commit 1ffa4508828588343ec154f4b67999b98f854ffe
author Ronald Cron <ronald.cron@arm.com> Fri Jun 30 14:56:38 2023 +0200
committer Ronald Cron <ronald.cron@arm.com> Tue Jul 04 12:16:25 2023 +0200
tree 582cbc88a6e4dc4a6fa7d7c5476524ce1fa59c15
parent 443589ac5337e87a7e548eb94788a0c866e7042d

tls: client: Improve writing of supported_groups ext

Align the TLS 1.3 specific and TLS 1.2 specific
tests done before to call
ssl_write_supported_groups_ext() and inside
thsi function.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

library/ssl_client.c

diff --git a/library/ssl_client.c b/library/ssl_client.c
index 0b3c53e..d657317 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -224,10 +224,14 @@
  * share the same extension identifier.
  *
  */
+#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG 1
+#define SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG 2
+
 MBEDTLS_CHECK_RETURN_CRITICAL
 static int ssl_write_supported_groups_ext(mbedtls_ssl_context *ssl,
                                           unsigned char *buf,
                                           const unsigned char *end,
+                                          int flags,
                                           size_t *out_len)
 {
     unsigned char *p = buf;
@@ -254,40 +258,44 @@
     }
 
     for (; *group_list != 0; group_list++) {
+        int propose_group = 0;
+
         MBEDTLS_SSL_DEBUG_MSG(1, ("got supported group(%04x)", *group_list));
 
-#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
-        (defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \
-        defined(PSA_WANT_ALG_ECDH))
-        if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
-             mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) ||
-            (mbedtls_ssl_conf_is_tls12_enabled(ssl->conf) &&
-             mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list))) {
-            if (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) ==
-                MBEDTLS_ECP_DP_NONE) {
-                continue;
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+        if (flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG) {
+#if defined(PSA_WANT_ALG_ECDH)
+            if (mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list) &&
+                (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
+                 MBEDTLS_ECP_DP_NONE)) {
+                propose_group = 1;
             }
+#endif
+#if defined(PSA_WANT_ALG_FFDH)
+            if (mbedtls_ssl_tls13_named_group_is_dhe(*group_list)) {
+                propose_group = 1;
+            }
+#endif
+        }
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
+        if ((flags & SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG) &&
+            mbedtls_ssl_tls12_named_group_is_ecdhe(*group_list) &&
+            (mbedtls_ssl_get_ecp_group_id_from_tls_id(*group_list) !=
+             MBEDTLS_ECP_DP_NONE)) {
+            propose_group = 1;
+        }
+#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC */
+
+        if (propose_group) {
             MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
             MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
             p += 2;
             MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
-                                      mbedtls_ssl_get_curve_name_from_tls_id(*group_list),
+                                      mbedtls_ssl_named_group_to_str(*group_list),
                                       *group_list));
         }
-#endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
-          (MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_ECDH) */
-#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED) && \
-        defined(PSA_WANT_ALG_FFDH)
-        if ((mbedtls_ssl_conf_is_tls13_enabled(ssl->conf) &&
-             mbedtls_ssl_tls13_named_group_is_dhe(*group_list))) {
-
-            MBEDTLS_SSL_DEBUG_MSG(3, ("NamedGroup: %s ( %x )",
-                                      mbedtls_ssl_named_group_to_str(*group_list), *group_list));
-            MBEDTLS_SSL_CHK_BUF_PTR(p, end, 2);
-            MBEDTLS_PUT_UINT16_BE(*group_list, p, 0);
-            p += 2;
-        }
-#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED && PSA_WANT_ALG_FFDH */
     }
 
     /* Length of named_group_list */
@@ -610,20 +618,30 @@
 
 #if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC) || \
     defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
-    if (
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-        (propose_tls13 &&
-         mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) ||
-#endif
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-        (propose_tls12 && tls12_uses_ec) ||
-#endif
-        0) {
-        ret = ssl_write_supported_groups_ext(ssl, p, end, &output_len);
-        if (ret != 0) {
-            return ret;
+    {
+        int ssl_write_supported_groups_ext_flags = 0;
+
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED)
+        if (propose_tls13 && mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
+            ssl_write_supported_groups_ext_flags |=
+                SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_3_FLAG;
         }
-        p += output_len;
+#endif
+#if defined(MBEDTLS_SSL_TLS1_2_SOME_ECC)
+        if (propose_tls12 && tls12_uses_ec) {
+            ssl_write_supported_groups_ext_flags |=
+                SSL_WRITE_SUPPORTED_GROUPS_EXT_TLS1_2_FLAG;
+        }
+#endif
+        if (ssl_write_supported_groups_ext_flags != 0) {
+            ret = ssl_write_supported_groups_ext(ssl, p, end,
+                                                 ssl_write_supported_groups_ext_flags,
+                                                 &output_len);
+            if (ret != 0) {
+                return ret;
+            }
+            p += output_len;
+        }
     }
 #endif /* MBEDTLS_SSL_TLS1_2_SOME_ECC ||
           MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_EPHEMERAL_ENABLED */