Merge pull request #5748 from yuhaoth/pr/add-tls13-write-certificate-and-verify

TLS1.3:Add Certificate and CertificateVerify message on Server Side
This commit is contained in:
Paul Elliott 2022-05-17 15:47:36 +01:00 committed by GitHub
commit a478441517
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 112 additions and 49 deletions

View file

@ -1185,6 +1185,71 @@ cleanup:
return( ret ); return( ret );
} }
/*
* Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST
*/
static int ssl_tls13_write_hello_retry_request_coordinate(
mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ssl->handshake->hello_retry_request_count > 0 )
{
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
}
/*
* Create stateless transcript hash for HRR
*/
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
return( ret );
}
mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
return( 0 );
}
static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl )
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
unsigned char *buf;
size_t buf_len, msg_len;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
&buf, &buf_len ) );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
buf + buf_len,
&msg_len,
1 ) );
mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
msg_len ) );
ssl->handshake->hello_retry_request_count++;
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
return( ret );
}
/* /*
* Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS * Handler for MBEDTLS_SSL_ENCRYPTED_EXTENSIONS
*/ */
@ -1376,72 +1441,40 @@ cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write certificate request" ) );
return( ret ); return( ret );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* /*
* Handler for MBEDTLS_SSL_HELLO_RETRY_REQUEST * Handler for MBEDTLS_SSL_SERVER_CERTIFICATE
*/ */
static int ssl_tls13_write_server_certificate( mbedtls_ssl_context *ssl )
static int ssl_tls13_write_hello_retry_request_coordinate(
mbedtls_ssl_context *ssl )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
if( ssl->handshake->hello_retry_request_count > 0 ) if( mbedtls_ssl_own_cert( ssl ) == NULL )
{ {
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Too many HRRs" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "No certificate available." ) );
MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE, MBEDTLS_SSL_PEND_FATAL_ALERT( MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE,
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE);
return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE );
} }
/* ret = mbedtls_ssl_tls13_write_certificate( ssl );
* Create stateless transcript hash for HRR
*/
MBEDTLS_SSL_DEBUG_MSG( 4, ( "Reset transcript for HRR" ) );
ret = mbedtls_ssl_reset_transcript_for_hrr( ssl );
if( ret != 0 ) if( ret != 0 )
{
MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ssl_reset_transcript_for_hrr", ret );
return( ret ); return( ret );
} mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CERTIFICATE_VERIFY );
mbedtls_ssl_session_reset_msg_layer( ssl, 0 );
return( 0 ); return( 0 );
} }
static int ssl_tls13_write_hello_retry_request( mbedtls_ssl_context *ssl ) /*
* Handler for MBEDTLS_SSL_CERTIFICATE_VERIFY
*/
static int ssl_tls13_write_certificate_verify( mbedtls_ssl_context *ssl )
{ {
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int ret = mbedtls_ssl_tls13_write_certificate_verify( ssl );
unsigned char *buf; if( ret != 0 )
size_t buf_len, msg_len; return( ret );
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_SERVER_FINISHED );
MBEDTLS_SSL_DEBUG_MSG( 2, ( "=> write hello retry request" ) ); return( 0 );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_hello_retry_request_coordinate( ssl ) );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_start_handshake_msg(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
&buf, &buf_len ) );
MBEDTLS_SSL_PROC_CHK( ssl_tls13_write_server_hello_body( ssl, buf,
buf + buf_len,
&msg_len,
1 ) );
mbedtls_ssl_add_hs_msg_to_checksum(
ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len );
MBEDTLS_SSL_PROC_CHK( mbedtls_ssl_finish_handshake_msg( ssl, buf_len,
msg_len ) );
ssl->handshake->hello_retry_request_count++;
mbedtls_ssl_handshake_set_state( ssl, MBEDTLS_SSL_CLIENT_HELLO );
cleanup:
MBEDTLS_SSL_DEBUG_MSG( 2, ( "<= write hello retry request" ) );
return( ret );
} }
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
/* /*
* TLS 1.3 State Machine -- server side * TLS 1.3 State Machine -- server side
@ -1497,6 +1530,14 @@ int mbedtls_ssl_tls13_handshake_server_step( mbedtls_ssl_context *ssl )
case MBEDTLS_SSL_CERTIFICATE_REQUEST: case MBEDTLS_SSL_CERTIFICATE_REQUEST:
ret = ssl_tls13_write_certificate_request( ssl ); ret = ssl_tls13_write_certificate_request( ssl );
break; break;
case MBEDTLS_SSL_SERVER_CERTIFICATE:
ret = ssl_tls13_write_server_certificate( ssl );
break;
case MBEDTLS_SSL_CERTIFICATE_VERIFY:
ret = ssl_tls13_write_certificate_verify( ssl );
break;
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
default: default:

View file

@ -11206,6 +11206,8 @@ run_test "TLS 1.3: Server side check - openssl" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "SSL - The requested feature is not available" \ -s "SSL - The requested feature is not available" \
-s "=> parse client hello" \ -s "=> parse client hello" \
-s "<= parse client hello" -s "<= parse client hello"
@ -11223,6 +11225,8 @@ run_test "TLS 1.3: Server side check - openssl with client authentication" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "=> write certificate request" \ -s "=> write certificate request" \
-s "SSL - The requested feature is not available" \ -s "SSL - The requested feature is not available" \
-s "=> parse client hello" \ -s "=> parse client hello" \
@ -11241,6 +11245,8 @@ run_test "TLS 1.3: Server side check - gnutls" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "SSL - The requested feature is not available" \ -s "SSL - The requested feature is not available" \
-s "=> parse client hello" \ -s "=> parse client hello" \
-s "<= parse client hello" -s "<= parse client hello"
@ -11259,6 +11265,8 @@ run_test "TLS 1.3: Server side check - gnutls with client authentication" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-s "=> write certificate request" \ -s "=> write certificate request" \
-s "SSL - The requested feature is not available" \ -s "SSL - The requested feature is not available" \
-s "=> parse client hello" \ -s "=> parse client hello" \
@ -11293,7 +11301,10 @@ run_test "TLS 1.3: Server side check - mbedtls with client authentication" \
-s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_CLIENT_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_HELLO" \
-s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \ -s "tls13 server state: MBEDTLS_SSL_ENCRYPTED_EXTENSIONS" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \ -s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "tls13 server state: MBEDTLS_SSL_CERTIFICATE_VERIFY" \
-s "tls13 server state: MBEDTLS_SSL_SERVER_FINISHED" \
-c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \ -c "client state: MBEDTLS_SSL_CERTIFICATE_REQUEST" \
-s "SSL - The requested feature is not available" \ -s "SSL - The requested feature is not available" \
-s "=> parse client hello" \ -s "=> parse client hello" \
@ -11318,6 +11329,17 @@ run_test "TLS 1.3: server: HRR check - mbedtls" \
-s "=> write hello retry request" \ -s "=> write hello retry request" \
-s "<= write hello retry request" -s "<= write hello retry request"
requires_config_enabled MBEDTLS_SSL_PROTO_TLS1_3
requires_config_enabled MBEDTLS_DEBUG_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_config_enabled MBEDTLS_SSL_CLI_C
run_test "TLS 1.3: Server side check, no server certificate available" \
"$P_SRV debug_level=4 crt_file=none key_file=none force_version=tls13" \
"$P_CLI debug_level=4 force_version=tls13" \
1 \
-s "tls13 server state: MBEDTLS_SSL_SERVER_CERTIFICATE" \
-s "No certificate available."
for i in opt-testcases/*.sh for i in opt-testcases/*.sh
do do
TEST_SUITE_NAME=${i##*/} TEST_SUITE_NAME=${i##*/}