From 4f68b04018a35fe6aff4298565cdfc1f0c781809 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 22 Jul 2019 15:58:19 +0100
Subject: [PATCH] Restructure outgoing CliKeyExch: Remove old code The code from the previous function ssl_write_client_key_exchange() has been entirely moved to one of the newly introduced subroutines and is no longer needed. This commit removes it.
---
library/ssl_cli.c | 318 ----------------------------------------------
1 file changed, 318 deletions(-)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 38efd2376..ded93a666 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -3706,324 +3706,6 @@ static int ssl_client_key_exchange_postprocess( mbedtls_ssl_context *ssl )
 return( 0 );
 }
 
-/* OLD CODE
- *
- * Temporarily included to gradually move it to the correct
- * place in the restructured code.
- *
- */
-
-static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
-{
- int ret;
- size_t i, n;
- mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
- mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
-
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED)
- if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == MBEDTLS_KEY_EXCHANGE_DHE_RSA )
- {
- /*
- * DHM key exchange -- send G^X mod P
- */
-
- /* n = ssl->handshake->dhm_ctx.len; */
-
- /* ssl->out_msg[4] = (unsigned char)( n >> 8 ); */
- /* ssl->out_msg[5] = (unsigned char)( n ); */
- /* i = 6; */
-
- /* ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, */
- /* (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), */
- /* &ssl->out_msg[i], n, */
- /* mbedtls_ssl_conf_get_frng( ssl->conf ), */
- /* ssl->conf->p_rng ); */
- /* if( ret != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); */
- /* return( ret ); */
- /* } */
-
- /* MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: X ", &ssl->handshake->dhm_ctx.X ); */
- /* MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: GX", &ssl->handshake->dhm_ctx.GX ); */
-
- /* if( ( ret = mbedtls_dhm_calc_secret( &ssl->handshake->dhm_ctx, */
- /* ssl->handshake->premaster, */
- /* MBEDTLS_PREMASTER_SIZE, */
- /* &ssl->handshake->pmslen, */
- /* mbedtls_ssl_conf_get_frng( ssl->conf ), */
- /* ssl->conf->p_rng ) ) != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_calc_secret", ret ); */
- /* return( ret ); */
- /* } */
-
- /* MBEDTLS_SSL_DEBUG_MPI( 3, "DHM: K ", &ssl->handshake->dhm_ctx.K ); */
- }
- else
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
- defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
- if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
- == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA ||
- mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
- == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ||
- mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
- == MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
- mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
- == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
- {
- /*
- * ECDH key exchange -- send client public value
- */
-/* i = 4; */
-
-/* #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) */
-/* if( ssl->handshake->ecrs_enabled ) */
-/* { */
-/* if( ssl->handshake->ecrs_state == ssl_ecrs_cke_ecdh_calc_secret ) */
-/* goto ecdh_calc_secret; */
-
-/* mbedtls_ecdh_enable_restart( &ssl->handshake->ecdh_ctx ); */
-/* } */
-/* #endif */
-
-/* ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, */
-/* &n, */
-/* &ssl->out_msg[i], 1000, */
-/* mbedtls_ssl_conf_get_frng( ssl->conf ), */
-/* ssl->conf->p_rng ); */
-/* if( ret != 0 ) */
-/* { */
-/* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); */
-/* #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) */
-/* if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) */
-/* ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; */
-/* #endif */
-/* return( ret ); */
-/* } */
-
-/* MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, */
-/* MBEDTLS_DEBUG_ECDH_Q ); */
-
-/* #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) */
-/* if( ssl->handshake->ecrs_enabled ) */
-/* { */
-/* ssl->handshake->ecrs_n = n; */
-/* ssl->handshake->ecrs_state = ssl_ecrs_cke_ecdh_calc_secret; */
-/* } */
-
-/* ecdh_calc_secret: */
-/* if( ssl->handshake->ecrs_enabled ) */
-/* n = ssl->handshake->ecrs_n; */
-/* #endif */
-/* if( ( ret = mbedtls_ecdh_calc_secret( &ssl->handshake->ecdh_ctx, */
-/* &ssl->handshake->pmslen, */
-/* ssl->handshake->premaster, */
-/* MBEDTLS_MPI_MAX_SIZE, */
-/* mbedtls_ssl_conf_get_frng( ssl->conf ), */
-/* ssl->conf->p_rng ) ) != 0 ) */
-/* { */
-/* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_calc_secret", ret ); */
-/* #if defined(MBEDTLS_SSL__ECP_RESTARTABLE) */
-/* if( ret == MBEDTLS_ERR_ECP_IN_PROGRESS ) */
-/* ret = MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS; */
-/* #endif */
-/* return( ret ); */
-/* } */
-
-/* MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, */
-/* MBEDTLS_DEBUG_ECDH_Z ); */
- }
- else
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
- if( mbedtls_ssl_ciphersuite_uses_psk( ciphersuite_info ) )
- {
- /*
- * opaque psk_identity<0..2^16-1>;
- */
-
- /* if( ssl->conf->psk == NULL || ssl->conf->psk_identity == NULL ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_MSG( 1, ( "got no private key for PSK" ) ); */
- /* return( MBEDTLS_ERR_SSL_PRIVATE_KEY_REQUIRED ); */
- /* } */
-
- /* i = 4; */
- /* n = ssl->conf->psk_identity_len; */
-
- /* if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity too long or " */
- /* "SSL buffer too short" ) ); */
- /* return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); */
- /* } */
-
- /* ssl->out_msg[i++] = (unsigned char)( n >> 8 ); */
- /* ssl->out_msg[i++] = (unsigned char)( n ); */
-
- /* memcpy( ssl->out_msg + i, ssl->conf->psk_identity, ssl->conf->psk_identity_len ); */
- /* i += ssl->conf->psk_identity_len; */
-
-#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED)
- /* if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) */
- /* == MBEDTLS_KEY_EXCHANGE_PSK ) */
- /* { */
- /* n = 0; */
- /* } */
- /* else */
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
- /* if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) */
- /* == MBEDTLS_KEY_EXCHANGE_RSA_PSK ) */
- /* { */
- /* /\* Code for PMS generation has been moved, */
- /* * code for encryption and writing it hasn't. *\/ */
- /* if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 2 ) ) != 0 ) */
- /* return( ret ); */
- /* } */
- /* else */
-#endif
-#if defined(MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED)
- /* if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) */
- /* == MBEDTLS_KEY_EXCHANGE_DHE_PSK ) */
- /* { */
- /* /\* */
- /* * ClientDiffieHellmanPublic public (DHM send G^X mod P) */
- /* *\/ */
- /* n = ssl->handshake->dhm_ctx.len; */
-
- /* if( i + 2 + n > MBEDTLS_SSL_OUT_CONTENT_LEN ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_MSG( 1, ( "psk identity or DHM size too long" */
- /* " or SSL buffer too short" ) ); */
- /* return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL ); */
- /* } */
-
- /* ssl->out_msg[i++] = (unsigned char)( n >> 8 ); */
- /* ssl->out_msg[i++] = (unsigned char)( n ); */
-
- /* ret = mbedtls_dhm_make_public( &ssl->handshake->dhm_ctx, */
- /* (int) mbedtls_mpi_size( &ssl->handshake->dhm_ctx.P ), */
- /* &ssl->out_msg[i], n, */
- /* mbedtls_ssl_conf_get_frng( ssl->conf ), */
- /* ssl->conf->p_rng ); */
- /* if( ret != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_dhm_make_public", ret ); */
- /* return( ret ); */
- /* } */
- /* } */
- /* else */
-#endif /* MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED)
- if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )
- == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK )
- {
- /*
- * ClientECDiffieHellmanPublic public;
- */
-
- /* ret = mbedtls_ecdh_make_public( &ssl->handshake->ecdh_ctx, &n, */
- /* &ssl->out_msg[i], MBEDTLS_SSL_OUT_CONTENT_LEN - i, */
- /* mbedtls_ssl_conf_get_frng( ssl->conf ), */
- /* ssl->conf->p_rng ); */
- /* if( ret != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecdh_make_public", ret ); */
- /* return( ret ); */
- /* } */
-
- /* MBEDTLS_SSL_DEBUG_ECDH( 3, &ssl->handshake->ecdh_ctx, */
- /* MBEDTLS_DEBUG_ECDH_Q ); */
- }
- else
-#endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED */
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- /* if( ( ret = mbedtls_ssl_psk_derive_premaster( ssl, */
- /* mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ) ) != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_psk_derive_premaster", ret ); */
- /* return( ret ); */
- /* } */
- }
- else
-#endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED)
- /* if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == */
- /* MBEDTLS_KEY_EXCHANGE_RSA ) */
- /* { */
- /* i = 4; */
- /* /\* Code for PMS generation has been moved, */
- /* * code for encryption and writing it hasn't. *\/ */
- /* if( ( ret = ssl_write_encrypted_pms( ssl, i, &n, 0 ) ) != 0 ) */
- /* return( ret ); */
- /* } */
- else
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
- MBEDTLS_KEY_EXCHANGE_ECJPAKE )
- {
- /* i = 4; */
-
- /* ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, */
- /* ssl->out_msg + i, MBEDTLS_SSL_OUT_CONTENT_LEN - i, &n, */
- /* mbedtls_ssl_conf_get_frng( ssl->conf ), */
- /* ssl->conf->p_rng ); */
- /* if( ret != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_write_round_two", ret ); */
- /* return( ret ); */
- /* } */
-
- /* ret = mbedtls_ecjpake_derive_secret( &ssl->handshake->ecjpake_ctx, */
- /* ssl->handshake->premaster, 32, &ssl->handshake->pmslen, */
- /* mbedtls_ssl_conf_get_frng( ssl->conf ), */
- /* ssl->conf->p_rng ); */
- /* if( ret != 0 ) */
- /* { */
- /* MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); */
- /* return( ret ); */
- /* } */
- }
- else
-#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */
- {
- ((void) ciphersuite_info);
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- ssl->out_msglen = i + n;
- ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
- ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE;
-
- ssl->state++;
-
- if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_write_handshake_msg", ret );
- return( ret );
- }
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write client key exchange" ) );
-
- return( 0 );
-}
-
 #if !defined(MBEDTLS_KEY_EXCHANGE__CERT_REQ_ALLOWED__ENABLED)
 static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
 {