Commit d2f068e0 authored by Paul Bakker's avatar Paul Bakker

Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2 individually

parent fb08fd2e
......@@ -20,6 +20,8 @@ Features
* Support for session tickets (RFC 5077)
Changes
* Ability to enable / disable SSL v3 / TLS 1.0 / TLS 1.1 / TLS 1.2
individually
* Introduced separate SSL Ciphersuites module that is based on
Cipher and MD information
* Internals for SSL module adapted to have separate IV pointer that is
......
......@@ -537,6 +537,54 @@
*/
#define POLARSSL_SSL_MAX_FRAGMENT_LENGTH
/**
* \def POLARSSL_SSL_PROTO_SSL3
*
* Enable support for SSL 3.0
*
* Requires: POLARSSL_MD5_C
* POLARSSL_SHA1_C
*
* Comment this macro to disable support for SSL 3.0
*/
#define POLARSSL_SSL_PROTO_SSL3
/**
* \def POLARSSL_SSL_PROTO_TLS1
*
* Enable support for TLS 1.0
*
* Requires: POLARSSL_MD5_C
* POLARSSL_SHA1_C
*
* Comment this macro to disable support for TLS 1.0
*/
#define POLARSSL_SSL_PROTO_TLS1
/**
* \def POLARSSL_SSL_PROTO_TLS1_1
*
* Enable support for TLS 1.1
*
* Requires: POLARSSL_MD5_C
* POLARSSL_SHA1_C
*
* Comment this macro to disable support for TLS 1.1
*/
#define POLARSSL_SSL_PROTO_TLS1_1
/**
* \def POLARSSL_SSL_PROTO_TLS1_2
*
* Enable support for TLS 1.2
*
* Requires: POLARSSL_SHA256_C or POLARSSL_SHA512_C
* (Depends on ciphersuites)
*
* Comment this macro to disable support for TLS 1.2
*/
#define POLARSSL_SSL_PROTO_TLS1_2
/**
* \def POLARSSL_SSL_SESSION_TICKETS
*
......@@ -1226,7 +1274,8 @@
* Caller: library/ssl_cli.c
* library/ssl_srv.c
*
* Requires: POLARSSL_MD5_C, POLARSSL_SHA1_C, POLARSSL_CIPHER_C
* Requires: POLARSSL_CIPHER_C and at least one of the
* POLARSSL_SSL_PROTO_* defines
*
* This module is required for SSL/TLS.
*/
......@@ -1454,8 +1503,7 @@
#error "POLARSSL_SSL_CLI_C defined, but not all prerequisites"
#endif
#if defined(POLARSSL_SSL_TLS_C) && ( !defined(POLARSSL_MD5_C) || \
!defined(POLARSSL_SHA1_C) || !defined(POLARSSL_CIPHER_C) )
#if defined(POLARSSL_SSL_TLS_C) && !defined(POLARSSL_CIPHER_C)
#error "POLARSSL_SSL_TLS_C defined, but not all prerequisites"
#endif
......@@ -1463,6 +1511,28 @@
#error "POLARSSL_SSL_SRV_C defined, but not all prerequisites"
#endif
#if defined(POLARSSL_SSL_TLS_C) && (!defined(POLARSSL_SSL_PROTO_SSL3) && \
!defined(POLARSSL_SSL_PROTO_TLS1) && !defined(POLARSSL_SSL_PROTO_TLS1_1) && \
!defined(POLARSSL_SSL_PROTO_TLS1_2))
#error "POLARSSL_SSL_TLS_C defined, but no protocols are active"
#endif
#if defined(POLARSSL_SSL_TLS_C) && (defined(POLARSSL_SSL_PROTO_SSL3) && \
defined(POLARSSL_SSL_PROTO_TLS1_1) && !defined(POLARSSL_SSL_PROTO_TLS1))
#error "Illegal protocol selection"
#endif
#if defined(POLARSSL_SSL_TLS_C) && (defined(POLARSSL_SSL_PROTO_TLS1) && \
defined(POLARSSL_SSL_PROTO_TLS1_2) && !defined(POLARSSL_SSL_PROTO_TLS1_1))
#error "Illegal protocol selection"
#endif
#if defined(POLARSSL_SSL_TLS_C) && (defined(POLARSSL_SSL_PROTO_SSL3) && \
defined(POLARSSL_SSL_PROTO_TLS1_2) && (!defined(POLARSSL_SSL_PROTO_TLS1) || \
!defined(POLARSSL_SSL_PROTO_TLS1_1)))
#error "Illegal protocol selection"
#endif
#if defined(POLARSSL_SSL_SESSION_TICKETS) && defined(POLARSSL_SSL_TLS_C) && \
( !defined(POLARSSL_AES_C) || !defined(POLARSSL_SHA256_C) )
#error "POLARSSL_SSL_SESSION_TICKETS_C defined, but not all prerequisites"
......
......@@ -31,13 +31,27 @@
#include "net.h"
#include "bignum.h"
#include "ssl_ciphersuites.h"
#if defined(POLARSSL_MD5_C)
#include "md5.h"
#endif
#if defined(POLARSSL_SHA1_C)
#include "sha1.h"
#endif
#if defined(POLARSSL_SHA256_C)
#include "sha256.h"
#endif
#if defined(POLARSSL_SHA512_C)
#include "sha512.h"
#include "aes.h"
#endif
#include "ssl_ciphersuites.h"
#if defined(POLARSSL_AES_C)
#include "aes.h"
#endif
#if defined(POLARSSL_X509_PARSE_C)
#include "x509.h"
......@@ -121,6 +135,44 @@
#define SSL_MINOR_VERSION_2 2 /*!< TLS v1.1 */
#define SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */
/* Determine minimum supported version */
#define SSL_MIN_MAJOR_VERSION SSL_MAJOR_VERSION_3
#if defined(POLARSSL_SSL_PROTO_SSL3)
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_0
#else
#if defined(POLARSSL_SSL_PROTO_TLS1)
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_1
#else
#if defined(POLARSSL_SSL_PROTO_TLS1_1)
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_2
#else
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#define SSL_MIN_MINOR_VERSION SSL_MINOR_VERSION_3
#endif
#endif
#endif
#endif
/* Determine maximum supported version */
#define SSL_MAX_MAJOR_VERSION SSL_MAJOR_VERSION_3
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_3
#else
#if defined(POLARSSL_SSL_PROTO_TLS1_1)
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_2
#else
#if defined(POLARSSL_SSL_PROTO_TLS1)
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_1
#else
#if defined(POLARSSL_SSL_PROTO_SSL3)
#define SSL_MAX_MINOR_VERSION SSL_MINOR_VERSION_0
#endif
#endif
#endif
#endif
/* RFC 6066 section 4, see also mfl_code_to_length in ssl_tls.c
* NONE must be zero so that memset()ing structure to zero works */
#define SSL_MAX_FRAG_LEN_NONE 0 /*!< don't use this extension */
......@@ -392,9 +444,11 @@ struct _ssl_transform
unsigned char iv_enc[16]; /*!< IV (encryption) */
unsigned char iv_dec[16]; /*!< IV (decryption) */
#if defined(POLARSSL_SSL_PROTO_SSL3)
/* Needed only for SSL v3.0 secret */
unsigned char mac_enc[32]; /*!< SSL v3.0 secret (enc) */
unsigned char mac_dec[32]; /*!< SSL v3.0 secret (dec) */
#endif /* POLARSSL_SSL_PROTO_SSL3 */
md_context_t md_ctx_enc; /*!< MAC (encryption) */
md_context_t md_ctx_dec; /*!< MAC (decryption) */
......@@ -436,12 +490,19 @@ struct _ssl_handshake_params
/*
* Checksum contexts
*/
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
defined(POLARSSL_SSL_PROTO_TLS1_1)
md5_context fin_md5;
sha1_context fin_sha1;
#endif
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#if defined(POLARSSL_SHA256_C)
sha256_context fin_sha256;
#endif
#if defined(POLARSSL_SHA512_C)
sha512_context fin_sha512;
#endif
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
void (*update_checksum)(ssl_context *, const unsigned char *, size_t);
void (*calc_verify)(ssl_context *, unsigned char *);
......@@ -1010,11 +1071,12 @@ void ssl_set_sni( ssl_context *ssl,
/**
* \brief Set the maximum supported version sent from the client side
* and/or accepted at the server side
* (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_3)
* (Default: SSL_MAX_MAJOR_VERSION, SSL_MAX_MINOR_VERSION)
*
* Note: This ignores ciphersuites from 'higher' versions.
* Note: Input outside of the SSL_MAX_XXXXX_VERSION and
* SSL_MIN_XXXXX_VERSION range is ignored.
*
* Note: This prevents ciphersuites from 'higher' versions to
* be ignored.
*
* \param ssl SSL context
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported)
* \param minor Minor version number (SSL_MINOR_VERSION_0,
......@@ -1026,7 +1088,10 @@ void ssl_set_max_version( ssl_context *ssl, int major, int minor );
/**
* \brief Set the minimum accepted SSL/TLS protocol version
* (Default: SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_0)
* (Default: SSL_MIN_MAJOR_VERSION, SSL_MIN_MINOR_VERSION)
*
* Note: Input outside of the SSL_MAX_XXXXX_VERSION and
* SSL_MIN_XXXXX_VERSION range is ignored.
*
* \param ssl SSL context
* \param major Major version number (only SSL_MAJOR_VERSION_3 supported)
......
......@@ -129,6 +129,7 @@ static void ssl_write_renegotiation_ext( ssl_context *ssl,
*olen = 5 + ssl->verify_data_len;
}
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
unsigned char *buf,
size_t *olen )
......@@ -198,6 +199,7 @@ static void ssl_write_signature_algorithms_ext( ssl_context *ssl,
*olen = 6 + sig_alg_len;
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static void ssl_write_supported_elliptic_curves_ext( ssl_context *ssl,
......@@ -384,8 +386,8 @@ static int ssl_write_client_hello( ssl_context *ssl )
if( ssl->max_major_ver == 0 && ssl->max_minor_ver == 0 )
{
ssl->max_major_ver = SSL_MAJOR_VERSION_3;
ssl->max_minor_ver = SSL_MINOR_VERSION_3;
ssl->max_major_ver = SSL_MAX_MAJOR_VERSION;
ssl->max_minor_ver = SSL_MAX_MINOR_VERSION;
}
/*
......@@ -538,8 +540,10 @@ static int ssl_write_client_hello( ssl_context *ssl )
ssl_write_renegotiation_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
ssl_write_signature_algorithms_ext( ssl, p + 2 + ext_len, &olen );
ext_len += olen;
#endif
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
ssl_write_supported_elliptic_curves_ext( ssl, p + 2 + ext_len, &olen );
......@@ -1152,6 +1156,7 @@ static int ssl_parse_server_psk_hint( ssl_context *ssl,
#endif /* POLARSSL_KEY_EXCHANGE_PSK_ENABLED ||
POLARSSL_KEY_EXCHANGE_DHE_PSK_ENABLED */
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
#if defined(POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED) || \
defined(POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED)
static int ssl_parse_signature_algorithm( ssl_context *ssl,
......@@ -1212,6 +1217,7 @@ static int ssl_parse_signature_algorithm( ssl_context *ssl,
}
#endif /* POLARSSL_KEY_EXCHANGE_DHE_RSA_ENABLED ||
POLARSSL_KEY_EXCHANGE_ECDHE_RSA_ENABLED */
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
static int ssl_parse_server_key_exchange( ssl_context *ssl )
{
......@@ -1224,7 +1230,7 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
unsigned char hash[64];
md_type_t md_alg = POLARSSL_MD_NONE;
unsigned int hashlen = 0;
#endif
#endif
SSL_DEBUG_MSG( 2, ( "=> parse server key exchange" ) );
......@@ -1325,6 +1331,7 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
if( ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_DHE_RSA ||
ciphersuite_info->key_exchange == POLARSSL_KEY_EXCHANGE_ECDHE_RSA )
{
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
/*
* Handle the digitally-signed structure
*/
......@@ -1336,6 +1343,7 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
n = ( p[0] << 8 ) | p[1];
p += 2;
......@@ -1360,6 +1368,8 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_SERVER_KEY_EXCHANGE );
}
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
defined(POLARSSL_SSL_PROTO_TLS1_1)
if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
{
md5_context md5;
......@@ -1394,6 +1404,10 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
hashlen = 36;
}
else
#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
POLARSSL_SSL_PROTO_TLS1_1 */
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
md_context_t ctx;
......@@ -1418,6 +1432,10 @@ static int ssl_parse_server_key_exchange( ssl_context *ssl )
md_finish( &ctx, hash );
md_free_ctx( &ctx );
}
else
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
/* Should never happen */
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
......@@ -1445,7 +1463,7 @@ static int ssl_parse_certificate_request( ssl_context *ssl )
int ret;
unsigned char *buf, *p;
size_t n = 0, m = 0;
size_t cert_type_len = 0, sig_alg_len = 0, dn_len = 0;
size_t cert_type_len = 0, dn_len = 0;
SSL_DEBUG_MSG( 2, ( "=> parse certificate request" ) );
......@@ -1527,10 +1545,11 @@ static int ssl_parse_certificate_request( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
}
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
sig_alg_len = ( ( buf[5 + n] << 8 )
| ( buf[6 + n] ) );
size_t sig_alg_len = ( ( buf[5 + n] << 8 )
| ( buf[6 + n] ) );
p = buf + 7 + n;
m += 2;
......@@ -1542,6 +1561,7 @@ static int ssl_parse_certificate_request( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_REQUEST );
}
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
dn_len = ( ( buf[5 + m + n] << 8 )
| ( buf[6 + m + n] ) );
......@@ -1808,12 +1828,15 @@ static int ssl_write_client_key_exchange( ssl_context *ssl )
i = 4;
n = pk_get_size( &ssl->session_negotiate->peer_cert->pk ) / 8;
#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
{
i += 2;
ssl->out_msg[4] = (unsigned char)( n >> 8 );
ssl->out_msg[5] = (unsigned char)( n );
}
#endif
ret = rsa_pkcs1_encrypt(
pk_rsa( ssl->session_negotiate->peer_cert->pk ),
......@@ -1914,6 +1937,8 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
*/
ssl->handshake->calc_verify( ssl, hash );
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
defined(POLARSSL_SSL_PROTO_TLS1_1)
if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
{
/*
......@@ -1932,6 +1957,10 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
md_alg = POLARSSL_MD_NONE;
}
else
#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
POLARSSL_SSL_PROTO_TLS1_1 */
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
/*
* digitally-signed struct {
......@@ -1964,6 +1993,10 @@ static int ssl_write_certificate_verify( ssl_context *ssl )
offset = 2;
}
else
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
/* Should never happen */
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
if ( ssl->rsa_key )
n = ssl->rsa_key_len ( ssl->rsa_key );
......
......@@ -424,6 +424,7 @@ static int ssl_parse_renegotiation_info( ssl_context *ssl,
return( 0 );
}
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
const unsigned char *buf,
size_t len )
......@@ -492,6 +493,7 @@ static int ssl_parse_signature_algorithms_ext( ssl_context *ssl,
return( 0 );
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
static int ssl_parse_supported_elliptic_curves( ssl_context *ssl,
......@@ -1174,6 +1176,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
return( ret );
break;
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
case TLS_EXT_SIG_ALG:
SSL_DEBUG_MSG( 3, ( "found signature_algorithms extension" ) );
if( ssl->renegotiation == SSL_RENEGOTIATION )
......@@ -1183,6 +1186,7 @@ static int ssl_parse_client_hello( ssl_context *ssl )
if( ret != 0 )
return( ret );
break;
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#if defined(POLARSSL_ECDH_C) || defined(POLARSSL_ECDSA_C)
case TLS_EXT_SUPPORTED_ELLIPTIC_CURVES:
......@@ -1713,6 +1717,7 @@ static int ssl_write_certificate_request( ssl_context *ssl )
*p++ = 1;
*p++ = SSL_CERT_TYPE_RSA_SIGN;
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
/*
* Add signature_algorithms for verify (TLS 1.2)
* Only add current running algorithm that is already required for
......@@ -1738,6 +1743,7 @@ static int ssl_write_certificate_request( ssl_context *ssl )
n += 4;
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
p += 2;
crt = ssl->ca_chain;
......@@ -1908,6 +1914,8 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
{
size_t rsa_key_len = 0;
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
defined(POLARSSL_SSL_PROTO_TLS1_1)
if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
{
md5_context md5;
......@@ -1940,6 +1948,10 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
md_alg = POLARSSL_MD_NONE;
}
else
#endif /* POLARSSL_SSL_PROTO_SSL3 || POLARSSL_SSL_PROTO_TLS1 || \
POLARSSL_SSL_PROTO_TLS1_1 */
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
md_context_t ctx;
......@@ -2001,12 +2013,17 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
}
}
else
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
/* Should never happen */
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
SSL_DEBUG_BUF( 3, "parameters hash", hash, hashlen );
if ( ssl->rsa_key )
rsa_key_len = ssl->rsa_key_len( ssl->rsa_key );
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
*(p++) = ssl->handshake->sig_alg;
......@@ -2014,6 +2031,7 @@ static int ssl_write_server_key_exchange( ssl_context *ssl )
n += 2;
}
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
*(p++) = (unsigned char)( rsa_key_len >> 8 );
*(p++) = (unsigned char)( rsa_key_len );
......@@ -2170,6 +2188,8 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
n = ssl->rsa_key_len( ssl->rsa_key );
ssl->handshake->pmslen = 48;
#if defined(POLARSSL_SSL_PROTO_TLS1) || defined(POLARSSL_SSL_PROTO_TLS1_1) || \
defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver != SSL_MINOR_VERSION_0 )
{
i += 2;
......@@ -2180,6 +2200,7 @@ static int ssl_parse_encrypted_pms_secret( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CLIENT_KEY_EXCHANGE );
}
}
#endif
if( ssl->in_hslen != i + n )
{
......@@ -2513,6 +2534,7 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
return( POLARSSL_ERR_SSL_BAD_HS_CERTIFICATE_VERIFY );
}
#if defined(POLARSSL_SSL_PROTO_TLS1_2)
if( ssl->minor_ver == SSL_MINOR_VERSION_3 )
{
/*
......@@ -2534,10 +2556,18 @@ static int ssl_parse_certificate_verify( ssl_context *ssl )
n += 2;
}
else
#endif /* POLARSSL_SSL_PROTO_TLS1_2 */
#if defined(POLARSSL_SSL_PROTO_SSL3) || defined(POLARSSL_SSL_PROTO_TLS1) || \
defined(POLARSSL_SSL_PROTO_TLS1_1)
if( ssl->minor_ver != SSL_MINOR_VERSION_3 )
{
hashlen = 36;
md_alg = POLARSSL_MD_NONE;
}
else
#endif
/* Should never happen */
return( POLARSSL_ERR_SSL_FEATURE_UNAVAILABLE );
/* EC NOT IMPLEMENTED YET */
if( ! pk_can_do( &ssl->session_negotiate->peer_cert->pk,
......
This diff is collapsed.
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment