From 23f7a6fc5cdfc97e0bfd63fd84bd1683f447286e Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Sat, 23 Apr 2022 15:16:45 +0800 Subject: [PATCH] share write_body between HRR and ServerHello Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 293 +++++++++------------------ tests/opt-testcases/tls13-generic.sh | 2 +- 2 files changed, 92 insertions(+), 203 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index 13fcb654b..528409b57 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -917,6 +917,72 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, return( 0 ); } +static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, + unsigned char *buf, + unsigned char *end, + size_t *out_len ) +{ + uint16_t selected_group = ssl->handshake->hrr_selected_group; + /* key_share Extension + * + * struct { + * select (Handshake.msg_type) { + * ... + * case hello_retry_request: + * NamedGroup selected_group; + * ... + * }; + * } KeyShare; + */ + + *out_len = 0; + + /* For a pure PSK-based ciphersuite there is no key share to declare. */ + if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) + return( 0 ); + + /* We should only send the key_share extension if the client's initial + * key share was not acceptable. */ + if( ssl->handshake->offered_group_id != 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) ); + return( 0 ); + } + + if( selected_group == 0 ) + { + MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } + + if( ! mbedtls_ssl_named_group_is_offered( ssl, selected_group ) || + ! mbedtls_ssl_named_group_is_supported( selected_group ) ) + { + MBEDTLS_SSL_DEBUG_MSG( 4, ( "should never happen" ) ); + return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); + } + + /* extension header, extension length, NamedGroup value */ + MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 6 ); + + /* Write extension header */ + MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 ); + + /* Write extension length */ + MBEDTLS_PUT_UINT16_BE( 2, buf, 2 ); + + /* Write selected group */ + MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 ); + + MBEDTLS_SSL_DEBUG_MSG( 3, + ( "HRR selected_group: %s (%x)", + mbedtls_ssl_named_group_to_str( selected_group ), + selected_group ) ); + + *out_len = 6; + return( 0 ); + +} /* * Structure of ServerHello message: @@ -933,7 +999,8 @@ static int ssl_tls13_write_key_share_ext( mbedtls_ssl_context *ssl, static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, unsigned char *buf, unsigned char *end, - size_t *out_len ) + size_t *out_len, + int is_hrr ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; unsigned char *p = buf; @@ -959,8 +1026,16 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, * opaque Random[MBEDTLS_SERVER_HELLO_RANDOM_LEN]; */ MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], - MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + if( is_hrr ) + { + memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic, + MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + } + else + { + memcpy( p, &ssl->handshake->randbytes[MBEDTLS_CLIENT_HELLO_RANDOM_LEN], + MBEDTLS_SERVER_HELLO_RANDOM_LEN ); + } MBEDTLS_SSL_DEBUG_BUF( 3, "server hello, random bytes", p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; @@ -1026,7 +1101,10 @@ static int ssl_tls13_write_server_hello_body( mbedtls_ssl_context *ssl, if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) { - ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); + if( is_hrr ) + ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len ); + else + ret = ssl_tls13_write_key_share_ext( ssl, p, end, &output_len ); if( ret != 0 ) return( ret ); p += output_len; @@ -1079,7 +1157,8 @@ static int ssl_tls13_write_server_hello( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf, buf + buf_len, - &msg_len ) ); + &msg_len, + 0 ) ); mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len ); @@ -1319,213 +1398,23 @@ static int ssl_tls13_write_hello_retry_request_coordinate( return( 0 ); } -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) -static int ssl_tls13_write_hrr_key_share_ext( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *out_len ) -{ - uint16_t selected_group = ssl->handshake->hrr_selected_group; - /* key_share Extension - * - * struct { - * select (Handshake.msg_type) { - * ... - * case hello_retry_request: - * NamedGroup selected_group; - * ... - * }; - * } KeyShare; - */ - - *out_len = 0; - - /* For a pure PSK-based ciphersuite there is no key share to declare. */ - if( ! mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) - return( 0 ); - - /* We should only send the key_share extension if the client's initial - * key share was not acceptable. */ - if( ssl->handshake->offered_group_id != 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 4, ( "Skip key_share extension in HRR" ) ); - return( 0 ); - } - - if( selected_group == 0 ) - { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "no matching named group found" ) ); - return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); - } - - if( ! mbedtls_ssl_named_group_is_offered( ssl, selected_group ) || - ! mbedtls_ssl_named_group_is_supported( selected_group ) ) - { - MBEDTLS_SSL_DEBUG_MSG( 4, ( "should never happen" ) ); - return( MBEDTLS_ERR_SSL_INTERNAL_ERROR ); - } - - /* extension header, extension length, NamedGroup value */ - MBEDTLS_SSL_CHK_BUF_READ_PTR( buf, end, 6 ); - - /* Write extension header */ - MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_KEY_SHARE, buf, 0 ); - - /* Write extension length */ - MBEDTLS_PUT_UINT16_BE( 2, buf, 2 ); - - /* Write selected group */ - MBEDTLS_PUT_UINT16_BE( selected_group, buf, 4 ); - - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "HRR selected_group: %s (%x)", - mbedtls_ssl_named_group_to_str( selected_group ), - selected_group ) ); - - *out_len = 6; - return( 0 ); - -} -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - -static int ssl_tls13_write_hello_retry_request_body( mbedtls_ssl_context *ssl, - unsigned char *buf, - unsigned char *end, - size_t *out_len ) -{ - int ret; - unsigned char *p = buf; - unsigned char *start = buf; - size_t output_len; - unsigned char *extension_start; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) ); - - *out_len = 0; - - /* - * struct { - * ProtocolVersion legacy_version = 0x0303; - * Random random ( with magic value ); - * opaque legacy_session_id_echo<0..32>; - * CipherSuite cipher_suite; - * uint8 legacy_compression_method = 0; - * Extension extensions<0..2^16-1>; - * } ServerHello; --- aka HelloRetryRequest - */ - - - /* - * Write legacy_version - * ProtocolVersion legacy_version = 0x0303; // TLS v1.2 - * - * For TLS 1.3 we use the legacy version number {0x03, 0x03} - * instead of the true version number. - */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - MBEDTLS_PUT_UINT16_BE( 0x0303, p, 0 ); - p += 2; - - /* write magic string (as a replacement for the random value) */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - memcpy( p, mbedtls_ssl_tls13_hello_retry_request_magic, - MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - MBEDTLS_SSL_DEBUG_BUF( 3, "client hello, random bytes", - p, MBEDTLS_SERVER_HELLO_RANDOM_LEN ); - p += MBEDTLS_SERVER_HELLO_RANDOM_LEN; - - /* - * Write legacy_session_id_echo - */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 + ssl->session_negotiate->id_len ); - *p++ = (unsigned char)ssl->session_negotiate->id_len; - if( ssl->session_negotiate->id_len > 0 ) - { - memcpy( p, &ssl->session_negotiate->id[0], - ssl->session_negotiate->id_len ); - p += ssl->session_negotiate->id_len; - MBEDTLS_SSL_DEBUG_MSG( 3, ( "session id length ( %" - MBEDTLS_PRINTF_SIZET " )", - ssl->session_negotiate->id_len ) ); - MBEDTLS_SSL_DEBUG_BUF( 3, "session id", ssl->session_negotiate->id, - ssl->session_negotiate->id_len ); - } - - /* - * Write ciphersuite - */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - MBEDTLS_PUT_UINT16_BE( ssl->session_negotiate->ciphersuite, p, 0 ); - p += 2; - MBEDTLS_SSL_DEBUG_MSG( 3, - ( "server hello, chosen ciphersuite: %s ( id=%d )", - mbedtls_ssl_get_ciphersuite_name( - ssl->session_negotiate->ciphersuite ), - ssl->session_negotiate->ciphersuite ) ); - - /* write legacy_compression_method = ( 0 ) */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 1 ); - *p++ = 0x0; - - /* Extensions */ - MBEDTLS_SSL_CHK_BUF_PTR( p, end, 2 ); - extension_start = p; - p += 2; - - /* Add supported_version extension */ - if( ( ret = ssl_tls13_write_server_hello_supported_versions_ext( - ssl, p, end, &output_len ) ) != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_selected_version_ext", - ret ); - return( ret ); - } - p += output_len; - -#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) - /* Add key_share extension, if necessary */ - if( mbedtls_ssl_conf_tls13_some_ephemeral_enabled( ssl ) ) - { - ret = ssl_tls13_write_hrr_key_share_ext( ssl, p, end, &output_len ); - if( ret != 0 ) - { - MBEDTLS_SSL_DEBUG_RET( 1, "ssl_tls13_write_hrr_key_share_ext", ret ); - return( ret ); - } - p += output_len; - } -#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ - - /* Write length information */ - MBEDTLS_PUT_UINT16_BE( p - extension_start - 2, extension_start, 0 ); - - MBEDTLS_SSL_DEBUG_BUF( 4, "hello retry request extensions", - extension_start, p - extension_start ); - - *out_len = p - start; - - MBEDTLS_SSL_DEBUG_BUF( 3, "hello retry request", start, *out_len ); - - *out_len = p - buf; - - MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) ); - return( 0 ); -} - static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl ) { int ret; unsigned char *buf; size_t buf_len, msg_len; + MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) ); + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) ); MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, &buf, &buf_len ) ); - MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_body( - ssl, buf, buf + buf_len, &msg_len ) ); - + MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf, + buf + buf_len, + &msg_len, + 1 ) ); mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len ); @@ -1538,7 +1427,7 @@ static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl ) mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO ); cleanup: - + MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) ); return( ret ); } diff --git a/tests/opt-testcases/tls13-generic.sh b/tests/opt-testcases/tls13-generic.sh index ba1dd12f6..67d62eee7 100755 --- a/tests/opt-testcases/tls13-generic.sh +++ b/tests/opt-testcases/tls13-generic.sh @@ -22,7 +22,7 @@ requires_config_enabled MBEDTLS_DEBUG_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3 -run_test "TLS 1.3 m->M: HRR secp256r1 -> secp384r1" \ +run_test "TLS 1.3: server: HRR check - mbedtls" \ "$P_SRV debug_level=4 force_version=tls13 curves=secp384r1" \ "$P_CLI debug_level=4 force_version=tls13 curves=secp256r1,secp384r1" \ 1 \