From be7f50866d3aa8a0cc174a477af1f953de1e0a81 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Wed, 6 Feb 2019 17:44:07 +0000 Subject: [PATCH] Adapt ssl_get_ecdh_params_from_cert() to use raw public key We must dispatch between the peer's public key stored as part of the peer's CRT in the current session structure (situation until now, and future behaviour if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is enabled), and the sole public key stored in the handshake structure (new, if MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is disabled). --- library/ssl_cli.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0056896c57..a758524398 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -2406,21 +2406,26 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl ) { int ret; const mbedtls_ecp_keypair *peer_key; + mbedtls_pk_context * peer_pk; +#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + peer_pk = &ssl->handshake->peer_pubkey; +#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( ssl->session_negotiate->peer_cert == NULL ) { /* Should never happen */ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } + peer_pk = &ssl->session_negotiate->peer_cert->pk; +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - if( ! mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, - MBEDTLS_PK_ECKEY ) ) + if( ! mbedtls_pk_can_do( peer_pk, MBEDTLS_PK_ECKEY ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "server key not ECDH capable" ) ); return( MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH ); } - peer_key = mbedtls_pk_ec( ssl->session_negotiate->peer_cert->pk ); + peer_key = mbedtls_pk_ec( *peer_pk ); if( ( ret = mbedtls_ecdh_get_params( &ssl->handshake->ecdh_ctx, peer_key, MBEDTLS_ECDH_THEIRS ) ) != 0 )