From 2fbefde1d825f570b8abd3ea3fc3cdc75294b843 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Sat, 29 Jun 2013 16:01:15 +0200 Subject: [PATCH] Client and server now filter sent and accepted ciphersuites on minimum and maximum protocol version --- ChangeLog | 2 ++ include/polarssl/ssl.h | 15 +++++++++++---- library/ssl_cli.c | 34 +++++++++++++++++++++++++--------- library/ssl_srv.c | 27 +++++++++++++++++---------- library/ssl_tls.c | 2 ++ 5 files changed, 57 insertions(+), 23 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6ea2dea61..e73ad3ad2 100644 --- a/ChangeLog +++ b/ChangeLog @@ -17,6 +17,8 @@ Changes * Moved all OID functionality to a separate module. RSA function prototypes for the RSA sign and verify functions changed as a result * Split up the GCM module into a starts/update/finish cycle + * Client and server now filter sent and accepted ciphersuites on minimum + and maximum protocol version Bugfix * Fix for MPI assembly for ARM diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 1bc589369..e0e4bd852 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -401,6 +401,8 @@ struct _ssl_handshake_params /*!< premaster secret */ int resume; /*!< session resume indicator*/ + int max_major_ver; /*!< max. major version client*/ + int max_minor_ver; /*!< max. minor version client*/ }; struct _ssl_context @@ -414,10 +416,10 @@ struct _ssl_context int major_ver; /*!< equal to SSL_MAJOR_VERSION_3 */ int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */ - int max_major_ver; /*!< max. major version from client */ - int max_minor_ver; /*!< max. minor version from client */ - int min_major_ver; /*!< min. major version accepted */ - int min_minor_ver; /*!< min. minor version accepted */ + int max_major_ver; /*!< max. major version used */ + int max_minor_ver; /*!< max. minor version used */ + int min_major_ver; /*!< min. major version used */ + int min_minor_ver; /*!< min. minor version used */ /* * Callbacks (RNG, debug, I/O, verification) @@ -911,6 +913,11 @@ void ssl_set_sni( ssl_context *ssl, /** * \brief Set the maximum supported version sent from the client side + * and/or accepted at the server side + * (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3) + * + * Note: This prevents ciphersuites from 'higher' versions to + * be ignored. * * \param ssl SSL context * \param major Major version number (only SSL_MAJOR_VERSION_3 supported) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 49b11cd57..53557f86a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -255,9 +255,10 @@ static int ssl_write_client_hello( ssl_context *ssl ) int ret; size_t i, n, olen, ext_len = 0; unsigned char *buf; - unsigned char *p; + unsigned char *p, *q; time_t t; const int *ciphersuites; + const ssl_ciphersuite_t *ciphersuite_info; SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); @@ -331,10 +332,11 @@ static int ssl_write_client_hello( ssl_context *ssl ) SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); ciphersuites = ssl->ciphersuite_list[ssl->minor_ver]; - for( n = 0; ciphersuites[n] != 0; n++ ); - if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++; - *p++ = (unsigned char)( n >> 7 ); - *p++ = (unsigned char)( n << 1 ); + n = 0; + q = p; + + // Skip writing ciphersuite length for now + p += 2; /* * Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV @@ -343,20 +345,34 @@ static int ssl_write_client_hello( ssl_context *ssl ) { *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 ); *p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO ); - n--; + n++; } - SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); - - for( i = 0; i < n; i++ ) + for( i = 0; ciphersuites[i] != 0; i++ ) { + ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] ); + + if( ciphersuite_info == NULL ) + continue; + + if( ciphersuite_info->min_minor_ver > ssl->max_minor_ver || + ciphersuite_info->max_minor_ver < ssl->min_minor_ver ) + continue; + SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", ciphersuites[i] ) ); + n++; *p++ = (unsigned char)( ciphersuites[i] >> 8 ); *p++ = (unsigned char)( ciphersuites[i] ); } + *q++ = (unsigned char)( n >> 7 ); + *q++ = (unsigned char)( n << 1 ); + + SSL_DEBUG_MSG( 3, ( "client hello, got %d ciphersuites", n ) ); + + #if defined(POLARSSL_ZLIB_SUPPORT) SSL_DEBUG_MSG( 3, ( "client hello, compress len.: %d", 2 ) ); SSL_DEBUG_MSG( 3, ( "client hello, compress alg.: %d %d", diff --git a/library/ssl_srv.c b/library/ssl_srv.c index f053ba28a..27df90340 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -323,8 +323,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl ) } ssl->major_ver = SSL_MAJOR_VERSION_3; - ssl->minor_ver = ( buf[4] <= SSL_MINOR_VERSION_3 ) - ? buf[4] : SSL_MINOR_VERSION_3; + ssl->minor_ver = ( buf[4] <= ssl->max_minor_ver ) + ? buf[4] : ssl->max_minor_ver; if( ssl->minor_ver < ssl->min_minor_ver ) { @@ -337,8 +337,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); } - ssl->max_major_ver = buf[3]; - ssl->max_minor_ver = buf[4]; + ssl->handshake->max_major_ver = buf[3]; + ssl->handshake->max_minor_ver = buf[4]; if( ( ret = ssl_fetch_input( ssl, 2 + n ) ) != 0 ) { @@ -453,6 +453,9 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); } + if( ciphersuite_info->min_minor_ver > ssl->minor_ver || + ciphersuite_info->max_minor_ver < ssl->minor_ver ) + continue; goto have_ciphersuite_v2; } @@ -602,8 +605,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) } ssl->major_ver = SSL_MAJOR_VERSION_3; - ssl->minor_ver = ( buf[5] <= SSL_MINOR_VERSION_3 ) - ? buf[5] : SSL_MINOR_VERSION_3; + ssl->minor_ver = ( buf[5] <= ssl->max_minor_ver ) + ? buf[5] : ssl->max_minor_ver; if( ssl->minor_ver < ssl->min_minor_ver ) { @@ -617,8 +620,8 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_HS_PROTOCOL_VERSION ); } - ssl->max_major_ver = buf[4]; - ssl->max_minor_ver = buf[5]; + ssl->handshake->max_major_ver = buf[4]; + ssl->handshake->max_minor_ver = buf[5]; memcpy( ssl->handshake->randbytes, buf + 6, 32 ); @@ -870,6 +873,10 @@ static int ssl_parse_client_hello( ssl_context *ssl ) return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); } + if( ciphersuite_info->min_minor_ver > ssl->minor_ver || + ciphersuite_info->max_minor_ver < ssl->minor_ver ) + continue; + if( ( ciphersuite_info->flags & POLARSSL_CIPHERSUITE_EC ) && ssl->handshake->ec_curve == 0 ) continue; @@ -1575,8 +1582,8 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl ) } if( ret != 0 || ssl->handshake->pmslen != 48 || - ssl->handshake->premaster[0] != ssl->max_major_ver || - ssl->handshake->premaster[1] != ssl->max_minor_ver ) + ssl->handshake->premaster[0] != ssl->handshake->max_major_ver || + ssl->handshake->premaster[1] != ssl->handshake->max_minor_ver ) { SSL_DEBUG_MSG( 1, ( "bad client key exchange message" ) ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a19e4dab4..c6a45d954 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -2756,6 +2756,8 @@ int ssl_init( ssl_context *ssl ) ssl->min_major_ver = SSL_MAJOR_VERSION_3; ssl->min_minor_ver = SSL_MINOR_VERSION_0; + ssl->max_major_ver = SSL_MAJOR_VERSION_3; + ssl->max_minor_ver = SSL_MINOR_VERSION_3; ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );