Small internal changes in curve checking
- switch from is_acceptable to the more usual check - add NULL check just in case user screwed up config
This commit is contained in:
parent
a83e4e2bf5
commit
9d412d872c
3 changed files with 10 additions and 7 deletions
|
@ -376,7 +376,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
|
||||||
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
|
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECP_C)
|
||||||
int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
|
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
|
|
|
@ -1684,7 +1684,7 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECP_C)
|
||||||
if( ! mbedtls_ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
|
if( mbedtls_ssl_check_curve( ssl, ssl->handshake->ecdh_ctx.grp.id ) != 0 )
|
||||||
#else
|
#else
|
||||||
if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
|
if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||
|
||||||
ssl->handshake->ecdh_ctx.grp.nbits > 521 )
|
ssl->handshake->ecdh_ctx.grp.nbits > 521 )
|
||||||
|
|
|
@ -4087,7 +4087,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
/* If certificate uses an EC key, make sure the curve is OK */
|
/* If certificate uses an EC key, make sure the curve is OK */
|
||||||
if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
|
if( mbedtls_pk_can_do( pk, MBEDTLS_PK_ECKEY ) &&
|
||||||
! mbedtls_ssl_curve_is_acceptable( ssl, mbedtls_pk_ec( *pk )->grp.id ) )
|
mbedtls_ssl_check_curve( ssl, mbedtls_pk_ec( *pk )->grp.id ) != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad certificate (EC key curve)" ) );
|
||||||
if( ret == 0 )
|
if( ret == 0 )
|
||||||
|
@ -6807,17 +6807,20 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
|
||||||
#if defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECP_C)
|
||||||
/*
|
/*
|
||||||
* Check is a curve proposed by the peer is in our list.
|
* Check is a curve proposed by the peer is in our list.
|
||||||
* Return 1 if we're willing to use it, 0 otherwise.
|
* Return 0 if we're willing to use it, -1 otherwise.
|
||||||
*/
|
*/
|
||||||
int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
|
int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id )
|
||||||
{
|
{
|
||||||
const mbedtls_ecp_group_id *gid;
|
const mbedtls_ecp_group_id *gid;
|
||||||
|
|
||||||
|
if( ssl->conf->curve_list == NULL )
|
||||||
|
return( -1 );
|
||||||
|
|
||||||
for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
|
for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ )
|
||||||
if( *gid == grp_id )
|
if( *gid == grp_id )
|
||||||
return( 1 );
|
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
|
||||||
|
return( -1 );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_ECP_C */
|
#endif /* MBEDTLS_ECP_C */
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue