Make results of (ext)KeyUsage accessible
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index dad6872..5f01a01 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -829,6 +829,7 @@
{
ssl_key_cert *cur, *list, *fallback = NULL;
pk_type_t pk_alg = ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
+ int flags;
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_key_cert != NULL )
@@ -862,7 +863,7 @@
* and decrypting with the same RSA key.
*/
if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
- SSL_IS_SERVER ) != 0 )
+ SSL_IS_SERVER, &flags ) != 0 )
{
SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
"(extended) key usage extension" ) );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d2e0c52..72cd6d2 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2859,7 +2859,8 @@
if( ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
ciphersuite_info,
- ! ssl->endpoint ) != 0 )
+ ! ssl->endpoint,
+ &ssl->session_negotiate->verify_result ) != 0 )
{
SSL_DEBUG_MSG( 1, ( "bad certificate (usage extensions)" ) );
if( ret == 0 )
@@ -5199,8 +5200,10 @@
#if defined(POLARSSL_X509_CRT_PARSE_C)
int ssl_check_cert_usage( const x509_crt *cert,
const ssl_ciphersuite_t *ciphersuite,
- int cert_endpoint )
+ int cert_endpoint,
+ int *flags )
{
+ int ret = 0;
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
int usage = 0;
#endif
@@ -5213,6 +5216,7 @@
!defined(POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE)
((void) cert);
((void) cert_endpoint);
+ ((void) flags);
#endif
#if defined(POLARSSL_X509_CHECK_KEY_USAGE)
@@ -5252,7 +5256,10 @@
}
if( x509_crt_check_key_usage( cert, usage ) != 0 )
- return( -1 );
+ {
+ *flags |= BADCERT_KEY_USAGE;
+ ret = -1;
+ }
#else
((void) ciphersuite);
#endif /* POLARSSL_X509_CHECK_KEY_USAGE */
@@ -5270,10 +5277,13 @@
}
if( x509_crt_check_extended_key_usage( cert, ext_oid, ext_len ) != 0 )
- return( -1 );
+ {
+ *flags |= BADCERT_EXT_KEY_USAGE;
+ ret = -1;
+ }
#endif /* POLARSSL_X509_CHECK_EXTENDED_KEY_USAGE */
- return( 0 );
+ return( ret );
}
#endif /* POLARSSL_X509_CRT_PARSE_C */