mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-02 14:54:16 +01:00
Introduce helper function to determine whether suite uses server CRT
This commit introduces a static helper function `mbedtls_ssl_ciphersuite_uses_srv_cert()` which determines whether a ciphersuite may make use of server-side CRTs. This function is in turn uses in `mbedtls_ssl_parse_certificate()` to skip certificate parsing for ciphersuites which don't involve CRTs. Note: Ciphersuites not using server-side CRTs don't allow client-side CRTs either, so it is safe to guard `mbedtls_ssl_{parse/write}_certificate()` this way. Note: Previously, the code uses a positive check over the suites - MBEDTLS_KEY_EXCHANGE_PSK - MBEDTLS_KEY_EXCHANGE_DHE_PSK - MBEDTLS_KEY_EXCHANGE_ECDHE_PSK - MBEDTLS_KEY_EXCHANGE_ECJPAKE, while now, it uses a negative check over `mbedtls_ssl_ciphersuite_uses_srv_cert()`, which checks for the suites - MBEDTLS_KEY_EXCHANGE_RSA - MBEDTLS_KEY_EXCHANGE_RSA_PSK - MBEDTLS_KEY_EXCHANGE_DHE_RSA - MBEDTLS_KEY_EXCHANGE_ECDH_RSA - MBEDTLS_KEY_EXCHANGE_ECDHE_RSA - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA This is equivalent since, together, those are all ciphersuites. Quoting ssl_ciphersuites.h: ``` typedef enum { MBEDTLS_KEY_EXCHANGE_NONE = 0, MBEDTLS_KEY_EXCHANGE_RSA, MBEDTLS_KEY_EXCHANGE_DHE_RSA, MBEDTLS_KEY_EXCHANGE_ECDHE_RSA, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, MBEDTLS_KEY_EXCHANGE_PSK, MBEDTLS_KEY_EXCHANGE_DHE_PSK, MBEDTLS_KEY_EXCHANGE_RSA_PSK, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, MBEDTLS_KEY_EXCHANGE_ECJPAKE, } mbedtls_key_exchange_type_t; ```
This commit is contained in:
parent
b71e90acc5
commit
5097cba93c
@ -486,6 +486,24 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ci
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
|
{
|
||||||
|
switch( info->key_exchange )
|
||||||
|
{
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||||
|
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||||
|
return( 1 );
|
||||||
|
|
||||||
|
default:
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
||||||
static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
|
static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||||
{
|
{
|
||||||
|
@ -5979,10 +5979,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||||
|
|
||||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
@ -5999,10 +5996,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||||
|
|
||||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
@ -6025,10 +6019,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||||
|
|
||||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate" ) );
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
@ -6169,7 +6160,6 @@ static int ssl_parse_certificate_chain( mbedtls_ssl_context *ssl )
|
|||||||
size_t i, n;
|
size_t i, n;
|
||||||
uint8_t alert;
|
uint8_t alert;
|
||||||
|
|
||||||
|
|
||||||
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
|
if( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate message" ) );
|
||||||
@ -6384,10 +6374,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||||
|
|
||||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
|
||||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate" ) );
|
||||||
goto exit;
|
goto exit;
|
||||||
|
Loading…
Reference in New Issue
Block a user