Clean up mbedtls_ssl_check_cert_usage()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 018eb93..865f984 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6361,7 +6361,7 @@
#if defined(MBEDTLS_X509_CRT_PARSE_C)
int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert,
const mbedtls_ssl_ciphersuite_t *ciphersuite,
- int cert_endpoint,
+ int recv_endpoint,
uint32_t *flags)
{
int ret = 0;
@@ -6369,7 +6369,10 @@
const char *ext_oid;
size_t ext_len;
- if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
+ /* Note: don't guard this with MBEDTLS_SSL_CLI_C because the server wants
+ * to check what a compliant client will think while choosing which cert
+ * to send to the client. */
+ if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
/* Server part of the key exchange */
switch (ciphersuite->key_exchange) {
case MBEDTLS_KEY_EXCHANGE_RSA:
@@ -6406,7 +6409,7 @@
ret = -1;
}
- if (cert_endpoint == MBEDTLS_SSL_IS_SERVER) {
+ if (recv_endpoint == MBEDTLS_SSL_IS_CLIENT) {
ext_oid = MBEDTLS_OID_SERVER_AUTH;
ext_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_SERVER_AUTH);
} else {
@@ -8061,7 +8064,7 @@
if (mbedtls_ssl_check_cert_usage(chain,
ciphersuite_info,
- !ssl->conf->endpoint,
+ ssl->conf->endpoint,
&ssl->session_negotiate->verify_result) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad certificate (usage extensions)"));
if (ret == 0) {