lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-05 19:35:48 +03:00
Code Activity

Call psa_crypto_init in the library when required for TLS 1.3

Browse Source 
For backward compatibility with Mbed TLS <=3.5.x, applications must be able
to make a TLS connection with a peer that supports both TLS 1.2 and TLS 1.3,
regardless of whether they call psa_crypto_init(). Since Mbed TLS 3.6.0,
we enable TLS 1.3 in the default configuration, so we must take care of
calling psa_crypto_init() if needed. This is a change from TLS 1.3 in
previous versions, where enabling MBEDTLS_SSL_PROTO_TLS1_3 was a user
choice and could have additional requirement.

This commit makes the library call psa_crypto_init() when it needs PSA
crypto in a situation where the application might not have called it,
namely, when starting a TLS 1.3 connection.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit is contained in:
Gilles Peskine
2024-08-23 21:55:24 +02:00
parent cd4da16eea
commit 069bccdf78
5 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
library/ssl_tls13_server.c
View File

@@ -1948,6 +1948,11 @@ static int ssl_tls13_process_client_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse client hello"));
ret = mbedtls_ssl_tls13_crypto_init(ssl);
if (ret != 0) {
return ret;
}
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
&buf, &buflen));