Provide additional comments for claryfication Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

commit: 615cbcdbdfbb147724c50721013d77a46190911a [log] [tgz]
author: Przemek Stekiel <przemyslaw.stekiel@mobica.com> Thu Jul 06 11:08:39 2023 +0200
committer: Przemek Stekiel <przemyslaw.stekiel@mobica.com> Thu Jul 06 12:16:39 2023 +0200
tree: 2b1568d3abac2fa173d223e76813b6c649fe504f
parent: e80bbf4dbf3ae8b3b1eb9317a29143c2ffa75cfa [diff] [blame]
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index c0ddfa1..f9c54fe 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c

@@ -1770,10 +1770,16 @@
         return MBEDTLS_ERR_SSL_DECODE_ERROR;
     }
 
+    /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
+       the sizes of the FFDH keys which are at least 2048 bits.
+       The size of the array is thus greater than 256 bytes which is greater than any
+       possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
 #if !defined(PSA_WANT_ALG_FFDH)
     if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
         return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
     }
+#else
+    MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, "peer key buffer too small");
 #endif
 
     memcpy(handshake->xxdh_psa_peerkey, *p, ecpoint_len);
commit	615cbcdbdfbb147724c50721013d77a46190911a	[log] [tgz]
author	Przemek Stekiel <przemyslaw.stekiel@mobica.com>	Thu Jul 06 11:08:39 2023 +0200
committer	Przemek Stekiel <przemyslaw.stekiel@mobica.com>	Thu Jul 06 12:16:39 2023 +0200
tree	2b1568d3abac2fa173d223e76813b6c649fe504f
parent	e80bbf4dbf3ae8b3b1eb9317a29143c2ffa75cfa [diff] [blame]