Merge branch 'mbedtls-1.3' into development

* mbedtls-1.3:
  Make results of (ext)KeyUsage accessible
  Use x509_crt_verify_info() in programs
  Add x509_crt_verify_info()

Conflicts:
	ChangeLog
	include/mbedtls/x509_crt.h
	include/polarssl/ssl.h
	include/polarssl/x509.h
	library/ssl_srv.c
	library/ssl_tls.c
	library/x509_crt.c
	programs/ssl/ssl_client1.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_mail_client.c
	programs/ssl/ssl_server2.c
	programs/test/ssl_cert_test.c
	programs/x509/cert_app.c
	tests/ssl-opt.sh
	tests/suites/test_suite_x509parse.function

ChangeLog

@@ -70,12 +70,12 @@ Changes
 = mbed TLS 1.3 branch
 
 Security
-   * With authmode set to MBEDTLS_SSL_VERIFY_OPTIONAL, verification of keyUsage and
+   * With authmode set to SSL_VERIFY_OPTIONAL, verification of keyUsage and
      extendedKeyUsage on the leaf certificate was lost (results not accessible
      via ssl_get_verify_results()).
 
 Features
-   * Add mbedtls_x509_crt_verify_info() to display certificate verification results.
+   * Add x509_crt_verify_info() to display certificate verification results.
    * Add support for reading DH parameters with privateValueLength included
      (contributed by Daniel Kahn Gillmor).
    * Add support for bit strings in X.509 names (request by Fredrik Axelsson).

include/mbedtls/x509_crt.h

@@ -216,6 +216,21 @@ int mbedtls_x509_crt_info( char *buf, size_t size, const char *prefix,
 int mbedtls_x509_crt_verify_info( char *buf, size_t size, const char *prefix,
                           int flags );
 
+/**
+ * \brief          Returns an informational string about the
+ *                 verification status of a certificate.
+ *
+ * \param buf      Buffer to write to
+ * \param size     Maximum size of buffer
+ * \param prefix   A line prefix
+ * \param flags    Verification flags created by x509_crt_verify()
+ *
+ * \return         The amount of data written to the buffer, or -1 in
+ *                 case of an error.
+ */
+int x509_crt_verify_info( char *buf, size_t size, const char *prefix,
+                          int flags );
+
 /**
  * \brief          Verify the certificate signature
  *

tests/suites/test_suite_x509parse.data

@@ -283,6 +283,27 @@ x509_verify_info:MBEDTLS_BADCERT_MISSING:"  ! ":"  ! Certificate was missing\n"
 X509 Verify Information: two issues, with prefix
 x509_verify_info:MBEDTLS_BADCERT_EXPIRED | MBEDTLS_X509_BADCRL_EXPIRED:"  ! ":"  ! The certificate validity has expired\n  ! The CRL is expired\n"
 
+X509 Verify Information: empty
+x509_verify_info:0:"":""
+
+X509 Verify Information: one issue
+x509_verify_info:BADCERT_MISSING:"":"Certificate was missing\n"
+
+X509 Verify Information: two issues
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"":"The certificate validity has expired\nThe CRL is expired\n"
+
+X509 Verify Information: two issues, one unknown
+x509_verify_info:BADCERT_OTHER | 0x8000:"":"Other reason (can be used by verify callback)\nUnknown reason (this should not happen)\n"
+
+X509 Verify Information: empty, with prefix
+x509_verify_info:0:"  ! ":""
+
+X509 Verify Information: one issue, with prefix
+x509_verify_info:BADCERT_MISSING:"  ! ":"  ! Certificate was missing\n"
+
+X509 Verify Information: two issues, with prefix
+x509_verify_info:BADCERT_EXPIRED | BADCRL_EXPIRED:"  ! ":"  ! The certificate validity has expired\n  ! The CRL is expired\n"
+
 X509 Get Distinguished Name #1
 depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C
 mbedtls_x509_dn_gets:"data_files/server1.crt":"subject":"C=NL, O=PolarSSL, CN=PolarSSL Server 1"