mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-23 13:55:29 +00:00
Introduce ciphersuite handle type
This commit introduces an internal zero-cost abstraction layer for SSL ciphersuites: Instead of addressing ciphersuites via pointers to instances of mbedtls_ssl_ciphersuite_t and accessing their fields directly, this commit introduces an opaque type mbedtls_ssl_ciphersuite_handle_t, and getter functions mbedtls_ssl_suite_get_xxx() operating on ciphersuite handles. The role of NULL is played by a new macro constant MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE which results of functions returning handles can be checked against. (For example, when doing a lookup of a ciphersuite from a peer-provided ciphersuite ID in the per's Hello message). The getter functions have the validity of the handle as a precondition and are undefined if the handle is invalid. So far, there's only one implementation of this abstraction layer, namely mbedtls_ssl_ciphersuite_handle_t being mbedtls_ssl_ciphersuite_t const * and getter functions being field accesses. In subsequent commits, however, the abstraction layer will be useful to save code in the situation where only a single ciphersuite is enabled.
This commit is contained in:
parent
65382f250d
commit
473f98f2e0
|
@ -331,22 +331,80 @@ struct mbedtls_ssl_ciphersuite_t
|
|||
unsigned char flags;
|
||||
};
|
||||
|
||||
const int *mbedtls_ssl_list_ciphersuites( void );
|
||||
typedef mbedtls_ssl_ciphersuite_t const * mbedtls_ssl_ciphersuite_handle_t;
|
||||
#define MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ( (mbedtls_ssl_ciphersuite_handle_t) NULL )
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
|
||||
/*
|
||||
* Getter functions for the extraction of ciphersuite attributes
|
||||
* from a ciphersuite handle.
|
||||
*
|
||||
* These functions have the validity of the handle as a precondition!
|
||||
* Their behaviour is undefined when MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE
|
||||
* is passed.
|
||||
*/
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info );
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info );
|
||||
#endif
|
||||
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info );
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info );
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info )
|
||||
/*
|
||||
* Implementation of getter functions when the ciphersuite handle
|
||||
* is a pointer to the ciphersuite information structure.
|
||||
*
|
||||
* The precondition that the handle is valid means that
|
||||
* we don't need to check that info != NULL.
|
||||
*/
|
||||
static inline int mbedtls_ssl_suite_get_id(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
return( info->id );
|
||||
}
|
||||
static inline const char* mbedtls_ssl_suite_get_name(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->name );
|
||||
}
|
||||
static inline mbedtls_cipher_type_t mbedtls_ssl_suite_get_cipher(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->cipher );
|
||||
}
|
||||
static inline mbedtls_md_type_t mbedtls_ssl_suite_get_mac(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->mac );
|
||||
}
|
||||
static inline mbedtls_key_exchange_type_t mbedtls_ssl_suite_get_key_exchange(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->key_exchange );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_min_major_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->min_major_ver );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_min_minor_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->min_minor_ver );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_max_major_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->max_major_ver );
|
||||
}
|
||||
static inline int mbedtls_ssl_suite_get_max_minor_ver(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->max_minor_ver );
|
||||
}
|
||||
static inline unsigned char mbedtls_ssl_suite_get_flags(
|
||||
mbedtls_ssl_ciphersuite_handle_t const info )
|
||||
{
|
||||
return( info->flags );
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_has_pfs(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
|
@ -361,9 +419,10 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_no_pfs(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
|
@ -377,9 +436,10 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdh(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA:
|
||||
|
@ -390,9 +450,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersui
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
|
@ -407,9 +468,10 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ci
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
|
@ -425,9 +487,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphe
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_dhe(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_PSK:
|
||||
|
@ -438,9 +501,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuit
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_ecdhe(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
|
@ -452,9 +516,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersu
|
|||
}
|
||||
}
|
||||
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info )
|
||||
static inline int mbedtls_ssl_ciphersuite_uses_server_signature(
|
||||
mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
|
@ -466,6 +531,19 @@ static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_s
|
|||
}
|
||||
}
|
||||
|
||||
const int *mbedtls_ssl_list_ciphersuites( void );
|
||||
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name );
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id );
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( mbedtls_ssl_ciphersuite_handle_t info );
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( mbedtls_ssl_ciphersuite_handle_t info );
|
||||
#endif
|
||||
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( mbedtls_ssl_ciphersuite_handle_t info );
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( mbedtls_ssl_ciphersuite_handle_t info );
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -501,7 +501,7 @@ struct mbedtls_ssl_handshake_params
|
|||
const unsigned char *, size_t,
|
||||
unsigned char *, size_t);
|
||||
|
||||
mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
|
||||
size_t pmslen; /*!< premaster length */
|
||||
|
||||
|
@ -918,7 +918,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl );
|
|||
int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl );
|
||||
|
||||
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info );
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex );
|
||||
|
@ -978,7 +978,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl )
|
|||
* Return 0 if everything is OK, -1 if not.
|
||||
*/
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite,
|
||||
int cert_endpoint,
|
||||
uint32_t *flags );
|
||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||
|
|
|
@ -2182,18 +2182,19 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
|||
static int supported_ciphersuites[MAX_CIPHERSUITES];
|
||||
static int supported_init = 0;
|
||||
|
||||
static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info )
|
||||
static int ciphersuite_is_removed( mbedtls_ssl_ciphersuite_handle_t cs_info )
|
||||
{
|
||||
(void)cs_info;
|
||||
if( cs_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
return( 1 );
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
if( mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
return( 1 );
|
||||
#endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */
|
||||
|
||||
#if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES)
|
||||
if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB ||
|
||||
cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
if( mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_DES_EDE3_ECB ||
|
||||
mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_DES_EDE3_CBC )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
|
@ -2217,12 +2218,10 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
|||
*p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1;
|
||||
p++ )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cs_info;
|
||||
if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL &&
|
||||
!ciphersuite_is_removed( cs_info ) )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t cs_info;
|
||||
cs_info = mbedtls_ssl_ciphersuite_from_id( *p );
|
||||
if( !ciphersuite_is_removed( cs_info ) )
|
||||
*(q++) = *p;
|
||||
}
|
||||
}
|
||||
*q = 0;
|
||||
|
||||
|
@ -2233,10 +2232,10 @@ const int *mbedtls_ssl_list_ciphersuites( void )
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_CIPHERSUITES */
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string(
|
||||
const char *ciphersuite_name )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur = ciphersuite_definitions;
|
||||
|
||||
if( NULL == ciphersuite_name )
|
||||
return( NULL );
|
||||
|
@ -2252,9 +2251,9 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string(
|
|||
return( NULL );
|
||||
}
|
||||
|
||||
const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
|
||||
mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id( int ciphersuite )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur = ciphersuite_definitions;
|
||||
|
||||
while( cur->id != 0 )
|
||||
{
|
||||
|
@ -2269,7 +2268,7 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuit
|
|||
|
||||
const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur;
|
||||
|
||||
cur = mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
|
||||
|
||||
|
@ -2281,7 +2280,7 @@ const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id )
|
|||
|
||||
int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *cur;
|
||||
mbedtls_ssl_ciphersuite_handle_t cur;
|
||||
|
||||
cur = mbedtls_ssl_ciphersuite_from_string( ciphersuite_name );
|
||||
|
||||
|
@ -2292,9 +2291,9 @@ int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name )
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_PK_C)
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info )
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
|
@ -2314,9 +2313,9 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciph
|
|||
}
|
||||
}
|
||||
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info )
|
||||
mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_DHE_RSA:
|
||||
|
@ -2335,9 +2334,9 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphers
|
|||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
|
||||
int mbedtls_ssl_ciphersuite_uses_ec( mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA:
|
||||
|
@ -2354,9 +2353,9 @@ int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info )
|
|||
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info )
|
||||
int mbedtls_ssl_ciphersuite_uses_psk( mbedtls_ssl_ciphersuite_handle_t info )
|
||||
{
|
||||
switch( info->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( info ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_PSK:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
|
|
|
@ -780,34 +780,45 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
|
|||
*
|
||||
* \return 0 if valid, else 1
|
||||
*/
|
||||
static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
|
||||
static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info,
|
||||
const mbedtls_ssl_context * ssl,
|
||||
int min_minor_ver, int max_minor_ver )
|
||||
{
|
||||
(void) ssl;
|
||||
if( suite_info == NULL )
|
||||
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
return( 1 );
|
||||
|
||||
if( suite_info->min_minor_ver > max_minor_ver ||
|
||||
suite_info->max_minor_ver < min_minor_ver )
|
||||
|
||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
|
||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
|
||||
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
|
||||
( mbedtls_ssl_suite_get_flags( suite_info ) &
|
||||
MBEDTLS_CIPHERSUITE_NODTLS ) != 0 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
|
||||
suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
|
||||
{
|
||||
return( 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
return( 0 );
|
||||
|
@ -821,7 +832,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||
unsigned char *p, *q;
|
||||
unsigned char offer_compress;
|
||||
const int *ciphersuites;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
int uses_ec = 0;
|
||||
|
@ -978,7 +989,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||
continue;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
|
||||
ciphersuites[i] ) );
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info ) ) );
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
|
@ -986,8 +997,10 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||
#endif
|
||||
|
||||
n++;
|
||||
*p++ = (unsigned char)( ciphersuites[i] >> 8 );
|
||||
*p++ = (unsigned char)( ciphersuites[i] );
|
||||
*p++ = (unsigned char)(
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 );
|
||||
*p++ = (unsigned char)(
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info ) );
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) );
|
||||
|
@ -1428,8 +1441,8 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
int ret;
|
||||
|
||||
if( ssl->handshake->ciphersuite_info->key_exchange !=
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange(
|
||||
ssl->handshake->ciphersuite_info ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
|
||||
return( 0 );
|
||||
|
@ -1613,7 +1626,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||
int extended_ms_seen = 0;
|
||||
#endif
|
||||
int handshake_failure = 0;
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t suite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) );
|
||||
|
||||
|
@ -1790,7 +1803,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||
* Initialize update checksum functions
|
||||
*/
|
||||
ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i );
|
||||
if( ssl->handshake->ciphersuite_info == NULL )
|
||||
if( ssl->handshake->ciphersuite_info ==
|
||||
MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) );
|
||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||
|
@ -1888,10 +1902,12 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s",
|
||||
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
||||
|
||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||
if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||
{
|
||||
ssl->handshake->ecrs_enabled = 1;
|
||||
|
@ -2555,14 +2571,15 @@ cleanup:
|
|||
static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
unsigned char *p = NULL, *end = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
|
||||
ssl->state++;
|
||||
|
@ -2574,8 +2591,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
|||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
{
|
||||
if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
|
||||
{
|
||||
|
@ -2622,8 +2641,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
|||
*/
|
||||
if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
|
||||
{
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
/* Current message is probably either
|
||||
* CertificateRequest or ServerHelloDone */
|
||||
|
@ -2650,10 +2671,14 @@ start_processing:
|
|||
MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 )
|
||||
{
|
||||
|
@ -2667,16 +2692,22 @@ start_processing:
|
|||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
; /* nothing more to do */
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
{
|
||||
if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 )
|
||||
{
|
||||
|
@ -2692,9 +2723,12 @@ start_processing:
|
|||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
{
|
||||
if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
|
||||
{
|
||||
|
@ -2709,7 +2743,8 @@ start_processing:
|
|||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
|
||||
p, end - p );
|
||||
|
@ -2922,7 +2957,7 @@ exit:
|
|||
#if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
|
||||
|
@ -2944,7 +2979,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
|||
unsigned char *buf;
|
||||
size_t n = 0;
|
||||
size_t cert_type_len = 0, dn_len = 0;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
|
||||
|
@ -3145,13 +3180,13 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
int ret;
|
||||
size_t i, n;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
{
|
||||
/*
|
||||
* DHM key exchange -- send G^X mod P
|
||||
|
@ -3195,10 +3230,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
{
|
||||
/*
|
||||
* ECDH key exchange -- send client public value
|
||||
|
@ -3296,14 +3335,16 @@ ecdh_calc_secret:
|
|||
i += ssl->conf->psk_identity_len;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
{
|
||||
n = 0;
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 )
|
||||
return( ret );
|
||||
|
@ -3311,7 +3352,8 @@ ecdh_calc_secret:
|
|||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
{
|
||||
/*
|
||||
* ClientDiffieHellmanPublic public (DHM send G^X mod P)
|
||||
|
@ -3342,7 +3384,8 @@ ecdh_calc_secret:
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
/*
|
||||
* ClientECDiffieHellmanPublic public;
|
||||
|
@ -3368,7 +3411,7 @@ ecdh_calc_secret:
|
|||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
|
@ -3377,7 +3420,8 @@ ecdh_calc_secret:
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
{
|
||||
i = 4;
|
||||
if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 )
|
||||
|
@ -3386,7 +3430,8 @@ ecdh_calc_secret:
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
i = 4;
|
||||
|
||||
|
@ -3438,7 +3483,7 @@ ecdh_calc_secret:
|
|||
#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
int ret;
|
||||
|
||||
|
@ -3464,7 +3509,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
|||
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
size_t n = 0, offset = 0;
|
||||
unsigned char hash[48];
|
||||
|
@ -3570,7 +3615,8 @@ sign:
|
|||
* Reason: Otherwise we should have running hashes for SHA512 and SHA224
|
||||
* in order to satisfy 'weird' needs from the server side.
|
||||
*/
|
||||
if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||
if( mbedtls_ssl_suite_get_mac( ssl->handshake->ciphersuite_info )
|
||||
== MBEDTLS_MD_SHA384 )
|
||||
{
|
||||
md_alg = MBEDTLS_MD_SHA384;
|
||||
ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384;
|
||||
|
|
|
@ -759,9 +759,8 @@ static int ssl_check_key_curve( mbedtls_pk_context *pk,
|
|||
* return 0 on success and -1 on failure.
|
||||
*/
|
||||
static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t * ciphersuite_info,
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info,
|
||||
mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
|
||||
|
||||
{
|
||||
mbedtls_ssl_key_cert *cur, *list, *fallback = NULL;
|
||||
mbedtls_pk_type_t pk_alg =
|
||||
|
@ -920,10 +919,10 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
|||
* Sets ciphersuite_info only if the suite matches.
|
||||
*/
|
||||
static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
||||
const mbedtls_ssl_ciphersuite_t **ciphersuite_info,
|
||||
mbedtls_ssl_ciphersuite_handle_t *ciphersuite_info,
|
||||
mbedtls_ecp_group_id const *acceptable_ec_grp_ids )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *suite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t suite_info;
|
||||
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||
|
@ -931,16 +930,17 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
|||
#endif
|
||||
|
||||
suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id );
|
||||
if( suite_info == NULL )
|
||||
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
|
||||
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
|
||||
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
||||
|
||||
if( suite_info->min_minor_ver > ssl->minor_ver ||
|
||||
suite_info->max_minor_ver < ssl->minor_ver )
|
||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver ||
|
||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
||||
return( 0 );
|
||||
|
@ -948,13 +948,16 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
|||
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) &&
|
||||
( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) )
|
||||
( mbedtls_ssl_suite_get_flags( suite_info ) &
|
||||
MBEDTLS_CIPHERSUITE_NODTLS ) )
|
||||
{
|
||||
return( 0 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_ARC4_C)
|
||||
if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED &&
|
||||
suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
|
||||
return( 0 );
|
||||
|
@ -962,7 +965,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
|
|||
#endif
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
if( mbedtls_ssl_suite_get_key_exchange( suite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
|
||||
( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
|
||||
|
@ -1044,7 +1048,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||
unsigned int ciph_len, sess_len, chal_len;
|
||||
unsigned char *buf, *p;
|
||||
const int *ciphersuites;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
||||
|
||||
|
@ -1235,7 +1239,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||
|
||||
got_common_suite = 0;
|
||||
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
||||
ciphersuite_info = NULL;
|
||||
ciphersuite_info = MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE;
|
||||
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
|
@ -1258,7 +1262,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||
return( ret );
|
||||
}
|
||||
|
||||
if( ciphersuite_info != NULL )
|
||||
if( ciphersuite_info != MBEDTLS_SSL_CIPHERSUITE_INVALD_HANDLE )
|
||||
goto have_ciphersuite_v2;
|
||||
}
|
||||
|
||||
|
@ -1275,7 +1279,8 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
have_ciphersuite_v2:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
|
||||
mbedtls_ssl_suite_get_name( ciphersuite_info ) ) );
|
||||
|
||||
ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||
|
@ -1323,7 +1328,7 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl )
|
|||
#endif
|
||||
int handshake_failure = 0;
|
||||
const int *ciphersuites;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
int major, minor;
|
||||
|
||||
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
|
||||
|
@ -2129,7 +2134,7 @@ read_record_header:
|
|||
*/
|
||||
got_common_suite = 0;
|
||||
ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver];
|
||||
ciphersuite_info = NULL;
|
||||
ciphersuite_info = MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE;
|
||||
#if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 )
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
|
@ -2151,7 +2156,7 @@ read_record_header:
|
|||
return( ret );
|
||||
}
|
||||
|
||||
if( ciphersuite_info != NULL )
|
||||
if( ciphersuite_info != MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
goto have_ciphersuite;
|
||||
}
|
||||
|
||||
|
@ -2172,7 +2177,8 @@ read_record_header:
|
|||
}
|
||||
|
||||
have_ciphersuite:
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
|
||||
mbedtls_ssl_suite_get_name( ciphersuite_info ) ) );
|
||||
|
||||
ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||
|
@ -2290,7 +2296,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||
size_t *olen )
|
||||
{
|
||||
unsigned char *p = buf;
|
||||
const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
||||
mbedtls_ssl_ciphersuite_handle_t suite =
|
||||
MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE;
|
||||
const mbedtls_cipher_info_t *cipher = NULL;
|
||||
|
||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||
|
@ -2306,9 +2313,17 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||
* with Associated Data (AEAD) ciphersuite, it MUST NOT send an
|
||||
* encrypt-then-MAC response extension back to the client."
|
||||
*/
|
||||
if( ( suite = mbedtls_ssl_ciphersuite_from_id(
|
||||
ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
||||
( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
||||
suite = mbedtls_ssl_ciphersuite_from_id(
|
||||
ssl->session_negotiate->ciphersuite );
|
||||
if( suite == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
*olen = 0;
|
||||
return;
|
||||
}
|
||||
|
||||
cipher = mbedtls_cipher_info_from_type(
|
||||
mbedtls_ssl_suite_get_cipher( suite ) );
|
||||
if( cipher == NULL ||
|
||||
cipher->mode != MBEDTLS_MODE_CBC )
|
||||
{
|
||||
*olen = 0;
|
||||
|
@ -2491,7 +2506,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
*olen = 0;
|
||||
|
||||
/* Skip costly computation if not needed */
|
||||
if( ssl->handshake->ciphersuite_info->key_exchange !=
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ssl->handshake->ciphersuite_info ) !=
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
return;
|
||||
|
||||
|
@ -2884,7 +2899,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||
#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
||||
|
@ -2903,7 +2918,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
size_t dn_size, total_dn_size; /* excluding length bytes */
|
||||
size_t ct_len, sa_len; /* including length bytes */
|
||||
|
@ -3134,7 +3149,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||
size_t *signature_len )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
||||
|
@ -3160,7 +3175,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
* - ECJPAKE key exchanges
|
||||
*/
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
int ret;
|
||||
size_t len = 0;
|
||||
|
@ -3188,8 +3204,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
**/
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
ssl->out_msg[ssl->out_msglen++] = 0x00;
|
||||
ssl->out_msg[ssl->out_msglen++] = 0x00;
|
||||
|
@ -3353,7 +3369,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
{
|
||||
/* B: Default hash SHA1 */
|
||||
md_alg = MBEDTLS_MD_SHA1;
|
||||
|
@ -3495,7 +3512,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
|||
int ret;
|
||||
size_t signature_len = 0;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
||||
|
||||
|
@ -3939,7 +3956,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
|
|||
static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
unsigned char *p, *end;
|
||||
|
||||
ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
|
@ -3949,8 +3966,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
||||
( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) )
|
||||
if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) &&
|
||||
if( ( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_RSA_PSK ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_RSA ) &&
|
||||
( ssl->handshake->async_in_progress != 0 ) )
|
||||
{
|
||||
/* We've already read a record and there is an asynchronous
|
||||
|
@ -3982,7 +3999,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_DHE_RSA )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
|
@ -4015,10 +4033,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
|
||||
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
|
||||
== MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
|
||||
{
|
||||
if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx,
|
||||
p, end - p) ) != 0 )
|
||||
|
@ -4050,7 +4072,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
|
||||
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_PSK )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
|
@ -4065,7 +4088,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
|
@ -4074,7 +4097,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
|
||||
if ( ssl->handshake->async_in_progress != 0 )
|
||||
|
@ -4102,7 +4126,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
|
@ -4111,7 +4135,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_DHE_PSK )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
|
@ -4131,7 +4156,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
|
@ -4140,7 +4165,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
|
||||
{
|
||||
if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 )
|
||||
{
|
||||
|
@ -4159,7 +4185,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
MBEDTLS_DEBUG_ECDH_QP );
|
||||
|
||||
if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl,
|
||||
ciphersuite_info->key_exchange ) ) != 0 )
|
||||
mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret );
|
||||
return( ret );
|
||||
|
@ -4168,7 +4194,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA )
|
||||
{
|
||||
if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 )
|
||||
{
|
||||
|
@ -4179,7 +4206,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
else
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx,
|
||||
p, end - p );
|
||||
|
@ -4222,7 +4250,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
#if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
|
||||
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
||||
|
@ -4249,7 +4277,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
|||
mbedtls_pk_type_t pk_alg;
|
||||
#endif
|
||||
mbedtls_md_type_t md_alg;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_pk_context *peer_pk = NULL;
|
||||
|
||||
|
|
|
@ -801,7 +801,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||
size_t mac_key_len;
|
||||
size_t iv_copy_len;
|
||||
unsigned keylen;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
const mbedtls_cipher_info_t *cipher_info;
|
||||
const mbedtls_md_info_t *md_info;
|
||||
|
||||
|
@ -823,26 +823,28 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||
* Get various info structures
|
||||
*/
|
||||
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite );
|
||||
if( ciphersuite_info == NULL )
|
||||
if( ciphersuite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found",
|
||||
ciphersuite ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher );
|
||||
cipher_info = mbedtls_cipher_info_from_type(
|
||||
mbedtls_ssl_suite_get_cipher( ciphersuite_info ) );
|
||||
if( cipher_info == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found",
|
||||
ciphersuite_info->cipher ) );
|
||||
mbedtls_ssl_suite_get_cipher( ciphersuite_info ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
md_info = mbedtls_md_info_from_type( ciphersuite_info->mac );
|
||||
md_info = mbedtls_md_info_from_type(
|
||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
||||
if( md_info == NULL )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found",
|
||||
ciphersuite_info->mac ) );
|
||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) ) );
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
|
@ -899,8 +901,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||
|
||||
transform->maclen = 0;
|
||||
mac_key_len = 0;
|
||||
transform->taglen =
|
||||
ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
transform->taglen = mbedtls_ssl_suite_get_flags( ciphersuite_info ) &
|
||||
MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16;
|
||||
|
||||
/* All modes haves 96-bit IVs;
|
||||
* GCM and CCM has 4 implicit and 8 explicit bytes
|
||||
|
@ -1338,15 +1340,15 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
|
|||
int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
|
||||
|
||||
/* Set PRF, calc_verify and calc_finished function pointers */
|
||||
ret = ssl_set_handshake_prfs( ssl->handshake,
|
||||
ssl->minor_ver,
|
||||
ciphersuite_info->mac );
|
||||
ssl->minor_ver,
|
||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
||||
if( ret != 0 )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret );
|
||||
|
@ -6070,7 +6072,7 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
|
|||
/* No certificate support -> dummy functions */
|
||||
int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||
|
||||
|
@ -6087,7 +6089,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||
|
||||
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||
|
||||
|
@ -6110,7 +6112,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
size_t i, n;
|
||||
const mbedtls_x509_crt *crt;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||
|
||||
|
@ -6474,7 +6476,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
|
|||
static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
|
||||
int authmode )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
|
||||
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||
|
@ -6483,8 +6485,11 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
|
|||
#if defined(MBEDTLS_SSL_SRV_C)
|
||||
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER )
|
||||
{
|
||||
if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
|
||||
MBEDTLS_KEY_EXCHANGE_RSA_PSK )
|
||||
{
|
||||
return( SSL_CERTIFICATE_SKIP );
|
||||
}
|
||||
|
||||
if( authmode == MBEDTLS_SSL_VERIFY_NONE )
|
||||
{
|
||||
|
@ -6506,8 +6511,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
|||
void *rs_ctx )
|
||||
{
|
||||
int verify_ret;
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
mbedtls_x509_crl *ca_crl;
|
||||
|
||||
|
@ -6973,7 +6977,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
|
|||
}
|
||||
|
||||
void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info )
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info )
|
||||
{
|
||||
((void) ciphersuite_info);
|
||||
|
||||
|
@ -6985,12 +6989,12 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
|||
#endif
|
||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||
#if defined(MBEDTLS_SHA512_C)
|
||||
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||
if( mbedtls_ssl_suite_get_mac( ciphersuite_info ) == MBEDTLS_MD_SHA384 )
|
||||
ssl->handshake->update_checksum = ssl_update_checksum_sha384;
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_SHA256_C)
|
||||
if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 )
|
||||
if( mbedtls_ssl_suite_get_mac( ciphersuite_info ) != MBEDTLS_MD_SHA384 )
|
||||
ssl->handshake->update_checksum = ssl_update_checksum_sha256;
|
||||
else
|
||||
#endif
|
||||
|
@ -11242,7 +11246,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
|
|||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite,
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite,
|
||||
int cert_endpoint,
|
||||
uint32_t *flags )
|
||||
{
|
||||
|
@ -11266,7 +11270,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
|||
if( cert_endpoint == MBEDTLS_SSL_IS_SERVER )
|
||||
{
|
||||
/* Server part of the key exchange */
|
||||
switch( ciphersuite->key_exchange )
|
||||
switch( mbedtls_ssl_suite_get_key_exchange( ciphersuite ) )
|
||||
{
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA:
|
||||
case MBEDTLS_KEY_EXCHANGE_RSA_PSK:
|
||||
|
|
|
@ -56,6 +56,7 @@ int main( void )
|
|||
|
||||
#include "mbedtls/net_sockets.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/ssl_ciphersuites.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
|
@ -1296,19 +1297,19 @@ int main( int argc, char *argv[] )
|
|||
|
||||
if( opt.force_ciphersuite[0] > 0 )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
|
||||
|
||||
if( opt.max_version != -1 &&
|
||||
ciphersuite_info->min_minor_ver > opt.max_version )
|
||||
mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
goto usage;
|
||||
}
|
||||
if( opt.min_version != -1 &&
|
||||
ciphersuite_info->max_minor_ver < opt.min_version )
|
||||
mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
|
@ -1318,13 +1319,13 @@ int main( int argc, char *argv[] )
|
|||
/* If the server selects a version that's not supported by
|
||||
* this suite, then there will be no common ciphersuite... */
|
||||
if( opt.max_version == -1 ||
|
||||
opt.max_version > ciphersuite_info->max_minor_ver )
|
||||
opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.max_version = ciphersuite_info->max_minor_ver;
|
||||
opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
|
||||
}
|
||||
if( opt.min_version < ciphersuite_info->min_minor_ver )
|
||||
if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.min_version = ciphersuite_info->min_minor_ver;
|
||||
opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
|
||||
/* DTLS starts with TLS 1.1 */
|
||||
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
||||
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||
|
@ -1332,7 +1333,7 @@ int main( int argc, char *argv[] )
|
|||
}
|
||||
|
||||
/* Enable RC4 if needed and not explicitly disabled */
|
||||
if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
|
||||
{
|
||||
|
|
|
@ -55,6 +55,7 @@ int main( void )
|
|||
|
||||
#include "mbedtls/net_sockets.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/ssl_ciphersuites.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
|
@ -2018,19 +2019,19 @@ int main( int argc, char *argv[] )
|
|||
|
||||
if( opt.force_ciphersuite[0] > 0 )
|
||||
{
|
||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
ciphersuite_info =
|
||||
mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
|
||||
|
||||
if( opt.max_version != -1 &&
|
||||
ciphersuite_info->min_minor_ver > opt.max_version )
|
||||
mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
goto usage;
|
||||
}
|
||||
if( opt.min_version != -1 &&
|
||||
ciphersuite_info->max_minor_ver < opt.min_version )
|
||||
mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
|
||||
{
|
||||
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
|
||||
ret = 2;
|
||||
|
@ -2040,13 +2041,13 @@ int main( int argc, char *argv[] )
|
|||
/* If we select a version that's not supported by
|
||||
* this suite, then there will be no common ciphersuite... */
|
||||
if( opt.max_version == -1 ||
|
||||
opt.max_version > ciphersuite_info->max_minor_ver )
|
||||
opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.max_version = ciphersuite_info->max_minor_ver;
|
||||
opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
|
||||
}
|
||||
if( opt.min_version < ciphersuite_info->min_minor_ver )
|
||||
if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
|
||||
{
|
||||
opt.min_version = ciphersuite_info->min_minor_ver;
|
||||
opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
|
||||
/* DTLS starts with TLS 1.1 */
|
||||
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
|
||||
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||
|
@ -2054,7 +2055,7 @@ int main( int argc, char *argv[] )
|
|||
}
|
||||
|
||||
/* Enable RC4 if needed and not explicitly disabled */
|
||||
if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
|
||||
if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 )
|
||||
{
|
||||
if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue