From fca604d355c46f6288bbf5e6ad846c27f558ef69 Mon Sep 17 00:00:00 2001
From: Hanno Becker
Date: Mon, 21 May 2018 09:12:05 +0100
Subject: [PATCH] Restructure SrvKeyExchange: Move static DH parameter extraction
This code moves the code-path that extracts static DH parameters from the server's CRT (if applicable) to the new function ssl_server_key_exchange_prepare().
---
 library/ssl_cli.c | 67 ++++++++++++++++++++++++++++++++---------------
 1 file changed, 46 insertions(+), 21 deletions(-)
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 0305a5865..bc5eb5f6a 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -2663,8 +2663,7 @@ static int ssl_process_server_key_exchange( mbedtls_ssl_context *ssl )
 ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE )
 {
 MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
- mbedtls_ssl_pend_alert_message( ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
+ mbedtls_ssl_pend_fatal_alert( ssl,
 MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE );
 ret = MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
 goto cleanup;
@@ -2696,7 +2695,33 @@ cleanup:
 static int ssl_server_key_exchange_prepare( mbedtls_ssl_context *ssl )
 {
- /* TBD */
+ const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
+ ssl->transform_negotiate->ciphersuite_info;
+ ((void) ciphersuite_info);
+
+ /* If applicable, extract static DH parameters from Server CRT. */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
+ defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
+ if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
+ MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
+ mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
+ {
+ int ret;
+
+ if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
+ mbedtls_ssl_pend_fatal_alert( ssl,
+ MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
+ return( ret );
+ }
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
+ MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
+
+ return( 0 );
 }
 static int ssl_server_key_exchange_coordinate( mbedtls_ssl_context *ssl )
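Review bot: The comment `/* If applicable, extract static DH parameters from Server CRT. */` says DH, but the only branch under it handles the ECDH_RSA and ECDH_ECDSA suites; I would write `/* For static ECDH suites, load the server's ECDH public key from its certificate. */`. The new function also has no header comment. Judging by the name ssl_get_ecdh_params_from_cert (its body is not in this patch) it reads key material from the peer's certificate, so the header should state that it may only run after the Certificate message has been processed and the chain verified. As a minor style point, `mbedtls_ssl_suite_get_key_exchange( ciphersuite_info )` is evaluated twice in the condition; a local holding the result would read more clearly.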
@@ -2746,25 +2771,25 @@ static int ssl_parse_server_key_exchange( mbedtls_ssl_context *ssl )
 #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
 defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
- if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
- MBEDTLS_KEY_EXCHANGE_ECDH_RSA ||
- mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) ==
- MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA )
- {
- if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret );
- mbedtls_ssl_pend_fatal_alert( ssl,
- MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE );
- return( ret );
- }
+/* if( mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == */
+/* MBEDTLS_KEY_EXCHANGE_ECDH_RSA || */
+/* mbedtls_ssl_suite_get_key_exchange( ciphersuite_info ) == */
+/* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA ) */
+/* { */
+/* if( ( ret = ssl_get_ecdh_params_from_cert( ssl ) ) != 0 ) */
+/* { */
+/* MBEDTLS_SSL_DEBUG_RET( 1, "ssl_get_ecdh_params_from_cert", ret ); */
+/* mbedtls_ssl_pend_fatal_alert( ssl, */
+/* MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); */
+/* return( ret ); */
+/* } */
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) );
- ssl->state++;
- return( 0 );
- }
- ((void) p);
- ((void) end);
+/* MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse server key exchange" ) ); */
+/* ssl->state++; */
+/* return( 0 ); */
+/* } */
+/* ((void) p); */
+/* ((void) end); */
 #endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED ||
 MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */
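Review bot: The old block is left behind as eighteen lines of `/* ... */` comments inside the `#if`/`#endif`; it should be deleted outright, together with the now-empty preprocessor guard. Two behaviours disappear with it and are not visibly replaced in this patch: the early `return( 0 )` with `ssl->state++` that skipped parsing for static ECDH suites, and the `((void) p); ((void) end);` casts. Please confirm that ssl_server_key_exchange_coordinate() (body not shown here) keeps ECDH_RSA/ECDH_ECDSA handshakes from reaching this parser, so that a ServerKeyExchange message received for a static-ECDH suite is rejected rather than parsed, and that builds enabling only those two key exchanges do not warn about unused `p`/`end`. ssl_parse_server_key_exchange starts and ends outside the hunk.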