lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-05 19:35:48 +03:00
Code Activity

Merge pull request #8823 from davidhorstmann-arm/fix-config-bitflag-2.28

Browse Source 
[Backport 2.28] Update `SSL_SERIALIZED_SESSION_CONFIG_BITFLAG` with new flags
This commit is contained in:
Gilles Peskine
2024-03-05 13:17:43 +00:00
committed by GitHub
parent cb086af4bc fc8cacf9a2
commit a19f6bfcad
2 changed files with 44 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ChangeLog.d/fix-ssl-session-serialization-config.txt Normal file
View File

@@ -0,0 +1,4 @@
Bugfix
* Fix missing bitflags in SSL session serialization headers. Their absence
allowed SSL sessions saved in one configuration to be loaded in a
different, incompatible configuration.

54
library/ssl_tls.c
View File

@@ -5204,6 +5204,12 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer(const mbedtls_ssl_con
#define SSL_SERIALIZED_SESSION_CONFIG_CRT 0 #define SSL_SERIALIZED_SESSION_CONFIG_CRT 0
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 1
#else
#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT 0
#endif /* MBEDTLS_SSL_SESSION_TICKETS */
#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_SESSION_TICKETS)
#define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1 #define SSL_SERIALIZED_SESSION_CONFIG_CLIENT_TICKET 1
#else #else
@@ -5241,6 +5247,7 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer(const mbedtls_ssl_con
#define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 4 #define SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT 4
#define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 5 #define SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT 5
#define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 6 #define SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT 6
#define SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT 7
#define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \ #define SSL_SERIALIZED_SESSION_CONFIG_BITFLAG \
((uint16_t) ( \ ((uint16_t) ( \
@@ -5252,7 +5259,9 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer(const mbedtls_ssl_con
(SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC << \ (SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC << \
SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT) | \ SSL_SERIALIZED_SESSION_CONFIG_TRUNC_HMAC_BIT) | \
(SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \ (SSL_SERIALIZED_SESSION_CONFIG_ETM << SSL_SERIALIZED_SESSION_CONFIG_ETM_BIT) | \
(SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT))) (SSL_SERIALIZED_SESSION_CONFIG_TICKET << SSL_SERIALIZED_SESSION_CONFIG_TICKET_BIT) | \
(SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT << \
SSL_SERIALIZED_SESSION_CONFIG_KEEP_PEER_CRT_BIT)))
static const unsigned char ssl_serialized_session_header[] = { static const unsigned char ssl_serialized_session_header[] = {
MBEDTLS_VERSION_MAJOR, MBEDTLS_VERSION_MAJOR,
@@ -5278,19 +5287,36 @@ static const unsigned char ssl_serialized_session_header[] = {
* // the setting of those compile-time * // the setting of those compile-time
* // configuration options which influence * // configuration options which influence
* // the structure of mbedtls_ssl_session. * // the structure of mbedtls_ssl_session.
* uint64 start_time; * #if defined(MBEDTLS_HAVE_TIME)
* uint8 ciphersuite[2]; // defined by the standard * uint64 start_time;
* uint8 compression; // 0 or 1 * #endif
* uint8 session_id_len; // at most 32 * uint8 ciphersuite[2]; // defined by the standard
* opaque session_id[32]; * uint8 compression; // 0 or 1
* opaque master[48]; // fixed length in the standard * uint8 session_id_len; // at most 32
* uint32 verify_result; * opaque session_id[32];
* opaque peer_cert<0..2^24-1>; // length 0 means no peer cert * opaque master[48]; // fixed length in the standard
* opaque ticket<0..2^24-1>; // length 0 means no ticket * uint32 verify_result;
* uint32 ticket_lifetime; * #if defined(MBEDTLS_X509_CRT_PARSE_C)
* uint8 mfl_code; // up to 255 according to standard * #if defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
* uint8 trunc_hmac; // 0 or 1 * opaque peer_cert<0..2^24-1>; // length 0 means no peer cert
* uint8 encrypt_then_mac; // 0 or 1 * #else
* uint8 peer_cert_digest_type;
* opaque peer_cert_digest<0..2^8-1>
* #endif
* #endif
* #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_CLI_C)
* opaque ticket<0..2^24-1>; // length 0 means no ticket
* uint32 ticket_lifetime;
* #endif
* #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
* uint8 mfl_code; // up to 255 according to standard
* #endif
* #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
* uint8 trunc_hmac; // 0 or 1
* #endif
* #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
* uint8 encrypt_then_mac; // 0 or 1
* #endif
* *
* The order is the same as in the definition of the structure, except * The order is the same as in the definition of the structure, except
* verify_result is put before peer_cert so that all mandatory fields come * verify_result is put before peer_cert so that all mandatory fields come