Fix and improve documentation, comments and logs

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-02-21 08:53:33 +01:00 · 2023-02-21 08:53:33 +01:00 · d89360b87b
commit d89360b87b
parent 675d97d42e
3 changed files with 13 additions and 4 deletions
--- a/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
+++ b/ChangeLog.d/tls13-reorder-ciphersuite-preference-list.txt
@ -1,11 +1,12 @@
 Default behavior changes
   * The default priority order of TLS 1.3 cipher suites has been modified to
     follow the same rules as the TLS 1.2 cipher suites (see
-     ssl_ciphersuites.c).
+     ssl_ciphersuites.c). The preferred cipher suite is now
+     TLS_CHACHA20_POLY1305_SHA256.

 Bugfix
-   * In the TLS 1.3 server, select the prefered client cipher suite, not the
-     least prefered. The selection error was introduced in Mbed TLS 3.3.0.
+   * In the TLS 1.3 server, select the preferred client cipher suite, not the
+     least preferred. The selection error was introduced in Mbed TLS 3.3.0.
   * Fix TLS 1.3 session resumption when the established pre-shared key is
     384 bits long. That is the length of pre-shared keys created under a
     session where the cipher suite is TLS_AES_256_GCM_SHA384.
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@ -1371,6 +1371,11 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
        uint16_t cipher_suite;
        const mbedtls_ssl_ciphersuite_t *ciphersuite_info;

+        /*
+         * "cipher_suite_end - p is even" is an invariant of the loop. As
+         * cipher_suites_end - p > 0, we have cipher_suites_end - p >= 2 and
+         * it is thus safe to read two bytes.
+         */
        cipher_suite = MBEDTLS_GET_UINT16_BE(p, 0);
        ciphersuite_info = ssl_tls13_validate_peer_ciphersuite(
            ssl, cipher_suite);
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -13237,7 +13237,7 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
-run_test    "TLS 1.3: NewSessionTicket: Basic check" \
+run_test    "TLS 1.3: NewSessionTicket: Basic check, G->m" \
            "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \
            "$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3 -V -r" \
            0 \
@ -13257,6 +13257,9 @@ requires_config_enabled MBEDTLS_DEBUG_C
 requires_all_configs_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE \
                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \
                             MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED
+# Test the session resumption when the cipher suite for the original session is
+# TLS1-3-AES-256-GCM-SHA384. In that case, the PSK is 384 bits long and not
+# 256 bits long as with all the other TLS 1.3 cipher suites.
 requires_ciphersuite_enabled TLS1-3-AES-256-GCM-SHA384
 run_test    "TLS 1.3: NewSessionTicket: Basic check with AES-256-GCM only, G->m" \
            "$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=4" \