Introduce ciphersuite handle type
This commit introduces an internal zero-cost abstraction layer for
SSL ciphersuites: Instead of addressing ciphersuites via pointers
to instances of mbedtls_ssl_ciphersuite_t and accessing their fields
directly, this commit introduces an opaque type
mbedtls_ssl_ciphersuite_handle_t,
and getter functions
mbedtls_ssl_suite_get_xxx()
operating on ciphersuite handles.
The role of NULL is played by a new macro constant
MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE
which results of functions returning handles can be checked against.
(For example, when doing a lookup of a ciphersuite from a peer-provided
ciphersuite ID in the per's Hello message).
The getter functions have the validity of the handle as a precondition
and are undefined if the handle is invalid.
So far, there's only one implementation of this abstraction layer, namely
mbedtls_ssl_ciphersuite_handle_t being mbedtls_ssl_ciphersuite_t const *
and
getter functions being field accesses.
In subsequent commits, however, the abstraction layer will be useful
to save code in the situation where only a single ciphersuite is enabled.
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index c63b445..56641f5 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -56,6 +56,7 @@
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
@@ -1296,19 +1297,19 @@
if( opt.force_ciphersuite[0] > 0 )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
if( opt.max_version != -1 &&
- ciphersuite_info->min_minor_ver > opt.max_version )
+ mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
{
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
ret = 2;
goto usage;
}
if( opt.min_version != -1 &&
- ciphersuite_info->max_minor_ver < opt.min_version )
+ mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
{
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
ret = 2;
@@ -1318,13 +1319,13 @@
/* If the server selects a version that's not supported by
* this suite, then there will be no common ciphersuite... */
if( opt.max_version == -1 ||
- opt.max_version > ciphersuite_info->max_minor_ver )
+ opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
{
- opt.max_version = ciphersuite_info->max_minor_ver;
+ opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
}
- if( opt.min_version < ciphersuite_info->min_minor_ver )
+ if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
{
- opt.min_version = ciphersuite_info->min_minor_ver;
+ opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
/* DTLS starts with TLS 1.1 */
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
@@ -1332,7 +1333,7 @@
}
/* Enable RC4 if needed and not explicitly disabled */
- if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+ if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 )
{
if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
{
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 876a7a0..4312629 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -55,6 +55,7 @@
#include "mbedtls/net_sockets.h"
#include "mbedtls/ssl.h"
+#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
@@ -2018,19 +2019,19 @@
if( opt.force_ciphersuite[0] > 0 )
{
- const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
+ mbedtls_ssl_ciphersuite_handle_t ciphersuite_info;
ciphersuite_info =
mbedtls_ssl_ciphersuite_from_id( opt.force_ciphersuite[0] );
if( opt.max_version != -1 &&
- ciphersuite_info->min_minor_ver > opt.max_version )
+ mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) > opt.max_version )
{
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
ret = 2;
goto usage;
}
if( opt.min_version != -1 &&
- ciphersuite_info->max_minor_ver < opt.min_version )
+ mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) < opt.min_version )
{
mbedtls_printf( "forced ciphersuite not allowed with this protocol version\n" );
ret = 2;
@@ -2040,13 +2041,13 @@
/* If we select a version that's not supported by
* this suite, then there will be no common ciphersuite... */
if( opt.max_version == -1 ||
- opt.max_version > ciphersuite_info->max_minor_ver )
+ opt.max_version > mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info ) )
{
- opt.max_version = ciphersuite_info->max_minor_ver;
+ opt.max_version = mbedtls_ssl_suite_get_max_minor_ver( ciphersuite_info );
}
- if( opt.min_version < ciphersuite_info->min_minor_ver )
+ if( opt.min_version < mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info ) )
{
- opt.min_version = ciphersuite_info->min_minor_ver;
+ opt.min_version = mbedtls_ssl_suite_get_min_minor_ver( ciphersuite_info );
/* DTLS starts with TLS 1.1 */
if( opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM &&
opt.min_version < MBEDTLS_SSL_MINOR_VERSION_2 )
@@ -2054,7 +2055,7 @@
}
/* Enable RC4 if needed and not explicitly disabled */
- if( ciphersuite_info->cipher == MBEDTLS_CIPHER_ARC4_128 )
+ if( mbedtls_ssl_suite_get_cipher( ciphersuite_info ) == MBEDTLS_CIPHER_ARC4_128 )
{
if( opt.arc4 == MBEDTLS_SSL_ARC4_DISABLED )
{