From cdf07e997906093cc3c15b56a166b7b6af05ff0e Mon Sep 17 00:00:00 2001
From: Paul Bakker
Date: Sun, 30 Jan 2011 17:05:13 +0000
Subject: [PATCH] - Information about missing or non-verified client
certificate is not provided as well.
---
include/polarssl/x509.h | 14 ++++++++------
library/ssl_tls.c | 3 +++
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/include/polarssl/x509.h b/include/polarssl/x509.h
index 4305074b42..eda522161c 100644
--- a/include/polarssl/x509.h
+++ b/include/polarssl/x509.h
@@ -85,12 +85,14 @@
* \name X509 Verify codes
* \{
*/
-#define BADCERT_EXPIRED 1 /**< The certificate validity has expired. */
-#define BADCERT_REVOKED 2 /**< The certificate has been revoked (is on a CRL). */
-#define BADCERT_CN_MISMATCH 4 /**< The certificate Common Name (CN) does not match with the expected CN. */
-#define BADCERT_NOT_TRUSTED 8 /**< The certificate is not correctly signed by the trusted CA. */
-#define BADCRL_NOT_TRUSTED 16 /**< CRL is not correctly signed by the trusted CA. */
-#define BADCRL_EXPIRED 32 /**< CRL is expired. */
+#define BADCERT_EXPIRED 0x01 /**< The certificate validity has expired. */
+#define BADCERT_REVOKED 0x02 /**< The certificate has been revoked (is on a CRL). */
+#define BADCERT_CN_MISMATCH 0x04 /**< The certificate Common Name (CN) does not match with the expected CN. */
+#define BADCERT_NOT_TRUSTED 0x08 /**< The certificate is not correctly signed by the trusted CA. */
+#define BADCRL_NOT_TRUSTED 0x10 /**< CRL is not correctly signed by the trusted CA. */
+#define BADCRL_EXPIRED 0x20 /**< CRL is expired. */
+#define BADCERT_MISSING 0x40 /**< Certificate was missing. */
+#define BADCERT_SKIP_VERIFY 0x80 /**< Certificate verification was skipped. */
/* \} name */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6f36e265b5..27c456acf5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1280,6 +1280,7 @@ int ssl_parse_certificate( ssl_context *ssl )
if( ssl->endpoint == SSL_IS_SERVER &&
ssl->authmode == SSL_VERIFY_NONE )
{
+ ssl->verify_result = BADCERT_SKIP_VERIFY;
SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
ssl->state++;
return( 0 );
@@ -1306,6 +1307,7 @@ int ssl_parse_certificate( ssl_context *ssl )
{
SSL_DEBUG_MSG( 1, ( "SSLv3 client has no certificate" ) );
+ ssl->verify_result = BADCERT_MISSING;
if( ssl->authmode == SSL_VERIFY_OPTIONAL )
return( 0 );
else
@@ -1323,6 +1325,7 @@ int ssl_parse_certificate( ssl_context *ssl )
{
SSL_DEBUG_MSG( 1, ( "TLSv1 client has no certificate" ) );
+ ssl->verify_result = BADCERT_MISSING;
if( ssl->authmode == SSL_VERIFY_REQUIRED )
return( POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE );
else