mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-08-08 17:42:09 +03:00
Ability to specify allowed ciphersuites based on the protocol version.
The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int *[4]'.
The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
(cherry picked from commit a62729888b
)
Conflicts:
ChangeLog
library/ssl_srv.c
library/ssl_tls.c
This commit is contained in:
@@ -255,6 +255,7 @@ static int ssl_write_client_hello( ssl_context *ssl )
|
||||
unsigned char *buf;
|
||||
unsigned char *p;
|
||||
time_t t;
|
||||
const int *ciphersuites;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
|
||||
|
||||
@@ -327,7 +328,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
|
||||
SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
|
||||
SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
|
||||
|
||||
for( n = 0; ssl->ciphersuites[n] != 0; n++ );
|
||||
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
|
||||
for( n = 0; ciphersuites[n] != 0; n++ );
|
||||
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
|
||||
*p++ = (unsigned char)( n >> 7 );
|
||||
*p++ = (unsigned char)( n << 1 );
|
||||
@@ -347,10 +349,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
|
||||
for( i = 0; i < n; i++ )
|
||||
{
|
||||
SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
|
||||
ssl->ciphersuites[i] ) );
|
||||
ciphersuites[i] ) );
|
||||
|
||||
*p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 );
|
||||
*p++ = (unsigned char)( ssl->ciphersuites[i] );
|
||||
*p++ = (unsigned char)( ciphersuites[i] >> 8 );
|
||||
*p++ = (unsigned char)( ciphersuites[i] );
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_ZLIB_SUPPORT)
|
||||
@@ -571,7 +573,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
|
||||
if( ssl->transform_negotiate->ciphersuite_info == NULL )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
|
||||
ssl->ciphersuites[i] ) );
|
||||
ssl->ciphersuite_list[ssl->minor_ver][i] ) );
|
||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
@@ -616,14 +618,17 @@ static int ssl_parse_server_hello( ssl_context *ssl )
|
||||
i = 0;
|
||||
while( 1 )
|
||||
{
|
||||
if( ssl->ciphersuites[i] == 0 )
|
||||
if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||
}
|
||||
|
||||
if( ssl->ciphersuites[i++] == ssl->session_negotiate->ciphersuite )
|
||||
if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
|
||||
ssl->session_negotiate->ciphersuite )
|
||||
{
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if( comp != SSL_COMPRESS_NULL
|
||||
|
@@ -271,6 +271,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
|
||||
size_t n;
|
||||
unsigned int ciph_len, sess_len, chal_len;
|
||||
unsigned char *buf, *p;
|
||||
const int *ciphersuites;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
|
||||
|
||||
@@ -431,7 +432,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
|
||||
}
|
||||
}
|
||||
|
||||
for( i = 0; ssl->ciphersuites[i] != 0; i++ )
|
||||
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
{
|
||||
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
|
||||
{
|
||||
@@ -439,8 +441,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
|
||||
//
|
||||
if( p[0] == 0 &&
|
||||
p[1] == 0 &&
|
||||
( ( ssl->ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
|
||||
p[2] == ( ssl->ciphersuites[i] & 0xFF ) )
|
||||
( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
|
||||
p[2] == ( ciphersuites[i] & 0xFF ) )
|
||||
goto have_ciphersuite_v2;
|
||||
}
|
||||
}
|
||||
@@ -450,7 +452,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
|
||||
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
|
||||
|
||||
have_ciphersuite_v2:
|
||||
ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i];
|
||||
ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
||||
ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
|
||||
|
||||
/*
|
||||
@@ -487,6 +489,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||
unsigned char *buf, *p, *ext;
|
||||
int renegotiation_info_seen = 0;
|
||||
int handshake_failure = 0;
|
||||
const int *ciphersuites;
|
||||
const ssl_ciphersuite_t *ciphersuite_info;
|
||||
|
||||
SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
|
||||
@@ -836,20 +839,21 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||
* Search for a matching ciphersuite
|
||||
* (At the end because we need information from the EC-based extensions)
|
||||
*/
|
||||
for( i = 0; ssl->ciphersuites[i] != 0; i++ )
|
||||
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
|
||||
for( i = 0; ciphersuites[i] != 0; i++ )
|
||||
{
|
||||
for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
|
||||
j += 2, p += 2 )
|
||||
{
|
||||
if( p[0] == ( ( ssl->ciphersuites[i] >> 8 ) & 0xFF ) &&
|
||||
p[1] == ( ( ssl->ciphersuites[i] ) & 0xFF ) )
|
||||
if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
|
||||
p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
|
||||
{
|
||||
ciphersuite_info = ssl_ciphersuite_from_id( ssl->ciphersuites[i] );
|
||||
ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
|
||||
|
||||
if( ciphersuite_info == NULL )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
|
||||
ssl->ciphersuites[i] ) );
|
||||
ciphersuites[i] ) );
|
||||
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
@@ -870,7 +874,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
|
||||
|
||||
have_ciphersuite:
|
||||
ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i];
|
||||
ssl->session_negotiate->ciphersuite = ciphersuites[i];
|
||||
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
|
||||
ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
|
||||
|
||||
|
@@ -2677,7 +2677,7 @@ int ssl_init( ssl_context *ssl )
|
||||
ssl->min_major_ver = SSL_MAJOR_VERSION_3;
|
||||
ssl->min_minor_ver = SSL_MINOR_VERSION_0;
|
||||
|
||||
ssl->ciphersuites = ssl_list_ciphersuites();
|
||||
ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
|
||||
|
||||
#if defined(POLARSSL_DHM_C)
|
||||
if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
|
||||
@@ -2862,7 +2862,22 @@ void ssl_set_session( ssl_context *ssl, const ssl_session *session )
|
||||
|
||||
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
|
||||
{
|
||||
ssl->ciphersuites = ciphersuites;
|
||||
ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
|
||||
ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
|
||||
ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
|
||||
ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
|
||||
}
|
||||
|
||||
void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
|
||||
int major, int minor )
|
||||
{
|
||||
if( major != SSL_MAJOR_VERSION_3 )
|
||||
return;
|
||||
|
||||
if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
|
||||
return;
|
||||
|
||||
ssl->ciphersuite_list[minor] = ciphersuites;
|
||||
}
|
||||
|
||||
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
|
||||
|
Reference in New Issue
Block a user