mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-25 21:25:46 +01:00
Improved fi protection to ssl_parse_certificate
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
This commit is contained in:
parent
5ef12c0cbc
commit
8fde918b4e
@ -8099,8 +8099,10 @@ static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
int ret = 0;
|
volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
|
||||||
int crt_expected;
|
volatile int ret_verify = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
|
||||||
|
volatile int check_cert_initiated = 0;
|
||||||
|
volatile int crt_expected = SSL_CERTIFICATE_EXPECTED;
|
||||||
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||||
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
|
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
|
||||||
? ssl->handshake->sni_authmode
|
? ssl->handshake->sni_authmode
|
||||||
@ -8113,12 +8115,18 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||||
|
|
||||||
|
crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
|
||||||
|
if( crt_expected == SSL_CERTIFICATE_SKIP )
|
||||||
|
{
|
||||||
|
mbedtls_platform_random_delay();
|
||||||
crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
|
crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
|
||||||
if( crt_expected == SSL_CERTIFICATE_SKIP )
|
if( crt_expected == SSL_CERTIFICATE_SKIP )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
||||||
|
ret = 0;
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
if( ssl->handshake->ecrs_enabled &&
|
if( ssl->handshake->ecrs_enabled &&
|
||||||
@ -8178,6 +8186,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
|
ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
|
||||||
|
|
||||||
crt_verify:
|
crt_verify:
|
||||||
|
check_cert_initiated = 1;
|
||||||
if( ssl->handshake->ecrs_enabled)
|
if( ssl->handshake->ecrs_enabled)
|
||||||
rs_ctx = &ssl->handshake->ecrs_ctx;
|
rs_ctx = &ssl->handshake->ecrs_ctx;
|
||||||
#endif
|
#endif
|
||||||
@ -8186,15 +8195,20 @@ crt_verify:
|
|||||||
if ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
|
if ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "delay server certificate verification" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "delay server certificate verification" ) );
|
||||||
|
check_cert_initiated = 0;
|
||||||
|
ret = 0;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_SSL_DELAYED_SERVER_CERT_VERIFICATION */
|
#endif /* MBEDTLS_SSL_DELAYED_SERVER_CERT_VERIFICATION */
|
||||||
{
|
{
|
||||||
ret = ssl_parse_certificate_verify( ssl, authmode,
|
ret_verify = ssl_parse_certificate_verify( ssl, authmode,
|
||||||
chain, rs_ctx );
|
chain, rs_ctx );
|
||||||
if( ret != 0 )
|
ret = ret_verify;
|
||||||
|
if( ret_verify != 0 )
|
||||||
|
{
|
||||||
goto exit;
|
goto exit;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||||
{
|
{
|
||||||
@ -8243,6 +8257,10 @@ crt_verify:
|
|||||||
|
|
||||||
exit:
|
exit:
|
||||||
|
|
||||||
|
if( check_cert_initiated && ( ret == 0 ) )
|
||||||
|
{
|
||||||
|
ret = ret_verify;
|
||||||
|
}
|
||||||
if( ret == 0 )
|
if( ret == 0 )
|
||||||
{
|
{
|
||||||
if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
|
if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
|
||||||
|
Loading…
Reference in New Issue
Block a user