Add ciphersuite check in set_session Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

commit: 40afab61a87fe5bcc7c7cde7e10c2bf72fe49e5b [log] [tgz]
author: Jerry Yu <jerry.h.yu@arm.com> Sat Oct 08 10:42:13 2022 +0800
committer: Jerry Yu <jerry.h.yu@arm.com> Sat Oct 08 14:35:43 2022 +0800
tree: 1f829b49e9e4c06a500464427dffb1add0e0ac9d
parent: 21f9095fa8fe7cd0badd2573595807d1143d2773 [diff] [blame]
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 616df07..d32d58e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c

@@ -1361,6 +1361,7 @@
 int mbedtls_ssl_set_session( mbedtls_ssl_context *ssl, const mbedtls_ssl_session *session )
 {
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+    const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
 
     if( ssl == NULL ||
         session == NULL ||
@@ -1373,6 +1374,16 @@
     if( ssl->handshake->resume == 1 )
         return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );
 
+    ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( session->ciphersuite );
+    if( mbedtls_ssl_validate_ciphersuite( ssl, ciphersuite_info,
+                                          session->tls_version,
+                                          session->tls_version ) != 0 )
+    {
+        MBEDTLS_SSL_DEBUG_MSG( 4, ( "%d is not a valid ciphersuite.",
+                                    session->ciphersuite ) );
+        return( MBEDTLS_ERR_SSL_INVALID_MAC );
+    }
+
     if( ( ret = mbedtls_ssl_session_copy( ssl->session_negotiate,
                                           session ) ) != 0 )
         return( ret );
commit	40afab61a87fe5bcc7c7cde7e10c2bf72fe49e5b	[log] [tgz]
author	Jerry Yu <jerry.h.yu@arm.com>	Sat Oct 08 10:42:13 2022 +0800
committer	Jerry Yu <jerry.h.yu@arm.com>	Sat Oct 08 14:35:43 2022 +0800
tree	1f829b49e9e4c06a500464427dffb1add0e0ac9d
parent	21f9095fa8fe7cd0badd2573595807d1143d2773 [diff] [blame]