From 51f515a5035a3abc8493e98b42f12bbd6e6e061e Mon Sep 17 00:00:00 2001 From: Xiaofei Bai Date: Tue, 8 Feb 2022 07:28:04 +0000 Subject: [PATCH] update based on comments Signed-off-by: Xiaofei Bai --- library/ssl_misc.h | 10 ++-------- library/ssl_tls.c | 9 +-------- library/ssl_tls13_client.c | 29 ++++++++++++----------------- library/ssl_tls13_generic.c | 12 +++++++----- 4 files changed, 22 insertions(+), 38 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 60c68d4d55..f68bb77bc6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -267,9 +267,7 @@ /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */ #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535 -#if defined(MBEDTLS_X509_CRT_PARSE_C) #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20 -#endif /* * Check that we obey the standard's message size bounds @@ -600,7 +598,8 @@ struct mbedtls_ssl_handshake_params mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ #endif -#if defined(MBEDTLS_X509_CRT_PARSE_C) +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ + defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE]; #endif @@ -1700,11 +1699,6 @@ int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl, unsigned char **buf, size_t *buf_len ); -/* - * Handler of TLS 1.3 server certificate request message - */ -int mbedtls_ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl ); - /* * Handler of TLS 1.3 server certificate message */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 91767fb004..5e8b60b9bc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
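Review bot: In library/ssl_misc.h, the new guard on `received_sig_algs` in struct mbedtls_ssl_handshake_params (`MBEDTLS_SSL_PROTO_TLS1_3` plus `MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED`) has to match the guard around every user of the field. mbedtls_ssl_tls13_parse_sig_alg_ext() in ssl_tls13_generic.c writes the field, and that function's own guard is not visible in this patch, so a configuration with TLS 1.3 but no certificate-based key exchange should be built to confirm. The field also has no Doxygen comment while its neighbour `hash_algs` does; something like `/*!< Peer's signature algorithms that we also offer and support; zero-filled, last slot stays 0 */` would record what the parser stores there. The struct definition starts and ends outside the hunk.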
@@ -5579,14 +5579,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_free( (void*) handshake->sig_algs ); handshake->sig_algs = NULL; #endif /* MBEDTLS_DEPRECATED_REMOVED */ -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if( ssl->handshake->certificate_request_context ) - { - mbedtls_free( (void*) handshake->certificate_request_context ); - } - handshake->certificate_request_context = NULL; - handshake->certificate_request_context_len = 0; -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ + #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 87517874e6..62ed098351 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1523,11 +1523,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_MSG( 3, ( "Duplicate signature algorithms extensions found" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - mbedtls_ssl_handshake_free( ssl ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + goto error; } break; @@ -1544,11 +1540,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, if( p != end ) { MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Signature algorithms extension length misaligned" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - mbedtls_ssl_handshake_free( ssl ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); + ( "CertificateRequset misaligned" ) ); + goto error; } /* Check that we found signature algorithms extension */ if( ! sig_alg_ext_found ) 
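Review bot: With this block removed from mbedtls_ssl_handshake_free() in library/ssl_tls.c, nothing visible in the patch releases `handshake->certificate_request_context`, and the error paths in ssl_tls13_parse_certificate_request no longer call mbedtls_ssl_handshake_free() either. If the field is still allocated while the CertificateRequest is parsed (not visible here), each handshake would leak a buffer whose length the peer chooses. An unconditional `mbedtls_free( handshake->certificate_request_context );` under the TLS 1.3 guard would keep the release without the redundant NULL test. The blank line added before `#endif` looks unintentional, and the function body continues outside the hunk.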
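Review bot: The new level-1 debug string in the `p != end` branch of ssl_tls13_parse_certificate_request misspells the message name as "CertificateRequset", which defeats log searches for the TLS message name. It should read `( "CertificateRequest misaligned" ) );`. The function body starts and ends outside the hunk.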
@@ -1556,16 +1549,17 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "no signature algorithms extension found" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Signature algorithms extension length misaligned" ) ); - MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, - MBEDTLS_ERR_SSL_DECODE_ERROR ); - mbedtls_ssl_handshake_free( ssl ); - return( MBEDTLS_ERR_SSL_DECODE_ERROR ); - + ( "ssl_tls13_parse_certificate_request" ) ); + goto error; } ssl->client_auth = 1; return( 0 ); + +error: + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, + MBEDTLS_ERR_SSL_DECODE_ERROR ); + return( MBEDTLS_ERR_SSL_DECODE_ERROR ); } /* @@ -1602,7 +1596,8 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl ) else { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR; + goto cleanup; } MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request", diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 86699d9596..e174d63984 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -166,12 +166,11 @@ int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl, p += 2; memset( ssl->handshake->received_sig_algs, 0, - sizeof( ssl->handshake->received_sig_algs) ); + sizeof(ssl->handshake->received_sig_algs) ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len ); supported_sig_algs_end = p + supported_sig_algs_len; - while( p < supported_sig_algs_end && - common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE ) + while( p < supported_sig_algs_end ) { MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 ); sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 ); 
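Review bot: In the `! sig_alg_ext_found` branch the level-1 message is now just the function name, `"ssl_tls13_parse_certificate_request"`, which says nothing about why parsing failed. The level-3 line above already names the cause, so the level-1 line could be dropped or changed to `( "CertificateRequest lacks signature_algorithms extension" ) );`. The shared `error:` label also reports every failure as decode_error, whereas RFC 8446 defines a missing_extension alert for an absent mandatory extension; whether to distinguish the cases is worth deciding deliberately. A one-line comment above the label, such as `/* All malformed-CertificateRequest paths end here with a fatal decode_error alert. */`, would document the funnel. The function starts outside the hunk.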
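Review bot: The reformatted `sizeof(ssl->handshake->received_sig_algs) );` in the memset call of library/ssl_tls13_generic.c still does not match the spaced-parenthesis style of the surrounding lines (`memset( ...`, `while( p < supported_sig_algs_end )`); `sizeof( ssl->handshake->received_sig_algs ) );` would. Dropping the capacity test from the loop condition means every entry of the peer's list is still length-checked by MBEDTLS_SSL_CHK_BUF_READ_PTR after the array is full, which is the stricter behaviour. A short comment above the loop would record that intent, e.g. `/* Walk the whole list so it is fully validated; storage is capped separately. */`. mbedtls_ssl_tls13_parse_sig_alg_ext continues outside the hunk.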
@@ -180,8 +179,11 @@ int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x", sig_alg ) ); - if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) && - mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ) + if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) || + ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) ) + continue; + + if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE ) { ssl->handshake->received_sig_algs[common_idx] = sig_alg; common_idx += 1;
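Review bot: Once `common_idx + 1` reaches MBEDTLS_RECEIVED_SIG_ALGS_SIZE, the new `if` silently drops every further algorithm that both sides support, so a later failure to find a usable signature algorithm leaves no trace of the truncation. An `else` branch with a debug line, e.g. `else MBEDTLS_SSL_DEBUG_MSG( 3, ( "received_sig_algs full, ignoring 0x%x", sig_alg ) );`, would make it diagnosable. The added `continue` also relies on `p` being advanced in the two lines between this hunk and the previous one, which are not shown. If the advance came after this block instead, the loop would not terminate on a peer-supplied list, so that is worth confirming. The function and the loop start and end outside the hunk.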