eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Introduce getter function for max/min SSL version

Browse source 
This is a first step towards hardcoding ssl->{major|minor}_ver
in configurations which accept only a single version.
This commit is contained in:
Hanno Becker 2019-05-22 14:44:53 +01:00
parent 3fa1ee567c
commit 2881d80138
4 changed files with 84 additions and 64 deletions
Download patch file Download diff file Expand all files Collapse all files

53
library/ssl_tls.c
View file

@ -1347,7 +1347,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
/* Set PRF, calc_verify and calc_finished function pointers */
ret = ssl_set_handshake_prfs( ssl->handshake,
ssl->minor_ver,
mbedtls_ssl_get_minor_ver( ssl ),
mbedtls_ssl_suite_get_mac( ciphersuite_info ) );
if( ret != 0 )
{
@ -1393,7 +1393,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
#endif
ssl->handshake->tls_prf,
ssl->handshake->randbytes,
ssl->minor_ver,
mbedtls_ssl_get_minor_ver( ssl ),
mbedtls_ssl_conf_get_endpoint( ssl->conf ),
ssl );
if( ret != 0 )
@ -3736,7 +3736,7 @@ int mbedtls_ssl_write_handshake_msg( mbedtls_ssl_context *ssl )
{
/* In SSLv3, the client might send a NoCertificate alert. */
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_CLI_C)
if( ! ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
if( ! ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->out_msgtype == MBEDTLS_SSL_MSG_ALERT &&
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_CLIENT ) )
@ -3926,8 +3926,9 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
/* Skip writing the record content type to after the encryption,
* as it may change when using the CID extension. */
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
ssl->conf->transport, ssl->out_hdr + 1 );
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
mbedtls_ssl_get_minor_ver( ssl ),
ssl->conf->transport, ssl->out_hdr + 1 );
memcpy( ssl->out_ctr, ssl->cur_out_ctr, 8 );
ssl->out_len[0] = (unsigned char)( len >> 8 );
@ -3944,7 +3945,8 @@ int mbedtls_ssl_write_record( mbedtls_ssl_context *ssl, uint8_t force_flush )
rec.data_offset = ssl->out_msg - rec.buf;
memcpy( &rec.ctr[0], ssl->out_ctr, 8 );
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
mbedtls_ssl_get_minor_ver( ssl ),
ssl->conf->transport, rec.ver );
rec.type = ssl->out_msgtype;
@ -4699,7 +4701,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
}
/* Check version */
if( major_ver != ssl->major_ver )
if( major_ver != mbedtls_ssl_get_major_ver( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "major version mismatch" ) );
return( MBEDTLS_ERR_SSL_INVALID_RECORD );
@ -4830,7 +4832,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
}
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
ssl->in_msglen > ssl->transform_in->minlen + MBEDTLS_SSL_IN_CONTENT_LEN )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad message length" ) );
@ -4842,7 +4844,7 @@ static int ssl_parse_record_header( mbedtls_ssl_context *ssl )
/*
* TLS encrypted messages can have up to 256 bytes of padding
*/
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 &&
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 &&
ssl->in_msglen > ssl->transform_in->minlen +
MBEDTLS_SSL_IN_CONTENT_LEN + 256 )
{
@ -4896,7 +4898,8 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
memcpy( &rec.ctr[0], ssl->in_ctr, 8 );
mbedtls_ssl_write_version( ssl->major_ver, ssl->minor_ver,
mbedtls_ssl_write_version( mbedtls_ssl_get_major_ver( ssl ),
mbedtls_ssl_get_minor_ver( ssl ),
ssl->conf->transport, rec.ver );
rec.type = ssl->in_msgtype;
if( ( ret = mbedtls_ssl_decrypt_buf( ssl, ssl->transform_in,
@ -4962,7 +4965,7 @@ static int ssl_prepare_record_content( mbedtls_ssl_context *ssl )
else if( ssl->in_msglen == 0 )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_3
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_3
&& ssl->in_msgtype != MBEDTLS_SSL_MSG_APPLICATION_DATA )
{
/* TLS v1.2 explicitly disallows zero-length messages which are not application data */
@ -5955,7 +5958,7 @@ int mbedtls_ssl_handle_message_type( mbedtls_ssl_context *ssl )
#endif
#if defined(MBEDTLS_SSL_PROTO_SSL3) && defined(MBEDTLS_SSL_SRV_C)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 &&
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 &&
mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
MBEDTLS_SSL_IS_SERVER &&
ssl->in_msg[0] == MBEDTLS_SSL_ALERT_LEVEL_WARNING &&
@ -6143,7 +6146,7 @@ int mbedtls_ssl_write_certificate( mbedtls_ssl_context *ssl )
* (otherwise an empty Certificate message will be sent).
*/
if( mbedtls_ssl_own_cert( ssl ) == NULL &&
ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
ssl->out_msglen = 2;
ssl->out_msgtype = MBEDTLS_SSL_MSG_ALERT;
@ -6435,7 +6438,7 @@ static int ssl_srv_check_client_no_crt_notification( mbedtls_ssl_context *ssl )
/*
* Check if the client sent an empty certificate
*/
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
if( ssl->in_msglen == 2 &&
ssl->in_msgtype == MBEDTLS_SSL_MSG_ALERT &&
@ -6987,7 +6990,7 @@ void mbedtls_ssl_optimize_checksum( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_PROTO_SSL3) || defined(MBEDTLS_SSL_PROTO_TLS1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_1)
if( ssl->minor_ver < MBEDTLS_SSL_MINOR_VERSION_3 )
if( mbedtls_ssl_get_minor_ver( ssl ) < MBEDTLS_SSL_MINOR_VERSION_3 )
ssl->handshake->update_checksum = ssl_update_checksum_md5sha1;
else
#endif
@ -7420,7 +7423,7 @@ int mbedtls_ssl_write_finished( mbedtls_ssl_context *ssl )
* ciphersuite does this (and this is unlikely to change as activity has
* moved to TLS 1.3 now) so we can keep the hardcoded 12 here.
*/
hash_len = ( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
hash_len = ( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 ) ? 36 : 12;
#if defined(MBEDTLS_SSL_RENEGOTIATION)
ssl->verify_data_len = hash_len;
@ -7567,7 +7570,7 @@ int mbedtls_ssl_parse_finished( mbedtls_ssl_context *ssl )
/* There is currently no ciphersuite using another length with TLS 1.2 */
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
hash_len = 36;
else
#endif
@ -7835,7 +7838,7 @@ static void ssl_update_out_pointers( mbedtls_ssl_context *ssl,
/* Adjust out_msg to make space for explicit IV, if used. */
if( transform != NULL &&
ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
{
ssl->out_msg = ssl->out_iv + transform->ivlen - transform->fixed_ivlen;
}
@ -9012,7 +9015,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
{
switch( ssl->minor_ver )
switch( mbedtls_ssl_get_minor_ver( ssl ) )
{
case MBEDTLS_SSL_MINOR_VERSION_2:
return( "DTLSv1.0" );
@ -9028,7 +9031,7 @@ const char *mbedtls_ssl_get_version( const mbedtls_ssl_context *ssl )
#endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_SSL_PROTO_TLS)
{
switch( ssl->minor_ver )
switch( mbedtls_ssl_get_minor_ver( ssl ) )
{
case MBEDTLS_SSL_MINOR_VERSION_0:
return( "SSLv3.0" );
@ -9090,7 +9093,7 @@ int mbedtls_ssl_get_record_expansion( const mbedtls_ssl_context *ssl )
/* For TLS 1.1 or higher, an explicit IV is added
* after the record header. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_1) || defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_2 )
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_2 )
transform_expansion += block_size;
#endif /* MBEDTLS_SSL_PROTO_TLS1_1 || MBEDTLS_SSL_PROTO_TLS1_2 */
@ -10214,7 +10217,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "refusing renegotiation, sending alert" ) );
#if defined(MBEDTLS_SSL_PROTO_SSL3)
if( ssl->minor_ver == MBEDTLS_SSL_MINOR_VERSION_0 )
if( mbedtls_ssl_get_minor_ver( ssl ) == MBEDTLS_SSL_MINOR_VERSION_0 )
{
/* SSLv3 does not have a "no_renegotiation" warning, so
we send a fatal alert and abort the connection. */
@ -10226,7 +10229,7 @@ int mbedtls_ssl_read( mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
#endif /* MBEDTLS_SSL_PROTO_SSL3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1) || defined(MBEDTLS_SSL_PROTO_TLS1_1) || \
defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver >= MBEDTLS_SSL_MINOR_VERSION_1 )
if( mbedtls_ssl_get_minor_ver( ssl ) >= MBEDTLS_SSL_MINOR_VERSION_1 )
{
if( ( ret = mbedtls_ssl_send_alert_message( ssl,
MBEDTLS_SSL_ALERT_LEVEL_WARNING,
@ -10435,7 +10438,7 @@ static int ssl_write_split( mbedtls_ssl_context *ssl,
if( ssl->conf->cbc_record_splitting ==
MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ||
len <= 1 ||
ssl->minor_ver > MBEDTLS_SSL_MINOR_VERSION_1 ||
mbedtls_ssl_get_minor_ver( ssl ) > MBEDTLS_SSL_MINOR_VERSION_1 ||
mbedtls_cipher_get_cipher_mode( &ssl->transform_out->cipher_ctx_enc )
!= MBEDTLS_MODE_CBC )
{
@ -11473,7 +11476,7 @@ void mbedtls_ssl_read_version( int *major, int *minor, int transport,
int mbedtls_ssl_set_calc_verify_md( mbedtls_ssl_context *ssl, int md )
{
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->minor_ver != MBEDTLS_SSL_MINOR_VERSION_3 )
if( mbedtls_ssl_get_minor_ver( ssl ) != MBEDTLS_SSL_MINOR_VERSION_3 )
return MBEDTLS_ERR_SSL_INVALID_VERIFY_HASH;
switch( md )