yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

tls: client: Improve writing of supported_groups ext

Browse source 
Align the TLS 1.3 specific and TLS 1.2 specific
tests done before to call
ssl_write_supported_groups_ext() and inside
thsi function.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2023-06-30 14:56:38 +02:00
parent 443589ac53
commit 1ffa450882
1 changed files with 56 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

94
library/ssl_client.c
View file

@ -224,10 +224,14 @@ static int ssl_write_alpn_ext(mbedtls_ssl_context *ssl,
* share the same extension identifier. * share the same extension identifier.
* *
*/ */
#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG 1
#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG 2
MBEDTLS_CHECK_RETURN_CRITICAL MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl, static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
const unsigned char *end, const unsigned char *end,
int flags,
size_t *out_len) size_t *out_len)
{ {
unsigned char *p = buf; unsigned char *p = buf;
@ -254,40 +258,44 @@ static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
} }
for (; *group_list != 0; group_list++) { for (; *group_list != 0; group_list++) {
int propose_group = 0;
MBEDTLS_SSL_DEBUG_MSG(1, ("got supported group(%04x)", *group_list)); MBEDTLS_SSL_DEBUG_MSG(1, ("got supported group(%04x)", *group_list));
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \ #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
(defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \ if (flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG) {
defined(PSA_WANT_ALG_ECDH)) #if defined(PSA_WANT_ALG_ECDH)
if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) && if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list) &&
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) || (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
(mbedtls_ssl_conf_is_tls12_enabled(ssl->conf) && MBEDTLS_ECP_DP_NONE)) {
mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list))) { propose_group = 1;
if (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) ==
MBEDTLS_ECP_DP_NONE) {
continue;
} }
#endif
#if defined(PSA_WANT_ALG_FFDH)
if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {
propose_group = 1;
}
#endif
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
if ((flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG) &&
mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list) &&
(mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
MBEDTLS_ECP_DP_NONE)) {
propose_group = 1;
}
#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC */
if (propose_group) {
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2); MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
MBEDTLS_PUT_UINT16_BE(*group_list, p, 0); MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
p += 2; p += 2;
MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )", MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
mbedtls_ssl_get_curve_name_from_tls_id(*group_list), mbedtls_ssl_named_group_to_str(*group_list),
*group_list)); *group_list));
} }
#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_ECDH) */
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \
defined(PSA_WANT_ALG_FFDH)
if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
mbedtls_ssl_tls13_named_group_is_dhe(*group_list))) {
MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
mbedtls_ssl_named_group_to_str(*group_list), *group_list));
MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
p += 2;
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_FFDH */
} }
/* Length of named_group_list */ /* Length of named_group_list */
@ -610,20 +618,30 @@ static int ssl_write_client_hello_body(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \ #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
if ( {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) int ssl_write_supported_groups_ext_flags = 0;
(propose_tls13 &&
mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) || #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
#endif if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) ssl_write_supported_groups_ext_flags |=
(propose_tls12 && tls12_uses_ec) || SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
#endif }
0) { #endif
ret = ssl_write_supported_groups_ext(ssl, p, end, &output_len); #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
if (ret != 0) { if (propose_tls12 && tls12_uses_ec) {
return ret; ssl_write_supported_groups_ext_flags |=
SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG;
}
#endif
if (ssl_write_supported_groups_ext_flags != 0) {
ret = ssl_write_supported_groups_ext(ssl, p, end,
ssl_write_supported_groups_ext_flags,
&output_len);
if (ret != 0) {
return ret;
}
p += output_len;
} }
p += output_len;
} }
#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC || #endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */