empty pre_shared_key functions
To easy review
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 40e3cfd..645479b 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -665,56 +665,6 @@
return ( 0 );
}
-/* Check if we have any PSK to offer, returns 0 if a PSK is available. */
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_get_psk_to_offer(
- const mbedtls_ssl_context *ssl,
- int *psk_type,
- const unsigned char **psk, size_t *psk_len,
- const unsigned char **psk_identity, size_t *psk_identity_len )
-{
- *psk = NULL;
- *psk_len = 0;
- *psk_identity = NULL;
- *psk_identity_len = 0;
- *psk_type = MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL;
-
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- /* Check if a ticket has been configured. */
- if( ssl->session_negotiate != NULL &&
- ssl->session_negotiate->ticket != NULL )
- {
-#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now = mbedtls_time( NULL );
- if( ssl->session_negotiate->ticket_received <= now &&
- (uint64_t)( now - ssl->session_negotiate->ticket_received )
- <= ssl->session_negotiate->ticket_lifetime )
- {
- *psk_type = MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION;
- *psk = ssl->session_negotiate->resumption_key;
- *psk_len = ssl->session_negotiate->resumption_key_len;
- *psk_identity = ssl->session_negotiate->ticket;
- *psk_identity_len = ssl->session_negotiate->ticket_len;
- return( 0 );
- }
-#endif /* MBEDTLS_HAVE_TIME */
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "ticket expired" ) );
- }
-#endif
-
- /* Check if an external PSK has been configured. */
- if( ssl->conf->psk != NULL )
- {
- *psk = ssl->conf->psk;
- *psk_len = ssl->conf->psk_len;
- *psk_identity = ssl->conf->psk_identity;
- *psk_identity_len = ssl->conf->psk_identity_len;
- return( 0 );
- }
-
- return( MBEDTLS_ERR_ERROR_GENERIC_ERROR );
-}
-
/*
* mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext() structure:
*
@@ -743,204 +693,53 @@
unsigned char *buf, unsigned char *end,
size_t *out_len, size_t *binders_len )
{
- unsigned char *p = buf;
- const unsigned char *psk;
- size_t psk_len;
- const unsigned char *psk_identity;
- size_t psk_identity_len;
- int psk_type;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- const int *ciphersuites;
- psa_algorithm_t psa_hash_alg;
- int hash_len = 0;
- size_t identities_len, l_binders_len;
- uint32_t obfuscated_ticket_age = 0;
-
- *out_len = 0;
- *binders_len = 0;
-
- /* Check if we have any PSKs to offer. If so, return the first.
- *
- * NOTE: Ultimately, we want to be able to offer multiple PSKs,
- * in which case we want to iterate over them here.
- *
- * As it stands, however, we only ever offer one, chosen
- * by the following heuristic:
- * - If a ticket has been configured, offer the corresponding PSK.
- * - If no ticket has been configured by an external PSK has been
- * configured, offer that.
- * - Otherwise, skip the PSK extension.
- */
- if( ssl_tls13_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
- &psk_identity, &psk_identity_len ) != 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip pre_shared_key extensions" ) );
- return( 0 );
- }
-
- if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_EXTERNAL )
- {
- /*
- * Ciphersuite list
- */
- ciphersuites = ssl->conf->ciphersuite_list;
- for( int i = 0; ciphersuites[i] != 0; i++ )
- {
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
- ciphersuites[i] );
-
- if( mbedtls_ssl_validate_ciphersuite(
- ssl, ciphersuite_info,
- MBEDTLS_SSL_VERSION_TLS1_3,
- MBEDTLS_SSL_VERSION_TLS1_3 ) != 0 )
- continue;
-
- /* In this implementation we only add one pre-shared-key
- * extension.
- */
- ssl->session_negotiate->ciphersuite = ciphersuites[i];
- break;
- }
- }
- else
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if( psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION )
- {
-#if defined(MBEDTLS_HAVE_TIME)
- mbedtls_time_t now = mbedtls_time( NULL );
-
- obfuscated_ticket_age =
- ( (uint32_t)( now - ssl->session_negotiate->ticket_received ) * 1000 )
- + ssl->session_negotiate->ticket_age_add;
-#endif
- }
- else
-#endif /* MBEDTLS_SSL_SESSION_TICKETS */
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "write_identities_of_pre_shared_key_ext: "
- "should never happen" ) );
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
- ssl->session_negotiate->ciphersuite );
- /* No suitable ciphersuite for the PSK */
- if( ciphersuite_info == NULL )
- return( 0 );
-
- psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
- hash_len = PSA_HASH_LENGTH( psa_hash_alg );
- if( hash_len == -1 )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-
- /* Check if we have space to write the extension, binder included.
- * - extension_type (2 bytes)
- * - extension_data_len (2 bytes)
- * - identities_len (2 bytes)
- * - identity_len (2 bytes)
- * - identity (psk_identity_len bytes)
- * - obfuscated_ticket_age (4 bytes)
- * - binders_len (2 bytes)
- * - binder_len (1 byte)
- * - binder (hash_len bytes)
- */
-
- identities_len = 6 + psk_identity_len;
- l_binders_len = 1 + hash_len;
-
- MBEDTLS_SSL_DEBUG_MSG( 3,
- ( "client hello, adding pre_shared_key extension, "
- "omitting PSK binder list" ) );
-
- /* Extension header */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 8 );
- MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_PRE_SHARED_KEY, p, 0 );
- MBEDTLS_PUT_UINT16_BE( 2 + identities_len + 2 + l_binders_len , p, 2 );
-
- MBEDTLS_PUT_UINT16_BE( identities_len, p, 4 );
- MBEDTLS_PUT_UINT16_BE( psk_identity_len, p, 6 );
- p += 8;
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, psk_identity_len );
- memcpy( p, psk_identity, psk_identity_len );
- p += psk_identity_len;
-
- /* add obfuscated ticket age */
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 4 );
- MBEDTLS_PUT_UINT32_BE( obfuscated_ticket_age, p, 0 );
- p += 4;
-
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 + l_binders_len );
- *out_len = ( p - buf ) + l_binders_len + 2;
- *binders_len = l_binders_len + 2;
-
- ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
-
+ ((void) ssl);
+ ((void) buf);
+ ((void) end);
+ ((void) out_len);
+ ((void) binders_len);
return( 0 );
}
int mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
- mbedtls_ssl_context *ssl,
- unsigned char *buf, unsigned char *end )
+ mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end )
{
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- unsigned char *p = buf;
- const unsigned char *psk_identity;
- size_t psk_identity_len;
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL;
- psa_algorithm_t psa_hash_alg;
- int hash_len = 0;
- const unsigned char *psk = NULL;
- size_t psk_len = 0;
- int psk_type;
- unsigned char transcript[MBEDTLS_MD_MAX_SIZE];
- size_t transcript_len;
-
- if( ssl_tls13_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
- &psk_identity, &psk_identity_len ) != 0 )
- {
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
- }
-
- ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(
- ssl->session_negotiate->ciphersuite );
- if( ciphersuite_info == NULL )
- return( 0 );
-
- psa_hash_alg = mbedtls_psa_translate_md( ciphersuite_info->mac );
- hash_len = PSA_HASH_LENGTH( psa_hash_alg );
- if( ( hash_len == -1 ) || ( ( end - buf ) != 3 + hash_len ) )
- return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-
- MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding PSK binder list" ) );
-
- MBEDTLS_SSL_CHK_BUF_PTR( p, end, 3 + hash_len );
- /* 2 bytes length field for array of psk binders */
- MBEDTLS_PUT_UINT16_BE( hash_len + 1, p, 0 );
- p += 2;
-
- /* 1 bytes length field for next psk binder */
- *p++ = MBEDTLS_BYTE_0( hash_len );
-
- /* Get current state of handshake transcript. */
- ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
- transcript, sizeof( transcript ),
- &transcript_len );
- if( ret != 0 )
- return( ret );
-
- ret = mbedtls_ssl_tls13_create_psk_binder( ssl,
- mbedtls_psa_translate_md( ciphersuite_info->mac ),
- psk, psk_len, psk_type,
- transcript, p );
- if( ret != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_create_psk_binder", ret );
- return( ret );
- }
+ ((void) ssl);
+ ((void) buf);
+ ((void) end);
return( 0 );
}
+
+/*
+ * struct {
+ * opaque identity<1..2^16-1>;
+ * uint32 obfuscated_ticket_age;
+ * } PskIdentity;
+ *
+ * opaque PskBinderEntry<32..255>;
+ *
+ * struct {
+ *
+ * select (Handshake.msg_type) {
+ * ...
+ * case server_hello: uint16 selected_identity;
+ * };
+ *
+ * } PreSharedKeyExtension;
+ *
+ */
+MBEDTLS_CHECK_RETURN_CRITICAL
+static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
+ const unsigned char *buf,
+ const unsigned char *end )
+{
+ ((void) ssl);
+ ((void) buf);
+ ((void) end);
+ return( 0 );
+}
+
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
int mbedtls_ssl_tls13_write_client_hello_exts( mbedtls_ssl_context *ssl,
@@ -1299,92 +1098,6 @@
return( 0 );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
-/*
- * struct {
- * opaque identity<1..2^16-1>;
- * uint32 obfuscated_ticket_age;
- * } PskIdentity;
- *
- * opaque PskBinderEntry<32..255>;
- *
- * struct {
- *
- * select (Handshake.msg_type) {
- * ...
- * case server_hello: uint16 selected_identity;
- * };
- *
- * } PreSharedKeyExtension;
- *
- */
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-static int ssl_tls13_parse_server_pre_shared_key_ext( mbedtls_ssl_context *ssl,
- const unsigned char *buf,
- const unsigned char *end )
-{
- int ret = 0;
- size_t selected_identity;
-
- int psk_type;
- const unsigned char *psk;
- size_t psk_len;
- const unsigned char *psk_identity;
- size_t psk_identity_len;
-
- /* Check which PSK we've offered.
- *
- * NOTE: Ultimately, we want to offer multiple PSKs, and in this
- * case, we need to iterate over them here.
- */
- if( ssl_tls13_get_psk_to_offer( ssl, &psk_type, &psk, &psk_len,
- &psk_identity, &psk_identity_len ) != 0 )
- {
- /* If we haven't offered a PSK, the server must not send
- * a PSK identity extension. */
- return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
- }
-
- MBEDTLS_SSL_CHK_BUF_PTR( buf, end, 2 );
- selected_identity = MBEDTLS_GET_UINT16_BE( buf, 0 );
-
- /* We have offered only one PSK, so the only valid choice
- * for the server is PSK index 0.
- *
- * This will change once we support multiple PSKs. */
- if( selected_identity > 0 )
- {
- MBEDTLS_SSL_DEBUG_MSG( 1, ( "Server's chosen PSK identity out of range" ) );
-
- if( ( ret = mbedtls_ssl_send_alert_message( ssl,
- MBEDTLS_SSL_ALERT_LEVEL_FATAL,
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ) ) != 0 )
- {
- return( ret );
- }
-
- return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
- }
-
- /* Set the chosen PSK
- *
- * TODO: We don't have to do this in case we offered 0-RTT and the
- * server accepted it, because in this case we've already
- * set the handshake PSK. */
- ret = mbedtls_ssl_set_hs_psk( ssl, psk, psk_len );
- if( ret != 0 )
- {
- MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_set_hs_psk", ret );
- return( ret );
- }
-
- ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_PRE_SHARED_KEY;
- return( 0 );
-}
-
-#endif
-
/* Parse ServerHello message and configure context
*
* struct {