mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-26 01:05:27 +00:00
Rearrange ExtendedMasterSecret parsing logic
`mbedtls_ssl_handshake_params::extended_ms` holds the state of the ExtendedMasterSecret extension in the current handshake. Initially set to 'disabled' for both client and server, - the client sets it to 'enabled' as soon as it finds the ExtendedMS extension in the `ServerHello` and it has advertised that extension in its ClientHello, - the server sets it to 'enabled' as soon as it finds the ExtendedMS extension in the `ClientHello` and is willing to advertise is in its `ServerHello`. This commit slightly restructures this logic in prepraration for the removal of `mbedtls_ssl_handshake_params::extended_ms` in case both the use and the enforcement of the ExtendedMasterSecret extension have been fixed at compile-time. Namely, in this case there is no need for the `extended_ms` field in the handshake structure, as the ExtendedMS must be in use if the handshake progresses beyond the Hello stage. Paving the way for the removal of mbedtls_ssl_handshake_params::extended_ms this commit introduces a temporary variable tracking the presence of the ExtendedMS extension in the ClientHello/ServerHello messages, leaving the derivation of `extended_ms` (and potential failure) to the end of the parsing routine.
This commit is contained in:
parent
aabbb582eb
commit
03b64fa6c1
|
@ -1341,9 +1341,6 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||||
}
|
}
|
||||||
|
|
||||||
((void) buf);
|
((void) buf);
|
||||||
|
|
||||||
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
@ -1603,6 +1600,9 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
int renegotiation_info_seen = 0;
|
int renegotiation_info_seen = 0;
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
|
int extended_ms_seen = 0;
|
||||||
#endif
|
#endif
|
||||||
int handshake_failure = 0;
|
int handshake_failure = 0;
|
||||||
const mbedtls_ssl_ciphersuite_t *suite_info;
|
const mbedtls_ssl_ciphersuite_t *suite_info;
|
||||||
|
@ -1984,6 +1984,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
extended_ms_seen = 1;
|
||||||
|
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
@ -2092,14 +2093,19 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
MBEDTLS_SSL_EXTENDED_MS_ENABLED )
|
||||||
mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
|
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
|
||||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
if( extended_ms_seen )
|
||||||
|
{
|
||||||
|
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||||
|
}
|
||||||
|
else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||||
"secret, while it is enforced") );
|
"secret, while it is enforced") );
|
||||||
handshake_failure = 1;
|
handshake_failure = 1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
|
|
|
@ -567,13 +567,6 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||||
|
|
||||||
((void) buf);
|
((void) buf);
|
||||||
|
|
||||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
|
||||||
ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
|
||||||
{
|
|
||||||
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
|
||||||
}
|
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
@ -1266,6 +1259,9 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
||||||
unsigned char *buf, *p, *ext;
|
unsigned char *buf, *p, *ext;
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
int renegotiation_info_seen = 0;
|
int renegotiation_info_seen = 0;
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
|
int extended_ms_seen = 0;
|
||||||
#endif
|
#endif
|
||||||
int handshake_failure = 0;
|
int handshake_failure = 0;
|
||||||
const int *ciphersuites;
|
const int *ciphersuites;
|
||||||
|
@ -1894,6 +1890,7 @@ read_record_header:
|
||||||
ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
|
ret = ssl_parse_extended_ms_ext( ssl, ext + 4, ext_size );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
|
extended_ms_seen = 1;
|
||||||
break;
|
break;
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
|
@ -2041,14 +2038,19 @@ read_record_header:
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED &&
|
MBEDTLS_SSL_EXTENDED_MS_ENABLED )
|
||||||
mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
|
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED &&
|
|
||||||
ssl->handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_DISABLED)
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
if( extended_ms_seen )
|
||||||
"secret, while it is enforced") );
|
{
|
||||||
handshake_failure = 1;
|
ssl->handshake->extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
|
||||||
|
}
|
||||||
|
else if( mbedtls_ssl_conf_get_ems_enforced( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_EXTENDED_MS_ENFORCE_ENABLED )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Peer not offering extended master "
|
||||||
|
"secret, while it is enforced") );
|
||||||
|
handshake_failure = 1;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue