yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-07 07:05:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

Don't rely on private key metadata in SSL

Browse source 
When checking whether a server key matches the handshake parameters,
rely only on the offered certificate and not on the metadata of the
private key. Specifically, with an EC key, check the curve in the
certificate rather than in the associated private key.

This was the only place in the SSL module where mbedtls_pk_ec or
mbedtls_pk_rsa was called to access a private signature or decryption
key (as opposed to a public key or a key used for DH/ECDH).
This commit is contained in:
Gilles Peskine 2017-10-27 10:18:44 +02:00 committed by Andrzej Kurek
parent 2ba437ad3c
commit 858880686e
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
library/ssl_srv.c
View file

@ -731,7 +731,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_ECDSA_C)
if( pk_alg == MBEDTLS_PK_ECDSA &&
ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
ssl_check_key_curve( &cur->cert->pk, ssl->handshake->curves ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
continue;