From 75d40ef8cb241e312df1a4ee455ded6ed5105e2b Mon Sep 17 00:00:00 2001 From: XiaokangQian Date: Wed, 20 Apr 2022 11:05:24 +0000 Subject: [PATCH] Refine code base on review Remove useless hrr code Share validate_cipher_suit between client and server Fix test failure when tls13 only in server side Change-Id: I5d6a7932bd8448ebf542bc86cdcab8862bc28e9b Signed-off-by: XiaokangQian --- include/mbedtls/ssl.h | 16 +++++++++++++++ library/ssl_client.c | 39 ----------------------------------- library/ssl_client.h | 16 --------------- library/ssl_misc.h | 2 ++ library/ssl_tls.c | 42 ++++++++++++++++++++++++++++++++++++++ library/ssl_tls13_server.c | 11 +++------- 6 files changed, 63 insertions(+), 63 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 16939565fe..15e11db15e 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -4936,6 +4936,22 @@ int mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf, const unsigned char *random, size_t rlen, unsigned char *dstbuf, size_t dlen ); +/** + * \brief Validate cipher suite against config in SSL context. + * + * \param ssl SSL context + * \param suite_info Cipher suite to validate + * \param min_tls_version Minimal TLS version to accept a cipher suite + * \param max_tls_version Maximal TLS version to accept a cipher suite + * + * \return 0 if valid, negative value otherwise. + */ +int mbedtls_ssl_validate_ciphersuite( + const mbedtls_ssl_context *ssl, + const mbedtls_ssl_ciphersuite_t *suite_info, + mbedtls_ssl_protocol_version min_tls_version, + mbedtls_ssl_protocol_version max_tls_version ); + #ifdef __cplusplus } #endif diff --git a/library/ssl_client.c b/library/ssl_client.c index f5b8be485c..79c5d9fbeb 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -413,45 +413,6 @@ static int ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf, } #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ -int mbedtls_ssl_validate_ciphersuite( - const mbedtls_ssl_context *ssl, - const mbedtls_ssl_ciphersuite_t *suite_info, - mbedtls_ssl_protocol_version min_tls_version, - mbedtls_ssl_protocol_version max_tls_version ) -{ - (void) ssl; - - if( suite_info == NULL ) - return( -1 ); - - if( ( suite_info->min_tls_version > max_tls_version ) || - ( suite_info->max_tls_version < min_tls_version ) ) - { - return( -1 ); - } - -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) - if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && - mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) - { - return( -1 ); - } -#endif - - /* Don't suggest PSK-based ciphersuite if no PSK is available. */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) - if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && - mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 ) - { - return( -1 ); - } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - - return( 0 ); -} - static int ssl_write_client_hello_cipher_suites( mbedtls_ssl_context *ssl, unsigned char *buf, diff --git a/library/ssl_client.h b/library/ssl_client.h index 67fc5583f7..8e0c21634b 100644 --- a/library/ssl_client.h +++ b/library/ssl_client.h @@ -28,22 +28,6 @@ #include -/** - * \brief Validate cipher suite against config in SSL context. - * - * \param ssl SSL context - * \param suite_info Cipher suite to validate - * \param min_tls_version Minimal TLS version to accept a cipher suite - * \param max_tls_version Maximal TLS version to accept a cipher suite - * - * \return 0 if valid, negative value otherwise. - */ -int mbedtls_ssl_validate_ciphersuite( - const mbedtls_ssl_context *ssl, - const mbedtls_ssl_ciphersuite_t *suite_info, - mbedtls_ssl_protocol_version min_tls_version, - mbedtls_ssl_protocol_version max_tls_version ); - int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl ); #endif /* MBEDTLS_SSL_CLIENT_H */ diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 025732e03d..d2760826d1 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -589,6 +589,8 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_SSL_SRV_C) /** selected_group of key_share extension in HelloRetryRequest message. */ uint16_t hrr_selected_group; + /** selected_group of key_share extension in ClientHello message. */ + uint16_t selected_group; #endif /* MBEDTLS_SSL_SRV_C */ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 11140569d6..d8d79d7998 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -4216,6 +4216,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf, #if defined(MBEDTLS_SSL_PROTO_TLS1_2) conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2; +#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) + conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; + conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3; #else return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); #endif @@ -7771,4 +7774,43 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session, } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ +int mbedtls_ssl_validate_ciphersuite( + const mbedtls_ssl_context *ssl, + const mbedtls_ssl_ciphersuite_t *suite_info, + mbedtls_ssl_protocol_version min_tls_version, + mbedtls_ssl_protocol_version max_tls_version ) +{ + (void) ssl; + + if( suite_info == NULL ) + return( -1 ); + + if( ( suite_info->min_tls_version > max_tls_version ) || + ( suite_info->max_tls_version < min_tls_version ) ) + { + return( -1 ); + } + +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) + { + return( -1 ); + } +#endif + + /* Don't suggest PSK-based ciphersuite if no PSK is available. */ +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) + if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) && + mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 ) + { + return( -1 ); + } +#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ +#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ + + return( 0 ); +} + #endif /* MBEDTLS_SSL_TLS_C */ diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 447bc0e3dc..a8e523a774 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -24,7 +24,6 @@ #include "mbedtls/debug.h" #include "ssl_misc.h" -#include "ssl_client.h" #include "ssl_tls13_keys.h" #include "ssl_debug_helpers.h" #include @@ -116,7 +115,7 @@ static int ssl_tls13_parse_supported_groups_ext( p += 2; MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len ); named_group_list_end = p + named_group_list_len; - ssl->handshake->hrr_selected_group = 0; + ssl->handshake->selected_group = 0; while( p < named_group_list_end ) { @@ -129,7 +128,7 @@ static int ssl_tls13_parse_supported_groups_ext( if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) || ! mbedtls_ssl_named_group_is_supported( named_group ) || - ssl->handshake->hrr_selected_group != 0 ) + ssl->handshake->selected_group != 0 ) { continue; } @@ -137,7 +136,7 @@ static int ssl_tls13_parse_supported_groups_ext( MBEDTLS_SSL_DEBUG_MSG( 2, ( "add named group (%04x) into received list.", named_group ) ); - ssl->handshake->hrr_selected_group = named_group; + ssl->handshake->selected_group = named_group; } return( 0 ); @@ -384,7 +383,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, const unsigned char *extensions_end; const mbedtls_ssl_ciphersuite_t* ciphersuite_info; - int hrr_required = 0; ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; @@ -682,9 +680,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); } - if( hrr_required == 1 ) - return( SSL_CLIENT_HELLO_HRR_REQUIRED ); - return( 0 ); }