mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-26 14:45:38 +01:00
Remove ciphersuite from SSL session if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type mbedtls_ssl_ciphersuite_handle_t is logically a boolean (concretely realized as `unsigned char`), containing the invalid handle and the unique valid handle, which represents the single enabled ciphersuite. The SSL session structure mbedtls_ssl_session contains an instance of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid, and which is hence redundant in any two-valued implementation of mbedtls_ssl_ciphersuite_handle_t. This commit replaces read-uses of mbedtls_ssl_session::ciphersuite_info by a getter functions which, and defines this getter function either by just reading the field from the session structure (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by returning the single valid ciphersuite handle (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the field from mbedtls_ssl_session in this case.
This commit is contained in:
Hanno Becker
parent
6ace4657b6
commit
e02758c9c8
@ -923,7 +923,9 @@ struct mbedtls_ssl_session
|
|||||||
#if defined(MBEDTLS_HAVE_TIME)
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
mbedtls_time_t start; /*!< starting time */
|
mbedtls_time_t start; /*!< starting time */
|
||||||
#endif
|
#endif
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
int ciphersuite; /*!< chosen ciphersuite */
|
int ciphersuite; /*!< chosen ciphersuite */
|
||||||
|
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||||
int compression; /*!< chosen compression */
|
int compression; /*!< chosen compression */
|
||||||
size_t id_len; /*!< session id length */
|
size_t id_len; /*!< session id length */
|
||||||
unsigned char id[32]; /*!< session identifier */
|
unsigned char id[32]; /*!< session identifier */
|
||||||
|
|||||||
@ -681,6 +681,21 @@ static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
|
static inline int mbedtls_ssl_session_get_ciphersuite(
|
||||||
|
mbedtls_ssl_session const * session )
|
||||||
|
{
|
||||||
|
return( session->ciphersuite );
|
||||||
|
}
|
||||||
|
#else /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||||
|
static inline int mbedtls_ssl_session_get_ciphersuite(
|
||||||
|
mbedtls_ssl_session const * session )
|
||||||
|
{
|
||||||
|
((void) session);
|
||||||
|
return( MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_SINGLE_CIPHERSUITE ) );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||||
|
|
||||||
const int *mbedtls_ssl_list_ciphersuites( void );
|
const int *mbedtls_ssl_list_ciphersuites( void );
|
||||||
|
|
||||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
|
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
|
||||||
|
|||||||
@ -84,10 +84,13 @@ int mbedtls_ssl_cache_get( void *data, mbedtls_ssl_session *session )
|
|||||||
continue;
|
continue;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if( session->ciphersuite != entry->session.ciphersuite ||
|
if( mbedtls_ssl_session_get_ciphersuite( session ) !=
|
||||||
|
mbedtls_ssl_session_get_ciphersuite( &entry->session ) ||
|
||||||
session->compression != entry->session.compression ||
|
session->compression != entry->session.compression ||
|
||||||
session->id_len != entry->session.id_len )
|
session->id_len != entry->session.id_len )
|
||||||
|
{
|
||||||
continue;
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
if( memcmp( session->id, entry->session.id,
|
if( memcmp( session->id, entry->session.id,
|
||||||
entry->session.id_len ) != 0 )
|
entry->session.id_len ) != 0 )
|
||||||
|
|||||||
@ -1845,7 +1845,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
|
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
|
||||||
if( n == 0 ||
|
if( n == 0 ||
|
||||||
mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
|
mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
|
||||||
ssl->session_negotiate->ciphersuite != i ||
|
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) != i ||
|
||||||
ssl->session_negotiate->compression != comp ||
|
ssl->session_negotiate->compression != comp ||
|
||||||
ssl->session_negotiate->id_len != n ||
|
ssl->session_negotiate->id_len != n ||
|
||||||
memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
|
memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
|
||||||
@ -1874,7 +1874,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
#if defined(MBEDTLS_HAVE_TIME)
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
ssl->session_negotiate->start = mbedtls_time( NULL );
|
ssl->session_negotiate->start = mbedtls_time( NULL );
|
||||||
#endif
|
#endif
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
ssl->session_negotiate->ciphersuite = i;
|
ssl->session_negotiate->ciphersuite = i;
|
||||||
|
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||||
ssl->session_negotiate->compression = comp;
|
ssl->session_negotiate->compression = comp;
|
||||||
ssl->session_negotiate->id_len = n;
|
ssl->session_negotiate->id_len = n;
|
||||||
memcpy( ssl->session_negotiate->id, buf + 35, n );
|
memcpy( ssl->session_negotiate->id, buf + 35, n );
|
||||||
|
|||||||
@ -1037,7 +1037,9 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||||||
size_t n;
|
size_t n;
|
||||||
unsigned int ciph_len, sess_len, chal_len;
|
unsigned int ciph_len, sess_len, chal_len;
|
||||||
unsigned char *buf, *p;
|
unsigned char *buf, *p;
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||||
|
#endif
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
||||||
|
|
||||||
@ -1256,7 +1258,9 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
if( ssl_ciphersuite_is_match( ssl, cur_info, NULL ) )
|
if( ssl_ciphersuite_is_match( ssl, cur_info, NULL ) )
|
||||||
{
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
ciphersuite_info = cur_info;
|
ciphersuite_info = cur_info;
|
||||||
|
#endif
|
||||||
goto have_ciphersuite_v2;
|
goto have_ciphersuite_v2;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1289,9 +1293,9 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
have_ciphersuite_v2:
|
have_ciphersuite_v2:
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
ssl->session_negotiate->ciphersuite =
|
ssl->session_negotiate->ciphersuite =
|
||||||
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
||||||
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
|
||||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -1341,7 +1345,10 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
|||||||
int extended_ms_seen = 0;
|
int extended_ms_seen = 0;
|
||||||
#endif
|
#endif
|
||||||
int handshake_failure = 0;
|
int handshake_failure = 0;
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||||
|
#endif
|
||||||
int major, minor;
|
int major, minor;
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||||
@ -2175,7 +2182,9 @@ read_record_header:
|
|||||||
if( ssl_ciphersuite_is_match( ssl, cur_info,
|
if( ssl_ciphersuite_is_match( ssl, cur_info,
|
||||||
acceptable_ec_grp_ids) )
|
acceptable_ec_grp_ids) )
|
||||||
{
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
ciphersuite_info = cur_info;
|
ciphersuite_info = cur_info;
|
||||||
|
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||||
goto have_ciphersuite;
|
goto have_ciphersuite;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2212,9 +2221,9 @@ read_record_header:
|
|||||||
|
|
||||||
have_ciphersuite:
|
have_ciphersuite:
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
ssl->session_negotiate->ciphersuite =
|
ssl->session_negotiate->ciphersuite =
|
||||||
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
||||||
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
|
||||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||||
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||||
|
|
||||||
@ -2354,7 +2363,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
* encrypt-then-MAC response extension back to the client."
|
* encrypt-then-MAC response extension back to the client."
|
||||||
*/
|
*/
|
||||||
suite = mbedtls_ssl_ciphersuite_from_id(
|
suite = mbedtls_ssl_ciphersuite_from_id(
|
||||||
ssl->session_negotiate->ciphersuite );
|
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) );
|
||||||
if( suite == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
if( suite == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||||
{
|
{
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
@ -2695,6 +2704,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
mbedtls_time_t t;
|
mbedtls_time_t t;
|
||||||
#endif
|
#endif
|
||||||
int ret;
|
int ret;
|
||||||
|
int ciphersuite;
|
||||||
size_t olen, ext_len = 0, n;
|
size_t olen, ext_len = 0, n;
|
||||||
unsigned char *buf, *p;
|
unsigned char *buf, *p;
|
||||||
|
|
||||||
@ -2844,12 +2854,13 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "%s session has been resumed",
|
||||||
mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
|
mbedtls_ssl_handshake_get_resume( ssl->handshake ) ? "a" : "no" ) );
|
||||||
|
|
||||||
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite >> 8 );
|
ciphersuite = mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate );
|
||||||
*p++ = (unsigned char)( ssl->session_negotiate->ciphersuite );
|
*p++ = (unsigned char)( ciphersuite >> 8 );
|
||||||
|
*p++ = (unsigned char)( ciphersuite );
|
||||||
*p++ = (unsigned char)( ssl->session_negotiate->compression );
|
*p++ = (unsigned char)( ssl->session_negotiate->compression );
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
||||||
mbedtls_ssl_get_ciphersuite_name( ssl->session_negotiate->ciphersuite ) ) );
|
mbedtls_ssl_get_ciphersuite_name( ciphersuite ) ) );
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
||||||
ssl->session_negotiate->compression ) );
|
ssl->session_negotiate->compression ) );
|
||||||
|
|
||||||
@ -2898,7 +2909,8 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
if ( mbedtls_ssl_ciphersuite_uses_ec(
|
if ( mbedtls_ssl_ciphersuite_uses_ec(
|
||||||
mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ) ) )
|
mbedtls_ssl_ciphersuite_from_id(
|
||||||
|
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ) ) ) )
|
||||||
{
|
{
|
||||||
ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_supported_point_formats_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
|
|||||||
@ -1378,7 +1378,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
/* Populate transform structure */
|
/* Populate transform structure */
|
||||||
ret = ssl_populate_transform( ssl->transform_negotiate,
|
ret = ssl_populate_transform( ssl->transform_negotiate,
|
||||||
ssl->session_negotiate->ciphersuite,
|
mbedtls_ssl_session_get_ciphersuite( ssl->session_negotiate ),
|
||||||
ssl->session_negotiate->master,
|
ssl->session_negotiate->master,
|
||||||
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
#if defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||||
@ -8968,10 +8968,13 @@ uint32_t mbedtls_ssl_get_verify_result( const mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
|
const char *mbedtls_ssl_get_ciphersuite( const mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
|
int suite;
|
||||||
|
|
||||||
if( ssl == NULL || ssl->session == NULL )
|
if( ssl == NULL || ssl->session == NULL )
|
||||||
return( NULL );
|
return( NULL );
|
||||||
|
|
||||||
return mbedtls_ssl_get_ciphersuite_name( ssl->session->ciphersuite );
|
suite = mbedtls_ssl_session_get_ciphersuite( ssl->session );
|
||||||
|
return( mbedtls_ssl_get_ciphersuite_name( suite ) );
|
||||||
}
|
}
|
||||||
|
|
||||||
const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
||||||
@ -9393,8 +9396,10 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
|
|||||||
|
|
||||||
if( used <= buf_len )
|
if( used <= buf_len )
|
||||||
{
|
{
|
||||||
*p++ = (unsigned char)( ( session->ciphersuite >> 8 ) & 0xFF );
|
const int ciphersuite =
|
||||||
*p++ = (unsigned char)( ( session->ciphersuite ) & 0xFF );
|
mbedtls_ssl_session_get_ciphersuite( session );
|
||||||
|
*p++ = (unsigned char)( ( ciphersuite >> 8 ) & 0xFF );
|
||||||
|
*p++ = (unsigned char)( ( ciphersuite ) & 0xFF );
|
||||||
|
|
||||||
*p++ = (unsigned char)( session->compression & 0xFF );
|
*p++ = (unsigned char)( session->compression & 0xFF );
|
||||||
|
|
||||||
@ -9532,6 +9537,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||||||
{
|
{
|
||||||
const unsigned char *p = buf;
|
const unsigned char *p = buf;
|
||||||
const unsigned char * const end = buf + len;
|
const unsigned char * const end = buf + len;
|
||||||
|
int ciphersuite;
|
||||||
#if defined(MBEDTLS_HAVE_TIME)
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
uint64_t start;
|
uint64_t start;
|
||||||
#endif
|
#endif
|
||||||
@ -9578,12 +9584,23 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
|||||||
/*
|
/*
|
||||||
* Basic mandatory fields
|
* Basic mandatory fields
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
|
if( 2 + 1 + 1 + 32 + 48 + 4 > (size_t)( end - p ) )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||||
|
|
||||||
session->ciphersuite = ( p[0] << 8 ) | p[1];
|
ciphersuite = ( p[0] << 8 ) | p[1];
|
||||||
p += 2;
|
p += 2;
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||||
|
session->ciphersuite = ciphersuite;
|
||||||
|
#else
|
||||||
|
if( ciphersuite !=
|
||||||
|
MBEDTLS_SSL_SUITE_ID( MBEDTLS_SSL_SINGLE_CIPHERSUITE ) )
|
||||||
|
{
|
||||||
|
return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
session->compression = *p++;
|
session->compression = *p++;
|
||||||
|
|
||||||
session->id_len = *p++;
|
session->id_len = *p++;
|
||||||
|
|||||||
@ -279,7 +279,9 @@ static int ssl_populate_session( mbedtls_ssl_session *session,
|
|||||||
#if defined(MBEDTLS_HAVE_TIME)
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
session->start = mbedtls_time( NULL ) - 42;
|
session->start = mbedtls_time( NULL ) - 42;
|
||||||
#endif
|
#endif
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||||
session->ciphersuite = 0xabcd;
|
session->ciphersuite = 0xabcd;
|
||||||
|
#endif
|
||||||
session->compression = 1;
|
session->compression = 1;
|
||||||
session->id_len = sizeof( session->id );
|
session->id_len = sizeof( session->id );
|
||||||
memset( session->id, 66, session->id_len );
|
memset( session->id, 66, session->id_len );
|
||||||
@ -698,7 +700,9 @@ void ssl_serialize_session_save_load( int ticket_len, char *crt_file )
|
|||||||
#if defined(MBEDTLS_HAVE_TIME)
|
#if defined(MBEDTLS_HAVE_TIME)
|
||||||
TEST_ASSERT( original.start == restored.start );
|
TEST_ASSERT( original.start == restored.start );
|
||||||
#endif
|
#endif
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||||
TEST_ASSERT( original.ciphersuite == restored.ciphersuite );
|
TEST_ASSERT( original.ciphersuite == restored.ciphersuite );
|
||||||
|
#endif
|
||||||
TEST_ASSERT( original.compression == restored.compression );
|
TEST_ASSERT( original.compression == restored.compression );
|
||||||
TEST_ASSERT( original.id_len == restored.id_len );
|
TEST_ASSERT( original.id_len == restored.id_len );
|
||||||
TEST_ASSERT( memcmp( original.id,
|
TEST_ASSERT( memcmp( original.id,
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user