lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-08 17:42:09 +03:00
Code Activity

Make mbedtls_ssl_check_cert_usage() work for 1.3

Browse Source 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard
2024-08-09 11:49:12 +02:00
parent 96a0c5c48e
commit 4938b693f3
4 changed files with 33 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
library/ssl_tls13_generic.c
View File

@@ -631,8 +631,6 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
int authmode = MBEDTLS_SSL_VERIFY_REQUIRED;
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
const char *ext_oid;
size_t ext_len;
uint32_t verify_result = 0;
/* If SNI was used, overwrite authentication mode
@@ -714,34 +712,15 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
/*
* Secondary checks: always done, but change 'ret' only if it was 0
*/
/* keyUsage */
if ((mbedtls_x509_crt_check_key_usage(
ssl->session_negotiate->peer_cert,
MBEDTLS_X509_KU_DIGITAL_SIGNATURE) != 0)) {
if (mbedtls_ssl_check_cert_usage(ssl->session_negotiate->peer_cert,
NULL,
ssl->conf->endpoint,
MBEDTLS_SSL_VERSION_TLS1_3,
&verify_result) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
if (ret == 0) {
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
verify_result |= MBEDTLS_X509_BADCERT_KEY_USAGE;
}
/* extKeyUsage */
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT) {
ext_oid = MBEDTLS_OID_SERVER_AUTH;
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
} else {
ext_oid = MBEDTLS_OID_CLIENT_AUTH;
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_CLIENT_AUTH);
}
if ((mbedtls_x509_crt_check_extended_key_usage(
ssl->session_negotiate->peer_cert,
ext_oid, ext_len) != 0)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
if (ret == 0) {
ret = MBEDTLS_ERR_SSL_BAD_CERTIFICATE;
}
verify_result |= MBEDTLS_X509_BADCERT_EXT_KEY_USAGE;
}
/* mbedtls_x509_crt_verify_with_profile is supposed to report a