mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-25 09:02:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ssl_client.c: Extend and export ciphersuite validation function

Browse Source 
Extend and export ciphersuite validation function
to be able to use it in TLS 1.2/3 specific code.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2022-03-30 13:57:40 +02:00
parent f735cf1f0f
commit 757a2abfe2
2 changed files with 30 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
library/ssl_client.c
View File

@ -416,32 +416,27 @@ static int ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
/* Write cipher_suites /* Write cipher_suites
* CipherSuite cipher_suites<2..2^16-2>; * CipherSuite cipher_suites<2..2^16-2>;
*/ */
/** int mbedtls_ssl_validate_ciphersuite(
* \brief Validate cipher suite against config in SSL context.
*
* \param ssl SSL context
* \param suite_info Cipher suite to validate
*
* \return 0 if valid, else 1
*/
static int ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl, const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info ) const mbedtls_ssl_ciphersuite_t *suite_info,
int min_minor_ver, int max_minor_ver )
{ {
if( suite_info == NULL ) if( suite_info == NULL )
return( 1 ); return( -1 );
if( ( suite_info->min_minor_ver > ssl->minor_ver ) || if( ( suite_info->min_minor_ver > max_minor_ver ) ||
( suite_info->max_minor_ver < ssl->handshake->min_minor_ver ) ) ( suite_info->max_minor_ver < min_minor_ver ) )
{ {
return( 1 ); return( -1 );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
return( 1 ); {
return( -1 );
}
#endif #endif
/* Don't suggest PSK-based ciphersuite if no PSK is available. */ /* Don't suggest PSK-based ciphersuite if no PSK is available. */
@ -449,7 +444,7 @@ static int ssl_validate_ciphersuite(
if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 ) mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
{ {
return( 1 ); return( -1 );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
@ -495,7 +490,9 @@ static int ssl_write_client_hello_cipher_suites(
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite ); ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
if( ssl_validate_ciphersuite( ssl, ciphersuite_info ) ) if( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
ssl->handshake->min_minor_ver,
ssl->minor_ver ) != 0 )
continue; continue;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \

15
library/ssl_client.h
View File

@ -28,6 +28,21 @@
#include <stddef.h> #include <stddef.h>
/**
* \brief Validate cipher suite against config in SSL context.
*
* \param ssl SSL context
* \param suite_info Cipher suite to validate
* \param min_minor_ver Minimal minor version to accept a cipher suite
* \param max_minor_ver Maximal minor version to accept a cipher suite
*
* \return 0 if valid, negative value otherwise.
*/
int mbedtls_ssl_validate_ciphersuite(
const mbedtls_ssl_context *ssl,
const mbedtls_ssl_ciphersuite_t *suite_info,
int min_minor_ver, int max_minor_ver );
int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ); int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_CLIENT_H */ #endif /* MBEDTLS_SSL_CLIENT_H */