Introduce specific error for ver/cfg mismatch on deserialization
This commit introduces a new SSL error code `MBEDTLS_ERR_SSL_VERSION_MISMATCH` which can be used to indicate operation failure due to a mismatch of version or configuration. It is put to use in the implementation of `mbedtls_ssl_session_load()` to signal the attempt to de-serialize a session which has been serialized in a build of Mbed TLS using a different version or configuration.
parent
fe1275e3fe
commit
f9b3303eb9
5 changed files with 9 additions and 3 deletions
|
@ -100,6 +100,7 @@
|
||||||
* ECP 4 10 (Started from top)
|
* ECP 4 10 (Started from top)
|
||||||
* MD 5 5
|
* MD 5 5
|
||||||
* HKDF 5 1 (Started from top)
|
* HKDF 5 1 (Started from top)
|
||||||
|
* SSL 5 1 (Started from 0x5F00)
|
||||||
* CIPHER 6 8 (Started from 0x6080)
|
* CIPHER 6 8 (Started from 0x6080)
|
||||||
* SSL 6 24 (Started from top, plus 0x6000)
|
* SSL 6 24 (Started from top, plus 0x6000)
|
||||||
* SSL 7 32
|
* SSL 7 32
|
||||||
|
|
|
@ -127,6 +127,7 @@
|
||||||
#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */
|
#define MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS -0x6500 /**< The asynchronous operation is not completed yet. */
|
||||||
#define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 /**< Internal-only message signaling that a message arrived early. */
|
#define MBEDTLS_ERR_SSL_EARLY_MESSAGE -0x6480 /**< Internal-only message signaling that a message arrived early. */
|
||||||
#define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */
|
#define MBEDTLS_ERR_SSL_UNEXPECTED_CID -0x6000 /**< An encrypted DTLS-frame with an unexpected CID was received. */
|
||||||
|
#define MBEDTLS_ERR_SSL_VERSION_MISMATCH -0x5F00 /**< An operation failed due to an unexpected version or configuration. */
|
||||||
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
|
#define MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS -0x7000 /**< A cryptographic operation is in progress. Try again later. */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
@ -2382,6 +2383,9 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session
|
||||||
* \return \c 0 if successful.
|
* \return \c 0 if successful.
|
||||||
* \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
|
* \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed.
|
||||||
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
|
* \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid.
|
||||||
|
* \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data
|
||||||
|
* was generated in a different version or configuration of
|
||||||
|
* Mbed TLS.
|
||||||
* \return Another negative value for other kinds of errors (for
|
* \return Another negative value for other kinds of errors (for
|
||||||
* example, unsupported features in the embedded certificate).
|
* example, unsupported features in the embedded certificate).
|
||||||
*/
|
*/
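Review bot: The new `\return` entry for `MBEDTLS_ERR_SSL_VERSION_MISMATCH` says when the code is returned, but not what a caller should do with it or what the underlying check guarantees. Judging by the `memcmp` against `ssl_serialized_session_header` in `ssl_session_load()`, this is a format-compatibility check on a fixed header, so passing it says nothing about the integrity or origin of the rest of the serialized data. I would extend the entry with something like `The serialized session cannot be used and should be discarded; this check does not authenticate the data.` The doc comment starts outside the hunk, so a note to that effect may already exist above.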
|
||||||
|
|
|
@ -525,6 +525,8 @@ void mbedtls_strerror( int ret, char *buf, size_t buflen )
|
||||||
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
|
mbedtls_snprintf( buf, buflen, "SSL - Internal-only message signaling that a message arrived early" );
|
||||||
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) )
|
if( use_ret == -(MBEDTLS_ERR_SSL_UNEXPECTED_CID) )
|
||||||
mbedtls_snprintf( buf, buflen, "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
|
mbedtls_snprintf( buf, buflen, "SSL - An encrypted DTLS-frame with an unexpected CID was received" );
|
||||||
|
if( use_ret == -(MBEDTLS_ERR_SSL_VERSION_MISMATCH) )
|
||||||
|
mbedtls_snprintf( buf, buflen, "SSL - An operation failed due to an unexpected version or configuration" );
|
||||||
if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
|
if( use_ret == -(MBEDTLS_ERR_SSL_CRYPTO_IN_PROGRESS) )
|
||||||
mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
|
mbedtls_snprintf( buf, buflen, "SSL - A cryptographic operation is in progress. Try again later" );
|
||||||
#endif /* MBEDTLS_SSL_TLS_C */
|
#endif /* MBEDTLS_SSL_TLS_C */
|
||||||
|
|
|
@ -10184,8 +10184,7 @@ static int ssl_session_load( mbedtls_ssl_session *session,
|
||||||
if( memcmp( p, ssl_serialized_session_header,
|
if( memcmp( p, ssl_serialized_session_header,
|
||||||
sizeof( ssl_serialized_session_header ) ) != 0 )
|
sizeof( ssl_serialized_session_header ) ) != 0 )
|
||||||
{
|
{
|
||||||
/* A more specific error code might be used here. */
|
return( MBEDTLS_ERR_SSL_VERSION_MISMATCH );
|
||||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
|
||||||
}
|
}
|
||||||
p += sizeof( ssl_serialized_session_header );
|
p += sizeof( ssl_serialized_session_header );
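Review bot: Every header mismatch now returns `MBEDTLS_ERR_SSL_VERSION_MISMATCH`, so a corrupted or foreign blob is reported the same way as data from a different build, and the removed comment is replaced by nothing that says so. A short comment at the return, e.g. `/* Any header mismatch, including corruption, is reported as a version/config mismatch. */`, would stop callers from reading the code as proof that the input was otherwise well-formed Mbed TLS output. `ssl_session_load()` starts and ends outside the hunk, so the length check that has to precede this `memcmp` is not visible. It is worth confirming that input shorter than the header is rejected before the comparison rather than compared.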
|
||||||
|
|
||||||
|
|
|
@ -975,7 +975,7 @@ void ssl_session_serialize_version_check( int corrupt_major,
|
||||||
TEST_ASSERT( mbedtls_ssl_session_load( &session,
|
TEST_ASSERT( mbedtls_ssl_session_load( &session,
|
||||||
serialized_session,
|
serialized_session,
|
||||||
serialized_session_len ) ==
|
serialized_session_len ) ==
|
||||||
MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
MBEDTLS_ERR_SSL_VERSION_MISMATCH );
|
||||||
|
|
||||||
/* Undo the change */
|
/* Undo the change */
|
||||||
*byte ^= corrupted_bit;
|
*byte ^= corrupted_bit;
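Review bot: The updated assertion only covers a header byte with a single bit flipped, so nothing in this hunk pins down the boundary between the new code and `MBEDTLS_ERR_SSL_BAD_INPUT_DATA`. If truncated input is meant to keep returning `MBEDTLS_ERR_SSL_BAD_INPUT_DATA`, a companion case that loads a buffer shorter than the header and asserts that code would keep the two results from drifting together. `ssl_session_serialize_version_check()` starts and ends outside the hunk, and a test elsewhere in the suite may already cover this.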
|
||||||
|
|