cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-30 19:20:40 -04:00
Code Issues Packages Projects Releases Wiki Activity

Refactor ssl_tls13_parse_certificate_verify

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2021-10-29 20:12:51 +08:00
parent daac359331
commit 6f87f2521c
1 changed files with 18 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
library/ssl_tls13_generic.c
View File

@ -341,8 +341,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
* certificates and decides to abort the handshake, then it MUST abort the handshake * certificates and decides to abort the handshake, then it MUST abort the handshake
* with an appropriate certificate-related alert (by default, "unsupported_certificate"). * with an appropriate certificate-related alert (by default, "unsupported_certificate").
* *
* Check if algorithm is an offered signature algorithm. Send `unsupported_certificate` * Check if algorithm is an offered signature algorithm.
* alert message on failure.
*/ */
if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) ) if( ! ssl_tls13_sig_alg_is_offered( ssl, algorithm ) )
{ {
@ -350,10 +349,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not " MBEDTLS_SSL_DEBUG_MSG( 1, ( "Received signature algorithm(%04x) is not "
"offered.", "offered.",
( unsigned int ) algorithm ) ); ( unsigned int ) algorithm ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( goto error;
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
/* We currently only support ECDSA-based signatures */ /* We currently only support ECDSA-based signatures */
@ -373,10 +369,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
break; break;
default: default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "Certificate Verify: Unknown signature algorithm." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( goto error;
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )", MBEDTLS_SSL_DEBUG_MSG( 3, ( "Certificate Verify: Signature algorithm ( %04x )",
@ -388,10 +381,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) ) if( !mbedtls_pk_can_do( &ssl->session_negotiate->peer_cert->pk, sig_alg ) )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "signature algorithm doesn't match cert key" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( goto error;
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
@ -431,10 +421,7 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
if( ret != 0 ) if( ret != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "hash computation error", ret );
MBEDTLS_SSL_PEND_FATAL_ALERT( goto error;
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len ); MBEDTLS_SSL_DEBUG_BUF( 3, "verify hash", verify_hash, verify_hash_len );
@ -442,21 +429,22 @@ static int ssl_tls13_parse_certificate_verify( mbedtls_ssl_context *ssl,
if( ( ret = mbedtls_pk_verify_ext( sig_alg, NULL, if( ( ret = mbedtls_pk_verify_ext( sig_alg, NULL,
&ssl->session_negotiate->peer_cert->pk, &ssl->session_negotiate->peer_cert->pk,
md_alg, verify_hash, verify_hash_len, md_alg, verify_hash, verify_hash_len,
p, signature_len ) ) != 0 ) p, signature_len ) ) == 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret ); return( 0 );
/* RFC 8446 section 4.4.3
*
* If the verification fails, the receiver MUST terminate the handshake
* with a "decrypt_error" alert.
*/
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR, ret );
return( ret );
} }
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_pk_verify_ext", ret );
error:
/* RFC 8446 section 4.4.3
*
* If the verification fails, the receiver MUST terminate the handshake
* with a "decrypt_error" alert.
*/
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( 0 );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */