mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-03-03 19:13:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Improve some debug messages and error codes

Browse Source 
On a parsing error in TLS, return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, not a
crypto error code.

On error paths, emit a level-1 debug message. Report the offending sizes.

Downgrade an informational message's level to 3.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine 2023-10-02 15:37:23 +02:00
parent 6dd5b9a60c
commit 530c423ad2
2 changed files with 15 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
library/ssl_tls12_server.c
View File

@ -3718,25 +3718,31 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl)
psa_status_t status = PSA_ERROR_GENERIC_ERROR; psa_status_t status = PSA_ERROR_GENERIC_ERROR;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
MBEDTLS_SSL_DEBUG_MSG(1, ("Read the peer's public key.")); MBEDTLS_SSL_DEBUG_MSG(3, ("Read the peer's public key."));
/* /*
* We must have at least two bytes (1 for length, at least 1 for data) * We must have at least two bytes (1 for length, at least 1 for data)
*/ */
if (buf_len < 2) { if (buf_len < 2) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length")); MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid buffer length: %" MBEDTLS_PRINTF_SIZET,
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; buf_len));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
if (data_len < 1 || data_len > buf_len) { if (data_len < 1 || data_len > buf_len) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length: %" MBEDTLS_PRINTF_SIZET
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; " > %" MBEDTLS_PRINTF_SIZET,
data_len, buf_len));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
/* Store peer's ECDH public key. */ /* Store peer's ECDH public key. */
MBEDTLS_SSL_DEBUG_MSG(3, ("data_len=%zu sizeof(handshake->xxdh_psa_peerkey)=%zu", data_len, sizeof(handshake->xxdh_psa_peerkey))); MBEDTLS_SSL_DEBUG_MSG(3, ("data_len=%zu sizeof(handshake->xxdh_psa_peerkey)=%zu", data_len, sizeof(handshake->xxdh_psa_peerkey)));
if (data_len > sizeof(handshake->xxdh_psa_peerkey)) { if (data_len > sizeof(handshake->xxdh_psa_peerkey)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid data length")); MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %" MBEDTLS_PRINTF_SIZET
" > %" MBEDTLS_PRINTF_SIZET,
data_len,
sizeof(handshake->xxdh_psa_peerkey)));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
memcpy(handshake->xxdh_psa_peerkey, p, data_len); memcpy(handshake->xxdh_psa_peerkey, p, data_len);

3
library/ssl_tls13_generic.c
View File

@ -1518,6 +1518,9 @@ int mbedtls_ssl_tls13_read_public_xxdhe_share(mbedtls_ssl_context *ssl,
/* Store peer's ECDH/FFDH public key. */ /* Store peer's ECDH/FFDH public key. */
if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) { if (peerkey_len > sizeof(handshake->xxdh_psa_peerkey)) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid public key length: %u > %" MBEDTLS_PRINTF_SIZET,
(unsigned) peerkey_len,
sizeof(handshake->xxdh_psa_peerkey)));
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
} }
memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len); memcpy(handshake->xxdh_psa_peerkey, p, peerkey_len);