yuzu-emu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-11-30 06:34:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

Add Mbed TLS version to SSL sessions

Browse Source 
The format of serialized SSL sessions depends on the version and the
configuration of Mbed TLS; attempts to restore sessions established
in different versions and/or configurations lead to undefined behaviour.

This commit adds an 3-byte version header to the serialized session
generated and cleanly fails ticket parsing in case a session from a
non-matching version of Mbed TLS is presented.
This commit is contained in:
Hanno Becker 2019-05-16 12:39:07 +01:00 committed by Jarno Lamsa
parent aa75583ced
commit a835da5cb1
1 changed files with 41 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
library/ssl_tls.c
View File

@ -47,6 +47,7 @@
#include "mbedtls/ssl.h" #include "mbedtls/ssl.h"
#include "mbedtls/ssl_internal.h" #include "mbedtls/ssl_internal.h"
#include "mbedtls/platform_util.h" #include "mbedtls/platform_util.h"
#include "mbedtls/version.h"
#include <string.h> #include <string.h>
@ -9842,10 +9843,22 @@ const mbedtls_ssl_session *mbedtls_ssl_get_session_pointer( const mbedtls_ssl_co
return( ssl->session ); return( ssl->session );
} }
/*
* Define ticket header determining Mbed TLS version
* and structure of the ticket.
*/
static unsigned char ssl_serialized_session_header[] = {
MBEDTLS_VERSION_MAJOR,
MBEDTLS_VERSION_MINOR,
MBEDTLS_VERSION_PATCH,
};
/* /*
* Serialize a session in the following format: * Serialize a session in the following format:
* (in the presentation language of TLS, RFC 8446 section 3) * (in the presentation language of TLS, RFC 8446 section 3)
* *
* opaque mbedtls_version[3]; // major, minor, patch
* uint64 start_time; * uint64 start_time;
* uint8 ciphersuite[2]; // defined by the standard * uint8 ciphersuite[2]; // defined by the standard
* uint8 compression; // 0 or 1 * uint8 compression; // 0 or 1
@ -9881,6 +9894,19 @@ int mbedtls_ssl_session_save( const mbedtls_ssl_session *session,
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
* Add version identifier
*/
used += sizeof( ssl_serialized_session_header );
if( used <= buf_len )
{
memcpy( p, ssl_serialized_session_header,
sizeof( ssl_serialized_session_header ) );
p += sizeof( ssl_serialized_session_header );
}
/* /*
* Time * Time
*/ */
@ -10060,6 +10086,21 @@ static int ssl_session_load( mbedtls_ssl_session *session,
#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
/*
* Check version identifier
*/
if( (size_t)( end - p ) < sizeof( ssl_serialized_session_header ) )
return( MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL );
if( memcmp( p, ssl_serialized_session_header,
sizeof( ssl_serialized_session_header ) ) != 0 )
{
/* A more specific error code might be used here. */
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
}
p += sizeof( ssl_serialized_session_header );
/* /*
* Time * Time
*/ */