Remove coordinate functions and change state machine in server side Change-Id: Id4abf78f493e77afc289409db691c9c61acde1d2 Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>

commit: 189ded2b076c10745104fccc63474502113ea977 [log] [tgz]
author: XiaokangQian <xiaokang.qian@arm.com> Tue May 10 08:12:17 2022 +0000
committer: XiaokangQian <xiaokang.qian@arm.com> Thu May 26 00:46:13 2022 +0000
tree: e2a8ad8ee0392371239739955dfa1a54bf0ba3f6
parent: 6b916b1616f7994c8f7dfea2bb3754917b3964ef [diff] [blame]
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index a260717..ab4d077 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c

@@ -153,30 +153,6 @@
     *verify_buffer_len = idx;
 }
 
-/* Coordinate: Check whether a certificate verify message is expected.
- * Returns a negative value on failure, and otherwise
- * - SSL_CERTIFICATE_VERIFY_SKIP
- * - SSL_CERTIFICATE_VERIFY_READ
- * to indicate if the CertificateVerify message should be present or not.
- */
-#define SSL_CERTIFICATE_VERIFY_SKIP 0
-#define SSL_CERTIFICATE_VERIFY_READ 1
-static int ssl_tls13_read_certificate_verify_coordinate( mbedtls_ssl_context *ssl )
-{
-    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
-        return( SSL_CERTIFICATE_VERIFY_SKIP );
-
-#if !defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-#else
-    if( ssl->session_negotiate->peer_cert == NULL )
-        return( SSL_CERTIFICATE_VERIFY_SKIP );
-
-    return( SSL_CERTIFICATE_VERIFY_READ );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-}
-
 static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
                                                const unsigned char *buf,
                                                const unsigned char *end,
@@ -339,19 +315,13 @@
 
     MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
 
-    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_verify_coordinate( ssl ) );
-    if( ret == SSL_CERTIFICATE_VERIFY_SKIP )
+    if( ssl->handshake->cert_request_send &&
+        ssl->session_negotiate->peer_cert == NULL ) 
     {
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
         ret = 0;
         goto cleanup;
     }
-    else if( ret != SSL_CERTIFICATE_VERIFY_READ )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-        goto cleanup;
-    }
 
     MBEDTLS_SSL_PROC_CHK(
         mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
@@ -409,63 +379,6 @@
  *
  */
 
-/* Coordination: Check if a certificate is expected.
- * Returns a negative error code on failure, and otherwise
- * SSL_CERTIFICATE_EXPECTED or
- * SSL_CERTIFICATE_SKIP
- * indicating whether a Certificate message is expected or not.
- */
-#define SSL_CERTIFICATE_EXPECTED   0
-#define SSL_CERTIFICATE_SKIP       1
-
-static int ssl_tls13_read_certificate_coordinate( mbedtls_ssl_context *ssl )
-{
-#if defined(MBEDTLS_SSL_SRV_C)
-    int authmode = ssl->conf->authmode;
-#endif /* MBEDTLS_SSL_SRV_C */
-
-#if defined(MBEDTLS_SSL_SRV_C)
-    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to handshake keys for inbound traffic" ) );
-
-        mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
-    }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-    if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
-        return( SSL_CERTIFICATE_SKIP );
-
-#if !defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-    ( ( void )authmode );
-    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-#else
-#if defined(MBEDTLS_SSL_SRV_C)
-    if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER )
-    {
-        /* If SNI was used, overwrite authentication mode
-         * from the configuration. */
-#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
-        if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET )
-            authmode = ssl->handshake->sni_authmode;
-#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
-
-        if( authmode == MBEDTLS_SSL_VERIFY_NONE )
-        {
-            /* NOTE: Is it intentional that we set verify_result
-             * to SKIP_VERIFY on server-side only? */
-            ssl->session_negotiate->verify_result =
-                MBEDTLS_X509_BADCERT_SKIP_VERIFY;
-            return( SSL_CERTIFICATE_SKIP );
-        }
-    }
-#endif /* MBEDTLS_SSL_SRV_C */
-
-    return( SSL_CERTIFICATE_EXPECTED );
-#endif /* !MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-}
-
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
 #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
 /*
@@ -837,9 +750,8 @@
      * Check if we expect a certificate, and if yes,
      * check if a non-empty certificate has been sent.
      */
-    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_read_certificate_coordinate( ssl ) );
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
-    if( ret == SSL_CERTIFICATE_EXPECTED )
+    if( ssl->handshake->cert_request_send )
     {
         unsigned char *buf;
         size_t buf_len;
@@ -859,16 +771,10 @@
     }
     else
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
-    if( ret == SSL_CERTIFICATE_SKIP )
     {
         MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
         ret = 0;
     }
-    else
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
-    }
 
 
 cleanup:
commit	189ded2b076c10745104fccc63474502113ea977	[log] [tgz]
author	XiaokangQian <xiaokang.qian@arm.com>	Tue May 10 08:12:17 2022 +0000
committer	XiaokangQian <xiaokang.qian@arm.com>	Thu May 26 00:46:13 2022 +0000
tree	e2a8ad8ee0392371239739955dfa1a54bf0ba3f6
parent	6b916b1616f7994c8f7dfea2bb3754917b3964ef [diff] [blame]