Add extension check for Certificate
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
parent
c55a6af9eb
commit
2eaa76044b
1 changed files with 58 additions and 1 deletions
|
@ -447,6 +447,8 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
|
|||
while( p < certificate_list_end )
|
||||
{
|
||||
size_t cert_data_len, extensions_len;
|
||||
const unsigned char *extensions_end;
|
||||
uint32_t extensions_present;
|
||||
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, 3 );
|
||||
cert_data_len = MBEDTLS_GET_UINT24_BE( p, 0 );
|
||||
|
@ -504,7 +506,62 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
|
|||
extensions_len = MBEDTLS_GET_UINT16_BE( p, 0 );
|
||||
p += 2;
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );
|
||||
p += extensions_len;
|
||||
|
||||
extensions_end = p + extensions_len;
|
||||
extensions_present = MBEDTLS_SSL_EXT_NONE;
|
||||
|
||||
while( p < extensions_end )
|
||||
{
|
||||
unsigned int extension_type;
|
||||
size_t extension_data_len;
|
||||
|
||||
/*
|
||||
* struct {
|
||||
* ExtensionType extension_type; (2 bytes)
|
||||
* opaque extension_data<0..2^16-1>;
|
||||
* } Extension;
|
||||
*/
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
|
||||
extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
|
||||
extension_data_len = MBEDTLS_GET_UINT16_BE( p, 2 );
|
||||
p += 4;
|
||||
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
|
||||
|
||||
/* RFC 8446 page 35
|
||||
*
|
||||
* If an implementation receives an extension which it recognizes and
|
||||
* which is not specified for the message in which it appears, it MUST
|
||||
* abort the handshake with an "illegal_parameter" alert.
|
||||
*/
|
||||
extensions_present |= mbedtls_tls13_get_extension_mask( extension_type );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||
( "encrypted extensions : received %s(%u) extension",
|
||||
mbedtls_tls13_get_extension_name( extension_type ),
|
||||
extension_type ) );
|
||||
if( ( extensions_present & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT ) == 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG(
|
||||
3, ( "forbidden extension received." ) );
|
||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
|
||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
}
|
||||
switch( extension_type )
|
||||
{
|
||||
default:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3,
|
||||
( "Certificate: received %s(%u) extension ( ignored )",
|
||||
mbedtls_tls13_get_extension_name( extension_type ),
|
||||
extension_type ) );
|
||||
break;
|
||||
}
|
||||
|
||||
p += extension_data_len;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "Certificate", extensions_present );
|
||||
}
|
||||
|
||||
exit:
|
||||
|
|
Loading…
Reference in a new issue