mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-25 12:18:54 +00:00
Implement FALLBACK_SCSV server-side
This commit is contained in:
parent
1cbd39dbeb
commit
01b2699198
3 changed files with 87 additions and 0 deletions
|
@ -369,6 +369,7 @@
|
|||
#define SSL_ALERT_MSG_PROTOCOL_VERSION 70 /* 0x46 */
|
||||
#define SSL_ALERT_MSG_INSUFFICIENT_SECURITY 71 /* 0x47 */
|
||||
#define SSL_ALERT_MSG_INTERNAL_ERROR 80 /* 0x50 */
|
||||
#define SSL_ALERT_MSG_INAPROPRIATE_FALLBACK 86 /* 0x56 */
|
||||
#define SSL_ALERT_MSG_USER_CANCELED 90 /* 0x5A */
|
||||
#define SSL_ALERT_MSG_NO_RENEGOTIATION 100 /* 0x64 */
|
||||
#define SSL_ALERT_MSG_UNSUPPORTED_EXT 110 /* 0x6E */
|
||||
|
|
|
@ -1052,6 +1052,30 @@ static int ssl_parse_client_hello_v2( ssl_context *ssl )
|
|||
}
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_SSL_FALLBACK_SCSV)
|
||||
for( i = 0, p = buf + 6; i < ciph_len; i += 3, p += 3 )
|
||||
{
|
||||
if( p[0] == 0 &&
|
||||
p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
|
||||
p[2] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) )
|
||||
{
|
||||
SSL_DEBUG_MSG( 3, ( "received FALLBACK_SCSV" ) );
|
||||
|
||||
if( ssl->minor_ver < ssl->max_minor_ver )
|
||||
{
|
||||
SSL_DEBUG_MSG( 1, ( "inapropriate fallback" ) );
|
||||
|
||||
ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
|
||||
SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
|
||||
|
||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif /* POLARSSL_SSL_FALLBACK_SCSV */
|
||||
|
||||
ciphersuites = ssl->ciphersuite_list[ssl->minor_ver];
|
||||
ciphersuite_info = NULL;
|
||||
#if defined(POLARSSL_SSL_SRV_RESPECT_CLIENT_PREFERENCE)
|
||||
|
@ -1365,6 +1389,29 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
|||
}
|
||||
}
|
||||
|
||||
#if defined(POLARSSL_SSL_FALLBACK_SCSV)
|
||||
for( i = 0, p = buf + 41 + sess_len; i < ciph_len; i += 2, p += 2 )
|
||||
{
|
||||
if( p[0] == (unsigned char)( ( SSL_FALLBACK_SCSV >> 8 ) & 0xff ) &&
|
||||
p[1] == (unsigned char)( ( SSL_FALLBACK_SCSV ) & 0xff ) )
|
||||
{
|
||||
SSL_DEBUG_MSG( 0, ( "received FALLBACK_SCSV" ) );
|
||||
|
||||
if( ssl->minor_ver < ssl->max_minor_ver )
|
||||
{
|
||||
SSL_DEBUG_MSG( 0, ( "inapropriate fallback" ) );
|
||||
|
||||
ssl_send_alert_message( ssl, SSL_ALERT_LEVEL_FATAL,
|
||||
SSL_ALERT_MSG_INAPROPRIATE_FALLBACK );
|
||||
|
||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
}
|
||||
#endif /* POLARSSL_SSL_FALLBACK_SCSV */
|
||||
|
||||
ext = buf + 44 + sess_len + ciph_len + comp_len;
|
||||
|
||||
while( ext_len )
|
||||
|
|
|
@ -447,6 +447,8 @@ run_test "Fallback SCSV: default" \
|
|||
"$P_CLI debug_level=3 force_version=tls1_1" \
|
||||
0 \
|
||||
-C "adding FALLBACK_SCSV" \
|
||||
-S "received FALLBACK_SCSV" \
|
||||
-S "inapropriate fallback" \
|
||||
-C "is a fatal alert message (msg 86)"
|
||||
|
||||
run_test "Fallback SCSV: explicitly disabled" \
|
||||
|
@ -454,13 +456,26 @@ run_test "Fallback SCSV: explicitly disabled" \
|
|||
"$P_CLI debug_level=3 force_version=tls1_1 fallback=0" \
|
||||
0 \
|
||||
-C "adding FALLBACK_SCSV" \
|
||||
-S "received FALLBACK_SCSV" \
|
||||
-S "inapropriate fallback" \
|
||||
-C "is a fatal alert message (msg 86)"
|
||||
|
||||
run_test "Fallback SCSV: enabled" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI debug_level=3 force_version=tls1_1 fallback=1" \
|
||||
1 \
|
||||
-c "adding FALLBACK_SCSV" \
|
||||
-s "received FALLBACK_SCSV" \
|
||||
-s "inapropriate fallback" \
|
||||
-c "is a fatal alert message (msg 86)"
|
||||
|
||||
run_test "Fallback SCSV: enabled, max version" \
|
||||
"$P_SRV" \
|
||||
"$P_CLI debug_level=3 fallback=1" \
|
||||
0 \
|
||||
-c "adding FALLBACK_SCSV" \
|
||||
-s "received FALLBACK_SCSV" \
|
||||
-S "inapropriate fallback" \
|
||||
-C "is a fatal alert message (msg 86)"
|
||||
|
||||
requires_openssl_with_fallback_scsv
|
||||
|
@ -479,6 +494,30 @@ run_test "Fallback SCSV: enabled, openssl server" \
|
|||
-c "adding FALLBACK_SCSV" \
|
||||
-c "is a fatal alert message (msg 86)"
|
||||
|
||||
requires_openssl_with_fallback_scsv
|
||||
run_test "Fallback SCSV: disabled, openssl client" \
|
||||
"$P_SRV" \
|
||||
"$O_CLI -tls1_1" \
|
||||
0 \
|
||||
-S "received FALLBACK_SCSV" \
|
||||
-S "inapropriate fallback"
|
||||
|
||||
requires_openssl_with_fallback_scsv
|
||||
run_test "Fallback SCSV: enabled, openssl client" \
|
||||
"$P_SRV" \
|
||||
"$O_CLI -tls1_1 -fallback_scsv" \
|
||||
1 \
|
||||
-s "received FALLBACK_SCSV" \
|
||||
-s "inapropriate fallback"
|
||||
|
||||
requires_openssl_with_fallback_scsv
|
||||
run_test "Fallback SCSV: enabled, max version, openssl client" \
|
||||
"$P_SRV" \
|
||||
"$O_CLI -fallback_scsv" \
|
||||
0 \
|
||||
-s "received FALLBACK_SCSV" \
|
||||
-S "inapropriate fallback"
|
||||
|
||||
# Tests for Session Tickets
|
||||
|
||||
run_test "Session resume using tickets: basic" \
|
||||
|
|
Loading…
Reference in a new issue