ssl: call signature verification twice for non-restartable operations

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2024-11-22 10:55:38 +01:00 · 2020-08-09 14:53:10 -04:00 · 2020-08-09 14:53:10 -04:00 · 6c30be8e4b
commit 6c30be8e4b
parent 2544cd3582
2 changed files with 10 additions and 2 deletions
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -3100,6 +3100,11 @@ static int ssl_in_server_key_exchange_parse( mbedtls_ssl_context *ssl,
        {
            mbedtls_platform_random_delay();

+            if( rs_ctx == NULL )
+            {
+                ret = mbedtls_pk_verify_restartable( peer_pk,
+                        md_alg, hash, hashlen, p, sig_len, rs_ctx );
+            }
            if( ret == 0 )
            {
 #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@ -4643,13 +4643,16 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
    }

    ret = mbedtls_pk_verify( peer_pk,
-                                      md_alg, hash_start, hashlen,
-                                      ssl->in_msg + i, sig_len );
+                             md_alg, hash_start, hashlen,
+                             ssl->in_msg + i, sig_len );

    if( ret == 0 )
    {
        mbedtls_platform_random_delay();

+        ret = mbedtls_pk_verify( peer_pk,
+                                 md_alg, hash_start, hashlen,
+                                 ssl->in_msg + i, sig_len );
        if( ret == 0 )
        {
            mbedtls_ssl_update_handshake_status( ssl );