Fixed computing of intermediate buffer size for maximum-size RSA keys.
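diff --git a/src/ssl/ssl_hs_client.t0 b/src/ssl/ssl_hs_client.t0
index 911fdfc..23b39e7 100644
--- a/src/ssl/ssl_hs_client.t0
+++ b/src/ssl/ssl_hs_client.t0
@@ -31,7 +31,7 @@ preamble {
  * specific name. It must be noted that since the engine context is the
  * first field of the br_ssl_client_context structure ('eng'), then
  * pointers values of both types are interchangeable, modulo an
- * appropriate cast. This also means that "adresses" computed as offsets
+ * appropriate cast. This also means that "addresses" computed as offsets
  * within the structure work for both kinds of context.
  */
 #define CTX ((br_ssl_client_context *)ENG)
@@ -686,16 +686,12 @@ cc: DEBUG-BLOB ( addr len -- ) {
 \ Cipher suite. We check that it is part of the list of cipher
 \ suites that we advertised.
- \ read16 { suite ; found }
- \ 0 >found
- \ addr-suites_buf dup addr-suites_num get8 1 << +
- \ begin dup2 < while
- \ 2 - dup get16
- \ suite = found or >found
- \ repeat
- \ 2drop found ifnot ERR_BAD_CIPHER_SUITE fail then
 read16
 dup scan-suite 0< if ERR_BAD_CIPHER_SUITE fail then
+ \ Also check that the cipher suite is compatible with the
+ \ announced version: suites that don't use HMAC/SHA-1 are
+ \ for TLS-1.2 only, not older versions.
+ dup use-tls12? version 0x0303 < and if ERR_BAD_CIPHER_SUITE fail then
 addr-cipher_suite resume check-resume
 \ Compression method. Should be 0 (no compression).
@@ -973,7 +969,7 @@ cc: get-client-chain ( auth_types -- ) {
 \ Parse CertificateRequest. Header has already been read.
 : read-contents-CertificateRequest ( lim -- )
- \ Read supported client authentification types. We keep only
+ \ Read supported client authentication types. We keep only
 \ RSA, ECDSA, and ECDH.
 0 { auth_types }
 read8 open-elt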
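Review bot: The added `dup use-tls12? version 0x0303 < and if ERR_BAD_CIPHER_SUITE fail then` line is only as strong as the `version` value it compares against, and nothing in this hunk shows that `version` has already been checked against the client's advertised min/max range during ServerHello processing; if that validation happens earlier (outside the hunk) the comment should say so, e.g. `\ 'version' was already validated against our supported range above.`, otherwise a server announcing an arbitrary version could still pair it with a mismatched suite. The bare literal `0x0303` would read better as a named TLS-1.2 constant if the file defines one (I cannot tell from this hunk). Reusing ERR_BAD_CIPHER_SUITE for a suite/version mismatch rather than an unadvertised suite is defensible but worth one sentence in the comment so the error is not misread during incident triage. The ServerHello parsing word that encloses these lines starts and ends outside the hunk.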