- Added CRL revocation support to x509parse_verify()

- Fixed an off-by-one allocation in ssl_set_hostname()
 - Added CRL support to SSL/TLS code
This commit is contained in:
Paul Bakker 2009-05-03 10:18:48 +00:00
parent 7d06ad2b52
commit 40ea7de46d
9 changed files with 133 additions and 27 deletions
include/polarssl


@ -235,6 +235,7 @@ struct _ssl_context
rsa_context *rsa_key; /*!< own RSA private key */
x509_cert *own_cert; /*!< own X.509 certificate */
x509_cert *ca_chain; /*!< own trusted CA chain */
x509_crl *ca_crl; /*!< trusted CA CRLs */
x509_cert *peer_cert; /*!< peer X.509 cert chain */
char *peer_cn; /*!< expected peer CN */
@ -389,12 +390,13 @@ void ssl_set_ciphers( ssl_context *ssl, int *ciphers );
*
* \param ssl SSL context
* \param ca_chain trusted CA chain
* \param ca_crl trusted CA CRLs
* \param peer_cn expected peer CommonName (or NULL)
*
* \note TODO: add two more parameters: depth and crl
*/
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
char *peer_cn );
x509_crl *ca_crl, char *peer_cn );
/**
* \brief Set own certificate and private key
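Review bot: The `\note TODO: add two more parameters: depth and crl` kept on the new side of the second hunk is now stale, because this very hunk adds the `crl` parameter (`x509_crl *ca_crl`) to `ssl_set_ca_chain`; it should read `\note TODO: add a depth parameter`. The new `\param ca_crl trusted CA CRLs` line also does not say whether NULL is accepted and, if so, that passing NULL presumably means no revocation check is performed at all — a caller that relies on revocation needs that stated, e.g. `\param ca_crl trusted CA CRLs (NULL: no revocation checking)` once the NULL handling in the SSL/X.509 code has been confirmed. Note that the old three-argument form is gone, so every existing caller of `ssl_set_ca_chain` must be updated, which the commit title implies but the header does not call out. The documentation block this hunk edits begins above the hunk's first visible line.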


@ -60,6 +60,8 @@
#define BADCERT_REVOKED 2
#define BADCERT_CN_MISMATCH 4
#define BADCERT_NOT_TRUSTED 8
#define BADCRL_NOT_TRUSTED 16
#define BADCRL_EXPIRED 32
/*
* DER constants
@ -335,16 +337,17 @@ int x509parse_cert_info( char *buf, size_t size, char *prefix, x509_cert *crt );
int x509parse_crl_info( char *buf, size_t size, char *prefix, x509_crl *crl );
/**
* \brief Return 0 if the certificate is still valid,
* or BADCERT_EXPIRED
* \brief Return 0 if the x509_time is still valid,
* or 1 otherwise.
*/
int x509parse_expired( x509_cert *crt );
int x509parse_time_expired( x509_time *time );
/**
* \brief Verify the certificate signature
*
* \param crt a certificate to be verified
* \param trust_ca the trusted CA chain
* \param ca_crl the CRL chain for trusted CA's
* \param cn expected Common Name (can be set to
* NULL if the CN must not be verified)
* \param flags result of the verification
@ -361,6 +364,7 @@ int x509parse_expired( x509_cert *crt );
*/
int x509parse_verify( x509_cert *crt,
x509_cert *trust_ca,
x509_crl *ca_crl,
char *cn, int *flags );
/**
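Review bot: The new `\param ca_crl the CRL chain for trusted CA's` in the `x509parse_verify` comment (hunk at -335) does not state how a NULL `ca_crl` is treated, nor what the newly added `BADCRL_NOT_TRUSTED` and `BADCRL_EXPIRED` bits mean to the caller; from a revocation standpoint an expired or unverifiable CRL means the revocation status is unknown, so a caller that only tests `flags` for `BADCERT_REVOKED` would silently accept a possibly revoked certificate. I would extend `\param flags result of the verification` with a line listing the BADCERT_*/BADCRL_* bits and stating that any `BADCRL_*` bit must be treated as a failed verification unless the application deliberately tolerates a stale CRL, and document the NULL case on `\param ca_crl` (presumably "no revocation check"; confirm against the implementation, which is not in this section). Separately, `x509parse_time_expired( x509_time *time )` only reads its argument as far as the brief describes, so `const x509_time *time` would be the more honest prototype. The comment block continues past the hunk's last visible line.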