mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

tls13: cli: Enforce maximum size of early data

Browse Source 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2024-02-23 08:24:12 +01:00
parent a4f0a71a01
commit 62f971aa60
1 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
library/ssl_msg.c
View File

@ -6065,6 +6065,7 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const struct mbedtls_ssl_config *conf; const struct mbedtls_ssl_config *conf;
int written_data_len = 0; int written_data_len = 0;
uint32_t remaining;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write early_data")); MBEDTLS_SSL_DEBUG_MSG(2, ("=> write early_data"));
@ -6114,18 +6115,27 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
return ret; return ret;
} }
} }
remaining = ssl->session_negotiate->max_early_data_size;
} else { } else {
/* /*
* If we are past the point where we can send early data, return * If we are past the point where we can send early data or we have
* immediatly. Otherwise, progress the handshake as much as possible to * already reached the maximum early data size, return immediatly.
* not delay it too much. If we reach a point where we can still send * Otherwise, progress the handshake as much as possible to not delay
* early data, then we will send some. * it too much. If we reach a point where we can still send early data,
* then we will send some.
*/ */
if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) && if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) &&
(ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) {
return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
} }
remaining = ssl->session_negotiate->max_early_data_size -
ssl->early_data_count;
if (remaining == 0) {
return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
}
ret = mbedtls_ssl_handshake(ssl); ret = mbedtls_ssl_handshake(ssl);
if ((ret != 0) && (ret != MBEDTLS_ERR_SSL_WANT_READ)) { if ((ret != 0) && (ret != MBEDTLS_ERR_SSL_WANT_READ)) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret); MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_handshake", ret);
@ -6133,12 +6143,18 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl,
} }
} }
if ((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) && if (((ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_CAN_WRITE) &&
(ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED)) { (ssl->early_data_status != MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED))
|| (remaining == 0)) {
return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA; return MBEDTLS_ERR_SSL_CANNOT_WRITE_EARLY_DATA;
} }
if (len > remaining) {
len = remaining;
}
written_data_len = ssl_write_real(ssl, buf, len); written_data_len = ssl_write_real(ssl, buf, len);
ssl->early_data_count += written_data_len;
MBEDTLS_SSL_DEBUG_MSG(2, ("<= write early_data, len=%d", written_data_len)); MBEDTLS_SSL_DEBUG_MSG(2, ("<= write early_data, len=%d", written_data_len));