yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add extensions check for CertificateRequest

Browse source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-08-04 17:01:21 +08:00
parent cbd082f396
commit c55a6af9eb
1 changed files with 51 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

66
library/ssl_tls13_client.c
View file

@ -2162,7 +2162,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
size_t certificate_request_context_len = 0; size_t certificate_request_context_len = 0;
size_t extensions_len = 0; size_t extensions_len = 0;
const unsigned char *extensions_end; const unsigned char *extensions_end;
unsigned char sig_alg_ext_found = 0; uint32_t extensions_present;
/* ... /* ...
* opaque certificate_request_context<0..2^8-1> * opaque certificate_request_context<0..2^8-1>
@ -2202,10 +2202,13 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, extensions_len );
extensions_end = p + extensions_len; extensions_end = p + extensions_len;
extensions_present = MBEDTLS_SSL_EXT_NONE;
while( p < extensions_end ) while( p < extensions_end )
{ {
unsigned int extension_type; unsigned int extension_type;
size_t extension_data_len; size_t extension_data_len;
uint32_t extension_mask;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
@ -2214,6 +2217,38 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
/* RFC 8446 page 35
*
* If an implementation receives an extension which it recognizes and which
* is not specified for the message in which it appears, it MUST abort the
* handshake with an "illegal_parameter" alert.
*/
extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "encrypted extensions : received %s(%u) extension",
mbedtls_tls13_get_extension_name( extension_type ),
extension_type ) );
if( ( extension_mask & MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CR ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG(
3, ( "forbidden extension received." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
if( extensions_present & extension_mask )
{
MBEDTLS_SSL_DEBUG_MSG( 3,
( "Duplicate %s extensions found",
mbedtls_tls13_get_extension_name( extension_type ) ) );
goto decode_error;
}
extensions_present |= extension_mask;
switch( extension_type ) switch( extension_type )
{ {
case MBEDTLS_TLS_EXT_SIG_ALG: case MBEDTLS_TLS_EXT_SIG_ALG:
@ -2223,25 +2258,22 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
p + extension_data_len ); p + extension_data_len );
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
if( ! sig_alg_ext_found )
sig_alg_ext_found = 1;
else
{
MBEDTLS_SSL_DEBUG_MSG( 3,
( "Duplicate signature algorithms extensions found" ) );
goto decode_error;
}
break; break;
default: default:
MBEDTLS_SSL_DEBUG_MSG( MBEDTLS_SSL_DEBUG_MSG( 3,
3, ( "certificate request: received %s(%u) extension ( ignored )",
( "unknown extension found: %u ( ignoring )", mbedtls_tls13_get_extension_name( extension_type ),
extension_type ) ); extension_type ) );
break; break;
} }
p += extension_data_len; p += extension_data_len;
} }
MBEDTLS_SSL_TLS1_3_PRINT_EXTS( 3, "CertificateRequest", extensions_present );
/* Check that we consumed all the message. */ /* Check that we consumed all the message. */
if( p != end ) if( p != end )
{ {
@ -2249,8 +2281,12 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
( "CertificateRequest misaligned" ) ); ( "CertificateRequest misaligned" ) );
goto decode_error; goto decode_error;
} }
/* Check that we found signature algorithms extension */
if( ! sig_alg_ext_found ) /* RFC 8446 page 60
*
* The "signature_algorithms" extension MUST be specified
*/
if( ( extensions_present & MBEDTLS_SSL_EXT_SIG_ALG ) == 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, MBEDTLS_SSL_DEBUG_MSG( 3,
( "no signature algorithms extension found" ) ); ( "no signature algorithms extension found" ) );