RSA and ECDSA key exchanges don't depend on CRL

include/polarssl/config.h

@@ -286,7 +286,7 @@
  * Enable the RSA-PSK based ciphersuite modes in SSL / TLS.
  * (NOT YET IMPLEMENTED)
  * Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -307,7 +307,7 @@
  * Enable the RSA-only based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -333,7 +333,7 @@
  * Enable the DHE-RSA based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_DHM_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -355,7 +355,7 @@
  * Enable the ECDHE-RSA based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_ECDH_C, POLARSSL_RSA_C, POLARSSL_PKCS1_V15,
- *           POLARSSL_X509_CRT_PARSE_C, POLARSSL_X509_CRL_PARSE_C
+ *           POLARSSL_X509_CRT_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -378,7 +378,6 @@
  * Enable the ECDHE-ECDSA based ciphersuite modes in SSL / TLS.
  *
  * Requires: POLARSSL_ECDH_C, POLARSSL_ECDSA_C, POLARSSL_X509_CRT_PARSE_C,
- *           POLARSSL_X509_CRL_PARSE_C
  *
  * This enables the following ciphersuites (if other requisites are
  * enabled as well):
@@ -1683,34 +1682,31 @@
 
 #if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) &&                   \
     ( !defined(POLARSSL_DHM_C) || !defined(POLARSSL_RSA_C) ||           \
-      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \
-      !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) &&                 \
     ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_RSA_C) ||          \
-      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) || \
-      !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_X509_CRT_PARSE_C) || !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) &&                 \
     ( !defined(POLARSSL_ECDH_C) || !defined(POLARSSL_ECDSA_C) ||          \
-      !defined(POLARSSL_X509_CRT_PARSE_C) ||                              \
-      !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_X509_CRT_PARSE_C) )
 #error "POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED) &&                   \
     ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\
-      !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_RSA_PSK_ENABLED defined, but not all prerequisites"
 #endif
 
 #if defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) &&                       \
     ( !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) ||\
-      !defined(POLARSSL_PKCS1_V15) || !defined(POLARSSL_X509_CRL_PARSE_C) )
+      !defined(POLARSSL_PKCS1_V15) )
 #error "POLARSSL_KEY_EXCHANGE_RSA_ENABLED defined, but not all prerequisites"
 #endif
 

include/polarssl/ssl.h

@@ -58,9 +58,7 @@
 #include "x509_crt.h"
 #endif
 
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 #include "x509_crl.h"
-#endif
 
 #if defined(POLARSSL_DHM_C)
 #include "dhm.h"
@@ -659,9 +657,7 @@ struct _ssl_context
     x509_crt *ca_chain;                 /*!<  own trusted CA chain    */
     const char *peer_cn;                /*!<  expected peer CN        */
 #endif /* POLARSSL_X509_CRT_PARSE_C */
-#if defined(POLARSSL_X509_CRL_PARSE_C)
     x509_crl *ca_crl;                   /*!<  trusted CA CRLs         */
-#endif /* POLARSSL_X509_CRL_PARSE_C */
 
 #if defined(POLARSSL_SSL_SESSION_TICKETS)
     /*
@@ -956,7 +952,6 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl,
                                        int major, int minor );
 
 #if defined(POLARSSL_X509_CRT_PARSE_C)
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 /**
  * \brief          Set the data required to verify peer certificate
  *
@@ -967,7 +962,6 @@ void ssl_set_ciphersuites_for_version( ssl_context *ssl,
  */
 void ssl_set_ca_chain( ssl_context *ssl, x509_crt *ca_chain,
                        x509_crl *ca_crl, const char *peer_cn );
-#endif /* POLARSSL_X509_CRL_PARSE_C */
 
 /**
  * \brief          Set own certificate chain and private key

include/polarssl/x509_crt.h

@@ -31,9 +31,7 @@
 
 #include "x509.h"
 
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 #include "x509_crl.h"
-#endif
 
 /**
  * \addtogroup x509_module
@@ -198,7 +196,6 @@ int x509_crt_parse_path( x509_crt *chain, const char *path );
 int x509_crt_info( char *buf, size_t size, const char *prefix,
                    const x509_crt *crt );
 
-#if defined(POLARSSL_X509_CRL_PARSE_C)
 /**
  * \brief          Verify the certificate signature
  *
@@ -242,8 +239,9 @@ int x509_crt_verify( x509_crt *crt,
                      int (*f_vrfy)(void *, x509_crt *, int, int *),
                      void *p_vrfy );
 
+#if defined(POLARSSL_X509_CRL_PARSE_C)
 /**
- * \brief          Verify the certificate signature
+ * \brief          Verify the certificate revocation status
  *
  * \param crt      a certificate to be verified
  * \param crl      the CRL to verify against

library/x509_crt.c

@@ -1391,6 +1391,8 @@ static int x509_crt_verify_top(
 #if defined(POLARSSL_X509_CRL_PARSE_C)
         /* Check trusted CA's CRL for the chain's top crt */
         *flags |= x509_crt_verifycrl( child, trust_ca, ca_crl );
+#else
+        ((void) ca_crl);
 #endif
 
         if( x509_time_expired( &trust_ca->valid_to ) )

programs/test/ssl_cert_test.c

@@ -29,13 +29,14 @@
 #include <stdio.h>
 
 #if !defined(POLARSSL_RSA_C) || !defined(POLARSSL_X509_CRT_PARSE_C) || \
-    !defined(POLARSSL_FS_IO)
+    !defined(POLARSSL_FS_IO) || !defined(POLARSSL_X509_CRL_PARSE_C)
 int main( int argc, char *argv[] )
 {
     ((void) argc);
     ((void) argv);
 
     printf("POLARSSL_RSA_C and/or POLARSSL_X509_CRT_PARSE_C "
+           "POLARSSL_FS_IO and/or POLARSSL_X509_CRL_PARSE_C "
            "not defined.\n");
     return( 0 );
 }
@@ -257,4 +258,5 @@ exit:
 
     return( ret );
 }
-#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO */
+#endif /* POLARSSL_RSA_C && POLARSSL_X509_CRT_PARSE_C && POLARSSL_FS_IO &&
+          POLARSSL_X509_CRL_PARSE_C */

scripts/data_files/config-mini-tls1_1.h

@@ -34,7 +34,6 @@
 #define POLARSSL_SSL_CLI_C
 #define POLARSSL_SSL_SRV_C
 #define POLARSSL_SSL_TLS_C
-#define POLARSSL_X509_CRL_PARSE_C
 #define POLARSSL_X509_CRT_PARSE_C
 #define POLARSSL_X509_USE_C
 

scripts/data_files/config-suite-b.h

@@ -34,7 +34,6 @@
 #define POLARSSL_SSL_CLI_C
 #define POLARSSL_SSL_SRV_C
 #define POLARSSL_SSL_TLS_C
-#define POLARSSL_X509_CRL_PARSE_C
 #define POLARSSL_X509_CRT_PARSE_C
 #define POLARSSL_X509_USE_C
 

tests/suites/test_suite_x509parse.function

@@ -75,7 +75,7 @@ void x509_crl_info( char *crl_file, char *result_str )
 }
 /* END_CASE */
 
-/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C */
+/* BEGIN_CASE depends_on:POLARSSL_FS_IO:POLARSSL_X509_CRT_PARSE_C:POLARSSL_X509_CRL_PARSE_C */
 void x509_verify( char *crt_file, char *ca_file, char *crl_file,
                   char *cn_name_str, int result, int flags_result,
                   char *verify_callback )