Add extension check for Certificate

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-08-04 17:28:15 +08:00
parent c55a6af9eb
commit 2eaa76044b

View file

@ -447,6 +447,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
while( p < certificate_list_end )
{
size_t cert_data_len, extensions_len;
const unsigned char *extensions_end;
uint32_t extensions_present;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
@ -504,7 +506,62 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
p += extensions_len;
extensions_end = p + extensions_len;
extensions_present = MBEDTLS_SSL_EXT_NONE;
while( p < extensions_end )
{
unsigned int extension_type;
size_t extension_data_len;
/*
* struct {
* ExtensionType extension_type; (2 bytes)
* opaque extension_data<0..2^16-1>;
* } Extension;
*/
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
p += 4;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
/* RFC 8446 page 35
*
* If an implementation receives an extension which it recognizes and
* which is not specified for the message in which it appears, it MUST
* abort the handshake with an "illegal_parameter" alert.
*/
extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "encrypted extensions : received %s(%u) extension",
mbedtls_tls13_get_extension_name( extension_type ),
extension_type ) );
if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG(
3, ( "forbidden extension received." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
switch( extension_type )
{
default:
MBEDTLS_SSL_DEBUG_MSG( 3,
( "Certificate: received %s(%u) extension ( ignored )",
mbedtls_tls13_get_extension_name( extension_type ),
extension_type ) );
break;
}
p += extension_data_len;
}
MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "Certificate", extensions_present );
}
exit: