From 2224ccf390c39e34d16bb2631226cf09a7d4632a Mon Sep 17 00:00:00 2001
From: Hanno Becker <hanno.becker@arm.com>
Date: Fri, 28 Jun 2019 10:52:45 +0100
Subject: [PATCH] Don't use assertion for failures of
 mbedtls_x509_crt_x_acquire()

These functions may afil in a regular run, e.g. due to an out of memory
error.
---
 library/ssl_cli.c | 15 ++++++---------
 library/ssl_srv.c | 14 +++++++++++---
 library/ssl_tls.c |  3 +++
 3 files changed, 20 insertions(+), 12 deletions(-)

diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index c3c28c703..0a1fce8ff 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2328,9 +2328,8 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
                                            &peer_pk );
         if( ret != 0 )
         {
-            /* Should never happen */
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
+            return( ret );
         }
     }
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
@@ -2472,9 +2471,8 @@ static int ssl_get_ecdh_params_from_cert( mbedtls_ssl_context *ssl )
                                        &peer_pk );
     if( ret != 0 )
     {
-        /* Should never happen */
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
+        return( ret );
     }
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
@@ -2822,9 +2820,8 @@ start_processing:
                                            &peer_pk );
         if( ret != 0 )
         {
-            /* Should never happen */
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
+            return( ret );
         }
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
 
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 1e3c6fa5c..9e15f756a 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -815,7 +815,10 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
             int ret;
             ret = mbedtls_x509_crt_pk_acquire( cur->cert, &pk );
             if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
                 return( ret );
+            }
         }
 #else
         /* Outside of ASYNC_PRIVATE, use private key context directly
@@ -877,7 +880,10 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
                 mbedtls_x509_crt_frame const *frame;
                 ret = mbedtls_x509_crt_frame_acquire( cur->cert, &frame );
                 if( ret != 0 )
+                {
+                    MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_frame_acquire", ret );
                     return( ret );
+                }
                 sig_md = frame->sig_md;
                 mbedtls_x509_crt_frame_release( cur->cert );
             }
@@ -2999,7 +3005,10 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
             mbedtls_x509_crt_frame const *frame;
             ret = mbedtls_x509_crt_frame_acquire( crt, &frame );
             if( ret != 0 )
+            {
+                MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_frame_acquire", ret );
                 return( ret );
+            }
 
             dn_size = frame->subject_raw.len;
 
@@ -4247,9 +4256,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
                                            &peer_pk );
         if( ret != 0 )
         {
-            /* Should never happen */
-            MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-            return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
+            return( ret );
         }
     }
 #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 560ef4c07..f1075cbf1 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -6507,7 +6507,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
         mbedtls_pk_context *pk;
         ret = mbedtls_x509_crt_pk_acquire( chain, &pk );
         if( ret != 0 )
+        {
+            MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_x509_crt_pk_acquire", ret );
             return( ret );
+        }
 
         /* If certificate uses an EC key, make sure the curve is OK */
         if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) )