mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 03:25:38 +01:00
Merge pull request #5660 from ronald-cron-arm/restore-full-compat-testing-2.28
Backport 2.28: Restore full compat testing
commit
19f2d59184
@ -2354,12 +2354,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
const mbedtls_ssl_ciphersuite_t *suite = NULL;
|
||||||
const mbedtls_cipher_info_t *cipher = NULL;
|
const mbedtls_cipher_info_t *cipher = NULL;
|
||||||
|
|
||||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
|
||||||
{
|
|
||||||
*olen = 0;
|
|
||||||
return;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* RFC 7366: "If a server receives an encrypt-then-MAC request extension
|
* RFC 7366: "If a server receives an encrypt-then-MAC request extension
|
||||||
@ -2371,6 +2367,11 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
ssl->session_negotiate->ciphersuite ) ) == NULL ||
|
||||||
( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
( cipher = mbedtls_cipher_info_from_type( suite->cipher ) ) == NULL ||
|
||||||
cipher->mode != MBEDTLS_MODE_CBC )
|
cipher->mode != MBEDTLS_MODE_CBC )
|
||||||
|
{
|
||||||
|
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED;
|
||||||
|
}
|
||||||
|
|
||||||
|
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED )
|
||||||
{
|
{
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
return;
|
return;
|
||||||
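Review bot: The added block that sets `ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_DISABLED` for an unknown or non-CBC suite makes this extension writer modify negotiated session state, and nothing in the code says that this is intended. A one-line comment above it would help, e.g. `/* Clear the flag rather than only skipping the extension, so the session state matches what is sent to the peer. */`. The earlier `if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )` now has an unbraced body while the block added here is braced; bracing it would keep the two consistent. Which code later reads the flag is outside these hunks, so the comment wording should be checked against it.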
|
@ -1361,7 +1361,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||||||
* the structure field for the IV, which the PSA-based
|
* the structure field for the IV, which the PSA-based
|
||||||
* implementation currently doesn't. */
|
* implementation currently doesn't. */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
|
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_enc,
|
||||||
cipher_info, transform->taglen );
|
cipher_info, transform->taglen );
|
||||||
@ -1404,7 +1404,7 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||||||
* the structure field for the IV, which the PSA-based
|
* the structure field for the IV, which the PSA-based
|
||||||
* implementation currently doesn't. */
|
* implementation currently doesn't. */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
|
ret = mbedtls_cipher_setup_psa( &transform->cipher_ctx_dec,
|
||||||
cipher_info, transform->taglen );
|
cipher_info, transform->taglen );
|
||||||
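Review bot: Both PSA setup checks (for `cipher_ctx_enc` and `cipher_ctx_dec`) now test the `minor_ver` argument instead of `ssl->minor_ver`, but the code does not say why the context field must not be used here. A short comment at the first check, such as `/* Decide from the minor_ver argument; do not read ssl->minor_ver here. */`, would stop a later edit from reverting it. The body of `ssl_populate_transform` continues outside both hunks, so any other read of `ssl->minor_ver` in the function would presumably want the same substitution; that cannot be confirmed from the lines shown.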
|
@ -227,15 +227,6 @@ filter_ciphersuites()
|
|||||||
G_CIPHERS=$( filter "$G_CIPHERS" )
|
G_CIPHERS=$( filter "$G_CIPHERS" )
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# OpenSSL <1.0.2 doesn't support DTLS 1.2. Check what OpenSSL
|
|
||||||
# supports from the s_server help. (The s_client help isn't
|
|
||||||
# accurate as of 1.0.2g: it supports DTLS 1.2 but doesn't list it.
|
|
||||||
# But the s_server help seems to be accurate.)
|
|
||||||
if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$MODE "; then
|
|
||||||
M_CIPHERS=""
|
|
||||||
O_CIPHERS=""
|
|
||||||
fi
|
|
||||||
|
|
||||||
# For GnuTLS client -> mbed TLS server,
|
# For GnuTLS client -> mbed TLS server,
|
||||||
# we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
|
# we need to force IPv4 by connecting to 127.0.0.1 but then auth fails
|
||||||
if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
|
if [ "X$VERIFY" = "XYES" ] && is_dtls "$MODE"; then
|
||||||
@ -870,6 +861,7 @@ add_mbedtls_ciphersuites()
|
|||||||
|
|
||||||
setup_arguments()
|
setup_arguments()
|
||||||
{
|
{
|
||||||
|
O_MODE=""
|
||||||
G_MODE=""
|
G_MODE=""
|
||||||
case "$MODE" in
|
case "$MODE" in
|
||||||
"ssl3")
|
"ssl3")
|
||||||
@ -882,6 +874,7 @@ setup_arguments()
|
|||||||
G_PRIO_MODE="+VERS-TLS1.1"
|
G_PRIO_MODE="+VERS-TLS1.1"
|
||||||
;;
|
;;
|
||||||
"tls12")
|
"tls12")
|
||||||
|
O_MODE="tls1_2"
|
||||||
G_PRIO_MODE="+VERS-TLS1.2"
|
G_PRIO_MODE="+VERS-TLS1.2"
|
||||||
;;
|
;;
|
||||||
"dtls1")
|
"dtls1")
|
||||||
@ -889,6 +882,7 @@ setup_arguments()
|
|||||||
G_MODE="-u"
|
G_MODE="-u"
|
||||||
;;
|
;;
|
||||||
"dtls12")
|
"dtls12")
|
||||||
|
O_MODE="dtls1_2"
|
||||||
G_PRIO_MODE="+VERS-DTLS1.2"
|
G_PRIO_MODE="+VERS-DTLS1.2"
|
||||||
G_MODE="-u"
|
G_MODE="-u"
|
||||||
;;
|
;;
|
||||||
@ -905,7 +899,7 @@ setup_arguments()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
|
M_SERVER_ARGS="server_port=$PORT server_addr=0.0.0.0 force_version=$MODE arc4=1"
|
||||||
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$MODE"
|
O_SERVER_ARGS="-accept $PORT -cipher NULL,ALL -$O_MODE"
|
||||||
G_SERVER_ARGS="-p $PORT --http $G_MODE"
|
G_SERVER_ARGS="-p $PORT --http $G_MODE"
|
||||||
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
G_SERVER_PRIO="NORMAL:${G_PRIO_CCM}+ARCFOUR-128:+NULL:+MD5:+PSK:+DHE-PSK:+ECDHE-PSK:+SHA256:+SHA384:+RSA-PSK:-VERS-TLS-ALL:$G_PRIO_MODE"
|
||||||
|
|
||||||
@ -930,7 +924,7 @@ setup_arguments()
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
|
M_CLIENT_ARGS="server_port=$PORT server_addr=127.0.0.1 force_version=$MODE"
|
||||||
O_CLIENT_ARGS="-connect localhost:$PORT -$MODE"
|
O_CLIENT_ARGS="-connect localhost:$PORT -$O_MODE"
|
||||||
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
|
G_CLIENT_ARGS="-p $PORT --debug 3 $G_MODE"
|
||||||
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
|
G_CLIENT_PRIO="NONE:$G_PRIO_MODE:+COMP-NULL:+CURVE-ALL:+SIGN-ALL"
|
||||||
|
|
||||||
@ -1329,6 +1323,15 @@ for VERIFY in $VERIFIES; do
|
|||||||
continue;
|
continue;
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
|
||||||
|
# supports $O_MODE from the s_server help. (The s_client
|
||||||
|
# help isn't accurate as of 1.0.2g: it supports DTLS 1.2
|
||||||
|
# but doesn't list it. But the s_server help seems to be
|
||||||
|
# accurate.)
|
||||||
|
if ! $OPENSSL_CMD s_server -help 2>&1 | grep -q "^ *-$O_MODE "; then
|
||||||
|
continue;
|
||||||
|
fi
|
||||||
|
|
||||||
reset_ciphersuites
|
reset_ciphersuites
|
||||||
add_common_ciphersuites
|
add_common_ciphersuites
|
||||||
add_openssl_ciphersuites
|
add_openssl_ciphersuites
|
||||||
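Review bot: `O_MODE` starts as `""` in `setup_arguments` and the visible hunks assign it only in the `"tls12"` and `"dtls12"` arms. If the other arms (`"ssl3"`, `"dtls1"` and the ones outside the hunks) do not set it, `-$O_MODE` in `O_SERVER_ARGS` and `O_CLIENT_ARGS` expands to a bare `-`. The new `grep -q "^ *-$O_MODE "` check would then most likely fail and `continue`, silently dropping OpenSSL interoperability coverage for those protocol versions. Defaulting with `O_MODE="$MODE"` instead of `O_MODE=""` keeps the old behaviour for every mode whose OpenSSL option has the same name. Printing a line before the `continue` would also make a skipped mode visible in the test log instead of looking like a pass.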
|