update based on comments

Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
This commit is contained in:
Xiaofei Bai 2022-02-08 07:28:04 +00:00
parent 6d42bb430c
commit 51f515a503
4 changed files with 22 additions and 38 deletions

View file

@ -267,9 +267,7 @@
/* Maximum size in bytes of list in supported elliptic curve ext., RFC 4492 */
#define MBEDTLS_SSL_MAX_CURVE_LIST_LEN 65535
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#define MBEDTLS_RECEIVED_SIG_ALGS_SIZE 20
#endif
/*
* Check that we obey the standard's message size bounds
@ -600,7 +598,8 @@ struct mbedtls_ssl_handshake_params
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
uint16_t received_sig_algs[MBEDTLS_RECEIVED_SIG_ALGS_SIZE];
#endif
@ -1700,11 +1699,6 @@ int mbedtls_ssl_tls13_start_handshake_msg( mbedtls_ssl_context *ssl,
unsigned char **buf,
size_t *buf_len );
/*
* Handler of TLS 1.3 server certificate request message
*/
int mbedtls_ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl );
/*
* Handler of TLS 1.3 server certificate message
*/

View file

@ -5579,14 +5579,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
mbedtls_free( (void*) handshake->sig_algs );
handshake->sig_algs = NULL;
#endif /* MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( ssl->handshake->certificate_request_context )
{
mbedtls_free( (void*) handshake->certificate_request_context );
}
handshake->certificate_request_context = NULL;
handshake->certificate_request_context_len = 0;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)

View file

@ -1523,11 +1523,7 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
{
MBEDTLS_SSL_DEBUG_MSG( 3,
( "Duplicate signature algorithms extensions found" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
mbedtls_ssl_handshake_free( ssl );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
goto error;
}
break;
@ -1544,11 +1540,8 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
if( p != end )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Signature algorithms extension length misaligned" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
mbedtls_ssl_handshake_free( ssl );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
( "CertificateRequset misaligned" ) );
goto error;
}
/* Check that we found signature algorithms extension */
if( ! sig_alg_ext_found )
@ -1556,16 +1549,17 @@ static int ssl_tls13_parse_certificate_request( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3,
( "no signature algorithms extension found" ) );
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Signature algorithms extension length misaligned" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
mbedtls_ssl_handshake_free( ssl );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
( "ssl_tls13_parse_certificate_request" ) );
goto error;
}
ssl->client_auth = 1;
return( 0 );
error:
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR );
return( MBEDTLS_ERR_SSL_DECODE_ERROR );
}
/*
@ -1602,7 +1596,8 @@ static int ssl_tls13_process_certificate_request( mbedtls_ssl_context *ssl )
else
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
goto cleanup;
}
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",

View file

@ -166,12 +166,11 @@ int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
p += 2;
memset( ssl->handshake->received_sig_algs, 0,
sizeof( ssl->handshake->received_sig_algs) );
sizeof(ssl->handshake->received_sig_algs) );
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, supported_sig_algs_len );
supported_sig_algs_end = p + supported_sig_algs_len;
while( p < supported_sig_algs_end &&
common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
while( p < supported_sig_algs_end )
{
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, supported_sig_algs_end, 2 );
sig_alg = MBEDTLS_GET_UINT16_BE( p, 0 );
@ -180,8 +179,11 @@ int mbedtls_ssl_tls13_parse_sig_alg_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 4, ( "received signature algorithm: 0x%x",
sig_alg ) );
if( mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) &&
mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
if( ! mbedtls_ssl_sig_alg_is_offered( ssl, sig_alg ) ||
! mbedtls_ssl_sig_alg_is_supported( ssl, sig_alg ) )
continue;
if( common_idx + 1 < MBEDTLS_RECEIVED_SIG_ALGS_SIZE )
{
ssl->handshake->received_sig_algs[common_idx] = sig_alg;
common_idx += 1;