Change state machine
Skip CertificateVerfiy if empty certificate or no
CertificateRequest received.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 207098c..30b1ed4 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1917,11 +1917,11 @@
MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED );
#else
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- if( ssl->handshake->client_auth )
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
- else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE );
+#else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
+
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
return( 0 );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 3cf9745..f65e2b6 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -997,7 +997,14 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
- mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
+ const mbedtls_x509_crt *crt = mbedtls_ssl_own_cert( ssl );
+ if( ssl->handshake->client_auth && crt != NULL )
+ {
+ mbedtls_ssl_handshake_set_state( ssl,
+ MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );
+ }
+ else
+ mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
return( 0 );
}
else
@@ -1051,14 +1058,6 @@
/*
* STATE HANDLING: Output Certificate Verify
*/
-/* Coordinate: Check whether a Certificate Verify message should be sent.
- * Returns a negative value on failure, and otherwise
- * - SSL_WRITE_CERTIFICATE_VERIFY_SKIP
- * - SSL_WRITE_CERTIFICATE_VERIFY_SEND
- * to indicate if the CertificateVerify message should be sent or not.
- */
-#define SSL_WRITE_CERTIFICATE_VERIFY_SKIP 0
-#define SSL_WRITE_CERTIFICATE_VERIFY_SEND 1
static int ssl_tls13_write_certificate_verify_coordinate(
mbedtls_ssl_context *ssl )
{
@@ -1066,8 +1065,8 @@
if( mbedtls_ssl_tls13_some_psk_enabled( ssl ) )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@@ -1078,8 +1077,8 @@
crt == NULL ||
ssl->conf->authmode == MBEDTLS_SSL_VERIFY_NONE )
{
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- return( SSL_WRITE_CERTIFICATE_VERIFY_SKIP );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
}
#endif /* MBEDTLS_SSL_CLI_C */
@@ -1087,10 +1086,10 @@
if( crt == NULL &&
ssl->conf->authmode != MBEDTLS_SSL_VERIFY_NONE )
{
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no certificate" ) );
- return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
+ return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
- return( SSL_WRITE_CERTIFICATE_VERIFY_SEND );
+ return( 0 );
#else /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
((void) crt);
@@ -1245,34 +1244,27 @@
int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
{
int ret = 0;
+ unsigned char *buf;
+ size_t buf_len, msg_len;
+
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
/* Coordination step: Check if we need to send a CertificateVerify */
MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_write_certificate_verify_coordinate( ssl ) );
- if( ret == SSL_WRITE_CERTIFICATE_VERIFY_SEND )
- {
- unsigned char *buf;
- size_t buf_len, msg_len;
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_start_handshake_msg( ssl,
- MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
+ ssl, buf, buf + buf_len, &msg_len ) );
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_certificate_verify_body(
- ssl, buf, buf + buf_len, &msg_len ) );
+ mbedtls_ssl_tls13_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len );
+ /* Update state */
+ MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_certificate_verify( ssl ) );
- mbedtls_ssl_tls13_add_hs_msg_to_checksum(
- ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, msg_len );
- /* Update state */
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_certificate_verify( ssl ) );
-
- MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
- ssl, buf_len, msg_len ) );
- }
- else
- {
- MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_certificate_verify( ssl ) );
- }
+ MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_finish_handshake_msg(
+ ssl, buf_len, msg_len ) );
cleanup:
@@ -1578,17 +1570,13 @@
break;
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
- if( ssl->handshake->client_auth )
- {
- mbedtls_ssl_handshake_set_state( ssl,
+ mbedtls_ssl_handshake_set_state( ssl,
MBEDTLS_SSL_CLIENT_CERTIFICATE );
- }
- else
+#else
+ mbedtls_ssl_handshake_set_state( ssl,
+ MBEDTLS_SSL_CLIENT_FINISHED );
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
- {
- mbedtls_ssl_handshake_set_state( ssl,
- MBEDTLS_SSL_CLIENT_FINISHED );
- }
+
break;
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );