From 60835a88c3249e266d0a1aac69a955f2a1ac26f4 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 4 Aug 2021 10:13:52 +0800 Subject: [PATCH] Add config check utils functions Check configuration parameter in structure setup function to make sure the config data is available and valid. Current implementation checks the version config. Available version configs are - tls1_3 only - tls1_2 only issues: #4844 Change-Id: Ia762bd3d817440ae130b45f19b80a2868afae924 Signed-off-by: Jerry Yu --- library/ssl_misc.h | 46 ++++++++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index cc19f4723..879e0e07b 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -1259,4 +1259,50 @@ void mbedtls_ssl_buffering_free( mbedtls_ssl_context *ssl ); void mbedtls_ssl_flight_free( mbedtls_ssl_flight_item *flight ); #endif /* MBEDTLS_SSL_PROTO_DTLS */ +/** + * ssl utils functions for checking configuration. + */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_tls13_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +static inline int mbedtls_ssl_conf_is_tls12_only( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) +static inline int mbedtls_ssl_conf_is_hybrid_tls12_tls13( const mbedtls_ssl_config *conf ) +{ + if( conf->min_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->max_major_ver == MBEDTLS_SSL_MAJOR_VERSION_3 && + conf->min_minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && + conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_4 ) + { + return( 1 ); + } + return( 0 ); +} +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL*/ + #endif /* ssl_misc.h */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bb5ddc470..911a80c64 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -3142,6 +3142,53 @@ void mbedtls_ssl_init( mbedtls_ssl_context *ssl ) memset( ssl, 0, sizeof( mbedtls_ssl_context ) ); } +static int ssl_conf_version_check( const mbedtls_ssl_context *ssl ) +{ +#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_tls13_only( ssl->conf ) ) + { + if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "DTLS 1.3 is not yet supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls13 only." ) ); + return( 0 ); + } +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if( mbedtls_ssl_conf_is_tls12_only( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "The SSL configuration is tls12 only." ) ); + return( 0 ); + } +#endif + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL) + if( mbedtls_ssl_conf_is_hybrid_tls12_tls13( ssl->conf ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Hybrid TLS 1.2 + TLS 1.3 configurations are not yet supported" ) ); + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } +#endif + + MBEDTLS_SSL_DEBUG_MSG( 1, ( "The SSL configuration is invalid." ) ); + return( MBEDTLS_ERR_SSL_BAD_CONFIG ); +} + +static int ssl_conf_check(const mbedtls_ssl_context *ssl) +{ + int ret; + ret = ssl_conf_version_check( ssl ); + if( ret != 0 ) + return( ret ); + + /* Space for further checks */ + + return( 0 ); +} + /* * Setup an SSL context */ @@ -3155,6 +3202,9 @@ int mbedtls_ssl_setup( mbedtls_ssl_context *ssl, ssl->conf = conf; + if( ( ret = ssl_conf_check( ssl ) ) != 0 ) + return( ret ); + /* * Prepare base structures */