summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNikos Mavrogiannopoulos <nmav@redhat.com>2018-04-23 15:11:28 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2018-04-30 08:58:29 +0200
commitee41e4df74c6ce03d077973f43d8cb2489e4fa39 (patch)
tree1afc6ffe404c5c591cda6623bd9edcce5d7fbb1d
parent790cb112552bef3c366e55b7eaf956566231ea96 (diff)
downloadgnutls-ee41e4df74c6ce03d077973f43d8cb2489e4fa39.tar.gz
psk: mark psk_ke_modes as invalid when ignored
TLS1.3 handles the receiving of pre-shared keys extension as invalid when the psk_ke_modes extension is not received as well. As such, when we ignore the psk_ke_modes for some reason (e.g., no credentials) we need to indicate that it was received. We use the invalid mode flag for that reason, allowing the handshake to fail later for the right reason (e.g., no credentials error rather than illegal extension). Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat
-rw-r--r--lib/ext/psk_ke_modes.c15
1 files changed, 11 insertions, 4 deletions
diff --git a/lib/ext/psk_ke_modes.c b/lib/ext/psk_ke_modes.c
index afcbcb8ce1..872fec9fa3 100644
--- a/lib/ext/psk_ke_modes.c
+++ b/lib/ext/psk_ke_modes.c
@@ -112,12 +112,19 @@ psk_ke_modes_recv_params(gnutls_session_t session,
if (session->security_parameters.entity == GNUTLS_CLIENT)
return gnutls_assert_val(GNUTLS_E_RECEIVED_ILLEGAL_EXTENSION);
- if (!vers || !vers->tls13_sem)
- return 0;
+ /* we set hsk_flags to HSK_PSK_KE_MODE_INVALID on failure to ensure that
+ * when we parse the pre-shared key extension we detect PSK_KE_MODES as
+ * received. */
+ if (!vers || !vers->tls13_sem) {
+ session->internals.hsk_flags |= HSK_PSK_KE_MODE_INVALID;
+ return gnutls_assert_val(0);
+ }
cred = (gnutls_psk_server_credentials_t)_gnutls_get_cred(session, GNUTLS_CRD_PSK);
- if (cred == NULL)
- return 0;
+ if (cred == NULL) {
+ session->internals.hsk_flags |= HSK_PSK_KE_MODE_INVALID;
+ return gnutls_assert_val(0);
+ }
DECR_LEN(len, 1);
ke_modes_len = *(data++);
View Lorry Controller Status