Change code base on comments

Align the alert type in parse_server_hello Remove MBEDTLS_SSL_COOKIE_C guard Enable cookie for both DTLS and TLS1.3 Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2025-02-26 12:39:55 +00:00 · 2022-01-26 09:49:29 +00:00 · 2022-01-26 09:49:29 +00:00 · 52da558103
commit 52da558103
parent aec1f3e913
2 changed files with 18 additions and 30 deletions
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -692,14 +692,16 @@ struct mbedtls_ssl_handshake_params

    } buffering;

-#if defined(MBEDTLS_SSL_PROTO_DTLS)
-    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
-    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */
-
+#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
    unsigned char *verify_cookie;       /*!<  Cli: HelloVerifyRequest cookie
                                              Srv: unused                    */
    unsigned char verify_cookie_len;    /*!<  Cli: cookie length
                                              Srv: flag for sending a cookie */
+#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
+
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+    unsigned int out_msg_seq;           /*!<  Outgoing handshake sequence number */
+    unsigned int in_msg_seq;            /*!<  Incoming handshake sequence number */

    uint32_t retransmit_timeout;        /*!<  Current value of timeout       */
    mbedtls_ssl_flight_item *flight;    /*!<  Current outgoing flight        */
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@ -526,7 +526,6 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,

 #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */

-#if defined(MBEDTLS_SSL_COOKIE_C)
 /*
 * ssl_tls13_parse_cookie_ext()
 *      Parse cookie extension in Hello Retry Request
@ -559,7 +558,6 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
    MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
    MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );

-#if defined(MBEDTLS_SSL_PROTO_DTLS)
    mbedtls_free( handshake->verify_cookie );
    handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
    if( handshake->verify_cookie == NULL )
@ -572,11 +570,9 @@ static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,

    memcpy( handshake->verify_cookie, p, cookie_len );
    handshake->verify_cookie_len = (unsigned char) cookie_len;
-#endif /* MBEDTLS_SSL_PROTO_DTLS */

    return( 0 );
 }
-#endif /* MBEDTLS_SSL_COOKIE_C */

 /* Write cipher_suites
 * CipherSuite cipher_suites<2..2^16-2>;
@ -1121,7 +1117,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
     */
    if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
    {
-        fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
        goto cleanup;
    }

@ -1145,7 +1141,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
    if( ciphersuite_info == NULL ||
        ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 )
    {
-        fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
    }
    /*
     * If we received an HRR before and that the proposed selected
@ -1156,10 +1152,10 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
    else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
             ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
    {
-        fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
    }

-    if( fatal_alert == MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER )
+    if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
                                    cipher_suite ) );
@ -1187,7 +1183,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
    if( p[0] != 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
-        fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
        goto cleanup;
    }
    p++;
@ -1226,19 +1222,11 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,

        switch( extension_type )
        {
-#if defined(MBEDTLS_SSL_COOKIE_C)
            case MBEDTLS_TLS_EXT_COOKIE:
-                /*
-                 * Currently, we only support the cookies in DTLS 1.3.
-                 */
-#if !defined(MBEDTLS_SSL_PROTO_DTLS)
-                fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
-                goto cleanup;
-#else

                if( !is_hrr )
                {
-                    fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+                    fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
                    goto cleanup;
                }

@ -1251,9 +1239,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                                           ret );
                    goto cleanup;
                }
-#endif /* MBEDTLS_SSL_PROTO_DTLS */
                break;
-#endif /* MBEDTLS_SSL_COOKIE_C */

            case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
                supported_versions_ext_found = 1;
@ -1271,7 +1257,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
                MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );

-                fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+                fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
                goto cleanup;

 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@ -1279,7 +1265,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
                if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
                {
-                    fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+                    fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
                    goto cleanup;
                }

@ -1305,7 +1291,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
                    ( "unknown extension found: %u ( ignoring )",
                      extension_type ) );

-                fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
+                fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
                goto cleanup;
        }

@ -1315,19 +1301,19 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
    if( !supported_versions_ext_found )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions not found" ) );
-        fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+        fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
        goto cleanup;
    }

 cleanup:

-    if( fatal_alert & MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION )
+    if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
    {
        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
                                      MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
        ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
    }
-    else if ( fatal_alert & MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER )
+    else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
    {
        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
                                      MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );