Fix implementation of VERIFY_OPTIONAL verification mode This commit changes the behaviour of mbedtls_ssl_parse_certificate to make the two authentication modes SSL_VERIFY_REQUIRED and SSL_VERIFY_OPTIONAL be in the following relationship: Mode == SSL_VERIFY_REQUIRED <=> Mode == SSL_VERIFY_OPTIONAL + check verify result Also, it changes the behaviour to perform the certificate chain verification even if the trusted CA chain is empty. Previously, the function failed in this case, even when using optional verification, which was brought up in #864.

commit: 888c2fde60737adc5250baff3f4d4e23084c99d2 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Thu May 11 11:12:40 2017 +0100
committer: Hanno Becker <hanno.becker@arm.com> Wed Jun 07 11:35:05 2017 +0100
tree: 4ae705a2ac27c5af590e62e8780147860f294793
parent: bbcef7e2c5cd6da22710a1f82a0a5409493ad6c1 [diff]
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index cd01539..adaacff 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h

@@ -97,6 +97,8 @@
 #define BADCERT_KEY_USAGE         0x0800  /**< Usage does not match the keyUsage extension. */
 #define BADCERT_EXT_KEY_USAGE     0x1000  /**< Usage does not match the extendedKeyUsage extension. */
 #define BADCERT_NS_CERT_TYPE      0x2000  /**< Usage does not match the nsCertType extension. */
+#define BADCERT_BAD_KEY          0x10000  /**< Bad key (e.g. unsupported elliptic curve in use) */
+
 /* \} name */
 /* \} addtogroup x509_module */
commit	888c2fde60737adc5250baff3f4d4e23084c99d2	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Thu May 11 11:12:40 2017 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Wed Jun 07 11:35:05 2017 +0100
tree	4ae705a2ac27c5af590e62e8780147860f294793
parent	bbcef7e2c5cd6da22710a1f82a0a5409493ad6c1 [diff]