mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2025-07-30 22:43:08 +03:00
Refine the ciphersuite and select id check for early data
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
This commit is contained in:
Xiaokang Qian
@ -1104,15 +1104,6 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
|
|||||||
}
|
}
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
if (ssl->handshake->ciphersuite_info->id !=
|
|
||||||
ssl->session_negotiate->ciphersuite) {
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG(
|
|
||||||
1, ("Invalid ciphersuite for session ticket psk."));
|
|
||||||
|
|
||||||
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
|
|
||||||
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
|
|
||||||
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
|
|
||||||
}
|
|
||||||
if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
|
if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) {
|
||||||
ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
|
ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len);
|
||||||
} else
|
} else
|
||||||
@ -1909,7 +1900,8 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
|
|||||||
goto cleanup;
|
goto cleanup;
|
||||||
}
|
}
|
||||||
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
#if defined(MBEDTLS_SSL_EARLY_DATA)
|
||||||
if (ssl->handshake->sent_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&
|
if (ssl->handshake->received_extensions &
|
||||||
|
MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&
|
||||||
ssl->handshake->selected_identity != 0) {
|
ssl->handshake->selected_identity != 0) {
|
||||||
/* RFC8446 4.2.11
|
/* RFC8446 4.2.11
|
||||||
* If the server supplies an "early_data" extension, the
|
* If the server supplies an "early_data" extension, the
|
||||||
@ -1921,6 +1913,17 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
|
|||||||
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
|
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
|
||||||
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
|
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
|
||||||
}
|
}
|
||||||
|
if (ssl->handshake->received_extensions &
|
||||||
|
MBEDTLS_SSL_EXT_MASK(EARLY_DATA) &&
|
||||||
|
ssl->handshake->ciphersuite_info->id !=
|
||||||
|
ssl->session_negotiate->ciphersuite) {
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG(
|
||||||
|
1, ("Invalid ciphersuite for session ticket psk."));
|
||||||
|
|
||||||
|
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
|
||||||
|
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
|
||||||
|
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
|
||||||
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) {
|
if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) {
|
||||||
|
|||||||
Reference in New Issue
Block a user