From 015aa44b93ae04ac50ccd763a5d152e2c44b0ab0 Mon Sep 17 00:00:00 2001
From: Jarno Lamsa <jarno.lamsa@arm.com>
Date: Fri, 20 Dec 2019 12:09:37 +0200
Subject: [PATCH] Make authmode volatile

This is to enforce reading it from memory for the double
check to prevent compiler from optimising it away.
---
 library/ssl_tls.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 46b6679a5..611f26fc8 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -7931,11 +7931,11 @@ int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
     volatile int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
 
 #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-    const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
+    volatile const int authmode = ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET
                        ? ssl->handshake->sni_authmode
                        : mbedtls_ssl_conf_get_authmode( ssl->conf );
 #else
-    const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
+    volatile const int authmode = mbedtls_ssl_conf_get_authmode( ssl->conf );
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
     volatile int crt_expected = SSL_CERTIFICATE_EXPECTED;
@@ -7989,6 +7989,7 @@ int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
         1 )
 #endif
     {
+        mbedtls_platform_enforce_volatile_reads();
         if( authmode == MBEDTLS_SSL_VERIFY_NONE ||
             authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ||
 #if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)