Try and make the transition tests for CKE message clearer

The logic testing whether a CKE message is allowed or not was a little difficult to follow. This tries to clean it up. Reviewed-by: Emilia Käsper <emilia@openssl.org>
2025-02-23 14:42:15 +08:00 · 2016-07-15 10:36:42 +01:00 · 2016-07-15 10:36:42 +01:00 · 0f512756e2
commit 0f512756e2
parent 7d2c13a705
1 changed files with 22 additions and 18 deletions
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@ -101,30 +101,34 @@ int ossl_statem_server_read_transition(SSL *s, int mt)
         *      b) We are running SSL3 (in TLS1.0+ the client must return a 0
         *         list if we requested a certificate)
         */
-        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE
-                && (!s->s3->tmp.cert_request
-                    || (!((s->verify_mode & SSL_VERIFY_PEER) &&
-                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT))
-                        && (s->version == SSL3_VERSION)))) {
+        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE) {
+            if (s->s3->tmp.cert_request) {
+                if (s->version == SSL3_VERSION) {
+                    if ((s->verify_mode & SSL_VERIFY_PEER) &&
+                          (s->verify_mode & SSL_VERIFY_FAIL_IF_NO_PEER_CERT)) {
+                        /*
+                         * This isn't an unexpected message as such - we're just
+                         * not going to accept it.
+                         */
+                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                                        SSL3_AD_HANDSHAKE_FAILURE);
+                        SSLerr(SSL_F_READ_STATE_MACHINE,
+                               SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
+                        return 0;
+                    }
                    st->hand_state = TLS_ST_SR_KEY_EXCH;
                    return 1;
+                }
+            } else {
+                st->hand_state = TLS_ST_SR_KEY_EXCH;
+                return 1;
+            }
        } else if (s->s3->tmp.cert_request) {
            if (mt == SSL3_MT_CERTIFICATE) {
                st->hand_state = TLS_ST_SR_CERT;
                return 1;
            }
        }
-        if (mt == SSL3_MT_CLIENT_KEY_EXCHANGE && s->s3->tmp.cert_request
-                && s->version == SSL3_VERSION) {
-            /*
-             * This isn't an unexpected message as such - we're just not going
-             * to accept it.
-             */
-            ssl3_send_alert(s, SSL3_AL_FATAL, SSL3_AD_HANDSHAKE_FAILURE);
-            SSLerr(SSL_F_READ_STATE_MACHINE,
-                   SSL_R_PEER_DID_NOT_RETURN_A_CERTIFICATE);
-            return 0;
-        }
        break;

    case TLS_ST_SR_CERT: