Commit
8d4ad077
authored
Jul 13, 2014
by
Manuel Pégourié-Gonnard
SHA-2 ciphersuites now require TLS 1.x
parent
e73b2639
Changes
5
Showing
5 changed files
with
28 additions
and
33 deletions
+28
-33
ChangeLog
ChangeLog
+4
-0
include/polarssl/ssl.h
include/polarssl/ssl.h
+2
-2
library/ssl_ciphersuites.c
library/ssl_ciphersuites.c
+19
-19
library/ssl_tls.c
library/ssl_tls.c
+3
-6
tests/compat.sh
tests/compat.sh
+0
-6
ChangeLog
@@ -5,6 +5,10 @@ Bugfix
* Support escaping of commas in x509_string_to_names()
* Fix compile error in ssl_pthread_server (found by Julian Ospald).
Changes
* Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
standard defining how to use SHA-2 with SSL 3.0).
= PolarSSL 1.3.8 released 2014-07-11
Security
* Fix length checking for AEAD ciphersuites (found by Codenomicon).
include/polarssl/ssl.h
@@ -560,8 +560,8 @@ struct _ssl_transform
#if defined(POLARSSL_SSL_PROTO_SSL3)
/* Needed only for SSL v3.0 secret */
unsigned
char
mac_enc
[
48
];
/*!< SSL v3.0 secret (enc) */
unsigned
char
mac_dec
[
48
];
/*!< SSL v3.0 secret (dec) */
unsigned
char
mac_enc
[
20
];
/*!< SSL v3.0 secret (enc) */
unsigned
char
mac_dec
[
20
];
/*!< SSL v3.0 secret (dec) */
#endif
/* POLARSSL_SSL_PROTO_SSL3 */
md_context_t
md_ctx_enc
;
/*!< MAC (encryption) */
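Review bot: The new size 20 on `mac_enc` and `mac_dec` is an unexplained constant: it is the SHA-1 output length, and the arrays are only large enough because every ciphersuite that can still be negotiated under SSL 3.0 uses MD5 or SHA-1 — an invariant that lives in `ciphersuite_definitions[]` in library/ssl_ciphersuites.c, not in this header. A reader here cannot see that, so the field comment should state it, e.g. `/*!< SSL v3.0 MAC secret (enc); 20 = SHA-1 size, the largest MAC any SSL3-eligible suite may use */` and the same for `mac_dec`. If key derivation copies md_size bytes into these fields (I cannot see that code from here), a SHA-2 suite ever reaching SSL 3.0 again would overrun them, which is a second reason to document the coupling. The `struct _ssl_transform` definition starts before the hunk and continues after it.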
library/ssl_ciphersuites.c
@@ -1077,7 +1077,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_PSK_WITH_AES_128_CBC_SHA256
,
"TLS-PSK-WITH-AES-128-CBC-SHA256"
,
POLARSSL_CIPHER_AES_128_CBC
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA256_C */
...
...
@@ -1085,7 +1085,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_PSK_WITH_AES_256_CBC_SHA384
,
"TLS-PSK-WITH-AES-256-CBC-SHA384"
,
POLARSSL_CIPHER_AES_256_CBC
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA512_C */
...
...
@@ -1133,7 +1133,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256
,
"TLS-PSK-WITH-CAMELLIA-128-CBC-SHA256"
,
POLARSSL_CIPHER_CAMELLIA_128_CBC
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA256_C */
...
...
@@ -1141,7 +1141,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384
,
"TLS-PSK-WITH-CAMELLIA-256-CBC-SHA384"
,
POLARSSL_CIPHER_CAMELLIA_256_CBC
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA512_C */
...
...
@@ -1213,7 +1213,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_DHE_PSK_WITH_AES_128_CBC_SHA256
,
"TLS-DHE-PSK-WITH-AES-128-CBC-SHA256"
,
POLARSSL_CIPHER_AES_128_CBC
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_DHE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA256_C */
...
...
@@ -1221,7 +1221,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_DHE_PSK_WITH_AES_256_CBC_SHA384
,
"TLS-DHE-PSK-WITH-AES-256-CBC-SHA384"
,
POLARSSL_CIPHER_AES_256_CBC
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_DHE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA512_C */
...
...
@@ -1269,7 +1269,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256
,
"TLS-DHE-PSK-WITH-CAMELLIA-128-CBC-SHA256"
,
POLARSSL_CIPHER_CAMELLIA_128_CBC
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_DHE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA256_C */
...
...
@@ -1277,7 +1277,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384
,
"TLS-DHE-PSK-WITH-CAMELLIA-256-CBC-SHA384"
,
POLARSSL_CIPHER_CAMELLIA_256_CBC
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_DHE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA512_C */
...
...
@@ -1428,7 +1428,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_RSA_PSK_WITH_AES_128_CBC_SHA256
,
"TLS-RSA-PSK-WITH-AES-128-CBC-SHA256"
,
POLARSSL_CIPHER_AES_128_CBC
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_RSA_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA256_C */
...
...
@@ -1436,7 +1436,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_RSA_PSK_WITH_AES_256_CBC_SHA384
,
"TLS-RSA-PSK-WITH-AES-256-CBC-SHA384"
,
POLARSSL_CIPHER_AES_256_CBC
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_RSA_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA512_C */
...
...
@@ -1462,7 +1462,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256
,
"TLS-RSA-PSK-WITH-CAMELLIA-128-CBC-SHA256"
,
POLARSSL_CIPHER_CAMELLIA_128_CBC
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_RSA_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA256_C */
...
...
@@ -1470,7 +1470,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384
,
"TLS-RSA-PSK-WITH-CAMELLIA-256-CBC-SHA384"
,
POLARSSL_CIPHER_CAMELLIA_256_CBC
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_RSA_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
0
},
#endif
/* POLARSSL_SHA512_C */
...
...
@@ -1540,7 +1540,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_RSA_WITH_NULL_SHA256
,
"TLS-RSA-WITH-NULL-SHA256"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_RSA
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
...
...
@@ -1558,7 +1558,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_PSK_WITH_NULL_SHA256
,
"TLS-PSK-WITH-NULL-SHA256"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
...
...
@@ -1566,7 +1566,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_PSK_WITH_NULL_SHA384
,
"TLS-PSK-WITH-NULL-SHA384"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
...
...
@@ -1584,7 +1584,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_DHE_PSK_WITH_NULL_SHA256
,
"TLS-DHE-PSK-WITH-NULL-SHA256"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_DHE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
...
...
@@ -1592,7 +1592,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_DHE_PSK_WITH_NULL_SHA384
,
"TLS-DHE-PSK-WITH-NULL-SHA384"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_DHE_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
...
...
@@ -1636,7 +1636,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA256_C)
{
TLS_RSA_PSK_WITH_NULL_SHA256
,
"TLS-RSA-PSK-WITH-NULL-SHA256"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA256
,
POLARSSL_KEY_EXCHANGE_RSA_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
...
...
@@ -1644,7 +1644,7 @@ static const ssl_ciphersuite_t ciphersuite_definitions[] =
#if defined(POLARSSL_SHA512_C)
{
TLS_RSA_PSK_WITH_NULL_SHA384
,
"TLS-RSA-PSK-WITH-NULL-SHA384"
,
POLARSSL_CIPHER_NULL
,
POLARSSL_MD_SHA384
,
POLARSSL_KEY_EXCHANGE_RSA_PSK
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
0
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_
1
,
SSL_MAJOR_VERSION_3
,
SSL_MINOR_VERSION_3
,
POLARSSL_CIPHERSUITE_WEAK
},
#endif
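Review bot: Each of the 19 hunks in this file raises `min_minor_ver` from `SSL_MINOR_VERSION_0` to `SSL_MINOR_VERSION_1` by hand, and nothing in the table enforces the rule the commit introduces, so a future SHA-256/SHA-384 entry added with `SSL_MINOR_VERSION_0` would silently reopen the SHA-2-over-SSL-3.0 case (the same point applies to every hunk here, from `TLS_PSK_WITH_AES_128_CBC_SHA256` through `TLS_RSA_PSK_WITH_NULL_SHA384`). A comment above `ciphersuite_definitions[]` stating the invariant — `/* Entries whose mac is SHA-256 or SHA-384 must have min_minor_ver >= SSL_MINOR_VERSION_1: SSL 3.0 defines its MAC only for MD5 and SHA-1, and ssl_transform sizes its SSL3 secrets for SHA-1. */` — would make the rule visible where new entries are written. A test that walks ssl_list_ciphersuites() and checks that rule on each ssl_ciphersuite_from_id() result would enforce it mechanically rather than by review. The array definition starts before the first hunk and ends after the last one.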
library/ssl_tls.c
@@ -991,18 +991,15 @@ static void ssl_mac( md_context_t *md_ctx, unsigned char *secret,
{
unsigned
char
header
[
11
];
unsigned
char
padding
[
48
];
int
padlen
=
0
;
int
padlen
;
int
md_size
=
md_get_size
(
md_ctx
->
md_info
);
int
md_type
=
md_get_type
(
md_ctx
->
md_info
);
/* Only MD5 and SHA-1 supported */
if
(
md_type
==
POLARSSL_MD_MD5
)
padlen
=
48
;
else
if
(
md_type
==
POLARSSL_MD_SHA1
)
else
padlen
=
40
;
else
if
(
md_type
==
POLARSSL_MD_SHA256
)
padlen
=
32
;
else
if
(
md_type
==
POLARSSL_MD_SHA384
)
padlen
=
16
;
memcpy
(
header
,
ctr
,
8
);
header
[
8
]
=
(
unsigned
char
)
type
;
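Review bot: In ssl_mac the new `else padlen = 40;` applies the SHA-1 pad length to every digest other than MD5, so the added comment `/* Only MD5 and SHA-1 supported */` is an assumption this function no longer checks; it holds only because the ciphersuite table in library/ssl_ciphersuites.c now keeps SHA-256/SHA-384 suites off SSL 3.0, a coupling worth naming in the comment itself. Tying the branch to the digest it is written for keeps that explicit: `else if( md_type == POLARSSL_MD_SHA1 ) padlen = 40;`, and then `padlen` needs its initialiser back (`int padlen = 0;`, which this hunk removed), since the function returns void and cannot report an unsupported digest. I cannot see from here how the caller reacts to a zero pad length; the point is that the assumption stays visible and cannot decay into an uninitialised read. ssl_mac's signature is on the hunk header line and its body continues after the hunk.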
tests/compat.sh
@@ -586,12 +586,6 @@ add_polarssl_ciphersuites()
;;
"RSA"
)
if
[
"
$MODE
"
==
"ssl3"
]
;
then
P_CIPHERS
=
"
$P_CIPHERS
\
TLS-RSA-WITH-NULL-SHA256
\
"
fi
if
[
"
$MODE
"
=
"tls1_2"
]
;
then
P_CIPHERS
=
"
$P_CIPHERS
\