- Added CRL revocation support to x509parse_verify()

- Fixed an off-by-one allocation in ssl_set_hostname() - Added CRL support to SSL/TLS code
2025-12-21 21:36:21 +01:00 · 2009-05-03 10:18:48 +00:00 · 2009-05-03 10:18:48 +00:00 · 40ea7de46d
commit 40ea7de46d
parent 7d06ad2b52
9 changed files with 133 additions and 27 deletions
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -158,7 +158,7 @@ int main( void )
    ssl_set_ciphers( &ssl, ssl_default_ciphers );
    ssl_set_session( &ssl, 1, 600, &ssn );

-    ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
+    ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME );
    ssl_set_own_cert( &ssl, &clicert, &rsa );

    ssl_set_hostname( &ssl, SERVER_NAME );
--- a/programs/ssl/ssl_server.c
+++ b/programs/ssl/ssl_server.c
@ -286,7 +286,7 @@ accept:

    memset( &ssn, 0, sizeof( ssl_session ) );

-    ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+    ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
    ssl_set_own_cert( &ssl, &srvcert, &rsa );
    ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );

--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@ -32,12 +32,14 @@
 #define snprintf _snprintf
 #endif

-#define MAX_CLIENT_CERTS    6
+#define MAX_CLIENT_CERTS    8

 char *client_certificates[MAX_CLIENT_CERTS] =
 {
    "client1.crt",
    "client2.crt",
+    "server1.crt",
+    "server2.crt",
    "cert_sha224.crt",
    "cert_sha256.crt",
    "cert_sha384.crt",
@ -48,6 +50,8 @@ char *client_private_keys[MAX_CLIENT_CERTS] =
 {
    "client1.key",
    "client2.key",
+    "server1.key",
+    "server2.key",
    "cert_sha224.key",
    "cert_sha256.key",
    "cert_sha384.key",
@ -83,6 +87,9 @@ int main( void )

    printf( " ok\n" );

+    x509parse_cert_info( buf, 1024, "CRT: ", &cacert );
+    printf("%s\n", buf );
+
    /*
     * 1.2. Load the CRL
     */
@ -134,11 +141,17 @@ int main( void )
        printf( "  . Verify the client certificate with CA certificate..." );
        fflush( stdout );

-        ret = x509parse_verify( &clicert, &cacert, NULL, &flags );
+        ret = x509parse_verify( &clicert, &cacert, &crl, NULL, &flags );
        if( ret != 0 )
        {
-            printf( " failed\n  !  x509parse_verify returned %d\n\n", ret );
-            goto exit;
+            if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+            {
+                if( flags == BADCERT_REVOKED )
+                    printf( " REVOKED " );
+            } else {
+                printf( " failed\n  !  x509parse_verify returned %d\n\n", ret );
+                goto exit;
+            }
        }

        printf( " ok\n" );
--- a/programs/test/ssl_test.c
+++ b/programs/test/ssl_test.c
@ -225,7 +225,7 @@ static int ssl_test( struct options *opt )

        ssl_set_endpoint( &ssl, SSL_IS_SERVER );
        ssl_set_dh_param( &ssl, dhm_P, dhm_G );
-        ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+        ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
        ssl_set_own_cert( &ssl, &srvcert, &rsa );
    }