TLS 1.3: Always go through the CLIENT_CERTIFICATE state

Even if certificate authentication is disabled at build time, go through the MBEDTLS_SSL_CLIENT_CERTIFICATE state. It simplifies overall the code for a small code size cost when certificate authentication is disabled at build time. Furthermore that way we have only one point in the code where we switch to the handshake keys for record encryption. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-03-29 04:20:12 +00:00 · 2022-03-08 18:38:54 +01:00 · 2022-03-08 18:38:54 +01:00 · 9df7c80c78
commit 9df7c80c78
parent d815114f93
2 changed files with 7 additions and 21 deletions
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -1917,12 +1917,7 @@ static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
        ssl,
        MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
 #else
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
-#else
-    mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

    return( 0 );
@ -1944,7 +1939,6 @@ static int ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
 }
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /*
 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE
 */
@ -1954,9 +1948,14 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl )
                  ( "Switch to handshake traffic keys for outbound traffic" ) );
    mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );

+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    return( mbedtls_ssl_tls13_write_certificate( ssl ) );
+#else
+    return( 0 );
+#endif
 }

+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 /*
 * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
 */
@ -1973,13 +1972,6 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
 {
    int ret;

-    if( !ssl->handshake->client_auth )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1,
-                  ( "Switch to handshake traffic keys for outbound traffic" ) );
-        mbedtls_ssl_set_outbound_transform( ssl,
-                                        ssl->handshake->transform_handshake );
-    }
    ret = mbedtls_ssl_tls13_write_finished_message( ssl );
    if( ret != 0 )
        return( ret );
@ -2060,11 +2052,11 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
            ret = ssl_tls13_process_server_finished( ssl );
            break;

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
        case MBEDTLS_SSL_CLIENT_CERTIFICATE:
            ret = ssl_tls13_write_client_certificate( ssl );
            break;

+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
        case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
            ret = ssl_tls13_write_client_certificate_verify( ssl );
            break;
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -1529,14 +1529,8 @@ static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl )
                mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
                break;
            case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
                mbedtls_ssl_handshake_set_state( ssl,
-                                            MBEDTLS_SSL_CLIENT_CERTIFICATE );
-#else
-                mbedtls_ssl_handshake_set_state( ssl,
-                                                 MBEDTLS_SSL_CLIENT_FINISHED );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-
+                                                 MBEDTLS_SSL_CLIENT_CERTIFICATE );
                break;
            default:
                MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );