Remove certificate_verify_coordinate

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2025-07-30 22:43:08 +03:00 · 2021-10-25 15:06:49 +08:00
parent 982d9e5db2
commit da8cdf2fa9
1 changed files with 53 additions and 81 deletions
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -295,29 +295,7 @@ static void ssl_tls13_create_verify_structure( unsigned char *transcript_hash,
                                       1 +                          \
                                      MBEDTLS_TLS1_3_MD_MAX_SIZE    \
                                    )
-/* Coordinate: Check whether a certificate verify message is expected.
- * Returns a negative value on failure, and otherwise
- * - SSL_CERTIFICATE_VERIFY_SKIP
- * - SSL_CERTIFICATE_VERIFY_READ
- * to indicate if the CertificateVerify message should be present or not.
- */
-#define SSL_CERTIFICATE_VERIFY_SKIP 0
-#define SSL_CERTIFICATE_VERIFY_READ 1
-static int ssl_tls13_process_certificate_verify_coordinate(
-                                    mbedtls_ssl_context *ssl )
-{
-    if( mbedtls_ssl_tls1_3_some_psk_enabled( ssl ) )
-        return( SSL_CERTIFICATE_VERIFY_SKIP );

-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-    if( ssl->session_negotiate->peer_cert == NULL )
-        return( SSL_CERTIFICATE_VERIFY_SKIP );
-    return( SSL_CERTIFICATE_VERIFY_READ );
-#else
-    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-}

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
 static int ssl_tls13_sig_alg_is_offered( mbedtls_ssl_context *ssl, uint16_t sig_alg )
@ -493,16 +471,9 @@ static int ssl_tls13_process_certificate_verify_parse( mbedtls_ssl_context *ssl,

 int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
 {
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
-    /* Coordination step */
-    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
-
-    MBEDTLS_SSL_PROC_CHK_NEG( ssl_tls13_process_certificate_verify_coordinate( ssl ) );
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) // TBD: double-check
-    if( ret == SSL_CERTIFICATE_VERIFY_READ )
-    {
    unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
    size_t verify_buffer_len;
    unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
@ -510,6 +481,15 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
    unsigned char *buf;
    size_t buf_len;

+    if( mbedtls_ssl_tls1_3_some_psk_enabled( ssl ) )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+    if( ssl->session_negotiate->peer_cert == NULL )
+        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+
+
+    MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
+
    MBEDTLS_SSL_PROC_CHK(
        mbedtls_ssl_tls1_3_fetch_handshake_msg( ssl,
                MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len ) );
@ -546,24 +526,16 @@ int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )

    mbedtls_ssl_tls1_3_add_hs_msg_to_checksum( ssl,
                        MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf, buf_len );
-    }
-    else
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-    if( ret == SSL_CERTIFICATE_VERIFY_SKIP )
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate verify" ) );
-    }
-    else
-    {
-        MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
-        return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-    }
-

 cleanup:

    MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate verify" ) );
    return( ret );
+#else
+    ((void) ssl);
+    MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
+    return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 }

 /*