From 63282b43210291931dc14341c94e198a54079c4d Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Tue, 11 Jan 2022 15:43:53 +0800 Subject: [PATCH] Refactor write supported group Signed-off-by: Jerry Yu --- library/ssl_tls.c | 76 +++++++++++++++++------------------------------ 1 file changed, 28 insertions(+), 48 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bb533c957a..6ca63ccb08 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -7208,36 +7208,26 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl, * struct { * NamedGroup named_group_list<2..2^16-1>; * } NamedGroupList; + * From RFC8422: + * enum { + * deprecated(1..22), + * secp256r1 (23), secp384r1 (24), secp521r1 (25), + * x25519(29), x448(30), + * reserved (0xFE00..0xFEFF), + * deprecated(0xFF01..0xFF02), + * (0xFFFF) + * } NamedCurve; + * struct { + * NamedCurve named_curve_list<2..2^16-1> + * } NamedCurveList; + * + * RFC8422 and RFC8446 share simillar structure and same extension id. The function + * only check if the curve/group is supported by library. It does not need check + * the IANA values. ECP module should check if the group/curve is deprecated or + * supported. + * + * DHE groups hasn't been supported yet. */ - -#define SSL_GROUP_IS_UNSUPPORTED 0 -#define SSL_GROUP_IS_ECDHE 1 -#define SSL_GROUP_IS_DHE 2 -static int ssl_check_group_type( const mbedtls_ssl_config *conf, - const uint16_t group ) -{ -#if defined(MBEDTLS_ECP_C) -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if( mbedtls_ssl_conf_is_tls12_only( conf ) - && mbedtls_ssl_named_group_is_ecdhe( group ) ) - return( SSL_GROUP_IS_ECDHE ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if( mbedtls_ssl_conf_is_tls13_only( conf ) - && mbedtls_ssl_tls13_named_group_is_ecdhe( group ) ) - return( SSL_GROUP_IS_ECDHE ); -#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#else - ((void) conf); -#endif /* MBEDTLS_ECDH_C */ - - if( mbedtls_ssl_tls13_named_group_is_dhe( group ) ) - return( SSL_GROUP_IS_DHE ); - - return( SSL_GROUP_IS_UNSUPPORTED ); -} - int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, @@ -7272,31 +7262,21 @@ int mbedtls_ssl_write_supported_groups_ext( mbedtls_ssl_context *ssl, for ( ; *group_list != 0; group_list++ ) { MBEDTLS_SSL_DEBUG_MSG( 1, ("got supported group(%04x)",*group_list)); - int group_type = ssl_check_group_type( ssl->conf, *group_list ); - if( group_type == SSL_GROUP_IS_UNSUPPORTED ) - continue; - MBEDTLS_SSL_DEBUG_MSG( 1, ("add supported group(%04x)",*group_list)); + #if defined(MBEDTLS_ECP_C) - if( group_type == SSL_GROUP_IS_ECDHE ) + const mbedtls_ecp_curve_info *curve_info; + curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); + if( curve_info != NULL ) { - const mbedtls_ecp_curve_info *curve_info; - curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list ); - if( curve_info == NULL ) - continue; + MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); + MBEDTLS_PUT_UINT16_BE( *group_list, p, 0 ); + p += 2; MBEDTLS_SSL_DEBUG_MSG( 3, ( "NamedGroup: %s ( %x )", curve_info->name, *group_list ) ); - } -#endif /* MBEDTLS_ECDH_C */ - - if( group_type == SSL_GROUP_IS_DHE ) - { - /* Implement DHE group here. */ continue; } - - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - MBEDTLS_PUT_UINT16_BE( *group_list, p, 0 ); - p += 2; +#endif /* MBEDTLS_ECP_C */ + /* Add DHE groups here */ }