eden-emu/mbedtls
14
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Unify state machine update in mbedtls_ssl_parse_certificate()

Browse source 
The handler `mbedtls_ssl_parse_certificate()` for incoming `Certificate`
messages contains many branches updating the handshake state. For easier
reasoning about state evolution, this commit introduces a single code-path
updating the state machine at the end of `mbedtls_ssl_parse_certificate()`.
This commit is contained in:
Hanno Becker 2019-02-05 13:11:17 +00:00
parent a46c287796
commit 613d490bf1
1 changed files with 12 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

29
library/ssl_tls.c
View file

@ -6376,7 +6376,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
{ {
int ret; int ret = 0;
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) #if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@ -6396,8 +6396,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
ssl->state++; goto exit;
return( 0 );
} }
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
@ -6405,8 +6404,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
{ {
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
ssl->state++; goto exit;
return( 0 );
} }
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER && if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
@ -6414,9 +6412,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
{ {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY; ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
goto exit;
ssl->state++;
return( 0 );
} }
#endif #endif
@ -6440,12 +6436,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 ) if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
{ {
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING; ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
ssl->state++;
if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
return( 0 ); ret = 0;
else
ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); goto exit;
} }
#endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SRV_C */
@ -6453,10 +6450,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ssl_clear_peer_cert( ssl->session_negotiate ); ssl_clear_peer_cert( ssl->session_negotiate );
if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 ) if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
{ goto exit;
ssl->state++;
return( ret );
}
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE) #if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
if( ssl->handshake->ecrs_enabled) if( ssl->handshake->ecrs_enabled)
@ -6602,10 +6596,11 @@ crt_verify:
#endif /* MBEDTLS_DEBUG_C */ #endif /* MBEDTLS_DEBUG_C */
} }
ssl->state++;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
exit:
ssl->state++;
return( ret ); return( ret );
} }
#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED #endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED