diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index e3cd65bcc..bb55a4b65 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -331,22 +331,80 @@ struct mbedtls_ssl_ciphersuite_t unsigned char flags; }; -const int *mbedtls_ssl_list_ciphersuites( void ); +typedef mbedtls_ssl_ciphersuite_t const * mbedtls_ssl_ciphersuite_handle_t; +#define MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ( (mbedtls_ssl_ciphersuite_handle_t) NULL ) -const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name ); -const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id ); +/* + * Getter functions for the extraction of ciphersuite attributes + * from a ciphersuite handle. + * + * These functions have the validity of the handle as a precondition! + * Their behaviour is undefined when MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE + * is passed. + */ -#if defined(MBEDTLS_PK_C) -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info ); -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info ); -#endif - -int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info ); -int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info ); - -static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite_t *info ) +/* + * Implementation of getter functions when the ciphersuite handle + * is a pointer to the ciphersuite information structure. + * + * The precondition that the handle is valid means that + * we don't need to check that info != NULL. + */ +static inline int mbedtls_ssl_suite_get_id( + mbedtls_ssl_ciphersuite_handle_t const info ) { - switch( info->key_exchange ) + return( info->id ); +} +static inline const char* mbedtls_ssl_suite_get_name( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->name ); +} +static inline mbedtls_cipher_type_t mbedtls_ssl_suite_get_cipher( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->cipher ); +} +static inline mbedtls_md_type_t mbedtls_ssl_suite_get_mac( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->mac ); +} +static inline mbedtls_key_exchange_type_t mbedtls_ssl_suite_get_key_exchange( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->key_exchange ); +} +static inline int mbedtls_ssl_suite_get_min_major_ver( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->min_major_ver ); +} +static inline int mbedtls_ssl_suite_get_min_minor_ver( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->min_minor_ver ); +} +static inline int mbedtls_ssl_suite_get_max_major_ver( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->max_major_ver ); +} +static inline int mbedtls_ssl_suite_get_max_minor_ver( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->max_minor_ver ); +} +static inline unsigned char mbedtls_ssl_suite_get_flags( + mbedtls_ssl_ciphersuite_handle_t const info ) +{ + return( info->flags ); +} + +static inline int mbedtls_ssl_ciphersuite_has_pfs( + mbedtls_ssl_ciphersuite_handle_t info ) +{ + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_PSK: @@ -361,9 +419,10 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs( const mbedtls_ssl_ciphersuite } } -static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_no_pfs( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: @@ -377,9 +436,10 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs( const mbedtls_ssl_ciphersuite_ } } -static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_uses_ecdh( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: @@ -390,9 +450,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdh( const mbedtls_ssl_ciphersui } } -static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_RSA: @@ -407,9 +468,10 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed( const mbedtls_ssl_ci } } -static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_RSA_PSK: @@ -425,9 +487,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_srv_cert( const mbedtls_ssl_ciphe } } -static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_uses_dhe( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_PSK: @@ -438,9 +501,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_dhe( const mbedtls_ssl_ciphersuit } } -static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: @@ -452,9 +516,10 @@ static inline int mbedtls_ssl_ciphersuite_uses_ecdhe( const mbedtls_ssl_ciphersu } } -static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_ssl_ciphersuite_t *info ) +static inline int mbedtls_ssl_ciphersuite_uses_server_signature( + mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_DHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: @@ -466,6 +531,19 @@ static inline int mbedtls_ssl_ciphersuite_uses_server_signature( const mbedtls_s } } +const int *mbedtls_ssl_list_ciphersuites( void ); + +mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name ); +mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id( int ciphersuite_id ); + +#if defined(MBEDTLS_PK_C) +mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( mbedtls_ssl_ciphersuite_handle_t info ); +mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( mbedtls_ssl_ciphersuite_handle_t info ); +#endif + +int mbedtls_ssl_ciphersuite_uses_ec( mbedtls_ssl_ciphersuite_handle_t info ); +int mbedtls_ssl_ciphersuite_uses_psk( mbedtls_ssl_ciphersuite_handle_t info ); + #ifdef __cplusplus } #endif diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index 151589f59..b2382fab9 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -501,7 +501,7 @@ struct mbedtls_ssl_handshake_params const unsigned char *, size_t, unsigned char *, size_t); - mbedtls_ssl_ciphersuite_t const *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; size_t pmslen; /*!< premaster length */ @@ -918,7 +918,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl ); int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl ); void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, - const mbedtls_ssl_ciphersuite_t *ciphersuite_info ); + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ); @@ -978,7 +978,7 @@ static inline mbedtls_x509_crt *mbedtls_ssl_own_cert( mbedtls_ssl_context *ssl ) * Return 0 if everything is OK, -1 if not. */ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, - const mbedtls_ssl_ciphersuite_t *ciphersuite, + mbedtls_ssl_ciphersuite_handle_t ciphersuite, int cert_endpoint, uint32_t *flags ); #endif /* MBEDTLS_X509_CRT_PARSE_C */ diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index 518f7dde0..8378a9017 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -2182,18 +2182,19 @@ const int *mbedtls_ssl_list_ciphersuites( void ) static int supported_ciphersuites[MAX_CIPHERSUITES]; static int supported_init = 0; -static int ciphersuite_is_removed( const mbedtls_ssl_ciphersuite_t *cs_info ) +static int ciphersuite_is_removed( mbedtls_ssl_ciphersuite_handle_t cs_info ) { - (void)cs_info; + if( cs_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) + return( 1 ); #if defined(MBEDTLS_REMOVE_ARC4_CIPHERSUITES) - if( cs_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) + if( mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_ARC4_128 ) return( 1 ); #endif /* MBEDTLS_REMOVE_ARC4_CIPHERSUITES */ #if defined(MBEDTLS_REMOVE_3DES_CIPHERSUITES) - if( cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_ECB || - cs_info->cipher == MBEDTLS_CIPHER_DES_EDE3_CBC ) + if( mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_DES_EDE3_ECB || + mbedtls_ssl_suite_get_cipher( cs_info ) == MBEDTLS_CIPHER_DES_EDE3_CBC ) { return( 1 ); } @@ -2217,12 +2218,10 @@ const int *mbedtls_ssl_list_ciphersuites( void ) *p != 0 && q < supported_ciphersuites + MAX_CIPHERSUITES - 1; p++ ) { - const mbedtls_ssl_ciphersuite_t *cs_info; - if( ( cs_info = mbedtls_ssl_ciphersuite_from_id( *p ) ) != NULL && - !ciphersuite_is_removed( cs_info ) ) - { + mbedtls_ssl_ciphersuite_handle_t cs_info; + cs_info = mbedtls_ssl_ciphersuite_from_id( *p ); + if( !ciphersuite_is_removed( cs_info ) ) *(q++) = *p; - } } *q = 0; @@ -2233,10 +2232,10 @@ const int *mbedtls_ssl_list_ciphersuites( void ) } #endif /* MBEDTLS_SSL_CIPHERSUITES */ -const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( +mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_string( const char *ciphersuite_name ) { - const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions; + mbedtls_ssl_ciphersuite_handle_t cur = ciphersuite_definitions; if( NULL == ciphersuite_name ) return( NULL ); @@ -2252,9 +2251,9 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_string( return( NULL ); } -const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuite ) +mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_ciphersuite_from_id( int ciphersuite ) { - const mbedtls_ssl_ciphersuite_t *cur = ciphersuite_definitions; + mbedtls_ssl_ciphersuite_handle_t cur = ciphersuite_definitions; while( cur->id != 0 ) { @@ -2269,7 +2268,7 @@ const mbedtls_ssl_ciphersuite_t *mbedtls_ssl_ciphersuite_from_id( int ciphersuit const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id ) { - const mbedtls_ssl_ciphersuite_t *cur; + mbedtls_ssl_ciphersuite_handle_t cur; cur = mbedtls_ssl_ciphersuite_from_id( ciphersuite_id ); @@ -2281,7 +2280,7 @@ const char *mbedtls_ssl_get_ciphersuite_name( const int ciphersuite_id ) int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name ) { - const mbedtls_ssl_ciphersuite_t *cur; + mbedtls_ssl_ciphersuite_handle_t cur; cur = mbedtls_ssl_ciphersuite_from_string( ciphersuite_name ); @@ -2292,9 +2291,9 @@ int mbedtls_ssl_get_ciphersuite_id( const char *ciphersuite_name ) } #if defined(MBEDTLS_PK_C) -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciphersuite_t *info ) +mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_RSA: @@ -2314,9 +2313,9 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg( const mbedtls_ssl_ciph } } -mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphersuite_t *info ) +mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_DHE_RSA: @@ -2335,9 +2334,9 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_alg( const mbedtls_ssl_ciphers #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info ) +int mbedtls_ssl_ciphersuite_uses_ec( mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: @@ -2354,9 +2353,9 @@ int mbedtls_ssl_ciphersuite_uses_ec( const mbedtls_ssl_ciphersuite_t *info ) #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C || MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED*/ #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) -int mbedtls_ssl_ciphersuite_uses_psk( const mbedtls_ssl_ciphersuite_t *info ) +int mbedtls_ssl_ciphersuite_uses_psk( mbedtls_ssl_ciphersuite_handle_t info ) { - switch( info->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( info ) ) { case MBEDTLS_KEY_EXCHANGE_PSK: case MBEDTLS_KEY_EXCHANGE_RSA_PSK: diff --git a/library/ssl_cli.c b/library/ssl_cli.c index a050adb3b..fa5b64ec5 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -780,34 +780,45 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl ) * * \return 0 if valid, else 1 */ -static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info, +static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info, const mbedtls_ssl_context * ssl, int min_minor_ver, int max_minor_ver ) { (void) ssl; - if( suite_info == NULL ) + if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) return( 1 ); - if( suite_info->min_minor_ver > max_minor_ver || - suite_info->max_minor_ver < min_minor_ver ) + + if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver || + mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver ) + { return( 1 ); + } #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && - ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) + ( mbedtls_ssl_suite_get_flags( suite_info ) & + MBEDTLS_CIPHERSUITE_NODTLS ) != 0 ) + { return( 1 ); + } #endif #if defined(MBEDTLS_ARC4_C) if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && - suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) + mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 ) + { return( 1 ); + } #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && - mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + if( mbedtls_ssl_suite_get_key_exchange( suite_info ) == + MBEDTLS_KEY_EXCHANGE_ECJPAKE && + mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + { return( 1 ); + } #endif return( 0 ); @@ -821,7 +832,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) unsigned char *p, *q; unsigned char offer_compress; const int *ciphersuites; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) int uses_ec = 0; @@ -978,7 +989,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) continue; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", - ciphersuites[i] ) ); + mbedtls_ssl_suite_get_id( ciphersuite_info ) ) ); #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) @@ -986,8 +997,10 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl ) #endif n++; - *p++ = (unsigned char)( ciphersuites[i] >> 8 ); - *p++ = (unsigned char)( ciphersuites[i] ); + *p++ = (unsigned char)( + mbedtls_ssl_suite_get_id( ciphersuite_info ) >> 8 ); + *p++ = (unsigned char)( + mbedtls_ssl_suite_get_id( ciphersuite_info ) ); } MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites (excluding SCSVs)", n ) ); @@ -1428,8 +1441,8 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, { int ret; - if( ssl->handshake->ciphersuite_info->key_exchange != - MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( mbedtls_ssl_suite_get_key_exchange( + ssl->handshake->ciphersuite_info ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); return( 0 ); @@ -1613,7 +1626,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) int extended_ms_seen = 0; #endif int handshake_failure = 0; - const mbedtls_ssl_ciphersuite_t *suite_info; + mbedtls_ssl_ciphersuite_handle_t suite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server hello" ) ); @@ -1790,7 +1803,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) * Initialize update checksum functions */ ssl->handshake->ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( i ); - if( ssl->handshake->ciphersuite_info == NULL ) + if( ssl->handshake->ciphersuite_info == + MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %04x not found", i ) ); mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, @@ -1888,10 +1902,12 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO ); } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", suite_info->name ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %s", + mbedtls_ssl_suite_get_name( suite_info ) ) ); #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) - if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && + if( mbedtls_ssl_suite_get_key_exchange( suite_info ) == + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA && ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) { ssl->handshake->ecrs_enabled = 1; @@ -2555,14 +2571,15 @@ cleanup: static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) { int ret; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; unsigned char *p = NULL, *end = NULL; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) ); #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_RSA ) { MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); ssl->state++; @@ -2574,8 +2591,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_ECDH_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) { if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) { @@ -2622,8 +2641,10 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl ) */ if( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE ) { - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) { /* Current message is probably either * CertificateRequest or ServerHelloDone */ @@ -2650,10 +2671,14 @@ start_processing: MBEDTLS_SSL_DEBUG_BUF( 3, "server key exchange", p, end - p ); #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_RSA_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { if( ssl_parse_server_psk_hint( ssl, &p, end ) != 0 ) { @@ -2667,16 +2692,22 @@ start_processing: #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + { ; /* nothing more to do */ + } else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED || MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_DHE_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) { if( ssl_parse_server_dh_params( ssl, &p, end ) != 0 ) { @@ -2692,9 +2723,12 @@ start_processing: #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) { if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 ) { @@ -2709,7 +2743,8 @@ start_processing: MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); @@ -2922,7 +2957,7 @@ exit: #if ! defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); @@ -2944,7 +2979,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl ) unsigned char *buf; size_t n = 0; size_t cert_type_len = 0, dn_len = 0; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) ); @@ -3145,13 +3180,13 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) { int ret; size_t i, n; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) ); #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) { /* * DHM key exchange -- send G^X mod P @@ -3195,10 +3230,14 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) { /* * ECDH key exchange -- send client public value @@ -3296,14 +3335,16 @@ ecdh_calc_secret: i += ssl->conf->psk_identity_len; #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_PSK ) { n = 0; } else #endif #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) { if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) return( ret ); @@ -3311,7 +3352,8 @@ ecdh_calc_secret: else #endif #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) { /* * ClientDiffieHellmanPublic public (DHM send G^X mod P) @@ -3342,7 +3384,8 @@ ecdh_calc_secret: else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { /* * ClientECDiffieHellmanPublic public; @@ -3368,7 +3411,7 @@ ecdh_calc_secret: } if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); @@ -3377,7 +3420,8 @@ ecdh_calc_secret: else #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_RSA ) { i = 4; if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) @@ -3386,7 +3430,8 @@ ecdh_calc_secret: else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { i = 4; @@ -3438,7 +3483,7 @@ ecdh_calc_secret: #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; int ret; @@ -3464,7 +3509,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; size_t n = 0, offset = 0; unsigned char hash[48]; @@ -3570,7 +3615,8 @@ sign: * Reason: Otherwise we should have running hashes for SHA512 and SHA224 * in order to satisfy 'weird' needs from the server side. */ - if( ssl->handshake->ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + if( mbedtls_ssl_suite_get_mac( ssl->handshake->ciphersuite_info ) + == MBEDTLS_MD_SHA384 ) { md_alg = MBEDTLS_MD_SHA384; ssl->out_msg[4] = MBEDTLS_SSL_HASH_SHA384; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index 4fab4ed16..ec9201f8b 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -759,9 +759,8 @@ static int ssl_check_key_curve( mbedtls_pk_context *pk, * return 0 on success and -1 on failure. */ static int ssl_pick_cert( mbedtls_ssl_context *ssl, - const mbedtls_ssl_ciphersuite_t * ciphersuite_info, + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info, mbedtls_ecp_group_id const *acceptable_ec_grp_ids ) - { mbedtls_ssl_key_cert *cur, *list, *fallback = NULL; mbedtls_pk_type_t pk_alg = @@ -920,10 +919,10 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl, * Sets ciphersuite_info only if the suite matches. */ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, - const mbedtls_ssl_ciphersuite_t **ciphersuite_info, + mbedtls_ssl_ciphersuite_handle_t *ciphersuite_info, mbedtls_ecp_group_id const *acceptable_ec_grp_ids ) { - const mbedtls_ssl_ciphersuite_t *suite_info; + mbedtls_ssl_ciphersuite_handle_t suite_info; #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED) @@ -931,16 +930,17 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, #endif suite_info = mbedtls_ssl_ciphersuite_from_id( suite_id ); - if( suite_info == NULL ) + if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); } - MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) ); + MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", + mbedtls_ssl_suite_get_name( suite_info ) ) ); - if( suite_info->min_minor_ver > ssl->minor_ver || - suite_info->max_minor_ver < ssl->minor_ver ) + if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver || + mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) ); return( 0 ); @@ -948,13 +948,16 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, #if defined(MBEDTLS_SSL_PROTO_DTLS) if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) && - ( suite_info->flags & MBEDTLS_CIPHERSUITE_NODTLS ) ) + ( mbedtls_ssl_suite_get_flags( suite_info ) & + MBEDTLS_CIPHERSUITE_NODTLS ) ) + { return( 0 ); + } #endif #if defined(MBEDTLS_ARC4_C) if( ssl->conf->arc4_disabled == MBEDTLS_SSL_ARC4_DISABLED && - suite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) + mbedtls_ssl_suite_get_cipher( suite_info ) == MBEDTLS_CIPHER_ARC4_128 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) ); return( 0 ); @@ -962,7 +965,8 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id, #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + if( mbedtls_ssl_suite_get_key_exchange( suite_info ) == + MBEDTLS_KEY_EXCHANGE_ECJPAKE && ( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 ) { MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake " @@ -1044,7 +1048,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) unsigned int ciph_len, sess_len, chal_len; unsigned char *buf, *p; const int *ciphersuites; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); @@ -1235,7 +1239,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) got_common_suite = 0; ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; - ciphersuite_info = NULL; + ciphersuite_info = MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) for( i = 0; ciphersuites[i] != 0; i++ ) @@ -1258,7 +1262,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) return( ret ); } - if( ciphersuite_info != NULL ) + if( ciphersuite_info != MBEDTLS_SSL_CIPHERSUITE_INVALD_HANDLE ) goto have_ciphersuite_v2; } @@ -1275,7 +1279,8 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl ) } have_ciphersuite_v2: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", + mbedtls_ssl_suite_get_name( ciphersuite_info ) ) ); ssl->session_negotiate->ciphersuite = ciphersuites[i]; ssl->handshake->ciphersuite_info = ciphersuite_info; @@ -1323,7 +1328,7 @@ static int ssl_parse_client_hello( mbedtls_ssl_context *ssl ) #endif int handshake_failure = 0; const int *ciphersuites; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; int major, minor; #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ @@ -2129,7 +2134,7 @@ read_record_header: */ got_common_suite = 0; ciphersuites = ssl->conf->ciphersuite_list[ssl->minor_ver]; - ciphersuite_info = NULL; + ciphersuite_info = MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE; #if defined(MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE) for( j = 0, p = buf + ciph_offset + 2; j < ciph_len; j += 2, p += 2 ) for( i = 0; ciphersuites[i] != 0; i++ ) @@ -2151,7 +2156,7 @@ read_record_header: return( ret ); } - if( ciphersuite_info != NULL ) + if( ciphersuite_info != MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) goto have_ciphersuite; } @@ -2172,7 +2177,8 @@ read_record_header: } have_ciphersuite: - MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) ); + MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", + mbedtls_ssl_suite_get_name( ciphersuite_info ) ) ); ssl->session_negotiate->ciphersuite = ciphersuites[i]; ssl->handshake->ciphersuite_info = ciphersuite_info; @@ -2290,7 +2296,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, size_t *olen ) { unsigned char *p = buf; - const mbedtls_ssl_ciphersuite_t *suite = NULL; + mbedtls_ssl_ciphersuite_handle_t suite = + MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE; const mbedtls_cipher_info_t *cipher = NULL; if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED || @@ -2306,9 +2313,17 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl, * with Associated Data (AEAD) ciphersuite, it MUST NOT send an * encrypt-then-MAC response extension back to the client." */ - if( ( suite = mbedtls_ssl_ciphersuite_from_id( - ssl->session_negotiate->ciphersuite ) ) == NULL || - ( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL || + suite = mbedtls_ssl_ciphersuite_from_id( + ssl->session_negotiate->ciphersuite ); + if( suite == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) + { + *olen = 0; + return; + } + + cipher = mbedtls_cipher_info_from_type( + mbedtls_ssl_suite_get_cipher( suite ) ); + if( cipher == NULL || cipher->mode != MBEDTLS_MODE_CBC ) { *olen = 0; @@ -2491,7 +2506,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, *olen = 0; /* Skip costly computation if not needed */ - if( ssl->handshake->ciphersuite_info->key_exchange != + if( mbedtls_ssl_suite_get_key_exchange( ssl->handshake->ciphersuite_info ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) return; @@ -2884,7 +2899,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl ) #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) ); @@ -2903,7 +2918,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) static int ssl_write_certificate_request( mbedtls_ssl_context *ssl ) { int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; size_t dn_size, total_dn_size; /* excluding length bytes */ size_t ct_len, sa_len; /* including length bytes */ @@ -3134,7 +3149,7 @@ static int ssl_resume_server_key_exchange( mbedtls_ssl_context *ssl, static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, size_t *signature_len ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; #if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED) @@ -3160,7 +3175,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, * - ECJPAKE key exchanges */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { int ret; size_t len = 0; @@ -3188,8 +3204,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, **/ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { ssl->out_msg[ssl->out_msglen++] = 0x00; ssl->out_msg[ssl->out_msglen++] = 0x00; @@ -3353,7 +3369,8 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \ defined(MBEDTLS_SSL_PROTO_TLS1_1) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) { /* B: Default hash SHA1 */ md_alg = MBEDTLS_MD_SHA1; @@ -3495,7 +3512,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl ) int ret; size_t signature_len = 0; #if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED) - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; #endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */ @@ -3939,7 +3956,7 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) { int ret; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; unsigned char *p, *end; ciphersuite_info = ssl->handshake->ciphersuite_info; @@ -3949,8 +3966,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \ ( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) ) - if( ( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) && + if( ( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_RSA_PSK || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_RSA ) && ( ssl->handshake->async_in_progress != 0 ) ) { /* We've already read a record and there is an asynchronous @@ -3982,7 +3999,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_DHE_RSA ) { if( ( ret = ssl_parse_client_dh_public( ssl, &p, end ) ) != 0 ) { @@ -4015,10 +4033,14 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) + == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) { if( ( ret = mbedtls_ecdh_read_public( &ssl->handshake->ecdh_ctx, p, end - p) ) != 0 ) @@ -4050,7 +4072,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_PSK ) { if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) { @@ -4065,7 +4088,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); @@ -4074,7 +4097,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_RSA_PSK ) { #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) if ( ssl->handshake->async_in_progress != 0 ) @@ -4102,7 +4126,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); @@ -4111,7 +4135,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_DHE_PSK ) { if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) { @@ -4131,7 +4156,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) } if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); @@ -4140,7 +4165,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_ECDHE_PSK ) { if( ( ret = ssl_parse_client_psk_identity( ssl, &p, end ) ) != 0 ) { @@ -4159,7 +4185,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_DEBUG_ECDH_QP ); if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, - ciphersuite_info->key_exchange ) ) != 0 ) + mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); return( ret ); @@ -4168,7 +4194,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_RSA ) { if( ( ret = ssl_parse_encrypted_pms( ssl, p, end, 0 ) ) != 0 ) { @@ -4179,7 +4206,8 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); @@ -4222,7 +4250,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED) static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) ); @@ -4249,7 +4277,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl ) mbedtls_pk_type_t pk_alg; #endif mbedtls_md_type_t md_alg; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; mbedtls_pk_context *peer_pk = NULL; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 84c78c48e..c245145b7 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -801,7 +801,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, size_t mac_key_len; size_t iv_copy_len; unsigned keylen; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; const mbedtls_cipher_info_t *cipher_info; const mbedtls_md_info_t *md_info; @@ -823,26 +823,28 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, * Get various info structures */ ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuite ); - if( ciphersuite_info == NULL ) + if( ciphersuite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite info for %d not found", ciphersuite ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - cipher_info = mbedtls_cipher_info_from_type( ciphersuite_info->cipher ); + cipher_info = mbedtls_cipher_info_from_type( + mbedtls_ssl_suite_get_cipher( ciphersuite_info ) ); if( cipher_info == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "cipher info for %d not found", - ciphersuite_info->cipher ) ); + mbedtls_ssl_suite_get_cipher( ciphersuite_info ) ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } - md_info = mbedtls_md_info_from_type( ciphersuite_info->mac ); + md_info = mbedtls_md_info_from_type( + mbedtls_ssl_suite_get_mac( ciphersuite_info ) ); if( md_info == NULL ) { MBEDTLS_SSL_DEBUG_MSG( 1, ( "mbedtls_md info for %d not found", - ciphersuite_info->mac ) ); + mbedtls_ssl_suite_get_mac( ciphersuite_info ) ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -899,8 +901,8 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform, transform->maclen = 0; mac_key_len = 0; - transform->taglen = - ciphersuite_info->flags & MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; + transform->taglen = mbedtls_ssl_suite_get_flags( ciphersuite_info ) & + MBEDTLS_CIPHERSUITE_SHORT_TAG ? 8 : 16; /* All modes haves 96-bit IVs; * GCM and CCM has 4 implicit and 8 explicit bytes @@ -1338,15 +1340,15 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) { int ret; - const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) ); /* Set PRF, calc_verify and calc_finished function pointers */ ret = ssl_set_handshake_prfs( ssl->handshake, - ssl->minor_ver, - ciphersuite_info->mac ); + ssl->minor_ver, + mbedtls_ssl_suite_get_mac( ciphersuite_info ) ); if( ret != 0 ) { MBEDTLS_SSL_DEBUG_RET( 1, "ssl_set_handshake_prfs", ret ); @@ -6070,7 +6072,7 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session ) /* No certificate support -> dummy functions */ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); @@ -6087,7 +6089,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) ); @@ -6110,7 +6112,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl ) int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE; size_t i, n; const mbedtls_x509_crt *crt; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) ); @@ -6474,7 +6476,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl ) static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, int authmode ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info; if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) ) @@ -6483,8 +6485,11 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SRV_C) if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_SERVER ) { - if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == + MBEDTLS_KEY_EXCHANGE_RSA_PSK ) + { return( SSL_CERTIFICATE_SKIP ); + } if( authmode == MBEDTLS_SSL_VERIFY_NONE ) { @@ -6506,8 +6511,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl, void *rs_ctx ) { int verify_ret; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = - ssl->handshake->ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = mbedtls_x509_crt *ca_chain; mbedtls_x509_crl *ca_crl; @@ -6973,7 +6977,7 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl ) } void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, - const mbedtls_ssl_ciphersuite_t *ciphersuite_info ) + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info ) { ((void) ciphersuite_info); @@ -6985,12 +6989,12 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl, #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SHA512_C) - if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) + if( mbedtls_ssl_suite_get_mac( ciphersuite_info ) == MBEDTLS_MD_SHA384 ) ssl->handshake->update_checksum = ssl_update_checksum_sha384; else #endif #if defined(MBEDTLS_SHA256_C) - if( ciphersuite_info->mac != MBEDTLS_MD_SHA384 ) + if( mbedtls_ssl_suite_get_mac( ciphersuite_info ) != MBEDTLS_MD_SHA384 ) ssl->handshake->update_checksum = ssl_update_checksum_sha256; else #endif @@ -11242,7 +11246,7 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl, #if defined(MBEDTLS_X509_CRT_PARSE_C) int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, - const mbedtls_ssl_ciphersuite_t *ciphersuite, + mbedtls_ssl_ciphersuite_handle_t ciphersuite, int cert_endpoint, uint32_t *flags ) { @@ -11266,7 +11270,7 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, if( cert_endpoint == MBEDTLS_SSL_IS_SERVER ) { /* Server part of the key exchange */ - switch( ciphersuite->key_exchange ) + switch( mbedtls_ssl_suite_get_key_exchange( ciphersuite ) ) { case MBEDTLS_KEY_EXCHANGE_RSA: case MBEDTLS_KEY_EXCHANGE_RSA_PSK: diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index c63b44550..56641f54d 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -56,6 +56,7 @@ int main( void ) #include "mbedtls/net_sockets.h" #include "mbedtls/ssl.h" +#include "mbedtls/ssl_ciphersuites.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/certs.h" @@ -1296,19 +1297,19 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] > 0 ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] ); if( opt.max_version != -1 && - ciphersuite_info->min_minor_ver > opt.max_version ) + mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version ) { mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" ); ret = 2; goto usage; } if( opt.min_version != -1 && - ciphersuite_info->max_minor_ver < opt.min_version ) + mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version ) { mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" ); ret = 2; @@ -1318,13 +1319,13 @@ int main( int argc, char *argv[] ) /* If the server selects a version that's not supported by * this suite, then there will be no common ciphersuite... */ if( opt.max_version == -1 || - opt.max_version > ciphersuite_info->max_minor_ver ) + opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) ) { - opt.max_version = ciphersuite_info->max_minor_ver; + opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ); } - if( opt.min_version < ciphersuite_info->min_minor_ver ) + if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) ) { - opt.min_version = ciphersuite_info->min_minor_ver; + opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ); /* DTLS starts with TLS 1.1 */ if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 ) @@ -1332,7 +1333,7 @@ int main( int argc, char *argv[] ) } /* Enable RC4 if needed and not explicitly disabled */ - if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) + if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 ) { if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED ) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 876a7a06c..4312629c5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -55,6 +55,7 @@ int main( void ) #include "mbedtls/net_sockets.h" #include "mbedtls/ssl.h" +#include "mbedtls/ssl_ciphersuites.h" #include "mbedtls/entropy.h" #include "mbedtls/ctr_drbg.h" #include "mbedtls/certs.h" @@ -2018,19 +2019,19 @@ int main( int argc, char *argv[] ) if( opt.force_ciphersuite[0] > 0 ) { - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; + mbedtls_ssl_ciphersuite_handle_t ciphersuite_info; ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] ); if( opt.max_version != -1 && - ciphersuite_info->min_minor_ver > opt.max_version ) + mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version ) { mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" ); ret = 2; goto usage; } if( opt.min_version != -1 && - ciphersuite_info->max_minor_ver < opt.min_version ) + mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version ) { mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" ); ret = 2; @@ -2040,13 +2041,13 @@ int main( int argc, char *argv[] ) /* If we select a version that's not supported by * this suite, then there will be no common ciphersuite... */ if( opt.max_version == -1 || - opt.max_version > ciphersuite_info->max_minor_ver ) + opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) ) { - opt.max_version = ciphersuite_info->max_minor_ver; + opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ); } - if( opt.min_version < ciphersuite_info->min_minor_ver ) + if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) ) { - opt.min_version = ciphersuite_info->min_minor_ver; + opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ); /* DTLS starts with TLS 1.1 */ if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM && opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 ) @@ -2054,7 +2055,7 @@ int main( int argc, char *argv[] ) } /* Enable RC4 if needed and not explicitly disabled */ - if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 ) + if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 ) { if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED ) {