Merge pull request #7921 from valeriosetti/issue7613
TLS: Clean up ECDSA dependencies
This commit is contained in:
Gilles Peskine
GitHub
commit
eda1b1f744
9 changed files with 142 additions and 61 deletions
|
|
@ -292,21 +292,49 @@ typedef enum {
|
||||||
#define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
|
#define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Key exchanges in either TLS 1.2 or 1.3 which are using an ECDSA
|
||||||
|
* signature */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \
|
||||||
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||||
#define MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED
|
#define MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Key exchanges allowing client certificate requests */
|
/* Key exchanges allowing client certificate requests.
|
||||||
|
*
|
||||||
|
* Note: that's almost the same as MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED
|
||||||
|
* above, except RSA-PSK uses a server certificate but no client cert.
|
||||||
|
*
|
||||||
|
* Note: this difference is specific to TLS 1.2, as with TLS 1.3, things are
|
||||||
|
* more symmetrical: client certs and server certs are either both allowed
|
||||||
|
* (Ephemeral mode) or both disallowed (PSK and PKS-Ephemeral modes).
|
||||||
|
*/
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED)
|
||||||
#define MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED
|
#define MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Helper to state that certificate-based client authentication through ECDSA
|
||||||
|
* is supported in TLS 1.2 */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED) && \
|
||||||
|
defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && defined(MBEDTLS_PK_CAN_ECDSA_VERIFY)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* ECDSA required for certificates in either TLS 1.2 or 1.3 */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
|
defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||||
|
#define MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Key exchanges involving server signature in ServerKeyExchange */
|
/* Key exchanges involving server signature in ServerKeyExchange */
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
|
|
||||||
|
|
@ -2022,7 +2022,7 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg(const mbedtls_ssl_ciphersu
|
||||||
#endif /* MBEDTLS_PK_C */
|
#endif /* MBEDTLS_PK_C */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info)
|
int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info)
|
||||||
{
|
{
|
||||||
|
|
@ -2040,7 +2040,8 @@ int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
||||||
* MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
|
* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
|
* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
|
||||||
int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
|
int mbedtls_ssl_ciphersuite_uses_psk(const mbedtls_ssl_ciphersuite_t *info)
|
||||||
|
|
|
||||||
|
|
@ -375,7 +375,7 @@ static int ssl_write_client_hello_cipher_suites(
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
(defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
(defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED))
|
||||||
*tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
|
*tls12_uses_ec |= mbedtls_ssl_ciphersuite_uses_ec(ciphersuite_info);
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -783,7 +783,7 @@ struct mbedtls_ssl_handshake_params {
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
|
||||||
defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
|
uint16_t *curves_tls_id; /*!< List of TLS IDs of supported elliptic curves */
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -2313,7 +2313,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
|
||||||
const uint16_t sig_alg)
|
const uint16_t sig_alg)
|
||||||
{
|
{
|
||||||
switch (sig_alg) {
|
switch (sig_alg) {
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
|
||||||
#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
#if defined(PSA_WANT_ALG_SHA_256) && defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||||
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
|
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256:
|
||||||
break;
|
break;
|
||||||
|
|
@ -2326,7 +2326,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
|
||||||
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
|
case MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512:
|
||||||
break;
|
break;
|
||||||
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
||||||
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
|
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_PKCS1_V21)
|
#if defined(MBEDTLS_PKCS1_V21)
|
||||||
#if defined(PSA_WANT_ALG_SHA_256)
|
#if defined(PSA_WANT_ALG_SHA_256)
|
||||||
|
|
@ -2482,7 +2482,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
case MBEDTLS_SSL_SIG_ECDSA:
|
case MBEDTLS_SSL_SIG_ECDSA:
|
||||||
break;
|
break;
|
||||||
#endif
|
#endif
|
||||||
|
|
|
||||||
|
|
@ -1207,7 +1207,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
|
||||||
if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
|
if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
sig_algs_len += sizeof(uint16_t);
|
sig_algs_len += sizeof(uint16_t);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
@ -1235,7 +1235,7 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl)
|
||||||
if (hash == MBEDTLS_SSL_HASH_NONE) {
|
if (hash == MBEDTLS_SSL_HASH_NONE) {
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
*p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
|
*p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA);
|
||||||
p++;
|
p++;
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -4156,7 +4156,7 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) || \
|
||||||
defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
|
defined(MBEDTLS_KEY_EXCHANGE_WITH_ECDSA_ANY_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
/* explicit void pointer cast for buggy MS compiler */
|
/* explicit void pointer cast for buggy MS compiler */
|
||||||
mbedtls_free((void *) handshake->curves_tls_id);
|
mbedtls_free((void *) handshake->curves_tls_id);
|
||||||
|
|
@ -4973,26 +4973,26 @@ static const int ssl_preset_suiteb_ciphersuites[] = {
|
||||||
*/
|
*/
|
||||||
static uint16_t ssl_preset_default_sig_algs[] = {
|
static uint16_t ssl_preset_default_sig_algs[] = {
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
|
||||||
defined(MBEDTLS_MD_CAN_SHA256) && \
|
defined(MBEDTLS_MD_CAN_SHA256) && \
|
||||||
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||||
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
|
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
|
||||||
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_MD_CAN_SHA256 &&
|
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
|
||||||
MBEDTLS_ECP_DP_SECP256R1_ENABLED */
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
|
||||||
defined(MBEDTLS_MD_CAN_SHA384) && \
|
defined(MBEDTLS_MD_CAN_SHA384) && \
|
||||||
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||||
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
|
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
|
||||||
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_MD_CAN_SHA384&&
|
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
|
||||||
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
|
||||||
defined(MBEDTLS_MD_CAN_SHA512) && \
|
defined(MBEDTLS_MD_CAN_SHA512) && \
|
||||||
defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
|
||||||
MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
|
MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512,
|
||||||
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME && MBEDTLS_MD_CAN_SHA384&&
|
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512)
|
||||||
MBEDTLS_ECP_DP_SECP521R1_ENABLED */
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
||||||
defined(MBEDTLS_MD_CAN_SHA512)
|
defined(MBEDTLS_MD_CAN_SHA512)
|
||||||
|
|
@ -5031,7 +5031,7 @@ static uint16_t ssl_preset_default_sig_algs[] = {
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
|
static uint16_t ssl_tls12_preset_default_sig_algs[] = {
|
||||||
#if defined(MBEDTLS_MD_CAN_SHA512)
|
#if defined(MBEDTLS_MD_CAN_SHA512)
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
|
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA512),
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||||
|
|
@ -5042,7 +5042,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
|
||||||
#endif
|
#endif
|
||||||
#endif /* MBEDTLS_MD_CAN_SHA512*/
|
#endif /* MBEDTLS_MD_CAN_SHA512*/
|
||||||
#if defined(MBEDTLS_MD_CAN_SHA384)
|
#if defined(MBEDTLS_MD_CAN_SHA384)
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
|
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||||
|
|
@ -5053,7 +5053,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
|
||||||
#endif
|
#endif
|
||||||
#endif /* MBEDTLS_MD_CAN_SHA384*/
|
#endif /* MBEDTLS_MD_CAN_SHA384*/
|
||||||
#if defined(MBEDTLS_MD_CAN_SHA256)
|
#if defined(MBEDTLS_MD_CAN_SHA256)
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
|
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
|
||||||
|
|
@ -5069,17 +5069,19 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
|
||||||
/* NOTICE: see above */
|
/* NOTICE: see above */
|
||||||
static uint16_t ssl_preset_suiteb_sig_algs[] = {
|
static uint16_t ssl_preset_suiteb_sig_algs[] = {
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_MD_CAN_SHA256) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
|
||||||
|
defined(MBEDTLS_MD_CAN_SHA256) && \
|
||||||
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
|
||||||
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
|
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
|
||||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_MD_CAN_SHA256&&
|
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
|
||||||
MBEDTLS_ECP_DP_SECP256R1_ENABLED */
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_MD_CAN_SHA384) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
|
||||||
|
defined(MBEDTLS_MD_CAN_SHA384) && \
|
||||||
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
|
||||||
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
|
MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384,
|
||||||
#endif /* MBEDTLS_ECDSA_C && MBEDTLS_MD_CAN_SHA384&&
|
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384)
|
||||||
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && \
|
||||||
defined(MBEDTLS_MD_CAN_SHA256)
|
defined(MBEDTLS_MD_CAN_SHA256)
|
||||||
|
|
@ -5098,7 +5100,7 @@ static uint16_t ssl_preset_suiteb_sig_algs[] = {
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
|
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
|
||||||
#if defined(MBEDTLS_MD_CAN_SHA256)
|
#if defined(MBEDTLS_MD_CAN_SHA256)
|
||||||
#if defined(MBEDTLS_ECDSA_C)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
|
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_RSA_C)
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
|
@ -5106,7 +5108,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
|
||||||
#endif
|
#endif
|
||||||
#endif /* MBEDTLS_MD_CAN_SHA256*/
|
#endif /* MBEDTLS_MD_CAN_SHA256*/
|
||||||
#if defined(MBEDTLS_MD_CAN_SHA384)
|
#if defined(MBEDTLS_MD_CAN_SHA384)
|
||||||
#if defined(MBEDTLS_ECDSA_C)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
|
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA384),
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_RSA_C)
|
#if defined(MBEDTLS_RSA_C)
|
||||||
|
|
@ -5395,7 +5397,7 @@ void mbedtls_ssl_config_free(mbedtls_ssl_config *conf)
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_C) && \
|
#if defined(MBEDTLS_PK_C) && \
|
||||||
(defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PK_CAN_ECDSA_SOME))
|
(defined(MBEDTLS_RSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED))
|
||||||
/*
|
/*
|
||||||
* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
|
* Convert between MBEDTLS_PK_XXX and SSL_SIG_XXX
|
||||||
*/
|
*/
|
||||||
|
|
@ -5406,7 +5408,7 @@ unsigned char mbedtls_ssl_sig_from_pk(mbedtls_pk_context *pk)
|
||||||
return MBEDTLS_SSL_SIG_RSA;
|
return MBEDTLS_SSL_SIG_RSA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
|
||||||
if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
|
if (mbedtls_pk_can_do(pk, MBEDTLS_PK_ECDSA)) {
|
||||||
return MBEDTLS_SSL_SIG_ECDSA;
|
return MBEDTLS_SSL_SIG_ECDSA;
|
||||||
}
|
}
|
||||||
|
|
@ -5434,7 +5436,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
|
||||||
case MBEDTLS_SSL_SIG_RSA:
|
case MBEDTLS_SSL_SIG_RSA:
|
||||||
return MBEDTLS_PK_RSA;
|
return MBEDTLS_PK_RSA;
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED)
|
||||||
case MBEDTLS_SSL_SIG_ECDSA:
|
case MBEDTLS_SSL_SIG_ECDSA:
|
||||||
return MBEDTLS_PK_ECDSA;
|
return MBEDTLS_PK_ECDSA;
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -5442,7 +5444,8 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
|
||||||
return MBEDTLS_PK_NONE;
|
return MBEDTLS_PK_NONE;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_PK_C && ( MBEDTLS_RSA_C || MBEDTLS_PK_CAN_ECDSA_SOME ) */
|
#endif /* MBEDTLS_PK_C &&
|
||||||
|
( MBEDTLS_RSA_C || MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED ) */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
|
* Convert from MBEDTLS_SSL_HASH_XXX to MBEDTLS_MD_XXX
|
||||||
|
|
|
||||||
|
|
@ -100,7 +100,7 @@ static int ssl_write_renegotiation_ext(mbedtls_ssl_context *ssl,
|
||||||
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
|
|
@ -132,7 +132,8 @@ static int ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
||||||
MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
|
|
@ -549,7 +550,7 @@ int mbedtls_ssl_tls12_write_client_hello_exts(mbedtls_ssl_context *ssl,
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
if (uses_ec) {
|
if (uses_ec) {
|
||||||
if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
|
if ((ret = ssl_write_supported_point_formats_ext(ssl, p, end,
|
||||||
|
|
@ -818,7 +819,7 @@ static int ssl_parse_session_ticket_ext(mbedtls_ssl_context *ssl,
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
||||||
|
|
@ -863,7 +864,8 @@ static int ssl_parse_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
||||||
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
||||||
MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
|
|
@ -1548,7 +1550,8 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
|
||||||
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
|
case MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS:
|
||||||
MBEDTLS_SSL_DEBUG_MSG(3,
|
MBEDTLS_SSL_DEBUG_MSG(3,
|
||||||
("found supported_point_formats extension"));
|
("found supported_point_formats extension"));
|
||||||
|
|
@ -1559,7 +1562,8 @@ static int ssl_parse_server_hello(mbedtls_ssl_context *ssl)
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || MBEDTLS_ECDSA_C ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
|
|
||||||
|
|
@ -149,7 +149,7 @@ static int ssl_parse_renegotiation_info(mbedtls_ssl_context *ssl,
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
/*
|
/*
|
||||||
* Function for parsing a supported groups (TLS 1.3) or supported elliptic
|
* Function for parsing a supported groups (TLS 1.3) or supported elliptic
|
||||||
|
|
@ -294,7 +294,8 @@ static int ssl_parse_supported_point_formats(mbedtls_ssl_context *ssl,
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
||||||
MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
|
|
@ -669,7 +670,7 @@ static int ssl_parse_use_srtp_ext(mbedtls_ssl_context *ssl,
|
||||||
/*
|
/*
|
||||||
* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
|
* Return 0 if the given key uses one of the acceptable curves, -1 otherwise
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_CHECK_RETURN_CRITICAL
|
MBEDTLS_CHECK_RETURN_CRITICAL
|
||||||
static int ssl_check_key_curve(mbedtls_pk_context *pk,
|
static int ssl_check_key_curve(mbedtls_pk_context *pk,
|
||||||
uint16_t *curves_tls_id)
|
uint16_t *curves_tls_id)
|
||||||
|
|
@ -688,7 +689,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
|
||||||
|
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
|
#endif /* MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Try picking a certificate for this ciphersuite,
|
* Try picking a certificate for this ciphersuite,
|
||||||
|
|
@ -773,7 +774,7 @@ static int ssl_pick_cert(mbedtls_ssl_context *ssl,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
if (pk_alg == MBEDTLS_PK_ECDSA &&
|
if (pk_alg == MBEDTLS_PK_ECDSA &&
|
||||||
ssl_check_key_curve(&cur->cert->pk,
|
ssl_check_key_curve(&cur->cert->pk,
|
||||||
ssl->handshake->curves_tls_id) != 0) {
|
ssl->handshake->curves_tls_id) != 0) {
|
||||||
|
|
@ -838,7 +839,7 @@ static int ssl_ciphersuite_match(mbedtls_ssl_context *ssl, int suite_id,
|
||||||
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
|
if (mbedtls_ssl_ciphersuite_uses_ec(suite_info) &&
|
||||||
(ssl->handshake->curves_tls_id == NULL ||
|
(ssl->handshake->curves_tls_id == NULL ||
|
||||||
ssl->handshake->curves_tls_id[0] == 0)) {
|
ssl->handshake->curves_tls_id[0] == 0)) {
|
||||||
|
|
@ -1383,7 +1384,7 @@ read_record_header:
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_PK_CAN_ECDSA_SOME) || \
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
|
case MBEDTLS_TLS_EXT_SUPPORTED_GROUPS:
|
||||||
MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
|
MBEDTLS_SSL_DEBUG_MSG(3, ("found supported elliptic curves extension"));
|
||||||
|
|
@ -1404,7 +1405,8 @@ read_record_header:
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || \
|
||||||
MBEDTLS_PK_CAN_ECDSA_SOME || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
|
case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
|
||||||
|
|
@ -1513,7 +1515,7 @@ read_record_header:
|
||||||
if (!sig_hash_alg_ext_present) {
|
if (!sig_hash_alg_ext_present) {
|
||||||
uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
|
uint16_t *received_sig_algs = ssl->handshake->received_sig_algs;
|
||||||
const uint16_t default_sig_algs[] = {
|
const uint16_t default_sig_algs[] = {
|
||||||
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
|
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA,
|
||||||
MBEDTLS_SSL_HASH_SHA1),
|
MBEDTLS_SSL_HASH_SHA1),
|
||||||
#endif
|
#endif
|
||||||
|
|
@ -1898,7 +1900,8 @@ static void ssl_write_max_fragment_length_ext(mbedtls_ssl_context *ssl,
|
||||||
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
||||||
unsigned char *buf,
|
unsigned char *buf,
|
||||||
size_t *olen)
|
size_t *olen)
|
||||||
|
|
@ -1925,7 +1928,8 @@ static void ssl_write_supported_point_formats_ext(mbedtls_ssl_context *ssl,
|
||||||
|
|
||||||
*olen = 6;
|
*olen = 6;
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED || MBEDTLS_ECDSA_C ||
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED ||
|
||||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
|
|
@ -2356,7 +2360,8 @@ static int ssl_write_server_hello(mbedtls_ssl_context *ssl)
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED) || \
|
||||||
defined(MBEDTLS_ECDSA_C) || defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||||
const mbedtls_ssl_ciphersuite_t *suite =
|
const mbedtls_ssl_ciphersuite_t *suite =
|
||||||
mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
|
mbedtls_ssl_ciphersuite_from_id(ssl->session_negotiate->ciphersuite);
|
||||||
if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
|
if (suite != NULL && mbedtls_ssl_ciphersuite_uses_ec(suite)) {
|
||||||
|
|
@ -2479,7 +2484,7 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl)
|
||||||
#if defined(MBEDTLS_RSA_C)
|
#if defined(MBEDTLS_RSA_C)
|
||||||
p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
|
p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_RSA_SIGN;
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_ECDSA_C)
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
|
||||||
p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
|
p[1 + ct_len++] = MBEDTLS_SSL_CERT_TYPE_ECDSA_SIGN;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2989,6 +2989,41 @@ component_test_psa_crypto_config_accel_all_curves_except_x25519 () {
|
||||||
psa_crypto_config_accel_all_curves_except_one MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
psa_crypto_config_accel_all_curves_except_one MBEDTLS_ECP_DP_CURVE25519_ENABLED
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Common helper for component_full_without_ecdhe_ecdsa() and
|
||||||
|
# component_full_without_ecdhe_ecdsa_and_tls13() which:
|
||||||
|
# - starts from the "full" configuration minus the list of symbols passed in
|
||||||
|
# as 1st parameter
|
||||||
|
# - build
|
||||||
|
# - test only TLS (i.e. test_suite_tls and ssl-opt)
|
||||||
|
build_full_minus_something_and_test_tls () {
|
||||||
|
SYMBOLS_TO_DISABLE="$1"
|
||||||
|
|
||||||
|
msg "build: full minus something, test TLS"
|
||||||
|
|
||||||
|
scripts/config.py full
|
||||||
|
for SYM in $SYMBOLS_TO_DISABLE; do
|
||||||
|
echo "Disabling $SYM"
|
||||||
|
scripts/config.py unset $SYM
|
||||||
|
done
|
||||||
|
|
||||||
|
make
|
||||||
|
|
||||||
|
msg "test: full minus something, test TLS"
|
||||||
|
( cd tests; ./test_suite_ssl )
|
||||||
|
|
||||||
|
msg "ssl-opt: full minus something, test TLS"
|
||||||
|
tests/ssl-opt.sh
|
||||||
|
}
|
||||||
|
|
||||||
|
component_full_without_ecdhe_ecdsa () {
|
||||||
|
build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
|
||||||
|
}
|
||||||
|
|
||||||
|
component_full_without_ecdhe_ecdsa_and_tls13 () {
|
||||||
|
build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
|
||||||
|
MBEDTLS_SSL_PROTO_TLS1_3"
|
||||||
|
}
|
||||||
|
|
||||||
# This is an helper used by:
|
# This is an helper used by:
|
||||||
# - component_test_psa_ecc_key_pair_no_derive
|
# - component_test_psa_ecc_key_pair_no_derive
|
||||||
# - component_test_psa_ecc_key_pair_no_generate
|
# - component_test_psa_ecc_key_pair_no_generate
|
||||||
|
|
|
||||||
|
|
@ -1635,13 +1635,18 @@ run_test() {
|
||||||
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# If the client or server requires certain features that can be detected
|
|
||||||
# from their command-line arguments, check that they're enabled.
|
|
||||||
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
|
|
||||||
|
|
||||||
# Check if we are trying to use an external tool wich does not support ECDH
|
# Check if we are trying to use an external tool wich does not support ECDH
|
||||||
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
|
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
|
||||||
|
|
||||||
|
# Guess the TLS version which is going to be used
|
||||||
|
if [ "$EXT_WO_ECDH" = "no" ]; then
|
||||||
|
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
|
||||||
|
else
|
||||||
|
TLS_VERSION="TLS12"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If the client or server requires certain features that can be detected
|
||||||
|
# from their command-line arguments, check whether they're enabled.
|
||||||
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
|
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
|
||||||
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
|
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue