From cbf3ef3861dc82525d6d0cc7624586d62f200e0e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Mon, 23 Sep 2013 12:20:02 +0200
Subject: [PATCH] RSA and ECDSA key exchanges don't depend on CRL

---
 include/polarssl/config.h                  | 22 +++++++++-------------
 include/polarssl/ssl.h                     |  6 ------
 include/polarssl/x509_crt.h                |  6 ++----
 library/x509_crt.c                         |  2 ++
 programs/test/ssl_cert_test.c              |  6 ++++--
 scripts/data_files/config-mini-tls1_1.h    |  1 -
 scripts/data_files/config-suite-b.h        |  1 -
 tests/suites/test_suite_x509parse.function |  2 +-
 8 files changed, 18 insertions(+), 28 deletions(-)

diff --git a/include/polarssl/config.h b/include/polarssl/config.h
index 737e5b489..f2ac41c67 100644
--- a/include/polarssl/config.h
+++ b/include/polarssl/config.h
@@ -286,7 +286,7 @@
  * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
  * (NOT YET IMPLEMENTED)
  * Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -307,7 +307,7 @@
  * Enable the RSA-only based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -333,7 +333,7 @@
  * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_DHM_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -355,7 +355,7 @@
  * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_ECDH_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -378,7 +378,6 @@
  * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_CRT_PARSE_C,
- *           POLARSSL_X509_CRL_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1683,34 +1682,31 @@
 
 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) &&                   \
     ( !defined(POLARSSL_DHM_C) || !defined(POLARSSL_RSA_C) ||           \
-      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \
-      !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
     ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_RSA_C) ||          \
-      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \
-      !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
     ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_ECDSA_C) ||          \
-      !defined(POLARSSL_X509_CRT_PARSE_C) ||                              \
-      !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_X509_CRT_PARSE_C) )
 #error "POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) &&                   \
     ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\
-      !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) &&                       \
     ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\
-      !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h
index 98742dc69..93b3170ba 100644
--- a/include/polarssl/ssl.h
+++ b/include/polarssl/ssl.h
@@ -58,9 +58,7 @@
 #include "x509_crt.h"
 #endif
 
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 #include "x509_crl.h"
-#endif
 
 #if defined(POLARSSL_DHM_C)
 #include "dhm.h"
@@ -659,9 +657,7 @@ struct _ssl_context
     x509_crt *ca_chain;                 /*!<  own trusted CA chain    */
     const char *peer_cn;                /*!<  expected peer CN        */
 #endif /* POLARSSL_X509_CRT_PARSE_C */
-#if defined(POLARSSL_X509_CRL_PARSE_C)
     x509_crl *ca_crl;                   /*!<  trusted CA CRLs         */
-#endif /* POLARSSL_X509_CRL_PARSE_C */
 
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     /*
@@ -956,7 +952,6 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl,
                                        int major, int minor );
 
 #if defined(POLARSSL_X509_CRT_PARSE_C)
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 /**
  * \brief          Set the data required to verify peer certificate
  *
@@ -967,7 +962,6 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl,
  */
 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
                        x509_crl *ca_crl, const char *peer_cn );
-#endif /* POLARSSL_X509_CRL_PARSE_C */
 
 /**
  * \brief          Set own certificate chain and private key
diff --git a/include/polarssl/x509_crt.h b/include/polarssl/x509_crt.h
index dab1296ca..0c1b9e109 100644
--- a/include/polarssl/x509_crt.h
+++ b/include/polarssl/x509_crt.h
@@ -31,9 +31,7 @@
 
 #include "x509.h"
 
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 #include "x509_crl.h"
-#endif
 
 /**
  * \addtogroup x509_module
@@ -198,7 +196,6 @@ int x509_crt_parse_path( x509_crt *chain, const char *path );
 int x509_crt_info( char *buf, size_t size, const char *prefix,
                    const x509_crt *crt );
 
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 /**
  * \brief          Verify the certificate signature
  *
@@ -242,8 +239,9 @@ int x509_crt_verify( x509_crt *crt,
                      int (*f_vrfy)(void *, x509_crt *, int, int *),
                      void *p_vrfy );
 
+#if defined(POLARSSL_X509_CRL_PARSE_C)
 /**
- * \brief          Verify the certificate signature
+ * \brief          Verify the certificate revocation status
  *
  * \param crt      a certificate to be verified
  * \param crl      the CRL to verify against
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 1173cae4b..e6c840c9b 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1391,6 +1391,8 @@ static int x509_crt_verify_top(
 #if defined(POLARSSL_X509_CRL_PARSE_C)
         /* Check trusted CA's CRL for the chain's top crt */
         *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl );
+#else
+        ((void) ca_crl);
 #endif
 
         if( x509_time_expired( &trust_ca->valid_to ) )
diff --git a/programs/test/ssl_cert_test.c b/programs/test/ssl_cert_test.c
index 42f5c5928..57f5f844f 100644
--- a/programs/test/ssl_cert_test.c
+++ b/programs/test/ssl_cert_test.c
@@ -29,13 +29,14 @@
 #include <stdio.h>
 
 #if !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) || \
-    !defined(POLARSSL_FS_IO)
+    !defined(POLARSSL_FS_IO) || !defined(POLARSSL_X509_CRL_PARSE_C)
 int main( int argc, char *argv[] )
 {
     ((void) argc);
     ((void) argv);
 
     printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C "
+           "POLARSSL_FS_IO and/or POLARSSL_X509_CRL_PARSE_C "
            "not defined.\n");
     return( 0 );
 }
@@ -257,4 +258,5 @@ exit:
 
     return( ret );
 }
-#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO */
+#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO &&
+          POLARSSL_X509_CRL_PARSE_C */
diff --git a/scripts/data_files/config-mini-tls1_1.h b/scripts/data_files/config-mini-tls1_1.h
index 493069707..60b4c3688 100644
--- a/scripts/data_files/config-mini-tls1_1.h
+++ b/scripts/data_files/config-mini-tls1_1.h
@@ -34,7 +34,6 @@
 #define POLARSSL_SSL_CLI_C
 #define POLARSSL_SSL_SRV_C
 #define POLARSSL_SSL_TLS_C
-#define POLARSSL_X509_CRL_PARSE_C
 #define POLARSSL_X509_CRT_PARSE_C
 #define POLARSSL_X509_USE_C
 
diff --git a/scripts/data_files/config-suite-b.h b/scripts/data_files/config-suite-b.h
index 72dd348f8..a1543ee9c 100644
--- a/scripts/data_files/config-suite-b.h
+++ b/scripts/data_files/config-suite-b.h
@@ -34,7 +34,6 @@
 #define POLARSSL_SSL_CLI_C
 #define POLARSSL_SSL_SRV_C
 #define POLARSSL_SSL_TLS_C
-#define POLARSSL_X509_CRL_PARSE_C
 #define POLARSSL_X509_CRT_PARSE_C
 #define POLARSSL_X509_USE_C
 
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 02238ba34..2add9e3c9 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -75,7 +75,7 @@ void x509_crl_info( char *crl_file, char *result_str )
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CRL_PARSE_C */
 void x509_verify( char *crt_file, char *ca_file, char *crl_file,
                   char *cn_name_str, int result, int flags_result,
                   char *verify_callback )