ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-05-10 17:01:41 +08:00
Code Issues Releases Wiki Activity

Update parse_key_share in server side and version config

Browse Source 
Change-Id: Ic91c061027d0ee4dca2055df21809cbb4388f3ef
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-04-21 09:24:56 +00:00
parent 0a1b54ed73
commit 060d867598
2 changed files with 40 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
library/ssl_tls.c
View File

@ -4210,34 +4210,37 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL; conf->tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
if( ( endpoint == MBEDTLS_SSL_IS_SERVER ) ||
( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) #elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ||
endpoint == MBEDTLS_SSL_IS_SERVER )
{
/* DTLS 1.3 not supported yet
* server side hybrid mode not support yet
*/
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
} }
else else
{ {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
} }
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
}
else
{
/* DTLS 1.3 not supported yet */
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
}
#endif
/* /*
* Preset-specific defaults * Preset-specific defaults
@ -7791,7 +7794,7 @@ int mbedtls_ssl_validate_ciphersuite(
return( -1 ); return( -1 );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )

36
library/ssl_tls13_server.c
View File

@ -215,19 +215,19 @@ static int ssl_tls13_parse_key_shares_ext( mbedtls_ssl_context *ssl,
if( match_found == 1 ) if( match_found == 1 )
continue; continue;
if( ! mbedtls_ssl_named_group_is_offered( ssl, group ) ||
! mbedtls_ssl_named_group_is_supported( group ) )
{
continue;
}
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_tls_id( group );
/* /*
* For now, we only support ECDHE groups. * For now, we only support ECDHE groups.
*/ */
if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) ) if( mbedtls_ssl_tls13_named_group_is_ecdhe( group ) )
{ {
const mbedtls_ecp_curve_info *curve_info =
mbedtls_ecp_curve_info_from_tls_id( group );
if( curve_info == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid TLS curve group id" ) );
continue;
}
match_found = 1; match_found = 1;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
ret = mbedtls_ssl_tls13_read_public_ecdhe_share( ret = mbedtls_ssl_tls13_read_public_ecdhe_share(
@ -377,8 +377,9 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *p = buf; const unsigned char *p = buf;
size_t legacy_session_id_len; size_t legacy_session_id_len;
const unsigned char *cipher_suites_start; const unsigned char *cipher_suites;
size_t cipher_suites_len; size_t cipher_suites_len;
const unsigned char *cipher_suites_end;
size_t extensions_len; size_t extensions_len;
const unsigned char *extensions_end; const unsigned char *extensions_end;
@ -479,7 +480,8 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
* with CipherSuite defined as: * with CipherSuite defined as:
* uint8 CipherSuite[2]; * uint8 CipherSuite[2];
*/ */
cipher_suites_start = p; cipher_suites = p;
cipher_suites_end = p + cipher_suites_len;
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist", MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, ciphersuitelist",
p, cipher_suites_len ); p, cipher_suites_len );
/* /*
@ -487,8 +489,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
*/ */
int ciphersuite_match = 0; int ciphersuite_match = 0;
ciphersuite_info = NULL; ciphersuite_info = NULL;
for ( size_t j = 0; j < cipher_suites_len; for ( ; p < cipher_suites_end; p += 2 )
j += 2, p += 2 )
{ {
uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 ); uint16_t cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
@ -520,7 +521,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
ciphersuite_info->name ) ); ciphersuite_info->name ) );
p = cipher_suites_start + cipher_suites_len; p = cipher_suites + cipher_suites_len;
/* ... /* ...
* opaque legacy_compression_methods<1..2^8-1>; * opaque legacy_compression_methods<1..2^8-1>;
* ... * ...
@ -730,7 +731,7 @@ cleanup:
} }
/* /*
* TLS and DTLS 1.3 State Maschine -- server side * TLS 1.3 State Maschine -- server side
*/ */
int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl ) int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
{ {
@ -760,14 +761,9 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
break; break;
case MBEDTLS_SSL_SERVER_HELLO:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "SSL - The requested feature is not available" ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
break;
default: default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
} }
return( ret ); return( ret );