diff options
Diffstat (limited to 'lib/ext/pre_shared_key.c')
-rw-r--r-- | lib/ext/pre_shared_key.c | 46 |
1 files changed, 29 insertions, 17 deletions
diff --git a/lib/ext/pre_shared_key.c b/lib/ext/pre_shared_key.c index f3bd9c5973..35ec94fe4a 100644 --- a/lib/ext/pre_shared_key.c +++ b/lib/ext/pre_shared_key.c @@ -469,10 +469,11 @@ static int server_recv_params(gnutls_session_t session, const mac_entry_st *prf; gnutls_datum_t full_client_hello; uint8_t binder_value[MAX_HASH_SIZE]; - int psk_index; + uint16_t psk_index, i; gnutls_datum_t binder_recvd = { NULL, 0 }; gnutls_datum_t key = {NULL, 0}; psk_ext_parser_st psk_parser; + psk_ext_iter_st psk_iter; struct psk_st psk; psk_auth_info_t info; tls13_ticket_t ticket_data; @@ -481,12 +482,22 @@ static int server_recv_params(gnutls_session_t session, ret = _gnutls13_psk_ext_parser_init(&psk_parser, data, len); if (ret < 0) { - if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) /* No PSKs advertised by client */ + /* No PSKs advertised by client */ + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) return 0; return gnutls_assert_val(ret); } - while ((psk_index = _gnutls13_psk_ext_parser_next_psk(&psk_parser, &psk)) >= 0) { + _gnutls13_psk_ext_iter_init(&psk_iter, &psk_parser); + for (psk_index = 0; ; psk_index++) { + ret = _gnutls13_psk_ext_iter_next_identity(&psk_iter, &psk); + if (ret < 0) { + /* We couldn't find any usable PSK */ + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + return 0; + return gnutls_assert_val(ret); + } + /* This will unpack the session ticket if it is well * formed and has the expected name */ if (!(session->internals.flags & GNUTLS_NO_TICKETS) && @@ -498,17 +509,20 @@ static int server_recv_params(gnutls_session_t session, /* Check whether ticket is stale or not */ ticket_age = psk.ob_ticket_age - ticket_data.age_add; if (ticket_age < 0) { + gnutls_assert(); tls13_ticket_deinit(&ticket_data); continue; } if ((unsigned int) (ticket_age / 1000) > ticket_data.lifetime) { + gnutls_assert(); tls13_ticket_deinit(&ticket_data); continue; } ret = compute_psk_from_ticket(&ticket_data, &key); if (ret < 0) { + gnutls_assert(); tls13_ticket_deinit(&ticket_data); continue; } @@ -539,14 +553,16 @@ static int server_recv_params(gnutls_session_t session, } } - if (psk_index < 0) - return 0; - - ret = _gnutls13_psk_ext_parser_find_binder(&psk_parser, psk_index, - &binder_recvd); - if (ret < 0) { - gnutls_assert(); - goto fail; + _gnutls13_psk_ext_iter_init(&psk_iter, &psk_parser); + for (i = 0; i <= psk_index; i++) { + ret = _gnutls13_psk_ext_iter_next_binder(&psk_iter, &binder_recvd); + if (ret < 0) { + gnutls_assert(); + /* We couldn't extract binder */ + if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) + ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; + goto fail; + } } /* Get full ClientHello */ @@ -557,7 +573,7 @@ static int server_recv_params(gnutls_session_t session, } /* Compute the binder value for this PSK */ - ret = compute_psk_binder(session, prf, psk_parser.binder_len+2, 0, 0, + ret = compute_psk_binder(session, prf, psk_parser.binders_len+2, 0, 0, &key, &full_client_hello, resuming, binder_value); if (ret < 0) { @@ -582,11 +598,7 @@ static int server_recv_params(gnutls_session_t session, /* save the username in psk_auth_info to make it available * using gnutls_psk_server_get_username() */ if (!resuming) { - if (psk.identity.size >= sizeof(info->username)) { - gnutls_assert(); - ret = GNUTLS_E_RECEIVED_ILLEGAL_PARAMETER; - goto fail; - } + assert(psk.identity.size < sizeof(info->username)); ret = _gnutls_auth_info_set(session, GNUTLS_CRD_PSK, sizeof(psk_auth_info_st), 1); if (ret < 0) { |