Check keyUsage in SSL client and server
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 08f6eea..8bdf237 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -797,6 +797,20 @@
         if( ! pk_can_do( cur->key, pk_alg ) )
             continue;
 
+        /*
+         * This avoids sending the client a cert it'll reject based on
+         * keyUsage or other extensions.
+         *
+         * It also allows the user to provision different certificates for
+         * different uses based on keyUsage, eg if they want to avoid signing
+         * and decrypting with the same RSA key.
+         */
+        if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
+                                  SSL_IS_SERVER ) != 0 )
+        {
+            continue;
+        }
+
 #if defined(POLARSSL_ECDSA_C)
         if( pk_alg == POLARSSL_PK_ECDSA )
         {
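Review bot: The new `continue` after `ssl_check_cert_usage()` at the end of the added block drops a certificate without leaving any trace. If every provisioned certificate is filtered out this way, the handshake will presumably fail for lack of a usable certificate, and the operator gets no hint that keyUsage was the cause. A debug line before the `continue`, for example `SSL_DEBUG_MSG( 2, ( "certificate mismatch: key usage extension" ) );`, would make this diagnosable; that assumes `ssl` is in scope, since the enclosing function starts and ends outside the hunk. The comment's "or other extensions" is also vague, and naming the extensions the helper actually inspects would tell a reader whether extendedKeyUsage is covered or still unchecked.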