From 7ce0f2aa6b21a4f703169ad9bc829eabcac09532 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Thu, 27 Jan 2022 18:25:04 +0800
Subject: [PATCH 1/5] Wrap client_auth.

The variable is used for client side only

Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 350ee2cb2..d11db3f55 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1615,8 +1615,12 @@ struct mbedtls_ssl_context
     /*
      * PKI layer
      */
-    int MBEDTLS_PRIVATE(client_auth); /*!< flag for client auth. */
-
+#if defined(MBEDTLS_SSL_CLI_C)
+    int MBEDTLS_PRIVATE(client_auth); /*!< used to check if CertificateRequest is
+                                           received from server side. If
+                                           CertificateReqeust is received, Certificate
+                                           and CertificateVerify should be sent to server */
+#endif /* MBEDTLS_SSL_CLI_C */
     /*
      * User settings
      */

From fb28b88e2661e3373c48516e670b5b33b8df7f10 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Fri, 28 Jan 2022 11:05:58 +0800
Subject: [PATCH 2/5] move client_auth to handshake

Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 7 +------
 library/ssl_cli.c | 10 ++++++----
 library/ssl_misc.h | 6 ++++++
 library/ssl_tls.c | 2 +-
 4 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index d11db3f55..69d3b7593 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1615,12 +1615,7 @@ struct mbedtls_ssl_context
     /*
      * PKI layer
      */
-#if defined(MBEDTLS_SSL_CLI_C)
-    int MBEDTLS_PRIVATE(client_auth); /*!< used to check if CertificateRequest is
-                                           received from server side. If
-                                           CertificateReqeust is received, Certificate
-                                           and CertificateVerify should be sent to server */
-#endif /* MBEDTLS_SSL_CLI_C */
+
     /*
      * User settings
      */
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index e411b7049..825034a8d 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -3137,12 +3137,13 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
     }
     ssl->state++;
-    ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
+    ssl->handshake->client_auth =
+        ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
-                        ssl->client_auth ? "a" : "no" ) );
+                        ssl->handshake->client_auth ? "a" : "no" ) );
-    if( ssl->client_auth == 0 )
+    if( ssl->handshake->client_auth == 0 )
     {
         /* Current message is probably the ServerHelloDone */
         ssl->keep_current_message = 1;
@@ -3794,7 +3795,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
         return( 0 );
     }
-    if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
+    if( ssl->handshake->client_auth == 0 ||
+        mbedtls_ssl_own_cert( ssl ) == NULL )
     {
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
         ssl->state++;
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 0c43c795a..a8a7119a5 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -768,6 +768,12 @@ struct mbedtls_ssl_handshake_params
                                    * but can be overwritten by the HRR. */
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#if defined(MBEDTLS_SSL_CLI_C)
+    int client_auth; /*!< used to check if CertificateRequest is received
+                          from server side. If CertificateReqeust is
+                          received, Certificate and CertificateVerify
+                          should be sent to server */
+#endif /* MBEDTLS_SSL_CLI_C */
     /*
      * State-local variables used during the processing
      * of a specific handshake state.
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index f261a6a89..87fa395e5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1701,7 +1701,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_SSL_CLI_C)
     if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
     {
-        if( ssl->client_auth == 0 )
+        if( ssl->handshake->client_auth == 0 )
         {
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
             ssl->state++;
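Review bot: The flag now lives in `ssl->handshake`, which is dereferenced unguarded at the write in ssl_parse_certificate_request, at the read in ssl_write_certificate_verify (second hunk of this file) and at the read in mbedtls_ssl_write_certificate in library/ssl_tls.c, whereas the old `ssl->client_auth` belonged to the context for the whole connection. All three sites run from handshake states, so the handshake struct presumably exists there and the move looks safe, but the value is now only valid while a handshake is in progress and is discarded with the rest of the handshake params afterwards; nothing on the new field in library/ssl_misc.h says so. I would extend that Doxygen comment with `Only valid while a handshake is in progress; set by ssl_parse_certificate_request().` so that no later consumer reaches for it after the handshake has been wrapped up. ssl_parse_certificate_request begins and ends outside the hunk.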
From 0ff8ac89f56cc8920beb17a0c58c62d613ad5c2d Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 8 Feb 2022 10:10:48 +0800
Subject: [PATCH 3/5] fix comments issues

Signed-off-by: Jerry Yu
---
 include/mbedtls/ssl.h | 4 ----
 library/ssl_misc.h | 6 +++---
 2 files changed, 3 insertions(+), 7 deletions(-)

diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 69d3b7593..7e5fb199c 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1612,10 +1612,6 @@ struct mbedtls_ssl_context
     uint16_t MBEDTLS_PRIVATE(mtu); /*!< path mtu, used to fragment outgoing messages */
 #endif /* MBEDTLS_SSL_PROTO_DTLS */
-    /*
-     * PKI layer
-     */
-
     /*
      * User settings
      */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index a8a7119a5..689641662 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -769,9 +769,9 @@ struct mbedtls_ssl_handshake_params
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #if defined(MBEDTLS_SSL_CLI_C)
-    int client_auth; /*!< used to check if CertificateRequest is received
-                          from server side. If CertificateReqeust is
-                          received, Certificate and CertificateVerify
+    int client_auth; /*!< used to check if CertificateRequest has been
+                          received from server side. If CertificateReqeust
+                          has been received, Certificate and CertificateVerify
                           should be sent to server */
 #endif /* MBEDTLS_SSL_CLI_C */
     /*

From 2d9a6940882efc694327eff21860d297a18dde6a Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 8 Feb 2022 21:07:10 +0800
Subject: [PATCH 4/5] change type of client_auth

Signed-off-by: Jerry Yu
---
 library/ssl_misc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 689641662..607ed49dd 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -769,7 +769,7 @@ struct mbedtls_ssl_handshake_params
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
 #if defined(MBEDTLS_SSL_CLI_C)
-    int client_auth; /*!< used to check if CertificateRequest has been
+    uint8_t client_auth; /*!< used to check if CertificateRequest has been
                           received from server side. If CertificateReqeust
                           has been received, Certificate and CertificateVerify
                           should be sent to server */

From 5c7d1cce975ac8fdd86e5822d7a6c3a08ec7f912 Mon Sep 17 00:00:00 2001
From: Jerry Yu
Date: Tue, 8 Feb 2022 21:08:29 +0800
Subject: [PATCH 5/5] fix typo error

Signed-off-by: Jerry Yu
---
 library/ssl_misc.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 607ed49dd..cad7f2827 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -770,7 +770,7 @@ struct mbedtls_ssl_handshake_params
 #if defined(MBEDTLS_SSL_CLI_C)
     uint8_t client_auth; /*!< used to check if CertificateRequest has been
-                          received from server side. If CertificateReqeust
+                          received from server side. If CertificateRequest
                           has been received, Certificate and CertificateVerify
                           should be sent to server */
 #endif /* MBEDTLS_SSL_CLI_C */
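Review bot: Widening `int` to `uint8_t` only on the declaration line leaves the three unchanged continuation lines of the Doxygen comment where they were, so if they were aligned to the `/*!<` opener before, as is usual in this file, they now sit four columns to the left of it; re-indent them in the same commit so the comment block stays aligned. The narrower type is otherwise fine: the only writer, in ssl_parse_certificate_request in library/ssl_cli.c, stores the result of an `==` comparison, which is 0 or 1, and the stdint types are already in use in this header's includes (include/mbedtls/ssl.h declares `mtu` as `uint16_t`). The struct definition starts and ends outside the hunk.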