Refine fatal alert in parse_server_hello

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
This commit is contained in:
XiaokangQian 2022-01-26 03:29:10 +00:00
parent d59be77ce7
commit b119a35d07

View file

@ -1052,8 +1052,6 @@ static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
* Extension extensions<6..2^16-1>; * Extension extensions<6..2^16-1>;
* } ServerHello; * } ServerHello;
*/ */
#define ALERT_UNSUPPORTED_EXTENSION_FOUND ( 1 << 0 )
#define ALERT_ILLEGAL_PARAMETER_FOUND ( 1 << 1 )
static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
const unsigned char *end, const unsigned char *end,
@ -1067,7 +1065,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
uint16_t cipher_suite; uint16_t cipher_suite;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
int supported_versions_ext_found = 0; int supported_versions_ext_found = 0;
int fatal_alert_found = 0; int fatal_alert = 0;
/* /*
* Check there is space for minimal fields * Check there is space for minimal fields
@ -1121,7 +1119,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
*/ */
if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 ) if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
{ {
fatal_alert_found |= ALERT_ILLEGAL_PARAMETER_FOUND; fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
goto cleanup; goto cleanup;
} }
@ -1145,7 +1143,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
if( ciphersuite_info == NULL || if( ciphersuite_info == NULL ||
ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 ) ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 )
{ {
ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
} }
/* /*
* If we received an HRR before and that the proposed selected * If we received an HRR before and that the proposed selected
@ -1156,14 +1154,13 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) && else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
( cipher_suite != ssl->session_negotiate->ciphersuite ) ) ( cipher_suite != ssl->session_negotiate->ciphersuite ) )
{ {
ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
} }
if( ret == MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ) if( fatal_alert == MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter", MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
cipher_suite ) ); cipher_suite ) );
fatal_alert_found |= ALERT_ILLEGAL_PARAMETER_FOUND;
goto cleanup; goto cleanup;
} }
@ -1188,7 +1185,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
if( p[0] != 0 ) if( p[0] != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
fatal_alert_found |= ALERT_ILLEGAL_PARAMETER_FOUND; fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
goto cleanup; goto cleanup;
} }
p++; p++;
@ -1232,7 +1229,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
if( !is_hrr ) if( !is_hrr )
{ {
fatal_alert_found |= ALERT_UNSUPPORTED_EXTENSION_FOUND; fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
goto cleanup; goto cleanup;
} }
@ -1264,7 +1261,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
fatal_alert_found |= ALERT_UNSUPPORTED_EXTENSION_FOUND; fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
goto cleanup; goto cleanup;
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
@ -1272,7 +1269,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{ {
fatal_alert_found |= ALERT_UNSUPPORTED_EXTENSION_FOUND; fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
goto cleanup; goto cleanup;
} }
@ -1298,7 +1295,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
( "unknown extension found: %u ( ignoring )", ( "unknown extension found: %u ( ignoring )",
extension_type ) ); extension_type ) );
fatal_alert_found |= ALERT_UNSUPPORTED_EXTENSION_FOUND; fatal_alert = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
goto cleanup; goto cleanup;
} }
@ -1308,19 +1305,19 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
if( !supported_versions_ext_found ) if( !supported_versions_ext_found )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions not found" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions not found" ) );
fatal_alert_found |= ALERT_ILLEGAL_PARAMETER_FOUND; fatal_alert = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
goto cleanup; goto cleanup;
} }
cleanup: cleanup:
if( fatal_alert_found & ALERT_UNSUPPORTED_EXTENSION_FOUND ) if( fatal_alert & MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION )
{ {
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION ); MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
} }
else if ( fatal_alert_found & ALERT_ILLEGAL_PARAMETER_FOUND ) else if ( fatal_alert & MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER )
{ {
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );