yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 16:35:41 +01:00
Code Issues Packages Projects Releases Wiki Activity

Change accepted ciphersuite versions when parsing server hello

Browse Source 
Accept only ciphersuites for version chosen by the server
This commit is contained in:
Andrzej Kurek 2018-04-25 05:06:07 -04:00
parent 1d3b508b82
commit 03bac448db
1 changed files with 13 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
library/ssl_cli.c
View File

@ -722,17 +722,21 @@ static int ssl_generate_random( mbedtls_ssl_context *ssl )
* *
* \param suite_info cipher suite to validate * \param suite_info cipher suite to validate
* \param ssl SSL context * \param ssl SSL context
* \param min_minor_ver Minimal minor version to accept a cipher suite
* \param max_minor_ver Maximal minor version to accept a cipher suite
* *
* \return 0 if valid, else 1 * \return 0 if valid, else 1
*/ */
static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info, static int ssl_validate_ciphersuite( const mbedtls_ssl_ciphersuite_t * suite_info,
const mbedtls_ssl_context * ssl ) const mbedtls_ssl_context * ssl,
int min_minor_ver, int max_minor_ver )
{ {
(void) ssl;
if( suite_info == NULL ) if( suite_info == NULL )
return( 1 ); return( 1 );
if( suite_info->min_minor_ver > ssl->conf->max_minor_ver || if( suite_info->min_minor_ver > max_minor_ver ||
suite_info->max_minor_ver < ssl->conf->min_minor_ver ) suite_info->max_minor_ver < min_minor_ver )
return( 1 ); return( 1 );
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
@ -908,7 +912,9 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
{ {
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] ); ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ciphersuites[i] );
if( ssl_validate_ciphersuite( ciphersuite_info, ssl ) != 0 ) if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
ssl->conf->min_minor_ver,
ssl->conf->max_minor_ver ) != 0 )
continue; continue;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x", MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %04x",
@ -1707,7 +1713,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: %04x", i ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: %d", buf[37 + n] ) );
/* Perform cipher suite validation in same way as in ssl_write_client_hello. /*
* Perform cipher suite validation in same way as in ssl_write_client_hello.
*/ */
i = 0; i = 0;
while( 1 ) while( 1 )
@ -1728,7 +1735,7 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
} }
suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite ); suite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite );
if( ssl_validate_ciphersuite( suite_info, ssl ) != 0 ) if( ssl_validate_ciphersuite( suite_info, ssl, ssl->minor_ver, ssl->minor_ver ) != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL, mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,