Increase hamming distance for session resume flag This is to prevent glitching a single bit for the resume flag.

commit: 8d09e5744c9641e53f2e0bfec12e3b204676bbf5 [log] [tgz]
author: Jarno Lamsa <jarno.lamsa@arm.com> Thu Dec 19 15:20:19 2019 +0200
committer: Jarno Lamsa <jarno.lamsa@arm.com> Thu Dec 19 17:07:35 2019 +0200
tree: d59279d2b0c5b30e1bb8089b2362a1b144d4622f
parent: 489dccd15863b5bccdc5c8517fa1a91e737c80f4 [diff]
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 08d4fd3..11c6f46 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c

@@ -868,7 +868,7 @@
      * appropriate length. Otherwise make the length 0 (for now, see next code
      * block for behaviour with tickets).
      */
-    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 ||
+    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_UNSET ||
         mbedtls_ssl_get_renego_status( ssl ) != MBEDTLS_SSL_INITIAL_HANDSHAKE ||
         ssl->session_negotiate->id_len < 16 ||
         ssl->session_negotiate->id_len > 32 )
@@ -1832,11 +1832,11 @@
         ssl->session_negotiate->id_len != n ||
         mbedtls_platform_memcmp( ssl->session_negotiate->id, buf + 35, n ) != 0 )
     {
-        ssl->handshake->resume = 0;
+        ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_UNSET;
     }
 #endif /* !MBEDTLS_SSL_NO_SESSION_RESUMPTION */
 
-    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
+    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_SET )
     {
         /* Resume a session */
         ssl->state = MBEDTLS_SSL_SERVER_CHANGE_CIPHER_SPEC;

diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index e70dd12..cd3aaf7 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c

@@ -627,7 +627,7 @@
 
     MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from ticket" ) );
 
-    ssl->handshake->resume = 1;
+    ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
 
     /* Don't send a new ticket after all, this one is OK */
     ssl->handshake->new_session_ticket = 0;
@@ -2839,19 +2839,19 @@
      * It may be already set to 1 by ssl_parse_session_ticket_ext().
      * If not, try looking up session ID in our cache.
      */
-    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 0 &&
+    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_UNSET &&
         mbedtls_ssl_get_renego_status( ssl ) == MBEDTLS_SSL_INITIAL_HANDSHAKE &&
         ssl->session_negotiate->id_len != 0 &&
         ssl->conf->f_get_cache != NULL &&
         ssl->conf->f_get_cache( ssl->conf->p_cache, ssl->session_negotiate ) == 0 )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "session successfully restored from cache" ) );
-        ssl->handshake->resume = 1;
+        ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
     }
 #endif /* !MBEDTLS_SSL_NO_SESSION_CACHE */
 
 #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
-    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == 1 )
+    if( mbedtls_ssl_handshake_get_resume( ssl->handshake ) == MBEDTLS_SSL_FI_FLAG_SET )
     {
         /*
          * Resuming a session

diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index ba63848..e8a230d 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -1825,7 +1825,7 @@
         mbedtls_ssl_handshake_get_ciphersuite( handshake );
 
 #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
-    if( handshake->resume != 0 )
+    if( handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
     {
         MBEDTLS_SSL_DEBUG_MSG( 3, ( "no premaster (session resumed)" ) );
         return( 0 );
@@ -7969,7 +7969,7 @@
      */
     if( ssl->conf->f_set_cache != NULL &&
         ssl->session->id_len != 0 &&
-        ssl->handshake->resume == 0 )
+        ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_UNSET )
     {
         if( ssl->conf->f_set_cache( ssl->conf->p_cache, ssl->session ) != 0 )
             MBEDTLS_SSL_DEBUG_MSG( 1, ( "cache did not store session" ) );
@@ -7990,10 +7990,10 @@
     }
 
 #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
-    if( ssl->handshake->resume )
+    if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
     {
         mbedtls_platform_enforce_volatile_reads();
-        if( ssl->handshake->resume )
+        if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
         {
             /* When doing session resume, no premaster or peer authentication */
             ssl->handshake->peer_authenticated = MBEDTLS_SSL_FI_FLAG_SET;
@@ -8111,7 +8111,7 @@
      * In case of session resuming, invert the client and server
      * ChangeCipherSpec messages order.
      */
-    if( ssl->handshake->resume != 0 )
+    if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
     {
 #if defined(MBEDTLS_SSL_CLI_C)
         if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) ==
@@ -8290,7 +8290,7 @@
 #endif
 
 #if !defined(MBEDTLS_SSL_NO_SESSION_RESUMPTION)
-    if( ssl->handshake->resume != 0 )
+    if( ssl->handshake->resume == MBEDTLS_SSL_FI_FLAG_SET )
     {
 #if defined(MBEDTLS_SSL_CLI_C)
         if( mbedtls_ssl_conf_get_endpoint( ssl->conf ) == MBEDTLS_SSL_IS_CLIENT )
@@ -9019,7 +9019,7 @@
                                           session ) ) != 0 )
         return( ret );
 
-    ssl->handshake->resume = 1;
+    ssl->handshake->resume = MBEDTLS_SSL_FI_FLAG_SET;
 
     return( 0 );
 }
commit	8d09e5744c9641e53f2e0bfec12e3b204676bbf5	[log] [tgz]
author	Jarno Lamsa <jarno.lamsa@arm.com>	Thu Dec 19 15:20:19 2019 +0200
committer	Jarno Lamsa <jarno.lamsa@arm.com>	Thu Dec 19 17:07:35 2019 +0200
tree	d59279d2b0c5b30e1bb8089b2362a1b144d4622f
parent	489dccd15863b5bccdc5c8517fa1a91e737c80f4 [diff]