Remove coordinate functions and change state machine in server side

Change-Id: Id4abf78f493e77afc289409db691c9c61acde1d2 Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2025-04-10 15:45:34 +00:00 · 2022-05-10 08:12:17 +00:00 · 2022-05-10 08:12:17 +00:00 · 189ded2b07
commit 189ded2b07
parent 6b916b1616
4 changed files with 20 additions and 99 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -509,6 +509,11 @@ struct mbedtls_ssl_handshake_params
    uint8_t sni_authmode;               /*!< authmode from SNI callback     */
 #endif
 #if defined(MBEDTLS_SSL_SRV_C)
    /** cert_request_send to indicate whether client certitifacte request */
    uint16_t cert_request_send;
 #endif /* MBEDTLS_SSL_SRV_C */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
    uint8_t new_session_ticket;         /*!< use NewSessionTicket?    */
 #endif /* MBEDTLS_SSL_SESSION_TICKETS */
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -153,30 +153,6 @@ static void ssl_tls13_create_verify_structure( const unsigned char *transcript_h
    *verify_buffer_len = idx;
 }
 /* Coordinate: Check whether a certificate verify message is expected.
 * Returns a negative value on failure, and otherwise
 * - SSL_CERTIFICATE_VERIFY_SKIP
 * - SSL_CERTIFICATE_VERIFY_READ
 * to indicate if the CertificateVerify message should be present or not.
 */
 #define SSL_CERTIFICATE_VERIFY_SKIP 0
 #define SSL_CERTIFICATE_VERIFY_READ 1
 static int ssl_tls13_read_certificate_verify_coordinate( mbedtls_ssl_context *ssl )
 {
    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
        return( SSL_CERTIFICATE_VERIFY_SKIP );
 #if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 #else
    if( ssl->session_negotiate->peer_cert == NULL )
        return( SSL_CERTIFICATE_VERIFY_SKIP );
    return( SSL_CERTIFICATE_VERIFY_READ );
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 }
 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
                                               const unsigned char *buf,
                                               const unsigned char *end,
@ -339,19 +315,13 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
-    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_verify_coordinate( ssl ) );
+    if( ssl->handshake->cert_request_send &&
-    if( ret == SSL_CERTIFICATE_VERIFY_SKIP )
+        ssl->session_negotiate->peer_cert == NULL ) 
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
        ret = 0;
        goto cleanup;
    }
    else if( ret != SSL_CERTIFICATE_VERIFY_READ )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
        goto cleanup;
    }
    MBEDTLS_SSL_PROC_CHK(
        mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
@ -409,63 +379,6 @@ cleanup:
 *
 */
 /* Coordination: Check if a certificate is expected.
 * Returns a negative error code on failure, and otherwise
 * SSL_CERTIFICATE_EXPECTED or
 * SSL_CERTIFICATE_SKIP
 * indicating whether a Certificate message is expected or not.
 */
 #define SSL_CERTIFICATE_EXPECTED   0
 #define SSL_CERTIFICATE_SKIP       1
 static int ssl_tls13_read_certificate_coordinate( mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_SSL_SRV_C)
    int authmode = ssl->conf->authmode;
 #endif /* MBEDTLS_SSL_SRV_C */
 #if defined(MBEDTLS_SSL_SRV_C)
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
        mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
    }
 #endif /* MBEDTLS_SSL_SRV_C */
    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
        return( SSL_CERTIFICATE_SKIP );
 #if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
    ( ( void )authmode );
    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
 #else
 #if defined(MBEDTLS_SSL_SRV_C)
    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
    {
        /* If SNI was used, overwrite authentication mode
         * from the configuration. */
 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
        if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
            authmode = ssl->handshake->sni_authmode;
 #endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
        if( authmode == MBEDTLS_SSL_VERIFY_NONE )
        {
            /* NOTE: Is it intentional that we set verify_result
             * to SKIP_VERIFY on server-side only? */
            ssl->session_negotiate->verify_result =
                MBEDTLS_X509_BADCERT_SKIP_VERIFY;
            return( SSL_CERTIFICATE_SKIP );
        }
    }
 #endif /* MBEDTLS_SSL_SRV_C */
    return( SSL_CERTIFICATE_EXPECTED );
 #endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
 }
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 /*
@ -837,9 +750,8 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
     * Check if we expect a certificate, and if yes,
     * check if a non-empty certificate has been sent.
     */
    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_coordinate( ssl ) );
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-    if( ret == SSL_CERTIFICATE_EXPECTED )
+    if( ssl->handshake->cert_request_send )
    {
        unsigned char *buf;
        size_t buf_len;
@ -859,16 +771,10 @@ int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl )
    }
    else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
    if( ret == SSL_CERTIFICATE_SKIP )
    {
        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
        ret = 0;
    }
    else
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
    }
 cleanup:
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -1342,6 +1342,8 @@ static int ssl_tls13_certificate_request_coordinate( mbedtls_ssl_context *ssl )
    if( authmode == MBEDTLS_SSL_VERIFY_NONE )
        return( SSL_CERTIFICATE_REQUEST_SKIP );
    ssl->handshake->cert_request_send = 1;
    return( SSL_CERTIFICATE_REQUEST_SEND_REQUEST );
 }
@ -1495,7 +1497,15 @@ static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
                MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
        return( ret );
    }
-    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+    if( ssl->handshake->cert_request_send )
    {
        mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
        mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
    }
    else
        mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
    return( 0 );
 }
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -11310,7 +11310,7 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
 run_test    "TLS 1.3: Server side check - mbedtls" \
            "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
            "$P_CLI debug_level=4 force_version=tls13" \
-            0 \
+            1 \
            -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
            -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
            -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \