yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Merge pull request #7353 from xkqian/tls13_fix_code_style

Browse source 
Improve code styles for tls13 related files
This commit is contained in:
Dave Rodgman 2023-04-11 09:18:22 +01:00 committed by GitHub
commit 22d9ff6d3c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 362 additions and 315 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

135
library/ssl_tls13_client.c
View file

@ -117,7 +117,8 @@ static int ssl_tls13_parse_supported_versions_ext(mbedtls_ssl_context *ssl,
}
if (&buf[2] != end) {
MBEDTLS_SSL_DEBUG_MSG(1, ("supported_versions ext data length incorrect"));
MBEDTLS_SSL_DEBUG_MSG(
1, ("supported_versions ext data length incorrect"));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_DECODE_ERROR,
MBEDTLS_ERR_SSL_DECODE_ERROR);
return MBEDTLS_ERR_SSL_DECODE_ERROR;
@ -227,8 +228,8 @@ static int ssl_tls13_get_default_group_id(mbedtls_ssl_context *ssl,
}
for (; *group_list != 0; group_list++) {
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(*group_list,
NULL, NULL) == PSA_SUCCESS) &&
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
*group_list, NULL, NULL) == PSA_SUCCESS) &&
mbedtls_ssl_tls13_named_group_is_ecdhe(*group_list)) {
*group_id = *group_list;
return 0;
@ -352,7 +353,8 @@ static int ssl_tls13_write_key_share_ext(mbedtls_ssl_context *ssl,
/* Output the total length of key_share extension. */
*out_len = p - buf;
MBEDTLS_SSL_DEBUG_BUF(3, "client hello, key_share extension", buf, *out_len);
MBEDTLS_SSL_DEBUG_BUF(
3, "client hello, key_share extension", buf, *out_len);
mbedtls_ssl_tls13_set_hs_sent_ext_mask(ssl, MBEDTLS_TLS_EXT_KEY_SHARE);
@ -402,8 +404,8 @@ static int ssl_tls13_parse_hrr_key_share_ext(mbedtls_ssl_context *ssl,
* then the client MUST abort the handshake with an "illegal_parameter" alert.
*/
for (; *group_list != 0; group_list++) {
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(*group_list,
NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
if ((mbedtls_ssl_get_psa_curve_info_from_tls_id(
*group_list, NULL, NULL) == PSA_ERROR_NOT_SUPPORTED) ||
*group_list != selected_group) {
continue;
}
@ -472,9 +474,9 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
/* Check that the chosen group matches the one we offered. */
offered_group = ssl->handshake->offered_group_id;
if (offered_group != group) {
MBEDTLS_SSL_DEBUG_MSG(1,
("Invalid server key share, our group %u, their group %u",
(unsigned) offered_group, (unsigned) group));
MBEDTLS_SSL_DEBUG_MSG(
1, ("Invalid server key share, our group %u, their group %u",
(unsigned) offered_group, (unsigned) group));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
@ -488,8 +490,9 @@ static int ssl_tls13_parse_key_share_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
MBEDTLS_SSL_DEBUG_MSG(2, ("ECDH curve: %s",
mbedtls_ssl_get_curve_name_from_tls_id(group)));
MBEDTLS_SSL_DEBUG_MSG(
2,
("ECDH curve: %s", mbedtls_ssl_get_curve_name_from_tls_id(group)));
ret = mbedtls_ssl_tls13_read_public_ecdhe_share(ssl, p, end - p);
if (ret != 0) {
@ -1410,8 +1413,8 @@ static int ssl_server_hello_is_hrr(mbedtls_ssl_context *ssl,
* } ServerHello;
*
*/
MBEDTLS_SSL_CHK_BUF_READ_PTR(buf, end,
2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
MBEDTLS_SSL_CHK_BUF_READ_PTR(
buf, end, 2 + sizeof(mbedtls_ssl_tls13_hello_retry_request_magic));
if (memcmp(buf + 2, mbedtls_ssl_tls13_hello_retry_request_magic,
sizeof(mbedtls_ssl_tls13_hello_retry_request_magic)) == 0) {
@ -1464,9 +1467,9 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
*/
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_SERVER_HELLO,
buf, (size_t) (end - buf)));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
buf, (size_t) (end - buf)));
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_reset_key_share(ssl);
@ -1492,15 +1495,16 @@ static int ssl_tls13_preprocess_server_hello(mbedtls_ssl_context *ssl,
break;
case SSL_SERVER_HELLO_HRR:
MBEDTLS_SSL_DEBUG_MSG(2, ("received HelloRetryRequest message"));
/* If a client receives a second
* HelloRetryRequest in the same connection (i.e., where the ClientHello
* was itself in response to a HelloRetryRequest), it MUST abort the
* handshake with an "unexpected_message" alert.
/* If a client receives a second HelloRetryRequest in the same
* connection (i.e., where the ClientHello was itself in response
* to a HelloRetryRequest), it MUST abort the handshake with an
* "unexpected_message" alert.
*/
if (handshake->hello_retry_request_count > 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("Multiple HRRs received"));
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNEXPECTED_MESSAGE,
MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE);
return MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE;
}
/*
@ -1861,20 +1865,25 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
* exchange mode is EPHEMERAL-only.
*/
switch (handshake->received_extensions &
(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
(MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
MBEDTLS_SSL_EXT_MASK(KEY_SHARE))) {
/* Only the pre_shared_key extension was received */
case MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY):
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
break;
/* Only the key_share extension was received */
case MBEDTLS_SSL_EXT_MASK(KEY_SHARE):
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
break;
/* Both the pre_shared_key and key_share extensions were received */
case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) | MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
case (MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY) |
MBEDTLS_SSL_EXT_MASK(KEY_SHARE)):
handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
break;
/* Neither pre_shared_key nor key_share extension was received */
@ -1917,15 +1926,15 @@ static int ssl_tls13_postprocess_server_hello(mbedtls_ssl_context *ssl)
if (!mbedtls_ssl_conf_tls13_check_kex_modes(
ssl, handshake->key_exchange_mode)) {
ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
MBEDTLS_SSL_DEBUG_MSG(2,
("Key exchange mode(%s) is not supported.",
ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
MBEDTLS_SSL_DEBUG_MSG(
2, ("Key exchange mode(%s) is not supported.",
ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
goto cleanup;
}
MBEDTLS_SSL_DEBUG_MSG(3,
("Selected key exchange mode: %s",
ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
MBEDTLS_SSL_DEBUG_MSG(
3, ("Selected key exchange mode: %s",
ssl_tls13_get_kex_mode_str(handshake->key_exchange_mode)));
/* Start the TLS 1.3 key scheduling if not already done.
*
@ -2009,9 +2018,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> %s", __func__));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
MBEDTLS_SSL_HS_SERVER_HELLO,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
ret = ssl_tls13_preprocess_server_hello(ssl, buf, buf + buf_len);
if (ret < 0) {
@ -2032,9 +2040,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
}
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_SERVER_HELLO, buf,
buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, buf_len));
if (is_hrr) {
MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
@ -2043,8 +2050,8 @@ static int ssl_tls13_process_server_hello(mbedtls_ssl_context *ssl)
* immediately before its second flight. This may either be before
* its second ClientHello or before its encrypted handshake flight.
*/
mbedtls_ssl_handshake_set_state(ssl,
MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_CLIENT_CCS_BEFORE_2ND_CLIENT_HELLO);
#else
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_HELLO);
#endif /* MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE */
@ -2124,7 +2131,8 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_ALPN:
MBEDTLS_SSL_DEBUG_MSG(3, ("found alpn extension"));
if ((ret = ssl_tls13_parse_alpn_ext(ssl, p, (size_t) extension_data_len)) != 0) {
if ((ret = ssl_tls13_parse_alpn_ext(
ssl, p, (size_t) extension_data_len)) != 0) {
return ret;
}
@ -2148,10 +2156,12 @@ static int ssl_tls13_parse_encrypted_extensions(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, p + extension_data_len);
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, p + extension_data_len);
/* TODO: Return unconditionally here until we handle the record size limit correctly.
* Once handled correctly, only return in case of errors. */
/* TODO: Return unconditionally here until we handle the record
* size limit correctly. Once handled correctly, only return in
* case of errors. */
return ret;
break;
@ -2190,9 +2200,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse encrypted extensions"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
&buf, &buf_len));
/* Process the message contents */
MBEDTLS_SSL_PROC_CHK(
@ -2205,9 +2215,9 @@ static int ssl_tls13_process_encrypted_extensions(mbedtls_ssl_context *ssl)
}
#endif
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, buf_len));
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
@ -2443,16 +2453,16 @@ static int ssl_tls13_process_certificate_request(mbedtls_ssl_context *ssl)
unsigned char *buf;
size_t buf_len;
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(ssl,
buf, buf + buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(
ssl, buf, buf + buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
buf, buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
buf, buf_len));
} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
ret = 0;
} else {
@ -2614,8 +2624,8 @@ static int ssl_tls13_write_client_finished(mbedtls_ssl_context *ssl)
ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_compute_resumption_master_secret ", ret);
return ret;
}
@ -2995,7 +3005,8 @@ int mbedtls_ssl_tls13_handshake_client_step(mbedtls_ssl_context *ssl)
case MBEDTLS_SSL_CLIENT_CCS_AFTER_SERVER_FINISHED:
ret = mbedtls_ssl_tls13_write_change_cipher_spec(ssl);
if (ret == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_CLIENT_CERTIFICATE);
}
break;

134
library/ssl_tls13_generic.c
View file

@ -247,15 +247,17 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* RFC 8446 section 4.4.3
*
* If the CertificateVerify message is sent by a server, the signature algorithm
* MUST be one offered in the client's "signature_algorithms" extension unless
* no valid certificate chain can be produced without unsupported algorithms
* If the CertificateVerify message is sent by a server, the signature
* algorithm MUST be one offered in the client's "signature_algorithms"
* extension unless no valid certificate chain can be produced without
* unsupported algorithms
*
* RFC 8446 section 4.4.2.2
*
* If the client cannot construct an acceptable chain using the provided
* certificates and decides to abort the handshake, then it MUST abort the handshake
* with an appropriate certificate-related alert (by default, "unsupported_certificate").
* certificates and decides to abort the handshake, then it MUST abort the
* handshake with an appropriate certificate-related alert
* (by default, "unsupported_certificate").
*
* Check if algorithm is an offered signature algorithm.
*/
@ -350,17 +352,18 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse certificate verify"));
MBEDTLS_SSL_PROC_CHK(
mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf, &buf_len));
/* Need to calculate the hash of the transcript first
* before reading the message since otherwise it gets
* included in the transcript
*/
ret = mbedtls_ssl_get_handshake_transcript(ssl,
ssl->handshake->ciphersuite_info->mac,
transcript, sizeof(transcript),
&transcript_len);
ret = mbedtls_ssl_get_handshake_transcript(
ssl,
ssl->handshake->ciphersuite_info->mac,
transcript, sizeof(transcript),
&transcript_len);
if (ret != 0) {
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_INTERNAL_ERROR,
@ -380,13 +383,13 @@ int mbedtls_ssl_tls13_process_certificate_verify(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_IS_CLIENT);
/* Process the message contents */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(ssl, buf,
buf + buf_len, verify_buffer,
verify_buffer_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_verify(
ssl, buf, buf + buf_len,
verify_buffer, verify_buffer_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
buf, buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
buf, buf_len));
cleanup:
@ -600,7 +603,8 @@ exit:
return MBEDTLS_ERR_SSL_DECODE_ERROR;
}
MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate", ssl->session_negotiate->peer_cert);
MBEDTLS_SSL_DEBUG_CRT(3, "peer certificate",
ssl->session_negotiate->peer_cert);
return ret;
}
@ -666,8 +670,9 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
if (authmode == MBEDTLS_SSL_VERIFY_OPTIONAL) {
return 0;
} else {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_NO_CERT,
MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_NO_CERT,
MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE);
return MBEDTLS_ERR_SSL_NO_CLIENT_CERTIFICATE;
}
}
@ -754,7 +759,8 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
Pick one and send the corresponding alert. Which alert to send
may be a subject of debate in some cases. */
if (verify_result & MBEDTLS_X509_BADCERT_OTHER) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_ACCESS_DENIED, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_CN_MISMATCH) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_BAD_CERT, ret);
} else if (verify_result & (MBEDTLS_X509_BADCERT_KEY_USAGE |
@ -762,15 +768,19 @@ static int ssl_tls13_validate_certificate(mbedtls_ssl_context *ssl)
MBEDTLS_X509_BADCERT_NS_CERT_TYPE |
MBEDTLS_X509_BADCERT_BAD_PK |
MBEDTLS_X509_BADCERT_BAD_KEY)) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_CERT, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_EXPIRED) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_CERT_EXPIRED, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_REVOKED) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_CERT_REVOKED, ret);
} else if (verify_result & MBEDTLS_X509_BADCERT_NOT_TRUSTED) {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_UNKNOWN_CA, ret);
} else {
MBEDTLS_SSL_PEND_FATAL_ALERT(MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_CERT_UNKNOWN, ret);
}
}
@ -815,9 +825,8 @@ int mbedtls_ssl_tls13_process_certificate(mbedtls_ssl_context *ssl)
/* Validate the certificate chain and set the verification results. */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_CERTIFICATE, buf,
buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, buf_len));
cleanup:
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
@ -923,18 +932,16 @@ int mbedtls_ssl_tls13_write_certificate(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
MBEDTLS_SSL_HS_CERTIFICATE, &buf,
&buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_CERTIFICATE, &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_body(ssl,
buf,
buf + buf_len,
&msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_CERTIFICATE, buf,
msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE, buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@ -1017,11 +1024,9 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ret = mbedtls_ssl_get_handshake_transcript(ssl,
ssl->handshake->ciphersuite_info->mac,
handshake_hash,
sizeof(handshake_hash),
&handshake_hash_len);
ret = mbedtls_ssl_get_handshake_transcript(
ssl, ssl->handshake->ciphersuite_info->mac,
handshake_hash, sizeof(handshake_hash), &handshake_hash_len);
if (ret != 0) {
return ret;
}
@ -1128,16 +1133,16 @@ int mbedtls_ssl_tls13_write_certificate_verify(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write certificate verify"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, &buf,
&buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
ssl, buf, buf + buf_len, &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf,
msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@ -1163,13 +1168,13 @@ static int ssl_tls13_preprocess_finished_message(mbedtls_ssl_context *ssl)
{
int ret;
ret = mbedtls_ssl_tls13_calculate_verify_data(ssl,
ssl->handshake->state_local.finished_in.digest,
sizeof(ssl->handshake->state_local.finished_in.
digest),
&ssl->handshake->state_local.finished_in.digest_len,
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
ret = mbedtls_ssl_tls13_calculate_verify_data(
ssl,
ssl->handshake->state_local.finished_in.digest,
sizeof(ssl->handshake->state_local.finished_in.digest),
&ssl->handshake->state_local.finished_in.digest_len,
ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT ?
MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_calculate_verify_data", ret);
return ret;
@ -1228,17 +1233,17 @@ int mbedtls_ssl_tls13_process_finished_message(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished message"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(ssl,
MBEDTLS_SSL_HS_FINISHED,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_tls13_fetch_handshake_msg(
ssl, MBEDTLS_SSL_HS_FINISHED, &buf, &buf_len));
/* Preprocessing step: Compute handshake digest */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_preprocess_finished_message(ssl));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(
ssl, buf, buf + buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
cleanup:
@ -1526,9 +1531,8 @@ int mbedtls_ssl_tls13_generate_and_write_ecdh_key_exchange(
MBEDTLS_SSL_DEBUG_MSG(1, ("Perform PSA-based ECDH computation."));
/* Convert EC's TLS ID to PSA key type. */
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(named_group,
&ec_psa_family,
&ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
if (mbedtls_ssl_get_psa_curve_info_from_tls_id(
named_group, &ec_psa_family, &ec_bits) == PSA_ERROR_NOT_SUPPORTED) {
return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE;
}
handshake->ecdh_psa_type = PSA_KEY_TYPE_ECC_KEY_PAIR(ec_psa_family);
@ -1638,7 +1642,8 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
uint16_t record_size_limit;
const size_t extension_data_len = end - buf;
if (extension_data_len != MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
if (extension_data_len !=
MBEDTLS_SSL_RECORD_SIZE_LIMIT_EXTENSION_DATA_LENGTH) {
MBEDTLS_SSL_DEBUG_MSG(2,
("record_size_limit extension has invalid length: %"
MBEDTLS_PRINTF_SIZET " Bytes",
@ -1668,9 +1673,8 @@ int mbedtls_ssl_tls13_parse_record_size_limit_ext(mbedtls_ssl_context *ssl,
return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER;
}
MBEDTLS_SSL_DEBUG_MSG(2,
(
"record_size_limit extension is still in development. Aborting handshake."));
MBEDTLS_SSL_DEBUG_MSG(
2, ("record_size_limit extension is still in development. Aborting handshake."));
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_UNSUPPORTED_EXT,

305
library/ssl_tls13_keys.c
View file

@ -455,25 +455,27 @@ int mbedtls_ssl_tls13_derive_early_secrets(
*/
/* Create client_early_traffic_secret */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->client_early_traffic_secret,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_e_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->client_early_traffic_secret,
hash_len);
if (ret != 0) {
return ret;
}
/* Create early exporter */
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->early_exporter_master_secret,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(e_exp_master),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->early_exporter_master_secret,
hash_len);
if (ret != 0) {
return ret;
}
@ -515,13 +517,14 @@ int mbedtls_ssl_tls13_derive_handshake_secrets(
* Derive-Secret( ., "c hs traffic", ClientHello...ServerHello )
*/
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
handshake_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->client_handshake_traffic_secret,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
handshake_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_hs_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->client_handshake_traffic_secret,
hash_len);
if (ret != 0) {
return ret;
}
@ -531,13 +534,14 @@ int mbedtls_ssl_tls13_derive_handshake_secrets(
* Derive-Secret( ., "s hs traffic", ClientHello...ServerHello )
*/
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
handshake_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->server_handshake_traffic_secret,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
handshake_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_hs_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->server_handshake_traffic_secret,
hash_len);
if (ret != 0) {
return ret;
}
@ -578,35 +582,38 @@ int mbedtls_ssl_tls13_derive_application_secrets(
*
*/
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->client_application_traffic_secret_N,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(c_ap_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->client_application_traffic_secret_N,
hash_len);
if (ret != 0) {
return ret;
}
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->server_application_traffic_secret_N,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(s_ap_traffic),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->server_application_traffic_secret_N,
hash_len);
if (ret != 0) {
return ret;
}
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->exporter_master_secret,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(exp_master),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->exporter_master_secret,
hash_len);
if (ret != 0) {
return ret;
}
@ -633,13 +640,14 @@ int mbedtls_ssl_tls13_derive_resumption_master_secret(
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;
}
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->resumption_master_secret,
hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
application_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_master),
transcript, transcript_len,
MBEDTLS_SSL_TLS1_3_CONTEXT_HASHED,
derived->resumption_master_secret,
hash_len);
if (ret != 0) {
return ret;
@ -675,17 +683,19 @@ static int ssl_tls13_key_schedule_stage_application(mbedtls_ssl_context *ssl)
/*
* Compute MasterSecret
*/
ret = mbedtls_ssl_tls13_evolve_secret(hash_alg,
handshake->tls13_master_secrets.handshake,
NULL, 0,
handshake->tls13_master_secrets.app);
ret = mbedtls_ssl_tls13_evolve_secret(
hash_alg,
handshake->tls13_master_secrets.handshake,
NULL, 0,
handshake->tls13_master_secrets.app);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
return ret;
}
MBEDTLS_SSL_DEBUG_BUF(4, "Master secret",
handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg));
MBEDTLS_SSL_DEBUG_BUF(
4, "Master secret",
handshake->tls13_master_secrets.app, PSA_HASH_LENGTH(hash_alg));
return 0;
}
@ -810,7 +820,8 @@ int mbedtls_ssl_tls13_calculate_verify_data(mbedtls_ssl_context *ssl,
}
MBEDTLS_SSL_DEBUG_BUF(4, "handshake hash", transcript, transcript_len);
ret = ssl_tls13_calc_finished_core(hash_alg, base_key, transcript, dst, actual_len);
ret = ssl_tls13_calc_finished_core(hash_alg, base_key,
transcript, dst, actual_len);
if (ret != 0) {
goto exit;
}
@ -873,18 +884,20 @@ int mbedtls_ssl_tls13_create_psk_binder(mbedtls_ssl_context *ssl,
early_secret, hash_len);
if (psk_type == MBEDTLS_SSL_TLS1_3_PSK_RESUMPTION) {
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder),
NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
binder_key, hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(res_binder),
NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
binder_key, hash_len);
MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'res binder'"));
} else {
ret = mbedtls_ssl_tls13_derive_secret(hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder),
NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
binder_key, hash_len);
ret = mbedtls_ssl_tls13_derive_secret(
hash_alg,
early_secret, hash_len,
MBEDTLS_SSL_TLS1_3_LBL_WITH_LEN(ext_binder),
NULL, 0, MBEDTLS_SSL_TLS1_3_CONTEXT_UNHASHED,
binder_key, hash_len);
MBEDTLS_SSL_DEBUG_MSG(4, ("Derive Early Secret with 'ext binder'"));
}
@ -913,11 +926,11 @@ exit:
return ret;
}
int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
int endpoint,
int ciphersuite,
mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl /* DEBUG ONLY */)
int mbedtls_ssl_tls13_populate_transform(
mbedtls_ssl_transform *transform,
int endpoint, int ciphersuite,
mbedtls_ssl_key_set const *traffic_keys,
mbedtls_ssl_context *ssl /* DEBUG ONLY */)
{
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
int ret;
@ -1044,7 +1057,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
&alg,
&key_type,
&key_bits)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status));
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_cipher_to_psa", PSA_TO_MBEDTLS_ERR(status));
return PSA_TO_MBEDTLS_ERR(status);
}
@ -1059,7 +1073,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
key_enc,
PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_enc)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
MBEDTLS_SSL_DEBUG_RET(
1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
return PSA_TO_MBEDTLS_ERR(status);
}
@ -1069,7 +1084,8 @@ int mbedtls_ssl_tls13_populate_transform(mbedtls_ssl_transform *transform,
key_dec,
PSA_BITS_TO_BYTES(key_bits),
&transform->psa_key_dec)) != PSA_SUCCESS) {
MBEDTLS_SSL_DEBUG_RET(1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
MBEDTLS_SSL_DEBUG_RET(
1, "psa_import_key", PSA_TO_MBEDTLS_ERR(status));
return PSA_TO_MBEDTLS_ERR(status);
}
}
@ -1134,7 +1150,8 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
handshake->ciphersuite_info;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key"));
@ -1333,8 +1350,10 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
size_t iv_len;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets = &handshake->tls13_hs_secrets;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
handshake->ciphersuite_info;
mbedtls_ssl_tls13_handshake_secrets *tls13_hs_secrets =
&handshake->tls13_hs_secrets;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_handshake_keys"));
@ -1360,9 +1379,9 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
return ret;
}
ret = mbedtls_ssl_tls13_derive_handshake_secrets(hash_alg,
handshake->tls13_master_secrets.handshake,
transcript, transcript_len, tls13_hs_secrets);
ret = mbedtls_ssl_tls13_derive_handshake_secrets(
hash_alg, handshake->tls13_master_secrets.handshake,
transcript, transcript_len, tls13_hs_secrets);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_derive_handshake_secrets",
ret);
@ -1380,27 +1399,30 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
* Export client handshake traffic secret
*/
if (ssl->f_export_keys != NULL) {
ssl->f_export_keys(ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
tls13_hs_secrets->client_handshake_traffic_secret,
hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
ssl->f_export_keys(
ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_HANDSHAKE_TRAFFIC_SECRET,
tls13_hs_secrets->client_handshake_traffic_secret,
hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
ssl->f_export_keys(ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
tls13_hs_secrets->server_handshake_traffic_secret,
hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
ssl->f_export_keys(
ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_HANDSHAKE_TRAFFIC_SECRET,
tls13_hs_secrets->server_handshake_traffic_secret,
hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: FIX! */);
}
ret = mbedtls_ssl_tls13_make_traffic_keys(hash_alg,
tls13_hs_secrets->client_handshake_traffic_secret,
tls13_hs_secrets->server_handshake_traffic_secret,
hash_len, key_len, iv_len, traffic_keys);
ret = mbedtls_ssl_tls13_make_traffic_keys(
hash_alg,
tls13_hs_secrets->client_handshake_traffic_secret,
tls13_hs_secrets->server_handshake_traffic_secret,
hash_len, key_len, iv_len, traffic_keys);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
goto exit;
@ -1510,10 +1532,10 @@ static int ssl_tls13_key_schedule_stage_handshake(mbedtls_ssl_context *ssl)
/*
* Compute the Handshake Secret
*/
ret = mbedtls_ssl_tls13_evolve_secret(hash_alg,
handshake->tls13_master_secrets.early,
shared_secret, shared_secret_len,
handshake->tls13_master_secrets.handshake);
ret = mbedtls_ssl_tls13_evolve_secret(
hash_alg, handshake->tls13_master_secrets.early,
shared_secret, shared_secret_len,
handshake->tls13_master_secrets.handshake);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_evolve_secret", ret);
goto cleanup;
@ -1601,22 +1623,22 @@ static int ssl_tls13_generate_application_keys(
/* Compute application secrets from master secret and transcript hash. */
ret = mbedtls_ssl_tls13_derive_application_secrets(hash_alg,
handshake->tls13_master_secrets.app,
transcript, transcript_len,
app_secrets);
ret = mbedtls_ssl_tls13_derive_application_secrets(
hash_alg, handshake->tls13_master_secrets.app,
transcript, transcript_len, app_secrets);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_tls13_derive_application_secrets", ret);
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_derive_application_secrets", ret);
goto cleanup;
}
/* Derive first epoch of IV + Key for application traffic. */
ret = mbedtls_ssl_tls13_make_traffic_keys(hash_alg,
app_secrets->client_application_traffic_secret_N,
app_secrets->server_application_traffic_secret_N,
hash_len, key_len, iv_len, traffic_keys);
ret = mbedtls_ssl_tls13_make_traffic_keys(
hash_alg,
app_secrets->client_application_traffic_secret_N,
app_secrets->server_application_traffic_secret_N,
hash_len, key_len, iv_len, traffic_keys);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_tls13_make_traffic_keys", ret);
goto cleanup;
@ -1634,21 +1656,23 @@ static int ssl_tls13_generate_application_keys(
* Export client/server application traffic secret 0
*/
if (ssl->f_export_keys != NULL) {
ssl->f_export_keys(ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
app_secrets->client_application_traffic_secret_N, hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */);
ssl->f_export_keys(
ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_APPLICATION_TRAFFIC_SECRET,
app_secrets->client_application_traffic_secret_N, hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */);
ssl->f_export_keys(ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
app_secrets->server_application_traffic_secret_N, hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */);
ssl->f_export_keys(
ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_SERVER_APPLICATION_TRAFFIC_SECRET,
app_secrets->server_application_traffic_secret_N, hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
MBEDTLS_SSL_TLS_PRF_NONE /* TODO: this should be replaced by
a new constant for TLS 1.3! */);
}
MBEDTLS_SSL_DEBUG_BUF(4, "client application_write_key:",
@ -1729,8 +1753,8 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
MBEDTLS_SSL_DEBUG_MSG(2,
("=> mbedtls_ssl_tls13_compute_resumption_master_secret"));
MBEDTLS_SSL_DEBUG_MSG(
2, ("=> mbedtls_ssl_tls13_compute_resumption_master_secret"));
md_type = handshake->ciphersuite_info->mac;
@ -1754,12 +1778,13 @@ int mbedtls_ssl_tls13_compute_resumption_master_secret(mbedtls_ssl_context *ssl)
mbedtls_platform_zeroize(&handshake->tls13_master_secrets,
sizeof(handshake->tls13_master_secrets));
MBEDTLS_SSL_DEBUG_BUF(4, "Resumption master secret",
ssl->session_negotiate->app_secrets.resumption_master_secret,
PSA_HASH_LENGTH(mbedtls_psa_translate_md(md_type)));
MBEDTLS_SSL_DEBUG_BUF(
4, "Resumption master secret",
ssl->session_negotiate->app_secrets.resumption_master_secret,
PSA_HASH_LENGTH(mbedtls_psa_translate_md(md_type)));
MBEDTLS_SSL_DEBUG_MSG(2,
("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));
MBEDTLS_SSL_DEBUG_MSG(
2, ("<= mbedtls_ssl_tls13_compute_resumption_master_secret"));
return 0;
}

103
library/ssl_tls13_server.c
View file

@ -317,11 +317,10 @@ static int ssl_tls13_offered_psks_check_identity_match(
}
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_offered_psks_check_binder_match(mbedtls_ssl_context *ssl,
const unsigned char *binder,
size_t binder_len,
int psk_type,
psa_algorithm_t psk_hash_alg)
static int ssl_tls13_offered_psks_check_binder_match(
mbedtls_ssl_context *ssl,
const unsigned char *binder, size_t binder_len,
int psk_type, psa_algorithm_t psk_hash_alg)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -490,11 +489,12 @@ static int ssl_tls13_session_copy_ticket(mbedtls_ssl_session *dst,
* } PreSharedKeyExtension;
*/
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
const unsigned char *pre_shared_key_ext,
const unsigned char *pre_shared_key_ext_end,
const unsigned char *ciphersuites,
const unsigned char *ciphersuites_end)
static int ssl_tls13_parse_pre_shared_key_ext(
mbedtls_ssl_context *ssl,
const unsigned char *pre_shared_key_ext,
const unsigned char *pre_shared_key_ext_end,
const unsigned char *ciphersuites,
const unsigned char *ciphersuites_end)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *identities = pre_shared_key_ext;
@ -621,8 +621,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
mbedtls_ssl_session_free(&session);
#endif
MBEDTLS_SSL_DEBUG_MSG(3, ("Invalid binder."));
MBEDTLS_SSL_DEBUG_RET(1,
"ssl_tls13_offered_psks_check_binder_match", ret);
MBEDTLS_SSL_DEBUG_RET(
1, "ssl_tls13_offered_psks_check_binder_match", ret);
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_DECRYPT_ERROR,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
@ -656,9 +656,8 @@ static int ssl_tls13_parse_pre_shared_key_ext(mbedtls_ssl_context *ssl,
}
/* Update the handshake transcript with the binder list. */
ret = ssl->handshake->update_checksum(ssl,
identities_end,
(size_t) (binders_end - identities_end));
ret = ssl->handshake->update_checksum(
ssl, identities_end, (size_t) (binders_end - identities_end));
if (0 != ret) {
MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
return ret;
@ -840,13 +839,14 @@ static int ssl_tls13_parse_supported_groups_ext(mbedtls_ssl_context *ssl,
#if defined(PSA_WANT_ALG_ECDH)
/*
* ssl_tls13_parse_key_shares_ext() verifies whether the information in the
* extension is correct and stores the first acceptable key share and its associated group.
* extension is correct and stores the first acceptable key share and its
* associated group.
*
* Possible return values are:
* - 0: Successful processing of the client provided key share extension.
* - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by the client
* does not match a group supported by the server. A HelloRetryRequest will
* be needed.
* - SSL_TLS1_3_PARSE_KEY_SHARES_EXT_NO_MATCH: The key shares provided by
* the client does not match a group supported by the server. A
* HelloRetryRequest will be needed.
* - A negative value for fatal errors.
*/
MBEDTLS_CHECK_RETURN_CRITICAL
@ -1042,7 +1042,8 @@ static int ssl_tls13_determine_key_exchange_mode(mbedtls_ssl_context *ssl)
* 3 ) Plain PSK Mode ( psk )
*/
ssl->handshake->key_exchange_mode = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
ssl->handshake->key_exchange_mode =
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
if (ssl_tls13_check_psk_ephemeral_key_exchange(ssl)) {
ssl->handshake->key_exchange_mode =
@ -1552,8 +1553,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = ssl_tls13_parse_supported_groups_ext(
ssl, p, extension_data_end);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_parse_supported_groups_ext", ret);
MBEDTLS_SSL_DEBUG_RET(
1, "ssl_tls13_parse_supported_groups_ext", ret);
return ret;
}
@ -1593,7 +1594,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
case MBEDTLS_TLS_EXT_PSK_KEY_EXCHANGE_MODES:
MBEDTLS_SSL_DEBUG_MSG(3, ("found psk key exchange modes extension"));
MBEDTLS_SSL_DEBUG_MSG(
3, ("found psk key exchange modes extension"));
ret = ssl_tls13_parse_key_exchange_modes_ext(
ssl, p, extension_data_end);
@ -1645,10 +1647,8 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
ret = mbedtls_ssl_parse_sig_alg_ext(
ssl, p, extension_data_end);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_MSG(1,
(
"ssl_parse_supported_signature_algorithms_server_ext ( %d )",
ret));
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_parse_sig_alg_ext", ret);
return ret;
}
break;
@ -1658,10 +1658,14 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl,
case MBEDTLS_TLS_EXT_RECORD_SIZE_LIMIT:
MBEDTLS_SSL_DEBUG_MSG(3, ("found record_size_limit extension"));
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(ssl, p, extension_data_end);
ret = mbedtls_ssl_tls13_parse_record_size_limit_ext(
ssl, p, extension_data_end);
/* TODO: Return unconditionally here until we handle the record size limit correctly.
* Once handled correctly, only return in case of errors. */
/*
* TODO: Return unconditionally here until we handle the record
* size limit correctly.
* Once handled correctly, only return in case of errors.
*/
return ret;
break;
@ -2239,9 +2243,8 @@ static int ssl_tls13_write_server_hello(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_server_hello(ssl));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
MBEDTLS_SSL_HS_SERVER_HELLO, &buf,
&buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_server_hello_body(ssl, buf,
buf + buf_len,
@ -2413,15 +2416,16 @@ static int ssl_tls13_write_encrypted_extensions(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_DEBUG_MSG(2, ("=> write encrypted extensions"));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, &buf,
&buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
ssl, buf, buf + buf_len, &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len));
ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@ -2546,15 +2550,16 @@ static int ssl_tls13_write_certificate_request(mbedtls_ssl_context *ssl)
unsigned char *buf;
size_t buf_len, msg_len;
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
ssl, buf, buf + buf_len, &msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len));
ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@ -2665,8 +2670,8 @@ static int ssl_tls13_process_client_finished(mbedtls_ssl_context *ssl)
ret = mbedtls_ssl_tls13_compute_resumption_master_secret(ssl);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(1,
"mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_compute_resumption_master_secret", ret);
}
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP);
@ -2691,7 +2696,8 @@ static int ssl_tls13_handshake_wrapup(mbedtls_ssl_context *ssl)
*/
/* Sent NewSessionTicket message only when client supports PSK */
if (mbedtls_ssl_tls13_some_psk_enabled(ssl)) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
} else
#endif
{
@ -2954,9 +2960,9 @@ static int ssl_tls13_write_new_session_ticket(mbedtls_ssl_context *ssl)
MBEDTLS_SSL_PROC_CHK(ssl_tls13_prepare_new_session_ticket(
ssl, ticket_nonce, sizeof(ticket_nonce)));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(ssl,
MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_NEW_SESSION_TICKET,
&buf, &buf_len));
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_new_session_ticket_body(
ssl, buf, buf + buf_len, &msg_len,
@ -3124,7 +3130,8 @@ int mbedtls_ssl_tls13_handshake_server_step(mbedtls_ssl_context *ssl)
if (ssl->handshake->new_session_tickets_count == 0) {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_HANDSHAKE_OVER);
} else {
mbedtls_ssl_handshake_set_state(ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
mbedtls_ssl_handshake_set_state(
ssl, MBEDTLS_SSL_TLS1_3_NEW_SESSION_TICKET);
}
break;