mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2025-01-11 10:25:34 +00:00
Introduce configuration option and API for SSL record checking
This commit is contained in:
parent
f010eba833
commit
02f2609551
|
@ -1293,6 +1293,19 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
#define MBEDTLS_SSL_ALL_ALERT_MESSAGES
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def MBEDTLS_SSL_RECORD_CHECKING
|
||||||
|
*
|
||||||
|
* Enable the API mbedtls_ssl_check_record() which allows to check the
|
||||||
|
* validity, freshness and authenticity of an incoming record without
|
||||||
|
* modifying the externally visible state of the SSL context.
|
||||||
|
*
|
||||||
|
* See mbedtls_ssl_check_record() for more information.
|
||||||
|
*
|
||||||
|
* Uncomment to enable support for record checking.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_SSL_RECORD_CHECKING
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
|
* \def MBEDTLS_SSL_DTLS_CONNECTION_ID
|
||||||
*
|
*
|
||||||
|
|
|
@ -1898,6 +1898,54 @@ void mbedtls_ssl_set_mtu( mbedtls_ssl_context *ssl, uint16_t mtu );
|
||||||
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
|
void mbedtls_ssl_conf_read_timeout( mbedtls_ssl_config *conf, uint32_t timeout );
|
||||||
#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
|
#endif /* !MBEDTLS_SSL_CONF_READ_TIMEOUT */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
|
||||||
|
/**
|
||||||
|
* \brief Check whether a buffer contains a valid, fresh
|
||||||
|
* and authentic application data record (DTLS only).
|
||||||
|
*
|
||||||
|
* This function does not change the user-visible state
|
||||||
|
* of the SSL context. It's sole purpose is to provide
|
||||||
|
* an indication of the legitimacy of an incoming record.
|
||||||
|
*
|
||||||
|
* This can be useful e.g. in distributed server environments
|
||||||
|
* using the DTLS Connection ID feature, in which connections
|
||||||
|
* might need to be passed between service instances on a change
|
||||||
|
* of peer address, but where such disruptive operations should
|
||||||
|
* only happen after the validity of incoming records has been
|
||||||
|
* confirmed.
|
||||||
|
*
|
||||||
|
* \param ssl The SSL context to use.
|
||||||
|
* \param buf The address of the buffer holding the record to be checked.
|
||||||
|
* This must be an R/W buffer of length \p buflen Bytes.
|
||||||
|
* \param buflen The length of \p buf in Bytes.
|
||||||
|
*
|
||||||
|
* \note This routine only checks whether the provided buffer begins
|
||||||
|
* with a valid, fresh and authentic record, but does not check
|
||||||
|
* potential data following the initial record. In particular,
|
||||||
|
* it is possible to pass DTLS datagrams containing records,
|
||||||
|
* in which case only the first record is checked.
|
||||||
|
*
|
||||||
|
* \note This function modifies the input buffer \p buf. If you need
|
||||||
|
* to preserve the original record, you have to maintain a copy.
|
||||||
|
*
|
||||||
|
* \return \c 0 if the record is valid, fresh (DTLS only) and authentic.
|
||||||
|
* \return MBEDTLS_ERR_SSL_INVALID_MAC if the check completed
|
||||||
|
* successfully but the record was found to be not authentic.
|
||||||
|
* \return MBEDTLS_ERR_SSL_INVALID_RECORD if the check completed
|
||||||
|
* successfully but the record was found to be invalid for
|
||||||
|
* a reason different from authenticity checking.
|
||||||
|
* \return MBEDTLS_ERR_SSL_UNEXPECTED_RECORD if the check completed
|
||||||
|
* successfully but the record was found to be unexpected
|
||||||
|
* in the state of the SSL context, including replayed records.
|
||||||
|
* \return Another negative error code on different kinds of failure.
|
||||||
|
* In this case, the SSL context becomes unusable and needs
|
||||||
|
* to be freed or reset before reuse.
|
||||||
|
*/
|
||||||
|
int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
|
||||||
|
unsigned char *buf,
|
||||||
|
size_t buflen );
|
||||||
|
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
|
||||||
|
|
||||||
#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \
|
#if !defined(MBEDTLS_SSL_CONF_SET_TIMER) && \
|
||||||
!defined(MBEDTLS_SSL_CONF_GET_TIMER)
|
!defined(MBEDTLS_SSL_CONF_GET_TIMER)
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -122,6 +122,18 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
|
||||||
mbedtls_ssl_transform *transform );
|
mbedtls_ssl_transform *transform );
|
||||||
static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
|
static void ssl_update_in_pointers( mbedtls_ssl_context *ssl );
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
|
||||||
|
int mbedtls_ssl_check_record( mbedtls_ssl_context const *ssl,
|
||||||
|
unsigned char *buf,
|
||||||
|
size_t buflen )
|
||||||
|
{
|
||||||
|
((void) ssl);
|
||||||
|
((void) buf);
|
||||||
|
((void) buflen);
|
||||||
|
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
|
||||||
|
|
||||||
#define SSL_DONT_FORCE_FLUSH 0
|
#define SSL_DONT_FORCE_FLUSH 0
|
||||||
#define SSL_FORCE_FLUSH 1
|
#define SSL_FORCE_FLUSH 1
|
||||||
|
|
||||||
|
|
|
@ -1210,6 +1210,14 @@ int query_config( const char *config )
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
|
#endif /* MBEDTLS_SSL_ALL_ALERT_MESSAGES */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_RECORD_CHECKING)
|
||||||
|
if( strcmp( "MBEDTLS_SSL_RECORD_CHECKING", config ) == 0 )
|
||||||
|
{
|
||||||
|
MACRO_EXPANSION_TO_STR( MBEDTLS_SSL_RECORD_CHECKING );
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
#endif /* MBEDTLS_SSL_RECORD_CHECKING */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
|
||||||
if( strcmp( "MBEDTLS_SSL_DTLS_CONNECTION_ID", config ) == 0 )
|
if( strcmp( "MBEDTLS_SSL_DTLS_CONNECTION_ID", config ) == 0 )
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue