From a310459f5c8ada754317c134b7dc97f8d793a8c2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= <mpg@elzevir.fr>
Date: Tue, 17 Sep 2013 21:17:44 +0200
Subject: [PATCH] Fix a few things that broke with RSA compiled out

---
 library/ssl_cli.c | 28 ++++++++++++++++++++++++++--
 library/ssl_srv.c |  8 ++++++--
 library/ssl_tls.c |  5 ++++-
 3 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 284c0a81a..bfdd7e43f 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1581,16 +1581,34 @@ static int ssl_parse_certificate_request( ssl_context *ssl )
     p = buf + 5;
     while( cert_type_len > 0 )
     {
-        if( *p == SSL_CERT_TYPE_RSA_SIGN )
+#if defined(POLARSSL_RSA_C)
+        if( *p == SSL_CERT_TYPE_RSA_SIGN &&
+            pk_can_do( ssl->pk_key, POLARSSL_PK_RSA ) )
         {
             ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
             break;
         }
+        else
+#endif
+#if defined(POLARSSL_ECDSA_C)
+        if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
+            pk_can_do( ssl->pk_key, POLARSSL_PK_ECDSA ) )
+        {
+            ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN;
+            break;
+        }
+        else
+#endif
+        {
+            ; /* Unsupported cert type, ignore */
+        }
 
         cert_type_len--;
         p++;
     }
 
+    // TODO: shall we abort now or send an empty certificate list later?
+
     if( ssl->handshake->cert_type == 0 )
     {
         SSL_DEBUG_MSG( 1, ( "no known cert_type provided" ) );
@@ -1600,6 +1618,8 @@ static int ssl_parse_certificate_request( ssl_context *ssl )
 #if defined(POLARSSL_SSL_PROTO_TLS1_2)
     if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
     {
+        /* Ignored, see comments about hash in write_certificate_verify */
+        // TODO: should check the signature part against our pk_key though
         size_t sig_alg_len = ( ( buf[5 + n] <<  8 )
                              | ( buf[6 + n]       ) );
 
@@ -1615,6 +1635,8 @@ static int ssl_parse_certificate_request( ssl_context *ssl )
     }
 #endif /* POLARSSL_SSL_PROTO_TLS1_2 */
 
+    /* Ignore certificate_authorities, we only have one cert anyway */
+    // TODO: should not send cert if no CA matches
     dn_len = ( ( buf[5 + m + n] <<  8 )
              | ( buf[6 + m + n]       ) );
 
@@ -1930,7 +1952,8 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 
 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
-    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 static int ssl_write_certificate_verify( ssl_context *ssl )
 {
     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -1946,6 +1969,7 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
         return( 0 );
     }
 
+    SSL_DEBUG_MSG( 1, ( "should not happen" ) );
     return( ret );
 }
 #else
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8931382d4..8d1b723ba 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1642,7 +1642,8 @@ static int ssl_write_server_hello( ssl_context *ssl )
 
 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
-    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 static int ssl_write_certificate_request( ssl_context *ssl )
 {
     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -1658,6 +1659,7 @@ static int ssl_write_certificate_request( ssl_context *ssl )
         return( 0 );
     }
 
+    SSL_DEBUG_MSG( 1, ( "should not happen" ) );
     return( ret );
 }
 #else
@@ -2510,7 +2512,8 @@ static int ssl_parse_client_key_exchange( ssl_context *ssl )
 
 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
-    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 static int ssl_parse_certificate_verify( ssl_context *ssl )
 {
     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -2526,6 +2529,7 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
         return( 0 );
     }
 
+    SSL_DEBUG_MSG( 1, ( "should not happen" ) );
     return( ret );
 }
 #else
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c19536bd6..774cb4721 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2231,7 +2231,8 @@ int ssl_send_alert_message( ssl_context *ssl,
  */
 #if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED)       && \
     !defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED)   && \
-    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+    !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 int ssl_write_certificate( ssl_context *ssl )
 {
     int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -2247,6 +2248,7 @@ int ssl_write_certificate( ssl_context *ssl )
         return( 0 );
     }
 
+    SSL_DEBUG_MSG( 1, ( "should not happen" ) );
     return( ret );
 }
 
@@ -2265,6 +2267,7 @@ int ssl_parse_certificate( ssl_context *ssl )
         return( 0 );
     }
 
+    SSL_DEBUG_MSG( 1, ( "should not happen" ) );
     return( ret );
 }
 #else