diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 7c443822a2..9041c51d2c 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -413,6 +413,32 @@ static inline int mbedtls_ssl_chk_buf_ptr( const uint8_t *cur,
 } \
 } while( 0 )
+/**
+ * \brief This macro checks if the remaining length in an input buffer is
+ * greater or equal than a needed length. If it is not the case, it
+ * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
+ * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
+ *
+ * This is a function-like macro. It is guaranteed to evaluate each
+ * argument exactly once.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed length in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
+ do { \
+ if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
+ { \
+ MBEDTLS_SSL_DEBUG_MSG( 1, \
+ ( "missing input data in %s", __func__ ) ); \
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
+ MBEDTLS_ERR_SSL_DECODE_ERROR ); \
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
+ } \
+ } while( 0 )
+
 #ifdef __cplusplus
 extern "C" {
 #endif
@@ -490,6 +516,9 @@ struct mbedtls_ssl_handshake_params
 /*
 * Handshake specific crypto variables
 */
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ int tls1_3_kex_modes; /*!< key exchange modes for TLS 1.3 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
 defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
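Review bot: The doc comment for `MBEDTLS_SSL_CHK_BUF_READ_PTR` says the macro "returns" the error but not that the `return` leaves the function that invokes it, so a caller that already holds a resource when the check fails skips its cleanup path. It also does not mention that the expansion depends on names at the call site; `MBEDTLS_SSL_DEBUG_MSG` and `MBEDTLS_SSL_PEND_FATAL_ALERT` are defined outside this hunk and presumably need an `ssl` context in scope. I would add `\note Expands to a return statement: use only in functions returning int, before any resource that needs releasing is held.` Since this appears to guard reads of received handshake data, stating that `cur` and `end` must point into the same buffer with `cur <= end` would also help anyone reviewing call sites.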
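Review bot: The comment on `tls1_3_kex_modes` does not say that the field is a bit mask, which values it holds, or who sets it. The helpers added later in this diff AND it with `MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_*` constants, so something like `/*!< bit mask of MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_* values in use for this handshake; 0 means none */` would be clearer, adjusted to whatever the setter (not in this diff) actually stores. A mask would conventionally be declared `unsigned` or `uint32_t` rather than `int`. The struct body starts and ends outside the hunk.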
@@ -1434,6 +1463,53 @@ static inline int mbedtls_ssl_conf_tls13_some_psk_enabled( mbedtls_ssl_context *
 MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
 }
+/**
+ * Given a list of key exchange modes, check if at least one of them is
+ * supported.
+ *
+ * \param[in] ssl SSL context
+ * \param kex_modes_mask Mask of the key exchange modes to check
+ *
+ * \return 0 if at least one of the key exchange modes is supported,
+ * !=0 otherwise.
+ */
+static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl,
+ int kex_modes_mask )
+{
+ return( ( ssl->handshake->tls1_3_kex_modes & kex_modes_mask ) == 0 );
+}
+
+static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_psk_ephemeral_enabled(
+ mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_ephemeral_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
+}
+
 #endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
 /**
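Review bot: `mbedtls_ssl_tls1_3_check_kex_modes()` returns 0 when a mode matches and non-zero when none does, which is the inverse of what a `check_...` predicate suggests and easy to misuse in code that decides whether a PSK or ephemeral exchange is acceptable. The doc comment does describe this, but I would make it explicit with `\warning Returns 0 on a match; not a boolean, use the *_enabled() wrappers.` and declare the function `static inline int` so its type matches the wrappers. All six helpers dereference `ssl->handshake` without a check and the five wrappers have no doc comment; each should state the precondition, e.g. `/* Requires ssl->handshake != NULL; tests the modes recorded for this handshake. */`. That comment would also distinguish them from the similarly named `mbedtls_ssl_conf_tls13_*` helper visible in the hunk header, which presumably tests the configuration instead.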