cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-11-04 04:32:24 -05:00
Code Issues Packages Projects Releases Wiki Activity

Fix define for ssl_conf_curves()

Browse Source 
This is a security feature, it shouldn't be optional.
This commit is contained in:
Manuel Pégourié-Gonnard 2015-06-17 11:43:30 +02:00
parent 6e3ee3ad43
commit b541da6ef3
9 changed files with 14 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/mbedtls/compat-1.3.h
View File

@ -585,9 +585,6 @@
#if defined MBEDTLS_SSL_SESSION_TICKETS #if defined MBEDTLS_SSL_SESSION_TICKETS
#define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS #define POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
#endif #endif
#if defined MBEDTLS_SSL_SET_CURVES
#define POLARSSL_SSL_SET_CURVES MBEDTLS_SSL_SET_CURVES
#endif
#if defined MBEDTLS_SSL_SRV_C #if defined MBEDTLS_SSL_SRV_C
#define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C #define POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
#endif #endif

14
include/mbedtls/config.h
View File

@ -1154,20 +1154,6 @@
*/ */
#define MBEDTLS_SSL_TRUNCATED_HMAC #define MBEDTLS_SSL_TRUNCATED_HMAC
/**
* \def MBEDTLS_SSL_SET_CURVES
*
* Enable mbedtls_ssl_conf_curves().
*
* This is disabled by default since it breaks binary compatibility with the
* 1.3.x line. If you choose to enable it, you will need to rebuild your
* application against the new header files, relinking will not be enough.
* It will be enabled by default, or no longer an option, in the 1.4 branch.
*
* Uncomment to make mbedtls_ssl_conf_curves() available.
*/
//#define MBEDTLS_SSL_SET_CURVES
/** /**
* \def MBEDTLS_THREADING_ALT * \def MBEDTLS_THREADING_ALT
* *

6
include/mbedtls/ssl.h
View File

@ -535,7 +535,7 @@ struct mbedtls_ssl_config
mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */ mbedtls_x509_crl *ca_crl; /*!< trusted CAs CRLs */
#endif /* MBEDTLS_X509_CRT_PARSE_C */ #endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */ const mbedtls_ecp_group_id *curve_list; /*!< allowed curves */
#endif #endif
@ -1504,7 +1504,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
unsigned int bitlen ); unsigned int bitlen );
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
/** /**
* \brief Set the allowed curves in order of preference. * \brief Set the allowed curves in order of preference.
* (Default: all defined curves.) * (Default: all defined curves.)
@ -1524,7 +1524,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
* terminated by MBEDTLS_ECP_DP_NONE. * terminated by MBEDTLS_ECP_DP_NONE.
*/ */
void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves ); void mbedtls_ssl_conf_curves( mbedtls_ssl_config *conf, const mbedtls_ecp_group_id *curves );
#endif /* MBEDTLS_SSL_SET_CURVES */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
/** /**

2
include/mbedtls/ssl_internal.h
View File

@ -375,7 +375,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig( unsigned char sig );
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash ); mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash );
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id ); int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp_group_id grp_id );
#endif #endif

6
library/ssl_cli.c
View File

@ -255,7 +255,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
unsigned char *elliptic_curve_list = p + 6; unsigned char *elliptic_curve_list = p + 6;
size_t elliptic_curve_len = 0; size_t elliptic_curve_len = 0;
const mbedtls_ecp_curve_info *info; const mbedtls_ecp_curve_info *info;
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_group_id *grp_id; const mbedtls_ecp_group_id *grp_id;
#else #else
((void) ssl); ((void) ssl);
@ -265,7 +265,7 @@ static void ssl_write_supported_elliptic_curves_ext( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding supported_elliptic_curves extension" ) );
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ ) for( grp_id = ssl->conf->curve_list; *grp_id != MBEDTLS_ECP_DP_NONE; grp_id++ )
{ {
info = mbedtls_ecp_curve_info_from_grp_id( *grp_id ); info = mbedtls_ecp_curve_info_from_grp_id( *grp_id );
@ -1683,7 +1683,7 @@ static int ssl_check_server_ecdh_params( const mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "ECDH curve: %s", curve_info->name ) );
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
if( ! mbedtls_ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) ) if( ! mbedtls_ssl_curve_is_acceptable( ssl, ssl->handshake->ecdh_ctx.grp.id ) )
#else #else
if( ssl->handshake->ecdh_ctx.grp.nbits < 163 || if( ssl->handshake->ecdh_ctx.grp.nbits < 163 ||

2
library/ssl_srv.c
View File

@ -2641,7 +2641,7 @@ static int ssl_write_server_key_exchange( mbedtls_ssl_context *ssl )
* } ServerECDHParams; * } ServerECDHParams;
*/ */
const mbedtls_ecp_curve_info **curve = NULL; const mbedtls_ecp_curve_info **curve = NULL;
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
const mbedtls_ecp_group_id *gid; const mbedtls_ecp_group_id *gid;
/* Match our preference list against the offered curves */ /* Match our preference list against the offered curves */

12
library/ssl_tls.c
View File

@ -4081,7 +4081,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
* Secondary checks: always done, but change 'ret' only if it was 0 * Secondary checks: always done, but change 'ret' only if it was 0
*/ */
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
{ {
const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk; const mbedtls_pk_context *pk = &ssl->session_negotiate->peer_cert->pk;
@ -4094,7 +4094,7 @@ int mbedtls_ssl_parse_certificate( mbedtls_ssl_context *ssl )
ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE; ret = MBEDTLS_ERR_SSL_BAD_HS_CERTIFICATE;
} }
} }
#endif /* MBEDTLS_SSL_SET_CURVES */ #endif /* MBEDTLS_ECP_C */
if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert, if( mbedtls_ssl_check_cert_usage( ssl->session_negotiate->peer_cert,
ciphersuite_info, ciphersuite_info,
@ -5478,7 +5478,7 @@ void mbedtls_ssl_conf_dhm_min_bitlen( mbedtls_ssl_config *conf,
} }
#endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */ #endif /* MBEDTLS_DHM_C && MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
/* /*
* Set the allowed elliptic curves * Set the allowed elliptic curves
*/ */
@ -6665,7 +6665,7 @@ int mbedtls_ssl_config_defaults( mbedtls_ssl_config *conf,
conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED; conf->cbc_record_splitting = MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED;
#endif #endif
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
conf->curve_list = mbedtls_ecp_grp_id_list( ); conf->curve_list = mbedtls_ecp_grp_id_list( );
#endif #endif
@ -6804,7 +6804,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash( unsigned char hash )
} }
} }
#if defined(MBEDTLS_SSL_SET_CURVES) #if defined(MBEDTLS_ECP_C)
/* /*
* Check is a curve proposed by the peer is in our list. * Check is a curve proposed by the peer is in our list.
* Return 1 if we're willing to use it, 0 otherwise. * Return 1 if we're willing to use it, 0 otherwise.
@ -6819,7 +6819,7 @@ int mbedtls_ssl_curve_is_acceptable( const mbedtls_ssl_context *ssl, mbedtls_ecp
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_SSL_SET_CURVES */ #endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_X509_CRT_PARSE_C) #if defined(MBEDTLS_X509_CRT_PARSE_C)
int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert, int mbedtls_ssl_check_cert_usage( const mbedtls_x509_crt *cert,

3
library/version_features.c
View File

@ -385,9 +385,6 @@ static const char *features[] = {
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
"MBEDTLS_SSL_TRUNCATED_HMAC", "MBEDTLS_SSL_TRUNCATED_HMAC",
#endif /* MBEDTLS_SSL_TRUNCATED_HMAC */ #endif /* MBEDTLS_SSL_TRUNCATED_HMAC */
#if defined(MBEDTLS_SSL_SET_CURVES)
"MBEDTLS_SSL_SET_CURVES",
#endif /* MBEDTLS_SSL_SET_CURVES */
#if defined(MBEDTLS_THREADING_ALT) #if defined(MBEDTLS_THREADING_ALT)
"MBEDTLS_THREADING_ALT", "MBEDTLS_THREADING_ALT",
#endif /* MBEDTLS_THREADING_ALT */ #endif /* MBEDTLS_THREADING_ALT */

1
scripts/data_files/rename-1.3-2.0.txt
View File

@ -881,7 +881,6 @@ POLARSSL_SSL_PROTO_TLS1_2 MBEDTLS_SSL_PROTO_TLS1_2
POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION POLARSSL_SSL_RENEGOTIATION MBEDTLS_SSL_RENEGOTIATION
POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION POLARSSL_SSL_SERVER_NAME_INDICATION MBEDTLS_SSL_SERVER_NAME_INDICATION
POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS POLARSSL_SSL_SESSION_TICKETS MBEDTLS_SSL_SESSION_TICKETS
POLARSSL_SSL_SET_CURVES MBEDTLS_SSL_SET_CURVES
POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C POLARSSL_SSL_SRV_C MBEDTLS_SSL_SRV_C
POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE MBEDTLS_SSL_SRV_RESPECT_CLIENT_PREFERENCE
POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO POLARSSL_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO MBEDTLS_SSL_SRV_SUPPORT_SSLV2_CLIENT_HELLO