Adapt server-side signature verification to use raw public key

We must dispatch between the peer's public key stored as part of
the peer's CRT in the current session structure (situation until
now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is
enabled), and the sole public key stored in the handshake structure
(new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
Hanno Becker 2019-02-06 18:31:04 +00:00
parent 69fad13853
commit 0833c1082b


@ -4161,6 +4161,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
mbedtls_md_type_t md_alg; mbedtls_md_type_t md_alg;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
mbedtls_pk_context * peer_pk;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
@ -4192,6 +4193,17 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
i = mbedtls_ssl_hs_hdr_len( ssl ); i = mbedtls_ssl_hs_hdr_len( ssl );
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert == NULL )
{
/* Should never happen */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
peer_pk = &ssl->session_negotiate->peer_cert->pk;
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/* /*
* struct { * struct {
* SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only * SignatureAndHashAlgorithm algorithm; -- TLS 1.2 only
@ -4206,8 +4218,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
hashlen = 36; hashlen = 36;
/* For ECDSA, use SHA-1, not MD-5 + SHA-1 */ /* For ECDSA, use SHA-1, not MD-5 + SHA-1 */
if( mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, if( mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECDSA ) )
MBEDTLS_PK_ECDSA ) )
{ {
hash_start += 16; hash_start += 16;
hashlen -= 16; hashlen -= 16;
@ -4262,7 +4273,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
/* /*
* Check the certificate's key type matches the signature alg * Check the certificate's key type matches the signature alg
*/ */
if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) ) if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
@ -4298,7 +4309,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
ssl->handshake->calc_verify( ssl, hash, &dummy_hlen ); ssl->handshake->calc_verify( ssl, hash, &dummy_hlen );
} }
if( ( ret = mbedtls_pk_verify( &ssl->session_negotiate->peer_cert->pk, if( ( ret = mbedtls_pk_verify( peer_pk,
md_alg, hash_start, hashlen, md_alg, hash_start, hashlen,
ssl->in_msg + i, sig_len ) ) != 0 ) ssl->in_msg + i, sig_len ) ) != 0 )
{ {
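Review bot: In the `!MBEDTLS_SSL_KEEP_PEER_CERTIFICATE` branch of the second hunk, `peer_pk = &ssl->handshake->peer_pubkey;` is taken with no sanity check, whereas the certificate branch guards against a missing `peer_cert` and returns `MBEDTLS_ERR_SSL_INTERNAL_ERROR`. Nothing visible here establishes that `peer_pubkey` has been populated by the time CertificateVerify is parsed (for example when the client sent an empty Certificate message); the start and end of `ssl_parse_certificate_verify` lie outside the hunks, so this may already be handled there. As written, the raw-key path appears to depend on `mbedtls_pk_can_do()` and `mbedtls_pk_verify()` rejecting an empty context, which holds only if the context was set up with `mbedtls_pk_init()`. I would make the invariant explicit with a matching guard, `if( mbedtls_pk_get_type( peer_pk ) == MBEDTLS_PK_NONE ) return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );`, or at least add a comment stating where `peer_pubkey` is initialised and filled.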