mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 17:55:42 +01:00
manually merge 9f98251
make extKeyUsage accessible
This commit is contained in:
parent
89addc43db
commit
e6efa6f54e
@ -70,6 +70,9 @@ Changes
|
||||
= mbed TLS 1.3 branch
|
||||
|
||||
Security
|
||||
* With authmode set to MBEDTLS_SSL_VERIFY_OPTIONAL, verification of keyUsage and
|
||||
extendedKeyUsage on the leaf certificate was lost (results not accessible
|
||||
via ssl_get_verify_results()).
|
||||
|
||||
Features
|
||||
* Add mbedtls_x509_crt_verify_info() to display certificate verification results.
|
||||
|
@ -2281,7 +2281,8 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
|
||||
*/
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint );
|
||||
int cert_endpoint,
|
||||
int *flags );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
void mbedtls_ssl_write_version( int major, int minor, int transport,
|
||||
|
@ -868,6 +868,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
{
|
||||
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
|
||||
mbedtls_pk_type_t pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||
int flags;
|
||||
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if( ssl->handshake->sni_key_cert != NULL )
|
||||
@ -901,7 +902,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
* and decrypting with the same RSA key.
|
||||
*/
|
||||
if( mbedtls_ssl_check_cert_usage( cur->cert, ciphersuite_info,
|
||||
MBEDTLS_SSL_IS_SERVER ) != 0 )
|
||||
MBEDTLS_SSL_IS_SERVER, &flags ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
|
||||
"(extended) key usage extension" ) );
|
||||
|
@ -4059,7 +4059,8 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||
|
||||
if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
|
||||
ciphersuite_info,
|
||||
! ssl->endpoint ) != 0 )
|
||||
! ssl->endpoint,
|
||||
&ssl->session_negotiate->verify_result ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
|
||||
if( ret == 0 )
|
||||
@ -6789,8 +6790,10 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
int cert_endpoint )
|
||||
int cert_endpoint,
|
||||
int *flags )
|
||||
{
|
||||
int ret = 0;
|
||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||
int usage = 0;
|
||||
#endif
|
||||
@ -6803,6 +6806,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
!defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
|
||||
((void) cert);
|
||||
((void) cert_endpoint);
|
||||
((void) flags);
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
|
||||
@ -6842,7 +6846,10 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
}
|
||||
|
||||
if( mbedtls_x509_crt_check_key_usage( cert, usage ) != 0 )
|
||||
return( -1 );
|
||||
{
|
||||
*flags |= MBEDTLS_BADCERT_KEY_USAGE;
|
||||
ret = -1;
|
||||
}
|
||||
#else
|
||||
((void) ciphersuite);
|
||||
#endif /* MBEDTLS_X509_CHECK_KEY_USAGE */
|
||||
@ -6860,10 +6867,13 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
}
|
||||
|
||||
if( mbedtls_x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
|
||||
return( -1 );
|
||||
{
|
||||
*flags |= MBEDTLS_BADCERT_EXT_KEY_USAGE;
|
||||
ret = -1;
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE */
|
||||
|
||||
return( 0 );
|
||||
return( ret );
|
||||
}
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
||||
|
@ -2094,6 +2094,17 @@ run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail" \
|
||||
-c "Processing of the Certificate handshake message failed" \
|
||||
-C "Ciphersuite is TLS-"
|
||||
|
||||
run_test "keyUsage cli: KeyEncipherment, DHE-RSA: fail, soft" \
|
||||
"$O_SRV -key data_files/server2.key \
|
||||
-cert data_files/server2.ku-ke.crt" \
|
||||
"$P_CLI debug_level=1 auth_mode=optional \
|
||||
force_ciphersuite=TLS-DHE-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-c "bad certificate (usage extensions)" \
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-" \
|
||||
-c "! Usage does not match the keyUsage extension"
|
||||
|
||||
run_test "keyUsage cli: DigitalSignature, DHE-RSA: OK" \
|
||||
"$O_SRV -key data_files/server2.key \
|
||||
-cert data_files/server2.ku-ds.crt" \
|
||||
@ -2114,6 +2125,17 @@ run_test "keyUsage cli: DigitalSignature, RSA: fail" \
|
||||
-c "Processing of the Certificate handshake message failed" \
|
||||
-C "Ciphersuite is TLS-"
|
||||
|
||||
run_test "keyUsage cli: DigitalSignature, RSA: fail, soft" \
|
||||
"$O_SRV -key data_files/server2.key \
|
||||
-cert data_files/server2.ku-ds.crt" \
|
||||
"$P_CLI debug_level=1 auth_mode=optional \
|
||||
force_ciphersuite=TLS-RSA-WITH-AES-128-CBC-SHA" \
|
||||
0 \
|
||||
-c "bad certificate (usage extensions)" \
|
||||
-C "Processing of the Certificate handshake message failed" \
|
||||
-c "Ciphersuite is TLS-" \
|
||||
-c "! Usage does not match the keyUsage extension"
|
||||
|
||||
# Tests for keyUsage in leaf certificates, part 3:
|
||||
# server-side checking of client cert
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user