mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-04-02 07:20:26 +00:00
Drop renego state from context if no renego support
This commit is contained in:
Manuel Pégourié-Gonnard
parent
d2b35ec3d3
commit
69849f8595
@ -794,8 +794,8 @@ struct _ssl_context
|
|||||||
*/
|
*/
|
||||||
int state; /*!< SSL handshake: current state */
|
int state; /*!< SSL handshake: current state */
|
||||||
int transport; /*!< Transport: stream or datagram */
|
int transport; /*!< Transport: stream or datagram */
|
||||||
int renegotiation; /*!< Initial or renegotiation */
|
|
||||||
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||||
|
int renegotiation; /*!< Initial or renegotiation */
|
||||||
int renego_records_seen; /*!< Records since renego request, or with DTLS,
|
int renego_records_seen; /*!< Records since renego request, or with DTLS,
|
||||||
number of retransmissions of request if
|
number of retransmissions of request if
|
||||||
renego_max_records is < 0 */
|
renego_max_records is < 0 */
|
||||||
|
|||||||
@ -1495,16 +1495,11 @@ read_record_header:
|
|||||||
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
|
if( ssl->transport == SSL_TRANSPORT_DATAGRAM )
|
||||||
{
|
{
|
||||||
/*
|
/*
|
||||||
* Copy the client's handshake message_seq on initial handshakes
|
* Copy the client's handshake message_seq on initial handshakes,
|
||||||
|
* check sequence number on renego.
|
||||||
*/
|
*/
|
||||||
if( ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||||
{
|
if( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS )
|
||||||
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
|
||||||
ssl->in_msg[5];
|
|
||||||
ssl->handshake->out_msg_seq = cli_msg_seq;
|
|
||||||
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
{
|
||||||
/* This couldn't be done in ssl_prepare_handshake_record() */
|
/* This couldn't be done in ssl_prepare_handshake_record() */
|
||||||
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
||||||
@ -1520,6 +1515,14 @@ read_record_header:
|
|||||||
|
|
||||||
ssl->handshake->in_msg_seq++;
|
ssl->handshake->in_msg_seq++;
|
||||||
}
|
}
|
||||||
|
else
|
||||||
|
#endif
|
||||||
|
{
|
||||||
|
unsigned int cli_msg_seq = ( ssl->in_msg[4] << 8 ) |
|
||||||
|
ssl->in_msg[5];
|
||||||
|
ssl->handshake->out_msg_seq = cli_msg_seq;
|
||||||
|
ssl->handshake->in_msg_seq = cli_msg_seq + 1;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* For now we don't support fragmentation, so make sure
|
* For now we don't support fragmentation, so make sure
|
||||||
@ -1643,8 +1646,11 @@ read_record_header:
|
|||||||
buf + cookie_offset + 1, cookie_len );
|
buf + cookie_offset + 1, cookie_len );
|
||||||
|
|
||||||
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
|
#if defined(POLARSSL_SSL_DTLS_HELLO_VERIFY)
|
||||||
if( ssl->f_cookie_check != NULL &&
|
if( ssl->f_cookie_check != NULL
|
||||||
ssl->renegotiation == SSL_INITIAL_HANDSHAKE )
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||||
|
&& ssl->renegotiation == SSL_INITIAL_HANDSHAKE
|
||||||
|
#endif
|
||||||
|
)
|
||||||
{
|
{
|
||||||
if( ssl->f_cookie_check( ssl->p_cookie,
|
if( ssl->f_cookie_check( ssl->p_cookie,
|
||||||
buf + cookie_offset + 1, cookie_len,
|
buf + cookie_offset + 1, cookie_len,
|
||||||
@ -1941,6 +1947,7 @@ read_record_header:
|
|||||||
if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
|
if( p[0] == 0 && p[1] == SSL_EMPTY_RENEGOTIATION_INFO )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
|
SSL_DEBUG_MSG( 3, ( "received TLS_EMPTY_RENEGOTIATION_INFO " ) );
|
||||||
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||||
if( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS )
|
if( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS )
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
|
SSL_DEBUG_MSG( 1, ( "received RENEGOTIATION SCSV during renegotiation" ) );
|
||||||
@ -1950,6 +1957,7 @@ read_record_header:
|
|||||||
|
|
||||||
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_HELLO );
|
||||||
}
|
}
|
||||||
|
#endif
|
||||||
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
|
ssl->secure_renegotiation = SSL_SECURE_RENEGOTIATION;
|
||||||
break;
|
break;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -3205,9 +3205,12 @@ static int ssl_parse_record_header( ssl_context *ssl )
|
|||||||
/* Drop unexpected ApplicationData records,
|
/* Drop unexpected ApplicationData records,
|
||||||
* except at the beginning of renegotiations */
|
* except at the beginning of renegotiations */
|
||||||
if( ssl->in_msgtype == SSL_MSG_APPLICATION_DATA &&
|
if( ssl->in_msgtype == SSL_MSG_APPLICATION_DATA &&
|
||||||
ssl->state != SSL_HANDSHAKE_OVER &&
|
ssl->state != SSL_HANDSHAKE_OVER
|
||||||
! ( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS &&
|
#if defined(POLARSSL_SSL_RENEGOTIATION)
|
||||||
ssl->state == SSL_SERVER_HELLO ) )
|
&& ! ( ssl->renegotiation == SSL_RENEGOTIATION_IN_PROGRESS &&
|
||||||
|
ssl->state == SSL_SERVER_HELLO )
|
||||||
|
#endif
|
||||||
|
)
|
||||||
{
|
{
|
||||||
SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
|
SSL_DEBUG_MSG( 1, ( "dropping unexpected ApplicationData" ) );
|
||||||
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
return( POLARSSL_ERR_SSL_INVALID_RECORD );
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user