Add server name check when proposeing pre-share key
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 1b59125..bd9edf1 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -54,6 +54,7 @@
{
unsigned char *p = buf;
size_t hostname_len;
+ size_t cmp_hostname_len;
*olen = 0;
@@ -64,8 +65,25 @@
( "client hello, adding server name extension: %s",
ssl->hostname ) );
+ ssl->session_negotiate->hostname_mismatch = 0;
hostname_len = strlen( ssl->hostname );
+ cmp_hostname_len = hostname_len < ssl->session_negotiate->hostname_len ?
+ hostname_len : ssl->session_negotiate->hostname_len;
+
+ if( hostname_len != ssl->session_negotiate->hostname_len ||
+ memcmp( ssl->hostname, ssl->session_negotiate->hostname, cmp_hostname_len ) )
+ ssl->session_negotiate->hostname_mismatch = 1;
+
+ if( ssl->session_negotiate->hostname == NULL )
+ {
+ ssl->session_negotiate->hostname = mbedtls_calloc( 1, hostname_len );
+ if( ssl->session_negotiate->hostname == NULL )
+ return MBEDTLS_ERR_SSL_ALLOC_FAILED;
+ memcpy(ssl->session_negotiate->hostname, ssl->hostname, hostname_len);
+ }
+ ssl->session_negotiate->hostname_len = hostname_len;
+
MBEDTLS_SSL_CHK_BUF_PTR( p, end, hostname_len + 9 );
/*
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 9741a6e..9238761 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -297,6 +297,18 @@
}
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_CLI_C */
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( src->hostname != NULL )
+ {
+ dst->hostname = mbedtls_calloc( 1, src->hostname_len + 1 );
+ if( dst->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+
+ memcpy( dst->hostname, src->hostname, src->hostname_len );
+ dst->hostname[src->hostname_len] = '\0';
+ }
+#endif
+
return( 0 );
}
@@ -1978,6 +1990,11 @@
#if defined(MBEDTLS_SSL_CLI_C)
if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ needed += 1 /* hostname_len */
+ + session->hostname_len; /* hostname */
+#endif
+
needed += 4 /* ticket_lifetime */
+ 2; /* ticket_len */
@@ -2004,6 +2021,19 @@
memcpy( p, session->resumption_key, session->resumption_key_len );
p += session->resumption_key_len;
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
+ if( session->endpoint == MBEDTLS_SSL_IS_CLIENT &&
+ session->hostname_len != 0 &&
+ session->hostname != NULL )
+ {
+ /* save host name */
+ p[0] = session->hostname_len;
+ p++;
+ memcpy( p, session->hostname, session->hostname_len );
+ p += session->hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
+
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if( session->endpoint == MBEDTLS_SSL_IS_SERVER )
{
@@ -2062,6 +2092,22 @@
memcpy( session->resumption_key, p, session->resumption_key_len );
p += session->resumption_key_len;
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_SSL_CLI_C)
+ if( session->endpoint == MBEDTLS_SSL_IS_CLIENT )
+ {
+ /* load host name */
+ session->hostname_len = p[0];
+ p += 1;
+ if( end - p < session->hostname_len )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+ session->hostname = mbedtls_calloc( 1, session->hostname_len );
+ if( session->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ memcpy( session->hostname, p, session->hostname_len );
+ p += session->hostname_len;
+ }
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION && MBEDTLS_SSL_CLI_C */
+
#if defined(MBEDTLS_HAVE_TIME) && defined(MBEDTLS_SSL_SRV_C)
if( session->endpoint == MBEDTLS_SSL_IS_SERVER )
{
@@ -2430,6 +2476,39 @@
return( 0 );
}
+
+int mbedtls_ssl_reset_hostname( mbedtls_ssl_context *ssl,
+ const char *hostname,
+ const char *rec_hostname )
+{
+ /* Initialize to suppress unnecessary compiler warning */
+ size_t rec_hostname_len = 0;
+
+ if( hostname == NULL || rec_hostname == NULL )
+ return( 0 );
+
+ rec_hostname_len = strlen( rec_hostname );
+ if( rec_hostname_len > MBEDTLS_SSL_MAX_HOST_NAME_LEN )
+ return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
+ if( rec_hostname_len == strlen( hostname ) &&
+ memcmp( hostname, rec_hostname, rec_hostname_len ) == 0 )
+ return( 0 );
+
+ if( ssl->hostname != NULL )
+ {
+ mbedtls_platform_zeroize( ssl->hostname, strlen( ssl->hostname ) );
+ mbedtls_free( ssl->hostname );
+ ssl->hostname = NULL;
+ ssl->hostname = mbedtls_calloc( 1, rec_hostname_len + 1 );
+ if( ssl->hostname == NULL )
+ return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
+ memcpy( ssl->hostname, rec_hostname, rec_hostname_len );
+ ssl->hostname[rec_hostname_len] = '\0';
+ }
+
+ return( 0 );
+}
#endif /* MBEDTLS_X509_CRT_PARSE_C */
#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
@@ -3679,6 +3758,10 @@
mbedtls_free( session->ticket );
#endif
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ mbedtls_free( session->hostname );
+#endif
+
mbedtls_platform_zeroize( session, sizeof( mbedtls_ssl_session ) );
}
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 61a1bad..60b1e05 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -235,6 +235,20 @@
(int)age_diff_in_ms ) );
goto exit;
}
+#if 0
+#if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
+ if( ssl->session_negotiate->hostname != NULL &&
+ ssl->session_negotiate->hostname_len != 0 &&
+ memcmp( ssl->session_negotiate->hostname,
+ ssl->session->hostname, ssl->session->hostname_len ) != 0 )
+ {
+ MBEDTLS_SSL_DEBUG_MSG(
+ 3, ( "Session hostname not matched with stored session ticket" ) );
+ goto exit;
+ }
+
+#endif /* MBEDTLS_SSL_SERVER_NAME_INDICATION */
+#endif
ret = 0;