commit 655a96453968e11a6fabac882ae99bc82f81acdc
author Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Jun 23 10:48:44 2015 +0200
committer Manuel Pégourié-Gonnard <mpg@elzevir.fr> Tue Jun 23 13:09:10 2015 +0200
tree a7c564947b9394bf32dcc3bbb7cd8d566d6a93d0
parent 9a702255f4f5cbbd742afc956813d96cb45ea750

Adapt check_key_usage to new weird bits

library/x509_crt.c

diff --git a/library/x509_crt.c b/library/x509_crt.c
index 2285e1d..051b61a 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -1519,10 +1519,24 @@
 }
 
 #if defined(MBEDTLS_X509_CHECK_KEY_USAGE)
-int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt, unsigned int usage )
+int mbedtls_x509_crt_check_key_usage( const mbedtls_x509_crt *crt,
+                                      unsigned int usage )
 {
-    if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) != 0 &&
-        ( crt->key_usage & usage ) != usage )
+    unsigned int usage_must, usage_may;
+    unsigned int may_mask = MBEDTLS_X509_KU_ENCIPHER_ONLY
+                          | MBEDTLS_X509_KU_DECIPHER_ONLY;
+
+    if( ( crt->ext_types & MBEDTLS_X509_EXT_KEY_USAGE ) == 0 )
+        return( 0 );
+
+    usage_must = usage & ~may_mask;
+
+    if( ( ( crt->key_usage & ~may_mask ) & usage_must ) != usage_must )
+        return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
+
+    usage_may = usage & may_mask;
+
+    if( ( ( crt->key_usage & may_mask ) | usage_may ) != usage_may )
         return( MBEDTLS_ERR_X509_BAD_INPUT_DATA );
 
     return( 0 );