Improved fi protection to ssl_parse_certificate

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Andrzej Kurek 2021-01-11 06:56:47 -05:00
parent 5ef12c0cbc
commit 8fde918b4e


@ -8099,8 +8099,10 @@ static int ssl_remember_peer_pubkey( mbedtls_ssl_context *ssl,
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
{ {
int ret = 0; volatile int ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
int crt_expected; volatile int ret_verify = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
volatile int check_cert_initiated = 0;
volatile int crt_expected = SSL_CERTIFICATE_EXPECTED;
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
? ssl->handshake->sni_authmode ? ssl->handshake->sni_authmode
@ -8113,12 +8115,18 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
if( crt_expected == SSL_CERTIFICATE_SKIP )
{
mbedtls_platform_random_delay();
crt_expected = ssl_parse_certificate_coordinate( ssl, authmode ); crt_expected = ssl_parse_certificate_coordinate( ssl, authmode );
if( crt_expected == SSL_CERTIFICATE_SKIP ) if( crt_expected == SSL_CERTIFICATE_SKIP )
{ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
ret = 0;
goto exit; goto exit;
} }
}
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE) #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
if( ssl->handshake->ecrs_enabled && if( ssl->handshake->ecrs_enabled &&
@ -8178,6 +8186,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ssl->handshake->ecrs_state = ssl_ecrs_crt_verify; ssl->handshake->ecrs_state = ssl_ecrs_crt_verify;
crt_verify: crt_verify:
check_cert_initiated = 1;
if( ssl->handshake->ecrs_enabled) if( ssl->handshake->ecrs_enabled)
rs_ctx = &ssl->handshake->ecrs_ctx; rs_ctx = &ssl->handshake->ecrs_ctx;
#endif #endif
@ -8186,15 +8195,20 @@ crt_verify:
if ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT ) if ( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, ( "delay server certificate verification" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "delay server certificate verification" ) );
check_cert_initiated = 0;
ret = 0;
} }
else else
#endif /* MBEDTLS_SSL_DELAYED_SERVER_CERT_VERIFICATION */ #endif /* MBEDTLS_SSL_DELAYED_SERVER_CERT_VERIFICATION */
{ {
ret = ssl_parse_certificate_verify( ssl, authmode, ret_verify = ssl_parse_certificate_verify( ssl, authmode,
chain, rs_ctx ); chain, rs_ctx );
if( ret != 0 ) ret = ret_verify;
if( ret_verify != 0 )
{
goto exit; goto exit;
} }
}
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
{ {
@ -8243,6 +8257,10 @@ crt_verify:
exit: exit:
if( check_cert_initiated && ( ret == 0 ) )
{
ret = ret_verify;
}
if( ret == 0 ) if( ret == 0 )
{ {
if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE ) if( ssl->state == MBEDTLS_SSL_CLIENT_CERTIFICATE )
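Review bot: In the hunk at `crt_verify:`, the new `check_cert_initiated = 1;` sits between the label and the `#endif` that follows `rs_ctx = &ssl->handshake->ecrs_ctx;`, so it appears to be inside the restartable-ECC conditional block; the opening `#if` is outside the hunk, so this is inferred. If so, builds without that option never set the flag, and the new guard at `exit:`, `if( check_cert_initiated && ( ret == 0 ) )`, never re-reads `ret_verify`. A glitched `ret` would then go unchecked in exactly the configurations that most need the protection. Consider moving the assignment out of the conditional block, into the `else` branch directly before `ret_verify = ssl_parse_certificate_verify( ssl, authmode,`, so it is set in every build that calls the verifier. The function body starts and ends outside the visible hunks.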