fix various issues

- Signature of - mbedtls_tls13_set_hs_sent_ext_mask - check_received_extension and issues - Also fix comment issue. - improve readablity. Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-10-29 09:08:47 +08:00 · 2022-10-29 09:08:47 +08:00 · c4bf5d658e
commit c4bf5d658e
parent 03112ae022
6 changed files with 84 additions and 94 deletions
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@ -398,6 +398,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
    size_t certificate_list_len = 0;
    const unsigned char *p = buf;
    const unsigned char *certificate_list_end;
+    mbedtls_ssl_handshake_params *handshake = ssl->handshake;

    MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 4 );
    certificate_request_context_len = p[0];
@ -507,7 +508,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
        MBEDTLS_SSL_CHK_BUF_READ_PTR( p, certificate_list_end, extensions_len );

        extensions_end = p + extensions_len;
-        ssl->handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;
+        handshake->received_extensions = MBEDTLS_SSL_EXT_NONE;

        while( p < extensions_end )
        {
@ -527,9 +528,9 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,

            MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );

-            ret = mbedtls_tls13_check_received_extensions(
-                  ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
-                  MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
+            ret = mbedtls_ssl_tls13_check_received_extension(
+                      ssl, MBEDTLS_SSL_HS_CERTIFICATE, extension_type,
+                      MBEDTLS_SSL_TLS1_3_ALLOWED_EXTS_OF_CT );
            if( ret != 0 )
                return( ret );

@ -547,7 +548,7 @@ int mbedtls_ssl_tls13_parse_certificate( mbedtls_ssl_context *ssl,
        }

        MBEDTLS_SSL_TLS1_3_PRINT_EXTS(
-            3, MBEDTLS_SSL_HS_CERTIFICATE, ssl->handshake->received_extensions );
+            3, MBEDTLS_SSL_HS_CERTIFICATE, handshake->received_extensions );
    }

 exit:
@ -555,7 +556,7 @@ exit:
    if( p != end )
    {
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad Certificate message" ) );
-        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR, \
+        MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
                                      MBEDTLS_ERR_SSL_DECODE_ERROR );
        return( MBEDTLS_ERR_SSL_DECODE_ERROR );
    }
@ -1759,43 +1760,46 @@ void mbedtls_ssl_tls13_print_extensions( const mbedtls_ssl_context *ssl,
 *
 */

-int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
-                                             int hs_msg_type,
-                                             uint32_t extension_type,
-                                             uint32_t allowed_mask )
+int mbedtls_ssl_tls13_check_received_extension(
+        mbedtls_ssl_context *ssl,
+        int hs_msg_type,
+        unsigned int received_extension_type,
+        uint32_t hs_msg_allowed_extensions_mask )
 {
-    uint32_t extension_mask;
-
 #if defined(MBEDTLS_DEBUG_C)
    const char *hs_msg_name = ssl_tls13_get_hs_msg_name( hs_msg_type );
 #endif
-
-    extension_mask = mbedtls_tls13_get_extension_mask( extension_type );
+    uint32_t extension_mask = mbedtls_tls13_get_extension_mask( received_extension_type );

    MBEDTLS_SSL_DEBUG_MSG( 3,
                ( "%s : received %s(%x) extension",
                  hs_msg_name,
-                  mbedtls_tls13_get_extension_name( extension_type ),
-                  (unsigned int)extension_type ) );
+                  mbedtls_tls13_get_extension_name( received_extension_type ),
+                  (unsigned int)received_extension_type ) );

-    if( ( extension_mask & allowed_mask ) == 0 )
+    if( ( extension_mask & hs_msg_allowed_extensions_mask ) == 0 )
    {
        MBEDTLS_SSL_DEBUG_MSG(
            3, ( "%s : forbidden extension received.", hs_msg_name ) );
        MBEDTLS_SSL_PEND_FATAL_ALERT(
            MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
-            MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-        return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+            MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
+        return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
    }

    ssl->handshake->received_extensions |= extension_mask;
+    /*
+     * If it is a message containing extension responses, check that we
+     * previously sent the extension.
+     */
    switch( hs_msg_type )
    {
        case MBEDTLS_SSL_HS_SERVER_HELLO:
        case -MBEDTLS_SSL_HS_SERVER_HELLO: // HRR does not have IANA value.
        case MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS:
        case MBEDTLS_SSL_HS_CERTIFICATE:
-            if( ( ~ssl->handshake->sent_extensions & extension_mask ) == 0 )
+            /* Check if the received extension is sent by peer message.*/
+            if( ( ssl->handshake->sent_extensions & extension_mask ) != 0 )
                return( 0 );
            break;
        default:
@ -1803,11 +1807,11 @@ int mbedtls_tls13_check_received_extensions( mbedtls_ssl_context *ssl,
    }

    MBEDTLS_SSL_DEBUG_MSG(
-            3, ( "%s : forbidden extension received.", hs_msg_name ) );
+            3, ( "%s : unexpected extension received.", hs_msg_name ) );
    MBEDTLS_SSL_PEND_FATAL_ALERT(
        MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
-        MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
-    return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
+        MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
+    return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
 }

 #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */