Enable restart for certificate verify

2025-08-01 10:06:53 +03:00 · 2017-08-15 13:47:06 +02:00
parent fed37ed039
commit 3bf49c4552
3 changed files with 91 additions and 2 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4518,6 +4518,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 #else
    const int authmode = ssl->conf->authmode;
 #endif
+    void *rs_ctx = NULL;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );

@ -4545,11 +4546,20 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
    {
        ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
+
        ssl->state++;
        return( 0 );
    }
 #endif

+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled &&
+        ssl->handshake->ecrs_state == ssl_ecrs_crt_parsed )
+    {
+        goto crt_verify;
+    }
+#endif
+
    if( ( ret = mbedtls_ssl_read_record( ssl ) ) != 0 )
    {
        /* mbedtls_ssl_read_record may have sent an alert already. We
@ -4572,6 +4582,15 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
        return( ret );
    }

+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state++;
+
+crt_verify:
+    if( ssl->handshake->ecrs_enabled)
+        rs_ctx = &ssl->handshake->ecrs_ctx;
+#endif
+
    if( authmode != MBEDTLS_SSL_VERIFY_NONE )
    {
        mbedtls_x509_crt *ca_chain;
@ -4593,19 +4612,24 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
        /*
         * Main check: verify certificate
         */
-        ret = mbedtls_x509_crt_verify_with_profile(
+        ret = mbedtls_x509_crt_verify_restartable(
                                ssl->session_negotiate->peer_cert,
                                ca_chain, ca_crl,
                                ssl->conf->cert_profile,
                                ssl->hostname,
                               &ssl->session_negotiate->verify_result,
-                                ssl->conf->f_vrfy, ssl->conf->p_vrfy );
+                                ssl->conf->f_vrfy, ssl->conf->p_vrfy, rs_ctx );

        if( ret != 0 )
        {
            MBEDTLS_SSL_DEBUG_RET( 1, "x509_verify_cert", ret );
        }

+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+        if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS )
+            return( ret );
+#endif
+
        /*
         * Secondary checks: always done, but change 'ret' only if it was 0
         */
@ -4702,6 +4726,11 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
 #endif /* MBEDTLS_DEBUG_C */
    }

+#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
+    if( ssl->handshake->ecrs_enabled)
+        ssl->handshake->ecrs_state++;
+#endif
+
    ssl->state++;

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );