yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-26 04:35:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

Check that the peer_authenticated flag

Browse Source 
Check that the peer has been authenticated in the end
of the handshake.
This commit is contained in:
Jarno Lamsa 2019-12-19 08:58:56 +02:00
parent ba4730fe4c
commit e1621d4700
4 changed files with 55 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
include/mbedtls/ssl_internal.h
View File

@ -514,7 +514,7 @@ struct mbedtls_ssl_handshake_params
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
int resume; /*!< session resume indicator*/
volatile int resume; /*!< session resume indicator*/
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
#if defined(MBEDTLS_SSL_SRV_C) && \
@ -913,7 +913,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl );
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl );
int mbedtls_ssl_send_fatal_handshake_failure( mbedtls_ssl_context *ssl );

2
library/ssl_cli.c
View File

@ -4296,7 +4296,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
mbedtls_ssl_handshake_wrapup( ssl );
ret = mbedtls_ssl_handshake_wrapup( ssl );
break;
case MBEDTLS_SSL_INVALID:

5
library/ssl_srv.c
View File

@ -4450,6 +4450,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@ -4478,6 +4479,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@ -4506,6 +4508,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( peer_pk == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@ -4851,7 +4854,7 @@ int mbedtls_ssl_handshake_server_step( mbedtls_ssl_context *ssl )
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
mbedtls_ssl_handshake_wrapup( ssl );
ret = mbedtls_ssl_handshake_wrapup( ssl );
break;
case MBEDTLS_SSL_INVALID:

50
library/ssl_tls.c
View File

@ -7309,10 +7309,13 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
mbedtls_x509_crt *ca_chain;
mbedtls_x509_crl *ca_crl;
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_UNSET;
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
{
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
if( ssl->handshake->sni_ca_chain != NULL )
{
@ -7456,6 +7459,10 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
verify_ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;
flow_counter++;
}
else
{
flow_counter++;
}
if( verify_ret != 0 )
{
@ -7504,12 +7511,15 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
flow_counter == 4 )
#endif
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PEER AUTHENTICATED" ) );
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
}
else
{
return( MBEDTLS_ERR_PLATFORM_FAULT_DETECTED );
}
} else {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> PEER NOT AUTHENTICATED, %d", flow_counter));
}
#if defined(MBEDTLS_DEBUG_C)
@ -7602,6 +7612,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
if( crt_expected == SSL_CERTIFICATE_SKIP )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
goto exit;
}
@ -7917,8 +7928,9 @@ static void ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup: final free" ) );
}
void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
{
volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
#if defined(MBEDTLS_SSL_RENEGOTIATION)
@ -7959,6 +7971,39 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
}
#endif /* MBEDTLS_SSL_SRV_C && !MBEDTLS_SSL_NO_SESSION_CACHE */
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
if( ssl->handshake->resume )
{
mbedtls_platform_enforce_volatile_reads();
if( ssl->handshake->resume )
{
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
}
else
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
return( ret );
}
}
#endif
if( ssl->handshake->peer_authenticated == MBEDTLS_SSL_FI_FLAG_SET )
{
mbedtls_platform_enforce_volatile_reads();
if( ssl->handshake->peer_authenticated == MBEDTLS_SSL_FI_FLAG_SET )
{
ret = 0;
}
else
{
ret = MBEDTLS_ERR_PLATFORM_FAULT_DETECTED;
}
}
else
{
ret = MBEDTLS_ERR_SSL_PEER_VERIFY_FAILED;
}
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
ssl->handshake->flight != NULL )
@ -7977,6 +8022,7 @@ void mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
ssl->state = MBEDTLS_SSL_HANDSHAKE_OVER;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "<= handshake wrapup" ) );
return ret;
}
int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )