ARMmbed/mbedtls
1
0
Fork 0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-06-25 22:56:35 +08:00
Code Issues Releases Wiki Activity

tls: Add logic in handshake step to enable server version negotiation

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2023-03-08 15:51:25 +01:00
parent 8a12aeec93
commit 6291b23080
2 changed files with 33 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
library/ssl_tls.c
View File

@ -3883,22 +3883,23 @@ int mbedtls_ssl_handshake_step(mbedtls_ssl_context *ssl)
#endif #endif
} }
} }
#endif #endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_SRV_C) #if defined(MBEDTLS_SSL_SRV_C)
if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) { if (ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER) {
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_PROTO_TLS1_3)
if (mbedtls_ssl_conf_is_tls13_only(ssl->conf)) { if (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3) {
ret = mbedtls_ssl_tls13_handshake_server_step(ssl); ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
} } else {
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if (mbedtls_ssl_conf_is_tls12_only(ssl->conf)) {
ret = mbedtls_ssl_handshake_server_step(ssl); ret = mbedtls_ssl_handshake_server_step(ssl);
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ #elif defined(MBEDTLS_SSL_PROTO_TLS1_2)
} ret = mbedtls_ssl_handshake_server_step(ssl);
#else
ret = mbedtls_ssl_tls13_handshake_server_step(ssl);
#endif #endif
}
#endif /* MBEDTLS_SSL_SRV_C */
if (ret != 0) { if (ret != 0) {
/* handshake_step return error. And it is same /* handshake_step return error. And it is same

9
library/ssl_tls12_server.c
View File

@ -920,12 +920,15 @@ read_record_header:
* If renegotiating, then the input was read with mbedtls_ssl_read_record(), * If renegotiating, then the input was read with mbedtls_ssl_read_record(),
* otherwise read it ourselves manually in order to support SSLv2 * otherwise read it ourselves manually in order to support SSLv2
* ClientHello, which doesn't use the same record layer format. * ClientHello, which doesn't use the same record layer format.
* Otherwise in a scenario of TLS 1.3/TLS 1.2 version negotiation, the
* ClientHello has been already fully fetched by the TLS 1.3 code and the
* flag ssl->keep_current_message is raised.
*/ */
renegotiating = 0; renegotiating = 0;
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE); renegotiating = (ssl->renego_status != MBEDTLS_SSL_INITIAL_HANDSHAKE);
#endif #endif
if (!renegotiating) { if (!renegotiating && !ssl->keep_current_message) {
if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) { if ((ret = mbedtls_ssl_fetch_input(ssl, 5)) != 0) {
/* No alert on a read error. */ /* No alert on a read error. */
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_fetch_input", ret);
@ -1000,6 +1003,9 @@ read_record_header:
} else } else
#endif #endif
{ {
if (ssl->keep_current_message) {
ssl->keep_current_message = 0;
} else {
if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) { if (msg_len > MBEDTLS_SSL_IN_CONTENT_LEN) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message")); MBEDTLS_SSL_DEBUG_MSG(1, ("bad client hello message"));
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
@ -1019,6 +1025,7 @@ read_record_header:
#endif #endif
ssl->in_left = 0; ssl->in_left = 0;
} }
}
buf = ssl->in_msg; buf = ssl->in_msg;