yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-03-24 10:35:12 +00:00
Code Issues Packages Projects Releases Wiki Activity

Make use of acquire/release in ssl_parse_certificate_verify()

Browse source
This commit is contained in:
Hanno Becker 2019-02-28 14:04:16 +00:00
parent 2fefa4845d
commit 73cd8d8adc
1 changed files with 30 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

38
library/ssl_srv.c
View file

@ -4237,7 +4237,16 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
peer_pk = &ssl->handshake->peer_pubkey; peer_pk = &ssl->handshake->peer_pubkey;
#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( ssl->session_negotiate->peer_cert != NULL ) if( ssl->session_negotiate->peer_cert != NULL )
peer_pk = &ssl->session_negotiate->peer_cert->pk; {
ret = mbedtls_x509_crt_pk_acquire( ssl->session_negotiate->peer_cert,
&peer_pk );
if( ret != 0 )
{
/* Should never happen */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
}
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
if( peer_pk == NULL ) if( peer_pk == NULL )
@ -4297,7 +4306,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( i + 2 > ssl->in_hslen ) if( i + 2 > ssl->in_hslen )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
goto exit;
} }
/* /*
@ -4309,7 +4319,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
" for verify message" ) ); " for verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
goto exit;
} }
#if !defined(MBEDTLS_MD_SHA1) #if !defined(MBEDTLS_MD_SHA1)
@ -4330,7 +4341,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg" MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer not adhering to requested sig_alg"
" for verify message" ) ); " for verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
goto exit;
} }
/* /*
@ -4339,7 +4351,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( !mbedtls_pk_can_do( peer_pk, pk_alg ) ) if( !mbedtls_pk_can_do( peer_pk, pk_alg ) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "sig_alg doesn't match cert key" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
goto exit;
} }
i++; i++;
@ -4354,7 +4367,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( i + 2 > ssl->in_hslen ) if( i + 2 > ssl->in_hslen )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
goto exit;
} }
sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1]; sig_len = ( ssl->in_msg[i] << 8 ) | ssl->in_msg[i+1];
@ -4363,7 +4377,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
if( i + sig_len != ssl->in_hslen ) if( i + sig_len != ssl->in_hslen )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate verify message" ) );
return( MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY ); ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY;
goto exit;
} }
/* Calculate hash and verify signature */ /* Calculate hash and verify signature */
@ -4377,13 +4392,20 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
ssl->in_msg + i, sig_len ) ) != 0 ) ssl->in_msg + i, sig_len ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify", ret );
return( ret ); goto exit;
} }
mbedtls_ssl_update_handshake_status( ssl ); mbedtls_ssl_update_handshake_status( ssl );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
exit:
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
mbedtls_x509_crt_pk_release( ssl->session_negotiate->peer_cert,
peer_pk );
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
return( ret ); return( ret );
} }
#endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED */