl, dhm_P, dhm_G );
- ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+ ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
ssl_set_own_cert( &ssl, &srvcert, &rsa );
}