cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Ability to specify allowed ciphersuites based on the protocol version.

Browse Source 
The ciphersuites parameter in the ssl_session structure changed from
'int *' to 'int *[4]'.

The new function ssl_set_ciphersuite_for_version() sets specific entries
inside this array. ssl_set_ciphersuite() sets all entries to the same
value.
(cherry picked from commit a62729888b9d8eafbfa952fca63a04100ed90f69)

Conflicts:
	ChangeLog
	library/ssl_srv.c
	library/ssl_tls.c
This commit is contained in:
Paul Bakker 2013-04-15 15:09:54 +02:00
parent eff2e6d414
commit 8f4ddaeea9
5 changed files with 63 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ChangeLog
View File

@ -6,6 +6,7 @@ Features
* Elliptic Curve Diffie Hellman module added * Elliptic Curve Diffie Hellman module added
* Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS
(ECDHE-based ciphersuites) (ECDHE-based ciphersuites)
* Ability to specify allowed ciphersuites based on the protocol version.
Changes Changes
* Introduced separate SSL Ciphersuites module that is based on * Introduced separate SSL Ciphersuites module that is based on

20
include/polarssl/ssl.h
View File

@ -476,7 +476,7 @@ struct _ssl_context
int verify_result; /*!< verification result */ int verify_result; /*!< verification result */
int disable_renegotiation; /*!< enable/disable renegotiation */ int disable_renegotiation; /*!< enable/disable renegotiation */
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */ int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
const int *ciphersuites; /*!< allowed ciphersuites */ const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
mpi dhm_P; /*!< prime modulus for DHM */ mpi dhm_P; /*!< prime modulus for DHM */
@ -706,12 +706,30 @@ void ssl_set_session( ssl_context *ssl, const ssl_session *session );
/** /**
* \brief Set the list of allowed ciphersuites * \brief Set the list of allowed ciphersuites
* (Overrides all version specific lists)
* *
* \param ssl SSL context * \param ssl SSL context
* \param ciphersuites 0-terminated list of allowed ciphersuites * \param ciphersuites 0-terminated list of allowed ciphersuites
*/ */
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites ); void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites );
/**
* \brief Set the list of allowed ciphersuites for a specific
* version of the protocol.
* (Only useful on the server side)
*
* \param ssl SSL context
* \param ciphersuites 0-terminated list of allowed ciphersuites
* \param major Major version number (only SSL_MAJOR_VERSION_3
* supported)
* \param minor Minor version number (SSL_MINOR_VERSION_0,
* SSL_MINOR_VERSION_1 and SSL_MINOR_VERSION_2,
* SSL_MINOR_VERSION_3 supported)
*/
void ssl_set_ciphersuites_for_version( ssl_context *ssl,
const int *ciphersuites,
int major, int minor );
/** /**
* \brief Set the data required to verify peer certificate * \brief Set the data required to verify peer certificate
* *

19
library/ssl_cli.c
View File

@ -255,6 +255,7 @@ static int ssl_write_client_hello( ssl_context *ssl )
unsigned char *buf; unsigned char *buf;
unsigned char *p; unsigned char *p;
time_t t; time_t t;
const int *ciphersuites;
SSL_DEBUG_MSG( 2, ( "=> write client hello" ) ); SSL_DEBUG_MSG( 2, ( "=> write client hello" ) );
@ -327,7 +328,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) ); SSL_DEBUG_MSG( 3, ( "client hello, session id len.: %d", n ) );
SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n ); SSL_DEBUG_BUF( 3, "client hello, session id", buf + 39, n );
for( n = 0; ssl->ciphersuites[n] != 0; n++ ); ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
for( n = 0; ciphersuites[n] != 0; n++ );
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++; if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE ) n++;
*p++ = (unsigned char)( n >> 7 ); *p++ = (unsigned char)( n >> 7 );
*p++ = (unsigned char)( n << 1 ); *p++ = (unsigned char)( n << 1 );
@ -347,10 +349,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
for( i = 0; i < n; i++ ) for( i = 0; i < n; i++ )
{ {
SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d", SSL_DEBUG_MSG( 3, ( "client hello, add ciphersuite: %2d",
ssl->ciphersuites[i] ) ); ciphersuites[i] ) );
*p++ = (unsigned char)( ssl->ciphersuites[i] >> 8 ); *p++ = (unsigned char)( ciphersuites[i] >> 8 );
*p++ = (unsigned char)( ssl->ciphersuites[i] ); *p++ = (unsigned char)( ciphersuites[i] );
} }
#if defined(POLARSSL_ZLIB_SUPPORT) #if defined(POLARSSL_ZLIB_SUPPORT)
@ -571,7 +573,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
if( ssl->transform_negotiate->ciphersuite_info == NULL ) if( ssl->transform_negotiate->ciphersuite_info == NULL )
{ {
SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found", SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
ssl->ciphersuites[i] ) ); ssl->ciphersuite_list[ssl->minor_ver][i] ) );
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
} }
@ -616,15 +618,18 @@ static int ssl_parse_server_hello( ssl_context *ssl )
i = 0; i = 0;
while( 1 ) while( 1 )
{ {
if( ssl->ciphersuites[i] == 0 ) if( ssl->ciphersuite_list[ssl->minor_ver][i] == 0 )
{ {
SSL_DEBUG_MSG( 1, ( "bad server hello message" ) ); SSL_DEBUG_MSG( 1, ( "bad server hello message" ) );
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO ); return( POLARSSL_ERR_SSL_BAD_HS_SERVER_HELLO );
} }
if( ssl->ciphersuites[i++] == ssl->session_negotiate->ciphersuite ) if( ssl->ciphersuite_list[ssl->minor_ver][i++] ==
ssl->session_negotiate->ciphersuite )
{
break; break;
} }
}
if( comp != SSL_COMPRESS_NULL if( comp != SSL_COMPRESS_NULL
#if defined(POLARSSL_ZLIB_SUPPORT) #if defined(POLARSSL_ZLIB_SUPPORT)

24
library/ssl_srv.c
View File

@ -271,6 +271,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
size_t n; size_t n;
unsigned int ciph_len, sess_len, chal_len; unsigned int ciph_len, sess_len, chal_len;
unsigned char *buf, *p; unsigned char *buf, *p;
const int *ciphersuites;
SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) ); SSL_DEBUG_MSG( 2, ( "=> parse client hello v2" ) );
@ -431,7 +432,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
} }
} }
for( i = 0; ssl->ciphersuites[i] != 0; i++ ) ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
for( i = 0; ciphersuites[i] != 0; i++ )
{ {
for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 ) for( j = 0, p = buf + 6; j < ciph_len; j += 3, p += 3 )
{ {
@ -439,8 +441,8 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
// //
if( p[0] == 0 && if( p[0] == 0 &&
p[1] == 0 && p[1] == 0 &&
( ( ssl->ciphersuites[i] >> 8 ) & 0xFF ) == 0 && ( ( ciphersuites[i] >> 8 ) & 0xFF ) == 0 &&
p[2] == ( ssl->ciphersuites[i] & 0xFF ) ) p[2] == ( ciphersuites[i] & 0xFF ) )
goto have_ciphersuite_v2; goto have_ciphersuite_v2;
} }
} }
@ -450,7 +452,7 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
have_ciphersuite_v2: have_ciphersuite_v2:
ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i]; ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );
/* /*
@ -487,6 +489,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
unsigned char *buf, *p, *ext; unsigned char *buf, *p, *ext;
int renegotiation_info_seen = 0; int renegotiation_info_seen = 0;
int handshake_failure = 0; int handshake_failure = 0;
const int *ciphersuites;
const ssl_ciphersuite_t *ciphersuite_info; const ssl_ciphersuite_t *ciphersuite_info;
SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) ); SSL_DEBUG_MSG( 2, ( "=> parse client hello" ) );
@ -836,20 +839,21 @@ static int ssl_parse_client_hello( ssl_context *ssl )
* Search for a matching ciphersuite * Search for a matching ciphersuite
* (At the end because we need information from the EC-based extensions) * (At the end because we need information from the EC-based extensions)
*/ */
for( i = 0; ssl->ciphersuites[i] != 0; i++ ) ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
for( i = 0; ciphersuites[i] != 0; i++ )
{ {
for( j = 0, p = buf + 41 + sess_len; j < ciph_len; for( j = 0, p = buf + 41 + sess_len; j < ciph_len;
j += 2, p += 2 ) j += 2, p += 2 )
{ {
if( p[0] == ( ( ssl->ciphersuites[i] >> 8 ) & 0xFF ) && if( p[0] == ( ( ciphersuites[i] >> 8 ) & 0xFF ) &&
p[1] == ( ( ssl->ciphersuites[i] ) & 0xFF ) ) p[1] == ( ( ciphersuites[i] ) & 0xFF ) )
{ {
ciphersuite_info = ssl_ciphersuite_from_id( ssl->ciphersuites[i] ); ciphersuite_info = ssl_ciphersuite_from_id( ciphersuites[i] );
if( ciphersuite_info == NULL ) if( ciphersuite_info == NULL )
{ {
SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found", SSL_DEBUG_MSG( 1, ( "ciphersuite info for %02x not found",
ssl->ciphersuites[i] ) ); ciphersuites[i] ) );
return( POLARSSL_ERR_SSL_BAD_INPUT_DATA ); return( POLARSSL_ERR_SSL_BAD_INPUT_DATA );
} }
@ -870,7 +874,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN ); return( POLARSSL_ERR_SSL_NO_CIPHER_CHOSEN );
have_ciphersuite: have_ciphersuite:
ssl->session_negotiate->ciphersuite = ssl->ciphersuites[i]; ssl->session_negotiate->ciphersuite = ciphersuites[i];
ssl->transform_negotiate->ciphersuite_info = ciphersuite_info; ssl->transform_negotiate->ciphersuite_info = ciphersuite_info;
ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info ); ssl_optimize_checksum( ssl, ssl->transform_negotiate->ciphersuite_info );

19
library/ssl_tls.c
View File

@ -2677,7 +2677,7 @@ int ssl_init( ssl_context *ssl )
ssl->min_major_ver = SSL_MAJOR_VERSION_3; ssl->min_major_ver = SSL_MAJOR_VERSION_3;
ssl->min_minor_ver = SSL_MINOR_VERSION_0; ssl->min_minor_ver = SSL_MINOR_VERSION_0;
ssl->ciphersuites = ssl_list_ciphersuites(); ssl_set_ciphersuites( ssl, ssl_list_ciphersuites() );
#if defined(POLARSSL_DHM_C) #if defined(POLARSSL_DHM_C)
if( ( ret = mpi_read_string( &ssl->dhm_P, 16, if( ( ret = mpi_read_string( &ssl->dhm_P, 16,
@ -2862,7 +2862,22 @@ void ssl_set_session( ssl_context *ssl, const ssl_session *session )
void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites ) void ssl_set_ciphersuites( ssl_context *ssl, const int *ciphersuites )
{ {
ssl->ciphersuites = ciphersuites; ssl->ciphersuite_list[SSL_MINOR_VERSION_0] = ciphersuites;
ssl->ciphersuite_list[SSL_MINOR_VERSION_1] = ciphersuites;
ssl->ciphersuite_list[SSL_MINOR_VERSION_2] = ciphersuites;
ssl->ciphersuite_list[SSL_MINOR_VERSION_3] = ciphersuites;
}
void ssl_set_ciphersuites_for_version( ssl_context *ssl, const int *ciphersuites,
int major, int minor )
{
if( major != SSL_MAJOR_VERSION_3 )
return;
if( minor < SSL_MINOR_VERSION_0 || minor > SSL_MINOR_VERSION_3 )
return;
ssl->ciphersuite_list[minor] = ciphersuites;
} }
void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain, void ssl_set_ca_chain( ssl_context *ssl, x509_cert *ca_chain,