fix various issues
- code style - variable initialize - update comments Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
parent
2185c0f2e9
commit
c5a23a0f12
3 changed files with 16 additions and 18 deletions
|
@ -1572,10 +1572,9 @@ int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||||
unsigned char **psk,
|
unsigned char **psk,
|
||||||
size_t *psk_len )
|
size_t *psk_len )
|
||||||
{
|
{
|
||||||
|
|
||||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
|
psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT;
|
||||||
psa_status_t status;
|
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
|
||||||
|
|
||||||
*psk_len = 0;
|
*psk_len = 0;
|
||||||
*psk = NULL;
|
*psk = NULL;
|
||||||
|
@ -1585,16 +1584,12 @@ int mbedtls_ssl_tls13_export_handshake_psk( mbedtls_ssl_context *ssl,
|
||||||
|
|
||||||
status = psa_get_key_attributes( ssl->handshake->psk_opaque, &key_attributes );
|
status = psa_get_key_attributes( ssl->handshake->psk_opaque, &key_attributes );
|
||||||
if( status != PSA_SUCCESS )
|
if( status != PSA_SUCCESS )
|
||||||
{
|
|
||||||
return( psa_ssl_status_to_mbedtls( status ) );
|
return( psa_ssl_status_to_mbedtls( status ) );
|
||||||
}
|
|
||||||
|
|
||||||
*psk_len = PSA_BITS_TO_BYTES( psa_get_key_bits( &key_attributes ) );
|
*psk_len = PSA_BITS_TO_BYTES( psa_get_key_bits( &key_attributes ) );
|
||||||
*psk = mbedtls_calloc( 1, *psk_len );
|
*psk = mbedtls_calloc( 1, *psk_len );
|
||||||
if( *psk == NULL )
|
if( *psk == NULL )
|
||||||
{
|
|
||||||
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
|
||||||
}
|
|
||||||
|
|
||||||
status = psa_export_key( ssl->handshake->psk_opaque,
|
status = psa_export_key( ssl->handshake->psk_opaque,
|
||||||
(uint8_t *)*psk, *psk_len, psk_len );
|
(uint8_t *)*psk, *psk_len, psk_len );
|
||||||
|
|
|
@ -47,9 +47,9 @@
|
||||||
#include "ssl_debug_helpers.h"
|
#include "ssl_debug_helpers.h"
|
||||||
|
|
||||||
|
|
||||||
static const mbedtls_ssl_ciphersuite_t *ssl_tls13_get_ciphersuite_info_by_id(
|
static const mbedtls_ssl_ciphersuite_t *ssl_tls13_validate_peer_ciphersuite(
|
||||||
mbedtls_ssl_context *ssl,
|
mbedtls_ssl_context *ssl,
|
||||||
uint16_t cipher_suite )
|
unsigned int cipher_suite )
|
||||||
{
|
{
|
||||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||||
if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
|
if( ! mbedtls_ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) )
|
||||||
|
@ -235,8 +235,8 @@ static int ssl_tls13_select_ciphersuite_for_psk(
|
||||||
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
|
||||||
|
|
||||||
cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
|
cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
|
||||||
ciphersuite_info = ssl_tls13_get_ciphersuite_info_by_id(
|
ciphersuite_info = ssl_tls13_validate_peer_ciphersuite( ssl,
|
||||||
ssl,cipher_suite );
|
cipher_suite );
|
||||||
if( ciphersuite_info == NULL )
|
if( ciphersuite_info == NULL )
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
|
@ -416,9 +416,10 @@ static int ssl_tls13_parse_pre_shared_key_ext( mbedtls_ssl_context *ssl,
|
||||||
mbedtls_psa_translate_md( ciphersuite_info->mac ) );
|
mbedtls_psa_translate_md( ciphersuite_info->mac ) );
|
||||||
if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
|
if( ret != SSL_TLS1_3_OFFERED_PSK_MATCH )
|
||||||
{
|
{
|
||||||
/* For the security rationale, handshake should be abort when binder
|
/* For security reasons, the handshake should be aborted when we
|
||||||
* value mismatch. See RFC 8446 section 4.2.11.2 and appendix E.6. */
|
* fail to validate a binder value. See RFC 8446 section 4.2.11.2
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Binder is not matched." ) );
|
* and appendix E.6. */
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Invalid binder." ) );
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1,
|
MBEDTLS_SSL_DEBUG_RET( 1,
|
||||||
"ssl_tls13_offered_psks_check_binder_match" , ret );
|
"ssl_tls13_offered_psks_check_binder_match" , ret );
|
||||||
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
MBEDTLS_SSL_PEND_FATAL_ALERT(
|
||||||
|
@ -1176,7 +1177,7 @@ static int ssl_tls13_parse_client_hello( mbedtls_ssl_context *ssl,
|
||||||
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
|
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, cipher_suites_end, 2 );
|
||||||
|
|
||||||
cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
|
cipher_suite = MBEDTLS_GET_UINT16_BE( p, 0 );
|
||||||
ciphersuite_info = ssl_tls13_get_ciphersuite_info_by_id(
|
ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
|
||||||
ssl,cipher_suite );
|
ssl,cipher_suite );
|
||||||
if( ciphersuite_info == NULL )
|
if( ciphersuite_info == NULL )
|
||||||
continue;
|
continue;
|
||||||
|
|
|
@ -1860,10 +1860,12 @@ int main( int argc, char *argv[] )
|
||||||
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
|
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
|
||||||
else if( strcmp( q, "all" ) == 0 )
|
else if( strcmp( q, "all" ) == 0 )
|
||||||
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
|
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
|
||||||
/* `psk_or_ephemeral` exists in theory and is not recommended in practice.
|
/* The purpose of `psk_or_ephemeral` is to improve test coverage. That
|
||||||
* In server side, if needed extensions are received, psk or ephemeral
|
* is not recommended in practice.
|
||||||
* mode will be set. Add this mode only for test purposes to improve
|
* `psk_or_ephemeral` exists in theory, we need this mode to test if
|
||||||
* test coverage.
|
* this setting work correctly. With this key exchange setting, server
|
||||||
|
* should always perform `ephemeral` handshake. `psk` or `psk_ephermal`
|
||||||
|
* is not expected.
|
||||||
*/
|
*/
|
||||||
else if( strcmp( q, "psk_or_ephemeral" ) == 0 )
|
else if( strcmp( q, "psk_or_ephemeral" ) == 0 )
|
||||||
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK |
|
opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK |
|
||||||
|
|
Loading…
Reference in a new issue