tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED to guard
code specific to the TLS 1.3 ephemeral key exchange mode.
Use it also for the dependencies of TLS 1.3 only tests
relying on ephemeral key exchange mode, but for
tests in tls13-kex-modes.sh where the change is done
later using all
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_.*ENABLED macros.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ae60256..a58e2a1 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -1873,7 +1873,7 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_process_certificate( mbedtls_ssl_context *ssl );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
/*
* Handler of TLS 1.3 write Certificate message
*/
@@ -1886,7 +1886,7 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
* Generic handler of Certificate Verify
@@ -2063,10 +2063,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
}
-
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
static inline int mbedtls_ssl_sig_alg_is_received( const mbedtls_ssl_context *ssl,
uint16_t own_sig_alg )
{
@@ -2081,61 +2078,7 @@
}
return( 0 );
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
- uint16_t proposed_sig_alg )
-{
- const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
- if( sig_alg == NULL )
- return( 0 );
-
- for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
- {
- if( *sig_alg == proposed_sig_alg )
- return( 1 );
- }
- return( 0 );
-}
-
-static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
- uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
-{
- *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
- *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
-
- if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
- return( 0 );
-
- switch( sig_alg )
- {
-#if defined(MBEDTLS_PKCS1_V21)
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
- *md_alg = MBEDTLS_MD_SHA256;
- *pk_type = MBEDTLS_PK_RSASSA_PSS;
- break;
-#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
- *md_alg = MBEDTLS_MD_SHA384;
- *pk_type = MBEDTLS_PK_RSASSA_PSS;
- break;
-#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
- *md_alg = MBEDTLS_MD_SHA512;
- *pk_type = MBEDTLS_PK_RSASSA_PSS;
- break;
-#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#endif /* MBEDTLS_PKCS1_V21 */
- default:
- return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
- }
- return( 0 );
-}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
const uint16_t sig_alg )
{
@@ -2203,7 +2146,63 @@
return( 1 );
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
+ mbedtls_pk_context *key );
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
+
+#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+static inline int mbedtls_ssl_sig_alg_is_offered( const mbedtls_ssl_context *ssl,
+ uint16_t proposed_sig_alg )
+{
+ const uint16_t *sig_alg = mbedtls_ssl_get_sig_algs( ssl );
+ if( sig_alg == NULL )
+ return( 0 );
+
+ for( ; *sig_alg != MBEDTLS_TLS_SIG_NONE; sig_alg++ )
+ {
+ if( *sig_alg == proposed_sig_alg )
+ return( 1 );
+ }
+ return( 0 );
+}
+
+static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
+ uint16_t sig_alg, mbedtls_pk_type_t *pk_type, mbedtls_md_type_t *md_alg )
+{
+ *pk_type = mbedtls_ssl_pk_alg_from_sig( sig_alg & 0xff );
+ *md_alg = mbedtls_ssl_md_alg_from_hash( ( sig_alg >> 8 ) & 0xff );
+
+ if( *pk_type != MBEDTLS_PK_NONE && *md_alg != MBEDTLS_MD_NONE )
+ return( 0 );
+
+ switch( sig_alg )
+ {
+#if defined(MBEDTLS_PKCS1_V21)
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
+ *md_alg = MBEDTLS_MD_SHA256;
+ *pk_type = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
+ *md_alg = MBEDTLS_MD_SHA384;
+ *pk_type = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
+#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+ case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
+ *md_alg = MBEDTLS_MD_SHA512;
+ *pk_type = MBEDTLS_PK_RSASSA_PSS;
+ break;
+#endif /* MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
+#endif /* MBEDTLS_PKCS1_V21 */
+ default:
+ return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
+ }
+ return( 0 );
+}
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
@@ -2281,25 +2280,16 @@
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if( ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3 )
{
return( mbedtls_ssl_tls13_sig_alg_is_supported( sig_alg ) );
}
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
+#endif
((void) ssl);
((void) sig_alg);
return( 0 );
}
-
-#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
-
-MBEDTLS_CHECK_RETURN_CRITICAL
-int mbedtls_ssl_tls13_check_sig_alg_cert_key_match( uint16_t sig_alg,
- mbedtls_pk_context *key );
-
-#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
-
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b62e2ac..1e7d9a3 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -4822,7 +4822,7 @@
else
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
conf->sig_algs = ssl_preset_suiteb_sig_algs;
-#endif
+#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_ECP_C) && !defined(MBEDTLS_DEPRECATED_REMOVED)
conf->curve_list = NULL;
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 4aba59f..c44399e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -2065,7 +2065,7 @@
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
else
@@ -2082,7 +2082,7 @@
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
/*
* STATE HANDLING: CertificateRequest
*
@@ -2319,7 +2319,7 @@
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
return( 0 );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
* Handler for MBEDTLS_SSL_SERVER_FINISHED
@@ -2365,7 +2365,7 @@
( "Switch to handshake traffic keys for outbound traffic" ) );
mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if( ssl->handshake->client_auth )
{
int ret = mbedtls_ssl_tls13_write_certificate( ssl );
@@ -2395,7 +2395,7 @@
return( 0 );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
/*
* Handler for MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY
*/
@@ -2409,7 +2409,7 @@
return( ret );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
@@ -2722,7 +2722,7 @@
ret = ssl_tls13_process_encrypted_extensions( ssl );
break;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
ret = ssl_tls13_process_certificate_request( ssl );
break;
@@ -2734,7 +2734,7 @@
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
ret = ssl_tls13_process_certificate_verify( ssl );
break;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
case MBEDTLS_SSL_SERVER_FINISHED:
ret = ssl_tls13_process_server_finished( ssl );
@@ -2744,11 +2744,11 @@
ret = ssl_tls13_write_client_certificate( ssl );
break;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
case MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY:
ret = ssl_tls13_write_client_certificate_verify( ssl );
break;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
case MBEDTLS_SSL_CLIENT_FINISHED:
ret = ssl_tls13_write_client_finished( ssl );
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index abb7a14..3913c16 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -83,7 +83,7 @@
return( ret );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
/*
* STATE HANDLING: Read CertificateVerify
*/
@@ -285,12 +285,12 @@
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
int mbedtls_ssl_tls13_process_certificate_verify( mbedtls_ssl_context *ssl )
{
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char verify_buffer[SSL_VERIFY_STRUCT_MAX_SIZE];
size_t verify_buffer_len;
@@ -348,7 +348,7 @@
((void) ssl);
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
}
/*
@@ -757,7 +757,7 @@
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= parse certificate" ) );
return( ret );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
/*
* enum {
* X509(0),
@@ -1078,7 +1078,7 @@
return( ret );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
*
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 3e54f38..e5cd416 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -1104,7 +1104,7 @@
}
#if defined(MBEDTLS_X509_CRT_PARSE_C) && \
- defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+ defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_algorithm_t ssl_tls13_iana_sig_alg_to_psa_alg( uint16_t sig_alg )
@@ -1229,7 +1229,7 @@
return( -1 );
}
#endif /* MBEDTLS_X509_CRT_PARSE_C &&
- MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
*
@@ -1634,7 +1634,7 @@
break;
#endif /* MBEDTLS_SSL_ALPN */
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
case MBEDTLS_TLS_EXT_SIG_ALG:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
@@ -1649,7 +1649,7 @@
}
ssl->handshake->extensions_present |= MBEDTLS_SSL_EXT_SIG_ALG;
break;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
default:
MBEDTLS_SSL_DEBUG_MSG( 3,
@@ -2390,7 +2390,7 @@
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len ) );
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if( mbedtls_ssl_tls13_key_exchange_mode_with_psk( ssl ) )
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
else
@@ -2405,7 +2405,7 @@
return( ret );
}
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
#define SSL_CERTIFICATE_REQUEST_SEND_REQUEST 0
#define SSL_CERTIFICATE_REQUEST_SKIP 1
/* Coordination:
@@ -2573,7 +2573,7 @@
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
return( 0 );
}
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
* Handler for MBEDTLS_SSL_SERVER_FINISHED
@@ -2984,7 +2984,7 @@
}
break;
-#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
+#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
ret = ssl_tls13_write_certificate_request( ssl );
break;
@@ -2996,7 +2996,7 @@
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
ret = ssl_tls13_write_certificate_verify( ssl );
break;
-#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
+#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
/*
* Injection of dummy-CCS's for middlebox compatibility