Refine code base on review
Remove useless hrr code Share validate_cipher_suit between client and server Fix test failure when tls13 only in server side Change-Id: I5d6a7932bd8448ebf542bc86cdcab8862bc28e9b Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
parent
318dc763a6
commit
75d40ef8cb
@ -4936,6 +4936,22 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
|
||||
const unsigned char *random, size_t rlen,
|
||||
unsigned char *dstbuf, size_t dlen );
|
||||
|
||||
/**
|
||||
* \brief Validate cipher suite against config in SSL context.
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param suite_info Cipher suite to validate
|
||||
* \param min_tls_version Minimal TLS version to accept a cipher suite
|
||||
* \param max_tls_version Maximal TLS version to accept a cipher suite
|
||||
*
|
||||
* \return 0 if valid, negative value otherwise.
|
||||
*/
|
||||
int mbedtls_ssl_validate_ciphersuite(
|
||||
const mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info,
|
||||
mbedtls_ssl_protocol_version min_tls_version,
|
||||
mbedtls_ssl_protocol_version max_tls_version );
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
@ -413,45 +413,6 @@ static int ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||
|
||||
int mbedtls_ssl_validate_ciphersuite(
|
||||
const mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info,
|
||||
mbedtls_ssl_protocol_version min_tls_version,
|
||||
mbedtls_ssl_protocol_version max_tls_version )
|
||||
{
|
||||
(void) ssl;
|
||||
|
||||
if( suite_info == NULL )
|
||||
return( -1 );
|
||||
|
||||
if( ( suite_info->min_tls_version > max_tls_version ) ||
|
||||
( suite_info->max_tls_version < min_tls_version ) )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Don't suggest PSK-based ciphersuite if no PSK is available. */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
|
||||
mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
static int ssl_write_client_hello_cipher_suites(
|
||||
mbedtls_ssl_context *ssl,
|
||||
unsigned char *buf,
|
||||
|
@ -28,22 +28,6 @@
|
||||
|
||||
#include <stddef.h>
|
||||
|
||||
/**
|
||||
* \brief Validate cipher suite against config in SSL context.
|
||||
*
|
||||
* \param ssl SSL context
|
||||
* \param suite_info Cipher suite to validate
|
||||
* \param min_tls_version Minimal TLS version to accept a cipher suite
|
||||
* \param max_tls_version Maximal TLS version to accept a cipher suite
|
||||
*
|
||||
* \return 0 if valid, negative value otherwise.
|
||||
*/
|
||||
int mbedtls_ssl_validate_ciphersuite(
|
||||
const mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info,
|
||||
mbedtls_ssl_protocol_version min_tls_version,
|
||||
mbedtls_ssl_protocol_version max_tls_version );
|
||||
|
||||
int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
|
||||
|
||||
#endif /* MBEDTLS_SSL_CLIENT_H */
|
||||
|
@ -589,6 +589,8 @@ struct mbedtls_ssl_handshake_params
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
/** selected_group of key_share extension in HelloRetryRequest message. */
|
||||
uint16_t hrr_selected_group;
|
||||
/** selected_group of key_share extension in ClientHello message. */
|
||||
uint16_t selected_group;
|
||||
#endif /* MBEDTLS_SSL_SRV_C */
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
|
@ -4216,6 +4216,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
|
||||
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
|
||||
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
|
||||
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
|
||||
#else
|
||||
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||
#endif
|
||||
@ -7771,4 +7774,43 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session,
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
int mbedtls_ssl_validate_ciphersuite(
|
||||
const mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info,
|
||||
mbedtls_ssl_protocol_version min_tls_version,
|
||||
mbedtls_ssl_protocol_version max_tls_version )
|
||||
{
|
||||
(void) ssl;
|
||||
|
||||
if( suite_info == NULL )
|
||||
return( -1 );
|
||||
|
||||
if( ( suite_info->min_tls_version > max_tls_version ) ||
|
||||
( suite_info->max_tls_version < min_tls_version ) )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
/* Don't suggest PSK-based ciphersuite if no PSK is available. */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
|
||||
mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
|
||||
{
|
||||
return( -1 );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
|
@ -24,7 +24,6 @@
|
||||
#include "mbedtls/debug.h"
|
||||
|
||||
#include "ssl_misc.h"
|
||||
#include "ssl_client.h"
|
||||
#include "ssl_tls13_keys.h"
|
||||
#include "ssl_debug_helpers.h"
|
||||
#include <string.h>
|
||||
@ -116,7 +115,7 @@ static int ssl_tls13_parse_supported_groups_ext(
|
||||
p += 2;
|
||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
|
||||
named_group_list_end = p + named_group_list_len;
|
||||
ssl->handshake->hrr_selected_group = 0;
|
||||
ssl->handshake->selected_group = 0;
|
||||
|
||||
while( p < named_group_list_end )
|
||||
{
|
||||
@ -129,7 +128,7 @@ static int ssl_tls13_parse_supported_groups_ext(
|
||||
|
||||
if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
|
||||
! mbedtls_ssl_named_group_is_supported( named_group ) ||
|
||||
ssl->handshake->hrr_selected_group != 0 )
|
||||
ssl->handshake->selected_group != 0 )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
@ -137,7 +136,7 @@ static int ssl_tls13_parse_supported_groups_ext(
|
||||
MBEDTLS_SSL_DEBUG_MSG(
|
||||
2, ( "add named group (%04x) into received list.",
|
||||
named_group ) );
|
||||
ssl->handshake->hrr_selected_group = named_group;
|
||||
ssl->handshake->selected_group = named_group;
|
||||
}
|
||||
|
||||
return( 0 );
|
||||
@ -384,7 +383,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
const unsigned char *extensions_end;
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
|
||||
int hrr_required = 0;
|
||||
|
||||
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
|
||||
|
||||
@ -682,9 +680,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
|
||||
}
|
||||
|
||||
if( hrr_required == 1 )
|
||||
return( SSL_CLIENT_HELLO_HRR_REQUIRED );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user