yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-22 22:15:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Increase hamming distance for session resume flag

Browse Source 
This is to prevent glitching a single bit for the resume flag.
This commit is contained in:
Jarno Lamsa 2019-12-19 15:20:19 +02:00
parent 489dccd158
commit 8d09e5744c
3 changed files with 14 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
library/ssl_cli.c
View File

@ -868,7 +868,7 @@ static int ssl_write_client_hello( mbedtls_ssl_context *ssl )
* appropriate length. Otherwise make the length 0 (for now, see next code
* block for behaviour with tickets).
*/
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_UNSET ||
mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
ssl->session_negotiate->id_len < 16 ||
ssl->session_negotiate->id_len > 32 )
@ -1832,11 +1832,11 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
ssl->session_negotiate->id_len != n ||
mbedtls_platform_memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
{
ssl->handshake->resume = 0;
ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_UNSET;
}
#endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_SET )
{
/* Resume a session */
ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;

8
library/ssl_srv.c
View File

@ -627,7 +627,7 @@ static int ssl_parse_session_ticket_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
ssl->handshake->resume = 1;
ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
/* Don't send a new ticket after all, this one is OK */
ssl->handshake->new_session_ticket = 0;
@ -2839,19 +2839,19 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
* It may be already set to 1 by ssl_parse_session_ticket_ext().
* If not, try looking up session ID in our cache.
*/
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 &&
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_UNSET &&
mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
ssl->session_negotiate->id_len != 0 &&
ssl->conf->f_get_cache != NULL &&
ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
ssl->handshake->resume = 1;
ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
}
#endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_SET )
{
/*
* Resuming a session

14
library/ssl_tls.c
View File

@ -1825,7 +1825,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
mbedtls_ssl_handshake_get_ciphersuite( handshake );
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
if( handshake->resume != 0 )
if( handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
return( 0 );
@ -7969,7 +7969,7 @@ int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
*/
if( ssl->conf->f_set_cache != NULL &&
ssl->session->id_len != 0 &&
ssl->handshake->resume == 0 )
ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_UNSET )
{
if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
@ -7990,10 +7990,10 @@ int mbedtls_ssl_handshake_wrapup( mbedtls_ssl_context *ssl )
}
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
if( ssl->handshake->resume )
if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
mbedtls_platform_enforce_volatile_reads();
if( ssl->handshake->resume )
if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
/* When doing session resume, no premaster or peer authentication */
ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
@ -8111,7 +8111,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
* In case of session resuming, invert the client and server
* ChangeCipherSpec messages order.
*/
if( ssl->handshake->resume != 0 )
if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
@ -8290,7 +8290,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
#endif
#if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
if( ssl->handshake->resume != 0 )
if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
@ -9019,7 +9019,7 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
session ) ) != 0 )
return( ret );
ssl->handshake->resume = 1;
ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
return( 0 );
}