Adapt client-side signature verification to use raw public key
We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (situation until now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
This commit is contained in:
parent
be7f50866d
commit
a6899bb89d
@ -2650,6 +2650,8 @@ start_processing:
|
|||||||
size_t params_len = p - params;
|
size_t params_len = p - params;
|
||||||
void *rs_ctx = NULL;
|
void *rs_ctx = NULL;
|
||||||
|
|
||||||
|
mbedtls_pk_context * peer_pk;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Handle the digitally-signed structure
|
* Handle the digitally-signed structure
|
||||||
*/
|
*/
|
||||||
@ -2752,16 +2754,21 @@ start_processing:
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
|
MBEDTLS_SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
|
peer_pk = &ssl->handshake->peer_pubkey;
|
||||||
|
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
if( ssl->session_negotiate->peer_cert == NULL )
|
if( ssl->session_negotiate->peer_cert == NULL )
|
||||||
{
|
{
|
||||||
/* Should never happen */
|
/* Should never happen */
|
||||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||||
}
|
}
|
||||||
|
peer_pk = &ssl->session_negotiate->peer_cert->pk;
|
||||||
|
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Verify signature
|
* Verify signature
|
||||||
*/
|
*/
|
||||||
if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
|
if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
@ -2774,8 +2781,7 @@ start_processing:
|
|||||||
rs_ctx = &ssl->handshake->ecrs_ctx.pk;
|
rs_ctx = &ssl->handshake->ecrs_ctx.pk;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( ( ret = mbedtls_pk_verify_restartable(
|
if( ( ret = mbedtls_pk_verify_restartable( peer_pk,
|
||||||
&ssl->session_negotiate->peer_cert->pk,
|
|
||||||
md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
|
md_alg, hash, hashlen, p, sig_len, rs_ctx ) ) != 0 )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
|
Loading…
Reference in New Issue
Block a user