- Added CRL revocation support to x509parse_verify()

- Fixed an off-by-one allocation in ssl_set_hostname()
 - Added CRL support to SSL/TLS code

programs/ssl/ssl_client2.c

@@ -158,7 +158,7 @@ int main( void )
     ssl_set_ciphers( &ssl, ssl_default_ciphers );
     ssl_set_session( &ssl, 1, 600, &ssn );
 
-    ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
+    ssl_set_ca_chain( &ssl, &cacert, NULL, SERVER_NAME );
     ssl_set_own_cert( &ssl, &clicert, &rsa );
 
     ssl_set_hostname( &ssl, SERVER_NAME );

programs/ssl/ssl_server.c

@@ -286,7 +286,7 @@ accept:
 
     memset( &ssn, 0, sizeof( ssl_session ) );
 
-    ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+    ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
     ssl_set_own_cert( &ssl, &srvcert, &rsa );
     ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );
 

programs/test/ssl_cert_test.c

@@ -32,12 +32,14 @@
 #define snprintf _snprintf
 #endif
 
-#define MAX_CLIENT_CERTS    6
+#define MAX_CLIENT_CERTS    8
 
 char *client_certificates[MAX_CLIENT_CERTS] =
 {
     "client1.crt",
     "client2.crt",
+    "server1.crt",
+    "server2.crt",
     "cert_sha224.crt",
     "cert_sha256.crt",
     "cert_sha384.crt",
@@ -48,6 +50,8 @@ char *client_private_keys[MAX_CLIENT_CERTS] =
 {
     "client1.key",
     "client2.key",
+    "server1.key",
+    "server2.key",
     "cert_sha224.key",
     "cert_sha256.key",
     "cert_sha384.key",
@@ -83,6 +87,9 @@ int main( void )
 
     printf( " ok\n" );
 
+    x509parse_cert_info( buf, 1024, "CRT: ", &cacert );
+    printf("%s\n", buf );
+
     /*
      * 1.2. Load the CRL
      */
@@ -134,11 +141,17 @@ int main( void )
         printf( "  . Verify the client certificate with CA certificate..." );
         fflush( stdout );
 
-        ret = x509parse_verify( &clicert, &cacert, NULL, &flags );
+        ret = x509parse_verify( &clicert, &cacert, &crl, NULL, &flags );
         if( ret != 0 )
         {
-            printf( " failed\n  !  x509parse_verify returned %d\n\n", ret );
-            goto exit;
+            if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
+            {
+                if( flags == BADCERT_REVOKED )
+                    printf( " REVOKED " );
+            } else {
+                printf( " failed\n  !  x509parse_verify returned %d\n\n", ret );
+                goto exit;
+            }
         }
 
         printf( " ok\n" );

programs/test/ssl_test.c

@@ -225,7 +225,7 @@ static int ssl_test( struct options *opt )
 
         ssl_set_endpoint( &ssl, SSL_IS_SERVER );
         ssl_set_dh_param( &ssl, dhm_P, dhm_G );
-        ssl_set_ca_chain( &ssl, srvcert.next, NULL );
+        ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
         ssl_set_own_cert( &ssl, &srvcert, &rsa );
     }