authorHanno Becker <hanno.becker@arm.com>2019-02-05 13:11:17 +0000
committerHanno Becker <hanno.becker@arm.com>2019-02-26 14:38:09 +0000
commit6bdfab2cccaf91d8546b471a8e4e4d2979635caa (patch)
treea9e73c7163bf6a6cdfe67bfd2312ed9703e50b56
parent7a955a043edbc48ec6b8dbf2dd660b1fc11deff5 (diff)
Unify state machine update in mbedtls_ssl_parse_certificate()
The handler `mbedtls_ssl_parse_certificate()` for incoming `Certificate` messages contains many branches updating the handshake state. For easier reasoning about state evolution, this commit introduces a single code-path updating the state machine at the end of `mbedtls_ssl_parse_certificate()`.
-rw-r--r--library/ssl_tls.c29
1 files changed, 12 insertions, 17 deletions
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 6239d67..8653afc 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -5962,7 +5962,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
{
- int ret;
+ int ret = 0;
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
ssl->transform_negotiate->ciphersuite_info;
#if defined(MBEDTLS_SSL_SRV_C) && defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
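Review bot: Initialising `ret` to 0 makes success the default return value of a certificate handler, so any later `goto exit;` that forgets to set `ret` would report success. The three skip branches changed in the following hunks (at -5982, -5991 and -6000) now depend on this initialiser instead of the explicit `return( 0 );` they had before. Consider keeping the success value explicit with `ret = 0;` immediately before each skip `goto exit;`, or at least a comment on the declaration such as `/* 0 is the value returned by the skip-certificate paths below */`. The function body continues outside this hunk, so whether `ret` is assigned before those branches is not visible here.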
@@ -5982,8 +5982,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
- ssl->state++;
- return( 0 );
+ goto exit;
}
#if defined(MBEDTLS_SSL_SRV_C)
@@ -5991,8 +5990,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
- ssl->state++;
- return( 0 );
+ goto exit;
}
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER &&
@@ -6000,9 +5998,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
{
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_SKIP_VERIFY;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
-
- ssl->state++;
- return( 0 );
+ goto exit;
}
#endif
@@ -6026,12 +6022,13 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
if( ssl_srv_check_client_no_crt_notification( ssl ) == 0 )
{
ssl->session_negotiate->verify_result = MBEDTLS_X509_BADCERT_MISSING;
- ssl->state++;
if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL )
- return( 0 );
+ ret = 0;
+ else
+ ret = MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
- return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE );
+ goto exit;
}
#endif /* MBEDTLS_SSL_SRV_C */
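Review bot: The unbraced `if`/`else` that selects the return code is followed directly by `goto exit;`, a layout where a later one-line edit can easily change which statement is conditional. Since this branch decides whether a missing client certificate is accepted, I would brace both arms or write the choice as a single assignment: `ret = ( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) ? 0 : MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;`. The enclosing block starts outside the hunk.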
@@ -6039,10 +6036,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ssl_clear_peer_cert( ssl->session_negotiate );
if( ( ret = ssl_parse_certificate_chain( ssl ) ) != 0 )
- {
- ssl->state++;
- return( ret );
- }
+ goto exit;
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
if( ssl->handshake->ecrs_enabled)
@@ -6188,10 +6182,11 @@ crt_verify:
#endif /* MBEDTLS_DEBUG_C */
}
- ssl->state++;
-
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
+exit:
+
+ ssl->state++;
return( ret );
}
#endif /* !MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
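Review bot: After `exit:` the handshake state is incremented on every path, including the error returns from `ssl_parse_certificate_chain()` and the missing-client-certificate case, and nothing at the label says this is intended. The removed lines show the old code also advanced the state on those paths, so behaviour looks preserved, but a single shared label makes it easy to route a new error here without noticing the state change. A short comment would help, for example `/* State advances even when ret != 0; a non-zero return is expected to end the handshake. */`. The expectation about callers is inferred and should be confirmed. The function body between the hunks is not visible, so other direct returns may still bypass this label.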