Refine code base on review

Remove useless hrr code
Share validate_cipher_suit between client and server
Fix test failure when tls13 only in server side

Change-Id: I5d6a7932bd8448ebf542bc86cdcab8862bc28e9b
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>

include/mbedtls/ssl.h

@@ -4936,6 +4936,22 @@ int  mbedtls_ssl_tls_prf( const mbedtls_tls_prf_types prf,
                           const unsigned char *random, size_t rlen,
                           unsigned char *dstbuf, size_t dlen );
 
+/**
+ * \brief Validate cipher suite against config in SSL context.
+ *
+ * \param ssl              SSL context
+ * \param suite_info       Cipher suite to validate
+ * \param min_tls_version  Minimal TLS version to accept a cipher suite
+ * \param max_tls_version  Maximal TLS version to accept a cipher suite
+ *
+ * \return 0 if valid, negative value otherwise.
+ */
+int mbedtls_ssl_validate_ciphersuite(
+    const mbedtls_ssl_context *ssl,
+    const mbedtls_ssl_ciphersuite_t *suite_info,
+    mbedtls_ssl_protocol_version min_tls_version,
+    mbedtls_ssl_protocol_version max_tls_version );
+
 #ifdef __cplusplus
 }
 #endif

library/ssl_client.c

@@ -413,45 +413,6 @@ static int ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
 }
 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
 
-int mbedtls_ssl_validate_ciphersuite(
-    const mbedtls_ssl_context *ssl,
-    const mbedtls_ssl_ciphersuite_t *suite_info,
-    mbedtls_ssl_protocol_version min_tls_version,
-    mbedtls_ssl_protocol_version max_tls_version )
-{
-    (void) ssl;
-
-    if( suite_info == NULL )
-        return( -1 );
-
-    if( ( suite_info->min_tls_version > max_tls_version ) ||
-        ( suite_info->max_tls_version < min_tls_version ) )
-    {
-        return( -1 );
-    }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
-    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
-        mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
-    {
-        return( -1 );
-    }
-#endif
-
-    /* Don't suggest PSK-based ciphersuite if no PSK is available. */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-    if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
-        mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
-    {
-        return( -1 );
-    }
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
-    return( 0 );
-}
-
 static int ssl_write_client_hello_cipher_suites(
             mbedtls_ssl_context *ssl,
             unsigned char *buf,

library/ssl_client.h

@@ -28,22 +28,6 @@
 
 #include <stddef.h>
 
-/**
- * \brief Validate cipher suite against config in SSL context.
- *
- * \param ssl              SSL context
- * \param suite_info       Cipher suite to validate
- * \param min_tls_version  Minimal TLS version to accept a cipher suite
- * \param max_tls_version  Maximal TLS version to accept a cipher suite
- *
- * \return 0 if valid, negative value otherwise.
- */
-int mbedtls_ssl_validate_ciphersuite(
-    const mbedtls_ssl_context *ssl,
-    const mbedtls_ssl_ciphersuite_t *suite_info,
-    mbedtls_ssl_protocol_version min_tls_version,
-    mbedtls_ssl_protocol_version max_tls_version );
-
 int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
 
 #endif /* MBEDTLS_SSL_CLIENT_H */

library/ssl_misc.h

@@ -589,6 +589,8 @@ struct mbedtls_ssl_handshake_params
 #if defined(MBEDTLS_SSL_SRV_C)
     /** selected_group of key_share extension in HelloRetryRequest message. */
     uint16_t hrr_selected_group;
+    /** selected_group of key_share extension in ClientHello message. */
+    uint16_t selected_group;
 #endif /* MBEDTLS_SSL_SRV_C */
 
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \

library/ssl_tls.c

@@ -4216,6 +4216,9 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
         conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
         conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+        conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+        conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
 #else
         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
 #endif
@@ -7771,4 +7774,43 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session,
 }
 #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
 
+int mbedtls_ssl_validate_ciphersuite(
+    const mbedtls_ssl_context *ssl,
+    const mbedtls_ssl_ciphersuite_t *suite_info,
+    mbedtls_ssl_protocol_version min_tls_version,
+    mbedtls_ssl_protocol_version max_tls_version )
+{
+    (void) ssl;
+
+    if( suite_info == NULL )
+        return( -1 );
+
+    if( ( suite_info->min_tls_version > max_tls_version ) ||
+        ( suite_info->max_tls_version < min_tls_version ) )
+    {
+        return( -1 );
+    }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+    if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+        mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+    {
+        return( -1 );
+    }
+#endif
+
+    /* Don't suggest PSK-based ciphersuite if no PSK is available. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+    if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
+        mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
+    {
+        return( -1 );
+    }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+    return( 0 );
+}
+
 #endif /* MBEDTLS_SSL_TLS_C */

library/ssl_tls13_server.c

@@ -24,7 +24,6 @@
 #include "mbedtls/debug.h"
 
 #include "ssl_misc.h"
-#include "ssl_client.h"
 #include "ssl_tls13_keys.h"
 #include "ssl_debug_helpers.h"
 #include <string.h>
@@ -116,7 +115,7 @@ static int ssl_tls13_parse_supported_groups_ext(
     p += 2;
     MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
     named_group_list_end = p + named_group_list_len;
-    ssl->handshake->hrr_selected_group = 0;
+    ssl->handshake->selected_group = 0;
 
     while( p < named_group_list_end )
     {
@@ -129,7 +128,7 @@ static int ssl_tls13_parse_supported_groups_ext(
 
         if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
             ! mbedtls_ssl_named_group_is_supported( named_group ) ||
-            ssl->handshake->hrr_selected_group != 0 )
+            ssl->handshake->selected_group != 0 )
         {
             continue;
         }
@@ -137,7 +136,7 @@ static int ssl_tls13_parse_supported_groups_ext(
         MBEDTLS_SSL_DEBUG_MSG(
                 2, ( "add named group (%04x) into received list.",
                      named_group ) );
-        ssl->handshake->hrr_selected_group = named_group;
+        ssl->handshake->selected_group = named_group;
     }
 
     return( 0 );
@@ -384,7 +383,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
     const unsigned char *extensions_end;
 
     const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
-    int hrr_required = 0;
 
     ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
 
@@ -682,9 +680,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
         return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
     }
 
-    if( hrr_required == 1 )
-        return( SSL_CLIENT_HELLO_HRR_REQUIRED );
-
     return( 0 );
 }