mirror of
https://github.com/yuzu-emu/mbedtls.git
synced 2024-12-25 02:45:32 +00:00
Introduce getter function for max/min SSL version
This is a first step towards hardcoding ssl->{major|minor}_ver in configurations which accept only a single version.
This commit is contained in:
parent
3fa1ee567c
commit
2881d80138
|
@ -960,6 +960,16 @@ int mbedtls_ssl_check_sig_hash( const mbedtls_ssl_context *ssl,
|
||||||
mbedtls_md_type_t md );
|
mbedtls_md_type_t md );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_get_minor_ver( mbedtls_ssl_context const *ssl )
|
||||||
|
{
|
||||||
|
return( ssl->minor_ver );
|
||||||
|
}
|
||||||
|
|
||||||
|
static inline int mbedtls_ssl_get_major_ver( mbedtls_ssl_context const *ssl )
|
||||||
|
{
|
||||||
|
return( ssl->major_ver );
|
||||||
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
|
static inline mbedtls_pk_context *mbedtls_ssl_own_key( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
|
|
|
@ -1333,7 +1333,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||||
size_t len )
|
size_t len )
|
||||||
{
|
{
|
||||||
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
||||||
len != 0 )
|
len != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching encrypt-then-MAC extension" ) );
|
||||||
|
@ -1357,7 +1357,7 @@ static int ssl_parse_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||||
{
|
{
|
||||||
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
if( mbedtls_ssl_conf_get_ems( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ||
|
||||||
len != 0 )
|
len != 0 )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "non-matching extended master secret extension" ) );
|
||||||
|
@ -1901,8 +1901,8 @@ static int ssl_parse_server_hello( mbedtls_ssl_context *ssl )
|
||||||
ciphersuite_info )
|
ciphersuite_info )
|
||||||
{
|
{
|
||||||
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
if( ssl_validate_ciphersuite( ciphersuite_info, ssl,
|
||||||
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ),
|
||||||
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) ) != 0 )
|
||||||
{
|
{
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
@ -1929,7 +1929,7 @@ server_picked_valid_suite:
|
||||||
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
#if defined(MBEDTLS_SSL__ECP_RESTARTABLE)
|
||||||
if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
|
if( mbedtls_ssl_suite_get_key_exchange( server_suite_info ) ==
|
||||||
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA &&
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
ssl->handshake->ecrs_enabled = 1;
|
ssl->handshake->ecrs_enabled = 1;
|
||||||
}
|
}
|
||||||
|
@ -1943,14 +1943,15 @@ server_picked_valid_suite:
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
ssl->session_negotiate->compression = comp;
|
ssl->session_negotiate->compression = comp;
|
||||||
|
|
||||||
ext = buf + 40 + n;
|
ext = buf + 40 + n;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d", ext_len ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "server hello, total extension length: %d",
|
||||||
|
ext_len ) );
|
||||||
|
|
||||||
while( ext_len )
|
while( ext_len )
|
||||||
{
|
{
|
||||||
|
@ -1963,7 +1964,7 @@ server_picked_valid_suite:
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
|
||||||
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
mbedtls_ssl_send_alert_message( ssl, MBEDTLS_SSL_ALERT_LEVEL_FATAL,
|
||||||
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2358,7 +2359,7 @@ static int ssl_write_encrypted_pms( mbedtls_ssl_context *ssl,
|
||||||
size_t pms_offset )
|
size_t pms_offset )
|
||||||
{
|
{
|
||||||
int ret;
|
int ret;
|
||||||
size_t len_bytes = ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
|
size_t len_bytes = mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ? 0 : 2;
|
||||||
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
unsigned char *p = ssl->handshake->premaster + pms_offset;
|
||||||
mbedtls_pk_context *peer_pk = NULL;
|
mbedtls_pk_context *peer_pk = NULL;
|
||||||
|
|
||||||
|
@ -2475,7 +2476,7 @@ static int ssl_parse_signature_algorithm( mbedtls_ssl_context *ssl,
|
||||||
*pk_alg = MBEDTLS_PK_NONE;
|
*pk_alg = MBEDTLS_PK_NONE;
|
||||||
|
|
||||||
/* Only in TLS 1.2 */
|
/* Only in TLS 1.2 */
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
@ -2802,7 +2803,7 @@ start_processing:
|
||||||
* Handle the digitally-signed structure
|
* Handle the digitally-signed structure
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
if( ssl_parse_signature_algorithm( ssl, &p, end,
|
if( ssl_parse_signature_algorithm( ssl, &p, end,
|
||||||
&md_alg, &pk_alg ) != 0 )
|
&md_alg, &pk_alg ) != 0 )
|
||||||
|
@ -2825,7 +2826,7 @@ start_processing:
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
pk_alg = mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||||
|
|
||||||
|
@ -3097,7 +3098,7 @@ static int ssl_parse_certificate_request( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
/* supported_signature_algorithms */
|
/* supported_signature_algorithms */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
size_t sig_alg_len = ( ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 1 + n] << 8 )
|
||||||
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
| ( buf[mbedtls_ssl_hs_hdr_len( ssl ) + 2 + n] ) );
|
||||||
|
@ -3590,7 +3591,7 @@ sign:
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* digitally-signed struct {
|
* digitally-signed struct {
|
||||||
|
@ -3620,7 +3621,7 @@ sign:
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 || \
|
||||||
MBEDTLS_SSL_PROTO_TLS1_1 */
|
MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* digitally-signed struct {
|
* digitally-signed struct {
|
||||||
|
|
|
@ -536,7 +536,7 @@ static int ssl_parse_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||||
((void) buf);
|
((void) buf);
|
||||||
|
|
||||||
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
|
if( ssl->conf->encrypt_then_mac == MBEDTLS_SSL_ETM_ENABLED &&
|
||||||
ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
|
ssl->session_negotiate->encrypt_then_mac = MBEDTLS_SSL_ETM_ENABLED;
|
||||||
}
|
}
|
||||||
|
@ -864,7 +864,7 @@ static int ssl_pick_cert( mbedtls_ssl_context *ssl,
|
||||||
* present them a SHA-higher cert rather than failing if it's the only
|
* present them a SHA-higher cert rather than failing if it's the only
|
||||||
* one we got that satisfies the other conditions.
|
* one we got that satisfies the other conditions.
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
mbedtls_md_type_t sig_md;
|
mbedtls_md_type_t sig_md;
|
||||||
{
|
{
|
||||||
|
@ -930,8 +930,10 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl,
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "trying ciphersuite: %s",
|
||||||
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
mbedtls_ssl_suite_get_name( suite_info ) ) );
|
||||||
|
|
||||||
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info ) > ssl->minor_ver ||
|
if( mbedtls_ssl_suite_get_min_minor_ver( suite_info )
|
||||||
mbedtls_ssl_suite_get_max_minor_ver( suite_info ) < ssl->minor_ver )
|
> mbedtls_ssl_get_minor_ver( ssl ) ||
|
||||||
|
mbedtls_ssl_suite_get_max_minor_ver( suite_info )
|
||||||
|
< mbedtls_ssl_get_minor_ver( ssl ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: version" ) );
|
||||||
return( 0 );
|
return( 0 );
|
||||||
|
@ -993,7 +995,7 @@ static int ssl_ciphersuite_is_match( mbedtls_ssl_context *ssl,
|
||||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
/* If the ciphersuite requires signing, check whether
|
/* If the ciphersuite requires signing, check whether
|
||||||
* a suitable hash algorithm is present. */
|
* a suitable hash algorithm is present. */
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
|
sig_type = mbedtls_ssl_get_ciphersuite_sig_alg( suite_info );
|
||||||
if( sig_type != MBEDTLS_PK_NONE &&
|
if( sig_type != MBEDTLS_PK_NONE &&
|
||||||
|
@ -1094,11 +1096,12 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
||||||
( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
( buf[4] <= mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
? buf[4] : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
|
? buf[4] : mbedtls_ssl_conf_get_max_minor_ver( ssl->conf );
|
||||||
|
|
||||||
if( ssl->minor_ver < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "client only supports ssl smaller than minimum"
|
||||||
" [%d:%d] < [%d:%d]",
|
" [%d:%d] < [%d:%d]",
|
||||||
ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_get_major_ver( ssl ),
|
||||||
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
|
mbedtls_ssl_conf_get_min_major_ver( ssl->conf ),
|
||||||
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
|
mbedtls_ssl_conf_get_min_minor_ver( ssl->conf ) ) );
|
||||||
|
|
||||||
|
@ -1215,7 +1218,7 @@ static int ssl_parse_client_hello_v2( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
||||||
|
|
||||||
if( ssl->minor_ver <
|
if( mbedtls_ssl_get_minor_ver( ssl ) <
|
||||||
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
||||||
|
@ -1804,7 +1807,8 @@ read_record_header:
|
||||||
|
|
||||||
/* Do not parse the extensions if the protocol is SSLv3 */
|
/* Do not parse the extensions if the protocol is SSLv3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) ||
|
||||||
|
( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
|
||||||
{
|
{
|
||||||
#endif
|
#endif
|
||||||
/*
|
/*
|
||||||
|
@ -2030,7 +2034,7 @@ read_record_header:
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received FALLBACK_SCSV" ) );
|
||||||
|
|
||||||
if( ssl->minor_ver <
|
if( mbedtls_ssl_get_minor_ver( ssl ) <
|
||||||
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
mbedtls_ssl_conf_get_max_minor_ver( ssl->conf ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
||||||
|
@ -2243,7 +2247,7 @@ have_ciphersuite:
|
||||||
#if defined(MBEDTLS_DEBUG_C) && \
|
#if defined(MBEDTLS_DEBUG_C) && \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
|
||||||
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
defined(MBEDTLS_KEY_EXCHANGE__WITH_CERT__ENABLED)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
|
mbedtls_pk_type_t sig_alg = mbedtls_ssl_get_ciphersuite_sig_alg(
|
||||||
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
|
mbedtls_ssl_handshake_get_ciphersuite( ssl->handshake ) );
|
||||||
|
@ -2351,7 +2355,7 @@ static void ssl_write_encrypt_then_mac_ext( mbedtls_ssl_context *ssl,
|
||||||
const mbedtls_cipher_info_t *cipher = NULL;
|
const mbedtls_cipher_info_t *cipher = NULL;
|
||||||
|
|
||||||
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
if( ssl->session_negotiate->encrypt_then_mac == MBEDTLS_SSL_ETM_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
return;
|
return;
|
||||||
|
@ -2401,7 +2405,7 @@ static void ssl_write_extended_ms_ext( mbedtls_ssl_context *ssl,
|
||||||
|
|
||||||
if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
|
if( mbedtls_ssl_hs_get_extended_ms( ssl->handshake )
|
||||||
== MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
== MBEDTLS_SSL_EXTENDED_MS_DISABLED ||
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
*olen = 0;
|
*olen = 0;
|
||||||
return;
|
return;
|
||||||
|
@ -2645,8 +2649,9 @@ static int ssl_write_hello_verify_request( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
/* The RFC is not clear on this point, but sending the actual negotiated
|
/* The RFC is not clear on this point, but sending the actual negotiated
|
||||||
* version looks like the most interoperable thing to do. */
|
* version looks like the most interoperable thing to do. */
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->transport, p );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
ssl->conf->transport, p );
|
||||||
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
|
MBEDTLS_SSL_DEBUG_BUF( 3, "server version", p, 2 );
|
||||||
p += 2;
|
p += 2;
|
||||||
|
|
||||||
|
@ -2738,8 +2743,9 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
||||||
buf = ssl->out_msg;
|
buf = ssl->out_msg;
|
||||||
p = buf + 4;
|
p = buf + 4;
|
||||||
|
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->transport, p );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
ssl->conf->transport, p );
|
||||||
p += 2;
|
p += 2;
|
||||||
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen version: [%d:%d]",
|
||||||
|
@ -2867,7 +2873,7 @@ static int ssl_write_server_hello( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
/* Do not write the extensions if the protocol is SSLv3 */
|
/* Do not write the extensions if the protocol is SSLv3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ( ssl->major_ver != 3 ) || ( ssl->minor_ver != 0 ) )
|
if( ( mbedtls_ssl_get_major_ver( ssl ) != 3 ) || ( mbedtls_ssl_get_minor_ver( ssl ) != 0 ) )
|
||||||
{
|
{
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -3049,7 +3055,7 @@ static int ssl_write_certificate_request( mbedtls_ssl_context *ssl )
|
||||||
* enum { (255) } HashAlgorithm;
|
* enum { (255) } HashAlgorithm;
|
||||||
* enum { (255) } SignatureAlgorithm;
|
* enum { (255) } SignatureAlgorithm;
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
const int *cur;
|
const int *cur;
|
||||||
|
|
||||||
|
@ -3407,7 +3413,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
mbedtls_pk_type_t sig_alg =
|
mbedtls_pk_type_t sig_alg =
|
||||||
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
mbedtls_ssl_get_ciphersuite_sig_pk_alg( ciphersuite_info );
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/* A: For TLS 1.2, obey signature-hash-algorithm extension
|
/* A: For TLS 1.2, obey signature-hash-algorithm extension
|
||||||
* (RFC 5246, Sec. 7.4.1.4.1). */
|
* (RFC 5246, Sec. 7.4.1.4.1). */
|
||||||
|
@ -3483,7 +3489,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl,
|
||||||
* 2.3: Compute and add the signature
|
* 2.3: Compute and add the signature
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* For TLS 1.2, we need to specify signature and hash algorithm
|
* For TLS 1.2, we need to specify signature and hash algorithm
|
||||||
|
@ -3787,7 +3793,7 @@ static int ssl_decrypt_encrypted_pms( mbedtls_ssl_context *ssl,
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
{
|
{
|
||||||
if( len < 2 )
|
if( len < 2 )
|
||||||
|
@ -4407,7 +4413,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
||||||
*/
|
*/
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
md_alg = MBEDTLS_MD_NONE;
|
md_alg = MBEDTLS_MD_NONE;
|
||||||
hashlen = 36;
|
hashlen = 36;
|
||||||
|
@ -4424,7 +4430,7 @@ static int ssl_parse_certificate_verify( mbedtls_ssl_context *ssl )
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 || MBEDTLS_SSL_PROTO_TLS1 ||
|
||||||
MBEDTLS_SSL_PROTO_TLS1_1 */
|
MBEDTLS_SSL_PROTO_TLS1_1 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
{
|
{
|
||||||
if( i + 2 > ssl->in_hslen )
|
if( i + 2 > ssl->in_hslen )
|
||||||
{
|
{
|
||||||
|
|
|
@ -1347,7 +1347,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
/* Set PRF, calc_verify and calc_finished function pointers */
|
/* Set PRF, calc_verify and calc_finished function pointers */
|
||||||
ret = ssl_set_handshake_prfs( ssl->handshake,
|
ret = ssl_set_handshake_prfs( ssl->handshake,
|
||||||
ssl->minor_ver,
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
{
|
||||||
|
@ -1393,7 +1393,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
||||||
#endif
|
#endif
|
||||||
ssl->handshake->tls_prf,
|
ssl->handshake->tls_prf,
|
||||||
ssl->handshake->randbytes,
|
ssl->handshake->randbytes,
|
||||||
ssl->minor_ver,
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
|
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
|
||||||
ssl );
|
ssl );
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
|
@ -3736,7 +3736,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
/* In SSLv3, the client might send a NoCertificate alert. */
|
/* In SSLv3, the client might send a NoCertificate alert. */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
|
||||||
if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
if( ! ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||||
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
||||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_IS_CLIENT ) )
|
MBEDTLS_SSL_IS_CLIENT ) )
|
||||||
|
@ -3926,8 +3926,9 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
|
||||||
/* Skip writing the record content type to after the encryption,
|
/* Skip writing the record content type to after the encryption,
|
||||||
* as it may change when using the CID extension. */
|
* as it may change when using the CID extension. */
|
||||||
|
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
ssl->conf->transport, ssl->out_hdr + 1 );
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
|
ssl->conf->transport, ssl->out_hdr + 1 );
|
||||||
|
|
||||||
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
|
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
|
||||||
ssl->out_len[0] = (unsigned char)( len >> 8 );
|
ssl->out_len[0] = (unsigned char)( len >> 8 );
|
||||||
|
@ -3944,7 +3945,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
|
||||||
rec.data_offset = ssl->out_msg - rec.buf;
|
rec.data_offset = ssl->out_msg - rec.buf;
|
||||||
|
|
||||||
memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
|
memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
ssl->conf->transport, rec.ver );
|
ssl->conf->transport, rec.ver );
|
||||||
rec.type = ssl->out_msgtype;
|
rec.type = ssl->out_msgtype;
|
||||||
|
|
||||||
|
@ -4699,7 +4701,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check version */
|
/* Check version */
|
||||||
if( major_ver != ssl->major_ver )
|
if( major_ver != mbedtls_ssl_get_major_ver( ssl ) )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
|
||||||
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
|
||||||
|
@ -4830,7 +4832,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||||
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
|
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
|
||||||
|
@ -4842,7 +4844,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
|
||||||
/*
|
/*
|
||||||
* TLS encrypted messages can have up to 256 bytes of padding
|
* TLS encrypted messages can have up to 256 bytes of padding
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
|
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 &&
|
||||||
ssl->in_msglen > ssl->transform_in->minlen +
|
ssl->in_msglen > ssl->transform_in->minlen +
|
||||||
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
|
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
|
||||||
{
|
{
|
||||||
|
@ -4896,7 +4898,8 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
||||||
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
|
||||||
|
|
||||||
memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
|
memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
|
||||||
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
|
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
|
||||||
|
mbedtls_ssl_get_minor_ver( ssl ),
|
||||||
ssl->conf->transport, rec.ver );
|
ssl->conf->transport, rec.ver );
|
||||||
rec.type = ssl->in_msgtype;
|
rec.type = ssl->in_msgtype;
|
||||||
if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
|
if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
|
||||||
|
@ -4962,7 +4965,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
|
||||||
else if( ssl->in_msglen == 0 )
|
else if( ssl->in_msglen == 0 )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3
|
||||||
&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
|
&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
|
||||||
{
|
{
|
||||||
/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
|
/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
|
||||||
|
@ -5955,7 +5958,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
|
||||||
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
|
||||||
MBEDTLS_SSL_IS_SERVER &&
|
MBEDTLS_SSL_IS_SERVER &&
|
||||||
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
|
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
|
||||||
|
@ -6143,7 +6146,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
|
||||||
* (otherwise an empty Certificate message will be sent).
|
* (otherwise an empty Certificate message will be sent).
|
||||||
*/
|
*/
|
||||||
if( mbedtls_ssl_own_cert( ssl ) == NULL &&
|
if( mbedtls_ssl_own_cert( ssl ) == NULL &&
|
||||||
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
ssl->out_msglen = 2;
|
ssl->out_msglen = 2;
|
||||||
ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
|
ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
|
||||||
|
@ -6435,7 +6438,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
|
||||||
/*
|
/*
|
||||||
* Check if the client sent an empty certificate
|
* Check if the client sent an empty certificate
|
||||||
*/
|
*/
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
if( ssl->in_msglen == 2 &&
|
if( ssl->in_msglen == 2 &&
|
||||||
ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
|
||||||
|
@ -6987,7 +6990,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
defined(MBEDTLS_SSL_PROTO_TLS1_1)
|
||||||
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
|
ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
|
@ -7420,7 +7423,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
|
||||||
* ciphersuite does this (and this is unlikely to change as activity has
|
* ciphersuite does this (and this is unlikely to change as activity has
|
||||||
* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
|
* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
|
||||||
*/
|
*/
|
||||||
hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
|
hash_len = ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||||
ssl->verify_data_len = hash_len;
|
ssl->verify_data_len = hash_len;
|
||||||
|
@ -7567,7 +7570,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
|
||||||
|
|
||||||
/* There is currently no ciphersuite using another length with TLS 1.2 */
|
/* There is currently no ciphersuite using another length with TLS 1.2 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
hash_len = 36;
|
hash_len = 36;
|
||||||
else
|
else
|
||||||
#endif
|
#endif
|
||||||
|
@ -7835,7 +7838,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
|
||||||
|
|
||||||
/* Adjust out_msg to make space for explicit IV, if used. */
|
/* Adjust out_msg to make space for explicit IV, if used. */
|
||||||
if( transform != NULL &&
|
if( transform != NULL &&
|
||||||
ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
{
|
{
|
||||||
ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
|
ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
|
||||||
}
|
}
|
||||||
|
@ -9012,7 +9015,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
||||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||||
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
|
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
|
||||||
{
|
{
|
||||||
switch( ssl->minor_ver )
|
switch( mbedtls_ssl_get_minor_ver( ssl ) )
|
||||||
{
|
{
|
||||||
case MBEDTLS_SSL_MINOR_VERSION_2:
|
case MBEDTLS_SSL_MINOR_VERSION_2:
|
||||||
return( "DTLSv1.0" );
|
return( "DTLSv1.0" );
|
||||||
|
@ -9028,7 +9031,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
|
||||||
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
#endif /* MBEDTLS_SSL_PROTO_DTLS */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
#if defined(MBEDTLS_SSL_PROTO_TLS)
|
||||||
{
|
{
|
||||||
switch( ssl->minor_ver )
|
switch( mbedtls_ssl_get_minor_ver( ssl ) )
|
||||||
{
|
{
|
||||||
case MBEDTLS_SSL_MINOR_VERSION_0:
|
case MBEDTLS_SSL_MINOR_VERSION_0:
|
||||||
return( "SSLv3.0" );
|
return( "SSLv3.0" );
|
||||||
|
@ -9090,7 +9093,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
|
||||||
/* For TLS 1.1 or higher, an explicit IV is added
|
/* For TLS 1.1 or higher, an explicit IV is added
|
||||||
* after the record header. */
|
* after the record header. */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
|
||||||
transform_expansion += block_size;
|
transform_expansion += block_size;
|
||||||
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
|
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
|
||||||
|
|
||||||
|
@ -10214,7 +10217,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
#if defined(MBEDTLS_SSL_PROTO_SSL3)
|
||||||
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
|
||||||
{
|
{
|
||||||
/* SSLv3 does not have a "no_renegotiation" warning, so
|
/* SSLv3 does not have a "no_renegotiation" warning, so
|
||||||
we send a fatal alert and abort the connection. */
|
we send a fatal alert and abort the connection. */
|
||||||
|
@ -10226,7 +10229,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
|
||||||
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
|
||||||
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 )
|
||||||
{
|
{
|
||||||
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
|
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
|
||||||
MBEDTLS_SSL_ALERT_LEVEL_WARNING,
|
MBEDTLS_SSL_ALERT_LEVEL_WARNING,
|
||||||
|
@ -10435,7 +10438,7 @@ static int ssl_write_split( mbedtls_ssl_context *ssl,
|
||||||
if( ssl->conf->cbc_record_splitting ==
|
if( ssl->conf->cbc_record_splitting ==
|
||||||
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
|
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
|
||||||
len <= 1 ||
|
len <= 1 ||
|
||||||
ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
|
mbedtls_ssl_get_minor_ver( ssl ) > MBEDTLS_SSL_MINOR_VERSION_1 ||
|
||||||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
|
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
|
||||||
!= MBEDTLS_MODE_CBC )
|
!= MBEDTLS_MODE_CBC )
|
||||||
{
|
{
|
||||||
|
@ -11473,7 +11476,7 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport,
|
||||||
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
|
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
|
||||||
{
|
{
|
||||||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
|
||||||
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
|
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
|
||||||
return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
|
return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
|
||||||
|
|
||||||
switch( md )
|
switch( md )
|
||||||
|
|
Loading…
Reference in a new issue