Merge pull request #5748 from yuhaoth/pr/add-tls13-write-certificate-and-verify
TLS1.3:Add Certificate and CertificateVerify message on Server Side
This commit is contained in:
commit
a478441517
2 changed files with 112 additions and 49 deletions
|
@ -1185,6 +1185,71 @@ cleanup:
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
|
||||||
|
*/
|
||||||
|
static int ssl_tls13_write_hello_retry_request_coordinate(
|
||||||
|
mbedtls_ssl_context *ssl )
|
||||||
|
{
|
||||||
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
|
if( ssl->handshake->hello_retry_request_count > 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
|
||||||
|
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
|
||||||
|
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||||
|
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||||
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Create stateless transcript hash for HRR
|
||||||
|
*/
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
|
||||||
|
ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
|
||||||
|
if( ret != 0 )
|
||||||
|
{
|
||||||
|
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
|
||||||
|
|
||||||
|
return( 0 );
|
||||||
|
}
|
||||||
|
|
||||||
|
static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
|
||||||
|
{
|
||||||
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
|
unsigned char *buf;
|
||||||
|
size_t buf_len, msg_len;
|
||||||
|
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
|
||||||
|
|
||||||
|
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
|
||||||
|
|
||||||
|
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
|
||||||
|
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
|
||||||
|
&buf, &buf_len ) );
|
||||||
|
|
||||||
|
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
|
||||||
|
buf + buf_len,
|
||||||
|
&msg_len,
|
||||||
|
1 ) );
|
||||||
|
mbedtls_ssl_add_hs_msg_to_checksum(
|
||||||
|
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
|
||||||
|
|
||||||
|
|
||||||
|
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
|
||||||
|
msg_len ) );
|
||||||
|
|
||||||
|
ssl->handshake->hello_retry_request_count++;
|
||||||
|
|
||||||
|
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
|
||||||
|
|
||||||
|
cleanup:
|
||||||
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
|
||||||
|
return( ret );
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
|
* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
|
||||||
*/
|
*/
|
||||||
|
@ -1376,72 +1441,40 @@ cleanup:
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
|
* Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
|
||||||
*/
|
*/
|
||||||
|
static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
|
||||||
static int ssl_tls13_write_hello_retry_request_coordinate(
|
|
||||||
mbedtls_ssl_context *ssl )
|
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
||||||
if( ssl->handshake->hello_retry_request_count > 0 )
|
if( mbedtls_ssl_own_cert( ssl ) == NULL )
|
||||||
{
|
{
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
|
MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
|
||||||
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
|
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
|
||||||
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
|
||||||
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
ret = mbedtls_ssl_tls13_write_certificate( ssl );
|
||||||
* Create stateless transcript hash for HRR
|
|
||||||
*/
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
|
|
||||||
ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
|
|
||||||
if( ret != 0 )
|
if( ret != 0 )
|
||||||
{
|
|
||||||
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
|
|
||||||
return( ret );
|
return( ret );
|
||||||
}
|
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
|
||||||
mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
|
|
||||||
|
|
||||||
return( 0 );
|
return( 0 );
|
||||||
}
|
}
|
||||||
|
|
||||||
static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
|
/*
|
||||||
|
* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
|
||||||
|
*/
|
||||||
|
static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
|
||||||
{
|
{
|
||||||
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
|
int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
|
||||||
unsigned char *buf;
|
if( ret != 0 )
|
||||||
size_t buf_len, msg_len;
|
return( ret );
|
||||||
|
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
|
return( 0 );
|
||||||
|
|
||||||
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
|
|
||||||
|
|
||||||
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
|
|
||||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
|
|
||||||
&buf, &buf_len ) );
|
|
||||||
|
|
||||||
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
|
|
||||||
buf + buf_len,
|
|
||||||
&msg_len,
|
|
||||||
1 ) );
|
|
||||||
mbedtls_ssl_add_hs_msg_to_checksum(
|
|
||||||
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
|
|
||||||
|
|
||||||
|
|
||||||
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
|
|
||||||
msg_len ) );
|
|
||||||
|
|
||||||
ssl->handshake->hello_retry_request_count++;
|
|
||||||
|
|
||||||
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
|
|
||||||
|
|
||||||
cleanup:
|
|
||||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
|
|
||||||
return( ret );
|
|
||||||
}
|
}
|
||||||
|
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* TLS 1.3 State Machine -- server side
|
* TLS 1.3 State Machine -- server side
|
||||||
|
@ -1497,6 +1530,14 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
|
||||||
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
|
case MBEDTLS_SSL_CERTIFICATE_REQUEST:
|
||||||
ret = ssl_tls13_write_certificate_request( ssl );
|
ret = ssl_tls13_write_certificate_request( ssl );
|
||||||
break;
|
break;
|
||||||
|
|
||||||
|
case MBEDTLS_SSL_SERVER_CERTIFICATE:
|
||||||
|
ret = ssl_tls13_write_server_certificate( ssl );
|
||||||
|
break;
|
||||||
|
|
||||||
|
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
|
||||||
|
ret = ssl_tls13_write_certificate_verify( ssl );
|
||||||
|
break;
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
|
||||||
|
|
||||||
default:
|
default:
|
||||||
|
|
|
@ -11206,6 +11206,8 @@ run_test "TLS 1.3: Server side check - openssl" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||||
-s "SSL - The requested feature is not available" \
|
-s "SSL - The requested feature is not available" \
|
||||||
-s "=> parse client hello" \
|
-s "=> parse client hello" \
|
||||||
-s "<= parse client hello"
|
-s "<= parse client hello"
|
||||||
|
@ -11223,6 +11225,8 @@ run_test "TLS 1.3: Server side check - openssl with client authentication" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||||
-s "=> write certificate request" \
|
-s "=> write certificate request" \
|
||||||
-s "SSL - The requested feature is not available" \
|
-s "SSL - The requested feature is not available" \
|
||||||
-s "=> parse client hello" \
|
-s "=> parse client hello" \
|
||||||
|
@ -11241,6 +11245,8 @@ run_test "TLS 1.3: Server side check - gnutls" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||||
-s "SSL - The requested feature is not available" \
|
-s "SSL - The requested feature is not available" \
|
||||||
-s "=> parse client hello" \
|
-s "=> parse client hello" \
|
||||||
-s "<= parse client hello"
|
-s "<= parse client hello"
|
||||||
|
@ -11259,6 +11265,8 @@ run_test "TLS 1.3: Server side check - gnutls with client authentication" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||||
-s "=> write certificate request" \
|
-s "=> write certificate request" \
|
||||||
-s "SSL - The requested feature is not available" \
|
-s "SSL - The requested feature is not available" \
|
||||||
-s "=> parse client hello" \
|
-s "=> parse client hello" \
|
||||||
|
@ -11293,7 +11301,10 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||||
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
|
||||||
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
|
||||||
-s "SSL - The requested feature is not available" \
|
-s "SSL - The requested feature is not available" \
|
||||||
-s "=> parse client hello" \
|
-s "=> parse client hello" \
|
||||||
|
@ -11318,6 +11329,17 @@ run_test "TLS 1.3: server: HRR check - mbedtls" \
|
||||||
-s "=> write hello retry request" \
|
-s "=> write hello retry request" \
|
||||||
-s "<= write hello retry request"
|
-s "<= write hello retry request"
|
||||||
|
|
||||||
|
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
|
||||||
|
requires_config_enabled MBEDTLS_DEBUG_C
|
||||||
|
requires_config_enabled MBEDTLS_SSL_SRV_C
|
||||||
|
requires_config_enabled MBEDTLS_SSL_CLI_C
|
||||||
|
run_test "TLS 1.3: Server side check, no server certificate available" \
|
||||||
|
"$P_SRV debug_level=4 crt_file=none key_file=none force_version=tls13" \
|
||||||
|
"$P_CLI debug_level=4 force_version=tls13" \
|
||||||
|
1 \
|
||||||
|
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
|
||||||
|
-s "No certificate available."
|
||||||
|
|
||||||
for i in opt-testcases/*.sh
|
for i in opt-testcases/*.sh
|
||||||
do
|
do
|
||||||
TEST_SUITE_NAME=${i##*/}
|
TEST_SUITE_NAME=${i##*/}
|
||||||
|
|
Loading…
Reference in a new issue