Regarding the possibility of selecting a
key exchange mode, the check of the ticket
flags is now separated from the check of
the ClientHello content and server
configuration.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For PSK based key exchange modes do not check twice
anymore if they can be selected or not. Check it
only when looping over the offered PSKs to select
one.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
If we prefer ephemeral key exchange mode over
the pure PSK one, make sure the resume flag is
disabled as eventually we are not going to
resume a session even if we aimed to at some
point.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
If an identity has been determined as a
ticket identity but the ticket is not
usable, do not try to check if the
identity is that of an external
provided PSK.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Improve the values returned by
ssl_tls13_offered_psks_check_identity_match_ticket().
Distinguish between the two following cases:
1) the PSK identity is not a valid ticket identity
2) the PSK identity is a valid ticket identity but
the ticket cannot be used for session resumption.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Fix the value returned by
ssl_tls13_offered_psks_check_identity_match_ticket()
when there is no ticket parser function defined
or no time.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When building with -Og (specifically Zephyr with
CONFIG_DEBUG_OPTIMIZATIONS=y) one observes the following warning:
'shared_secret' may be used uninitialized [-Werror=maybe-uninitialized]
Fix this by zero initializing 'shared_secret' similar to the issue
addressed in commit 2fab5c960 ("Work around for GCC bug").
Signed-off-by: Moritz Fischer <moritzf@google.com>
Not all of the writes to this field are protected by a mutex.
There is no also no protection in place to stop another thread from overwriting
the current transaction
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
This way, `make lib` will work in the absence of the framework, as long as
generated files are present.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
`make -C tests libtestdriver1` copies `library/Makefile` to
`tests/libtestdriver1/library/Makefile`, where `../framework` does not point
to the framework submodule.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The endpoint and version were factorized out into the main session.
Update the session struct comment to reflect these new fields, as was
previously missed.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Describe the TLS 1.2, TLS 1.3 and full session structs in the same
place for ease of reference.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Ensure that session save and load functions are not scattered
throughout ssl_tls.c but are in the same part of the file.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Add config bits for server name indication, early data and record size
limit, which all cause the serialized session to be structured
differently.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This config option decides whether the session stores the entire
certificate or just a digest of it, but was missing from the
serialization config bitflag.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
