Improve documentation

This commit is contained in:
Hanno Becker 2017-05-11 14:07:25 +01:00
parent 0d0cd4b30e
commit cf7ae7e7d3

View File

@ -2788,16 +2788,24 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
unsigned char *p = ssl->out_msg + 4; unsigned char *p = ssl->out_msg + 4;
size_t len;
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
unsigned char *dig_signed = p; unsigned char *dig_signed = p;
size_t dig_signed_len = 0, len; size_t dig_signed_len = 0;
((void) dig_signed); #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
((void) dig_signed_len); #endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
((void) len);
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
/* For key exchanges involving ECDH, extract DH parameters from certificate here. */ /*
*
* Part 1: Extract static ECDH parameters and abort
* if ServerKeyExchange not needed.
*
*/
/* For suites involving ECDH, extract DH parameters
* from certificate at this point. */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) ) if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
{ {
@ -2862,7 +2870,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
/* /*
* For DHE key exchanges, add the DH parameters here. * - DHE key exchanges
*/ */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) ) if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
@ -2913,7 +2921,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
/* /*
* For ECDHE key exchanges, add the ECDH parameters here. * - ECDHE key exchanges
*/ */
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) ) if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
@ -2959,8 +2967,10 @@ curve_matching_done:
return( ret ); return( ret );
} }
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
dig_signed = p; dig_signed = p;
dig_signed_len = len; dig_signed_len = len;
#endif
p += len; p += len;
n += len; n += len;
@ -2970,8 +2980,10 @@ curve_matching_done:
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
/* /*
* For key exchanges involving the server signing the (EC)DH parameters, *
* compute and add the signature here. * Part 3: For key exchanges involving the server signing the
* exchange parameters, compute and add the signature here.
*
*/ */
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
@ -3012,22 +3024,23 @@ curve_matching_done:
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) defined(MBEDTLS_SSL_PROTO_TLS1_1)
if( ciphersuite_info->key_exchange == if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
{ {
/* B: Default hash SHA1 */
md_alg = MBEDTLS_MD_SHA1; md_alg = MBEDTLS_MD_SHA1;
} }
else else
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \ #endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
MBEDTLS_SSL_PROTO_TLS1_1 */ MBEDTLS_SSL_PROTO_TLS1_1 */
{ {
/* C: MD5 + SHA1 */
md_alg = MBEDTLS_MD_NONE; md_alg = MBEDTLS_MD_NONE;
} }
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
/* /*
* Compute the hash to be signed * 3.2: Compute the hash to be signed
*/ */
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1) defined(MBEDTLS_SSL_PROTO_TLS1_1)
@ -3052,6 +3065,7 @@ curve_matching_done:
* SHA(ClientHello.random + ServerHello.random * SHA(ClientHello.random + ServerHello.random
* + ServerParams); * + ServerParams);
*/ */
mbedtls_md5_starts( &mbedtls_md5 ); mbedtls_md5_starts( &mbedtls_md5 );
mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 ); mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len ); mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
@ -3113,7 +3127,7 @@ curve_matching_done:
(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) ); (unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
/* /*
* Compute and add the signature * 3.3: Compute and add the signature
*/ */
if( mbedtls_ssl_own_key( ssl ) == NULL ) if( mbedtls_ssl_own_key( ssl ) == NULL )
{ {
@ -3124,7 +3138,8 @@ curve_matching_done:
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{ {
/* For TLS 1.2, we need to specify signature and hash algorithm /*
* For TLS 1.2, we need to specify signature and hash algorithm
* explicitly through a prefix to the signature. * explicitly through a prefix to the signature.
* *
* struct { * struct {
@ -3163,6 +3178,8 @@ curve_matching_done:
} }
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
/* Done with actual work; add header and send. */
ssl->out_msglen = 4 + n; ssl->out_msglen = 4 + n;
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE; ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE; ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;