mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-11-23 12:25:36 +01:00
Fix non compliance SSLv3 in server extension handling.
The server code parses the client hello extensions even when the protocol is SSLv3 and this behaviour is non compliant with rfc6101. Also the server sends extensions in the server hello and omitting them may prevent interoperability problems.
This commit is contained in:
parent
b700c46750
commit
83f26052bf
@ -20,6 +20,8 @@ Changes
|
|||||||
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
|
* On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5,
|
||||||
don't use the optimized assembly for bignum multiplication. This removes
|
don't use the optimized assembly for bignum multiplication. This removes
|
||||||
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
|
the need to pass -fomit-frame-pointer to avoid a build error with -O0.
|
||||||
|
* Fix non-compliance server extension handling. Extensions for SSLv3 are now
|
||||||
|
ignored, as required by RFC6101.
|
||||||
|
|
||||||
= mbed TLS 2.1.4 released 2016-01-05
|
= mbed TLS 2.1.4 released 2016-01-05
|
||||||
|
|
||||||
|
@ -1460,6 +1460,12 @@ read_record_header:
|
|||||||
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
|
ssl->session_negotiate->compression = MBEDTLS_SSL_COMPRESS_NULL;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Do not parse the extensions if the protocol is SSLv3 */
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
||||||
|
{
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Check the extension length
|
* Check the extension length
|
||||||
*/
|
*/
|
||||||
@ -1633,8 +1639,13 @@ read_record_header:
|
|||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad client hello message" ) );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
#if defined(MBEDTLS_SSL_FALLBACK_SCSV)
|
||||||
for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
|
for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
|
||||||
{
|
{
|
||||||
@ -2259,6 +2270,12 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, compress alg.: 0x%02X",
|
||||||
ssl->session_negotiate->compression ) );
|
ssl->session_negotiate->compression ) );
|
||||||
|
|
||||||
|
/* Do not write the extensions if the protocol is SSLv3 */
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
||||||
|
{
|
||||||
|
#endif
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* First write extensions, then the total length
|
* First write extensions, then the total length
|
||||||
*/
|
*/
|
||||||
@ -2309,6 +2326,10 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
|||||||
p += ext_len;
|
p += ext_len;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
ssl->out_msglen = p - buf;
|
ssl->out_msglen = p - buf;
|
||||||
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
|
||||||
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
|
ssl->out_msg[0] = MBEDTLS_SSL_HS_SERVER_HELLO;
|
||||||
|
Loading…
Reference in New Issue
Block a user