Refine code base on review
Remove useless hrr code
Share validate_cipher_suit between client and server
Fix test failure when tls13 only in server side
Change-Id: I5d6a7932bd8448ebf542bc86cdcab8862bc28e9b
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index f5b8be4..79c5d9f 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -413,45 +413,6 @@
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
-int mbedtls_ssl_validate_ciphersuite(
- const mbedtls_ssl_context *ssl,
- const mbedtls_ssl_ciphersuite_t *suite_info,
- mbedtls_ssl_protocol_version min_tls_version,
- mbedtls_ssl_protocol_version max_tls_version )
-{
- (void) ssl;
-
- if( suite_info == NULL )
- return( -1 );
-
- if( ( suite_info->min_tls_version > max_tls_version ) ||
- ( suite_info->max_tls_version < min_tls_version ) )
- {
- return( -1 );
- }
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
-#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
- if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
- mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
- {
- return( -1 );
- }
-#endif
-
- /* Don't suggest PSK-based ciphersuite if no PSK is available. */
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
- if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
- mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
- {
- return( -1 );
- }
-#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
-#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-
- return( 0 );
-}
-
static int ssl_write_client_hello_cipher_suites(
mbedtls_ssl_context *ssl,
unsigned char *buf,
diff --git a/library/ssl_client.h b/library/ssl_client.h
index 67fc558..8e0c216 100644
--- a/library/ssl_client.h
+++ b/library/ssl_client.h
@@ -28,22 +28,6 @@
#include <stddef.h>
-/**
- * \brief Validate cipher suite against config in SSL context.
- *
- * \param ssl SSL context
- * \param suite_info Cipher suite to validate
- * \param min_tls_version Minimal TLS version to accept a cipher suite
- * \param max_tls_version Maximal TLS version to accept a cipher suite
- *
- * \return 0 if valid, negative value otherwise.
- */
-int mbedtls_ssl_validate_ciphersuite(
- const mbedtls_ssl_context *ssl,
- const mbedtls_ssl_ciphersuite_t *suite_info,
- mbedtls_ssl_protocol_version min_tls_version,
- mbedtls_ssl_protocol_version max_tls_version );
-
int mbedtls_ssl_write_client_hello( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_CLIENT_H */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 025732e..d276082 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -589,6 +589,8 @@
#if defined(MBEDTLS_SSL_SRV_C)
/** selected_group of key_share extension in HelloRetryRequest message. */
uint16_t hrr_selected_group;
+ /** selected_group of key_share extension in ClientHello message. */
+ uint16_t selected_group;
#endif /* MBEDTLS_SSL_SRV_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 1114056..d8d79d7 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4216,6 +4216,9 @@
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
+#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
+ conf->min_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
+ conf->max_tls_version = MBEDTLS_SSL_VERSION_TLS1_3;
#else
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
#endif
@@ -7771,4 +7774,43 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+int mbedtls_ssl_validate_ciphersuite(
+ const mbedtls_ssl_context *ssl,
+ const mbedtls_ssl_ciphersuite_t *suite_info,
+ mbedtls_ssl_protocol_version min_tls_version,
+ mbedtls_ssl_protocol_version max_tls_version )
+{
+ (void) ssl;
+
+ if( suite_info == NULL )
+ return( -1 );
+
+ if( ( suite_info->min_tls_version > max_tls_version ) ||
+ ( suite_info->max_tls_version < min_tls_version ) )
+ {
+ return( -1 );
+ }
+
+#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
+ if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
+ mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
+ {
+ return( -1 );
+ }
+#endif
+
+ /* Don't suggest PSK-based ciphersuite if no PSK is available. */
+#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
+ if( mbedtls_ssl_ciphersuite_uses_psk( suite_info ) &&
+ mbedtls_ssl_conf_has_static_psk( ssl->conf ) == 0 )
+ {
+ return( -1 );
+ }
+#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
+
+ return( 0 );
+}
+
#endif /* MBEDTLS_SSL_TLS_C */
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 447bc0e..a8e523a 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -24,7 +24,6 @@
#include "mbedtls/debug.h"
#include "ssl_misc.h"
-#include "ssl_client.h"
#include "ssl_tls13_keys.h"
#include "ssl_debug_helpers.h"
#include <string.h>
@@ -116,7 +115,7 @@
p += 2;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, named_group_list_len );
named_group_list_end = p + named_group_list_len;
- ssl->handshake->hrr_selected_group = 0;
+ ssl->handshake->selected_group = 0;
while( p < named_group_list_end )
{
@@ -129,7 +128,7 @@
if( ! mbedtls_ssl_named_group_is_offered( ssl, named_group ) ||
! mbedtls_ssl_named_group_is_supported( named_group ) ||
- ssl->handshake->hrr_selected_group != 0 )
+ ssl->handshake->selected_group != 0 )
{
continue;
}
@@ -137,7 +136,7 @@
MBEDTLS_SSL_DEBUG_MSG(
2, ( "add named group (%04x) into received list.",
named_group ) );
- ssl->handshake->hrr_selected_group = named_group;
+ ssl->handshake->selected_group = named_group;
}
return( 0 );
@@ -384,7 +383,6 @@
const unsigned char *extensions_end;
const mbedtls_ssl_ciphersuite_t* ciphersuite_info;
- int hrr_required = 0;
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
@@ -682,9 +680,6 @@
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
- if( hrr_required == 1 )
- return( SSL_CLIENT_HELLO_HRR_REQUIRED );
-
return( 0 );
}