From 2a831a4ba7c1344ecd219e735adca1987e090154 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Thu, 7 Feb 2019 13:17:25 +0000 Subject: [PATCH] Adapt client auth detection in ssl_parse_certificate_verify() The server expects a CertificateVerify message only if it has previously received a Certificate from the client. So far, this was detected by looking at the `peer_cert` field in the current session. Preparing to remove the latter, this commit changes this to instead determine the presence of a peer certificate by checking the new `peer_cert_digest` pointer. --- library/ssl_srv.c | 19 +++++++++++++++++-- 1 file changed, 17 insertions(+), 2 deletions(-) diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 3fe0d6c07..c96908956 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -4066,14 +4066,29 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); - if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) || - ssl->session_negotiate->peer_cert == NULL ) + if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); ssl->state++; return( 0 ); } +#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) + if( ssl->session_negotiate->peer_cert == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); + ssl->state++; + return( 0 ); + } +#else /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + if( ssl->session_negotiate->peer_cert_digest == NULL ) + { + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) ); + ssl->state++; + return( 0 ); + } +#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ + /* Read the message without adding it to the checksum */ ret = mbedtls_ssl_read_record( ssl, 0 /* no checksum update */ ); if( 0 != ret )