Merge pull request #4982 from yuhaoth/pr/add-read-ptr-and-handshake-kex-modes
TLS1.3:add read ptr and handshake kex modes
CI merge job: only "Session resume using tickets, DTLS: openssl client" failed in one component thus CI can be considered as passed.
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 7c44382..9041c51 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -413,6 +413,32 @@
} \
} while( 0 )
+/**
+ * \brief This macro checks if the remaining length in an input buffer is
+ * greater or equal than a needed length. If it is not the case, it
+ * returns #MBEDTLS_ERR_SSL_DECODE_ERROR error and pends a
+ * #MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR alert message.
+ *
+ * This is a function-like macro. It is guaranteed to evaluate each
+ * argument exactly once.
+ *
+ * \param cur Pointer to the current position in the buffer.
+ * \param end Pointer to one past the end of the buffer.
+ * \param need Needed length in bytes.
+ *
+ */
+#define MBEDTLS_SSL_CHK_BUF_READ_PTR( cur, end, need ) \
+ do { \
+ if( mbedtls_ssl_chk_buf_ptr( ( cur ), ( end ), ( need ) ) != 0 ) \
+ { \
+ MBEDTLS_SSL_DEBUG_MSG( 1, \
+ ( "missing input data in %s", __func__ ) ); \
+ MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
+ MBEDTLS_ERR_SSL_DECODE_ERROR ); \
+ return( MBEDTLS_ERR_SSL_DECODE_ERROR ); \
+ } \
+ } while( 0 )
+
#ifdef __cplusplus
extern "C" {
#endif
@@ -490,6 +516,9 @@
/*
* Handshake specific crypto variables
*/
+#if defined(MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL)
+ int tls1_3_kex_modes; /*!< key exchange modes for TLS 1.3 */
+#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@@ -1434,6 +1463,53 @@
MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
}
+/**
+ * Given a list of key exchange modes, check if at least one of them is
+ * supported.
+ *
+ * \param[in] ssl SSL context
+ * \param kex_modes_mask Mask of the key exchange modes to check
+ *
+ * \return 0 if at least one of the key exchange modes is supported,
+ * !=0 otherwise.
+ */
+static inline unsigned mbedtls_ssl_tls1_3_check_kex_modes( mbedtls_ssl_context *ssl,
+ int kex_modes_mask )
+{
+ return( ( ssl->handshake->tls1_3_kex_modes & kex_modes_mask ) == 0 );
+}
+
+static inline int mbedtls_ssl_tls1_3_psk_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_psk_ephemeral_enabled(
+ mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_EPHEMERAL ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_ephemeral_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_some_ephemeral_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_EPHEMERAL_ALL ) );
+}
+
+static inline int mbedtls_ssl_tls1_3_some_psk_enabled( mbedtls_ssl_context *ssl )
+{
+ return( ! mbedtls_ssl_tls1_3_check_kex_modes( ssl,
+ MBEDTLS_SSL_TLS13_KEY_EXCHANGE_MODE_PSK_ALL ) );
+}
+
#endif /* MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL */
/**