update based on comments
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 60c68d4..f68bb77 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -267,9 +267,7 @@
/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
-#endif
/*
* Check that we obey the standard's message size bounds
@@ -600,7 +598,8 @@
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
#endif
-#if defined(MBEDTLS_X509_CRT_PARSE_C)
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
+ defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
#endif
@@ -1701,11 +1700,6 @@
size_t *buf_len );
/*
- * Handler of TLS 1.3 server certificate request message
- */
-int mbedtls_ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl );
-
-/*
* Handler of TLS 1.3 server certificate message
*/
int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 91767fb..5e8b60b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5579,14 +5579,7 @@
mbedtls_free( (void*) handshake->sig_algs );
handshake->sig_algs = NULL;
#endif /* MBEDTLS_DEPRECATED_REMOVED */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
- if( ssl->handshake->certificate_request_context )
- {
- mbedtls_free( (void*) handshake->certificate_request_context );
- }
- handshake->certificate_request_context = NULL;
- handshake->certificate_request_context_len = 0;
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 8751787..62ed098 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1523,11 +1523,7 @@
{
MBEDTLS_SSL_DEBUG_MSG( 3,
( "Duplicate signature algorithms extensions found" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
- MBEDTLS_ERR_SSL_DECODE_ERROR );
- mbedtls_ssl_handshake_free( ssl );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ goto error;
}
break;
@@ -1544,11 +1540,8 @@
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "Signature algorithms extension length misaligned" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
- MBEDTLS_ERR_SSL_DECODE_ERROR );
- mbedtls_ssl_handshake_free( ssl );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
+ ( "CertificateRequset misaligned" ) );
+ goto error;
}
/* Check that we found signature algorithms extension */
if( ! sig_alg_ext_found )
@@ -1556,16 +1549,17 @@
MBEDTLS_SSL_DEBUG_MSG( 3,
( "no signature algorithms extension found" ) );
MBEDTLS_SSL_DEBUG_MSG( 1,
- ( "Signature algorithms extension length misaligned" ) );
- MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
- MBEDTLS_ERR_SSL_DECODE_ERROR );
- mbedtls_ssl_handshake_free( ssl );
- return( MBEDTLS_ERR_SSL_DECODE_ERROR );
-
+ ( "ssl_tls13_parse_certificate_request" ) );
+ goto error;
}
ssl->client_auth = 1;
return( 0 );
+
+error:
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
+ MBEDTLS_ERR_SSL_DECODE_ERROR );
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
/*
@@ -1602,7 +1596,8 @@
else
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+ ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
+ goto cleanup;
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 86699d9..e174d63 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -166,12 +166,11 @@
p += 2;
memset( ssl->handshake->received_sig_algs, 0,
- sizeof( ssl->handshake->received_sig_algs) );
+ sizeof(ssl->handshake->received_sig_algs) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
supported_sig_algs_end = p + supported_sig_algs_len;
- while( p < supported_sig_algs_end &&
- common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
+ while( p < supported_sig_algs_end )
{
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
@@ -180,8 +179,11 @@
MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
sig_alg ) );
- if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
- mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
+ if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ||
+ ! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
+ continue;
+
+ if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
ssl->handshake->received_sig_algs[common_idx] = sig_alg;
common_idx += 1;