mirror of
https://github.com/yuzu-emu/mbedtls
synced 2024-11-24 14:18:10 +00:00
Made support for the truncated_hmac extension configurable
parent
05decb24c3
commit
1f2bc6238b
6 changed files with 45 additions and 1 deletions
|
@ -549,6 +549,15 @@
|
||||||
*/
|
*/
|
||||||
#define POLARSSL_SSL_SESSION_TICKETS
|
#define POLARSSL_SSL_SESSION_TICKETS
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def POLARSSL_SSL_TRUNCATED_HMAC
|
||||||
|
*
|
||||||
|
* Enable support for RFC 6066 truncated HMAC in SSL
|
||||||
|
*
|
||||||
|
* Comment this macro to disable support for truncated HMAC in SSL
|
||||||
|
*/
|
||||||
|
#define POLARSSL_SSL_TRUNCATED_HMAC
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
* \def POLARSSL_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION
|
||||||
*
|
*
|
||||||
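Review bot: The new `\def POLARSSL_SSL_TRUNCATED_HMAC` block does not say what enabling the option costs, even though the macro is defined by default. Per the ssl_derive_keys hunk in this commit, a negotiated truncation sets `transform->maclen` to `SSL_TRUNCATED_HMAC_LEN` instead of the full digest size, so the option shortens the record MAC. I would add a line such as `* When negotiated, the record MAC is cut to SSL_TRUNCATED_HMAC_LEN bytes; comment this macro out if shorter MACs are not acceptable.` so integrators can make that choice knowingly.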
|
|
|
@ -366,7 +366,9 @@ struct _ssl_session
|
||||||
unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */
|
unsigned char mfl_code; /*!< MaxFragmentLength negotiated by peer */
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
int trunc_hmac; /*!< flag for truncated hmac activation */
|
int trunc_hmac; /*!< flag for truncated hmac activation */
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
};
|
};
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -601,7 +603,9 @@ struct _ssl_context
|
||||||
int disable_renegotiation; /*!< enable/disable renegotiation */
|
int disable_renegotiation; /*!< enable/disable renegotiation */
|
||||||
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
int allow_legacy_renegotiation; /*!< allow legacy renegotiation */
|
||||||
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
const int *ciphersuite_list[4]; /*!< allowed ciphersuites / version */
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
int trunc_hmac; /*!< negotiate truncated hmac? */
|
int trunc_hmac; /*!< negotiate truncated hmac? */
|
||||||
|
#endif
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
int session_tickets; /*!< use session tickets? */
|
int session_tickets; /*!< use session tickets? */
|
||||||
int ticket_lifetime; /*!< session ticket lifetime */
|
int ticket_lifetime; /*!< session ticket lifetime */
|
||||||
|
@ -1049,6 +1053,7 @@ void ssl_set_min_version( ssl_context *ssl, int major, int minor );
|
||||||
int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
|
int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
/**
|
/**
|
||||||
* \brief Activate negotiation of truncated HMAC (Client only)
|
* \brief Activate negotiation of truncated HMAC (Client only)
|
||||||
* (Default: SSL_TRUNC_HMAC_ENABLED)
|
* (Default: SSL_TRUNC_HMAC_ENABLED)
|
||||||
|
@ -1061,6 +1066,7 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code );
|
||||||
* POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side
|
* POLARSSL_ERR_SSL_BAD_INPUT_DATA if used server-side
|
||||||
*/
|
*/
|
||||||
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
|
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate );
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
/**
|
/**
|
||||||
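Review bot: The doc comment on `ssl_set_truncated_hmac` states `(Default: SSL_TRUNC_HMAC_ENABLED)`, which looks inconsistent with the sample client in this same commit. The client advertises `trunc_hmac=%%d default: 0 (disabled)` and only calls the setter when the option is non-zero. That suggests the library default is disabled, though the context initialisation is not visible here, so this needs confirming. Because the value decides whether a shortened MAC is offered to the peer, the header should state the real default; if it is disabled, `(Default: SSL_TRUNC_HMAC_DISABLED)`.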
|
|
|
@ -302,6 +302,7 @@ static void ssl_write_max_fragment_length_ext( ssl_context *ssl,
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
|
static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
|
||||||
unsigned char *buf, size_t *olen )
|
unsigned char *buf, size_t *olen )
|
||||||
{
|
{
|
||||||
|
@ -323,6 +324,7 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
|
||||||
|
|
||||||
*olen = 4;
|
*olen = 4;
|
||||||
}
|
}
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
static void ssl_write_session_ticket_ext( ssl_context *ssl,
|
static void ssl_write_session_ticket_ext( ssl_context *ssl,
|
||||||
|
@ -553,8 +555,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
|
@ -645,6 +649,7 @@ static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
|
static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
|
||||||
const unsigned char *buf,
|
const unsigned char *buf,
|
||||||
size_t len )
|
size_t len )
|
||||||
|
@ -661,6 +666,7 @@ static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
static int ssl_parse_session_ticket_ext( ssl_context *ssl,
|
static int ssl_parse_session_ticket_ext( ssl_context *ssl,
|
||||||
|
@ -910,6 +916,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
|
||||||
break;
|
break;
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
case TLS_EXT_TRUNCATED_HMAC:
|
case TLS_EXT_TRUNCATED_HMAC:
|
||||||
SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
|
SSL_DEBUG_MSG( 3, ( "found truncated_hmac extension" ) );
|
||||||
|
|
||||||
|
@ -920,6 +927,7 @@ static int ssl_parse_server_hello( ssl_context *ssl )
|
||||||
}
|
}
|
||||||
|
|
||||||
break;
|
break;
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
case TLS_EXT_SESSION_TICKET:
|
case TLS_EXT_SESSION_TICKET:
|
||||||
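Review bot: The guard added around the `ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );` call in ssl_write_client_hello closes with a bare `#endif`, while the guards this commit adds around the function definitions and the `case TLS_EXT_TRUNCATED_HMAC:` branch name the macro. For consistency, and so the nesting stays readable next to the neighbouring feature guards, I would write `#endif /* POLARSSL_SSL_TRUNCATED_HMAC */` here. The same applies to the new guards in ssl_write_server_hello, in `struct _ssl_context`, and in `main` of the sample client. The bodies of these functions continue outside the hunks.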
|
|
|
@ -581,6 +581,7 @@ static int ssl_parse_max_fragment_length_ext( ssl_context *ssl,
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
|
static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
|
||||||
const unsigned char *buf,
|
const unsigned char *buf,
|
||||||
size_t len )
|
size_t len )
|
||||||
|
@ -597,6 +598,7 @@ static int ssl_parse_truncated_hmac_ext( ssl_context *ssl,
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
static int ssl_parse_session_ticket_ext( ssl_context *ssl,
|
static int ssl_parse_session_ticket_ext( ssl_context *ssl,
|
||||||
|
@ -1186,6 +1188,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
break;
|
break;
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
case TLS_EXT_TRUNCATED_HMAC:
|
case TLS_EXT_TRUNCATED_HMAC:
|
||||||
SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
|
SSL_DEBUG_MSG( 3, ( "found truncated hmac extension" ) );
|
||||||
|
|
||||||
|
@ -1193,6 +1196,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
return( ret );
|
return( ret );
|
||||||
break;
|
break;
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
case TLS_EXT_SESSION_TICKET:
|
case TLS_EXT_SESSION_TICKET:
|
||||||
|
@ -1313,6 +1317,7 @@ have_ciphersuite:
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
|
static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
|
||||||
unsigned char *buf,
|
unsigned char *buf,
|
||||||
size_t *olen )
|
size_t *olen )
|
||||||
|
@ -1335,6 +1340,7 @@ static void ssl_write_truncated_hmac_ext( ssl_context *ssl,
|
||||||
|
|
||||||
*olen = 4;
|
*olen = 4;
|
||||||
}
|
}
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
static void ssl_write_session_ticket_ext( ssl_context *ssl,
|
static void ssl_write_session_ticket_ext( ssl_context *ssl,
|
||||||
|
@ -1562,8 +1568,10 @@ static int ssl_write_server_hello( ssl_context *ssl )
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_truncated_hmac_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
ext_len += olen;
|
ext_len += olen;
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
#if defined(POLARSSL_SSL_SESSION_TICKETS)
|
||||||
ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
|
ssl_write_session_ticket_ext( ssl, p + 2 + ext_len, &olen );
|
||||||
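Review bot: With POLARSSL_SSL_TRUNCATED_HMAC undefined, the `case TLS_EXT_TRUNCATED_HMAC:` branch in ssl_parse_client_hello is compiled out, so a ClientHello carrying the extension is handled by whatever default branch the switch has. That branch lies outside this hunk. If it ignores unknown extensions, the handshake continues with the full-length MAC, which is the intended result, but this should be confirmed with a build that has the macro commented out. A short comment above the guard would record the intent, for example `/* If disabled, truncated_hmac is treated as an unknown extension and the full MAC is kept */`.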
|
|
|
@ -516,6 +516,7 @@ int ssl_derive_keys( ssl_context *ssl )
|
||||||
|
|
||||||
transform->maclen = md_get_size( md_info );
|
transform->maclen = md_get_size( md_info );
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
/*
|
/*
|
||||||
* If HMAC is to be truncated, we shall keep the leftmost bytes,
|
* If HMAC is to be truncated, we shall keep the leftmost bytes,
|
||||||
* (rfc 6066 page 13 or rfc 2104 section 4),
|
* (rfc 6066 page 13 or rfc 2104 section 4),
|
||||||
|
@ -523,6 +524,7 @@ int ssl_derive_keys( ssl_context *ssl )
|
||||||
*/
|
*/
|
||||||
if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
|
if( session->trunc_hmac == SSL_TRUNC_HMAC_ENABLED )
|
||||||
transform->maclen = SSL_TRUNCATED_HMAC_LEN;
|
transform->maclen = SSL_TRUNCATED_HMAC_LEN;
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
}
|
}
|
||||||
|
|
||||||
transform->keylen = cipher_info->key_length;
|
transform->keylen = cipher_info->key_length;
|
||||||
|
@ -3255,6 +3257,7 @@ int ssl_set_max_frag_len( ssl_context *ssl, unsigned char mfl_code )
|
||||||
}
|
}
|
||||||
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
#endif /* POLARSSL_SSL_MAX_FRAGMENT_LENGTH */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
|
int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
|
||||||
{
|
{
|
||||||
if( ssl->endpoint != SSL_IS_CLIENT )
|
if( ssl->endpoint != SSL_IS_CLIENT )
|
||||||
|
@ -3264,6 +3267,7 @@ int ssl_set_truncated_hmac( ssl_context *ssl, int truncate )
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
|
void ssl_set_renegotiation( ssl_context *ssl, int renegotiation )
|
||||||
{
|
{
|
||||||
|
|
|
@ -185,6 +185,13 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
|
||||||
#define USAGE_TICKETS ""
|
#define USAGE_TICKETS ""
|
||||||
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
#endif /* POLARSSL_SSL_SESSION_TICKETS */
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
|
#define USAGE_TRUNC_HMAC \
|
||||||
|
" trunc_hmac=%%d default: 0 (disabled)\n"
|
||||||
|
#else
|
||||||
|
#define USAGE_TRUNC_HMAC ""
|
||||||
|
#endif /* POLARSSL_SSL_TRUNCATED_HMAC */
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)
|
||||||
#define USAGE_MAX_FRAG_LEN \
|
#define USAGE_MAX_FRAG_LEN \
|
||||||
" max_frag_len=%%d default: 16384 (tls default)\n" \
|
" max_frag_len=%%d default: 16384 (tls default)\n" \
|
||||||
|
@ -213,7 +220,7 @@ static int my_verify( void *data, x509_cert *crt, int depth, int *flags )
|
||||||
" auth_mode=%%s default: \"optional\"\n" \
|
" auth_mode=%%s default: \"optional\"\n" \
|
||||||
" options: none, optional, required\n" \
|
" options: none, optional, required\n" \
|
||||||
USAGE_MAX_FRAG_LEN \
|
USAGE_MAX_FRAG_LEN \
|
||||||
" trunc_hmac=%%d default: 0 (disabled)\n" \
|
USAGE_TRUNC_HMAC \
|
||||||
USAGE_PSK \
|
USAGE_PSK \
|
||||||
"\n" \
|
"\n" \
|
||||||
" force_ciphersuite=<name> default: all enabled\n"\
|
" force_ciphersuite=<name> default: all enabled\n"\
|
||||||
|
@ -682,8 +689,10 @@ int main( int argc, char *argv[] )
|
||||||
ssl_set_max_frag_len( &ssl, opt.mfl_code );
|
ssl_set_max_frag_len( &ssl, opt.mfl_code );
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(POLARSSL_SSL_TRUNCATED_HMAC)
|
||||||
if( opt.trunc_hmac != 0 )
|
if( opt.trunc_hmac != 0 )
|
||||||
ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED );
|
ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED );
|
||||||
|
#endif
|
||||||
|
|
||||||
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
|
||||||
ssl_set_dbg( &ssl, my_debug, stdout );
|
ssl_set_dbg( &ssl, my_debug, stdout );
|
||||||
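Review bot: The usage text and the `ssl_set_truncated_hmac( &ssl, SSL_TRUNC_HMAC_ENABLED );` call are now guarded, but the parsing of the `trunc_hmac=` argument is not part of this hunk. If that parsing is still compiled when POLARSSL_SSL_TRUNCATED_HMAC is undefined, `trunc_hmac=1` would be accepted and silently ignored. In that case I would put the option parsing under the same `#if defined(POLARSSL_SSL_TRUNCATED_HMAC)` so an unsupported option falls through to the usage message. The return value of `ssl_set_truncated_hmac` is also dropped here, although the header documents an error return; `main` continues outside the hunk.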
|
|