Add mbedtls_ssl_check_curve_tls_id() (internal)
This can be used to validate the server's choice of group in the PSA case (this will be done in the next commit). Note that new function doesn't depend on ECP_C, as it only requires mbedtls_ssl_get_groups(), which is always available. As a general rule, functions for defining and enforcing policy in the TLS module should not depend on low-level modules but work with TLS-level identifiers are much as possible, and this new function follows that principle. Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This commit is contained in:
Manuel Pégourié-Gonnard
parent
3caa0edb9b
commit
0d63b84fa4
2 changed files with 12 additions and 3 deletions
|
|
@ -1288,6 +1288,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
|
|||
unsigned char mbedtls_ssl_hash_from_md_alg( int md );
|
||||
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md );
|
||||
|
||||
int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id );
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -7054,18 +7054,16 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md )
|
|||
}
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
/*
|
||||
* Check if a curve proposed by the peer is in our list.
|
||||
* Return 0 if we're willing to use it, -1 otherwise.
|
||||
*/
|
||||
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
|
||||
int mbedtls_ssl_check_curve_tls_id( const mbedtls_ssl_context *ssl, uint16_t tls_id )
|
||||
{
|
||||
const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
|
||||
|
||||
if( group_list == NULL )
|
||||
return( -1 );
|
||||
uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
|
||||
|
||||
for( ; *group_list != 0; group_list++ )
|
||||
{
|
||||
|
|
@ -7075,6 +7073,16 @@ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_i
|
|||
|
||||
return( -1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
/*
|
||||
* Same as mbedtls_ssl_check_curve_tls_id() but with a mbedtls_ecp_group_id.
|
||||
*/
|
||||
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
|
||||
{
|
||||
uint16_t tls_id = mbedtls_ecp_curve_info_from_grp_id(grp_id)->tls_id;
|
||||
return mbedtls_ssl_check_curve_tls_id( ssl, tls_id );
|
||||
}
|
||||
#endif /* MBEDTLS_ECP_C */
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
|
|
|
|||
Loading…
Reference in a new issue