add client suite verify, detect mismatch early
parent
78ebc49bd2
commit
5de34bf987
@ -2066,6 +2066,8 @@ CYASSL_LOCAL int IsAtLeastTLSv1_2(const CYASSL* ssl);
|
||||
CYASSL_LOCAL void FreeHandshakeResources(CYASSL* ssl);
|
||||
CYASSL_LOCAL void ShrinkInputBuffer(CYASSL* ssl, int forcedFree);
|
||||
CYASSL_LOCAL void ShrinkOutputBuffer(CYASSL* ssl);
|
||||
|
||||
CYASSL_LOCAL int VerifyClientSuite(CYASSL* ssl);
|
||||
#ifndef NO_CERTS
|
||||
CYASSL_LOCAL Signer* GetCA(void* cm, byte* hash);
|
||||
#ifndef NO_SKID
|
||||
|
@ -9945,18 +9945,40 @@ static void PickHashSigAlgo(CYASSL* ssl,
|
||||
}
|
||||
|
||||
|
||||
/* Make sure client setup is valid for this suite, true on success */
|
||||
int VerifyClientSuite(CYASSL* ssl)
|
||||
{
|
||||
int havePSK = 0;
|
||||
byte first = ssl->options.cipherSuite0;
|
||||
byte second = ssl->options.cipherSuite;
|
||||
|
||||
CYASSL_ENTER("VerifyClientSuite");
|
||||
|
||||
#ifndef NO_PSK
|
||||
havePSK = ssl->options.havePSK;
|
||||
#endif
|
||||
|
||||
if (CipherRequires(first, second, REQUIRES_PSK)) {
|
||||
CYASSL_MSG("Requires PSK");
|
||||
if (havePSK == 0) {
|
||||
CYASSL_MSG("Don't have PSK");
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
|
||||
return 1; /* success */
|
||||
}
|
||||
|
||||
|
||||
|
||||
/* Make sure cert/key are valid for this suite, true on success */
|
||||
static int VerifySuite(CYASSL* ssl, word16 idx)
|
||||
/* Make sure server cert/key are valid for this suite, true on success */
|
||||
static int VerifyServerSuite(CYASSL* ssl, word16 idx)
|
||||
{
|
||||
int haveRSA = !ssl->options.haveStaticECC;
|
||||
int havePSK = 0;
|
||||
byte first;
|
||||
byte second;
|
||||
|
||||
CYASSL_ENTER("VerifySuite");
|
||||
CYASSL_ENTER("VerifyServerSuite");
|
||||
|
||||
if (ssl->suites == NULL) {
|
||||
CYASSL_MSG("Suites pointer error");
|
||||
@ -10061,7 +10083,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
|
||||
if (ssl->suites->suites[i] == peerSuites->suites[j] &&
|
||||
ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) {
|
||||
|
||||
if (VerifySuite(ssl, i)) {
|
||||
if (VerifyServerSuite(ssl, i)) {
|
||||
int result;
|
||||
CYASSL_MSG("Verified suite validity");
|
||||
ssl->options.cipherSuite0 = ssl->suites->suites[i];
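Review bot: VerifyClientSuite enforces only the REQUIRES_PSK flag, so its header comment ("Make sure client setup is valid for this suite") promises more than the body checks. As written it returns 1 for any server-selected suite that does not need a PSK, including one the client never offered; whether that case is rejected elsewhere is not visible in these hunks. I would narrow the comment to `/* Client-side check of the server-selected suite; only the PSK requirement is enforced so far. Returns 1 if usable, 0 if not */` so later readers do not treat it as a complete validation. The renamed VerifyServerSuite starts in this hunk, but its body continues outside it.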
|
||||
|
@ -39,6 +39,13 @@
|
||||
|
||||
int SetCipherSpecs(CYASSL* ssl)
|
||||
{
|
||||
if (ssl->options.side == CYASSL_CLIENT_END) {
|
||||
/* server side verified before SetCipherSpecs call */
|
||||
if (VerifyClientSuite(ssl) != 1) {
|
||||
CYASSL_MSG("SetCipherSpecs() client has an unusuable suite");
|
||||
return UNSUPPORTED_SUITE;
|
||||
}
|
||||
}
|
||||
/* ECC extensions, or AES-CCM */
|
||||
if (ssl->options.cipherSuite0 == ECC_BYTE) {
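Review bot: The log string in the new client branch misspells "unusable", which makes the failure harder to find when grepping debug logs; it should read `CYASSL_MSG("SetCipherSpecs() client has an unusable suite");`. The comment `/* server side verified before SetCipherSpecs call */` sits inside the client-only branch and reads as if it described that branch; placing it above the `if`, as `/* client verifies here; server side is verified when the suite is matched */`, would be clearer. The callers of SetCipherSpecs are outside this hunk, so it is worth confirming that each one propagates the new UNSUPPORTED_SUITE return and aborts the handshake instead of continuing with unset cipher specs. SetCipherSpecs's body continues outside the hunk.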
|
||||
|
||||
|