Try and make the transition tests for CKE message clearer

The logic testing whether a CKE message is allowed or not was a little difficult to follow. This tries to clean it up. Reviewed-by: N Emilia Käsper <emilia@openssl.org>

Try and make the transition tests for CKE message clearer
The logic testing whether a CKE message is allowed or not was a little difficult to follow. This tries to clean it up. Reviewed-by: N Emilia Käsper <emilia@openssl.org>
0f512756 · Matt Caswell · 7d2c13a7 · 0f512756
隐藏空白更改
内联并排

Showing with 22 addition and 18 deletion

ssl/statem/statem_srvr.c ssl/statem/statem_srvr.c +22 -18

未找到文件。
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -101,30 +101,34 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
-        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
-                && (!s->s3->tmp.cert_request
-                    || (!((s->verify_mode & SSL_VERIFY_PEER) &&
-                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
-                        && (s->version == SSL3_VERSION)))) {
-            st->hand_state = TLS_ST_SR_KEY_EXCH;
-            return 1;
+        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
+            if (s->s3->tmp.cert_request) {
+                if (s->version == SSL3_VERSION) {
+                    if ((s->verify_mode & SSL_VERIFY_PEER) &&
+                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
+                        /*
+                         * This isn't an unexpected message as such - we're just
+                         * not going to accept it.
+                         */
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                                        SSL3_AD_HANDSHAKE_FAILURE);
+                        SSLerr(SSL_F_READ_STATE_MACHINE,
+                               SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+                        return 0;
+                    }
+                    st->hand_state = TLS_ST_SR_KEY_EXCH;
+                    return 1;
+                }
+            } else {
+                st->hand_state = TLS_ST_SR_KEY_EXCH;
+                return 1;
+            }
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        }
-        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE && s->s3->tmp.cert_request
-                && s->version == SSL3_VERSION) {
-            /*
-             * This isn't an unexpected message as such - we're just not going
-             * to accept it.
-             */
-            ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_HANDSHAKE_FAILURE);
-            SSLerr(SSL_F_READ_STATE_MACHINE,
-                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-            return 0;
-        }
        break;

    case TLS_ST_SR_CERT: