Refine code base on review

Remove useless hrr code
Share validate_cipher_suit between client and server
Fix test failure when tls13 only in server side

Change-Id: I5d6a7932bd8448ebf542bc86cdcab8862bc28e9b
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-04-20 11:05:24 +00:00
parent 318dc763a6
commit 75d40ef8cb
6 changed files with 63 additions and 63 deletions

View file

@ -4936,6 +4936,22 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen );
/**
* \brief Validate cipher suite against config in SSL context.
*
* \param ssl SSL context
* \param suite_info Cipher suite to validate
* \param min_tls_version Minimal TLS version to accept a cipher suite
* \param max_tls_version Maximal TLS version to accept a cipher suite
*
* \return 0 if valid, negative value otherwise.
*/
int mbedtls_ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info,
mbedtls_ssl_protocol_version min_tls_version,
mbedtls_ssl_protocol_version max_tls_version );
#ifdef __cplusplus
}
#endif

View file

@ -413,45 +413,6 @@ static int ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
int mbedtls_ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info,
mbedtls_ssl_protocol_version min_tls_version,
mbedtls_ssl_protocol_version max_tls_version )
{
(void) ssl;
if( suite_info == NULL )
return( -1 );
if( ( suite_info->min_tls_version > max_tls_version ) ||
( suite_info->max_tls_version < min_tls_version ) )
{
return( -1 );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
{
return( -1 );
}
#endif
/* Don't suggest PSK-based ciphersuite if no PSK is available. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
{
return( -1 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
return( 0 );
}
static int ssl_write_client_hello_cipher_suites(
mbedtls_ssl_context *ssl,
unsigned char *buf,

View file

@ -28,22 +28,6 @@
#include <stddef.h>
/**
* \brief Validate cipher suite against config in SSL context.
*
* \param ssl SSL context
* \param suite_info Cipher suite to validate
* \param min_tls_version Minimal TLS version to accept a cipher suite
* \param max_tls_version Maximal TLS version to accept a cipher suite
*
* \return 0 if valid, negative value otherwise.
*/
int mbedtls_ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info,
mbedtls_ssl_protocol_version min_tls_version,
mbedtls_ssl_protocol_version max_tls_version );
int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_CLIENT_H */

View file

@ -589,6 +589,8 @@ struct mbedtls_ssl_handshake_params
#if defined(MBEDTLS_SSL_SRV_C)
/** selected_group of key_share extension in HelloRetryRequest message. */
uint16_t hrr_selected_group;
/** selected_group of key_share extension in ClientHello message. */
uint16_t selected_group;
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \

View file

@ -4216,6 +4216,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
@ -7771,4 +7774,43 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session,
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
int mbedtls_ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info,
mbedtls_ssl_protocol_version min_tls_version,
mbedtls_ssl_protocol_version max_tls_version )
{
(void) ssl;
if( suite_info == NULL )
return( -1 );
if( ( suite_info->min_tls_version > max_tls_version ) ||
( suite_info->max_tls_version < min_tls_version ) )
{
return( -1 );
}
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
{
return( -1 );
}
#endif
/* Don't suggest PSK-based ciphersuite if no PSK is available. */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
{
return( -1 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
return( 0 );
}
#endif /* MBEDTLS_SSL_TLS_C */

View file

@ -24,7 +24,6 @@
#include "mbedtls/debug.h"
#include "ssl_misc.h"
#include "ssl_client.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
#include <string.h>
@ -116,7 +115,7 @@ static int ssl_tls13_parse_supported_groups_ext(
p += 2;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
named_group_list_end = p + named_group_list_len;
ssl->handshake->hrr_selected_group = 0;
ssl->handshake->selected_group = 0;
while( p < named_group_list_end )
{
@ -129,7 +128,7 @@ static int ssl_tls13_parse_supported_groups_ext(
if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
! mbedtls_ssl_named_group_is_supported( named_group ) ||
ssl->handshake->hrr_selected_group != 0 )
ssl->handshake->selected_group != 0 )
{
continue;
}
@ -137,7 +136,7 @@ static int ssl_tls13_parse_supported_groups_ext(
MBEDTLS_SSL_DEBUG_MSG(
2, ( "add named group (%04x) into received list.",
named_group ) );
ssl->handshake->hrr_selected_group = named_group;
ssl->handshake->selected_group = named_group;
}
return( 0 );
@ -384,7 +383,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
const unsigned char *extensions_end;
const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
int hrr_required = 0;
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
@ -682,9 +680,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
if( hrr_required == 1 )
return( SSL_CLIENT_HELLO_HRR_REQUIRED );
return( 0 );
}