Update parse_key_share in server side and version config

Change-Id: Ic91c061027d0ee4dca2055df21809cbb4388f3ef
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-04-21 09:24:56 +00:00
parent 0a1b54ed73
commit 060d867598
2 changed files with 40 additions and 41 deletions

View file

@ -4210,34 +4210,37 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
endpoint == MBEDTLS_SSL_IS_SERVER )
{
/* DTLS 1.3 not supported yet
* server side hybrid mode not support yet
*/
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
}
else
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
}
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
}
else
{
/* DTLS 1.3 not supported yet */
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
/*
* Preset-specific defaults
@ -7791,7 +7794,7 @@ int mbedtls_ssl_validate_ciphersuite(
return( -1 );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )

View file

@ -215,19 +215,19 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
if( match_found == 1 )
continue;
if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
! mbedtls_ssl_named_group_is_supported( group ) )
{
continue;
}
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_tls_id( group );
/*
* For now, we only support ECDHE groups.
*/
if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
{
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_tls_id( group );
if( curve_info == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
continue;
}
match_found = 1;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
@ -377,8 +377,9 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *p = buf;
size_t legacy_session_id_len;
const unsigned char *cipher_suites_start;
const unsigned char *cipher_suites;
size_t cipher_suites_len;
const unsigned char *cipher_suites_end;
size_t extensions_len;
const unsigned char *extensions_end;
@ -479,7 +480,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
* with CipherSuite defined as:
* uint8 CipherSuite[2];
*/
cipher_suites_start = p;
cipher_suites = p;
cipher_suites_end = p + cipher_suites_len;
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
p, cipher_suites_len );
/*
@ -487,8 +489,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
*/
int ciphersuite_match = 0;
ciphersuite_info = NULL;
for ( size_t j = 0; j < cipher_suites_len;
j += 2, p += 2 )
for ( ; p < cipher_suites_end; p += 2 )
{
uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
@ -520,7 +521,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
ciphersuite_info->name ) );
p = cipher_suites_start + cipher_suites_len;
p = cipher_suites + cipher_suites_len;
/* ...
* opaque legacy_compression_methods<1..2^8-1>;
* ...
@ -730,7 +731,7 @@ cleanup:
}
/*
* TLS and DTLS 1.3 State Maschine -- server side
* TLS 1.3 State Maschine -- server side
*/
int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
{
@ -760,14 +761,9 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
break;
case MBEDTLS_SSL_SERVER_HELLO:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
break;
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
return( ret );