cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-03 20:22:59 -05:00
Code Issues Packages Projects Releases Wiki Activity

Forbid sequence number wrapping

Browse Source
This commit is contained in:
Manuel Pégourié-Gonnard 2014-03-10 21:20:29 +01:00
parent 3c599f11b0
commit 83cdffc437
5 changed files with 19 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -19,6 +19,7 @@ Security
"triple handshake" attack when authentication mode is optional (the "triple handshake" attack when authentication mode is optional (the
attack was already impossible when authentication is required). attack was already impossible when authentication is required).
* Check notBefore timestamp of certificates and CRLs from the future. * Check notBefore timestamp of certificates and CRLs from the future.
* Forbid sequence number wrapping
Bugfix Bugfix
* ecp_gen_keypair() does more tries to prevent failure because of * ecp_gen_keypair() does more tries to prevent failure because of

2
include/polarssl/error.h
View File

@ -89,7 +89,7 @@
* ECP 4 7 (Started from top) * ECP 4 7 (Started from top)
* MD 5 4 * MD 5 4
* CIPHER 6 6 * CIPHER 6 6
* SSL 6 8 (Started from top) * SSL 6 9 (Started from top)
* SSL 7 31 * SSL 7 31
* *
* Module dependent error code (5 bits 0x.00.-0x.F8.) * Module dependent error code (5 bits 0x.00.-0x.F8.)

1
include/polarssl/ssl.h
View File

@ -139,6 +139,7 @@
#define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */ #define POLARSSL_ERR_SSL_PK_TYPE_MISMATCH -0x6D00 /**< Public key type mismatch (eg, asked for RSA key exchange and presented EC key) */
#define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 /**< Unkown identity received (eg, PSK identity) */ #define POLARSSL_ERR_SSL_UNKNOWN_IDENTITY -0x6C80 /**< Unkown identity received (eg, PSK identity) */
#define POLARSSL_ERR_SSL_INTERNAL_ERROR -0x6C00 /**< Internal error (eg, unexpected failure in lower-level module) */ #define POLARSSL_ERR_SSL_INTERNAL_ERROR -0x6C00 /**< Internal error (eg, unexpected failure in lower-level module) */
#define POLARSSL_ERR_SSL_COUNTER_WRAPPING -0x6B80 /**< A counter would wrap (eg, too many messages exchanged). */
/* /*
* Various constants * Various constants

2
library/error.c
View File

@ -433,6 +433,8 @@ void polarssl_strerror( int ret, char *buf, size_t buflen )
snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" ); snprintf( buf, buflen, "SSL - Unkown identity received (eg, PSK identity)" );
if( use_ret == -(POLARSSL_ERR_SSL_INTERNAL_ERROR) ) if( use_ret == -(POLARSSL_ERR_SSL_INTERNAL_ERROR) )
snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" ); snprintf( buf, buflen, "SSL - Internal error (eg, unexpected failure in lower-level module)" );
if( use_ret == -(POLARSSL_ERR_SSL_COUNTER_WRAPPING) )
snprintf( buf, buflen, "SSL - A counter would wrap (eg, too many messages exchanged)" );
#endif /* POLARSSL_SSL_TLS_C */ #endif /* POLARSSL_SSL_TLS_C */
#if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C) #if defined(POLARSSL_X509_USE_C) || defined(POLARSSL_X509_CREATE_C)

14
library/ssl_tls.c
View File

@ -1309,6 +1309,13 @@ static int ssl_encrypt_buf( ssl_context *ssl )
if( ++ssl->out_ctr[i - 1] != 0 ) if( ++ssl->out_ctr[i - 1] != 0 )
break; break;
/* The loops goes to its end iff the counter is wrapping */
if( i == 0 )
{
SSL_DEBUG_MSG( 1, ( "outgoing message counter would wrap" ) );
return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
}
SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) ); SSL_DEBUG_MSG( 2, ( "<= encrypt buf" ) );
return( 0 ); return( 0 );
@ -1775,6 +1782,13 @@ static int ssl_decrypt_buf( ssl_context *ssl )
if( ++ssl->in_ctr[i - 1] != 0 ) if( ++ssl->in_ctr[i - 1] != 0 )
break; break;
/* The loops goes to its end iff the counter is wrapping */
if( i == 0 )
{
SSL_DEBUG_MSG( 1, ( "incoming message counter would wrap" ) );
return( POLARSSL_ERR_SSL_COUNTER_WRAPPING );
}
SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) ); SSL_DEBUG_MSG( 2, ( "<= decrypt buf" ) );
return( 0 ); return( 0 );