SSL: Make use of the new ECDH interface
The SSL module accesses ECDH context members directly. This can't work with the new context, where we can't make any assumption about the implementation of the context. This commit makes use of the new functions to avoid accessing ECDH members directly. The only members that are still accessed directly are the group ID and the point format and they are independent from the implementation.
This commit is contained in:
parent
948f4bedcc
commit
3fbdadad7b
3 changed files with 28 additions and 13 deletions
|
@ -2027,8 +2027,14 @@ static int ssl_parse_server_dh_params( mbedtls_ssl_context *ssl, unsigned char *
|
||||||
static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
|
static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
const mbedtls_ecp_curve_info *curve_info;
|
const mbedtls_ecp_curve_info *curve_info;
|
||||||
|
mbedtls_ecp_group_id grp_id;
|
||||||
|
#if defined(MBEDTLS_ECDH_LEGACY_CONTEXT)
|
||||||
|
grp_id = ssl->handshake->ecdh_ctx.grp.id;
|
||||||
|
#else
|
||||||
|
grp_id = ssl->handshake->ecdh_ctx.grp_id;
|
||||||
|
#endif
|
||||||
|
|
||||||
curve_info = mbedtls_ecp_curve_info_from_grp_id( ssl->handshake->ecdh_ctx.grp.id );
|
curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id );
|
||||||
if( curve_info == NULL )
|
if( curve_info == NULL )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||||
|
@ -2038,14 +2044,15 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECP_C)
|
||||||
if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
|
if( mbedtls_ssl_check_curve( ssl, grp_id ) != 0 )
|
||||||
#else
|
#else
|
||||||
if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
|
if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
|
||||||
ssl->handshake->ecdh_ctx.grp.nbits > 521 )
|
ssl->handshake->ecdh_ctx.grp.nbits > 521 )
|
||||||
#endif
|
#endif
|
||||||
return( -1 );
|
return( -1 );
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp", &ssl->handshake->ecdh_ctx.Qp );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_QP );
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
@ -2967,7 +2974,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Q );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
if( ssl->handshake->ecrs_enabled )
|
if( ssl->handshake->ecrs_enabled )
|
||||||
|
@ -2994,7 +3002,8 @@ ecdh_calc_secret:
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Z );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
@ -3089,7 +3098,8 @@ ecdh_calc_secret:
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q", &ssl->handshake->ecdh_ctx.Q );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Q );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||||
|
|
|
@ -3048,7 +3048,7 @@ curve_matching_done:
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDHE curve: %s", (*curve)->name ) );
|
||||||
|
|
||||||
if( ( ret = mbedtls_ecp_group_load( &ssl->handshake->ecdh_ctx.grp,
|
if( ( ret = mbedtls_ecdh_setup( &ssl->handshake->ecdh_ctx,
|
||||||
(*curve)->grp_id ) ) != 0 )
|
(*curve)->grp_id ) ) != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecp_group_load", ret );
|
||||||
|
@ -3071,7 +3071,8 @@ curve_matching_done:
|
||||||
|
|
||||||
ssl->out_msglen += len;
|
ssl->out_msglen += len;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Q ", &ssl->handshake->ecdh_ctx.Q );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Q );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
|
||||||
|
|
||||||
|
@ -3794,7 +3795,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_QP );
|
||||||
|
|
||||||
if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
|
if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx,
|
||||||
&ssl->handshake->pmslen,
|
&ssl->handshake->pmslen,
|
||||||
|
@ -3806,7 +3808,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_CS );
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z ", &ssl->handshake->ecdh_ctx.z );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Z );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
@ -3919,7 +3922,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE_RP );
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_ECP( 3, "ECDH: Qp ", &ssl->handshake->ecdh_ctx.Qp );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_QP );
|
||||||
|
|
||||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||||
ciphersuite_info->key_exchange ) ) != 0 )
|
ciphersuite_info->key_exchange ) ) != 0 )
|
||||||
|
|
|
@ -1333,7 +1333,8 @@ int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exch
|
||||||
*(p++) = (unsigned char)( zlen );
|
*(p++) = (unsigned char)( zlen );
|
||||||
p += zlen;
|
p += zlen;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
|
MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx,
|
||||||
|
MBEDTLS_DEBUG_ECDH_Z );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||||
|
|
Loading…
Reference in a new issue