From ff56da3a26cd7f5bfac1610413f0982a6233ba12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 11 Jul 2013 10:46:21 +0200
Subject: [PATCH] Fix direct uses of x509_cert.rsa, now use pk_rsa()
---
 library/ssl_cli.c | 29 ++++++++++++++++++-----------
 library/ssl_srv.c | 11 ++++++++---
 library/x509parse.c | 22 ++++++++++++++++++----
 3 files changed, 44 insertions(+), 18 deletions(-)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 66ebcefcb..aeba799cb 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1072,8 +1072,12 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
 }
+ /* EC NOT IMPLEMENTED YET */
+ if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+
 if( (unsigned int)( end - p ) !=
- ssl->session_negotiate->peer_cert->rsa.len )
+ pk_rsa( ssl->session_negotiate->peer_cert->pk )->len )
 {
 SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
 return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
@@ -1139,9 +1143,9 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
 SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
- if( ( ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa,
- RSA_PUBLIC,
- md_alg, hashlen, hash, p ) ) != 0 )
+ if( ( ret = rsa_pkcs1_verify(
+ pk_rsa( ssl->session_negotiate->peer_cert->pk ),
+ RSA_PUBLIC, md_alg, hashlen, hash, p ) ) != 0 )
 {
 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
 return( ret );
@@ -1516,8 +1520,12 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 if( ret != 0 )
 return( ret );
+ /* EC NOT IMPLEMENTED YET */
+ if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+
 i = 4;
- n = ssl->session_negotiate->peer_cert->rsa.len;
+ n = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len;
 if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
 {
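Review bot: The new `pk.type != POLARSSL_PK_RSA` return in ssl_parse_server_key_exchange (hunk at -1072) fails the handshake without logging anything, while the length check directly below it calls SSL_DEBUG_MSG before returning. A handshake that fails against a peer with a non-RSA certificate then leaves no trace of the cause at any debug level. I would brace the branch and add `SSL_DEBUG_MSG( 1, ( "peer certificate key is not RSA" ) );` before the return. The same silent return is added in ssl_write_client_key_exchange (hunk at -1516) and in ssl_parse_certificate_verify in ssl_srv.c (hunk at -1968). The function body starts and ends outside the hunk.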
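Review bot: The `pk_rsa( ... )` argument passed to rsa_pkcs1_verify in the hunk at -1139 has no key-type check of its own; it is only valid if the guard added in the hunk at -1072 runs on every path that reaches this call, and that cannot be confirmed from the lines shown. If pk_rsa() is a plain accessor (its definition is not on this page), a path that skips the guard would hand a non-RSA key context to the RSA verifier. A one-line comment above the call, such as `/* key type verified as POLARSSL_PK_RSA earlier in this function */`, would record the dependency for whoever adds EC support.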
@@ -1526,12 +1534,11 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
 ssl->out_msg[5] = (unsigned char)( n );
 }
- ret = rsa_pkcs1_encrypt( &ssl->session_negotiate->peer_cert->rsa,
- ssl->f_rng, ssl->p_rng,
- RSA_PUBLIC,
- ssl->handshake->pmslen,
- ssl->handshake->premaster,
- ssl->out_msg + i );
+ ret = rsa_pkcs1_encrypt(
+ pk_rsa( ssl->session_negotiate->peer_cert->pk ),
+ ssl->f_rng, ssl->p_rng, RSA_PUBLIC,
+ ssl->handshake->pmslen, ssl->handshake->premaster,
+ ssl->out_msg + i );
 if( ret != 0 )
 {
 SSL_DEBUG_RET( 1, "rsa_pkcs1_encrypt", ret );
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index c6a827320..2aef9c415 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1968,7 +1968,11 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 md_alg = POLARSSL_MD_NONE;
 }
- n1 = ssl->session_negotiate->peer_cert->rsa.len;
+ /* EC NOT IMPLEMENTED YET */
+ if( ssl->session_negotiate->peer_cert->pk.type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
+
+ n1 = pk_rsa( ssl->session_negotiate->peer_cert->pk )->len;
 n2 = ( ssl->in_msg[4 + n] << 8 ) | ssl->in_msg[5 + n];
 if( n + n1 + 6 != ssl->in_hslen || n1 != n2 )
@@ -1977,8 +1981,9 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
 return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
 }
- ret = rsa_pkcs1_verify( &ssl->session_negotiate->peer_cert->rsa, RSA_PUBLIC,
- md_alg, hashlen, hash, ssl->in_msg + 6 + n );
+ ret = rsa_pkcs1_verify( pk_rsa( ssl->session_negotiate->peer_cert->pk ),
+ RSA_PUBLIC, md_alg, hashlen, hash,
+ ssl->in_msg + 6 + n );
 if( ret != 0 )
 {
 SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
diff --git a/library/x509parse.c b/library/x509parse.c
index ab33c318b..6c848b7ab 100644
--- a/library/x509parse.c
+++ b/library/x509parse.c
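Review bot: rsa_pkcs1_encrypt in the ssl_cli.c hunk at -1526 writes its output to `ssl->out_msg + i`, and the output length `n` is the modulus length of the peer certificate's key (assigned in the preceding hunk); nothing in the visible lines compares `i + n` with the room left in out_msg. The bound may be enforced elsewhere, for example by a cap on key size when the certificate is parsed, but the hunk does not show it. If it is not, a check before the call such as `if( n > SSL_MAX_CONTENT_LEN - i ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );` (assuming out_msg holds at least SSL_MAX_CONTENT_LEN bytes) would keep a peer-supplied length from deciding how far the write extends. ssl_write_client_key_exchange continues outside the hunk.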
@@ -3625,7 +3625,11 @@ static int x509parse_verifycrl(x509_cert *crt, x509_cert *ca,
 md( md_info, crl_list->tbs.p, crl_list->tbs.len, hash );
- if( !rsa_pkcs1_verify( &ca->rsa, RSA_PUBLIC, crl_list->sig_md,
+ /* EC NOT IMPLEMENTED YET */
+ if( ca->pk.type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+
+ if( !rsa_pkcs1_verify( pk_rsa( ca->pk ), RSA_PUBLIC, crl_list->sig_md,
 0, hash, crl_list->sig.p ) == 0 )
 {
 /*
@@ -3743,7 +3747,11 @@ static int x509parse_verify_top(
 md( md_info, child->tbs.p, child->tbs.len, hash );
- if( rsa_pkcs1_verify( &trust_ca->rsa, RSA_PUBLIC, child->sig_md,
+ /* EC NOT IMPLEMENTED YET */
+ if( trust_ca->pk.type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+
+ if( rsa_pkcs1_verify( pk_rsa( trust_ca->pk ), RSA_PUBLIC, child->sig_md,
 0, hash, child->sig.p ) != 0 )
 {
 trust_ca = trust_ca->next;
@@ -3819,9 +3827,15 @@ static int x509parse_verify_child(
 {
 md( md_info, child->tbs.p, child->tbs.len, hash );
- if( rsa_pkcs1_verify( &parent->rsa, RSA_PUBLIC, child->sig_md, 0, hash,
- child->sig.p ) != 0 )
+ /* EC NOT IMPLEMENTED YET */
+ if( parent->pk.type != POLARSSL_PK_RSA )
+ return( POLARSSL_ERR_X509_FEATURE_UNAVAILABLE );
+
+ if( rsa_pkcs1_verify( pk_rsa( parent->pk ), RSA_PUBLIC, child->sig_md,
+ 0, hash, child->sig.p ) != 0 )
+ {
 *flags |= BADCERT_NOT_TRUSTED;
+ }
 }
 /* Check trusted CA's CRL for the given crt */
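Review bot: The guard added in x509parse_verifycrl (hunk at -3625) returns POLARSSL_ERR_X509_FEATURE_UNAVAILABLE, an error code, from a function whose return convention is not visible here; if it normally reports its result as a verification-flag mask, in the way the verify functions later in this file use `*flags |= BADCERT_NOT_TRUSTED`, a caller that ORs the result into its flags would set unrelated bits instead of recording an unverifiable CRL. In that case the branch should mark the CRL as not trusted through the same flag path the failed-signature branch uses, rather than return an error value. Separately, the rewritten condition keeps the `!rsa_pkcs1_verify( ... ) == 0` form, which parses as `(!x) == 0`; `rsa_pkcs1_verify( ... ) != 0` says the same thing without the double negation. The function body starts and ends outside the hunk.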
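Review bot: In x509parse_verify_top (hunk at -3743) a non-RSA entry in the trust list now ends verification with POLARSSL_ERR_X509_FEATURE_UNAVAILABLE, whereas a failed signature on the very next lines just advances with `trust_ca = trust_ca->next;`. If this code runs inside the loop over candidate CAs (the loop header is outside the hunk), a single EC certificate in the trust store that reaches this point makes chains fail that a later RSA CA would have validated. Skipping the candidate keeps the result fail-closed without that side effect: `if( trust_ca->pk.type != POLARSSL_PK_RSA ) { trust_ca = trust_ca->next; continue; }`.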
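Review bot: The early return added in x509parse_verify_child (hunk at -3819) leaves `*flags` untouched, while the failed-signature branch right after it records `BADCERT_NOT_TRUSTED`. A caller that inspects only the flags, or that treats this error code as non-fatal, would see no trust failure for a child whose parent signature was never checked. Setting the flag before returning, `*flags |= BADCERT_NOT_TRUSTED;`, keeps the outcome fail-closed on both the return value and the flags. The function body starts and ends outside the hunk.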