Fix implementation of VERIFY_OPTIONAL verification mode This commit changes the behaviour of mbedtls_ssl_parse_certificate to make the two authentication modes SSL_VERIFY_REQUIRED and SSL_VERIFY_OPTIONAL be in the following relationship: Mode == SSL_VERIFY_REQUIRED <=> Mode == SSL_VERIFY_OPTIONAL + check verify result Also, it changes the behaviour to perform the certificate chain verification even if the trusted CA chain is empty. Previously, the function failed in this case, even when using optional verification, which was brought up in #864.

commit: 888c2fde60737adc5250baff3f4d4e23084c99d2 [log] [tgz]
author: Hanno Becker <hanno.becker@arm.com> Thu May 11 11:12:40 2017 +0100
committer: Hanno Becker <hanno.becker@arm.com> Wed Jun 07 11:35:05 2017 +0100
tree: 4ae705a2ac27c5af590e62e8780147860f294793
parent: bbcef7e2c5cd6da22710a1f82a0a5409493ad6c1 [diff] [blame]
diff --git a/library/x509_crt.c b/library/x509_crt.c
index a3517f6..16a29b5 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c

@@ -1403,6 +1403,7 @@
     { BADCERT_KEY_USAGE,     "Usage does not match the keyUsage extension" },
     { BADCERT_EXT_KEY_USAGE, "Usage does not match the extendedKeyUsage extension" },
     { BADCERT_NS_CERT_TYPE,  "Usage does not match the nsCertType extension" },
+    { BADCERT_BAD_KEY,       "The certificate uses an invalid key (e.g. unsupported elliptic curve)" },
     { 0, NULL }
 };
commit	888c2fde60737adc5250baff3f4d4e23084c99d2	[log] [tgz]
author	Hanno Becker <hanno.becker@arm.com>	Thu May 11 11:12:40 2017 +0100
committer	Hanno Becker <hanno.becker@arm.com>	Wed Jun 07 11:35:05 2017 +0100
tree	4ae705a2ac27c5af590e62e8780147860f294793
parent	bbcef7e2c5cd6da22710a1f82a0a5409493ad6c1 [diff] [blame]