Do not allow configuring zero-length PSK

fix error when calloc is called with size 0
2025-02-02 07:41:03 +00:00 · 2019-11-20 14:54:36 +01:00 · 2019-11-20 14:54:36 +01:00 · 9926eaf695
parent 5d74241b54
commit 9926eaf695
3 changed files with 28 additions and 14 deletions
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -9171,8 +9171,13 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
    ssl_conf_remove_psk( conf );

    /* Check and set raw PSK */
-    if( psk == NULL || psk_len > MBEDTLS_PSK_MAX_LEN )
+    if( psk == NULL )
        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    if( psk_len == 0 )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+    if( psk_len > MBEDTLS_PSK_MAX_LEN )
+        return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
+
    if( ( conf->psk = mbedtls_calloc( 1, psk_len ) ) == NULL )
        return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
    conf->psk_len = psk_len;
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -194,7 +194,8 @@ int main( void )

 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 #define USAGE_PSK_RAW                                               \
-    "    psk=%%s              default: \"\" (in hex, without 0x)\n" \
+    "    psk=%%s              default: \"\" (disabled)\n"     \
+    "                          The PSK values are in hex, without 0x.\n" \
    "    psk_identity=%%s     default: \"Client_identity\"\n"
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 #define USAGE_PSK_SLOT                          \
@ -2374,14 +2375,17 @@ int main( int argc, char *argv[] )
    }
    else
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
-    if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
-                             (const unsigned char *) opt.psk_identity,
-                             strlen( opt.psk_identity ) ) ) != 0 )
+    if( psk_len > 0 )
    {
-        mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_psk returned %d\n\n",
-                        ret );
+        ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
+                             (const unsigned char *) opt.psk_identity,
+                             strlen( opt.psk_identity ) );
+        if( ret != 0 )
+        {
+            mbedtls_printf( " failed\n  ! mbedtls_ssl_conf_psk returned %d\n\n", ret );
            goto exit;
        }
+    }
 #endif /* MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED */

    if( opt.min_version != DFL_MIN_VERSION )
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -259,7 +259,8 @@ int main( void )

 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 #define USAGE_PSK_RAW                                               \
-    "    psk=%%s              default: \"\" (in hex, without 0x)\n"     \
+    "    psk=%%s              default: \"\" (disabled)\n"     \
+    "                          The PSK values are in hex, without 0x.\n" \
    "    psk_list=%%s         default: \"\"\n"                          \
    "                          A list of (PSK identity, PSK value) pairs.\n" \
    "                          The PSK values are in hex, without 0x.\n" \
@ -3364,14 +3365,18 @@ int main( int argc, char *argv[] )
        }
        else
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
-        if( ( ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
+        if( psk_len > 0 )
+        {
+            ret = mbedtls_ssl_conf_psk( &conf, psk, psk_len,
                                     (const unsigned char *) opt.psk_identity,
-                                     strlen( opt.psk_identity ) ) ) != 0 )
+                                     strlen( opt.psk_identity ) );
+            if( ret != 0 )
            {
                mbedtls_printf( "  failed\n  mbedtls_ssl_conf_psk returned -0x%04X\n\n", - ret );
                goto exit;
            }
        }
+    }

    if( opt.psk_list != NULL )
    {