yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2025-06-01 14:40:30 +00:00
Code Issues Packages Projects Releases Wiki Activity

Ability to specify allowed ciphersuites based on the protocol version.

Browse source 
The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int **' and is now malloced in ssl_init() and freed in
ssl_free().

The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
This commit is contained in:
Paul Bakker 2013-04-12 13:13:43 +02:00
parent d4c5944212
commit a62729888b
5 changed files with 54 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ChangeLog
View file

@ -1,6 +1,9 @@
PolarSSL ChangeLog PolarSSL ChangeLog
= Branch 1.2 = Branch 1.2
Features
* Ability to specify allowed ciphersuites based on the protocol version.
Bugfix Bugfix
* Fix for MPI assembly for ARM * Fix for MPI assembly for ARM

20
include/polarssl/ssl.h
View file

@ -491,7 +491,7 @@ struct _ssl_context
int verify_result; /*!< verification result */ int verify_result; /*!< verification result */
int disable_renegotiation; /*!< enable/disable renegotiation */ int disable_renegotiation; /*!< enable/disable renegotiation */
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuites; /*!< allowed ciphersuites */ const int **ciphersuites; /*!< allowed ciphersuites / version */
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
mpi dhm_P; /*!< prime modulus for DHM */ mpi dhm_P; /*!< prime modulus for DHM */
@ -718,12 +718,30 @@ void ssl_set_session( ssl_context *ssl, const ssl_session *session );
/** /**
* \brief Set the list of allowed ciphersuites * \brief Set the list of allowed ciphersuites
* (Overrides all version specific lists)
* *
* \param ssl SSL context * \param ssl SSL context
* \param ciphersuites 0-terminated list of allowed ciphersuites * \param ciphersuites 0-terminated list of allowed ciphersuites
*/ */
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites ); void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
/**
* \brief Set the list of allowed ciphersuites for a specific
* version of the protocol.
* (Only useful on the server side)
*
* \param ssl SSL context
* \param ciphersuites 0-terminated list of allowed ciphersuites
* \param major Major version number (only SSL_MAJOR_VERSION_3
* supported)
* \param minor Minor version number (SSL_MINOR_VERSION_0,
* SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
* SSL_MINOR_VERSION_3 supported)
*/
void ssl_set_ciphersuites_for_version( ssl_context *ssl,
const int *ciphersuites,
int major, int minor );
/** /**
* \brief Set the data required to verify peer certificate * \brief Set the data required to verify peer certificate
* *

12
library/ssl_cli.c
View file

@ -119,7 +119,7 @@ static int ssl_write_client_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
for( n = 0; ssl->ciphersuites[n] != 0; n++ ); for( n = 0; ssl->ciphersuites[ssl->minor_ver][n] != 0; n++ );
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++; if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
*p++ = (unsigned char)( n >> 7 ); *p++ = (unsigned char)( n >> 7 );
*p++ = (unsigned char)( n << 1 ); *p++ = (unsigned char)( n << 1 );
@ -139,10 +139,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
for( i = 0; i < n; i++ ) for( i = 0; i < n; i++ )
{ {
SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
ssl->ciphersuites[i] ) ); ssl->ciphersuites[ssl->minor_ver][i] ) );
*p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 ); *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] >> 8 );
*p++ = (unsigned char)( ssl->ciphersuites[i] ); *p++ = (unsigned char)( ssl->ciphersuites[ssl->minor_ver][i] );
} }
#if defined(POLARSSL_ZLIB_SUPPORT) #if defined(POLARSSL_ZLIB_SUPPORT)
@ -515,13 +515,13 @@ static int ssl_parse_server_hello( ssl_context *ssl )
i = 0; i = 0;
while( 1 ) while( 1 )
{ {
if( ssl->ciphersuites[i] == 0 ) if( ssl->ciphersuites[ssl->minor_ver][i] == 0 )
{ {
SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
} }
if( ssl->ciphersuites[i++] == ssl->session_negotiate->ciphersuite ) if( ssl->ciphersuites[ssl->minor_ver][i++] == ssl->session_negotiate->ciphersuite )
break; break;
} }

12
library/ssl_srv.c
View file

@ -359,13 +359,13 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
} }
} }
for( i = 0; ssl->ciphersuites[i] != 0; i++ ) for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
{ {
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
{ {
if( p[0] == 0 && if( p[0] == 0 &&
p[1] == 0 && p[1] == 0 &&
p[2] == ssl->ciphersuites[i] ) p[2] == ssl->ciphersuites[ssl->minor_ver][i] )
goto have_ciphersuite_v2; goto have_ciphersuite_v2;
} }
} }
@ -375,7 +375,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
have_ciphersuite_v2: have_ciphersuite_v2:
ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i]; ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite ); ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite );
/* /*
@ -642,12 +642,12 @@ static int ssl_parse_client_hello( ssl_context *ssl )
/* /*
* Search for a matching ciphersuite * Search for a matching ciphersuite
*/ */
for( i = 0; ssl->ciphersuites[i] != 0; i++ ) for( i = 0; ssl->ciphersuites[ssl->minor_ver][i] != 0; i++ )
{ {
for( j = 0, p = buf + 41 + sess_len; j < ciph_len; for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
j += 2, p += 2 ) j += 2, p += 2 )
{ {
if( p[0] == 0 && p[1] == ssl->ciphersuites[i] ) if( p[0] == 0 && p[1] == ssl->ciphersuites[ssl->minor_ver][i] )
goto have_ciphersuite; goto have_ciphersuite;
} }
} }
@ -657,7 +657,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
have_ciphersuite: have_ciphersuite:
ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i]; ssl->session_negotiate->ciphersuite = ssl->ciphersuites[ssl->minor_ver][i];
ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite ); ssl_optimize_checksum( ssl, ssl->session_negotiate->ciphersuite );
ext = buf + 44 + sess_len + ciph_len + comp_len; ext = buf + 44 + sess_len + ciph_len + comp_len;

22
library/ssl_tls.c
View file

@ -2952,7 +2952,8 @@ int ssl_init( ssl_context *ssl )
ssl->min_major_ver = SSL_MAJOR_VERSION_3; ssl->min_major_ver = SSL_MAJOR_VERSION_3;
ssl->min_minor_ver = SSL_MINOR_VERSION_0; ssl->min_minor_ver = SSL_MINOR_VERSION_0;
ssl->ciphersuites = ssl_default_ciphersuites; ssl->ciphersuites = malloc( sizeof(int *) * 4 );
ssl_set_ciphersuites( ssl, ssl_default_ciphersuites );
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16, if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
@ -3133,7 +3134,22 @@ void ssl_set_session( ssl_context *ssl, const ssl_session *session )
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites ) void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
{ {
ssl->ciphersuites = ciphersuites; ssl->ciphersuites[SSL_MINOR_VERSION_0] = ciphersuites;
ssl->ciphersuites[SSL_MINOR_VERSION_1] = ciphersuites;
ssl->ciphersuites[SSL_MINOR_VERSION_2] = ciphersuites;
ssl->ciphersuites[SSL_MINOR_VERSION_3] = ciphersuites;
}
void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
int major, int minor )
{
if( major != SSL_MAJOR_VERSION_3 )
return;
if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
return;
ssl->ciphersuites[minor] = ciphersuites;
} }
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,
@ -3897,6 +3913,8 @@ void ssl_free( ssl_context *ssl )
{ {
SSL_DEBUG_MSG( 2, ( "=> free" ) ); SSL_DEBUG_MSG( 2, ( "=> free" ) );
free( ssl->ciphersuites );
if( ssl->out_ctr != NULL ) if( ssl->out_ctr != NULL )
{ {
memset( ssl->out_ctr, 0, SSL_BUFFER_LEN ); memset( ssl->out_ctr, 0, SSL_BUFFER_LEN );