From 125afcb0604596bc37989df8bc2e297766772664 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 28 Oct 2022 06:04:06 +0000 Subject: [PATCH 01/51] Add end-of-early-data write Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 2 + library/ssl_tls13_client.c | 102 ++++++++++++++++++++++++++++-- tests/opt-testcases/tls13-misc.sh | 1 + 3 files changed, 98 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index dbc37e831..d6e214be1 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -533,6 +533,7 @@ #define MBEDTLS_SSL_HS_SERVER_HELLO 2 #define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST 3 #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET 4 +#define MBEDTLS_SSL_HS_END_OF_EARLY_DATA 5 // NEW IN TLS 1.3 #define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS 8 // NEW IN TLS 1.3 #define MBEDTLS_SSL_HS_CERTIFICATE 11 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE 12 @@ -671,6 +672,7 @@ typedef enum { MBEDTLS_SSL_SERVER_HELLO_VERIFY_REQUEST_SENT, MBEDTLS_SSL_HELLO_RETRY_REQUEST, MBEDTLS_SSL_ENCRYPTED_EXTENSIONS, + MBEDTLS_SSL_END_OF_EARLY_DATA, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 4aea61ca7..e4691743d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -2108,6 +2108,96 @@ cleanup: } +/* + * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA + * + * RFC 8446: + * + * If the server sent an "early_data" extension in the EncryptedExtensions + * message, the client MUST send an EndOfEarlyData message after receiving + * the server Finished. + * + * If the server does not send an "early_data" extension + * in EncryptedExtensions, then the client MUST NOT send + * an EndOfEarlyData message. + */ + +/* Write end of early data message + * struct {} EndOfEarlyData; + */ + +#define SSL_END_OF_EARLY_DATA_WRITE 0 +#define SSL_END_OF_EARLY_DATA_SKIP 1 + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_end_of_early_data_coordinate( + mbedtls_ssl_context *ssl) +{ + ((void) ssl); + +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + return SSL_END_OF_EARLY_DATA_WRITE; + } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + MBEDTLS_SSL_DEBUG_MSG(4, ("skip EndOfEarlyData, server rejected")); + return SSL_END_OF_EARLY_DATA_SKIP; + } else { + MBEDTLS_SSL_DEBUG_MSG(4, ("skip write EndOfEarlyData")); + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + + return SSL_END_OF_EARLY_DATA_SKIP; +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_finalize_write_end_of_early_data( + mbedtls_ssl_context *ssl) +{ +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); +#else + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + + return 0; +} + +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); + + MBEDTLS_SSL_PROC_CHK_NEG( + ssl_tls13_write_end_of_early_data_coordinate(ssl)); + if (ret == SSL_END_OF_EARLY_DATA_WRITE) { + unsigned char *buf = 
NULL; + size_t buf_len; + + MBEDTLS_SSL_DEBUG_MSG(2, ("Client write EndOfEarlyData")); + + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, + MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, + &buf_len)); + + mbedtls_ssl_add_hs_hdr_to_checksum( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); + + MBEDTLS_SSL_PROC_CHK( + mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); + } + + /* Update state */ + MBEDTLS_SSL_PROC_CHK( + ssl_tls13_finalize_write_end_of_early_data(ssl)); + +cleanup: + + MBEDTLS_SSL_DEBUG_MSG(2, ("<= write EndOfEarlyData")); + return ret; +} + #if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED) /* * STATE HANDLING: CertificateRequest @@ -2367,13 +2457,7 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) return ret; } -#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state( - ssl, - MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); -#else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); -#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); return 0; } @@ -2789,6 +2873,10 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) ret = ssl_tls13_process_server_finished(ssl); break; + case MBEDTLS_SSL_END_OF_EARLY_DATA: + ret = ssl_tls13_write_end_of_early_data(ssl); + break; + case MBEDTLS_SSL_CLIENT_CERTIFICATE: ret = ssl_tls13_write_client_certificate(ssl); break; diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 821a37bf3..b1f214731 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
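Review bot: In `ssl_tls13_write_end_of_early_data`, the EndOfEarlyData message is written under whatever outbound transform happens to be active when the handler runs, and nothing in this commit derives or installs the 0-RTT transform before the write or restores the handshake transform after it; RFC 8446 section 4.5 (cited in the new comment) has EndOfEarlyData protected by the same early traffic keys as the 0-RTT data it terminates, so a server that actually accepted early data will not be able to decrypt this record. The handler needs a `mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_earlydata)` before `mbedtls_ssl_start_handshake_msg` (with that transform derived when the ClientHello went out) and a switch back to `ssl->handshake->transform_handshake` once `mbedtls_ssl_finish_handshake_msg` has queued the record. Since `ssl_tls13_process_server_finished` now enters `MBEDTLS_SSL_END_OF_EARLY_DATA` for every connection, the skip path in `ssl_tls13_write_end_of_early_data_coordinate` together with `ssl_tls13_finalize_write_end_of_early_data` is what preserves the previous CCS/Certificate flow when early data is compiled out or not accepted; a one-line comment on the coordinate function saying so would make that dependency visible.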
@@ -281,6 +281,7 @@ run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ -c "ClientHello: early_data(42) extension exists." \ -c "EncryptedExtensions: early_data(42) extension received." \ -c "EncryptedExtensions: early_data(42) extension exists." \ + -c "Client write EndOfEarlyData" \ -s "Parsing extension 'Early Data/42' (0 bytes)" \ -s "Sending extension Early Data/42 (0 bytes)" \ -s "early data accepted" From 34aab55aa775315af53a2bd59d438545ae139aed Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 9 Dec 2022 08:05:53 +0000 Subject: [PATCH 02/51] Add prepare function to switch transform to early keys Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index e4691743d..b58cc29b0 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2149,6 +2149,34 @@ static int ssl_tls13_write_end_of_early_data_coordinate( return SSL_END_OF_EARLY_DATA_SKIP; } +MBEDTLS_CHECK_RETURN_CRITICAL +static int ssl_tls13_prepare_end_of_early_data(mbedtls_ssl_context *ssl) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + + /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. */ + ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, + "mbedtls_ssl_tls13_key_schedule_stage_early", ret); + return ret; + } + + /* Derive 0-RTT key material */ + ret = mbedtls_ssl_tls13_compute_early_transform(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, + "mbedtls_ssl_tls13_compute_early_transform", ret); + return ret; + } + + /* Activate transform */ + MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to early data keys for outbound traffic")); + mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_earlydata); + + return 0; +} + MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_finalize_write_end_of_early_data( mbedtls_ssl_context *ssl) 
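Review bot: `ssl_tls13_prepare_end_of_early_data` derives the early secret and the 0-RTT transform only after the server Finished has been processed, so the transform it installs is used for nothing but the EndOfEarlyData record itself; any 0-RTT application data that the `early_data` extension in the ClientHello offers would have to be protected by this same transform immediately after the ClientHello, which suggests the derivation belongs in the ClientHello finalization rather than in this handler. Calling `mbedtls_ssl_tls13_key_schedule_stage_early` again at this point also re-runs the first stage of the key schedule after the handshake stage has been completed; presumably it only recomputes the early secret from the PSK and leaves the handshake and master secrets alone, but that should be confirmed, or the early secret kept from the first run. The two `MBEDTLS_SSL_DEBUG_MSG(1, ...)` calls report routine progress at level 1, which this library conventionally reserves for errors; level 2 matches the `=> write` messages in the surrounding code.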
@@ -2175,11 +2203,11 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) unsigned char *buf = NULL; size_t buf_len; + MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_end_of_early_data(ssl)); MBEDTLS_SSL_DEBUG_MSG(2, ("Client write EndOfEarlyData")); - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl, - MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, - &buf_len)); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); From 32af4fbbdb406ecca1e23cf81719de88ea321406 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 14:05:55 +0000 Subject: [PATCH 03/51] Set ciphersuite info and kex mode in set_session in re-connection Signed-off-by: Xiaokang Qian --- library/ssl_tls.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 86f5c0b55..44942911a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1676,6 +1676,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session session->ciphersuite)); return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } + ssl->handshake->ciphersuite_info = ciphersuite_info; } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ @@ -1685,6 +1686,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session } ssl->handshake->resume = 1; + ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; return 0; } From d05ac5dfcedf0d004babe5ee8fc31d2801511d19 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 14:38:29 +0000 Subject: [PATCH 04/51] Add extern apis mbedtls_ticket_get_psk. Signed-off-by: Xiaokang Qian --- library/ssl_misc.h | 7 +++++++ library/ssl_tls13_generic.c | 27 +++++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 146dae0fb..baef741a2 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h 
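Review bot: In the second ssl_tls.c hunk, `ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;` is added after `ssl->handshake->resume = 1;`, outside the `#if defined(MBEDTLS_SSL_PROTO_TLS1_3)` block that the first hunk's `ciphersuite_info` assignment sits in; if the field and the constant exist only in TLS 1.3 builds, this breaks builds with TLS 1.3 disabled, and the line should move next to the `ciphersuite_info` assignment inside the guard. Independently of placement, presetting the key exchange mode to the `PSK_ALL` mask before any ServerHello has been processed makes `key_exchange_mode` ambiguous between "modes offered" and "mode negotiated"; if later code reads it as the negotiated mode, either document the provisional value here, e.g. `/* Provisional: offered PSK modes until ServerHello selects one */`, or leave the field to the ServerHello processing. `mbedtls_ssl_set_session` starts before these hunks.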
@@ -2629,6 +2629,13 @@ static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( return 0; } +#ifdef MBEDTLS_SSL_SESSION_TICKETS +int mbedtls_ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl, + psa_algorithm_t *hash_alg, + const unsigned char **psk, + size_t *psk_len); +#endif + /** * \brief Validate cipher suite against config in SSL context. * diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 513937e0e..3de164cd1 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1574,4 +1574,31 @@ int mbedtls_ssl_tls13_check_received_extension( return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; } +#ifdef MBEDTLS_SSL_SESSION_TICKETS +int mbedtls_ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl, + psa_algorithm_t *hash_alg, + const unsigned char **psk, + size_t *psk_len) +{ + + mbedtls_ssl_session *session = ssl->session_negotiate; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; + + if (ssl->handshake->resume == 0 || session == NULL || + session->ticket == NULL) { + return -1; + } + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); + if (ciphersuite_info != NULL) { + *hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac); + } + + *psk = session->resumption_key; + *psk_len = session->resumption_key_len; + + return 0; +} +#endif /* MBEDTLS_SSL_SESSION_TICKETS */ + #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ From df6f52e2b298cc3358843add594854b9b4e88203 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 14:42:45 +0000 Subject: [PATCH 05/51] Generate early key and switch outbound key to it after write client hello Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 47 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index ab897c49f..4e42d00f3 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
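Review bot: `mbedtls_ssl_tls13_ticket_get_psk` returns a bare `-1` when there is no resumable session, which callers cannot tell apart from the library's `MBEDTLS_ERR_SSL_*` codes and which the error-string helpers will not recognise; return a proper code, e.g. `return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;`. When `mbedtls_ssl_ciphersuite_from_id` yields NULL the function still returns 0 with `*hash_alg` untouched, so a caller that did not initialise `hash_alg` gets success and garbage; a missing ciphersuite should be an error as well. The prototype in ssl_misc.h should carry `MBEDTLS_CHECK_RETURN_CRITICAL` like the static handshake helpers in this series, plus a short comment that `*psk` aliases `session->resumption_key` (no copy, valid only while `session_negotiate` is), and both sites use `#ifdef` where the surrounding code writes `#if defined(...)`.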
@@ -893,6 +893,7 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl) return 0; } + /* * Write ClientHello handshake message. * Handler for MBEDTLS_SSL_CLIENT_HELLO @@ -962,8 +963,52 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) buf_len, msg_len)); mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); - } +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + psa_algorithm_t hash_alg = PSA_ALG_NONE; + const unsigned char *psk; + size_t psk_len; + MBEDTLS_SSL_DEBUG_MSG(1, ("in generate early keys")); + + if ((ret = mbedtls_ssl_tls13_ticket_get_psk( + ssl, &hash_alg, &psk, &psk_len)) + != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_ticket_get_psk", ret); + goto cleanup; + } + + if ((ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len)) != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); + goto cleanup; + } + + /* Start the TLS 1.3 key schedule: + * Set the PSK and derive early secret. + */ + ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, + "mbedtls_ssl_tls13_key_schedule_stage_early", ret); + goto cleanup; + } + + /* Derive early data key material */ + ret = mbedtls_ssl_tls13_compute_early_transform(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, + "mbedtls_ssl_tls13_compute_early_transform", ret); + goto cleanup; + } + + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to early data keys for outbound traffic")); + mbedtls_ssl_set_outbound_transform( + ssl, ssl->handshake->transform_earlydata); + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + } cleanup: From bf09376bdafdddf46e050cfb69a20647fc2c9ff6 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 14:53:03 +0000 Subject: [PATCH 06/51] Remove useless prepare_write_end_of_early_data Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 30 ------------------------------ 1 file changed, 30 deletions(-) 
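Review bot: The new block in `mbedtls_ssl_write_client_hello` keys off `ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED`, which at this point (the ClientHello has just been queued, no server message seen) cannot mean that the server rejected anything; if the ClientHello writer sets REJECTED to mean "early_data offered, not yet accepted", state that where it is relied on, e.g. `/* REJECTED here means "early_data offered, not yet accepted" */`, or introduce a dedicated status, since the same constant is tested with its literal meaning in ssl_tls13_client.c. `hash_alg` is filled by `mbedtls_ssl_tls13_ticket_get_psk` and then never used, so it can be dropped along with its initialiser. `MBEDTLS_SSL_DEBUG_MSG(1, ("in generate early keys"))` and the key-switch message log routine progress at level 1, which this library conventionally reserves for errors. `mbedtls_ssl_write_client_hello` starts before the hunk.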
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b58cc29b0..418c84d06 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2149,34 +2149,6 @@ static int ssl_tls13_write_end_of_early_data_coordinate( return SSL_END_OF_EARLY_DATA_SKIP; } -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_prepare_end_of_early_data(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - - /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. */ - ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, - "mbedtls_ssl_tls13_key_schedule_stage_early", ret); - return ret; - } - - /* Derive 0-RTT key material */ - ret = mbedtls_ssl_tls13_compute_early_transform(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, - "mbedtls_ssl_tls13_compute_early_transform", ret); - return ret; - } - - /* Activate transform */ - MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to early data keys for outbound traffic")); - mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_earlydata); - - return 0; -} - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_finalize_write_end_of_early_data( mbedtls_ssl_context *ssl) @@ -2203,7 +2175,6 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) unsigned char *buf = NULL; size_t buf_len; - MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_end_of_early_data(ssl)); MBEDTLS_SSL_DEBUG_MSG(2, ("Client write EndOfEarlyData")); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( @@ -2216,7 +2187,6 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); } - /* Update state */ MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_end_of_early_data(ssl)); From da8402dde63999817d7f9c8a7c19828a933d706c Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 14:55:35 +0000 Subject: [PATCH 07/51] Switch outbound back to handshake key after end_of_early_data 
Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 418c84d06..4c07a64bb 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2185,6 +2185,10 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); + + /* Switch outbound back to handshake key after end_of_early_data */ + mbedtls_ssl_set_outbound_transform( + ssl, ssl->handshake->transform_handshake); } MBEDTLS_SSL_PROC_CHK( From 94dd1dd6fae7bddc34ac8a96003c21d0edf19058 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 15:13:04 +0000 Subject: [PATCH 08/51] Update test case to indicate parsing of end of early data Signed-off-by: Xiaokang Qian --- tests/opt-testcases/tls13-misc.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index b1f214731..5428e3c38 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -284,6 +284,7 @@ run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ -c "Client write EndOfEarlyData" \ -s "Parsing extension 'Early Data/42' (0 bytes)" \ -s "Sending extension Early Data/42 (0 bytes)" \ + -s "END OF EARLY DATA (5) was received." \ -s "early data accepted" requires_gnutls_tls1_3 From 8804e6d0ac907113d82acc710b4492b52e65e3e7 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 15 Dec 2022 15:27:26 +0000 Subject: [PATCH 09/51] Put kex_exchange_mode in the guard of TLS13 Signed-off-by: Xiaokang Qian --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 44942911a..376f6cf9a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c 
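Review bot: The switch back to `ssl->handshake->transform_handshake` is made only inside the branch that writes EndOfEarlyData (the `SSL_END_OF_EARLY_DATA_WRITE` case), while the early transform was installed after the ClientHello for every connection that offered early data; in the skip path (server rejected) nothing in this function restores the handshake transform before the client goes on to write its Certificate and Finished. If that switch happens elsewhere, a comment here pointing to it would help; otherwise the skip path needs the same `mbedtls_ssl_set_outbound_transform(ssl, ssl->handshake->transform_handshake);`. `ssl_tls13_write_end_of_early_data` starts before the hunk.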
@@ -1677,6 +1677,7 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } ssl->handshake->ciphersuite_info = ciphersuite_info; + ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ @@ -1686,7 +1687,6 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session } ssl->handshake->resume = 1; - ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; return 0; } From 7ed30e59af0e8378901a0d458ac94c58a9c1da04 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 16 Dec 2022 08:32:02 +0000 Subject: [PATCH 10/51] Fix the issue that gnutls server doesn't support packet Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 10 ++++++---- tests/opt-testcases/tls13-misc.sh | 4 ++-- 2 files changed, 8 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 4c07a64bb..3219425c2 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2153,12 +2153,14 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_finalize_write_end_of_early_data( mbedtls_ssl_context *ssl) { -#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) +#if defined(MBEDTLS_SSL_EARLY_DATA) || \ + !defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); +#else mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); -#else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); -#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ +#endif /* MBEDTLS_SSL_EARLY_DATA || + !MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ return 0; } diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 5428e3c38..0b01e50a5 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh 
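Review bot: In `ssl_tls13_finalize_write_end_of_early_data` the choice between `MBEDTLS_SSL_CLIENT_CERTIFICATE` and `MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED` is now made at preprocessing time on `MBEDTLS_SSL_EARLY_DATA`, but whether early data was offered and accepted is only known at runtime; with both `MBEDTLS_SSL_EARLY_DATA` and `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE` enabled, a connection that offered no early data still reaches this handler (process_server_finished routes every connection through `MBEDTLS_SSL_END_OF_EARLY_DATA` in this series) and now never sends the dummy CCS before its encrypted flight, which as I read RFC 8446 Appendix D.4 is expected in compatibility mode when no early data was offered. The runtime decision already exists in `ssl_tls13_write_end_of_early_data_coordinate`; pass its result in (or test `ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED` here) and keep the previous compile-time CCS/Certificate choice for the not-accepted case, which also avoids the second CCS after an accepted EndOfEarlyData that presumably triggered the GnuTLS failure in the commit message.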
@@ -274,8 +274,8 @@ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ - 1 \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + 0 \ -c "Reconnecting with saved session" \ -c "NewSessionTicket: early_data(42) extension received." \ -c "ClientHello: early_data(42) extension exists." \ From c81a15a019f17d8a2ab8690da24270157d306897 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 19 Dec 2022 02:43:33 +0000 Subject: [PATCH 11/51] Change the comment format of end_of_early_data Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 3219425c2..9dd057004 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2111,19 +2111,13 @@ cleanup: /* * Handler for MBEDTLS_SSL_END_OF_EARLY_DATA * - * RFC 8446: + * RFC 8446 section 4.5 * - * If the server sent an "early_data" extension in the EncryptedExtensions - * message, the client MUST send an EndOfEarlyData message after receiving - * the server Finished. - * - * If the server does not send an "early_data" extension - * in EncryptedExtensions, then the client MUST NOT send - * an EndOfEarlyData message. - */ - -/* Write end of early data message * struct {} EndOfEarlyData; + * + * If the server sent an "early_data" extension in EncryptedExtensions, the + * client MUST send an EndOfEarlyData message after receiving the server + * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message. */ #define SSL_END_OF_EARLY_DATA_WRITE 0 
From bc75bc0c3a42ceb7846dc23ee0836a273cff2e49 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 19 Dec 2022 06:16:42 +0000 Subject: [PATCH 12/51] Switch to MBEDTLS_SSL_END_OF_EARLY_DATA as needed Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 9dd057004..8edbd8fc3 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2455,7 +2455,19 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) return ret; } - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); + } else +#endif /* MBEDTLS_SSL_EARLY_DATA */ + { +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); +#else + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + } return 0; } From 742578ca2ce4a25681e350f19368f1af1037ed45 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 19 Dec 2022 06:34:44 +0000 Subject: [PATCH 13/51] Remove end_of_early_data_coordinate() to align with exist style Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 59 +++++++++----------------------------- 1 file changed, 13 insertions(+), 46 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8edbd8fc3..724e9d745 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -2120,41 +2120,12 @@ cleanup: * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message. */ -#define SSL_END_OF_EARLY_DATA_WRITE 0 -#define SSL_END_OF_EARLY_DATA_SKIP 1 - -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_write_end_of_early_data_coordinate( - mbedtls_ssl_context *ssl) -{ - ((void) ssl); - -#if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { - return SSL_END_OF_EARLY_DATA_WRITE; - } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { - MBEDTLS_SSL_DEBUG_MSG(4, ("skip EndOfEarlyData, server rejected")); - return SSL_END_OF_EARLY_DATA_SKIP; - } else { - MBEDTLS_SSL_DEBUG_MSG(4, ("skip write EndOfEarlyData")); - } -#endif /* MBEDTLS_SSL_EARLY_DATA */ - - return SSL_END_OF_EARLY_DATA_SKIP; -} - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_finalize_write_end_of_early_data( mbedtls_ssl_context *ssl) { -#if defined(MBEDTLS_SSL_EARLY_DATA) || \ - !defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); -#else - mbedtls_ssl_handshake_set_state( - ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED); -#endif /* MBEDTLS_SSL_EARLY_DATA || - !MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ return 0; } 
@@ -2165,27 +2136,23 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); - MBEDTLS_SSL_PROC_CHK_NEG( - ssl_tls13_write_end_of_early_data_coordinate(ssl)); - if (ret == SSL_END_OF_EARLY_DATA_WRITE) { - unsigned char *buf = NULL; - size_t buf_len; + unsigned char *buf = NULL; + size_t buf_len; - MBEDTLS_SSL_DEBUG_MSG(2, ("Client write EndOfEarlyData")); + MBEDTLS_SSL_DEBUG_MSG(2, ("Client write EndOfEarlyData")); - MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( - ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); + MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); - mbedtls_ssl_add_hs_hdr_to_checksum( - ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); + mbedtls_ssl_add_hs_hdr_to_checksum( + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); - MBEDTLS_SSL_PROC_CHK( - mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); + MBEDTLS_SSL_PROC_CHK( + mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); - /* Switch outbound back to handshake key after end_of_early_data */ - mbedtls_ssl_set_outbound_transform( - ssl, ssl->handshake->transform_handshake); - } + /* Switch outbound back to handshake key after end_of_early_data */ + mbedtls_ssl_set_outbound_transform( + ssl, ssl->handshake->transform_handshake); MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_write_end_of_early_data(ssl)); From 57a138d5c35b1cb90bfe2afe784c56bc43828fd4 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 19 Dec 2022 06:40:47 +0000 Subject: [PATCH 14/51] Update message log for end of early data test cases Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 5 +---- tests/opt-testcases/tls13-misc.sh | 2 +- 2 files changed, 2 insertions(+), 5 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 724e9d745..6f91fb27b 100644 --- a/library/ssl_tls13_client.c 
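Review bot: With `ssl_tls13_write_end_of_early_data_coordinate` gone, `ssl_tls13_write_end_of_early_data` writes the message unconditionally and relies on `ssl_tls13_process_server_finished` only ever selecting `MBEDTLS_SSL_END_OF_EARLY_DATA` when `early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED`; that invariant lives in another function and is easy to break, so state it at the top of the handler, e.g. `/* Only entered when the server accepted early data; see ssl_tls13_process_server_finished. */`. The function continues past the hunk.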
+++ b/library/ssl_tls13_client.c @@ -2134,12 +2134,9 @@ MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); - unsigned char *buf = NULL; size_t buf_len; - - MBEDTLS_SSL_DEBUG_MSG(2, ("Client write EndOfEarlyData")); + MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 0b01e50a5..711b5125b 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -281,7 +281,7 @@ run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ -c "ClientHello: early_data(42) extension exists." \ -c "EncryptedExtensions: early_data(42) extension received." \ -c "EncryptedExtensions: early_data(42) extension exists." \ - -c "Client write EndOfEarlyData" \ + -c "<= write EndOfEarlyData" \ -s "Parsing extension 'Early Data/42' (0 bytes)" \ -s "Sending extension Early Data/42 (0 bytes)" \ -s "END OF EARLY DATA (5) was received." \ From 854db28bb7ebc4f69807cba4b044255a6cfd7a49 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 19 Dec 2022 07:31:27 +0000 Subject: [PATCH 15/51] Set hs_psk,ciphercuit_info and kex mode when writing pre-share key Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 18 ------------------ library/ssl_tls.c | 2 -- library/ssl_tls13_client.c | 31 ++++++++++++++++++++++++++++++- 3 files changed, 30 insertions(+), 21 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 4e42d00f3..08b3de802 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
@@ -966,24 +966,6 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { - psa_algorithm_t hash_alg = PSA_ALG_NONE; - const unsigned char *psk; - size_t psk_len; - MBEDTLS_SSL_DEBUG_MSG(1, ("in generate early keys")); - - if ((ret = mbedtls_ssl_tls13_ticket_get_psk( - ssl, &hash_alg, &psk, &psk_len)) - != 0) { - MBEDTLS_SSL_DEBUG_RET( - 1, "mbedtls_ssl_tls13_ticket_get_psk", ret); - goto cleanup; - } - - if ((ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); - goto cleanup; - } - /* Start the TLS 1.3 key schedule: * Set the PSK and derive early secret. */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 376f6cf9a..86f5c0b55 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1676,8 +1676,6 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session session->ciphersuite)); return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; } - ssl->handshake->ciphersuite_info = ciphersuite_info; - ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 6f91fb27b..874f2439f 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -893,11 +893,16 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int configured_psk_count = 0; unsigned char *p = buf; - psa_algorithm_t hash_alg; + psa_algorithm_t hash_alg = PSA_ALG_NONE; const unsigned char *identity; size_t identity_len; size_t l_binders_len = 0; size_t output_len; +#if defined(MBEDTLS_SSL_EARLY_DATA) + const unsigned char *psk; + size_t psk_len; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; +#endif *out_len = 0; *binders_len = 0; 
@@ -962,6 +967,30 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( p += output_len; l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg); + +#if defined(MBEDTLS_SSL_EARLY_DATA) + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Set hs psk for early data when writing the first psk")); + + ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_ticket_get_psk", ret); + return ret; + } + + ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); + return ret; + } + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( + ssl->session_negotiate->ciphersuite); + ssl->handshake->ciphersuite_info = ciphersuite_info; + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; +#endif /* MBEDTLS_SSL_EARLY_DATA */ } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ From 7094f66879fdae230085435323c42c71fbd29287 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 19 Dec 2022 07:35:40 +0000 Subject: [PATCH 16/51] Remove useless duplicted mbedtls_ssl_tls13_ticket_get_psk Signed-off-by: Xiaokang Qian --- library/ssl_misc.h | 7 ------- library/ssl_tls13_client.c | 2 +- library/ssl_tls13_generic.c | 27 --------------------------- 3 files changed, 1 insertion(+), 35 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index baef741a2..146dae0fb 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2629,13 +2629,6 @@ static inline int mbedtls_ssl_tls13_cipher_suite_is_offered( return 0; } -#ifdef MBEDTLS_SSL_SESSION_TICKETS -int mbedtls_ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl, - psa_algorithm_t *hash_alg, - const unsigned char **psk, - size_t *psk_len); -#endif - /** * \brief Validate cipher suite against config in SSL context. * diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 874f2439f..8615d9062 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
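Review bot: The new `MBEDTLS_SSL_EARLY_DATA` block in `mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext` runs whenever the option is compiled in, not only when early data is being offered on this connection: it installs the ticket PSK as the handshake PSK and overwrites `ssl->handshake->ciphersuite_info` and `ssl->handshake->key_exchange_mode` (with the `MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL` mask) before the server has chosen anything, so a plain resumption handshake now has its negotiation state pre-filled and the ServerHello processing must be verified to reset both fields when the server picks another ciphersuite or an ephemeral-only mode. Gating the block on the runtime early-data state keeps the non-0-RTT path unchanged, and `key_exchange_mode` is better left to the ServerHello handler. Re-assigning `hash_alg` via `ssl_tls13_ticket_get_psk` after it has already been used for `l_binders_len` is harmless only while both derive it from the same ciphersuite; a separate local, or a comment noting that, avoids a silent mismatch later. The enclosing function starts before the hunk and continues after it.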
@@ -975,7 +975,7 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET( - 1, "mbedtls_ssl_tls13_ticket_get_psk", ret); + 1, "ssl_tls13_ticket_get_psk", ret); return ret; } diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 3de164cd1..513937e0e 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1574,31 +1574,4 @@ int mbedtls_ssl_tls13_check_received_extension( return MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION; } -#ifdef MBEDTLS_SSL_SESSION_TICKETS -int mbedtls_ssl_tls13_ticket_get_psk(mbedtls_ssl_context *ssl, - psa_algorithm_t *hash_alg, - const unsigned char **psk, - size_t *psk_len) -{ - - mbedtls_ssl_session *session = ssl->session_negotiate; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info = NULL; - - if (ssl->handshake->resume == 0 || session == NULL || - session->ticket == NULL) { - return -1; - } - - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(session->ciphersuite); - if (ciphersuite_info != NULL) { - *hash_alg = mbedtls_psa_translate_md(ciphersuite_info->mac); - } - - *psk = session->resumption_key; - *psk_len = session->resumption_key_len; - - return 0; -} -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ - #endif /* MBEDTLS_SSL_TLS_C && MBEDTLS_SSL_PROTO_TLS1_3 */ From 19d4416a453be109604d4be76067615850a203b7 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 3 Jan 2023 03:39:50 +0000 Subject: [PATCH 17/51] Refine code to remove finalize_write_end_of_early_data() Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8615d9062..8f5e0fcf6 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -2149,16 +2149,6 @@ cleanup: * Finished. Otherwise, the client MUST NOT send an EndOfEarlyData message. */ -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_finalize_write_end_of_early_data( - mbedtls_ssl_context *ssl) -{ - - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); - - return 0; -} - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) { @@ -2180,8 +2170,7 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_handshake); - MBEDTLS_SSL_PROC_CHK( - ssl_tls13_finalize_write_end_of_early_data(ssl)); + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); cleanup: From 126929f8251fd1e8643cd522a0ec1488446877c7 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 3 Jan 2023 10:29:41 +0000 Subject: [PATCH 18/51] Move early keys generation into mbedtls_ssl_tls13_finalize_write_client_hello Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 27 +----------- library/ssl_misc.h | 2 + library/ssl_tls13_client.c | 88 ++++++++++++++++++++++++++------------ 3 files changed, 63 insertions(+), 54 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 08b3de802..a975d6acf 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
@@ -962,34 +962,9 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len, msg_len)); - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); -#if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { - /* Start the TLS 1.3 key schedule: - * Set the PSK and derive early secret. - */ - ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, - "mbedtls_ssl_tls13_key_schedule_stage_early", ret); - goto cleanup; - } + mbedtls_ssl_tls13_finalize_write_client_hello(ssl); - /* Derive early data key material */ - ret = mbedtls_ssl_tls13_compute_early_transform(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, - "mbedtls_ssl_tls13_compute_early_transform", ret); - goto cleanup; - } - - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Switch to early data keys for outbound traffic")); - mbedtls_ssl_set_outbound_transform( - ssl, ssl->handshake->transform_earlydata); - } -#endif /* MBEDTLS_SSL_EARLY_DATA */ } cleanup: diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 146dae0fb..e2efabd2f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2740,4 +2740,6 @@ static inline void mbedtls_ssl_session_clear_ticket_flags( } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ +int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl); + #endif /* ssl_misc.h */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8f5e0fcf6..7a0f6b811 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -898,11 +898,6 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( size_t identity_len; size_t l_binders_len = 0; size_t output_len; -#if defined(MBEDTLS_SSL_EARLY_DATA) - const unsigned char *psk; - size_t psk_len; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; -#endif *out_len = 0; *binders_len = 0; 
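Review bot: The call `mbedtls_ssl_tls13_finalize_write_client_hello(ssl);` added to mbedtls_ssl_write_client_hello() discards the return value, although the function is declared `int` in the ssl_misc.h hunk and its body (the ssl_tls13_client.c hunk at 1240 of this commit) returns the errors of `ssl_tls13_ticket_get_psk()`, `mbedtls_ssl_set_hs_psk()`, `mbedtls_ssl_tls13_key_schedule_stage_early()` and `mbedtls_ssl_tls13_compute_early_transform()`. A failed early-secret derivation therefore lets the handshake continue with `ret == 0`, whereas the inline code this hunk removes jumped to `cleanup` on each failure. Write `ret = mbedtls_ssl_tls13_finalize_write_client_hello(ssl);` so the error reaches the `cleanup:` label that follows. mbedtls_ssl_write_client_hello() continues outside the hunk.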
@@ -968,29 +963,6 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( p += output_len; l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg); -#if defined(MBEDTLS_SSL_EARLY_DATA) - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Set hs psk for early data when writing the first psk")); - - ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET( - 1, "ssl_tls13_ticket_get_psk", ret); - return ret; - } - - ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); - return ret; - } - - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( - ssl->session_negotiate->ciphersuite); - ssl->handshake->ciphersuite_info = ciphersuite_info; - ssl->handshake->key_exchange_mode = - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; -#endif /* MBEDTLS_SSL_EARLY_DATA */ } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ 
@@ -1240,6 +1212,66 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, return 0; } +int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) +{ +#if defined(MBEDTLS_SSL_EARLY_DATA) + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + psa_algorithm_t hash_alg = PSA_ALG_NONE; + const unsigned char *psk; + size_t psk_len; + const mbedtls_ssl_ciphersuite_t *ciphersuite_info; +#endif + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Set hs psk for early data when writing the first psk")); + + ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "ssl_tls13_ticket_get_psk", ret); + return ret; + } + + ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); + return ret; + } + + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( + ssl->session_negotiate->ciphersuite); + ssl->handshake->ciphersuite_info = ciphersuite_info; + ssl->handshake->key_exchange_mode = + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; + + /* Start the TLS 1.3 key schedule: + * Set the PSK and derive early secret. + */ + ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, + "mbedtls_ssl_tls13_key_schedule_stage_early", ret); + return ret; + } + + /* Derive early data key material */ + ret = mbedtls_ssl_tls13_compute_early_transform(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET(1, + "mbedtls_ssl_tls13_compute_early_transform", ret); + return ret; + } + + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Switch to early data keys for outbound traffic")); + mbedtls_ssl_set_outbound_transform( + ssl, ssl->handshake->transform_earlydata); + } +#endif /* MBEDTLS_SSL_EARLY_DATA */ + return 0; +} /* * Functions for parsing and processing Server Hello */ 
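Review bot: `mbedtls_ssl_tls13_finalize_write_client_hello()` does all of its early-data work under `ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED`, which at ClientHello-writing time appears to be used to mean "early data was indicated" rather than "the server rejected it"; nothing in the code tells the reader that. Add a comment above the `if`, e.g. `/* REJECTED is the status right after an early_data indication has been written; the server's answer is only known after EncryptedExtensions. */` — confirm that this is indeed the convention before committing to the wording. The debug message `"Set hs psk for early data when writing the first psk"` is also stale now that the code runs after the complete ClientHello has been written.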
From 5b410075cf204f83cea500feec4df4e069990425 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 3 Jan 2023 10:31:15 +0000 Subject: [PATCH 19/51] Remove useless comments about handshake messages for TLS13 Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index d6e214be1..517a063f7 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -533,8 +533,8 @@ #define MBEDTLS_SSL_HS_SERVER_HELLO 2 #define MBEDTLS_SSL_HS_HELLO_VERIFY_REQUEST 3 #define MBEDTLS_SSL_HS_NEW_SESSION_TICKET 4 -#define MBEDTLS_SSL_HS_END_OF_EARLY_DATA 5 // NEW IN TLS 1.3 -#define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS 8 // NEW IN TLS 1.3 +#define MBEDTLS_SSL_HS_END_OF_EARLY_DATA 5 +#define MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS 8 #define MBEDTLS_SSL_HS_CERTIFICATE 11 #define MBEDTLS_SSL_HS_SERVER_KEY_EXCHANGE 12 #define MBEDTLS_SSL_HS_CERTIFICATE_REQUEST 13 From 2a674937dd0ac288b2ac5d56222ce345d81f940a Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 4 Jan 2023 03:15:09 +0000 Subject: [PATCH 20/51] Pend a illeagal allert when selected_identity isn't 0 The handshake should abort with an illegal_parameter alert when the early data extension is received but the selected_identity parsed from the pre-shared key extension isn't equal to 0. Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 7a0f6b811..a9ce4ed06 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1093,6 +1093,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end, 2); selected_identity = MBEDTLS_GET_UINT16_BE(buf, 0); + ssl->handshake->selected_identity = (uint16_t) selected_identity; MBEDTLS_SSL_DEBUG_MSG(3, ("selected_identity = %d", selected_identity)); 
@@ -2096,6 +2097,18 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl, MBEDTLS_ERR_SSL_DECODE_ERROR); return MBEDTLS_ERR_SSL_DECODE_ERROR; } + if (ssl->handshake->selected_identity != 0) { + /* RFC8446 4.2.11 + * If the server supplies an "early_data" extension, the + * client MUST verify that the server's selected_identity + * is 0. If any other value is returned, the client MUST + * abort the handshake with an "illegal_parameter" alert. + */ + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } break; #endif /* MBEDTLS_SSL_EARLY_DATA */ From b46275c7ec54c31b1bfeb6a29ba2ee158bb11f0f Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 4 Jan 2023 07:38:50 +0000 Subject: [PATCH 21/51] Add TLS1_3 guard to finalize_write_client_hello() to fix compile issue Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 2 ++ library/ssl_misc.h | 2 ++ 2 files changed, 4 insertions(+) diff --git a/library/ssl_client.c b/library/ssl_client.c index a975d6acf..7acb725a1 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -963,7 +963,9 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) buf_len, msg_len)); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_tls13_finalize_write_client_hello(ssl); +#endif } diff --git a/library/ssl_misc.h b/library/ssl_misc.h index e2efabd2f..29a60ec9a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2740,6 +2740,8 @@ static inline void mbedtls_ssl_session_clear_ticket_flags( } #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ +#if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl); +#endif #endif /* ssl_misc.h */ From 303f82c5b9e05e051e1cdb543665d3b265c9546c Mon Sep 17 00:00:00 2001 
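Review bot: The new check in ssl_tls13_parse_encrypted_extensions only rejects `selected_identity != 0`, and `ssl->handshake->selected_identity` is assigned solely in ssl_tls13_parse_server_pre_shared_key_ext (first hunk of this commit); if the server sends early_data without having selected any PSK at all, the field keeps its initial value — presumably zero for a calloc'd handshake — and the check passes, although RFC 8446 §4.2.10 ties accepted early data to the selected PSK. Require that a PSK key exchange was actually negotiated, e.g. `if (!mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl) || ssl->handshake->selected_identity != 0) {`. The relocated versions of this check in PATCH 31 and PATCH 37 (ssl_tls13_postprocess_server_hello) have the same gap. The enclosing switch continues outside the hunk.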
From: Xiaokang Qian Date: Wed, 4 Jan 2023 08:43:46 +0000 Subject: [PATCH 22/51] Skip generating early secrets in some cases Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index a9ce4ed06..252c217ac 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1901,14 +1901,20 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. * - * TODO: We don't have to do this in case we offered 0-RTT and the - * server accepted it. In this case, we could skip generating - * the early secret. */ - ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_key_schedule_stage_early", - ret); - goto cleanup; + * We do this in case we didn't offer 0-RTT or even we offered 0-RTT but + * server selected ephemeral mode. In other cases, we could skip generating + * the early secret. + */ + if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) + || ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) + && handshake->key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) { + ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); + if (ret != 0) { + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret); + goto cleanup; + } } ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl); From 592021aceb44f15755ea3c4a10c44aa70ff08578 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 4 Jan 2023 10:47:05 +0000 Subject: [PATCH 23/51] Add CCS after client hello in case of early data and comp mode Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 1 + library/ssl_client.c | 12 ++++++++++++ library/ssl_tls13_client.c | 19 ++++++++++++------- 3 files changed, 25 insertions(+), 7 deletions(-) 
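Review bot: The new condition in ssl_tls13_postprocess_server_hello skips `mbedtls_ssl_tls13_key_schedule_stage_early()` whenever early data was offered and the server picked a psk or psk_ephemeral mode, on the assumption that the early secret derived at ClientHello time used the PSK the server selected. That derivation only knows the ticket PSK (identity 0); if the server declines early data but selects another offered identity such as the configured external PSK, the PSK it chose differs from the one the early secret was computed from and nothing visible here re-derives it, so the handshake secret would be built on a stale early secret. Either also recompute when `ssl->handshake->selected_identity != 0`, or document that only a single identity is offered once early data is indicated. Separately, `ssl->early_data_status` is read here without an `MBEDTLS_SSL_EARLY_DATA` guard, so the file does not build with that option off. The enclosing function continues outside the hunk.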
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 517a063f7..8bc8fd0bc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -677,6 +677,7 @@ typedef enum { MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_SERVER_HELLO, + MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO, MBEDTLS_SSL_SERVER_CCS_AFTER_HELLO_RETRY_REQUEST, MBEDTLS_SSL_HANDSHAKE_OVER, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET, diff --git a/library/ssl_client.c b/library/ssl_client.c index 7acb725a1..62af0f99f 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -963,6 +963,18 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) buf_len, msg_len)); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + if ((ssl->handshake->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3) && + (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3)) { +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); +#else + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + } else +#endif + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) mbedtls_ssl_tls13_finalize_write_client_hello(ssl); #endif diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 252c217ac..57843a520 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1221,9 +1221,7 @@ int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) const unsigned char *psk; size_t psk_len; const mbedtls_ssl_ciphersuite_t *ciphersuite_info; -#endif - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); -#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Set hs psk for early data when writing the first psk")); 
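Review bot: In the ssl_client.c hunk the new `} else` is followed by `#endif` and then an unbraced `mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);`, so which statement forms the else-body depends on the preprocessor; brace it (`} else {`, the call, `}` with the `#endif` placed before the closing brace) to match the always-brace style used elsewhere in this series. The CCS-after-ClientHello state is also chosen for every TLS 1.3-only handshake in compatibility mode, independent of whether early data was indicated, while RFC 8446 Appendix D.4 places the dummy CCS immediately after the ClientHello only when early data is offered and otherwise before the second flight. mbedtls_ssl_write_client_hello() continues outside the hunk.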
@@ -1265,10 +1263,6 @@ int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl)
 return ret;
 }
- MBEDTLS_SSL_DEBUG_MSG(
- 1, ("Switch to early data keys for outbound traffic"));
- mbedtls_ssl_set_outbound_transform(
- ssl, ssl->handshake->transform_earlydata);
 }
 #endif /* MBEDTLS_SSL_EARLY_DATA */
 return 0;
@@ -2959,6 +2953,17 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
 mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
 }
 break;
+ case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO:
+ ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
+ if (ret == 0) {
+ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO);
+
+ MBEDTLS_SSL_DEBUG_MSG(
+ 1, ("Switch to early data keys for outbound traffic"));
+ mbedtls_ssl_set_outbound_transform(
+ ssl, ssl->handshake->transform_earlydata);
+ }
+ break;
 #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
From f10f47498187e62e2f272f8393fa5766828942f3 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Fri, 6 Jan 2023 03:43:56 +0000
Subject: [PATCH 24/51] Check server selected cipher suite indicating a Hash associated with the PSK
Signed-off-by: Xiaokang Qian
---
 include/mbedtls/ssl.h | 1 +
 library/ssl_tls13_client.c | 20 ++++++++++++++++++++
 2 files changed, 21 insertions(+)
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index 8bc8fd0bc..086f980f2 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -1180,6 +1180,7 @@ struct mbedtls_ssl_session {
 mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */
 #endif
 int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */
+ int MBEDTLS_PRIVATE(res_ciphersuite); /*!< resumption ciphersuite */
 size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */
 unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */
 unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */
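Review bot: In the new `MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO` case the outbound transform is switched to `ssl->handshake->transform_earlydata` unconditionally, yet that transform is only computed in `mbedtls_ssl_tls13_finalize_write_client_hello()` when early data was indicated (the first hunk of this commit removes the switch from there, not the computation) and the state is entered for every compatibility-mode handshake. Without an early-data indication `transform_earlydata` is presumably NULL or uninitialised, so the next record would be protected with a bogus transform. Guard the two lines, e.g. `if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) {` around the debug message and `mbedtls_ssl_set_outbound_transform()`, or only enter this state when early data was indicated. PATCH 27 (which wraps these lines in `#if defined(MBEDTLS_SSL_EARLY_DATA)`, a compile-time guard only) and PATCH 32 (which moves the state selection into `mbedtls_ssl_tls13_finalize_write_client_hello()`) keep the same unconditional behaviour.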
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 57843a520..fb94a8998 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1106,12 +1106,30 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_SESSION_TICKETS) + if (ssl->session_negotiate->res_ciphersuite != + ssl->session_negotiate->ciphersuite) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Invalid ciphersuite for session ticket psk.")); + + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) { ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); } else #endif if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len); + if (ssl_tls13_get_ciphersuite_hash_alg( + ssl->session_negotiate->ciphersuite) != hash_alg) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Invalid ciphersuite for external psk.")); + + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } } else { MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); return MBEDTLS_ERR_SSL_INTERNAL_ERROR; @@ -1683,6 +1701,8 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl, mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info); handshake->ciphersuite_info = ciphersuite_info; + ssl->session_negotiate->res_ciphersuite = + ssl->session_negotiate->ciphersuite; ssl->session_negotiate->ciphersuite = cipher_suite; MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s", From 907461319ad9bae466a672d71ac4c5efe99dec9a Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 6 Jan 2023 05:54:59 +0000 Subject: [PATCH 25/51] Fix compile error and warnings 
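Review bot: In the external-PSK branch of ssl_tls13_parse_server_pre_shared_key_ext the new hash comparison runs right after `ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len);` but before `ret` is examined, so a failed lookup leaves `hash_alg` at its initial value and is reported as an illegal_parameter alert instead of the lookup error. Check the return first, `if (ret != 0) { return ret; }`, then compare; PATCH 30's rewrite of the comparison to the `mbedtls_psa_translate_md()` form keeps the same order. The new ticket check above it compares `res_ciphersuite` for every handshake, including a non-resumed one with a ticket merely configured, where the comparison has no meaning and aborts the handshake; it needs to be conditioned on an actual resumption. The enclosing function continues outside the hunk.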
Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index fb94a8998..b154835a3 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1233,6 +1233,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) { + ((void) ssl); #if defined(MBEDTLS_SSL_EARLY_DATA) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_algorithm_t hash_alg = PSA_ALG_NONE; @@ -1919,10 +1920,13 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * server selected ephemeral mode. In other cases, we could skip generating * the early secret. */ +#if defined(MBEDTLS_SSL_EARLY_DATA) if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) || ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) && handshake->key_exchange_mode == - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) { + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) +#endif + { ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET( From 43a83f247cdf787d5a0e46d14834389affe0ef2b Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 6 Jan 2023 06:02:54 +0000 Subject: [PATCH 26/51] Move the place where call set_outbound_transform to switch handshake key Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b154835a3..cd36ea867 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -2235,9 +2235,11 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); - /* Switch outbound back to handshake key after end_of_early_data */ - mbedtls_ssl_set_outbound_transform( - ssl, ssl->handshake->transform_handshake); + /* TODO: Currently switch outbound back to handshake key in the case of + * MBEDTLS_SSL_CLIENT_CERTIFICATE. If we refine the coordinate function + * of client certificate state machine, we have to move the switch + * outbound function. + */ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); From 33ff868dca6a29c2cb78537dc89f51815e1c65a4 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 10 Jan 2023 06:32:12 +0000 Subject: [PATCH 27/51] Fix various errors Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 2 ++ library/ssl_tls13_client.c | 7 ++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 086f980f2..2d805ad8a 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1180,7 +1180,9 @@ struct mbedtls_ssl_session { mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */ #endif int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */ +#if defined(MBEDTLS_SSL_SESSION_TICKETS) int MBEDTLS_PRIVATE(res_ciphersuite); /*!< resumption ciphersuite */ +#endif size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */ unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */ unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index cd36ea867..b79652569 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
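Review bot: The switch back to `ssl->handshake->transform_handshake` is replaced by a TODO stating it now happens in the `MBEDTLS_SSL_CLIENT_CERTIFICATE` state, but no code performing that switch is part of this commit, so between `mbedtls_ssl_finish_handshake_msg()` here and that state the outbound transform remains the early-data one. Any record written in that window — a fatal alert if the intervening code fails, for example — would presumably be protected with early-data keys the server no longer accepts once EndOfEarlyData has been sent (RFC 8446 §4.5). Either keep the switch here, or make the comment name the exact function that performs it so the dependency can be checked, e.g. `/* Outbound stays on early-data keys until <function> in the CLIENT_CERTIFICATE state switches to transform_handshake. */` with the placeholder filled in. ssl_tls13_write_end_of_early_data() continues outside the hunk.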
@@ -1106,7 +1106,8 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if (ssl->session_negotiate->res_ciphersuite != + if (ssl->handshake->resume && + ssl->session_negotiate->res_ciphersuite != ssl->session_negotiate->ciphersuite) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Invalid ciphersuite for session ticket psk.")); @@ -1702,8 +1703,10 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl, mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info); handshake->ciphersuite_info = ciphersuite_info; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) ssl->session_negotiate->res_ciphersuite = ssl->session_negotiate->ciphersuite; +#endif ssl->session_negotiate->ciphersuite = cipher_suite; MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s", @@ -2984,10 +2987,12 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) if (ret == 0) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); +#if defined(MBEDTLS_SSL_EARLY_DATA) MBEDTLS_SSL_DEBUG_MSG( 1, ("Switch to early data keys for outbound traffic")); mbedtls_ssl_set_outbound_transform( ssl, ssl->handshake->transform_earlydata); +#endif } break; #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ From 422424488344a4343a86dabc66b70a0b38996c7a Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 12 Jan 2023 02:26:17 +0000 Subject: [PATCH 28/51] Improve coding styles and add comments Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index b79652569..4384706e3 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -1262,6 +1262,7 @@ int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite); ssl->handshake->ciphersuite_info = ciphersuite_info; + /* Enable psk and psk_ephermal to make stage early happy */ ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; @@ -1924,10 +1925,10 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * the early secret. */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) - || ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) - && handshake->key_exchange_mode == - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) + if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) || + (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED && + handshake->key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) #endif { ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); From ea28a78384fcd347417b40de70c04f07da2a893a Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 12 Jan 2023 03:18:31 +0000 Subject: [PATCH 29/51] Revert new field and check ciphersuite match when resume by exist info_id Signed-off-by: Xiaokang Qian --- include/mbedtls/ssl.h | 3 --- library/ssl_tls13_client.c | 6 ++---- 2 files changed, 2 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 2d805ad8a..8bc8fd0bc 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h 
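Review bot: The new comment `/* Enable psk and psk_ephermal to make stage early happy */` has a typo (psk_ephemeral) and does not say what the workaround is for, which is the one thing a later maintainer will need. State the dependency explicitly, e.g. `/* The server has not chosen a key exchange yet; set a PSK-capable mode so that mbedtls_ssl_tls13_key_schedule_stage_early() below derives the early secret from the ticket PSK. */` — confirm that stage_early really keys on key_exchange_mode before adopting that wording. The enclosing function continues outside the hunk.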
@@ -1180,9 +1180,6 @@ struct mbedtls_ssl_session {
 mbedtls_time_t MBEDTLS_PRIVATE(start); /*!< starting time */
 #endif
 int MBEDTLS_PRIVATE(ciphersuite); /*!< chosen ciphersuite */
-#if defined(MBEDTLS_SSL_SESSION_TICKETS)
- int MBEDTLS_PRIVATE(res_ciphersuite); /*!< resumption ciphersuite */
-#endif
 size_t MBEDTLS_PRIVATE(id_len); /*!< session id length */
 unsigned char MBEDTLS_PRIVATE(id)[32]; /*!< session identifier */
 unsigned char MBEDTLS_PRIVATE(master)[48]; /*!< the master secret */
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 4384706e3..c91980ac1 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1106,8 +1106,7 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl,
 }
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
- if (ssl->handshake->resume &&
- ssl->session_negotiate->res_ciphersuite !=
+ if (ssl->handshake->ciphersuite_info->id !=
 ssl->session_negotiate->ciphersuite) {
 MBEDTLS_SSL_DEBUG_MSG(
 1, ("Invalid ciphersuite for session ticket psk."));
@@ -1705,8 +1704,7 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl,
 handshake->ciphersuite_info = ciphersuite_info;
 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
- ssl->session_negotiate->res_ciphersuite =
- ssl->session_negotiate->ciphersuite;
+ if (handshake->resume == 0)
 #endif
 ssl->session_negotiate->ciphersuite = cipher_suite;
From 1d8e86ce00353fe7b53fc1a2754255d89785a17c Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Thu, 12 Jan 2023 03:28:18 +0000
Subject: [PATCH 30/51] Get hash_alg by mbedtls_psa_translate_md
Signed-off-by: Xiaokang Qian
---
 library/ssl_tls13_client.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index c91980ac1..c925f8763 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1121,8 +1121,8 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, #endif if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len); - if (ssl_tls13_get_ciphersuite_hash_alg( - ssl->session_negotiate->ciphersuite) != hash_alg) { + if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac) + != hash_alg) { MBEDTLS_SSL_DEBUG_MSG( 1, ("Invalid ciphersuite for external psk.")); From 3f616c24930e25b7d97d4eb0873bd0373b69106b Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 12 Jan 2023 03:36:31 +0000 Subject: [PATCH 31/51] Move selected_identity zero check to post_server_hello Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 26 ++++++++++++++------------ 1 file changed, 14 insertions(+), 12 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index c925f8763..55e566546 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1903,6 +1903,20 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; goto cleanup; } +#if defined(MBEDTLS_SSL_EARLY_DATA) + if (ssl->handshake->sent_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && + ssl->handshake->selected_identity != 0) { + /* RFC8446 4.2.11 + * If the server supplies an "early_data" extension, the + * client MUST verify that the server's selected_identity + * is 0. If any other value is returned, the client MUST + * abort the handshake with an "illegal_parameter" alert. + */ + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } +#endif if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) { ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; 
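Review bot: The relocated check in ssl_tls13_postprocess_server_hello now fires on `ssl->handshake->sent_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)`, i.e. on the client having offered early data, but RFC 8446 §4.2.11 only requires `selected_identity == 0` when the server supplies an early_data extension. A server that declines early data and selects another offered identity (for example the external PSK listed after the ticket) is legitimate, and this version aborts such handshakes with illegal_parameter. The server's decision is only known after EncryptedExtensions, so the check belongs with that message's processing, where the version this hunk replaces lived; at minimum the condition must be tied to the server's early_data extension rather than the client's offer. The enclosing function continues outside the hunk.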
@@ -2123,18 +2137,6 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
 MBEDTLS_ERR_SSL_DECODE_ERROR);
 return MBEDTLS_ERR_SSL_DECODE_ERROR;
 }
- if (ssl->handshake->selected_identity != 0) {
- /* RFC8446 4.2.11
- * If the server supplies an "early_data" extension, the
- * client MUST verify that the server's selected_identity
- * is 0. If any other value is returned, the client MUST
- * abort the handshake with an "illegal_parameter" alert.
- */
- MBEDTLS_SSL_PEND_FATAL_ALERT(
- MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
- MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
- return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
- }
 break;
 #endif /* MBEDTLS_SSL_EARLY_DATA */
From 79f77528f582ea7bbd1925d84d33d2bec3d0de42 Mon Sep 17 00:00:00 2001
From: Xiaokang Qian
Date: Sat, 28 Jan 2023 10:35:29 +0000
Subject: [PATCH 32/51] Move state change to finalize client hello
Signed-off-by: Xiaokang Qian
---
 library/ssl_client.c | 15 +++++----------
 library/ssl_tls13_client.c | 7 +++++++
 2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 62af0f99f..2ad69f903 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -963,21 +963,16 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) buf_len, msg_len)); -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - if ((ssl->handshake->min_tls_version == MBEDTLS_SSL_VERSION_TLS1_3) && - (ssl->tls_version == MBEDTLS_SSL_VERSION_TLS1_3)) { -#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state( - ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); -#else +#if defined(MBEDTLS_SSL_PROTO_TLS1_2) + if (mbedtls_ssl_conf_is_tls12_only(ssl->conf)) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); -#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ } else #endif - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); + { #if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_ssl_tls13_finalize_write_client_hello(ssl); + mbedtls_ssl_tls13_finalize_write_client_hello(ssl); #endif + } } diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 55e566546..0c4a91203 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1234,6 +1234,13 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) { ((void) ssl); +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); +#else + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); +#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ + #if defined(MBEDTLS_SSL_EARLY_DATA) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_algorithm_t hash_alg = PSA_ALG_NONE; From f6d8fd3d6b15df758be9ebd2c0e0d0843a90bf4e Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 2 Feb 2023 02:46:26 +0000 Subject: [PATCH 33/51] Improve the coding style of new lines Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 0c4a91203..22e9e39e7 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -898,7 +898,6 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( size_t identity_len; size_t l_binders_len = 0; size_t output_len; - *out_len = 0; *binders_len = 0; @@ -962,7 +961,6 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( p += output_len; l_binders_len += 1 + PSA_HASH_LENGTH(hash_alg); - } #endif /* MBEDTLS_SSL_SESSION_TICKETS */ @@ -2990,6 +2988,7 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl) mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } break; + case MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO: ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl); if (ret == 0) { From bd0ab06d5013e419429daafbcbf00282f2e088f1 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 2 Feb 2023 05:56:30 +0000 Subject: [PATCH 34/51] Skip CCS once we proposed early data even it is rejected Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 22e9e39e7..ae51bd337 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2520,6 +2520,8 @@ static int ssl_tls13_process_server_finished(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED) { mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_END_OF_EARLY_DATA); + } else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); } else #endif /* MBEDTLS_SSL_EARLY_DATA */ { From 7892b6caada80328e1588555e22c7f277ab2dca6 Mon Sep 17 00:00:00 2001 
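Review bot: The new `else if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED)` branch in ssl_tls13_process_server_finished skips the CCS-after-server-Finished state without saying why, and the reason is protocol-level rather than obvious from the code. Record it: `/* RFC 8446 Appendix D.4: when early data was offered the dummy CCS was already sent right after the ClientHello, so no CCS precedes the second flight. */`. Since the branch is not under `MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE`, also confirm that the `else` default below lands in the same state when compatibility mode is off; that default is outside the hunk.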
From: Xiaokang Qian Date: Thu, 2 Feb 2023 06:05:48 +0000 Subject: [PATCH 35/51] Refine the comment about generating early secrects in post server hello Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index ae51bd337..add9f6c8f 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1935,11 +1935,14 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) ("Selected key exchange mode: %s", ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode))); - /* Start the TLS 1.3 key schedule: Set the PSK and derive early secret. + /* Start the TLS 1.3 key scheduling if not already done. * - * We do this in case we didn't offer 0-RTT or even we offered 0-RTT but - * server selected ephemeral mode. In other cases, we could skip generating - * the early secret. + * If we proposed early data then we have already derived an + * early secret using the selected PSK and its associated hash. + * It means that if the negotiated key exchange mode is psk or + * psk_ephemeral, we have already correctly computed the + * early secret and thus we do not do it again. In all other + * cases we compute it here. */ #if defined(MBEDTLS_SSL_EARLY_DATA) if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) || From 44051f6376a86e85d790d5214543a288d704f5be Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 2 Feb 2023 06:57:26 +0000 Subject: [PATCH 36/51] Refine the state change after write client hello Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 2ad69f903..d407520cf 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
@@ -963,17 +963,18 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) buf_len, msg_len)); -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - if (mbedtls_ssl_conf_is_tls12_only(ssl->conf)) { - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); - } else -#endif - { -#if defined(MBEDTLS_SSL_PROTO_TLS1_3) - mbedtls_ssl_tls13_finalize_write_client_hello(ssl); -#endif - } + /* + * Set next state. Note that if TLS 1.3 is proposed, this may be + * overwritten by mbedtls_ssl_tls13_finalize_write_client_hello(). + */ + mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); +#if defined(MBEDTLS_SSL_PROTO_TLS1_3) + if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && + MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version) { + ret = mbedtls_ssl_tls13_finalize_write_client_hello(ssl); + } +#endif } cleanup: From b58462157e58c7f1874f4f523e8adba158866048 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Thu, 2 Feb 2023 08:12:20 +0000 Subject: [PATCH 37/51] Refine the ciphersuite and select id check for early data Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 23 +++++++++++++---------- 1 file changed, 13 insertions(+), 10 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index add9f6c8f..5f89cadea 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1104,15 +1104,6 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_SSL_SESSION_TICKETS) - if (ssl->handshake->ciphersuite_info->id != - ssl->session_negotiate->ciphersuite) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Invalid ciphersuite for session ticket psk.")); - - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) { ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); } else 
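Review bot: The version window `ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version` only reads as "TLS 1.3 is among the versions offered" if `ssl->tls_version` still holds the maximum proposed version at this point in mbedtls_ssl_write_client_hello; that is not visible in the hunk, so a comment stating it would help, e.g. `/* ssl->tls_version is the highest version offered until the ServerHello fixes it. */`, with the assumption confirmed against the prepare step. Propagating `ret` from mbedtls_ssl_tls13_finalize_write_client_hello instead of discarding it is an improvement; note that a failure there now surfaces after the ClientHello has already been handed to the record layer, with the state left at SERVER_HELLO, so the caller must treat it as fatal. The function's `cleanup:` tail is outside the hunk.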
@@ -1909,7 +1900,8 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) goto cleanup; } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->handshake->sent_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && + if (ssl->handshake->received_extensions & + MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && ssl->handshake->selected_identity != 0) { /* RFC8446 4.2.11 * If the server supplies an "early_data" extension, the @@ -1921,6 +1913,17 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } + if (ssl->handshake->received_extensions & + MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && + ssl->handshake->ciphersuite_info->id != + ssl->session_negotiate->ciphersuite) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Invalid ciphersuite for session ticket psk.")); + + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } #endif if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) { From 7179f810f1b4c6cbae78c94935acc3d4ae4650ac Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 3 Feb 2023 03:38:44 +0000 Subject: [PATCH 38/51] Restore the empty lines Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 1 - library/ssl_tls13_client.c | 1 + 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index d407520cf..7ec43f5fc 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c @@ -893,7 +893,6 @@ static int ssl_prepare_client_hello(mbedtls_ssl_context *ssl) return 0; } - /* * Write ClientHello handshake message. * Handler for MBEDTLS_SSL_CLIENT_HELLO diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 5f89cadea..98926609d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
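Review bot: Switching the guard from `sent_extensions` to `received_extensions` makes both the selected_identity check in this hunk and the cipher-suite check added in the next one depend on EARLY_DATA being present in the mask while the ServerHello is being post-processed, but the server's early_data extension is carried in EncryptedExtensions (RFC 8446 4.2.10), not in ServerHello; if `received_extensions` is rebuilt per message, the mask cannot contain EARLY_DATA here and neither check ever fires. The previous `sent_extensions` test ran whenever the client had offered early data, which is the stricter choice, since a server that later accepts early data under a different PSK or cipher suite would otherwise be caught only at EncryptedExtensions, if at all. Please confirm how the mask is maintained before relying on it; the same condition is carried into the combined check of patch 42. Note also that the ticket cipher-suite check deleted from ssl_tls13_parse_server_pre_shared_key_ext in the previous hunk is now only enforced under this early-data guard, so plain resumption no longer ties the selected cipher suite to the ticket until the hash check added in patch 40.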
@@ -898,6 +898,7 @@ int mbedtls_ssl_tls13_write_identities_of_pre_shared_key_ext( size_t identity_len; size_t l_binders_len = 0; size_t output_len; + *out_len = 0; *binders_len = 0; From 6be8290aba46158bb79b7c36ebae950f292097aa Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Fri, 3 Feb 2023 06:04:43 +0000 Subject: [PATCH 39/51] Change to CCS after client hello only if we offer early data Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 98926609d..68bea23a5 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1224,12 +1224,6 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) { ((void) ssl); -#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) - mbedtls_ssl_handshake_set_state( - ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); -#else - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); -#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #if defined(MBEDTLS_SSL_EARLY_DATA) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -1239,6 +1233,10 @@ int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) const mbedtls_ssl_ciphersuite_t *ciphersuite_info; if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED) { +#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) + mbedtls_ssl_handshake_set_state( + ssl, MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO); +#endif MBEDTLS_SSL_DEBUG_MSG( 1, ("Set hs psk for early data when writing the first psk")); From ac4c625dead70e4930a78116cdf7897fe8e0902e Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 6 Feb 2023 10:15:00 +0000 Subject: [PATCH 40/51] Add hash check of ciphersuite for ticket psk Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 10 ++++++++++ 1 file changed, 10 insertions(+) 
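Review bot: The compatibility CCS is now scheduled only inside `if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED)`, which at this point in mbedtls_ssl_tls13_finalize_write_client_hello means "early data is being offered" rather than "the server rejected it", and nothing in the hunk says so. A comment above the new `#if` would help, e.g. `/* Early data is offered: in compatibility mode the client sends its dummy CCS right after ClientHello (RFC 8446 Appendix D.4). */`. Dropping the unconditional `mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO)` from the first hunk is only safe because patch 36 already sets SERVER_HELLO before calling this function; that dependency deserves a sentence in the commit message.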
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 68bea23a5..623849940 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1107,6 +1107,16 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SESSION_TICKETS) if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) { ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); + if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac) + != hash_alg) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Invalid ciphersuite for ticket psk.")); + + MBEDTLS_SSL_PEND_FATAL_ALERT( + MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } } else #endif if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { From 934ce6f6a9a0420d8b434f7cc8299cf9a3c6731f Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 6 Feb 2023 10:23:04 +0000 Subject: [PATCH 41/51] Rename the finalize_client{server}_hello() Signed-off-by: Xiaokang Qian --- library/ssl_client.c | 4 ++-- library/ssl_misc.h | 2 +- library/ssl_tls13_client.c | 2 +- library/ssl_tls13_server.c | 4 ++-- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/ssl_client.c b/library/ssl_client.c index 7ec43f5fc..963f8bb7c 100644 --- a/library/ssl_client.c +++ b/library/ssl_client.c 
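Review bot: The new comparison reads `hash_alg` immediately after `ssl_tls13_ticket_get_psk` without first looking at `ret`; if that call fails, `hash_alg` may be unset and the comparison runs on an indeterminate value before the `ret != 0` test that follows the if/else chain. Moving the check after `if (ret != 0) return ret;` fixes the ordering, and patch 45 in this series does exactly that, so this is mostly a note for bisectability. The debug text `"Invalid ciphersuite for ticket psk."` also understates what is compared: it is the cipher suite's hash against the hash the ticket PSK was provisioned with, as RFC 8446 4.2.11 requires, so `"ciphersuite hash does not match ticket PSK"` would name the actual failure.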
@@ -964,14 +964,14 @@ int mbedtls_ssl_write_client_hello(mbedtls_ssl_context *ssl) /* * Set next state. Note that if TLS 1.3 is proposed, this may be - * overwritten by mbedtls_ssl_tls13_finalize_write_client_hello(). + * overwritten by mbedtls_ssl_tls13_finalize_client_hello(). */ mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_SERVER_HELLO); #if defined(MBEDTLS_SSL_PROTO_TLS1_3) if (ssl->handshake->min_tls_version <= MBEDTLS_SSL_VERSION_TLS1_3 && MBEDTLS_SSL_VERSION_TLS1_3 <= ssl->tls_version) { - ret = mbedtls_ssl_tls13_finalize_write_client_hello(ssl); + ret = mbedtls_ssl_tls13_finalize_client_hello(ssl); } #endif } diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 29a60ec9a..ef05dcae6 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2741,7 +2741,7 @@ static inline void mbedtls_ssl_session_clear_ticket_flags( #endif /* MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_SESSION_TICKETS */ #if defined(MBEDTLS_SSL_CLI_C) && defined(MBEDTLS_SSL_PROTO_TLS1_3) -int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl); +int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl); #endif #endif /* ssl_misc.h */ diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 623849940..8970dd429 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1231,7 +1231,7 @@ int mbedtls_ssl_tls13_write_client_hello_exts(mbedtls_ssl_context *ssl, return 0; } -int mbedtls_ssl_tls13_finalize_write_client_hello(mbedtls_ssl_context *ssl) +int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) { ((void) ssl); diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index ef90f69a2..81c289aee 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c 
@@ -2100,7 +2100,7 @@ static int ssl_tls13_write_server_hello_body(mbedtls_ssl_context *ssl, } MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_tls13_finalize_write_server_hello(mbedtls_ssl_context *ssl) +static int ssl_tls13_finalize_server_hello(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; ret = mbedtls_ssl_tls13_compute_handshake_transform(ssl); @@ -2140,7 +2140,7 @@ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg( ssl, buf_len, msg_len)); - MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_write_server_hello(ssl)); + MBEDTLS_SSL_PROC_CHK(ssl_tls13_finalize_server_hello(ssl)); #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) /* The server sends a dummy change_cipher_spec record immediately From 02f5e14073b200ecb6cb0674cc465568c0ccd80c Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 6 Feb 2023 10:44:17 +0000 Subject: [PATCH 42/51] Combine the alert check of selected_id and ciphercuite Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 23 +++++++++-------------- 1 file changed, 9 insertions(+), 14 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 8970dd429..3d6f6266b 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -1909,30 +1909,25 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) goto cleanup; } #if defined(MBEDTLS_SSL_EARLY_DATA) - if (ssl->handshake->received_extensions & - MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && - ssl->handshake->selected_identity != 0) { + if (handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && + (handshake->selected_identity != 0 || + handshake->ciphersuite_info->id != + ssl->session_negotiate->ciphersuite)) { /* RFC8446 4.2.11 * If the server supplies an "early_data" extension, the * client MUST verify that the server's selected_identity * is 0. If any other value is returned, the client MUST * abort the handshake with an "illegal_parameter" alert. + * + * Clients MUST verify that the server selected a cipher suite + * indicating a Hash associated with the PSK, If this value are + * not consistent, the client MUST abort the handshake with an + * "illegal_parameter" alert. */ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; } - if (ssl->handshake->received_extensions & - MBEDTLS_SSL_EXT_MASK(EARLY_DATA) && - ssl->handshake->ciphersuite_info->id != - ssl->session_negotiate->ciphersuite) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Invalid ciphersuite for session ticket psk.")); - - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } #endif if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) { From bb883244aa86325cd5f7915cb6cf0bafc1fc7131 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 6 Feb 2023 10:46:35 +0000 Subject: [PATCH 43/51] Remove useless comments of outbound switch Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 3d6f6266b..46e728403 100644 
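Review bot: Merging the two conditions drops the only diagnostic, `MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid ciphersuite for session ticket psk."))`, so a handshake that fails here now pends an illegal_parameter alert with no log line saying which sub-condition triggered. Add a level-1 message before `MBEDTLS_SSL_PEND_FATAL_ALERT`, e.g. `MBEDTLS_SSL_DEBUG_MSG(1, ("Invalid selected_identity or ciphersuite for early data"));`. The `handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)` guard carried over from patch 37 still has the question raised there about whether EARLY_DATA can be in the mask at ServerHello time.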
--- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -2254,12 +2254,6 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0)); - /* TODO: Currently switch outbound back to handshake key in the case of - * MBEDTLS_SSL_CLIENT_CERTIFICATE. If we refine the coordinate function - * of client certificate state machine, we have to move the switch - * outbound function. - */ - mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE); cleanup: From 4ef8ba29387eaac2893ea22a449e7ad0abbd4668 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Mon, 6 Feb 2023 11:06:16 +0000 Subject: [PATCH 44/51] Assign the ciphersuite in finalize_hrr{server_hello} Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 46e728403..65a56b3bc 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1976,6 +1976,7 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) mbedtls_ssl_set_inbound_transform(ssl, handshake->transform_handshake); MBEDTLS_SSL_DEBUG_MSG(1, ("Switch to handshake keys for inbound traffic")); + ssl->session_negotiate->ciphersuite = handshake->ciphersuite_info->id; ssl->session_in = ssl->session_negotiate; cleanup: @@ -2006,6 +2007,7 @@ static int ssl_tls13_postprocess_hrr(mbedtls_ssl_context *ssl) return ret; } + ssl->session_negotiate->ciphersuite = ssl->handshake->ciphersuite_info->id; return 0; } From eb31cbc791a037d3a4cfc8ebf7a425e32f42a236 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 7 Feb 2023 02:08:56 +0000 Subject: [PATCH 45/51] Share the hash check code between ticket and external psk Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) 
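Review bot: Writing the HRR's selection into `ssl->session_negotiate->ciphersuite` in ssl_tls13_postprocess_hrr means that, on the second ServerHello, the early-data check in ssl_tls13_postprocess_server_hello (`handshake->ciphersuite_info->id != ssl->session_negotiate->ciphersuite`) compares against the HRR value rather than the cipher suite the ticket PSK was issued with. Per RFC 8446 4.2.10 early data is implicitly rejected once an HRR is received, so that guard should not fire, but the hash check in ssl_tls13_parse_server_pre_shared_key_ext then becomes the only thing tying the resumed PSK to the final cipher suite; confirm that is intended and record it at the new line, e.g. `/* Record the HRR selection; the PSK hash is still checked against it in ssl_tls13_parse_server_pre_shared_key_ext(). */`. The first hunk's assignment in ssl_tls13_postprocess_server_hello sits after the inbound transform switch and the `session_in` assignment, which reads as the right point, since it follows the early-data validation earlier in that function.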
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 65a56b3bc..24da11206 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1107,29 +1107,10 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, #if defined(MBEDTLS_SSL_SESSION_TICKETS) if (selected_identity == 0 && ssl_tls13_has_configured_ticket(ssl)) { ret = ssl_tls13_ticket_get_psk(ssl, &hash_alg, &psk, &psk_len); - if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac) - != hash_alg) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Invalid ciphersuite for ticket psk.")); - - MBEDTLS_SSL_PEND_FATAL_ALERT( - MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } } else #endif if (mbedtls_ssl_conf_has_static_psk(ssl->conf)) { ret = ssl_tls13_psk_get_psk(ssl, &hash_alg, &psk, &psk_len); - if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac) - != hash_alg) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("Invalid ciphersuite for external psk.")); - - MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, - MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } } else { MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); return MBEDTLS_ERR_SSL_INTERNAL_ERROR; @@ -1138,6 +1119,16 @@ static int ssl_tls13_parse_server_pre_shared_key_ext(mbedtls_ssl_context *ssl, return ret; } + if (mbedtls_psa_translate_md(ssl->handshake->ciphersuite_info->mac) + != hash_alg) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("Invalid ciphersuite for external psk.")); + + MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, + MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); + return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; + } + ret = mbedtls_ssl_set_hs_psk(ssl, psk, psk_len); if (ret != 0) { MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_set_hs_psk", ret); From e04afdc44fd23c49af9f2a7a7786958ccdd045f1 Mon Sep 17 00:00:00 2001 
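Review bot: The shared check keeps the debug text `"Invalid ciphersuite for external psk."` although it now also runs for the session-ticket path, so a resumption failure would be logged as an external-PSK problem; a neutral message such as `"Invalid ciphersuite hash for the selected PSK."` fits both branches. Placing the check after `if (ret != 0) return ret;` also resolves the ordering issue from patch 40, where `hash_alg` was compared before the result of the getter had been checked. The `if/else` chain that selects the getter begins inside the first hunk but the surrounding function continues past the second.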
From: Xiaokang Qian Date: Tue, 7 Feb 2023 02:19:42 +0000 Subject: [PATCH 46/51] Refine the condition of whether re-generate early keys Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 24da11206..1ff8a2fda 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1943,10 +1943,9 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * cases we compute it here. */ #if defined(MBEDTLS_SSL_EARLY_DATA) - if ((ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT) || - (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED && - handshake->key_exchange_mode == - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL)) + if (ssl->early_data_status == MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT || + handshake->key_exchange_mode == + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL) #endif { ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); From 64bc9bc33dac8417ef56457a2cb363b3266e7156 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 7 Feb 2023 02:32:23 +0000 Subject: [PATCH 47/51] Add comments to describe the early data behavior-encrypt/rejected... Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index 1ff8a2fda..dbb29ef5d 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
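Review bot: The new condition skips `mbedtls_ssl_tls13_key_schedule_stage_early` whenever a PSK-based mode was negotiated, on the assumption that the early secret derived at ClientHello time from the first offered PSK is the one the handshake will use. The ClientHello can carry both a ticket identity and the configured external PSK (ssl_tls13_parse_server_pre_shared_key_ext distinguishes `selected_identity == 0` with a ticket from the static-PSK case), so if early data was offered and the server selected another identity without accepting early data, the retained early secret would be bound to the wrong PSK and the handshake would fail at Finished. Unless the PSK path already guarantees `selected_identity == 0` in that situation, the recomputation should also run when `handshake->selected_identity != 0`; please confirm either way and state the invariant in the comment above the `#if`.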
@@ -1254,6 +1254,19 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) return ret; } + /* + * Early data are going to be encrypted using the ciphersuite + * associated with the pre-shared key used for the handshake. + * Note that if the server rejects early data, the handshake + * based on the pre-shared key may complete successfully + * with a selected ciphersuite different from the ciphersuite + * associated with the pre-shared key. Only the hashes of the + * two ciphersuites have to be the same. In that case, the + * encrypted handshake data and application data are + * encrypted using a different ciphersuite than the one used for + * the rejected early data. + */ + ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite); ssl->handshake->ciphersuite_info = ciphersuite_info; From 53c4c27d3514931e97404497368eb2f771359620 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 7 Feb 2023 02:42:01 +0000 Subject: [PATCH 48/51] Update the comment of ciphersuite check for early data Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index dbb29ef5d..e8f79317e 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
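Review bot: The new comment states that only the hashes of the two cipher suites have to agree but not where that is enforced, which is the piece a reader auditing the early-data path will look for; a closing sentence such as `The hash equality is checked in ssl_tls13_parse_server_pre_shared_key_ext() when the server's pre_shared_key extension is parsed.` connects the two. "Early data are going to be encrypted" reads better as "Early data is going to be encrypted", matching the RFC's usage.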
@@ -1923,10 +1923,15 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * is 0. If any other value is returned, the client MUST * abort the handshake with an "illegal_parameter" alert. * - * Clients MUST verify that the server selected a cipher suite - * indicating a Hash associated with the PSK, If this value are - * not consistent, the client MUST abort the handshake with an - * "illegal_parameter" alert. + * RFC 8446 4.2.10 + * In order to accept early data, the server MUST have accepted a PSK + * cipher suite and selected the first key offered in the client's + * "pre_shared_key" extension. In addition, it MUST verify that the + * following values are the same as those associated with the + * selected PSK: + * - The TLS version number + * - The selected cipher suite + * - The selected ALPN [RFC7301] protocol, if any (not checked yet) */ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); From 6b980011e512cbf8d26f042010e478499b223308 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 7 Feb 2023 03:17:45 +0000 Subject: [PATCH 49/51] Replace session_negotiate->ciphersuite with handshake->ciphersuite_info->id Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 5 ----- library/ssl_tls13_generic.c | 5 ++--- library/ssl_tls13_keys.c | 6 +++--- 3 files changed, 5 insertions(+), 11 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index e8f79317e..f7f9f9992 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c 
@@ -1712,11 +1712,6 @@ static int ssl_tls13_parse_server_hello(mbedtls_ssl_context *ssl, mbedtls_ssl_optimize_checksum(ssl, ciphersuite_info); handshake->ciphersuite_info = ciphersuite_info; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) - if (handshake->resume == 0) -#endif - ssl->session_negotiate->ciphersuite = cipher_suite; - MBEDTLS_SSL_DEBUG_MSG(3, ("server hello, chosen ciphersuite: ( %04x ) - %s", cipher_suite, ciphersuite_info->name)); diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 513937e0e..4fb73f91b 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -1378,9 +1378,8 @@ int mbedtls_ssl_reset_transcript_for_hrr(mbedtls_ssl_context *ssl) int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char hash_transcript[PSA_HASH_MAX_SIZE + 4]; size_t hash_len; - const mbedtls_ssl_ciphersuite_t *ciphersuite_info; - uint16_t cipher_suite = ssl->session_negotiate->ciphersuite; - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(cipher_suite); + const mbedtls_ssl_ciphersuite_t *ciphersuite_info = + ssl->handshake->ciphersuite_info; MBEDTLS_SSL_DEBUG_MSG(3, ("Reset SSL session for HRR")); diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c index b92f12e6d..2e34ee873 100644 --- a/library/ssl_tls13_keys.c +++ b/library/ssl_tls13_keys.c @@ -1238,7 +1238,7 @@ int mbedtls_ssl_tls13_compute_early_transform(mbedtls_ssl_context *ssl) ret = mbedtls_ssl_tls13_populate_transform( transform_earlydata, ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, + handshake->ciphersuite_info->id, &traffic_keys, ssl); if (ret != 0) { @@ -1699,7 +1699,7 @@ int mbedtls_ssl_tls13_compute_handshake_transform(mbedtls_ssl_context *ssl) ret = mbedtls_ssl_tls13_populate_transform( transform_handshake, ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, + handshake->ciphersuite_info->id, &traffic_keys, ssl); if (ret != 0) { 
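Review bot: With the assignment gone from ssl_tls13_parse_server_hello, `ssl->session_negotiate->ciphersuite` keeps the resumed session's value until ssl_tls13_postprocess_server_hello stores `handshake->ciphersuite_info->id` (patch 44), and the early-data check in between relies on exactly that, but nothing at `handshake->ciphersuite_info = ciphersuite_info;` records the invariant. A comment there, e.g. `/* session_negotiate->ciphersuite is only updated in ssl_tls13_postprocess_server_hello(), after the selection has been checked against the PSK's cipher suite. */`, would keep the next refactor from reintroducing an early write. The ssl_tls13_generic.c and ssl_tls13_keys.c hunks are consistent with the new single source of truth; the compute_application_transform hunk on the next line spells it `ssl->handshake->ciphersuite_info->id` where the other two use the local `handshake`, which is harmless but could match.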
@@ -1789,7 +1789,7 @@ int mbedtls_ssl_tls13_compute_application_transform(mbedtls_ssl_context *ssl) ret = mbedtls_ssl_tls13_populate_transform( transform_application, ssl->conf->endpoint, - ssl->session_negotiate->ciphersuite, + ssl->handshake->ciphersuite_info->id, &traffic_keys, ssl); if (ret != 0) { From 8dc4ce76c748bd44a059d493ef2cfcc9ef43bb95 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Tue, 7 Feb 2023 10:49:50 +0000 Subject: [PATCH 50/51] Fix various coding style and comment issues Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index f7f9f9992..e896e82da 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1266,16 +1266,16 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) * encrypted using a different ciphersuite than the one used for * the rejected early data. */ - ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( ssl->session_negotiate->ciphersuite); ssl->handshake->ciphersuite_info = ciphersuite_info; + /* Enable psk and psk_ephermal to make stage early happy */ ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL; /* Start the TLS 1.3 key schedule: - * Set the PSK and derive early secret. + * Set the PSK and derive early secret. */ ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); if (ret != 0) { 
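Review bot: The added comment `/* Enable psk and psk_ephermal to make stage early happy */` has a typo (`ephermal`) and describes the intent as appeasing a function rather than stating the reason the mode is forced. Something like `/* Temporarily select PSK_ALL so that mbedtls_ssl_tls13_key_schedule_stage_early() derives a PSK-based early secret; the negotiated mode is set once the ServerHello is processed. */` says the same thing precisely (the "Selected key exchange mode" log in ssl_tls13_postprocess_server_hello is where the real selection appears, as far as this series shows). The function mbedtls_ssl_tls13_finalize_client_hello continues past the hunk.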
@@ -1926,7 +1926,11 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) * selected PSK: * - The TLS version number * - The selected cipher suite - * - The selected ALPN [RFC7301] protocol, if any (not checked yet) + * - The selected ALPN [RFC7301] protocol, if any + * + * We check here that when early data is involved the server + * selected the cipher suite associated to the pre-shared key + * as it must have. */ MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER); From 0de0d863b615ca292f2eaed4a7db1b321bcf20d4 Mon Sep 17 00:00:00 2001 From: Xiaokang Qian Date: Wed, 8 Feb 2023 06:04:50 +0000 Subject: [PATCH 51/51] Rebase code to restore reco-delay and fix some style issues Signed-off-by: Xiaokang Qian --- library/ssl_tls13_client.c | 14 ++++++++------ tests/opt-testcases/tls13-misc.sh | 2 +- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c index e896e82da..1e79afab8 100644 --- a/library/ssl_tls13_client.c +++ b/library/ssl_tls13_client.c @@ -1279,16 +1279,16 @@ int mbedtls_ssl_tls13_finalize_client_hello(mbedtls_ssl_context *ssl) */ ret = mbedtls_ssl_tls13_key_schedule_stage_early(ssl); if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, - "mbedtls_ssl_tls13_key_schedule_stage_early", ret); + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_key_schedule_stage_early", ret); return ret; } /* Derive early data key material */ ret = mbedtls_ssl_tls13_compute_early_transform(ssl); if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, - "mbedtls_ssl_tls13_compute_early_transform", ret); + MBEDTLS_SSL_DEBUG_RET( + 1, "mbedtls_ssl_tls13_compute_early_transform", ret); return ret; } 
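Review bot: Dropping `(not checked yet)` from the ALPN bullet removes the only indication that this check does not compare the server's ALPN selection with the one associated with the PSK, while the added sentence only claims the cipher-suite comparison. Unless the ALPN comparison is performed elsewhere (it is not visible in this series), keep a marker, e.g. `* - The selected ALPN [RFC7301] protocol, if any (not checked here)`, so a reader does not assume all three conditions are enforced at this point.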
@@ -1938,7 +1938,8 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl) } #endif - if (!mbedtls_ssl_conf_tls13_check_kex_modes(ssl, handshake->key_exchange_mode)) { + if (!mbedtls_ssl_conf_tls13_check_kex_modes( + ssl, handshake->key_exchange_mode)) { ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; MBEDTLS_SSL_DEBUG_MSG(2, ("Key exchange mode(%s) is not supported.", @@ -2255,7 +2256,8 @@ static int ssl_tls13_write_end_of_early_data(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("=> write EndOfEarlyData")); MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg( - ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, &buf, &buf_len)); + ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, + &buf, &buf_len)); mbedtls_ssl_add_hs_hdr_to_checksum( ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0); diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 711b5125b..46c371fe0 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -274,7 +274,7 @@ requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED run_test "TLS 1.3 m->G: EarlyData: basic check, good" \ "$G_NEXT_SRV -d 10 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+CIPHER-ALL:+ECDHE-PSK:+PSK --earlydata --disable-client-cert" \ - "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=2" \ + "$P_CLI debug_level=4 early_data=1 reco_mode=1 reconnect=1 reco_delay=900" \ 0 \ -c "Reconnecting with saved session" \ -c "NewSessionTicket: early_data(42) extension received." \