commit 3f81691d293f75785f78f0b4fc4683f7bdc0b0b3
author Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Oct 26 10:24:16 2017 +0200
committer Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> Thu Oct 26 10:24:16 2017 +0200
tree 2145a0b47a74631a3193e2fc4b961ace637f1c20
parent 254eec8bb4844cc9b4ac9974ad34d3c5679d9fb3

Revert to old behaviour of profile_check_key()

Was never documented to check for key alg compatibility, so should not start
doing so. Just stop relying on the pk_alg argument instead.

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index a851998..bbc0f3c 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -161,7 +161,7 @@
 
 /*
  * Check md_alg against profile
- * Return 0 if md_alg acceptable for this profile, -1 otherwise
+ * Return 0 if md_alg is acceptable for this profile, -1 otherwise
  */
 static int x509_profile_check_md_alg( const mbedtls_x509_crt_profile *profile,
                                       mbedtls_md_type_t md_alg )
@@ -174,7 +174,7 @@
 
 /*
  * Check pk_alg against profile
- * Return 0 if pk_alg acceptable for this profile, -1 otherwise
+ * Return 0 if pk_alg is acceptable for this profile, -1 otherwise
  */
 static int x509_profile_check_pk_alg( const mbedtls_x509_crt_profile *profile,
                                       mbedtls_pk_type_t pk_alg )
@@ -187,24 +187,16 @@
 
 /*
  * Check key against profile
- * Return 0 if pk_alg acceptable for this profile, -1 otherwise
+ * Return 0 if pk is acceptable for this profile, -1 otherwise
  */
 static int x509_profile_check_key( const mbedtls_x509_crt_profile *profile,
-                                   mbedtls_pk_type_t pk_alg,
                                    const mbedtls_pk_context *pk )
 {
-    const mbedtls_pk_type_t pk_type = mbedtls_pk_get_type( pk );
+    const mbedtls_pk_type_t pk_alg = mbedtls_pk_get_type( pk );
 
 #if defined(MBEDTLS_RSA_C)
     if( pk_alg == MBEDTLS_PK_RSA || pk_alg == MBEDTLS_PK_RSASSA_PSS )
     {
-        /* Avoid comparing size between RSA and ECC */
-        if( pk_type != MBEDTLS_PK_RSA &&
-            pk_type != MBEDTLS_PK_RSASSA_PSS )
-        {
-            return( -1 );
-        }
-
         if( mbedtls_pk_get_bitlen( pk ) >= profile->rsa_min_bitlen )
             return( 0 );
 
@@ -217,17 +209,7 @@
         pk_alg == MBEDTLS_PK_ECKEY ||
         pk_alg == MBEDTLS_PK_ECKEY_DH )
     {
-        mbedtls_ecp_group_id gid;
-
-        /* Avoid calling pk_ec() if this is not an EC key */
-        if( pk_type != MBEDTLS_PK_ECDSA &&
-            pk_type != MBEDTLS_PK_ECKEY &&
-            pk_type != MBEDTLS_PK_ECKEY_DH )
-        {
-            return( -1 );
-        }
-
-        gid = mbedtls_pk_ec( *pk )->grp.id;
+        const mbedtls_ecp_group_id gid = mbedtls_pk_ec( *pk )->grp.id;
 
         if( ( profile->allowed_curves & MBEDTLS_X509_ID_FLAG( gid ) ) != 0 )
             return( 0 );
@@ -1716,7 +1698,7 @@
             break;
         }
 
-        if( x509_profile_check_key( profile, crl_list->sig_pk, &ca->pk ) != 0 )
+        if( x509_profile_check_key( profile, &ca->pk ) != 0 )
             flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
         if( mbedtls_pk_verify_ext( crl_list->sig_pk, crl_list->sig_opts, &ca->pk,
@@ -2183,7 +2165,7 @@
             *flags |= MBEDTLS_X509_BADCERT_NOT_TRUSTED;
 
         /* check size of signing key */
-        if( x509_profile_check_key( profile, child->sig_pk, &parent->pk ) != 0 )
+        if( x509_profile_check_key( profile, &parent->pk ) != 0 )
             *flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
 #if defined(MBEDTLS_X509_CRL_PARSE_C)
@@ -2346,7 +2328,7 @@
     if( x509_profile_check_pk_alg( profile, pk_type ) != 0 )
         *ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK;
 
-    if( x509_profile_check_key( profile, pk_type, &crt->pk ) != 0 )
+    if( x509_profile_check_key( profile, &crt->pk ) != 0 )
         *ee_flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
 
     /* Check the chain */