TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / a040548747959d3f7f3cd4d6f77c82de90ffdfb9^! / . / library / ssl_tls.c
commita040548747959d3f7f3cd4d6f77c82de90ffdfb9[log] [tgz]
authorManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Fri Aug 16 11:19:51 2024 +0200
committerManuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>Mon Sep 02 12:46:03 2024 +0200
tree3bb3f109991cad46956b9e7c8fa2c66331c6648d
parent19dd9f59bce259eaf759bc7126b8bd9ec0a79290 [diff] [blame]
Improve some comments

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index fb48b95..0081e04 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -7944,14 +7944,13 @@
                                    const mbedtls_ssl_ciphersuite_t *ciphersuite_info,
                                    void *rs_ctx)
 {
-    int ret = 0;
-    int have_ca_chain_or_callback = 0;
-
     if (authmode == MBEDTLS_SSL_VERIFY_NONE) {
         return 0;
     }
 
-    /* Verify callback: precedence order is SSL context, else conf struct. */
+    /*
+     * Primary check: use the appropriate X.509 verification function
+     */
     int (*f_vrfy)(void *, mbedtls_x509_crt *, int, uint32_t *);
     void *p_vrfy;
     if (ssl->f_vrfy != NULL) {
@@ -7964,9 +7963,8 @@
         p_vrfy = ssl->conf->p_vrfy;
     }
 
-    /*
-     * Main check: verify certificate
-     */
+    int ret = 0;
+    int have_ca_chain_or_callback = 0;
 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
     if (ssl->conf->f_ca_cb != NULL) {
         ((void) rs_ctx);
@@ -8057,18 +8055,22 @@
         }
     }
 
-    /* mbedtls_x509_crt_verify_with_profile is supposed to report a
-     * verification failure through MBEDTLS_ERR_X509_CERT_VERIFY_FAILED,
-     * with details encoded in the verification flags. All other kinds
-     * of error codes, including those from the user provided f_vrfy
-     * functions, are treated as fatal and lead to a failure of
-     * ssl_parse_certificate even if verification was optional. */
+    /* With authmode optional, we want to keep going it the certificate was
+     * unacceptable, but still fail on other error (out of memory etc),
+     * including fatal errors from the f_vrfy callback.
+     *
+     * The only acceptable errors are:
+     * - MBEDTLS_ERR_X509_CERT_VERIFY_FAILED: cert rejected by primary check;
+     * - MBEDTLS_ERR_SSL_BAD_CERTIFICATE: cert rejected by secondary checks.
+     * Anything else is a fatal error. */
     if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL &&
         (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED ||
          ret == MBEDTLS_ERR_SSL_BAD_CERTIFICATE)) {
         ret = 0;
     }
 
+    /* Return a specific error as this is a user error: inconsistent
+     * configuration - can't verify without trust anchors. */
     if (have_ca_chain_or_callback == 0 && authmode == MBEDTLS_SSL_VERIFY_REQUIRED) {
         MBEDTLS_SSL_DEBUG_MSG(1, ("got no CA chain"));
         ret = MBEDTLS_ERR_SSL_CA_CHAIN_REQUIRED;