From a4a9c696c12194686aba587fa9980bf7c64df7a2 Mon Sep 17 00:00:00 2001 From: Hanno Becker Date: Tue, 18 Jun 2019 16:55:47 +0100 Subject: [PATCH] Introduce helper macro for traversal of supported EC TLS IDs --- include/mbedtls/ssl_internal.h | 29 +++++++++++++++++++++ library/ssl_cli.c | 46 +++++++++++++++------------------- library/ssl_srv.c | 21 +++++----------- library/ssl_tls.c | 9 +++---- 4 files changed, 59 insertions(+), 46 deletions(-) diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h index c411715d6..f7ae62584 100644 --- a/include/mbedtls/ssl_internal.h +++ b/include/mbedtls/ssl_internal.h @@ -1484,4 +1484,33 @@ static inline unsigned int mbedtls_ssl_conf_get_ems_enforced( #endif /* MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE */ +#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( TLS_ID_VAR ) \ + { \ + mbedtls_ecp_group_id const *__gid; \ + mbedtls_ecp_curve_info const *__info; \ + for( __gid = ssl->conf->curve_list; \ + *__gid != MBEDTLS_ECP_DP_NONE; __gid++ ) \ + { \ + uint16_t TLS_ID_VAR; \ + __info = mbedtls_ecp_curve_info_from_grp_id( *__gid ); \ + if( __info == NULL ) \ + continue; \ + TLS_ID_VAR = __info->tls_id; + +#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID \ + } \ + } + +#define MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( EC_ID_VAR ) \ + { \ + mbedtls_ecp_group_id const *__gid; \ + for( __gid = ssl->conf->curve_list; \ + *__gid != MBEDTLS_ECP_DP_NONE; __gid++ ) \ + { \ + mbedtls_ecp_group_id EC_ID_VAR = *__gid; \ + +#define MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID \ + } \ + } + #endif /* ssl_internal.h */ diff --git a/library/ssl_cli.c b/library/ssl_cli.c index d226e6532..e7e0d46bc 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -251,6 +251,18 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +static size_t ssl_get_ec_curve_list_length( mbedtls_ssl_context *ssl ) +{ + size_t ec_list_len = 0; + + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id ) + ((void) tls_id); + ec_list_len++; + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID + + return( ec_list_len ); +} + static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) @@ -259,28 +271,15 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; unsigned char *elliptic_curve_list = p + 6; size_t elliptic_curve_len = 0; - const mbedtls_ecp_curve_info *info; -#if defined(MBEDTLS_ECP_C) - const mbedtls_ecp_group_id *grp_id; -#else - ((void) ssl); -#endif *olen = 0; MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); - for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) - { - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - if( info == NULL ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid curve in ssl configuration" ) ); - return; - } - - elliptic_curve_len += 2; - } + /* Each elliptic curve is encoded in 2 bytes. */ + elliptic_curve_len = 2 * ssl_get_ec_curve_list_length( ssl ); + if( elliptic_curve_len == 0 ) + return; if( end < p || (size_t)( end - p ) < 6 + elliptic_curve_len ) { @@ -290,15 +289,10 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl, elliptic_curve_len = 0; - for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) - { - info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); - elliptic_curve_list[elliptic_curve_len++] = info->tls_id >> 8; - elliptic_curve_list[elliptic_curve_len++] = info->tls_id & 0xFF; - } - - if( elliptic_curve_len == 0 ) - return; + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( tls_id ) + elliptic_curve_list[elliptic_curve_len++] = tls_id >> 8; + elliptic_curve_list[elliptic_curve_len++] = tls_id & 0xFF; + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES >> 8 ) & 0xFF ); *p++ = (unsigned char)( ( MBEDTLS_TLS_EXT_SUPPORTED_ELLIPTIC_CURVES ) & 0xFF ); diff --git a/library/ssl_srv.c b/library/ssl_srv.c index d1970c371..39ce3741a 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -309,24 +309,15 @@ static int ssl_parse_supported_elliptic_curves( mbedtls_ssl_context *ssl, while( list_size > 0 ) { - uint16_t const tls_id = ( p[0] << 8 ) | p[1]; - mbedtls_ecp_curve_info const * const info = - mbedtls_ecp_curve_info_from_tls_id( tls_id ); + uint16_t const peer_tls_id = ( p[0] << 8 ) | p[1]; - if( info != NULL ) + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_TLS_ID( own_tls_id ) + if( own_tls_id == peer_tls_id && + ssl->handshake->curve_tls_id == 0 ) { - mbedtls_ecp_group_id const *gid; - /* Remember the first curve that we also support. */ - for( gid = ssl->conf->curve_list; - *gid != MBEDTLS_ECP_DP_NONE; gid++ ) - { - if( info->grp_id != *gid ) - continue; - - if( ssl->handshake->curve_tls_id == 0 ) - ssl->handshake->curve_tls_id = tls_id; - } + ssl->handshake->curve_tls_id = own_tls_id; } + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_TLS_ID list_size -= 2; p += 2; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 2a2d3219e..633fb4b42 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -11241,14 +11241,13 @@ unsigned char mbedtls_ssl_hash_from_md_alg( int md ) */ int mbedtls_ssl_check_curve( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ) { - const mbedtls_ecp_group_id *gid; - if( ssl->conf->curve_list == NULL ) return( -1 ); - for( gid = ssl->conf->curve_list; *gid != MBEDTLS_ECP_DP_NONE; gid++ ) - if( *gid == grp_id ) - return( 0 ); + MBEDTLS_SSL_BEGIN_FOR_EACH_SUPPORTED_EC_GRP_ID( own_ec_id ) + if( own_ec_id == grp_id ) + return( 0 ); + MBEDTLS_SSL_END_FOR_EACH_SUPPORTED_EC_GRP_ID return( -1 ); }