mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-02-05 00:40:09 +00:00
Add client support for ECDHE_ECDSA key exchange
This commit is contained in:
Manuel Pégourié-Gonnard
parent
efebb0a394
commit
20846b1a50
@ -1083,7 +1083,8 @@ static int ssl_parse_server_dh_params( ssl_context *ssl, unsigned char **p,
|
|||||||
}
|
}
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
static int ssl_parse_server_ecdh_params( ssl_context *ssl,
|
static int ssl_parse_server_ecdh_params( ssl_context *ssl,
|
||||||
unsigned char **p,
|
unsigned char **p,
|
||||||
unsigned char *end )
|
unsigned char *end )
|
||||||
@ -1116,7 +1117,8 @@ static int ssl_parse_server_ecdh_params( ssl_context *ssl,
|
|||||||
|
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED) || \
|
||||||
defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
defined(POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED)
|
||||||
@ -1153,7 +1155,8 @@ static int ssl_parse_server_psk_hint( ssl_context *ssl,
|
|||||||
POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
|
||||||
|
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
static int ssl_parse_signature_algorithm( ssl_context *ssl,
|
static int ssl_parse_signature_algorithm( ssl_context *ssl,
|
||||||
unsigned char **p,
|
unsigned char **p,
|
||||||
unsigned char *end,
|
unsigned char *end,
|
||||||
@ -1256,7 +1259,8 @@ static int ssl_parse_signature_algorithm( ssl_context *ssl,
|
|||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
||||||
POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
|
POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||||
|
|
||||||
static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
||||||
{
|
{
|
||||||
@ -1264,7 +1268,8 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
|||||||
const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
|
const ssl_ciphersuite_t *ciphersuite_info = ssl->transform_negotiate->ciphersuite_info;
|
||||||
unsigned char *p, *end;
|
unsigned char *p, *end;
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
size_t sig_len, params_len;
|
size_t sig_len, params_len;
|
||||||
unsigned char hash[64];
|
unsigned char hash[64];
|
||||||
md_type_t md_alg = POLARSSL_MD_NONE;
|
md_type_t md_alg = POLARSSL_MD_NONE;
|
||||||
@ -1276,6 +1281,7 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
|||||||
|
|
||||||
if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
|
if( ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_RSA &&
|
||||||
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
|
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_RSA &&
|
||||||
|
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||||
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_PSK &&
|
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_PSK &&
|
||||||
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
|
ciphersuite_info->key_exchange != POLARSSL_KEY_EXCHANGE_DHE_PSK )
|
||||||
{
|
{
|
||||||
@ -1324,8 +1330,10 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
|
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
|
||||||
|
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||||
{
|
{
|
||||||
if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
|
if( ssl_parse_server_ecdh_params( ssl, &p, end ) != 0 )
|
||||||
{
|
{
|
||||||
@ -1334,7 +1342,8 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
|
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
|
||||||
{
|
{
|
||||||
@ -1367,9 +1376,11 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
|
||||||
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
|
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
|
||||||
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
|
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
|
||||||
|
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||||
{
|
{
|
||||||
params_len = p - ( ssl->in_msg + 4 );
|
params_len = p - ( ssl->in_msg + 4 );
|
||||||
|
|
||||||
@ -1452,30 +1463,23 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
|
|||||||
/*
|
/*
|
||||||
* Verify signature
|
* Verify signature
|
||||||
*/
|
*/
|
||||||
if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
|
if( pk_alg != POLARSSL_PK_NONE &&
|
||||||
POLARSSL_PK_RSA ) )
|
! pk_can_do( &ssl->session_negotiate->peer_cert->pk, pk_alg ) )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
|
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
|
||||||
return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
|
return( POLARSSL_ERR_SSL_PK_TYPE_MISMATCH );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( 8 * sig_len !=
|
if( ( ret = pk_verify( &ssl->session_negotiate->peer_cert->pk,
|
||||||
pk_get_size( &ssl->session_negotiate->peer_cert->pk ) )
|
md_alg, hash, hashlen, p, sig_len ) ) != 0 )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "bad server key exchange message" ) );
|
SSL_DEBUG_RET( 1, "pk_verify", ret );
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
|
|
||||||
}
|
|
||||||
|
|
||||||
if( ( ret = rsa_pkcs1_verify(
|
|
||||||
pk_rsa( ssl->session_negotiate->peer_cert->pk ),
|
|
||||||
RSA_PUBLIC, md_alg, hashlen, hash, p ) ) != 0 )
|
|
||||||
{
|
|
||||||
SSL_DEBUG_RET( 1, "rsa_pkcs1_verify", ret );
|
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
|
||||||
POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
|
POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||||
|
|
||||||
exit:
|
exit:
|
||||||
ssl->state++;
|
ssl->state++;
|
||||||
@ -1687,8 +1691,10 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED */
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
|
||||||
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
|
defined(POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
|
||||||
|
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA ||
|
||||||
|
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* ECDH key exchange -- send client public value
|
* ECDH key exchange -- send client public value
|
||||||
@ -1719,7 +1725,8 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
|
|||||||
SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
|
SSL_DEBUG_MPI( 3, "ECDH: z", &ssl->handshake->ecdh_ctx.z );
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
|
#endif /* POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
|
||||||
|
POLARSSL_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
|
||||||
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
#if defined(POLARSSL_KEY_EXCHANGE_PSK_ENABLED)
|
||||||
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
|
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_PSK )
|
||||||
{
|
{
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user