From a9a028ebd0fb74d2fd893089966575bdcd52a018 Mon Sep 17 00:00:00 2001 From: Paul Bakker Date: Thu, 21 Nov 2013 17:31:06 +0100 Subject: [PATCH] SSL now gracefully handles missing RNG --- ChangeLog | 1 + include/polarssl/ssl.h | 2 +- library/error.c | 4 ++-- library/ssl_cli.c | 6 ++++++ library/ssl_srv.c | 6 ++++++ 5 files changed, 16 insertions(+), 3 deletions(-) diff --git a/ChangeLog b/ChangeLog index eca541c8f..1d28f6e3f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,7 @@ PolarSSL ChangeLog (Sorted per branch, date) = PolarSSL 1.3 branch Bugfix * Fixed X.509 hostname comparison (with non-regular characters) + * SSL now gracefully handles missing RNG = PolarSSL 1.3.2 released on 2013-11-04 Features diff --git a/include/polarssl/ssl.h b/include/polarssl/ssl.h index 1608df30e..fdb27f65a 100644 --- a/include/polarssl/ssl.h +++ b/include/polarssl/ssl.h @@ -101,7 +101,7 @@ #define POLARSSL_ERR_SSL_CONN_EOF -0x7280 /**< The connection indicated an EOF. */ #define POLARSSL_ERR_SSL_UNKNOWN_CIPHER -0x7300 /**< An unknown cipher was received. */ #define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */ -#define POLARSSL_ERR_SSL_NO_SESSION_FOUND -0x7400 /**< No session to recover was found. */ +#define POLARSSL_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */ #define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */ #define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message.*/ #define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */ diff --git a/library/error.c b/library/error.c index 9d76f194c..6ef104d72 100644 --- a/library/error.c +++ b/library/error.c @@ -358,8 +358,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen ) snprintf( buf, buflen, "SSL - An unknown cipher was received" ); if( use_ret == -(POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN) ) snprintf( buf, buflen, "SSL - The server has no ciphersuites in common with the client" ); - if( use_ret == -(POLARSSL_ERR_SSL_NO_SESSION_FOUND) ) - snprintf( buf, buflen, "SSL - No session to recover was found" ); + if( use_ret == -(POLARSSL_ERR_SSL_NO_RNG) ) + snprintf( buf, buflen, "SSL - No RNG was provided to the SSL module" ); if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) ) snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" ); if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) ) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 0eaa531fc..3cde3752f 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -390,6 +390,12 @@ static int ssl_write_client_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); + if( ssl->f_rng == NULL ) + { + SSL_DEBUG_MSG( 1, ( "no RNG provided") ); + return( POLARSSL_ERR_SSL_NO_RNG ); + } + if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) { ssl->major_ver = ssl->min_major_ver; diff --git a/library/ssl_srv.c b/library/ssl_srv.c index e44bf7212..12ccb1282 100644 --- a/library/ssl_srv.c +++ b/library/ssl_srv.c @@ -1594,6 +1594,12 @@ static int ssl_write_server_hello( ssl_context *ssl ) SSL_DEBUG_MSG( 2, ( "=> write server hello" ) ); + if( ssl->f_rng == NULL ) + { + SSL_DEBUG_MSG( 1, ( "no RNG provided") ); + return( POLARSSL_ERR_SSL_NO_RNG ); + } + /* * 0 . 0 handshake type * 1 . 3 handshake length