eden-emu/mbedtls
19
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tls13: guards transform negotiate

Browse source 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This commit is contained in:
Jerry Yu 2022-12-01 18:57:19 +08:00
parent a6ca882943
commit 2e19981e17
3 changed files with 34 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

2
include/mbedtls/ssl.h
View file

@ -1656,9 +1656,11 @@ struct mbedtls_ssl_context
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform); /*!< negotiated transform params
* This pointer owns the transform * This pointer owns the transform
* it references. */ * it references. */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation mbedtls_ssl_transform *MBEDTLS_PRIVATE(transform_negotiate); /*!< transform params in negotiation
* This pointer owns the transform * This pointer owns the transform
* it references. */ * it references. */
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
/*! The application data transform in TLS 1.3. /*! The application data transform in TLS 1.3.

3
library/ssl_msg.c
View file

@ -5097,9 +5097,12 @@ int mbedtls_ssl_parse_change_cipher_spec( mbedtls_ssl_context *ssl )
* data. * data.
*/ */
MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "switching to new transform spec for inbound data" ) );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
ssl->transform_in = ssl->transform_negotiate; ssl->transform_in = ssl->transform_negotiate;
#endif
ssl->session_in = ssl->session_negotiate; ssl->session_in = ssl->session_negotiate;
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM ) if( ssl->conf->transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM )
{ {

40
library/ssl_tls.c
View file

@ -965,13 +965,16 @@ MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handshake_init( mbedtls_ssl_context *ssl ) static int ssl_handshake_init( mbedtls_ssl_context *ssl )
{ {
/* Clear old handshake information if present */ /* Clear old handshake information if present */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->transform_negotiate ) if( ssl->transform_negotiate )
mbedtls_ssl_transform_free( ssl->transform_negotiate ); mbedtls_ssl_transform_free( ssl->transform_negotiate );
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
if( ssl->session_negotiate ) if( ssl->session_negotiate )
mbedtls_ssl_session_free( ssl->session_negotiate ); mbedtls_ssl_session_free( ssl->session_negotiate );
if( ssl->handshake ) if( ssl->handshake )
mbedtls_ssl_handshake_free( ssl ); mbedtls_ssl_handshake_free( ssl );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* /*
* Either the pointers are now NULL or cleared properly and can be freed. * Either the pointers are now NULL or cleared properly and can be freed.
* Now allocate missing structures. * Now allocate missing structures.
@ -980,6 +983,7 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
{ {
ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) ); ssl->transform_negotiate = mbedtls_calloc( 1, sizeof(mbedtls_ssl_transform) );
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
if( ssl->session_negotiate == NULL ) if( ssl->session_negotiate == NULL )
{ {
@ -998,18 +1002,23 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
#endif #endif
/* All pointers should exist and can be directly freed without issue */ /* All pointers should exist and can be directly freed without issue */
if( ssl->handshake == NULL || if( ssl->handshake == NULL ||
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
ssl->transform_negotiate == NULL || ssl->transform_negotiate == NULL ||
ssl->session_negotiate == NULL ) #endif
ssl->session_negotiate == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "alloc() of ssl sub-contexts failed" ) );
mbedtls_free( ssl->handshake ); mbedtls_free( ssl->handshake );
mbedtls_free( ssl->transform_negotiate );
mbedtls_free( ssl->session_negotiate );
ssl->handshake = NULL; ssl->handshake = NULL;
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_free( ssl->transform_negotiate );
ssl->transform_negotiate = NULL; ssl->transform_negotiate = NULL;
#endif
mbedtls_free( ssl->session_negotiate );
ssl->session_negotiate = NULL; ssl->session_negotiate = NULL;
return( MBEDTLS_ERR_SSL_ALLOC_FAILED ); return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
@ -1017,9 +1026,12 @@ static int ssl_handshake_init( mbedtls_ssl_context *ssl )
/* Initialize structures */ /* Initialize structures */
mbedtls_ssl_session_init( ssl->session_negotiate ); mbedtls_ssl_session_init( ssl->session_negotiate );
mbedtls_ssl_transform_init( ssl->transform_negotiate );
ssl_handshake_params_init( ssl->handshake ); ssl_handshake_params_init( ssl->handshake );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_transform_init( ssl->transform_negotiate );
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SRV_C) && \ defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) defined(MBEDTLS_SSL_SESSION_TICKETS)
@ -3975,7 +3987,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &handshake->fin_sha256_psa ); psa_hash_abort( &handshake->fin_sha256_psa );
#else #else
mbedtls_sha256_free( &handshake->fin_sha256 ); mbedtls_sha256_free( &handshake->fin_sha256 );
#endif #endif
#endif #endif
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA) #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
@ -4512,10 +4524,12 @@ static int ssl_context_load( mbedtls_ssl_context *ssl,
/* This has been allocated by ssl_handshake_init(), called by /* This has been allocated by ssl_handshake_init(), called by
* by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */ * by either mbedtls_ssl_session_reset_int() or mbedtls_ssl_setup(). */
ssl->transform = ssl->transform_negotiate; #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
ssl->transform = ssl->transform_negotiate;
ssl->transform_in = ssl->transform; ssl->transform_in = ssl->transform;
ssl->transform_out = ssl->transform; ssl->transform_out = ssl->transform;
ssl->transform_negotiate = NULL; ssl->transform_negotiate = NULL;
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
prf_func = ssl_tls12prf_from_cs( ssl->session->ciphersuite ); prf_func = ssl_tls12prf_from_cs( ssl->session->ciphersuite );
@ -4748,14 +4762,18 @@ void mbedtls_ssl_free( mbedtls_ssl_context *ssl )
mbedtls_free( ssl->transform ); mbedtls_free( ssl->transform );
} }
if( ssl->handshake ) if( ssl->handshake )
{ {
mbedtls_ssl_handshake_free( ssl ); mbedtls_ssl_handshake_free( ssl );
mbedtls_ssl_transform_free( ssl->transform_negotiate );
mbedtls_ssl_session_free( ssl->session_negotiate );
mbedtls_free( ssl->handshake ); mbedtls_free( ssl->handshake );
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
mbedtls_ssl_transform_free( ssl->transform_negotiate );
mbedtls_free( ssl->transform_negotiate ); mbedtls_free( ssl->transform_negotiate );
#endif
mbedtls_ssl_session_free( ssl->session_negotiate );
mbedtls_free( ssl->session_negotiate ); mbedtls_free( ssl->session_negotiate );
} }