lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

ssl_client.c: Adapt ciphersuite writing to TLS 1.2 case

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2022-02-19 18:30:46 +01:00
parent a874aa818a
commit d491c2d779
3 changed files with 81 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
library/ssl_client.c
View File

@ -119,10 +119,56 @@ static int ssl_write_alpn_ext( mbedtls_ssl_context *ssl,
/* Write cipher_suites /* Write cipher_suites
* CipherSuite cipher_suites<2..2^16-2>; * CipherSuite cipher_suites<2..2^16-2>;
*/ */
/**
* \brief Validate cipher suite against config in SSL context.
*
* \param ssl SSL context
* \param suite_info Cipher suite to validate
*
* \return 0 if valid, else 1
*/
static int ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info )
{
if( suite_info == NULL )
return( 1 );
if( ( suite_info->min_minor_ver > ssl->conf->max_minor_ver ) ||
( suite_info->max_minor_ver < ssl->conf->min_minor_ver ) )
return( 1 );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
return( 1 );
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
return( 1 );
#endif
/* Don't suggest PSK-based ciphersuite if no PSK is available. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
{
return( 1 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
return( 0 );
}
static int ssl_write_client_hello_cipher_suites( static int ssl_write_client_hello_cipher_suites(
mbedtls_ssl_context *ssl, mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
unsigned char *end, unsigned char *end,
int *tls12_uses_ec,
size_t *out_len ) size_t *out_len )
{ {
unsigned char *p = buf; unsigned char *p = buf;
@ -130,7 +176,8 @@ static int ssl_write_client_hello_cipher_suites(
unsigned char *cipher_suites; /* Start of the cipher_suites list */ unsigned char *cipher_suites; /* Start of the cipher_suites list */
size_t cipher_suites_len; size_t cipher_suites_len;
*out_len = 0 ; *tls12_uses_ec = 0;
*out_len = 0;
/* /*
* Ciphersuite list * Ciphersuite list
@ -154,12 +201,16 @@ static int ssl_write_client_hello_cipher_suites(
const mbedtls_ssl_ciphersuite_t *ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
if( ciphersuite_info == NULL )
continue; if( ssl_validate_ciphersuite( ssl, ciphersuite_info ) )
if( !( MBEDTLS_SSL_MINOR_VERSION_4 >= ciphersuite_info->min_minor_ver &&
MBEDTLS_SSL_MINOR_VERSION_4 <= ciphersuite_info->max_minor_ver ) )
continue; continue;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
( defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) )
*tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec( ciphersuite_info );
#endif
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s", MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x, %s",
(unsigned int) cipher_suite, (unsigned int) cipher_suite,
ciphersuite_info->name ) ); ciphersuite_info->name ) );
@ -170,6 +221,19 @@ static int ssl_write_client_hello_cipher_suites(
p += 2; p += 2;
} }
/*
* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/
#if defined(MBEDTLS_SSL_RENEGOTIATION)
if( ssl->renego_status == MBEDTLS_SSL_INITIAL_HANDSHAKE )
#endif
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "adding EMPTY_RENEGOTIATION_INFO_SCSV" ) );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 );
MBEDTLS_PUT_UINT16_BE( MBEDTLS_SSL_EMPTY_RENEGOTIATION_INFO, p, 0 );
p += 2;
}
/* Write the cipher_suites length in number of bytes */ /* Write the cipher_suites length in number of bytes */
cipher_suites_len = p - cipher_suites; cipher_suites_len = p - cipher_suites;
MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 ); MBEDTLS_PUT_UINT16_BE( cipher_suites_len, buf, 0 );
@ -217,15 +281,14 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
unsigned char *end, unsigned char *end,
size_t *out_len ) size_t *out_len )
{ {
int ret; int ret;
unsigned char *p = buf;
int tls12_uses_ec = 0;
unsigned char *p_extensions_len; /* Pointer to extensions length */ unsigned char *p_extensions_len; /* Pointer to extensions length */
size_t output_len; /* Length of buffer used by function */ size_t output_len; /* Length of buffer used by function */
size_t extensions_len; /* Length of the list of extensions*/ size_t extensions_len; /* Length of the list of extensions*/
/* Buffer management */
unsigned char *p = buf;
*out_len = 0; *out_len = 0;
/* /*
@ -315,7 +378,9 @@ static int ssl_write_client_hello_body( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
/* Write cipher_suites */ /* Write cipher_suites */
ret = ssl_write_client_hello_cipher_suites( ssl, p, end, &output_len ); ret = ssl_write_client_hello_cipher_suites( ssl, p, end,
&tls12_uses_ec,
&output_len );
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
p += output_len; p += output_len;

3
library/ssl_misc.h
View File

@ -1299,6 +1299,9 @@ void mbedtls_ssl_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl,
mbedtls_key_exchange_type_t key_ex ); mbedtls_key_exchange_type_t key_ex );
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_2)
int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf );
#endif
/** /**
* Get the first defined PSK by order of precedence: * Get the first defined PSK by order of precedence:

6
library/ssl_tls12_client.c
View File

@ -53,7 +53,7 @@
#endif #endif
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf ) int mbedtls_ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
{ {
if( conf->psk_identity == NULL || if( conf->psk_identity == NULL ||
conf->psk_identity_len == 0 ) conf->psk_identity_len == 0 )
@ -672,7 +672,7 @@ static int ssl_validate_ciphersuite(
/* Don't suggest PSK-based ciphersuite if no PSK is available. */ /* Don't suggest PSK-based ciphersuite if no PSK is available. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
ssl_conf_has_static_psk( ssl->conf ) == 0 ) mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
{ {
return( 1 ); return( 1 );
} }
@ -3495,7 +3495,7 @@ ecdh_calc_secret:
/* /*
* opaque psk_identity<0..2^16-1>; * opaque psk_identity<0..2^16-1>;
*/ */
if( ssl_conf_has_static_psk( ssl->conf ) == 0 ) if( mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
{ {
/* We don't offer PSK suites if we don't have a PSK, /* We don't offer PSK suites if we don't have a PSK,
* and we check that the server's choice is among the * and we check that the server's choice is among the