fortanix
diff --git a/‎Cargo.lock
Lines changed: 1 addition & 1 deletion b/‎Cargo.lock
Lines changed: 1 addition & 1 deletion
diff --git a/‎mbedtls/Cargo.toml
Lines changed: 1 addition & 1 deletion b/‎mbedtls/Cargo.toml
Lines changed: 1 addition & 1 deletion
diff --git a/‎mbedtls/src/x509/certificate.rs
Lines changed: 52 additions & 9 deletions b/‎mbedtls/src/x509/certificate.rs
Lines changed: 52 additions & 9 deletions
diff --git a/‎mbedtls/tests/data/certificate.crt
Lines changed: 34 additions & 0 deletions b/‎mbedtls/tests/data/certificate.crt
Lines changed: 34 additions & 0 deletions
diff --git a/‎mbedtls/tests/data/root.crt
Lines changed: 32 additions & 0 deletions b/‎mbedtls/tests/data/root.crt
Lines changed: 32 additions & 0 deletions
diff --git a/‎mbedtls/tests/data/root.empty.crl
690 Bytes b/‎mbedtls/tests/data/root.empty.crl
690 Bytes
diff --git a/‎mbedtls/tests/data/root.revoked.crl
712 Bytes b/‎mbedtls/tests/data/root.revoked.crl
712 Bytes
@@ -1,6 +1,6 @@
 [package]
 name = "mbedtls"
-version = "0.8.2"
+version = "0.9.0"
 authors = ["Jethro Beekman <[email protected]>"]
 build = "build.rs"
 edition = "2018"
 
@@ -21,7 +21,7 @@ use crate::hash::Type as MdType;
 use crate::pk::Pk;
 use crate::private::UnsafeFrom;
 use crate::rng::Random;
-use crate::x509::{self, Time, VerifyCallback};
+use crate::x509::{self, Crl, Time, VerifyCallback};
 
 extern "C" {
     pub(crate) fn forward_mbedtls_calloc(n: mbedtls_sys::types::size_t, size: mbedtls_sys::types::size_t) -> *mut mbedtls_sys::types::raw_types::c_void;
@@ -226,6 +226,7 @@ impl Certificate {
     fn verify_ex<F>(
         chain: &MbedtlsList<Certificate>,
         trust_ca: &MbedtlsList<Certificate>,
+        ca_crl: Option<&mut Crl>,
         err_info: Option<&mut String>,
         cb: Option<F>,
     ) -> Result<()>
@@ -243,7 +244,7 @@ impl Certificate {
             x509_crt_verify(
                 chain.inner_ffi_mut(),
                 trust_ca.inner_ffi_mut(),
-                ::core::ptr::null_mut(),
+                ca_crl.map_or(::core::ptr::null_mut(), |crl| crl.handle_mut()),
                 ::core::ptr::null(),
                 &mut flags,
                 f_vrfy,
@@ -269,21 +270,23 @@ impl Certificate {
     pub fn verify(
         chain: &MbedtlsList<Certificate>,
         trust_ca: &MbedtlsList<Certificate>,
+        ca_crl: Option<&mut Crl>,
         err_info: Option<&mut String>,
     ) -> Result<()> {
-        Self::verify_ex(chain, trust_ca, err_info, None::<&dyn VerifyCallback>)
+        Self::verify_ex(chain, trust_ca, ca_crl, err_info, None::<&dyn VerifyCallback>)
     }
 
     pub fn verify_with_callback<F>(
         chain: &MbedtlsList<Certificate>,
         trust_ca: &MbedtlsList<Certificate>,
+        ca_crl: Option<&mut Crl>,
         err_info: Option<&mut String>,
         cb: F,
     ) -> Result<()>
     where
         F: VerifyCallback + 'static,
     {
-        Self::verify_ex(chain, trust_ca, err_info, Some(cb))
+        Self::verify_ex(chain, trust_ca, ca_crl, err_info, Some(cb))
     }
 }
 
@@ -1014,7 +1017,7 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
             chain.push(c_leaf.clone());
             chain.push(c_int1.clone());
 
-            let err = Certificate::verify(&chain, &mut c_root, None).unwrap_err();
+            let err = Certificate::verify(&chain, &mut c_root, None, None).unwrap_err();
             assert_eq!(err, Error::X509CertVerifyFailed);
 
             // try again after fixing the chain
@@ -1028,8 +1031,8 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
                 Ok(())
             };
 
-            Certificate::verify(&chain, &mut c_root, None).unwrap();
-            let res = Certificate::verify_with_callback(&chain, &mut c_root, Some(&mut err_str), verify_callback);
+            Certificate::verify(&chain, &mut c_root, None, None).unwrap();
+            let res = Certificate::verify_with_callback(&chain, &mut c_root, None, Some(&mut err_str), verify_callback);
 
             match res {
                 Ok(()) => (),
@@ -1043,15 +1046,15 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
             chain.push(c_int1.clone());
             chain.push(c_int2.clone());
 
-            Certificate::verify(&chain, &mut c_root, None).unwrap();
+            Certificate::verify(&chain, &mut c_root, None, None).unwrap();
 
             let verify_callback = |_crt: &Certificate, _depth: i32, verify_flags: &mut VerifyError| {
                 verify_flags.remove(VerifyError::CERT_EXPIRED);
                 Ok(())
             };
 
             let mut err_str = String::new();
-            let res = Certificate::verify_with_callback(&chain, &mut c_root, Some(&mut err_str), verify_callback);
+            let res = Certificate::verify_with_callback(&chain, &mut c_root, None, Some(&mut err_str), verify_callback);
 
             match res {
                 Ok(()) => (),
@@ -1443,4 +1446,44 @@ cYp0bH/RcPTC0Z+ZaqSWMtfxRrk63MJQF9EXpDCdvQRcTMD9D85DJrMKn8aumq0M
         assert!(crate::tests::TestTrait::<dyn Sync, MbedtlsBox<Certificate>>::new().impls_trait(), "MbedtlsBox<Certificate> should be Sync");
         assert!(crate::tests::TestTrait::<dyn Sync, MbedtlsList<Certificate>>::new().impls_trait(), "MbedtlsList<Certificate> should be Sync");
     }
+
+    #[test]
+    fn empty_crl_test() {
+        const C_CERT: &'static str = concat!(include_str!("../../tests/data/certificate.crt"), "\0");
+        const C_ROOT: &'static str = concat!(include_str!("../../tests/data/root.crt"), "\0");
+        const C_CRL: &'static [u8] = include_bytes!("../../tests/data/root.empty.crl");
+
+        let mut certs = MbedtlsList::new();
+        certs.push(Certificate::from_pem(&C_CERT.as_bytes()).unwrap());
+        let mut roots = MbedtlsList::new();
+        roots.push(Certificate::from_pem(&C_ROOT.as_bytes()).unwrap());
+
+        assert!(Certificate::verify(&certs, &roots, None, None).is_ok());
+
+        let mut crl = Crl::new();
+        crl.push_from_der(C_CRL).unwrap();
+        assert!(Certificate::verify(&certs, &roots, Some(&mut crl), None).is_ok());
+    }
+
+    #[test]
+    fn revoked_cert_crl_test() {
+        const C_CERT: &'static str = concat!(include_str!("../../tests/data/certificate.crt"), "\0");
+        const C_ROOT: &'static str = concat!(include_str!("../../tests/data/root.crt"), "\0");
+        const C_CRL: &'static [u8] = include_bytes!("../../tests/data/root.revoked.crl");
+
+        let mut certs = MbedtlsList::new();
+        certs.push(Certificate::from_pem(&C_CERT.as_bytes()).unwrap());
+        let mut roots = MbedtlsList::new();
+        roots.push(Certificate::from_pem(&C_ROOT.as_bytes()).unwrap());
+
+        let mut crl = Crl::new();
+        crl.push_from_der(C_CRL).unwrap();
+
+        let mut err = String::new();
+        assert_eq!(
+            Certificate::verify(&certs, &roots, Some(&mut crl), Some(&mut err)).unwrap_err(),
+            Error::X509CertVerifyFailed
+        );
+        assert_eq!(err, "The certificate has been revoked (is on a CRL)\n");
+    }
 }
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF8TCCA9mgAwIBAgIBATANBgkqhkiG9w0BAQsFADBTMQswCQYDVQQGEwJCRTEX
+MBUGA1UECAwOVmxhYW1zLUJyYWJhbnQxGTAXBgNVBAoMEENlcnRpZmljYXRlcy5p
+bmMxEDAOBgNVBAMMB1Jvb3QgQ0EwIBcNMjAwNjEyMTE1MzAyWhgPMjEyMDA1MTkx
+MTUzMDJaMFsxHzAdBgNVBAMMFkVhc3lUb1N0ZWFsQ2VydGlmaWNhdGUxEzARBgNV
+BAgMClNvbWUtU3RhdGUxCzAJBgNVBAYTAkJFMRYwFAYDVQQKDA1NYWxpY2lvdXMu
+aW5jMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAq45U97O8N26icu+T
+zmejshoPa4n2PeSzwDPUk/zYVq9zaHZA/tvi4Wm8q5sQuSL4Lumqs1/2APgtXYv5
+t0BhfQAZ2fZKWwczqW1xPIX8JviUaGq/yLtygWnaie5Y+1lanP4J4Sc0JTwnuFnB
+uLBLOFZc+fh46gvp+xBq33aF1HeM8XiVpOhlbnK+3LXN2UrSsX5fq9Z6zsQjpB/L
+chy7dz0mkCJnJlm0TG+VEeCzVHw3pL+/Tt/jzt0Ha4sy3fw4TyFIVtpZQsgyg1kN
+1qYB0KonHDxX57rSlxMRKY8NhHG1zkC/zzGl4L0VejV0tJBEtwfql82jid8eBAUM
+aqvoWta9mTpH77v9KzNZ5nfMndu5Ve/nf8cH3SSQArMtMl0sk78ABN1ZSLRy2Vfk
+3Kj9ctZR4ypkfvZqNMFyaK5+W6bq85j3tH/9RYYnJ0I4WKZpRjuC4/v6bO8iLToD
+0Ng1bBnpKMhsvEIS6sdF6eMM/evv4T0dnW2AsaawpUrWegyriGiNCiD8MJPW7sia
+i2Uk8ZZuBSyI6kRm0jqdeYQ5vyz4VrWTeEzX6k1EUNkQbA5t2Ez8pZrN5ujGpZae
+UMK03hr2jWqNJxhCYFohS0ln0b/LfnxHSxqjKKM2U3EDX/f1EmIZzAYE/zaF16Uh
+rZJvDVRzBQPjMTFdmGNblRoB6p0CAwEAAaOBxTCBwjAJBgNVHRMEAjAAMB0GA1Ud
+DgQWBBRrsu6JsVWQ3SoGx7qwanSqZeLepzAfBgNVHSMEGDAWgBRElqcxP4x4K9IX
+fIEbJ5r6rWErBTALBgNVHQ8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwLAYD
+VR0fBCUwIzAhoB+gHYYbaHR0cDovL2V4YW1wbGUuY29tL3Jvb3QuY3JsMCUGA1Ud
+EQQeMByCC2V4YW1wbGUuY29tgg0qLmV4YW1wbGUuY29tMA0GCSqGSIb3DQEBCwUA
+A4ICAQCLrmC0o8rd+ZzoGorjwBA8KvF3vh9xDDdsrqUhB1pD+mo1enHWu1Y2KE8j
+AOy36MPDQnDJf1sDw6vKoxKdTffk/BH45WaxsrkR7omOj9EItXgPy3TSxf4KRJVQ
+zFYA7np1MJ3QtIzd7aAyN3PGikS3UR481iKxLR7y3JI+BOU3Mlg2FWQeqebV5LTu
+tqaX4J8USnOcbNxlbfNnhj6EEr2wEVDXDc+EcLhz77LefV3hqxXa2jLcnivxTP0X
+3ZbKcr4i/u5JOQ3xtaSnGdi55/68OLd/3qjLeB88q3NpF+lEeM34sgJYOnow01Ow
+Klf/gHfdYkmAto+d8m85AgS/yFANF/8G9NNFnL1xXhLnLJ5J6LypY/A2ISOS+heh
+q53VO0YliKKODFGSR7SoBw4H/tM6LWh3joUQAboq1NOpjMJz18kLd7uf0Aw/ZV7/
+r7A6fe2sOkBwPRz/BvF+aPvJJCOGAMdgBNA5HZhOOEZkOu+FcVLC0tSdK8l5PHgW
+z7AXtdlmMuj1L9vPyA1JWaYcr+y8ygUv8+Jip5spNFr8/62p5ZLzgkekWMrDI9IT
+2nN4O4kTDcf7kWyJg/hW6LDE5pTB6ptuMMJiDdBTX9jAQb6FYjEMGLDe+83Bk4cI
+JbPERIBz2nsffwBGwAOXddCCDq13tjfMHMg1RiguQDm9mWDYHA==
+-----END CERTIFICATE-----
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFezCCA2OgAwIBAgIJAMc0/p4v7aKUMA0GCSqGSIb3DQEBCwUAMFMxCzAJBgNV
+BAYTAkJFMRcwFQYDVQQIDA5WbGFhbXMtQnJhYmFudDEZMBcGA1UECgwQQ2VydGlm
+aWNhdGVzLmluYzEQMA4GA1UEAwwHUm9vdCBDQTAgFw0yMDA2MTIxMTUyMzVaGA8y
+MTIwMDUxOTExNTIzNVowUzELMAkGA1UEBhMCQkUxFzAVBgNVBAgMDlZsYWFtcy1C
+cmFiYW50MRkwFwYDVQQKDBBDZXJ0aWZpY2F0ZXMuaW5jMRAwDgYDVQQDDAdSb290
+IENBMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAywObiGKXKi1O735I
+JNHzYduXmnTJUmIASXWMab61ebjGCD38f1gFl6f6x8jAl0zZpijQA7b1/q1GCWIJ
+7ODG4D/R3VHletlxBkNP/3pxq84kdohGtwtf+qIsHXjND7u5fC0jensklFG14EGE
+CTTRceSPXpv7H9qO0eaBoNWjY3y5T8ZXK1HakEJJjiDXtPgybRZDN1FsG6w71zED
+Lqvjvee7VAuOtCwl6R9Veq6buRPAASC9MlpRIuQJLo4lcVBEO5HIx2Ji4+SV+w6e
+m5XfXCPPwGGazL2b64BGicL3ZsrsKEC+ogXrcvLD47Rvag3k6Km4sOvsRtkloKol
+8kjaf2LUyNh/VW1wPq6l6WkUuYyDKUeuHD7C5yBysrXJcwjE4P0JAiDQuNXzW8oA
+2khYidgK4qTMCvLO4RlWiZxS/+xrp3yquXmxTFm61/vPJQUDK2g6vqiOV5wKIewa
+zZGVpHqdS7PenQZ1cIKVkEOI7NdPWU2MqS8QL9A/7dRfAC8nI4fp6bsuZwjQbwKH
+gufmJ8XdKzOzpITIihwkdIJnzka9JSLsAdEFHCwfQpzwRqpn0KbIBoRXk0FszEYO
+vfzwUcIGJW+tUIrrwIQhhIvB6qVeTJn4lzgpsCo10PMXPDc9Zt9BS6J6EP2k9KVp
+T0fgq12G9LtWX3UAs1hExkHrEpECAwEAAaNQME4wHQYDVR0OBBYEFESWpzE/jHgr
+0hd8gRsnmvqtYSsFMB8GA1UdIwQYMBaAFESWpzE/jHgr0hd8gRsnmvqtYSsFMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBABxR8KEu4RFLdrC+QLAumBG4
+9Agcc2e2VUHkWEZlRsBGzr9MBC3jfhTld06hLl7QO2HVuxlOdHfvWr621QQIckB9
+cBNmoGKghnIF78IM044+GAYc3/TzhVLyjd9JKFtB6hfR1S0254zO/RdquQoH8DSP
+C5XmfnnQ3fA6AC/yIImRaN0oEfFTMt7tiri6UndTgvRVSEm2blvydsnKXMpxNQz3
+s424ZJSIoUv+d1Gm/7phB3yPltcleQSylV+Fsw29L63iTFEnagwgAOcfWYNBUvrj
+13UvI0EoYjwEA1y6e/9XH89OU7Rtgo81n7//KuDglwKA9PggAiYZ/o1u6540uqg1
+2GX727xJlShdW7hJtGxSF6CQUBzXMXcXYxnXBXHPUsY7vnWb/7ex5o1OIw6Msdp2
+xiRUVuMOTkwxAvi/z81oe11P1pE1p3ySuk9O87ebc2T5dYyYlZXQTymzAAgY4mVH
+LYFfrcdObyy47yiURbVR2T1bZQ8Q7ehN1qb02wMPNk3mFrnLFNQRM3/lmfPVZeUU
+5ACuqvooW4ieLrPcFfKhGblrDsnDhY7xngHeBi+QNMmqTqYR+skUGhxRX6VLsTlC
+1wrBd8pUeMJU6Oj30KYop9xgWhGfrgkn8Z/C3LLC4C6mjUx6AU7mXPI3UqxZ2Z83
+uv5959EBeVGwRDi6WT8u
+-----END CERTIFICATE-----