From 01f3dae3f30d4c016ed7b1b5cb251d5e5abaceb5 Mon Sep 17 00:00:00 2001
From: Brett Warren
Date: Tue, 17 Aug 2021 13:50:51 +0100
Subject: [PATCH] Refactor elliptic curve extension for NamedGroups
The refactoring is needed for the group api to work properly. Code is modified to use mbedtls_get_supported_groups instead of direct access so that both deprecated and new api are useable.
Signed-off-by: Brett Warren
---
library/ssl_cli.c | 32 ++++++++++++--------------------
library/ssl_srv.c | 8 +++++---
2 files changed, 17 insertions(+), 23 deletions(-)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 9120aa2f7..9fc804126 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -309,27 +309,32 @@ static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *elliptic_curve_list = p + 6; size_t elliptic_curve_len = 0; const mbedtls_ecp_curve_info *info; - const mbedtls_ecp_group_id *grp_id; - + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); *olen = 0; + /* Check there is room for header */ + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); - if( ssl->conf->curve_list == NULL ) + if( group_list == NULL ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - for( grp_id = ssl->conf->curve_list; - *grp_id != MBEDTLS_ECP_DP_NONE; - grp_id++ ) + for( ; *group_list != 0; group_list++ ) { - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); + info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); if( info == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); return( MBEDTLS_ERR_SSL_BAD_CONFIG ); } + + /* Check there is room for another curve */ + MBEDTLS_SSL_CHK_BUF_PTR( elliptic_curve_list, end, elliptic_curve_len + 2 ); + + MBEDTLS_PUT_UINT16_BE( *group_list, elliptic_curve_list, elliptic_curve_len ); elliptic_curve_len += 2; if( elliptic_curve_len > MBEDTLS_SSL_MAX_CURVE_LIST_LEN ) 
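Review bot: Inside the new `for( ; *group_list != 0; group_list++ )` loop, a single entry that `mbedtls_ecp_curve_info_from_tls_id()` does not know makes the function return `MBEDTLS_ERR_SSL_BAD_CONFIG`, so no ClientHello is produced at all. With the old `mbedtls_ecp_group_id` list every entry was an ECP curve by construction; a list of 16-bit NamedGroup ids can presumably also hold values that are valid but not compiled in or not ECP curves (the groups API is not visible here, so please confirm). If so, skip the entry instead, `if( info == NULL ) continue;` with the level-1 debug message kept, and let the existing `elliptic_curve_len == 0` check report a list that ends up empty. The loop also depends on the list being terminated by 0 rather than `MBEDTLS_ECP_DP_NONE`; a comment `/* group_list is a 0-terminated array of TLS NamedGroup ids */` at the declaration would record that contract. The function body starts and ends outside this hunk.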
@@ -344,19 +349,6 @@ static int ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, if( elliptic_curve_len == 0 ) return( MBEDTLS_ERR_SSL_BAD_CONFIG ); - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 6 + elliptic_curve_len ); - - elliptic_curve_len = 0; - - for( grp_id = ssl->conf->curve_list; - *grp_id != MBEDTLS_ECP_DP_NONE; - grp_id++ ) - { - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_1( info->tls_id ); - elliptic_curve_list[elliptic_curve_len++] = MBEDTLS_BYTE_0( info->tls_id ); - } - MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES, p, 0 ); p += 2;
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e27fdff5e..881b1fd69 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -3036,14 +3036,16 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, * } ServerECDHParams; */ const mbedtls_ecp_curve_info **curve = NULL; - const mbedtls_ecp_group_id *gid; + const uint16_t *group_list = mbedtls_ssl_get_groups( ssl ); int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; /* Match our preference list against the offered curves */ - for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) + if( group_list == NULL ) + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); + for( ; *group_list != 0; group_list++ ) for( curve = ssl->handshake->curves; *curve != NULL; curve++ ) - if( (*curve)->grp_id == *gid ) + if( (*curve)->tls_id == *group_list ) goto curve_matching_done; curve_matching_done:
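Review bot: The added `if( group_list == NULL )` guard in the `ssl_srv.c` hunk is wedged between the comment `/* Match our preference list against the offered curves */` and the loops that comment describes, and it is followed directly by two unbraced nested `for` statements, so the early return reads as part of the matching logic. Move the guard above the comment, leave a blank line after it, and brace the outer loop. The return is also silent; a level-1 `MBEDTLS_SSL_DEBUG_MSG` before `return( MBEDTLS_ERR_SSL_BAD_CONFIG );` would let an operator tell a missing group configuration from other handshake failures. `ssl_prepare_server_key_exchange` starts and ends outside this hunk.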