lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Code Activity

Merge commit 'b2eaac1' into dtls

Browse Source 
* commit 'b2eaac1':
  Stop assuming chars are signed
  Add tests for CBC record splitting
  Fix tests that were failing with record splitting
  Allow disabling record splitting at runtime
  Add 1/n-1 record splitting
  Enhance doc on ssl_write()

Conflicts:
	include/polarssl/ssl.h
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
This commit is contained in:
Manuel Pégourié-Gonnard
2015-01-21 13:37:08 +00:00
parent b89c4f35a1 b2eaac154b
commit 8fbb01ec84
8 changed files with 190 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
include/polarssl/check_config.h
View File

@ -303,6 +303,11 @@
#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
#endif
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING) && \
!defined(POLARSSL_SSL_PROTO_SSL3) && !defined(POLARSSL_SSL_PROTO_TLS1)
#error "POLARSSL_SSL_CBC_RECORD_SPLITTING defined, but not all prerequisites"
#endif
#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION) && \
!defined(POLARSSL_X509_CRT_PARSE_C)
#error "POLARSSL_SSL_SERVER_NAME_INDICATION defined, but not all prerequisites"

12
include/polarssl/config.h
View File

@ -886,6 +886,18 @@
*/
//#define POLARSSL_SSL_HW_RECORD_ACCEL
/**
* \def POLARSSL_SSL_CBC_RECORD_SPLITTING
*
* Enable 1/n-1 record splitting for CBC mode in SSLv3 and TLS 1.0.
*
* This is a countermeasure to the BEAST attack, which also minimizes the risk
* of interoperability issues compared to sending 0-length records.
*
* Comment this macro to disable 1/n-1 record splitting.
*/
#define POLARSSL_SSL_CBC_RECORD_SPLITTING
/**
* \def POLARSSL_SSL_DISABLE_RENEGOTIATION
*

34
include/polarssl/ssl.h
View File

@ -265,6 +265,9 @@
#define SSL_SESSION_TICKETS_DISABLED 0
#define SSL_SESSION_TICKETS_ENABLED 1
#define SSL_CBC_RECORD_SPLITTING_DISABLED -1
#define SSL_CBC_RECORD_SPLITTING_ENABLED 0
/*
* DTLS retransmission states, see RFC 6347 4.2.4
*
@ -943,6 +946,10 @@ struct _ssl_context
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
unsigned char mfl_code; /*!< MaxFragmentLength chosen by us */
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
char split_done; /*!< flag for record splitting:
-1 disabled, 0 todo, 1 done */
#endif
/*
* PKI layer
@ -1857,6 +1864,21 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
#if defined(POLARSSL_SSL_CBC_RECORD_SPLITTING)
/**
* \brief Enable / Disable 1/n-1 record splitting
* (Default: SSL_CBC_RECORD_SPLITTING_ENABLED)
*
* \note Only affects SSLv3 and TLS 1.0, not higher versions.
* Does not affect non-CBC ciphersuites in any version.
*
* \param ssl SSL context
* \param split SSL_CBC_RECORD_SPLITTING_ENABLED or
* SSL_CBC_RECORD_SPLITTING_DISABLED
*/
void ssl_set_cbc_record_splitting( ssl_context *ssl, char split );
#endif /* POLARSSL_SSL_CBC_RECORD_SPLITTING */
#if defined(POLARSSL_SSL_SESSION_TICKETS)
/**
* \brief Enable / Disable session tickets
@ -2147,11 +2169,13 @@ int ssl_read( ssl_context *ssl, unsigned char *buf, size_t len );
* it must be called later with the *same* arguments,
* until it returns a positive value.
*
* \note When DTLS is in use, and a maximum fragment length was
* either set with \c ssl_set_max_frag_len() or negotiated by
* the peer, len must not not be greater than the maximum
* fragment length, or POLARSSL_ERR_SSL_BAD_INPUT_DATA is
* returned.
* \note If the requested length is greater than the maximum
* fragment length (either the built-in limit or the one set
* or negotiated with the peer), then:
* - with TLS, less bytes than requested are written. (In
* order to write larger messages, this function should be
* called in a loop.)
* - with DTLS, POLARSSL_ERR_SSL_BAD_INPUT_DATA is returned.
*/
int ssl_write( ssl_context *ssl, const unsigned char *buf, size_t len );