Merge pull request #5749 from yuhaoth/pr/add-tls13-finished-message-and-wrapup

TLS 1.3: Add Finished Message and wrapup
This commit is contained in:
Paul Elliott 2022-05-25 12:02:06 +01:00 committed by GitHub
commit 8fba70f66c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 207 additions and 118 deletions

View file

@ -1750,6 +1750,15 @@ static int ssl_tls13_process_server_finished( mbedtls_ssl_context *ssl )
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( ret );
}
#if defined(MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE)
mbedtls_ssl_handshake_set_state(
ssl,
@ -1825,6 +1834,14 @@ static int ssl_tls13_write_client_finished( mbedtls_ssl_context *ssl )
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
return ( ret );
}
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_FLUSH_BUFFERS );
return( 0 );
}
@ -1844,11 +1861,6 @@ static int ssl_tls13_flush_buffers( mbedtls_ssl_context *ssl )
*/
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
mbedtls_ssl_tls13_handshake_wrapup( ssl );

View file

@ -1120,80 +1120,6 @@ static int ssl_tls13_parse_finished_message( mbedtls_ssl_context *ssl,
return( 0 );
}
#if defined(MBEDTLS_SSL_CLI_C)
static int ssl_tls13_postprocess_server_finished_message( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_key_set traffic_keys;
mbedtls_ssl_transform *transform_application = NULL;
ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_tls13_key_schedule_stage_application", ret );
goto cleanup;
}
ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_tls13_generate_application_keys", ret );
goto cleanup;
}
transform_application =
mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
if( transform_application == NULL )
{
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto cleanup;
}
ret = mbedtls_ssl_tls13_populate_transform(
transform_application,
ssl->conf->endpoint,
ssl->session_negotiate->ciphersuite,
&traffic_keys,
ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
goto cleanup;
}
ssl->transform_application = transform_application;
cleanup:
mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
if( ret != 0 )
{
mbedtls_free( transform_application );
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
return( ret );
}
#endif /* MBEDTLS_SSL_CLI_C */
static int ssl_tls13_postprocess_finished_message( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_SSL_CLI_C)
if( ssl->conf->endpoint == MBEDTLS_SSL_IS_CLIENT )
{
return( ssl_tls13_postprocess_server_finished_message( ssl ) );
}
#else
((void) ssl);
#endif /* MBEDTLS_SSL_CLI_C */
return( MBEDTLS_ERR_SSL_INTERNAL_ERROR );
}
int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@ -1211,7 +1137,6 @@ int mbedtls_ssl_tls13_process_finished_message( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_PROC_CHK( ssl_tls13_parse_finished_message( ssl, buf, buf + buf_len ) );
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
buf, buf_len );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_postprocess_finished_message( ssl ) );
cleanup:
@ -1248,14 +1173,6 @@ static int ssl_tls13_prepare_finished_message( mbedtls_ssl_context *ssl )
return( 0 );
}
static int ssl_tls13_finalize_finished_message( mbedtls_ssl_context *ssl )
{
// TODO: Add back resumption keys calculation after MVP.
((void) ssl);
return( 0 );
}
static int ssl_tls13_write_finished_message_body( mbedtls_ssl_context *ssl,
unsigned char *buf,
unsigned char *end,
@ -1296,7 +1213,6 @@ int mbedtls_ssl_tls13_write_finished_message( mbedtls_ssl_context *ssl )
mbedtls_ssl_add_hs_msg_to_checksum( ssl, MBEDTLS_SSL_HS_FINISHED,
buf, msg_len );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_finalize_finished_message( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len ) );
cleanup:
@ -1310,6 +1226,12 @@ void mbedtls_ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
MBEDTLS_SSL_DEBUG_MSG( 3, ( "=> handshake wrapup" ) );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for inbound traffic" ) );
mbedtls_ssl_set_inbound_transform ( ssl, ssl->transform_application );
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Switch to application keys for outbound traffic" ) );
mbedtls_ssl_set_outbound_transform( ssl, ssl->transform_application );
/*
* Free the previous session and switch to the current one.
*/

View file

@ -1473,9 +1473,6 @@ int mbedtls_ssl_tls13_generate_application_keys(
handshake->tls13_master_secrets.app,
transcript, transcript_len,
app_secrets );
/* Erase master secrets */
mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
sizeof( ssl->handshake->tls13_master_secrets ) );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
@ -1598,4 +1595,67 @@ cleanup:
return( ret );
}
int mbedtls_ssl_tls13_generate_resumption_master_secret(
mbedtls_ssl_context *ssl )
{
/* Erase master secrets */
mbedtls_platform_zeroize( &ssl->handshake->tls13_master_secrets,
sizeof( ssl->handshake->tls13_master_secrets ) );
return( 0 );
}
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_key_set traffic_keys;
mbedtls_ssl_transform *transform_application = NULL;
ret = mbedtls_ssl_tls13_key_schedule_stage_application( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_tls13_key_schedule_stage_application", ret );
goto cleanup;
}
ret = mbedtls_ssl_tls13_generate_application_keys( ssl, &traffic_keys );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_tls13_generate_application_keys", ret );
goto cleanup;
}
transform_application =
mbedtls_calloc( 1, sizeof( mbedtls_ssl_transform ) );
if( transform_application == NULL )
{
ret = MBEDTLS_ERR_SSL_ALLOC_FAILED;
goto cleanup;
}
ret = mbedtls_ssl_tls13_populate_transform(
transform_application,
ssl->conf->endpoint,
ssl->session_negotiate->ciphersuite,
&traffic_keys,
ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_tls13_populate_transform", ret );
goto cleanup;
}
ssl->transform_application = transform_application;
cleanup:
mbedtls_platform_zeroize( &traffic_keys, sizeof( traffic_keys ) );
if( ret != 0 )
{
mbedtls_free( transform_application );
}
return( ret );
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */

View file

@ -610,6 +610,19 @@ int mbedtls_ssl_tls13_key_schedule_stage_application( mbedtls_ssl_context *ssl )
int mbedtls_ssl_tls13_generate_application_keys(
mbedtls_ssl_context* ssl, mbedtls_ssl_key_set *traffic_keys );
/**
* \brief Compute TLS 1.3 resumption master secret.
*
* \param ssl The SSL context to operate on. This must be in
* key schedule stage \c Application, see
* mbedtls_ssl_tls13_key_schedule_stage_application().
*
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
int mbedtls_ssl_tls13_generate_resumption_master_secret(
mbedtls_ssl_context *ssl );
/**
* \brief Calculate the verify_data value for the client or server TLS 1.3
* Finished message.
@ -649,6 +662,17 @@ int mbedtls_ssl_tls13_calculate_verify_data( mbedtls_ssl_context *ssl,
*/
int mbedtls_ssl_tls13_compute_handshake_transform( mbedtls_ssl_context *ssl );
/**
* \brief Compute TLS 1.3 application transform
*
* \param ssl The SSL context to operate on. The early secret must have been
* computed.
*
* \returns \c 0 on success.
* \returns A negative error code on failure.
*/
int mbedtls_ssl_tls13_compute_application_transform( mbedtls_ssl_context *ssl );
#endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
#endif /* MBEDTLS_SSL_TLS1_3_KEYS_H */

View file

@ -1476,6 +1476,67 @@ static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
}
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/*
* Handler for MBEDTLS_SSL_SERVER_FINISHED
*/
static int ssl_tls13_write_server_finished( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
ret = mbedtls_ssl_tls13_write_finished_message( ssl );
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_compute_application_transform( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_PEND_FATAL_ALERT(
MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( ret );
}
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_FINISHED );
return( 0 );
}
/*
* Handler for MBEDTLS_SSL_CLIENT_FINISHED
*/
static int ssl_tls13_process_client_finished( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
MBEDTLS_SSL_DEBUG_MSG( 1,
( "Switch to handshake traffic keys for inbound traffic" ) );
mbedtls_ssl_set_inbound_transform( ssl, ssl->handshake->transform_handshake );
ret = mbedtls_ssl_tls13_process_finished_message( ssl );
if( ret != 0 )
return( ret );
ret = mbedtls_ssl_tls13_generate_resumption_master_secret( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1,
"mbedtls_ssl_tls13_generate_resumption_master_secret ", ret );
}
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_WRAPUP );
return( 0 );
}
/*
* Handler for MBEDTLS_SSL_HANDSHAKE_WRAPUP
*/
static int ssl_tls13_handshake_wrapup( mbedtls_ssl_context *ssl )
{
MBEDTLS_SSL_DEBUG_MSG( 2, ( "handshake: done" ) );
mbedtls_ssl_tls13_handshake_wrapup( ssl );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_HANDSHAKE_OVER );
return( 0 );
}
/*
* TLS 1.3 State Machine -- server side
*/
@ -1540,6 +1601,18 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
break;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
case MBEDTLS_SSL_SERVER_FINISHED:
ret = ssl_tls13_write_server_finished( ssl );
break;
case MBEDTLS_SSL_CLIENT_FINISHED:
ret = ssl_tls13_process_client_finished( ssl );
break;
case MBEDTLS_SSL_HANDSHAKE_WRAPUP:
ret = ssl_tls13_handshake_wrapup( ssl );
break;
default:
MBEDTLS_SSL_DEBUG_MSG( 1, ( "invalid state %d", ssl->state ) );
return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE );

View file

@ -81,7 +81,7 @@ fi
if [ -n "${OPENSSL_NEXT:-}" ]; then
O_NEXT_SRV="$OPENSSL_NEXT s_server -www -cert data_files/server5.crt -key data_files/server5.key"
O_NEXT_SRV_NO_CERT="$OPENSSL_NEXT s_server -www "
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client"
O_NEXT_CLI="echo 'GET / HTTP/1.0' | $OPENSSL_NEXT s_client -CAfile data_files/test-ca_cat12.crt"
else
O_NEXT_SRV=false
O_NEXT_SRV_NO_CERT=false
@ -11224,31 +11224,34 @@ run_test "TLS 1.3: HRR check, ciphersuite TLS_AES_256_GCM_SHA384 - gnutls" \
-c "Protocol is TLSv1.3" \
-c "HTTP/1.0 200 OK"
requires_openssl_tls1_3
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_openssl_tls1_3
run_test "TLS 1.3: Server side check - openssl" \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$O_NEXT_CLI -msg -debug -tls1_3" \
1 \
"$O_NEXT_CLI -msg -debug -tls1_3 -no_middlebox" \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP"
# Skip this test before openssl exit code issue fixed
# On fail, openssl return different exit code on OpenCI and internal CI for
# this test.
skip_next_test
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_openssl_tls1_3
run_test "TLS 1.3: Server side check - openssl with client authentication" \
"$P_SRV debug_level=4 auth_mode=required crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3" \
"$O_NEXT_CLI -msg -debug -cert data_files/server5.crt -key data_files/server5.key -tls1_3 -no_middlebox" \
1 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
@ -11258,7 +11261,6 @@ run_test "TLS 1.3: Server side check - openssl with client authentication" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "=> write certificate request" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
@ -11270,16 +11272,16 @@ requires_config_enabled MBEDTLS_SSL_SRV_C
run_test "TLS 1.3: Server side check - gnutls" \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$G_NEXT_CLI localhost -d 4 --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:%NO_TICKETS:%DISABLE_TLS13_COMPAT_MODE -V" \
1 \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
-c "HTTP/1.0 200 OK"
requires_gnutls_tls1_3
requires_gnutls_next_no_ticket
@ -11298,7 +11300,6 @@ run_test "TLS 1.3: Server side check - gnutls with client authentication" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "=> write certificate request" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
@ -11309,16 +11310,17 @@ requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check - mbedtls" \
"$P_SRV debug_level=4 crt_file=data_files/server5.crt key_file=data_files/server5.key force_version=tls13 tickets=0" \
"$P_CLI debug_level=4 force_version=tls13" \
1 \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "=> write certificate request" \
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_FINISHED" \
-s "tls13 server state: MBEDTLS_SSL_HANDSHAKE_WRAPUP" \
-c "HTTP/1.0 200 OK"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
@ -11331,12 +11333,9 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "=> write certificate request" \
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "SSL - The requested feature is not available" \
-s "=> parse client hello" \
-s "<= parse client hello"
@ -11348,14 +11347,13 @@ requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
run_test "TLS 1.3: server: HRR check - mbedtls" \
"$P_SRV debug_level=4 force_version=tls13 curves=secp384r1" \
"$P_CLI debug_level=4 force_version=tls13 curves=secp256r1,secp384r1" \
1 \
0 \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_HELLO_RETRY_REQUEST" \
-c "client state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "selected_group: secp384r1" \
-s "SSL - The requested feature is not available" \
-s "=> write hello retry request" \
-s "<= write hello retry request"