Fix a few things that broke with RSA compiled out
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 284c0a8..bfdd7e4 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1581,16 +1581,34 @@
p = buf + 5;
while( cert_type_len > 0 )
{
- if( *p == SSL_CERT_TYPE_RSA_SIGN )
+#if defined(POLARSSL_RSA_C)
+ if( *p == SSL_CERT_TYPE_RSA_SIGN &&
+ pk_can_do( ssl->pk_key, POLARSSL_PK_RSA ) )
{
ssl->handshake->cert_type = SSL_CERT_TYPE_RSA_SIGN;
break;
}
+ else
+#endif
+#if defined(POLARSSL_ECDSA_C)
+ if( *p == SSL_CERT_TYPE_ECDSA_SIGN &&
+ pk_can_do( ssl->pk_key, POLARSSL_PK_ECDSA ) )
+ {
+ ssl->handshake->cert_type = SSL_CERT_TYPE_ECDSA_SIGN;
+ break;
+ }
+ else
+#endif
+ {
+ ; /* Unsupported cert type, ignore */
+ }
cert_type_len--;
p++;
}
+ // TODO: shall we abort now or send an empty certificate list later?
+
if( ssl->handshake->cert_type == 0 )
{
SSL_DEBUG_MSG( 1, ( "no known cert_type provided" ) );
@@ -1600,6 +1618,8 @@
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
+ /* Ignored, see comments about hash in write_certificate_verify */
+ // TODO: should check the signature part against our pk_key though
size_t sig_alg_len = ( ( buf[5 + n] << 8 )
| ( buf[6 + n] ) );
@@ -1615,6 +1635,8 @@
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
+ /* Ignore certificate_authorities, we only have one cert anyway */
+ // TODO: should not send cert if no CA matches
dn_len = ( ( buf[5 + m + n] << 8 )
| ( buf[6 + m + n] ) );
@@ -1930,7 +1952,8 @@
#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
!defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
- !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_write_certificate_verify( ssl_context *ssl )
{
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -1946,6 +1969,7 @@
return( 0 );
}
+ SSL_DEBUG_MSG( 1, ( "should not happen" ) );
return( ret );
}
#else
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 8931382..8d1b723 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -1642,7 +1642,8 @@
#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
!defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
- !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_write_certificate_request( ssl_context *ssl )
{
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -1658,6 +1659,7 @@
return( 0 );
}
+ SSL_DEBUG_MSG( 1, ( "should not happen" ) );
return( ret );
}
#else
@@ -2510,7 +2512,8 @@
#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
!defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
- !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
static int ssl_parse_certificate_verify( ssl_context *ssl )
{
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -2526,6 +2529,7 @@
return( 0 );
}
+ SSL_DEBUG_MSG( 1, ( "should not happen" ) );
return( ret );
}
#else
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index c19536b..774cb47 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2231,7 +2231,8 @@
*/
#if !defined(POLARSSL_KEY_EXCHANGE_RSA_ENABLED) && \
!defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) && \
- !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) && \
+ !defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
int ssl_write_certificate( ssl_context *ssl )
{
int ret = POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE;
@@ -2247,6 +2248,7 @@
return( 0 );
}
+ SSL_DEBUG_MSG( 1, ( "should not happen" ) );
return( ret );
}
@@ -2265,6 +2267,7 @@
return( 0 );
}
+ SSL_DEBUG_MSG( 1, ( "should not happen" ) );
return( ret );
}
#else
