eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tls13_only: guard ssl_{cli,srv}.c with TLS1_2

Browse source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2021-12-23 20:15:02 +08:00
parent ab08290c09
commit c5aef88be6
4 changed files with 101 additions and 157 deletions
Download patch file Download diff file Expand all files Collapse all files

94
library/ssl_cli.c
View file

@ -21,6 +21,8 @@
#if defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_SSL_CLI_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_PLATFORM_C) #if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
#else #else
@ -90,76 +92,6 @@ static int ssl_conf_has_static_raw_psk( mbedtls_ssl_config const *conf )
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
size_t hostname_len;
*olen = 0;
if( ssl->hostname == NULL )
return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "client hello, adding server name extension: %s",
ssl->hostname ) );
hostname_len = strlen( ssl->hostname );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
/*
* Sect. 3, RFC 6066 (TLS Extensions Definitions)
*
* In order to provide any of the server names, clients MAY include an
* extension of type "server_name" in the (extended) client hello. The
* "extension_data" field of this extension SHALL contain
* "ServerNameList" where:
*
* struct {
* NameType name_type;
* select (name_type) {
* case host_name: HostName;
* } name;
* } ServerName;
*
* enum {
* host_name(0), (255)
* } NameType;
*
* opaque HostName<1..2^16-1>;
*
* struct {
* ServerName server_name_list<1..2^16-1>
* } ServerNameList;
*
*/
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 );
p += 2;
MBEDTLS_PUT_UINT16_BE( hostname_len + 5, p, 0 );
p += 2;
MBEDTLS_PUT_UINT16_BE( hostname_len + 3, p, 0 );
p += 2;
*p++ = MBEDTLS_BYTE_0( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME );
MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 );
p += 2;
memcpy( p, ssl->hostname, hostname_len );
*olen = hostname_len + 9;
return( 0 );
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl, static int ssl_write_renegotiation_ext( mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
@ -1028,8 +960,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
ext_len += olen; ext_len += olen;
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
if( ( ret = mbedtls_ssl_write_sig_alg_ext( ssl, p + 2 + ext_len, if( ( ret = mbedtls_ssl_write_sig_alg_ext( ssl, p + 2 + ext_len,
end, &olen ) ) != 0 ) end, &olen ) ) != 0 )
{ {
@ -1037,7 +968,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
return( ret ); return( ret );
} }
ext_len += olen; ext_len += olen;
#endif #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ #if defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \
defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
@ -2573,13 +2504,11 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( len_bytes == 2 ) if( len_bytes == 2 )
{ {
MBEDTLS_PUT_UINT16_BE( *olen, ssl->out_msg, offset ); MBEDTLS_PUT_UINT16_BE( *olen, ssl->out_msg, offset );
*olen += 2; *olen += 2;
} }
#endif
#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) #if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
/* We don't need the peer's public key anymore. Free it. */ /* We don't need the peer's public key anymore. Free it. */
@ -2590,7 +2519,6 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED || #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */ MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED)
@ -2655,7 +2583,6 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED || #endif /* MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED ||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \
defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)
@ -2931,10 +2858,8 @@ start_processing:
#endif #endif
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE;
mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE; mbedtls_pk_type_t pk_alg = MBEDTLS_PK_NONE;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl ); unsigned char *params = ssl->in_msg + mbedtls_ssl_hs_hdr_len( ssl );
size_t params_len = p - params; size_t params_len = p - params;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
void *rs_ctx = NULL; void *rs_ctx = NULL;
mbedtls_pk_context * peer_pk; mbedtls_pk_context * peer_pk;
@ -2942,7 +2867,6 @@ start_processing:
/* /*
* Handle the digitally-signed structure * Handle the digitally-signed structure
*/ */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{ {
if( ssl_parse_signature_algorithm( ssl, &p, end, if( ssl_parse_signature_algorithm( ssl, &p, end,
@ -2970,7 +2894,6 @@ start_processing:
} }
} }
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -3007,7 +2930,6 @@ start_processing:
/* /*
* Compute the hash that has been signed * Compute the hash that has been signed
*/ */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( md_alg != MBEDTLS_MD_NONE ) if( md_alg != MBEDTLS_MD_NONE )
{ {
ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen, ret = mbedtls_ssl_get_key_exchange_md_tls1_2( ssl, hash, &hashlen,
@ -3017,7 +2939,6 @@ start_processing:
return( ret ); return( ret );
} }
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -3213,7 +3134,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
} }
/* supported_signature_algorithms */ /* supported_signature_algorithms */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{ {
size_t sig_alg_len = size_t sig_alg_len =
@ -3259,7 +3179,6 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
n += 2 + sig_alg_len; n += 2 + sig_alg_len;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* certificate_authorities */ /* certificate_authorities */
dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 ) dn_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
@ -3818,7 +3737,6 @@ sign:
ssl->handshake->calc_verify( ssl, hash, &hashlen ); ssl->handshake->calc_verify( ssl, hash, &hashlen );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 ) if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
{ {
/* /*
@ -3854,7 +3772,6 @@ sign:
offset = 2; offset = 2;
} }
else else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
@ -4138,4 +4055,7 @@ int mbedtls_ssl_handshake_client_step( mbedtls_ssl_context *ssl )
return( ret ); return( ret );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_SSL_CLI_C */

8
library/ssl_misc.h
View file

@ -89,14 +89,12 @@
/* Determine maximum supported version */ /* Determine maximum supported version */
#define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3 #define MBEDTLS_SSL_MAX_MAJOR_VERSION MBEDTLS_SSL_MAJOR_VERSION_3
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4
#elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3 #define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_3
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
#define MBEDTLS_SSL_MAX_MINOR_VERSION MBEDTLS_SSL_MINOR_VERSION_4
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
/* Shorthand for restartable ECC */ /* Shorthand for restartable ECC */
#if defined(MBEDTLS_ECP_RESTARTABLE) && \ #if defined(MBEDTLS_ECP_RESTARTABLE) && \
defined(MBEDTLS_SSL_CLI_C) && \ defined(MBEDTLS_SSL_CLI_C) && \

20
library/ssl_srv.c
View file

@ -21,6 +21,8 @@
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_PLATFORM_C) #if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h" #include "mbedtls/platform.h"
#else #else
@ -2956,11 +2958,9 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
ssl->handshake->ciphersuite_info; ssl->handshake->ciphersuite_info;
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED)
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
defined(MBEDTLS_SSL_PROTO_TLS1_2)
unsigned char *dig_signed = NULL; unsigned char *dig_signed = NULL;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED && #endif /* MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED */
MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */
(void) ciphersuite_info; /* unused in some configurations */ (void) ciphersuite_info; /* unused in some configurations */
@ -3066,8 +3066,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
return( ret ); return( ret );
} }
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
defined(MBEDTLS_SSL_PROTO_TLS1_2)
dig_signed = ssl->out_msg + ssl->out_msglen; dig_signed = ssl->out_msg + ssl->out_msglen;
#endif #endif
@ -3133,8 +3132,7 @@ curve_matching_done:
return( ret ); return( ret );
} }
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
defined(MBEDTLS_SSL_PROTO_TLS1_2)
dig_signed = ssl->out_msg + ssl->out_msglen; dig_signed = ssl->out_msg + ssl->out_msglen;
#endif #endif
@ -3154,9 +3152,7 @@ curve_matching_done:
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED)
if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) ) if( mbedtls_ssl_ciphersuite_uses_server_signature( ciphersuite_info ) )
{ {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed; size_t dig_signed_len = ssl->out_msg + ssl->out_msglen - dig_signed;
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
size_t hashlen = 0; size_t hashlen = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char hash[PSA_HASH_MAX_SIZE]; unsigned char hash[PSA_HASH_MAX_SIZE];
@ -3171,7 +3167,7 @@ curve_matching_done:
* to choose appropriate hash. * to choose appropriate hash.
*/ */
mbedtls_md_type_t md_alg = MBEDTLS_MD_NONE; mbedtls_md_type_t md_alg;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_pk_type_t sig_alg = mbedtls_pk_type_t sig_alg =
@ -4412,4 +4408,6 @@ void mbedtls_ssl_conf_preference_order( mbedtls_ssl_config *conf, int order )
conf->respect_cli_pref = order; conf->respect_cli_pref = order;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#endif /* MBEDTLS_SSL_SRV_C */ #endif /* MBEDTLS_SSL_SRV_C */

136
library/ssl_tls.c
View file

@ -333,7 +333,6 @@ static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing,
} }
#endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */ #endif /* MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH */
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation, static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
@ -574,11 +573,9 @@ static int tls_prf_sha384( const unsigned char *secret, size_t slen,
label, random, rlen, dstbuf, dlen ) ); label, random, rlen, dstbuf, dlen ) );
} }
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t ); static void ssl_update_checksum_start( mbedtls_ssl_context *, const unsigned char *, size_t );
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t ); static void ssl_update_checksum_sha256( mbedtls_ssl_context *, const unsigned char *, size_t );
static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * ); static void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *,unsigned char*, size_t * );
@ -590,7 +587,6 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *, const unsigned ch
static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * ); static void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *, unsigned char*, size_t * );
static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int ); static void ssl_calc_finished_tls_sha384( mbedtls_ssl_context *, unsigned char *, int );
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO) defined(MBEDTLS_USE_PSA_CRYPTO)
@ -616,6 +612,7 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf ) static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
{ {
((void) tls_prf);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
if( tls_prf == tls_prf_sha384 ) if( tls_prf == tls_prf_sha384 )
@ -632,7 +629,6 @@ static mbedtls_tls_prf_types tls_prf_get_type( mbedtls_ssl_tls_prf_cb *tls_prf )
else else
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
((void) tls_prf);
return( MBEDTLS_SSL_TLS_PRF_NONE ); return( MBEDTLS_SSL_TLS_PRF_NONE );
} }
@ -1122,14 +1118,12 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
int minor_ver, int minor_ver,
mbedtls_md_type_t hash ) mbedtls_md_type_t hash )
{ {
#if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || \ #if !defined(MBEDTLS_SSL_PROTO_TLS1_2) || !defined(MBEDTLS_SHA384_C)
!( defined(MBEDTLS_SHA384_C) || defined(MBEDTLS_SHA256_C) )
(void) hash; (void) hash;
(void) handshake;
(void) minor_ver; (void) minor_ver;
(void) handshake;
#endif #endif
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 && if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 &&
hash == MBEDTLS_MD_SHA384 ) hash == MBEDTLS_MD_SHA384 )
@ -1149,7 +1143,6 @@ static int ssl_set_handshake_prfs( mbedtls_ssl_handshake_params *handshake,
} }
else else
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
} }
@ -1366,7 +1359,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
return( 0 ); return( 0 );
} }
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_3) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl, void ssl_calc_verify_tls_sha256( const mbedtls_ssl_context *ssl,
unsigned char *hash, unsigned char *hash,
@ -1464,7 +1457,7 @@ void ssl_calc_verify_tls_sha384( const mbedtls_ssl_context *ssl,
return; return;
} }
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex ) int mbedtls_ssl_psk_derive_premaster( mbedtls_ssl_context *ssl, mbedtls_key_exchange_type_t key_ex )
@ -2441,7 +2434,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
{ {
((void) ciphersuite_info); ((void) ciphersuite_info);
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 ) if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
ssl->handshake->update_checksum = ssl_update_checksum_sha384; ssl->handshake->update_checksum = ssl_update_checksum_sha384;
@ -2452,7 +2444,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
ssl->handshake->update_checksum = ssl_update_checksum_sha256; ssl->handshake->update_checksum = ssl_update_checksum_sha256;
else else
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return; return;
@ -2462,7 +2453,6 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl ) void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
{ {
((void) ssl); ((void) ssl);
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &ssl->handshake->fin_sha256_psa ); psa_hash_abort( &ssl->handshake->fin_sha256_psa );
@ -2479,16 +2469,11 @@ void mbedtls_ssl_reset_checksum( mbedtls_ssl_context *ssl )
mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 ); mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
#endif #endif
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
} }
static void ssl_update_checksum_start( mbedtls_ssl_context *ssl, static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len ) const unsigned char *buf, size_t len )
{ {
((void) ssl);
((void) buf);
((void) len);
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len ); psa_hash_update( &ssl->handshake->fin_sha256_psa, buf, len );
@ -2503,10 +2488,8 @@ static void ssl_update_checksum_start( mbedtls_ssl_context *ssl,
mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len ); mbedtls_sha512_update( &ssl->handshake->fin_sha512, buf, len );
#endif #endif
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
} }
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl, static void ssl_update_checksum_sha256( mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len ) const unsigned char *buf, size_t len )
@ -2530,9 +2513,7 @@ static void ssl_update_checksum_sha384( mbedtls_ssl_context *ssl,
#endif #endif
} }
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
static void ssl_calc_finished_tls_sha256( static void ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from ) mbedtls_ssl_context *ssl, unsigned char *buf, int from )
@ -2684,7 +2665,6 @@ static void ssl_calc_finished_tls_sha384(
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= calc finished" ) );
} }
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl ) void mbedtls_ssl_handshake_wrapup_free_hs_transform( mbedtls_ssl_context *ssl )
{ {
@ -2974,7 +2954,6 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
{ {
memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) ); memset( handshake, 0, sizeof( mbedtls_ssl_handshake_params ) );
// #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha256_psa = psa_hash_operation_init(); handshake->fin_sha256_psa = psa_hash_operation_init();
@ -2993,7 +2972,6 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake )
mbedtls_sha512_starts( &handshake->fin_sha512, 1 ); mbedtls_sha512_starts( &handshake->fin_sha512, 1 );
#endif #endif
#endif #endif
// #endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
handshake->update_checksum = ssl_update_checksum_start; handshake->update_checksum = ssl_update_checksum_start;
@ -5204,7 +5182,6 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
{ {
return( ssl_session_save( session, 0, buf, buf_len, olen ) ); return( ssl_session_save( session, 0, buf, buf_len, olen ) );
} }
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* /*
* Deserialize session, see mbedtls_ssl_session_save() for format. * Deserialize session, see mbedtls_ssl_session_save() for format.
@ -5410,8 +5387,7 @@ static int ssl_session_load_tls12( mbedtls_ssl_session *session,
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif /*MBEDTLS_SSL_PROTO_TLS1_2 */
static int ssl_session_load( mbedtls_ssl_session *session, static int ssl_session_load( mbedtls_ssl_session *session,
unsigned char omit_header, unsigned char omit_header,
const unsigned char *buf, const unsigned char *buf,
@ -5781,7 +5757,6 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
} }
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &handshake->fin_sha256_psa ); psa_hash_abort( &handshake->fin_sha256_psa );
@ -5796,7 +5771,6 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
mbedtls_sha512_free( &handshake->fin_sha512 ); mbedtls_sha512_free( &handshake->fin_sha512 );
#endif #endif
#endif #endif
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_DHM_C) #if defined(MBEDTLS_DHM_C)
mbedtls_dhm_free( &handshake->dhm_ctx ); mbedtls_dhm_free( &handshake->dhm_ctx );
@ -6222,9 +6196,6 @@ typedef int (*tls_prf_fn)( const unsigned char *secret, size_t slen,
static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id ) static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
{ {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* TODO: This function has some problem when
!MBEDTLS_SHA384_C && !MBEDTLS_SHA256_C && MBEDTLS_SHA512_C
*/
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
const mbedtls_ssl_ciphersuite_t * const ciphersuite_info = const mbedtls_ssl_ciphersuite_t * const ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( ciphersuite_id ); mbedtls_ssl_ciphersuite_from_id( ciphersuite_id );
@ -6236,9 +6207,9 @@ static tls_prf_fn ssl_tls12prf_from_cs( int ciphersuite_id )
#endif #endif
return( tls_prf_sha256 ); return( tls_prf_sha256 );
#else #else
((void) ciphersuite_id); (void) ciphersuite_id;
return NULL; return( NULL );
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #endif
} }
@ -7582,11 +7553,8 @@ static int ssl_get_handshake_transcript_sha256( mbedtls_ssl_context *ssl,
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
mbedtls_sha256_init( &sha256 ); mbedtls_sha256_init( &sha256 );
// MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:sha256", &sha256, sizeof(sha256));
mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 ); mbedtls_sha256_clone( &sha256, &ssl->handshake->fin_sha256 );
// MBEDTLS_SSL_DEBUG_MSG(2,("ssl_get_handshake_transcript_sha256"));
// MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:sha256", &sha256, sizeof(sha256));
// MBEDTLS_SSL_DEBUG_BUF(2,"ssl_get_handshake_transcript_sha256:ssl->handshake->fin_sha256", &ssl->handshake->fin_sha256, sizeof(ssl->handshake->fin_sha256));
if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 ) if( ( ret = mbedtls_sha256_finish( &sha256, dst ) ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret ); MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_sha256_finish", ret );
@ -7608,32 +7576,23 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
size_t dst_len, size_t dst_len,
size_t *olen ) size_t *olen )
{ {
int ret = MBEDTLS_ERR_SSL_INTERNAL_ERROR;
switch( md ) switch( md )
{ {
#if defined(MBEDTLS_SHA384_C) #if defined(MBEDTLS_SHA384_C)
case MBEDTLS_MD_SHA384: case MBEDTLS_MD_SHA384:
ret = ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) ; return( ssl_get_handshake_transcript_sha384( ssl, dst, dst_len, olen ) );
break;
#endif /* MBEDTLS_SHA384_C */ #endif /* MBEDTLS_SHA384_C */
#if defined(MBEDTLS_SHA256_C) #if defined(MBEDTLS_SHA256_C)
case MBEDTLS_MD_SHA256: case MBEDTLS_MD_SHA256:
ret = ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) ; return( ssl_get_handshake_transcript_sha256( ssl, dst, dst_len, olen ) );
break;
#endif /* MBEDTLS_SHA256_C */ #endif /* MBEDTLS_SHA256_C */
default: default:
break; break;
} }
((void) ssl); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
((void) md);
((void) dst);
((void) dst_len);
((void) olen);
return( ret );
} }
#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* !MBEDTLS_USE_PSA_CRYPTO */
@ -7866,5 +7825,74 @@ int mbedtls_ssl_write_sig_alg_ext( mbedtls_ssl_context *ssl, unsigned char *buf,
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
int mbedtls_ssl_write_hostname_ext( mbedtls_ssl_context *ssl,
unsigned char *buf,
const unsigned char *end,
size_t *olen )
{
unsigned char *p = buf;
size_t hostname_len;
*olen = 0;
if( ssl->hostname == NULL )
return( 0 );
MBEDTLS_SSL_DEBUG_MSG( 3,
( "client hello, adding server name extension: %s",
ssl->hostname ) );
hostname_len = strlen( ssl->hostname );
MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
/*
* Sect. 3, RFC 6066 (TLS Extensions Definitions)
*
* In order to provide any of the server names, clients MAY include an
* extension of type "server_name" in the (extended) client hello. The
* "extension_data" field of this extension SHALL contain
* "ServerNameList" where:
*
* struct {
* NameType name_type;
* select (name_type) {
* case host_name: HostName;
* } name;
* } ServerName;
*
* enum {
* host_name(0), (255)
* } NameType;
*
* opaque HostName<1..2^16-1>;
*
* struct {
* ServerName server_name_list<1..2^16-1>
* } ServerNameList;
*
*/
MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_SERVERNAME, p, 0 );
p += 2;
MBEDTLS_PUT_UINT16_BE( hostname_len + 5, p, 0 );
p += 2;
MBEDTLS_PUT_UINT16_BE( hostname_len + 3, p, 0 );
p += 2;
*p++ = MBEDTLS_BYTE_0( MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME );
MBEDTLS_PUT_UINT16_BE( hostname_len, p, 0 );
p += 2;
memcpy( p, ssl->hostname, hostname_len );
*olen = hostname_len + 9;
return( 0 );
}
#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
#endif /* MBEDTLS_SSL_TLS_C */ #endif /* MBEDTLS_SSL_TLS_C */