diff --git a/library/x509parse.c b/library/x509parse.c index a44cf11c0..b68640368 100644 --- a/library/x509parse.c +++ b/library/x509parse.c @@ -3305,7 +3305,6 @@ int x509parse_revoked( const x509_cert *crt, const x509_crl *crl ) static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, x509_crl *crl_list) { - int ret; int flags = 0; unsigned char hash[POLARSSL_MD_MAX_SIZE]; const md_info_t *md_info; @@ -3346,14 +3345,12 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash ); #if defined(POLARSSL_RSA_C) - if( ca->pk.type == POLARSSL_PK_RSA ) + if( crl_list->sig_pk == POLARSSL_PK_RSA ) { - if( !rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, - crl_list->sig_md, 0, hash, crl_list->sig.p ) == 0 ) + if( ca->pk.type != POLARSSL_PK_RSA || + rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, + crl_list->sig_md, 0, hash, crl_list->sig.p ) != 0 ) { - /* - * CRL is not trusted - */ flags |= BADCRL_NOT_TRUSTED; break; } @@ -3361,17 +3358,14 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca, else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( pk_can_ecdsa( ca->pk ) ) { - if( ( ret = pk_ec_to_ecdsa( &ca->pk ) ) != 0 ) - return( ret ); - - if( ecdsa_read_signature( (ecdsa_context *) ca->pk.data, + if( crl_list->sig_pk == POLARSSL_PK_ECDSA ) + { + if( ! pk_can_ecdsa( ca->pk ) || + pk_ec_to_ecdsa( &ca->pk ) != 0 || + ecdsa_read_signature( (ecdsa_context *) ca->pk.data, hash, md_info->size, crl_list->sig.p, crl_list->sig.len ) != 0 ) { - /* - * CRL is not trusted - */ flags |= BADCRL_NOT_TRUSTED; break; } @@ -3490,9 +3484,10 @@ static int x509parse_verify_top( md( md_info, child->tbs.p, child->tbs.len, hash ); #if defined(POLARSSL_RSA_C) - if( trust_ca->pk.type == POLARSSL_PK_RSA ) + if( child->sig_pk == POLARSSL_PK_RSA ) { - if( rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, + if( trust_ca->pk.type != POLARSSL_PK_RSA || + rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, child->sig_md, 0, hash, child->sig.p ) != 0 ) { trust_ca = trust_ca->next; @@ -3502,11 +3497,11 @@ static int x509parse_verify_top( else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( pk_can_ecdsa( trust_ca->pk ) ) { - if( ( ret = pk_ec_to_ecdsa( &trust_ca->pk ) ) != 0 ) - return( ret ); - - if( ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data, + if( child->sig_pk == POLARSSL_PK_ECDSA ) + { + if( ! pk_can_ecdsa( trust_ca->pk ) || + pk_ec_to_ecdsa( &trust_ca->pk ) != 0 || + ecdsa_read_signature( (ecdsa_context *) trust_ca->pk.data, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) { @@ -3588,9 +3583,10 @@ static int x509parse_verify_child( md( md_info, child->tbs.p, child->tbs.len, hash ); #if defined(POLARSSL_RSA_C) - if( parent->pk.type == POLARSSL_PK_RSA ) + if( child->sig_pk == POLARSSL_PK_RSA ) { - if( rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, + if( parent->pk.type != POLARSSL_PK_RSA || + rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, child->sig_md, 0, hash, child->sig.p ) != 0 ) { *flags |= BADCERT_NOT_TRUSTED; @@ -3599,11 +3595,11 @@ static int x509parse_verify_child( else #endif /* POLARSSL_RSA_C */ #if defined(POLARSSL_ECDSA_C) - if( pk_can_ecdsa( parent->pk ) ) { - if( ( ret = pk_ec_to_ecdsa( &parent->pk ) ) != 0 ) - return( ret ); - - if( ecdsa_read_signature( (ecdsa_context *) parent->pk.data, + if( child->sig_pk == POLARSSL_PK_ECDSA ) + { + if( ! pk_can_ecdsa( parent->pk ) || + pk_ec_to_ecdsa( &parent->pk ) != 0 || + ecdsa_read_signature( (ecdsa_context *) parent->pk.data, hash, md_info->size, child->sig.p, child->sig.len ) != 0 ) {