cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-10-04 11:09:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #5276 from xkqian/add_hello_retry_request

Browse Source 
Add hello retry request in client side
This commit is contained in:
Ronald Cron 2022-01-27 11:17:10 +01:00 committed by GitHub
commit fedefdd6f9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 530 additions and 95 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/mbedtls/ssl.h
View File

@ -505,6 +505,7 @@
#define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY 15 #define MBEDTLS_SSL_HS_CERTIFICATE_VERIFY 15
#define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE 16 #define MBEDTLS_SSL_HS_CLIENT_KEY_EXCHANGE 16
#define MBEDTLS_SSL_HS_FINISHED 20 #define MBEDTLS_SSL_HS_FINISHED 20
#define MBEDTLS_SSL_HS_MESSAGE_HASH 254
/* /*
* TLS extensions * TLS extensions
@ -643,6 +644,7 @@ typedef enum
MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY, MBEDTLS_SSL_CLIENT_CERTIFICATE_VERIFY,
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED, MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED,
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO,
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
} }

23
library/ssl_misc.h
View File

@ -591,6 +591,11 @@ struct mbedtls_ssl_handshake_params
int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */ int tls13_kex_modes; /*!< key exchange modes for TLS 1.3 */
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_CLI_C)
/*!< Number of Hello Retry Request messages received from the server. */
int hello_retry_request_count;
#endif /* MBEDTLS_SSL_CLI_C */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \
defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */ mbedtls_ssl_sig_hash_set_t hash_algs; /*!< Set of suitable sig-hash pairs */
@ -687,15 +692,19 @@ struct mbedtls_ssl_handshake_params
} buffering; } buffering;
#if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
* for dtls / tls 1.3
* Srv: unused */
unsigned char verify_cookie_len; /*!< Cli: cookie length for
* dtls / tls 1.3
* Srv: flag for sending a cookie */
#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS)
unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */ unsigned int out_msg_seq; /*!< Outgoing handshake sequence number */
unsigned int in_msg_seq; /*!< Incoming handshake sequence number */ unsigned int in_msg_seq; /*!< Incoming handshake sequence number */
unsigned char *verify_cookie; /*!< Cli: HelloVerifyRequest cookie
Srv: unused */
unsigned char verify_cookie_len; /*!< Cli: cookie length
Srv: flag for sending a cookie */
uint32_t retransmit_timeout; /*!< Current value of timeout */ uint32_t retransmit_timeout; /*!< Current value of timeout */
mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */ mbedtls_ssl_flight_item *flight; /*!< Current outgoing flight */
mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */ mbedtls_ssl_flight_item *cur_msg; /*!< Current message in flight */
@ -1442,6 +1451,8 @@ void mbedtls_ssl_update_out_pointers( mbedtls_ssl_context *ssl,
void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl ); void mbedtls_ssl_update_in_pointers( mbedtls_ssl_context *ssl );
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ); int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial );
void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
int partial );
/* /*
* Send pending alert * Send pending alert
@ -1721,6 +1732,8 @@ void mbedtls_ssl_tls13_add_hs_msg_to_checksum( mbedtls_ssl_context *ssl,
unsigned char const *msg, unsigned char const *msg,
size_t msg_len ); size_t msg_len );
int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)

32
library/ssl_tls.c
View File

@ -3400,7 +3400,7 @@ error:
* If partial is non-zero, keep data in the input buffer and client ID. * If partial is non-zero, keep data in the input buffer and client ID.
* (Use when a DTLS client reconnects from the same port.) * (Use when a DTLS client reconnects from the same port.)
*/ */
static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl, void mbedtls_ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
int partial ) int partial )
{ {
#if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH) #if defined(MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH)
@ -3453,12 +3453,32 @@ static void ssl_session_reset_msg_layer( mbedtls_ssl_context *ssl,
mbedtls_ssl_dtls_replay_reset( ssl ); mbedtls_ssl_dtls_replay_reset( ssl );
#endif #endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if( ssl->transform ) if( ssl->transform )
{ {
mbedtls_ssl_transform_free( ssl->transform ); mbedtls_ssl_transform_free( ssl->transform );
mbedtls_free( ssl->transform ); mbedtls_free( ssl->transform );
ssl->transform = NULL; ssl->transform = NULL;
} }
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_ssl_transform_free( ssl->transform_application );
mbedtls_free( ssl->transform_application );
ssl->transform_application = NULL;
if( ssl->handshake != NULL )
{
mbedtls_ssl_transform_free( ssl->handshake->transform_earlydata );
mbedtls_free( ssl->handshake->transform_earlydata );
ssl->handshake->transform_earlydata = NULL;
mbedtls_ssl_transform_free( ssl->handshake->transform_handshake );
mbedtls_free( ssl->handshake->transform_handshake );
ssl->handshake->transform_handshake = NULL;
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
} }
int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial ) int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
@ -3467,7 +3487,7 @@ int mbedtls_ssl_session_reset_int( mbedtls_ssl_context *ssl, int partial )
ssl->state = MBEDTLS_SSL_HELLO_REQUEST; ssl->state = MBEDTLS_SSL_HELLO_REQUEST;
ssl_session_reset_msg_layer( ssl, partial ); mbedtls_ssl_session_reset_msg_layer( ssl, partial );
/* Reset renegotiation state */ /* Reset renegotiation state */
#if defined(MBEDTLS_SSL_RENEGOTIATION) #if defined(MBEDTLS_SSL_RENEGOTIATION)
@ -5669,11 +5689,14 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl )
mbedtls_pk_free( &handshake->peer_pubkey ); mbedtls_pk_free( &handshake->peer_pubkey );
#endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ #endif /* MBEDTLS_X509_CRT_PARSE_C && !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */
#if defined(MBEDTLS_SSL_PROTO_DTLS) #if defined(MBEDTLS_SSL_PROTO_DTLS) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
mbedtls_free( handshake->verify_cookie ); mbedtls_free( handshake->verify_cookie );
#endif /* MBEDTLS_SSL_PROTO_DTLS || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_PROTO_DTLS)
mbedtls_ssl_flight_free( handshake->flight ); mbedtls_ssl_flight_free( handshake->flight );
mbedtls_ssl_buffering_free( ssl ); mbedtls_ssl_buffering_free( ssl );
#endif #endif /* MBEDTLS_SSL_PROTO_DTLS */
#if defined(MBEDTLS_ECDH_C) && \ #if defined(MBEDTLS_ECDH_C) && \
defined(MBEDTLS_USE_PSA_CRYPTO) defined(MBEDTLS_USE_PSA_CRYPTO)
@ -7384,6 +7407,7 @@ int mbedtls_ssl_get_handshake_transcript( mbedtls_ssl_context *ssl,
} }
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
} }
#endif /* !MBEDTLS_USE_PSA_CRYPTO */ #endif /* !MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) || \

397
library/ssl_tls13_client.c
View File

@ -115,6 +115,28 @@ static int ssl_tls13_parse_supported_versions_ext( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
static int ssl_tls13_reset_key_share( mbedtls_ssl_context *ssl )
{
uint16_t group_id = ssl->handshake->offered_group_id;
if( group_id == 0 )
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
#if defined(MBEDTLS_ECDH_C)
if( mbedtls_ssl_tls13_named_group_is_ecdhe( group_id ) )
{
mbedtls_ecdh_free( &ssl->handshake->ecdh_ctx );
return( 0 );
}
else
#endif /* MBEDTLS_ECDH_C */
if( 0 /* other KEMs? */ )
{
/* Do something */
}
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
/* /*
* Functions for writing key_share extension. * Functions for writing key_share extension.
*/ */
@ -371,6 +393,76 @@ static int ssl_tls13_read_public_ecdhe_share( mbedtls_ssl_context *ssl,
} }
#endif /* MBEDTLS_ECDH_C */ #endif /* MBEDTLS_ECDH_C */
/*
* ssl_tls13_parse_hrr_key_share_ext()
* Parse key_share extension in Hello Retry Request
*
* struct {
* NamedGroup selected_group;
* } KeyShareHelloRetryRequest;
*/
static int ssl_tls13_parse_hrr_key_share_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
const mbedtls_ecp_curve_info *curve_info = NULL;
const unsigned char *p = buf;
int selected_group;
int found = 0;
const uint16_t *group_list = mbedtls_ssl_get_groups( ssl );
if( group_list == NULL )
return( MBEDTLS_ERR_SSL_BAD_CONFIG );
MBEDTLS_SSL_DEBUG_BUF( 3, "key_share extension", p, end - buf );
/* Read selected_group */
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
selected_group = MBEDTLS_GET_UINT16_BE( p, 0 );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "selected_group ( %d )", selected_group ) );
/* Upon receipt of this extension in a HelloRetryRequest, the client
* MUST first verify that the selected_group field corresponds to a
* group which was provided in the "supported_groups" extension in the
* original ClientHello.
* The supported_group was based on the info in ssl->conf->group_list.
*
* If the server provided a key share that was not sent in the ClientHello
* then the client MUST abort the handshake with an "illegal_parameter" alert.
*/
for( ; *group_list != 0; group_list++ )
{
curve_info = mbedtls_ecp_curve_info_from_tls_id( *group_list );
if( curve_info == NULL || curve_info->tls_id != selected_group )
continue;
/* We found a match */
found = 1;
break;
}
/* Client MUST verify that the selected_group field does not
* correspond to a group which was provided in the "key_share"
* extension in the original ClientHello. If the server sent an
* HRR message with a key share already provided in the
* ClientHello then the client MUST abort the handshake with
* an "illegal_parameter" alert.
*/
if( found == 0 || selected_group == ssl->handshake->offered_group_id )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Invalid key share in HRR" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
/* Remember server's preference for next ClientHello */
ssl->handshake->offered_group_id = selected_group;
return( 0 );
}
/* /*
* ssl_tls13_parse_key_share_ext() * ssl_tls13_parse_key_share_ext()
* Parse key_share extension in Server Hello * Parse key_share extension in Server Hello
@ -434,6 +526,55 @@ static int ssl_tls13_parse_key_share_ext( mbedtls_ssl_context *ssl,
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/*
* ssl_tls13_parse_cookie_ext()
* Parse cookie extension in Hello Retry Request
*
* struct {
* opaque cookie<1..2^16-1>;
* } Cookie;
*
* When sending a HelloRetryRequest, the server MAY provide a "cookie"
* extension to the client (this is an exception to the usual rule that
* the only extensions that may be sent are those that appear in the
* ClientHello). When sending the new ClientHello, the client MUST copy
* the contents of the extension received in the HelloRetryRequest into
* a "cookie" extension in the new ClientHello. Clients MUST NOT use
* cookies in their initial ClientHello in subsequent connections.
*/
static int ssl_tls13_parse_cookie_ext( mbedtls_ssl_context *ssl,
const unsigned char *buf,
const unsigned char *end )
{
size_t cookie_len;
const unsigned char *p = buf;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
/* Retrieve length field of cookie */
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, 2 );
cookie_len = MBEDTLS_GET_UINT16_BE( p, 0 );
p += 2;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, end, cookie_len );
MBEDTLS_SSL_DEBUG_BUF( 3, "cookie extension", p, cookie_len );
mbedtls_free( handshake->verify_cookie );
handshake->verify_cookie_len = 0;
handshake->verify_cookie = mbedtls_calloc( 1, cookie_len );
if( handshake->verify_cookie == NULL )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "alloc failed ( %" MBEDTLS_PRINTF_SIZET " bytes )",
cookie_len ) );
return( MBEDTLS_ERR_SSL_ALLOC_FAILED );
}
memcpy( handshake->verify_cookie, p, cookie_len );
handshake->verify_cookie_len = (unsigned char) cookie_len;
return( 0 );
}
/* Write cipher_suites /* Write cipher_suites
* CipherSuite cipher_suites<2..2^16-2>; * CipherSuite cipher_suites<2..2^16-2>;
*/ */
@ -747,7 +888,8 @@ cleanup:
/* Returns a negative value on failure, and otherwise /* Returns a negative value on failure, and otherwise
* - SSL_SERVER_HELLO_COORDINATE_HELLO or * - SSL_SERVER_HELLO_COORDINATE_HELLO or
* - SSL_SERVER_HELLO_COORDINATE_HRR * - SSL_SERVER_HELLO_COORDINATE_HRR
* to indicate which message is expected and to be parsed next. */ * to indicate which message is expected and to be parsed next.
*/
#define SSL_SERVER_HELLO_COORDINATE_HELLO 0 #define SSL_SERVER_HELLO_COORDINATE_HELLO 0
#define SSL_SERVER_HELLO_COORDINATE_HRR 1 #define SSL_SERVER_HELLO_COORDINATE_HRR 1
static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl, static int ssl_server_hello_is_hrr( mbedtls_ssl_context *ssl,
@ -796,20 +938,9 @@ static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_read_record( ssl, 0 ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_tls13_fetch_handshake_msg( ssl,
MBEDTLS_SSL_HS_SERVER_HELLO,
if( ( ssl->in_msgtype != MBEDTLS_SSL_MSG_HANDSHAKE ) || buf, buf_len ) );
( ssl->in_msg[0] != MBEDTLS_SSL_HS_SERVER_HELLO ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "unexpected message" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
*buf = ssl->in_msg + 4;
*buf_len = ssl->in_hslen - 4;
ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len ); ret = ssl_server_hello_is_hrr( ssl, *buf, *buf + *buf_len );
switch( ret ) switch( ret )
@ -819,6 +950,36 @@ static int ssl_tls13_server_hello_coordinate( mbedtls_ssl_context *ssl,
break; break;
case SSL_SERVER_HELLO_COORDINATE_HRR: case SSL_SERVER_HELLO_COORDINATE_HRR:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "received HelloRetryRequest message" ) );
/* If a client receives a second
* HelloRetryRequest in the same connection (i.e., where the ClientHello
* was itself in response to a HelloRetryRequest), it MUST abort the
* handshake with an "unexpected_message" alert.
*/
if( ssl->handshake->hello_retry_request_count > 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Multiple HRRs received" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
return( MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE );
}
/*
* Clients must abort the handshake with an "illegal_parameter"
* alert if the HelloRetryRequest would not result in any change
* in the ClientHello.
* In a PSK only key exchange that what we expect.
*/
if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
{
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Unexpected HRR in pure PSK key exchange." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER);
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
}
ssl->handshake->hello_retry_request_count++;
break; break;
} }
@ -892,14 +1053,18 @@ static int ssl_tls13_cipher_suite_is_offered( mbedtls_ssl_context *ssl,
*/ */
static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl, static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
const unsigned char *buf, const unsigned char *buf,
const unsigned char *end ) const unsigned char *end,
int is_hrr )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *p = buf; const unsigned char *p = buf;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
size_t extensions_len; size_t extensions_len;
const unsigned char *extensions_end; const unsigned char *extensions_end;
uint16_t cipher_suite; uint16_t cipher_suite;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info; const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
int supported_versions_ext_found = 0;
int fatal_alert = 0;
/* /*
* Check there is space for minimal fields * Check there is space for minimal fields
@ -927,7 +1092,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "Unsupported version of TLS." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION, MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_PROTOCOL_VERSION,
MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION );
return( MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION ); ret = MBEDTLS_ERR_SSL_BAD_PROTOCOL_VERSION;
goto cleanup;
} }
p += 2; p += 2;
@ -937,10 +1103,13 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
* with Random defined as: * with Random defined as:
* opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN];
*/ */
memcpy( &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p, if( !is_hrr )
{
memcpy( &handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], p,
MBEDTLS_SERVER_HELLO_RANDOM_LEN ); MBEDTLS_SERVER_HELLO_RANDOM_LEN );
MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes",
p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); p, MBEDTLS_SERVER_HELLO_RANDOM_LEN );
}
p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; p += MBEDTLS_SERVER_HELLO_RANDOM_LEN;
/* ... /* ...
@ -949,9 +1118,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
*/ */
if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 ) if( ssl_tls13_check_server_hello_session_id_echo( ssl, &p, end ) != 0 )
{ {
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); goto cleanup;
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
} }
/* ... /* ...
@ -965,28 +1133,40 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
p += 2; p += 2;
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
/* /*
* Check whether this ciphersuite is supported and offered. * Check whether this ciphersuite is supported and offered.
* Via the force_ciphersuite version we may have instructed the client * Via the force_ciphersuite version we may have instructed the client
* to use a different ciphersuite. * to use a different ciphersuite.
*/ */
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
if( ciphersuite_info == NULL || if( ciphersuite_info == NULL ||
ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 ) ssl_tls13_cipher_suite_is_offered( ssl, cipher_suite ) == 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "ciphersuite(%04x) not found or not offered", fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
cipher_suite ) ); }
/*
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, * If we received an HRR before and that the proposed selected
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); * ciphersuite in this server hello is not the same as the one
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); * proposed in the HRR, we abort the handshake and send an
* "illegal_parameter" alert.
*/
else if( ( !is_hrr ) && ( handshake->hello_retry_request_count > 0 ) &&
( cipher_suite != ssl->session_negotiate->ciphersuite ) )
{
fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
} }
if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid ciphersuite(%04x) parameter",
cipher_suite ) );
goto cleanup;
}
/* Configure ciphersuites */ /* Configure ciphersuites */
mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info ); mbedtls_ssl_optimize_checksum( ssl, ciphersuite_info );
ssl->handshake->ciphersuite_info = ciphersuite_info; handshake->ciphersuite_info = ciphersuite_info;
ssl->session_negotiate->ciphersuite = cipher_suite; ssl->session_negotiate->ciphersuite = cipher_suite;
MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s", MBEDTLS_SSL_DEBUG_MSG( 3, ( "server hello, chosen ciphersuite: ( %04x ) - %s",
@ -1004,9 +1184,8 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
if( p[0] != 0 ) if( p[0] != 0 )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "bad legacy compression method" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER, fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); goto cleanup;
return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
} }
p++; p++;
@ -1032,6 +1211,7 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
{ {
unsigned int extension_type; unsigned int extension_type;
size_t extension_data_len; size_t extension_data_len;
const unsigned char *extension_data_end;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, 4 );
extension_type = MBEDTLS_GET_UINT16_BE( p, 0 ); extension_type = MBEDTLS_GET_UINT16_BE( p, 0 );
@ -1039,39 +1219,69 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
p += 4; p += 4;
MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len ); MBEDTLS_SSL_CHK_BUF_READ_PTR( p, extensions_end, extension_data_len );
extension_data_end = p + extension_data_len;
switch( extension_type ) switch( extension_type )
{ {
case MBEDTLS_TLS_EXT_COOKIE:
if( !is_hrr )
{
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
goto cleanup;
}
ret = ssl_tls13_parse_cookie_ext( ssl,
p, extension_data_end );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"ssl_tls13_parse_cookie_ext",
ret );
goto cleanup;
}
break;
case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS: case MBEDTLS_TLS_EXT_SUPPORTED_VERSIONS:
supported_versions_ext_found = 1;
MBEDTLS_SSL_DEBUG_MSG( 3, MBEDTLS_SSL_DEBUG_MSG( 3,
( "found supported_versions extension" ) ); ( "found supported_versions extension" ) );
ret = ssl_tls13_parse_supported_versions_ext( ssl, ret = ssl_tls13_parse_supported_versions_ext( ssl,
p, p,
p + extension_data_len ); extension_data_end );
if( ret != 0 ) if( ret != 0 )
return( ret ); goto cleanup;
break; break;
case MBEDTLS_TLS_EXT_PRE_SHARED_KEY: case MBEDTLS_TLS_EXT_PRE_SHARED_KEY:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found pre_shared_key extension." ) );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "pre_shared_key:Not supported yet" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, goto cleanup;
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
case MBEDTLS_TLS_EXT_KEY_SHARE: case MBEDTLS_TLS_EXT_KEY_SHARE:
MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) ); MBEDTLS_SSL_DEBUG_MSG( 3, ( "found key_shares extension" ) );
if( ( ret = ssl_tls13_parse_key_share_ext( ssl, if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) )
p, p + extension_data_len ) ) != 0 ) {
fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
goto cleanup;
}
if( is_hrr )
ret = ssl_tls13_parse_hrr_key_share_ext( ssl,
p, extension_data_end );
else
ret = ssl_tls13_parse_key_share_ext( ssl,
p, extension_data_end );
if( ret != 0 )
{ {
MBEDTLS_SSL_DEBUG_RET( 1, MBEDTLS_SSL_DEBUG_RET( 1,
"ssl_tls13_parse_key_share_ext", "ssl_tls13_parse_key_share_ext",
ret ); ret );
return( ret ); goto cleanup;
} }
break; break;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
@ -1082,19 +1292,38 @@ static int ssl_tls13_parse_server_hello( mbedtls_ssl_context *ssl,
( "unknown extension found: %u ( ignoring )", ( "unknown extension found: %u ( ignoring )",
extension_type ) ); extension_type ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( fatal_alert = MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT;
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT, goto cleanup;
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
return( MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
} }
p += extension_data_len; p += extension_data_len;
} }
return( 0 ); if( !supported_versions_ext_found )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "supported_versions not found" ) );
fatal_alert = MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER;
goto cleanup;
}
cleanup:
if( fatal_alert == MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT )
{
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,
MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION );
ret = MBEDTLS_ERR_SSL_UNSUPPORTED_EXTENSION;
}
else if ( fatal_alert == MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER )
{
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER,
MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER );
ret = MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
return( ret );
} }
static int ssl_tls13_finalize_server_hello( mbedtls_ssl_context *ssl ) static int ssl_tls13_postprocess_server_hello( mbedtls_ssl_context *ssl )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_key_set traffic_keys; mbedtls_ssl_key_set traffic_keys;
@ -1208,6 +1437,40 @@ cleanup:
return( ret ); return( ret );
} }
static int ssl_tls13_postprocess_hrr( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED)
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
/* If not offering early data, the client sends a dummy CCS record
* immediately before its second flight. This may either be before
* its second ClientHello or before its encrypted handshake flight.
*/
mbedtls_ssl_handshake_set_state( ssl,
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO );
#else
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
/*
* We are going to re-generate a shared secret corresponding to the group
* selected by the server, which is different from the group for which we
* generated a shared secret in the first client hello.
* Thus, reset the shared secret.
*/
ret = ssl_tls13_reset_key_share( ssl );
if( ret != 0 )
return( ret );
#else
((void) ssl);
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
return( 0 );
}
/* /*
* Wait and parse ServerHello handshake message. * Wait and parse ServerHello handshake message.
* Handler for MBEDTLS_SSL_SERVER_HELLO * Handler for MBEDTLS_SSL_SERVER_HELLO
@ -1215,8 +1478,9 @@ cleanup:
static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl ) static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *buf; unsigned char *buf = NULL;
size_t buf_len; size_t buf_len = 0;
int is_hrr = 0;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> %s", __func__ ) );
@ -1229,31 +1493,29 @@ static int ssl_tls13_process_server_hello( mbedtls_ssl_context *ssl )
ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE; ssl->handshake->extensions_present = MBEDTLS_SSL_EXT_NONE;
ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len ); ret = ssl_tls13_server_hello_coordinate( ssl, &buf, &buf_len );
/* Parsing step if( ret < 0 )
* We know what message to expect by now and call goto cleanup;
* the respective parsing function. else
*/ is_hrr = ( ret == SSL_SERVER_HELLO_COORDINATE_HRR );
if( ret == SSL_SERVER_HELLO_COORDINATE_HELLO )
{
MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf, MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_server_hello( ssl, buf,
buf + buf_len ) ); buf + buf_len,
is_hrr ) );
if( is_hrr )
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_reset_transcript_for_hrr( ssl ) );
mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl, mbedtls_ssl_tls13_add_hs_msg_to_checksum( ssl,
MBEDTLS_SSL_HS_SERVER_HELLO, MBEDTLS_SSL_HS_SERVER_HELLO,
buf, buf_len ); buf, buf_len );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_server_hello( ssl ) ); if( is_hrr )
} MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_hrr( ssl ) );
else if( ret == SSL_SERVER_HELLO_COORDINATE_HRR ) else
{ MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_server_hello( ssl ) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "HRR not supported" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
cleanup: cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s", __func__ ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= %s ( %s )", __func__,
is_hrr?"HelloRetryRequest":"ServerHello" ) );
return( ret ); return( ret );
} }
@ -1492,8 +1754,6 @@ static int ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
if( ret != 0 ) if( ret != 0 )
return( ret ); return( ret );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
return( 0 ); return( 0 );
} }
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
@ -1604,6 +1864,7 @@ int mbedtls_ssl_tls13_handshake_client_step( mbedtls_ssl_context *ssl )
*/ */
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED: case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
ret = ssl_tls13_write_change_cipher_spec( ssl ); ret = ssl_tls13_write_change_cipher_spec( ssl );
break; break;
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */

103
library/ssl_tls13_generic.c
View File

@ -1058,6 +1058,32 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
*/ */
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE) #if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
static int ssl_tls13_finalize_change_cipher_spec( mbedtls_ssl_context* ssl )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
switch( ssl->state )
{
case MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO:
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
break;
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
break;
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "should never happen" ) );
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
}
#else
((void) ssl);
#endif /* MBEDTLS_SSL_CLI_C */
return( 0 );
}
static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl, static int ssl_tls13_write_change_cipher_spec_body( mbedtls_ssl_context *ssl,
unsigned char *buf, unsigned char *buf,
unsigned char *end, unsigned char *end,
@ -1088,6 +1114,9 @@ int mbedtls_ssl_tls13_write_change_cipher_spec( mbedtls_ssl_context *ssl )
ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC; ssl->out_msgtype = MBEDTLS_SSL_MSG_CHANGE_CIPHER_SPEC;
/* Update state */
MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_change_cipher_spec( ssl ) );
/* Dispatch message */ /* Dispatch message */
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_write_record( ssl, 1 ) );
@ -1099,6 +1128,80 @@ cleanup:
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */ #endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
/* Reset SSL context and update hash for handling HRR.
*
* Replace Transcript-Hash(X) by
* Transcript-Hash( message_hash ||
* 00 00 Hash.length ||
* X )
* A few states of the handshake are preserved, including:
* - session ID
* - session ticket
* - negotiated ciphersuite
*/
int mbedtls_ssl_reset_transcript_for_hrr( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char hash_transcript[ MBEDTLS_MD_MAX_SIZE + 4 ];
size_t hash_len;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
uint16_t cipher_suite = ssl->session_negotiate->ciphersuite;
ciphersuite_info = mbedtls_ssl_ciphersuite_from_id( cipher_suite );
MBEDTLS_SSL_DEBUG_MSG( 3, ( "Reset SSL session for HRR" ) );
ret = mbedtls_ssl_get_handshake_transcript( ssl, ciphersuite_info->mac,
hash_transcript + 4,
MBEDTLS_MD_MAX_SIZE,
&hash_len );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 4, "mbedtls_ssl_get_handshake_transcript", ret );
return( ret );
}
hash_transcript[0] = MBEDTLS_SSL_HS_MESSAGE_HASH;
hash_transcript[1] = 0;
hash_transcript[2] = 0;
hash_transcript[3] = (unsigned char) hash_len;
hash_len += 4;
if( ciphersuite_info->mac == MBEDTLS_MD_SHA256 )
{
#if defined(MBEDTLS_SHA256_C)
MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-256 handshake transcript",
hash_transcript, hash_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &ssl->handshake->fin_sha256_psa );
psa_hash_setup( &ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256 );
#else
mbedtls_sha256_starts( &ssl->handshake->fin_sha256, 0 );
#endif
#endif /* MBEDTLS_SHA256_C */
}
else if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
{
#if defined(MBEDTLS_SHA384_C)
MBEDTLS_SSL_DEBUG_BUF( 4, "Truncated SHA-384 handshake transcript",
hash_transcript, hash_len );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort( &ssl->handshake->fin_sha384_psa );
psa_hash_setup( &ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384 );
#else
mbedtls_sha512_starts( &ssl->handshake->fin_sha512, 1 );
#endif
#endif /* MBEDTLS_SHA384_C */
}
#if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA384_C)
ssl->handshake->update_checksum( ssl, hash_transcript, hash_len );
#endif /* MBEDTLS_SHA256_C || MBEDTLS_SHA384_C */
return( ret );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_TLS_C */ #endif /* MBEDTLS_SSL_TLS_C */

52
tests/ssl-opt.sh
View File

@ -9214,13 +9214,29 @@ requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
requires_openssl_tls1_3 requires_openssl_tls1_3
run_test "TLS 1.3: HelloRetryRequest check - openssl" \ run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - openssl" \
"$O_NEXT_SRV -ciphersuites TLS_AES_128_GCM_SHA256 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
"$P_CLI debug_level=4 force_version=tls13" \
0 \
-c "received HelloRetryRequest message" \
-c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
-c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
-c "HTTP/1.0 200 ok"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
requires_openssl_tls1_3
run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - openssl" \
"$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \ "$O_NEXT_SRV -ciphersuites TLS_AES_256_GCM_SHA384 -sigalgs ecdsa_secp256r1_sha256 -groups P-256 -msg -tls1_3 -num_tickets 0 -no_resume_ephemeral -no_cache" \
"$P_CLI debug_level=4 force_version=tls13" \ "$P_CLI debug_level=4 force_version=tls13" \
1 \ 0 \
-c "received HelloRetryRequest message" \ -c "received HelloRetryRequest message" \
-c "HRR not supported" \ -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
-c "Last error was: -0x6E00 - SSL - The handshake negotiation failed" -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
-c "HTTP/1.0 200 ok"
requires_gnutls_tls1_3 requires_gnutls_tls1_3
requires_gnutls_next_no_ticket requires_gnutls_next_no_ticket
@ -9229,14 +9245,30 @@ requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "TLS 1.3: HelloRetryRequest check - gnutls" \ run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_128_GCM_SHA256 - gnutls" \
"$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS" \ "$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-128-GCM:+SHA256:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
"$P_CLI debug_level=4 force_version=tls13" \ "$P_CLI debug_level=4 force_version=tls13" \
1 \ 0 \
-c "received HelloRetryRequest message" \ -c "received HelloRetryRequest message" \
-c "HRR not supported" \ -c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
-c "Last error was: -0x6E00 - SSL - The handshake negotiation failed" \ -c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "HELLO RETRY REQUEST was queued" -c "HTTP/1.0 200 OK"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "TLS 1.3: HelloRetryRequest check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \
"$G_NEXT_SRV -d 4 --priority=NONE:+GROUP-SECP256R1:+AES-256-GCM:+SHA384:+AEAD:+SIGN-ECDSA-SECP256R1-SHA256:+VERS-TLS1.3:%NO_TICKETS --disable-client-cert" \
"$P_CLI debug_level=4 force_version=tls13" \
0 \
-c "received HelloRetryRequest message" \
-c "<= ssl_tls13_process_server_hello ( HelloRetryRequest )" \
-c "tls13 client state: MBEDTLS_SSL_CLIENT_HELLO" \
-c "HTTP/1.0 200 OK"
for i in $(ls opt-testcases/*.sh) for i in $(ls opt-testcases/*.sh)
do do