Make TLS state changes explicit
This is to enable hardening of the state-machine transitions, so that the
state cannot be changed by bit flipping.
A later commit changes the enumeration so that the states have a large
Hamming distance between them to prevent this kind of attack.
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 7c03b41..2c209d3 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -1116,7 +1116,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CLIENT_HELLO;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
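Review bot: The new `ssl->state = MBEDTLS_SSL_SERVER_HELLO;` is still a plain store, so the bit-flip hardening the description aims at has no single place to hook into; consider routing every transition in this commit through one small helper, e.g. `mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_HELLO );` (a new static helper, name as proposed), so that the later Hamming-distance commit can add its check of the written value in one place rather than at each of the nine sites. The same applies to the hunks at -1839, -3143, -3165, -3183, -3340, -3827, -3866 and -3997. Because the enum's order no longer drives the handshake, a short comment at each target such as `/* next handshake state; keep in sync with the mbedtls_ssl_states order */` would help whoever reorders the enumeration later. The enclosing function (the ClientHello writer, judging by the out_msg[0] assignment) starts and ends outside the hunk.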
@@ -1839,7 +1839,7 @@
else
{
/* Start a new session */
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_CERTIFICATE;
#if defined(MBEDTLS_HAVE_TIME)
ssl->session_negotiate->start = mbedtls_time( NULL );
#endif
@@ -3143,7 +3143,7 @@
if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
return( 0 );
}
@@ -3165,7 +3165,7 @@
if( ! mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip parse certificate request" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
return( 0 );
}
@@ -3183,7 +3183,7 @@
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_SERVER_HELLO_DONE;
ssl->client_auth = ( ssl->in_msg[0] == MBEDTLS_SSL_HS_CERTIFICATE_REQUEST );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "got %s certificate request",
@@ -3340,7 +3340,7 @@
return( MBEDTLS_ERR_SSL_BAD_HS_SERVER_HELLO_DONE );
}
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CERTIFICATE;
#if defined(MBEDTLS_SSL_PROTO_DTLS)
if( MBEDTLS_SSL_TRANSPORT_IS_DTLS( ssl->conf->transport ) )
@@ -3827,7 +3827,7 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -3866,14 +3866,14 @@
if( !mbedtls_ssl_ciphersuite_cert_req_allowed( ciphersuite_info ) )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
if( ssl->client_auth == 0 || mbedtls_ssl_own_cert( ssl ) == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= skip write certificate verify" ) );
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
return( 0 );
}
@@ -3997,7 +3997,7 @@
ssl->out_msgtype = MBEDTLS_SSL_MSG_HANDSHAKE;
ssl->out_msg[0] = MBEDTLS_SSL_HS_CERTIFICATE_VERIFY;
- ssl->state++;
+ ssl->state = MBEDTLS_SSL_CLIENT_CHANGE_CIPHER_SPEC;
if( ( ret = mbedtls_ssl_write_handshake_msg( ssl ) ) != 0 )
{