From 73cd8d8adc3a436a457aed51c826e62326283da0 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 28 Feb 2019 14:04:16 +0000 Subject: [PATCH] Make use of acquire/release in ssl_parse_certificate_verify() --- library/ssl_srv.c | 38 ++++++++++++++++++++++++++++++-------- 1 file changed, 30 insertions(+), 8 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index fbe895646..f661d11e6 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -4237,7 +4237,16 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) peer_pk = &ssl->handshake->peer_pubkey; #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( ssl->session_negotiate->peer_cert != NULL ) - peer_pk = &ssl->session_negotiate->peer_cert->pk; + { + ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert, + &peer_pk ); + if( ret != 0 ) + { + /* Should never happen */ + MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + } #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ if( peer_pk == NULL ) @@ -4297,7 +4306,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) if( i + 2 > ssl->in_hslen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY; + goto exit; } /* @@ -4309,7 +4319,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" " for verify message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY; + goto exit; } #if !defined(MBEDTLS_MD_SHA1) @@ -4330,7 +4341,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" " for verify message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY; + goto exit; } /* @@ -4339,7 +4351,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY; + goto exit; } i++; @@ -4354,7 +4367,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) if( i + 2 > ssl->in_hslen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY; + goto exit; } sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; @@ -4363,7 +4377,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) if( i + sig_len != ssl->in_hslen ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); - return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); + ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY; + goto exit; } /* Calculate hash and verify signature */ @@ -4377,13 +4392,20 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) ssl->in_msg + i, sig_len ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); - return( ret ); + goto exit; } mbedtls_ssl_update_handshake_status( ssl ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); +exit: + +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert, + peer_pk ); +#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + return( ret ); } #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */