
Started to implement TLS1.1 (but disabled for now)

git-svn-id: svn://svn.code.sf.net/p/axtls/code/trunk@204 9a5d90b5-6617-0410-8a86-bb477d3ed2e3
cameronrich
2011-04-26 20:33:55 +00:00
parent 222f2d98f1
commit 2ae9a3ec83
6 changed files with 69 additions and 30 deletions


@ -120,17 +120,20 @@ static int process_client_hello(SSL *ssl)
uint8_t *record_buf = ssl->hmac_header;
int pkt_size = ssl->bm_index;
int i, j, cs_len, id_len, offset = 6 + SSL_RANDOM_SIZE;
int version = (record_buf[1] << 4) + record_buf[2];
int ret = SSL_OK;
/* should be v3.1 (TLSv1) or better - we'll send in v3.1 mode anyway */
if (version < 0x31)
uint8_t version = (record_buf[1] << 4) + record_buf[2];
if (version > SSL_PROTOCOL_VERSION)
version = SSL_PROTOCOL_VERSION;
else if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
{
ret = SSL_ERROR_INVALID_VERSION;
ssl_display_error(ret);
goto error;
}
ssl->version = ssl->client_version = version;
memcpy(ssl->dc->client_random, &buf[6], SSL_RANDOM_SIZE);
/* process the session id */
@ -151,10 +154,11 @@ static int process_client_hello(SSL *ssl)
PARANOIA_CHECK(pkt_size, offset);
/* work out what cipher suite we are going to use */
for (j = 0; j < NUM_PROTOCOLS; j++)
/* work out what cipher suite we are going to use - client defines
the preference */
for (i = 0; i < cs_len; i += 2)
{
for (i = 0; i < cs_len; i += 2)
for (j = 0; j < NUM_PROTOCOLS; j++)
{
if (ssl_prot_prefs[j] == buf[offset+i]) /* got a match? */
{
@ -180,7 +184,6 @@ int process_sslv23_client_hello(SSL *ssl)
{
uint8_t *buf = ssl->bm_data;
int bytes_needed = ((buf[0] & 0x7f) << 8) + buf[1];
int version = (buf[3] << 4) + buf[4];
int ret = SSL_OK;
/* we have already read 3 extra bytes so far */
@ -193,8 +196,9 @@ int process_sslv23_client_hello(SSL *ssl)
DISPLAY_BYTES(ssl, "received %d bytes", buf, read_len, read_len);
/* should be v3.1 (TLSv1) or better - we'll send in v3.1 mode anyway */
if (version < 0x31)
/* should be v3.1 (TLSv1) or better */
ssl->version = (buf[3] << 4) + buf[4];
if (ssl->version < SSL_PROTOCOL_MIN_VERSION)
{
return SSL_ERROR_INVALID_VERSION;
}
@ -308,7 +312,7 @@ static int send_server_hello(SSL *ssl)
buf[2] = 0;
/* byte 3 is calculated later */
buf[4] = 0x03;
buf[5] = 0x01;
buf[5] = ssl->version & 0x0f;
/* server random value */
get_random(SSL_RANDOM_SIZE, &buf[6]);
@ -396,11 +400,12 @@ static int process_client_key_xchg(SSL *ssl)
SSL_CTX_UNLOCK(ssl->ssl_ctx->mutex);
if (premaster_size != SSL_SECRET_SIZE ||
premaster_secret[0] != 0x03 || /* check version is 3.1 (TLS) */
premaster_secret[1] != 0x01)
premaster_secret[0] != 0x03 || /* must be the same as client
offered version */
premaster_secret[1] != (ssl->client_version & 0x0f))
{
/* guard against a Bleichenbacher attack */
memset(premaster_secret, 0, SSL_SECRET_SIZE);
get_random(SSL_SECRET_SIZE, premaster_secret);
/* and continue - will die eventually when checking the mac */
}
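Review bot: In the first hunk of process_client_hello the new minimum-version test reads `ssl->version`, which is only assigned on the line after the if/else block, so the version just parsed from the hello is never compared with SSL_PROTOCOL_MIN_VERSION and the outcome depends on whatever the field held before. The test should use the local value, `else if (version < SSL_PROTOCOL_MIN_VERSION)`. The same hunk stores the clamped value in `ssl->client_version`, while process_client_key_xchg now compares the pre-master secret's version byte with that field; as far as these lines show, a client offering more than SSL_PROTOCOL_VERSION would always fail that comparison, so record the offer first with `ssl->client_version = version;` and clamp only `ssl->version`. `version` is also narrowed to `uint8_t`, so a major byte of 0x10 or more loses its high bits after the `<< 4` and can alias a supported version; keeping it `int` avoids that. Both functions continue outside the hunks shown.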