mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-03-29 22:20:30 +00:00
Remove coordinate functions and change state machine in server side
Change-Id: Id4abf78f493e77afc289409db691c9c61acde1d2 Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian
parent
6b916b1616
commit
189ded2b07
@ -509,6 +509,11 @@ struct mbedtls_ssl_handshake_params
|
||||
uint8_t sni_authmode; /*!< authmode from SNI callback */
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
/** cert_request_send to indicate whether client certitifacte request */
|
||||
uint16_t cert_request_send;
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
uint8_t new_session_ticket; /*!< use NewSessionTicket? */
|
||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||
|
||||
@ -153,30 +153,6 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
|
||||
*verify_buffer_len = idx;
|
||||
}
|
||||
|
||||
/* Coordinate: Check whether a certificate verify message is expected.
|
||||
* Returns a negative value on failure, and otherwise
|
||||
* - SSL_CERTIFICATE_VERIFY_SKIP
|
||||
* - SSL_CERTIFICATE_VERIFY_READ
|
||||
* to indicate if the CertificateVerify message should be present or not.
|
||||
*/
|
||||
#define SSL_CERTIFICATE_VERIFY_SKIP 0
|
||||
#define SSL_CERTIFICATE_VERIFY_READ 1
|
||||
static int ssl_tls13_read_certificate_verify_coordinate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
|
||||
return( SSL_CERTIFICATE_VERIFY_SKIP );
|
||||
|
||||
#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
#else
|
||||
if( ssl->session_negotiate->peer_cert == NULL )
|
||||
return( SSL_CERTIFICATE_VERIFY_SKIP );
|
||||
|
||||
return( SSL_CERTIFICATE_VERIFY_READ );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
}
|
||||
|
||||
static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *buf,
|
||||
const unsigned char *end,
|
||||
@ -339,19 +315,13 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_verify_coordinate( ssl ) );
|
||||
if( ret == SSL_CERTIFICATE_VERIFY_SKIP )
|
||||
if( ssl->handshake->cert_request_send &&
|
||||
ssl->session_negotiate->peer_cert == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
|
||||
ret = 0;
|
||||
goto cleanup;
|
||||
}
|
||||
else if( ret != SSL_CERTIFICATE_VERIFY_READ )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
goto cleanup;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_PROC_CHK(
|
||||
mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
|
||||
@ -409,63 +379,6 @@ cleanup:
|
||||
*
|
||||
*/
|
||||
|
||||
/* Coordination: Check if a certificate is expected.
|
||||
* Returns a negative error code on failure, and otherwise
|
||||
* SSL_CERTIFICATE_EXPECTED or
|
||||
* SSL_CERTIFICATE_SKIP
|
||||
* indicating whether a Certificate message is expected or not.
|
||||
*/
|
||||
#define SSL_CERTIFICATE_EXPECTED 0
|
||||
#define SSL_CERTIFICATE_SKIP 1
|
||||
|
||||
static int ssl_tls13_read_certificate_coordinate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
int authmode = ssl->conf->authmode;
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
|
||||
|
||||
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
|
||||
return( SSL_CERTIFICATE_SKIP );
|
||||
|
||||
#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
( ( void )authmode );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
#else
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
|
||||
{
|
||||
/* If SNI was used, overwrite authentication mode
|
||||
* from the configuration. */
|
||||
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
|
||||
if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
|
||||
authmode = ssl->handshake->sni_authmode;
|
||||
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||
|
||||
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
|
||||
{
|
||||
/* NOTE: Is it intentional that we set verify_result
|
||||
* to SKIP_VERIFY on server-side only? */
|
||||
ssl->session_negotiate->verify_result =
|
||||
MBEDTLS_X509_BADCERT_SKIP_VERIFY;
|
||||
return( SSL_CERTIFICATE_SKIP );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
return( SSL_CERTIFICATE_EXPECTED );
|
||||
#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
|
||||
/*
|
||||
@ -837,9 +750,8 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
|
||||
* Check if we expect a certificate, and if yes,
|
||||
* check if a non-empty certificate has been sent.
|
||||
*/
|
||||
MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_coordinate( ssl ) );
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
if( ret == SSL_CERTIFICATE_EXPECTED )
|
||||
if( ssl->handshake->cert_request_send )
|
||||
{
|
||||
unsigned char *buf;
|
||||
size_t buf_len;
|
||||
@ -859,16 +771,10 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
if( ret == SSL_CERTIFICATE_SKIP )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
||||
ret = 0;
|
||||
}
|
||||
else
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
|
||||
}
|
||||
|
||||
|
||||
cleanup:
|
||||
|
||||
@ -1342,6 +1342,8 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
|
||||
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
|
||||
return( SSL_CERTIFICATE_REQUEST_SKIP );
|
||||
|
||||
ssl->handshake->cert_request_send = 1;
|
||||
|
||||
return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
|
||||
}
|
||||
|
||||
@ -1495,7 +1497,15 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||
return( ret );
|
||||
}
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
|
||||
if( ssl->handshake->cert_request_send )
|
||||
{
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
|
||||
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
|
||||
}
|
||||
else
|
||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
||||
@ -11310,7 +11310,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||
run_test "TLS 1.3: Server side check - mbedtls" \
|
||||
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
|
||||
"$P_CLI debug_level=4 force_version=tls13" \
|
||||
0 \
|
||||
1 \
|
||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user