Make results of (ext)KeyUsage accessible

2025-08-08 17:42:09 +03:00 · 2015-04-17 16:55:53 +02:00
parent 0c6ce2f536
commit 9f98251e72
5 changed files with 44 additions and 7 deletions
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -829,6 +829,7 @@ static int ssl_pick_cert( ssl_context *ssl,
 {
    ssl_key_cert *cur, *list, *fallback = NULL;
    pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+    int flags;

 #if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
    if( ssl->handshake->sni_key_cert != NULL )
@@ -862,7 +863,7 @@ static int ssl_pick_cert( ssl_context *ssl,
         * and decrypting with the same RSA key.
         */
        if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
-                                  SSL_IS_SERVER ) != 0 )
+                                  SSL_IS_SERVER, &flags ) != 0 )
        {
            SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
                                "(extended) key usage extension" ) );
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2859,7 +2859,8 @@ int ssl_parse_certificate( ssl_context *ssl )

        if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
                                  ciphersuite_info,
-                                  ! ssl->endpoint ) != 0 )
+                                  ! ssl->endpoint,
+                                 &ssl->session_negotiate->verify_result ) != 0 )
        {
            SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
            if( ret == 0 )
@@ -5199,8 +5200,10 @@ int ssl_curve_is_acceptable( const ssl_context *ssl, ecp_group_id grp_id )
 #if defined(POLARSSL_X509_CRT_PARSE_C)
 int ssl_check_cert_usage( const x509_crt *cert,
                          const ssl_ciphersuite_t *ciphersuite,
-                          int cert_endpoint )
+                          int cert_endpoint,
+                          int *flags )
 {
+    int ret = 0;
 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
    int usage = 0;
 #endif
@@ -5213,6 +5216,7 @@ int ssl_check_cert_usage( const x509_crt *cert,
    !defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
    ((void) cert);
    ((void) cert_endpoint);
+    ((void) flags);
 #endif

 #if defined(POLARSSL_X509_CHECK_KEY_USAGE)
@@ -5252,7 +5256,10 @@ int ssl_check_cert_usage( const x509_crt *cert,
    }

    if( x509_crt_check_key_usage( cert, usage ) != 0 )
-        return( -1 );
+    {
+        *flags |= BADCERT_KEY_USAGE;
+        ret = -1;
+    }
 #else
    ((void) ciphersuite);
 #endif /* POLARSSL_X509_CHECK_KEY_USAGE */
@@ -5270,10 +5277,13 @@ int ssl_check_cert_usage( const x509_crt *cert,
    }

    if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
-        return( -1 );
+    {
+        *flags |= BADCERT_EXT_KEY_USAGE;
+        ret = -1;
+    }
 #endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */

-    return( 0 );
+    return( ret );
 }
 #endif /* POLARSSL_X509_CRT_PARSE_C */