commit 615cbcdbdfbb147724c50721013d77a46190911a
author Przemek Stekiel <przemyslaw.stekiel@mobica.com> Thu Jul 06 11:08:39 2023 +0200
committer Przemek Stekiel <przemyslaw.stekiel@mobica.com> Thu Jul 06 12:16:39 2023 +0200
tree 2b1568d3abac2fa173d223e76813b6c649fe504f
parent e80bbf4dbf3ae8b3b1eb9317a29143c2ffa75cfa

Provide additional comments for claryfication

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

library/ssl_tls12_server.c

diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 9d302d6..d5da55a 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -3909,12 +3909,18 @@
             return MBEDTLS_ERR_SSL_DECODE_ERROR;
         }
 
+    /* When FFDH is enabled, the array handshake->xxdh_psa_peer_key size takes into account
+       the sizes of the FFDH keys which are at least 2048 bits.
+       The size of the array is thus greater than 256 bytes which is greater than any
+       possible value of ecpoint_len (type uint8_t) and the check below can be skipped.*/
 #if !defined(PSA_WANT_ALG_FFDH)
         if (ecpoint_len > sizeof(handshake->xxdh_psa_peerkey)) {
             psa_destroy_key(handshake->xxdh_psa_privkey);
             handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
             return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
         }
+#else
+    MBEDTLS_STATIC_ASSERT(sizeof(handshake->xxdh_psa_peerkey) >= UINT8_MAX, "peer key buffer too small");
 #endif
 
         memcpy(handshake->xxdh_psa_peerkey, p, ecpoint_len);