mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 00:05:36 +01:00
Adapt ECDHE_ECDSA key exchange to restartable EC
For now some other key exchanges (ECDHE_PSK) will just fail to work, this will be either fixed or properly fixed later.
This commit is contained in:
parent
b3c8307960
commit
2350b4ebdc
@ -88,6 +88,14 @@
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
|
||||
/* Shorthand for restartable */
|
||||
#if defined(MBEDTLS_ECP_RESTARTABLE) && \
|
||||
defined(MBEDTLS_SSL_CLI_C) && \
|
||||
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#define MBEDTLS_SSL__ECP_RESTARTABLE
|
||||
#endif
|
||||
|
||||
#define MBEDTLS_SSL_INITIAL_HANDSHAKE 0
|
||||
#define MBEDTLS_SSL_RENEGOTIATION_IN_PROGRESS 1 /* In progress */
|
||||
#define MBEDTLS_SSL_RENEGOTIATION_DONE 2 /* Done or aborted */
|
||||
@ -218,6 +226,14 @@ struct mbedtls_ssl_handshake_params
|
||||
mbedtls_x509_crl *sni_ca_crl; /*!< trusted CAs CRLs from SNI */
|
||||
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
enum {
|
||||
ssl_ecrs_init = 0, /*!< just getting started */
|
||||
ssl_ecrs_ecdh_public_done, /*!< wrote ECDHE public share */
|
||||
ssl_ecrs_ecdh_completed, /*!< completed ECDHE key exchange */
|
||||
} ecrs_state; /*!< state for restartable ECC */
|
||||
size_t ecrs_n; /*!< place for seving a length */
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
|
||||
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
|
||||
|
@ -2861,6 +2861,11 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
*/
|
||||
i = 4;
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( ssl->handshake->ecrs_state == ssl_ecrs_ecdh_public_done )
|
||||
goto ecdh_calc_secret;
|
||||
#endif
|
||||
|
||||
ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx,
|
||||
&n,
|
||||
&ssl->out_msg[i], 1000,
|
||||
@ -2873,6 +2878,13 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
|
||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
ssl->handshake->ecrs_n = n;
|
||||
ssl->handshake->ecrs_state++;
|
||||
|
||||
ecdh_calc_secret:
|
||||
n = ssl->handshake->ecrs_n;
|
||||
#endif
|
||||
if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
|
||||
&ssl->handshake->pmslen,
|
||||
ssl->handshake->premaster,
|
||||
@ -2884,6 +2896,10 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
ssl->handshake->ecrs_state++;
|
||||
#endif
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||
|
@ -3441,6 +3441,48 @@ run_test "Large packet TLS 1.2 AEAD shorter tag" \
|
||||
0 \
|
||||
-s "Read from client: 16384 bytes read"
|
||||
|
||||
# Tests for restartable ECC
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, default" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
debug_level=1" \
|
||||
0 \
|
||||
-C "mbedtls_ecdh_make_public.*4b80"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, max_ops=0" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
debug_level=1 ec_max_ops=0" \
|
||||
0 \
|
||||
-C "mbedtls_ecdh_make_public.*4b80"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, max_ops=65535" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
debug_level=1 ec_max_ops=65535" \
|
||||
0 \
|
||||
-C "mbedtls_ecdh_make_public.*4b80"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: TLS, max_ops=1000" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
debug_level=1 ec_max_ops=1000" \
|
||||
0 \
|
||||
-c "mbedtls_ecdh_make_public.*4b80"
|
||||
|
||||
requires_config_enabled MBEDTLS_ECP_RESTARTABLE
|
||||
run_test "EC restart: DTLS, max_ops=1000" \
|
||||
"$P_SRV dtls=1" \
|
||||
"$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \
|
||||
dtls=1 debug_level=1 ec_max_ops=1000" \
|
||||
0 \
|
||||
-c "mbedtls_ecdh_make_public.*4b80"
|
||||
|
||||
# Tests for DTLS HelloVerifyRequest
|
||||
|
||||
run_test "DTLS cookie: enabled" \
|
||||
|
Loading…
Reference in New Issue
Block a user