yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-01-30 17:10:59 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'development' into dtls

Browse source 
* development:
  Fix error code description.
  generate_errors.pl now errors on duplicate codes
  Avoid nested if's without braces.
  Move renego SCSV after actual ciphersuites
  Fix send_close_notify usage.
  Rename variable for clarity
  Improve script portability

Conflicts:
	library/ssl_srv.c
	programs/ssl/ssl_client2.c
	programs/ssl/ssl_server2.c
	tests/ssl-opt.sh
This commit is contained in:
Manuel Pégourié-Gonnard 2015-01-22 13:30:33 +00:00
parent 23eb74d8b5 11c919208d
commit 3a173f497b
8 changed files with 50 additions and 36 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
include/polarssl/ssl.h
View file

@ -124,7 +124,7 @@
#define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */ #define POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN -0x7380 /**< The server has no ciphersuites in common with the client. */
#define POLARSSL_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */ #define POLARSSL_ERR_SSL_NO_RNG -0x7400 /**< No RNG was provided to the SSL module. */
#define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */ #define POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE -0x7480 /**< No client certification received from the client, but required by the authentication mode. */
#define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message.*/ #define POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE -0x7500 /**< Our own certificate(s) is/are too large to send in an SSL message. */
#define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */ #define POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED -0x7580 /**< The own certificate is not set, but needed by the server. */
#define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */ #define POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED -0x7600 /**< The own private key or pre-shared key is not set, but needed. */
#define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */ #define POLARSSL_ERR_SSL_CA_CHAIN_REQUIRED -0x7680 /**< No CA Chain is set, but required to operate. */

2
library/error.c
View file

@ -386,7 +386,7 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) ) if( use_ret == -(POLARSSL_ERR_SSL_NO_CLIENT_CERTIFICATE) )
snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" ); snprintf( buf, buflen, "SSL - No client certification received from the client, but required by the authentication mode" );
if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) ) if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_TOO_LARGE) )
snprintf( buf, buflen, "SSL - DESCRIPTION MISSING" ); snprintf( buf, buflen, "SSL - Our own certificate(s) is/are too large to send in an SSL message" );
if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) ) if( use_ret == -(POLARSSL_ERR_SSL_CERTIFICATE_REQUIRED) )
snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" ); snprintf( buf, buflen, "SSL - The own certificate is not set, but needed by the server" );
if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) ) if( use_ret == -(POLARSSL_ERR_SSL_PRIVATE_KEY_REQUIRED) )

40
library/ssl_cli.c
View file

@ -635,16 +635,18 @@ static int ssl_write_client_hello( ssl_context *ssl )
*/ */
#if defined(POLARSSL_SSL_RENEGOTIATION) #if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
if( ssl->session_negotiate->ticket != NULL &&
ssl->session_negotiate->ticket_len != 0 )
{ {
ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 ); #endif
if( ssl->session_negotiate->ticket != NULL &&
ssl->session_negotiate->ticket_len != 0 )
{
ret = ssl->f_rng( ssl->p_rng, ssl->session_negotiate->id, 32 );
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
ssl->session_negotiate->length = n = 32; ssl->session_negotiate->length = n = 32;
}
} }
#endif /* POLARSSL_SSL_SESSION_TICKETS */ #endif /* POLARSSL_SSL_SESSION_TICKETS */
@ -691,18 +693,6 @@ static int ssl_write_client_hello( ssl_context *ssl )
q = p; q = p;
p += 2; p += 2;
/*
* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
{
*p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
*p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
n++;
}
for( i = 0; ciphersuites[i] != 0; i++ ) for( i = 0; ciphersuites[i] != 0; i++ )
{ {
ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] ); ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
@ -732,6 +722,18 @@ static int ssl_write_client_hello( ssl_context *ssl )
*p++ = (unsigned char)( ciphersuites[i] ); *p++ = (unsigned char)( ciphersuites[i] );
} }
/*
* Add TLS_EMPTY_RENEGOTIATION_INFO_SCSV
*/
#if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif
{
*p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO >> 8 );
*p++ = (unsigned char)( SSL_EMPTY_RENEGOTIATION_INFO );
n++;
}
/* Some versions of OpenSSL don't handle it correctly if not at end */ /* Some versions of OpenSSL don't handle it correctly if not at end */
#if defined(POLARSSL_SSL_FALLBACK_SCSV) #if defined(POLARSSL_SSL_FALLBACK_SCSV)
if( ssl->fallback == SSL_IS_FALLBACK ) if( ssl->fallback == SSL_IS_FALLBACK )

15
library/ssl_srv.c
View file

@ -1294,10 +1294,12 @@ read_record_header:
#if defined(POLARSSL_SSL_RENEGOTIATION) #if defined(POLARSSL_SSL_RENEGOTIATION)
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
#endif #endif
if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
{ {
SSL_DEBUG_RET( 1, "ssl_fetch_input", ret ); if( ( ret = ssl_fetch_input( ssl, 5 ) ) != 0 )
return( ret ); {
SSL_DEBUG_RET( 1, "ssl_fetch_input", ret );
return( ret );
}
} }
buf = ssl->in_hdr; buf = ssl->in_hdr;
@ -1351,8 +1353,11 @@ read_record_header:
/* For DTLS if this is the initial handshake, remember the client sequence /* For DTLS if this is the initial handshake, remember the client sequence
* number to use it in our next message (RFC 6347 4.2.1) */ * number to use it in our next message (RFC 6347 4.2.1) */
#if defined(POLARSSL_SSL_PROTO_DTLS) #if defined(POLARSSL_SSL_PROTO_DTLS)
if( ssl->transport == SSL_TRANSPORT_DATAGRAM && if( ssl->transport == SSL_TRANSPORT_DATAGRAM
ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) #if defined(POLARSSL_SSL_RENEGOTIATION)
&& ssl->renegotiation == SSL_INITIAL_HANDSHAKE
#endif
)
{ {
/* Epoch should be 0 for initial handshakes */ /* Epoch should be 0 for initial handshakes */
if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 ) if( ssl->in_ctr[0] != 0 || ssl->in_ctr[1] != 0 )

3
programs/ssl/ssl_client2.c
View file

@ -1487,8 +1487,7 @@ close_notify:
printf( " . Closing the connection..." ); printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */ /* No error checking, the connection might be closed already */
do do ret = ssl_close_notify( &ssl );
ret = ssl_close_notify( &ssl );
while( ret == POLARSSL_ERR_NET_WANT_WRITE ); while( ret == POLARSSL_ERR_NET_WANT_WRITE );
ret = 0; ret = 0;

11
programs/ssl/ssl_server2.c
View file

@ -687,7 +687,7 @@ void term_handler( int sig )
int main( int argc, char *argv[] ) int main( int argc, char *argv[] )
{ {
int ret = 0, len, written, frags, exchanges; int ret = 0, len, written, frags, exchanges_left;
int version_suites[4][2]; int version_suites[4][2];
unsigned char buf[IO_BUF_LEN]; unsigned char buf[IO_BUF_LEN];
#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED) #if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)
@ -1902,7 +1902,7 @@ reset:
if( opt.exchanges == 0 ) if( opt.exchanges == 0 )
goto close_notify; goto close_notify;
exchanges = opt.exchanges; exchanges_left = opt.exchanges;
data_exchange: data_exchange:
/* /*
* 6. Read the HTTP Request * 6. Read the HTTP Request
@ -2042,7 +2042,7 @@ data_exchange:
* (only on the first exchange, to be able to test retransmission) * (only on the first exchange, to be able to test retransmission)
*/ */
#if defined(POLARSSL_SSL_RENEGOTIATION) #if defined(POLARSSL_SSL_RENEGOTIATION)
if( opt.renegotiate && exchanges == opt.exchanges ) if( opt.renegotiate && exchanges_left == opt.exchanges )
{ {
printf( " . Requestion renegotiation..." ); printf( " . Requestion renegotiation..." );
fflush( stdout ); fflush( stdout );
@ -2115,7 +2115,7 @@ data_exchange:
/* /*
* 7b. Continue doing data exchanges? * 7b. Continue doing data exchanges?
*/ */
if( --exchanges > 0 ) if( --exchanges_left > 0 )
goto data_exchange; goto data_exchange;
/* /*
@ -2125,8 +2125,7 @@ close_notify:
printf( " . Closing the connection..." ); printf( " . Closing the connection..." );
/* No error checking, the connection might be closed already */ /* No error checking, the connection might be closed already */
do do ret = ssl_close_notify( &ssl );
ret = ssl_close_notify( &ssl );
while( ret == POLARSSL_ERR_NET_WANT_WRITE ); while( ret == POLARSSL_ERR_NET_WANT_WRITE );
ret = 0; ret = 0;

11
scripts/generate_errors.pl
View file

@ -56,13 +56,22 @@ my $hl_code_check = "";
my $headers = ""; my $headers = "";
my %error_codes_seen;
while (my $line = <GREP>) while (my $line = <GREP>)
{ {
next if ($line =~ /compat-1.2.h/); next if ($line =~ /compat-1.2.h/);
my ($error_name, $error_code) = $line =~ /(POLARSSL_ERR_\w+)\s+\-(0x\w+)/; my ($error_name, $error_code) = $line =~ /(POLARSSL_ERR_\w+)\s+\-(0x\w+)/;
my ($description) = $line =~ /\/\*\*< (.*?)\.? \*\//; my ($description) = $line =~ /\/\*\*< (.*?)\.? \*\//;
die "Duplicated error code: $error_code ($error_name)\n"
if( $error_codes_seen{$error_code}++ );
$description =~ s/\\/\\\\/g; $description =~ s/\\/\\\\/g;
$description = "DESCRIPTION MISSING" if ($description eq ""); if ($description eq "") {
$description = "DESCRIPTION MISSING";
warn "Missing description for $error_name\n";
}
my ($module_name) = $error_name =~ /^POLARSSL_ERR_([^_]+)/; my ($module_name) = $error_name =~ /^POLARSSL_ERR_([^_]+)/;

2
tests/ssl-opt.sh
View file

@ -495,7 +495,7 @@ CLI_DELAY_FACTOR=1
# Pick a "unique" server port in the range 10000-19999, and a proxy port # Pick a "unique" server port in the range 10000-19999, and a proxy port
PORT_BASE="0000$$" PORT_BASE="0000$$"
PORT_BASE="$( echo -n $PORT_BASE | tail -c 5 )" PORT_BASE="$( printf $PORT_BASE | tail -c 4 )"
SRV_PORT="1$PORT_BASE" SRV_PORT="1$PORT_BASE"
PXY_PORT="2$PORT_BASE" PXY_PORT="2$PORT_BASE"
unset PORT_BASE unset PORT_BASE