tls13: srv: Postpone cipher suite selection

Postpone TLS 1.3 cipher suite selection
when we are sure we negotiate the version
1.3 of the protocol.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2023-03-07 10:07:32 +01:00
parent cada410365
commit 2f16b4ec66

View file

@ -1245,6 +1245,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
size_t legacy_session_id_len;
const unsigned char *legacy_session_id;
size_t cipher_suites_len;
const unsigned char *cipher_suites;
const unsigned char *cipher_suites_end;
size_t extensions_len;
const unsigned char *extensions_end;
@ -1252,7 +1253,6 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
int hrr_required = 0;
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
const unsigned char *cipher_suites;
const unsigned char *pre_shared_key_ext = NULL;
const unsigned char *pre_shared_key_ext_end = NULL;
#endif
@ -1316,8 +1316,15 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, legacy_session_id_len + 2);
p += legacy_session_id_len;
/* ...
* CipherSuite cipher_suites<2..2^16-2>;
* ...
* with CipherSuite defined as:
* uint8 CipherSuite[2];
*/
cipher_suites_len = MBEDTLS_GET_UINT16_BE(p, 0);
p += 2;
cipher_suites = p;
/*
* The length of the ciphersuite list has to be even.
@ -1336,19 +1343,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
* extensions_len 2 bytes
*/
MBEDTLS_SSL_CHK_BUF_READ_PTR(p, end, cipher_suites_len + 2 + 2);
/* ...
* CipherSuite cipher_suites<2..2^16-2>;
* ...
* with CipherSuite defined as:
* uint8 CipherSuite[2];
*/
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
cipher_suites = p;
#endif
cipher_suites_end = p + cipher_suites_len;
MBEDTLS_SSL_DEBUG_BUF(3, "client hello, ciphersuitelist",
p, cipher_suites_len);
/*
* Only support TLS 1.3 currently, temporarily set the version.
@ -1364,7 +1359,7 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
/*
* We are negotiation the version 1.3 of the protocol. Do what we have
* postponed: copy of the client random bytes, copy of the legacy session
* identifier.
* identifier and selection of the TLS 1.3 cipher suite.
*/
MBEDTLS_SSL_DEBUG_BUF(3, "client hello, random bytes",
random, MBEDTLS_CLIENT_HELLO_RANDOM_LEN);
@ -1383,7 +1378,9 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
/*
* Search for a matching ciphersuite
*/
for (; p < cipher_suites_end; p += 2) {
MBEDTLS_SSL_DEBUG_BUF(3, "client hello, list of cipher suites",
cipher_suites, cipher_suites_len);
for (p = cipher_suites; p < cipher_suites_end; p += 2) {
uint16_t cipher_suite;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@ -1441,7 +1438,6 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
extensions_end = p + extensions_len;
MBEDTLS_SSL_DEBUG_BUF(3, "client hello extensions", p, extensions_len);
handshake->received_extensions = MBEDTLS_SSL_EXT_MASK_NONE;
while (p < extensions_end) {