add client suite verify, detect mismatch early

toddouska 2014-04-10 14:11:30 -07:00
parent 78ebc49bd2
commit 5de34bf987
3 changed files with 36 additions and 5 deletions


@ -2066,6 +2066,8 @@ CYASSL_LOCAL int IsAtLeastTLSv1_2(const CYASSL* ssl);
CYASSL_LOCAL void FreeHandshakeResources(CYASSL* ssl);
CYASSL_LOCAL void ShrinkInputBuffer(CYASSL* ssl, int forcedFree);
CYASSL_LOCAL void ShrinkOutputBuffer(CYASSL* ssl);
CYASSL_LOCAL int VerifyClientSuite(CYASSL* ssl);
#ifndef NO_CERTS
CYASSL_LOCAL Signer* GetCA(void* cm, byte* hash);
#ifndef NO_SKID


@ -9945,18 +9945,40 @@ static void PickHashSigAlgo(CYASSL* ssl,
}
/* Make sure client setup is valid for this suite, true on success */
int VerifyClientSuite(CYASSL* ssl)
{
int havePSK = 0;
byte first = ssl->options.cipherSuite0;
byte second = ssl->options.cipherSuite;
CYASSL_ENTER("VerifyClientSuite");
#ifndef NO_PSK
havePSK = ssl->options.havePSK;
#endif
if (CipherRequires(first, second, REQUIRES_PSK)) {
CYASSL_MSG("Requires PSK");
if (havePSK == 0) {
CYASSL_MSG("Don't have PSK");
return 0;
}
}
return 1; /* success */
}
/* Make sure cert/key are valid for this suite, true on success */
static int VerifySuite(CYASSL* ssl, word16 idx)
/* Make sure server cert/key are valid for this suite, true on success */
static int VerifyServerSuite(CYASSL* ssl, word16 idx)
{
int haveRSA = !ssl->options.haveStaticECC;
int havePSK = 0;
byte first;
byte second;
CYASSL_ENTER("VerifySuite");
CYASSL_ENTER("VerifyServerSuite");
if (ssl->suites == NULL) {
CYASSL_MSG("Suites pointer error");
@ -10061,7 +10083,7 @@ static void PickHashSigAlgo(CYASSL* ssl,
if (ssl->suites->suites[i] == peerSuites->suites[j] &&
ssl->suites->suites[i+1] == peerSuites->suites[j+1] ) {
if (VerifySuite(ssl, i)) {
if (VerifyServerSuite(ssl, i)) {
int result;
CYASSL_MSG("Verified suite validity");
ssl->options.cipherSuite0 = ssl->suites->suites[i];
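Review bot: VerifyClientSuite only checks the REQUIRES_PSK flag for the suite the server selected; nothing in the new function confirms that the pair in `ssl->options.cipherSuite0` / `ssl->options.cipherSuite` is one the client actually offered. If that membership check is not already done where the ServerHello is parsed (not visible on this page), a peer could steer the client onto a suite it never offered, so it belongs in this "is the client setup valid" gate. The sketch below walks the client's own list, mirroring the pairwise comparison already used on the server side. The new locals need to sit with the existing declarations, and resumption paths should be checked to confirm `ssl->suites` is still populated when this runs.

```c
int VerifyClientSuite(CYASSL* ssl)
{
    /* ... unchanged: havePSK/first/second locals, CYASSL_ENTER, NO_PSK block ... */
    word16 i;
    int    offered = 0;

    if (ssl->suites == NULL) {
        CYASSL_MSG("Suites pointer error");
        return 0;
    }

    /* the suite chosen by the server must be one this client offered */
    for (i = 0; i + 1 < ssl->suites->suiteSz; i += 2) {
        if (ssl->suites->suites[i]   == first &&
            ssl->suites->suites[i+1] == second) {
            offered = 1;
            break;
        }
    }
    if (!offered) {
        CYASSL_MSG("Server suite not in client list");
        return 0;
    }
    /* ... unchanged: REQUIRES_PSK check, return 1 ... */
```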


@ -39,6 +39,13 @@
int SetCipherSpecs(CYASSL* ssl)
{
if (ssl->options.side == CYASSL_CLIENT_END) {
/* server side verified before SetCipherSpecs call */
if (VerifyClientSuite(ssl) != 1) {
CYASSL_MSG("SetCipherSpecs() client has an unusuable suite");
return UNSUPPORTED_SUITE;
}
}
/* ECC extensions, or AES-CCM */
if (ssl->options.cipherSuite0 == ECC_BYTE) {
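Review bot: The debug string in the added client branch misspells "unusable", which makes this failure harder to find when searching handshake logs; I would change it to `CYASSL_MSG("SetCipherSpecs() client has an unusable suite");`. Failing closed with UNSUPPORTED_SUITE before any key material is set up is the right behaviour. Whether the caller turns that return value into a fatal alert to the peer is not visible in this hunk and is worth confirming. SetCipherSpecs continues beyond the lines shown here.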