From 989f06d52d32e7f640c264e86242d4a6c0bc3ada Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Tue, 17 May 2022 01:50:15 +0000 Subject: [PATCH] Change some comments base on review Change-Id: I3db2b8ca8162eb368d2f17dfeffee8b25f9edf6f Signed-off-by: XiaokangQian --- library/ssl_tls13_generic.c | 28 +++++++++++++++++++--------- library/ssl_tls13_server.c | 2 +- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index ef27644ec6..49ed112672 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -551,32 +551,39 @@ static int ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl, static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) { int ret = 0; - int authmode = ssl->conf->authmode; + int authmode = MBEDTLS_SSL_VERIFY_REQUIRED; mbedtls_x509_crt *ca_chain; mbedtls_x509_crl *ca_crl; uint32_t verify_result = 0; /* If SNI was used, overwrite authentication mode * from the configuration. */ +#if defined(MBEDTLS_SSL_SRV_C) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + { #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) - if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) - authmode = ssl->handshake->sni_authmode; + if( ssl->handshake->sni_authmode != MBEDTLS_SSL_VERIFY_UNSET ) + authmode = ssl->handshake->sni_authmode; + else +#endif + authmode = ssl->conf->authmode; + } #endif /* - * If the client hasn't sent a certificate ( i.e. it sent + * If the peer hasn't sent a certificate ( i.e. it sent * an empty certificate chain ), this is reflected in the peer CRT * structure being unset. * Check for that and handle it depending on the - * server's authentication mode. + * authentication mode. */ if( ssl->session_negotiate->peer_cert == NULL ) { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "peer has not sent a certificate" ) ); + #if defined(MBEDTLS_SSL_SRV_C) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "client has no certificate" ) ); - /* The client was asked for a certificate but didn't send * one. The client should know what's going on, so we * don't send an alert. @@ -585,7 +592,11 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) if( authmode == MBEDTLS_SSL_VERIFY_OPTIONAL ) return( 0 ); else - return( MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE ); + { + MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_NO_CERT, + MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); + return( MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE ); + } } #endif /* MBEDTLS_SSL_SRV_C */ @@ -654,7 +665,6 @@ static int ssl_tls13_validate_certificate( mbedtls_ssl_context *ssl ) ret = 0; } - if( ca_chain == NULL && authmode == MBEDTLS_SSL_VERIFY_REQUIRED ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no CA chain" ) ); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 43018d0dbf..e45db76c2e 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1626,7 +1626,7 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) case MBEDTLS_SSL_CLIENT_CERTIFICATE: ret = mbedtls_ssl_tls13_process_certificate( ssl ); - if( ret == 0 && ssl->session_negotiate->peer_cert != NULL) + if( ret == 0 && ssl->session_negotiate->peer_cert != NULL ) { mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY );