mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 14:25:37 +01:00
Merge remote-tracking branch 'origin/pr/593' into baremetal
This commit is contained in:
Simon Butcher
commit
5f7436f757
@ -100,6 +100,10 @@
|
|||||||
#define MBEDTLS_SSL_CONF_SEND mbedtls_net_send
|
#define MBEDTLS_SSL_CONF_SEND mbedtls_net_send
|
||||||
#define MBEDTLS_SSL_CONF_RECV_TIMEOUT mbedtls_net_recv_timeout
|
#define MBEDTLS_SSL_CONF_RECV_TIMEOUT mbedtls_net_recv_timeout
|
||||||
#define MBEDTLS_SSL_CONF_RNG mbedtls_hmac_drbg_random
|
#define MBEDTLS_SSL_CONF_RNG mbedtls_hmac_drbg_random
|
||||||
|
#define MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
|
#define MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
|
#define MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
#define MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
|
#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET \
|
||||||
MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
||||||
#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \
|
#define MBEDTLS_SSL_CONF_ENFORCE_EXTENDED_MASTER_SECRET \
|
||||||
|
|||||||
@ -614,6 +614,18 @@
|
|||||||
#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_DTLS_ANTI_REPLAY defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
#if !( defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) && \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) && \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) )
|
||||||
|
#error "MBEDTLS_SSL_CONF_MIN_MINOR_VER, MBEDTLS_SSL_CONF_MAX_MINOR_VER, MBEDTLS_SSL_CONF_MIN_MAJOR_VER, MBEDTLS_SSL_CONF_MAX_MAJOR_VER must be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
|
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \
|
||||||
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
|
( !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_PROTO_DTLS) )
|
||||||
#error "MBEDTLS_SSL_DTLS_CONNECTION_ID defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_DTLS_CONNECTION_ID defined, but not all prerequisites"
|
||||||
|
|||||||
@ -3636,6 +3636,12 @@
|
|||||||
*/
|
*/
|
||||||
//#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random
|
//#define MBEDTLS_SSL_CONF_RNG mbedtls_ctr_drbg_random
|
||||||
|
|
||||||
|
/* TLS version */
|
||||||
|
//#define MBEDTLS_SSL_CONF_MIN_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
|
//#define MBEDTLS_SSL_CONF_MAX_MINOR_VER MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
|
//#define MBEDTLS_SSL_CONF_MIN_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
//#define MBEDTLS_SSL_CONF_MAX_MAJOR_VER MBEDTLS_SSL_MAJOR_VERSION_3
|
||||||
|
|
||||||
/* ExtendedMasterSecret extension
|
/* ExtendedMasterSecret extension
|
||||||
* The following two options must be set/unset simultaneously. */
|
* The following two options must be set/unset simultaneously. */
|
||||||
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
//#define MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET MBEDTLS_SSL_EXTENDED_MS_ENABLED
|
||||||
|
|||||||
@ -63,6 +63,18 @@
|
|||||||
#include "platform_time.h"
|
#include "platform_time.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER) && \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) && \
|
||||||
|
( MBEDTLS_SSL_CONF_MAX_MAJOR_VER == MBEDTLS_SSL_CONF_MIN_MAJOR_VER )
|
||||||
|
#define MBEDTLS_SSL_CONF_FIXED_MAJOR_VER MBEDTLS_SSL_CONF_MIN_MAJOR_VER
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) && \
|
||||||
|
defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) && \
|
||||||
|
( MBEDTLS_SSL_CONF_MAX_MINOR_VER == MBEDTLS_SSL_CONF_MIN_MINOR_VER )
|
||||||
|
#define MBEDTLS_SSL_CONF_FIXED_MINOR_VER MBEDTLS_SSL_CONF_MIN_MINOR_VER
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SSL Error codes
|
* SSL Error codes
|
||||||
*/
|
*/
|
||||||
@ -1132,10 +1144,18 @@ struct mbedtls_ssl_config
|
|||||||
unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */
|
unsigned int dhm_min_bitlen; /*!< min. bit length of the DHM prime */
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
unsigned char max_major_ver; /*!< max. major version used */
|
unsigned char max_major_ver; /*!< max. major version used */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
|
||||||
unsigned char max_minor_ver; /*!< max. minor version used */
|
unsigned char max_minor_ver; /*!< max. minor version used */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
unsigned char min_major_ver; /*!< min. major version used */
|
unsigned char min_major_ver; /*!< min. major version used */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
|
||||||
unsigned char min_minor_ver; /*!< min. minor version used */
|
unsigned char min_minor_ver; /*!< min. minor version used */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Flags (bitfields)
|
* Flags (bitfields)
|
||||||
@ -1221,8 +1241,12 @@ struct mbedtls_ssl_context
|
|||||||
renego_max_records is < 0 */
|
renego_max_records is < 0 */
|
||||||
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
#endif /* MBEDTLS_SSL_RENEGOTIATION */
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
|
||||||
int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */
|
int major_ver; /*!< equal to MBEDTLS_SSL_MAJOR_VERSION_3 */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
|
int minor_ver; /*!< either 0 (SSL3) or 1 (TLS1.0) */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
|
#if defined(MBEDTLS_SSL_DTLS_BADMAC_LIMIT)
|
||||||
unsigned badmac_seen; /*!< records with a bad MAC received */
|
unsigned badmac_seen; /*!< records with a bad MAC received */
|
||||||
@ -2985,6 +3009,8 @@ int mbedtls_ssl_conf_alpn_protocols( mbedtls_ssl_config *conf, const char **prot
|
|||||||
const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
|
const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
|
||||||
#endif /* MBEDTLS_SSL_ALPN */
|
#endif /* MBEDTLS_SSL_ALPN */
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
/**
|
/**
|
||||||
* \brief Set the maximum supported version sent from the client side
|
* \brief Set the maximum supported version sent from the client side
|
||||||
* and/or accepted at the server side
|
* and/or accepted at the server side
|
||||||
@ -2995,6 +3021,11 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
|
|||||||
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
|
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
|
||||||
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
|
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
|
||||||
*
|
*
|
||||||
|
* \note On constrained systems, the maximum major/minor version can
|
||||||
|
* also be configured at compile-time by setting
|
||||||
|
* MBEDTLS_SSL_CONF_MAX_MAJOR_VER and
|
||||||
|
* MBEDTLS_SSL_CONF_MAX_MINOR_VER.
|
||||||
|
*
|
||||||
* \param conf SSL configuration
|
* \param conf SSL configuration
|
||||||
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
|
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
|
||||||
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
|
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
|
||||||
@ -3002,7 +3033,11 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl );
|
|||||||
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
|
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
|
||||||
*/
|
*/
|
||||||
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
|
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER ||
|
||||||
|
MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
/**
|
/**
|
||||||
* \brief Set the minimum accepted SSL/TLS protocol version
|
* \brief Set the minimum accepted SSL/TLS protocol version
|
||||||
* (Default: TLS 1.0)
|
* (Default: TLS 1.0)
|
||||||
@ -3015,6 +3050,11 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino
|
|||||||
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
|
* \note With DTLS, use MBEDTLS_SSL_MINOR_VERSION_2 for DTLS 1.0 and
|
||||||
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
|
* MBEDTLS_SSL_MINOR_VERSION_3 for DTLS 1.2
|
||||||
*
|
*
|
||||||
|
* \note On constrained systems, the minimum major/minor version can
|
||||||
|
* also be configured at compile-time by setting
|
||||||
|
* MBEDTLS_SSL_CONF_MIN_MAJOR_VER and
|
||||||
|
* MBEDTLS_SSL_CONF_MIN_MINOR_VER.
|
||||||
|
*
|
||||||
* \param conf SSL configuration
|
* \param conf SSL configuration
|
||||||
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
|
* \param major Major version number (only MBEDTLS_SSL_MAJOR_VERSION_3 supported)
|
||||||
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
|
* \param minor Minor version number (MBEDTLS_SSL_MINOR_VERSION_0,
|
||||||
@ -3022,6 +3062,8 @@ void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int mino
|
|||||||
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
|
* MBEDTLS_SSL_MINOR_VERSION_3 supported)
|
||||||
*/
|
*/
|
||||||
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
|
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER ||
|
||||||
|
MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
|
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
|
||||||
/**
|
/**
|
||||||
|
|||||||
@ -514,8 +514,14 @@ struct mbedtls_ssl_handshake_params
|
|||||||
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
|
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
|
||||||
int resume; /*!< session resume indicator*/
|
int resume; /*!< session resume indicator*/
|
||||||
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
|
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_SRV_C) && \
|
||||||
|
( defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ) )
|
||||||
int max_major_ver; /*!< max. major version client*/
|
int max_major_ver; /*!< max. major version client*/
|
||||||
int max_minor_ver; /*!< max. minor version client*/
|
int max_minor_ver; /*!< max. minor version client*/
|
||||||
|
#endif /* MBEDTLS_SSL_SRV_C && ( MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ) */
|
||||||
int cli_exts; /*!< client extension presence*/
|
int cli_exts; /*!< client extension presence*/
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
@ -703,7 +709,10 @@ struct mbedtls_ssl_transform
|
|||||||
|
|
||||||
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
|
mbedtls_cipher_context_t cipher_ctx_enc; /*!< encryption context */
|
||||||
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
|
mbedtls_cipher_context_t cipher_ctx_dec; /*!< decryption context */
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
int minor_ver;
|
int minor_ver;
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||||
uint8_t in_cid_len;
|
uint8_t in_cid_len;
|
||||||
@ -721,6 +730,16 @@ struct mbedtls_ssl_transform
|
|||||||
#endif
|
#endif
|
||||||
};
|
};
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_transform_get_minor_ver( mbedtls_ssl_transform const *transform )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
return( transform->minor_ver );
|
||||||
|
#else
|
||||||
|
((void) transform);
|
||||||
|
return( MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Internal representation of record frames
|
* Internal representation of record frames
|
||||||
*
|
*
|
||||||
@ -960,6 +979,26 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
|
|||||||
mbedtls_md_type_t md );
|
mbedtls_md_type_t md );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_get_minor_ver( mbedtls_ssl_context const *ssl )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
return( ssl->minor_ver );
|
||||||
|
#else /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
|
((void) ssl);
|
||||||
|
return( MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_get_major_ver( mbedtls_ssl_context const *ssl )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
|
||||||
|
return( ssl->major_ver );
|
||||||
|
#else /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
|
||||||
|
((void) ssl);
|
||||||
|
return( MBEDTLS_SSL_CONF_FIXED_MAJOR_VER );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
|
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
@ -1000,11 +1039,6 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
|||||||
uint32_t *flags );
|
uint32_t *flags );
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
void mbedtls_ssl_write_version( int major, int minor, int transport,
|
|
||||||
unsigned char ver[2] );
|
|
||||||
void mbedtls_ssl_read_version( int *major, int *minor, int transport,
|
|
||||||
const unsigned char ver[2] );
|
|
||||||
|
|
||||||
static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
|
static inline size_t mbedtls_ssl_in_hdr_len( const mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
return( (size_t) ( ssl->in_iv - ssl->in_hdr ) );
|
return( (size_t) ( ssl->in_iv - ssl->in_hdr ) );
|
||||||
@ -1084,6 +1118,69 @@ int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl,
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
|
#endif /* MBEDTLS_SSL_PROTO_TLS1 || MBEDTLS_SSL_PROTO_TLS1_1 || \
|
||||||
MBEDTLS_SSL_PROTO_TLS1_2 */
|
MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Convert version numbers to/from wire format
|
||||||
|
* and, for DTLS, to/from TLS equivalent.
|
||||||
|
*
|
||||||
|
* For TLS this is the identity.
|
||||||
|
* For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
|
||||||
|
* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
|
||||||
|
* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
|
||||||
|
*/
|
||||||
|
static inline void mbedtls_ssl_write_version( int major, int minor,
|
||||||
|
int transport,
|
||||||
|
unsigned char ver[2] )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
|
||||||
|
((void) transport);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
|
||||||
|
{
|
||||||
|
if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
|
--minor; /* DTLS 1.0 stored as TLS 1.1 internally */
|
||||||
|
|
||||||
|
ver[0] = (unsigned char)( 255 - ( major - 2 ) );
|
||||||
|
ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
|
||||||
|
}
|
||||||
|
MBEDTLS_SSL_TRANSPORT_ELSE
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
||||||
|
{
|
||||||
|
ver[0] = (unsigned char) major;
|
||||||
|
ver[1] = (unsigned char) minor;
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline void mbedtls_ssl_read_version( int *major, int *minor,
|
||||||
|
int transport,
|
||||||
|
const unsigned char ver[2] )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
|
||||||
|
((void) transport);
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
|
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
|
||||||
|
{
|
||||||
|
*major = 255 - ver[0] + 2;
|
||||||
|
*minor = 255 - ver[1] + 1;
|
||||||
|
|
||||||
|
if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
|
||||||
|
++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
|
||||||
|
}
|
||||||
|
MBEDTLS_SSL_TRANSPORT_ELSE
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
||||||
|
{
|
||||||
|
*major = ver[0];
|
||||||
|
*minor = ver[1];
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_PROTO_TLS */
|
||||||
|
}
|
||||||
|
|
||||||
#ifdef __cplusplus
|
#ifdef __cplusplus
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
@ -1423,6 +1520,50 @@ static inline mbedtls_frng_t* mbedtls_ssl_conf_get_frng(
|
|||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_CONF_RNG */
|
#endif /* MBEDTLS_SSL_CONF_RNG */
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_conf_get_max_major_ver(
|
||||||
|
mbedtls_ssl_config const *conf )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
return( conf->max_major_ver );
|
||||||
|
#else
|
||||||
|
((void) conf);
|
||||||
|
return( MBEDTLS_SSL_CONF_MAX_MAJOR_VER );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_conf_get_min_major_ver(
|
||||||
|
mbedtls_ssl_config const *conf )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
|
return( conf->min_major_ver );
|
||||||
|
#else /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
((void) conf);
|
||||||
|
return( MBEDTLS_SSL_CONF_MIN_MAJOR_VER );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_conf_get_max_minor_ver(
|
||||||
|
mbedtls_ssl_config const *conf )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
|
||||||
|
return( conf->max_minor_ver );
|
||||||
|
#else /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
|
||||||
|
((void) conf);
|
||||||
|
return( MBEDTLS_SSL_CONF_MAX_MINOR_VER );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER */
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_conf_get_min_minor_ver(
|
||||||
|
mbedtls_ssl_config const *conf )
|
||||||
|
{
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
|
||||||
|
return( conf->min_minor_ver );
|
||||||
|
#else /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
|
||||||
|
((void) conf);
|
||||||
|
return( MBEDTLS_SSL_CONF_MIN_MINOR_VER );
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER */
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||||
static inline unsigned int mbedtls_ssl_conf_get_ems(
|
static inline unsigned int mbedtls_ssl_conf_get_ems(
|
||||||
mbedtls_ssl_config const *conf )
|
mbedtls_ssl_config const *conf )
|
||||||
|
|||||||
@ -180,8 +180,11 @@ static void ssl_write_signature_algorithms_ext( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
|
|
||||||
if( ssl->conf->max_minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) !=
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
|
{
|
||||||
return;
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding signature_algorithms extension" ) );
|
||||||
|
|
||||||
@ -558,7 +561,8 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
*olen = 0;
|
*olen = 0;
|
||||||
|
|
||||||
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -593,7 +597,8 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||||
ssl->conf->max_minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ==
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
@ -788,7 +793,6 @@ static int ssl_validate_ciphersuite( mbedtls_ssl_ciphersuite_handle_t suite_info
|
|||||||
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
if( suite_info == MBEDTLS_SSL_CIPHERSUITE_INVALID_HANDLE )
|
||||||
return( 1 );
|
return( 1 );
|
||||||
|
|
||||||
|
|
||||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
|
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > max_minor_ver ||
|
||||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
|
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < min_minor_ver )
|
||||||
{
|
{
|
||||||
@ -846,11 +850,15 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
if( mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE )
|
||||||
{
|
{
|
||||||
ssl->major_ver = ssl->conf->min_major_ver;
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
|
||||||
ssl->minor_ver = ssl->conf->min_minor_ver;
|
ssl->major_ver = mbedtls_ssl_conf_get_min_major_ver( ssl->conf );
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
ssl->minor_ver = mbedtls_ssl_conf_get_min_minor_ver( ssl->conf );
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
}
|
}
|
||||||
|
|
||||||
if( ssl->conf->max_major_ver == 0 )
|
if( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) == 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "configured max major version is invalid, "
|
||||||
"consider using mbedtls_ssl_config_defaults()" ) );
|
"consider using mbedtls_ssl_config_defaults()" ) );
|
||||||
@ -867,8 +875,9 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||||||
buf = ssl->out_msg;
|
buf = ssl->out_msg;
|
||||||
p = buf + 4;
|
p = buf + 4;
|
||||||
|
|
||||||
mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
|
||||||
ssl->conf->transport, p );
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
|
||||||
|
ssl->conf->transport, p );
|
||||||
p += 2;
|
p += 2;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, max version: [%d:%d]",
|
||||||
@ -981,8 +990,8 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
|
|||||||
ciphersuite_info )
|
ciphersuite_info )
|
||||||
{
|
{
|
||||||
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
||||||
ssl->conf->min_minor_ver,
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
|
||||||
ssl->conf->max_minor_ver ) != 0 )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
|
||||||
{
|
{
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -1328,7 +1337,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
size_t len )
|
size_t len )
|
||||||
{
|
{
|
||||||
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
||||||
len != 0 )
|
len != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
|
||||||
@ -1352,7 +1361,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
|||||||
{
|
{
|
||||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
||||||
len != 0 )
|
len != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
|
||||||
@ -1563,8 +1572,8 @@ static int ssl_parse_hello_verify_request( mbedtls_ssl_context *ssl )
|
|||||||
*/
|
*/
|
||||||
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
|
if( major_ver < MBEDTLS_SSL_MAJOR_VERSION_3 ||
|
||||||
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
|
minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 ||
|
||||||
major_ver > ssl->conf->max_major_ver ||
|
major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
|
||||||
minor_ver > ssl->conf->max_minor_ver )
|
minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server version" ) );
|
||||||
|
|
||||||
@ -1711,25 +1720,40 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
*/
|
*/
|
||||||
buf += mbedtls_ssl_hs_hdr_len( ssl );
|
buf += mbedtls_ssl_hs_hdr_len( ssl );
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
|
|
||||||
mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
|
|
||||||
ssl->conf->transport, buf + 0 );
|
|
||||||
|
|
||||||
if( ssl->major_ver < ssl->conf->min_major_ver ||
|
|
||||||
ssl->minor_ver < ssl->conf->min_minor_ver ||
|
|
||||||
ssl->major_ver > ssl->conf->max_major_ver ||
|
|
||||||
ssl->minor_ver > ssl->conf->max_minor_ver )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
|
int major_ver, minor_ver;
|
||||||
" min: [%d:%d], server: [%d:%d], max: [%d:%d]",
|
|
||||||
ssl->conf->min_major_ver, ssl->conf->min_minor_ver,
|
|
||||||
ssl->major_ver, ssl->minor_ver,
|
|
||||||
ssl->conf->max_major_ver, ssl->conf->max_minor_ver ) );
|
|
||||||
|
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, version", buf + 0, 2 );
|
||||||
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
mbedtls_ssl_read_version( &major_ver, &minor_ver,
|
||||||
|
ssl->conf->transport,
|
||||||
|
buf + 0 );
|
||||||
|
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
|
||||||
|
minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ||
|
||||||
|
major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) ||
|
||||||
|
minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "server version out of bounds - "
|
||||||
|
" min: [%d:%d], server: [%d:%d], max: [%d:%d]",
|
||||||
|
mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
|
||||||
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
|
||||||
|
major_ver, minor_ver,
|
||||||
|
mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
|
||||||
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) );
|
||||||
|
|
||||||
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
|
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
||||||
|
|
||||||
|
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
||||||
|
}
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
ssl->minor_ver = minor_ver;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
|
||||||
|
ssl->major_ver = major_ver;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
|
||||||
}
|
}
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, current time: %lu",
|
||||||
@ -1886,8 +1910,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
ciphersuite_info )
|
ciphersuite_info )
|
||||||
{
|
{
|
||||||
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
||||||
ssl->conf->min_minor_ver,
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
|
||||||
ssl->conf->max_minor_ver ) != 0 )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
|
||||||
{
|
{
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
@ -1914,7 +1938,7 @@ server_picked_valid_suite:
|
|||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
|
if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
ssl->handshake->ecrs_enabled = 1;
|
ssl->handshake->ecrs_enabled = 1;
|
||||||
}
|
}
|
||||||
@ -1928,14 +1952,15 @@ server_picked_valid_suite:
|
|||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
ssl->session_negotiate->compression = comp;
|
ssl->session_negotiate->compression = comp;
|
||||||
|
|
||||||
ext = buf + 40 + n;
|
ext = buf + 40 + n;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d",
|
||||||
|
ext_len ) );
|
||||||
|
|
||||||
while( ext_len )
|
while( ext_len )
|
||||||
{
|
{
|
||||||
@ -1948,7 +1973,7 @@ server_picked_valid_suite:
|
|||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -2343,7 +2368,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||||||
size_t pms_offset )
|
size_t pms_offset )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
|
size_t len_bytes = mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
|
||||||
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
||||||
mbedtls_pk_context *peer_pk = NULL;
|
mbedtls_pk_context *peer_pk = NULL;
|
||||||
|
|
||||||
@ -2360,8 +2385,9 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||||||
* opaque random[46];
|
* opaque random[46];
|
||||||
* } PreMasterSecret;
|
* } PreMasterSecret;
|
||||||
*/
|
*/
|
||||||
mbedtls_ssl_write_version( ssl->conf->max_major_ver, ssl->conf->max_minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_conf_get_max_major_ver( ssl->conf ),
|
||||||
ssl->conf->transport, p );
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ),
|
||||||
|
ssl->conf->transport, p );
|
||||||
|
|
||||||
if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
|
if( ( ret = mbedtls_ssl_conf_get_frng( ssl->conf )
|
||||||
( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
|
( ssl->conf->p_rng, p + 2, 46 ) ) != 0 )
|
||||||
@ -2459,7 +2485,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
|
|||||||
*pk_alg = MBEDTLS_PK_NONE;
|
*pk_alg = MBEDTLS_PK_NONE;
|
||||||
|
|
||||||
/* Only in TLS 1.2 */
|
/* Only in TLS 1.2 */
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
@ -2786,7 +2812,7 @@ start_processing:
|
|||||||
* Handle the digitally-signed structure
|
* Handle the digitally-signed structure
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
if( ssl_parse_signature_algorithm( ssl, &p, end,
|
if( ssl_parse_signature_algorithm( ssl, &p, end,
|
||||||
&md_alg, &pk_alg ) != 0 )
|
&md_alg, &pk_alg ) != 0 )
|
||||||
@ -2809,7 +2835,7 @@ start_processing:
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||||
|
|
||||||
@ -3081,7 +3107,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
/* supported_signature_algorithms */
|
/* supported_signature_algorithms */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
||||||
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
||||||
@ -3574,7 +3600,7 @@ sign:
|
|||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* digitally-signed struct {
|
* digitally-signed struct {
|
||||||
@ -3604,7 +3630,7 @@ sign:
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
||||||
MBEDTLS_SSL_PROTO_TLS1_1 */
|
MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* digitally-signed struct {
|
* digitally-signed struct {
|
||||||
|
|||||||
@ -536,7 +536,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
((void) buf);
|
((void) buf);
|
||||||
|
|
||||||
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
|
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
|
||||||
ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
|
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
|
||||||
}
|
}
|
||||||
@ -864,7 +864,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
|||||||
* present them a SHA-higher cert rather than failing if it's the only
|
* present them a SHA-higher cert rather than failing if it's the only
|
||||||
* one we got that satisfies the other conditions.
|
* one we got that satisfies the other conditions.
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
mbedtls_md_type_t sig_md;
|
mbedtls_md_type_t sig_md;
|
||||||
{
|
{
|
||||||
@ -930,8 +930,10 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl,
|
|||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
|
||||||
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
||||||
|
|
||||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver ||
|
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info )
|
||||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver )
|
> mbedtls_ssl_get_minor_ver( ssl ) ||
|
||||||
|
mbedtls_ssl_suite_get_max_minor_ver( suite_info )
|
||||||
|
< mbedtls_ssl_get_minor_ver( ssl ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
||||||
return( 0 );
|
return( 0 );
|
||||||
@ -993,7 +995,7 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl,
|
|||||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
/* If the ciphersuite requires signing, check whether
|
/* If the ciphersuite requires signing, check whether
|
||||||
* a suitable hash algorithm is present. */
|
* a suitable hash algorithm is present. */
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
|
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
|
||||||
if( sig_type != MBEDTLS_PK_NONE &&
|
if( sig_type != MBEDTLS_PK_NONE &&
|
||||||
@ -1090,23 +1092,30 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
|
|
||||||
ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
ssl->major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
||||||
ssl->minor_ver = ( buf[4] <= ssl->conf->max_minor_ver )
|
ssl->minor_ver =
|
||||||
? buf[4] : ssl->conf->max_minor_ver;
|
( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
|
? buf[4] : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
|
||||||
|
|
||||||
if( ssl->minor_ver < ssl->conf->min_minor_ver )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
||||||
" [%d:%d] < [%d:%d]",
|
" [%d:%d] < [%d:%d]",
|
||||||
ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
|
||||||
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
|
||||||
|
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||||
ssl->handshake->max_major_ver = buf[3];
|
ssl->handshake->max_major_ver = buf[3];
|
||||||
ssl->handshake->max_minor_ver = buf[4];
|
ssl->handshake->max_minor_ver = buf[4];
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||||
|
|
||||||
if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
|
if( ( ret = mbedtls_ssl_fetch_input( ssl, 2 + n ) ) != 0 )
|
||||||
{
|
{
|
||||||
@ -1213,7 +1222,8 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
|||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
||||||
|
|
||||||
if( ssl->minor_ver < ssl->conf->max_minor_ver )
|
if( mbedtls_ssl_get_minor_ver( ssl ) <
|
||||||
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
||||||
|
|
||||||
@ -1618,31 +1628,47 @@ read_record_header:
|
|||||||
*/
|
*/
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
|
MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, version", buf, 2 );
|
||||||
|
|
||||||
mbedtls_ssl_read_version( &ssl->major_ver, &ssl->minor_ver,
|
|
||||||
ssl->conf->transport, buf );
|
|
||||||
|
|
||||||
ssl->handshake->max_major_ver = ssl->major_ver;
|
|
||||||
ssl->handshake->max_minor_ver = ssl->minor_ver;
|
|
||||||
|
|
||||||
if( ssl->major_ver < ssl->conf->min_major_ver ||
|
|
||||||
ssl->minor_ver < ssl->conf->min_minor_ver )
|
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
int minor_ver, major_ver;
|
||||||
|
mbedtls_ssl_read_version( &major_ver, &minor_ver,
|
||||||
|
ssl->conf->transport,
|
||||||
|
buf );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_RSA_ENABLED) || \
|
||||||
|
defined(MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED)
|
||||||
|
ssl->handshake->max_major_ver = major_ver;
|
||||||
|
ssl->handshake->max_minor_ver = minor_ver;
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED ||
|
||||||
|
MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED */
|
||||||
|
|
||||||
|
if( major_ver < mbedtls_ssl_conf_get_min_major_ver( ssl->conf ) ||
|
||||||
|
minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
||||||
" [%d:%d] < [%d:%d]",
|
" [%d:%d] < [%d:%d]",
|
||||||
ssl->major_ver, ssl->minor_ver,
|
major_ver, minor_ver,
|
||||||
ssl->conf->min_major_ver, ssl->conf->min_minor_ver ) );
|
mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
|
||||||
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION );
|
||||||
}
|
return( MBEDTLS_ERR_SSL_BAD_HS_PROTOCOL_VERSION );
|
||||||
|
}
|
||||||
|
|
||||||
if( ssl->major_ver > ssl->conf->max_major_ver )
|
if( major_ver > mbedtls_ssl_conf_get_max_major_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
ssl->major_ver = ssl->conf->max_major_ver;
|
major_ver = mbedtls_ssl_conf_get_max_major_ver( ssl->conf );
|
||||||
ssl->minor_ver = ssl->conf->max_minor_ver;
|
minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
|
||||||
|
}
|
||||||
|
else if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
|
minor_ver = mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MAJOR_VER)
|
||||||
|
ssl->major_ver = major_ver;
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_FIXED_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
ssl->minor_ver = minor_ver;
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
}
|
}
|
||||||
else if( ssl->minor_ver > ssl->conf->max_minor_ver )
|
|
||||||
ssl->minor_ver = ssl->conf->max_minor_ver;
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Save client random (inc. Unix time)
|
* Save client random (inc. Unix time)
|
||||||
@ -1793,7 +1819,8 @@ read_record_header:
|
|||||||
|
|
||||||
/* Do not parse the extensions if the protocol is SSLv3 */
|
/* Do not parse the extensions if the protocol is SSLv3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) ||
|
||||||
|
( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
|
||||||
{
|
{
|
||||||
#endif
|
#endif
|
||||||
/*
|
/*
|
||||||
@ -2019,7 +2046,8 @@ read_record_header:
|
|||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
|
||||||
|
|
||||||
if( ssl->minor_ver < ssl->conf->max_minor_ver )
|
if( mbedtls_ssl_get_minor_ver( ssl ) <
|
||||||
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
||||||
|
|
||||||
@ -2231,7 +2259,7 @@ have_ciphersuite:
|
|||||||
#if defined(MBEDTLS_DEBUG_C) && \
|
#if defined(MBEDTLS_DEBUG_C) && \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
|
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
|
||||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
|
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
|
||||||
@ -2339,7 +2367,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
|||||||
const mbedtls_cipher_info_t *cipher = NULL;
|
const mbedtls_cipher_info_t *cipher = NULL;
|
||||||
|
|
||||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
return;
|
return;
|
||||||
@ -2389,7 +2417,7 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
|
if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
|
||||||
== MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
== MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
return;
|
return;
|
||||||
@ -2633,8 +2661,9 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
/* The RFC is not clear on this point, but sending the actual negotiated
|
/* The RFC is not clear on this point, but sending the actual negotiated
|
||||||
* version looks like the most interoperable thing to do. */
|
* version looks like the most interoperable thing to do. */
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->transport, p );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
ssl->conf->transport, p );
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
|
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
|
||||||
p += 2;
|
p += 2;
|
||||||
|
|
||||||
@ -2726,8 +2755,9 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
buf = ssl->out_msg;
|
buf = ssl->out_msg;
|
||||||
p = buf + 4;
|
p = buf + 4;
|
||||||
|
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->transport, p );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
ssl->conf->transport, p );
|
||||||
p += 2;
|
p += 2;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
|
||||||
@ -2855,7 +2885,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
/* Do not write the extensions if the protocol is SSLv3 */
|
/* Do not write the extensions if the protocol is SSLv3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) || ( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
|
||||||
{
|
{
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
@ -3037,7 +3067,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
|||||||
* enum { (255) } HashAlgorithm;
|
* enum { (255) } HashAlgorithm;
|
||||||
* enum { (255) } SignatureAlgorithm;
|
* enum { (255) } SignatureAlgorithm;
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
const int *cur;
|
const int *cur;
|
||||||
|
|
||||||
@ -3395,7 +3425,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
mbedtls_pk_type_t sig_alg =
|
mbedtls_pk_type_t sig_alg =
|
||||||
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/* A: For TLS 1.2, obey signature-hash-algorithm extension
|
/* A: For TLS 1.2, obey signature-hash-algorithm extension
|
||||||
* (RFC 5246, Sec. 7.4.1.4.1). */
|
* (RFC 5246, Sec. 7.4.1.4.1). */
|
||||||
@ -3471,7 +3501,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
|||||||
* 2.3: Compute and add the signature
|
* 2.3: Compute and add the signature
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* For TLS 1.2, we need to specify signature and hash algorithm
|
* For TLS 1.2, we need to specify signature and hash algorithm
|
||||||
@ -3775,7 +3805,7 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
|
|||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
{
|
{
|
||||||
if( len < 2 )
|
if( len < 2 )
|
||||||
@ -4395,7 +4425,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
|||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
md_alg = MBEDTLS_MD_NONE;
|
md_alg = MBEDTLS_MD_NONE;
|
||||||
hashlen = 36;
|
hashlen = 36;
|
||||||
@ -4412,7 +4442,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
|
||||||
MBEDTLS_SSL_PROTO_TLS1_1 */
|
MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
if( i + 2 > ssl->in_hslen )
|
if( i + 2 > ssl->in_hslen )
|
||||||
{
|
{
|
||||||
|
|||||||
@ -817,7 +817,12 @@ static int ssl_populate_transform( mbedtls_ssl_transform *transform,
|
|||||||
defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
defined(MBEDTLS_SSL_SOME_MODES_USE_MAC)
|
||||||
transform->encrypt_then_mac = encrypt_then_mac;
|
transform->encrypt_then_mac = encrypt_then_mac;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
transform->minor_ver = minor_ver;
|
transform->minor_ver = minor_ver;
|
||||||
|
#else
|
||||||
|
((void) minor_ver);
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_FIXED_MINOR_VER */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Get various info structures
|
* Get various info structures
|
||||||
@ -1347,7 +1352,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
/* Set PRF, calc_verify and calc_finished function pointers */
|
/* Set PRF, calc_verify and calc_finished function pointers */
|
||||||
ret = ssl_set_handshake_prfs( ssl->handshake,
|
ret = ssl_set_handshake_prfs( ssl->handshake,
|
||||||
ssl->minor_ver,
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
@ -1393,7 +1398,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||||||
#endif
|
#endif
|
||||||
ssl->handshake->tls_prf,
|
ssl->handshake->tls_prf,
|
||||||
ssl->handshake->randbytes,
|
ssl->handshake->randbytes,
|
||||||
ssl->minor_ver,
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
|
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
|
||||||
ssl );
|
ssl );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
@ -1994,7 +1999,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) ==
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
unsigned char mac[SSL_MAC_MAX_BYTES];
|
unsigned char mac[SSL_MAC_MAX_BYTES];
|
||||||
ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
|
ssl_mac( &transform->md_ctx_enc, transform->mac_enc,
|
||||||
@ -2005,7 +2011,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_1 )
|
||||||
{
|
{
|
||||||
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
|
unsigned char mac[MBEDTLS_SSL_MAC_ADD];
|
||||||
|
|
||||||
@ -2184,7 +2191,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
* Prepend per-record IV for block cipher in TLS v1.1 and up as per
|
* Prepend per-record IV for block cipher in TLS v1.1 and up as per
|
||||||
* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
|
* Method 1 (6.2.3.2. in RFC4346 and RFC5246)
|
||||||
*/
|
*/
|
||||||
if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
if( f_rng == NULL )
|
if( f_rng == NULL )
|
||||||
{
|
{
|
||||||
@ -2233,7 +2241,8 @@ int mbedtls_ssl_encrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
|
||||||
if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) <
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Save IV in SSL3 and TLS1
|
* Save IV in SSL3 and TLS1
|
||||||
@ -2482,7 +2491,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
* Check immediate ciphertext sanity
|
* Check immediate ciphertext sanity
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
/* The ciphertext is prefixed with the CBC IV. */
|
/* The ciphertext is prefixed with the CBC IV. */
|
||||||
minlen += transform->ivlen;
|
minlen += transform->ivlen;
|
||||||
@ -2573,7 +2583,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
/*
|
/*
|
||||||
* Initialize for prepended IV for block cipher in TLS v1.1 and up
|
* Initialize for prepended IV for block cipher in TLS v1.1 and up
|
||||||
*/
|
*/
|
||||||
if( transform->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) >=
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
/* This is safe because data_len >= minlen + maclen + 1 initially,
|
/* This is safe because data_len >= minlen + maclen + 1 initially,
|
||||||
* and at this point we have at most subtracted maclen (note that
|
* and at this point we have at most subtracted maclen (note that
|
||||||
@ -2601,7 +2612,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1)
|
||||||
if( transform->minor_ver < MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) <
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Save IV in SSL3 and TLS1
|
* Save IV in SSL3 and TLS1
|
||||||
@ -2643,7 +2655,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
* we have data_len >= padlen here. */
|
* we have data_len >= padlen here. */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) ==
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
if( padlen > transform->ivlen )
|
if( padlen > transform->ivlen )
|
||||||
{
|
{
|
||||||
@ -2659,7 +2672,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) >
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
/* The padding check involves a series of up to 256
|
/* The padding check involves a series of up to 256
|
||||||
* consecutive memory reads at the end of the record
|
* consecutive memory reads at the end of the record
|
||||||
@ -2745,7 +2759,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
|
ssl_extract_add_data_from_record( add_data, &add_data_len, rec );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( transform->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) ==
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
ssl_mac( &transform->md_ctx_dec,
|
ssl_mac( &transform->md_ctx_dec,
|
||||||
transform->mac_dec,
|
transform->mac_dec,
|
||||||
@ -2757,7 +2772,8 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context *ssl,
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( transform->minor_ver > MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_transform_get_minor_ver( transform ) >
|
||||||
|
MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Process MAC and always update for padlen afterwards to make
|
* Process MAC and always update for padlen afterwards to make
|
||||||
@ -3736,7 +3752,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
|
|||||||
{
|
{
|
||||||
/* In SSLv3, the client might send a NoCertificate alert. */
|
/* In SSLv3, the client might send a NoCertificate alert. */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
|
||||||
if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
if( ! ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||||
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
||||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_IS_CLIENT ) )
|
MBEDTLS_SSL_IS_CLIENT ) )
|
||||||
@ -3926,8 +3942,9 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
|
|||||||
/* Skip writing the record content type to after the encryption,
|
/* Skip writing the record content type to after the encryption,
|
||||||
* as it may change when using the CID extension. */
|
* as it may change when using the CID extension. */
|
||||||
|
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->transport, ssl->out_hdr + 1 );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
ssl->conf->transport, ssl->out_hdr + 1 );
|
||||||
|
|
||||||
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
|
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
|
||||||
ssl->out_len[0] = (unsigned char)( len >> 8 );
|
ssl->out_len[0] = (unsigned char)( len >> 8 );
|
||||||
@ -3944,7 +3961,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
|
|||||||
rec.data_offset = ssl->out_msg - rec.buf;
|
rec.data_offset = ssl->out_msg - rec.buf;
|
||||||
|
|
||||||
memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
|
memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
ssl->conf->transport, rec.ver );
|
ssl->conf->transport, rec.ver );
|
||||||
rec.type = ssl->out_msgtype;
|
rec.type = ssl->out_msgtype;
|
||||||
|
|
||||||
@ -4699,13 +4717,13 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Check version */
|
/* Check version */
|
||||||
if( major_ver != ssl->major_ver )
|
if( major_ver != mbedtls_ssl_get_major_ver( ssl ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
|
||||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||||
}
|
}
|
||||||
|
|
||||||
if( minor_ver > ssl->conf->max_minor_ver )
|
if( minor_ver > mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "minor version mismatch" ) );
|
||||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||||
@ -4830,7 +4848,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||||
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
|
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||||
@ -4842,7 +4860,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
|||||||
/*
|
/*
|
||||||
* TLS encrypted messages can have up to 256 bytes of padding
|
* TLS encrypted messages can have up to 256 bytes of padding
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
|
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 &&
|
||||||
ssl->in_msglen > ssl->transform_in->minlen +
|
ssl->in_msglen > ssl->transform_in->minlen +
|
||||||
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
|
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
|
||||||
{
|
{
|
||||||
@ -4896,7 +4914,8 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
|||||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||||
|
|
||||||
memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
|
memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
ssl->conf->transport, rec.ver );
|
ssl->conf->transport, rec.ver );
|
||||||
rec.type = ssl->in_msgtype;
|
rec.type = ssl->in_msgtype;
|
||||||
if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
|
if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
|
||||||
@ -4962,7 +4981,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
|||||||
else if( ssl->in_msglen == 0 )
|
else if( ssl->in_msglen == 0 )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
|
&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
|
||||||
{
|
{
|
||||||
/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
|
/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
|
||||||
@ -5955,7 +5974,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
|
|||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_IS_SERVER &&
|
MBEDTLS_SSL_IS_SERVER &&
|
||||||
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
|
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
|
||||||
@ -6143,7 +6162,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
|||||||
* (otherwise an empty Certificate message will be sent).
|
* (otherwise an empty Certificate message will be sent).
|
||||||
*/
|
*/
|
||||||
if( mbedtls_ssl_own_cert( ssl ) == NULL &&
|
if( mbedtls_ssl_own_cert( ssl ) == NULL &&
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
ssl->out_msglen = 2;
|
ssl->out_msglen = 2;
|
||||||
ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
|
ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
|
||||||
@ -6435,7 +6454,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
|
|||||||
/*
|
/*
|
||||||
* Check if the client sent an empty certificate
|
* Check if the client sent an empty certificate
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
if( ssl->in_msglen == 2 &&
|
if( ssl->in_msglen == 2 &&
|
||||||
ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
||||||
@ -6987,7 +7006,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
|
ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
@ -7420,7 +7439,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
|
|||||||
* ciphersuite does this (and this is unlikely to change as activity has
|
* ciphersuite does this (and this is unlikely to change as activity has
|
||||||
* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
|
* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
|
||||||
*/
|
*/
|
||||||
hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
|
hash_len = ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
ssl->verify_data_len = hash_len;
|
ssl->verify_data_len = hash_len;
|
||||||
@ -7567,7 +7586,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
|
|||||||
|
|
||||||
/* There is currently no ciphersuite using another length with TLS 1.2 */
|
/* There is currently no ciphersuite using another length with TLS 1.2 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
hash_len = 36;
|
hash_len = 36;
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
@ -7835,7 +7854,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
|
|||||||
|
|
||||||
/* Adjust out_msg to make space for explicit IV, if used. */
|
/* Adjust out_msg to make space for explicit IV, if used. */
|
||||||
if( transform != NULL &&
|
if( transform != NULL &&
|
||||||
ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
|
ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
|
||||||
}
|
}
|
||||||
@ -8715,17 +8734,27 @@ const char *mbedtls_ssl_get_alpn_protocol( const mbedtls_ssl_context *ssl )
|
|||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_ALPN */
|
#endif /* MBEDTLS_SSL_ALPN */
|
||||||
|
|
||||||
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf, int major, int minor )
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
void mbedtls_ssl_conf_max_version( mbedtls_ssl_config *conf,
|
||||||
|
int major, int minor )
|
||||||
{
|
{
|
||||||
conf->max_major_ver = major;
|
conf->max_major_ver = major;
|
||||||
conf->max_minor_ver = minor;
|
conf->max_minor_ver = minor;
|
||||||
}
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER ||
|
||||||
|
MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
|
||||||
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf, int major, int minor )
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
|
void mbedtls_ssl_conf_min_version( mbedtls_ssl_config *conf,
|
||||||
|
int major, int minor )
|
||||||
{
|
{
|
||||||
conf->min_major_ver = major;
|
conf->min_major_ver = major;
|
||||||
conf->min_minor_ver = minor;
|
conf->min_minor_ver = minor;
|
||||||
}
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER ||
|
||||||
|
MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
|
#if defined(MBEDTLS_SSL_FALLBACK_SCSV) && defined(MBEDTLS_SSL_CLI_C)
|
||||||
void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
|
void mbedtls_ssl_conf_fallback( mbedtls_ssl_config *conf, char fallback )
|
||||||
@ -8984,7 +9013,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
|||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
|
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
|
||||||
{
|
{
|
||||||
switch( ssl->minor_ver )
|
switch( mbedtls_ssl_get_minor_ver( ssl ) )
|
||||||
{
|
{
|
||||||
case MBEDTLS_SSL_MINOR_VERSION_2:
|
case MBEDTLS_SSL_MINOR_VERSION_2:
|
||||||
return( "DTLSv1.0" );
|
return( "DTLSv1.0" );
|
||||||
@ -9000,7 +9029,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
||||||
{
|
{
|
||||||
switch( ssl->minor_ver )
|
switch( mbedtls_ssl_get_minor_ver( ssl ) )
|
||||||
{
|
{
|
||||||
case MBEDTLS_SSL_MINOR_VERSION_0:
|
case MBEDTLS_SSL_MINOR_VERSION_0:
|
||||||
return( "SSLv3.0" );
|
return( "SSLv3.0" );
|
||||||
@ -9062,7 +9091,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
|
|||||||
/* For TLS 1.1 or higher, an explicit IV is added
|
/* For TLS 1.1 or higher, an explicit IV is added
|
||||||
* after the record header. */
|
* after the record header. */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
transform_expansion += block_size;
|
transform_expansion += block_size;
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
@ -10186,7 +10215,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
|
|||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
/* SSLv3 does not have a "no_renegotiation" warning, so
|
/* SSLv3 does not have a "no_renegotiation" warning, so
|
||||||
we send a fatal alert and abort the connection. */
|
we send a fatal alert and abort the connection. */
|
||||||
@ -10198,7 +10227,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
|
|||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 )
|
||||||
{
|
{
|
||||||
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
|
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
|
||||||
MBEDTLS_SSL_ALERT_LEVEL_WARNING,
|
MBEDTLS_SSL_ALERT_LEVEL_WARNING,
|
||||||
@ -10407,7 +10436,7 @@ static int ssl_write_split( mbedtls_ssl_context *ssl,
|
|||||||
if( ssl->conf->cbc_record_splitting ==
|
if( ssl->conf->cbc_record_splitting ==
|
||||||
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
|
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
|
||||||
len <= 1 ||
|
len <= 1 ||
|
||||||
ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
|
mbedtls_ssl_get_minor_ver( ssl ) > MBEDTLS_SSL_MINOR_VERSION_1 ||
|
||||||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
|
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
|
||||||
!= MBEDTLS_MODE_CBC )
|
!= MBEDTLS_MODE_CBC )
|
||||||
{
|
{
|
||||||
@ -10961,10 +10990,18 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
|||||||
* NSA Suite B
|
* NSA Suite B
|
||||||
*/
|
*/
|
||||||
case MBEDTLS_SSL_PRESET_SUITEB:
|
case MBEDTLS_SSL_PRESET_SUITEB:
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
conf->min_major_ver = MBEDTLS_SSL_MAJOR_VERSION_3;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
|
||||||
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
|
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_3; /* TLS 1.2 */
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
|
||||||
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
|
||||||
|
|
||||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
||||||
@ -10991,21 +11028,28 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
|
|||||||
* Default
|
* Default
|
||||||
*/
|
*/
|
||||||
default:
|
default:
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
|
conf->min_major_ver = ( MBEDTLS_SSL_MIN_MAJOR_VERSION >
|
||||||
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
|
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION ) ?
|
||||||
MBEDTLS_SSL_MIN_MAJOR_VERSION :
|
MBEDTLS_SSL_MIN_MAJOR_VERSION :
|
||||||
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
|
MBEDTLS_SSL_MIN_VALID_MAJOR_VERSION;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
|
||||||
conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
|
conf->min_minor_ver = ( MBEDTLS_SSL_MIN_MINOR_VERSION >
|
||||||
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
|
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION ) ?
|
||||||
MBEDTLS_SSL_MIN_MINOR_VERSION :
|
MBEDTLS_SSL_MIN_MINOR_VERSION :
|
||||||
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
|
MBEDTLS_SSL_MIN_VALID_MINOR_VERSION;
|
||||||
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
|
||||||
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
|
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
|
||||||
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
|
conf->min_minor_ver = MBEDTLS_SSL_MINOR_VERSION_2;
|
||||||
#endif
|
#endif
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MIN_MINOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
conf->max_major_ver = MBEDTLS_SSL_MAX_MAJOR_VERSION;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
|
||||||
|
conf->max_minor_ver = MBEDTLS_SSL_MAX_MINOR_VERSION;
|
||||||
|
#endif /* !MBEDTLS_SSL_CONF_MAX_MINOR_VER */
|
||||||
|
|
||||||
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
#if !defined(MBEDTLS_SSL_CONF_SINGLE_CIPHERSUITE)
|
||||||
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
conf->ciphersuite_list[MBEDTLS_SSL_MINOR_VERSION_0] =
|
||||||
@ -11366,71 +11410,10 @@ int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,
|
|||||||
}
|
}
|
||||||
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
#endif /* MBEDTLS_X509_CRT_PARSE_C */
|
||||||
|
|
||||||
/*
|
|
||||||
* Convert version numbers to/from wire format
|
|
||||||
* and, for DTLS, to/from TLS equivalent.
|
|
||||||
*
|
|
||||||
* For TLS this is the identity.
|
|
||||||
* For DTLS, use 1's complement (v -> 255 - v, and then map as follows:
|
|
||||||
* 1.0 <-> 3.2 (DTLS 1.0 is based on TLS 1.1)
|
|
||||||
* 1.x <-> 3.x+1 for x != 0 (DTLS 1.2 based on TLS 1.2)
|
|
||||||
*/
|
|
||||||
void mbedtls_ssl_write_version( int major, int minor, int transport,
|
|
||||||
unsigned char ver[2] )
|
|
||||||
{
|
|
||||||
#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
|
|
||||||
((void) transport);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
|
||||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
|
|
||||||
{
|
|
||||||
if( minor == MBEDTLS_SSL_MINOR_VERSION_2 )
|
|
||||||
--minor; /* DTLS 1.0 stored as TLS 1.1 internally */
|
|
||||||
|
|
||||||
ver[0] = (unsigned char)( 255 - ( major - 2 ) );
|
|
||||||
ver[1] = (unsigned char)( 255 - ( minor - 1 ) );
|
|
||||||
}
|
|
||||||
MBEDTLS_SSL_TRANSPORT_ELSE
|
|
||||||
#endif
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
|
||||||
{
|
|
||||||
ver[0] = (unsigned char) major;
|
|
||||||
ver[1] = (unsigned char) minor;
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
}
|
|
||||||
|
|
||||||
void mbedtls_ssl_read_version( int *major, int *minor, int transport,
|
|
||||||
const unsigned char ver[2] )
|
|
||||||
{
|
|
||||||
#if !defined(MBEDTLS_SSL_TRANSPORT__BOTH)
|
|
||||||
((void) transport);
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
|
||||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( transport ) )
|
|
||||||
{
|
|
||||||
*major = 255 - ver[0] + 2;
|
|
||||||
*minor = 255 - ver[1] + 1;
|
|
||||||
|
|
||||||
if( *minor == MBEDTLS_SSL_MINOR_VERSION_1 )
|
|
||||||
++*minor; /* DTLS 1.0 stored as TLS 1.1 internally */
|
|
||||||
}
|
|
||||||
MBEDTLS_SSL_TRANSPORT_ELSE
|
|
||||||
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
|
||||||
{
|
|
||||||
*major = ver[0];
|
|
||||||
*minor = ver[1];
|
|
||||||
}
|
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS */
|
|
||||||
}
|
|
||||||
|
|
||||||
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
|
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
|
return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
|
||||||
|
|
||||||
switch( md )
|
switch( md )
|
||||||
|
|||||||
@ -2754,6 +2754,38 @@ int query_config( const char *config )
|
|||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_CONF_RNG */
|
#endif /* MBEDTLS_SSL_CONF_RNG */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER)
|
||||||
|
if( strcmp( "MBEDTLS_SSL_CONF_MIN_MINOR_VER", config ) == 0 )
|
||||||
|
{
|
||||||
|
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MIN_MINOR_VER );
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MIN_MINOR_VER */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER)
|
||||||
|
if( strcmp( "MBEDTLS_SSL_CONF_MAX_MINOR_VER", config ) == 0 )
|
||||||
|
{
|
||||||
|
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MAX_MINOR_VER );
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MAX_MINOR_VER */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER)
|
||||||
|
if( strcmp( "MBEDTLS_SSL_CONF_MIN_MAJOR_VER", config ) == 0 )
|
||||||
|
{
|
||||||
|
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MIN_MAJOR_VER );
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MIN_MAJOR_VER */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
if( strcmp( "MBEDTLS_SSL_CONF_MAX_MAJOR_VER", config ) == 0 )
|
||||||
|
{
|
||||||
|
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_CONF_MAX_MAJOR_VER );
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_CONF_MAX_MAJOR_VER */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
#if defined(MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET)
|
||||||
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
|
if( strcmp( "MBEDTLS_SSL_CONF_EXTENDED_MASTER_SECRET", config ) == 0 )
|
||||||
{
|
{
|
||||||
|
|||||||
@ -315,6 +315,20 @@ int main( void )
|
|||||||
#define USAGE_READ_TIMEOUT ""
|
#define USAGE_READ_TIMEOUT ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
#define USAGE_MAX_VERSION " max_version=%%s default: (library default: tls1_2)\n"
|
||||||
|
#define USAGE_MIN_VERSION " min_version=%%s default: (library default: tls1)\n"
|
||||||
|
#define USAGE_FORCE_VERSION " force_version=%%s default: \"\" (none)\n" \
|
||||||
|
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n"
|
||||||
|
#else
|
||||||
|
#define USAGE_MAX_VERSION ""
|
||||||
|
#define USAGE_MIN_VERSION ""
|
||||||
|
#define USAGE_FORCE_VERSION ""
|
||||||
|
#endif
|
||||||
|
|
||||||
#define USAGE \
|
#define USAGE \
|
||||||
"\n usage: ssl_client2 param=<>...\n" \
|
"\n usage: ssl_client2 param=<>...\n" \
|
||||||
"\n acceptable parameters:\n" \
|
"\n acceptable parameters:\n" \
|
||||||
@ -368,10 +382,9 @@ int main( void )
|
|||||||
"\n" \
|
"\n" \
|
||||||
" arc4=%%d default: (library default: 0)\n" \
|
" arc4=%%d default: (library default: 0)\n" \
|
||||||
" allow_sha1=%%d default: 0\n" \
|
" allow_sha1=%%d default: 0\n" \
|
||||||
" min_version=%%s default: (library default: tls1)\n" \
|
USAGE_MIN_VERSION \
|
||||||
" max_version=%%s default: (library default: tls1_2)\n" \
|
USAGE_MAX_VERSION \
|
||||||
" force_version=%%s default: \"\" (none)\n" \
|
USAGE_FORCE_VERSION \
|
||||||
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
|
|
||||||
"\n" \
|
"\n" \
|
||||||
" force_ciphersuite=<name> default: all enabled\n"\
|
" force_ciphersuite=<name> default: all enabled\n"\
|
||||||
" query_config=<name> return 0 if the specified\n" \
|
" query_config=<name> return 0 if the specified\n" \
|
||||||
@ -1113,6 +1126,10 @@ int main( int argc, char *argv[] )
|
|||||||
default: goto usage;
|
default: goto usage;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
else if( strcmp( p, "min_version" ) == 0 )
|
else if( strcmp( p, "min_version" ) == 0 )
|
||||||
{
|
{
|
||||||
if( strcmp( q, "ssl3" ) == 0 )
|
if( strcmp( q, "ssl3" ) == 0 )
|
||||||
@ -1143,24 +1160,6 @@ int main( int argc, char *argv[] )
|
|||||||
else
|
else
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
else if( strcmp( p, "arc4" ) == 0 )
|
|
||||||
{
|
|
||||||
switch( atoi( q ) )
|
|
||||||
{
|
|
||||||
case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
|
|
||||||
case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
|
|
||||||
default: goto usage;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else if( strcmp( p, "allow_sha1" ) == 0 )
|
|
||||||
{
|
|
||||||
switch( atoi( q ) )
|
|
||||||
{
|
|
||||||
case 0: opt.allow_sha1 = 0; break;
|
|
||||||
case 1: opt.allow_sha1 = 1; break;
|
|
||||||
default: goto usage;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else if( strcmp( p, "force_version" ) == 0 )
|
else if( strcmp( p, "force_version" ) == 0 )
|
||||||
{
|
{
|
||||||
if( strcmp( q, "ssl3" ) == 0 )
|
if( strcmp( q, "ssl3" ) == 0 )
|
||||||
@ -1198,6 +1197,25 @@ int main( int argc, char *argv[] )
|
|||||||
else
|
else
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
else if( strcmp( p, "arc4" ) == 0 )
|
||||||
|
{
|
||||||
|
switch( atoi( q ) )
|
||||||
|
{
|
||||||
|
case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
|
||||||
|
case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
|
||||||
|
default: goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( strcmp( p, "allow_sha1" ) == 0 )
|
||||||
|
{
|
||||||
|
switch( atoi( q ) )
|
||||||
|
{
|
||||||
|
case 0: opt.allow_sha1 = 0; break;
|
||||||
|
case 1: opt.allow_sha1 = 1; break;
|
||||||
|
default: goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
||||||
else if( strcmp( p, "auth_mode" ) == 0 )
|
else if( strcmp( p, "auth_mode" ) == 0 )
|
||||||
{
|
{
|
||||||
@ -1847,6 +1865,10 @@ int main( int argc, char *argv[] )
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
if( opt.min_version != DFL_MIN_VERSION )
|
if( opt.min_version != DFL_MIN_VERSION )
|
||||||
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
|
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
|
||||||
opt.min_version );
|
opt.min_version );
|
||||||
@ -1854,6 +1876,7 @@ int main( int argc, char *argv[] )
|
|||||||
if( opt.max_version != DFL_MAX_VERSION )
|
if( opt.max_version != DFL_MAX_VERSION )
|
||||||
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
|
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3,
|
||||||
opt.max_version );
|
opt.max_version );
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
||||||
if( opt.fallback != DFL_FALLBACK )
|
if( opt.fallback != DFL_FALLBACK )
|
||||||
|
|||||||
@ -431,6 +431,20 @@ int main( void )
|
|||||||
#define USAGE_CERT_REQ_CA_LIST ""
|
#define USAGE_CERT_REQ_CA_LIST ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
#define USAGE_MAX_VERSION " max_version=%%s default: (library default: tls1_2)\n"
|
||||||
|
#define USAGE_MIN_VERSION " min_version=%%s default: (library default: tls1)\n"
|
||||||
|
#define USAGE_FORCE_VERSION " force_version=%%s default: \"\" (none)\n" \
|
||||||
|
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n"
|
||||||
|
#else
|
||||||
|
#define USAGE_MAX_VERSION ""
|
||||||
|
#define USAGE_MIN_VERSION ""
|
||||||
|
#define USAGE_FORCE_VERSION ""
|
||||||
|
#endif
|
||||||
|
|
||||||
#define USAGE \
|
#define USAGE \
|
||||||
"\n usage: ssl_server2 param=<>...\n" \
|
"\n usage: ssl_server2 param=<>...\n" \
|
||||||
"\n acceptable parameters:\n" \
|
"\n acceptable parameters:\n" \
|
||||||
@ -477,10 +491,9 @@ int main( void )
|
|||||||
"\n" \
|
"\n" \
|
||||||
" arc4=%%d default: (library default: 0)\n" \
|
" arc4=%%d default: (library default: 0)\n" \
|
||||||
" allow_sha1=%%d default: 0\n" \
|
" allow_sha1=%%d default: 0\n" \
|
||||||
" min_version=%%s default: (library default: tls1)\n" \
|
USAGE_MIN_VERSION \
|
||||||
" max_version=%%s default: (library default: tls1_2)\n" \
|
USAGE_MAX_VERSION \
|
||||||
" force_version=%%s default: \"\" (none)\n" \
|
USAGE_FORCE_VERSION \
|
||||||
" options: ssl3, tls1, tls1_1, tls1_2, dtls1, dtls1_2\n" \
|
|
||||||
"\n" \
|
"\n" \
|
||||||
" version_suites=a,b,c,d per-version ciphersuites\n" \
|
" version_suites=a,b,c,d per-version ciphersuites\n" \
|
||||||
" in order from ssl3 to tls1_2\n" \
|
" in order from ssl3 to tls1_2\n" \
|
||||||
@ -1749,6 +1762,10 @@ int main( int argc, char *argv[] )
|
|||||||
if( opt.exchanges < 0 )
|
if( opt.exchanges < 0 )
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
else if( strcmp( p, "min_version" ) == 0 )
|
else if( strcmp( p, "min_version" ) == 0 )
|
||||||
{
|
{
|
||||||
if( strcmp( q, "ssl3" ) == 0 )
|
if( strcmp( q, "ssl3" ) == 0 )
|
||||||
@ -1779,24 +1796,6 @@ int main( int argc, char *argv[] )
|
|||||||
else
|
else
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
else if( strcmp( p, "arc4" ) == 0 )
|
|
||||||
{
|
|
||||||
switch( atoi( q ) )
|
|
||||||
{
|
|
||||||
case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
|
|
||||||
case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
|
|
||||||
default: goto usage;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else if( strcmp( p, "allow_sha1" ) == 0 )
|
|
||||||
{
|
|
||||||
switch( atoi( q ) )
|
|
||||||
{
|
|
||||||
case 0: opt.allow_sha1 = 0; break;
|
|
||||||
case 1: opt.allow_sha1 = 1; break;
|
|
||||||
default: goto usage;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else if( strcmp( p, "force_version" ) == 0 )
|
else if( strcmp( p, "force_version" ) == 0 )
|
||||||
{
|
{
|
||||||
if( strcmp( q, "ssl3" ) == 0 )
|
if( strcmp( q, "ssl3" ) == 0 )
|
||||||
@ -1834,6 +1833,31 @@ int main( int argc, char *argv[] )
|
|||||||
else
|
else
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
|
else if( strcmp( p, "arc4" ) == 0 )
|
||||||
|
{
|
||||||
|
switch( atoi( q ) )
|
||||||
|
{
|
||||||
|
case 0: opt.arc4 = MBEDTLS_SSL_ARC4_DISABLED; break;
|
||||||
|
case 1: opt.arc4 = MBEDTLS_SSL_ARC4_ENABLED; break;
|
||||||
|
default: goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else if( strcmp( p, "allow_sha1" ) == 0 )
|
||||||
|
{
|
||||||
|
switch( atoi( q ) )
|
||||||
|
{
|
||||||
|
case 0: opt.allow_sha1 = 0; break;
|
||||||
|
case 1: opt.allow_sha1 = 1; break;
|
||||||
|
default: goto usage;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
|
|
||||||
|
#endif
|
||||||
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
#if !defined(MBEDTLS_SSL_CONF_AUTHMODE)
|
||||||
else if( strcmp( p, "auth_mode" ) == 0 )
|
else if( strcmp( p, "auth_mode" ) == 0 )
|
||||||
{
|
{
|
||||||
@ -2863,11 +2887,16 @@ int main( int argc, char *argv[] )
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_MIN_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MIN_MAJOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MINOR_VER) || \
|
||||||
|
!defined(MBEDTLS_SSL_CONF_MAX_MAJOR_VER)
|
||||||
if( opt.min_version != DFL_MIN_VERSION )
|
if( opt.min_version != DFL_MIN_VERSION )
|
||||||
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
|
mbedtls_ssl_conf_min_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.min_version );
|
||||||
|
|
||||||
if( opt.max_version != DFL_MIN_VERSION )
|
if( opt.max_version != DFL_MIN_VERSION )
|
||||||
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
|
mbedtls_ssl_conf_max_version( &conf, MBEDTLS_SSL_MAJOR_VERSION_3, opt.max_version );
|
||||||
|
#endif
|
||||||
|
|
||||||
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
if( ( ret = mbedtls_ssl_setup( &ssl, &conf ) ) != 0 )
|
||||||
{
|
{
|
||||||
|
|||||||
@ -563,6 +563,84 @@ check_cmdline_legacy_renego_compat() {
|
|||||||
fi
|
fi
|
||||||
}
|
}
|
||||||
|
|
||||||
|
check_cmdline_min_minor_version_compat() {
|
||||||
|
__VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
|
||||||
|
if [ ! -z "$__VAL" ]; then
|
||||||
|
extract_cmdline_argument "min_version"
|
||||||
|
if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
|
||||||
|
SKIP_NEXT="YES";
|
||||||
|
elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_cmdline_max_minor_version_compat() {
|
||||||
|
__VAL="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
|
||||||
|
if [ ! -z "$__VAL" ]; then
|
||||||
|
extract_cmdline_argument "max_version"
|
||||||
|
if [ "$__ARG" = "ssl3" ] && [ "$__VAL" != "0" ]; then
|
||||||
|
SKIP_NEXT="YES";
|
||||||
|
elif [ "$__ARG" = "tls1" ] && [ "$__VAL" != "1" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif [ "$__ARG" = "tls1_1" ] && [ "$__VAL" != "2" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif [ "$__ARG" = "tls1_2" ] && [ "$__VAL" != "3" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
check_cmdline_force_version_compat() {
|
||||||
|
__VAL_MAX="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MAX_MINOR_VER" )"
|
||||||
|
__VAL_MIN="$( get_config_value_or_default "MBEDTLS_SSL_CONF_MIN_MINOR_VER" )"
|
||||||
|
if [ ! -z "$__VAL_MIN" ]; then
|
||||||
|
|
||||||
|
# SSL cli/srv cmd line
|
||||||
|
|
||||||
|
extract_cmdline_argument "force_version"
|
||||||
|
if [ "$__ARG" = "ssl3" ] && \
|
||||||
|
( [ "$__VAL_MIN" != "0" ] || [ "$__VAL_MAX" != "0" ] ); then
|
||||||
|
SKIP_NEXT="YES";
|
||||||
|
elif [ "$__ARG" = "tls1" ] && \
|
||||||
|
( [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ] ); then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif ( [ "$__ARG" = "tls1_1" ] || [ "$__ARG" = "dtls1" ] ) && \
|
||||||
|
( [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ] ); then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
elif ( [ "$__ARG" = "tls1_2" ] || [ "$__ARG" = "dtls1_2" ] ) && \
|
||||||
|
( [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ] ); then
|
||||||
|
echo "FORCE SKIP"
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# OpenSSL cmd line
|
||||||
|
|
||||||
|
if echo "$CMD" | grep -e "-tls1\($\|[^_]\)" > /dev/null; then
|
||||||
|
if [ "$__VAL_MIN" != "1" ] || [ "$__VAL_MAX" != "1" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if echo "$CMD" | grep -e "-\(dtls1\($\|[^_]\)\|tls1_1\)" > /dev/null; then
|
||||||
|
if [ "$__VAL_MIN" != "2" ] || [ "$__VAL_MAX" != "2" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
if echo "$CMD" | grep -e "-\(dtls1_2\($\|[^_]\)\|tls1_2\)" > /dev/null; then
|
||||||
|
if [ "$__VAL_MIN" != "3" ] || [ "$__VAL_MAX" != "3" ]; then
|
||||||
|
SKIP_NEXT="YES"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
# Go through all options that can be hardcoded at compile-time and
|
# Go through all options that can be hardcoded at compile-time and
|
||||||
# detect whether the command line configures them in a conflicting
|
# detect whether the command line configures them in a conflicting
|
||||||
# way. If so, skip the test. Otherwise, remove the corresponding
|
# way. If so, skip the test. Otherwise, remove the corresponding
|
||||||
@ -592,6 +670,11 @@ check_cmdline_compat() {
|
|||||||
|
|
||||||
# Legacy renegotiation
|
# Legacy renegotiation
|
||||||
check_cmdline_legacy_renego_compat
|
check_cmdline_legacy_renego_compat
|
||||||
|
|
||||||
|
# Version configuration
|
||||||
|
check_cmdline_min_minor_version_compat
|
||||||
|
check_cmdline_max_minor_version_compat
|
||||||
|
check_cmdline_force_version_compat
|
||||||
}
|
}
|
||||||
|
|
||||||
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
|
# Usage: run_test name [-p proxy_cmd] srv_cmd cli_cmd cli_exit [option [...]]
|
||||||
|
|||||||
@ -108,6 +108,21 @@ typedef enum
|
|||||||
} \
|
} \
|
||||||
} while( 0 )
|
} while( 0 )
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief This macro tests the expression passed to it and skips the
|
||||||
|
* running test if it doesn't evaluate to 'true'.
|
||||||
|
*
|
||||||
|
* \param TEST The test expression to be tested.
|
||||||
|
*/
|
||||||
|
#define TEST_ASSUME( TEST ) \
|
||||||
|
do { \
|
||||||
|
if( ! (TEST) ) \
|
||||||
|
{ \
|
||||||
|
test_skip( #TEST, __LINE__, __FILE__ ); \
|
||||||
|
goto exit; \
|
||||||
|
} \
|
||||||
|
} while( 0 )
|
||||||
|
|
||||||
#if defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT)
|
#if defined(MBEDTLS_CHECK_PARAMS) && !defined(MBEDTLS_PARAM_FAILED_ALT)
|
||||||
/**
|
/**
|
||||||
* \brief This macro tests the statement passed to it as a test step or
|
* \brief This macro tests the statement passed to it as a test step or
|
||||||
@ -241,10 +256,17 @@ typedef enum
|
|||||||
/*----------------------------------------------------------------------------*/
|
/*----------------------------------------------------------------------------*/
|
||||||
/* Global variables */
|
/* Global variables */
|
||||||
|
|
||||||
|
typedef enum
|
||||||
|
{
|
||||||
|
TEST_RESULT_SUCCESS = 0,
|
||||||
|
TEST_RESULT_FAILED,
|
||||||
|
TEST_RESULT_SKIPPED
|
||||||
|
} test_result_t;
|
||||||
|
|
||||||
static struct
|
static struct
|
||||||
{
|
{
|
||||||
paramfail_test_state_t paramfail_test_state;
|
paramfail_test_state_t paramfail_test_state;
|
||||||
int failed;
|
test_result_t result;
|
||||||
const char *test;
|
const char *test;
|
||||||
const char *filename;
|
const char *filename;
|
||||||
int line_no;
|
int line_no;
|
||||||
@ -280,7 +302,15 @@ jmp_buf jmp_tmp;
|
|||||||
|
|
||||||
void test_fail( const char *test, int line_no, const char* filename )
|
void test_fail( const char *test, int line_no, const char* filename )
|
||||||
{
|
{
|
||||||
test_info.failed = 1;
|
test_info.result = TEST_RESULT_FAILED;
|
||||||
|
test_info.test = test;
|
||||||
|
test_info.line_no = line_no;
|
||||||
|
test_info.filename = filename;
|
||||||
|
}
|
||||||
|
|
||||||
|
void test_skip( const char *test, int line_no, const char* filename )
|
||||||
|
{
|
||||||
|
test_info.result = TEST_RESULT_SKIPPED;
|
||||||
test_info.test = test;
|
test_info.test = test;
|
||||||
test_info.line_no = line_no;
|
test_info.line_no = line_no;
|
||||||
test_info.filename = filename;
|
test_info.filename = filename;
|
||||||
@ -319,7 +349,7 @@ void mbedtls_param_failed( const char *failure_condition,
|
|||||||
/* Record the location of the failure, but not as a failure yet, in case
|
/* Record the location of the failure, but not as a failure yet, in case
|
||||||
* it was part of the test */
|
* it was part of the test */
|
||||||
test_fail( failure_condition, line, file );
|
test_fail( failure_condition, line, file );
|
||||||
test_info.failed = 0;
|
test_info.result = TEST_RESULT_SUCCESS;
|
||||||
|
|
||||||
longjmp( param_fail_jmp, 1 );
|
longjmp( param_fail_jmp, 1 );
|
||||||
}
|
}
|
||||||
|
|||||||
@ -498,7 +498,8 @@ int execute_tests( int argc , const char ** argv )
|
|||||||
|
|
||||||
if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
|
if( ( ret = get_line( file, buf, sizeof(buf) ) ) != 0 )
|
||||||
break;
|
break;
|
||||||
mbedtls_fprintf( stdout, "%s%.66s", test_info.failed ? "\n" : "", buf );
|
mbedtls_fprintf( stdout, "%s%.66s",
|
||||||
|
test_info.result == TEST_RESULT_FAILED ? "\n" : "", buf );
|
||||||
mbedtls_fprintf( stdout, " " );
|
mbedtls_fprintf( stdout, " " );
|
||||||
for( i = strlen( buf ) + 1; i < 67; i++ )
|
for( i = strlen( buf ) + 1; i < 67; i++ )
|
||||||
mbedtls_fprintf( stdout, "." );
|
mbedtls_fprintf( stdout, "." );
|
||||||
@ -545,7 +546,7 @@ int execute_tests( int argc , const char ** argv )
|
|||||||
// If there are no unmet dependencies execute the test
|
// If there are no unmet dependencies execute the test
|
||||||
if( unmet_dep_count == 0 )
|
if( unmet_dep_count == 0 )
|
||||||
{
|
{
|
||||||
test_info.failed = 0;
|
test_info.result = TEST_RESULT_SUCCESS;
|
||||||
test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
|
test_info.paramfail_test_state = PARAMFAIL_TESTSTATE_IDLE;
|
||||||
|
|
||||||
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
|
#if defined(__unix__) || (defined(__APPLE__) && defined(__MACH__))
|
||||||
@ -610,10 +611,15 @@ int execute_tests( int argc , const char ** argv )
|
|||||||
}
|
}
|
||||||
else if( ret == DISPATCH_TEST_SUCCESS )
|
else if( ret == DISPATCH_TEST_SUCCESS )
|
||||||
{
|
{
|
||||||
if( test_info.failed == 0 )
|
if( test_info.result == TEST_RESULT_SUCCESS )
|
||||||
{
|
{
|
||||||
mbedtls_fprintf( stdout, "PASS\n" );
|
mbedtls_fprintf( stdout, "PASS\n" );
|
||||||
}
|
}
|
||||||
|
else if( test_info.result == TEST_RESULT_SKIPPED )
|
||||||
|
{
|
||||||
|
mbedtls_fprintf( stdout, "----\n" );
|
||||||
|
total_skipped++;
|
||||||
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
total_errors++;
|
total_errors++;
|
||||||
|
|||||||
@ -156,7 +156,7 @@ void execute_function_ptr(TestWrapper_t fp, void **params)
|
|||||||
else
|
else
|
||||||
{
|
{
|
||||||
/* Unexpected parameter validation error */
|
/* Unexpected parameter validation error */
|
||||||
test_info.failed = 1;
|
test_info.result = TEST_RESULT_FAILED;
|
||||||
}
|
}
|
||||||
|
|
||||||
memset( param_fail_jmp, 0, sizeof(jmp_buf) );
|
memset( param_fail_jmp, 0, sizeof(jmp_buf) );
|
||||||
|
|||||||
@ -168,8 +168,12 @@ static int build_transforms( mbedtls_ssl_transform *t_in,
|
|||||||
((void) etm);
|
((void) etm);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
t_out->minor_ver = ver;
|
t_out->minor_ver = ver;
|
||||||
t_in->minor_ver = ver;
|
t_in->minor_ver = ver;
|
||||||
|
#else
|
||||||
|
((void) ver);
|
||||||
|
#endif
|
||||||
t_out->ivlen = ivlen;
|
t_out->ivlen = ivlen;
|
||||||
t_in->ivlen = ivlen;
|
t_in->ivlen = ivlen;
|
||||||
|
|
||||||
@ -432,6 +436,11 @@ void ssl_crypt_record( int cipher_type, int hash_id,
|
|||||||
mbedtls_ssl_init( &ssl );
|
mbedtls_ssl_init( &ssl );
|
||||||
mbedtls_ssl_transform_init( &t0 );
|
mbedtls_ssl_transform_init( &t0 );
|
||||||
mbedtls_ssl_transform_init( &t1 );
|
mbedtls_ssl_transform_init( &t1 );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
TEST_ASSUME( ver == MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
|
||||||
|
#endif
|
||||||
|
|
||||||
TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
|
TEST_ASSERT( build_transforms( &t0, &t1, cipher_type, hash_id,
|
||||||
etm, tag_mode, ver,
|
etm, tag_mode, ver,
|
||||||
(size_t) cid0_len,
|
(size_t) cid0_len,
|
||||||
@ -573,6 +582,10 @@ void ssl_crypt_record_small( int cipher_type, int hash_id,
|
|||||||
(size_t) cid0_len,
|
(size_t) cid0_len,
|
||||||
(size_t) cid1_len ) == 0 );
|
(size_t) cid1_len ) == 0 );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_CONF_FIXED_MINOR_VER)
|
||||||
|
TEST_ASSUME( ver == MBEDTLS_SSL_CONF_FIXED_MINOR_VER );
|
||||||
|
#endif
|
||||||
|
|
||||||
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
|
TEST_ASSERT( ( buf = mbedtls_calloc( 1, buflen ) ) != NULL );
|
||||||
|
|
||||||
for( mode=1; mode <= 3; mode++ )
|
for( mode=1; mode <= 3; mode++ )
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user