ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-05-11 01:11:42 +08:00
Code Issues Releases Wiki Activity

move ciphersuite validation to set_session

Browse Source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-09-30 09:22:21 +08:00
parent 25ab654781
commit 19ae6f62c7
4 changed files with 56 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
library/ssl_misc.h
View File

@ -1911,6 +1911,10 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
size_t *out_len ); size_t *out_len );
#endif /* MBEDTLS_ECDH_C */ #endif /* MBEDTLS_ECDH_C */
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
int ciphersuite,
psa_algorithm_t *psa_alg );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

9
library/ssl_tls.c
View File

@ -1373,6 +1373,15 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
if( ssl->handshake->resume == 1 ) if( ssl->handshake->resume == 1 )
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
if( session->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 &&
( ( ret = mbedtls_ssl_tls13_ciphersuite_to_alg(
ssl, session->ciphersuite, NULL ) ) != 0 ) )
{
return( ret );
}
#endif
if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate, if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
session ) ) != 0 ) session ) ) != 0 )
return( ret ); return( ret );

22
library/ssl_tls13_client.c
View File

@ -668,17 +668,19 @@ static int ssl_tls13_write_psk_key_exchange_modes_ext( mbedtls_ssl_context *ssl,
static psa_algorithm_t ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl, static psa_algorithm_t ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
int ciphersuite ) int ciphersuite )
{ {
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
if( mbedtls_ssl_validate_ciphersuite( psa_algorithm_t psa_alg;
ssl, ciphersuite_info, if( mbedtls_ssl_tls13_ciphersuite_to_alg(
MBEDTLS_SSL_VERSION_TLS1_3, ssl, ciphersuite, &psa_alg ) != 0 )
MBEDTLS_SSL_VERSION_TLS1_3 ) == 0 )
{ {
return( mbedtls_psa_translate_md( ciphersuite_info->mac ) ); /* ciphersuite is `ssl->session_negotiate->ciphersuite` or
} * PSA_ALG_SHA256, both are validated before writting pre_shared_key.
*/
MBEDTLS_SSL_DEBUG_MSG( 2, ( "should never happen" ) );
return( PSA_ALG_NONE ); return( PSA_ALG_NONE );
}
return( psa_alg );
} }
static int ssl_tls13_has_configured_psk( mbedtls_ssl_context *ssl ) static int ssl_tls13_has_configured_psk( mbedtls_ssl_context *ssl )
@ -695,9 +697,7 @@ static int ssl_tls13_has_configured_ticket( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_session *session = ssl->session_negotiate; mbedtls_ssl_session *session = ssl->session_negotiate;
return( session != NULL && return( session != NULL &&
session->ticket != NULL && session->ticket != NULL );
ssl_tls13_ciphersuite_to_alg( ssl,
ssl->session_negotiate->ciphersuite ) != PSA_ALG_NONE );
#else #else
((void) ssl); ((void) ssl);
return( 0 ); return( 0 );

32
library/ssl_tls13_generic.c
View File

@ -1485,4 +1485,36 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
} }
#endif /* MBEDTLS_ECDH_C */ #endif /* MBEDTLS_ECDH_C */
int mbedtls_ssl_tls13_ciphersuite_to_alg( mbedtls_ssl_context *ssl,
int ciphersuite,
psa_algorithm_t *psa_alg )
{
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
psa_algorithm_t alg;
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
if( psa_alg )
*psa_alg = PSA_ALG_NONE;
if( mbedtls_ssl_validate_ciphersuite(
ssl, ciphersuite_info,
MBEDTLS_SSL_VERSION_TLS1_3,
MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
}
alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
if( alg == PSA_ALG_NONE )
{
MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not valid.", ciphersuite ) );
return( MBEDTLS_ERR_SSL_INVALID_MAC );
}
if( psa_alg )
*psa_alg = alg;
return( 0 );
}
#endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */