From 40afab61a87fe5bcc7c7cde7e10c2bf72fe49e5b Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 8 Oct 2022 10:42:13 +0800 Subject: [PATCH] Add ciphersuite check in set_session Signed-off-by: Jerry Yu --- library/ssl_tls.c | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 616df07de..d32d58e2d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1361,6 +1361,7 @@ void mbedtls_ssl_conf_session_cache( mbedtls_ssl_config *conf, int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; if( ssl == NULL || session == NULL || @@ -1373,6 +1374,16 @@ int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session if( ssl->handshake->resume == 1 ) return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite ); + if( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info, + session->tls_version, + session->tls_version ) != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not a valid ciphersuite.", + session->ciphersuite ) ); + return( MBEDTLS_ERR_SSL_INVALID_MAC ); + } + if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate, session ) ) != 0 ) return( ret );