commit 23bdca0d63522d983d7e1169d5fe407ceb611455
author Janos Follath <janos.follath@arm.com> Fri Oct 07 14:47:14 2016 +0100
committer Janos Follath <janos.follath@arm.com> Fri Oct 07 16:12:50 2016 +0100
tree cba2da4de978ac895c185175d630b9f546017ae9
parent 9fe6f9256152a24d9f6e3705b2269662391c6b3d

Fix an x509 compatibility issue

Certificates with unsupported algorithms in the certificate chain
prevented verification even if a certificate before the unsupported
ones was already trusted.

We change the behaviour to ignoring every certificate with unknown
(unsupported) signature algorithm oid when parsing the certificate
chain received from the peer.

library/ssl_tls.c

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 505bb6c..df7b734 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -49,8 +49,7 @@
 
 #include <string.h>
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
-    defined(MBEDTLS_X509_CHECK_EXTENDED_KEY_USAGE)
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
 #include "mbedtls/oid.h"
 #endif
 
@@ -4347,7 +4346,7 @@
 
         ret = mbedtls_x509_crt_parse_der( ssl->session_negotiate->peer_cert,
                                   ssl->in_msg + i, n );
-        if( ret != 0 )
+        if( 0 != ret && ( MBEDTLS_ERR_X509_UNKNOWN_SIG_ALG + MBEDTLS_ERR_OID_NOT_FOUND ) != ret )
         {
             MBEDTLS_SSL_DEBUG_RET( 1, " mbedtls_x509_crt_parse_der", ret );
             return( ret );