mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-27 05:54:16 +01:00
Merge remote-tracking branch 'origin/pr/606' into baremetal
This commit is contained in:
commit
92bb0e954b
@ -60,6 +60,7 @@
|
||||
/* Key exchanges */
|
||||
#define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||
#define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
#define MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
|
||||
/* Digests - just SHA-256 */
|
||||
#define MBEDTLS_MD_C
|
||||
|
@ -3641,6 +3641,17 @@
|
||||
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
||||
//#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENFORCE_DISABLED
|
||||
|
||||
/* Set this to MBEDTLS_SUITE_{OFFICIAL_SUITE_NAME} to hardcode
|
||||
* the choice of a fixed ciphersuite at compile-time.
|
||||
*
|
||||
* You need to make sure that the corresponding ciphersuite attributes
|
||||
* are defined through macros in ssl_ciphersuites.h. See the definitions
|
||||
* of MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_XXX for an example.
|
||||
*
|
||||
* If this option is set, the API mbedtls_ssl_conf_ciphersuites() is removed.
|
||||
*/
|
||||
//#define MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
|
||||
/* \} SECTION: Compile-time SSL configuration */
|
||||
|
||||
/* Target and application specific configurations
|
||||
|
@ -33,8 +33,6 @@
|
||||
#include "bignum.h"
|
||||
#include "ecp.h"
|
||||
|
||||
#include "ssl_ciphersuites.h"
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
#include "x509_crt.h"
|
||||
#include "x509_crl.h"
|
||||
@ -401,6 +399,84 @@
|
||||
|
||||
#define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO 0xFF01
|
||||
|
||||
/*
|
||||
* Helper macros indicating whether certain classes
|
||||
* of key exchanges are enabled in the configuration.
|
||||
*/
|
||||
|
||||
/* Key exchanges using a certificate */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges allowing client certificate requests */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges involving server signature in ServerKeyExchange */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using ECDH */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges that don't involve ephemeral keys */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges that involve ephemeral keys */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using a PSK */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using DHE */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using ECDHE */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
|
||||
#endif
|
||||
|
||||
/*
|
||||
* Size defines
|
||||
*/
|
||||
@ -847,7 +923,9 @@ struct mbedtls_ssl_session
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
mbedtls_time_t start; /*!< starting time */
|
||||
#endif
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
int ciphersuite; /*!< chosen ciphersuite */
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
int compression; /*!< chosen compression */
|
||||
size_t id_len; /*!< session id length */
|
||||
unsigned char id[32]; /*!< session identifier */
|
||||
@ -896,7 +974,9 @@ struct mbedtls_ssl_config
|
||||
* Pointers
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
const int *ciphersuite_list[4]; /*!< allowed ciphersuites per version */
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
/** Callback for printing debug output */
|
||||
void (*f_dbg)(void *, int, const char *, int, const char *);
|
||||
@ -2390,6 +2470,7 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
||||
*/
|
||||
const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_context *ssl );
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
/**
|
||||
* \brief Set the list of allowed ciphersuites and the preference
|
||||
* order. First in the list has the highest preference.
|
||||
@ -2402,11 +2483,43 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
|
||||
* over the preference of the client unless
|
||||
* MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE is defined!
|
||||
*
|
||||
* \note On constrained systems, support for a single ciphersuite
|
||||
* (in all versions) can be fixed at compile-time through
|
||||
* the configuration option MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param ciphersuites 0-terminated list of allowed ciphersuites
|
||||
*/
|
||||
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
|
||||
const int *ciphersuites );
|
||||
const int *ciphersuites );
|
||||
|
||||
/**
|
||||
* \brief Set the list of allowed ciphersuites and the
|
||||
* preference order for a specific version of the protocol.
|
||||
* (Only useful on the server side)
|
||||
*
|
||||
* The ciphersuites array is not copied, and must remain
|
||||
* valid for the lifetime of the ssl_config.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param ciphersuites 0-terminated list of allowed ciphersuites
|
||||
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
|
||||
* supported)
|
||||
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
|
||||
* MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
|
||||
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
|
||||
*
|
||||
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
|
||||
* and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
|
||||
*
|
||||
* \note On constrained systems, support for a single ciphersuite
|
||||
* (in all versions) can be fixed at compile-time through
|
||||
* the configuration option MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE.
|
||||
*/
|
||||
void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
|
||||
const int *ciphersuites,
|
||||
int major, int minor );
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#define MBEDTLS_SSL_UNEXPECTED_CID_IGNORE 0
|
||||
#define MBEDTLS_SSL_UNEXPECTED_CID_FAIL 1
|
||||
@ -2455,29 +2568,6 @@ int mbedtls_ssl_conf_cid( mbedtls_ssl_config *conf, size_t len,
|
||||
!MBEDTLS_SSL_CONF_CID_LEN &&
|
||||
!MBEDTLS_SSL_CONF_IGNORE_UNEXPECTED_CID */
|
||||
|
||||
/**
|
||||
* \brief Set the list of allowed ciphersuites and the
|
||||
* preference order for a specific version of the protocol.
|
||||
* (Only useful on the server side)
|
||||
*
|
||||
* The ciphersuites array is not copied, and must remain
|
||||
* valid for the lifetime of the ssl_config.
|
||||
*
|
||||
* \param conf SSL configuration
|
||||
* \param ciphersuites 0-terminated list of allowed ciphersuites
|
||||
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3
|
||||
* supported)
|
||||
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
|
||||
* MBEDTLS_SSL_MINOR_VERSION_1 and MBEDTLS_SSL_MINOR_VERSION_2,
|
||||
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
|
||||
*
|
||||
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0
|
||||
* and MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
|
||||
*/
|
||||
void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
|
||||
const int *ciphersuites,
|
||||
int major, int minor );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
/**
|
||||
* \brief Set the X.509 security profile used for verification
|
||||
@ -3915,6 +4005,8 @@ void mbedtls_ssl_session_init( mbedtls_ssl_session *session );
|
||||
*/
|
||||
void mbedtls_ssl_session_free( mbedtls_ssl_session *session );
|
||||
|
||||
#include "ssl_ciphersuites.h"
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
@ -33,6 +33,8 @@
|
||||
#include "pk.h"
|
||||
#include "cipher.h"
|
||||
#include "md.h"
|
||||
#include "ssl.h"
|
||||
#include <string.h>
|
||||
|
||||
#ifdef __cplusplus
|
||||
extern "C" {
|
||||
@ -304,79 +306,6 @@ typedef enum {
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE,
|
||||
} mbedtls_key_exchange_type_t;
|
||||
|
||||
/* Key exchanges using a certificate */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges allowing client certificate requests */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges involving server signature in ServerKeyExchange */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using ECDH */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges that don't involve ephemeral keys */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges that involve ephemeral keys */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using a PSK */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using DHE */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED
|
||||
#endif
|
||||
|
||||
/* Key exchanges using ECDHE */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
#define MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED
|
||||
#endif
|
||||
|
||||
typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
|
||||
|
||||
#define MBEDTLS_CIPHERSUITE_WEAK 0x01 /**< Weak ciphersuite flag */
|
||||
@ -384,6 +313,61 @@ typedef struct mbedtls_ssl_ciphersuite_t mbedtls_ssl_ciphersuite_t;
|
||||
eg for CCM_8 */
|
||||
#define MBEDTLS_CIPHERSUITE_NODTLS 0x04 /**< Can't be used with DTLS */
|
||||
|
||||
/*
|
||||
* Ciphersuite macro definitions
|
||||
*
|
||||
* This is highly incomplete and only contains those ciphersuites for
|
||||
* which we need to be able to build the library with support for that
|
||||
* ciphersuite only (currently MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8
|
||||
* as an example).
|
||||
*/
|
||||
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_ID MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_NAME "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8"
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_CIPHER MBEDTLS_CIPHER_AES_128_CCM
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_MAC MBEDTLS_MD_SHA256
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_KEY_EXCHANGE MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
|
||||
#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8_FLAGS MBEDTLS_CIPHERSUITE_SHORT_TAG
|
||||
|
||||
/* This is just to make check-names.sh happy -- don't uncomment. */
|
||||
//#define MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
|
||||
/*
|
||||
* Helper macros to extract fields from ciphersuites.
|
||||
*/
|
||||
|
||||
#define MBEDTLS_SSL_SUITE_ID_T( SUITE ) SUITE ## _ID
|
||||
#define MBEDTLS_SSL_SUITE_NAME_T( SUITE ) SUITE ## _NAME
|
||||
#define MBEDTLS_SSL_SUITE_CIPHER_T( SUITE ) SUITE ## _CIPHER
|
||||
#define MBEDTLS_SSL_SUITE_MAC_T( SUITE ) SUITE ## _MAC
|
||||
#define MBEDTLS_SSL_SUITE_KEY_EXCHANGE_T( SUITE ) SUITE ## _KEY_EXCHANGE
|
||||
#define MBEDTLS_SSL_SUITE_MIN_MAJOR_VER_T( SUITE ) SUITE ## _MIN_MAJOR_VER
|
||||
#define MBEDTLS_SSL_SUITE_MIN_MINOR_VER_T( SUITE ) SUITE ## _MIN_MINOR_VER
|
||||
#define MBEDTLS_SSL_SUITE_MAX_MAJOR_VER_T( SUITE ) SUITE ## _MAX_MAJOR_VER
|
||||
#define MBEDTLS_SSL_SUITE_MAX_MINOR_VER_T( SUITE ) SUITE ## _MAX_MINOR_VER
|
||||
#define MBEDTLS_SSL_SUITE_FLAGS_T( SUITE ) SUITE ## _FLAGS
|
||||
|
||||
/* Wrapper around MBEDTLS_SSL_SUITE_XXX_T() which makes sure that
|
||||
* the argument is macro-expanded before concatenated with the
|
||||
* field name. This allows to call these macros as
|
||||
* MBEDTLS_SSL_SUITE_XXX( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ),
|
||||
* where MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE expands to MBEDTLS_SSL_SUITE_XXX. */
|
||||
#define MBEDTLS_SSL_SUITE_ID( SUITE ) MBEDTLS_SSL_SUITE_ID_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_NAME( SUITE ) MBEDTLS_SSL_SUITE_NAME_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_CIPHER( SUITE ) MBEDTLS_SSL_SUITE_CIPHER_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_MAC( SUITE ) MBEDTLS_SSL_SUITE_MAC_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_KEY_EXCHANGE( SUITE ) MBEDTLS_SSL_SUITE_KEY_EXCHANGE_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_MIN_MAJOR_VER( SUITE ) MBEDTLS_SSL_SUITE_MIN_MAJOR_VER_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_MIN_MINOR_VER( SUITE ) MBEDTLS_SSL_SUITE_MIN_MINOR_VER_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_MAX_MAJOR_VER( SUITE ) MBEDTLS_SSL_SUITE_MAX_MAJOR_VER_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_MAX_MINOR_VER( SUITE ) MBEDTLS_SSL_SUITE_MAX_MINOR_VER_T( SUITE )
|
||||
#define MBEDTLS_SSL_SUITE_FLAGS( SUITE ) MBEDTLS_SSL_SUITE_FLAGS_T( SUITE )
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
/**
|
||||
* \brief This structure is used for storing ciphersuite information
|
||||
*/
|
||||
@ -404,23 +388,376 @@ struct mbedtls_ssl_ciphersuite_t
|
||||
unsigned char flags;
|
||||
};
|
||||
|
||||
typedef mbedtls_ssl_ciphersuite_t const * mbedtls_ssl_ciphersuite_handle_t;
|
||||
#define MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ( (mbedtls_ssl_ciphersuite_handle_t) NULL )
|
||||
|
||||
/**
|
||||
* \brief This macro builds an instance of ::mbedtls_ssl_ciphersuite_t
|
||||
* from an \c MBEDTLS_SUITE_XXX identifier.
|
||||
*/
|
||||
#define MBEDTLS_SSL_SUITE_INFO( SUITE ) \
|
||||
{ MBEDTLS_SSL_SUITE_ID( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_NAME( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_CIPHER( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_MAC( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_KEY_EXCHANGE( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_MIN_MAJOR_VER( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_MIN_MINOR_VER( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_MAX_MAJOR_VER( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_MAX_MINOR_VER( SUITE ), \
|
||||
MBEDTLS_SSL_SUITE_FLAGS( SUITE ) }
|
||||
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
typedef unsigned char mbedtls_ssl_ciphersuite_handle_t;
|
||||
#define MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ( (mbedtls_ssl_ciphersuite_handle_t) 0 )
|
||||
#define MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE ( (mbedtls_ssl_ciphersuite_handle_t) 1 )
|
||||
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
static inline int mbedtls_ssl_session_get_ciphersuite(
|
||||
mbedtls_ssl_session const * session )
|
||||
{
|
||||
return( session->ciphersuite );
|
||||
}
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
static inline int mbedtls_ssl_session_get_ciphersuite(
|
||||
mbedtls_ssl_session const * session )
|
||||
{
|
||||
((void) session);
|
||||
return( MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
/*
|
||||
* Getter functions for the extraction of ciphersuite attributes
|
||||
* from a ciphersuite handle.
|
||||
*
|
||||
* Warning: These functions have the validity of the handle as a precondition!
|
||||
* Their behaviour is undefined when MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE
|
||||
* is passed.
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
/*
|
||||
* Implementation of getter functions when the ciphersuite handle
|
||||
* is a pointer to the ciphersuite information structure.
|
||||
*
|
||||
* The precondition that the handle is valid means that
|
||||
* we don't need to check that info != NULL.
|
||||
*/
|
||||
static inline int mbedtls_ssl_suite_get_id(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->id );
|
||||
}
|
||||
static inline const char* mbedtls_ssl_suite_get_name(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->name );
|
||||
}
|
||||
static inline mbedtls_cipher_type_t mbedtls_ssl_suite_get_cipher(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->cipher );
|
||||
}
|
||||
static inline mbedtls_md_type_t mbedtls_ssl_suite_get_mac(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->mac );
|
||||
}
|
||||
static inline mbedtls_key_exchange_type_t mbedtls_ssl_suite_get_key_exchange(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->key_exchange );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_min_major_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->min_major_ver );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_min_minor_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->min_minor_ver );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_max_major_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->max_major_ver );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_max_minor_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->max_minor_ver );
|
||||
}
|
||||
static inline unsigned char mbedtls_ssl_suite_get_flags(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->flags );
|
||||
}
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
/*
|
||||
* Implementations of getter functions in the case of only a single possible
|
||||
* ciphersuite. In this case, the handle is logically a boolean (either the
|
||||
* invalid handle or the unique valid handle representing the single enabled
|
||||
* ciphersuite), and the precondition that the handle is valid means that we
|
||||
* can statically return the hardcoded attribute of the enabled ciphersuite.
|
||||
*/
|
||||
static inline int mbedtls_ssl_suite_get_id(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline const char* mbedtls_ssl_suite_get_name(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_NAME( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline mbedtls_cipher_type_t mbedtls_ssl_suite_get_cipher(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_CIPHER( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline mbedtls_md_type_t mbedtls_ssl_suite_get_mac(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_MAC( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline mbedtls_key_exchange_type_t mbedtls_ssl_suite_get_key_exchange(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_KEY_EXCHANGE( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_min_major_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_MIN_MAJOR_VER( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_min_minor_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_MIN_MINOR_VER( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_max_major_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_MAX_MAJOR_VER( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_max_minor_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_MAX_MINOR_VER( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
static inline unsigned char mbedtls_ssl_suite_get_flags(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
((void) info);
|
||||
return( MBEDTLS_SSL_SUITE_FLAGS( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
const int *mbedtls_ssl_list_ciphersuites( void );
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
|
||||
/*
|
||||
* Various small helper functions for ciphersuites.
|
||||
*
|
||||
* Like the getter functions, they assume that the provided ciphersuite
|
||||
* handle is valid, and hence can be optimized in case there's only one
|
||||
* ciphersuite enabled.
|
||||
*
|
||||
* To avoid code-duplication between inline and non-inline implementations
|
||||
* of this, we define internal static inline versions of all functions first,
|
||||
* and define wrappers around these either here or in ssl_ciphersuites.c,
|
||||
* depending on whether MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE is defined.
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
|
||||
#endif
|
||||
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg_internal(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
return( MBEDTLS_PK_RSA );
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
return( MBEDTLS_PK_ECDSA );
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
return( MBEDTLS_PK_ECKEY );
|
||||
|
||||
default:
|
||||
return( MBEDTLS_PK_NONE );
|
||||
}
|
||||
}
|
||||
|
||||
static inline mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg_internal(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
return( MBEDTLS_PK_RSA );
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
return( MBEDTLS_PK_ECDSA );
|
||||
|
||||
default:
|
||||
return( MBEDTLS_PK_NONE );
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_PK_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ec_internal(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
|
||||
return( 1 );
|
||||
|
||||
default:
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_psk_internal(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||
return( 1 );
|
||||
|
||||
default:
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||
|
||||
/*
|
||||
* Wrappers around internal helper functions to be used by the rest of
|
||||
* the library, either defined static inline here or in ssl_ciphersuites.c.
|
||||
*/
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string(
|
||||
const char *ciphersuite_name );
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id(
|
||||
int ciphersuite_id );
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(
|
||||
mbedtls_ssl_ciphersuite_handle_t info );
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(
|
||||
mbedtls_ssl_ciphersuite_handle_t info );
|
||||
#endif /* MBEDTLS_PK_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( mbedtls_ssl_ciphersuite_handle_t info );
|
||||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( mbedtls_ssl_ciphersuite_handle_t info );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
static inline mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
return( mbedtls_ssl_get_ciphersuite_sig_pk_alg_internal( info ) );
|
||||
}
|
||||
|
||||
static inline mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
return( mbedtls_ssl_get_ciphersuite_sig_alg_internal( info ) );
|
||||
}
|
||||
#endif /* MBEDTLS_PK_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ec(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
return( mbedtls_ssl_ciphersuite_uses_ec_internal( info ) );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_psk(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
return( mbedtls_ssl_ciphersuite_uses_psk_internal( info ) );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||
|
||||
static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id(
|
||||
int ciphersuite )
|
||||
{
|
||||
static const int single_suite_id =
|
||||
MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE );
|
||||
|
||||
if( ciphersuite == single_suite_id )
|
||||
return( MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE );
|
||||
|
||||
return( MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE );
|
||||
}
|
||||
|
||||
static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string(
|
||||
const char *ciphersuite_name )
|
||||
{
|
||||
static const char * const single_suite_name =
|
||||
MBEDTLS_SSL_SUITE_NAME( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE );
|
||||
|
||||
if( strcmp( ciphersuite_name, single_suite_name ) == 0 )
|
||||
return( MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE );
|
||||
|
||||
return( MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_has_pfs(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
@ -434,12 +771,11 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_no_pfs(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
@ -452,12 +788,12 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdh(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
@ -467,11 +803,11 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersui
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED */
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
@ -486,9 +822,10 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ci
|
||||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
@ -504,10 +841,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphe
|
||||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_dhe(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
@ -517,12 +854,11 @@ static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuit
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
@ -533,12 +869,11 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersu
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
@ -549,7 +884,6 @@ static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_s
|
||||
return( 0 );
|
||||
}
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
|
@ -501,7 +501,9 @@ struct mbedtls_ssl_handshake_params
|
||||
const unsigned char *, size_t,
|
||||
unsigned char *, size_t);
|
||||
|
||||
mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
size_t pmslen; /*!< premaster length */
|
||||
|
||||
@ -556,6 +558,21 @@ static inline int mbedtls_ssl_hs_get_extended_ms(
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_handshake_get_ciphersuite(
|
||||
mbedtls_ssl_handshake_params const *handshake )
|
||||
{
|
||||
return( handshake->ciphersuite_info );
|
||||
}
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_handshake_get_ciphersuite(
|
||||
mbedtls_ssl_handshake_params const *handshake )
|
||||
{
|
||||
((void) handshake);
|
||||
return( MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
|
||||
|
||||
/*
|
||||
@ -918,7 +935,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
|
||||
int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
|
||||
|
||||
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
|
||||
@ -978,7 +995,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
|
||||
* Return 0 if everything is OK, -1 if not.
|
||||
*/
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite,
|
||||
int cert_endpoint,
|
||||
uint32_t *flags );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
@ -1430,4 +1447,41 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced(
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
/*
|
||||
* Macros for the traversal of the list of all enabled ciphersuites.
|
||||
* This is implemented as a plain loop in case we have a runtime
|
||||
* configurable list of ciphersuites, and as a simple variable
|
||||
* instantiation in case a single ciphersuite is enabled at
|
||||
* compile-time.
|
||||
*/
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
|
||||
#define MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, ver, info ) \
|
||||
{ \
|
||||
int const *__id_ptr; \
|
||||
for( __id_ptr=(ssl)->conf->ciphersuite_list[ (ver) ]; \
|
||||
*__id_ptr != 0; __id_ptr++ ) \
|
||||
{ \
|
||||
const int __id = *__id_ptr; \
|
||||
mbedtls_ssl_ciphersuite_handle_t info; \
|
||||
info = mbedtls_ssl_ciphersuite_from_id( __id ); \
|
||||
if( info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) \
|
||||
continue;
|
||||
|
||||
#define MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE \
|
||||
} \
|
||||
}
|
||||
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#define MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, ver, info ) \
|
||||
do { \
|
||||
const mbedtls_ssl_ciphersuite_handle_t info = \
|
||||
MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE;
|
||||
|
||||
#define MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE \
|
||||
} while( 0 );
|
||||
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#endif /* ssl_internal.h */
|
||||
|
@ -84,10 +84,13 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
||||
continue;
|
||||
#endif
|
||||
|
||||
if( session->ciphersuite != entry->session.ciphersuite ||
|
||||
if( mbedtls_ssl_session_get_ciphersuite( session ) !=
|
||||
mbedtls_ssl_session_get_ciphersuite( &entry->session ) ||
|
||||
session->compression != entry->session.compression ||
|
||||
session->id_len != entry->session.id_len )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
if( memcmp( session->id, entry->session.id,
|
||||
entry->session.id_len ) != 0 )
|
||||
|
@ -54,6 +54,7 @@
|
||||
*/
|
||||
static const int ciphersuite_preference[] =
|
||||
{
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
#if defined(MBEDTLS_SSL_CIPHERSUITES)
|
||||
MBEDTLS_SSL_CIPHERSUITES,
|
||||
#else
|
||||
@ -311,9 +312,13 @@ static const int ciphersuite_preference[] =
|
||||
MBEDTLS_TLS_PSK_WITH_NULL_SHA,
|
||||
|
||||
#endif /* MBEDTLS_SSL_CIPHERSUITES */
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ),
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
0
|
||||
};
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
{
|
||||
#if defined(MBEDTLS_CHACHAPOLY_C) && \
|
||||
@ -449,11 +454,7 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
0 },
|
||||
{ MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8, "TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8",
|
||||
MBEDTLS_CIPHER_AES_128_CCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3, MBEDTLS_SSL_MINOR_VERSION_3,
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG },
|
||||
MBEDTLS_SSL_SUITE_INFO( MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8 ),
|
||||
#endif /* MBEDTLS_CCM_C */
|
||||
#endif /* MBEDTLS_AES_C */
|
||||
|
||||
@ -2170,8 +2171,9 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] =
|
||||
MBEDTLS_CIPHER_NONE, MBEDTLS_MD_NONE, MBEDTLS_KEY_EXCHANGE_NONE,
|
||||
0, 0, 0, 0, 0 }
|
||||
};
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CIPHERSUITES)
|
||||
#if defined(MBEDTLS_SSL_CIPHERSUITES) || defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
const int *mbedtls_ssl_list_ciphersuites( void )
|
||||
{
|
||||
return( ciphersuite_preference );
|
||||
@ -2182,18 +2184,19 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
||||
static int supported_ciphersuites[MAX_CIPHERSUITES];
|
||||
static int supported_init = 0;
|
||||
|
||||
static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
|
||||
static int ciphersuite_is_removed( mbedtls_ssl_ciphersuite_handle_t cs_info )
|
||||
{
|
||||
(void)cs_info;
|
||||
if( cs_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
return( 1 );
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
if( mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
return( 1 );
|
||||
#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
|
||||
cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
if( mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_DES_EDE3_ECB ||
|
||||
mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
@ -2217,12 +2220,10 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
||||
*p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
|
||||
p++ )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cs_info;
|
||||
if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
|
||||
!ciphersuite_is_removed( cs_info ) )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t cs_info;
|
||||
cs_info = mbedtls_ssl_ciphersuite_from_id( *p );
|
||||
if( !ciphersuite_is_removed( cs_info ) )
|
||||
*(q++) = *p;
|
||||
}
|
||||
}
|
||||
*q = 0;
|
||||
|
||||
@ -2231,12 +2232,13 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
||||
|
||||
return( supported_ciphersuites );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CIPHERSUITES */
|
||||
#endif /* !( MBEDTLS_SSL_CIPHERSUITES || MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) */
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string(
|
||||
const char *ciphersuite_name )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur = ciphersuite_definitions;
|
||||
|
||||
if( NULL == ciphersuite_name )
|
||||
return( NULL );
|
||||
@ -2252,9 +2254,9 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
|
||||
return( NULL );
|
||||
}
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur = ciphersuite_definitions;
|
||||
|
||||
while( cur->id != 0 )
|
||||
{
|
||||
@ -2269,7 +2271,7 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuit
|
||||
|
||||
const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur;
|
||||
|
||||
cur = mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
|
||||
|
||||
@ -2281,7 +2283,7 @@ const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
|
||||
|
||||
int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur;
|
||||
|
||||
cur = mbedtls_ssl_ciphersuite_from_string( ciphersuite_name );
|
||||
|
||||
@ -2292,82 +2294,62 @@ int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
return( MBEDTLS_PK_RSA );
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
return( MBEDTLS_PK_ECDSA );
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
return( MBEDTLS_PK_ECKEY );
|
||||
|
||||
default:
|
||||
return( MBEDTLS_PK_NONE );
|
||||
}
|
||||
return( mbedtls_ssl_get_ciphersuite_sig_pk_alg_internal( info ) );
|
||||
}
|
||||
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
return( MBEDTLS_PK_RSA );
|
||||
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
return( MBEDTLS_PK_ECDSA );
|
||||
|
||||
default:
|
||||
return( MBEDTLS_PK_NONE );
|
||||
}
|
||||
return( mbedtls_ssl_get_ciphersuite_sig_alg_internal( info ) );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_PK_C */
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
|
||||
int mbedtls_ssl_ciphersuite_uses_ec(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECJPAKE:
|
||||
return( 1 );
|
||||
|
||||
default:
|
||||
return( 0 );
|
||||
}
|
||||
return( mbedtls_ssl_ciphersuite_uses_ec_internal( info ) );
|
||||
}
|
||||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
|
||||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info )
|
||||
int mbedtls_ssl_ciphersuite_uses_psk(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK:
|
||||
return( 1 );
|
||||
|
||||
default:
|
||||
return( 0 );
|
||||
}
|
||||
return( mbedtls_ssl_ciphersuite_uses_psk_internal( info ) );
|
||||
}
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||
|
||||
#else /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
const char *mbedtls_ssl_get_ciphersuite_name(
|
||||
const int ciphersuite_id )
|
||||
{
|
||||
static const int single_suite_id =
|
||||
MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE );
|
||||
|
||||
if( ciphersuite_id == single_suite_id )
|
||||
return( MBEDTLS_SSL_SUITE_NAME( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
|
||||
return( "unknown" );
|
||||
}
|
||||
|
||||
int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
|
||||
{
|
||||
static const char * const single_suite_name =
|
||||
MBEDTLS_SSL_SUITE_NAME( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE );
|
||||
|
||||
if( strcmp( ciphersuite_name, single_suite_name ) == 0 )
|
||||
return( MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#endif /* MBEDTLS_SSL_TLS_C */
|
||||
|
@ -780,34 +780,45 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
|
||||
*
|
||||
* \return 0 if valid, else 1
|
||||
*/
|
||||
static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
|
||||
static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info,
|
||||
const mbedtls_ssl_context * ssl,
|
||||
int min_minor_ver, int max_minor_ver )
|
||||
{
|
||||
(void) ssl;
|
||||
if( suite_info == NULL )
|
||||
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
return( 1 );
|
||||
|
||||
if( suite_info->min_minor_ver > max_minor_ver ||
|
||||
suite_info->max_minor_ver < min_minor_ver )
|
||||
|
||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
|
||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
|
||||
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
|
||||
( mbedtls_ssl_suite_get_flags( suite_info ) &
|
||||
MBEDTLS_CIPHERSUITE_NODTLS ) != 0 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
|
||||
suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
return( 0 );
|
||||
@ -820,8 +831,6 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
||||
unsigned char *buf;
|
||||
unsigned char *p, *q;
|
||||
unsigned char offer_compress;
|
||||
const int *ciphersuites;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
int uses_ec = 0;
|
||||
@ -961,24 +970,25 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
||||
/*
|
||||
* Ciphersuite list
|
||||
*/
|
||||
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
||||
|
||||
/* Skip writing ciphersuite length for now */
|
||||
n = 0;
|
||||
q = p;
|
||||
p += 2;
|
||||
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
|
||||
ssl->minor_ver,
|
||||
ciphersuite_info )
|
||||
{
|
||||
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
|
||||
|
||||
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
||||
ssl->conf->min_minor_ver,
|
||||
ssl->conf->max_minor_ver ) != 0 )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
|
||||
ciphersuites[i] ) );
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info ) ) );
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
@ -986,9 +996,12 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
||||
#endif
|
||||
|
||||
n++;
|
||||
*p++ = (unsigned char)( ciphersuites[i] >> 8 );
|
||||
*p++ = (unsigned char)( ciphersuites[i] );
|
||||
*p++ = (unsigned char)(
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 );
|
||||
*p++ = (unsigned char)(
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info ) );
|
||||
}
|
||||
MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
|
||||
|
||||
@ -1428,8 +1441,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
|
||||
{
|
||||
int ret;
|
||||
|
||||
if( ssl->handshake->ciphersuite_info->key_exchange !=
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange(
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
|
||||
!= MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
|
||||
return( 0 );
|
||||
@ -1613,7 +1627,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
int extended_ms_seen = 0;
|
||||
#endif
|
||||
int handshake_failure = 0;
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info;
|
||||
|
||||
/* The ciphersuite chosen by the server. */
|
||||
mbedtls_ssl_ciphersuite_handle_t server_suite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
|
||||
|
||||
@ -1789,16 +1805,18 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
/*
|
||||
* Initialize update checksum functions
|
||||
*/
|
||||
ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
|
||||
if( ssl->handshake->ciphersuite_info == NULL )
|
||||
server_suite_info = mbedtls_ssl_ciphersuite_from_id( i );
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
ssl->handshake->ciphersuite_info = server_suite_info;
|
||||
#endif
|
||||
if( server_suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
mbedtls_ssl_optimize_checksum( ssl, ssl->handshake->ciphersuite_info );
|
||||
mbedtls_ssl_optimize_checksum( ssl, server_suite_info );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, session id len.: %d", n ) );
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, session id", buf + 35, n );
|
||||
@ -1817,7 +1835,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
|
||||
if( n == 0 ||
|
||||
mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
|
||||
ssl->session_negotiate->ciphersuite != i ||
|
||||
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) != i ||
|
||||
ssl->session_negotiate->compression != comp ||
|
||||
ssl->session_negotiate->id_len != n ||
|
||||
memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
|
||||
@ -1846,7 +1864,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
ssl->session_negotiate->start = mbedtls_time( NULL );
|
||||
#endif
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
ssl->session_negotiate->ciphersuite = i;
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
ssl->session_negotiate->compression = comp;
|
||||
ssl->session_negotiate->id_len = n;
|
||||
memcpy( ssl->session_negotiate->id, buf + 35, n );
|
||||
@ -1861,37 +1881,39 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||
/*
|
||||
* Perform cipher suite validation in same way as in ssl_write_client_hello.
|
||||
*/
|
||||
i = 0;
|
||||
while( 1 )
|
||||
MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl,
|
||||
ssl->minor_ver,
|
||||
ciphersuite_info )
|
||||
{
|
||||
if( ssl->conf->ciphersuite_list[ssl->minor_ver][i] == 0 )
|
||||
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
||||
ssl->conf->min_minor_ver,
|
||||
ssl->conf->max_minor_ver ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
continue;
|
||||
}
|
||||
|
||||
if( ssl->conf->ciphersuite_list[ssl->minor_ver][i++] ==
|
||||
ssl->session_negotiate->ciphersuite )
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
if( ciphersuite_info != server_suite_info )
|
||||
continue;
|
||||
|
||||
suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
|
||||
if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
goto server_picked_valid_suite;
|
||||
}
|
||||
MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
|
||||
/* If we reach this code-path, the server's chosen ciphersuite
|
||||
* wasn't among those advertised by us. */
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
|
||||
server_picked_valid_suite:
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
||||
mbedtls_ssl_suite_get_name( server_suite_info ) ) );
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||
if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||
{
|
||||
ssl->handshake->ecrs_enabled = 1;
|
||||
@ -2555,14 +2577,15 @@ cleanup:
|
||||
static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
unsigned char *p = NULL, *end = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
|
||||
ssl->state++;
|
||||
@ -2574,8 +2597,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
{
|
||||
if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
|
||||
{
|
||||
@ -2622,8 +2647,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||
*/
|
||||
if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
|
||||
{
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
/* Current message is probably either
|
||||
* CertificateRequest or ServerHelloDone */
|
||||
@ -2650,10 +2677,14 @@ start_processing:
|
||||
MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
|
||||
{
|
||||
@ -2667,16 +2698,22 @@ start_processing:
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
; /* nothing more to do */
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
{
|
||||
if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
|
||||
{
|
||||
@ -2692,9 +2729,12 @@ start_processing:
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
{
|
||||
if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
|
||||
{
|
||||
@ -2709,7 +2749,8 @@ start_processing:
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
|
||||
p, end - p );
|
||||
@ -2922,8 +2963,8 @@ exit:
|
||||
#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
|
||||
|
||||
@ -2944,8 +2985,8 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||
unsigned char *buf;
|
||||
size_t n = 0;
|
||||
size_t cert_type_len = 0, dn_len = 0;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
|
||||
|
||||
@ -3145,13 +3186,13 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
size_t i, n;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
{
|
||||
/*
|
||||
* DHM key exchange -- send G^X mod P
|
||||
@ -3195,10 +3236,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
{
|
||||
/*
|
||||
* ECDH key exchange -- send client public value
|
||||
@ -3296,14 +3341,16 @@ ecdh_calc_secret:
|
||||
i += ssl->conf->psk_identity_len;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
{
|
||||
n = 0;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
|
||||
return( ret );
|
||||
@ -3311,7 +3358,8 @@ ecdh_calc_secret:
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
{
|
||||
/*
|
||||
* ClientDiffieHellmanPublic public (DHM send G^X mod P)
|
||||
@ -3342,7 +3390,8 @@ ecdh_calc_secret:
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
/*
|
||||
* ClientECDiffieHellmanPublic public;
|
||||
@ -3368,7 +3417,7 @@ ecdh_calc_secret:
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
@ -3377,7 +3426,8 @@ ecdh_calc_secret:
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
{
|
||||
i = 4;
|
||||
if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
|
||||
@ -3386,7 +3436,8 @@ ecdh_calc_secret:
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
i = 4;
|
||||
|
||||
@ -3438,8 +3489,8 @@ ecdh_calc_secret:
|
||||
#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
int ret;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
|
||||
@ -3464,8 +3515,8 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
size_t n = 0, offset = 0;
|
||||
unsigned char hash[48];
|
||||
unsigned char *hash_start = hash;
|
||||
@ -3570,7 +3621,9 @@ sign:
|
||||
* Reason: Otherwise we should have running hashes for SHA512 and SHA224
|
||||
* in order to satisfy 'weird' needs from the server side.
|
||||
*/
|
||||
if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||
if( mbedtls_ssl_suite_get_mac(
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
|
||||
== MBEDTLS_MD_SHA384 )
|
||||
{
|
||||
md_alg = MBEDTLS_MD_SHA384;
|
||||
ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
|
||||
|
@ -759,9 +759,8 @@ static int ssl_check_key_curve( mbedtls_pk_context *pk,
|
||||
* return 0 on success and -1 on failure.
|
||||
*/
|
||||
static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t * ciphersuite_info,
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info,
|
||||
mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
|
||||
|
||||
{
|
||||
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
|
||||
mbedtls_pk_type_t pk_alg =
|
||||
@ -919,28 +918,20 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
* Check if a given ciphersuite is suitable for use with our config/keys/etc
|
||||
* Sets ciphersuite_info only if the suite matches.
|
||||
*/
|
||||
static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
||||
const mbedtls_ssl_ciphersuite_t **ciphersuite_info,
|
||||
mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
|
||||
static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl,
|
||||
mbedtls_ssl_ciphersuite_handle_t suite_info,
|
||||
mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info;
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
mbedtls_pk_type_t sig_type;
|
||||
#endif
|
||||
|
||||
suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
|
||||
if( suite_info == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
}
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
|
||||
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
|
||||
|
||||
if( suite_info->min_minor_ver > ssl->minor_ver ||
|
||||
suite_info->max_minor_ver < ssl->minor_ver )
|
||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver ||
|
||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
||||
return( 0 );
|
||||
@ -948,13 +939,16 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
|
||||
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
|
||||
( mbedtls_ssl_suite_get_flags( suite_info ) &
|
||||
MBEDTLS_CIPHERSUITE_NODTLS ) )
|
||||
{
|
||||
return( 0 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
|
||||
suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
|
||||
return( 0 );
|
||||
@ -962,7 +956,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
|
||||
@ -1031,8 +1026,7 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
||||
((void) acceptable_ec_grp_ids);
|
||||
#endif
|
||||
|
||||
*ciphersuite_info = suite_info;
|
||||
return( 0 );
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO)
|
||||
@ -1043,8 +1037,9 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
||||
size_t n;
|
||||
unsigned int ciph_len, sess_len, chal_len;
|
||||
unsigned char *buf, *p;
|
||||
const int *ciphersuites;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
#endif
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
||||
|
||||
@ -1234,33 +1229,50 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
||||
#endif /* MBEDTLS_SSL_FALLBACK_SCSV */
|
||||
|
||||
got_common_suite = 0;
|
||||
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
||||
ciphersuite_info = NULL;
|
||||
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
#else
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
||||
#endif
|
||||
{
|
||||
MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, \
|
||||
ssl->minor_ver, \
|
||||
cur_info )
|
||||
{
|
||||
#else
|
||||
MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, \
|
||||
ssl->minor_ver, \
|
||||
cur_info )
|
||||
{
|
||||
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
||||
{
|
||||
#endif
|
||||
const int ciphersuite_id =
|
||||
mbedtls_ssl_suite_get_id( cur_info );
|
||||
|
||||
if( p[0] != 0 ||
|
||||
p[1] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
|
||||
p[2] != ( ( ciphersuites[i] ) & 0xFF ) )
|
||||
p[1] != ( ( ciphersuite_id >> 8 ) & 0xFF ) ||
|
||||
p[2] != ( ( ciphersuite_id ) & 0xFF ) )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
got_common_suite = 1;
|
||||
|
||||
if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
|
||||
&ciphersuite_info,
|
||||
NULL ) ) )
|
||||
if( ssl_ciphersuite_is_match( ssl, cur_info, NULL ) )
|
||||
{
|
||||
return( ret );
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
ciphersuite_info = cur_info;
|
||||
#endif
|
||||
goto have_ciphersuite_v2;
|
||||
}
|
||||
|
||||
if( ciphersuite_info != NULL )
|
||||
goto have_ciphersuite_v2;
|
||||
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
}
|
||||
MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
|
||||
}
|
||||
#else
|
||||
}
|
||||
}
|
||||
MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
|
||||
#endif
|
||||
|
||||
if( got_common_suite )
|
||||
{
|
||||
@ -1275,10 +1287,16 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
have_ciphersuite_v2:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
||||
|
||||
ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
ssl->session_negotiate->ciphersuite =
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||
#endif
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
|
||||
mbedtls_ssl_get_ciphersuite_name(
|
||||
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) );
|
||||
|
||||
/*
|
||||
* SSLv2 Client Hello relevant renegotiation security checks
|
||||
@ -1322,8 +1340,10 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
||||
int extended_ms_seen = 0;
|
||||
#endif
|
||||
int handshake_failure = 0;
|
||||
const int *ciphersuites;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
#endif
|
||||
int major, minor;
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
@ -2128,32 +2148,49 @@ read_record_header:
|
||||
* and certificate from the SNI callback triggered by the SNI extension.)
|
||||
*/
|
||||
got_common_suite = 0;
|
||||
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
||||
ciphersuite_info = NULL;
|
||||
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
#else
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
||||
#endif
|
||||
{
|
||||
MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, \
|
||||
ssl->minor_ver, \
|
||||
cur_info )
|
||||
{
|
||||
if( p[0] != ( ( ciphersuites[i] >> 8 ) & 0xFF ) ||
|
||||
p[1] != ( ( ciphersuites[i] ) & 0xFF ) )
|
||||
#else
|
||||
MBEDTLS_SSL_BEGIN_FOR_EACH_CIPHERSUITE( ssl, \
|
||||
ssl->minor_ver, \
|
||||
cur_info )
|
||||
{
|
||||
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
||||
{
|
||||
#endif
|
||||
const int ciphersuite_id =
|
||||
mbedtls_ssl_suite_get_id( cur_info );
|
||||
|
||||
if( p[0] != ( ( ciphersuite_id >> 8 ) & 0xFF ) ||
|
||||
p[1] != ( ( ciphersuite_id ) & 0xFF ) )
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
got_common_suite = 1;
|
||||
|
||||
if( ( ret = ssl_ciphersuite_match( ssl, ciphersuites[i],
|
||||
&ciphersuite_info,
|
||||
acceptable_ec_grp_ids ) ) != 0 )
|
||||
if( ssl_ciphersuite_is_match( ssl, cur_info,
|
||||
acceptable_ec_grp_ids) )
|
||||
{
|
||||
return( ret );
|
||||
}
|
||||
|
||||
if( ciphersuite_info != NULL )
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
ciphersuite_info = cur_info;
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
goto have_ciphersuite;
|
||||
}
|
||||
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
}
|
||||
MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
|
||||
}
|
||||
#else
|
||||
}
|
||||
}
|
||||
MBEDTLS_SSL_END_FOR_EACH_CIPHERSUITE
|
||||
#endif
|
||||
|
||||
if( got_common_suite )
|
||||
{
|
||||
@ -2172,10 +2209,16 @@ read_record_header:
|
||||
}
|
||||
|
||||
have_ciphersuite:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
||||
|
||||
ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
ssl->session_negotiate->ciphersuite =
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
|
||||
mbedtls_ssl_get_ciphersuite_name(
|
||||
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) );
|
||||
|
||||
ssl->state++;
|
||||
|
||||
@ -2190,7 +2233,8 @@ have_ciphersuite:
|
||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||
{
|
||||
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg( ciphersuite_info );
|
||||
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
|
||||
if( sig_alg != MBEDTLS_PK_NONE )
|
||||
{
|
||||
mbedtls_md_type_t md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
||||
@ -2290,7 +2334,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
||||
mbedtls_ssl_ciphersuite_handle_t suite =
|
||||
MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE;
|
||||
const mbedtls_cipher_info_t *cipher = NULL;
|
||||
|
||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||
@ -2306,9 +2351,17 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||
* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
|
||||
* encrypt-then-MAC response extension back to the client."
|
||||
*/
|
||||
if( ( suite = mbedtls_ssl_ciphersuite_from_id(
|
||||
ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
||||
( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
||||
suite = mbedtls_ssl_ciphersuite_from_id(
|
||||
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) );
|
||||
if( suite == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
*olen = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
cipher = mbedtls_cipher_info_from_type(
|
||||
mbedtls_ssl_suite_get_cipher( suite ) );
|
||||
if( cipher == NULL ||
|
||||
cipher->mode != MBEDTLS_MODE_CBC )
|
||||
{
|
||||
*olen = 0;
|
||||
@ -2491,9 +2544,12 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
||||
*olen = 0;
|
||||
|
||||
/* Skip costly computation if not needed */
|
||||
if( ssl->handshake->ciphersuite_info->key_exchange !=
|
||||
if( mbedtls_ssl_suite_get_key_exchange(
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) !=
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
|
||||
|
||||
@ -2637,6 +2693,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
||||
mbedtls_time_t t;
|
||||
#endif
|
||||
int ret;
|
||||
int ciphersuite;
|
||||
size_t olen, ext_len = 0, n;
|
||||
unsigned char *buf, *p;
|
||||
|
||||
@ -2786,12 +2843,13 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
|
||||
mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
|
||||
|
||||
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
|
||||
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
|
||||
ciphersuite = mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate );
|
||||
*p++ = (unsigned char)( ciphersuite >> 8 );
|
||||
*p++ = (unsigned char)( ciphersuite );
|
||||
*p++ = (unsigned char)( ssl->session_negotiate->compression );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
||||
mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
|
||||
mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
||||
ssl->session_negotiate->compression ) );
|
||||
|
||||
@ -2840,7 +2898,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if ( mbedtls_ssl_ciphersuite_uses_ec(
|
||||
mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
|
||||
mbedtls_ssl_ciphersuite_from_id(
|
||||
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) )
|
||||
{
|
||||
ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
|
||||
ext_len += olen;
|
||||
@ -2884,8 +2943,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
||||
#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
||||
|
||||
@ -2903,8 +2962,8 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
size_t dn_size, total_dn_size; /* excluding length bytes */
|
||||
size_t ct_len, sa_len; /* including length bytes */
|
||||
unsigned char *buf, *p;
|
||||
@ -3134,8 +3193,8 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||
static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||
size_t *signature_len )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||
@ -3160,7 +3219,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||
* - ECJPAKE key exchanges
|
||||
*/
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
@ -3188,8 +3248,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||
**/
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
ssl->out_msg[ssl->out_msglen++] = 0x00;
|
||||
ssl->out_msg[ssl->out_msglen++] = 0x00;
|
||||
@ -3353,7 +3413,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
{
|
||||
/* B: Default hash SHA1 */
|
||||
md_alg = MBEDTLS_MD_SHA1;
|
||||
@ -3495,8 +3556,8 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||
int ret;
|
||||
size_t signature_len = 0;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
|
||||
@ -3939,18 +4000,17 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
|
||||
static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
unsigned char *p, *end;
|
||||
|
||||
ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
||||
( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
|
||||
if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
|
||||
if( ( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_RSA ) &&
|
||||
( ssl->handshake->async_in_progress != 0 ) )
|
||||
{
|
||||
/* We've already read a record and there is an asynchronous
|
||||
@ -3982,7 +4042,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
@ -4015,10 +4076,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
{
|
||||
if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
||||
p, end - p) ) != 0 )
|
||||
@ -4050,7 +4115,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
@ -4065,7 +4131,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
@ -4074,7 +4140,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
if ( ssl->handshake->async_in_progress != 0 )
|
||||
@ -4102,7 +4169,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
@ -4111,7 +4178,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
@ -4131,7 +4199,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
@ -4140,7 +4208,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
@ -4159,7 +4228,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
MBEDTLS_DEBUG_ECDH_QP );
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
@ -4168,7 +4237,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
{
|
||||
if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
|
||||
{
|
||||
@ -4179,7 +4249,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
|
||||
p, end - p );
|
||||
@ -4222,8 +4293,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
||||
|
||||
@ -4249,8 +4320,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
mbedtls_pk_type_t pk_alg;
|
||||
#endif
|
||||
mbedtls_md_type_t md_alg;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
mbedtls_pk_context *peer_pk = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
||||
|
@ -801,7 +801,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
||||
size_t mac_key_len;
|
||||
size_t iv_copy_len;
|
||||
unsigned keylen;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
const mbedtls_cipher_info_t *cipher_info;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
|
||||
@ -823,26 +823,28 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
||||
* Get various info structures
|
||||
*/
|
||||
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
|
||||
if( ciphersuite_info == NULL )
|
||||
if( ciphersuite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
|
||||
ciphersuite ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
|
||||
cipher_info = mbedtls_cipher_info_from_type(
|
||||
mbedtls_ssl_suite_get_cipher( ciphersuite_info ) );
|
||||
if( cipher_info == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
|
||||
ciphersuite_info->cipher ) );
|
||||
mbedtls_ssl_suite_get_cipher( ciphersuite_info ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
|
||||
md_info = mbedtls_md_info_from_type(
|
||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
||||
if( md_info == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
|
||||
ciphersuite_info->mac ) );
|
||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
@ -899,8 +901,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
||||
|
||||
transform->maclen = 0;
|
||||
mac_key_len = 0;
|
||||
transform->taglen =
|
||||
ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
transform->taglen = mbedtls_ssl_suite_get_flags( ciphersuite_info ) &
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
|
||||
/* All modes haves 96-bit IVs;
|
||||
* GCM and CCM has 4 implicit and 8 explicit bytes
|
||||
@ -1338,15 +1340,15 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
|
||||
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
|
||||
|
||||
/* Set PRF, calc_verify and calc_finished function pointers */
|
||||
ret = ssl_set_handshake_prfs( ssl->handshake,
|
||||
ssl->minor_ver,
|
||||
ciphersuite_info->mac );
|
||||
ssl->minor_ver,
|
||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
|
||||
@ -1376,24 +1378,24 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||
|
||||
/* Populate transform structure */
|
||||
ret = ssl_populate_transform( ssl->transform_negotiate,
|
||||
ssl->session_negotiate->ciphersuite,
|
||||
ssl->session_negotiate->master,
|
||||
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ),
|
||||
ssl->session_negotiate->master,
|
||||
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
ssl->session_negotiate->encrypt_then_mac,
|
||||
ssl->session_negotiate->encrypt_then_mac,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
ssl->session_negotiate->trunc_hmac,
|
||||
ssl->session_negotiate->trunc_hmac,
|
||||
#endif
|
||||
#endif /* MBEDTLS_SSL_SOME_MODES_USE_MAC */
|
||||
#if defined(MBEDTLS_ZLIB_SUPPORT)
|
||||
ssl->session_negotiate->compression,
|
||||
ssl->session_negotiate->compression,
|
||||
#endif
|
||||
ssl->handshake->tls_prf,
|
||||
ssl->handshake->randbytes,
|
||||
ssl->minor_ver,
|
||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
|
||||
ssl );
|
||||
ssl->handshake->tls_prf,
|
||||
ssl->handshake->randbytes,
|
||||
ssl->minor_ver,
|
||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
|
||||
ssl );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_populate_transform", ret );
|
||||
@ -6070,7 +6072,8 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
|
||||
/* No certificate support -> dummy functions */
|
||||
int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||
|
||||
@ -6087,7 +6090,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
||||
|
||||
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||
|
||||
@ -6110,7 +6114,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
size_t i, n;
|
||||
const mbedtls_x509_crt *crt;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||
|
||||
@ -6474,8 +6479,8 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
|
||||
static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
|
||||
int authmode )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||
return( SSL_CERTIFICATE_SKIP );
|
||||
@ -6483,8 +6488,11 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
|
||||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
|
||||
{
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
return( SSL_CERTIFICATE_SKIP );
|
||||
}
|
||||
|
||||
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
|
||||
{
|
||||
@ -6506,8 +6514,8 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
||||
void *rs_ctx )
|
||||
{
|
||||
int verify_ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
mbedtls_x509_crl *ca_crl;
|
||||
|
||||
@ -6973,7 +6981,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
|
||||
}
|
||||
|
||||
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info )
|
||||
{
|
||||
((void) ciphersuite_info);
|
||||
|
||||
@ -6985,12 +6993,12 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||
if( mbedtls_ssl_suite_get_mac( ciphersuite_info ) == MBEDTLS_MD_SHA384 )
|
||||
ssl->handshake->update_checksum = ssl_update_checksum_sha384;
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
|
||||
if( mbedtls_ssl_suite_get_mac( ciphersuite_info ) != MBEDTLS_MD_SHA384 )
|
||||
ssl->handshake->update_checksum = ssl_update_checksum_sha256;
|
||||
else
|
||||
#endif
|
||||
@ -8315,6 +8323,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CLI_C && !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
void mbedtls_ssl_conf_ciphersuites( mbedtls_ssl_config *conf,
|
||||
const int *ciphersuites )
|
||||
{
|
||||
@ -8336,6 +8345,7 @@ void mbedtls_ssl_conf_ciphersuites_for_version( mbedtls_ssl_config *conf,
|
||||
|
||||
conf->ciphersuite_list[minor] = ciphersuites;
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
void mbedtls_ssl_conf_cert_profile( mbedtls_ssl_config *conf,
|
||||
@ -8958,10 +8968,13 @@ uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
|
||||
|
||||
const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int suite;
|
||||
|
||||
if( ssl == NULL || ssl->session == NULL )
|
||||
return( NULL );
|
||||
|
||||
return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
|
||||
suite = mbedtls_ssl_session_get_ciphersuite( ssl->session );
|
||||
return( mbedtls_ssl_get_ciphersuite_name( suite ) );
|
||||
}
|
||||
|
||||
const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
||||
@ -9383,8 +9396,10 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
||||
|
||||
if( used <= buf_len )
|
||||
{
|
||||
*p++ = (unsigned char)( ( session->ciphersuite >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( session->ciphersuite ) & 0xFF );
|
||||
const int ciphersuite =
|
||||
mbedtls_ssl_session_get_ciphersuite( session );
|
||||
*p++ = (unsigned char)( ( ciphersuite >> 8 ) & 0xFF );
|
||||
*p++ = (unsigned char)( ( ciphersuite ) & 0xFF );
|
||||
|
||||
*p++ = (unsigned char)( session->compression & 0xFF );
|
||||
|
||||
@ -9522,6 +9537,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||
{
|
||||
const unsigned char *p = buf;
|
||||
const unsigned char * const end = buf + len;
|
||||
int ciphersuite;
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
uint64_t start;
|
||||
#endif
|
||||
@ -9568,12 +9584,23 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||
/*
|
||||
* Basic mandatory fields
|
||||
*/
|
||||
|
||||
if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
session->ciphersuite = ( p[0] << 8 ) | p[1];
|
||||
ciphersuite = ( p[0] << 8 ) | p[1];
|
||||
p += 2;
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
session->ciphersuite = ciphersuite;
|
||||
#else
|
||||
if( ciphersuite !=
|
||||
MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
|
||||
}
|
||||
#endif
|
||||
|
||||
session->compression = *p++;
|
||||
|
||||
session->id_len = *p++;
|
||||
@ -10795,11 +10822,13 @@ static int ssl_preset_default_hashes[] = {
|
||||
};
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
static int ssl_preset_suiteb_ciphersuites[] = {
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
|
||||
MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
|
||||
0
|
||||
};
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
static int ssl_preset_suiteb_hashes[] = {
|
||||
@ -10935,11 +10964,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
||||
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
|
||||
ssl_preset_suiteb_ciphersuites;
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
conf->cert_profile = &mbedtls_x509_crt_profile_suiteb;
|
||||
@ -10974,11 +11005,13 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
||||
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_1] =
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_2] =
|
||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_3] =
|
||||
mbedtls_ssl_list_ciphersuites();
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
conf->cert_profile = &mbedtls_x509_crt_profile_default;
|
||||
@ -11242,7 +11275,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite,
|
||||
int cert_endpoint,
|
||||
uint32_t *flags )
|
||||
{
|
||||
@ -11266,7 +11299,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
|
||||
{
|
||||
/* Server part of the key exchange */
|
||||
switch( ciphersuite->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( ciphersuite ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
|
@ -2770,6 +2770,14 @@ int query_config( const char *config )
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
if( strcmp( "MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE", config ) == 0 )
|
||||
{
|
||||
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE );
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
/* If the symbol is not found, return an error */
|
||||
return( 1 );
|
||||
}
|
||||
|
@ -56,6 +56,7 @@ int main( void )
|
||||
|
||||
#include "mbedtls/net_sockets.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/ssl_ciphersuites.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
@ -1296,19 +1297,19 @@ int main( int argc, char *argv[] )
|
||||
|
||||
if( opt.force_ciphersuite[0] > 0 )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
|
||||
|
||||
if( opt.max_version != -1 &&
|
||||
ciphersuite_info->min_minor_ver > opt.max_version )
|
||||
mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
goto usage;
|
||||
}
|
||||
if( opt.min_version != -1 &&
|
||||
ciphersuite_info->max_minor_ver < opt.min_version )
|
||||
mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
@ -1318,13 +1319,13 @@ int main( int argc, char *argv[] )
|
||||
/* If the server selects a version that's not supported by
|
||||
* this suite, then there will be no common ciphersuite... */
|
||||
if( opt.max_version == -1 ||
|
||||
opt.max_version > ciphersuite_info->max_minor_ver )
|
||||
opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.max_version = ciphersuite_info->max_minor_ver;
|
||||
opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
|
||||
}
|
||||
if( opt.min_version < ciphersuite_info->min_minor_ver )
|
||||
if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.min_version = ciphersuite_info->min_minor_ver;
|
||||
opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
|
||||
/* DTLS starts with TLS 1.1 */
|
||||
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
||||
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||
@ -1332,7 +1333,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
|
||||
/* Enable RC4 if needed and not explicitly disabled */
|
||||
if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
|
||||
{
|
||||
@ -1787,8 +1788,10 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_session_tickets( &conf, opt.tickets );
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
||||
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
|
||||
#endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
if( opt.arc4 != DFL_ARC4 )
|
||||
|
@ -621,8 +621,10 @@ int main( int argc, char *argv[] )
|
||||
mbedtls_ssl_conf_rng( &conf, mbedtls_ctr_drbg_random, &ctr_drbg );
|
||||
mbedtls_ssl_conf_dbg( &conf, my_debug, stdout );
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
||||
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
|
||||
if( ( ret = mbedtls_ssl_conf_own_cert( &conf, &clicert, &pkey ) ) != 0 )
|
||||
|
@ -55,6 +55,7 @@ int main( void )
|
||||
|
||||
#include "mbedtls/net_sockets.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/ssl_ciphersuites.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
@ -2018,19 +2019,19 @@ int main( int argc, char *argv[] )
|
||||
|
||||
if( opt.force_ciphersuite[0] > 0 )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
|
||||
|
||||
if( opt.max_version != -1 &&
|
||||
ciphersuite_info->min_minor_ver > opt.max_version )
|
||||
mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
goto usage;
|
||||
}
|
||||
if( opt.min_version != -1 &&
|
||||
ciphersuite_info->max_minor_ver < opt.min_version )
|
||||
mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
@ -2040,13 +2041,13 @@ int main( int argc, char *argv[] )
|
||||
/* If we select a version that's not supported by
|
||||
* this suite, then there will be no common ciphersuite... */
|
||||
if( opt.max_version == -1 ||
|
||||
opt.max_version > ciphersuite_info->max_minor_ver )
|
||||
opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.max_version = ciphersuite_info->max_minor_ver;
|
||||
opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
|
||||
}
|
||||
if( opt.min_version < ciphersuite_info->min_minor_ver )
|
||||
if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.min_version = ciphersuite_info->min_minor_ver;
|
||||
opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
|
||||
/* DTLS starts with TLS 1.1 */
|
||||
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
||||
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||
@ -2054,7 +2055,7 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
|
||||
/* Enable RC4 if needed and not explicitly disabled */
|
||||
if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
|
||||
{
|
||||
@ -2661,14 +2662,17 @@ int main( int argc, char *argv[] )
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )
|
||||
mbedtls_ssl_conf_ciphersuites( &conf, opt.force_ciphersuite );
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
if( opt.arc4 != DFL_ARC4 )
|
||||
mbedtls_ssl_conf_arc4_support( &conf, opt.arc4 );
|
||||
#endif
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
if( opt.version_suites != NULL )
|
||||
{
|
||||
mbedtls_ssl_conf_ciphersuites_for_version( &conf, version_suites[0],
|
||||
@ -2684,6 +2688,7 @@ int main( int argc, char *argv[] )
|
||||
MBEDTLS_SSL_MAJOR_VERSION_3,
|
||||
MBEDTLS_SSL_MINOR_VERSION_3 );
|
||||
}
|
||||
#endif /* !MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_CONF_ALLOW_LEGACY_RENEGOTIATION)
|
||||
if( opt.allow_legacy != DFL_ALLOW_LEGACY )
|
||||
|
@ -759,6 +759,21 @@ component_test_full_cmake_clang () {
|
||||
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
|
||||
}
|
||||
|
||||
component_test_hardcoded_ciphersuite_cmake_clang() {
|
||||
msg "build: cmake, full config + MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE, clang" # ~ 50s
|
||||
scripts/config.pl full
|
||||
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
|
||||
scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE MBEDTLS_SUITE_TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8
|
||||
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Check -D ENABLE_TESTING=On .
|
||||
make
|
||||
|
||||
msg "test: main suites (full config + MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)" # ~ 5s
|
||||
make test
|
||||
|
||||
msg "test: ssl-opt.sh default (full config + MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)" # ~ 5s
|
||||
if_build_succeeded tests/ssl-opt.sh -f '^Default$\|^Default, DTLS$'
|
||||
}
|
||||
|
||||
component_build_deprecated () {
|
||||
msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s
|
||||
scripts/config.pl full
|
||||
|
@ -164,6 +164,12 @@ requires_config_disabled() {
|
||||
fi
|
||||
}
|
||||
|
||||
requires_ciphersuite_enabled() {
|
||||
if [ -z "$($P_CLI --help | grep "$1")" ]; then
|
||||
SKIP_NEXT="YES"
|
||||
fi
|
||||
}
|
||||
|
||||
get_config_value_or_default() {
|
||||
# This function uses the query_config command line option to query the
|
||||
# required Mbed TLS compile time configuration from the ssl_server2
|
||||
@ -952,11 +958,25 @@ trap cleanup INT TERM HUP
|
||||
|
||||
# Basic test
|
||||
|
||||
run_test "Default" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI" \
|
||||
0
|
||||
|
||||
run_test "Default, DTLS" \
|
||||
"$P_SRV dtls=1" \
|
||||
"$P_CLI dtls=1" \
|
||||
0
|
||||
|
||||
# Checks that:
|
||||
# - things work with all ciphersuites active (used with config-full in all.sh)
|
||||
# - the expected (highest security) parameters are selected
|
||||
# ("signature_algorithm ext: 6" means SHA-512 (highest common hash))
|
||||
run_test "Default" \
|
||||
requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
|
||||
requires_config_enabled MBEDTLS_SHA512_C
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
|
||||
run_test "Default, choose highest security suite and hash" \
|
||||
"$P_SRV debug_level=3" \
|
||||
"$P_CLI" \
|
||||
0 \
|
||||
@ -967,12 +987,18 @@ run_test "Default" \
|
||||
-S "error" \
|
||||
-C "error"
|
||||
|
||||
run_test "Default, DTLS" \
|
||||
"$P_SRV dtls=1" \
|
||||
requires_ciphersuite_enabled "TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
|
||||
requires_config_enabled MBEDTLS_SHA512_C
|
||||
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_2
|
||||
requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED
|
||||
run_test "Default, choose highest security suite and hash, DTLS" \
|
||||
"$P_SRV debug_level=3 dtls=1" \
|
||||
"$P_CLI dtls=1" \
|
||||
0 \
|
||||
-s "Protocol is DTLSv1.2" \
|
||||
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256"
|
||||
-s "Ciphersuite is TLS-ECDHE-RSA-WITH-CHACHA20-POLY1305-SHA256" \
|
||||
-s "client hello v3, signature_algorithm ext: 6" \
|
||||
-s "ECDHE curve: secp521r1"
|
||||
|
||||
# Test current time in ServerHello
|
||||
requires_config_enabled MBEDTLS_HAVE_TIME
|
||||
|
@ -279,7 +279,9 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
session->start = mbedtls_time( NULL ) - 42;
|
||||
#endif
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
session->ciphersuite = 0xabcd;
|
||||
#endif
|
||||
session->compression = 1;
|
||||
session->id_len = sizeof( session->id );
|
||||
memset( session->id, 66, session->id_len );
|
||||
@ -698,7 +700,9 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
||||
#if defined(MBEDTLS_HAVE_TIME)
|
||||
TEST_ASSERT( original.start == restored.start );
|
||||
#endif
|
||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||
TEST_ASSERT( original.ciphersuite == restored.ciphersuite );
|
||||
#endif
|
||||
TEST_ASSERT( original.compression == restored.compression );
|
||||
TEST_ASSERT( original.id_len == restored.id_len );
|
||||
TEST_ASSERT( memcmp( original.id,
|
||||
|
Loading…
Reference in New Issue
Block a user