lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

ssl_tls12_client.c: Remove some unnecessary checks on TLS minor version

Browse Source 
ssl_tls12_client.c contains only TLS 1.2 specific
code thus remove some checks on the minor version
version being MBEDTLS_SSL_MINOR_VERSION_3. No aim
for completeness, ssl_parse_server_hello() is not
reworked here for example.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2022-03-07 11:11:36 +01:00
parent a25cf58681
commit 90915f2a21
1 changed files with 83 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
library/ssl_tls12_client.c
View File

@ -2531,12 +2531,6 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
*md_alg = MBEDTLS_MD_NONE; *md_alg = MBEDTLS_MD_NONE;
*pk_alg = MBEDTLS_PK_NONE; *pk_alg = MBEDTLS_PK_NONE;
/* Only in TLS 1.2 */
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
{
return( 0 );
}
if( (*p) + 2 > end ) if( (*p) + 2 > end )
return( MBEDTLS_ERR_SSL_DECODE_ERROR ); return( MBEDTLS_ERR_SSL_DECODE_ERROR );
@ -2903,8 +2897,6 @@ start_processing:
/* /*
* Handle the digitally-signed structure * Handle the digitally-signed structure
*/ */
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
if( ssl_parse_signature_algorithm( ssl, &p, end, if( ssl_parse_signature_algorithm( ssl, &p, end,
&md_alg, &pk_alg ) != 0 ) &md_alg, &pk_alg ) != 0 )
{ {
@ -2928,12 +2920,6 @@ start_processing:
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
} }
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* /*
* Read signature * Read signature
@ -3074,6 +3060,10 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
size_t cert_type_len = 0, dn_len = 0; size_t cert_type_len = 0, dn_len = 0;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
size_t sig_alg_len;
#if defined(MBEDTLS_DEBUG_C)
unsigned char *sig_alg;
#endif
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
@ -3170,15 +3160,8 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
} }
/* supported_signature_algorithms */ /* supported_signature_algorithms */
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
{
size_t sig_alg_len =
( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) ); | ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
#if defined(MBEDTLS_DEBUG_C)
unsigned char* sig_alg;
size_t i;
#endif
/* /*
* The furthest access in buf is in the loop few lines below: * The furthest access in buf is in the loop few lines below:
@ -3192,8 +3175,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
* buf[...hdr_len + 3 + n + sig_alg_len], * buf[...hdr_len + 3 + n + sig_alg_len],
* which is one less than we need the buf to be. * which is one less than we need the buf to be.
*/ */
if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) if( ssl->in_hslen <= mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n + sig_alg_len )
+ 3 + n + sig_alg_len )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate request message" ) );
mbedtls_ssl_send_alert_message( mbedtls_ssl_send_alert_message(
@ -3205,7 +3187,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_DEBUG_C) #if defined(MBEDTLS_DEBUG_C)
sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n; sig_alg = buf + mbedtls_ssl_hs_hdr_len( ssl ) + 3 + n;
for( i = 0; i < sig_alg_len; i += 2 ) for( size_t i = 0; i < sig_alg_len; i += 2 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 3, MBEDTLS_SSL_DEBUG_MSG( 3,
( "Supported Signature Algorithm found: %d,%d", ( "Supported Signature Algorithm found: %d,%d",
@ -3214,7 +3196,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
#endif #endif
n += 2 + sig_alg_len; n += 2 + sig_alg_len;
}
/* certificate_authorities */ /* certificate_authorities */
dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
@ -3612,7 +3593,6 @@ ecdh_calc_secret:
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ #if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK && if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK &&
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
ssl_conf_has_static_raw_psk( ssl->conf ) == 0 ) ssl_conf_has_static_raw_psk( ssl->conf ) == 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, MBEDTLS_SSL_DEBUG_MSG( 1,
@ -3783,8 +3763,6 @@ sign:
ssl->handshake->calc_verify( ssl, hash, &hashlen ); ssl->handshake->calc_verify( ssl, hash, &hashlen );
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{
/* /*
* digitally-signed struct { * digitally-signed struct {
* opaque handshake_messages[handshake_messages_length]; * opaque handshake_messages[handshake_messages_length];
@ -3816,12 +3794,6 @@ sign:
/* Info from md_alg will be used instead */ /* Info from md_alg will be used instead */
hashlen = 0; hashlen = 0;
offset = 2; offset = 2;
}
else
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
#if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED)
if( ssl->handshake->ecrs_enabled ) if( ssl->handshake->ecrs_enabled )