mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-27 06:35:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Check server selected cipher suite indicating a Hash associated with the PSK

Browse Source 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
This commit is contained in:
Xiaokang Qian 2023-01-06 03:43:56 +00:00
parent 592021aceb
commit f10f474981
2 changed files with 21 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/mbedtls/ssl.h
View File

@ -1180,6 +1180,7 @@ struct mbedtls_ssl_session {
mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */
#endif #endif
int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */
int MBEDTLS_PRIVATE(res_ciphersuite); /*!< resumption ciphersuite */
size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */
unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */
unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */

20
library/ssl_tls13_client.c
View File

@ -1106,12 +1106,30 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
} }
#if defined(MBEDTLS_SSL_SESSION_TICKETS) #if defined(MBEDTLS_SSL_SESSION_TICKETS)
if (ssl->session_negotiate->res_ciphersuite !=
ssl->session_negotiate->ciphersuite) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("Invalid ciphersuite for session ticket psk."));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) { if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
} else } else
#endif #endif
if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) {
ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len); ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);
if (ssl_tls13_get_ciphersuite_hash_alg(
ssl->session_negotiate->ciphersuite) != hash_alg) {
MBEDTLS_SSL_DEBUG_MSG(
1, ("Invalid ciphersuite for external psk."));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
} else { } else {
MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR; return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
@ -1683,6 +1701,8 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info); mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info);
handshake->ciphersuite_info = ciphersuite_info; handshake->ciphersuite_info = ciphersuite_info;
ssl->session_negotiate->res_ciphersuite =
ssl->session_negotiate->ciphersuite;
ssl->session_negotiate->ciphersuite = cipher_suite; ssl->session_negotiate->ciphersuite = cipher_suite;
MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s", MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s",