Improve documentation
parent
118848fd77
commit
032aec0523
@ -2681,16 +2681,24 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
||||||
unsigned char *p = ssl->out_msg + 4;
|
unsigned char *p = ssl->out_msg + 4;
|
||||||
|
size_t len;
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||||
unsigned char *dig_signed = p;
|
unsigned char *dig_signed = p;
|
||||||
size_t dig_signed_len = 0, len;
|
size_t dig_signed_len = 0;
|
||||||
((void) dig_signed);
|
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
||||||
((void) dig_signed_len);
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED */
|
||||||
((void) len);
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) */
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
|
||||||
|
|
||||||
/* For key exchanges involving ECDH, extract DH parameters from certificate here. */
|
/*
|
||||||
|
*
|
||||||
|
* Part 1: Extract static ECDH parameters and abort
|
||||||
|
* if ServerKeyExchange not needed.
|
||||||
|
*
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* For suites involving ECDH, extract DH parameters
|
||||||
|
* from certificate at this point. */
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDH_ENABLED)
|
||||||
if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
|
if( mbedtls_ssl_ciphersuite_uses_ecdh( ciphersuite_info ) )
|
||||||
{
|
{
|
||||||
|
@ -2728,7 +2736,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* For DHE key exchanges, add the DH parameters here.
|
* - DHE key exchanges
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED)
|
||||||
if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
|
if( mbedtls_ssl_ciphersuite_uses_dhe( ciphersuite_info ) )
|
||||||
|
@ -2763,8 +2771,10 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||||
dig_signed = p;
|
dig_signed = p;
|
||||||
dig_signed_len = len;
|
dig_signed_len = len;
|
||||||
|
#endif
|
||||||
|
|
||||||
p += len;
|
p += len;
|
||||||
n += len;
|
n += len;
|
||||||
|
@ -2777,7 +2787,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__DHE_ENABLED */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* For ECDHE key exchanges, add the ECDH parameters here.
|
* - ECDHE key exchanges
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED)
|
||||||
if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
|
if( mbedtls_ssl_ciphersuite_uses_ecdhe( ciphersuite_info ) )
|
||||||
|
@ -2823,8 +2833,10 @@ curve_matching_done:
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||||
dig_signed = p;
|
dig_signed = p;
|
||||||
dig_signed_len = len;
|
dig_signed_len = len;
|
||||||
|
#endif
|
||||||
|
|
||||||
p += len;
|
p += len;
|
||||||
n += len;
|
n += len;
|
||||||
|
@ -2834,8 +2846,10 @@ curve_matching_done:
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__ECDHE_ENABLED */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* For key exchanges involving the server signing the (EC)DH parameters,
|
*
|
||||||
* compute and add the signature here.
|
* Part 3: For key exchanges involving the server signing the
|
||||||
|
* exchange parameters, compute and add the signature here.
|
||||||
|
*
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||||
if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
|
if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
|
||||||
|
@ -2860,16 +2874,15 @@ curve_matching_done:
|
||||||
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/* For TLS 1.2, obey signature-hash-algorithm extension
|
/* A: For TLS 1.2, obey signature-hash-algorithm extension
|
||||||
* (RFC 5246, Sec. 7.4.1.4.1). */
|
* (RFC 5246, Sec. 7.4.1.4.1). */
|
||||||
|
|
||||||
if( sig_alg == MBEDTLS_PK_NONE ||
|
if( sig_alg == MBEDTLS_PK_NONE ||
|
||||||
( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
( md_alg = mbedtls_ssl_sig_hash_set_find( &ssl->handshake->hash_algs,
|
||||||
sig_alg ) ) == MBEDTLS_MD_NONE )
|
sig_alg ) ) == MBEDTLS_MD_NONE )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||||
/* (... because we choose a cipher suite
|
/* (... because we choose a cipher suite
|
||||||
* only if there is a matching hash.) */
|
* only if there is a matching hash.) */
|
||||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -2877,22 +2890,23 @@ curve_matching_done:
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ciphersuite_info->key_exchange ==
|
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
|
||||||
{
|
{
|
||||||
|
/* B: Default hash SHA1 */
|
||||||
md_alg = MBEDTLS_MD_SHA1;
|
md_alg = MBEDTLS_MD_SHA1;
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
||||||
MBEDTLS_SSL_PROTO_TLS1_1 */
|
MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
{
|
{
|
||||||
|
/* C: MD5 + SHA1 */
|
||||||
md_alg = MBEDTLS_MD_NONE;
|
md_alg = MBEDTLS_MD_NONE;
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pick hash algorithm %d for signing", md_alg ) );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Compute the hash to be signed
|
* 3.2: Compute the hash to be signed
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
|
@ -2917,6 +2931,7 @@ curve_matching_done:
|
||||||
* SHA(ClientHello.random + ServerHello.random
|
* SHA(ClientHello.random + ServerHello.random
|
||||||
* + ServerParams);
|
* + ServerParams);
|
||||||
*/
|
*/
|
||||||
|
|
||||||
mbedtls_md5_starts( &mbedtls_md5 );
|
mbedtls_md5_starts( &mbedtls_md5 );
|
||||||
mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
|
mbedtls_md5_update( &mbedtls_md5, ssl->handshake->randbytes, 64 );
|
||||||
mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
|
mbedtls_md5_update( &mbedtls_md5, dig_signed, dig_signed_len );
|
||||||
|
@ -2978,7 +2993,7 @@ curve_matching_done:
|
||||||
(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
|
(unsigned int) ( mbedtls_md_get_size( mbedtls_md_info_from_type( md_alg ) ) ) );
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Compute and add the signature
|
* 3.3: Compute and add the signature
|
||||||
*/
|
*/
|
||||||
if( mbedtls_ssl_own_key( ssl ) == NULL )
|
if( mbedtls_ssl_own_key( ssl ) == NULL )
|
||||||
{
|
{
|
||||||
|
@ -2989,7 +3004,8 @@ curve_matching_done:
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/* For TLS 1.2, we need to specify signature and hash algorithm
|
/*
|
||||||
|
* For TLS 1.2, we need to specify signature and hash algorithm
|
||||||
* explicitly through a prefix to the signature.
|
* explicitly through a prefix to the signature.
|
||||||
*
|
*
|
||||||
* struct {
|
* struct {
|
||||||
|
@ -3028,6 +3044,8 @@ curve_matching_done:
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */
|
||||||
|
|
||||||
|
/* Done with actual work; add header and send. */
|
||||||
|
|
||||||
ssl->out_msglen = 4 + n;
|
ssl->out_msglen = 4 + n;
|
||||||
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
||||||
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
|
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE;
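Review bot: The new headings introduce a numbering scheme — `Part 1`, `Part 3`, `3.2:`, `3.3:`, `A:`/`B:`/`C:` — but no `Part 2` or `3.1` heading appears in any hunk, and the stretches between hunks are unchanged context, so unless those headings already exist the scheme is dangling for a reader of ssl_write_server_key_exchange(); suggest adding ` * Part 2: Provide key exchange parameters for chosen ciphersuite.` at the top of the DHE block comment (hunk at -2728) and ` * 3.1: Choose hash algorithm for signature` before the `if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )` selection (hunk at -2860). The `/* C: MD5 + SHA1 */` label next to `md_alg = MBEDTLS_MD_NONE;` (hunk at -2877) deserves one more line, because MBEDTLS_MD_NONE is being used as a sentinel for the legacy path in the `MBEDTLS_SSL_PROTO_SSL3 || TLS1 || TLS1_1` branch below, which updates both an MD5 and a SHA context over `randbytes` and `dig_signed`; e.g. `/* C: MD_NONE selects the SSL3/TLS1.0/1.1 path below, which hashes with MD5 and SHA-1 rather than a single digest. */`. The two bare `#endif` lines added after `dig_signed_len = len;` (hunks at -2763 and -2823) break the file's convention of naming the macro being closed; write `#endif /* MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED */` as the first hunk already does. The enclosing function starts and ends outside these hunks.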