RSA and ECDSA key exchanges don't depend on CRL
diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 737e5b4..f2ac41c 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -286,7 +286,7 @@
* Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
* (NOT YET IMPLEMENTED)
* Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ * POLARSSL_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -307,7 +307,7 @@
* Enable the RSA-only based ciphersuite modes in SSL / TLS.
*
* Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ * POLARSSL_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -333,7 +333,7 @@
* Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
*
* Requires: POLARSSL_DHM_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ * POLARSSL_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -355,7 +355,7 @@
* Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
*
* Requires: POLARSSL_ECDH_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- * POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ * POLARSSL_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
@@ -378,7 +378,6 @@
* Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
*
* Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_CRT_PARSE_C,
- * POLARSSL_X509_CRL_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
* enabled as well):
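Review bot: The requirements list on the context line `* Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_CRT_PARSE_C,` is left with a trailing comma now that the continuation line carrying POLARSSL_X509_CRL_PARSE_C is deleted, so the doc block reads as if an item is still missing. The other four key-exchange blocks in this file were rewritten to end cleanly on POLARSSL_X509_CRT_PARSE_C; this one should match: ` * Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_CRT_PARSE_C`.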
@@ -1683,34 +1682,31 @@
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
( !defined(POLARSSL_DHM_C) || !defined(POLARSSL_RSA_C) || \
- !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \
- !defined(POLARSSL_X509_CRL_PARSE_C) )
+ !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) )
#error "POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_RSA_C) || \
- !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \
- !defined(POLARSSL_X509_CRL_PARSE_C) )
+ !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) )
#error "POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) && \
( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_ECDSA_C) || \
- !defined(POLARSSL_X509_CRT_PARSE_C) || \
- !defined(POLARSSL_X509_CRL_PARSE_C) )
+ !defined(POLARSSL_X509_CRT_PARSE_C) )
#error "POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
#endif
#if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) && \
( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\
- !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) )
+ !defined(POLARSSL_PKCS1_V15) )
#error "POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
#endif
#if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\
- !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) )
+ !defined(POLARSSL_PKCS1_V15) )
#error "POLARSSL_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
#endif
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 98742dc..93b3170 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -58,9 +58,7 @@
#include "x509_crt.h"
#endif
-#if defined(POLARSSL_X509_CRL_PARSE_C)
#include "x509_crl.h"
-#endif
#if defined(POLARSSL_DHM_C)
#include "dhm.h"
@@ -659,9 +657,7 @@
x509_crt *ca_chain; /*!< own trusted CA chain */
const char *peer_cn; /*!< expected peer CN */
#endif /* POLARSSL_X509_CRT_PARSE_C */
-#if defined(POLARSSL_X509_CRL_PARSE_C)
x509_crl *ca_crl; /*!< trusted CA CRLs */
-#endif /* POLARSSL_X509_CRL_PARSE_C */
#if defined(POLARSSL_SSL_SESSION_TICKETS)
/*
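Review bot: `x509_crl *ca_crl;` is now unconditional while `ca_chain` and `peer_cn` stay inside `#if defined(POLARSSL_X509_CRT_PARSE_C)`, and the only setter visible in this diff, `ssl_set_ca_chain`, is still guarded by POLARSSL_X509_CRT_PARSE_C; with certificate parsing off the context carries a CRL pointer nothing can set or read. Moving the field up two lines, before `#endif /* POLARSSL_X509_CRT_PARSE_C */`, keeps the three verification inputs together under one guard, and the unconditional `#include "x509_crl.h"` earlier in this file can then stay under the same condition, since x509_crt.h already pulls x509_crl.h in. I cannot see the full struct, so if another CRT-independent user of `ca_crl` exists outside the diff this does not apply.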
@@ -956,7 +952,6 @@
int major, int minor );
#if defined(POLARSSL_X509_CRT_PARSE_C)
-#if defined(POLARSSL_X509_CRL_PARSE_C)
/**
* \brief Set the data required to verify peer certificate
*
@@ -967,7 +962,6 @@
*/
void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
x509_crl *ca_crl, const char *peer_cn );
-#endif /* POLARSSL_X509_CRL_PARSE_C */
/**
* \brief Set own certificate chain and private key
diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h
index dab1296..0c1b9e1 100644
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -31,9 +31,7 @@
#include "x509.h"
-#if defined(POLARSSL_X509_CRL_PARSE_C)
#include "x509_crl.h"
-#endif
/**
* \addtogroup x509_module
@@ -198,7 +196,6 @@
int x509_crt_info( char *buf, size_t size, const char *prefix,
const x509_crt *crt );
-#if defined(POLARSSL_X509_CRL_PARSE_C)
/**
* \brief Verify the certificate signature
*
@@ -242,8 +239,9 @@
int (*f_vrfy)(void *, x509_crt *, int, int *),
void *p_vrfy );
+#if defined(POLARSSL_X509_CRL_PARSE_C)
/**
- * \brief Verify the certificate signature
+ * \brief Verify the certificate revocation status
*
* \param crt a certificate to be verified
* \param crl the CRL to verify against
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1173cae..e6c840c 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1391,6 +1391,8 @@
#if defined(POLARSSL_X509_CRL_PARSE_C)
/* Check trusted CA's CRL for the chain's top crt */
*flags |= x509_crt_verifycrl( child, trust_ca, ca_crl );
+#else
+ ((void) ca_crl);
#endif
if( x509_time_expired( &trust_ca->valid_to ) )
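Review bot: With POLARSSL_X509_CRL_PARSE_C undefined, the new `#else` branch silently discards a caller-supplied `ca_crl`, so x509_crt_verify can return success with no revocation check and no flag telling the caller that the CRL it configured was never consulted. That is the intended trade-off of this change, but it should be stated where callers look: the x509_crt_verify description in x509_crt.h (its guard is removed in the hunk at L130–136, but the \param list lies outside the diff) wants a line such as `\note ca_crl is ignored, and no revocation check is performed, unless POLARSSL_X509_CRL_PARSE_C is defined`, and a one-line comment above `((void) ca_crl);` saying the same. This is not hypothetical: the suite-b and mini-tls1_1 configs in scripts/data_files drop the define in this same commit. The enclosing function starts and ends outside the hunk.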
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 42f5c59..57f5f84 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -29,13 +29,14 @@
#include <stdio.h>
#if !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) || \
- !defined(POLARSSL_FS_IO)
+ !defined(POLARSSL_FS_IO) || !defined(POLARSSL_X509_CRL_PARSE_C)
int main( int argc, char *argv[] )
{
((void) argc);
((void) argv);
printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C "
+ "POLARSSL_FS_IO and/or POLARSSL_X509_CRL_PARSE_C "
"not defined.\n");
return( 0 );
}
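Review bot: The added string fragment leaves the concatenated message grammatically broken: it now prints `... POLARSSL_X509_CRT_PARSE_C POLARSSL_FS_IO and/or ...`, with no separator between the existing `"POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C "` line and the new one. Change the first fragment to `printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C and/or "` so the four prerequisites read as one list, matching the updated `#if` condition above it.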
@@ -257,4 +258,5 @@
return( ret );
}
-#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO */
+#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO &&
+ POLARSSL_X509_CRL_PARSE_C */
diff --git a/scripts/data_files/config-mini-tls1_1.h b/scripts/data_files/config-mini-tls1_1.h
index 4930697..60b4c36 100644
--- a/scripts/data_files/config-mini-tls1_1.h
+++ b/scripts/data_files/config-mini-tls1_1.h
@@ -34,7 +34,6 @@
#define POLARSSL_SSL_CLI_C
#define POLARSSL_SSL_SRV_C
#define POLARSSL_SSL_TLS_C
-#define POLARSSL_X509_CRL_PARSE_C
#define POLARSSL_X509_CRT_PARSE_C
#define POLARSSL_X509_USE_C
diff --git a/scripts/data_files/config-suite-b.h b/scripts/data_files/config-suite-b.h
index 72dd348..a1543ee 100644
--- a/scripts/data_files/config-suite-b.h
+++ b/scripts/data_files/config-suite-b.h
@@ -34,7 +34,6 @@
#define POLARSSL_SSL_CLI_C
#define POLARSSL_SSL_SRV_C
#define POLARSSL_SSL_TLS_C
-#define POLARSSL_X509_CRL_PARSE_C
#define POLARSSL_X509_CRT_PARSE_C
#define POLARSSL_X509_USE_C
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 02238ba..2add9e3 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -75,7 +75,7 @@
}
/* END_CASE */
-/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CRL_PARSE_C */
void x509_verify( char *crt_file, char *ca_file, char *crl_file,
char *cn_name_str, int result, int flags_result,
char *verify_callback )