lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-28 00:21:48 +03:00
Code Activity

Merge branch 'development' into dtls

Browse Source 
* development: (46 commits)
  Fix url again
  Fix small bug in base64_encode()
  Fix depend that was checked but not documented
  Fix dependency that was not checked
  Minor gitginore fixes
  Move some ignore patterns to subdirectories
  Ignore CMake/MSVC-related build files.
  Re-categorize changelog entry
  Fix misattribution
  Minor nits with stdout/stderr.
  Add cmake compatibility targets
  Add script for polarssl symlink creation
  Fix more stdio inclusion issues
  Add debug info for cert/suite selection
  Fix possible portability issue
  Fix bug in ssl_get_verify_result()
  aescrypt2.c local char array not initial
  Update Changelog
  Fix mips64 bignum implementation
  Fix usage string of ssl_client2
  ...

Conflicts:
	include/polarssl/ssl.h
	library/CMakeLists.txt
	library/Makefile
	programs/Makefile
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	visualc/VS2010/PolarSSL.sln
	visualc/VS2010/mbedTLS.vcxproj
	visualc/VS6/mbedtls.dsp
	visualc/VS6/mbedtls.dsw
This commit is contained in:
Manuel Pégourié-Gonnard
2015-01-29 11:29:12 +00:00
parent dba564bc79 860b51642d
commit 2a0718d947
267 changed files with 5475 additions and 3350 deletions
Download Patch File Download Diff File Expand all files Collapse all files

55
library/ssl_srv.c
View File

@ -3,7 +3,7 @@
*
* Copyright (C) 2006-2014, ARM Limited, All Rights Reserved
*
* This file is part of mbed TLS (https://www.polarssl.org)
* This file is part of mbed TLS (https://polarssl.org)
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@ -869,10 +869,18 @@ static int ssl_pick_cert( ssl_context *ssl,
if( pk_alg == POLARSSL_PK_NONE )
return( 0 );
SSL_DEBUG_MSG( 3, ( "ciphersuite requires certificate" ) );
for( cur = list; cur != NULL; cur = cur->next )
{
SSL_DEBUG_CRT( 3, "candidate certificate chain, certificate",
cur->cert );
if( ! pk_can_do( cur->key, pk_alg ) )
{
SSL_DEBUG_MSG( 3, ( "certificate mismatch: key type" ) );
continue;
}
/*
* This avoids sending the client a cert it'll reject based on
@ -885,13 +893,18 @@ static int ssl_pick_cert( ssl_context *ssl,
if( ssl_check_cert_usage( cur->cert, ciphersuite_info,
SSL_IS_SERVER ) != 0 )
{
SSL_DEBUG_MSG( 3, ( "certificate mismatch: "
"(extended) key usage extension" ) );
continue;
}
#if defined(POLARSSL_ECDSA_C)
if( pk_alg == POLARSSL_PK_ECDSA &&
ssl_check_key_curve( cur->key, ssl->handshake->curves ) != 0 )
{
SSL_DEBUG_MSG( 3, ( "certificate mismatch: elliptic curve" ) );
continue;
}
#endif
/*
@ -904,22 +917,27 @@ static int ssl_pick_cert( ssl_context *ssl,
{
if( fallback == NULL )
fallback = cur;
{
SSL_DEBUG_MSG( 3, ( "certificate not preferred: "
"sha-2 with pre-TLS 1.2 client" ) );
continue;
}
}
/* If we get there, we got a winner */
break;
}
if( cur == NULL )
cur = fallback;
/* Do not update ssl->handshake->key_cert unless the is a match */
if( cur != NULL )
{
ssl->handshake->key_cert = cur;
return( 0 );
}
if( fallback != NULL )
{
ssl->handshake->key_cert = fallback;
SSL_DEBUG_CRT( 3, "selected certificate chain, certificate",
ssl->handshake->key_cert->cert );
return( 0 );
}
@ -943,9 +961,14 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
return( POLARSSL_ERR_SSL_INTERNAL_ERROR );
}
SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s", suite_info->name ) );
if( suite_info->min_minor_ver > ssl->minor_ver ||
suite_info->max_minor_ver < ssl->minor_ver )
{
SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
return( 0 );
}
#if defined(POLARSSL_SSL_PROTO_DTLS)
if( ssl->transport == SSL_TRANSPORT_DATAGRAM &&
@ -955,13 +978,20 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
if( ssl->arc4_disabled == SSL_ARC4_DISABLED &&
suite_info->cipher == POLARSSL_CIPHER_ARC4_128 )
{
SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: rc4" ) );
return( 0 );
}
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
if( ssl_ciphersuite_uses_ec( suite_info ) &&
( ssl->handshake->curves == NULL ||
ssl->handshake->curves[0] == NULL ) )
{
SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
"no common elliptic curve" ) );
return( 0 );
}
#endif
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
@ -971,7 +1001,10 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
ssl->f_psk == NULL &&
( ssl->psk == NULL || ssl->psk_identity == NULL ||
ssl->psk_identity_len == 0 || ssl->psk_len == 0 ) )
{
SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: no pre-shared key" ) );
return( 0 );
}
#endif
#if defined(POLARSSL_X509_CRT_PARSE_C)
@ -983,7 +1016,11 @@ static int ssl_ciphersuite_match( ssl_context *ssl, int suite_id,
* This must be done last since we modify the key_cert list.
*/
if( ssl_pick_cert( ssl, suite_info ) != 0 )
{
SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
"no suitable certificate" ) );
return( 0 );
}
#endif
*ciphersuite_info = suite_info;
@ -1233,6 +1270,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
}
have_ciphersuite_v2:
SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
@ -2004,6 +2043,8 @@ read_record_header:
}
have_ciphersuite:
SSL_DEBUG_MSG( 2, ( "selected ciphersuite: %s", ciphersuite_info->name ) );
ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );