From 2a674937dd0ac288b2ac5d56222ce345d81f940a Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Wed, 4 Jan 2023 03:15:09 +0000
Subject: [PATCH] Pend a illeagal allert when selected_identity isn't 0

Handshake should abort will illeagal parameter allert when receiving early data extentions but the selected_identity parsed from pre-share key isn't equal to 0.

Signed-off-by: Xiaokang Qian
---
 library/ssl_tls13_client.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 7a0f6b8115..a9ce4ed061 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1093,6 +1093,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
 MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
 selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
+ ssl->handshake->selected_identity = (uint16_t) selected_identity;
 MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
@@ -2096,6 +2097,18 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
 MBEDTLS_ERR_SSL_DECODE_ERROR);
 return MBEDTLS_ERR_SSL_DECODE_ERROR;
 }
+ if (ssl->handshake->selected_identity != 0) {
+ /* RFC8446 4.2.11
+ * If the server supplies an "early_data" extension, the
+ * client MUST verify that the server's selected_identity
+ * is 0. If any other value is returned, the client MUST
+ * abort the handshake with an "illegal_parameter" alert.
+ */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
 break;
 #endif /* MBEDTLS_SSL_EARLY_DATA */
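Review bot: The new assignment in ssl_tls13_parse_server_pre_shared_key_ext saves the wire value into the handshake state before any range check that is visible in this hunk, and nothing at the store says why it is kept. If the function validates selected_identity further down (its body continues outside the hunk), consider moving the store after that validation so the handshake never holds an unchecked index. Either way, a comment such as `/* Kept for the early_data check in EncryptedExtensions (RFC 8446 4.2.11). */` would tie the two places together.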
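Review bot: The check added to the early_data case trusts `ssl->handshake->selected_identity`, which this patch writes only when a pre_shared_key extension was parsed from the ServerHello. If the server omitted that extension, the field still holds whatever the handshake was initialised with (presumably 0), so an early_data extension in EncryptedExtensions would pass this test without any PSK having been selected. Unless a check outside the hunk already rejects that case, the condition should also require that pre_shared_key was received, for example `if ((ssl->handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY)) == 0 || ssl->handshake->selected_identity != 0) {`, assuming the received-extensions mask is available in this tree. The enclosing switch in ssl_tls13_parse_encrypted_extensions starts and ends outside the hunk.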