mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-02-25 13:26:55 +00:00
Remove ciphersuite from handshake params if single suite hardcoded
If MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled, the type mbedtls_ssl_ciphersuite_handle_t is logically a boolean (concretely realized as `unsigned char`), containing the invalid handle and the unique valid handle, which represents the single enabled ciphersuite. The SSL handshake structure mbedtls_ssl_handshake_params contains an instance of mbedtls_ssl_ciphersuite_handle_t which is guaranteed to be valid, and which is hence redundant in any two-valued implementation of mbedtls_ssl_ciphersuite_handle_t. This commit replaces read-uses of mbedtls_ssl_handshake_params::ciphersuite_info by a getter functions which, and defines this getter function either by just reading the field from the handshake structure (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is disabled), or by returning the single valid ciphersuite handle (in case MBEDTLS_SSL_SINGLE_CIPHERSUITE is enabled) and removing the field from mbedtls_ssl_handshake_params in this case.
This commit is contained in:
Hanno Becker
parent
2d46b4f2a1
commit
df64596733
|
|
@ -501,7 +501,9 @@ struct mbedtls_ssl_handshake_params
|
|||
const unsigned char *, size_t,
|
||||
unsigned char *, size_t);
|
||||
|
||||
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
#endif /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||
|
||||
size_t pmslen; /*!< premaster length */
|
||||
|
||||
|
|
@ -556,6 +558,21 @@ static inline int mbedtls_ssl_hs_get_extended_ms(
|
|||
}
|
||||
#endif /* MBEDTLS_SSL_EXTENDED_MASTER_SECRET */
|
||||
|
||||
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||
static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_handshake_get_ciphersuite(
|
||||
mbedtls_ssl_handshake_params const *handshake )
|
||||
{
|
||||
return( handshake->ciphersuite_info );
|
||||
}
|
||||
#else /* !MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||
static inline mbedtls_ssl_ciphersuite_handle_t mbedtls_ssl_handshake_get_ciphersuite(
|
||||
mbedtls_ssl_handshake_params const *handshake )
|
||||
{
|
||||
((void) handshake);
|
||||
return( MBEDTLS_SSL_CIPHERSUITE_UNIQUE_VALID_HANDLE );
|
||||
}
|
||||
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||
|
||||
typedef struct mbedtls_ssl_hs_buffer mbedtls_ssl_hs_buffer;
|
||||
|
||||
/*
|
||||
|
|
|
|||
|
|
@ -1452,7 +1452,8 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
|
|||
int ret;
|
||||
|
||||
if( mbedtls_ssl_suite_get_key_exchange(
|
||||
ssl->handshake->ciphersuite_info ) != MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
|
||||
!= MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
|
||||
return( 0 );
|
||||
|
|
@ -2595,7 +2596,7 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
int ret;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
unsigned char *p = NULL, *end = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
|
||||
|
|
@ -2981,7 +2982,7 @@ exit:
|
|||
static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
|
||||
|
||||
|
|
@ -3003,7 +3004,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
|||
size_t n = 0;
|
||||
size_t cert_type_len = 0, dn_len = 0;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
|
||||
|
||||
|
|
@ -3204,7 +3205,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
int ret;
|
||||
size_t i, n;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write client key exchange" ) );
|
||||
|
||||
|
|
@ -3507,7 +3508,7 @@ ecdh_calc_secret:
|
|||
static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
int ret;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate verify" ) );
|
||||
|
|
@ -3533,7 +3534,7 @@ static int ssl_write_certificate_verify( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
size_t n = 0, offset = 0;
|
||||
unsigned char hash[48];
|
||||
unsigned char *hash_start = hash;
|
||||
|
|
@ -3638,7 +3639,8 @@ sign:
|
|||
* Reason: Otherwise we should have running hashes for SHA512 and SHA224
|
||||
* in order to satisfy 'weird' needs from the server side.
|
||||
*/
|
||||
if( mbedtls_ssl_suite_get_mac( ssl->handshake->ciphersuite_info )
|
||||
if( mbedtls_ssl_suite_get_mac(
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) )
|
||||
== MBEDTLS_MD_SHA384 )
|
||||
{
|
||||
md_alg = MBEDTLS_MD_SHA384;
|
||||
|
|
|
|||
|
|
@ -1291,7 +1291,9 @@ have_ciphersuite_v2:
|
|||
|
||||
ssl->session_negotiate->ciphersuite =
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
||||
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||
#endif
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
|
||||
mbedtls_ssl_get_ciphersuite_name(
|
||||
|
|
@ -2212,7 +2214,9 @@ have_ciphersuite:
|
|||
|
||||
ssl->session_negotiate->ciphersuite =
|
||||
mbedtls_ssl_suite_get_id( ciphersuite_info );
|
||||
#if !defined(MBEDTLS_SSL_SINGLE_CIPHERSUITE)
|
||||
ssl->handshake->ciphersuite_info = ciphersuite_info;
|
||||
#endif /* MBEDTLS_SSL_SINGLE_CIPHERSUITE */
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s",
|
||||
mbedtls_ssl_get_ciphersuite_name(
|
||||
|
|
@ -2542,9 +2546,12 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl,
|
|||
*olen = 0;
|
||||
|
||||
/* Skip costly computation if not needed */
|
||||
if( mbedtls_ssl_suite_get_key_exchange( ssl->handshake->ciphersuite_info ) !=
|
||||
if( mbedtls_ssl_suite_get_key_exchange(
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) ) !=
|
||||
MBEDTLS_KEY_EXCHANGE_ECJPAKE )
|
||||
{
|
||||
return;
|
||||
}
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, ecjpake kkpp extension" ) );
|
||||
|
||||
|
|
@ -2936,7 +2943,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||
static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate request" ) );
|
||||
|
||||
|
|
@ -2955,7 +2962,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
size_t dn_size, total_dn_size; /* excluding length bytes */
|
||||
size_t ct_len, sa_len; /* including length bytes */
|
||||
unsigned char *buf, *p;
|
||||
|
|
@ -3186,7 +3193,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||
size_t *signature_len )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_PFS__ENABLED)
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__WITH_SERVER_SIGNATURE__ENABLED)
|
||||
|
|
@ -3549,7 +3556,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
|
|||
size_t signature_len = 0;
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED)
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
#endif /* MBEDTLS_KEY_EXCHANGE__SOME_NON_PFS__ENABLED */
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write server key exchange" ) );
|
||||
|
|
@ -3992,11 +3999,10 @@ static int ssl_parse_client_psk_identity( mbedtls_ssl_context *ssl, unsigned cha
|
|||
static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
int ret;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
unsigned char *p, *end;
|
||||
|
||||
ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse client key exchange" ) );
|
||||
|
||||
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE) && \
|
||||
|
|
@ -4287,7 +4293,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
||||
|
||||
|
|
@ -4314,7 +4320,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
|||
#endif
|
||||
mbedtls_md_type_t md_alg;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
mbedtls_pk_context *peer_pk = NULL;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate verify" ) );
|
||||
|
|
|
|||
|
|
@ -1341,7 +1341,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
{
|
||||
int ret;
|
||||
mbedtls_ssl_ciphersuite_handle_t const ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> derive keys" ) );
|
||||
|
||||
|
|
@ -6072,7 +6072,8 @@ static void ssl_clear_peer_cert( mbedtls_ssl_session *session )
|
|||
/* No certificate support -> dummy functions */
|
||||
int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||
|
||||
|
|
@ -6089,7 +6090,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||
|
||||
int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> parse certificate" ) );
|
||||
|
||||
|
|
@ -6112,7 +6114,8 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||
int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
|
||||
size_t i, n;
|
||||
const mbedtls_x509_crt *crt;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info = ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write certificate" ) );
|
||||
|
||||
|
|
@ -6477,7 +6480,7 @@ static int ssl_parse_certificate_coordinate( mbedtls_ssl_context *ssl,
|
|||
int authmode )
|
||||
{
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
ssl->handshake->ciphersuite_info;
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
|
||||
if( !mbedtls_ssl_ciphersuite_uses_srv_cert( ciphersuite_info ) )
|
||||
return( SSL_CERTIFICATE_SKIP );
|
||||
|
|
@ -6512,6 +6515,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl,
|
|||
{
|
||||
int verify_ret;
|
||||
mbedtls_ssl_ciphersuite_handle_t ciphersuite_info =
|
||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake );
|
||||
mbedtls_x509_crt *ca_chain;
|
||||
mbedtls_x509_crl *ca_crl;
|
||||
|
||||
|
|
|
|||
Loading…
Reference in a new issue