AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

skip some extensions if ephemeral not enabled

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-01-11 16:28:00 +08:00
parent 63282b4321
commit f46b016058
3 changed files with 33 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
library/ssl_tls.c
View File

@ -7239,11 +7239,7 @@ int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl,
const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
*out_len = 0;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( mbedtls_ssl_conf_is_tls13_only( ssl->conf )
&& !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
return( 0 );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_groups extension" ) );
/* Check if we have space for header and length fields:

63
library/ssl_tls13_client.c
View File

@ -219,9 +219,6 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl,
*out_len = 0;
if( !mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
return( 0 );
/* Check if we have space for header and length fields:
* - extension_type (2 bytes)
* - extension_data_length (2 bytes)
@ -620,36 +617,40 @@ static int ssl_tls13_write_client_hello_body( mbedtls_ssl_context *ssl,
*
* It is REQUIRED for ECDHE cipher_suites.
*/
ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Skip the extensions on the client if all allowed key exchanges
* are PSK-based. */
if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
ret = mbedtls_ssl_write_supported_groups_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write key_share extension
*
* We need to send the key shares under three conditions:
* 1) A certificate-based ciphersuite is being offered. In this case
* supported_groups and supported_signature extensions have been
* successfully added.
* 2) A PSK-based ciphersuite with ECDHE is offered. In this case the
* psk_key_exchange_modes has been added as the last extension.
* 3) Or, in case all ciphers are supported ( which includes #1 and #2
* from above )
*/
ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write signature_algorithms extension
*
* It is REQUIRED for certificate authenticated cipher_suites.
*/
ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write key_share extension
*
* We need to send the key shares under three conditions:
* 1) A certificate-based ciphersuite is being offered. In this case
* supported_groups and supported_signature extensions have been
* successfully added.
* 2) A PSK-based ciphersuite with ECDHE is offered. In this case the
* psk_key_exchange_modes has been added as the last extension.
* 3) Or, in case all ciphers are supported ( which includes #1 and #2
* from above )
*/
ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
/* Write signature_algorithms extension
*
* It is REQUIRED for certificate authenticated cipher_suites.
*/
ret = mbedtls_ssl_tls13_write_sig_alg_ext( ssl, p, end, &output_len );
if( ret != 0 )
return( ret );
p += output_len;
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)

10
library/ssl_tls13_generic.c
View File

@ -165,16 +165,6 @@ int mbedtls_ssl_tls13_write_sig_alg_ext( mbedtls_ssl_context *ssl,
*out_len = 0;
/* Skip the extension on the client if all allowed key exchanges
* are PSK-based. */
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
!mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
return( 0 );
}
#endif /* MBEDTLS_SSL_CLI_C */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding signature_algorithms extension" ) );
/* Check if we have space for header and length field: