yuzu/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-emu/mbedtls.git synced 2024-10-18 13:11:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add server extension parsing

Browse source 
Only accept EC J-PAKE ciphersuite if extension was present and OK (single flag
for both), and ignore extension if we have no password.
This commit is contained in:
Manuel Pégourié-Gonnard 2015-09-16 15:04:01 +02:00
parent e511b4e7cb
commit bf57be690e
3 changed files with 57 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
include/mbedtls/ssl_internal.h
View file

@ -150,6 +150,7 @@
* of state of the renegotiation flag, so no indicator is required)
*/
#define MBEDTLS_TLS_EXT_SUPPORTED_POINT_FORMATS_PRESENT (1 << 0)
#define MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK (1 << 1)
#ifdef __cplusplus
extern "C" {

43
library/ssl_srv.c
View file

@ -318,6 +318,33 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl,
}
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl,
const unsigned char *buf,
size_t len )
{
int ret;
if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) );
return( 0 );
}
if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx,
buf, len ) ) != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_read_round_one", ret );
return( ret );
}
/* Only mark the extension as OK when we're sure it is */
ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK;
return( 0 );
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
static int ssl_parse_max_fragment_length_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
@ -709,10 +736,10 @@ static int ssl_ciphersuite_match( mbedtls_ssl_context *ssl, int suite_id,
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE &&
mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 )
( ssl->handshake->cli_exts & MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK ) == 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: "
"ecjpake not configured" ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "ciphersuite mismatch: ecjpake "
"not configured or ext missing" ) );
return( 0 );
}
#endif
@ -1571,6 +1598,16 @@ read_record_header:
break;
#endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
case MBEDTLS_TLS_EXT_ECJPAKE_KKPP:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found ecjpake kkpp extension" ) );
ret = ssl_parse_ecjpake_kkpp( ssl, ext + 4, ext_size );
if( ret != 0 )
return( ret );
break;
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
case MBEDTLS_TLS_EXT_MAX_FRAGMENT_LENGTH:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found max fragment length extension" ) );

16
tests/ssl-opt.sh
View file

@ -2507,6 +2507,8 @@ run_test "ECJPAKE: client not configured" \
0 \
-C "add ciphersuite: c0ff" \
-C "adding ecjpake_kkpp extension" \
-S "found ecjpake kkpp extension" \
-S "skip ecjpake kkpp extension" \
-S "ciphersuite mismatch: ecjpake not configured" \
-S "None of the common ciphersuites is usable"
@ -2517,9 +2519,23 @@ run_test "ECJPAKE: server not configured" \
1 \
-c "add ciphersuite: c0ff" \
-c "adding ecjpake_kkpp extension" \
-s "found ecjpake kkpp extension" \
-s "skip ecjpake kkpp extension" \
-s "ciphersuite mismatch: ecjpake not configured" \
-s "None of the common ciphersuites is usable"
run_test "ECJPAKE: working, TLS" \
"$P_SRV debug_level=3 ecjpake_pw=bla" \
"$P_CLI debug_level=3 ecjpake_pw=bla \
force_ciphersuite=TLS-ECJPAKE-WITH-AES-128-CCM-8" \
1 \
-c "add ciphersuite: c0ff" \
-c "adding ecjpake_kkpp extension" \
-s "found ecjpake kkpp extension" \
-S "skip ecjpake kkpp extension" \
-S "ciphersuite mismatch: ecjpake not configured" \
-S "None of the common ciphersuites is usable"
# Tests for ciphersuites per version
run_test "Per-version suites: SSL3" \