mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-29 11:41:15 +03:00
Pengyu Lv
@ -609,7 +609,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
|
|||||||
int ssl_write_supported_groups_ext_flags = 0;
|
int ssl_write_supported_groups_ext_flags = 0;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
||||||
if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
|
if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
|
||||||
ssl_write_supported_groups_ext_flags |=
|
ssl_write_supported_groups_ext_flags |=
|
||||||
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
|
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
|
||||||
}
|
}
|
||||||
@ -637,7 +637,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
|
|||||||
int write_sig_alg_ext = 0;
|
int write_sig_alg_ext = 0;
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
|
||||||
write_sig_alg_ext = write_sig_alg_ext ||
|
write_sig_alg_ext = write_sig_alg_ext ||
|
||||||
(propose_tls13 && mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl));
|
(propose_tls13 && mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl));
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
|
write_sig_alg_ext = write_sig_alg_ext || propose_tls12;
|
||||||
@ -668,7 +668,7 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
|
|||||||
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
|
/* The "pre_shared_key" extension (RFC 8446 Section 4.2.11)
|
||||||
* MUST be the last extension in the ClientHello.
|
* MUST be the last extension in the ClientHello.
|
||||||
*/
|
*/
|
||||||
if (propose_tls13 && mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
|
if (propose_tls13 && mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
|
||||||
ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
|
ret = mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext(
|
||||||
ssl, p, end, &output_len, binders_len);
|
ssl, p, end, &output_len, binders_len);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
|
|||||||
@ -1907,31 +1907,31 @@ static inline int mbedtls_ssl_conf_tls13_is_kex_mode_enabled(mbedtls_ssl_context
|
|||||||
return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
|
return (ssl->conf->tls13_kex_modes & kex_mode_mask) != 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int mbedtls_ssl_conf_tls13_psk_enabled(mbedtls_ssl_context *ssl)
|
static inline int mbedtls_ssl_conf_tls13_is_psk_enabled(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
|
static inline int mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int mbedtls_ssl_conf_tls13_ephemeral_enabled(mbedtls_ssl_context *ssl)
|
static inline int mbedtls_ssl_conf_tls13_is_ephemeral_enabled(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int mbedtls_ssl_conf_tls13_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
|
static inline int mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL);
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline int mbedtls_ssl_conf_tls13_some_psk_enabled(mbedtls_ssl_context *ssl)
|
static inline int mbedtls_ssl_conf_tls13_is_some_psk_enabled(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
return mbedtls_ssl_conf_tls13_is_kex_mode_enabled(ssl,
|
||||||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
|
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL);
|
||||||
|
|||||||
@ -1342,7 +1342,7 @@ static int ssl_conf_check(const mbedtls_ssl_context *ssl)
|
|||||||
* bad config.
|
* bad config.
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
if (mbedtls_ssl_conf_tls13_ephemeral_enabled(
|
if (mbedtls_ssl_conf_tls13_is_ephemeral_enabled(
|
||||||
(mbedtls_ssl_context *) ssl) &&
|
(mbedtls_ssl_context *) ssl) &&
|
||||||
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
|
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT &&
|
||||||
ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
|
ssl->conf->max_tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
|
||||||
|
|||||||
@ -621,7 +621,7 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
|
|||||||
/* Skip writing extension if no PSK key exchange mode
|
/* Skip writing extension if no PSK key exchange mode
|
||||||
* is enabled in the config.
|
* is enabled in the config.
|
||||||
*/
|
*/
|
||||||
if (!mbedtls_ssl_conf_tls13_some_psk_enabled(ssl)) {
|
if (!mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl)) {
|
||||||
MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
|
MBEDTLS_SSL_DEBUG_MSG(3, ("skip psk_key_exchange_modes extension"));
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -640,14 +640,14 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext(mbedtls_ssl_context *ssl,
|
|||||||
*/
|
*/
|
||||||
p += 5;
|
p += 5;
|
||||||
|
|
||||||
if (mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl)) {
|
if (mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl)) {
|
||||||
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
|
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_ECDHE;
|
||||||
ke_modes_len++;
|
ke_modes_len++;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
|
MBEDTLS_SSL_DEBUG_MSG(4, ("Adding PSK-ECDHE key exchange mode"));
|
||||||
}
|
}
|
||||||
|
|
||||||
if (mbedtls_ssl_conf_tls13_psk_enabled(ssl)) {
|
if (mbedtls_ssl_conf_tls13_is_psk_enabled(ssl)) {
|
||||||
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
|
*p++ = MBEDTLS_SSL_TLS1_3_PSK_MODE_PURE;
|
||||||
ke_modes_len++;
|
ke_modes_len++;
|
||||||
|
|
||||||
@ -1161,7 +1161,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
|
|||||||
p += ext_len;
|
p += ext_len;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
|
||||||
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
|
if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
|
||||||
ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
|
ret = ssl_tls13_write_key_share_ext(ssl, p, end, &ext_len);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
return ret;
|
return ret;
|
||||||
@ -1171,7 +1171,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl,
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||||
if (mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
|
if (mbedtls_ssl_conf_tls13_is_some_psk_enabled(ssl) &&
|
||||||
ssl_tls13_early_data_has_valid_ticket(ssl) &&
|
ssl_tls13_early_data_has_valid_ticket(ssl) &&
|
||||||
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
|
ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
|
||||||
|
|
||||||
@ -1457,7 +1457,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
|
|||||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
|
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
|
||||||
buf, (size_t) (end - buf)));
|
buf, (size_t) (end - buf)));
|
||||||
|
|
||||||
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
|
if (mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
|
||||||
ret = ssl_tls13_reset_key_share(ssl);
|
ret = ssl_tls13_reset_key_share(ssl);
|
||||||
if (ret != 0) {
|
if (ret != 0) {
|
||||||
return ret;
|
return ret;
|
||||||
@ -1499,7 +1499,7 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
|
|||||||
* in the ClientHello.
|
* in the ClientHello.
|
||||||
* In a PSK only key exchange that what we expect.
|
* In a PSK only key exchange that what we expect.
|
||||||
*/
|
*/
|
||||||
if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
|
if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
|
||||||
MBEDTLS_SSL_DEBUG_MSG(1,
|
MBEDTLS_SSL_DEBUG_MSG(1,
|
||||||
("Unexpected HRR in pure PSK key exchange."));
|
("Unexpected HRR in pure PSK key exchange."));
|
||||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||||
@ -1776,7 +1776,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
case MBEDTLS_TLS_EXT_KEY_SHARE:
|
case MBEDTLS_TLS_EXT_KEY_SHARE:
|
||||||
MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
|
MBEDTLS_SSL_DEBUG_MSG(3, ("found key_shares extension"));
|
||||||
if (!mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
|
if (!mbedtls_ssl_conf_tls13_is_some_ephemeral_enabled(ssl)) {
|
||||||
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
|
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
|
||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -1025,7 +1025,7 @@ MBEDTLS_CHECK_RETURN_CRITICAL
|
|||||||
static int ssl_tls13_key_exchange_ephemeral_available(mbedtls_ssl_context *ssl)
|
static int ssl_tls13_key_exchange_ephemeral_available(mbedtls_ssl_context *ssl)
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||||
return mbedtls_ssl_conf_tls13_ephemeral_enabled(ssl) &&
|
return mbedtls_ssl_conf_tls13_is_ephemeral_enabled(ssl) &&
|
||||||
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
|
ssl_tls13_client_hello_has_exts_for_ephemeral_key_exchange(ssl);
|
||||||
#else
|
#else
|
||||||
((void) ssl);
|
((void) ssl);
|
||||||
@ -1039,7 +1039,7 @@ static int ssl_tls13_key_exchange_psk_available(mbedtls_ssl_context *ssl)
|
|||||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED)
|
||||||
return ssl_tls13_ticket_is_kex_mode_permitted(
|
return ssl_tls13_ticket_is_kex_mode_permitted(
|
||||||
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
|
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK) &&
|
||||||
mbedtls_ssl_conf_tls13_psk_enabled(ssl) &&
|
mbedtls_ssl_conf_tls13_is_psk_enabled(ssl) &&
|
||||||
mbedtls_ssl_tls13_psk_enabled(ssl) &&
|
mbedtls_ssl_tls13_psk_enabled(ssl) &&
|
||||||
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
|
ssl_tls13_client_hello_has_exts_for_psk_key_exchange(ssl);
|
||||||
#else
|
#else
|
||||||
@ -1054,7 +1054,7 @@ static int ssl_tls13_key_exchange_psk_ephemeral_available(mbedtls_ssl_context *s
|
|||||||
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED)
|
||||||
return ssl_tls13_ticket_is_kex_mode_permitted(
|
return ssl_tls13_ticket_is_kex_mode_permitted(
|
||||||
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
|
ssl, MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL) &&
|
||||||
mbedtls_ssl_conf_tls13_psk_ephemeral_enabled(ssl) &&
|
mbedtls_ssl_conf_tls13_is_psk_ephemeral_enabled(ssl) &&
|
||||||
mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
|
mbedtls_ssl_tls13_psk_ephemeral_enabled(ssl) &&
|
||||||
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
|
ssl_tls13_client_hello_has_exts_for_psk_ephemeral_key_exchange(ssl);
|
||||||
#else
|
#else
|
||||||
|
|||||||
Reference in New Issue
Block a user