From 9df7c80c786c3d70550b96ad57efd33d864bf8e0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 8 Mar 2022 18:38:54 +0100 Subject: [PATCH] TLS 1.3: Always go through the CLIENT_CERTIFICATE state Even if certificate authentication is disabled at build time, go through the MBEDTLS_SSL_CLIENT_CERTIFICATE state. It simplifies overall the code for a small code size cost when certificate authentication is disabled at build time. Furthermore that way we have only one point in the code where we switch to the handshake keys for record encryption. Signed-off-by: Ronald Cron --- library/ssl_tls13_client.c | 20 ++++++-------------- library/ssl_tls13_generic.c | 8 +------- 2 files changed, 7 insertions(+), 21 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index eac3d4f04f..0af8ce7482 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1917,12 +1917,7 @@ static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl ) ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED ); #else -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE ); -#else - mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ return( 0 ); @@ -1944,7 +1939,6 @@ static int ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl ) } #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE */ @@ -1954,9 +1948,14 @@ static int ssl_tls13_write_client_certificate( mbedtls_ssl_context *ssl ) ( "Switch to handshake traffic keys for outbound traffic" ) ); mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake ); +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) return( mbedtls_ssl_tls13_write_certificate( ssl ) ); +#else + return( 0 ); +#endif } +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) /* * Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY */ @@ -1973,13 +1972,6 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl ) { int ret; - if( !ssl->handshake->client_auth ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, - ( "Switch to handshake traffic keys for outbound traffic" ) ); - mbedtls_ssl_set_outbound_transform( ssl, - ssl->handshake->transform_handshake ); - } ret = mbedtls_ssl_tls13_write_finished_message( ssl ); if( ret != 0 ) return( ret ); @@ -2060,11 +2052,11 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl ) ret = ssl_tls13_process_server_finished( ssl ); break; -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) case MBEDTLS_SSL_CLIENT_CERTIFICATE: ret = ssl_tls13_write_client_certificate( ssl ); break; +#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY: ret = ssl_tls13_write_client_certificate_verify( ssl ); break; diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index f006438a8d..4fee3b0308 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1529,14 +1529,8 @@ static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); break; case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_CLIENT_CERTIFICATE ); -#else - mbedtls_ssl_handshake_set_state( ssl, - MBEDTLS_SSL_CLIENT_FINISHED ); -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - + MBEDTLS_SSL_CLIENT_CERTIFICATE ); break; default: MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );