update based on comments

Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>

library/ssl_misc.h

@@ -267,9 +267,7 @@
 /* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
 #define MBEDTLS_SSL_MAX_CURVE_LIST_LEN         65535
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
 #define MBEDTLS_RECEIVED_SIG_ALGS_SIZE         20
-#endif
 
 /*
  * Check that we obey the standard's message size bounds
@@ -600,7 +598,8 @@ struct mbedtls_ssl_handshake_params
     mbedtls_ssl_sig_hash_set_t hash_algs;             /*!<  Set of suitable sig-hash pairs */
 #endif
 
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+    defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
     uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
 #endif
 
@@ -1700,11 +1699,6 @@ int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
                                            unsigned char **buf,
                                            size_t *buf_len );
 
-/*
- * Handler of TLS 1.3 server certificate request message
- */
-int mbedtls_ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl );
-
 /*
  * Handler of TLS 1.3 server certificate message
  */

library/ssl_tls.c

@@ -5579,14 +5579,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
         mbedtls_free( (void*) handshake->sig_algs );
     handshake->sig_algs = NULL;
 #endif /* MBEDTLS_DEPRECATED_REMOVED */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+
-    if( ssl->handshake->certificate_request_context )
-    {
-        mbedtls_free( (void*) handshake->certificate_request_context );
-    }
-    handshake->certificate_request_context = NULL;
-    handshake->certificate_request_context_len = 0;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)

library/ssl_tls13_client.c

@@ -1523,11 +1523,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
                 {
                     MBEDTLS_SSL_DEBUG_MSG( 3,
                         ( "Duplicate signature algorithms extensions found" ) );
-                    MBEDTLS_SSL_PEND_FATAL_ALERT(
+                    goto error;
-                        MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
-                        MBEDTLS_ERR_SSL_DECODE_ERROR );
-                    mbedtls_ssl_handshake_free( ssl );
-                    return( MBEDTLS_ERR_SSL_DECODE_ERROR );
                 }
                 break;
 
@@ -1544,11 +1540,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
     if( p != end )
     {
         MBEDTLS_SSL_DEBUG_MSG( 1,
-            ( "Signature algorithms extension length misaligned" ) );
+            ( "CertificateRequset misaligned" ) );
-        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+        goto error;
-                                      MBEDTLS_ERR_SSL_DECODE_ERROR );
-        mbedtls_ssl_handshake_free( ssl );
-        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
     }
     /* Check that we found signature algorithms extension */
     if( ! sig_alg_ext_found )
@@ -1556,16 +1549,17 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_MSG( 3,
             ( "no signature algorithms extension found" ) );
         MBEDTLS_SSL_DEBUG_MSG( 1,
-            ( "Signature algorithms extension length misaligned" ) );
+            ( "ssl_tls13_parse_certificate_request" ) );
-        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+        goto error;
-                                      MBEDTLS_ERR_SSL_DECODE_ERROR );
-        mbedtls_ssl_handshake_free( ssl );
-        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
-
     }
 
     ssl->client_auth = 1;
     return( 0 );
+
+error:
+    MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+                                  MBEDTLS_ERR_SSL_DECODE_ERROR );
+    return( MBEDTLS_ERR_SSL_DECODE_ERROR );
 }
 
 /*
@@ -1602,7 +1596,8 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
     else
     {
         MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+        goto cleanup;
     }
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",

library/ssl_tls13_generic.c

@@ -166,12 +166,11 @@ int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
     p += 2;
 
     memset( ssl->handshake->received_sig_algs, 0,
-            sizeof( ssl->handshake->received_sig_algs) );
+            sizeof(ssl->handshake->received_sig_algs) );
 
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
     supported_sig_algs_end = p + supported_sig_algs_len;
-    while( p < supported_sig_algs_end &&
+    while( p < supported_sig_algs_end )
-           common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
     {
         MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
         sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -180,8 +179,11 @@ int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
         MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
                                     sig_alg ) );
 
-        if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
+        if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ||
-            mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
+            ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
+            continue;
+
+        if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
         {
             ssl->handshake->received_sig_algs[common_idx] = sig_alg;
             common_idx += 1;