authorHanno Becker <hanno.becker@arm.com>2019-02-06 16:49:54 +0000
committerHanno Becker <hanno.becker@arm.com>2019-02-26 14:38:09 +0000
commitc7d7e29b462866638132e68e160202d2ba4379c3 (patch)
tree661fc680c74a09ea269664dd74d97c98a5cadffb
parenta27475335aba72c2743448f02a93b68c0c78d807 (diff)
Adapt ssl_write_encrypted_pms() to use raw public key
We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (the behaviour so far, and the future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled).
-rw-r--r--library/ssl_cli.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index b0c8b30..0056896 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2265,6 +2265,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
int ret;
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
unsigned char *p = ssl->handshake->premaster + pms_offset;
+ mbedtls_pk_context * peer_pk;
if( offset + len_bytes > MBEDTLS_SSL_OUT_CONTENT_LEN )
{
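Review bot: The added declaration writes the declarator as `mbedtls_pk_context * peer_pk;` with a space on both sides of the asterisk, which differs from the `type *name` form used two lines above (`unsigned char *p = ...`) and elsewhere in this file; `mbedtls_pk_context *peer_pk;` would match the local style. The pointer is also left without an initializer here and is only assigned in the following hunk, under both arms of the MBEDTLS_SSL_KEEP_PEER_CERTIFICATE conditional; writing `mbedtls_pk_context *peer_pk = NULL;` would make any future path that reaches the `mbedtls_pk_can_do()` / `mbedtls_pk_encrypt()` calls without setting it fail deterministically instead of reading an indeterminate pointer. ssl_write_encrypted_pms() begins before this hunk and its body continues past it.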
@@ -2290,23 +2291,27 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
ssl->handshake->pmslen = 48;
+#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
+ peer_pk = &ssl->handshake->peer_pubkey;
+#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert == NULL )
{
/* Should never happen */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
+ peer_pk = &ssl->session_negotiate->peer_cert->pk;
+#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
/*
* Now write it out, encrypted
*/
- if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk,
- MBEDTLS_PK_RSA ) )
+ if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_RSA ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "certificate key type mismatch" ) );
return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH );
}
- if( ( ret = mbedtls_pk_encrypt( &ssl->session_negotiate->peer_cert->pk,
+ if( ( ret = mbedtls_pk_encrypt( peer_pk,
p, ssl->handshake->pmslen,
ssl->out_msg + offset + len_bytes, olen,
MBEDTLS_SSL_OUT_CONTENT_LEN - offset - len_bytes,