mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-03 20:54:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix various issue

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-02-16 11:21:37 +08:00
parent ca133a34c5
commit 3391ac00d3
1 changed files with 22 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
library/ssl_tls13_generic.c
View File

@ -860,8 +860,8 @@ cleanup:
* indicating that a Certificate message should be written based
* on the configured certificate, or whether it should be silently skipped.
*/
#define SSL_WRITE_CERTIFICATE_SEND 0
#define SSL_WRITE_CERTIFICATE_SKIP 1
#define SSL_WRITE_CERTIFICATE_SEND 0
#define SSL_WRITE_CERTIFICATE_SKIP 1
static int ssl_tls13_write_certificate_coordinate( mbedtls_ssl_context* ssl )
{
@ -929,41 +929,29 @@ static int ssl_tls13_write_certificate_body( mbedtls_ssl_context *ssl,
unsigned char *certificate_list;
/* Write certificate_request_context */
/* ...
* opaque certificate_request_context<0..2^8-1>;
* ...
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end,
ssl->handshake->certificate_request_context_len + 1 );
*p++ = ssl->handshake->certificate_request_context_len;
if( ssl->handshake->certificate_request_context_len > 0 )
{
MBEDTLS_SSL_CHK_BUF_PTR( p, end,
ssl->handshake->certificate_request_context_len );
memcpy( p,
ssl->handshake->certificate_request_context,
ssl->handshake->certificate_request_context_len );
p += ssl->handshake->certificate_request_context_len;
}
/* Reserve space for certificate_list_len */
/* ...
* CertificateEntry certificate_list<0..2^24-1>;
* ...
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 );
certificate_list = p;
p += 3;
#if defined(MBEDTLS_SSL_CLI_C)
/* If the server requests client authentication but no suitable
* certificate is available, the client MUST send a
* Certificate message containing no certificates
* ( i.e., with the "certificate_list" field having length 0 ).
*
* authmode indicates whether the client configuration required authentication.
*/
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT && crt == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write empty client certificate" ) );
MBEDTLS_PUT_UINT24_BE( 0, certificate_list, 0 );
*out_len = p - buf;
return( 0 );
}
#endif /* MBEDTLS_SSL_CLI_C */
MBEDTLS_SSL_DEBUG_CRT( 3, "own certificate", crt );
while ( crt != NULL )
@ -1058,46 +1046,6 @@ cleanup:
/*
* STATE HANDLING: Output Certificate Verify
*/
static int ssl_tls13_write_certificate_verify_coordinate(
mbedtls_ssl_context *ssl )
{
mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
if( ssl->handshake->client_auth == 0 ||
crt == NULL ||
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
}
#endif /* MBEDTLS_SSL_CLI_C */
if( crt == NULL &&
ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
return( 0 );
#else /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
((void) crt);
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
}
static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@ -1116,11 +1064,9 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
int algorithm;
size_t signature_len = 0;
const mbedtls_md_info_t *md_info;
unsigned char verify_hash[ MBEDTLS_TLS1_3_MD_MAX_SIZE ];
unsigned char verify_hash[ MBEDTLS_MD_MAX_SIZE ];
size_t verify_hash_len;
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 + MBEDTLS_TLS1_3_MD_MAX_SIZE );
own_key = mbedtls_ssl_own_key( ssl );
if( own_key == NULL )
{
@ -1178,6 +1124,10 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
md_alg = MBEDTLS_MD_SHA384;
algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
break;
case 521:
md_alg = MBEDTLS_MD_SHA512;
algorithm = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
break;
default:
MBEDTLS_SSL_DEBUG_MSG( 3,
( "unknown key size: %" MBEDTLS_PRINTF_SIZET
@ -1190,9 +1140,13 @@ static int ssl_tls13_write_certificate_verify_body( mbedtls_ssl_context *ssl,
if( !mbedtls_ssl_sig_alg_is_received( ssl, algorithm ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
/* Check there is space for the algorithm identifier (2 bytes) and the
* signature length (2 bytes).
*/
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
MBEDTLS_PUT_UINT16_BE( algorithm, p, 0 );
p += 2;
@ -1249,9 +1203,6 @@ int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
/* Coordination step: Check if we need to send a CertificateVerify */
MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_verify_coordinate( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );