Pend a illeagal allert when selected_identity isn't 0
Handshake should abort will illeagal parameter allert when
receiving early data extentions but the selected_identity
parsed from pre-share key isn't equal to 0.
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 7a0f6b8..a9ce4ed 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1093,6 +1093,7 @@
MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2);
selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0);
+ ssl->handshake->selected_identity = (uint16_t) selected_identity;
MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity));
@@ -2096,6 +2097,18 @@
MBEDTLS_ERR_SSL_DECODE_ERROR);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
+ if (ssl->handshake->selected_identity != 0) {
+ /* RFC8446 4.2.11
+ * If the server supplies an "early_data" extension, the
+ * client MUST verify that the server's selected_identity
+ * is 0. If any other value is returned, the client MUST
+ * abort the handshake with an "illegal_parameter" alert.
+ */
+ MBEDTLS_SSL_PEND_FATAL_ALERT(
+ MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
+ MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
+ return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
+ }
break;
#endif /* MBEDTLS_SSL_EARLY_DATA */