Change place of ssl_tls13_check_ephemeral_key_exchange

Change-Id: Id49172f7375e2a0771ad1216fb7eead808f0db3e Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-15 09:42:45 +00:00 · 2022-06-15 09:42:45 +00:00 · 75fe8c7e54
commit 75fe8c7e54
parent fb665a8452
2 changed files with 16 additions and 12 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -8248,7 +8248,7 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,

    MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, server_name_list_len );
    server_name_list_end = p + server_name_list_len;
-    while ( p < server_name_list_end )
+    while( p < server_name_list_end )
    {
        MBEDTLS_SSL_CHK_BUF_READ_PTR( p, server_name_list_end, 3 );
        hostname_len = MBEDTLS_GET_UINT16_BE( p, 1 );
@ -8257,6 +8257,11 @@ int mbedtls_ssl_parse_server_name_ext( mbedtls_ssl_context *ssl,

        if( p[0] == MBEDTLS_TLS_EXT_SERVERNAME_HOSTNAME )
        {
+            /* sni_name is intended to be used only during the parsing of the
+             * ClientHello message (it is reset to NULL before the end of
+             * the message parsing). Thus it is ok to just point to the
+             * reception buffer and not make a copy of it.
+             */
            ssl->handshake->sni_name = p + 3;
            ssl->handshake->sni_name_len = hostname_len;
            if( ssl->conf->f_sni == NULL )
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -392,7 +392,7 @@ static int ssl_tls13_pick_key_cert( mbedtls_ssl_context *ssl )
            {
                ssl->handshake->key_cert = key_cert;
                MBEDTLS_SSL_DEBUG_CRT(
-                        3, "selected certificate chain, certificate",
+                        3, "selected certificate (chain)",
                        ssl->handshake->key_cert->cert );
                return( 0 );
            }
@ -769,10 +769,18 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
    ssl_tls13_debug_print_client_hello_exts( ssl );
 #endif /* MBEDTLS_DEBUG_C */

+    return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
+}
+
+/* Update the handshake state machine */
+
+static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
+{
+    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
    /*
     * Here we only support the ephemeral or (EC)DHE key echange mode
     */
-
    if( !ssl_tls13_check_ephemeral_key_exchange( ssl ) )
    {
        MBEDTLS_SSL_DEBUG_MSG(
@ -783,15 +791,6 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
    }

-    return( hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK );
-}
-
-/* Update the handshake state machine */
-
-static int ssl_tls13_postprocess_client_hello( mbedtls_ssl_context* ssl )
-{
-    int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
-
    /*
     * Server certificate selection
     */